build:postfix

build:postfix [2008/02/11 01:47]
4.245.76.22 Major revision of entire page, see posting to sysadmin list for details.
build:postfix [2008/07/22 13:51] (current)
151.145.245.20
Line 4: Line 4:
  
 The SLUUG sysadmins were divided on whether to use Postfix or Sendmail. Most of the admins more familiar with Linux prefer Postfix; most of the admins used to older UNIX systems would have preferred to use Sendmail. The 2 factors that slightly tipped the scales toward Postfix were the available documentation on setting up many of the features we want, and the preference of the people who installed it. The SLUUG sysadmins were divided on whether to use Postfix or Sendmail. Most of the admins more familiar with Linux prefer Postfix; most of the admins used to older UNIX systems would have preferred to use Sendmail. The 2 factors that slightly tipped the scales toward Postfix were the available documentation on setting up many of the features we want, and the preference of the people who installed it.
 +
  
 ===== Installation ===== ===== Installation =====
 +The default MTA in Debian is EXIM. In the default install the log rotation is already configured in /​etc/​cron.daily for EXIM, so remove the script
 +<code rootshell>​
 +rm /​etc/​cron.daily/​exim4-base
 +</​code>​
  
 Do the [[Firewall|"​Firewall"​ procedure]] first, if not already done, since you need several ports open for testing mail. Do the [[Firewall|"​Firewall"​ procedure]] first, if not already done, since you need several ports open for testing mail.
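Review bot: the `rm /etc/cron.daily/exim4-base` line removes a dpkg-managed conffile by hand, so dpkg still records exim4-base as owning it; if the exim4 packages are no longer wanted once Postfix is the MTA, `apt-get remove --purge exim4-base` removes the cron job together with the rest of the package and leaves nothing for dpkg to track. The new paragraph would also read better with one sentence of context: installing postfix removes the exim4 daemon package because both provide mail-transport-agent, but exim4-base and its cron script stay behind, which is why this step is needed at all.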
Line 38: Line 43:
  
 Tell the SMTP server what domains to accept email for. Do NOT list any VIRTUAL domains here. The distinguishing feature of non-virtual domains (the ones listed here) is that any real user ID that exists on the box (or is listed in the aliases file) is a valid address in the domain. The valid addresses in a virtual domain have to be explicitly listed in the virtual alias map. Tell the SMTP server what domains to accept email for. Do NOT list any VIRTUAL domains here. The distinguishing feature of non-virtual domains (the ones listed here) is that any real user ID that exists on the box (or is listed in the aliases file) is a valid address in the domain. The valid addresses in a virtual domain have to be explicitly listed in the virtual alias map.
-The list of domains in the example below is only for the main mail server. ​ For other systems, see the next example.+The list of domains in the example below is only for the main mail server. ​ For other systems, see the next example.  You will probably have to unwrap the following command to be one line.
 <code rootshell>​ <code rootshell>​
-postconf -e '​mydestination=test.sluug.org, ​$mydomain, $myhostname,​ localhost, woodlandchows.com,​ \ +postconf -e '​mydestination=$mydomain,​ $myhostname, ​
-  ​cab3.dyndns.org, ​buchek.com, craigbuchek.com,​ boochtek.com'​+localhost, woodlandchows.com,​ \ 
 +buchek.com, craigbuchek.com,​ boochtek.com, \ 
 +www.sluug.org,​ mail.sluug.org'
 </​code>​ </​code>​
  
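Review bot: the rewritten `postconf -e '​mydestination=...'` command breaks its value across lines inside single quotes, where `\` is not a continuation character, so the literal backslashes and newlines become part of the mydestination value; the added warning "You will probably have to unwrap the following command to be one line" is the author acknowledging this rather than fixing it. Either show the command on one line, or use the double-quoted form with line-end `\` that the HELO and sender commands further down already use; in that case `$mydomain` and `$myhostname` must be written `\$mydomain` and `\$myhostname`, otherwise the shell expands them to empty strings before postconf sees them. It is also worth stating that `test.sluug.org` and `cab3.dyndns.org` were dropped deliberately, so a reader comparing the two lists does not assume an editing accident.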
Line 120: Line 127:
  
 This section configures some settings that will help reject spam due to the behavior of the spam programs. This does not include spam //​filtering//,​ which rejects spam due to the content (and headers) of the spam messages. That will be covered by a separate program, and the configuration to connect to that program will be covered in a separate section. This section configures some settings that will help reject spam due to the behavior of the spam programs. This does not include spam //​filtering//,​ which rejects spam due to the content (and headers) of the spam messages. That will be covered by a separate program, and the configuration to connect to that program will be covered in a separate section.
 +
 +=== Initial options ===
  
 First, don't tell the SMTP clients that we're rejecting their message until they'​ve specified the sender and the recipient. This is required by some broken clients, but has several other advantages. First, it wastes more of the spammer'​s time and resources. Second, it allows us to log the sender and recipient info of all attempted messages. First, don't tell the SMTP clients that we're rejecting their message until they'​ve specified the sender and the recipient. This is required by some broken clients, but has several other advantages. First, it wastes more of the spammer'​s time and resources. Second, it allows us to log the sender and recipient info of all attempted messages.
Line 131: Line 140:
 </​code>​ </​code>​
  
-The next thing we want to do is check the contents of the HELO string. If the connection is from one of our trusted networkswe don't need to perform the check. Next we look at the ''/​etc/​postfix/​helo_access''​ file, and perform the action specified in that file for any host names that match a host name in the file. If the host name provided in the HELO command ​is not a valid FQDN, we reject the connection. If the client tries to use SMTP command pipelining without asking, we reject the connection. Otherwise we permit the connection.+Turn off the VRFY commandso spammers cannot verify whether an address ​is valid or not.
 <code rootshell>​ <code rootshell>​
-postconf -e "​smtpd_helo_restrictions=permit_mynetworks,​ \ +postconf -e '​disable_vrfy_command=yes'
-  check_helo_access hash:/​etc/​postfix/​helo_access,​ \ +
-  reject_non_fqdn_hostname,​ reject_invalid_hostname,​ \ +
-  reject_unauth_pipelining,​ permit"​+
 </​code>​ </​code>​
  
-Now we need to create ​the ''/​etc/​postfix/​helo_access''​ file. We want to reject anyone who sends us our own IP address or host name in the HELO string. Add all your possible IP addresses and host names, so the file looks something like this:+=== Tests to the value of the SMTP HELO command === 
 + 
 +The next thing we want to do is check the contents of the HELO string. If the connection is from one of our trusted networks, we don'​t ​need to perform the check. Next we look at the ''/​etc/​postfix/​helo_access''​ file, and perform the action specified in that file for any host names that match a host name in the file. If the host name provided in the HELO command is not a valid FQDN, we reject the connection. If the client tries to use SMTP command pipelining without asking, we reject the connection. Otherwise we permit the connection. 
 + 
 +Create ​the ''/​etc/​postfix/​helo_access''​ file. We want to reject anyone who sends us our own IP address or host name in the HELO string. Add all your possible IP addresses and host names, so the file looks something like this:
 <code configfile>​ <code configfile>​
 # We want to reject anyone who pretends that they have our address. # We want to reject anyone who pretends that they have our address.
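Review bot: `disable_vrfy_command=yes` only closes the VRFY route to address harvesting; a client can still probe one recipient per RCPT TO, so a sentence pointing readers to the recipient-side restrictions and to the greylisting section below would set expectations correctly. The relocated HELO paragraph now describes `reject_non_fqdn_hostname`, `reject_invalid_hostname` and the `helo_access` lookup before the `postconf` line that sets them, which has moved after `postmap`; that ordering is correct, since the hash: map must exist when the restriction is evaluated, and saying so in the text would stop readers from re-ordering the steps.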
Line 154: Line 164:
 postmap /​etc/​postfix/​helo_access postmap /​etc/​postfix/​helo_access
 </​code>​ </​code>​
 +
 +Update the configuration file to use the database, and other desired options.
 +
 +<code rootshell>​
 +postconf -e "​smtpd_helo_restrictions=permit_mynetworks,​ \
 +  check_helo_access hash:/​etc/​postfix/​helo_access,​ \
 +  reject_non_fqdn_hostname,​ reject_invalid_hostname,​ \
 +  reject_unauth_pipelining,​ permit"​
 +</​code>​
 +
 +=== Tests to the value of the SMTP MAIL FROM command ===
  
 Next, we want to take a look at the sender'​s address, unless the sender is on the local network, or they'​ve authenticated themselves via SASL. We want to reject any sender address that's not using a FQDN. (I.e. we reject things like ''​bill@nonfqdnhostname''​ and ''​bill''​.) And we'll also reject the message if the sender'​s domain does not have an A or MX record in DNS. Next, we want to take a look at the sender'​s address, unless the sender is on the local network, or they'​ve authenticated themselves via SASL. We want to reject any sender address that's not using a FQDN. (I.e. we reject things like ''​bill@nonfqdnhostname''​ and ''​bill''​.) And we'll also reject the message if the sender'​s domain does not have an A or MX record in DNS.
 +
 +Create the access database source file, ''/​etc/​postfix/​sender_access''​ using your favorite text editor.
 +Add in comments and desired entries in the form below. ​ Check any existing systems for what entries we are currently using, or just copy from another of our Debian systems.
 +
 +<​code>​
 +#​*******************************************************************************
 +#
 +# Database to give you the ability to allow or refuse to accept mail
 +# based on the MAIL FROM command.
 +#
 +# This is used with the smtpd_sender_restrictions option.
 +#
 +# Rebuild the database with:  postmap /​etc/​postfix/​sender_access
 +#
 +#​*******************************************************************************
 +
 +# We were spammed by zorpia on 19 Oct 2007
 +zorpia.com ​     550 "​Disallowed due to prior spam history"​
 +</​code>​
 +
 +Generate the database from the source file:
 +
 +<code rootshell>​
 +postmap /​etc/​postfix/​sender_access
 +</​code>​
 +
 +Update the configuration file to use the database, and other desired options.
 +
 <code rootshell>​ <code rootshell>​
-postconf -e "​smtpd_sender_restrictions=permit_mynetworks,​ \+postconf -e "​smtpd_sender_restrictions=hash:/​etc/​postfix/​sender_access,​ \ 
 +  ​permit_mynetworks,​ \
   permit_sasl_authenticated,​ reject_non_fqdn_sender,​ \   permit_sasl_authenticated,​ reject_non_fqdn_sender,​ \
   reject_unknown_sender_domain,​ permit"​   reject_unknown_sender_domain,​ permit"​
 </​code>​ </​code>​
  
 +=== Greylisting ===
 NOTE: See also the [[#​greylisting|Greylisting section]] below. It does even more thorough spam avoidance, but it's in a separate section because it requires a separate program. NOTE: See also the [[#​greylisting|Greylisting section]] below. It does even more thorough spam avoidance, but it's in a separate section because it requires a separate program.
  
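Review bot: in `smtpd_sender_restrictions` the bare `hash:/​etc/​postfix/​sender_access` entry is the shorthand form; writing it as `check_sender_access hash:/etc/postfix/sender_access` states which address the table is matched against and mirrors the `check_helo_access` line in the HELO rule above. Placing the lookup ahead of `permit_mynetworks` and `permit_sasl_authenticated` means a listed domain is refused even from internal hosts and authenticated users, which is presumably intended but deserves a sentence. Two caveats the text should carry: the MAIL FROM domain is chosen by the remote client, so a `sender_access` blocklist only stops senders who keep reusing the same domain and should stay short and dated (the `zorpia.com` entry's comment is a good model); and `reject_non_fqdn_hostname` / `reject_invalid_hostname` in the HELO rule were renamed `reject_non_fqdn_helo_hostname` / `reject_invalid_helo_hostname` in Postfix 2.3, with the old names still accepted. Minor style point: the `sender_access` listing uses a plain `<code>` block where the `helo_access` listing uses `<code configfile>`.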
Line 314: Line 365:
  
 We also have a list of static IPs that we allow to replay through us. These are located in ''/​etc/​postfix/​mynetworks''​. This list of IPs was taken from Dark; we do not have any documentation on who was using them. After a few months of production use, we'll check the logs to see which are still being used, and delete the rest. We'll also try to convert all the users to authenticate via SASL/TLS instead of hard-coding their IPs. We also have a list of static IPs that we allow to replay through us. These are located in ''/​etc/​postfix/​mynetworks''​. This list of IPs was taken from Dark; we do not have any documentation on who was using them. After a few months of production use, we'll check the logs to see which are still being used, and delete the rest. We'll also try to convert all the users to authenticate via SASL/TLS instead of hard-coding their IPs.
 +
  
 ==== SMTP Security Extensions (STARTTLS and SASL) ==== ==== SMTP Security Extensions (STARTTLS and SASL) ====
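Review bot: "allow to replay through us" in the unchanged paragraph should read "relay through us". Since every entry in `mynetworks` grants relaying on source IP alone with no authentication, the planned review of the undocumented addresses is a security fix rather than housekeeping; pinning it to a date or a log check, rather than "after a few months", would be appropriate.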
Line 321: Line 373:
 Most of this was stolen from [[http://​www.jimmy.co.at/​weblog/?​p=52|Jimmys Weblog - Postfix and SASL]] and [[http://​www.nervous.it/​txt/​Postfix-SMTP-AUTH-4-DUMMIES.html|Postfix SMTP-AUTH 4 DUMMIES]]. I admit to blatant cut 'n paste. Most of this was stolen from [[http://​www.jimmy.co.at/​weblog/?​p=52|Jimmys Weblog - Postfix and SASL]] and [[http://​www.nervous.it/​txt/​Postfix-SMTP-AUTH-4-DUMMIES.html|Postfix SMTP-AUTH 4 DUMMIES]]. I admit to blatant cut 'n paste.
  
-===required packges=== +=== Required Packages ​=== 
-First install ​postfix-tls ​and sasl librarys required for postfix+First install ​some prerequisites that are required to get TLS/​SSL ​and SASL working with Postfix.
 <code rootshell>​ <code rootshell>​
-apt-get install ​postfix-tls sasl2-bin libsasl2 libsasl2-modules+apt-get install ​openssl ssl-cert ca-certificates 
 +apt-get install ​sasl2-bin libsasl2 libsasl2-modules 
 +apt-get install postfix-tls
 </​code>​ </​code>​
  
-===saslauthd===+Next, you'll need to create the SSL certificates. We've not documented this part well, but this might do the trick: 
 +<code rootshell>​ 
 +openssl -gencert postfix 
 +</​code>​ 
 + 
 + 
 + 
 +=== saslauthd ===
 Edit ''/​etc/​default/​saslauthd''​ to enable SASL and ensure we're using PAM: Edit ''/​etc/​default/​saslauthd''​ to enable SASL and ensure we're using PAM:
 <​file>​ <​file>​
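Review bot: `openssl -gencert postfix` is not an openssl(1) command and will fail, and the surrounding text admits the step is undocumented. The hunk already installs `ssl-cert`, whose `make-ssl-cert generate-default-snakeoil` produces a self-signed test certificate and key (`/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/etc/ssl/private/ssl-cert-snakeoil.key`); `openssl req -new -x509 -nodes -keyout <key> -out <cert>` is the generic equivalent. Whichever is used, the text should say that a self-signed certificate gives encryption but no identity verification for connecting clients, that the private key must be readable only by root, and that the chosen paths have to match the certificate and key parameters set in the TLS block below. Note also that on current Debian releases TLS support is built into the `postfix` package and `postfix-tls` is only a transitional package.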
Line 334: Line 395:
 </​file>​ </​file>​
  
-===smtpd.conf===+=== smtpd.conf ===
 Create ''/​etc/​postfix/​sasl/​smtpd.conf''​ and tell it to use ''​saslauthd''​ for SMTP authentication:​ Create ''/​etc/​postfix/​sasl/​smtpd.conf''​ and tell it to use ''​saslauthd''​ for SMTP authentication:​
 <​file>​ <​file>​
Line 341: Line 402:
 </​file>​ </​file>​
  
-===main.cf=== +=== main.cf === 
-Add SASL configuration directives to ''/​etc/​postfix/​main.cf''​ by using ''​postconf -e''​+Add SASL configuration directives to the Postfix configuration:​
 <code rootshell>​ <code rootshell>​
 postconf -e '​smtpd_sasl_auth_enable=yes'​ postconf -e '​smtpd_sasl_auth_enable=yes'​
Line 350: Line 411:
 </​code>​ </​code>​
  
-To enable TLS SMTP authentication,​ add these options ​to ''/​etc/​postfix/​main.cf''​:+To enable TLS SMTP authentication,​ add these options:
 <code rootshell>​ <code rootshell>​
 postconf -e '​smtpd_use_tls=yes'​ postconf -e '​smtpd_use_tls=yes'​
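Review bot: since this block exists so that clients can authenticate over TLS, make sure `smtpd_tls_auth_only = yes` is among the options set here, so that AUTH is only offered after STARTTLS and plaintext passwords are never accepted on an unencrypted session. `smtpd_use_tls=yes` is the pre-2.3 parameter; on Postfix 2.3 and later the equivalent is `smtpd_tls_security_level = may`, with the old name kept for backward compatibility, and the text could mention that for readers on newer releases.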
Line 361: Line 422:
  
 ===master.cf=== ===master.cf===
-Add or uncomment the following lines in /​etc/​postfix/​master.cf to allow smtps via port 465.+Add or uncomment the following lines in /​etc/​postfix/​master.cf to allow SMTPS via port 465.
 <​file>​ <​file>​
 # Turn smtps on for port 465 # Turn smtps on for port 465
Line 371: Line 432:
  
 ===shorewall=== ===shorewall===
-Add the following line to **/​etc/​shorewall/​rules** to open the smtps port in shorewall+Add the following line to **/​etc/​shorewall/​rules** to open the SMTPS port in Shorewall
 <​file>​ <​file>​
 ACCEPT ​ net     ​$FW ​    tcp 465 ACCEPT ​ net     ​$FW ​    tcp 465
 </​file>​ </​file>​
  
-Then restart ​shorewall+Then restart ​Shorewall:
 <​code>​ <​code>​
 /​etc/​init.d/​shorewall restart /​etc/​init.d/​shorewall restart
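Review bot: the restart command sits in a plain `<code>` block while every other root command on the page uses `<code rootshell>`; the capitalization fixes to "SMTPS" and "Shorewall" are fine. The rule opens tcp/465 from `net` to the firewall, which is the intent, but a sentence noting that the SASL configuration above should only accept AUTH on the TLS-protected port would tie the firewall step back to why the port is being opened.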
build/postfix.1202716065.txt.gz · Last modified: 2008/02/11 01:47 by 4.245.76.22