[Postfixbuch-users] Alte Konfiguration postfix/amavis mit dovecot auf neuen Server übernehmen
Michael Koehler
postfixbuch-users at makomi.de
Mo Jan 19 11:17:21 CET 2015
Hallo,
ich habe mir vor mehr als 4/5 Jahren einen eigenen Mailserver mit
Postfix und Dovecot, verwaltet mit Postfixadmin, unter Zuhilfenahme
diverser Lektüre (meist deutschsprachig) erfolgreich aufgebaut und
seitdem läuft es gut, ohne dass ich groß etwas anpassen mußte. Ich denke auch
heute noch das Grundprinzip zu verstehen, aber inzwischen wurden doch
schon diverse Veränderungen eingeführt, mit denen ich bisher noch nicht
in Berührung kam. Nun will ich (freiwillig :)) einen neuen Mailserver
aufbauen (und spiele dabei mit dem Gedanken statt Postfixadmin zukünftig
Modoboa zu nutzen) und bin dabei zusammenzustellen, was an meiner
bisherigen Konfiguration übernommen werden kann und was besser verändert
werden muß. Fakt ist, dass ich bei Debian Wheezy wohl bleiben werde
(eventuell könnte ich mir einen Wechsel zu Jessie vorstellen, da das
inzwischen auch recht stabil sein soll) und ich am liebsten bei den
deb-Paketen bleiben möchte.
Es wäre schön, wenn jemand sich die Zeit nehmen könnte mal kurz
drüberzuschauen, wie die bisherige Konfiguration ist und ob es
Verbesserungsvorschläge gibt.
Zur Zeit läuft der "alte" Mailserver auf einem Debian Wheezy mit:
- postfix 2.11.2-1~bpo70+1
- amavisd-new 2.7.1-2
- dovecot 2.2.15-1~auto+88 (von xi.rename-it.nl)
- spamassassin 3.4.0-2~bpo70+1 mit pyzor 0.5.0-2 und razor 2.85-4+b1
- postgrey 1.34-1.1
Die Konfigurationen sind unten angehängt.
Viele Grüße,
Michael
--- postconf -n ---
# postconf -n output as pasted into the mail. Continuation lines of
# multi-line values lost their leading whitespace in transit, so this
# is not loadable as-is. Reviewer remarks are marked NOTE(review).
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 2d
bounce_template_file = /etc/postfix/bounce-templates/bounce.de-DE.cf
config_directory = /etc/postfix
header_checks = pcre:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
# NOTE(review): 0 disables both limits, so a message of any size is
# accepted and handed to the pre-queue filter on 10024 while the client
# waits — a resource-exhaustion risk; consider an explicit upper bound.
mailbox_size_limit = 0
message_size_limit = 0
mydestination = localhost
# "$(hostname -f)" is not postconf syntax; presumably substituted by the
# author to redact the real hostname (same in the TLS file names below).
myhostname = $(hostname -f)
