freebsd:postfix_dovecot_virtual

freebsd:postfix_dovecot_virtual [2018/12/08 11:51]
127.0.0.1 Externe Bearbeitung
freebsd:postfix_dovecot_virtual [2019/02/21 23:42] (aktuell)
Zeile 49: Zeile 49:
 </​code>​ </​code>​
  
-===== Install ​amavisd-new =====+===== Install ​dcc-dccd =====
 <code console> <code console>
-cd /usr/ports/security/amavisd-new +pkg install dcc-dccd 
-make install clean +echo "​DCCM_LOG_AT=NEVER"​ >> ​/usr/local/dcc/dcc_conf 
-sysrc amavisd_enable="​YES"​+echo "​DCCM_REJECT_AT=MANY"​ >> /​usr/​local/​dcc/​dcc_conf 
 +echo "​DCCIFD_ENABLE=on"​ >> /​usr/​local/​dcc/​dcc_conf 
 +echo "​0 ​      ​2 ​      ​* ​      ​* ​      ​* ​      ​root ​   /​usr/​bin/​find /​usr/​local/​dcc/​log/​ -not -newermt '1 days ago' -delete"​ >> /​etc/​crontab 
 +sysrc dccifd_enable="​YES"​ 
 +service dccifd start
 </​code>​ </​code>​
- +===== Install clamav and clamav-unofficial-sigs ​=====
-===== Install clamav and clamsmtp ​=====+
 <code console> <code console>
-pkg install clamsmtp +pkg install clamav ​clamav-unofficial-sigs
-pkg install clamav +
-sysrc clamsmtpd_enable="​YES"​ +
-sysrc clamav_clamd_enable="​YES"​+
 sysrc clamav_freshclam_enable="​YES"​ sysrc clamav_freshclam_enable="​YES"​
 +sysrc clamav_clamd_enable="​YES"​
 +echo '​user_configuration_complete="​yes"'​ >> /​usr/​local/​etc/​clamav-unofficial-sigs/​user.conf
 +/​usr/​local/​bin/​clamav-unofficial-sigs.sh
 +# Seems not to work
 +# clamav-unofficial-sigs.sh --install-cron
 +echo "​0 ​      ​1 ​      ​* ​      ​* ​      ​* ​      ​root ​   /​usr/​local/​bin/​clamav-unofficial-sigs.sh"​ >> /​etc/​crontab
 +service clamav-freshclam restart
 +service clamav-clamd restart
 +</​code>​
 +
 +===== Install rspamd =====
 +<code console>
 +pkg install -qy rspamd redis
 +sysrc rspamd_enable="​YES"​
 +sysrc redis_enable="​YES"​
 </​code>​ </​code>​
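Review bot: The `echo … >> /etc/crontab` lines in the dcc-dccd and clamav blocks, and the `echo … >> /usr/local/dcc/dcc_conf` lines, are not idempotent, so re-running the recipe appends duplicate crontab entries and duplicate DCC settings, and a duplicated cron line means the signature script runs twice a night. Guarding each append, e.g. `grep -qF 'clamav-unofficial-sigs.sh' /etc/crontab || echo "…" >> /etc/crontab`, or writing each job to its own file under a cron.d directory if this FreeBSD release's cron reads one, avoids that. The `# Seems not to work` comment next to `--install-cron` would be more useful if it said what failed when it was tried, so a later reader knows whether the manual crontab line is still needed.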
  
Zeile 71: Zeile 86:
 (select DOCS, NLS, POSTFIX) (select DOCS, NLS, POSTFIX)
 </​code>​ </​code>​
-===== Install ​Apache/PHP =====+ 
 +===== Install PHP =====
 <code console> <code console>
-cd /​usr/​ports/​databases/​db6/​ +Make sure following PHP modules are available: MCRYPT, MYSQL, MYSQLI, PDO_MYSQL, IMAP, GETTEXT, JSON 
-make install clean +pkg install -qy php72 php72-extensions php72-composer 
-cd /​usr/​ports/​www/​apache24/​ +sysrc php_fpm_enable="​YES"​ 
-make install clean +cp -f /​usr/​local/​etc/​php.ini-production /​usr/​local/​etc/​php.ini 
-sysrc apache24_enable="​YES"​ +sed -i ''​ -e '​s/;​date.timezone =/​date.timezone = "​Europe\\/​Berlin"/​g' ​/usr/local/etc/php.ini 
-sysrc apache24ssl_enable="​YES"​ +service php-fpm restart
-sysrc apache24_http_accept_enable="​YES"​ +
-cd /​usr/​ports/​lang/​php5-extensions +
-select: MCRYPT, MYSQL, MYSQLI, PDO_MYSQL, IMAP, GETTEXT, JSON +
-make install ​clean +
-cd /​usr/​ports/​databases/​pecl-memcached +
-make install clean +
-cp /​usr/​local/​etc/​php.ini-production /​usr/​local/​etc/​php.ini +
-cd /usr/ports/devel/php-composer +
-make install clean+
 </​code>​ </​code>​
  
-Make sure correct timezone is set in php.ini+===== Install NGINX ===== 
-<code yaml /​usr/​local/​etc/​php.ini+<code console>​ 
-date.timezone = "Europe/Berlin"+pkg install -qy nginx 
 +sysrc nginx_enable="​YES"​ 
 +cd /​usr/​local/​etc/​nginx 
 +git clone https://​gitlab.fechner.net/​mfechner/​nginx_config.git snipets 
 +mkdir -p /​usr/​local/​etc/​nginx/​sites 
 +mkdir -p /​usr/​local/​etc/​nginx/​conf.d 
 +mkdir -p /​usr/​home/​http/​webmail/​logs 
 +chown www /​usr/​home/​http/​webmail/​logs 
 +sed -i ''​ -e "​s/ ​   listen 127.0.0.1:​8082 proxy_protocol;/ ​   listen *:​8082;/​g"​ /​usr/​local/​etc/​nginx/​snipets/​listen.conf 
 +sed -i ''​ -e "​s/​.*fastcgi_param HTTPS on;/                        fastcgi_param HTTPS off;/​g"​ /​usr/​local/​etc/​nginx/​snipets/​vimbadmin.conf 
 +echo "​load_module /​usr/​local/​libexec/​nginx/​ngx_http_brotli_filter_module.so;"​ > /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo "​load_module /​usr/​local/​libexec/​nginx/​ngx_http_brotli_static_module.so;"​ >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo "​worker_processes ​ 4;" >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo "​events {" >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo " ​   worker_connections ​ 1024;" >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo "​}"​ >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo "http {" >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo " ​   include ​      ​mime.types;"​ >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo " ​   default_type ​ application/​octet-stream;"​ >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo " ​   sendfile ​       on;" >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo " ​   keepalive_timeout ​ 65;" >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo " ​   index index.php index.html;"​ >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo " ​   include conf.d/​*.conf;"​ >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo " ​   include sites/​*.conf;"​ >> /​usr/​local/​etc/​nginx/​nginx.conf 
 +echo "​}"​ >> /​usr/​local/​etc/​nginx/​nginx.conf 
 + 
 +echo "​upstream php-handler {" > /​usr/​local/​etc/​nginx/​conf.d/​php.conf 
 +echo " ​       server 127.0.0.1:9000;" >> /​usr/​local/​etc/​nginx/​conf.d/​php.conf 
 +echo "​}"​ >> ​/​usr/​local/​etc/​nginx/​conf.d/php.conf 
 + 
 +echo "​server {" ​/​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​       server_name _ ${HOSTNAME};"​ >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​       ​root ​/usr/​local/​www/​roundcube;​" ​>> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​       access_log /​usr/​home/​http/​webmail/​logs/​access.log;"​ >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​       error_log /​usr/​home/​http/​webmail/​logs/​error.log;"​ >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​       include snipets/​vimbadmin.conf;"​ >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​       include snipets/​rspamd.conf;"​ >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​       location ~ \.php(?:​$|/​) {" >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​               include fastcgi_params;"​ >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​               fastcgi_pass php-handler;"​ >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​       }" >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo " ​       include snipets/​virtualhost.conf;"​ >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +echo "​}"​ >> /​usr/​local/​etc/​nginx/​sites/​${HOSTNAME}.conf 
 +service nginx restart
 </​code>​ </​code>​
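Review bot: The first line of the nginx site file is lost: `echo "server {" /usr/local/etc/nginx/sites/${HOSTNAME}.conf` has no `>` redirect, so it prints to the terminal and the following `>>` lines append to whatever already exists at that path, leaving a file that starts at `server_name` and fails `nginx -t`; it should read `echo "server {" > /usr/local/etc/nginx/sites/${HOSTNAME}.conf`. The php.ini `sed` also looks broken as rendered here: inside single quotes `\\/` reaches sed as an escaped backslash followed by an unescaped `/`, which terminates the replacement early and yields an "unknown option to `s'" error, so `Europe\/Berlin` is the intended form. Separately, the `listen.conf` rewrite replaces a loopback `proxy_protocol` listener with `listen *:8082` and the `vimbadmin.conf` rewrite sets `fastcgi_param HTTPS off`, so the webmail and admin UI are served over plain HTTP on every interface; if a TLS-terminating proxy in front of this host is intended, a sentence saying so (and a firewall rule limiting port 8082 to that proxy) belongs in this section.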
  
Zeile 213: Zeile 263:
 ./​bin/​doctrine2-cli.php orm:​schema-tool:​create ./​bin/​doctrine2-cli.php orm:​schema-tool:​create
 </​code>​ </​code>​
- 
-Add the config section to the virtual host configuration file you want to add vimbadmin available: 
-<code yaml /​usr/​local/​etc/​apache24/​Includes/​webmail.hostname.conf>​ 
-... 
-Alias /vimbadmin "/​usr/​local/​www/​ViMbAdmin/​public/"​ 
-<​Directory "/​usr/​local/​www/​ViMbAdmin/​public/">​ 
-    Options FollowSymLinks 
-    AllowOverride None 
- 
-    Require all granted 
- 
-    SetEnv APPLICATION_ENV production 
-    RewriteEngine On 
-    RewriteCond %{REQUEST_FILENAME} -s [OR] 
-    RewriteCond %{REQUEST_FILENAME} -l [OR] 
-    RewriteCond %{REQUEST_FILENAME} -d 
-    RewriteRule ^.*$ - [NC,L] 
-    RewriteRule ^.*$ /​vimbadmin/​index.php [NC,L] 
- 
-</​Directory>​ 
-... 
-</​code>​ 
- 
  
 Now access the website: Now access the website:
Zeile 252: Zeile 279:
 chmod 770 /​usr/​local/​vmail chmod 770 /​usr/​local/​vmail
 </​code>​ </​code>​
 +
 +===== Configure rspamd =====
 +Create a random password and hash it for rspamd:
 +<code console>
 +pwgen 20 1
 +rspamadm pw -p ${RSPAMD_PW}
 +</​code>​
 +
 +Create config files:
 +<code console>
 +# maybe set in /​usr/​local/​etc/​redis.conf
 +# echo "​maxmemory 512mb" >> /​usr/​local/​etc/​redis.conf
 +# echo "​maxmemory-policy volatile-lru"​ >> /​usr/​local/​etc/​redis.conf
 +mkdir -p /​usr/​local/​etc/​rspamd/​local.d
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​antivirus.conf>​
 +clamav {
 +  symbol = "​CLAM_VIRUS";​
 +  type = "​clamav";​
 +  servers = "/​var/​run/​clamav/​clamd.sock";​
 +  patterns {
 +    JUST_EICAR = '​^Eicar-Test-Signature$';​
 +  }
 +  action = "​reject";​
 +  whitelist = "/​usr/​local/​etc/​rspamd/​antivirus.wl";​
 +}
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​worker-controller.inc>​
 +password = "​${PASSWORD_HASH}";​
 +
 +# dovecot will use this socket to communicate with rspamd
 +bind_socket = "/​var/​run/​rspamd/​rspamd.sock mode=0666";​
 +
 +# you can comment this out if you don't need the web interface
 +bind_socket = "​127.0.0.1:​11334";​
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​worker-normal.inc>​
 +# we're not running rspamd in a distributed setup, so this can be disabled
 +# the proxy worker will handle all the spam filtering
 +enabled = false;
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​worker-proxy.inc>​
 +# this worker will be used as postfix milter
 +milter = yes;
 +
 +# note to self - tighten up these permissions
 +bind_socket = "/​var/​run/​rspamd/​milter.sock mode=0666";​
 +
 +# the following specifies self-scan mode, for when rspamd is on the same
 +# machine as postfix
 +timeout = 120s;
 +upstream "​local"​ {
 +  default = yes;
 +  self_scan = yes;
 +}
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​redis.conf>​
 +# just specifying a server enables redis for all modules that can use it
 +servers = "​127.0.0.1";​
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​classifier-bayes.conf>​
 +autolearn = true;
 +backend = "​redis";​
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​dcc.conf>​
 +# path to dcc socket
 +host = "/​usr/​local/​dcc/​dccifd";​
 +timeout = 5.0;
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​dkim_signing.conf>​
 +# enable dkim signing - we will set this up in the DKIM section later
 +path = "/​var/​db/​rspamd/​dkim/​$domain.$selector.key";​
 +selector = "​dkim";​
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​mx_check.conf>​
 +# checks if sender'​s domain has at least one connectable MX record
 +enabled = true;
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​phishing.conf>​
 +# check messages against some anti-phishing databases
 +openphish_enabled = true;
 +phishtank_enabled = true;
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​replies.conf>​
 +# whitelist messages from threads that have been replied to
 +action = "no action";​
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​surbl.conf>​
 +# follow redirects when checking URLs in emails for spaminess
 +redirector_hosts_map = "/​usr/​local/​etc/​rspamd/​redirectors.inc";​
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​url_reputation.conf>​
 +# check URLs within messages for spaminess
 +enabled = true;
 +</​code>​
 +
 +<code yaml /​usr/​local/​etc/​rspamd/​local.d/​url_tags.conf>​
 +# cache some URL tags in redis
 +enabled = true;
 +</​code>​
 +
 +<code console>
 +sysrc rspamd_enable="​YES"​
 +sysrc redis_enable="​YES"​
 +service redis start
 +service rspamd start
 +</​code>​
 +
  
 ===== Configure Dovecot ===== ===== Configure Dovecot =====
 Create dh.pem: Create dh.pem:
 <code console> <code console>
-dd if=/var/db/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /​usr/​local/​etc/​dovecot/dh.pem+mkdir -p /usr/local/etc/ssl 
 +cd /​usr/​local/​etc/​ssl 
 +openssl genpkey -genparam -algorithm DH -out dh_512.pem -pkeyopt dh_paramgen_prime_len:​512 
 +openssl genpkey -genparam -algorithm DH -out dh_1024.pem -pkeyopt dh_paramgen_prime_len:​1024 
 +openssl genpkey -genparam -algorithm DH -out dh_2048.pem -pkeyopt dh_paramgen_prime_len:​2048 
 +openssl genpkey -genparam -algorithm DH -out dh_4096.pem -pkeyopt dh_paramgen_prime_len:​4096
 </​code>​ </​code>​
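Review bot: `rspamadm pw -p ${RSPAMD_PW}` puts the plaintext controller password on the command line, where it is visible in `ps` output to every local user and ends up in the shell history; `rspamadm pw` prompts for the passphrase when `-p` is omitted, so the step can simply be `rspamadm pw` with the resulting hash pasted into `worker-controller.inc`. Both `bind_socket` lines use `mode=0666`, which lets any local account talk to the controller socket (and to `milter.sock`); the `# note to self - tighten up these permissions` comment has the right instinct — `mode=0660` with `owner=`/`group=` set to the accounts that actually connect (vmail for the Dovecot pipe scripts, postfix for the milter) closes that. Generating `dh_512.pem` and `dh_1024.pem` is hard to justify: 512-bit DH is export-grade (Logjam-class), and only `dh_4096.pem` is referenced by the Dovecot config below, so dropping the two small files keeps them from being wired in later.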
  
Zeile 344: Zeile 497:
     group = vmail     group = vmail
   }   }
 + 
   # Postfix smtp-auth   # Postfix smtp-auth
   unix_listener /​var/​spool/​postfix/​private/​auth {   unix_listener /​var/​spool/​postfix/​private/​auth {
Zeile 351: Zeile 504:
     group = postfix     group = postfix
   }   }
 + 
   # Auth process is run as this user.   # Auth process is run as this user.
   #user = $default_internal_user   #user = $default_internal_user
   user=root   user=root
 } }
 + 
 service lmtp { service lmtp {
   unix_listener /​var/​spool/​postfix/​private/​dovecot-lmtp {   unix_listener /​var/​spool/​postfix/​private/​dovecot-lmtp {
Zeile 365: Zeile 518:
   user = vmail   user = vmail
 } }
 + 
 # ***** Configure location for mailbox # ***** Configure location for mailbox
 mail_location = maildir:/​usr/​local/​vmail/​%d/​%u mail_location = maildir:/​usr/​local/​vmail/​%d/​%u
 + 
 # ***** Authenticate against sql database ***** # ***** Authenticate against sql database *****
 auth_mechanisms = plain login auth_mechanisms = plain login
Zeile 382: Zeile 535:
   args = /​usr/​local/​etc/​dovecot/​dovecot-sql.conf.ext   args = /​usr/​local/​etc/​dovecot/​dovecot-sql.conf.ext
 } }
- +  
 + 
 # ***** use uid and gid for vmail # ***** use uid and gid for vmail
 mail_uid = 5000 mail_uid = 5000
Zeile 393: Zeile 546:
 first_valid_gid = 5000 first_valid_gid = 5000
 last_valid_gid = 5000 last_valid_gid = 5000
 + 
 maildir_copy_with_hardlinks = yes maildir_copy_with_hardlinks = yes
 + 
 # ***** Modules we use ***** # ***** Modules we use *****
 mail_plugins = $mail_plugins mail_plugins = $mail_plugins
- +  
 + 
 # **** SSL config ***** # **** SSL config *****
 ssl = yes ssl = yes
-ssl_cert = </​usr/​local/​etc/​letsencrypt/live/​webmail.fechner.net/​fullchain.pem +ssl_cert = </​usr/​local/​etc/​ssl/key.crt 
-ssl_key = </​usr/​local/​etc/​letsencrypt/​live/​webmail.fechner.net/privkey.pem+ssl_key = </​usr/​local/​etc/​ssl/key.key
 ssl_cipher_list = EDH+CAMELLIA:​EDH+aRSA:​EECDH+aRSA+AESGCM:​EECDH+aRSA+SHA384:​EECDH+aRSA+SHA256:​EECDH:​+CAMELLIA256:​+AES256:​+CAMELLIA128:​+AES128:​+SSLv3:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!EXP:​!PSK:​!DSS:​!RC4:​!SEED:​!ECDSA:​CAMELLIA256-SHA:​AES256-SHA:​CAMELLIA128-SHA:​AES128-SHA ssl_cipher_list = EDH+CAMELLIA:​EDH+aRSA:​EECDH+aRSA+AESGCM:​EECDH+aRSA+SHA384:​EECDH+aRSA+SHA256:​EECDH:​+CAMELLIA256:​+AES256:​+CAMELLIA128:​+AES128:​+SSLv3:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!EXP:​!PSK:​!DSS:​!RC4:​!SEED:​!ECDSA:​CAMELLIA256-SHA:​AES256-SHA:​CAMELLIA128-SHA:​AES128-SHA
 ssl_require_crl = no ssl_require_crl = no
 ssl_prefer_server_ciphers = yes ssl_prefer_server_ciphers = yes
-ssl_dh=</​usr/​local/​etc/​dovecot/dh.pem +ssl_dh=</​usr/​local/​etc/​ssl/dh_4096.pem 
- + 
- +
-# **** Configure IMAP ***** +
-protocol imap { +
-  # Space separated list of plugins to load (default is global mail_plugins). +
-  mail_plugins = $mail_plugins quota imap_quota +
-+
- +
 # ***** Configure POP3 ***** # ***** Configure POP3 *****
 protocol pop3 { protocol pop3 {
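Review bot: While the certificate block is being rewritten, nothing in this hunk pins a minimum TLS protocol version, and the adjacent `ssl_cipher_list` still admits `+SSLv3`-era and bare `AES128-SHA`-style suites; on Dovecot 2.3 adding `ssl_min_protocol = TLSv1.2` (`ssl_protocols = !SSLv2 !SSLv3` on 2.2) next to `ssl_prefer_server_ciphers = yes` would close that gap. `ssl_cert = </usr/local/etc/ssl/key.crt` and `ssl_key = </usr/local/etc/ssl/key.key` read like placeholder names, and the Postfix hunk later points at Let's Encrypt files instead — a comment saying which certificate these are (self-signed or the same ACME files) would keep the two services consistent. The `protocol imap` block removed here reappears further down with `imap_sieve` added, so nothing is lost by the move.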
Zeile 424: Zeile 569:
 pop3_client_workarounds = outlook-no-nuls oe-ns-eoh pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  
 +  
 +# **** Configure IMAP ***** 
 +protocol imap { 
 +  # Space separated list of plugins to load (default is global mail_plugins). 
 +  mail_plugins = $mail_plugins quota imap_quota imap_sieve 
 +}  
 + 
 # ***** LDA Config ***** # ***** LDA Config *****
 postmaster_address = postmaster@%d postmaster_address = postmaster@%d
-hostname = anny.lostinspace.de+hostname =
 quota_full_tempfail = yes quota_full_tempfail = yes
 recipient_delimiter = + recipient_delimiter = +
 lda_mailbox_autocreate = yes lda_mailbox_autocreate = yes
 lda_mailbox_autosubscribe = yes lda_mailbox_autosubscribe = yes
 + 
 protocol lda { protocol lda {
   mail_plugins = $mail_plugins sieve quota   mail_plugins = $mail_plugins sieve quota
 } }
- +  
 + 
 # ***** LMTP Config ***** # ***** LMTP Config *****
 protocol lmtp { protocol lmtp {
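Review bot: `hostname =` is left blank where the previous revision had a real host name; Dovecot may fall back to the system hostname for an empty value, but in a how-to a blank assignment reads as an oversight and a copy-paste reader will leave it that way. Either remove the line or write `hostname = <your-mail-hostname>` so the placeholder is explicit. The relocated `protocol imap` block now adds `imap_sieve` to `mail_plugins`, which the `imapsieve_*` settings further down depend on — a one-line comment tying the two together would help.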
Zeile 443: Zeile 594:
     mail_plugins = quota sieve     mail_plugins = quota sieve
 } }
 + 
 # ***** Plugin Configuration ***** # ***** Plugin Configuration *****
 plugin { plugin {
-# autocreate plugin +  ​# autocreate plugin 
-# This plugin allows administrator to specify mailboxes that must always +  # This plugin allows administrator to specify mailboxes that must always 
-# exist for all users. They can optionally also be subscribed. The +  # exist for all users. They can optionally also be subscribed. The 
-# mailboxes are created and subscribed always after user logs in. +  # mailboxes are created and subscribed always after user logs in. 
-# Namespaces are fully supported, so namespace prefixes need to be used +  # Namespaces are fully supported, so namespace prefixes need to be used 
-# where necessary.+  # where necessary.
   autocreate = Sent   autocreate = Sent
   autocreate2 = Drafts   autocreate2 = Drafts
Zeile 462: Zeile 613:
   autosubscribe4 = Trash   autosubscribe4 = Trash
   #​autosubscribe5 = ..etc   #​autosubscribe5 = ..etc
 + 
   sieve = ~/​sieve/​dovecot.sieve   sieve = ~/​sieve/​dovecot.sieve
   sieve_dir = ~/sieve   sieve_dir = ~/sieve
   sieve_extensions = +notify +imapflags +spamtest +spamtestplus +relational +comparator-i;​ascii-numeric   sieve_extensions = +notify +imapflags +spamtest +spamtestplus +relational +comparator-i;​ascii-numeric
   sieve_before = /​usr/​local/​etc/​dovecot/​sieve/​   sieve_before = /​usr/​local/​etc/​dovecot/​sieve/​
 + 
 +  # ***** Quota Configuration *****
 +  quota = maildir:​User quota
  
-# ***** Quota Configuration ***** +  sieve_plugins ​sieve_imapsieve sieve_extprograms
-  quota maildir:​User quota +
-}+
  
 +  # From elsewhere to Junk folder
 +  imapsieve_mailbox1_name = Junk
 +  imapsieve_mailbox1_causes = COPY FLAG
 +  imapsieve_mailbox1_before = file:/​usr/​local/​etc/​dovecot/​sieve/​report-spam.sieve
  
 +  # From Spam folder to elsewhere
 +  imapsieve_mailbox2_name = *
 +  imapsieve_mailbox2_from = Junk
 +  imapsieve_mailbox2_causes = COPY
 +  imapsieve_mailbox2_before = file:/​usr/​local/​etc/​dovecot/​sieve/​report-ham.sieve
 +
 +  sieve_pipe_bin_dir = /​usr/​local/​etc/​dovecot/​sieve
 +  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
 +}
 + 
 + 
 # ***** Configure Sieve ***** # ***** Configure Sieve *****
 protocols = $protocols sieve protocols = $protocols sieve
Zeile 482: Zeile 649:
 service managesieve { service managesieve {
 } }
 + 
 protocol sieve { protocol sieve {
 } }
 + 
 ## ##
 ## Mailbox definitions ## Mailbox definitions
 ## ##
 + 
 # NOTE: Assumes "​namespace inbox" has been defined in 10-mail.conf. # NOTE: Assumes "​namespace inbox" has been defined in 10-mail.conf.
 namespace inbox { namespace inbox {
 + 
   #mailbox name {   #mailbox name {
     # auto=create will automatically create this mailbox.     # auto=create will automatically create this mailbox.
     # auto=subscribe will both create and subscribe to the mailbox.     # auto=subscribe will both create and subscribe to the mailbox.
     #auto = no     #auto = no
 + 
     # Space separated list of IMAP SPECIAL-USE attributes as specified by     # Space separated list of IMAP SPECIAL-USE attributes as specified by
     # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash     # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
     #​special_use =     #​special_use =
   #}   #}
 + 
   # These mailboxes are widely used and could perhaps be created automatically:​   # These mailboxes are widely used and could perhaps be created automatically:​
   mailbox Drafts {   mailbox Drafts {
Zeile 513: Zeile 680:
     special_use = \Trash     special_use = \Trash
   }   }
 + 
   # For \Sent mailboxes there are two widely used names. We'll mark both of   # For \Sent mailboxes there are two widely used names. We'll mark both of
   # them as \Sent. User typically deletes one of them if duplicates are created.   # them as \Sent. User typically deletes one of them if duplicates are created.
Zeile 522: Zeile 689:
     special_use = \Sent     special_use = \Sent
   }   }
 + 
   # If you have a virtual "All messages"​ mailbox:   # If you have a virtual "All messages"​ mailbox:
   #mailbox virtual/All {   #mailbox virtual/All {
   #  special_use = \All   #  special_use = \All
   #}   #}
 + 
   # If you have a virtual "​Flagged"​ mailbox:   # If you have a virtual "​Flagged"​ mailbox:
   #mailbox virtual/​Flagged {   #mailbox virtual/​Flagged {
Zeile 533: Zeile 700:
   #}   #}
 } }
 + 
 # ***** Logging ***** # ***** Logging *****
-auth_verbose = yes +auth_verbose = no 
-auth_debug_passwords = yes +auth_debug_passwords = no 
-mail_debug = yes+mail_debug = no
 </​code>​ </​code>​
 To use the sieve plugin in Thunderbird use this here: https://​github.com/​thsmi/​sieve/​blob/​master/​nightly/​README.md To use the sieve plugin in Thunderbird use this here: https://​github.com/​thsmi/​sieve/​blob/​master/​nightly/​README.md
Zeile 550: Zeile 717:
 Now create a new file with content: Now create a new file with content:
 <code sieve /​usr/​local/​dovecot/​etc/​dovecot/​sieve/​move-spam.sieve>​ <code sieve /​usr/​local/​dovecot/​etc/​dovecot/​sieve/​move-spam.sieve>​
-require ["​fileinto"​];​ +require ["​fileinto","​mailbox"]; 
-if anyof (header :contains "​X-Spam-Flag"​ "​YES"​)+if anyof (header :​contains ​["​X-Spam-Flag"​"​YES"​
 +          header :contains ["​X-Spam"​] "​YES",​ 
 +          header :contains ["​Subject"​] "*** SPAM ***" 
 +         )
 { {
- ​fileinto "​Junk";​+ ​fileinto ​:​create ​"​Junk";​
 } }
 /* Other messages get filed into INBOX */ /* Other messages get filed into INBOX */
 </​code>​ </​code>​
 +
 +<code sieve /​usr/​local/​dovecot/​etc/​dovecot/​sieve/​report-ham.sieve>​
 +require ["​vnd.dovecot.pipe",​ "​copy",​ "​imapsieve",​ "​environment",​ "​variables"​];​
 +
 +if environment :matches "​imap.mailbox"​ "​*"​ {
 +  set "​mailbox"​ "​${1}";​
 +}
 +
 +if string "​${mailbox}"​ "​Trash"​ {
 +  stop;
 +}
 +
 +if environment :matches "​imap.email"​ "​*"​ {
 +  set "​email"​ "​${1}";​
 +}
 +
 +pipe :copy "​train-ham.sh"​ [ "​${email}"​ ];
 +</​code>​
 +
 +<code sieve /​usr/​local/​dovecot/​etc/​dovecot/​sieve/​report-spam.sieve>​
 +require ["​vnd.dovecot.pipe",​ "​copy",​ "​imapsieve",​ "​environment",​ "​variables"​];​
 +
 +if environment :matches "​imap.email"​ "​*"​ {
 +  set "​email"​ "​${1}";​
 +}
 +
 +pipe :copy "​train-spam.sh"​ [ "​${email}"​ ];
 +</​code>​
 +
 Compile all rules: Compile all rules:
 <code console> <code console>
 cd /​usr/​local/​etc/​dovecot/​sieve cd /​usr/​local/​etc/​dovecot/​sieve
 sievec . sievec .
 +</​code>​
 +
 +<code sh /​usr/​local/​etc/​dovecot/​sieve/​train-ham.sh>​
 +#!/bin/sh
 +exec /​usr/​local/​bin/​rspamc -h /​var/​run/​rspamd/​rspamd.sock learn_ham
 +</​code>​
 +
 +<code sh /​usr/​local/​etc/​dovecot/​sieve/​train-spam.sh>​
 +#!/bin/sh
 +exec /​usr/​local/​bin/​rspamc -h /​var/​run/​rspamd/​rspamd.sock learn_spam
 +</​code>​
 +
 +<code console>
 chown vmail . chown vmail .
 chown vmail * chown vmail *
 chgrp vmail . chgrp vmail .
 chgrp vmail * chgrp vmail *
 +chmod +x *.sh
 +service dovecot restart
 </​code>​ </​code>​
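Review bot: `chown vmail *` followed by `chmod +x *.sh` makes `train-ham.sh` and `train-spam.sh` — which Dovecot executes through `sieve_pipe_bin_dir` — owned, and therefore writable, by the very account they run as, so any compromise of vmail (a bug in an IMAP or LMTP process) lets that account rewrite what runs on every mailbox action; keep the scripts root-owned and world-readable, e.g. `chown root:vmail *.sh; chmod 0755 *.sh`, and give vmail only the sieve sources it must compile. `move-spam.sieve` now also matches `X-Spam` and a `Subject` containing `*** SPAM ***`, which are headers an external sender can set themselves; that is only safe if the milter strips or overwrites incoming `X-Spam*` headers (rspamd's `milter_headers` module has a `remove_upstream_spam_flag` option — confirm it is enabled), and a one-line comment in the sieve script stating that assumption would stop someone reusing it without the milter.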
  
Zeile 665: Zeile 879:
  
 ===== Configure Postfix ===== ===== Configure Postfix =====
-Create SSL related files: 
-<code console> 
-cd /​etc/​mail/​certs 
-cd /​usr/​local/​etc/​apache24/​ssl_keys 
-openssl gendh -out dh_512.pem -2 512 
-openssl gendh -out dh_1024.pem -2 1024 
-openssl gendh -out dh_2048.pem -2 2048 
-openssl gendh -out dh_4096.pem -2 4096 
-</​code>​ 
 Add the following lines to main.cf Add the following lines to main.cf
 <code yaml /​usr/​local/​etc/​postfix/​main.cf>​ <code yaml /​usr/​local/​etc/​postfix/​main.cf>​
Zeile 679: Zeile 884:
 tls_append_default_CA = yes tls_append_default_CA = yes
 smtpd_tls_received_header = yes smtpd_tls_received_header = yes
-smtpd_tls_key_file = /usr/local/etc/apache24/ssl_keys/req.pem +#smtpd_tls_key_file = /etc/mail/certs/req.pem 
-smtpd_tls_cert_file = /usr/local/etc/apache24/ssl_keys/​newcert.pem +#smtpd_tls_cert_file = /etc/mail/certs/​newcert.pem 
-#​smtp_tls_CAfile= /etc/mail/certs/newcert.pem +smtpd_tls_key_file ​/usr/local/etc/letsencrypt/live/${DOMAIN}/​privkey.pem 
-#​smtp_tls_CApath ​= /etc/mail/certs/+smtpd_tls_cert_file ​/usr/local/etc/letsencrypt/live/${DOMAIN}/​fullchain.pem
 smtpd_tls_loglevel = 1 smtpd_tls_loglevel = 1
 + 
 # enable smtp auth as Server # enable smtp auth as Server
 smtpd_sasl_auth_enable = yes smtpd_sasl_auth_enable = yes
Zeile 705: Zeile 910:
         check_policy_service unix:​private/​spf-policy,​         check_policy_service unix:​private/​spf-policy,​
         reject_rbl_client zen.spamhaus.org         reject_rbl_client zen.spamhaus.org
 + 
 smtpd_helo_restrictions = smtpd_helo_restrictions =
         permit_mynetworks,​         permit_mynetworks,​
Zeile 712: Zeile 917:
         reject_invalid_hostname         reject_invalid_hostname
  
 +#​mua_client_restrictions =
 +mua_helo_restrictions = permit_sasl_authenticated,​reject
 +#​mua_sender_restrictions =
 + 
 smtpd_sasl_type = dovecot smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/​auth smtpd_sasl_path = private/​auth
 broken_sasl_auth_clients = yes broken_sasl_auth_clients = yes
 + 
 smtpd_helo_required = yes smtpd_helo_required = yes
 strict_rfc821_envelopes = yes strict_rfc821_envelopes = yes
 disable_vrfy_command = yes disable_vrfy_command = yes
 smtpd_delay_reject = yes smtpd_delay_reject = yes
 + 
 smtpd_sender_restrictions = smtpd_sender_restrictions =
         permit_mynetworks,​         permit_mynetworks,​
         reject_unknown_sender_domain         reject_unknown_sender_domain
 #       ​check_sender_access hash:/​etc/​postfix/​sender_access,​ #       ​check_sender_access hash:/​etc/​postfix/​sender_access,​
 + 
 smtpd_data_restrictions = smtpd_data_restrictions =
         reject_unauth_pipelining         reject_unauth_pipelining
 + 
 smtpd_client_restrictions = smtpd_client_restrictions =
         permit_sasl_authenticated,​         permit_sasl_authenticated,​
         reject_rbl_client zen.spamhaus.org         reject_rbl_client zen.spamhaus.org
 #       ​check_client_access hash:/​etc/​postfix/​client_access,​ #       ​check_client_access hash:/​etc/​postfix/​client_access,​
 + 
 # enable ipv6 and ipv4 # enable ipv6 and ipv4
-inet_protocols = all +inet_protocols = all 
 + 
 # limit message size to 100MB # limit message size to 100MB
 message_size_limit = 104857600 message_size_limit = 104857600
 mailbox_size_limit = 512000000 mailbox_size_limit = 512000000
 +virtual_mailbox_limit = 512000000 
 + 
 # increase timeouts to prevent queue write file errors # increase timeouts to prevent queue write file errors
 #​smtpd_timeout=600s #​smtpd_timeout=600s
 smtpd_proxy_timeout=600s smtpd_proxy_timeout=600s
- +  
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated ​     defer_unauth_destination +#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated ​     defer_unauth_destination 
 + 
 # Virtual Domain Configuration # Virtual Domain Configuration
-virtual_alias_maps = mysql:/​usr/​local/​etc/​postfix/​mysql/​virtual_alias_maps.cf, +virtual_alias_maps = mysql:/​usr/​local/​etc/​postfix/​mysql/​virtual_alias_maps.cf 
-                     ​hash:/​usr/​local/​mailman/​data/​virtual-mailman+#, hash:/​usr/​local/​mailman/​data/​virtual-mailman
 virtual_gid_maps = static:5000 virtual_gid_maps = static:5000
 virtual_mailbox_base = /​usr/​local/​vmail virtual_mailbox_base = /​usr/​local/​vmail
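Review bot: `${DOMAIN}` in the two `smtpd_tls_*_file` lines is not a shell variable — main.cf never sees the environment; Postfix expands `${DOMAIN}` as one of its own parameters, and unless `DOMAIN = …` is defined in main.cf it expands to empty, giving `/usr/local/etc/letsencrypt/live//privkey.pem` and a TLS start-up failure (`postconf -x smtpd_tls_key_file` shows the expanded value). Either add `DOMAIN = <mail-hostname>` as a real main.cf parameter above these lines or spell the path out, and say which hostname the Let's Encrypt certificate is issued for. Commenting out `smtpd_relay_restrictions` falls back to the built-in default (`permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination` on Postfix ≥ 2.10), which matches the old value, so the relay policy is unchanged — a one-line comment saying this is deliberate would save the next reader from checking.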
Zeile 758: Zeile 968:
 #​dovecot_destination_recipient_limit = 1 #​dovecot_destination_recipient_limit = 1
 virtual_transport = lmtp:​unix:​private/​dovecot-lmtp virtual_transport = lmtp:​unix:​private/​dovecot-lmtp
 + 
 home_mailbox = Maildir/ home_mailbox = Maildir/
 smtpd_sasl_authenticated_header = yes smtpd_sasl_authenticated_header = yes
 smtpd_sasl_security_options = noanonymous smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $myhostname smtpd_sasl_local_domain = $myhostname
 + 
 # Mailman # Mailman
 alias_maps = hash:/​etc/​mail/​aliases,​ alias_maps = hash:/​etc/​mail/​aliases,​
-             ​hash:/​etc/​mail/​aliases.own, +             ​hash:/​etc/​mail/​aliases.own 
-             ​hash:/​usr/​local/​mailman/​data/​aliases +#, hash:/​usr/​local/​mailman/​data/​aliases 
 + 
 # SPF # SPF
 spf-policy_time_limit = 3600 spf-policy_time_limit = 3600
 + 
 # optimize SSL configuration # optimize SSL configuration
 smtpd_tls_security_level = may smtpd_tls_security_level = may
 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
 smtpd_tls_protocols = !SSLv2 !SSLv3 smtpd_tls_protocols = !SSLv2 !SSLv3
-smtpd_tls_dh1024_param_file = /​usr/​local/​etc/​apache24/​ssl_keys/​dh_2048.pem +smtpd_tls_dh1024_param_file = /​usr/​local/​etc/​ssl/​dh_2048.pem 
-smtpd_tls_dh512_param_file = /​usr/​local/​etc/​apache24/​ssl_keys/dh_512.pem+smtpd_tls_dh512_param_file = /​usr/​local/​etc/​ssl/dh_512.pem
 smtpd_tls_eecdh_grade = strong smtpd_tls_eecdh_grade = strong
 tls_preempt_cipherlist = yes tls_preempt_cipherlist = yes
 smtpd_tls_loglevel = 1 smtpd_tls_loglevel = 1
 + 
 smtp_dns_support_level = dnssec smtp_dns_support_level = dnssec
 smtp_tls_security_level=dane smtp_tls_security_level=dane
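Review bot: `smtpd_tls_dh512_param_file = /usr/local/etc/ssl/dh_512.pem` keeps 512-bit export-grade DH parameters configured; as far as I recall they are only used for export cipher suites, which OpenSSL ≥ 1.1.0 no longer offers, so the line is dead at best and a Logjam-class liability on an older build — drop it together with the `dh_512.pem` file. The `smtpd_tls_dh1024_param_file` name is historical and pointing it at `dh_2048.pem` as done here is correct; a comment such as `# parameter name is historical; Postfix uses this file for all non-export DHE` would stop someone "fixing" it back to 1024 bits. The `alias_maps` continuation now ends at `aliases.own` with the mailman map turned into a `#` line at column 0, which Postfix treats as a comment starting a new logical line, so the value itself is intact.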
Zeile 789: Zeile 999:
 smtp_tls_loglevel = 1 smtp_tls_loglevel = 1
  
 +# Sender Rewriting
 +sender_canonical_maps = tcp:​127.0.0.1:​10001
 +sender_canonical_classes = envelope_sender
 +recipient_canonical_maps = tcp:​127.0.0.1:​10002
 +recipient_canonical_classes= envelope_recipient
 +
 +## Postscreen setup
 +postscreen_access_list = permit_mynetworks,​cidr:/​usr/​local/​etc/​postfix/​postscreen_access.cidr
 +postscreen_blacklist_action = drop
 +
 +# DNS Blackhole Lists
 +postscreen_dnsbl_threshold = 8
 +postscreen_dnsbl_sites =
 +        b.barracudacentral.org=127.0.0.2*7
 +        dnsbl.inps.de=127.0.0.2*7
 +        bl.mailspike.net=127.0.0.2*5
 +        bl.mailspike.net=127.0.0.[10;​11;​12]*4
 +        dnsbl.sorbs.net=127.0.0.10*8
 +        dnsbl.sorbs.net=127.0.0.5*6
 +        dnsbl.sorbs.net=127.0.0.7*3
 +        dnsbl.sorbs.net=127.0.0.8*2
 +        dnsbl.sorbs.net=127.0.0.6*2
 +        dnsbl.sorbs.net=127.0.0.9*2
 +        zen.spamhaus.org=127.0.0.[10..11]*8
 +        zen.spamhaus.org=127.0.0.[4..7]*6
 +        zen.spamhaus.org=127.0.0.3*4
 +        zen.spamhaus.org=127.0.0.2*3
 +        bl.spamcop.net*2
 +        hostkarma.junkemailfilter.com=127.0.0.2*3
 +        hostkarma.junkemailfilter.com=127.0.0.4*1
 +        hostkarma.junkemailfilter.com=127.0.1.2*1
 +        dnsbl-1.uceprotect.net*2
 +        dnsbl-2.uceprotect.net*2
 +        dnsbl-3.uceprotect.net*3
 +        wl.mailspike.net=127.0.0.[18;​19;​20]*-2
 +        list.dnswl.org=127.0.[0..255].0*-3
 +        list.dnswl.org=127.0.[0..255].1*-4
 +        list.dnswl.org=127.0.[0..255].[2..255]*-6
 +        hostkarma.junkemailfilter.com=127.0.0.1*-2
 +postscreen_dnsbl_action = enforce
 +
 +# Pregreeting
 +postscreen_greet_action = enforce
 +
 +# Additional Postscreen Tests
 +postscreen_pipelining_enable = no
 +postscreen_non_smtp_command_enable = no
 +postscreen_non_smtp_command_action = drop
 +postscreen_bare_newline_enable = no
 +
 +# OpenDKIM (port 8891), OpenDMARC (port 8893)
 +#​milter_default_action = accept
 +#​smtpd_milters = inet:​localhost:​8891
 +#​non_smtpd_milters = inet:​localhost:​8891
 +
 +compatibility_level = 2
 +
 +# Milter configuration used for rspamd
 +# milter_default_action = accept
 +smtpd_milters = unix:/​var/​run/​rspamd/​milter.sock
 +milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 </​code>​ </​code>​
  
 Edit master.cf to have this: Edit master.cf to have this:
 <code yaml /​usr/​local/​etc/​postfix/​master.cf>​ <code yaml /​usr/​local/​etc/​postfix/​master.cf>​
-smtp      inet  n       ​- ​      ​n ​      ​- ​      ​- ​      smtpd+
 +# Postfix master process configuration file.  For details on the format 
 +# of the file, see the master(5) manual page (command: "man 5 master"​ or 
 +# on-line: http://​www.postfix.org/​master.5.html). 
 +
 +# Do not forget to execute "​postfix reload"​ after editing this file. 
 +
 +# ========================================================================== 
 +# service type  private unpriv ​ chroot ​ wakeup ​ maxproc command + args 
 +#               ​(yes) ​  ​(yes) ​  ​(yes) ​  ​(never) (100) 
 +# ========================================================================== 
 +#smtp      inet  n       ​- ​      ​n ​      ​- ​      ​- ​      smtpd 
 +smtp      inet  n       ​- ​      ​n ​      ​- ​      ​1 ​      ​postscreen
 smtpd     ​pass ​ -       ​- ​      ​n ​      ​- ​      ​- ​      smtpd smtpd     ​pass ​ -       ​- ​      ​n ​      ​- ​      ​- ​      smtpd
-        ​-o content_filter=smtp-amavis:​[127.0.0.1]:10024+dnsblog ​  ​unix  ​      ​      n       ​- ​            dnsblog 
 +tlsproxy ​ unix  -       ​- ​      ​n ​      ​- ​            tlsproxy
 submission inet n       ​- ​      ​n ​      ​- ​      ​- ​      smtpd submission inet n       ​- ​      ​n ​      ​- ​      ​- ​      smtpd
   -o syslog_name=postfix/​submission   -o syslog_name=postfix/​submission
Zeile 802: Zeile 1086:
   -o smtpd_reject_unlisted_recipient=no   -o smtpd_reject_unlisted_recipient=no
 #  -o smtpd_client_restrictions=$mua_client_restrictions #  -o smtpd_client_restrictions=$mua_client_restrictions
-#  ​-o smtpd_helo_restrictions=$mua_helo_restrictions+  ​-o smtpd_helo_restrictions=$mua_helo_restrictions
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions #  -o smtpd_sender_restrictions=$mua_sender_restrictions
   -o smtpd_recipient_restrictions=   -o smtpd_recipient_restrictions=
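Review bot: The override uncommented in the submission service, `-o smtpd_helo_restrictions=$mua_helo_restrictions`, refers to a main.cf parameter that the stock Postfix master.cf deliberately leaves for the administrator to define, and no main.cf excerpt on this page defines `mua_helo_restrictions`. If it stays undefined the override most likely expands to an empty restriction list, so the line is a silent no-op rather than the tightening it appears to be. Either define the parameter in main.cf or add a comment above the override stating where it is defined, e.g. `# mua_helo_restrictions is defined in main.cf`. The same uncommented override appears in the smtps service in the next hunk; the submission service definition itself starts outside this hunk.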
Zeile 813: Zeile 1097:
   -o smtpd_reject_unlisted_recipient=no   -o smtpd_reject_unlisted_recipient=no
 #  -o smtpd_client_restrictions=$mua_client_restrictions #  -o smtpd_client_restrictions=$mua_client_restrictions
-#  ​-o smtpd_helo_restrictions=$mua_helo_restrictions+  ​-o smtpd_helo_restrictions=$mua_helo_restrictions
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions #  -o smtpd_sender_restrictions=$mua_sender_restrictions
   -o smtpd_recipient_restrictions=   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,​reject   -o smtpd_relay_restrictions=permit_sasl_authenticated,​reject
   -o milter_macro_daemon_name=ORIGINATING   -o milter_macro_daemon_name=ORIGINATING
-options for amavis +#628       ​inet ​ n       ​- ​      ​n ​      ​- ​      ​- ​      qmqpd 
-smtp-amavis ​            unix    -               ​              ​              ​              2               lmtp +pickup ​   unix  n             n       ​60 ​     1       ​pickup 
-    -o lmtp_data_done_timeout=1200 +cleanup ​  unix  ​n ​      ​- ​      ​n ​      ​- ​      ​0 ​      ​cleanup 
-    -o lmtp_send_xforward_command=yes +qmgr      unix  n       ​- ​      ​n ​      ​300 ​    ​1 ​      ​qmgr 
-    -o disable_dns_lookups=yes +#qmgr     ​unix ​ n       ​- ​      ​n ​      ​300 ​    ​1 ​      ​oqmgr 
- +tlsmgr ​   unix  ​      ​      ​      1000?   ​1 ​      ​tlsmgr 
- -o content_filter=lmtp:unix:/var/run/dspam.sock +rewrite ​  ​unix  ​      -       ​n ​      ​- ​      ​- ​      ​trivial-rewrite 
-reinject mail from amavisd +bounce ​   unix  ​      -       ​n ​      ​- ​      ​0 ​      ​bounce 
-[localhost]:10025 inet  ​-       ​n ​      ​- ​      ​- ​       smtpd +defer     ​unix ​ -       ​- ​      ​n ​      ​- ​      ​0 ​      ​bounce 
-  -o content_filter=clamav:[127.0.0.1]:​10028 +trace     ​unix ​ -       ​- ​      ​n ​      ​- ​      ​0 ​      ​bounce 
-  -o receive_override_options=no_unknown_recipient_checks,​no_header_body_checks +verify ​   unix  -       ​- ​      ​n ​      ​- ​      ​1 ​      ​verify 
-  -o smtpd_helo_restrictions+flush     ​unix ​ n       ​- ​      ​n ​      ​1000? ​  ​0 ​      ​flush 
-  -o smtpd_client_restrictions= +proxymap ​ unix  -       ​- ​      ​n ​      ​- ​      ​- ​      ​proxymap 
-  -o smtpd_sender_restrictions+proxywrite unix -       ​- ​      ​n ​      ​- ​      ​1 ​      ​proxymap 
-  -o smtpd_recipient_restrictions=permit_mynetworks,​reject +smtp      unix  -       ​- ​      ​n ​      ​- ​      ​- ​      ​smtp 
-  -o mynetworks=localhost +relay     ​unix ​ -       ​- ​      ​n ​      ​- ​      ​- ​      ​smtp 
-  -o smtpd_authorized_xforward_hosts=localhost+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 
 +showq     ​unix ​ n       ​- ​      ​n ​      ​- ​      ​- ​      ​showq 
 +error     ​unix ​ -       ​- ​      ​n ​      ​- ​      ​- ​      ​error 
 +retry     ​unix ​ -       ​- ​      ​n ​      ​- ​      ​- ​      ​error 
 +discard ​  ​unix ​ -       ​- ​      ​n ​      ​- ​      ​- ​      ​discard 
 +local     ​unix ​ -       ​n ​      ​n ​      ​- ​      ​- ​      ​local 
 +virtual ​  ​unix ​ -       ​n ​      ​n ​      ​- ​      ​- ​      ​virtual 
 +lmtp      unix  -       ​- ​      ​n ​      ​- ​      ​- ​      ​lmtp 
 +anvil     ​unix ​ -       ​- ​      ​n ​      ​- ​      ​1 ​      ​anvil 
 +scache ​   unix  ​      -       ​n ​      ​- ​      ​1 ​      ​scache 
 +
 +# ===================================================================
 +# Interfaces to non-Postfix software. Be sure to examine the manual 
 +pages of the non-Postfix software to find out what options it wants. 
 +
 +# Many of the following services use the Postfix pipe(8) delivery 
 +# agent. ​ See the pipe(8) man page for information about ${recipient} 
 +# and other message envelope options. 
 +==================================================================== 
 +
 +# maildrop. See the Postfix MAILDROP_README file for details. 
 +# Also specify in main.cfmaildrop_destination_recipient_limit=1 
 +
 +#​maildrop  ​unix  ​- ​      ​n ​      ​n ​      ​- ​      ​- ​      ​pipe 
 +#  flags=DRhu user=vmail argv=/usr/local/bin/​maildrop -d ${recipient} 
 +
 +# ==================================================================== 
 +
 +# Recent Cyrus versions can use the existing "​lmtp"​ master.cf entry
 +
 +# Specify in cyrus.conf:​ 
 +#   ​lmtp ​   cmd="​lmtpd -a" listen="​localhost:lmtp" proto=tcp4 
 +
 +# Specify in main.cf one or more of the following:​ 
 +#  mailbox_transport = lmtp:inet:​localhost 
 +#  virtual_transport = lmtp:​inet:​localhost 
 +
 +# ==================================================================== 
 +
 +# Cyrus 2.1.5 (Amos Gouaux) 
 +# Also specify in main.cf: cyrus_destination_recipient_limit=1 
 +
 +#​cyrus ​    ​unix ​ ​- ​      n       n       ​- ​      ​- ​      pipe 
 + user=cyrus argv=/​cyrus/​bin/​deliver ​-e -r ${sender} -m ${extension} ${user} 
 +
 +==================================================================== 
 +
 +# Old example of delivery via Cyrus
 +
 +#old-cyrus unix  ​- ​      n       ​n ​      ​- ​      ​- ​      pipe 
 + flags=R user=cyrus argv=/​cyrus/​bin/​deliver ​-e -m ${extension} ${user} 
 +
 +# ===================================================================
 +
 +# See the Postfix UUCP_README file for configuration details. 
 +
 +#uucp      unix  ​- ​      n       ​n ​      ​- ​      ​- ​      pipe 
 + flags=Fqhu user=uucp argv=uux ​-r -n -z -a$sender - $nexthop!rmail ($recipient) 
 +
 +# ===================================================================
 +
 +# Other external delivery methods. 
 +
 +#​ifmail ​   unix  ​- ​      n       ​n ​      ​- ​      ​- ​      ​pipe 
 +#  flags=F user=ftn argv=/​usr/​lib/​ifmail/​ifmail -r $nexthop ($recipient) 
 +
 +#​bsmtp ​    ​unix ​ ​- ​      n       ​n ​      ​- ​      ​- ​      ​pipe 
 +#  flags=Fq. user=bsmtp argv=/​usr/​local/​sbin/​bsmtp -f $sender $nexthop $recipient 
 +
 +#​scalemail-backend unix -       ​n ​      ​n ​      ​- ​      ​2 ​      ​pipe 
 + flags=R user=scalemail argv=/​usr/​lib/​scalemail/​bin/​scalemail-store 
 +#  ${nexthop} ${user} ${extension} 
 +
 +#​mailman ​  ​unix ​ -       ​n ​      ​n ​      ​- ​      ​- ​      ​pipe 
 +#  flags=FR user=list argv=/​usr/​lib/​mailman/​bin/​postfix-to-mailman.py 
 +#  ${nexthop} ${user}
  
 # SPF check # SPF check
 spf-policy ​     unix    -       ​n ​      ​n ​      ​- ​      ​0 ​      spawn spf-policy ​     unix    -       ​n ​      ​n ​      ​- ​      ​0 ​      spawn
-  user=nobody ​argv=/​usr/​local/​libexec/​postfix-policyd-spf-perl +  user=spfcheck ​argv=/​usr/​local/​libexec/​postfix-policyd-spf-perl
- +
-# AV scan filter (used by content_filter) +
-clamav ​    ​unix ​ -       ​- ​      ​n ​      ​- ​      ​16 ​     smtp +
-    -o smtp_send_xforward_command=yes +
-    -o smtp_enforce_tls=no +
-    -o smtp_tls_security_level=none +
-# For injecting mail back into postfix from the clamav filter +
-127.0.0.1:​10029 inet  n -       ​n ​      ​- ​      ​16 ​     smtpd +
-    -o content_filter= +
-    -o receive_override_options=no_unknown_recipient_checks,​no_header_body_checks +
-    -o smtpd_helo_restrictions= +
-    -o smtpd_client_restrictions= +
-    -o smtpd_sender_restrictions= +
-    -o smtpd_recipient_restrictions=permit_mynetworks,​reject +
-    -o mynetworks_style=host +
-    -o smtpd_authorized_xforward_hosts=localhost +
-    -o smtp_enforce_tls=no +
-    -o smtp_tls_security_level=none+
 </​code>​ </​code>​
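Review bot: The SPF policy service now spawns as `user=spfcheck` instead of `nobody`, but nothing in this hunk creates that account, and spawn(8) cannot switch to a user that does not exist, so every SPF lookup would presumably fail and mail relying on the policy check would be deferred. Moving off the shared `nobody` account is the right direction; it just needs the account step to be visible. If the account is created elsewhere on the page, add a comment above the line pointing there, e.g. `# spfcheck is an unprivileged account created in the Postfix install section`; otherwise add the creation step, e.g. `pw useradd spfcheck -d /nonexistent -s /usr/sbin/nologin`, to the console block that installs the policy daemon.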
  
Zeile 901: Zeile 1242:
 If you would like to block domain add the following lines: If you would like to block domain add the following lines:
 <code yaml /​usr/​local/​etc/​postfix/​client_checks>​ <code yaml /​usr/​local/​etc/​postfix/​client_checks>​
-IP/​HOSTNAME ​   REJECT User unkown+IP/​HOSTNAME ​   REJECT User unkown
 </​code>​ </​code>​
 To block senders: To block senders:
 <code yaml /​usr/​local/​etc/​postfix/​sender_checks>​ <code yaml /​usr/​local/​etc/​postfix/​sender_checks>​
-email    REJECT User unkown+email    REJECT User unkown
 </​code>​ </​code>​
 Create the map with: Create the map with:
 <code console> <code console>
 cd /​usr/​local/​etc/​postfix cd /​usr/​local/​etc/​postfix
-postmap client_checks +postconf -e inet_protocols=all
-postmap sender_checks+
 </​code>​ </​code>​
  
-Make sure you build you alias databases+Make sure you build you required database files
 <code console> <code console>
 cd /etc/mail cd /etc/mail
 +touch aliases.own
 postalias aliases postalias aliases
 postalias aliases.own postalias aliases.own
-...+ cd /​usr/​local/​etc/​postfix 
 +touch client_checks 
 +touch sender_checks 
 +postmap client_checks 
 +postmap sender_checks
 </​code>​ </​code>​
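Review bot: The caption `Create the map with:` no longer matches the command beneath it: the block now runs `postconf -e inet_protocols=all`, which edits main.cf, while the postmap calls have moved to the database block further down. Re-caption it as `Enable IPv4 and IPv6 in main.cf with:` or similar so the reader does not look for a map that is not built there. In the same hunk the reject messages in client_checks and sender_checks read `REJECT User unkown` in both revisions, and the heading sentence says `build you required database files`; `unknown` and `your` are intended.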
  
Zeile 925: Zeile 1270:
 SRS is sender Rewriting Scheme daemon which is required if you forward mails and to not break SPF. SRS is sender Rewriting Scheme daemon which is required if you forward mails and to not break SPF.
 <code console> <code console>
-cd /​usr/​ports/​mail/​postsrsd +pkg install ​postsrsd
-make install ​clean+
 sysrc postsrsd_enable="​YES"​ sysrc postsrsd_enable="​YES"​
 sysrc postsrsd_flags="​ -4" sysrc postsrsd_flags="​ -4"
Zeile 954: Zeile 1298:
   * http://​www.postfix.org/​POSTSCREEN_README.html   * http://​www.postfix.org/​POSTSCREEN_README.html
 Postscreen is used to block spammers as early as possible using some checks including rbl lists. Postscreen is used to block spammers as early as possible using some checks including rbl lists.
- 
-Add the following lines in main.cf: 
-<code yaml /​usr/​local/​etc/​postfix/​main.cf>​ 
-## Postscreen setup 
-postscreen_access_list = permit_mynetworks,​cidr:/​usr/​local/​etc/​postfix/​postscreen_access.cidr 
-postscreen_blacklist_action = drop 
-# DNS Blackhole Lists 
-postscreen_dnsbl_threshold = 8 
-postscreen_dnsbl_sites = 
-        b.barracudacentral.org=127.0.0.2*7 
-        dnsbl.inps.de=127.0.0.2*7 
-        bl.mailspike.net=127.0.0.2*5 
-        bl.mailspike.net=127.0.0.[10;​11;​12]*4 
-        dnsbl.sorbs.net=127.0.0.10*8 
-        dnsbl.sorbs.net=127.0.0.5*6 
-        dnsbl.sorbs.net=127.0.0.7*3 
-        dnsbl.sorbs.net=127.0.0.8*2 
-        dnsbl.sorbs.net=127.0.0.6*2 
-        dnsbl.sorbs.net=127.0.0.9*2 
-        zen.spamhaus.org=127.0.0.[10..11]*8 
-        zen.spamhaus.org=127.0.0.[4..7]*6 
-        zen.spamhaus.org=127.0.0.3*4 
-        zen.spamhaus.org=127.0.0.2*3 
-        bl.spamcop.net*2 
-        hostkarma.junkemailfilter.com=127.0.0.2*3 
-        hostkarma.junkemailfilter.com=127.0.0.4*1 
-        hostkarma.junkemailfilter.com=127.0.1.2*1 
-        dnsbl-1.uceprotect.net*2 
-        dnsbl-2.uceprotect.net*2 
-        dnsbl-3.uceprotect.net*3 
-        wl.mailspike.net=127.0.0.[18;​19;​20]*-2 
-        list.dnswl.org=127.0.[0..255].0*-3 
-        list.dnswl.org=127.0.[0..255].1*-4 
-        list.dnswl.org=127.0.[0..255].[2..255]*-6 
-        hostkarma.junkemailfilter.com=127.0.0.1*-2 
-postscreen_dnsbl_action = enforce 
- 
-# Pregreeting 
-postscreen_greet_action = enforce 
- 
-# Additional Postscreen Tests 
-postscreen_pipelining_enable = no 
-postscreen_non_smtp_command_enable = no 
-postscreen_non_smtp_command_action = drop 
-postscreen_bare_newline_enable = no 
-</​code>​ 
- 
-In master.cf remove the smtp line and add/change the following: 
-<code yaml /​usr/​local/​etc/​postfix/​master.cf>​ 
-smtp      inet  n       ​- ​      ​n ​      ​- ​      ​1 ​      ​postscreen 
-smtpd     ​pass ​ -       ​- ​      ​n ​      ​- ​      ​- ​      smtpd 
-        -o content_filter=smtp-amavis:​[127.0.0.1]:​10024 
-dnsblog ​  ​unix ​ -       ​- ​      ​n ​      ​- ​      ​0 ​      ​dnsblog 
-tlsproxy ​ unix  -       ​- ​      ​n ​      ​- ​      ​0 ​      ​tlsproxy 
-</​code>​ 
  
 Create the file: Create the file:
Zeile 1017: Zeile 1306:
 </​code>​ </​code>​
 You must restart postfix if you have change the postscreen_access.cidr! You must restart postfix if you have change the postscreen_access.cidr!
 +
 ===== OpenDKIM (WIP) ===== ===== OpenDKIM (WIP) =====
 References: References: