Using RBL blacklists
Add the following lines to your /etc/mail/.mc file. Check that each list is still in service before relying on it: a retired DNSBL may answer every query positively, which then rejects all inbound mail.
FEATURE(blacklist_recipients)
FEATURE(delay_checks)
FEATURE(dnsbl, `sbl-xbl.spamhaus.org', `Rejected mail from $&{client_addr} - see http://www.spamhaus.org/')dnl
FEATURE(dnsbl, `relays.ordb.org', `Rejected mail from $&{client_addr} - see http://ordb.org/')dnl
FEATURE(dnsbl, `list.dsbl.org', `Rejected mail from $&{client_addr} - see http://dsbl.org/')dnl
FEATURE(dnsbl, `china.blackholes.us', `550 Mail from $&{client_addr} rejected - see http://china.blackholes.us/')dnl
FEATURE(dnsbl, `cn-kr.blackholes.us', `550 Mail from $&{client_addr} rejected - see http://cn-kr.blackholes.us/')dnl
FEATURE(dnsbl, `korea.blackholes.us', `550 Mail from $&{client_addr} rejected - see http://korea.blackholes.us/')dnl
FEATURE(dnsbl, `comcast.blackholes.us', `550 Mail from $&{client_addr} rejected - see http://comcast.blackholes.us/')dnl
FEATURE(dnsbl, `wanadoo-fr.blackholes.us', `550 Mail from $&{client_addr} rejected - see http://wanadoo-fr.blackholes.us/')dnl
Install the config:
cd /etc/mail
make
make install
make restart
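As an added example (not part of the original how-to), the following Python shows what FEATURE(dnsbl) does with a connecting client: it parses two of the FEATURE lines above, builds the reversed-octet query name under each list zone, and expands $&{client_addr} into the rejection text. The resolver is a constructed stub (DNSBLs conventionally list 127.0.0.2 as a test entry), so it runs offline.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

# Constructed copy of two FEATURE(dnsbl, ...) lines from the .mc above.
MC_LINES = """
FEATURE(dnsbl, `sbl-xbl.spamhaus.org', `Rejected mail from $&{client_addr} - see http://www.spamhaus.org/')dnl
FEATURE(dnsbl, `china.blackholes.us',`550 Mail from $&{client_addr} rejected - see http://china.blackholes.us/')dnl
"""

FEATURE_RE = re.compile(r"FEATURE\(dnsbl,\s*`([^']+)',\s*`([^']+)'\)")


def parse_dnsbl_features(mc_text: str) -> List[Tuple[str, str]]:
    """Return (zone, rejection message) pairs from the FEATURE(dnsbl, ...) lines."""
    return FEATURE_RE.findall(mc_text)


def dnsbl_query_name(client_addr: str, zone: str) -> str:
    """Name sendmail looks up: the client's IPv4 octets reversed, under the list zone."""
    ip = ipaddress.IPv4Address(client_addr)  # raises ValueError for IPv6 or garbage
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


def check_client(client_addr: str, zones: List[Tuple[str, str]],
                 resolve: Callable[[str], List[str]]) -> Optional[str]:
    """Rejection text for the first list returning an A record, or None if clean.

    The returned text is what sendmail sends after expanding $&{client_addr}.
    """
    for zone, message in zones:
        if resolve(dnsbl_query_name(client_addr, zone)):
            return message.replace("$&{client_addr}", client_addr)
    return None


# Constructed stub standing in for DNS so the example runs offline.
LISTED = {
    "2.0.0.127.sbl-xbl.spamhaus.org": ["127.0.0.2"],
    "2.0.0.127.china.blackholes.us": ["127.0.0.2"],
}


def stub_resolve(name: str) -> List[str]:
    return LISTED.get(name, [])


if __name__ == "__main__":
    zones = parse_dnsbl_features(MC_LINES)
    for addr in ("127.0.0.2", "192.0.2.10"):
        print(addr, "->", check_client(addr, zones, stub_resolve) or "accepted")
```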
Installing spamassassin and clamav
Install the following ports, which provide the scanners and their milters:
cd /usr/ports/mail/p5-Mail-SpamAssassin/
make install clean
cd /usr/ports/security/clamav
make install clean
cd /usr/ports/mail/spamass-milter
make install clean
Enable the daemons in /etc/rc.conf:
# enable spamd
spamd_enable="YES"
spamd_flags="-u spamd -a -c -d -r ${spamd_pidfile}"
# enable spamass-milter
spamass_milter_enable="YES"
spamass_milter_flags="-f -m -r 7 -p ${spamass_milter_socket} -- -u spamd"
# enable clamav (virus scanner)
clamav_freshclam_enable="YES"
clamav_clamd_enable="YES"
clamav_milter_enable="YES"
Configuration for spamassassin can be found under /usr/local/etc/mail/spamassassin/local.cf.
To configure sendmail, add the following lines to the /etc/mail/.mc file:
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')dnl
Now start the daemons:
/usr/local/etc/rc.d/clamav-freshclam start
/usr/local/etc/rc.d/clamav-clamd start
chown clamav /var/log/clamav/clamd.log
/usr/local/etc/rc.d/clamav-milter start
/usr/local/etc/rc.d/sa-spamd start
/usr/local/etc/rc.d/spamass-milter.sh start
Compile the config files, install them and restart sendmail with:
cd /etc/mail
make
make install
make restart
Check the config files for errors.
Installing SPF
Check that sendmail was built with milter support:
sendmail -d0.8 < /dev/null
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
Look for MILTER in the "Compiled with:" list.
First install the milter:
cd /usr/ports/mail/sid-milter
make
make install
make clean
To enable the SPF milter edit /etc/rc.conf:
# enable SPF milter
miltersid_enable="YES"
miltersid_socket="local:/var/run/sid-filter"
miltersid_pid="/var/run/sid-filter.pid"
miltersid_flags="-r 0 -t -h"
Start the milter with:
/usr/local/etc/rc.d/milter-sid start
Installing Greylisting
Enable SPF support by editing /etc/make.conf:
# with SPF support
WITH_LIBSPF2="YES"
cd /usr/ports/mail/milter-greylist
make
make install
cd /usr/local/etc/mail
cp greylist.conf.sample greylist.conf
Edit greylist.conf to your needs and append the following lines:
acl greylist default
geoipdb "/usr/local/share/GeoIP/GeoIP.dat"
To start the milter insert into /etc/rc.conf:
miltergreylist_enable="YES"
Start it with:
/usr/local/etc/rc.d/milter-greylist.sh start
To check logging:
tail -f /var/log/maillog
Edit the sendmail .mc file. A define() of confINPUT_MAIL_FILTERS replaces the whole filter list, so if the spamassassin and clmilter filters from the earlier section are also in use, name them in that define as well, in the order they should run:
INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_CONNECT', confMILTER_MACROS_CONNECT`, {daemon_port}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl
define(`confINPUT_MAIL_FILTERS', `greylist')dnl
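As an added example (not from the page or from milter-greylist), the following Python computes the filter chain sendmail ends up with when the greylist lines above are combined with the spamassassin and clmilter lines from the earlier section, in that order. It assumes the documented m4 semantics: INPUT_MAIL_FILTER appends a name, and define() of confINPUT_MAIL_FILTERS replaces the whole list.

```python
import re
from typing import List

# Constructed .mc fragment: the SpamAssassin/ClamAV filter lines followed by the
# greylist lines, in the order the sections above add them.
MC_TEXT = """
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')dnl
INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock')dnl
define(`confINPUT_MAIL_FILTERS', `greylist')dnl
"""

INPUT_FILTER_RE = re.compile(r"INPUT_MAIL_FILTER\(\s*`([^']+)'")
DEFINE_RE = re.compile(r"define\(\s*`confINPUT_MAIL_FILTERS',\s*`([^']*)'\s*\)")


def effective_filters(mc_text: str) -> List[str]:
    """Compute the InputMailFilters list sendmail ends up with.

    INPUT_MAIL_FILTER appends its name to confINPUT_MAIL_FILTERS; an explicit
    define() of confINPUT_MAIL_FILTERS replaces the whole list with the names
    given. Only the names in the final list are run, in that order.
    """
    chain: List[str] = []
    for line in mc_text.splitlines():
        m = INPUT_FILTER_RE.search(line)
        if m:
            chain.append(m.group(1))
            continue
        m = DEFINE_RE.search(line)
        if m:
            chain = [n.strip() for n in m.group(1).split(",") if n.strip()]
    return chain


def dropped_filters(mc_text: str) -> List[str]:
    """Filters declared with INPUT_MAIL_FILTER that the final chain never runs."""
    active = set(effective_filters(mc_text))
    return [n for n in INPUT_FILTER_RE.findall(mc_text) if n not in active]


if __name__ == "__main__":
    print("active:", effective_filters(MC_TEXT))  # ['greylist']
    print("silently dropped:", dropped_filters(MC_TEXT))
    fixed = MC_TEXT.replace("`greylist')", "`greylist, clmilter, spamassassin')")
    print("after listing all three:", effective_filters(fixed))
```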
SSL Key
Create a CA:
- Edit /etc/ssl/openssl.cnf -> default_days = 10950
- Edit /etc/ssl/openssl.cnf -> default_bits = 4096
- Generate the CA certificate:
  /usr/src/crypto/openssl/apps/CA.pl -newca
  cp demoCA/cacert.pem .
- Edit /etc/ssl/openssl.cnf -> default_days = 365
Create a key:
/usr/src/crypto/openssl/apps/CA.pl -newreq
Remove the passphrase from the key (the key is stored unencrypted afterwards, which is why the permissions set below matter):
openssl rsa -in newkey.pem -out key.pem
Sign key:
/usr/src/crypto/openssl/apps/CA.pl -sign
Set permissions:
chmod 0600 *
Sendmail:
define(`confCACERT_PATH',`/etc/mail/certs')dnl
define(`confCACERT',`/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT',`/etc/mail/certs/newcert.pem')dnl
define(`confSERVER_KEY',`/etc/mail/certs/key.pem')dnl
define(`confCLIENT_CERT',`/etc/mail/certs/newcert.pem')dnl
define(`confCLIENT_KEY',`/etc/mail/certs/key.pem')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Add client CA certificates to /etc/mail/certs and create the hash symlink OpenSSL uses to find them:
cd /etc/mail/certs
C=FileName_of_CA_Certificate
ln -s $C `openssl x509 -noout -hash < $C`.0
Renew Certificate
Make sure demoCA/index.txt.attr has the content:
unique_subject = no
Renew the certificate then with:
cd /etc/mail/certs/
/usr/src/crypto/openssl/apps/CA.pl -sign
cd /etc/mail
make restart
Backup MX
To configure a server as a backup MX, create a second MX record in the zone file that points to the backup MX with a higher preference value (higher values are tried after lower ones).
Then create an entry in mailertable on the backup machine:
domain smtp:mail.domain
Now add the domain to the access map:
To:domain RELAY