-o smtpd_data_restrictions=
|
-o mynetworks=127.0.0.0/8
|
-o receive_override_options=no_unknown_recipient_checks{/code}
|
+#Add outbound filter to sign outgoing messages in postfix configuration __/etc/postfix/master.cf__{code souce="txt"} |
+# |
+# modify the default submission service to specify a content filter |
+# and restrict it to local clients and SASL authenticated clients only |
+# |
+submission inet n - n - - smtpd |
+ -o smtpd_etrn_restrictions=reject |
+ -o smtpd_sasl_auth_enable=yes |
+ -o content_filter=dksign:[127.0.0.1]:10028 |
+ -o receive_override_options=no_address_mappings |
+ -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
|
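Review bot: The submission entry sets smtpd_sasl_auth_enable=yes, but none of its -o overrides requires TLS, so unless main.cf already enforces it, SASL credentials can be sent in cleartext. Consider adding -o smtpd_tls_security_level=encrypt (or -o smtpd_tls_auth_only=yes) to this service. Separately, the opening tag on the first added line reads {code souce="txt"}; "souce" should be "source", as in the other blocks.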
-!!SenderID (and SPF)
|
-SenderID merged with a smaller group called Sender Policy Framework (SPF). SPF is a very simple mechanism for specifying which servers are valid for sending your email and is much simpler to implement than DomainKeys. Microsoft holds several patents in relation to the SenderID framework, however it released those patents in the "public domain" this past october. Beyond the typical cynicism of Microsoft's ulterior motives, SPF has a significant [http://www.advogato.org/article/816.html|amount of technical criticism]. Regardless, [http://itmanagement.earthweb.com/columns/executive_tech/article.php/3604761|many major ISP's are using SPF] to filter mail, including AOL (and RoadRunner) which has in some reports exclusively implemented SPF to some degree. (Spamassassin reports SOFT_FAIL reports from bogus .rr.com emails.) Spamassassin easily supports SPF with a few simple cpan installs.
|
+# |
+# specify the location of the DKIM signing proxy |
+# Note: the smtp_discard_ehlo_keywords option requires a recent version of |
+# Postfix. Leave it off if your version does not support it. |
+# |
+dksign unix - - n - 10 smtp |
+ -o smtp_send_xforward_command=yes |
+ -o smtp_discard_ehlo_keywords=8bitmime,starttls |
|
+# |
+# service for accepting messages FROM the DKIM signing proxy |
+# |
+127.0.0.1:10029 inet n - n - 10 smtpd |
+ -o content_filter= |
+ -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks |
+ -o smtpd_helo_restrictions= |
+ -o smtpd_client_restrictions= |
+ -o smtpd_sender_restrictions= |
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject |
+ -o mynetworks=127.0.0.0/8 |
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8{/code} |
+!!SenderID (and SPF) |
+SenderID merged with a smaller group called Sender Policy Framework (SPF). SPF is a very simple mechanism for specifying which servers are valid for sending your email and is much simpler to implement than DomainKeys. Microsoft holds several patents in relation to the SenderID framework, however it released those patents in the "public domain" this past october. Beyond the typical cynicism of Microsoft's ulterior motives, SPF has a significant [http://www.advogato.org/article/816.html|amount of technical criticism]. Regardless, [http://itmanagement.earthweb.com/columns/executive_tech/article.php/3604761|many major ISP's are using SPF] to filter mail, including AOL (and RoadRunner) which has in some reports exclusively implemented SPF to some degree. (Spamassassin reports SOFT_FAIL reports from bogus .rr.com emails.) |
+!!!Spamassassin SPF Support |
+#Install SPF perl module{code source="txt"}cpan -i Mail::SPF::Query{/code} |
+!!!SPF Outbound support |
The quickest way to get the DNS entries up and running is to [http://www.openspf.org/FAQ/Manage_my_own|follow the wizard].
|
+ |
+!Spam Detection |
+There are two top spam tools - DSPAM and spamassassin. |
+ |
+!6. Spamassassin Configuration |
+#The spamassassin site has a review on [http://wiki.apache.org/spamassassin/IntegratedInPostfixWithAmavis|integrating amavis and spamassassin], which is mostly ready to go by default.symlinking the bayes databases ( __ln -s /var/spool/amavis/.spamassassin /root__ ) is a good idea so you can use sa-learn by hand to stock you bayes database. Review [http://www.ijs.si/software/amavisd/#faq-spam|amavis + spamassassin FAQ] to tweak your configuration parameters. |
+#Configure __sa-update__ - add [http://saupdates.openprotect.com/|OpenProtect Rules] to update daily.{code source="bash"}$ wget http://saupdates.openprotect.com/pub.gpg |
+$ sa-update --nogpg --import pub.gpg |
+$ crontab -e |
+... add ... |
+1 5 0 0 0 sa-update --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com --channel updates.spamassassin.org |
+{/code} |
+!![http://razor.sourceforge.net/|Razor] |
+#Get the [http://razor.sourceforge.net/|latest SDK source] and install {code source="bash"}wget http://unc.dl.sourceforge.net/sourceforge/razor/razor-agents-sdk-2.07.tar.gz |
+tar xvzf razor-agents-sdk-2.07.tar.gz |
+cd razor-agents-sdk-2.07 |
+perl Makefile.PL && make && make install # Or, if not root: perl Makefile.PL PREFIX=$HOME && make && make install{/code} |
+# Get the [http://razor.sourceforge.net/|latest agents source] and register agents{code source="bash"}wget http://unc.dl.sourceforge.net/sourceforge/razor/razor-agents-2.84.tar.gz |
+tar xvzf razor-agents-2.84.tar.gz |
+cd razor-agents-2.84 |
+perl Makefile.PL PREFIX=$HOME && make && make install # Or, if installing system-wide as root: perl Makefile.PL && make && make install |
+razor-admin -create |
+razor-admin -discover |
+razor-admin -register{/code} |
+# Disable razor logging, else you will quickly fill up /var/. Edit __/var/spool/amavisd/.razor/razor-agent.conf__ and add: debuglevel = 0 |
|
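Review bot: The crontab entry "1 5 0 0 0 sa-update ..." is not a valid schedule, because the day-of-month and month fields do not accept 0; for the daily update this step describes, use "1 5 * * * sa-update ..." (05:01 every day). In the same step, pub.gpg is fetched over plain HTTP and imported with --nogpg, the flag that turns off GPG verification; drop --nogpg from the import and compare the downloaded key's fingerprint with the value passed to --gpgkey before trusting the channel. The Razor steps also point at /var/spool/amavisd/.razor while the Spamassassin step uses /var/spool/amavis/.spamassassin, and the agents are built with PREFIX=$HOME while the SDK is installed system-wide; pick one home directory and one install prefix and say which user runs razor-admin.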
!Troubleshooting
|
*Be sure to watch your logs, such as: tail -f /var/log/maillog
|
*Config tinkering can lead to one of the services being down..
|
*On SLES 10, it seems clamd can take up to 10 minutes to begin accepting connections. Reason currenly unknown. Please chime in if you have any ideas.
|
+*Check your open ports with __netstat -lp__ and you should see somthing like:{code source="txt}# netstat -lp |
+Active Internet connections (only servers) |
+Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name |
+tcp 0 0 localhost:10024 *:* LISTEN 2011/amavisd (maste |
+tcp 0 0 localhost:10025 *:* LISTEN 19755/master |
+tcp 0 0 localhost:10026 *:* LISTEN 19221/perl |
+tcp 0 0 localhost:10027 *:* LISTEN 19755/master |
+tcp 0 0 localhost:10028 *:* LISTEN 19229/perl |
+tcp 0 0 localhost:10029 *:* LISTEN 19755/master |
+tcp 0 0 localhost:dyna-access *:* LISTEN 1803/clamd |
+tcp 0 0 localhost:domain *:* LISTEN 1875/named |
+tcp 0 0 *:smtp *:* LISTEN 19755/master |
+tcp 0 0 *:domain *:* LISTEN 1875/named |
+tcp 0 0 *:ssh *:* LISTEN 2064/sshd |
+tcp 0 0 *:smtp *:* LISTEN 19755/master |
+*snip*{/code} |
+* Error like : {code source="text"}child process [20099]: Error closing main::stdin: Bad file descriptor at /usr/sbin/amavisd line 1872, <GEN8> line 74.\n{/code} Net: :Server 0.91 (or later) introduced a change which makes it incompatible with amavisd-new-2.3.3 (or earlier). Either [http://www.ijs.si/software/amavisd/#download|upgrade amavis] or downgrade your perl Net: :Server |
|
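Review bot: The opening tag on the netstat item, {code source="txt}, is missing the closing quote after txt, which will likely break rendering of the listing. In the listing itself the *:smtp row appears twice and there is no row for the submission service this change configures, so the sample should be regenerated (or the expected submission listener mentioned) so readers can use it as a checklist. In the last item, "Net: :Server" should read Net::Server in both places, and "somthing" should be "something".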
!References and Other tutorails
|
+[http://www.akadia.com/services/postfix_amavisd.html] Similar setup to postmax with mysql and quarantining web app. |
+[http://wiki.apache.org/spamassassin/SingleUserUnixInstall] |
[http://devnull.com/kyler/dspam.20040512.html]
|
[http://howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-mandriva2008.1-p3] |