Re: Re: [suse-security] libwrap supported services

Good try guys, BUT... :-)

I tried both the rpm and the ldd way and got plenty of services listed. After a quick look I could not find either portmap or telnet (both installed on the system), yet I know they are libwrap supported software.

Petteri

-----Original Message-----
From: Christian Boltz <suse-security@cboltz.de>
To: suse-security@suse.com
Date: Thu, 17 Nov 2005 21:52:33 +0100
Subject: Re: [suse-security] libwrap supported services

Hello,

On Thursday, 17 November 2005 12:31, Armin Schoech wrote: [...]
Do you think this is a complete list of services (with the files in /etc/xinetd.d, of course)?
--> I don't really know. But if you really want to be sure, you could use a command like "ldd /usr/sbin/* /sbin/* ..."
to list all libraries used by the different programs. Then you have to look for "libwrap" to find the tcp-wrapper. This will list only programs using the shared version of libwrap, though.
For a fast overview, you can also try rpm -q --whatrequires libwrap.so.0 ;-)
Programs compiled linking libwrap statically are probably much harder to nail down.
I guess rpm also doesn't know about them.

Regards,
Christian Boltz
--
One of the main reasons for the downfall of the Roman Empire was that, lacking zero, they had no way to indicate successful termination of their C programs.

strings /sbin/portmap | grep wrap
libwrap.so.0

Dirk

Petteri Hakkarainen wrote:
Good try guys, BUT...:-)
I tried both the rpm and the ldd way and got plenty of services listed. After a quick look I could not find either portmap or telnet (both installed on the system), yet I know they are libwrap supported software.
Petteri
-----Original Message-----
From: Christian Boltz <suse-security@cboltz.de>
To: suse-security@suse.com
Date: Thu, 17 Nov 2005 21:52:33 +0100
Subject: Re: [suse-security] libwrap supported services
Hello,
On Thursday, 17 November 2005 12:31, Armin Schoech wrote: [...]
Do you think this is a complete list of services (with the files in /etc/xinetd.d, of course)?
--> I don't really know. But if you really want to be sure, you could use a command like "ldd /usr/sbin/* /sbin/* ..."
to list all libraries used by the different programs. Then you have to look for "libwrap" to find the tcp-wrapper. This will list only programs using the shared version of libwrap, though.
For a fast overview, you can also try rpm -q --whatrequires libwrap.so.0 ;-)
Programs compiled linking libwrap statically are probably much harder to nail down.
I guess rpm also doesn't know about them.
Regards,
Christian Boltz
--
Dirk Schreiner
TRIA IT-consulting GmbH
http://www.tria.de

Hi,
I tried both the rpm and the ldd way and got plenty of services listed. After a quick look I could not find either portmap or telnet (both installed on the system), yet I know they are libwrap supported software.
--> The executable "telnet" is the client. Only "telnetd" is the daemon that is linked against libwrap. But you seem to have a strange system. The suggested syntax works on my SuSE 9.1 and SuSE 9.3 systems.

This is SuSE 9.1:

hostname:/sbin # ldd portmap
linux-gate.so.1 => (0xffffe000)
libwrap.so.0 => /lib/libwrap.so.0 (0x40031000)
libutil.so.1 => /lib/libutil.so.1 (0x40039000)
libc.so.6 => /lib/tls/libc.so.6 (0x4003c000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

hostname:/sbin # rpm -q --whatrequires libwrap.so.0
tcpd-7.6-710
lprng-3.8.25-37
quota-3.11-22
portmap-5beta-728
nfs-utils-1.0.6-103
sendmail-8.12.10-158
openssh-3.8p1-37.17
net-snmp-5.1-80.22
mysql-4.0.18-32.20

Telnetd is not installed.

This is SuSE 9.3:

hostname:~ # ldd /sbin/portmap
linux-gate.so.1 => (0xffffe000)
libwrap.so.0 => /lib/libwrap.so.0 (0x40031000)
libutil.so.1 => /lib/libutil.so.1 (0x40039000)
libc.so.6 => /lib/tls/libc.so.6 (0x4003d000)
/lib/ld-linux.so.2 (0x40000000)

host:~ # rpm -q --whatrequires libwrap.so.0
tcpd-7.6-715
quota-3.12-4
syslog-ng-1.6.5-10
portmap-5beta-733
nfs-utils-1.0.7-3
openssh-3.9p1-12
cups-client-1.1.23-7
cups-1.1.23-7
xinetd-2.3.13-45.2
net-snmp-5.2.1-5.2
ethereal-0.10.13-2.2
openldap2-2.2.23-6
mysql-4.1.10a-3.4

Here's a way to find statically linked libwrap enabled programs:

hostname:~/ strings super_daemon | grep hosts_access
hosts_access_verbose
@(#) hosts_access.c 1.21 97/02/12 02:13:22

where "super_daemon" is a program that is linked statically with libwrap.

Cheers,
Armin
--
Am Hasenberg 26                 office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                     Schloss-Straße 6
Tel. ++49-(0)38203/42137                D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de             Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/             Fax. +49-(0)38293-68-50
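The thread's three checks (ldd for the shared libwrap.so dependency, rpm --whatrequires for packaged dependencies, strings | grep hosts_access for statically linked binaries) combined into one scan, as an added example that is not part of the original thread. It assumes a POSIX shell with ldd and grep available; grep -a stands in for strings so the script also works without binutils, and rpm is left out because it only knows about dependencies declared in packages, as Christian notes.

```shell
#!/bin/sh
# libwrap_scan.sh: report which executables under the given directories use
# tcp_wrappers (libwrap), covering both the dynamically linked case (ldd lists
# libwrap.so) and the statically linked case (no libwrap.so dependency, but the
# hosts_access symbols and the hosts_access.c SCCS id are compiled in).
#
# Assumptions (not from the thread): grep -a replaces strings, and a file with
# neither marker is reported as "none".

# Classify one file: prints "dynamic", "static", "none" or "missing".
libwrap_kind() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 0; }
    # Shared case: the dynamic loader resolves libwrap.so.N for this binary.
    if ldd "$f" 2>/dev/null | grep -q 'libwrap\.so'; then
        echo "dynamic"
        return 0
    fi
    # Static case: the tcp_wrappers code carries its own identifying strings
    # (hosts_access, hosts_access_verbose, "@(#) hosts_access.c ...").
    if grep -a -q 'hosts_access' "$f" 2>/dev/null; then
        echo "static"
        return 0
    fi
    echo "none"
}

# Scan directories and print "<kind> <path>" for every file that uses libwrap.
libwrap_scan() {
    for d in "$@"; do
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            k=$(libwrap_kind "$f")
            case $k in
                dynamic|static) printf '%s %s\n' "$k" "$f" ;;
            esac
        done
    done
}

# Number of wrapped executables found under the given directories.
libwrap_count() {
    libwrap_scan "$@" | wc -l | tr -d ' '
}

# Typical run over the directories the thread inspects:
#   libwrap_scan /usr/sbin /sbin
```

Remember that a client such as telnet will not show up: only daemons (telnetd, portmap, sshd) call hosts_access().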

Hello,

I'm not sure if this question should be posted here, but I hope someone can help. I tried to install the Postfix smtp server on suse 10 (64 bits). I did everything as it is written in some manuals I have found online. Now, postfix works fine but I have a problem with sasl authorization. As I read I have to use cyrus-SASL for that and I installed it. I set it up to use the shadow method (I start it with saslauthd -a shadow) for checking authorization. When I try to log in on the smtp server I get in the error log file: size read failed. I tried to test login with the command: testauthd -u user -p password and I get the same error message.

Also, I tried to configure the ldap or pam method but I didn't know how...

Does anyone have an idea how to solve the problem with the "size read" error? Thank you in advance.

Please, if this question is not for here let me know where to post it. I tried at a few forums but no one answered.

--
Milan Milosevic
http://www.mmilan.com/
"God give me the serenity to accept things which cannot be changed; Give me courage to change things which must be changed; And the wisdom to distinguish one from the other." - Reinhold Niebuhr

Hi!

Milan Milosevic wrote:
Hello,
I'm not sure if this question should be posted here, but I hope someone can help. I tried to install the Postfix smtp server on suse 10 (64 bits). I did everything as it is written in some manuals I have found online. Now, postfix works fine but I have a problem with sasl authorization. As I read I have to use cyrus-SASL for that and I installed it. I set it up to use the shadow method (I start it with saslauthd -a shadow) for checking authorization. When I try to log in on the smtp server I get in the error log file: size read failed. I tried to test login with the command: testauthd -u user -p password and I get the same error message.
Also, I tried to configure the ldap or pam method but I didn't know how...
Does anyone have an idea how to solve the problem with the "size read" error? Thank you in advance.
Please, if this question is not for here let me know where to post it. I tried at few forums but no one answered.
That's a very complex setup and not to tell in a few words... Better search with Google for postfix +cyrus (+smtpauth), e.g. read http://postfix.state-of-mind.de/patrick.koetter/smtpauth/ (this is a good article but with smtp-auth - you can leave "smtpauth" out if you don't want this, but this article describes how to set up your needs!)

There is some help in /usr/share/doc/packages/cyrus. There is _no_help_ within yast - afaik this is not supported there!

Other help you get by subscribing to the postfix users list (sign up for a few days and all your questions will be answered because of the mass of questions and answers there! If you found your answer, unsubscribe because you will get a lot of mails there!).

Regards
Philippe

Hello Philippe,
e.g. read http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
That's the article I used for installation (the only difference is that I used the RPM packages from the Suse distribution).
Other help you get by subscribing to the postfix users list
I'm not sure but I think that the problem is not with postfix. I used testsaslauthd even when postfix is not installed and the error is the same.
-- Best regards, Milan mailto:mmilan@seenet-mtp.pmf.ni.ac.yu

On Friday 18 November 2005 15:44, Milan Milosevic wrote:
I'm not sure if this question should be posted here, but I hope someone can help. I tried to install the Postfix smtp server on suse 10 (64 bits). I did everything as it is written in some manuals I have found online. Now, postfix works fine but I have a problem with sasl authorization. As I read I have to use cyrus-SASL for that and I installed it. I set it up to use the shadow method (I start it with saslauthd -a shadow) for checking authorization. When I try to log in on the smtp server I get in the error log file: size read failed. I tried to test login with the command: testauthd -u user -p password and I get the same error message.
Also, I tried to configure the ldap or pam method but I didn't know how...
Stop saslauthd and start it in a shell manually with an additional "-d":

# saslauthd -da pam

And you will see some debug output. Try it with testsaslauthd and check the output in the other window. Show the complete messages.
Does anyone have an idea how to solve the problem with the "size read" error? Thank you in advance.
Please, if this question is not for here let me know where to post it. I tried at few forums but no one answered.
-- Andreas

Hello Andreas,
# saslauthd -da pam
Try it with testsaslauthd and check the output in the other window. Show the complete messages.

seenet-mtp:~ # saslauthd -da pam
saslauthd[5273] :main : num_procs : 5
saslauthd[5273] :main : mech_option: NULL
saslauthd[5273] :main : run_path : /var/run/sasl2/
saslauthd[5273] :main : auth_mech : pam
saslauthd[5273] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
saslauthd[5273] :detach_tty : master pid is: 0
saslauthd[5273] :ipc_init : listening on socket: /var/run/sasl2//mux
saslauthd[5273] :main : using process model
saslauthd[5274] :get_accept_lock : acquired accept lock
saslauthd[5273] :have_baby : forked child: 5274
saslauthd[5273] :have_baby : forked child: 5275
saslauthd[5273] :have_baby : forked child: 5276
saslauthd[5273] :have_baby : forked child: 5277
saslauthd[5274] :rel_accept_lock : released accept lock
saslauthd[5275] :get_accept_lock : acquired accept lock
saslauthd[5274] :do_auth : auth failure: [user=mmilan] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

I tried the same for saslauthd -da shadow (the method I used) and the result is:

seenet-mtp:~ # saslauthd -da shadow
saslauthd[5319] :main : num_procs : 5
saslauthd[5319] :main : mech_option: NULL
saslauthd[5319] :main : run_path : /var/run/sasl2/
saslauthd[5319] :main : auth_mech : shadow
saslauthd[5319] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
saslauthd[5319] :detach_tty : master pid is: 0
saslauthd[5319] :ipc_init : listening on socket: /var/run/sasl2//mux
saslauthd[5319] :main : using process model
saslauthd[5320] :get_accept_lock : acquired accept lock
saslauthd[5319] :have_baby : forked child: 5320
saslauthd[5319] :have_baby : forked child: 5321
saslauthd[5319] :have_baby : forked child: 5322
saslauthd[5319] :have_baby : forked child: 5323
saslauthd[5320] :rel_accept_lock : released accept lock
saslauthd[5321] :get_accept_lock : acquired accept lock
saslauthd[5319] :handle_sigchld : child exited: 5320

--
Milan Milosevic
http://www.mmilan.com/
"When I am right, No one remembers. When I am wrong, No one forgets." - Elizabeth Arden (1884-1966)

On Friday 18 November 2005 20:00, Milan Milosevic wrote:
# saslauthd -da pam
Try it with testsaslauthd and check the output in the other window. Show the complete messages.
seenet-mtp:~ # saslauthd -da pam
saslauthd[5273] :main : num_procs : 5
saslauthd[5273] :main : mech_option: NULL
saslauthd[5273] :main : run_path : /var/run/sasl2/
saslauthd[5273] :main : auth_mech : pam
saslauthd[5273] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
saslauthd[5273] :detach_tty : master pid is: 0
saslauthd[5273] :ipc_init : listening on socket: /var/run/sasl2//mux
saslauthd[5273] :main : using process model
saslauthd[5274] :get_accept_lock : acquired accept lock
saslauthd[5273] :have_baby : forked child: 5274
saslauthd[5273] :have_baby : forked child: 5275
saslauthd[5273] :have_baby : forked child: 5276
saslauthd[5273] :have_baby : forked child: 5277
saslauthd[5274] :rel_accept_lock : released accept lock
saslauthd[5275] :get_accept_lock : acquired accept lock
saslauthd[5274] :do_auth : auth failure: [user=mmilan] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Check your /etc/pam.d/imap. If it is not there check for a File "other" in your ./pam.d/. I don't see "size read" Errors, or similar.
I tried the same for saslauthd -da shadow (the method I used) and the result is:
seenet-mtp:~ # saslauthd -da shadow
saslauthd[5319] :main : num_procs : 5
saslauthd[5319] :main : mech_option: NULL
saslauthd[5319] :main : run_path : /var/run/sasl2/
saslauthd[5319] :main : auth_mech : shadow
saslauthd[5319] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
saslauthd[5319] :detach_tty : master pid is: 0
saslauthd[5319] :ipc_init : listening on socket: /var/run/sasl2//mux
saslauthd[5319] :main : using process model
saslauthd[5320] :get_accept_lock : acquired accept lock
saslauthd[5319] :have_baby : forked child: 5320
saslauthd[5319] :have_baby : forked child: 5321
saslauthd[5319] :have_baby : forked child: 5322
saslauthd[5319] :have_baby : forked child: 5323
saslauthd[5320] :rel_accept_lock : released accept lock
saslauthd[5321] :get_accept_lock : acquired accept lock
saslauthd[5319] :handle_sigchld : child exited: 5320
Did you run testsaslauthd with that?

--
Andreas

Hello Andreas,
Check your /etc/pam.d/imap. If it is not there check for a File "other" in your ./pam.d/.
There is no imap file; in the "other" file I have:

#%PAM-1.0
auth     required pam_warn.so
auth     required pam_deny.so
account  required pam_warn.so
account  required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session  required pam_warn.so
session  required pam_deny.so

I don't see "size read" Errors, or similar.
I have never got the "size read" error for pam. I never succeeded in configuring pam. I used shadow.
Did you run testsaslauthd with that?
Yes, I ran testsaslauthd in a 2nd window. The "size read" error I get in the console after I run testsaslauthd (when I use shadow). In the case of pam I get: NO "authentication failed"
-- Milan Milosevic http://www.mmilan.com/ The only winner in the War of 1812 was Tchaikovsky. - Solomon Short

On Friday 18 November 2005 21:30, Milan Milosevic wrote:
Check your /etc/pam.d/imap. If it is not there check for a File "other" in your ./pam.d/.
There is no imap file; in the "other" file I have:
#%PAM-1.0
auth     required pam_warn.so
auth     required pam_deny.so
account  required pam_warn.so
account  required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session  required pam_warn.so
session  required pam_deny.so
This cannot work. Hmm, the pitfall if you start testsaslauthd without the service name? In the case of PAM the service name decides the PAM config file. If you don't specify a service name for testsaslauthd it uses imap. If you have set up smtp, specify it after testsaslauthd:

# testsaslauthd -u user -p password -s smtp

So /etc/pam.d/smtp will be used.
I don't see "size read" Errors, or similar.
I have never got the "size read" error for pam. I never succeeded in configuring pam. I used shadow.
Did you run testsaslauthd with that?
Yes, I ran testsaslauthd in a 2nd window. The "size read" error I get in the console after I run testsaslauthd (when I use shadow). In the case of pam I get: NO "authentication failed"
A "size error" from testsaslauthd? It makes no difference if you use shadow instead of pam from testsaslauthd. The only part which changes something in doing is saslauthd itself. testsaslauthd only talks to the socket of saslauthd and sends the four values to it: username, password, realm and service name.

--
Andreas
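Andreas's diagnosis in one check, as an added example that is not part of the original thread: for a given SASL service name it resolves the PAM config file Linux-PAM will consult (/etc/pam.d/<service>, else the catch-all /etc/pam.d/other) and reports whether that file can ever let an auth succeed. With Milan's "other" file (only pam_warn.so and pam_deny.so) every service without its own file, including the "imap" default of testsaslauthd, is denied. The PAM_DIR override and the deny-all heuristic are assumptions for this script.

```shell
#!/bin/sh
# pam_service_check.sh: which PAM config does "saslauthd -a pam" read for a
# given service name, and does it deny everything?
#
# Assumptions (not from the thread): PAM_DIR defaults to /etc/pam.d and can be
# overridden for testing; a file is "deny-all" when none of its auth rules
# names a module other than pam_warn.so / pam_deny.so (include/substack lines
# are conservatively treated as a rule that may succeed).

PAM_DIR=${PAM_DIR:-/etc/pam.d}

# Resolve the service name the way Linux-PAM does: a per-service file wins,
# otherwise the fallback file "other" applies.
pam_config_for() {
    svc=$1
    if [ -f "$PAM_DIR/$svc" ]; then
        echo "$PAM_DIR/$svc"
    else
        echo "$PAM_DIR/other"
    fi
}

# Returns 0 if the file has at least one auth rule that can succeed,
# 1 if the file is missing or every auth rule is pam_warn/pam_deny.
pam_auth_can_succeed() {
    file=$1
    [ -f "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" \
        | awk '$1 == "auth" {
                   if ($2 == "include" || $2 == "substack") { print "include"; next }
                   for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break }
               }' \
        | grep -v -E '(^|/)pam_(warn|deny)\.so$' \
        | grep -q .
}

# One-line verdict, e.g. for "smtp" (testsaslauthd -s smtp) or for "imap",
# the service testsaslauthd falls back to when -s is omitted.
pam_verdict() {
    svc=$1
    file=$(pam_config_for "$svc")
    if pam_auth_can_succeed "$file"; then
        echo "$svc -> $file: auth rules present"
    else
        echo "$svc -> $file: DENY-ALL (every auth rule is pam_warn/pam_deny)"
    fi
}

# Typical use: pam_verdict imap; pam_verdict smtp
```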

Hello Andreas,
This cannot work. Hmm, the pitfall if you start testsaslauthd without the service name? In the case of PAM the service name decides the PAM config file. If you don't specify a service name for testsaslauthd it uses imap. If you have set up smtp, specify it after testsaslauthd:
# testsaslauthd -u user -p password -s smtp
Thank you very much! I finally made it work. Thanks again.

--
Milan Milosevic
http://www.mmilan.com/
Love the neighbor as yourself, but choose your neighborhood. -Louise Beal

Hi!

As this is too complicated I give you a copy of all important config settings.

Milan Milosevic wrote:
Hello Andreas,
# saslauthd -da pam
Try it with testsaslauthd and check the output in the other window. Show the complete messages.
seenet-mtp:~ # saslauthd -da pam
saslauthd[5273] :main : num_procs : 5
saslauthd[5273] :main : mech_option: NULL
saslauthd[5273] :main : run_path : /var/run/sasl2/
saslauthd[5273] :main : auth_mech : pam
saslauthd[5273] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
saslauthd[5273] :detach_tty : master pid is: 0
saslauthd[5273] :ipc_init : listening on socket: /var/run/sasl2//mux
saslauthd[5273] :main : using process model
saslauthd[5274] :get_accept_lock : acquired accept lock
saslauthd[5273] :have_baby : forked child: 5274
saslauthd[5273] :have_baby : forked child: 5275
saslauthd[5273] :have_baby : forked child: 5276
saslauthd[5273] :have_baby : forked child: 5277
saslauthd[5274] :rel_accept_lock : released accept lock
saslauthd[5275] :get_accept_lock : acquired accept lock
saslauthd[5274] :do_auth : auth failure: [user=mmilan] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
I tried the same for saslauthd -da shadow (the method I used) and the result is:
seenet-mtp:~ # saslauthd -da shadow
saslauthd[5319] :main : num_procs : 5
saslauthd[5319] :main : mech_option: NULL
saslauthd[5319] :main : run_path : /var/run/sasl2/
saslauthd[5319] :main : auth_mech : shadow
saslauthd[5319] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
saslauthd[5319] :detach_tty : master pid is: 0
saslauthd[5319] :ipc_init : listening on socket: /var/run/sasl2//mux
saslauthd[5319] :main : using process model
saslauthd[5320] :get_accept_lock : acquired accept lock
saslauthd[5319] :have_baby : forked child: 5320
saslauthd[5319] :have_baby : forked child: 5321
saslauthd[5319] :have_baby : forked child: 5322
saslauthd[5319] :have_baby : forked child: 5323
saslauthd[5320] :rel_accept_lock : released accept lock
saslauthd[5321] :get_accept_lock : acquired accept lock
saslauthd[5319] :handle_sigchld : child exited: 5320
Here are some configs helping to set up stuff. To not get too complicated, turn off the chroot environment in /etc/sysconfig/postfix (later you may turn it on again if no error occurs, because this is mostly the problem and finding errors within chroot is more complicated than finding the error in your config). Due to the complexity of this theme I can't give any guarantee for correctness or completeness of my settings!

This is how I did it with postfix + tls (protocols: pop3, imap, smtp; tls: pop3s, smtps, imaps) + cyrus + sasl + smtp-auth + amavisd_new + spamassassin (incl. with amavisd_new):

1) Make a backup of your mail setup!

2) Make sure you have the following required packages installed: postfix, cyrus, cyrus sasl, amavisd_new, spamassassin, spamd, razor agents, openssl, perl, perl modules needed (don't exactly know all of them right now)

3) Use your editor of choice and configure stuff:

less /etc/cyrus.conf

# standard standalone server implementation
START {
  # do not delete this entry!
  recover cmd="ctl_cyrusdb -r"
  # this is only necessary if using idled for IMAP IDLE
  idled cmd="idled"
}
# UNIX sockets start with a slash and are put into /var/lib/imap/socket
SERVICES {
  # add or remove based on preferences
  imap cmd="imapd" listen="imap" prefork=0
  imaps cmd="imapd -s" listen="imaps" prefork=0
  pop3 cmd="pop3d" listen="pop3" prefork=0
  pop3s cmd="pop3d -s" listen="pop3s" prefork=0
  sieve cmd="timsieved" listen="sieve" prefork=0
  lmtpunix cmd="lmtpd" listen="/var/spool/postfix/public/lmtp" prefork=1 refork=1
}
EVENTS {
  # this is required
  checkpoint cmd="ctl_cyrusdb -c" period=30
  # this is only necessary if using duplicate delivery suppression
  delprune cmd="cyr_expire -E 3" at=0400
  # this is only necessary if caching TLS sessions
  tlsprune cmd="tls_prune" at=0400
}

less /etc/postfix/main.cf

[...]
unknown_local_recipient_reject_code = 450
[...]
readme_directory = /usr/share/doc/packages/postfix/README_FILES
mail_spool_directory = /var/spool/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = #put your fqdn here!
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains =
mydestination = # put all your destinations here!
defer_transports =
disable_dns_lookups = no
relayhost =
content_filter = vscan:
mailbox_command =
mailbox_transport = lmtp:unix:public/lmtp
fallback_transport = cyrus
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/ssl/certs/cert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/certs/cert.crt
smtpd_tls_key_file = /etc/postfix/ssl/certs/cert.key
smtpd_tls_capath = /etc/postfix/ssl/certs
smtpd_tls_received_header = yes
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
relay_clientcerts = hash:/etc/postfix/relay_ccerts
smtpd_tls_ask_ccert = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtp_use_tls = yes
#SMTP-Auth for relaying
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = $smtp_sasl_security_options
broken_sasl_auth_clients = yes
#SMTP-Auth for relaying
alias_maps = hash:/etc/aliases
#setup your limits to your desire, this is what our users wanted ;)
mailbox_size_limit = 409600000
message_size_limit = 102400000
html_directory = /usr/share/doc/packages/postfix/html
virtual_alias_maps = hash:/etc/postfix/virtual

#Don't forget to make certificates for postfix!

less /etc/postfix/master.cf

[...]
smtp      inet  n       -       y       -       2       smtpd -o content_filter=smtp:[localhost]:10024
smtps     inet  n       -       y       -       2       smtpd -o smtpd_tls_wrappermode=yes -o content_filter=smtp:[localhost]:10024 -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       y       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       y       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
localhost:10025 inet n  -       y       -       -       smtpd -o content_filter=
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
vscan     unix  -       n       n       -       10      pipe
  user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}

/etc/amavisd.conf (only the important settings are highlighted):

Section I:
  #_Enter name for $mydomain, this is used for a lot 'o' config settings!!!_

Section III:
  # log spam to see if false positives are found for later finding problems
  $log_level = 2;

Section IV:
  # prevent spam through notification of sender!
  $warnvirussender = 0;
  $warnspamsender = 0;
  $warnbannedsender = 0;
  $warnbadhsender = 0;
  $warnvirusrecip = 1;
  $warnbannedrecip = 0;
  $warn_offsite = 0;
  $virus_quarantine_to = undef;
  $spam_quarantine_to = undef;
  $remove_existing_x_scanned_headers = 1;
  $remove_existing_spam_headers = 1;
  under banned_filename_re = [...] uncomment (or comment) lines for extensions you don't want (you want)!

Section V:
  # spare time and don't lookup mailadresses
  $localpart_is_case_sensitive = 0;

Section VI:
  # dos-prevention, don't scan inside multiple recursive attachements like 42.zip
  $MAXLEVELS = 14;
  $MAXFILES = 1500;

Section VII:
  # spam handling
  sa_local_test_only = 1;
  $sa_timeout = 30;
  # limit size to 150kB per mail for spam scanning
  $sa_mail_body_size_limit = 150*1024;
  $sa_tag_level_deflt = 3.0;
  $sa_tag2_level_deflt = 4.0;
  $sa_kill_level_deflt = $sa_tag_level_deflt;
  $sa_dsn_cutoff_level = 8;
  $sa_spam_subject_tag = '***SPAM***'; # or whatever name you like!
  $sa_spam_modifies_subj = 1;

4) Restart the daemons for the changes to take effect: amavis, cyrus, postfix, spamd

5) Send a test mail with spam, a virus and a normal one to test your setup! For errors look in /var/log/mail* for messages (less /var/log/mail* | grep EXPRESSION). If there are no errors, enjoy your setup! Take care of new updates and restart the daemons after updating!

Regards
Philippe
participants (6)
- Andreas Winkelmann
- Armin Schoech
- Dirk Schreiner
- Milan Milosevic
- Petteri Hakkarainen
- Philippe Vogel