Table of Contents

Mail Server

Mail server patri rozhodne k tem slozitejsim instalacim. Nejdrive peclive proberema packet-po-packetu odeslani a prijmuti e-mailu.

Cesta mailu

Chceme odeslat e-mail na foo@example.com.

Vytvorime e-mail a predame ho k odeslani, to muze znamenat i pomerne komplikovane sifrovane odesilani pres autentizaci apod, ale v nasem pripade rekneme, ze e-mail “predame” lokalnimu postakovi (MTA) a ten zacne resit odeslani e-mailu.

 EHLO server.example.com
 250-mail.port25.com says hello
 250-STARTTLS
 250-SIZE 54525952
 250 DSN
 MAIL FROM: <support@port25.com>
 250 2.1.0 MAIL ok
 RCPT TO: <support@port25.com>
 250 2.1.5 <support@port25.com> ok
 DATA
 354 send message
 From: "John Smith" <jsmith@port25.com>
 To: "Jane Doe" <jdoe@port25.com>
 Subject: test message sent from manual telnet session
 Date: Wed, 11 May 2011 16:19:57 -0400

Hello World,
 This is a test message sent from a manual telnet session.

Yours truly,
 SMTP administrator

.
 250 2.6.0 message received
 QUIT
 221 2.0.0 mail.port25.com says goodbye
  June 11 16:00:18 xen-mail postfix/pipe[26779]: 4D6FCEBCD: 
   to=<servery@panelnet.cz>, relay=dovecot, delay=0.06, delays=0.01/0/0/0.05, 
   dsn=2.0.0, status=sent (delivered via dovecot service)

U extremne jednoduchych mail serveru muze doruceni provest primo MTA, v nasem pripade postfix.

A pojdme si takovy jednoduchy mail server postavit

 apt-get install postfix

Hlavni konfiguracni soubory jsou master.cf a main.cf. Master.cf definuje bezici demony, kteri mezi sebou komunikuji, jejich parametry, cisla portu, chroot apod.. Main.cf definuje malou mnozinu parametru pro beh celeho postfixoveho systemu. Konfiguracnich parametru je zhruba 1000 a v main.cf jich byvaji obvykle desitky.

main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
 
myhostname = xen-skoleni-10
mydestination = jahoda.cz, localhost, localhost.localdomain, localhost
#relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.4.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
 
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

Prohlidneme log /var/log/mail.log Prijmuti e-mailu:

  Apr 21 23:30:36 xen-skoleni-10 postfix/pickup[3824]: 21E0D1C55: uid=0 from=<root@xen-skoleni-10>
  Apr 21 23:30:36 xen-skoleni-10 postfix/cleanup[7715]: 21E0D1C55: message-
 id=<20140421233036.21E0D1C55@xen-skoleni-10>

Doruceni e-mailu:

Apr 21 23:30:36 xen-skoleni-10 postfix/qmgr[3823]: 21E0D1C55: from=<root@xen-skoleni-10>, size=343, nrcpt=1 (queue active)
Apr 21 23:30:36 xen-skoleni-10 postfix/local[7717]: 21E0D1C55: to=<skoleni@jahoda.cz>, relay=local, delay=1, delays=0.95/0.01/0/0.06, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 21 23:30:36 xen-skoleni-10 postfix/qmgr[3823]: 21E0D1C55: removed

Vas prvni e-mail bude ve less /var/mail/skoleni. Nyni zkuste pridat dalsi domenu boruvka.cz a poslat si e-mail.

Zamysleni se nad DNS

dast@boss:~$ host -t mx seznam.cz
seznam.cz mail is handled by 60 mx60.seznam.cz.
seznam.cz mail is handled by 50 mx50.seznam.cz.
dast@boss:~$ 

DNS odpovi podle [https://tools.ietf.org/html/rfc2181#section-10.3] na dotaz na MX zaznam domeny automaticky posle ve stejnem paketu i A nebo AAAA zaznamy. Protoze se tim usetri automaticky predvidatelny dotaz na IP adresu mail serveru.

