From 39e271213e63583e8675545378131853bb9911d0 Mon Sep 17 00:00:00 2001 From: "Alexander \"Arav\" Andreev" Date: Fri, 17 Sep 2021 23:45:01 +0400 Subject: [PATCH] Continuation of finishing an article on setting up a mail server. --- .../articles/setting_up_a_mail_server.pug | 35 ++++++++++++++++--- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/homepage/views/articles/setting_up_a_mail_server.pug b/homepage/views/articles/setting_up_a_mail_server.pug index 39af64a..0ff4917 100644 --- a/homepage/views/articles/setting_up_a_mail_server.pug +++ b/homepage/views/articles/setting_up_a_mail_server.pug @@ -19,6 +19,9 @@ block article li #[a(href='#art-3-4') Starting Postfix] li #[a(href='#art-4') Dovecot POP3/IMAP server with Sieve mail filter] li #[a(href='#art-5') SpamAssassin spam filter] + ol + li #[a(href='#art-5-1') Updating built-in rule set] + li #[a(href='#art-5-2') Bayesian classifier training] li #[a(href='#art-6') OpenDKIM signing and verifying filter] ol li #[a(href='#art-6-1') opendkim.conf] @@ -124,7 +127,11 @@ block article | smtpd_sasl_local_domain = $mydomain | broken_sasl_auth_clients = no p It's pretty clear. We chose dovecot as our SASL, set path to it withing /var/spool, and enable it. Then we set option to not allow anonymous connections. Set our domain for SASL, and wether let the clients with obsolete version of AUTH command in or not, we chose not to. - p It's time for encryption, lets start with client part of it. + p It's time for encryption, lets specify a list of high ciphers to use: + pre + | tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384 + p High means just that those ciphers are strong. I took them from a file #[code options-ssl-nginx.conf] generated by certbot, and ditched 128 byte key size. + p Lets do client part of encryption. pre | smtp_use_tls = yes | smtp_tls_security_level = may 
@@ -145,8 +152,8 @@ block article | smtpd_use_tls = yes | smtpd_tls_security_level = may | smtpd_tls_auth_only = yes - | smtpd_tls_key_file = /etc/letsencrypt/live/aravs.ru/privkey.pem - | smtpd_tls_cert_file = /etc/letsencrypt/live/aravs.ru/fullchain.pem + | smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem + | smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem | smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols | smtpd_tls_protocols = $smtpd_tls_mandatory_protocols | smtpd_tls_mandatory_ciphers = $smtp_tls_mandatory_ciphers @@ -185,7 +192,7 @@ block article | reject_non_fqdn_recipient h4#art-3-2 #[a(href='#art-3-2') 3.2. master.cf] - p The following services are needed: #[code smtp], #[code submission], #[code smtps], and we add #[code spamassassin] service. The rest in this file is untouchable. + p The following services are needed: #[code smtp], #[code submission], #[code smtps], and we add #[code spamassassin] service. The rest in this file left untouchable. pre | smtp inet n - n - - smtpd | -o content_filter=spamassassin @@ -205,7 +212,7 @@ block article | spamassassin unix - n n - - pipe | user=spamd argv=/bin/vendor_perl/spamc | -e /sbin/sendmail -oi -f ${sender} ${recipient} - p #[code smtp] is listening on port 25, and #[code smtps] on port 465, and are used for cross-server talking. #[code submission] is listening on port 587 and is used by mail client to send mail. + p #[code smtp] is listening on port 25, and #[code smtps] on port 465. #[code submission] is listening on port 587 and is used by mail client to send mail. h4#art-3-3 #[a(href='#art-3-3') 3.3. User aliases] p User aliases are in #[code aliases] file. They has a form "#[code <alias>: <username>]", e.g. #[code me: arav]. Where #[code username] may be other alias. After modifications you need to run #[code newaliases] program to update #[code aliases.db] database file. 
@@ -216,6 +223,24 @@ block article h3#art-4 #[a(href='#art-4') 4. Dovecot POP3/IMAP server with Sieve mail filter] h3#art-5 #[a(href='#art-5') 5. SpamAssassin spam filter] + p Here we are working with a #[code local.cf] file to configure SpamAssassin. + p I didn't any fancy tweaking, didn't make any custom rules. I just changed options presented in file. + p I left #[code rewrite_header] option commented since I don't want to append anything to a Subject header of spam messages. + p Option #[code report_safe] I set to 2 to save spam messages as a text/plain attachment instead of modifying original message. + p #[code trusted_networks] sets networks and hosts that are considered trusted, i.e. not spammers. + p #[code lock_method] left to be flock, since I don't use NFS. + p #[code required_score] left to be its default value of 5.0. + p I use Bayesian classifier, so options #[code use_bayes] and #[code bayes_auto_learn] are set to 1. + p I chose to normalise charset to UTF-8 with option #[code normalize_charset 1]. + + h4#art-5-1 #[a(href='#art-5-1') 5.1. Updating built-in rule set] + p I sometimes run #[code sa-update] util to update built-in rules and pre-compile them with #[code sa-compile] util. After that restart SpamAssassin. + p And so SpamAssassin make use of compiled rules ensure that a plugin Rule2XSBody in a #[code v320.pre] is uncommented. + + h4#art-5-1 #[a(href='#art-5-2') 5.2. Bayesian classifier training] + p After you set up SpamAssassin for the first time you have to train Bayesian classifier. It will start to work after 200 messages will be examined. + p For training use #[code sa-learn] utility and use #[code --ham] and #[code --spam] to mark messages as normal mail and spam. I additionaly have to specify a path to database with #[code --dbpath /var/lib/spamassassin/.spamassassin] option, otherwise it will complain, so try first without it. + h3#art-6 #[a(href='#art-6') 6. 
OpenDKIM signing and verifying filter] p On ArchLinux OpenDKIM is unable to write in #[code /run], so I created #[code /var/spool/opendkim] directory for it.
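Review bot: in the hunk at @@ -124,7 +127,11 @@ the new `tls_high_cipherlist` line only takes effect when the cipher grade is actually set to "high" (`smtp_tls_ciphers`, `smtpd_tls_ciphers` or the `*_tls_mandatory_ciphers` parameters), and nothing in the added lines shows that grade, so the list may be silently ignored; show the grade setting next to it, or state what `$smtp_tls_mandatory_ciphers` in the following hunk resolves to. Two wording points in the added `p` lines: "ditched 128 byte key size" should be "128-bit key size" (the suites dropped from certbot's list are the AES-128 ones), and "lets" should be "let's" in both paragraphs. One caveat worth a sentence: `smtp_tls_security_level = may` (the unchanged context right after the change) is opportunistic TLS on the outbound side, and Postfix retries in plaintext when the handshake fails, so a tight client cipher list can turn a remote server that lacks these suites into a cleartext delivery instead of a weaker-cipher one; the restricted list is a better fit for the `smtpd` side and for mandatory levels.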
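Review bot: in @@ -185,7 +192,7 @@ the edited sentence "The rest in this file left untouchable." both drops its verb and changes the meaning (untouchable means it must not be touched, where the article means it was not touched); suggest "The rest of this file is left untouched."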
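Review bot: in @@ -205,7 +212,7 @@ removing "and are used for cross-server talking" is the right call for `smtps` on 465, but the sentence now says nothing about what that service is for; suggest "#[code smtp] on port 25 is used for server-to-server delivery. #[code smtps] on port 465 and #[code submission] on port 587 are used by mail clients to send mail, with implicit TLS on 465 and STARTTLS on 587." While here, the unchanged line just below has "They has a form", which should read "They have the form".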
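Review bot: in @@ -216,6 +223,24 @@ the second added heading is `h4#art-5-1` but its link points at `#art-5-2`, which leaves two elements with id `art-5-1` and makes the new TOC entry `#art-5-2` from the first hunk a dead link; it should be `h4#art-5-2`. Content points in the same hunk: the Bayes classifier needs both 200 spam and 200 ham messages learned before it scores (the defaults `bayes_min_spam_num` and `bayes_min_ham_num` are 200 each), so "after 200 messages" undercounts; `trusted_networks` deserves a caveat that hosts listed there are trusted not to forge Received headers, not trusted to send only ham, and overly wide ranges weaken the relay-based checks (`ALL_TRUSTED` lowers the score of mail that passed only through trusted hosts); and the `--dbpath` complaint is most likely because `sa-learn` is run as a different user than `spamd` (the `user=spamd` pipe in master.cf above), so running it as that user (`sudo -u spamd sa-learn ...`) keeps a single database instead of hard-coding the path, and whatever lives under `/var/lib/spamassassin/.spamassassin` must stay writable by `spamd` for `bayes_auto_learn` to work. Wording: "I didn't any fancy tweaking" -> "I didn't do any fancy tweaking"; "And so SpamAssassin make use of compiled rules ensure that a plugin Rule2XSBody in a #[code v320.pre] is uncommented." -> "For SpamAssassin to use the compiled rules, make sure the Rule2XSBody plugin in #[code v320.pre] is uncommented."; "additionaly" -> "additionally".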