hbruns
21.02.06, 13:13
Hallo zusammen,
ich habe bei uns einen neuen SLES9 + OpenXchange Server aufgetzt und die Postfix main.cf um einige Regeln erweitert.
Der Server soll Mails senden umd empfangen.
Sind die smtp_reciepient_restircions so in der richtigen Reihenfolge?
Bin mit hier nicht ganz sicher ob die reject_rbl´s an der richtigen Stelle stehen.
Ist diese Configuration so sicher, oder fehlt hier vielleicht noch was wichtiges?
main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
mail_spool_directory = /var/mail
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
mail_owner = postfix
#default_privs = nobody
myhostname = webmailgateway.tricontes.com
mydomain = tricontes.com
myorigin = $myhostname
mydestination = $myhostname,localhost.$mydomain
inet_interfaces = all
local_recipient_maps =
unknown_local_recipient_reject_code = 450
mynetworks = 127.0.0.1,10.2.0.0/24
#relay_domains = $mydestination
relayhost =
recipient_delimiter = +
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport = lmtp:unix:/file/name
#luser_relay = **LUSER_RELAY**
smtpd_banner = $myhostname
transport_maps = ldap:ldaptrans
virtual_alias_maps = hash:/etc/postfix/virtual,ldap:ldapaliases
virtual_alias_domains = ldap:ldapvdom
alias_maps = hash:/etc/aliases,ldap:ldapsharedfolder
disable_dns_lookups = no
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
###masquerade_domains = $mydomain
defer_transports =
message_size_limit = 15728640
mailbox_size_limit = 0
#smtpd_recipient_restrictions = permit_mynetworks,permit_tls_clientcerts,permit_sa sl_authenticated,reject_unauth_destination
###Meine Aenderungen####
smtp_host_lookup = dns
smtpd_helo_required = yes
smtpd_sender_restrictions =
reject_unknown_sender_domain
reject_non_fqdn_sender
smtpd_recipient_restrictions =
reject_unknown_sender_domain
reject_non_fqdn_sender
reject_invalid_hostname
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_destination
reject_rbl_client relays.ordb.org
reject_rbl_client bl.spamcop.net
################ SASL config ##############
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
###########################################
################ TLS config ################
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile= /etc/ssl/newcerts/server.crt
smtpd_tls_key_file = /etc/ssl/newcerts/server_priv.key
smtpd_tls_cert_file = /etc/ssl/newcerts/server.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
#############################################
############Meine Aenderungen Ende#############
#ldap_restrictions_server_host = 127.0.0.1
#ldap_restrictions_server_port = 389
#ldap_restrictions_bind = no
#ldap_restrictions_timeout = 20
#ldap_restrictions_search_base = ou=peopleSYSTEM_LDAP_BASE,
#ldap_restrictions_query_filter = (|(mail=%s)(alias=%s))
#ldap_restrictions_result_attribute = lnetMailAccess
#ldap_restrictions_scope = sub
ldaptrans_server_host= 127.0.0.1
ldaptrans_server_port= 389
ldaptrans_bind= no
ldaptrans_timeout= 20
ldaptrans_search_base= ou=MailTransports,ou=SMTPObjects,ou=AdminObjects,o u=OxObjects,dc=tricontes,dc=com
ldaptrans_query_filter= (&(objectclass=OXMailTransportObject)(smtpDomain=%s) )
ldaptrans_result_attribute= smtpDomainTransportNexthop
ldaptrans_scope= one
ldapvdom_server_host= 127.0.0.1
ldapvdom_server_port= 389
ldapvdom_bind= no
ldapvdom_timeout= 20
ldapvdom_search_base= ou=DNSObjects,ou=AdminObjects,ou=OxObjects,dc=tric ontes,dc=com
ldapvdom_query_filter= (&(objectclass=OXVDomainObject)(domainName=%s)(MTALo caldomain=OK))
