Virtuelle Benutzer und Domains mit Postfix, Courier und MySQL (Mandriva 2008.0)

Version 1.0
Author: Falko Timme


Diese Anleitung ist urheberrechtlich geschützt (Copyright (c) 2008 by Falko Timme). Sie stammt von einer Anleitung von Christoph Haas, die Du auf folgender Seite finden kannst http://workaround.org. Du kannst diese Anleitung unter der Creative Commons License 2.5 oder jeder anderen späteren Version verwenden.
Diese Anleitung beschreibt wie man einen Postfix Mail Server installiert, der auf virtuellen Benutzern und Domains basiert, das heißt Benutzer und Domains, die in einer MySQL Datenbank sind. Weiterhin werde ich die Installation und Konfiguration von Courier (Courier-POP3, Courier-IMAP) veranschaulichen, damit sich Courier gegenüber der gleichen MySQL Datenbank, die Postfix verwendet, autentifizieren kann.

Der daraus resultierende Postfix Server ist geeignet für SMTP-AUTH und TLS sowie quota (quota ist nicht standardmäßig in Postfix enthalten, ich werde aufzeigen, wie man Postfix sachgerecht patcht). Passwörter werden in den Datenbanken verschlüsselt abgelegt (die meisten Dokumente, die ich gefunden habe, haben sich mit einfachen Text-Passwörtern befasst, was ziemlich riskant ist). Weiterhin deckt diese Anleitung auch die Installation von Amavisd, SpamAssassin und ClamAV ab, sodass E-Mails auf Spam und Viren überprüft werden.

Der Vorteil eines solchen “virtuellen” Setups (virtuelle Benutzer und Domains in einer MySQL Datenbank) ist, dass es weitaus leistungsfähiger als ein Setup, das auf “realen” Systembenutzern basiert. Mit diesem virtuellen Setup kann Dein Mail Server Tausende von Domains und Benutzern bedienen. Davon abgesehen, ist es einfacher zu verwalten, da man sich nur mit der MySQL Datenbank beschäftigen muss, wenn man neue Benutzer/Domains hinzufügt oder bereits vorhandene bearbeitet. Keine postmap Befehle mehr um db Dateien zu erstellen, kein Neuladen von Postfix, etc. Zur Administration der MySQL Datenbank kannst Du web-basierte Tools wie phpMyAdmin verwenden, die auch in dieser Anleitung installiert werden. Der dritte Vorteil ist, dass die Benutzer eine E-mail Adresse als Benutzernamen haben (anstelle eines Benutzernamens + E-mai Adresse), was einfacher zu verstehen ist und man kann es sich besser merken.

Diese Anleitung basiert auf Mandriva 2008.0 (i386). Du solltest bereits ein Mandriva Basissystem eingerichtet haben, wie in den Kapiteln 1 bis 7 dieser Anleitung: http://www.howtoforge.com/perfect_server_mandriva_2008.0 beschrieben wird.

Diese Anleitung ist ein praktischer Leitfaden und deckt kein theoretisches Hintergrundwissen ab. Dies wird in anderen Dokumenten im Web abgehandelt.

Diese Anleitung ist ohne jegliche Gewähr! Allerdings möchte ich an dieser Stelle darauf hinweisen, dass dies hier nicht der einzige Weg ist, ein solches System zu installieren. Es gibt viele Möglichkeiten - ich selbst habe mich für diese entschieden. Ich kann aber nicht garantieren, dass diese Lösung bei jedem funktioniert bzw. für jeden die richtige ist!

Vorbemerkung

Das System sollte eine statische IP Adresse haben. In dieser Anleitung verwende ich 192.168.0.100 als meine IP Adresse und server1.example.com als den Hostnamen.

1 Installation von Apache, MySQL, phpMyAdmin

Dies kann alles mit einem einzigen Befehl installiert werden:

urpmi MySQL MySQL-client libmysql15-devel phpmyadmin db4-devel html2text libsasl-devel openssl-devel openldap-devel pcre-devel postgresql-devel


2 Installation von Courier und Saslauthd

Um Courier und saslauthd zu installieren, lassen wir einfach Folgendes laufen:

urpmi courier-authlib courier-authlib-mysql courier-imap courier-pop cyrus-sasl libsasl2 libsasl2-devel libsasl2-plug-plain libsasl2-plug-anonymous libsasl2-plug-crammd5 libsasl2-plug-digestmd5 libsasl2-plug-gssapi libsasl2-plug-login


3 Anbringen von Quota Patch in Postfix

Wir müssen den Postfix Quelltext beziehen, ihn dann mit dem Quota Patch patchen, neue Postfix rpm Pakete erstellen und diese Pakete dann installieren.

cd /usr/src
wget ftp://ftp.uni-bayreuth.de/pub/linux/Mandrakelinux/official/2008.0/SRPMS/main/release/postfix-2.4.5-2mdv2008.0.src.rpm
rpm -ivh postfix-2.4.5-2mdv2008.0.src.rpm

Der letzte Befehl wird ein paar Warnungen anzeigen, die Du ignorieren kannst:

warning: user mandrake does not exist - using root
warning: group mandrake does not exist - using root

Nun patchen wir den Postfix Quelltext mit dem Postfix-2.4.5-vda-ng patch (von http://vda.sourceforge.net/):

cd /usr/src/rpm/SOURCES
tar xvfz postfix-2.4.5.tar.gz
wget http://vda.sourceforge.net/VDA/postfix-2.4.5-vda-ng.patch.gz
gunzip postfix-2.4.5-vda-ng.patch.gz
cd postfix-2.4.5
patch -p1 < ../postfix-2.4.5-vda-ng.patch
cd ..
mv postfix-2.4.5.tar.gz postfix-2.4.5.tar.gz_orig
tar -pczf postfix-2.4.5.tar.gz postfix-2.4.5/
rm -fr postfix-2.4.5/

Dann erstellen wir unser neues Postfix rpm Paket mit quota und MySQL Unterstützung:

cd /usr/src/rpm/SPECS/
rpmbuild -ba postfix.spec

Unser Postfix rpm Paket wird in /usr/src/rpm/RPMS/i586 erstellt, also gehen wir dahin:

cd /usr/src/rpm/RPMS/i586

Der Befehl

ls -l

zeigt die verfügbaren Pakete an:

[root@server1 i586]# ls -l
total 4552
-rw-r--r-- 1 root root 264550 2008-01-04 19:36 libpostfix1-2.4.5-2mdv2008.0.i586.rpm
-rw-r--r-- 1 root root 1746569 2008-01-04 19:36 postfix-2.4.5-2mdv2008.0.i586.rpm
-rw-r--r-- 1 root root 2540076 2008-01-04 19:36 postfix-debug-2.4.5-2mdv2008.0.i586.rpm
-rw-r--r-- 1 root root 24970 2008-01-04 19:36 postfix-ldap-2.4.5-2mdv2008.0.i586.rpm
-rw-r--r-- 1 root root 20132 2008-01-04 19:36 postfix-mysql-2.4.5-2mdv2008.0.i586.rpm
-rw-r--r-- 1 root root 20154 2008-01-04 19:36 postfix-pcre-2.4.5-2mdv2008.0.i586.rpm
-rw-r--r-- 1 root root 20196 2008-01-04 19:36 postfix-pgsql-2.4.5-2mdv2008.0.i586.rpm
[root@server1 i586]#

Deinstallieren zunächst Dein derzeitiges Postfix Paket...

