Spam filtering is not working.

Discussion in 'Installation/Configuration' started by beryl, Nov 1, 2016.

  1. beryl

    beryl New Member

    I have:
    - Installed the server as per the Perfect Server for Debian Jessie, down to the letter.
    - Activated spam filter on the domain and the mailbox and chosen "Non-paying" level.
    - I've read the manual and made sure that all settings are correct in Postfix.
    - I've set the policy to move tagged mail to Junk folder.

    Still, the account is not getting spam e-mails tagged at all and no spam is being moved to the Junk folder.
    If i setup a manual filter, those e-mails are moved the the Junk folder as i have configured them.

    I'm not new to operating e-mail servers, but this just boggles me completely - why isn't e-mails being spam-scanned?
    Here is a sample header that clearly shows that amavis is scanning the emails (Domains replaced with bogus names).

    What more can i do?

    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
        by server1.server.com (Postfix) with ESMTP id 78F9F1E138D
        for <[email protected]>; Tue,  1 Nov 2016 19:24:48 +0000 (UTC)
    X-Virus-Scanned: Debian amavisd-new at server1.server.com
    Received: from server1.server.com ([127.0.0.1])
        by localhost (server1.server.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id apUibnoHEipB for <[email protected]>;
        Tue,  1 Nov 2016 19:24:48 +0000 (UTC)
    Received: from cpe-75-186-155-41.cinci.res.rr.com (cpe-75-186-155-41.cinci.res.rr.com [75.186.155.41])
        by server1.server.com (Postfix) with SMTP id 946EA1E136C
        for <[email protected]>; Tue,  1 Nov 2016 19:24:47 +0000 (UTC)
    Message-ID: <[email protected]>
    From: "Phyllis Wesley" <[email protected]>
    Subject: Re: 9 new ladies profiles (dating)
    To: [email protected]
    Date: Tue, 01 Nov 2016 21:56:47 +0300
    Mime-Version: 1.0
    Content-Type: text/html;
    Content-Transfer-Encoding: 7Bit
    
    Dear member of our Dating site!<br>You have 6 unread messages from ladies.<br>Please, <a href="http://sexy-dream7.top/?u=79h8kwf&o=epgkvze&t=">Check them here</a><br>Best wishes to you,<br>administrator
    
     
  2. cbj4074

    cbj4074 Member

    That header, X-Virus-Scanned, is not indicative of a spam scan. Even though amavis is the "glue" that performs both virus scans and spam scans, that header is exclusive to virus scanning.

    The spam-related headers would look more like this, if present:

    Code:
    X-Virus-Scanned: Debian amavisd-new at example.com
    X-Spam-Flag: NO
    X-Spam-Score: 0.82
    X-Spam-Level:
    X-Spam-Status: No, score=0.82 tagged_above=-999 required=4.5
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    FROM_EXCESS_BASE64=0.105, HTML_IMAGE_RATIO_02=0.805,
    HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01]
    autolearn=no autolearn_force=no
    
    First, configure the effective policy to look like this:

    SPAM tag level -> -999
    SPAM tag2 level -> 4.5
    SPAM kill level -> 50
    SPAM dsn cutoff level -> 0
    SPAM quarantine cutoff level -> 0
    SPAM modifies subject -> Yes
    SPAM subject tag ->
    SPAM subject tag2-> ***SPAM (Score: _SCORE_)***

    This should force the headers to be added to each message.

    Do the headers demonstrated up above appear when you do this?
     
  3. beryl

    beryl New Member

    That's just it, they don't come up if i do this and set it on the mailbox.
    I've updated ISPConfig twice now and each time i chose to re-configure services.
    Kind of expecting it to set the spam configuration correctly.
    This is a clean install since ISPConfig 3.0 beta, now running 3.1 stable.
     
  4. cbj4074

    cbj4074 Member

    Can you please post the contents of /etc/amavis/conf.d/50-user to pastebin.com or similar? Even here would work, as long as you wrap it in appropriate pre-formatting (code) tags.

