
MollieLog6

Howto for postfix, mailscanner, cyrus installation on Sarge

To DO
=========

FireWall  (razor tcp port 2703 and 7)
snort/portsentry
Make Jail of Apache + SquirrelMail + PHP
DShield?

Basic stuff
===========
VIA EPIA Mini-ITX M6000
2* 20GB Hard disk
512 MB Ram

hda1	/		4.8G
hda5	/var		2.8G
hda6	/tmp		0.5G
hda7	/var/spool	11G
hda8	swap		0.5G

Install minimum Debian - Sarge.
Make sure you get a 2.6 kernel with RAID support.



	
General stuff
================================
apt-get install ntp-simple ntpdate ssh openssl less wget sharutils locales

For time servers, use pool.ntp.org together with a regional pool such as asia.pool.ntp.org or europe.pool.ntp.org
	(Check http://www.pool.ntp.org)

dpkg-reconfigure locales
Languages
	en_US ISO-8859-1
	en_US.UTF-8
	sv_SE ISO-8859-1
	sv_SE.UTF-8
	zh_CN GB2312
	zh_CN.UTF-8
	zh_TW BIG5
	zh_TW.UTF-8




inetd
=====
more /etc/inetd.conf
	for each service that is enabled
		update-inetd --disable <service>
		( update-inetd --disable discard daytime time )
/etc/init.d/inetd stop
vi /etc/init.d/inetd
	Add the following after /bin/sh
		# Do not use inetd
		exit 0

nsswitch.conf
=============
passwd:         files compat
group:          files compat
shadow:         files compat


CYRUS
================================
apt-get install cyrus21-imapd cyrus21-admin cyrus21-pop3d 
apt-get install libdb3-util sasl2-bin
-> .thuree.com

vi /etc/cyrus.conf
	select imaps, pop3s, and imap (for squirrelmail, using https)
	Event:
	------
	# Create the SQUAT index to speed up searches. Runs every 76 minutes.
        squat   cmd="/usr/sbin/squatter -r user" period=76
	

vi /etc/imapd.conf
	admins: root
	sasl_pwcheck_method: saslauthd
	sasl_mech_list: PLAIN LOGIN

vi /etc/default/saslauthd
	START=yes
	MECHANISMS="shadow"


Testing Cyrus Imap
------------------
mollie:/etc# telnet 127.0.0.1 imap
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK mollie Cyrus IMAP4 v2.1.14-IPv6-Debian-2.1.14-1 server ready

Fix mailboxes
-------------
/etc/init.d/saslauthd start
cyradm localhost
	createmailbox user.<mailbox> 
	setacl user.<mailbox> anyone p 

	li ==> Lookup + Insert (not read)
	setacl user.johan.INBOX ake li
	setacl user.maria.INBOX ake li



Postfix
=========================================
Good overview: http://www.akadia.com/services/postfix_mta.html
apt-get install postfix-tls postfix-pcre
-> Internet
-> mollie.thuree.com
-> No
-> Erase all
-> No
-> NONE (for mail to root)

vi /etc/postfix/main.cf
	mydomain = thuree.com
	myhostname = mollie.$mydomain
	mynetworks = 127.0.0.0/8, 192.168.10.0/24
	# Only trust local computer
	#mynetworks_style = host
	mydestination = $mydomain, $myhostname, localhost, localhost.$mydomain, mail.$mydomain, www.$mydomain
	mailbox_transport = cyrus
	# Empty on purpose: recipients are Cyrus mailboxes, not Unix accounts. Note that Postfix will then
	# accept mail for any name in mydestination and bounce it later if the Cyrus mailbox does not exist.
	local_recipient_maps =
	delay_warning_time = 4h
	# Only report major errors
	notify_classes = resource, software

Turn on Verbose logging
vi /etc/postfix/master.cf
	change "smtpd" to "smtpd -v"
	Column 5 (chroot) is "n" for NO and "-" for YES (the default)
		Start by running postfix in normal (non-chroot) mode. --> n

	#cyrus    unix  -       n       n       -       -       pipe
	#  flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m "${extension}" ${user}
	# Cyrus 2.1.5 (Amos Gouaux)
	cyrus     unix  -       n       n       -       -       pipe
	   user=cyrus argv=/usr/sbin/cyrdeliver -e -r ${sender} -m ${extension} ${user}

Make sure that postfix can talk with saslauthd
adduser postfix sasl

Prepare a test account temporarily
adduser test

start postfix
/etc/init.d/postfix stop
/etc/init.d/postfix start

Debug in one window
	tail -f /var/log/mail.log
mail test

Verify
	less /var/spool/cyrus/mail/t/user/test/1.
	telnet localhost 25
		EHLO thuree.com
		quit

mollie:/var/mail# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mollie.thuree.com ESMTP Postfix (Debian/GNU)
ehlo test.com
250-mollie.thuree.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.

	Telnet from a remote host
		telnet <ip> 25
			ehlo test.com
			quit
bengt@dellie:~$ telnet 192.168.20.50 25
Trying 192.168.20.50...
Connected to 192.168.20.50.
Escape character is '^]'.
220 mollie.thuree.com ESMTP Postfix (Debian/GNU)
ehlo test.com
250-mollie.thuree.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250 8BITMIME
mail from:bengt@test.com
250 Ok
rcpt to:test@thuree.com
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
Test from remote host
test #2
.
250 Ok: queued as DBB4A4F882
quit
221 Bye
Connection closed by foreign host.
bengt@dellie:~$

###### Make sure that you do not use an IP address from your MYNETWORKS range.

Verify to an external address
	Same as above, but change RCPT TO:<remote@user.com>
rcpt to:<remote@user.com>
554 <remote@user.com>: Recipient address rejected: Relay access denied

Add checks to postfix
---------------------
#---------------------
smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_recipient_restrictions =
            permit_sasl_authenticated
            permit_mynetworks
            reject_invalid_hostname
            reject_non_fqdn_hostname
            reject_non_fqdn_sender
            reject_non_fqdn_recipient
            reject_unknown_sender_domain
            reject_unknown_recipient_domain
            reject_unauth_destination
            check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
            check_helo_access hash:/etc/postfix/helo_checks
            check_sender_access hash:/etc/postfix/sender_checks
            check_client_access hash:/etc/postfix/client_checks
            check_client_access pcre:/etc/postfix/client_checks.pcre
            permit

smtpd_data_restrictions =
	reject_unauth_pipelining
	permit

client_checks.db  helo_checks.db  relay_certs.db 
sender_checks.db  sender_login_maps.db  tls_per_site.db

# Copy the template *checks and *checks.pcre files to /etc/postfix

Convert text files to hash db
-----------------------------
postmap helo_checks
postmap sender_checks
postmap client_checks
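The order of that restriction list is what keeps the server from becoming an open relay: Postfix walks the restrictions in order and the first one that answers permit or reject decides, so an access map that answers OK for postmaster@ placed before reject_unauth_destination would permit relaying to postmaster at any domain (the comments in recipient_checks.pcre further down make the same point). The following is an added example, not from this howto or from Postfix itself: a small Python model of that evaluation using the mynetworks, mydestination and recipient_checks.pcre values from this page; the client 192.168.20.77 and the example.net/remote.example addresses are constructed.

```python
"""Toy model of how Postfix walks an smtpd_recipient_restrictions list.

Added example, not code from the howto or from Postfix. It models only the
restrictions used on this page (permit_mynetworks, reject_unauth_destination,
check_recipient_access with the page's recipient_checks.pcre, permit) and the
first-definitive-answer rule: each restriction answers OK, REJECT or DUNNO
and the first OK/REJECT decides. The real implementation is more involved.
"""
import re
from ipaddress import ip_address, ip_network

# Values taken from the main.cf settings shown in the howto.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.10.0/24")]
MYDESTINATION = {"thuree.com", "mollie.thuree.com", "localhost",
                 "localhost.thuree.com", "mail.thuree.com", "www.thuree.com"}

# Rules from the page's recipient_checks.pcre, in file order.
RECIPIENT_CHECKS = [
    (re.compile(r"^\@"), "550 Invalid address format."),
    (re.compile(r"[!%\@].*\@"), "550 This server disallows weird address syntax."),
    (re.compile(r"^postmaster\@"), "OK"),
    (re.compile(r"^hostmaster\@"), "OK"),
    (re.compile(r"^abuse\@"), "OK"),
]


def permit_mynetworks(client, sender, rcpt):
    """OK for clients inside mynetworks, otherwise no opinion."""
    addr = ip_address(client)
    return "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(client, sender, rcpt):
    """Relay protection: the recipient domain must be one we accept mail for."""
    domain = rcpt.rpartition("@")[2].lower()
    return "DUNNO" if domain in MYDESTINATION else "REJECT 554 Relay access denied"


def check_recipient_access(client, sender, rcpt):
    """First matching pcre rule wins; a numeric action is a reject (regex
    tables match anywhere in the key unless the pattern is anchored)."""
    for pattern, action in RECIPIENT_CHECKS:
        if pattern.search(rcpt):
            return "OK" if action == "OK" else "REJECT " + action
    return "DUNNO"


def permit(client, sender, rcpt):
    return "OK"


def evaluate(restrictions, client, sender, rcpt):
    """Walk the list; the first restriction that is not DUNNO decides.
    Postfix also accepts when the end of the list is reached."""
    for restriction in restrictions:
        verdict = restriction(client, sender, rcpt)
        if verdict != "DUNNO":
            return verdict
    return "OK"


# The order used in the howto: relay protection before the access map.
PAGE_ORDER = [permit_mynetworks, reject_unauth_destination,
              check_recipient_access, permit]
# The order the recipient_checks.pcre comments warn against.
MAP_BEFORE_RELAY_CHECK = [permit_mynetworks, check_recipient_access,
                          reject_unauth_destination, permit]

if __name__ == "__main__":
    # 192.168.20.77 is a constructed client outside mynetworks.
    for order, label in ((PAGE_ORDER, "page order"),
                         (MAP_BEFORE_RELAY_CHECK, "access map first")):
        print(label, "->", evaluate(order, "192.168.20.77",
                                    "x@example.net", "postmaster@remote.example"))
```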


Certificates
------------
http://www.eclectica.ca/howto/ssl-cert-howto.php

cd /etc/ssl
Modify openssl.cfg
	dir 				= ./			### CA_default
	certificate			= $dir/certs/mollie_cacert.pem
	private_key			= $dir/private/mollie_cakey.pem
	default_days 			= 1095
	default_bits 			= 2048
	countryName_default 		= SE
	stateOrProvinceName_default 	= Sweden
	localityName_default		= Linkoeping
	0.organizationName_default	= Family Thuree's mail server
	organizationalUnitName_default	= Mail Server
	commonName_default		= mollie.thuree.com
	emailAddress_default		= postmaster@thuree.com
	unique_subject			= no
	
	
To make certificate authority
-----------------------------
mkdir newcerts certs private
echo "01" > serial
touch index.txt

# Create CA cert
openssl req -new -x509 -extensions v3_ca -keyout private/mollie_cakey.pem \
 -out certs/mollie_cacert.pem -days 1095 
 
# Create local cert.
openssl req -new -nodes -out certs/mollie_req.pem   -keyout private/mollie_key.pem
# Sign the local cert.
openssl ca              -out certs/mollie_cert.pem  -cert certs/mollie_cacert.pem -infiles certs/mollie_req.pem 

# Verify the newly created certificates
openssl s_client -connect mollie.thuree.com:smtp -starttls smtp
openssl s_client -connect mollie.thuree.com:smtps -cert denton_cert.pem -CAfile denton_cacert.pem
openssl verify -purpose sslclient -CAfile certs/mollie_cacert.pem certs/mollie_cert.pem
openssl verify -purpose sslserver -CAfile certs/mollie_cacert.pem certs/mollie_cert.pem

# To revoke a certificate
# Check index.txt for which sequential number it is... in this case 02.
openssl ca -revoke newcerts/02.pem 
# Then create and sign the local cert again.

cp private/mollie_key.pem private/mollie_key.pem.postfix
chown postfix:postfix private/mollie_key.pem.postfix
chmod 0400 private/mollie_key.pem.postfix
	
Modify postfix to use the certificates 
--------------------------------------	
http://www.projektfarm.com/en/support/howto/postfix_smtp_auth_tls.html
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/conf.html
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
http://www.tribulaciones.org/docs/postfix-sasl-tls-howto.html

vi /etc/postfix/main.cf

broken_sasl_auth_clients = yes
tls_random_source = dev:/dev/urandom
relay_clientcerts = hash:/etc/postfix/relay_certs
smtpd_recipient_restrictions = permit_tls_clientcerts ...

#
# Server - SMTPD - Postfix receiving mails
#
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/certs/mollie_cert.pem
smtpd_tls_key_file = /etc/ssl/private/mollie_key.pem.postfix
smtpd_tls_CAfile = /etc/ssl/certs/mollie_cacert.pem
smtpd_tls_CApath = /etc/ssl/tls_peers
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only = yes
# Note: this key is also set to "yes" above; Postfix uses the last value it reads, so keep only one.
smtpd_tls_received_header = no
#smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = 

#
# Client - SMTP - Postfix sending mails 
#
smtp_use_tls = yes
smtp_tls_cert_file = /etc/ssl/certs/mollie_cert.pem
smtp_tls_key_file = /etc/ssl/private/mollie_key.pem.postfix
smtp_tls_CAfile = /etc/ssl/certs/mollie_cacert.pem
smtp_tls_CApath = /etc/ssl/tls_peers
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
smtp_sasl_security_options =
smtp_tls_loglevel = 1

vi /etc/postfix/sasl/smtpd.conf
	mech_list: plain login
	pwcheck_method: saslauthd


# Generate a fingerprint of the client's cert which you want to allow to relay.
openssl x509 -fingerprint -in denton_cert.pem 
vi /etc/postfix/relay_certs
<fingerprint> denton.thuree.com

# Add the hosts to which you MUST use TLS encryption.
vi /etc/ssl/tls_per_site
denton.thuree.com MUST

postmap hash:/etc/postfix/relay_certs
postmap hash:/etc/ssl/tls_per_site


postfix reload


# Make sure that postfix can authenticate by using cyrus sasl.
apt-get install libsasl2 libsasl2-modules


# To make SASL work in CHROOT environment
cd /var/spool/postfix
mkdir -p var/run
cd var/run
mv /var/run/saslauthd .
cd /var/run
ln -s /var/spool/postfix/var/run/saslauthd/ 
vi /etc/default/saslauthd (add last)
	# Fix the saslauth directory
	if [ ! -d /var/run/saslauthd ]; then
	        ln -s /var/spool/postfix/var/run/saslauthd/ /var/run
	fi


Norton Antivirus
================
Turn off Norton Antivirus scanning on outgoing mails, it blocks the STARTTLS command

Modify cyrus to use certificates
--------------------------------
vi /etc/imapd.conf
	tls_cert_file: /etc/ssl/certs/mollie_cert.pem
	tls_key_file: /etc/ssl/private/mollie_key.pem.cyrus
	tls_ca_file: /etc/ssl/certs/mollie_cacert.pem
	tls_require_cert: no
cp /etc/ssl/private/mollie_key.pem /etc/ssl/private/mollie_key.pem.cyrus
chown cyrus:mail /etc/ssl/private/mollie_key.pem.cyrus
chmod 0400 /etc/ssl/private/mollie_key.pem.cyrus

Verify that IMAPS is properly configured.
-----------------------------------------
openssl s_client -connect localhost:imaps

Verify postfix-tls
------------------
postfix reload
telnet 127.0.0.1 25
ehlo thuree.com
--> Look for STARTTLS
starttls
--> Ready to start TLS


Verify cyrus
------------
From another computer, run the imtest program
	imtest -t "" 192.168.20.50 -a <user>
		<ctrl-d> when finished


Misc
====
apt-get install gotmail fetchmail fetchyahoo 

cd /etc
cp /usr/share/doc/fetchmail/examples/fetchmailrc.example /etc/fetchmailrc
chmod 0600 fetchmailrc
chown fetchmail:root fetchmailrc
vi fetchmailrc
	poll aaa.bbb.ccc with protocol pop3/imap
		# interval 6 # Only if you want it to be done less regularly...
		user "XXXX" with password "YYYYY", is "ZZZZ" here
		fetchall
		ssl


Fix for FetchMail dying
-----------------------
/etc/cron.d/fetchmail
#
# Check regularly if fetchmail is running, and if not restart it.
#
@hourly     root    test -x /root/scripts/CheckFetchMail && /root/scripts/CheckFetchMail > /dev/null 2>&1


/root/scripts/CheckFetchMail
#!/bin/sh
if [ `ps -eaf | grep fetchmail | grep -v 'grep fetch' | wc -l` -eq 0 ]; then
    /etc/init.d/fetchmail restart
fi

gotmail
-------
vi /etc/cron.d/gotmail
# get hotmail every 15 minutes
08,23,38,53 *     * * *     jade   if [ -x /usr/bin/gotmail ]; then /usr/bin/gotmail; fi
03,18,32,47 *     * * *     bengt  if [ -x /usr/bin/gotmail ]; then /usr/bin/gotmail; fi

vi <user>/.gotmailrc
username=<hotmail user name before @>
password=<password>
forward=<Forward this mail to  bengt@thuree.com>
retry-limit=3
silent
delete


Common compression packages - To enable MailScanner to scan zip files.
==========================
apt-get install lha zoo unzoo arc bzip2 unarj unrar unzip


SPF 
===
Information can be found here: http://spf.pobox.com/index.html
Add this TXT record to your domain's DNS zone if your mail server has a static IP address
(the ip4: mechanism takes an address; a: takes a host name)
thuree.com.      IN TXT         "v=spf1 mx ip4:<IP> ~all"

To verify, send an email to echo@generic-nic.net and check the response.


AntiVirus
===============================
apt-get install f-prot-installer clamav clamav-testfiles
* Clamav - Select MANUAL update of virus definitions.
	(this since mailscanner will handle the updates)
* f-prot - Download and install


## Temporary workaround 
## mkdir -p /usr/share/MailScanner/MailScanner
apt-get install mailscanner tnef spamassassin razor file

copy f-prot-pgm-autoupdate to /etc/MailScanner/autoupdate/f-prot-pgm-autoupdate
   It's on workie debian/MyMailScanner


----------------------------
ln -s /etc/MailScanner/autoupdate/f-prot-pgm-autoupdate /etc/cron.weekly

vi /etc/cron.d/VirusDefUpdate
----------------------------
mollie:/etc/MailScanner/autoupdate# more /etc/cron.d/VirusDefUpdate
# Regular cron jobs for updating Virus Definitions,
# using MailScanners autoupdate function
#
# If you only want to receive e-mail when an error occurs, then include
# the -quiet parameter
27 * * * * root if [ -x /etc/MailScanner/autoupdate/f-prot-autoupdate ]; then /etc/MailScanner/autoupdate/f-prot-autoupdate /usr/lib/f-prot -cron; fi

# ClamAV's virus definition is by default done in -quiet mode.
# Only errors will be reported.
46 * * * * root if [ -x /etc/MailScanner/autoupdate/clamav-autoupdate ]; then /etc/MailScanner/autoupdate/clamav-autoupdate ; fi
----------------------------

Test the anti virus programs
----------------------------
cd /tmp

wget http://www.eicar.org/download/eicar.com
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip

mollie:/tmp# clamscan
/tmp/eicar.com: Eicar-Test-Signature FOUND
/tmp/eicar.com.txt: Eicar-Test-Signature FOUND
/tmp/eicar_com.zip: Eicar-Test-Signature FOUND
/tmp/eicarcom2.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 10609
Scanned directories: 1
Scanned files: 7
Infected files: 5

mollie:/tmp# f-prot ei*
Virus scanning report  -  22 August 2004 @ 16:09

F-PROT ANTIVIRUS
Program version: 4.4.4
Engine version: 3.14.11

VIRUS SIGNATURE FILES
SIGN.DEF created 18 August 2004
SIGN2.DEF created 18 August 2004
MACRO.DEF created 16 August 2004

Search: eicar.com eicar.com.txt eicar_com.zip eicarcom2.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/tmp/eicar.com  Infection: EICAR_Test_File
/tmp/eicar.com.txt  Infection: EICAR_Test_File
/tmp/eicar_com.zip->eicar.com  Infection: EICAR_Test_File
/tmp/eicarcom2.zip->eicar_com.zip->eicar.com  Infection: EICAR_Test_File

Results of virus scanning:

Files: 4
MBRs: 0
Boot sectors: 0
Objects scanned: 7
Infected: 4
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

Fix Postfix & MailScanner so that mail is scanned for viruses
-----------------------------------------------
vi /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
hash_queue_depth = 2
hash_queue_names = incoming deferred hold


vi /etc/postfix/header_checks
/^Received:/ HOLD


Use greylisting with Postfix
----------------------------
apt-get install postgrey
add a "check_policy_service" entry to smtpd_recipient_restrictions in main.cf, after reject_unauth_destination

            reject_unauth_destination
	    check_policy_service inet:127.0.0.1:60000
            check_recipient_access pcre:/etc/postfix/recipient_checks.pcre

Fix MailScanner configuration
-----------------------------
vi /etc/MailScanner/MailScanner.conf
     %org-name% = thuree
     Run As User = postfix
     Run As Group = postfix
     Incoming Queue Dir = /var/spool/postfix/hold
     Outgoing Queue Dir = /var/spool/postfix/incoming
     MTA = postfix
     SendMail2 = /usr/lib/sendmail
     Virus Scanners = f-prot clamav
     SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
     
vi /etc/MailScanner/spam.assassin.prefs.conf
	bayes_ignore_header X-thuree-MailScanner

mkdir /var/spool/MailScanner/spamassassin
chown -R postfix:postfix /var/spool/MailScanner
chown -R postfix:postfix /var/lib/MailScanner
chown -R postfix:postfix /var/run/MailScanner

vi /etc/default/mailscanner
	run_mailscanner=1

Simple monitoring (need to modify to work with multiple scanners and yesterday, last week etc)
-----------------
cd /root/scripts
wget http://web.csma.biz/apps/vnames.pl
vi vnames.pl
	$Scanner = "f-prot,clamav";
	$MailLogFile ="/var/log/mail.log";
	$StatsFile = "/root/scripts/virus.log";
vi /etc/crontab
	58 23 * * * root /root/scripts/vnames.pl youremail@host.com

 

Test MailScanner with AntiVirus
-------------------------------
bengt@dellie:~$ telnet 192.168.20.50 25
ehlo test.com
mail from:bengt@test.com
rcpt to:test@thuree.com
data
Test from remote host with the eicar.com virus attachment


SpamAssassin
============
Fetch some predefined rules for SpamAssassin.
cd /tmp/
wget http://mailscanner.prolocation.net/fetchbigevil-0.2.tar.gz
wget http://mailscanner.prolocation.net/fetchbackhair-0.1.tar.gz
gunzip fetch*
tar xvf fetchbi*
tar xvf fetchba*
./update-b*
mv update-b* /etc/cron.daily
vi /etc/cron.daily/update-backhair
	Add the following line just before the reload:
	cp /etc/spamassassin/backhair.cf /usr/share/spamassassin/90_backhair.cf
	Also change /etc/rc.d/init.d to /etc/init.d
vi /etc/cron.daily/update-bigevil
	Add the following line just before the reload:
	cp /etc/spamassassin/bigevil.cf /usr/share/spamassassin/90_bigevil.cf
	Also change /etc/rc.d/init.d to /etc/init.d
 


cd /etc/spamassassin
	mv local.cf local.cf.org
	ln -s /etc/MailScanner/spam.assassin.prefs.conf local.cf

vi /etc/MailScanner/spam.assassin.prefs.conf
#auto_whitelist_path        /var/lib/MailScanner/auto-whitelist
auto_whitelist_path        /var/spool/MailScanner/spamassassin/auto-whitelist
#bayes_path                 /var/lib/MailScanner/bayes
bayes_path                 /var/spool/MailScanner/spamassassin/bayes
skip_rbl_checks 0
# English, Chinese, Swedish, Norwegian, Danish
ok_locales en zh sv no da

# Allow Western and Chinese character sets
# (note: SpamAssassin keeps the last ok_locales line it reads, so this one overrides the line above)
ok_locales en zh
score RCVD_IN_BL_SPAMCOP_NET    2.25
score RCVD_IN_OPM               0.5
score RCVD_IN_DSBL              0.5
score RCVD_IN_SBL               0.5
score RCVD_IN_NJABL             0.5

vi /etc/cron.d/LearnSpams
-------------------------
#
# Regularly re-learn mis-categorized spams and hams
#
17 2,8,14,20 * * *   root    test -x /root/scripts/SA-AutoLearn && /root/scripts/SA-AutoLearn > /dev/null 2>&1

vi /root/scripts/SA-AutoLearn
-----------------------------
#!/bin/sh
/etc/init.d/mailscanner stop

#Learn hams from all mailboxes
sa-learn --ham  /var/spool/cyrus/mail/*/*/*/SaLearn/Ham/

#Learn spams from all mailboxes
sa-learn --spam /var/spool/cyrus/mail/*/*/*/SaLearn/Spam/

#Just to make sure postfix owns these files
chown -R postfix:postfix /var/spool/MailScanner/spamassassin

/etc/init.d/mailscanner start


PostFix log summary
===================
apt-get install pflogsumm

vi /etc/cron.d/pflogsumm

#
# Cron job to compute statistics over the mail traffic using our postfix server
#
# Daily statistics
10 0 * * * root /usr/sbin/pflogsumm.pl -d yesterday /var/log/mail.log 2>&1 |/usr/bin/mailx -s "`uname -n` daily mail stats" postmaster
#
# Weekly statistics
10 7 * * 7 root /usr/sbin/pflogsumm.pl /var/log/mail.log.0 2>&1 |/usr/bin/mailx -s "`uname -n` weekly mail stats" postmaster

Apache & SquirrelMail
=====================
mollie:~# apt-get install  squirrelmail 

mkdir /var/lib/php4
chown www-data.www-data /var/lib/php4


Configure Apache
----------------

cd /etc/apache2/conf.d
cp /etc/squirrelmail/apache.conf mail.conf
vi mail.conf
   change the Alias to /mail
   Redirect plain http to https (uncomment all lines at the end of the file, except the mod_ssl check)

Start ssl
---------
a2enmod ssl

apache2.conf 
AddLanguage zh-CN .cn
LanguagePriority en sv zh-CN da nl et fr de el it ja ko no pl pt pt-br ltz ca es
Comment out DefaultCharset

Fix expired SSL certificate
---------------------------
cd /etc/apache-ssl
openssl genrsa -out www.euhq.org.key 1024
# Use 2048 bits instead of 1024 if possible
chmod 600 www.euhq.org.key
openssl req -new -key www.euhq.org.key -out www.euhq.org.csr
openssl x509 -req -days 730 -in www.euhq.org.csr -signkey www.euhq.org.key -out www.euhq.org.crt
mv apache.pem apache.pem.old
cp www.euhq.org.key apache.pem
cat www.euhq.org.crt >> apache.pem
chmod 600 apache.pem
/etc/init.d/apache-ssl restart 

Fix robots.txt
--------------
vi /var/www/robots.txt
User-agent: *
Disallow: /

Fix index.html
--------------
vi /var/www/index.html
No directory listing allowed.


Configure SquirrelMail
----------------------

vi /etc/php4/apache2/php.ini
#max_execution_time = 30     ; Maximum execution time of each script, in seconds
max_execution_time = 180     ; Maximum execution time of each script, in seconds
max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
#memory_limit = 8M      ; Maximum amount of memory a script may consume (8MB)
memory_limit = 80M      ; Maximum amount of memory a script may consume (80MB)

/usr/sbin/squirrelmail-configure
Plugins marked with "*" from www.squirrelmail.org
-------
Installed Plugins
    1. message_details
    2. sent_subfolders
    3. abook_take
    4. info
    5. mail_fetch
    6. squirrelspell
    7. translate
    8. change_passwd *
    9. compatibility *
    10. timeout_user *
    11. pupdate *
    12. avelsieve *
    13. unsafe_image_rules *
    14. view_as_html *
    15. notify * 
    16. newmail
    17. fortune
    18. listcommands
	
Turn on Threaded view in SquirrelMail
	config.pl, option 4, selection 10 & 11

Spell check for SquirrelMail
-----------------------------
apt-get install ispell wamerican


ADD a New User
==============
adduser <mailbox>
cyradm localhost
	cm  user.<mailbox> 
	cm  user.<mailbox>.Junk
	cm  user.<mailbox>.Junk.Spam
	cm  user.<mailbox>.Junk.AutoSpam
	cm  user.<mailbox>.SaLearn
	cm  user.<mailbox>.SaLearn.Spam
	cm  user.<mailbox>.SaLearn.Ham
	sam user.<child> <parent> li
	sam user.<parent>.<child>Spam <child> li
	quit
http://www.oreilly.de/catalog/mimap/chapter/ch09.html

/etc/init.d/postfix restart

sieveshell -u <user> -a <user> <imap server>
sieveshell localhost 		(as the correct user)
	put <sieve script>
	activate <sieve script>


Some PostFix commands
=====================
mailq   		-> List the queued mails.
postsuper -d <ID> 	-> will delete a mail from a queue

Cyrus
=====
For the administrator, so that they can delete and manage the mailboxes.
cyradm
	setaclmailbox user.<mailbox> <admin_userid> c
	deletemailbox user.<mailbox>


Dshield ?
=========
http://www.dshield.org/

To help test PostFix
====================
apt-get install swaks (recommended on another computer)


Sieve example script
====================
# Draft 1
# Bengt Thuree 2004-02-21
# Spam, List and system Rules

require "fileinto";

if header :contains ["X-thuree-MailScanner-SpamScore"] "ssssssssssss" {
        fileinto "INBOX.Spam";
        stop;
}
if header :contains ["X-thuree-MailScanner-SpamScore"] "ssssss" {
        fileinto "INBOX.PossibleSpam";
        stop;
}
if header :contains ["List-Id"] "debian-user" {
        fileinto "INBOX.debian-user";
        stop;
}
if header :contains ["Subject"] "assp - Open Discussion" {
        fileinto "INBOX.assp";
        stop;
}
if anyof (
                header :contains ["From"] "daemon@mollie.thuree.com",
                header :contains ["From"] "root@thuree.com",
                header :contains ["From"] "root@mollie.thuree.com"
        ) {
        fileinto "INBOX.mollie";
        stop;
}
if header :contains ["From"] "JENSVirusCheckService" {
#       discard;
        fileinto "INBOX.Spam";
        stop;
}

PostFix files
=============

init.d/postfix
--------------
#!/bin/sh -e

# Start or stop Postfix
#
# LaMont Jones <lamont@debian.org>
# based on sendmail's init.d script

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/postfix
DAEMON2="/usr/sbin/postfix -c /etc/postfix.outgoing"
PIDFILE=/var/run/postfix.pid
NAME=Postfix
TZ=
unset TZ

# Defaults - don't touch, edit /etc/default/postfix
SYNC_CHROOT="y"

test -f /etc/default/postfix && . /etc/default/postfix

#test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0
test -x $DAEMON && test -f /etc/postfix/main.cf && test -f /etc/postfix.outgoing/main.cf || exit 0

case "$1" in
    start)
        echo -n "Starting mail transport agent: Postfix"
	
        # postmap all needed files first
        POSTMAP_FILES="client_checks helo_checks relay_certs sender_checks tls_per_site"
        for POSTMAP_FILE in ${POSTMAP_FILES}; do
           postmap /etc/postfix/${POSTMAP_FILE}
           postmap /etc/postfix.outgoing/${POSTMAP_FILE}
        done

        # see if anything is running chrooted.
        NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)

        if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
            # Make sure that the chroot environment is set up correctly.
            oldumask=$(umask)
            umask 022
            cd $(postconf -h queue_directory)

            # if we're using unix:passwd.byname, then we need to add etc/passwd.
            local_maps=$(postconf -h local_recipient_maps)
            if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
#               if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
                    sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
                    chmod a+r etc/passwd
#               fi
            fi

            FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
                etc/nsswitch.conf etc/sasldb2"
            for file in $FILES; do
                [ -d ${file%/*} ] || mkdir -p ${file%/*}
                if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
                if [ -f  ${file} ]; then chmod a+rX ${file}; fi
            done
            rm -f usr/lib/zoneinfo/localtime
            ln -sf /etc/localtime usr/lib/zoneinfo/localtime
            rm -f lib/libnss_*so*
            tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
	    
            # Fix peers SSL certificates
            mkdir -p etc/ssl/tls_peers
            #if [ -f /etc/ssl/tls_peers/* ]; then
                c_rehash /etc/ssl/tls_peers/
            #fi
            tar cf - /etc/ssl/tls_peers/ 2> /dev/null | tar xf -

	    cp -rp etc $(postconf -c /etc/postfix.outgoing -h queue_directory)
            cd $(postconf -c /etc/postfix.outgoing -h queue_directory)
	    mkdir -p usr/lib/zoneinfo
	    mkdir -p var/run
            rm -f usr/lib/zoneinfo/localtime
            ln -sf /etc/localtime usr/lib/zoneinfo/localtime
            rm -f lib/libnss_*so*
            tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -

            umask $oldumask

        fi

        ${DAEMON} start 2>&1 |
                (grep -v 'starting the Postfix' 1>&2 || /bin/true)
        ${DAEMON2} start 2>&1 |
                (grep -v 'starting the Postfix' 1>&2 || /bin/true)
        echo "."
    ;;

    stop)
        echo -n "Stopping mail transport agent: Postfix"
        ${DAEMON} stop 2>&1 |
                (grep -v 'stopping the Postfix' 1>&2 || /bin/true)
        ${DAEMON2} stop 2>&1 |
                (grep -v 'stopping the Postfix' 1>&2 || /bin/true)
        echo "."
    ;;

    restart)
        $0 stop
        $0 start
    ;;

    force-reload|reload)
        echo -n "Reloading Postfix configuration..."
        ${DAEMON} reload 2>&1 |
                (grep -v 'refreshing the Postfix' 1>&2 || /bin/true)
        ${DAEMON2} reload 2>&1 |
                (grep -v 'refreshing the Postfix' 1>&2 || /bin/true)
        echo "done."
    ;;

    flush)
        ${DAEMON} flush
        ${DAEMON2} flush
    ;;

    check)
        ${DAEMON} check
        ${DAEMON2} check
    ;;

    *)
        echo "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|force-reload}"
        exit 1
    ;;
esac

exit 0

---------------

mollie:/etc/postfix# more recipient_checks.pcre
# Note: You must have PCRE support built in to Postfix at
# compile time to use this.  (Tho I've been told the following are
# valid POSIX RE's ["regexp:" map type], as well.)
#
# Postfix doesn't relay by default.  But it may *appear* to do so
# to some testers.  The first two statements below remove all
# doubt.

/^\@/           550 Invalid address format.
/[!%\@].*\@/    550 This server disallows weird address syntax.

# Let email to the following destinations bypass all the remaining
# "reject" and "check" tests.  We always want to let email for these
# recipients in.

/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/      OK

# Note: The "OK"s above, for postmaster, etc., will *not*
# bypass header and body checks.  There is currently no way
# to do so with Postfix :(
#
# Remember where I said, at the very beginning, about how
# order is important?  Whatever you do, do *not* place an
# access map like this one before the "permit mynetworks"
# and "reject_unauth_destination" statements.  Not unless
# you want to be an open relay, anyway.

---
mollie:/etc/postfix# more helo_checks.pcre
# Note: You must have PCRE support built in to Postfix at
# compile time to use this.
#
# No, you won't find this entry in my "smtpd_recipient_restrictions,"
# above.  I'm not doing this check (at this time).

# If you want to be really picky about it: HELO'ing with an IP
# address is RFC-compliant - *if* it's enclosed in square-brackets
# ("[]"s).  (One would think "reject_invalid_hostname" checks for
# this, but it does not.)
#
# Somebody HELO'ing with a non-RFC-compliant dotted-quad IP
# address?  For shame!  (I don't do this check, btw.)
/^[0-9]+(\.[0-9]+){3}$/ REJECT Invalid hostname

---
mollie:/etc/postfix# more client_checks.pcre
# Postfix' dbm/hash files don't allow CIDR notation, netmasks
# or address ranges, but you can achieve the same end with
# regular expressions.
#
# Again: these are in PCRE notation.  But you could accomplish
# the same with POSIX RE's.  (I just don't know how.)

# 10.9.8.0 - 10.9.9.255
/10\.9\.[89]\.\d+/              REJECT

# 10.9.8.0 - 10.9.10.255 is generally no good, but 10.9.8.7 is OK
/10\.9\.8\.7/           OK
/10\.9\.([89]|10)\.\d+/ 554 Go away. We don't want any!

# A much more complex example of listing a (CIDR) IP range
# (If this makes your eyes cross, just ignore it for now)
# 10.33.192.0/19 = 10.33.192.0 - 10.33.223.255
/^10\.33\.((19[2-9])|(2(0[0-9]|1[0-9]|2[0-3])))\.\d{1,3}$/    REJECT

# Postfix experimental release 20030706 contains experimental
# support for CIDR-based lookup tables, so the regexp-type lookups
# for address ranges may soon no longer be necessary.  To see if
# your version of Postfix supports CIDR-based maps, do a "man
# cidr_table" and look for "cidr" in the output of "postconf -m".
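Hand-writing an octet regex like the /19 one above is error-prone. The following is an added example, not part of the howto: it generates the same anchored pcre form for any IPv4 CIDR block and cross-checks the result against Python's ipaddress module, reproducing the 10.33.192.0/19 and 10.9.8.0/23 rules from this file.

```python
"""Generate Postfix pcre client_checks patterns for IPv4 CIDR blocks.

Added example, not code from the howto. The output follows the page's
client_checks.pcre style: anchored, \\. between octets, \\d{1,3} for a
fully covered octet. Per-octet ranges are exact for CIDR blocks because
the octets before the split are fixed and the ones after it are 0-255.
"""
import re
from ipaddress import ip_network


def _fixed_width(lo, hi, width):
    """Regex alternatives matching zero-padded numbers lo..hi of exactly
    `width` digits (classic range-to-regex split on the leading digit)."""
    if width == 1:
        return [str(lo) if lo == hi else f"[{lo}-{hi}]"]
    lo_s, hi_s = str(lo).zfill(width), str(hi).zfill(width)
    a, b = int(lo_s[0]), int(hi_s[0])
    rest_lo, rest_hi = int(lo_s[1:]), int(hi_s[1:])
    full = 10 ** (width - 1) - 1          # largest suffix, e.g. 99 for width 3
    if a == b:
        return [lo_s[0] + s for s in _fixed_width(rest_lo, rest_hi, width - 1)]
    out = []
    start = a
    if rest_lo != 0:                      # partial block under leading digit a
        out += [str(a) + s for s in _fixed_width(rest_lo, full, width - 1)]
        start = a + 1
    end = b if rest_hi == full else b - 1  # whole blocks start..end
    if start <= end:
        lead = str(start) if start == end else f"[{start}-{end}]"
        out.append(lead + "[0-9]" * (width - 1))
    if rest_hi != full:                   # partial block under leading digit b
        out += [str(b) + s for s in _fixed_width(0, rest_hi, width - 1)]
    return out


def octet_regex(lo, hi):
    """Regex for a decimal octet in lo..hi, written without leading zeros."""
    if lo == hi:
        return str(lo)
    if (lo, hi) == (0, 255):
        return r"\d{1,3}"                 # same shorthand the page uses
    parts = []
    for width, (wlo, whi) in ((1, (0, 9)), (2, (10, 99)), (3, (100, 255))):
        l, h = max(lo, wlo), min(hi, whi)
        if l <= h:
            parts += _fixed_width(l, h, width)
    return parts[0] if len(parts) == 1 else "(" + "|".join(parts) + ")"


def cidr_to_pcre(cidr):
    """Anchored pattern (without the /.../ delimiters) matching every
    address in `cidr`; append the action, e.g. ' REJECT', for the map."""
    net = ip_network(cidr, strict=False)
    first, last = net.network_address.packed, net.broadcast_address.packed
    return "^" + r"\.".join(octet_regex(lo, hi) for lo, hi in zip(first, last)) + "$"


def matches_exactly(cidr, probe_net):
    """True if the generated pattern agrees with CIDR membership for every
    host address in `probe_net` (exhaustive check, no false hits or misses)."""
    net = ip_network(cidr, strict=False)
    pat = re.compile(cidr_to_pcre(cidr))
    return all((pat.match(str(a)) is not None) == (a in net)
               for a in ip_network(probe_net))


if __name__ == "__main__":
    for block in ("10.33.192.0/19", "10.9.8.0/23", "192.168.4.128/25"):
        print(f"/{cidr_to_pcre(block)}/    REJECT")
```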


---
mollie:/etc/postfix# more helo_checks
# This file has to be "compiled" with "postmap"

# Reject anybody that HELO's as being in our own domain(s)
# (Note that if you followed the order suggested in the main.cf
# examples, above, that machines in mynetworks will be okay.)

thuree.com                      REJECT You are not in thuree.com

# Somebody HELO'ing with our IP address?
192.168.20.50           REJECT You are not 192.168.20.50

# Somebody HELO'ing as "localhost?"  Impossible, we're "localhost"
localhost                       REJECT You are not me

---
mollie:/etc/postfix# more sender_checks
# This file must be "compiled" with "postmap"

# Using a domain name
#    example.tld                        554 Spam not tolerated here

# Maybe example2.tld is on a DNSbl, but we want to let their
# email in anyway.
#    example2.tld               OK

# We get lots of spam from example3.tld, but we have somebody
# there from which we do want to hear
#    someuser@example3.tld      OK
#    example3.tld               REJECT

---
mollie:/etc/postfix# more client_checks
# This file must be "compiled" with "postmap"

# Using a domain name
#   example.tld                 554 Spam not tolerated here

# Maybe example2.tld is on a DNSbl, but we want to let their
# email in anyway.
#    example2.tld               OK

# Checking by IP address
# 10.0.0.0/8
10                              554 Go away!

# 172.16/16
172.16                  554 Bugger off!

# 192.168.4/24 is bad, but 192.168.4.128 is okay
#    192.168.4.128              OK
#    192.168.4                  554 Take a hike!


Published

Oct 27, 2005

Author

bengt

Category

HOWTOs