urpme postfix

...wähle dann das postfix und das postfix-mysql Paket aus und installiere sie wie folgt:

rpm -ivh postfix-2.4.5-2mdv2008.0.i586.rpm postfix-mysql-2.4.5-2mdv2008.0.i586.rpm


4 Richte MySQL Passwörter ein und konfigure phpMyAdmin

Der Netzwerkbetrieb ist im Mandriva 2008 MySQL Paket standardmäßig nicht aktiviert. Jedoch wird der Netzwerkbetrieb von ISPConfig verlangt. Dies können wir ändern, indem wir die Zeile skip-networking in /etc/my.cnf auskommentieren:

vi /etc/my.cnf


[...]
# Don't listen on a TCP/IP port at all. This can be a security enhancement, # if all processes that need to connect to mysqld run on the same host. # All interaction with mysqld must be made via Unix sockets or named pipes. # Note that using this option without enabling named pipes on Windows # (via the "enable-named-pipe" option) will render mysqld useless! # #skip-networking [...]
Danach starten wir MySQL:

/etc/init.d/mysqld start

Überprüfe nun, ob der Netzwerkbetrieb aktiviert ist. Lass Folgendes laufen

netstat -tap | grep mysql

Die Ausgabe sollte wie folgt aussehen:

[root@server1 var]# netstat -tap | grep mysql
tcp 0 0 *:mysql-im *:* LISTEN 5697/mysqlmanager
tcp 0 0 *:mysql *:* LISTEN 5705/mysqld

Lass als Nächstes Folgendes laufen

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

um ein Passwort für den Benutzer Root einzurichten (sonst kann jeder auf Deine MySQL Datenbank zugreifen!).

Nun kannst Du Deinen Browser auf http://server1.example.com/phpmyadmin/ oder http://192.168.0.100/phpmyadmin/ ausrichten und Dich mit dem Benutzernamen Root und Deinen neuen Root MySQL Passwort anmelden.

5 Erstelle die MySQL Datenbank für Postfix/Courier

Wir erstellen einen Datenbank mit der Bezeichnung mail:

mysqladmin -u root -p create mail

Als Nächstes gehen wir zur MySQL Kommandozeile:

mysql -u root -p

In der MySQL Kommandozeile erstellen wir den Benutzer mail_admin mit dem Passwort mail_admin_password (ersetze es mit Deinem eigenen Passwort), der SELECT,INSERT,UPDATE,DELETE Privilegien in der mail Datenbank hat. Mit diesem Benutzer werden sich Postfix und Courier mit der mail Datenbank verbinden:

GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password';
FLUSH PRIVILEGES;

Immer noch in der MySQL Kommandozeile erstellen wir die Tabellen, die Postfix und Courier benötigen:

USE mail;


CREATE TABLE domains (
domain varchar(50) NOT NULL,
PRIMARY KEY (domain) )
TYPE=MyISAM;

CREATE TABLE forwardings (
source varchar(80) NOT NULL,
destination TEXT NOT NULL,
PRIMARY KEY (source) )
TYPE=MyISAM;

CREATE TABLE users (
email varchar(80) NOT NULL,
password varchar(20) NOT NULL,
quota INT(10) DEFAULT '10485760',
PRIMARY KEY (email)
) TYPE=MyISAM;

CREATE TABLE transport (
domain varchar(128) NOT NULL default '',
transport varchar(128) NOT NULL default '',
UNIQUE KEY domain (domain)
) TYPE=MyISAM;

quit;

Wie Du vielleicht festgestellt hast, haben wir mit dem quit; Befehl die MySQL Kommandozeile verlassen und sind zurück in der Linux Kommandozeile.

Die domains Tabelle wird jede virtuelle Domain speichern, für die Postfix E-Mails erhalten sollte (z.B. example.com).
domain
example.comDie forwardings Tabelle ist für das Aliasing einer E-Mail Adresse mit der anderen zustänidg, z.B. leite E-Mails für info@example.com an sales@example.com weiter.
source destination
info@example.com sales@example.comDie users Tabelle speichert alle virtuellen Benutzer (das heißt E-Mail Adressen, da die Adressen und der Benutzername das Gleiche ist) und Passwörter (in verschlüsselter Form!) sowie einen Quota-Wert für jede Mail Box (in diesem Beispiel ist der Standardwert 10485760 bytes, das heißt 10MB).
email password quota
sales@example.com No9.E4skNvGa. ("secret" in encrypted form) 10485760Die transport Tabelle ist optional, sie ist für fortgeschrittene Benutzer. Sie erlaubt Mails an einzelne Benutzer, ganze Domains oder alle Mails an einen anderen Server weiterzuleiten. Zum Beispiel würde
domain transport
example.com smtp:[1.2.3.4]alle E-Mails für example.com via smtp Protokoll an den Server mit der IP Adresse 1.2.3.4 weiterleiten (die eckigen Klammern [] bedeuten "schlage den MX DNS Record nicht nach" (was für IP Adressen Sinn macht...). Wenn Du stattdessen einen Fully Qualified Domain Name (FQDN) nutzt, verwendest Du die eckigen Klammern nicht.).

6 Konfiguriere Postfix

Nun müssen wir Postfix mitteilen, wo es alle Informationen in der Datenbank finden kann. Dafür müssen wir sechs Textdateien erstellen. Du wirst feststellen, dass ich Postfix mitteile, sich mit MySQL auf der IP Adresse 127.0.0.1 anstatt sich mit localhost zu verbinden. Postfix läuft in einem Chroot Gefängnis und hat keinen Zugriff auf den MySQL Socket welchen er versuchen würde zu verbinden, wenn ich Postfix mitgeteilt hätte, localhost zu verwenden. Wenn ich 127.0.0.1 verwende, nutzt Postfix den TCP Netzwerkbetrieb um sich mit MySQL zu verbinden, was auch im Chroot Gefängnis kein Problem darstellt (die Alternative wäre den MySQL Socket in ein Chroot Gefängnis zu verschieben, was wieder andere Probleme verursacht).

Lass uns nun unsere sechs Textdateien erstellen.

vi /etc/postfix/mysql-virtual_domains.cf


user = mail_admin
password = mail_admin_password dbname = mail query = SELECT domain AS virtual FROM domains WHERE domain='%s' hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_forwardings.cf


user = mail_admin
password = mail_admin_password dbname = mail query = SELECT destination FROM forwardings WHERE source='%s' hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_mailboxes.cf


user = mail_admin
password = mail_admin_password dbname = mail query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s' hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_email2email.cf


user = mail_admin
password = mail_admin_password dbname = mail query = SELECT email FROM users WHERE email='%s' hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_transports.cf


user = mail_admin
password = mail_admin_password dbname = mail query = SELECT transport FROM transport WHERE domain='%s' hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_mailbox_limit_maps.cf


user = mail_admin
password = mail_admin_password dbname = mail query = SELECT quota FROM users WHERE email='%s' hosts = 127.0.0.1

chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf

Nun erstellen wir einen Benutzer und eine Gruppe mit der Bezeichnung vmail und dem Home Verzeichnis /home/vmail. Dort werden alle Mail Boxes gespeichert werden.

