Empulse Group a collection of notes from a sys admin, musician, and father

6Nov/100

Setting up Postfix with SMTP authentication, TLS support, Spam Assassin mail filter, and procmail

1. Set up Postfix with SMTP authentication,
2. TLS support,
3. Spam Assassin mail filter,
4. procmail to move spam messages at server

********************************************************

1. POSTFIX MAIL SERVER INSTALL WITH SMTP AUTH:

Cyrus-SASL is software that provides several authentication methods and mechanisms.

Needed Package(s):
postfix
cyrus-sasl
cyrus-sasl-plain

# /etc/init.d/saslauthd start
# /etc/init.d/postfix start
# chkconfig postfix on
# chkconfig saslauthd on

-Settings in /etc/postfix/main.cf:

inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, hash:/etc/postfix/mydomains
home_mailbox = Maildir/

# The next two settings: needed?
myhostname = mail.domain.com
mydomain = domain.com

mynetworks = 127.0.0.0/8
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# needed for procmail, can leave out for now
mailbox_command = /usr/bin/procmail -a "$EXTENSION"

# SASL SUPPORT FOR CLIENTS
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains, reject_unauth_destination

NOTE: I have both of the last 2 options in recipient_restrictions because the check_relay_domains will eventually be deprecated.

http://www.softpanorama.org/Mail/Postfix/smtpd_recipient_restrictions.shtml

Limiting SASL mechanisms:
-From file /usr/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login

# locate smtpd.conf
/usr/lib64/sasl/smtpd.conf
/usr/lib64/sasl2/smtpd.conf

TESTING: From a remote host, use telnet to try to relay a message to an email address that is not on the server. The server should refuse to relay it.

SOURCE:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html

======================================================================================

2. TLS Support in Postfix

-Settings in /etc/postfix/main.cf:

## TLS
# Transport Layer Security
#
smtpd_use_tls = yes
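# Uncomment to offer AUTH only after STARTTLS; otherwise PLAIN/LOGIN passwords can cross the wire unencrypted
#smtpd_tls_auth_only = yes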
smtpd_tls_key_file = /etc/postfix/server_key.pem
smtpd_tls_cert_file = /etc/postfix/server_cert.pem
#smtpd_tls_CAfile = /etc/postfix/cacert.pem
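# Level 3 is very verbose; the Postfix documentation advises against 2 or higher except when troubleshooting
smtpd_tls_loglevel = 3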
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

TESTING: Using telnet you should be able to use "starttls" after the "EHLO domain.com".

starttls
220 2.0.0 Ready to start TLS

SOURCE:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
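
The two telnet checks above (relay refused from a remote host, STARTTLS accepted) can be scripted; the following is an added example, not part of the original notes, and it also reports whether AUTH is advertised before TLS is negotiated. The host name, external address and HELO name are placeholders, and the certificate path is assumed to be the one from the main.cf settings above.

```python
import smtplib
import ssl


def assess(auth_before_tls, starttls_offered, auth_after_tls, relay_code):
    """Turn the probe's observations into findings; an empty list means OK."""
    findings = []
    if not starttls_offered:
        findings.append("STARTTLS not offered: check smtpd_use_tls and key/cert paths")
    if auth_before_tls:
        findings.append("AUTH offered before STARTTLS: PLAIN/LOGIN passwords "
                        "cross the wire unencrypted; set smtpd_tls_auth_only = yes")
    if starttls_offered and not auth_after_tls:
        findings.append("AUTH missing after STARTTLS: check smtpd_sasl_auth_enable "
                        "and that saslauthd is running")
    if relay_code is not None and 200 <= relay_code < 300:
        findings.append("relay accepted without authentication (code %d): "
                        "check smtpd_recipient_restrictions" % relay_code)
    return findings


def probe(host, external_rcpt, cafile, port=25, helo="probe.example.org"):
    """Query a live server. Run it from a host outside mynetworks, otherwise
    permit_mynetworks allows the relay. cafile is the CA (or the self-signed
    server certificate) used to verify the TLS handshake."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo(helo)
        auth_before = s.has_extn("auth")
        tls = s.has_extn("starttls")
        auth_after = False
        if tls:
            s.starttls(context=ssl.create_default_context(cafile=cafile))
            s.ehlo(helo)  # capabilities must be re-read after the TLS handshake
            auth_after = s.has_extn("auth")
        s.mail("probe@" + helo)
        code, _ = s.rcpt(external_rcpt)  # no DATA is sent, so nothing is delivered
        s.rset()
    return assess(auth_before, tls, auth_after, code)


if __name__ == "__main__":
    # Placeholder values (assumptions): replace with your server and an
    # address in a domain the server does not host.
    for line in probe("mail.domain.com", "someone@example.net",
                      "/etc/postfix/server_cert.pem") or ["all checks passed"]:
        print(line)
```

With smtpd_tls_auth_only left commented out, as in the settings above, expect the "AUTH offered before STARTTLS" finding.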

======================================================================================

3. SPAMASSASSIN INSTALL:

-Settings in /etc/postfix/master.cf:

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin

# At the end of the file add (the second line must start with whitespace):
spamassassin unix -     n       n       -       -       pipe
  user=nobody argv=/usr/bin/spamc -e /usr/sbin/sendmail.postfix -oi -f ${sender} ${recipient}

-Settings in /etc/mail/spamassassin/local.cf:
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
# whitelist_from matches the sender address in the message, which is easily forged
whitelist_from *@rackspace.com

TESTING: Send a spam message using the GTUBE.

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

SOURCE:
http://traxel.com/doc/spamassassin-setup.html
http://spamassassin.apache.org/gtube/

==========================================================

4. PROCMAIL INSTALL:

Here we will use procmail to move messages marked as spam into a folder on the server, instead of filtering them in the user's mail client.

Needed Package(s):
procmail

-Settings in /etc/postfix/main.cf:
mailbox_command = /usr/bin/procmail -a "$EXTENSION"

-Settings in /etc/procmailrc:
DEFAULT=$HOME/Maildir/
MAILDIR=$HOME/Maildir

-Settings in /home/eric/.procmailrc :
PROCMAILDIR=$HOME/.procmail
LOG=$PROCMAILDIR/pmlog
# VERBOSE=yes # turn this on for debugging
MAILDIR=$HOME/mail
INCLUDERC=$PROCMAILDIR/rc.spam
# INCLUDERC=$PROCMAILDIR/rc.morefilters
# If none of the filters match, it will go to your inbox

-Settings in /home/eric/.procmail/rc.spam:
:0:
* ^X-Spam-Level: \*\*\*\*\*
/home/eric/Maildir/.SPAM/new

[root@www ~]# crontab -l
0 0 * * * /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
0 0 * * 0 /usr/bin/sa-learn --spam /home/eric/Maildir/.SPAM/{cur,new}
0 0 * * 0 /usr/bin/sa-learn --no-sync --ham /home/eric/Maildir/{cur,new}
3 0 * * 0 find /home/eric/Maildir/.SPAM/cur/ -delete

TESTING: Spam messages should now go to a directory called ".SPAM" in your Maildir.

SOURCE: http://traxel.com/doc/spamassassin-setup.html

=========================================================
