Subject: Re: Junk mail and virus filtering on netbsd mailserver
To: Scott R. Burns <Scott.Burns@Netcontech.Com>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: netbsd-help
Date: 08/25/2003 10:57:30
Martti Kuparinen wrote:
[Few updates to my original text]
> This is what I have:
>
> - postfix with pcre support
> - spamassassin
> - procmail
- cyrus with IPv6 support for POP3 and IMAP
>
> Feel free to ask me more.
>
> Martti
>
>
> Install the software
> ====================
>
> # cd /usr/pkgsrc/mail/spamassassin
> # make install clean clean-depends
>
> # cd /usr/pkgsrc/mail/procmail
> # make install clean clean-depends
# echo CYRUS_USE_INET6=YES >> /etc/mk.conf
# cd /usr/pkgsrc/mail/cyrus-imapd21
# make install clean clean-depends
> # echo POSTFIX_USE_PCRE=YES >> /etc/mk.conf
> # cd /usr/pkgsrc/mail/postfix
> # make install clean clean-depends
>
> Configure the software
> ======================
>
> ## Disable all incoming mails with dangerous attachments
> # cat > /usr/pkg/etc/postfix/body_checks << EOF
> #
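> # Block mails with the following attachments:
> #
> # bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh]
> #
> # Each /pattern/ and its REJECT action form one table entry: keep them on
> # one line, or indent the REJECT line so Postfix reads it as a continuation.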
> #
> /^begin\s+\d{3}\s+.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])\n?$/
>
> REJECT Windows executable blocked
>
> /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/
>
> REJECT Windows executable blocked
>
> /^\s+(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/
>
> REJECT Windows executable blocked
> EOF
>
> # vi /usr/pkg/etc/postfix/main.cf
>
mailbox_transport = cyrus
> smtpd_client_restrictions =
> permit_mynetworks,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client relays.ordb.org,
> reject_rbl_client sbl.spamhaus.org,
> permit
> smtpd_sender_restrictions =
> check_sender_access regexp:$config_directory/reject_sender,
> permit_mynetworks,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client relays.ordb.org,
> reject_rbl_client sbl.spamhaus.org,
> reject_non_fqdn_sender,
> reject_unknown_sender_domain
> smtpd_recipient_restrictions =
> check_recipient_access regexp:$config_directory/reject_rcpt,
> permit_mynetworks,
> permit_mx_backup,
> reject_non_fqdn_recipient,
> reject_invalid_hostname,
> reject_unknown_recipient_domain,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client relays.ordb.org,
> reject_rbl_client list.dsbl.org,
> reject_unauth_destination,
> reject_unauth_pipelining,
> check_relay_domains
>
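> # Check for harmful attachments. mime_header_checks inspects MIME headers
> # only; the uuencode "begin" rule matches a body line, so it takes effect
> # only if the same table is also listed under body_checks.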
> mime_header_checks = pcre:$config_directory/body_checks
>
> ## Add known trouble makers to my local black list
> # cat > /usr/pkg/etc/postfix/reject_rcpt << EOF
> # Address syntax
> /[@!%].*[@!%]/ 550 Please use user@domain address forms
> only
> EOF
> # cat > /usr/pkg/etc/postfix/reject_sender << EOF
> # Address syntax
> /[@!%].*[@!%]/ 550 Please use user@domain address forms
> only
> EOF
>
> # mkdir -p /usr/local/bin
> # cat > /usr/local/bin/deliver-wrapper.c << EOF
> /*
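> * Wrapper for cyrus 'deliver' that lets any local user run it,
> * but only with a restricted set of parameters.
> *
> * Keep the source readable by root only, then build and install the
> * binary setuid cyrus / setgid mail: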
> *
> * # chown root:wheel deliver-wrapper.c
> * # chmod 600 deliver-wrapper.c
> *
> * # gcc -Wall -static -o deliver-wrapper deliver-wrapper.c
> *
> * # chown cyrus:mail deliver-wrapper
> * # chmod 6711 deliver-wrapper
> */
>
> #include <stdio.h>
> #include <unistd.h>
> #include <pwd.h>
> #include <sys/types.h>
>
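> /*
>  * Run cyrus 'deliver' for exactly one mailbox on behalf of the caller.
>  *
>  * argv[1] (the mailbox name) is the only caller-supplied value passed on.
>  * The -a authorization id is the login name of the real uid, falling back
>  * to "anonymous" when the lookup fails or the name is empty, and deliver
>  * is started with an empty environment. The mailbox name itself is not
>  * validated here.
>  * NOTE(review): presumably deliver enforces the mailbox ACL for the -a id;
>  * confirm the ACLs before installing this binary setuid.
>  *
>  * Returns 64 (EX_USAGE) unless exactly one argument is given and
>  * 71 (EX_OSERR) if the exec fails; on success execle() does not return.
>  */
> int
> main(int argc, char *argv[])
> {
>     /* Empty environment: nothing the caller exported reaches deliver. */
>     char *const envp[] = { NULL };
>     /* getuid() is the real uid, i.e. the invoking user, not the setuid owner. */
>     struct passwd *ent = getpwuid(getuid());
>     const char *uname = (ent && ent->pw_name && ent->pw_name[0])
>         ? ent->pw_name : "anonymous";
>
>     if (argc != 2) {
>         /* A caller may exec this with an empty argv; argv[0] is then NULL. */
>         fprintf(stderr, "Usage: %s mailbox\n",
>             (argc > 0 && argv[0]) ? argv[0] : "deliver-wrapper");
>         return 64; /* EX_USAGE */
>     }
>
>     /* The variadic list must end in a null pointer; a bare NULL may be a plain 0. */
>     execle("/usr/pkg/cyrus/bin/deliver", "deliver", "-e",
>         "-a", uname, "-m", argv[1],
>         (char *)NULL, envp);
>
>     /* Only reached when execle() failed; the message names the path actually tried. */
>     perror("exec /usr/pkg/cyrus/bin/deliver");
>     return 71; /* EX_OSERR */
> }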
> EOF
>
> # cd /usr/local/bin
> # gcc -Wall -static -o deliver-wrapper deliver-wrapper.c
> # chown cyrus:mail deliver-wrapper
> # chmod 6711 deliver-wrapper
>
> Activate spam tagging
> =====================
>
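> ## NOTE: write the delimiter as 'EOF' (quoted) when pasting this; with a
> ## bare EOF the shell expands $HOME, $USER, $DELIVER, $SPAMASSASSIN, ...
> ## while creating the file instead of writing them into .procmailrc
> # cat > ${HOME}/.procmailrc << EOF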
> SHELL=/bin/sh
> DELIVER=/usr/local/bin/deliver-wrapper
> FORMAIL=/usr/pkg/bin/formail
> VACATION=/usr/bin/vacation
> SPAMASSASSIN=/usr/pkg/bin/spamassassin
> USER=myusername
> HOME=/home/$USER
> MAILDIR=$HOME/mail
> ON_VACATION=no
>
> # SpamAssassin
> :0 fw
> | $SPAMASSASSIN
>
> # spam
> :0:$HOME/.cyrus.lock
> * ^Subject: \[SPAM\?\].*
> | $FORMAIL -I "From " | $DELIVER user.$USER.spam
>
> # root
> :0:$HOME/.cyrus.lock
> * ^TO_(root|helpdesk)@
> | $FORMAIL -I "From " | $DELIVER user.$USER.root
>
> # everything else
> :0
> {
> :0 cwi
> * ON_VACATION ?? ^^yes^^
> | $VACATION $USER
> :0:$HOME/.cyrus.lock
> | $FORMAIL -I "From " | $DELIVER user.$USER
> }
>
> # The last resort - if all other recipes fail
> :0:
> IN-ERROR
> EOF
>
> # cat > ${HOME}/.forward << EOF
> "|exec /usr/pkg/bin/procmail || exit 75"
> EOF