Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-08 Thread Simon Brereton
 From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
 us...@postfix.org] On Behalf Of jeremy.als...@imap-mail.com
 Hi Victor.
 
 On Fri, 08 Apr 2011 00:59 -0400, Victor Duchovni
 victor.ducho...@morganstanley.com wrote:
  Start simple, and add features gradually. There is a steep learning
  curve for a novice to deploy a complex production system with no
 prior
  experience.
 
 It sure feels pretty steep already.  I guess I'm glad I'm not just
 imagining things.
 
 I'm pretty sure I want to stick with the single Instance setup.  Like
 you said, for now at the least.
 
 I found a pretty good example, Spamassassin + ClamAV + Postfix
 WITHOUT Amavis (Debian)
 http://www.xtarutaru.com/2009/04/16/spamassassin-clamav-postfix-
 without-amavis-debian/
 that along with Daniel's comments that's helping me to make sense of
 this a bit better.

There's a ton of howtos out there - I'm sure you can find one that suits all 
your needs.  The nice thing about this one is that it'll keep you on the track 
you've been advised on - i.e. keeping things simple and adding features as you 
go.

I would recommend using amavis for your spam and virus checking though.  The 
Howto you're looking at specifically doesn't use it because of resource 
constraints on the host.  However, it sounds like you don't have that 
constraint.

 I'm still going to read through some more of those Multiple Instance
 examples so maybe I can get some idea which road to point myself down
 for later.
 
 If I do any of the Multiple Instance setup is there a good Document
 that tells what configuration goes into what file?  Does
 configuration flow down from the 1st one you setup ?  So that
 PostScreen configuration, which looks to do some of the work I want
 done, goes into which config file?

Personally, I don't think you need multiple instances.  If the book you got was 
The Book of Postfix, then it was written by contributors to this list - and you 
can't go wrong.  Setting up my own mail server to handle mail for multiple 
domains with spam and virus checking is one of the most worthwhile and fun 
things I've ever done.  I really want to encourage you to stay on the learning 
curve you've chosen.  I've been successfully blocking up to 98% of traffic 
(when the Rustock botnet was running) using a very simple set up but my false 
negatives are almost non-existent and my false positives are very low.

I'm sure there are more valid opinions but my advice for what it's worth is:

.   Set up postfix to receive and send mail securely (i.e. don't be an 
open-relay!)
.   Get your delivery agent set up (Courier/Dovecot) and working
.   Implement some sort of sender authentication e.g. SASL - though it will 
depend on your choices above) even if your users will only send mail to the 
server from inside the network
.   Some sort of log reporting (pflogsumm/postfix-logwatch) working
.   Add in the postfix's native spam controls, limiting and checks
.   Then look at content filtering (spam, virus and other objectionable 
content) - as you've already learnt this can be handed off to a different 
server/service, even if they're on the same host
.   Then look at more advanced controls like grey-listing and postscreen

If in doubt, ask and remember that most defaults are there for a reason.  
Consider the implications before changing them (but some will need to be 
changed to suit your set-up).

Have fun.






Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-08 Thread Stan Hoeppner
Simon Brereton put forth on 4/8/2011 8:19 AM:

 . Add in the postfix's native spam controls, limiting and checks

In this regard, try this out in your initial setup.  A brief description
and instructions are at the top of the file.  It's very easy to
implement--one line in main.cf.  It will stop most bot spam in lieu of
Postscreen, and may stop some spam that Postscreen doesn't.  Myself and
others here use it with good results.  The rare FP will be folks sending
you legit mail from MTAs behind consumer broadband IPs.

http://www.hardwarefreak.com/fqrdns.pcre

Now would be a good time to look into the everything under
smtpd_recipient_restrictions main.cf style.  This is the currently
preferred main.cf layout for most setups.  Makes things easier on you,
the OP.

 . Then look at content filtering (spam, virus and other objectionable 
 content)

I'd probably reverse the order or priority of these last two.

 . Then look at more advanced controls like grey-listing and postscreen

I'd avoid greylisting at all costs unless all other anti bot spam
countermeasures fail.  With the combination of fqrdns.pcre, postscreen,
and the right dnsbls, you shouldn't need greylisting.  And all of these
combined checks will still be much faster and far less resource
intensive than greylisting.

-- 
Stan


To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-07 Thread jeremy . alsten
Hi everybody.

