Re: New Installation of Postfix Server

[Roger Marquis]

Vishal Agarwal wrote:

I want to reinstall postfix server right from scratch with spam filter,
grey listing and antivirus support working on submission port. Pl
suggest/advise any practical working tutorial.


 

PostConf won't teach you how to edit postfix configuration files but it
will install and configure a fully functioning server.

If you do want to learn how to edit main.cf and other configuration files
directly: create a backup of the file, use PostConf to make an update,
then 'diff' the two files to see what changed.

Roger Marquis

Re: New Installation of Postfix Server

[Sahil Tandon]

On Sun, 2012-03-25 at 14:13:12 -0500, /dev/rob0 wrote:
> ...
> On Sun, Mar 25, 2012 at 02:01:05PM -0400, John Hudak wrote:
> > Sometimes, it is very helpful to get a view of how all the parts 
> > fit together, their inter-dependencies for configuration, some 
> > aspect of data flow, etc.  In some cases, these 'kitchen sink' 
> > articles serve that purpose very well, not to mention sometimes 
> > citing/or based on OS install specifics wrt directory structures, 
> > permissions, etc.
> 
> This is a valid point. You CAN use such tutorials to help gain the 
> "big picture" overview of what you need.
> ...

e.g. http://rob0.nodns4.us/howto/

-- 
Sahil Tandon

Re: New Installation of Postfix Server

[/dev/rob0]

> On Sun, Mar 25, 2012 at 10:34 AM, /dev/rob0  wrote:
> > On Sun, Mar 25, 2012 at 10:15:40AM +0600, Vishal Agarwal wrote:
> > > I want to reinstall postfix server right from scratch with
> > > spam filter, grey listing and antivirus support working on 
> > > submission port. Pl suggest/advise any practical working 
> > > tutorial.
> >
> > I have reviewed quite a few of what I call the "kitchen sink" 
> > tutorials on the web, those which include "everything but the 
> > kitchen sink" (a colloquial expression.) Most of them are very 
> > weak for various reasons. IMO they're trying to cover too much 
> > material. They cannot take the place of the software 
> > documentation.
> >
> > The right thing to do is to take it in pieces, so you understand
> > about each piece.

On Sun, Mar 25, 2012 at 02:01:05PM -0400, John Hudak wrote:
> Sometimes, it is very helpful to get a view of how all the parts 
> fit together, their inter-dependencies for configuration, some 
> aspect of data flow, etc.  In some cases, these 'kitchen sink' 
> articles serve that purpose very well, not to mention sometimes 
> citing/or based on OS install specifics wrt directory structures, 
> permissions, etc.

This is a valid point. You CAN use such tutorials to help gain the 
"big picture" overview of what you need.

> So, having pointed the OP to a wealth of detailed info,
> and having reviewed 'quite a few "kitchen sink" articles"
> perhaps you could suggest one or two of the better ones

I am not familiar with any such tutorial that precisely meets the 
OP's stated goals. Note also that the OS in use was not stated, 
neither could it be guessed from context.

Most of the tutorials one might find are for setting up virtual 
mailboxes with a MySQL database backend. That was not stated as a 
goal, nor should it be a goal in many cases. And as you note, in 
general they are specific to one OS or Linux distribution.

One tutorial to which I can give qualified approval is the one at 
workaround.org, "ISP-style mail". I know the author to be competent 
in Postfix and general Unix/Linux matters. But:

1. His howto is for Debian, which might not be suitable. Changing
   one's OS for the purpose of beginning a mail server is *not*
   advisable: one should be fluent in the OS/distro BEFORE one
   undertakes a project so complex as a mail server. (I should have
   mentioned this in my previous post.)

2. His howto is for MySQL-based virtual mailboxes, "ISP-style mail",
   which as I indicated above, is not what everyone needs. You may
   need that if you are running an ISP. Again, that was not stated
   in the OP.

2a. (Also, I did not like the SQL schema, so I made my own for
   SQLite, with the benefit -- and the drawbacks! -- of greater
   normalization.)

3. While it does cover content filtering, it does not cover the
   pre-DATA spam control tactics[1] as are usually a good idea. And
   I don't think the content filtering will block authenticating
   malware, which I inferred (right or wrong) was one of the goals.

4. Sender rate limiting is not covered at all, and if my inference
   was correct, that would be a good idea.

With those caveats, it might be useful to the OP. But I guess the 
bottom line is that there's no one-size-fits-all solution for mail 
servers.

