Thursday, May 14, 2009

Solaris 10 installing Postfix, Spamassassin and DNS Blocklists

== Install Postfix ==

Install postfix with our pkg-get program (http://www.opencsw.org/pkg-get):

pkg-get -U
pkg-get -i postfix

== Disable Sendmail and enable Postfix ==

First disable sendmail:

/usr/sbin/svcadm disable svc:/network/smtp:sendmail

Then clear maintenance and enable postfix:

/usr/sbin/svcadm clear svc:/network/smtp/postfix:default
/usr/sbin/svcadm enable svc:/network/smtp/postfix:default
/usr/sbin/svcadm restart svc:/network/smtp/postfix:default

Test that postfix is now the MTA:

root@Mitsubishi-S10-T1SMTP - />telnet 0 25
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 Mitsubishi-S10-T1SMTP.localdomain ESMTP POSTFIX
quit
221 2.0.0 Bye
Connection to 0 closed by foreign host.

Notice the POSTFIX on the 220 reply line - this means postfix is installed and working

== Enabling Postfix to deliver and receive mail ==

exit the /etc/opt/csw/postfix/main.cf file and make sure the following lines are unhashed and configured (current values included are for demonstration purposes only) :

inet_interfaces = $myhostname '''(specify which interfaces to listen on)'''
mynetworks_style = host '''(specify which type of access is allowed)'''
mynetworks = 10.0.0.0/24, 127.0.0.0/8 '''(specify which networks are allowed to relay)'''
relay_domains = $mydestination '''(domains that this mail server accepts mail for)'''
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain '''(list of acceptable domain suffix on addresses)'''
myhostname = Mitsubishi-S10-T1SMTP '''(defined hostname, make sure it matches the system hostname)'''
mydomain = kaizania.co.za '''(specify the domain that will be this mail servers mail suffix)'''

== Test the server ==

You can test the server to see that it relays mail:

root@Mitsubishi-S10-T1SMTP - /etc/opt/csw/postfix>telnet Mitsubishi-S10-T1SMTP 25
Trying 10.0.0.107...
Connected to Mitsubishi-S10-T1SMTP.
Escape character is '^]'.
220 Mitsubishi-S10-T1SMTP ESMTP Postfix
helo test
250 Mitsubishi-S10-T1SMTP
mail from: lionel.bisschoff@kaizania.co.za
250 2.1.0 Ok
rcpt to: someone@somewhere.com
250 2.1.5 Ok
data
354 End data with .
Subject : Test
Test
.
250 2.0.0 Ok: queued as 2404EDDD1B

And we see the message in the delivery queue:

root@Mitsubishi-S10-T1SMTP - /opt/csw/bin>./mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2404EDDD1B* 378 Tue May 27 10:16:23
lionel.bisschoff@kaizania.co.za
someone@somewhere.com

There we go - working now !!!

== Adding Spamassassin anti-spam ==

First, installing spamassassin:

pkg-get install spamassassin

Then the easiest way to integrate postfix and spamassassin is to use spamd in an "after-queue" inspection. This configuration does not allow rejecting messages within the SMTP transaction, so it unfortunately contributes to backscatter email. On the other hand, it has important performance advantages over "before-queue" inspection.

First, edit /etc/postfix/master.cf, find the

# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
# ==========================================================================
...
smtp inet n - n - - smtpd
...

line and just add " -o content_filter=spamassassin" to the end of the line:

# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
# ==========================================================================
...
smtp inet n - n - - smtpd -o content_filter=spamassassin
...

## you can change the maxproc to 400 if you have a strong server (dual xeon 2.8 nd above) and the performance will be much better.

Then, go to the end of the file, and add this:


# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
# ==========================================================================
...
spamassassin
unix - n n - - pipe
user=nobody argv=/path/to/spamc -e /path/to/postfix/sendmail -oi -f ${sender} ${recipient}
# make sure it's all on one line or
# start the consecutive lines with a whitespace
# like I did here

Make sure that you have adjusted the path to the spamc and sendmail commands above! (Please note that the path required is Postfix's sendmail and not the standalone package, Sendmail the SMTP server. It will not work if you're not careful about which one is installed). Then, setup spamd to start with the system, and you are ready to go. If you wish to provide spamassassin preferences, change "user=nobody" to a valid system user (except for root, since Postfix will NOT call external programs as root), and add .spamassassin into that user's home directory.

If you use user preferences stored in SQL, you should change "spamassassin" service in master.cf to following:

# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
# ==========================================================================
...
spamassassin
unix - n n - - pipe
flags=Rq user=nobody argv=/path/to/spamc -u ${recipient} -e /path/to/postfix/sendmail -oi -f ${sender} ${recipient}

Notice "-u ${recipient}" added. Otherwise "username" field in database will always appear as user which postfix is invoking spamc(in this example it is 'nobody').

Only mail received by SMTP will be scanned with this method, i.e. mail injected with sendmail(1) will not be fed to SpamAssassin.

== Adding a Blacklist to Postfix ==

to add a Blacklist to block certain senders, do the following:

Create a blacklist file in the postfix /etc directory (i.e. /etc/opt/csw/postfix/blacklist) and add the addresses you wish to block within:

support@connect2casino.com REJECT

With this file created, make it a DB file with the following command:

/opt/csw/sbin/postmap hash:/etc/opt/csw/postfix/blacklist

Then at the end of the postfix /etc/opt/csw/postfix/main.cf file, add the sender check line:

smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/etc/opt/csw/postfix/blacklist

The added "reject_unknown_sender_domain" will also reject domains that do not exist (a DNS Lookup is performed). Restart the Postfix service to effect the changes:

svcadm disable /network/smtp/postfix; svcadm enable /network/smtp/postfix

And test that the sender address is now rejected:

Iridium-S10-SMTP(root)/var/log# telnet 10.1.2.24 25
Trying 10.1.2.24...
Connected to 10.1.2.24.
Escape character is '^]'.
220 iSMTP.actionpokernetwork.com ESMTP Postfix
helo dorks
250 iSMTP.network.com
mail from: support@connect.com
250 2.1.0 Ok
rcpt to: operations@network.com
554 5.7.1 : Sender address rejected: Access denied

No comments:

Post a Comment