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m

Als Nächstes nehmen wir eine Postfix Konfiguration vor. Stelle sicher, dass Du server1.example.com mit einem gültigen FQDN ersetzt, sonst kann es sein, dass Dein Postfix nicht richtig funktioniert!

postconf -e 'myhostname = server1.example.com'
postconf -e 'mydestination = server1.example.com, localhost, localhost.localdomain'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'virtual_alias_domains ='
postconf -e ' virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf'
postconf -e 'virtual_mailbox_base = /home/vmail'
postconf -e 'virtual_uid_maps = static:5000'
postconf -e 'virtual_gid_maps = static:5000'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/smtpd.cert'
postconf -e 'smtpd_tls_key_file = /etc/postfix/smtpd.key'
postconf -e 'transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf'
postconf -e 'virtual_create_maildirsize = yes'
postconf -e 'virtual_mailbox_extended = yes'
postconf -e 'virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf'
postconf -e 'virtual_mailbox_limit_override = yes'
postconf -e 'virtual_maildir_limit_message = "The user you are trying to reach is over quota."'
postconf -e 'virtual_overquota_bounce = yes'
postconf -e 'proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps'
postconf -e 'inet_interfaces = all'
postconf -e 'alias_database = hash:/etc/postfix/aliases'
postconf -e 'alias_maps = hash:/etc/postfix/aliases'

Danach erstellen wir das SSL Zertifikat, das wir für TLS benötigen:

cd /etc/postfix
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

Country Name (2 letter code) [GB]: <-- Gib Dein Land ein (z.B., "DE").
State or Province Name (full name) [Berkshire]: <-- Gib Dein Bundesland oder die Region ein.
Locality Name (eg, city) [Newbury]: <-- Gib Deine Stadt ein.
Organization Name (eg, company) [My Company Ltd]: <-- Gib den Namen Deiner Organisation ein (z.B., den Namen Deiner Firma).
Organizational Unit Name (eg, section) []: <-- Gib den Namen Deiner Abteilung ein (z.B. "IT Department").
Common Name (eg, your name or your server's hostname) []: <-- Gib den Fully Qualified Domain Name des Systems ein (z.B. "server1.example.com").
Email Address []: <-- Gib Deine E-Mail Adresse ein.

Ändere dann die Berechtigung des smtpd.key:

chmod o= /etc/postfix/smtpd.key


7 Konfiguriere Saslauthd

Bearbeite /etc/sasl2/smtpd.conf. So sollte es aussehen:

vi /etc/sasl2/smtpd.conf


# SASL library configuration file for postfix
# all parameters are documented into: # /usr/share/doc/cyrus-sasl/options.html # The mech_list parameters list the sasl mechanisms to use, # default being all mechs found. #mech_list: plain login # To authenticate using the separate saslauthd daemon, (e.g. for # system or ldap users). Also see /etc/sysconfig/saslauthd. #pwcheck_method: saslauthd #saslauthd_path: /var/lib/sasl2/mux # To authenticate against users stored in sasldb. #pwcheck_method: auxprop #auxprop_plugin: sasldb #sasldb_path: /var/lib/sasl2/sasl.db pwcheck_method: authdaemond log_level: 3 mech_list: PLAIN LOGIN authdaemond_path:/var/lib/authdaemon/socket
Starte dann Postfix, saslauthd und courier-authdaemon:

chmod 755 /var/lib/authdaemon
/etc/init.d/courier-authdaemon start
/etc/init.d/postfix start
/etc/init.d/saslauthd start

8 Konfiguriere Courier

Nun müssen wir Courier mitteilen, dass es sich gegenüber unserer MySQL Datenbank authentifizieren soll. Bearbeite zunächst /etc/courier/authdaemonrc und ändere den Wert von authmodulelist sodass es heißt

vi /etc/courier/authdaemonrc


[...]
authmodulelist="authmysql" #authmodulelist="authpam authpwd authshadow" [...]
Bearbeite dann /etc/courier/authmysqlrc. Es sollte ganz genau wie Folgendes aussehen (vergewissere Dich, dass Du die genauen Datenangaben eingibst):

cp /etc/courier/authmysqlrc /etc/courier/authmysqlrc_orig
cat /dev/null > /etc/courier/authmysqlrc
vi /etc/courier/authmysqlrc

MYSQL_SERVER localhost
MYSQL_USERNAME mail_admin MYSQL_PASSWORD mail_admin_password MYSQL_PORT 0 MYSQL_DATABASE mail MYSQL_USER_TABLE users MYSQL_CRYPT_PWFIELD password #MYSQL_CLEAR_PWFIELD password MYSQL_UID_FIELD 5000 MYSQL_GID_FIELD 5000 MYSQL_LOGIN_FIELD email MYSQL_HOME_FIELD "/home/vmail" MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') #MYSQL_NAME_FIELD MYSQL_QUOTA_FIELD quota
Starte dann Courier neu:

/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imapd restart
/etc/init.d/courier-pop3d restart

Indem Du Folgendes ausführst

telnet localhost pop3

kannst Du feststellen, ob Dein POP3 Server richtig funktioniert. Es sollte +OK Hello there zurückgeben. (Gib quit ein um wieder zur Linux Kommandozeile zu gelangen):

[root@server1 postfix]# telnet localhost pop3
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK Hello there.
quit
+OK Better luck next time.
Connection closed by foreign host.
[root@server1 postfix]#

9 Installiere Amavisd-new, SpamAssassin und ClamAV

Um amavisd-new, spamassassin und clamav zu installieren, lass folgenden Befehl laufen:

urpmi amavisd-new spamassassin spamassassin-spamc spamassassin-spamd pax cabextract lha lzop ncompress nomarch clamd clamav unzip bzip2 arj freeze p7zip

Nun müssen wir /etc/amavisd/amavisd.conf bearbeiten.

vi /etc/amavisd/amavisd.conf

In dieser Datei ändern wir sechs Stellen:

1) Ändere
$inet_socket_port = 10025;   # listen on this local TCP port(s)
zu
$inet_socket_port = 10024;   # listen on this local TCP port(s)
2) Ändere
$sa_tag_level_deflt  = 1.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.9; # add 'spam detected' headers at that level $sa_kill_level_deflt = 4.9; # triggers spam evasive actions (e.g. blocks mail) $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
zu
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level $sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions (e.g. blocks mail) $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
(Natürlich kannst Du die spam scores an Deine Wünsche anpassen.)

3) Ändere
# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], # ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], # ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); # @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database
zu
# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], # ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], # ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); # @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database @lookup_sql_dsn = ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'mail_admin', 'mail_admin_password'] ); $sql_select_policy = 'SELECT "Y" as local FROM domains WHERE CONCAT("@",domain) IN (%k)'; $sql_select_white_black_list = undef; # undef disables SQL white/blacklisting $recipient_delimiter = '+'; # (default is '+') $replace_existing_extension = 1; # (default is false) $localpart_is_case_sensitive = 0; # (default is false)
(Vergewissere Dich, dass Du die richtigen Dantenbankangaben eingibst!)

