
Debian Squeeze - Mailrelay

The goal is to install a (first) mail server that receives e-mails for your domain from external servers and passes them on to a second, internal e-mail server in your intranet, to which your client software connects. This relay server protects the internal mail server: it rejects any mail for unknown addresses, so the internal mail server only receives e-mails for valid addresses. Because this (first) e-mail server has to forward the e-mails, the domain name configured as the server's own domain must not(!) be the same as your domain name on the Internet. So in the sample files the server's domain is domainname.local. Postfix will not forward e-mails for the domain named in 'mydomain'; it will try to deliver such mail locally on that (first) server. The domain for which e-mails are forwarded is given at the end of main.cf in relay_domains.

Users retrieve their e-mails from the second e-mail server, or from a terminal server, with a mail client.

I've used Debian Squeeze in the base installation with Postfix. This is sufficient to accept the e-mails. Additionally installed: amavis, clamav, freshclam, SpamAssassin.

The package sources also include the network mirrors for non-free software, security updates, and volatile updates.

The configuration files shown contain all the entries of the finished system. Restarting an affected service before all configuration is finished would trigger error messages. So you can enter all commands concerning files, permissions, etc. first and then, at the end, restart the relevant services or reboot the computer.

Scheme

www  <--->  Provider's server for forwarding into the www
     <--->  own Windows domain, in this example domainname.local
              + Debian mail relay
              + mail scanner
              + mail server for client programs
     <--->  Workstations / client computers / terminal server
            with an e-mail client program

Install Postfix

Postfix is installed together with the component postfix-pcre (PCRE map support for Postfix), which makes it possible to read a file listing the file-name extensions of attachments that will not be accepted (*.com, *.exe). More on this below under MIME header checks.

Input:

# apt-get install postfix postfix-pcre

Choose 'Internet site'.

/etc/postfix/main.cf

This is the file with the added changes (marked bold in the original page). Some notes are in the file itself.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

# hand every incoming e-mail to amavis for scanning
content_filter = smtp-amavis:[127.0.0.1]:10024

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# Postfix gets myhostname from the system.
#myhostname = hostname.domainname.local
mydomain = domainname.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# changed myorigin, to use this file more flexibly
# and to copy it to another computer
#myorigin = /etc/mailname
myorigin = $mydomain
# changed mydestination - last place for e-mails (local delivery only for
# the internal domain, never for the Internet domain)
#mydestination = hostname.domainname.local, localhost.domainname.local, , localhost
mydestination = $mydomain, $myhostname
relayhost = [ip-address of the provider's forwarding mail server, with brackets]
# continuation lines must start with whitespace
mynetworks = ip-address of the internal mail server for the clients, without brackets/32,
    127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_recipient_restrictions = permit_mynetworks,
    permit_mx_backup,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions
# next line - check the file names of attachments sent with the e-mail
mime_header_checks = pcre:/etc/postfix/mime_header_checks
inet_interfaces = all
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
# for these domains e-mails are accepted
relay_domains = domainname.de
# next line - list of addresses for which e-mails are accepted;
# every other e-mail will be rejected, not even scanned
relay_recipient_maps = hash:/etc/postfix/relay_recipients

/etc/postfix/master.cf

E-mails arrive in Postfix, are handed to amavis (smtp-amavis), scanned, and then handed back to Postfix on localhost:10025, where they are not scanned again. Therefore the entry after content_filter= for that listener is empty: amavis has already scanned the e-mail.

# Excerpt start

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
# re-injection of scanned mail from amavis; the -o lines must be indented
localhost:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
# transport that hands mail to amavis on port 10024 (see content_filter in main.cf)
smtp-amavis unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1800
  -o disable_dns_lookups=yes

#submission inet n       -       -       -       -       smtpd

# Excerpt end
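As an added example (not part of the original page), a small Python checker for the excerpt above: it parses master.cf continuation lines and confirms that the localhost:10025 reinjection listener has an empty content_filter and trusts only loopback, the two settings that prevent a scanning loop and keep the unscanned path off the network. The embedded master.cf text is a constructed copy of the relevant entries, not a live file.

```python
# Constructed excerpt in the style of this page's master.cf (sample data, not a live file).
MASTER_CF = """\
smtp            inet  n  -  -  -  -  smtpd
localhost:10025 inet  n  -  n  -  -  smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
smtp-amavis     unix  -  -  n  -  2  smtp
  -o smtp_data_done_timeout=1800
  -o disable_dns_lookups=yes
"""

def parse_master_cf(text):
    """Parse master(5) syntax: a service entry starts in column 0 and is
    continued by indented '-o name=value' lines. Returns a dict per service."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                       # continuation line
            if current is None:
                raise ValueError("continuation before any service: %r" % line)
            flag, _, rest = line.strip().partition(" ")
            if flag == "-o":
                key, _, value = rest.strip().partition("=")
                current["opts"][key] = value        # an empty value stays ""
            continue
        f = line.split()
        if len(f) < 8:
            raise ValueError("malformed service line: %r" % line)
        current = {"type": f[1], "maxproc": f[6], "command": f[7], "opts": {}}
        services[f[0]] = current
    return services

def audit_reinjection(services, listener="localhost:10025"):
    """Findings for the amavis -> Postfix reinjection listener: a non-empty
    content_filter would send scanned mail back into amavis (a mail loop), and
    a listener that trusts more than loopback lets hosts bypass the scanner."""
    svc = services.get(listener)
    if svc is None:
        return ["no reinjection listener %s defined" % listener]
    opts, findings = svc["opts"], []
    if not listener.startswith(("localhost:", "127.0.0.1:")):
        findings.append("listener %s should bind to loopback only" % listener)
    if opts.get("content_filter", "<inherited>") != "":
        findings.append("content_filter on %s must be empty" % listener)
    nets = opts.get("mynetworks")
    if nets is None:
        findings.append("mynetworks override missing (inherits main.cf value)")
    elif any(not n.strip().startswith(("127.", "[::1]")) for n in nets.split(",")):
        findings.append("mynetworks on %s must be loopback only" % listener)
    if opts.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
        findings.append("smtpd_recipient_restrictions should be permit_mynetworks,reject")
    return findings
```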

Create and integrate transport entry

Postfix has to know to which internal mail server e-mails should be forwarded. Here the domain name is specified (domainname.de) as it appears on the Internet.

Input:

# touch /etc/postfix/transport

Content of the first line of the file:

domainname.de smtp:[ip-address]

The brackets [] must be written in the file; they make Postfix deliver to that host directly instead of looking up MX records.

If the system is to forward messages to other internal mail servers as well, they are entered in the same way, one row per mail server.

Example:

domainname.de smtp:[ip-address]
still-another-domain.de smtp:[still-another-ipaddress]

Integrate the transport file; the command creates transport.db.

Input:

# postmap hash:/etc/postfix/transport

Prepare Mime-Header-Checks

The system must be prepared to examine attachments.

Input (if not already done above):

# apt-get install postfix-pcre

MIME header checks - create the file with the relevant patterns

Input:

# touch /etc/postfix/mime_header_checks

Content of /etc/postfix/mime_header_checks:

# Files in the e-mail attachment that are blocked because of their extension.
# Only the schema is shown here; the list of extensions can be expanded,
# individual entries separated by a pipe.
# Pattern and action belong on one logical line (a continuation line in a
# Postfix table must start with whitespace). The closing quote is optional
# so that unquoted name= parameters are matched too.
/name="?(.*)\.(bat|com|exe)"?$/ REJECT For Security rejected $1.$2
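As an added example (not from the original page), a Python evaluator that applies a mime_header_checks rule of the form shown above to constructed MIME part headers, reproducing the case-insensitive matching and the $1/$2 substitution that Postfix pcre tables perform. The rule table, the sample headers and the function names are all constructed for this illustration.

```python
import re

# Constructed rule table in the format of this page's /etc/postfix/mime_header_checks
# (sample data, not a live file): pattern, whitespace, action; $1/$2 are substituted.
MIME_HEADER_CHECKS = r"""
# block executable attachments by their extension
/name="?(.*)\.(bat|com|exe)"?$/  REJECT For Security rejected $1.$2
"""

def load_pcre_table(text):
    """Parse '/pattern/ action' lines. Postfix pcre: tables match
    case-insensitively by default, which re.IGNORECASE reproduces here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/((?:\\.|[^/\\])*)/\s+(.*)$", line)
        if m is None:
            raise ValueError("unparseable rule: %r" % line)
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def check_mime_header(rules, header_line):
    """Apply the rules to one MIME header line of a message part (Content-Type or
    Content-Disposition). Returns the expanded action of the first matching rule,
    or None when the part is allowed through."""
    for pattern, action in rules:
        m = pattern.search(header_line)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", action)
    return None

# Constructed sample headers as they would appear in MIME parts.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="invoice.exe"',  # quoted name
    'Content-Type: application/octet-stream; name=Setup.EXE',   # unquoted, upper case
    'Content-Type: text/plain; name="notes.txt"',               # harmless
]

def scan_samples(rules=None):
    """Map each sample header to the action Postfix would take (None = accepted)."""
    rules = rules or load_pcre_table(MIME_HEADER_CHECKS)
    return {h: check_mime_header(rules, h) for h in SAMPLE_HEADERS}
```

With the page's original form of the rule (closing quote mandatory), the unquoted name=Setup.EXE header would pass through, which is why the optional closing quote matters.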

Amavis install

Input:

# apt-get install amavisd-new

The configuration is spread across multiple files.

Amavis - Change location of log file

Change file: /etc/amavis/conf.d/20-debian_defaults

You may do this, but you don't have to: the location of the log file is changed to get a better overview, otherwise all messages appear in /var/log/syslog. The disadvantage is that everything amavis writes goes into one log file, and at the moment I do not know how to make it create a new log file weekly or even daily. Attempts so far led to the new log file not being accessible. So changing the location of the log file can be omitted; syslog is rotated automatically. You may therefore prefer to go on to the next step.

# Excerpt start
$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing
$log_recip_templ = undef;      # disable by-recipient level-0 log entries
$DO_SYSLOG = 0;                # log via syslogd (preferred) - switched off here
# syslog disabled with 0 and path for the log file changed
$LOGFILE = "/var/log/amavis/amavis.log"; # path changed
# Excerpt end

Amavis-Log directory and permissions

Run this only if the path for the log file was changed to /var/log/amavis/amavis.log.

Input:

# cd /var/log
# mkdir amavis
# chown amavis:amavis amavis
# chmod 750 amavis

Amavis - what to do with spam e-mails

Change file: /etc/amavis/conf.d/20-debian_defaults

The setting here lets spam mails through, records them in the log file and copies the spam mail into a folder under /var/lib/amavis/virusmails.

Excerpt start

$final_virus_destiny = D_DISCARD;   # (data not lost, see virus quarantine)
$final_banned_destiny = D_BOUNCE;   # D_REJECT when front-end MTA
#$final_spam_destiny = D_BOUNCE;    # disabled and changed; check the log data first
$final_spam_destiny = D_PASS;       # let spam through, compare with the log file
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)

#$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
### next lines added to tell the system to send notifications
### if an e-mail is not delivered because of a virus or
### a not allowed attachment.
### With the default entries an error occurs:
### (!)Failed to notify admin
#$banned_admin = "postmaster\@$mydomain";
### Here the three new entries
$virus_admin = "email\@domain.de";
$banned_admin = "email\@domain.de";
$mailfrom_notify_admin = "email\@domain.de";

Excerpt end

Note: today notifications about blocked e-mails have actually been sent to the configured address (email@domain.de).

Amavis - install decoder

This puts Amavis in a position to examine the contents of archived files.

Input:

# apt-get install arc arj bzip2 cabextract freeze lha lzop nomarch pax rpm unrar-free zoo

Amavis - Socket change

File: /etc/amavis/conf.d/15-av_scanners

Make this change so that clamav and Amavis work together; the socket path must match the LocalSocket setting in clamd.conf (see below).

from
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

to
\&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamav.socket"],

Amavis - Content Filter Setting

/etc/amavis/conf.d/15-content_filter_mode

Remove the '#' in front of:

@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

and

@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

Install clamav

Input:

# apt-get install clamav-daemon

Change file: /etc/clamav/clamd.conf

Changes:

LocalSocket /tmp/clamav.socket
[...]
User amavis

And ... (after an upgrade, to avoid a problem with clamav 0.96):

from: LocalSocketGroup clamav
to: LocalSocketGroup amavis

Clamav - clamav group membership change to amavis

Input:

# addgroup clamav amavis

Change further permissions; amavis gets rights on several folders.
Input:

# chown -R amavis:amavis /var/lib/clamav
# chown -R amavis:amavis /var/log/clamav
# chown -R amavis:amavis /var/run/clamav

Because of the following message, which appeared after a restart of the services,

Can't open/parse the config file /etc/clamav/freshclam.conf
or
Can't open/parse the config file /etc/clamav/clamd.conf

additional permissions need to be set.

Input:

# cd /etc/clamav
# chown amavis:amavis clamd.conf
# chown amavis:amavis freshclam.conf

Freshclam install

Input:

# apt-get install clamav-freshclam
Possibly already installed together with clamav.

Configure freshclam

Change file: /etc/clamav/freshclam.conf

To work with the database, the owner must be amavis; to get Internet access through a proxy, the proxy access data have to be entered. Change at the top or at the end of the file:

DatabaseOwner amavis
[...]
# proxy settings, if necessary
HTTPProxyServer ip-address of your proxy server
HTTPProxyPort port number of your proxy server
HTTPProxyUsername username for your proxy server
HTTPProxyPassword password for your proxy server

Because clamav-freshclam reports an error on restart due to the file permissions, these permissions are changed.

The message reads:

WARNING: Insecure permissions(for HTTPProxyPassword): /etc/clamav/freshclam.conf must have no more than 0700 permissions.

Input:

# chmod 0700 /etc/clamav/freshclam.conf

Release Administrative addresses

Messages addressed to these role accounts are always delivered locally on this mail relay.

Create an address list

Input:

# touch /etc/postfix/roleaccount_exceptions

Content:

####################################################################
### Always accept messages to these administrative addresses ###
####################################################################
abuse@ OK
hostmaster@ OK
postmaster@ OK
webmaster@ OK

Incoming messages are delivered locally (/var/mail/username).

Transfer the address list into a database

Input:

# postmap hash:/etc/postfix/roleaccount_exceptions

Integrate the list of recipient mailboxes

At this point e-mails would arrive at the mail relay; the relay scans the messages and then sends them on to the mail server from which the clients retrieve their messages. If the e-mail address is not known there, the e-mail is rejected and a non-delivery message is sent. If it was a spam mail, the return address is probably fake, and this notice would end up in the wrong place.

This time, and the system load for scanning (and possibly rejecting the e-mail afterwards), can be saved if Postfix can already tell for incoming e-mails whether a corresponding mailbox exists. For smaller lists it is worthwhile to maintain them manually. How to do this automatically, I do not know. This list is then integrated into main.cf.

Create /etc/postfix/relay_recipients

Input

# touch /etc/postfix/relay_recipients

Content:

##########################################
### Accept messages to these addresses ###
##########################################
# (the page shows the addresses with "-at-"; the real file needs "@")
abuse@domainname.de OK
hostmaster@domainname.de OK
postmaster@domainname.de OK
webmaster@domainname.de OK
################################################################
# List of the users' mailboxes
name@domainname.de OK
and-so-on@domainname.de OK
##############################
### reject everything else ###
##############################
domainname.de REJECT

Create database

Input:

# postmap hash:/etc/postfix/relay_recipients

This creates the file /etc/postfix/relay_recipients.db. The file is included at the end of /etc/postfix/main.cf. E-mails to other addresses will be rejected and discarded. If the list is changed, the command...

postmap hash:/etc/postfix/relay_recipients

...must be executed again.

A reload with...

# /etc/init.d/postfix reload

...is required.

SpamAssassin install and configure

Input:

# apt-get install spamassassin

Change file /etc/default/spamassassin

to: ENABLED=1

Header and body checks activate

Download the files from http://www.postfixbuch.de/web/service/checks/ and copy them to /etc/postfix as header_checks and body_checks.

Add this to /etc/postfix/main.cf:

[...]
inet_interfaces = all
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
# for this domain e-mails will be accepted
relay_domains = domainname.de
# next line - list of addresses for which e-mails
# will be accepted. Every other e-mail will be rejected,
# not even scanned.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
### against spam from http://www.postfixbuch.de/web/service/checks/ start ###
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
### against spam from http://www.postfixbuch.de/web/service/checks/ end ###

Restart services

All services can be restarted one after the other with

# /etc/init.d/<service-name> restart

for postfix, amavis, clamav-daemon, clamav-freshclam and spamassassin.

In my experience the changes to the files do not take effect until the service is restarted or its configuration has been re-read. If the system is just being set up, it can also simply be rebooted. Then play through the dialogue between client and mail server over a Telnet connection a few times and watch the log files.

Mailgraph install

Input:

# apt-get install mailgraph

View the results of the e-mail traffic in the browser:

http://ip-address-of-mailserver/cgi-bin/mailgraph.cgi

As a test I tried this procedure with Debian Etch. Via a Telnet connection (telnet ip_address 25) I played through the dialogue for sending mail. E-mails were sent :-).

Incoming and outgoing e-mails carry this header:
X-Virus-Scanned: Debian amavisd-new at mailservername.domainname.local
and the amavis logs show [...] Passed CLEAN [...].

VMWare...

Windows Server 2003 with ... the system is running well so far. Only when the main Debian system is restarted does it seem not to keep the permissions if the path was changed to /var/log/amavis/amavis.log. With some tinkering I did manage to get a new file created, but the system then had no access to it. So I decided to leave it at /var/log/syslog. That works well.

Configuration backup and restore

Copy all changed files (for example under /etc/postfix/) to a safe place.

To restore, install all the services, copy the configuration files to the mail server and restart the services or reboot the computer.