From 1342400f67cd315b824913acd269ac1fd9450734 Mon Sep 17 00:00:00 2001
From: revsuine
Date: Fri, 22 Nov 2024 20:07:06 +0000
Subject: [PATCH 1/3] themes/terminal: update
---
 themes/terminal | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/themes/terminal b/themes/terminal
index c779a70..b09f47a 160000
--- a/themes/terminal
+++ b/themes/terminal
@@ -1 +1 @@
-Subproject commit c779a7083471f5f6f7036dfd60e9ff9a321600f9
+Subproject commit b09f47aae7bc7f2fdeab523d15d2a8d217c4dad1
From 039ce26466d99c62fc16371462f0c08d1da2633a Mon Sep 17 00:00:00 2001
From: revsuine
Date: Fri, 22 Nov 2024 23:41:32 +0000
Subject: [PATCH 2/3] content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: start amavis section + add service commands
---
 .../index.md | 22 ++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
index 1059745..759f12b 100644
--- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
+++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
@@ -726,10 +726,11 @@ namespace inbox {
 You can set the `auto = create` option for any mailbox you want to be auto-created for users.
-Now restart Dovecot. Keep an eye on terminal output, as if there's a configuration error, you'll get an error message
-when restarting.
+Now enable and start the Dovecot service. Keep an eye on terminal output, as if there's a configuration error, you'll
+get an error message when restarting.
- # rc-service dovecot restart
+ # rc-update add dovecot default
+ # rc-service dovecot start
 # Use a local email client
@@ -872,6 +873,11 @@ OpenDKIM is an open-source implementation of DKIM signing and authentication. Yo
 You may also want `opendkim-doc` for documentation.
+Enable the service:
+
+ # rc-update add opendkim default
+ # rc-service opendkim start
+
 Add the `postfix` user to the `opendkim` group:
 # adduser postfix opendkim
@@ -1218,6 +1224,16 @@ suggestions.](https://wiki.list.org/DEV/DMARC)
 # Amavis
+Amavis is a high-performance interface between MTAs and content checkers, such as virus scanners and spam filters. We
+will use Amavis as a Postfix content filter for virus scanning and spam filtering, with ClamAV and SpamAssassin
+respectively.
+
+Install Amavis and enable the service:
+
+ # apk add amavis
+ # rc-update add amavisd default
+ # rc-service amavisd start
+
 # Miscellaneous suggestions
 You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where
From a758d1f37010838370e1e7b4c89bc3fb378c2966 Mon Sep 17 00:00:00 2001
From: revsuine
Date: Sat, 23 Nov 2024 03:52:28 +0000
Subject: [PATCH 3/3] content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: finish amavis section
---
 .../index.md | 191 ++++++++++++++++++
 1 file changed, 191 insertions(+)
diff --git a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
index 759f12b..fe9e42e 100644
--- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
+++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
@@ -1234,6 +1234,197 @@ Install Amavis and enable the service:
 # rc-update add amavisd default
 # rc-service amavisd start
+## Amavis and Postfix
+
+Let's set up Amavis as an SMTP proxy. Edit your Postfix config at `/etc/postfix/main.cf`, and add the following to the
+end of the file:
+
+```conf
+# amavis filtering
+# gets overridden by submission & smtps services in master.cf:
+content_filter = smtp-amavis:[127.0.0.1]:10024
+# delays postfix connection to content filter until entire email message has arrived
+smtpd_proxy_options = speed_adjust
+```
+
+Amavis listens on port 10024 by default, so this tells Postfix to use Amavis as a content filter.
+
+Now edit `/etc/postfix/master.cf` and add the following lines:
+
+```conf
+smtp-amavis unix - - n - 2 smtp
+ -o syslog_name=postfix/amavis
+ -o smtp_data_done_timeout=1200
+ -o smtp_send_xforward_command=yes
+ -o smtp_dns_support_level=disabled
+ -o max_use=20
+ -o smtp_tls_security_level=none
+
+127.0.0.1:10025 inet n - n - - smtpd
+ -o syslog_name=postfix/10025
+ -o content_filter=
+ -o mynetworks_style=host
+ -o mynetworks=127.0.0.0/8
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o strict_rfc821_envelopes=yes
+ -o smtp_tls_security_level=none
+ -o smtpd_tls_security_level=none
+ -o smtpd_restriction_classes=
+ -o smtpd_delay_reject=no
+ -o smtpd_client_restrictions=permit_mynetworks,reject
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o smtpd_end_of_data_restrictions=
+ -o smtpd_error_sleep_time=0
+ -o smtpd_soft_error_limit=1001
+ -o smtpd_hard_error_limit=1000
+ -o smtpd_client_connection_count_limit=0
+ -o smtpd_client_connection_rate_limit=0
+ -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
+```
+
+The first block tells Postfix to send emails to Amavis, and the second block tells Postfix to run an extra smtpd daemon
+on port 10025 to receive emails back from Amavis.
