
 Introduction

A server that receives mail on behalf of the main mail server while it is down for maintenance

 I have built a backup MX server before, with sendmail.
But then came spam, and viruses... dealing with those was the more complicated part, so I left it unused.

 Lately the mail server I run on Postfix has been very stable, which is encouraging.
So I decided to try running a secondary MX server on Postfix as well.
 I also intend to add the set of components I introduced recently; see those pages for the details.

 Installation

Using pkg

 Postfix needs no special consideration for users, so I install it as-is.

#pkg install postfix
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 2 packages will be affected (of 0 checked):

New packages to be INSTALLED:
        postfix: 2.11.3_3,1
        pcre: 8.35_2

The process will require 17 MB more space.
3 MB to be downloaded.

Proceed with this action? [y/N]: y
Fetching postfix-2.11.3_3,1.txz: 100%    2 MB 395.4k/s    00:05
Fetching pcre-8.35_2.txz: 100%    1 MB 357.2k/s    00:03
Checking integrity... done (0 conflicting)
[1/2] Installing pcre-8.35_2...
[1/2] Extracting pcre-8.35_2: 100%
[2/2] Installing postfix-2.11.3_3,1...
===> Creating users and/or groups.
Using existing group 'mail'.
Creating group 'maildrop' with gid '126'.
Creating group 'postfix' with gid '125'.
Creating user 'postfix' with uid '125'.
Adding user 'postfix' to group 'mail'.
[2/2] Extracting postfix-2.11.3_3,1: 100%
Would you like to activate Postfix in /etc/mail/mailer.conf [n]? y
Message for postfix-2.11.3_3,1:
 To enable postfix startup script please add postfix_enable="YES" in
your rc.conf

If you not need sendmail anymore, please add in your rc.conf:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

And you can disable some sendmail specific daily maintenance routines in your
/etc/periodic.conf file:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

If /etc/periodic.conf does not exist please create it and add those values.

If you are using SASL, you need to make sure that postfix has access to read
the sasldb file.  This is accomplished by adding postfix to group mail and
making the /usr/local/etc/sasldb* file(s) readable by group mail (this should
be the default for new installs).

If you are upgrading from Postfix 2.6 or earlier, review the RELEASE_NOTES to
familiarize yourself with new features and incompatabilities.

 That is what the installation looks like. The lines to add to rc.conf are:

# Postfix
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

That is all rc.conf needs for Postfix.

I did not think about it last time, but I wonder whether /etc/periodic.conf still matters these days.
This time I am going to leave it unset and watch whether cron complains.

 Next, install milter-manager.

I want spam and viruses filtered out up front.

#pkg install milter-manager
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 11 packages will be affected (of 0 checked):

New packages to be INSTALLED:
        milter-manager: 2.0.4
        ruby: 2.0.0.598_1,1
        libyaml: 0.1.6_2
        readline: 6.3.8
        rubygem-glib2: 2.2.3
        rubygem-pkg-config: 1.1.6
        ruby20-gems: 1.8.30
        glib: 2.42.1
        perl5: 5.18.4_11
        libiconv: 1.14_6
        libev: 4.15_1,1

The process will require 121 MB more space.
26 MB to be downloaded.

Proceed with this action? [y/N]: y
Fetching milter-manager-2.0.4.txz: 100%  767 KB 261.7k/s    00:03
Fetching ruby-2.0.0.598_1,1.txz: 100%    7 MB 482.2k/s    00:15
Fetching libyaml-0.1.6_2.txz: 100%   61 KB  62.9k/s    00:01
Fetching readline-6.3.8.txz: 100%  309 KB 316.4k/s    00:01
Fetching rubygem-glib2-2.2.3.txz: 100%  450 KB 230.4k/s    00:02
Fetching rubygem-pkg-config-1.1.6.txz: 100%   91 KB  93.6k/s    00:01
Fetching ruby20-gems-1.8.30.txz: 100%  506 KB 258.9k/s    00:02
Fetching glib-2.42.1.txz: 100%    3 MB 448.8k/s    00:06
Fetching perl5-5.18.4_11.txz: 100%   13 MB 555.2k/s    00:25
Fetching libiconv-1.14_6.txz: 100%  590 KB 301.9k/s    00:02
Fetching libev-4.15_1,1.txz: 100%  115 KB 118.2k/s    00:01
Checking integrity... done (0 conflicting)
[1/11] Installing libyaml-0.1.6_2...
[1/11] Extracting libyaml-0.1.6_2: 100%
[2/11] Installing readline-6.3.8...
[2/11] Extracting readline-6.3.8: 100%
[3/11] Installing ruby-2.0.0.598_1,1...
[3/11] Extracting ruby-2.0.0.598_1,1: 100%
[4/11] Installing ruby20-gems-1.8.30...
[4/11] Extracting ruby20-gems-1.8.30: 100%
[5/11] Installing perl5-5.18.4_11...
[5/11] Extracting perl5-5.18.4_11: 100%
[6/11] Installing libiconv-1.14_6...
[6/11] Extracting libiconv-1.14_6: 100%
[7/11] Installing rubygem-pkg-config-1.1.6...
[7/11] Extracting rubygem-pkg-config-1.1.6: 100%
[8/11] Installing glib-2.42.1...
[8/11] Extracting glib-2.42.1: 100%
No schema files found: doing nothing.
[9/11] Installing rubygem-glib2-2.2.3...
[9/11] Extracting rubygem-glib2-2.2.3: 100%
[10/11] Installing libev-4.15_1,1...
[10/11] Extracting libev-4.15_1,1: 100%
[11/11] Installing milter-manager-2.0.4...
[11/11] Extracting milter-manager-2.0.4: 100%
Message for ruby-2.0.0.598_1,1:
 ====
Some of the standard commands are provided as separate ports for ease
of upgrading:

        devel/ruby-gems:        gem - RubyGems package manager
        devel/rubygem-rake:     rake - Ruby Make

And some of the standard libraries are provided as separate ports
since they require extra dependencies:

        databases/ruby-gdbm:    GDBM module
        x11-toolkits/ruby-tk:   Tcl/Tk modules
        japanese/ruby-tk:       Tcl/Tk modules for Japanized Tcl/Tk

Install them as occasion demands.
====

The matching rc.conf entries are:

# milter-manager
miltermanager_enable="YES"
miltermanager_uid="milter-manager"
miltermanager_gid="milter-manager"

Last time I was left wondering whether this dedicated user is really needed, but thinking it through is a bother, so I decided to just add it.

# pw groupadd -n milter-manager -g 333
# pw useradd -n milter-manager -u 333 -g milter-manager -G mail -s /usr/sbin/nologin \
 -d /var/run/milter-manager -c "milter manager"
# service milter-manager start

That is how I did it.

#pkg install clamav-milter
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 8 packages will be affected (of 0 checked):

New packages to be INSTALLED:
        clamav-milter: 0.98.5_1
        curl: 7.40.0
        ca_root_nss: 3.17.3_1
        libltdl: 2.4.2.418
        unzoo: 4.4_2
        lha: 1.14i_6
        arj: 3.10.22_4
        arc: 5.21p

The process will require 16 MB more space.
5 MB to be downloaded.

Proceed with this action? [y/N]: y
Fetching clamav-milter-0.98.5_1.txz: 100%    3 MB 455.1k/s    00:07
Fetching curl-7.40.0.txz: 100%    1 MB 451.5k/s    00:03
Fetching ca_root_nss-3.17.3_1.txz: 100%  315 KB 322.4k/s    00:01
Fetching libltdl-2.4.2.418.txz: 100%   35 KB  35.9k/s    00:01
Fetching unzoo-4.4_2.txz: 100%   16 KB  16.2k/s    00:01
Fetching lha-1.14i_6.txz: 100%   33 KB  33.4k/s    00:01
Fetching arj-3.10.22_4.txz: 100%  217 KB 221.8k/s    00:01
Fetching arc-5.21p.txz: 100%   48 KB  49.4k/s    00:01
Checking integrity... done (0 conflicting)
[1/8] Installing ca_root_nss-3.17.3_1...
[1/8] Extracting ca_root_nss-3.17.3_1: 100%
[2/8] Installing curl-7.40.0...
[2/8] Extracting curl-7.40.0: 100%
[3/8] Installing libltdl-2.4.2.418...
[3/8] Extracting libltdl-2.4.2.418: 100%
[4/8] Installing unzoo-4.4_2...
[4/8] Extracting unzoo-4.4_2: 100%
[5/8] Installing lha-1.14i_6...
[5/8] Extracting lha-1.14i_6: 100%
[6/8] Installing arj-3.10.22_4...
[6/8] Extracting arj-3.10.22_4: 100%
[7/8] Installing arc-5.21p...
[7/8] Extracting arc-5.21p: 100%
[8/8] Installing clamav-milter-0.98.5_1...
===> Creating users and/or groups.
Creating group 'clamav' with gid '106'.
Using existing group 'mail'.
Creating user 'clamav' with uid '106'.
Adding user 'clamav' to group 'mail'.
[8/8] Extracting clamav-milter-0.98.5_1: 100%

As last time, add to /etc/rc.conf

clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
clamav_milter_enable="YES"
clamav_milter_socket_mode="660"
clamav_milter_socket_group="mail"
clamav_freshclam_flags="--daemon-notify=/usr/local/etc/clamd.conf --checks=12 --user=clamav"

The configuration files are the same as last time, so I omit them here.
I also started the services.

#pkg install milter-greylist
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 packages will be affected (of 0 checked):

New packages to be INSTALLED:
        milter-greylist: 4.4.3_4

The process will require 254 KB more space.
98 KB to be downloaded.

Proceed with this action? [y/N]: y
Fetching milter-greylist-4.4.3_4.txz: 100%   98 KB 100.4k/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing milter-greylist-4.4.3_4...
[1/1] Extracting milter-greylist-4.4.3_4: 100%
Message for milter-greylist-4.4.3_4:
 ===> IMPORTANT NOTE

    A sample configuration file has been installed in /usr/local/etc/mail
    directory. Copy and edit it to suit your needs before launching
    milter-greylist.

    Add following lines

dnl j,{if_addr},{cert_subject},i,{auth_authen} are already enabled by default
define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO``, {verify}'')
define(`confMILTER_MACROS_ENVRCPT', confMILTER_MACROS_ENVRCPT``, {greylist}'')
INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock, F=T, T=R:30s')

    to your /etc/mail/<your_host>.mc configuration.

    To run milter-greylist from startup, add miltergreylist_enable="YES"
    in your /etc/rc.conf or your /etc/rc.conf.local

    See /usr/local/share/doc/milter-greylist/README for operation details.
#cd /usr/ports/mail/milter-greylist
#make reinstall clean

The configuration file is the same as last time, so that is done. To /etc/rc.conf add

# milter-greylist
miltergreylist_enable="YES"
miltergreylist_runas="mailnull:mail"

and start the service.

#pkg install spamass-milter
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Updating database digests format: 100%
The following 18 packages will be affected (of 0 checked):

New packages to be INSTALLED:
        spamass-milter: 0.4.0
        spamassassin: 3.4.0_17
        p5-HTTP-Date: 6.02_1
        p5-HTML-Parser: 3.71_1
        p5-HTML-Tagset: 3.20_1
        p5-IO-Socket-SSL: 2.009
        p5-Mozilla-CA: 20130114_1
        p5-Net-SSLeay: 1.67
        p5-Socket: 2.016_1
        p5-IO-Socket-IP: 0.36
        gnupg1: 1.4.18_2
        p5-NetAddr-IP: 4.069_2
        p5-Net-DNS: 0.81_1
        p5-Digest-HMAC: 1.03_1
        p5-IO-Socket-INET6: 2.72_1
        p5-Socket6: 0.25_2
        re2c: 0.13.6
        p5-Encode-Detect: 1.01_1

The process will require 12 MB more space.
3 MB to be downloaded.

Proceed with this action? [y/N]: y
Fetching spamass-milter-0.4.0.txz: 100%   47 KB  48.0k/s    00:01
Fetching spamassassin-3.4.0_17.txz: 100%  944 KB 483.4k/s    00:02
Fetching p5-HTTP-Date-6.02_1.txz: 100%   15 KB  15.2k/s    00:01
Fetching p5-HTML-Parser-3.71_1.txz: 100%   81 KB  82.7k/s    00:01
Fetching p5-HTML-Tagset-3.20_1.txz: 100%   10 KB  10.1k/s    00:01
Fetching p5-IO-Socket-SSL-2.009.txz: 100%  139 KB 142.1k/s    00:01
Fetching p5-Mozilla-CA-20130114_1.txz: 100%  129 KB 132.0k/s    00:01
Fetching p5-Net-SSLeay-1.67.txz: 100%  232 KB 237.2k/s    00:01
Fetching p5-Socket-2.016_1.txz: 100%   38 KB  38.8k/s    00:01
Fetching p5-IO-Socket-IP-0.36.txz: 100%   27 KB  27.4k/s    00:01
Fetching gnupg1-1.4.18_2.txz: 100%    1 MB 539.3k/s    00:02
Fetching p5-NetAddr-IP-4.069_2.txz: 100%   81 KB  82.4k/s    00:01
Fetching p5-Net-DNS-0.81_1.txz: 100%  271 KB 278.0k/s    00:01
Fetching p5-Digest-HMAC-1.03_1.txz: 100%    9 KB   9.6k/s    00:01
Fetching p5-IO-Socket-INET6-2.72_1.txz: 100%   17 KB  17.8k/s    00:01
Fetching p5-Socket6-0.25_2.txz: 100%   17 KB  17.7k/s    00:01
Fetching re2c-0.13.6.txz: 100%  150 KB 153.3k/s    00:01
Fetching p5-Encode-Detect-1.01_1.txz: 100%   65 KB  66.5k/s    00:01
Checking integrity... done (0 conflicting)
[1/18] Installing p5-Socket-2.016_1...
[1/18] Extracting p5-Socket-2.016_1: 100%
[2/18] Installing p5-Socket6-0.25_2...
[2/18] Extracting p5-Socket6-0.25_2: 100%
[3/18] Installing p5-HTML-Tagset-3.20_1...
[3/18] Extracting p5-HTML-Tagset-3.20_1: 100%
[4/18] Installing p5-Mozilla-CA-20130114_1...
[4/18] Extracting p5-Mozilla-CA-20130114_1: 100%
[5/18] Installing p5-Net-SSLeay-1.67...
[5/18] Extracting p5-Net-SSLeay-1.67: 100%
[6/18] Installing p5-IO-Socket-IP-0.36...
[6/18] Extracting p5-IO-Socket-IP-0.36: 100%
[7/18] Installing p5-Digest-HMAC-1.03_1...
[7/18] Extracting p5-Digest-HMAC-1.03_1: 100%
[8/18] Installing p5-IO-Socket-INET6-2.72_1...
[8/18] Extracting p5-IO-Socket-INET6-2.72_1: 100%
[9/18] Installing p5-HTTP-Date-6.02_1...
[9/18] Extracting p5-HTTP-Date-6.02_1: 100%
[10/18] Installing p5-HTML-Parser-3.71_1...
[10/18] Extracting p5-HTML-Parser-3.71_1: 100%
[11/18] Installing p5-IO-Socket-SSL-2.009...
[11/18] Extracting p5-IO-Socket-SSL-2.009: 100%
[12/18] Installing gnupg1-1.4.18_2...
[12/18] Extracting gnupg1-1.4.18_2: 100%
[13/18] Installing p5-NetAddr-IP-4.069_2...
[13/18] Extracting p5-NetAddr-IP-4.069_2: 100%
[14/18] Installing p5-Net-DNS-0.81_1...
[14/18] Extracting p5-Net-DNS-0.81_1: 100%
[15/18] Installing re2c-0.13.6...
[15/18] Extracting re2c-0.13.6: 100%
[16/18] Installing p5-Encode-Detect-1.01_1...
[16/18] Extracting p5-Encode-Detect-1.01_1: 100%
[17/18] Installing spamassassin-3.4.0_17...
===> Creating users and/or groups.
Creating group 'spamd' with gid '58'.
Creating user 'spamd' with uid '58'.
[17/18] Extracting spamassassin-3.4.0_17: 100%
[18/18] Installing spamass-milter-0.4.0...
[18/18] Extracting spamass-milter-0.4.0: 100%
Message for spamassassin-3.4.0_17:
 ==========================================================================

You should complete the following post-installation tasks:

        1) Read /usr/local/share/doc/spamassassin/INSTALL
           and /usr/local/share/doc/spamassassin/UPGRADE
           BEFORE enabling SpamAssassin for important changes

        2) Edit the configuration in /usr/local/etc/mail/spamassassin,
           in particular /usr/local/etc/mail/spamassassin/init.pre
           You may get lots of annoying (but harmless) error messages
           if you skip this step.

        3) To run spamd, add the following to /etc/rc.conf:
           spamd_enable="YES"

        4) Install mail/spamass-rules if you want some third-party
           spam-catching rulesets

SECURITY NOTE:
By default, spamd runs as root (the AS_ROOT option). If you wish
to change this, add the following to /etc/rc.conf:

        spamd_flags="-u spamd -H /var/spool/spamd"

==========================================================================
Message for spamass-milter-0.4.0:
 ------------------------------------------------------------------------
spamass-milter has been installed, but it must be activated manually.
Please refer to...

  /usr/local/share/doc/spamass-milter/activation.txt

...for details.

You may also want to tweak your spamd rc.subr(8) startup flags to
specify a username to switch credentials to when delivering mail, if
applicable.
------------------------------------------------------------------------

/etc/rc.conf is as follows. The configuration files are also the same as before.

# SpamAssassin
spamd_enable="YES"
spamd_flags="-s /var/log/spamd.log -u spamd -H /var/spool/spam"
spamass_milter_enable="YES"
spamass_milter_user="spamd"
spamass_milter_group="spamd"
spamass_milter_socket="/var/run/spamass-milter/spamass-milter.sock"
spamass_milter_socket_owner="spamd"
spamass_milter_socket_group="mail"
spamass_milter_socket_mode="660"
spamass_milter_localflags="-u spamd -- -u spamd"

This alone is still not enough, so

# mkdir /var/run/spamass-milter/
# chown spamd:spamd /var/run/spamass-milter
# sa-update
# cd /usr/local/etc/mail/spamassassin/
# fetch -o local.cf http://www.flcl.org/~yoh/user_prefs
# service sa-spamd start
Starting spamd.

was the sequence that got it running.

 With this I think virus and spam protection are in place.
On the Postfix side I intend to add RBLs and open-relay protection.

 Configuration

 Start by preparing main.cf.

queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = HOST.example.org
myorigin = $mydomain
local_recipient_maps =
unknown_local_recipient_reject_code = 550
mynetworks_style = host
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relay_recipient_maps = hash:$config_directory/relay_recipients

debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
milter_protocol = 6
milter_default_action = accept
milter_mail_macros = {auth_author} {auth_type} {auth_authen}
smtpd_milters = unix:/var/run/milter-manager/milter-manager.sock
milter_command_timeout = 90s
milter_connect_timeout = 60s
milter_connect_macros = j {daemon_name} v {if_name} _

smtpd_relay_restrictions =
 permit_mynetworks,
 reject_unauth_destination

smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
allow_percent_hack = yes
swap_bangpath = yes
allow_untrusted_routing = no

smtpd_client_restrictions =
 permit_mynetworks,
 reject_rbl_client all.rbl.jp,
 reject_rbl_client relays.ordb.org,
 reject_rbl_client spamcop.net,
 reject_rbl_client sbl.spamhaus.org,
 permit

transport_maps = hash:$config_directory/transport

That is the initial setup.

 As a test, I used the third-party relay check at RBL.JP to verify whether there was any risk of the server being abused as a relay.

...
第三者中継テストの結果

全てのテストが行われました, no relays accepted.

For now it seems fine: no problems found.

First, let me record the settings of the files other than main.cf.
The relay_recipients table is specified as follows:

@example.org        OK
foo@example.co.jp          OK
@example.ne.jp          OK

That is how they are specified.

And the transport table is set up like this:

example.org     smtp:[smtp.example.org]
example.co.jp   smtp:[mail.example.co.jp]
example.ne.jp   smtp:[mail.example.co.jp]

The idea is that the mail server for example.ne.jp is located at example.co.jp.

#postmap relay_recipients
#postmap transport
#service postfix reload

to update the lookup tables.
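To show what the two tables above buy a backup MX, here is an added Python example (not code from the page or from Postfix) that simulates the accept/reject decision for a recipient. It uses the page's own table contents and assumes that lookups try the full address first and then the @domain wildcard, that a domain counts as backed up when it has a transport entry, and that refusals use the 550 replies shown.

```python
# Added example, not from the original page: simulate the recipient decision a
# Postfix backup MX makes from relay_recipient_maps and transport_maps.
# Assumptions: full address then @domain lookup; a domain is backed up when it
# has a transport entry; the 550 reply texts are constructed for illustration.

RELAY_RECIPIENTS = """\
@example.org        OK
foo@example.co.jp   OK
@example.ne.jp      OK
"""

TRANSPORT = """\
example.org     smtp:[smtp.example.org]
example.co.jp   smtp:[mail.example.co.jp]
example.ne.jp   smtp:[mail.example.co.jp]
"""

def parse_table(text):
    """Parse a 'key value' Postfix text table into a dict; blank and # lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table

def lookup_recipient(address, recipients):
    """relay_recipient_maps lookup: exact address first, then the @domain wildcard."""
    address = address.lower()
    if address in recipients:
        return recipients[address]
    return recipients.get("@" + address.rsplit("@", 1)[-1])

def decide(address, recipients, transport):
    """Return ('relay', nexthop) when the backup MX may queue the message for
    the primary, or ('reject', '550 ...') when it must refuse it in the SMTP
    dialogue.  Refusing at RCPT time is what keeps mail for an unknown user
    from being accepted and later bounced as backscatter."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain not in transport:
        return ("reject", "550 Relay access denied")
    if lookup_recipient(address, recipients) != "OK":
        return ("reject", "550 User unknown in relay recipient table")
    return ("relay", transport[domain])

if __name__ == "__main__":
    rcpts, trans = parse_table(RELAY_RECIPIENTS), parse_table(TRANSPORT)
    for rcpt in ("anyone@example.org", "foo@example.co.jp", "bar@example.co.jp",
                 "user@example.ne.jp", "x@other.test"):
        print(rcpt, "->", decide(rcpt, rcpts, trans))
```

Note that bar@example.co.jp is refused even though example.co.jp is backed up, because only foo@ is listed for that domain.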

*** The configuration from this point on is still in preparation.
Setting up the main mail server was greatly delayed, so this has been on hold for a while. ***

(I have not actually received mail via the backup MX yet, so this is in a waiting state.)

(The page is not yet in a state where it can be updated.)

 DNS-side configuration

For MX records, the one with the smallest value is normally used; when delivery to it fails, delivery falls back to the ones with larger values.
Here is an example.

mail          IN      A       XXX.YYY.ZZZ.aaa
                IN      MX      1       ASPMX.L.GOOGLE.COM.
                IN      MX      5       ALT1.ASPMX.L.GOOGLE.COM.
                IN      MX      5       ALT2.ASPMX.L.GOOGLE.COM.
                IN      MX      10      ASPMX2.GOOGLEMAIL.COM.
                IN      MX      10      ASPMX3.GOOGLEMAIL.COM.
                IN      MX      10      ASPMX4.GOOGLEMAIL.COM.
                IN      MX      10      ASPMX5.GOOGLEMAIL.COM.

In the example above, the record with value 1 is the highest-priority mail server, and the others are secondary backup MXs.
Write something like this, and

# rndc reload

or similar to reload the DNS.
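The MX fallback the paragraph describes, as an added Python example (not the page's own code): it parses the zone snippet above, derives the order a sending MTA tries the hosts in, and also applies the RFC 5321 loop-avoidance rule, an assumption added here, for the case where the sender is itself one of the listed MXs (which is exactly the backup MX's situation when it relays to the primary).

```python
# Added example, not from the original page: parse the zone snippet above and
# derive the order in which a sending MTA tries the MX hosts.  Hostnames are
# the page's own; the "failed" and "self_host" rules follow RFC 5321 section
# 5.1 as understood here (loop avoidance when the sender is itself an MX).
import random

ZONE = """\
mail          IN      A       XXX.YYY.ZZZ.aaa
                IN      MX      1       ASPMX.L.GOOGLE.COM.
                IN      MX      5       ALT1.ASPMX.L.GOOGLE.COM.
                IN      MX      5       ALT2.ASPMX.L.GOOGLE.COM.
                IN      MX      10      ASPMX2.GOOGLEMAIL.COM.
                IN      MX      10      ASPMX3.GOOGLEMAIL.COM.
                IN      MX      10      ASPMX4.GOOGLEMAIL.COM.
                IN      MX      10      ASPMX5.GOOGLEMAIL.COM.
"""

def parse_mx(zone):
    """Return [(preference, host), ...].  A record starting with whitespace
    inherits the owner name of the previous record ('mail' here)."""
    mx = []
    for line in zone.splitlines():
        fields = line.split()
        if not line[:1].isspace():
            fields = fields[1:]                 # drop the owner name
        if len(fields) == 4 and fields[1] == "MX":
            mx.append((int(fields[2]), fields[3].rstrip(".").lower()))
    return mx

def delivery_order(mx, self_host=None):
    """Lowest preference first; hosts sharing a preference are tried in random
    order.  If the sender is itself one of the MX hosts (a backup MX relaying
    inbound mail), every entry whose preference is equal to or greater than its
    own is dropped so the message cannot be handed back to a backup or itself."""
    if self_host is not None:
        own = [p for p, h in mx if h == self_host.lower().rstrip(".")]
        if own:
            mx = [(p, h) for p, h in mx if p < min(own)]
    by_pref = {}
    for pref, host in mx:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        random.shuffle(hosts)
        order.extend(hosts)
    return order

def next_hop(mx, failed=(), self_host=None):
    """First candidate not already failed; None means no usable MX is left and
    the message has to stay in the queue for a later retry."""
    failed = {h.lower() for h in failed}
    for host in delivery_order(mx, self_host):
        if host not in failed:
            return host
    return None
```

With self_host set to one of the preference-5 hosts, only the preference-1 primary remains, so a backup MX that cannot reach the primary keeps the mail queued instead of passing it to another backup.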


[Revision history] Created: 2015-01-22 Updated: 2015-03-22



Copyright © 1996,1997-2006,2007- by F.Kimura,