root@boss:~# tcpdump udp port 53 -n -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:37:51.174321 IP 10.0.0.201.35318 > 10.0.0.101.53: 15769+ MX? seznam.cz. (27)
        0x0000:  4500 0037 ea99 0000 4011 7aef 0a00 00c9  E..7....@.z.....
        0x0010:  0a00 0065 89f6 0035 0023 66e9 3d99 0100  ...e...5.#f.=...
        0x0020:  0001 0000 0000 0000 0673 657a 6e61 6d02  .........seznam.
        0x0030:  637a 0000 0f00 01                        cz.....
20:37:51.240990 IP 10.0.0.101.53 > 10.0.0.201.35318: 15769 2/2/0 MX mx60.seznam.cz. 60, MX mx50.seznam.cz. 50 (103)
        0x0000:  4500 0083 33e5 0000 4011 3158 0a00 0065  E...3...@.1X...e
        0x0010:  0a00 00c9 0035 89f6 006f 5d50 3d99 8180  .....5...o]P=...
        0x0020:  0001 0002 0002 0000 0673 657a 6e61 6d02  .........seznam.
        0x0030:  637a 0000 0f00 01c0 0c00 0f00 0100 0001  cz..............
        0x0040:  2c00 0900 3c04 6d78 3630 c00c c00c 000f  ,...<.mx60......
        0x0050:  0001 0000 012c 0009 0032 046d 7835 30c0  .....,...2.mx50.
        0x0060:  0cc0 0c00 0200 0100 0046 5000 0502 6e73  .........FP...ns
        0x0070:  c00c c00c 0002 0001 0000 4650 0005 026d  ..........FP...m
        0x0080:  73c0 0c                                  s..

Pokud jste si s analyzou paketu vyse dali stejnou praci jako ja, tak jste si jiste vsimli, ze povest lhala. Prilozene nejsou :(.

Byl jsem mnohem zvidavejsi a provedl jsem analyzu na realnem mail serveru. root@—tajne—:~# mail -s Test ahoj@zde.cz aa . Cc: root@—tajne—:~# </code>

