Added greylisting to an article "Setting up a mail server".
parent 27183bd846
commit cecd885ba2
@ -56,10 +56,12 @@ block article
|
|||||||
li #[a(href='#art-8-4') DMARC]
|
li #[a(href='#art-8-4') DMARC]
|
||||||
li #[a(href='#art-8-5') DKIM]
|
li #[a(href='#art-8-5') DKIM]
|
||||||
li #[a(href='#art-9') Setting up a ClamAV antivirus]
|
li #[a(href='#art-9') Setting up a ClamAV antivirus]
|
||||||
|
li #[a(href='#art-10') Greylisting with postgrey]
|
||||||
|
|
||||||
h3#art-1 #[a(href='#art-1') 1. Introduction]
|
h3#art-1 #[a(href='#art-1') 1. Introduction]
|
||||||
p E-mail itself is a system consisting of several parts. A main E-mail protocol — SMTP is used for exchanging of mail between servers. For a user to manage his mail IMAP and POP3 protocols are used. Difference between IMAP and POP3 is that IMAP manages mail stored on a server, while POP3, once fetched mail, deletes it from server.
|
p E-mail itself is a system consisting of several parts. A main E-mail protocol — SMTP is used for exchanging of mail between servers. For a user to manage his mail IMAP and POP3 protocols are used. Difference between IMAP and POP3 is that IMAP manages mail stored on a server, while POP3, once fetched mail, deletes it from server.
|
||||||
p As SMTP server I use Postfix. For IMAP (I don't use POP3 because I need access from multiple devices) I use Dovecot. Dovecot is also being used for SASL authentication in Postfix. And Dovecot supports Sieve protocol, through its implementation called Pigeonhole, that allows users to write their own message filtering rules.
|
p As SMTP server I use Postfix. For IMAP (I don't use POP3 because I need access from multiple devices) I use Dovecot. Dovecot is also being used for SASL authentication in Postfix. And Dovecot supports Sieve protocol, through its implementation called Pigeonhole, that allows users to write their own message filtering rules.
|
||||||
|
p I decided to make use of greylisting. Even though I don't have a problem with spam after training of SpamAssassin. Luckily, it is very easy.
|
||||||
p Server is configured in a simple way using PAM (real system users) with user's passwords and with mail stored in ~/Maildir.
|
p Server is configured in a simple way using PAM (real system users) with user's passwords and with mail stored in ~/Maildir.
|
||||||
p But, as you know, there is a major problem called spam. And in order to withstand this problem there was mechanisms created. So that no one could impersonate you DKIM, DMARC and SPF were created. To ensure encrypted connection a MTA-STS (RFC8461) standard was made. To resist incoming spam anti-spam systems like SpamAssassin or spamd are used. Also it is good to check incoming mail for viruses, there are many antiviruses and I use one called ClamAV.
|
p But, as you know, there is a major problem called spam. And in order to withstand this problem there was mechanisms created. So that no one could impersonate you DKIM, DMARC and SPF were created. To ensure encrypted connection a MTA-STS (RFC8461) standard was made. To resist incoming spam anti-spam systems like SpamAssassin or spamd are used. Also it is good to check incoming mail for viruses, there are many antiviruses and I use one called ClamAV.
|
||||||
p I have mentioned DKIM (DomainKeys Identified Mail), it is used to sign mail going out that it is indeed comes from your server, and verify incoming mail. And for that I use OpenDKIM implementation.
|
p I have mentioned DKIM (DomainKeys Identified Mail), it is used to sign mail going out that it is indeed comes from your server, and verify incoming mail. And for that I use OpenDKIM implementation.
|
||||||
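Review bot: the new paragraph (`+ p I decided to make use of greylisting...`) is inserted between the Dovecot paragraph and the "Server is configured in a simple way using PAM" paragraph, so the introduction now reads Dovecot, greylisting, PAM/Maildir, spam. Greylisting is one of the anti-spam measures, so the paragraph belongs after the one that introduces spam, SpamAssassin and ClamAV ("But, as you know, there is a major problem called spam...") or beside the OpenDKIM paragraph. Its second sentence is also a fragment; merging the two reads better, e.g. "I also decided to use greylisting, even though I have no spam problem after training SpamAssassin. Luckily, it is very easy." The TOC entry `li #[a(href='#art-10') Greylisting with postgrey]` does match the `h3#art-10` id added in the last hunk, which is good.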
@ -71,7 +73,7 @@ block article
|
|||||||
p There is another problem known as not trusted top level domain, like mine .top domain. :) Because of how cheap it is, it is popular among spammers.
|
p There is another problem known as not trusted top level domain, like mine .top domain. :) Because of how cheap it is, it is popular among spammers.
|
||||||
|
|
||||||
h3#art-2 #[a(href='#art-2') 2. Installing]
|
h3#art-2 #[a(href='#art-2') 2. Installing]
|
||||||
p You need to install following packages: #[code postfix], #[code dovecot], #[code pigeonhole] (or could be named as #[code dovecot-sieve]), #[code clamav], #[code opendkim], #[code opendmarc], and #[code spamassassin].
|
p You need to install following packages: #[code postfix], #[code dovecot], #[code pigeonhole] (or could be named as #[code dovecot-sieve]), #[code clamav], #[code opendkim], #[code opendmarc], #[code spamassassin], and #[code postgrey].
|
||||||
|
|
||||||
h3#art-3 #[a(href='#art-3') 3. Postfix SMTP server]
|
h3#art-3 #[a(href='#art-3') 3. Postfix SMTP server]
|
||||||
p Its configuration files are in directory #[code /etc/postfix]. There are two configuration files we'll work with. The first one is a #[code main.cf] file. Then we configure services in #[code master.cf]. Also I'll show you how to make aliases for users.
|
p Its configuration files are in directory #[code /etc/postfix]. There are two configuration files we'll work with. The first one is a #[code main.cf] file. Then we configure services in #[code master.cf]. Also I'll show you how to make aliases for users.
|
||||||
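Review bot: adding `postgrey` to the package list is fine, but the list already shows that names vary by distribution (`pigeonhole` vs `dovecot-sieve`), and the new section 10 says the whitelist files are under `/etc/postfix` on Arch Linux and may be under `/etc/postgrey` elsewhere; stating once here which distribution the package names and paths in the article come from would save readers on other systems some guessing.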
@ -511,4 +513,19 @@ block article
|
|||||||
| [Install]
|
| [Install]
|
||||||
| WantedBy=multi-user.target
|
| WantedBy=multi-user.target
|
||||||
p Save it as #[code /usr/lib/systemd/system/clamav-milter.service] and run #[code systemctl daemon-reload].
|
p Save it as #[code /usr/lib/systemd/system/clamav-milter.service] and run #[code systemctl daemon-reload].
|
||||||
p Next you need to enable and start #[code clamav-daemon] and #[code clamav-milter].
|
p Next you need to enable and start #[code clamav-daemon] and #[code clamav-milter].
|
||||||
|
|
||||||
|
h3#art-10 #[a(href='#art-10') 10. Greylisting with postgrey]
|
||||||
|
p #[code postgrey] is being configured primarily by passing arguments you configure in its service file. I go by defaults. So it is listening on #[code 127.0.0.1:10030].
|
||||||
|
p So, to set a listen port pass this option: #[code --inet=127.0.0.1:10030].
|
||||||
|
p To configure greylisting duration use option #[code --delay=seconds]. #[code --max-age=N] to delete entries older than N days since the last time that they have been seen.
|
||||||
|
p Look #[code perldoc postgrey] for help.
|
||||||
|
p There are two configuaration files named #[code postgrey_whitelist_clients] and #[code postgrey_whitelist_recipients]. Dunno about other distros, but in ArchLinux they are in #[code /etc/postfix]. Could be in #[code /etc/postgrey] in other distros.
|
||||||
|
p #[code postgrey_whitelist_clients] is list of trusted SMTP servers that will not be greylisted. Also there comes some problematic servers that will not attempt to send a mail again, or have a large pool of addresses. This file comes pre-filled with some known server such as #[code gmail.com] and #[code outlook.com].
|
||||||
|
p #[code postgrey_whitelist_recipients] contains a list of recipients for which mail won't be greylisted. By default there are #[code postmaster] and #[code abuse] recipients listed.
|
||||||
|
p In postfix's #[code main.cf] you need just add this last line:
|
||||||
|
pre
|
||||||
|
| smtpd_recipient_restrictions =
|
||||||
|
| reject_unknown_recipient_domain,
|
||||||
|
| reject_non_fqdn_recipient,
|
||||||
|
| #[b check_policy_service inet:127.0.0.1:10030]
|
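Review bot: the `smtpd_recipient_restrictions` snippet at the end of the hunk lists only `reject_unknown_recipient_domain`, `reject_non_fqdn_recipient` and the new `check_policy_service inet:127.0.0.1:10030`, while the text says "you need just add this last line"; say explicitly that `check_policy_service` is appended to the restriction list already built in section 3, not that the list is replaced, and that it must come after `permit_mynetworks` and `permit_sasl_authenticated` (otherwise the server's own networks and authenticated submissions are greylisted too) and after `reject_unauth_destination`, so that relay protection never depends on the policy daemon being up. Second, "I go by defaults. So it is listening on `127.0.0.1:10030`" describes the `--inet=127.0.0.1:10030` in Arch Linux's `postgrey.service`, not postgrey's own default (Debian's service, for instance, uses port 10023); tell the reader to check `ExecStart` in their unit file before copying the address, because a mismatch makes Postfix defer every recipient with a policy-service error. Third, the section never says what greylisting does: one sentence stating that the first delivery attempt from an unknown client/sender/recipient triplet is rejected with a temporary 4xx error and the retry is accepted once `--delay` has passed (default 300 seconds; `--max-age` default 35 days) would make the `--delay`, `--max-age` and whitelist paragraphs self-explanatory, and also explains why senders that never retry have to be whitelisted. Minor: "configuaration" should be "configuration", and "Look `perldoc postgrey` for help" reads better as "See `perldoc postgrey` for help".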