[ale] Mail server config & SPAM control
Chris Egolf
cegolf at ugholf.net
Wed Nov 22 18:49:15 EST 2006
Jay Loden wrote:
> What I'm looking for is recommendations (links, how-to guides, books are
> also appreciated) on:
I've recently completed the same thing over the last few months and choose the
postfix/amavisd-new/spamassassin/clamav/razor combo. Here are some of the links
I found useful (although there are many others I forgot to bookmark):
http://ezine.daemonnews.org/200309/postfix-spamassassin.html
http://www.freespamfilter.org/FC4.html
http://genco.gen.tc/postfix_virtual.php
http://www.howtoforge.com/mail_statistics_mailgraph_pflogsumm
http://www.caspergasper.com/spam.shtml
http://www.freespamfilter.org
http://www.freespamfilter.org/forum/viewtopic.php?t=397&view=previous&sid=d22d6f3a1049ed69ac807e7f4805c953
http://www.freespamfilter.org/forum/viewtopic.php?t=208
I also highly recommend the Postfix and SpamAssassin books by O'Reilly.
> 1) reducing incoming SPAM through better tuning/use of SpamAssassin or
> another filtering system (not interested in blacklisting/RBLs or
> greylisting). I'm ok with using the Thunderbird spam filter here at home
> but that doesn't work on a mobile phone client, or when I use webmail or
> other clients, so I need something server-side.
Well, you might want the reconsider the RBL's. Including a number of RBL's has
significantly dropped the amount of SPAM I receive. Plus, since it's done at
the Postfix (SMTP) level and isnt' a content filter, it's very fast and doesn't
suck up bandwidth. I'm using a number in my /etc/postfix/main.cf file:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client relays.ordb.org,
reject_rbl_client sbl-xbl.spamhaus.org,
#reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client http.dnsbl.sorbs.net,
reject_rbl_client socks.dnsbl.sorbs.net,
reject_rbl_client misc.dnsbl.sorbs.net,
reject_rbl_client smtp.dnsbl.sorbs.net,
reject_rbl_client web.dnsbl.sorbs.net,
reject_rbl_client list.dsdl.org,
reject_rbl_client cbl.abuseat.org
> 4) SMTP with some form of encrypted authentication (don't really know
> what the differences are between TLS or SSL or any other options) for users
Again, here's the snipit from /etc/postfix/main.cf:
# SMTPd Authentication through SASL/TLS
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/pki/tls/certs/sendmail.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/sendmail.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_sasl_auth_enable = yes
Of course, you have to create the sendmail.pem by going to the above directory
and typing 'make sendmail.pem' (assuming Fedora Core 5/6).
> 5) Configuring POP and IMAP to use encrypted authentication so that my
> passwords aren't being sent in the clear (again, not sure what options
> are available there).
This is the last part of my old, creaking system that's still in place. I'm
using the uw-imap packages and created certificates for ipop3d.pem and imapd.pem
in the same directory as above. Then, at least for Fedora, you'll need to edit
the appropriate files in /etc/xinetd.d/ and "enabled=yes" the imaps and pop3s
services. I also disable the non-ssl/tls versions to make sure they're not
accidentally used. Then, open up those ports in your firewall/router and close
the unencrypted ports -- 993 for IMAP over SSL and 995 for POP-3 over SSL.
I've heard that the University of Wash. IMAPd will eventually be removed from
Fedora since it's an "extras" package and not part of the "core", so I plan on
replacing this with either Dovecot or Cyrus-imap one of these days. Dovecot
looks pretty simple, especially for migrating from uw-imap.
--
============================================================================
Chris Egolf
http://www.ugholf.net cegolf [AT] ugholf [DOT] net
============================================================================
More information about the Ale
mailing list