Configuration notes: Postfix and friends (2011 edition)

The entry I wrote ages ago about configuring Postfix and the things around it still gets a surprising amount of traffic, so here is a fresh write-up of the configuration as it stands now.

Quite a lot has changed since the SMTP-server configuration notes I wrote back then, so I am leaving a new set.

[From Configuration notes: Postfix edition | Linux - Soukaku's HENA-CHOKO Blog]

Looking at the date, that entry is seven years old, yet for some reason it gets the most hits of anything here. Odd.
Well, once an SMTP server is running stably you hardly ever touch its configuration unless something forces you to, so the basic

postfix + amavisd-new + clamav + spamassassin

stack is unchanged, and

postgrey
postfix-policyd-spf-perl
dkim-filter

are what is layered on top of it in the current setup.


Installed packages

Roughly, pulling them out gives the following.
dpkg and aptitude resolve dependencies, so in practice a few more related packages are present.

# dpkg -l postfix* amavis *clam* *spam* dkim* postgrey | grep ^ii
ii  amavisd-milter                  1.5.0-4                   amavisd-new interface for milter-capable MTAs
ii  amavisd-milter-dbg              1.5.0-4                   amavisd-new interface for milter-capable MTAs - debugging symbols
ii  amavisd-new                     1:2.6.4-4                 Interface between MTA and virus scanner/content filters
ii  clamav                          0.97.2+dfsg-1             anti-virus utility for Unix - command-line interface
ii  clamav-base                     0.97.2+dfsg-1             anti-virus utility for Unix - base package
ii  clamav-daemon                   0.97.2+dfsg-1             anti-virus utility for Unix - scanner daemon
ii  clamav-dbg                      0.97.2+dfsg-1             debug symbols for ClamAV
ii  clamav-docs                     0.97.2+dfsg-1             anti-virus utility for Unix - documentation
ii  clamav-freshclam                0.97.2+dfsg-1             anti-virus utility for Unix - virus database update utility
ii  clamav-getfiles                 2.0-6                     Update script for clamav
ii  clamav-testfiles                0.97.2+dfsg-1             anti-virus utility for Unix - test files
ii  clamav-unofficial-sigs          3.7.1-1                   update script for 3rd-party clamav signatures
ii  dkim-filter                     2.8.2.dfsg-1+b1           DomainKeys Identified Mail (DKIM) Milter implementation
ii  libapache2-mod-spamhaus         0.7-1                     Apache DNSBL module that blocks listed IP addresses
ii  libclamav6                      0.97.2+dfsg-1             anti-virus utility for Unix - library
ii  postfix                         2.8.4-1                   High-performance mail transport agent
ii  postfix-dev                     2.8.4-1                   Loadable modules development environment for Postfix
ii  postfix-doc                     2.8.4-1                   Documentation for Postfix
ii  postfix-pcre                    2.8.4-1                   PCRE map support for Postfix
ii  postfix-policyd-spf-perl        2.007-2                   Simple Postfix policy server for RFC 4408 SPF checking
ii  postgrey                        1.34-1                    greylisting implementation for Postfix
ii  spamassassin                    3.3.2-2                   Perl-based spam filter using text analysis
ii  spamc                           3.3.2-2                   Client for SpamAssassin spam filtering daemon

postfix

Only the parts that matter, extracted.
The basic settings are a web search away, so they are omitted.

First, main.cf

"smtpd_client_restrictions" sets the rules applied to the connecting SMTP client. "reject_rbl_client bl.spamcop.net" selects spamcop as the DNSBL.
Postfix walks a restriction list top to bottom and stops at the first permit or reject (by default every list is evaluated at RCPT TO, which is why permit_mx_backup can sit in the client list at all), so a client in mynetworks, or one sending to a domain this host is backup MX for, is accepted without ever reaching the spamcop lookup.

smtpd_client_restrictions =
    permit_mynetworks
    permit_mx_backup
    reject_unauth_pipelining
    reject_rbl_client bl.spamcop.net
    permit

"smtpd_recipient_restrictions" sets the rules applied when the "RCPT TO" command arrives.
The hooks for postgrey and postfix-policyd-spf-perl go into smtpd_recipient_restrictions: postgrey via "check_policy_service inet:127.0.0.1:10023", postfix-policyd-spf-perl via "check_policy_service unix:private/spf"; both have to be written here. Note the ordering: reject_unauth_destination has already rejected every recipient this host is not responsible for, so permit_auth_destination then permits everything that remains, and the three reject_* checks after it are never reached; move them above permit_auth_destination if they are meant to take effect.
SPF also needs a change to master.cf, described further down.

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:10023
    check_policy_service unix:private/spf
    permit_auth_destination
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unverified_recipient
    permit

"smtpd_sender_restrictions" sets the rules applied when the "MAIL FROM" command arrives.
BarracudaCentral is set up here as an RHSBL; I have written about it in detail elsewhere. One thing to check: b.barracudacentral.org is documented as an IP-reputation list, and reject_rhsbl_sender looks up the sender's domain name in the zone rather than the client's address, so if the intent is the IP check, the matching form is reject_rbl_client b.barracudacentral.org.

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    permit_mx_backup
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_rhsbl_sender b.barracudacentral.org
    permit
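To see how the three lists above actually behave, here is an added example (my own illustration, not code from the post or from Postfix) that replays Postfix's first-match-wins evaluation over the exact restriction lists shown. DNSBL hits, policy-server answers and the address-verification probe are replaced by constructed session data, and the domain set (downtown.jp as mydestination, 172.16.0.0/24 in mynetworks, backup.example as a backup-MX / relay domain) is an assumption so that it runs offline:

```python
"""Simulate how Postfix walks an smtpd_*_restrictions list: the first
restriction that answers PERMIT, REJECT or DEFER decides and everything
after it is never consulted.  Added example, not the post's own code.
Network state (mynetworks, DNSBL hits, policy-server answers) is supplied
as constructed session data so that this runs offline."""
import ipaddress
from dataclasses import dataclass, field

# Assumed site data (not from the post): downtown.jp is taken to be in
# mydestination, 172.16.0.0/24 in mynetworks, backup.example a relay /
# backup-MX domain.  Address verification is a static set here.
MYNETWORKS = ["127.0.0.0/8", "172.16.0.0/24"]
LOCAL_DOMAINS = {"downtown.jp"}
RELAY_DOMAINS = {"backup.example"}
KNOWN_DOMAINS = LOCAL_DOMAINS | RELAY_DOMAINS | {"example.net", "example.org"}
VALID_RECIPIENTS = {"postmaster@downtown.jp"}


@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False
    rbl_listed: bool = False          # constructed stand-in for a DNSBL hit
    rhsbl_listed: bool = False        # constructed stand-in for an RHSBL hit
    policy: dict = field(default_factory=dict)  # policy server address -> verdict


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _in_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return any(ip in ipaddress.ip_network(n) for n in MYNETWORKS)


def _auth_destination(s):
    return _domain(s.recipient) in LOCAL_DOMAINS | RELAY_DOMAINS


# Each handler returns "permit", "reject", "defer" or None (Postfix DUNNO).
HANDLERS = {
    "permit": lambda s: "permit",
    "permit_mynetworks": lambda s: "permit" if _in_mynetworks(s) else None,
    "permit_sasl_authenticated": lambda s: "permit" if s.sasl_authenticated else None,
    "permit_mx_backup": lambda s: "permit" if _domain(s.recipient) in RELAY_DOMAINS else None,
    "permit_auth_destination": lambda s: "permit" if _auth_destination(s) else None,
    "reject_unauth_destination": lambda s: None if _auth_destination(s) else "reject",
    "reject_unauth_pipelining": lambda s: None,   # needs the raw SMTP stream; not modelled
    "reject_rbl_client": lambda s, zone: "reject" if s.rbl_listed else None,
    "reject_rhsbl_sender": lambda s, zone: "reject" if s.rhsbl_listed else None,
    "check_policy_service": lambda s, addr: s.policy.get(addr),
    "reject_non_fqdn_recipient": lambda s: None if "." in _domain(s.recipient) else "reject",
    "reject_non_fqdn_sender": lambda s: None if "." in _domain(s.sender) else "reject",
    "reject_unknown_recipient_domain": lambda s: None if _domain(s.recipient) in KNOWN_DOMAINS else "reject",
    "reject_unknown_sender_domain": lambda s: None if _domain(s.sender) in KNOWN_DOMAINS else "reject",
    "reject_unverified_recipient": lambda s: None if s.recipient.lower() in VALID_RECIPIENTS else "reject",
}

# The three lists exactly as they appear in the post's main.cf.
CLIENT = ["permit_mynetworks", "permit_mx_backup", "reject_unauth_pipelining",
          "reject_rbl_client bl.spamcop.net", "permit"]
RECIPIENT = ["permit_mynetworks", "reject_unauth_destination",
             "check_policy_service inet:127.0.0.1:10023",
             "check_policy_service unix:private/spf",
             "permit_auth_destination", "reject_non_fqdn_recipient",
             "reject_unknown_recipient_domain", "reject_unverified_recipient", "permit"]
SENDER = ["permit_mynetworks", "permit_sasl_authenticated", "permit_mx_backup",
          "reject_non_fqdn_sender", "reject_unknown_sender_domain",
          "reject_rhsbl_sender b.barracudacentral.org", "permit"]


def evaluate(restrictions, session):
    """Return (verdict, restriction_that_decided); ('dunno', None) if none fired."""
    for entry in restrictions:
        name, *args = entry.split()
        verdict = HANDLERS[name](session, *args)
        if verdict is not None:
            return verdict, entry
    return "dunno", None


def unreachable(restrictions, sessions):
    """Restrictions that are never consulted for any of the given sessions."""
    reached = set()
    for s in sessions:
        for entry in restrictions:
            reached.add(entry)
            name, *args = entry.split()
            if HANDLERS[name](s, *args) is not None:
                break
    return [r for r in restrictions if r not in reached]


# Constructed sessions covering the interesting paths.
SESSIONS = [
    Session("203.0.113.5", "bob@example.net", "nobody@downtown.jp"),      # non-existent local user
    Session("203.0.113.5", "bob@example.net", "alice@example.org"),      # open-relay attempt
    Session("172.16.0.10", "bob@example.net", "postmaster@downtown.jp", rbl_listed=True),
    Session("198.51.100.7", "spam@example.net", "postmaster@downtown.jp", rbl_listed=True),
    Session("198.51.100.8", "new@example.net", "postmaster@downtown.jp",
            policy={"inet:127.0.0.1:10023": "defer"}),                   # postgrey says wait
    Session("198.51.100.9", "bob@example.net", "postmaster@backup.example", rbl_listed=True),
]

if __name__ == "__main__":
    for label, rules in (("client", CLIENT), ("recipient", RECIPIENT), ("sender", SENDER)):
        for s in SESSIONS:
            print(label, s.client_ip, s.recipient, "->", evaluate(rules, s))
        print(label, "never consulted:", unreachable(rules, SESSIONS))
```

Run it and the unreachable() output for the recipient list shows why the three reject_* entries after permit_auth_destination never fire: reject_unauth_destination has already turned away every recipient outside mydestination/relay_domains, so permit_auth_destination accepts all that remain. The client list likewise shows an RBL-listed host being accepted when it talks to a backup-MX domain, because permit_mx_backup answers before the spamcop lookup.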

amavisd-new & amavisd-milter

Debian's amavisd-new package splits the configuration into several files, so adjust the file names accordingly when setting this up on something other than Debian.

In 15-content_filter_mode, uncomment "@bypass_virus_checks_maps" and "@bypass_spam_checks_maps" to enable virus checking with ClamAV and spam checking with SpamAssassin. (Despite the names, in Debian's layout defining these bypass maps is what switches the checks on; the file's own comment says so.)

diff -ur /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d/15-content_filter_mode /etc/amavis/conf.d/15-content_filter_mode
--- /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d//15-content_filter_mode  2011-09-18 01:20:26.000000000 +0900
+++ /etc/amavis/conf.d//15-content_filter_mode  2010-01-17 00:28:44.000000000 +0900
@@ -10,8 +10,8 @@
 # If You wish to enable it, please uncomment the following lines:
-#@bypass_virus_checks_maps = (
-#   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
 #
@@ -21,7 +21,7 @@
 # If You wish to enable it, please uncomment the following lines:
-#@bypass_spam_checks_maps = (
-#   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
 1;  # ensure a defined return

In 20-debian_defaults, add our own domain to "@score_sender_maps" so that mail from our own domain is not classified as spam. Then change "$final_spam_destiny" from "D_BOUNCE" to "D_DISCARD" so that mail judged to be spam is not bounced, and turn on "$enable_dkim_verification". That is all.

diff -ur /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d/20-debian_defaults /etc/amavis/conf.d/20-debian_defaults
--- /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d//20-debian_defaults      2011-09-18 01:20:26.000000000 +0900
+++ /etc/amavis/conf.d//20-debian_defaults      2011-01-04 16:35:43.000000000 +0900
@@ -67,10 +67,10 @@
 $final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
 $final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
-$final_spam_destiny       = D_BOUNCE;
+$final_spam_destiny       = D_DISCARD;
 $final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
-$enable_dkim_verification = 0; #disabled to prevent warning
+$enable_dkim_verification = 1; #disabled to prevent warning
 $virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
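Review bot: the trailing comment on the + line, "#disabled to prevent warning", is now wrong for $enable_dkim_verification = 1 and should be dropped or rewritten (for example "# verify DKIM signatures; needs Mail::DKIM"). In the same hunk, $final_banned_destiny stays at D_BOUNCE while $final_spam_destiny moves to D_DISCARD; bouncing banned attachments produces the same backscatter to forged senders that the spam change avoids, and since this amavisd is attached to Postfix through amavisd-milter (pre-queue), the D_REJECT that the file's own comment suggests "when front-end MTA" is available for both and refuses the message at SMTP time instead of silently discarding it.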
@@ -204,6 +204,9 @@
      # soft-blacklisting (positive score)
      #'sender@example.net'                     =>  3.0,
      #'.example.net'                           =>  1.0,
+     '.downtown.jp'                           => -5.0,
+     'downtown.jp'                            => -5.0,
+     'logcheck@downtown.jp'                   => -10.0,
    },
   ],  # end of site-wide tables
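Review bot: these three entries give a negative (whitelisting) score to anything whose sender is in downtown.jp, and -10 for logcheck@downtown.jp, but the key is the sender address, which anyone can forge; spoofed mail "from" the domain gets a 5 to 10 point head start past the tag2 threshold. Since $enable_dkim_verification is turned on in the hunk above, consider amavisd-new's DKIM-aware whitelisting, which only honours a sender exception when the message carries a valid signature for that author domain, or limit the exception to the hosts in @mynetworks, rather than trusting the bare sender address.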

In 50-user, log_level and the like are set.

diff -ur /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d/50-user /etc/amavis/conf.d/50-user
--- /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d//50-user 2011-09-18 01:20:26.000000000 +0900
+++ /etc/amavis/conf.d//50-user 2010-03-30 22:48:58.000000000 +0900
@@ -8,6 +8,21 @@
 # the directives you can use in this file
 #
+$log_level = 1;
+
+$X_HEADER_TAG = 'X-Virus-Scanned';
+
+$remove_existing_x_scanned_headers = 0;
+$remove_existing_spam_headers  = 0;
+
+$replace_existing_extension = 1;
+
+#$sa_local_tests_only = 1;   # (default: false)
+$sa_auto_whitelist = 1;            # turn on AWL (default: false)
+$sa_debug = 0;
+
+$max_servers  =  4;    # number of pre-forked children          (default 2)
+$max_requests = 16;    # retire a child after that many accepts (default 10)
 #------------ Do not modify anything below this line -------------
-1;  # ensure a defined return
+1;  # insure a defined return
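Review bot: $remove_existing_x_scanned_headers = 0 and $remove_existing_spam_headers = 0 turn off the default stripping of inbound X-Virus-Scanned and X-Spam-* headers, so a message that arrives already carrying "X-Spam-Status: No" or "X-Virus-Scanned: ..." keeps those headers next to the ones this amavisd adds, and any downstream filter keyed on them (procmail or Sieve rules, mail-client filters) can be fooled by a sender who supplies them; leave both at their default of 1 unless a trusted upstream scanner's headers are deliberately being preserved. Minor: the last line changes the comment from "ensure" to "insure", a typo introduced in the local copy.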

Then, to have Postfix and amavisd talk through milter, set in amavisd-milter's "/etc/default/amavisd-milter"

MILTERSOCKET=inet:60001@127.0.0.1

and, so that Postfix speaks milter, add to /etc/postfix/main.cf

non_smtpd_milters = inet:[127.0.0.1]:60001
smtpd_milters = inet:[127.0.0.1]:60001
milter_default_action = accept
milter_protocol = 2

Don't forget those. Two of the values deserve a conscious choice: milter_default_action = accept means that if amavisd-milter is down or unreachable, Postfix accepts the mail unscanned (the Postfix default, tempfail, would defer it instead), and milter_protocol = 2 pins the old protocol version where Postfix 2.8 defaults to 6, so check that the installed milters support whatever is set. smtpd_milters covers mail arriving over SMTP; non_smtpd_milters covers mail injected locally through sendmail(1)/postdrop.

clamav

This configuration file has been in use for years, so it differs from the current package default, but it works as is and I have barely touched it. Two settings worth a second look: LocalSocketMode 666 makes the socket writable by every local user, whereas with LocalSocketGroup amavis already set, 660 would be enough for amavisd; and StreamMaxLength 25M is the ceiling for what a client may stream to clamd, so anything larger is simply not scanned.

 more /etc/clamav/clamd.conf
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket yes
LocalSocketGroup amavis
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User amavis
AllowSupplementaryGroups yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
MaxDirectoryRecursion 15
FollowDirectorySymlinks no
FollowFileSymlinks yes
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog yes
LogFacility LOG_MAIL
LogClean no
LogVerbose no
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
Foreground no
Debug no
ScanPE yes
ScanOLE2 yes
ScanHTML yes
DetectBrokenExecutables yes
ExitOnOOM no
LeaveTemporaryFiles no
AlgorithmicDetection yes
ScanELF yes
IdleTimeout 30
PhishingSignatures yes
PhishingScanURLs yes
PhishingAlwaysBlockSSLMismatch yes
PhishingAlwaysBlockCloak yes
DetectPUA no
ScanPartialMessages yes
HeuristicScanPrecedence yes
StructuredDataDetection no
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo yes
OLE2BlockMacros no
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime yes
LogFileUnlock no
LogFileMaxSize 0
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OfficialDatabaseOnly no
CrossFilesystems yes
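As an added example (mine, not from the post or from ClamAV), here is a small Python client that drives the clamd above through the LocalSocket from the configuration, using the same INSTREAM command amavisd-new uses; StreamMaxLength 25M from the config is enforced client-side, and the EICAR test string (the one clamav-testfiles ships) is built inline. The framing and reply parsing are pure functions so they can be checked without a daemon; scan_bytes() needs the running clamd:

```python
"""Talk to clamd over the LocalSocket from clamd.conf using the INSTREAM
command, the same path amavisd-new uses.  Added example; not the post's or
ClamAV's own code.  Framing and reply parsing are pure functions so they can
be checked offline; scan_bytes() needs a running clamd."""
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # LocalSocket from the post's clamd.conf
STREAM_MAX = 25 * 1024 * 1024                 # StreamMaxLength 25M from the post's clamd.conf
CHUNK = 65536

# The EICAR test string is a public, harmless detection test (also shipped in
# clamav-testfiles); assembled from two halves so this source file is not itself flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data, chunk=CHUNK):
    """Yield the wire bytes of one INSTREAM request: the NUL-terminated command
    ('z' prefix asks for NUL-terminated replies), then length-prefixed
    (4-byte big-endian) chunks, then a zero-length chunk as terminator."""
    if len(data) > STREAM_MAX:
        raise ValueError("payload exceeds StreamMaxLength; clamd would abort the stream")
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        yield struct.pack(">I", len(piece)) + piece
    yield struct.pack(">I", 0)


def parse_reply(raw):
    """Turn clamd's reply ('stream: OK', 'stream: <sig> FOUND', '... ERROR',
    NUL-terminated) into (status, signature_or_message)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    head, sep, tail = text.partition(": ")
    verdict = tail if sep else text
    if verdict == "OK":
        return "clean", None
    if verdict.endswith(" FOUND"):
        return "infected", verdict[:-len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "error", verdict[:-len(" ERROR")]
    return "error", text


def scan_bytes(data, sock_path=CLAMD_SOCKET, timeout=180):
    """Stream data to clamd and return parse_reply() of its answer.
    The timeout mirrors ReadTimeout 180 in the post's clamd.conf."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    print(scan_bytes(b"hello, world\n"))   # a clean verdict
    print(scan_bytes(EICAR))               # a FOUND verdict naming the EICAR test signature
```

Running it on the box as a member of the amavis group should print a clean verdict for the plain text and a FOUND verdict for the test string; if the second call comes back clean, the socket path, the group membership or the signature database is wrong and amavisd would be getting the same answer.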

spamassassin

"/etc/spamassassin/local.cf" gets only the minimum of changes.
Rules added individually go into "/var/lib/amavis/.spamassassin/private_prefs" instead.

diff -u spamassassin-3.3.2/rules/local.cf /etc/spamassassin/local.cf
--- spamassassin-3.3.2/rules/local.cf  2011-06-07 08:59:17.000000000 +0900
+++ /etc/spamassassin/local.cf 2011-05-16 16:07:30.897250011 +0900
@@ -22,6 +22,8 @@
 #   server (i.e. not spammers)
 #
 # trusted_networks 212.17.35.
+trusted_networks 172.16.0.
+trusted_networks 218.219.149.232/29
 #   Set file-locking method (flock is not safe over NFS, but is faster)
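Review bot: trusted_networks 172.16.0. (trailing-dot shorthand for 172.16.0.0/24) and the 218.219.149.232/29 block are treated by SpamAssassin as hosts that never originate spam and whose Received headers are believed, which also moves the DNSBL checks out to the first untrusted hop; make sure the /29 contains only this site's own MX and relays and no host that could be a source of spam, otherwise a listed neighbour is whitelisted for free.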
@@ -36,12 +38,12 @@
 #   Use Bayesian classifier (default: 1)
 #
-# use_bayes 1
+use_bayes 1
 #   Bayesian classifier auto-learning (default: 1)
 #
-# bayes_auto_learn 1
+bayes_auto_learn 1
 #   Set headers which may provide inappropriate cues to the Bayesian
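Review bot: use_bayes 1 and bayes_auto_learn 1 are already the defaults (the comments above each say so), so this hunk documents rather than changes behaviour, which is fine. Worth remembering with amavisd-new is that SpamAssassin runs as the amavis user, so the Bayes database lives under that user's home (/var/lib/amavis/.spamassassin here) and sa-learn must be run as amavis for any manual training to reach it.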
@@ -54,7 +56,7 @@
 #   Some shortcircuiting, if the plugin is enabled
 #
-ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+# ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
 #
 #   default: strongly-whitelisted mails are *really* whitelisted now, if the
 #   shortcircuiting plugin is active, causing early exit to save CPU load.
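Review bot: commenting out "ifplugin Mail::SpamAssassin::Plugin::Shortcircuit" makes everything from here to the matching endif unconditional, presumably so that the allow_user_rules and include lines added further down are read whether or not the Shortcircuit plugin is loaded; the shortcircuit settings in between are still commented out, so nothing else changes. Moving those two lines above the ifplugin and leaving the block intact would express the intent without altering the upstream structure.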
@@ -81,5 +83,8 @@
 # shortcircuit BAYES_99                spam
 # shortcircuit BAYES_00                ham
+allow_user_rules 1
+include /var/lib/amavis/.spamassassin/private_prefs
+
 endif # Mail::SpamAssassin::Plugin::Shortcircuit
 
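Review bot: the endif on the last line now has no matching ifplugin (it was commented out in the previous hunk); run spamassassin --lint as the amavis user to confirm the parser accepts it. allow_user_rules 1 is not needed for rules in a file pulled in with include (they are site-wide rules, not user_prefs rules) and SpamAssassin's own documentation warns that it can be a security hole, because users can then define rules that spamd evaluates; drop it unless per-user rules are really wanted. Also, include expects /var/lib/amavis/.spamassassin/private_prefs to exist and be readable by amavis, so create it (even empty) before restarting amavisd.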

Edit "/etc/spamassassin/v3[123]0.pre" to enable a few plugins.

diff -u spamassassin-3.3.2/rules/v310.pre /etc/spamassassin/v310.pre
--- spamassassin-3.3.2/rules/v310.pre  2011-06-07 08:59:17.000000000 +0900
+++ /etc/spamassassin/v310.pre 2011-05-21 23:03:35.825044527 +0900
@@ -50,11 +50,11 @@
 # TextCat - language guesser
 #
-#loadplugin Mail::SpamAssassin::Plugin::TextCat
+loadplugin Mail::SpamAssassin::Plugin::TextCat
 # AccessDB - lookup from-addresses in access database
 #
-#loadplugin Mail::SpamAssassin::Plugin::AccessDB
+loadplugin Mail::SpamAssassin::Plugin::AccessDB
 # WhitelistSubject - Whitelist/Blacklist certain subject regular expressions
 #
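Review bot: loading AccessDB does nothing by itself; it only acts once an accessdb path is set and the database is populated, and TextCat only affects scoring once ok_languages is narrowed from its default of all, so add those settings (or leave the plugins off) and confirm with spamassassin --lint that both load.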
diff -u spamassassin-3.3.2/rules//320.pre /etc/spamassassin/v320.pre
--- spamassassin-3.3.2/rules//320.pre  2011-06-07 08:59:17.000000000 +0900
+++ /etc/spamassassin/v320.pre 2010-10-19 15:02:42.000000000 +0900
@@ -50,13 +50,13 @@
 # Rule2XSBody - speedup by compilation of ruleset to native code
 #
-# loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
+loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
 # ASN - Look up the Autonomous System Number of the connecting IP
 # and create a header containing ASN data for bayes tokenization.
 # See plugin's POD docs for usage info.
 #
-# loadplugin Mail::SpamAssassin::Plugin::ASN
+loadplugin Mail::SpamAssassin::Plugin::ASN
 # ImageInfo - rules to match metadata of image attachments
 #
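Review bot: Rule2XSBody only speeds anything up when compiled rules exist, so sa-compile has to be run, and re-run after every sa-update, otherwise the plugin silently falls back to the interpreted rules; ASN adds a DNS lookup per message against the routeviews zone, fine here but worth knowing when the resolver is slow. Separately, the diff header names rules//320.pre on the left while the right-hand file is v320.pre, so the upstream path in the command is probably a typo.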
diff -u spamassassin-3.3.2/rules//v330.pre /etc/spamassassin//v330.pre
--- spamassassin-3.3.2/rules//v330.pre  2011-06-07 08:59:17.000000000 +0900
+++ /etc/spamassassin//v330.pre 2010-03-28 01:04:42.000000000 +0900
@@ -19,7 +19,7 @@
 # PhishTag - allows sites to rewrite suspect phish-mail URLs
 # (Note: this requires configuration, see http://umut.topkara.org/PhishTag)
 #
-#loadplugin Mail::SpamAssassin::Plugin::PhishTag
+loadplugin Mail::SpamAssassin::Plugin::PhishTag
 # FreeMail - detect email addresses using free webmail services,
 # usable as input for other rules
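Review bot: as the comment two lines up says, PhishTag needs configuration before it does anything, and the URL it points to for that may no longer be reachable; with just loadplugin and no trigger rules it is a no-op, so either add its configuration or leave the line commented.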

postgrey

Basically fine as installed.
Adjust "/etc/postgrey/whitelist_clients" and "/etc/postgrey/whitelist_recipients" as needed.

postfix-policyd-spf-perl

After installing, append the following to "/etc/postfix/master.cf" and that is it.

## PostFix SPF
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Added using postfix-add-policy script:
spf     unix     -      n       n       -       0       spawn
        user=policyd-spf        argv=/usr/sbin/postfix-policyd-spf-perl

And, as mentioned above, don't forget to put "check_policy_service unix:private/spf" into smtpd_recipient_restrictions in "/etc/postfix/main.cf"; the spawn entry above is what creates the private/spf socket that line refers to.
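Both check_policy_service entries (postgrey on inet:127.0.0.1:10023 and the spf service spawned above) speak the same Postfix policy delegation protocol: Postfix sends name=value lines ending in a blank line, and the server answers with one action= line and a blank line. As an added example (mine, not postgrey's or postfix-policyd-spf-perl's code), here is that protocol wrapped around a minimal postgrey-style greylist, runnable under spawn from master.cf (stdin/stdout, the way the spf entry works) or fed a captured request; the 300-second delay and the sample request are assumptions:

```python
"""Postfix policy delegation protocol (the one behind check_policy_service),
around a minimal greylisting policy in the style of postgrey.  Added example,
not code from postgrey or postfix-policyd-spf-perl.  Under spawn(8) Postfix
hands the connection to this program as stdin/stdout."""
import io
import sys
import time

GREYLIST_DELAY = 300   # seconds a new (client, sender, recipient) triplet must wait; assumed

# Constructed request, in the shape Postfix sends at RCPT time.
SAMPLE_REQUEST = (b"request=smtpd_access_policy\n"
                  b"protocol_state=RCPT\n"
                  b"protocol_name=ESMTP\n"
                  b"client_address=198.51.100.23\n"
                  b"client_name=mail.example.net\n"
                  b"helo_name=mail.example.net\n"
                  b"sender=alice@example.net\n"
                  b"recipient=postmaster@downtown.jp\n"
                  b"\n")


def parse_request(raw):
    """Decode one policy request: 'name=value' lines up to the first empty line."""
    attrs = {}
    for line in raw.decode("utf-8", "replace").split("\n"):
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def format_response(action):
    """Encode the reply: a single 'action=' line followed by an empty line."""
    return ("action=%s\n\n" % action).encode()


class GreylistPolicy:
    """First sight of a triplet is deferred; once GREYLIST_DELAY has passed it is let through."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.seen = {}   # (client_address, sender, recipient) -> first-seen timestamp

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"                      # unknown request type: express no opinion
        key = (attrs.get("client_address", ""),
               attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
        first = self.seen.setdefault(key, now)
        if now - first < self.delay:
            # DEFER_IF_PERMIT: defer only if nothing later in the restriction list rejects
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        return "DUNNO"                          # DUNNO lets the rest of the restriction list decide


def handle_stream(rfile, wfile, policy, now=None):
    """Serve requests until EOF; Postfix may send several over one connection.
    Returns the number of requests answered."""
    served = 0
    while True:
        lines = []
        while True:
            line = rfile.readline()
            if not line:
                return served
            if line.strip(b"\r\n") == b"":
                break
            lines.append(line)
        attrs = parse_request(b"".join(lines))
        wfile.write(format_response(policy.decide(attrs, now)))
        wfile.flush()
        served += 1


def run_requests(policy, raw, now=None):
    """Feed raw request bytes through handle_stream and return the raw replies."""
    out = io.BytesIO()
    handle_stream(io.BytesIO(raw), out, policy, now)
    return out.getvalue()


if __name__ == "__main__":
    # Under master.cf spawn, stdin/stdout are the connection from Postfix.
    handle_stream(sys.stdin.buffer, sys.stdout.buffer, GreylistPolicy())
```

Wired up, it would take a master.cf line like the spf one (a hypothetical "greylist-demo unix - n n - 0 spawn user=nobody argv=/path/to/this.py") and "check_policy_service unix:private/greylist-demo" in smtpd_recipient_restrictions, placed after reject_unauth_destination so the policy is only consulted for recipients the server is actually responsible for. The state here is in memory and per process, which is exactly why postgrey runs as one long-lived daemon on a TCP port instead.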

dkim-filter

For this one, see my other entries on it.
Since it runs alongside amavisd-milter, "/etc/postfix/main.cf" gets

non_smtpd_milters = inet:[127.0.0.1]:54321 inet:[127.0.0.1]:60001
smtpd_milters = inet:[127.0.0.1]:54321 inet:[127.0.0.1]:60001

and with that both are active. Postfix runs milters in the order listed, so dkim-filter on 54321 handles a message before amavisd-milter on 60001, and since milter_default_action = accept applies to both, an unreachable dkim-filter means outbound mail leaves unsigned rather than being deferred.