Regarding the matter of authenticating malware, I'm working on that 
issue myself, and in due time I might put forth a howto therefor.


[1] A link to such a page exists, but is 404 at this time:
   http://workaround.org/ispmail/squeeze/postfix-smtpd-restrictions
   Perhaps it exists for previous versions?
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: New Installation of Postfix Server

[Stan Hoeppner]

On 3/24/2012 11:15 PM, Vishal Agarwal wrote:

> I want to reinstall postfix server right from scratch with spam filter, grey
> listing and antivirus support working on submission port.

You probably don't want greylisting on your submission port.

-- 
Stan

Re: New Installation of Postfix Server

[John Hudak]

Sometimes, it is very helpful to get a view of how all the parts fit
together, their inter-dependencies for configuration, some aspect of data
flow, etc.  In some cases, these 'kitchen sink' articles serve that purpose
very well, not to mention sometimes citing/or based on OS install specifics
wrt directory structures, permissions, etc.
So, having pointed the OP to a wealth of detailed info, and having reviewed
'quite a few "kitchen sink" articles" perhaps you could suggest one or two
of the better ones

On Sun, Mar 25, 2012 at 10:34 AM, /dev/rob0  wrote:

> On Sun, Mar 25, 2012 at 10:15:40AM +0600, Vishal Agarwal wrote:
> > I want to reinstall postfix server right from scratch with spam
> > filter, grey listing and antivirus support working on submission
> > port. Pl suggest/advise any practical working tutorial.
>
> I have reviewed quite a few of what I call the "kitchen sink"
> tutorials on the web, those which include "everything but the kitchen
> sink" (a colloquial expression. Most of them are very weak for
> various reasons. IMO they're trying to cover too much material. They
> cannot take the place of the software documentation.
>
> The right thing to do is to take it in pieces, so you understand
> about each piece.
>
> Installing Postfix:
> http://www.postfix.org/INSTALL.html
> http://www.postfix.org/BASIC_CONFIGURATION_README.html
>
> Spam filter & greylisting:
> http://www.postfix.org/POSTSCREEN_README.html
> (and Google this mailing list for my example postscreen config)
> http://www.postfix.org/SMTPD_ACCESS_README.html
> http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
>
> I don't recommend greylisting other than what postscreen(8) does,
> assuming you choose to activate the "deep protocol tests". YMMV of
> course, but many spam zombies do go through their lists twice or
> more.
>
> Note that greylisting and postscreen make no sense at all and will
> not work on submission. Likewise, such tactics as DNSBL lookups and
> HELO checks are counterproductive when applied to submission users.
>
> A submission example is in your master.cf, but it requires SASL and
> strongly suggests the need for TLS:
> http://www.postfix.org/SASL_README.html
> http://www.postfix.org/TLS_README.html
>
> Somewhere along the way (before SASL) you should choose an IMAP
> server. Dovecot simplifies the SASL setup:
> http://www.dovecot.org/
> http://wiki2.dovecot.org/ for documentation
>
> Antivirus / antizombie protection on submission is very important.
> You're not going to be able to do that natively in Postfix. You'll
> want rate limiting and content filtering.
>
> For rate limiting, a policy service is useful. See this:
> http://www.postfix.org/SMTPD_POLICY_README.html
>
> Consider one of the following third-party packages:
> http://www.postfwd.org/
> http://www.policyd.org/
>
> For content filtering, I'd recommend amavisd-new with SpamAssassin as
> a post-queue filter. I think you will have to tweak the default
> amavisd configuration to do filtering of submission mail. See here:
> http://www.amavisd.org/
>
> (And NB to Mark: I think now is the time to reconsider that default,
> because authenticating malware is on the rise, and one such
> experience can be devastating, getting you blocked everywhere.)
>
> Amavisd-new can chain multiple filters, and it invokes SA internally
> as perl modules, but you might also be interested in their sites:
> http://spamassassin.apache.org/
>
> IME clamav did not matter much on inbound mail when using the
> aforementioned Postfix-based spam controls, but it might be useful
> against authenticating malware, and it certainly does not hurt to
> have it deployed and ready. See here:
> http://www.clamav.net/
>
> Yes, that is a lot of stuff to cover. Mail admin is not for the faint
> of heart. :) Good luck.
> --
>  http://rob0.nodns4.us/ -- system administration and consulting
>  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>

Re: New Installation of Postfix Server

[Charles Marcus]

On 2012-03-25 10:34 AM, /dev/rob0  wrote:

Somewhere along the way (before SASL) you should choose an IMAP
server. Dovecot simplifies the SASL setup:
http://www.dovecot.org/
http://wiki2.dovecot.org/  for documentation


Just to point out something that isn't clear from your (otherwise 
excellent) response:


Using dovecot-sasl does *not* require you to also use the dovecot IMAP 
server. You could use any other IMAP server, and still use dovecot-sasl 
for a much simplified sasl setup (at least as opposed to cyrus-sasl).


But that said, dovecot being the best IMAP server out there bar none - 
yes, Cyrus is more mature, and still has some features that dovecot 
lacks, but the latter is only temporary, as dovecot is quickly catching 
up and will soon *surpass* cyrus' feature set.


--

Best regards,

Charles

Re: New Installation of Postfix Server

[/dev/rob0]

On Sun, Mar 25, 2012 at 09:34:48AM -0500, I wrote:
> I have reviewed quite a few of what I call the "kitchen sink" 
> tutorials on the web, those which include "everything but the 
> kitchen sink" (a colloquial expression. Most of them are very weak 
^)
> for various reasons. IMO they're trying to cover too much material. 
> They cannot take the place of the software documentation.

An unterminated parenthetical expression, sorry. :)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: New Installation of Postfix Server

[/dev/rob0]

On Sun, Mar 25, 2012 at 10:15:40AM +0600, Vishal Agarwal wrote:
> I want to reinstall postfix server right from scratch with spam 
> filter, grey listing and antivirus support working on submission 
> port. Pl suggest/advise any practical working tutorial.

I have reviewed quite a few of what I call the "kitchen sink" 
tutorials on the web, those which include "everything but the kitchen 
sink" (a colloquial expression. Most of them are very weak for 
various reasons. IMO they're trying to cover too much material. They 
cannot take the place of the software documentation.

The right thing to do is to take it in pieces, so you understand 
about each piece.

Installing Postfix:
http://www.postfix.org/INSTALL.html
http://www.postfix.org/BASIC_CONFIGURATION_README.html

Spam filter & greylisting:
http://www.postfix.org/POSTSCREEN_README.html
(and Google this mailing list for my example postscreen config)
http://www.postfix.org/SMTPD_ACCESS_README.html
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

I don't recommend greylisting other than what postscreen(8) does, 
assuming you choose to activate the "deep protocol tests". YMMV of 
course, but many spam zombies do go through their lists twice or 
more.

Note that greylisting and postscreen make no sense at all and will 
not work on submission. Likewise, such tactics as DNSBL lookups and 
HELO checks are counterproductive when applied to submission users.

A submission example is in your master.cf, but it requires SASL and 
strongly suggests the need for TLS:
http://www.postfix.org/SASL_README.html
http://www.postfix.org/TLS_README.html

Somewhere along the way (before SASL) you should choose an IMAP 
server. Dovecot simplifies the SASL setup:
http://www.dovecot.org/
http://wiki2.dovecot.org/ for documentation

Antivirus / antizombie protection on submission is very important. 
You're not going to be able to do that natively in Postfix. You'll 
want rate limiting and content filtering.

For rate limiting, a policy service is useful. See this:
http://www.postfix.org/SMTPD_POLICY_README.html

Consider one of the following third-party packages:
http://www.postfwd.org/
http://www.policyd.org/

For content filtering, I'd recommend amavisd-new with SpamAssassin as 
a post-queue filter. I think you will have to tweak the default 
amavisd configuration to do filtering of submission mail. See here:
http://www.amavisd.org/

(And NB to Mark: I think now is the time to reconsider that default, 
because authenticating malware is on the rise, and one such 
experience can be devastating, getting you blocked everywhere.)

Amavisd-new can chain multiple filters, and it invokes SA internally 
as perl modules, but you might also be interested in their sites:
http://spamassassin.apache.org/

IME clamav did not matter much on inbound mail when using the 
aforementioned Postfix-based spam controls, but it might be useful 
against authenticating malware, and it certainly does not hurt to 
have it deployed and ready. See here:
http://www.clamav.net/

Yes, that is a lot of stuff to cover. Mail admin is not for the faint 
of heart. :) Good luck.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

New Installation of Postfix Server

[Vishal Agarwal]

Hi,

 

I want to reinstall postfix server right from scratch with spam filter, grey
listing and antivirus support working on submission port. Pl suggest/advise
any practical working tutorial.

 

Thanks/regards,

Vishal Agarwal