    Having installed ISPConfig probably 50 times on different servers (all Ubuntu), using the Perfect Server tutorial series as a guide, I can say that amavis usually works as expected out-of-the-box, so something else is likely amiss with your configuration.
     
  5. beryl

    beryl New Member

    Code:
    cat /etc/amavis/conf.d/50-user
    use strict;
    
    #
    # Place your configuration directives here.  They will override those in
    # earlier files.
    #
    # See /usr/share/doc/amavisd-new/ for documentation and examples of
    # the directives you can use in this file
    #
    
    @bypass_virus_checks_maps = (
       \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
    
    @bypass_spam_checks_maps = (
       \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
    
    #
    # Database connection settings
    #
    
    @lookup_sql_dsn =
       ( ['DBI:mysql:database=dbispconfig;host=127.0.0.1;port=3306', 'ispconfig', '47d204e259fc433502cf4685235659a4'] );
    
    # @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
    #$sql_select_policy = 'SELECT "Y" as local FROM mail_domain WHERE CONCAT("@",domain) IN (%k)';
    # $banned_files_quarantine_method = 'sql';
    # $spam_quarantine_method         = 'sql';
    
    #
    # SQL Select statements
    #
    
    $sql_select_policy =
       'SELECT *,spamfilter_users.id'.
       ' FROM spamfilter_users LEFT JOIN spamfilter_policy ON spamfilter_users.policy_id=spamfilter_policy.id'.
       ' WHERE spamfilter_users.email IN (%k) ORDER BY spamfilter_users.priority DESC';
    
    
    $sql_select_white_black_list = 'SELECT wb FROM spamfilter_wblist'.
        ' WHERE (spamfilter_wblist.rid=?) AND (spamfilter_wblist.email IN (%k)) AND (spamfilter_wblist.active="y")' .
        ' ORDER BY spamfilter_wblist.priority DESC';
    
    #
    # Quarantine settings
    #
    
    $final_virus_destiny = D_BOUNCE;
    $final_spam_destiny = D_DISCARD;
    $final_banned_destiny = D_BOUNCE;
    $final_bad_header_destiny = D_PASS;
    
    # Default settings, we st this very high to not filter aut emails accidently
    $sa_spam_subject_tag = '***SPAM*** ';
    $sa_tag_level_deflt  = 20.0;  # add spam info headers if at, or above that level
    $sa_tag2_level_deflt = 60.0; # add 'spam detected' headers at that level
    $sa_kill_level_deflt = 60.0; # triggers spam evasive actions
    $sa_dsn_cutoff_level = 100;   # spam level beyond which a DSN is not sent
    
    #
    # Disable spam and virus notifications for the admin user.
    # Can be overridden by the policies in mysql
    #
    
    $virus_admin = undef;
    $spam_admin = undef;
    
    
    #
    # Enable Logging
    #
    
    $DO_SYSLOG = 1;
    $LOGFILE = "/var/log/amavis.log";  # (defaults to empty, no log)
    
    # Set the log_level to 5 for debugging
    $log_level = 0;                # (defaults to 0)
    
    $inet_socket_port = [10024,10026];
    
    # :* = send to incoming Port + 1
    $forward_method = 'smtp:127.0.0.1:*';
    $notify_method = 'smtp:127.0.0.1:*';
    $interface_policy{'10026'} = 'ORIGINATING';
    $policy_bank{'ORIGINATING'} = {
      originating => 1,
      smtpd_discard_ehlo_keywords => ['8BITMIME'],
    };
    
    # IP-Addresses for internal networks => load policy MYNETS
    # - requires -o smtp_send_xforward_command=yes in postfix master.cf
    @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 [::1] [FE80::]/10 [FEC0::]/10);
    
    # Allow SMTP access from IPs in @inet_acl to amvisd SMTP Port
    @inet_acl = qw( 127.0.0.1 [::1] 192.168.0.0/16 );
    
    # DKIM
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1; # load DKIM signing code
    $signed_header_fields{'received'} = 0;  # turn off signing of Received
    @dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
    
    #------------ Do not modify anything below this line -------------
    1;  # insure a defined return
    
    If i try to restart amavis i get this:

    service clamav restart
    Failed to restart clamav.service: Unit clamav.service failed to load: No such file or directory.

    No errors in the logs at all.

    It is running, however:

    ps -U clamav
    PID TTY TIME CMD
    736 ? 00:00:00 freshclam
    858 ? 00:00:13 clamd
     
  6. cbj4074

    cbj4074 Member

    Okay, that configuration file looks good. Mine is identical, excepting the password, of course. (You may want to scrub the password from the
    @lookup_sql_dsn value, especially if this is a production system, just so somebody malicious doesn't see it; sorry, I should have thought to mention that.)

    Odd that you can't restart amavis due to the clamav issue. Did you in fact install clamav? What does this return (executed as root)?

    Code:
    # systemctl status clamav-daemon
    
    For that matter, what does this return?

    Code:
    # systemctl status amavis
    
     
  7. beryl

    beryl New Member

    Don't worry, I changed the password before posting - can't be too careful ;)

    Code:
    systemctl status clamav-daemon
    ● clamav-daemon.service - Clam AntiVirus userspace daemon
       Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled)
       Active: active (running) since Thu 2016-11-03 17:47:24 UTC; 12min ago
         Docs: man:clamd(8)
               man:clamd.conf(5)
               http://www.clamav.net/lang/en/doc/
     Main PID: 858 (clamd)
       CGroup: /system.slice/clamav-daemon.service
               └─858 /usr/sbin/clamd --foreground=true
    
    Nov 03 17:45:59 server1 clamd[858]: Portable Executable support enabled.
    Nov 03 17:45:59 server1 clamd[858]: ELF support enabled.
    Nov 03 17:45:59 server1 clamd[858]: Mail files support enabled.
    Nov 03 17:45:59 server1 clamd[858]: OLE2 support enabled.
    Nov 03 17:45:59 server1 clamd[858]: PDF support enabled.
    Nov 03 17:45:59 server1 clamd[858]: SWF support enabled.
    Nov 03 17:45:59 server1 clamd[858]: HTML support enabled.
    Nov 03 17:45:59 server1 clamd[858]: XMLDOCS support enabled.
    Nov 03 17:45:59 server1 clamd[858]: HWP3 support enabled.
    Nov 03 17:45:59 server1 clamd[858]: Self checking every 3600 seconds.
    
    Code:
    systemctl status amavis
    ● amavis.service - LSB: Starts amavisd-new mailfilter
       Loaded: loaded (/etc/init.d/amavis)
       Active: active (running) since Thu 2016-11-03 19:06:48 UTC; 1h 6min left
       CGroup: /system.slice/amavis.service
               ├─1847 /usr/sbin/amavisd-new (master)
               ├─1986 /usr/sbin/amavisd-new (ch1-avail)
               └─1987 /usr/sbin/amavisd-new (ch2-avail)
    
    Nov 03 19:06:48 server1 amavis[1847]: No decoder for       .rar
    Nov 03 19:06:48 server1 amavis[1847]: No decoder for       .rpm
    Nov 03 19:06:48 server1 amavis[1847]: No decoder for       .swf
    Nov 03 19:06:48 server1 amavis[1847]: Using primary internal av scanner code for ClamAV-clamd
    Nov 03 19:06:48 server1 amavis[1847]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
    Nov 03 19:06:48 server1 amavis[1847]: Deleting db files __db.003,nanny.db,__db.002,snmp.db,__db.001 in /var/lib/amavis/db
    Nov 03 19:06:48 server1 amavis[1847]: Creating db in /var/lib/amavis/db/; BerkeleyDB 0.54, libdb 5.3
    Nov 03 17:46:04 server1 amavis[1987]: (01987-01) Passed CLEAN {RelayedInbound}, [91.230.171.73]:21256 [91.230.171.73] <[email protected]> -> <svetlan...
    Nov 03 17:46:35 server1 amavis[1986]: (01986-01) Passed CLEAN {RelayedInbound}, [45.59.120.172]:35768 [45.59.120.172] <[email protected]> -> ...
    Nov 03 17:50:39 server1 amavis[1987]: (01987-02) Passed CLEAN {RelayedInbound}, [160.20.15.82]:38405 [160.20.15.82] <[email protected]> -> <[email protected]...
    Hint: Some lines were ellipsized, use -l to show in full.
    
    Like i wrote, I'm completely boggled by this!
     
  8. cbj4074

    cbj4074 Member

    That all looks okay to me.

    Let's double-check the configuration in the ISPConfig interface.

    There are several places that affect the spam-scanning behavior:

    1.) Email -> Domain -> example.com -> spamfilter

    What's selected here for the domain in question?

    2.) Email -> Email Mailbox -> [email protected] -> Mailbox (tab) -> Spamfilter

    What's selected there for the mailbox in question?

    3.) Email -> Spamfilter > User / Domain (left-nav)

    Do the values here look reasonable? You should see one entry for the mail domain (with Priority 5), and one entry for the specific user's mailbox (with Priority 10). A screenshot would be ideal.
     
  9. beryl

    beryl New Member

    1. All Tags (The one that tags all mail)
    2. All Tags (The one that tags all mail)
    3. Screenshot(s) attached.
     

    Attached Files:

  10. beryl

    beryl New Member

    I finally found it - in Spamfilter -> User/Domain -> There was two entries with the same user and domain for the account that isn't working - i removed one of them and then it started working again.

    Why is double entries even allowed if it causes it to not work at all?
     
  11. cbj4074

    cbj4074 Member

    Glad to see it resolved!

    As to why it's even possible to create two entries with the same user and the same domain there, that is an excellent question. Unfortunately, I don't know the answer.

    If you're willing to spend the time with it, you might be able to arrive at an answer by analyzing the queries in that file from earlier,
    /etc/amavis/conf.d/50-user.

    You may be able to execute some of the queries in there manually and determine what was happening when you had duplicate entries present. Maybe the results were being discarded if more than one row was returned, or something like that.

    If after that you suspect a bug, I would open a report at https://git.ispconfig.org/ispconfig/ispconfig3/issues .

    Also, the most effective method I've found for combating spam is to do so right at the Postfix layer. Something like this, in /etc/postfix/main.cf:

    Code:
    #Default:
    #smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
    smtpd_recipient_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unauth_destination,
       check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
       check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
       reject_sender_login_mismatch,
       reject_invalid_hostname,
       reject_non_fqdn_hostname,
       reject_non_fqdn_sender,
       reject_non_fqdn_recipient,
       reject_unknown_sender_domain,
       reject_unknown_recipient_domain,
       check_policy_service unix:private/policy-spf,
       reject_rbl_client zen.spamhaus.org,
       reject_rhsbl_helo dbl.spamhaus.org,
       reject_rhsbl_sender dbl.spamhaus.org,
       reject_rbl_client bl.spamcop.net
    
    And the following at the bottom of the file:

    Code:
    # Required to fully enforce the "reject_invalid_helo_hostname" or
    # "reject_non_fqdn_helo_hostname" restriction (without "smtpd_helo_required = yes",
    # a client can simply skip either restriction by not sending HELO or EHLO).
    smtpd_helo_required = yes
    
    # Don't talk to mail systems that don't know their own hostname.
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
    
    # Block clients that speak too early.
    smtpd_data_restrictions = reject_unauth_pipelining
    
    # Reject non-replyable sender addresses,  like @yahoo.com and ""@yahoo.com, straight away.
    strict_rfc821_envelopes = yes
    
    # This option is enabled by default, but it is important enough to be set explicitly.
    # Several directives (such as smtpd_helo_restrictions) are effective only when this directive is set to "yes".
    smtpd_delay_reject = yes
    
    policy-spf_time_limit = 3600s
    
    postscreen_greet_action = enforce
    
    You may have to tailor that list slightly, or ensure that you have all of the requisites installed, to avoid invalid configuration errors in Postfix.