20:56:58.869612 IP 78.xxx.103.xxx.37135 > 46.16.74.70.53: 56099+ MX? zde.cz. (24)
        0x0000:  4500 0034 dd03 4000 4011 2f17 4e89 67bf  E..4..@.@./.N.g.
        0x0010:  2e10 4a46 910f 0035 0020 7f53 db23 0100  ..JF...5...S.#..
        0x0020:  0001 0000 0000 0000 037a 6465 0263 7a00  .........zde.cz.
        0x0030:  000f 0001                                ....
20:56:58.890910 IP 46.16.74.70.53 > 78.xxx.103.xxx.37135: 56099 1/2/3 MX grey.xnet.cz. 10 (163)
        0x0000:  4500 00bf 8c5a 0000 4011 bf35 2e10 4a46  E....Z..@..5..JF
        0x0010:  4e89 67bf 0035 910f 00ab 59e7 db23 8180  N.g..5....Y..#..
        0x0020:  0001 0001 0002 0003 037a 6465 0263 7a00  .........zde.cz.
        0x0030:  000f 0001 c00c 000f 0001 0000 0258 000e  .............X..
        0x0040:  000a 0467 7265 7904 786e 6574 c010 c00c  ...grey.xnet....
        0x0050:  0002 0001 0000 4650 0010 026e 7307 6b72  ......FP...ns.kr
        0x0060:  6178 6e65 7403 636f 6d00 c00c 0002 0001  axnet.com.......
        0x0070:  0000 4650 000d 026e 7307 6b72 6178 6e65  ..FP...ns.kraxne
        0x0080:  74c0 10c0 5a00 0100 0100 0046 5000 04b2  t...Z......FP...
        0x0090:  d9f7 02c0 5a00 1c00 0100 0046 5000 102a  ....Z......FP..*
        0x00a0:  0213 6000 0000 0000 0000 0000 0000 56c0  ..`...........V.
        0x00b0:  3e00 0100 0100 02a3 0000 0452 7137 45    >..........Rq7E
20:56:58.891228 IP 78.xxx.103.xxx.54698 > 46.16.74.70.53: 54610+ A? grey.xnet.cz. (30)
        0x0000:  4500 003a dd05 4000 4011 2f0f 4e89 67bf  E..:..@.@./.N.g.
        0x0010:  2e10 4a46 d5aa 0035 0026 dab6 d552 0100  ..JF...5.&...R..
        0x0020:  0001 0000 0000 0000 0467 7265 7904 786e  .........grey.xn
        0x0030:  6574 0263 7a00 0001 0001                 et.cz.....
20:56:58.924386 IP 46.16.74.70.53 > 78.xxx.103.xxx.54698: 54610 1/2/3 A 82.113.55.82 (159)
        0x0000:  4500 00bb 8c5b 0000 4011 bf38 2e10 4a46  E....[..@..8..JF
        0x0010:  4e89 67bf 0035 d5aa 00a7 6866 d552 8180  N.g..5....hf.R..
        0x0020:  0001 0001 0002 0003 0467 7265 7904 786e  .........grey.xn
        0x0030:  6574 0263 7a00 0001 0001 c00c 0001 0001  et.cz...........
        0x0040:  0000 0258 0004 5271 3752 c011 0002 0001  ...X..Rq7R......
        0x0050:  0000 0258 000d 026e 7307 6b72 6178 6e65  ...X...ns.kraxne
        0x0060:  74c0 16c0 1100 0200 0100 0002 5800 1002  t...........X...
        0x0070:  6e73 076b 7261 786e 6574 0363 6f6d 00c0  ns.kraxnet.com..
        0x0080:  3a00 0100 0100 0046 5000 04b2 d9f7 02c0  :......FP.......
        0x0090:  3a00 1c00 0100 0046 5000 102a 0213 6000  :......FP..*..`.
        0x00a0:  0000 0000 0000 0000 0000 56c0 5300 0100  ..........V.S...
        0x00b0:  0100 02a3 0000 0452 7137 45              .......Rq7E
20:56:58.924784 IP 78.xxx.103.xxx.38144 > 46.16.74.70.53: 12584+ AAAA? grey.xnet.cz. (30)
        0x0000:  4500 003a dd08 4000 4011 2f0c 4e89 67bf  E..:..@.@./.N.g.
        0x0010:  2e10 4a46 9500 0035 0026 bf70 3128 0100  ..JF...5.&.p1(..
        0x0020:  0001 0000 0000 0000 0467 7265 7904 786e  .........grey.xn
        0x0030:  6574 0263 7a00 001c 0001                 et.cz.....
20:56:58.937720 IP 46.16.74.70.53 > 78.xx.103.xxx.38144: 12584 0/1/0 (83)
        0x0000:  4500 006f 8c5c 0000 4011 bf83 2e10 4a46  E..o.\..@.....JF
        0x0010:  4e89 67bf 0035 9500 005b f15f 3128 8180  N.g..5...[._1(..
        0x0020:  0001 0000 0001 0000 0467 7265 7904 786e  .........grey.xn
        0x0030:  6574 0263 7a00 001c 0001 c011 0006 0001  et.cz...........
        0x0040:  0000 012c 0029 026e 7307 6b72 6178 6e65  ...,.).ns.kraxne
        0x0050:  74c0 1605 6164 6d69 6ec0 2d78 0bd5 3900  t...admin.-x..9.
        0x0060:  000e 1000 0002 5800 36ee 8000 0151 80    ......X.6....Q.
^C
30 packets captured
30 packets received by filter
0 packets dropped by kernel

Zaznamy totiz prilozene ani byt nemohou. Server by je mohl prilozit pouze v pripade, ze MX zaznam ma domenove jmeno v jeho domene. Pokud je ale jinde - jako v pripade zde.cz, tak nema do paketu co davat cizi udaje. To jiz hranici s podvodem DNS Cache Poisoning. Velmi pouzivanym a prakticky kvuli tomu prave vzniklo DNS Sec, cimzto Vas zvu na skoleni tykajici se DNS.

Pozn. server nedela rekurzivni dns, ale pouziva nadrazene DNS, ktere za nej dotaz vyridi. Kdyby se stopovaly vsechny pakety (dotaz na “.”, pak na “.cz” atd.), tak by zaznam byl opravdu obrovsky.

Ztracite viru?

Neztracejte

root@---tajne---:~# host -t mx panelnet.cz
panelnet.cz mail is handled by 20 fw.panelnet.cz.

