Virtual Users And Domains With Postfix, Courier And MySQL (Fedora Core 5)

Version 1.0
Author: Falko Timme


This document is copyright (c) 2006 by Falko Timme and is derived from a tutorial by Christoph Haas, which can be found at http://workaround.org. You may use this tutorial under the Creative Commons License 2.5 or any later version.
This tutorial shows how to install a Postfix-based mail server that is built on virtual users and domains, i.e. users and domains that are stored in a MySQL database. I will also demonstrate the installation and configuration of Courier (Courier-POP3, Courier-IMAP), so that Courier can authenticate against the same MySQL database that Postfix uses.

The resulting Postfix server is capable of SMTP-AUTH, TLS and quota (quota is not built into Postfix by default; I will show how to patch your Postfix appropriately). Passwords are stored in the database in encrypted form (most documents worked with unencrypted passwords, which is a security risk). In addition, this tutorial covers the installation of Amavisd, SpamAssassin and ClamAV so that e-mails are scanned for spam and viruses.

The advantage of such a "virtual" setup (virtual users and domains in a MySQL database) is that it is far more performant than a setup based on "real" system users. With this virtual setup your mail server can handle thousands of domains and users. It is also easier to administer, because you only have to deal with the MySQL database when you add new users/domains or edit existing ones. No more postmap commands to create db files, no more reloading of Postfix, etc. For the administration of the MySQL database you can use web-based tools like phpMyAdmin, which is also installed in this tutorial. The third advantage is that users have an e-mail address as their user name (instead of a user name plus an e-mail address), which is easier to understand and to remember.

This tutorial is based on Fedora Core 5 (i386). You should already have set up a basic Fedora system, as described here (for an x86_64 system; the procedure for i386 systems is the same, though): http://www.howtoforge.com/perfect_setup_fedora_core_5 and here: http://www.howtoforge.com/perfect_setup_fedora_core_5_p2. In addition, you should make sure that the firewall is switched off (at least for now) and that SELinux is disabled (this is important!), as shown here: http://www.howtoforge.com/perfect_setup_fedora_core_5_p3.

This tutorial is a practical guide; theoretical background is not covered. That is dealt with in numerous other documents on the web.

This tutorial comes without warranty of any kind! I want to point out that this is not the only way of setting up such a system. There are many ways of achieving this goal; this is the way I have chosen. I do not give any guarantee that this will work for you!

1 Edit /etc/hosts

Our host name in this example is server1.example.com, and it has the IP address 192.168.0.100, so we change /etc/hosts as follows:

vi /etc/hosts


# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
192.168.0.100   server1.example.com server1

2 Configure An Additional Repository For Fedora Packages

Some packages that we need to install (such as courier-imap) are not available in the official Fedora repositories, so we have to add another repository to yum:

rpm -ivh http://www.enlartenment.com/packages/fedora/5/i386/enlartenment-release-1.1-2.fc5.mf.noarch.rpm

After that we have to set enabled to 1 in /etc/yum.repos.d/enlartenment.repo:

vi /etc/yum.repos.d/enlartenment.repo


[enlartenment]
name=Enlartenment Repository for $releasever - $basearch
baseurl=http://www.enlartenment.com/packages/fedora/$releasever/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-enlartenment
enabled=1
gpgcheck=1

[enlartenment-sources]
name=Enlartenment Repository for $releasever - Sources
baseurl=http://www.enlartenment.com/packages/fedora/$releasever/SRPMS/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-enlartenment
enabled=1
gpgcheck=1

Next we import the GPG key of this repository:

rpm --import http://www.enlartenment.com/RPM-GPG-KEY.mf


3 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin

All of this can be installed with a single command:

yum install ntp httpd mysql-server php php-mysql php-mbstring rpm-build gcc mysql-devel openssl-devel cyrus-sasl-devel pkgconfig zlib-devel maildrop courier-imap courier-authlib-mysql phpmyadmin pcre-devel openldap-devel

If you see this:

warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
Public key for ntp-4.2.0.a.20050816-11.FC5.i386.rpm is not installed
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
Importing GPG key 0x4F2A6FD2 "Fedora Project <fedora@redhat.com>"
Is this ok [y/N]:

please answer with y.

4 Apply The Quota Patch To Postfix

We have to get the Postfix source rpm, patch it with the quota patch, build a new Postfix rpm package and install it.

cd /usr/src
wget http://ftp-stud.fht-esslingen.de/pub/Mirrors/fedora/linux/core/5/source/SRPMS/postfix-2.2.8-1.2.src.rpm
rpm -ivh postfix-2.2.8-1.2.src.rpm
cd /usr/src/redhat/SOURCES
wget http://web.onda.com.br/nadal/postfix/VDA/postfix-2.2.8-vda.patch.gz
gunzip postfix-2.2.8-vda.patch.gz
cd /usr/src/redhat/SPECS/

Now we have to edit the file postfix.spec:

vi postfix.spec

Change %define MYSQL 0 to %define MYSQL 1, add Patch0: postfix-2.2.8-vda.patch to the # Patches stanza, and finally add %patch0 -p1 -b .vda to the %setup -q stanza:

[...]
%define MYSQL 1
[...]
# Patches

Patch0: postfix-2.2.8-vda.patch
Patch1: postfix-2.1.1-config.patch
Patch3: postfix-alternatives.patch
Patch4: postfix-hostname-fqdn.patch
Patch6: postfix-2.1.1-obsolete.patch
Patch7: postfix-2.1.5-aliases.patch
Patch8: postfix-large-fs.patch
Patch9: postfix-2.2.5-cyrus.patch
[...]
%setup -q
# Apply obligatory patches
%patch0 -p1 -b .vda
%patch1 -p1 -b .config
%patch3 -p1 -b .alternatives
%patch4 -p1 -b .postfix-hostname-fqdn
%patch6 -p1 -b .obsolete
%patch7 -p1 -b .aliases
%patch8 -p1 -b .large-fs
%patch9 -p1 -b .cyrus
[...]

Then we build our new Postfix rpm package with quota and MySQL support:

rpmbuild -ba postfix.spec

You will see many warnings like the following, but you can ignore them:

msg.h:12:1: warning: "/*" within comment
msg.h:14:1: warning: "/*" within comment
msg.h:33:1: warning: "/*" within comment
msg.h:34:1: warning: "/*" within comment
msg.h:35:1: warning: "/*" within comment
msg.h:36:1: warning: "/*" within comment

Our Postfix rpm package is created in /usr/src/redhat/RPMS/i386, so we go there and install it:

cd /usr/src/redhat/RPMS/i386
rpm -ivh postfix-2.2.8-1.2.i386.rpm

(If you have problems building the Postfix rpm package, you can download mine from here.)

5 Set MySQL Passwords And Configure phpMyAdmin

Start MySQL:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start

Then set passwords for the MySQL root account:

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

Now we configure phpMyAdmin. Create /usr/share/phpmyadmin/config.inc.php:

vi /usr/share/phpmyadmin/config.inc.php


<?php
$cfg['PmaAbsoluteUri'] = 'http://192.168.0.100/phpmyadmin/';
$i=0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'http';
?>

Then we change the Apache configuration so that phpMyAdmin allows connections not just from localhost:

vi /etc/httpd/conf.d/phpmyadmin.conf


Alias /phpmyadmin/ "/usr/share/phpmyadmin/"
#<Location "/phpmyadmin/">
#    Order allow,deny
#    Allow from 127.0.0.1
#</Location>

Then we create the system startup links for Apache and start it:

chkconfig --levels 235 httpd on
/etc/init.d/httpd start

Now you can point your browser to http://server1.example.com/phpmyadmin/ and log in with the user name root and your new MySQL root password.

6 Create The MySQL Database For Postfix/Courier

We create a database called mail:

mysqladmin -u root -p create mail

Next we go to the MySQL shell:

mysql -u root -p

On the MySQL shell we create the user mail_admin with the password mail_admin_password (replace it with your own password), who has SELECT, INSERT, UPDATE, DELETE privileges on the mail database. Postfix and Courier will use this user to connect to the mail database:

GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password';
FLUSH PRIVILEGES;

Still on the MySQL shell, we create the tables that Postfix and Courier need:

USE mail;


CREATE TABLE domains (
domain varchar(50) NOT NULL,
PRIMARY KEY (domain) )
TYPE=MyISAM;

CREATE TABLE forwardings (
source varchar(80) NOT NULL,
destination TEXT NOT NULL,
PRIMARY KEY (source) )
TYPE=MyISAM;

CREATE TABLE users (
email varchar(80) NOT NULL,
password varchar(20) NOT NULL,
quota INT(10) DEFAULT '10485760',
PRIMARY KEY (email)
) TYPE=MyISAM;

CREATE TABLE transport (
domain varchar(128) NOT NULL default '',
transport varchar(128) NOT NULL default '',
UNIQUE KEY domain (domain)
) TYPE=MyISAM;

quit;

As you may have noticed, with the quit; command we have left the MySQL shell and are back on the Linux shell.

The domains table stores each virtual domain that Postfix should receive e-mails for (e.g. example.com).

domain
example.com

The forwardings table is for aliasing one e-mail address to another, e.g. forwarding e-mails for info@example.com to sales@example.com.

source              destination
info@example.com    sales@example.com

The users table stores all virtual users (i.e. e-mail addresses, because the e-mail address and the user name are identical) and passwords (in encrypted form!) as well as a quota value for each mailbox (in this example the default value is 10485760 bytes, which means 10MB).

email               password                                      quota
sales@example.com   No9.E4skNvGa. ("secret" in encrypted form)    10485760

The transport table is optional; it is meant for advanced users. It allows forwarding e-mails for single users, whole domains or all mail to another server. For example,

domain        transport
example.com   smtp:[1.2.3.4]

would forward all e-mails for example.com via the smtp protocol to the server with the IP address 1.2.3.4 (the square brackets [] mean "do not look up the MX DNS record" (which makes sense for IP addresses...). If you used a fully qualified domain name (FQDN) instead, you would not use the square brackets.).

7 Configure Postfix

Now we have to tell Postfix where to find the information in the database. To do this, we have to create six text files. You will notice that I tell Postfix to connect to MySQL on the IP address 127.0.0.1 instead of localhost. Postfix runs in a chroot jail and has no access to the MySQL socket, which it would try to connect to if I had told Postfix to use localhost. If I use 127.0.0.1, Postfix uses TCP networking to connect to MySQL, which is no problem even in a chroot jail (the alternative would be to move the MySQL socket into the chroot jail, which causes other problems).

Let's now create our six text files.

vi /etc/postfix/mysql-virtual_domains.cf


user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_forwardings.cf


user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT destination FROM forwardings WHERE source='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_mailboxes.cf


user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_email2email.cf


user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT email FROM users WHERE email='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_transports.cf


user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT transport FROM transport WHERE domain='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_mailbox_limit_maps.cf


user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT quota FROM users WHERE email='%s'
hosts = 127.0.0.1

(If you compare these files with the files from http://www.howtoforge.com/virtual_postfix_mysql_quota_courier, you will notice that the format is different. This is because the syntax changed from Postfix 2.1 to 2.2. In this tutorial we use Postfix 2.2.8, in the other one it is 2.1.5.)

chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf
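
The three things this section depends on (every map file has all five keys, hosts is 127.0.0.1 rather than localhost because of the chroot jail, and the files holding the database password are not accessible to other users) can be checked with a short script. This is an added example, not part of the original tutorial; the function names map_value, check_map_file and check_all_maps are made up here, and the files written by demo are constructed samples.

```sh
#!/bin/sh
# Added example: lint the Postfix MySQL map files created in this section.
# Function names are hypothetical; the sample files in demo() are constructed.

# Print the value of key $2 from the "key = value" file $1 (first match wins).
# Comment lines and continuation lines (leading whitespace) are skipped.
map_value() {
    awk -v key="$2" '
        /^#/ || /^[ \t]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Check one map file. Prints one line per problem and returns the number
# of problems found (0 = file is fine).
check_map_file() {
    f=$1
    problems=0
    if [ ! -f "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    for key in user password dbname query hosts; do
        if [ -z "$(map_value "$f" "$key")" ]; then
            echo "$f: no value for '$key'"
            problems=$((problems + 1))
        fi
    done
    # localhost (or a unix: path) means the MySQL socket, which the
    # chrooted Postfix cannot reach; the tutorial uses 127.0.0.1 (TCP).
    hosts=$(map_value "$f" hosts)
    case " $hosts " in
        *" localhost "*|*" unix:"*)
            echo "$f: hosts = $hosts uses the MySQL socket (use 127.0.0.1)"
            problems=$((problems + 1)) ;;
    esac
    # The file contains the database password: no access bits for "other".
    if [ -n "$(find "$f" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
        echo "$f: accessible to other users (run chmod o= on it)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Check all six map files of this tutorial in directory $1.
# Returns the total number of problems.
check_all_maps() {
    dir=$1
    total=0
    for name in domains forwardings mailboxes email2email transports \
                mailbox_limit_maps; do
        rc=0
        check_map_file "$dir/mysql-virtual_$name.cf" || rc=$?
        total=$((total + rc))
    done
    return "$total"
}

# Demonstration on two constructed files: one as in the tutorial, one with
# hosts = localhost and world-readable permissions.
demo() {
    d=$(mktemp -d) || return 0
    printf '%s\n' 'user = mail_admin' 'password = mail_admin_password' \
        'dbname = mail' \
        "query = SELECT domain AS virtual FROM domains WHERE domain='%s'" \
        'hosts = 127.0.0.1' > "$d/mysql-virtual_domains.cf"
    chmod 640 "$d/mysql-virtual_domains.cf"
    printf '%s\n' 'user = mail_admin' 'password = mail_admin_password' \
        'dbname = mail' \
        "query = SELECT email FROM users WHERE email='%s'" \
        'hosts = localhost' > "$d/mysql-virtual_email2email.cf"
    chmod 644 "$d/mysql-virtual_email2email.cf"
    check_map_file "$d/mysql-virtual_domains.cf" && echo "domains map: ok"
    check_map_file "$d/mysql-virtual_email2email.cf" ||
        echo "email2email map: $? problem(s)"
    rm -rf "$d"
    return 0
}

demo
```

On the real system the call would be check_all_maps /etc/postfix, run as root after the chmod and chgrp commands above.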

Now we create a user and a group called vmail with the home directory /home/vmail. This is where all mailboxes will be stored.

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m

Next we do some Postfix configuration. Make sure that you replace server1.example.com with a valid FQDN, otherwise your Postfix might not work properly!

postconf -e 'myhostname = server1.example.com'
postconf -e 'mydestination = server1.example.com, localhost, localhost.localdomain'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'virtual_alias_domains ='
postconf -e 'virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf'
postconf -e 'virtual_mailbox_base = /home/vmail'
postconf -e 'virtual_uid_maps = static:5000'
postconf -e 'virtual_gid_maps = static:5000'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/smtpd.cert'
postconf -e 'smtpd_tls_key_file = /etc/postfix/smtpd.key'
postconf -e 'transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf'
postconf -e 'virtual_create_maildirsize = yes'
postconf -e 'virtual_mailbox_extended = yes'
postconf -e 'virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf'
postconf -e 'virtual_mailbox_limit_override = yes'
postconf -e 'virtual_maildir_limit_message = "The user you are trying to reach is over quota."'
postconf -e 'virtual_overquota_bounce = yes'
postconf -e 'proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps'
postconf -e 'inet_interfaces = all'

After that we create the SSL certificate that is needed for TLS:

cd /etc/postfix
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

<-- Enter your Country Name (e.g., "DE").
<-- Enter your State or Province Name.
<-- Enter your City.
<-- Enter your Organization Name (e.g., the name of your company).
<-- Enter your Organizational Unit Name (e.g. "IT Department").
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<-- Enter your Email Address.

Then change the permissions of smtpd.key:

chmod o= /etc/postfix/smtpd.key


8 Configure Saslauthd

Edit /usr/lib/sasl2/smtpd.conf. It should look like this:

vi /usr/lib/sasl2/smtpd.conf


pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path:/var/spool/authdaemon/socket

Then turn off Sendmail and start Postfix, saslauthd and courier-authlib:

chmod 755 /var/spool/authdaemon
chkconfig --levels 235 courier-authlib on
/etc/init.d/courier-authlib start

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start

9 Configure Courier

Now we have to tell Courier that it should authenticate against our MySQL database. First, edit /etc/authlib/authdaemonrc and change the value of authmodulelist so that it reads

vi /etc/authlib/authdaemonrc


[...]
authmodulelist="authmysql"
[...]

Then edit /etc/authlib/authmysqlrc. It should look exactly like this (make sure that you fill in the correct database details):

vi /etc/authlib/authmysqlrc


MYSQL_SERVER localhost
MYSQL_USERNAME mail_admin
MYSQL_PASSWORD mail_admin_password
MYSQL_PORT 0
MYSQL_DATABASE mail
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD password
#MYSQL_CLEAR_PWFIELD password
MYSQL_UID_FIELD 5000
MYSQL_GID_FIELD 5000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/home/vmail"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
#MYSQL_NAME_FIELD
MYSQL_QUOTA_FIELD quota

Then restart Courier:

chkconfig --levels 235 courier-imap on
/etc/init.d/courier-authlib restart
/etc/init.d/courier-imap restart

By running

telnet localhost pop3

you can see whether your POP3 server is working correctly. It should return +OK Hello there. (Type quit to get back to the Linux shell.)

10 Install Amavisd-new, SpamAssassin And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

yum install amavisd-new spamassassin clamav clamav-data clamav-server clamav-update unzip bzip2 unrar

Now we have to edit /etc/amavisd/amavisd.conf.

vi /etc/amavisd/amavisd.conf

In this file we change five places:

1) Change
$mydomain = 'example.com';   # a convenient default for other settings
to
########################
$mydomain = 'localhost';
########################
#$mydomain = 'example.com';   # a convenient default for other settings

2) Change
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
to
########################
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
########################
(Of course you can adjust the spam scores to your liking.)

3) Change
# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
to
# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
########################
@lookup_sql_dsn =
   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'mail_admin', 'mail_admin_password'] );
$sql_select_policy = 'SELECT "Y" as local FROM domains WHERE CONCAT("@",domain) IN (%k)';
$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting
$recipient_delimiter = '+';            # (default is '+')
$replace_existing_extension = 1;       # (default is false)
$localpart_is_case_sensitive = 0;      # (default is false)
########################
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
(Make sure that you fill in the correct database details!)

4) Change
# $recipient_delimiter = '+';  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
to
########################
$recipient_delimiter = undef;  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
########################

5) Change
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_BOUNCE;
to
########################
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;
########################
(Of course you can decide for yourself what should happen to spam and viruses. I decided to accept spam (D_PASS) so that spam can be filtered in my e-mail client with a simple filter rule (based on the subject, which is rewritten by amavisd-new if it thinks a mail is spam). The allowed actions (D_PASS, D_DISCARD, D_BOUNCE, and D_REJECT) are explained here: http://www.ijs.si/software/amavisd/amavisd-new-docs.html#actions)


After my changes, /etc/amavisd/amavisd.conf looks as follows:

use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   see amavisd.conf-sample for a traditional-style commented file;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html


# COMMONLY ADJUSTED SETTINGS:

# @bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code

$max_servers = 2;            # num of pre-forked children (2..15 is common), -m
$daemon_user  = 'amavis';    # (no default; customary: vscan or amavis), -u
$daemon_group = 'amavis';    # (no default; customary: vscan or amavis), -g

########################
$mydomain = 'localhost';
########################
#$mydomain = 'example.com';   # a convenient default for other settings

$MYHOME = '/var/spool/amavisd';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR
$QUARANTINEDIR = undef;      # -Q
# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R

# $db_home = "$MYHOME/db";        # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$lock_file = "/var/run/amavisd/amavisd.lock";  # -L
$pid_file = "/var/run/amavisd/amavisd.pid";    # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

@local_domains_maps = ( [".$mydomain"] );
# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
#                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
           # choose from: emerg, alert, crit, err, warning, notice, info, debug

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # listen on this local TCP port(s) (see $protocol)
$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
               # option(s) -p overrides $inet_socket_port and $unix_socketname

$interface_policy{'SOCK'}='AM.PDP-SOCK'; # only relevant with $unix_socketname

# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = { protocol=>'AM.PDP' };

########################
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
########################
# $sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off

# $penpals_bonus_score = 4;  # (no effect without a @storage_sql_dsn database)
# $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam

$sa_mail_body_size_limit = 512*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
########################
@lookup_sql_dsn =
   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'mail_admin', 'mail_admin_password'] );
$sql_select_policy = 'SELECT "Y" as local FROM domains WHERE CONCAT("@",domain) IN (%k)';
$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting
$recipient_delimiter = '+';            # (default is '+')
$replace_existing_extension = 1;       # (default is false)
$localpart_is_case_sensitive = 0;      # (default is false)
########################
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database

# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)

$virus_admin = undef;                # notifications recip.

$mailfrom_notify_admin = undef;      # notifications sender
$mailfrom_notify_recip = undef;      # notifications sender
$mailfrom_notify_spamadmin = undef;  # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

@addr_extension_virus_maps = ('virus');
@addr_extension_spam_maps = ('spam');
@addr_extension_banned_maps = ('banned');
@addr_extension_bad_header_maps = ('badh');
########################
$recipient_delimiter = undef;  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
########################

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';

$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024;      # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)

$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus = 1;   # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name


# OTHER MORE COMMON SETTINGS (defaults may suffice):

# $myhostname = 'host.example.com';  # must be a fully-qualified domain name!

# $notify_method = 'smtp:[127.0.0.1]:10025';
# $forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!

########################
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;
########################

# $os_fingerprint_method = 'p0f:127.0.0.1:2345';  # to query p0f-analyzer.pl

## hierarchy by which a final setting is chosen:
##   policy bank (based on port or IP address) -> *_by_ccat
##   *_by_ccat (based on mail contents) -> *_maps
##   *_maps (based on recipient address) -> final configuration value


# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)

# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
#
# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
# @bypass_banned_checks_maps, @bypass_header_checks_maps,
#
# @virus_lovers_maps, @spam_lovers_maps,
# @banned_files_lovers_maps, @bad_header_lovers_maps,
#
# @blacklist_sender_maps, @score_sender_maps,
#
# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
#
# $defang_bad_header, $defang_undecipherable, $defang_spam


# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));


# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample

$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME
# qr'^\.wmf$',                                    # Windows Metafile file(1) type

# qr'^message/partial$'i,         # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# [ qr'^\.(Z|gz|bz2)$' => 0 ],           # allow any in Unix-compressed
  [ qr'^\.(rpm|cpio|tar)$' => 0 ],       # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm


# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
#                           '.cleargreen.com'           => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
    [qr'^(your_friend|greatoffers)@'i => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
     'nobody@cert.org' => -3.0,
     'cert-advisory@us-cert.gov' => -3.0,
     'owner-alert@iss.net' => -3.0,
     'slashdot@slashdot.org' => -3.0,
     'securityfocus.com' => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
     'security-alerts@linuxsecurity.com' => -3.0,
     'mailman-announce-admin@python.org' => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'amavis-user-bounces@lists.sourceforge.net' => -3.0,
     'spamassassin.apache.org' => -3.0,
     'notification-return@lists.sophos.com' => -3.0,
     'owner-postfix-users@postfix.org' => -3.0,
     'owner-postfix-announce@postfix.org' => -3.0,
     'owner-sendmail-announce@lists.sendmail.org' => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org' => -3.0,
     'ca+envelope@sendmail.org' => -3.0,
     'noreply@freshmeat.net' => -3.0,
     'owner-technews@postel.acm.org' => -3.0,
     'ietf-123-owner@loki.ietf.org' => -3.0,
     'cvs-commits-list-admin@gnome.org' => -3.0,
     'rt-users-admin@lists.fsck.com' => -3.0,
     'clp-request@comp.nus.edu.sg' => -3.0,
     'surveys-errors@lists.nua.ie' => -3.0,
     'emailnews@genomeweb.com' => -5.0,
     'yahoo-dev-null@yahoo-inc.com' => -3.0,
     'returns.groups.yahoo.com' => -3.0,
     'clusternews@linuxnetworx.com' => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)
     'sender@example.net' => 3.0,
     '.example.net' => 1.0,

   },
  ],  # end of site-wide tables
});


@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio, ['pax','gcpio','cpio'] ],
  ['tar',  \&do_tar],
  ['deb',  \&do_ar, 'ar'],
# ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar, ['rar','unrar'] ],
  ['arj',  \&do_unarj, ['arj','unarj'] ],
  ['arc',  \&do_arc, ['nomarch','arc'] ],
  ['zoo',  \&do_zoo, ['zoo','unzoo'] ],
  ['lha',  \&do_lha, 'lha'],
# ['doc',  \&do_ole, 'ripole'],
  ['cab',  \&do_cabextract, 'cabextract'],
  ['tnef', \&do_tnef_ext, 'tnef'],
  ['tnef', \&do_tnef],
# ['sit',  \&do_unstuff, 'unstuff'],  # broken/unsafe decoder
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);


@av_scanners = (

# ### http://www.vanja.com/tools/sophie/
# ['Sophie',
#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],

# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],

# ### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/spool/amavisd/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: the easiest is to run clamd under the same user as amavisd; match the
# # socket name (LocalSocket) in clamav.conf to the socket name in this entry
# # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)
# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/],

# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
#   qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],

# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
#   \&ask_daemon, ["{}/\n", '/var/run/trophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],

# ### http://www.grisoft.com/
# ['AVG Anti-Virus',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
#   qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ],

# ### http://www.f-prot.com/
# ['FRISK F-Prot Daemon',
#   \&ask_daemon,
#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
#     ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
#      '127.0.0.1:10203','127.0.0.1:10204'] ],
#   qr/(?i)<summary[^>]*>clean<\/summary>/,
#   qr/(?i)<summary[^>]*>infected<\/summary>/,
#   qr/(?i)<name>(.+)<\/name>/ ],

# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
# ['DrWebD', \&ask_daemon,   # DrWebD 4.31 or later
#   [pack('N',1).  # DRWEBD_SCAN_CMD
#    pack('N',0x00280001).
# DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES # pack('N', # path length # length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). # '{}/*'. # path # pack('N',0). # content size # pack('N',0), # '/var/drweb/run/drwebd.sock', # # '/var/amavis/var/run/drwebd.sock', # suitable for chroot # # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default # # '127.0.0.1:3000', # or over an inet socket # ], # qr/Ax00[x10x11][x00x10]x00/s, # IS_CLEAN,EVAL_KEY; SKIPPED # qr/Ax00[x00x01][x00x10][x20x40x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF # qr/A.{12}(?:infected with )?([^x00]+)x00/s, # ], # # NOTE: If using amavis-milter, change length to: # # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). ### http://www.kaspersky.com/ (kav4mailservers) ['KasperskyLab AVP - aveclient', ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', '/opt/kav/bin/aveclient','aveclient'], '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/b(INFECTED|SUSPICION)b/, qr/(?:INFECTED|SUSPICION) (.+)/, ], ### http://www.kaspersky.com/ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? qr/infected: (.+)/, sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ### The kavdaemon and AVPDaemonClient have been removed from Kasperky ### products and replaced by aveserver and aveclient ['KasperskyLab AVPDaemonClient', [ '/opt/AVP/kavdaemon', 'kavdaemon', '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', '/opt/AVP/AvpTeamDream', 'AvpTeamDream', '/opt/AVP/avpdc', 'avpdc' ], "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^rn]+)/ ], # change the startup-script in /etc/init.d/kavd to: # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) # adjusting /var/amavis above to match your $TEMPBASE. 
# The '-f=/var/amavis' is needed if not running it as root, so it # can find, read, and write its pid file, etc., see 'man kavdaemon'. # defUnix.prf: there must be an entry "*/var/amavis" (or whatever # directory $TEMPBASE specifies) in the 'Names=' section. # cd /opt/AVP/DaemonClients; configure; cd Sample; make # cp AvpDaemonClient /opt/AVP/ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" ### http://www.centralcommand.com/ ['CentralCommand Vexira (new) vascan', ['vascan','/usr/lib/Vexira/vascan'], "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". "--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}", [0,3], [1,2,5], qr/(?x)^s* (?:virus|iworm|macro|mutant|sequence|trojan) found: ( [^]s']+ ) ... / ], # Adjust the path of the binary and the virus database as needed. # 'vascan' does not allow to have the temp directory to be the same as # the quarantine directory, and the quarantine option can not be disabled. # If $QUARANTINEDIR is not used, then another directory must be specified # to appease 'vascan'. Move status 3 to the second list if password # protected files are to be considered infected. ### http://www.hbedv.com/ ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus', ['antivir','vexira'], '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/, qr/(?x)^s* (?: ALERT: s* (?: [ | [^']* ' ) | (?i) VIRUS: .*? virus '?) 
( [^]s']+ )/ ], # NOTE: if you only have a demo version, remove -z and add 214, as in: # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, ### http://www.commandsoftware.com/ ['Command AntiVirus for Linux', 'csav', '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/ ], ### http://www.symantec.com/ ['Symantec CarrierScan via Symantec CommandLineScanner', 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', qr/^Files Infected:s+0$/, qr/^Infectedb/, qr/^(?:Info|Virus Name):s+(.+)/ ], ### http://www.symantec.com/ ['Symantec AntiVirus Scan Engine', 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', [0], qr/^Infectedb/, qr/^(?:Info|Virus Name):s+(.+)/ ], # NOTE: check options and patterns to see which entry better applies ### http://www.f-secure.com/products/anti-virus/ ['F-Secure Antivirus', 'fsav', '--dumb --mime --archive {}', [0], [3,8], qr/(?:infection|Infected|Suspected): (.+)/ ], # ### http://www.avast.com/ # ['avast! Antivirus daemon', # &ask_daemon, # greets with 220, terminate with QUIT # ["SCAN {}?15?12QUIT?15?12", '/var/run/avast4/mailscanner.sock'], # qr/t[+]/, qr/t[L]t/, qr/t[L]t([^[ t?15?12]+)/ ], # ### http://www.avast.com/ # ['avast! 
Antivirus - Client/Server Version', 'avastlite', # '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], # qr/t[L]t([^[ t?15?12]+)/ ], ['CAI InoculateIT', 'inocucmd', # retired product '-sec -nex {}', [0], [100], qr/was infected by virus (.+)/ ], # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) ['CAI eTrust Antivirus', 'etrust-wrapper', '-arc -nex -spm h {}', [0], [101], qr/is infected by virus: (.+)/ ], # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 ### http://mks.com.pl/english.html ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2], qr/--[ t]*(.+)/ ], ### http://mks.com.pl/english.html ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7], qr/^... (S+)/ ], ### http://www.nod32.com/ ['ESET Software NOD32 Command Line Interface v 2.51', 'nod32cli', '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ], # ### http://www.nod32.com/ old # ['ESET Software NOD32 - Client/Server Version', 'nod32cli', # '-a -r -d recurse --heur standard {}', [0], [10,11], # qr/^S+s+infected:s+(.+)/ ], # ### http://www.nod32.com/ old # ['ESET Software NOD32', 'nod32', # '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ], # Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 # ['ESET Software NOD32 Client/Server (NOD32SS)', # &ask_daemon2, # greets with 200, persistent, terminate with QUIT # ["SCAN {}/*rn", '127.0.0.1:8448' ], # qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ], ### http://www.norman.com/products_nvc.shtml ['Norman Virus Control v5 / Linux', 'nvcc', '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], qr/(?i).* virus in .* -> '(.+)'/ ], ### http://www.pandasoftware.com/ ['Panda Antivirus for Linux', ['pavcl'], '-aut -aex -heu -cmp -nbr -nor -nso -eng {}', qr/Number of files infected[ .]*: 0+(?!d)/, qr/Number of files infected[ .]*: 0*[1-9]/, 
qr/Found virus :s*(S+)/ ], # ### http://www.pandasoftware.com/ # ['Panda Antivirus for Linux', ['pavcl'], # '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', # [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], # qr/Found virus :s*(S+)/ ], # GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. # Check your RAV license terms before fiddling with the following two lines! # ['GeCAD RAV AntiVirus 8', 'ravav', # '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ], # # NOTE: the command line switches changed with scan engine 8.5 ! # # (btw, assigning stdin to /dev/null causes RAV to fail) ### http://www.nai.com/ ['NAI McAfee AntiVirus (uvscan)', 'uvscan', '--secure -rv --mime --summary --noboot - {}', [0], [13], qr/(?x) Found (?: the (.+) (?:virus|trojan) | (?:virus|trojan) or variant (.+?)s*! | : (.+) NOT a virus)/, # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, # sub {delete $ENV{LD_PRELOAD}}, ], # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 # and then clear it when finished to avoid confusing anything else. # NOTE2: to treat encrypted files as viruses replace the [13] with: # qr/^s{5,}(Found|is password-protected|.*(virus|trojan))/ ### http://www.virusbuster.hu/en/ ['VirusBuster', ['vbuster', 'vbengcl'], "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], qr/: '(.*)' - Virus/ ], # VirusBuster Ltd. does not support the daemon version for the workstation # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of # binaries, some parameters AND return codes have changed (from 3 to 1). # See also the new Vexira entry 'vascan' which is possibly related. 
# ### http://www.virusbuster.hu/en/ # ['VirusBuster (Client + Daemon)', 'vbengd', # '-f -log scandir {}', [0], [3], # qr/Virus found = (.*);/ ], # # HINT: for an infected file it always returns 3, # # although the man-page tells a different story ### http://www.cyber.com/ ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/, # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, ], ### http://www.avast.com/ ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], '-a -i -n -t=A {}', [0], [1], qr/binfected by:s+([^ tn[]]+)/ ], ### http://www.ikarus-software.com/ ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40], qr/Signature (.+) found/ ], ### http://www.bitdefender.com/ ['BitDefender', 'bdc', '--arc --mail {}', qr/^Infected files *:0+(?!d)/, qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, qr/(?:suspected|infected): (.*)(?:?33|$)/ ], # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may # not apply to your version of bdc, check documentation and see 'bdc --help' # ['File::Scan', sub {Amavis::AV::ask_av(sub{ # use File::Scan; my($fn)=@_; # my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); # my($vname) = $f->scan($fn); # $f->error ? (2,"Error: ".$f->error) # : ($vname ne '') ? 
(1,"$vname FOUND") : (0,"Clean")}, @_) }, # ["{}/*"], [0], [1], qr/^(.*) FOUND$/ ], # ### example: fully-fledged checker for JPEG marker segments of invalid length # ['check-jpeg', # sub { use JpegTester (); Amavis::AV::ask_av(&JpegTester::test_jpeg, @_) }, # ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ], # # NOTE: place file JpegTester.pm somewhere where Perl can find it, # # for example in /usr/local/lib/perl5/site_perl ); @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], qr/:.*sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ### http://www.f-prot.com/ - backs up F-Prot Daemon ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], qr/Infection: (.+)|s+containss+(.+)$/ ], ### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus', ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'], '-i1 -xp {}', [0,10,15], [5,20,21,25], qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ , sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], # Commented out because the name 'sweep' clashes with Debian and FreeBSD # package/port of an audio editor. Make sure the correct 'sweep' is found # in the path when enabling. # # ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl # ['Sophos Anti Virus (sweep)', 'sweep', # '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}', # [0,2], qr/Virus .*? found/, # qr/^>>> Virus(?: fragment)? '?(.*?)'? 
found/, # ], # # other options to consider: -mime -oe -idedir=/usr/local/sav # always succeeds (uncomment to consider mail clean if all other scanners fail) # ['always-clean', sub {0}], ); 1; # insure a defined return
amavisd-new is the program that glues Postfix and SpamAssassin/ClamAV together. Postfix passes the mails to amavisd-new, which then invokes SpamAssassin and ClamAV to scan them. Please have a look at the SpamAssassin and ClamAV settings in /etc/amavisd/amavisd.conf. Of course, you can customize that file a lot more. Have a look at the explanations in the original /etc/amavisd/amavisd.conf file for that!


When we installed ClamAV, a cron job was set up that tries to update the ClamAV virus database every three hours. This only works, however, if we enable it in /etc/sysconfig/freshclam and /etc/freshclam.conf:

vi /etc/sysconfig/freshclam

Comment out the FRESHCLAM_DELAY line at the end:

## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * * ...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=

## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn' ... disables the automatic freshclam update and
##                     gives out a warning
## 'disabled'      ... disables the automatic freshclam silently
# FRESHCLAM_DELAY=


### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
#FRESHCLAM_DELAY=disabled-warn  # REMOVE ME

vi /etc/freshclam.conf

Comment out the Example line:

[...]
# Comment or remove the line below.
#Example
[...]

Now let's create the system startup links for ClamAV and amavisd-new, update ClamAV's virus signature database, and start both services:

chkconfig --levels 235 amavisd on
chkconfig --levels 235 clamd.amavisd on
/usr/bin/freshclam
/etc/init.d/amavisd start
/etc/init.d/clamd.amavisd start

Now we have to configure Postfix so that it pipes incoming email through amavisd-new:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'

Afterwards, append the following lines to /etc/postfix/master.cf:

vi /etc/postfix/master.cf


[...]
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1

and restart Postfix:

/etc/init.d/postfix restart
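
A check for the two master.cf entries above, added here as an example (it is not part of the original guide): it verifies that the re-injection listener on port 10025 is bound to loopback, clears content_filter so that filtered mail cannot loop back into amavisd-new, and accepts mail from 127.0.0.0/8 only. The function names (sample_master_cf, join_services, has_opt, audit_reinject) are made up for this sketch, and the embedded master.cf text is a constructed sample.

```shell
#!/bin/sh
# Added example: audit the amavisd-new re-injection listener in master.cf.

# Constructed sample input mirroring the two master.cf entries from this guide.
sample_master_cf() {
cat <<'EOF'
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1
EOF
}

# Fold master.cf continuation lines (leading whitespace) into one line per
# service, skip comments and blank lines, and squeeze runs of blanks.
join_services() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { cont = ($0 ~ /^[ \t]/); gsub(/[ \t]+/, " "); sub(/^ /, "") }
        cont { buf = buf " " $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# has_opt ENTRY OPTION: true if "-o OPTION" appears as an exact token pair,
# so "content_filter=" matches only the empty override.
has_opt() {
    case " $1 " in
        *" -o $2 "*) return 0 ;;
    esac
    return 1
}

# audit_reinject [PORT]: reads master.cf on stdin, prints one line per finding
# and returns the number of findings (0 = listener is set up as in the guide).
audit_reinject() {
    port=${1:-10025}
    findings=0
    entry=$(join_services | awk -v p="$port" \
        '$2 == "inet" && ($1 == p || $1 ~ (":" p "$")) { print; exit }')
    if [ -z "$entry" ]; then
        echo "no inet listener for port $port"
        return 1
    fi
    # The address in the service name decides which interface is bound.
    svc=${entry%% *}
    case $svc in
        127.0.0.1:*|localhost:*|"[::1]:"*) ;;
        *) echo "listener $svc is not bound to loopback"
           findings=$((findings + 1)) ;;
    esac
    for opt in "content_filter=" "mynetworks=127.0.0.0/8" \
               "smtpd_recipient_restrictions=permit_mynetworks,reject"; do
        if ! has_opt "$entry" "$opt"; then
            echo "missing or changed: -o $opt"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Demo on the constructed sample; on the server run:
#   audit_reinject < /etc/postfix/master.cf
if sample_master_cf | audit_reinject; then
    echo "re-injection listener OK"
fi
```
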


11 Install Razor, Pyzor And DCC And Configure SpamAssassin

Razor, Pyzor and DCC are spam filters that use a collaborative filtering network. To install Razor and Pyzor, run

yum install perl-Razor-Agent pyzor

Then initialize both services:

chmod -R a+rX /usr/share/doc/pyzor-0.4.0 /usr/bin/pyzor /usr/bin/pyzord
chmod -R a+rX /usr/lib/python2.4/site-packages/pyzor
su -m amavis -c 'pyzor --homedir /var/spool/amavisd discover'
su -m amavis -c 'razor-admin -home=/var/spool/amavisd -create'
su -m amavis -c 'razor-admin -home=/var/spool/amavisd -register'

(You might have to run the last command twice if it fails the first time.)

Then we install DCC as follows:

cd /tmp
wget http://www.dcc-servers.net/dcc/source/dcc-dccproc.tar.Z
tar xzvf dcc-dccproc.tar.Z
cd dcc-dccproc-1.3.42
./configure --with-uid=amavis
make
make install
chown -R amavis:amavis /var/dcc
ln -s /var/dcc/libexec/dccifd /usr/local/bin/dccifd

Now we have to tell SpamAssassin to use these three programs. Edit /etc/mail/spamassassin/local.cf so that it looks like this:

vi /etc/mail/spamassassin/local.cf


# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

#required_hits 5
#report_safe 0
#rewrite_header Subject [SPAM]

# dcc
use_dcc 1
dcc_path /usr/local/bin/dccproc
dcc_add_header 1
dcc_dccifd_path /usr/local/bin/dccifd

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1

#razor
use_razor2 1
razor_config /var/spool/amavisd/razor-agent.conf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

Then run

/etc/init.d/amavisd restart

Now I want to include some custom rulesets for SpamAssassin that are available on the Internet. I have tested these rulesets, and they make spam filtering considerably more effective. Create the file /usr/local/sbin/sa_rules_update.sh:

vi /usr/local/sbin/sa_rules_update.sh


#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf -O 71_sare_redirect_pre3.0.0.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf -O 70_sare_bayes_poison_nxm.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html.cf -O 70_sare_html.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html4.cf -O 70_sare_html4.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html_x30.cf -O 70_sare_html_x30.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header0.cf -O 70_sare_header0.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header3.cf -O 70_sare_header3.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header_x30.cf -O 70_sare_header_x30.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_specific.cf -O 70_sare_specific.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_adult.cf -O 70_sare_adult.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf -O 72_sare_bml_post25x.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf -O 99_sare_fraud_post25x.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_spoof.cf -O 70_sare_spoof.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_random.cf -O 70_sare_random.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_oem.cf -O 70_sare_oem.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf -O 70_sare_genlsubj0.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf -O 70_sare_genlsubj3.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj_x30.cf -O 70_sare_genlsubj_x30.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_unsub.cf -O 70_sare_unsub.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_uri.cf -O 70_sare_uri.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://mywebpages.comcast.net/mkettler/sa/antidrug.cf -O antidrug.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.timj.co.uk/linux/bogus-virus-warnings.cf -O bogus-virus-warnings.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.yackley.org/sa-rules/evilnumbers.cf -O evilnumbers.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.stearns.org/sa-blacklist/random.current.cf -O random.current.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_body.cf -O 88_FVGT_body.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_rawbody.cf -O 88_FVGT_rawbody.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_subject.cf -O 88_FVGT_subject.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_headers.cf -O 88_FVGT_headers.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_uri.cf -O 88_FVGT_uri.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_DomainDigits.cf -O 99_FVGT_DomainDigits.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf -O 99_FVGT_Tripwire.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_meta.cf -O 99_FVGT_meta.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.nospamtoday.com/download/mime_validate.cf -O mime_validate.cf &> /dev/null

# The init script used throughout this guide is /etc/init.d/amavisd
/etc/init.d/amavisd restart &> /dev/null

exit 0

Make the script executable:

chmod 755 /usr/local/sbin/sa_rules_update.sh

Then run the script once. It fetches these rulesets and puts them into SpamAssassin's configuration directory:

/usr/local/sbin/sa_rules_update.sh

We create a cron job so that these rulesets are updated regularly. Run

crontab -e

to open the cron job editor. Create the following cron job:

23 4 */2 * * /usr/local/sbin/sa_rules_update.sh &> /dev/null

This updates the rulesets every second day at 4.23h.
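
The script above writes every download straight over the live rule file with wget -O, so a failed download or an error page replaces a working ruleset. The following added example (not the author's script) stages one download, rejects empty files and HTML pages, runs spamassassin --lint against a copy of the configuration, and only then renames the file into place. The names fetch, lint_dir and update_rule are hypothetical; RULES_DIR defaults to the directory used in this guide.

```shell
#!/bin/sh
# Added example: replace a SpamAssassin rule file only after the download
# has been staged, sanity-checked and linted.
RULES_DIR=${RULES_DIR:-/etc/mail/spamassassin}

# fetch URL FILE (hypothetical helper): download URL to FILE.
fetch() { /usr/bin/wget -q "$1" -O "$2"; }

# lint_dir DIR (hypothetical helper): let SpamAssassin parse the rules in DIR.
lint_dir() { spamassassin --lint --siteconfigpath="$1" >/dev/null 2>&1; }

# update_rule URL NAME: returns 0 if RULES_DIR/NAME was replaced,
# 1 if the download was rejected and the current file was kept.
update_rule() {
    url=$1
    name=$2
    reason=
    stage=$(mktemp -d) || return 1
    # Lint needs the complete configuration, so work on a copy of the
    # live directory and overlay the candidate file.
    cp -p "$RULES_DIR"/*.cf "$stage"/ 2>/dev/null || :
    if ! fetch "$url" "$stage/$name"; then
        reason="download failed"
    elif [ ! -s "$stage/$name" ]; then
        reason="download is empty"
    elif head -n 5 "$stage/$name" | grep -Eqi '<html|<!doctype'; then
        reason="got an HTML page instead of rules"
    elif ! lint_dir "$stage"; then
        reason="lint rejected the new rules"
    fi
    if [ -n "$reason" ]; then
        echo "$name: $reason, keeping current file" >&2
        rm -rf "$stage"
        return 1
    fi
    # Copy next to the target under a temporary name, then rename: a rename
    # inside one directory is atomic, so no reader sees a partial file.
    cp "$stage/$name" "$RULES_DIR/.$name.tmp" &&
        mv "$RULES_DIR/.$name.tmp" "$RULES_DIR/$name"
    rc=$?
    rm -rf "$stage"
    return $rc
}

# Usage as a script: sh update_rule.sh URL NAME
# Restart amavisd afterwards only if at least one call returned 0.
if [ "$#" -eq 2 ]; then
    update_rule "$1" "$2"
fi
```
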

12 Quota Exceedance Notifications

If you want to get notifications about all email accounts that are over quota, run the following:

cd /usr/local/sbin/
wget http://puuhis.net/vhcs/quota.txt
mv quota.txt quota_notify
chmod 755 quota_notify

Open /usr/local/sbin/quota_notify and edit the variables at the top:

vi /usr/local/sbin/quota_notify


my $POSTFIX_CF = "/etc/postfix/main.cf";
my $MAILPROG = "/usr/sbin/sendmail -t";
my $WARNPERCENT = 80;
my @POSTMASTERS = ('postmaster@isp.tld');
my $CONAME = 'ISP.tld';
my $COADDR = 'postmaster@isp.tld';
my $SUADDR = 'postmaster@isp.tld';
my $MAIL_REPORT = 1;
my $MAIL_WARNING = 1;

Run

crontab -e

to create a cron job for this script:

0 0 * * * /usr/local/sbin/quota_notify &> /dev/null

13 Test Postfix

To see whether Postfix is ready for SMTP-AUTH and TLS, run

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.


Type

quit

to return to the system's shell.

14 Populate The Database And Test

To populate the database, you can use the MySQL shell:

mysql -u root -p
USE mail;

At a minimum, you have to create entries in the tables domains and users:

INSERT INTO `domains` (`domain`) VALUES ('example.com');
INSERT INTO `users` (`email`, `password`, `quota`) VALUES ('sales@example.com', ENCRYPT('secret'), 10485760);

(Please make sure that you use the ENCRYPT syntax in the second INSERT statement to encrypt the password!)

If you want to make entries in the other two tables, that would look like this:

INSERT INTO `forwardings` (`source`, `destination`) VALUES ('info@example.com', 'sales@example.com');
INSERT INTO `transport` (`domain`, `transport`) VALUES ('example.com', 'smtp:mail.example.com');

To leave the MySQL shell, type

quit;

For most people it is easier to have a graphical front end to MySQL; therefore you can also use phpMyAdmin (in this example under http://192.168.0.100/phpmyadmin/ or http://server1.example.com/phpmyadmin/) to administer the mail database. When you create a user, make sure that you use the ENCRYPT function to encrypt the password.

I do not think I have to explain the domains and users tables any further here.

The forwardings table could have entries like the following:

| source | destination | |
|---|---|---|
| info@example.com | sales@example.com | Redirects emails for info@example.com to sales@example.com. |
| @example.com | thomas@example.com | Creates a Catch-All account for thomas@example.com. All emails to example.com will arrive at thomas@example.com, except those that exist in the users table (i.e., if sales@example.com exists in the users table, mails to sales@example.com will still arrive at sales@example.com). |
| @example.com | @anotherdomain.tld | This redirects all emails to example.com to the same user at anotherdomain.tld. E.g., emails to thomas@example.com will be forwarded to thomas@anotherdomain.tld. |
| info@example.com | sales@example.com, billing@anotherdomain.tld | Forward emails for info@example.com to two or more email addresses. All listed email addresses under destination receive a copy of the email. |

The transport table could have entries like these:

| domain | transport | |
|---|---|---|
| example.com | : | Delivers emails for example.com locally. This is as if this record would not exist in this table at all. |
| example.com | smtp:mail.anotherdomain.tld | Delivers all emails for example.com via smtp to the server mail.anotherdomain.tld. |
| example.com | smtp:mail.anotherdomain.tld:2025 | Delivers all emails for example.com via smtp to the server mail.anotherdomain.tld, but on port 2025, not 25 which is the default port for smtp. |
| example.com | smtp:[1.2.3.4] or smtp:[1.2.3.4]:2025 or smtp:[mail.anotherdomain.tld] | The square brackets prevent Postfix from doing lookups of the MX DNS record for the address in square brackets. Makes sense for IP addresses. |
| .example.com | smtp:mail.anotherdomain.tld | Mail for any subdomain of example.com is delivered to mail.anotherdomain.tld. |
| * | smtp:mail.anotherdomain.tld | All emails are delivered to mail.anotherdomain.tld. |
| joe@example.com | smtp:mail.anotherdomain.tld | Emails for joe@example.com are delivered to mail.anotherdomain.tld. |

See

man transport

to learn more.

Please keep in mind that the order of the entries in the transport table is important! The entries are followed from top to bottom.

Important: Postfix uses a caching mechanism for the transports, so it can take a while until your changes in the transport table take effect. If you want them to take effect immediately, run

postfix reload

after you have made your changes in the transport table.

15 References

Tutorial: ISP-style Email Service with Debian-Sarge and Postfix 2.1: http://workaround.org/articles/ispmail-sarge/
Postfix + Quota: http://vhcs.net/new/modules/newbb/viewtopic.php?topic_id=3496&forum=17
Mail Passwords Encrypted using saslauthd: http://www.syscp.de/docs/public/contrib/cryptedmailpws

16 Links

Postfix MTA: http://www.postfix.org/
Postfix Quota Patch: http://web.onda.com.br/nadal/
phpMyAdmin: http://www.phpmyadmin.net/