Configuration notes: Postfix edition

The contents have changed a great deal since the SMTP server configuration notes I wrote earlier, so I am leaving a fresh set here.

At present the setup is the combination

postfix + amavisd-new + clamav + spamassassin + courier-imap & courier-pop

with the pop-before-smtp package providing POP-before-SMTP and IMAP-before-SMTP.


List of installed packages

courier-*, amavis-stats, couriergraph and so on were basically just installed and left as they are. For pop-before-smtp, see this entry.

eswat2:/var/log# dpkg -l postfix* amavis* *clam* *spam* *courier* *pop* | grep -e ^ii
ii  postfix        2.1.4-5        A high-performance mail transport agent
ii  postfix-doc    2.1.4-5        Postfix documentation
ii  postfix-pcre   2.1.4-5        PCRE map support for Postfix
ii  amavis-stats   0.1.12-5       Virus statistics RRDtool frontend for Amavis
ii  amavisd-new    20030616p10-4  Interface between MTA and virus scanner/cont
ii  clamav         0.75.1-4       Antivirus scanner for Unix
ii  spamassassin   3.0.0-1        Perl-based spam filter using text analysis
ii  spamc          3.0.0-1        Client for SpamAssassin spam filtering daemo
ii  courier-authda 0.47-1         Courier Mail Server - Authentication daemon
ii  courier-base   0.47-1         Courier Mail Server - Base system
ii  courier-doc    0.47-1         Courier Mail Server - Additional documentati
ii  courier-imap   3.0.8-1        Courier Mail Server - IMAP server
ii  courier-imap-s 3.0.8-1        Courier Mail Server - IMAP over SSL
ii  courier-pop    0.47-1         Courier Mail Server - POP3 server
ii  courier-pop-ss 0.47-1         Courier Mail Server - POP3 over SSL
ii  courier-ssl    0.47-1         Courier Mail Server - SSL/TLS Support
ii  courier-webadm 0.47-1         Courier Mail Server - Web-based administrati
ii  couriergraph   0.23-2         Mail statistics RRDtool frontend for Courier
ii  pop-before-smt 1.31-2         watch log for pop/imap auth, notify Postfix

postfix

From main.cf (the output of postconf -n).

alias_database =
  hash:/etc/aliases
  hash:/var/spool/ml/etc/aliases
alias_maps =
  hash:/etc/aliases
  hash:/var/spool/ml/etc/aliases
allow_mail_to_commands = alias,forward,include
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination = $myhostname  localhost.$mydomain  $mydomain  localhost
mydomain = downtown.jp
myhostname = eswat2.downtown.jp
mynetworks = 127.0.0.0/8  192.168.0.0/24  218.219.149.232/29
myorigin = $mydomain
notify_classes = bounce
recipient_delimiter = +
relay_domains = $mydestination  katsushika.org
relayhost =
smtpd_client_restrictions =
  permit_mynetworks
  permit_mx_backup
  reject_rbl_client relays.ordb.org
  reject_rbl_client rbl.maps.vix.com
  reject_rbl_client dul.maps.vix.com
  reject_rbl_client relays.mail-abuse.org
  reject_rbl_client spamips.shub-inter.net
  reject_rhsbl_client relays.mail-abuse.org
  reject_rhsbl_client spamips.shub-inter.net
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unauth_pipelining
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  reject_unknown_client
  permit
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_non_fqdn_recipient
  check_client_access hash:/var/lib/pop-before-smtp/hosts
  check_relay_domains
smtpd_sender_restrictions =
  permit_mynetworks
  permit_mx_backup
  reject_non_fqdn_sender
  reject_non_fqdn_hostname
  reject_unlisted_sender
  reject_unknown_sender_domain
  reject_rhsbl_sender relays.mail-abuse.org
  reject_rhsbl_sender spamips.shub-inter.net
  permit
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtual
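The POP/IMAP-before-SMTP scheme described at the top of the page and the smtpd_recipient_restrictions list above work together: the pop-before-smtp daemon watches the mail log for Courier logins and writes the client IPs into the hash map that check_client_access consults, and Postfix walks the restriction list in order until something permits or rejects. The following is an added example that models both steps; it is not code from the pop-before-smtp package or from Postfix. The Courier LOGIN line format, the 30-minute grace period, the clock value, the sample log lines and the client and recipient addresses are all constructed assumptions for the illustration; the network and domain values are copied from the main.cf above.

```python
"""Added example (not pop-before-smtp's or Postfix's own code): model the
log-watching POP/IMAP-before-SMTP scheme and the order in which the
smtpd_recipient_restrictions list from main.cf decides relaying."""
import ipaddress
import re
from datetime import datetime, timedelta

GRACE = timedelta(minutes=30)                      # assumed expiry window
NOW = datetime(2004, 10, 15, 11, 0, 0)             # assumed clock for the sample

# Values copied from the main.cf on this page.
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "192.168.0.0/24", "218.219.149.232/29")]
MYDESTINATION = {"eswat2.downtown.jp", "localhost.downtown.jp",
                 "downtown.jp", "localhost"}
RELAY_DOMAINS = MYDESTINATION | {"katsushika.org"}

# Courier-style "LOGIN" lines as they appear in the mail log (constructed).
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:imapd|pop3d)(?:-ssl)?: "
    r"LOGIN, user=(?P<user>\S+), ip=\[(?P<ip>[0-9a-fA-F.:]+)\]")

SAMPLE_LOG = [
    "Oct 15 10:58:01 eswat2 imapd-ssl: LOGIN, user=alice, ip=[::ffff:203.0.113.7]",
    "Oct 15 10:20:15 eswat2 pop3d: LOGIN, user=bob, ip=[::ffff:198.51.100.9]",
    "Oct 15 10:59:30 eswat2 imapd-ssl: LOGOUT, user=alice, ip=[::ffff:203.0.113.7], headers=0, body=0",
]

def parse_logins(lines, year=2004):
    """Map client IP -> time of its most recent successful POP/IMAP login."""
    seen = {}
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue                                # LOGOUT, failures, etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"].removeprefix("::ffff:")        # Courier logs IPv4 as ::ffff:a.b.c.d
        seen[ip] = max(ts, seen.get(ip, ts))
    return seen

def access_map(logins, now):
    """Entries still inside GRACE, as the key/value pairs postmap(1) would
    hash into /var/lib/pop-before-smtp/hosts ("OK" is what
    check_client_access needs to see)."""
    return {ip: "OK" for ip, t in logins.items() if now - t <= GRACE}

def sample_hosts():
    """The hosts map the sample log yields at NOW."""
    return access_map(parse_logins(SAMPLE_LOG), NOW)

def recipient_decision(client_ip, recipient, hosts_map):
    """Walk the smtpd_recipient_restrictions list from main.cf in order;
    the first restriction that permits or rejects wins, as in Postfix."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):
        return "permit_mynetworks"
    local, _, domain = recipient.rpartition("@")
    if not local or "." not in domain:
        return "reject_non_fqdn_recipient"
    if hosts_map.get(client_ip) == "OK":
        return "permit: check_client_access hash:/var/lib/pop-before-smtp/hosts"
    # check_relay_domains, recipient-domain half only (the client-hostname
    # half is not modelled here): relay_domains and their subdomains.
    if domain in RELAY_DOMAINS or any(domain.endswith("." + d) for d in RELAY_DOMAINS):
        return "permit: check_relay_domains"
    return "reject: check_relay_domains (relay access denied)"

if __name__ == "__main__":
    hosts = sample_hosts()
    print("hosts map:", hosts)
    for client, rcpt in (("203.0.113.7", "friend@example.org"),
                         ("198.51.100.9", "friend@example.org"),
                         ("198.51.100.9", "postmaster@katsushika.org")):
        print(client, rcpt, "->", recipient_decision(client, rcpt, hosts))
```

In the sample, alice logged in two minutes before NOW and may relay anywhere; bob's login is older than the grace period, so his host is only accepted for recipients in relay_domains. The grant is keyed on client IP alone, which is the usual caveat of this scheme: every machine behind the same NAT address inherits the relay right for the grace period.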

In master.cf, only the part that calls amavisd-new.

--- master.cf.dpkg-dist 2004-05-31 11:46:16.000000000 +0900
+++ master.cf   2004-10-15 10:59:37.000000000 +0900
@@ -130,3 +130,17 @@
 #tlsmgr          fifo  -       -       n       300     1       tlsmgr
 #smtps   inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
 #587     inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
+
+#      *****   amavisd-new
+smtp-amavis    unix    -       -       n       -       8       smtp
+    -o smtp_data_done_timeout=1200
+    -o disable_dns_lookups=yes
+
+127.0.0.1:10025        inet    n       -       n       -       -       smtpd
+    -o content_filter=
+    -o local_recipient_maps=
+    -o smtpd_helo_restrictions=
+    -o smtpd_client_restrictions=
+    -o smtpd_sender_restrictions=
+    -o smtpd_recipient_restrictions=permit_mynetworks,reject
+    -o mynetworks=127.0.0.0/8
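Review bot: the reinjection listener is kept off the network by the explicit 127.0.0.1:10025 bind, and `-o mynetworks=127.0.0.0/8` together with `-o smtpd_recipient_restrictions=permit_mynetworks,reject` keeps it that way even if the bind is ever loosened; without the override, main.cf's mynetworks (192.168.0.0/24 and 218.219.149.232/29) would be what `permit_mynetworks` matches, and a LAN host could hand unscanned mail to the post-filter port. Keep `-o content_filter=` on that listener as well, since it is what stops reinjected mail from being sent back to smtp-amavis in a loop. One addition worth considering here is `-o receive_override_options=no_address_mappings` (Postfix 2.1 and later), so the virtual_alias_maps from main.cf is not applied a second time on reinjection.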

amavisd-new

The changes are the bare minimum needed.

--- amavisd.conf.orig   2004-08-03 02:08:29.000000000 +0900
+++ amavisd.conf        2004-09-30 14:03:55.000000000 +0900
@@ -2,7 +2,7 @@
 # Configuration file for amavisd-new
 # Defaults modified for the Debian amavisd-new package
-# $Id: amavisd.conf,v 1.27 2004/07/31 19:43:41 hmh Exp $
+# $Id: amavisd.conf,v 1.26 2004/07/05 15:15:02 hmh Exp $
 #
 # This software is licensed under the GNU General Public License (GPL).
 # See comments at the start of amavisd-new for the whole license text.
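Review bot: the $Id line goes backwards in this hunk (1.27 in the .orig, 1.26 in the edited file), which means the working amavisd.conf was edited from an older Debian revision than the one the diff is taken against; the locale comment hunk further down ("en_US, pt_BR, de_DE, it_IT" replaced by "en_US, pt_BR") is the same regression. Any default that changed between 1.26 and 1.27 is silently lost this way. Re-apply the intended edits to the currently shipped file instead of keeping the old copy.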
@@ -63,7 +63,7 @@
 # $mydomain serves as a quick default for some other configuration settings.
 # More refined control is available with each individual setting further down.
 # $mydomain is never used directly by the program.
-$mydomain = 'example.com';      # (no useful default)
+$mydomain = 'downtown.jp';      # (no useful default)
 # $myhostname = 'host.example.com';  # fqdn of this host, default by uname(3)
@@ -137,8 +137,8 @@
 # feeding amavisd, e.g. with Postfix the 'Max procs' field in the
 # master.cf file, like the '2' in the:  smtp-amavis unix - - n - 2 smtp
 #
-$max_servers  =  2;   # number of pre-forked children          (default 2)
-$max_requests = 10;   # retire a child after that many accepts (default 10)
+$max_servers  =  8;   # number of pre-forked children          (default 2)
+$max_requests = 32;   # retire a child after that many accepts (default 10)
 $child_timeout=5*60;  # abort child if it does not complete each task in n sec
                       # (default: 8*60 seconds)
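Review bot: `$max_servers = 8` matches the 8 in the Max procs field of the smtp-amavis entry in the master.cf diff above, which is exactly the pairing the context comment asks for; if one is raised later, raise both, otherwise Postfix opens more connections than amavisd has children to answer. `$max_requests = 32` only changes how often a child is recycled and has no bearing on that pairing.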
@@ -158,7 +158,7 @@
 #
 # Any setting can be changed with a new assignment, so make sure
 # you do not unintentionally override these settings further down!
-@bypass_spam_checks_acl  = qw( . );    # No default dependency on spamassassin
+#@bypass_spam_checks_acl  = qw( . );    # No default dependency on spamassassin
 # Lookup list of local domains (see README.lookups for syntax details)
 #
@@ -210,7 +210,7 @@
 #
 # These are logged at level 3, so enable logging until you know you got it
 # right.
-$relayhost_is_client = 0;         # (defaults to false)
+$relayhost_is_client = 1;         # (defaults to false)
 $insert_received_line = 1;        # behave like MTA: insert 'Received:' header
                                  # (does not apply to sendmail/milter)
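Review bot: the context comment says the effect of `$relayhost_is_client` is only logged at level 3, but the hunk further down sets `$log_level = 2`, so the log will never show whether flipping it to 1 does what is intended. Run with `$log_level = 3` (or `amavisd debug`) until the Received: line that `$insert_received_line = 1` adds looks right, then lower it again.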
@@ -288,7 +288,7 @@
 # 3: server, client
 # 4: decompose parts
 # 5: more debug details
-#$log_level = 2;               # (defaults to 0)
+$log_level = 2;                # (defaults to 0)
 # Customizable template for the most interesting log file entry (e.g. with
 # $log_level=0) (take care to properly quote Perl special characters like '\')
@@ -339,7 +339,7 @@
 #
 #   read_l10n_templates('/etc/amavis/en_US');
 #
-# Debian available locales: en_US, pt_BR, de_DE, it_IT
+# Debian available locales: en_US, pt_BR
 read_l10n_templates('en_US', '/etc/amavis');
@@ -1102,7 +1102,7 @@
 # that require internet access will be performed.
 #
 $sa_local_tests_only = 1;   # (default: false)
-#$sa_auto_whitelist = 1;    # turn on AWL (default: false)
+$sa_auto_whitelist = 1;     # turn on AWL (default: false)
 # Timout for SpamAssassin. This is only used if spamassassin does NOT
 # override it (which it often does if sa_local_tests_only is not true)
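Review bot: `$sa_auto_whitelist = 1` makes SpamAssassin keep a per-sender score history in its auto-whitelist database under the amavis user's SpamAssassin directory (the page later puts user_prefs in /var/lib/amavis/.spamassassin/), so that directory must be writable by the amavis user and belongs in backups alongside the Bayes DB. The same setting also appears, commented out, in the context of the next hunk (`# $sa_auto_whitelist = 1;`); harmless, but one copy is enough.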
@@ -1112,7 +1112,7 @@
 # AWL (auto whitelisting), requires spamassassin 2.44 or better
 # $sa_auto_whitelist = 1;   # defaults to undef
-$sa_mail_body_size_limit = 150*1024;  # don't waste time on SA is mail is larger
+#$sa_mail_body_size_limit = 150*1024;  # don't waste time on SA is mail is larger
                            # (less than 1% of spam is > 64k)
                            # default: undef, no limitations
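Review bot: commenting out `$sa_mail_body_size_limit` removes the 150 KB cap, so every message up to main.cf's `message_size_limit = 20480000` (20 MB) now goes through SpamAssassin in full, while the context comment itself notes that less than 1% of spam is over 64 KB. That buys almost no detection for a large CPU cost per big message, and `$child_timeout = 5*60` from the earlier hunk is the only thing bounding it. Keep a limit (the original 150*1024, or a modestly larger one) rather than disabling it.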
@@ -1501,7 +1501,7 @@
 #$keep_decoded_original_re = new_RE( qr/.*/ );
 # Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
-#$sa_debug = 1;            # defaults to false
+$sa_debug = 1;            # defaults to false
 #-------------
 1;  # insure a defined return
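Review bot: `$sa_debug = 1` should not stay enabled in the running configuration; the context comment says it sends SpamAssassin debug output to STDERR and is meant for use with `amavisd debug`. In daemon mode it only bloats a log that is already at `$log_level = 2` for every message. Restore the commented default once the setup is verified.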

spamassassin

Almost the default state is fine.
To have the checks applied system-wide, put a user_prefs like the one below in /var/lib/amavis/.spamassassin/, the home directory of user amavis, and scoring will be done with it. (Read parameters such as whitelist_from as placeholders to adapt to your own network.)
The Bayes DB for spam scoring has also been built with the sa-learn command as user amavis.

# SpamAssassin user preferences file.  See 'perldoc Mail::SpamAssassin::Conf'
# for details of what can be tweaked.
###########################################################################
# How many hits before a mail is considered spam.
required_hits           7.5
# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# whitelist_from        someone@somewhere.com
# Add your own customised scores for some tests below.  The default scores are
# read from the installed spamassassin rules files, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.org/tests.html .
#
# score SYMBOLIC_TEST_NAME n.nn
# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
# definitely want to uncomment the following lines.  They will switch off some
# rules that detect 8-bit characters, which commonly trigger on mails using CJK
# character sets, or that assume a western-style charset is in use.
#
# score HEADER_8BITS            0
# score HTML_COMMENT_8BITS      0
# score SUBJ_FULL_OF_8BITS      0
# score UPPERCASE_25_50         0
# score UPPERCASE_50_75         0
# score UPPERCASE_75_100        0
# Hosts whose Received: headers are believed (trusted) and hosts on the inside
# of the MX boundary (internal); internal_networks must be a subset of trusted_networks.
trusted_networks 127/8 192.168.0/24
internal_networks 192.168.0/24
whitelist_from logcheck@downtown.jp
whitelist_to root@downtown.jp
#*****
blacklist_from delivery@hosyou-b.mine.nu tomio@tkeiba.net
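A misspelled directive in user_prefs (internel_networks instead of internal_networks, as originally appeared in the file above) is silently ignored by SpamAssassin unless you lint the file, and the whitelist_from/blacklist_from entries are matched as file-glob patterns, as the file's own comment says. The following is an added example, not SpamAssassin's code, that lints a fragment like this one, shows the glob semantics, expands SpamAssassin's shortened CIDR forms such as 127/8, and checks that internal_networks is covered by trusted_networks. KNOWN_DIRECTIVES is a deliberately small subset chosen for this page, and the sample addresses are constructed.

```python
"""Added example (not SpamAssassin's own code): lint a user_prefs fragment,
apply its whitelist_from/blacklist_from globs, and check the
trusted_networks/internal_networks relationship."""
import fnmatch
import ipaddress

# Assumption: only the directives this page's user_prefs uses, not the full set.
KNOWN_DIRECTIVES = {
    "required_hits", "required_score", "score", "whitelist_from",
    "whitelist_to", "blacklist_from", "trusted_networks", "internal_networks",
}

# The directive lines of the user_prefs above, including the original misspelling.
SAMPLE_PREFS = """\
required_hits           7.5
# score HEADER_8BITS            0
trusted_networks 127/8 192.168.0/24
internel_networks 192.168.0/24
whitelist_from logcheck@downtown.jp
whitelist_to root@downtown.jp
blacklist_from delivery@hosyou-b.mine.nu tomio@tkeiba.net
"""

def parse_prefs(text):
    """Return ([(directive, [values]) ...], [unknown directive names])."""
    entries, unknown = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blanks
        if not line:
            continue
        name, *values = line.split()
        if name in KNOWN_DIRECTIVES:
            entries.append((name, values))
        else:
            unknown.append(name)
    return entries, unknown

def sender_lists(entries):
    """Whitelist and blacklist glob patterns, lower-cased like the addresses."""
    white = [v.lower() for n, vals in entries if n == "whitelist_from" for v in vals]
    black = [v.lower() for n, vals in entries if n == "blacklist_from" for v in vals]
    return white, black

def classify_sender(addr, white, black):
    """Glob match as the user_prefs comment describes ('*@isp.com',
    '*.domain.net'); both lists are checked independently, since SpamAssassin
    scores USER_IN_WHITELIST and USER_IN_BLACKLIST as separate rules."""
    addr = addr.lower()
    in_w = any(fnmatch.fnmatchcase(addr, p) for p in white)
    in_b = any(fnmatch.fnmatchcase(addr, p) for p in black)
    return {(True, True): "both", (True, False): "whitelisted",
            (False, True): "blacklisted"}.get((in_w, in_b), "neutral")

def expand_cidr(spec):
    """SpamAssassin accepts shortened CIDR like 127/8 or 192.168.0/24; pad to
    four octets so ipaddress can parse it."""
    addr, _, bits = spec.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"), strict=False)

def network_report(entries):
    """internal_networks must be a subset of trusted_networks; return the
    expanded lists and any internal network that is not covered."""
    trusted = [expand_cidr(v) for n, vals in entries if n == "trusted_networks" for v in vals]
    internal = [expand_cidr(v) for n, vals in entries if n == "internal_networks" for v in vals]
    uncovered = [str(i) for i in internal if not any(i.subnet_of(t) for t in trusted)]
    return trusted, internal, uncovered

if __name__ == "__main__":
    entries, unknown = parse_prefs(SAMPLE_PREFS)
    print("unknown directives:", unknown)           # catches the misspelling
    white, black = sender_lists(entries)
    for a in ("logcheck@downtown.jp", "tomio@tkeiba.net", "someone@example.org"):
        print(a, "->", classify_sender(a, white, black))
```

The real check for the misspelling is `spamassassin --lint` run as the amavis user, which reads the same user_prefs amavisd will use and reports directives it does not recognise; the example only shows why that matters. Note that exact addresses in blacklist_from match only themselves: other@tkeiba.net is not blacklisted unless the pattern is widened to *@tkeiba.net.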
