Subject: Re: Junk mail and virus filtering on netbsd mailserver
To: Martti Kuparinen <martti.kuparinen@iki.fi>
From: None <netbsd@ns.purk.ee>
List: netbsd-help
Date: 08/25/2003 18:07:47
Hi

Postfix is really great! Welcome to the world of misconfigured DNS ;-) There is a
good reason to REJECT fake HELO/EHLO DNS names.

Aug 24 22:32:58 ns postfix/smtpd[17544]: 6CF4BAEC4: reject: RCPT from
80-235-40-213-dsl.mus.estpak.ee[80.235.40.213]: 450 <KOHV>: Helo command
rejected: Host not found; from=<JURI123456@HOT.EE> to=<purk@purk.e$
Aug 24 22:32:59 ns postfix/smtpd[17544]: disconnect from
80-235-40-213-dsl.mus.estpak.ee[80.235.40.213]

Greetings





Quoting Martti Kuparinen <martti.kuparinen@iki.fi>:

> Martti Kuparinen wrote:
> 
> [Few updates to my original text]
> 
> > This is what I have:
> > 
> > - postfix with pcre support
> > - spamassassin
> > - procmail
>    - cyrus with IPv6 support for POP3 and IMAP
> > 
> > Feel free to ask me more.
> > 
> > Martti
> > 
> > 
> > Install the software
> > ====================
> > 
> > # cd /usr/pkgsrc/mail/spamassassin
> > # make install clean clean-depends
> > 
> > # cd /usr/pkgsrc/mail/procmail
> > # make install clean clean-depends
> 
>    # echo CYRUS_USE_INET6=YES >> /etc/mk.conf
>    # cd /usr/pkgsrc/mail/cyrus-imapd21
>    # make install clean clean-depends
> 
> > # echo POSTFIX_USE_PCRE=YES >> /etc/mk.conf
> > # cd /usr/pkgsrc/mail/postfix
> > # make install clean clean-depends
> > 
> > Configure the software
> > ======================
> > 
> > ## Disable all incoming mails with dangerous attachments
> > # cat > /usr/pkg/etc/postfix/body_checks << EOF
> > #
> > # Block mails with the following attachments:
> > #
> > # bat|chm|cmd|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh]
> > #
> > /^begin\s+\d{3}\s+.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])\n?$/
> >   REJECT Windows executable blocked
> > 
> > /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/
> >   REJECT Windows executable blocked
> > 
> > /^\s+(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/
> >   REJECT Windows executable blocked
> > EOF
> > 
> > # vi /usr/pkg/etc/postfix/main.cf
> >
>      mailbox_transport = cyrus
> >   smtpd_client_restrictions =
> >         permit_mynetworks,
> >         reject_rbl_client list.dsbl.org,
> >         reject_rbl_client relays.ordb.org,
> >         reject_rbl_client sbl.spamhaus.org,
> >         permit
> >   smtpd_sender_restrictions =
> >         check_sender_access regexp:$config_directory/reject_sender,
> >         permit_mynetworks,
> >         reject_rbl_client list.dsbl.org,
> >         reject_rbl_client relays.ordb.org,
> >         reject_rbl_client sbl.spamhaus.org,
> >         reject_non_fqdn_sender,
> >         reject_unknown_sender_domain
> >   smtpd_recipient_restrictions =
> >         check_recipient_access regexp:$config_directory/reject_rcpt,
> >         permit_mynetworks,
> >         permit_mx_backup,
> >         reject_non_fqdn_recipient,
> >         reject_invalid_hostname,
> >         reject_unknown_recipient_domain,
> >         reject_rbl_client sbl.spamhaus.org,
> >         reject_rbl_client relays.ordb.org,
> >         reject_rbl_client list.dsbl.org,
> >         reject_unauth_destination,
> >         reject_unauth_pipelining,
> >         check_relay_domains
> > 
> >   # Check for harmful attachments
> >   mime_header_checks = pcre:$config_directory/body_checks
> > 
> > ## Add known trouble makers to my local black list
> > # cat > /usr/pkg/etc/postfix/reject_rcpt << EOF
> > # Address syntax
> > /[@!%].*[@!%]/                  550 Please use user@domain address forms only
> > EOF
> > # cat > /usr/pkg/etc/postfix/reject_sender << EOF
> > # Address syntax
> > /[@!%].*[@!%]/                  550 Please use user@domain address forms only
> > EOF
> > 
> > # mkdir -p /usr/local/bin
> > # cat > /usr/local/bin/deliver-wrapper.c << EOF
> > /*
> >  * Wrapper for cyrus 'deliver' to allow anyone to run it
> >  * with restricted set of parameters.
> >  *
> >  * This should be
> >  *
> >  * # chown root:wheel deliver-wrapper.c
> >  * # chmod 600 deliver-wrapper.c
> >  *
> >  * # gcc -Wall -static -o deliver-wrapper deliver-wrapper.c
> >  *
> >  * # chown cyrus:mail deliver-wrapper
> >  * # chmod 6711 deliver-wrapper
> >  */
> > 
> > #include <stdio.h>
> > #include <unistd.h>
> > #include <pwd.h>
> > #include <sys/types.h>
> > 
> > int
> > main(int argc, char *argv[])
> > {
> >     char *const envp[] = { NULL };
> >     struct passwd *ent = getpwuid(getuid());
> >     const char *uname = (ent && ent->pw_name && ent->pw_name[0])
> >                         ? ent->pw_name : "anonymous";
> > 
> >     if (argc != 2) {
> >             fprintf(stderr, "Usage: %s mailbox\n", argv[0]);
> >             return 64; /* EX_USAGE */
> >     }
> > 
> >     execle("/usr/pkg/cyrus/bin/deliver", "deliver", "-e",
> >            "-a", uname, "-m", argv[1],
> >            (char *)NULL, envp);
> > 
> >     perror("exec /usr/pkg/cyrus/bin/deliver");
> >     return 71; /* EX_OSERR */
> > }
> > EOF
> > 
> > # cd /usr/local/bin
> > # gcc -Wall -static -o deliver-wrapper deliver-wrapper.c
> > # chown cyrus:mail deliver-wrapper
> > # chmod 6711 deliver-wrapper
> > 
> > Activate spam tagging
> > =====================
> > 
> > # cat > ${HOME}/.procmailrc << 'EOF'
> > SHELL=/bin/sh
> > DELIVER=/usr/local/bin/deliver-wrapper
> > FORMAIL=/usr/pkg/bin/formail
> > VACATION=/usr/bin/vacation
> > SPAMASSASSIN=/usr/pkg/bin/spamassassin
> > USER=myusername
> > HOME=/home/$USER
> > MAILDIR=$HOME/mail
> > ON_VACATION=no
> > 
> > # SpamAssassin
> > :0 fw
> > | $SPAMASSASSIN
> > 
> > # spam
> > :0:$HOME/.cyrus.lock
> > * ^Subject: \[SPAM\?\].*
> > | $FORMAIL -I "From " | $DELIVER user.$USER.spam
> > 
> > # root
> > :0:$HOME/.cyrus.lock
> > * ^TO_(root|helpdesk)@
> > | $FORMAIL -I "From " | $DELIVER user.$USER.root
> > 
> > # everything else
> > :0
> > {
> >         :0 cwi
> >         * ON_VACATION ?? ^^yes^^
> >         | $VACATION $USER
> >         :0:$HOME/.cyrus.lock
> >         | $FORMAIL -I "From " | $DELIVER user.$USER
> > }
> > 
> > # The last resort - if all other recipes fail
> > :0:
> > IN-ERROR
> > EOF
> > 
> > # cat > ${HOME}/.forward << EOF
> > "|exec /usr/pkg/bin/procmail || exit 75"
> > EOF
> 
> 




---------------------------------------------
Powered By "NetBSD" http://www.netbsd.org/
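
The three attachment patterns from the quoted body_checks file, exercised against header lines before they go live. This is an added example, not part of either message: Python's re module stands in for Postfix's PCRE engine, re.IGNORECASE mirrors the case-insensitive default of Postfix pcre: tables, and the rule labels and sample lines are constructed for illustration.

```python
import re

# Extension alternation copied verbatim from the quoted body_checks file.
EXT = r'(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])'

# The three quoted patterns, in file order. Labels are made up for this example.
RULES = [
    ('uuencode begin line', r'^begin\s+\d{3}\s+.+?\.' + EXT + r'\n?$'),
    ('Content-* header',
     r'^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.' + EXT + r'"?\n?$'),
    ('folded name= line', r'^\s+(file)?name="?.+?\.' + EXT + r'"?\n?$'),
]
# Postfix pcre: tables match case-insensitively by default, so mirror that here.
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in RULES]


def check(line):
    """Return the label of the first rule that would REJECT this line, else None."""
    for label, rx in COMPILED:
        if rx.search(line):
            return label
    return None


# Constructed sample lines: four that should be rejected, three that must pass.
SAMPLES = [
    'begin 644 invoice.exe',
    'Content-Disposition: attachment; filename="photo.jpg.pif"',
    'Content-Type: application/octet-stream; name=SETUP.EXE',
    '\tfilename="update.scr"',
    'Content-Disposition: attachment; filename="report.pdf"',
    'Content-Type: text/plain; name="notes.exe.txt"',
    'begin 644 readme.txt',
]


def scan(lines=SAMPLES):
    """Pair every line with the verdict of check()."""
    return [(line, check(line)) for line in lines]


if __name__ == '__main__':
    for line, verdict in scan():
        print('%-22s %r' % (verdict or 'pass', line))
```

On the mail server itself, `postmap -q "<line>" pcre:/usr/pkg/etc/postfix/body_checks` puts the same question to Postfix's own PCRE engine.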