Creating a backup MX with Postfix and SpamAssassin

The mail server used is Postfix:

sudo apt-get install postfix

Next, create the database of destinations for the sites to relay, that is, the list of their primary MX servers:

sudo vi /etc/postfix/transport
### start of the transport file
toto.com smtp:mail.toto.com
titi.fr smtp:mx1.titi.fr
# (and so on for every site to relay)
### end of the transport file

Then convert the transport text file into a hash table that Postfix can read:

cd /etc/postfix/
sudo postmap transport

=> this generates the transport.db file

Important note: if you add domains to relay later on, do not forget to regenerate transport.db with this command.

sudo vi main.cf
### start of the main.cf file

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# Our configuration starts here
myhostname = mxbackup1.mondomaine.com
mydestination = $myhostname, monserveur.{mondomainelocal}, localhost.{mondomainelocal}, localhost
relayhost =

# Empty: recipients of the relayed domains are not checked against a list on this host
relay_recipient_maps =
relay_domains = $mydestination,
  toto.com,
  titi.fr

smtpd_recipient_restrictions = permit_sasl_authenticated,
  permit_mynetworks,
  permit_mx_backup,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_invalid_hostname,
  reject_rbl_client zen.spamhaus.org
# helo required
smtpd_helo_required = yes
# disable vrfy command
disable_vrfy_command = yes
smtpd_data_restrictions =
  reject_unauth_pipelining,
  permit

# Delay after which a delayed-delivery warning is sent
delay_warning_time = 4h
# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450
# Maximum time a message is kept in the queue
maximal_queue_lifetime = 15d
# Time between retries when the connection to the primary MX fails
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# Maximum time between the HELO and the sending by the sender
smtp_helo_timeout = 60s
# maximum number of recipients
smtpd_recipient_limit = 25
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12

# file containing the destinations of the relayed sites.
transport_maps = hash:/etc/postfix/transport

# end of the main.cf file

main.cf refers to a mailname file in the /etc directory. It must contain the name of your hosting provider's SMTP server:

sudo vi /etc/mailname

then type the name of your outgoing SMTP server, for example:

smtp.free.fr

(if your provider is Free)
then save the file.

If everything worked, starting the postfix service

sudo service postfix start

should succeed.
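
An added example, not part of the original post: a shell check that every domain in relay_domains has an entry in the transport file, and that transport.db is not older than the text file it was built from. It assumes relay_domains is a plain list as in the main.cf above (not a lookup table); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check relay_domains
# against the transport map and detect a stale transport.db.

# Domains listed in a transport file (first field; comments and blanks skipped).
transport_domains() {
    awk '!/^[ \t]*(#|$)/ { print tolower($1) }' "$1" | sort -u
}

# One domain per line from a relay_domains value; $variables are dropped.
relay_domain_list() {
    printf '%s\n' "$1" | tr ', \t' '\n\n\n' | tr 'A-Z' 'a-z' |
        grep -v -e '^$' -e '^\$' | sort -u
}

# Relayed domains that have no transport entry.
missing_transport() {   # $1 = transport file, $2 = relay_domains value
    mt_t=$(mktemp); mt_r=$(mktemp)
    transport_domains "$1" > "$mt_t"
    relay_domain_list "$2" > "$mt_r"
    comm -13 "$mt_t" "$mt_r"
    rm -f "$mt_t" "$mt_r"
}

# Succeeds when transport.db exists and the text file is not newer than it.
transport_db_fresh() {  # $1 = transport file
    [ -f "$1.db" ] && [ -z "$(find "$1" -newer "$1.db")" ]
}

# Constructed sample: titi.fr is relayed but missing from the transport file.
sample=$(mktemp)
printf 'toto.com smtp:mail.toto.com\n' > "$sample"
missing_transport "$sample" '$mydestination, toto.com, titi.fr'
transport_db_fresh "$sample" || echo "stale or missing: run postmap $sample"
rm -f "$sample"

# On the backup MX itself:
#   missing_transport /etc/postfix/transport "$(postconf -h relay_domains)"
```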

At this stage it works, but spammers are clever and know that it is easier to get in through the backup than through the primary server, which is often better defended.

So the backup MX should be armed with an antispam filter.

Installing SpamAssassin:

sudo apt-get install -qq spamassassin spamc

Next, create a dedicated group and user for SpamAssassin:

sudo groupadd -g 5001 spamd
sudo useradd -u 5001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin spamd
sudo mkdir /var/lib/spamassassin
sudo chown spamd:spamd /var/lib/spamassassin

Then configure SpamAssassin to tag as SPAM the messages whose score is higher than 5:

sudo vi /etc/spamassassin/local.cf
### start of the local.cf file
rewrite_header Subject [***** SPAM _SCORE_ *****]
required_score 5.0
# to be able to use _SCORE_ we need report_safe set to 0
# If this option is set to 0, incoming spam is only
# modified by adding some "X-Spam-" headers and no
# changes will be made to the body.
report_safe 0

# Enable the Bayes system
use_bayes 1
use_bayes_rules 1
# Enable Bayes auto-learning
bayes_auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2 0
use_pyzor 0
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################

# Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****

# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1

# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.

# Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock

# Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0

# Use Bayesian classifier (default: 1)
#
# use_bayes 1

# Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1

# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status

# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
# shortcircuit SUBJECT_IN_WHITELIST on

# the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST on
# shortcircuit USER_IN_BLACKLIST_TO on
# shortcircuit SUBJECT_IN_BLACKLIST on

# if you have taken the time to correctly specify your "trusted_networks",
# this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED on

# and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit

### end of the local.cf file

A small subtlety: the SpamAssassin service (daemon) is disabled by default, so

sudo vi /etc/default/spamassassin
and change ENABLED=0 to ENABLED=1

then

sudo service spamassassin start

To update SpamAssassin, the command is

sa-update

followed by a restart of the service:

service spamassassin restart

which gives

sudo sa-update && sudo service spamassassin restart

This can be automated as a daily cron task:
sudo crontab -e
add the line
0 4 * * * sa-update && service spamassassin restart

to update it every night at 4 a.m.

Once SpamAssassin is installed, it has to be hooked into Postfix.
This is done in master.cf, the second Postfix configuration file:

sudo vi /etc/postfix/master.cf
### start of the master.cf file
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
  -o smtpd_helo_restrictions=reject_unknown_hostname,permit
  -o content_filter=spamassassin
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
#submission inet n - - - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
spamassassin unix - n n - - pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

### end of the master.cf file
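
An added example, not part of the original post: two shell checks for master.cf. The first reports any content_filter target named in a "-o" override that has no matching service entry (mail would then be deferred instead of filtered); the second reports service lines with fewer than the 8 master.cf fields, which is what a continuation line looks like once it loses its leading whitespace. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on master.cf.

# content_filter targets used in "-o" overrides that have no service entry.
unresolved_filters() {   # $1 = master.cf path
    awk '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        !/^[ \t]/      { services[$1] = 1 } # a new service starts in column 1
        {
            n = split($0, w, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (w[i] ~ /^content_filter=/) {
                    f = substr(w[i], 16)    # text after "content_filter="
                    sub(/:.*/, "", f)       # keep the transport, drop the nexthop
                    if (f != "") wanted[f] = 1
                }
        }
        END { for (f in wanted) if (!(f in services)) print f }
    ' "$1" | sort
}

# Service lines with fewer than the 8 master.cf fields, e.g. a continuation
# line that lost its leading whitespace.
malformed_services() {   # $1 = master.cf path
    awk '/^[ \t]*(#|$)/ { next } !/^[ \t]/ && NF < 8 { print NR ": " $0 }' "$1"
}

# Constructed sample: the filter is referenced, but its pipe service is missing
# and the last line is an unindented continuation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtp inet n - - - - smtpd
  -o content_filter=spamassassin
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
EOF
unresolved_filters "$sample"    # prints: spamassassin
malformed_services "$sample"    # prints: 5: ${nexthop} ${user}
rm -f "$sample"
```

On the backup MX, run both functions against /etc/postfix/master.cf before "postfix reload"; both should print nothing.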

To view the queue:

mailq

To force a delivery attempt for the queue:

postqueue -f

To resubmit the queue (when messages are not getting out):

postsuper -r ALL
