[Postfixbuch-users] Mail from local users is not checked for spam and viruses

Alexander Homberger ahomberger at gmx.de
Mon Mar 25 20:54:51 CET 2013


Hello,

I have set up a new mail server, and because I wanted to do it properly, I devoured all the documentation on the subject that I could find beforehand (talks by Dr. Heinlein, write-ups by Patrick Koetter and Ralf Hildebrandt).

I am using Postfix 2.9.1, Dovecot 2.0.19, amavisd-new 2.6.5, ClamAV 0.97.3 and SpamAssassin 3.3.2 on Ubuntu Server 12.04 LTS (a single host, referred to below as mail.myhost.eu). So far sending and receiving work well, and at least I have not produced an open relay :-)

What I have noticed, however: when I send mail as a local user from the command line, whether to a local or a remote e-mail address, it is *not* checked for viruses and spam, nor is it DKIM-signed. Is that intended, or have I chosen an unreasonable setting somewhere? My configuration is attached (postconf -n etc.); perhaps you could look it over to see what causes this and whether I have made any other serious blunders.

Thanks!

Regards,
Alex
 
 

root at mail:/etc/postfix# date
Mon Mar 25 20:27:38 CET 2013
 
root at mail:/etc/postfix# mail -s test alex at localhost
Cc: Null message body; hope that's ok
 
root at mail:/etc/postfix# date
Mon Mar 25 20:27:53 CET 2013
 
root at mail:/etc/postfix# tail -f /var/log/syslog
Mar 25 20:27:51 mail postfix/pickup[15067]: 01DD942054A: uid=0 from=<root>
Mar 25 20:27:51 mail postfix/cleanup[15077]: 01DD942054A: message-id=<20130325192751.01DD942054A at mail.myhost.eu>
Mar 25 20:27:51 mail postfix/qmgr[15068]: 01DD942054A: from=<root at myhost.eu>, size=302, nrcpt=1 (queue active)
Mar 25 20:27:51 mail postfix/local[15079]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Mar 25 20:27:51 mail postfix/local[15079]: 01DD942054A: to=<alex at localhost.myhost.eu>, orig_to=<alex at localhost>, relay=local, delay=0.03, delays=0.03/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 25 20:27:51 mail postfix/qmgr[15068]: 01DD942054A: removed
 
root at mail:/etc/postfix# postconf -n
anvil_rate_time_unit = 60s
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 1d
bounce_size_limit = 8192
bounce_template_file = /etc/postfix/bounce.de-DE.cf
config_directory = /etc/postfix
default_database_type = btree
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
lmtp_generic_maps = btree:/etc/postfix/lmtp_generic_maps
mailbox_size_limit = 0
maximal_queue_lifetime = 3d
message_size_limit = 52428800
myhostname = mail.myhost.eu
mynetworks = 127.0.0.0/8
myorigin = $mydomain
recipient_canonical_maps = btree:/etc/postfix/recipient_canonical_maps
relay_domains = btree:/etc/postfix/relay_domains
relocated_maps = btree:/etc/postfix/relocated_maps
sender_canonical_maps = btree:/etc/postfix/sender_canonical_maps
smtp_generic_maps = btree:/etc/postfix/smtp_generic_maps
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 50
smtpd_recipient_restrictions = check_recipient_access btree:/etc/postfix/access_recipient-rfc, check_client_access cidr:/etc/postfix/access_client, check_helo_access btree:/etc/postfix/access_helo, check_sender_access btree:/etc/postfix/access_sender, check_recipient_access btree:/etc/postfix/access_recipient, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_tls_clientcerts, permit_mynetworks, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, reject_rhsbl_client multi.uribl.com, check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023, reject_unverified_recipient, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/mail.myhost.eu.crt
smtpd_tls_key_file = /etc/ssl/private/mail.myhost.eu.key
transport_maps = btree:/etc/postfix/transport_maps, btree:/etc/postfix/relay_domains
unverified_recipient_reject_code = 550
virtual_alias_domains = btree:/etc/postfix/virtual_alias_domains
virtual_alias_maps = btree:/etc/postfix/virtual_alias_maps
 
(Some of the lookup maps are empty; the files that have content are included further down via "cat".)
 
 
root at mail:/etc/postfix# cat master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=no
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp:[127.0.0.1]:10026
  -o smtpd_proxy_filter=
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
#
# amavisd-new integration into postfix
#
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_proxy_filter=
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_delay_reject=no
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
 
root at mail:/etc/postfix# cat access_recipient-rfc
# Whitelist accounts required by RFCs
postmaster@     permit_auth_destination
abuse@          permit_auth_destination
 
root at mail:/etc/postfix# cat relay_domains
myhost.eu               lmtp:unix:private/dovecot-lmtp
domain2.de              lmtp:unix:private/dovecot-lmtp
domain3.info            lmtp:unix:private/dovecot-lmtp
 
root at mail:/etc/postfix# cat virtual_alias_maps
postmaster at myhost.eu                 alex at myhost.eu
abuse at myhost.eu                      postmaster at myhost.eu
root at myhost.eu                       postmaster at myhost.eu
MAILER-DAEMON at myhost.eu              postmaster at myhost.eu

postmaster at domain2.de                alex at domain2.de
abuse at domain2.de                     postmaster at domain2.de
alex.homberger at domain2.de            alex at domain2.de

postmaster at domain3.info              mail at domain3.info
abuse at domain3.info                   postmaster at domain3.info
gi at domain3.info                      mail at domain3.info

root at mail:/etc/postfix# cat /etc/aliases
# See man 5 aliases for format
# required by RFC 5321
postmaster:     postmaster at myhost.eu
# required  by RFC 2142
abuse:          postmaster
# included just to make sure
MAILER-DAEMON:  postmaster
# redirect root's e-mails to main account
root:           postmaster
clamav:         postmaster

root at mail:/etc/postfix# doveconf -n
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-39-generic x86_64 Ubuntu 12.04.2 LTS
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = mdbox:~/mdbox
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
  args = scheme=CRYPT username_format=%n /etc/dovecot/auth/%d/passwd
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}
ssl_cert = </etc/ssl/certs/mail.myhost.eu.crt
ssl_key = </etc/ssl/private/mail.myhost.eu.key
userdb {
  args = username_format=%n /etc/dovecot/auth/%d/passwd
  driver = passwd-file
}
protocol lmtp {
  mail_plugins = sieve
}


Modified part of the amavisd-new configuration (deviations from the Ubuntu defaults):

root at mail:/etc/postfix# cd ../amavis/conf.d/

root at mail:/etc/amavis/conf.d# cat 50-user
use strict;
#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
# Explicitly set $mydomain
$mydomain = 'myhost.eu';
@mynetworks = qw( 127.0.0.0/8 );
# Include all domains to be used here
@local_domains_maps = ( [qw( .$mydomain .domain2.de .domain3.info )] );
# Configuring multiple mail paths
$inet_socket_port = [10024,10026];  # listen on two ports
$forward_method = 'smtp:[127.0.0.1]:10025';  # MTA with non-signing service
# switch policy bank to 'ORIGINATING' for mail received on port 10026:
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {  # mail originating from our users
  originating => 1,  # indicates client is ours, allows signing
  #
  # force MTA to convert mail to 7-bit before DKIM signing
  # to avoid later conversions which could destroy signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};
# Enable virus checking
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
# Enable spam checking
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
####### DKIM START #######
$enable_dkim_verification = 1; # enable DKIM signatures verification
$enable_dkim_signing = 1; # load DKIM signing code
dkim_key('myhost.eu', 'dkim', '/var/lib/amavis/dkim/myhost.eu.pem');
dkim_key('domain2.de', 'dkim', '/var/lib/amavis/dkim/domain2.de.pem');
dkim_key('domain3.info', 'dkim', '/var/lib/amavis/dkim/domain3.info.pem');
@dkim_signature_options_bysender_maps = (
   { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
####### DKIM END #######
# Set virus, spam etc. actions
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_REJECT;
$final_bad_header_destiny = D_PASS;
# Inform postmaster of virus detections
$virus_admin               = "postmaster\@$mydomain";  # notifications recip.
# Enable support for certain (un)compressors disabled
# by the Debian/Ubuntu maintainers, or override default choice
$lha = 'lha';
$unrar = 'unrar';
#------------ Do not modify anything below this line -------------
1;  # ensure a defined return
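
The syslog excerpt in the post shows the test message entering through postfix/pickup, which is a separate entry point from the two smtpd listeners that carry the filter settings in master.cf. As an added example (not part of the original post), this Python check lists every mail-entry service in the posted master.cf together with its effective filter; the embedded excerpt is copied from the post, and the names `filter_coverage`, `MASTER_CF`, `MAIN_CF` and `ENTRY_DAEMONS` are constructed for the illustration.

```python
import re

# Excerpt of the master.cf posted above (comments and delivery agents dropped).
MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=
submission inet n       -       y       -       -       smtpd
  -o content_filter=smtp:[127.0.0.1]:10026
  -o smtpd_proxy_filter=
pickup    fifo  n       -       -       60      1       pickup
qmgr      fifo  n       -       n       300     1       qmgr
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_proxy_filter=
"""

# The posted "postconf -n" lists neither filter parameter, so main.cf
# leaves both at their empty default.
MAIN_CF = {}

# Daemons that accept new mail, and the filter parameters each one honours.
ENTRY_DAEMONS = {
    "smtpd": ("smtpd_proxy_filter", "content_filter"),
    "pickup": ("content_filter",),
    "qmqpd": ("content_filter",),
}

def filter_coverage(master_cf, main_cf):
    """Map 'service/type' -> effective filter setting, or None if unfiltered."""
    entries = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:   # continuation of the previous entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    coverage = {}
    for entry in entries:
        fields = entry.split()
        name, kind, daemon = fields[0], fields[1], fields[7]
        if daemon not in ENTRY_DAEMONS:
            continue
        params = dict(main_cf)
        # "-o name=value" overrides main.cf for this service only.
        params.update(re.findall(r"-o\s+(\w+)=(\S*)", entry))
        coverage[f"{name}/{kind}"] = next(
            (f"{p}={params[p]}" for p in ENTRY_DAEMONS[daemon] if params.get(p)), None)
    return coverage
```

Calling `filter_coverage(MASTER_CF, MAIN_CF)` reports `None` for `pickup/fifo` and for the `127.0.0.1:10025` listener; the latter is the amavisd-new re-injection port, which is unfiltered by design.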


