History of postmax

Version 20

postmax

How to configure Postfix to be fully tricked out with maximum high quality of service

Created by: Anonymous, Last modification: 28 Apr 2008 (15:54 UTC) by spiderr
This installation guide is intended to walk you through completely setting up a mail server with the maximum spam and anti-virus protection available from the open-source community. This technique is almost identical to installed in Mac OS X Server Mail.

1. Software Install


yum install postfix spamassassin amavisd-new clamav
chkconfig postfix on
chkconfig clamd on
chkconfig freshclam on
chkconfig amavisd on


For RedHat / CentOS, you might need to get the RPM's from DAG

2. Anti-Virus Configuration

Tweak /etc/amavisd.conf with your host information, and uncomment the clamd scanner

['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "127.0.0.1:3310"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

You might need to change the socket listed with "127.0.0.1:3310" as listed above. SpamAssassin settings are made in this file. Also, make sure $inet_socket_port = 10024; See detailed explanation of amavisd.conf for more information.


<?php
/etc/init.d/clamd start
service amavisd start
service clamd start
# If you are behind a proxy, you need adjust /etc/freshclam.conf
freshclam
service freshclam start
?>


postconf -e 'content_filter = amavis:127.0.0.1:10024'
postconf -e 'receive_override_options = no_address_mappings'

Append these lines to /etc/postfix/master.cf

amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1

Restart postfix

If you run a server for a significant number of users, you will want to run several virus scans at once. Change the 2 in two places: "- - - - 2" as above in master.cf, and "$max_servers = 2;" in amavisd.conf. These numbers should always match.

3. Test Setup

Use telnet to see if the appropriate ports are open:

telnet yourhost.com 25
telnet localhost 3310
telnet localhost 10025
telnet localhost 10024

4. IP Address Spam Prevention

RBLDNSD

This is a local DNS server database that performs local (e.g. FAST) DNS lookups against a list of dynamic and blacklisted IP's. Successful local lookup means it's on the blacklist and will be rejected.

  1. Install the rbldns RPM (available in Fedora Extras, or source)
  2. Edit your named.conf and add:
    
    zone "clients.blocked.rbl" IN {
            type forward;
            forward first;
            forwarders { 127.0.0.1 port 530; };
    };
    zone "hosts.blocked.rbl" IN {
            type forward;
            forward first;
            forwarders { 127.0.0.1 port 530; };
    };
  3. Edit /etc/sysconfig/rbldnsd and add the following lines:
    
    RBLDNSD="dsbl -r/var/lib/rbldnsd -b 127.0.0.1/530 \
    clients.blocked.rbl:ip4set:clients,dynamic \
    hosts.blocked.rbl:dnset:hosts \
    "
  4. Get the latest RBLDNS databases and move database files to /var/lib/rbldnsd
  5. Gentlepeople, start your daemons: "service restart named; service restart rbldnsd;" Test with telnet localhost 53; and telnet locahost 530;
  6. Preform a test lookup:
    
    $dig @localhost 223.61.83.162.clients.blocked.rbl -t txt
    ;; ANSWER SECTION:
    223.61.83.162.clients.blocked.rbl. 2048 IN TXT "DNSBL. 162.83.61.223 is a known spam source. Mail from 162.83.61.223 is NOT accepted on this server!"
  7. Update the following line of your /etc/postfix/main.cf
    
    smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,reject_rbl_client clients.blocked.rbl,reject_rhsbl_client hosts.blocked.rbl,reject_rhsbl_sender hosts.blocked.rbl

En-masse IP Block Here is a tutorial for Blocking E-mail from China and Korea using Postfix and the Okean CIDR Blocks

5. DNS Spam Prevention

There are two main options DomainKeys, and SenderID.
DomainKeys were invented by Yahoo, SenderID was invented by Microsoft. These are arguably competing techniques, however, implementing both seems to have no ill-effect. Given SenderID was invented by Microsoft, you can be assured Outlook Server SMTP gateways employ SenderID, and are unlikely to support DomainKeys any time soon. In early 2005 when these proposals came out simultaneously, they were seen as competing techniques. As time has passed, they are now seen as more complementary, and typically both are implemented.

DomainKeys

To use DomainKeys, typically a filter or "plugin" is needed for your SMTP gateway. There is a postfix filter that is fairly easy to install and configure. Several perl modules need to be installed:

cpan -i Crypt::OpenSSL::RSA Mail::Address MIME::Base64 Net::DNS Net::Server Test::More


SenderID (and SPF)

SenderID merged with a smaller group called Sender Policy Framework (SPF). SPF is a very simple mechanism for specifying which servers are valid for sending your email and is much simpler to implement than DomainKeys. Microsoft holds several patents in relation to the SenderID framework, however it released those patents in the "public domain" this past october. Beyond the typical cynicism of Microsoft's ulterior motives, SPF has a significant amount of technical criticism. Regardless, many major ISP's are using SPF to filter mail, including AOL (and RoadRunner) which has in some reports exclusively implemented SPF to some degree. (Spamassassin reports SOFT_FAIL reports from bogus .rr.com emails.) Spamassassin easily supports SPF with a few simple cpan installs.

The quickest way to get the DNS entries up and running is to follow the wizard.

References and Other tutorails

http://devnull.com/kyler/dspam.20040512.html
http://howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-mandriva2008.1-p3
Page History
Date/CommentUserIPVersion
30 May 2008 (11:33 UTC)
spamassassin sa-update
spiderr66.194.217.22351
Current • Source
spiderr66.194.217.22350
View • Compare • Difference • Source
spiderr66.194.217.22249
View • Compare • Difference • Source
spiderr66.194.217.22248
View • Compare • Difference • Source
spiderr66.194.217.22247
View • Compare • Difference • Source
spiderr66.194.217.22146
View • Compare • Difference • Source
spiderr66.194.217.22145
View • Compare • Difference • Source
spiderr66.194.217.22343
View • Compare • Difference • Source
spiderr66.194.217.22240
View • Compare • Difference • Source
spiderr66.194.217.22337
View • Compare • Difference • Source
spiderr66.194.217.22335
View • Compare • Difference • Source
spiderr66.194.217.22233
View • Compare • Difference • Source
spiderr66.194.217.22232
View • Compare • Difference • Source
spiderr66.194.217.22331
View • Compare • Difference • Source
spiderr66.194.217.22128
View • Compare • Difference • Source
spiderr66.194.217.22227
View • Compare • Difference • Source
spiderr66.194.217.22224
View • Compare • Difference • Source
spiderr66.194.217.22123
View • Compare • Difference • Source
spiderr66.194.217.22120
View • Compare • Difference • Source
spiderr69.134.60.20414
View • Compare • Difference • Source
spiderr66.194.217.2211
View • Compare • Difference • Source