I built a mail server environment on FreeBSD 12.
I also built it to meet the conditions below, so I decided to write down notes on what I configured.
Requirements
- Do not let the server get infected by viruses.
- Be able to filter out spam mail.
- Build an environment that is stable and strong on security.
To meet the requirements above, I decided to build it with the following components.
- postfix
- dovecot
- clamav
- clamav-milter
- spamass-milter
- milter-greylist
- milter-manager
- blacklistd
Notes
- Because the configuration is extensive, only the relevant excerpts of it are recorded.
- The Ports Collection must be usable.
1. Installing clamav
①. Install clamav.
pkg install clamav
②. Output from the installation.
[root@FreeBSD ~]# pkg install clamav
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 5 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
arc: 5.21p
arj: 3.10.22_8
clamav: 0.102.2,1
libltdl: 2.4.6
unzoo: 4.4_2
Number of packages to be installed: 5
The process will require 6 MiB more space.
2 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/5] Fetching clamav-0.102.2,1.txz: 100% 1 MiB 1.3MB/s 00:01
[2/5] Fetching libltdl-2.4.6.txz: 100% 37 KiB 38.3kB/s 00:01
[3/5] Fetching unzoo-4.4_2.txz: 100% 17 KiB 17.8kB/s 00:01
[4/5] Fetching arj-3.10.22_8.txz: 100% 196 KiB 200.7kB/s 00:01
[5/5] Fetching arc-5.21p.txz: 100% 52 KiB 52.8kB/s 00:01
Checking integrity... done (0 conflicting)
[1/5] Installing libltdl-2.4.6...
[1/5] Extracting libltdl-2.4.6: 100%
[2/5] Installing unzoo-4.4_2...
[2/5] Extracting unzoo-4.4_2: 100%
[3/5] Installing arj-3.10.22_8...
[3/5] Extracting arj-3.10.22_8: 100%
[4/5] Installing arc-5.21p...
[4/5] Extracting arc-5.21p: 100%
[5/5] Installing clamav-0.102.2,1...
===> Creating groups.
Creating group 'clamav' with gid '106'.
Using existing group 'mail'.
===> Creating users
Creating user 'clamav' with uid '106'.
Adding user 'clamav' to group 'mail'.
[5/5] Extracting clamav-0.102.2,1: 100%
③. Configure it to start at boot.
vi /etc/rc.conf
④. Add the following.
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
This starts clamd and lets the virus definition files be updated (freshclam).
⑤. Edit clamd.conf.
vi /usr/local/etc/clamd.conf
⑥. Set the following.
LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
User clamav
ScanPE yes
ScanOLE2 yes
ScanMail yes
ScanHTML yes
ScanArchive yes
⑦. Start clamav-freshclam.
/usr/local/etc/rc.d/clamav-freshclam start
Starting clamav_freshclam.
⑧. Update the virus definition files.
freshclam
⑨. Confirm that the following is displayed.
ClamAV update process started at Wed Apr 29 02:25:48 2020
daily.cvd database is up to date (version: 25796, sigs: 2307772, f-level: 63, builder: raynman)
main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
⑩. Start clamav.
/usr/local/etc/rc.d/clamav-clamd start
Starting clamav_clamd.
⑪. Edit clamav-milter.conf.
vi /usr/local/etc/clamav-milter.conf
⑫. Add the following.
MilterSocket /var/run/clamav/clmilter.sock
MilterSocketMode 660
FixStaleSocket yes
User clamav
PidFile /var/run/clamav/clamav-milter.pid
ClamdSocket unix:/var/run/clamav/clamd.sock
MaxFileSize 100M
OnInfected Reject
AddHeader Replace
VirusAction /usr/local/bin/my_infected_message_handler.sh
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Full
⑬. Create my_infected_message_handler.
vi /usr/local/bin/my_infected_message_handler.sh
⑭. Add the following.
#!/bin/sh
# Invoked by clamav-milter's VirusAction. The arguments arrive in this order:
#   $1 virus name, $2 queue id, $3 sender, $4 destination,
#   $5 subject, $6 message id, $7 date
# The unquoted heredoc expands them into a notification that is mailed to root.
cat << EOM | mail -s "Virus Found by clamav-milter" root
-------------------------------------------------------
Virus Mail Information
-------------------------------------------------------
Queue-id: $2
Message-id: $6
Date: $7
Subject: $5
Sender: $3
Destination: $4
Virus Name: $1
-------------------------------------------------------
EOM
⑮. Grant execute permission.
chmod +x /usr/local/bin/my_infected_message_handler.sh
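The following is an added example and not part of the original notes: a small sh script that reads the two configuration files above and checks that ClamdSocket in clamav-milter.conf is "unix:" plus the LocalSocket clamd actually listens on, that both daemons run as the same user, and that OnInfected is still Reject. This matters because main.cf later sets milter_default_action = accept, so a milter that cannot reach clamd fails open and mail is delivered unscanned. The sample files are constructed in a temporary directory and mirror the values shown above, plus a deliberately mismatched one; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: cross-check clamd.conf and
# clamav-milter.conf so the milter really reaches clamd and still rejects.

# conf_get FILE KEY -> value of the first "KEY value" line (comments ignored)
conf_get() {
    awk -v key="$2" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# check_clamd_socket CLAMD_CONF MILTER_CONF
# 0 when ClamdSocket in the milter config is "unix:" + clamd's LocalSocket
check_clamd_socket() {
    local_sock=$(conf_get "$1" LocalSocket)
    milter_sock=$(conf_get "$2" ClamdSocket)
    [ -n "$local_sock" ] && [ "$milter_sock" = "unix:$local_sock" ]
}

# check_same_user CLAMD_CONF MILTER_CONF -> 0 when both run as the same User
check_same_user() {
    u1=$(conf_get "$1" User)
    u2=$(conf_get "$2" User)
    [ -n "$u1" ] && [ "$u1" = "$u2" ]
}

# check_on_infected MILTER_CONF -> 0 when infected messages are rejected
check_on_infected() {
    [ "$(conf_get "$1" OnInfected)" = "Reject" ]
}

# Constructed sample files mirroring the settings from the notes above.
tmp=$(mktemp -d)
CLAMD_CONF="$tmp/clamd.conf"
MILTER_OK="$tmp/clamav-milter.conf"
MILTER_BAD="$tmp/clamav-milter-bad.conf"

cat > "$CLAMD_CONF" <<'EOF'
# comment lines are ignored by conf_get
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.sock
User clamav
EOF

cat > "$MILTER_OK" <<'EOF'
MilterSocket /var/run/clamav/clmilter.sock
User clamav
ClamdSocket unix:/var/run/clamav/clamd.sock
OnInfected Reject
EOF

# Constructed misconfiguration: wrong clamd path and a non-rejecting action.
cat > "$MILTER_BAD" <<'EOF'
MilterSocket /var/run/clamav/clmilter.sock
ClamdSocket unix:/var/run/clamd.sock
OnInfected Quarantine
EOF

for f in "$MILTER_OK" "$MILTER_BAD"; do
    if check_clamd_socket "$CLAMD_CONF" "$f" && check_on_infected "$f"; then
        echo "$f: ok"
    else
        echo "$f: MISCONFIGURED (with milter_default_action = accept, mail would pass unscanned)"
    fi
done
```

Point the three variables at the real files (/usr/local/etc/clamd.conf and /usr/local/etc/clamav-milter.conf) to run the same checks on the live configuration.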
2. Installing procmail
①. Install procmail.
pkg install procmail
②. Output from the installation.
[root@FreeBSD ~]# pkg install procmail
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
procmail: 3.22_10
Number of packages to be installed: 1
139 KiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching procmail-3.22_10.txz: 100% 139 KiB 142.1kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing procmail-3.22_10...
[1/1] Extracting procmail-3.22_10: 100%
③. Create procmailrc.
vi /usr/local/etc/procmailrc
④. Add the following.
SHELL=/bin/sh
PATH=/bin:/usr/bin:/usr/local/bin
DROPPRIVS=yes
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
#LOGFILE=$MAILDIR/procmail.log
# discard messages whose Subject contains "sexy"
:0
* ^Subject: .*sexy.*
/dev/null
3. Installing cyrus-sasl and cyrus-sasl-saslauthd
SASL authentication is used for SMTP AUTH.
①. Install cyrus-sasl and cyrus-sasl-saslauthd.
pkg install cyrus-sasl cyrus-sasl-saslauthd
②. Output from the installation.
[root@FreeBSD ]# pkg install cyrus-sasl cyrus-sasl-saslauthd
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
cyrus-sasl: 2.1.27_1
cyrus-sasl-saslauthd: 2.1.27_1
Number of packages to be installed: 2
The process will require 8 MiB more space.
1 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/2] Fetching cyrus-sasl-2.1.27_1.txz: 100% 959 KiB 982.2kB/s 00:01
[2/2] Fetching cyrus-sasl-saslauthd-2.1.27_1.txz: 100% 42 KiB 42.6kB/s 00:01
Checking integrity... done (0 conflicting)
[1/2] Installing cyrus-sasl-2.1.27_1...
*** Added group `cyrus' (id 60)
*** Added user `cyrus' (id 60)
[1/2] Extracting cyrus-sasl-2.1.27_1: 100%
[2/2] Installing cyrus-sasl-saslauthd-2.1.27_1...
[2/2] Extracting cyrus-sasl-saslauthd-2.1.27_1: 100%
=====
Message from cyrus-sasl-2.1.27_1:
--
You can use sasldb2 for authentication, to add users use:
saslpasswd2 -c username
If you want to enable SMTP AUTH with the system Sendmail, read
Sendmail.README
NOTE: This port has been compiled with a default pwcheck_method of
auxprop. If you want to authenticate your user by /etc/passwd,
PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
set sasl_pwcheck_method to saslauthd after installing the
Cyrus-IMAPd 2.X port. You should also check the
/usr/local/lib/sasl2/*.conf files for the correct
pwcheck_method.
If you want to use GSSAPI mechanism, install
ports/security/cyrus-sasl2-gssapi.
If you want to use SRP mechanism, install
ports/security/cyrus-sasl2-srp.
If you want to use LDAP auxprop plugin, install
ports/security/cyrus-sasl2-ldapdb.
=====
Message from cyrus-sasl-saslauthd-2.1.27_1:
--
To run saslauthd from startup, add saslauthd_enable="YES" in your
/etc/rc.conf.
③. Configure it to start at boot.
vi /etc/rc.conf
④. Add the following.
saslauthd_enable="YES"
saslauthd_flags="-a sasldb"
4. Installing postfix
Postfix is rebuilt from ports and used from there.
①. Move to the postfix port directory.
cd /usr/ports/mail/postfix/
②. Set the build options.
make config
③. Change the options to the "after" state below.
■Before
[ ] BDB Berkeley DB support
[x] BLACKLISTD Enable blacklistd support (FreeBSD 11.0 and later only)
[ ] CDB CDB maps lookups
[x] DOCS Build and/or install documentation
[x] EAI Email Address Internationalization (SMTPUTF8) support
[ ] INST_BASE Install into /usr and /etc/postfix
[ ] LDAP LDAP maps (uses WITH_OPENLDAP_VER)
[ ] LDAP_SASL LDAP client-to-server SASL auth
[ ] LMDB LMDB maps
[ ] MYSQL MySQL database support
[ ] NIS Network Information Services/YP support
[x] PCRE Use Perl Compatible Regular Expressions
[ ] PGSQL PostgreSQL database support
[ ] SASL Cyrus SASL support (Dovecot SASL is always built in)
[ ] SQLITE SQLite database support
[ ] TEST SMTP/LMTP test server and generator
[x] TLS Secure network connection support via TLS
-------------- Kerberos network authentication protocol type ------------
( ) SASLKRB5 If your SASL req. Kerberos5, select this
( ) SASLKMIT If your SASL req. MIT Kerberos5, select this
■After
[ ] BDB Berkeley DB support
[x] BLACKLISTD Enable blacklistd support (FreeBSD 11.0 and later only)
[ ] CDB CDB maps lookups
[x] DOCS Build and/or install documentation
[x] EAI Email Address Internationalization (SMTPUTF8) support
[ ] INST_BASE Install into /usr and /etc/postfix
[ ] LDAP LDAP maps (uses WITH_OPENLDAP_VER)
[ ] LDAP_SASL LDAP client-to-server SASL auth
[ ] LMDB LMDB maps
[ ] MYSQL MySQL database support
[ ] NIS Network Information Services/YP support
[x] PCRE Use Perl Compatible Regular Expressions
[ ] PGSQL PostgreSQL database support
[x] SASL Cyrus SASL support (Dovecot SASL is always built in)
[ ] SQLITE SQLite database support
[ ] TEST SMTP/LMTP test server and generator
[x] TLS Secure network connection support via TLS
------------- Kerberos network authentication protocol type -------------
( ) SASLKRB5 If your SASL req. Kerberos5, select this
( ) SASLKMIT If your SASL req. MIT Kerberos5, select this
④. Check the option information.
cat /usr/ports/mail/postfix/Makefile
⑤. The following lines are the option descriptions.
BLACKLISTD_DESC= Enable blacklistd support (FreeBSD 11.0 and later only)
CDB_DESC= CDB maps lookups
EAI_DESC= Email Address Internationalization (SMTPUTF8) support
INST_BASE_DESC= Install into /usr and /etc/postfix
LDAP_DESC= LDAP maps (uses WITH_OPENLDAP_VER)
LDAP_SASL_DESC= LDAP client-to-server SASL auth
LMDB_DESC= LMDB maps
TEST_DESC= SMTP/LMTP test server and generator
SASL_DESC= Cyrus SASL support (Dovecot SASL is always built in)
RG1_DESC= Kerberos network authentication protocol type
SASLKRB5_DESC= If your SASL req. Kerberos5, select this
SASLKMIT_DESC= If your SASL req. MIT Kerberos5, select this
⑥. Edit pkgtools.conf.
vi /usr/local/etc/pkgtools.conf
⑦. Add the following under MAKE_ARGS.
# The *_DESC variables in the port Makefile only hold the description text of
# each option and do not switch options on. WITH= is the ports framework's list
# of options to enable, so it selects the same set chosen with "make config".
'mail/postfix' => [
'WITH=BLACKLISTD DOCS EAI PCRE SASL TLS',
],
⑧. Run the rebuild.
portinstall postfix
make install clean
The rebuild can also be run with the make command.
⑨. Confirm that the following is displayed.
Installing postfix-3.5.1_1,1...
===> Creating groups.
Using existing group 'mail'.
Creating group 'maildrop' with gid '126'.
Creating group 'postfix' with gid '125'.
===> Creating users
Creating user 'postfix' with uid '125'.
===> Creating homedir(s)
Adding user 'postfix' to group 'mail'.
===============================================================
Postfix was *not* activated in /usr/local/etc/mail/mailer.conf!
To finish installation run the following commands:
mkdir -p /usr/local/etc/mail
install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
===============================================================
To use postfix instead of sendmail:
- clear sendmail queue and stop the sendmail daemons
Run the following commands to enable postfix during startup:
- sysrc postfix_enable="YES"
- sysrc sendmail_enable="NONE"
If postfix is *not* already activated in /usr/local/etc/mail/mailer.conf
- mv /usr/local/etc/mail/mailer.conf /usr/local/etc/mail/mailer.conf.old
- install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
Disable sendmail(8) specific tasks,
add the following lines to /etc/periodic.conf(.local):
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
If you are using SASL, you need to make sure that postfix has access to read
the sasldb file. This is accomplished by adding postfix to group mail and
making the /usr/local/etc/sasldb* file(s) readable by group mail (this should
be the default for new installs).
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/lib/postfix/libpostfix-util.so
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/postfix
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.postfix.org/
===> Cleaning for postfix-3.5.1_1,1
---> Installation of mail/postfix ended at: Wed, 29 Apr 2020 10:56:39 +0900 (consumed 00:00:05)
---> Saving the log as '/var/tmp/portupgrade-mail::postfix.log'
---> Fresh installation of mail/postfix ended at: Wed, 29 Apr 2020 10:56:39 +0900 (consumed 00:02:18)
---> ** Install tasks 1: 1 done, 0 ignored, 0 skipped and 0 failed
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
+ mail/postfix
---> Packages processed: 1 done, 0 ignored, 0 skipped and 0 failed
---> Session ended at: Wed, 29 Apr 2020 10:56:39 +0900 (consumed 00:02:23)
⑩. Lock the package so it is not updated automatically.
pkg lock postfix
postfix-3.5.1_1,1: lock this package? [y/N]: y
Locking postfix-3.5.1_1,1
⑪. Disable the Sendmail-specific periodic tasks.
vi /etc/periodic.conf
⑫. Add the following.
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
⑬. Disable Sendmail.
vi /etc/rc.conf
⑭. Add the following.
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
⑮. Configure postfix to start at boot.
vi /etc/rc.conf
⑯. Add the following.
postfix_enable="YES"
⑰. Create mailer.conf.
mkdir -p /usr/local/etc/mail
install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
⑱. Edit main.cf.
vi /usr/local/etc/postfix/main.cf
⑲. Add the following.
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = ホスト名
mydomain = ドメイン名
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/local/bin/procmail
smtpd_banner = $myhostname ESMTP unknown
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
# Additional settings
allow_percent_hack = no
# Disable the SMTP VRFY command
# VRFY is the command that checks whether an account exists.
# Disabling it prevents account harvesting by malicious programs that probe with random user names.
disable_vrfy_command = yes
# Accept clients that send the SASL AUTH command in the old non-standard "AUTH=" syntax
broken_sasl_auth_clients = yes
# When sending mail, clients present an account name and password and are authenticated by the mail server (SASL authentication)
smtpd_sasl_auth_enable = yes
# Show the authenticated user name in the Received header
smtpd_sasl_authenticated_header = yes
# Use Dovecot SASL
smtpd_sasl_type = dovecot
# Socket file used for Dovecot SASL (relative to queue_directory)
smtpd_sasl_path = private/auth
# Local domain name handed to the SASL library during authentication
smtpd_sasl_local_domain = $mydomain
# Restrictions on connecting hosts
smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client all.rbl.jp,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_unknown_client,
    permit
# Mail relay settings
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# Restrict the sender address given in MAIL FROM
smtpd_sender_restrictions = reject_unknown_sender_domain
# Enable TLS
smtpd_use_tls = yes
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/ドメイン名/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/ドメイン名/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_scache
# Settings for hosting multiple domains
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
# OP25B (outbound port 25 blocking) workaround: relay outbound mail through the ISP's submission port
relayhost = [mail.so-net.ne.jp]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/isp_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login, plain
# Milter settings
# Return a temporary error when a milter fails (the default)
#milter_default_action = tempfail
# Accept the mail when a milter fails
milter_default_action = accept
#smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_milters = unix:/var/run/milter-manager/milter-manager.sock
non_smtpd_milters = $smtpd_milters
milter_protocol = 6
# Pass the SMTP AUTH information to the milters
milter_mail_macros = {auth_author} {auth_type} {auth_authen}
# Wait 150 seconds for a milter application to respond
milter_command_timeout = 150
# Setting this to 1 changes the concurrency from per-domain to per-recipient
smtp_destination_recipient_limit = 1
# Require the HELO (EHLO) command
smtpd_helo_required=yes
For the TLS settings, the certificate was issued with Let's Encrypt.
⑳. Edit master.cf.
vi /usr/local/etc/postfix/master.cf
㉑. Change to the "after" state below.
■Before
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
  -o syslog_name=postfix/$service_name
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
■After
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
  -o syslog_name=postfix/$service_name
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
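As an added example that is not from the original notes: a sh script that parses master.cf, skips commented lines, and collects the active "-o" overrides per service, so you can see which settings a listener really gets. Run against the "after" master.cf above it reports that submission and smtps both enable SASL but only smtps forces TLS (smtpd_tls_wrappermode=yes); on submission the "-o smtpd_tls_security_level=encrypt" and "-o smtpd_tls_auth_only=yes" lines are still commented out, and because main.cf sets smtpd_tls_security_level = may and smtpd_sasl_auth_enable = yes globally, a client can authenticate on ports 25 and 587 before STARTTLS. The sample file below is constructed from the relevant entries above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original notes: list the active "-o" overrides
# of a master.cf service and check that SASL AUTH is only offered under TLS.

# master_overrides MASTER_CF SERVICE [TYPE]
# Prints "key=value" for every active "-o" option under the entry SERVICE,
# optionally restricted to TYPE ("inet"/"unix"), since "smtp" exists as both
# an inet server and a unix client. Commented-out lines are ignored.
master_overrides() {
    awk -v svc="$2" -v kind="$3" '
        /^[ \t]*#/ { next }   # commented-out lines are inactive
        /^[^ \t]/  { active = ($1 == svc && (kind == "" || $2 == kind)); next }
        active     { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }
    ' "$1"
}

# has_override MASTER_CF SERVICE KEY=VALUE -> 0 when that exact override is active
has_override() {
    master_overrides "$1" "$2" | grep -qx -- "$3"
}

# auth_only_under_tls MASTER_CF SERVICE [MAINCF_SASL]
# MAINCF_SASL is main.cf's global smtpd_sasl_auth_enable ("yes" in the notes),
# which every smtpd inherits unless the service overrides it. Returns 0 when
# the service does not offer SASL at all, or offers it only under wrapper-mode
# TLS, mandatory STARTTLS, or smtpd_tls_auth_only=yes.
auth_only_under_tls() {
    has_override "$1" "$2" smtpd_sasl_auth_enable=no && return 0
    if ! has_override "$1" "$2" smtpd_sasl_auth_enable=yes && [ "${3:-no}" != yes ]; then
        return 0
    fi
    has_override "$1" "$2" smtpd_tls_wrappermode=yes && return 0
    has_override "$1" "$2" smtpd_tls_security_level=encrypt && return 0
    has_override "$1" "$2" smtpd_tls_auth_only=yes
}

# Constructed sample: the relevant entries of the "after" master.cf above.
tmp=$(mktemp -d)
MASTER_CF="$tmp/master.cf"
cat > "$MASTER_CF" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
  -o syslog_name=postfix/$service_name
EOF

# "yes" is main.cf's smtpd_sasl_auth_enable from the notes above.
for svc in smtp submission smtps; do
    if auth_only_under_tls "$MASTER_CF" "$svc" yes; then
        echo "$svc: SASL AUTH only under TLS"
    else
        echo "$svc: SASL AUTH reachable without TLS"
    fi
done
```

Against the live file, pass /usr/local/etc/postfix/master.cf and the value of "postconf -h smtpd_sasl_auth_enable" as the third argument; a service reported as reachable without TLS is fixed by uncommenting its smtpd_tls_security_level=encrypt or smtpd_tls_auth_only=yes override.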
㉒. Edit Sendmail.conf.
vi /usr/local/lib/sasl2/Sendmail.conf
㉓. Change to the "after" state below.
■Before
pwcheck_method: saslauthd
■After
#pwcheck_method: saslauthd
pwcheck_method: auxprop
5. Installing dovecot
①. Install dovecot.
pkg install dovecot
②. Output from the installation.
[root@FreeBSD ]# pkg install dovecot
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
dovecot: 2.3.10_2
Number of packages to be installed: 1
The process will require 22 MiB more space.
4 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching dovecot-2.3.10_2.txz: 100% 4 MiB 4.2MB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing dovecot-2.3.10_2...
===> Creating groups.
Creating group 'dovecot' with gid '143'.
Creating group 'dovenull' with gid '144'.
===> Creating users
Creating user 'dovecot' with uid '143'.
Creating user 'dovenull' with uid '144'.
[1/1] Extracting dovecot-2.3.10_2: 100%
=====
Message from dovecot-2.3.10_2:
--
You must create the configuration files yourself. Copy them over
to /usr/local/etc/dovecot and edit them as desired:
cp -R /usr/local/etc/dovecot/example-config/* \
/usr/local/etc/dovecot
The default configuration includes IMAP and POP3 services, will
authenticate users agains the system's passwd file, and will use
the default /var/mail/$USER mbox files.
Next, enable dovecot in /etc/rc.conf:
dovecot_enable="YES"
To avoid a risk of mailbox corruption, do not set the
security.bsd.see_other_uids or .see_other_gids sysctls to 0
if Dovecot is storing mail for multiple concurrent users (PR 218392).
Similarly, setting sysctls security.bsd.hardlink_check_uid or
security.bsd.hardlink_check_gid to 1 might result in non-working
mailboxes, depending on what mailbox locking mechanism is used
(PR 242223).
If you want to be able to search within attachments using the
decode2text plugin, you'll need to install textproc/catdoc, and
one of graphics/xpdf or graphics/poppler-utils.
There are some potentially breaking changes in Dovecot 2.3. If you
are upgrading from Dovecot 2.2:
* Read https://wiki2.dovecot.org/Upgrading/2.3
* Merge the configuration file changes from
/usr/local/etc/dovecot/examples-config/
③. Copy the example configuration.
cp -R /usr/local/etc/dovecot/example-config/* \
/usr/local/etc/dovecot
④. Edit dovecot.conf.
vi /usr/local/etc/dovecot/dovecot.conf
⑤. Set the following.
protocols = imap pop3
!include conf.d/*.conf
!include_try local.conf
⑥. Edit 10-auth.conf.
vi /usr/local/etc/dovecot/conf.d/10-auth.conf
⑦. Set the following.
disable_plaintext_auth = no
auth_mechanisms = plain login
!include auth-system.conf.ext
⑧. Edit 10-mail.conf.
vi /usr/local/etc/dovecot/conf.d/10-mail.conf
⑨. Set the following.
mail_location = maildir:~/Maildir
namespace inbox {
inbox = yes
}
protocol !indexer-worker {
}
mbox_write_locks = fcntl
⑩. Edit 10-ssl.conf.
vi /usr/local/etc/dovecot/conf.d/10-ssl.conf
⑪. Set the following.
ssl = yes
ssl_cert = </usr/local/etc/letsencrypt/live/ドメイン名/fullchain.pem
ssl_key = </usr/local/etc/letsencrypt/live/ドメイン名/privkey.pem
The certificate was issued with Let's Encrypt.
⑫. Edit 10-master.conf.
vi /usr/local/etc/dovecot/conf.d/10-master.conf
⑬. Set the following.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
# Postfix smtp-auth (add this inside the existing "service auth { ... }" block)
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}
⑭. Configure dovecot to start at boot.
vi /etc/rc.conf
⑮. Set the following.
dovecot_enable="YES"
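Added example, not from the original notes, that ties the Postfix main.cf and the Dovecot 10-master.conf settings above together: a sh script that reads main.cf while folding Postfix continuation lines (lines that begin with whitespace belong to the previous parameter), verifies that queue_directory plus the relative smtpd_sasl_path is exactly the path Dovecot's unix_listener provides, and reports whether the anti-relay, VRFY, HELO and milter settings from the notes are present. The sample files are constructed from the values above (the Dovecot listener is placed in its service auth block, where the excerpt above omits it), plus a constructed mismatching Dovecot file; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes: read main.cf with continuation
# lines folded, cross-check the SASL socket against Dovecot's 10-master.conf
# and report a few of the hardening settings from the notes.

# postconf_get MAIN_CF PARAM -> value of PARAM; lines that start with
# whitespace continue the previous parameter (Postfix syntax)
postconf_get() {
    awk -v p="$2" '
        /^[ \t]/ {
            if (found) { sub(/^[ \t]+/, ""); val = val " " $0 }
            next
        }
        {
            if (found) exit
            n = index($0, "=")
            if (n > 0) {
                k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
                if (k == p) { found = 1; val = substr($0, n + 1); sub(/^[ \t]+/, "", val) }
            }
        }
        END { if (found) print val }
    ' "$1"
}

# dovecot_auth_socket MASTER_CONF -> path of the first unix_listener given as
# an absolute path (the Postfix auth socket; "auth-userdb" etc. are relative)
dovecot_auth_socket() {
    awk '$1 == "unix_listener" && $2 ~ /^\// { print $2; exit }' "$1"
}

# check_sasl_socket MAIN_CF DOVECOT_MASTER_CONF
# 0 when queue_directory/smtpd_sasl_path is exactly what Dovecot listens on
check_sasl_socket() {
    qd=$(postconf_get "$1" queue_directory)
    sp=$(postconf_get "$1" smtpd_sasl_path)
    case "$sp" in
        /*) want="$sp" ;;
        *)  want="$qd/$sp" ;;
    esac
    [ "$want" = "$(dovecot_auth_socket "$2")" ]
}

# hardening_report MAIN_CF -> one "ok NAME" or "WEAK NAME" line per check
hardening_report() {
    for pair in disable_vrfy_command=yes smtpd_helo_required=yes smtpd_sasl_type=dovecot; do
        p=${pair%%=*}; expect=${pair#*=}
        if [ "$(postconf_get "$1" "$p")" = "$expect" ]; then echo "ok $p"; else echo "WEAK $p"; fi
    done
    # relaying: reject_unauth_destination must appear in the recipient restrictions
    case "$(postconf_get "$1" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) echo "ok smtpd_recipient_restrictions" ;;
        *) echo "WEAK smtpd_recipient_restrictions" ;;
    esac
    # milter_default_action = accept fails open when milter-manager is down
    if [ "$(postconf_get "$1" milter_default_action)" = "accept" ]; then
        echo "WEAK milter_default_action"
    else
        echo "ok milter_default_action"
    fi
}

# weak_count MAIN_CF -> number of WEAK lines in the report
weak_count() {
    hardening_report "$1" | grep -c '^WEAK' || true
}

# Constructed samples built from the values in the notes above.
tmp=$(mktemp -d)
MAIN_CF="$tmp/main.cf"; DOVECOT_OK="$tmp/10-master.conf"; DOVECOT_BAD="$tmp/10-master-bad.conf"
cat > "$MAIN_CF" <<'EOF'
queue_directory = /var/spool/postfix
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
disable_vrfy_command = yes
smtpd_helo_required=yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
milter_default_action = accept
EOF
cat > "$DOVECOT_OK" <<'EOF'
service auth {
  unix_listener auth-userdb {
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
EOF
# Constructed mismatch: Dovecot listens somewhere Postfix does not look.
cat > "$DOVECOT_BAD" <<'EOF'
service auth {
  unix_listener /var/run/dovecot/auth-client {
    mode = 0666
  }
}
EOF

if check_sasl_socket "$MAIN_CF" "$DOVECOT_OK"; then echo "SASL socket: ok"; fi
if ! check_sasl_socket "$MAIN_CF" "$DOVECOT_BAD"; then echo "SASL socket: MISMATCH (SMTP AUTH would fail)"; fi
hardening_report "$MAIN_CF"
```

On the live system point MAIN_CF at /usr/local/etc/postfix/main.cf and DOVECOT_OK at /usr/local/etc/dovecot/conf.d/10-master.conf; the only WEAK line expected from the settings in these notes is milter_default_action, which the author chose deliberately so that mail is still delivered when a milter is down.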
6. Installing spamass-milter, milter-greylist and milter-manager
①. Install spamass-milter, milter-greylist and milter-manager.
pkg install spamass-milter milter-greylist milter-manager
②. Output from the installation.
[root@FreeBSD ]# pkg install spamass-milter milter-greylist milter-manager
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 45 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
gnupg1: 1.4.23_2
libev: 4.24,1
libevent: 2.1.11
libidn: 1.35
libspf2: 1.2.10_2
lua52: 5.2.4
milter-greylist: 4.6.2_4
milter-manager: 2.1.1_1
opendkim: 2.10.3_11
p5-Crypt-OpenSSL-Bignum: 0.09
p5-Crypt-OpenSSL-RSA: 0.31
p5-Crypt-OpenSSL-Random: 0.15
p5-Digest-HMAC: 1.03_1
p5-Encode-Detect: 1.01_1
p5-Error: 0.17029
p5-HTML-Parser: 3.72
p5-HTML-Tagset: 3.20_1
p5-HTTP-Date: 6.05
p5-IO-Socket-INET6: 2.72_1
p5-IO-Socket-SSL: 2.068
p5-JSON: 2.97.001
p5-Mail-AuthenticationResults: 1.20200331.1
p5-Mail-DKIM: 0.58
p5-Mail-SPF: 2.9.0_5
p5-Mail-Tools: 2.19
p5-Mozilla-CA: 20180117
p5-Net-CIDR-Lite: 0.21_1
p5-Net-DNS: 1.23,1
p5-Net-DNS-Resolver-Mock: 1.20200215
p5-Net-DNS-Resolver-Programmable: 0.009
p5-Net-IDN-Encode: 2.500
p5-Net-LibIDN: 0.12_5
p5-Net-SSLeay: 1.88
p5-NetAddr-IP: 4.079
p5-Socket6: 0.29
p5-TimeDate: 2.30_2,1
p5-URI: 1.76
re2c: 0.14.3
ruby26-gems: 3.0.6
rubygem-glib2: 3.4.1
rubygem-native-package-installer: 1.0.9
rubygem-pkg-config: 1.4.1
spamass-milter: 0.4.0_4
spamassassin: 3.4.4
unbound: 1.10.0
Number of packages to be installed: 45
The process will require 39 MiB more space.
9 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/45] Fetching spamass-milter-0.4.0_4.txz: 100% 47 KiB 48.0kB/s 00:01
[2/45] Fetching milter-greylist-4.6.2_4.txz: 100% 120 KiB 122.6kB/s 00:01
[3/45] Fetching milter-manager-2.1.1_1.txz: 100% 889 KiB 910.7kB/s 00:01
[4/45] Fetching spamassassin-3.4.4.txz: 100% 972 KiB 995.6kB/s 00:01
[5/45] Fetching p5-HTTP-Date-6.05.txz: 100% 10 KiB 10.6kB/s 00:01
[6/45] Fetching p5-TimeDate-2.30_2,1.txz: 100% 33 KiB 33.8kB/s 00:01
[7/45] Fetching p5-HTML-Parser-3.72.txz: 100% 79 KiB 81.3kB/s 00:01
[8/45] Fetching p5-HTML-Tagset-3.20_1.txz: 100% 12 KiB 12.0kB/s 00:01
[9/45] Fetching p5-Net-IDN-Encode-2.500.txz: 100% 74 KiB 76.0kB/s 00:01
[10/45] Fetching p5-IO-Socket-SSL-2.068.txz: 100% 170 KiB 174.5kB/s 00:01
[11/45] Fetching p5-Mozilla-CA-20180117.txz: 100% 132 KiB 135.3kB/s 00:01
[12/45] Fetching p5-Net-SSLeay-1.88.txz: 100% 267 KiB 273.6kB/s 00:01
[13/45] Fetching p5-IO-Socket-INET6-2.72_1.txz: 100% 13 KiB 13.1kB/s 00:01
[14/45] Fetching p5-Socket6-0.29.txz: 100% 16 KiB 16.7kB/s 00:01
[15/45] Fetching p5-Crypt-OpenSSL-RSA-0.31.txz: 100% 26 KiB 27.1kB/s 00:01
[16/45] Fetching p5-Crypt-OpenSSL-Random-0.15.txz: 100% 14 KiB 14.5kB/s 00:01
[17/45] Fetching p5-Crypt-OpenSSL-Bignum-0.09.txz: 100% 28 KiB 28.4kB/s 00:01
[18/45] Fetching gnupg1-1.4.23_2.txz: 100% 1 MiB 1.1MB/s 00:01
[19/45] Fetching p5-URI-1.76.txz: 100% 76 KiB 78.3kB/s 00:01
[20/45] Fetching p5-Net-CIDR-Lite-0.21_1.txz: 100% 12 KiB 11.9kB/s 00:01
[21/45] Fetching p5-NetAddr-IP-4.079.txz: 100% 85 KiB 87.2kB/s 00:01
[22/45] Fetching p5-Mail-SPF-2.9.0_5.txz: 100% 123 KiB 125.9kB/s 00:01
[23/45] Fetching p5-Error-0.17029.txz: 100% 27 KiB 27.3kB/s 00:01
[24/45] Fetching p5-Net-DNS-Resolver-Programmable-0.009.txz: 100% 17 KiB 17.4kB/s 00:01
[25/45] Fetching p5-Net-DNS-1.23,1.txz: 100% 308 KiB 315.3kB/s 00:01
[26/45] Fetching p5-Digest-HMAC-1.03_1.txz: 100% 10 KiB 10.1kB/s 00:01
[27/45] Fetching p5-Mail-DKIM-0.58.txz: 100% 113 KiB 115.9kB/s 00:01
[28/45] Fetching p5-Mail-Tools-2.19.txz: 100% 75 KiB 76.7kB/s 00:01
[29/45] Fetching p5-Mail-AuthenticationResults-1.20200331.1.txz: 100% 44 KiB 45.5kB/s 00:01
[30/45] Fetching p5-JSON-2.97.001.txz: 100% 70 KiB 71.6kB/s 00:01
[31/45] Fetching p5-Net-DNS-Resolver-Mock-1.20200215.txz: 100% 11 KiB 10.9kB/s 00:01
[32/45] Fetching p5-Net-LibIDN-0.12_5.txz: 100% 17 KiB 17.0kB/s 00:01
[33/45] Fetching libidn-1.35.txz: 100% 216 KiB 221.3kB/s 00:01
[34/45] Fetching re2c-0.14.3.txz: 100% 163 KiB 166.8kB/s 00:01
[35/45] Fetching p5-Encode-Detect-1.01_1.txz: 100% 72 KiB 74.0kB/s 00:01
[36/45] Fetching opendkim-2.10.3_11.txz: 100% 312 KiB 320.0kB/s 00:01
[37/45] Fetching lua52-5.2.4.txz: 100% 174 KiB 178.4kB/s 00:01
[38/45] Fetching unbound-1.10.0.txz: 100% 2 MiB 2.0MB/s 00:01
[39/45] Fetching libevent-2.1.11.txz: 100% 319 KiB 326.9kB/s 00:01
[40/45] Fetching libspf2-1.2.10_2.txz: 100% 125 KiB 127.5kB/s 00:01
[41/45] Fetching rubygem-glib2-3.4.1.txz: 100% 150 KiB 154.0kB/s 00:01
[42/45] Fetching rubygem-pkg-config-1.4.1.txz: 100% 17 KiB 17.9kB/s 00:01
[43/45] Fetching ruby26-gems-3.0.6.txz: 100% 401 KiB 410.3kB/s 00:01
[44/45] Fetching rubygem-native-package-installer-1.0.9.txz: 100% 19 KiB 19.6kB/s 00:01
[45/45] Fetching libev-4.24,1.txz: 100% 110 KiB 112.9kB/s 00:01
Checking integrity... done (0 conflicting)
[1/45] Installing p5-Digest-HMAC-1.03_1...
[1/45] Extracting p5-Digest-HMAC-1.03_1: 100%
[2/45] Installing p5-TimeDate-2.30_2,1...
[2/45] Extracting p5-TimeDate-2.30_2,1: 100%
[3/45] Installing p5-Socket6-0.29...
[3/45] Extracting p5-Socket6-0.29: 100%
[4/45] Installing p5-Crypt-OpenSSL-Random-0.15...
[4/45] Extracting p5-Crypt-OpenSSL-Random-0.15: 100%
[5/45] Installing p5-Crypt-OpenSSL-Bignum-0.09...
[5/45] Extracting p5-Crypt-OpenSSL-Bignum-0.09: 100%
[6/45] Installing p5-Net-DNS-1.23,1...
[6/45] Extracting p5-Net-DNS-1.23,1: 100%
[7/45] Installing p5-JSON-2.97.001...
[7/45] Extracting p5-JSON-2.97.001: 100%
[8/45] Installing p5-HTML-Tagset-3.20_1...
[8/45] Extracting p5-HTML-Tagset-3.20_1: 100%
[9/45] Installing p5-Mozilla-CA-20180117...
[9/45] Extracting p5-Mozilla-CA-20180117: 100%
[10/45] Installing p5-Net-SSLeay-1.88...
[10/45] Extracting p5-Net-SSLeay-1.88: 100%
[11/45] Installing p5-IO-Socket-INET6-2.72_1...
[11/45] Extracting p5-IO-Socket-INET6-2.72_1: 100%
[12/45] Installing p5-Crypt-OpenSSL-RSA-0.31...
[12/45] Extracting p5-Crypt-OpenSSL-RSA-0.31: 100%
[13/45] Installing p5-URI-1.76...
[13/45] Extracting p5-URI-1.76: 100%
[14/45] Installing p5-NetAddr-IP-4.079...
[14/45] Extracting p5-NetAddr-IP-4.079: 100%
[15/45] Installing p5-Error-0.17029...
[15/45] Extracting p5-Error-0.17029: 100%
[16/45] Installing p5-Net-DNS-Resolver-Programmable-0.009...
[16/45] Extracting p5-Net-DNS-Resolver-Programmable-0.009: 100%
[17/45] Installing p5-Mail-Tools-2.19...
[17/45] Extracting p5-Mail-Tools-2.19: 100%
[18/45] Installing p5-Mail-AuthenticationResults-1.20200331.1...
[18/45] Extracting p5-Mail-AuthenticationResults-1.20200331.1: 100%
[19/45] Installing p5-Net-DNS-Resolver-Mock-1.20200215...
[19/45] Extracting p5-Net-DNS-Resolver-Mock-1.20200215: 100%
[20/45] Installing libidn-1.35...
[20/45] Extracting libidn-1.35: 100%
[21/45] Installing libevent-2.1.11...
[21/45] Extracting libevent-2.1.11: 100%
[22/45] Installing ruby26-gems-3.0.6...
[22/45] Extracting ruby26-gems-3.0.6: 100%
[23/45] Installing p5-HTTP-Date-6.05...
[23/45] Extracting p5-HTTP-Date-6.05: 100%
[24/45] Installing p5-HTML-Parser-3.72...
[24/45] Extracting p5-HTML-Parser-3.72: 100%
[25/45] Installing p5-Net-IDN-Encode-2.500...
[25/45] Extracting p5-Net-IDN-Encode-2.500: 100%
[26/45] Installing p5-IO-Socket-SSL-2.068...
[26/45] Extracting p5-IO-Socket-SSL-2.068: 100%
[27/45] Installing gnupg1-1.4.23_2...
[27/45] Extracting gnupg1-1.4.23_2: 100%
[28/45] Installing p5-Net-CIDR-Lite-0.21_1...
[28/45] Extracting p5-Net-CIDR-Lite-0.21_1: 100%
[29/45] Installing p5-Mail-SPF-2.9.0_5...
[29/45] Extracting p5-Mail-SPF-2.9.0_5: 100%
[30/45] Installing p5-Mail-DKIM-0.58...
[30/45] Extracting p5-Mail-DKIM-0.58: 100%
[31/45] Installing p5-Net-LibIDN-0.12_5...
[31/45] Extracting p5-Net-LibIDN-0.12_5: 100%
[32/45] Installing re2c-0.14.3...
[32/45] Extracting re2c-0.14.3: 100%
[33/45] Installing p5-Encode-Detect-1.01_1...
[33/45] Extracting p5-Encode-Detect-1.01_1: 100%
[34/45] Installing lua52-5.2.4...
[34/45] Extracting lua52-5.2.4: 100%
[35/45] Installing unbound-1.10.0...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[35/45] Extracting unbound-1.10.0: 100%
[36/45] Installing rubygem-pkg-config-1.4.1...
[36/45] Extracting rubygem-pkg-config-1.4.1: 100%
[37/45] Installing rubygem-native-package-installer-1.0.9...
[37/45] Extracting rubygem-native-package-installer-1.0.9: 100%
[38/45] Installing spamassassin-3.4.4...
===> Creating groups.
Creating group 'spamd' with gid '58'.
===> Creating users
Creating user 'spamd' with uid '58'.
[38/45] Extracting spamassassin-3.4.4: 100%
[39/45] Installing opendkim-2.10.3_11...
[39/45] Extracting opendkim-2.10.3_11: 100%
[40/45] Installing libspf2-1.2.10_2...
[40/45] Extracting libspf2-1.2.10_2: 100%
[41/45] Installing rubygem-glib2-3.4.1...
[41/45] Extracting rubygem-glib2-3.4.1: 100%
[42/45] Installing libev-4.24,1...
[42/45] Extracting libev-4.24,1: 100%
[43/45] Installing spamass-milter-0.4.0_4...
[43/45] Extracting spamass-milter-0.4.0_4: 100%
[44/45] Installing milter-greylist-4.6.2_4...
[44/45] Extracting milter-greylist-4.6.2_4: 100%
[45/45] Installing milter-manager-2.1.1_1...
[45/45] Extracting milter-manager-2.1.1_1: 100%
=====
Message from spamassassin-3.4.4:
--
You should complete the following post-installation tasks:
1) Read /usr/local/share/doc/spamassassin/INSTALL
and /usr/local/share/doc/spamassassin/UPGRADE
BEFORE enabling SpamAssassin for important changes
2) Edit the configuration in /usr/local/etc/mail/spamassassin,
in particular /usr/local/etc/mail/spamassassin/init.pre
You may get lots of annoying (but harmless) error messages
if you skip this step.
3) To run spamd, add the following to /etc/rc.conf:
spamd_enable="YES"
4) If this is a new installation, you should run sa-update
and sa-compile. If this isn't a new installation, you
should probably run those commands on a regular basis
anyway.
5) Install mail/spamass-rules if you want some third-party
spam-catching rulesets
SECURITY NOTE:
By default, spamd runs as root (the AS_ROOT option). If you wish
to change this, add the following to /etc/rc.conf:
spamd_flags="-u spamd -H /var/spool/spamd"
=====
Message from opendkim-2.10.3_11:
--
In order to run this port, write your opendkim.conf and:
if you use sendmail, add the milter socket `socketspec' in
/etc/mail/<your_configuration>.mc:
INPUT_MAIL_FILTER(`dkim-filter', `S=_YOUR_SOCKET_SPEC_, F=T, T=R:2m')
or if you use postfix write your milter socket `socketspec' in
/usr/local/etc/postfix/main.cf:
smtpd_milters = _YOUR_SOCKET_SPEC_
And to run the milter from startup, add milteropendkim_enable="YES" in
your /etc/rc.conf.
Extra options can be found in startup script.
Note: milter sockets must be accessible from postfix/smtpd;
using inet sockets might be preferred.
=====
Message from spamass-milter-0.4.0_4:
--
spamass-milter has been installed, but it must be activated manually.
Please refer to...
/usr/local/share/doc/spamass-milter/activation.txt
...for details.
You may also want to tweak your spamd rc.subr(8) startup flags to
specify a username to switch credentials to when delivering mail, if
applicable.
=====
Message from milter-greylist-4.6.2_4:
--
A sample configuration file has been installed in /usr/local/etc/mail
directory. Copy and edit it to suit your needs before launching
milter-greylist.
Add following lines
dnl j,{if_addr},{cert_subject},i,{auth_authen} are already enabled by default
define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO``, {verify}'')
define(`confMILTER_MACROS_ENVRCPT', confMILTER_MACROS_ENVRCPT``, {greylist}'')
INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock, F=T, T=R:30s')
to your /etc/mail/<your_host>.mc configuration.
To run milter-greylist from startup, add miltergreylist_enable="YES"
in your /etc/rc.conf or your /etc/rc.conf.local
See /usr/local/share/doc/milter-greylist/README for operation details.
=====
Message from milter-manager-2.1.1_1:
--
===> NOTICE:
The milter-manager port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:
https://bugs.freebsd.org/bugzilla
More information about port maintainership is available at:
https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
spamass-milter configuration
①. Enable the SpamAssassin plugin.
vi /usr/local/etc/mail/spamassassin/v310.pre
②. Change the entry from the "before" form to the "after" form.
■ Before
#loadplugin Mail::SpamAssassin::Plugin::TextCat
■ After
loadplugin Mail::SpamAssassin::Plugin::TextCat
③. Edit local.cf.
vi /usr/local/etc/mail/spamassassin/local.cf
④. Set the following contents.
remove_header ham Status
remove_header ham Level
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif
⑤. Enable spamd to start at boot.
vi /etc/rc.conf
⑥. Add the following.
spamd_enable="YES"
⑦. Update the SpamAssassin rule files.
sa-update
⑧. Start sa-spamd.
service sa-spamd start
⑨. Create the spamass-milter directory.
mkdir /var/run/spamass-milter/
chown spamd:spamd /var/run/spamass-milter
⑩. Enable spamass-milter to start at boot.
vi /etc/rc.conf
⑪. Add the following.
spamass_milter_enable="YES"
spamass_milter_user="spamd"
spamass_milter_group="spamd"
spamass_milter_socket="/var/run/spamass-milter/spamass-milter.sock"
spamass_milter_socket_owner="spamd"
spamass_milter_socket_group="mail"
spamass_milter_socket_mode="660"
spamass_milter_localflags="-u spamd -- -u spamd"
⑫. Start spamass-milter.
service spamass-milter start
Starting spamass_milter.
clamav-milter configuration
①. Add the startup settings for clamav-milter.
vi /etc/rc.conf
②. Add the following.
clamav_milter_socket_mode="660"
clamav_milter_socket_group="mail"
③. Start clamav-milter.
service clamav-milter start
Starting clamav_milter.
Waiting for clamav-milter socket..
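Both the spamass-milter and clamav-milter settings above give the milter socket mode 660 and group mail, so that Postfix (which runs in group mail) can connect to the filter while other local users cannot. The following Python script is an added example, not code from this page or from either project, that audits those sockets once the services are running. The two socket paths and the expected group and mode in EXPECTED_SOCKETS are taken from the rc.conf settings on this page and from the milter-manager configuration dump further down (which reports the clamav-milter socket path); the audit_* function names are my own.

```python
import grp
import os
import stat

# Sockets and the group/mode this page's rc.conf settings request for them
# (constructed table: extend it with milter-greylist and milter-manager as needed)
EXPECTED_SOCKETS = {
    "/var/run/spamass-milter/spamass-milter.sock": ("mail", 0o660),
    "/var/run/clamav/clmilter.sock": ("mail", 0o660),
}


def audit_mode(actual_mode, actual_group, is_socket, expected_group, expected_mode):
    """Pure check on already-collected attributes; returns a list of problems (empty = OK).

    actual_mode holds the permission bits only (e.g. 0o660), actual_group the group name.
    """
    problems = []
    if not is_socket:
        problems.append("not a unix socket (stale file, or the milter is not listening here)")
    if actual_group != expected_group:
        problems.append("group is %s, expected %s" % (actual_group, expected_group))
    if actual_mode != expected_mode:
        problems.append("mode is %04o, expected %04o" % (actual_mode, expected_mode))
    if actual_mode & 0o007:
        # world bits set: any local account could talk to the milter directly
        problems.append("world-accessible: any local user could connect to the milter")
    return problems


def audit_socket(path, expected_group, expected_mode):
    """lstat() the socket on disk and run audit_mode on what was found."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s does not exist (is the milter running?)" % path]
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)  # gid without a name in /etc/group
    return audit_mode(stat.S_IMODE(st.st_mode), group,
                      stat.S_ISSOCK(st.st_mode), expected_group, expected_mode)


def audit_all(expected=EXPECTED_SOCKETS):
    """Audit every configured socket; returns {path: [problems]} for those with findings."""
    findings = {}
    for path, (group, mode) in expected.items():
        problems = audit_socket(path, group, mode)
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    for sock_path, sock_problems in audit_all().items():
        for problem in sock_problems:
            print("%s: %s" % (sock_path, problem))
```

Run it as root after `service spamass-milter start` and `service clamav-milter start`; no output means every socket has the expected group and mode.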
milter-greylist configuration
①. Edit greylist.conf.
vi /usr/local/etc/mail/greylist.conf
②. Set the following contents.
pidfile "/var/run/milter-greylist.pid"
socket "/var/milter-greylist/milter-greylist.sock" 660
dumpfile "/var/milter-greylist/greylist.db" 600
dumpfreq 1
user "mailnull:mail"
subnetmatch /24
quiet
list "my network" addr { \
127.0.0.1/8 \
10.0.0.0/8 \
172.16.0.0/12 \
192.168.0.0/24 \
}
list "broken mta" addr { \
12.5.136.141/32 \ # Southwest Airlines (unique sender)
12.5.136.142/32 \ # Southwest Airlines
12.5.136.143/32 \ # Southwest Airlines
12.5.136.144/32 \ # Southwest Airlines
12.107.209.244/32 \ # kernel.org (unique sender)
12.107.209.250/32 \ # sourceware.org (unique sender)
63.82.37.110/32 \ # SLmail
63.169.44.143/32 \ # Southwest Airlines
63.169.44.144/32 \ # Southwest Airlines
64.7.153.18/32 \ # sentex.ca (common pool)
64.12.136.0/24 \ # AOL (common pool)
64.12.137.0/24 \ # AOL
64.12.138.0/24 \ # AOL
64.124.204.39 \ # moveon.org (unique sender)
64.125.132.254/32 \ # collab.net (unique sender)
64.233.160.0/19 \ # Google
66.94.237.16/28 \ # Yahoo Groups servers (common pool)
66.94.237.32/28 \ # Yahoo Groups servers (common pool)
66.94.237.48/30 \ # Yahoo Groups servers (common pool)
66.100.210.82/32 \ # Groupwise?
66.135.192.0/19 \ # Ebay
66.162.216.166/32 \ # Groupwise?
66.206.22.82/32 \ # Plexor
66.206.22.83/32 \ # Plexor
66.206.22.84/32 \ # Plexor
66.206.22.85/32 \ # Plexor
66.218.66.0/23 \ # Yahoo Groups servers (common pool)
66.218.67.0/23 \ # Yahoo Groups servers (common pool)
66.218.68.0/23 \ # Yahoo Groups servers (common pool)
66.218.69.0/23 \ # Yahoo Groups servers (common pool)
66.27.51.218/32 \ # ljbtc.com (Groupwise)
66.102.0.0/20 \ # Google
66.249.80.0/20 \ # Google
72.14.192.0/18 \ # Google
74.125.0.0/16 \ # Google
152.163.225.0/24 \ # AOL
194.245.101.88/32 \ # Joker.com
195.235.39.19/32 \ # Tid InfoMail Exchanger v2.20
195.238.2.0/24 \ # skynet.be (wierd retry pattern, common pool)
195.238.3.0/24 \ # skynet.be
195.46.220.208/32 \ # mgn.net
195.46.220.209/32 \ # mgn.net
195.46.220.210/32 \ # mgn.net
195.46.220.211/32 \ # mgn.net
195.46.220.221/32 \ # mgn.net
195.46.220.222/32 \ # mgn.net
195.238.2.0/24 \ # skynet.be (wierd retry pattern)
195.238.3.0/24 \ # skynet.be
204.107.120.10/32 \ # Ameritrade (no retry)
205.188.0.0/16 \ # AOL
205.206.231.0/24 \ # SecurityFocus.com (unique sender)
207.115.63.0/24 \ # Prodigy - retries continually
207.171.168.0/24 \ # Amazon.com
207.171.180.0/24 \ # Amazon.com
207.171.187.0/24 \ # Amazon.com
207.171.188.0/24 \ # Amazon.com
207.171.190.0/24 \ # Amazon.com
209.132.176.174/32 \ # sourceware.org mailing lists (unique sender)
209.85.128.0/17 \ # Google
211.29.132.0/24 \ # optusnet.com.au (wierd retry pattern)
213.136.52.31/32 \ # Mysql.com (unique sender)
216.33.244.0/24 \ # Ebay
216.239.32.0/19 \ # Google
217.158.50.178/32 \ # AXKit mailing list (unique sender)
}
racl continue from /.*/ addheader "X-Greylist: inspected by %V for IP:'%i' DOMAIN:'%d' HELO:'%h' FROM:'%f' RCPT:'%r'"
racl whitelist list "my network"
racl whitelist list "broken mta"
racl whitelist tarpit 125s
racl greylist default
③. Enable milter-greylist to start at boot.
vi /etc/rc.conf
④. Add the following.
miltergreylist_enable="YES"
miltergreylist_runas="mailnull:mail"
⑤. Start milter-greylist.
service milter-greylist start
Starting miltergreylist.
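milter-greylist evaluates the racl rules in order and the first matching rule wins, so a connecting address must fall inside one of the addr lists above to be whitelisted; everything else reaches the final `racl greylist default`. The following Python script is an added example, not part of this page or of milter-greylist, that parses the `list "..." addr { ... }` blocks and the `racl ... list` rules and reports which rule a given address would hit. Run over a constructed excerpt of the configuration above it shows two things worth knowing before going live: 192.168.0.0/24 whitelists only 192.168.0.x rather than the whole 192.168.0.0/16 private range, and 195.238.2.0/24 and 195.238.3.0/24 appear twice in the "broken mta" list. The function names are my own.

```python
import ipaddress
import re

# Constructed excerpt in the page's greylist.conf syntax (a few entries of each list,
# including the duplicated skynet.be entries and the /24-only private range)
SAMPLE_CONF = r'''
list "my network" addr { \
127.0.0.1/8 \
10.0.0.0/8 \
172.16.0.0/12 \
192.168.0.0/24 \
}
list "broken mta" addr { \
64.124.204.39 \ # moveon.org (unique sender)
64.233.160.0/19 \ # Google
195.238.2.0/24 \ # skynet.be (wierd retry pattern, common pool)
195.238.3.0/24 \ # skynet.be
195.238.2.0/24 \ # skynet.be (wierd retry pattern)
195.238.3.0/24 \ # skynet.be
}
racl whitelist list "my network"
racl whitelist list "broken mta"
racl greylist default
'''

LIST_HEADER = re.compile(r'^list\s+"([^"]+)"\s+addr\s*\{')
RACL_LIST = re.compile(r'^racl\s+(\S+)\s+list\s+"([^"]+)"')


def parse_greylist_conf(text):
    """Return (lists, racl): lists maps a list name to [(token, network)], racl is the
    ordered [(action, list name)] taken from the `racl <action> list "..."` rules."""
    lists, racl, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop trailing comment
        line = line.rstrip('\\').strip()      # drop the line-continuation backslash
        if not line:
            continue
        if current is not None:
            if line.startswith('}'):
                current = None
                continue
            token = line.split()[0]
            # strict=False keeps entries like 127.0.0.1/8 usable (normalised to
            # 127.0.0.0/8); a bare address such as 64.124.204.39 becomes a /32
            lists[current].append((token, ipaddress.ip_network(token, strict=False)))
            continue
        m = LIST_HEADER.match(line)
        if m:
            current = m.group(1)
            lists.setdefault(current, [])
            continue
        m = RACL_LIST.match(line)
        if m:
            racl.append((m.group(1), m.group(2)))
    return lists, racl


def decide(lists, racl, ip):
    """First matching `racl <action> list` rule wins, mirroring milter-greylist's
    in-order evaluation; None means no list matched (the address gets greylisted)."""
    addr = ipaddress.ip_address(ip)
    for action, name in racl:
        if any(addr in net for _, net in lists.get(name, [])):
            return action, name
    return None


def duplicate_entries(lists):
    """Networks that occur more than once within the same list (after normalisation)."""
    dups = {}
    for name, entries in lists.items():
        seen = set()
        for _, net in entries:
            if net in seen:
                dups.setdefault(name, []).append(str(net))
            seen.add(net)
    return dups


def normalised_entries(lists):
    """Entries whose written form is not the canonical network (host bits set, or no prefix)."""
    return [(name, tok, str(net))
            for name, entries in lists.items()
            for tok, net in entries if tok != str(net)]


if __name__ == "__main__":
    lists, racl = parse_greylist_conf(SAMPLE_CONF)
    for ip in ("192.168.0.10", "192.168.1.10", "64.233.170.5"):
        print(ip, decide(lists, racl, ip))
    print("duplicates:", duplicate_entries(lists))
```

To check the real file, replace SAMPLE_CONF with the contents of /usr/local/etc/mail/greylist.conf; the parser ignores lines it does not understand (for example `racl whitelist tarpit 125s`), so it is safe to feed it the whole file.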
milter-opendkim configuration
①. Edit opendkim.conf.
vi /usr/local/etc/mail/opendkim.conf
②. Set the following contents.
Canonicalization simple/simple
Domain ドメイン名
KeyFile /var/db/dkim/ドメイン名.private
LogWhy yes
Mode sv
ReportAddress "DKIM Error Postmaster" <postmaster@ドメイン名>
Selector ドメイン名
SendReports yes
Socket local:/var/run/milteropendkim/socket
SubDomains yes
Syslog yes
SyslogSuccess yes
UMask 022
③. Create the key directory.
mkdir /var/db/dkim
chmod 700 /var/db/dkim
④. Generate the signing key files.
opendkim-genkey -D /var/db/dkim -d ドメイン名 -s ドメイン名
⑤. Set the ownership.
chown -R mailnull:mailnull /var/db/dkim
⑥. Confirm that the key files were created.
[root@FreeBSD ~]# ls -l /var/db/dkim
合計 8K
-rw------- 1 mailnull mailnull 887 4月 30 00:28 ドメイン名.private
-rw------- 1 mailnull mailnull 323 4月 30 00:28 ドメイン名.txt
⑦. Enable milter-opendkim to start at boot.
vi /etc/rc.conf
⑧. Add the following.
milteropendkim_enable="YES"
⑨. Start milter-opendkim.
service milter-opendkim start
Starting milteropendkim.
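opendkim-genkey writes two files: the private key that opendkim.conf points at with KeyFile, and a .txt file holding the matching public key in zone-file form, split into several quoted strings. That record has to be published as a TXT record at selector._domainkey.domain, otherwise receivers cannot verify the signatures opendkim adds in Mode sv. The following Python script is an added example, not code from this page or from OpenDKIM, that flattens the .txt file into the single TXT value, checks its tags, and compares it with what `dig +short TXT` returns after publication. The sample .txt content, the selector mail, the domain example.com and the p= value are constructed (the key material is not a real key); the function names are my own.

```python
import base64
import re

# Constructed sample in the layout opendkim-genkey writes to <selector>.txt; the p= value
# is made-up base64 that only starts like a real 1024-bit RSA SubjectPublicKeyInfo
SAMPLE_TXT_FILE = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ"\n'
    '\t  "CONSTRUCTEDNOTAREALKEY" )  ; ----- DKIM key mail for example.com\n'
)

QUOTED = re.compile(r'"([^"]*)"')
# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), present in every RSA public key
RSA_OID_DER = bytes.fromhex("2a864886f70d010101")


def flatten_genkey_txt(text):
    """Join the quoted pieces of an opendkim-genkey .txt file into the one TXT value the
    zone must carry. Returns (owner name, record)."""
    owner = text.split()[0]
    return owner, "".join(QUOTED.findall(text))


def parse_dkim_tags(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(';'):
        part = part.strip()
        if part:
            key, _, value = part.partition('=')
            tags[key.strip()] = value.strip()
    return tags


def check_dkim_record(record):
    """Return the problems found in a DKIM TXT record; an empty list means it looks publishable."""
    problems = []
    tags = parse_dkim_tags(record)
    if tags.get('v') != 'DKIM1':
        problems.append('v tag must be DKIM1')
    if tags.get('k', 'rsa') != 'rsa':          # k defaults to rsa when absent
        problems.append('unexpected key type ' + tags['k'])
    p = tags.get('p', '')
    if not p:
        problems.append('p tag missing or empty (an empty p means the key is revoked)')
        return problems
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        problems.append('p tag is not valid base64')
        return problems
    if RSA_OID_DER not in der:
        problems.append('p tag does not decode to an RSA SubjectPublicKeyInfo')
    return problems


def matches_published(record, dig_answer_strings):
    """`dig +short TXT mail._domainkey.example.com` prints the record as one or more quoted
    strings; resolvers concatenate them, so compare the concatenation with the key file."""
    return "".join(dig_answer_strings) == record


if __name__ == "__main__":
    owner, record = flatten_genkey_txt(SAMPLE_TXT_FILE)
    print(owner, record)
    print("problems:", check_dkim_record(record))
```

On the real server read /var/db/dkim/<selector>.txt into flatten_genkey_txt (as root, since the directory is mode 700), publish the returned record, and pass the strings from `dig +short TXT <selector>._domainkey.<domain>` to matches_published; a mismatch usually means the record was pasted with a string boundary lost or with the base64 wrapped.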
milter-manager configuration
①. Create the directory.
mkdir -p /var/run/milter-manager
②. Enable milter-manager to start at boot.
vi /etc/rc.conf
③. Add the following.
miltermanager_enable="YES"
#miltermanager_debug="YES"
Setting miltermanager_debug makes milter-manager write detailed logs.
④. Start milter-manager.
service milter-manager start
Starting miltermanager.
⑤. Check the milter-manager configuration.
milter-manager -u milter-manager --show-config
⑥. Confirm that the output looks like the following.
[root@~]# milter-manager -u milter-manager --show-config
failed to find password entry for effective user: milter-manager
# default
package.platform = "ホスト名"
# default
package.options = nil
# /usr/local/etc/milter-manager/defaults/ホスト名.conf:3
security.privilege_mode = true
# default
security.effective_user = "milter-manager"
# default
security.effective_group = nil
# default
log.level = "default"
# default
log.path = nil
# default
log.use_syslog = true
# default
log.syslog_facility = "mail"
# default
manager.connection_spec = "unix:/var/run/milter-manager/milter-manager.sock"
# default
manager.unix_socket_mode = 0660
# default
manager.unix_socket_group = nil
# default
manager.remove_unix_socket_on_create = true
# default
manager.remove_unix_socket_on_close = true
# default
manager.daemon = false
# default
manager.pid_file = nil
# default
manager.maintenance_interval = 10
# default
manager.suspend_time_on_unacceptable = 5
# default
manager.max_connections = 0
# default
manager.max_file_descriptors = 0
# default
manager.custom_configuration_directory = nil
# default
manager.fallback_status = "accept"
# default
manager.fallback_status_at_disconnect = "temporary-failure"
# default
manager.event_loop_backend = "glib"
# default
manager.n_workers = 0
# default
manager.packet_buffer_size = 0
# default
manager.connection_check_interval = 0
# default
manager.chunk_size = 65535
# default
manager.max_pending_finished_sessions = 0
# default
controller.connection_spec = nil
# default
controller.unix_socket_mode = 0660
# default
controller.unix_socket_group = nil
# default
controller.remove_unix_socket_on_create = true
# default
controller.remove_unix_socket_on_close = true
# default
database.type = nil
# default
database.name = nil
# default
database.host = nil
# default
database.port = nil
# default
database.path = nil
# default
database.user = nil
# default
database.password = nil
# /usr/local/etc/milter-manager/applicable-conditions/dnsbl.conf:99
define_applicable_condition("DNSBL Listed") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/dnsbl.conf:100
condition.description = "Apply a milter only when connected host is listed in DNS-based Blackhole List"
end
# /usr/local/etc/milter-manager/applicable-conditions/dnsbl.conf:109
define_applicable_condition("Not DNSBL Listed") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/dnsbl.conf:110
condition.description = "Apply a milter only when connected host is not listed in DNS-based Blackhole List"
end
# /usr/local/etc/milter-manager/applicable-conditions/remote-network.conf:25
define_applicable_condition("Remote Network") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/remote-network.conf:26
condition.description = "Apply milter only if connected from remote network"
end
# /usr/local/etc/milter-manager/applicable-conditions/s25r.conf:70
define_applicable_condition("S25R") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/s25r.conf:71
condition.description = "Selective SMTP Rejection"
end
# /usr/local/etc/milter-manager/applicable-conditions/sendmail-compatible.conf:5
define_applicable_condition("Sendmail Compatible") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/sendmail-compatible.conf:6
condition.description = "Make a milter depends on Sendmail workable with Postfix"
end
# /usr/local/etc/milter-manager/applicable-conditions/stress.conf:25
define_applicable_condition("Stress Notify") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/stress.conf:26
condition.description = "Define stress=yes macro when stress situation"
end
# /usr/local/etc/milter-manager/applicable-conditions/stress.conf:34
define_applicable_condition("No Stress") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/stress.conf:35
condition.description = "Apply milter only when normal condition"
end
# /usr/local/etc/milter-manager/applicable-conditions/trust.conf:87
define_applicable_condition("Trust") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/trust.conf:88
condition.description = "Set {trusted_*}=yes macros for trusted session"
end
# /usr/local/etc/milter-manager/applicable-conditions/authentication.conf:3
define_applicable_condition("Authenticated") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/authentication.conf:4
condition.description = "Apply a milter only when sender is authorized"
end
# /usr/local/etc/milter-manager/applicable-conditions/authentication.conf:11
define_applicable_condition("Unauthenticated") do |condition|
# /usr/local/etc/milter-manager/applicable-conditions/authentication.conf:12
condition.description = "Apply a milter only when sender is not authorized"
end
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-greylist") do |milter|
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/var/milter-greylist/milter-greylist.sock"
# default
milter.description = nil
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
# default
milter.evaluation_mode = false
milter.applicable_conditions = [
# default
"Sendmail Compatible",
# default
"Stress Notify",
# default
"Trust",
# default
"Remote Network",
# default
"S25R",
# default
"Unauthenticated",
]
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:39
milter.command = "/usr/local/etc/rc.d/milter-greylist"
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:40
milter.command_options = "start"
# default
milter.user_name = nil
# default
milter.connection_timeout = 297.0
# /usr/local/lib/milter-manager/binding/lib/milter/manager/milter-greylist-config-parser.rb:60
milter.writing_timeout = 132.0
# /usr/local/lib/milter-manager/binding/lib/milter/manager/milter-greylist-config-parser.rb:61
milter.reading_timeout = 132.0
# default
milter.end_of_message_timeout = 297.0
end
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("clamav-milter") do |milter|
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/var/run/clamav/clmilter.sock"
# default
milter.description = nil
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
# default
milter.evaluation_mode = false
# default
milter.applicable_conditions = []
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:39
milter.command = "/usr/local/etc/rc.d/clamav-milter"
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:40
milter.command_options = "start"
# default
milter.user_name = nil
# default
milter.connection_timeout = 297.0
# default
milter.writing_timeout = 7.0
# default
milter.reading_timeout = 7.0
# default
milter.end_of_message_timeout = 297.0
end
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-opendkim") do |milter|
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "local:/var/run/milteropendkim/socket"
# default
milter.description = nil
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
# default
milter.evaluation_mode = false
# default
milter.applicable_conditions = []
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:39
milter.command = "/usr/local/etc/rc.d/milter-opendkim"
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:40
milter.command_options = "start"
# default
milter.user_name = nil
# default
milter.connection_timeout = 297.0
# default
milter.writing_timeout = 7.0
# default
milter.reading_timeout = 7.0
# default
milter.end_of_message_timeout = 297.0
end
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("spamass-milter") do |milter|
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/var/run/spamass-milter/spamass-milter.sock"
# default
milter.description = nil
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
# default
milter.evaluation_mode = false
milter.applicable_conditions = [
# default
"Remote Network",
# default
"Unauthenticated",
# default
"No Stress",
]
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:39
milter.command = "/usr/local/etc/rc.d/spamass-milter"
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:40
milter.command_options = "start"
# default
milter.user_name = nil
# default
milter.connection_timeout = 297.0
# default
milter.writing_timeout = 7.0
# default
milter.reading_timeout = 7.0
# default
milter.end_of_message_timeout = 297.0
end
⑦. Confirm that "milter.enabled = true" is shown.
■milter-greylist
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-greylist") do |milter|
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/var/milter-greylist/milter-greylist.sock"
# default
milter.description = nil
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
■clamav-milter
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("clamav-milter") do |milter|
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/var/run/clamav/clmilter.sock"
# default
milter.description = nil
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
■milter-opendkim
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-opendkim") do |milter|
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "local:/var/run/milteropendkim/socket"
# default
milter.description = nil
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
■spamass-milter
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("spamass-milter") do |milter|
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/var/run/spamass-milter/spamass-milter.sock"
# default
milter.description = nil
# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
This must be checked for each milter.
⑧. Check that milter-manager works.
milter-test-server -s unix:/var/run/milter-manager/milter-manager.sock
⑨. Confirm that the output looks like the following.
status: accept
elapsed-time: 0.246534 seconds
7.Blacklistd configuration
①. Edit blacklistd.conf.
vi /etc/blacklistd.conf
②. Add the following.
smtp stream * * * 3 24h
smtps stream * * * 3 24h
submission stream * * * 3 24h
imap stream * * * 3 24h
imaps stream * * * 3 24h
pop3 stream * * * 3 24h
pop3s stream * * * 3 24h
③. Restart blacklistd.
service blacklistd restart
Waiting for PIDS: xxxx.
Starting blacklistd.
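Each blacklistd.conf line above has the fields location, type, proto, owner, name, nfail and disable: after 3 failed logins to that service a source address is blocked for 24h. The following Python script is an added example, not code from this page or from blacklistd, that parses these lines and models the failure counting so the threshold and the block duration can be checked before the packet-filter rules are relied on. The constructed rule set, the 203.0.113.0/24 test addresses and the simplifying assumption that a successful login clears the failure count are mine; the class and function names are my own.

```python
import re
from collections import defaultdict

# Constructed copy of three of the rules on this page
# (fields: location type proto owner name nfail disable)
SAMPLE_CONF = """\
# location   type   proto owner name nfail disable
smtp         stream *     *     *    3     24h
submission   stream *     *     *    3     24h
imaps        stream *     *     *    3     24h
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """'24h' -> 86400; a bare number is taken as seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text)
    if not m:
        raise ValueError("bad duration: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_blacklistd_conf(text):
    """Return {location: rule dict}; nfail becomes an int and disable is in seconds."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError("expected 7 fields: %r" % line)
        location, ltype, proto, owner, name, nfail, disable = fields
        rules[location] = {"type": ltype, "proto": proto, "owner": owner, "name": name,
                           "nfail": int(nfail), "disable": parse_duration(disable)}
    return rules


class BlockState:
    """Minimal model of blacklistd's bookkeeping: count failures per (service, source)
    and block for `disable` seconds once `nfail` failures have been seen.
    Simplifying assumption: a successful login clears the failure count for that source."""

    def __init__(self, rules):
        self.rules = rules
        self.failures = defaultdict(int)   # (service, ip) -> failed attempts
        self.blocked_until = {}            # (service, ip) -> expiry timestamp

    def report(self, service, ip, ts, failed=True):
        """Feed one authentication result; returns True if ip is blocked afterwards."""
        rule = self.rules.get(service)
        if rule is None:
            return False                   # service not covered by the config
        key = (service, ip)
        if self.is_blocked(service, ip, ts):
            return True
        if not failed:
            self.failures.pop(key, None)
            return False
        self.failures[key] += 1
        if self.failures[key] >= rule["nfail"]:
            self.blocked_until[key] = ts + rule["disable"]
            return True
        return False

    def is_blocked(self, service, ip, ts):
        """True while the block is in force; an expired block is cleared on the way out."""
        key = (service, ip)
        expiry = self.blocked_until.get(key)
        if expiry is None:
            return False
        if ts >= expiry:
            del self.blocked_until[key]
            self.failures.pop(key, None)
            return False
        return True


if __name__ == "__main__":
    state = BlockState(parse_blacklistd_conf(SAMPLE_CONF))
    for t in (1000, 1010, 1020):
        print(t, state.report("smtp", "203.0.113.7", t))
```

The live state on the server is shown by `blacklistctl dump -b`; comparing its entries with what this model predicts for a known sequence of failed logins is a quick way to confirm that Postfix and Dovecot are actually reporting failures to blacklistd.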