#1 On 09/01/2011 at 16:05
- chapodepay
[solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)
Hello,
For once, I'm not coming to this forum with a problem, but just to ask for some expert advice.
My question concerns the configuration of Postfix.
Situation: the server is a dual quad-core with 12 GB of DDR3 running Ubuntu 10.04.
Purpose: web server for an online shop.
Configuration:
Apache 2.2 / PHP 5.3.2 / MySQL 5.1.41
Postfix 2.7 / OpenSSH 5.3p1 / SpamAssassin 3.3.1 / ClamAV 0.96.5 / amavisd-new 2.6.4
Postfix is only used to receive the online shop's mail (order processing, confirmations of all kinds) and to receive mail from visitors.
The destinations are therefore just a limited list of email addresses.
The goal is increased security: connections to the mail server are over SSL/TLS, anyone can send mail to an account known on the server, and only accounts known to the server can send mail (plus an internal script). It must have an effective anti-spam and an anti-virus.
Note that several domain names point to the server.
I hope I have described things well enough for you to picture my needs.
My config files:
Postfix main.cf
mydomain = mondomaine.com
smtpd_banner = $myhostname ESMTP $mail_name (By chapodepay)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
# if yes, require that remote SMTP servers use TLS encryption
smtp_enforce_tls = no
# if yes, announce STARTTLS support and require that remote SMTP clients use TLS encryption
smtpd_enforce_tls = no
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_auth_only = yes
smtp_tls_CAfile=/etc/postfix/ssl/cacert.pem
smtp_tls_cert_file=/etc/postfix/ssl/mail-cert.pem
smtp_tls_key_file=/etc/postfix/ssl/mail-key.pem
smtpd_tls_CAfile=/etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file=/etc/postfix/ssl/mail-cert.pem
smtpd_tls_key_file=/etc/postfix/ssl/mail-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 10s
tls_random_source = dev:/dev/urandom
smtpd_recipient_limit = 1000
smtpd_helo_restrictions = reject_invalid_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_unknown_address,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rbl_client combined.njabl.org,
# zen.spamhaus.org is an IP-address list; reject_rhsbl_sender looks up the sender's domain name, so this entry never matches
    reject_rhsbl_sender zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client will-spam-for-food.eu.org,
    reject_rbl_client relays.mail-abuse.org,
    reject_rbl_client blackholes.mail-abuse.org,
## reject_rbl_client relays.visi.com,
    reject_rbl_client wingate.opm.blitzed.org,
## reject_rbl_client korea.rominet.net,
# reject_rbl_client china.rominet.net,
# reject_rbl_client taiwan.rominet.net,
# reject_rbl_client hong-kong.rominet.net,
    permit
smtpd_recipient_restrictions = permit_sasl_authenticated,
# permit_mynetworks,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_client,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client will-spam-for-food.eu.org,
    reject_rbl_client relays.mail-abuse.org,
    reject_rbl_client blackholes.mail-abuse.org,
## reject_rbl_client relays.visi.com,
    reject_rbl_client wingate.opm.blitzed.org,
## reject_rbl_client korea.rominet.net,
# reject_rbl_client china.rominet.net,
# reject_rbl_client taiwan.rominet.net,
# reject_rbl_client hong-kong.rominet.net,
    permit
smtpd_client_restrictions = permit_mynetworks,
# warn_if_reject,
    permit_sasl_authenticated,
# warn_if_reject,
    reject_unknown_client_hostname,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client will-spam-for-food.eu.org,
    reject_rbl_client relays.mail-abuse.org,
    reject_rbl_client blackholes.mail-abuse.org,
## reject_rbl_client relays.visi.com,
    reject_rbl_client wingate.opm.blitzed.org,
# reject_rbl_client korea.rominet.net,
# reject_rbl_client china.rominet.net,
# reject_rbl_client taiwan.rominet.net,
# reject_rbl_client hong-kong.rominet.net
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 0
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
#virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_forwardings.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
# NOTE: smtpd_sasl_auth_enable and broken_sasl_auth_clients are already set above (harmless repeats),
# but this second smtpd_recipient_restrictions replaces the long list defined earlier: Postfix keeps the
# last definition of a parameter, so the RBL, sender and client checks of the first list are never applied
# (the postconf -n output below shows only this short list).
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
#transport_maps = mysql:/etc/postfix/mysql-virtual_transports.cf
#transport_maps = local
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
local_transport = local
local_recipient_maps =
smtp_use_tls = yes
# Support Amavis
content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
always_bcc = save_mail@ns212907.ovh.net
## below: where error reports about mail processing are sent
2bounce_notice_recipient = server_mail
bounce_notice_recipient = server_mail
delay_notice_recipient = server_mail
error_notice_recipient = server_mail
# list of error classes to report:
notify_classes = bounce, delay, policy, protocol, resource, software
## below: mail delivery tuning
# enable the connection cache
smtp_connection_cache_destinations = mondomaine.com
smtp_connection_cache_time_limit = 30s
# time limit for the SMTP client to send the SMTP "." and receive the server's reply
smtp_data_done_timeout = 60s
# time limit for the SMTP client to send the SMTP DATA command and for the server to respond
smtp_data_init_timeout = 10s
# time limit for the SMTP client to send the SMTP message content
smtp_data_xfer_timeout = 30s
# time limit for the SMTP client to send the HELO or EHLO command and receive the reply
smtp_helo_timeout = 30s
# time limit for the SMTP client to send the MAIL FROM command and receive the server's reply
smtp_mail_timeout = 30s
# time limit for the SMTP client to send the QUIT command and receive the reply
smtp_quit_timeout = 60s
# time limit for the SMTP client to send the SMTP RCPT TO command and receive the reply
smtp_rcpt_timeout = 30s
# time limit for the SMTP client to send the RSET command and receive the reply
smtp_rset_timeout = 30s
# time limit for the Postfix SMTP client to write and receive the elements of the TLS start-up and shutdown handshakes
smtp_starttls_timeout = 60s
# time limit for the SMTP client to send the XFORWARD command and receive the reply
smtp_xforward_timeout = 30s
# maximum length of message header or body lines sent by the SMTP client
# (the Postfix default is 998; with 100, any longer outgoing line gets a line break inserted into it)
smtp_line_length_limit = 100
# time limit for the Postfix SMTP server to send a reply and for the SMTP client to send a request
smtpd_timeout = 30s
# the SMTP server's reply is delayed when the client has made more than
# $smtpd_soft_error_limit and fewer than $smtpd_hard_error_limit errors
# without delivering mail
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
# maximum number of errors a remote SMTP client may make without delivering mail
smtpd_hard_error_limit = 20
# time unit over which client connection rates and other rates are calculated
anvil_rate_time_unit = 120
# maximum number of simultaneous connections from one client (0 = no limit)
smtpd_client_connection_count_limit = 0
# maximum number of connection attempts a client may make to this service per time unit (0 = no limit)
smtpd_client_connection_rate_limit = 0
# clients exempt from the rate limits
smtpd_client_event_limit_exceptions = $mydomain,$mynetworks
# maximum number of message delivery requests a client may make to this service (0 = no limit)
smtpd_client_message_rate_limit = 0
# maximum number of new (i.e. uncached) TLS sessions a remote SMTP client may negotiate with this service (0 = no limit)
smtpd_client_new_tls_session_rate_limit = 0
# maximum number of recipient addresses a client may send to this service (0 = no limit)
smtpd_client_recipient_rate_limit = 0
# enable additional logging of the Postfix SMTP client's TLS activity.
# Each log level also includes the information of the lower levels.
## 0 disable logging of TLS activity.
## 1 log handshake and certificate information.
## 2 log levels during the TLS handshake.
## 3 log the hexadecimal and ASCII dump of the TLS handshake.
## 4 also log the complete hexadecimal and ASCII transcript of the session after STARTTLS.
smtp_tls_loglevel = 0
# expiry time for the Postfix SMTP client's TLS session cache entries
smtp_tls_session_cache_timeout = 7200s
debug_peer_level = 1
smtpd_tls_loglevel = 0
#### Modified reject codes.
# These rejects increase outbound traffic, notably towards spammers who ignore them, but above all tell legitimate clients why they were rejected.
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
postconf -n
2bounce_notice_recipient = server_mail
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = save_mail@ns212907.ovh.net
anvil_rate_time_unit = 120
append_dot_mydomain = no
biff = no
bounce_notice_recipient = server_mail
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_level = 1
delay_notice_recipient = server_mail
error_notice_recipient = server_mail
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps =
local_transport = local
mailbox_size_limit = 0
mydestination = localhost, localhost.localdomain
mydomain = mondomaine.com
myhostname = $mydomain
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
notify_classes = bounce, delay, policy, protocol, resource, software
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
smtp_connection_cache_destinations = mondomaine.com
smtp_connection_cache_time_limit = 30s
smtp_data_done_timeout = 60s
smtp_data_init_timeout = 10s
smtp_data_xfer_timeout = 30s
smtp_enforce_tls = no
smtp_helo_timeout = 30s
smtp_line_length_limit = 100
smtp_mail_timeout = 30s
smtp_quit_timeout = 60s
smtp_rcpt_timeout = 30s
smtp_rset_timeout = 30s
smtp_starttls_timeout = 60s
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_cert_file = /etc/postfix/ssl/mail-cert.pem
smtp_tls_key_file = /etc/postfix/ssl/mail-key.pem
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 7200s
smtp_use_tls = yes
smtp_xforward_timeout = 30s
smtpd_banner = $myhostname ESMTP $mail_name (By chapodepay)
smtpd_client_connection_count_limit = 0
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = $mydomain,$mynetworks
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, reject_rbl_client rbl-plus.mail-abuse.org, reject_rbl_client bl.spamcop.net, reject_rbl_client will-spam-for-food.eu.org, reject_rbl_client relays.mail-abuse.org, reject_rbl_client blackholes.mail-abuse.org, reject_rbl_client wingate.opm.blitzed.org,
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_restrictions = reject_invalid_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_unknown_address, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client combined.njabl.org, reject_rhsbl_sender zen.spamhaus.org reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client rbl-plus.mail-abuse.org, reject_rbl_client will-spam-for-food.eu.org, reject_rbl_client relays.mail-abuse.org, reject_rbl_client blackholes.mail-abuse.org, reject_rbl_client wingate.opm.blitzed.org, permit
smtpd_soft_error_limit = 10
smtpd_timeout = 30s
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/mail-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/mail-key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 10s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_uid_maps = static:5000
Postfix master.cf
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
  -o smtp_fallback_relay=
  -o smtp_helo_timeout=10 -o smtp_connect_timeout=10
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
smtp-amavis unix -      -       -       -       2       smtp
  -o smtp_data_done_timeout=12000
  -o smtp_send_xforward_command=yes
# -o content_filter=spamassassin
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_bind_address=127.0.0.1
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o smtpd_client_message_rate_limit=0
  -o smtpd_client_new_tls_session_rate_limit=0
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Amavisd-new amavisd.conf
use strict;
$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis')
$mydomain = 'mondomaine.com';
$TEMPBASE = $MYHOME; # (must be set if other config vars use it)
$pid_file = "/var/run/amavis/amavisd.pid"; # (default: "$MYHOME/amavisd.pid")
$lock_file = "/var/run/amavis/amavisd.lock"; # (default: "$MYHOME/amavisd.lock")
$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory
$max_servers = 4; # number of pre-forked children (default 2)
$max_requests = 10; # retire a child after that many accepts (default 10)
$child_timeout=5*60; # abort child if it does not complete each task in n sec
# (default: 8*60 seconds)
# @bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code
@local_domains_acl = ( "." ); # "." matches every domain: all recipients are treated as local (the default ".$mydomain" would limit this to $mydomain and its subdomains)
$relayhost_is_client = 0; # (defaults to false)
$insert_received_line = 1;
$unix_socketname = undef;
$inet_socket_port = 10024;
$inet_socket_bind = '127.0.0.1';
@inet_acl = qw( 127.0.0.1 );
$DO_SYSLOG = 1;
$LOGFILE = "/var/log/amavis/amavis.log"; # (defaults to empty, no log)
#$log_level = 2; # (defaults to 0)
$log_level = 1;
$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
[?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
read_l10n_templates('en_US', '/etc/amavis');
$final_virus_destiny = D_REJECT; # (defaults to D_BOUNCE)
$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE)
$final_spam_destiny = D_PASS; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
$viruses_that_fake_sender_re = new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
[qr'^(EICAR|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
[qr/.*/ => 1], # true by default (remove or comment-out if undesired)
);
$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
$mailfrom_to_quarantine = ''; # override sender address with null return path
$QUARANTINEDIR = '/var/lib/amavis/virusmails';
$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
$spam_quarantine_to = 'spam-quarantine';
$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
#$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
$remove_existing_x_scanned_headers= 1; # remove existing headers
# (defaults to false)
#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
$remove_existing_spam_headers = 1; # remove existing spam headers if
# spam scanning is enabled (default)
$keep_decoded_original_re = new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',
);
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID)
# qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
# vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
# qr'^\.(zip|lha|tnef|cab)$'i, # banned file(1) types
# qr'^\.exe$'i, # banned file(1) types
# qr'^application/x-msdownload$'i, # banned MIME types
# qr'^application/x-msdos-program$'i,
qr'^message/partial$'i, # rfc2046. this one is deadly for Outcrook
# qr'^message/external-body$'i, # block rfc2046
);
@lookup_sql_dsn =
( ['DBI:mysql:database=postfix;host=127.0.0.1;port=3306', 'postfix', 'postfixch4p0'] );
$sql_select_policy = 'SELECT "Y" as local FROM domains WHERE CONCAT("@",domain) IN (%k)';
$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
$recipient_delimiter = '+'; # (default is '+')
$replace_existing_extension = 1; # (default is false)
$localpart_is_case_sensitive = 0; # (default is false)
$blacklist_sender_re = new_RE(
qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonl|smoking2002k)@'i,
qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);
map { $whitelist_sender{lc($_)}=1 } (qw(
nobody@cert.org
owner-alert@iss.net
slashdot@slashdot.org
bugtraq@securityfocus.com
NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
security-alerts@linuxsecurity.com
amavis-user-admin@lists.sourceforge.net
razor-users-admin@lists.sourceforge.net
notification-return@lists.sophos.com
mailman-announce-admin@python.org
zope-announce-admin@zope.org
owner-postfix-users@postfix.org
owner-postfix-announce@postfix.org
owner-sendmail-announce@lists.sendmail.org
sendmail-announce-request@lists.sendmail.org
ca+envelope@sendmail.org
owner-technews@postel.ACM.ORG
lvs-users-admin@LinuxVirtualServer.org
ietf-123-owner@loki.ietf.org
cvs-commits-list-admin@gnome.org
rt-users-admin@lists.fsck.com
owner-announce@mnogosearch.org
owner-hackers@ntp.org
owner-bugs@ntp.org
clp-request@comp.nus.edu.sg
surveys-errors@lists.nua.ie
emailNews@genomeweb.com
owner-textbreakingnews@CNNIMAIL12.CNN.COM
yahoo-dev-null@yahoo-inc.com
));
$MAXLEVELS = 14; # (default is undef, no limit)
$MAXFILES = 1500; # (default is undef, no limit)
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
$unrar = ['rar', 'unrar']; # both can extract, same options
$zoo = 'zoo';
$lha = 'lha';
$cpio = 'cpio'; # comment out if cpio does not support GNU options
$sa_local_tests_only = 0; # (default: false)
#$sa_auto_whitelist = 1; # turn on AWL (default: false)
# Timeout for SpamAssassin. This is only used if spamassassin does NOT
# override it (which it often does if sa_local_tests_only is not true)
$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin
# (default is 30 seconds, undef disables it)
# AWL (auto whitelisting), requires spamassassin 2.44 or better
# $sa_auto_whitelist = 1; # defaults to undef
$sa_mail_body_size_limit = 150*1024;
@av_scanners = (
### http://www.clamav.net/
#/var/run/clamav/clamd.ctl
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: run clamd under the same user as amavisd; match the socket
# name (LocalSocket) in clamav.conf to the socket name in this entry
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
);
@av_scanners_backup = (
### http://www.clamav.net/
['Clam Antivirus - clamscan', 'clamscan',
"--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
1;
Last edited by chapodepay (On 14/01/2011 at 20:07)
PC1: MSI P35 Platinum, HDD: 72 GB 10,000 rpm, Q6600 @ 3.15 GHz, 4 GB DDR2 Corsair, 8800GTS... CPU + GPU under Zalman watercooling, HDD: 4.5 TB
Server: Intel dual Xeon i7 2x2.93 GHz, RAM: 24 GB DDR3
#2 On 10/01/2011 at 12:05
- sylvain1970
Re: [solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)
Hello,
There is an excellent tutorial for a mail server setup here. It will surely help you configure your server.
#3 On 10/01/2011 at 15:20
- chapodepay
Re: [solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)
Thanks for your reply, but that's not quite what I was expecting; I'm expecting an analysis of my config so as to get optimisation advice, the mistakes I may have made, omissions, etc.
#4 On 14/01/2011 at 20:03
- Uggy
Re: [solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)
"I'm expecting an analysis of my config so as to get optimisation advice"
You can already remove from your main.cf all the useless parameters, since they are just the default values (for example inet_interfaces, relayhost, etc.).
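Two things in this thread can be checked mechanically: the duplicated parameters in the main.cf of post #1 (its second smtpd_recipient_restrictions silently replaces the long list, as the postconf -n output shows) and Uggy's advice above to drop parameters that only restate a default. The following Python script is an added example, not code from this thread or from Postfix; the main.cf excerpt and the postconf -d excerpt it parses are constructed, and the default values in the latter are assumed.

```python
"""Audit a Postfix main.cf for (a) parameters defined more than once, where
Postfix keeps only the last definition, and (b) parameters whose effective
value merely repeats the postconf -d default.  Added example, not from the thread."""
import re

# Constructed main.cf excerpt mirroring the thread's configuration: a multi-line
# restriction list with a comment line inside it, then a second definition of the
# same parameter further down (the one Postfix actually keeps).
SAMPLE_MAIN_CF = """\
inet_interfaces = all
relayhost =
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination,
#   reject_rbl_client example.invalid,
    reject_unknown_client,
    permit
smtpd_recipient_limit = 1000
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

# Constructed excerpt of what `postconf -d` prints; the defaults shown are assumed.
SAMPLE_DEFAULTS = """\
inet_interfaces = all
relayhost =
smtpd_recipient_limit = 1000
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
"""


def parse_main_cf(text):
    """Return (name, value) pairs in file order, applying the main.cf rules:
    a line starting with whitespace continues the previous logical line,
    lines starting with '#' are comments, everything else is 'name = value'."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or comment line
        if raw[0] in " \t" and entries:   # continuation of the previous parameter
            name, value = entries[-1]
            entries[-1] = (name, (value + " " + raw.strip()).strip())
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        entries.append((m.group(1), m.group(2).strip()))
    return entries


def find_duplicates(entries):
    """Map each parameter set more than once to all its values, in file order.
    Postfix keeps the last value and silently discards the earlier ones."""
    seen = {}
    for name, value in entries:
        seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


def normalize(value):
    """Canonical form of a value so that comma- and whitespace-separated
    restriction lists compare equal regardless of spacing."""
    return " ".join(re.split(r"[\s,]+", value.strip())).strip()


def effective(entries):
    """The configuration Postfix ends up with: last definition wins."""
    return {name: value for name, value in entries}


def find_redundant(entries, defaults_text):
    """Parameters whose effective value equals the postconf -d default."""
    defaults = effective(parse_main_cf(defaults_text))
    eff = effective(entries)
    return sorted(n for n, v in eff.items()
                  if n in defaults and normalize(v) == normalize(defaults[n]))


def audit(main_cf, defaults_text):
    entries = parse_main_cf(main_cf)
    return {"duplicates": find_duplicates(entries),
            "redundant": find_redundant(entries, defaults_text)}


if __name__ == "__main__":
    report = audit(SAMPLE_MAIN_CF, SAMPLE_DEFAULTS)
    for name, values in report["duplicates"].items():
        print("%s is set %d times; effective value: %s" % (name, len(values), values[-1]))
    print("same as the default, can be removed:", ", ".join(report["redundant"]))
```

On a real system, feed it /etc/postfix/main.cf (not postconf -n, which has already collapsed the duplicates) together with the output of postconf -d in place of the embedded samples.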
#5 On 14/01/2011 at 20:07
- chapodepay
Re: [solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)
Sorry, I hadn't posted an update.
I completely redid the configuration with dovecot/amavis/spamassassin and got a big performance gain; above all I needed the management/filtering capabilities of sieve, which comes with dovecot.
I'm happy with my new config, which is identical to this one: http://www.starbridge.org/spip/spip.php?article12