Hi,

I do not have big experience in mail servers setup, so I wanted to share my current setup with You, If You have any comments, feel free to post them.

I needed a small and simple mail server and after a lot of googling I went with that setup:


postfix --> dspam --> dovecot
[MTA] [SPAM] [LDA]


I do not have a problem (or at least I am not aware of it) with making these cooperate together, postfix(1) work well with SASL authentification, dovecot(1) serves well the imap/pop3 services, dspam(1) passes mails from postfix(1) into dovecot(1) properly.

Generally this setup supports virtual domains with virtual users, all with simple passwd(5) format file for authentification, mails are kept in Maildir format like that: /usr/mail/${DOMAIN}/${USER}@${DOMAIN}. Of course there is separate passwd(1) file per domain, with format as: /usr/mail/${DOMAIN}/dovecot_passwd, here is how it looks like:

/usr/mail/${DOMAIN}/dovecot_passwd

admin@domain.com:{PLAIN}password:2000:2000::/usr/mail/domain.com/admin@domain.com
virtual@domain.com:{DIGEST-MD5}22e693858f955b38b1a0cc4f13c3d8fc:2000:2000::/usr/mail/domain.com/virtual@domain.com


All mail is kept under /usr/mail dir, here is how it looks right now:

% ls -l /usr/mail
total 136
drwxr-x--- 3 root virtual 4 Aug 9 13:35 dspam/
-rw-r----- 1 virtual virtual 80 Aug 9 13:41 dspam_transport
-rw-r----- 1 virtual virtual 65536 Aug 6 11:36 dspam_transport.db
drwxr-x--- 4 virtual virtual 5 Aug 9 13:35 domain.com/
-rw-r----- 1 virtual virtual 278 Aug 9 13:41 postfix_accounts
-rw-r----- 1 virtual virtual 65536 Aug 9 13:42 postfix_accounts.db
drwxr-x--- 2 virtual virtual 11 Aug 9 13:35 scripts/

% ls -l /usr/mail/domain.com
-rw-r----- 1 virtual virtual 277 Aug 5 11:04 dovecot_passwd
drwx------ 7 virtual virtual 13 Aug 9 13:46 admin@domain.com/
drwx------ 5 virtual virtual 9 Aug 6 11:22 virtual@domain.com/


Also, all accounts are listed (not per domain, but 'globally' in /usr/mail/postfix_accounts file, here:

/usr/mail/postfix_accounts

# mbox -----> admin@bot.pl bot.pl/admin
# maildir --> admin@bot.pl bot.pl/admin/
# FORMAT: user@domain domain/user@domain/

spam@domain.com x
ham@domain.com x

admin@domain.com domain.com/admin@domain.com/
virtual@domain.com domain.com/virtual@domain.com/


Here is the dovecot(1) configuration:

/usr/local/etc/dovecot.conf

ssl = no
disable_plaintext_auth = no

protocols = pop3 imap

protocol pop3 {
listen = *:110
login_processes_count = 1
login_max_processes_count = 32
pop3_client_workarounds = outlook-no-nuls
}

protocol imap {
listen = *:143
login_processes_count = 1
login_max_processes_count = 32
imap_client_workarounds = outlook-idle
}

auth default {
mechanisms = plain login digest-md5
userdb passwd-file {
args = /usr/mail/%d/dovecot_passwd
}
passdb passwd-file {
args = /usr/mail/%d/dovecot_passwd
}
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = virtual
group = virtual
}
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}

mail_location = maildir:/usr/mail/%d/%u

log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot_info.log
protocol lda {
postmaster_address = admin@domain.com
log_path = /var/log/dovecot_lda.log
}


Here is the dspam(1) configuration:

/usr/local/etc/dspam.conf

Home /usr/mail/dspam
StorageDriver /usr/local/lib/dspam/libhash_drv.so
TrustedDeliveryAgent "/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}"

