Re: New Installation of Postfix Server

On Sun, Mar 25, 2012 at 10:15:40AM +0600, Vishal Agarwal wrote:
> I want to reinstall postfix server right from scratch with spam
> filter, grey listing and antivirus support working on submission
> port. Pl suggest/advise any practical working tutorial.

I have reviewed quite a few of what I call the "kitchen sink"
tutorials on the web, those which include "everything but the kitchen
sink" (a colloquial expression. Most of them are very weak for
various reasons. IMO they're trying to cover too much material. They
cannot take the place of the software documentation.

The right thing to do is to take it in pieces, so you understand
about each piece.

Installing Postfix:
http://www.postfix.org/INSTALL.html
http://www.postfix.org/BASIC_CONFIGURATION_README.html

Spam filter & greylisting:
http://www.postfix.org/POSTSCREEN_README.html
(and Google this mailing list for my example postscreen config)
http://www.postfix.org/SMTPD_ACCESS_README.html
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

I don't recommend greylisting other than what postscreen(8) does,
assuming you choose to activate the "deep protocol tests". YMMV of
course, but many spam zombies do go through their lists twice or
more.

Note that greylisting and postscreen make no sense at all and will
not work on submission. Likewise, such tactics as DNSBL lookups and
HELO checks are counterproductive when applied to submission users.

A submission example is in your master.cf, but it requires SASL and
strongly suggests the need for TLS:
http://www.postfix.org/SASL_README.html
http://www.postfix.org/TLS_README.html

Somewhere along the way (before SASL) you should choose an IMAP
server. Dovecot simplifies the SASL setup:
http://www.dovecot.org/
http://wiki2.dovecot.org/ for documentation

Antivirus / antizombie protection on submission is very important.
You're not going to be able to do that natively in Postfix. You'll
want rate limiting and content filtering.

For rate limiting, a policy service is useful. See this:
http://www.postfix.org/SMTPD_POLICY_README.html

Consider one of the following third-party packages:
http://www.postfwd.org/
http://www.policyd.org/

For content filtering, I'd recommend amavisd-new with SpamAssassin as
a post-queue filter. I think you will have to tweak the default
amavisd configuration to do filtering of submission mail. See here:
http://www.amavisd.org/

(And NB to Mark: I think now is the time to reconsider that default,
because authenticating malware is on the rise, and one such
experience can be devastating, getting you blocked everywhere.)

Amavisd-new can chain multiple filters, and it invokes SA internally
as perl modules, but you might also be interested in their sites:
http://spamassassin.apache.org/

IME clamav did not matter much on inbound mail when using the
aforementioned Postfix-based spam controls, but it might be useful
against authenticating malware, and it certainly does not hurt to
have it deployed and ready. See here:
http://www.clamav.net/

Yes, that is a lot of stuff to cover. Mail admin is not for the faint
of heart. :) Good luck.
-- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

• This message: [ Message body ]
• Next message: /dev/rob0: "Re: New Installation of Postfix Server"
• Previous message: Vishal Agarwal: "New Installation of Postfix Server"
• In reply to: Vishal Agarwal: "New Installation of Postfix Server"
• Next in thread: /dev/rob0: "Re: New Installation of Postfix Server"
• Reply: /dev/rob0: "Re: New Installation of Postfix Server"
• Reply: Charles Marcus: "Re: New Installation of Postfix Server"
• Reply: John Hudak: "Re: New Installation of Postfix Server"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]