How-to: Postfix integration

Installing Postfix integrated with Active Directory
Author: Thiago Cavalcante ([email protected])

Package installation

apt-get install courier-authdaemon courier-authlib courier-authlib-dev courier-authlib-ldap courier-base courier-imap courier-maildrop postfix postfix-ldap postfix-policyd-spf-perl libsasl2-2 libsasl2-modules libsasl2-modules-ldap sasl2-bin clamav-base clamav-daemon clamav-freshclam spamassassin htop openssh-server build-essential linux-source-2.6.26 linux-headers-2.6.26-2-amd64 rcconf dnsutils locate htop nmap

Configuration files

vim /etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
myhostname = mailserver.solisc.org.br
myorigin = solisc.org.br
mydestination = solisc.org.br, mailserver.solisc.org.br, localhost
relayhost = 172.86.41.230
mynetworks = 127.0.0.0/8, 172.86.0.0/16
inet_interfaces = all
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
home_mailbox = Maildir/
message_size_limit = 20000000
virtual_alias_expansion_limit = 5000
alias_maps = hash:/etc/aliases
# local delivery goes through the maildrop service defined in master.cf
mailbox_transport = maildrop
mailbox_command_maps = ldap:accounts
local_recipient_maps = $alias_maps $virtual_mailbox_maps
# alias expansion: distribution lists (AD groups) and per-user forwarding
virtual_maps = ldap:grupos ldap:forward
# mailbox existence: AD user objects with a mail attribute
virtual_mailbox_maps = ldap:accounts
debug_peer_level = 5
debug_peer_list = 127.0.0.1

# ldap:accounts - one AD user per address
accounts_server_host = 172.86.41.190
accounts_bind_dn = cn=bind,cn=Users,dc=solisc
accounts_bind_pw = Solisc2010
accounts_search_base = ou=Usuarios,dc=solisc
accounts_query_filter = (&(objectClass=organizationalPerson)(mail=%s))
accounts_result_attribute = mail
accounts_bind = yes

# ldap:grupos - AD groups as lists; member DNs are followed and their mail returned
grupos_server_host = 172.86.41.190
grupos_version = 3
grupos_search_base = ou=Usuarios,dc=solisc
grupos_query_filter = (&(objectClass=group)(mail=%s))
grupos_bind_dn = cn=bind,cn=Users,dc=solisc
grupos_bind_pw = Solisc2010
grupos_special_result_attribute = member
grupos_result_attribute = mail
grupos_recursion_limit = 5000

# ldap:forward - the AD "City" field (attribute l) holds the forwarding address
forward_server_host = 172.86.41.190
forward_version = 3
forward_timeout = 10
forward_chase_referral = 0
forward_search_base = ou=Usuarios,dc=solisc
forward_query_filter = (&(mail=%s)(objectClass=organizationalPerson))
forward_bind_dn = cn=bind,cn=Users,dc=solisc
forward_bind_pw = Solisc2010
forward_result_attribute = l

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, check_helo_access regexp:/etc/postfix/helo-invalid
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unauth_pipelining check_policy_service unix:private/policy
smtpd_etrn_restrictions = permit_sasl_authenticated, reject
header_checks = regexp:/etc/postfix/header_checks
smtpd_data_restrictions = reject_unauth_pipelining

Note: the LDAP bind password (accounts_bind_pw, grupos_bind_pw, forward_bind_pw) is stored in clear text in main.cf, which is world-readable by default. ldap_table(5) recommends putting each map's parameters in its own file (for example ldap:/etc/postfix/ldap-accounts.cf) readable only by root and the postfix user, so the credential is not exposed to every local account. debug_peer_level and debug_peer_list are troubleshooting settings and should not stay enabled in production.

vim /etc/postfix/master.cf

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# The original file listed "smtp inet" twice (once with "-v -v -v -D" debug
# flags, once with the clamav content filter). A service name/type may appear
# only once in master.cf, so the two are merged here and the debug flags dropped.
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=clamav:clamav
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
  -o fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
# local delivery (mailbox_transport in main.cf): maildrop as the vmail user,
# warning at 90% of quota
maildrop  unix  -       n       n       -       20      pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -w 90 -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n     n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
retry     unix  -       -       n       -       -       error
proxywrite unix -       -       n       -       1       proxymap
# SPF policy daemon used by check_policy_service unix:private/policy
policy    unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl
# content filter: clamav-filter.sh scans each message and re-injects it through spamc
clamav    unix  -       n       n       -       -       pipe
  flags=Rq user=clamav argv=/usr/lib/postfix/clamav-filter.sh -f ${sender} -- ${recipient}

vim /etc/maildroprc

# $LOGNAME is the full address passed by maildrop -d ${recipient};
# its user part names the mailbox directory under $HOME (/vmail).
USER=`echo "$LOGNAME" | cut -d@ -f1`
MAILBOX="$HOME/$USER/"
MAILDIR="$HOME/$USER/Maildir/"
MESSAGE="/etc/courier/overquota"
DELIVERQUOTA="/usr/bin/deliverquota.courier"
ASSUNTO="CAIXA CHEIA!"
MAILER="[email protected]"

# Sender address, used for vacation replies and the over-quota notice
if ( /^From: *.*/ )
{
    ADDR=getaddr($MATCH)
}

# Create the user's Maildir on first delivery
`test -d "$MAILDIR"`
if ($RETURNCODE != 0)
{
    exception {
        `mkdir -p "$MAILBOX"`
        `maildirmake.courier "$MAILDIR"`
    }
}

# Messages tagged by SpamAssassin go to the Spam folder, created and
# subscribed on demand
if (/^X-Spam-Status: Yes/)
{
    `test -d "$MAILDIR/.Spam/"`
    if ($RETURNCODE != 0)
    {
        `maildirmake.courier -f Spam "$MAILDIR"`
        `echo "INBOX.Spam" >> $MAILDIR/courierimapsubscribed`
    }
    exception {
        to "$MAILDIR/.Spam/"
    }
}

# Vacation auto-reply, controlled by files the user keeps in the Maildir:
# vacation.txt (body), vacation_subject.txt, vacation_cc_addresses.txt,
# vacation_keep_messages.txt (keep a local copy while redirecting)
`test -f "$MAILDIR/vacation.txt"`
if ($RETURNCODE==0)
{
    `test -f "$MAILDIR/vacation_subject.txt"`
    if ($RETURNCODE==0)
    {
        SUBJECT=`cat "$MAILDIR/vacation_subject.txt"`
        cc "| mailbot -t "$MAILDIR/vacation.txt" -A 'From: $USER' -A 'Subject: $SUBJECT' /usr/sbin/sendmail -t $ADDR"
    }
    else
    {
        cc "| mailbot -t "$MAILDIR/vacation.txt" -A 'From: $USER' /usr/sbin/sendmail -t $ADDR"
    }
    `test -f "$MAILDIR/vacation_cc_addresses.txt"`
    if ($RETURNCODE==0)
    {
        CCADDRESSES=`cat "$MAILDIR/vacation_cc_addresses.txt"`
        `test -f "$MAILDIR/vacation_keep_messages.txt"`
        if ($RETURNCODE==0)
        {
            cc "! -f \"$ADDR\" $CCADDRESSES"
        }
        else
        {
            to "! -f \"$ADDR\" $CCADDRESSES"
        }
    }
}

# Normal delivery; if it fails, run the quota check and notify the user
exception {
    to "$MAILDIR/"
}
exception {
    xfilter "$DELIVERQUOTA -w 90 $MAILDIR"
}
if ($RETURNCODE==75)
{
    cc "| mailbot -t "$MESSAGE" -A 'From: $MAILER' /usr/sbin/sendmail -t $ADDR"
}

vim /usr/lib/postfix/clamav-filter.sh

#!/bin/sh
# Postfix pipe(8) content filter: saves the message under /AV, scans it with
# clamd and, when clean, re-injects it through spamc/sendmail.
# Called from master.cf as: clamav-filter.sh -f ${sender} -- ${recipient}
export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games

INSPECT_DIR=/AV
SENDMAIL="/usr/bin/spamc -f -e /usr/sbin/sendmail -i"
MYHOSTNAME=`postconf -h myhostname`
REPORTHOST=`postconf -h myhostname`
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
EX_DENIED=77
nome_arquivo=`date +%Y%m%d%H%M%S`
nome_arquivo=in.$$.$nome_arquivo
AVCMD="/usr/bin/clamdscan --disable-summary --stdout "
NOTIFY_VIRUS=no
NOTIFY_POSTMASTER=yes

viruscan() {
    VIRUS=`$AVCMD $nome_arquivo`
    SAIDA=$?
    VIRUS=`echo $VIRUS | cut -d" " -f2-`
    # clamdscan exits 1 when a virus is found
    if [ $SAIDA -eq 1 ]; then
        postlog -t postfix/virus-filter message-id=$msgid status=virus from=\<$from\> to=\<$rcpts\> 2>/dev/null
        if [ "$NOTIFY_VIRUS" = "yes" ]; then
            echo "From: Virus Scanner <mailer-daemon@$MYHOSTNAME>
Subject: AVISO: Email rejeitado: VIRUS Detectado
To: $from

Seu email para ($rcpts) com assunto ($subj) foi rejeitado por conter virus.

Virus encontrados: $VIRUS

" | $SENDMAIL -f MAILER-DAEMON -- $from
        fi
        if [ "$NOTIFY_POSTMASTER" = "yes" ]; then
            echo "From: Virus Scanner <mailer-daemon@$MYHOSTNAME>
Subject: Postmaster Copy: VIRUS Detectado
To: [email protected]

Um email de $from para $rcpts com assunto ($subj) foi rejeitado por conter virus.

Virus encontrados: $VIRUS

" | $SENDMAIL -f MAILER-DAEMON -- [email protected]
        fi
        # infected message is dropped; exit 0 tells Postfix delivery succeeded
        exit 0
    fi
}

# remove the spool copy on exit or interruption
trap "rm -rf $nome_arquivo*" 0 1 2 3 15
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }
cat >$nome_arquivo || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

# argument parsing: "-f <sender> -- <recipient...>"; an empty sender arrives as "-f --"
from=$2
if [ "$from" != "--" ]; then
    shift
else
    from=""
fi
shift ; shift
dominio=`echo $from | cut -d"@" -f2`
email=`echo $from | cut -d"@" -f1`
subj=`head -n 200 $nome_arquivo | grep -i "^Subject:" | cut -d":" -f2- | head -n 1`
msgid=`head -n 200 $nome_arquivo | grep -i "^message-id" | cut -d: -f 2- | sed 's/^ *//' | head -n 1`
saida="-f $from -- $@"
rcpts=$@
viruscan
$SENDMAIL $saida <$nome_arquivo
exit 0

vim /etc/courier/authldaprc

LDAP_URI ldap://172.86.23.171
LDAP_SERVER 172.86.23.171
LDAP_PORT 389
LDAP_PROTOCOL_VERSION 3
# authenticate by binding to AD as the user, so no password hash is read from the directory
LDAP_AUTHBIND 1
LDAP_BASEDN dc=ad,dc=solisc
LDAP_BINDDN cn=bind,cn=users,dc=solisc
LDAP_BINDPW Solisc2010
LDAP_TIMEOUT 5
LDAP_FILTER (objectClass=organizationalPerson)
LDAP_DOMAIN solisc
LDAP_FULLNAME cn
LDAP_CLEARPW clearPassword
LDAP_CRYPTPW userPassword
LDAP_MAIL mail
# all mailboxes are owned by the vmail user/group (uid/gid 1000)
LDAP_GLOB_UID 1000
LDAP_GLOB_GID 1000
# AD fields reused for mail settings: Web page = Maildir, Street = home, State = quota
LDAP_MAILDIR wWWHomePage
LDAP_HOMEDIR streetAddress
LDAP_DEREF never
LDAP_MAILDIRQUOTA st

vim /etc/courier/authdaemonrc

authmodulelist="authldap"
authmodulelistorig="authldap"
daemons=50
authdaemonvar=/var/run/courier/authdaemon
DEBUG_LOGIN=0
DEFAULTOPTIONS=""
LOGGEROPTS=""

vim /etc/spamassassin/local.cf

rewrite_header Subject *****SPAM*****
trusted_networks 172.86.0.0/16
required_score 5.0
use_bayes 1
bayes_auto_learn 1
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

touch /etc/postfix/helo-invalid
touch /etc/postfix/header_checks
postmap /etc/postfix/helo-invalid
postmap /etc/postfix/header_checks

adduser vmail (password: vmail)
Change the user's home directory to /vmail.

mkdir /AV; chown clamav /AV; chgrp clamav /AV
mkdir /vmail; chown vmail /vmail; chgrp vmail /vmail
ln -s /etc/maildroprc /etc/courier/maildroprc

Enable SpamAssassin by changing 0 to 1 in /etc/default/spamassassin: ENABLED=1

Fields used in Active Directory

Creating users:

E-mail: fill in with the user's e-mail address (the mail attribute looked up by the accounts map).
Web page: fill in with the user's Maildir (wWWHomePage, read by LDAP_MAILDIR in authldaprc).

Street: Postfix home directory, the same for all users (streetAddress, LDAP_HOMEDIR).
City: forwarding address; repeat the user's own e-mail to disable forwarding (attribute l, read by forward_result_attribute in main.cf).
State: disk quota in bytes; do not forget the trailing S (st, LDAP_MAILDIRQUOTA).

Creating lists:
For each list, an ACL must be created in the Postfix file and a group created in AD whose name is the username part of the list's e-mail address.

Group name: must be the username part of the list's e-mail address.
E-mail: the list's e-mail address.

Add and/or remove the users active on the list here (the group's members; main.cf follows them through grupos_special_result_attribute = member).
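To make the attribute conventions above concrete, here is an added example (not part of the how-to) that models in Python how Postfix resolves a recipient through the three LDAP maps defined in main.cf: list expansion through member DNs, the City-field forward with the "repeat your own address to disable" convention, and the mailbox lookup. The directory entries (ana, bruno, suporte, ti) are constructed sample data, and the functions are a model of the lookups, not Postfix's own code.

```python
# Added example, not from the how-to: an in-memory model of the accounts, grupos
# and forward LDAP maps in main.cf. DIRECTORY is constructed sample data, not AD.
RECURSION_LIMIT = 5000  # grupos_recursion_limit
U, P, G = "ou=Usuarios,dc=solisc", "organizationalPerson", "group"
DIRECTORY = {  # DN -> the attributes main.cf reads: objectClass, mail, member, l
    f"cn=ana,{U}": {"objectClass": P, "mail": "ana@solisc.org.br", "l": "ana@solisc.org.br"},  # l == own mail
    f"cn=bruno,{U}": {"objectClass": P, "mail": "bruno@solisc.org.br", "l": "bruno@example.net"},  # forwarded
    f"cn=suporte,{U}": {"objectClass": G, "mail": "suporte@solisc.org.br", "member": [f"cn=ana,{U}", f"cn=ti,{U}"]},
    f"cn=ti,{U}": {"objectClass": G, "mail": "ti@solisc.org.br", "member": [f"cn=bruno,{U}", f"cn=suporte,{U}"]},
}

def search(object_class, mail):
    # query_filter (&(objectClass=<class>)(mail=%s)); mail matches case-insensitively
    return [e for e in DIRECTORY.values()
            if e["objectClass"] == object_class and e["mail"].lower() == mail.lower()]

def accounts(mail):
    # virtual_mailbox_maps = ldap:accounts with result_attribute = mail
    return [e["mail"] for e in search("organizationalPerson", mail)]

def grupos(mail):
    # ldap:grupos: follow member DNs (special_result_attribute) and return the members'
    # mail (result_attribute); nested groups recurse, bounded by the recursion limit
    # and a visited set so the suporte <-> ti cycle above terminates.
    out, seen = [], set()
    def expand(entry, depth):
        if depth > RECURSION_LIMIT:
            return
        for dn in entry.get("member", []):
            if dn in seen or dn not in DIRECTORY:
                continue
            seen.add(dn)
            sub = DIRECTORY[dn]
            expand(sub, depth + 1) if "member" in sub else out.append(sub["mail"])
    for group in search("group", mail):
        expand(group, 1)
    return sorted(set(out))

def forward(mail):
    # ldap:forward: the AD "City" field (l) holds the forwarding address; the how-to
    # disables forwarding by repeating the user's own address, filtered out here.
    return [e["l"] for e in search("organizationalPerson", mail) if e["l"].lower() != mail.lower()]

def resolve(rcpt):
    # Postfix order: virtual alias expansion first, then the mailbox lookup;
    # an address found in neither map is rejected via local_recipient_maps.
    aliases = sorted(set(grupos(rcpt) + forward(rcpt)))
    if aliases:
        return ("alias", aliases)
    return ("maildrop", [rcpt]) if accounts(rcpt) else ("reject", [])
```

A forwarded user (bruno) gets no local copy, which is how virtual alias rewriting behaves; a nested-group cycle expands once and stops.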

SPF configuration

perl -MCPAN -e shell
install Mail::SPF
q

Edit the DNS zone file and add the SPF line below the MX record:

mailserver.solisc.org.br. IN TXT "v=spf1 ip4:172.86.23.39/32 mx -all"

Note: the original record was written with ipv4:, which is not an SPF mechanism (the name is ip4:); a receiver evaluating it returns permerror, so the record above uses ip4:. SPF is checked against the domain of the envelope sender (MAIL FROM), here solisc.org.br, so the same record must also be published at solisc.org.br; a record at mailserver.solisc.org.br only covers the HELO identity and mail sent with that host name as the sender domain.

Add at the end of /etc/postfix/master.cf:

vim /etc/postfix/master.cf

policy    unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl

Testing:

host -t txt mailserver.solisc.org.br
mailserver.solisc.org.br descriptive text "v=spf1 ipv4:172.86.23.39/32 mx -all"

(Output as recorded by the author, before the ipv4: spelling was corrected.)
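An added check (not part of the how-to) for the SPF record's syntax: a small Python parser that flags the ipv4: spelling as an unknown mechanism, which is what a receiver's SPF evaluator also does (permerror), and validates ip4:/ip6: arguments. It checks syntax only and queries no DNS.

```python
# Added example, not from the how-to: syntax check for the SPF TXT record the
# document publishes. Catches the ipv4: typo (the mechanism is ip4:). No DNS used.
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?::([^/]+))?(?:/(\d{1,3}))?", re.I)

def check_spf(record):
    """Return a list of problems; an empty list means the record parses."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    for term in terms[1:]:
        # modifiers look like name=value; mechanisms use name:value
        if "=" in term and ":" not in term.split("=", 1)[0]:
            name = term.split("=", 1)[0].lower()
            if name not in MODIFIERS:
                problems.append(f"unknown modifier {name}")
            continue
        m = TERM.fullmatch(term)
        if not m:
            problems.append(f"unparsable term {term!r}")
            continue
        _, mech, arg, cidr = m.groups()
        mech = mech.lower()
        if mech not in MECHANISMS:
            problems.append(f"unknown mechanism {mech!r} in {term!r}")
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(f"{arg}/{cidr}" if cidr else arg, strict=False)
                if net.version != int(mech[2]):
                    problems.append(f"{mech} with wrong address family in {term!r}")
            except ValueError:
                problems.append(f"bad address in {term!r}")
        elif mech in ("include", "exists") and not arg:
            problems.append(f"{mech} needs a domain in {term!r}")
    return problems
```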

Note: THE FILES INCLUDED IN THIS DOCUMENT ALREADY CONTAIN THE CHANGES ABOVE.

Virtual disk (RAMDISK) for the queue

Add to /etc/rc.local (/AV is the INSPECT_DIR where clamav-filter.sh stores each message while it is scanned):

mount -t tmpfs none /AV

Open-iSCSI configuration

iscsiadm -m iface -I iface4 --op=new
iscsiadm -m iface -I iface4 --op=update -n iface.hwaddress -v d8:d3:85:b8:5d:8a
iscsiadm -m discovery -t st -p 10.0.30.2 -I iface4 -P 1
iscsiadm -m node -T iqn.1986-03.com.hp:storage.msa2324i.0944da4fac -l
mount -t ext3 /dev/sdg1 /vmail

vim /etc/iscsi/iscsid.conf

isns.address = 10.0.30.2
isns.port = 3260
node.startup = automatic
node.session.timeo.replacement_timeout = 120
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 20
node.session.initial_login_retry_max = 8
node.session.queue_depth = 32
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.conn[0].iscsi.MaxRecvDataSegmentLength = 131072
discovery.sendtargets.iscsi.MaxRecvDataSegmentLength = 32768
node.session.iscsi.FastAbort = Yes

vim /etc/fstab

/dev/sda1 /vmail ext3 rw,sync,auto,_netdev 0 0

Note: the mount command above used /dev/sdg1 while fstab lists /dev/sda1; device names of iSCSI LUNs can change between boots, so mounting by UUID= or LABEL= is more reliable.

Port check

nmap 127.0.0.1

22/tcp
25/tcp
111/tcp
143/tcp
734/tcp
783/tcp

Expected listeners for this setup are ssh (22), smtp (25), imap (143) and spamd (783); 111 is rpcbind, which none of the services installed here need.

List of files used:

/etc/passwd
/etc/group
/etc/rc.local
/etc/fstab
/etc/crontab
/etc/resolv.conf
/etc/iscsi/iscsid.conf
/etc/postfix/main.cf
/etc/postfix/master.cf
/etc/postfix/helo-invalid
/etc/postfix/header_checks
/etc/courier/authldaprc
/etc/courier/authdaemonrc
/etc/spamassassin/local.cf
/etc/maildroprc
/etc/default/spamassassin
/usr/lib/postfix/clamav-filter.sh

Note: the configuration files must not contain trailing whitespace at the end of lines.