OnFail error

Trust root
Trust dspam
Trust virtual
Trust dovecot
Trust mail
Trust daemon

TrainingMode teft
TestConditionalTraining on
Feature whitelist
Algorithm graham burton
Tokenizer chain
PValue bcr
WebStats off

Preference "trainingMode=TEFT"
Preference "spamAction=quarantine"
Preference "spamSubject=[SPAM]"
Preference "statisticalSedation=5"
Preference "enableBNR=on"
Preference "enableWhitelist=on"
Preference "signatureLocation=message"
Preference "tagSpam=off"
Preference "tagNonspam=off"
Preference "showFactors=off"
Preference "optIn=off"
Preference "optOut=off"
Preference "whitelistThreshold=10"
Preference "makeCorpus=off"
Preference "storeFragments=off"
Preference "localStore="
Preference "processorBias=on"
Preference "fallbackDomain=off"
Preference "trainPristine=off"
Preference "optOutClamAV=off"
Preference "ignoreRBLLookups=off"
Preference "RBLInoculate=off"

AllowOverride enableBNR
AllowOverride enableWhitelist
AllowOverride fallbackDomain
AllowOverride ignoreGroups
AllowOverride ignoreRBLLookups
AllowOverride localStore
AllowOverride makeCorpus
AllowOverride optIn
AllowOverride optOut
AllowOverride optOutClamAV
AllowOverride processorBias
AllowOverride RBLInoculate
AllowOverride showFactors
AllowOverride signatureLocation
AllowOverride spamAction
AllowOverride spamSubject
AllowOverride statisticalSedation
AllowOverride storeFragments
AllowOverride tagNonspam
AllowOverride tagSpam
AllowOverride trainPristine
AllowOverride trainingMode
AllowOverride whitelistThreshold
AllowOverride dailyQuarantineSummary

HashRecMax 98317
HashAutoExtend on
HashMaxExtents 0
HashExtentSize 49157
HashPctIncrease 10
HashMaxSeek 10
HashConnectionCache 10

Notifications off
PurgeSignatures 14
PurgeNeutral 90
PurgeUnused 90
PurgeHapaxes 30
PurgeHits1S 15
PurgeHits1I 15

LocalMX 127.0.0.1
SystemLog on
UserLog on
Opt out
ServerMode standard

ServerParameters "--deliver=innocent -d %u"
ServerIdent "mail.domain.com"
ServerDomainSocketPath "/var/run/dspam.sock"

ProcessorURLContext on
ProcessorBias on
StripRcptDomain off


/usr/mail/dspam_transport

spam@domain.com dspam-retrain:spam
ham@domain.com dspam-retrain:innocent


The postfix(1) configuration:

/usr/local/etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
mynetworks_style = host
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
mailbox_command = /usr/local/libexec/dovecot/deliver
unknown_local_recipient_reject_code = 550

myhostname = mail.domain.com
mynetworks = 0.0.0.0/8,127.0.0.0/8

smtpd_use_tls = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
broken_sasl_auth_clients = yes
strict_rfc821_envelopes = no

virtual_mailbox_domains = domain.com
virtual_mailbox_base = /usr/mail
virtual_mailbox_maps = hash:/usr/mail/postfix_accounts
virtual_minimum_uid = 100
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_transport = lmtp:unix:/var/run/dspam.sock
transport_maps = hash:/usr/mail/dspam_transport
dspam_destination_recipient_limit = 1

/usr/local/etc/postfix/master.cf

# ================================================== ========================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ================================================== ========================
smtp inet n - n - - smtpd
-o content_filter=lmtp:unix:/var/run/dspam.sock
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
dspam-retrain unix - n n - - pipe
flags=Rhq argv=/usr/local/bin/dspamc --client --mode=teft --class=${nexthop} --source=error --user ${sender}


System configuration:

/etc/rc.conf

hostname="mail.domain.com"
sshd_enable="YES"
postfix_enable="YES"
dspam_enable="YES"
dspam_pidfile="/var/run/dspam.pid"
dovecot_enable="YES"
syslogd_flags="-s -s"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"


/etc/group (important ones)

mail:*:6:postfix
virtual:*:2000:
dovecot:*:143:
postfix:*:125:


/etc/passwd (important ones)

virtual:*:2000:2000:virtual:/usr/mail:/usr/sbin/nologin
dovecot:*:143:143:Dovecot User:/var/empty:/usr/sbin/nologin
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin


My current concerns are:
-- dspam(1) daemon runs on root, it should run on its user (like dspam for example), any tips how to make the permissions?