a odpoved DNS

root@---tajne----:~# tcpdump port 53 -n -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:24:34.434111 IP 78.xxx.103.xxx.50593 > 46.16.74.70.53: 36977+ MX? panelnet.cz. (29)
        0x0000:  4500 0039 cb37 0000 4011 80de 4e89 67bf  E..9.7..@...N.g.
        0x0010:  2e10 4a46 c5a1 0035 0025 548f 9071 0100  ..JF...5.%T..q..
        0x0020:  0001 0000 0000 0000 0870 616e 656c 6e65  .........panelne
        0x0030:  7402 637a 0000 0f00 01                   t.cz.....
21:24:34.435590 IP 46.16.74.70.53 > 78.xxx.103.xxx.50593: 36977 1/2/2 MX fw.panelnet.cz. 20 (112)
        0x0000:  4500 008c 8cbb 0000 4011 bf07 2e10 4a46  E.......@.....JF
        0x0010:  4e89 67bf 0035 c5a1 0078 8521 9071 8180  N.g..5...x.!.q..
        0x0020:  0001 0001 0002 0002 0870 616e 656c 6e65  .........panelne
        0x0030:  7402 637a 0000 0f00 01c0 0c00 0f00 0100  t.cz............
        0x0040:  0932 b300 0700 1402 6677 c00c c00c 0002  .2......fw......
        0x0050:  0001 0000 3e83 0002 c02b c00c 0002 0001  ....>....+......
        0x0060:  0000 3e83 0006 036e 7373 c00c c02b 0001  ..>....nss...+..
        0x0070:  0001 0008 2f76 0004*d414 6648*c04a 0001  ..../v....fH.J..
        0x0080:  0001 0000 3e83 0004 5102 c59d            ....>...Q...
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

d414 6648 kazdy vidi ze je 212.20.102.72 a to je ip fw.panelnet.cz, takze tentokrat byla IP adresa prilozena.

Ale ja jsem viru ztratil

Pokusime se znovu odeslat e-mail na domenu @starlab.cz a budeme sledovat pakety.

root@---tajne---:~# mail -s Test ahoj@starlab.cz
cccccccccc
.
Cc: 
root@---tajne---:~# 
root@---tajne---:~# tcpdump port 53 -n -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes



