On 11/5/2013 5:41 AM, mark hardwick wrote:
> Hi All
> I'm setting up a new email server and I'm fairly green so I just wanted
> someone to confirm I'm not doing anything stupid.
>
> First I've followed the instructions from Falco here:
> http://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-debian-wheezy
>
> This worked fine. It's all tested and gives the correct responses. Even
> sends email :)
>
> I altered it slightly to forward inbound mail to offered+[code]@domain.com to
> a script. (Thanks to Noel for helping me to get that working.)
>
> Next I wanted to add support for DKIM.
>
> For this I followed some short instructions for postfix + amavisd-new here:
> http://blog.purrdeta.com/2012/06/guide-to-dkim-signing-with-amavisd-new-and-postfix/
>
> It required a bit of hacking of the amavisd config and master.cf. My problem
> is I'm not 100% sure it's compatible with Falco's setup.
> I wondered if someone could scan this and tell me if and where it's broken?
> I don't want to accidentally create a relay or anything else nasty.
>
> The modifications to amavisd seemed fine so I just went with what was in the
> post above, however I'm not 100% certain they're in the correct files. I
> changed the following;
>
> 20-debian_defaults:
>
> $inet_socket_port = [10024,10026];
>
> 25-amavisd-helpers:
>
> ##
> ## Functionality required for amavis helpers like
> ## amavis-release.
> ##
>
> # Enable required AM.PDP protocol socket.
> #
> # this is incompatible with the old helpers, but one can
> # have multiple inet (not unix) sockets to overcome this
> # issue. Refer to the amavisd-new documentation for more
> # information
>
> $unix_socketname = "/var/lib/amavis/amavisd.sock";
>
> $interface_policy{'SOCK'} = 'AM.PDP-SOCK';
> $policy_bank{'AM.PDP-SOCK'} = {
>   protocol => 'AM.PDP',
>   auth_required_release => 0,   # don't require secret-id for release
> };
>
> # NEW policy for user with DKIM signing - not sure if this is the correct
> # location?
>
> $interface_policy{'10026'} = 'ORIGINATING';
>
> $policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
>   originating => 1,        # declare that mail was submitted by our smtp client
>   allow_disclaimers => 1,  # enables disclaimer insertion if available
>   # notify administrator of locally originating malware
>   virus_admin_maps => ["virusalert\@$mydomain"],
>   spam_admin_maps  => ["virusalert\@$mydomain"],
>   warnbadhsender   => 1,
>   # forward to a smtpd service providing DKIM signing service
>   forward_method => 'smtp:[127.0.0.1]:10027',
>   # force MTA conversion to 7-bit (e.g. before DKIM signing)
>   smtpd_discard_ehlo_keywords => ['8BITMIME'],
>   bypass_banned_checks_maps => [1],        # allow sending any file names and types
>   terminate_dsn_on_notify_success => 0,    # don't remove NOTIFY=SUCCESS option
> };
>
> 1;  # ensure a defined return
>
>
> Then in the master.cf I have (the main change is at the bottom).
>
> master.cf:
>
> #
> # Postfix master process configuration file.  For details on the format
> # of the file, see the master(5) manual page (command: "man 5 master").
> #
> # Do not forget to execute "postfix reload" after editing this file.
> #
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==========================================================================
> smtp      inet  n       -       -       -       -       smtpd
> #smtp      inet  n       -       -       -       1       postscreen
> #smtpd     pass  -       -       -       -       -       smtpd
> #dnsblog   unix  -       -       -       -       0       dnsblog
> #tlsproxy  unix  -       -       -       -       0       tlsproxy
> submission inet n       -       n       -       -       smtpd
> #  -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o content_filter=amavis:[127.0.0.1]:10026
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> #smtps     inet  n       -       -       -       -       smtpd
> #  -o syslog_name=postfix/smtps
> #  -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> #628       inet  n       -       -       -       -       qmqpd
> #pickup    fifo  n       -       -       60      1       pickup
> pickup    fifo  n       -       -       60      1       pickup
>   -o smtpd_tls_security_level=encrypt
>   -o content_filter=smtp-amavis:[127.0.0.1]:10026
> cleanup   unix  n       -       -       -       0       cleanup
> qmgr      fifo  n       -       n       300     1       qmgr
> #qmgr     fifo  n       -       n       300     1       oqmgr
> tlsmgr    unix  -       -       -       1000?   1       tlsmgr
> rewrite   unix  -       -       -       -       -       trivial-rewrite
> bounce    unix  -       -       -       -       0       bounce
> defer     unix  -       -       -       -       0       bounce
> trace     unix  -       -       -       -       0       bounce
> verify    unix  -       -       -       -       1       verify
> flush     unix  n       -       -       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> proxywrite unix -       -       n       -       1       proxymap
> smtp      unix  -       -       -       -       -       smtp
> relay     unix  -       -       -       -       -       smtp
> #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq     unix  n       -       -       -       -       showq
> error     unix  -       -       -       -       -       error
> retry     unix  -       -       -       -       -       error
> discard   unix  -       -       -       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       -       -       -       lmtp
> anvil     unix  -       -       -       -       1       anvil
> scache    unix  -       -       -       -       1       scache
> #
> # ====================================================================
> # Interfaces to non-Postfix software. Be sure to examine the manual
> # pages of the non-Postfix software to find out what options it wants.
> #
> # Many of the following services use the Postfix pipe(8) delivery
> # agent.  See the pipe(8) man page for information about ${recipient}
> # and other message envelope options.
> # ====================================================================
> #
> # maildrop. See the Postfix MAILDROP_README file for details.
> # Also specify in main.cf: maildrop_destination_recipient_limit=1
> #
> maildrop  unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
> #
> # ====================================================================
> # See the Postfix UUCP_README file for configuration details.
> #
> uucp      unix  -       n       n       -       -       pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> #
> # Other external delivery methods.
> #
> ifmail    unix  -       n       n       -       -       pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp     unix  -       n       n       -       -       pipe
>   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
> scalemail-backend unix  -       n       n       -       2       pipe
>   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
> mailman   unix  -       n       n       -       -       pipe
>   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
>
> parser    unix  -       n       n       -       -       pipe
>   user=virtual argv=/bin/bash /usr/local/bin/ssh_parser
>
> amavis    unix  -       -       -       -       2       smtp
>   -o smtp_data_done_timeout=1200
>   -o smtp_send_xforward_command=yes
>
> 127.0.0.1:10025 inet n  -       -       -       -       smtpd
>   -o content_filter=
>   -o local_recipient_maps=
>   -o relay_recipient_maps=
>   -o smtpd_restriction_classes=
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o mynetworks=127.0.0.0/8
>   -o strict_rfc821_envelopes=yes
>   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>
>
> 127.0.0.1:10027 inet n  -       n       -       -       smtpd
>   -o content_filter=
>   -o smtpd_delay_reject=no
>   -o smtpd_client_restrictions=permit_mynetworks,reject
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_data_restrictions=reject_unauth_pipelining
>   -o smtpd_end_of_data_restrictions=
>   -o smtpd_restriction_classes=
>   -o mynetworks=127.0.0.0/8
>   -o smtpd_error_sleep_time=0
>   -o smtpd_soft_error_limit=1001
>   -o smtpd_hard_error_limit=1000
>   -o smtpd_client_connection_count_limit=0
>   -o smtpd_client_connection_rate_limit=0
>   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>   -o local_header_rewrite_clients=
>
> Any thoughts greatly received.
> Please ask if I need to send more files.
>
> Thanks
> Mark.
>

I don't see any obviously dangerous errors, but I don't have time to comb
through a complex config looking for all possible errors.  Try it and
test it.  If it doesn't behave as expected, feel free to come back with
specific questions.

-- 
Noel Jones
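Mark's worry is the one that matters with a content-filter setup like this: the re-injection listeners (10025 for amavisd's normal path, 10027 for the DKIM-signing path) run with their restriction lists emptied and trust `mynetworks`, so they must only ever be reachable from the filter itself. The script below is an added example written for this thread, not code from the original post or from the amavisd/Postfix projects. It parses a master.cf in the format quoted above and applies two mechanical checks a reviewer would otherwise do by eye: every `inet` smtpd with `content_filter=` cleared must be bound to a loopback host and must not widen `mynetworks` past loopback, and every non-empty `content_filter=transport:nexthop` must name a transport that is actually defined in the file. The embedded sample is a constructed excerpt of the quoted master.cf plus one hypothetical service, `10028`, added only to show what an exposed re-injection port looks like to the checker; on the quoted excerpt the second check also flags the `pickup` entry, whose `content_filter=smtp-amavis:...` names a transport that does not appear in the file (only `amavis` does).

```python
"""Sanity-check a Postfix master.cf for content-filter re-injection services."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the master.cf quoted in the thread.  The last
# service (10028) is hypothetical and deliberately wrong: it listens on every
# interface and trusts the whole Internet, so it would relay for anyone.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o content_filter=amavis:[127.0.0.1]:10026
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
127.0.0.1:10027 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
# hypothetical bad entry (constructed for this example, not in the thread)
10028     inet  n       -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=0.0.0.0/0
"""

LOOPBACK_NETS = {"127.0.0.0/8", "127.0.0.1", "127.0.0.1/32", "::1", "[::1]", "[::1]/128"}


@dataclass
class Service:
    name: str                     # "smtp", "submission", "127.0.0.1:10025", ...
    stype: str                    # inet / unix / fifo / pass
    command: str                  # smtpd, smtp, pipe, ...
    options: Dict[str, str] = field(default_factory=dict)   # from "-o key=value" lines

    def bound_to_loopback(self) -> bool:
        """True when an inet service name is [host]:port with a loopback host."""
        host, sep, _port = self.name.rpartition(":")
        if not sep:
            return False          # bare port: binds to inet_interfaces, usually all
        return host.strip("[]") in ("127.0.0.1", "::1", "localhost")


def parse_master_cf(text: str) -> List[Service]:
    """Parse master(5) syntax: a service line, then indented '-o name=value' lines."""
    services: List[Service] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":       # continuation line belongs to the previous service
            if not services:
                raise ValueError("continuation line before any service: %r" % raw)
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", raw)
            if m:
                services[-1].options[m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) < 8:       # name type private unpriv chroot wakeup maxproc command
            raise ValueError("malformed service line: %r" % raw)
        services.append(Service(name=fields[0], stype=fields[1], command=fields[7]))
    return services


def check_master_cf(services: List[Service]) -> List[Tuple[str, str]]:
    """Return (service name, problem) pairs for the two checks described above."""
    findings: List[Tuple[str, str]] = []
    names = {s.name for s in services}
    for s in services:
        cf = s.options.get("content_filter")
        if cf:                    # non-empty filter: its transport must exist in master.cf
            transport = cf.split(":", 1)[0]
            if transport not in names:
                findings.append((s.name, "content_filter names undefined transport %r" % transport))
        if s.stype == "inet" and s.command == "smtpd" and cf == "":
            # re-injection listener: reachable only from the filter on this host
            if not s.bound_to_loopback():
                findings.append((s.name, "re-injection smtpd is not bound to a loopback address"))
            nets = s.options.get("mynetworks")
            if nets is not None:
                wide = [n for n in re.split(r"[,\s]+", nets) if n and n not in LOOPBACK_NETS]
                if wide:
                    findings.append((s.name, "mynetworks override trusts non-loopback %s" % wide))
    return findings


if __name__ == "__main__":
    for name, problem in check_master_cf(parse_master_cf(SAMPLE_MASTER_CF)):
        print("%-18s %s" % (name, problem))
```

Run it against a real file with `parse_master_cf(open("/etc/postfix/master.cf").read())`; the checks are deliberately narrow and are a complement to `postconf -M` and a live relay test from a non-loopback address, not a replacement for them.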