====== Mail Server ======

A mail server is definitely one of the more complex installations. First we will carefully walk through, packet by packet, how an e-mail is sent and received.

===== The path of a mail =====

We want to send an e-mail to foo@example.com. We compose the message and hand it over for sending. That step alone can mean a fairly involved encrypted submission with authentication and so on, but in our case let us say we simply "hand" the message to the local mailman (the MTA), which then takes care of sending it:

  * DNS query for the MX record in the zone example.com; the answer is, say, bar.example.com. There may be several MX hosts; let us say bar.example.com has the highest priority (in MX terms the lowest preference value, which is tried first). If a domain has no MX record at all, the MTA falls back to the domain's own A/AAAA record (RFC 5321 section 5.1)
  * DNS query for the IPv4 address (A record) of bar.example.com
  * DNS query for the IPv6 address (AAAA record) of bar.example.com
  * TCP connection to port 25 of the address obtained for bar.example.com
  * then the SMTP protocol runs, for example like this (a sample session; the server in the sample is mail.port25.com rather than bar.example.com, and the addresses in the MAIL FROM, RCPT TO, From: and To: lines did not survive on this page):

<code>
EHLO server.example.com
250-mail.port25.com says hello
250-STARTTLS
250-SIZE 54525952
250 DSN
MAIL FROM:
250 2.1.0 MAIL ok
RCPT TO:
250 2.1.5 ok
DATA
354 send message
From: "John Smith"
To: "Jane Doe"
Subject: test message sent from manual telnet session
Date: Wed, 11 May 2011 16:19:57 -0400

Hello World,
This is a test message sent from a manual telnet session.

Yours truly,
SMTP administrator
.
250 2.6.0 message received
QUIT
221 2.0.0 mail.port25.com says goodbye
</code>

  * the message is accepted at the moment bar.example.com answers the terminating "." with **250** 2.6.0; from then on the receiving server is responsible for it. The **221** at the very end is only the reply to QUIT and closes the connection; it says nothing about the message. Note also that although the server advertised STARTTLS, this session never used it, so the whole message crossed the network in the clear
  * now delivery continues inside the receiving system: most likely the antispam and antivirus checks run first, and only then is the checked message handed to the delivery agent (MDA) that writes it into the mailbox. At that point it finally leaves the MTA queue; the MTA only watches the return code from the MDA. Example:

<code>
June 11 16:00:18 xen-mail postfix/pipe[26779]: 4D6FCEBCD: to=, relay=dovecot, delay=0.06, delays=0.01/0/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
</code>

On extremely simple mail servers the delivery can be done directly by the MTA, in our case Postfix.
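To make the reply-code logic concrete, here is an added example (my code, not part of the original page or of Postfix): a small parser that walks an SMTP dialogue like the one above and answers three questions: which extensions the server advertised in its EHLO reply, which reply actually accepted the message (the 2xx answer to the final ".", never the 221 that answers QUIT), and whether AUTH is offered on a cleartext channel, in which case an AUTH PLAIN credential crosses the wire only base64-encoded. Both transcripts are constructed: the first mirrors the session above with placeholder addresses (sender@example.com, foo@example.com), the second mirrors the Postfix SASL session that appears later on this page.

```python
"""Added example (not from the original page): analyse an SMTP dialogue."""
import base64
import re

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_session(transcript):
    """Turn a transcript into turns ("S", code, lines) and ("C", text, None).
    A server reply spans several lines while the code is followed by '-'
    (RFC 5321 section 4.2.1). After a 354 everything the client sends up to
    the lone '.' is message content, not a command."""
    turns, pending, in_body = [], None, False
    for line in transcript.splitlines():
        m = None if in_body else REPLY_RE.match(line)
        if m:
            code, sep, text = m.groups()
            pending = pending or (code, [])
            pending[1].append(text)
            if sep == " ":                      # last line of this reply
                turns.append(("S", pending[0], pending[1]))
                in_body = pending[0] == "354"
                pending = None
        elif in_body:
            turns.append(("C", line, None))     # message content, kept verbatim
            in_body = line != "."
        elif line.strip():
            turns.append(("C", line.strip(), None))
    return turns


def ehlo_extensions(turns):
    """Keywords from the reply to the first EHLO. The first EHLO always happens
    before STARTTLS, so this is exactly what an observer on the wire sees."""
    for i, (who, text, _) in enumerate(turns[:-1]):
        if who == "C" and text.upper().startswith("EHLO"):
            who2, code, lines = turns[i + 1]
            if who2 == "S" and code == "250":
                # first line is the greeting; "AUTH=PLAIN" is the legacy spelling
                return {l.split()[0].split("=")[0].upper() for l in lines[1:] if l.strip()}
    return set()


def acceptance_reply(turns):
    """The answer to the end-of-data '.' decides whether the message was
    accepted: returns (code, text, accepted) or None if DATA never completed."""
    for i, (who, text, _) in enumerate(turns[:-1]):
        if who == "C" and text == "." and turns[i + 1][0] == "S":
            code, lines = turns[i + 1][1], turns[i + 1][2]
            return code, " ".join(lines), code.startswith("2")
    return None


def cleartext_auth_offered(turns):
    """True if the server announces AUTH before any TLS could have been set up."""
    return "AUTH" in ehlo_extensions(turns)


def decode_sasl_plain(token):
    """AUTH PLAIN carries authzid NUL authcid NUL password, merely base64-encoded
    (RFC 4616); whoever sees the token on the wire has the password."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN token")
    return tuple(p.decode("utf-8") for p in parts)


# Constructed transcript mirroring the telnet session above (placeholder addresses).
SESSION_PORT25 = """\
EHLO server.example.com
250-mail.port25.com says hello
250-STARTTLS
250-SIZE 54525952
250 DSN
MAIL FROM:<sender@example.com>
250 2.1.0 MAIL ok
RCPT TO:<foo@example.com>
250 2.1.5 ok
DATA
354 send message
From: "John Smith" <sender@example.com>
To: "Jane Doe" <foo@example.com>
Subject: test message sent from manual telnet session

Hello World,
.
250 2.6.0 message received
QUIT
221 2.0.0 mail.port25.com says goodbye
"""

# Constructed transcript mirroring the Postfix SASL session further down this page.
SESSION_SASL_PLAIN = """\
220 Secure xen-skoleni-10 ESMTP Postfix NO UCE, NO UBE
ehlo ahoj
250-xen-skoleni-10
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN
250-AUTH=PLAIN
250 DSN
auth plain AHNpc2thQHNtcmsuY3oAc2lza2E=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
"""
```

Run `acceptance_reply(parse_session(SESSION_PORT25))` and you get the 250 2.6.0 reply; `cleartext_auth_offered(parse_session(SESSION_SASL_PLAIN))` is true, and `decode_sasl_plain` on the token from that session gives back the user name and password in plain text, which is the reason to offer AUTH only after STARTTLS.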
===== So let's build such a simple mail server =====

<code>
apt-get install postfix
</code>

The main configuration files are ''master.cf'' and ''main.cf''. Master.cf defines the running daemons that talk to each other, their parameters, port numbers, chroot and so on. Main.cf defines a small set of parameters for the whole Postfix system. There are roughly 1000 configuration parameters and main.cf usually holds a few dozen of them:

<code>
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
myhostname = xen-skoleni-10
mydestination = jahoda.cz, localhost, localhost.localdomain, localhost
#relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.4.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
</code>

Keep in mind that every client in ''mynetworks'' may relay mail through this server without authenticating, so list only the networks that really need it (here the lab network 10.0.4.0/24).

Have a look at the log ''/var/log/mail.log''. Receiving a message:

<code>
Apr 21 23:30:36 xen-skoleni-10 postfix/pickup[3824]: 21E0D1C55: uid=0 from=
Apr 21 23:30:36 xen-skoleni-10 postfix/cleanup[7715]: 21E0D1C55: message-id=<20140421233036.21E0D1C55@xen-skoleni-10>
</code>

Delivering the message:

<code>
Apr 21 23:30:36 xen-skoleni-10 postfix/qmgr[3823]: 21E0D1C55: from=, size=343, nrcpt=1 (queue active)
Apr 21 23:30:36 xen-skoleni-10 postfix/local[7717]: 21E0D1C55: to=, relay=local, delay=1, delays=0.95/0.01/0/0.06, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 21 23:30:36 xen-skoleni-10 postfix/qmgr[3823]: 21E0D1C55: removed
</code>

Your first e-mail will be in ''less /var/mail/skoleni''. Now try adding another domain, boruvka.cz, and send yourself an e-mail.

===== A thought about DNS =====

<code>
dast@boss:~$ host -t mx seznam.cz
seznam.cz mail is handled by 60 mx60.seznam.cz.
seznam.cz mail is handled by 50 mx50.seznam.cz.
dast@boss:~$
</code>

Reputedly, a DNS server answering an MX query automatically sends the A or AAAA records of the mail hosts along in the same packet ("additional section processing", RFC 1035 section 3.3.9; RFC 2181 section 10.3 [https://tools.ietf.org/html/rfc2181#section-10.3] in turn requires the MX target to be a real host name that has address records). That would save the perfectly predictable follow-up query for the mail server's IP address.
<code>
root@boss:~# tcpdump udp port 53 -n -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:37:51.174321 IP 10.0.0.201.35318 > 10.0.0.101.53: 15769+ MX? seznam.cz. (27)
0x0000: 4500 0037 ea99 0000 4011 7aef 0a00 00c9 E..7....@.z.....
0x0010: 0a00 0065 89f6 0035 0023 66e9 3d99 0100 ...e...5.#f.=...
0x0020: 0001 0000 0000 0000 0673 657a 6e61 6d02 .........seznam.
0x0030: 637a 0000 0f00 01 cz.....
20:37:51.240990 IP 10.0.0.101.53 > 10.0.0.201.35318: 15769 2/2/0 MX mx60.seznam.cz. 60, MX mx50.seznam.cz. 50 (103)
0x0000: 4500 0083 33e5 0000 4011 3158 0a00 0065 E...3...@.1X...e
0x0010: 0a00 00c9 0035 89f6 006f 5d50 3d99 8180 .....5...o]P=...
0x0020: 0001 0002 0002 0000 0673 657a 6e61 6d02 .........seznam.
0x0030: 637a 0000 0f00 01c0 0c00 0f00 0100 0001 cz..............
0x0040: 2c00 0900 3c04 6d78 3630 c00c c00c 000f ,...<.mx60......
0x0050: 0001 0000 012c 0009 0032 046d 7835 30c0 .....,...2.mx50.
0x0060: 0cc0 0c00 0200 0100 0046 5000 0502 6e73 .........FP...ns
0x0070: c00c c00c 0002 0001 0000 4650 0005 026d ..........FP...m
0x0080: 73c0 0c s..
</code>

If you went to the same trouble analysing the packets above as I did, you surely noticed that the legend lied. Nothing is attached :( (the reply says 2/2/0: two answers, two authority records, zero additional records). I got even more curious and did the analysis on a real mail server.

<code>
root@---tajne---:~# mail -s Test ahoj@zde.cz
aa
.
Cc:
root@---tajne---:~#
</code>

<code>
20:56:58.869612 IP 78.xxx.103.xxx.37135 > 46.16.74.70.53: 56099+ MX? zde.cz. (24)
0x0000: 4500 0034 dd03 4000 4011 2f17 4e89 67bf E..4..@.@./.N.g.
0x0010: 2e10 4a46 910f 0035 0020 7f53 db23 0100 ..JF...5...S.#..
0x0020: 0001 0000 0000 0000 037a 6465 0263 7a00 .........zde.cz.
0x0030: 000f 0001 ....
20:56:58.890910 IP 46.16.74.70.53 > 78.xxx.103.xxx.37135: 56099 1/2/3 MX grey.xnet.cz. 10 (163)
0x0000: 4500 00bf 8c5a 0000 4011 bf35 2e10 4a46 E....Z..@..5..JF
0x0010: 4e89 67bf 0035 910f 00ab 59e7 db23 8180 N.g..5....Y..#..
0x0020: 0001 0001 0002 0003 037a 6465 0263 7a00 .........zde.cz.
0x0030: 000f 0001 c00c 000f 0001 0000 0258 000e .............X..
0x0040: 000a 0467 7265 7904 786e 6574 c010 c00c ...grey.xnet....
0x0050: 0002 0001 0000 4650 0010 026e 7307 6b72 ......FP...ns.kr
0x0060: 6178 6e65 7403 636f 6d00 c00c 0002 0001 axnet.com.......
0x0070: 0000 4650 000d 026e 7307 6b72 6178 6e65 ..FP...ns.kraxne
0x0080: 74c0 10c0 5a00 0100 0100 0046 5000 04b2 t...Z......FP...
0x0090: d9f7 02c0 5a00 1c00 0100 0046 5000 102a ....Z......FP..*
0x00a0: 0213 6000 0000 0000 0000 0000 0000 56c0 ..`...........V.
0x00b0: 3e00 0100 0100 02a3 0000 0452 7137 45 >..........Rq7E
20:56:58.891228 IP 78.xxx.103.xxx.54698 > 46.16.74.70.53: 54610+ A? grey.xnet.cz. (30)
0x0000: 4500 003a dd05 4000 4011 2f0f 4e89 67bf E..:..@.@./.N.g.
0x0010: 2e10 4a46 d5aa 0035 0026 dab6 d552 0100 ..JF...5.&...R..
0x0020: 0001 0000 0000 0000 0467 7265 7904 786e .........grey.xn
0x0030: 6574 0263 7a00 0001 0001 et.cz.....
20:56:58.924386 IP 46.16.74.70.53 > 78.xxx.103.xxx.54698: 54610 1/2/3 A 82.113.55.82 (159)
0x0000: 4500 00bb 8c5b 0000 4011 bf38 2e10 4a46 E....[..@..8..JF
0x0010: 4e89 67bf 0035 d5aa 00a7 6866 d552 8180 N.g..5....hf.R..
0x0020: 0001 0001 0002 0003 0467 7265 7904 786e .........grey.xn
0x0030: 6574 0263 7a00 0001 0001 c00c 0001 0001 et.cz...........
0x0040: 0000 0258 0004 5271 3752 c011 0002 0001 ...X..Rq7R......
0x0050: 0000 0258 000d 026e 7307 6b72 6178 6e65 ...X...ns.kraxne
0x0060: 74c0 16c0 1100 0200 0100 0002 5800 1002 t...........X...
0x0070: 6e73 076b 7261 786e 6574 0363 6f6d 00c0 ns.kraxnet.com..
0x0080: 3a00 0100 0100 0046 5000 04b2 d9f7 02c0 :......FP.......
0x0090: 3a00 1c00 0100 0046 5000 102a 0213 6000 :......FP..*..`.
0x00a0: 0000 0000 0000 0000 0000 56c0 5300 0100 ..........V.S...
0x00b0: 0100 02a3 0000 0452 7137 45 .......Rq7E
20:56:58.924784 IP 78.xxx.103.xxx.38144 > 46.16.74.70.53: 12584+ AAAA? grey.xnet.cz. (30)
0x0000: 4500 003a dd08 4000 4011 2f0c 4e89 67bf E..:..@.@./.N.g.
0x0010: 2e10 4a46 9500 0035 0026 bf70 3128 0100 ..JF...5.&.p1(..
0x0020: 0001 0000 0000 0000 0467 7265 7904 786e .........grey.xn
0x0030: 6574 0263 7a00 001c 0001 et.cz.....
20:56:58.937720 IP 46.16.74.70.53 > 78.xx.103.xxx.38144: 12584 0/1/0 (83)
0x0000: 4500 006f 8c5c 0000 4011 bf83 2e10 4a46 E..o.\..@.....JF
0x0010: 4e89 67bf 0035 9500 005b f15f 3128 8180 N.g..5...[._1(..
0x0020: 0001 0000 0001 0000 0467 7265 7904 786e .........grey.xn
0x0030: 6574 0263 7a00 001c 0001 c011 0006 0001 et.cz...........
0x0040: 0000 012c 0029 026e 7307 6b72 6178 6e65 ...,.).ns.kraxne
0x0050: 74c0 1605 6164 6d69 6ec0 2d78 0bd5 3900 t...admin.-x..9.
0x0060: 000e 1000 0002 5800 36ee 8000 0151 80 ......X.6....Q.
^C
30 packets captured
30 packets received by filter
0 packets dropped by kernel
</code>

The records cannot be attached at all. The server could only attach them if the host name in the MX record were inside its own zone. If it lies elsewhere, as with ''zde.cz'' (whose MX points to grey.xnet.cz), the server has no business putting foreign data into the packet. A resolver that accepted such out-of-bailiwick "extra" records would let anyone who answers one of its queries plant addresses for arbitrary names in its cache, which is exactly how DNS cache poisoning works: a very widely used attack, and DNSSEC came into being practically because of it. With that, I invite you to the DNS training.

Note: the server does not do recursive DNS itself; it uses an upstream resolver (46.16.74.70), which handles the query on its behalf. If all the packets were traced (the query to ".", then to ".cz" and so on), the trace would be truly enormous.

====== Losing faith? ======

Don't.

<code>
root@---tajne---:~# host -t mx panelnet.cz
panelnet.cz mail is handled by 20 fw.panelnet.cz.
</code>

and the DNS answer:

<code>
root@---tajne----:~# tcpdump port 53 -n -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:24:34.434111 IP 78.xxx.103.xxx.50593 > 46.16.74.70.53: 36977+ MX? panelnet.cz. (29)
0x0000: 4500 0039 cb37 0000 4011 80de 4e89 67bf E..9.7..@...N.g.
0x0010: 2e10 4a46 c5a1 0035 0025 548f 9071 0100 ..JF...5.%T..q..
0x0020: 0001 0000 0000 0000 0870 616e 656c 6e65 .........panelne
0x0030: 7402 637a 0000 0f00 01 t.cz.....
21:24:34.435590 IP 46.16.74.70.53 > 78.xxx.103.xxx.50593: 36977 1/2/2 MX fw.panelnet.cz. 20 (112)
0x0000: 4500 008c 8cbb 0000 4011 bf07 2e10 4a46 E.......@.....JF
0x0010: 4e89 67bf 0035 c5a1 0078 8521 9071 8180 N.g..5...x.!.q..
0x0020: 0001 0001 0002 0002 0870 616e 656c 6e65 .........panelne
0x0030: 7402 637a 0000 0f00 01c0 0c00 0f00 0100 t.cz............
0x0040: 0932 b300 0700 1402 6677 c00c c00c 0002 .2......fw......
0x0050: 0001 0000 3e83 0002 c02b c00c 0002 0001 ....>....+......
0x0060: 0000 3e83 0006 036e 7373 c00c c02b 0001 ..>....nss...+..
0x0070: 0001 0008 2f76 0004 d414 6648 c04a 0001 ..../v....fH.J..
0x0080: 0001 0000 3e83 0004 5102 c59d ....>...Q...
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
</code>

**d414 6648** in the 0x0070 row: everybody can see that this is 212.20.102.72, the IP of fw.panelnet.cz, so this time the IP address was attached (1/2/2: the two additional records are the addresses of the name servers, and fw.panelnet.cz is one of them).

====== But I did lose faith ======

Let us try once more, sending a message to the domain ''@starlab.cz'' while watching the packets.

<code>
root@---tajne---:~# mail -s Test ahoj@starlab.cz
cccccccccc
.
Cc:
root@---tajne---:~#
root@---tajne---:~# tcpdump port 53 -n -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:43:09.764588 IP 78.137.103.191.52648 > 46.16.74.70.53: 8524+ MX? starlab.cz. (28)
0x0000: 4500 0038 1764 4000 4011 f4b2 4e89 67bf E..8.d@.@...N.g.
0x0010: 2e10 4a46 cda8 0035 0024 14c6 214c 0100 ..JF...5.$..!L..
0x0020: 0001 0000 0000 0000 0773 7461 726c 6162 .........starlab
0x0030: 0263 7a00 000f 0001 .cz.....
21:43:09.781718 IP 46.16.74.70.53 > 78.137.103.191.52648: 8524 1/2/3 MX fw.starlab.cz. 20 (139)
0x0000: 4500 00a7 8d0d 0000 4011 be9a 2e10 4a46 E.......@.....JF
0x0010: 4e89 67bf 0035 cda8 0093 60db 214c 8180 N.g..5....`.!L..
0x0020: 0001 0001 0002 0003 0773 7461 726c 6162 .........starlab
0x0030: 0263 7a00 000f 0001 c00c 000f 0001 0000 .cz.............
0x0040: 7080 0007 0014 0266 77c0 0cc0 0c00 0200 p......fw.......
0x0050: 0100 0046 3e00 0603 6e73 73c0 0cc0 0c00 ...F>...nss.....
0x0060: 0200 0100 0046 3e00 02c0 2ac0 2a00 0100 .....F>...*.*...
0x0070: 0100 0070 6e00 04d4 1466 48c0 2a00 1c00 ...pn....fH.*...
0x0080: 0100 0070 6e00 1020 014d e809 9c00 0402 ...pn....M......
0x0090: 163e fffe 0b34 31c0 3b00 0100 0100 0046 .>...41.;......F
0x00a0: 3e00 0451 02c5 9d >..Q...
21:43:09.782074 IP 78.137.103.191.45024 > 46.16.74.70.53: 50314+ A? fw.starlab.cz. (31)
0x0000: 4500 003b 1766 4000 4011 f4ad 4e89 67bf E..;.f@.@...N.g.
0x0010: 2e10 4a46 afe0 0035 0027 d92d c48a 0100 ..JF...5.'.-....
0x0020: 0001 0000 0000 0000 0266 7707 7374 6172 .........fw.star
0x0030: 6c61 6202 637a 0000 0100 01 lab.cz.....
21:43:09.783020 IP 46.16.74.70.53 > 78.137.103.191.45024: 50314 1/2/2 A 212.20.102.72 (123)
0x0000: 4500 0097 8d0e 0000 4011 bea9 2e10 4a46 E.......@.....JF
0x0010: 4e89 67bf 0035 afe0 0083 2d49 c48a 8180 N.g..5....-I....
0x0020: 0001 0001 0002 0002 0266 7707 7374 6172 .........fw.star
0x0030: 6c61 6202 637a 0000 0100 01c0 0c00 0100 lab.cz..........
0x0040: 0100 0070 6e00 04d4 1466 48c0 0f00 0200 ...pn....fH.....
0x0050: 0100 0046 3e00 0603 6e73 73c0 0fc0 0f00 ...F>...nss.....
0x0060: 0200 0100 0046 3e00 02c0 0cc0 0c00 1c00 .....F>.........
0x0070: 0100 0070 6e00 1020 014d e809 9c00 0402 ...pn....M......
0x0080: 163e fffe 0b34 31c0 3b00 0100 0100 0046 .>...41.;......F
0x0090: 3e00 0451 02c5 9d >..Q...
21:43:09.783266 IP 78.137.103.191.42543 > 46.16.74.70.53: 22576+ AAAA? fw.starlab.cz. (31)
0x0000: 4500 003b 1766 4000 4011 f4ad 4e89 67bf E..;.f@.@...N.g.
0x0010: 2e10 4a46 a62f 0035 0027 3439 5830 0100 ..JF./.5.'49X0..
0x0020: 0001 0000 0000 0000 0266 7707 7374 6172 .........fw.star
0x0030: 6c61 6202 637a 0000 1c00 01 lab.cz.....
21:43:09.783773 IP 46.16.74.70.53 > 78.137.103.191.42543: 22576 1/2/2 AAAA 2001:4de8:99c:4:216:3eff:fe0b:3431 (123)
0x0000: 4500 0097 8d0f 0000 4011 bea8 2e10 4a46 E.......@.....JF
0x0010: 4e89 67bf 0035 a62f 0083 6e54 5830 8180 N.g..5./..nTX0..
0x0020: 0001 0001 0002 0002 0266 7707 7374 6172 .........fw.star
0x0030: 6c61 6202 637a 0000 1c00 01c0 0c00 1c00 lab.cz..........
0x0040: 0100 0070 6e00 1020 014d e809 9c00 0402 ...pn....M......
0x0050: 163e fffe 0b34 31c0 0f00 0200 0100 0046 .>...41........F
0x0060: 3e00 02c0 0cc0 0f00 0200 0100 0046 3e00 >............F>.
0x0070: 0603 6e73 73c0 0fc0 0c00 0100 0100 0070 ..nss..........p
0x0080: 6e00 04d4 1466 48c0 5500 0100 0100 0046 n....fH.U......F
0x0090: 3e00 0451 02c5 9d >..Q...
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
root@---tajne---:~#
</code>

First the MX answer arrives and attached to it (1/2/3) are the two NS servers with their IP addresses; one of those NS servers is fw.starlab.cz itself, so the reply already contains its A record 212.20.102.72 (d414 6648) and its AAAA record 2001:4de8:99c:4:216:3eff:fe0b:3431. Even so, the server then asks the very same resolver "A? fw.starlab.cz" and then, for IPv6, "AAAA? fw.starlab.cz". That is the resolver library's doing, not the DNS server's: a stub resolver issues a separate query per record type and does not pick records out of the additional section of an unrelated answer, so the additional section mainly saves work for caching recursive resolvers. The mail server pays the extra round trips no matter what the authoritative server attaches.
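Reading the hex by eye is tedious, so here is an added example (my code, not from the original page) that decodes two of the MX replies captured above, for zde.cz and for starlab.cz, and shows what their additional sections did and did not carry. The two payload constants are the UDP payloads transcribed from the tcpdump output above (the 28 bytes of IP and UDP headers dropped); the parser handles RFC 1035 name compression, refuses pointer loops, and the `mx_glue` helper applies the bailiwick rule the text describes, i.e. it only trusts additional records whose names lie under the zone that was asked about.

```python
"""Added example (not from the original page): decode the MX replies above."""
import ipaddress
import struct

# Reply "56099 1/2/3 MX grey.xnet.cz. 10 (163)": the MX host lies in another zone.
ZDE_CZ_MX_REPLY = bytes.fromhex(
    "db23 8180"
    "0001 0001 0002 0003 037a 6465 0263 7a00"
    "000f 0001 c00c 000f 0001 0000 0258 000e"
    "000a 0467 7265 7904 786e 6574 c010 c00c"
    "0002 0001 0000 4650 0010 026e 7307 6b72"
    "6178 6e65 7403 636f 6d00 c00c 0002 0001"
    "0000 4650 000d 026e 7307 6b72 6178 6e65"
    "74c0 10c0 5a00 0100 0100 0046 5000 04b2"
    "d9f7 02c0 5a00 1c00 0100 0046 5000 102a"
    "0213 6000 0000 0000 0000 0000 0000 56c0"
    "3e00 0100 0100 02a3 0000 0452 7137 45"
)
# Reply "8524 1/2/3 MX fw.starlab.cz. 20 (139)": the MX host lies inside the zone.
STARLAB_CZ_MX_REPLY = bytes.fromhex(
    "214c 8180"
    "0001 0001 0002 0003 0773 7461 726c 6162"
    "0263 7a00 000f 0001 c00c 000f 0001 0000"
    "7080 0007 0014 0266 77c0 0cc0 0c00 0200"
    "0100 0046 3e00 0603 6e73 73c0 0cc0 0c00"
    "0200 0100 0046 3e00 02c0 2ac0 2a00 0100"
    "0100 0070 6e00 04d4 1466 48c0 2a00 1c00"
    "0100 0070 6e00 1020 014d e809 9c00 0402"
    "163e fffe 0b34 31c0 3b00 0100 0100 0046"
    "3e00 0451 02c5 9d"
)
TYPES = {1: "A", 2: "NS", 15: "MX", 28: "AAAA"}


def read_name(msg, off, hops=0):
    """Decode a possibly compressed name (RFC 1035 section 4.1.4).
    Returns (name, offset just past the name as it occurs at `off`)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if hops > 63:                          # a looping pointer chain is hostile input
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                      # the name occupies two bytes here
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_rdata(msg, rtype, off, rdlen):
    if rtype == 1:
        return str(ipaddress.IPv4Address(msg[off:off + 4]))
    if rtype == 28:
        return str(ipaddress.IPv6Address(msg[off:off + 16]))
    if rtype == 2:
        return read_name(msg, off)[0]
    if rtype == 15:                                # (preference, exchange)
        return struct.unpack_from("!H", msg, off)[0], read_name(msg, off + 2)[0]
    return msg[off:off + rdlen].hex()


def parse_dns(msg):
    """Parse a DNS message into its question and the answer/authority/additional
    sections, each a list of (name, type, ttl, rdata)."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, question = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack_from("!H", msg, off)[0]
        off += 4                                   # qtype + qclass
        question.append((name, TYPES.get(qtype, qtype)))
    out = {"id": ident, "flags": flags, "question": question}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            records.append((name, TYPES.get(rtype, rtype), ttl, parse_rdata(msg, rtype, off, rdlen)))
            off += rdlen
        out[section] = records
    if off != len(msg):
        raise ValueError("trailing bytes in DNS message")
    return out


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def mx_glue(msg):
    """Addresses of the MX hosts that arrived in the additional section, i.e.
    what a resolver could use without a further A/AAAA query. Records outside
    the queried zone are ignored, as a cache-poisoning-aware resolver must."""
    reply = parse_dns(msg)
    zone = reply["question"][0][0]
    mx_hosts = {rdata[1] for _n, t, _ttl, rdata in reply["answer"] if t == "MX"}
    glue = {}
    for name, rtype, _ttl, rdata in reply["additional"]:
        if name in mx_hosts and rtype in ("A", "AAAA") and in_bailiwick(name, zone):
            glue.setdefault(name, []).append(rdata)
    return glue
```

`mx_glue(ZDE_CZ_MX_REPLY)` is empty: the three additional records are addresses of the ns.kraxnet.cz and ns.kraxnet.com name servers, nothing for grey.xnet.cz, so the separate A and AAAA queries seen in the capture are unavoidable. `mx_glue(STARLAB_CZ_MX_REPLY)` returns both addresses of fw.starlab.cz, yet the capture shows the MTA querying for them again anyway.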
===== Connecting to SQL =====

The three lookup-table definitions (run as root; the files go to ''/etc/postfix/''):

<code>
cat > /etc/postfix/mysql_virtual_domains_maps.cf <<'EOF'
user = postfixadmin
password = skoleni
hosts = 127.0.0.1
dbname = postfixadmin
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
EOF

cat > /etc/postfix/mysql_virtual_alias_maps.cf <<'EOF'
user = postfixadmin
password = skoleni
hosts = 127.0.0.1
dbname = postfixadmin
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
EOF

cat > /etc/postfix/mysql_virtual_mailbox_maps.cf <<'EOF'
user = postfixadmin
password = skoleni
hosts = 127.0.0.1
dbname = postfixadmin
table = mailbox
select_field = maildir
where_field = username
additional_conditions = and active = '1'
EOF
</code>

These files contain the database password, so do not leave them world-readable: ''chgrp postfix /etc/postfix/mysql_*.cf; chmod 640 /etc/postfix/mysql_*.cf'' lets only root and the Postfix daemons (group postfix) read them.

Additions to ''main.cf'' (the file names must match the ones created above):

<code>
virtual_mailbox_base = /srv/mail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_uid_maps = static:1008
virtual_gid_maps = static:1008
</code>

====== Postfix Admin ======

<code>
apt-get install postfixadmin
</code>

Then open [http://10.0.4.161/postfixadmin/setup.php]. Tick "apache2" so that the link ''/etc/apache2/conf.d/postfixadmin'' gets created; otherwise the change can be made later with

<code>
dpkg-reconfigure postfixadmin
</code>

Once the administrator account exists, do not leave ''setup.php'' reachable from the network.

====== Dovecot ======

Provides IMAP, POP3 and, above all, very convenient authentication that Postfix can reuse.

<code>
auth_mechanisms = plain
!include auth-system.conf.ext
!include auth-sql.conf.ext
mail_location = maildir:/srv/mail/%d/%n
mail_privileged_group = mail
</code>

===== Postfix Auth =====

<code>
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
</code>

A SASL PLAIN credential is just the string authorization-id NUL user name NUL password, base64-encoded:

<code>
root@xen-skoleni-10:/srv/mail# perl -MMIME::Base64 -e 'print encode_base64("\000siska\@smrk.cz\000siska")';
AHNpc2thQHNtcmsuY3oAc2lza2E=
root@xen-skoleni-10:/srv/mail# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 Secure xen-skoleni-10 ESMTP Postfix NO UCE, NO UBE
ehlo ahoj
250-xen-skoleni-10
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth plain AHNpc2thQHNtcmsuY3oAc2lza2E=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@xen-skoleni-10:/srv/mail#
</code>

As the session shows, the server offers AUTH PLAIN on an unencrypted port 25 connection, so anybody on the path can read the password straight out of the base64 string. Outside the lab, add ''smtpd_tls_auth_only = yes'' (together with the TLS settings in the next section) so that AUTH is only announced after STARTTLS, and consider moving clients to the submission port 587.

===== SSL =====

<code>
cd /etc/postfix
mkdir ssl
cd ssl
openssl req -new -x509 -nodes -out cert.pem -keyout key.pem
</code>

This produces a self-signed certificate, good enough for the lab; clients and other MTAs cannot verify it, so in production use one from a real CA. Keep the key private (''chmod 600 key.pem''). Then in main.cf:

<code>
# TLS
smtpd_tls_cert_file=/etc/postfix/ssl/cert.pem
smtpd_tls_key_file=/etc/postfix/ssl/key.pem
smtpd_use_tls=yes
</code>

''smtpd_use_tls'' is the legacy switch; on current Postfix the equivalent is ''smtpd_tls_security_level = may'' (opportunistic TLS for incoming connections).

====== Delivery through Dovecot ======

Beware: without ''dovecot_destination_recipient_limit = 1'' in main.cf this does not work (''${user}'' can only be expanded for one recipient at a time).

<code>
dovecot   unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${user}@${nexthop}
</code>

====== Antispam, antivirus, blacklists and greylisting ======

<code>
apt-get install amavis clamav
</code>

In /etc/amavis/conf.d/15-content-filter-mode uncomment the lines that hand messages over for checking:

<code>
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
</code>

In main.cf:

<code>
# Anti spam/virus/communist
content_filter = zabijak:[127.0.0.1]:10024
</code>

In master.cf, the transport that sends mail to amavis and the listener on which amavis hands the checked mail back:

<code>
zabijak unix - - - - 5 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
</code>

The re-injection listener is bound to 127.0.0.1 and restricted to ''permit_mynetworks,reject'' with ''mynetworks=127.0.0.0/8'' on purpose: it bypasses the content filter, so it must never be reachable from anything but amavis on the same host.

====== SPF - part one ======

Having spent so much effort on DNS, let us look at a rather nice antispam technique. It is a deeper verification of the sender's domain. Specifically we ask the DNS of jahoda.cz whether the address 1.2.3.4 was allowed to send a message with that sender (strictly speaking SPF is evaluated against the envelope sender from MAIL FROM and the HELO name, not the From: header). If the administrator of jahoda.cz knows for certain that all his users use one central server, against which they authenticate and through which they send their mail, he can happily publish in DNS: "We have one central server through which we send mail, IPv4 9.8.7.6; anything else is a forgery." Only it is written like this:

<code>
jahoda.cz. IN TXT "v=spf1 ip4:9.8.7.6 -all"
</code>

Terms without a leading +/- sign are treated as if they had +, i.e. "+ip4:9.8.7.6" in our example. Explanation:

  * spf1 - the record describes Sender Policy Framework (version 1)
  * ip4 - an IPv4 address (or network) that is allowed to send
  * -all - everything else is invalid (fail)

Besides + and -, SPF also knows ~ (softfail) and ? (neutral).

If anybody wonders what our SPF record looks like, here it is: ''starlab.cz. IN TXT "v=spf1 mx -all"''. Forgive me for writing it here; you all know how to run ''host -t txt starlab.cz'' anyway.

**Warning: with this you only help others, so that mails with your forged domain do not cause spam elsewhere.** You still need to set up the second part, i.e. implement the check on your own server.

====== SPF - part two ======

Adding it to Postfix is the usual triple:

  * apt-get install
  * add to main.cf
  * add to master.cf

And then a bit of tuning and fixing of typos. There is a Python and a Perl version.

<code>
apt-get install postfix-policyd-spf-python
apt-get install postfix-policyd-spf-perl
</code>

Those who are bored may write an essay on the difference between them. To ''main.cf'' add, anywhere:

<code>
policy-spf_time_limit = 3600s
</code>

and to ''master.cf'' add, say, the Python script:

<code>
policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/bin/policyd-spf
</code>

and extend ''smtpd_recipient_restrictions'' in main.cf:

<code>
smtpd_recipient_restrictions =
    ...
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:private/policy-spf
</code>

Keep ''check_policy_service'' after ''reject_unauth_destination'': the relaying decision is then made before the policy daemon is consulted, and the SPF lookups are only spent on mail the server is actually willing to accept.

====== Sieve filters in action ======

A global filter that moves spam into the folder spam for all users:

<code>
require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
  fileinto "spam";
  stop;
}
</code>

====== Performance tuning and statistics ======

<code>
apt-get install mailgraph
apt-get install collectd --no-install-recommends
</code>

====== Automatic reply during absence ======

<code>
moje_prazdniny unix - n n - - pipe
  flags=Rq user=autoreply argv=/home/autoreply/autoreply.pl -f ${sender} -- ${recipient}
</code>

The script itself follows as a base64-encoded gzip archive (its gzip header names the file vacation.pl); paste the blob into a file and decode it with ''tr -d ' \n' < blob | base64 -d | gunzip > autoreply.pl'':

H4sICKCBWlMAA3ZhY2F0aW9uLnBsAK1Ze3fTyA7/m3wK4bYnzjaPBpZ9JLTbkoZL7iltTxPY5dCS
dewJma1jG3vStIf2fvYrafyKHQIXbnpI7BlJI/2kkTTD1uPWIgpbE+m1AhG60FhWtipb8FaGamG5
8NayLSV9D5422zg8uYPXMrJnFpwLJcIIns/1q6VgJj/OnoHjK/CEOkDinh/chTiowLRr8GRv7wk0
6OcZvCLSx0hyIm3hRQIG3tTvwEypoNNqLZfLZuBHaipvLWcuvabtz1t/TKUr9k8Gvf7psN8c/TVi
NY8cR5J6UQdfUPTPrb1fW+2nAMfWjXTgLJr4oQfP/ShyxA0p6Vi+7bNE0jD/iVQobVWHIPRtEUUi
QlPmlvTAFTfCBcuVFg7WYe6Hosi6mIT+QkmP5iPhORCKwL2DaejPwUcIpIdQKh8sxwlRNqvO2rbb
rb3fv0dbNFw4EN1Frv8R1w8CP1TZbIF46JIXUKGJUOg1QB5U6SMsZ9KegfRsd+GgvXNUzfoopFNc
68ZH7aQ3lZ5UArn9IIKlVLMEoRgbNGuBvjx+Mejyg0a0W6nM72DbmYzVXSBgH6rzu+iTW+0mwzN0
NQ27vm259JJNoZSQpvLRkM0GVhTRbHTtu8KT2YRnzcUX2Mg7qLOL0wYHfkSRn4wamgjxoWhjGjUP
WjfxJmjihNElSLYgCoQtp3dgAZPykjMRCpj6IYhbax64ogN5Tq2dmCy+IJynSDwKF8H/Ipw5tXk6
IPZhr8tatkFOyd0gPHQG+jia+QvXwUCgOFUUk5olcdIMedGBjQOMO0/YyjTwrZN4r5Og20kcZ9TB
SDyVPJNf8PkzXFgyEv0wRKX3D1CXhxoGwxYgrUMrO5hCbJUFVrw7KMCuF4GOs9gffmD7C0/t76EA
3G0YeONPCxHewecK2ok05ja/11D9w3E3HtyOFNlDZjUOAtyTVihSQlTKkQKMnuVVFcSzoGc7MY8I
QwziS89giSQOx26FvUBtV/mTUTUTkIjQ5CxCCwiFWuAGp4lu5SG1hN2Xs0R67Trg9xP+fsrfP/P3
M/7+JWclutfMR1UtlbPtWEowjR8ID8zj/os3/0IPHRzk6I0UB9N441kTlICOYQatlSZiMfbMD1A7
Eovr/82/xu7Ou9bOvLXjwM6rzs7rzs7Q+FuTB6HEAONVwdjnD8TM/ElQTUinCe1OBPew/gt5GIGv
4KPVdX3MQdpsrdFDDnPbstFTGebKR1bK14UI0lG2D58+fR72T/q9EWjOlxdnr9MNCH++6l/0QVAK
2a+irCocnR7Dy8Hp8XhwOh72R2aVhVfrzF17KERoGs5JdKbz4Q0FMEdS6C+j1Oc8gds89jdFZ07V
N+fHR6N+ph9qoPXe752d9o5GJr/Uq/SnFauVbXhI3LNRyYd8YIc3+bimvJMhnFYXBDpFG3+Q+B9M AwXc0+DVAR7ntczaOKiH74YnZxTV92kXQ8UNq0YjADKlidnFh4ZKG5kNEa85MdohWSQOTL0KGGdY yhsjbFQwHF+i9vzwWts1OOa3obaGno2CoXkAYqMThJNg1QvFCjxk5icFKbZf264Np+0cT2827Qe2 cgoFMAzM1wECAg2MkWArM/MTC/PwZAhAsvlju9no4hblMp3FT4wiIxoLx6eJ7+STvkbm9dHghGIi V+4xAhpTreQGmNI+IJ/CSBoYOSsT5fPTMRjrpkqYrCPq+Z7CgtwYUZUFJW5VK3Cxt+qir6wwEmpf Rn7jt9+e/d54so7/r8YJFskOnOuWB/tD7HlKXfylt46XQVzxB43X0q2M5dkZh8Jyx0mFzrzC+aJQ j3Z3s4oNB9joZts2zgqmUZZJLI+phbAXYYhQuFRCWTwN9i8uzi6yh2yPakNMA3u9SJIvV/pUfFuj PnVRz7Xsgyb0ZsK+5jHuY5kPYUpDX9xKBe0s2XFaRnHMv6FQ8PzGQsG/VbDwwGDZSt6I/fYPVIYK d3wX2JYGknq7GdqSLFwoG+1c2UhNIXGxTWwrCDcSa8tLbOBHn3Y/2aeB08bFIKfmfVsZYU3WWVQw SkYIl16vjluDPId20UIT/7ZkctnqNLUziIe4TrrmVCh7hgNjKwytu+4K4ba2EEmR4P3eVW72uzzP 4tZ5/tug2oQWA3bE6q6B44txsC4aWMvcmg+ZR/6k4510XVzjhvMnNe28idadmpvNZsyZRNWqH8xt Oj9gOtfMlE+iwJXKbB226nFU1jZj/pVgvDyMZVd/GOd0Kg/4CHvCUNgit/esNVB80Quw4oZvDk1N u72UrmNboYNHCT5Ll6M0wZkoY6zpcT3eK+Jq+chiW3XCzJ/9VwjYsmSdkmn4IbvruVCj5ctJ2iyq 8WhFTiE9rcDhieU4DWK+Q2hC9bCK3zmju9+rViq9pFKl9PhQbJFLi6RVlnqPcbJbY/ULdRYZ6TZp nLU//Bp3RvzM7RE/pc3WV080iThqA76hXv3fDi+57PNtAU+86dmtgAmf3SjaNNDd1AXpAds03g/7 eCy76A/Pz06H/StOVwWwOnzENAiFpP0AM0a2k2Jc01Sjs05udT02fPPi3whqZ9VVeu7tEZ69Bmen kBHpjVqYfnF2/C6ea1/lW5GkK15jez2RVU8Y81zcdBVMLYdMPpCSY1lyFqEw3fryBzgZbCDQH75m Wu3lbXuloc/Clu+KRtY1XX1ZDl02W4EVqspyRkch8/lwdDw4PYhjyLUw8VF8tD5st2pppLU+0FKd y2jXbP6EXttuSYoRfVjBYGt3s2NW6wO6uESJVaVEZ9tlOtsu08VWlYmTw1GJI7a+QYFYZMpOTyW2 gEqPIzxbMNtk4V7fuzJS9/8svOua5uc21tyrrTDeNqjbJab4rvQS+Lb0Em700eEyzQVlKRQRMJiC kGqGOVafkHBL0VmI7tI8X2FWQ6cSU4UWfKyBv7+HxwhsUV4lcYtrxzGiY6CXtHlSVbn98yc30l9E nDKplKXyYwH/gZb5/nJ52WjuXO1eHuJjs3G1W2uVXZ8xiU9gGKRZJuODv/RE2LhvmKHAzIZw8kDt 8vD+g0n7DycdS8x9757Qm2MI8mwZKTRiqEIZaGiw6evZ+jdYRDO6M5zTQYVzHW2QQ7o5D8a2Hac/ yA0qXw9mJbsOP+E/xowwRcw4TwqsXcKhwCRtCiLXchMlq8tamYUF60UZNX2zfxgJK7RnSaZOTdW5 Mz1yEajxPq5Q3i2Kj/cxO2S82YWVR4mCuZUxdbR1snq0kvFHF4NzTPm9wfmgfzoaXnXAKNzFtDH1 
NozsK3cTgbbwEvrefcUg/X8nKx12bFZOqVqugnPd39hYjGsbKmShkr08e4OlLKkYa6zKp9ikWKQ5
vfJoXbthligLcvK5OYFor1v5L3Gl/PBDHAAA

====== LDAP ======

[[http://www.howtoforge.com/postfix-virtual-hosting-with-ldap-backend-and-with-dovecot-as-imap-pop3-server-on-ubuntu-karmic-koala-9.10-p2]]
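To close the loop on the two SPF sections above, here is an added example (my code, not from the original page and not the policyd-spf daemon's code): a minimal evaluator of SPF records as described in RFC 7208, run against an in-memory DNS table instead of live DNS. It implements the qualifiers + - ~ ?, the mechanisms ip4, ip6, a, mx, include and all, and the limit of 10 DNS-querying mechanisms that keeps a hostile record (for instance an include that points back at itself) from turning every SPF check into a denial of service against the resolver. The DNS table is constructed: the jahoda.cz and starlab.cz records mirror the ones on this page (with fw.starlab.cz's addresses from the capture above), while boruvka.cz's record, loop.example and nospf.example are invented for the demonstration.

```python
"""Added example (not from the original page): a small SPF evaluator."""
import ipaddress

DNS = {                                            # constructed lookup table
    ("jahoda.cz", "TXT"): ["v=spf1 ip4:9.8.7.6 -all"],
    ("starlab.cz", "TXT"): ["v=spf1 mx -all"],
    ("starlab.cz", "MX"): [(20, "fw.starlab.cz")],
    ("fw.starlab.cz", "A"): ["212.20.102.72"],
    ("fw.starlab.cz", "AAAA"): ["2001:4de8:99c:4:216:3eff:fe0b:3431"],
    ("boruvka.cz", "TXT"): ["v=spf1 include:jahoda.cz ~all"],       # invented
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # invented, hostile
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10                                   # RFC 7208 section 4.6.4


class SpfPermError(Exception):
    """The record cannot be evaluated; RFC 7208 calls this result 'permerror'."""


def _dns(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def _spf_record(domain):
    txt = [r for r in _dns(domain, "TXT")
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(txt) > 1:
        raise SpfPermError(f"{domain}: more than one SPF record")
    return txt[0] if txt else None


def _host_addresses(host, ip):
    """A records for an IPv4 sender, AAAA records for an IPv6 sender."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return [ipaddress.ip_address(a) for a in _dns(host, rtype)]


def check_host(ip, domain, budget=None):
    """Evaluate the SPF policy of `domain` for the connecting address `ip`.
    Returns pass, fail, softfail, neutral or none; raises SpfPermError."""
    ip = ipaddress.ip_address(ip)
    budget = [MAX_LOOKUPS] if budget is None else budget   # shared across includes
    record = _spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"                            # no sign means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if "=" in mech:                            # modifiers (redirect=, exp=) not handled here
            continue
        if mech in ("a", "mx", "include"):         # each of these costs a DNS lookup
            budget[0] -= 1
            if budget[0] < 0:
                raise SpfPermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == ip.version and ip in net
        elif mech == "a":
            matched = ip in _host_addresses(arg or domain, ip)
        elif mech == "mx":
            matched = any(ip in _host_addresses(h, ip) for _pref, h in _dns(arg or domain, "MX"))
        elif mech == "include":
            result = check_host(ip, arg, budget)
            if result == "none":
                raise SpfPermError(f"{domain}: include target {arg} has no SPF record")
            matched = result == "pass"
        else:
            raise SpfPermError(f"{domain}: unknown mechanism {mech}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                               # record exhausted without a match
```

`check_host("9.8.7.6", "jahoda.cz")` passes and any other address fails, `check_host("212.20.102.72", "starlab.cz")` passes through the mx mechanism, and `check_host("1.2.3.4", "loop.example")` raises a permerror after the tenth include instead of recursing forever. A policy daemon such as policyd-spf maps these results to the Postfix actions it returns to ''check_policy_service''.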