by N. Antonov (25-11-2006)



This article describes one of the many ways to integrate the Postfix mail server with a scanner for antivirus and antispam checking. The same configuration runs on the machine that handles the mail traffic of "Linuks za bulgari" ("Linux for Bulgarians"). The article is limited to an implementation based on the Debian GNU/Linux distribution and is motivated by the growing interest in the topic and the many questions I receive over ICQ or in personal correspondence.

The article does not aim to explain in detail how best to configure one thing or another. It only tells you what you need to do to have these things working on your system. The rest is a matter of personal choice, judgment, knowledge and capabilities. Any ideas and tricks for further increasing effectiveness in the fight against unwanted mail are welcome.


Required packages

Installing the packages
apt-get install postfix amavisd-new clamsmtp spamassassin razor spambayes

If you want the antivirus scanner to analyze archives compressed in various formats, it is enough to install the corresponding package. Support for some compression formats is found in the non-free section of Debian.

Postfix

First comes Postfix, which receives incoming mail on the standard port for it, 25. As you know, this mail server is "split" into many subordinate daemons that take care of different things and can be configured individually, which makes it exceptionally powerful and convenient for different purposes. The Postfix configuration contains an instruction to direct incoming mail to an external content filter, which in our case "listens" on port 10024.

/etc/postfix/main.cf
content_filter=smtp-amavis:[127.0.0.1]:10024

/etc/postfix/master.cf
# The lmtp daemon directs the traffic to amavis
smtp-amavis unix        -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
    -o lmtp_send_xforward_command=yes

# The smtpd daemon accepts the messages back from clamsmtp
127.0.0.1:10026 inet  n -       n       -       16      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Amavisd-new

As can be seen above, the traffic is directed to Amavisd-new, which takes care of "receiving" the messages, checking them through SpamAssassin and, if they pass the check, forwarding them to clamsmtp.

The Amavis configuration file is large, but we will not change much in it. In general, just a few small things. The application does the rest itself with its default settings. Here are the lines we had to touch in the file /etc/amavis/amavisd.conf:

Domain and FQDN of the server
$mydomain = 'linux-bg.org';
$myhostname = 'kazan.linux-bg.org';

We disable the antivirus check and enable the antispam check
@bypass_virus_checks_acl = qw( . );
# @bypass_spam_checks_acl  = qw( . );

We direct the traffic to clamsmtp
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;

As you may have guessed, we leave Amavis to deal only with spam, "calling" spamassassin for help. We leave the viruses to clamsmtp, which has been set up beforehand to "listen" on port 10025.

ClamAV

The only configuration file we need to change in our case is /etc/clamsmtpd.conf. Two things must be specified explicitly: on which port the daemon itself "listens" and to which port it should forward the messages after they have passed the check. As you can guess, it has to return them to Postfix, which expects them on port 10026.

clamsmtpd.conf
OutAddress: 10026
Listen: 127.0.0.1:10025

So, after the messages have taken one long "walk", if they are still alive after all the checks, they return to Postfix and continue on their way to the recipient's final mailbox. In broad terms, the concept can be represented as follows: Postfix (port 25) -> Amavisd-new with SpamAssassin (port 10024) -> clamsmtpd (port 10025) -> Postfix (port 10026) -> recipient's mailbox.
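The chain only works if every hop forwards to the port the next one listens on and the re-injection listener clears content_filter. The following Python check is an added example, not part of the original article; the function names are hypothetical and the embedded fragments are sample input built from the values shown above.

```python
import re

# Config fragments copied from the values on this page (sample input).
MAIN_CF = "content_filter=smtp-amavis:[127.0.0.1]:10024\n"
MASTER_CF = """\
smtp-amavis unix - - n - 2 lmtp
    -o lmtp_send_xforward_command=yes
127.0.0.1:10026 inet n - n - 16 smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""
AMAVISD_CONF = "$forward_method = 'smtp:127.0.0.1:10025';\n"
CLAMSMTPD_CONF = "OutAddress: 10026\nListen: 127.0.0.1:10025\n"

def port(text, pattern):
    """Return the port captured by `pattern` in `text`, or None."""
    m = re.search(pattern, text, re.M)
    return int(m.group(1)) if m else None

def master_services(master_cf):
    """Map each master.cf service name to its list of -o overrides."""
    services, current = {}, None
    for line in master_cf.splitlines():
        if line[:1].isspace() and current:          # continuation line
            services[current] += re.findall(r"-o\s+(\S+)", line)
        elif line.strip() and not line.startswith("#"):
            current = line.split()[0]
            services[current] = []
    return services

def check_chain(main_cf, master_cf, amavisd_conf, clamsmtpd_conf):
    """Return a list of problems in the filter chain; empty means consistent."""
    problems = []
    clam_in = port(clamsmtpd_conf, r"^Listen:\s*127\.0\.0\.1:(\d+)")
    clam_out = port(clamsmtpd_conf, r"^OutAddress:\s*(?:\S+:)?(\d+)")
    amavis_out = port(amavisd_conf, r"\$forward_method\s*=\s*'smtp:[^']*:(\d+)'")
    if port(main_cf, r"^content_filter\s*=\s*\S+:(\d+)") is None:
        problems.append("main.cf: no content_filter, mail bypasses scanning")
    if clam_in is None:
        problems.append("clamsmtpd: Listen is not bound to 127.0.0.1")
    elif amavis_out != clam_in:
        problems.append(f"amavis forwards to {amavis_out}, clamsmtpd listens on {clam_in}")
    reinject = master_services(master_cf).get(f"127.0.0.1:{clam_out}")
    if reinject is None:
        problems.append(f"no loopback smtpd on port {clam_out} for re-injection")
    elif "content_filter=" not in reinject:
        problems.append("re-injection smtpd keeps content_filter: mail loops")
    return problems
```

To audit a live system, pass the contents of the four real files instead of the embedded samples.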

Spamassassin

As you know, spamassassin has many different settings, which could be the subject of a separate article. How effectively it does its job depends on how resourcefully those settings are chosen. Here is what its configuration looks like on our system:

/etc/spamassassin/local.cf
rewrite_header Subject *****SPAM*****
report_safe 1
required_score  5.0
use_bayes 1
bayes_auto_learn 1
use_razor2 1
razor_timeout 10
skip_rbl_checks 0

More restrictions

If you want to reduce the load on your mail system by turning away the larger share of harmful traffic right "at the door", i.e. before Postfix lets it in to Amavis, you can use the restrictions below. Besides the RBL and RHSBL checks familiar to everyone, there are also strict requirements here for the other mail servers that will try to send us mail to comply with various RFC recommendations.

/etc/postfix/main.cf
# MIME and header strictness
strict_8bitmime = no
strict_8bitmime_body = no
strict_mime_encoding_domain = yes
strict_7bit_header = no

# SMTP session limits and protocol requirements
smtpd_etrn_restrictions = reject
allow_untrusted_routing = no
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_error_sleep_time = 1s
smtpd_delay_reject = yes
disable_dns_lookups = no
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtp_always_send_ehlo = yes

# Checks on the envelope sender (MAIL FROM)
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit

# Checks on the recipient (RCPT TO), including the RBL and RHSBL lookups
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_hostname,
    reject_unknown_recipient_domain,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client dnsbl.ahbl.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rhsbl_sender blackhole.securitysage.com,
    reject_rhsbl_client rhsbl.ahbl.org,
    reject_rhsbl_sender rhsbl.ahbl.org,
    reject_rhsbl_client rhsbl.sorbs.net,
    reject_rhsbl_sender rhsbl.sorbs.net,
    reject_rhsbl_client block.rhs.mailpolice.com,
    reject_rhsbl_sender block.rhs.mailpolice.com,
    reject_rhsbl_client dynamic.rhs.mailpolice.com,
    reject_rhsbl_sender dynamic.rhs.mailpolice.com,
    reject_rhsbl_client bogusmx.rfc-ignorant.org,
    reject_rhsbl_sender bogusmx.rfc-ignorant.org,
    reject_rhsbl_client dsn.rfc-ignorant.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit

# Checks on the HELO/EHLO hostname
smtpd_helo_restrictions =
    reject_invalid_hostname,
    permit_mynetworks,
    permit
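A DNSBL that has shut down can either stop answering or start answering for every address, and with reject_rbl_client the second case rejects all incoming mail. The following Python check is an added example, not part of the original article: it builds the lookup name the way an IP-based list is queried and classifies a zone with the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not). The function names, the fake_dns stand-in and the three zone names are hypothetical.

```python
import ipaddress
import socket

def dnsbl_query_name(client_ip, zone):
    """Name a reject_rbl_client lookup resolves: reversed octets + zone."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return True if `name` has an A record (i.e. the address is listed)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def zone_health(zone, is_listed=system_resolver):
    """Classify a DNSBL zone using the RFC 5782 test entries."""
    test_hit = is_listed(dnsbl_query_name("127.0.0.2", zone))
    false_hit = is_listed(dnsbl_query_name("127.0.0.1", zone))
    if false_hit:
        return "lists-everything"   # would reject all mail: remove it
    if not test_hit:
        return "dead"               # answers nothing: wasted lookup per mail
    return "ok"

def audit(restrictions, is_listed=system_resolver):
    """Map every reject_rbl_client zone in a restriction list to its health."""
    zones = [line.split()[1].rstrip(",") for line in restrictions.splitlines()
             if line.strip().startswith("reject_rbl_client")]
    return {z: zone_health(z, is_listed) for z in zones}

# Constructed stand-in for DNS so the example runs offline; the three zone
# names are hypothetical, not real lists.
def fake_dns(name):
    listed = {"2.0.0.127.good.example"}
    return name in listed or name.endswith(".wildcard.example")

SAMPLE = """\
smtpd_recipient_restrictions =
    reject_rbl_client good.example,
    reject_rbl_client gone.example,
    reject_rbl_client wildcard.example,
    permit
"""
```

Calling audit() with the real restriction list and the default resolver performs live DNS lookups from the mail server itself.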

Test and share your experience. Not everything given in this article may be the optimal solution for you, but at least it is proven to work. Some settings may even turn out to be inconvenient for your needs, but with a proper understanding of things you will find the optimal variant. Here you can follow the statistics of the mail traffic that passes through the "Linuks za bulgari" server.

