My exam paper... :D

THE DEFINITIVE GUIDE TO SETTING UP A LINUX RELAY
SERVER FOR MICROSOFT EXCHANGE SERVER 2000/2003
With Mandriva 2007.1 Spring, Postfix, Spamassassin, Clamav...
Index
INTRODUCTION
What you will need:
1. Mandriva Linux Spring 2007.1
2. A box with a DVD-ROM for the DVD version of Mandriva Spring 2007.1
3. A Ms Exchange 2000/2003 box that you want to protect
4. A live working Internet connection (Preferably broadband)
Install Mandriva Spring 2007.1
* Mail server (Postfix)
* SSH server (Open ssh-server)
* Line command tools
urpmi wget
Remove Installation Media/Update Mandriva Sources:
a) Create a script file under /root called update.2007.1.sh
b) Go to http://easyurpmi.zarb.org and select your distro
c) Save your script and make it executable
d) Type the following in your putty window and watch it go
Install Spamassassin, Razor, Pyzor, DCC and Amavisd-new
urpmi spamassassin (Say yes to the dependencies prompt)
urpmi amavisd
urpmi razor
urpmi pyzor
urpmi dcc
urpmi amavisd-new
Configure Postfix
Configure Relay Recipient Maps
urpmi perl-ldap
Install and configure Clam-AV
urpmi clamav
urpmi clamd
Configure your Exchange Server
Try to send an e-mail
Written by Costamagna Gianfranco ([email protected])
INTRODUCTION
First, a little explanation: this guide is meant to be only a simple "how to" for setting up a Linux mail
relay server for Microsoft Exchange 2003. This is very important because Microsoft's system doesn't
support any anti-virus or anti-spam programs (you can install some, but it's very difficult to configure
them ;-)
If you use this guide, you acknowledge and agree that the owner of this guide is not responsible for the
availability of such external sites or resources, does not endorse and is not responsible or liable
for any content, advertising, products, or other materials on or available from such sites or
resources. You further acknowledge and agree that the owner of this guide shall not be responsible or
liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in
connection with use of or reliance on any such content, goods or websites available on or
through any such site or resource.
This guide draws on lots of other guides; you can see a similar one here:
http://www.howtoforge.com/mandriva_postfix_antispam_antivirus_exchange_p1
and a "how to set up a Microsoft Exchange Server" guide (called "Down and Dirty Guide to setting
up Exchange 2000/2003") here:
http://forums.theonpc.com/viewtopic.php?t=15
There are a couple of Linux how-tos floating around the Internet that deal with this subject. As a matter of
fact, those guides are what inspired me to write this one. In the spirit of keeping it simple, let me
recommend the Mandrake or, as it's currently known, Mandriva Linux distro.
This guide has been written with this distro in mind.
What you will need:
1. Mandriva Linux Spring 2007.1
(I'm sure this will work on Mandriva 2005 Limited edition, Mandrake 10.1 or even older versions. I
just haven't tested it on anything earlier)
2. A box with a DVD-ROM for the DVD version of Mandriva Spring 2007.1
(The system specs do not have to be very high. It's basically going to be a mail server. Depending
on the amount of mail you expect, size the machine accordingly. I installed it on an Intel desktop
with a single Pentium CPU (2.0 GHz), a 40 GB HDD and 512 MB of RAM. The computer wasn't my
choice).
3. An MS Exchange 2000/2003 box that you want to protect.
4. A live working Internet connection (preferably broadband).
STEP 1:
Install Mandriva Spring 2007.1
with the following minimum packages and normal level security:
* Mail server (Postfix)
* SSH server (Open ssh-server)
* Line command tools
IP Address:     10.0.5.18
Net Mask:       255.255.0.0
DNS Server:     10.0.5.4, 10.0.5.10
Gateway:        10.0.5.15
Name:           Stealth.vallauri.net
Domain Search:  vallauri.net
You can also install some tools such as traceroute, www-browser and links to help resolve problems such as
wrong routes and the like.
You must install wget because it is used to download from the bo.mirror.garr.it repository (I don't use curl
because it can cause problems):
urpmi wget
STEP 2:
Remove Installation Media/Update Mandriva Sources:
It's important to remove the installation DVD or CD-ROM as the media of choice for your Linux
installation and instead use on-line media anytime we want to install or update anything on this
installation. The procedures below will help you accomplish this:
a) Create a script file under /root called update.2007.1.sh
or whatever you want. I usually name them by distro. For example, for 2007.1 Spring, I called it
"update.2007.1.sh". Open up an ssh (putty) window to your server. It's a lot easier doing it through
putty than trying to type the sources in a console window manually. In a putty window it's just a
matter of copy and paste. Be careful: the cut and paste should be done from a Unix system, because
under Windows the enter key is stored as two characters, ASCII 10 and 13 (only one of them under Unix).
In the putty window type the following:
vi update.2007.1.sh
Enter the following lines:
urpmi.removemedia -a
urpmi --auto-select --auto --wget
b) Go to http://easyurpmi.zarb.org and select your distro
and then click on the "Proceed to STEP 2" button. Then, in the "2) Select a mirror for each source"
section under Core Distribution, check off the following: "Main", "Contrib", "Main_Updates",
"Contrib_Updates" as a bare minimum. Then click on the "Proceed to STEP 3" button. This will
generate a list of mirrors. Select them and copy the entire list. Go back to your putty window, press
the "i" key to put the editor in insert mode and paste what you just copied from your browser into
your putty window between the lines you typed earlier. So, your screen should look similar to this:
urpmi.removemedia -a
urpmi.addmedia --wget main ftp://bo.mirror.garr.it/mirrors/Mandrake/official/2007.1/i586/media/main/release with media_info/hdlist.cz
urpmi.addmedia --wget --update main_updates ftp://bo.mirror.garr.it/mirrors/Mandrake/official/2007.1/i586/media/main/updates with media_info/hdlist.cz
urpmi.addmedia --wget contrib ftp://bo.mirror.garr.it/mirrors/Mandrake/official/2007.1/i586/media/contrib/release with media_info/hdlist.cz
urpmi.addmedia --wget --update contrib_updates ftp://bo.mirror.garr.it/mirrors/Mandrake/official/2007.1/i586/media/contrib/updates with media_info/hdlist.cz
urpmi --auto-select --auto --wget
c) Save your script and make it executable.
Press the "ESC" key to take the editor out of insert mode. Then press "SHIFT ZZ" or "ESC, :wq, ENTER"
to save your file and exit from vi. Then type the following in your putty window:
chmod 755 update.2007.1.sh
You should use the --wget parameter because curl can have problems connecting to the mirror.
Now you are ready to go.
d) Type the following in your putty window and watch it go.
./update.2007.1.sh
Once completed, your sources are updated and your installation media has been removed.
You can also type:
urpmi --auto-select --wget (or urpmi --auto-update --wget)
to update the packages in your distro.
STEP 3:
Install Spamassassin, Razor, Pyzor, DCC and Amavisd-new
a) At the console prompt or a putty window type the following commands:
urpmi spamassassin (Say yes to the dependencies prompt)
urpmi amavisd
If the urpmi command doesn't work, you can add --wget after it.
vi /etc/amavisd/amavisd.conf
Set $myhostname = 'Stealth.vallauri.net'; (remove the # in front of the $)
Save the file: ESC, Shift ZZ
service amavisd start
Say yes to the dependencies prompt. This will automatically install spamassassin and razor.
Configure spamassassin: If your mail server is behind a NAT firewall, you may
consider setting up the trusted_networks and internal_networks in spamassassin's local.cf file. This
is a well known problem with spamassassin on a private IP. Here's how to fix it. Edit the
/etc/mail/spamassassin/local.cf file:
vi /etc/mail/spamassassin/local.cf
Add the trusted_networks and internal_networks lines for every PUBLIC IP address your mail server
is known by:
trusted_networks 123.456.789.123
trusted_networks 987.654.321.987
internal_networks 123.456.789.123
internal_networks 987.456.789.123
(Obviously substitute your own public IP address(es))
Add the following lines still in the /etc/mail/spamassassin/local.cf file to configure spamassassin to
use razor, pyzor and dcc:
bayes_auto_learn 1
bayes_path /etc/mail/spamassassin/bayes
bayes_file_mode 0666
use_razor2 1
razor_config /root/.razor/razor-agent.conf
razor_timeout 10
use_pyzor 1
pyzor_timeout 10
pyzor_max 5
add_header all Pyzor _PYZOR_
use_dcc 1
dcc_timeout 10
dcc_home /var/lib/dcc
dcc_path /usr/bin/dccproc
Create a custom rule set for spamassassin by typing the following in the console:
vi /etc/mail/spamassassin/sa_rules_update.sh
Copy and paste the following into the file:
#!/bin/bash
# bash is needed for the &> redirection used on every line below
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Each line downloads one rule file into /etc/mail/spamassassin, discarding all output
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf -O 71_sare_redirect_pre3.0.0.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf -O 70_sare_bayes_poison_nxm.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html.cf -O 70_sare_html.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html4.cf -O 70_sare_html4.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_html_x30.cf -O 70_sare_html_x30.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header0.cf -O 70_sare_header0.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header3.cf -O 70_sare_header3.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header_x30.cf -O 70_sare_header_x30.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_specific.cf -O 70_sare_specific.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_adult.cf -O 70_sare_adult.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf -O 72_sare_bml_post25x.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf -O 99_sare_fraud_post25x.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_spoof.cf -O 70_sare_spoof.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_random.cf -O 70_sare_random.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_oem.cf -O 70_sare_oem.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf -O 70_sare_genlsubj0.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf -O 70_sare_genlsubj3.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_genlsubj_x30.cf -O 70_sare_genlsubj_x30.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_unsub.cf -O 70_sare_unsub.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/70_sare_uri.cf -O 70_sare_uri.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.timj.co.uk/linux/bogus-virus-warnings.cf -O bogus-virus-warnings.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.yackley.org/sa-rules/evilnumbers.cf -O evilnumbers.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.stearns.org/sa-blacklist/random.current.cf -O random.current.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/00_FVGT_File001.cf -O 00_FVGT_File001.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/88_FVGT_uri.cf -O 88_FVGT_uri.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_DomainDigits.cf -O 99_FVGT_DomainDigits.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf -O 99_FVGT_Tripwire.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.rulesemporium.com/rules/99_FVGT_meta.cf -O 99_FVGT_meta.cf &> /dev/null
cd /etc/mail/spamassassin/ &> /dev/null && /usr/bin/wget http://www.nospamtoday.com/download/mime_validate.cf -O mime_validate.cf
# Restart amavisd so that the new rules are loaded
/etc/init.d/amavisd restart
exit 0
(This script downloads some rules to update spamassassin.)
If you don't want to see a command's output in bash, you can put &> /dev/null after the command.
Save the file (Shift ZZ) and change the permissions to executable:
chmod 755 /etc/mail/spamassassin/sa_rules_update.sh
Run the file and ensure there are no errors. On the console or putty window type:
/etc/mail/spamassassin/sa_rules_update.sh
Under the /etc/mail/spamassassin directory you should see a bunch of files ending in .cf. Examples
are: bogus-virus-warnings.cf, etc. That means the rules have been updated for spamassassin. Now,
you must schedule this script to run on a regular basis. On the console or putty window type the
following to schedule a cron job:
crontab -e
Paste the following in your putty window:
30 3 */2 * * /etc/mail/spamassassin/sa_rules_update.sh > /dev/null 2>&1
(This will schedule the script to run every two days at 3:30.)
Save the file: Shift ZZ
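An added example, not part of the original guide: the update script installs whatever each URL returns and then restarts amavisd, so an HTML error page or a broken file from a dead mirror lands directly in the live rule directory. The sketch below stages the downloads, keeps the old file when a download fails, and copies into the live directory only when spamassassin --lint accepts the staged set. The function names are hypothetical, and the lint step checks syntax only, not who served the file over plain HTTP.

```shell
#!/bin/sh
# Added example (not the guide's script): stage, check, then install rule files.
# fetch_url, lint_rules, looks_like_rules and update_rules are hypothetical names.

# Download URL ($1) to FILE ($2); non-zero exit status on failure.
fetch_url() {
    wget -q -T 30 -O "$2" "$1"
}

# Let SpamAssassin parse the staged directory instead of the live one.
lint_rules() {
    spamassassin --lint --siteconfigpath="$1"
}

# A usable rule file is non-empty and does not begin like an HTML page
# (what a dead mirror or a proxy error typically returns).
looks_like_rules() {
    [ -s "$1" ] || return 1
    if head -n 5 "$1" | grep -qi -e '<html' -e '<!doctype'; then
        return 1
    fi
    return 0
}

# update_rules LIVE_DIR URL...
# Returns 0 when LIVE_DIR was updated, 1 when it was left untouched.
update_rules() {
    ur_live=$1; shift
    ur_stage=$(mktemp -d) || return 1
    # Start from the current rule set so a failed download keeps the old file.
    cp "$ur_live"/*.cf "$ur_stage"/ 2>/dev/null || true
    ur_changed=0
    for ur_url in "$@"; do
        ur_name=${ur_url##*/}
        ur_tmp="$ur_stage/$ur_name.new"
        if fetch_url "$ur_url" "$ur_tmp" && looks_like_rules "$ur_tmp"; then
            mv "$ur_tmp" "$ur_stage/$ur_name"
            ur_changed=1
        else
            echo "skipped $ur_url (download failed or not a rule file)" >&2
            rm -f "$ur_tmp"
        fi
    done
    ur_rc=1
    # Install only a set that changed, that SpamAssassin can parse, and that copies cleanly.
    if [ "$ur_changed" -eq 1 ] && lint_rules "$ur_stage" \
        && cp "$ur_stage"/*.cf "$ur_live"/; then
        ur_rc=0
    else
        echo "rule set not installed, $ur_live left as it was" >&2
    fi
    rm -rf "$ur_stage"
    return $ur_rc
}

# Typical call, restarting amavisd only when new rules were really installed:
#   update_rules /etc/mail/spamassassin URL1 URL2 ... && /etc/init.d/amavisd restart
```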
b) At the console prompt or a putty window type the following command:
urpmi razor
(razor should be already installed...)
(accept all dependencies)
razor-admin -home=/etc/mail/spamassassin/.razor -register
razor-admin -home=/etc/mail/spamassassin/.razor -create
razor-admin -home=/etc/mail/spamassassin/.razor -discover
urpmi pyzor
(accept all dependencies)
urpmi dcc
(accept all dependencies)
urpmi amavisd-new
(amavis should be already installed...)
Say yes to the dependencies prompt. This will automatically install amavisd-new.
c) Configure amavisd by editing the /etc/amavisd/amavisd.conf:
vi /etc/amavisd/amavisd.conf
Hit "i" to start editing. Ensure the lines below are set as follows. Add them if they don't exist.
The first line bypasses all virus checks. It is not needed in this particular situation since we will be
installing clamav further down. If you are having problems with clamav and cannot get it to work, it could
potentially stop your mail server from operating. In that case, remove the # from in front of the line and it will
bypass all virus checks.
#@bypass_virus_checks_acl = qw( . );
Ensure you enter the domain your mailserver belongs to. This setting is VERY important and
without this setting messages WILL NOT be tagged as spam in the subject line.
$mydomain = 'vallauri.net';
This line ensures that ALL domains this server delivers mail for will be processed through the spam
filter. Without this line, only the domain appearing in the $mydomain = line above will be
processed through the spam filter.
@local_domains_acl = qw( . );
Ensure this line is commented out with the # symbol just like it looks here.
#@local_domains_maps = ( [".$mydomain"] );
Email tagged as spam is passed on, but its subject is modified.
$sa_spam_modifies_subj = 1;
Add spam info headers. I suggest you set as high as possible. Setting to undef is highly
recommended so that all mail headers are modified no matter what.
$sa_tag_level_deflt = undef;
Add 'spam detected' headers at that level. This is the minimum score the system will need to add
spam headers to a message. It's pretty low. Start out low and increase the value as you see fit. If you
start to get a lot of false positives, you should increase this value.
$sa_tag2_level_deflt = 3;
Triggers spam evasive actions
$sa_kill_level_deflt = 15;
Spam level beyond which a DSN is not sent
$sa_dsn_cutoff_level = 9;
The word appended to the subject line of spam emails before passed to the end user
$sa_spam_subject_tag = '***SPAM***';
Ensures spam is passed to the end user tagged as such. We never want the spam filter to kill
messages. We want the end user to decide whether it's spam or not.
$final_spam_destiny = D_PASS; # Or D_REJECT if you want to kill it
Ensures emails with bad headers are passed to the end user tagged as such.
$final_bad_header_destiny = D_PASS; # Or D_REJECT if you want to block it
$myhostname = 'Stealth.vallauri.net'; # must be a fully-qualified domain name!
Hit "ESC" and then "SHIFT ZZ" to save your amavisd.conf file. Edit your /etc/postfix/master.cf
file and add the following entry to it, or amavisd will simply not work:
vi /etc/postfix/master.cf
Add the following entry at the very bottom of your master.cf file right before the line
##### END OF CONTENT FILTER CUSTOMIZATIONS #####
(the -o lines must start with whitespace so that Postfix reads them as part of the same entry):
smtp-amavis unix - - y - 2 smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
Once done with the editing, hit SHIFT, ZZ to save the file.
Now issue the following command for changes to take effect:
service amavisd reload
STEP 4:
Configure Postfix
The steps below outline how to configure postfix to receive e-mail for your Exchange box and forward
it to amavisd-new, which in turn processes it with spamassassin and razor. If it passes all the
checks, it gets forwarded back to postfix, which in turn delivers it to your Exchange box.
a) Issue the following command at your putty prompt to edit your /etc/postfix/main.cf file:
vi /etc/postfix/main.cf
Hit "i" to edit the file, and make sure the settings below are set, substituting your own info
and/or adding lines as necessary:
# User configurable parameters
inet_interfaces = all
#mynetworks_style = host
local_recipient_maps =
delay_warning_time = 4h
Do not give out more info to potential hackers than necessary. A lot of people leave the server type
and version number on this field. I say, just be as vague as possible. Your choice.
smtpd_banner = vallauri.net ESMTP
unknown_local_recipient_reject_code = 550
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
recipient_delimiter = +
owner_request_special = no
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
content_filter = smtp-amavis:[127.0.0.1]:10025
receive_override_options = no_address_mappings
#empty_address_recipient =
header_checks = regexp:/etc/postfix/header_checks
# Optional message size limit in bytes (remove the leading # from the next line to enable it)
#message_size_limit = 1024000
In the following line you specify the domains that you will allow this server to relay mail for. Be
careful here. Limit this to only your domains or you risk of becoming an open relay!
relay_domains = vallauri.net
Obviously your domain name goes here. Multiple domains can go there separated by commas
mydomain = vallauri.edu
(or vallauri.net; Postfix does not accept a trailing comment on the same line as the value)
Enter the FQDN for your box here:
myhostname = Stealth.vallauri.net
In this field, make sure that you put the IP address range of the network where your Exchange
server is, and your domain name.
mynetworks = 10.0.0.0/16, vallauri.edu
This field actually makes the whole relay thing work. Make a note of the file and the path, we'll deal
with it further down.
transport_maps = hash:/etc/postfix/transport
#myorigin =
queue_minfree = 0
Enter RBL lists in the following field. Please be very careful which lists you pick. Some lists are
run by tyrants and sometimes legitimate servers end up on them. Also, keep in mind that any e-mail
matched to a list gets rejected at the door. That means it doesn't even get to your server, which
means the user or you will NEVER see that e-mail. Be very wise about which lists you pick.
(Continuation lines in main.cf must begin with whitespace.)
maps_rbl_domains = sbl.spamhaus.org, relays.ordb.org, opm.blitzed.org, dun.dnsrbl.net
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject, reject_non_fqdn_hostname,
    reject_maps_rbl
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_non_fqdn_recipient
smtpd_sender_restrictions = reject_unauth_pipelining, reject_unknown_sender_domain,
    reject_non_fqdn_sender
The field below is very very important. Make a note of it and we'll deal with it further down this
guide.
#relay_recipient_maps = hash:/etc/postfix/exchange_recipients
Once done with the editing, hit SHIFT, ZZ to save the file.
b) Next issue the following command at your putty prompt where vallauri.net is the name of the
domain this server is going to be relaying e-mail for and 10.0.5.15 is the actual IP address of your
exchange server. You can add as many domains as you like.
echo "vallauri.net smtp:[10.0.5.15]" >> /etc/postfix/transport
The following command will tell postfix to accept e-mail for ALL domains. I DO NOT recommend
you process the following command unless you are 150% sure you know what you are doing. I
merely put it there for reference.
echo "* smtp:[10.0.5.15]" >> /etc/postfix/transport
After you add the previous line(s) in your transport file, issue the following commands. One
command per line:
postmap /etc/postfix/transport
postfix reload
service postfix restart
You should first see the message postfix/postfix-script: refreshing the Postfix Mail system and then
Shutting Down postfix and Starting Postfix. You should see no errors during this. If you do, go
back and fix them. Then run the postfix reload and the service postfix restart commands again and
look for errors. If there are no errors, life is good! Proceed to the next step.
The next step is used if you want to download the Active Directory user list locally from the Exchange
server (if you want your relay server to block nonexistent users).
STEP 5:
Configure Relay Recipient Maps
The steps below outline how to tell postfix who are valid recipients on your Exchange server so that
the postfix server doesn't forward e-mail to invalid e-mail addresses on your domain and have your
Exchange server logs fill up with undeliverable receipts. This step requires installing a few extra
packages as well as running Chris Covington's getadsmtp.pl script to get all the recipients from your
Exchange box. The recipients will be saved on the /etc/postfix/exchange_recipients file. Finally,
when we verify that the script works, we will schedule to run at regular intervals with crond
depending on how dynamic the accounts on our Exchange server are.
1. First, go to the following link:
http://www-personal.umich.edu/~malth/gaptuning/postfix/getadsmtp.pl
You will be presented with Chris Covington's getadsmtp.pl script. In your putty window, create the
getadsmtp.pl file under your /usr/bin directory as follows:
vi /usr/bin/getadsmtp.pl
Now, hit "i" to start editing the file, then select and copy everything from your browser which has
the getadsmtp.pl script and paste it into your putty window. Hit "ESC" to stop editing, and then "SHIFT
ZZ" to save the file.
(You can also download it by typing:
/usr/bin/wget http://www-personal.umich.edu/~malth/gaptuning/postfix/getadsmtp.pl -O /usr/bin/getadsmtp.pl)
2. Next you must install Net::LDAP. In your console/putty window type:
urpmi perl-ldap
Accept the dependencies and have it install automatically.
3. Most of the instructions below have been taken verbatim from
http://doc.nettools.ru/Unix/Postfix&intserver/. I have copied and pasted them for convenience and
redundancy. These instructions will guide you through configuring and running the getadsmtp.pl
script against your Exchange server to get a list of valid aliases. I have put in some of my own
comments where necessary. Important: your spamfilter box will require port 389 access to your
Active Directory DC in order for this script to work, so adjust your firewalls accordingly! Open the
getadsmtp.pl script in your editor:
vi /usr/bin/getadsmtp.pl
Enter the path to your recipient maps file by changing the line:
$VALID = "/etc/postfix/example_recipients";
to:
$VALID = "/etc/postfix/exchange_recipients";
Next you will need to enter either the Fully Qualified Domain Name (FQDN) of your Active
Directory Domain Controller or you can enter the DC's local IP address. You may have to do the
latter if your DC uses the "yourdomain.local" naming scheme since your spamfilter would not be
able to resolve this address (unless you explicitly tell it). In any event, depending on your situation,
this parameter may need some tweaking in order for the spamfilter to "talk" to the DC. If you only
have one DC, make sure that both $dc1 and $dc2 lines are set with the same FQDN or IP address of
your one and only DC. Change the lines that say:
$dc1="domaincontroller1.example.com";
$dc2="domaincontroller1.example.com";
to:
$dc1="10.0.5.1";
$dc2="10.0.5.15"; # if you have a domain controller (and an LDAP controller) here...
Here $dc1 is the local IP address of your DC and $dc2 that of your Backup Domain Controller, if you
have one. Again, enter the same IP address in both fields if you only have one DC.
Next, you will need to determine and enter the LDAP container of your user base. To do this you
should download the Windows 2000/2003 Support Tools and install them on your AD
DC. The tools are usually located under the /Support/Tools directory of your Windows 2000/2003
Server installation CD if you don't want to download them. Once you have installed the support tools, go to
your Exchange server, click on Start/Run and then type in "mmc". You should be presented with
the Windows root console. Click on File and then "Add/Remove Snap-In". In the next window click
on the "Add" button. In the following "Add Remove Standalone Snap-In" window you should see a list of
already installed snap-ins. If you installed the support tools correctly, you should see the "ADSI
Edit" snap-in. Click on it, then click on "Add", then on "Close" and then "Ok". You
should now have the ADSI Edit snap-in under the Console Root window. Right-click on ADSI Edit and
then click on "Connect To". On the next window just click "OK". Now under ADSI Edit in your
Console Root you should see your domain. Expand the domain tree, then expand the "DC=" tree
and then click on the "CN=" tree that contains your Exchange users. Unless you moved your users
around different containers in your AD, this is most probably the "CN=Users" tree. Now look at the
label of your console root window. It should read something similar to this:
"Console Root\ADSI Edit\Domain [yourdc.yourdomain.tld]\DC=yourdomain,DC=tld\CN=users"
where yourdc.yourdomain.tld is the FQDN of your DC. So, on the getadsmtp.pl line below, change
the default values to the values of your domain using the settings you got from above:
$hqbase="cn=Accounts,dc=Vallauri,dc=Net";
Next, you will need to enter a username and password for a user in your Active Directory. This user
does not need any special privileges but you should make sure that the user's password is set to not
expire. The format of the user should be entered as "cn=username,cn=Users,dc=example,dc=com".
Again, I suggest you read the comments in the getadsmtp.pl script carefully. Note that because you
are entering a password here in clear text, I would make sure that this script is only readable by
root. Once you have the information you need, change the lines:
$user="cn=infotest,cn=Informatica,cn=Studenti,cn=Accounts,dc=Vallauri,dc=Net";
$passwd="infotest";
to the appropriate values.
* Please note that if the password you use contains the $ sign (and perhaps others? I am not really familiar
with perl, but some characters such as $ and probably also quotes have special meaning) you
will have to escape them appropriately with a backslash or perl will complain. For example, if your
password is: pa$$word, you would have to enter: pa\$\$word here. Once you have made all the
changes to the getadsmtp.pl script you should save it (hit Esc, and then :wq) and exit vi.
Now, make the script executable and test it to see if it works (mode 700, so that only root can
read the clear-text password, as noted above):
chmod 700 /usr/bin/getadsmtp.pl
/usr/bin/getadsmtp.pl
If the script runs successfully, you should now have a file in /etc/postfix called exchange_recipients
listing all your email addresses. To verify this, issue the command:
less /etc/postfix/exchange_recipients
(of course, replace this with the file name you chose earlier, if needed). You should see a list scroll
by with format similar to this:
[email protected] OK
[email protected] OK
[email protected] OK
...etc.
Some final comments: If you look at your main.cf file, you will see that the
unknown_local_recipient_reject_code is set to 550. However, this directive does not control the
rejection code for a recipient that is not listed in the relay_recipient_maps. The default rejection
code for unknown users is 550, which is most likely what you want, but if you ever wanted to
change it, the directive to change is
unknown_relay_recipient_reject_code
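An added example, not part of the original guide or of getadsmtp.pl: once relay_recipient_maps points at this file, an export that comes back empty or truncated (for instance after a failed LDAP bind) makes Postfix reject mail for real users, so a fresh export is worth checking before it replaces the live map. It assumes $VALID in getadsmtp.pl is pointed at a candidate path rather than at the live file; the function names, return codes and the 20% shrink threshold are hypothetical choices.

```shell
#!/bin/sh
# Added example (not from the guide): vet a freshly exported recipient list
# before it replaces the map Postfix reads. Function names are hypothetical.

# check_recipient_map CANDIDATE LIVE DOMAINS [MAX_SHRINK_PERCENT]
#   DOMAINS is a comma-separated list of the domains the relay accepts.
#   Returns 0 = usable, 2 = empty, 3 = malformed line (this includes CRLF
#   line endings), 4 = address outside DOMAINS, 5 = list shrank too much.
check_recipient_map() {
    cm_new=$1; cm_live=$2; cm_doms=$3; cm_pct=${4:-20}

    [ -s "$cm_new" ] || return 2

    # Every line must look like "user@domain OK", the format the export produces.
    if grep -E -v -q '^[^[:space:]@]+@[^[:space:]@]+[[:blank:]]+OK[[:blank:]]*$' "$cm_new"; then
        return 3
    fi

    # Every address must belong to a domain this relay is meant to serve.
    if ! awk -v list="$cm_doms" '
        BEGIN { n = split(tolower(list), d, ","); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        { split($1, a, "@"); if (!(tolower(a[2]) in ok)) bad = 1 }
        END { exit (bad ? 1 : 0) }' "$cm_new"; then
        return 4
    fi

    # A sudden drop in the number of recipients usually means a partial export.
    if [ -s "$cm_live" ]; then
        cm_old_n=$(wc -l < "$cm_live")
        cm_new_n=$(wc -l < "$cm_new")
        if [ $((cm_new_n * 100)) -lt $((cm_old_n * (100 - cm_pct))) ]; then
            return 5
        fi
    fi
    return 0
}

# install_recipient_map CANDIDATE LIVE DOMAINS [MAX_SHRINK_PERCENT]
# Replaces LIVE only after the checks pass, then rebuilds the lookup table.
# Set POSTMAP to another command (for example "true") for a dry run.
install_recipient_map() {
    check_recipient_map "$1" "$2" "$3" "${4:-}" || return $?
    cp "$1" "$2.tmp" || return 1
    mv "$2.tmp" "$2" || return 1
    "${POSTMAP:-postmap}" "$2"
}

# Typical call from the cron job that runs the export:
#   install_recipient_map /etc/postfix/exchange_recipients.new \
#       /etc/postfix/exchange_recipients vallauri.net
```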
STEP 6:
Install and configure Clam-AV
At your putty window, type in the following to install Clam-AV:
urpmi clamav
urpmi clamd
Configure clamd to run as the amavis user. Edit /etc/clamd.conf:
vi /etc/clamd.conf
Hit "i" to start editing, find the line that reads "User clamav" and change to user amavis like below:
# Run as a selected user (clamd must be started by root).
# Default: disabled
User amavis
Change the owner under /var/lib/clamav to amavis as follows:
chown -R amavis:amavis /var/lib/clamav
Start the clamd daemon:
service clamd start
STEP 7:
Configure your Exchange Server
First, a little explanation of how this whole SPAM thing works with our current setup. Potential
SPAM messages are received and processed; if found to be spam, they are tagged as such in the
headers and, most notably for the user's sake, the subject of the email gets ***SPAM*** added to it
(if you followed this guide exactly), and it still gets delivered to the user. It's
important to understand that potential spam email does NOT get deleted but instead is marked and
passed to the user. Now, the user has two choices. If the email really is spam, the user can just delete
it. If the spam filter screwed up and the e-mail got tagged as spam even though it shouldn't have been,
the user has to have a way of telling you that the e-mail should not get tagged as spam anymore.
Vice versa, if the spam filter missed an email that should have been marked as spam but wasn't, the
user has to be able to tell you that this e-mail must be marked as spam next time. So we have to give
the users a way of moving messages into two separate areas, one for SPAM and one for NON-SPAM
or HAM if you will.
STEP 8:
Try to send an e-mail
If you want to send an e-mail to check that the server runs correctly, you can configure an account
(in Outlook Express, Windows Mail or Thunderbird) on your internal network and try to send a
mail to yourself or to another account in your domain (vallauri.edu),
e.g.:
Name: Prova Costamagna
Mail Address: [email protected]
POP3: 10.0.5.15 (posta.vallauri.edu or hostpost.vallauri.net) (your exchange server)
SMTP: 10.0.5.18 (Stealth.vallauri.net) (your relay server)
Username: infotest
Password: infotest
Now you can send a mail with a virus or spam to your account and, when you receive it, check the
message properties to verify that everything went well.
Be careful when sending spam, because this server will mark your mail address as spam for the future...
Written by Gianfranco Costamagna [email protected]
THIS GUIDE IS RELEASED WITH ARTISTIC LICENCE.
