You are here: Foswiki>HomeInfra Web>Postfix (30 Jun 2017, AdminUser)Edit Attach

digraph {

rankdir=LR;

message [color="red", shape="signature"]; Maildir [color="darkgreen",shape="folder"];

message -> haproxy [color="red",style="bold"]; haproxy -> postscreen [color="orange",style="bold"]; DROProuting -> haproxy [color="red",style="bold"];

subgraph cluster_0 { rankdir=TB; label="Postfix"; style="rounded,bold"; bgcolor="brown2:green2";

postscreen -> smtpd; } smtpd -> DNSBL [dir="both"]; smtpd -> Spamassassin [dir="both"]; smtpd -> Maildir [color="green",style="bold"]; }

Postfix

A nearly standard Postfix installation with only some minor customizations
  • Postscreen support, filter out the worst spambots
  • Proxy Protocol with HAProxy (the original ip-address is forwarded to Postfix)
  • DNSBL support

Installation 

apt-get install postfix

Postscreen

Changes to /etc/postfix/master.cf 

...
#smtp      inet  n       -       -       -       -       smtpd
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
...

Proxy Protocol

Changes to /etc/postfix/main.cf which can be added to the end of the file

Receive the original client-ip address via the proxy procotol 
postscreen_upstream_proxy_protocol = haproxy

DNS black lists

Support for DNS Black lists. smtpd_recipient_restrictions happens at RCPT TO level, so before the message enters Spamassassin. 
smtpd_recipient_restrictions =
        reject_rbl_client sbl-xbl.spamhaus.org,
        permit

Maildir

Deliver mail in ~/Maildir 
home_mailbox = Maildir/

Follow the OpenLDAP client installation instructions on how the LDAP users are made know to Postfix.

Spamassassin

With small modifications from http://forums.sentora.org/showthread.php?tid=22 Spamassassin is very "expensive" compared to Postscreen and DNSBL.

Installation 

apt-get install spamassassin spamc libmail-dkim-perl libmail-spf-perl pyzor razor bzip2 file gzip unzip zip

Run as non-root user

In order to run SpamAssassin as non-root user, create a new user specific for this task. 
groupadd spamd
useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd
mkdir /var/log/spamassassin
chown spamd:spamd /var/log/spamassassin

Configure Spamassassin

/etc/default/spamassassin 
ENABLED=1
CRON=1
...
SAHOME="/var/log/spamassassin/"
OPTIONS="--create-prefs --max-children 2 --username spamd -H ${SAHOME} -s ${SAHOME}spamd.log"

And change/update /etc/postfix/master.cf (again) so spamassassin is included, after the check performed by Postscreen. 
...
#smtp      inet  n       -       -       -       -       smtpd
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd -o content_filter=spamassassin
#dnsblog   unix  -       -       -       -       0       dnsblog
...

Add at the end of the master.cf 
spamassassin unix - n n - - pipe user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

/etc/spamassassin/local.cf 
rewrite_header Subject [*** SPAM ***]
required_score 3.0

Restart spamassassin and postfix.
Edit  | Attach | Print version | History: r12 < r11 < r10 < r9 | Backlinks | View wiki text | More topic actions
Topic revision: r12 - 30 Jun 2017, AdminUser - This page was cached on 03 Jul 2017 - 19:46.

This site is powered by FoswikiCopyright © by Eddy Vervest