|
ot N. Antonov(25-11-2006)
reiting (23)
[ dobre ]
[ zle ]
Variant za otpechatvane
Tazi statiia opisva edin ot mnogoto nachini, po koito mozhete da integrirate poshtenskiia survur Postfix sus skener za antivirusna i antispam proverka. Sushtata konfiguratsiia raboti na mashinata, koiato obrabotva poshtenskiia trafik na "Linuks za bulgari". Statiiata e ogranichena do realizatsiiata na bazata na distributsiiata Debian GNU/Linux i e motivirana ot zasileniia interes kum temata i mnozhestvoto vuprosi, koito poluchavam po ICQ ili na lichna korespondentsiia.
Statiiata niama za tsel da obiasni detailno kak e nai-dobre da konfigurirate edno ili drugo. Samo dava informatsiia kakvo triabva da napravite, za da imate tezi neshta raboteshti na vashata sistema. Ostanaloto e vupros na lichen izbor, pretsenka, poznaniia i vuzmozhnosti. Dobre doshli sa vsiakakvi idei i trikove za dopulnitelno uvelichavane na efektivnostta pri borbata sreshtu nezhelanata poshta.
Neobhodimi paketi
Instalirane na paketite |
apt-get install postfix amavisd-new clamsmtp spamassassin razor spambayes |
Ako iskate antivirusniiat skener da analizira arhivi, kompresirani v razlichni formati, dostatuchno e samo da instalirate suotvetniia paket. Poddruzhkata na niakoi kompresirashti formati se namira v sektsiiata non-free na Debian.
Postfix
Na purvo miasto imame Postfix, koito posreshta vhodiashtata poshta na standartniia za tova port - 25. Kakto znaete, tozi poshtenski survur e "razbit" na mnozhestvo supodchineni demoni, koito se grizhat za razlichni neshta i mogat da budat konfigurirani individualno, koeto go pravi izklyuchitelno moshten i udoben za razlichni tseli. V konfiguratsiiata na Postfix imame ukazanie da nasochva vhodiashtata poshta kum vunshen filtur za sudurzhanie, koito "slusha" v nashiia sluchai na port 10024.
/etc/postfix/main.cf |
content_filter=smtp-amavis:[127.0.0.1]:10024 |
/etc/postfix/master.cf |
smtp-amavis unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o disable_dns_lookups=yes
-o lmtp_send_xforward_command=yes
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8 |
Amavisd-new
Kakto lichi po-gore, trafikut se nasochva kum Amavisd-new, koito ima grizhata da "posreshtne" pismata, da gi proveri chrez Spamassassin i ako preminat proverkata, da gi nasochi kum clamsmtp.
Konfiguratsionniiat fail na Amavis e goliam, no nie niama da promeniame mnogo neshta po nego. V obshti lini, niakolko drebolii. Ostanaloto prilozhenito si go pravi samo s nastroikite po podrazbirane. Eto redovete, koito se e nalozhilo da pipnem faila /etc/amavis/amavisd.conf:
Domein i FQDN na survura |
$mydomain = 'linux-bg.org';
$myhostname = 'kazan.linux-bg.org'; |
Izklyuchvame antivirusnata proverka i vklyuchvame antispam proverkata |
@bypass_virus_checks_acl = qw( . );
|
Nasochvame trafika kum clamsmtp |
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method; |
Kakto mozhe bi se doseshtate, ostaviame na Amavis samo da se pogrizhi za spama, kato "izvika" na pomosht spamassassin. Virusite gi ostaviame na clamsmtp, koito predvaritelno e nastroen da "slusha" na port 10025.
