Postfix

From Segfault

Installation

We want to enable ClamAV and SpamAssassin scanning, but without AMaViS in between:

 # apt-get install postfix spamassassin spamc clamav-daemon clamsmtp

ClamSMTP is needed as a proxy between the MTA and clamd: although clamd can listen on a network socket, it speaks its own scan protocol rather than SMTP, so Postfix cannot talk to it directly.

Configuration

This is basically explained here; here's the short version again, with snippets from the configuration files:

/etc/postfix/master.cf

 # ClamSMTPd
 smtp      inet  n       -       -       -       -       smtpd
       -o content_filter=scan:127.0.0.1:10025
 [...]
 
 # Maildrop
 maildrop  unix  -       n       n       -       -       pipe
       flags=DRhu argv=/usr/bin/maildrop -d ${recipient}
 
 # SpamAssassin
 spamassassin unix -     n       n       -       -       pipe
       user=mail argv=/usr/bin/spamc -u ${user} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
 
 # ClamAV
 scan    unix    -       -       n       -       16      smtp
       -o smtp_send_xforward_command=yes
 
 127.0.0.1:10026 inet n  -       n       -       16      smtpd
       -o content_filter=spamassassin
       -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
       -o smtpd_helo_restrictions=
       -o smtpd_client_restrictions=
       -o smtpd_sender_restrictions=
       -o smtpd_recipient_restrictions=permit_mynetworks,reject
       -o mynetworks_style=host
       -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Note: the spamassassin service must carry a user= attribute, because pipe(8) requires one; without it we get errors like:

 postfix/pipe[9911]: fatal: missing user= command-line attribute
 postfix/qmgr[9876]: warning: private/spamassassin socket: malformed response
 postfix/qmgr[9876]: warning: transport spamassassin failure -- see a previous warning/fatal/panic
                     logfile record for the problem description
 postfix/master[9874]: warning: process /usr/lib/postfix/pipe pid 9911 exit status 1
 postfix/master[9874]: warning: /usr/lib/postfix/pipe: bad command startup -- throttling
 postfix/error[9922]: DD05E3DD5C: to=<bob@localhost>, relay=none, delay=1.1, delays=0.07/1/0/0.05,
                      dsn=4.3.0, status=deferred (unknown mail transport error

/etc/postfix/main.cf

A few basic configuration parameters[1]:

[...]
home_mailbox = Maildir/
mailbox_command = /usr/bin/maildrop -d ${USER}
maildrop_destination_recipient_limit = 1
mailbox_size_limit = 0
# [2]
message_size_limit = 0

smtpd_tls_cert_file = /etc/ssl/private/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
# [3]
smtp_tls_security_level = may

mydestination = mail.example.com, mail, localhost, 127.0.0.1
mynetworks = 127.0.0.0/8 10.0.0.0/24 [::ffff:127.0.0.0]/104 [::1]/128

Note that smtp_tls_security_level only covers mail Postfix sends out; the certificate and key above serve incoming connections, which additionally need smtpd_tls_security_level = may before clients can use STARTTLS.

Postfix settings can be queried (and modified) via postconf:

$ postconf inet_protocols
inet_protocols = ipv4

$ postconf -e "inet_protocols = ipv4 ipv6"
$ service postfix restart

/etc/clamsmtpd.conf

 OutAddress: 10026
 Listen: 127.0.0.1:10025
 ClamAddress: /var/run/clamav/clamd.ctl
 TempDirectory: /var/spool/clamsmtp
 Action: pass

Note: setting TempDirectory is important too; otherwise clamsmtpd falls back to TMPDIR, which may have been set in root's environment to a directory it cannot access, and will produce errors like:

 clamsmtpd: 100058: clamav error: /var/spool/clamsmtp/clamsmtpd.1Lp6Vz: Can't create temporary directory ERROR
 clamsmtpd: 100058: from=alice@example.com, 
                    to=bob@localhost, status=CLAMAV-ERROR
 postfix/smtp[16155]: E563C11E89: to=<bob@localhost>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08,
                      delays=0.03/0/0.04/0, dsn=4.0.0, status=deferred (host 127.0.0.1[127.0.0.1]
                      said: 451 Local Error (in reply to end of DATA command))
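As an added example (not code from this page or from the Postfix or clamsmtp projects), here is a small Python check that parses master.cf and clamsmtpd.conf and verifies the wiring above: the content_filter port matches Listen, the OutAddress listener exists and rejects relaying for non-local hosts, every pipe(8) service carries user=, and TempDirectory is set. It assumes the eight-field master.cf layout shown on this page, and the two sample inputs are constructed copies of the snippets above.

```python
# Constructed sample inputs mirroring the master.cf / clamsmtpd.conf wiring on this page.
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
      -o content_filter=scan:127.0.0.1:10025
spamassassin unix -     n       n       -       -       pipe
      user=mail argv=/usr/bin/spamc -u ${user} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
127.0.0.1:10026 inet n  -       n       -       16      smtpd
      -o content_filter=spamassassin
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""
CLAMSMTPD_CONF = "OutAddress: 10026\nListen: 127.0.0.1:10025\nTempDirectory: /var/spool/clamsmtp\n"
def parse_master(text):
    """master.cf: a service line of 8 fields, followed by indented '-o' / attribute lines."""
    services, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and cur:                      # continuation of current service
            services[cur]["args"].append(line.strip())
        else:
            f = line.split()
            cur = f[0]
            services[cur] = {"type": f[1], "command": f[7], "args": []}
    return services
def parse_clamsmtpd(text):
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}
def option(svc, name):
    # value of 'name=value', given either as '-o name=value' or as a pipe(8) attribute
    for arg in svc["args"]:
        for tok in (arg[3:] if arg.startswith("-o ") else arg).split():
            if tok.startswith(name + "="):
                return tok[len(name) + 1:]
    return None
def lint(master, clam):
    """Cross-check the scan chain; returns a list of findings (empty means consistent)."""
    findings = []
    cf = option(master["smtp"], "content_filter") or ""    # e.g. scan:127.0.0.1:10025
    if cf.rsplit(":", 1)[-1] != clam.get("Listen", "").rsplit(":", 1)[-1]:
        findings.append("smtp content_filter port differs from clamsmtpd Listen port")
    # OutAddress is where clamsmtpd hands mail back; that smtpd skips the usual checks, so it must not relay
    back = [s for n, s in master.items() if s["type"] == "inet" and n.endswith(":" + clam.get("OutAddress", "?"))]
    if not back:
        findings.append("no inet smtpd service listens on clamsmtpd OutAddress")
    elif option(back[0], "smtpd_recipient_restrictions") != "permit_mynetworks,reject":
        findings.append("re-injection listener does not restrict relaying to mynetworks")
    for name, svc in master.items():                       # pipe(8) requires user=
        if svc["command"] == "pipe" and option(svc, "user") is None:
            findings.append(f"pipe service '{name}' has no user= attribute")
    if "TempDirectory" not in clam:                        # else clamsmtpd falls back to TMPDIR
        findings.append("clamsmtpd.conf does not set TempDirectory")
    return findings
```

Run it against the real files with `lint(parse_master(open("/etc/postfix/master.cf").read()), parse_clamsmtpd(open("/etc/clamsmtpd.conf").read()))`; an empty list means the chain is wired as described above.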

While we're at it, we might want to set "LocalSocketMode 0660" in /etc/clamav/clamd.conf to restrict permissions on the control socket. clamsmtpd then has to be in the clamav group to reach that socket, so be sure to make clamav (i.e. the group clamd is running under) the primary group of the clamsmtp user:

$ usermod -g clamav -G clamsmtp clamsmtp
$ service clamsmtp restart

$ ps -e -o pid,user,group,euser,egroup,comm | grep cla[m]
10103 clamav   clamav   clamav   clamav   clamd
10396 clamsmtp clamav   clamsmtp clamav   clamsmtpd

For added security, disable the login shell for the system users:

for i in postfix clamav clamsmtp mail; do echo $i; chsh -s /bin/false $i; done

TODO: when clamsmtpd has scanned a message, it sets the following environment variables, which the VirusAction script can use afterwards:

 RECIPIENTS
 SENDER
 VIRUS
 SERVER
 CLIENT
 REMOTE

I'm still looking for a way to pass these variables to maildrop...

Troubleshooting

Sometimes Postfix is running, but its transports (spam engines, virus scanners) or its delivery destinations (e.g. /home not yet mounted) are still unavailable, and nasty error messages are generated:

 postfix/master[21760]: daemon started -- version 2.5.5, configuration /etc/postfix
 postfix/qmgr[21763]: 4B63511EA5: from=<alice@example.com>, size=7763, nrcpt=1 (queue active)
 postfix/qmgr[21763]: warning: connect to transport spamassassin: Connection refused
 [...]
 postfix/error[21765]: 4B63511EA5: to=<bob@localhost>, relay=none, status=deferred (mail transport unavailable)
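As an added example (not from the page), here is a Python scan over lines shaped like the excerpts above that pairs deferred queue ids with the transport qmgr could not connect to, so the operator knows what to fix before requeueing. The sample lines are constructed from this page's log excerpts with the syslog timestamp and host prefix left out; the regexes use search(), so real /var/log/mail.log lines with that prefix match too.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of this page's mail.log excerpts (syslog prefix left out).
LOG = """\
postfix/qmgr[21763]: 4B63511EA5: from=<alice@example.com>, size=7763, nrcpt=1 (queue active)
postfix/qmgr[21763]: warning: connect to transport spamassassin: Connection refused
postfix/error[21765]: 4B63511EA5: to=<bob@localhost>, relay=none, status=deferred (mail transport unavailable)
postfix/smtp[16155]: E563C11E89: to=<bob@localhost>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, dsn=4.0.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 Local Error (in reply to end of DATA command))
postfix/local[16160]: A1B2C3D4E5: to=<carol@localhost>, relay=local, delay=0.02, dsn=2.0.0, status=sent (delivered to maildir)
"""

DELIVERY = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>"
                      r".*?relay=(?P<relay>\S+?),.*?status=(?P<status>\w+) \((?P<reason>.*)\)$")
TRANSPORT_WARN = re.compile(r"warning: connect to transport (?P<transport>\S+): (?P<err>.*)$")

def scan(log):
    """deferred: queue id -> dict(rcpt, relay, reason); transports: name -> qmgr's connect error."""
    deferred, transports = {}, {}
    for line in log.splitlines():
        w = TRANSPORT_WARN.search(line)
        if w:
            transports[w["transport"]] = w["err"]
            continue
        m = DELIVERY.search(line)
        if m and m["status"] == "deferred":
            deferred[m["qid"]] = {"rcpt": m["rcpt"], "relay": m["relay"], "reason": m["reason"]}
    return deferred, transports

def report(deferred, transports):
    """One line per distinct deferral reason, naming the unreachable transport where qmgr
    logged one, so the operator knows what to fix before running postsuper -r ALL."""
    by_reason = defaultdict(list)
    for qid, d in deferred.items():
        by_reason[d["reason"]].append(qid)
    lines = []
    for reason, qids in by_reason.items():
        hint = ""
        if reason == "mail transport unavailable" and transports:
            hint = " <- transport(s) refusing connections: " + ", ".join(sorted(transports))
        lines.append(f"{len(qids)} deferred ({reason}){hint}: {' '.join(qids)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(*scan(LOG))))
```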

Often it's just a matter of requeueing the messages:

 postqueue -p                         # print mail queue (mailq)
 postsuper -r ALL                     # requeue all messages
 postqueue -f  or  postfix flush      # flush mail queue (exim -qff), should happen automatically[4]

Open Relay Tests

Once our MTA is configured, we should make sure that it's not an open relay:

Links

  • SpamAssassinRules - "if you use spamd, rules placed in user_prefs will be IGNORED by default."

References