To DO
=====

- Firewall (razor: tcp ports 2703 and 7)
- snort / portsentry
- Make a chroot jail for Apache + SquirrelMail + PHP
- DShield?

Basic stuff
===========

VIA EPIA Mini-ITX M6000
2 * 20 GB hard disks
512 MB RAM

Partitions:
  hda1  /           4.8G
  hda5  /var        2.8G
  hda6  /tmp        0.5G
  hda7  /var/spool  11G
  hda8  swap        0.5G

Install a minimum Debian Sarge. Make sure you get a 2.6 kernel with RAID support.

General stuff
=============

  apt-get install ntp-simple ntpdate ssh openssl less wget sharutils locales

Time servers: use pool.ntp.org together with asia.pool.ntp.org or europe.pool.ntp.org
(check http://www.pool.ntp.org).

  dpkg-reconfigure locales

Languages:
  en_US ISO-8859-1
  en_US.UTF-8
  sv_SE ISO-8859-1
  sv_SE.UTF-8
  zh_CN GB2312
  zh_CN.UTF-8
  zh_TW BIG5
  zh_TW.UTF-8

inetd
=====

  more /etc/inetd.conf

For each service that is still enabled, run update-inetd --disable <service>, e.g.:

  update-inetd --disable discard
  update-inetd --disable daytime
  update-inetd --disable time

  /etc/init.d/inetd stop

vi /etc/init.d/inetd
Add the following directly after the #!/bin/sh line, so that inetd can never be started again:

  # Do not use inetd
  exit 0

nsswitch.conf
=============

  passwd: files compat
  group:  files compat
  shadow: files compat

CYRUS
=====

  apt-get install cyrus21-imapd cyrus21-admin cyrus21-pop3d
  apt-get install libdb3-util sasl2-bin
    -> .thuree.com

vi /etc/cyrus.conf
Select imaps, pop3s and imap. Plain imap is only there for SquirrelMail, which talks
to localhost while the browser side uses HTTPS; restrict it with listen="127.0.0.1:imap"
so that plain-text logins are never exposed on the network.

Events:
-------
  # Create the SQUAT index to speed up searches, every 76 minutes.
  squat cmd="/usr/sbin/squatter -r user" period=76

vi /etc/imapd.conf
  admins: root
  sasl_pwcheck_method: saslauthd
  sasl_mech_list: PLAIN LOGIN

vi /etc/default/saslauthd
  START=yes
  MECHANISMS="shadow"

Testing Cyrus IMAP
------------------

  mollie:/etc# telnet 127.0.0.1 imap
  Trying 127.0.0.1...
  Connected to 127.0.0.1.
  Escape character is '^]'.
  * OK mollie Cyrus IMAP4 v2.1.14-IPv6-Debian-2.1.14-1 server ready

Fix mailboxes
-------------

  /etc/init.d/saslauthd start
  cyradm localhost
    createmailbox user.<name>
    setacl user.<name> anyone p          # p = post: anyone may deliver into it
    # li ==> lookup + insert (not read)
    setacl user.johan.INBOX ake li
    setacl user.maria.INBOX ake li

Postfix
=======

A good overview: http://www.akadia.com/services/postfix_mta.html

  apt-get install postfix-tls postfix-pcre
    -> Internet
    -> mollie.thuree.com
    -> No
    -> Erase all
    -> No
    -> NONE (for mail to root)

vi /etc/postfix/main.cf
  mydomain = thuree.com
  myhostname = mollie.$mydomain
  mynetworks = 127.0.0.0/8, 192.168.10.0/24
  # Only trust the local computer
  #mynetworks_style = host
  mydestination = $mydomain, $myhostname, localhost, localhost.$mydomain, mail.$mydomain, www.$mydomain
  mailbox_transport = cyrus
  # Empty = accept mail for any recipient in $mydestination; an unknown user is
  # only bounced after cyrdeliver refuses it, which produces backscatter. A table
  # of the Cyrus mailboxes here is the safer choice.
  local_recipient_maps =
  delay_warning_time = 4h
  # Only report major errors
  notify_classes = resource, software

Turn on verbose logging:
vi /etc/postfix/master.cf
  change "smtpd" to "smtpd -v"

Column 5 (chroot) should be "n" for NO and "-" for YES. Start by running Postfix
in normal (non-chroot) mode --> n

  #cyrus     unix  -       n       n       -       -       pipe
  #  flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m "${extension}" ${user}
  # Cyrus 2.1.5 (Amos Gouaux)
  cyrus     unix  -       n       n       -       -       pipe
    user=cyrus argv=/usr/sbin/cyrdeliver -e -r ${sender} -m ${extension} ${user}

Make sure that Postfix can talk to saslauthd:
  adduser postfix sasl

Prepare a test account temporarily:
  adduser test

Start Postfix:
  /etc/init.d/postfix stop
  /etc/init.d/postfix start

Debug in one window:
  tail -f /var/log/mail.log

  mail test

Verify:
  less /var/spool/cyrus/mail/t/user/test/1.

  telnet localhost 25
  EHLO thuree.com
  quit

  mollie:/var/mail# telnet localhost 25
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 mollie.thuree.com ESMTP Postfix (Debian/GNU)
  ehlo test.com
  250-mollie.thuree.com
  250-PIPELINING
  250-SIZE 10240000
  250-ETRN
  250 8BITMIME
  quit
  221 Bye
  Connection closed by foreign host.

Telnet from a remote host:
  telnet <mailserver> 25
  ehlo test.com
  quit

  bengt@dellie:~$ telnet 192.168.20.50 25
  Trying 192.168.20.50...
  Connected to 192.168.20.50.
  Escape character is '^]'.
  220 mollie.thuree.com ESMTP Postfix (Debian/GNU)
  ehlo test.com
  250-mollie.thuree.com
  250-PIPELINING
  250-SIZE 10240000
  250-ETRN
  250 8BITMIME
  mail from:bengt@test.com
  250 Ok
  rcpt to:test@thuree.com
  250 Ok
  data
  354 End data with <CR><LF>.<CR><LF>
  Test from remote host test #2
  .
  250 Ok: queued as DBB4A4F882
  quit
  221 Bye
  Connection closed by foreign host.
  bengt@dellie:~$

###### Make sure that the test client does NOT have an IP address from your
###### mynetworks range, otherwise the relay test below proves nothing.

Verify that relaying to an external address is refused
Same as above, but use a RCPT TO address outside your own domains:
  rcpt to:<address outside mydestination>
  554 <address>: Recipient address rejected: Relay access denied

Add checks to Postfix
---------------------

vi /etc/postfix/main.cf
  smtpd_helo_required = yes
  disable_vrfy_command = yes
  smtpd_recipient_restrictions =
      permit_sasl_authenticated
      permit_mynetworks
      reject_invalid_hostname
      reject_non_fqdn_hostname
      reject_non_fqdn_sender
      reject_non_fqdn_recipient
      reject_unknown_sender_domain
      reject_unknown_recipient_domain
      reject_unauth_destination
      check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
      check_helo_access hash:/etc/postfix/helo_checks
      check_sender_access hash:/etc/postfix/sender_checks
      check_client_access hash:/etc/postfix/client_checks
      check_client_access pcre:/etc/postfix/client_checks.pcre
      permit
  smtpd_data_restrictions =
      reject_unauth_pipelining
      permit

The order matters: Postfix stops at the first restriction that answers OK, so every
check_*_access map (they contain OK entries) must stay after reject_unauth_destination;
otherwise the server becomes an open relay.

Lookup tables used (the .db files are built from the text files below):
  client_checks.db helo_checks.db relay_certs.db sender_checks.db sender_login_maps.db tls_per_site.db

# Copy the template *checks and *checks.pcre files (see "PostFix files" at the end) to /etc/postfix

Convert text files to hash db
-----------------------------
  postmap helo_checks
  postmap sender_checks
  postmap client_checks

Certificates
------------

http://www.eclectica.ca/howto/ssl-cert-howto.php

  cd /etc/ssl

Modify openssl.cnf:
  dir = ./
  ### CA_default
  certificate = $dir/certs/mollie_cacert.pem
  private_key = $dir/private/mollie_cakey.pem
  default_days = 1095
  default_bits = 2048
  countryName_default = SE
  stateOrProvinceName_default = Sweden
  localityName_default = Linkoeping
  0.organizationName_default = Family Thuree's mail server
  organizationalUnitName_default = Mail Server
  commonName_default = mollie.thuree.com
  emailAddress_default = postmaster@thuree.com
  unique_subject = no

To make a certificate authority
-------------------------------

  mkdir newcerts certs private
  echo "01" > serial
  touch index.txt

  # Create the CA cert
  openssl req -new -x509 -extensions v3_ca -keyout private/mollie_cakey.pem \
      -out certs/mollie_cacert.pem -days 1095

  # Create the local (server) key and certificate request
  openssl req -new -nodes -out certs/mollie_req.pem -keyout private/mollie_key.pem

  # Sign the local cert
  openssl ca -out certs/mollie_cert.pem -cert certs/mollie_cacert.pem -infiles certs/mollie_req.pem

  # Verify the newly created certificates (the CA file is the one configured above)
  openssl s_client -connect mollie.thuree.com:smtp -starttls smtp
  openssl s_client -connect mollie.thuree.com:smtps -cert denton_cert.pem -CAfile denton_cacert.pem
  openssl verify -purpose sslclient -CAfile certs/mollie_cacert.pem certs/mollie_cert.pem
  openssl verify -purpose sslserver -CAfile certs/mollie_cacert.pem certs/mollie_cert.pem

  # To revoke a certificate:
  # check index.txt for its sequential number, in this case 02
  openssl ca -revoke newcerts/02.pem
  # Then create and sign the local cert again.

Give Postfix its own read-only copy of the key:
  cp private/mollie_key.pem private/mollie_key.pem.postfix
  chown postfix:postfix private/mollie_key.pem.postfix
  chmod 0400 private/mollie_key.pem.postfix

Modify Postfix to use the certificates
--------------------------------------

http://www.projektfarm.com/en/support/howto/postfix_smtp_auth_tls.html
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/conf.html
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
http://www.tribulaciones.org/docs/postfix-sasl-tls-howto.html

vi /etc/postfix/main.cf
  broken_sasl_auth_clients = yes
  tls_random_source = dev:/dev/urandom
  relay_clientcerts = hash:/etc/postfix/relay_certs
  smtpd_recipient_restrictions =
      permit_tls_clientcerts
      ...
  #
  # Server - SMTPD - Postfix receiving mail
  #
  smtpd_use_tls = yes
  smtpd_tls_cert_file = /etc/ssl/certs/mollie_cert.pem
  smtpd_tls_key_file = /etc/ssl/private/mollie_key.pem.postfix
  smtpd_tls_CAfile = /etc/ssl/certs/mollie_cacert.pem
  smtpd_tls_CApath = /etc/ssl/tls_peers
  smtpd_tls_ask_ccert = yes
  smtpd_tls_loglevel = 1
  # Record the TLS parameters in the Received: header. Set it only once:
  # when a parameter is repeated, Postfix silently uses the last value.
  smtpd_tls_received_header = yes
  smtpd_tls_session_cache_timeout = 3600s
  # Never accept a password over plain text: AUTH is offered only after STARTTLS
  smtpd_tls_auth_only = yes
  #smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_security_options = noanonymous
  smtpd_sasl_local_domain =
  #
  # Client - SMTP - Postfix sending mail
  #
  smtp_use_tls = yes
  smtp_tls_cert_file = /etc/ssl/certs/mollie_cert.pem
  smtp_tls_key_file = /etc/ssl/private/mollie_key.pem.postfix
  smtp_tls_CAfile = /etc/ssl/certs/mollie_cacert.pem
  smtp_tls_CApath = /etc/ssl/tls_peers
  smtp_tls_note_starttls_offer = yes
  smtp_tls_per_site = hash:/etc/postfix/tls_per_site
  smtp_sasl_security_options =
  smtp_tls_loglevel = 1

vi /etc/postfix/sasl/smtpd.conf
  mech_list: plain login
  pwcheck_method: saslauthd

# Generate a fingerprint of the client certificate that you want to allow to relay.
  openssl x509 -fingerprint -noout -in denton_cert.pem

vi /etc/postfix/relay_certs
  # one line per client: <fingerprint as printed above> <free text>
  # (this Postfix-TLS release matches on the MD5 fingerprint)
  <fingerprint of denton_cert.pem>   denton.thuree.com

# Add the hosts to which you MUST use TLS encryption.
vi /etc/postfix/tls_per_site
  denton.thuree.com   MUST

  postmap hash:/etc/postfix/relay_certs
  postmap hash:/etc/postfix/tls_per_site
  postfix reload

# Make sure that Postfix can authenticate by using Cyrus SASL.
  apt-get install libsasl2 libsasl2-modules

# To make SASL work in the CHROOT environment
  cd /var/spool/postfix
  mkdir -p var/run
  cd var/run
  mv /var/run/saslauthd .
  cd /var/run
  ln -s /var/spool/postfix/var/run/saslauthd/

vi /etc/default/saslauthd (add at the end)
  # Fix the saslauthd directory
  if [ ! -d /var/run/saslauthd ]; then
      ln -s /var/spool/postfix/var/run/saslauthd/ /var/run
  fi

Norton Antivirus
================

Turn off Norton Antivirus scanning of outgoing mail on the client machines; it
blocks the STARTTLS command.

Modify Cyrus to use certificates
--------------------------------

vi /etc/imapd.conf
  tls_cert_file: /etc/ssl/certs/mollie_cert.pem
  tls_key_file: /etc/ssl/private/mollie_key.pem.cyrus
  tls_ca_file: /etc/ssl/certs/mollie_cacert.pem
  tls_require_cert: no

  cp /etc/ssl/private/mollie_key.pem /etc/ssl/private/mollie_key.pem.cyrus
  chown cyrus:mail /etc/ssl/private/mollie_key.pem.cyrus
  chmod 0400 /etc/ssl/private/mollie_key.pem.cyrus

Verify that IMAPS is properly configured
----------------------------------------
  openssl s_client -connect localhost:imaps

Verify postfix-tls
------------------
  postfix reload
  telnet 127.0.0.1 25
  ehlo thuree.com      --> look for STARTTLS in the reply
  starttls             --> 220 Ready to start TLS

Verify Cyrus
------------
From another computer, run the imtest program (log out when finished):
  imtest -t "" 192.168.20.50 -a <user>

Misc
====

  apt-get install gotmail fetchmail fetchyahoo

  cd /etc
  cp /usr/share/doc/fetchmail/examples/fetchmailrc.example /etc/fetchmailrc
  chmod 0600 fetchmailrc
  chown fetchmail:root fetchmailrc

vi fetchmailrc
  poll aaa.bbb.ccc with protocol pop3      # or imap
  # interval 6   # only if you want it done less regularly
  user "XXXX" with password "YYYYY", is "ZZZZ" here fetchall ssl

Fix for fetchmail dying
-----------------------

/etc/cron.d/fetchmail
  #
  # Check regularly that fetchmail is running, and if not, restart it.
  #
  @hourly root test -x /root/scripts/CheckFetchMail && /root/scripts/CheckFetchMail > /dev/null 2>&1

/root/scripts/CheckFetchMail
  #!/bin/sh
  # Restart fetchmail when no fetchmail process is running.
  if [ `ps -eaf | grep fetchmail | grep -v 'grep fetch' | wc -l` -eq 0 ]; then
      /etc/init.d/fetchmail restart
  fi

gotmail
-------

vi /etc/cron.d/gotmail
  # get hotmail every 15 minutes
  08,23,38,53 * * * * jade  if [ -x /usr/bin/gotmail ]; then /usr/bin/gotmail; fi
  03,18,32,47 * * * * bengt if [ -x /usr/bin/gotmail ]; then /usr/bin/gotmail; fi

vi ~/.gotmailrc (one per user; it holds the Hotmail password in clear text, so chmod 0600 it)
  username=
  password=
  forward=
  retry-limit=3
  silent
  delete

Common compression packages - to enable MailScanner to scan archives
====================================================================
  apt-get install lha zoo unzoo arc bzip2 unarj unrar unzip

SPF
===

Information can be found here: http://spf.pobox.com/index.html

If your mail server has a static IP address, add a TXT record for the domain
(SPF lives in a TXT record, not in the MX record itself):
  thuree.com.   IN TXT   "v=spf1 mx a ~all"
(mx = the hosts in the domain's MX records, a = the domain's own A record,
~all = softfail for everything else.)

To verify, send an e-mail to echo@generic-nic.net and check the response.

AntiVirus
=========

  apt-get install f-prot-installer clamav clamav-testfiles

* ClamAV - select MANUAL update of virus definitions (MailScanner will handle the updates).
* f-prot - download and install.

## Temporary workaround ##
  mkdir -p /usr/share/MailScanner/MailScanner
  apt-get install mailscanner tnef spamassassin razor file

Copy f-prot-pgm-autoupdate to /etc/MailScanner/autoupdate/f-prot-pgm-autoupdate
(it is on workie in debian/MyMailScanner).

  ln -s /etc/MailScanner/autoupdate/f-prot-pgm-autoupdate /etc/cron.weekly

vi /etc/cron.d/VirusDefUpdate
-----------------------------
  mollie:/etc/MailScanner/autoupdate# more /etc/cron.d/VirusDefUpdate
  # Regular cron jobs for updating virus definitions,
  # using MailScanner's autoupdate function
  #
  # If you only want to receive e-mail when an error occurs, then you want
  # to include the -quiet parameter
  27 * * * * root if [ -x /etc/MailScanner/autoupdate/f-prot-autoupdate ]; then /etc/MailScanner/autoupdate/f-prot-autoupdate /usr/lib/f-prot -cron; fi
  # ClamAV's virus definition update is by default done in -quiet mode.
  # Only errors will be reported.
  46 * * * * root if [ -x /etc/MailScanner/autoupdate/clamav-autoupdate ]; then /etc/MailScanner/autoupdate/clamav-autoupdate ; fi

Test the anti-virus programs
----------------------------
  cd /tmp
  wget http://www.eicar.org/download/eicar.com
  wget http://www.eicar.org/download/eicar.com.txt
  wget http://www.eicar.org/download/eicar_com.zip
  wget http://www.eicar.org/download/eicarcom2.zip

  mollie:/tmp# clamscan
  /tmp/eicar.com: Eicar-Test-Signature FOUND
  /tmp/eicar.com.txt: Eicar-Test-Signature FOUND
  /tmp/eicar_com.zip: Eicar-Test-Signature FOUND
  /tmp/eicarcom2.zip: Eicar-Test-Signature FOUND

  ----------- SCAN SUMMARY -----------
  Known viruses: 10609
  Scanned directories: 1
  Scanned files: 7
  Infected files: 5

  mollie:/tmp# f-prot ei*
  Virus scanning report  -  22 August 2004 @ 16:09

  F-PROT ANTIVIRUS
  Program version: 4.4.4
  Engine version: 3.14.11

  VIRUS SIGNATURE FILES
  SIGN.DEF created 18 August 2004
  SIGN2.DEF created 18 August 2004
  MACRO.DEF created 16 August 2004

  Search: eicar.com eicar.com.txt eicar_com.zip eicarcom2.zip
  Action: Report only
  Files: "Dumb" scan of all files
  Switches: -ARCHIVE -PACKED -SERVER

  /tmp/eicar.com  Infection: EICAR_Test_File
  /tmp/eicar.com.txt  Infection: EICAR_Test_File
  /tmp/eicar_com.zip->eicar.com  Infection: EICAR_Test_File
  /tmp/eicarcom2.zip->eicar_com.zip->eicar.com  Infection: EICAR_Test_File

  Results of virus scanning:
  Files: 4
  MBRs: 0
  Boot sectors: 0
  Objects scanned: 7
  Infected: 4
  Suspicious: 0
  Disinfected: 0
  Deleted: 0
  Renamed: 0
  Time: 0:00

Fix Postfix & MailScanner so it scans for viruses
-------------------------------------------------

vi /etc/postfix/main.cf
  header_checks = regexp:/etc/postfix/header_checks
  hash_queue_depth = 2
  hash_queue_names = incoming deferred hold

vi /etc/postfix/header_checks
  # Put every incoming message on HOLD; MailScanner picks it up from the hold
  # queue and drops it into incoming after scanning.
  /^Received:/ HOLD

Use greylisting with Postfix
----------------------------
  apt-get install postgrey

Add a check_policy_service to smtpd_recipient_restrictions in main.cf, after
reject_unauth_destination:
      reject_unauth_destination
      check_policy_service inet:127.0.0.1:60000
      check_recipient_access pcre:/etc/postfix/recipient_checks.pcre

Fix MailScanner configuration
-----------------------------

vi /etc/MailScanner/MailScanner.conf
  %org-name% = thuree
  Run As User = postfix
  Run As Group = postfix
  Incoming Queue Dir = /var/spool/postfix/hold
  Outgoing Queue Dir = /var/spool/postfix/incoming
  MTA = postfix
  SendMail2 = /usr/lib/sendmail
  Virus Scanners = f-prot clamav
  SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

vi /etc/MailScanner/spam.assassin.prefs.conf
  bayes_ignore_header X-thuree-MailScanner

  mkdir /var/spool/MailScanner/spamassassin
  chown -R postfix:postfix /var/spool/MailScanner
  chown -R postfix:postfix /var/lib/MailScanner
  chown -R postfix:postfix /var/run/MailScanner

vi /etc/default/mailscanner
  run_mailscanner=1

Simple monitoring
-----------------
(needs modification to work with multiple scanners and with yesterday, last week etc.)

  cd /root/scripts
  wget http://web.csma.biz/apps/vnames.pl

vi vnames.pl
  $Scanner = "f-prot,clamav";
  $MailLogFile ="/var/log/mail.log";
  $StatsFile = "/root/scripts/virus.log";

vi /etc/crontab
  58 23 * * * root /root/scripts/vnames.pl youremail@host.com

Test mail scanning with anti-virus
----------------------------------
  bengt@dellie:~$ telnet 192.168.20.50 25
  ehlo test.com
  mail from:bengt@test.com
  rcpt to:test@thuree.com
  data
  Test from remote host with the eicar.com virus attachment
  (paste the EICAR test file as the body, end with a line containing a single ".")

SpamAssassin
============

Fetch some predefined rules for SpamAssassin.
  cd /tmp/
  wget http://mailscanner.prolocation.net/fetchbigevil-0.2.tar.gz
  wget http://mailscanner.prolocation.net/fetchbackhair-0.1.tar.gz
  gunzip fetch*
  tar xvf fetchbi*
  tar xvf fetchba*
  ./update-b*
  mv update-b* /etc/cron.daily

vi /etc/cron.daily/update-backhair
  --> Add the line below just before the reload <--
  cp /etc/spamassassin/backhair.cf /usr/share/spamassassin/90_backhair.cf
  --> also change /etc/rc.d/init.d to /etc/init.d

vi /etc/cron.daily/update-bigevil
  --> Add the line below just before the reload <--
  cp /etc/spamassassin/bigevil.cf /usr/share/spamassassin/90_bigevil.cf
  --> also change /etc/rc.d/init.d to /etc/init.d

  cd /etc/spamassassin
  mv local.cf local.cf.org
  ln -s /etc/MailScanner/spam.assassin.prefs.conf local.cf

vi /etc/MailScanner/spam.assassin.prefs.conf
  #auto_whitelist_path /var/lib/MailScanner/auto-whitelist
  auto_whitelist_path /var/spool/MailScanner/spamassassin/auto-whitelist
  #bayes_path /var/lib/MailScanner/bayes
  bayes_path /var/spool/MailScanner/spamassassin/bayes
  skip_rbl_checks 0
  # Allow Western and Chinese character sets: English, Chinese, Swedish,
  # Norwegian, Danish. Set ok_locales only once; a later line overrides it.
  ok_locales en zh sv no da
  score RCVD_IN_BL_SPAMCOP_NET 2.25
  score RCVD_IN_OPM 0.5
  score RCVD_IN_DSBL 0.5
  score RCVD_IN_SBL 0.5
  score RCVD_IN_NJABL 0.5

vi /etc/cron.d/LearnSpams
-------------------------
  #
  # Regularly re-learn mis-categorised spam and ham
  #
  17 2,8,14,20 * * * root test -x /root/scripts/SA-AutoLearn && /root/scripts/SA-AutoLearn > /dev/null 2>&1

vi /root/scripts/SA-AutoLearn
-----------------------------
  #!/bin/sh
  # Stop MailScanner so that two processes never write the Bayes database at once
  /etc/init.d/mailscanner stop
  # Learn ham from all mailboxes
  sa-learn --ham /var/spool/cyrus/mail/*/*/*/SaLearn/Ham/
  # Learn spam from all mailboxes
  sa-learn --spam /var/spool/cyrus/mail/*/*/*/SaLearn/Spam/
  # sa-learn ran as root; make sure postfix owns the files again
  chown -R postfix:postfix /var/spool/MailScanner/spamassassin
  /etc/init.d/mailscanner start

PostFix log summary
===================
  apt-get install pflogsumm

vi /etc/cron.d/pflogsumm
  #
  # Cron job to compute statistics over the mail traffic using our postfix server
  #
  # Daily statistics
  10 0 * * * root /usr/sbin/pflogsumm.pl -d yesterday /var/log/mail.log 2>&1 | /usr/bin/mailx -s "`uname -n` daily mail stats" postmaster
  #
  # Weekly statistics
  10 7 * * 7 root /usr/sbin/pflogsumm.pl /var/log/mail.log.0 2>&1 | /usr/bin/mailx -s "`uname -n` weekly mail stats" postmaster

Apache & SquirrelMail
=====================

  mollie:~# apt-get install squirrelmail
  mkdir /var/lib/php4
  chown www-data:www-data /var/lib/php4

Configure Apache
----------------
  cd /etc/apache2/conf.d
  cp /etc/squirrelmail/apache.conf mail.conf

vi mail.conf
  change the alias to /mail
  Redirect static to https (uncomment all lines at the end, except the check for mod_ssl)

Start SSL
---------
  a2enmod ssl

vi apache2.conf
  AddLanguage zh-CN .cn
  LanguagePriority en sv zh-CN da nl et fr de el it ja ko no pl pt pt-br ltz ca es
  Comment out DefaultCharset

Fix expired SSL certificate
---------------------------
  cd /etc/apache-ssl
  openssl genrsa -out www.euhq.org.key 1024     # use 2048 instead of 1024
  chmod 600 www.euhq.org.key
  openssl req -new -key www.euhq.org.key -out www.euhq.org.csr
  openssl x509 -req -days 730 -in www.euhq.org.csr -signkey www.euhq.org.key -out www.euhq.org.crt
  mv apache.pem apache.pem.old
  cp www.euhq.org.key apache.pem
  cat www.euhq.org.crt >> apache.pem
  chmod 600 apache.pem
  /etc/init.d/apache-ssl restart

Fix robots.txt
--------------
vi /var/www/robots.txt
  User-agent: *
  Disallow: /

Fix index.html
--------------
vi /var/www/index.html
  No directory listing allowed.
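The following script is an added example and not part of the original notes. It rebuilds what the Certificates section does by hand (a private CA, a server certificate for mollie, a client certificate for denton), but in a temporary directory with a minimal OpenSSL config of its own, so it depends neither on /etc/ssl/openssl.cnf nor on the newcerts/serial/index.txt layout. It then runs the page's "openssl verify -purpose" checks, including against an unrelated CA (which must fail), prints the fingerprint line that goes into /etc/postfix/relay_certs, and adds the check that the "Fix expired SSL certificate" section lacks: a test for a certificate that is about to expire. Host names are the page's own; "Some other CA" is made up for the negative test.

```shell
#!/bin/sh
# Added example, not part of the original page: the private CA, the server
# cert (mollie) and the client cert (denton) of the Certificates section,
# rebuilt in a temp dir with plain "openssl req/x509" and a minimal config of
# its own. It then runs the page's "openssl verify -purpose" checks (also
# against an unrelated CA, which must fail), prints the relay_certs line for
# denton's fingerprint and checks for an expiring cert. Host names are the
# page's; "Some other CA" is made up for the negative test.
set -u

# issue_cert CN EXTFILE DAYS: key + CSR + CA-signed cert in the current dir
# ("openssl req -new" followed by "openssl ca" on the page).
issue_cert() {
    cn=$1; ext=$2; days=$3
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "${cn}_key.pem" -out "${cn}_req.pem" 2>/dev/null || return 1
    openssl x509 -req -in "${cn}_req.pem" -CA ca_cert.pem -CAkey ca_key.pem \
        -CAcreateserial -days "$days" -sha256 -extfile "$ext" \
        -out "${cn}_cert.pem" 2>/dev/null || return 1
    chmod 0400 "${cn}_key.pem"   # same mode the page gives the Postfix key copy
}

# make_ca_and_certs: build our CA, an unrelated CA and both leaf certs in a
# fresh temp dir; print the dir.
make_ca_and_certs() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # CA extensions: CA:TRUE and keyCertSign are what make "openssl verify"
        # accept the cert as an issuer.
        cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = replaced by -subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        # Leaf extensions: CA:FALSE plus a purpose-specific EKU, so that
        # "verify -purpose" can tell a server cert from a client cert.
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
        # Three years, like default_days = 1095 on the page.
        openssl req -new -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 \
            -days 1095 -subj '/C=SE/O=Thuree mail server/CN=Thuree CA' \
            -keyout ca_key.pem -out ca_cert.pem 2>/dev/null || exit 1
        openssl req -new -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 \
            -days 1095 -subj '/CN=Some other CA' \
            -keyout other_key.pem -out other_cert.pem 2>/dev/null || exit 1
        issue_cert mollie.thuree.com server.ext 365 || exit 1   # SMTP/IMAP server
        issue_cert denton.thuree.com client.ext 365 || exit 1   # relaying client
    ) || return 1
    echo "$dir"
}

# verify_cert CAFILE CERT PURPOSE: 0 if CERT chains to CAFILE and is usable for
# PURPOSE (sslserver / sslclient), 1 otherwise; the page's verify lines.
verify_cert() {
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# relay_certs_line CERT HOSTNAME DIGEST: the "fingerprint hostname" line for
# /etc/postfix/relay_certs. DIGEST must be the one Postfix computes: md5 on the
# page's Postfix-TLS; on current Postfix see "postconf
# smtpd_tls_fingerprint_digest" (sha256 by default since 3.6).
relay_certs_line() {
    fp=$(openssl x509 -noout -fingerprint "-$3" -in "$1" | cut -d= -f2) || return 1
    [ -n "$fp" ] || return 1
    echo "$fp $2"
}

# cert_expires_within CERT DAYS: 0 (true) if CERT expires within DAYS days.
# "x509 -checkend" exits 0 only while the cert stays valid that long.
cert_expires_within() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

demo() {
    d=$(make_ca_and_certs) || { echo "could not build certificates" >&2; return 1; }
    verify_cert "$d/ca_cert.pem" "$d/mollie.thuree.com_cert.pem" sslserver \
        && echo "mollie: OK as sslserver under our CA" || echo "mollie: FAILED as sslserver"
    verify_cert "$d/ca_cert.pem" "$d/denton.thuree.com_cert.pem" sslclient \
        && echo "denton: OK as sslclient under our CA" || echo "denton: FAILED as sslclient"
    verify_cert "$d/other_cert.pem" "$d/mollie.thuree.com_cert.pem" sslserver \
        && echo "BUG: unrelated CA accepted" || echo "mollie: rejected under an unrelated CA (correct)"
    verify_cert "$d/ca_cert.pem" "$d/denton.thuree.com_cert.pem" sslserver \
        && echo "BUG: client cert usable as server" || echo "denton: not a server cert (clientAuth only)"
    echo "relay_certs: $(relay_certs_line "$d/denton.thuree.com_cert.pem" denton.thuree.com md5)"
    if cert_expires_within "$d/mollie.thuree.com_cert.pem" 30; then
        echo "WARNING: mollie's certificate expires within 30 days"
    else
        echo "mollie's certificate is good for more than 30 days"
    fi
    rm -rf "$d"
}

demo
```

Run cert_expires_within against the live /etc/ssl/certs/mollie_cert.pem and /etc/apache-ssl/apache.pem from cron and you get a warning a month before the expiry that this section had to repair after the fact. The EKU split is the reason "openssl verify -purpose sslclient" and "-purpose sslserver" are two different checks on the page: a certificate without an extendedKeyUsage passes both, one issued for a single purpose passes only its own.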
Configure SquirrelMail
----------------------

vi /etc/php4/apache2/php.ini
  #max_execution_time = 30   ; Maximum execution time of each script, in seconds
  max_execution_time = 180   ; Maximum execution time of each script, in seconds
  max_input_time = 60        ; Maximum amount of time each script may spend parsing request data
  #memory_limit = 8M         ; Maximum amount of memory a script may consume (8MB)
  memory_limit = 80M         ; Maximum amount of memory a script may consume

  /usr/sbin/squirrelmail-configure

Plugins (those marked with "*" are from www.squirrelmail.org)
-------
Installed plugins:
  1.  message_details
  2.  sent_subfolders
  3.  abook_take
  4.  info
  5.  mail_fetch
  6.  squirrelspell
  7.  translate
  8.  change_passwd *
  9.  compatibility *
  10. timeout_user *
  11. pupdate *
  12. avelsieve *
  13. unsafe_image_rules *
  14. view_as_html *
  15. notify *
  16. newmail
  17. fortune
  18. listcommands

Turn on threaded view in SquirrelMail: config.pl, option 4, selections 10 & 11.

Spell check for SquirrelMail
----------------------------
  apt-get install ispell wamerican

ADD a New User
==============
  adduser <name>
  cyradm localhost
    cm user.<name>
    cm user.<name>.Junk
    cm user.<name>.Junk.Spam
    cm user.<name>.Junk.AutoSpam
    cm user.<name>.SaLearn
    cm user.<name>.SaLearn.Spam
    cm user.<name>.SaLearn.Ham
    sam user.<name> <user> li
    sam user.<name>.Spam <user> li
    quit

http://www.oreilly.de/catalog/mimap/chapter/ch09.html

  /etc/init.d/postfix restart

Upload the user's Sieve script with sieveshell, either as the admin on behalf of the user:
  sieveshell -u <user> -a <admin> localhost
or logged in as the user:
  sieveshell localhost
and then, inside sieveshell:
  put <script-file>

Some Postfix commands
=====================
  mailq                     -> list the queued mails
  postsuper -d <queue-id>   -> delete a mail from the queue

Cyrus
=====
For the administrator, so that he can delete and manage the mailboxes
(root is the configured admin):
  cyradm localhost
    setaclmailbox user.<name> root c
    deletemailbox user.<name>

DShield?
========
http://www.dshield.org/

To help test Postfix
====================
  apt-get install swaks      (on another computer, recommended)

Sieve scripts
=============

  # Draft 1
  # Bengt Thuree 2004-02-21
  # Spam, list and system rules
  require "fileinto";

  # MailScanner writes one "s" per spam point; twelve or more is certain spam,
  # six or more is suspicious. Test the longer string first.
  if header :contains ["X-thuree-MailScanner-SpamScore"] "ssssssssssss" {
      fileinto "INBOX.Spam";
      stop;
  }
  if header :contains ["X-thuree-MailScanner-SpamScore"] "ssssss" {
      fileinto "INBOX.PossibleSpam";
      stop;
  }
  if header :contains ["List-Id"] "debian-user" {
      fileinto "INBOX.debian-user";
      stop;
  }
  if header :contains ["Subject"] "assp - Open Discussion" {
      fileinto "INBOX.assp";
      stop;
  }
  if anyof (header :contains ["From"] "daemon@mollie.thuree.com",
            header :contains ["From"] "root@thuree.com",
            header :contains ["From"] "root@mollie.thuree.com") {
      fileinto "INBOX.mollie";
      stop;
  }
  if header :contains ["From"] "JENSVirusCheckService" {
      # discard;
      fileinto "INBOX.Spam";
      stop;
  }

PostFix files
=============

init.d/postfix
--------------
  #!/bin/sh -e
  # Start or stop Postfix
  #
  # LaMont Jones
  # based on sendmail's init.d script
  #
  # Modified here to run a second Postfix instance (/etc/postfix.outgoing)
  # and to postmap the lookup tables before starting.

  PATH=/bin:/usr/bin:/sbin:/usr/sbin
  DAEMON=/usr/sbin/postfix
  DAEMON2="/usr/sbin/postfix -c /etc/postfix.outgoing"
  PIDFILE=/var/run/postfix.pid
  NAME=Postfix
  TZ=
  unset TZ

  # Defaults - don't touch, edit /etc/default/postfix
  SYNC_CHROOT="y"

  test -f /etc/default/postfix && . /etc/default/postfix

  #test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0
  test -x $DAEMON && test -f /etc/postfix/main.cf && test -f /etc/postfix.outgoing/main.cf || exit 0

  case "$1" in
    start)
      echo -n "Starting mail transport agent: Postfix"
      # postmap all needed files first
      POSTMAP_FILES="client_checks helo_checks relay_certs sender_checks tls_per_site"
      for POSTMAP_FILE in ${POSTMAP_FILES}; do
          postmap /etc/postfix/${POSTMAP_FILE}
          postmap /etc/postfix.outgoing/${POSTMAP_FILE}
      done
      # see if anything is running chrooted.
      NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
      if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
          # Make sure that the chroot environment is set up correctly.
          oldumask=$(umask)
          umask 022
          cd $(postconf -h queue_directory)

          # if we're using unix:passwd.byname, then we need to add etc/passwd.
          local_maps=$(postconf -h local_recipient_maps)
          if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
              # if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
              sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
              chmod a+r etc/passwd
              # fi
          fi

          # NB: etc/sasldb2 holds SASL secrets and is made world-readable here.
          # It is not needed when pwcheck_method is saslauthd; drop it from the
          # list unless you really use sasldb.
          FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
              etc/nsswitch.conf etc/sasldb2"
          for file in $FILES; do
              [ -d ${file%/*} ] || mkdir -p ${file%/*}
              if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
              if [ -f ${file} ]; then chmod a+rX ${file}; fi
          done
          rm -f usr/lib/zoneinfo/localtime
          ln -sf /etc/localtime usr/lib/zoneinfo/localtime
          rm -f lib/libnss_*so*
          tar cf - /lib/libnss_*so* 2>/dev/null | tar xf -

          # Fix peers' SSL certificates
          mkdir -p etc/ssl/tls_peers
          #if [ -f /etc/ssl/tls_peers/* ]; then
          c_rehash /etc/ssl/tls_peers/
          #fi
          tar cf - /etc/ssl/tls_peers/ 2>/dev/null | tar xf -

          # Same chroot contents for the outgoing instance
          cp -rp etc $(postconf -c /etc/postfix.outgoing -h queue_directory)
          cd $(postconf -c /etc/postfix.outgoing -h queue_directory)
          mkdir -p usr/lib/zoneinfo
          mkdir -p var/run
          rm -f usr/lib/zoneinfo/localtime
          ln -sf /etc/localtime usr/lib/zoneinfo/localtime
          rm -f lib/libnss_*so*
          tar cf - /lib/libnss_*so* 2>/dev/null | tar xf -
          umask $oldumask
      fi
      ${DAEMON} start 2>&1 | (grep -v 'starting the Postfix' 1>&2 || /bin/true)
      ${DAEMON2} start 2>&1 | (grep -v 'starting the Postfix' 1>&2 || /bin/true)
      echo "."
      ;;
    stop)
      echo -n "Stopping mail transport agent: Postfix"
      ${DAEMON} stop 2>&1 | (grep -v 'stopping the Postfix' 1>&2 || /bin/true)
      ${DAEMON2} stop 2>&1 | (grep -v 'stopping the Postfix' 1>&2 || /bin/true)
      echo "."
      ;;
    restart)
      $0 stop
      $0 start
      ;;
    force-reload|reload)
      echo -n "Reloading Postfix configuration..."
      ${DAEMON} reload 2>&1 | (grep -v 'refreshing the Postfix' 1>&2 || /bin/true)
      ${DAEMON2} reload 2>&1 | (grep -v 'refreshing the Postfix' 1>&2 || /bin/true)
      echo "done."
      ;;
    flush)
      ${DAEMON} flush
      ${DAEMON2} flush
      ;;
    check)
      ${DAEMON} check
      ${DAEMON2} check
      ;;
    *)
      echo "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|force-reload}"
      exit 1
      ;;
  esac

  exit 0

---------------

mollie:/etc/postfix# more recipient_checks.pcre
  # Note: You must have PCRE support built in to Postfix at
  # compile time to use this. (Though I've been told the following are
  # valid POSIX REs ["regexp:" map type], as well.)
  #
  # Postfix doesn't relay by default. But it may *appear* to do so
  # to some testers. The first two statements below remove all doubt.
  /^\@/                    550 Invalid address format.
  /[!%\@].*\@/             550 This server disallows weird address syntax.

  # Let email to the following destinations bypass all the remaining
  # "reject" and "check" tests. We always want to let email for these
  # recipients in.
  /^postmaster\@/          OK
  /^hostmaster\@/          OK
  /^abuse\@/               OK

  # Note: The "OK"s above, for postmaster, etc., will *not*
  # bypass header and body checks. There is currently no way
  # to do so with Postfix :(
  #
  # Remember where I said, at the very beginning, about how
  # order is important? Whatever you do, do *not* place an
  # access map like this one before the "permit_mynetworks"
  # and "reject_unauth_destination" statements. Not unless
  # you want to be an open relay, anyway.

---

mollie:/etc/postfix# more helo_checks.pcre
  # Note: You must have PCRE support built in to Postfix at
  # compile time to use this.
  #
  # No, you won't find this entry in my "smtpd_recipient_restrictions,"
  # above. I'm not doing this check (at this time).
  # If you want to be really picky about it: HELO'ing with an IP
  # address is RFC-compliant - *if* it's enclosed in square brackets
  # ("[]"s). (One would think "reject_invalid_hostname" checks for
  # this, but it does not.)
  #
  # Somebody HELO'ing with a non-RFC-compliant dotted-quad IP
  # address? For shame! (I don't do this check, btw.)
  /^[0-9]+(\.[0-9]+){3}$/  REJECT Invalid hostname

---

mollie:/etc/postfix# more client_checks.pcre
  # Postfix' dbm/hash files don't allow CIDR notation, netmasks
  # or address ranges, but you can achieve the same end with
  # regular expressions.
  #
  # Again: these are in PCRE notation. But you could accomplish
  # the same with POSIX REs. (I just don't know how.)
  #
  # NB: the three patterns below are unanchored (110.9.8.1 matches the first
  # one too) and a pcre map returns the FIRST matching line, so the REJECT
  # for 10.9.[89].* already catches 10.9.8.7 before its OK line is reached.
  # Anchor with ^ and $ and put exceptions first, as the CIDR example does.

  # 10.9.8.0 - 10.9.9.255
  /10\.9\.[89]\.\d+/       REJECT

  # 10.9.8.0 - 10.9.10.255 is generally no good, but 10.9.8.7 is OK
  /10\.9\.8\.7/            OK
  /10\.9\.([89]|10)\.\d+/  554 Go away. We don't want any!

  # A much more complex example of listing a (CIDR) IP range
  # (If this makes your eyes cross, just ignore it for now)
  # 10.33.192.0/19 = 10.33.192.0 - 10.33.223.255
  /^10\.33\.((19[2-9])|(2(0[0-9]|1[0-9]|2[0-3])))\.\d{1,3}$/ REJECT

  # Postfix experimental release 20030706 contains experimental
  # support for CIDR-based lookup tables, so the regexp-type lookups
  # for address ranges may soon no longer be necessary. To see if
  # your version of Postfix supports CIDR-based maps, do a "man
  # cidr_table" and look for "cidr" in the output of "postconf -m".

---

mollie:/etc/postfix# more helo_checks
  # This file has to be "compiled" with "postmap"

  # Reject anybody that HELO's as being in our own domain(s)
  # (Note that if you followed the order suggested in the main.cf
  # examples, above, machines in mynetworks will be okay.)
  thuree.com               REJECT You are not in thuree.com

  # Somebody HELO'ing with our IP address?
  192.168.20.50            REJECT You are not 192.168.20.50

  # Somebody HELO'ing as "localhost"? Impossible, we're "localhost"
  localhost                REJECT You are not me

---

mollie:/etc/postfix# more sender_checks
  # This file must be "compiled" with "postmap"

  # Using a domain name
  # example.tld            554 Spam not tolerated here

  # Maybe example2.tld is on a DNSBL, but we want to let their
  # email in anyway.
  # example2.tld           OK

  # We get lots of spam from example3.tld, but we have somebody
  # there from whom we do want to hear
  # someuser@example3.tld  OK
  # example3.tld           REJECT

---

mollie:/etc/postfix# more client_checks
  # This file must be "compiled" with "postmap"

  # Using a domain name
  # example.tld            554 Spam not tolerated here

  # Maybe example2.tld is on a DNSBL, but we want to let their
  # email in anyway.
  # example2.tld           OK

  # Checking by IP address
  # 10.0.0.0/8
  # 10                     554 Go away!
  # 172.16/16
  # 172.16                 554 Bugger off!
  # 192.168.4/24 is bad, but 192.168.4.128 is okay
  # 192.168.4.128          OK
  # 192.168.4              554 Take a hike!
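The warning in recipient_checks.pcre (never put an access map before permit_mynetworks and reject_unauth_destination unless you want to be an open relay) is easy to break when main.cf is edited over the years, so here is a small lint for it. It is an added example, not part of the original notes: it reads the smtpd_recipient_restrictions value from a main.cf-style file, follows Postfix continuation lines, and fails if anything that can answer OK to a stranger comes before reject_unauth_destination, or if reject_unauth_destination is missing altogether. The three main.cf fragments it checks are constructed here for the demonstration; point it at /etc/postfix/main.cf for the real thing.

```shell
#!/bin/sh
# Added example, not from the original page: a lint for the order of
# smtpd_recipient_restrictions, the point the recipient_checks.pcre comment
# makes (never put an access map before permit_mynetworks and
# reject_unauth_destination unless you want to be an open relay). Postfix
# walks the list left to right and stops at the first restriction that
# answers OK, so anything that can say OK to a stranger (a check_*_access map
# with OK lines, a bare "permit", permit_dnswl_client, a policy service ...)
# must come after reject_unauth_destination; only the permits for clients we
# knowingly relay for (mynetworks, SASL, TLS client cert) and
# permit_auth_destination may precede it. The main.cf fragments below are
# constructed for the demo; nothing reads the real /etc/postfix/main.cf
# unless you pass it in.

# restrictions FILE PARAM: print PARAM's value from a main.cf-style file, one
# token per line, following continuation lines (lines starting with
# whitespace) and dropping the commas.
restrictions() {
    awk -v p="$2" '
        inval && /^[ \t]/ { print; next }
        inval { inval = 0 }
        $0 ~ ("^" p "[ \t]*=") { sub(/^[^=]*=/, ""); print; inval = 1 }
    ' "$1" | tr -s ' \t,' '\n\n\n' | sed '/^$/d'
}

# relay_safe FILE [PARAM]: 0 if the order cannot open a relay, else 1 with the
# reason on stderr. On Postfix 2.10+ run it again with
# PARAM=smtpd_relay_restrictions, which is evaluated before the recipient list.
relay_safe() {
    param=${2:-smtpd_recipient_restrictions}
    seen=0
    for r in $(restrictions "$1" "$param"); do
        case "$r" in
            *:*|*.*)
                # argument of the previous restriction: a map spec such as
                # hash:/etc/postfix/client_checks or a DNS zone; skip it
                continue ;;
            reject_unauth_destination|defer_unauth_destination)
                seen=1 ;;
            permit_mynetworks|permit_sasl_authenticated|permit_tls_clientcerts|permit_auth_destination)
                ;;   # permit only clients/destinations we really relay for
            reject|reject_*|defer_*|warn_if_reject)
                ;;   # can never answer OK
            *)
                if [ "$seen" -eq 0 ]; then
                    echo "UNSAFE $1: '$r' comes before reject_unauth_destination" >&2
                    return 1
                fi ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "UNSAFE $1: $param never rejects unauthorised destinations" >&2
        return 1
    fi
    return 0
}

# make_samples: write three constructed main.cf fragments; print the dir.
make_samples() {
    d=$(mktemp -d) || return 1
    # The page's order (trimmed): the maps come after reject_unauth_destination.
    cat > "$d/safe.cf" <<'EOF'
myhostname = mollie.thuree.com
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_client_access hash:/etc/postfix/client_checks,
    permit
smtpd_data_restrictions = reject_unauth_pipelining permit
EOF
    # Same entries with the maps moved up front: the "postmaster@ OK" line in
    # recipient_checks.pcre now lets anyone relay to postmaster@anywhere, and
    # any OK in client_checks lets that client relay to everywhere.
    cat > "$d/open_relay.cf" <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks
    check_client_access hash:/etc/postfix/client_checks
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
    reject_unauth_destination permit
EOF
    # No reject_unauth_destination at all: Postfix permits at the end of the list.
    cat > "$d/missing.cf" <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_sender
EOF
    echo "$d"
}

# Lint the samples; for a live server: relay_safe /etc/postfix/main.cf
d=$(make_samples)
for f in safe open_relay missing; do
    relay_safe "$d/$f.cf" && echo "$f.cf: OK"
done
rm -rf "$d"
```

The check is deliberately conservative: a policy service such as postgrey only ever answers DUNNO or a reject, but the lint treats every check_policy_service as if it could say OK, because nothing in main.cf guarantees what a policy daemon returns. The telnet relay test earlier on this page remains the final proof; this script just catches the mistake before the reload.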