4) Ändere
# $recipient_delimiter = '+';  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
zu
$recipient_delimiter = undef;  # undef disables address extensions altogether
# $recipient_delimiter = '+'; # undef disables address extensions altogether # when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
5) Ändere
# $notify_method  = 'smtp:[127.0.0.1]:10026';
# $forward_method = 'smtp:[127.0.0.1]:10026'; # set to undef with milter!
zu
$notify_method  = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
6) Ändere
# $final_virus_destiny      = D_DISCARD;
# $final_banned_destiny = D_BOUNCE; # $final_spam_destiny = D_PASS; # $final_bad_header_destiny = D_PASS;
zu
$final_virus_destiny      = D_REJECT;
$final_banned_destiny = D_REJECT; $final_spam_destiny = D_PASS; $final_bad_header_destiny = D_PASS;
(Natürlich ist es ganz Dir überlassen, wie Du mit Spam und Viren verfährst. Ich habe mich entschlossen, Spam zu akzeptieren (D_PASS) damit Spam in meinem E-Mail Klienten mit einem einfachen Filter Rule gefiltert werden kann (das hängt von dem ab, was von amavisd-new überschrieben wird, wenn es denkt, dass eine Mail Spam ist). Die zulässigen Aktionen (D_PASS, D_DISCARD, D_BOUNCE, and D_REJECT) sind hier beschrieben: http://www.ijs.si/software/amavisd/amavisd-new-docs.html#actions)