    In short, you'd need the pyzor, razor2, postfix-policyd-spf-python, postscreen, and postgrey packages. Happy to provide further guidance if it's of interest to you.
     
    Last edited: Nov 3, 2016
  12. beryl

    beryl New Member

    Thanks a million for the kind help, I'll try adding on the settings you suggest as well!

    If there's additional settings to using postscreen or postgrey, I'd be interested - We already added Pyzor since we use that on another server.

    Here is how to enable razor and pyzor:

    Most people don't think spam-assassin configuration is not used when amavis is used - but it is, pyzor need to be enabled in /etc/spamassassin/local.cf

    Note: This is usually added by default, so shouldn't nee to be added!
    Code:
    # Enable or disable network checks
    skip_rbl_checks         0
    use_razor2              1
    use_dcc                 1
    use_pyzor               1
    
    You need to register with an identity to the razor network:
    Code:
    su - amavis -s /bin/bash
    razor-admin -create
    razor-admin -register
    pyzor discover
    exit
    
    And port 2703 need to be open.

    You can check if pyzor is running with:
    Code:
    echo "test" | spamassassin -D pyzor 2>&1 | less
    
     
    Last edited: Nov 4, 2016
  13. cbj4074

    cbj4074 Member

    You are very welcome! Happy to help you!

    This is excellent information here, in your previous post.

    The only corrections/additions I would offer are in regard to more specific firewall requirements, and how best to test pyzor and razor2.

    The easiest way to do this might be with some comments that one could add to /etc/spamassassin/local.cf:

    Code:
    # Ensure that Real-Time Blacklist checking is enabled.
    skip_rbl_checks 0
    
    # pyzor
    # Be sure to allow OUTGOING port 24441 UDP on firewall!
    # Be sure to allow INCOMING port 24441 TCP on firewall!
    
    use_pyzor 1
    pyzor_path /usr/bin/pyzor
    add_header all Pyzor _PYZOR_
    # Increase timeout to prevent failure; see http://atomicorp.com/forums/viewtopic.php?f=4&t=5457
    pyzor_timeout 20
    
    # razor2
    # Be sure to allow OUTGOING port 2703 TCP on firewall!
    
    use_razor2 1
    razor_config /etc/razor/razor-agent.conf
    
    I should note that because most firewalls are configured to allow all outbound traffic, opening the outbound ports that pyzor and razor2 use, explicitly, is usually unnecessary. In other words, in most firewall configurations, it is necessary only to open inbound port 24441 UDP for pyzor to work.

    With regard to testing pyzor, it is more useful to pass a well-formed email message (per RFC-822) than the string "test", because the log output will say something like

    Code:
    dbg: pyzor: check failed: no response
    
    which is confusing (and misleading, because pyzor is, in fact, working). It would be better to use the GTUBE (Generic Test for Unsolicited Bulk Email) file.

    Code:
    # su - amavis
    $ wget https://spamassassin.apache.org/gtube/gtube.txt
    $ spamassassin -D pyzor 2>&1 < ./gtube.txt
    
    in which case that line changes to

    Code:
    dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 0 3
    
    pyzor will report that the result is "X-Spam-Pyzor: Whitelisted", because the message is originating from localhost, but this method serves the purpose at hand.

