
Setting up a strong anti-spam MX with Postfix

Introduction

The Postfix config syntax changes depending on the version. I am using 3.1.0 here. Check with,

postconf -d|grep ^mail_ver

In this guide, the users' Maildir folders may be stored on a shared volume (NFS or a shared-disk file system), but the user database still lives on the server itself, in /etc/passwd. It would be better to switch the mappings to MariaDB or similar, so that the running node is independent of the data. The same applies if you run this as a Docker container: the container provides the application and is ideally data-independent.

Requirements

Make sure your system is up to date,

apt update
apt -y full-upgrade
apt autoremove
dpkg -l | grep ^rc

Make sure you’ve got those installed,

apt -y install \
    postfix bsd-mailx rsyslog \
    postfix-policyd-spf-python
#mailutils pmailq

Postfix prep

Make some handy symlinks for operations (assuming this is a dedicated node or container),

cd ~/
ln -s ../home
ln -s ../etc/postfix
ln -s /etc/aliases
ln -s /var/log/mail.log
ln -s /var/log/mail.err

Back up the confs,

cd /etc/postfix/
cp -pi main.cf main.cf.dist
cp -pi master.cf master.cf.dist

and edit the configurations based on those examples,

vi main.cf

main.cf

vi master.cf

master.cf

Note that the Docker network 172.17.0.0/16 is added to mynetworks so e.g. the RBL checks won’t be performed against the MX server itself.

The helo.regexp file may look like,

/^ovh\.nethence\.com$/          550 you are not ovh.nethence.com
/^nethence\.com$/               550 you are not nethence.com

The sender_access file may look like this (optional, as it goes together with the unverified sender policy feature, which is not enabled),

securityfocus.com       OK
online.net              OK
ovh.com                 OK

Make sure your DNS settings are SPF ready e.g.,

* IN TXT "v=spf1 +mx +a:ovh.nethence.com ?a:yoursmarthost -all"
@ IN TXT "v=spf1 +mx +a:ovh.nethence.com ?a:yoursmarthost -all"

and check,

host -t txt nethence.com
host -t txt spoof.nethence.com
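Before publishing a record like the one above, it is worth checking it offline for the mistakes that turn SPF into a permerror or a no-op: a missing v=spf1 prefix, unknown terms, terms placed after all (never evaluated), and more than ten DNS-lookup terms (RFC 7208 section 4.6.4). The following POSIX sh linter is an added example, not part of the guide; the function names (spf_terms, spf_lookups, spf_lint) are mine, and the sample record is the one from this guide.

```shell
#!/bin/sh
# Offline sanity checks for an SPF record before it goes into DNS.

# spf_terms RECORD: print one term per line. Globbing is switched off while
# the record is split, so a term such as '?a:host' is never expanded as a
# file glob against the current directory.
spf_terms() {
    set -f
    set -- $1
    set +f
    printf '%s\n' "$@"
}

# spf_lookups RECORD: count the terms that cost the receiver a DNS query
# (include, a, mx, ptr, exists and the redirect= modifier). RFC 7208 caps
# these at 10 per record; ip4, ip6 and all are free.
spf_lookups() {
    spf_terms "$1" | grep -Eic '^[-+~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=' || true
}

# spf_lint RECORD: print the problems found and the lookup count;
# exit status 0 when the record is clean, 1 otherwise.
spf_lint() {
    rec=$1 rc=0 seen_all=0 seen_redirect=0
    case $rec in
        v=spf1|"v=spf1 "*) ;;
        *) echo "error: record must start with 'v=spf1'"; rc=1 ;;
    esac
    set -f
    set -- $rec
    set +f
    for term in "$@"; do
        t=$(printf '%s' "$term" | tr 'A-Z' 'a-z')     # terms are case-insensitive
        [ "$t" = v=spf1 ] && continue
        if [ "$seen_all" = 1 ]; then
            echo "warning: '$term' comes after 'all' and is never evaluated"; rc=1
            continue
        fi
        case $t in [-+~?]*) t=${t#?} ;; esac           # drop the qualifier
        name=${t%%[:/=]*}
        case $name in
            all)                             seen_all=1 ;;
            include|a|mx|ptr|exists|ip4|ip6) ;;
            redirect)                        seen_redirect=1 ;;
            exp)                             ;;
            *) echo "error: unknown term '$term'"; rc=1 ;;
        esac
    done
    n=$(spf_lookups "$rec")
    if [ "$n" -gt 10 ]; then
        echo "error: $n DNS-lookup terms, RFC 7208 allows at most 10 (receivers return permerror)"; rc=1
    fi
    if [ "$seen_all" = 0 ] && [ "$seen_redirect" = 0 ]; then
        echo "warning: no 'all' or 'redirect=' term, unlisted senders get a neutral result"; rc=1
    fi
    echo "lookups=$n"
    return "$rc"
}

# Usage: spf_lint 'v=spf1 +mx +a:ovh.nethence.com ?a:yoursmarthost -all'
```

To lint what is actually published, paste the quoted string from the host -t txt output into spf_lint. Note that the count is per record only; includes and redirects pull in further lookups from the referenced domains, which this offline check cannot follow.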

Refs.

Allow Postfix to resolve hosts from its chroot land,

cd /var/spool/postfix/etc/
cp -pf /etc/resolv.conf /etc/hosts /etc/services ./

mkdir -p /var/spool/postfix/lib/x86_64-linux-gnu/
cd /var/spool/postfix/lib/x86_64-linux-gnu/
cp -vl /lib/x86_64-linux-gnu/libnss_* ./
ls -alhF
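The copies made above go stale silently: when /etc/resolv.conf changes or a glibc upgrade replaces the libnss_* files, the chrooted smtpd keeps using the old ones and name resolution (and with it the RBL and SPF checks) quietly breaks. The script below is an added example, not part of the guide, that wraps the same copy step in a function and adds a drift check; the function names sync_chroot and check_chroot, and the source/destination arguments, are my own. It uses cp -p copies instead of the hard links above, so it also works when the spool lives on another file system.

```shell
#!/bin/sh
# Keep the resolver files inside the Postfix chroot in sync with the host
# and detect when they have gone stale.

# Relative to the chroot root: the files the chrooted daemons need to
# resolve names, and the directory glibc loads its NSS modules from.
CHROOT_ETC_FILES="etc/resolv.conf etc/hosts etc/services"
CHROOT_LIB_DIR="lib/x86_64-linux-gnu"

# sync_chroot SRC DST: copy the files from SRC (normally /) into the chroot
# at DST (normally /var/spool/postfix), preserving mode and mtime.
sync_chroot() {
    src=${1%/} dst=${2%/}
    if [ -z "$dst" ]; then
        echo "refusing to sync into /" >&2
        return 2
    fi
    for f in $CHROOT_ETC_FILES; do
        if [ -f "$src/$f" ]; then
            mkdir -p "$dst/${f%/*}"
            cp -pf "$src/$f" "$dst/$f"
        else
            echo "skip: $src/$f is not present on the host" >&2
        fi
    done
    mkdir -p "$dst/$CHROOT_LIB_DIR"
    for lib in "$src/$CHROOT_LIB_DIR"/libnss_*; do
        [ -e "$lib" ] || continue            # the glob matched nothing
        cp -pf "$lib" "$dst/$CHROOT_LIB_DIR/"
    done
}

# check_chroot SRC DST: exit 0 when every file is present in the chroot and
# identical to the host copy; otherwise list what is missing or stale, exit 1.
check_chroot() {
    src=${1%/} dst=${2%/} bad=0
    for f in $CHROOT_ETC_FILES; do
        if [ ! -f "$dst/$f" ]; then
            echo "missing: $dst/$f"; bad=1
        elif [ -f "$src/$f" ] && ! cmp -s "$src/$f" "$dst/$f"; then
            echo "stale: $dst/$f differs from $src/$f"; bad=1
        fi
    done
    for lib in "$src/$CHROOT_LIB_DIR"/libnss_*; do
        [ -e "$lib" ] || continue
        if ! cmp -s "$lib" "$dst/$CHROOT_LIB_DIR/${lib##*/}"; then
            echo "missing or stale: $dst/$CHROOT_LIB_DIR/${lib##*/}"; bad=1
        fi
    done
    [ "$bad" = 0 ] && echo "chroot resolver files are in sync with ${src:-/}"
    return "$bad"
}

# Command-line use:  ./chroot-sync.sh sync  / /var/spool/postfix
#                    ./chroot-sync.sh check / /var/spool/postfix
case ${1:-} in
    sync)  sync_chroot  "${2:-/}" "${3:-/var/spool/postfix}" ;;
    check) check_chroot "${2:-/}" "${3:-/var/spool/postfix}" ;;
esac
```

Running the check from cron (or right after apt full-upgrade) and re-syncing when it fails is enough to keep the chroot honest; a non-zero exit is the signal.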

Make sure the mail users don’t get the dotfile skeletons,

mv -i /etc/skel/ /etc/skel.dist/
mkdir /etc/skel/

Don’t forget to tweak the system’s or container’s aliases e.g.,

cd /etc/
cp -pi aliases aliases.dist
vi aliases

root: real_mailbox_user
wheeleduser: root
abuse: root
contact: root
info: root
sales: root
hostmaster: root
www: root
webmaster: root

newaliases

Dovecot prep

You could run the IMAP server on another system, but since the passwords are managed locally for now in this Postfix guide, there is no other choice. It also needs to point to the same Maildir location anyway.

apt -y install dovecot-imapd
cd /etc/dovecot/
cp -pi dovecot.conf dovecot.conf.dist
cd conf.d/
cp -pi 10-auth.conf.dist 10-auth.conf
vi 10-auth.conf

disable_plaintext_auth = yes

cp -pi 10-mail.conf 10-mail.conf.dist
vi 10-mail.conf

mail_location = maildir:~/Maildir

cp -pi 10-ssl.conf 10-ssl.conf.dist
vi 10-ssl.conf

ssl = yes
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

cp -pi 20-imap.conf 20-imap.conf.dist
vi 20-imap.conf

imap_client_workarounds = tb-extra-mailbox-sep

Ready to go

Assuming you stick to the provided init scripts, restart the thing,

service postfix restart

otherwise,

postfix stop
postfix start

then for minor changes,

postfix reload

Make sure the unix socket of the SPF policy daemon is up and running,

netstat -an|grep policy

Read the logs,

tail -F /var/log/mail.*

while doing some testing from remote hosts (try from an authorized IP as well as from an IP that should be blocked, e.g. an ADSL connection),

telnet newmx.nethence.com 25
helo my.real.resolvable.remote.fqdn
mail from:<some.real@email>
rcpt to:<user@example.com>

and also try to send an email to yourself with an email client, of course (is your smarthost in the SPF record?). And don't forget to do a last telnet check against an open-relay test service, just in case you messed up smtpd_relay_restrictions.
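The telnet dialogue above is easy to script so the same probe can be repeated from an authorized and from a should-be-blocked host and the results compared. The script below is an added example, not part of the guide; the function names (smtp_reply, smtp_code, smtp_send, smtp_probe) and the default sender and recipient addresses are mine. Only smtp_probe needs bash (for /dev/tcp); the reply parser is plain sh. The one part people get wrong by hand is multi-line replies: a line is a continuation while its fourth character is "-" ("250-PIPELINING"), and the reply ends on the first line with a space there ("250 HELP").

```shell
#!/bin/bash
# Scripted version of the manual telnet test: talk SMTP to the MX, stop after
# RCPT TO (nothing is delivered) and report what each step was answered with.

# smtp_reply: read one SMTP reply from standard input, print its final line
# (code plus the reason Postfix gives, e.g. which restriction fired).
smtp_reply() {
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}                  # strip the CR of CRLF
        sep=$(printf '%s' "$line" | cut -c4)
        if [ "$sep" != "-" ]; then          # "250 ..." ends the reply, "250-..." continues it
            printf '%s\n' "$line"
            return 0
        fi
    done
    echo "error: connection closed before a complete reply" >&2
    return 1
}

# smtp_code REPLY: the three-digit code at the start of a reply line.
smtp_code() {
    printf '%s\n' "$1" | cut -c1-3
}

# smtp_send COMMAND: send COMMAND (CRLF-terminated) on fd 3, print the reply.
smtp_send() {
    printf '%s\r\n' "$1" >&3
    smtp_reply <&3
}

# smtp_probe HOST [PORT] [HELO] [SENDER] [RECIPIENT]: run HELO, MAIL FROM and
# RCPT TO and print the step at which the MX said no. With the default
# smtpd_delay_reject = yes, Postfix reports client, HELO and sender rejections
# only at RCPT TO, so the dialogue always has to get that far to be meaningful.
smtp_probe() {
    host=$1 port=${2:-25}
    helo=${3:-$(hostname -f)} sender=${4:-postmaster@example.com} rcpt=${5:-user@example.com}
    exec 3<>"/dev/tcp/$host/$port" || return 2
    reply=$(smtp_reply <&3) || return 2
    echo "banner:  $reply"
    status=accepted
    for cmd in "HELO $helo" "MAIL FROM:<$sender>" "RCPT TO:<$rcpt>"; do
        reply=$(smtp_send "$cmd") || { status="connection dropped at $cmd"; break; }
        echo "$cmd -> $reply"
        case $(smtp_code "$reply") in
            2*) ;;
            *)  status="rejected at $cmd"; break ;;
        esac
    done
    printf 'QUIT\r\n' >&3
    exec 3>&-
    echo "result:  $status"
}

# Usage: smtp_probe newmx.nethence.com 25 my.real.resolvable.remote.fqdn some.real@email user@example.com
```

Run it once from a host listed in mynetworks or with a valid SPF/rDNS setup and once from a consumer connection; the first should reach "accepted", the second should end with a 5xx at RCPT TO whose text names the check that fired (RBL, SPF policy, unknown client hostname). A 2xx on the second run from a domain you do not relay for is exactly the smtpd_relay_restrictions mistake the paragraph above warns about.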

Operations

Creating / Removing Mailboxes

Create a new mailbox,

new=<someuser>
#useradd -g users -m -s /sbin/nologin $new
useradd -g users -m -s /dev/null $new
passwd $new
unset new

Note. The Maildir/ folder in the user's home directory will be created by Postfix when the first mail arrives.

Manual REJECT

Deal with spam that still made it through the protections described here (wow, that is one clean spam!): check the headers for the FQDN that connected to your MX and reject it manually so it doesn't spam you again,

vi /etc/postfix/client_access

manewsbio.com           REJECT spammers are not welcome
.manewsbio.com          REJECT spammers are not welcome

postmap /etc/postfix/client_access
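Both the helo.regexp table from the Postfix prep section and the client_access table above are consulted in ways that are not obvious from the files alone: regexp tables are case-insensitive POSIX EREs where the first matching line wins, and for a client hostname looked up in a hash table Postfix tries the full name and then each parent domain, as "manewsbio.com" when smtpd_access_maps is in parent_domain_matches_subdomains (the default) and as ".manewsbio.com" when it is not, which is why the example lists both forms. The script below is an added example, not part of the guide: it emulates these two lookups against constructed copies of the page's tables so you can predict a verdict before reloading. The function names (access_regexp, access_hash, hash_get, write_demo_tables) are mine, the regexp emulation assumes the usual "/" delimiter with no escaped slashes, and the hash emulation reads the plain-text source rather than the .db that postmap builds; it also covers only the hostname side of the client lookup, not the IP address and network lookups Postfix performs in addition.

```shell
#!/bin/sh
# Predict what Postfix will do with a HELO name or a client hostname by
# emulating the two access-table types this guide uses.

# access_regexp TABLE KEY: emulate a regexp: table lookup. Patterns are tried
# in file order, the first match wins, matching is a POSIX ERE and is
# case-insensitive by default. Prints the action, exit 1 when nothing matches.
access_regexp() {
    table=$1 key=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        pat=${line#/}; pat=${pat%%/*}                     # text between the slashes
        action=$(printf '%s' "${line#/*/}" | sed 's/^[[:space:]]*//')
        if printf '%s\n' "$key" | grep -Eiq -- "$pat"; then
            printf '%s\n' "$action"
            return 0
        fi
    done < "$table"
    return 1
}

# hash_get TABLE KEY: first line whose first field equals KEY (keys in hash
# tables are case-folded, like postmap does); print the rest of the line.
hash_get() {
    awk -v k="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == k { found = 1; $1 = ""; sub(/^[ \t]+/, ""); print; exit }
        END { exit !found }' "$1"
}

# access_hash TABLE KEY [PDMS]: the lookups smtpd performs for a client
# hostname in a hash: table: the full name first, then every parent domain,
# as "parent.tld" when PDMS=1 (smtpd_access_maps listed in
# parent_domain_matches_subdomains, the default) or ".parent.tld" when PDMS=0.
access_hash() {
    table=$1 pdms=${3:-1}
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    hash_get "$table" "$key" && return 0
    parent=$key
    while [ "${parent#*.}" != "$parent" ]; do
        parent=${parent#*.}
        if [ "$pdms" = 1 ]; then
            hash_get "$table" "$parent" && return 0
        else
            hash_get "$table" ".$parent" && return 0
        fi
    done
    return 1
}

# write_demo_tables DIR: constructed copies of the guide's two example tables.
write_demo_tables() {
    cat > "$1/helo.regexp" <<'EOF'
/^ovh\.nethence\.com$/          550 you are not ovh.nethence.com
/^nethence\.com$/               550 you are not nethence.com
EOF
    cat > "$1/client_access" <<'EOF'
# constructed copy of the client_access example from this guide
manewsbio.com           REJECT spammers are not welcome
.manewsbio.com          REJECT spammers are not welcome
EOF
}

# Usage:
#   d=$(mktemp -d); write_demo_tables "$d"
#   access_regexp "$d/helo.regexp" NETHENCE.COM        # matches, case-insensitive
#   access_hash   "$d/client_access" mail.manewsbio.com
#   access_hash   "$d/client_access" manewsbio.com.example.net   # no match: suffix only
```

On the live server, "postmap -q nethence.com regexp:/etc/postfix/helo.regexp" and "postmap -q mail.manewsbio.com hash:/etc/postfix/client_access" ask Postfix's own lookup code; note that postmap -q does the single exact lookup only, without the parent-domain walk smtpd adds, which is what the emulation above makes visible.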

(Optional) False-positives

The unverified sender feature is not enabled. If you do enable it, you need to deal with false positives on the domains that do not pass the brutal verify-sender-against-all setting,

vi /etc/postfix/sender_access

securityfocus.com       OK

postmap /etc/postfix/sender_access

Troubleshooting

If you get this error quite often in the logs,

close database /var/lib/postfix/verify_cache.db: No such file or directory (possible Berkeley DB bug)

==> use the proxy: prefix in the address_verify_map statement, as shown above.

Ref. http://www.postfix.org/ADDRESS_VERIFICATION_README.html

References

References about anti-spam & RFC compliance

References for MariaDB mappings