Nach meinen Änderungen sieht /etc/amavisd/amavisd.conf wie folgt aus:
use strict;
# a minimalistic configuration file for amavisd-new with all necessary settings # # see amavisd.conf-default for a list of all variables with their defaults; # see amavisd.conf-sample for a traditional-style commented file; # for more details see documentation in INSTALL, README_FILES/* # and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html # COMMONLY ADJUSTED SETTINGS: # @bypass_virus_checks_maps = (1); # controls running of anti-virus code # @bypass_spam_checks_maps = (1); # controls running of anti-spam code # $bypass_decode_parts = 1; # controls running of decoders&dearchivers $max_servers = 2; # num of pre-forked children (2..15 is common), -m $daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u $daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g $mydomain = 'localhost.localdomain'; # a convenient default for other settings # $MYHOME = '/var/lib/amavis'; # a convenient default for other settings, -H $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. $QUARANTINEDIR = '/var/spool/amavis/virusmails'; # -Q # $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine # $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R # $db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D # $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S # $lock_file = "$MYHOME/var/lib/amavisd.lock"; # -L # $pid_file = "$MYHOME/var/lib/amavisd.pid"; # -P #NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually $log_level = 0; # verbosity 0..5, -d $log_recip_templ = undef; # disable by-recipient level-0 log entries $DO_SYSLOG = 1; # log via syslogd (preferred) $syslog_facility = 'mail'; # Syslog facility as a string # e.g.: mail, daemon, user, local0, ... local7 $syslog_priority = 'debug'; # Syslog base (minimal) priority as a string, # choose from: emerg, alert, crit, err, warning, notice, info, debug $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 $nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed @local_domains_maps = ( [".$mydomain"] ); # list of all local domains @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); $unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter # option(s) -p overrides $inet_socket_port and $unix_socketname $inet_socket_port = 10024; # listen on this local TCP port(s) # $inet_socket_port = [10024,10026]; # listen on multiple TCP ports $policy_bank{'MYNETS'} = { # mail originating from @mynetworks originating => 1, # is true in MYNETS by default, but let's make it explicit os_fingerprint_method => undef, # don't query p0f for internal clients }; # it is up to MTA to re-route mail from authenticated roaming users or # from internal hosts to a dedicated TCP port (such as 10026) for filtering $interface_policy{'10026'} = 'ORIGINATING'; $policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users originating => 1, # declare that mail was submitted by our smtp client allow_disclaimers => 1, # enables disclaimer insertion if available # notify administrator of locally originating malware virus_admin_maps => ["virusalert@$mydomain"], spam_admin_maps => ["virusalert@$mydomain"], warnbadhsender => 1, # forward to a smtpd service providing DKIM signing service forward_method => 'smtp:[127.0.0.1]:10027', # force MTA conversion to 7-bit (e.g. before DKIM signing) smtpd_discard_ehlo_keywords => ['8BITMIME'], bypass_banned_checks_maps => [1], # allow sending any file names and types terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option }; $interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname # Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c # (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'): $policy_bank{'AM.PDP-SOCK'} = { protocol => 'AM.PDP', auth_required_release => 0, # do not require secret_id for amavisd-release }; #$sa_tag_level_deflt = 1.0; # add spam info headers if at, or above that level #$sa_tag2_level_deflt = 4.9; # add 'spam detected' headers at that level #$sa_kill_level_deflt = 4.9; # triggers spam evasive actions (e.g. blocks mail) #$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level $sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions (e.g. blocks mail) $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent # $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off $penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database) $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam $sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger $sa_local_tests_only = 0; # only tests which do not require internet access? # @lookup_sql_dsn = # ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], # ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], # ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); # @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database @lookup_sql_dsn = ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'mail_admin', 'mail_admin_password'] ); $sql_select_policy = 'SELECT "Y" as local FROM domains WHERE CONCAT("@",domain) IN (%k)'; $sql_select_white_black_list = undef; # undef disables SQL white/blacklisting $recipient_delimiter = '+'; # (default is '+') $replace_existing_extension = 1; # (default is false) $localpart_is_case_sensitive = 0; # (default is false) # $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; # defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16) $virus_admin = "virusalert@$mydomain"; # notifications recip. $mailfrom_notify_admin = "virusalert@$mydomain"; # notifications sender $mailfrom_notify_recip = "virusalert@$mydomain"; # notifications sender $mailfrom_notify_spamadmin = "spam.police@$mydomain"; # notifications sender $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef @addr_extension_virus_maps = ('virus'); @addr_extension_banned_maps = ('banned'); @addr_extension_spam_maps = ('spam'); @addr_extension_bad_header_maps = ('badh'); $recipient_delimiter = undef; # undef disables address extensions altogether # $recipient_delimiter = '+'; # undef disables address extensions altogether # when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+ $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; # $dspam = 'dspam'; $MAXLEVELS = 14; $MAXFILES = 1500; $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) $sa_spam_subject_tag = '***SPAM*** '; $defang_virus = 1; # MIME-wrap passed infected mail $defang_banned = 1; # MIME-wrap passed mail containing banned name # for defanging bad headers only turn on certain minor contents categories: $defang_by_ccat{+CC_BADH.",3"} = 1; # NUL or CR character in header $defang_by_ccat{+CC_BADH.",5"} = 1; # header line longer than 998 characters $defang_by_ccat{+CC_BADH.",6"} = 1; # header field syntax error # OTHER MORE COMMON SETTINGS (defaults may suffice): # $myhostname = 'host.example.com'; # must be a fully-qualified domain name! $notify_method = 'smtp:[127.0.0.1]:10025'; $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter! # $final_virus_destiny = D_DISCARD; # $final_banned_destiny = D_BOUNCE; # $final_spam_destiny = D_PASS; # $final_bad_header_destiny = D_PASS; $final_virus_destiny = D_REJECT; $final_banned_destiny = D_REJECT; $final_spam_destiny = D_PASS; $final_bad_header_destiny = D_PASS; # $os_fingerprint_method = 'p0f:127.0.0.1:2345'; # to query p0f-analyzer.pl ## hierarchy by which a final setting is chosen: ## policy bank (based on port or IP address) -> *_by_ccat ## *_by_ccat (based on mail contents) -> *_maps ## *_maps (based on recipient address) -> final configuration value # SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all) # $warnbadhsender, # $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps) # # @bypass_virus_checks_maps, @bypass_spam_checks_maps, # @bypass_banned_checks_maps, @bypass_header_checks_maps, # # @virus_lovers_maps, @spam_lovers_maps, # @banned_files_lovers_maps, @bad_header_lovers_maps, # # @blacklist_sender_maps, @score_sender_maps, # # $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to, # $bad_header_quarantine_to, $spam_quarantine_to, # # $defang_bad_header, $defang_undecipherable, $defang_spam # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS @keep_decoded_original_maps = (new_RE( # qr'^MAIL$', # retain full original message for virus checking (can be slow) qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, # qr'^Zip archive data', # don't trust Archive::Zip )); # for $banned_namepath_re (a new-style of banned table) see amavisd.conf-sample $banned_filename_re = new_RE( ### BLOCKED ANYWHERE # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components qr'^.(exe-ms|dll)$', # banned file(1) types, rudimentary # qr'^.(exe|lha|tnef|cab|dll)$', # banned file(1) types ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: # [ qr'^.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 [ qr'^.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives qr'..(pif|scr)$'i, # banned extensions - rudimentary # qr'^.zip$', # block zip type ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: # [ qr'^.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, # qr'^message/partial$'i, # rfc2046 MIME type # qr'^message/external-body$'i, # rfc2046 MIME type # qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type # qr'^.wmf$', # Windows Metafile file(1) type # block certain double extensions in filenames qr'.[^./]*[A-Za-z][^./]*.s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.s]*$'i, # qr'{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}}?'i, # Class ID CLSID, strict # qr'{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}}?'i, # Class ID extension CLSID, loose qr'..(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic # qr'..(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd # qr'..(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| # inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst| # ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs| # wmf|wsc|wsf|wsh)$'ix, # banned ext - long # qr'..(ani|cur|ico)$'i, # banned cursors and icons filename # qr'^.ani$', # banned animated cursor file(1) type # qr'..(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. ); # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 # and http://www.cknow.com/vtutor/vtextensions.htm # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING @score_sender_maps = ({ # a by-recipient hash lookup table, # results from all matching recipient tables are summed # ## per-recipient personal tables (NOTE: positive: black, negative: white) # 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], # 'user3@example.com' => [{'.ebay.com' => -3.0}], # 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, # '.cleargreen.com' => -5.0}], ## site-wide opinions about senders (the '.' matches any recipient) '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new.tld.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)d*@'i => 5.0], ), # read_hash("/var/lib/amavis/sender_scores_sitewide"), { # a hash-type lookup table (associative array) 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net'=> -3.0, 'amavis-user-bounces@lists.sourceforge.net' => -3.0, 'spamassassin.apache.org' => -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables }); @decoders = ( ['mail', &do_mime_decode], ['asc', &do_ascii], ['uue', &do_ascii], ['hqx', &do_ascii], ['ync', &do_ascii], ['F', &do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], ['Z', &do_uncompress, ['uncompress','gzip -d','zcat'] ], ['gz', &do_uncompress, 'gzip -d'], ['gz', &do_gunzip], ['bz2', &do_uncompress, 'bzip2 -d'], ['lzo', &do_uncompress, 'lzop -d'], ['rpm', &do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], ['cpio', &do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar', &do_pax_cpio, ['pax','gcpio','cpio'] ], ['deb', &do_ar, 'ar'], # ['a', &do_ar, 'ar'], # unpacking .a seems an overkill ['zip', &do_unzip], ['7z', &do_7zip, ['7zr','7za','7z'] ], ['rar', &do_unrar, ['rar','unrar'] ], ['arj', &do_unarj, ['arj','unarj'] ], ['arc', &do_arc, ['nomarch','arc'] ], ['zoo', &do_zoo, ['zoo','unzoo'] ], ['lha', &do_lha, 'lha'], # ['doc', &do_ole, 'ripole'], ['cab', &do_cabextract, 'cabextract'], ['tnef', &do_tnef_ext, 'tnef'], ['tnef', &do_tnef], # ['sit', &do_unstuff, 'unstuff'], # broken/unsafe decoder ['exe', &do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], ); @av_scanners = ( # ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/) # ['Sophie', # &ask_daemon, ["{}/n", '/var/run/sophie'], # qr/(?x)^ 0+ ( : | [?00rn]* $)/, qr/(?x)^ 1 ( : | [?00rn]* $)/, # qr/(?x)^ [-+]? d+ : (.*?) [?00rn]* $/ ], # ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ # ['Sophos SAVI', &sophos_savi ], # ### http://www.clamav.net/ ['ClamAV-clamd', &ask_daemon, ["CONTSCAN {}n", "/var/lib/clamav/clamd.socket"], qr/bOK$/, qr/bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], # NOTE: run clamd under the same user as amavisd, or run it under its own # uid such as clamav, add user clamav to the amavis group, and then add # AllowSupplementaryGroups to clamd.conf; # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in # this entry; when running chrooted one may prefer socket "$MYHOME/clamd". # ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) # # note that Mail::ClamAV requires perl to be build with threading! # ['Mail::ClamAV', &ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/], # ### http://www.openantivirus.org/ # ['OpenAntiVirus ScannerDaemon (OAV)', # &ask_daemon, ["SCAN {}n", '127.0.0.1:8127'], # qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ], # ### http://www.vanja.com/tools/trophie/ # ['Trophie', # &ask_daemon, ["{}/n", '/var/run/trophie'], # qr/(?x)^ 0+ ( : | [?00rn]* $)/, qr/(?x)^ 1 ( : | [?00rn]* $)/, # qr/(?x)^ [-+]? d+ : (.