ClamAV
Edinstveniiat konfiguratsionen fail, koito triabva da promenim, v nashiia sluchai e /etc/clamsmtpd.conf. Dve neshta triabva da posochim izrichno - na koi port "slusha" samiiat demon i kum koi port da nasochva pismata, sled kato sa preminali prez proverkata. Doseshtate se, che toi triabva da gi vurne obratno na Postfix, koito gi ochakva na port 10026.
clamsmtpd.conf |
OutAddress: 10026
Listen: 127.0.0.1:10025 |
Taka, sled kato pismata sa napravili edna goliama "razhodka", ako sa ostanali zhivi sled vsichki vidove proverki, se vrushtat otnovo na Postfix i produlzhavat po putia si do krainata poshtenska kutiia na poluchatelia. V obshti linii kontseptsiiata mozhe da bude predstavena po sledniia nachin:
Spamassassin
Kakto znaete, spamassassin podlezhi na mnozhestvo razlichni nastroiki, koito mogat da budat predmet na otdelna statiia. Spored nahodchivostta na tezi nastroiki se opredelia i dokolko efektivno shte si vurshi rabotata. Eto kak izglezhda negovata konfiguratsiia pri nas:
/etc/spamassassin/local.cf |
rewrite_header Subject *****SPAM*****
report_safe 1
required_score 5.0
use_bayes 1
bayes_auto_learn 1
use_razor2 1
razor_timeout 10
skip_rbl_checks 0 |
Oshte restriktsii
Ako iskate da namalite natovarvaneto na poshtenskata si sistema, kato otblusnete po-golemiia protsent ot vredniia trafik oshte "na vratata", t.e. predi Postfix da go propusne navutre kum Amavis, mozhete da polzvate restriktsiite po-dolu. Osven poznatite na vsichki RBL i RHSBL proverki tuk ima i strogi iziskvaniia kum drugite poshtenski survuri, koito shte se opitvat da ni izprashtat pisma, za suobraziavane s razlichni RFC preporuki.
/etc/postfix/main.cf |
strict_8bitmime = no
strict_8bitmime_body = no
strict_mime_encoding_domain = yes
strict_7bit_header = no
smtpd_etrn_restriction = reject
allow_untrusted_routing = no
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_error_sleep_time = 1s
smtpd_delay_reject = yes
disable_dns_lookups = no
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtp_always_send_ehlo = yes
smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unknown_sender_domain,
reject_non_fqdn_sender,
reject_rhsbl_sender dsn.rfc-ignorant.org,
permit
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
permit_tls_clientcerts,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_hostname,
reject_unknown_recipient_domain,
reject_rbl_client bl.spamcop.net,
reject_rbl_client relays.ordb.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client dnsbl.ahbl.org,
reject_rbl_client dnsbl.sorbs.net,
reject_rhsbl_client blackhole.securitysage.com,
reject_rhsbl_sender blackhole.securitysage.com,
reject_rhsbl_client rhsbl.ahbl.org,
reject_rhsbl_sender rhsbl.ahbl.org,
reject_rhsbl_client rhsbl.sorbs.net,
reject_rhsbl_sender rhsbl.sorbs.net,
reject_rhsbl_client block.rhs.mailpolice.com,
reject_rhsbl_sender block.rhs.mailpolice.com,
reject_rhsbl_client dynamic.rhs.mailpolice.com,
reject_rhsbl_sender dynamic.rhs.mailpolice.com,
reject_rhsbl_client bogusmx.rfc-ignorant.org,
reject_rhsbl_sender bogusmx.rfc-ignorant.org,
reject_rhsbl_client dsn.rfc-ignorant.org,
reject_rhsbl_sender dsn.rfc-ignorant.org,
permit
smtpd_helo_restrictions =
reject_invalid_hostname,
permit_mynetworks,
permit |
Testvaite i spodeliaaite opita si. Ne vsichko, posocheno v tazi statiia, mozhe da vi dade optimalno reshenie, no pone e dokazano, che raboti. Niakoi nastroiki mozhe dori da se okazhe, che ne sa udobni za vashite nuzhdi, no s pravilno razbirane za neshtata shte namerite optimalniia variant. Tuk mozhete da sledite statistikata na poshtenskiia trafik, koito preminava prez survura na "Linuks za bulgari".
Drugi statii po temata:
SHTo e to SPF i kak shte ni pomogne da se zashtitim ot spam
Antivirusna proverka i SPF poddruzhka v Postfix (otraziava nashiia opit predi da integrirame v sistemata i Spamassassin)
Postfix s TLS poddruzhka
Instalatsiia na Postfix Admin s poddruzhka na PostgreSQL
<< Kak da kompilirame Falkon poddruzhka v MySQL 5 | Kak da izpolzvame Linux-BG kato RHSBL >>
|
|