diff --git a/DOC/etc_postgrey_whitelist_clients.local b/DOC/etc_postgrey_whitelist_clients.local
new file mode 100644
index 0000000..d651fbb
--- /dev/null
+++ b/DOC/etc_postgrey_whitelist_clients.local
@@ -0,0 +1,3 @@
+# For Office 365 - servers:
+##/.*outbound.protection.outlook.com$/
+/^mail-.*\.outbound\.protection\.outlook\.com$/
diff --git a/DOC/install/postfix_base_mailsystem.install b/DOC/install/postfix_base_mailsystem.install
new file mode 100644
index 0000000..5063717
--- /dev/null
+++ b/DOC/install/postfix_base_mailsystem.install
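Review bot: The retired pattern `##/.*outbound.protection.outlook.com$/` is left above the live entry in etc_postgrey_whitelist_clients.local with nothing saying why it was replaced, and anyone re-enabling it would get a match that is unanchored at the front and whose unescaped dots stand for any character, i.e. a much looser rule than the `^mail-` pattern that follows. A one-line comment such as `# superseded by the anchored pattern below; do not re-enable`, or simply dropping the dead line, records that decision. It would also help the header comment to say what the regex is applied to: as far as I recall, postgrey matches `whitelist_clients` regexes against the client hostname Postfix hands to the policy service, which Postfix only fills in when forward and reverse DNS agree, and that check is what makes a hostname-based whitelist acceptable at all.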
@@ -0,0 +1,461 @@ +## ------------------------------------ ## ## - - ## +## - install postfix base system - ## +## - - ## +## - supports ipv6 - ## +## - - ## +## ------------------------------------ ## + +_TLS_CERT_DIR=/etc/postfix/ssl +_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt" +_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key" + +_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt + + +_HOSTNAME= +_IPV4= +## - Leave empty, if no IPv6 should be supported +## - +#_IPV6= +_IPV6= + +_ADMIN_EMAIL= + +_SASL_AUTH= +_RELAY_HOST=b.mx.oopen.de +_SASL_USER= +_SASL_PASS='sasl_password' + + +## - remove exim4 and related if installed and you plan +## - to install an alternative mailer +## - +apt-get remove --purge bsd-mailx exim4 exim4-base exim4-config \ + exim4-daemon-light mailx + + +apt-get install postfix postfix-pcre libsasl2-modules bsd-mailx haveged + +if $_SASL_AUTH ; then + apt-get install libsasl2-modules +fi + +cp -a /etc/postfix/main.cf /etc/postfix/main.cf.ORIG + + +cat < /etc/postfix/main.cf +# ============ Basic settings ============ + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname +myorigin = /etc/mailname + +smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = /usr/share/doc/postfix +html_directory = /usr/share/doc/postfix/html + +## - The Internet protocols Postfix will attempt to use when making +## - or accepting connections. 
+## - DEFAULT: ipv4 +EOF + +if [ -n "$_IPV6" ]; then + cat <> /etc/postfix/main.cf +inet_protocols = ipv4, ipv6 + +#inet_interfaces = all +inet_interfaces = 127.0.0.1 + $_IPV4 + $_IPV6 + +myhostname = $_HOSTNAME + +mydestination = + $_HOSTNAME + localhost + +## - The list of "trusted" SMTP clients that have more +## - privileges than "strangers" +## - +mynetworks = + 127.0.0.0/8 + [::ffff:127.0.0.0]/104 + [::1]/128 + ${_IPV4}/32 + [${_IPV6}]/128 + +smtp_bind_address = $_IPV4 +smtp_bind_address6 = $_IPV6 + +EOF +else + cat <> /etc/postfix/main.cf +inet_protocols = ipv4 + +#inet_interfaces = all +inet_interfaces = + 127.0.0.1 + $_IPV4 + +myhostname = $_HOSTNAME + +mydestination = + $_HOSTNAME + localhost + +## - The list of "trusted" SMTP clients that have more +## - privileges than "strangers" +## - +mynetworks = + 127.0.0.0/8 + ${_IPV4}/32 + +smtp_bind_address = $_IPV4 +#smtp_bind_address6 = $_IPV6 + +EOF +fi + +cat <> /etc/postfix/main.cf + +## - The method to generate the default value for the mynetworks parameter. +## - +## - mynetworks_style = host" when Postfix should "trust" only the local machine +## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP +## - clients in the same IP subnetworks as the local machine. +## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same +## - IP class A/B/C networks as the local machine. +## - +#mynetworks_style = host + + +## - The maximal size of any local(8) individual mailbox or maildir file, +## - or zero (no limit). In fact, this limits the size of any file that is +## - written to upon local delivery, including files written by external +## - commands that are executed by the local(8) delivery agent. +## - +mailbox_size_limit = 0 + +## - The maximal size in bytes of a message, including envelope information. 
+## - +## - we user 50MB +## - +message_size_limit = 52480000 + +## - The system-wide recipient address extension delimiter +## - +recipient_delimiter = + + +## - The alias databases that are used for local(8) delivery. +## - +alias_maps = + hash:/etc/aliases + +## - The alias databases for local(8) delivery that are updated +## - with "newaliases" or with "sendmail -bi". +## - +alias_database = + hash:/etc/aliases + + +## - The maximal time a message is queued before it is sent back as +## - undeliverable. Defaults to 5d (5 days) +## - Specify 0 when mail delivery should be tried only once. +## - +maximal_queue_lifetime = 3d +bounce_queue_lifetime = \$maximal_queue_lifetime + +## - delay_warning_time (default: 0h) +## - +## - The time after which the sender receives a copy of the message +## - headers of mail that is still queued. To enable this feature, +## - specify a non-zero time value (an integral value plus an optional +## - one-letter suffix that specifies the time unit). +## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +## - The default time unit is h (hours). +delay_warning_time = 1d + + +EOF + +if $_SASL_AUTH ; then + cat <> /etc/postfix/main.cf + +# ============ Relay parameters ============ + +#relayhost = + + +# ============ SASL authentication ============ + +# Enable SASL authentication +smtp_sasl_auth_enable = yes + +# Forwarding to the ip-adress of host b.mx.oopen.de +relayhost = [b.mx.oopen.de] + +# File including login data +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + +# Force using a (TLS) security connection +# obsulete - use smtp_tls_security_level instead +#smtp_use_tls = yes +#smtp_tls_enforce_peername = no +smtp_tls_security_level = encrypt + +# Disallow methods that allow anonymous authentication. +smtp_sasl_security_options = noanonymous + + + +# ============ TLS parameters ============ + +## - Aktiviert TLS für den Mailempfang +## - +## - may: +## - Opportunistic TLS. 
Use TLS if this is supported by the remote +## - SMTP server, otherwise use plaintext +## - +## - This overrides the obsolete parameters smtpd_use_tls and +## - smtpd_enforce_tls. This parameter is ignored with +## - "smtpd_tls_wrappermode = yes". +#smtpd_use_tls=yes +smtp_tls_security_level=encrypt + +EOF + +else + cat <> /etc/postfix/main.cf + +# ============ Relay parameters ============ + +relayhost = + + +# ============ TLS parameters ============ + +## - Aktiviert TLS für den Mailempfang +## - +## - may: +## - Opportunistic TLS. Use TLS if this is supported by the remote +## - SMTP server, otherwise use plaintext +## - +## - This overrides the obsolete parameters smtpd_use_tls and +## - smtpd_enforce_tls. This parameter is ignored with +## - "smtpd_tls_wrappermode = yes". +#smtpd_use_tls=yes +smtp_tls_security_level=may + +EOF +fi + +cat <> /etc/postfix/main.cf +## - Aktiviert TLS für den Mailversand +## - +## - may: +## - Opportunistic TLS: announce STARTTLS support to SMTP clients, +## - but do not require that clients use TLS encryption. +# smtp_use_tls=yes +smtpd_tls_security_level=may + +## - 0 Disable logging of TLS activity. +## - 1 Log TLS handshake and certificate information. +## - 2 Log levels during TLS negotiation. +## - 3 Log hexadecimal and ASCII dump of TLS negotiation process. +## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. +## - +smtpd_tls_loglevel = 1 +smtp_tls_loglevel = 1 + +smtpd_tls_cert_file = $_TLS_CERT_FILE +smtpd_tls_key_file = $_TLS_KEY_FILE + +## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. 
+## - +## - Dont't forget to create it, e.g with openssl: +## - openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024 +## - +smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem +## - also possible to use 2048 key with that parameter +## - +#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem + +## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. +## - +## - Dont't forget to create it, e.g with openssl: +## - openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512 +## - +smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem + + +## - File containing CA certificates of root CAs trusted to sign either remote SMTP +## - server certificates or intermediate CA certificates. These are loaded into +## - memory !! BEFORE !! the smtp(8) client enters the chroot jail. +## - +smtp_tls_CAfile = $_TLS_CA_FILE + +## - Directory with PEM format certificate authority certificates that the Postfix SMTP +## - client uses to verify a remote SMTP server certificate. Don't forget to create the +## - necessary "hash" links with, for example, " +## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". +## - +## - !! Note !! +## - To use this option in chroot mode, this directory (or a copy) must be inside +## - the chroot jail. +## - +## - Note that a chrooted daemon resolves all filenames relative to the Postfix +## - queue directory (/var/spool/postfix) +## - +#smtpd_tls_CApath = /etc/postfix/certs + + +# Disable SSLv2 SSLv3 - Postfix SMTP server +# +# List of TLS protocols that the Postfix SMTP server will exclude or +# include with opportunistic TLS encryption. +smtpd_tls_protocols = !SSLv2, !SSLv3 +# +# The SSL/TLS protocols accepted by the Postfix SMTP server +# with mandatory TLS encryption. +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + + +# Disable SSLv2 SSLv3 - Postfix SMTP client +# +# List of TLS protocols that the Postfix SMTP client will exclude or +# include with opportunistic TLS encryption. 
+smtp_tls_protocols = !SSLv2, !SSLv3 +# +# List of SSL/TLS protocols that the Postfix SMTP client will use +# with mandatory TLS encryption +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 + + +## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange +## - openssl > 1.0 +## - +smtpd_tls_eecdh_grade = strong + +# standard list cryptographic algorithm +tls_preempt_cipherlist = yes + +# Disable ciphers which are less than 256-bit: +# +#smtpd_tls_mandatory_ciphers = high +# +# opportunistic +smtpd_tls_ciphers = high + + +# Exclude ciphers +#smtpd_tls_exclude_ciphers = +# RC4 +# aNULL +# SEED-SHA +# EXP +# MD5 +smtpd_tls_exclude_ciphers = + aNULL + eNULL + EXPORT + DES + RC4 + MD5 + PSK + aECDH + EDH-DSS-DES-CBC3-SHA + EDH-RSA-DES-CDC3-SHA + KRB5-DE5, CBC3-SHA + + +smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache + +EOF + +if $_SASL_AUTH ; then + + echo "[$_RELAY_HOST] ${_SASL_USER}@${_RELAY_HOST}:$_SASL_PASS" > /etc/postfix/sasl_passwd + chown root:root /etc/postfix/sasl_passwd + chmod 600 /etc/postfix/sasl_passwd + postmap /etc/postfix/sasl_passwd + +fi + + +## - create directory for certificates and copy certificates +## - and coresponding keys to /etc/postfix/ssl/ +## - +mkdir -p /etc/postfix/ssl +cp /etc/postfix/ssl/ + + +## - generate DH parameters that the Postfix SMTP server should use +## - with EDH ciphers (length 512 and 1024 +## - +openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512 +openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024 +openssl gendh -out /etc/postfix/ssl/dh_2048.pem -2 2048 + +ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem $_TLS_CERT_FILE +ln -s /etc/ssl/private/ssl-cert-snakeoil.key $_TLS_KEY_FILE + + + +## - /etc/mailname +## - +echo $_HOSTNAME > /etc/mailname + + +## - /etc/aliases +## - +cat << EOF > /etc/aliases +# See man 5 aliases for format +mailer-daemon: postmaster +postmaster: root +nobody: root +hostmaster: root 
+usenet: root +news: root +webmaster: root +www: root +ftp: root +abuse: root +noc: root +security: root + +root: $_ADMIN_EMAIL +EOF + +## - rebuld alias database +## - +newaliases + + +cat << EOF >> /etc/rsyslog.d/postfix.conf + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +mail.* -/var/log/mail.log +& ~ +EOF + +/etc/init.d/rsyslog restart + + diff --git a/DOC/install/postfix_mailsystem.install b/DOC/install/postfix_mailsystem.install new file mode 100644 index 0000000..f9cbd78 --- /dev/null +++ b/DOC/install/postfix_mailsystem.install 
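Review bot: In the SASL branch of the main.cf heredoc, `relayhost = [b.mx.oopen.de]` hard-codes the host that `_RELAY_HOST` already holds and that the later `echo "[$_RELAY_HOST] ${_SASL_USER}@${_RELAY_HOST}:$_SASL_PASS" > /etc/postfix/sasl_passwd` line keys the credential on, so changing the variable leaves the relay pointing at the old host while the password lookup silently finds nothing; write `relayhost = [$_RELAY_HOST]`. That credential is then sent at `smtp_tls_security_level = encrypt`, which encrypts the session but does not verify the relay's certificate even though `smtp_tls_CAfile` is configured; for a single fixed relay `smtp_tls_security_level = secure` ties the session to the bracketed nexthop name via that CA file. The redirect also creates sasl_passwd before the `chmod 600` runs, so the file briefly exists with the umask default; `( umask 077; echo "..." > /etc/postfix/sasl_passwd )` closes that window. In `smtpd_tls_exclude_ciphers`, `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5, CBC3-SHA` are not OpenSSL cipher names (the suites are `EDH-RSA-DES-CBC3-SHA` and `KRB5-DES-CBC3-SHA`) and `DES` selects only single-DES suites, so the 3DES suites this list appears meant to drop presumably stay enabled as OpenSSL ignores unknown identifiers; a single `3DES` entry covers them, and the same list recurs in DOC/install/postfix_mailsystem.install in this commit. Unlike the `'sasl_password'` placeholder here, that second file carries literal per-host `_db_pass` values, which should be treated as exposed once committed and moved out of the repository.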
@@ -0,0 +1,1706 @@ + +## ------------------------------------------------------------ ## +## - - ## +## - install postfix + dovecot + sieve + postfisadmin - ## +## - +roundecube - ## +## - - ## +## - supports ipv6 - ## +## - - ## +## ------------------------------------------------------------ ## + +## - mx.warenform.de +## - +_WEBMAIL_IP_4=83.223.85.154 +_WEBMAIL_IP_6=2a01:30:1fff:6::154 + +_APACHE_CONF_DIR=/usr/local/apache2/conf +_APACHE_VHOST_DIR=${_APACHE_CONF_DIR}/vhosts + +_APACHE_LOG_DIR=/var/log/apache2 + +_ADMIN_EMAIL=argus@oopen.de + +_TLS_CERT_DIR=/etc/postfix/ssl +_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt" +_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key" +_TLS_CHAIN_FILE="${_TLS_CERT_DIR}/SSL123_CA_Bundle.pem" + +_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt + + +_HOSTNAME=mx.warenform.de +_IPV4=83.223.85.151 +_IPV6=2a01:30:1fff:6::151 + +_autoreply_domain='autoreply.warenform.de' +#_pf_admin_version=2.3.7 +_pf_admin_version=2.91 +#_pf_admin_version=3.0 + +_db_type='Pg' +#_db_type='mysql' +_db_name='postfix' +_db_user='postfix' +_db_pass='AeB4kohyie5rahJ7' + +## - +## - ENDE: mx.warenform.de + + +## - a.mx.oopen.de +## - +_WEBMAIL_IP_4=83.223.86.91 +_WEBMAIL_IP_6=2a01:30:0:13:2f7:50ff:fed2:cef7 + +_APACHE_CONF_DIR=/usr/local/apache2/conf +_APACHE_VHOST_DIR=${_APACHE_CONF_DIR}/vhosts + +_APACHE_LOG_DIR=/var/log/apache2 + +_ADMIN_EMAIL=argus@oopen.de + +_TLS_CERT_DIR=/etc/postfix/ssl +_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt" +_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key" +_TLS_CHAIN_FILE="${_TLS_CERT_DIR}/sub.class2.server.ca.pem" + +_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt + + +_HOSTNAME=a.mx.oopen.de +_IPV4=83.223.86.91 +_IPV6=2a01:30:0:13:2f7:50ff:fed2:cef7 + +_autoreply_domain='autoreply.oopen.de' +#_pf_admin_version=2.3.7 +#_pf_admin_version=2.91 +_pf_admin_version=3.0 + +_db_type='Pg' +#_db_type='mysql' +_db_name='postfix' +_db_user='postfix' +_db_pass='FKt4z55FxMZp' + +## - +## -ENDE: a.mx.oopen.de + + +## - sympa.oopen.de 
+## - +_WEBMAIL_IP_4=83.223.85.206 +_WEBMAIL_IP_6=2a01:30:0:13:239:a7ff:fe7e:1129 + +_APACHE_CONF_DIR=/usr/local/apache2/conf +_APACHE_VHOST_DIR=${_APACHE_CONF_DIR}/vhosts + +_APACHE_LOG_DIR=/var/log/apache2 + +_ADMIN_EMAIL=argus@oopen.de + +_TLS_CERT_DIR=/etc/postfix/ssl +_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt" +_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key" +_TLS_CHAIN_FILE="${_TLS_CERT_DIR}/sub.class2.server.ca.pem" + +_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt + + +_HOSTNAME=sympa.oopen.de +_IPV4=83.223.85.206 +_IPV6=2a01:30:0:13:239:a7ff:fe7e:1129 + +_autoreply_domain='autoreply.oopen.de' +#_pf_admin_version=2.3.7 +_pf_admin_version=2.91 + +_db_type='Pg' +#_db_type='mysql' +_db_name='postfix' +_db_user='postfix' +_db_pass='FKt4z55FxMZp' + +## - +## -ENDE: sympa.oopen.de + + +## - d.mx.oopen.de +## - +_WEBMAIL_IP_4=83.223.86.92 +_WEBMAIL_IP_6=2a01:30:0:13:254:9eff:fed5:e7fd + +_APACHE_CONF_DIR=/usr/local/apache2/conf +_APACHE_VHOST_DIR=${_APACHE_CONF_DIR}/vhosts + +_APACHE_LOG_DIR=/var/log/apache2 + +_ADMIN_EMAIL=argus@oopen.de + +_TLS_CERT_DIR=/etc/postfix/ssl +_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt" +_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key" +_TLS_CHAIN_FILE="${_TLS_CERT_DIR}/sub.class2.server.ca.pem" + +_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt + + +_HOSTNAME=d.mx.oopen.de +_IPV4=83.223.86.92 +_IPV6=83.223.86.92 + +_autoreply_domain='autoreply.oopen.de' +#_pf_admin_version=2.3.7 +_pf_admin_version=2.91 + +_db_type='Pg' +#_db_type='mysql' +_db_name='postfix' +_db_user='postfix' +_db_pass='FKt4z55FxMZp' + +## - +## -ENDE: d.mx.oopen.de + + +## - mail.interventionistische-linke.org +## - +_WEBMAIL_IP_4=83.223.85.215 +_WEBMAIL_IP_6=2a01:30:1fff:5::215 + +_APACHE_CONF_DIR=/usr/local/apache2/conf +_APACHE_VHOST_DIR=${_APACHE_CONF_DIR}/vhosts + +_APACHE_LOG_DIR=/var/log/apache2 + +_ADMIN_EMAIL=argus@oopen.de + +_TLS_CERT_DIR=/etc/postfix/ssl +_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt" 
+_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key" +_TLS_CHAIN_FILE="${_TLS_CERT_DIR}/sub.class2.server.ca.pem" + +_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt + + +_HOSTNAME=mail.interventionistische-linke.org +_IPV4=83.223.85.214 +_IPV6=2a01:30:1fff:5::214 + +_autoreply_domain='autoreply.interventionistische-linke.org' +#_pf_admin_version=2.3.7 +_pf_admin_version=2.91 + +_db_type='Pg' +#_db_type='mysql' +_db_name='postfix' +_db_user='postfix' +_db_pass='NcXxt7sf7bfV' + +## - +## -ENDE: mail.interventionistische-linke.org + + +## - listserver.so36.net +## - +_WEBMAIL_IP_4='' +_WEBMAIL_IP_6='' + +_APACHE_CONF_DIR='' +_APACHE_VHOST_DIR='' + +_APACHE_LOG_DIR='' + +_ADMIN_EMAIL=roots@so36.net + +_TLS_CERT_DIR=/etc/postfix/ssl +_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt" +_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key" +_TLS_CHAIN_FILE="${_TLS_CERT_DIR}/sub.class2.server.ca.pem" + +_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt + + +_HOSTNAME=listserver.so36.net +_IPV4=83.223.73.213 +_IPV6=2a01:30:1fff:fd00::213 + +_autoreply_domain='' +#_pf_admin_version=2.3.7 +_pf_admin_version='' + +#_db_type=pg +#_db_type='mysql' +_db_name='' +_db_user='' +_db_pass='' + +## - +## -ENDE: listserver.so36.net + + + + +## ------------------------------------------------------------ ## +## - Download debian prerequisites - ## +## ------------------------------------------------------------ ## +## - +## - compiler stuff +## - +apt-get install g++ g++-multilib gcc gcc-multilib cpp make libssl-dev +apt-get install automake autoconf libtool flex bison gnu-standards +apt-get install libdb-dev + + +## - Postgres (if needed) +## - +cat < /etc/apt/sources.list.d/pgdg.list +deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main +EOF + +apt-get update +apt-get install pgdg-keyring +apt-get install postgresql postgresql-client + +## - SSL/TLS support +apt-get install libssl-dev + +## - obtain dovecot from Mercurial repository +apt-get install hgsvn + + +## - Mysql +## - +#apt-get 
install mysql-server-5.0 mysql-client-5.0 libmysqlclient15-dev + +## - SASL support +## - +#apt-get install libsasl2-dev libsasl2-2 + +## - I think quota is not needed, because quota support is +## - softwareside realised +## - +## - ## - quota support +## - ## - +## - apt-get install quota +## - +## - ## - /etc/fstab +## - ## - +## - ## - proc /proc proc defaults 0 0 +## - ## - none /dev/pts devpts gid=5,mode=620 0 0 +## - ## - /dev/md0 none swap sw 0 0 +## - ## - /dev/md1 /boot ext3 defaults 0 0 +## - ## - /dev/md2 / ext3 defaults,usrquota,grpquota 0 0 +## - ## - /dev/md3 /data ext3 defaults,usrquota,grpquota 0 0 + + +## ------------------------------------------------------------ ## +## - Download sources - ## +## ------------------------------------------------------------ ## + +mkdir -p /usr/local/src/mailsystem/tarballs +cd /usr/local/src/mailsystem/tarballs + +# - postfix +## - +#wget http://de.postfix.org/ftpmirror/official/postfix-2.7.1.tar.gz + +## - postfixadmin (needed for vacation plugin) +## - +#wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.7/postfixadmin-2.3.7.tar.gz +#wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.91/postfixadmin-2.91.tar.gz +wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${_pf_admin_version}/postfixadmin-${_pf_admin_version}.tar.gz + + + +## ------------------------------------------------------------ ## +## - Install software - ## +## ------------------------------------------------------------ ## + +## --------------------------------- # +## --- install Apapche webserver --- # +## --------------------------------- # + +apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils + + +## - access server-status +## - +## - Allow from 178.63.63.151 127.0.0.1 +## - +vim /etc/apache2/mods-enabled/status.conf + +## - configure ports +## - +## - NameVirtualHost 178.63.63.151:80 +## - Listen 
178.63.63.151:80 +## - Listen 127.0.0.1:80 +## - +## - +## - # SSL name based virtual hosts are not yet supported, therefore no +## - # NameVirtualHost statement here +## - NameVirtualHost 178.63.63.151:443 +## - Listen 178.63.63.151:443 +## - +## - +vim /etc/apache2/ports.conf + + +## - configure default site +## - +rm /etc/apache2/sites-enabled/000-default +mv /etc/apache2/sites-available/default /etc/apache2/sites-available/_default +mv /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/_default-ssl + +mkdir -p /var/www + +## - Apache base configuration +## - +cat < ${_APACHE_VHOST_DIR}/000default.conf + + Options FollowSymLinks + AllowOverride None + ## - Apache httpd 2.2.x + #Order deny,allow + #Deny from all + ## - Apache httpd 2.4.x + Require all denied + + + + AllowOverride None + ## - Apache httpd 2.2.x + #Order deny,allow + #Deny from all + ## - Apache httpd 2.4.x + Require all granted + + +## - the first VirtualHost Directive - All Requests +## - with no concerning VirtualHost Directive will be +## - handelde here + + + ServerAdmin $_ADMIN_EMAIL + + ServerName dummy.warenform.net + + RewriteEngine On + RewriteCond %{HTTP_HOST} .* + RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] + + + + + + + ServerAdmin $_ADMIN_EMAIL + + ServerName dummy.warenform.net + + DocumentRoot /var/www/ + + SSLEngine on + + SSLHonorCipherOrder On + SSLCompression Off + SSLProtocol ALL -SSLv2 -SSLv3 + SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + + Header add Strict-Transport-Security "max-age=15768000" + + SSLCertificateFile ${_APACHE_CONF_DIR}/server.crt + SSLCertificateKeyFile ${_APACHE_CONF_DIR}/server.key + SSLCACertificateFile ${_APACHE_CONF_DIR}/SSL123_CA_Bundle.pem + + + + + + ServerAdmin admin@warenform.net + + ServerName dummy.warenform.net + + + + +## - IPv6 +## - + + + 
ServerAdmin $_ADMIN_EMAIL + + ServerName dummy.warenform.net + + RewriteEngine On + RewriteCond %{HTTP_HOST} .* + RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] + + + + + + + ServerAdmin $_ADMIN_EMAIL + + ServerName dummy.warenform.net + + DocumentRoot /var/www/ + + SSLEngine on + + SSLHonorCipherOrder On + SSLCompression Off + SSLProtocol ALL -SSLv2 -SSLv3 + SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS + + Header add Strict-Transport-Security "max-age=15768000" + + SSLCertificateFile ${_APACHE_CONF_DIR}/server.crt + SSLCertificateKeyFile ${_APACHE_CONF_DIR}/server.key + SSLCACertificateFile ${_APACHE_CONF_DIR}/SSL123_CA_Bundle.pem + + +EOF + +#ln -s ../sites-available/000default.conf /etc/apache2/sites-enabled/ + + +## - enable module ssl +## - +a2enmod ssl + +## - include certificates +## - + +chgrp ssl-cert /etc/ssl/private/20091103-0058-aktionsbuendnis_key.pem +chmod 640 /etc/ssl/private/20091103-0058-aktionsbuendnis_key.pem + +chmod 644 /etc/ssl/certs/20091103-0058-aktionsbuendnis_crt.pem + + +## - enable module ssl +## - +a2enmod rewrite + + +## - enable sites +## - put the VirtualHosts Directives in files living in the +## - directory /etc/apache2/sites-available +## - i.e. 
you have configured the files +## - - 000default.conf +## - - aktionsbuendnis.oopen.de.conf +## - +#a2ensite 000default.conf aktionsbuendnis.oopen.de.conf +a2ensite 000default.conf + + +## --------------------------------------------------------- # +## --- install PHP (needed for postfixadmin / roundcube) --- # +## --------------------------------------------------------- # + +## - Zusatzinstallation php (fuer: postfixadmin / roundcube) +## - +apt-get install libexpat1 mcrypt imagemagick +mpt-get install libcompress-zlib-perl +apt-get install re2c +apt-get install libmagic-dev + +apt-get install php5 php5-common php5-cli php5-pgsql \ + php5-mcrypt php5-gd php5-imagick php5-curl \ + php-pear php5-suhosin php5-mhash php5-dev \ + php-file php-gettext php-auth + +apt-get install php5-imap uw-mailutils + +## - settings /etc/php5/apache2/php.ini +## - +vim /etc/php5/apache2/php.ini + + memory_limit = 128M + register_globals = Off + session.save_handler = file + error_reporting = E_ALL + safe_mode = Off + session.cache_limiter = nocache + cgi.fix_pathinfo=1 + +apt-get install libmysqlclient15-dev +pecl channel-update pear.php.net +pecl install fileinfo + + +## - already included in php 5.3 +## - +## - #extension=pdo.so +## - #extension=pdo_mysql.so +## - #extension=fileinfo.so +#vim /etc/php5/apache2/php.ini + + + +mkdir -p /var/www/adm.warenform.de + + + +## ----------------------- ## +## --- install postfix --- ## +## ----------------------- ## + +## *************************** ## +## - install from source - ## + +_postfix_version=2.11.5 + +## - postfix user/group anlegen +## - +addgroup --system postfix +addgroup --system postdrop +adduser --system --home /var/spool/postfix --group postfix postfix + +cd /usr/local/src/mailsystem/tarballs +wget http://de.postfix.org/ftpmirror/official/postfix-${_postfix_version}.tar.gz + +cd /usr/local/src/mailsystem +gunzip < tarballs/postfix-${_postfix_version}.tar.gz | tar -xf - + +cd postfix-$_postfix_version + +## - For Postgres 
(PCRE-support, TLS-support, SASL-support also included) +## - +make makefiles \ + CCARGS="-DHAS_PGSQL -I/usr/include/postgresql -DHAS_PCRE `pcre-config --cflags` -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" \ + AUXLIBS="-L/usr/lib/x86_64-linux-gnu -lpg `pcre-config --libs` -lssl -lcrypto -L/usr/lib/x86_64-linux-gnu -lsasl2" + +## - For MySQL installed to /usr/local/Mysql (PCRE-support, TLS-support, SASL-support also included) +## - +make makefiles \ + CCARGS="-DHAS_MYSQL -I/usr/local/mysql/include -DHAS_PCRE `pcre-config --cflags` -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" \ + AUXLIBS="-L/usr/local/mysql/lib -lmysqlclient -lz -lm `pcre-config --libs` -lssl -lcrypto -L/usr/lib/x86_64-linux-gnu -lsasl2" +make +make install + +## ************************************** ## +## - install from debian package-system - ## +## - +## - since debian wheezy, postfix-tls is integrated in postfix package +## - + +# - postfix +apt-get install -t jessie-backports postfix postfix-pgsql postfix-pcre +# - mysql +apt-get install -t jessie-backports postfix postfix-mysql postfix-pcre + +## - remove exim4 and related if installed and you plan +## - to install an alternative mailer +## - +apt-get remove --purge bsd-mailx exim4 exim4-base exim4-config \ + exim4-daemon-light mailx + + +apt-get install postfix postfix-pcre libsasl2-modules bsd-mailx haveged + + + +## - !! Notice: +## - +## - If using MySQL and MySQL was installed from source, then +## - remove/check my.cnf file from debian package "mysql-common", +## - which will be installed within postfix-mysql. +## - +## - !! End: Notice + + +## - adjust main.cf +## - + +cp /etc/postfix/main.cf /etc/postfix/main.cf.ORIG + +cat < /etc/postfix/main.cf +# ============ Basic settings ============ + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. 
+#myorigin = /etc/mailname +myorigin = /etc/mailname + +smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +#readme_directory = no +readme_directory = /usr/share/doc/postfix +html_directory = /usr/share/doc/postfix/html + +## - The Internet protocols Postfix will attempt to use when making +## - or accepting connections. +## - DEFAULT: ipv4 +EOF + +if [ -n "$_IPV6" ]; then + cat <> /etc/postfix/main.cf +inet_protocols = ipv4, ipv6 + +#inet_interfaces = all +inet_interfaces = + 127.0.0.1 + $_IPV4 + $_IPV6 + +myhostname = $_HOSTNAME + +mydestination = + $_HOSTNAME + localhost + +## - The list of "trusted" SMTP clients that have more +## - privileges than "strangers" +## - +mynetworks = + 127.0.0.0/8 + [::ffff:127.0.0.0]/104 + [::1]/128 + ${_IPV4}/32, + [${_IPV6}]/128 + # b.mx.oopen.de + #83.223.86.162/32 + #[2a01:30:1fff:a::162]/128 + +smtp_bind_address = $_IPV4 +smtp_bind_address6 = $_IPV6 + +EOF + +else + cat <> /etc/postfix/main.cf +inet_protocols = ipv4 + +#inet_interfaces = all +inet_interfaces = + 127.0.0.1 + $_IPV4 + +myhostname = $_HOSTNAME + +mydestination = + $_HOSTNAME + localhost + +## - The list of "trusted" SMTP clients that have more +## - privileges than "strangers" +## - +mynetworks = + 127.0.0.0/8 + ${_IPV4}/32 + # b.mx.oopen.de + #83.223.86.162/32 + #[2a01:30:1fff:a::162]/128 + +smtp_bind_address = $_IPV4 +#smtp_bind_address6 = $_IPV6 + +EOF +fi + +cat <> /etc/postfix/main.cf + +## - The method to generate the default value for the mynetworks parameter. +## - +## - mynetworks_style = host" when Postfix should "trust" only the local machine +## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP +## - clients in the same IP subnetworks as the local machine. 
+## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same +## - IP class A/B/C networks as the local machine. +## - +#mynetworks_style = host + + +## - The maximal size of any local(8) individual mailbox or maildir file, +## - or zero (no limit). In fact, this limits the size of any file that is +## - written to upon local delivery, including files written by external +## - commands that are executed by the local(8) delivery agent. +## - +mailbox_size_limit = 0 + +## - The maximal size in bytes of a message, including envelope information. +## - +## - we user 50MB +## - +message_size_limit = 52480000 + +## - The system-wide recipient address extension delimiter +## - +recipient_delimiter = + + +## - The alias databases that are used for local(8) delivery. +## - +alias_maps = + hash:/etc/aliases + +## - The alias databases for local(8) delivery that are updated +## - with "newaliases" or with "sendmail -bi". +## - +alias_database = + hash:/etc/aliases + +## - Optional lookup tables with mappings from recipient address +## - to (message delivery transport, next-hop destination). +## - See transport(5) for details. +## - +transport_maps = + btree:/etc/postfix/transport + btree:/etc/postfix/relay_domains + +## - The maximal time a message is queued before it is sent back as +## - undeliverable. Defaults to 5d (5 days) +## - Specify 0 when mail delivery should be tried only once. +## - +maximal_queue_lifetime = 3d +bounce_queue_lifetime = \$maximal_queue_lifetime + +## - delay_warning_time (default: 0h) +## - +## - The time after which the sender receives a copy of the message +## - headers of mail that is still queued. To enable this feature, +## - specify a non-zero time value (an integral value plus an optional +## - one-letter suffix that specifies the time unit). +## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +## - The default time unit is h (hours). 
+delay_warning_time = 1d + + +#header_checks = pcre:/etc/postfix/header_checks +prepend_delivered_header = + forward + file + + +## - proxy_read_maps +## - +## - The lookup tables that the proxymap(8) server is allowed to access for the read-only service. +## - +## - Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Table +## - references that don't begin with proxy: are ignored. +## - +#proxy_read_maps = \$local_recipient_maps \$mydestination \$virtual_alias_maps \$virtual_alias_domains \$virtual_mailbox_maps \$virtual_mailbox_domains \$relay_recipient_maps \$relay_domains \$canonical_maps \$sender_canonical_maps \$recipient_canonical_maps \$relocated_maps \$transport_maps \$mynetworks \$sender_bcc_maps \$recipient_bcc_maps \$smtp_generic_maps \$lmtp_generic_maps \$smtpd_sender_login_maps + + +# ============ Relay parameters ============ + +relayhost = +relay_domains = + \$mydestination + btree:/etc/postfix/relay_domains + + +# ============ TLS parameters ============ + +## - supports DNSSEC +## - +## - !! Notice !! +## - In order to support DNSSEC and DANE your resolver MUST support +## - DNSSEC too. +## - +## - If your resolver does not support DNSSEC, install "unbound". +## - +smtp_host_lookup = dns +smtp_dns_support_level = dnssec + +## - Aktiviert STARTTLS für den Mailempfang +## - +## - may: +## - Opportunistic TLS. Use TLS if this is supported by the remote +## - SMTP server, otherwise use plaintext +## - +## - This overrides the obsolete parameters smtpd_use_tls and +## - smtpd_enforce_tls. This parameter is ignored with +## - "smtpd_tls_wrappermode = yes". +#smtpd_use_tls=yes +smtpd_tls_security_level=may + +## - Aktiviert STARTTLS für den Mailversand +## - +## - may: +## - Opportunistic TLS: announce STARTTLS support to SMTP clients, +## - but do not require that clients use TLS encryption. +# smtp_use_tls=yes +#smtp_tls_security_level=may +smtp_tls_security_level=dane + +## - 0 Disable logging of TLS activity. 
+## - 1 Log TLS handshake and certificate information.
+## - 2 Log levels during TLS negotiation.
+## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
+## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
+## -
+smtpd_tls_loglevel = 1
+smtp_tls_loglevel = 1
+
+smtpd_tls_cert_file = $_TLS_CERT_FILE
+smtpd_tls_key_file = $_TLS_KEY_FILE
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
+## -
+## - Dont't forget to create it, e.g with openssl:
+## - openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
+## -
+#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
+## - also possible to use 2048 key with that parameter
+## -
+smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
+## -
+## - Dont't forget to create it, e.g with openssl:
+## - openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
+## -
+smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
+
+
+## - File containing CA certificates of root CAs trusted to sign either remote SMTP
+## - server certificates or intermediate CA certificates. These are loaded into
+## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
+## -
+smtp_tls_CAfile = $_TLS_CA_FILE
+
+## - Directory with PEM format certificate authority certificates that the Postfix SMTP
+## - client uses to verify a remote SMTP server certificate. Don't forget to create the
+## - necessary "hash" links with, for example, "
+## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
+## -
+## - !! Note !!
+## - To use this option in chroot mode, this directory (or a copy) must be inside
+## - the chroot jail.
+## -
+## - Note that a chrooted daemon resolves all filenames relative to the Postfix
+## - queue directory (/var/spool/postfix)
+## -
+#smtpd_tls_CApath = /etc/postfix/certs
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP server
+#
+# List of TLS protocols that the Postfix SMTP server will exclude or
+# include with opportunistic TLS encryption.
+smtpd_tls_protocols = !SSLv2, !SSLv3
+#
+# The SSL/TLS protocols accepted by the Postfix SMTP server
+# with mandatory TLS encryption.
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP client
+#
+# List of TLS protocols that the Postfix SMTP client will exclude or
+# include with opportunistic TLS encryption.
+smtp_tls_protocols = !SSLv2, !SSLv3
+#
+# List of SSL/TLS protocols that the Postfix SMTP client will use
+# with mandatory TLS encryption
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
+## - openssl > 1.0
+## -
+smtpd_tls_eecdh_grade = strong
+
+# standard list cryptographic algorithm
+tls_preempt_cipherlist = yes
+
+# Disable ciphers which are less than 256-bit:
+#
+#smtpd_tls_mandatory_ciphers = high
+#
+# opportunistic
+smtpd_tls_ciphers = high
+
+
+# Exclude ciphers
+#smtpd_tls_exclude_ciphers =
+# RC4
+# aNULL
+# SEED-SHA
+# EXP
+# MD5
+smtpd_tls_exclude_ciphers =
+ aNULL
+ eNULL
+ EXPORT
+ DES
+ RC4
+ MD5
+ PSK
+ aECDH
+ EDH-DSS-DES-CBC3-SHA
+ EDH-RSA-DES-CDC3-SHA
+ KRB5-DE5
+ CBC3-SHA
+
+
+smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
+
+
+#======= SASL Authentification ============
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type=dovecot
+smtpd_sasl_path=private/dovecot-auth
+
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_authenticated_header = yes
+broken_sasl_auth_clients = yes
+
+
+## - Optional lookup table with the SASL login names that own
+## - sender (MAIL FROM) addresses.
+smtpd_sender_login_maps =
+
+
+#======= Virtual mailboxes ============
+
+## - Local Mailboxes
+## -
+virtual_mailbox_base = /var/vmail
+virtual_uid_maps = static:5000
+virtual_gid_maps = static:5000
+
+## - virtual_transport
+## - =================
+## -
+## - using postfix
+## - virtual_transport = virtual
+## -
+## - using dovecot lda
+## - virtual_transport = dovecot
+## -
+## - using dovecot's lmtp service
+## - virtual_transport = lmtp:unix:private/dovecot-lmtp
+## -
+virtual_transport = virtual
+
+virtual_mailbox_maps =
+
+virtual_mailbox_domains =
+
+## - Optional lookup tables that alias specific mail addresses or domains
+## - to other local or remote address. The table format and lookups are
+## - documented in virtual(5). For an overview of Postfix address
+## - manipulations see the ADDRESS_REWRITING_README document.
+## -
+virtual_alias_maps =
+ ## - mailman
+ #hash:/var/lib/mailman/data/virtual-mailman
+
+## - Postfix is final destination for the specified list of virtual alias
+## - domains, that is, domains for which all addresses are aliased to addresses
+## - in other local or remote domains. The SMTP server validates recipient
+## - addresses with \$virtual_alias_maps and rejects non-existent recipients.
+## - See also the virtual alias domain class in the ADDRESS_CLASS_README file
+## -
+virtual_alias_domains =
+
+
+#header_checks = pcre:/etc/postfix/header_checks
+prepend_delivered_header = forward, file
+
+
+#======= Restrictions ============
+smtpd_recipient_restrictions =
+# only special accounts (postmaster, abuse and other rolr accounts)
+ check_recipient_access btree:/etc/postfix/access_recipient-rfc,
+# White- / Blacklisting
+ check_sender_access btree:/etc/postfix/access_sender,
+ check_recipient_access btree:/etc/postfix/access_recipient,
+# permit trusted network (mynetwork)
+ permit_mynetworks,
+# permit our users
+ permit_sasl_authenticated,
+# dont' accept misconfigured Mail
+ reject_non_fqdn_sender,
+ reject_non_fqdn_recipient,
+ reject_unknown_sender_domain,
+ reject_unknown_recipient_domain,
+ reject_unlisted_recipient,
+# don't accept misconfigured recipients
+# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
+ # Whitelist (configured on a.ns.oopen.de
+ # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone )
+ permit_dnswl_client dnswl.oopen.de,
+ # Blacklists
+ reject_rbl_client zen.spamhaus.org,
+ reject_rbl_client ix.dnsbl.manitu.net,
+ #reject_rbl_client bl.spamcop.net,
+ # March 1, 2013: NJABL is in the process of being shut down
+ #reject_rbl_client dnsbl.njabl.org,
+# Policyd-Weight
+ #check_policy_service inet:127.0.0.1:12525,
+# Greylisting check
+ #warn_if_reject,
+ #check_policy_service inet:127.0.0.1:10023,
+# Reject the request unless one of the following is true:
+#
+# - Postfix is mail forwarder: the resolved RCPT TO domain matches $relay_domains
+# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
+#
+#
+# - Postfix is the final destination: the resolved RCPT TO domain matches
+# $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains,
+# or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
+ reject_unverified_recipient,
+# permit Backup MX
+ permit_mx_backup,
+# forbid all other relaying
+ reject_unauth_destination,
+# permit, if all restrictions so far passed
+ permit
+
+
+## - Sinve version 2.11
+## -
+smtpd_relay_restrictions =
+# only special accounts (postmaster, abuse and other rolr accounts)
+ check_recipient_access btree:/etc/postfix/access_recipient-rfc,
+# White- / Blacklisting
+ check_sender_access btree:/etc/postfix/access_sender,
+ check_recipient_access btree:/etc/postfix/access_recipient,
+# permit trusted network (mynetwork)
+ permit_mynetworks,
+# permit our users
+ permit_sasl_authenticated,
+# dont' accept misconfigured Mail
+ reject_non_fqdn_sender,
+ reject_non_fqdn_recipient,
+ reject_unknown_sender_domain,
+ reject_unknown_recipient_domain,
+ reject_unlisted_recipient,
+# don't accept misconfigured recipients
+# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
+ # Whitelist (configured on a.ns.oopen.de
+ # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone )
+ permit_dnswl_client dnswl.oopen.de,
+ # Blacklists
+ reject_rbl_client zen.spamhaus.org,
+ reject_rbl_client ix.dnsbl.manitu.net,
+ #reject_rbl_client bl.spamcop.net,
+ # March 1, 2013: NJABL is in the process of being shut down
+ #reject_rbl_client dnsbl.njabl.org,
+# Policyd-Weight
+ #check_policy_service inet:127.0.0.1:12525,
+# Greylisting check
+ #warn_if_reject,
+ #check_policy_service inet:127.0.0.1:10023,
+# Reject the request unless one of the following is true:
+#
+# - Postfix is mail forwarder: the resolved RCPT TO domain matches $relay_domains
+# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
+#
+#
+# - Postfix is the final destination: the resolved RCPT TO domain matches
+# $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains,
+# or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
+ reject_unverified_recipient,
+# permit Backup MX
+ permit_mx_backup,
+# forbid all other relaying
+ reject_unauth_destination,
+# permit, if all restrictions so far passed
+ permit
+
+EOF
+
+
+## - create directory for certificates and copy certificates
+## - and coresponding keys to /etc/postfix/ssl/
+## -
+mkdir -p /etc/postfix/ssl
+cp /etc/postfix/ssl/
+
+#mkdir -p /etc/postfix/ssl/certs
+
+## - generate DH parameters that the Postfix SMTP server should use
+## - with EDH ciphers (length 512 and 1024
+## -
+openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
+openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
+openssl gendh -out /etc/postfix/ssl/dh_2048.pem -2 2048
+
+
+## - put all CA root certs you trustet into directory /etc/postfix/certs
+## - afterwards create the hashes:
+## - c_rehash /etc/postfix/sslcerts
+## -
+## -
+## - create directory for trusted root certificates and copy
+## - certificates into it
+## -
+#mkdir -p /etc/postfix/certs
+#
+#c_rehash /etc/postfix/certs
+#
+## - Note that a chrooted daemon resolves all filenames relative to the Postfix
+## - queue directory (/var/spool/postfix)
+#
+#mkdir -p /var/spool/postfix/etc/postfix/
+#cp -a /etc/postfix/certs /var/spool/postfix/etc/postfix/
+
+
+## - create files
+## -
+cat < /etc/postfix/access_recipient-rfc
+# if destination is ok, permit
+/^postmaster\@/ permit_auth_destination
+/^abuse\@/ permit_auth_destination
+EOF
+
+postmap btree:/etc/postfix/access_recipient-rfc
+
+cat < /etc/postfix/access_sender
+## - bekannte Virus/Spam Absener blocken
+## -
+error@mailfrom.com REJECT
+EOF
+
+## - Notice:
+## - this (access_sender) list can also be used as white list:
+## - backup@b3-bornim.de OK
+## - backup_file-ah@oopen.de OK
+## - backup_file-spr@oopen.de OK
+## - root_file_spr@oopen.de OK
+## - backup_anw-urban@oopen.de OK
+## - anonymous@bbb-server.b3-bornim.de OK
+
+postmap btree:/etc/postfix/access_sender
+
+echo > /etc/postfix/access_recipient
+postmap btree:/etc/postfix/access_recipient
+
+echo > /etc/postfix/transport
+postmap btree:/etc/postfix/transport
+
+echo > /etc/postfix/relay_domains
+postmap btree:/etc/postfix/relay_domains
+
+
+## - Eliminate Sender ip-address, repalce with 127.0.0.1
+## -
+echo '/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)$4' > /etc/postfix/header_checks
+
+
+## - add to /etc/aliases
+## -
+## - postmaster: root
+## - abuse: root
+## - root: argus@oopen.de
+## -
+## - and execute "newaliases" to generate /etc/aliases.db
+## -
+newaliases
+
+
+## - Configure rsyslogd to avoid writing into two logfiles (syslog, mail.log)
+## -
+## - !! APPEND to /etc/rsyslog.d/postfix.conf
+## -
+cat << EOF >> /etc/rsyslog.d/postfix.conf
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+mail.* -/var/log/mail.log
+& ~
+EOF
+
+/etc/init.d/rsyslog restart
+
+
+
+## - Create user and directory for virtual mailboxes
+## -
+useradd -s /bin/false -d /var/vmail -M -u 5000 vmail
+mkdir /var/vmail
+chown vmail:vmail /var/vmail
+chmod 700 /var/vmail
+
+
+## - Create Listener for user authenticated smtp connection port 587 (submission)
+## - and port 465 (smtps)
+## -
+## - Two posibilities:
+## - 1.) Do not filter outgong e-mails
+## - 2.) Filter outgoing e-mails (amavis)
+## -
+
+## -------------------------------------------------------
+## - Configure smtps and submission WITHOUT filtering
+
+## - edit /etc/postfix/master.cf - and add services on
+## - submissionport (587) an smtpds (465). on these ports
+## - only allow authenticated users
+## -
+## - submission inet n - - - - smtpd
+## - -o smtpd_tls_security_level=encrypt
+## - -o smtpd_sasl_auth_enable=yes
+## - -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+## - # -o milter_macro_daemon_name=ORIGINATING
+## -
+## - smtps inet n - - - - smtpd
+## - -o smtpd_tls_wrappermode=yes
+## - -o smtpd_sasl_auth_enable=yes
+## - -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+## -
+vim /etc/postfix/master.cf
+
+## - End: Configure smtps and submission WITHOUT filtering
+## -------------------------------------------------------
+
+
+## -------------------------------------------------------
+## - Configure smtps and submission WITH filtering
+
+## - in file /etc/postfix/master.cf
+## -
+## - 1.) add to smtp entry
+## -
+## - smtp inet n - - - - smtpd
+## - -o smtpd_proxy_filter=127.0.0.1:10024
+## - -o content_filter=
+## -
+## - 2.) add to / create submisson entry:
+## -
+## - submission inet n - - - 20 smtpd
+## - -o content_filter=amavisfeed:[127.0.0.1]:10024
+## - -o smtpd_tls_security_level=encrypt
+## - -o smtpd_sasl_auth_enable=yes
+## - -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+## - # -o milter_macro_daemon_name=ORIGINATING
+## -
+## -
+## - 3.) add to / create "smtps" entry
+## -
+## - smtps inet n - - - - smtpd
+## - -o content_filter=amavisfeed:[127.0.0.1]:10024
+## - -o smtpd_tls_wrappermode=yes
+## - -o smtpd_sasl_auth_enable=yes
+## - -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+## - # -o milter_macro_daemon_name=ORIGINATING
+## -
+## -
+## - 4.) add entry "amavisfeed"
+## -
+## - amavisfeed unix - - n - 20 lmtp
+## - -o smtp_data_done_timeout=1200
+## - -o smtp_send_xforward_command=yes
+## - -o disable_dns_lookups=yes
+## - ...
+## -
+
+## - so it looks like:
+## -
+
+smtp inet n - - - - smtpd
+ -o smtpd_proxy_filter=127.0.0.1:10024
+ -o content_filter=
+
+submission inet n - - - 20 smtpd
+ -o content_filter=amavisfeed:[127.0.0.1]:10024
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+
+smtps inet n - - - - smtpd
+ -o content_filter=amavisfeed:[127.0.0.1]:10024
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+
+amavisfeed unix - - n - 20 lmtp
+ -o smtp_data_done_timeout=1200
+ -o smtp_send_xforward_command=yes
+ -o disable_dns_lookups=yes
+
+## - End: Configure smtps and submission WITH filtering
+## -------------------------------------------------------
+
+
+## --------------------------------------------------------- #
+## --- Install Greylist-Daemon and configure for Postfix --- #
+## --------------------------------------------------------- #
+
+apt-get install postgrey
+
+## - configure Postgrey-Daemon
+## -
+## - the default values are:
+## - host: localhost (127.0.0.1)
+## - port: 10023
+## - delay: 300 seconds
+## - max ge: 35 days
+## -
+## - --inet=10023 --inet=[HOST:]PORT listen on PORT, localhost if HOST is not specified
+## - --delay=N how long to greylist, seconds (default: 300)
+## - --max-age=N delete old entries after N days (default: 35)
+## -
+## - you can also specify whitelists (for client hostnames
+## - and recipients)
+## - see whitelist_clients and whitelist_recipients in /etc/postgrey
+## -
+cp /usr/share/postgrey/postgrey-default /etc/default/postgrey
+
+## - edit /etc/default/postgrey
+## -
+## - set:
+## - POSTGREY_OPTS="--inet=10023 --delay=149"
+## -
+vim /etc/default/postgrey
+
+
+## - Complement the client whitelist. Put additional entries
+## - into file /etc/postgrey/whitelist_clients.local
+## -
+## - Notice the following Problem
+## - A delivery attempt runs into greylisting (because ist the first
+## - time) - Thats OK. But the next delivery attempt for just the same
+## - e-mail comes from another very different client-ip - and runs into
+## - greylisting again, and again, and again..
+## -
+## - very different client-ip meens: even if stripping the last byte of
+## - the ip-address, postgreys default (--lookup-by-subnet), the rest of
+## - the ip-addresse ist still different.
+## -
+## -
+cat << EOF > /etc/postgrey/whitelist_clients.local
+# For Office 365 - servers:
+##/.*outbound.protection.outlook.com\$/
+/^mail-.*\.outbound\.protection\.outlook\.com\$/
+EOF
+
+
+/etc/init.d/postgrey restart
+
+## - start at boot time
+## -
+update-rc.d postgrey defaults
+
+## - /etc/postfix/main.cf
+## -
+## -
+## - in section Restrictions, parameter smtpd_recipient_restrictions
+## - uncomment add
+## -
+## - ceck_policy_service inet:127.0.0.1:10023,,
+## -
+## - Notice:
+## - you can use the directive "warn_if_reject" just befor the check_policy_service
+## - directive and let it
+## - To bring postgrey to learn about incomming wanted emails, but not rejecting them
+## - by firts arrival, you can use the directive "warn_if_reject" just befor the check_policy_service
+## - directive. then the following directive "check_policy_service" will not reject, but
+## - only logging.
+## -
+vim /etc/postfix/main.cf
+/etc/init.d/postfix reload
+
+
+
+## ------------------------- #
+## --- install vacation --- #
+## ------------------------- #
+
+
+if [ "$_db_type" = "postgres" -o "$_db_type" = "postgresql" -o "$_db_type" = "pgsql" -o "$_db_type" = "psql" ];then
+ _db_type=Pg
+fi
+
+
+## - install prerequisites
+## -
+apt-get install libdbi-perl libmime-encwords-perl libemail-valid-perl \
+ libmail-sendmail-perl liblog-log4perl-perl libdbd-pg-perl \
+ libmail-sender-perl
+
+
+## - If MySQL/Postgres was installed from debian package system, install also perl
+## - modules "DBI" and DBD::mysql/DBD::Pg from debian package system
+## -
+if [ "$_db_type" = "Pg" ]; then
+ apt-get install libdbd-pgsql libdbd-pg-perl libdbi-perl libdbi-dev
+else
+ apt-get install libdbd-mysql libdbd-mysql-perl libdbi-perl libdbi-dev
+fi
+
+## - If MySQL/PostgresSQL was installed from source, install perl modules "DBI" and
+## - "DBD::mysql" via cpan
+## -
+cpan -i DBI
+if [ "$_db_type" = "Pg" ]; then
+ cpan -i DBD::Pg
+else
+ cpan -i DBD::mysql
+fi
+
+## - create a local accaount
+## -
+## - this user handles all potentially dangerous mail content - that is why it
+## - should be a separate account.
+## -
+addgroup --system --gid 65501 vacation
+adduser --system --home /var/spool/vacation --no-create-home --uid 65501 --gid 65501 --shell /usr/sbin/nologin vacation
+
+## - create directory /var/spool/vacation
+## -
+mkdir /var/spool/vacation
+chown vacation:vacation /var/spool/vacation
+
+## - as perl binary, we use the vacation.pl from the postfixadmin distribution.
+## -
+cd /usr/local/src/mailsystem/tarballs
+wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${_pf_admin_version}/postfixadmin-${_pf_admin_version}.tar.gz
+## - since postfixadmin v. 2.91 , the subject-patch i already included
+#wget http://sourceforge.net/p/postfixadmin/patches/_discuss/thread/69a7ce85/b4e9/attachment/vacation.pl_SUBJECT.patch
+
+
+cd /usr/local/src/mailsystem
+gunzip < tarballs/postfixadmin-${_pf_admin_version}.tar.gz | tar -xf -
+
+
+
+cd /tmp
+cp /usr/local/src/mailsystem/postfixadmin-${_pf_admin_version}/VIRTUAL_VACATION/vacation.pl /tmp/
+
+
+## - Add a patch
+## -
+## - Add capability to include the subject of the original mail in the subject of the vacation message.
+## - A good vacation subject could be: 'Re: $SUBJECT'
+## - Also corrected log entry about "Already informed ..." to show the $orig_from, not $email
+## -
+#wget http://sourceforge.net/p/postfixadmin/patches/_discuss/thread/69a7ce85/b4e9/attachment/vacation.pl_SUBJECT.patch
+
+
+## - Apply the patch
+## -
+## - !!Note:
+## - Patch is already included in version of postfixadmin distribution >= 2.91
+## -
+#patch -p0 /tmp/vacation.pl /usr/local/src/mailsystem/tarballs/vacation.pl_SUBJECT.patch
+
+
+## - postfixadmin, version 2.91 is broken if database backend is PostgreSQL
+## -
+## - I have written a patch, which fixes that errors
+## -
+## - Note:
+## - Patch seems already included in version of postfixadmin distribution >= 2.91
+## -
+#patch vacation.pl /usr/local/src/mailsystem/tarballs/vacation-4.0r1.pl_PGSQL.patch
+
+
+
+## - Encoding does not work as exspected.
+## -
+## - NOTE:
+## - this IS NOT a fix, but a workaround
+## -
+perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
+ /tmp/vacation.pl
+
+
+## - Copy vacation.pl into /var/spool/vacation/
+## -
+
+if [ -f /var/spool/vacation/vacation.pl ]; then
+ mv /var/spool/vacation/vacation.pl /var/spool/vacation/vacation.pl.`date "+%Y%m%d-%H%M"`
+fi
+cp vacation.pl /var/spool/vacation/
+chown vacation:vacation /var/spool/vacation/vacation.pl
+chmod 700 /var/spool/vacation/vacation.pl
+rm /tmp/vacation.pl
+
+
+## - Configure script vacation.pl
+## -
+## - Notice:
+## - the needed tables (named vacation and vacation_notification) are createt throug
+## - postfixadmin installation /setup)
+## -
+## - instead of changing this script, we put the needed entries
+## - to file /etc/postfixadmin/vacation.conf:
+## -
+## - $db_type = '$_db_type';
+## - $db_username = '$_db_user';
+## - $db_password = '$_db_pass';
+## - $db_name = '$_db_name';
+## - $vacation_domain = '$_autoreply_domain';
+## - $syslog = 0;
+## - $log_to_file = 1;
+## - $logfile = '/var/log/vacation.log';
+## - $log_level = 1;
+## - $interval = 60*60*24;
+## -
+
+mkdir /etc/postfixadmin/
+cat < /etc/postfixadmin/vacation.conf
+\$db_type = '$_db_type';
+\$db_username = '$_db_user';
+\$db_password = '$_db_pass';
+\$db_name = '$_db_name';
+\$vacation_domain = '$_autoreply_domain';
+\$syslog = 0;
+\$log_to_file = 1;
+\$logfile = '/var/log/vacation.log';
+\$log_level = 1;
+\$interval = 60*60*24;
+EOF
+
+
+touch /var/log/vacation.log
+chown vacation:vacation /var/log/vacation.log
+
+
+## - Logrotate entry for /var/log/vacation.log
+## -
+cat < /etc/logrotate.d/vacation
+/var/log/vacation.log {
+ daily
+ start 0
+ rotate 7
+ missingok
+ compress
+ delaycompress
+ notifempty
+ create 640 vacation vacation
+ copytruncate
+}
+EOF
+
+
+## - Deprecated - Already fixed in distribution
+## -
+## - Fix an Error, considering syslog-functionality in vacation.pl
+## -
+## - replace (line 208)
+## - Facility => 'mail',
+## - with
+## - facility => 'mail',
+## -
+#perl -i.ORIG -n -p -e "s#^(\s*)Facility(\s+=.*)#\1facility\2#" /var/spool/vacation/vacation.pl
+
+
+
+## - create an entry in /etc/hosts for the (non-existant domain)
+## - autoreply.warenform.de
+## - add:
+## -
+## - 127.0.0.1 autoreply.warenform.de
+## -
+perl -i. -n -p -e"s#(^\s*127.0.0.1\s+localhost.*)#\1\n\n127.0.0.1 $_autoreply_domain#" /etc/hosts
+vim /etc/hosts
+
+## - Define the transport type in the Postfix master file
+## - /etc/postfix/master.cf
+## -
+## - vacation unix - n n - - pipe
+## - flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
+## -
+cat <> /etc/postfix/master.cf
+
+vacation unix - n n - - pipe
+ flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f \${sender} -- \${recipient}
+EOF
+
+
+## - Setup the transport maps file /etc/postfix/transport
+## -
+## - add line:
+## -
+## - autoreply.warenform.de vacation:
+## -
+echo "$_autoreply_domain vacation:" >> /etc/postfix/transport
+postmap btree:/etc/postfix/transport
+
+## - Notice:
+## - take care the entry for transport_maps in /etc/postfix/main.cf
+## - contains "btree:/etc/postfix/transport"
+## -
+
+/etc/init.d/postfix reload
+
+
+
+## --------------------------------------------------- ##
+## --- Install AMaViS with ClamAV and Spamassassin --- ##
+## --------------------------------------------------- ##
+
+## - See file: amavis_clamav_sa.install
+
+
+## ------------------------------ ##
+## --- install dovecot server --- ##
+## ------------------------------ ##
+
+## - Use:
+## - install_update_dovecot.sh
+## -
+## - (Old) textversion: install_dovecot+mysql.txt
+
+
+## ---------------------------- ##
+## --- install postfixadmin --- ##
+## ---------------------------- ##
+
+## - See file: postfixadmin.install
+
+
+## ----------------------------------- ##
+## --- install roundcube Webmailer --- ##
+## ----------------------------------- ##
+
+## - See file: roundcube.install
+
+
+## ------------------------------------------------------ ##
+## - Mailgraph - a RRDtool frontend for Mail statistics - ##
+## ------------------------------------------------------ ##
+apt-get install rrdtool librrds-perl libfile-tail-perl
+
+cd /usr/local/src/mailsystem/tarballs
+wget http://mailgraph.schweikert.ch/pub/mailgraph-1.14.tar.gz
+gunzip < mailgraph-1.14.tar.gz | tar -xf -
+
+cd mailgraph-1.14
+cp mailgraph.pl /usr/local/bin/
+
+cp mailgraph-init mailgraph-init.ORIG
+cp mailgraph-init /etc/init.d/
+chmod 755 /etc/init.d/mailgraph-init
+
+
+
+## -------------------------------------- ##
+## - some litle tests ##
+## -------------------------------------- ##
+
+## - test smtp (STARTTLS), submission (587) (STARTTLS), smtp (SSL),
+## - pop3 (SSL), pop3 (STARTTLS), imap (SSL) and imap (STARTTLS)
+## -
+openssl s_client -crlf -starttls smtp -connect localhost:25 [-state -debug]
+openssl s_client -crlf -starttls smtp -connect localhost:587
+openssl s_client -crlf -connect localhost:465
+openssl s_client -crlf -connect localhost:995
+openssl s_client -crlf -starttls pop3 -connect localhost:110
+openssl s_client -crlf -connect localhost:993
+openssl s_client -crlf -starttls imap -connect localhost:143
+
diff --git a/DOC/postfix_sasl_cyrus_on_relayhost.txt b/DOC/postfix_sasl_cyrus_on_relayhost.txt
new file mode 100644
index 0000000..04c5c5d
--- /dev/null
+++ b/DOC/postfix_sasl_cyrus_on_relayhost.txt
@@ -0,0 +1,190 @@
+## - Configure a postfix server to act as relay host for
+## - AUTENTiCATED clients
+## -
+## - see also Postfix SASL Howto:
+## - http://www.postfix.org/SASL_README.html
+## - http://www.synology-wiki.de/index.php/Mail-Relay_mit_Postfix
+## -
+
+
+## - Todo:
+## - 1.) Configuring SASL authentication in the Postfix SMTP server
+## - - Configuring Cyrus SASL - using accounts are stored stored in a Cyrus SASL
+## - Berkeley DB database
+## - 2.) Configuring SASL authentication in the Postfix SMTP/LMTP client
+
+## - ------------------------------------------------------------- - ##
+## - 1. Configuring SASL authentication at the Postfix SMTP server - ##
+## - ------------------------------------------------------------- - ##
+
+## -----------------------------
+## - Create the sasldb2 Database
+## -
+## - To create and maintain the database, we will user the
+## - command-line utility "saslpasswd2". So, we have to install
+## - the packages sasl2-bin
+## -
+apt-get install sasl2-bin
+
+
+## - The sasldb auxprop plugin authenticates SASL clients against credentials
+## - that are stored in a Berkeley DB database. The database schema is specific
+## - to Cyrus SASL. The database is usually located at /etc/sasldb2
+## -
+## - !!!!
+## - NOTE: in chrooted postfix, thats if chroot in master.cf is not set (have
+## - "-") or is set to yes (have "y"), the database "sasdb2" ist
+## - searched in the chrooted path. In debian it is file
+## - /var/spool/postfix/etc/sasldb2
+## - !!!!
+## -
+
+
+## - Create a new account
+## -
+## - Note:
+## - 1.) usernames of accounts are of the Form:
+## - @ and NOT
+## -
+## - 2.) The database-file defaults to "/etc/sasldb2". But on chrooted
+## - postfix (as we have), the database file must placed to
+## - /var/spool/postfix/etc/sasldb2 - on default debian postfix
+## - install. So use flag "-f"
+## -
+saslpasswd2 -c -u b.mx.oopen.de -f /var/spool/postfix/etc/sasldb2
+
+## - Check with command-line utility "sasldblistusers2"
+## -
+sasldblistusers2 -f /var/spool/postfix/etc/sasldb2
+
+
+## ------------------------------------------------
+## - Configure and Enable Cyrus SASL authentication
+
+
+## - in /etc/postfix/main.cf set:
+## -
+## - smtpd_sasl_type = cyrus
+## -
+## - # Define the name of the configuration file. Cyrus SASL add's the
+## - # suffix ".conf". The location where Cyrus SASL searches for the named
+## - # file depends on the Cyrus SASL version and the OS/distribution used.
+## - # For debian it is: /etc/postfix/sasl/
+## - smtpd_sasl_path = smtpd
+## -
+## - # enable SASL authentication
+## - smtpd_sasl_auth_enable = yes
+## -
+## - # Disallow methods that allow anonymous authentication.
+## - smtpd_sasl_security_options = noanonymous
+## - smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
+## -
+## - # Do not accept SASL authentication over unencrypted connections
+## - smtpd_tls_auth_only = yes
+## -
+vim /etc/postfix/main.cf
+
+## - create /etc/postfix/sasl/smtpd.conf
+## -
+## - pwcheck_method: auxprop
+## - auxprop_plugin: sasldb
+## - mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
+## -
+## - Take care only to use provided login mechanisms
+## - # saslpluginviewer -x AUXPROP_MECHS
+## -
+vim /etc/postfix/sasl/smtpd.conf
+
+
+## - To allow (dynamic) ip-adresses to relay, even if they ar blacklistet
+## - you can use permit_sasl_authenticated in postfix smtpd_relay_restrictions
+## - BEFOR checking against blacklists
+## -
+## - in /etc/postfix/main.cf set:
+## -
+## - smtpd_recipient_restrictions =
+## - ...
+## - # permit trusted network mynetwork
+## - permit_mynetworks,
+## - # sasl authenticated user (we work as relayhost for some office networks)
+## - permit_sasl_authenticated,
+## - # dont' accept misconfigured Mail
+## - reject_non_fqdn_recipient,
+## - reject_unknown_sender_domain,
+## - reject_unknown_recipient_domain,
+## - reject_unlisted_recipient,
+## - # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
+## - permit_dnswl_client dnswl.oopen.de,
+## - #reject_rbl_client zen.spamhaus.org,
+## - reject_rbl_client ix.dnsbl.manitu.net,
+## - reject_rbl_client bl.spamcop.net,
+## - reject_rbl_client dnsbl.njabl.org,
+## - # Policyd-Weight
+## - ...
+## -
+vim /etc/postfix/main.cf
+
+
+## - --------------------------------------------------------------- - ##
+## - Configuring SASL authentication in the Postfix SMTP/LMTP client - ##
+## - --------------------------------------------------------------- - ##
+
+
+## - Notice: you have to install Pluggable Authentication Modules for SASL
+## - for debian: install package libsasl2-modules
+## -
+apt-get install libsasl2-modules
+
+
+## - Edit file /etc/postfix/main.cf and set:
+## -
+## - # Enable SASL authentication
+## - smtp_sasl_auth_enable = yes
+## -
+## - # Forwarding to the ip-adress of host b.mx.oopen.de
+## - relayhost = [b.mx.oopen.de]
+## -
+## - # File including login data
+## - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+## -
+## - # Force using a (TLS) security connection
+## - # obsulete - use smtp_tls_security_level instead
+## - #smtp_use_tls = yes
+## - #smtp_tls_enforce_peername = no
+## - smtp_tls_security_level = encrypt
+## -
+## - # Disallow methods that allow anonymous authentication.
+## - smtp_sasl_security_options = noanonymous
+## -
+vim /etc/postfix/main.cf
+
+
+## - Enter SASL account data into file /etc/postfix/sasl_passwd
+## -
+## - :
+## -
+## - Note: if relayhost is configured as above, username is of the form
+## - @
+## -
+vim /etc/postfix/sasl_passwd
+
+## - Important
+## -
+## - Keep the SASL client password file in /etc/postfix, and make the file
+## - read+write only for root to protect the username/password combinations against
+## - other users. The Postfix SMTP client will still be able to read the SASL
+## - client passwords. It opens the file as user root before it drops privileges,
+## - and before entering an optional chroot jail.
+## -
+chown root:root /etc/postfix/sasl_passwd
+chmod 600 /etc/postfix/sasl_passwd
+
+## - Create databasefile of /etc/postfix/sasl_passwd
+## -
+postmap /etc/postfix/sasl_passwd
+
+
+## - Reload postfix
+## -
+/etc/init.d/postfix reload
+
diff --git a/DOC/whitelist_email_domain_postgrey.txt b/DOC/whitelist_email_domain_postgrey.txt
new file mode 100644
index 0000000..8f6081f
--- /dev/null
+++ b/DOC/whitelist_email_domain_postgrey.txt
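Review bot: The client-side block of this hunk ends at `smtp_tls_security_level = encrypt`, which forces TLS but performs no certificate or peer-name check, so the username/password stored in sasl_passwd is sent to whatever host answers for [b.mx.oopen.de] (a DNS or on-path redirect is enough). Since the relayhost is a fixed name, `smtp_tls_security_level = secure` together with an `smtp_tls_CAfile` pointing at the system CA bundle authenticates the relay before AUTH; the commented `smtp_tls_enforce_peername = no` line should then be dropped rather than kept as a hint. The ownership/mode advice near the end covers only the client's sasl_passwd, while the server-side `/var/spool/postfix/etc/sasldb2` created by `saslpasswd2` earlier in the hunk holds the account secrets and gets no permissions at all — a line such as `# sasldb2 holds the account secrets: keep it root-owned and readable only by the group the SASL daemon/postfix runs with (Debian default root:sasl 0640) — confirm for this host` would close that gap. The `mech_list` line also enables CRAM-MD5, DIGEST-MD5 and NTLM beside PLAIN/LOGIN; with `smtpd_tls_auth_only = yes` already in place, a comment stating which clients actually need the challenge-response mechanisms would justify keeping them, and trimming the list to what is used reduces the server's attack surface.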
@@ -0,0 +1,29 @@
+## - Empfänger Domains oder E-Mailadressen vom Greylisting
+## -ausschliessen
+
+## - Dazu zu sind Einträge in der whitelist_recipients nötig.
+## - Das ist die Whitelist für die Empfänger, die dort eingetragenen
+## - Domains, Postfächer oder E-Mail-Adressen werden vom Greylisting
+## - ausgeschlossen.
+## -
+## - Die whitelist_recipients sind unter /etc/postgrey zu finden.
+## -
+vim /etc/postgrey/whitelist_recipients
+
+## - Beispiel /etc/postgrey/whitelist_recipients:
+## -
+## - # postgrey whitelist for mail recipients
+## - # --------------------------------------
+## - # put this file in /etc/postgrey or specify its path
+## - # with --whitelist-recipients=xxx
+## -
+## - postmaster@
+## - abuse@
+## -
+## - # Domain und E-Mail-Adresse vom Greylisting ausschließen
+## - oopen.de
+## - wolle@k8h.de
+## -
+## - # Diese Einträge wären ueberflüssig
+## - #ckubu-adm@oopen.de
+## - #argus@oopen.de
diff --git a/DOC/whitelist_host_ip_address.txt b/DOC/whitelist_host_ip_address.txt
new file mode 100644
index 0000000..d13c1f4
--- /dev/null
+++ b/DOC/whitelist_host_ip_address.txt
@@ -0,0 +1,185 @@
+## - To whitelist a server ther a multiple possibilities
+## -
+
+## -----
+## - 1.)
+## -
+## - To whitelist a server (name or ip-adress) or network , create the file
+## - /etc/postfix/rbl_override
+## - where you list all IP addresses or host names
+## - (one per line!) that you want to whitelist:
+## -
+## - 1.2.3.4 OK
+## - mail.freemailer.tld OK
+## - 194.25.134/24 OK
+## - ...
+## -
+vim /etc/postfix/rbl_override
+
+## - After you've created/modified that file, you must run:
+## -
+postmap btree:/etc/postfix/rbl_override
+#postmap /etc/postfix/rbl_override
+
+## - Next open
+## - /etc/postfix/main.cf
+## - and search for the smtpd_recipient_restrictions parameter.
+## - Add check_client_access hash:/etc/postfix/rbl_override to
+## - that parameter, after reject_unauth_destination, but before
+## - the first blacklist.
+## -
+## - smtpd_recipient_restrictions =
+## - ...
+## - permit_sasl_authenticated,
+## - check_client_access btree:/etc/postfix/rbl_override,
+## - #check_client_access hash:/etc/postfix/rbl_override,
+## - reject_rbl_client zen.spamhaus.org,
+## - ...
+
+
+## - Now restart postfix:
+## -
+/etc/init.d/postfix restart
+
+
+## ----
+## - Notice:
+## - there are also whitelist dns service, like list.dnswl.org
+## - see: http://www.dnswl.org/
+## - requesting such a service works the same as requesting a
+## - blacklist server like
+## -
+## - for example the server 194.25.134.17 (one mailserver from t-online)
+## - is blacklisted at bl.spamcop.net. that means the request
+## -
+## - chris@sol:~$ dig 17.134.25.194.bl.spamcop.net
+## -
+## - results in an ANSWER SECTION like
+## -
+## - 17.134.25.194.bl.spamcop.net. 2100 IN A 127.0.0.2
+## -
+## - ( or using host command:
+## - chris@sol:~$ host 17.134.25.194.bl.spamcop.net
+## - 17.134.25.194.bl.spamcop.net has address 127.0.0.2 )
+## -
+## - in contrast to "not found: 3(NXDOMAIN)" in case of a not blacklistet one
+## -
+## -
+## - That t-online server is also (white-)listed at the at list.dnswl.org and
+## - so, the request
+## -
+## - chris@sol:~$ dig 17.134.25.194.list.dnswl.org
+## -
+## - results in an ANSWER SECTION like:
+## -
+## - 17.134.25.194.list.dnswl.org. 12506 IN A 127.0.5.0
+## -
+## - or rather
+## - chris@sol:~$ host 17.134.25.194.list.dnswl.org
+## - 17.134.25.194.list.dnswl.org has address 127.0.5.0
+## -
+## -
+## -----
+
+
+
+## -----
+## - 2.)
+## -
+## - You can question more than one blacklist server an also whitelist server,
+## - weight the single result and make a decision after getting the all-overresult
+## -
+## - Do so, use parameters "postscreen_dnsbl_sites and"
+## - "postscreen_dnsbl_threshold".
+## -
+## -
+## - Example configuration:
+## -
+## - postscreen_dnsbl_sites =
+## - one.blacklist.server.com*2
+## - another.blacklist.server.com
+## - third.blacklist.server.com
+## - list.dnswl.org*-3
+## - postscreen_dnsbl_threshold=1 # (the default value)
+## -
+## - if the requested incomming-ip-adress matches the first blacklist server,
+## - you get a result of "2" (because the entry for that blacklict server is
+## - weighted with 2).
+## - if the requested ip-address matches the second or the third blacklist
+## - server the result is each with "1"
+## - if the requested ip-address matches the whitelist server, the result
+## - is "-3"
+## -
+## - assuming all servers matches, than the all over result is "2+1+1-3=1".
+## - because 1 is equal or grater than "1" (the value of the parameter of
+## - "postscreen_dnsbl_threshold"), the concerning the concerning network
+## - connection will be dropped.
+## -
+## - assuming the first and second blacklist server and also the whitelist
+## - server matches the concerning the all over result is "2+1-3=0".
+## - Because 0 is lower then 1 (the value of the parameter
+## - "postscreen_dnsbl_threshold"). the connection will be accepted (at that
+## - point)
+## -
+## -
+## - See "man postconf" or site
+## - http://www.postfix.org/postconf.5.html for advanced usage
+## -
+## -----
+
+
+
+## -----
+## - 3.)
+## -
+## - you can use postfix conf parameter "permit_dnswl_client"
+## - in main.cf
+## -
+## - here is an example using list.dnswl.org
+## -
+## - smtpd_recipient_restrictions =
+## - ...
+## - permit_sasl_authenticated,
+## - permit_dnswl_client list.dnswl.org,
+## - reject_rbl_client someblacklist.example.com,
+## - reject_rbl_client moreblacklist.example.com,
+## - permit_mynetworks,
+## - ...
+## -
+## - To override only for "low", "med" and "hi" (see
+## - http://www.dnswl.org/tech):
+## -
+## - smtpd_recipient_restrictions =
+## - ...
+## - permit_sasl_authenticated,
+## - permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
+## - reject_rbl_client someblacklist.example.com,
+## - permit_mynetworks,
+## - reject_unauth_destination
+## -
+## -----
+
+## - Notice:
+## -
+## - I have configured some white list entries d.c.b.a.dnswl.oopen.de.
+## - see file /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone on
+## - a.ns.oopen.de
+## -
+## - i.e. to avoid blacklisting t-online servers 194.25.134.*, i added
+## - the followig entry
+## -
+## - +*.134.25.194.dnswl.oopen.de:127.0.0.2:4300
+## -
+## - i added also a concerning TXT record (not needed):
+## - '*.134.25.194.dnswl.oopen.de:T-Online:4300
+## -
+## - concernin entry in smtpd_recipient_restrictions of main.cf:
+## -
+## - ...
+## - # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
+## - # Whitelist (configured on a.ns.oopen.de
+## - # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone )
+## - permit_dnswl_client dnswl.oopen.de,
+## - # Blacklists
+## - reject_rbl_client zen.spamhaus.org,
+## - reject_rbl_client ix.dnsbl.manitu.net,
+## - ...
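Review bot: In the second section-3 example, `permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]` is evaluated before the closing `reject_unauth_destination`, and the section-1 example places `check_client_access btree:/etc/postfix/rbl_override` directly after `permit_sasl_authenticated` with everything above it elided as `...`, so a client matched by either whitelist is permitted outright — including relaying to non-local destinations — on any Postfix where `smtpd_relay_restrictions` (2.10+) is not already rejecting unauthorized relay first. The section-1 prose does say the lookup belongs after `reject_unauth_destination`, so the examples should show that ordering explicitly instead of leaving it to `...`: put `## -     reject_unauth_destination,` immediately above `## -     check_client_access btree:/etc/postfix/rbl_override,` and likewise above the `permit_dnswl_client` line, and add `## - # OK / dnswl matches only bypass the RBL checks - never move them above reject_unauth_destination`. Separately, the section-1 prose says `check_client_access hash:/etc/postfix/rbl_override` while the table is built with `postmap btree:`; the map type in main.cf must match the one given to postmap or Postfix will not open the table, so use `btree:` in both places (the commented-out `hash:` lines suggest that is the intent).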