用Linux建立电邮网关

By | 2018-11-26

转自: http://cha.homeip.net/blog/archives/2007/11/_mail_gateway.html

建立防毒、過濾垃圾郵件的 Mail Gateway

  • 在 FC6 安裝 Postfix (as gateway) + MailScanner + ClamAV + Spamassassin
  • 將 Sendmail 設定成 Mail Gateway

環境

  • Mail Gateway: Postfix + MailScanner + ClamAV + Spamassassin (based on Fedora Core 6)
  • Internal Mail Server: 任一種郵件伺服器, 假設內部 IP 為: 192.168.1.1
  • Primary MX: domain.com IN MX mail.domain.com. (MX 記錄指向 Mail Gateway)

安裝 Postfix, 並將 Postfix 設定成 Mail Gateway

yum install postfix

service sendmail stop

chkconfig sendmail off

vi /etc/postfix/main.cf

myhostname = mail.domain.com
mydomain = domain.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $mydomain, localhost.$mydomain, localhost
local_recipient_maps = (空白)
networks_style = host
relay_domains = domain.com
transport_maps = hash:/etc/postfix/transport
append_at_myorigin = no

vi /etc/postfix/transport

domain.com    smtp:[192.168.1.1]

postmap /etc/postfix/transport

service postfix start

修改 NAT 配置, 將 tcp 25 指向 postfix_host:25, 並從外部寄郵件到 [email protected], 觀察 postfix 是否能 forward 給真正的 mail server (192.168.1.1), 或 telnet 到 mail gateway 進行測試

安裝 ClamAV、MailScanner

下載 ClamAV

groupadd clamav

useradd -g clamav -s /sbin/nologin -M clamav

tar zxf clamav-0.91.2.tar.gz

cd clamav-0.91.2

./configure && make && make install

vi /usr/local/etc/clamd.conf

#Example

vi /usr/local/etc/freshclam.conf

#Example

vi /etc/ld.so.conf

#加入
/usr/local/lib

ldconfig

freshclam

下載 MailScanner

 安装前先安装以下lib库:  [针对ubuntu或者debian平台]
 apt-get install libconvert-tnef-perl libdbd-sqlite3-perl libfilesys-df-perl 
 apt-get install libmailtools-perl libmime-tools-perl libmime-perl 
 apt-get install libnet-cidr-perl libsys-syslog-perl libio-stringy-perl 
 apt-get install libfile-temp-perl

tar zxf MailScanner-4.65.3-1.rpm.tar.gz

cd MailScanner-4.65.3-1

./install.sh

vi /etc/MailScanner/MailScanner.conf

Run As User = postfix
Run As Group = www-data
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Quarantine User = postfix
Quarantine Group = www-data

Virus Scanning = yes
Virus Scanners = clamav
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

Sign Clean Message = no (不在信尾加註 “This message has been scanned…”)

mkdir /var/spool/MailScanner/spamassassin

chown postfix:postfix /var/spool/MailScanner/*

vi /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks

vi /etc/postfix/header_checks

/^Received:/ HOLD

service postfix stop

service MailScanner start

將 Sendmail 設定成 Mail Gateway

環境

  • Fedora Core 3, Sendmail 8.13.1-2
  • Primary MX: domain.com IN MX mail.domain.com.

yum install sendmail-cf

vi /etc/sysconfig/network

HOSTNAME=mail.domain.com

vi /etc/hosts

127.0.0.1    mail.domain.com mail localhost.localdomain localhost

vi /etc/mail/sendmail.mc

DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0,Name=MTA’)
FEATURE(`accept_unresolveble_domains’)
FEATURE(`mailertable’)

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

vi /etc/mail/access

#加入
domain.com    RELAY

makemap hash /etc/mail/access.db < /etc/mail/access

vi /etc/mail/mailertable

#加入
domain.com    smtp:[192.168.1.1]

makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable

service sendmail restart

確認 “domain.com” 不在清單中

sendmail -bt -C /etc/mail/sendmail.cf

Enter <ruleset> <address>
> $=w
mail
localhost.localdomain
localhost
mail.domain.com
[127.0.0.1]
>/quit

確認 mailertable 是否設定正確

sendmail -bv [email protected]

[email protected]… deliverable: mailer smtp, host [192.168.1.1], user [email protected]

測試 mal gateway 能否正常轉信給真正的 mail server

telnet mail.domain.com 25

ehlo localhost
mail from: [email protected]
rcpt to: [email protected]
data
subject: this is a test
.
quit

===  将 MailScanner 日志单独写入 MailScanner.log 文件

(1)在 /etc/MailScanner/MailScanner.conf 中,修改下面这个参数:

Syslog Facility = mail

改为

Syslog Facility = local0

(2)在 /etc/syslog.conf 中增加相应的一行:

local0.info                                        /var/log/MailScanner.log

(注明:中间空格处用 TAB 键)

(3)生成一下日志文件:

# touch /var/log/MailScanner.log

(4)重启一下 MailScanner 服务和 syslogd 系统日志服务:

# /etc/rc.d/init.d/MailScanner restart
# /etc/rc.d/init.d/syslogd restart

(5)验证一下,成功了:

