SMTPサーバ関連の設定の覚え書きが、ちょっと古くなりすぎているので、またまた更新版です。
現時点では、
postfix + amavisd-new + clamav + spamassassin + courier-imap&couier-pop + pop-before-smtp
という組み合わせで、稼働中。
SMTPサーバ関連の設定の覚え書きが、ちょっと古くなりすぎているので、またまた更新版です。
現時点では、
postfix + amavisd-new + clamav + spamassassin + courier-imap&couier-pop + pop-before-smtp
という組み合わせで、稼働中。
courier-*、couriergraphなどは、基本的にインストールして、そのまんま。pop-before-smtpについては、こちらのエントリーを参照のこと。
eswat2:~# dpkg -l postfix* amavis* *clam* *spam* *courier* *pop* | grep -e ^ii ii clamav 0.88.1-1 antivirus scanner for Unix ii clamav-base 0.88.1-1 base package for clamav, an anti-virus utili ii clamav-daemon 0.88.1-1 antivirus scanner daemon ii clamav-docs 0.88.1-1 documentation package for clamav, an anti-vi ii clamav-freshclam 0.88.1-1 downloads clamav virus databases from the In ii clamav-testfiles 0.88.1-1 use these files to test that your Antivirus ii courier-authdaemon 0.47-13 Courier Mail Server - Authentication daemon ii courier-base 0.47-13 Courier Mail Server - Base system ii courier-doc 0.47-13 Courier Mail Server - Additional documentati ii courier-imap 3.0.8-13 Courier Mail Server - IMAP server ii courier-pop 0.47-13 Courier Mail Server - POP3 server ii libclamav1 0.88.1-1 virus scanner library ii libdspam7 3.6.4-3 DSPAM is a scalable and statistical anti-spa ii libmail-pop3client-perl 2.17-1 POP3 client module for perl ii pop-before-smtp 1.36-2 watch log for POP/IMAP auth, notify MTA to a ii postfix 2.2.10-1 A high-performance mail transport agent ii postfix-doc 2.2.10-1 Postfix documentation ii postfix-pcre 2.2.10-1 PCRE map support for Postfix ii spamassassin 3.1.0a-2 Perl-based spam filter using text analysis ii spamc 3.1.0a-2 Client for SpamAssassin spam filtering daemo
main.cfから。(postconf -n
の結果)
alias_database = hash:/etc/aliases hash:/var/spool/ml/etc/aliases alias_maps = hash:/etc/aliases hash:/var/spool/ml/etc/aliases allow_mail_to_commands = alias,forward,include command_directory = /usr/sbin config_directory = /etc/postfix content_filter = smtp-amavis:[127.0.0.1]:10024 daemon_directory = /usr/lib/postfix home_mailbox = Maildir/ inet_interfaces = all mailbox_size_limit = 0 message_size_limit = 20480000 mydestination = $myhostname localhost.$mydomain $mydomain localhost mydomain = downtown.jp myhostname = eswat2.downtown.jp mynetworks = 127.0.0.0/8 192.168.0.0/24 218.219.149.232/29 myorigin = $mydomain notify_classes = bounce recipient_delimiter = + relay_domains = $mydestination katsushika.org relayhost = smtpd_client_restrictions = permit_mynetworks permit_mx_backup reject_rbl_client relays.ordb.org reject_rbl_client rbl.maps.vix.com reject_rbl_client dul.maps.vix.com reject_rbl_client relays.mail-abuse.org reject_rbl_client spamips.shub-inter.net reject_rhsbl_client relays.mail-abuse.org reject_rhsbl_client spamips.shub-inter.net reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_pipelining reject_unknown_sender_domain reject_unknown_recipient_domain reject_unknown_client permit smtpd_recipient_restrictions = permit_mynetworks reject_non_fqdn_recipient check_client_access hash:/var/lib/pop-before-smtp/hosts check_relay_domains smtpd_sender_restrictions = permit_mynetworks permit_mx_backup reject_non_fqdn_sender reject_non_fqdn_hostname reject_unlisted_sender reject_unknown_sender_domain reject_rhsbl_sender relays.mail-abuse.org reject_rhsbl_sender spamips.shub-inter.net permit virtual_alias_domains = $virtual_alias_maps virtual_alias_maps = hash:/etc/postfix/virtual
master.cfは、amavisd-newを呼び出す部分のみ。
