Mail server: Dovecot + Postfix + MailScanner installation notes & updates

Version: 20241210-1

I run a private mail server on my internal network that has never been used for outside traffic. Apart from being a personal research project, the reason it is not in regular use is that its administration, security and reliability are nowhere near what the big providers everyone knows (Gmail, Yahoo, Hotmail) offer.
Things were quiet for a good while, then one day odd phishing (extortion) mails started arriving at a steady rate. After spending some time checking the related machines and devices, I gradually noticed in logwatch quite a few traces of uninvited guests trying to break in.
I then reworked the fail2ban jails, reviewed the firewall and the externally exposed ports, and moved internal services behind the VPN, trying to close the gaps properly.
That leaves the mail server, which has to stay exposed, so it will be sprayed with spam and phishing; sooner or later these idle people find it and start sending to this private mail host (even though none of my internal addresses has ever been used externally).
Working through the problems and repeatedly tweaking the settings of the related services took a long time, and this write-up grew out of it.
It also serves as my own review and record of the setup, since the machine has accumulated quite some age since its last repair and reinstall.
Whenever I next upgrade or reinstall from scratch, at least there is a record to restore from as quickly as possible.

Bear in mind that this is my own, continually edited write-up, and some of it reflects how my own host is used.
If friends reading this have questions or suggestions, or wonder whether it applies to them, please note the differences between our setups and needs and adjust accordingly.
I have tried to lay out everything I understand and can show in the list that follows.
(Having spent a lot of time reading other people's configurations, everyone seems to end up with their own customized settings and environment, XD)

Since my idv.tw domain and its forward/reverse DNS are hosted externally, I will not say much about that side; the focus is on the services my own host exposes. The topics are roughly:
1. Postfix mail host
2. MailScanner integrating ClamAV (antivirus) and SpamAssassin (spam filtering) to assist the mail host
3. MailWatch to help read the working state of the mail host and of MS

1. Dovecot POP3/IMAP and Postfix MTA: the mail send/receive system
Install the related packages
sudo apt install postfix postfix-mysql postfix-policyd-spf-python dovecot-core dovecot-imapd dovecot-pop3d
For a first-time install you can run this simple interactive configuration
sudo dpkg-reconfigure postfix

Then edit /etc/postfix/main.cf as needed.
sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.origin
sudo nano /etc/postfix/main.cf

###
#mail_owner = postfix
mail_owner = postfix
#smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_banner = $myhostname ESMTP
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
# TLS parameters: the certificate and key issued by certbot; the live/ symlinks are referenced here.
smtpd_tls_cert_file = /etc/letsencrypt/live/xxx.xxx.xxx.xxx/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/xxx.xxx.xxx.xxx/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
#Enable TLS Encryption when Postfix sends outgoing emails
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#Enforce TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#
myhostname = xxx.xxx.xxx.xxx
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, xxx.xxx.xxx.xxx, localhost
### RELAY to send mail out: this host is on a Chunghwa Telecom (HiNet) line, so outbound mail is relayed through the HiNet MSA to reduce the chance of being flagged as spam.
#relayhost =
relayhost = [msa.hinet.net]
#
# "all" is not a network pattern (Postfix expects address/prefix lists, a file or a lookup table),
# and permit_mynetworks lets anything that matches relay; list only trusted networks here and
# add LAN/VPN ranges explicitly if needed.
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
#
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
relay_recipient_maps = hash:/etc/postfix/relay_recipients
#
smtputf8_enable = no
disable_vrfy_command = yes
### Rules applied to each RCPT TO on port 25 (continuation lines must be indented).
### reject_unverified_sender probes the sender's MX for every new address: it adds
### latency and some operators dislike the callouts, so drop it if that becomes a problem.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unverified_sender,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient
### openDKIM + OpenDMARC
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891, local:opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milters
### Using Dovecot to Deliver Email to Message Store
mailbox_transport = lmtp:unix:private/dovecot-lmtp
### 1. Basic header-based filtering via regexp
### 2. MailScanner hook: header_checks holds every message for MS (see below)
header_checks = regexp:/etc/postfix/header_checks
#body_checks = regexp:/etc/postfix/body_checks
###

Next, edit /etc/postfix/master.cf as needed.
sudo cp /etc/postfix/master.cf /etc/postfix/master.cf.origin
sudo nano /etc/postfix/master.cf

(...earlier part omitted...)
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
### to open and secure port 587. The "-o" lines must be indented so Postfix reads them as
### part of the submission entry. TLS is required before AUTH: with smtpd_tls_security_level=may
### a client could send its password in the clear.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_wrappermode=no

(...middle omitted...)
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
### to open and secure port 465 (implicit TLS: wrapper mode encrypts the session before any
### SMTP command is exchanged, so TLS is always enforced here).
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_auth_only=yes

(...middle omitted...)
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
### LOG: tag relay log lines with the service name so relayed mail can be told apart.
relay     unix  -       -       y       -       -       smtp
  -o syslog_name=postfix/$service_name
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error

(...rest omitted...)

Because main.cf references several lookup tables, they have to be created and then filled in. virtual, transport and relay_recipients are hash: tables and need postmap after every change (the small script further down does this); header_checks and body_checks are regexp: tables that Postfix reads as-is.
sudo touch /etc/postfix/virtual
sudo touch /etc/postfix/transport
sudo touch /etc/postfix/relay_recipients
sudo touch /etc/postfix/header_checks
sudo touch /etc/postfix/body_checks

sudo nano /etc/postfix/virtual
### This file says which account receives the various system mailboxes
# (mailbox) (account)
admin@xxx.xxx.xxx.xxx OOO
dmarc-reports@xxx.xxx.xxx.xxx OOO
www-data@xxx.xxx.xxx.xxx OOO

sudo nano /etc/postfix/header_checks
### MailScanner hook: every message is held so MS can pick it up from the hold queue
/^Received:/ HOLD
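Before reloading Postfix it is worth checking that the relay and TLS settings do what the comments say: a value such as mynetworks = all, or a submission service with smtpd_tls_security_level=may, is easy to miss by eye. The following is an added example (editor's code, not from the original post): a static audit that parses main.cf and master.cf, including continuation lines, and reports the findings that matter most (world-wide relay, missing reject_unauth_destination, STARTTLS disabled, TLS 1.0/1.1 still allowed, VRFY enabled, AUTH offered without TLS on 587). The two sample configuration pairs it writes are constructed for the demo; everything else is plain awk, grep and sh.

```shell
#!/usr/bin/env bash
# Added example (editor's code, not from the original post): static audit of the
# relay, TLS and SASL settings in a Postfix main.cf / master.cf pair. It reads
# files, not a live server, so a config copy can be checked before "postfix reload".
set -u

# Effective value of one main.cf parameter: comments skipped, continuation
# lines (leading whitespace) joined, the last assignment wins.
cf_get() {  # cf_get <main.cf> <parameter>
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]/   { if (inkey) val = val " " $0; next }
                         { inkey = 0 }
        $0 ~ ("^" key "[[:space:]]*=") {
            inkey = 1; sub("^" key "[[:space:]]*=[[:space:]]*", ""); val = $0
        }
        END { gsub(/[[:space:]]+/, " ", val); print val }' "$1"
}

# True when the parameter appears at all ("set but empty" differs from "unset").
cf_has() { grep -q "^$2[[:space:]]*=" "$1"; }

# Audit main.cf. Findings go to stderr, the number of findings to stdout.
audit_main_cf() {  # audit_main_cf <main.cf>
    local cf=$1 n=0 v
    v=$(cf_get "$cf" mynetworks)
    case " $v " in                   # permit_mynetworks trusts every match
        *" all "*|*" 0.0.0.0/0 "*|*" [::]/0 "*)
            echo "mynetworks='$v' lets the whole world relay" >&2; n=$((n+1)) ;;
    esac
    if cf_has "$cf" smtpd_relay_restrictions; then  # unset: Postfix >= 2.10 default is safe
        case "$(cf_get "$cf" smtpd_relay_restrictions) $(cf_get "$cf" smtpd_recipient_restrictions)" in
            *unauth_destination*) ;;
            *) echo "no restriction list rejects relaying to foreign domains" >&2; n=$((n+1)) ;;
        esac
    fi
    v=$(cf_get "$cf" smtpd_tls_security_level)
    case "$v" in may|encrypt) ;;
        *) echo "smtpd_tls_security_level='$v': inbound STARTTLS disabled" >&2; n=$((n+1)) ;;
    esac
    v=$(cf_get "$cf" smtpd_tls_protocols)
    case "$v" in *'!TLSv1.1'*|*'>=TLSv1.2'*|*'>=TLSv1.3'*) ;;
        *) echo "smtpd_tls_protocols='$v' still allows TLS 1.0/1.1" >&2; n=$((n+1)) ;;
    esac
    [ "$(cf_get "$cf" disable_vrfy_command)" = yes ] ||
        { echo "disable_vrfy_command is not yes: VRFY enumerates mailboxes" >&2; n=$((n+1)); }
    echo "$n"
}

# One master.cf service: its entry line plus the indented "-o" lines.
master_block() {  # master_block <master.cf> <service>
    awk -v svc="$2" '/^[[:space:]]*#/ { next }
                     /^[^[:space:]]/  { inblk = ($1 == svc) }
                     inblk            { print }' "$1"
}

# Audit an AUTH-capable service (587/465). Findings to stderr, count to stdout.
audit_master_cf() {  # audit_master_cf <master.cf> <service>
    local blk n=0
    blk=$(master_block "$1" "$2")
    [ -n "$blk" ] || { echo "$2: not defined in $1" >&2; echo 1; return; }
    if printf '%s\n' "$blk" | grep -q 'smtpd_tls_wrappermode=yes'; then
        echo 0; return               # implicit TLS (465): nothing crosses in clear
    fi
    if printf '%s\n' "$blk" | grep -q 'smtpd_sasl_auth_enable=yes'; then
        printf '%s\n' "$blk" | grep -q 'smtpd_tls_security_level=encrypt' ||
            { echo "$2: SASL on but TLS optional; set smtpd_tls_security_level=encrypt" >&2; n=$((n+1)); }
        printf '%s\n' "$blk" | grep -q 'smtpd_tls_auth_only=yes' ||
            { echo "$2: AUTH offered before STARTTLS; set smtpd_tls_auth_only=yes" >&2; n=$((n+1)); }
    fi
    echo "$n"
}

# Two constructed config pairs: the weak settings beside the hardened ones.
write_samples() {
    local d; d=$(mktemp -d)
    printf '%s\n' 'mynetworks = all' 'smtpd_relay_restrictions =' \
        'smtpd_recipient_restrictions = permit_mynetworks,' '    permit_sasl_authenticated' \
        'smtpd_tls_security_level = none' 'smtpd_tls_protocols = !SSLv2, !SSLv3' >"$d/weak-main.cf"
    printf '%s\n' 'submission inet n - y - - smtpd' '  -o smtpd_tls_security_level=may' \
        '  -o smtpd_sasl_auth_enable=yes' >"$d/weak-master.cf"
    printf '%s\n' '# comments are ignored' 'mynetworks = 127.0.0.0/8 [::1]/128' \
        'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,' \
        '    reject_unauth_destination' 'smtpd_tls_security_level = may' \
        'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' 'disable_vrfy_command = yes' >"$d/good-main.cf"
    printf '%s\n' 'submission inet n - y - - smtpd' '  -o smtpd_tls_security_level=encrypt' \
        '  -o smtpd_sasl_auth_enable=yes' '  -o smtpd_tls_auth_only=yes' \
        'smtps inet n - y - - smtpd' '  -o smtpd_tls_wrappermode=yes' '  -o smtpd_sasl_auth_enable=yes' >"$d/good-master.cf"
    echo "$d"
}

dir=$(write_samples)                 # demo: weak pair reports findings, hardened pair none
for f in weak good; do
    echo "$f main.cf: $(audit_main_cf "$dir/$f-main.cf") finding(s)"
    echo "$f submission: $(audit_master_cf "$dir/$f-master.cf" submission) finding(s)"
done
rm -rf "$dir"
```

On the live host, save the normalized configuration with `postconf -n > /tmp/main.cf` and `postconf -M > /tmp/master.cf`, source the script, and call audit_main_cf and audit_master_cf on those two files; the script only reads its inputs, so it is safe to run as an unprivileged user on copies.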

Next comes the Dovecot service configuration; several files need adjusting.
/etc/dovecot/dovecot.conf
sudo nano /etc/dovecot/dovecot.conf
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
### added if needed: I turned this on because I was troubleshooting (verbose mail logs).
mail_debug = yes
### added lmtp for internal delivery from Postfix. "imaps pop3s" as protocol names is
### obsolete in Dovecot 2; TLS is enforced by the ssl listeners in 10-master.conf and
### by disable_plaintext_auth in 10-auth.conf, not by this line.
#protocols = imaps pop3s
protocols = imap pop3 lmtp

# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.

/etc/dovecot/conf.d/10-auth.conf
sudo nano /etc/dovecot/conf.d/10-auth.conf
(...earlier part omitted...)
#disable_plaintext_auth = yes
disable_plaintext_auth = yes
(...middle omitted...)
# %n keeps only the local part, so users log in with the system account name
#auth_username_format = %Lu
auth_username_format = %n
(...middle omitted...)
# "login" is only needed for older clients that do not support PLAIN
#auth_mechanisms = plain
auth_mechanisms = plain login
(...rest omitted...)

/etc/dovecot/conf.d/10-master.conf
sudo nano /etc/dovecot/conf.d/10-master.conf
(...earlier part omitted...)
service imap-login {
  inet_listener imap {
    #port = 143
    #port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  (...middle omitted...)
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
    #port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
(...middle omitted...)
service lmtp {
  # unix_listener lmtp {
  #   mode = 0666
  # Postfix reaches this socket as private/dovecot-lmtp inside its queue directory
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}
(...middle omitted...)
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  (...middle omitted...)
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    #mode = 0666
    mode = 0660
    user = postfix
    #group = postdrop
    group = postfix
  }
  (...middle omitted...)
}
(...rest omitted...)

/etc/dovecot/conf.d/10-ssl.conf
sudo nano /etc/dovecot/conf.d/10-ssl.conf
(...earlier part omitted...)
#ssl = required
ssl = yes
(...middle omitted...)
#ssl_cert =

/etc/dovecot/conf.d/20-imap.conf
sudo nano /etc/dovecot/conf.d/20-imap.conf
(...earlier part omitted...)
protocol imap {
  # Space separated list of plugins to load (default is global mail_plugins).
  #mail_plugins = $mail_plugins

  # Maximum number of IMAP connections allowed for a user from each IP address.
  # NOTE: The username is compared case-sensitively.
  #mail_max_userip_connections = 10
}
#### added
mail_plugins = $mail_plugins
mailbox_list_index = yes
namespace inbox {
  #prefix
  mailbox Trash {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = no
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe   # auto-create and subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = create   # auto-create but do not subscribe
    special_use = \Junk
  }
  mailbox virtual/All {   # only if using virtual mailboxes
    auto = no
    special_use = \All
  }
}

2. MailScanner integrating ClamAV (antivirus) and SpamAssassin (spam filtering) to assist the mail host
Before installing the MailScanner package (abbreviated "MS" below), install the antivirus and anti-spam packages first; otherwise MailScanner installs but does not work properly, and you will burn time troubleshooting without finding the cause.
sudo apt install spamassassin clamav clamav-daemon
Enable the antivirus at boot and start it.
sudo systemctl enable clamav-daemon
sudo systemctl enable clamav-freshclam
sudo systemctl start clamav-daemon

For additional signature databases you can register at the site below; a free account provides a few update URLs, but apparently only for one host. More hosts require payment, and paying also adds further signature URLs.
https://www.securiteinfo.com/clamav-antivirus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml?lg=en

Then fetch the latest MailScanner from the official site: https://github.com/MailScanner/v5/releases/
The latest version at the time of writing is v5.5.3-2; my system is Ubuntu, so download the .deb package to install the bootstrap program (the file name passed to apt must match the one downloaded).
cd ~/Download/
wget https://github.com/MailScanner/v5/releases/download/5.5.3-2/MailScanner-5.5.3-2.noarch.deb
sudo apt -y install ./MailScanner-5.5.3-2.noarch.deb

After the MailScanner bootstrap package is installed, follow its prompt to run the install or update.
On a clean system it spends quite a while downloading and installing the required programs and packages (ClamAV and SpamAssassin must already be installed by you).
So be patient while it downloads and compiles.
sudo /usr/sbin/ms-configure

The MS installation takes a good while to finish; once it has, disable the service for the time being.
sudo systemctl disable mailscanner

Then adjust the permissions controlled by AppArmor: find a suitable place in the clamd profile and add these two lines granting MailScanner's directories read/write access.
sudo nano /etc/apparmor.d/usr.sbin.clamd
(...earlier part omitted...)
/var/spool/qpsmtpd/* r,
/var/spool/p3scan/children/** r,
/var/spool/havp/** r,

# For use with MailScanner (added)
/var/spool/MailScanner/** rw,
/var/spool/MailScanner/incoming/** rw,

# For amavisd-new integration
/var/lib/amavis/tmp/** r,
# For mimedefang integration
/var/spool/MIMEDefang/mdefang-*/Work/ r,
/var/spool/MIMEDefang/mdefang-*/Work/** r,
(...rest omitted...)

Then restart the service. Articles elsewhere say to reboot once, but on my host the service restarted fine without a reboot.
sudo systemctl restart apparmor

Then, there are two ways for Postfix to hand mail to MailScanner:
1. Add a forced HOLD rule to /etc/postfix/header_checks, which parks every message in the hold queue and gives ClamAV and SpamAssassin time to scan it before it is released into incoming for delivery. This is the method described in this article.
/^Received:/ HOLD
2. The official install method uses the milter, which re-injects mail via QMQP on port 628. Once the first method was working I did not get around to testing whether this one works too.
Either way works, but the in/out directories and the user/group permissions differ slightly between them, so take care.

Next, set up the related directories and their permissions.
sudo mkdir /var/spool/postfix/hold
sudo mkdir /var/spool/postfix/incoming

sudo chown postfix:postfix /var/spool/postfix/hold
sudo chown postfix:postfix /var/spool/postfix/incoming

sudo chown postfix:postfix /var/spool/MailScanner/incoming
sudo chown postfix:postfix /var/spool/MailScanner/quarantine

sudo mkdir /var/spool/MailScanner/spamassassin
sudo chown postfix:postfix /var/spool/MailScanner/spamassassin

Then the Postfix lookup tables need their map files rebuilt; a small .sh script makes this easy to repeat.
sudo nano /usr/local/etc/postfix-db
sudo chmod a+x /usr/local/etc/postfix-db
sudo /usr/local/etc/postfix-db

Contents:
#!/bin/sh
# Rebuild the hash: tables referenced in main.cf. regexp: tables such as
# header_checks are read directly and need no postmap; tables that are not
# used on this host (e.g. access) are skipped instead of erroring out.
cd /etc/postfix || exit 1
newaliases
for map in virtual transport access relay_recipients; do
    if [ -f "$map" ]; then
        /usr/sbin/postmap "$map"
    fi
done

At this point the setup is almost complete!
Next, set the parameters in /etc/MailScanner/MailScanner.conf.
Change these lines as follows:
sudo nano /etc/MailScanner/MailScanner.conf
#
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Clamd Socket = /var/run/clamav/clamd.ctl
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Multiple Headers = add
Place New Headers At Top Of Message = yes

Then adjust a few parameters in the ClamAV daemon configuration.
sudo nano /etc/clamav/clamd.conf
#
LocalSocketGroup mtagroup

Adjust the related permissions too (mtagroup is the shared group MailScanner uses; if it does not exist yet, create it with groupadd mtagroup). Note that chown -R postfix on /etc/clamav also gives the postfix user write access to the ClamAV configuration; if all you need is for the group to read it, chgrp -R mtagroup plus chmod -R g+rX is the narrower choice.
sudo chown -R postfix:mtagroup /etc/clamav/
sudo usermod -a -G mtagroup post

fix
sudo usermod -a -G mtagroup clamav

Allow MS to start by default.
sudo nano /etc/MailScanner/defaults
#
run_mailscanner = 1

Enable everything at boot and start it. opendmarc is included because main.cf calls its milter socket; if it is not running, milter_default_action = accept simply lets mail through unchecked.
sudo systemctl enable postfix spamassassin dovecot clamav-daemon opendkim opendmarc mailscanner
sudo systemctl restart postfix spamassassin dovecot clamav-daemon opendkim opendmarc mailscanner

In theory it should now work.
The lint output should also report that the simulated virus test file was detected successfully.
sudo MailScanner --lint

Then, the working model I arrived at in this process: Postfix's smtpd accepts the message and the HOLD rule in header_checks parks it in /var/spool/postfix/hold (Dovecot is not involved at this stage; it only delivers the final result over LMTP).
MailScanner is configured to read /var/spool/postfix/hold, and the time a message sits there is when ClamAV scans it for malware and SpamAssassin for spam.
Once it is cleared, the message is moved to /var/spool/postfix/incoming, where Postfix's queue manager picks it up and delivers it to each user's mailbox.
MS scan times vary with the load on the machine at the time, but in my experience so far the delay has been under 5 minutes.
If you are worried about missing something, or cannot tell from the symptoms which stage is failing (I spent a stupidly long time finding out why mail came in but never went out), you can add MailWatch (https://github.com/mailwatch/MailWatch) to visualize management and status.
Because it runs as a web application with an SQL backend, remember to restrict it to browsing from the internal network or the local host, and give it its own separate account and password, so as not to hand outside idle people another back door to kick at.
For installation see https://docs.mailwatch.org/install/installing.html; note that the SQL statements for creating the account have changed syntax in newer versions.
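The hold-to-incoming hand-off above is where debugging tends to stall ("mail comes in but never goes out"), so here is an added example (editor's code, not from the original post) that cross-checks the pieces the pipeline depends on: the HOLD rule in header_checks, the queue directories and Run As User in MailScanner.conf, ownership of both queues, and whether anything has been sitting in hold longer than a few minutes. Paths, users and the sample header_checks / MailScanner.conf it builds are constructed for the demo; the real-host paths from this article are given in the usage note.

```shell
#!/usr/bin/env bash
# Added example (editor's code, not from the original post): consistency and
# health checks for the header_checks HOLD -> MailScanner -> incoming pipeline.
# make_fixture builds a constructed temporary spool for the demo and test.
set -u

# Number of queue files in <dir> older than <minutes>. MailScanner normally drains
# hold within minutes; older files mean it is down, clamd is unreachable, or it
# cannot read the files (ownership).
stale_in_queue() {  # stale_in_queue <dir> <minutes>
    find "$1" -type f -mmin "+$2" 2>/dev/null | wc -l | tr -d ' '
}

# Print a finding and return 1 unless <path> is owned by <user>:<group>
# (names or numeric ids both accepted).
check_owner() {  # check_owner <path> <user> <group>
    local names ids
    names=$(stat -c '%U:%G' "$1" 2>/dev/null) || { echo "$1: does not exist"; return 1; }
    ids=$(stat -c '%u:%g' "$1")
    if [ "$names" = "$2:$3" ] || [ "$ids" = "$2:$3" ]; then return 0; fi
    echo "$1: owned by $names, MailScanner runs as $2:$3"; return 1
}

# Value of a "Key = value" line in MailScanner.conf (keys contain spaces).
ms_get() {  # ms_get <MailScanner.conf> <key>
    awk -v key="$2" '
        /^[[:space:]]*#/ || index($0, "=") == 0 { next }
        { i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        k == key { val = v }
        END { print val }' "$1"
}

# Cross-check the pipeline. Findings go to stderr, the number of findings to stdout.
pipeline_health() {  # pipeline_health <header_checks> <MailScanner.conf> <hold> <incoming> <user> <group> <minutes>
    local hc=$1 ms=$2 hold=$3 inc=$4 u=$5 g=$6 mins=$7 n=0 v d
    # 1. Without the HOLD rule nothing reaches MailScanner: mail is delivered unscanned.
    grep -Eq '^/\^Received:/[[:space:]]+HOLD' "$hc" ||
        { echo "$hc: no '/^Received:/ HOLD' rule, mail bypasses MailScanner" >&2; n=$((n+1)); }
    # 2. MailScanner must read where Postfix holds and write where Postfix picks up.
    v=$(ms_get "$ms" "Incoming Queue Dir")
    [ "$v" = "$hold" ] || { echo "Incoming Queue Dir='$v' but Postfix holds in $hold" >&2; n=$((n+1)); }
    v=$(ms_get "$ms" "Outgoing Queue Dir")
    [ "$v" = "$inc" ] || { echo "Outgoing Queue Dir='$v' but Postfix reads $inc" >&2; n=$((n+1)); }
    v=$(ms_get "$ms" "Run As User")
    [ "$v" = "$u" ] || { echo "Run As User='$v', queue files belong to $u" >&2; n=$((n+1)); }
    # 3. Both queues must be owned by the user MailScanner runs as.
    for d in "$hold" "$inc"; do check_owner "$d" "$u" "$g" >&2 || n=$((n+1)); done
    # 4. Anything parked longer than <minutes> is stuck.
    v=$(stale_in_queue "$hold" "$mins")
    [ "$v" -eq 0 ] || { echo "$v message(s) stuck in $hold for over $mins min" >&2; n=$((n+1)); }
    echo "$n"
}

# Constructed fixture: a temp spool plus header_checks and MailScanner.conf,
# either consistent ("good") or with three typical mistakes ("broken").
make_fixture() {  # make_fixture <good|broken>
    local d out; d=$(mktemp -d); mkdir -p "$d/hold" "$d/incoming"; out=$d/incoming
    if [ "$1" = good ]; then
        printf '/^Received:/ HOLD\n' >"$d/header_checks"
    else
        printf '# /^Received:/ HOLD   (commented out while debugging)\n' >"$d/header_checks"
        out=/var/spool/MailScanner/incoming          # not the directory Postfix reads
        touch -t 202001010000 "$d/hold/ABC123DEF"    # a message stuck since 2020
    fi
    printf '%s\n' "Run As User = $(id -u)" "Run As Group = $(id -g)" \
        "Incoming Queue Dir = $d/hold" "Outgoing Queue Dir = $out" "MTA = postfix" \
        >"$d/MailScanner.conf"
    echo "$d"
}

for kind in good broken; do                          # demo against both fixtures
    fx=$(make_fixture "$kind")
    echo "$kind fixture: $(pipeline_health "$fx/header_checks" "$fx/MailScanner.conf" \
        "$fx/hold" "$fx/incoming" "$(id -u)" "$(id -g)" 30) finding(s)"
    rm -rf "$fx"
done
```

On the real host, source the script and run `pipeline_health /etc/postfix/header_checks /etc/MailScanner/MailScanner.conf /var/spool/postfix/hold /var/spool/postfix/incoming postfix postfix 10` as root (the spool directories are not world-readable); a non-zero count tells you which stage to look at before reaching for MailWatch.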

Other references:
Sites for testing whether a DNS/mail server setup meets the relevant standards:
https://www.checktls.com/TestReceiver
https://www.mail-tester.com/ PS. the free tier is limited to three tests a day
https://dkimvalidator.com/
https://mxtoolbox.com/
https://toolbox.googleapps.com/apps/checkmx
https://www.kitterman.com/spf/validate.html
https://openresolver.com/

Articles on Postfix server configuration:
https://ubuntu.com/server/docs/install-and-configure-postfix
https://ubuntu.com/server/docs/install-and-configure-dovecot
Installing and configuring SSL on a Postfix/Dovecot mail server
https://www.tuxnoob.com/posts/Install-and-Configure-Mail-Server-ubuntu-part1/
https://www.tuxnoob.com/posts/Install-and-Configure-Mail-Server-ubuntu-part2/

Guides to enabling SPF, DKIM and DMARC:
https://wiki.debian.org/opendkim
https://www.linuxbabe.com/mail-server/opendmarc-postfix-ubuntu
https://www.richesinfo.com.tw/index.php/mxmail/mxmail-faq/267-dkim-dmarc
https://makeityourway.de/enabling-spf-sender-policy-framework-checking-on-postfix/

Articles on MailScanner as a mail-server helper:
https://reintech.io/blog/configure-secure-email-gateway-mailscanner-ubuntu
https://blog.pmail.idv.tw/?p=14396
https://vanderboon.net/2021/06/01/installing-mailscanner-5-3-with-postfix-on-ubuntu-20-04-lts/
https://github.com/MailScanner/v5/issues/529
https://www.mailscanner.info/postfix/

Other references that may be useful:
https://bobcares.com/blog/clamav-postfix/
https://help.ubuntu.com/community/PostfixAmavisNew
https://docs.vultr.com/how-to-install-spamassassin-with-postfix-on-ubuntu
https://kafeiou.pw/2022/10/27/4351/%E5%9C%8B%E9%9A%9B%E6%93%8B%E5%BB%A3%E5%91%8A%E7%B5%84%E7%B9%94spamhaus-%E6%8F%90%E4%BE%9B-dqs-%E6%9C%8D%E5%8B%99/ PS. paid anti-spam service
https://think.unblog.ch/en/how-to-use-sender-policy-framework-on-debian-server/ PS. paid anti-spam service
https://aprilsoftware.github.io/personal-cloud/debian/bullseye/email/howto.html PS. spamass-milter
https://github.com/andybalholm/spamass-milter/issues/9 PS. extra fix needed for spamass-milter + Postfix (spamass-milter: Could not retrieve sendmail macro "i"! Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results)

Converting the mbox files Postfix stores by default into a Maildir in each user's mailbox:
https://danielpocock.com/converting-from-unix-mbox-mailbox-to-maildir/
