LinuxQuestions.org
Old 11-29-2006, 07:56 AM   #1
depam
Member
 
Registered: Sep 2005
Posts: 861

Rep: Reputation: 30
how to change greeting in proxsmtp?


Hi!

Do you know a way for me to change the greeting of proxsmtp? Instead of smtp.passthru I want it to be something like mail.company.com, which is the same as my mail server hostname and reverse DNS.

Another thing, does open relaying mean inputting the IP addresses which are allowed to send out mails? Do I have to put the LAN subnet such as 192.168.x.x in the smtp relaying configuration? How about those users that have mail accounts on the domain? Can they be allowed to send out mails using their email accounts without their actual IPs listed on the smtp relaying list? My smtp relaying list only has 127.0.0.1/255.255.255.0, which is actually the localhost, which does not allow smtp relaying to other IPs. What are the chances that I would need to add a set of subnets to this list?
 
Old 11-30-2006, 06:53 AM   #2
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
What's your MTA?

In postfix you need to add your internal network block in mynetworks like this within main.cf:

mynetworks = 127.0.0.0/8, 192.168.0.0/24

Then do this in smtpd_recipient_restriction

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    .... other options ...
    permit


To allow your hosted accounts to relay even if they're on the internet, compile your smtpd program with Cyrus-SASL and SSL support to allow secure remote authentication and configure their mail clients to use SMTP authentication. Then you will need to insert this in the config above:

# permit_sasl_authenticated is the new entry
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    .... other options ...
    permit

Then insert these lines ahead of the lines above:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_authentication_headers = yes
broken_sasl_auth_clients = yes

smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_etrn_restrictions = reject

To check your helo name:

# postconf |grep helo

smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtpd_helo_required = yes
smtpd_helo_restrictions =

By default, EHLO/HELO is your myhostname, which is your mail host's FQDN (mailhost.yourdomain.tld), which is exactly the one you preferred. So if not in your case, just insert in your main.cf "smtp_helo_name = $myhostname" and make sure that your myhostname = yourmailhost.yourdomain.tld.

To test:

# postfix reload
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 urmailhost.urdomain.tld ESMTP Postfix
<at this point of the cursor type> ehlo hi
250-urmailhost.urdomain.tld
250-PIPELINING
250-SIZE 10240000
250-ETRN
... other features
quit

To compile SASL and SSL with postfix:

Here it is a good thing to make your mail ready for TLS by including it in the compile options, and then you can activate it in the future.

Save these options in a file like "build.sh" or a name of your choice.

make makefiles \
    "CCARGS=-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/local/include/sasl -I/usr/local/bdb/include \
    -DUSE_TLS -I/usr/local/ssl/include" \
    "AUXLIBS=-L/usr/local/lib -lsasl2 -L/usr/local/bdb/lib \
    -lz -lm -L/usr/local/ssl/lib -lssl -lcrypto -lpthread"

The include (-I) and shared library (-L) paths are of course dependent on how you installed Cyrus-SASL, as well as BerkeleyDB (bdb) and OpenSSL. If you've installed bdb through your package manager, it would not need to be specified since it will be found through your system path and ld.

Simply execute the file build.sh by issuing "sh build.sh" and proceed with make and "# make install (or upgrade)".

Google for a Cyrus-SASL installation guide.
 
Old 12-02-2006, 06:33 PM   #3
depam
Member
 
Registered: Sep 2005
Posts: 861

Original Poster
Rep: Reputation: 30
My MTA is XMail. My problem is that remote users with email accounts on our domain could not send out mails and it says "550 Relay Denied". Here's my setup. I have IPCop set up with Copfilter. Copfilter serves as the smtp proxy and will forward all mails to the mail server. The LAN is on the other network. Which means there are two static IPs used, one for the LAN connection and the other for the IPCop which has the mail server. Now, I notice that if I include the CIDR notation 192.168.0.0/24 in the smtprelay.tab, our mail server becomes an open relay. And if I remove that notation, remote users could not send out mails. What seems to be the problem in my setup? Before, when the mail server was positioned on the DMZ of our LAN, remote users could send out mails while maintaining our relay closed. What does smtp relaying really mean? How am I going to let remote users send out mails while maintaining our relay closed?
 
Old 12-04-2006, 03:05 AM   #4
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
Allowing your internal IP block to relay would only allow that block to relay, that is, all your internal clients. Allowing a certain internet block to relay would allow that block to relay from the internet. It is wise to deny any relaying from the internet except through SMTP Authentication, which would authorize or allow only your hosted accounts/domains to relay through authentication.

Maybe this is what you will need to look at, and since I'm not a user of XMail, this is the only hint I can give. You need to further read their documentation or consult their mailing list and forum.

SMTPAUTH.TAB
"username"[TAB]"password"[TAB]"permissions"[NEWLINE]

is used to permit SMTP client authentication with the protocols PLAIN, LOGIN, CRAM-MD5 and custom. With custom authentication a file containing all secrets (username + ':' + password) is passed as a parameter to the custom authentication program, which tests all secrets to find the one matching (if it exists). For this reason it's better to keep the number of entries in this file as low as possible. Permissions are a string that can contain:

M - open mailing features
R - open relay features (bypass all other relay blocking traps)
V - VRFY command enabled (bypass SERVER.TAB variable)
T - ETRN command enabled (bypass SERVER.TAB variable)
Z - disable mail size checking (bypass SERVER.TAB variable)

When the PLAIN, LOGIN or CRAM-MD5 authentication modes are used, first a lookup in 'MAILUSERS.TAB' accounts is performed to avoid duplicating information with 'SMTPAUTH.TAB'. Therefore when using these authentication modes a user must use as username the full email address (the : separator is permitted instead of @) and as password his POP3 password. If the lookup succeeds the 'SERVER.TAB' variable 'DefaultSmtpPerms' is used to assign user SMTP permissions (default MR). If the lookup fails then the 'SMTPAUTH.TAB' lookup is done.


SMTPEXTAUTH.TAB

Besides internal SMTP authentication methods a user (XMail administrator) can define custom authentication procedures by setting up this file properly. The section SMTP Client Authentication explains the client part of custom authentication when we put an 'external' line inside the configuration file. The file 'SMTPEXTAUTH.TAB' is the server part of the custom authentication which has the given format:

"auth-name"[TAB]"base-challenge"[TAB]"program-path"[TAB]"arg-or-macro"...[NEWLINE]

This file can contain multiple lines whose 'auth-name' are listed during the EHLO command response. Where 'arg-or-macro' can be (see [MACRO SUBSTITUTION]):

CHALL - server challenge given by base-challenge + ':' + server-timestamp
DGEST - client response to server challenge (@CHALL)
FSECRT - a file containing all the lines (username + ':' + password) of SMTPAUTH.TAB

Example:

"RSA-AUTH" "foochallenge" "/usr/bin/myrsa-authenticate"=>
"-c" "@@CHALL" "-f" "@@FSECRT" "-d" "@@DGEST"
The external program must test all lines of 'FSECRT' to find the one (if it exists) that matches the client digest (DGEST). If it finds a match, it must return zero and overwrite 'FSECRT' with the matching secret (username + ':' + password). If a match is not found, the program must return a value other than zero.
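The relay decision discussed in the posts above, as an added example that is not code from the thread, Postfix, XMail or Copfilter: it evaluates permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination in the order gani lists them, then replays the layout depam describes, where the SMTP proxy sits inside the trusted 192.168.0.0/24 block so the MTA sees every forwarded connection as coming from the LAN. All addresses, domains and the proxy address 192.168.0.2 are constructed.

```python
"""Model of the relay decision an MTA makes at RCPT TO.

Constructed example; not code from Postfix, XMail or Copfilter.
Addresses use the RFC 5737 documentation ranges and RFC 2606 names.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    client_ip: str            # peer address the MTA sees on the socket
    sasl_authenticated: bool  # did SMTP AUTH succeed on this connection?
    recipient: str            # argument of RCPT TO


class RelayPolicy:
    """Minimal model of mynetworks, mydestination and the first three
    entries of smtpd_recipient_restrictions, evaluated in Postfix order."""

    def __init__(self, mynetworks, mydestination):
        self.mynetworks = [ipaddress.ip_network(n) for n in mynetworks]
        self.mydestination = {d.lower() for d in mydestination}

    def in_mynetworks(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.mynetworks)

    def rcpt(self, s):
        """Return (SMTP reply code, restriction that decided it)."""
        if self.in_mynetworks(s.client_ip):      # permit_mynetworks
            return "250", "permit_mynetworks"
        if s.sasl_authenticated:                  # permit_sasl_authenticated
            return "250", "permit_sasl_authenticated"
        # reject_unauth_destination: accept only mail for domains we host
        domain = s.recipient.rpartition("@")[2].lower()
        if domain in self.mydestination:
            return "250", "local destination"
        return "554", "reject_unauth_destination"


def is_open_relay(policy, client_ip):
    """Self-check a defender can run against the model: does an
    unauthenticated client at client_ip get to relay to a foreign domain?"""
    code, _ = policy.rcpt(Session(client_ip, False, "someone@example.net"))
    return code == "250"


def direct_layout():
    """MTA reachable directly: LAN block trusted, roaming users use AUTH."""
    return RelayPolicy(["127.0.0.0/8", "192.168.0.0/24"], ["example.com"])


def proxied_layout(trust_lan=True):
    """Same MTA behind an SMTP proxy at PROXY_IP (constructed address)
    that forwards every inbound connection.  The MTA never sees the real
    client; each session arrives from the proxy's address."""
    nets = ["127.0.0.0/8"] + (["192.168.0.0/24"] if trust_lan else [])
    return RelayPolicy(nets, ["example.com"])


PROXY_IP = "192.168.0.2"


def scenarios():
    foreign, ours = "someone@example.net", "staff@example.com"
    direct = direct_layout()
    proxied = proxied_layout()                  # proxy inside mynetworks
    hardened = proxied_layout(trust_lan=False)  # proxy treated as untrusted
    return {
        # direct layout: LAN relays; roaming user relays only after AUTH;
        # an unknown internet host may still deliver to our own domain
        "lan_relays": direct.rcpt(Session("192.168.0.10", False, foreign)),
        "roaming_unauth": direct.rcpt(Session("203.0.113.5", False, foreign)),
        "roaming_auth": direct.rcpt(Session("203.0.113.5", True, foreign)),
        "inbound_to_us": direct.rcpt(Session("203.0.113.5", False, ours)),
        # proxied layout: the proxy's address falls inside 192.168.0.0/24,
        # so every forwarded connection, spammer included, is "mynetworks"
        "proxy_open_relay": is_open_relay(proxied, PROXY_IP),
        # hardened: the proxy is no longer trusted by address; relaying
        # again requires AUTH, which the proxy must pass through to the MTA
        "proxy_closed": is_open_relay(hardened, PROXY_IP),
        "proxy_auth_relays": hardened.rcpt(Session(PROXY_IP, True, foreign)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} {result}")
```

Behind a proxy the MTA can only judge the proxy's own address unless the proxy passes the original client address and authentication state through, which is why listing the proxy's block in the relay table opens the relay to everyone the proxy forwards.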

 
Old 12-04-2006, 07:39 AM   #5
depam
Member
 
Registered: Sep 2005
Posts: 861

Original Poster
Rep: Reputation: 30
gani,

Thank you very much. You've been very helpful. I now understand what smtp relaying means. I think I know the problem. Since I'm using proxsmtp as an smtp proxy, this proxsmtp filters out spam by using SpamAssassin. SpamAssassin is really cool, though I am having this problem: remote users could not authenticate themselves. I realized that SMTP-AUTH is not configured in my XMail. I am just wondering if proxsmtp supports smtp-auth. I think if proxsmtp, acting as an smtp proxy, can allow smtp-auth from the internet to the mail server, then this will solve the problem. I am trying to research the proxsmtp documentation but I can't seem to find a decent one. I am also interested in how to change proxsmtp's greeting from "smtp pass thru" to "mail.mycompany.com". Hope you can still help me out on this.
 
Old 12-04-2006, 08:19 AM   #6
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
Browsing the home page of ProxSMTP doesn't reveal what you're asking. It is said that this is intentionally designed for postfix as an after-queue filter, which means filtering after DATA (email exchange) and before the message is finally dropped into the users' mailboxes. This is like what Amavisd-new performs by using its built-in rules and further invoking SA and ClamAV.

Even reading proxsmtpd.conf(5) and proxsmtpd(8) doesn't seem to reveal it either. This is simply what its name carries - smtp proxy/content filter.

This would mean that SMTP-auth should be handled by XMail since Xmail is really your smtp server/MTA.

Regarding EHLO, maybe this is the one you're looking for which is a variable in SERVER.TAB:

[HeloDomain]
If this variable is specified and is not empty, its content is sent as HELO domain. Otherwise the reverse lookup of the local IP is sent as HELO domain. This helps to deal with remote SMTP servers that are set to check the reverse lookup of the incoming IP.

BUT, activating smtp-auth within XMail might require that port 25 shall be forwarded/redirected through your firewall to your XMail server and doing this will/might bypass proxsmtp in your copfilter and will require you to install/integrate a new content filter in your XMail.
 
Old 12-04-2006, 07:27 PM   #7
depam
Member
 
Registered: Sep 2005
Posts: 861

Original Poster
Rep: Reputation: 30
Thanks again gani. I've already set the helo domain in XMail. However, I don't know where to change it in proxsmtp. It just keeps on saying "smtp passthru". This XMail mail server was provided by a consultant with Smarpost installed as the web administration. What I figured out is that it does not enable smtp-auth by default. This is the reason why, when I installed Copfilter, remote users did not authenticate themselves. When I turned on smtp-auth, it worked, but I got a problem in SquirrelMail and was not able to receive mails. The mail bounced back on my Yahoo saying "Delivery failed 551 Server use forbidden". I am thinking of using a new MTA for me to fully configure with Copfilter. Do you know any site/reference for me to set up an MTA, email accounts and, if possible, a web administration for adding mail accounts?
 
Old 12-05-2006, 12:34 AM   #8
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
I'm using postfix and definitely, many are now using it. Postfix is easier to configure and has much available add-on software that provides further functionalities and better features.

By visiting postfix's website, you can see several contributed howtos that you can choose from. The one that I used is this:

http://www.postfixvirtual.net/

Though I can't find now its web GUI for administering accounts/domains that it had before, written in PHP, and with this, which is exactly what I'm doing, you will only need to resort to MySQL command line management.

You can also add Postgrey, a greylisting implementation for Postfix that nowadays is a must-have add-on for mail servers. This will greatly reduce your spam by temporarily rejecting/greylisting incoming mails during RCPT, since spambots seldom retry after the end of a system-predefined greylisting period, which is by default 300 secs or 5 minutes.

http://isg.ee.ethz.ch/tools/postgrey/

You can choose from squirrel, openwebmail or roundcube for a webmail that I haven't installed any yet. Their respective website has the instructions to do it.

Also, a new and nice add-on is DKIM (DomainKeys Identified Mail) to prevent someone, usually spammers and phishers, from falsely claiming and identifying (spoofing) as one of your accounts/domains, by adding a digital signature to mail messages with the public key stored in your DNS zone file as a TXT record. This will as well prevent your email contents from being tampered with.

http://mipassoc.org/dkim
http://www.ijs.si/software/amavisd/a...docs.html#dkim
http://www.elandsys.com/resources/sendmail/dkim.html

This system has its own anti-spam and anti-virus mechanisms built in, and this might now remove the burden from your Copfilter. It combines the forces of Postgrey (greylisting) and amavisd-new as your smtp proxy, and can as well invoke the services of SpamAssassin and ClamAV. With amavisd-new, SA and ClamAV alone, without Postgrey, I had a very high success rate in blocking unwanted mails, including viruses.
 
Old 12-06-2006, 06:37 PM   #9
depam
Member
 
Registered: Sep 2005
Posts: 861

Original Poster
Rep: Reputation: 30
Gani,

Thanks a lot for the info. I'll give it a try. You know I am really not a linux guru but wanted to put up my own mail server. Someone suggested that I try qmail toaster which has a web administration and scripts that will install everything. But you're infos really gave me an idea on how to start. Thank you very much.
 
Old 12-07-2006, 12:03 AM   #10
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
The nice thing about Postfix is that it is well accepted and supported by many third party developers who continuously contribute add-on software for enhancing the security of our email experience. I'm attesting to this. Spamming is a growing underground industry on the internet, and these add-ons really help and have been strengthening Postfix further. These add-ons integrate so well with postfix and all of them provide nice instructions on doing things, thus making our adventures enjoyable. Besides, postfix stayed with the traditional Unix-style configuration.

That howto will build for you a strong email server with: MySQL support as your accounts database and virtual domains; secure and strong SMTP authentication based on Cyrus-SASL and OpenSSL; Transport Layer Security (TLS) based on OpenSSL, with instructions on creating your CA and CSR (certificate signing request) and signing your own certificate to enable outside MTAs to send securely to your MTA; integration of Courier-IMAP and maildrop; and integration of Amavisd-new with SpamAssassin and ClamAV to reject unwanted mails. Don't forget to add Postgrey.

If you want to as well have the messages you send outside wrapped in TLS, you need to invest in a digital certificate signed by a CA.

You don't need to learn much on MySQL in order to administer this system and by just looking for an introductory tutorial or book on MySQL you can immediately start. I'm recommending a book published under the title "MySQL Visual Quick Start" that I have with me.

For flexibility it is better to compile postfix from source.
 
Old 12-07-2006, 02:37 AM   #11
depam
Member
 
Registered: Sep 2005
Posts: 861

Original Poster
Rep: Reputation: 30
Thanks again Gani. The link you provided me did not specify what distro he used for the installation. Honestly, I am really having hard time compiling from source especially dependencies. What OS would you recommend for that setup? I am currently using Debian but I am also familiar with RH or RPM-based OS.
 
Old 12-07-2006, 04:00 AM   #12
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
Slackware will not frustrate you. You can compile anything without problems, or maybe with 99% success. This is the reason why I'm staying with this distro, and up to now I still prefer 2.4, especially for this kind of internet application. I have even managed to patch my kernel with Grsecurity+PaX but have been frustrated with RBAC (an equivalent of RSBAC, AppArmor and maybe Systrace in the BSDs) for not being able to run SSHD, because it is preventing me from logging in remotely from PuTTY no matter how hard I've tried. But I'm still running a stronger kernel due to grsec+pax.

I'm also a bit interested in using Crux since it is more like BSD in style and much easier, and it has a port system like the BSD family. If you wish, you can try Crux out because they have a nice installation guide that is easy to follow, and installing apps is easy using their port system. Though I haven't tried it yet, a friend of mine recommended it to me after trying it.

The hardest part with Slackware for beginners is its text based installation and fdisk for partitioning. Though there is cfdisk, which is menu driven, I'm still comfortable with fdisk. This is up to now driving other Linux users away from Slackware and it is being criticized, including for its *.tgz styled packages. But once you get it up and running and have earned some familiarity, you will love it, as its users are always saying. If you have some fdisk experience this is not a problem for you, and its website has a book, and LQ, to guide beginners like you.

Slackware has the complete packages of necessary and standard libraries to help you compile programs successfully.

Slackware 11 now has MySQL 5, BerkeleyDB 4.4.2, OpenSSL 0.9.8b and might have the latest Cyrus-SASL. But with the latter (cyrus-sasl), it is still preferable to compile from source since you won't need most of the plugins compiled into the package. With these new packages on hand, the burden of compiling from source has been lessened, and they just need to be installed using its package manager or installed right during OS installation.

But switching to another distro would take some adjustment period before you could start with your new project. Maybe the least is a week to get you familiar with.

Another distro that you can look at is Mandrake/Mandriva, since you already have experience with RPM-based distros. A friend of mine just reported some compilation problem with the newer PCRE version that has no issue with Slackware, and also, Slackware has this package ready. PCRE (Perl Compatible Regular Expressions) is required by postfix and the latest version possible is better. With Mandrake/Mandriva he was also able to compile ClamAV 0.9rc2, which I'm already using in my mail server and in the one I've installed as SMTP proxy and anti-spam/anti-virus for an Exchange server that is heavily battered with spam and viruses.

So it is up for you to decide.
 
Old 12-07-2006, 09:57 AM   #13
depam
Member
 
Registered: Sep 2005
Posts: 861

Original Poster
Rep: Reputation: 30
Gani,

Thanks again for the info. I've been learning a lot from you. At first, I was surprised that someone would entertain my questions (at least from a novice linux user like me). But you proved me wrong. There are still a few people who want to share their knowledge and help users like me. I also agree with you that Slackware is a solid distro. It's one of the "reliable" distros according to almost all of the linux gurus out there. I haven't tried it yet but I think I'll give it a try if I have time. I have tried Vector, DSL, Ubuntu, CentOS, Fedora, RH9. Mepis is the distro that is currently installed on my notebook. What I like about Mepis is that it can easily detect most of the hardware that I like to use.

I don't mind using the shell. I can forget about GUI since this is the strongest point of Linux. Most of the settings should really be done on the shell. But I think, I am not as good as you to really understand and configure everything on the shell. Thanks for the "postfixvirtual" which you introduced to me. I tried installing it on my newly installed CentOS 4.4. Most of my friends told me that CentOS 4.4 is a 100% rebuild of the Red Hat Enterprise. I got an error on courier-authlib section. The error says it has something to do with /lib/cpp. I think I'll try to reconfigure it again tomorrow. The documentation you showed me is really straightforward. I did a few modifications on the ./configure since I am using a different distro (which is CentOS). I am hoping that I will be able to successfully build everything and to make it functional so I can replace the current mail server setup that I have.
 
Old 12-07-2006, 11:46 PM   #14
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
Quote:
I don't mind using the shell. I can forget about GUI since this is the strongest point of Linux. Most of the settings should really be done on the shell.
Only on desktop. GUI is of no use on a server, especially if you're too concerned about security and resource conservation. Running unnecessary processes not just consumes vital resources but may create vulnerabilities and put more burden on performing updates, and your administration/troubleshooting skill will not advance. If you prefer GUI, just stick with Windows; this is how Unix/Linux/BSD is differentiated. Even Longhorn, as I've read from an osnews.com review, is now switching to command line administration in order to reduce its codebase and in the hope of improving security.

Quote:
I tried installing it on my newly installed CentOS 4.4. Most of my friends told me that CentOS 4.4 is a 100% rebuild of the Red Hat Enterprise. I got an error on courier-authlib section. The error says it has something to do with /lib/cpp.
This is not to discourage or to say that a distro like this is not good. Each distro has its own strong feature/s or point/s. I've also tried CentOS, but only for a while, because I want the one that would allow me to customize, and especially if I want the latest stable release, as hot as a hot cake just taken out of a pan (or even an eagerness to try a release candidate) - compiling from source is the only way. This is the main reason that this method is not losing in popularity and will not in any way for sure. Gurus love doing this.

I've even tried Ubuntu and OpenSuSE, and just the same, only for a while due to what has been mentioned above. I'm as well a loyal user of OpenBSD, but when it comes to this kind of application she's not a very good choice, because there are some source compilation issues due to its strict security policy, or that might have been due to its ProPolice patch on GCC. Not everything compiles well from source, like with PCRE (but it's nice having a port at v6.4), and with ClamAV I have to wait for the port update within 1 - 2 weeks, and sometimes even longer, but it's still not too late. But OpenBSD is my only choice when it comes to firewall/gateway/router/IPSec VPN - so easy to use and proven secure. Its open source IPSec VPN is easy to deploy.

Thus we need balance in choices, like the food that we eat. We can't just stick with one, there should be some other else and in choosing/deciding, objectivity should be our guiding light and not emotions. This is the main reason why our universe and our earth was created in diversity to make our lives more enjoyable.

So for me, Slackware is FREEDOM and a versatility in simplicity! Slackware is really true to its words - making use of Linux simple. And allow me to add one - ENJOYABLE. ( BTW: Slackware has now a port of AppArmor though still in beta stage. http://danieldk.org/apparmor/ ).

I actually started with RedHat 9 before trying Slack. Then after some happy moments with Slack, I went with OpenBSD (after it was introduced to me by an American open source enthusiast now living here) during the time it was at version 3.5, and up to now (v4.0), and until the time when my old age prevents me from typing on my keyboard and inserting CDs in my drives and my eyes blur my console screen.

I don't want to make this long since this is not a review thread specific to a distro.

A note on ClamAV:

ClamAV will search for openssl.pc at compile time. .pc files are read by pkg-config, which is used to aid in searching for an installed program dependency. If you installed OpenSSL from a package, there should be no problem since most definitely it is installed where it should be - /usr/lib/pkgconfig or /usr/local/lib/pkgconfig. In my case I've installed it from source so it is in /usr/local/ssl/lib/pkgconfig. Just add the exact path to your environment variable (no spaces around the = in the shell):

$ export PKG_CONFIG_PATH="/usr/..path/..path/pkgconfig"
$ ./configure

Also, don't run ClamAV as its own user name, so as to give it write access to amavisd-new's directory. I think this is not noted in the howto. If you don't do this, you will endlessly see access denied errors in your postfix logs, and it might as well affect its performance.

Code:
# --disable-clamav turns off the search for the clamav user/group
--disable-clamav \
--with-user=amavisd-user \
--with-group=amavisd-group \
But do this after you have already installed Amavisd-new. The best thing to do when installing amavisd-new is simply read the included INSTALL text file with the source program.

Also for security's sake, I don't usually give login shell to daemons/programs when their usernames are created.

# groupadd amavis
# useradd -c "Amavis SMTP Proxy" -d /dev/null -s /bin/false -g amavis amavis

This is practical and very important, because they don't have passwords. Also, don't forget to disable remote root login in sshd and allow only your admin user names to log on, since attackers can use mysql, amavis, postfix and other well known daemon users during brute force ssh dictionary attacks if your host connects directly to the internet.

/etc/ssh/sshd_config:

PermitRootLogin no
AllowUsers admin1 admin2

Keep AllowUsers to the least number of admin users; although we believe that the more the merrier, in security it is the opposite - grimmier.

The most practical thing to do when compiling is to save your configure option to a file like

filename: build.sh

Code:
./configure \
    --sysconfdir=/etc \
    --localstatedir=/var \
    --mandir=/usr/local/man \
    --sbindir=/usr/local/sbin \
    --others \
    --etc \
    --the last (no backslash)
Then:

$ sh build.sh

This is very useful because sometimes one ./configure run is not enough due to errors, and you will tire out and be prone to errors typing the options repeatedly. Then, in order for you to save the output to a file for convenience in checking:

$ sh build.sh 2>&1 | tee build-messages
$ less build-messages

or

$ grep openssl build-messages

That file is now saved for future reference, and when you compile the latest release, just grab the original copy of build.sh from the previous version's directory. So it is advisable not to delete the directory immediately after successfully compiling. Just 'make clean' is enough.

To further add, as one of the many reasons why it's best to choose postfix, there is a Japanese contributor that created things like S25R and a patch for Postgrey for tarpitting and combining S25R. Just google for S25R and go for an English version of its site. I'm already using both on our own server and the one I've installed for a government hospital guarding their Exchange server against spam and viruses. This is a strengthening patch for postgrey because spammers are now getting even smarter. Some now know how to retry, and most of them are getting dynamic/PPPoE lines for this purpose, and S25R is designed for them. In a simple explanation, S25R will prevent, or make it harder for, spammers sending directly from their subscriber lines, through its regular expression rules. So it is nowadays wise to accept mails only when sent through a legitimate MTA and not those direct from workstations, since mostly it is spam or might be zombies with spambots.

http://k2net.hakuba.jp/pub/targrey-0...rey-1.27.patch
http://k2net.hakuba.jp/spam/postfix.conf.2.tar.gz
http://k2net.hakuba.jp/pub/postfix-sleep.patch

/etc/postfix/main.cf:

Code:
... others ..
...
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_etrn_restrictions = reject

smtpd_recipient_restrictions =
                permit_mynetworks
                permit_sasl_authenticated
                reject_unauth_destination
                check_client_access hash:/etc/postfix/whitelist_client
                check_client_access regexp:/etc/postfix/permit_client_nots25r
                check_recipient_access mysql:/etc/postfix/mysql-recipient.cf
                reject_invalid_hostname
                reject_non_fqdn_sender
                reject_non_fqdn_hostname
                reject_unknown_sender_domain
                reject_non_fqdn_recipient
                reject_multi_recipient_bounce
                check_policy_service inet:127.0.0.1:10023
                check_client_access hash:/etc/postfix/prepend_client
                check_sender_access regexp:/etc/postfix/filter_10024_catchall
                permit

smtpd_data_restrictions = reject_unauth_pipelining
The filter_10024_catchall is needed only if you installed dkim-filter. The files permit_client_nots25r, whitelist_client and prepend_client are in postfix.conf.2.tar.gz. It is good to unpack that file within /etc/postfix and just copy or point to that path.

postgrey startup arguments:

Code:
/usr/local/sbin/postgrey --inet=10023 \
  --pidfile=/var/spool/postfix/postgrey/postgrey.pid \
  --dbdir=/var/spool/postfix/postgrey \
  --user=postgrey --group=postgrey \
  --tarpit=65 --retry-count=2 \
  --auto-whitelist-delay=3600 \
  -d
Or create a start|stop|restart script out of this.

This is how I managed to install postgrey:

$ tar xvzf postgrey-1.27.tar.gz
$ patch -p0 < targrey-0.30-postgrey-1.27.patch

If it erred, change p0 to p1.

$ cd postgrey-1.27
$ su
# cp postgrey /usr/local/sbin
# chmod +x /usr/local/sbin/postgrey
# cp postgrey_whitelist_clients /etc/postfix
# cp postgrey_whitelist_recipients /etc/postfix
# groupadd postgrey
# useradd -c "Postfix Policy Service" -d /dev/null -s /bin/false -g postgrey postgrey
# mkdir /var/spool/postfix/postgrey
# chown postgrey.postgrey /var/spool/postfix/postgrey

Apply the sleep patch for postfix before doing compilation.

$ tar xvzf postfix-2.3.4.tar.gz
$ cd postfix<TAB>
$ patch -p0 < ../postfix-sleep.patch

Some manual pages that needs your attention:

$ perldoc postgrey
$ man postqueue
$ man postsuper

SpamAssassin's (SA) docs are accessed also using 'perldoc docname'.

This is how I've read to update SA rules and I'm so sure if this is just the things need done:

# sa-update
# ls /var/lib/spamassassin
3.001006 3.001007

That shows two directories, for versions 3.1.6 and 3.1.7. I'm currently using 3.1.7 and the previous one is still there.

# /usr/local/sbin/amavisd -u amavis reload

That command is needed for me because I prefer to use SA within Amavisd-new. But if in your case it is just integrated with maildrop, there is no need for that. But I'm sure there is nothing wrong with using SA in both maildrop and amavisd-new.

------------
GANI
 
Old 12-07-2006, 11:59 PM   #15
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
Quote:
This is how I've read to update SA rules and I'm so sure if this is just the things need done:
..I'm not so sure..
 