21:43:09.764588 IP 78.137.103.191.52648 > 46.16.74.70.53: 8524+ MX? starlab.cz. (28)
        0x0000:  4500 0038 1764 4000 4011 f4b2 4e89 67bf  E..8.d@.@...N.g.
        0x0010:  2e10 4a46 cda8 0035 0024 14c6 214c 0100  ..JF...5.$..!L..
        0x0020:  0001 0000 0000 0000 0773 7461 726c 6162  .........starlab
        0x0030:  0263 7a00 000f 0001                      .cz.....
21:43:09.781718 IP 46.16.74.70.53 > 78.137.103.191.52648: 8524 1/2/3 MX fw.starlab.cz. 20 (139)
        0x0000:  4500 00a7 8d0d 0000 4011 be9a 2e10 4a46  E.......@.....JF
        0x0010:  4e89 67bf 0035 cda8 0093 60db 214c 8180  N.g..5....`.!L..
        0x0020:  0001 0001 0002 0003 0773 7461 726c 6162  .........starlab
        0x0030:  0263 7a00 000f 0001 c00c 000f 0001 0000  .cz.............
        0x0040:  7080 0007 0014 0266 77c0 0cc0 0c00 0200  p......fw.......
        0x0050:  0100 0046 3e00 0603 6e73 73c0 0cc0 0c00  ...F>...nss.....
        0x0060:  0200 0100 0046 3e00 02c0 2ac0 2a00 0100  .....F>...*.*...
        0x0070:  0100 0070 6e00 04d4 1466 48c0 2a00 1c00  ...pn....fH.*...
        0x0080:  0100 0070 6e00 1020 014d e809 9c00 0402  ...pn....M......
        0x0090:  163e fffe 0b34 31c0 3b00 0100 0100 0046  .>...41.;......F
        0x00a0:  3e00 0451 02c5 9d                        >..Q...
21:43:09.782074 IP 78.137.103.191.45024 > 46.16.74.70.53: 50314+ A? fw.starlab.cz. (31)
        0x0000:  4500 003b 1766 4000 4011 f4ad 4e89 67bf  E..;.f@.@...N.g.
        0x0010:  2e10 4a46 afe0 0035 0027 d92d c48a 0100  ..JF...5.'.-....
        0x0020:  0001 0000 0000 0000 0266 7707 7374 6172  .........fw.star
        0x0030:  6c61 6202 637a 0000 0100 01              lab.cz.....
21:43:09.783020 IP 46.16.74.70.53 > 78.137.103.191.45024: 50314 1/2/2 A 212.20.102.72 (123)
        0x0000:  4500 0097 8d0e 0000 4011 bea9 2e10 4a46  E.......@.....JF
        0x0010:  4e89 67bf 0035 afe0 0083 2d49 c48a 8180  N.g..5....-I....
        0x0020:  0001 0001 0002 0002 0266 7707 7374 6172  .........fw.star
        0x0030:  6c61 6202 637a 0000 0100 01c0 0c00 0100  lab.cz..........
        0x0040:  0100 0070 6e00 04d4 1466 48c0 0f00 0200  ...pn....fH.....
        0x0050:  0100 0046 3e00 0603 6e73 73c0 0fc0 0f00  ...F>...nss.....
        0x0060:  0200 0100 0046 3e00 02c0 0cc0 0c00 1c00  .....F>.........
        0x0070:  0100 0070 6e00 1020 014d e809 9c00 0402  ...pn....M......
        0x0080:  163e fffe 0b34 31c0 3b00 0100 0100 0046  .>...41.;......F
        0x0090:  3e00 0451 02c5 9d                        >..Q...
21:43:09.783266 IP 78.137.103.191.42543 > 46.16.74.70.53: 22576+ AAAA? fw.starlab.cz. (31)
        0x0000:  4500 003b 1766 4000 4011 f4ad 4e89 67bf  E..;.f@.@...N.g.
        0x0010:  2e10 4a46 a62f 0035 0027 3439 5830 0100  ..JF./.5.'49X0..
        0x0020:  0001 0000 0000 0000 0266 7707 7374 6172  .........fw.star
        0x0030:  6c61 6202 637a 0000 1c00 01              lab.cz.....
21:43:09.783773 IP 46.16.74.70.53 > 78.137.103.191.42543: 22576 1/2/2 AAAA 2001:4de8:99c:4:216:3eff:fe0b:3431 (123)
        0x0000:  4500 0097 8d0f 0000 4011 bea8 2e10 4a46  E.......@.....JF
        0x0010:  4e89 67bf 0035 a62f 0083 6e54 5830 8180  N.g..5./..nTX0..
        0x0020:  0001 0001 0002 0002 0266 7707 7374 6172  .........fw.star
        0x0030:  6c61 6202 637a 0000 1c00 01c0 0c00 1c00  lab.cz..........
        0x0040:  0100 0070 6e00 1020 014d e809 9c00 0402  ...pn....M......
        0x0050:  163e fffe 0b34 31c0 0f00 0200 0100 0046  .>...41........F
        0x0060:  3e00 02c0 0cc0 0f00 0200 0100 0046 3e00  >............F>.
        0x0070:  0603 6e73 73c0 0fc0 0c00 0100 0100 0070  ..nss..........p
        0x0080:  6e00 04d4 1466 48c0 5500 0100 0100 0046  n....fH.U......F
        0x0090:  3e00 0451 02c5 9d                        >..Q...
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
root@---tajne---:~# 

Nejdrive dostane odpoved na MX a k ni pribalene dva NS servery i s ip adresami. Pak se na tu samou IP zepta dotazem “A? fw.panelnet.cz” a pak jeste dotazem na IPv6 “AAAA? fw.panelnet.cz”.

Napojeni na SQL

mysql_virtual_domains_map.cf
cat > mysql_virtual_domains_maps.cf
user = postfixadmin
password = skoleni
hosts = 127.0.0.1
dbname = postfixadmin
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
mysql_virtual_alias_map.cf
cat > mysql_virtual_alias_maps.cf 
user = postfixadmin
password = skoleni
hosts = 127.0.0.1
dbname = postfixadmin
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
mysql_virtual_mailbox_maps.cf
cat > mysql_virtual_mailbox_maps.cf
user = postfixadmin
password = skoleni
hosts = 127.0.0.1
dbname = postfixadmin
table = mailbox
select_field = maildir
where_field = username
additional_conditions = and active = '1'

Pridavek do souboru main.cf

main.cf
virtual_mailbox_base = /srv/mail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_uid_maps = static:1008
virtual_gid_maps = static:1008

Postfix Admin

apt-get install postfixadmin

spustit [http://10.0.4.161/postfixadmin/setup.php]. Je potreba zaskrtnout “apache2”, aby se vytvoril link /etc/apache2/conf.d/postfixadmin. Jinak je mozne zmenu provest pozdeji prikazem

dpkg-reconfigure postfixadmin

Dovecot

Poskytuje IMAP, POP3 a hlavne velmi vyhodnou autentizaci.

