Mail Server Info

Hostname             : mail.0846101.nasa
IP Address           : 10.113.25.25/24

Install Postfix 

sudo dnf install postfix
vim /etc/postfix/main.cf
# General Settings
myhostname = mail.0846101.nasa
# The default of "mydomain" is to use $myhostname minus the first component
#mydomain = 0846101.nasa
myorigin = $mydomain

# RECEIVING MAIL
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, 0846101.nasa, localhost.$mydomain, localhost

# TRUST AND RELAY CONTROL
mynetworks = 10.113.25.0/24, 127.0.0.0/8
sudo systemctl enable postfix
sudo systemctl restart postfix

SASL 

If you have mobile users who want to use the mail server from outside the office, we need a mechanism to verify that they are trusted users, so that they are allowed to send mail through the mail server.

SASL (Simple Authentication and Security Layer) provides a mechanism that authenticates users by name and password. The best-known SASL implementation is the library provided by Cyrus SASL, but Dovecot also ships its own built-in SASL implementation. Since we are already running Dovecot, we might as well use it for SASL and avoid installing and configuring another package.

vim /etc/postfix/main.cf
# SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

Install Dovecot 

sudo dnf install dovecot
sudo vim /etc/dovecot/conf.d/10-master.conf
unix_listener auth-userdb {
#mode = 0666
#user =
#group =
}

# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
sudo vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login

SSL Settings

sudo vim /etc/dovecot/conf.d/10-ssl.conf
ssl = yes

Note the SSL certificate and key paths

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

DNS Record 

/var/named/named.0846101.nasa
/var/named/named.0846101.nasa.one
/var/named/named.0846101.nasa.mysub
                IN      MX      10 mail.0846101.nasa.

mail            IN      A       10.113.25.25



SPF 

Sender Policy Framework
SPF specifies which mail-sending server addresses are allowed to send mail for a sender's domain. This mechanism prevents spammers from forging the domain to send fake mail. The SPF record lists the explicitly permitted sending hosts; by checking the sender domain's SPF record, the receiving mail server knows whether the message came from an allowed sending address.

                IN      TXT     "v=spf1 a mx ip4:10.113.25.25 -all"

-all means that everything except the hosts listed is rejected (the mechanism name must be exactly ip4; an unknown name makes the whole record invalid)
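As an added illustration (not part of these notes and not a real SPF library), a minimal SPF evaluator in Python that applies a record like the one above to a connecting IP. The zone's A and MX data are a constructed stand-in; no DNS lookups are made. It also shows why a misspelled mechanism such as ipv4: turns the record into permerror instead of fail.

```python
import ipaddress
import re

# Constructed stand-in for the zone's DNS data (no real lookups are made).
ZONE = {
    "0846101.nasa": {"A": ["10.113.25.25"], "MX": ["mail.0846101.nasa"]},
    "mail.0846101.nasa": {"A": ["10.113.25.25"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, domain, zone=ZONE):
    """Evaluate an SPF record for one connecting IP.

    Supports the mechanisms this record uses (a, mx, ip4, all) and returns
    pass / fail / softfail / neutral / permerror like a real checker would.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)(all|a|mx|ip4)(?::(.+))?", term, re.I)
        if not m:
            # Unknown mechanism (e.g. the typo 'ipv4:'): RFC 7208 says permerror,
            # so the record stops protecting the domain instead of failing spoofers.
            return "permerror"
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        target = zone.get(arg or domain, {})  # host the a/mx mechanism refers to
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4" and arg and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if mech == "a" and str(ip) in target.get("A", []):
            return QUALIFIERS[qual]
        if mech == "mx":
            for mx in target.get("MX", []):
                if str(ip) in zone.get(mx, {}).get("A", []):
                    return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' at the end
```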

DKIM 

DomainKeys Identified Mail
DKIM is a digital signature scheme based on public/private key cryptography. When mail is sent, the sending server signs the message with its private key. The receiving server queries the sender's domain in DNS for the DKIM record, retrieves the public key recorded there, and verifies the message's signature with it. If the signature verifies against the public key, the message really was sent by the original sending server.

Install OpenDKIM 

sudo dnf install epel-release
sudo dnf install opendkim
vim /etc/opendkim.conf
##  Selects operating modes -> s (sign) and v (verify)
Mode    sv

##  Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim

##  Create a socket through which your MTA can communicate.
Socket  inet:8891@localhost

Domain  0846101.nasa

##  Defines the name of the selector to be used when signing messages.
Selector        default

##  Gives the location of a private key to be used for signing ALL messages. This
##  directive is ignored if KeyTable is enabled.
KeyFile /etc/opendkim/keys/default.private

Generate Keys 

Install this first

sudo dnf install perl-Getopt-Long

-s selector (key name), -d domain

opendkim-genkey -s default -d 0846101.nasa

The keys are written to /etc/opendkim/keys

Fix the ownership

cd /etc/opendkim/keys
chown opendkim:opendkim *

A .txt file is also generated

sudo cat /etc/opendkim/keys/default.txt

Copy the contents of the txt file into the DNS record

default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmgi999nm4zsmTgvKIWL/RexLSfTtadHkkAL+k5ng3t6jSPHv00ctMKBr+ateRjdGAjnS6V4K/91dKEeG4+Duqozii4uaQnFnkX2KoNn6l05xwrx8clyz8HQaF/MpPvCYLJekjwM6FCJxdAffiJ0FUyfkC0YkTDPSMrlV0F4c6fwIDAQAB" )  ; ----- DKIM key default for 0846101.nasa

NSEC3 

After editing the zone files, sign them again

sudo dnssec-signzone -3 55844b7f -H 100 -u -o 0846101.nasa -t -k /etc/named/keys/K0846101.nasa.+008+29014.key /var/named/{zone_files_name} /etc/named/keys/K0846101.nasa.+008+00945.key

Postfix settings 

vim /etc/postfix/main.cf
# OpenDKIM
milter_protocol = 6
# OpenDKIM's socket port (a trailing "//..." comment would be read as part of the value)
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

DMARC 

Lets the sending domain tell receiving mail servers what to do when the SPF and DKIM checks fail. The best-known case is Yahoo in 2014, which announced that its DMARC policy was set to "reject": any mail not sent from Yahoo's mail servers could no longer use a Yahoo address as the sender.

Add to the DNS record

_dmarc          IN      TXT     "v=DMARC1; p=reject"

Reject all mail that fails the DMARC check
v: protocol version
p: defines how your domain handles suspicious mail:
  • none: take no action on the mail; only record suspicious mail in the daily report.
  • quarantine: mark the mail as spam and move it to the recipient's Gmail spam folder. Recipients can review their spam in Gmail.
  • reject: ask the receiving server to reject the mail. In this case, the receiving server should send a bounce back to the sending server.

Create Users 

Create ta (-d requires a directory argument, so it is dropped here and the default home directory is used)

sudo useradd -g mail -s /sbin/nologin ta

Create tu

sudo useradd -g mail -s /sbin/nologin tu

Set the password to the VPN private key (WG_KEY)

passwd ta
passwd tu

Virtual Alias 

sudo vim /etc/postfix/main.cf
# Alias
virtual_alias_maps = hash:/etc/postfix/virtual regexp:/etc/postfix/virtual.regexp

For any mail to TO@, alias it to TA@

sudo vim /etc/postfix/virtual
TO      ta
sudo postmap /etc/postfix/virtual

For any mail to <anything>|<user>@, alias it to <user>@
e.g. i-am-a|TA@ is delivered to TA@

sudo vim /etc/postfix/virtual.regexp

The first () group is $1, the second () group is $2

/^.+\|([^@]+)@(.+)$/    $1@$2
sudo postmap /etc/postfix/virtual.regexp

Rewrite Sender 

sudo vim /etc/postfix/main.cf
# Rewrite Sender
# Rewrite @mail.{student_ID}.nasa to @{student_ID}.nasa 
masquerade_domains = 0846101.nasa
local_header_rewrite_clients = permit_mynetworks permit_sasl_authenticated
# Rewrite TU@ to TUTU@: create a map
sender_canonical_maps = hash:/etc/postfix/sender-canonical

Rewrite TU@ to TUTU@

sudo vim /etc/postfix/sender-canonical
TU      TUTU
sudo postmap /etc/postfix/sender-canonical

User Authentication on IMAP/SMTP 

  • Only send emails from the authenticated username@
  • Prevent users from faking other users in the envelope from
  • No open relay
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sender_login_maps = regexp:/etc/postfix/login-maps
smtpd_sender_restrictions = reject_non_fqdn_sender reject_sender_login_mismatch
sudo vim /etc/postfix/login-maps 
/^TUTU@(mail\.)?0846101\.nasa$/ tu
/^(.+)@(mail\.)?0846101\.nasa$/ $1
sudo postmap /etc/postfix/login-maps
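To see how the three tables in these notes behave (the "|" rewrite in virtual.regexp, the sender-canonical map and the login map used by reject_sender_login_mismatch), here is an added Python emulation of Postfix's first-match, case-insensitive lookup. It is not Postfix code; the tables are transcribed inline rather than read from /etc/postfix.

```python
import re

# Tables transcribed from these notes (not read from /etc/postfix).
VIRTUAL_REGEXP = [(r"^.+\|([^@]+)@(.+)$", "$1@$2")]   # virtual.regexp
SENDER_CANONICAL = {"tu": "TUTU"}                      # sender-canonical (hash:)
LOGIN_MAPS = [                                         # login-maps (regexp:)
    (r"^TUTU@(mail\.)?0846101\.nasa$", "tu"),
    (r"^(.+)@(mail\.)?0846101\.nasa$", "$1"),
]


def regexp_lookup(table, key):
    """First matching entry wins; Postfix regexp tables match case-insensitively
    by default and write back-references as $1, $2 (Python wants \\1, \\2)."""
    for pattern, replacement in table:
        m = re.search(pattern, key, re.I)
        if m:
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return None


def expand_alias(recipient):
    """virtual_alias_maps: 'anything|user@domain' is delivered to 'user@domain'."""
    return regexp_lookup(VIRTUAL_REGEXP, recipient) or recipient


def canonical_sender(sender):
    """sender_canonical_maps: hash: keys are case-folded, so TU, tu and Tu all hit."""
    local, _, domain = sender.partition("@")
    return SENDER_CANONICAL.get(local.lower(), local) + "@" + domain


def sender_login_ok(sasl_user, mail_from):
    """reject_sender_login_mismatch: the login map must turn MAIL FROM into the
    SASL login name; anything else is an attempt to use someone else's address."""
    owner = regexp_lookup(LOGIN_MAPS, mail_from)
    return owner is not None and owner.lower() == sasl_user.lower()
```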

Firewall 

Turn off firewalld on Mail Server

sudo systemctl stop firewalld
sudo systemctl disable firewalld

Enable iptables for ports 25 and 143 on the router

sudo vim /etc/sysconfig/iptables
-A FORWARD -p tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp --dport 143 -j ACCEPT

Rspamd 

Greylist
DMARC

Install Rspamd 

Switch to root before installing

sudo -s
curl https://rspamd.com/rpm-stable/centos-8/rspamd.repo > /etc/yum.repos.d/rspamd.repo
rpm --import https://rspamd.com/rpm-stable/gpg.key
yum update
yum install rspamd

Start the rspamd configuration wizard 

sudo rspamadm configwizard

Greylist and the other modules are still shown as disabled -> install and start redis first

redis 

Install redis

dnf install redis

Start and enable redis

sudo systemctl start redis
sudo systemctl enable redis


Greylist 

Greylist Settings

sudo vim /etc/rspamd/local.d/greylist.conf

Remember to add the Judge test IP to the whitelist
Set expire to the same value as the Judge's cool-down time, 1 hour

expire = 1h;
timeout = 30;
whitelisted_ip = [
        "10.113.54.3"
];

Do not edit /etc/rspamd/actions.conf directly; override it in local.d

sudo vim /etc/rspamd/local.d/actions.conf
reject = 100;
add_header = 50;
rewrite_subject = 50;
greylist = 0;

# The default in /etc/rspamd/actions.conf is ***SPAM***
subject = "*** SPAM *** %s";
sudo vim /etc/rspamd/override.d/options.inc
local_addrs = [10.113.25.0/24];
enable_test_patterns = true;

Clamav 

Antivirus scanner

Outgoing mail filter

Install clamav

sudo dnf install clamav
sudo vim /etc/clamd.d/scan.conf
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /run/clamd.scan/clamd.sock

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
LocalSocketMode 666

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes
sudo systemctl start clamd@scan
sudo systemctl enable clamd@scan
sudo vim /etc/rspamd/local.d/antivirus.conf
clamav {

        servers = "/run/clamd.scan/clamd.sock";
        action = "rewrite_subject";
        scan_mime_parts = false;
}

Reject mails whose subject contains keyword “肺炎” or “wuhan”

sudo vim /etc/rspamd/local.d/regexp.conf

The re value must be in single quotes!!

"RE_SUBJECT_WUHAN" = {
        re = 'Subject=/.*wuhan.*/iums{header} || Subject=/.*\x{80ba}\x{708e}.*/iums{header}';
}

Action to take when the rule matches

sudo vim /etc/rspamd/local.d/force_actions.conf
rules {
        WUHAN_SUBJECT {
                action = "reject";
                expression = "RE_SUBJECT_WUHAN";
        }
}
sudo systemctl restart rspamd

Rspamd integrates with Postfix 

sudo vim /etc/postfix/main.cf

Add rspamd's port 11332 to the SMTP milters

smtpd_milters = inet:localhost:8891, inet:localhost:11332

Rspamd Milter support 

Enable self-scan mode on the rspamd proxy worker

sudoedit /etc/rspamd/local.d/worker-proxy.inc
upstream "local" {
        self_scan = yes;
}

SPF 

Configuring SPF Policy Agent

sudo dnf install pypolicyd-spf

Then add a user for policyd-spf.

sudo adduser policyd-spf --user-group --no-create-home -s /bin/false

Tell Postfix to start the SPF policy daemon when it starts. policyd-spf will run as the policyd-spf user.

sudo vim /etc/postfix/master.cf
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/libexec/postfix/policyd-spf
sudo vim /etc/postfix/main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service unix:private/policyd-spf

policyd-spf_time_limit = 3600

Null User check 

sudo vim /etc/postfix/main.cf
smtpd_sender_restrictions = reject_non_fqdn_sender reject_sender_login_mismatch check_sender_access hash:/etc/postfix/sender-check
sudo vim /etc/postfix/sender-check
<>      REJECT  null users are not allowed
sudo postmap /etc/postfix/sender-check
sudo systemctl restart postfix

Debug 

Greylist does not respond 

Turn on debug logging for greylist

sudo vim /etc/rspamd/local.d/logging.inc
debug_modules = ["greylist"];

The log shows

2020-06-09 19:52:04 #1736(normal) <3o7zxy>; lua; lua_redis.lua:1199: cannot upload script to 127.0.0.1:6379: Connection refused; registered from: /usr/share/rspamd/plugins/ratelimit.lua:206

-> rspamd's database, Redis, does not seem to be reachable

sudoedit /etc/rspamd/local.d/redis.conf

Changing localhost to 127.0.0.1 fixes it

write_servers = "127.0.0.1";
read_servers = "127.0.0.1";

Filter: Virus FAILED 

Check the permissions on the clamav socket

sudo ls -al /run/clamd.scan/
total 0
drwx--x---.  2 clamscan virusgroup  60 Jun 10 18:42 .
drwxr-xr-x. 28 root     root       780 Jun 10 18:42 ..
srw-rw-rw-.  1 clamscan clamscan     0 Jun 10 18:42 clamd.sock

Now add rspamd to virusgroup

Check what rspamd's username is

sudo cat /etc/passwd

rspamd's username is _rspamd

sudo gpasswd -a _rspamd virusgroup

Restart rspamd

sudo systemctl restart rspamd

DMARC 

DMARC: Check policy tests whether mail sent to the server that fails DMARC is correctly rejected (550 5.7.1)

But my /var/log/maillog shows 550 5.7.23

Jun  9 00:59:11 mail policyd-spf[1637]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=plain@0756125.nasa;ip=10.113.54.7;r=<UNKNOWN>
Jun  9 00:59:11 mail postfix/smtpd[1551]: NOQUEUE: reject: RCPT from unknown[10.113.54.7]: 550 5.7.23 <TA@0846101.nasa>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=plain@0756125.nasa;ip=10.113.54.7;r=<UNKNOWN>; from=<plain@0756125.nasa> to=<TA@0846101.nasa> proto=ESMTP helo=<judge-fake>
sudo vim /etc/python-policyd-spf/policyd-spf.conf

Turn off pypolicyd-spf's enhanced status codes so that the reject is reported as 550 5.7.1

#  For a fully commented sample config file see policyd-spf.conf.commented
SPF_Enhanced_Status_Codes = No
debugLevel = 1
TestOnly = 1

HELO_reject = Fail
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1