*?) [?00rn]* $/ ], # ### http://www.grisoft.com/ # ['AVG Anti-Virus', # &ask_daemon, ["SCAN {}n", '127.0.0.1:55555'], # qr/^200/, qr/^403/, qr/^403 .*?: ([^rn]+)/ ], # ### http://www.f-prot.com/ # ['FRISK F-Prot Daemon', # &ask_daemon, # ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0rnrn", # ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202', # '127.0.0.1:10203','127.0.0.1:10204'] ], # qr/(?i)<summary[^>]*>clean</summary>/, # qr/(?i)<summary[^>]*>infected</summary>/, # qr/(?i)<name>(.+)</name>/ ], # ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ # ['DrWebD', &ask_daemon, # DrWebD 4.31 or later # [pack('N',1). # DRWEBD_SCAN_CMD # pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES # pack('N', # path length # length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). # '{}/*'. # path # pack('N',0). # content size # pack('N',0), # '/var/drweb/run/drwebd.sock', # # '/var/lib/amavis/var/run/drwebd.sock', # suitable for chroot # # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default # # '127.0.0.1:3000', # or over an inet socket # ], # qr/Ax00[x10x11][x00x10]x00/s, # IS_CLEAN,EVAL_KEY; SKIPPED # qr/Ax00[x00x01][x00x10][x20x40x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF # qr/A.{12}(?:infected with )?([^x00]+)x00/s, # ], # # NOTE: If using amavis-milter, change length to: # # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). ### http://www.kaspersky.com/ (kav4mailservers) ['KasperskyLab AVP - aveclient', ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/b(INFECTED|SUSPICION|SUSPICIOUS)b/, qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/, ], # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, # currupted or protected archives are to be handled ### http://www.kaspersky.com/ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? qr/infected: (.+)/, sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ### The kavdaemon and AVPDaemonClient have been removed from Kasperky ### products and replaced by aveserver and aveclient ['KasperskyLab AVPDaemonClient', [ '/opt/AVP/kavdaemon', 'kavdaemon', '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', '/opt/AVP/AvpTeamDream', 'AvpTeamDream', '/opt/AVP/avpdc', 'avpdc' ], "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^rn]+)/ ], # change the startup-script in /etc/init.d/kavd to: # DPARMS="-* -Y -dl -f=/var/lib/amavis /var/lib/amavis" # (or perhaps: DPARMS="-I0 -Y -* /var/lib/amavis" ) # adjusting /var/lib/amavis above to match your $TEMPBASE. # The '-f=/var/lib/amavis' is needed if not running it as root, so it # can find, read, and write its pid file, etc., see 'man kavdaemon'. # defUnix.prf: there must be an entry "*/var/lib/amavis" (or whatever # directory $TEMPBASE specifies) in the 'Names=' section. # cd /opt/AVP/DaemonClients; configure; cd Sample; make # cp AvpDaemonClient /opt/AVP/ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" ### http://www.centralcommand.com/ ['CentralCommand Vexira (new) vascan', ['vascan','/usr/lib/Vexira/vascan'], "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". "--log=/var/log/vascan.log {}", [0,3], [1,2,5], qr/(?x)^s* (?:virus|iworm|macro|mutant|sequence|trojan) found: ( [^]s']+ ) ... / ], # Adjust the path of the binary and the virus database as needed. # 'vascan' does not allow to have the temp directory to be the same as # the quarantine directory, and the quarantine option can not be disabled. # If $QUARANTINEDIR is not used, then another directory must be specified # to appease 'vascan'. Move status 3 to the second list if password # protected files are to be considered infected. ### http://www.avira.com/ ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus ['Avira AntiVir', ['antivir','vexira'], '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/, qr/(?x)^s* (?: ALERT: s* (?: [ | [^']* ' ) | (?i) VIRUS: .*? virus '?) ( [^]s']+ )/ ], # NOTE: if you only have a demo version, remove -z and add 214, as in: # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, ### http://www.commandsoftware.com/ ['Command AntiVirus for Linux', 'csav', '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/ ], ### http://www.symantec.com/ ['Symantec CarrierScan via Symantec CommandLineScanner', 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', qr/^Files Infected:s+0$/, qr/^Infectedb/, qr/^(?:Info|Virus Name):s+(.+)/ ], ### http://www.symantec.com/ ['Symantec AntiVirus Scan Engine', 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', [0], qr/^Infectedb/, qr/^(?:Info|Virus Name):s+(.+)/ ], # NOTE: check options and patterns to see which entry better applies # ### http://www.f-secure.com/products/anti-virus/ version 4.65 # ['F-Secure Antivirus for Linux servers', # ['/opt/f-secure/fsav/bin/fsav', 'fsav'], # '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '. # '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8], # qr/(?:infection|Infected|Suspected): (.+)/ ], ### http://www.f-secure.com/products/anti-virus/ version 5.52 ['F-Secure Antivirus for Linux servers', ['/opt/f-secure/fsav/bin/fsav', 'fsav'], '--virus-action1=report --archive=yes --auto=yes '. '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], qr/(?:infection|Infected|Suspected|Riskware): (.+)/ ], # NOTE: internal archive handling may be switched off by '--archive=no' # to prevent fsav from exiting with status 9 on broken archives # ### http://www.avast.com/ # ['avast! Antivirus daemon', # &ask_daemon, # greets with 220, terminate with QUIT # ["SCAN {}?15?12QUIT?15?12", '/var/run/avast4/mailscanner.sock'], # qr/t[+]/, qr/t[L]t/, qr/t[L]t([^[ t?15?12]+)/ ], # ### http://www.avast.com/ # ['avast! Antivirus - Client/Server Version', 'avastlite', # '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], # qr/t[L]t([^[ t?15?12]+)/ ], ['CAI InoculateIT', 'inocucmd', # retired product '-sec -nex {}', [0], [100], qr/was infected by virus (.+)/ ], # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) ['CAI eTrust Antivirus', 'etrust-wrapper', '-arc -nex -spm h {}', [0], [101], qr/is infected by virus: (.+)/ ], # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 ### http://mks.com.pl/english.html ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2], qr/--[ t]*(.+)/ ], ### http://mks.com.pl/english.html ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7], qr/^... (S+)/ ], # ### http://www.nod32.com/, version v2.52 and above # ['ESET NOD32 for Linux Mail servers', # ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'], # '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '. # '-w -a --action-on-infected=accept --action-on-uncleanable=accept '. # '--action-on-notscanned=accept {}', # [0,3], [1,2], qr/virus="([^"]+)"/ ], ### http://www.eset.com/, version v2.7 ['ESET NOD32 Linux Mail Server - command line interface', ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'], '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ], ## http://www.nod32.com/, NOD32LFS version 2.5 and above ['ESET NOD32 for Linux File servers', ['/opt/eset/nod32/sbin/nod32','nod32'], '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. '-w -a --action=1 -b {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ], # Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 # ['ESET Software NOD32 Client/Server (NOD32SS)', # &ask_daemon2, # greets with 200, persistent, terminate with QUIT # ["SCAN {}/*rn", '127.0.0.1:8448' ], # qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ], ### http://www.norman.com/products_nvc.shtml ['Norman Virus Control v5 / Linux', 'nvcc', '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], qr/(?i).* virus in .* -> '(.+)'/ ], ### http://www.pandasoftware.com/ ['Panda CommandLineSecure 9 for Linux', ['/opt/pavcl/usr/bin/pavcl','pavcl'], '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', qr/Number of files infected[ .]*: 0+(?!d)/, qr/Number of files infected[ .]*: 0*[1-9]/, qr/Found virus :s*(S+)/ ], # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' # before starting amavisd - the bases are then loaded only once at startup. # To reload bases in a signature update script: # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr # Please review other options of pavcl, for example: # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies # ### http://www.pandasoftware.com/ # ['Panda Antivirus for Linux', ['pavcl'], # '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', # [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], # qr/Found virus :s*(S+)/ ], # GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. # Check your RAV license terms before fiddling with the following two lines! # ['GeCAD RAV AntiVirus 8', 'ravav', # '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ], # # NOTE: the command line switches changed with scan engine 8.5 ! # # (btw, assigning stdin to /dev/null causes RAV to fail) ### http://www.nai.com/ ['NAI McAfee AntiVirus (uvscan)', 'uvscan', '--secure -rv --mime --summary --noboot - {}', [0], [13], qr/(?x) Found (?: the (.+) (?:virus|trojan) | (?:virus|trojan) or variant ([^ ]+) | : (.+) NOT a virus)/, # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, # sub {delete $ENV{LD_PRELOAD}}, ], # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 # and then clear it when finished to avoid confusing anything else. # NOTE2: to treat encrypted files as viruses replace the [13] with: # qr/^s{5,}(Found|is password-protected|.*(virus|trojan))/ ### http://www.virusbuster.hu/en/ ['VirusBuster', ['vbuster', 'vbengcl'], "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], qr/: '(.*)' - Virus/ ], # VirusBuster Ltd. does not support the daemon version for the workstation # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of # binaries, some parameters AND return codes have changed (from 3 to 1). # See also the new Vexira entry 'vascan' which is possibly related. # ### http://www.virusbuster.hu/en/ # ['VirusBuster (Client + Daemon)', 'vbengd', # '-f -log scandir {}', [0], [3], # qr/Virus found = (.*);/ ], # # HINT: for an infected file it always returns 3, # # although the man-page tells a different story ### http://www.cyber.com/ ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/, # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, ], ### http://www.avast.com/ ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], '-a -i -n -t=A {}', [0], [1], qr/binfected by:s+([^ tn[]]+)/ ], ### http://www.ikarus-software.com/ ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40], qr/Signature (.+) found/ ], ### http://www.bitdefender.com/ ['BitDefender', 'bdc', '--arc --mail {}', qr/^Infected files *:0+(?!d)/, qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, qr/(?:suspected|infected): (.*)(?:?33|$)/ ], # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may # not apply to your version of bdc, check documentation and see 'bdc --help' ### ArcaVir for Linux and Unix http://www.arcabit.pl/ ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], '-v 1 -summary 0 -s {}', [0], [1,2], qr/(?:VIR|WIR):[ t]*(.+)/ ], # ['File::Scan', sub {Amavis::AV::ask_av(sub{ # use File::Scan; my($fn)=@_; # my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); # my($vname) = $f->scan($fn); # $f->error ? (2,"Error: ".$f->error) # : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) }, # ["{}/*"], [0], [1], qr/^(.*) FOUND$/ ], # ### fully-fledged checker for JPEG marker segments of invalid length # ['check-jpeg', # sub { use JpegTester (); Amavis::AV::ask_av(&JpegTester::test_jpeg, @_) }, # ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ], # # NOTE: place file JpegTester.pm somewhere where Perl can find it, # # for example in /usr/local/lib/perl5/site_perl ); @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], qr/:.*sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ### http://www.f-prot.com/ - backs up F-Prot Daemon ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], qr/(?:Infection:|security risk named) (.+)|s+containss+(.+)$/ ], ### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], ### http://www.kaspersky.com/ ['Kaspersky Antivirus v5.5', ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', '/opt/kav/5.5/kav4unix/bin/kavscanner', '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/ , # sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, # sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], # Commented out because the name 'sweep' clashes with Debian and FreeBSD # package/port of an audio editor. Make sure the correct 'sweep' is found # in the path when enabling. # # ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl # ['Sophos Anti Virus (sweep)', 'sweep', # '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. # '--no-reset-atime {}', # [0,2], qr/Virus .*? found/, # qr/^>>> Virus(?: fragment)? '?(.*?)'? found/, # ], # # other options to consider: -idedir=/usr/local/sav # always succeeds (uncomment to consider mail clean if all other scanners fail) # ['always-clean', sub {0}], ); 1; # insure a defined return
amavisd-new ist das Programm, das Postfix und SpamAssassin/ClamAV zusammenfügt. Postfix leitet die Mails an amavisd-new weiter, was dann SpamAssassin und ClamAV aufruft, die Mails zu scannen. Sieh Dir bitte die Einstellungen für Spamassassin und ClamAV in /etc/amavisd/amavisd.conf an. Selbstverständlich kannst Du diese Datei noch weiter anpassen. Sieh Dir dazu die Erklärungen in der originalen /etc/amavisd/amavisd.conf Datei an!


