hackerbruecke.net

relayhost

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:56:33 +0000

Postfix configuration for a relayhost (MX) / Anti-SPAM-/UCE-settings smtpd (smtp + daemon) = server = Postfix receives mail from a client smtp = client = Postfix sends mail to another mailserver used Ports: 10023/tcp: postgrey 10024/tcp: amavisd-new 10025/tcp: policyd-weight

email

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 16:26:57 +0000

email Mailserver, Mailgateway, Anti-Spam [AMaVISd-new, SpamAssassin, dSpam, rspamd], SPF, DKIM, PFS etc. \\}} Postfix smtpd Postfix ist ein sehr mächtiger Mail Transport Agent, entwickelt von Wietse Venema. * Postfix Konfiguration für einen Mailserver * use of LDAP lookup maps * Postfix' Postscreen Modul anstatt policyd-weight oder postfwd * Postfix Anti-SPAM/UCE settings * Postfix SASL Konfiguraton * SMTP-authentication * TLS and SSL configuration (smtps) *

commserv

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 15:00:45 +0000

This documentation is work in progress, no liability for correctness can be given! Communications-Server Motivation Because I had to look for a log time around the Internet, asking a lot of questions on mailing-lists, reading books and talking to friends for configuring my commserv, thus having quite a bit of hassle getting things working, I'd like give my experiences back to the comunity.

config_test

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:55:27 +0000

Postfix-Konfiguration testen Die Postfix-Konfigurtation sollte auf alle fälle vor der Produktivnahme ausgiebig getestet und das Verhalten beobachtet werden! Test von main.cf und master.cf Test der Datei- und Verzeichnisrechte, sowie die Syntax von main.cf und master.cf von Postfix:

linux

anonymous@undisclosed.example.com (Anonymous) — Sat, 11 May 2024 11:50:33 +0000

Debian-Installation * Installation von GNU/Debian auf Hardware oder virtueller Instanz * zweite Netzwerkkarte mit wechselnder Konfiguration securing DNS and Mail * Domain Name System Security Extensions (DNSSEC) mit Bind9 * DNS-based Authentication of Named Entities (DANE) und TLS Authentication record (TLSA) * Sender Policy Framework (SPF) * DomainKeys Identified Mail (DKIM) * Domain-based Message Authentication, Reporting and Conformance (DMARC) * Authenticated Received…

email-server

anonymous@undisclosed.example.com (Anonymous) — Fri, 15 Sep 2017 14:18:58 +0000

email * MTA/SMTPd Postfix (Mailserver, Mailgateway, Anti-Spam [AMaVISd-new, SpamAssassin, dSpam], SPF, DKIM, PFS etc.) * MDA/IMAPd Cyrus * MDA/IMAPd Dovecot

cyrus

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:49:42 +0000

Cyrus imapd * Cyrus configuration (IMAP4/POP3) * TLS and SSL configuration (imaps) * Cyrus SIEVE configuration <- zurück

dkim

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 15:49:02 +0000

Postfix mit Domain Key Identifified Mail (DKIM) Vorausssetzung für DKIM ist ein installiertes -> AMaVIS. Auch bei DKIM wird, wie bei allen anderen Signaturen, in zwei Richtngen unterschieden: * eingehende emails (inbound): Überprüfung von DKIM-Signaturen in emails

operation

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:53:27 +0000

AmaViSd-new Operation emails aus der Quarantäne releasen: Wenn AMaViSd emails in die Quarantäne verschiebt, erhält man emails dieser Form: Betreff: BANNED contents (text/x-msdos-batch,.asc,bacula_after_failure.cmd) in mail FROM LOCAL [...] No viruses were found. Banned name: text/x-msdos-batch,.asc,bacula_after_failure.cmd Content type: Banned Internal reference code for the message is 11606-02/IJvAMUUAzNma [...] The message has been quarantined as: I/banned-IJvAMUUAzNma The message W…

