A long time ago I wrote an entry about Postfix and its surrounding configuration, and since it still gets a surprising number of hits, I am writing out the current configuration state afresh.
The content has changed considerably from the SMTP-server configuration notes I wrote earlier, so I am leaving a new set of notes.
[From 設定覚え書き:Postfix編 | Linux - Soukaku's HENA-CHOKO Blog]
Looking at the date, that entry is seven years old, yet somehow it gets the most traffic. Strange.
Well, once an SMTP server runs stably you rarely touch its configuration unless something major happens, so the basic structure
postfix + amavisd-new + clamav + spamassassin
is unchanged; the current setup adds the following on top of it:
postgrey
postfix-policyd-spf-perl
dkim-filter
Installed packages
Roughly speaking, an extract looks like this. Since dpkg or aptitude resolve dependencies, there are in practice a few more related packages.
# dpkg -l postfix* amavis *clam* *spam* dkim* postgrey | grep ^ii
ii amavisd-milter 1.5.0-4 amavisd-new interface for milter-capable MTAs
ii amavisd-milter-dbg 1.5.0-4 amavisd-new interface for milter-capable MTAs - debugging symbols
ii amavisd-new 1:2.6.4-4 Interface between MTA and virus scanner/content filters
ii clamav 0.97.2+dfsg-1 anti-virus utility for Unix - command-line interface
ii clamav-base 0.97.2+dfsg-1 anti-virus utility for Unix - base package
ii clamav-daemon 0.97.2+dfsg-1 anti-virus utility for Unix - scanner daemon
ii clamav-dbg 0.97.2+dfsg-1 debug symbols for ClamAV
ii clamav-docs 0.97.2+dfsg-1 anti-virus utility for Unix - documentation
ii clamav-freshclam 0.97.2+dfsg-1 anti-virus utility for Unix - virus database update utility
ii clamav-getfiles 2.0-6 Update script for clamav
ii clamav-testfiles 0.97.2+dfsg-1 anti-virus utility for Unix - test files
ii clamav-unofficial-sigs 3.7.1-1 update script for 3rd-party clamav signatures
ii dkim-filter 2.8.2.dfsg-1+b1 DomainKeys Identified Mail (DKIM) Milter implementation
ii libapache2-mod-spamhaus 0.7-1 Apache DNSBL module that blocks listed IP addresses
ii libclamav6 0.97.2+dfsg-1 anti-virus utility for Unix - library
ii postfix 2.8.4-1 High-performance mail transport agent
ii postfix-dev 2.8.4-1 Loadable modules development environment for Postfix
ii postfix-doc 2.8.4-1 Documentation for Postfix
ii postfix-pcre 2.8.4-1 PCRE map support for Postfix
ii postfix-policyd-spf-perl 2.007-2 Simple Postfix policy server for RFC 4408 SPF checking
ii postgrey 1.34-1 greylisting implementation for Postfix
ii spamassassin 3.3.2-2 Perl-based spam filter using text analysis
ii spamc 3.3.2-2 Client for SpamAssassin spam filtering daemon
postfix
Only the key points are extracted; basic settings are omitted, since googling turns up plenty.
First, main.cf.
"smtpd_client_restrictions" configures how SMTP connections from clients are handled; "reject_rbl_client bl.spamcop.net" designates spamcop for the RBL check.
smtpd_client_restrictions =
    permit_mynetworks
    permit_mx_backup
    reject_unauth_pipelining
    reject_rbl_client bl.spamcop.net
    permit
"smtpd_recipient_restrictions" configures what happens when the "RCPT TO" command is received.
The hooks for postgrey and postfix-policyd-spf-perl go into smtpd_recipient_restrictions: for postgrey it is "check_policy_service inet:127.0.0.1:10023", for postfix-policyd-spf-perl it is "check_policy_service unix:private/spf", and both need to be written here.
SPF also requires changes to master.cf, but those are described later.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:10023
    check_policy_service unix:private/spf
    permit_auth_destination
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unverified_recipient
    permit
"smtpd_sender_restrictions" configures what happens when the "MAIL FROM" command is received.
Here BarracudaCentral is set up as an RHSBL; I have written about this in detail here.
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    permit_mx_backup
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_rhsbl_sender b.barracudacentral.org
    permit
amavisd-new & amavisd-milter
Debian's amavisd-new package splits the configuration into several files, so adjust accordingly when configuring on a non-Debian system.
In 15-content_filter_mode, uncomment "@bypass_virus_checks_maps" and "@bypass_spam_checks_maps" to enable virus checking with ClamAV and spam checking with SpamAssassin.
diff -ur /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d/15-content_filter_mode /etc/amavis/conf.d/15-content_filter_mode
--- /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d//15-content_filter_mode 2011-09-18 01:20:26.000000000 +0900
+++ /etc/amavis/conf.d//15-content_filter_mode 2010-01-17 00:28:44.000000000 +0900
@@ -10,8 +10,8 @@
# If You wish to enable it, please uncomment the following lines:
-#@bypass_virus_checks_maps = (
-# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+@bypass_virus_checks_maps = (
+ \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
#
@@ -21,7 +21,7 @@
# If You wish to enable it, please uncomment the following lines:
-#@bypass_spam_checks_maps = (
-# \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+@bypass_spam_checks_maps = (
+ \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1; # ensure a defined return
In 20-debian_defaults, add your own domain to "@score_sender_maps" so that mail from your own domain is not flagged as spam. Then change "$final_spam_destiny" from "D_BOUNCE" to "D_DISCARD" so that mail flagged as spam is not bounced, and enable "$enable_dkim_verification". That is all.
diff -ur /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d/20-debian_defaults /etc/amavis/conf.d/20-debian_defaults
--- /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d//20-debian_defaults 2011-09-18 01:20:26.000000000 +0900
+++ /etc/amavis/conf.d//20-debian_defaults 2011-01-04 16:35:43.000000000 +0900
@@ -67,10 +67,10 @@
$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA
-$final_spam_destiny = D_BOUNCE;
+$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
-$enable_dkim_verification = 0; #disabled to prevent warning
+$enable_dkim_verification = 1; #disabled to prevent warning
$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
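Review bot: the comment on the `+$enable_dkim_verification = 1;` line still reads `#disabled to prevent warning` and now contradicts the value; drop or reword it. Also, `$final_spam_destiny = D_DISCARD` silently drops everything scored as spam, and no spam quarantine setting is visible in this hunk, so a false positive is unrecoverable; the `D_DISCARD` on the virus line carries the note `(data not lost, see virus quarantine)`, and the same quarantine arrangement is worth having for spam before discarding it.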
@@ -204,6 +204,9 @@
# soft-blacklisting (positive score)
#'sender@example.net' => 3.0,
#'.example.net' => 1.0,
+ '.downtown.jp' => -5.0,
+ 'downtown.jp' => -5.0,
+ 'logcheck@downtown.jp' => -10.0,
},
], # end of site-wide tables
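Review bot: the `-5.0` entries for `'.downtown.jp'` and `'downtown.jp'` are keyed on the sender address, which any outside sender can write into a message, so they also lower the score of mail that merely claims to come from the domain; consider keeping only the narrow `'logcheck@downtown.jp'` entry, or tying the bonus to a verified signature now that the previous hunk turns on `$enable_dkim_verification`.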
In 50-user, set log_level and so on.
diff -ur /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d/50-user /etc/amavis/conf.d/50-user
--- /usr/local/src/amavisd-new-2.6.4/debian/etc/conf.d//50-user 2011-09-18 01:20:26.000000000 +0900
+++ /etc/amavis/conf.d//50-user 2010-03-30 22:48:58.000000000 +0900
@@ -8,6 +8,21 @@
# the directives you can use in this file
#
+$log_level = 1;
+
+$X_HEADER_TAG = 'X-Virus-Scanned';
+
+$remove_existing_x_scanned_headers = 0;
+$remove_existing_spam_headers = 0;
+
+$replace_existing_extension = 1;
+
+#$sa_local_tests_only = 1; # (default: false)
+$sa_auto_whitelist = 1; # turn on AWL (default: false)
+$sa_debug = 0;
+
+$max_servers = 4; # number of pre-forked children (default 2)
+$max_requests = 16; # retire a child after that many accepts (default 10)
#------------ Do not modify anything below this line -------------
-1; # ensure a defined return
+1; # insure a defined return
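Review bot: `$remove_existing_spam_headers = 0` and `$remove_existing_x_scanned_headers = 0` leave any `X-Spam-*` or `X-Virus-Scanned` header that arrived from outside in place, so a remote sender can ship a message with a ready-made "clean" header that a downstream filter may trust; the default of 1 for `$remove_existing_spam_headers` strips them before this host adds its own. The hunk also edits the `1; # ensure a defined return` line below the `Do not modify anything below this line` marker, changing only the word to `insure`; drop that change.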
Then, to have the exchange between postfix and amavisd handled over milter, set
MILTERSOCKET=inet:60001@127.0.0.1
in amavisd-milter's "/etc/default/amavisd-milter", and so that postfix speaks milter, do not forget to add
non_smtpd_milters = inet:[127.0.0.1]:60001
smtpd_milters = inet:[127.0.0.1]:60001
milter_default_action = accept
milter_protocol = 2
to /etc/postfix/main.cf.
clamav
This configuration file has been in use for many years, so it differs from the current package default, but it has kept working as-is, so I have not touched it much.
more /etc/clamav/clamd.conf
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket yes
LocalSocketGroup amavis
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User amavis
AllowSupplementaryGroups yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
MaxDirectoryRecursion 15
FollowDirectorySymlinks no
FollowFileSymlinks yes
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog yes
LogFacility LOG_MAIL
LogClean no
LogVerbose no
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
Foreground no
Debug no
ScanPE yes
ScanOLE2 yes
ScanHTML yes
DetectBrokenExecutables yes
ExitOnOOM no
LeaveTemporaryFiles no
AlgorithmicDetection yes
ScanELF yes
IdleTimeout 30
PhishingSignatures yes
PhishingScanURLs yes
PhishingAlwaysBlockSSLMismatch yes
PhishingAlwaysBlockCloak yes
DetectPUA no
ScanPartialMessages yes
HeuristicScanPrecedence yes
StructuredDataDetection no
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo yes
OLE2BlockMacros no
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime yes
LogFileUnlock no
LogFileMaxSize 0
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OfficialDatabaseOnly no
CrossFilesystems yes
spamassassin
"/etc/spamassassin/local.cf" gets only the minimum necessary changes.
Rules added individually go into "/var/lib/amavis/.spamassassin/private_prefs" instead.
diff -u spamassassin-3.3.2/rules/local.cf /etc/spamassassin/local.cf
--- spamassassin-3.3.2/rules/local.cf 2011-06-07 08:59:17.000000000 +0900
+++ /etc/spamassassin/local.cf 2011-05-16 16:07:30.897250011 +0900
@@ -22,6 +22,8 @@
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.
+trusted_networks 172.16.0.
+trusted_networks 218.219.149.232/29
# Set file-locking method (flock is not safe over NFS, but is faster)
@@ -36,12 +38,12 @@
# Use Bayesian classifier (default: 1)
#
-# use_bayes 1
+use_bayes 1
# Bayesian classifier auto-learning (default: 1)
#
-# bayes_auto_learn 1
+bayes_auto_learn 1
# Set headers which may provide inappropriate cues to the Bayesian
@@ -54,7 +56,7 @@
# Some shortcircuiting, if the plugin is enabled
#
-ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+# ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
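Review bot: commenting out `ifplugin Mail::SpamAssassin::Plugin::Shortcircuit` leaves the closing `endif # Mail::SpamAssassin::Plugin::Shortcircuit` (visible at the end of the next hunk) without an opener, so the file no longer has balanced `ifplugin`/`endif` blocks; either keep the `ifplugin` line or comment out the `endif` too, and run `spamassassin --lint` to confirm the file parses.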
@@ -81,5 +83,8 @@
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham
+allow_user_rules 1
+include /var/lib/amavis/.spamassassin/private_prefs
+
endif # Mail::SpamAssassin::Plugin::Shortcircuit
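Review bot: `allow_user_rules 1` lets the included `/var/lib/amavis/.spamassassin/private_prefs` define arbitrary rules, i.e. regular expressions evaluated against every message, so that file must be writable only by the amavis user. These two lines also sit just before the `endif`, inside the block whose `ifplugin` the previous hunk commented out; they would be better placed outside that block.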
Edit the contents of "/etc/spamassassin/v3[123]0.pre" to enable several plugins.
diff -u spamassassin-3.3.2/rules/v310.pre /etc/spamassassin/v310.pre
--- spamassassin-3.3.2/rules/v310.pre 2011-06-07 08:59:17.000000000 +0900
+++ /etc/spamassassin/v310.pre 2011-05-21 23:03:35.825044527 +0900
@@ -50,11 +50,11 @@
# TextCat - language guesser
#
-#loadplugin Mail::SpamAssassin::Plugin::TextCat
+loadplugin Mail::SpamAssassin::Plugin::TextCat
# AccessDB - lookup from-addresses in access database
#
-#loadplugin Mail::SpamAssassin::Plugin::AccessDB
+loadplugin Mail::SpamAssassin::Plugin::AccessDB
# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions
#
diff -u spamassassin-3.3.2/rules//320.pre /etc/spamassassin/v320.pre
--- spamassassin-3.3.2/rules//320.pre 2011-06-07 08:59:17.000000000 +0900
+++ /etc/spamassassin/v320.pre 2010-10-19 15:02:42.000000000 +0900
@@ -50,13 +50,13 @@
# Rule2XSBody - speedup by compilation of ruleset to native code
#
-# loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
+loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
# ASN - Look up the Autonomous System Number of the connecting IP
# and create a header containing ASN data for bayes tokenization.
# See plugin's POD docs for usage info.
#
-# loadplugin Mail::SpamAssassin::Plugin::ASN
+loadplugin Mail::SpamAssassin::Plugin::ASN
# ImageInfo - rules to match metadata of image attachments
#
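Review bot: `loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody` only speeds things up when the ruleset has been compiled with `sa-compile`, and the compiled rules go stale after each `sa-update` unless `sa-compile` is run again; no such step is visible here, so document it next to this change.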
diff -u spamassassin-3.3.2/rules//v330.pre /etc/spamassassin//v330.pre
--- spamassassin-3.3.2/rules//v330.pre 2011-06-07 08:59:17.000000000 +0900
+++ /etc/spamassassin//v330.pre 2010-03-28 01:04:42.000000000 +0900
@@ -19,7 +19,7 @@
# PhishTag - allows sites to rewrite suspect phish-mail URLs
# (Note: this requires configuration, see http://umut.topkara.org/PhishTag)
#
-#loadplugin Mail::SpamAssassin::Plugin::PhishTag
+loadplugin Mail::SpamAssassin::Plugin::PhishTag
# FreeMail - detect email addresses using free webmail services,
# usable as input for other rules
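Review bot: the comment directly above says PhishTag requires configuration, and none is shown, so `loadplugin Mail::SpamAssassin::Plugin::PhishTag` on its own has no effect; either add the plugin's settings or leave it disabled.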
postgrey
Basically it is fine to leave it as installed.
Edit "/etc/postgrey/whitelist_clients" and "/etc/postgrey/whitelist_recipients" as needed.
postfix-policyd-spf-perl
After installation, append the following to "/etc/postfix/master.cf".
## PostFix SPF
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# Added using postfix-add-policy script:
spf unix - n n - 0 spawn
    user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
And, as mentioned above, do not forget to write "check_policy_service unix:private/spf" in smtpd_recipient_restrictions in "/etc/postfix/main.cf".
dkim-filter
For this one, refer to this and this entry.
Since it is used alongside amavisd-milter, "/etc/postfix/main.cf" needs
non_smtpd_milters = inet:[127.0.0.1]:54321 inet:[127.0.0.1]:60001
smtpd_milters = inet:[127.0.0.1]:54321 inet:[127.0.0.1]:60001
so that both milters are active.
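As an added example (not code from the original post), here is a small Python auditor for the main.cf fragments above, covering both the smtpd_recipient_restrictions section and the combined dkim-filter/amavisd-milter section: it parses main.cf syntax including continuation lines, checks that reject_unauth_destination comes before the postgrey/SPF check_policy_service entries, and compares smtpd_milters with non_smtpd_milters and inspects milter_default_action. The embedded fragment is constructed from the post's values and the finding codes are this example's own.

```python
# Added example (not from the original post): a small auditor for main.cf
# fragments like the ones shown above. MAIN_CF is constructed from the post's
# values; the finding codes are this example's own.
ARG_KEYWORDS = {"check_policy_service", "reject_rbl_client", "reject_rhsbl_sender"}

MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:10023
    check_policy_service unix:private/spf
    permit
non_smtpd_milters = inet:[127.0.0.1]:54321 inet:[127.0.0.1]:60001
smtpd_milters = inet:[127.0.0.1]:54321 inet:[127.0.0.1]:60001
milter_default_action = accept
"""

def parse_main_cf(text):
    """main.cf syntax: 'name = value'; an indented line continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        else:
            current, _, value = map(str.strip, raw.partition("="))
            params[current] = value
    return params

def restriction_names(params, name):
    """Restriction keywords in order; the socket/zone argument after an ARG_KEYWORDS entry is dropped."""
    toks = params.get(name, "").replace(",", " ").split()
    return [t for i, t in enumerate(toks) if i == 0 or toks[i - 1] not in ARG_KEYWORDS]

def audit(params):
    """Return finding codes; an empty list means the fragment passes."""
    findings = []
    names = restriction_names(params, "smtpd_recipient_restrictions")
    guard = next((i for i, n in enumerate(names)
                  if n in ("reject_unauth_destination", "defer_unauth_destination")), None)
    if guard is None:  # nothing refuses relaying to domains this host is not responsible for
        findings.append("no_unauth_destination_guard")
    elif "check_policy_service" in names[:guard]:  # postgrey/SPF asked about relay attempts
        findings.append("policy_service_before_relay_check")
    if params.get("smtpd_milters", "").split() != params.get("non_smtpd_milters", "").split():
        findings.append("milter_lists_differ")  # locally submitted mail sees other milters
    if params.get("milter_default_action", "tempfail") == "accept":
        findings.append("milter_default_accept")  # mail is accepted unscanned if a milter is down
    return findings
```

Run against the post's own values, the only finding is milter_default_accept: with both milters unreachable, Postfix then delivers mail that was neither scanned nor DKIM-signed, which is the trade-off behind that setting.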