Starte danach clamd, freshclam (das Tool, das die neusten Virussignaturen aus dem Internet bezieht, um calmd zu aktualisieren) und amavisd:

/etc/init.d/clamd start
/etc/init.d/amavisd start
freshclam
/etc/init.d/freshclam start

Nun müssen wir Postfix so konfigurieren, dass es eingehende Mails durch amavisd-new leitet:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'

Füge danach folgende Zeilen /etc/postfix/master.cf an:

vi /etc/postfix/master.cf


[...]
amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_bind_address=127.0.0.1
und starte Postfix neu:

/etc/init.d/postfix restart


10 Installation von Razor, Pyzor und DCC und Konfiguration von SpamAssassin

Razor, Pyzor und DCC sind Spamfilter, die ein gemeinsames Filternetzwerk verwenden. Um Razor, Pyzor und DCC zu installieren, lass Folgendes laufen

urpmi perl-Razor-Agent pyzor dcc

Initialisiere dann Razor und Pyzor:

chmod -R a+rX /usr/share/doc/pyzor-0.4.0 /usr/bin/pyzor /usr/bin/pyzord
chmod -R a+rX /usr/lib/python2.5/site-packages/pyzor
chown amavis:amavis /var/spool/amavis/
su -m amavis -c 'pyzor --homedir /var/spool/amavis discover'
su -m amavis -c 'razor-admin -home=/var/spool/amavis -create'
su -m amavis -c 'razor-admin -home=/var/spool/amavis -register'

Nun müssen wir SpamAssassin mitteilen, diese drei Proramme zu verwenden. Bearbeite /etc/mail/spamassassin/local.cf sodass es wie folgt aussieht:

cp /etc/mail/spamassassin/local.cf /etc/mail/spamassassin/local.cf_orig
cat /dev/null > /etc/mail/spamassassin/local.cf
vi /etc/mail/spamassassin/local.cf

# dcc
use_dcc 1 dcc_path /usr/bin/dccproc #pyzor use_pyzor 1 pyzor_path /usr/bin/pyzor #razor use_razor2 1 razor_config /var/spool/amavis/razor-agent.conf #bayes use_bayes 1 use_bayes_rules 1 bayes_auto_learn 1
Dann müssen wir den DCC plugin in SpamAssassin freischalten. Öffne /etc/mail/spamassassin/v310.pre und aktiviere die loadplugin Mail::SpamAssassin::Plugin::DCC Zeile:

vi /etc/mail/spamassassin/v310.pre


[...]
# DCC - perform DCC message checks. # # DCC is disabled here because it is not open source. See the DCC # license for more details. # loadplugin Mail::SpamAssassin::Plugin::DCC [...]
Du kannst Deine SpamAssassin Konfiguration überprüfen, indem Du Folgendes ausführst:

spamassassin --lint

Es sollten keine Fehler angezeigt werden.

Lass danach Folgendes laufen

/etc/init.d/amavisd restart

Nun möchte ich einige benutzerdefinierte Regeln (Rulesets) in SpamAssassin einfügen, die man im Internet finden kann. Ich habe diese Regeln getestet. Sie gestalten das Filtern von Spam sehr viel effektiver. Erstelle die Datei /usr/local/sbin/sa_rules_update.sh:

vi /usr/local/sbin/sa_rules_update.sh


#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf -O 71_sare_redirect_pre3.0.0.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf -O 70_sare_bayes_poison_nxm.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html.cf -O 70_sare_html.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html4.cf -O 70_sare_html4.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html_x30.cf -O 70_sare_html_x30.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header0.cf -O 70_sare_header0.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header3.cf -O 70_sare_header3.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header_x30.cf -O 70_sare_header_x30.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_specific.cf -O 70_sare_specific.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_adult.cf -O 70_sare_adult.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf -O 72_sare_bml_post25x.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf -O 99_sare_fraud_post25x.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_spoof.cf -O 70_sare_spoof.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_random.cf -O 70_sare_random.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_oem.cf -O 70_sare_oem.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf -O 70_sare_genlsubj0.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf -O 70_sare_genlsubj3.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj_x30.cf -O 70_sare_genlsubj_x30.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_unsub.cf -O 70_sare_unsub.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_uri.cf -O 70_sare_uri.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.timj.co.uk/linux/bogus-virus-warnings.cf -O bogus-virus-warnings.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.yackley.org/sa-rules/evilnumbers.cf -O evilnumbers.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.stearns.org/sa-blacklist/random.current.cf -O random.current.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_body.cf -O 88_FVGT_body.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_rawbody.cf -O 88_FVGT_rawbody.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_subject.cf -O 88_FVGT_subject.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_headers.cf -O 88_FVGT_headers.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_uri.cf -O 88_FVGT_uri.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_DomainDigits.cf -O 99_FVGT_DomainDigits.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf -O 99_FVGT_Tripwire.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_meta.cf -O 99_FVGT_meta.cf &> /dev/null cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.nospamtoday.com/download/mime_validate.cf -O mime_validate.cf &> /dev/null /etc/init.d/amavisd restart &> /dev/null exit 0
Führe Folgendes aus um das Skript ausführbar zu machen:

chmod 755 /usr/local/sbin/sa_rules_update.sh

Führe das Skript einmal aus. Es bezieht diese Rulesets und sie in SpamAssassin einfügen:

/usr/local/sbin/sa_rules_update.sh

Wir erstellen einen Cron Job, damit diese Rulesets regelmäßig aktualisiert werden. Führe Folgendes aus

crontab -e

um den Cron Job Editor zu öffnen. Erstelle folgenden Cron Job:
23 4 */2 * * /usr/local/sbin/sa_rules_update.sh &> /dev/null
Somit werden die Rulesets jeden zweiten Tag um 4.23 Uhr aktualisiert.