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
# Outbound TLS is opportunistic (security_level "may"): peer certificates
# are not verified at this level, so the CApath only takes effect if a
# stricter per-destination policy exists outside this output.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname
smtpd_data_restrictions = reject_multi_recipient_bounce
# Before-queue content filter: everything arriving on port 25 is proxied
# to amavisd on 10024; submission/smtps override this in master.cf and
# use the post-queue path via 10026 instead.
smtpd_proxy_filter = [127.0.0.1]:10024
smtpd_proxy_options = speed_adjust
# Evaluation order: local/authenticated clients first, then sender and
# recipient sanity checks, HELO checks, the DNSBL, and last the policy
# service on port 60000 (presumably postgrey, listed in the mail — the
# port is non-default, confirm).
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated reject_non_fqdn_sender
reject_non_fqdn_recipient reject_unknown_sender_domain
reject_unauth_destination check_recipient_access
hash:/etc/postfix/roleaccount_exceptions reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname check_helo_access
pcre:/etc/postfix/helo_checks check_sender_mx_access
cidr:/etc/postfix/bogus_mx check_sender_access pcre:/etc/postfix/umlaute
reject_unlisted_recipient check_client_access
hash:/etc/postfix/client_whitelist reject_rbl_client ix.dnsbl.manitu.net
check_policy_service inet:127.0.0.1:60000 permit
smtpd_tls_CAfile = /etc/ssl/certs/startssl-ca.pem
# NOTE(review): requests a certificate from every client; with
# security_level "may" it is never verified, so this only adds a
# certificate request to each handshake.
smtpd_tls_ask_ccert = yes
# SASL is not enabled on port 25 in this output (smtpd_sasl_auth_enable
# at its default), so auth_only=no has no effect here; submission and
# smtps set smtpd_tls_auth_only=yes in master.cf.
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/$(hostname -f)-startssl-sub-cert.pem
# NOTE(review): 1024-bit DH parameters are considered weak today. The
# parameter accepts larger groups despite its name, so a 2048-bit file
# can be dropped in here. The 512-bit file only serves export ciphers,
# which "!EXP" in the cipher list below already excludes.
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/ssl/private/$(hostname -f)-startssl-key.pem
smtpd_tls_loglevel = 1
# "high" selects tls_high_cipherlist below, but only for mandatory TLS
# (the submission/smtps services). Opportunistic TLS on port 25 uses
# smtpd_tls_ciphers, which is not set in this output (default applies).
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
# "+SSLv3" in this string is the OpenSSL cipher-suite group (SSLv3-era
# suites), not protocol enablement; the protocol itself is disabled
# above. The trailing CAMELLIA/AES-SHA entries are non-forward-secret
# fallbacks for clients without EDH/EECDH.
tls_high_cipherlist =
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
transport_maps = hash:/etc/postfix/transport
# Virtual domains, aliases and mailboxes come from the Postfixadmin
# MySQL database via proxymap; delivery goes to Dovecot over LMTP.
virtual_alias_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
---
--- master.cf ---
# master.cf as pasted into the mail; the "-o" and argv continuation
# lines lost their leading whitespace in transit. Reviewer remarks are
# marked NOTE(review).
# Port 25: pre-queue proxy filter (smtpd_proxy_filter in main.cf).
smtp inet n - - - - smtpd
# LMTP transport used as content_filter by submission/smtps below
# (amavisd-new:[127.0.0.1]:10026).
amavisd-new unix - - n - 2 lmtp
-o syslog_name=postfix/amavisd-new
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o lmtp_tls_note_starttls_offer=no
-o disable_dns_lookups=yes
-o max_use=20
# Re-injection listener for the pre-queue filter (10024 -> 10025).
# Access is limited to loopback: mynetworks=127.0.0.0/8 plus
# permit_mynetworks,reject on client and recipient restrictions.
127.0.0.1:10025 inet n - n - - smtpd
-o syslog_name=postfix/amavisd-feed-smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o local_header_rewrite_clients=
-o smtpd_milters=
-o local_recipient_maps=
-o transport_maps=hash:/etc/postfix/transport
-o relay_recipient_maps=
# Re-injection listener for the amavisd AUTH bank (10026 -> 10027),
# i.e. authenticated/originating mail. Unlike 10025 it skips unknown-
# recipient checks and milters and applies its own header_checks file.
# NOTE(review): this uses header_checks_submission, cleanup-submission
# below uses submission_header_checks — two similarly named files;
# confirm both are intended and neither is a stale copy.
127.0.0.1:10027 inet n - n - - smtpd
-o syslog_name=postfix/amavisd-feed-submission
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o header_checks=pcre:/etc/postfix/header_checks_submission