    Testing razor2 is similar:

    Code:
    # su - amavis
    $ razor-check -d < ./gtube.txt
    
    This will almost certainly result in "No queries, no spam", because the gtube.txt message is unlikely to generate a hit with razor2, but the other output demonstrates that razor2 is working.

    I'll follow-up regarding postscreen and postgrey in a separate post, so as to stay organized. :)
     
    Last edited: Nov 5, 2016
  14. cbj4074

    cbj4074 Member

    Regarding Postscreen and Postgrey, have a peek at the official tutorial for Hardening Postfix:

    https://www.howtoforge.com/hardening-postfix-for-ispconfig-3

    Based on that tutorial and other tips/tricks I've learned over the years, I've created this synthesized "How To" that I use every time that I deploy a mail stack.

    (Looks like I have to split it up into two posts, due to a length restriction.)


    Reverse DNS (rDNS / PTR record)

    Many mail-related functions require a proper reverse-DNS record. Ensure that the correct domains are mapped to the server's IP address in the relevant DNS setup. Validate it with a tool like http://mxtoolbox.com .

    SPF (Sender Policy Framework) DNS Record

    Most mail systems reject mail from systems that for which a proper SPF DNS record does not exist. Before proceeding, ensure that a valid SPF record exists for the IP address in question.Again, use http://mxtoolbox.com or similar to validate the SPF record.

    Enhance Postfix Functionality

    Add the following directives to the end of /etc/postfix/main.cf:

    Code:
    # Required to fully enforce the "reject_invalid_helo_hostname" or
    # "reject_non_fqdn_helo_hostname" restriction (without "smtpd_helo_required = yes",
    # a client can simply skip either restriction by not sending HELO or EHLO).
    smtpd_helo_required = yes
    
    # Don't talk to mail systems that don't know their own hostname.
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
    
    # Block clients that speak too early.
    smtpd_data_restrictions = reject_unauth_pipelining
    
    # Reject non-replyable sender addresses, like @yahoo.com and ""@yahoo.com, straight away.
    strict_rfc821_envelopes = yes
    
    # This option is enabled by default, but it is important enough to be set explicitly.
    # Several directives (such as smtpd_helo_restrictions) are effective only when this directive is set to "yes".
    smtpd_delay_reject = yes
    
    Installing Pyzor and Razor2

    Code:
    # apt-get install pyzor razor
    
    Place the following directives near the bottom of /etc/spamassassin/local.cf:

    Code:
    #pyzor
    # Be sure to allow port 24441 TCP on firewall!
    use_pyzor 1
    pyzor_path /usr/bin/pyzor
    add_header all Pyzor _PYZOR_
    # Increase timeout to prevent failure; see http://atomicorp.com/forums/viewtopic.php?f=4&t=5457
    pyzor_timeout 20
    
    #razor
    use_razor2 1
    razor_config /etc/razor/razor-agent.conf
    
    Ensure that the Pyzor and Razor plug-in lines are un-commented in /etc/spamassassin/v310.pre:

    Code:
    # Pyzor - perform Pyzor message checks.
    #
    loadplugin Mail::SpamAssassin::plugin::pyzor
    
    # Razor2 - perform Razor2 message checks.
    #
    loadplugin Mail::SpamAssassin::plugin::Razor2
    
    Update Pyzor's server list:

    Code:
    # pyzor discover
    
    smtpd Client Restrictions

    NOTE: As of ISPConfig 3.1, I'm not sure that this is necessary anymore. We should confirm! -2016.08.16

    Update the smtpd_client_restrictions directive so that it rejects unwanted connections at the MTA level:

    Code:
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    
    smtpd Recipient Restrictions

    Update the smtpd_recipient_restrictions directive so that it rejects unwanted mail at the MTA level:

    Default value:

    Code:
    smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination
    
    Hardened value:

    IMPORTANT: Notice that the reject_unauth_destination value has been placed before check_recipient_access. Although this is not the default in some Linux distributions (including Debian and Ubuntu), this is crucial measure in preventing unexpected open-relay problems. See Postfix author's comments at http://comments.gmane.org/gmane.mail.postfix.user/237214 .

