Postfix + Amavis-NEW + Spamassassin + ClamAV + SPF + Postgrey + DKIM + DMARC

From SemarkIT

Architecture

                                                                                                [SpamAssassin]
                                                                      -> [SPF check] --             ^   |
                                                                     |                 |            |   v
Email --> [(Port 25) Postfix] --> PostSCREEN --> [(10023) Postgrey] -|-> [DKIM check] -|--> [(10024) amavisd-new] --> [(10025) Postfix] --> Mailbox
                                                                     |                 |            |   ^
                                                                      -> [DMARC check] -            v   |
                                                                                                  [ClamAV]

Package installation

apt-get install amavisd-new spamassassin clamav clamav-daemon clamav-freshclam zoo unzip bzip2 p7zip cpio lhasa cabextract \
tnef pax postfix libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop razor pyzor altermime arj ripole unrar \
postfix-pcre sasl2-bin postgrey postfix-policyd-spf-python opendkim opendkim-tools

Configuration

Amavis-NEW

nano /etc/amavis/conf.d/01-debian
[ ... ]
$lha        = 'lha';
$unrar      = ['rar', 'unrar']; #disabled (non-free, no security support)
$unfreeze   = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
[ ... ]
nano /etc/amavis/conf.d/15-content_filter_mode
#@bypass_virus_checks_maps = (
#  \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

to

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
#@bypass_spam_checks_maps = (
#  \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

to

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
nano /etc/amavis/conf.d/20-debian_defaults
[ ... ] 
$QUARANTINEDIR = "$MYHOME/virusmails";

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc.

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listening socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = -9999;  # add spam info headers if at, or above that level - this will add X-spam-header to all messages
$sa_tag2_level_deflt = 3.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 4.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 7;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

[...]
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_BOUNCE;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
[...]
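The four sa_*_level values above form a ladder, and it is easy to misread which rung does what. The following is an added example, not code from the original page: it applies the page's thresholds and $final_spam_destiny to a SpamAssassin score and returns the headers amavisd-new would add together with the action it takes. The header layout follows amavisd-new's defaults (X-Spam-Level carries one '*' per whole point of score, at most 64, none for a negative score); the scores fed in are constructed.

```python
# Added example, not code from the original page: how the amavisd-new
# threshold values quoted above decide a message's fate. The thresholds and
# $final_spam_destiny are the page's; the header layout follows amavisd-new's
# defaults (X-Spam-Level carries one '*' per whole point of score, at most 64,
# and none for a negative score). Scores below are constructed.

SA_TAG_LEVEL = -9999        # $sa_tag_level_deflt: X-Spam-* headers on every message
SA_TAG2_LEVEL = 3.31        # $sa_tag2_level_deflt: "spam detected" headers + Subject tag
SA_KILL_LEVEL = 4.31        # $sa_kill_level_deflt: evasive action ($final_spam_destiny)
SA_DSN_CUTOFF = 7           # $sa_dsn_cutoff_level: above this no bounce is generated
SPAM_SUBJECT_TAG = "***SPAM*** "   # $sa_spam_subject_tag
FINAL_SPAM_DESTINY = "D_BOUNCE"    # the page's $final_spam_destiny


def spam_level_header(score: float) -> str:
    """Value of X-Spam-Level: one '*' per whole point, capped at 64, none below 0."""
    return "*" * max(0, min(int(score), 64))


def amavis_disposition(score: float, subject: str = "hello") -> dict:
    """Headers amavisd-new adds and the action it takes for a SpamAssassin score."""
    headers = {}
    if score >= SA_TAG_LEVEL:            # at -9999 this is true for every message
        headers["X-Spam-Level"] = spam_level_header(score)
        headers["X-Spam-Score"] = f"{score:.3f}"
    is_spam = score >= SA_TAG2_LEVEL
    headers["X-Spam-Status"] = (
        f"{'Yes' if is_spam else 'No'}, score={score:.3f} "
        f"tag={SA_TAG_LEVEL} tag2={SA_TAG2_LEVEL} kill={SA_KILL_LEVEL}"
    )
    if is_spam:
        headers["X-Spam-Flag"] = "YES"
        subject = SPAM_SUBJECT_TAG + subject

    if score < SA_KILL_LEVEL:
        action = "pass"      # delivered to the mailbox, tagged if is_spam
    elif FINAL_SPAM_DESTINY == "D_BOUNCE" and score < SA_DSN_CUTOFF:
        action = "bounce"    # not delivered; a non-delivery notice goes to the envelope sender
    else:
        action = "discard"   # not delivered and no DSN: D_BOUNCE degrades to D_DISCARD above the cutoff
    return {"action": action, "subject": subject, "headers": headers}


if __name__ == "__main__":
    for s in (-1.2, 2.0, 3.5, 5.0, 7.5):           # constructed scores
        d = amavis_disposition(s)
        print(f"score {s:5.2f}: {d['action']:7s} level={d['headers']['X-Spam-Level']!r} "
              f"subject={d['subject']!r}")
```

The "bounce" band between 4.31 and 7 is worth noticing: spam sender addresses are usually forged, so a D_BOUNCE there sends non-delivery notices to third parties (backscatter). The amavisd-new default configuration comments recommend D_DISCARD or D_REJECT for spam for exactly this reason; $sa_dsn_cutoff_level only suppresses the DSN for the high-scoring part of the band.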

Add the clamav user to the amavis group

adduser clamav amavis

ClamAV

nano /etc/clamav/freshclam.conf
[...]
NotifyClamd /etc/clamav/clamd.conf
[...]

Postfix

Run the following commands:

postconf -e 'header_checks = pcre:/etc/postfix/header_checks'
postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'

Open header_checks:

nano /etc/postfix/header_checks

and add the following at the bottom. Note that the re-injection listener on port 10025 (configured in master.cf below) sets receive_override_options=no_header_body_checks, so these rules only match X-Spam headers that are already present when a message arrives on port 25; they do not act on the headers amavisd-new itself adds.

/^X-Spam-level: \*\*\*\*\*\*\*.*$/ DISCARD
/^X-Spam-Status: Yes/ DISCARD

Open master.cf

nano /etc/postfix/master.cf

and add the following at the bottom of the file

[ ... ]
amavis unix - - - - 2 smtp
       -o smtp_data_done_timeout=1200
       -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
       -o content_filter=
       -o local_recipient_maps=
       -o relay_recipient_maps=
       -o smtpd_delay_reject=no
       -o smtpd_restriction_classes=
       -o smtpd_client_restrictions=
       -o smtpd_helo_restrictions=
       -o smtpd_sender_restrictions=
       -o smtpd_recipient_restrictions=permit_mynetworks,reject
       -o smtpd_data_restrictions=reject_unauth_pipelining
       -o smtpd_end_of_data_restrictions=
       -o mynetworks=127.0.0.0/8,[::1]/128
       -o smtpd_error_sleep_time=0
       -o smtpd_soft_error_limit=1001
       -o smtpd_hard_error_limit=1000
       -o smtpd_client_connection_count_limit=0
       -o smtpd_client_connection_rate_limit=0
       -o strict_rfc821_envelopes=yes
       -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
       -o smtp_bind_address=127.0.0.1,[::1]

Restart Postfix and check that it works by running the following command.

netstat -tap

and check that something like the following appears

[ ... ]
tcp        0      0 localhost:10024         *:*                     LISTEN      3659/amavisd (maste
tcp        0      0 localhost:10025         *:*                     LISTEN      24744/master  
[ ... ]

SMTPS

nano /etc/postfix/main.cf
# SMTP
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

smtpd_use_tls = yes
# ssl-cert-snakeoil is the self-signed placeholder installed by the ssl-cert package;
# replace both paths with your own certificate and key before going live
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous


smtpd_sender_restrictions = 
       permit_sasl_authenticated, 
       permit_mynetworks

smtpd_recipient_restrictions =
       permit_sasl_authenticated,
       permit_mynetworks,
       reject_invalid_hostname,
       reject_unknown_recipient_domain,
       reject_unauth_destination,
       reject_rhsbl_client blackhole.securitysage.com,
       reject_rhsbl_sender blackhole.securitysage.com,
       reject_rbl_client sbl.spamhaus.org,
       reject_rbl_client sbl-xbl.spamhaus.org,
       reject_rbl_client relays.ordb.org,
       reject_rbl_client blackholes.easynet.nl,
       reject_rbl_client cbl.abuseat.org,
       reject_rbl_client proxies.blackholes.wirehub.net,
       reject_rbl_client bl.spamcop.net,
       permit

Several of the DNSBL zones above are no longer operated; relays.ordb.org, for example, was shut down in 2006 and later answered positively for every query, so servers still consulting it rejected all inbound mail. Before relying on a zone, check that it lists the RFC 5782 test address 127.0.0.2 and does not list 127.0.0.1.
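
A DNSBL that has been retired fails in one of two ways: it stops answering, so the check silently contributes nothing, or it answers for every query, so reject_rbl_client rejects all inbound mail. The following is an added example, not code from the original page: it classifies each zone named in the restrictions above using the RFC 5782 section 5 rule (127.0.0.2 must be listed, 127.0.0.1 must not be). The resolver is a parameter so the logic can be exercised offline with a constructed answer table; the __main__ block uses live DNS.

```python
# Added example, not code from the original page: health-check the DNSBL
# zones listed in smtpd_recipient_restrictions above. A working DNSBL must
# list the test address 127.0.0.2 and must not list 127.0.0.1 (RFC 5782,
# section 5). A zone that lists 127.0.0.1 answers for everything and would
# reject all inbound mail; one that lists nothing is dead or unreachable and
# silently stops contributing. The resolver is a parameter so the logic can
# be exercised offline with a constructed answer table.
import socket

ZONES = [                                   # the zones from the page's main.cf
    "sbl.spamhaus.org", "sbl-xbl.spamhaus.org", "relays.ordb.org",
    "blackholes.easynet.nl", "cbl.abuseat.org",
    "proxies.blackholes.wirehub.net", "bl.spamcop.net",
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name Postfix looks up for reject_rbl_client: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(name: str, resolve=socket.gethostbyname) -> bool:
    """An A record means 'listed'; NXDOMAIN or any lookup failure means 'not listed'."""
    try:
        resolve(name)
        return True
    except OSError:          # socket.gaierror is an OSError
        return False


def classify_zone(zone: str, resolve=socket.gethostbyname) -> str:
    """'healthy', 'dead' (test address not listed) or 'lists-everything' (127.0.0.1 listed)."""
    if is_listed(dnsbl_query_name("127.0.0.1", zone), resolve):
        return "lists-everything"
    if not is_listed(dnsbl_query_name("127.0.0.2", zone), resolve):
        return "dead"
    return "healthy"


def table_resolver(table: dict):
    """Resolver backed by a constructed {name: address} table, for offline use."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise OSError(f"NXDOMAIN {name}")
    return resolve


def audit(zones=ZONES, resolve=socket.gethostbyname) -> dict:
    """Classify every zone; run this before adding a zone to main.cf and again periodically."""
    return {zone: classify_zone(zone, resolve) for zone in zones}


if __name__ == "__main__":
    for zone, state in audit().items():    # live DNS; needs network access
        print(f"{zone:35s} {state}")
```

Run it from cron and alert on anything other than "healthy": "dead" also covers a zone that has started rate-limiting or refusing your resolver, which is how the large public lists respond to heavy use through shared resolvers.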
nano /etc/postfix/master.cf
smtp      inet  n       -       -       -       -       smtpd

# -o name=value options in master.cf must not have whitespace around the =
submission inet n       -       -       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
nano /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
# pwcheck_method: auxprop
# auxprop_plugin: pam
# saslauthd can only verify plaintext passwords, so of the mechanisms below only
# PLAIN and LOGIN will work; the shared-secret ones (DIGEST-MD5, CRAM-MD5, NTLM) need auxprop
mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
log_level: 7
allow_plaintext: true
nano /etc/default/saslauthd

Change the following:

START=yes
[ ... ]
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Enabling SASL authentication in the Postfix SMTP/LMTP client

This section shows a typical scenario where the Postfix SMTP client sends all messages via a mail gateway server that requires SASL authentication.

nano /etc/postfix/main.cf

Add the following to your main.cf file

# SMTP
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login, plain
# smtp_tls_security_level = may
smtp_tls_security_level = encrypt
relayhost = [mail.example.com]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
nano /etc/postfix/sasl_passwd
[mail.example.com]:587 <some-username>:<some-password>
postmap /etc/postfix/sasl_passwd
# sasl_passwd and the generated sasl_passwd.db hold the relay password in plaintext;
# keep both readable by root only

Spamassasin

nano /etc/default/spamassassin
[ ... ]
ENABLED=1
[ ... ]
CRON=1
[ ... ]
nano /etc/spamassassin/local.cf
#   Add *****SPAM***** to the Subject header of spam e-mails
#
rewrite_header Subject *****SPAM*****

#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
report_safe 1

#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.

#   Set file-locking method (flock is not safe over NFS, but is faster)
#
lock_method flock

#   Set the threshold at which a message is considered spam (default: 5.0)
#
required_score 5.0

#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#

# Pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1

# Razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf 

# Use Bayesian classifier
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

FuzzyOcr

apt-get install netpbm gifsicle libungif-bin gocr ocrad libstring-approx-perl libmldbm-sync-perl imagemagick tesseract-ocr fuzzyocr
http://fuzzyocr.own-hero.net/wiki/Downloads
wget -c http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-3.6.0.tar.gz
tar -zxf fuzzyocr-3.6.0.tar.gz
cd FuzzyOcr-3.6.0
mv FuzzyOcr* /etc/mail/spamassassin/
vi /etc/mail/spamassassin/FuzzyOcr.cf
[...]
focr_global_wordlist /etc/mail/spamassassin/FuzzyOcr.words
[...]

Change

[...]
focr_bin_helper pnmnorm, pnminvert, pamthreshold, ppmtopgm, pamtopnm
focr_bin_helper tesseract
[...]

to

[...]
focr_bin_helper pnmnorm, pnminvert, convert, ppmtopgm, tesseract
[...]

Add

[...]
# Search path for locating helper applications
focr_path_bin /usr/local/netpbm/bin:/usr/local/bin:/usr/bin

focr_preprocessor_file /etc/mail/spamassassin/FuzzyOcr.preps
focr_scanset_file /etc/mail/spamassassin/FuzzyOcr.scansets

focr_enable_image_hashing 2
focr_digest_db /etc/mail/spamassassin/FuzzyOcr.hashdb
focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db
[...]

Test FuzzyOcr

spamassassin --debug FuzzyOcr < /usr/src/FuzzyOcr-3.6.0/samples/ocr-gif.eml > /dev/null

If the output looks something like this:

[...]
[30678] info: FuzzyOcr: Scanset "ocrad" found word "target" with fuzz of 0.0000
[30678] info: FuzzyOcr: line: "short term price target oo"
[30678] info: FuzzyOcr: Scanset "ocrad" found word "service" with fuzz of 0.0000
[30678] info: FuzzyOcr: line: "trading on the frankfurt stock exchange the company has retained the services ofbaltic"
[30678] info: FuzzyOcr: Scanset "ocrad" found word "stock" with fuzz of 0.0000
[30678] info: FuzzyOcr: line: "hot energy stocki"
[30678] info: FuzzyOcr: Scanset "ocrad" found word "stock" with fuzz of 0.0000
[30678] info: FuzzyOcr: line: "trading on the frankfurt stock exchange the company has retained the services ofbaltic"
[30678] info: FuzzyOcr: Scanset "ocrad" found word "price" with fuzz of 0.0000
[30678] info: FuzzyOcr: line: "current price o"
[30678] info: FuzzyOcr: Scanset "ocrad" found word "price" with fuzz of 0.0000
[30678] info: FuzzyOcr: line: "short term price target oo"
[30678] info: FuzzyOcr: Scanset "ocrad" found word "company" with fuzz of 0.0000
[30678] info: FuzzyOcr: line: "trading on the frankfurt stock exchange the company has retained the services ofbaltic"
[30678] info: FuzzyOcr: Scanset "ocrad" found word "recommendation" with fuzz of 0.0000
[30678] info: FuzzyOcr: line: "sboog bup recommendation"
[30678] dbg: FuzzyOcr: Enough OCR Hits without space stripping, skipping second matching pass...
[30678] info: FuzzyOcr: Scanset "ocrad" generates enough hits (8), skipping further scansets...
[30678] info: FuzzyOcr: Message is spam, score = 15.000
[30678] info: FuzzyOcr: Adding Hash to "/etc/mail/spamassassin/FuzzyOcr.db" with score "15.000"
[30678] dbg: FuzzyOcr: Digest: 538584:327:549:7::255:255:255:255:168580::0:0:0:0:9098::0:128:0:75:1086::0:0:128:15:395::128:0:128:53:213::0:0:255:29:115
[30678] info: FuzzyOcr: Words found:
[30678] info: FuzzyOcr: "target" in 1 lines
[30678] info: FuzzyOcr: "service" in 1 lines
[30678] info: FuzzyOcr: "stock" in 2 lines
[30678] info: FuzzyOcr: "price" in 2 lines
[30678] info: FuzzyOcr: "company" in 1 lines
[30678] info: FuzzyOcr: "recommendation" in 1 lines
[30678] info: FuzzyOcr: (12 word occurrences found)
[30678] dbg: FuzzyOcr: Remove DIR: /tmp/.spamassassin30678nbEa6Utmp
[30678] dbg: FuzzyOcr: FuzzyOcr ending successfully...
[30678] dbg: FuzzyOcr: Processed in 0.495910 sec.

Add Postfix to sasl group

adduser postfix sasl
/etc/init.d/postfix restart

Postgrey

The postgrey package is a greylisting implementation for Postfix. It is a breeze to set up and stopped 90% of my spam in conjunction with blacklisting.
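Greylisting works because most spam-sending software does not queue and retry after a temporary failure, while every real MTA does. The following is an added example, not Postgrey's code or code from the original page: a minimal policy server in Postgrey's style that shows what the --delay=60 option used below means, keyed on the (client IP, sender, recipient) triplet and speaking the Postfix policy delegation protocol that check_policy_service uses. Postgrey additionally whitelists clients, expires old triplets and normalizes sender addresses; none of that is modelled. All addresses and timestamps are constructed.

```python
# Added example, not code from the original page: a minimal greylisting
# policy server in the style of Postgrey, showing what --delay=60 means in
# practice. Postgrey keys on the (client IP, sender, recipient) triplet: the
# first attempt is deferred with a 450 code, a retry after the delay is
# accepted, and from then on the triplet is passed. Postgrey additionally
# whitelists clients, expires old triplets and normalizes sender addresses;
# none of that is modelled here. handle_request speaks the Postfix policy
# delegation protocol used by check_policy_service.
import time


class Greylist:
    def __init__(self, delay_seconds: int = 60):      # --delay=60 from the page
        self.delay = delay_seconds
        self.first_seen = {}      # triplet -> time of first attempt
        self.passed = set()       # triplets that retried after the delay

    def policy(self, client_ip: str, sender: str, recipient: str, now=None) -> str:
        """Return a policy action: 'DUNNO' (let later restrictions decide) or a 450 defer."""
        now = time.time() if now is None else now
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:
            return "DUNNO"
        first = self.first_seen.setdefault(triplet, now)   # remember the first attempt only
        if now - first >= self.delay:
            self.passed.add(triplet)
            return "DUNNO"
        # DEFER_IF_PERMIT lets an explicit later reject win over the temporary failure.
        return "DEFER_IF_PERMIT 450 4.2.0 Greylisted, please try again later"

    def handle_request(self, raw: str, now=None) -> str:
        """Parse one name=value request (terminated by a blank line); answer 'action=...'."""
        attrs = dict(line.split("=", 1) for line in raw.strip().splitlines() if "=" in line)
        action = self.policy(attrs["client_address"], attrs["sender"], attrs["recipient"], now)
        return f"action={action}\n\n"


if __name__ == "__main__":
    g = Greylist(60)
    request = ("request=smtpd_access_policy\nclient_address=192.0.2.1\n"
               "sender=alice@sender.example\nrecipient=bob@example.com\n\n")   # constructed
    print(g.handle_request(request, now=1000), end="")   # first attempt: deferred
    print(g.handle_request(request, now=1030), end="")   # retry too early: deferred again
    print(g.handle_request(request, now=1060), end="")   # retry after the delay: DUNNO
```

Two details matter operationally. A retry before the delay has elapsed does not reset the timer, otherwise a sender retrying every 30 seconds would never get through. And the answer is DUNNO rather than OK, so the restrictions listed after check_policy_service in smtpd_recipient_restrictions still run for greylisted-then-passed clients.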

nano /etc/default/postgrey

Add the following:

POSTGREY_OPTS="--inet=10023 --delay=60"
/etc/init.d/postgrey restart

Open main.cf and check that you have at least the following in your smtpd_recipient_restrictions

nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    ...
    check_policy_service inet:127.0.0.1:10023
    ...
    permit


Check that Postgrey is running

netstat -anp | grep 10023 

The output should be something similar to:

tcp        0      0 127.0.0.1:10023         0.0.0.0:*               LISTEN     18478/postgrey.pid

SPF

SPF is an e-mail anti-forgery technology that enables domain owners to list, in the Domain Name System (DNS), the authorized sources of mail for their domains. It enables mail receivers to reject mail that does not come from authorized sources. This guide describes the second part of the protocol, rejecting mail from unauthorized sources.

Configuration

Add the following to the bottom of your main.cf

nano /etc/postfix/main.cf
# SPF
policy-spf_time_limit   = 3600s

Add this section to the bottom of your /etc/postfix/master.cf

nano /etc/postfix/master.cf
policy-spf  unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/bin/policyd-spf

Now re-open main.cf and check that you have at least the following in your smtpd_recipient_restrictions

nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    ...
    check_policy_service unix:private/policy-spf
    ...
    permit

NB. If you also have Postgrey (greylisting) running, make sure the SPF check comes after it.

DNS Record

Now your server is checking SPF rules, but your domain doesn't have any set for other servers to check yours. Since my own SPF rules are a bit complex, I will only provide a simple example for this article

<domain>.<prefix> IN TXT "v=spf1 redirect=_spf.<domain>.<prefix>"
_spf.<domain>.<prefix> IN TXT "v=spf1 mx:<domain>.<prefix> ip4:<your mail server's external IPv4> ip6:<your mail server's external IPv6> -all"
<domain>.<prefix> IN TXT "spf2.0/pra redirect=_spf.<domain>.<prefix>"
_spf.<domain>.<prefix> IN TXT "spf2.0/pra mx:<domain>.<prefix> ip4:<your mail server's external IPv4> ip6:<your mail server's external IPv6> -all"

The IPv4 mechanism is spelled ip4 (there is no ip: mechanism in SPF). The spf2.0/pra records are Sender ID (RFC 4406) policy; SPF checkers such as policyd-spf only read the v=spf1 records, so the second pair is optional.

For more information see http://en.wikipedia.org/wiki/Sender_Policy_Framework#Implementation
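To see how a receiver evaluates the two records above, here is an added example, not code from the original page or from policyd-spf: a small SPF evaluator that handles exactly the terms the records use (ip4, ip6, mx, -all and the redirect= modifier) and follows the redirect from the apex to _spf. DNS answers come from a constructed table so it runs offline; example.com, 192.0.2.25 and 2001:db8::25 stand in for the placeholders. The policyd-spf installed above is a full implementation (include, a, ptr, exists, macros, lookup limits); this is not.

```python
# Added example, not code from the original page: a small SPF evaluator that
# handles exactly the terms the records above use (ip4, ip6, mx, -all and the
# redirect= modifier) and follows the redirect from the apex to _spf. DNS
# answers come from a constructed table so it runs offline; example.com,
# 192.0.2.25 and 2001:db8::25 stand in for the placeholders in the records.
import ipaddress

DNS = {   # constructed zone data mirroring the page's two TXT records
    ("example.com", "TXT"): ["v=spf1 redirect=_spf.example.com"],
    ("_spf.example.com", "TXT"): ["v=spf1 mx:example.com ip4:192.0.2.25 ip6:2001:db8::25 -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("mail.example.com", "AAAA"): ["2001:db8::25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str, dns=DNS) -> list:
    return dns.get((name.lower(), rtype), [])


def spf_record(domain: str, dns=DNS):
    """The domain's v=spf1 TXT record, or None (SPF result 'none')."""
    for txt in lookup(domain, "TXT", dns):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def ip_in(ip: str, network_text: str) -> bool:
    """ip4:/ip6: match; an address of the other family never matches."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network_text, strict=False)


def mx_matches(ip: str, domain: str, dns=DNS) -> bool:
    """mx: match; the client IP equals an A/AAAA address of one of the domain's MX hosts."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    return any(ipaddress.ip_address(a) == addr
               for mx in lookup(domain, "MX", dns)
               for a in lookup(mx, rtype, dns))


def check_host(ip: str, domain: str, dns=DNS, depth: int = 0) -> str:
    """SPF check_host(): 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:                           # redirect loop guard
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        if "=" in term:                      # modifiers: only redirect= is handled
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = ip_in(ip, arg)
            except ValueError:
                return "permerror"
        elif mech == "mx":
            matched = mx_matches(ip, arg or domain, dns)
        else:
            return "permerror"               # mechanism this small evaluator does not implement
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                             # nothing matched: evaluate the redirect target instead
        return check_host(ip, redirect, dns, depth + 1)
    return "neutral"


if __name__ == "__main__":
    for client in ("192.0.2.25", "2001:db8::25", "198.51.100.7"):   # constructed client IPs
        print(f"{client:15s} -> {check_host(client, 'example.com')}")
```

The order of terms is the policy: the first matching mechanism decides, so the -all at the end only applies to clients that matched neither mx nor the listed addresses, which is what makes the record an allow-list.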

OpenDKIM

DomainKeys Identified Mail (DKIM) is a method for E-mail authentication, allowing a person who receives email to verify that the message actually comes from the domain that it claims to have come from. The need for this type of authentication arises because spam often has forged headers.

DKIM uses public-key cryptography to allow the sender to electronically sign legitimate emails in a way that can be verified by recipients.

DKIM also guards against tampering with mail, offering almost end-to-end integrity from a signing to a verifying Mail transfer agent (MTA).

Read more on Wikipedia

dkim-milter is a milter-based application (dkim-filter) which plugs in to Postfix to provide DomainKeys Identified Mail service for your mail server. dkim-milter is no longer being developed, and its original author has forked the source and is now developing opendkim.

Configuration

apt-get install opendkim
nano /etc/opendkim.conf
[ ... ]

LogWhy                  yes
Syslog                  yes
SyslogFacility          mail

ADSPAction              continue
ADSPNoSuchDomain        no
AlwaysAddARHeader       yes
AuthservIDWithJobId     yes
Background              yes
AutoRestart             yes
Canonicalization        relaxed/relaxed
DNSTimeout              8
Mode                    sv
SubDomains              no
SignatureAlgorithm      rsa-sha256
X-Header                yes
Socket                  inet:10026@localhost

ExternalIgnoreList      file:/etc/opendkim/TrustedHosts
InternalHosts           file:/etc/opendkim/TrustedHosts

Selector                www
Domain                  *
MultipleSignatures      yes
KeyTable                file:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

[ ... ]
nano /etc/opendkim/KeyTable
<domain>.<prefix>       <domain>.<prefix>:<selector>:/etc/opendkim/keys/<domain>/<selector>.private
nano /etc/opendkim/SigningTable
*@<domain>.<prefix>     <domain>.<prefix>
nano /etc/opendkim/TrustedHosts
127.0.0.1
::1
localhost
# writes <selector>.private and <selector>.txt to the current directory;
# -t marks the key as testing (t=y) in the DNS record, remove it once verification works
opendkim-genkey -t -s <selector> -d <domain>.<prefix>
mv <selector>.private <selector>.txt /etc/opendkim/keys/<domain>/

DNS Record

After generating the key you will have a file called <selector>.txt; in it you will find the line for your DNS server:

_domainkey.<domain>.<prefix> IN TXT "o=-; n=http://dkim.org"; legacy DomainKeys policy record, optional; DKIM verifiers do not consult it
[SELECTOR]._domainkey.<domain>.<prefix> IN TXT "v=DKIM1; g=*; k=rsa; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB" ; ----- DKIM <selector> for <domain>.<prefix>

Postfix

nano /etc/postfix/main.cf

At the bottom of this file, add:

# openDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:10026
non_smtpd_milters = inet:localhost:10026

DMARC

apt-get install opendmarc
nano /etc/default/opendmarc

Add this to the bottom of the file

SOCKET="inet:10027@localhost"
nano /etc/postfix/main.cf

Add this to the bottom

smtpd_milters = inet:localhost:10027
non_smtpd_milters = inet:localhost:10027

NB. If you have more than one milter, e.g. OpenDKIM or another, list them all:

smtpd_milters = inet:localhost:10027, inet:localhost:10026
non_smtpd_milters = inet:localhost:10027, inet:localhost:10026

DNS record

_dmarc.<domain>.<prefix> IN TXT "v=DMARC1\; p=none\; sp=none\; aspf=r\; adkim=r\; fo=1\; rua=mailto:postmaster@<domain>.<prefix>\;"

In a zone file the value must be a single quoted string; the backslash before each ; is harmless inside the quotes and is only required by DNS front-ends that would otherwise treat ; as the start of a comment. p=none is monitoring only: receivers apply no policy, they just send aggregate reports to the rua address.

For more information about what you can set in your DMARC record, see https://support.google.com/a/answer/2466563?hl=en and https://dmarcian.com/dmarc-inspector/semarkit.net
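Before publishing, it pays to check that the record parses the way a receiver will read it. The following is an added example, not code from the original page: a parser and sanity-check for a DMARC TXT record that accepts the backslash-escaped form used above as well as a quoted zone-file string, then summarizes what the record actually asks receivers to do with DMARC's defaults filled in. The sample record is constructed for example.com.

```python
# Added example, not code from the original page: parse and sanity-check a
# DMARC TXT record such as the one above. It accepts the backslash-escaped
# form (v=DMARC1\; p=none\; ...) that some DNS front-ends require, as well as
# a quoted zone-file string, and reports the policy the record actually asks
# receivers to apply. The sample record is constructed for example.com.

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Return {tag: value} for a DMARC record, raising ValueError if it is malformed."""
    txt = txt.strip().strip('"').replace("\\;", ";")
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without value: {part!r}")
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":   # v=DMARC1 must come first
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    for addr_tag in ("rua", "ruf"):
        for uri in tags.get(addr_tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                raise ValueError(f"{addr_tag}= entries must be mailto: URIs")
    return tags


def is_valid(txt: str) -> bool:
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def describe(tags: dict) -> dict:
    """What the record asks of receivers, with the DMARC defaults filled in."""
    return {
        "policy": tags["p"],
        "subdomain_policy": tags.get("sp", tags["p"]),            # sp defaults to p
        "spf_alignment": "strict" if tags.get("aspf", "r") == "s" else "relaxed",
        "dkim_alignment": "strict" if tags.get("adkim", "r") == "s" else "relaxed",
        "percent": int(tags.get("pct", "100")),
        "aggregate_reports_to": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
        "monitor_only": tags["p"] == "none",
    }


# Constructed: the page's record with example.com in place of <domain>.<prefix>
SAMPLE = 'v=DMARC1\\; p=none\\; sp=none\\; aspf=r\\; adkim=r\\; fo=1\\; rua=mailto:postmaster@example.com\\;'

if __name__ == "__main__":
    for tag, value in describe(parse_dmarc(SAMPLE)).items():
        print(f"{tag:22s} {value}")
```

The usual progression is to publish with p=none, read the aggregate reports for a few weeks to find legitimate senders that fail alignment, then move to p=quarantine and finally p=reject; pct= lets the stricter policy be phased in on a fraction of mail.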

Restart all affected services

/etc/init.d/amavis stop && /etc/init.d/clamav-daemon stop && /etc/init.d/clamav-freshclam stop && /etc/init.d/spamassassin stop \
&& /etc/init.d/postgrey stop && /etc/init.d/postfix stop && /etc/init.d/opendkim stop && /etc/init.d/opendmarc stop
/etc/init.d/amavis start && /etc/init.d/clamav-daemon start && /etc/init.d/clamav-freshclam start && /etc/init.d/spamassassin start \
&& /etc/init.d/postgrey start && /etc/init.d/postfix start && /etc/init.d/opendkim start && /etc/init.d/opendmarc start

Check

tail -f /var/log/mail.log

Postfix Monitoring With Mailgraph

apt-get install rrdtool mailgraph
dpkg-reconfigure mailgraph 
Should Mailgraph start on boot? <-- Yes
Logfile used by mailgraph: <-- /var/log/mail.log
Count incoming mail as outgoing mail? <-- No
cp -p /usr/lib/cgi-bin/mailgraph.cgi /var/www/www.example.com/cgi-bin

You should now be able to open your website and see the graphs

http://www.example.com/cgi-bin/mailgraph.cgi

After some time you should be able to see graphs of the mail to your server, for example:

[Example graphs on the original page: MailgraphMonth1.jpg, MailgraphMonth2.jpg, Greylist.jpg, DMARC.png]