I've been reading up how to install a mailserver for my office.  At the
local computer users group I was told about using PostFix on an Ubuntu
system instead of Microsoft Exchange Server on Windows.  I saw a demo at
the user group, and thought it's worth a real look.  They told us about
this List as a User Community resource.

I want to just install a mailserver that listens on the Static address
Comcast gave me, protects against these bots, spam and viruses, and then
delivers it.

So far I've only been reading the website documentation.  I ordered a
book too that should get here to Topeka in a few days.  The book looked
old and I'm a bit worried it'll be out of date.  But for learning
technology I like a good book with examples I can follow.

On the website, I got to an article Postfix Before-Queue Content
Filter at http://www.postfix.org/SMTPD_PROXY_README.html that looks
like it does what I want.  But I'm confused.  It has boxes in the
diagram there for 3 servers.

Why 3?  Do I need to have multiple computers to run this server?

I was also looking at the Content Filters listed on the website. 
There's a lot of them.  I don't have a really big computer for this so
want to do something that doesn't use a lot of resources.  Reading
around I saw this Amvisd application which looks like overkill for me
and complicated to set up.  I found two applications that are listed and
seem to do what I need for spam and viruses, Spam Assassin and Clam
AntiVirus.  Are these good choices?

At the user group they mentioned a new feature built into PostFix.  I
found it, PostScreen.  Is that even another server to deal with?

Like I said I just don't understand if I can do all this with just one
computer server, or have to use lots.  If I can get this cleared up with
some pointers and figure out what to do with that diagram I think I'd be
off to the races.

I'd appreciate any help.

Jeremy Alsten


Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-07 Thread jeremy . alsten
Hi Daniel.

That was a quick reply.  Thanks a bunch.

Sorry, I got all the terminology wrong.  Thanks for the lesson, though. 
Hopefully it'll stick a bit.

 Even a simple modern desktop PC can easily run (host) many server 
 processes. Postfix is especially economical in this regard especially if 
 configured in a trimmed-down way. Especially compared to anything in the 
 Microsoft world. No need to buy new hardware.

Okay.  At least I'm not huntin' with the wrong dog.

 http://www.postfix.org/MULTI_INSTANCE_README.html to get the background 
 of multiple Postfix server processes running on one host.

Whoa.  I took a look at that and that's a bit much for me at this stage
of the came.

Do I need do it this Multi_Instace way?  Even with your explanation I
still don't understand how many PostFix servers I need to install on my
one host.  I really want to keep the bells and whistles to a minimum,
and just get to the point that, mail comes in, gets thrown away if it's
from one of those bots, has spam content or a virus, and if everything's
okay, gets delivered to my InBox.

I think I get what you're saying about servers, processes and hosts.  So
one host is good enough.  It'll have multiple processes running on it. 
So how many PostFix's, or these Instances of it, do I need to install to
just get what I want to do done?

If I'm looking in the wrong places, that'd be good to know.

Thanks for your time and help.

Jeremy Alsten


Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-07 Thread Stan Hoeppner
jeremy.als...@imap-mail.com put forth on 4/7/2011 8:39 PM:

 I think I get what you're saying about servers, processes and hosts.  So
 one host is good enough.  It'll have multiple processes running on it. 
 So how many PostFix's, or these Instances of it, do I need to install to
 just get what I want to do done?

You're way out in front of yourself.  Setting up spam filtering will
come well after you get the basic setup accomplished and working.  First
you need to cover the basics:

1.  Do you have an internet domain registered for which your Postfix
server will be accepting mail?  This is a prerequisite.  (If you simply
want to grab the mail from your Gmail or Yahoo account to your server
box, then you need something like fetchmail, not Postfix).  Do you have
DNS A and MX records configured for said domain pointing the public IP
address in front of the Postfix host box?  Have you port forwarded TCP
25 on your consumer broadband router to the internal address
(192.168.x.x) of the Postfix host machine?

2.  Have you considered a mail retrieval method?  For instance IMAP or
POP?  Postfix only accepts the mail and delivers it, in your case most
likely to the local disk on the Postfix host (physical box).  You must
then retrieve it at your client desktop PC with a mail user agent such
as ThunderBird or Outlook.  This will require an IMAP or POP3 server
running on the Postfix host, such as Dovecot or Courier.

These things must be up and working properly before considering
implementing content filters or anything else beyond the basics.