10-auth.conf
auth_mechanisms = plain
!include auth-system.conf.ext
!include auth-sql.conf.ext
mail_location = maildir:/srv/mail/%d/%n
mail_privileged_group = mail

Postfix Auth

main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
root@xen-skoleni-10:/srv/mail# perl -MMIME::Base64 -e 'print encode_base64("\000siska\@smrk.cz\000siska")';
AHNpc2thQHNtcmsuY3oAc2lza2E=
root@xen-skoleni-10:/srv/mail# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 Secure xen-skoleni-10 ESMTP Postfix NO UCE, NO UBE
ehlo ahoj
250-xen-skoleni-10
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth plain AHNpc2thQHNtcmsuY3oAc2lza2E=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@xen-skoleni-10:/srv/mail# 

SSL

cd /etc/postfix
mkdir ssl
cd ssl
openssl req -new -x509 -nodes -out cert.pem -keyout key.pem
main.cf
# TLS
smtpd_tls_cert_file=/etc/postfix/ssl/cert.pem
smtpd_tls_key_file=/etc/postfix/ssl/key.pem
smtpd_use_tls=yes

Dorucovani pres Dovecot

Pozor, nefunguje dovecot_destination_recipient_limit = 1

master.cf
dovecot   unix  -        n       n       -       -       pipe
#  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${user}@${nexthop}

Antispam, antivir, blacklisty a greylisting

apt-get install amavis clamav

Odkomentovat v /etc/amavis/conf.d/15-content-filter-mode radky pro predani e-mailu ke kontrole

/etc/amavis/conf.d/15-content-filter-mode
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
main.cf
# Anti spam/vir/komunista
content_filter = zabijak:[127.0.0.1]:10024
master.cf
zabijak    unix  -       -       -       -       5        smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n -        -       -       -        smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

SPF - cast prvni

Kdyz jsme venovali tolik prace DNS, ukazeme si pomerne hezkou antispamovou techniku. Jedna se o hlubsi overovani domeny odesilatele. Konkretne se dotazeme serveru jahoda.cz, jestli adresa 1.2.3.4 mohla odeslat e-mail From:nekdo@jahoda.cz.

Pokud spravce domeny jahoda.cz presne vi, ze vsichni jeho uzivatele pouzivaji jeden centralni server, vuci kteremu se overuji a odesilaji pres nej postu, pak muze vesele do DNS napsat informaci: “Mame jeden centralni server pres ktery odesilame postu na IPv4: 9.8.7.6, jine jsou podvod.”

Akorat se to zapisuje takto:

jahoda.cz. IN TXT "v=spf1 ip4:9.8.7.6 -all"

Zaznamy, ktere nemaji pred sebou znamenko +/- se berou, jako by mely +. Tedy “+ipv4” v nasem prikladu.

Vysvetleni:

Kdyby nekoho zajimalo, jak vypada nas SPF zaznam, tady je:

 starlab.cz. IN TXT "v=spf1 mx -all".

Promite mi, ze to sem pisu, vdyt' vsichni umite

 host -t txt starlab.cz

Upozorneni: Tim ovsem pomahate jen druhym, aby e-maily s vasi podvrzenou domenou nikde nezpusobovali spam. Jeste je potreba take nastavit druhou cast tj. implementovat ochranu na vlastnim serveru.

SPF - cast druha

Zarazeni do postfixu je obvykla trojkombinace

A pak trocha ladeni a opravovani preklepu.

Existuje python i perl verze.

 apt-get install postfix-policyd-spf-python
 apt-get install postfix-policyd-spf-perl

Pro ty co se nudi mohou napsat pojednani, jaky je mezi nimi rozdil.

Do main.cf pridame kamkoliv

policy-spf_time_limit = 3600s

A do master.cf pridame treba pythonovsky skript

policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/bin/policyd-spf

A obohatime smtpd_recipient_restrictions v main.cf:

smtpd_recipient_restrictions =
     ...
     permit_sasl_authenticated
     permit_mynetworks
     reject_unauth_destination
     check_policy_service unix:private/policy-spf

Sieve filtry v akci

Globalni filtr pro razeni spamu vsem uzivatelum do slozky spam.

