Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Running a postfix mail server with spamassassin, clamav, and amavis-new, questions

  1. #1
    Join Date
    May 2010
    Beans
    20

    Running a postfix mail server with spamassassin, clamav, and amavis-new, questions

    I've ran plenty of ubuntu based web servers and even a few application servers, but this is the first mail server I'm going to be running myself.

    Let me start by stating what I'm running. I'm using Ubuntu Server 12.04 LTS 64 bit. I followed this guide to setup my initial mail server configuration: http://www.pixelinx.com/2010/10/crea...av-and-amavis/

    I also added postfix.admin (http://postfixadmin.sourceforge.net/) and made some tweaks to all the database queries in order to get it's database structure working correctly.

    I also configured roundcube to run on the server in order to have webmail access to the emails.

    I will be running multiple domains on this server, each with their own individual users, so I'm doing virtual users and domains.

    I've got all of this working with two domains currently, am able to send and receive emails on them correctly. (Reverse DNS on the IP is configured and such so that checks out when sending messages, etc)

    This is my current /etc/postfix/main.cf
    Code:
    myorigin = /etc/mailname
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    append_dot_mydomain = no
    readme_directory = no
    mydestination =
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mynetworks_style = host
    mailbox_size_limit = 0
    virtual_mailbox_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    message_size_limit = 0
    
    
    # SMTP Authentication (SASL)
    
    
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    
    
    # Encrypted transfer (SSL/TLS)
    
    
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtpd_tls_cert_file = /etc/ssl/private/smtpd.crt
    smtpd_tls_key_file = /etc/ssl/private/smtpd.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    
    # Basic SPAM prevention
    
    
    smtpd_helo_required = yes
    smtpd_delay_reject = yes
    disable_vrfy_command = yes
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unverified_sender, reject_unknown_sender_domain, reject_non_fqdn_sender
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, permit_auth_destination, reject
    
    
    # Force incoming mail to go through Amavis
    
    
    content_filter = amavis:[127.0.0.1]:10025
    receive_override_options = no_address_mappings
    
    
    # Virtual user mappings
    
    
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    virtual_mailbox_base = /var/spool/mail/virtual
    virtual_mailbox_maps = mysql:/etc/postfix/maps/user.cf
    virtual_uid_maps = static:5000
    virtual_gid_maps =  static:5000
    virtual_alias_maps = mysql:/etc/postfix/maps/alias.cf
    virtual_mailbox_domains = mysql:/etc/postfix/maps/domain.cf
    So, with all that said, my first thing is do those restrictions look appropriate to filter outer emails sent to my server that shouldn't be, and to make sure no one tries to use my servers smtpd to send out spam?

    Next question is concerning the smtpd. I can't figure out where to make it force authentication when sending emails as well as receiving? I thought the "smtpd_sasl_auth_enable = yes" setting would have done that, but if I set up a pop account in outlook and don't set it saying My outgoing server requires authentication, it still successfully sends messages.

    And then the question on Spam. I haven't gotten any spam at the addresses I've set up so far to see what it does. This is the configuration for my /etc/amavis/conf.d/20-debian-defaults file:
    Code:
    use strict;
    
    
    $QUARANTINEDIR = "$MYHOME/virusmails";
    $quarantine_subdir_levels = 1; # enable quarantine dir hashing
    
    
    $log_recip_templ = undef;    # disable by-recipient level-0 log entries
    $DO_SYSLOG = 1;              # log via syslogd (preferred)
    $syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
    $syslog_facility = 'mail';
    $syslog_priority = 'debug';  # switch to info to drop debug output, etc
    
    
    $enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
    $enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
    
    
    $inet_socket_port = 10024;   # default listening socket
    
    
    $sa_spam_subject_tag = '***SPAM*** ';
    $sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
    $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
    $sa_kill_level_deflt = 6.31; # triggers spam evasive actions
    $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
    
    
    $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
    $sa_local_tests_only = 0;    # only tests which do not require internet access?
    
    
    # Quota limits to avoid bombs (like 42.zip)
    
    
    $MAXLEVELS = 14;
    $MAXFILES = 1500;
    $MIN_EXPANSION_QUOTA =      100*1024;  # bytes
    $MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes
    
    
    $final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
    $final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
    $final_spam_destiny       = D_BOUNCE;
    $final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
    $enable_dkim_verification = 0; #disabled to prevent warning
    
    
    $virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
    
    
    # Set to empty ("") to add no header
    $X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
    
    
    @viruses_that_fake_sender_maps = (new_RE(
      [qr'\bEICAR\b'i => 0],            # av test pattern name
      [qr/.*/ => 1],  # true for everything else
    ));
    
    
    @keep_decoded_original_maps = (new_RE(
    # qr'^MAIL$',   # retain full original message for virus checking (can be slow)
      qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
      qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
    # qr'^Zip archive data',     # don't trust Archive::Zip
    ));
    
