So as not to bury Exchange under a pile of mail, I usually put a border server in front of it: Linux with Postfix and SpamAssassin. Such a setup rejects the most blatant spam at the edge, so it never loads the internal server. It is better to bring up several of these servers from the start for fault tolerance.
```
yum -y install spamassassin postfix
systemctl enable spamassassin
systemctl enable postfix
```
Create the directories and files for Postfix:

```
mkdir /etc/postfix/db    # directory for the lookup tables
mkdir /etc/postfix/ad    # directory for the AD scripts
mkdir /etc/postfix/ssl   # directory for the certificates
```
In the db directory I have created these files:

bad_clients — manual blocklist of sending clients (used with check_client_access)
good_clients — whitelist of clients that skip the checks
header_checks — header analysis
helo_regexp — HELO analysis
relay_domains — list of domains to relay
relay_recipients — list of mailboxes that exist on Exchange
virtual_transport — list of SMTP servers to deliver to (in our case Exchange)
Convert these files into indexed databases for Postfix. This is needed only for the tables that main.cf references as hash:, and postmap has to be re-run after every edit, otherwise Postfix keeps using the stale .db file; header_checks and helo_regexp are regexp: tables that Postfix reads as plain text.

```
cd /etc/postfix/db
postmap bad_clients good_clients relay_domains relay_recipients virtual_transport
```
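The post keeps its AD scripts in /etc/postfix/ad but does not show them, so here is an added example (not the author's script) of the piece that matters most for a gateway: building relay_recipients from an LDIF export of the users' mail and proxyAddresses attributes. The export command, the domain controller name, the file paths and the sample entries are assumptions; the constructed sample exercises a folded LDIF line and a base64-encoded value, both of which real exports contain. The script refuses to write an empty table, because an empty relay_recipients (a failed LDAP query, for instance) would make the gateway reject every recipient.

```python
"""Build /etc/postfix/db/relay_recipients from an Active Directory export.

Added example, not the script from the post. Input is LDIF, for instance
(assumed command, server and bind account):
  ldapsearch -x -H ldap://dc.domain.com -D 'gw@domain.com' -W \
      -b 'DC=domain,DC=com' '(proxyAddresses=smtp:*)' mail proxyAddresses
Every address in a relay domain becomes a "user@domain.com OK" line; X400
entries and addresses in domains the gateway does not relay are dropped.
"""
import base64
import shutil
import subprocess
import sys

RELAY_DOMAINS = ["domain.com"]                   # must match relay_domains in main.cf
TABLE_PATH = "/etc/postfix/db/relay_recipients"  # assumed, as in the post's layout

# Constructed sample export: one user with several aliases (one attribute folded
# over two lines), one group whose mail attribute is base64-encoded (LDIF "::").
SAMPLE_LDIF = """\
dn: CN=Ivan Petrov,OU=Users,DC=domain,DC=com
mail: ivan.petrov@domain.com
proxyAddresses: SMTP:Ivan.Petrov@domain.com
proxyAddresses: smtp:ipetrov@domain.com
proxyAddresses: smtp:ivan@old-domain.example
proxyAddresses: X400:c=RU;a= ;p=domain;o=Exchange;
 s=Petrov;g=Ivan;

dn: CN=Sales,OU=Groups,DC=domain,DC=com
mail:: c2FsZXNAZG9tYWluLmNvbQ==
proxyAddresses: SMTP:sales@domain.com
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> [values]."""
    entries, cur = [], {}
    for line in _unfold(text):
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        cur.setdefault(name.lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def relay_recipients(entries, relay_domains):
    """Collect every smtp address (mail + proxyAddresses) inside the relay domains."""
    domains = {d.lower() for d in relay_domains}
    addrs = set()
    for entry in entries:
        candidates = list(entry.get("mail", []))
        for proxy in entry.get("proxyaddresses", []):
            scheme, _, addr = proxy.partition(":")
            if scheme.lower() == "smtp":    # "SMTP:" is the primary, "smtp:" an alias
                candidates.append(addr)
        for addr in candidates:
            addr = addr.strip().lower()     # Postfix lookups are case-insensitive anyway
            local, _, dom = addr.rpartition("@")
            if local and dom in domains:
                addrs.add(addr)
    return sorted(addrs)


def render_table(addrs):
    """relay_recipient_maps format: one 'address<TAB>OK' line per mailbox."""
    return "".join(f"{addr}\tOK\n" for addr in addrs)


def write_table(addrs, path=TABLE_PATH):
    """Write the text table and rebuild the .db; Postfix only reads the indexed copy."""
    if not addrs:
        raise SystemExit("refusing to write an empty relay_recipients table")
    with open(path, "w") as fh:
        fh.write(render_table(addrs))
    if shutil.which("postmap"):             # absent on a workstation, which is fine
        subprocess.run(["postmap", path], check=True)


if __name__ == "__main__":
    # with an LDIF file argument use the real export, otherwise the constructed sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    addrs = relay_recipients(parse_ldif(text), RELAY_DOMAINS)
    if len(sys.argv) > 2:
        write_table(addrs, sys.argv[2])
    else:
        sys.stdout.write(render_table(addrs))
```

Run it from cron as `relay_recipients.py export.ldif /etc/postfix/db/relay_recipients` after the ldapsearch; no `postfix reload` is needed, since Postfix picks up a rebuilt hash: table on its own.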
Put the certificate and key in PEM format into /etc/postfix/ssl; Postfix reads only PEM, so a DER or PFX file has to be converted with openssl first. Mine is from Let's Encrypt, but self-signed certificates work as well.
Below are my Postfix configs, to be used as a template:
main.cf

```
# the banner is cosmetic only
smtpd_banner = $myhostname Microsoft ESMTP MAIL Service ready
biff = no
header_checks = regexp:/etc/postfix/db/header_checks
append_dot_mydomain = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
delay_warning_time = 1h
bounce_queue_lifetime = 1d
maximal_queue_lifetime = 2d
notify_classes = bounce, delay, policy, protocol, resource, software
bounce_notice_recipient = postf
error_notice_recipient = postf
readme_directory = no

# inbound TLS; smtpd_use_tls is the old spelling of smtpd_tls_security_level = may
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/domain.key
smtpd_tls_cert_file = /etc/postfix/ssl/domain.pem
# with Let's Encrypt use fullchain.pem here so clients receive the intermediate
smtpd_tls_CAfile = /etc/postfix/ssl/domain.pem
# 3 dumps the handshake to the log; 1 is enough outside of debugging
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# outbound TLS towards Exchange and the internet (opportunistic)
smtp_use_tls = yes
smtp_tls_key_file = /etc/postfix/ssl/domain.key
smtp_tls_cert_file = /etc/postfix/ssl/domain.pem
smtp_tls_CAfile = /etc/postfix/ssl/domain.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_error_sleep_time = 1s

# whitelist first, then the manual blocklist, then the DNSBLs
smtpd_client_restrictions = check_client_access hash:/etc/postfix/db/good_clients,
    check_client_access hash:/etc/postfix/db/bad_clients,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
smtpd_reject_unlisted_sender = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/db/good_clients,
    check_helo_access regexp:/etc/postfix/db/helo_regexp,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    permit
# dsn.rfc-ignorant.org was shut down in 2012, so there is no reject_rhsbl_sender on it
smtpd_sender_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/db/good_clients,
    reject_non_fqdn_sender,
    permit
# reject_unverified_sender probes every new sender's MX before accepting: effective
# against forged senders but expensive, and some sites treat the probes as abuse
smtpd_recipient_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/db/good_clients,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    reject_unverified_sender,
    permit
unknown_local_recipient_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_address_reject_code = 550

myhostname = mail.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = domain.com
myorigin = $mydomain
# domain.com is a relay domain (see relay_domains) and must not be listed here as well
mydestination = localhost, mail.domain.com
relayhost =
# 10.1.1.1 is the Exchange server (main.cf has no end-of-line comments)
mynetworks = 127.0.0.0/8 10.1.1.1
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
message_size_limit = 40000000
local_recipient_maps =
# routes domain.com to Exchange; the table file is named virtual_transport in this setup
transport_maps = hash:/etc/postfix/db/virtual_transport
relay_domains = domain.com
relay_recipient_maps = hash:/etc/postfix/db/relay_recipients
```

A few points to keep in mind with this file. Postfix does not allow a comment at the end of a value line, so something like `mynetworks = 127.0.0.0/8 10.1.1.1 #ip Exchange` is read as three network entries and the last two produce warnings; comments go on their own line. A domain must not appear in both mydestination and relay_domains: the local class wins, and with an empty local_recipient_maps the gateway would then accept any recipient at domain.com, relay_recipient_maps would never reject unknown mailboxes, and every such message would come back from Exchange as backscatter. virtual_transport is the name of a delivery transport (such as `lmtp:inet:localhost`), not a lookup table; the routing to Exchange is done by transport_maps alone. Finally, zen.spamhaus.org answers queries that arrive through public resolvers (8.8.8.8, 1.1.1.1 and the like) with error codes in 127.255.255.x, and a bare reject_rbl_client treats any answer as a listing, so the gateway needs a local resolver or it will start rejecting everyone.
master.cf

```
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}

# hand every message accepted on port 25 to SpamAssassin, then re-inject it
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
```

content_filter is set only on the public smtpd service, so the copy that spamc hands back through /usr/sbin/sendmail enters via pickup and is not filtered a second time (no loop). spamc -f means safe fallback: when spamd is not reachable the message is passed through unscanned instead of being deferred, which is the right failure mode for a gateway, but it also means a dead spamd goes unnoticed unless the service is monitored.
header_checks

Postfix regexp tables match case-insensitively unless the i flag is given, so a rule like `/^Subject:.*SPAM/` would also redirect a legitimate message with "Spam recipes" in its subject. Keying on the header SpamAssassin adds to everything it classifies as spam avoids that and does not depend on the rewrite_header setting:

```
/^X-Spam-Flag: YES/ REDIRECT spam@domain.com
```

REDIRECT replaces all envelope recipients with spam@domain.com, so that mailbox (or a distribution group) has to exist on Exchange, otherwise the redirected copy bounces. The check runs in cleanup(8), i.e. on the original message (no X-Spam-Flag yet) and again on the copy spamc re-injects after scanning, which is where it matches.
helo_regexp

```
/([0-9]{1,3}(\.|-)){3}[0-9]{1,3}/i REJECT Dynamic address
```

This rejects HELO names that carry an IP address written with dots or dashes, i.e. the usual dynamic-pool reverse names and bare address literals. Make sure nothing, not even a space, sits between the last `[0-9]{1,3}` and the closing slash: a space there becomes part of the pattern, would require a trailing blank in the HELO argument, and the rule would never fire.
relay_domains

```
domain.com OK
```

This file is only consulted if main.cf says `relay_domains = hash:/etc/postfix/db/relay_domains`; with `relay_domains = domain.com` as in the main.cf above, the domain list comes from main.cf directly.
virtual_transport

```
domain.com smtp:[10.1.1.1]
```

This is a transport_maps table: the brackets tell Postfix to connect to 10.1.1.1 directly instead of looking up MX records for domain.com. Despite the file name it is not a value for the virtual_transport parameter.
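The header_checks and helo_regexp tables above are easy to get subtly wrong, so here is an added example (not from the post) of a small emulator for the Postfix regexp_table(5) format, enough to unit-test both tables offline before a postfix reload. It reproduces the part of the semantics that bites here: rules are `/pattern/flags action`, the first match wins, and matching is case-insensitive unless the i flag toggles it off. The HELO names and subjects it is run against are constructed; the original `/^Subject:.*SPAM/` rule is included next to the X-Spam-Flag version to show the false positive. It does not handle if/endif blocks or `!/pattern/` negation.

```python
"""Offline check of Postfix regexp: tables (added example, not from the post).

Handles "/pattern/flags action" rules, comment lines and the i/m/x flags of
regexp_table(5), with Postfix's default of case-insensitive matching and the
i flag toggling it. if/endif blocks and !/pattern/ negation are not supported.
"""
import re

HELO_TABLE = r"""
# helo_regexp from the post
/([0-9]{1,3}(\.|-)){3}[0-9]{1,3}/i REJECT Dynamic address
"""

# subject-based rule: matches "spam" anywhere in the Subject, any case
HEADER_TABLE_ORIGINAL = r"""
/^Subject:.*SPAM/ REDIRECT spam@domain.com
"""

# keyed on the header SpamAssassin adds, independent of subject rewriting
HEADER_TABLE_FIXED = r"""
/^X-Spam-Flag: YES/ REDIRECT spam@domain.com
"""


def _split_rule(line):
    """Split '/pattern/flags action' into (pattern, flags, action)."""
    i = 1
    while i < len(line):
        if line[i] == "\\":          # escaped character, including '\/'
            i += 2
            continue
        if line[i] == "/":
            break
        i += 1
    else:
        raise ValueError(f"unterminated pattern: {line!r}")
    m = re.match(r"([imx]*)\s+(.+)$", line[i + 1:])
    if not m:
        raise ValueError(f"missing action: {line!r}")
    return line[1:i], m.group(1), m.group(2).strip()


def parse_regexp_table(text):
    """Compile a regexp: table into a list of (regex, action) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("/"):
            raise ValueError(f"unsupported rule syntax: {line!r}")
        pattern, flags, action = _split_rule(line)
        icase = True                   # Postfix default: case-insensitive
        opts = 0
        for flag in flags:
            if flag == "i":
                icase = not icase      # 'i' toggles, it does not set
            elif flag == "m":
                opts |= re.MULTILINE
            elif flag == "x":
                opts |= re.VERBOSE
        if icase:
            opts |= re.IGNORECASE
        rules.append((re.compile(pattern, opts), action))
    return rules


def lookup(rules, key):
    """First matching rule wins, as in Postfix; None means no rule matched."""
    for regex, action in rules:
        if regex.search(key):
            return action
    return None


def helo_verdict(helo):
    """What check_helo_access would return for this HELO argument."""
    return lookup(parse_regexp_table(HELO_TABLE), helo)


def header_verdict(table, header_line):
    """What header_checks would return for one header line under the given table."""
    return lookup(parse_regexp_table(table), header_line)


if __name__ == "__main__":
    for helo in ("mail.example.com", "1-2-3-4.dynamic.isp.example", "[192.168.1.1]"):
        print(f"HELO {helo!r:32} -> {helo_verdict(helo)}")
    subj = "Subject: Spam recipes for the weekend"   # constructed legitimate subject
    print(f"original table: {header_verdict(HEADER_TABLE_ORIGINAL, subj)}")
    print(f"fixed table:    {header_verdict(HEADER_TABLE_FIXED, subj)}")
    print(f"fixed table on X-Spam-Flag: {header_verdict(HEADER_TABLE_FIXED, 'X-Spam-Flag: YES')}")
```

Python's re and the POSIX extended regex Postfix uses agree on everything these two tables need; for more exotic patterns, `postmap -q "key" regexp:/etc/postfix/db/helo_regexp` on the gateway itself is the authoritative check.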
Now a little SpamAssassin setup. spamd switches to the user that spamc runs as (spamd, from the pipe service in master.cf) and keeps that user's user_prefs and Bayes data under its home directory, so the directory has to exist and be writable by that user rather than left root-owned:

```
adduser --system spamd
mkdir -p /home/spamd/.spamassassin
touch /home/spamd/.spamassassin/user_prefs   # just an empty file
chown -R spamd: /home/spamd
```
Open port 25 in the firewall:

```
firewall-cmd --zone=public --add-service=smtp --permanent
firewall-cmd --reload
```
Start the services:

```
systemctl start spamassassin
systemctl start postfix
```
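Once `postfix check` passes and both services are up, the two things worth verifying from outside are that the gateway is not an open relay and that relay_recipient_maps really rejects unknown mailboxes (otherwise Exchange turns them into backscatter). The following is an added example, not part of the post: a probe that runs the SMTP dialogue without ever sending DATA and judges the replies. Run it from a host that is not in mynetworks, since permit_mynetworks would accept everything; the sender must be a real, deliverable mailbox because the gateway's reject_unverified_sender answers 450 to anything it cannot verify, and a 450 on the first run usually just means that verification is still in progress, so rerun it a minute later. Host names, addresses and the helper name are assumptions.

```python
"""SMTP smoke test for the finished gateway (added example, not from the post).

probe() talks to the gateway and returns the raw replies; judge() turns them
into findings so the policy logic can be tested without a network.
"""
import smtplib
import ssl
import sys

PROBE_HELO = "probe.example.net"   # assumed name of the machine running the test


def probe(host, port, sender, known_rcpt, unknown_rcpt, external_rcpt, timeout=20):
    """Run the dialogue and return {step: (code, text)} plus whether STARTTLS was offered."""
    results = {}
    # this is a policy test, not a certificate test: the post allows self-signed certs
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(PROBE_HELO)
        results["starttls_offered"] = smtp.has_extn("starttls")
        if results["starttls_offered"]:
            smtp.starttls(context=ctx)
            smtp.ehlo(PROBE_HELO)          # feature list must be re-read after STARTTLS
        for key, rcpt in (("rcpt_external", external_rcpt),   # must be refused
                          ("rcpt_unknown", unknown_rcpt),     # must be refused (550)
                          ("rcpt_known", known_rcpt)):        # must be accepted
            smtp.docmd(f"MAIL FROM:<{sender}>")
            results[key] = smtp.docmd(f"RCPT TO:<{rcpt}>")
            smtp.rset()                    # drop the envelope; nothing is ever sent
    return results


def _text(reply_text):
    return reply_text.decode(errors="replace") if isinstance(reply_text, bytes) else str(reply_text)


def judge(results):
    """Return findings; an empty list means the gateway behaved as intended."""
    findings = []
    if not results["starttls_offered"]:
        findings.append("WARN: STARTTLS not offered; smtpd_use_tls/certificate not active")
    checks = (
        ("rcpt_external", False,
         "FAIL: open relay, a recipient outside relay_domains was accepted"),
        ("rcpt_unknown", False,
         "FAIL: unknown mailbox accepted; relay_recipient_maps not in effect, expect backscatter"),
        ("rcpt_known", True,
         "FAIL: a listed mailbox was rejected; check relay_recipients and transport_maps"),
    )
    for key, should_accept, message in checks:
        code, text = results[key]
        if 400 <= code < 500:              # greylisting, verification in progress, RBL hiccup
            findings.append(f"WARN: {key} got {code} {_text(text)}; temporary, rerun later")
            continue
        accepted = 200 <= code < 300
        if accepted != should_accept:
            findings.append(f"{message} ({code} {_text(text)})")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 7:
        sys.exit(f"usage: {sys.argv[0]} HOST PORT SENDER KNOWN_RCPT UNKNOWN_RCPT EXTERNAL_RCPT")
    host, port, sender, known, unknown, external = sys.argv[1:]
    verdicts = judge(probe(host, int(port), sender, known, unknown, external))
    print("\n".join(verdicts) if verdicts else "PASS: no open relay, unknown recipients rejected")
    sys.exit(1 if any(v.startswith("FAIL") for v in verdicts) else 0)
```

Typical invocation: `gateway_probe.py mail.domain.com 25 me@my-real-domain.example user@domain.com nobody-here@domain.com someone@gmail.com`. The external recipient should come back as 554 from reject_unauth_destination, the unknown one as 550 from the relay recipient table.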