CentOS+Postfix+SpamAssassin: Building a Full-Featured Mail Server


I spent the past few days fiddling with a mail server on CentOS for my own use, and found that a complete setup is really complicated.

I only got domain binding and user creation working; I did not set up quota limits and so on.

Postfix
Dovecot
SASL
Procmail
Postgrey
Mailscanner
Spamassassin
ClamAV
Mailscanner-mrtg
MailWatch
Openwebmail
MySPAM
Part-1:Postfix+Dovecot+SASL+Procmail
I. Remove sendmail and install Postfix
/etc/init.d/sendmail stop
yum install postfix
rpm -e sendmail
chkconfig --add postfix
/etc/init.d/postfix start
II. Install cyrus-sasl
yum install cyrus-sasl
1. Start saslauthd at boot
chkconfig saslauthd on
service saslauthd start
2. Edit the SASL configuration
vim /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
#mech_list: PLAIN LOGIN
(On 64-bit CentOS the file lives under /usr/lib64/sasl2/ instead. It must be called smtpd.conf because that is the application name Postfix hands to the SASL library. PLAIN and LOGIN carry the password base64-encoded, not encrypted, so on a server reachable from the internet they belong only inside TLS sessions; Postfix's smtpd_tls_auth_only setting makes it offer AUTH only after STARTTLS.)
III. Install Procmail
yum install procmail
1. Configure Procmail
vim /etc/procmailrc
LOGFILE=/var/log/procmail/procmail.log
(set the remaining recipes as needed)
2. Create the log file
mkdir /var/log/procmail
touch /var/log/procmail/procmail.log
chmod 644 /var/log/procmail/procmail.log
(Postfix runs mailbox_command as the recipient user, so a root-owned 644 file is not writable by the users procmail actually runs as and nothing gets logged. Either make the file writable by the mail users or set LOGFILE to a path under each user's home directory.)
3. Configure logrotate
vim /etc/logrotate.d/procmail
/var/log/procmail/procmail.log {
monthly
size=10M
rotate 5
nocompress
}
(In logrotate, size takes precedence over the time interval: with both set, the log is rotated whenever it exceeds 10 MB rather than monthly.)
IV. Install dovecot (POP3 and IMAP)
yum install dovecot
1. Edit dovecot
vim /etc/dovecot.conf
Enable POP3 (the heading promises IMAP too; add it to the same line, as in protocols = pop3 imap, if you want both)
protocols = pop3
LingPing by 2008/09/12
Allow plaintext authentication
disable_plaintext_auth = no
(This lets clients send their password unencrypted on ports 110/143. The default, yes, is the safer choice: Dovecot then still accepts plaintext mechanisms inside SSL/TLS sessions and from localhost, so enable SSL in dovecot.conf instead of turning this off.)
Disguise the greeting banner
login_greeting = Microsoft Exchange 2000 POP3 server version 6.0.6603.0 (ex.roc.corp) ready.
(Cosmetic only; scanners fingerprint protocol behaviour, not the banner text.)
2. Start dovecot
chkconfig dovecot on
service dovecot start
3. Change the permissions on the mail spool
chmod a+rwxt /var/mail
(Mode 1777 lets every local user create files in /var/mail; the sticky bit stops them deleting each other's mailboxes. This is acceptable only on a host without untrusted shell accounts.)
V. Configure Postfix
vim /etc/postfix/main.cf
1. Listen on all interfaces
#inet_interfaces = localhost
inet_interfaces = all
mail_owner = postfix
2. Hostname and domain settings
mynetworks = 192.168.0.0/24, 127.0.0.0/8
mynetworks_style = host
myhostname = mail.domain.com
mydomain = domain.com
(When mynetworks is set explicitly, mynetworks_style is ignored. Every address in mynetworks may relay through this server without authenticating, so list only networks you control.)
3. Deliver through procmail
mailbox_command = /usr/bin/procmail
4. Enable SASL
EX.
#SMTP SASL auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
Parameter by parameter:
#Turn on SMTP authentication
smtpd_sasl_auth_enable = yes
#Compatibility with old clients (Outlook Express and the like) that only understand the non-standard "AUTH=" capability line
broken_sasl_auth_clients = yes
#Allow SASL-authenticated clients and mail whose final destination is this host; reject everything else
smtpd_recipient_restrictions = permit_sasl_authenticated permit_auth_destination reject_unauth_destination
#Allow clients that have authenticated
smtpd_client_restrictions = permit_sasl_authenticated
#Only non-anonymous mechanisms
smtpd_sasl_security_options = noanonymous
#SASL realm for local accounts
smtpd_sasl_local_domain = $myhostname
#Reject senders whose domain does not resolve
smtpd_sender_restrictions = reject_unknown_sender_domain
#Block hosts whose name marks them as a dynamic-IP client
smtpd_client_restrictions = check_client_access regexp:/etc/postfix/access_re
(smtpd_sasl_application_name is the pre-2.3 name of the parameter that selects the SASL configuration file; Postfix 2.3 and later call it smtpd_sasl_path, and still accept the old name. Note that smtpd_client_restrictions appears twice above: Postfix takes the last value in main.cf and postconf warns about the overridden entry, so put all rules into one list as in item 5. The regexp map is the regexp-format file /etc/postfix/access_re from item 5, not the hash-format /etc/postfix/access.)
Writing restriction lists
Every continuation line must start with whitespace, the items are separated by commas, and the last item has no trailing comma.
5. Restrict clients by IP/domain
EX.
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash:/etc/postfix/access,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client xbl.spamhaus.org,
reject_rbl_client dsbl.dnsbl.net.au
Item by item:
#Skip the checks for the internal network
permit_mynetworks,
#Skip the checks for SASL-authenticated clients
permit_sasl_authenticated,
#Reject clients whose address has no valid reverse DNS (aggressive: many legitimate but badly run mail servers fail this, which is why it is not in the list above)
reject_unknown_client,
#Reject clients listed in the access table
check_client_access hash:/etc/postfix/access,
(first create /etc/postfix/access to reject clients from dynamic-IP pools; Postfix looks up the client hostname and then each of its parent domains, so an entry for dynamic.hinet.net also matches a-b-c-d.dynamic.hinet.net
dynamic.apol.com.tw REJECT We can't allow dynamic IP to relay!
dynamic.giga.net.tw REJECT We can't allow dynamic IP to relay!
dynamic.hinet.net REJECT We can't allow dynamic IP to relay!
dynamic.seed.net.tw REJECT We can't allow dynamic IP to relay!
dynamic.tfn.net.tw REJECT We can't allow dynamic IP to relay!
dynamic.ttn.net REJECT We can't allow dynamic IP to relay!
dynamic.lsc.net.tw REJECT We can't allow dynamic IP to relay!
then run postmap hash:/etc/postfix/access to build the .db file, and run it again after every edit)
#Use a regular expression to reject any client whose hostname contains "dynamic"
check_client_access regexp:/etc/postfix/access_re
(first create /etc/postfix/access_re with the content
/dynamic/ REJECT
regexp tables are read directly and need no postmap)
#DNS blocklists (DNSBLs)
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client xbl.spamhaus.org,
reject_rbl_client dsbl.dnsbl.net.au
(Check that every list you query is still in operation before relying on it: a list that has been shut down may answer every query positively and then rejects all of your inbound mail. The DNSBL checks come after permit_sasl_authenticated so that your own users on dynamic addresses are not blocked when they submit mail.)
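The restriction list above is evaluated top to bottom and the first permit or reject wins, but the lookup rules behind each entry are easy to get wrong: a hash: table is consulted for the client hostname and every parent domain, then for the client address and its prefixes, while reject_rbl_client turns the address into a reversed-octet DNS name under the list's zone. The following Python model, written for this page as an added example (it is not Postfix code and not from the original tutorial), walks a client through the list using constructed copies of the two access tables and a constructed dictionary standing in for DNS; reject_unknown_client is not modelled, and a DUNNO result means the later HELO, sender and recipient lists decide.

```python
import ipaddress
import re

MYNETWORKS = ["192.168.0.0/24", "127.0.0.0/8"]

# Constructed copies of the two access tables from the text.  ACCESS_HASH is
# what postmap would compile from /etc/postfix/access (only two entries kept);
# ACCESS_REGEXP is /etc/postfix/access_re as written: pattern, then action.
ACCESS_HASH = {
    "dynamic.apol.com.tw": "REJECT We can't allow dynamic IP to relay!",
    "dynamic.hinet.net": "REJECT We can't allow dynamic IP to relay!",
}
ACCESS_REGEXP = [(re.compile(r"dynamic"), "REJECT")]

DNSBL_ZONES = ["cbl.abuseat.org", "sbl.spamhaus.org", "xbl.spamhaus.org"]
# Constructed stand-in for DNS: a name present here is "listed" (127.0.0.x).
FAKE_DNS = {"4.3.2.1.sbl.spamhaus.org": "127.0.0.2"}


def dnsbl_query_name(ip, zone):
    """reject_rbl_client queries <reversed octets>.<zone>: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup_hash(table, hostname, ip):
    """Postfix hash: lookup order for a client: the hostname, each parent domain
    (but not the bare TLD), then the address and its shorter prefixes."""
    labels = hostname.lower().split(".")
    keys = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    for key in keys:
        if key in table:
            return table[key]
    return None


def lookup_regexp(table, hostname):
    """regexp: tables are tried in file order against the hostname."""
    for pattern, action in table:
        if pattern.search(hostname):
            return action
    return None


def evaluate_client(client_ip, client_name, sasl_user=None, resolver=FAKE_DNS):
    """Walk smtpd_client_restrictions in order; the first permit/reject wins."""
    ip = ipaddress.ip_address(client_ip)
    # permit_mynetworks
    if any(ip in ipaddress.ip_network(net) for net in MYNETWORKS):
        return "PERMIT permit_mynetworks"
    # permit_sasl_authenticated
    if sasl_user:
        return "PERMIT permit_sasl_authenticated"
    # check_client_access hash:/etc/postfix/access
    action = lookup_hash(ACCESS_HASH, client_name, client_ip)
    if action:
        return action
    # check_client_access regexp:/etc/postfix/access_re
    action = lookup_regexp(ACCESS_REGEXP, client_name)
    if action:
        return action
    # reject_rbl_client <zone>, one DNS query per zone
    for zone in DNSBL_ZONES:
        if dnsbl_query_name(client_ip, zone) in resolver:
            return "REJECT 554 Service unavailable; Client host [%s] blocked using %s" % (client_ip, zone)
    return "DUNNO"


if __name__ == "__main__":
    for ip, name in [("192.168.0.9", "pc9.lan"),
                     ("203.0.113.5", "1-2-3-4.dynamic.hinet.net"),
                     ("1.2.3.4", "mx.example.org")]:
        print(ip, name, "->", evaluate_client(ip, name))
```

Because the hash lookup climbs to parent domains, one line per provider pool is enough; and because the DNSBL checks sit after permit_sasl_authenticated, a listed home address that authenticates is still allowed to submit.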
6. Require a HELO before MAIL FROM
smtpd_helo_required = yes
7. Validate the HELO name
EX.
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_hostname,
check_helo_access hash:/etc/postfix/fake_helo
#Reject a syntactically invalid HELO hostname
reject_invalid_hostname,
#Stricter alternatives, left off: reject names that are not fully qualified, or that do not resolve (the latter rejects many legitimate but misconfigured servers)
#reject_non_fqdn_hostname,
#reject_unknown_hostname,
#Reject outside hosts that greet with our own domain
check_helo_access hash:/etc/postfix/fake_helo
(Reject outside hosts that claim to be our own domain in HELO.
First create /etc/postfix/fake_helo with the content
example.com REJECT
where example.com stands for your own domain (domain.com in the settings above), then build the DB with postmap hash:/etc/postfix/fake_helo. This entry must stay behind permit_mynetworks or permit_sasl_authenticated, otherwise your own clients, which legitimately greet with that name, are rejected as well.)
#Reject immediately instead of waiting until RCPT TO
smtpd_delay_reject = no
(The Postfix default is yes, and it is the safer choice: with delay_reject = no the HELO restrictions are evaluated before the client has had a chance to authenticate, so permit_sasl_authenticated cannot help there, the log line lacks sender and recipient, and some clients misbehave when rejected before RCPT TO. Keep the default unless you have a specific reason.)
8. Restrict by MAIL FROM
EX.
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain
#Reject mail from outside that claims to come from our own domain
#check_sender_access hash:/etc/postfix/fake_from,
(create /etc/postfix/fake_from with the content
example.com REJECT
and build it with postmap hash:/etc/postfix/fake_from. It is commented out above because, placed after permit_mynetworks alone, it also rejects your own SASL-authenticated users sending from outside; add permit_sasl_authenticated in front of it before enabling it.)
#Reject sender addresses that are not fully qualified, and (reject_unknown_sender_domain) whose domain does not exist
reject_non_fqdn_sender
9. Restrict by recipient
EX.
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
permit_auth_destination,
reject_unauth_destination
(reject_unauth_destination is what keeps this server from being an open relay; never place a permit rule that arbitrary remote clients could match in front of it. The check_policy_service line requires the Postgrey daemon from the Postgrey section below to be running.)
#A lot of advertising mail uses edm@xxx.com as the sender
header_checks = regexp:/etc/postfix/hc
(create a file /etc/postfix/hc with the content
/^From:.*edm@/ REJECT
to reject advertising mail whose From: header is edm@xxx.com using a regular expression. Postfix has a single header_checks parameter, and the MailScanner setup in Part-2 assigns it /etc/postfix/header_checks; when you get there, move this pattern into that file rather than keeping two values.)
10. Disguise the banner shown when connecting to Postfix
smtpd_banner = $myhostname ESMTP Welcome to Microsoft Exchange 2003
(The SMTP greeting must begin with the server's hostname, and Postfix documents that smtpd_banner has to start with $myhostname; some receiving systems penalise a banner that does not. The text after the hostname is free, and the disguise is purely cosmetic.)
11. Queue lifetimes
#How long to keep retrying delivery
maximal_queue_lifetime = 5d
#How long to keep retrying delivery of bounces
bounce_queue_lifetime = 5d
12. Maximum message size
message_size_limit = 512000000
(roughly 488 MB, far above the usual 10 to 50 MB; every message up to this size is held in full in the queue and in MailScanner's work directory while it is scanned)
13. Per-account mailbox size limit (unlimited)
mailbox_size_limit = 0
(0 disables the limit; a non-zero value must not be smaller than message_size_limit, or local delivery of large messages fails)
--------------------------------------------------------------------
SASL test
1. Start saslauthd
/etc/rc.d/init.d/saslauthd start
service postfix reload
2. Test
testsaslauthd -u user -p 'password'
0: OK "Success." --> success
(the password ends up in the shell history; use a throwaway account)
3. Related configuration file
/etc/sysconfig/saslauthd
the relevant setting is MECH=shadow (saslauthd checks passwords against /etc/shadow; pam is the usual alternative)
4. Listing the saslauthd mechanisms
saslauthd -v
saslauthd 2.1.19
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
5. Telnet test
telnet mail.domain.com 25
EHLO test.com
250-mail.domain.com
250-PIPELINING
250-SIZE 512000000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
The sixth and seventh lines (250-AUTH and 250-AUTH=) show the mechanisms currently offered; the second form is the non-standard one produced by broken_sasl_auth_clients. Both PLAIN and LOGIN send the password base64-encoded, so on an internet-facing server this advertisement should only appear after STARTTLS. Note also the 250-VRFY line: VRFY lets anyone probe which accounts exist, and Postfix's disable_vrfy_command setting turns it off.
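Reading the EHLO reply by eye is fine once; checking it after every change is better done by a script. The Python below is an added example written for this page, not code from the original tutorial or from Postfix: it parses the captured EHLO reply shown above (copied in as a constructed sample with the CRLF line endings a real client would see), folds the "AUTH=" compatibility line into the AUTH capability, builds the exact base64 string a client sends after AUTH PLAIN, and reports the things a reviewer would flag. The thresholds and finding texts are assumptions of this example.

```python
import base64
import re

# Constructed sample: the EHLO reply from the telnet test above, as received
# on the wire (CRLF endings, "250-" continuation lines, "250 " final line).
SAMPLE_EHLO = (
    "250-mail.domain.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 512000000\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-AUTH=PLAIN LOGIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [params]}.

    The first line carries the server hostname, not a capability.  A line of
    the form "AUTH=PLAIN LOGIN" (broken_sasl_auth_clients) is merged into AUTH.
    """
    lines = reply.strip().splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a 250 EHLO reply: %r" % reply[:40])
    caps = {"HOSTNAME": [lines[0][4:].split()[0]]}
    for line in lines[1:]:
        m = re.match(r"250[- ](\S+?)(?:[ =](.*))?$", line)
        if not m:
            raise ValueError("malformed EHLO line: %r" % line)
        keyword, rest = m.group(1).upper(), m.group(2)
        bucket = caps.setdefault(keyword, [])
        for param in (rest.split() if rest else []):
            if param not in bucket:
                bucket.append(param)
    return caps


def auth_plain_token(user, password, authzid=""):
    """SASL PLAIN initial response: base64(authzid NUL authcid NUL password).

    This is precisely what crosses the wire after "AUTH PLAIN", which is why
    it must only be sent inside TLS: base64 is encoding, not encryption.
    """
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, user, password))
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Recover (authzid, authcid, password) from a captured AUTH PLAIN token."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN token must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def audit_capabilities(caps, tls_active=False):
    """Return the findings to raise about an EHLO banner.

    tls_active tells whether this EHLO was issued after STARTTLS; plaintext
    mechanisms are acceptable there and a problem anywhere else.
    """
    findings = []
    offered = set(caps.get("AUTH", []))
    exposed = sorted(offered & PLAINTEXT_MECHS)
    if exposed and not tls_active:
        findings.append("plaintext SASL mechanisms %s offered before STARTTLS" % ",".join(exposed))
    if offered and "STARTTLS" not in caps and not tls_active:
        findings.append("AUTH offered but STARTTLS is not available at all")
    if "VRFY" in caps:
        findings.append("VRFY enabled: remote users can enumerate valid accounts")
    size = caps.get("SIZE")
    if size and size[0].isdigit() and int(size[0]) > 100 * 1024 * 1024:
        findings.append("SIZE limit %s bytes is unusually large" % size[0])
    return findings


if __name__ == "__main__":
    capabilities = parse_ehlo(SAMPLE_EHLO)
    for finding in audit_capabilities(capabilities):
        print("finding:", finding)
    print("AUTH PLAIN token for user/password:", auth_plain_token("user", "password"))
```

Feed it the output of a real EHLO (before and after STARTTLS) and the second audit should come back empty while the first reports no AUTH at all.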
---------------------------------------------------------------------
Postfix test
1. Check that it is listening
service postfix restart
netstat -tupln | grep :25
Postfix should be listening on port 25
2. Check the Postfix configuration
#postconf
shows every parameter with its current value (postconf -n lists only the ones set in main.cf)
#postconf -d
shows the built-in defaults
3. Sending mail over telnet
The sequence a client uses to hand a message to the server is
HELO / EHLO domain-name
MAIL FROM: sender e-mail
RCPT TO: recipient e-mail
DATA message content, ended by a line containing only .
QUIT leave after sending
Run this from an outside address with a RCPT TO for a foreign domain: the answer must be 554 Relay access denied. If the recipient is accepted, the server is an open relay.
Postgrey
Postgrey implements greylisting. Most spam hosts "fire and forget", so the first delivery attempt from an unknown (client, sender, recipient) triple is temporarily rejected; only when a real mail server retries after the delay is the connection accepted and the triple added to the whitelist.
1. Install Postgrey
yum install postgrey
2. Start postgrey
service postgrey start
chkconfig postgrey on
3. Configure Postgrey for Postfix
Method one
vim /etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
reject_unauth_destination
Method two
a. vim /etc/sysconfig/postgrey
OPTIONS="--inet=127.0.0.1:10023 --delay=60"
b. vim /etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
check_policy_service inet:127.0.0.1:10023,
reject_unauth_destination
(Postgrey's default delay is 300 seconds; 60 is gentler on legitimate senders. With either method the policy check must stay in front of reject_unauth_destination, as shown, and it should come after permit_sasl_authenticated so your own users are never greylisted. If the policy daemon is down, Postfix answers with a temporary error instead of accepting the mail, so the failure mode is safe.)
Notes:
◎ Whitelist
vim /etc/postfix/postgrey_whitelist_clients
◎ Clearing the database
rm /var/spool/postfix/postgrey/*
(stop postgrey first, otherwise the running daemon keeps its open database handles and the files reappear)
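What Postgrey does with each RCPT TO is a small state machine over the (client, sender, recipient) triple, and seeing it spelled out makes the whitelist and the delay easier to reason about. The following Python is an added example for this page, not Postgrey's code and not from the original tutorial. It parses a Postfix policy-delegation request (name=value lines terminated by an empty line, which is the protocol check_policy_service speaks), applies a constructed whitelist in the format of postgrey_whitelist_clients (domain suffixes, addresses, CIDR blocks, /regex/ patterns) and answers with the actions Postgrey actually returns, DEFER_IF_PERMIT or DUNNO. It simplifies in two assumed ways: the triple is keyed on the exact client address (Postgrey uses the /24 by default) and the sender address is used verbatim (Postgrey normalises it), and the store is in memory rather than a database.

```python
import ipaddress
import re

# Constructed sample in the format of /etc/postfix/postgrey_whitelist_clients.
SAMPLE_WHITELIST = r"""
# comments and blank lines are ignored
postfix.org
192.168.0.0/24
10.1.2.3
/^mail[0-9]*\.partner\.example$/
"""

# Constructed sample of one Postfix policy request, as sent to the daemon.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.7\n"
    "client_name=unknown\n"
    "sender=someone@example.net\n"
    "recipient=user@domain.com\n"
    "\n"
)

DELAY = 60              # seconds, matching --delay=60 above
MAX_AGE = 35 * 86400    # forget triples not seen for 35 days (Postgrey's default)


def parse_whitelist(text):
    """Return [(kind, value)] with kind in {"net", "domain", "regex"}."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("/") and line.endswith("/"):
            entries.append(("regex", re.compile(line[1:-1])))
        else:
            try:
                entries.append(("net", ipaddress.ip_network(line, strict=False)))
            except ValueError:
                entries.append(("domain", line.lower()))
    return entries


def is_whitelisted(entries, client_ip, client_name):
    ip = ipaddress.ip_address(client_ip)
    name = client_name.lower()
    for kind, value in entries:
        if kind == "net" and ip in value:
            return True
        if kind == "domain" and (name == value or name.endswith("." + value)):
            return True
        if kind == "regex" and value.search(name):
            return True
    return False


class Greylist:
    """Greylisting decisions with an in-memory store (Postgrey uses Berkeley DB)."""

    def __init__(self, whitelist_text="", delay=DELAY):
        self.whitelist = parse_whitelist(whitelist_text)
        self.delay = delay
        self.first_seen = {}   # triple -> time of the first attempt
        self.passed = {}       # triple -> time of the last accepted attempt

    def decide(self, client_ip, client_name, sender, recipient, now):
        if is_whitelisted(self.whitelist, client_ip, client_name):
            return "DUNNO"
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed and now - self.passed[key] <= MAX_AGE:
            self.passed[key] = now
            return "DUNNO"
        first = self.first_seen.get(key)
        if first is None or now - first > MAX_AGE:
            self.first_seen[key] = now
            return "DEFER_IF_PERMIT Greylisted, retry after %d seconds" % self.delay
        if now - first < self.delay:
            return "DEFER_IF_PERMIT Greylisted, retry after %d seconds" % (self.delay - (now - first))
        # The sender retried after the delay: accept and remember the triple.
        self.passed[key] = now
        del self.first_seen[key]
        return "DUNNO"


def parse_policy_request(raw):
    """Parse one policy request: name=value lines, an empty line ends it."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def handle_request(greylist, raw, now):
    """Produce the response Postfix expects: 'action=...' plus an empty line."""
    a = parse_policy_request(raw)
    action = greylist.decide(a["client_address"], a.get("client_name", "unknown"),
                             a.get("sender", ""), a["recipient"], now)
    return "action=%s\n\n" % action
```

DEFER_IF_PERMIT rather than a plain DEFER is deliberate: if a later restriction (such as reject_unauth_destination) would reject the mail anyway, Postfix uses that permanent rejection instead of the temporary one, so spammers are not invited to retry a message that would never be accepted.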
Part-2: MailScanner+ClamAV+SpamAssassin, covering content and virus filtering
A. Install MailScanner
1. Install the prerequisites
yum install patch rpm-build
yum install perl-MIME-tools
yum install gcc perl-Archive-Zip
2. Download MailScanner
cd /usr/local/src
elinks http://www.mailscanner.info/downloads.html
download Version 4.70.7-1 for RedHat, Fedora and Mandrake Linux (and other RPM-based Linux distributions)
3. Install MailScanner
cd /usr/local/src
tar -zxvf MailScanner-4.70.7-1.rpm.tar.gz
cd MailScanner-4.70.7-1
./install.sh
(the archive arrives over plain HTTP and install.sh runs as root, so compare it against whatever checksum the project publishes before running it)
4. Start MailScanner
service postfix stop
chkconfig postfix off
chkconfig --level 2345 MailScanner on
service MailScanner start
(the MailScanner init script starts and stops Postfix itself, which is why Postfix's own init script is disabled)
5. Edit the MailScanner configuration file
vim /etc/MailScanner/MailScanner.conf
Basic settings
Run As User = postfix (user MailScanner runs as)
Run As Group = postfix (group MailScanner runs as)
Incoming Queue Dir = /var/spool/postfix/hold (queue it reads unscanned mail from)
Outgoing Queue Dir = /var/spool/postfix/incoming (queue it writes scanned mail to)
MTA = postfix (MTA in use)
Max Children = 5 (maximum number of child processes)
Virus Scanning = yes (enable virus scanning)
Virus Scanners = clamav (scanner to use; separate several with spaces)
Spam Checks = yes (enable spam scanning)
Use SpamAssassin = yes (use SpamAssassin for spam detection)
SpamAssassin Site Rules Dir = /etc/mail/spamassassin (path to the SpamAssassin rule files)
Deliver Unparsable TNEF = yes (better compatibility with Outlook)
High Scoring Spam Actions = deliver header "X-Spam-Status: Yes" (high-scoring spam is still delivered, with an X-Spam-Status header added)
Performance tuning (adjust as needed)
Max Unscanned Bytes Per Scan = 300m (maximum bytes per batch of messages not needing a scan)
Max Unsafe Bytes Per Scan = 150m (maximum bytes per batch of messages to be scanned)
Max Unscanned Messages Per Scan = 300 (maximum number of unscanned messages per batch)
Max Unsafe Messages Per Scan = 300 (maximum number of messages to scan per batch)
Other settings
Spam Subject Text = **SPAM** (subject tag for ordinary spam)
High Scoring Spam Subject Text = **SPAM** (subject tag for high-scoring spam)
Send Notices = no (notify the administrator about infected messages)
Notices Include Full Headers = no (include the full headers in notices)
Required SpamAssassin Score = 6 (score at which a message counts as spam)
High SpamAssassin Score = 10 (score at which it counts as high-scoring spam)
Delivery Method = batch (deliver in batches)
6. Attachment filtering (adjust as needed)
Filtering by attachment file name and extension
vim /etc/MailScanner/filename.rules.conf
Filtering by attachment content type (detected from the file contents, so an executable renamed to .txt does not get past this check)
vim /etc/MailScanner/filetype.rules.conf
7. Queue directory ownership
chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine
8. Make Postfix hold incoming mail for MailScanner
vim /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
vim /etc/postfix/header_checks
/^Received:/ HOLD
(Every message carries a Received: header, so every message lands in the hold queue, where MailScanner picks it up, scans it and moves it to incoming. This replaces the header_checks value from Part-1, item 9: Postfix keeps only one value, so put the /^From:.*edm@/ REJECT pattern into this file as well.)
9. Rules
Mail whitelist
vim /etc/MailScanner/rules/spam.whitelist.rules
10. Restart MailScanner
service MailScanner restart
B. Install SpamAssassin and ClamAV
yum install spamassassin
1. Install razor
yum install perl-Razor-Agent
2. Install pyzor
yum install pyzor
3. Install dcc
cd /usr/local/src
elinks www.rhyolite.com/anti-spam/dcc/source
download dcc-dccd.tar.Z
tar -xzvf dcc-dccd.tar.Z
cd dcc-dccd-1.3.39/
./configure
make
make install
(GNU tar's -z also unpacks the .Z compress format)
4. Install unrar
yum install unrar
5. Install ClamAV
yum install clamav-db clamav clamd
6. Schedule ClamAV signature updates
(update the signatures every day at 00:00 and 12:00)
vim /etc/crontab
0 0,12 * * * root /usr/bin/freshclam
(a virus scanner with stale signatures is worthless, so check freshclam's log occasionally to confirm the updates succeed)
7. Start spamassassin
chkconfig spamassassin on
service spamassassin start
8. Change directory ownership
chown postfix /var/spool/postfix
(Postfix expects /var/spool/postfix itself to stay owned by root with mode 0755 and postfix check warns when it is not; the queue subdirectories MailScanner uses, hold and incoming, are already owned by postfix, so this step is normally unnecessary.)
C. Rule configuration
1. Default SpamAssassin rules
vim /etc/mail/spamassassin/local.cf
2. A basic configuration can be generated at
http://www.yrex.com/spam/spamconfig.php
Rule .cf files only need to be placed in /etc/mail/spamassassin/. Upload the Chinese rule file as a file rather than pasting its contents, or the encoding gets mangled.
3. Download the Chinese filtering rules
wget -N -P /etc/mail/spamassassin/ www.ccert.edu.cn/spam/sa/Chinese_rules.cf
(This fetches third-party rules over plain HTTP straight into the live configuration directory. Rule files can load plugins and change scores, so read the file before it takes effect, and run spamassassin --lint afterwards so that a syntax error does not take the scanner down.)
D. Enable SpamAssassin auto-learning
1. Create the Bayes database
spamassassin --lint --prefs-file=/etc/MailScanner/spam.assassin.prefs.conf -D
(MailScanner's SpamAssassin settings live in a preferences file, which is passed with --prefs-file (-p); --config-file expects a configuration directory.)
Without a database the debug output contains: debug: bayes: no dbs present, cannot tie DB R/O:
/var/spool/MailScanner/spamassassin/bayes_toks
Running sa-learn --prefs-file=/etc/MailScanner/spam.assassin.prefs.conf --sync creates the bayes_seen/bayes_toks database files in /var/spool/MailScanner/spamassassin/
2. Create the spam (blacklist) account
useradd spam
3. Create the ham (whitelist) account
useradd nospam
4. When a message is misclassified either way, forward it as an attachment (so the original headers survive) to the spam account (missed spam) or the nospam account (false positives)
5. Learn spam
sa-learn --prefs-file=/etc/MailScanner/spam.assassin.prefs.conf --showdots --spam --mbox /var/mail/spam
6. Learn ham
sa-learn --prefs-file=/etc/MailScanner/spam.assassin.prefs.conf --showdots --ham --mbox /var/mail/nospam
7. Learn from the spam/ham mailboxes automatically
Create a script in /etc/cron.daily (scripts there run once a day; put it in /etc/cron.hourly instead if you want it every hour) and make it executable. Run it as the user MailScanner runs as (postfix) rather than root, otherwise files sa-learn creates, such as the Bayes journal, end up owned by root and MailScanner can no longer write to them.
vim /etc/cron.daily/spam-learn
#!/bin/sh
# Train the Bayes database from the spam and nospam mailboxes.
SPAM=/var/mail/spam
NOSPAM=/var/mail/nospam
LOGFILE=/var/log/spamlearn.log
CONF=/etc/MailScanner/spam.assassin.prefs.conf
LEARN=/usr/bin/sa-learn
date >> $LOGFILE
if [ -f $SPAM ]; then
# Move the mailbox aside first so mail arriving during the run is neither lost nor half-read
BOX=${SPAM}.processing
mv $SPAM $BOX
sleep 5
$LEARN --prefs-file=$CONF --spam --mbox $BOX >> $LOGFILE 2>&1
rm -f $BOX
fi
if [ -f $NOSPAM ]; then
BOX=${NOSPAM}.processing
mv $NOSPAM $BOX
sleep 5
$LEARN --prefs-file=$CONF --ham --mbox $BOX >> $LOGFILE 2>&1
rm -f $BOX
fi
#
Restart crond
/etc/init.d/crond restart
(not strictly needed for a script in a cron.* directory, since run-parts picks it up on the next run, but harmless)
Part-3: MailScanner-MRTG
MailScanner-MRTG monitors server resources and performance and produces graph pages
1. Install SNMP
yum -y install net-snmp net-snmp-utils
2. Configure SNMP
vim /etc/snmp/snmpd.conf
com2sec local localhost public
com2sec mynetwork 192.168.0.0/24 public
group MyRWGroup v1 local
group MyROGroup v1 mynetwork
group MyRWGroup v2c local
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view all included .1 80
access MyROGroup "" any noauth prefix all none none
access MyRWGroup "" any noauth prefix all all all
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
(This grants read access to the entire MIB tree (view all) from 192.168.0.0/24 and write access from localhost, all under the well-known community "public" and without authentication; SNMP v1/v2c also send the community string in cleartext. Anything on the LAN can then read the process list, interface counters and so on. Use a random community string, and since mailscanner-mrtg only needs read access, drop the read-write group or give it a separate community.)
3. Start SNMP
/etc/rc.d/init.d/snmpd start
chkconfig snmpd on
chkconfig --list snmpd
4. Install MRTG
yum -y install mrtg
5. Install MailScanner-MRTG
download from http://sourceforge.net/project/showfiles.php?group_id=68848
rpm -ivh mailscanner-mrtg-0.10.00-1.noarch.rpm
6. Edit the MailScanner-MRTG configuration
vim /etc/MailScanner/mailscanner-mrtg.conf
Change the following parameters:
MTA = postfix (MTA in use)
Incoming Queue Dir = /var/spool/postfix/hold (incoming queue directory)
Outgoing Queue Dir = /var/spool/postfix/incoming (outgoing queue directory)
MailScanner Work Directory = /var/spool/MailScanner/incoming (MailScanner work directory)
Spool Directory = /var/spool/mailscanner-mrtg (MailScanner-mrtg spool directory)
# The free-space figures for MailScanner Work Directory and Spool Directory come from df, so if they are not on their own partition you can simply point both at /var
Use SNMP = yes (use SNMP)
SNMP Community = public (must match snmpd.conf)
# CPU load, memory use and network traffic are read over SNMP
vim /etc/mrtg/mailscanner-mrtg.cfg
Workdir: /var/www/html/mailscanner-mrtg (directory for the MailScanner-MRTG web pages)
IconDir: /mrtg/
WriteExpires: Yes
Interval: 5
Refresh: 300
Language: big5 (language of the generated pages)
7. Generate the index.html page
indexmaker --output=/var/www/html/mailscanner-mrtg/index.html /etc/mrtg/mailscanner-mrtg.cfg
8. Test the configuration file
mrtg /etc/mrtg/mailscanner-mrtg.cfg
Run it repeatedly until no errors appear; the first two runs normally warn about missing log files, so if errors persist after three runs check the configuration file
9. When done, the graphs are available at:
http://x.x.x.x/mailscanner-mrtg
Notes:
◎ If the MRTG icons do not display, edit the httpd configuration
vim /etc/httpd/conf.d/mrtg.conf
change Allow from localhost to Allow from all
(this publishes the graphs, which reveal mail volumes, queue sizes and host load, to anyone who can reach the web server; allow only the administrators' network, such as the 192.168.0.0/24 used above, instead of all, and protect the mailscanner-mrtg directory the same way)
◎ To record MailScanner's processing speed, edit the MailScanner configuration
vim /etc/MailScanner/MailScanner.conf
Log Speed = yes
Part-4: MailWatch
MailWatch collects MailScanner's filtering verdicts; it is used to analyse them and to manage rules
1. Install MySQL and related packages
yum install mysql mysql-server mod_auth_mysql perl-DBD-MySQL
2. Install PHP and related packages
yum install php php-gd php-pear php-mysql php-devel
3. Enable the services at boot
chkconfig httpd on
chkconfig mysqld on
4. Start the services
service mysqld start
service httpd start
5. Set the MySQL root password
/usr/bin/mysqladmin -u root password 'xxxxxx'
(the password lands in the shell history; mysql_secure_installation sets it interactively and also removes the anonymous accounts and the test database)
6. Configure PHP
vim /etc/php.ini
short_open_tag = On
safe_mode = Off
register_globals = Off
magic_quotes_gpc = On
magic_quotes_runtime = Off
session.auto_start = 0
(register_globals = Off is the one that matters for security: it stops request parameters from silently becoming PHP variables. safe_mode and the magic_quotes settings exist only in PHP 5.x and were removed in 5.4.)
7. Install MailWatch
download from http://sourceforge.net/project/showfiles.php?group_id=87163
tar -zxvf mailwatch-1.0.4.tar.gz
8. Create the database
cd /usr/local/src/mailwatch-1.0.4/
mysql -p < create.sql
This creates the mailscanner database and its tables
9. Edit the MailWatch database settings
vim MailWatch.pm
my($db_name) = 'mailscanner'; (database name)
my($db_host) = 'localhost'; (database host)
my($db_user) = 'root'; (user name)
my($db_pass) = 'xxxxxx'; (password)
(MailScanner loads this file while running as postfix, so the MySQL root password ends up in a file readable by that account. Create a dedicated MySQL user with privileges limited to the mailscanner database and use it here instead of root.)
10. Copy the module into place
cp MailWatch.pm /usr/lib/MailScanner/MailScanner/CustomFunctions/
11. Add a web user
mysql mailscanner -u root -p
Enter password: ******
mysql> INSERT INTO users VALUES
