I set up a mail server environment on FreeBSD 12.
Since I built it to meet the conditions below, I decided to write down
the settings I used as notes.

Conditions

  • Keep the server from being infected by viruses.
  • Be able to filter out SPAM mail.
  • Build an environment that is strong in stability and security.

To meet the conditions above, I decided to build it with the following components.

  • postfix
  • dovecot
  • clamav
  • clamav-milter
  • spamass-milter
  • milter-greylist
  • milter-manager
  • blacklistd

Notes

  • Because the configuration is extensive, only the relevant settings are excerpted here.
  • The Ports Collection must be usable.

1. Installing clamav

①. Install clamav.

pkg install clamav

②. Output from the installation.

[root@FreeBSD ~]# pkg install clamav
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 5 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        arc: 5.21p
        arj: 3.10.22_8
        clamav: 0.102.2,1
        libltdl: 2.4.6
        unzoo: 4.4_2

Number of packages to be installed: 5

The process will require 6 MiB more space.
2 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/5] Fetching clamav-0.102.2,1.txz: 100%    1 MiB   1.3MB/s    00:01
[2/5] Fetching libltdl-2.4.6.txz: 100%   37 KiB  38.3kB/s    00:01
[3/5] Fetching unzoo-4.4_2.txz: 100%   17 KiB  17.8kB/s    00:01
[4/5] Fetching arj-3.10.22_8.txz: 100%  196 KiB 200.7kB/s    00:01
[5/5] Fetching arc-5.21p.txz: 100%   52 KiB  52.8kB/s    00:01
Checking integrity... done (0 conflicting)
[1/5] Installing libltdl-2.4.6...
[1/5] Extracting libltdl-2.4.6: 100%
[2/5] Installing unzoo-4.4_2...
[2/5] Extracting unzoo-4.4_2: 100%
[3/5] Installing arj-3.10.22_8...
[3/5] Extracting arj-3.10.22_8: 100%
[4/5] Installing arc-5.21p...
[4/5] Extracting arc-5.21p: 100%
[5/5] Installing clamav-0.102.2,1...
===> Creating groups.
Creating group 'clamav' with gid '106'.
Using existing group 'mail'.
===> Creating users
Creating user 'clamav' with uid '106'.
Adding user 'clamav' to group 'mail'.
[5/5] Extracting clamav-0.102.2,1: 100%

③. Configure it to start at boot.

vi /etc/rc.conf

④. Add the following.

clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"

This enables clamav and keeps the virus definition files updated (freshclam).

⑤. Edit clamd.conf.

vi /usr/local/etc/clamd.conf

⑥. Set the following.

LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
User clamav
ScanPE yes
ScanOLE2 yes
ScanMail yes
ScanHTML yes
ScanArchive yes

⑦. Start clamav-freshclam.

/usr/local/etc/rc.d/clamav-freshclam start

Starting clamav_freshclam.

⑧. Update the virus definition files.

freshclam

⑨. Confirm that output like the following is shown.

ClamAV update process started at Wed Apr 29 02:25:48 2020
daily.cvd database is up to date (version: 25796, sigs: 2307772, f-level: 63, builder: raynman)
main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)

⑩. Start clamav (clamd).

/usr/local/etc/rc.d/clamav-clamd start

Starting clamav_clamd.

⑪. Edit clamav-milter.conf.

vi /usr/local/etc/clamav-milter.conf

⑫. Add the following.

MilterSocket /var/run/clamav/clmilter.sock
MilterSocketMode 660
FixStaleSocket yes
User clamav
PidFile /var/run/clamav/clamav-milter.pid
ClamdSocket unix:/var/run/clamav/clamd.sock
MaxFileSize 100M
OnInfected Reject
AddHeader Replace
VirusAction /usr/local/bin/my_infected_message_handler.sh
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Full

⑬. Create my_infected_message_handler.sh.

vi /usr/local/bin/my_infected_message_handler.sh

⑭. Add the following.

#!/bin/sh
# Invoked by clamav-milter's VirusAction with these arguments, in order:
# virus name, queue id, sender, destination, subject, message id, message date.

cat << EOM | mail -s "Virus Found by clamav-milter" root

-------------------------------------------------------
Virus Mail Information
-------------------------------------------------------
Queue-id: $2
Message-id: $6
Date:  $7
Subject: $5
Sender:  $3
Destination:  $4
Virus Name: $1
-------------------------------------------------------

EOM

⑮. Make it executable.

chmod +x /usr/local/bin/my_infected_message_handler.sh

2. Installing procmail

①. Install procmail.

pkg install procmail

②. Output from the installation.

[root@FreeBSD ~]# pkg install procmail
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        procmail: 3.22_10

Number of packages to be installed: 1

139 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching procmail-3.22_10.txz: 100%  139 KiB 142.1kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing procmail-3.22_10...
[1/1] Extracting procmail-3.22_10: 100%

③. Create procmailrc.

vi /usr/local/etc/procmailrc

④. Add the following.

SHELL=/bin/sh
PATH=/bin:/usr/bin:/usr/local/bin
DROPPRIVS=yes
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
#LOGFILE=$MAILDIR/procmail.log

# discard mail whose Subject contains "sexy"
:0
* ^Subject: .*sexy.*
/dev/null

3. Installing cyrus-sasl and cyrus-sasl-saslauthd

SASL authentication is used for SMTP AUTH.

①. Install cyrus-sasl and cyrus-sasl-saslauthd.

pkg install cyrus-sasl cyrus-sasl-saslauthd

②. Output from the installation.

[root@FreeBSD ]# pkg install cyrus-sasl cyrus-sasl-saslauthd
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        cyrus-sasl: 2.1.27_1
        cyrus-sasl-saslauthd: 2.1.27_1

Number of packages to be installed: 2

The process will require 8 MiB more space.
1 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/2] Fetching cyrus-sasl-2.1.27_1.txz: 100%  959 KiB 982.2kB/s    00:01
[2/2] Fetching cyrus-sasl-saslauthd-2.1.27_1.txz: 100%   42 KiB  42.6kB/s    00:01
Checking integrity... done (0 conflicting)
[1/2] Installing cyrus-sasl-2.1.27_1...
*** Added group `cyrus' (id 60)
*** Added user `cyrus' (id 60)
[1/2] Extracting cyrus-sasl-2.1.27_1: 100%
[2/2] Installing cyrus-sasl-saslauthd-2.1.27_1...
[2/2] Extracting cyrus-sasl-saslauthd-2.1.27_1: 100%
=====
Message from cyrus-sasl-2.1.27_1:

--
You can use sasldb2 for authentication, to add users use:

        saslpasswd2 -c username

If you want to enable SMTP AUTH with the system Sendmail, read
Sendmail.README

NOTE: This port has been compiled with a default pwcheck_method of
      auxprop.  If you want to authenticate your user by /etc/passwd,
      PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
      set sasl_pwcheck_method to saslauthd after installing the
      Cyrus-IMAPd 2.X port.  You should also check the
      /usr/local/lib/sasl2/*.conf files for the correct
      pwcheck_method.
      If you want to use GSSAPI mechanism, install
      ports/security/cyrus-sasl2-gssapi.
      If you want to use SRP mechanism, install
      ports/security/cyrus-sasl2-srp.
      If you want to use LDAP auxprop plugin, install
      ports/security/cyrus-sasl2-ldapdb.
=====
Message from cyrus-sasl-saslauthd-2.1.27_1:

--
To run saslauthd from startup, add saslauthd_enable="YES" in your
/etc/rc.conf.

③. Configure it to start at boot.

vi /etc/rc.conf

④. Add the following.

saslauthd_enable="YES"
saslauthd_flags="-a sasldb"

4. Installing postfix

Rebuild it from ports and use that build.

①. Move to the postfix port directory.

cd /usr/ports/mail/postfix/

②. Set the build options.

make config

③. Change the options to the "after" settings.

■Before

[ ] BDB         Berkeley DB support                                      
[x] BLACKLISTD  Enable blacklistd support (FreeBSD 11.0 and later only)  
[ ] CDB         CDB maps lookups                                         
[x] DOCS        Build and/or install documentation                       
[x] EAI         Email Address Internationalization (SMTPUTF8) support    
[ ] INST_BASE   Install into /usr and /etc/postfix                       
[ ] LDAP        LDAP maps (uses WITH_OPENLDAP_VER)                       
[ ] LDAP_SASL   LDAP client-to-server SASL auth                          
[ ] LMDB        LMDB maps                                                
[ ] MYSQL       MySQL database support                                   
[ ] NIS         Network Information Services/YP support                  
[x] PCRE        Use Perl Compatible Regular Expressions                  
[ ] PGSQL       PostgreSQL database support                              
[ ] SASL        Cyrus SASL support (Dovecot SASL is always built in)     
[ ] SQLITE      SQLite database support                                  
[ ] TEST        SMTP/LMTP test server and generator                      
[x] TLS         Secure network connection support via TLS                
-------------- Kerberos network authentication protocol type ------------
( ) SASLKRB5    If your SASL req. Kerberos5, select this                 
( ) SASLKMIT    If your SASL req. MIT Kerberos5, select this

■After

[ ] BDB         Berkeley DB support                                      
[x] BLACKLISTD  Enable blacklistd support (FreeBSD 11.0 and later only)  
[ ] CDB         CDB maps lookups                                         
[x] DOCS        Build and/or install documentation                       
[x] EAI         Email Address Internationalization (SMTPUTF8) support    
[ ] INST_BASE   Install into /usr and /etc/postfix                       
[ ] LDAP        LDAP maps (uses WITH_OPENLDAP_VER)                       
[ ] LDAP_SASL   LDAP client-to-server SASL auth                          
[ ] LMDB        LMDB maps                                                
[ ] MYSQL       MySQL database support                                   
[ ] NIS         Network Information Services/YP support                  
[x] PCRE        Use Perl Compatible Regular Expressions                  
[ ] PGSQL       PostgreSQL database support                              
[x] SASL        Cyrus SASL support (Dovecot SASL is always built in)     
[ ] SQLITE      SQLite database support                                  
[ ] TEST        SMTP/LMTP test server and generator                      
[x] TLS         Secure network connection support via TLS                
------------- Kerberos network authentication protocol type -------------
( ) SASLKRB5    If your SASL req. Kerberos5, select this                 
( ) SASLKMIT    If your SASL req. MIT Kerberos5, select this  

④. Check the option information.

cat /usr/ports/mail/postfix/Makefile

⑤. The following lines are the option descriptions.

BLACKLISTD_DESC=        Enable blacklistd support (FreeBSD 11.0 and later only)
CDB_DESC=       CDB maps lookups
EAI_DESC=       Email Address Internationalization (SMTPUTF8) support
INST_BASE_DESC= Install into /usr and /etc/postfix
LDAP_DESC=      LDAP maps (uses WITH_OPENLDAP_VER)
LDAP_SASL_DESC= LDAP client-to-server SASL auth
LMDB_DESC=      LMDB maps
TEST_DESC=      SMTP/LMTP test server and generator

SASL_DESC=      Cyrus SASL support (Dovecot SASL is always built in)
RG1_DESC=       Kerberos network authentication protocol type
SASLKRB5_DESC=  If your SASL req. Kerberos5, select this
SASLKMIT_DESC=  If your SASL req. MIT Kerberos5, select this

⑥. Edit pkgtools.conf.

vi /usr/local/etc/pkgtools.conf

⑦. Add the following under MAKE_ARGS.

'mail/postfix' => [
'BLACKLISTD_DESC=yes',
'DOCS_DESC=yes',
'EAI_DESC=yes',
'PCRE_DESC=yes',
'SASL_DESC=yes',
'TLS_DESC=yes',
],

⑧. Run the rebuild.

portinstall postfix

You can also rebuild with make instead (run from the port directory):

make install clean

⑨. Confirm that output like the following is shown.

Installing postfix-3.5.1_1,1...
===> Creating groups.
Using existing group 'mail'.
Creating group 'maildrop' with gid '126'.
Creating group 'postfix' with gid '125'.
===> Creating users
Creating user 'postfix' with uid '125'.
===> Creating homedir(s)
Adding user 'postfix' to group 'mail'.

===============================================================
Postfix was *not* activated in /usr/local/etc/mail/mailer.conf!

To finish installation run the following commands:

  mkdir -p /usr/local/etc/mail
  install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
===============================================================

To use postfix instead of sendmail:
  - clear sendmail queue and stop the sendmail daemons

Run the following commands to enable postfix during startup:
  - sysrc postfix_enable="YES"
  - sysrc sendmail_enable="NONE"

If postfix is *not* already activated in /usr/local/etc/mail/mailer.conf
  - mv /usr/local/etc/mail/mailer.conf /usr/local/etc/mail/mailer.conf.old
  - install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf

Disable sendmail(8) specific tasks,
add the following lines to /etc/periodic.conf(.local):
  daily_clean_hoststat_enable="NO"
  daily_status_mail_rejects_enable="NO"
  daily_status_include_submit_mailq="NO"
  daily_submit_queuerun="NO"

If you are using SASL, you need to make sure that postfix has access to read
the sasldb file.  This is accomplished by adding postfix to group mail and
making the /usr/local/etc/sasldb* file(s) readable by group mail (this should
be the default for new installs).

===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/lib/postfix/libpostfix-util.so

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/postfix

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://www.postfix.org/
===>  Cleaning for postfix-3.5.1_1,1
--->  Installation of mail/postfix ended at: Wed, 29 Apr 2020 10:56:39 +0900 (consumed 00:00:05)
--->  Saving the log as '/var/tmp/portupgrade-mail::postfix.log'
--->  Fresh installation of mail/postfix ended at: Wed, 29 Apr 2020 10:56:39 +0900 (consumed 00:02:18)
--->  ** Install tasks 1: 1 done, 0 ignored, 0 skipped and 0 failed
--->  Listing the results (+:done / -:ignored / *:skipped / !:failed)
        + mail/postfix
--->  Packages processed: 1 done, 0 ignored, 0 skipped and 0 failed
--->  Session ended at: Wed, 29 Apr 2020 10:56:39 +0900 (consumed 00:02:23)

⑩. Lock the package so it is not updated automatically.

pkg lock postfix

postfix-3.5.1_1,1: lock this package? [y/N]: y
Locking postfix-3.5.1_1,1

⑪. Disable the Sendmail periodic tasks.

vi /etc/periodic.conf

⑫. Add the following.

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

⑬. Disable Sendmail.

vi /etc/rc.conf

⑭. Add the following.

sendmail_enable="NO"
sendmail_submit_enable="NO" 
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

⑮. Configure postfix to start at boot.

vi /etc/rc.conf

⑯. Add the following.

postfix_enable="YES"

⑰. Create mailer.conf.

mkdir -p /usr/local/etc/mail

install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf

⑱. Edit main.cf.

vi /usr/local/etc/postfix/main.cf

⑲. Add the following.

compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = HOSTNAME
mydomain = DOMAIN
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/local/bin/procmail
smtpd_banner = $myhostname ESMTP unknown
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix


#Additional settings

allow_percent_hack = no

#Disable the SMTP VRFY command.
#VRFY is a command that checks whether an account exists.
#Disabling it prevents account harvesting by malicious programs that probe random user names.
disable_vrfy_command = yes

#Accept the non-standard AUTH syntax used by older mail clients (broken SASL clients)
broken_sasl_auth_clients = yes

#The sending client presents an account name and password and is authenticated by the mail server (SASL authentication)
smtpd_sasl_auth_enable = yes

#Show the authenticated user name in the Received header.
smtpd_sasl_authenticated_header = yes

#Use Dovecot SASL
smtpd_sasl_type = dovecot

#Socket file used for Dovecot SASL
smtpd_sasl_path = private/auth

#Local domain (SASL realm) used for authentication
smtpd_sasl_local_domain = $mydomain


#Settings for connecting hosts
smtpd_client_restrictions = permit_mynetworks,
                            reject_rbl_client all.rbl.jp,
                            reject_rbl_client bl.spamcop.net,
                            reject_rbl_client zen.spamhaus.org,
                            reject_unknown_client,
                            permit

#Mail relay settings
smtpd_recipient_restrictions = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination


#Restrict the sender address given in the MAIL FROM command
smtpd_sender_restrictions = reject_unknown_sender_domain

#TLS settings
smtpd_use_tls = yes
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/DOMAIN/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/DOMAIN/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_scache


#Settings for hosting multiple domains
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual


#OP25B (Outbound Port 25 Blocking) workaround: relay outbound mail through the ISP's submission port
relayhost = [mail.so-net.ne.jp]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/isp_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login, plain


#Milter settings

#Return a temporary error when a milter fails (the default)
#milter_default_action =tempfail

#Accept the mail when a milter fails
#(note: while milter-manager is down, mail is then delivered without virus/spam scanning)
milter_default_action = accept
#smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_milters = unix:/var/run/milter-manager/milter-manager.sock
non_smtpd_milters = $smtpd_milters
milter_protocol = 6

#Pass the SMTP AUTH information to the milters
milter_mail_macros = {auth_author} {auth_type} {auth_authen}

#Wait up to 150 seconds for a milter application to respond
milter_command_timeout = 150


#Setting this to 1 switches delivery concurrency from per-domain to per-recipient.
smtp_destination_recipient_limit = 1


#Require the HELO (EHLO) command
smtpd_helo_required=yes

The certificate used in the TLS settings was created with Let's Encrypt.
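To verify that a main.cf actually carries the hardening settings discussed above (VRFY disabled, HELO required, no open relay, STARTTLS on, milters attached), here is an added example, not code from the original post: a small parser for Postfix's main.cf syntax (including continuation lines) plus an audit over the parsed parameters. The sample config embedded in it is constructed from the excerpt above with a placeholder host name.

```python
"""Audit a Postfix main.cf for the hardening settings used in this write-up.
Added example; not part of the original post. It only reads a config text,
so it runs offline and never talks to a mail server."""

# Constructed sample modelled on the main.cf above (placeholder host name).
SAMPLE_MAIN_CF = """\
myhostname = mail.example.test
disable_vrfy_command = yes
smtpd_helo_required=yes
smtpd_tls_security_level = may
milter_default_action = accept
smtpd_client_restrictions = permit_mynetworks,
                            reject_rbl_client zen.spamhaus.org,
                            reject_unknown_client,
                            permit
#smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_milters = unix:/var/run/milter-manager/milter-manager.sock
smtpd_recipient_restrictions = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination
"""


def parse_main_cf(text):
    """Parse main.cf into a dict. Postfix rules: 'name = value' per line,
    '#' lines are comments, a line starting with whitespace continues the
    previous value, and a later assignment overrides an earlier one."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not an assignment; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def restriction_list(value):
    """Split a comma-separated restriction list into its entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit(params):
    """Return a list of findings; an empty list means every check passed.
    Defaults mirror Postfix's own (VRFY on, HELO optional, TLS off,
    milter_default_action = tempfail)."""
    findings = []
    if params.get("disable_vrfy_command", "no") != "yes":
        findings.append("VRFY enabled: account harvesting possible, set disable_vrfy_command = yes")
    if params.get("smtpd_helo_required", "no") != "yes":
        findings.append("HELO/EHLO not required: set smtpd_helo_required = yes")
    # The write-up relies on reject_unauth_destination in the recipient
    # restrictions; accept it in smtpd_relay_restrictions as well.
    relay_guards = {"reject_unauth_destination", "defer_unauth_destination"}
    declared = set(restriction_list(params.get("smtpd_recipient_restrictions", "")))
    declared |= set(restriction_list(params.get("smtpd_relay_restrictions", "")))
    if not declared & relay_guards:
        findings.append("open relay risk: reject_unauth_destination missing")
    # smtpd_use_tls is the legacy knob; the security level is what matters.
    if params.get("smtpd_tls_security_level", "none") == "none":
        findings.append("STARTTLS disabled: set smtpd_tls_security_level = may")
    if params.get("milter_default_action", "tempfail") == "accept":
        findings.append("milter_default_action = accept: mail bypasses scanning while milters are down")
    if not params.get("smtpd_milters"):
        findings.append("no smtpd_milters configured: clamav/spamassassin never see inbound mail")
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_main_cf(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_MAIN_CF) or ["no findings"]:
        print("-", finding)
```

Run against the real file with `audit_text(open("/usr/local/etc/postfix/main.cf").read())`; on the configuration above the only finding is the deliberate `milter_default_action = accept` choice.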

⑳. Edit master.cf.

vi /usr/local/etc/postfix/master.cf

㉑. Change to the "after" settings.

■Before

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd

■After

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd

㉒. Edit Sendmail.conf.

vi /usr/local/lib/sasl2/Sendmail.conf

㉓. Change to the "after" settings.

■Before

pwcheck_method: saslauthd

■After

#pwcheck_method: saslauthd

pwcheck_method: auxprop

5. Installing dovecot

①. Install dovecot.

pkg install dovecot

②. Output from the installation.

[root@FreeBSD ]# pkg install dovecot
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        dovecot: 2.3.10_2

Number of packages to be installed: 1

The process will require 22 MiB more space.
4 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching dovecot-2.3.10_2.txz: 100%    4 MiB   4.2MB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing dovecot-2.3.10_2...
===> Creating groups.
Creating group 'dovecot' with gid '143'.
Creating group 'dovenull' with gid '144'.
===> Creating users
Creating user 'dovecot' with uid '143'.
Creating user 'dovenull' with uid '144'.
[1/1] Extracting dovecot-2.3.10_2: 100%
=====
Message from dovecot-2.3.10_2:

--
You must create the configuration files yourself. Copy them over
 to /usr/local/etc/dovecot and edit them as desired:

        cp -R /usr/local/etc/dovecot/example-config/* \
                /usr/local/etc/dovecot

 The default configuration includes IMAP and POP3 services, will
 authenticate users agains the system's passwd file, and will use
 the default /var/mail/$USER mbox files.

 Next, enable dovecot in /etc/rc.conf:

        dovecot_enable="YES"


 To avoid a risk of mailbox corruption, do not set the
 security.bsd.see_other_uids or .see_other_gids sysctls to 0
 if Dovecot is storing mail for multiple concurrent users (PR 218392).

 Similarly, setting sysctls security.bsd.hardlink_check_uid or
 security.bsd.hardlink_check_gid to 1 might result in non-working
 mailboxes, depending on what mailbox locking mechanism is used
 (PR 242223).

 If you want to be able to search within attachments using the
 decode2text plugin, you'll need to install textproc/catdoc, and
 one of graphics/xpdf or graphics/poppler-utils.


 There are some potentially breaking changes in Dovecot 2.3. If you
 are upgrading from Dovecot 2.2:

   * Read https://wiki2.dovecot.org/Upgrading/2.3
   * Merge the configuration file changes from
     /usr/local/etc/dovecot/examples-config/

③. Copy the example configuration.

cp -R /usr/local/etc/dovecot/example-config/* \
/usr/local/etc/dovecot

④. Edit dovecot.conf.

vi /usr/local/etc/dovecot/dovecot.conf

⑤. Set the following.

protocols = imap pop3
!include conf.d/*.conf
!include_try local.conf

⑥. Edit 10-auth.conf.

vi /usr/local/etc/dovecot/conf.d/10-auth.conf

⑦. Set the following.

disable_plaintext_auth = no
auth_mechanisms = plain login
!include auth-system.conf.ext

⑧. Edit 10-mail.conf.

vi /usr/local/etc/dovecot/conf.d/10-mail.conf

⑨. Set the following.

mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
}
protocol !indexer-worker {
}
mbox_write_locks = fcntl

⑩. Edit 10-ssl.conf.

vi /usr/local/etc/dovecot/conf.d/10-ssl.conf

⑪. Set the following.

ssl = yes
ssl_cert = </usr/local/etc/letsencrypt/live/DOMAIN/fullchain.pem
ssl_key = </usr/local/etc/letsencrypt/live/DOMAIN/privkey.pem

The certificate was created with Let's Encrypt.

⑫. Edit 10-master.conf.

vi /usr/local/etc/dovecot/conf.d/10-master.conf

⑬. Set the following.

service imap-login {
  # port = 0 disables the plaintext IMAP listener; only IMAPS stays open
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  # likewise, plaintext POP3 off, only POP3S
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service auth {
  # Postfix smtp-auth (matches smtpd_sasl_path = private/auth in main.cf)
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
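As an added example (not code from the original post), the following parser reads a 10-master.conf excerpt like the one above, reports any inet listener that is still reachable without TLS, and fails loudly on an unbalanced brace, which is the kind of slip that stops dovecot from starting. The embedded sample is constructed from the excerpt above; the default-port table is an assumption based on the standard IMAP/POP3 port numbers.

```python
"""Check a Dovecot 10-master.conf excerpt for listeners that still accept
plaintext connections. Added example; not part of the original post.
The parser handles Dovecot's nested 'name {' ... '}' blocks only, which is
all this excerpt uses."""

# Constructed sample mirroring the 10-master.conf excerpt above.
SAMPLE_MASTER_CONF = """\
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
"""

# Ports Dovecot uses when a listener gives no explicit 'port =' (assumed defaults).
DEFAULT_PORTS = {"imap": 143, "imaps": 993, "pop3": 110, "pop3s": 995}


def parse_blocks(text):
    """Parse brace-delimited config into nested dicts. A header such as
    'inet_listener imaps {' becomes the key 'inet_listener imaps'.
    Raises ValueError on unbalanced braces."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: '}' without an open block" % lineno)
            stack.pop()
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError("line %d: cannot parse %r" % (lineno, raw))
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("%d block(s) never closed" % (len(stack) - 1))
    return root


def plaintext_listeners(config):
    """Return names of inet listeners that are enabled but not TLS-wrapped.
    'port = 0' disables a listener; a missing port means the default port."""
    exposed = []
    for service_name, service in config.items():
        if not service_name.startswith("service "):
            continue
        for key, listener in service.items():
            if not key.startswith("inet_listener "):
                continue
            name = key.split(" ", 1)[1]
            port = int(listener.get("port", DEFAULT_PORTS.get(name, 0)))
            if port != 0 and listener.get("ssl", "no") != "yes":
                exposed.append(name)
    return exposed


def postfix_auth_socket(config):
    """Return the unix_listener settings Postfix's smtpd_sasl_path relies on,
    or None if the auth service does not export the socket."""
    auth = config.get("service auth", {})
    return auth.get("unix_listener /var/spool/postfix/private/auth")


if __name__ == "__main__":
    cfg = parse_blocks(SAMPLE_MASTER_CONF)
    print("plaintext listeners:", plaintext_listeners(cfg) or "none")
    print("postfix auth socket:", postfix_auth_socket(cfg))
```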

⑭. Configure dovecot to start at boot.

vi /etc/rc.conf

⑮. Set the following.

dovecot_enable="YES"

6. Installing spamass-milter, milter-greylist and milter-manager

①. Install spamass-milter, milter-greylist and milter-manager.

pkg install spamass-milter milter-greylist milter-manager

②. Output from the installation.

[root@FreeBSD ]# pkg install spamass-milter milter-greylist milter-manager
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 45 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        gnupg1: 1.4.23_2
        libev: 4.24,1
        libevent: 2.1.11
        libidn: 1.35
        libspf2: 1.2.10_2
        lua52: 5.2.4
        milter-greylist: 4.6.2_4
        milter-manager: 2.1.1_1
        opendkim: 2.10.3_11
        p5-Crypt-OpenSSL-Bignum: 0.09
        p5-Crypt-OpenSSL-RSA: 0.31
        p5-Crypt-OpenSSL-Random: 0.15
        p5-Digest-HMAC: 1.03_1
        p5-Encode-Detect: 1.01_1
        p5-Error: 0.17029
        p5-HTML-Parser: 3.72
        p5-HTML-Tagset: 3.20_1
        p5-HTTP-Date: 6.05
        p5-IO-Socket-INET6: 2.72_1
        p5-IO-Socket-SSL: 2.068
        p5-JSON: 2.97.001
        p5-Mail-AuthenticationResults: 1.20200331.1
        p5-Mail-DKIM: 0.58
        p5-Mail-SPF: 2.9.0_5
        p5-Mail-Tools: 2.19
        p5-Mozilla-CA: 20180117
        p5-Net-CIDR-Lite: 0.21_1
        p5-Net-DNS: 1.23,1
        p5-Net-DNS-Resolver-Mock: 1.20200215
        p5-Net-DNS-Resolver-Programmable: 0.009
        p5-Net-IDN-Encode: 2.500
        p5-Net-LibIDN: 0.12_5
        p5-Net-SSLeay: 1.88
        p5-NetAddr-IP: 4.079
        p5-Socket6: 0.29
        p5-TimeDate: 2.30_2,1
        p5-URI: 1.76
        re2c: 0.14.3
        ruby26-gems: 3.0.6
        rubygem-glib2: 3.4.1
        rubygem-native-package-installer: 1.0.9
        rubygem-pkg-config: 1.4.1
        spamass-milter: 0.4.0_4
        spamassassin: 3.4.4
        unbound: 1.10.0

Number of packages to be installed: 45

The process will require 39 MiB more space.
9 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/45] Fetching spamass-milter-0.4.0_4.txz: 100%   47 KiB  48.0kB/s    00:01
[2/45] Fetching milter-greylist-4.6.2_4.txz: 100%  120 KiB 122.6kB/s    00:01
[3/45] Fetching milter-manager-2.1.1_1.txz: 100%  889 KiB 910.7kB/s    00:01
[4/45] Fetching spamassassin-3.4.4.txz: 100%  972 KiB 995.6kB/s    00:01
[5/45] Fetching p5-HTTP-Date-6.05.txz: 100%   10 KiB  10.6kB/s    00:01
[6/45] Fetching p5-TimeDate-2.30_2,1.txz: 100%   33 KiB  33.8kB/s    00:01
[7/45] Fetching p5-HTML-Parser-3.72.txz: 100%   79 KiB  81.3kB/s    00:01
[8/45] Fetching p5-HTML-Tagset-3.20_1.txz: 100%   12 KiB  12.0kB/s    00:01
[9/45] Fetching p5-Net-IDN-Encode-2.500.txz: 100%   74 KiB  76.0kB/s    00:01
[10/45] Fetching p5-IO-Socket-SSL-2.068.txz: 100%  170 KiB 174.5kB/s    00:01
[11/45] Fetching p5-Mozilla-CA-20180117.txz: 100%  132 KiB 135.3kB/s    00:01
[12/45] Fetching p5-Net-SSLeay-1.88.txz: 100%  267 KiB 273.6kB/s    00:01
[13/45] Fetching p5-IO-Socket-INET6-2.72_1.txz: 100%   13 KiB  13.1kB/s    00:01
[14/45] Fetching p5-Socket6-0.29.txz: 100%   16 KiB  16.7kB/s    00:01
[15/45] Fetching p5-Crypt-OpenSSL-RSA-0.31.txz: 100%   26 KiB  27.1kB/s    00:01
[16/45] Fetching p5-Crypt-OpenSSL-Random-0.15.txz: 100%   14 KiB  14.5kB/s    00:01
[17/45] Fetching p5-Crypt-OpenSSL-Bignum-0.09.txz: 100%   28 KiB  28.4kB/s    00:01
[18/45] Fetching gnupg1-1.4.23_2.txz: 100%    1 MiB   1.1MB/s    00:01
[19/45] Fetching p5-URI-1.76.txz: 100%   76 KiB  78.3kB/s    00:01
[20/45] Fetching p5-Net-CIDR-Lite-0.21_1.txz: 100%   12 KiB  11.9kB/s    00:01
[21/45] Fetching p5-NetAddr-IP-4.079.txz: 100%   85 KiB  87.2kB/s    00:01
[22/45] Fetching p5-Mail-SPF-2.9.0_5.txz: 100%  123 KiB 125.9kB/s    00:01
[23/45] Fetching p5-Error-0.17029.txz: 100%   27 KiB  27.3kB/s    00:01
[24/45] Fetching p5-Net-DNS-Resolver-Programmable-0.009.txz: 100%   17 KiB  17.4kB/s    00:01
[25/45] Fetching p5-Net-DNS-1.23,1.txz: 100%  308 KiB 315.3kB/s    00:01
[26/45] Fetching p5-Digest-HMAC-1.03_1.txz: 100%   10 KiB  10.1kB/s    00:01
[27/45] Fetching p5-Mail-DKIM-0.58.txz: 100%  113 KiB 115.9kB/s    00:01
[28/45] Fetching p5-Mail-Tools-2.19.txz: 100%   75 KiB  76.7kB/s    00:01
[29/45] Fetching p5-Mail-AuthenticationResults-1.20200331.1.txz: 100%   44 KiB  45.5kB/s    00:01
[30/45] Fetching p5-JSON-2.97.001.txz: 100%   70 KiB  71.6kB/s    00:01
[31/45] Fetching p5-Net-DNS-Resolver-Mock-1.20200215.txz: 100%   11 KiB  10.9kB/s    00:01
[32/45] Fetching p5-Net-LibIDN-0.12_5.txz: 100%   17 KiB  17.0kB/s    00:01
[33/45] Fetching libidn-1.35.txz: 100%  216 KiB 221.3kB/s    00:01
[34/45] Fetching re2c-0.14.3.txz: 100%  163 KiB 166.8kB/s    00:01
[35/45] Fetching p5-Encode-Detect-1.01_1.txz: 100%   72 KiB  74.0kB/s    00:01
[36/45] Fetching opendkim-2.10.3_11.txz: 100%  312 KiB 320.0kB/s    00:01
[37/45] Fetching lua52-5.2.4.txz: 100%  174 KiB 178.4kB/s    00:01
[38/45] Fetching unbound-1.10.0.txz: 100%    2 MiB   2.0MB/s    00:01
[39/45] Fetching libevent-2.1.11.txz: 100%  319 KiB 326.9kB/s    00:01
[40/45] Fetching libspf2-1.2.10_2.txz: 100%  125 KiB 127.5kB/s    00:01
[41/45] Fetching rubygem-glib2-3.4.1.txz: 100%  150 KiB 154.0kB/s    00:01
[42/45] Fetching rubygem-pkg-config-1.4.1.txz: 100%   17 KiB  17.9kB/s    00:01
[43/45] Fetching ruby26-gems-3.0.6.txz: 100%  401 KiB 410.3kB/s    00:01
[44/45] Fetching rubygem-native-package-installer-1.0.9.txz: 100%   19 KiB  19.6kB/s    00:01
[45/45] Fetching libev-4.24,1.txz: 100%  110 KiB 112.9kB/s    00:01
Checking integrity... done (0 conflicting)
[1/45] Installing p5-Digest-HMAC-1.03_1...
[1/45] Extracting p5-Digest-HMAC-1.03_1: 100%
[2/45] Installing p5-TimeDate-2.30_2,1...
[2/45] Extracting p5-TimeDate-2.30_2,1: 100%
[3/45] Installing p5-Socket6-0.29...
[3/45] Extracting p5-Socket6-0.29: 100%
[4/45] Installing p5-Crypt-OpenSSL-Random-0.15...
[4/45] Extracting p5-Crypt-OpenSSL-Random-0.15: 100%
[5/45] Installing p5-Crypt-OpenSSL-Bignum-0.09...
[5/45] Extracting p5-Crypt-OpenSSL-Bignum-0.09: 100%
[6/45] Installing p5-Net-DNS-1.23,1...
[6/45] Extracting p5-Net-DNS-1.23,1: 100%
[7/45] Installing p5-JSON-2.97.001...
[7/45] Extracting p5-JSON-2.97.001: 100%
[8/45] Installing p5-HTML-Tagset-3.20_1...
[8/45] Extracting p5-HTML-Tagset-3.20_1: 100%
[9/45] Installing p5-Mozilla-CA-20180117...
[9/45] Extracting p5-Mozilla-CA-20180117: 100%
[10/45] Installing p5-Net-SSLeay-1.88...
[10/45] Extracting p5-Net-SSLeay-1.88: 100%
[11/45] Installing p5-IO-Socket-INET6-2.72_1...
[11/45] Extracting p5-IO-Socket-INET6-2.72_1: 100%
[12/45] Installing p5-Crypt-OpenSSL-RSA-0.31...
[12/45] Extracting p5-Crypt-OpenSSL-RSA-0.31: 100%
[13/45] Installing p5-URI-1.76...
[13/45] Extracting p5-URI-1.76: 100%
[14/45] Installing p5-NetAddr-IP-4.079...
[14/45] Extracting p5-NetAddr-IP-4.079: 100%
[15/45] Installing p5-Error-0.17029...
[15/45] Extracting p5-Error-0.17029: 100%
[16/45] Installing p5-Net-DNS-Resolver-Programmable-0.009...
[16/45] Extracting p5-Net-DNS-Resolver-Programmable-0.009: 100%
[17/45] Installing p5-Mail-Tools-2.19...
[17/45] Extracting p5-Mail-Tools-2.19: 100%
[18/45] Installing p5-Mail-AuthenticationResults-1.20200331.1...
[18/45] Extracting p5-Mail-AuthenticationResults-1.20200331.1: 100%
[19/45] Installing p5-Net-DNS-Resolver-Mock-1.20200215...
[19/45] Extracting p5-Net-DNS-Resolver-Mock-1.20200215: 100%
[20/45] Installing libidn-1.35...
[20/45] Extracting libidn-1.35: 100%
[21/45] Installing libevent-2.1.11...
[21/45] Extracting libevent-2.1.11: 100%
[22/45] Installing ruby26-gems-3.0.6...
[22/45] Extracting ruby26-gems-3.0.6: 100%
[23/45] Installing p5-HTTP-Date-6.05...
[23/45] Extracting p5-HTTP-Date-6.05: 100%
[24/45] Installing p5-HTML-Parser-3.72...
[24/45] Extracting p5-HTML-Parser-3.72: 100%
[25/45] Installing p5-Net-IDN-Encode-2.500...
[25/45] Extracting p5-Net-IDN-Encode-2.500: 100%
[26/45] Installing p5-IO-Socket-SSL-2.068...
[26/45] Extracting p5-IO-Socket-SSL-2.068: 100%
[27/45] Installing gnupg1-1.4.23_2...
[27/45] Extracting gnupg1-1.4.23_2: 100%
[28/45] Installing p5-Net-CIDR-Lite-0.21_1...
[28/45] Extracting p5-Net-CIDR-Lite-0.21_1: 100%
[29/45] Installing p5-Mail-SPF-2.9.0_5...
[29/45] Extracting p5-Mail-SPF-2.9.0_5: 100%
[30/45] Installing p5-Mail-DKIM-0.58...
[30/45] Extracting p5-Mail-DKIM-0.58: 100%
[31/45] Installing p5-Net-LibIDN-0.12_5...
[31/45] Extracting p5-Net-LibIDN-0.12_5: 100%
[32/45] Installing re2c-0.14.3...
[32/45] Extracting re2c-0.14.3: 100%
[33/45] Installing p5-Encode-Detect-1.01_1...
[33/45] Extracting p5-Encode-Detect-1.01_1: 100%
[34/45] Installing lua52-5.2.4...
[34/45] Extracting lua52-5.2.4: 100%
[35/45] Installing unbound-1.10.0...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[35/45] Extracting unbound-1.10.0: 100%
[36/45] Installing rubygem-pkg-config-1.4.1...
[36/45] Extracting rubygem-pkg-config-1.4.1: 100%
[37/45] Installing rubygem-native-package-installer-1.0.9...
[37/45] Extracting rubygem-native-package-installer-1.0.9: 100%
[38/45] Installing spamassassin-3.4.4...
===> Creating groups.
Creating group 'spamd' with gid '58'.
===> Creating users
Creating user 'spamd' with uid '58'.
[38/45] Extracting spamassassin-3.4.4: 100%
[39/45] Installing opendkim-2.10.3_11...
[39/45] Extracting opendkim-2.10.3_11: 100%
[40/45] Installing libspf2-1.2.10_2...
[40/45] Extracting libspf2-1.2.10_2: 100%
[41/45] Installing rubygem-glib2-3.4.1...
[41/45] Extracting rubygem-glib2-3.4.1: 100%
[42/45] Installing libev-4.24,1...
[42/45] Extracting libev-4.24,1: 100%
[43/45] Installing spamass-milter-0.4.0_4...
[43/45] Extracting spamass-milter-0.4.0_4: 100%
[44/45] Installing milter-greylist-4.6.2_4...
[44/45] Extracting milter-greylist-4.6.2_4: 100%
[45/45] Installing milter-manager-2.1.1_1...
[45/45] Extracting milter-manager-2.1.1_1: 100%
=====
Message from spamassassin-3.4.4:

--
You should complete the following post-installation tasks:

        1) Read /usr/local/share/doc/spamassassin/INSTALL
           and /usr/local/share/doc/spamassassin/UPGRADE
           BEFORE enabling SpamAssassin for important changes

        2) Edit the configuration in /usr/local/etc/mail/spamassassin,
           in particular /usr/local/etc/mail/spamassassin/init.pre
           You may get lots of annoying (but harmless) error messages
           if you skip this step.

        3) To run spamd, add the following to /etc/rc.conf:
           spamd_enable="YES"

        4) If this is a new installation, you should run sa-update
           and sa-compile. If this isn't a new installation, you
           should probably run those commands on a regular basis
           anyway.

        5) Install mail/spamass-rules if you want some third-party
           spam-catching rulesets

SECURITY NOTE:
By default, spamd runs as root (the AS_ROOT option). If you wish
to change this, add the following to /etc/rc.conf:

        spamd_flags="-u spamd -H /var/spool/spamd"
=====
Message from opendkim-2.10.3_11:

--
In order to run this port, write your opendkim.conf and:

if you use sendmail, add the milter socket `socketspec' in
/etc/mail/<your_configuration>.mc:

INPUT_MAIL_FILTER(`dkim-filter', `S=_YOUR_SOCKET_SPEC_, F=T, T=R:2m')

or if you use postfix write your milter socket `socketspec' in
/usr/local/etc/postfix/main.cf:

smtpd_milters = _YOUR_SOCKET_SPEC_


And to run the milter from startup, add milteropendkim_enable="YES" in
your /etc/rc.conf.
Extra options can be found in startup script.

Note: milter sockets must be accessible from postfix/smtpd;
  using inet sockets might be preferred.
=====
Message from spamass-milter-0.4.0_4:

--
spamass-milter has been installed, but it must be activated manually.
Please refer to...

  /usr/local/share/doc/spamass-milter/activation.txt

...for details.

You may also want to tweak your spamd rc.subr(8) startup flags to
specify a username to switch credentials to when delivering mail, if
applicable.
=====
Message from milter-greylist-4.6.2_4:

--
A sample configuration file has been installed in /usr/local/etc/mail
    directory. Copy and edit it to suit your needs before launching
    milter-greylist.

    Add following lines

dnl j,{if_addr},{cert_subject},i,{auth_authen} are already enabled by default
define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO``, {verify}'')
define(`confMILTER_MACROS_ENVRCPT', confMILTER_MACROS_ENVRCPT``, {greylist}'')
INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock, F=T, T=R:30s')

    to your /etc/mail/<your_host>.mc configuration.

    To run milter-greylist from startup, add miltergreylist_enable="YES"
    in your /etc/rc.conf or your /etc/rc.conf.local

    See /usr/local/share/doc/milter-greylist/README for operation details.
=====
Message from milter-manager-2.1.1_1:

--
===>   NOTICE:

The milter-manager port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port

spamass-milter configuration

①. Enable the SpamAssassin plugin.

vi /usr/local/etc/mail/spamassassin/v310.pre

②. Change the line from "Before" to "After" as shown below.

■Before

#loadplugin Mail::SpamAssassin::Plugin::TextCat

■After

loadplugin Mail::SpamAssassin::Plugin::TextCat

③. Edit local.cf.

vi /usr/local/etc/mail/spamassassin/local.cf

④. Set the following contents.

remove_header ham Status
remove_header ham Level
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif

⑤. Enable spamd to start at boot.

vi /etc/rc.conf

⑥. Add the following.

spamd_enable="YES"

⑦. Update the SpamAssassin rule files.

sa-update

⑧. Start sa-spamd.

service sa-spamd start

⑨. Create the spamass-milter directory.

mkdir /var/run/spamass-milter/
chown spamd:spamd /var/run/spamass-milter

⑩. Enable spamass_milter to start at boot.

vi /etc/rc.conf

⑪. Add the following.

spamass_milter_enable="YES"
spamass_milter_user="spamd"
spamass_milter_group="spamd"
spamass_milter_socket="/var/run/spamass-milter/spamass-milter.sock"
spamass_milter_socket_owner="spamd"
spamass_milter_socket_group="mail"
spamass_milter_socket_mode="660"
spamass_milter_localflags="-u spamd -- -u spamd"

⑫. Start spamass-milter.

service spamass-milter start
Starting spamass_milter.

clamav_milter configuration

①. Add the startup settings for clamav_milter.

vi /etc/rc.conf

②. Add the following.

clamav_milter_socket_mode="660"
clamav_milter_socket_group="mail"

③. Start clamav-milter.

service clamav-milter start

Starting clamav_milter.
Waiting for clamav-milter socket..
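
Both spamass-milter and clamav-milter are reached over UNIX sockets, and the rc.conf entries above give those sockets mode 660 with group mail, so only the milter's own user and members of the mail group can connect; a socket that is world-writable would let any local user feed the scanner, while a wrong group makes Postfix's connection fail silently with a fallback "accept". The script below is an added example, not part of the original post: it checks a socket against exactly that expectation by parsing ls(1) output (so it behaves the same on FreeBSD and Linux). The socket paths are the ones configured on this page, and the "mail" group default is an assumption taken from the rc.conf entries above.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a milter socket
# is reachable by Postfix (group "mail", mode 660, as set in rc.conf and
# greylist.conf on this page) but not by any other local user.

# socket_perms_ok PATH [GROUP]
# Returns 0 when PATH exists, belongs to GROUP (default: mail) and has
# permissions rw-rw---- (owner and group may connect, nobody else).
socket_perms_ok() {
    path=$1
    want_group=${2:-mail}
    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    # ls -ld prints: mode links owner group size date... name
    set -- $(ls -ld "$path")
    perms=$(printf '%s' "$1" | cut -c2-10)   # drop the type char, keep the 9 permission bits
    group=$4
    if [ "$perms" != "rw-rw----" ]; then
        echo "$path: mode is $perms, want rw-rw----" >&2
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$path: group is $group, want $want_group" >&2
        return 1
    fi
    return 0
}

# check_all_milter_sockets
# Walks the sockets configured on this page. spamass-milter, clamav-milter
# and milter-greylist are set to group "mail" on the page; the page does not
# set a group for the opendkim socket, so adjust that entry to your setup.
check_all_milter_sockets() {
    rc=0
    for sock in /var/run/spamass-milter/spamass-milter.sock \
                /var/run/clamav/clmilter.sock \
                /var/milter-greylist/milter-greylist.sock \
                /var/run/milteropendkim/socket; do
        socket_perms_ok "$sock" mail || rc=1
    done
    return $rc
}

# Run the full check only when invoked as: sh check-milter-sockets.sh --check
if [ "${1:-}" = "--check" ]; then
    check_all_milter_sockets
fi
```

Run it with `--check` after every `service ... start` on this page; a non-zero exit status names the socket and the mismatch, which is quicker than reading the Postfix log for a milter connection error.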

milter-greylist configuration

①. Edit greylist.conf.

vi /usr/local/etc/mail/greylist.conf

②. Set the following contents.

pidfile "/var/run/milter-greylist.pid"
socket "/var/milter-greylist/milter-greylist.sock" 660
dumpfile "/var/milter-greylist/greylist.db" 600
dumpfreq 1
user "mailnull:mail"
subnetmatch /24
quiet
list "my network" addr { \
        127.0.0.1/8      \
        10.0.0.0/8       \
        172.16.0.0/12    \
        192.168.0.0/24   \
}
list "broken mta" addr {   \
	12.5.136.141/32    \ # Southwest Airlines (unique sender)
	12.5.136.142/32    \ # Southwest Airlines
	12.5.136.143/32    \ # Southwest Airlines
	12.5.136.144/32    \ # Southwest Airlines
	12.107.209.244/32  \ # kernel.org (unique sender)
	12.107.209.250/32  \ # sourceware.org (unique sender)
	63.82.37.110/32    \ # SLmail
	63.169.44.143/32   \ # Southwest Airlines
	63.169.44.144/32   \ # Southwest Airlines
	64.7.153.18/32     \ # sentex.ca (common pool)
	64.12.136.0/24     \ # AOL (common pool)
	64.12.137.0/24     \ # AOL
	64.12.138.0/24     \ # AOL
	64.124.204.39      \ # moveon.org (unique sender)
	64.125.132.254/32  \ # collab.net (unique sender)
	64.233.160.0/19    \ # Google
	66.94.237.16/28    \ # Yahoo Groups servers (common pool)
	66.94.237.32/28    \ # Yahoo Groups servers (common pool)
	66.94.237.48/30    \ # Yahoo Groups servers (common pool)
	66.100.210.82/32   \ # Groupwise?
	66.135.192.0/19    \ # Ebay
	66.162.216.166/32  \ # Groupwise?
	66.206.22.82/32    \ # Plexor
	66.206.22.83/32    \ # Plexor
	66.206.22.84/32    \ # Plexor
	66.206.22.85/32    \ # Plexor
	66.218.66.0/23     \ # Yahoo Groups servers (common pool)
	66.218.67.0/23     \ # Yahoo Groups servers (common pool)
	66.218.68.0/23     \ # Yahoo Groups servers (common pool)
	66.218.69.0/23     \ # Yahoo Groups servers (common pool)
	66.27.51.218/32    \ # ljbtc.com (Groupwise)
	66.102.0.0/20      \ # Google
	66.249.80.0/20     \ # Google
	72.14.192.0/18     \ # Google
	74.125.0.0/16	   \ # Google
	152.163.225.0/24   \ # AOL
	194.245.101.88/32  \ # Joker.com
	195.235.39.19/32   \ # Tid InfoMail Exchanger v2.20
	195.238.2.0/24     \ # skynet.be (wierd retry pattern, common pool)
	195.238.3.0/24     \ # skynet.be
	195.46.220.208/32  \ # mgn.net
	195.46.220.209/32  \ # mgn.net
	195.46.220.210/32  \ # mgn.net
	195.46.220.211/32  \ # mgn.net
	195.46.220.221/32  \ # mgn.net
	195.46.220.222/32  \ # mgn.net
	195.238.2.0/24     \ # skynet.be (wierd retry pattern)
	195.238.3.0/24     \ # skynet.be
	204.107.120.10/32  \ # Ameritrade (no retry)
	205.188.0.0/16     \ # AOL
	205.206.231.0/24   \ # SecurityFocus.com (unique sender)
	207.115.63.0/24    \ # Prodigy - retries continually
	207.171.168.0/24   \ # Amazon.com
	207.171.180.0/24   \ # Amazon.com
	207.171.187.0/24   \ # Amazon.com
	207.171.188.0/24   \ # Amazon.com
	207.171.190.0/24   \ # Amazon.com
	209.132.176.174/32 \ # sourceware.org mailing lists (unique sender)
	209.85.128.0/17    \ # Google
	211.29.132.0/24    \ # optusnet.com.au (wierd retry pattern)
	213.136.52.31/32   \ # Mysql.com (unique sender)
	216.33.244.0/24    \ # Ebay
	216.239.32.0/19    \ # Google
	217.158.50.178/32  \ # AXKit mailing list (unique sender)
}
racl continue from /.*/ addheader "X-Greylist: inspected by %V for IP:'%i' DOMAIN:'%d' HELO:'%h' FROM:'%f' RCPT:'%r'"
racl whitelist list "my network"
racl whitelist list "broken mta"
racl whitelist tarpit 125s
racl greylist default

③. Configure milter-greylist to start at boot.

vi /etc/rc.conf

④. Add the following.

miltergreylist_enable="YES"
miltergreylist_runas="mailnull:mail"

⑤. Start milter-greylist.

service milter-greylist start
Starting miltergreylist.
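
The "my network" list skips greylisting for connections from the listed prefixes, and subnetmatch /24 means a retry from any host in the same /24 as the original attempt is accepted as the same sender (large senders retry from different hosts in one pool). The script below is an added example rather than part of the original post: it reproduces both matching rules in POSIX sh so the whitelist can be tested against a given client address. The whitelist string is copied from the greylist.conf above; the 64-bit shell arithmetic it relies on is an assumption, and an entry without a prefix length is treated as a single host. Note that 192.168.0.0/24 covers only 192.168.0.x, so a mail client on 192.168.1.x would still be greylisted, and that 127.0.0.1/8 is applied with its host bits masked off, that is, as 127.0.0.0/8.

```shell
#!/bin/sh
# Added example, not part of the original post: evaluate a connecting IPv4
# address against the "my network" whitelist from greylist.conf above and
# compute the key that "subnetmatch /24" makes milter-greylist use for the
# greylist tuple. Pure POSIX sh arithmetic (64-bit shells assumed).

# ip2int A.B.C.D -> the address as an unsigned 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask LEN -> netmask for a /LEN prefix (0..32) as an integer
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# ipv4_in_cidr IP NET/LEN -> 0 if IP is inside the prefix, 1 otherwise.
# An entry without "/LEN" (the sample config has "64.124.204.39") is
# treated as a single host here.
ipv4_in_cidr() {
    ip=$(ip2int "$1")
    net=${2%/*}
    plen=${2#*/}
    if [ "$plen" = "$2" ]; then
        plen=32
    fi
    mask=$(prefix_mask "$plen")
    [ $(( ip & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# subnet_key IP LEN -> network address used to match retries when
# "subnetmatch /LEN" is set; the page uses /24, so a retry from any host
# in the same /24 as the first attempt counts as the same sender.
subnet_key() {
    int2ip $(( $(ip2int "$1") & $(prefix_mask "$2") ))
}

# Whitelist copied from the "my network" list in greylist.conf above.
# 192.168.0.0/24 covers only 192.168.0.x; widen it if your LAN is larger.
MY_NETWORK="127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/24"

# whitelisted IP -> 0 if any "my network" entry contains IP
whitelisted() {
    for cidr in $MY_NETWORK; do
        if ipv4_in_cidr "$1" "$cidr"; then
            return 0
        fi
    done
    return 1
}

# Usage: sh greylist-check.sh 192.168.1.25
if [ -n "${1:-}" ]; then
    if whitelisted "$1"; then
        echo "$1: whitelisted, greylisting skipped"
    else
        echo "$1: not whitelisted, greylist key $(subnet_key "$1" 24)"
    fi
fi
```

The same `ipv4_in_cidr` function can be pointed at the "broken mta" list to see which large senders bypass greylisting; every address there is an explicit trust decision, so review it before copying the sample list verbatim.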

milter-opendkim configuration

①. Edit opendkim.conf.

vi /usr/local/etc/mail/opendkim.conf

②. Set the following contents (ドメイン名 is a placeholder for your domain name).

Canonicalization       simple/simple
Domain                 ドメイン名
KeyFile                /var/db/dkim/ドメイン名.private
LogWhy                 yes
Mode                   sv
ReportAddress          "DKIM Error Postmaster" <postmaster@ドメイン名>
Selector               ドメイン名
SendReports            yes
Socket                 local:/var/run/milteropendkim/socket
SubDomains             yes
Syslog                 yes
SyslogSuccess          yes
UMask                  022

③. Create the key storage directory.

mkdir /var/db/dkim
chmod 700 /var/db/dkim

④. Generate the signing key files.

opendkim-genkey -D /var/db/dkim -d ドメイン名 -s ドメイン名

⑤. Set the ownership.

chown -R mailnull:mailnull /var/db/dkim

⑥. Confirm that the key files have been created.

[root@FreeBSD ~]# ls -l /var/db/dkim
合計 8K
-rw------- 1 mailnull mailnull 887  4月 30 00:28 ドメイン名.private
-rw------- 1 mailnull mailnull 323  4月 30 00:28 ドメイン名.txt

⑦. Configure milter-opendkim to start at boot.

vi /etc/rc.conf

⑧. Add the following.

milteropendkim_enable="YES"

⑨. Start milter-opendkim.

service milter-opendkim start
Starting milteropendkim.
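
opendkim-genkey writes two files: the private key that KeyFile points at, and a .txt file holding the DNS TXT record that must be published at <selector>._domainkey.<domain> (here the selector is the domain name itself) before any receiver can verify the signatures made in Mode sv; until that record is live, outbound mail is signed but verifies as failed. The script below is an added example that is not part of the original post: it extracts the record from the .txt file and compares it with what DNS returns. The sample file is constructed to mimic opendkim-genkey's layout with placeholder key material, not a real key, and the dig +short invocation in the usage comment assumes the dns/bind-tools port is installed.

```shell
#!/bin/sh
# Added example, not part of the original post: turn the selector.txt file
# that opendkim-genkey writes next to the private key into the single TXT
# value that has to be published in DNS, and compare it with a DNS answer.
# The sample file below is constructed; the key material is a placeholder.

SAMPLE_TXT=$(mktemp)
cat > "$SAMPLE_TXT" <<'EOF'
example.com._domainkey IN TXT ( "v=DKIM1; k=rsa; "
   "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQEXAMPLEKEYONLYNOTREAL" )  ; ----- DKIM key example.com for example.com
EOF

# dkim_txt_value FILE -> every double-quoted chunk in FILE, concatenated in
# order (this is how a multi-string TXT record is read back by resolvers).
dkim_txt_value() {
    awk '{
        line = $0
        while (match(line, /"[^"]*"/)) {
            out = out substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { print out }' "$1"
}

# dkim_record_name FILE DOMAIN -> fully qualified owner name of the record,
# taken from the first field of the file (selector._domainkey).
dkim_record_name() {
    printf '%s.%s\n' "$(awk 'NR == 1 { print $1; exit }' "$1")" "$2"
}

# dkim_param RECORD TAG -> value of TAG (v, k, p ...) inside RECORD
dkim_param() {
    printf '%s' "$1" | tr -d ' \t"' | tr ';' '\n' | sed -n "s/^$2=//p"
}

# dkim_same_record A B -> 0 when A and B carry the same tags, ignoring the
# whitespace and quoting differences between the file and a DNS answer.
dkim_same_record() {
    [ "$(printf '%s' "$1" | tr -d ' \t"')" = "$(printf '%s' "$2" | tr -d ' \t"')" ]
}

# Usage on the mail host, with the layout used on this page (/var/db/dkim,
# selector equal to the domain name; DOMAIN stands for your domain):
#   published=$(dig +short TXT "$(dkim_record_name /var/db/dkim/DOMAIN.txt DOMAIN)")
#   dkim_same_record "$(dkim_txt_value /var/db/dkim/DOMAIN.txt)" "$published" \
#       && echo "DNS matches the key file"
```

`dkim_param RECORD p` isolates the public key so it can be compared on its own when the DNS operator has reformatted the other tags; a mismatch there is the usual cause of "bad signature" reports from receivers after a key rotation.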

milter-manager configuration

①. Create the directory.

mkdir -p /var/run/milter-manager

②. Configure milter-manager to start at boot.

vi /etc/rc.conf

③. Add the following.

miltermanager_enable="YES"
#miltermanager_debug="YES"

Setting miltermanager_debug makes milter-manager write detailed logs.

④. Start milter-manager.

service milter-manager start
Starting miltermanager.

⑤. Check the milter-manager configuration.

milter-manager -u milter-manager --show-config

⑥. Confirm that the output looks like the following.

[root@~]# milter-manager -u milter-manager --show-config
failed to find password entry for effective user: milter-manager
# default
package.platform = "ホスト名"
# default
package.options = nil

# /usr/local/etc/milter-manager/defaults/ホスト名.conf:3
security.privilege_mode = true
# default
security.effective_user = "milter-manager"
# default
security.effective_group = nil

# default
log.level = "default"
# default
log.path = nil
# default
log.use_syslog = true
# default
log.syslog_facility = "mail"

# default
manager.connection_spec = "unix:/var/run/milter-manager/milter-manager.sock"
# default
manager.unix_socket_mode = 0660
# default
manager.unix_socket_group = nil
# default
manager.remove_unix_socket_on_create = true
# default
manager.remove_unix_socket_on_close = true
# default
manager.daemon = false
# default
manager.pid_file = nil
# default
manager.maintenance_interval = 10
# default
manager.suspend_time_on_unacceptable = 5
# default
manager.max_connections = 0
# default
manager.max_file_descriptors = 0
# default
manager.custom_configuration_directory = nil
# default
manager.fallback_status = "accept"
# default
manager.fallback_status_at_disconnect = "temporary-failure"
# default
manager.event_loop_backend = "glib"
# default
manager.n_workers = 0
# default
manager.packet_buffer_size = 0
# default
manager.connection_check_interval = 0
# default
manager.chunk_size = 65535
# default
manager.max_pending_finished_sessions = 0

# default
controller.connection_spec = nil
# default
controller.unix_socket_mode = 0660
# default
controller.unix_socket_group = nil
# default
controller.remove_unix_socket_on_create = true
# default
controller.remove_unix_socket_on_close = true

# default
database.type = nil
# default
database.name = nil
# default
database.host = nil
# default
database.port = nil
# default
database.path = nil
# default
database.user = nil
# default
database.password = nil

# /usr/local/etc/milter-manager/applicable-conditions/dnsbl.conf:99
define_applicable_condition("DNSBL Listed") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/dnsbl.conf:100
  condition.description = "Apply a milter only when connected host is listed in DNS-based Blackhole List"
end

# /usr/local/etc/milter-manager/applicable-conditions/dnsbl.conf:109
define_applicable_condition("Not DNSBL Listed") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/dnsbl.conf:110
  condition.description = "Apply a milter only when connected host is not listed in DNS-based Blackhole List"
end

# /usr/local/etc/milter-manager/applicable-conditions/remote-network.conf:25
define_applicable_condition("Remote Network") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/remote-network.conf:26
  condition.description = "Apply milter only if connected from remote network"
end

# /usr/local/etc/milter-manager/applicable-conditions/s25r.conf:70
define_applicable_condition("S25R") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/s25r.conf:71
  condition.description = "Selective SMTP Rejection"
end

# /usr/local/etc/milter-manager/applicable-conditions/sendmail-compatible.conf:5
define_applicable_condition("Sendmail Compatible") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/sendmail-compatible.conf:6
  condition.description = "Make a milter depends on Sendmail workable with Postfix"
end

# /usr/local/etc/milter-manager/applicable-conditions/stress.conf:25
define_applicable_condition("Stress Notify") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/stress.conf:26
  condition.description = "Define stress=yes macro when stress situation"
end

# /usr/local/etc/milter-manager/applicable-conditions/stress.conf:34
define_applicable_condition("No Stress") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/stress.conf:35
  condition.description = "Apply milter only when normal condition"
end

# /usr/local/etc/milter-manager/applicable-conditions/trust.conf:87
define_applicable_condition("Trust") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/trust.conf:88
  condition.description = "Set {trusted_*}=yes macros for trusted session"
end

# /usr/local/etc/milter-manager/applicable-conditions/authentication.conf:3
define_applicable_condition("Authenticated") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/authentication.conf:4
  condition.description = "Apply a milter only when sender is authorized"
end

# /usr/local/etc/milter-manager/applicable-conditions/authentication.conf:11
define_applicable_condition("Unauthenticated") do |condition|
  # /usr/local/etc/milter-manager/applicable-conditions/authentication.conf:12
  condition.description = "Apply a milter only when sender is not authorized"
end

# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-greylist") do |milter|
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "unix:/var/milter-greylist/milter-greylist.sock"
  # default
  milter.description = nil
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"
  # default
  milter.evaluation_mode = false
  milter.applicable_conditions = [
    # default
    "Sendmail Compatible",
    # default
    "Stress Notify",
    # default
    "Trust",
    # default
    "Remote Network",
    # default
    "S25R",
    # default
    "Unauthenticated",
  ]
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:39
  milter.command = "/usr/local/etc/rc.d/milter-greylist"
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:40
  milter.command_options = "start"
  # default
  milter.user_name = nil
  # default
  milter.connection_timeout = 297.0
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/milter-greylist-config-parser.rb:60
  milter.writing_timeout = 132.0
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/milter-greylist-config-parser.rb:61
  milter.reading_timeout = 132.0
  # default
  milter.end_of_message_timeout = 297.0
end

# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("clamav-milter") do |milter|
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "unix:/var/run/clamav/clmilter.sock"
  # default
  milter.description = nil
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"
  # default
  milter.evaluation_mode = false
  # default
  milter.applicable_conditions = []
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:39
  milter.command = "/usr/local/etc/rc.d/clamav-milter"
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:40
  milter.command_options = "start"
  # default
  milter.user_name = nil
  # default
  milter.connection_timeout = 297.0
  # default
  milter.writing_timeout = 7.0
  # default
  milter.reading_timeout = 7.0
  # default
  milter.end_of_message_timeout = 297.0
end

# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-opendkim") do |milter|
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "local:/var/run/milteropendkim/socket"
  # default
  milter.description = nil
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"
  # default
  milter.evaluation_mode = false
  # default
  milter.applicable_conditions = []
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:39
  milter.command = "/usr/local/etc/rc.d/milter-opendkim"
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:40
  milter.command_options = "start"
  # default
  milter.user_name = nil
  # default
  milter.connection_timeout = 297.0
  # default
  milter.writing_timeout = 7.0
  # default
  milter.reading_timeout = 7.0
  # default
  milter.end_of_message_timeout = 297.0
end

# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("spamass-milter") do |milter|
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "unix:/var/run/spamass-milter/spamass-milter.sock"
  # default
  milter.description = nil
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"
  # default
  milter.evaluation_mode = false
  milter.applicable_conditions = [
    # default
    "Remote Network",
    # default
    "Unauthenticated",
    # default
    "No Stress",
  ]
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:39
  milter.command = "/usr/local/etc/rc.d/spamass-milter"
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:40
  milter.command_options = "start"
  # default
  milter.user_name = nil
  # default
  milter.connection_timeout = 297.0
  # default
  milter.writing_timeout = 7.0
  # default
  milter.reading_timeout = 7.0
  # default
  milter.end_of_message_timeout = 297.0
end

⑦. Confirm that "milter.enabled = true" is shown.

■milter-greylist

# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-greylist") do |milter|
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "unix:/var/milter-greylist/milter-greylist.sock"
  # default
  milter.description = nil
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"

■clamav-milter

# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("clamav-milter") do |milter|
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "unix:/var/run/clamav/clmilter.sock"
  # default
  milter.description = nil
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"

■milter-opendkim

# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-opendkim") do |milter|
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "local:/var/run/milteropendkim/socket"
  # default
  milter.description = nil
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"

■spamass-milter

# /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("spamass-milter") do |milter|
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "unix:/var/run/spamass-milter/spamass-milter.sock"
  # default
  milter.description = nil
  # /usr/local/lib/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"

This must be checked for every milter.

⑧. Test that milter-manager is working.

milter-test-server -s unix:/var/run/milter-manager/milter-manager.sock

⑨. Confirm that the output looks like the following.

status: accept
elapsed-time: 0.246534 seconds

7.Blacklistd configuration

①. Edit blacklistd.conf.

vi /etc/blacklistd.conf

②. Add the following.

smtp            stream  *       *               *       3       24h
smtps           stream  *       *               *       3       24h
submission      stream  *       *               *       3       24h
imap            stream  *       *               *       3       24h
imaps           stream  *       *               *       3       24h
pop3            stream  *       *               *       3       24h
pop3s           stream  *       *               *       3       24h

③. Restart blacklistd.

service blacklistd restart
Waiting for PIDS: xxxx.
Starting blacklistd.