/srv/mail/globalsieverc
require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
  fileinto "spam";
  stop;
}

Ladeni vykonu a statistiky

apt-get install mailgraph
apt-get install collectd --no-install-recommends

Automaticka odpoved v dobe nepritomnosti

master.cf
moje_prazdniny unix  -       n       n       -       -       pipe
  flags=Rq user=autoreply argv=/home/autoreply/autoreply.pl -f ${sender} -- ${recipient}
vacation.pl.gz.base64
H4sICKCBWlMAA3ZhY2F0aW9uLnBsAK1Ze3fTyA7/m3wK4bYnzjaPBpZ9JLTbkoZL7iltTxPY5dCS
dewJma1jG3vStIf2fvYrafyKHQIXbnpI7BlJI/2kkTTD1uPWIgpbE+m1AhG60FhWtipb8FaGamG5
8NayLSV9D5422zg8uYPXMrJnFpwLJcIIns/1q6VgJj/OnoHjK/CEOkDinh/chTiowLRr8GRv7wk0
6OcZvCLSx0hyIm3hRQIG3tTvwEypoNNqLZfLZuBHaipvLWcuvabtz1t/TKUr9k8Gvf7psN8c/TVi
NY8cR5J6UQdfUPTPrb1fW+2nAMfWjXTgLJr4oQfP/ShyxA0p6Vi+7bNE0jD/iVQobVWHIPRtEUUi
QlPmlvTAFTfCBcuVFg7WYe6Hosi6mIT+QkmP5iPhORCKwL2DaejPwUcIpIdQKh8sxwlRNqvO2rbb
rb3fv0dbNFw4EN1Frv8R1w8CP1TZbIF46JIXUKGJUOg1QB5U6SMsZ9KegfRsd+GgvXNUzfoopFNc
68ZH7aQ3lZ5UArn9IIKlVLMEoRgbNGuBvjx+Mejyg0a0W6nM72DbmYzVXSBgH6rzu+iTW+0mwzN0
NQ27vm259JJNoZSQpvLRkM0GVhTRbHTtu8KT2YRnzcUX2Mg7qLOL0wYHfkSRn4wamgjxoWhjGjUP
WjfxJmjihNElSLYgCoQtp3dgAZPykjMRCpj6IYhbax64ogN5Tq2dmCy+IJynSDwKF8H/Ipw5tXk6
IPZhr8tatkFOyd0gPHQG+jia+QvXwUCgOFUUk5olcdIMedGBjQOMO0/YyjTwrZN4r5Og20kcZ9TB
SDyVPJNf8PkzXFgyEv0wRKX3D1CXhxoGwxYgrUMrO5hCbJUFVrw7KMCuF4GOs9gffmD7C0/t76EA
3G0YeONPCxHewecK2ok05ja/11D9w3E3HtyOFNlDZjUOAtyTVihSQlTKkQKMnuVVFcSzoGc7MY8I
QwziS89giSQOx26FvUBtV/mTUTUTkIjQ5CxCCwiFWuAGp4lu5SG1hN2Xs0R67Trg9xP+fsrfP/P3
M/7+JWclutfMR1UtlbPtWEowjR8ID8zj/os3/0IPHRzk6I0UB9N441kTlICOYQatlSZiMfbMD1A7
Eovr/82/xu7Ou9bOvLXjwM6rzs7rzs7Q+FuTB6HEAONVwdjnD8TM/ElQTUinCe1OBPew/gt5GIGv
4KPVdX3MQdpsrdFDDnPbstFTGebKR1bK14UI0lG2D58+fR72T/q9EWjOlxdnr9MNCH++6l/0QVAK
2a+irCocnR7Dy8Hp8XhwOh72R2aVhVfrzF17KERoGs5JdKbz4Q0FMEdS6C+j1Oc8gds89jdFZ07V
N+fHR6N+ph9qoPXe752d9o5GJr/Uq/SnFauVbXhI3LNRyYd8YIc3+bimvJMhnFYXBDpFG3+Q+B9M
AwXc0+DVAR7ntczaOKiH74YnZxTV92kXQ8UNq0YjADKlidnFh4ZKG5kNEa85MdohWSQOTL0KGGdY