Like I said before, any comments welcome.

Reserved because of 10000 char limit per post for the future.

I assume that there were zero responses here because not many experienced mail server admins here? ;)

Why didn't you post this in HOWTO section?

Here's my howto
http://forums.freebsd.org/showthread.php?t=10728
a little more complex and probably more buggy :) perhaps it can be of any help....
I will see If I can (and want to) integrate dspam in my setup :)

I'd love to recommend you mail/spamd with pf (I had trouble getting it to work with ipfw. I gave up)
It saves server from lots of spam... especially with China etc blacklisted :)
I don't expect any mail from China :)

Thanks for posting your howto

Why didn't you post this in HOWTO section?
Because I am not sure if this is well setup'ed mail server.

Here's my howto
http://forums.freebsd.org/showthread.php?t=10728
a little more complex and probably more buggy :) perhaps it can be of any help....
I will see If I can (and want to) integrate dspam in my setup :)
Nice mate, integrating dspam(1) should be relatively easy for your setup, You will only have to put dspam(1) between postfix(1) and dovecot(1).

I'd love to recommend you mail/spamd with pf (I had trouble getting it to work with ipfw. I gave up)
It saves server from lots of spam... especially with China etc blacklisted :)
I don't expect any mail from China :)
Thanks for recommendations ;)

Because I am not sure if this is well setup'ed mail server.

Anyone using this kind of howtos MUST be prepared, that he/she will have to dig, debug, fix, read, search and improvise...

It took me more than week to get my mail server up and running from various howtos and documentations.... and I still improve it from time to time

Also note on spamd.... emails from new IP's will be delayed.... and you need to manually white list google, because they use different IPs to retry sending mail

I can send you my google whitelist if you want


There is also postgray (google it), but I can't find it in ports....

btw, are you planning to use spamassasin? (I recommend it very much)
and you should install and configure mail/dovecot-sieve

I use sieve to move spam to spam folder :D

require "fileinto";

if anyof ( header :contains "X-Spam-Flag" "Yes",
header :matches ["X-Spam-score", "X-Remote-Spam-score"]
["5.?", "6.?", "7.?", "8.?", "9.?", "1?.?", "2?.?", "3?.?", "4?.?", "5?.?", "6?.?", "7?.?"], # 5.0 to 79.9
header :contains ["To", "Cc"] ["undisclosed-recipients", "undisclosed recipients"]
)
{
fileinto "Junk";
stop;
}

# http://www.okean.com/antispam/headers.html
if allof ( header :contains "Content-type" "text/html; charset",
header :contains "Content-type" ["big5", "ks", "euc-kr", "gb2312", "euc-tw", "iso-2022-kr", "ks_c_5601-1987"]
)
{
fileinto "Junk";
stop;
}


here's small part of my sieve script

Also note on spamd.... emails from new IP's will be delayed.... and you need to manually white list google, because they use different IPs to retry sending mail. I can send you my google whitelist if you want

I will see how this setup will carry on and let You know, it will be used by only a few accounts.

There is also postgray (google it), but I can't find it in ports....

Its postgrey, and its in packages/ports:
http://www.freshports.org/mail/postgrey/

... but I also typed postgrAy in google ;)


btw, are you planning to use spamassasin? (I recommend it very much)
I have chosen dspam(1) to avoid using spamassassin, and have read that dspam is better (and less resources hungry at the same time), but time will tell if I will use it.