Restart Postfix for the changes to take effect:
+
+ # rc-service postfix restart
+
+It's good practice to use a different port for email submissions from authenticated users. Let's use port 10026 for
+this. Edit `/etc/amavisd.conf` and set `$inet_socket_port` to:
+
+```conf
+$inet_socket_port = [10024,10026];
+```
+
+to listen on multiple TCP ports.
+
+We'll set the policy to `ORIGINATING` for port 10026 in the same Amavis config file:
+
+```conf
+$interface_policy{'10026'} = 'ORIGINATING';
+```
+
+Then define the `ORIGINATING` policy by adding the following lines:
+
+```conf
+$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
+ originating => 1, # declare that mail was submitted by our smtp client
+ allow_disclaimers => 1, # enables disclaimer insertion if available
+ # notify administrator of locally originating malware
+ virus_admin_maps => ["virusalert\@$mydomain"],
+ spam_admin_maps => ["virusalert\@$mydomain"],
+ warnbadhsender => 1,
+ # force MTA conversion to 7-bit (e.g. before DKIM signing)
+ smtpd_discard_ehlo_keywords => ['8BITMIME'],
+ bypass_banned_checks_maps => [1], # allow sending any file names and types
+ terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
+};
+```
+
+Note that this is configured to send virus alerts to `virusalert@domain.com`. This should be a real email address, not
+an alias, because ClamAV bypasses Postfix and sends emails straight to Dovecot, which doesn't have access to Postfix
+aliases.
+
+Restart Amavis for the change to take effect:
+
+ # rc-service amavisd restart
+
+Edit `/etc/postfix/master.cf` now and add the following to the `submission` and `smtps` services:
+
+```conf
+ # emails from authenticated SMTP clients will be passed to Amavis listening
+ # on port 10026:
+ -o content_filter=smtp-amavis:[127.0.0.1]:10026
+```
+
+Restart Postfix again for the changes to take effect:
+
+ # rc-service postfix restart
+
+## Amavis and ClamAV
+
+Install ClamAV and enable its daemon:
+
+ # apk add clamav clamav-daemon
+ # rc-update add clamd default
+ # rc-service clamd start
+
+Enable virus-checking in Amavis by editing `/etc/amavisd.conf` and setting `@bypass_virus_checks_maps` to the
+following:
+
+```conf
+# enable virus checking
+@bypass_virus_checks_maps = (
+ \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+```
+
+Add `clamav` to the `amavis` group:
+
+ # adduser clamav amavis
+
+Restart the amavisd and clamd daemons:
+
+ # rc-service amavisd restart
+ # rc-service clamd restart
+
+## Amavis and SpamAssassin
+
+Install SpamAssassin:
+
+ # apk add spamassassin
+
+You may also want to install `spamassassin-doc`.
+
+Let's configure SpamAssassin. SpamAssassin is configured at `/etc/mail/spamassassin/local.cf`. You may want to
+configure the `required_score` option, which defaults to `5.0`. This is the spam score required for an email to be
+marked spam. `5.0` is a sensible default, but you can adjust this if you find that your spam filter needs to be more or
+less aggressive.
+
+You can also set options like `rewrite_header` to rewrite headers of a message marked spam, e.g.
+
+```conf
+rewrite_header Subject [SPAM]
+```
+
+prepends `[SPAM]` to the subject line of a spam message.
+
+Enable the service:
+
+ # rc-update add spamd default
+ # rc-service spamd start
+
+Enable spam filtering by setting `@bypass_spam_checks_maps` in your `/etc/amavisd.conf`:
+
+```conf
+# enable spam filtering
+@bypass_spam_checks_maps = (
+ \%bypass_spam_checks, \@bypass_spam_checks_acl, $bypass_spam_checks_re);
+```
+
+Restart Amavis:
+
+ # rc-service amavisd restart
+
+Now let's test your spam filter. Send yourself an email containing the following string somewhere in the body:
+
+```
+XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
+```
+
+You should see the email arrive with the following headers:
+
+```
+X-Spam-Flag: YES
+X-Spam-Score: 999.802
+X-Spam-Level: ****************************************************************
+X-Spam-Status: Yes, score=999.802 tagged_above=2 required=6.2
+ tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
+ DKIM_VALID_EF=-0.1, GTUBE=1000, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
+ TVD_SPACE_RATIO=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001,
+ URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
+```
+
 # Miscellaneous suggestions
 You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where