spf

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:56:59 +0000

Postfix und das Sender Policy Framework (SPF) Das Sender Policy Framework - früher auch Sender Permitted From genannt -, soll das Fälschen des email-Absenders in einer E-Mail auf SMTP-Ebene erschweren. Mithilfe eines SPF-Generators, z.B. oder

spamreport

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:54:58 +0000

Spamreport spamcheck.sh #!/bin/bash ######################################################### # UKBW-Spam-Report, 2007-05-01, chhaas, IuK / Netzwerke # ######################################################### #set -o verbose ######## # ToDo # ######## # - printvariablen bei "grep X-Spam-Status:" korrigieren # - Mail an antispam@uk-bw.de zusammenfassen: 1 Mail die alle Spammails inkl. Empfaenger beinhaltet # - Variablen fuer FROM: und RETURN-PATH einrichten # - evtl. SpamAssassin Spam-T…

amavisd

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:57:55 +0000

AmaVisd-new /etc/amavis/amavisd.conf: use strict; # a minimalistic configuration file for amavisd-new with all necessary settings # # see amavisd.conf-default for a list of all variables with their defaults; # see amavisd.conf-sample for a traditional-style commented file; # for more details see documentation in INSTALL, README_FILES/* # and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html # COMMONLY ADJUSTED SETTINGS: # @bypass_virus_checks_maps = (1); # uncomment to DI…

sieve

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:52:56 +0000

Sieve * * * * Sieve and SSL / TLS timsieved allows for SSL on connect (like https, imaps, or pop3s), only STARTTLS. So you have to wrap it in an stunnel (www.stunnel.org), which is a another story ... Have a look at this: Testi…

monitoring

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:58:04 +0000

Monitoring email-monitoring * create „/var/lib/rrd“ Mailgraph mailgraph is a very simple mail statistics RRDtool frontend for Postfix that produces daily, weekly, monthly and yearly graphs of received/sent and bounced/rejected mail (SMTP traffic).

config

anonymous@undisclosed.example.com (Anonymous) — Sat, 06 Apr 2024 16:56:19 +0000

Postfix smtpd (smtp + daemon) = server = Postfix receives mail from a client smtp = client = Postfix sends mail to another mailserver Edit /etc/postfix/main.cf queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix mail_owner = postfix smtpd_banner = mail.example.org myhostname = mail.example.org myorigin = example.org mydestination = mail.example.org mynetworks = 127.0.0.0/8, 10.0.0.0/8 alias_maps = hash:/etc/aliases, ldap:virtualaliases…

smtp-authentication

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:56:50 +0000

SMTPd- / SMTP-authentication SMTPd-authentication SASL must be configured! in /etc/postfix/main.cf: smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_recipient_restrictions = ... permit_sasl_authenticated

sign

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:53:39 +0000

Domain Key Identified Mail outbound - ORIGINATING - signieren DKIM basiert auf asymetrischer Verschlüsselung mit public- und private-Key. Das Key-Paar wird mit folgender Syntax erzeugt: amavisd genrsa [Anzahl der Bits für den Schlüssel]

verify

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:53:51 +0000

Domain Key Identified Mail inbound verifizieren vim /etc/amavis/conf.d/50-user # DKIM-Ueberpruefung: $enable_dkim_verification = 1; $allowed_added_header_fields{lc('Authentication-Results')} = 1; service amavis restart AMaViS kann nun mit Hilfe des Public-Keys der in der

openssl_ca

anonymous@undisclosed.example.com (Anonymous) — Mon, 27 Dec 2010 16:20:44 +0000

simple OpenSSL Certficate Authority Create Certificate Authority station7:/etc # station7:/usr/share/ssl/misc # ./CA.sh -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key .....++++++ .....................................++++++ writing new private key to './demoCA/private/./cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your c…

sarg

anonymous@undisclosed.example.com (Anonymous) — Fri, 15 Aug 2014 20:46:20 +0000

SARG /etc/crontab: ### SQUID-Monitoring via Sarg: 00 06-19/1 * * * root /usr/local/chhaas-skripts/sarg-reports.sh today > /dev/nul 00 00 * * * root /usr/local/chhaas-skripts/sarg-reports.sh daily > /dev/nul 00 01 * * 1 root /usr/local/chhaas-skripts/sarg-reports.sh weekly > /dev/nul 30 02 1 * * root /usr/local/chhaas-skripts/sarg-reports.sh monthly > /dev/nul

