#1 On 09/01/2011 at 16:05

chapodepay

[solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)

Hello,
For once I'm not coming to this forum with a problem, but just to ask for some expert advice.

My question concerns the configuration of Postfix.

Situation: the server is a dual quad-core with 12 GB DDR3 running Ubuntu 10.04.
Purpose: web server for an online shop.
Configuration:
Apache 2.2 / PHP 5.3.2 / MySQL 5.1.41
Postfix 2.7 / OpenSSH_5.3p1 / SpamAssassin 3.3.1 / ClamAV 0.96.5 / amavisd-new 2.6.4

Postfix is only used to receive the shop's mail (order processing, confirmations of all kinds) and mail from visitors.
The destinations are therefore just a limited list of mail addresses.

The goal is increased security: connections to the mail server use SSL/TLS, anyone can send mail to an account known to the server, and only accounts known to the server (plus an internal script) can send mail. It must have effective anti-spam and anti-virus.
Note that several domain names point to the server.

I hope I have described things well enough for you to picture my needs.

My config files:

Postfix main.cf

mydomain = mondomaine.com
smtpd_banner = $myhostname ESMTP $mail_name (By chapodepay)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes

# Require remote SMTP servers to use TLS encryption
smtp_enforce_tls = no
# Announce STARTTLS support and require remote SMTP clients to use TLS encryption
smtpd_enforce_tls = no


#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_auth_only = yes
smtp_tls_CAfile=/etc/postfix/ssl/cacert.pem
smtp_tls_cert_file=/etc/postfix/ssl/mail-cert.pem
smtp_tls_key_file=/etc/postfix/ssl/mail-key.pem
smtpd_tls_CAfile=/etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file=/etc/postfix/ssl/mail-cert.pem
smtpd_tls_key_file=/etc/postfix/ssl/mail-key.pem
smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 10s
tls_random_source = dev:/dev/urandom
smtpd_recipient_limit = 1000

smtpd_helo_restrictions = reject_invalid_hostname,
 reject_non_fqdn_helo_hostname,
 reject_unknown_helo_hostname

smtpd_sender_restrictions = reject_unknown_address,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_rbl_client combined.njabl.org,
 reject_rhsbl_sender zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client cbl.abuseat.org,
 reject_rbl_client rbl-plus.mail-abuse.org,
 reject_rbl_client will-spam-for-food.eu.org,
 reject_rbl_client relays.mail-abuse.org,
 reject_rbl_client blackholes.mail-abuse.org,
## reject_rbl_client relays.visi.com,
 reject_rbl_client wingate.opm.blitzed.org,
## reject_rbl_client korea.rominet.net,
# reject_rbl_client china.rominet.net,
# reject_rbl_client taiwan.rominet.net,
# reject_rbl_client hong-kong.rominet.net,
 permit


smtpd_recipient_restrictions = permit_sasl_authenticated,
# permit_mynetworks,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unauth_destination,
 reject_unknown_sender_domain,
 reject_unknown_client,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client cbl.abuseat.org,
 reject_rbl_client rbl-plus.mail-abuse.org,
 reject_rbl_client will-spam-for-food.eu.org,
 reject_rbl_client relays.mail-abuse.org,
 reject_rbl_client blackholes.mail-abuse.org,
## reject_rbl_client relays.visi.com,
 reject_rbl_client wingate.opm.blitzed.org,
## reject_rbl_client korea.rominet.net,
# reject_rbl_client china.rominet.net,
# reject_rbl_client taiwan.rominet.net,
# reject_rbl_client hong-kong.rominet.net,
 permit

smtpd_client_restrictions = permit_mynetworks,
# warn_if_reject,
 permit_sasl_authenticated,
# warn_if_reject,
 reject_unknown_client_hostname,
 reject_rbl_client rbl-plus.mail-abuse.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client will-spam-for-food.eu.org,
 reject_rbl_client relays.mail-abuse.org,
 reject_rbl_client blackholes.mail-abuse.org,
## reject_rbl_client relays.visi.com,
 reject_rbl_client wingate.opm.blitzed.org,
# reject_rbl_client korea.rominet.net,
# reject_rbl_client china.rominet.net,
# reject_rbl_client taiwan.rominet.net,
# reject_rbl_client hong-kong.rominet.net

smtpd_sasl_local_domain = $mydomain
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes

#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes


smtpd_tls_loglevel = 0


# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
#virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_forwardings.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

smtpd_sasl_auth_enable = yes

broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

#transport_maps = mysql:/etc/postfix/mysql-virtual_transports.cf
#transport_maps = local
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
local_transport = local
local_recipient_maps =
smtp_use_tls = yes

# Support Amavis
content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

always_bcc = save_mail@ns212907.ovh.net

## below: where to report errors in mail processing
2bounce_notice_recipient = server_mail
bounce_notice_recipient = server_mail
delay_notice_recipient  = server_mail
error_notice_recipient = server_mail

# list of error classes to report:
notify_classes = bounce, delay, policy, protocol, resource, software


## below: optimise mail delivery
# enable the connection cache
smtp_connection_cache_destinations = mondomaine.com
smtp_connection_cache_time_limit = 30s

# Time limit for the SMTP client to send the SMTP "." and receive the server's response
smtp_data_done_timeout = 60s

# Time limit for the SMTP client to send the SMTP DATA command and for the server to respond.
smtp_data_init_timeout = 10s

# Time limit for the SMTP client to send the SMTP message content
smtp_data_xfer_timeout = 30s

# Time limit for the SMTP client to send the HELO or EHLO command and receive the response.
smtp_helo_timeout = 30s

# Time limit for the SMTP client to send the MAIL FROM command and receive the server's response.
smtp_mail_timeout = 30s

# Time limit for the SMTP client to send the QUIT command and receive the response.
smtp_quit_timeout = 60s

# Time limit for the SMTP client to send the SMTP RCPT TO command and receive the response.
smtp_rcpt_timeout = 30s

# Time limit for the SMTP client to send the RSET command and receive the response.
smtp_rset_timeout = 30s

# Time limit for the Postfix SMTP client to write and receive the elements of the TLS start-up and shutdown procedures.
smtp_starttls_timeout = 60s

# Time limit for the SMTP client to send the XFORWARD command and receive the response.
smtp_xforward_timeout = 30s

# Maximum length of message header or body lines
smtp_line_length_limit = 100

# Time limit for the Postfix SMTP server to send a response and for the remote SMTP client to send a request.
smtpd_timeout = 30s

# The SMTP server's response is delayed when the client has made more than
# $smtpd_soft_error_limit and fewer than $smtpd_hard_error_limit errors
# without delivering mail.
smtpd_error_sleep_time = 1s

smtpd_soft_error_limit = 10

# Maximum number of errors a remote SMTP client is allowed to make without delivering mail.
smtpd_hard_error_limit = 20

# Time unit over which client connection rates and other rates are calculated.
anvil_rate_time_unit = 120

# Maximum number of simultaneous connections from one client
smtpd_client_connection_count_limit = 0

# Maximum number of connection attempts a client is allowed to make to this service per time unit.
smtpd_client_connection_rate_limit = 0

# Clients exempt from the per-client rate limits
smtpd_client_event_limit_exceptions = $mydomain,$mynetworks

# Maximum number of message delivery requests any client is allowed to make to this service
smtpd_client_message_rate_limit = 0

# Maximum number of new (i.e. not cached) TLS sessions a remote SMTP client is allowed to negotiate with this service
smtpd_client_new_tls_session_rate_limit = 0

# Maximum number of recipient addresses a client is allowed to send to this service
smtpd_client_recipient_rate_limit = 0


# Enable additional logging of the Postfix SMTP client's TLS activity.
# Each log level also includes the information of the lower levels.
## 0 Disable logging of TLS activity.
## 1 Log information about the handshake and certificates.
## 2 Log levels during the TLS handshake.
## 3 Log the hexadecimal and ASCII dump of the TLS handshake process.
## 4 Also log the complete hexadecimal and ASCII dump of the session after STARTTLS.
smtp_tls_loglevel = 0

# Expiry time for entries in the Postfix SMTP client's TLS session cache.
smtp_tls_session_cache_timeout = 7200s

debug_peer_level = 1
smtpd_tls_loglevel = 0

#### Modified reject codes.
# These rejections increase outgoing traffic, notably towards spammers who ignore them, but above all they tell legitimate clients the reason for the rejection.
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550

postconf -n

2bounce_notice_recipient = server_mail
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = save_mail@ns212907.ovh.net
anvil_rate_time_unit = 120
append_dot_mydomain = no
biff = no
bounce_notice_recipient = server_mail
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_level = 1
delay_notice_recipient = server_mail
error_notice_recipient = server_mail
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps = 
local_transport = local
mailbox_size_limit = 0
mydestination = localhost, localhost.localdomain
mydomain = mondomaine.com
myhostname = $mydomain
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
notify_classes = bounce, delay, policy, protocol, resource, software
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost = 
smtp_connection_cache_destinations = mondomaine.com
smtp_connection_cache_time_limit = 30s
smtp_data_done_timeout = 60s
smtp_data_init_timeout = 10s
smtp_data_xfer_timeout = 30s
smtp_enforce_tls = no
smtp_helo_timeout = 30s
smtp_line_length_limit = 100
smtp_mail_timeout = 30s
smtp_quit_timeout = 60s
smtp_rcpt_timeout = 30s
smtp_rset_timeout = 30s
smtp_starttls_timeout = 60s
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_cert_file = /etc/postfix/ssl/mail-cert.pem
smtp_tls_key_file = /etc/postfix/ssl/mail-key.pem
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 7200s
smtp_use_tls = yes
smtp_xforward_timeout = 30s
smtpd_banner = $myhostname ESMTP $mail_name (By chapodepay)
smtpd_client_connection_count_limit = 0
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = $mydomain,$mynetworks
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, reject_rbl_client rbl-plus.mail-abuse.org, reject_rbl_client bl.spamcop.net, reject_rbl_client will-spam-for-food.eu.org, reject_rbl_client relays.mail-abuse.org, reject_rbl_client blackholes.mail-abuse.org, reject_rbl_client wingate.opm.blitzed.org,
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_restrictions = reject_invalid_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_unknown_address, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client combined.njabl.org, reject_rhsbl_sender zen.spamhaus.org reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client rbl-plus.mail-abuse.org, reject_rbl_client will-spam-for-food.eu.org, reject_rbl_client relays.mail-abuse.org, reject_rbl_client blackholes.mail-abuse.org, reject_rbl_client wingate.opm.blitzed.org, permit
smtpd_soft_error_limit = 10
smtpd_timeout = 30s
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/mail-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/mail-key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 10s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
virtual_alias_domains = 
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_uid_maps = static:5000

Postfix master.cf

smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
         -o content_filter=
         -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
       -o smtp_helo_timeout=10 -o smtp_connect_timeout=10
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

smtp-amavis unix - - - - 2 smtp
 -o smtp_data_done_timeout=12000
 -o smtp_send_xforward_command=yes
# -o content_filter=spamassassin

127.0.0.1:10025 inet n - - - - smtpd
 -o content_filter=
 -o local_recipient_maps=
 -o relay_recipient_maps=
 -o smtpd_restriction_classes=
 -o smtpd_client_restrictions=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=127.0.0.0/8
 -o strict_rfc821_envelopes=yes
 -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
 -o smtpd_bind_address=127.0.0.1
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
 -o smtpd_client_message_rate_limit=0
 -o smtpd_client_new_tls_session_rate_limit=0

spamassassin  unix  -   n     n     -   -   pipe
    user=spamd    argv=/usr/bin/spamc -f  -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Amavisd-new amavisd.conf

use strict;
$MYHOME = '/var/lib/amavis';   # (default is '/var/amavis')
$mydomain = 'mondomaine.com';

$TEMPBASE = $MYHOME;           # (must be set if other config vars use is)
$pid_file  = "/var/run/amavis/amavisd.pid";  # (default: "$MYHOME/amavisd.pid")
$lock_file = "/var/run/amavis/amavisd.lock"; # (default: "$MYHOME/amavisd.lock")
$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory
$max_servers  =  4;   # number of pre-forked children          (default 2)
$max_requests = 10;   # retire a child after that many accepts (default 10)
$child_timeout=5*60;  # abort child if it does not complete each task in n sec
                      # (default: 8*60 seconds)
# @bypass_virus_checks_acl = qw( . );  # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_acl  = qw( . );  # uncomment to DISABLE anti-spam code

@local_domains_acl = ( "." );  # $mydomain and its subdomains

$relayhost_is_client = 0;         # (defaults to false)

$insert_received_line = 1;
$unix_socketname = undef;
$inet_socket_port = 10024;
$inet_socket_bind = '127.0.0.1';
@inet_acl = qw( 127.0.0.1 );
$DO_SYSLOG = 1;
$LOGFILE = "/var/log/amavis/amavis.log";  # (defaults to empty, no log)
#$log_level = 2;                # (defaults to 0)
$log_level = 1;
$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
[?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
read_l10n_templates('en_US', '/etc/amavis');





$final_virus_destiny      = D_REJECT; # (defaults to D_BOUNCE)
$final_banned_destiny     = D_REJECT;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_PASS;  # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

$viruses_that_fake_sender_re = new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc
  [qr'^(EICAR|Joke\.|Junk\.)'i         => 0],
  [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i  => 0],
  [qr/.*/ => 1],  # true by default  (remove or comment-out if undesired)
);

$virus_admin = "postmaster\@$mydomain";                # due to D_DISCARD default

$mailfrom_to_quarantine = '';   # override sender address with null return path

$QUARANTINEDIR = '/var/lib/amavis/virusmails';


$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
$spam_quarantine_to = 'spam-quarantine';

$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it


#$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
$remove_existing_x_scanned_headers= 1; # remove existing headers
                                        # (defaults to false)
#$remove_existing_spam_headers = 0;     # leave existing X-Spam* headers alone
$remove_existing_spam_headers  = 1;     # remove existing spam headers if
                                        # spam scanning is enabled (default)

$keep_decoded_original_re = new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',
);

$banned_filename_re = new_RE(
#  qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
   qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
   qr'[{}]',     # curly braces in names (serve as Class ID extensions - CLSID)
#  qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i,           # banned extension - basic
#  qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
#         jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
#         vbe|vbs|wsc|wsf|wsh)$'ix,                  # banned extension - long
#  qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
#  qr'^\.(zip|lha|tnef|cab)$'i,                      # banned file(1) types
#  qr'^\.exe$'i,                                     # banned file(1) types
#  qr'^application/x-msdownload$'i,                  # banned MIME types
#  qr'^application/x-msdos-program$'i,
   qr'^message/partial$'i,  # rfc2046. this one is deadly for Outcrook
#  qr'^message/external-body$'i, # block rfc2046
);

@lookup_sql_dsn =
   ( ['DBI:mysql:database=postfix;host=127.0.0.1;port=3306', 'postfix', 'postfixch4p0'] );

$sql_select_policy = 'SELECT "Y" as local FROM domains WHERE CONCAT("@",domain) IN (%k)';

$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting

$recipient_delimiter = '+';                # (default is '+')

$replace_existing_extension = 1;        # (default is false)

$localpart_is_case_sensitive = 0;        # (default is false)

$blacklist_sender_re = new_RE(
    qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
    qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
    qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonl|smoking2002k)@'i,
    qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
    qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
    qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);

map { $whitelist_sender{lc($_)}=1 } (qw(
  nobody@cert.org
  owner-alert@iss.net
  slashdot@slashdot.org
  bugtraq@securityfocus.com
  NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  security-alerts@linuxsecurity.com
  amavis-user-admin@lists.sourceforge.net
  razor-users-admin@lists.sourceforge.net
  notification-return@lists.sophos.com
  mailman-announce-admin@python.org
  zope-announce-admin@zope.org
  owner-postfix-users@postfix.org
  owner-postfix-announce@postfix.org
  owner-sendmail-announce@lists.sendmail.org
  sendmail-announce-request@lists.sendmail.org
  ca+envelope@sendmail.org
  owner-technews@postel.ACM.ORG
  lvs-users-admin@LinuxVirtualServer.org
  ietf-123-owner@loki.ietf.org
  cvs-commits-list-admin@gnome.org
  rt-users-admin@lists.fsck.com
  owner-announce@mnogosearch.org
  owner-hackers@ntp.org
  owner-bugs@ntp.org
  clp-request@comp.nus.edu.sg
  surveys-errors@lists.nua.ie
  emailNews@genomeweb.com
  owner-textbreakingnews@CNNIMAIL12.CNN.COM
  yahoo-dev-null@yahoo-inc.com
));

$MAXLEVELS = 14;                # (default is undef, no limit)

$MAXFILES = 1500;                # (default is undef, no limit)

$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$MIN_EXPANSION_FACTOR =   5;  # times original mail size  (must be specified)
$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (must be specified)

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

$file   = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability


$gzip   = 'gzip';
$bzip2  = 'bzip2';

$lzop   = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze   = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc        = ['nomarch', 'arc'];
$unarj      = ['arj', 'unarj'];  # both can extract, arj is recommended
$unrar      = ['rar', 'unrar'];  # both can extract, same options
$zoo    = 'zoo';
$lha    = 'lha';
$cpio   = 'cpio';   # comment out if cpio does not support GNU options

$sa_local_tests_only = 0;   # (default: false)
#$sa_auto_whitelist = 1;    # turn on AWL (default: false)

# Timeout for SpamAssassin. This is only used if SpamAssassin does NOT
# override it (which it often does if sa_local_tests_only is not true)
$sa_timeout = 30;           # timeout in seconds for a call to SpamAssassin
                            # (default is 30 seconds, undef disables it)

# AWL (auto whitelisting), requires spamassassin 2.44 or better
# $sa_auto_whitelist = 1;   # defaults to undef

$sa_mail_body_size_limit = 150*1024;

@av_scanners = (

### http://www.clamav.net/
#/var/run/clamav/clamd.ctl
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: run clamd under the same user as amavisd;  match the socket
# name (LocalSocket) in clamav.conf to the socket name in this entry
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

);

@av_scanners_backup = (

  ### http://www.clamav.net/
  ['Clam Antivirus - clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

);

1;

Last edited by chapodepay (14/01/2011 at 20:07)



#2 On 10/01/2011 at 12:05

sylvain1970

Re: [solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)

Hello,
there is an excellent tutorial for a mail server configuration here. It will surely help you configure your server.

#3 On 10/01/2011 at 15:20

chapodepay

Re: [solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)

Thanks for your reply, but that isn't quite what I was expecting; I'm expecting an analysis of my config, to get advice on optimisation, mistakes I may have made, omissions, etc.



#4 On 14/01/2011 at 20:03

Uggy

Re: [solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)

chapodepay wrote:

I'm expecting an analysis of my config, to get advice on optimisation

You can already remove from your main.cf all the unnecessary parameters, since they are the default values (e.g. inet_interfaces, relayhost, etc.).

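Two points in this thread can be checked mechanically: the posted main.cf defines several parameters twice (smtpd_recipient_restrictions among them) and, as postconf(5) documents, Postfix keeps only the last definition, which is why the `postconf -n` output above shows the short three-item list rather than the RBL list defined higher up; and Uggy's suggestion to drop parameters that merely repeat the built-in defaults. The Python audit below is an added example, not code from the thread or from Postfix; its main.cf excerpt and its defaults table are constructed to mirror the posted configuration, and on a real host the defaults should be taken from `postconf -d`.

```python
"""Audit a Postfix main.cf for duplicate definitions and parameters that only
repeat built-in defaults. Added example for this thread; not the poster's code
and not part of Postfix. Per postconf(5), only the LAST definition counts."""
import re

# Constructed excerpt mirroring the posted main.cf: smtpd_recipient_restrictions
# is defined twice, first with RBL checks, later with only three restrictions.
SAMPLE_MAIN_CF = """\
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
 reject_non_fqdn_sender,
 reject_unauth_destination,
 reject_rbl_client zen.spamhaus.org,
# reject_rbl_client china.rominet.net,
 permit
relayhost =
inet_interfaces = all
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtp_use_tls = yes
"""

# Constructed subset of `postconf -d` output (built-in defaults); on a real
# host generate this table from `postconf -d` instead of a hand-written list.
SAMPLE_DEFAULTS = {
    "inet_interfaces": "all",
    "relayhost": "",
    "smtp_use_tls": "no",
}


def parse_main_cf(text):
    """Return (name, value, lineno) tuples in file order, following postconf(5):
    a line starting with whitespace continues the previous logical line; blank
    lines and lines whose first non-blank character is '#' are skipped, even in
    the middle of a continued value."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():                      # continuation line
            if current is None:
                raise ValueError(f"line {lineno}: continuation without a parameter")
            current[1] = f"{current[1]} {stripped}".strip()
            continue
        if current is not None:
            entries.append(tuple(current))
        name, sep, value = stripped.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'name = value'")
        current = [name.strip(), value.strip(), lineno]
    if current is not None:
        entries.append(tuple(current))
    return entries

def tokens(value):
    """Restriction lists are comma- and/or whitespace-separated: compare as tokens."""
    return [t for t in re.split(r"[\s,]+", value) if t]

def find_duplicates(entries):
    """Map each parameter defined more than once to its [(lineno, value), ...]."""
    seen = {}
    for name, value, lineno in entries:
        seen.setdefault(name, []).append((lineno, value))
    return {n: d for n, d in seen.items() if len(d) > 1}

def effective_config(entries):
    """What Postfix really uses: the last assignment of each parameter wins."""
    return {name: value for name, value, _ in entries}

def redundant_defaults(effective, defaults):
    """Parameters set to exactly their built-in default and thus removable."""
    return sorted(n for n, v in effective.items()
                  if n in defaults and tokens(v) == tokens(defaults[n]))

def audit(text, defaults):
    """Full report: duplicates (with the winning line), effective values, redundant settings."""
    entries = parse_main_cf(text)
    effective = effective_config(entries)
    return {"duplicates": find_duplicates(entries), "effective": effective,
            "redundant": redundant_defaults(effective, defaults)}

if __name__ == "__main__":
    report = audit(SAMPLE_MAIN_CF, SAMPLE_DEFAULTS)
    for name, defs in report["duplicates"].items():
        print(f"{name}: defined on lines {[ln for ln, _ in defs]}, "
              f"line {defs[-1][0]} wins")
        lost = sorted(set(tokens(defs[0][1])) - set(tokens(defs[-1][1])))
        if lost:
            print(f"  tokens from the first definition no longer in effect: {lost}")
    print("parameters that only repeat defaults:", report["redundant"])
```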

#5 On 14/01/2011 at 20:07

chapodepay

Re: [solved] Looking for advice: Postfix (mysql/tls/sasl/clamav/spamassassin)

Sorry, I hadn't updated the thread.

I completely redid the config with dovecot/amavis/spamassassin and got a big performance gain; above all I needed the management/filtering capabilities of sieve, which comes with dovecot.

I'm happy with my new config, identical to this one: http://www.starbridge.org/spip/spip.php?article12

