Configuration notes: Postfix and friends

My notes on the SMTP server configuration had become far too stale, so here is yet another updated version.

At the moment the server is running with the following combination:

postfix + amavisd-new + clamav + spamassassin + courier-imap & courier-pop + pop-before-smtp


Installed packages

courier-*, couriergraph and so on are basically installed and left as they came. For pop-before-smtp, see the separate entry on it.

eswat2:~# dpkg -l postfix* amavis* *clam* *spam* *courier* *pop* | grep -e ^ii
ii  clamav                           0.88.1-1       antivirus scanner for Unix
ii  clamav-base                      0.88.1-1       base package for clamav, an anti-virus utili
ii  clamav-daemon                    0.88.1-1       antivirus scanner daemon
ii  clamav-docs                      0.88.1-1       documentation package for clamav, an anti-vi
ii  clamav-freshclam                 0.88.1-1       downloads clamav virus databases from the In
ii  clamav-testfiles                 0.88.1-1       use these files to test that your Antivirus
ii  courier-authdaemon               0.47-13        Courier Mail Server - Authentication daemon
ii  courier-base                     0.47-13        Courier Mail Server - Base system
ii  courier-doc                      0.47-13        Courier Mail Server - Additional documentati
ii  courier-imap                     3.0.8-13       Courier Mail Server - IMAP server
ii  courier-pop                      0.47-13        Courier Mail Server - POP3 server
ii  libclamav1                       0.88.1-1       virus scanner library
ii  libdspam7                        3.6.4-3        DSPAM is a scalable and statistical anti-spa
ii  libmail-pop3client-perl          2.17-1         POP3 client module for perl
ii  pop-before-smtp                  1.36-2         watch log for POP/IMAP auth, notify MTA to a
ii  postfix                          2.2.10-1       A high-performance mail transport agent
ii  postfix-doc                      2.2.10-1       Postfix documentation
ii  postfix-pcre                     2.2.10-1       PCRE map support for Postfix
ii  spamassassin                     3.1.0a-2       Perl-based spam filter using text analysis
ii  spamc                            3.1.0a-2       Client for SpamAssassin spam filtering daemo

postfix

From main.cf (output of postconf -n). Note that the DNSBL zones listed under smtpd_client_restrictions are the ones that existed when this was written; relays.ordb.org and the vix.com MAPS zones have since been shut down, and a retired zone that starts answering every lookup positively rejects all incoming mail, so verify that each zone still operates before reusing this list.

alias_database =
  hash:/etc/aliases
  hash:/var/spool/ml/etc/aliases
alias_maps =
  hash:/etc/aliases
  hash:/var/spool/ml/etc/aliases
allow_mail_to_commands = alias,forward,include
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination = $myhostname  localhost.$mydomain  $mydomain  localhost
mydomain = downtown.jp
myhostname = eswat2.downtown.jp
mynetworks = 127.0.0.0/8  192.168.0.0/24  218.219.149.232/29
myorigin = $mydomain
notify_classes = bounce
recipient_delimiter = +
relay_domains = $mydestination  katsushika.org
relayhost =
smtpd_client_restrictions =
  permit_mynetworks
  permit_mx_backup
  reject_rbl_client relays.ordb.org
  reject_rbl_client rbl.maps.vix.com
  reject_rbl_client dul.maps.vix.com
  reject_rbl_client relays.mail-abuse.org
  reject_rbl_client spamips.shub-inter.net
  reject_rhsbl_client relays.mail-abuse.org
  reject_rhsbl_client spamips.shub-inter.net
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unauth_pipelining
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  reject_unknown_client
  permit
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_non_fqdn_recipient
  check_client_access hash:/var/lib/pop-before-smtp/hosts
  check_relay_domains
smtpd_sender_restrictions =
  permit_mynetworks
  permit_mx_backup
  reject_non_fqdn_sender
  reject_non_fqdn_hostname
  reject_unlisted_sender
  reject_unknown_sender_domain
  reject_rhsbl_sender relays.mail-abuse.org
  reject_rhsbl_sender spamips.shub-inter.net
  permit
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtual
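The part of this configuration that decides whether the box is an open relay is smtpd_recipient_restrictions: permit_mynetworks, then the pop-before-smtp access map, then check_relay_domains. The following is an added example, not code from this page or from Postfix: it models the handful of restrictions used here (and the permit_mynetworks,reject pair on the amavisd-new reinjection listener in master.cf) so that "would client X be allowed to send to recipient Y?" can be answered at the table without a live server. The network and domain values are copied from the postconf -n output; the client addresses and the pop-before-smtp map contents are made up.

```python
"""Table-top evaluation of the relay policy in the main.cf above.

Added example, not code from the page or from Postfix.  It models the few
smtpd restrictions this configuration relies on (permit_mynetworks,
check_client_access, reject_non_fqdn_recipient, check_relay_domains /
reject_unauth_destination, permit, reject) closely enough to answer
"would client X be allowed to send to recipient Y?" without a live server.
Simplifications: check_relay_domains is modelled by recipient domain only
(the real one also permits clients whose hostname is in $relay_domains), and
virtual_alias_domains is ignored because /etc/postfix/virtual is not shown.
"""
import ipaddress

# Values copied from the postconf -n output on this page.
MYDESTINATION = {"eswat2.downtown.jp", "localhost.downtown.jp", "downtown.jp", "localhost"}
RELAY_DOMAINS = MYDESTINATION | {"katsushika.org"}
MYNETWORKS = ("127.0.0.0/8", "192.168.0.0/24", "218.219.149.232/29")
RECIPIENT_RESTRICTIONS = [
    "permit_mynetworks",
    "reject_non_fqdn_recipient",
    "check_client_access hash:/var/lib/pop-before-smtp/hosts",
    "check_relay_domains",
]
# Same policy with the deprecated restriction replaced by its successor.
HARDENED = RECIPIENT_RESTRICTIONS[:-1] + ["reject_unauth_destination"]
# The 127.0.0.1:10025 reinjection listener from master.cf.
REINJECT_RESTRICTIONS = ["permit_mynetworks", "reject"]
REINJECT_MYNETWORKS = ("127.0.0.0/8",)
# Constructed stand-in for the pop-before-smtp hash map: client IP -> action.
POP_BEFORE_SMTP = {"203.0.113.7": "OK"}


def in_networks(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def domain_of(rcpt):
    return rcpt.rpartition("@")[2].lower().rstrip(".")


def is_fqdn(rcpt):
    # reject_non_fqdn_recipient: the domain part must be in FQDN form (contain a dot).
    return "." in domain_of(rcpt)


def authorized_destination(rcpt):
    # A domain we are the final destination or a relay for; subdomains of
    # $relay_domains count too (parent_domain_matches_subdomains default).
    d = domain_of(rcpt)
    return d in RELAY_DOMAINS or any(d.endswith("." + r) for r in RELAY_DOMAINS)


def evaluate(restrictions, client_ip, rcpt, mynetworks=MYNETWORKS, access_map=POP_BEFORE_SMTP):
    """Walk a restriction list as smtpd does: the first PERMIT or REJECT wins,
    DUNNO falls through, and running off the end of the list means PERMIT.
    Returns (decision, restriction that decided it)."""
    for r in restrictions:
        name = r.split()[0]
        if name == "permit_mynetworks":
            if in_networks(client_ip, mynetworks):
                return ("PERMIT", r)
        elif name == "check_client_access":
            action = access_map.get(client_ip, "")
            if action == "OK":
                return ("PERMIT", r)
            if action.startswith("REJECT"):
                return ("REJECT", r)
        elif name == "reject_non_fqdn_recipient":
            if not is_fqdn(rcpt):
                return ("REJECT", r)
        elif name == "reject_unauth_destination":
            if not authorized_destination(rcpt):
                return ("REJECT", r)
        elif name == "check_relay_domains":
            return ("PERMIT" if authorized_destination(rcpt) else "REJECT", r)
        elif name == "permit":
            return ("PERMIT", r)
        elif name == "reject":
            return ("REJECT", r)
        else:
            raise ValueError("restriction not modelled: " + r)
    return ("PERMIT", "end of list")


def lint(restrictions):
    """Static checks: Postfix 2.x refuses to start unless the recipient list
    contains one of these relay-stopping restrictions, and check_relay_domains
    is deprecated in favour of reject_unauth_destination."""
    names = {r.split()[0] for r in restrictions}
    problems = []
    if not names & {"reject_unauth_destination", "check_relay_domains", "reject", "defer", "defer_if_permit"}:
        problems.append("no relay-stopping restriction: smtpd will refuse to start")
    if "check_relay_domains" in names:
        problems.append("check_relay_domains is deprecated; use reject_unauth_destination")
    return problems


if __name__ == "__main__":
    # Made-up clients: an outside host, a LAN host, a host that just did POP.
    for ip, rcpt in [("198.51.100.9", "victim@example.net"), ("198.51.100.9", "user@downtown.jp"),
                     ("192.168.0.5", "victim@example.net"), ("203.0.113.7", "victim@example.net"),
                     ("198.51.100.9", "user@localhost")]:
        print(ip, rcpt, *evaluate(RECIPIENT_RESTRICTIONS, ip, rcpt))
    for problem in lint(RECIPIENT_RESTRICTIONS):
        print("lint:", problem)
```

The interesting property is that swapping check_relay_domains for reject_unauth_destination gives the same decision for every case, which is why Postfix deprecated the former: it only adds the hostname-based permit, which nobody wants. The order also matters: because check_client_access sits before the relay check, a pop-before-smtp entry grants relaying for that client, so the map's expiry (handled by the pop-before-smtp daemon) is what bounds that exposure.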

Of master.cf, only the part that hands mail to amavisd-new:

--- master.cf.dpkg-dist 2004-05-31 11:46:16.000000000 +0900
+++ master.cf   2004-10-15 10:59:37.000000000 +0900
@@ -130,3 +130,17 @@
 #tlsmgr          fifo  -       -       n       300     1       tlsmgr
 #smtps   inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
 #587     inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
+
+#      *****   amavisd-new
+smtp-amavis    unix    -       -       n       -       8       smtp
+    -o smtp_data_done_timeout=1200
+    -o disable_dns_lookups=yes
+
+127.0.0.1:10025        inet    n       -       n       -       -       smtpd
+    -o content_filter=
+    -o local_recipient_maps=
+    -o smtpd_helo_restrictions=
+    -o smtpd_client_restrictions=
+    -o smtpd_sender_restrictions=
+    -o smtpd_recipient_restrictions=permit_mynetworks,reject
+    -o mynetworks=127.0.0.0/8
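Review bot: the smtp-amavis entry allows 8 processes (the `8` in `smtp-amavis unix - - n - 8 smtp`) while 50-user later on this page limits amavisd-new to `$max_servers = 4`; Postfix can then open more connections to port 10024 than there are amavisd children to answer them, and the surplus ones sit in the listen backlog until a child frees up or smtp_data_done_timeout expires. Keep the master.cf limit at or below $max_servers. Consider also adding `-o smtp_send_xforward_command=yes` to that entry so amavisd-new receives the original client address instead of logging every message as coming from 127.0.0.1. The 127.0.0.1:10025 reinjection side is right: content_filter and the restriction lists are cleared, and `smtpd_recipient_restrictions=permit_mynetworks,reject` together with `mynetworks=127.0.0.0/8` keeps it from being reachable as a relay by anything other than the loopback.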

amavisd-new

Since the version bump to 3.1 the conf file has been split into pieces, and adjusting to that took a bit of fumbling. The files I touched are /etc/amavis/conf.d/15-content_filter_mode, /etc/amavis/conf.d/20-debian_defaults and /etc/amavis/conf.d/50-user.

eswat2:/etc/amavis/conf.d# diff -u 15-content_filter_mode~ 15-content_filter_mode
--- 15-content_filter_mode~     2006-01-25 02:12:20.000000000 +0900
+++ 15-content_filter_mode      2006-01-25 02:17:52.000000000 +0900
@@ -8,8 +8,8 @@
 # Uncomment the two lines below to enable it back
 #
-#@bypass_virus_checks_maps = (
-#   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
 #
@@ -17,7 +17,7 @@
 # Uncomment the two lines below to enable it back
 #
-#@bypass_spam_checks_maps = (
-#   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
 1;  # insure a defined return
eswat2:/etc/amavis/conf.d# diff -u 20-debian_defaults.dpkg-dist 20-debian_defaults
--- 20-debian_defaults.dpkg-dist        2006-04-20 03:45:44.000000000 +0900
+++ 20-debian_defaults  2006-04-04 21:43:17.000000000 +0900
@@ -15,16 +15,18 @@
 #       a traditional-style commented file
 #   [note: the above files were not converted to Debian settings!]
 #
-#   for more details see documentation in /usr/share/doc/amavisd-new
+#   for more details see documentation in INSTALL, README_FILES/*
 #   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
+
+# COMMONLY ADJUSTED SETTINGS:
+
+#$QUARANTINEDIR = "$MYHOME/quarantine";
 $QUARANTINEDIR = "$MYHOME/virusmails";
-$log_recip_templ = undef;    # disable by-recipient level-0 log entries
+#$log_recip_templ = undef;    # disable by-recipient level-0 log entries
 $DO_SYSLOG = 1;              # log via syslogd (preferred)
-$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
-$syslog_facility = 'mail';
-$syslog_priority = 'debug';  # switch to info to drop debug output, etc
+$SYSLOG_LEVEL = 'mail.debug'; # switch to mail.info to drop debug output, etc
 $enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
 $enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
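Review bot: this hunk looks like the wrong side of a merge rather than deliberate tuning: the `+++` file (dated 2006-04-04) is older than the `.dpkg-dist` it is diffed against (2006-04-20), and every change is a step back to the earlier layout: the `$syslog_ident`/`$syslog_facility`/`$syslog_priority` trio is replaced by the single `$SYSLOG_LEVEL` it superseded, `$log_recip_templ = undef` is commented out (re-enabling per-recipient log lines), and the documentation pointer goes back to INSTALL/README_FILES. The one line that reads as intended is `$QUARANTINEDIR = "$MYHOME/virusmails"`; carry that over into the new default file instead of keeping the old one.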
@@ -32,13 +34,13 @@
 $inet_socket_port = 10024;   # default listenting socket
 $sa_spam_subject_tag = '***SPAM*** ';
-$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
+$sa_tag_level_deflt  = 4.0;  # add spam info headers if at, or above that level
 $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
 $sa_kill_level_deflt = 6.31; # triggers spam evasive actions
 $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
 $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
-$sa_local_tests_only = 0;    # only tests which do not require internet access?
+#$sa_local_tests_only = 0;    # only tests which do not require internet access?
 # Quota limits to avoid bombs (like 42.zip)
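Review bot: commenting out `$sa_local_tests_only = 0` here changes nothing on its own (0 is the package default and 50-user sets it to 1 anyway); the effective value 1 switches off SpamAssassin's network tests (RBLs, URIBLs, Razor/DCC), so on this host DNSBL coverage rests entirely on the `reject_rbl_client` entries in main.cf. Raising `$sa_tag_level_deflt` from 2.0 to 4.0 also means mail scoring under 4.0 carries no X-Spam-* headers at all; use a large negative value (e.g. -999) if every message should be tagged with its score for client-side filtering.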
@@ -47,6 +49,8 @@
 $MIN_EXPANSION_QUOTA =      100*1024;  # bytes
 $MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes
+# OTHER MORE COMMON SETTINGS (defaults may suffice):
+
 # You should:
 #   Use D_DISCARD to discard data (viruses)
 #   Use D_BOUNCE to generate local bounces by amavisd-new
@@ -66,7 +70,7 @@
 $final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
 $final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
-$final_spam_destiny       = D_BOUNCE;
+$final_spam_destiny       = D_DISCARD;
 $final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
 $virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
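Review bot: `$final_banned_destiny = D_BOUNCE` (the unchanged line just above the change) deserves the same treatment as the spam line changed here. Banned attachments are almost always malware with a forged envelope sender, exactly the case the comment block further down describes, so bouncing them sends backscatter to innocent third parties. D_DISCARD is the consistent choice; D_REJECT, which the in-line comment suggests for a front-end MTA, only works in a pre-queue setup, and the content_filter in this master.cf runs after the message has already been queued.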
@@ -81,8 +85,7 @@
 #
 # These days, almost all viruses fake the envelope sender and mail headers.
 # Therefore, "virus notifications" became nothing but undesired, aggravating
-# SPAM.  This holds true even inside one's domain.  We disable them all by
-# default, except for the EICAR test pattern.
+# SPAM.  This holds true even inside one's domain.
 #
 @viruses_that_fake_sender_maps = (new_RE(
eswat2:/etc/amavis/conf.d# more 50-user
use strict;
#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
$log_level = 2;
$X_HEADER_TAG = 'X-Virus-Scanned';
$remove_existing_x_scanned_headers = 0;
$remove_existing_spam_headers  = 1;
$replace_existing_extension = 1;
$sa_local_tests_only = 1;   # (default: false)
$sa_auto_whitelist = 1;     # turn on AWL (default: false)
$sa_debug = 1;
$max_servers  =  4;     # number of pre-forked children          (default 2)
$max_requests = 16;     # retire a child after that many accepts (default 10)
#------------ Do not modify anything below this line -------------
1;  # insure a defined return

For system-wide checking, place a user_prefs like the one below in /var/lib/amavis/.spamassassin/, the home directory of the amavis user, and the classification will pick it up, since amavisd-new runs SpamAssassin as that user. (Adjust parameters such as whitelist_from to your own network.) One caveat: required_hits in this file has no effect under amavisd-new, which decides what is spam with its own $sa_tag2_level_deflt and $sa_kill_level_deflt from 20-debian_defaults; the whitelist, blacklist and network settings do apply.
The Bayes database used for spam classification has also already been built with sa-learn, run as the amavis user.

# SpamAssassin user preferences file.  See 'perldoc Mail::SpamAssassin::Conf'
# for details of what can be tweaked.
###########################################################################
# How many hits before a mail is considered spam.
required_hits           7.5
# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# whitelist_from        someone@somewhere.com
# Add your own customised scores for some tests below.  The default scores are
# read from the installed spamassassin rules files, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.org/tests.html .
#
# score SYMBOLIC_TEST_NAME n.nn
# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
# definitely want to uncomment the following lines.  They will switch off some
# rules that detect 8-bit characters, which commonly trigger on mails using CJK
# character sets, or that assume a western-style charset is in use.
#
# score HEADER_8BITS            0
# score HTML_COMMENT_8BITS      0
# score SUBJ_FULL_OF_8BITS      0
# score UPPERCASE_25_50         0
# score UPPERCASE_50_75         0
# score UPPERCASE_75_100        0
trusted_networks 127/8 192.168.0/24
internal_networks 192.168.0/24
whitelist_from logcheck@downtown.jp
whitelist_to root@downtown.jp
#*****
blacklist_from delivery@hosyou-b.mine.nu tomio@tkeiba.net
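A misspelt directive in user_prefs is silently skipped by SpamAssassin (it logs a "failed to parse line" warning), which is why `spamassassin --lint`, run as the amavis user, belongs in the checklist after every edit. The following is an added example, not code from this page or from SpamAssassin: a small lint and dry-run for the directives used above. It flags unknown directive names, expands the network shorthand trusted_networks uses ("127/8", "192.168.0/24"), and turns whitelist_from globs into anchored, case-insensitive matches so you can ask whether a given sender or relay would be covered. SAMPLE_PREFS is a constructed copy of the file above that keeps a misspelt directive on purpose and adds one glob entry (*@lists.example.org) for illustration.

```python
"""Lint and dry-run for a SpamAssassin user_prefs like the one above.

Added example, not code from the page or from SpamAssassin.  The real check
is `spamassassin --lint` run as the amavis user; this shows what such a lint
looks for in the directives used on this page (directive names, the network
shorthand of trusted_networks, the globs of whitelist_from) and lets you ask
whether an address or relay would match.  SAMPLE_PREFS is a constructed copy
of the file above with a deliberately misspelt directive and one extra glob.
"""
import ipaddress
import re

KNOWN = {
    "required_hits", "required_score", "score", "whitelist_from", "whitelist_to",
    "blacklist_from", "trusted_networks", "internal_networks",
}
NETWORK_DIRECTIVES = {"trusted_networks", "internal_networks"}
ADDRESS_DIRECTIVES = {"whitelist_from", "whitelist_to", "blacklist_from"}

SAMPLE_PREFS = """\
# constructed copy of the prefs above, typo kept on purpose
required_hits           7.5
score HEADER_8BITS      0
trusted_networks 127/8 192.168.0/24
internel_networks 192.168.0/24
whitelist_from logcheck@downtown.jp *@lists.example.org
whitelist_to root@downtown.jp
blacklist_from *@spam.example
"""


def sa_network(spec):
    """Expand SpamAssassin's network shorthand: '127/8', '192.168.0/24',
    '10.1.2.3'.  Missing octets default to 0; without an explicit mask the
    mask covers exactly the octets given (so a bare address is a /32)."""
    addr, _, prefix = spec.partition("/")
    octets = [o for o in addr.split(".") if o]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("bad network %r" % spec)
    bits = int(prefix) if prefix else 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(octets), bits), strict=False)


def glob_to_re(glob):
    # whitelist_* patterns: '*' matches anything, '?' one character,
    # case-insensitive, anchored to the whole address.
    return re.compile("^" + re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".") + "$", re.I)


def parse_prefs(text):
    prefs = {"networks": {}, "addresses": {}, "scores": {}, "problems": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        directive, args = parts[0], (parts[1].split() if len(parts) > 1 else [])
        if directive not in KNOWN:
            prefs["problems"].append("line %d: unknown directive %r" % (lineno, directive))
        elif directive in NETWORK_DIRECTIVES:
            try:
                prefs["networks"][directive] = [sa_network(a) for a in args]
            except ValueError as exc:
                prefs["problems"].append("line %d: %s" % (lineno, exc))
        elif directive in ADDRESS_DIRECTIVES:
            prefs["addresses"].setdefault(directive, []).extend(args)
        elif directive == "score":
            prefs["scores"][args[0]] = float(args[1])
        else:  # required_hits / required_score
            prefs["scores"]["required"] = float(args[0])
    return prefs


def listed(prefs, directive, address):
    """Does `address` match any glob given for whitelist_from / whitelist_to / blacklist_from?"""
    return any(glob_to_re(g).match(address) for g in prefs["addresses"].get(directive, []))


def trusted(prefs, ip):
    """Would a relay at `ip` fall inside trusted_networks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefs["networks"].get("trusted_networks", []))


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for problem in prefs["problems"]:
        print("lint:", problem)
    print("trusted 192.168.0.20:", trusted(prefs, "192.168.0.20"))
    print("whitelisted announce@lists.example.org:",
          listed(prefs, "whitelist_from", "announce@lists.example.org"))
```

Two things the dry-run makes visible. First, whitelist_from is matched against the From: header only, which any spammer can forge, so a whitelist entry like logcheck@downtown.jp is also a free pass for forged mail claiming that address; SpamAssassin's whitelist_from_rcvd ties the entry to the relay it must arrive from. Second, the typo'd line is dropped entirely rather than half-applied, which is what makes the lint step worth running rather than trusting a visual check.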

clamav

Basically all that is needed is commenting out the User line in clamd.conf; nothing else has to be touched.

eswat2:/etc/clamav# diff -u clamd.conf.dpkg-dist clamd.conf
--- clamd.conf.dpkg-dist        2005-09-20 12:13:23.000000000 +0900
+++ clamd.conf  2006-04-27 00:54:52.000000000 +0900
@@ -3,7 +3,7 @@
 #Please read /usr/share/doc/clamav-base/README.Debian.gz for details
 LocalSocket /var/run/clamav/clamd.ctl
 FixStaleSocket
-User clamav
+#User clamav
 ScanMail
 ScanArchive
 ArchiveMaxRecursion 5
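Review bot: commenting out `User clamav` means clamd never drops privileges, and since the init script starts it as root, every attachment it unpacks (archives, mail, and so on, per the ScanMail/ScanArchive lines kept here) is parsed by libclamav running as root. If this was done because clamd could not read amavisd-new's temporary files, the Debian way is to keep `User clamav` and add the clamav user to the amavis group (`adduser clamav amavis`; and amavis to the clamav group if the clamd socket permissions require it), then restart both daemons.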

One more thing

On Debian, some of these will not start as daemons until you edit the corresponding file under /etc/default, so keep an eye on that too.
