Quick mail server setup on Ubuntu

  Configuration for Ubuntu 14.04 LTS

  Components

  postfix, cyrus-imapd, clamav, greylisting

  This configuration includes no anti-spam measure other than greylisting. It also sets up no TLS: imaps/pop3s are commented out in cyrus.conf, main.cf carries no smtpd_tls_* parameters, and allowplaintext: yes accepts PLAIN/LOGIN over unencrypted connections.

  The user database is kept in sasldb (BerkeleyDB). This scales poorly; it is used here because of a performance problem with the MySQL database server on this host.

  Installing cyrus-imapd and postfix

  apt-get install -y postfix postfix-pcre cyrus-pop3d-2.4 cyrus-clients-2.4 cyrus-imapd-2.4 cyrus-admin-2.4 sasl2-bin
  

  After installation cyrus-imapd (cyrmaster) is started the way the Debian/Ubuntu packages do it.

  Unfortunately /etc/init.d/cyrus-imapd may fail to stop it (a configuration bug: it points at the wrong pid file).

  This may already be fixed in newer versions of the debs. If not, kill the server by hand:

  killall cyrmaster
  rm -f /var/run/cyrus-master.pid
  

   

  Create the directories:

  mkdir -p /storage/mail/{spool,sieve}
  chmod 700 /storage/mail /storage/mail/{spool,sieve}
  chown -R cyrus:mail /storage/mail
  

  And the sasldb database:

  mkdir -m 770 /etc/sasl
  chgrp mail /etc/sasl
  gpasswd -a postfix mail
  gpasswd -a cyrus mail
  saslpasswd2 -f /etc/sasl/mail.db -c -u optimus.example.pl administrator
  

  Set the permissions and check that the user was added correctly:

  chmod 660 /etc/sasl/mail.db
  chgrp mail /etc/sasl/mail.db
  sasldblistusers2 -f /etc/sasl/mail.db
  

  Configuring cyrus-imapd

  vim /etc/default/cyrus-imapd

  CYRUS_VERBOSE=0
  CONF=/etc/imapd.conf
  MASTERCONF=/etc/cyrus.conf
  CHKCYRUS=1
  PIDFILE=/var/run/cyrus-master.pid
  OPTIONS=""
  

  vim /etc/imapd.conf

  servername: optimus.example.pl
  defaultdomain: optimus.example.pl
  postmaster: postmaster@optimus.example.pl
  configdirectory: /var/lib/cyrus
  proc_path: /run/cyrus/proc
  mboxname_lockpath: /run/cyrus/lock
  defaultpartition: default
  partition-default: /storage/mail/spool
  sievedir: /storage/mail/sieve
  sieveusehomedir: false
  altnamespace: yes
  unixhierarchysep: yes
  reject8bit: yes
  #munge8bit: no
  admins: administrator
  proxyservers: administrator
  hashimapspool: true
  allowanonymouslogin: no
  allowplaintext: yes
  # Does not work correctly?
  #autocreatequota: 20485760
  umask: 077
  normalizeuid: yes
  virtdomains: userid
  username_tolower: yes
  allowapop: no
  delete_mode: immediate
  expunge_mode: immediate
  lmtp_downcase_rcpt: yes
  lmtp_over_quota_perm_failure: yes
  lmtp_strict_quota: yes
  imapidresponse: no
  allowusermoves: yes
  sasl_mech_list: PLAIN LOGIN CRAM-MD5
  sasl_minimum_layer: 0
  #sasl_maximum_layer: 256
  sasl_option: yes
  sasl_pwcheck_method: auxprop
  sasl_auxprop_plugin: sasldb
  sasl_sasldb_path: /etc/sasl/mail.db
  sasl_auto_transition: yes
  lmtpsocket: /var/run/cyrus/socket/lmtp
  idlesocket: /var/run/cyrus/socket/idle
  notifysocket: /var/run/cyrus/socket/notify
  syslog_prefix: cyrus
  serverinfo: min
  

  vim /etc/cyrus.conf

  START {
      recover     cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
      delprune    cmd="/usr/sbin/cyrus expire -E 3"
      tlsprune    cmd="/usr/sbin/cyrus tls_prune"
  }
  
  SERVICES {
      imap      cmd="imapd -U 30" listen="imap" prefork=0 maxchild=25 proto=tcp4
      #imaps     cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
      pop3      cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=25 proto=tcp4
      #pop3s     cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
      lmtpunix    cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
      sieve      cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
  }
  
  EVENTS {
      checkpoint   cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
      delprune    cmd="/usr/sbin/cyrus expire -E 3" at=0401
      tlsprune    cmd="/usr/sbin/cyrus tls_prune" at=0401
      squatter_a   cmd="/usr/sbin/cyrus squatter" at=0210
  }
  

  Start the mail server:

  update-rc.d cyrus-imapd enable
  update-rc.d saslauthd disable
  service cyrus-imapd start
  

  Testing

  Creating a mailbox for the administrator account

  cyradm -u administrator@optimus.example.pl localhost
  

  Then, at the cyradm prompt:

  cm user/administrator@optimus.example.pl
  sq user/administrator@optimus.example.pl 0
  lq user/administrator@optimus.example.pl
  

  The above sets the quota to 0.

  Testing POP/IMAP connections

  pop3test -m PLAIN -a administrator@optimus.example.pl localhost
  --> QUIT
  
  pop3test -m LOGIN -a administrator@optimus.example.pl localhost
  --> QUIT
  
  imtest -m PLAIN -a administrator@optimus.example.pl localhost
  --> 00 LOGOUT
  
  imtest -m LOGIN -a administrator@optimus.example.pl localhost
  --> 00 LOGOUT
  
  imtest -m CRAM-MD5 -a administrator@optimus.example.pl localhost
  --> 00 LOGOUT
  
  

  Configuring postfix

  vim /etc/postfix/main.cf

  myhostname = optimus.example.pl
  myorigin = optimus.example.pl
  smtpd_banner = $myhostname ESMTP $mail_name
  biff = no
  inet_interfaces = all
  mynetworks_style = host
  inet_protocols = ipv4
  local_recipient_maps =
  alias_database =
  alias_maps =
  mydestination =
  relayhost =
  mynetworks = 127.0.0.0/8
  readme_directory = no
  delay_warning_time = 8h
  unknown_local_recipient_reject_code = 450
  maximal_queue_lifetime = 3d
  bounce_queue_lifetime = 0
  minimal_backoff_time = 1000s
  maximal_backoff_time = 8000s
  smtp_helo_timeout = 60s
  smtpd_recipient_limit = 16
  smtpd_soft_error_limit = 3
  smtpd_hard_error_limit = 12
  smtpd_helo_restrictions =
      permit_mynetworks
      warn_if_reject
      reject_non_fqdn_hostname
      reject_invalid_helo_hostname
      permit
  smtpd_sender_restrictions =
      permit_mynetworks
      warn_if_reject
      reject_non_fqdn_sender
      reject_unknown_sender_domain
      reject_unlisted_sender
      reject_unauth_pipelining
      permit
  smtpd_client_restrictions =
      reject_rbl_client cbl.abuseat.org
      reject_rbl_client zen.spamhaus.org=127.0.0.10
      reject_rbl_client zen.spamhaus.org=127.0.0.11
      reject_rbl_client zen.spamhaus.org
      warn_if_reject
      permit
  smtpd_recipient_restrictions =
      reject_unauth_pipelining
      permit_mynetworks
      reject_non_fqdn_recipient
      reject_unknown_recipient_domain
      reject_unauth_destination
      permit
  smtpd_data_restrictions =
      reject_unauth_pipelining
      permit
  message_size_limit = 20971520
  smtpd_helo_required = yes
  smtpd_delay_reject = no
  disable_vrfy_command = yes
  virtual_mailbox_maps = hash:/etc/postfix/db/user hash:/etc/postfix/db/alias
  virtual_alias_maps = hash:/etc/postfix/db/alias
  virtual_mailbox_domains = hash:/etc/postfix/db/domain
  virtual_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
  virtual_destination_recipient_limit = 1
  header_checks = pcre:/etc/postfix/attachment.pcre
  strict_rfc821_envelopes = yes
  smtpd_sasl_authenticated_header = yes
  smtpd_etrn_restrictions = reject
  smtpd_discard_ehlo_keywords=silent-discard,dsn,etrn
  unknown_client_reject_code=450
  show_user_unknown_table_name=no
  smtpd_milters = inet:127.0.0.1:11125 inet:127.0.0.1:11025
  milter_default_action = tempfail
  milter_protocol = 6
  milter_mail_macros = {auth_author} {auth_type} {auth_authen} {mail_addr}
  milter_connect_macros = j {daemon_name} v {client_addr} _
  milter_end_of_data_macros = b i j _ {daemon_name} {client_addr} {mail_addr}
  smtpd_sasl_path=auth
  cyrus_sasl_config_path=/etc/postfix/sasl
  

  vim /etc/postfix/attachment.pcre

  /^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(bat|exe|scr|com|cmd|lnk|vbs|js|pif|msi))(\?=)?"?\s*(;|$)/x   REJECT Attachment name "$2" may not end with ".$3"
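
To see what that rule matches before deploying it, here is an added Python re-implementation of the header_checks lookup (example code, not from this page or from Postfix): it compiles the page's pattern with the case-insensitive and /x flags Postfix applies and renders the REJECT text with $2 and $3 substituted. The sample headers are constructed.

```python
import re

# The rule from /etc/postfix/attachment.pcre on this page. Postfix pcre tables
# match case-insensitively by default, and the trailing /x is Python's re.VERBOSE.
ATTACHMENT_RULE = re.compile(
    r'^Content-(Disposition|Type).*name\s*=\s*"?'
    r'(.*\.(bat|exe|scr|com|cmd|lnk|vbs|js|pif|msi))(\?=)?"?\s*(;|$)',
    re.IGNORECASE | re.VERBOSE,
)
REJECT_TEXT = 'Attachment name "$2" may not end with ".$3"'


def check_header(header):
    """Evaluate one logical (unfolded) header line the way header_checks would.

    Returns ("REJECT", message) when the rule fires, ("DUNNO", None) otherwise.
    """
    m = ATTACHMENT_RULE.search(header)
    if not m:
        return ("DUNNO", None)
    # $1 is (Disposition|Type), $2 the file name, $3 the extension.
    message = REJECT_TEXT.replace("$2", m.group(2)).replace("$3", m.group(3))
    return ("REJECT", message)


def scan_headers(headers):
    """Return the (header, message) pairs the rule would reject."""
    rejected = []
    for h in headers:
        action, message = check_header(h)
        if action == "REJECT":
            rejected.append((h, message))
    return rejected


# Constructed sample headers, not taken from real traffic.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="report.exe"',
    'Content-Type: text/plain; name="notes.txt"',
    # only the final extension counts, so a double extension slips past this rule
    'Content-Disposition: attachment; filename="archive.exe.zip"',
    # RFC 2047 encoded-word file name: the (\?=)? group exists for this case
    'Content-Type: application/octet-stream; name="=?utf-8?q?invoice.exe?="',
    # matching is case-insensitive and the quotes are optional
    'Content-Disposition: attachment; filename=Setup.EXE',
]

if __name__ == "__main__":
    for header, message in scan_headers(SAMPLE_HEADERS):
        print("REJECT:", header, "->", message)
```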
  

  vim /etc/postfix/sasl/auth.conf

  pwcheck_method: auxprop
  auxprop_plugin: sasldb
  sasldb_path: /etc/sasl/mail.db
  auto_transition: yes
  mech_list: PLAIN LOGIN CRAM-MD5
  minimum_layer: 0
  

  vim /etc/postfix/master.cf

  # ==========================================================================
  # service type private unpriv chroot wakeup maxproc command + args
  #        (yes)  (yes)  (yes)  (never) (100)
  # ==========================================================================
  smtp   inet n    -    -    -    -    smtpd
  submission inet n    -   n    -    -    smtpd
   -o myhostname=smtp.example.pl
   -o syslog_name=postfix/submission
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_reject_unlisted_recipient=yes
   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,reject
   -o smtpd_sender_restrictions=reject_non_fqdn_sender
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_milters=inet:127.0.0.1:11025
   -o smtpd_sasl_auth_enable=yes
   -o milter_macro_daemon_name=ORIGINATING
  pickup  unix n    -    -    60   1    pickup
  cleanup  unix n    -    -    -    0    cleanup
  qmgr   unix n    -    n    300   1    qmgr
  tlsmgr  unix -    -    -    1000?  1    tlsmgr
  rewrite  unix -    -    -    -    -    trivial-rewrite
  bounce  unix -    -    -    -    0    bounce
  defer   unix -    -    -    -    0    bounce
  trace   unix -    -    -    -    0    bounce
  verify  unix -    -    -    -    1    verify
  flush   unix n    -    -    1000?  0    flush
  proxymap unix -    -    n    -    -    proxymap
  proxywrite unix -    -    n    -    1    proxymap
  smtp   unix -    -    -    -    -    smtp
  relay   unix -    -    -    -    -    smtp
  showq   unix n    -    -    -    -    showq
  error   unix -    -    -    -    -    error
  retry   unix -    -    -    -    -    error
  discard  unix -    -    -    -    -    discard
  local   unix -    n    n    -    -    local
  virtual  unix -    n    n    -    -    virtual
  lmtp   unix -    -    n    -    -    lmtp
  anvil   unix -    -    -    -    1    anvil
  scache  unix -    -    -    -    1    scache
  

  Create the domain, account and alias databases

  mkdir -p /etc/postfix/db/scripts
  touch /etc/postfix/db/alias.custom
  touch /etc/postfix/db/user.custom
  touch /etc/postfix/db/domain.custom
  cat >/etc/postfix/db/refresh <<"EOF"
  #!/bin/bash
  # Rebuild the Postfix virtual maps from sasldb; the *.custom files hold hand-written extra entries.
  cd /etc/postfix/db
  echo "#DON'T EDIT BY HAND" >user
  for usr in $(/etc/postfix/db/scripts/listusers)
  do
      echo -e "$usr\tOK" >>user
  done
  [ -f user.custom ] && cat user.custom >>user
  echo "#DON'T EDIT BY HAND" >domain
  for dmn in $(/etc/postfix/db/scripts/listdomains)
  do
      echo -e "$dmn\tOK" >>domain
  done
  [ -f domain.custom ] && cat domain.custom >>domain
  echo "#DON'T EDIT BY HAND" >alias
  [ -f alias.custom ] && cat alias.custom >>alias
  postmap hash:user
  postmap hash:domain
  postmap hash:alias
  echo do: postfix reload
  EOF
  chmod +x /etc/postfix/db/refresh
  cat >/etc/postfix/db/scripts/listusers <<"EOF"
  #!/bin/bash
  # sasldblistusers2 prints "user@domain: userPassword"; keep the login, drop the admin account.
  sasldblistusers2 -f /etc/sasl/mail.db | cut -d: -f1 | sort -u | grep -v 'administrator@optimus.example.pl'
  EOF
  cat >/etc/postfix/db/scripts/listdomains <<"EOF"
  #!/bin/bash
  # The domain list is derived from the user list.
  /etc/postfix/db/scripts/listusers | awk -F@ '{print $2}' | sort -u
  EOF
  chmod +x /etc/postfix/db/scripts/listusers
  chmod +x /etc/postfix/db/scripts/listdomains
  

  Installing ClamAV and milter-greylist

  apt-get install -y clamav-daemon clamav-freshclam clamav clamav-milter
  
  apt-get install -y milter-greylist
  

  Configuring clamav-milter:

  vim /etc/clamav/clamav-milter.conf

  MilterSocket inet:11025@127.0.0.1
  FixStaleSocket true
  User clamav
  AllowSupplementaryGroups true
  ReadTimeout 45
  Foreground false
  PidFile /var/run/clamav/clamav-milter.pid
  ClamdSocket unix:/var/run/clamav/clamd.ctl
  OnClean Accept
  OnInfected Reject
  OnFail Defer
  AddHeader no
  LogSyslog true
  LogFacility LOG_LOCAL6
  LogVerbose false
  LogInfected Basic
  LogClean Off
  LogRotate true
  MaxFileSize 25M
  SupportMultipleRecipients false
  RejectMsg Virus detected - %v
  TemporaryDirectory /tmp
  LogFile /var/log/clamav/clamav-milter.log
  LogTime true
  LogFileUnlock false
  LogFileMaxSize 25M
  MilterSocketGroup clamav
  MilterSocketMode 660
  

  Configuring milter-greylist:

  vim /etc/default/milter-greylist

  ENABLED=1
  SOCKET="inet:11125@127.0.0.1"
  

  vim /etc/milter-greylist/greylist.conf

  pidfile "/var/run/milter-greylist.pid"
  dumpfile "/var/lib/milter-greylist/greylist.db" 600
  dumpfreq 10m
  nospf
  stat "|logger -p local7.info" "%T{%Y/%m/%d %T} %d [%i] %r -> %f %S (ACL %A) %Xc %Xe %Xm %Xh"
  quiet
  list "my network" addr { 127.0.0.1/8 }
  # This is a list of broken MTAs that break with greylisting. Derived from
  # http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.16
  list "broken mta" addr {  \
      12.5.136.141/32  \ # Southwest Airlines (unique sender)
      12.5.136.142/32  \ # Southwest Airlines
      12.5.136.143/32  \ # Southwest Airlines
      12.5.136.144/32  \ # Southwest Airlines
      12.107.209.244/32 \ # kernel.org (unique sender)
      12.107.209.250/32 \ # sourceware.org (unique sender)
      63.82.37.110/32  \ # SLmail
      63.169.44.143/32  \ # Southwest Airlines
      63.169.44.144/32  \ # Southwest Airlines
      64.7.153.18/32   \ # sentex.ca (common pool)
      64.12.136.0/24   \ # AOL (common pool)
      64.12.137.0/24   \ # AOL
      64.12.138.0/24   \ # AOL
      64.124.204.39   \ # moveon.org (unique sender)
      64.125.132.254/32 \ # collab.net (unique sender)
      64.233.160.0/19  \ # Google
      66.94.237.16/28  \ # Yahoo Groups servers (common pool)
      66.94.237.32/28  \ # Yahoo Groups servers (common pool)
      66.94.237.48/30  \ # Yahoo Groups servers (common pool)
      66.100.210.82/32  \ # Groupwise?
      66.135.192.0/19  \ # Ebay
      66.162.216.166/32 \ # Groupwise?
      66.206.22.82/32  \ # Plexor
      66.206.22.83/32  \ # Plexor
      66.206.22.84/32  \ # Plexor
      66.206.22.85/32  \ # Plexor
      66.218.66.0/23   \ # Yahoo Groups servers (common pool)
      66.218.67.0/23   \ # Yahoo Groups servers (common pool)
      66.218.68.0/23   \ # Yahoo Groups servers (common pool)
      66.218.69.0/23   \ # Yahoo Groups servers (common pool)
      66.27.51.218/32  \ # ljbtc.com (Groupwise)
      66.102.0.0/20   \ # Google
      66.249.80.0/20   \ # Google
      72.14.192.0/18   \ # Google
      74.125.0.0/16   \ # Google
      152.163.225.0/24  \ # AOL
      194.245.101.88/32 \ # Joker.com
      195.235.39.19/32  \ # Tid InfoMail Exchanger v2.20
      195.238.2.0/24   \ # skynet.be (weird retry pattern, common pool)
      195.238.3.0/24   \ # skynet.be
      195.46.220.208/32 \ # mgn.net
      195.46.220.209/32 \ # mgn.net
      195.46.220.210/32 \ # mgn.net
      195.46.220.211/32 \ # mgn.net
      195.46.220.221/32 \ # mgn.net
      195.46.220.222/32 \ # mgn.net
      204.107.120.10/32 \ # Ameritrade (no retry)
      205.188.0.0/16   \ # AOL
      205.206.231.0/24  \ # SecurityFocus.com (unique sender)
      207.115.63.0/24  \ # Prodigy - retries continually
      207.171.168.0/24  \ # Amazon.com
      207.171.180.0/24  \ # Amazon.com
      207.171.187.0/24  \ # Amazon.com
      207.171.188.0/24  \ # Amazon.com
      207.171.190.0/24  \ # Amazon.com
      209.132.176.174/32 \ # sourceware.org mailing lists (unique sender)
      209.85.128.0/17  \ # Google
      211.29.132.0/24  \ # optusnet.com.au (weird retry pattern)
      213.136.52.31/32  \ # Mysql.com (unique sender)
      216.33.244.0/24  \ # Ebay
      216.239.32.0/19  \ # Google
      217.158.50.178/32 \ # AXKit mailing list (unique sender)
  }
  list "whitelist users" rcpt { \
      socha@socha.it \
  }
  racl whitelist list "my network"
  racl whitelist list "broken mta"
  racl whitelist list "whitelist users"
  racl greylist default delay 15m autowhite 3d
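
The policy those racl lines express, modelled as an added Python example (not part of this page or of milter-greylist): the "my network" and "whitelist users" lists short-circuit, any other (client IP, sender, recipient) triplet is tempfailed on first contact, accepted once the 15m delay has elapsed, and then autowhitelisted for 3d. The "broken mta" list and SPF are left out, and refreshing the autowhite entry on each accepted delivery is assumed.

```python
from ipaddress import ip_address, ip_network

# Parameters taken from the greylist.conf on this page (times in seconds).
DELAY = 15 * 60             # racl greylist default delay 15m
AUTOWHITE = 3 * 24 * 3600   # autowhite 3d
MY_NETWORK = [ip_network("127.0.0.1/8", strict=False)]  # list "my network"
WHITELIST_RCPT = {"socha@socha.it"}                      # list "whitelist users"


class Greylister:
    """Simplified model of the racl evaluation configured above.

    Lists are checked in racl order. State is keyed on the
    (client IP, sender, recipient) triplet, as in milter-greylist.
    """

    def __init__(self):
        self.pending = {}    # triplet -> unix time of the first attempt
        self.autowhite = {}  # triplet -> unix time the autowhite entry expires

    def decide(self, client_ip, sender, rcpt, now):
        """Return (action, reason); action is whitelist, tempfail or accept."""
        ip = ip_address(client_ip)
        if any(ip in net for net in MY_NETWORK):
            return ("whitelist", 'list "my network"')
        if rcpt.lower() in WHITELIST_RCPT:
            return ("whitelist", 'list "whitelist users"')
        triplet = (client_ip, sender.lower(), rcpt.lower())
        expiry = self.autowhite.get(triplet)
        if expiry is not None and now < expiry:
            # Assumption: the autowhite timer restarts on every accepted delivery.
            self.autowhite[triplet] = now + AUTOWHITE
            return ("whitelist", "autowhite")
        self.autowhite.pop(triplet, None)
        first = self.pending.get(triplet)
        if first is None:
            # First contact from this triplet: ask the sender to retry later.
            self.pending[triplet] = now
            return ("tempfail", "greylisted, retry in %d s" % DELAY)
        if now - first < DELAY:
            return ("tempfail", "retried too early, %d s left" % (DELAY - (now - first)))
        # Delay honoured: accept and remember the triplet for AUTOWHITE seconds.
        del self.pending[triplet]
        self.autowhite[triplet] = now + AUTOWHITE
        return ("accept", "delay satisfied, autowhitelisted for %d s" % AUTOWHITE)
```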
  

  Start the services:

  update-rc.d milter-greylist enable
  service milter-greylist restart
  update-rc.d clamav-freshclam enable
  update-rc.d clamav-daemon enable
  update-rc.d clamav-milter enable
  service clamav-freshclam restart
  service clamav-daemon restart
  service clamav-milter restart
  

  Restart postfix:

  postfix check
  service postfix restart
  

  Testing

  AV on port 25

  smtptest localhost
  >>
  MAIL FROM: <test@dataspace.pl>
  RCPT TO: <socha@dataspace.pl>
  DATA
  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  .
  

  AV on port 587 (submission)

  smtptest -m PLAIN -p 587 -a administrator@optimus.example.pl localhost
  smtptest -m LOGIN -p 587 -a administrator@optimus.example.pl localhost
  smtptest -m CRAM-MD5 -p 587 -a administrator@optimus.example.pl localhost
  
  >>
  MAIL FROM: <socha@dataspace.pl>
  RCPT TO: <socha@dataspace.pl>
  DATA
  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  .
  

  Testing greylisting, rejection of invalid addresses, relaying, etc.
  Test address: admin@ilgwysylka.pl

  From another host on the network:

  nc mail.example.pl 25
  >>
  EHLO l.pl
  MAIL FROM: <socha@dataspace.pl>
  RCPT TO: <socha@socha.it>
  RCPT TO: <none@ilgwysylka.pl>
  RCPT TO: <admin@ilgwysylka.pl>
  

  Creating users/domains

  Add the user to the sasldb database:

  saslpasswd2 -f /etc/sasl/mail.db -c -u <DOMAIN> <USER>
  

  Create the mailbox:

  cyradm -u administrator@optimus.example.pl localhost
  

  Then, at the cyradm prompt:

  cm user/<USER>@<DOMAIN>
  sq user/<USER>@<DOMAIN> 20971520
  

  The quota is expressed in KB (the above sets the limit to 20 GB).

  Reconfigure postfix:

  /etc/postfix/db/refresh
  postfix reload
  