config

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:52:33 +0000

Cyrus imapd / popd Modify /etc/cyrus.conf to: START { recover cmd="ctl_cyrusdb -r" deliver cmd="ctl_deliver -r" } SERVICES { imap cmd="imapd" listen="imap" prefork=0 # imaps cmd="imapd -s" listen="imaps" prefork=0 pop3 cmd="pop3d" listen="pop3" prefork=0 # pop3s cmd="pop3d -s" listen="pop3s" prefork=0 sieve cmd="timsieved" listen="sieve" prefork=2 # entry must be the same as in th…

cyrus_secure

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:52:44 +0000

TLS, IMAP over SSL (imaps) and pop3 over SSL (pop3s) TLS Modify / append the TLS-settings in /etc/imap.conf: #--- SSL/TLS setting ---# tls_ca_path: /etc/ssl/certs tls_ca_file: /etc/ssl/certs/ca_cert.pem tls_cert_file: /etc/ssl/certs/station7_cert.pem tls_key_file: /etc/ssl/private/station7_key.pem

postgrey

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 16:02:27 +0000

Greylisting For a overview what greylisting does, have a look at www.greylisting.org/ There are several greylisting daemons for Postfix available. I stick to David Schweikert's Postgrey or to Lionel Bouton's SQLgrey in combination with it's web-interface http://www.vanheusden.com/sgwi/ Postgrey Postgrey greylisting daemon

pflogsum

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:56:02 +0000

Postfix-Reporting mit Pflogsum apt-get install pflogsum /usr/local/bin/postfix_report.sh #!/bin/bash /usr/sbin/pflogsumm -d yesterday --problems_first /var/log/mail.log.1 > /tmp/pflogsumm /usr/bin/mailx -s "Automatischer Postfix-Report von $(hostname)" -r postfix-admin@station7.example.de postfix-admin@station7.example.de < /tmp/pflogsumm

ldap

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:55:50 +0000

using LDAP /etc/postfix/ldap-aliases.cf: server_host= ldaps://localhost:636 server_port= 636 start_tls = no tls_ca_cert_file = /etc/ssl/postfix/certs/ca_cert.pem tls_ca_cert_dir = /etc/ssl/postfix/certs/ tls_cert = /etc/ssl/postfix/certs/station7_cert.pem tls_key = /etc/ssl/postfix/private/station7_key.pem #tls_random_file = dev:/dev/urandom tls_cipher_suite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP version= 3 bind= no timeout= 120 search_base= dc=example,dc=com query_filter = (&(object…

pfs

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:56:15 +0000

Postfix Perfect Forwarding Secrecy (PFS) openssl gendh -out /etc/postfix/dh_512.pem -2 512 openssl gendh -out /etc/postfix/dh_1024.pem -2 1024 postconf -e "smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem" postconf -e "smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem" postconf -e "smtpd_tls_eecdh_grade = strong" postconf -e "tls_preempt_cipherlist = yes" postconf -e "smtpd_tls_loglevel = 1" postconf -e "smtp_tls_loglevel = 1" postfix reload

postfix_secure

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:56:23 +0000

Postfix with TLS and SSL (smtps) Use a portscanner like „nmap“: station7:/etc/init.d # nmap localhost | grep smtp 25/tcp open smtp -> smtp is only running at port 25! TLS Modify the TLS-settings in /etc/postfix/main.cf #--- SSL/TLS setting ---# smtpd_client_restrictions= permit_tls_clientcerts, permit_sasl_authenticated smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination, check_sender_access hash:/etc/…

sasl

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:56:42 +0000

SASL A very conveniant way of configuring the Simple Authentication and Security Layer (SASL) is to use the Pluggable Authentication Modules (PAM), since it can use diffrent authentication sources like ldap or /etc/passwd - thus SASL is everything but simple

ssh-smtp-tunnel

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:57:08 +0000

SMTP-over-SSH-Tunnel Um zwei SMTP-Server (z.B. Mailserver im Heim-Netz zu Mailgateway bei Provider/Hoster) sicher miteinander zu verbinden, gibt es verschiedene Möglichkeiten. OpenVPN-Tunnel Eine Möglichkeit ist, ein OpenVPN-Tunnel zwischen beiden Servern.