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
-o smtpd_milters=
-o local_recipient_maps=
-o transport_maps=hash:/etc/postfix/transport
-o relay_recipient_maps=
# Port 587: STARTTLS is mandatory before AUTH, SASL via the Dovecot
# socket, only authenticated clients may send, post-queue filtering
# through the AUTH bank on 10026 (the pre-queue proxy is disabled here).
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o content_filter=amavisd-new:[127.0.0.1]:10026
-o smtpd_proxy_filter=
-o smtpd_proxy_options=
-o smtpd_client_connection_count_limit=16
-o smtpd_delay_reject=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_auth_only=yes
-o tls_preempt_cipherlist=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_tls_security_options=$smtpd_sasl_security_options
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_authenticated_header=yes
-o cleanup_service_name=cleanup-submission
# Port 465: same as submission but in TLS wrapper mode.
# NOTE(review): smtpd_sasl_tls_security_options inherits
# "noanonymous,noplaintext", so PLAIN/LOGIN are disallowed even inside
# the TLS session. The doveconf output offers only "plain login", which
# would leave no usable mechanism on this port — confirm that 465 still
# authenticates; submission above uses "noanonymous" only.
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o content_filter=amavisd-new:[127.0.0.1]:10026
-o smtpd_proxy_filter=
-o smtpd_proxy_options=
-o smtpd_client_connection_count_limit=16
-o smtpd_delay_reject=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_auth_only=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_tls_security_options=$smtpd_sasl_security_options
-o smtpd_sasl_security_options=noanonymous,noplaintext
-o smtpd_sasl_authenticated_header=yes
-o cleanup_service_name=cleanup-submission
-o smtpd_tls_wrappermode=yes
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
# Separate cleanup for authenticated mail with its own header_checks
# (e.g. to strip client headers before the mail leaves the box).
cleanup-submission unix n - - - 0 cleanup
-o syslog_name=cleanup-submission
-o header_checks=pcre:/etc/postfix/submission_header_checks
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
# Debian's stock pipe transports follow; none is referenced by the
# transport settings shown in this mail. Their argv lines were wrapped
# by the mail client.
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
---
---amavisd-new/conf.d/50-user ---
# amavisd-new site configuration (conf.d/50-user) as pasted into the
# mail; "[...]" marks lines the author left out. Reviewer remarks are
# marked NOTE(review).
# Decompressor lookups and evidence handling.
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$unrar = ['rar', 'unrar'];
$lha = 'lha';
$allow_preserving_evidence = 0;
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl,
\$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl,
\$bypass_spam_checks_re);
read_l10n_templates('de_DE', '/etc/amavis');
# Only loopback is "internal"; mail arriving from it skips spam, banned
# and header checks via the MYNETS bank.
@mynetworks = qw(127.0.0.0/8);
$policy_bank{'MYNETS'} = { # clients in @mynetworks
bypass_spam_checks_maps => [1], # don't spam-check internal mail
bypass_banned_checks_maps => [1], # don't banned-check internal mail
bypass_header_checks_maps => [1], # don't header-check internal mail
};
# 'smtp:*:*' hands mail back to the originating IP on (incoming port + 1),
# i.e. 10024 -> 10025 and 10026 -> 10027, matching the master.cf listeners.
$notify_method = 'smtp:*:*';
$forward_method = 'smtp:*:*';
# 10024: pre-queue proxy for port 25; 10026: post-queue AUTH bank for
# submission/smtps (originating mail).
$inet_socket_port = [10024,10026];
$interface_policy{'10026'} = 'AUTH';