--- master.cf.dpkg-dist 2004-05-31 11:46:16.000000000 +0900 +++ master.cf 2004-10-15 10:59:37.000000000 +0900 @@ -130,3 +130,17 @@ #tlsmgr fifo - - n 300 1 tlsmgr #smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes #587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes + +# ***** amavisd-new +smtp-amavis unix - - n - 8 smtp + -o smtp_data_done_timeout=1200 + -o disable_dns_lookups=yes + +127.0.0.1:10025 inet n - n - - smtpd + -o content_filter= + -o local_recipient_maps= + -o smtpd_helo_restrictions= + -o smtpd_client_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8
3.1にバージョンが上がってから、confファイルが分割されたので、その辺の調整で、ちょっと四苦八苦。で、手を入れたのは、/etc/amavis/conf.d/15-content_filter_modeと/etc/amavis/conf.d/20-debian_defaults、/etc/amavis/conf.d/50-userの3つ。
eswat2:/etc/amavis/conf.d# diff -u 15-content_filter_mode~ 15-content_filter_mode --- 15-content_filter_mode~ 2006-01-25 02:12:20.000000000 +0900 +++ 15-content_filter_mode 2006-01-25 02:17:52.000000000 +0900 @@ -8,8 +8,8 @@ # Uncomment the two lines below to enable it back # -#@bypass_virus_checks_maps = ( -# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); +@bypass_virus_checks_maps = ( + \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); # @@ -17,7 +17,7 @@ # Uncomment the two lines below to enable it back # -#@bypass_spam_checks_maps = ( -# \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); +@bypass_spam_checks_maps = ( + \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); 1; # insure a defined return
eswat2:/etc/amavis/conf.d# diff -u 20-debian_defaults.dpkg-dist 20-debian_defaults --- 20-debian_defaults.dpkg-dist 2006-04-20 03:45:44.000000000 +0900 +++ 20-debian_defaults 2006-04-04 21:43:17.000000000 +0900 @@ -15,16 +15,18 @@ # a traditional-style commented file # [note: the above files were not converted to Debian settings!] # -# for more details see documentation in /usr/share/doc/amavisd-new +# for more details see documentation in INSTALL, README_FILES/* # and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html + +# COMMONLY ADJUSTED SETTINGS: + +#$QUARANTINEDIR = "$MYHOME/quarantine"; $QUARANTINEDIR = "$MYHOME/virusmails"; -$log_recip_templ = undef; # disable by-recipient level-0 log entries +#$log_recip_templ = undef; # disable by-recipient level-0 log entries $DO_SYSLOG = 1; # log via syslogd (preferred) -$syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages -$syslog_facility = 'mail'; -$syslog_priority = 'debug'; # switch to info to drop debug output, etc +$SYSLOG_LEVEL = 'mail.debug'; # switch to mail.info to drop debug output, etc $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 @@ -32,13 +34,13 @@ $inet_socket_port = 10024; # default listenting socket $sa_spam_subject_tag = '***SPAM*** '; -$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level +$sa_tag_level_deflt = 4.0; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level $sa_kill_level_deflt = 6.31; # triggers spam evasive actions $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger -$sa_local_tests_only = 0; # only tests which do not require internet access? +#$sa_local_tests_only = 0; # only tests which do not require internet access? # Quota limits to avoid bombs (like 42.zip) @@ -47,6 +49,8 @@ $MIN_EXPANSION_QUOTA = 100*1024; # bytes $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes +# OTHER MORE COMMON SETTINGS (defaults may suffice): + # You should: # Use D_DISCARD to discard data (viruses) # Use D_BOUNCE to generate local bounces by amavisd-new @@ -66,7 +70,7 @@ $final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine) $final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA -$final_spam_destiny = D_BOUNCE; +$final_spam_destiny = D_DISCARD; $final_bad_header_destiny = D_PASS; # False-positive prone (for spam) $virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default @@ -81,8 +85,7 @@ # # These days, almost all viruses fake the envelope sender and mail headers. # Therefore, "virus notifications" became nothing but undesired, aggravating -# SPAM. This holds true even inside one's domain. We disable them all by -# default, except for the EICAR test pattern. +# SPAM. This holds true even inside one's domain. # @viruses_that_fake_sender_maps = (new_RE(
eswat2:/etc/amavis/conf.d# more 50-user use strict; # # Place your configuration directives here. They will override those in # earlier files. # # See /usr/share/doc/amavisd-new/ for documentation and examples of # the directives you can use in this file # $log_level = 2; $X_HEADER_TAG = 'X-Virus-Scanned'; $remove_existing_x_scanned_headers = 0; $remove_existing_spam_headers = 1; $replace_existing_extension = 1; $sa_local_tests_only = 1; # (default: false) $sa_auto_whitelist = 1; # turn on AWL (default: false) $sa_debug = 1; $max_servers = 4; # number of pre-forked children (default 2) $max_requests = 16; # retire a child after that many accepts (default 10) #------------ Do not modify anything below this line ------------- 1; # insure a defined return
System Wideでのチェックを行う為には、ユーザamavisのhomeディレクトリにある/var/lib/amavis/.spamassassin/に下記のようなuser_prefsを置くことで、判定が行われます。(whitelist_fromなどのパラメータはここのネットワークに合わせて読み替えてくださいね。)
spam判定用のDBもユーザamavisとしてsa-learn
コマンドで作成済み。
# SpamAssassin user preferences file. See 'perldoc Mail::SpamAssassin::Conf' # for details of what can be tweaked. ########################################################################### # How many hits before a mail is considered spam. required_hits 7.5 # Whitelist and blacklist addresses are now file-glob-style patterns, so # "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. # whitelist_from someone@somewhere.com # Add your own customised scores for some tests below. The default scores are # read from the installed spamassassin rules files, but you can override them # here. To see the list of tests and their default scores, go to # http://spamassassin.org/tests.html . # # score SYMBOLIC_TEST_NAME n.nn # Speakers of Asian languages, like Chinese, Japanese and Korean, will almost # definitely want to uncomment the following lines. They will switch off some # rules that detect 8-bit characters, which commonly trigger on mails using CJK # character sets, or that assume a western-style charset is in use. # # score HEADER_8BITS 0 # score HTML_COMMENT_8BITS 0 # score SUBJ_FULL_OF_8BITS 0 # score UPPERCASE_25_50 0 # score UPPERCASE_50_75 0 # score UPPERCASE_75_100 0 trusted_networks 127/8 192.168.0/24 internel_networks 192.168.0/24 whitelist_from logcheck@downtown.jp whitelist_to root@downtown.jp #***** blacklist_from delivery@hosyou-b.mine.nu tomio@tkeiba.net
基本的には、clamd.confのUser部分をコメントアウトするだけ。それ以外は弄ってなくても大丈夫。
eswat2:/etc/clamav# diff -u clamd.conf.dpkg-dist clamd.conf --- clamd.conf.dpkg-dist 2005-09-20 12:13:23.000000000 +0900 +++ clamd.conf 2006-04-27 00:54:52.000000000 +0900 @@ -3,7 +3,7 @@ #Please read /usr/share/doc/clamav-base/README.Debian.gz for details LocalSocket /var/run/clamav/clamd.ctl FixStaleSocket -User clamav +#User clamav ScanMail ScanArchive ArchiveMaxRecursion 5
Debianの場合、/etc/defaults以下にあるファイルを変更しないと、デーモンとして起動しないものがあるので、その辺も要注意ですな。
コメントする