Answering your specific question, no, you absolutely don't need multiple
Postfix instances for a SOHO configuration:

http://www.postfix.org/SOHO_README.html

-- 
Stan


Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-07 Thread Daniel Bromberg

On 4/7/2011 9:39 PM, jeremy.als...@imap-mail.com wrote:

[snip]
Whoa.  I took a look at that and that's a bit much for me at this stage
of the came.

Do I need do it this Multi_Instace way?  Even with your explanation I
still don't understand how many PostFix servers I need to install on my
one host.  I really want to keep the bells and whistles to a minimum,
and just get to the point that, mail comes in, gets thrown away if it's
from one of those bots, has spam content or a virus, and if everything's
okay, gets delivered to my InBox.

I think I get what you're saying about servers, processes and hosts.  So
one host is good enough.  It'll have multiple processes running on it.
So how many PostFix's, or these Instances of it, do I need to install to
just get what I want to do done?

If I'm looking in the wrong places, that'd be good to know.

Thanks for your time and help.

Jeremy Alsten

Jeremy,

Let me ask one super-meta question first: if all you have is one Inbox, 
why is IMAP service from, say, Gmail, or your ISP, not adequate? You can 
configure your MUA (Thunderbird, Biff, Outlook...) very easily and be 
off to the races enjoying Gmail's vast spam-filtering capabilities for 
free. To run a server you'll need: a static IP (or dynamic IP with a 
dynamic DNS provider); availability of port 25 which most ISPs block 
incoming to residential service; a machine that is up and on the network 
more than 99% of the time; a decent reputation for the IP that your ISP 
gives you, which is unlikely if it's a residential IP; backup mail 
receivers for when your server does fail; a way of being paged or e-mail 
when your server is down; and other sysadmin headaches.


[Note: I am writing this as Stan's note just arrived; some of my points 
are very similar and redundant.]


Anyway...I'm doing everything you describe with the exception of clamav 
with a single instance. It was recommend that two instances would make 
things cleaner and more extensible. I will get there as needs grow. Look 
back in the archives for my name and the surrounding discussions such as 
http://tech.groups.yahoo.com/group/postfix-users/message/273634


At the risk of putting out incomplete information making things worse, 
here are two pieces of the puzzle I uses to filter with SpamAssassin. So 
this is illustrative, not prescriptive:


This is from master.cf. What it's meant to illustrate is that all mail 
that comes in on the standard SMTP port 25 (and thus public, 
unencrypted, unauthenticated) is sent through a filter before taking the 
next step. (I have a very simple next


smtp.example.com:smtp  inet  n   -   n   -   -   
smtpd

   -o content_filter=filter:dummy
   -o syslog_name=postfix-smtp

filterunix  -   n   n   -   -   pipe
  flags=Rq user=spam argv=/usr/local/bin/spamc -U /tmp/spamd.sock -e 
/usr/sbin/sendmail

  -i -f ${sender} ${recipient}

-Daniel



Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-07 Thread jeremy . alsten
Hi Stan. And Daniel.

 You're way out in front of yourself.  Setting up spam filtering will
 come well after you get the basic setup accomplished and working.  First
 you need to cover the basics:

I'm pretty sure I got most of these covered when we had Microsoft
Exchange set up.

 Do you have an internet domain registered for which your Postfix
server will be accepting mail?

Yes

 Do you have DNS A and MX records configured for said domain pointing the 
 public IP address in front of the Postfix host box?

Yes

 Have you port forwarded TCP 25 on your consumer broadband router
 to the internal address (192.168.x.x) of the Postfix host machine?

I'm not sure you'd call it just a consumer device, but there's an Astaro
Firewall Router box that does that.

 Have you considered a mail retrieval method?  For instance IMAP or
POP?

I was planning to do IMAP but I was told that that comes after getting
PostFix set up.

 such as Dovecot or Courier.

There's another fella here already looking at the Dovecot application.

 Answering your specific question, no, you absolutely don't need multiple
 Postfix instances for a SOHO configuration:
  http://www.postfix.org/SOHO_README.html

I read that but didn't see anything about filtering spam or viruses. 
That other link that mentions those talks about the multiple servers or
instances.

I still don't know for sure.  I'm hoping that book's gonna be a help for
the likes of me.


 Let me ask one super-meta question first: if all you have is one Inbox,
 why is IMAP service from, say, Gmail, or your ISP, not adequate?

I have about 50 employees that I need to have connected.

