Exim на FreeBSD

Попросил меня товарищ настроить ему почту на домашнем роутере с FreeBSD, и я решил поставить EXIM.

Exim — это агент пересылки сообщений, используемый на операционных системах семейства Unix.

На FreeBSD exim устанавливается предельно просто, начнем:

# cd /usr/ports/mail/exim
# make config && make install clean

Выбрал такие дополнительные пункты, помимо того что уже по умолчанию:
|x| CONTENT_SCAN
|x| MYSQL
|x| SASLAUTHD
|x| OPENLDAP
|x| AUTH_SASL

После установки exim, ставим антивирус clamav:

# cd /usr/ports/security/clamav
# make install clean

Далее правим /etc/mail/mailer.conf и доводим до вида:

# Every sendmail-compatible command name is mapped to the Exim binary;
# mailq and newaliases pass the matching Exim option (-bp, -bi).
sendmail         /usr/local/sbin/exim
send-mail       /usr/local/sbin/exim
mailq          /usr/local/sbin/exim -bp
newaliases     /usr/local/sbin/exim -bi
hoststat        /usr/local/sbin/exim
purgestat      /usr/local/sbin/exim

Подготовительные работы закончены, приступаем к самому интересному — правке файла конфигурации exim:

# cat /usr/local/etc/exim/configure | grep -v '#'
# Main section: global options and the named lists used by the ACLs below.
# NOTE(review): no tls_certificate / tls_advertise_hosts option appears in
# this listing, while the authenticators section offers PLAIN and LOGIN.
# Without TLS those passwords cross the network merely base64-encoded;
# confirm whether TLS is configured elsewhere before exposing AUTH.
primary_hostname = mail.domain.pp.ua
# "@" stands for the primary hostname, so only mail.domain.pp.ua is local.
domainlist local_domains = @
# Empty list: this server is not a relay target for any other domain.
domainlist relay_to_domains =
# Hosts allowed to relay without authenticating (see the last accept in
# acl_check_rcpt). Every machine in 10.10.1.0/24 is trusted here, so one
# compromised LAN host can send mail to anywhere through this server.
hostlist   relay_from_hosts = localhost:127.0.0.0/8:10.10.1.0/24
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
# Socket of the ClamAV daemon used by the "malware" condition in acl_check_data.
av_scanner = clamd:/var/run/clamav/clamd
qualify_domain = mail.domain.pp.ua
qualify_recipient = mail.domain.pp.ua
allow_domain_literals = false
exim_user = mailnull
exim_group = mail
# Never run a delivery as root, whatever a router or transport asks for.
never_users = root
# 0s disables RFC 1413 (ident) callbacks to connecting hosts.
rfc1413_query_timeout = 0s
sender_unqualified_hosts = +relay_from_hosts
recipient_unqualified_hosts = +relay_from_hosts
ignore_bounce_errors_after = 45m
timeout_frozen_after = 15d
# LAN clients may send a syntactically invalid HELO name.
helo_accept_junk_hosts = 10.10.1.0/24
auto_thaw = 1h
# NOTE(review): $version_number tells every connecting client the exact
# Exim release; consider leaving it out of the banner.
smtp_banner = "$primary_hostname, ESMTP EXIM $version_number"
smtp_accept_max = 50
smtp_accept_max_per_connection = 25
smtp_connect_backlog = 30
smtp_accept_max_per_host = 20
split_spool_directory = true
remote_max_parallel = 15
return_size_limit = 70k
message_size_limit = 64M
helo_allow_chars = _
# Drop clients that send commands before the server has replied.
smtp_enforce_sync = true
# Extra log detail: rejected and lost connections, SMTP syntax and protocol
# errors, envelope sender and recipients; queue-run lines are switched off.
log_selector = \
    +all_parents \
    +connection_reject \
    +incoming_interface \
    +lost_incoming_connection \
    +received_sender \
    +received_recipients \
    +smtp_confirmation \
    +smtp_syntax_error \
    +smtp_protocol_error \
    -queue_run
syslog_timestamp = no
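begin acl

# RCPT-time policy. Statements are evaluated top to bottom and the first
# accept/deny whose conditions all match decides the result, so the order
# of the statements is part of the policy.
acl_check_rcpt:

# Mail that did not arrive over TCP/IP (empty host field, local submission).
accept  hosts = :

# Local recipients: refuse a leading dot and routing/shell metacharacters.
deny    message       = "incorrect symbol in address"
        domains       = +local_domains
        local_parts   = ^[.] : ^.*[@%!/|]

# Remote recipients: same idea, plus "/../" path sequences.
deny    message       = "incorrect symbol in address"
        domains       = !+local_domains
        local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

# postmaster@ a local domain is always reachable, before any other check.
accept  local_parts   = postmaster
        domains       = +local_domains

# A HELO/EHLO name must have been given.
deny    message       = "HELO/EHLO require by SMTP RFC"
        condition     = ${if eq{$sender_helo_name}{}{yes}{no}}

# Authenticated clients skip every check below and may relay.
accept  authenticated = *

# Refuse clients that give their own IP address as the HELO name.
# Host lists are scanned left to right and the first matching item wins, so
# the negated exceptions have to come before the catch-all "*". With "*"
# listed first the exceptions were never reached and the rule also hit the
# relay hosts it was meant to spare.
deny    message       = "Your IP in HELO - access denied!"
        hosts         = !+relay_from_hosts : !81-196.adsl.com : *
        condition     = ${if eq{$sender_helo_name}\
                        {$sender_host_address}{true}{false}}

# Refuse clients that present this server's own interface address as HELO.
deny    condition     = ${if eq{$sender_helo_name}\
                        {$interface_address}{yes}{no}}
        hosts         = !127.0.0.1 : !localhost : *
        message       = "main IP in your HELO! Access denied!"

# Refuse a HELO name made of digits only.
deny    condition     = ${if match{$sender_helo_name}\
                        {\N^\d+$\N}{yes}{no}}
        hosts         = !127.0.0.1 : !localhost : *
        message       = "can not be only number in HELO!"

# Refuse hosts whose reverse-DNS name looks like a dynamic/end-user address.
# NOTE(review): the pattern is unanchored, so any hostname containing
# "pool", "peer" or "dhcp" is rejected, legitimate servers included.
deny    message       = "your hostname is bad (adsl, poll, ppp & etc)."
        condition     = ${if match{$sender_host_name} \
                        {adsl|dialup|pool|peer|dhcp} \
                        {yes}{no}}

# Tarpit: 30s per RCPT by default, no delay for the trusted networks.
warn
        set acl_m0 = 30s
warn
        hosts = +relay_from_hosts:80.15.42.0/24:81.23.17.0/24:10.10.1.0/24
        set acl_m0 = 0s
warn
        logwrite = Delay $acl_m0 for $sender_host_name \
                   [$sender_host_address] with HELO=$sender_helo_name. Mail \
                   from $sender_address to $local_part@$domain.
        delay = $acl_m0

# Local domains: accept only recipients the routers can actually deliver to.
accept  domains       = +local_domains
        endpass
        message       = "In my mailserver not stored this user"
        verify        = recipient

# Domains relayed onward (the list is empty in this configuration).
accept  domains       = +relay_to_domains
        endpass
        message       = "main server not know how relay to this address"
        verify        = recipient

# DNS blocklists.
# NOTE(review): confirm that both zones are still operated before relying on
# them; opm.blitzed.org in particular appears to have been retired. A dead
# zone adds lookup delay and blocks nothing, and one taken over by somebody
# else can answer "listed" for every address.
deny    message       = "you in blacklist - $dnslist_domain --> $dnslist_text"
        dnslists      = opm.blitzed.org : \
                        cbl.abuseat.org

# Trusted networks may relay to any destination.
accept  hosts         = +relay_from_hosts

# Everything else is a relay attempt by an unknown host.
deny    message       = "relay not permitted"

# DATA-time policy: pass every message body to the scanner named in av_scanner.
# If clamd cannot be reached the malware condition defers and the sender gets
# a temporary error, so nothing is accepted unscanned. Adding "/defer_ok"
# would reverse that; use it only if unscanned mail is acceptable.
acl_check_data:
deny    malware       = *
        message       = "In e-mail found VIRUS - $malware_name"
accept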
begin routers
 
# Routers are tried in the order written; the first one that accepts an
# address decides how it is delivered.

# Non-local domains: look the domain up in DNS and hand it to remote_smtp.
# ignore_target_hosts discards DNS answers pointing at 0.0.0.0 or loopback,
# and no_more stops routing here when this router declines.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more
 
# Local aliases from /etc/aliases. File and pipe deliveries produced by an
# alias run as mailnull:mail, not as root.
system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  user = mailnull
  group = mail
  file_transport = address_file
  pipe_transport = address_pipe 
 
# Per-user ~/.forward, used only when the recipient is a local account and
# the file exists. allow_filter stays commented out, so the file is read as
# a plain forward list rather than an Exim filter.
# NOTE(review): pipe_transport is set, so a "|command" entry in .forward is
# handed to address_pipe; presumably it runs under the owning user's
# account. Confirm that this is intended for every local user.
userforward:
  driver = redirect
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  file = $home/.forward
# allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  condition = ${if exists{$home/.forward} {yes} {no} }
 
# Last router: existing local accounts go to the mailbox transport; any
# other local part fails with "Unknown user".
localuser:
  driver = accept
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user
 
begin transports
 
# Outbound SMTP with the driver's default settings.
remote_smtp:
  driver = smtp
 
# Append to the mbox file /var/mail/<local part>, running as that user with
# group mail and file mode 0660.
# NOTE(review): "user" is expanded from the recipient's local part. The only
# router that names this transport (localuser) sets check_local_user, so the
# value should always be an existing account; keep it that way if another
# router is ever pointed at this transport.
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  user = $local_part
  mode = 0660
  no_mode_fail_narrower
 
# Runs the command produced by an alias or .forward pipe entry;
# return_output sends anything the command prints back to the sender.
address_pipe:
  driver = pipe
  return_output
 
# Appends to a file path produced by an alias or .forward entry.
address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
 
# Automatic replies requested through the userforward router.
address_reply:
  driver = autoreply
 
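begin retry
# All hosts, all errors: retry every 15 minutes for 2 hours, then at
# intervals starting at 1 hour and growing by a factor of 1.5 until 16 hours,
# then every 6 hours until 4 days have passed.
*                    *       F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

begin authenticators

# SMTP AUTH, with passwords checked by saslauthd.
# PLAIN and LOGIN send the password base64-encoded only, which is not
# encryption. No tls_certificate or tls_advertise_hosts option is visible in
# this configuration, so as written the credentials cross the network in the
# clear. Once TLS is set up, enable the server_advertise_condition lines
# below so that AUTH is offered only on encrypted sessions (newer Exim
# releases name the variable $tls_in_cipher).

# AUTH PLAIN carries three NUL-separated fields: authorization id ($1),
# authentication id ($2) and password ($3). The login name and password are
# therefore $2 and $3; passing $1 and $2 hands saslauthd the (usually empty)
# authorization id as the user and the user name as the password.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
  server_set_id = $2
# server_advertise_condition = ${if def:tls_cipher}

# AUTH LOGIN prompts twice: $1 is the user name, $2 the password.
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
  server_set_id = $1
# server_advertise_condition = ${if def:tls_cipher}

# CRAM-MD5 needs the clear-text password on the server side (server_secret),
# so it cannot be backed by saslauthd; left disabled.
#cram_md5:
#  driver = cram_md5
#  public_name = CRAM-MD5
#  server_secret = "condition goes here :)"
#  server_set_id = $1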

После того как закончили с конфигом, переходим к консоли, грохаем sendmail и переезжаем на exim:

# echo 'exim_enable="YES"' >> /etc/rc.conf
# killall -9 sendmail
# killall -9 sendmail
No matching processes were found
# echo 'saslauthd_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/saslauthd start
# /usr/local/etc/rc.d/exim start
WARNING: sendmail_submit_enable should be set to NO Starting exim.
# echo 'sendmail_enable="NONE"' >>  /etc/rc.conf
# /usr/local/etc/rc.d/exim restart
Stopping exim.
Starting exim.
# ps -axj | grep exim
817  ??  Is     0:07.18 /usr/local/sbin/exim -bd -q30m (exim-4.68-0)
832  p1  S+     0:00.01 grep exim
# sockstat | grep exim
mailnull exim-4.68- 817   4  tcp4   *:25                  *:*
# sockstat | grep sasl
root     saslauthd  829 2  dgram  -> /var/run/logpriv
root     saslauthd  829 4  stream /var/run/saslauthd/mux
..............

Самое время запустить антивирус:

# echo 'clamav_clamd_enable="YES"' >> /etc/rc.conf
# echo 'clamav_freshclam_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/clamav-clamd start
Starting clamav_clamd.
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days.  ***
LibClamAV Warning: ***        Please update it IMMEDIATELY!       ***
LibClamAV Warning: **************************************************
# /usr/local/etc/rc.d/clamav-freshclam  start
Starting clamav_freshclam.

Со стандартным конфигом exima покончено. Почта заработала и товарищ остался доволен как слон 😉

Напоминаю всем копирующим мой контент о существовании закона "Об авторском праве".
В связи с этим прошу во избежание конфликтов при копировании данного материала ставить на него ссылку:

http://noted.org.ua/822