    Code:
    smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_sender_login_mismatch,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain
    
    (continued...)
     
  15. cbj4074

    cbj4074 Member

    Checking SPF Records for Incoming Mail

    Code:
    # apt-get install postfix-policyd-spf-python
    
    Add to /etc/postfix/main.cf:

    Code:
    policy-spf_time_limit = 3600s
    
    Add
    Code:
    check_policy_service unix:private/policy-spf
    to the end of smtpd_recipient_restrictions.

    Add to the end of /etc/postfix/master.cf:

    Code:
    policy-spf unix - n n - - spawn
    user=nobody argv=/usr/bin/policyd-spf
    
    Reload Postfix:

    Code:
    # service postfix reload
    
    Grey-listing with Postgrey

    NOTE: It seems as though ISPConfig 3.1 and later configure Postgrey automatically. This should be double-checked. -2016.08.16

    NOTE 2: In Ubuntu 16, and whichever version of Postfix comes with it, it looks like the directive has changed:

    Code:
    greylisting = check_policy_service inet:127.0.0.1:10023
    
    ISPConfig seems to install the Postgrey package(s) and add this line. (I don't recall doing it manually!)

    Code:
    # apt-get install postgrey
    
    The configuration options are in /etc/default/postgrey.

    For IPv4 interfaces, add check_policy_service inet:127.0.0.1:10023 to the end of smtpd_recipient_restrictions in /etc/postfix/main.cf.

    For IPv6 interfaces, add check_policy_service inet:[::1]:10023 to the end of smtpd_recipient_restrictions in /etc/postfix/main.cf.

    Optionally, create the the following two files, in which any custom whitelist rules can be stored (one hostname per line):

    Code:
    # touch /etc/postgrey/whitelist_clients.local
    # touch /etc/postgrey/whitelist_recipients.local
    
    Reload Postfix:

    Code:
    # service postfix reload
    
    DNS Black-Lists

    Building upon the previous examples, here we add MTA-level, real-time black-list checks. These checks should always be performed last, as they are the most "expensive" with respect to time and resource consumption.

    Code:
    smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_sender_login_mismatch,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:10023,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net
    
    Minimizing Resource Consumption with PostScreen

    Add to /etc/postfix/main.cf:

    Code:
    postscreen_greet_action = enforce
    
    Next, make /etc/postfix/master.cf reflect the following (these directives may already exist; just uncomment them if so). Be sure that the line smtp inet ... smtpd, including any parameter, is commented-out; any parameters that were present previously must be moved to the new smtpd service.

    Code:
    # Postfix master process configuration file. For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================
    #smtp inet n - - - - smtpd
    # -o ...
    smtpd pass - - n - - smtpd
    -o ... # Parameters moved from smtp service to the new smtpd service.(if any)
    smtp inet n - n - 1 postscreen
    tlsproxy unix - - n - 0 tlsproxy
    dnsblog unix - - n - 0 dnsblog
    
    Enabling Submission Port (587)

    Un-comment the following lines to enable the Submission port (587), which is required only for offering STARTTLS on a non-standard port (that is, a port other than 25):

    Code:
    submission inet n - - - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    
    Reload Postfix:

    Code:
    # service postfix reload
    
    Enabling SSL/TLS Port (465)

    Note: This port's use has been deprecated; it should be opened and enabled only if legacy support is required. The Submission Port (587) should be used instead. For more information, see: http://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587

    Uncomment the following lines to enable the SSL/TLS port (465), which is required for SSL/TLS (not to be confused with STARTTLS):

    Code:
    smtps inet n - - - - smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    
    Reload Postfix:

    Code:
    # service postfix reload
    
    References
    http://www.howtoforge.com/hardening-postfix-for-ispconfig-3
     

Share This Page