yhsjbFQwHF+i9vzwWts1OOa3obaGno2CoXkAYqMThJNg1QvFCjxk5icFKbZf264Np+0cT2827Qe2
cgoFMAzM1wECAg2MkWArM/MTC/PwZAhAsvlju9no4hblMp3FT4wiIxoLx6eJ7+STvkbm9dHghGIi
V+4xAhpTreQGmNI+IJ/CSBoYOSsT5fPTMRjrpkqYrCPq+Z7CgtwYUZUFJW5VK3Cxt+qir6wwEmpf
Rn7jt9+e/d54so7/r8YJFskOnOuWB/tD7HlKXfylt46XQVzxB43X0q2M5dkZh8Jyx0mFzrzC+aJQ
j3Z3s4oNB9joZts2zgqmUZZJLI+phbAXYYhQuFRCWTwN9i8uzi6yh2yPakNMA3u9SJIvV/pUfFuj
PnVRz7Xsgyb0ZsK+5jHuY5kPYUpDX9xKBe0s2XFaRnHMv6FQ8PzGQsG/VbDwwGDZSt6I/fYPVIYK
d3wX2JYGknq7GdqSLFwoG+1c2UhNIXGxTWwrCDcSa8tLbOBHn3Y/2aeB08bFIKfmfVsZYU3WWVQw
SkYIl16vjluDPId20UIT/7ZkctnqNLUziIe4TrrmVCh7hgNjKwytu+4K4ba2EEmR4P3eVW72uzzP
4tZ5/tug2oQWA3bE6q6B44txsC4aWMvcmg+ZR/6k4510XVzjhvMnNe28idadmpvNZsyZRNWqH8xt
Oj9gOtfMlE+iwJXKbB226nFU1jZj/pVgvDyMZVd/GOd0Kg/4CHvCUNgit/esNVB80Quw4oZvDk1N
u72UrmNboYNHCT5Ll6M0wZkoY6zpcT3eK+Jq+chiW3XCzJ/9VwjYsmSdkmn4IbvruVCj5ctJ2iyq
8WhFTiE9rcDhieU4DWK+Q2hC9bCK3zmju9+rViq9pFKl9PhQbJFLi6RVlnqPcbJbY/ULdRYZ6TZp
nLU//Bp3RvzM7RE/pc3WV080iThqA76hXv3fDi+57PNtAU+86dmtgAmf3SjaNNDd1AXpAds03g/7
eCy76A/Pz06H/StOVwWwOnzENAiFpP0AM0a2k2Jc01Sjs05udT02fPPi3whqZ9VVeu7tEZ69Bmen
kBHpjVqYfnF2/C6ea1/lW5GkK15jez2RVU8Y81zcdBVMLYdMPpCSY1lyFqEw3fryBzgZbCDQH75m
Wu3lbXuloc/Clu+KRtY1XX1ZDl02W4EVqspyRkch8/lwdDw4PYhjyLUw8VF8tD5st2pppLU+0FKd
y2jXbP6EXttuSYoRfVjBYGt3s2NW6wO6uESJVaVEZ9tlOtsu08VWlYmTw1GJI7a+QYFYZMpOTyW2
gEqPIzxbMNtk4V7fuzJS9/8svOua5uc21tyrrTDeNqjbJab4rvQS+Lb0Em700eEyzQVlKRQRMJiC
kGqGOVafkHBL0VmI7tI8X2FWQ6cSU4UWfKyBv7+HxwhsUV4lcYtrxzGiY6CXtHlSVbn98yc30l9E
nDKplKXyYwH/gZb5/nJ52WjuXO1eHuJjs3G1W2uVXZ8xiU9gGKRZJuODv/RE2LhvmKHAzIZw8kDt
8vD+g0n7DycdS8x9757Qm2MI8mwZKTRiqEIZaGiw6evZ+jdYRDO6M5zTQYVzHW2QQ7o5D8a2Hac/
yA0qXw9mJbsOP+E/xowwRcw4TwqsXcKhwCRtCiLXchMlq8tamYUF60UZNX2zfxgJK7RnSaZOTdW5
Mz1yEajxPq5Q3i2Kj/cxO2S82YWVR4mCuZUxdbR1snq0kvFHF4NzTPm9wfmgfzoaXnXAKNzFtDH1
NozsK3cTgbbwEvrefcUg/X8nKx12bFZOqVqugnPd39hYjGsbKmShkr08e4OlLKkYa6zKp9ikWKQ5
vfJoXbthligLcvK5OYFor1v5L3Gl/PBDHAAA

LDAP

http://www.howtoforge.com/postfix-virtual-hosting-with-ldap-backend-and-with-dovecot-as-imap-pop3-server-on-ubuntu-karmic-koala-9.10-p2