Protecting your email server with Alpine
This document will outline how you can setup a spam/virus gateway with Alpine Linux. I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
First thing I want to mention is, it is probably not a good way to setup Postfix on a disk less system (having the mailer spool in memory). If you would ever suffer from power failure you would loose the contents of your Postfix spool. That said, in our organization we are using a UPS device to supply our servers with backup power, so the chances that our server would shutdown because of power failure is minimal (and we are prepared to take this risk).
For this particular setup we are going to use the following:
- Mailer daemon: Postfix
- Virus scanner: Clamav
- SMTP filter: Clamsmtp
- Greylisting server: Gross
- Extra definitions: SaneSecurity & MSRBL
- Exchange 2003 users/groups in relay_recipient_maps
- Alpine Linux 1.7.19 (some packages are not available before this version)
Setting up Postfix
The first thing we are going to install is our mailer daemon:
This will install Postfix with a default configuration in /etc/postfix. Lets first take a look at main.cf, this is the (as the name implies) main configuration file for Postfix. I will show you my configuration file which you can use (I've commented out some options which we enable later on):
mynetworks = lan-net/24, 127.0.0.0/8 transport_maps = hash:/etc/postfix/transport relay_domains = $transport_maps smtpd_helo_required = yes disable_vrfy_command = yes #relay_recipient_maps = hash:/etc/postfix/exchange_receipients
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, #check_policy_service inet:127.0.0.1:5525, permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
#content_filter = scan:[127.0.0.1]:10025
These are the minimal settings I use to setup a postfix mail gateway. If you are looking for other settings please issue the following command:
This will display your current default configuration. If you want to change any of these settings you can add them to main.cf and reload postfix.
Looking at my main.cf file you will see the setting "transport_maps". This setting refers to a file inside the postfix config directory which will hold information for postfix to which server it should forward email to. It should look similar like this:
domain-a.tld smtp:[192.168.1.1] domain-b.tld smtp:[192.168.1.2]
When ever an email enters our mail gateway for a domain specified in our "transport_maps" file it will forward this email after processing to the IP address assigned. For complete documentation please refer to the postfix docs. When are ready editing this file, issue the following command:
This will create a hash db of this file which will be easier/faster for postfix to read.
The second setting we will look at is 'relay_domains". This setting will tell postfix for which domains it will relay emails. Because this setting will most probably be the same as the domains we mention in "transport_maps" we can just link to it.
Now your basic email gateway is ready and you can start it but remember there will be no virus or spam filtering.
We can start it at boot:
rc_add -k postfix
Setting up Clamav
To be able to filter out viruses from our emails we need a virus scanner. The only real open-source solution available is Clamav. Lets install it:
We will be using the daemonized version of Clamav "clamd". There is nothing we need to change for Clamav, we can use the default settings. The virus definitions are automatically updated with freshclam. Lets start it:
Lets start it at boot:
rc_add -k clamd
Setting up Clamsmtp
Ok so now we got a mail daemon and a virus daemon installed and setup ready. Now we need the two daemons to talk to each other. The most popular tool to do so is amavisd-new but it is based on Perl and I don't like it because Perl can be a resource hog and I'm not planning to install it on my Alpine install. Another lighter C-based solution is Clamsmtp. It is a SMTP filter which listens for incoming connections and scans the emails with clamd and forwards it back again to the MTA. It doesn't come with a lot of features like amavisd-new does but its enough for me. Lets install it:
Here is my clamsmtp.conf configuration file:
OutAddress: 127.0.0.1:10026 Listen: 127.0.0.1:10025 ClamAddress: /var/run/clamav/clamd.sock TempDirectory: /tmp Action: drop Quarantine: on User: clamav VirusAction: /etc/postfix/scripts/virus_action.sh
To Be Continued....