

...

Not much to do here, just create databases, users and permissions for zarafa and dspam:

~# mysql -uroot -p
mysql> create database zarafa;
mysql> grant all on zarafa.* to 'zarafa'@'localhost' identified by 'secret';
mysql> flush privileges;

...

This is the service which talks to postfix and delivers mail to zarafa mailboxes. The dagent must be enabled in zarafa's default file. We adjust some values for spam management here that will later tie in nicely with dspam.spamassassin:

File: /etc/default/zarafa
# Turn on the zarafa delivery agent (dagent) and point it at its own config file.
DAGENT_ENABLED=yes
DAGENT_CONFIG=/etc/zarafa/dagent.cfg
# NOTE(review): "-d" presumably runs the dagent as the LMTP listener that
# Postfix's virtual_transport delivers to — confirm against the zarafa-dagent
# man page / --help output.
DAGENT_OPTS="-d"

...

File: /etc/postfix/main.cf
# Identity and basic delivery settings.
smtpd_banner            = $myhostname ESMTP NO UCE
myhostname              = mail.example.com
biff                    = no
append_dot_mydomain     = no
# NOTE(review): every host in these ranges is trusted by permit_mynetworks
# (used in the restriction lists below) and may relay without authenticating;
# keep the range as narrow as the environment allows.
mynetworks              = 127.0.0.0/8, 10.1.0.0/16
recipient_delimiter     = +
inet_interfaces         = all
myorigin                = $myhostname
mydestination           = $myhostname localhost.example.com, localhost

# Hosted domains: recipients and aliases are looked up in LDAP, delivery goes
# over LMTP to 127.0.0.1:2003 (presumably the zarafa dagent started from
# /etc/default/zarafa — confirm its listen port in dagent.cfg).
virtual_mailbox_domains = example.com, example.net, example.org
virtual_mailbox_maps    = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps      = ldap:/etc/postfix/ldap-aliases.cf
virtual_transport       = lmtp:127.0.0.1:2003

# SASL
# broken_sasl_auth_clients additionally announces AUTH in the obsolete
# "AUTH=" form for old clients; harmless because AUTH is TLS-only below.
smtpd_sasl_auth_enable          = yes
broken_sasl_auth_clients        = yes

# TLS encryption
# "may" = opportunistic STARTTLS; smtpd_tls_auth_only keeps SASL credentials
# off the wire by offering AUTH only inside a TLS session.
smtpd_tls_security_level        = may
smtpd_tls_auth_only             = yes
smtpd_tls_cert_file             = /etc/postfix/keys/postfix.crt
smtpd_tls_key_file              = /etc/postfix/keys/postfix.key
smtpd_tls_CAfile                = /etc/postfix/keys/postfix.pem
# NOTE(review): loglevel 0 records nothing about TLS; level 1 logs a one-line
# handshake summary per session and is the usual production choice for
# troubleshooting and for spotting clients that never negotiate TLS.
smtpd_tls_loglevel              = 0
smtpd_tls_received_header       = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source               = dev:/dev/urandom

### Before-220 tests (postscreen / DNSBL)
# Clients in mynetworks and the CIDR file skip postscreen entirely; a client
# that matches a reject entry in the access list is dropped without a reply.
postscreen_access_list          = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_reply_map      = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action     = drop
postscreen_dnsbl_action         = enforce
postscreen_greet_action         = enforce
# Weighted DNSBL scoring: a client is rejected once the sum of the weights of
# the lists it appears on reaches 4 (unweighted sites count 1). A single
# zen.spamhaus.org hit (3) is not enough on its own; swl.spamhaus.org is a
# whitelist and subtracts 4.
postscreen_dnsbl_threshold      = 4
postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        swl.spamhaus.org*-4
postscreen_whitelist_interfaces = $mynetworks, static:all
 
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests! This basically enables some kind of greylisting!
#postscreen_bare_newline_action = enforce
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.