# tail -f /var/log/MailScanner.log

——- 用MailWatch 来管理 MailScanner ——

去官網下載MailWatch

http://sourceforge.net/project/showfiles.php?group_id=87163

目前最新版本是1.04

解壓縮下載來的檔案

tar  -zxvf  mailwatch-1.0.4.tar.gz

cd mailwatch

執行以下指令

mysql -p < create.sql

這會產生一個名為mailscanner的資料庫並建立資料表等等

修改MailWatch.pm以下項目為你的資訊

my($db_name) = ‘mailscanner’;  #資料庫名稱
my($db_host) = ‘localhost’;  #資料庫位置
my($db_user) = ‘root’;  #使用者名稱
my($db_pass) = ‘123456′;  #使用者密碼

接下來複製到/usr/share/MailScanner/MailScanner/CustomFunctions/底下

新增網頁使用者  指令如下

mysql mailscanner -u root -p
Enter password: ******

mysql> INSERT INTO users VALUES (’<username>‘,md5(’<password>‘),’<name>‘,’A’,’0′,’0′,’0′,’0′,’0′);

修改紅色部份 [这里的红色部分是指登录MailWatch时的用户名及密码]

 

Step 2 : WEB介面設定

將檔案移置網頁跟目錄

mv mailscanner /var/www/

修改部分權限讓apache可以存取

cd  /var/www/mailscanner

chown www-data:www-data images

chmod ug+rwx images

chown www-data:www-data images/cache

chmod ug+rwx images/cache

接著將conf.php.example複製成conf.php

cp  conf.php.example  conf.php

將以下資訊一樣設定好

define(DB_TYPE, ‘mysql’);
define(DB_USER, ‘root’);
define(DB_PASS, ‘123456′);
define(DB_HOST, ‘localhost’);
define(DB_NAME, ‘mailscanner’);

 

Step 3 : MailScanner設定

編輯/etc/MailScanner/MailScanner.conf 如下

  • Quarantine User = postfix
  • Quarantine Group = www-data
  • Quarantine Permissions = 0660
  • Quarantine Whole Message = yes
  • Quarantine Whole Message As Queue Files = no
  • Detailed Spam Report = yes
  • Include Scores In SpamAssassin Report = yes
  • Always Looked Up Last = &MailWatchLogging

 

Step 3 : 黑白名單設定

修改SQLBlackWhiteList.pm 中的資料庫資料並一樣複製到/usr/share/MailScanner/MailScanner/CustomFunctions/底下

修改/etc/MailScanner/MailScanner.conf 如下

  • Is Definitely Not Spam = &SQLWhitelist
  • Is Definitely Spam = &SQLBlacklist

基本上這樣就已經完成設定了,當然其中更詳細的設定可以參考官方的說明

http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:install

MailWatch的說明真的寫的很詳細

另外我有碰到Quarantine無法讀取或找不到,基本上都是權限設定有錯

可以執行tools底下的fix_quarantine_permissions

==========  MailWatch BUG 修正 =============

1) mailwatch安装以后,如果学习邮件,会提示message id找不到

其实这是程序设计的不完善的地方,postfix的队列ID是用.分割的。修改一下mailwatch的代码就可以了

Change the following in /var/www/mailscanner/do_message_ops.php
file:
把         $id = $Regs[1];

  修改为:  $id = str_replace(“_”, “.”,$Regs[1]);

2) 如果提示没有找到message在quarantine

需要修改 /etc/MailScaner/MailScanner.conf
Spam Actions = store deliver header “X-Spam-Status: Yes”
High Scoring Spam Actions = store
Non Spam Actions = store deliver header “X-Spam-Status: No”

3) 如果学习的时候提示
SA Learn: error code 13 returned from sa-learn: bayes: expire_old_tokens: locker: safe_lock: cannot create lockfile /root/.spamassassin/bayes.mutex: Permission denied bayes: locker: safe_lock: cannot create lockfile /root/.spamassassin/bayes.mutex: Permission denied Learned tokens from 0 message(s) (1 message(s) examined)

需要配置bayes的路径

Move the Bayesian Databases and set-up permissions (skip this if you don’t use bayes)Edit /etc/MailScanner/spam.assassin.prefs.conf and set:

bayes_path /etc/MailScanner/bayes/bayes

  • bayes_file_mode 0660

Create the ‘new’ bayes directory, make the directory owned by the same group as the web server user and make the directory setgid:
# mkdir /etc/MailScanner/bayes
# chown root:apache /etc/MailScanner/bayes
# chmod g+rws /etc/MailScanner/bayes
Copy the existing bayes databases and set the permissions:

# cp /root/.spamassassin/bayes_* /etc/MailScanner/bayes
# chown root:apache /etc/MailScanner/bayes/bayes_*
# chmod g+rw /etc/MailScanner/bayes/bayes_*
Test SpamAssassin to make sure that it is using the new databases correctly:

# spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf –lint

 

====== 以下是调用网上过滤列表的设置 =======

只需要把以下内容贴到/etc/postfix/main.cf 里即可,postfix将会对寄入的IP地址进行黑名单过滤

smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_unknown_recipient_domain,
            reject_unauth_pipelining,
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
            reject_rbl_client multi.uribl.com,
            reject_rbl_client dsn.rfc-ignorant.org,
            reject_rbl_client dul.dnsbl.sorbs.net,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl-xbl.spamhaus.org,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client dnsbl.sorbs.net,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client ix.dnsbl.manitu.net,
            reject_rbl_client combined.rbl.msrbl.net,
            reject_rbl_client rabl.nuclearelephant.com,
            permit

發佈回覆