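#!/bin/sh
# Provisioning script for a small virtual-mailbox mail host: installs Postfix,
# postfwd (policy daemon) and Dovecot (IMAP + LDA + Sieve) and writes their
# configuration with heredocs.  Run as root on Ubuntu.
#
# NOTE(review): this listing was recovered from a paste in which all line breaks
# were lost and every span between a "<" and the next ">" was stripped.  Line
# breaks below are restored from the config-file syntax; where the original
# content is unrecoverable a clearly labelled PLACEHOLDER is used — fill those
# in before running.  Places where the reconstruction is uncertain are marked.
#
# NOTE(review): the script is not idempotent: a second run re-runs groupadd/
# useradd (errors), overwrites the *.orig backups with the generated files and
# appends a second "dovecot" entry to master.cf (see "cat >>" below).

apt install postfix postfwd dovecot-sieve dovecot-imapd
# Dedicated owner of the virtual mailboxes (Postfix virtual_uid/gid_maps and
# Dovecot mail_uid/mail_gid below both use 801).
groupadd -g 801 vmail
useradd -r -u 801 -g 801 -G vmail,mail vmail

### POSTFIX
# Access map consulted by check_client_access in smtpd_helo_restrictions
# (despite the name, texthash keys are client hostnames/addresses, not HELO
# strings).  texthash files need no postmap run.
cat >/etc/postfix/helo_whitelist << 'EOF'
# PLACEHOLDER: the original entries were lost in extraction.
# Format: one "<client-hostname-or-address> OK" line per trusted client.
EOF

cat >/etc/postfix/main.cf << 'EOF'
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
html_directory = no
compatibility_level = 3.6
mail_owner = postfix
myhostname = mail.mrak.cz
myorigin = mrak.cz
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#debug_peer_level = 3
#debug_peer_list = pc-mrak.poda.cz
#setgid_group = postdrop
# Outbound TLS: opportunistic, verified against the system CA bundle.
# (smtpd_tls_security_level was set here too; the duplicate was dropped —
# Postfix uses the last value and warns — it is set once in the TLS section.)
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_security_level = may
meta_directory = /etc/postfix

#################### my setings #################
# Trusted networks: loopback plus the local /29.  Reused verbatim for
# smtpd_client_event_limit_exceptions below.
mynetworks = 127.0.0.0/8 89.29.40.88/29

# (en) relay through a smarthost with SASL password — currently disabled
# RELAY s heslem
#relayhost = smtp.redigy.cz
#smtp_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_sasl_security_options = noanonymous

# 0 = unlimited.  message_size_limit = 0 removes the size cap for inbound
# mail entirely; any bound on message size has to come from elsewhere.
message_size_limit = 0
mailbox_size_limit = 0
virtual_mailbox_limit = 0
recipient_delimiter = +
inet_interfaces = all

# Virtual domains delivered through the "dovecot" pipe transport in master.cf.
# Both maps are texthash files written further down in this script.
virtual_mailbox_domains = mrak.cz gryg.net
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = texthash:/etc/postfix/vmail
#virtual_alias_domains =
virtual_alias_maps = texthash:/etc/postfix/valias
virtual_transport = dovecot
# dovecot-lda takes one recipient per invocation.
dovecot_destination_recipient_limit = 1
#default_destination_recipient_limit = 1
virtual_minimum_uid = 800
virtual_uid_maps = static:801
virtual_gid_maps = static:801

maximal_queue_lifetime = 3d
bounce_queue_lifetime = 3d

############# LIMITS ##################
smtpd_soft_error_limit = 6
smtpd_hard_error_limit = 15
# (en) more frequent statistics output, for tuning
# castejsi vypis statisky pro ladeni
anvil_status_update_time = 60s
# (en) decision period — the time window for every *_rate_limit below
# rozhodovaci obdobi
anvil_rate_time_unit = 600s
# Clients that are excluded from connection count, connection rate, or SMTP request
# rate restrictions. See the mynetworks parameter description for the parameter value syntax.
# smtpd_client_event_limit_exceptions (default: $mynetworks)
smtpd_client_event_limit_exceptions = 127.0.0.0/8 89.29.40.88/29
# How many simultaneous connections any client is allowed to make to this service.
# By default, the limit is set to half the default process limit value.
#smtpd_client_connection_count_limit (default: 50)
smtpd_client_connection_count_limit = 2
# The maximal number of connection attempts any client is allowed to make to this service per time unit.
# The time unit is specified with the anvil_rate_time_unit configuration parameter.
#smtpd_client_connection_rate_limit (default: 0)
smtpd_client_connection_rate_limit = 0
# The maximal number of message delivery requests that any client is allowed
# to make to this service per time unit, regardless of whether or not Postfix
# actually accepts those messages. The time unit is specified with the
# anvil_rate_time_unit configuration parameter.
#smtpd_client_message_rate_limit (default: 0)
smtpd_client_message_rate_limit = 50
#The maximal number of recipient addresses that any client is allowed to send to this service per time unit,
# regardless of whether or not Postfix actually accepts those recipients.
# The time unit is specified with the anvil_rate_time_unit configuration parameter.
# smtpd_client_recipient_rate_limit (default: 0)
#smtpd_client_recipient_rate_limit = 150
# (en) jana@ski-pro.cz sends newsletters, so this was lowered to 50
## jana@ski-pro.cz rozesila newslatery tak to snizime na 50
smtpd_client_recipient_rate_limit = 50

# Client-side (outbound) timeouts.
smtp_connect_timeout = 20s
smtp_data_done_timeout = 160s
smtp_data_init_timeout = 60s
smtp_data_xfer_timeout = 160s
smtp_helo_timeout = 20s
smtp_mail_timeout = 20s
smtp_quit_timeout = 20s
smtp_rcpt_timeout = 20s
smtp_rset_timeout = 10s
smtp_starttls_timeout = 60s
smtp_xforward_timeout = 130s
# smtpd_policy_service_timeout = 120s
smtpd_starttls_timeout = 120s
smtpd_timeout = 130s

########### SSL/TLS ##############
# SASL dovecot — authentication is delegated to Dovecot over the socket
# created by "unix_listener /var/spool/postfix/private/auth" in 10-master.conf.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
#To report SASL login names in Received: message headers (Postfix version 2.3 and later):
# (this puts the login name of authenticated senders into outbound Received: headers)
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
# smtpd_tls_received_header = yes
### TLS ssl
# Inbound TLS is opportunistic ("may").  Plaintext SMTP AUTH is still refused
# on an unencrypted session by Postfix's default smtpd_tls_auth_only = no?
# NOTE(review): smtpd_tls_auth_only is not set here, so its default (no)
# applies — confirm with "postconf smtpd_tls_auth_only" whether AUTH PLAIN
# over a plaintext session is acceptable for this host.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.mrak.cz.crt
smtpd_tls_key_file = /etc/ssl/private/mail.mrak.cz.key
smtpd_tls_CAfile = /etc/ssl/certs/mail.mrak.cz.fullchain.pem

# POLICY
# spf policy daemon lifetime
#policy_time_limit = 3600
# (en) put everything into the HOLD queue, where MailScanner picks it up
# Dame do HOLD fronty, kde si to vyzvedne Mailscanner
# A bare "type:table" here is the legacy short form of check_client_access;
# static:hold therefore holds every message, including those from mynetworks
# and authenticated users.  Later restriction stages are still evaluated, so
# rejects below still apply.
smtpd_client_restrictions = static:hold
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_sasl_authenticated check_client_access texthash:/etc/postfix/helo_whitelist, reject_non_fqdn_helo_hostname
# Sender stage: the postfwd policy daemon is consulted at 127.0.0.1:10040
# (postfwd's default listener) for every non-trusted, non-authenticated client.
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unknown_sender_domain
    check_policy_service inet:127.0.0.1:10040
#    check_client_access hash:/etc/postfix/access
#    reject_unknown_reverse_client_hostname
#    check_policy_service unix:private/policy
#    warn_if_reject, reject_unverified_sender
# Recipient stage.  reject_invalid_hostname / reject_non_fqdn_hostname are the
# pre-2.3 names of the *_helo_hostname restrictions and still work.
# NOTE(review): which of the "#"-prefixed entries below were commented out in
# the original could not be recovered with certainty; the 10041 policy lookup
# is restored as commented because only one postfwd instance (10040) is
# enabled by this script — verify against the original file.
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_invalid_hostname
#
# (en) handled by the HELO filter and whitelist
# reseno helo filtrem a whitelistem
    reject_non_fqdn_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    permit_mynetworks
#    check_policy_service inet:127.0.0.1:10041
#    check_recipient_access proxy:mysql:/etc/postfix/mysql_vaccess.cf
#    permit_auth_destination
    reject_unauth_destination
#    reject_unverified_recipient
#    reject
#    reject_unknown_reverse_client_hostname
#    check_policy_service unix:private/policy
#    warn_if_reject, reject_unverified_sender
# Relay protection does not depend on the list above alone: smtpd_relay_restrictions
# is left at its default (permit_mynetworks, permit_sasl_authenticated,
# defer_unauth_destination), which Postfix evaluates before smtpd_recipient_restrictions.
smtpd_data_restrictions = reject_unauth_pipelining, permit
# NOTE(review): "<name>_time_limit" applies to services spawned from
# master.cf; the inet policy service is an external daemon, so this
# parameter is probably unused (check "postconf -n" warnings).
127.0.0.1:10040_time_limit = 3600
# Seconds to wait for a policy-server reply (unit-less value = seconds).
smtpd_policy_service_timeout = 160
EOF

# Pipe transport that hands each recipient to dovecot-lda as the vmail user.
# NOTE(review): ">>" appends; re-running the script duplicates this entry.
cat >>/etc/postfix/master.cf << 'EOF'
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${nexthop}
EOF

# Virtual alias map (virtual_alias_maps).  Original contents were lost in
# extraction; an empty texthash file is valid.
cat >/etc/postfix/valias << EOF
# PLACEHOLDER: "alias@domain real@domain" lines, one per alias.
EOF
# Virtual mailbox map (virtual_mailbox_maps).  Only the key matters for the
# dovecot transport; the path value is ignored because dovecot-lda derives
# the location from mail_location.  "mrak.czz" is kept exactly as written.
cat >/etc/postfix/vmail << EOF
mrak@mrak.czz mrak.czz/mrak
EOF

### POSTFWD
# postfwd ruleset.  Items inside one rule are ANDed; repeated items of the
# same name inside a macro act as alternatives.  Commented-out lines are kept
# WITHOUT trailing continuation backslashes so they cannot swallow the line
# that follows them.
cat >/etc/postfix/postfwd.cf << 'EOF'
#&&GREYLIST {
#    ask(127.0.0.1:10031);
#};

&&TRUSTED_NETS { \
    client_address=89.29.40.88/29 ; \
    client_address=192.168.255.0/24 ; \
    client_address=77.75.76.0/23 ; \
    client_address=77.75.72.0/23 ; \
    client_address=213.168.187.30/32 ; \
    client_address=213.199.154.0/24 ; \
};

# NOTE(review): helo_name is supplied by the connecting client and is not
# verified; a client that merely says "HELO outlook.com" matches this macro
# and WL_002 then answers dunno, skipping every rate-limit and DNSBL rule
# below.  client_name (the verified PTR) is the safer key for whitelisting.
# The dots in "mxh\d.seznam.cz" are unescaped and match any character.
&&TRUSTED_HOSTS { \
    client_name~=\.savana\.cz$ ; \
    client_name~=outlook\.com$ ; \
    helo_name~=mxh\d.seznam.cz$ ; \
    helo_name~=outlook\.com$ ; \
};

&&TRUSTED_USERS { \
    sasl_username==mrak ; \
};

&&FREEMAIL { \
    client_name~=\.gmx\.net$ ; \
    client_name~=\.web\.de$ ; \
    client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \
};

# contains freemailers
# (the original pattern read "[\.\-]static[[\.\-]" — the stray "[" made the
# second class also match a literal "[", an obvious typo.)
&&STATIC { \
    &&FREEMAIL ; \
    client_name~=[\.\-]static[\.\-] ; \
    client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
};

# DNS whitelists.  NOTE(review): rbl= counts any answer as a hit; dnswl.org
# answers 127.0.0.255 to clients it has blocked for excessive querying, and
# bondedsender/ahbl are no longer operated — verify these lists still answer
# the way this ruleset assumes before relying on RWL_002 for whitelisting.
&&DNSWLS { \
    rbl=list.dnswl.org ; \
    rbl=query.bondedsender.org ; \
    rbl=wl.mailspike.net ; \
};
# rbl=exemptions.ahbl.org ;
# rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ;
# rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ;

# Spamchecks
# HELO does not match the verified client hostname.
&&BADHELO { \
    client_name==!!($$(helo_name)) ; \
};

# (en) sometimes the reverse lookup does not resolve, so I used selective greylisting instead
# obcas to neprelozi reverz tak jsem radeji pouzil selektivni greylisting
# unknown client_name AND (client_ip =! mx_ip) OR (client_ip =! helo_ip)
&&REVERSE { \
    client_name~=^unknown$; \
    sender_mx_addrs!=($$client_address); \
};
#helo_address!=($$client_address);

# Reverse names that look like consumer/dynamic address pools.
&&DYNAMIC { \
    client_name==unknown ; \
    client_name~=\d{1,3}[\-\.]\d{1,3}[\-\.]\d{1,3}; \
    client_name~=\d{5,12} ; \
    client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|customer|dhcp|leased)[_\.\-] ; \
};

# NOTE(review): some of these lists have shut down since this was written; a
# list that returns NXDOMAIN is harmless, one that answers every query is not.
&&DNSBLS { \
    rbl=bl.spamcop.net ; \
    rbl=dnsbl.sorbs.net ; \
    rbl=psbl.surriel.com ; \
    rbl=bl.mailspike.net ; \
    rbl=zen.spamhaus.org ; \
    rhsbl=rhsbl.sorbs.net ; \
};

##
## Ruleset
##
# (en) rule limiting the number of messages accepted from servers with "bad
# karma": if &&DYNAMIC matches (reverse record that looks like adsl, dialup
# etc.) or &&BADHELO (HELO does not match the PTR record), such a "suspect"
# may send only 10 messages per 10 min.  A very good rule that noticeably
# reduced load during botnet spam runs while staying tolerant of badly
# configured mail servers.
#pravidlo pro omezeni poctu zprav prijmutych ze serveru se “spatnou karmou” pokud je splneno pravidlo &&DYNAMIC
# (reverzni zaznam vypadajici jako adsl, dialup a pod.), nebo &&BADHELO (HELO neodpovida PTR zaznamu),
# je takovy “podezdrely” opravnen posilat jen 10 zprav za 10min.Toto je hodne dobre pravdilo, ktere pomohlo
# vyrazne snizit zatez pri spam utocich z botnet siti a zaroven je tolerantni pro spatne konfigurovane mail servery
#
# NOTE(review): the comment says "or" and "10 messages", but the rule ANDs
# &&DYNAMIC with &&BADHELO and allows 2 requests per 600 s — confirm which is
# intended.
# Rate limits
#id=RATE01 ; &&DYNAMIC; &&BADHELO; protocol_state==RCPT;
id=RATE01 ; &&DYNAMIC; &&BADHELO; \
    action=rate(client_address/2/600/450 4.7.1 sorry, max 2 requests per 10min for poorly configured servers)

# stress-friendly behaviour (will not match on postfix version pre 2.5)
#id=STRESS ; stress==yes ; action=dunno

# Whitelists — dunno ends postfwd evaluation for the client.
id=WL_001 ; &&TRUSTED_NETS ; action=dunno
id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno
#id=WL_003 ; &&TRUSTED_USERS ; action=dunno

# (en) sometimes the reverse lookup does not resolve, so I used selective greylisting instead
# obcas to neprelozi reverz tak jsem radeji pouzil selektivni greylisting
#id=RV_001 ; &&REVERSE ; action=REJECT Cannot find your reverse hostname and MX not mach client address

# (en) servers on DNS whitelists are helped to avoid the restrictions
# serverum v DNS whitelistech to pomaha vyhnout se omezenim
#DNSWL checks - lookup
id=RWL_001 ; &&DNSWLS ; rhsblcount=all ; rblcount=all ; \
    action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
# DNSWL - whitelisting (PREPEND is a final answer, so matching clients skip the DNSBL rules)
id=RWL_002 ; HIT_dnswls>=2 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
id=RWL_003 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
id=RWL_004 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$

# (en) servers on 3 or more blocklists are hard-rejected (no "appeal")
# {originally set to 2}.  Servers on 1-2 blocklists that also have a bad
# HELO or a DYNAMIC reverse are rejected too.
# NOTE(review): RBL_002 below rejects at HIT_dnsbls>=2, not 3 — the comment
# and the rule disagree.
# Servery co jsou na 3 a vice BL na tvrdo odmita (bez moznosti “odvolani”) {puvodne bylo na staveno na 2}.
# Servery ktere se obevi na 1-2 BL a maji spatne HELO ci DYNAMIC reverz, jsou take odmitnuty.
# DNSBL checks - lookup
id=RBL_001 ; &&DNSBLS ; rhsblcount=all ; rblcount=all ; \
    action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
# DNSBL checks - evaluation
# (the reject text originally referenced $$DSBL_count, which no rule ever
# sets; HIT_dnsbls is the counter RBL_001 actually maintains.)
id=RBL_002 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls dnsbls, INFO: [$$DSBL_text]
id=RBL_003 ; HIT_dnsbls>=1 ; &&DYNAMIC ; action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
id=RBL_004 ; HIT_dnsbls>=1 ; &&BADHELO ; action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
id=RBL_005 ; HIT_dnsbls>=1 ; &&REVERSE ; action=REJECT listed on dnsbl and PTR does not match MX record, INFO: [$$DSBL_text]

# (en) if a server is on 1 or more blocklists, or has a bad HELO or DYNAMIC reverse, it is greylisted
# Pokud je server na 1 a vice BL, nebo ma spatne HELO ci DYNAMIC, je greylistovan.
# Selective greylisting (disabled together with &&GREYLIST above)
#id=GREY_001 ; action=dunno ; &&STATIC
#id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$
#id=GREY_003 ; action=dunno ; HIT_dnswls>=1
#id=GREY_004 ; action=&&GREYLIST ; &&DYNAMIC
#id=GREY_005 ; action=&&GREYLIST ; HIT_dnsbls>=1
#id=GREY_006 ; action=&&GREYLIST ; &&REVERSE
EOF
systemctl --now enable postfwd.service

### DOVECOT IMAP
# Global default Sieve script (sieve_default below): file mail flagged as spam
# into the "Spam" folder, which lda_mailbox_autocreate creates on first use.
cat >/etc/dovecot/default.sieve << "EOF"
#require ["fileinto","envelope","reject","vacation","imap4flags","relational","comparator-i;ascii-numeric","regex","body","date"];
# dafault identified spam filtering
require ["fileinto"];
# :matches compares the whole header value, so a bare "Yes" only matched a
# header that is exactly "Yes"; "Yes*" also accepts the common
# "Yes, score=..." form.  Whether the upstream filter emits X-Spam-Status at
# all should be confirmed against its headers.
if header :matches "X-Spam-Status" "Yes*" {
    fileinto "Spam";
}
EOF

mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
# NOTE(review): pop3 and lmtp are listed but only dovecot-imapd is installed
# above; install dovecot-pop3d / dovecot-lmtpd or drop them from protocols,
# otherwise Dovecot may refuse to start.
cat >/etc/dovecot/dovecot.conf << "EOF"
protocols = imap pop3 lmtp
listen = *, ::
base_dir = /run/dovecot/
dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
!include conf.d/*.conf
!include_try local.conf
EOF

# passwd-file user database (see auth-passwdfile.conf.ext).  Only examples are
# written; real accounts are added by hand.
# NOTE(review): this file will hold password hashes — the script does not
# restrict its permissions (it should not be world-readable), and the
# example uses MD5-CRYPT; "doveadm pw -s SHA512-CRYPT" gives a stronger hash
# for new accounts.
cat >/etc/dovecot/users << "EOF"
#user:{plain}pass:1000:1000::/home/user::userdb_mail=maildir:~/Maildir allow_nets=192.168.0.0/24
#user2:{plain}pass2:1001:1001::/home/user2
# doveadm pw -s md5-CRYPT
#smarthost:{MD5-CRYPT}$1$********:801:801::/var/vmail/mrak.cz/smarthost::
EOF

mv /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
# PLAIN only; with ssl = required (10-ssl.conf) it is never offered on a
# cleartext connection.
cat >/etc/dovecot/conf.d/10-auth.conf << "EOF"
auth_mechanisms = plain
!include auth-passwdfile.conf.ext
EOF

cat >>/etc/dovecot/conf.d/10-logging.conf << "EOF"
auth_verbose = yes
EOF

mv /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
# NOTE(review): mail_location uses only the local part (%n) under mrak.cz, and
# the userdb below also keys on %n, so a user in gryg.net with the same local
# part as a mrak.cz user shares that mailbox.
# NOTE(review): /usr/lib64/dovecot is the RHEL-style module path; Ubuntu ships
# modules under /usr/lib/dovecot/modules (the master.cf line above already
# uses /usr/lib/dovecot) — check "doveconf -d mail_plugin_dir", or the sieve
# plugin will not load.
cat >/etc/dovecot/conf.d/10-mail.conf << "EOF"
namespace inbox {
  inbox = yes
}
mail_plugin_dir = /usr/lib64/dovecot
protocol !indexer-worker {
}
mbox_write_locks = fcntl
mail_location = maildir:/var/vmail/mrak.cz/%n
mail_uid = 801
mail_gid = 801
mail_privileged_group = mail
EOF

mv /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig
# Only IMAPS (993) is reachable from outside; IMAP 143 and both POP3
# listeners bind to localhost.  The private/auth socket is what Postfix's
# smtpd_sasl_path = private/auth talks to; auth-userdb is used by dovecot-lda
# running as vmail.
cat >/etc/dovecot/conf.d/10-master.conf << "EOF"
service imap-login {
  inet_listener imap {
    address = localhost
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    address = localhost
  }
  inet_listener pop3s {
    address = localhost
  }
}
service lmtp {
  unix_listener lmtp {
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0660
    group = vmail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}
service stats {
  # make this large enough so all Dovecot processes can connect
  client_limit = 10000
  unix_listener stats-writer {
    user = vmail
  }
}
EOF

mv /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig
# Dovecot reads "<path" as "contents of file".  The original paths (and
# everything up to the 15-lda.conf heredoc, including any backup "mv" of
# 15-lda.conf) were lost in extraction.
cat >/etc/dovecot/conf.d/10-ssl.conf << "EOF"
ssl = required
# PLACEHOLDER: use the same certificate/key pair as smtpd_tls_cert_file and
# smtpd_tls_key_file in main.cf.
ssl_cert = <PLACEHOLDER_CERT_PATH
ssl_key = <PLACEHOLDER_KEY_PATH
EOF

cat >/etc/dovecot/conf.d/15-lda.conf << "EOF"
postmaster_address = postmaster@mrak.cz
hostname = mail.mrak.cz
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
  mail_plugins = sieve
}
EOF

mv /etc/dovecot/conf.d/90-sieve-extprograms.conf /etc/dovecot/conf.d/90-sieve-extprograms.conf.orig
# NOTE(review): the stock 90-sieve.conf shipped by dovecot-sieve sorts after
# this file and also sets "sieve = ..."; the value below may therefore be
# overridden — confirm the effective settings with "doveconf -n".
cat >/etc/dovecot/conf.d/90-sieve-extprograms.conf << "EOF"
plugin {
  sieve = file:~/.dovecot.sieve;name=personal
  sieve_default = /etc/dovecot/default.sieve
  sieve_default_name = default
}
EOF

mv /etc/dovecot/conf.d/auth-passwdfile.conf.ext /etc/dovecot/conf.d/auth-passwdfile.conf.ext.orig
# scheme=md5 is the default hash scheme for entries without a {SCHEME}
# prefix; username_format=%n strips the domain before the lookup.
cat >/etc/dovecot/conf.d/auth-passwdfile.conf.ext << "EOF"
passdb {
  driver = passwd-file
  args = scheme=md5 username_format=%n /etc/dovecot/users
}
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/users
}
EOF
# NOTE(review): Postfix and Dovecot are not reloaded here; the new
# configuration takes effect only after "systemctl restart postfix dovecot".
###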