Debian AmavisD

Introduction

Prerequisites:

  • C compiler
  • Web server installed
  • MySQL installed

Installation

Numerous packages are required:

Debian package manager:

apt-get --yes install libgd2-xpm php5-imap php5-ldap php5-mcrypt php5-gd
apt-get --yes install libcrypt-blowfish-perl libossp-uuid-perl libio-zlib-perl
apt-get --yes install libarchive-tar-perl libarchive-zip-perl libtemplate-perl
apt-get --yes install libemail-address-perl libconvert-tnef-perl libnet-ldap-perl
apt-get --yes install libunix-syslog-perl libnet-dns-perl libberkeleydb-perl
apt-get --yes install libauthen-sasl-perl libmail-dkim-perl libio-socket-ssl-perl libnet-ident-perl
apt-get --yes install imagemagick apt-listchanges 

Pear PHP manager:

pear channel-update pear.php.net
pear upgrade pear
pear install XML_RPC
pear install Mail_Mime
pear install DB_Pager
pear install Auth_SASL
pear install Net_Socket
pear install Net_Smtp
pear install Net_IMAP
pear install Net_POP3
pear install Log
pear install DB
pear install Pager
pear install --alldeps Image_Color
pear install -f Image_Canvas
pear install -f Numbers_Words
pear install Numbers_Roman
pear install -f Image_Graph-0.7.2

Caution:
The NET_IMAP package contains a bug that is relatively easy to fix:

(For details on the bug and the fix, see also http://pear.php.net/bugs/bug.php?id=3438):

vi /usr/share/php/Net/IMAPProtocol.php

Change lines 700 to 702 as follows:

#return $args;
// not for now
return $this->_genericImapResponseParser($args,$cmdid);

Perl modules (MCPAN):

perl -MCPAN -e shell
install Net::Server
install Mail::SPF::Query
install Convert::UUlib
install Crypt::CBC
install MIME::Parser
exit

AmavisD, Spamassassin and ClamAV

apt-get --yes install unrar-free nomarch lzop cabextract
apt-get --yes install clamav clamav-daemon clamav-docs 
apt-get --yes install spamassassin razor pyzor amavisd-new

Configuration

Spamassassin

vi /etc/default/spamassassin

Enable Spamassassin:

ENABLED=1

vi /etc/spamassassin/v312.pre

Enable the DKIM plugin (remove the # character):

loadplugin Mail::SpamAssassin::Plugin::DKIM


Update the Spamassassin rules:

sa-update

ClamAV

adduser clamav amavis
/etc/init.d/clamav-freshclam restart
/etc/init.d/clamav-daemon restart

AmavisD

cd /etc/amavis/conf.d

Enable the spam and virus checks:

vi 15-content_filter_mode

Enable the following options (remove the # character):

@bypass_virus_checks_maps = (
  \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
  \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

Numerous settings are now required in the file 50-user:

Caution:
Insert all entries between "use strict" and "1;". Otherwise Amavisd will not work correctly!

vi 50-user

Adjust $mydomain and $myhostname to match your domain and hostname:

# explicitly set $mydomain and $myhostname:
$mydomain = 'example.com';
$myhostname = 'server.example.com';

# when amavisd-new sends notifications, they appear to come from here:
$mailfrom_notify_admin     = "postmaster\@$mydomain";
$mailfrom_notify_recip     = "postmaster\@$mydomain";
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
$hdrfrom_notify_sender = "amavisd-new <postmaster\@$mydomain>";

$notify_method = 'smtp:[127.0.0.1]:10035'; # where to submit notifications

$max_servers = 6;
# We discard (and quarantine) viruses, discard (and quarantine) spam (>= kill_level), 
# bounce (and quarantine) banned files and pass bad headers:
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_PASS;

# disable DKIM - for now
$enable_dkim_verification = 0;  # enable DKIM signatures verification
$enable_dkim_signing = 0;    # load DKIM signing code, keys defined by dkim_key 

# don't quarantine bad headers (no need since we pass them all):
$bad_header_quarantine_to = undef;
# Spam gets the Subject line prepended with:
#$sa_spam_subject_tag = 'Spam> ';

If amavisd should prepend a tag (default 'Spam> ') to the subject of a spam message, remove the comment character before $sa_spam_subject_tag and adjust the tag, e.g. ***SPAM***

$sa_spam_subject_tag = '***SPAM*** ';
# We tag all headers (for 'local' domains) with X-Spam info:
$sa_tag_level_deflt = undef;

# This is the system default spam tag level that will be overridden by user's preferences in MySQL
$sa_tag2_level_deflt = 6.31;
# The default is to not quarantine any spam (outside of what users get in their Spam folder), 
# so set default kill_level high. Users can choose their own kill_level however. kill_level
# will trigger quarantining (to MailZu).
$sa_kill_level_deflt = 9999;

$warnbannedrecip = 1;
$defang_banned = 1;
$defang_virus  = 1;

# We are going to create policy banks that will notify us of internally created spam
# but also let banned files out (provided they are compressed).

@mynetworks = qw( 127.0.0.0/8 192.168.0.0/16 );

If necessary, adjust the @mynetworks entry to match your network.

$inet_socket_port = [10024, 10026]; 
## If using Mailzu, use this instead:
#$inet_socket_port = [10024, 10026, 9998]; 

$inet_socket_bind = '127.0.0.1';
## If using Mailzu, use this instead:
#$inet_socket_bind = undef;

## Interface to MailZu
#$interface_policy{'9998'} = 'MAILZU';
#$policy_bank{'MAILZU'} = {
#    protocol => 'AM.PDP',
#    inet_acl => [qw( 127.0.0.1 [::1] 111.111.111.111 )],
#};

# If using MailZu, store banned files and spam to MySQL if you want to give users the
# ability to read those messages in the MailZu interface:
#$banned_files_quarantine_method = 'sql:';
#$spam_quarantine_method         = 'sql:';

# We create a custom set of banned rules for the MYNETS and TRUSTED policy
# banks. See also the 'DEFAULT' $banned_filename_re settings in 20-debian_defaults
%banned_rules = (
 'BLOCK_EXE' =>  new_RE(
    # block double extensions in names:
      qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
    # allow any name or type (except viruses) within an archive:
      [ qr'^\.(Z|gz|bz2|rpm|cpio|tar|zip|rar|arc|arj|zoo)$' => 0],
    # blocks MS executable file(1) types, unless allowed above:
      qr'^\.(exe|exe-ms)$',
    ),
 'DEFAULT' => $banned_filename_re,
);				   

$policy_bank{'MYNETS'} = {  # mail originating from @mynetworks
  originating => 1,
  os_fingerprint_method => undef,
  spam_admin_maps  => ["postmaster\@$mydomain"], # alert of internal spam
  final_spam_destiny => D_BOUNCE, # so the sender knows they are a spammer  
  spam_kill_level_maps => [9.0],
  spam_dsn_cutoff_level_maps => [9999],
  spam_dsn_cutoff_level_bysender_maps => [9999],
  banned_filename_maps => ['BLOCK_EXE'],
};

# Note about spam_kill_level_maps in policy banks: the recipient's
# spam_kill_level is overridden (ignored). This may cause unexpected
# results, such as quarantining or passing of spam. In the two policy
# banks shown here, this would only apply to mail sent from trusted users
# (who typically would not send spam).

$interface_policy{'10026'} = 'TRUSTED';
$policy_bank{'TRUSTED'} = {  # mail originating from trusted senders
  originating => 1,
  os_fingerprint_method => undef,
  spam_admin_maps  => ["postmaster\@$mydomain"], # alert of internal spam
  final_spam_destiny => D_BOUNCE, # so the sender knows they are a spammer
  spam_kill_level_maps => [9.0],
  spam_dsn_cutoff_level_maps => [9999],
  spam_dsn_cutoff_level_bysender_maps => [9999],
  banned_filename_maps => ['BLOCK_EXE'],
};



Postfix

The Postfix configuration files must be changed to insert the spam filter into the mail transport chain:

vi /etc/postfix/master.cf

Append the following lines at the end:

lmtp-amavis    unix  -       -       n       -       2       lmtp
   -o lmtp_data_done_timeout=1200
   -o lmtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20
127.0.0.1:10025 inet n  -       y     -       -  smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o mynetworks=127.0.0.0/8
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

vi /etc/postfix/main.cf

Insert the following option:

content_filter=lmtp-amavis:[127.0.0.1]:10024


Starting the services

/etc/init.d/spamassassin start
/etc/init.d/amavis start
/etc/init.d/postfix restart
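
A check to run once the services are up, as an added example that is not part of the original wiki page: it reads `ss -ltn` output and reports every filter port from this page (10024 and 10026 for amavisd, 10025 for the Postfix re-injection listener, 9998 for the optional MailZu interface) that is bound to a non-loopback address, which is what the MailZu variant with $inet_socket_bind = undef produces. The function names and both sample listings are constructed for illustration; `ss` from iproute2 is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original page.
# Ports from this page: amavisd (10024, 10026), Postfix re-injection
# (10025), optional MailZu AM.PDP interface (9998).
FILTER_PORTS="10024 10025 10026 9998"

# Reads `ss -ltn` output on stdin; prints "NONLOCAL <addr>:<port>" for each
# filter port bound outside loopback, and nothing if all are loopback-only.
check_listeners() {
    awk -v ports="$FILTER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)       # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (!(port in want)) next              # not one of the filter ports
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: as intended
            print "NONLOCAL " addr ":" port
        }'
}

# Constructed sample: the loopback-only setup configured on this page.
sample_loopback() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128        127.0.0.1:10024      0.0.0.0:*
LISTEN 0      128        127.0.0.1:10026      0.0.0.0:*
LISTEN 0      100        127.0.0.1:10025      0.0.0.0:*
LISTEN 0      100          0.0.0.0:25         0.0.0.0:*
EOF
}

# Constructed sample: the MailZu variant ($inet_socket_bind = undef).
sample_mailzu() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:10024      0.0.0.0:*
LISTEN 0      128          0.0.0.0:10026      0.0.0.0:*
LISTEN 0      128          0.0.0.0:9998       0.0.0.0:*
LISTEN 0      100        127.0.0.1:10025      0.0.0.0:*
EOF
}

# On a live host: ss -ltn | check_listeners
```

Any NONLOCAL line means the port is reachable on a network interface, so access then depends on inet_acl in the policy bank and on the host firewall rather than on the socket binding.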