    
    
    
    # for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
    
    
    $banned_filename_re = new_RE(
      qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
      qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
      qr'^application/x-msdownload$'i,                  # block these MIME types
      qr'^application/x-msdos-program$'i,
      qr'^application/hta$'i,
      qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
      qr'^\.(exe-ms)$',                       # banned file(1) types
    );
    /etc/default/spamassassin
    Code:
    ENABLED=1
    OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
    PIDFILE="/var/run/spamd.pid"
    CRON=0
    And /etc/spamassassin/local.cf
    Code:
    ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
    endif # Mail::SpamAssassin::Plugin::Shortcircuit

    I'm not sure what exactly is going to happen if a message is flagged as spam level 1? Is it just going to add the ***SPAM*** to the subject and let it continue to my inbox? If so, is there anyway to automatically push these into a spam folder in the inbox?

    If a spam message is out right denied delivery (which i think the 2nd level is doing?), is that noted somewhere so that I can see when messages are blocked? I'm assuming it's logged somewhere at least, but not sure where offhand.

    I run an online business and want to make sure I'm not going to miss too many customer emails because of spam rules, but at the same time I've been getting a lot of unrelated spam lately at my current email host that has no spam filter. It's a inevitable thing that I'm going to receive some spam because I list my contact email addresses on the website for people to send me messages, and spam bots probably can just parse that out. But I would like to be able to weed out the majority of it if possible.


    Thanks for any assistance you can provide! If you need more information, just let me know what you need and I'll be happy to provide it.


    EDIT:
    Ok so I'm pulling my hair trying to figure out this smtp requiring authentication thing. I changed my sender and recipient restrions to:
    smtpd_sender_restrictions = permit_sasl_authenticated, reject
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject
    and that seems to force it to require authenticaiton. However it's rejecting my username and password no matter what I try.

    I've confirmed that the /etc/postfix/sasl/smtpd.conf is set to pw_check=saslauthd, and saslauthd is loading with the -a pam option. /etc/pam.d/smtp has the correct database configuration for auth and account. I'm not sure what the crypt=1 at the end means on that line though.

    I'm at a loss as to why it won't accept my password for the smtp authentication
    Last edited by steven6282; August 3rd, 2013 at 10:24 PM.

  2. #2
    Join Date
    May 2010
    Beans
    20

    Re: Running a postfix mail server with spamassassin, clamav, and amavis-nes, question

    Ok, one update. I still have the questions above about the spam but I think I've gotten the authentication required on sending done.

    According to that guid you set /etc/postfix/sasl/smtpd.conf to (updated to my database user and password of course):
    Code:
    pwcheck_method: saslauthd
    auxprop_plugin: sql
    mech_list: plain login
    sql_engine: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail
    sql_passwd: mailuserpassword
    sql_database: mail
    sql_select: SELECT password FROM user WHERE email='%u@%r' AND enabled = 1


    However I removed everything except pwcheck_method: saslauthd and mech_list: plain login, and it works now. So I guess it was trying to use the sql auxprop method.. even though pwcheck_method was set to salsauthd, not aux. According to postfix.org, auxprop method only works with plain text passwords, and I'm using encrypted passwords. I don't understand why this change I made works, and if anyone can tell me why, I'd like to know. It helps to understand why these thing behave the way they do in case I have another problem down the road that may be related =p


    EDIT:

    Grrrr.... now I remember why I had set the sender and recipient restrictions the way I did to begin with. Got the authentication working, but now with the sender and recipient restrictions set like that, if I try to send an email in from an outside domain, it immediately gets rejected saying the sender address rejected: access denied.

    I don't understand why these restrictions are being replied to sender domains coming from the outside... I tried adding permit_auth_destination on the recipient restrictions but that didn't do any good either.

    EDIT2:
    Ok, adding permit_auth_destination to the sender restrictions lets it go through. However it also makes it so that it doesn't require authentication on the smtp side if the email is going to a valid internal address. While this should prevent anyone from using my server to send out spam emails to other, it also means someone could use my smtp server to send spam emails to me without authentication....

    *sigh*
    Last edited by steven6282; August 3rd, 2013 at 10:08 PM.

  3. #3
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Running a postfix mail server with spamassassin, clamav, and amavis-new, question

    Interesting. I am working on doing the same thing on my VPS, but it is running Debian.

    So far I was able to follow this guide:
    https://library.linode.com/email/pos...ot2.0.19-mysql

    As far as setting up spamassassin and stuff, I used this one:
    https://help.ubuntu.com/community/PostfixAmavisNew

    Hope that helps.