# CLAMAV integration via clamsmtp proxy
# Every accepted message is handed to the "scan" transport (defined in
# master.cf, not shown here). no_address_mappings stops this smtpd from
# applying canonical/virtual alias rewriting so it happens only once, on the
# re-injection path after the filter (see FILTER_README).
content_filter                  = scan:127.0.0.1:10025
receive_override_options        = no_address_mappings
 
# check incoming mail for 'stuff'
# reject_unauth_destination is the entry that prevents this host from being
# an open relay: anything not from mynetworks or SASL-authenticated must be
# addressed to one of our own domains.
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_recipient_domain,
        reject_non_fqdn_recipient,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_unauth_destination,
        reject_unauth_pipelining,
        reject_invalid_hostname

# Reject clients that send SMTP commands ahead without being told they may.
smtpd_data_restrictions =
        reject_unauth_pipelining

# client restrictions
# NOTE(review): a restriction list stops at the first PERMIT. Because
# permit_auth_destination precedes check_client_access, mail addressed to our
# own domains is permitted before /etc/postfix/dspam_filter_access (not shown)
# is ever consulted; if that map sets a FILTER for dspam, it cannot fire for
# inbound mail as written. If so, move the check_client_access line above
# permit_auth_destination. Also note an access-map FILTER overrides
# content_filter for that message, so the clamsmtp scan above would be
# bypassed unless the dspam path re-injects through it — verify in master.cf.
smtpd_client_restrictions =
        permit_mynetworks,
        permit_auth_destination,
        permit_sasl_authenticated,
        check_client_access pcre:/etc/postfix/dspam_filter_access

# anybody out there?
# HELO/EHLO must be a syntactically valid, fully qualified hostname.
smtpd_helo_restrictions =
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname

# who may send
# The sender-domain checks are listed before permit_sasl_authenticated, so
# authenticated users are also held to a resolvable, fully qualified sender.
smtpd_sender_restrictions =
        reject_unknown_sender_domain,
        reject_non_fqdn_sender,
        permit_sasl_authenticated,
        permit_mynetworks

# mail reject codes
# All 5xx: permanent rejections. unknown_client_reject_code and
# unknown_hostname_reject_code only matter for reject_unknown_client_hostname /
# reject_unknown_helo_hostname, neither of which appears in the lists above.
unknown_address_reject_code             = 554
unknown_client_reject_code              = 554
unknown_hostname_reject_code            = 554
unknown_local_recipient_reject_code     = 554
unknown_relay_recipient_reject_code     = 554
unknown_virtual_alias_reject_code       = 550
unknown_virtual_mailbox_reject_code     = 550
# deferred mail intervals

# (default: 300 seconds; before Postfix 2.4: 1000s)
# How often the queue manager scans the queue for deferred mail.
queue_run_delay                 = 900

# (default: 300 seconds; before Postfix 2.4: 1000s)
# The minimal amount of time a message won't be looked at, and the minimal amount of time to stay away from a "dead" destination.
minimal_backoff_time            = 450

# (default: 4000 seconds)
# The maximal amount of time a message won't be looked at after a delivery failure.
maximal_backoff_time            = 1800

# (default: 5 days)
# How long a message stays in the queue before it is sent back as undeliverable. Specify 0 for mail that should be returned immediately after the first unsuccessful delivery attempt.
# Unit-less value: this parameter's default unit is days, so 14 = 14 days.
maximal_queue_lifetime          = 14

# (default: 5 days, available with Postfix version 2.1 and later)
# How long a MAILER-DAEMON message stays in the queue before it is considered undeliverable. Specify 0 for mail that should be tried only once.
bounce_queue_lifetime           = 14

# (default: 20000)
# The size of many in-memory queue manager data structures. Among others, this parameter limits the size of the short-term, in-memory list of "dead" destinations. Destinations that don't fit the list are not added.
qmgr_message_recipient_limit    = 1000000

# max message size (15M)
message_size_limit              = 15360000

...