11 Quota Überschreitungsmeldung

Wenn Du Meldungen bezüglich aller E-Mail Konten erhalten möchtest, die über Quota sind, dann führe Folgendes aus:

cd /usr/local/sbin/
wget http://puuhis.net/vhcs/quota.txt
mv quota.txt quota_notify
chmod 755 quota_notify

Öffne /usr/local/sbin/quota_notify und bearbeite die Variabeln am Anfang der Datei. Weiter unten (gegen Ende der Datei) sind zwei Zeilen, an die Du ein % Zeichen anhängen solltest:

vi /usr/local/sbin/quota_notify


[...]
my $POSTFIX_CF = "/etc/postfix/main.cf"; my $MAILPROG = "/usr/sbin/sendmail -t"; my $WARNPERCENT = 80; my @POSTMASTERS = ('postmaster@yourdomain.tld'); my $CONAME = 'My Company'; my $COADDR = 'postmaster@yourdomain.tld'; my $SUADDR = 'postmaster@yourdomain.tld'; my $MAIL_REPORT = 1; my $MAIL_WARNING = 1; [...] print "Subject: WARNING: Your mailbox is $lusers{$luser}% full.n"; [...] print "Your mailbox: $luser is $lusers{$luser}% full.nn"; [...]
Führe Folgendes aus

crontab -e

um einen Cron Job für dieses Skript zu erstellen:
0 0 * * * /usr/local/sbin/quota_notify &> /dev/null

12 Postfix Testen

Um zu sehen, ob Postfix bereit ist für SMTP-AUTH und TLS, führe Folgendes aus

telnet localhost 25

Nachdem Du die Verbindung zu Deinem Postfix Mail Server eingerichtet hast, tippe

ehlo localhost

Wenn Du die Zeile

250-STARTTLS
und

250-AUTH PLAIN LOGIN
siehst, ist alles in Ordnung.

[root@server1 postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (2.4.5) (Mandriva Linux)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 postfix]#

Gib ein

quit

um zur Kommandozeile des Systems zurückzukehren.

13 Die Datenbank füllen und testen

Um die Datenbank zu füllen, kannst Du die MySQL Kommandozeile verwenden:

mysql -u root -p
USE mail;

Du musst wenigstens Einträge in den Tabellen domains und users erstellen:

INSERT INTO `domains` (`domain`) VALUES ('example.com');
INSERT INTO `users` (`email`, `password`, `quota`) VALUES ('sales@example.com', ENCRYPT('secret'), 10485760);

(Bitte pass auf, dass Du den ENCRYPT Syntax im zweiten INSERT Statement verwendest, um das Passwort zu verschlüsseln!)

Wenn Du Einträge in den anderen zwei Tabellen vornehmen möchtest, würde dies so aussehen:

INSERT INTO `forwardings` (`source`, `destination`) VALUES ('info@example.com', 'sales@example.com');
INSERT INTO `transport` (`domain`, `transport`) VALUES ('example.com', 'smtp:mail.example.com');

Um die MySQL Kommandozeile zu verlassen, gib Folgendes ein

quit;

Für die Meisten ist es einfachen wenn sie ein grafisches Front-End zu MySQL haben; daher kannst Du auch phpMyAdmin (in diesem Beispiel unter http://192.168.0.100/phpmyadmin/ oder http://server1.example.com/phpmyadmin/) verwenden um die mail Datenbank zu verwalten. Nochmal, wenn Du einen Benutzer einrichtest, vergewissere Dich, dass Du die ENCRYPT Funktion zum Verschlüsseln des Passwortes verwendest:


Ich denke nicht, dass ich die domains und users Tabelle weiter erklären muss.

Die forwardings Tabelle kann Einträge wie den folgenden haben:
source destination  
info@example.com sales@example.com Redirects emails for info@example.com to sales@example.com
@example.com thomas@example.com Creates a Catch-All account for thomas@example.com. All emails to example.com will arrive at thomas@example.com, except those that exist in the users table (i.e., if sales@example.com exists in the users table, mails to sales@example.com will still arrive at sales@example.com).
@example.com @anotherdomain.tld This redirects all emails to example.com to the same user at anotherdomain.tld. E.g., emails to thomas@example.com will be forwarded to thomas@anotherdomain.tld.
info@example.com sales@example.com, billing@anotherdomain.tld Forward emails for info@example.com to two or more email addresses. All listed email addresses under destination receive a copy of the email.Die transport Tabelle kann Einträge wie diese haben:
domain transport  
example.com : Delivers emails for example.com locally. This is as if this record would not exist in this table at all.
example.com smtp:mail.anotherdomain.tld Delivers all emails for example.com via smtp to the server mail.anotherdomain.com.
example.com smtp:mail.anotherdomain.tld:2025 Delivers all emails for example.com via smtp to the server mail.anotherdomain.com, but on port 2025, not 25 which is the default port for smtp.
example.com smtp:[1.2.3.4]
smtp:[1.2.3.4]:2025
smtp:[mail.anotherdomain.tld]
The square brackets prevent Postfix from doing lookups of the MX DNS record for the address in square brackets. Makes sense for IP addresses.
.example.com smtp:mail.anotherdomain.tld Mail for any subdomain of example.com is delivered to mail.anotherdomain.tld.
* smtp:mail.anotherdomain.tld All emails are delivered to mail.anotherdomain.tld.
joe@example.com smtp:mail.anotherdomain.tld Emails for joe@example.com are delivered to mail.anotherdomain.tld.Siehe

man transport

für mehr Informationen.

Bitte denke daran, dass die Anordnung der Einträge in der transport Tabelle wichtig ist! Die Einträge schließen sich von oben nach unten an.

Wichtig: Postfix verwendet einen Caching Mechanism für den Transport, daher kann es eine Weile dauern, bis Deine Änderungen in der transport Tabelle übernommen werden. Wenn Du möchtest, dass sie sofort übernommen werden, lass Folgendes laufen

postfix reload

nachdem Du Deine Änderungen in der transport Tabelle vorgenommen hast.

14 Referenzen

Tutorial: ISP-style Email Service with Debian-Sarge and Postfix 2.1: http://workaround.org/articles/ispmail-sarge/
Postfix + Quota: http://vhcs.net/new/modules/newbb/viewtopic.php?topic_id=3496&forum=17
Mail Passwords Encrypted using saslauthd: http://www.syscp.de/docs/public/contrib/cryptedmailpws

15 Links