tipps

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:57:25 +0000

Postfix Tipps und Tricks Mails aus Mailqueue löschen alle Mails des Benutzers station7@example.com aus der Mailqueue löschen: mail:~# mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } { if ($7 == "station7@example.com") print $1 }' | tr -d '*!' | postsuper -d -

spamassassin

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:58:39 +0000

SpamAssassin SA-config-genarator: /etc/mail/spamassassin/local.cf: # SpamAssassin config file for version 3.x # NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6 # See http://www.yrex.com/spam/spamconfig25.php for earlier versions # Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50) # How many hits before a message is considered spam. required_score 5.0 # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe) report_safe …

credits

anonymous@undisclosed.example.com (Anonymous) — Mon, 27 Dec 2010 16:20:41 +0000

Credits Credits go to the following persons (in alphabetical order), without their help my commserv would probably never have been working. If I forgot somebody by accident, please drop me a email: * Markus Winkler, Chemnitz / Germany * Manuel Zach, Vienna / Austria

todo

anonymous@undisclosed.example.com (Anonymous) — Mon, 27 Dec 2010 16:20:42 +0000

ToDo Things, that have to be documented: * generating the decrypted SSL-key with OpenSSL-CA * use of TinyCA and phpki-CA * Postfix: main.cf and master.cf * implement in email -> Postfix -> SMTPd- / SMTP-Authentication

all

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:46:38 +0000

2014-08-08 zuerst „Debian OS-Basis-Installation auf Blech“ durchfuehren!!! auf allen Server-Instanzen („Blech“, Linux VServer, LXC): ### Proxy der UKBW fuer die Installations-Shellsitzung setzen: export http_proxy=„“ ### LiHAS GPG-Key importieren: wget -O -

root-alarm

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:47:28 +0000

email-Alarm bei ROOT-Login: # apt-get install mailx # cat << EOF > /root/.bashrc echo 'ALARM - Root-Login auf Maschine' $(hostname) 'am:' $(date) $(who) | mail -s „ALARM: Root-Login auf Maschine $(hostname) von $(who | grep root | cut -d'(' -f2 | cut -d')' -f1)

gnarwl

anonymous@undisclosed.example.com (Anonymous) — Tue, 25 Apr 2017 14:50:23 +0000

Gnarwl Download GNARWL software from and download package named gnarwl-3.3.tgz Compile GNARWL for LDAP vacations # tar xzvf gnarwl-3.3.tgz # cd gnarwl-3.3 # ./configure # make # make install # make perm Adjust File /usr/local/etc/gnarwl.conf map_sender $sender map_receiver $recepient map_subject $subject map_field $fullname cn map_field $deputy mail server localhost port 389 scope sub login cn=admin,dc=example,dc=org password IveGotASe…

config

anonymous@undisclosed.example.com (Anonymous) — Fri, 15 Aug 2014 20:44:51 +0000

Squid configuration */etc/squid/squid.conf: icp_port 0 htcp_port 0 hierarchy_stoplist cgi-bin ? cache_swap_low 90 cache_swap_high 95 maximum_object_size 4096 KB ipcache_size 1024 ipcache_low 90 ipcache_high 95 fqdncache_size 1024 cache_access_log /var/log/squid/access.log cache_dir ufs /var/cache/squid 240000 32 256 cache_log /var/log/squid/cache.log cache_mem 3000 MB cache_store_log /var/log/squid/store.log emulate_httpd_log off mime_table /etc/squid/mime.conf log_mime_hdrs off useragent_log…