 To run a server you'll need:
 a static IP (or dynamic IP with a dynamic DNS provider);

Check

 availability of port 25 which most ISPs block incoming to residential service;

It's not residential service.  Check.

 a machine that is up and on the network more than 99% of the time;

We're trying.

 a decent reputation for the IP that your ISP gives you, which is unlikely if 
 it's a residential IP;

It's Comcast Business.  We had no problems so far.

 backup mail receivers for when your server does fail;

I'm looking at a couple already.

 Anyway...I'm doing everything you describe with the exception of clamav
 with a single instance. It was recommend that two instances would make
 things cleaner and more extensible. I will get there as needs grow. Look
 back in the archives for my name and the surrounding discussions such as
 http://tech.groups.yahoo.com/group/postfix-users/message/273634

Thanks for that.  I guess I got some good reading to do.

 This is from master.cf.  What it's meant to illustrate

That's a good example. That's all on one server or instance then?  I
mean you only have one master.cf and one main.cf for your setup?

Do you use that PostScreen application that's built into PostFix too? 
Would that go in the same configuration files too?

Thanks one more time.

Jeremy Alsten


Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-07 Thread Victor Duchovni
On Thu, Apr 07, 2011 at 09:33:33PM -0700, jeremy.als...@imap-mail.com wrote:

 That's a good example. That's all on one server or instance then?  I
 mean you only have one master.cf and one main.cf for your setup?

You don't have to use multiple instances if your configuration is
very simple. Multiple instances simplify complex configurations by
breaking them up into more manageable pieces. It also becomes easier
to diagnose performance issues with any content filters, when mail
queued in front of the filter is a different queue than already
filtered mail on its way to some remote destination.

If all you have is an SMTP server with some anti-spam RBLs, a single
instance is likely enough. You can add submission on port 587 with
master.cf overrides (as in the commented out example in master.cf),
but complexity starts to rise. You can add an amavisd-new content filter
and complexity increases further. At some point you may find multiple
instances more sane, that pain point is up to you.

Start simple, and add features gradually. There is a steep learning
curve for a novice to deploy a complex production system with no
prior experience.

-- 
Viktor.


Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-07 Thread jeremy . alsten
Hi Victor.

On Fri, 08 Apr 2011 00:59 -0400, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
 Start simple, and add features gradually. There is a steep learning
 curve for a novice to deploy a complex production system with no
 prior experience.

It sure feels pretty steep already.  I guess I'm glad I'm not just
imagining things.

I'm pretty sure I want to stick with the single Instance setup.  Like
you said, for now at the least.

I found a pretty good example, Spamassassin + ClamAV + Postfix WITHOUT
Amavis (Debian)
http://www.xtarutaru.com/2009/04/16/spamassassin-clamav-postfix-without-amavis-debian/
that along with Daniel's comments that's helping me to make sense of
this a bit better.

I'm still going to read through some more of those Multiple Instance
examples so maybe I can get some idea which road to point myself down
for later.

If I do any of the Multiple Instance setup is there a good Document that
tells what configuration goes into what file?  Does configuration flow
down from the 1st one you setup ?  So that PostScreen configuration,
which looks to do some of the work I want done, goes into which config
file?

Thanks.  Maybe a fresh look in the morning will be good too.

Jeremy Alsten


Re: To install a PostFix-based mailserver with Content Filters do I need to have multiple servers?

2011-04-07 Thread Daniel Bromberg

On 4/8/2011 1:21 AM, jeremy.als...@imap-mail.com wrote:

If I do any of the Multiple Instance setup is there a good Document that
tells what configuration goes into what file?  Does configuration flow
down from the 1st one you setup ?  So that PostScreen configuration,
which looks to do some of the work I want done, goes into which config
file?

Thanks.  Maybe a fresh look in the morning will be good too.

Jeremy Alsten
From these questions your conceptual framework is wrong. Avoid forming 
bad mental frameworks that have to be torn down later. Let the advanced 
stuff be a pleasant fuzz. Multiple instances are more like large puzzle 
pieces that YOU carve out and decide how they interact. In short though 
they take specific ROLES: one listens on port smtp (25), one on 
submission...


You can 'get away' with not having postscreen for a while, because it's 
a qualitative thing, 'relieving pressure' in Wietse's words, pressure 
which depends on level of spambot attack. Even if it would help, set it 
aside for a while too.


I feel like I'm doing too much coaching which I'm not necessarily 
qualified to do, and may be a bit off-mission of the list, so...o  o.


-DB