ldapvdom_result_attribute= domainName
ldapvdom_scope= sub
ldapaliases_server_host= 127.0.0.1
ldapaliases_server_port= 389
ldapaliases_bind= no
ldapaliases_timeout= 20
ldapaliases_search_base= dc=tricontes,dc=com
ldapaliases_query_filter= (|(&(alias=%s)(objectclass=shadowAccount)(mailenabled= OK))(&(aliasName=%s)(objectclass=OXAlias))(&(mail=%s)(objectclass=shadowAccount)(mailenabled=O K)))
ldapaliases_result_attribute= uid,aliasRecipient
ldapaliases_scope= sub
ldapsharedfolder_server_host= 127.0.0.1
ldapsharedfolder_server_port= 389
ldapsharedfolder_bind= no
ldapsharedfolder_timeout= 20
ldapsharedfolder_search_base= ou=SharedFolder,ou=OxObjects,dc=tricontes,dc=com
ldapsharedfolder_query_filter= (&(objectclass=OXIMAPFolderObject)(|(fn=%u)(fn=%s)))
ldapsharedfolder_result_attribute= deliverToUID,mailDeliveryProgram
ldapsharedfolder_scope= sub
ldaplocdom_server_host= 127.0.0.1
ldaplocdom_server_port= 389
ldaplocdom_bind= no
ldaplocdom_timeout= 20
ldaplocdom_search_base= ou=DNSObjects,ou=AdminObjects,ou=OxObjects,dc=tric ontes,dc=com
ldaplocdom_query_filter= (&(objectclass=OXVDomainObject)(domainName=%s))
ldaplocdom_result_attribute= MTALocaldomain
ldaplocdom_scope= sub
ldapchecksender_server_host= 127.0.0.1
ldapchecksender_server_port= 389
ldapchecksender_bind= no
ldapchecksender_timeout= 20
ldapchecksender_search_base= ou=people,dc=tricontes,dc=com
ldapchecksender_query_filter= (|(&(alias=%s)(objectclass=shadowAccount))(&(mail=%s)(objectclass=shadowAccount)))
ldapchecksender_result_attribute = lnetMailAccess
ldapchecksender_scope= sub
master.cf
# ================================================== ========================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ================================================== ========================
smtp inet n - n - - smtpd
### KASPERSKY ANTI-SPAM BEGIN ###
-o content_filter=lmtp:127.0.0.1:9026
### KASPERSKY ANTI-SPAM END ###
##<KIS55> ## Added by Kaspersky Anti-Virus Installer ##
### -o content_filter=lmtp:127.0.0.1:10030
## Added by Kaspersky Anti-Virus Installer ##<KIS55>
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
### KASPERSKY ANTI-SPAM BEGIN ###
-o content_filter=lmtp:127.0.0.1:9026
### KASPERSKY ANTI-SPAM END ###
##<KIS55> ## Added by Kaspersky Anti-Virus Installer ##
### -o content_filter=lmtp:127.0.0.1:10030
## Added by Kaspersky Anti-Virus Installer ##<KIS55>
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 nqmgr
#tlsmgr fifo - - n 300 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
#localhost:10025 inet n - n - - smtpd -o content_filter=
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
vscan unix - n n - 10 pipe
user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
procmail unix - n n - - pipe
flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
###### SPAMASSASIN #####
#spamassassin unix - n n - - pipe user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
#<KIS55>
127.0.0.1:10030 inet n n n - 20 spawn
user=kluser argv=/opt/kav/5.5/kav4mailservers/bin/smtpscanner
127.0.0.1:10031 inet n - n - 21 smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o myhostname=webmailgateway
#<KIS55>
### KASPERSKY ANTI-SPAM BEGIN ###
127.0.0.1:9026 inet n n n - 20 spawn
user=mailflt argv=/usr/local/ap-mailfilter/bin/kas-pipe -c /usr/local/ap-mailfilter/etc/kas-pipe-postfix.conf
### KASPERSKY ANTI-SPAM END ###
Vielen Dank im voraus
Gruß
Hans-Peter
ich habe bei uns einen neuen SLES9 + OpenXchange Server aufgetzt und die Postfix main.cf um einige Regeln erweitert.