    If you only want IMAP access, don't install dovecot-pop3d and also leave pop3 out of dovecot.conf and leave port 110 commented in 10-master.conf - assuming you follow the tutorial I linked above.
    Last edited by CharlesA; August 4th, 2013 at 05:08 AM.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  4. #4
    Join Date
    Jun 2007
    Location
    Porirua, New Zealand
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Running a postfix mail server with spamassassin, clamav, and amavis-new, question

    This is a trimmed down version of what mine has:
    Code:
    smtpd_recipient_restrictions =
         reject_invalid_hostname,
         reject_non_fqdn_sender,
         reject_non_fqdn_recipient,
         reject_unknown_sender_domain,
         reject_unknown_recipient_domain,
         reject_unauth_pipelining,
         permit_mynetworks,
         permit_sasl_authenticated,
         reject_unauth_destination,
         reject_rbl_client bl.spamcop.net,
         reject_rbl_client cbl.abuseat.org,
         reject_rbl_client pbl.spamhaus.org,
         reject_rbl_client dnsbl-1.uceprotect.net,
         permit
    (Mine has a few extra lines, relating mainly to auto-generated access restrictions based on scanning my mail log, and a custom policy service.)
    Forum DOs and DON'Ts
    Never assume that information you find using a search engine is up-to-date.
    Please use CODE tags.
    A low-volume blog

  5. #5
    Join Date
    May 2010
    Beans
    20

    Re: Running a postfix mail server with spamassassin, clamav, and amavis-new, question

    Have an additional question now. I'm still working with the above settings to figure out the spam stuff, but I also need to know something else now.

    My server is named mailServer, when I send an email from it, it's showing Received from mailServer.localdomain. I think this is getting a lot of my emails flagged as spam since it's being received form somewhere different than the from domain on the email address.

    How do I fix this? I tried updating my hostname to mail, and that did not change where it is saying is received from. So not sure what settings effect this.

    Also if I do get this changed, is it just going to be stuck saying it was received from one specific domain even though I'm hosting multiple domains? That kind of sucks if so, I'd rather it say it was received from the domain that I'm actually doing the sending with. But I guess that would only be possible if I set up a different machine to host each individual domain?

    EDIT:
    Ok I found where the setting was coming from. postconf -d showed the default of mydomain = localdomain and myhostname = mailServer.localdomain. So I put these in my /etc/postfix/main.cf file and set them to one of my hosted domains. But I'd really like to know if there is a way to make this show what domain it's supposed to be emailing from instead...
    Last edited by steven6282; August 4th, 2013 at 11:16 PM.

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Running a postfix mail server with spamassassin, clamav, and amavis-new, question

    Check /etc/postfix/main.cf to see what myhostname says.

    Mine says:

    Code:
    myhostname = enterprise.charlesa.net
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  7. #7
    Join Date
    May 2010
    Beans
    20

    Re: Running a postfix mail server with spamassassin, clamav, and amavis-new, question

    Ok, yeah it definitely appears that my spamassassin isn't doing didley squat with the current settings. In the last 24 hours since converting to this server fully I've gotten over 50 clearly spam emails. With things anywhere from ****** in the subject, to things like "You qaulify for a 5000 loan". Stuff any decently configured working spam software should easily pick up on.

    Also had an additional question about the reject_rbl settings. I'm assuming those are rejecting from black list websites, would spamassassin not check those black lists if it were working correctly? Seems like something else any descent spam filtering software would do automatically.

    EDIT: see, even this website knows to filter out that word lol. The male pill

  8. #8
    Join Date
    May 2010
    Beans
    20

    Re: Running a postfix mail server with spamassassin, clamav, and amavis-new, question

    So yeah... that guide that I used, had a major error which is what caused my spam filter to do nothing at all lol.

    Code:
    adduser clamav amavis cat /dev/null > /etc/amavis/conf.d/15-content-filter-mode vi /etc/amavis/conf.d/15-content-filter-mode
    Copy/paste the following (no changes required):
    use strict; @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); 1;
    Unfortunately the file is 15-content_filter_mode meaning my clamav, and spamassassin was never even enabled through amavis.

    Awesome!

  9. #9
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Running a postfix mail server with spamassassin, clamav, and amavis-new, question

    That should have enabled the spam and virus checks.

    What did you do differently that enabled the checks?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  10. #10
    Join Date
    Aug 2009
    Location
    Makati City, Philippines
    Beans
    2,270
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: Running a postfix mail server with spamassassin, clamav, and amavis-new, question

    Just saw your post today. This may sound like a product promotion but I would this mail solution saved my ass. If this is a new mail server installation, why not try iRedMail? A suit with postfix, dovecot, spamassassin, amavis and clamav. Plus complete with security like iptables, fail2ban and logwatch. Oh, and should I mention that it uses roundcube as the webmail?
    I can't recommend it enough since it is what we use and the support in the forum is great.
    Just my 2 cents

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •