Protecting your email server with Alpine

From Alpine Linux
Latest revision as of 09:44, 13 January 2024

This material is obsolete: these directions are for Alpine 1.7.

This document outlines how you can set up a spam/virus gateway with Alpine Linux. I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal, but this is the way I take. I do not issue any guarantee that this will work for you!

The first thing I want to mention is that it is probably not a good idea to set up Postfix on a diskless system (having the mail spool in memory). If you ever suffer a power failure you will lose the contents of your Postfix spool. That said, in our organization we use a UPS to supply our servers with backup power, so the chance that our server shuts down because of a power failure is minimal (and we are prepared to take this risk).

For this particular setup we are going to use the following:

  • Mailer daemon: Postfix
  • Virus scanner: Clamav
  • SMTP filter: Clamsmtp
  • Greylisting server: Gross
  • Extra definitions: SaneSecurity & MSRBL
  • Exchange 2003 users/groups in relay_recipient_maps
  • Alpine Linux 1.7.19 (some packages are not available before this version)

Setting up the Mailer daemon

The first thing we are going to install is our mailer daemon:

apk add postfix

This will install Postfix with a default configuration in /etc/postfix. Let's first take a look at main.cf, which is (as the name implies) the main configuration file for Postfix. I will show you my configuration file, which you can use (I've commented out some options that we enable later on):

mynetworks = lan-net/24, 127.0.0.0/8
transport_maps = hash:/etc/postfix/transport
relay_domains = $transport_maps
smtpd_helo_required = yes
disable_vrfy_command = yes
#relay_recipient_maps = hash:/etc/postfix/exchange_receipients
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    #check_policy_service inet:127.0.0.1:5525,
    #
    # in case you want to reject DNS blacklists rather than greylist them
    # with gross, uncomment the lines below
    #
    #  reject_rbl_client cbl.abuseat.org,
    #  reject_rbl_client sbl.spamhaus.org,
    #  reject_rbl_client pbl.spamhaus.org,
    #  reject_rbl_client bl.spamcop.net,
    #  reject_rbl_client list.dsbl.org,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
#content_filter = scan:[127.0.0.1]:10025

Note: Don't forget to change lan-net to your LAN subnet.

These are the minimal settings I use to set up a Postfix mail gateway. If you are looking for other settings, issue the following command:

postconf

This will display your current default configuration. If you want to change any of these settings you can add them to main.cf and reload Postfix. Looking at my main.cf file you will see the setting "transport_maps". This setting refers to a file inside the Postfix config directory that tells Postfix which server it should forward mail for each domain to. It should look similar to this:

domain-a.tld   smtp:[192.168.1.1]
domain-b.tld   smtp:[192.168.1.2]

Whenever an email for a domain listed in our "transport_maps" file enters our mail gateway, it will be forwarded after processing to the IP address assigned to that domain. For complete documentation please refer to the Postfix docs. When you are done editing this file, issue the following command:

postmap /etc/postfix/transport

This will create a hash db of this file, which is easier and faster for Postfix to read. The second setting we will look at is "relay_domains". This setting tells Postfix for which domains it will relay email. Because this will most probably be the same set of domains we mention in "transport_maps", we can simply point it at that map. Now your basic email gateway is ready and you can start it, but remember there will be no virus or spam filtering yet.

rc-service postfix start

We can start it at boot:

rc-update add postfix

Setting up the Virus scanner

To be able to filter viruses out of our email we need a virus scanner. The only real open-source solution available is Clamav. Let's install it:

apk add clamav

We will be using the daemonized version of Clamav, "clamd". There is nothing we need to change for Clamav; we can use the default settings, and the virus definitions are automatically updated with freshclam. Let's start it:

rc-service clamd start

Let's start it at boot:

rc-update add clamd

Note: I have had memory issues with clamd on Alpine. I am still looking for a solution to this. For now I advise you to restart clamd with cron every day.

UPDATE: see https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1028; this should be fixed in clamav 0.93.1.

Setting up the SMTP filter

OK, so now we have a mail daemon and a virus daemon installed and configured. Next we need the two daemons to talk to each other. The most popular tool for this is amavisd-new, but it is based on Perl and I don't like it, because Perl can be a resource hog and I'm not planning to install it on my Alpine system. Another, lighter C-based solution is Clamsmtp. It is an SMTP filter that listens for incoming connections, scans the emails with clamd and forwards them back to the MTA. It doesn't come with as many features as amavisd-new, but it's enough for me. Let's install it:

apk add clamsmtp

Here is my clamsmtp.conf configuration file:

OutAddress: 127.0.0.1:10026
Listen: 127.0.0.1:10025
ClamAddress: /var/run/clamav/clamd.sock
TempDirectory: /tmp
Action: drop
Quarantine: on
User: clamav
VirusAction: /etc/postfix/scripts/virus_action.sh

Clamsmtp supports a virus action script that is run each time clamd reports a positive detection. I have included my virus action script here, but it has not been tested enough, so use it at your own risk! Make sure you set the correct permissions on the /etc/postfix/scripts/ directory, because clamsmtp will run as user clamav. Monitor the log file in your /tmp directory.

virus_action.sh

Note: Here in our organization we are running Exchange 2003. Exchange has support for public folders, which is a good way of storing the files we filter with Clamsmtp. Make sure you set proper permissions and size limits on the public folder so it doesn't get too big and so that other people cannot access it; remember, it will contain viruses!

OK, let's configure Postfix for clamsmtp by editing our master.cf and adding the following lines to the end of the file:

# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Let's start Clamsmtp:

rc-service clamsmtp start

And add it to our system start:

rc-update add clamsmtp

If you are sure all your settings are correct we can uncomment the "content_filter" line in our main.cf which will enable Clamsmtp for Postfix and run:

postfix reload

Setting up the Greylisting Server

I have used greylisting for several months now, and while it has its positive effects it also has negative ones. One of the positive effects is that you will get almost no spam/virus emails into your system anymore, but it introduces a delay to part of your email traffic. If your organization is big enough you will start to notice people complaining about delayed emails; this is where Gross comes in. It still uses greylisting, but not for all hosts, only for the ones that match the specified DNSBL databases. If you want to find out more about Gross, please go to their website:

https://code.google.com/p/gross/

Let's install Gross:

apk add gross

Here is my grossd.conf file:

protocol = postfix
statefile = /var/db/gross/state
check = dnsbl
check = rhsbl
dnsbl = zen.spamhaus.org
dnsbl = list.dsbl.org
dnsbl = bl.spamcop.net
dnsbl = combined.njabl.org
dnsbl = cbl.abuseat.org
dnsbl = dnsbl.sorbs.net
rhsbl = rhsbl.sorbs.net

Let's start grossd:

rc-service grossd start

Note: The init file for Gross will automatically generate the grossd state file in the directory specified in its config file. Because we are running Alpine from memory, the state file is not saved to disk, so we need to add it to our backup with lbu_commit. The safest way to do this is to first stop grossd before committing the changes to our backup.

lbu_include /var/db/gross/state

rc-service grossd stop

lbu_commit

rc-service grossd start

Let's start it at boot:

rc-update add grossd

Now we need to make Postfix use our greylisting service by uncommenting the "check_policy_service" line in our main.cf and run:

postfix reload
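The "check_policy_service" line hands every RCPT to a policy server speaking the Postfix policy delegation protocol: Postfix sends "name=value" lines ended by an empty line, the server answers with an "action=" line and an empty line. The following is an added example, not part of the original page and not Gross's own code: it models that exchange and the Gross idea of greylisting only clients that are on a blocklist. The static LISTED_CLIENTS set and the 300-second delay are assumptions standing in for the DNSBL lookups and the real grossd timing.

```python
import time

# Constructed stand-in for the DNSBL/RHSBL lookups grossd performs: clients
# in this set are treated as "listed". A real server resolves the dnsbl=/rhsbl=
# zones from grossd.conf over DNS instead of consulting a static set.
LISTED_CLIENTS = {"203.0.113.7"}          # RFC 5737 documentation address
GREYLIST_DELAY = 300                      # seconds a listed client must wait
SEEN = {}                                 # (client, sender, rcpt) -> first seen


def parse_policy_request(raw):
    """Parse one Postfix policy request: 'name=value' lines, blank line ends it."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break                         # empty line terminates the request
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed attribute line: %r" % line)
        attrs[name] = value
    if attrs.get("request") != "smtpd_access_policy":
        raise ValueError("unsupported request type")
    return attrs


def decide(attrs, now=None, seen=None):
    """Return the Postfix action for a RCPT-stage request, Gross-style:
    clients that are not listed are never greylisted."""
    now = time.time() if now is None else now
    seen = SEEN if seen is None else seen
    client = attrs.get("client_address", "")
    if client not in LISTED_CLIENTS:
        return "dunno"                    # let the remaining restrictions decide
    triplet = (client,
               attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
    first_seen = seen.setdefault(triplet, now)
    if now - first_seen < GREYLIST_DELAY:
        return "defer_if_permit Greylisted, please retry later"
    return "dunno"                        # retried after the delay: pass


def policy_response(raw, now=None, seen=None):
    """Wire-format reply: 'action=...' followed by an empty line."""
    return "action=%s\n\n" % decide(parse_policy_request(raw), now, seen)


def make_request(client, sender, recipient):
    """Build a request block in the form Postfix sends (constructed sample)."""
    return ("request=smtpd_access_policy\n"
            "protocol_state=RCPT\n"
            "protocol_name=ESMTP\n"
            "client_address=%s\n"
            "sender=%s\n"
            "recipient=%s\n\n" % (client, sender, recipient))


def demo():
    """Two clients: one listed (deferred until it retries), one not."""
    seen = {}
    listed = make_request("203.0.113.7", "bulk@example.net", "alice@domain-a.tld")
    clean = make_request("198.51.100.9", "bob@example.org", "alice@domain-a.tld")
    return [
        policy_response(listed, now=1000, seen=seen),   # first try: deferred
        policy_response(listed, now=1100, seen=seen),   # too soon: still deferred
        policy_response(listed, now=1301, seen=seen),   # after 300 s: dunno
        policy_response(clean, now=1000, seen=seen),    # unlisted: never greylisted
    ]


if __name__ == "__main__":
    for reply in demo():
        print(repr(reply))
```

Because the reply is "defer_if_permit" rather than "reject", a listed client that would have been refused by a later restriction anyway is still refused, while legitimate senders only see a temporary 4xx and retry.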

Setting up SaneSecurity & MSRBL extra definitions

Another good way of catching spam is to use the Sanesecurity and MSRBL definitions. You can find more information about these definitions here:

https://www.sanesecurity.co.uk/

To use the following script you will need to install the following packages:

apk add curl rsync

up_clam_ex.sh

Add this script to the /etc/postfix/scripts/ directory.

And add this script to cron:

echo "37 03 * * * /etc/postfix/scripts/up_clam_ex.sh > /dev/null 2>&1" >> /etc/crontabs/root

Note: Please adjust the time so not everybody runs it at the same moment.

And make sure cron is running at boot:

rc-update add cron

Exchange 2003 & relay_recipient_maps

Postfix will accept mail for every address in the domains listed in "relay_domains". Because we want to prevent Postfix from accepting mail for recipients that do not exist, we add the relay_recipient_maps option to our main.cf file. I've already added it, so it only needs to be uncommented. I have included a Visual Basic script here that extracts all valid email addresses of users and groups in Exchange 2003 and writes them to a text file in the root of our IIS server. I've also included a script that downloads this file and processes it into a db that Postfix can read. Put the following file somewhere on your Exchange server and run it periodically with a Windows scheduled task:

export_receipts.vbs

Download the following file and move it to:

exchange_receipients.sh

/etc/postfix/scripts/

Change its settings and add it to cron. I've set it to run 10 minutes after the vbs script runs on my Exchange server:

echo "10,40 * * * * /etc/postfix/scripts/exchange_receipients.sh > /dev/null 2>&1" >> /etc/crontabs/root
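The exchange_receipients.sh script linked above is not reproduced on this page, so the following is an added example (not the page's script) of the processing step it has to perform: turn the exported address list into the "address OK" lines that postmap expects, keeping only recipients in the domains the transport file relays, and refusing to install an empty or sharply shrunken map, since an empty relay_recipient_maps makes Postfix reject every recipient. The transport and export contents are constructed samples.

```python
import re

# Loose syntactic check; the real gate is whether the domain is one we relay.
ADDR_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")


def relay_domains_from_transport(transport_text):
    """Domains named in /etc/postfix/transport (relay_domains = $transport_maps)."""
    domains = set()
    for line in transport_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split(None, 1)[0].lower()
        domains.add(key.lstrip("."))      # ".domain-a.tld" form covers subdomains
    return domains


def build_recipient_map(export_text, domains):
    """Return (accepted, rejected): accepted addresses, normalised and deduplicated."""
    accepted, rejected = set(), []
    for raw in export_text.splitlines():
        addr = raw.strip().lower()
        if not addr or addr.startswith("#"):
            continue
        if not ADDR_RE.match(addr) or addr.rsplit("@", 1)[1] not in domains:
            rejected.append(raw.strip())  # not an address, or outside our domains
            continue
        accepted.add(addr)
    return sorted(accepted), rejected


def render_map(accepted):
    """Text for /etc/postfix/exchange_receipients; afterwards run postmap on it."""
    return "".join("%s OK\n" % a for a in accepted)


def safe_to_install(new_count, old_count, max_drop=0.5):
    """Guard against a failed or truncated export: refuse an empty map, and
    refuse one that lost more than max_drop of the previous entries."""
    if new_count == 0:
        return False
    if old_count and new_count < old_count * (1 - max_drop):
        return False
    return True


# Constructed samples: a transport file like the one on this page and an
# export list with the kind of noise an Exchange dump tends to contain.
TRANSPORT = """\
domain-a.tld   smtp:[192.168.1.1]
domain-b.tld   smtp:[192.168.1.2]
"""
EXPORT = """\
Alice.Smith@domain-a.tld
alice.smith@domain-a.tld
sales@DOMAIN-B.TLD
someone@other.example
not an address
"""


def demo():
    domains = relay_domains_from_transport(TRANSPORT)
    accepted, rejected = build_recipient_map(EXPORT, domains)
    return domains, accepted, rejected, render_map(accepted)


if __name__ == "__main__":
    domains, accepted, rejected, text = demo()
    print(text, end="")
    print("rejected:", rejected)
```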