Der Server soll Mails senden umd empfangen.
Sind die smtp_reciepient_restircions so in der richtigen Reihenfolge?
Bin mit hier nicht ganz sicher ob die reject_rbl´s an der richtigen Stelle stehen.
Ist diese Configuration so sicher, oder fehlt hier vielleicht noch was wichtiges?
main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
mail_spool_directory = /var/mail
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
mail_owner = postfix
#default_privs = nobody
myhostname = webmailgateway.tricontes.com
mydomain = tricontes.com
myorigin = $myhostname
mydestination = $myhostname,localhost.$mydomain
inet_interfaces = all
local_recipient_maps =
unknown_local_recipient_reject_code = 450
mynetworks = 127.0.0.1,10.2.0.0/24
#relay_domains = $mydestination
relayhost =
recipient_delimiter = +
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport = lmtp:unix:/file/name
#luser_relay = **LUSER_RELAY**
smtpd_banner = $myhostname
transport_maps = ldap:ldaptrans
virtual_alias_maps = hash:/etc/postfix/virtual,ldap:ldapaliases
virtual_alias_domains = ldap:ldapvdom
alias_maps = hash:/etc/aliases,ldap:ldapsharedfolder
disable_dns_lookups = no
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
###masquerade_domains = $mydomain
defer_transports =
message_size_limit = 15728640
mailbox_size_limit = 0
#smtpd_recipient_restrictions = permit_mynetworks,permit_tls_clientcerts,permit_sa sl_authenticated,reject_unauth_destination
###Meine Aenderungen####
smtp_host_lookup = dns
smtpd_helo_required = yes
smtpd_sender_restrictions =
reject_unknown_sender_domain
reject_non_fqdn_sender
smtpd_recipient_restrictions =
reject_unknown_sender_domain
reject_non_fqdn_sender
reject_invalid_hostname
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_destination
reject_rbl_client relays.ordb.org
reject_rbl_client bl.spamcop.net
################ SASL config ##############
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
###########################################
################ TLS config ################
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile= /etc/ssl/newcerts/server.crt
smtpd_tls_key_file = /etc/ssl/newcerts/server_priv.key
smtpd_tls_cert_file = /etc/ssl/newcerts/server.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
#############################################
############Meine Aenderungen Ende#############
#ldap_restrictions_server_host = 127.0.0.1
#ldap_restrictions_server_port = 389
#ldap_restrictions_bind = no
#ldap_restrictions_timeout = 20
#ldap_restrictions_search_base = ou=peopleSYSTEM_LDAP_BASE,
#ldap_restrictions_query_filter = (|(mail=%s)(alias=%s))
#ldap_restrictions_result_attribute = lnetMailAccess
#ldap_restrictions_scope = sub
ldaptrans_server_host= 127.0.0.1
ldaptrans_server_port= 389
ldaptrans_bind= no
ldaptrans_timeout= 20
ldaptrans_search_base= ou=MailTransports,ou=SMTPObjects,ou=AdminObjects,o u=OxObjects,dc=tricontes,dc=com
ldaptrans_query_filter= (&(objectclass=OXMailTransportObject)(smtpDomain=%s) )
ldaptrans_result_attribute= smtpDomainTransportNexthop
ldaptrans_scope= one
ldapvdom_server_host= 127.0.0.1
ldapvdom_server_port= 389
ldapvdom_bind= no
ldapvdom_timeout= 20
ldapvdom_search_base= ou=DNSObjects,ou=AdminObjects,ou=OxObjects,dc=tric ontes,dc=com
ldapvdom_query_filter= (&(objectclass=OXVDomainObject)(domainName=%s)(MTALo caldomain=OK))
ldapvdom_result_attribute= domainName
ldapvdom_scope= sub
ldapaliases_server_host= 127.0.0.1
ldapaliases_server_port= 389
ldapaliases_bind= no
ldapaliases_timeout= 20
ldapaliases_search_base= dc=tricontes,dc=com
ldapaliases_query_filter= (|(&(alias=%s)(objectclass=shadowAccount)(mailenabled= OK))(&(aliasName=%s)(objectclass=OXAlias))(&(mail=%s)(objectclass=shadowAccount)(mailenabled=O K)))
ldapaliases_result_attribute= uid,aliasRecipient
ldapaliases_scope= sub
ldapsharedfolder_server_host= 127.0.0.1
ldapsharedfolder_server_port= 389
ldapsharedfolder_bind= no
ldapsharedfolder_timeout= 20
ldapsharedfolder_search_base= ou=SharedFolder,ou=OxObjects,dc=tricontes,dc=com
ldapsharedfolder_query_filter= (&(objectclass=OXIMAPFolderObject)(|(fn=%u)(fn=%s)))
ldapsharedfolder_result_attribute= deliverToUID,mailDeliveryProgram
ldapsharedfolder_scope= sub
ldaplocdom_server_host= 127.0.0.1
ldaplocdom_server_port= 389
ldaplocdom_bind= no
ldaplocdom_timeout= 20
ldaplocdom_search_base= ou=DNSObjects,ou=AdminObjects,ou=OxObjects,dc=tric ontes,dc=com
ldaplocdom_query_filter= (&(objectclass=OXVDomainObject)(domainName=%s))
ldaplocdom_result_attribute= MTALocaldomain
ldaplocdom_scope= sub
ldapchecksender_server_host= 127.0.0.1
ldapchecksender_server_port= 389
ldapchecksender_bind= no
ldapchecksender_timeout= 20
ldapchecksender_search_base= ou=people,dc=tricontes,dc=com
ldapchecksender_query_filter= (|(&(alias=%s)(objectclass=shadowAccount))(&(mail=%s)(objectclass=shadowAccount)))
ldapchecksender_result_attribute = lnetMailAccess
ldapchecksender_scope= sub
master.cf
# ================================================== ========================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ================================================== ========================
smtp inet n - n - - smtpd
### KASPERSKY ANTI-SPAM BEGIN ###
-o content_filter=lmtp:127.0.0.1:9026
### KASPERSKY ANTI-SPAM END ###
##<KIS55> ## Added by Kaspersky Anti-Virus Installer ##
### -o content_filter=lmtp:127.0.0.1:10030
## Added by Kaspersky Anti-Virus Installer ##<KIS55>
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
### KASPERSKY ANTI-SPAM BEGIN ###
-o content_filter=lmtp:127.0.0.1:9026
### KASPERSKY ANTI-SPAM END ###
##<KIS55> ## Added by Kaspersky Anti-Virus Installer ##
### -o content_filter=lmtp:127.0.0.1:10030
## Added by Kaspersky Anti-Virus Installer ##<KIS55>
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 nqmgr
#tlsmgr fifo - - n 300 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
#localhost:10025 inet n - n - - smtpd -o content_filter=
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
vscan unix - n n - 10 pipe
user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
procmail unix - n n - - pipe
flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
###### SPAMASSASIN #####
#spamassassin unix - n n - - pipe user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
#<KIS55>
127.0.0.1:10030 inet n n n - 20 spawn
user=kluser argv=/opt/kav/5.5/kav4mailservers/bin/smtpscanner
127.0.0.1:10031 inet n - n - 21 smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o myhostname=webmailgateway
#<KIS55>
### KASPERSKY ANTI-SPAM BEGIN ###
127.0.0.1:9026 inet n n n - 20 spawn
user=mailflt argv=/usr/local/ap-mailfilter/bin/kas-pipe -c /usr/local/ap-mailfilter/etc/kas-pipe-postfix.conf
### KASPERSKY ANTI-SPAM END ###
Vielen Dank im voraus
Gruß
Hans-Peter