Thanks for Your suggestions and feedback mate.

some rough stats:
since 1st June I received only 37 spams, of which only 3-4 were false negatives, 0 of many (some 2 hundred probably, maybe even more) false positives

since Jun 23 spamd stopped 94 spams from china etc (with blacklist)
and god know how many spamd didn't pass gray list :D every day it sops at least 3 spams

EDIT:
spamassasin ain't that resource hungry :D

ahh, almost forgot
http://wiki.apache.org/spamassassin/OtherTricks

Fake MX recors, I don't know how much spam they prevent, but it's quite easy to implement and I'm using it....

Fake MX records do help, though I've abandoned them in favour of greylisting now.

I used three MX records, and only the middle one was real. So for example:


IN MX 100 fake.smtp
IN MX 105 real.smtp
IN MX 110 fake.smtp


The fake ones can be one and the same. Spammer and bots usually pick the best or the worst MX, without falling back to the 2nd one. You should make sure that the fake IPs deliver an immediate tcp reset on port 25, or all genuine mail will hang for about 75 seconds.

Again: greylisting is a more elegant option, but the above served me well before that.

I use both fake MX and gray listing


DutchDaemon, what do you use spamd or postgrey, or something else?

I use mail/milter-greylist. And it's still 'both' ;)

Hello vermaden, thanks for the dspam part.

I am thinking of replacing MailScanner for dspam.
The only thing is the webinterface of dspam, i can not get it to work.

Do you have that enabled, and if so can you extend the HOW TO

regards,
Sylhouette

@Sylhouette

Welcome mate.

I havent 'done' the web interface part because that machine was intended to be small (or oven tiny) because it has 128MB RAM and needs only about 400MB for everything (it will be running in VMware ESX/vSphere virtual machine to be precise), I even replaced 'stock' ssh daemon with security/dropbear because sshd consumes a lot more memory then dropbear.

If I will be adding the web interface, I would definitely add that info here.

You might want to use some of rfc-ignorant.org RHSBLs in postfix.

Basically you should block all messages that have sender or recipient address in bogusmx.rfc-ignorant.org because sending mail to those domains or bouncing those messages is not going to work and it's best just to reject them in smtpd_sender_restrictions and smtpd_recipient_restrictions.

The other useful rhsbl is dsn.rfc-ignorant.org, it blocks any email with domain name that does not accept NULL sender (<>) that a DSN (delivery status notification message) uses, making proper bouncing of undelivered mail very hard. You might come across some MTAs that are listed in dsn.rfc-ignorant.org but you'd still want to accept email from them, whitelist those in smtpd_client_restrictions (or smtpd_sender_restrictions or both).

I do not recommend using postmaster.rfc-ignorant.org rhsbl, there are some very big domains that just don't have a working postmaster address.

http://www.rfc-ignorant.org/how_to_domain.php

@kpa

Thanks for suggestion, I will read about it.

Hi there,

first of all thanks for this quite nice tutorial. It fits almost all my needs :)

Unfortunately I have some problems which I think could be solved one after another.


/var/log/maillog
[...]
Jan 28 17:24:09 mail2 postfix/master[54620]: warning: process /usr/local/libexec/postfix/smtpd pid 54788 exit status 1
Jan 28 17:24:09 mail2 postfix/master[54620]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
Jan 28 17:25:04 mail2 postfix/smtpd[54793]: fatal: open database /usr/mail/postfix_accounts.db: No such file or directory
Jan 28 17:25:05 mail2 postfix/master[54620]: warning: process /usr/local/libexec/postfix/smtpd pid 54793 exit status 1
[...]


How can I create this .db file (maybe postfix should create it itself at startup but it doesn't) and what does this "bad command startup" mean?
These errors happen when I try connecting to postfix using thunderbird.

