Posts Tagged Postfix Training

Build Postfix From Source on CentOS


Building Postfix from source can be a rewarding experience with great results.  This tutorial will show you how to do a basic build and then following tutorials will show you how to build in additional features.
Download Source Code From Here:

http://www.postfix.org/download.html


When you download and unpack the source you will find a README_FILES directory that contains instructions for every aspect of compiling Postfix.  This is very valuable information that you must read.  Each Postfix program also has its own manual page.

AAAREADME                                NFS_README
ADDRESS_CLASS_README                 OVERVIEW
ADDRESS_REWRITING_README         PACKAGE_README
ADDRESS_VERIFICATION_README      PCRE_README
BACKSCATTER_README                   PGSQL_README
BASIC_CONFIGURATION_README       QMQP_README
BUILTIN_FILTER_README                QSHAPE_README
CDB_README                               RELEASE_NOTES
CONNECTION_CACHE_README          RESTRICTION_CLASS_README
CONTENT_INSPECTION_README        SASL_README
CYRUS_README                         SCHEDULER_README
DATABASE_README                      SMTPD_ACCESS_README
DB_README                                SMTPD_POLICY_README
DEBUG_README                         SMTPD_PROXY_README
DSN_README                               SOHO_README
ETRN_README                              STANDARD_CONFIGURATION_README
FILTER_README                            STRESS_README
INSTALL                                  TLS_LEGACY_README
IPV6_README                              TLS_README
LDAP_README                              TUNING_README
LINUX_README                             ULTRIX_README
LOCAL_RECIPIENT_README               UUCP_README
MAILDROP_README                      VERP_README
MILTER_README                        VIRTUAL_README
MULTI_INSTANCE_README                XCLIENT_README
MYSQL_README                         XFORWARD_README

Compile a Basic Postfix
CentOS
Once you have downloaded the source code, move it into the /usr/src directory (other locations work as well).

mv postfix-2.6.5.tar.gz /usr/src/

Untar the file, which will create a directory.
tar zxvf postfix-2.6.5.tar.gz

Move into the new postfix directory.

cd postfix-2.6.5

Install the prerequisites

CentOS
yum install db*-devel

Postfix is written in C, so you will be compiling C code.  Usually the options you want for a project are contained in a Makefile.  With Postfix the make utility creates the Makefiles itself; they determine dependencies, any requirements, and changes you want such as adding programs or the locations of files.  The compiler then takes this information, creates object files and links them together into executables.

However, since Postfix creates its own Makefiles, you do not need to edit them at all.  In fact, the problem with editing a Postfix Makefile is that your edits will get written over.  So the way to make changes is to pass them in CCARGS when you run make.

Tools You will need

gcc
make

CentOS
yum install gcc make

When you run this, the dependencies will be located and installed for you.

Installing:
gcc                       i386        4.1.2-44.el5            base           5.2 M
Updating:
glibc                     i686        2.5-34.el5_3.1          updates        5.2 M
glibc-common         i386        2.5-34.el5_3.1          updates         16 M
nscd                      i386        2.5-34.el5_3.1          updates        159 k
Installing for dependencies:
cpp                       i386        4.1.2-44.el5              base           2.7 M
glibc-devel               i386        2.5-34.el5_3.1          updates        2.0 M
glibc-headers          i386        2.5-34.el5_3.1          updates        598 k
kernel-headers       i386        2.6.18-164.el5          updates        993 k
libgomp                   i386        4.3.2-7.el5             base            67 k

Postfix does not use GNU autotools, so it does not have the configure script that you may be used to.  Postfix does this work for you by creating its own Makefiles.  Run make as a normal user.

make

Once the compile is complete you will need to create the user and groups for Postfix.

groupadd postfix
groupadd postdrop

The user postfix needs an account that cannot log in and that belongs to the postfix group created above (on CentOS, useradd refuses to create a user whose name matches an existing group unless you name the group with -g).

CentOS
useradd -c postfix -d /tmp -s /bin/false -g postfix postfix
postfix:x:500:500:postfix:/tmp:/bin/false

Now run the final command, which lets you choose the directories and locations you want to use for your installation.  Read each option closely so that when you run the command you have an idea of what you want to change, if anything.  You can accept the default settings by pressing ENTER.  Note that you will need to run this as root so you have permission to write to these directories.

make install

Please specify the prefix for installed file names. Specify this ONLY if you are building ready-to-install packages for distribution to other machines.
install_root: [/]

Please specify a directory for scratch files while installing Postfix. You must have write permission in this directory.
tempdir: [/usr/local/src/postfix-2.5.5]

Please specify the final destination directory for installed Postfix configuration files.
config_directory: [/etc/postfix]

Please specify the final destination directory for installed Postfix administrative commands. This directory should be in the command search path of administrative users.
command_directory: [/usr/sbin]

Please specify the final destination directory for installed Postfix daemon programs. This directory should not be in the command search path of any users.
daemon_directory: [/usr/libexec/postfix]

Please specify the final destination directory for Postfix-writable data files such as caches or random numbers. This directory should not be shared with non-Postfix software.
data_directory: [/var/lib/postfix]

Please specify the destination directory for the Postfix HTML files. Specify "no" if you do not want to install these files.
html_directory: [no]

Please specify the owner of the Postfix queue. Specify an account with numerical user ID and group ID values that are not used by any other accounts on the system.
mail_owner: [postfix]

Please specify the final destination pathname for the installed Postfix mailq command. This is the Sendmail-compatible mail queue listing command.
mailq_path: [/usr/bin/mailq]

Please specify the destination directory for the Postfix on-line manual pages. You can no longer specify "no" here.
manpage_directory: [/usr/local/man]

Please specify the final destination pathname for the installed Postfix newaliases command. This is the Sendmail-compatible command to build alias databases for the Postfix local delivery agent.
newaliases_path: [/usr/bin/newaliases]

Please specify the final destination directory for Postfix queues.
queue_directory: [/var/spool/postfix]

Please specify the destination directory for the Postfix README files. Specify "no" if you do not want to install these files.
readme_directory: [no]

Please specify the final destination pathname for the installed Postfix sendmail command. This is the Sendmail-compatible mail posting interface.
sendmail_path: [/usr/sbin/sendmail]

Please specify the group for mail submission and for queue management commands. Specify a group name with a numerical group ID that is not shared with other accounts, not even with the Postfix mail_owner account. You can no longer specify "no" here.
setgid_group: [postdrop]
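The mail_owner and setgid_group prompts above state privilege-separation rules (a UID and GID used by nobody else, a setgid GID shared with no other account, and a mail owner that cannot log in). The following is an added example, not part of the original post or of Postfix, that checks those rules against passwd/group data; the passwd and group text here is constructed sample data, and on a real host you would feed it /etc/passwd and /etc/group.

```python
# Constructed sample data in passwd(5) / group(5) format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
postfix:x:500:500:postfix:/tmp:/bin/false
"""

SAMPLE_GROUP_OK = """\
root:x:0:
mail:x:12:
postfix:x:500:
postdrop:x:501:
"""

# Constructed bad layout: postdrop reuses the postfix GID, so the set-group-ID
# queue commands would run with the queue owner's group.
SAMPLE_GROUP_BAD = """\
root:x:0:
mail:x:12:
postfix:x:500:
postdrop:x:500:
"""

# Shells that deny interactive login (assumption: these are the usual ones).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Return {name: (uid, gid, shell)} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            users[name] = (int(uid), int(gid), shell)
    return users


def parse_group(text):
    """Return {name: gid} from group(5)-format text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, _members = line.split(":")
            groups[name] = int(gid)
    return groups


def check_postfix_accounts(passwd_text, group_text,
                           mail_owner="postfix", setgid_group="postdrop"):
    """Return a list of problems; an empty list means the layout is acceptable."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    problems = []
    if mail_owner not in users:
        problems.append(f"mail_owner account '{mail_owner}' does not exist")
    if setgid_group not in groups:
        problems.append(f"setgid_group '{setgid_group}' does not exist")
    if problems:
        return problems

    uid, gid, shell = users[mail_owner]
    if shell not in NOLOGIN_SHELLS:
        problems.append(f"{mail_owner} has a login shell ({shell})")
    # mail_owner's UID and primary GID must not be used by any other account.
    for name, (other_uid, other_gid, _shell) in users.items():
        if name == mail_owner:
            continue
        if other_uid == uid:
            problems.append(f"uid {uid} is shared with account {name}")
        if other_gid == gid:
            problems.append(f"gid {gid} is also the primary group of {name}")
    for name, other_gid in groups.items():
        if name != mail_owner and other_gid == gid:
            problems.append(f"gid {gid} is also group {name}")

    # setgid_group's GID must be shared with no other group or account,
    # not even with mail_owner.
    sgid = groups[setgid_group]
    for name, other_gid in groups.items():
        if name != setgid_group and other_gid == sgid:
            problems.append(f"{setgid_group} shares gid {sgid} with group {name}")
    for name, (_uid, other_gid, _shell) in users.items():
        if other_gid == sgid:
            problems.append(f"gid {sgid} of {setgid_group} is the primary group of {name}")
    return problems


if __name__ == "__main__":
    print("ok layout:", check_postfix_accounts(SAMPLE_PASSWD, SAMPLE_GROUP_OK))
    print("bad layout:", check_postfix_accounts(SAMPLE_PASSWD, SAMPLE_GROUP_BAD))
```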

This should complete a basic setup for Postfix, and you can then start it with:

/usr/sbin/postfix start

You should see port 25 listening when you run netstat.

netstat -aunt

Default Postfix Install
Here are the basic features compiled into the default Postfix.  You can see several features missing that you may want to compile in; SASL and MySQL are two that come up often.

ldd `postconf -h daemon_directory`/smtpd
linux-gate.so.1 =>  (0x00601000)
libdb-4.3.so => /lib/libdb-4.3.so (0x00411000)
libnsl.so.1 => /lib/libnsl.so.1 (0x001a1000)
libresolv.so.2 => /lib/libresolv.so.2 (0x003fc000)
libc.so.6 => /lib/libc.so.6 (0x00bdc000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00d28000)
/lib/ld-linux.so.2 (0x00bb9000)

tcp_wrappers Problems


Mail Does Not Send
A common problem is finding that mail is not sending correctly and that /var/spool/clientqueue is filling up with files. When this happens, this directory can actually shut down your server if /var is not on a separate partition. How quickly it happens depends on the amount of mail being sent.
Cause of the Problem:
The cause of the problem is most often a misconfigured firewall or misconfigured tcp_wrappers.
The firewall should allow connections on port 25 for Postfix, port 143 for IMAP (web-based email) and port 110 for POP3. Check your firewall to make sure these are open.
Here is an example of a tcp_wrappers hosts.allow from a working mail server. Note that this mail server does not allow POP3 but allows IMAP and Postfix.
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
POSTFIX:       ALL
SMTP:   ALL
IMAP:   ALL

Cannot Create Mailboxes
Even if Cyrus IMAP is set up correctly, there are times when the user cyrus cannot log in to create a mailbox. If the password is correct, the problem is probably related to /etc/hosts.allow.
Add this line to /etc/hosts.allow:
ALL: 127.0.0.1

Savemail Panic
If you see the error "Losing.lqfj54koqLM019255:savmail panic"
or
"savemail: cannot save rejected email anywhere"
add this line to /etc/hosts.allow:
ALL: 127.0.0.1

Monitoring Postfix with Nagios 3


When you set up Postfix, it is a critical service for your organization.  It is important to set up a way to verify that the mail server is up and running.  Nagios 3 provides an easy setup for monitoring your mail server.  This tutorial will help you understand how to add mail service checks for your Postfix mail server.  If you need help setting up Nagios 3, please check THIS ARTICLE.

Step #1: Add a Host
An easy way to start setting up hosts is to choose a web server to monitor.
You will need to edit /etc/nagios3/.  Define your host, give it a host name and an alias, and be sure to have the correct IP address.  Use the check_http command, which will monitor your web server on port 80 tcp.  This is a much easier way to monitor a web server than using icmp, because you would have to modify so many firewalls to allow icmp.

define host{
use                             generic-host
host_name                       mail
alias                           mail
address                         192.168.5.12
check_command                   check_smtp
max_check_attempts              10
notification_interval           120
notification_period             24x7
notification_options            d,u,r
contact_groups                  admins
}

Step #2: Add Host to a Service

Edit /etc/nagios3/conf.d/generic-service_nagios2.cfg.  If you are using the same service you can just add the second host to the host_name line, which makes it very easy to add a number of hosts.  Note the two host names listed.

define service{
use     generic-service
host_name       mail
service_description     SMTP
check_command   check_smtp
}

Step #3: Check Configuration and Restart
Run this pre-flight check to verify that you do not have typos or other errors.

nagios -v /etc/nagios3/nagios.cfg

This should result in no errors and no warnings before you proceed.

Now restart nagios and the web server for nagios.

/etc/init.d/nagios3 restart
/etc/init.d/apache2 restart

Now access the web interface of Nagios at:

http://your_ip_address/nagios3

You should see that the service is being monitored.

Header Checks: Examples of What Not to Do


Listed here are a number of header checks that do work but are ineffective for the most part.  Here is the problem: each of these examples matches one specific Subject.  As a result you will be writing header checks until the day you die, which is not good.  My thinking is that you will want to discard this methodology in favour of header checks that are more general and throw a wider net over the problem.  There are two reasons for this: first, you have SpamAssassin or some other program to do the actual spam testing later; second, you need to preserve resources on your Postfix mail server.  Actually, the most important aspect of what you are doing is saving yourself money and time by reducing the load on your server.  If you place too many header checks in Postfix you will begin to see a loss of speed and resources.

So review your header checks and make sure you are using each line wisely.

/^Subject: Get Viagra Online Now !!!/                REJECT
/^Subject: ENLARGE YOUR PACAKGE GUARANTEED/            REJECT
/^Subject: Add REAL Inches To Your Package! GUARANTEED/    REJECT
/^Subject: At Last, Herbal V, the All Natural Alternative!/    REJECT
/^Subject: Have Hair Loss? We Can Help You!\.\.Read on\.\./    REJECT
/^Subject: Pill to Increase Your Ejaculation by \d{3}%/        REJECT
/^Subject: free trial herbal viagra good for men and women/    REJECT
/^Subject: STAYING POWER/                    REJECT
/^Subject: Isn\'t It Time You Solved Your \"little\" Problem\?\s*\d{2,6}/    REJECT
/^Subject: Non Prescription Alternative to Viagra/        REJECT

# financial / money

/^Subject: INSTANT Daily PAY!/                    REJECT
/^Subject: INSTANT Pay to \$\d{2,3} A Day!/            REJECT
/^Subject: The easiest way to make money on the internet!/    REJECT
/^Subject: INTEREST RATES HAVE DROPPED/                REJECT !
/^Subject: Make Money In Your Sleep! /                REJECT
/^Subject: Lowest Rates In Years! /                REJECT
/^Subject: make money now!!!!!/                    REJECT
/^Subject: HOME-BASED BUSINESSES /                REJECT
/^Subject: Sick of paying and paying and staying in debt? /    REJECT
/^Subject: Recession Hurts!/                    REJECT
/^Subject: Got Debt\?\s*Cut Your Bills in HALF!/            REJECT
/^Subject: Double your policy at No Extra Cost!/        REJECT
/^Subject: Make \d{2}% Yearly Fully Secured!/            REJECT
/^Subject: Have tax problems?\s*\[\w{4,6}\]/            REJECT
/^Subject: Got a Mortgage\?\s{1,9}\d.\d{2}% Fixed Rate Mortgage/    REJECT
/^Subject: Rates Have Fallen Again!\s{1,9}\d.\d{2}% Fixed Rate Mortgage/    REJECT
/^Subject: Take Advantage of Falling Interest Rates!/        REJECT
/^Subject: Double Your Life Insurance at NO EXTRA COST!/    REJECT
/^Subject: Got Debt\?.*\[\w{4,6}\]/                REJECT
/^Subject: Are you in debt\?\s*\[\w{4,6}\]/            REJECT
/^Subject: Refinance rates as low as \d.\d{2}%/            REJECT
/^Subject: Hot Casino Action - \d{2,3}% Bonus/            REJECT
/^Subject: Double your policy at No Extra Cost!/        REJECT
/^Subject: Need More Life Insurance\? Double it for No Extra Cost/    REJECT
/^Subject: Did you get your money\?/                REJECT
/^Subject: Tired of dropping stock prices\?\d{1,6}/        REJECT
/^Subject: \d{2,6}\s*Work From Home /                REJECT
/^Subject: Debt Consolidation.\s*\[\w{4,6}\]/            REJECT
/^Subject: Mortgage interest rates are lowered AGAIN/        REJECT
/^Subject: Re:  Easy money!  Muy dinero! \(/            REJECT
/^Subject: Feel the Excitement of CyberXCasino/            REJECT
/^Subject: Free Loan Quotations\.\.\.\.\.Lower your Rate!/        REJECT
/^Subject: Free Vacation$/                    REJECT
/^Subject: GUARANTEED MONTHLY INCOME- Join FREE NOW!/        REJECT
/^Subject: Is your mortgage APR as low as \d.\d{2}/        REJECT
/^Subject: Tired of the 40 X 40.*\?/                REJECT
/^Subject: NEVER REPAY, FREE CASH GRANTS\.*\s*\d{2,7}$/        REJECT
/^Subject: Are You Making \$\w{2,}\+ A Month Online\?\s*\d{2,7}$/    REJECT
/^Subject: Secure Your Financial Future!$/            REJECT
/^Subject: \d{2,3}% OFF Your Life Insurance/            REJECT

# piracy

/^Subject: Copy Your Favorite DVD Movies !!!/            REJECT
/^Subject: EASILY COPY ANY DVD MOVIE FOR FREE!/            REJECT
/^Subject: Favorite Movie not on DVD?/                REJECT

# random

/^Subject: Try this, it really works! /                REJECT
/^Subject: Increased Emotional Stability /            REJECT
/^Subject: Free Travel/                        REJECT
/^Subject: Chart Returns - Charles Taylor /            REJECT
/^Subject: You could search for a year and\.\.\.\.\./        REJECT
/^Subject: Escape the Ordinary\.\.\.\.\.\.New Opportunity for you\.\./    REJECT
/^Subject: This Is What You've Been Waiting For\..*\d{2,6}/    REJECT
/^Subject: Get Rid of those Paper Piles!\s*\d{2,6}/        REJECT
/^Subject: Imaging Software for the Home.*\d{2,6}/        REJECT
/^Subject: End static on the cell/                REJECT
/^Subject: Free Trials & HBC Updates!/                REJECT
/^Subject: Free Trials from Home Business Connection/        REJECT
/^Subject: Fw: Marketing your product or service just got easier!/    REJECT
/^Subject: Re: I did not hear back from you$/            REJECT
/^Subject: Safe, Easy Snoring Solution!\s*\w{2,7}/        REJECT

# search engines

/^Subject: Search Engine Bids Are Now Half Price!/        REJECT
/^Subject: Guaranteed Top Ten Search Engine Placement!!\s*\d{2,7}/    REJECT

# spamware / email addresses

/^Subject: \d{2,3} Million Fresh Email Addresses/        REJECT
/^Subject: \d{2,3} Million Email Addresses - \$\d{2,3}/        REJECT
/^Subject: Internet Marketing Works! -\w{48}/            REJECT
/^Subject: Lets Learn How to market successfully!\s*\d{2,7}/    REJECT

# spyware

/^Subject: Investigate Anyone or Anything now!/            REJECT
/^Subject: NEW!! Find out ANYTHING about ANYONE w\/ your PC!/    REJECT

# paranoia

/^Subject: Protect yourself from Small pox and Anthrax Naturally\s*\w{2,7}/    REJECT

# just plain unrealistic

/^Subject: Boost Your Windows Reliability/            REJECT
/^Subject: Give Windows Operating System A Boost In Reliability!/    REJECT

Automating Log Statistics


This tutorial will show you how to set up your log statistics to be mailed to you every night so you know what is happening with your Postfix Mail Server.

Set up a cron job so that it runs at 11:55 PM, just before midnight, as you want to get all of the logs for that day.  Be sure to leave enough time for the script to finish before the next day.  Here is the line to use if you have installed pflogsumm at /usr/pflogsumm; see this article for installation.

As root run:

crontab -e

Now add this line with your email address at the end.  Note that a crontab entry must be a single line; cron does not support backslash line continuation, so the command is shown here on one line.

55 23 * * * /usr/pflogsumm/pflogsumm.pl -u 5 -h 5 --problems_first -d today /var/log/maillog | mail -s "PostFix Report `date`" someemail@somewhere.com

Here is an example of the report:

Postfix log summaries for Nov 13

Grand Totals
------------
messages

19   received
16   delivered
0   forwarded
1   deferred  (5  deferrals)
1   bounced
16   rejected (50%)
0   reject warnings
0   held
0   discarded (0%)

69610   bytes received
66259   bytes delivered
10   senders
9   sending hosts/domains
6   recipients
6   recipient hosts/domains

message deferral detail
-----------------------
smtp (total: 5)
3   hjeigb.info[69.64.157.16]: Connection refused
2   conversation with hjeigb.info[216.52.184.243] timed out while …

message bounce detail (by relay)
--------------------------------
none (total: 1)
1   Host not found

message reject detail
---------------------
cleanup
header (total: 2)
1   Content-Type: text/html; charset="iso-2022-jp"
1   Content-Type: text/plain;??charset="gb2312"
RCPT
blocked using sbl-xbl.spamhaus.org (total: 2)
1   125.187.32.174
1   konstantynow.mm.pl
Helo command rejected: need fully-qualified hostname (total: 8)
2   122.198.44.5
1   59.151.193.207
1   123.131.179.188
1   221.205.192.210
1   59.25.194.72
1   ppp85-141-130-24.pppoe.mtu-net.ru
1   117.104.245.29
Relay access denied (total: 4)
1   parestaurant.org
1   92.80.72.159
1   92.113.111.226
1   122.198.44.5

message reject warning detail: none

message hold detail: none

message discard detail: none

smtp delivery failures
----------------------
connection refused (total: 3)
3   hjeigb.info

Warnings
--------
smtpd (total: 5)
1   99.178.220.164: hostname adsl-99-178-220-164.dsl.irvnca.sbcglob…
1   92.113.111.226: hostname 226-111-113-92.pool.ukrtel.net verific…
1   117.104.245.29: hostname 29.245.104.117.ids.service.eastern-tel…
1   Unable to look up MX host for pure1-mail.net: Host not found
1   Unable to look up MX host for amota8.co.il: Host not found

Fatal Errors: none

Panics: none

Master daemon messages: none

Per-Hour Traffic Summary
time          received  delivered   deferred    bounced     rejected
--------------------------------------------------------------------
0000-0100           2          1          1          1          1
0100-0200           3          3          1          0          3
0200-0300           3          2          1          0          2
0300-0400           4          4          1          0          0
0400-0500           3          2          0          0          4
0500-0600           4          4          1          0          6
0600-0700           0          0          0          0          0
0700-0800           0          0          0          0          0
0800-0900           0          0          0          0          0
0900-1000           0          0          0          0          0
1000-1100           0          0          0          0          0
1100-1200           0          0          0          0          0
1200-1300           0          0          0          0          0
1300-1400           0          0          0          0          0
1400-1500           0          0          0          0          0
1500-1600           0          0          0          0          0
1600-1700           0          0          0          0          0
1700-1800           0          0          0          0          0
1800-1900           0          0          0          0          0
1900-2000           0          0          0          0          0
2000-2100           0          0          0          0          0
2100-2200           0          0          0          0          0
2200-2300           0          0          0          0          0
2300-2400           0          0          0          0          0

Host/Domain Summary: Message Delivery (top 5)
sent cnt  bytes   defers   avg dly max dly host/domain
-------- -------  -------  ------- ------- -----------
3     8124        0     5.8 s    7.9 s  yahoo.com
7     4175        0     3.2 s    3.2 s  news.espacopublico.com.br

Host/Domain Summary: Messages Received (top 5)
msg cnt   bytes   host/domain
-------- -------  -----------
3     6481   gmail.com
2    14562   alicensing.com
2     3238   chasey.com

top 5 Senders by message count
------------------------------
3   from=<>
2   c19remove@alicensing.com
2   ash22@chasey.com

top 5 Recipients by message count
---------------------------------
1   noreply@news.espacopublico.com.br

top 5 Senders by message size
-----------------------------
17328   sophiew@ubi.com
14562   c19remove@alicensing.com
11353   from=<>
5238   noreply@news.espacopublico.com.br

top 5 Recipients by message size
--------------------------------

4175   noreply@news.espacopublico.com.br
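The report above is what pflogsumm produces from /var/log/maillog. As an added example (not from the post and not pflogsumm's own code), here is a small summariser that derives the same kind of figures, totals, reject reasons grouped like the "message reject detail" section, rejecting clients and rejects per hour, from constructed Postfix log lines; every queue ID, address and host name below is made up, and the log format assumed is the standard postfix/smtpd, qmgr and delivery-agent syslog lines.

```python
import re
from collections import Counter

# Constructed sample maillog lines (documentation addresses, made-up queue IDs).
SAMPLE_MAILLOG = """\
Nov 13 00:12:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <mail>: Helo command rejected: need fully-qualified hostname; from=<a@example.net> to=<bob@example.org> proto=SMTP helo=<mail>
Nov 13 00:15:22 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked using sbl-xbl.spamhaus.org; from=<x@example.net> to=<bob@example.org> proto=ESMTP helo=<x>
Nov 13 01:03:10 mail postfix/smtpd[1250]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <carol@example.com>: Relay access denied; from=<x@example.net> to=<carol@example.com> proto=ESMTP helo=<x>
Nov 13 01:20:00 mail postfix/smtpd[1260]: 3F2A1C0012: client=mail.example.net[203.0.113.5]
Nov 13 01:20:01 mail postfix/qmgr[900]: 3F2A1C0012: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Nov 13 01:20:02 mail postfix/local[1300]: 3F2A1C0012: to=<bob@example.org>, relay=local, delay=1.2, delays=0.5/0.1/0/0.6, dsn=2.0.0, status=sent (delivered to mailbox)
Nov 13 02:04:59 mail postfix/qmgr[900]: 4A1B2C0034: from=<bob@example.org>, size=512, nrcpt=1 (queue active)
Nov 13 02:05:00 mail postfix/smtp[1400]: 4A1B2C0034: to=<dave@mail.example>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example[192.0.2.10]:25: Connection refused)
Nov 13 02:05:59 mail postfix/qmgr[900]: 5B2C3D0045: from=<bob@example.org>, size=640, nrcpt=1 (queue active)
Nov 13 02:06:00 mail postfix/smtp[1401]: 5B2C3D0045: to=<eve@nonexistent.example>, relay=none, delay=0.3, delays=0.1/0/0.2/0, dsn=5.4.4, status=bounced (Host not found)
"""

TIME_RE = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d ")
# A message counts as received when the queue manager logs its envelope sender.
RECEIVED_RE = re.compile(r"postfix/qmgr\[\d+\]: [0-9A-F]+: from=<[^>]*>, size=\d+")
# Delivery agents log one status= line per recipient.
STATUS_RE = re.compile(r"postfix/\w+\[\d+\]: [0-9A-F]+: to=<[^>]*>, .*status=(sent|deferred|bounced)")
# smtpd logs rejected messages with no queue ID; capture stage, client IP and reason.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (\w+) from \S+?\[([^\]]+)\]: "
    r"\d{3} \d\.\d\.\d (.*?); from=<")


def reject_reason(text):
    """Reduce a reject message to a groupable reason: drop the '<argument>:' prefix,
    keep the last clause, and strip bracketed client addresses."""
    text = re.sub(r"^<[^>]*>: ", "", text)
    text = text.split("; ")[-1]
    return re.sub(r"\s*\[[^\]]*\]", "", text).strip()


def summarise(log_text):
    """Return totals, reject reasons by (stage, reason), rejecting clients and
    rejects per hour for the given maillog text."""
    totals, reasons, clients, per_hour = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if RECEIVED_RE.search(line):
            totals["received"] += 1
            continue
        m = STATUS_RE.search(line)
        if m:
            totals["delivered" if m.group(1) == "sent" else m.group(1)] += 1
            continue
        m = REJECT_RE.search(line)
        if m:
            stage, ip, reason = m.groups()
            totals["rejected"] += 1
            reasons[(stage, reject_reason(reason))] += 1
            clients[ip] += 1
            t = TIME_RE.match(line)
            if t:
                per_hour[t.group(1)] += 1
    # Share of rejects among everything the server was asked to accept.
    attempted = totals["received"] + totals["rejected"]
    totals["rejected_pct"] = round(100 * totals["rejected"] / attempted) if attempted else 0
    return {"totals": dict(totals), "reasons": dict(reasons),
            "clients": dict(clients), "rejects_per_hour": dict(per_hour)}


if __name__ == "__main__":
    report = summarise(SAMPLE_MAILLOG)
    for key, value in report.items():
        print(key, value)
```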

Built in Content Filters for Postfix


One way to implement content filtering is to use regular expressions in your header, mime_header, nested_header and body checks.  These should be simple matches against regular expressions.  The goal of this example is to eliminate mail in non-English character sets, since we cannot read it anyway.  This will drop all non-English mail.

header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
nested_header_checks = pcre:/etc/postfix/nested_header_checks
body_checks = pcre:/etc/postfix/body_checks

Notice that the map type is pcre in these examples; you could use regexp instead.  Best performance is with pcre (Perl Compatible Regular Expression) tables.  Check that you can use pcre with:

postconf -m

If you do not have pcre support you can use regexp.

When you create the header_checks file, here are a couple of options; there are others.

/pattern/flags action

or

!/pattern/flags action

Decide which one you want to use.  The example below uses positive pattern matches.

If you want to reject or discard all email that is non-English you can take these steps.

Before you set up the header_checks you need to be somewhat familiar with the actions that you want to take.  Here is a list of actions with a brief description.

Actions
DISCARD                 drop the message out of existence
DUNNO                   pretend the input line did not match the pattern
FILTER                  send the message to an external content filter
HOLD                    put the message in the hold queue
IGNORE                  delete the current line and move on to the next line
PREPEND                 prepend a line of text and inspect the next line
REDIRECT                redirect the message to the given email address
REPLACE                 replace the current line with the given text
REJECT optional text    reject the message, replying with the given text
WARN optional text      log a warning with the given text

In the example two actions are shown.  The first is DISCARD, which means no message will be sent to the user; the mail is just dropped.  The second is REJECT, followed by text indicating an unacceptable character set.

# Header Checks
header_checks = pcre:/etc/postfix/header_checks

Create a new file; you can move the default header_checks file to header_checks_bk and then start a new one.

Contents of header_checks.  Thanks to Wietse Venema for this suggestion.

/[^[:print:]]{8}/ DISCARD

# A line that starts with whitespace continues the previous logical line,
# so the indented REJECT actions belong to the pattern above them.
# Chinese, Japanese and Korean
/^Content-Type:.*?charset\s*=\s*"?(Big5|gb2312|euc-cn)"?/
    REJECT HDR2100: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(euc-kr|iso-2022-kr)"?/
    REJECT HDR2110: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(iso-2022-\w+|euc-jp|shift_jis)"?/
    REJECT HDR2120: Unaccepted character set: "$1"
# Cyrillic character sets: Russian/Ukrainian
/^Content-Type:.*?charset\s*=\s*"?(koi8-(?:r|u))"?/
    REJECT HDR2200: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(windows-(?:1250|1251))"?/
    REJECT HDR2210: Unaccepted character set: "$1"

Once you have created the file, restart Postfix and then test.  Create a testpattern file and place an example header in it to test the header check.

postmap -q - pcre:/etc/postfix/header_checks < testpattern

If the pattern matches that you placed in testpattern then you will get a return on the command.  If there is no match, you will get nothing in return.
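To see what that postmap lookup is doing, here is an added example (not from the post and not Postfix's own code): a small Python evaluator for a pcre: header_checks table that applies the rules above with Postfix's first-match semantics and $1 substitution, and would treat the Subject rules in the "what not to do" post the same way. It assumes that [:print:] means printable ASCII (what PCRE matches without UTF-8 mode) and implements only the i and x flags; the sample headers are constructed.

```python
import re

# Assumption: PCRE's [:print:] is printable ASCII (0x20-0x7E) in non-UTF mode.
POSIX_CLASSES = {"[:print:]": r"\x20-\x7e"}

# The rules from the post in pcre_table(5) layout: a line that starts with
# whitespace continues the previous logical line.
HEADER_CHECKS = r'''
/[^[:print:]]{8}/ DISCARD

# Chinese, Japanese and Korean
/^Content-Type:.*?charset\s*=\s*"?(Big5|gb2312|euc-cn)"?/
    REJECT HDR2100: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(euc-kr|iso-2022-kr)"?/
    REJECT HDR2110: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(iso-2022-\w+|euc-jp|shift_jis)"?/
    REJECT HDR2120: Unaccepted character set: "$1"
# Cyrillic character sets: Russian/Ukrainian
/^Content-Type:.*?charset\s*=\s*"?(koi8-(?:r|u))"?/
    REJECT HDR2200: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(windows-(?:1250|1251))"?/
    REJECT HDR2210: Unaccepted character set: "$1"
'''


def _split_pattern(line):
    """Split '/pattern/flags action' at the first unescaped closing slash."""
    i = 1
    while i < len(line):
        if line[i] == "\\":
            i += 2                       # skip the escaped character
        elif line[i] == "/":
            return line[1:i], line[i + 1:]
        else:
            i += 1
    raise ValueError(f"unterminated pattern: {line!r}")


def parse_table(text):
    """Return [(negate, compiled_regex, action)] in table order."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        negate = line.startswith("!")
        line = line[1:] if negate else line
        if not line.startswith("/"):
            raise ValueError(f"not a pattern line: {line!r}")
        pattern, rest = _split_pattern(line)
        m = re.match(r"([A-Za-z]*)\s+(\S.*)$", rest)
        if not m:
            raise ValueError(f"missing action: {line!r}")
        flags, action = m.groups()
        re_flags = re.IGNORECASE                  # Postfix matches case-insensitively by default
        for f in flags:
            if f == "i":
                re_flags ^= re.IGNORECASE         # the i flag toggles that default
            elif f == "x":
                re_flags |= re.VERBOSE
        for posix, ascii_range in POSIX_CLASSES.items():
            pattern = pattern.replace(posix, ascii_range)
        rules.append((negate, re.compile(pattern, re_flags), action))
    return rules


def _expand(action, m):
    """Substitute $1..$9 in the action text with the corresponding captures."""
    def repl(g):
        n = int(g.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""
    return re.sub(r"\$(\d)", repl, action)


def lookup(rules, header_line):
    """Return the action for one (unfolded) header line; first match wins, like Postfix."""
    for negate, rx, action in rules:
        m = rx.search(header_line)
        if negate and m is None:
            return action
        if not negate and m is not None:
            return _expand(action, m)
    return None


RULES = parse_table(HEADER_CHECKS)

if __name__ == "__main__":
    for header in ('Content-Type: text/plain; charset="gb2312"',
                   "Content-Type: text/html; charset=KOI8-R",
                   "Subject: " + "\x01" * 8,
                   "Subject: hello"):
        print(repr(header), "->", lookup(RULES, header))
```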

Blocking Country Attacks


I recently checked mail stats on a server and discovered that 71% of the mail that the server handled was rejected. That means the server lost 71% of its total resources to connections that were either malicious in nature or intended to solicit resources from individuals.  As a result I have started a campaign to drop all subnets that I really do not need to allow connections from.

Selecting Countries to Drop
The criteria that I developed may not work for you so keep that in mind.  However, I am giving you some idea on my reasoning to help in your decision making.

1. Countries that are frequent attackers
One of the things I have done is watch logs so that I can drop those who are constantly stealing my resources.

2. Countries I cannot read the mail
I have limited language skills.  If I cannot speak Chinese why allow Chinese mail to arrive at my mail server?

3. Countries I do not do business with
There are a lot of countries that I do not do business with.  Some countries, like Indonesia, have been constant sources of fraud; I have never had a legitimate order from Indonesia.

It is important to recognize that many of these subnets overlap and are used by other countries so you will need to be careful and do your own research.

USE THIS ONLY AS AN EXAMPLE…VERIFY YOUR CHOICES.

#####################################################
# BLOCK COUNTRY ATTACKS
#####################################################
# Asia
iptables -A INPUT -s 220.0.0.0/8 -j DROP
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 61.0.0.0/8 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 124.0.0.0/8 -j DROP
iptables -A INPUT -s 126.0.0.0/8 -j DROP
iptables -A INPUT -s 168.208.0.0/16 -j DROP
iptables -A INPUT -s 196.192.0.0/16 -j DROP
iptables -A INPUT -s 202.0.0.0/8 -j DROP
iptables -A INPUT -s 210.0.0.0/8 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 222.0.0.0/8 -j DROP
# Africa
iptables -A INPUT -s 41.0.0.0/8 -j DROP
# Brazil and Argentina
iptables -A INPUT -s 189.0.0.0/8 -j DROP
iptables -A INPUT -s 190.0.0.0/8 -j DROP
iptables -A INPUT -s 200.0.0.0/8 -j DROP
iptables -A INPUT -s 201.0.0.0/8 -j DROP
# China
iptables -A INPUT -s 62.0.0.0/8 -j DROP
iptables -A INPUT -s 77.0.0.0/8 -j DROP
iptables -A INPUT -s 78.0.0.0/8 -j DROP
iptables -A INPUT -s 79.0.0.0/8 -j DROP
iptables -A INPUT -s 130.0.0.0/8 -j DROP
iptables -A INPUT -s 131.0.0.0/8 -j DROP

iptables -A INPUT -s 137.0.0.0/8 -j DROP
iptables -A INPUT -s 146.0.0.0/8 -j DROP
iptables -A INPUT -s 147.0.0.0/8 -j DROP
iptables -A INPUT -s 150.0.0.0/8 -j DROP
# Indonesia
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 60.0.0.0/8 -j DROP
iptables -A INPUT -s 113.0.0.0/8 -j DROP
iptables -A INPUT -s 114.0.0.0/8 -j DROP
iptables -A INPUT -s 116.0.0.0/8 -j DROP
iptables -A INPUT -s 117.0.0.0/8 -j DROP
iptables -A INPUT -s 118.0.0.0/8 -j DROP
iptables -A INPUT -s 119.0.0.0/8 -j DROP
iptables -A INPUT -s 120.0.0.0/8 -j DROP
iptables -A INPUT -s 121.0.0.0/8 -j DROP
iptables -A INPUT -s 122.0.0.0/8 -j DROP
iptables -A INPUT -s 123.0.0.0/8 -j DROP
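Because the list above is appended with -A and, as the post warns, many of these blocks overlap, it is worth checking a rule list before loading it. The following is an added example (not part of the original post): it parses lines in the same shape as the list, rejects malformed networks, reports duplicate and overlapping networks, and tells you which line would drop a given client address (for instance one taken from a reject line in the maillog). The rule text is a constructed excerpt that includes two deliberately broken lines.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the list above, with a line that has host
# bits set (61.0.0.1/8), a line with a missing octet (168.208.0/16), a duplicate
# and an overlapping network.
RULES = """\
# Asia
iptables -A INPUT -s 220.0.0.0/8 -j DROP
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 61.0.0.1/8 -j DROP
iptables -A INPUT -s 168.208.0/16 -j DROP
iptables -A INPUT -s 202.0.0.0/8 -j DROP
# Indonesia
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 58.64.0.0/12 -j DROP
"""

RULE_RE = re.compile(r"^iptables\s+-A\s+INPUT\s+-s\s+(\S+)\s+-j\s+DROP$")


def parse_rules(text):
    """Return (networks, errors); networks is [(line_no, ip_network)] in rule order."""
    networks, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            errors.append(f"line {n}: not a recognised INPUT DROP rule")
            continue
        try:
            # strict=True refuses a prefix whose host bits are set.
            net = ipaddress.ip_network(m.group(1), strict=True)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
            continue
        networks.append((n, net))
    return networks, errors


def audit(networks):
    """Return (duplicates, overlaps) as lists of (line_no, line_no) pairs."""
    duplicates, overlaps = [], []
    for i, (line_a, net_a) in enumerate(networks):
        for line_b, net_b in networks[i + 1:]:
            if net_a == net_b:
                duplicates.append((line_a, line_b))
            elif net_a.overlaps(net_b):
                overlaps.append((line_a, line_b))
    return duplicates, overlaps


def dropping_rule(networks, address):
    """Line number of the first rule that drops `address`, or None.  Rules are
    appended with -A, so the first matching rule in chain order is the one that fires."""
    ip = ipaddress.ip_address(address)
    for line_no, net in networks:
        if ip in net:
            return line_no
    return None


if __name__ == "__main__":
    nets, errs = parse_rules(RULES)
    print("errors:", errs)
    print("duplicates, overlaps:", audit(nets))
    print("192.0.2.1 dropped by line:", dropping_rule(nets, "192.0.2.1"))
```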

Create Users in Cyrus-IMAP


Create Users
Create the users on the system.  Give them /bin/false as their shell so they cannot log into the server; this is an added security measure.

A. Create the User
useradd sue -s /bin/false
passwd sue

A common mistake is to forget to provide passwords for these users.

B. Use saslpasswd2 to create a cyrus account for the user.
echo linux23 | saslpasswd2 -p -c -u realm sue

Note that linux23 is the password you are providing for the user sue.
The realm is the domain you are using for the hostname.  If you have no domain, just use realm.

Here are several options for the saslpasswd2 program:
-p    pipe mode
-c    create
-d    delete
-u    domain
-f    file

C. List the users to verify they were created.
Use the sasldblistusers2 command to list the users created with saslpasswd2.
List Users Example
Here is an example of the sasldblistusers2 command.  Notice that there are two methods of authentication: PLAIN and CRAM-MD5.

# /usr/sbin/sasldblistusers2
user: cyrus realm: example.org mech: CRAM-MD5
user: tom realm: realm mech: CRAM-MD5
user: cyrus realm: example.org mech: PLAIN
user: tom realm: realm mech: PLAIN
user: tom realm: realm mech: DIGEST-MD5
user: cyrus realm: example.org mech: DIGEST-MD5
You may also want to send a test email to the account.
echo test |/usr/sbin/sendmail -f root username
