Tazi statiia opisva edin ot mnogoto nachini, po koito mozhete da integrirate poshtenskiia survur Postfix sus skener za antivirusna i antispam proverka. Sushtata konfiguratsiia raboti na mashinata, koiato obrabotva poshtenskiia trafik na "Linuks za bulgari". Statiiata e ogranichena do realizatsiiata na bazata na distributsiiata Debian GNU/Linux i e motivirana ot zasileniia interes kum temata i mnozhestvoto vuprosi, koito poluchavam po ICQ ili na lichna korespondentsiia.

Statiiata niama za tsel da obiasni detailno kak e nai-dobre da konfigurirate edno ili drugo. Samo dava informatsiia kakvo triabva da napravite, za da imate tezi neshta raboteshti na vashata sistema. Ostanaloto e vupros na lichen izbor, pretsenka, poznaniia i vuzmozhnosti. Dobre doshli sa vsiakakvi idei i trikove za dopulnitelno uvelichavane na efektivnostta pri borbata sreshtu nezhelanata poshta.

Neobhodimi paketi

apt-get install postfix amavisd-new clamsmtp spamassassin razor spambayes

Ako iskate antivirusniiat skener da analizira arhivi, kompresirani v razlichni formati, dostatuchno e samo da instalirate suotvetniia paket. Poddruzhkata na niakoi kompresirashti formati se namira v sektsiiata non-free na Debian.

Postfix

Na purvo miasto imame Postfix, koito posreshta vhodiashtata poshta na standartniia za tova port - 25. Kakto znaete, tozi poshtenski survur e "razbit" na mnozhestvo supodchineni demoni, koito se grizhat za razlichni neshta i mogat da budat konfigurirani individualno, koeto go pravi izklyuchitelno moshten i udoben za razlichni tseli. V konfiguratsiiata na Postfix imame ukazanie da nasochva vhodiashtata poshta kum vunshen filtur za sudurzhanie, koito "slusha" v nashiia sluchai na port 10024.

content_filter=smtp-amavis:[127.0.0.1]:10024

# Demonut lmtp nasochva trafika kum amavis
 smtp-amavis unix        -       -       n       -       2       lmtp
 -o lmtp_data_done_timeout=1200
 -o disable_dns_lookups=yes
 -o lmtp_send_xforward_command=yes
 
 # Demonut smtpd priema obratno pismata ot clamsmtp
 127.0.0.1:10026 inet  n -       n       -       16      smtpd
 -o content_filter=
 -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
 -o smtpd_helo_restrictions=
 -o smtpd_client_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks_style=host
 -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Amavisd-new

Kakto lichi po-gore, trafikut se nasochva kum Amavisd-new, koito ima grizhata da "posreshtne" pismata, da gi proveri chrez Spamassassin i ako preminat proverkata, da gi nasochi kum clamsmtp.

Konfiguratsionniiat fail na Amavis e goliam, no nie niama da promeniame mnogo neshta po nego. V obshti lini, niakolko drebolii. Ostanaloto prilozhenito si go pravi samo s nastroikite po podrazbirane. Eto redovete, koito se e nalozhilo da pipnem faila /etc/amavis/amavisd.conf:

$mydomain = 'linux-bg.org';
 $myhostname = 'kazan.linux-bg.org';

@bypass_virus_checks_acl = qw( . );
 # @bypass_spam_checks_acl  = qw( . );

$forward_method = 'smtp:127.0.0.1:10025';
 $notify_method = $forward_method;

Kakto mozhe bi se doseshtate, ostaviame na Amavis samo da se pogrizhi za spama, kato "izvika" na pomosht spamassassin. Virusite gi ostaviame na clamsmtp, koito predvaritelno e nastroen da "slusha" na port 10025.

ClamAV

Edinstveniiat konfiguratsionen fail, koito triabva da promenim, v nashiia sluchai e /etc/clamsmtpd.conf. Dve neshta triabva da posochim izrichno - na koi port "slusha" samiiat demon i kum koi port da nasochva pismata, sled kato sa preminali prez proverkata. Doseshtate se, che toi triabva da gi vurne obratno na Postfix, koito gi ochakva na port 10026.

OutAddress: 10026
 Listen: 127.0.0.1:10025

Taka, sled kato pismata sa napravili edna goliama "razhodka", ako sa ostanali zhivi sled vsichki vidove proverki, se vrushtat otnovo na Postfix i produlzhavat po putia si do krainata poshtenska kutiia na poluchatelia. V obshti linii kontseptsiiata mozhe da bude predstavena po sledniia nachin:

Spamassassin

Kakto znaete, spamassassin podlezhi na mnozhestvo razlichni nastroiki, koito mogat da budat predmet na otdelna statiia. Spored nahodchivostta na tezi nastroiki se opredelia i dokolko efektivno shte si vurshi rabotata. Eto kak izglezhda negovata konfiguratsiia pri nas:

rewrite_header Subject *****SPAM*****
 report_safe 1
 required_score  5.0
 use_bayes 1
 bayes_auto_learn 1
 use_razor2 1
 razor_timeout 10
 skip_rbl_checks 0

Oshte restriktsii

Ako iskate da namalite natovarvaneto na poshtenskata si sistema, kato otblusnete po-golemiia protsent ot vredniia trafik oshte "na vratata", t.e. predi Postfix da go propusne navutre kum Amavis, mozhete da polzvate restriktsiite po-dolu. Osven poznatite na vsichki RBL i RHSBL proverki tuk ima i strogi iziskvaniia kum drugite poshtenski survuri, koito shte se opitvat da ni izprashtat pisma, za suobraziavane s razlichni RFC preporuki.

strict_8bitmime = no
 strict_8bitmime_body = no
 strict_mime_encoding_domain = yes
 strict_7bit_header = no
 
 smtpd_etrn_restriction = reject
 allow_untrusted_routing = no
 smtpd_soft_error_limit = 10
 smtpd_hard_error_limit = 20
 smtpd_error_sleep_time = 1s
 smtpd_delay_reject = yes
 disable_dns_lookups = no
 smtpd_helo_required = yes
 strict_rfc821_envelopes = yes
 disable_vrfy_command = yes
 smtp_always_send_ehlo = yes
 
 smtpd_sender_restrictions =
 permit_sasl_authenticated,
 permit_mynetworks,
 reject_unknown_sender_domain,
 reject_non_fqdn_sender,
 reject_rhsbl_sender dsn.rfc-ignorant.org,
 permit
 
 smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 permit_tls_clientcerts,
 reject_non_fqdn_recipient,
 reject_unauth_destination,
 reject_invalid_hostname,
 reject_unauth_pipelining,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_non_fqdn_recipient,
 reject_unknown_hostname,
 reject_unknown_recipient_domain,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client relays.ordb.org,
 reject_rbl_client sbl-xbl.spamhaus.org,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client dnsbl.njabl.org,
 reject_rbl_client dnsbl.ahbl.org,
 reject_rbl_client dnsbl.sorbs.net,
 reject_rhsbl_client blackhole.securitysage.com,
 reject_rhsbl_sender blackhole.securitysage.com,
 reject_rhsbl_client rhsbl.ahbl.org,
 reject_rhsbl_sender rhsbl.ahbl.org,
 reject_rhsbl_client rhsbl.sorbs.net,
 reject_rhsbl_sender rhsbl.sorbs.net,
 reject_rhsbl_client block.rhs.mailpolice.com,
 reject_rhsbl_sender block.rhs.mailpolice.com,
 reject_rhsbl_client dynamic.rhs.mailpolice.com,
 reject_rhsbl_sender dynamic.rhs.mailpolice.com,
 reject_rhsbl_client bogusmx.rfc-ignorant.org,
 reject_rhsbl_sender bogusmx.rfc-ignorant.org,
 reject_rhsbl_client dsn.rfc-ignorant.org,
 reject_rhsbl_sender dsn.rfc-ignorant.org,
 permit
 
 smtpd_helo_restrictions =
 reject_invalid_hostname,
 permit_mynetworks,
 permit

Testvaite i spodeliaaite opita si. Ne vsichko, posocheno v tazi statiia, mozhe da vi dade optimalno reshenie, no pone e dokazano, che raboti. Niakoi nastroiki mozhe dori da se okazhe, che ne sa udobni za vashite nuzhdi, no s pravilno razbirane za neshtata shte namerite optimalniia variant. Tuk mozhete da sledite statistikata na poshtenskiia trafik, koito preminava prez survura na "Linuks za bulgari".

Drugi statii po temata: