[Postfixbuch-users] Mails von lokalen Usern werden nicht auf Spam und Viren überprüft
Alexander Homberger
ahomberger at gmx.de
Mo Mär 25 20:54:51 CET 2013
Hallo,
ich habe einen neuen Mailserver aufgesetzt und weil ich es richtig machen wollte, habe ich im Vorfeld sämtliche Dokumentation dazu verschlungen, die ich finden konnte (Vorträge von Dr. Heinlein, Berichte von Patrick Koetter und Ralf Hildebrandt).
Ich benutze Postfix 2.9.1, Dovecot 2.0.19, amavisd-new 2.6.5, ClamAV 0.97.3, SpamAssassin 3.3.2 unter Ubuntu Server 12.04 LTS (ein einzelner Host, im Nachhinein mail.myhost.eu genannt). Soweit klappt das Versenden und Empfangen auch gut, ich habe zumindest schonmal kein offenes Relay produziert :-)
Was mir jedoch aufgefallen ist: Wenn ich Mails als lokaler Nutzer von der Command Line verschicke, egal ob an eine lokalen oder eine entfernte E-Mail-Adresse, dann wird diese *nicht* auf Viren und Spam überprüft oder DKIM signiert. Ist das so vorgesehen oder habe ich irgendwo eine unvernünftige Einstellung gewählt? Anbei meine Konfiguration (postconf -n etc.); vielleicht könnt ihr ja mal drüberschauen, woran das liegt und ob ich vielleicht noch irgendwelchen groben Unfug gebaut habe.
Danke!
Gruß,
Alex
root at mail:/etc/postfix# date
Mon Mar 25 20:27:38 CET 2013
root at mail:/etc/postfix# mail -s test alex at localhost
Cc: Null message body; hope that's ok
root at mail:/etc/postfix# date
Mon Mar 25 20:27:53 CET 2013
root at mail:/etc/postfix# tail -f /var/log/syslog
Mar 25 20:27:51 mail postfix/pickup[15067]: 01DD942054A: uid=0 from=<root>
Mar 25 20:27:51 mail postfix/cleanup[15077]: 01DD942054A: message-id=<20130325192751.01DD942054A at mail.myhost.eu>
Mar 25 20:27:51 mail postfix/qmgr[15068]: 01DD942054A: from=<root at myhost.eu>, size=302, nrcpt=1 (queue active)
Mar 25 20:27:51 mail postfix/local[15079]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Mar 25 20:27:51 mail postfix/local[15079]: 01DD942054A: to=<alex at localhost.myhost.eu>, orig_to=<alex at localhost>, relay=local, delay=0.03, delays=0.03/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 25 20:27:51 mail postfix/qmgr[15068]: 01DD942054A: removed
root at mail:/etc/postfix# postconf -n
anvil_rate_time_unit = 60s
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 1d
bounce_size_limit = 8192
bounce_template_file = /etc/postfix/bounce.de-DE.cf
config_directory = /etc/postfix
default_database_type = btree
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
lmtp_generic_maps = btree:/etc/postfix/lmtp_generic_maps
mailbox_size_limit = 0
maximal_queue_lifetime = 3d
message_size_limit = 52428800
myhostname = mail.myhost.eu
mynetworks = 127.0.0.0/8
myorigin = $mydomain
recipient_canonical_maps = btree:/etc/postfix/recipient_canonical_maps
relay_domains = btree:/etc/postfix/relay_domains
relocated_maps = btree:/etc/postfix/relocated_maps
sender_canonical_maps = btree:/etc/postfix/sender_canonical_maps
smtp_generic_maps = btree:/etc/postfix/smtp_generic_maps
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 50
smtpd_recipient_restrictions = check_recipient_access btree:/etc/postfix/access_recipient-rfc, check_client_access cidr:/etc/postfix/access_client, check_helo_access btree:/etc/postfix/access_helo, check_sender_access btree:/etc/postfix/access_sender, check_recipient_access btree:/etc/postfix/access_recipient, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_tls_clientcerts, permit_mynetworks, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, reject_rhsbl_client multi.uribl.com, check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023, reject_unverified_recipient, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/mail.myhost.eu.crt
smtpd_tls_key_file = /etc/ssl/private/mail.myhost.eu.key
transport_maps = btree:/etc/postfix/transport_maps, btree:/etc/postfix/relay_domains
unverified_recipient_reject_code = 550
virtual_alias_domains = btree:/etc/postfix/virtual_alias_domains
virtual_alias_maps = btree:/etc/postfix/virtual_alias_maps
(Einige der Lookup Maps sind leer; die Dateien mit Inhalt habe ich weiter unten per "cat" beigefügt.)
