I've run plenty of Ubuntu-based web servers and even a few application servers, but this is the first mail server I'm going to be running myself.
Let me start by stating what I'm running. I'm using Ubuntu Server 12.04 LTS 64-bit. I followed this guide to set up my initial mail server configuration: http://www.pixelinx.com/2010/10/crea...av-and-amavis/
I also added Postfix Admin (http://postfixadmin.sourceforge.net/) and made some tweaks to all the database queries in order to get its database structure working correctly.
I also configured Roundcube to run on the server in order to have webmail access to the emails.
I will be running multiple domains on this server, each with their own individual users, so I'm doing virtual users and domains.
I've got all of this working with two domains currently, and am able to send and receive emails on them correctly. (Reverse DNS on the IP is configured and such so that checks out when sending messages, etc.)
This is my current /etc/postfix/main.cf
Code:
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
mailbox_size_limit = 0
virtual_mailbox_limit = 0
recipient_delimiter = +
inet_interfaces = all
message_size_limit = 0
# SMTP Authentication (SASL)
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# Encrypted transfer (SSL/TLS)
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Basic SPAM prevention
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unverified_sender, reject_unknown_sender_domain, reject_non_fqdn_sender
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, permit_auth_destination, reject
# Force incoming mail to go through Amavis
content_filter = amavis:[127.0.0.1]:10025
receive_override_options = no_address_mappings
# Virtual user mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/maps/user.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = mysql:/etc/postfix/maps/alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/maps/domain.cf
So, with all that said, my first question is: do those restrictions look appropriate to filter out emails sent to my server that shouldn't be, and to make sure no one tries to use my server's smtpd to send out spam?
Next question is concerning the smtpd. I can't figure out where to make it force authentication when sending emails as well as receiving. I thought the "smtpd_sasl_auth_enable = yes" setting would have done that, but if I set up a POP account in Outlook and don't set the option saying "My outgoing server requires authentication", it still successfully sends messages.
And then the question on Spam. I haven't gotten any spam at the addresses I've set up so far to see what it does. This is the configuration for my /etc/amavis/conf.d/20-debian-defaults file:
Code:
use strict;
$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug'; # switch to info to drop debug output, etc
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$inet_socket_port = 10024; # default listening socket
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
# Quota limits to avoid bombs (like 42.zip)
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes
$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA
$final_spam_destiny = D_BOUNCE;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
$enable_dkim_verification = 0; #disabled to prevent warning
$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
# Set to empty ("") to add no header
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
@viruses_that_fake_sender_maps = (new_RE(
[qr'\bEICAR\b'i => 0], # av test pattern name
[qr/.*/ => 1], # true for everything else
));
@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));
# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
$banned_filename_re = new_RE(
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
qr'^\.(exe-ms)$', # banned file(1) types
);
/etc/default/spamassassin
Code:
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=0
And /etc/spamassassin/local.cf
Code:
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif # Mail::SpamAssassin::Plugin::Shortcircuit
I'm not sure what exactly is going to happen if a message is flagged as spam level 1? Is it just going to add the ***SPAM*** to the subject and let it continue to my inbox? If so, is there any way to automatically push these into a spam folder in the inbox?
If a spam message is outright denied delivery (which I think the 2nd level is doing?), is that noted somewhere so that I can see when messages are blocked? I'm assuming it's logged somewhere at least, but not sure where offhand.
I run an online business and want to make sure I'm not going to miss too many customer emails because of spam rules, but at the same time I've been getting a lot of unrelated spam lately at my current email host that has no spam filter. It's an inevitable thing that I'm going to receive some spam because I list my contact email addresses on the website for people to send me messages, and spam bots probably can just parse that out. But I would like to be able to weed out the majority of it if possible.
Thanks for any assistance you can provide! If you need more information, just let me know what you need and I'll be happy to provide it.
EDIT:
OK, so I'm pulling my hair out trying to figure out this SMTP requiring authentication thing. I changed my sender and recipient restrictions to:
smtpd_sender_restrictions = permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_sasl_authenticated, reject
and that seems to force it to require authentication. However, it's rejecting my username and password no matter what I try.
I've confirmed that the /etc/postfix/sasl/smtpd.conf is set to pw_check=saslauthd, and saslauthd is loading with the -a pam option. /etc/pam.d/smtp has the correct database configuration for auth and account. I'm not sure what the crypt=1 at the end means on that line though.
I'm at a loss as to why it won't accept my password for the SMTP authentication.
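
Added example, not part of the original post: a simplified Python model of how Postfix walks an smtpd_recipient_restrictions list (the first restriction that matches decides), applied to the two lists quoted in the post. The hosted domain example.com, the client addresses and the function names are assumptions made for the illustration; on the real server the domain list comes from the virtual_mailbox_domains MySQL map.

```python
import ipaddress

# Restriction lists and mynetworks copied from the post. HOSTED_DOMAINS is a
# constructed stand-in for the virtual_mailbox_domains MySQL lookup.
MYNETWORKS = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
HOSTED_DOMAINS = {"example.com"}
ORIGINAL = ("permit_sasl_authenticated, permit_mynetworks, "
            "permit_auth_destination, reject")
EDITED = "permit_sasl_authenticated, reject"


def in_mynetworks(client_ip, mynetworks=MYNETWORKS):
    """True if client_ip falls inside one of the mynetworks entries."""
    addr = ipaddress.ip_address(client_ip)
    for entry in mynetworks.split():
        net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""))
        if addr.version == net.version and addr in net:
            return True
    return False


def decide(restrictions, client_ip, authenticated, rcpt):
    """Return (action, deciding_rule) for one RCPT TO; first match wins."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    for rule in (r.strip() for r in restrictions.split(",")):
        if rule == "permit_sasl_authenticated" and authenticated:
            return ("permit", rule)
        if rule == "permit_mynetworks" and in_mynetworks(client_ip):
            return ("permit", rule)
        if rule == "permit_auth_destination" and rcpt_domain in HOSTED_DOMAINS:
            return ("permit", rule)
        if rule == "reject":
            return ("reject", rule)
    return ("dunno", None)  # not reached here: both lists end in reject


# Constructed cases: (label, client IP, authenticated?, recipient)
CASES = [
    ("remote, no auth, to hosted domain", "203.0.113.7", False, "info@example.com"),
    ("remote, no auth, to outside domain", "203.0.113.7", False, "bob@example.net"),
    ("remote, authenticated, to outside", "203.0.113.7", True, "bob@example.net"),
    ("webmail on localhost, to outside", "127.0.0.1", False, "bob@example.net"),
]

if __name__ == "__main__":
    for name, lists in (("original", ORIGINAL), ("edited", EDITED)):
        for label, ip, auth, rcpt in CASES:
            print(name, "|", label, "->", decide(lists, ip, auth, rcpt))
```

Under the original list an unauthenticated client is still accepted for recipients on hosted domains, which is also how inbound mail from other servers arrives, while relaying to outside domains needs authentication or a mynetworks address. Under the edited list that unauthenticated inbound mail is rejected as well.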