If needed:
/usr/local/etc/postfix/mail.cf

queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
mynetworks_style = host
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
mailbox_command = /usr/local/libexec/dovecot/deliver
unknown_local_recipient_reject_code = 550

myhostname = mail2
#mynetworks = 0.0.0.0/8,127.0.0.0/8,10.0.0.0/8
#Note: 10.0.0.0/8 is my subnet for ezjails

smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom



smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot


smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_unauth_pipelining,
reject_invalid_hostname,
reject_rbl_client bl.spamcop.net


#smtpd_recipient_restrictions =
# permit_mynetworks,
# permit_sasl_authenticated,
# reject_unauth_destination

broken_sasl_auth_clients = yes
strict_rfc821_envelopes = no

virtual_mailbox_domains = extraneous.for.this
virtual_mailbox_base = /usr/mail
virtual_mailbox_maps = hash:/usr/mail/postfix_accounts
virtual_minimum_uid = 100
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_transport = lmtp:unix:/var/run/dspam.sock
transport_maps = hash:/usr/mail/dspam_transport
dspam_destination_recipient_limit = 1


/usr/local/etc/postfix/master.cf

# ================================================== ========================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ================================================== ========================
smtp inet n - n - - smtpd
-o content_filter=lmtp:unix:/var/run/dspam.sock

smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticate d,reject
-o message_size_limit=26214400

pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
dspam-retrain unix - n n - - pipe
flags=Rhq argv=/usr/local/bin/dspamc --client --mode=teft --class=${nexthop} --source=error --user ${sender}


I added SSL support to dovecot and postfix using this tutorial (thanks too ;)) : http://forums.freebsd.org/showthread.php?t=10728

Greetings
Werner

Hi there,

first of all thanks for this quite nice tutorial. It fits almost all my needs :)

Welcome mate.

How can I create this .db file (maybe postfix should create it itself at startup but it doesn't) and what does this "bad command startup" mean?

Try that one:
# cd /usr/mail
# postmap postfix_accounts


... also, I have moved from DSPAM to SpamAssassin since DSPAM stopped working at non deterministic way, just hang without any significant error ...

I really liked DSPAM because of its small code written in C, it was really fast and low on memory, a great scanner ... but really unmaintained. I regret that SpamAssassin takes a lot more 'momentum' then DSPAM and that DSPAM has so little community.

Hi there,

fast answer wow :-)

postmap postfix_accounts
working very well. I did the same with dspam_transport, 'cause postfix wanted it :D.

Now everything seems working well, even SSL :h.

Would you edit your Howto and add Spamassassin?

Grettings
Werner


Update:

I tried to integrate sa and clamav using amavisd myself using a view tutorials found with google, but I wasn't successfull.

Postfix doesnt receive emails from outside and emails sent by myself being dropt by amavis:
Jan 29 09:39:15 mail2 amavis[58098]: (!)DENIED ACCESS from IP 10.0.0.3, policy bank ''

/etc/hosts
127.0.0.1 localhost localhost.localdomain
10.0.0.3 mail2 mail2.localdomain

I edited inet_interfaces and hosts based on this:
http://www.mail-archive.com/freebsd-questions@freebsd.org/msg05604.html

/usr/local/etc/amavisd.conf
use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
[...]

$max_servers = 2; # num of pre-forked children (2..30 is common), -m
$daemon_user = 'vscan'; # (no default; customary: vscan or amavis), -u
$daemon_group = 'vscan'; # (no default; customary: vscan or amavis), -g

$mydomain = 'mail2.localdomain'; # a convenient default for other settings

# $MYHOME = '/var/amavis'; # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = '/var/virusmails'; # -Q
# $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
# $release_format = 'resend'; # 'attach', 'plain', 'resend'
# $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf'

# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R

# $db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S
# $lock_file = "$MYHOME/var/amavisd.lock"; # -L
# $pid_file = "$MYHOME/var/amavisd.pid"; # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

$log_level = 5; # verbosity 0..5, -d
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_facility = 'mail'; # Syslog facility as a string
# e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug'; # Syslog base (minimal) priority as a string,
# choose from: emerg, alert, crit, err, warning, notice, info, debug

$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1; # enable DKIM signatures verification
$enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key

@local_domains_maps = ( [".$mydomain"] ); # list of all local domains

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

$unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter
# option(s) -p overrides $inet_socket_port and $unix_socketname

