Configure Postfix


[root@mail ~]#yum -y install postfix

Loading "installonlyn" plugin
Loading "fastestmirror" plugin
Setting up Install Process
Setting up repositories
base 100% |=========================| 1.1 kB 00:00
updates 100% |=========================|951 B 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00

Loading mirror speeds from cached hostfile
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for postfix to pack into transaction set.
postfix-2.3.3-2.i386.rpm 100% |========================| 41 kB 00:00
---> Package postfix.i386 2:2.3.3-2 set to be updated
--> Running transaction check
Dependencies Resolved

===========================================================
Package Arch Version Repository Size
===========================================================
Installing: postfix i386 2:2.3.3-2 base 3.6 M
Transaction Summary
===========================================================
Install 1 Package(s)

Update 0 Package(s)

Remove 0 Package(s)
Total download size: 3.6 M
Downloading Packages:
(1/1): postfix-2.3.3-2.i3 100% |====================| 3.6 M 00:00

Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: postfix
#################################### [1/1]
Installed: postfix.i386 2:2.3.3-2
Complete!

[root@mail ~]#
[root@mail ~]#vi /etc/postfix/main.cf // edit the file
myhostname = mail.server-linux.info // line 70: make valid and specify hostname
mydomain = server-linux.info // line 77: make valid and specify domain name
myorigin = $mydomain // line 93: make valid
inet_interfaces = all // line 110: change
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain // line 155: add
mynetworks = 127.0.0.0/8, 192.168.0.0/24 // line 255: make valid and specify LAN
home_mailbox = Maildir/ // line 410: make valid (use Maildir); for the sendmail-style mbox layout use mail_spool_directory = /var/mail instead
header_checks = regexp:/etc/postfix/header_checks // line 536: make valid
body_checks = regexp:/etc/postfix/body_checks // add
message_size_limit = 5242880 // bottom: add (limit an email 5M)
mailbox_size_limit = 104857600 // limit mailbox 100M
smtpd_sasl_auth_enable = yes // these 4 lines are for SMTP-Auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, permit_sasl_authenticated, reject
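As an added example (not part of the original page), the following shell script reads the effective value of a parameter back out of main.cf, following Postfix's own rules for continuation lines and for a parameter that is set twice, and checks that mynetworks and smtpd_recipient_restrictions together do not leave the host usable as an open relay. It runs against a constructed copy of the settings above plus a deliberately weakened variant; the file paths, function names and warning text are this example's own, not Postfix's.

```shell
#!/bin/sh
# Added example (not from the page): read the effective value of a
# parameter out of a Postfix main.cf and check the two settings that decide
# whether this host relays for strangers. Paths and names are placeholders.
set -eu

# Effective value of one main.cf parameter, following main.cf syntax:
# "#" lines and blank lines are ignored, a line that starts with whitespace
# continues the previous parameter, and the last assignment wins.
postconf_get() {   # $1 = path to main.cf, $2 = parameter name
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur == want) val = val " " $0; next }   # continuation line
        {
            cur = $0; sub(/=.*/, "", cur); gsub(/[ \t]/, "", cur)
            if (cur == want) { val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
        }
        END { gsub(/[ \t]+/, " ", val); print val }' "$1"
}

# Returns 0 when an unauthenticated client cannot relay through this host,
# 1 otherwise, printing one WARN line per finding. Two conditions:
#   - mynetworks must not contain 0.0.0.0/0 (permit_mynetworks would then
#     trust the whole internet);
#   - smtpd_recipient_restrictions must contain reject_unauth_destination
#     or end in a plain "reject", as the page's list does, so that no
#     catch-all permit is the last word.
check_relay_policy() {   # $1 = path to main.cf
    rc=0
    nets=" $(postconf_get "$1" mynetworks | tr ',' ' ') "
    case "$nets" in
        *' 0.0.0.0/0 '*) echo "WARN: mynetworks trusts every client:$nets"; rc=1 ;;
    esac
    restr=" $(postconf_get "$1" smtpd_recipient_restrictions | tr ',' ' ' | tr -s ' ') "
    case "$restr" in
        *' reject_unauth_destination '*|*' reject ') ;;
        *) echo "WARN: smtpd_recipient_restrictions leaves relaying open:$restr"; rc=1 ;;
    esac
    return $rc
}

# Constructed main.cf files: the values set on this page, and the same file
# with a later assignment that widens mynetworks and a restriction list
# that has lost its final reject.
write_sample_configs() {   # $1 = directory to write into
    cat > "$1/main.cf.page" <<'EOF'
# constructed copy of the settings used on this page
myhostname = mail.server-linux.info
mydomain = server-linux.info
myorigin = $mydomain
inet_interfaces = all
mynetworks = 127.0.0.0/8, 192.168.0.0/24
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,
    permit_sasl_authenticated, reject
EOF
    sed -e 's/, reject$//' "$1/main.cf.page" > "$1/main.cf.weak"
    echo 'mynetworks = 0.0.0.0/0' >> "$1/main.cf.weak"
}

dir=$(mktemp -d)
write_sample_configs "$dir"
for f in "$dir/main.cf.page" "$dir/main.cf.weak"; do
    echo "== $f: mynetworks = $(postconf_get "$f" mynetworks)"
    if check_relay_policy "$f"; then echo "OK: relay policy is closed"; fi
done
```

On a real host the same check can be run against `postconf -n` output, which already has continuations and duplicates resolved; the parser here exists so the example runs without Postfix installed.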

[root@mail ~]#vi /etc/postfix/header_checks // edit the file

/^From:.*<#.*@.*>/ REJECT // add at the head of file
/^Return-Path:.*<#.*@.*>/ REJECT // reject empty address email
/^Received:/ IGNORE // hide Received section

[root@mail ~]# vi /etc/postfix/body_checks // create the file

/^(|[^>].*)example.com/ REJECT // reject email that includes example.com

[root@mail ~]#/etc/rc.d/init.d/sendmail stop // stop

Shutting down sm-client: [ OK ]

Shutting down sendmail: [ OK ]

[root@mail ~]#chkconfig sendmail off

[root@mail ~]#alternatives --config mta // change default MTA

There are 2 programs which provide 'mta'.
Selection Command
-----------------------------------------------
*+ 1 /usr/sbin/sendmail.sendmail
2 /usr/sbin/sendmail.postfix

Enter to keep the current selection[+], or type selection number:2 // change to postfix

[root@mail ~]#/etc/rc.d/init.d/postfix start // start

Starting postfix: [ OK ]

[root@mail ~]#/etc/rc.d/init.d/saslauthd start // start

Starting saslauthd: [ OK ]

[root@mail ~]#chkconfig postfix on // set autostart

[root@mail ~]#chkconfig saslauthd on // set autostart

[root@ns ~]#vi /var/named/server-linux.info.lan
$TTL 86400
@ IN SOA ns.server-linux.info. root.server-linux.info. (
2007041805; Serial // update serial number
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
IN NS ns.server-linux.info.
IN A 192.168.0.17
IN MX 10 mail.server-linux.info. // change
ns IN A 192.168.0.17
www IN A 192.168.0.18
mail IN A 192.168.0.19
nfs IN CNAME ns.server-linux.info.
ftp IN CNAME www.server-linux.info.

[root@ns ~]#vi /var/named/server-linux.info.wan

$TTL 86400
@ IN SOA ns.server-linux.info. root.server-linux.info. (
2007041805 ;Serial // update serial number
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
IN NS ns.server-linux.info.
IN A 172.16.0.82
IN MX 10 mail.server-linux.info. // change
ns IN A 172.16.0.82
www IN A 172.16.0.82
mail IN A 172.16.0.82

[root@ns ~]#rndc reload // reload
server reload successful

================================

Installing Dovecot

[root@mail ~]#yum -y install dovecot

Loading "installonlyn" plugin
Loading "fastestmirror" plugin
Setting up Install Process
Setting up repositories
base 100% |=========================| 1.1 kB 00:00

updates 100% |=========================| 951 B 00:00

addons 100% |=========================| 951 B 00:00

extras 100% |=========================| 1.1 kB 00:00

Loading mirror speeds from cached hostfile
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for dovecot to pack into transaction set.
dovecot-1.0-1.2.rc15.el5. 100% |========================| 27 kB 00:00
---> Package dovecot.i386 0:1.0-1.2.rc15.el5 set to be updated
--> Running transaction check
--> Processing Dependency: libmysqlclient.so.15(libmysqlclient_15) for package: dovecot
--> Processing Dependency: libmysqlclient.so.15 for package: dovecot
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for mysql to pack into transaction set.
mysql-5.0.22-2.1.i386.rpm 100% |========================| 35 kB 00:00
---> Package mysql.i386 0:5.0.22-2.1 set to be updated
--> Running transaction check
--> Processing Dependency: perl(DBI) for package: mysql
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for perl-DBI to pack into transaction set.
perl-DBI-1.52-1.fc6.i386. 100% |========================| 16 kB 00:00
---> Package perl-DBI.i386 0:1.52-1.fc6 set to be updated
--> Running transaction check

Dependencies Resolved

===========================================================
Package Arch Version Repository Size
===========================================================
Installing:
dovecot i386 1.0-1.2.rc15.el5 base 1.5 M
Installing for dependencies:
mysql i386 5.0.22-2.1 base 3.0 M
perl-DBI i386 1.52-1.fc6 base 605 k

Transaction Summary
===========================================================
Install 3 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 5.1 M
Downloading Packages:
(1/3): mysql-5.0.22-2.1.i100% |====================| 3.0 MB 00:00

(2/3): dovecot-1.0-1.2.rc100% |====================| 1.5 MB 00:00

(3/3): perl-DBI-1.52-1.fc100% |====================|605 kB 00:00

Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: perl-DBI

#################################### [1/3]

Installing: mysql

#################################### [2/3]

Installing: dovecot

#################################### [3/3]

Installed: dovecot.i386 0:1.0-1.2.rc15.el5
Dependency Installed: mysql.i386 0:5.0.22-2.1 perl-DBI.i386 0:1.52-1.fc6
Complete!
[root@mail ~]#
[root@mail ~]#vi /etc/dovecot.conf // edit the file

protocols = imap imaps pop3 pop3s // line 17: make valid
mail_location = maildir:~/Maildir // line 204: make valid and add

// for the sendmail-style mbox layout use instead: mail_location = mbox:~/mail:INBOX=/var/mail/%u

[root@mail ~]#/etc/rc.d/init.d/dovecot start // start

Starting Dovecot Imap: [ OK ]
[root@mail ~]#chkconfig dovecot on // set autostart

=================================
[root@mail ~]#cd /etc/pki/tls/certs
[root@mail certs]#make server.key // make private key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.................................++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase: // set pass phrase
Verifying - Enter pass phrase: // verify
[root@mail certs]#
[root@mail certs]#openssl rsa -in server.key -out server.key // remove the pass phrase so the daemons can read the key at startup
Enter pass phrase for server.key: // input pass phrase
writing RSA key
[root@mail certs]#
[root@mail certs]#make server.csr // make certificate signing request
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NP // country
State or Province Name (full name) [Berkshire]:Kathmandu // state
Locality Name (eg, city) [Newbury]:Kathmandu // city
Organization Name (eg, company) [My Company Ltd]:Server Linux // company
Organizational Unit Name (eg, section) []:IT Solution // unit
Common Name (eg, your server's hostname) []:mail.server-linux.info // FQDN
Email Address []:root@server-linux.info // email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // Enter with empty
An optional company name []: // Enter with empty

[root@mail certs]#
[root@mail certs]#openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
// create a self-signed certificate that is valid for 10 years

Signature ok
subject=/C=NP/ST=Kathmandu/L=Kathmandu/O=Server Linux/OU=IT Solution/CN=mail.server-linux.info/emailAddress=root@server-linux.info
Getting Private key
[root@mail certs]#chmod 400 server.* // change permissions

[root@mail certs]#
[root@mail certs]#vi /etc/postfix/main.cf
// edit the file

smtpd_use_tls = yes // add these lines at the bottom

smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

[root@mail certs]#vi /etc/postfix/master.cf // edit the file

// line 14-16: make valid (the -o lines must stay indented)

smtps inet n - n - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes

[root@mail certs]# vi /etc/dovecot.conf // edit the file
ssl_disable = no // line 81: change

ssl_cert_file = /etc/pki/tls/certs/server.crt // line 87: make valid and specify cert file

ssl_key_file = /etc/pki/tls/certs/server.key // line 88: make valid and specify key file

[root@mail certs]# /etc/rc.d/init.d/postfix restart // restart

Shutting down postfix: [ OK ]
Starting postfix: [ OK ]

[root@mail certs]#/etc/rc.d/init.d/dovecot restart // restart

Stopping Dovecot Imap:[ OK ]

Starting Dovecot Imap:[ OK ]

=================================

Adding Virtual Host

[root@ns ~]#vi /etc/named.conf
// insert these lines in view "internal" section
zone "virtual.info" IN {
type master;
file "virtual.info.lan";
allow-update { none; };
};

// insert these lines in view "external" section

zone "virtual.info" IN {
type master;
file "virtual.info.wan";
allow-update { none; };
};

[root@ns ~]#cp /var/named/server-linux.info.lan /var/named/virtual.info.lan

[root@ns ~]#cp /var/named/server-linux.info.wan /var/named/virtual.info.wan

[root@ns ~]#vi /var/named/virtual.info.lan
// modify like following example

$TTL 86400

@ IN SOA ns.server-linux.info. root.virtual.info. (
2007042201 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
IN NS ns.server-linux.info.
IN A 192.168.0.17
IN MX 10 mail.server-linux.info.
www IN A 192.168.0.18
mail IN A 192.168.0.19

[root@ns ~]# vi /var/named/virtual.info.wan

// modify like following example
$TTL 86400

@ IN SOA ns.server-linux.info. root.virtual.info. (
2007042201 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
IN NS ns.server-linux.info.
IN A 172.16.0.82
IN MX 10 mail.server-linux.info.
www IN A 172.16.0.82
mail IN A 172.16.0.82

[root@ns ~]# cd /usr/sbin

[root@ns sbin]#./bind-chroot-admin -e // put the new zone files into the bind chroot
Stopping named: [ OK ]
Starting named: [ OK ]

[root@ns ~]# dig mail.virtual.info.
;; ANSWER SECTION:
mail.virtual.info. 86400 IN A 192.168.0.19 // normally answered

[root@mail ~]#vi /etc/postfix/main.cf

virtual_alias_domains = virtual.info // add these lines at the bottom
virtual_alias_maps = hash:/etc/postfix/virtual

[root@mail ~]#vi /etc/postfix/virtual // edit the file

userA@virtual.info userB // add at the head: mail for userA@virtual.info is delivered to local user userB

[root@mail ~]#postmap /etc/postfix/virtual // build the lookup table
[root@mail ~]#/etc/rc.d/init.d/postfix restart // restart
Shutting down postfix:[ OK ]
Starting postfix:[ OK ]

====================================

Antivirus

[root@mail ~]#yum --enablerepo=dag -y install clamd amavisd-new

———- many packages are installed ———-

[root@mail ~]#vi /etc/clamd.conf

LocalSocket /var/run/clamav/clamd.sock // line 72: change

#TCPSocket 3310 // line 80: comment it out

AllowSupplementaryGroups yes // line 149: change

[root@mail ~]#vi /etc/amavisd.conf

$mydomain = 'server-linux.info'; // line 20: specify domain name

#$virus_admin = "virusalert\@$mydomain"; // line 80: comment out so no notification is sent when a virus is detected

$myhostname = 'mail.server-linux.info'; // line 113: make valid and specify FQDN

$notify_method = 'smtp:[127.0.0.1]:10025'; // line 115,116: make valid

$forward_method = 'smtp:[127.0.0.1]:10025';

$final_virus_destiny = D_DISCARD; // line 118: make these 4 lines valid

$final_banned_destiny = D_BOUNCE;

$final_spam_destiny = D_BOUNCE;

$final_bad_header_destiny = D_PASS;

['ClamAV-clamd', // line 321: make these 4 lines valid
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], // add
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

[root@mail ~]#vi /etc/postfix/main.cf

content_filter=smtp-amavis:[127.0.0.1]:10024 // add at the bottom

[root@mail ~]#vi /etc/postfix/master.cf

// add these lines at the bottom (the -o lines must be indented)
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
[root@mail ~]#/etc/rc.d/init.d/clamd start // start

Stopping Clam AntiVirus Daemon:[ OK ]

Starting Clam AntiVirus Daemon: Running as user clamav (UID 100, GID 101) [ OK ]
[root@mail ~]#/etc/rc.d/init.d/amavisd start // start

Starting Mail Virus Scanner (amavisd): [ OK ]

[root@mail ~]#/etc/rc.d/init.d/spamassassin start // start

Starting spamd:[ OK ]

[root@mail ~]#/etc/rc.d/init.d/postfix restart // restart

Shutting down postfix:[ OK ]

Starting postfix: [ OK ]

[root@mail ~]#chkconfig amavisd on // set autostart

[root@mail ~]#chkconfig spamassassin on // set autostart

[root@mail ~]#chkconfig clamd on // set autostart

=====================================

Log Analyzer

[root@mail ~]#cd /usr/share/logwatch/default.conf/logfiles

[root@mail logfiles]#mv maillog.conf maillog.conf.bk // rename

[root@mail logfiles]#touch maillog.conf // create empty file
[root@mail logfiles]#/usr/sbin/logwatch // run logwatch
[root@mail ~]#yum -y install postfix-pflogsumm // install pflogsumm
[root@mail ~]#perl /usr/sbin/pflogsumm -d yesterday /var/log/maillog // display summary of yesterday's maillog
[root@mail ~]# crontab -e // add to cron

// send a summary of the maillog to root every day at 01:00
00 01 * * * perl /usr/sbin/pflogsumm -e -d yesterday /var/log/maillog | mail -s 'Logwatch for Postfix' root
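Added example, not from the page: a maillog summary in the spirit of pflogsumm, written in awk so it runs offline against a few constructed log lines (the hosts, addresses and IPs are made up, RFC 5737 ranges). Beyond the per-status counts it lists which clients were rejected most and which clients are failing SMTP AUTH repeatedly, the figure worth alerting on once smtpd_sasl_auth_enable is on; the function names and thresholds are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): summarise a Postfix maillog with awk.
# Delivery counts, rejects per client and failed SASL logins per client.
set -eu

# Number of deliveries that ended in a given status (sent, bounced, deferred).
count_status() {   # $1 = log file, $2 = status word
    awk -v s="status=$2 " 'index($0, s) { n++ } END { print n + 0 }' "$1"
}

# "<count> <client>" per rejecting client, most rejected first. The client
# is the token after "RCPT from" in a NOQUEUE line, trailing colon removed.
rejects_by_client() {   # $1 = log file
    awk '/NOQUEUE: reject:/ {
             for (i = 1; i < NF; i++) if ($i == "from") { c = $(i + 1); sub(/:$/, "", c); n[c]++; break }
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# "<count> <client>" per client with failed SASL logins, worst first. The
# client is the "host[addr]" that smtpd names in the warning line.
sasl_failures_by_client() {   # $1 = log file
    awk '/SASL [A-Z-]+ authentication failed/ {
             c = $0; sub(/.*warning: /, "", c); sub(/\]:.*/, "]", c); n[c]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Clients whose failed-login count reaches the threshold: the list a
# firewall rule or a fail2ban jail would act on.
auth_abusers() {   # $1 = log file, $2 = threshold
    sasl_failures_by_client "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

summary() {   # $1 = log file
    for s in sent deferred bounced; do echo "$s: $(count_status "$1" "$s")"; done
    echo "rejects by client:"; rejects_by_client "$1" | sed 's/^/  /'
    echo "failed SASL logins by client:"; sasl_failures_by_client "$1" | sed 's/^/  /'
    echo "clients at or above 2 failed logins:"; auth_abusers "$1" 2 | sed 's/^/  /'
}

# Constructed sample log (not real traffic), in the format Postfix writes.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 18 00:10:01 mail postfix/smtpd[2101]: connect from unknown[203.0.113.5]
Apr 18 00:10:02 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Apr 18 00:10:03 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Apr 18 00:10:04 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <someone@example.org>: Relay access denied; from=<x@example.net> to=<someone@example.org> proto=ESMTP helo=<x>
Apr 18 00:10:05 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <other@example.org>: Relay access denied; from=<x@example.net> to=<other@example.org> proto=ESMTP helo=<x>
Apr 18 00:10:06 mail postfix/smtpd[2101]: disconnect from unknown[203.0.113.5]
Apr 18 00:12:10 mail postfix/smtpd[2130]: connect from client.example.net[198.51.100.7]
Apr 18 00:12:11 mail postfix/smtpd[2130]: NOQUEUE: reject: RCPT from client.example.net[198.51.100.7]: 550 5.1.1 <nobody@server-linux.info>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<nobody@server-linux.info> proto=ESMTP helo=<client.example.net>
Apr 18 00:12:12 mail postfix/smtpd[2130]: 7F3A1C0021: client=client.example.net[198.51.100.7]
Apr 18 00:12:14 mail postfix/local[2133]: 7F3A1C0021: to=<user@server-linux.info>, relay=local, delay=1, delays=0.5/0/0/0.5, dsn=2.0.0, status=sent (delivered to maildir)
Apr 18 00:15:00 mail postfix/smtp[2140]: 9C4B2D0034: to=<remote@example.org>, relay=none, delay=300, delays=0/0/300/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.25]:25: Connection timed out)
Apr 18 00:16:00 mail postfix/smtp[2141]: 1D5E3F0045: to=<old@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=2, delays=1/0/0.5/0.5, dsn=5.1.1, status=bounced (host mx.example.org[192.0.2.25] said: 550 5.1.1 user unknown)
Apr 18 00:17:00 mail postfix/smtp[2141]: 2E6F4A0056: to=<friend@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=2, delays=1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
EOF
summary "$SAMPLE_LOG"
```

Run it against /var/log/maillog by passing that path to summary instead of the sample; the rejects list shows whether the reject at the end of smtpd_recipient_restrictions is doing its job, and the failed-login list is what the cron job above would be worth extending with.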
===========================================

Configuring Postfix to act as a backup MX server

If you're running your own mailserver for receiving e-mail, you probably want some kind of redundancy when it goes down so you don't lose any mail. The solution to this is to configure several backup mail exchanger (or MX) servers. Postfix is a popular replacement for the classic *NIX sendmail program that, besides being a primary mail exchanger, can be configured to act as a secondary, backup MX.

Changes to Postfix’s main.cf

Postfix first needs to be allowed to work as a backup MX server, which it can do in addition to being the primary mail server for some other domain. This is done by configuring smtpd_recipient_restrictions in Postfix's main.cf configuration file (usually located in /etc/postfix/). Add permit_mx_backup to the list of restrictions. For example:

smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination permit_mx_backup

Next, the domains to act as a backup. These are added to the relay_domains option. For example:

relay_domains = $mydestination domain1.com domain2.net domain3.org

Now that Postfix knows to accept mail destined for these domains, it needs to know what to do with it. Postfix's transport maps feature can be used to route that mail on to the main mailserver. In main.cf, add a transport_maps option pointing to a lookup table in a format Postfix supports (such as hash), like so:

transport_maps = hash:/etc/postfix/transport

Postfix will then consult this table for how to deliver e-mail addressed to the domains listed in it.

Setting up Postfix transports file

Assuming you are using Postfix’s hash database format, create a new file transport (in /etc/postfix/ if following the example above). This file is a space-separated list of domains and how to deliver mail for them. For example:

domain1.com smtp:mail.domain1.com
domain2.net smtp:mail.domain2.net
domain3.org smtp:mail.domain3.org

This tells Postfix to send mail destined for domain1.com, domain2.net, and domain3.org via SMTP to mail.domain1.com, mail.domain2.net, and mail.domain3.org respectively.

After adding the above, the binary database that Postfix actually reads needs to be created. This is done by running:

postmap transport

in the directory the file transport resides.

After doing all this, you'll now have a backup MX server for your main mail server. If your main mail server goes down, mail will then get sent to this backup MX server and queued up for eventual delivery back to your main mail server when it comes back online.

Dealing with ISP Port 25 Blocking

Many ISPs these days have resorted to port blocking to curb “undesirable usage” (like running web servers, or spamming). A variant of this to prevent the sending of spam involves blocking connections on port 25 (the port for SMTP) to any server that isn’t the ISP’s SMTP server.

If you're running a mail server behind an ISP that does this, you probably already know about relayhost, which will relay all your e-mail through your ISP's mail server rather than trying to connect to other mail servers directly.

However, for a server wanting to act as a backup MX, this will not work. Mail will be received, but since the backup MX cannot connect to the main MX servers specified in the transport file, mail will get stuck in the backup MX's queue indefinitely.

The easy solution to this is to open up another port on the main mail server, such as 2525. The backup MX's transport file could be changed to deliver mail on this port:

domain1.com smtp:mail.domain1.com:2525

On the main mailserver, the smtp component of Postfix is going to have to be run on both port 25 and 2525 (complicated), or, if using Linux or some other OS with fairly lets… INCOMPLETE

Other considerations

Queue Lifetime

If your primary mail server is ever down for a long time (longer than 5 days), you may need some additional tweaking on your backup mail exchangers. By default, Postfix will expire anything sitting in its queue for longer than 5 days. These messages will get bounced back. So much for being a "backup." You can avert this behavior by adding to main.cf:

maximal_queue_lifetime = 60d

Messages will now stay in the queue for 60 days. If your primary mail server is down for longer than this, you probably have other problems. Notice that this affects ALL messages in the queue, not just ones stored for being a backup mail exchanger, so it may have other consequences.

==============================================

Please note: This is a work in progress. I do hope that this will eventually expand into a full-blown how-to, but I will probably need some assistance with it. I will also be putting notes down here as I work on a complete backup-mail server solution using ISPConfig. Feel free to make comments and questions as I work on it. Thanks.

The situation
I've been working on setting up a backup mail server for my domains for some amount of time. There are several guides out there that show you how to set one up with postfix, but they have one problem: All of the ones I've read will setup a relay server that will simply attempt to forward any mail to the entire domain to the primary server. What then happens in this case is the primary server will reject any email addresses not in its local users table, and the backup mail server will be forced to bounce the message back to the from email address. This can cause a potential problem, though; some unscrupulous person can use the backup server in a "backscatter" attack, where he will send many emails to the backup server to non-existent users that are in its domain and cause the backup email server to bounce messages back to the forged "from:" addresses, annoying end victims and painting your backup server as a culprit in this "spam" and possibly blacklisted for being in accordance with the RFCs!

The Solution
One possible solution is to simply go sod with the RFCs and prevent the backup mail server from bouncing emails, but this is a bit of a hack, does not comply with the RFC standard, and is inconsiderate to legitimate users that may have mistyped an email and should know that the message was not successfully delivered.

The better way is to maintain a list of relayable recipient addresses on the backup mail server that will be synchronized with the primary mail server's virtual users list.

The How-To
This applies to the current version of ISPConfig (version 2.2.6). This section is incomplete, but I will include an example to help with fleshing out this idea.
An example setup
Let's say we have two servers with ISPConfig setup on both running with postfix as the MTA. Let's call them server1.maindomain.tld and server2.maindomain.tld. Let's say we have a domain hosted on server1, called www.hosteddomain.tld, with server users with the addresses user1@hosteddomain.tld and user2@hosteddomain.tld.

We want to setup server2.maindomain.tld as a backup mail server for hosteddomain.tld, so our DNS records will have the following information for this domain:

Priority: 10, Host: @, Goes to: server1.maindomain.tld
Priority: 20, Host: @, Goes to: server2.maindomain.tld

On server2.maindomain.tld, we need to modify /etc/postfix/main.cf by adding the following two lines:

relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients

Then create /etc/postfix/relay_domains with the following text:

hosteddomain.tld relay

Then run the following commands:

postmap /etc/postfix/relay_domains

Next, create /etc/postfix/relay_recipients with the following text:

user1@hosteddomain.tld relay
user2@hosteddomain.tld relay

Then run:

postmap /etc/postfix/relay_recipients

The “relay” column can actually be anything, like “x” or something. It’s just that postmap requires there be two actual columns (it seems).

server2.maindomain.tld should now be acting as a backup mail server for the hosteddomain.tld domain (according to most such guides on the net and my own testing). Now, whenever a new user is added in the primary server, a new entry in "relay_recipients" will have to be added and postmap /etc/postfix/relay_recipients run to add the new user in the backup server's relay list.

My observations to flesh out an auto-syncronizing system between Primary mail server and the Backup mail server(s)
On the primary mail server, I've observed a file that would make this much simpler. This is /etc/postfix/virtualusertable. It seems simply copying this file to the backup mail server as /etc/postfix/relay_recipients with the domains setup in relay_domains might be sufficient to synchronize the list and make the backup server reject any invalid "to:" addresses without having to have itself bounce a message. The nice thing is virtualusertable also includes any aliases of users on the primary system.

What I plan on doing is creating a script that will do the following on the primary server:

1) Make a copy of the virtualusertable file in a location where the backup mail server can retrieve it, preferably http locked with a user and password login, every time this file is modified or running as a cron job.

On the backup server, I’m looking into a script that will do the following in a cronjob:

1) Retrieve the file from the primary server (probably using wget). If the retrieve failed, cancel the rest of the script. If it retrieves it, save it temporarily as “retrievedvirtualusertable”.
2) Detect any changes.
3) Parse through retrievedvirtualusertable and create a file called retrieveddomains, where it would only have all of the domains list only once.
4) Match retrieveddomains with the backup server’s local-host-names, save anything in retrieveddomains but not in local-host-names in /etc/postfix/relay_domains.
5) Run "postmap /etc/postfix/relay_domains".
6) Match retrievedvirtualusertable with the backup server's virtualusertable, save anything in retrievedvirtualusertable but not in virtualusertable in /etc/postfix/relay_recipients.
7) Run "postmap /etc/postfix/relay_recipients".

Well, this is where I’m at so far. Hopefully, I’ll have time in the next week to create these scripts to do that.
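The synchronization job sketched in the notes above, as an added working example (it is not part of the original notes or of ISPConfig). It derives relay_domains and relay_recipients for the backup MX from a copy of the primary server's virtualusertable, so the backup accepts exactly the recipients the primary knows and rejects the rest at RCPT time instead of bouncing later. Assumptions: the table has one "address target" pair per line ("#" comments and "@domain" catch-all entries allowed), local-host-names lists one domain per line, recipients are selected by relay domain rather than diffed against the backup's own table (which gives the same result when the two servers host different domains), and the URL, directories and file names used in sync_relay_maps are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original notes): build relay_domains and
# relay_recipients on a backup MX from the primary's virtualusertable.
# Paths, URL and the table format are assumptions, see the lead-in.
set -eu

# Unique domains on the left-hand side of a virtualusertable-style file.
extract_domains() {   # $1 = table file
    awk '$1 != "" && $1 !~ /^#/ && $1 ~ /@/ {
             d = tolower($1); sub(/^[^@]*@/, "", d); seen[d] = 1
         }
         END { for (k in seen) print k }' "$1" | sort
}

# "domain relay" for each retrieved domain this host does not serve itself.
build_relay_domains() {   # $1 = retrieved domains (one per line), $2 = local-host-names
    awk 'FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) mine[tolower($1)] = 1; next }
         $1 != "" && !($1 in mine) { print $1, "relay" }' "$2" "$1"
}

# "address relay" for each address whose domain is in relay_domains. A
# "@domain" catch-all is kept as-is: Postfix's relay_recipient_maps lookup
# tries the full address first and then "@domain".
build_relay_recipients() {   # $1 = retrieved table, $2 = relay_domains file
    awk 'FILENAME == ARGV[1] { relay[$1] = 1; next }
         $1 != "" && $1 !~ /^#/ && $1 ~ /@/ {
             a = tolower($1); d = a; sub(/^[^@]*@/, "", d)
             if (d in relay) print a, "relay"
         }' "$2" "$1" | sort -u
}

# The cron job: fetch the published copy, stop if the fetch fails, do
# nothing when the file is unchanged, otherwise rebuild and compile both
# maps. wget takes the HTTP credentials from ~/.netrc so they do not show
# up in the process list. Not run by the stand-alone demo below.
sync_relay_maps() {   # $1 = URL of the copy the primary server publishes
    work=${BACKUPMX_WORKDIR:-/var/lib/backup-mx}
    conf=${POSTFIX_DIR:-/etc/postfix}
    mkdir -p "$work"
    wget -q -O "$work/retrievedvirtualusertable.new" "$1" || {
        rm -f "$work/retrievedvirtualusertable.new"
        echo "fetch failed, relay maps left untouched" >&2; return 1; }
    if cmp -s "$work/retrievedvirtualusertable" "$work/retrievedvirtualusertable.new" 2>/dev/null; then
        rm -f "$work/retrievedvirtualusertable.new"; return 0     # no change
    fi
    mv "$work/retrievedvirtualusertable.new" "$work/retrievedvirtualusertable"
    extract_domains "$work/retrievedvirtualusertable" > "$work/retrieveddomains"
    build_relay_domains "$work/retrieveddomains" "$conf/local-host-names" > "$conf/relay_domains"
    build_relay_recipients "$work/retrievedvirtualusertable" "$conf/relay_domains" > "$conf/relay_recipients"
    postmap "$conf/relay_domains" && postmap "$conf/relay_recipients"
}

# Stand-alone run on constructed files (not real server data).
demo_dir=$(mktemp -d)
cat > "$demo_dir/virtualusertable" <<'EOF'
# constructed sample: address  target
user1@hosteddomain.tld   web1_user1
User2@HostedDomain.tld   web1_user2
@hosteddomain.tld        web1_user1
admin@maindomain.tld     web2_admin
EOF
printf 'server2.maindomain.tld\nmaindomain.tld\n' > "$demo_dir/local-host-names"
extract_domains "$demo_dir/virtualusertable" > "$demo_dir/retrieveddomains"
build_relay_domains "$demo_dir/retrieveddomains" "$demo_dir/local-host-names" > "$demo_dir/relay_domains"
build_relay_recipients "$demo_dir/virtualusertable" "$demo_dir/relay_domains" > "$demo_dir/relay_recipients"
echo "relay_domains:"; cat "$demo_dir/relay_domains"
echo "relay_recipients:"; cat "$demo_dir/relay_recipients"
```

With main.cf pointing relay_domains and relay_recipient_maps at the two hash tables as in the section above, a RCPT TO for an address missing from relay_recipients is refused during the SMTP dialogue, so the backup never queues a message it would later have to bounce to a forged sender.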

====================================================================

Configuring procmail for spamassassin

The /etc/procmailrc file is used by procmail to determine the procmail helper programs that should be used to filter mail. This file isn’t created by default.

spamassassin has a template you can use called /etc/mail/spamassassin/spamassassin-spamc.rc. Copy the template to the /etc directory:

     [root@bigboy tmp]# cp /etc/mail/spamassassin/spamassassin-spamc.rc /etc/procmailrc

This file forces all mail arriving for your mail server's users through Spamassassin.

Configuring spamassassin

The spamassassin configuration file is named /etc/mail/spamassassin/local.cf. You can customize this fully commented sample configuration file to meet your needs:

     ###################################################################
     # See 'perldoc Mail::SpamAssassin::Conf' for
     # details of what can be adjusted.
     ################################################################### 

     #
     # These values can be overridden by editing
     # ~/.spamassassin/user_prefs.cf (see spamassassin(1) for details)
     # 

     # How many hits before a message is considered spam. The lower the
     # number the more sensitive it is. 

     required_hits           5.0 

     # Whether to change the subject of suspected spam (1=Yes, 0=No)
     rewrite_subject         1 

     # Text to prepend to subject if rewrite_subject is used
     subject_tag             *****SPAM***** 

     # Encapsulate spam in an attachment (1=Yes, 0=No)
     report_safe             1 

     # Use terse version of the spam report (1=Yes, 0=No)
     use_terse_report        0 

     # Enable the Bayes system (1=Yes, 0=No)
     use_bayes               1 

     # Enable Bayes auto-learning (1=Yes, 0=No)
     auto_learn              1 

     # Enable or disable network checks (1=Yes, 0=No)
     skip_rbl_checks         0
     use_razor2              1
     use_dcc                 1
     use_pyzor               1 

     # Mail using languages used in these country codes will not be marked
     # as being possibly spam in a foreign language.
     # - english 

     ok_languages            en
     # Mail using locales used in these country codes will not be marked
     # as being possibly spam in a foreign language. 

     ok_locales              en

Be sure to restart spamassassin for your changes to take effect.

Startup spamassassin

The final steps are to configure spamassassin to start on booting and then to start it.

     [root@bigboy tmp]# chkconfig spamassassin on
     [root@bigboy tmp]# service spamassassin start
     Starting spamd: [  OK  ]
     [root@bigboy tmp]#

Spam Scripts

1. Place mail-filter.pl in your $HOME directory (default login directory). In this case the username is mailuser.
2. Use the chmod command to make it executable:

[root@bigboy mailuser]# chmod 700 mail-filter.pl

3. Go to the /etc/smrsh directory and create a symbolic link to the mail-filter.pl file there:

[root@bigboy mailuser]# cd /etc/smrsh
[root@bigboy smrsh]# ln -s /home/mailuser/mail-filter.pl

4. Create a .forward file in your home directory:

#!/bin/bash
| ~/mail-filter.pl

You should then be ready to go!

The mail-filter.accept File

     address: my-address@mysite.com
     address: cnn
     subject: Alumni Association

The mail-filter.reject File

     address: spammer@spammer.com
     repeataddress: my-isp-provider.net
     subject: porn

The mail-filter Script

     #!/usr/bin/perl
     #
     #
     # Mail-filter - PERL Script
     #
     #
     # Reference pages
     #
     # http://search.cpan.org/author/SIMON/Mail-Audit-2.1/Audit.pm
     # http://simon-cozens.org/writings/mail-audit.html
     #
     # PERL modules needed from
     # http://www.cpan.org/modules/01modules.index.html
     #
     # Need to install the following modules:
     #
     #      MailTools, IO-Stringy, MIME-tools & Mail-Audit in this order
#
#
# Need to have:
#
#    a logical link to this file in /etc/smrsh
#    .forward file with the following line in it
#
#         #!/bin/bash
#         | ~/mail-filter
#

use Mail::Audit;
use MIME::Lite;

#
# Spam filter variables
#

$FILEPATH           = "/home/mailuser/";
$ITEM               = Mail::Audit->new;
$FROM               = $ITEM->from();
$TO                 = $ITEM->to();
$CC                 = $ITEM->cc();
$SUBJECT            = $ITEM->subject();
$BODY               = $ITEM->body();
$DATE               = "";
$INBOX_LOG          = $FILEPATH . "mail-filter.log";
$ACCEPT_FILE        = $FILEPATH . "mail-filter.accept";
$REJECT_FILE        = $FILEPATH . "mail-filter.reject";

#################### Don't edit below here ###################

chomp($DATE = `date '+ %m/%d/%Y %H:%M:%S'`);
$DATE =~ s/^\s*(.*?)\s*$/$1/;
chomp($FROM, $TO, $CC, $SUBJECT);
study $FROM;
study $SUBJECT;
study $TO;
study $CC;

&Mail_Filter;
exit;

sub Mail_Filter {

    my %badsubjects        = ();
    my %badaddresses       = ();
    my %badrepeataddresses = ();
    my %goodsubjects       = ();
    my %goodaddresses      = ();

    #
    # Read in the configuration files. Every value in these files is used
    # below as a case-insensitive regular expression, not as a literal
    # string, so metacharacters in an entry must be escaped.
    #

    open (REJECT_FILE, "$REJECT_FILE")
        or die "Cannot open $REJECT_FILE: $!";

    while(<REJECT_FILE>){

        my $record = $_;
        my ($value, $type) = &Strip_Record($record);

        #
        # Get the bad subjects
        #
        if ($type =~ /^subject$/i){
            $badsubjects{$value} = "$type";
        }

        #
        # Get the bad address
        #
        if ($type =~ /^address$/i){
            $badaddresses{$value} = "$type";
        }

        #
        # Get the bad repeat address
        #
        if ($type =~ /^repeataddress$/i){
            $badrepeataddresses{$value} = "$type";
        }
    }
    close (REJECT_FILE);

    open (ACCEPT_FILE, "$ACCEPT_FILE")
        or die "Cannot open $ACCEPT_FILE: $!";

    while(<ACCEPT_FILE>){

        my $record = $_;
        my ($value, $type) = &Strip_Record($record);

        #
        # Get the good subjects / address
        #
        if ($type =~ /subject/i){
            $goodsubjects{$value} = "$type";
        }

        if ($type =~ /address/i){
            $goodaddresses{$value} = "$type";
        }
    }
    close (ACCEPT_FILE);

    #
    # Reject by subject
    #

    foreach my $criteria (keys %badsubjects) {
        next unless $SUBJECT =~ /$criteria/i;
        &Reject_Mail("yes");
    }

    #
    # Reject email to/from these addresses
    #

    foreach my $criteria (keys %badaddresses) {
        next unless ($TO =~ /$criteria/i) or ($CC =~ /$criteria/i) or
                    ($FROM =~ /$criteria/i);
        &Reject_Mail("yes");
    }

    #
    # Sometimes SPAM is sent to multiple addresses in the same domain.
    # Reject email if the number of addresses in the To: or Cc: >= 3
    #

    foreach my $criteria (keys %badrepeataddresses) {

        my $to_cc = $TO . " " . $CC;
        # split() yields one more piece than there are matches, so $i ends
        # up equal to the number of times $criteria occurs in To:/Cc:.
        my @repeat_test_string = split(/$criteria/, $to_cc);
        my $i = -1;
        foreach my $tmp_var (@repeat_test_string){
            $i++;
        }
        if($i >= 3){

            #
            # Reject
            #

            &Reject_Mail("yes");
        }
    }

    #
    # Accept some subject lines
    #

    for my $criteria (keys %goodsubjects) {
        next unless $SUBJECT =~ /$criteria/i;
        &Reject_Mail("no");
    }

    #
    # Accept emails to/from these addresses
    #

    for my $criteria (keys %goodaddresses) {
        next unless ($TO =~ /$criteria/i) or ($CC =~ /$criteria/i) or
                    ($FROM =~ /$criteria/i);
        &Reject_Mail("no");
    }

    #
    # Reject everything else
    #

    &Reject_Mail("yes");
}

sub Strip_Record{

    my $record = shift(@_);

    #
    # Split out the fields in the record and strip out
    # leading/trailing white space
    #

    chomp $record;
    my @fields = split(/\:/, $record);
    # Blank or malformed lines have no second field; return an empty
    # value/type pair so the callers' type tests simply fall through.
    return ("", "") unless defined $fields[1];
    $fields[0] =~ s/^\s*(.*?)\s*$/$1/;
    $fields[1] =~ s/^\s*(.*?)\s*$/$1/;

    #
    # Return the subjects
    #
    if ($fields[0] =~ /^subject$/i){
        return ($fields[1], "subject");
    }

    #
    # Return the addresses
    #
    elsif ($fields[0] =~ /^address$/i){
        if ($fields[1] =~ /\@/){
            my ($person, $domain) = split(/\@/, $fields[1]);
            return ($person . "\@" . $domain, "address");
        }
        else{
            return ($fields[1], "address");
        }
    }

    #
    # Return the repeat addresses
    #
    elsif ($fields[0] =~ /^repeataddress$/i){
        if ($fields[1] =~ /\@/){
            my ($person, $domain) = split(/\@/, $fields[1]);
            return ($person . "\@" . $domain, "repeataddress");
        }
        else{
            return ($fields[1], "repeataddress");
        }
    }

    # Unknown record type
    return ("", "");
}

sub Reject_Mail {

    my $ok = shift(@_);

    open (LOG, ">> $INBOX_LOG")
        or die "Cannot open $INBOX_LOG: $!";

    #
    # Log message receipt to file
    #

    if ($ok =~ /yes/i){

        print LOG "REJECT $DATE To: $TO From: $FROM Subject: $SUBJECT\n";
        $ITEM->reject;
    }
    else{

        print LOG "ACCEPT $DATE To: $TO From: $FROM Subject: $SUBJECT\n";
        $ITEM->accept;
    }

    close(LOG);
    exit;
}

http://www.linux.com/feature/39643

Track those sent emails

Sometimes it may be necessary to track the email messages that make their way across your system, for example when you have noticed an increase in email abuse, either internal or external, and forwarding a copy of each message to an administrator would be desirable. With the always_bcc parameter, a blind carbon copy of each message is delivered to an administrative user of your choice. Since that user will be getting a lot of messages, it makes sense to create a temporary account for the purpose. Tracking and logging messages in this way can be quite a daunting task.

Here's how you do it. Edit your main.cf file and add the following line:

always_bcc=adminuser@yourdomain.dom

The adminuser is the account you created to receive a copy of all this email. To activate the feature, reload Postfix; from then on that user receives a copy of every email that goes across the system:

postfix reload

Postfix via Webmin

Webmin provides extensive configuration options for Postfix, and you should certainly familiarize yourself with it. Webmin provides multiple modules to administer everything, including dealing with messages in the current mail queue, client and server restrictions, logging, and a whole lot more. You'll find Postfix configuration under Servers in Webmin, or you can just jump to it by entering the URL in your browser's location bar like this:

http://your_server:10000/postfix/index.cgi
===================================================================
You have user1 in your domain domain.tld, but you need to know about, or back up, all the emails that user1@domain.tld sends.

Postfix has the solution. In /etc/postfix/main.cf add:

sender_bcc_maps = hash:/etc/postfix/sender_bcc

Then edit or create /etc/postfix/sender_bcc in the following format:

user1@domain.tld copy@domain.tld

and run postmap /etc/postfix/sender_bcc followed by postfix reload.

Postfix version must be at least 2.1.
====================================================================

Start with the amavisd-new example:

smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes

127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o smtpd_milters=
-o local_header_rewrite_clients=
-o local_recipient_maps=
-o relay_recipient_maps=
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Until you gain more understanding, place this in main.cf:

content_filter = smtp-amavis:[127.0.0.1]:10024

I would also suggest disabling content_filter for the pickup daemon
(so mail from the machine itself is not scanned):

pickup fifo n - - 60 1 pickup
-o content_filter=

Working Mailserver. Postfix, Fetchmail, Procmail, Dovecot

To clarify the aim of this project, I was trying to set up a mailserver which will retrieve my emails from the ISP and then distribute them locally according to the name in the To: header. My ISP allows me to use several "aliases", therefore mail for me has stephen.young@ISP.com and mail for my wife has barbara.young@ISP.com in the To: header even though my account is fred.young@ISP.com. This little project turned out to be very difficult because the configuration information for the various components was scattered about and there is also a lot of wrong configuration info out there. After a few days googling I managed to get the server to filter Barbara's emails and put them in a directory that was reachable by her Outlook client. I used Postfix, Fetchmail, Procmail and Dovecot to make this work.
Postfix: This was the easiest part, I installed Postfix, added the line home_mailbox = Maildir/ in /etc/postfix/main.cf to make postfix use Maildir as opposed to Mbox and added the LAN address to “mydestination” and it just worked. Here is my Postfix config file.

# appending .domain is the MUA's job.
append_dot_mydomain = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost.localdomain, localhost
relayhost = smtp.isp.com
mynetworks = 127.0.0.0/8, 192.168.0.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
inet_protocols = all

Fetchmail: I added lines to .fetchmailrc make fetchmail send its output to Procmail. The .fetchmailrc resides in my $HOME directory, here is a copy.

server pop.isp.com
proto pop3
user fred.smith
password nottelling
mda 'procmail -f-'
mda “/usr/bin/procmail -d %s” # tell fetchmail which MDA to use

Procmail: The .procmailrc file also lives in my $HOME directory. There are two important points here:
1) Don't forget the trailing "/" in the directory names, as it informs Procmail to use Maildir format.
2) The UMASK=007 is essential in order to make the moved mails readable by the group. Procmail automatically makes the owner the user using Procmail and sets the permission to owner only! The .procmailrc is here.

UMASK=007
PATH=/usr/bin:/usr/local/bin
MAILDIR=$HOME/Maildir/
DEFAULT=$HOME/Maildir/steve/
LOGFILE=$HOME/procmail.log
SHELL=/bin/sh
# Put mail for barbara into mailbox barbara
:0:
* ^To:.*barbara.young
/home/barbara/Maildir/barbara/

Dovecot: There is some good information at the Dovecot WiKi http://wiki.dovecot.org/ but unfortunately it is hard to find as the site seems more interested in showing you how to use a Wiki than making it easy to navigate through the Dovecot information. In the Dovecot configuration file /etc/dovecot/dovecot.conf make sure that:
1) listen = * or the IP address of your LAN, i.e. "listen = 192.168.0.0/24, localhost".
2) ssl_disable = yes at least for the setup phase. I intend to set up SSL etc. now that I have everything working, but getting it working was my first priority. Here is the configuration file.

protocols = pop3 pop3s
listen = *
ssl_disable = yes
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_extra_groups = steve
default_mail_env = maildir:/home/%u/Maildir/%u
protocol pop3 {
login_executable = /usr/lib/dovecot/pop3-login
mail_executable = /usr/lib/dovecot/pop3
pop3_enable_last = no
pop3_uidl_format = %08Xu%08Xv
}
auth default {
mechanisms = plain
passdb pam {
}
userdb passwd {
}
user = root
}
plugin {
}

Now it’s working but I will have to study the SSL features to make it really safe.

MRTG for postfix
perl -MCPAN -e shell; 
cpan> install File::Tail

http://taz.net.au/postfix/mrtg/

NOTE: This hack needs the File::Tail perl module by Matija Grabnar.
Download it from CPAN and install it first.
See 'man CPAN' for more info about installing CPAN modules.

DOWNLOAD
--------
You need to download the following three scripts:

update-mailstats.pl
mailstats.pl
mrtg-mailstats.pl

save them all in /usr/local/bin and make them executable.

if you save them in a different directory then you will have to edit the
following line in mrtg-mailstats.pl:

	$mailstats = "/usr/local/bin/mailstats.pl" ;

HOWTO
-----

1. run the update-mailstats.pl program in the background like so:

	update-mailstats.pl &

(you probably want to write a wrapper script to restart it in case it
ever gets killed.)

this updates a file called /tmp/stats.db (adjust to suit your needs)
with the inbound and outbound mail stats.

the logic of this script is extremely simple (and probably far from
perfect):

if the line contains "status=sent" then figure out the transport from
the "relay=" part of the line. if relay= contains "[" then assume it's
an IP address, and transport is smtp. otherwise, transport is whatever
the "relay=" bit says.

if line contains "smtpd.*client=" then we've received a message via
smtp. if line contains "pickup.*(sender|uid)=" then we've received a
message from a local user.

very simple, mostly works. i'm sure there are cases which it doesn't
catch.  if you can improve it, let me know.

to tell the truth, it doesn't matter if it's 100% accurate or not.
the point is to give a pretty graph of some meaningless numbers to
management types. they love it :)

2. if you want to see the raw data, use the mailstats.pl script:

	$ mailstats.pl
	RECEIVED:local 162
	RECEIVED:smtp 4253
	SENT:local 4101
	SENT:smtp 5118

3. add lines like the following to your mrtg.cfg:

	#---------------------------------------------------------------#
	# MRTG mail cfg:  Postfix mailstats plotting with MRTG          #
	#---------------------------------------------------------------#
	Target[postfix]: `/usr/local/bin/mrtg-mailstats.pl`
	Options[postfix]: gauge, growright
	Title[postfix]: Postfix Statistics
	PageTop[postfix]: <H1>Postfix Statistics</H1>
	WithPeak[postfix]: dwmy
	YLegend[postfix]: No. of messages
	ShortLegend[postfix]: messages
	LegendI[postfix]: &nbsp;Incoming:
	LegendO[postfix]: &nbsp;Outgoing:
	#---------------------------------------------------------------#

this runs the mrtg-mailstats.pl programs which totals the RECEIVED and
SENT lines output by mailstats.pl and then outputs it in a form
suitable for MRTG. it keeps the previous RECEIVED and SENT counts in
/tmp/mailstats.old
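The classification rules that step 1 describes for update-mailstats.pl, and the RECEIVED:/SENT: totals that mailstats.pl prints in step 2, as an added example that is not part of the taz.net.au scripts: it applies the same four rules to a handful of constructed Postfix log lines (not captured from a real server) and shows which lines each rule does and does not count.

```python
import re
from collections import Counter

# Constructed Postfix log lines (not captured from a real server), one per
# case the README's rules distinguish, plus a deferred delivery they ignore.
SAMPLE_LOG = """\
Jan  5 10:00:01 mail postfix/smtpd[1234]: 3F2A1: client=host.example.net[203.0.113.5]
Jan  5 10:00:02 mail postfix/pickup[1235]: 7B3C2: uid=1000 from=<alice>
Jan  5 10:00:03 mail postfix/smtp[1236]: 3F2A1: to=<bob@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, status=sent (250 OK)
Jan  5 10:00:04 mail postfix/local[1237]: 7B3C2: to=<carol@mail>, relay=local, delay=0.1, status=sent (delivered to maildir)
Jan  5 10:00:05 mail postfix/smtp[1238]: 9C4D3: to=<dave@example.org>, relay=none, delay=30, status=deferred (connect timed out)
Jan  5 10:00:06 mail postfix/pipe[1239]: 1E5F4: to=<erin@mail>, relay=procmail, delay=0.2, status=sent (delivered via procmail service)
"""

SENT_RE = re.compile(r'status=sent')
RELAY_RE = re.compile(r'relay=([^,\s]+)')
RECV_SMTP_RE = re.compile(r'smtpd.*client=')
RECV_LOCAL_RE = re.compile(r'pickup.*(sender|uid)=')

def classify(line):
    """Map one log line to 'SENT:<transport>', 'RECEIVED:<source>' or None."""
    if SENT_RE.search(line):
        m = RELAY_RE.search(line)
        if not m:
            return None
        relay = m.group(1)
        # A bracketed relay is host[ip]:port, so the message left by SMTP;
        # otherwise the relay field names the transport (local, procmail, ...).
        transport = 'smtp' if '[' in relay else relay
        return 'SENT:' + transport
    if RECV_SMTP_RE.search(line):
        return 'RECEIVED:smtp'
    if RECV_LOCAL_RE.search(line):
        return 'RECEIVED:local'
    # Deferred, bounced and queue-manager lines are not counted at all.
    return None

def mailstats(log_text):
    """Count classified lines; returns e.g. {'RECEIVED:smtp': 1, ...}."""
    counts = Counter()
    for line in log_text.splitlines():
        key = classify(line)
        if key:
            counts[key] += 1
    return dict(counts)

def format_mailstats(counts):
    # Same 'KEY count' lines that mailstats.pl prints in step 2.
    return '\n'.join(f'{key} {n}' for key, n in sorted(counts.items()))
```

Because a deferred message is never counted and a message bounced locally is counted as SENT:local, the totals are an activity indicator, not an audit trail, which is exactly the caveat the README makes.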

Some useful links

http://www.postfix.org/STANDARD_CONFIGURATION_README.html

http://www.howtoforge.com/fedora-8-server-lamp-email-dns-ftp-ispconfig-p6

http://www.akadia.com/services/postfix_mta.html