$policy_bank{'AUTH'} = {
# NOTE(review): spam_admin_maps also goes to virusadmin here, while the
# global $spam_admin below goes to postmaster — presumably a copy/paste
# leftover; confirm which address is intended.
virus_admin_maps => ["virusadmin\@$mydomain"],
spam_admin_maps => ["virusadmin\@$mydomain"],
spam_kill_level_maps => 7.0,
spam_dsn_cutoff_level_maps => 15,
bypass_banned_checks_maps => 1,
# NOTE(review): final_bad_header_destiny appears twice in this hash
# literal; in Perl the later value (D_PASS, below) wins, so D_BOUNCE
# here is dead. Drop one of the two to make the intent explicit.
final_bad_header_destiny => D_BOUNCE,
originating => 1,
# Originating spam is bounced back to the authenticated sender, viruses
# are rejected at SMTP time, banned files pass.
final_spam_destiny => D_BOUNCE,
final_virus_destiny => D_REJECT,
final_banned_destiny=> D_PASS,
final_bad_header_destiny => D_PASS,
warnbadhsender => 1,
forward_method => 'smtp:*:*',
notify_method => 'smtp:[127.0.0.1]:10027',
};
# Domain lookups against the Postfixadmin database. 'PASSWORD' is
# presumably redacted by the author; the real file carries a DB
# credential and should stay readable only by the amavis user.
@lookup_sql_dsn = (
['DBI:mysql:database=postfixadmin;host=localhost;port=3306',
'postfixadmin', 'PASSWORD'], );
# %k is replaced by the list of recipient domain keys amavisd looks up.
$sql_select_policy = 'SELECT "Y" as local, 1 as id FROM domain WHERE
CONCAT("@",domain) IN (%k)';
$sql_select_white_black_list = undef;
# "." matches every domain, so all recipients count as local regardless
# of the SQL lookup above.
@local_domains_acl = ( "." );
# Global (non-AUTH) defaults: inbound spam is silently discarded,
# banned attachments pass.
$final_banned_destiny = D_PASS;
$final_spam_destiny = D_DISCARD;
# Admin/quarantine addresses are derived from the recipient's domain:
# virus notices go to virusadmin@<domain>, the rest to postmaster@<domain>.
$virus_admin = new_RE( [ qr'^(.*)(@)([^@]*)?$'i => 'virusadmin${2}${3}' ] );
$banned_admin = new_RE( [ qr'^(.*)(@)([^@]*)?$'i => 'postmaster${2}${3}'
] );
$spam_admin = new_RE( [ qr'^(.*)(@)([^@]*)?$'i => 'postmaster${2}${3}' ] );
$spam_quarantine_to = new_RE( [ qr'^(.*)(@)([^@]*)?$'i =>
'postmaster${2}${3}' ] );
$banned_quarantine_to = new_RE( [ qr'^(.*)(@)([^@]*)?$'i =>
'postmaster${2}${3}' ] );
$virus_quarantine_to = new_RE( [ qr'^(.*)(@)([^@]*)?$'i =>
'virusadmin${2}${3}' ] );
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = -999.0; # add spam info headers if at, or above that level
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$allowed_added_header_fields{lc('X-Spam-Report')} = 1;
# DKIM: verify inbound, sign outbound with a 21-day signature lifetime.
# Both domains shown use the same key file and selector 'main'; that
# works only if each domain's DNS publishes that key under that selector.
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600,
c => 'relaxed/simple' } } );
dkim_key('DOMAIN1', 'main', '/etc/amavis/ssl/dkim-key.pem');
[...]
dkim_key('DOMAIN2', 'main', '/etc/amavis/ssl/dkim-key.pem');
$log_level = 1; # verbosity 0..5
---
--- doveconf -n ---
# 2.2.15 (51e8bbc82edd): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.6
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
# doveconf -n output as pasted into the mail; some long values were
# wrapped by the mail client. Reviewer remarks are marked NOTE(review).
# Only plaintext mechanisms are offered; acceptable because "ssl =
# required" below forces TLS before any login.
auth_mechanisms = plain login
# Logs failed logins with reason — useful for detection/fail2ban.
auth_verbose = yes
first_valid_uid = 108
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
imap_idle_notify_interval = 14 mins
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
# Per-domain/per-user maildirs under /var/mail.
mail_home = /var/mail/%d/%u
mail_location = maildir:/var/mail/%d/%u
mail_plugins = " quota mail_log notify listescape mailbox_alias virtual"
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate
# Virtual mailboxes namespace ("Virtual." prefix), indexes kept in memory.
namespace {
hidden = no
inbox = no
list = yes
location = virtual:/var/mail/%d/%u/virtual:INDEX=MEMORY
prefix = Virtual.
