[PLUG] MTA thoughts?
Kris
krisa at subtend.net
Wed Jul 18 18:17:30 UTC 2007
Quentin Hartman wrote:
> It's getting to be time to set up a mail gateway at the edge of my network to
> sanitize stuff before it hits the company Exchange box. Originally I had
> planned on setting it up using Sendmail, but I have had some recent exposure
My standard recipe:
* Postfix
* Amavisd-new
* Spamassassin
* ClamAV
* Postgrey
Here is a fairly simple config to get you started. Note there is no
SASL auth on this one (let me know if you need this). I do have SSL in
this one, so you can create some keys/certs of your own, or comment that
stuff out.
BTW, for those out there that *loathe* cyrus-sasl, Dovecot does a fine
job now for handling SASL auth. Even if you don't use it for IMAP it
will probably save some head smashing just for SASL.
=== main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
myhostname = mail.subtend.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = subtend.net
mydestination =
    subtend.net,
    mail.subtend.net,
    cylon.subtend.net,
    halcyon.subtend.net
relayhost =
# Backup MX
relay_domains =
    foo.com
    bar.com
# Relay IP's
mynetworks = 127.0.0.0/8
home_mailbox = Maildir/
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# Mailman
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
# Virtual domains
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains =
    bar.com
# Accept TLS Connections
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/private/mail.subtend.net.key
smtpd_tls_cert_file = /etc/ssl/certs/mail.subtend.net.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# Attempt to use TLS when Connecting
smtp_use_tls = yes
smtp_tls_key_file = /etc/ssl/private/mail.subtend.net.key
smtp_tls_cert_file = /etc/ssl/certs/mail.subtend.net.pem
smtp_tls_CAfile = /etc/ssl/certs/cacert.org.pem
# SASL Auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
# Anti-UCE, http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
# Pass to amavisd-new
content_filter = smtp-amavis:127.0.0.1:10024
# Changes transient error to permanent error for nonexistent
# user. Keeps postfix from retrying for 5 days.
unknown_local_recipient_reject_code = 550
=== master.cf (just the amavis stuff)
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
--
I'm just a packet pusher.
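
An added example, not part of the original post: a small Python check that reads a main.cf the way Postfix does (a line starting with whitespace continues the previous parameter) and confirms that `reject_unauth_destination` appears in `smtpd_recipient_restrictions` before any bare `permit`. The names `SAMPLE`, `parse_main_cf` and `relay_check` are hypothetical, and the sample is a constructed excerpt of the config above.

```python
import re

# Constructed sample: relay-control lines from the main.cf above, with the
# continuation lines indented so Postfix joins them to the parameter.
SAMPLE = """\
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000,
    reject_rbl_client cbl.abuseat.org,
    permit
"""

def parse_main_cf(text):
    """Return (params, malformed): joined parameter values and stray lines."""
    params, malformed, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0] in " \t":               # continuation of the previous parameter
            if current is None:
                malformed.append(raw)
            else:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:                       # starts a logical line but is not name = value
            malformed.append(raw)
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()
    return params, malformed

def relay_check(text):
    """Return a list of findings; an empty list means the relay rules look sane."""
    params, malformed = parse_main_cf(text)
    findings = [f"not a parameter or continuation: {line!r}" for line in malformed]
    value = params.get("smtpd_recipient_restrictions", "")
    items = [t for t in re.split(r"[,\s]+", value) if t]
    if "reject_unauth_destination" not in items:
        findings.append("reject_unauth_destination missing")
    elif "permit" in items[:items.index("reject_unauth_destination")]:
        findings.append("bare permit before reject_unauth_destination")
    return findings
```

Run `relay_check` on the file contents before reloading Postfix; a copy of the config that has lost its indentation is reported line by line instead of being silently read as an empty restriction list.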