Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of jeremy.als...@imap-mail.com

> Hi Victor.
>
> On Fri, 08 Apr 2011 00:59 -0400, Victor Duchovni victor.ducho...@morganstanley.com wrote:
>> Start simple, and add features gradually. There is a steep learning curve for a novice to deploy a complex production system with no prior experience.
>
> It sure feels pretty steep already. I guess I'm glad I'm not just imagining things. I'm pretty sure I want to stick with the single Instance setup. Like you said, for now at the least. I found a pretty good example, Spamassassin + ClamAV + Postfix WITHOUT Amavis (Debian) http://www.xtarutaru.com/2009/04/16/spamassassin-clamav-postfix-without-amavis-debian/ that along with Daniel's comments that's helping me to make sense of this a bit better.

There's a ton of howtos out there - I'm sure you can find one that suits all your needs. The nice thing about this one is that it'll keep you on the track you've been advised on - i.e. keeping things simple and adding features as you go. I would recommend using amavis for your spam and virus checking though. The Howto you're looking at specifically doesn't use it because of resource constraints on the host. However, it sounds like you don't have that constraint.

> I'm still going to read through some more of those Multiple Instance examples so maybe I can get some idea which road to point myself down for later. If I do any of the Multiple Instance setup is there a good Document that tells what configuration goes into what file? Does configuration flow down from the 1st one you setup ? So that PostScreen configuration, which looks to do some of the work I want done, goes into which config file?

Personally, I don't think you need multiple instances. If the book you got was The Book of Postfix, then it was written by contributors to this list - and you can't go wrong.

Setting up my own mail server to handle mail for multiple domains with spam and virus checking is one of the most worthwhile and fun things I've ever done. I really want to encourage you to stay on the learning curve you've chosen. I've been successfully blocking up to 98% of traffic (when the Rustock botnet was running) using a very simple set up but my false negatives are almost non-existent and my false positives are very low.

I'm sure there are more valid opinions but my advice for what it's worth is:

. Set up postfix to receive and send mail securely (i.e. don't be an open-relay!)
. Get your delivery agent set up (Courier/Dovecot) and working
. Implement some sort of sender authentication (e.g. SASL - though it will depend on your choices above) even if your users will only send mail to the server from inside the network
. Some sort of log reporting (pflogsumm/postfix-logwatch) working
. Add in the postfix's native spam controls, limiting and checks
. Then look at content filtering (spam, virus and other objectionable content) - as you've already learnt this can be handed off to a different server/service, even if they're on the same host
. Then look at more advanced controls like grey-listing and postscreen

If in doubt, ask and remember that most defaults are there for a reason. Consider the implications before changing them (but some will need to be changed to suit your set-up).

Have fun.
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
Simon Brereton put forth on 4/8/2011 8:19 AM:

> . Add in the postfix's native spam controls, limiting and checks

In this regard, try this out in your initial setup. A brief description and instructions are at the top of the file. It's very easy to implement--one line in main.cf. It will stop most bot spam in lieu of Postscreen, and may stop some spam that Postscreen doesn't. Myself and others here use it with good results. The rare FP will be folks sending you legit mail from MTAs behind consumer broadband IPs.

http://www.hardwarefreak.com/fqrdns.pcre

Now would be a good time to look into the "everything under smtpd_recipient_restrictions" main.cf style. This is the currently preferred main.cf layout for most setups. Makes things easier on you, the OP.

> . Then look at content filtering (spam, virus and other objectionable content)

I'd probably reverse the order or priority of these last two.

> . Then look at more advanced controls like grey-listing and postscreen

I'd avoid greylisting at all costs unless all other anti bot spam countermeasures fail. With the combination of fqrdns.pcre, postscreen, and the right dnsbls, you shouldn't need greylisting. And all of these combined checks will still be much faster and far less resource intensive than greylisting.

-- Stan
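A main.cf fragment in the "everything under smtpd_recipient_restrictions" layout mentioned above, with the open-relay guard from Simon's first step placed ahead of the spam checks. This is an added example, not configuration posted by anyone in the thread; the file path /etc/postfix/fqrdns.pcre and the DNSBL zone zen.spamhaus.org are assumptions.

```conf
# /etc/postfix/main.cf (fragment) - constructed example, not from the thread.
#
# Keep the other restriction classes empty so that every check lives in one
# list and is evaluated in the order written, once per RCPT TO.
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =

# Require HELO/EHLO before MAIL FROM.
smtpd_helo_required = yes

# Order of the list below, and why it matters:
#  1. permit_mynetworks, permit_sasl_authenticated
#       Trusted clients (local networks, authenticated users) are accepted
#       first, so the spam checks further down never hit your own users.
#  2. reject_unauth_destination
#       The relay guard. Everything that is neither a trusted client nor
#       addressed to one of your own domains stops here. Keep it ABOVE any
#       check_*_access lookup: a table entry that returns OK before this
#       point would permit relaying to any destination.
#  3. reject_non_fqdn_* / reject_unknown_sender_domain
#       Cheap syntax and DNS sanity checks on the envelope addresses.
#  4. check_reverse_client_hostname_access
#       The "one line" for fqrdns.pcre: matches the client's reverse DNS
#       name against patterns for dynamic/consumer address ranges.
#       The path is an assumption; use wherever you saved the file.
#  5. reject_rbl_client
#       DNSBL lookup last, because it costs a network query.
#       The zone name is an assumption; the thread names no DNSBL.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
    reject_rbl_client zen.spamhaus.org
```

After `postfix reload`, `postconf -n` shows the values actually in effect, and a test delivery from an outside host to a non-local address should be refused with "Relay access denied".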
To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
Hi everybody.

I've been reading up how to install a mailserver for my office. At the local computer users group I was told about using PostFix on an Ubuntu system instead of Microsoft Exchange Server on Windows. I saw a demo at the user group, and thought it's worth a real look. They told us about this List as a User Community resource.

I want to just install a mailserver that listens on the Static address Comcast gave me, protects against these bots, spam and viruses, and then delivers it.

So far I've only been reading the website documentation. I ordered a book too that should get here to Topeka in a few days. The book looked old and I'm a bit worried it'll be out of date. But for learning technology I like a good book with examples I can follow.

On the website, I got to an article Postfix Before-Queue Content Filter at http://www.postfix.org/SMTPD_PROXY_README.html that looks like it does what I want. But I'm confused. It has boxes in the diagram there for 3 servers. Why 3? Do I need to have multiple computers to run this server?

I was also looking at the Content Filters listed on the website. There's a lot of them. I don't have a really big computer for this so want to do something that doesn't use a lot of resources. Reading around I saw this Amavisd application which looks like overkill for me and complicated to set up. I found two applications that are listed and seem to do what I need for spam and viruses, Spam Assassin and Clam AntiVirus. Are these good choices?

At the user group they mentioned a new feature built into PostFix. I found it, PostScreen. Is that even another server to deal with?

Like I said I just don't understand if I can do all this with just one computer server, or have to use lots. If I can get this cleared up with some pointers and figure out what to do with that diagram I think I'd be off to the races.

I'd appreciate any help.

Jeremy Alsten
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
Hi Daniel.

That was a quick reply. Thanks a bunch. Sorry, I got all the terminology wrong. Thanks for the lesson, though. Hopefully it'll stick a bit.

> Even a simple modern desktop PC can easily run (host) many server processes. Postfix is especially economical in this regard especially if configured in a trimmed-down way. Especially compared to anything in the Microsoft world. No need to buy new hardware.

Okay. At least I'm not huntin' with the wrong dog.

> http://www.postfix.org/MULTI_INSTANCE_README.html to get the background of multiple Postfix server processes running on one host.

Whoa. I took a look at that and that's a bit much for me at this stage of the game. Do I need to do it this Multi_Instance way? Even with your explanation I still don't understand how many PostFix servers I need to install on my one host. I really want to keep the bells and whistles to a minimum, and just get to the point that, mail comes in, gets thrown away if it's from one of those bots, has spam content or a virus, and if everything's okay, gets delivered to my InBox.

I think I get what you're saying about servers, processes and hosts. So one host is good enough. It'll have multiple processes running on it. So how many PostFix's, or these Instances of it, do I need to install to just get what I want to do done?

If I'm looking in the wrong places, that'd be good to know. Thanks for your time and help.

Jeremy Alsten
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
jeremy.als...@imap-mail.com put forth on 4/7/2011 8:39 PM:

> I think I get what you're saying about servers, processes and hosts. So one host is good enough. It'll have multiple processes running on it. So how many PostFix's, or these Instances of it, do I need to install to just get what I want to do done?

You're way out in front of yourself. Setting up spam filtering will come well after you get the basic setup accomplished and working. First you need to cover the basics:

1. Do you have an internet domain registered for which your Postfix server will be accepting mail? This is a prerequisite. (If you simply want to grab the mail from your Gmail or Yahoo account to your server box, then you need something like fetchmail, not Postfix). Do you have DNS A and MX records configured for said domain pointing the public IP address in front of the Postfix host box? Have you port forwarded TCP 25 on your consumer broadband router to the internal address (192.168.x.x) of the Postfix host machine?

2. Have you considered a mail retrieval method? For instance IMAP or POP? Postfix only accepts the mail and delivers it, in your case most likely to the local disk on the Postfix host (physical box). You must then retrieve it at your client desktop PC with a mail user agent such as ThunderBird or Outlook. This will require an IMAP or POP3 server running on the Postfix host, such as Dovecot or Courier.

These things must be up and working properly before considering implementing content filters or anything else beyond the basics.

Answering your specific question, no, you absolutely don't need multiple Postfix instances for a SOHO configuration: http://www.postfix.org/SOHO_README.html

-- Stan
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
On 4/7/2011 9:39 PM, jeremy.als...@imap-mail.com wrote:

> [snip]
>
> Whoa. I took a look at that and that's a bit much for me at this stage of the game. Do I need to do it this Multi_Instance way? Even with your explanation I still don't understand how many PostFix servers I need to install on my one host. I really want to keep the bells and whistles to a minimum, and just get to the point that, mail comes in, gets thrown away if it's from one of those bots, has spam content or a virus, and if everything's okay, gets delivered to my InBox.
>
> I think I get what you're saying about servers, processes and hosts. So one host is good enough. It'll have multiple processes running on it. So how many PostFix's, or these Instances of it, do I need to install to just get what I want to do done?
>
> If I'm looking in the wrong places, that'd be good to know. Thanks for your time and help.
>
> Jeremy Alsten

Jeremy,

Let me ask one super-meta question first: if all you have is one Inbox, why is IMAP service from, say, Gmail, or your ISP, not adequate? You can configure your MUA (Thunderbird, Biff, Outlook...) very easily and be off to the races enjoying Gmail's vast spam-filtering capabilities for free.

To run a server you'll need: a static IP (or dynamic IP with a dynamic DNS provider); availability of port 25 which most ISPs block incoming to residential service; a machine that is up and on the network more than 99% of the time; a decent reputation for the IP that your ISP gives you, which is unlikely if it's a residential IP; backup mail receivers for when your server does fail; a way of being paged or e-mailed when your server is down; and other sysadmin headaches.

[Note: I am writing this as Stan's note just arrived; some of my points are very similar and redundant.]

Anyway...I'm doing everything you describe with the exception of clamav with a single instance. It was recommended that two instances would make things cleaner and more extensible. I will get there as needs grow.

Look back in the archives for my name and the surrounding discussions such as http://tech.groups.yahoo.com/group/postfix-users/message/273634

At the risk of putting out incomplete information making things worse, here are two pieces of the puzzle I use to filter with SpamAssassin. So this is illustrative, not prescriptive:

This is from master.cf. What it's meant to illustrate is that all mail that comes in on the standard SMTP port 25 (and thus public, unencrypted, unauthenticated) is sent through a filter before taking the next step. (I have a very simple next

    smtp.example.com:smtp inet n - n - - smtpd
        -o content_filter=filter:dummy
        -o syslog_name=postfix-smtp
    filter unix - n n - - pipe
        flags=Rq user=spam argv=/usr/local/bin/spamc -U /tmp/spamd.sock -e /usr/sbin/sendmail -i -f ${sender} ${recipient}

-Daniel
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
Hi Stan. And Daniel.

> You're way out in front of yourself. Setting up spam filtering will come well after you get the basic setup accomplished and working. First you need to cover the basics:

I'm pretty sure I got most of these covered when we had Microsoft Exchange set up.

> Do you have an internet domain registered for which your Postfix server will be accepting mail?

Yes

> Do you have DNS A and MX records configured for said domain pointing the public IP address in front of the Postfix host box?

Yes

> Have you port forwarded TCP 25 on your consumer broadband router to the internal address (192.168.x.x) of the Postfix host machine?

I'm not sure you'd call it just a consumer device, but there's an Astaro Firewall Router box that does that.

> Have you considered a mail retrieval method? For instance IMAP or POP?

I was planning to do IMAP but I was told that that comes after getting PostFix set up.

> such as Dovecot or Courier.

There's another fella here already looking at the Dovecot application.

> Answering your specific question, no, you absolutely don't need multiple Postfix instances for a SOHO configuration: http://www.postfix.org/SOHO_README.html

I read that but didn't see anything about filtering spam or viruses. That other link that mentions those talks about the multiple servers or instances. I still don't know for sure. I'm hoping that book's gonna be a help for the likes of me.

> Let me ask one super-meta question first: if all you have is one Inbox, why is IMAP service from, say, Gmail, or your ISP, not adequate?

I have about 50 employees that I need to have connected.

> To run a server you'll need: a static IP (or dynamic IP with a dynamic DNS provider);

Check

> availability of port 25 which most ISPs block incoming to residential service;

It's not residential service. Check.

> a machine that is up and on the network more than 99% of the time;

We're trying.

> a decent reputation for the IP that your ISP gives you, which is unlikely if it's a residential IP;

It's Comcast Business. We had no problems so far.

> backup mail receivers for when your server does fail;

I'm looking at a couple already.

> Anyway...I'm doing everything you describe with the exception of clamav with a single instance. It was recommended that two instances would make things cleaner and more extensible. I will get there as needs grow. Look back in the archives for my name and the surrounding discussions such as http://tech.groups.yahoo.com/group/postfix-users/message/273634

Thanks for that. I guess I got some good reading to do.

> This is from master.cf. What it's meant to illustrate

That's a good example. That's all on one server or instance then? I mean you only have one master.cf and one main.cf for your setup? Do you use that PostScreen application that's built into PostFix too? Would that go in the same configuration files too?

Thanks one more time.

Jeremy Alsten
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
On Thu, Apr 07, 2011 at 09:33:33PM -0700, jeremy.als...@imap-mail.com wrote:

> That's a good example. That's all on one server or instance then? I mean you only have one master.cf and one main.cf for your setup?

You don't have to use multiple instances if your configuration is very simple. Multiple instances simplify complex configurations by breaking them up into more manageable pieces. It also becomes easier to diagnose performance issues with any content filters, when mail queued in front of the filter is a different queue than already filtered mail on its way to some remote destination.

If all you have is an SMTP server with some anti-spam RBLs, a single instance is likely enough. You can add submission on port 587 with master.cf overrides (as in the commented out example in master.cf), but complexity starts to rise. You can add an amavisd-new content filter and complexity increases further. At some point you may find multiple instances more sane, that pain point is up to you.

Start simple, and add features gradually. There is a steep learning curve for a novice to deploy a complex production system with no prior experience.

-- Viktor.
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
Hi Victor.

On Fri, 08 Apr 2011 00:59 -0400, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> Start simple, and add features gradually. There is a steep learning curve for a novice to deploy a complex production system with no prior experience.

It sure feels pretty steep already. I guess I'm glad I'm not just imagining things. I'm pretty sure I want to stick with the single Instance setup. Like you said, for now at the least.

I found a pretty good example, Spamassassin + ClamAV + Postfix WITHOUT Amavis (Debian) http://www.xtarutaru.com/2009/04/16/spamassassin-clamav-postfix-without-amavis-debian/ that along with Daniel's comments that's helping me to make sense of this a bit better.

I'm still going to read through some more of those Multiple Instance examples so maybe I can get some idea which road to point myself down for later. If I do any of the Multiple Instance setup is there a good Document that tells what configuration goes into what file? Does configuration flow down from the 1st one you setup? So that PostScreen configuration, which looks to do some of the work I want done, goes into which config file?

Thanks. Maybe a fresh look in the morning will be good too.

Jeremy Alsten
Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?
On 4/8/2011 1:21 AM, jeremy.als...@imap-mail.com wrote:

> If I do any of the Multiple Instance setup is there a good Document that tells what configuration goes into what file? Does configuration flow down from the 1st one you setup ? So that PostScreen configuration, which looks to do some of the work I want done, goes into which config file?
>
> Thanks. Maybe a fresh look in the morning will be good too.
>
> Jeremy Alsten

From these questions your conceptual framework is wrong. Avoid forming bad mental frameworks that have to be torn down later. Let the advanced stuff be a pleasant fuzz.

Multiple instances are more like large puzzle pieces that YOU carve out and decide how they interact. In short though they take specific ROLES: one listens on port smtp (25), one on submission...

You can 'get away' with not having postscreen for a while, because it's a qualitative thing, 'relieving pressure' in Wietse's words, pressure which depends on level of spambot attack. Even if it would help, set it aside for a while too.

I feel like I'm doing too much coaching which I'm not necessarily qualified to do, and may be a bit off-mission of the list, so...o o.

-DB