separator = .
subscriptions = yes
}
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
# Passwords come from the Postfixadmin database (SQL settings in the
# referenced file, not shown).
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
plugin {
mail_log_events = delete undelete expunge copy mailbox_delete
mailbox_rename flag_change
mail_log_fields = uid box msgid size flags
# Client-specific folder names mapped onto the standard special-use
# folders. NOTE(review): mailbox_alias_new and mailbox_alias_new5 both
# map "Sent Messages" (to Sent and to Gesendet) — one of them is
# redundant or conflicting; confirm which is meant.
mailbox_alias_new = Sent Messages
mailbox_alias_new2 = Sent Items
mailbox_alias_new3 = Gesendete Objekte
mailbox_alias_new4 = Deleted Messages
mailbox_alias_new5 = Sent Messages
mailbox_alias_new6 = Papierkorb
mailbox_alias_new7 = Junk-E-Mail
mailbox_alias_old = Sent
mailbox_alias_old2 = Sent
mailbox_alias_old3 = Sent
mailbox_alias_old4 = Trash
mailbox_alias_old5 = Gesendet
mailbox_alias_old6 = Trash
mailbox_alias_old7 = Junk
# Sieve scripts live under /var/spool/mail while mail_location uses
# /var/mail; on Debian the former is usually a symlink to the latter —
# confirm, or use the same path in both places.
sieve = /var/spool/mail/%d/%u/.dovecot.sieve
sieve_dir = /var/spool/mail/%d/%u/sieve
}
protocols = " imap lmtp sieve"
# SASL socket for Postfix smtpd (smtpd_sasl_path=private/auth).
# NOTE(review): mode 0666 makes the socket world-writable; with
# user/group set to postfix, 0660 is sufficient for Postfix to use it.
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
}
service dict {
unix_listener dict {
group = mail
mode = 0660
}
}
# port = 0 disables plain IMAP on 143; only IMAPS on 993 is offered.
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
}
# Post-login hook: an external script runs after each IMAP login
# (script not shown; it runs as $default_internal_user).
service imap-postlogin {
executable = script-login /usr/local/bin/postlogin-imap.sh
user = $default_internal_user
}
service imap {
executable = imap imap-postlogin
}
# LMTP delivery socket for Postfix (virtual_transport in main.cf).
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
# NOTE(review): the legacy ManageSieve port 2000 is still open next to
# the standard 4190; drop it unless a client still depends on it.
service managesieve-login {
inet_listener sieve {
port = 4190
}
inet_listener sieve_deprecated {
port = 2000
}
}
# TLS is mandatory for all clients; SSLv2/v3 disabled. No ssl_cipher_list
# appears in this output, so Dovecot's default cipher list applies —
# consider pinning one consistent with the Postfix cipher list.
ssl = required
ssl_ca = </etc/ssl/certs/startssl-ca.pem
ssl_cert = </etc/ssl/certs/$(hostname -f)-startssl-sub-cert.pem
ssl_key = </etc/ssl/private/$(hostname -f)-startssl-key.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
# prefetch reuses the user fields returned by the passdb query; the SQL
# userdb below serves lookups that did not go through passdb (e.g. LMTP).
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
protocol lmtp {
mail_plugins = " quota mail_log notify listescape mailbox_alias
virtual sieve"
}
protocol lda {
mail_plugins = " quota mail_log notify listescape mailbox_alias
virtual sieve"
}
protocol imap {
mail_max_userip_connections = 50
mail_plugins = " quota mail_log notify listescape mailbox_alias
virtual imap_quota"
}
---