Home

Work the E-mail, Part I

Issue 162

From Issue #162
October 2007

Oct 01, 2007  By Marco Fioretti
 in
When it comes to e-mail, what do small organizations need? Why? And, how do you make it happen?

Listing 1. Snippet of a Typical master.cf File

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
  
procmail  unix  -       n       n       -       -       pipe flags=R 
     ↪user=procmail_user  
     ↪argv=/usr/bin/procmail -t -m USER=${user} 
     ↪EXTENSION=${extension} /etc/procmailrc

Each line starts with the dæmon name (service) and the way it talks with Postfix (Internet/UNIX sockets or FIFOs). The next parameters show whether it's private to the mail system and whether it runs with or without privileges into a chroot (that is, into a restricted filesystem). Wakeup and maxproc define the wake-up interval and the maximum number of processes that may execute this service simultaneously. The line ends with the actual command that invokes the dæmon, with all its options. We'll look in detail at some dæmons in the upcoming articles. For now, it's enough to know that one or more -v switches enable verbose logging and that a - value means use the default value for that field.

Defining Variables: main.cf

Postfix has hundreds of configuration variables, but don't worry. To build a working system, you need to set only about 20 of them. To get an idea of Postfix's capabilities and the way it works, see Listing 2. It is an excerpt, by no means complete (or working), of a real main.cf file. More specifically, it shows only the main options that must be set to a different value than the default or the ones that are particularly important for spam fighting and not making an open relay. We will build a complete main.cf file in upcoming articles in this series.

Listing 2. Excerpt of a Postfix main.cf File

#Section 1: basic setup
myhostname         = the.full.name.of.your.server (eg mybox.home.network)
mydomain           = $myhostname
myorigin           = $mydomain
  
#Section 2: receiving mail
inet_interfaces = all
mydestination   = $myhostname, localhost
  
#Sections 3: define who can relay through this server
mynetworks = 127.0.0.0/8
relay_domains =
  
#Section 4: define virtual domains and virtual user maps
virtual_mailbox_domains = myfamily.net mybusiness.com
virtual_mailbox_base    = /var/mail/mail_storage
virtual_mailbox_maps    = hash:/etc/postfix/vmailbox
virtual_transport       = procmail
  
#Section 5: ignore spambots which don't respect the SMTP specs
#   from http://www.howtoforge.com/virtual_postfix_antispam
smtpd_helo_required          = yes
strict_rfc821_envelopes      = yes
disable_vrfy_command         = yes
  
#Section 6: ignore unknown senders or those which
#           don't show proper credentials
  
smtpd_helo_restrictions      =
  
smtpd_recipient_restrictions = 
                               reject_invalid_hostname,
                               reject_non_fqdn_hostname,
                               reject_non_fqdn_sender,
                               reject_non_fqdn_recipient,
                               permit_mynetworks,
                               reject_unauth_destination

Section 1 contains the full name of the VPS box. Section 2 defines from where we accept mail and for which destinations. The first law of each SMTP server is never to become a spambot by relaying messages of unknown origin or useless bounce notifications to the Internet. This is what Section 3 is for. As it is, it means that only messages originated on the server will be sent outside. Section 4 says that we accept e-mail for the two myfamily.net and mybusiness.com domains, but only for the users in the /etc/postfix/vmailbox map, and that we use procmail to store incoming messages into the /var/mail/mail_storage folder.

When proper SMTP filtering rules are available (as shown in Figure 1), an SMTP server can recognize and refuse a lot of spam as soon as it is contacted, without even downloading the whole message. This is what sections 5 and 6 do. Besides the official documentation, their content is described in full detail in the Postfix anti-UCE cheat sheet (see Resources). Note that the server actually will work only if you set DNS properly, but this, as well as the exact meaning of all those variables, is something I'll discuss in future articles. For now, let's finish by introducing Postfix maps.

______________________

Articles about Digital Rights and more at http://stop.zona-m.net CV, talks and bio at http://mfioretti.com

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions