Merge branch 'master' into terminal

content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md

@@ -726,10 +726,11 @@ namespace inbox {
 
 You can set the `auto = create` option for any mailbox you want to be auto-created for users.
 
-Now restart Dovecot. Keep an eye on terminal output, as if there's a configuration error, you'll get an error message
-when restarting.
+Now enable and start the Dovecot service. Keep an eye on terminal output, as if there's a configuration error, you'll
+get an error message when restarting.
 
-    # rc-service dovecot restart
+    # rc-update add dovecot default
+    # rc-service dovecot start
 
 # Use a local email client
 
@@ -872,6 +873,11 @@ OpenDKIM is an open-source implementation of DKIM signing and authentication. Yo
 
 You may also want `opendkim-doc` for documentation.
 
+Enable the service:
+
+    # rc-update add opendkim default
+    # rc-service opendkim start
+
 Add the `postfix` user to the `opendkim` group:
 
     # adduser postfix opendkim
@@ -1218,6 +1224,207 @@ suggestions.](https://wiki.list.org/DEV/DMARC)
 
 # Amavis
 
+Amavis is a high-performance interface between MTAs and content checkers, such as virus scanners and spam filters. We
+will use Amavis as a Postfix content filter for virus scanning and spam filtering, with ClamAV and SpamAssassin
+respectively.
+
+Install Amavis and enable the service:
+
+    # apk add amavis
+    # rc-update add amavisd default
+    # rc-service amavisd start
+
+## Amavis and Postfix
+
+Let's set up Amavis as an SMTP proxy. Edit your Postfix config at `/etc/postfix/main.cf`, and add the following to the
+end of the file:
+
+```conf
+# amavis filtering
+# gets overridden by submission & smtps services in master.cf:
+content_filter = smtp-amavis:[127.0.0.1]:10024
+# delays postfix connection to content filter until entire email message has arrived
+smtpd_proxy_options = speed_adjust
+```
+
+Amavis listens on port 10024 by default, so this tells Postfix to use Amavis as a content filter.
+
+Now edit `/etc/postfix/master.cf` and add the following lines:
+
+```conf
+smtp-amavis   unix -     -       n       -       2       smtp
+  -o syslog_name=postfix/amavis
+  -o smtp_data_done_timeout=1200
+  -o smtp_send_xforward_command=yes
+  -o smtp_dns_support_level=disabled
+  -o max_use=20
+  -o smtp_tls_security_level=none
+
+127.0.0.1:10025   inet   n    -     n     -     -    smtpd
+  -o syslog_name=postfix/10025
+  -o content_filter=
+  -o mynetworks_style=host
+  -o mynetworks=127.0.0.0/8
+  -o local_recipient_maps=
+  -o relay_recipient_maps=
+  -o strict_rfc821_envelopes=yes
+  -o smtp_tls_security_level=none
+  -o smtpd_tls_security_level=none
+  -o smtpd_restriction_classes=
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o smtpd_end_of_data_restrictions=
+  -o smtpd_error_sleep_time=0
+  -o smtpd_soft_error_limit=1001
+  -o smtpd_hard_error_limit=1000
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
+```
+
+The first block tells Postfix to send emails to Amavis, and the second block tells Postfix to run an extra smtpd daemon
+on port 10025 to receive emails back from Amavis. Restart Postfix for the changes to take effect:
+
+    # rc-service postfix restart
+
+It's good practice to use a different port for email submissions from authenticated users. Let's use port 10026 for
+this. Edit `/etc/amavisd.conf` and set `$inet_socket_port` to:
+
+```conf
+$inet_socket_port = [10024,10026];
+```
+
+to listen on multiple TCP ports.
+
+We'll set the policy to `ORIGINATING` for port 10026 in the same Amavis config file:
+
+```conf
+$interface_policy{'10026'} = 'ORIGINATING';
+```
+
+Then define the `ORIGINATING` policy by adding the following lines:
+
+```conf
+$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
+  originating => 1,  # declare that mail was submitted by our smtp client
+  allow_disclaimers => 1,  # enables disclaimer insertion if available
+  # notify administrator of locally originating malware
+  virus_admin_maps => ["virusalert\@$mydomain"],
+  spam_admin_maps  => ["virusalert\@$mydomain"],
+  warnbadhsender   => 1,
+  # force MTA conversion to 7-bit (e.g. before DKIM signing)
+  smtpd_discard_ehlo_keywords => ['8BITMIME'],
+  bypass_banned_checks_maps => [1],  # allow sending any file names and types
+  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
+};
+```
+
+Note that this is configured to send virus alerts to `virusalert@domain.com`. This should be a real email address, not
+an alias, because ClamAV bypasses Postfix and sends emails straight to Dovecot, which doesn't have access to Postfix
+aliases.
+
+Restart Amavis for the change to take effect:
+
+    # rc-service amavisd restart
+
+Edit `/etc/postfix/master.cf` now and add the following to the `submission` and `smtps` services:
+
+```conf
+  # emails from authenticated SMTP clients will be passed to Amavis listening
+  # on port 10026:
+  -o content_filter=smtp-amavis:[127.0.0.1]:10026
+```
+
+Restart Postfix again for the changes to take effect:
+
+    # rc-service postfix restart
+
+## Amavis and ClamAV
+
+Install ClamAV and enable its daemon:
+
+    # apk add clamav clamav-daemon
+    # rc-update add clamd default
+    # rc-service clamd start
+
+Enable virus-checking in Amavis by editing `/etc/amavisd.conf` and setting `@bypass_virus_checks_maps` to the
+following:
+
+```conf
+# enable virus checking
+@bypass_virus_checks_maps = (
+    \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+```
+
+Add `clamav` to the `amavis` group:
+
+    # adduser clamav amavis
+
+Restart the amavisd and clamd daemons:
+
+    # rc-service amavisd restart
+    # rc-service clamd restart
+
+## Amavis and SpamAssassin
+
+Install SpamAssassin:
+
+    # apk add spamassassin
+
+You may also want to install `spamassassin-doc`.
+
+Let's configure SpamAssassin. SpamAssassin is configured at `/etc/mail/spamassassin/local.cf`. You may want to
+configure the `required_score` option, which defaults to `5.0`. This is the spam score required for an email to be
+marked spam. `5.0` is a sensible default, but you can adjust this if you find that your spam filter needs to be more or
+less aggressive.
+
+You can also set options like `rewrite_header` to rewrite headers of a message marked spam, e.g.
+
+```conf
+rewrite_header Subject [SPAM]
+```
+
+prepends `[SPAM]` to the subject line of a spam message.
+
+Enable the service:
+
+    # rc-update add spamd default
+    # rc-service spamd start
+
+Enable spam filtering by setting `@bypass_spam_checks_maps` in your `/etc/amavisd.conf`:
+
+```conf
+# enable spam filtering
+@bypass_spam_checks_maps = (
+    \%bypass_spam_checks, \@bypass_spam_checks_acl, $bypass_spam_checks_re);
+```
+
+Restart Amavis:
+
+    # rc-service amavisd restart
+
+Now let's test your spam filter. Send yourself an email containing the following string somewhere in the body:
+
+```
+XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
+```
+
+You should see the email arrive with the following headers:
+
+```
+X-Spam-Flag: YES
+X-Spam-Score: 999.802
+X-Spam-Level: ****************************************************************
+X-Spam-Status: Yes, score=999.802 tagged_above=2 required=6.2
+ tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
+ DKIM_VALID_EF=-0.1, GTUBE=1000, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
+ TVD_SPACE_RATIO=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001,
+ URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
+```
+
 # Miscellaneous suggestions
 
 You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where

themes/terminal

@@ -1 +1 @@
-Subproject commit c779a7083471f5f6f7036dfd60e9ff9a321600f9
+Subproject commit b09f47aae7bc7f2fdeab523d15d2a8d217c4dad1