Installing a Mail Server, Part 5

24. Spam and virus mail filtering

Configuring MailScanner

Edit /usr/local/etc/MailScanner/virus.scanners.conf and change the following lines:

clamav     /usr/local/libexec/MailScanner/clamav-wrapper     /usr/local
clamavmodule     /usr/bin/false     /tmp

Edit /usr/local/etc/postfix/main.cf:

# ee /usr/local/etc/postfix/main.cf

Uncomment line 514:

header_checks = regexp:/usr/local/etc/postfix/header_checks

Edit /usr/local/etc/postfix/header_checks:

# ee /usr/local/etc/postfix/header_checks

Add:

/^Received:/ HOLD

Reload the postfix configuration:

# postfix reload

Download the Chinese report files for MailScanner, cn.rar, from here, extract the archive, and move the cn folder to:

/usr/local/share/MailScanner/reports/

Edit /usr/local/etc/MailScanner/MailScanner.conf and change the relevant parameters as needed so that they read as follows:

%org-name% = thismail.org
%org-long-name% = LCSoft
%web-site% = www.thismail.org
%etc-dir% = /usr/local/etc/MailScanner
%report-dir% = /usr/local/share/MailScanner/reports/cn
%rules-dir% = /usr/local/etc/MailScanner/rules
%mcp-dir% = /usr/local/etc/MailScanner/mcp
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Sendmail = /usr/sbin/sendmail
Monitors for ClamAV Updates = /var/db/clamav/*.cvd
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Custom Functions Dir = /usr/local/lib/MailScanner/MailScanner/CustomFunctions
SpamAssassin Install Prefix = /usr/local/bin
SpamAssassin Site Rules Dir = /usr/local/etc/mail/spamassassin
SpamAssassin Local Rules Dir = /usr/local/share/spamassassin
PID file = /var/run/MailScanner.pid

Edit the configuration file /usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf:

# ee /usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf
# MailScanner
# MailScanner users, please see the comments at the bottom of this file.
# MailScanner
#
# SpamAssassin user preferences file.
#
# Format:
#
#   required_hits n
#        (how many hits are required to tag a mail as spam.)
#
#   score SYMBOLIC_TEST_NAME n
#        (if this is omitted, 1 is used as a default score.
#        Set the score to 0 to ignore the test.)
#
# # starts a comment, whitespace is not significant.
#
###########################################################################


# Whitelist and blacklist addresses are *not* patterns; they're just normal
# strings. one exception is that "*@isp.com" is allowed. They should be in
# lower-case. You can either add multiple addrs on one line,
# whitespace-separated, or you can use multiple lines.
#
# Monty Solomon: he posts from an ISP that has often been the source of spam
# (no fault of his own ;), and sometimes uses Bcc: when mailing.
#
#whitelist_from        [email protected]

# Add your blacklist entries in the same format...
#
# blacklist_from    [email protected]

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
#
#ok_locales        en

skip_rbl_checks 1

use_bayes 0
use_dcc   0
use_pyzor 0
use_razor1 0
use_razor2 0

decode_attachments 1

Edit the configuration file /usr/local/etc/MailScanner/rules/max.message.size.rules:

# ee /usr/local/etc/MailScanner/rules/max.message.size.rules
# This is an example ruleset to show how rules can have resulting values
# other than yes and no. This ruleset demonstrates having a numerical result.
# The From: and To: rules show how simple domains can be used to select
# different values for the result of the ruleset.
# Note that the fields of each rule line can be separated by any whitespace,
# any combination of tabs and spaces.
#
# The 2 lines involving domain3.com show that for email to [email protected]
# has a limit of 5Mbytes per message, while email to any other user
# @domain3.com has a limit of 500Kbytes per message.
#

To:     *@domain1.com   10M
To:     *@domain2.com   20M
From:   [email protected]   5M
From:   *@domain3.com   500K

#
# The following line specifies the default result used when none of the
# other rules match. In this example,
# Maximum Message Size = 0
# means that there is no limit to the size of the message.
#

FromOrTo: default       0


Edit the configuration file /usr/local/etc/MailScanner/rules/bounce.rules:

# ee /usr/local/etc/MailScanner/rules/bounce.rules
# You can use this ruleset to enable the "bounce" Spam Action.
# You must *only* enable this for mail from sites with which you have
# agreed to bounce possible spam. Use it on low-scoring spam only (<10)
# and only to your regular customers for use in the rare case that a
# message is mis-tagged as spam when it shouldn't have been.
# Beware that many sites will automatically delete the bounce messages
# created by using this option unless you have agreed this with them in
# advance.

# This next line gives an example of how you might enable this option for
# a frequent customer of yours.
#From:        yourcustomer.com    yes

# Under no circumstances should this be changed to "yes".
FromOrTo:    default            no

Restart mailscanner:

# /usr/local/etc/rc.d/mailscanner restart

Add the Chinese spam rules:

# cd /usr/local/share/spamassassin
# fetch http://www.ccert.edu.cn/spam/sa/Chinese_rules.cf

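Continue editing /usr/local/etc/MailScanner/MailScanner.conf:

Because the Chinese spam rules have been added, set the spam scores somewhat higher. Here the required score is set to 8 and the high score to 10, which lowers the rate at which Chinese mail is misidentified. Change these two values to suit your own needs.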

Required SpamAssassin Score = 8
High SpamAssassin Score = 10

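To keep the subject from turning into garbled text after a message is scanned, it is recommended to change the following settings to no: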

Virus Modify Subject = no
Filename Modify Subject = no
Content Modify Subject = no
Disarmed Modify Subject = no
Spam Modify Subject = yes
High Scoring Spam Modify Subject = no

Actions taken on mail identified as spam:

Spam Actions = deliver
High Scoring Spam Actions = delete

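Description of the action parameters:
"deliver" -- deliver the message normally to its original recipient.
"delete" -- delete the message.
"store" -- store the message in the quarantine area.
"bounce" -- return the message to the sender.
"forward" -- give the system a forwarding address, and the system automatically forwards a copy to it.
"striphtml" -- convert mail with embedded HTML to text; you must also add "deliver" for the system to send the message on.

Allow HTML mail through: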

Allow IFrame Tags = yes
Allow Form Tags = yes
Allow Script Tags = yes
Allow WebBugs = disarm
Allow Object Codebase Tags = yes
Convert Dangerous HTML To Text = no
Convert HTML To Text = no

Keep mail sent from the local machine from being treated as spam by MailScanner:

# ee /usr/local/etc/MailScanner/rules/spam.whitelist.rules
From:       127.0.0.1     yes

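Explanation of the rules above: the spam rules above include the scoring rules for Chinese spam subjects and content, so I set a rule with a minimum score of 8 and a maximum score of 10. Mail scoring between 8 and 10 is tagged with the [spamd] marker, mail scoring above 10 is deleted automatically, and the rules above allow HTML mail through.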
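The settings in this section depend on each other: Postfix parks every message with the /^Received:/ HOLD rule, and MailScanner reads from the hold queue and writes to the incoming queue. The following Python check is an added example, not part of the original article or of MailScanner. It verifies that wiring and lists the HTML options left at yes; the function names, the sample text and the way option names are normalised are assumptions of this example.

```python
import re

# Constructed samples: the values this article sets in header_checks and MailScanner.conf.
HEADER_CHECKS = "/^Received:/ HOLD\n"
MAILSCANNER_CONF = """\
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Required SpamAssassin Score = 8
High SpamAssassin Score = 10
Allow IFrame Tags = yes
Allow Form Tags = yes
Allow Script Tags = yes
Allow WebBugs = disarm
Allow Object Codebase Tags = yes
"""
HTML_OPTIONS = ("Allow IFrame Tags", "Allow Form Tags", "Allow Script Tags",
                "Allow WebBugs", "Allow Object Codebase Tags")

def norm(name):
    # This example compares option names without regard to case or spacing.
    return re.sub(r"\s+", "", name).lower()

def parse_conf(text):
    """Return {normalised option name: value} from 'Name = value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            name, value = line.split("=", 1)
            conf[norm(name)] = value.strip()
    return conf

def audit(header_checks, conf_text, spool="/var/spool/postfix"):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_conf(conf_text), []
    if not re.search(r"^/\^Received:/\s+HOLD\b", header_checks, re.M):
        findings.append("header_checks has no HOLD rule, so Postfix never parks mail for scanning")
    if conf.get(norm("Incoming Queue Dir")) != spool + "/hold":
        findings.append("Incoming Queue Dir is not the Postfix hold queue")
    if conf.get(norm("Outgoing Queue Dir")) != spool + "/incoming":
        findings.append("Outgoing Queue Dir is not the Postfix incoming queue")
    required = float(conf.get(norm("Required SpamAssassin Score"), "nan"))
    high = float(conf.get(norm("High SpamAssassin Score"), "nan"))
    if not required < high:
        findings.append("High SpamAssassin Score is not above Required SpamAssassin Score")
    for option in HTML_OPTIONS:
        if conf.get(norm(option), "").lower() == "yes":
            findings.append(option + " = yes: content is delivered unmodified")
    return findings
```

Calling audit() with the real contents of header_checks and MailScanner.conf returns one line per finding.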

25. Login test

Reboot the system.

Copy the aliases.db database:

# /usr/local/bin/newaliases
# cp /etc/mail/aliases.db /etc/aliases.db

Generate the base64 encoding of the user name:

# perl -MMIME::Base64 -e 'print encode_base64("test\@test.com");'
dGVzdEB0ZXN0LmNvbQ==
# perl -MMIME::Base64 -e 'print encode_base64("000000");'
MDAwMDAw

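Note: do not copy the underlined line above directly. Type the slash before the @ sign yourself, because the sohu blog displays the slash as a backslash; here I used a full-width slash.

Test sending on port 25: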

# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.test.com.
Escape character is '^]'.
220 mail.test.com ESMTP Postfix
ehlo mail
250-mail.test.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
auth login
334 VXNlcm5hbWU6
dGVzdEB0ZXN0LmNvbQ==
334 UGFzc3dvcmQ6
MDAwMDAw
235 Authentication successful
MAIL FROM:
250 Ok
RCPT TO:
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
SUBJECT:test

test

.
250 Ok: queued as 47C6CB83E
quit
221 Bye
Connection closed by foreign host.
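In the session above the EHLO reply offers AUTH LOGIN PLAIN and no STARTTLS, and the AUTH LOGIN tokens are base64 only, so the user name and password cross the connection in readable form. The following Python code is an added example, not part of the original article: it parses the EHLO reply and decodes the exchange, using lines constructed from the session shown. The function names are assumptions of this example.

```python
import base64

# Constructed from the port-25 session shown above ("S" = server line, "C" = client line).
EHLO_REPLY = [
    "250-mail.test.com", "250-PIPELINING", "250-SIZE 10240000", "250-VRFY",
    "250-ETRN", "250-AUTH LOGIN PLAIN", "250-AUTH=LOGIN PLAIN", "250 8BITMIME",
]
AUTH_EXCHANGE = [
    ("S", "334 VXNlcm5hbWU6"), ("C", "dGVzdEB0ZXN0LmNvbQ=="),
    ("S", "334 UGFzc3dvcmQ6"), ("C", "MDAwMDAw"),
    ("S", "235 Authentication successful"),
]

def b64d(text):
    return base64.b64decode(text, validate=True).decode("utf-8")

def capabilities(ehlo_lines):
    """Map each EHLO keyword to its parameters (the first line is the greeting)."""
    caps = {}
    for line in ehlo_lines[1:]:
        words = line[4:].replace("=", " ").split()
        if words:
            caps.setdefault(words[0].upper(), set()).update(w.upper() for w in words[1:])
    return caps

def cleartext_auth(ehlo_lines):
    """True when AUTH is advertised and STARTTLS is not."""
    caps = capabilities(ehlo_lines)
    return "AUTH" in caps and "STARTTLS" not in caps

def decode_auth_login(exchange):
    """Return the readable form of every base64 token in an AUTH LOGIN exchange."""
    out = []
    for side, line in exchange:
        if side == "S" and line.startswith("334 "):
            out.append(("S", b64d(line[4:])))
        elif side == "C":
            out.append(("C", b64d(line)))
    return out

def login_responses(user, password):
    """The two client lines AUTH LOGIN expects, as produced by the perl one-liners."""
    return [base64.b64encode(s.encode()).decode() for s in (user, password)]

if __name__ == "__main__":
    print("AUTH offered without STARTTLS:", cleartext_auth(EHLO_REPLY))
    for side, text in decode_auth_login(AUTH_EXCHANGE):
        print(side, text)
```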

Test receiving mail on port 110:

# telnet localhost 110
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.test.com.
Escape character is '^]'.
+OK Hello there.
user [email protected]
+OK Password required.
pass 000000
+OK logged in.
list
+OK POP3 clients that break here, they violate STD53.
1 1563
2 401
.
retr 2
+OK 401 octets follow.
Return-Path:
Delivered-To: [email protected]
Received: from mail (localhost.test.com [127.0.0.1])
    by mail.test.com (Postfix) with ESMTP id 47C6CB83E
    for ; Tue, 11 Jul 2006 13:47:28 +0800 (CST)
SUBJECT:test
Message-Id: <[email protected]>
Date: Tue, 11 Jul 2006 13:47:28 +0800 (CST)
From: [email protected]
To: undisclosed-recipients:;

test

.
dele 2
+OK Deleted.
quit
+OK Bye-bye.
Connection closed by foreign host.

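26. Installing Tmail

Get the latest Tmail from the "Open Source Mail Technology Community" (开源邮件技术社区).

After downloading it, upload it to the web directory on the server.

When you view a message with attachments in Tmail, the attachment information is shown in two places: a drop-down menu to the right of the message action buttons, and a link in the lower-left corner. If you want the lower-left link to work (features such as the personal business card also depend on it), and want webadmin to be able to delete domains and users, remember to change the following in /usr/local/etc/php.ini: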

register_globals = On

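and edit the following parameters in /usr/local/www/apache22/tmail/config/config_inc.php:

$CFG_BASEPATH = "/tmp/tmail/temp"; // temporary directory; if it does not exist, create it manually after editing the configuration file and give it the appropriate permissions

// Mysql
define(MYSQL_HOST, 'localhost'); // database host name
define(MYSQL_USER, 'postfix');   // database user name
define(MYSQL_PASS, 'postfix');   // database password
define(MYSQL_DATA, 'postfix');   // database name
$CFG_NETDISK_PATH = "/mail/netdisk"; // file management (system path of the network disk); if it does not exist, create it manually after editing the configuration file and give it the appropriate permissions
$CFG_NETDISK_DEFAULT_QUOTA = 10;       // file management (network disk) default size is 10 MB; users can change the size to suit their needs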

# mkdir -p /tmp/tmail/temp/
# chown -R vmail:vmail /tmp/tmail
# mkdir -p /mail/netdisk
# chown -R vmail:vmail /mail/netdisk

So that webmail can work with maildrop to filter Chinese mail, create the file /usr/sbin/maildecode:

# ee /usr/sbin/maildecode 
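#!/usr/bin/perl

# Convert a Base64 or Quoted-Printable encoded header value to text

use strict;
use warnings;
use MIME::Base64;
use MIME::QuotedPrint;

my $a = $ARGV[0] || '';

# The first argument may be the "Subject" header name; if so, use the second
if ($a=~/^Subject/) {
    $a = $ARGV[1] || '';
};

# "B" encoded-word: =?charset?B?...?= (the encoding letter is case-insensitive)
if ($a=~/=\?[\w-]+\?B\?(.*)\?=$/i) {
  $a = decode_base64($1);
}
# "Q" encoded-word: =?charset?Q?...?=
elsif ($a=~/=\?[\w-]+\?Q\?(.*)\?=$/i) {
  # In Q encoding "_" stands for a space (RFC 2047)
  (my $q = $1) =~ tr/_/ /;
  $a = decode_qp($q);
};

# Uncomment to log the decoded value while debugging
#open(OUTFILE, ">/tmp/list.log");
#print OUTFILE $a;
#close(OUTFILE);

print $a;

exit(0);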

and change its permissions:

# chmod 755 /usr/sbin/maildecode
# chown -R vmail:vmail /usr/sbin/maildecode

For security and convenience, make some settings in /usr/local/etc/apache22/httpd.conf:

Set DocumentRoot to suit your own setup:

DocumentRoot "/usr/local/www/apache22/data/webmail"

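Also set:

To be able to reach the administration systems at URLs such as http://yourdomain/phpmyadmin, add the following afterwards as needed:

Alias /webadmin /usr/local/www/apache22/data/webadmin
<Directory "/usr/local/www/apache22/data/webadmin">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Alias /phpmyadmin /usr/local/www/apache22/data/phpmyadmin
<Directory "/usr/local/www/apache22/data/phpmyadmin">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>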

Save the file and restart apache.

27. Firewall rules

# ee /etc/ipf.rules

Delete the previous rules, then modify and add the following rules as needed:

block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr

pass in log quick on lo0
pass out log quick on lo0

pass in log quick on lnc0 proto tcp from any to any port=22 flags S/SA keep state

pass in log quick on lnc0 proto tcp from any to any port=80 flags S/SA keep state
pass out log quick on lnc0 proto tcp from any to any port=80 flags S/SA keep state


pass in log quick on lnc0 proto tcp from any to any port=25 flags S/SA keep state
pass out log quick on lnc0 proto tcp from any to any port=25 flags S/SA keep state

pass in log quick on lnc0 proto tcp from any to any port=110 flags S/SA keep state
pass in log quick on lnc0 proto tcp from any to any port=143 flags S/SA keep state

pass out log quick on lnc0 proto udp from any to any port=53 keep state

block in log all
block out log all

After editing, run the following command to put the rules into effect:

# /etc/rc.d/ipfilter reload

In addition, add the following to /etc/sysctl.conf:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

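This effectively guards against port scans.

28. Acknowledgements

This article was written with reference to "An Anti-Spam, Anti-Virus Mail System with Web Mail Based on FreeBSD and Postfix, Installation 5.1". Thanks to its author, Jacky 杨廷勇; without his work this article would not exist.

Thanks to PowerUP for "An Anti-Spam Mail System Based on FreeBSD and Postfix 5.1 (PowerUP Supplemented Edition V2.0)", which played a key role in completing this article.

Thanks to the authors of the "FreeBSD Handbook" and to 王俊斌, author of "FreeBSD 6.0 Setup, Administration and Applications"; the content of these two books provided the basic technical support for this article.

Thanks to 韬光晦影 for "FreeBSD 5.2.1R Web Server Setup, a Worked Example", which served as the SSH reference for this article.

Thanks to heiyeluren for "Building a Secure Web Server on FreeBSD", which served as the system security reference for this article.

Thanks to the author of "An Introduction to the IP Filter Firewall"; I am sorry that I could not find the original work or its author, only a download address. Thanks to Jacky for "IPF Configuration for a Mail Server (Written from the 4.05 Document)". These two articles served as the IP Filter firewall reference for this article.

Thanks to the author of "Setting Up a Small Business Firewall with IPFILTER on FreeBSD 4.7"; I am sorry that I could not find the original work or its author. This article served as an IP Filter firewall reference.

Thanks to 硬-盘 for the tip about SATA disks in "If I Only Have SATA Disks, Which Kernel Build Options Are Necessary?".

Thanks to the friends on the forums "Open Source Mail Technology Community" (开源邮件技术社区) and "FreeBSD China" for their support and help.

Thanks to the friends in QQ group "18990150" for their support and help.

Thanks once again to the friends who selflessly helped with the completion of this article!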