$inet_socket_port = 10024; # listen on this local TCP port(s)
# $inet_socket_port = [10024,10026]; # listen on multiple TCP ports

$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
originating => 1, # is true in MYNETS by default, but let's make it explicit
os_fingerprint_method => undef, # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
originating => 1, # declare that mail was submitted by our smtp client
allow_disclaimers => 1, # enables disclaimer insertion if available
# notify administrator of locally originating malware
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["virusalert\@$mydomain"],
warnbadhsender => 1,
# forward to a smtpd service providing DKIM signing service
forward_method => 'smtp:[127.0.0.1]:10027',
# force MTA conversion to 7-bit (e.g. before DKIM signing)
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_banned_checks_maps => [1], # allow sending any file names and types
terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
};

$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname

[...]
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';

$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)

$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus = 1; # MIME-wrap passed infected mail
$defang_banned = 1; # MIME-wrap passed mail containing banned name
# for defanging bad headers only turn on certain minor contents categories:
$defang_by_ccat{+CC_BADH.",3"} = 1; # NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1; # header line longer than 998 characters
$defang_by_ccat{+CC_BADH.",6"} = 1; # header field syntax error


# OTHER MORE COMMON SETTINGS (defaults may suffice):

$myhostname = 'mail2.localdomain'; # must be a fully-qualified domain name!

# $notify_method = 'smtp:[127.0.0.1]:10025';
# $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!

$final_virus_destiny = D_PASS;
# $final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_PASS;
# $final_bad_header_destiny = D_PASS;
# $bad_header_quarantine_method = undef;

$os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl


# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
[...]

/usr/local/etc/postfix/main.cf
[...]
myhostname = mail2
mynetworks = 127.0.0.0/8, 10.0.0.0/8
inet_interfaces = $myhostname, 10.0.0.3
[...]
virtual_transport = dovecot
#transport_maps = hash:/usr/mail/dspam_transport
dovecot_destination_recipient_limit = 1
content_filter = smtp-amavis:[127.0.0.1]:10024
max_use = 10


/usr/local/etc/master.cf
# ================================================== ========================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ================================================== ========================
#smtp inet n - n - - smtpd

smtp-amavis unix - - y - 2 lmtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes

127.0.0.1:10025 inet n - y - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,rej ect
-o mynetworks=10.0.0.0/8,127.0.0.0/8
-o strict_rfc821_envelopes=yes

smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticate d,reject
-o message_size_limit=26214400

pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#dspam-retrain unix - n n - - pipe
# flags=Rhq argv=/usr/local/bin/dspamc --client --mode=teft --class=${nexthop} --source=error --user ${sender}

I omit some comments and unnessecary parts of these config files to fall below the 10000 character limit ;)

Werner

Would you edit your Howto and add Spamassassin?


I would rather create new howto, but yes, I will add it some day ;)

Hey,

Did you set any special options when installing each package? Basically you didn't touch any of the other options in the config files when preparing your mail server? Also, what kind of port forwarding has to be done? Obviously the ports that you set in your dovecot.conf has to be forwarded... any others?

Hey,

Did you set any special options when installing each package? Basically you didn't touch any of the other options in the config files when preparing your mail server? Also, what kind of port forwarding has to be done? Obviously the ports that you set in your dovecot.conf has to be forwarded... any others?

You need to compile postfix with one of these:
[ ] DOVECOT Dovecot 1.x SASL authentication method
[ ] DOVECOT2 Dovecot 2.x SASL authentication method

I have used dovecot 1.2, but I have also read recently that dovecot 2.x has many good improvements:
http://wiki2.dovecot.org/Upgrading/2.0

I assume that there were zero responses here because not many experienced mail server admins here? ;)

Well, I have to work with sendmail and most of the time I don't have many time because of this fact :P ;-)

I haven't tried sendmail, I started 'mail experience' with postfix, but I have heard that sendmail has its 'downsides' ;)