root at mail:/etc/postfix# cat master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o content_filter=smtp:[127.0.0.1]:10026
-o smtpd_proxy_filter=
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
#
# amavisd-new integration into postfix
#
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_delay_reject=no
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
root at mail:/etc/postfix# cat access_recipient-rfc
# Whitelist accounts required by RFCs
postmaster@ permit_auth_destination
abuse@ permit_auth_destination
root at mail:/etc/postfix# cat relay_domains
myhost.eu lmtp:unix:private/dovecot-lmtp
domain2.de lmtp:unix:private/dovecot-lmtp
domain3.info lmtp:unix:private/dovecot-lmtp
root at mail:/etc/postfix# cat virtual_alias_maps
postmaster at myhost.eu alex at myhost.eu
abuse at myhost.eu postmaster at myhost.eu
root at myhost.eu postmaster at myhost.eu
MAILER-DAEMON at myhost.eu postmaster at myhost.eu
postmaster at domain2.de alex at domain2.de
abuse at domain2.de postmaster at domain2.de
alex.homberger at domain2.de alex at domain2.de
postmaster at domain3.info mail at domain3.info
abuse at domain3.info postmaster at domain3.info
gi at domain3.info mail at domain3.info
root at mail:/etc/postfix# cat /etc/aliases
# See man 5 aliases for format
# required by RFC 5321
postmaster: postmaster at myhost.eu
# required by RFC 2142
abuse: postmaster
# included just to make sure
MAILER-DAEMON: postmaster
# redirect root's e-mails to main account
root: postmaster
clamav: postmaster
root at mail:/etc/postfix# doveconf -n
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-39-generic x86_64 Ubuntu 12.04.2 LTS
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = mdbox:~/mdbox
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
args = scheme=CRYPT username_format=%n /etc/dovecot/auth/%d/passwd
driver = passwd-file
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
protocols = " imap lmtp sieve"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 0
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
port = 0
}
}
ssl_cert = </etc/ssl/certs/mail.myhost.eu.crt
ssl_key = </etc/ssl/private/mail.myhost.eu.key
userdb {
args = username_format=%n /etc/dovecot/auth/%d/passwd
driver = passwd-file
}
protocol lmtp {
mail_plugins = sieve
}
Geänderter Teil der amavisd-new Konfiguration (Abweichungen von den Ubuntu Defaults):
root at mail:/etc/postfix# cd ../amavis/conf.d/
root at mail:/etc/amavis/conf.d# cat 50-user
use strict;
#
# Place your configuration directives here. They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
# Explicitly set $mydomain
$mydomain = 'myhost.eu';
@mynetworks = qw( 127.0.0.0/8 );
# Include all domains to be used here
@local_domains_maps = ( [qw( .$mydomain .domain2.de .domain3.info )] );
# Configuring multiple mail paths
$inet_socket_port = [10024,10026]; # listen on two ports
$forward_method = 'smtp:[127.0.0.1]:10025'; # MTA with non-signing service
# switch policy bank to 'ORIGINATING' for mail received on port 10026:
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = { # mail originating from our users
originating => 1, # indicates client is ours, allows signing
#
# force MTA to convert mail to 7-bit before DKIM signing
# to avoid later conversions which could destroy signature:
smtpd_discard_ehlo_keywords => ['8BITMIME'],
};
# Enable virus checking
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
# Enable spam checking
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
####### DKIM START #######
$enable_dkim_verification = 1; # enable DKIM signatures verification
$enable_dkim_signing = 1; # load DKIM signing code
dkim_key('myhost.eu', 'dkim', '/var/lib/amavis/dkim/myhost.eu.pem');
dkim_key('domain2.de', 'dkim', '/var/lib/amavis/dkim/domain2.de.pem');
dkim_key('domain3.info', 'dkim', '/var/lib/amavis/dkim/domain3.info.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
####### DKIM END #######
# Set virus, spam etc. actions
$final_virus_destiny = D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny = D_REJECT;
$final_bad_header_destiny = D_PASS;
# Inform postmaster of virus detections
$virus_admin = "postmaster\@$mydomain"; # notifications recip.
# Enable support for certain (un)compressors disabled
# by the Debian/Ubuntu maintainers, or override default choice
$lha = 'lha';
$unrar = 'unrar';
#------------ Do not modify anything below this line -------------
1; # ensure a defined return
Mehr Informationen über die Mailingliste Postfixbuch-users