Let's download and install the current policyd-weight. You will want to begin by visiting
http://policyd-weight.org/
and write down the version number we are getting today. The last time I updated this,
the version was "0.1.15-beta-1", so we are going to make a directory that
reflects the version we download, and place the files there. The program
changes often, and sometimes there are issues with a new version, so
we always want to keep old versions in case we need to use them. If you are upgrading
policyd-weight from a version older than 0.1.15-beta-1, it is now required that
a user and group 'polw' be created; policyd-weight will no longer run as user 'nobody', and
policyd-weight.conf and master.cf must be updated to reflect this change. Also,
we will change from using a Unix socket to a TCP socket.
Modify the commands below as needed to reflect the current version:
mkdir /usr/local/src/policyd-weight-0.1.15-beta-1
Edit policyd-weight.conf to see if you would like to change or add other settings
(read policyd-weight or policyd-weight.conf.sample to get an idea of the
settings you can change), then move it into place. I suggest using
the settings I provide until you get more familiar with the program. Note
that I'm using the vi editor here, but of course you can use a different
editor if you desire:
vi policyd-weight.conf
Save and exit the file. Now we can move our program into place:
cp policyd-weight /usr/sbin/
If this is the first time installing policyd-weight,
create a user and group 'polw':
groupadd polw
Then make our chrooted Postfix aware of the new user:
cp /etc/passwd /var/spool/postfix/etc/passwd
Make sure we have Net::DNS installed:
apt-get update
If using Etch, you may want to install the 'killall' utility:
apt-get install psmisc
I personally like to cut in half the number of hard errors allowed before we cut a client off; this cuts off dictionary attackers a little quicker.
postconf -e "smtpd_hard_error_limit = 10"
Download an initscript from me. This part may also be new if you are familiar with older versions:
cd /etc/init.d
If you are upgrading from a previous version of policyd-weight, we will change from using a Unix socket to a TCP socket. Edit master.cf and remove (or comment out as I show here) these two lines:
vi /etc/postfix/master.cf
# policy  unix  -       n       n       -       -       spawn
#   user=polw argv=/usr/bin/perl /usr/lib/postfix/policyd-weight
Save and exit the file. Now we may need to create a couple new hash files for Postfix to use:
vi /etc/postfix/roleaccount_exceptions
And insert the following (ensure you have a newline at the end of the last line):
# mail addressed to these recipients are allowed to bypass RBL checks
Save and exit the file, postmap it, and create and postmap the next file:
postmap hash:/etc/postfix/roleaccount_exceptions
And insert the following:
# these client IP addresses are allowed to bypass RBL checks
(that IP address is a 'picked at random' sourceforge server) Then postmap that file:
postmap hash:/etc/postfix/rbl_client_exceptions
Now we need to vi /etc/postfix/main.cf and add a few things to
the smtpd_recipient_restrictions restriction stage. Let's make an
assumption your smtpd_recipient_restrictions looks similar to this at
this time:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
It is VERY important these lines are added AFTER "reject_unauth_destination". We want to add three lines below (after) reject_unauth_destination, so the result looks something like this:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_unauth_pipelining,
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    check_policy_service inet:127.0.0.1:12525
The TCP socket at port 12525 is policyd-weight. This has changed from previous versions, so please make this change if you have used policyd-weight before. The white space in front of the settings above is required. This is true whenever you extend a Postfix setting to more than one line. Note that the commas are actually optional; Postfix can use either a comma or a space to separate settings. Policyd-weight requires the use of reject_invalid_hostname. You can place this in smtpd_recipient_restrictions prior to check_policy_service or, as is shown in this example, in smtpd_helo_restrictions:
smtpd_helo_restrictions = reject_invalid_hostname
Save and exit your main.cf and stop Postfix:
postfix stop
If you have an older version of policyd-weight installed, you will need to manually kill those processes ('ps aux | grep pol' and 'kill xxxx' where xxxx is (are) the pid(s)) and delete the disk based cache in the /tmp directory (probably named /tmp/polw.sock, /tmp/policyd-weight or /tmp/.policyd-weight/polw.sock). Start up policyd-weight:
/etc/init.d/policydweight start
Verify it starts up:
ps aux | grep policyd-weight
This should show policyd-weight is listening on port 12525:
lsof | grep LISTEN | grep pol
Ok, policyd-weight is installed and running, and all that remains is to start Postfix, AND WATCH OUR LOG FOR ERRORS:
postfix start
Note that because we have "permit_mynetworks" prior to "check_policy_service", you cannot test policyd-weight by sending messages from a computer listed in $mynetworks, and you cannot test with messages sent to postmaster@ or abuse@. Keep an eye on the log as mail goes by. Watch it for at least 10 messages or so. Use [Ctrl]+c to return to the shell prompt. If there are errors that relate to policyd-weight, remove the "check_policy_service inet:127.0.0.1:12525" line in main.cf, and reload Postfix to get your mail going again. It is normal to get a "could not connect to cache" message the first time Postfix loads policyd-weight, but you should not get this error repeatedly. Hopefully all went well. Note that Postfix controls the startup and shutdown of policyd-weight; we do not start the daemon outside of Postfix.
Now, assuming you have logcheck installed (apt-get install logcheck logcheck-database if you don't), every single line in our log that is created by policyd-weight will trigger a line in a logcheck report, so we need to tell logcheck to ignore those lines:
vi /etc/logcheck/ignore.d.server/postfix
and at the top of the file, insert on a line by itself, the text:
policydweight
I suggest you subscribe to the (low volume) policyd-weight mailing list. I also suggest you read more about the program to gain an understanding of how it works. I think of it as a 'miniature SpamAssassin'. Also read the somewhat incomplete man page: http://www.policyd-weight.org/policyd-weight.conf.5.html. Here is a useful command:
egrep -o rate:.* /var/log/mail.log
Now we move on to installing postgrey. Remember that normally I do not recommend Greylisting
on the primary MX. I believe it is quite appropriate for a
secondary MX however. Since most mail sent to a secondary server is spam, it
is also quite effective there. We start by installing postgrey:
apt-get update
By default postgrey will Greylist for 300 seconds. I noticed that Yahoo
retries every 60 seconds, so I think it's a good idea to change the delay
from 300 to something like 29 seconds so a valid server like that does not
have to retry more than once. Shortening the time does not seem to make the
program any less effective.
vi /etc/default/postgrey
and change:
POSTGREY_OPTS="--inet=127.0.0.1:60000"
to:
POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=29"
Since we made this change, we need to stop and start (not reload) postgrey:
/etc/init.d/postgrey stop
Now we need to vi /etc/postfix/main.cf and add a few things to
the smtpd_recipient_restrictions restriction stage. Let's make an
assumption your smtpd_recipient_restrictions looks similar to this at
this time:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
It is VERY important these lines are added AFTER "reject_unauth_destination". We want to add four lines below (after) reject_unauth_destination, so the result looks something like this:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_unauth_pipelining,
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    check_policy_service inet:127.0.0.1:60000
Postgrey is the server that listens on port 60000. By adding postgrey, the /etc/passwd file has changed, so we will give Postfix an updated copy of it:
cp /etc/passwd /var/spool/postfix/etc/passwd
As we did on our other server:
postconf -e "smtpd_hard_error_limit = 10"
OK, postgrey is installed, and all that remains is to reload Postfix, AND WATCH OUR LOG FOR ERRORS:
postfix stop
Keep an eye on the log as mail goes by. Watch it for at least 10 messages or so. If there are errors that relate to postgrey, remove (do NOT comment out) the "check_policy_service unix:private/policy" line in main.cf, and reload Postfix to get your mail going again. If someone complains they are unable to send you mail, you can whitelist their server in /etc/postgrey/whitelist_clients or our rbl_client_exceptions map. There is also a /etc/postgrey/whitelist_recipients file that does the same thing as our roleaccount_exceptions map.
Now, adding the RBL client check is simply a matter of placing it in front of postgrey. It can be used by itself if you prefer.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_unauth_pipelining,
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_policy_service inet:127.0.0.1:60000
You should also consider adding a check_sender_access map (or two) after the check_client_access map that could be used to bypass the RBL and greylist checks for particular senders or sender domains. Also, if you have a valid populated relay_recipient_maps file (or other list of valid recipients appropriate for your domain class) and wish to reject mail to invalid recipients prior to greylisting, you should add 'reject_unlisted_recipient' prior to check_policy_service.
The result may look something like:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unauth_pipelining,
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    check_sender_access hash:/etc/postfix/rbl_sender_exceptions,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_sender_access hash:/etc/postfix/greylist_sender_exceptions,
    check_policy_service inet:127.0.0.1:60000
OK, the RBL checks are installed, and all that remains is to reload Postfix, AND WATCH OUR LOG FOR ERRORS:
postfix stop
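Both the policyd-weight and the postgrey sections of this tutorial insist that every check_* map and check_policy_service entry be added AFTER reject_unauth_destination; an access map or policy server that answers OK ahead of it would let that client relay to any destination. The following shell function is an added example (not part of the tutorial) that checks a smtpd_recipient_restrictions value for that ordering; the check_live_order helper that feeds it the running value via postconf is also mine.

```shell
#!/bin/sh
# Added example: verify that reject_unauth_destination is present in a
# smtpd_recipient_restrictions value and that it comes before every
# check_* (check_recipient_access, check_client_access, check_sender_access,
# check_policy_service) entry, as the tutorial requires.
# Prints each violation and returns 0 when the order is safe, 1 otherwise.
check_restriction_order() {
    value="$1"
    # Postfix accepts commas or whitespace between restrictions; turn the
    # value into one token per line. Map/socket arguments (hash:..., inet:...)
    # become tokens of their own, which the case patterns simply skip.
    tokens=$(printf '%s\n' "$value" | tr ',' ' ' | tr -s ' \t\n' '\n')
    pos=0
    dest_pos=0
    bad=0
    for t in $tokens; do
        pos=$((pos + 1))
        case "$t" in
            reject_unauth_destination)
                dest_pos=$pos ;;
            check_*)
                if [ "$dest_pos" -eq 0 ]; then
                    echo "unsafe: $t (position $pos) precedes reject_unauth_destination"
                    bad=1
                fi ;;
        esac
    done
    if [ "$dest_pos" -eq 0 ]; then
        echo "unsafe: reject_unauth_destination is missing"
        bad=1
    fi
    return $bad
}

# Check the running Postfix; postconf -h prints only the parameter value.
check_live_order() {
    check_restriction_order "$(postconf -h smtpd_recipient_restrictions)"
}

# Constructed sample: the final restriction list shown above in the postgrey
# section, with the continuation lines and their leading white space kept.
SAMPLE='permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient,
    reject_unauth_pipelining,
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    check_sender_access hash:/etc/postfix/rbl_sender_exceptions,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_sender_access hash:/etc/postfix/greylist_sender_exceptions,
    check_policy_service inet:127.0.0.1:60000'
```

Run check_restriction_order "$SAMPLE" (or check_live_order on the mail server) after editing main.cf; a non-zero exit with the printed reason means the order must be fixed before reloading Postfix.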
If you are interested in making postgrey safer (but less effective), take a look at: http://lists.ee.ethz.ch/postgrey/msg01214.html or http://www.arschkrebs.de/postfix/postfix_greylisting.shtml