This is a disclaimer: Using the notes below is dangerous for both your sanity and peace of mind. If you still want to read them, beware of the fact that they may be "not even wrong". Everything I write in there is just a mnemonic device to give me a chance to fix things I badly broke because I'm bloody stupid and think I can tinker with stuff that is way above my head and get away with it. It reminds me of Gandalf's warning: "Perilous to all of us are the devices of an art deeper than we ourselves possess." Moreover, a lot of it I blatantly stole on the net from other obviously cleverer persons than me -- not very hard. Forgive me. My bad. Please consider it and go away. You have been warned!
(:#toc:)
Draft of the BIC Mail Infrastructure.
Old CVS tag, left for posterity
(:source:)
###########################################################################
#
# $Id: bic-mail.txt,v 1.7 2013-10-24 19:51:10 malin Exp $
# $Author: malin $
# $Date: 2013-10-24 19:51:10 $
#
###########################################################################
(:sourceend:)
I like ascii diagrams so here it goes :)
(:source:)
                ..> /var/spool/mqueue              ..> /var/spool/mqueue-client
                .                                  .
            ----------                          ----------      ..> /home/bic
 out <-->   |smtphost|          <-->            |mailhost|  ......> /var/mail
            ----------                          ----------
                ..> /var/spool/mqueue   ^          ..> /var/spool/mqueue-client
                                        |
                                        |
          -------------                 |
          |nullclients| ----------------+
          -------------
(:sourceend:)
In a nutshell: smtphost.bic.mni.mcgill.ca acts as a gateway for email, sanitizing (virus and spam) inbound and outbound SMTP connections. All hosts behind it at the BIC smarthost to it. smtphost.bic.mni.mcgill.ca relays incoming mail to mailhost.bic.mni.mcgill.ca for final delivery. In a sense, smtphost.bic.mni.mcgill.ca is the edge box while mailhost.bic.mni.mcgill.ca is the core box.
Mailbox access using IMAP with TLS/SSL is available on mailhost using the University of Washington server software, UW-imapd. Note that this will change soon as Debian/Wheezy doesn't support it anymore. Testing is underway with dovecot.
smtphost runs four different Sendmail Mail Filters (milters), the last one still in testing:
- Greylist milter for sendmail, milter-greylist version 4.5.11-1
- milter for filtering mail through SpamAssassin, spamass-milter version 0.3.2-1+b1
- ClamAV anti-virus utility for Unix - sendmail integration, clamav-milter version 0.99.2+dfsg-0+deb8u2
- OpenDKIM (DomainKeys Identified Mail Signatures) milter version 2.6.8, in testing mode at present time (20160113).
DNS Setup
(:source:)
bic.mni.mcgill.ca.   86400  IN  MX     10 krishna.bic.mni.mcgill.ca.
kurma                       IN  A      132.206.178.241
mail                        IN  CNAME  krishna.bic.mni.mcgill.ca.
mailhost                    IN  CNAME  tubal.bic.mni.mcgill.ca.
mailhub                     IN  CNAME  tubal.bic.mni.mcgill.ca.
smtphost                    IN  CNAME  krishna.bic.mni.mcgill.ca.
; --------[ Sender Policy Framework (SPF) for domain ] ----------
bic.mni.mcgill.ca.          IN  TXT    "v=spf1 a:smtphost.bic.mni.mcgill.ca. mx ip4:132.206.178.246 ~all"
; --------[ google site verification dung ] ----------
bic.mni.mcgill.ca.          IN  TXT    "google-site-verification=gA-rxpZ4fHj09quaKKaDAr2ykkHLIMji8-9mlnY7kpM"
; --------[ DomainKeys Identified Mail (DKIM) for domain ] ----------
kurma._domainkey     3600   IN  TXT    "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGS....jXESkwIDAQAB"
; ----- DKIM kurma for bic.mni.mcgill.ca in test mode t=y
(:sourceend:)
Two things to keep in mind when reading this zone: the SPF record ends in ~all (softfail), so receivers are only asked to mark, not reject, mail from hosts not listed; and the kurma selector carries t=y, which tells verifiers to treat a failed signature exactly as if the message were unsigned, i.e. DKIM currently buys nothing until the flag is removed.
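The SPF record above can be checked offline. The following Python is an added example (not part of these notes and not sendmail's or any SPF library's code): a minimal evaluator for the a:, mx, ip4 and all mechanisms, driven by a constructed in-memory DNS table. The CNAMEs, the MX and kurma's A record come from the zone excerpt above; the A record for krishna (132.206.178.246) is an assumption, since the excerpt does not show it.

```python
"""Minimal SPF (RFC 7208) evaluator for the mechanisms used by the
bic.mni.mcgill.ca record: a:, mx, ip4 and all.  Added example, not part of
the BIC notes.  DNS answers come from a constructed table; the A record for
krishna is an ASSUMPTION (the zone excerpt does not show it)."""
import ipaddress

SPF_RECORD = "v=spf1 a:smtphost.bic.mni.mcgill.ca. mx ip4:132.206.178.246 ~all"

# Constructed DNS table.  CNAMEs, MX and kurma's A record are from the zone
# excerpt; krishna's address (and thus smtphost/mail) is assumed.
DNS = {
    "bic.mni.mcgill.ca.": {"MX": [(10, "krishna.bic.mni.mcgill.ca.")]},
    "kurma.bic.mni.mcgill.ca.": {"A": ["132.206.178.241"]},
    "krishna.bic.mni.mcgill.ca.": {"A": ["132.206.178.246"]},   # assumed
    "smtphost.bic.mni.mcgill.ca.": {"CNAME": "krishna.bic.mni.mcgill.ca."},
    "mail.bic.mni.mcgill.ca.": {"CNAME": "krishna.bic.mni.mcgill.ca."},
    "mailhost.bic.mni.mcgill.ca.": {"CNAME": "tubal.bic.mni.mcgill.ca."},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fqdn(name):
    return name if name.endswith(".") else name + "."


def lookup_a(name, depth=0):
    """A records for a name, following CNAMEs (bounded, like a resolver)."""
    rr = DNS.get(fqdn(name), {})
    if "CNAME" in rr and depth < 8:
        return lookup_a(rr["CNAME"], depth + 1)
    return rr.get("A", [])


def lookup_mx(name):
    """MX targets for a domain, lowest preference first."""
    return [host for _, host in sorted(DNS.get(fqdn(name), {}).get("MX", []))]


def ip_in(ip, addrs):
    return any(ipaddress.ip_address(ip) == ipaddress.ip_address(a) for a in addrs)


def check_spf(client_ip, domain, record=SPF_RECORD):
    """SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none') for mail
    claiming to be from `domain` and arriving from `client_ip`.  Mechanisms
    are evaluated left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip_in(client_ip, lookup_a(arg or domain))
        elif mech == "mx":
            matched = any(ip_in(client_ip, lookup_a(h)) for h in lookup_mx(arg or domain))
        else:
            continue                       # include/exists/ptr not needed here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no explicit all
```

Under the stated assumption, mail from kurma (132.206.178.241) gets softfail: the host publishes a DKIM selector but is not named in the SPF record (it is neither smtphost, nor the MX, nor the ip4 address). Because the record ends in ~all, a receiver will only mark such mail; the same record with -all would turn that case into a hard fail, which is worth checking before tightening the policy.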
EDGE SMTPHOST
- The MX record for bic.mni.mcgill.ca points to krishna.bic.mni.mcgill.ca. Note that one should not use the CNAME smtphost.bic.mni.mcgill.ca for an MX. Always use the True Name for an MX record. Using CNAMEs for MX records is considered a Sin (RFC 2181 forbids it outright).
- No aliasing, no forwards, no NIS, no luser info, no home dirs for lusers, ie no luser logins allowed and no disks mounted except maybe the Debian mirror stuff for updates/upgrades.
- The only luser information on smtphost consists of the luser remapping namespace in the virtusertable and genericstable databases, used to rewrite addresses <luser> → <joe.doe@bic.mni.mcgill.ca>, and the users who are greylisted (/etc/mail/greylist.conf).
- This box is essentially an email sanitizer. Nothing is written to disk except for /var/spool/mqueue (outbound connection timeouts) or /var/spool/mqueue-client (inbound connection timeouts to the mailhost).
- All inbound or outbound messages are miltered using ClamAV, SpamAssassin and GreyList for virii and spams.
- Third-party ClamAV signature databases provided by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, INetMsg and ScamNailer are also used.
- GreyList is configured to whitelist all traffic originating from the bic.mni.mcgill.ca domain. Greylisting and blacklisting is done in smtphost:/etc/mail/greylist.conf. The milter detects changes in that file and automatically reloads itself when it is modified.
- The greylist milter on smtphost is SPF-aware, and an entry in our DNS maps exists so that ONLY emails originating from our core smtp server are considered legit. Note: SPF HAS BEEN RE-ENABLED
- Spams are tagged but not discarded: it's up to the user to intercept them with a procmail recipe (or whatever they fancy) and set their own tolerance level.
- If virii are detected, plonk! the message is discarded, no questions asked. No bounce is generated either, as it just generates more crap traffic and, anyway, the return address of such mail is bogus the vast majority of the time.
- Clean inbound mail is relayed to mailhost.bic.mni.mcgill.ca for final delivery in /var/mail, or rerouted depending on aliases and/or forward files and user preferences.
- Outbound mail coming from nullclients or mailhost.bic.mni.mcgill.ca is miltered and, if clean, sent out. Headers and envelope are masqueraded as 'bic.mni.mcgill.ca'. smtphost.bic.mni.mcgill.ca should have MAIL_HUB set to `mailhost.bic.mni.mcgill.ca.' in sendmail.mc (the live sendmail.mc further down uses mailhub.bic.mni.mcgill.ca., which is another CNAME for the same host, tubal):
(:source:)
define(`MAIL_HUB', `mailhost.bic.mni.mcgill.ca.')dnl
(:sourceend:)
- /etc/mail/local-host-names on smtphost.bic.mni.mcgill.ca should contain the names of all hosts considered local, ie inbound mail directed to them will be considered local (in class $=w) and sent to mailhost.bic.mni.mcgill.ca for final delivery.
- virtusertable and genericstable must be set up on smtphost.bic.mni.mcgill.ca as outbound mail from a nullclient is not processed on mailhost. This is the only place where user info is required on smtphost.bic.mni.mcgill.ca if one wants to remap user addresses.
- Relaying through smtphost.bic.mni.mcgill.ca is specified in the file /etc/mail/access. Only BIC hosts can relay.
Sendmail Config
Version info:
(:source:)
ii  sendmail       8.14.4-8+deb8u2  powerful, efficient, and scalable Mail Transport Agent (metapackage)
ii  sendmail-base  8.14.4-8+deb8u2  powerful, efficient, and scalable Mail Transport Agent (arch independent files)
ii  sendmail-bin   8.14.4-8+deb8u2  powerful, efficient, and scalable Mail Transport Agent
ii  sendmail-cf    8.14.4-8+deb8u2  powerful, efficient, and scalable Mail Transport Agent (config macros)
(:sourceend:)
Sendmail is TCP wrapped as it is linked with libwrap:
(:source:)
root@krishna:/etc/mail# ldd /usr/sbin/sendmail | grep libwrap
        libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007fe537835000)
(:sourceend:)
so one must set up proper access for sendmail in /etc/hosts.allow. The edge MX has to accept connections from the whole Internet, so the wrapper rule is wide open; what a client may do once connected (relaying, rate limits, DNSBL rejects) is decided by sendmail's own access db and the features below, not by libwrap:
(:source:)
sendmail: ALL
(:sourceend:)
First, configure sendmail's /etc/mail/sendmail.conf with the following values. Essentially they specify that sendmail will run as listener and queue runner, with a 10 minute interval to run the queues. DAEMON_MAILSTATS="Yes" is for Munin statistics collection.
(:source:)
root@kurma:~# ~malin/bin/crush /etc/mail/sendmail.conf
DAEMON_NETMODE="Static";
DAEMON_NETIF="eth0";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="Yes";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10m";
QUEUE_PARMS="";
MSP_MODE="Daemon";
MSP_INTERVAL="10m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";
(:sourceend:)
Now the hard ones: /etc/mail/sendmail.mc and /etc/mail/submit.mc.
I won't comment on every single feature in these files since that would require rewriting the Bat Book!
sendmail.mc
- Remove the default Message Submission Agent (MSA) and configure the daemon options:
(:source:)
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
(:sourceend:)
- Masquerade as the BIC and define MAIL_HUB so that anything that would otherwise be delivered locally is forwarded to the hub instead (there is no local delivery on this box; the local delivery machinery is undefined just below):
(:source:)
dnl #
MASQUERADE_AS(`bic.mni.mcgill.ca')dnl
define(`MAIL_HUB', `mailhub.bic.mni.mcgill.ca.')dnl
dnl #
(:sourceend:)
- Undefine a bunch of stuff not needed on the edge server:
(:source:)
dnl # Undefine those as they are not needed for this server.
undefine(`FORWARD_PATH')dnl
undefine(`ALIAS_FILE')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
undefine(`DECNET_RELAY')dnl
undefine(`FAX_RELAY')dnl
dnl #
(:sourceend:)
- Log level and paranoia/security level. Note: goaway is shorthand for authwarnings, noexpn, novrfy, noverb, needmailhelo, needexpnhelo, needvrfyhelo, nobodyreturn. noreceipts disables return receipts (DSN, Delivery Status Notification); it is usually recommended on an edge box, at the cost of losing DSNs that might occasionally be useful. The complete sendmail.mc further down also adds restrictexpand.
(:source:)
dnl #
define(`confLOG_LEVEL',`9')dnl
define(`confPRIVACY_FLAGS',`goaway,restrictmailq,restrictqrun,nobodyreturn,noreceipts')dnl
dnl #
(:sourceend:)
- Fine tune the different window lengths and throttling values to repel the cockroaches-spammers. Also set the maximum number of daemon children to 500, the timezone, the load average values for queuing only, connection delay and connection refusal (24, 32, 36), the maximum message size (10MB), and the number of days after which undelivered queued messages are deleted (3d):
(:source:)
dnl #
dnl # Define connection throttling and window length
define(`confCONNECTION_RATE_THROTTLE', `10')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`60s')dnl
define(`confMAX_DAEMON_CHILDREN', `500')dnl
define(`confTIME_ZONE',`EST5EDT')dnl
define(`confQUEUE_LA',`24')dnl
define(`confDELAY_LA',`32')dnl
define(`confREFUSE_LA',`36')dnl
define(`confTO_ICONNECT', `15s')dnl
define(`confTO_CONNECT', `3m')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_MAIL', `5m')dnl
define(`confTO_RCPT', `5m')dnl
define(`confTO_DATAINIT', `2m')dnl
define(`confTO_DATABLOCK', `10m')dnl
define(`confTO_DATAFINAL', `10m')dnl
define(`confTO_RSET', `5m')dnl
define(`confTO_QUIT', `2m')dnl
define(`confTO_MISC', `2m')dnl
define(`confTO_COMMAND', `5m')dnl
define(`confTO_STARTTLS', `2m')dnl
define(`confMAX_MESSAGE_SIZE',`10485760')dnl
define(`confDONT_PROBE_INTERFACES',`True')dnl
define(`confTO_QUEUERETURN',`3d')dnl
dnl #
(:sourceend:)
- Security by obscurity: hide the sendmail and .mc versions from the greeting, the Received: headers and the HELP command. Note: using define(`HELP_FILE',`') will actually display the sendmail version! Better to simply zero out the helpfile (HELP_FILE, /etc/mail/helpfile on Debian) and leave the define commented out.
(:source:)
dnl # Some security by obscurity.
dnl # Hide sendmail version from greeting, headers and help.
dnl # Default greeting is `$j Sendmail $v/$Z; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.'
dnl # Remove the chunk "Sendmail $v/$Z":
define(`confSMTP_LOGIN_MSG',`$j MTA ready and waiting; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.')dnl
dnl # The HReceived header is defined in /usr/share/sendmail/cf/m4/proto.m4
dnl # as: HReceived: confRECEIVED_HEADER
dnl # confRECEIVED_HEADER in turn is built among other things from _REC_BY_ in /usr/share/sendmail/cf/m4/cfhead.m4
dnl # with default `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}'.
dnl # Remove the ($v/$Z) chunk that displays the sendmail ($v) and m4 config file version ($Z):
define(`_REC_BY_', `$.by $j $?r with $r$. id $i$?{tls_version}')dnl
dnl # Removing the help file so the HELP command shows nothing is left commented out (see the note above):
dnl define(`HELP_FILE',`')dnl
(:sourceend:)
- Different sets of features for domain masquerading, flat files and database defines:
(:source:)
dnl #
GENERICS_DOMAIN_FILE(`/etc/mail/generics_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`genericstable')dnl
FEATURE(`virtusertable')dnl
dnl #
(:sourceend:)
- Even more stuff for the cockroaches shit-heads:
(:source:)
dnl #
dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
dnl # Must be put after the FEATURE(`access_db') line.
FEATURE(`greet_pause', `5000')dnl 5 seconds
dnl #
dnl # Delay_checks allows sender↔recipient checking
FEATURE(`delay_checks', `friend', `n')dnl
dnl FEATURE(`delay_checks', `hater', `n')dnl
dnl #
dnl # If we get too many bad recipients, slow things down...
dnl # Argument is the number of bad recipients.
define(`confBAD_RCPT_THROTTLE',`1')dnl
dnl #
dnl # Stop connections that overflow our concurrent and time connection rates
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl #
dnl # DNS Black Listing.
dnl # /JF/ 20160115. spamhaus.org has merged the SBL-XBL and PBL DNS zones to one zone, ZEN.
dnl #
dnl FEATURE(`enhdnsbl', `sbl-xbl.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.2.')dnl
dnl FEATURE(`enhdnsbl', `sbl-xbl.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.3.')dnl
dnl FEATURE(`enhdnsbl', `sbl-xbl.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.4.')dnl
dnl FEATURE(`enhdnsbl', `sbl-xbl.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.5.')dnl
dnl FEATURE(`enhdnsbl', `sbl-xbl.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.6.')dnl
dnl #
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.2.')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.4.')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.10.')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.11.')dnl
dnl #
(:sourceend:)
A caveat on the enhdnsbl lines: each listed value is pasted into a rewrite rule's left-hand side, so a connection is rejected only when the DNSBL answer is exactly one of the values given. Zen answers 127.0.0.2-3 for SBL listings, 127.0.0.4-7 for XBL and 127.0.0.10-11 for PBL; with only .2, .4, .10 and .11 configured, answers of .3 and .5-.7 are let through (the old sbl-xbl entries did cover .3, .5 and .6). Either list the missing values or use a pattern such as `127.0.0.$-.', which still ignores the 127.255.255.x answers Spamhaus returns for query errors.
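Which Zen answers the four enhdnsbl entries above actually reject can be worked out offline. The following Python is an added example, not part of these notes and not sendmail's code: it models the enhdnsbl match (each configured value is a sendmail LHS pattern over the answer's octets, with `$-' standing for any single octet) and runs it against Zen's documented return codes. The DNSBL answers for the two 192.0.2.x clients are constructed; no lookups are made.

```python
"""Model of FEATURE(`enhdnsbl') return-code matching, used to check which
Spamhaus Zen listings the zen.spamhaus.org entries on smtphost reject.
Added example, not from the BIC notes or from sendmail.  DNSBL answers are
constructed in-memory data; nothing is queried over the network."""

# Return values configured on smtphost (one FEATURE(`enhdnsbl') line each).
CONFIGURED_RETURN_VALUES = ["127.0.0.2.", "127.0.0.4.", "127.0.0.10.", "127.0.0.11."]

# Zen return codes as documented by Spamhaus: SBL (.2, .3), XBL (.4-.7), PBL (.10, .11).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def reverse_name(ip, zone):
    """Name sendmail queries for a client address: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone + "."


def pattern_matches(pattern, answer):
    """sendmail LHS matching of a configured value against the A answer:
    literal octets must agree; the `$-' token matches exactly one octet."""
    ptoks = pattern.rstrip(".").split(".")
    atoks = answer.split(".")
    if len(ptoks) != len(atoks):
        return False
    return all(p == "$-" or p == a for p, a in zip(ptoks, atoks))


def enhdnsbl_decision(answer, configured=CONFIGURED_RETURN_VALUES):
    """'reject' if the DNSBL answer matches any configured value, else 'accept'.
    An NXDOMAIN answer (None) means the client is not listed at all."""
    if answer is None:
        return "accept"
    return "reject" if any(pattern_matches(p, answer) for p in configured) else "accept"


def uncaught_zen_codes(configured=CONFIGURED_RETURN_VALUES):
    """Documented Zen listing codes that this configuration would let through."""
    return sorted(code for code in ZEN_CODES if enhdnsbl_decision(code, configured) == "accept")


# Constructed DNSBL answers for two client addresses (no real lookups).
FAKE_DNSBL = {
    reverse_name("192.0.2.10", "zen.spamhaus.org"): "127.0.0.3",   # SBL CSS listing
    reverse_name("192.0.2.20", "zen.spamhaus.org"): "127.0.0.4",   # XBL listing
}


def check_client(ip, configured=CONFIGURED_RETURN_VALUES):
    """Decision for a connecting client, looking its reversed name up in the fake zone."""
    answer = FAKE_DNSBL.get(reverse_name(ip, "zen.spamhaus.org"))
    return enhdnsbl_decision(answer, configured)
```

Running uncaught_zen_codes() with the page's four values returns the .3 and .5-.7 codes, and a client listed in SBL CSS (the constructed 192.0.2.10) is accepted. A single `127.0.0.$-.' entry catches all eight codes without matching 127.255.255.x.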
- Finally the Milter stuff, again to repel the cockroaches slime-balls:
Explicitly include the m4 files necessary for the clamav milter since the packagers didn't include them in the default sendmail m4 tree /usr/share/sendmail/cf. I stuff them in /etc/mail/m4.
(:source:)
dnl #
dnl # Milters
dnl #
dnl #/JF/ INPUT_MAIL_FILTER options declare the Milters and also set their processing order.
dnl # See the Bat Book, 4th Ed., Section 26.2.2 The InputMailFilters Option
dnl #
dnl #/JF/ greylist milter is already set up by FEATURE(`milter-greylist') above.
dnl INPUT_MAIL_FILTER(`greylist', `S=local:/var/run/milter-greylist/milter-greylist.sock, F=, T=S:4m;R:4m')dnl
FEATURE(`milter-greylist')dnl
dnl #/JF/ clamav is already set up by the include(`/etc/mail/m4/clamav-milter.m4')
dnl INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl
include(`/etc/mail/m4/clamav-milter.m4')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`opendkim', `S=local:/var/run/opendkim/opendkim.sock, F=, T=C:10m;S:10m;R:20m;E:20m')dnl
dnl #
dnl #/JF/ INPUT_MAIL_FILTERS option defines the processing order of the Milters.
dnl # Needed only if MAIL_FILTER is used rather than the INPUT_MAIL_FILTER macros
dnl # or if one needs/wants to force a specific Milter calling order.
dnl define(`confINPUT_MAIL_FILTERS', ``clamav,greylist,spamassassin,opendkim'')dnl
dnl #
dnl #/JF/ Modify the Milters End-of-Message macros from the default, {msg_id}.
dnl # See the Bat Book, 4th ed., Section 24.9.76.8 Milter.macros.eom
define(`confMILTER_MACROS_EOM', confMILTER_MACROS_EOM``, {mail_addr}, {rcpt_addr}, i'')dnl
dnl #
(:sourceend:)
The confMILTER_MACROS_EOM define at the end is needed for the clamAV milter to log and report in verbose mode. More on this in the Bat Book, 4th ed., Section 24.9.76.8 Milter.macros.eom.
One thing to be aware of in the INPUT_MAIL_FILTER lines: an empty F= means sendmail carries on as if the filter were not there when it cannot be reached or errors out, so the SpamAssassin and OpenDKIM milters fail open. That is fine for filters that only tag, but if mail should be held rather than passed unscanned while a milter is down, use F=T (temporary failure) instead.
- At last, the mailer definitions. local is not needed as nothing is delivered locally:
(:source:)
dnl # Mailer definitions. local is not needed as nothing is delivered locally.
dnl MAILER(local)dnl
MAILER(smtp)dnl
(:sourceend:)
- For completeness, here it is in all its glory:
(:source:)
divert(-1)dnl
#-----------------------------------------------------------------------------
# $Sendmail: debproto.mc,v 8.14.3 2010-09-21 11:05:34 cowboy Exp $
#
# Copyright (c) 1998-2009 Richard Nelson.  All Rights Reserved.
#
# cf/debian/sendmail.mc.  Generated from sendmail.mc.in by configure.
#
# sendmail.mc prototype config file for building Sendmail 8.14.3
#
# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
#	file is customized to the version noted above.
#
# This file is used to configure Sendmail for use with Debian systems.
#
# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
# by running this file through the m4 preprocessor via one of the following:
#	* make   (or make -C /etc/mail)
#	* sendmailconfig
#	* m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# The first two options are preferred as they will also update other files
# that depend upon the contents of this file.
#
# The best documentation for this .mc file is:
# /usr/share/doc/sendmail-doc/cf.README.gz
#
#-----------------------------------------------------------------------------
divert(0)dnl
#
#   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
#
#  This file is used to configure Sendmail for use with Debian systems.
#
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.14.3-9.4 2010-09-21 11:05:34 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl	#DAEMON_HOSTSTATS=
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
MASQUERADE_AS(`bic.mni.mcgill.ca')dnl
MASQUERADE_EXCEPTION(`omega.bic.mni.mcgill.ca')
define(`MAIL_HUB', `mailhub.bic.mni.mcgill.ca.')dnl
undefine(`FORWARD_PATH')dnl
undefine(`ALIAS_FILE')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
undefine(`DECNET_RELAY')dnl
undefine(`FAX_RELAY')dnl
define(`confLOG_LEVEL',`9')dnl
define(`confPRIVACY_FLAGS',``goaway,restrictexpand,restrictmailq,restrictqrun,noreceipts'')dnl
define(`confCONNECTION_RATE_THROTTLE', `10')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`60s')dnl
define(`confMAX_DAEMON_CHILDREN', `500')dnl
define(`confTIME_ZONE',`EST5EDT')dnl
define(`confQUEUE_LA',`24')dnl
define(`confDELAY_LA',`32')dnl
define(`confREFUSE_LA',`36')dnl
define(`confTO_ICONNECT', `15s')dnl
define(`confTO_CONNECT', `3m')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_MAIL', `5m')dnl
define(`confTO_RCPT', `5m')dnl
define(`confTO_DATAINIT', `2m')dnl
define(`confTO_DATABLOCK', `10m')dnl
define(`confTO_DATAFINAL', `10m')dnl
define(`confTO_RSET', `5m')dnl
define(`confTO_QUIT', `2m')dnl
define(`confTO_MISC', `2m')dnl
define(`confTO_COMMAND', `5m')dnl
define(`confTO_STARTTLS', `2m')dnl
define(`confMAX_MESSAGE_SIZE',`10485760')dnl
define(`confDONT_PROBE_INTERFACES',`True')dnl
define(`confTO_QUEUERETURN',`3d')dnl
define(`confSMTP_LOGIN_MSG',`$j MTA ready and waiting; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.')dnl
define(`_REC_BY_', `$.by $j $?r with $r$. id $i$?{tls_version}')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/generics_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`genericstable')dnl
FEATURE(`virtusertable')dnl
FEATURE(`greet_pause', `5000')dnl 5 seconds
FEATURE(`delay_checks', `friend', `n')dnl
define(`confBAD_RCPT_THROTTLE',`1')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.2.')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.4.')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.10.')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)"', `t', `127.0.0.11.')dnl
FEATURE(`milter-greylist')dnl
include(`/etc/mail/m4/clamav-milter.m4')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`opendkim', `S=local:/var/run/opendkim/opendkim.sock, F=, T=C:10m;S:10m;R:20m;E:20m')dnl
define(`confMILTER_MACROS_EOM', confMILTER_MACROS_EOM``, {mail_addr}, {rcpt_addr}, i'')dnl
MAILER(smtp)dnl
(:sourceend:)
submit.mc
- The only line really required is the one telling the message submission program (MSP) where to hand mail over, namely the MTA on localhost: FEATURE(`msp', `[127.0.0.1]')dnl. By default, if not specified, the port it submits to is SMTP (25).
- Use FEATURE(`msp', `[127.0.0.1]', `MSA')dnl to submit mail to port MSA (587) on localhost. In that case, in sendmail.mc the matching DAEMON_OPTIONS must also be specified: DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
- Hide the MSP version from the Received: headers by modifying define(`_REC_BY_', `$.by $j $?r with $r$. id $i$?{tls_version}')
- See the section Security By Obscurity And Obfuscation for more details.
(:source:)
divert(-1)dnl
#-----------------------------------------------------------------------------
# $Sendmail: submit.mc,v 8.14.3 2010-09-21 11:05:34 cowboy Exp $
#
# Copyright (c) 2000-2009 Richard Nelson.  All Rights Reserved.
#
# cf/debian/submit.mc.  Generated from submit.mc.in by configure.
#
# submit.mc prototype config file for building Sendmail 8.14.3
#
# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
#	file is customized to the version noted above.
#
# This file is used to configure Sendmail for use with Debian systems.
#
# If you modify this file, you will have to regenerate /etc/mail/submit.cf
# by running this file through the m4 preprocessor via one of the following:
#	* make   (or make -C /etc/mail)
#	* sendmailconfig
#	* m4 /etc/mail/submit.mc > /etc/mail/submit.cf
# The first two options are preferred as they will also update other files
# that depend upon the contents of this file.
#
# The best documentation for this .mc file is:
# /usr/share/doc/sendmail-doc/cf.README.gz
#
#-----------------------------------------------------------------------------
divert(0)dnl
#
#   Copyright (c) 2000-2002 Richard Nelson.  All Rights Reserved.
#
#  This file is used to configure Sendmail for use with Debian systems.
#
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.14.3-9.4 2010-09-21 11:05:34 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
dnl # Some security by obscurity.
dnl # The HReceived header is defined in /usr/share/sendmail/cf/m4/proto.m4
dnl # as: HReceived: confRECEIVED_HEADER
dnl # confRECEIVED_HEADER in turn is built among other things from _REC_BY_ in /usr/share/sendmail/cf/m4/cfhead.m4
dnl # with default `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}'.
dnl # Remove the ($v/$Z) chunk that displays the sendmail ($v) and m4 config file version ($Z):
define(`_REC_BY_', `$.by $j $?r with $r$. id $i$?{tls_version}')dnl
dnl #
dnl #
dnl #---------------------------------------------------------------------
dnl # Masquerading information, if needed, should go here
dnl # You likely will not need this, as the MTA will do it
dnl #---------------------------------------------------------------------
dnl MASQUERADE_AS()dnl
dnl FEATURE(`masquerade_envelope')dnl
dnl #
dnl #---------------------------------------------------------------------
dnl # The real reason we're here: the FEATURE(msp)
dnl # NOTE WELL: MSA (587) should have M=Ea, so we need to use stock 25
dnl #---------------------------------------------------------------------
dnl FEATURE(`msp', `[127.0.0.1]', `25')dnl
FEATURE(`msp', `[127.0.0.1]')dnl
dnl #
dnl #---------------------------------------------------------------------
dnl # Some minor cleanup from FEATURE(msp)
dnl #---------------------------------------------------------------------
dnl #
dnl #---------------------------------------------------------------------
(:sourceend:)
Security By Obscurity And Obfuscation
- Walk safe: hide some of the information that can be gleaned from the outbound message headers and the SMTP daemons themselves.
- In submit.mc, remove the MSA version information from the message headers:
(:source:)
dnl # Obscurity With The Intent To Obfuscate.
dnl #
dnl # The HReceived header is defined in /usr/share/sendmail/cf/m4/proto.m4
dnl # as: HReceived: confRECEIVED_HEADER
dnl # confRECEIVED_HEADER in turn is built among other things from _REC_BY_ in /usr/share/sendmail/cf/m4/cfhead.m4
dnl # with default `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}'.
dnl #              ______________________^^^^^^^
dnl # Remove the ___________($v/$Z) chunk that displays the sendmail ($v) and m4 config file version ($Z):
dnl #
define(`_REC_BY_', `$.by $j $?r with $r$. id $i$?{tls_version}')dnl
(:sourceend:)
- Using the above changes the MSP's Received: line from something like this (version numbers in the by-clause):
(:source:)
Received: (from logcheck@localhost) by heitz.bic.mni.mcgill.ca (8.14.4/8.14.4/Submit) id u2FK23T2028453 for logcheck; Tue, 15 Mar 2016 16:02:03 -0400
(:sourceend:)
- to something like this, on a nullclient that has been secured:
(:source:)
Received: (from malin@localhost) by agrippa.bic.mni.mcgill.ca id u2FK5ekb028871 for malin; Tue, 15 Mar 2016 16:05:40 -0400
(:sourceend:)
- In sendmail.mc on the edge server, smtphost (this is the 20151126 snapshot with the defines commented out; the live sendmail.mc above has the confSMTP_LOGIN_MSG and _REC_BY_ defines active):
(:source:)
dnl # /JF/ 20151126. Obscurity With The Intent To Obfuscate.
dnl #
dnl # /JF/ Hide sendmail version from greeting, headers and help.
dnl # /JF/ Default greeting is `$j Sendmail $v/$Z; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.'
dnl # /JF/ ________________________^^^^^^^^^^^^^^
dnl # /JF/ Remove the chunk_______"Sendmail $v/$Z":
dnl define(`confSMTP_LOGIN_MSG',`$j MTA ready and waiting; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.')dnl
dnl
dnl # /JF/ The HReceived header is defined in /usr/share/sendmail/cf/m4/proto.m4
dnl # /JF/ as: HReceived: confRECEIVED_HEADER
dnl # /JF/ confRECEIVED_HEADER in turn is built among other things from _REC_BY_ in /usr/share/sendmail/cf/m4/cfhead.m4
dnl # /JF/ with default `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}'.
dnl # /JF/ ______________________^^^^^^^
dnl # /JF/ Remove the____________($v/$Z) chunk that displays the sendmail ($v) and m4 config file version ($Z):
dnl define(`_REC_BY_', `$.by $j $?r with $r$. id $i$?{tls_version}')dnl
dnl
dnl # /JF/ Remove the help file so the HELP command shows nothing:
dnl dnl define(`HELP_FILE',`')dnl
dnl
dnl # /JF/ Actually doing this WILL somehow leak information about the server.
dnl # /JF/ It is better to just zero the helpfile - DO NOT remove it.
dnl # /JF/ 20151126. End.
(:sourceend:)
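To verify that every hop has the _REC_BY_ override in place, scan the Received: lines of a message that went through the infrastructure. The following Python is an added example, not part of these notes: it unfolds the Received: headers of a message and flags any by-clause that still carries sendmail's "(version/version)" chunk. The two headers are the ones quoted above; the message wrapped around them is constructed.

```python
"""Detect sendmail's default "(version/version)" chunk in Received: headers,
i.e. the leak that the _REC_BY_ override removes.  Added example, not part
of the BIC notes.  The two Received: lines are the ones quoted on the page;
the rest of the message is constructed so that the check runs offline."""
import re

# Default _REC_BY_ renders "by <host> (<$v>/<$Z>)", e.g. "(8.14.4/8.14.4/Submit)".
BY_VERSION = re.compile(r"\bby\s+(?P<host>[\w.-]+)\s+\((?P<ver>[\d.]+/[\d.]+(?:/\w+)?)\)")

SAMPLE_MESSAGE = """\
Received: (from logcheck@localhost) by heitz.bic.mni.mcgill.ca (8.14.4/8.14.4/Submit)
\tid u2FK23T2028453 for logcheck; Tue, 15 Mar 2016 16:02:03 -0400
Received: (from malin@localhost) by agrippa.bic.mni.mcgill.ca id u2FK5ekb028871
\tfor malin; Tue, 15 Mar 2016 16:05:40 -0400
Subject: constructed sample
From: malin@bic.mni.mcgill.ca

body
"""


def received_headers(raw):
    """Unfolded Received: header values, in order.  RFC 5322 folding: a line
    starting with whitespace continues the previous header field."""
    headers, current = [], None
    for line in raw.split("\n"):
        if line == "":
            break                              # blank line ends the header section
        if line[:1] in (" ", "\t") and current is not None:
            current += " " + line.strip()
            continue
        if current is not None:
            headers.append(current)
        name, _, value = line.partition(":")
        current = value.strip() if name.lower() == "received" else None
    if current is not None:
        headers.append(current)
    return headers


def version_leaks(raw):
    """(host, version) for every Received: line still showing the version
    chunk.  An empty list means every hop had _REC_BY_ overridden."""
    leaks = []
    for hdr in received_headers(raw):
        m = BY_VERSION.search(hdr)
        if m:
            leaks.append((m.group("host"), m.group("ver")))
    return leaks
```

On the sample, only heitz is reported, with "8.14.4/8.14.4/Submit": the sendmail version, the .mc version and the fact that it was the MSP that stamped the line, which is exactly what the override hides. Feeding real messages through version_leaks() is a quick way to find nullclients that were missed.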
Files and Databases for access, local delivery hosts, username remapping, etc
/etc/mail/access MUST contain the following to allow relaying from inside the BIC. The untagged second line is consulted for connections, senders and recipients alike; tagging it Connect:132.206.178 restricts it to the connecting address, which is what is meant here. Either way it covers all of 132.206.178.0/24, so every host on that network can relay through smtphost. Rebuild the hashed map after editing (make -C /etc/mail, or makemap hash /etc/mail/access < /etc/mail/access):
(:source:)
Connect:localhost       RELAY
132.206.178             RELAY
(:sourceend:)
/etc/mail/genericstable for outbound username remapping:
(:source:)
malin   Jean-Francois.Malouin@bic.mni.mcgill.ca
luser   just.another.luser@bic.mni.mcgill.ca
(:sourceend:)
/etc/mail/virtusertable for inbound username remapping:
(:source:)
Jean-Francois.Malouin@bic.mni.mcgill.ca   malin
just.another.luser@bic.mni.mcgill.ca      luser
(:sourceend:)
/etc/mail/generics_domain
(:source:)
bic.mni.mcgill.ca
(:sourceend:)
/etc/mail/local-host-names contains the names of the hosts that are considered local, ie messages addressed to them will be sent to the mailhub for final delivery:
(:source:)
aeneas.bic.mni.mcgill.ca
agrippine.bic.mni.mcgill.ca
ajax.bic.mni.mcgill.ca
ambas.bic.mni.mcgill.ca
andromache.bic.mni.mcgill.ca
angus.bic.mni.mcgill.ca
antenor.bic.mni.mcgill.ca
ariel.bic.mni.mcgill.ca
…
(:sourceend:)
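How sendmail reads those two access lines (together with local-host-names) when deciding whether to relay can be modelled offline. The Python below is an added example and not sendmail's code: it reproduces the lookup order of the access db for a connecting address, tagged key before untagged and full address before ever shorter prefixes, and then applies the relay decision. The map is the two lines above plus one constructed Connect:...REJECT entry; the local host set is a constructed subset of the file above, and bic.mni.mcgill.ca itself is assumed to be in class w.

```python
"""Model of the access db lookup (FEATURE(`access_db')) and the resulting
relay decision on smtphost.  Added example, not sendmail's own code.  The
map holds the two lines from /etc/mail/access plus a constructed REJECT
entry; LOCAL_HOST_NAMES is a constructed subset of /etc/mail/local-host-names
(bic.mni.mcgill.ca is assumed to be in class w as well)."""
import ipaddress

ACCESS_MAP = {
    "Connect:localhost": "RELAY",
    "132.206.178": "RELAY",                # untagged: matches Connect:, From: and To: lookups
    "Connect:132.206.178.99": "REJECT",    # constructed: a rogue host on the local /24
}

LOCAL_HOST_NAMES = {
    "bic.mni.mcgill.ca",                   # assumed
    "aeneas.bic.mni.mcgill.ca",
    "ajax.bic.mni.mcgill.ca",
}


def lookup_keys(client):
    """Keys sendmail tries for a connecting host, most specific first.
    IP addresses are shortened one octet at a time; hostnames are tried
    as given and then as each parent domain.  For every candidate the
    tagged form is tried before the untagged one."""
    try:
        ipaddress.ip_address(client)
        octets = client.split(".")
        candidates = [".".join(octets[:n]) for n in range(4, 0, -1)]
    except ValueError:
        parts = client.split(".")
        candidates = [".".join(parts[i:]) for i in range(len(parts))]
    keys = []
    for c in candidates:
        keys.append("Connect:" + c)
        keys.append(c)
    return keys


def access_result(client, access=ACCESS_MAP):
    """RHS of the first matching access db entry, or None when nothing matches."""
    for key in lookup_keys(client):
        if key in access:
            return access[key]
    return None


def relay_decision(client, rcpt_domain, access=ACCESS_MAP, local=LOCAL_HOST_NAMES):
    """'local' (accepted for the hub), 'relay', or the 5xx sendmail would give.
    A Connect: REJECT applies at connection time, before any RCPT is seen."""
    result = access_result(client, access)
    if result == "REJECT":
        return "550 5.7.1 Access denied"
    if rcpt_domain.lower() in local:
        return "local"                     # class w: accepted and passed to MAIL_HUB
    if result == "RELAY":
        return "relay"
    return "550 5.7.1 Relaying denied"
```

The constructed REJECT entry shows why the lookup order matters: the full address Connect:132.206.178.99 is found before the untagged 132.206.178 prefix, so the single rogue host is refused even though its /24 is allowed to relay. Anything outside 132.206.178.0/24 can still deliver to the hosts in local-host-names but gets "Relaying denied" for anything else.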
ClamAV (clamav, clamav-milter and freshclam) Config and Third Party Signature Databases
ClamAV is a suite of programs that allows filtering and possibly disposing of virus-infected email messages. It also includes the tools necessary to update its virus databases and signatures.
Version info:
(:source:)
ii  clamav           0.98.7+dfsg-0+deb6u2  anti-virus utility for Unix - command-line interface
ii  clamav-base      0.98.7+dfsg-0+deb6u2  anti-virus utility for Unix - base package
ii  clamav-daemon    0.98.7+dfsg-0+deb6u2  anti-virus utility for Unix - scanner daemon
ii  clamav-freshclam 0.98.7+dfsg-0+deb6u2  anti-virus utility for Unix - virus database update utility
ii  clamav-milter    0.98.7+dfsg-0+deb6u2  anti-virus utility for Unix - sendmail integration
ii  libclamav6       0.98.7+dfsg-0+deb6u2  anti-virus utility for Unix - library
(:sourceend:)
- /etc/default/clamav-milter
(:source:)
# clamav-milter init options
OPTIONS="--max-children=12 -olHNPq"
# SOCKET_RWGROUP
# by default, the socket created by the milter has permissions
# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the
# permissions to 775 to give read-write access to that group.
# If you are using postfix to speak to the milter, you have to give permission
# to the postfix group to write
# SOCKET_RWGROUP=postfix
(:sourceend:)
- /etc/clamav/clamav-milter.conf
Note that when the parameter LogInfected (Off|Basic|Full) is set to something other than the default (Off), sendmail must be configured to have the eom macros msg_id, mail_addr, rcpt_addr and i available. To do so, set define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i') in sendmail.mc as explained above. Two settings below deserve a second look: OnInfected Quarantine hands an infected message to sendmail's quarantine queue (held, never delivered, never bounced) rather than deleting it outright, which is what OnInfected Blackhole would do; and MilterSocketMode 666 makes the milter socket world-writable, which is only tolerable because no user logins are allowed on smtphost.
(:source:)
# Automatically Generated by clamav-milter postinst
# To reconfigure clamav-milter run #dpkg-reconfigure clamav-milter
# Please read /usr/share/doc/clamav-base/README.Debian.gz for details
MilterSocket /var/run/clamav/clamav-milter.ctl
FixStaleSocket true
User clamav
AllowSupplementaryGroups true
ReadTimeout 120
Foreground false
PidFile /var/run/clamav/clamav-milter.pid
ClamdSocket unix:/var/run/clamav/clamd.ctl
OnClean Accept
OnInfected Quarantine
OnFail Defer
AddHeader Replace
LogSyslog false
LogFacility LOG_LOCAL6
LogVerbose true
LogInfected Full
MaxFileSize 25M
TemporaryDirectory /tmp
LogFile /var/log/clamav/clamav-milter.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0M
MilterSocketGroup clamav
MilterSocketMode 666
(:sourceend:)
- /etc/clamav/clamd.conf
(:source:)
# Automatically Generated by clamav-base postinst
# To reconfigure clamd run #dpkg-reconfigure clamav-base
# Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
AllowSupplementaryGroups true
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
Foreground false
Debug false
ScanPE true
ScanOLE2 true
ScanHTML true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OfficialDatabaseOnly false
CrossFilesystems true
(:sourceend:)
For the freshclam config /etc/clamav/freshclam.conf one must add the line "DatabaseMirror db.ca.clamav.net" if one wants to check the ClamAV databases more than once per hour. The maximum allowed is 4 times an hour.
- /etc/clamav/freshclam.conf
(:source:)
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.ca.clamav.net
AllowSupplementaryGroups false
PidFile /var/run/clamav/freshclam.pid
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
# Check for new database 4x24 times a day
Checks 96
# DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
(:sourceend:)
Third-party Signatures Databases
Third-party signature databases from http://sanesecurity.com compatible with the ClamAV engine have also been manually installed. Note that they all have a low probability of false positives, except the 3 foxhole databases, which have a medium false positive probability (Note: foxhole_all.cdb has a HIGH risk of false positives and so I don't use it).
Database Name | Description | False Positive
---|---|---
junk.ndb | General high hitting junk, containing spam/phishing/lottery/jobs/419s etc. | Low
jurlbl.ndb | Junk URL based | Low
phish.ndb | Phishing | Low
rogue.hdb | Malware, rogue anti-virus software and fake codecs etc. Updated hourly to cover the latest malware threats. Please send any undetected virus samples to samples@sanesecurity.me.uk | Low
sanesecurity.ftm | Message file types (REQUIRED for best performance) | -
scam.ndb | Spam/scams | Low
spamimg.hdb | Spam images | Low
winnow_malware.hdb | Current virus, trojan and other malware not yet detected by ClamAV. Undetected virus samples can be sent to virus_samples@oitc.com | Low
winnow_malware_links.ndb | Links to malware | Low
Foxhole Databases
Zero hour (0hr) emailed malware has always been an issue. There are various ways of blocking dangerous attachments within zip files, such as Mailscanner/SpamAssassin/Postfix; however ClamAV can also be used to block these attachments, which in some environments may be useful.
The three new foxhole databases use the .cdb extension, which lets the ClamAV engine look inside certain container files for specific filenames and also allows the use of regular expressions on those filenames.
The three new databases are:
- foxhole_generic.cdb
This database will block double extensions of certain common file formats that are contained within Zip/Rar and 7Zip files. These files will be detected only if they end in dangerous file types such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl.
Examples of signature name formats:
  - Sanesecurity.Foxhole.Zip_doc: blocks dangerous double extension .doc files, within zip files only
  - Sanesecurity.Foxhole.Rar_xls: blocks dangerous double extension .xls files, within Rar files only
  - Sanesecurity.Foxhole.Zip_hidden: blocks dangerous double extension files that are trying to hide their true extension, within zip files only
- foxhole_filename.cdb
This database will block certain commonly known malware filenames within Zip/Rar/7Zip files.
- foxhole_all.cdb
This database will block all files (single and double extensions) within Zip/Rar and 7Zip files that end in dangerous file types such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl. This will be the most effective database of the three but also has the highest risk of false positives, unless you are using scoring. Currently only .Zip, .7z and .Rar containers are used; however this can be extended to .Arj, .Cab and .Tar files.
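To make the difference between the three databases concrete, here is an added example (not part of these notes and not Sanesecurity's own signature logic) that emulates their filename checks in Python over an in-memory ZIP: a double-extension rule in the style of foxhole_generic, a "hidden extension" rule for names padded with whitespace or carrying a right-to-left override character, and an "any dangerous type" rule in the style of foxhole_all that is only applied on request. The list of document extensions and the sample archive are constructed for the example.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Executable file types named in the notes for the foxhole databases.
DANGEROUS_EXTS = ("pif", "scr", "exe", "com", "bat", "cmd", "vbs", "lnk", "cpl")
# Document-like extensions that get faked (assumption: a sample of what the
# real foxhole_generic.cdb covers, not its actual list).
DOC_EXTS = ("doc", "xls", "pdf", "jpg", "txt")

_DANGER = "|".join(DANGEROUS_EXTS)
_DOCS = "|".join(DOC_EXTS)
# invoice.doc.exe -> double extension (foxhole_generic style)
DOUBLE_EXT = re.compile(r"\.(%s)\.(%s)$" % (_DOCS, _DANGER), re.I)
# setup.exe -> any dangerous type at all (foxhole_all style)
ANY_EXT = re.compile(r"\.(%s)$" % _DANGER, re.I)
# photo.jpg<padding>.scr -> padding that pushes the real extension out of view
HIDDEN_EXT = re.compile(r"\.(%s)[ .]{3,}\.(%s)$" % (_DOCS, _DANGER), re.I)
# A right-to-left override character is another way to hide the real extension.
RLO = "\u202e"


def classify(name: str) -> Optional[str]:
    """Return the Foxhole-style class a member filename would hit, or None."""
    if RLO in name or HIDDEN_EXT.search(name):
        return "Zip_hidden"
    m = DOUBLE_EXT.search(name)
    if m:
        return "Zip_" + m.group(1).lower()
    if ANY_EXT.search(name):
        return "Zip_any"  # only the aggressive foxhole_all style blocks this
    return None


def scan_zip(data: bytes, block_any: bool = False) -> List[Tuple[str, str]]:
    """List (member name, class) for every suspicious member of a ZIP container.

    "Zip_any" hits are reported only when block_any is True, mirroring the
    notes' point that foxhole_all is the most effective and the most
    false-positive prone of the three databases.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            cls = classify(info.filename)
            if cls is None or (cls == "Zip_any" and not block_any):
                continue
            hits.append((info.filename, cls))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member and three suspicious ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 benign placeholder")
        zf.writestr("invoice.doc.exe", b"MZ placeholder, not a real binary")
        zf.writestr("photo.jpg" + " " * 30 + ".scr", b"MZ placeholder")
        zf.writestr("setup.exe", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, cls in scan_zip(build_sample_zip(), block_any=True):
        print(f"{name!r}: Sanesecurity.Foxhole.{cls}-style hit")
```

Running it without block_any reports only the double-extension and hidden-extension members, which is the trade-off the notes describe: the generic rules catch the disguised files while leaving a plain setup.exe, which is what foxhole_all would block at the cost of more false positives.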
Local Modifications
/etc/clamav-unofficial-sigs.conf has been modified according to the way ClamAV is packaged by Debian.
(:source:)
# Set path to ClamAV database files location.  If unsure, check
# your clamd.conf file for the "DatabaseDirectory" path setting.
clam_dbs="/var/lib/clamav"

# Set path to clamd.pid file (see clamd.conf for path location).
clamd_pid="/var/run/clamav/clamd.pid"

work_dir="/var/lib/clamav/unofficial-dbs"

# Log update information to '$log_file_path/$log_file_name'.
enable_logging="yes"
log_file_path="/var/log/clamav"
log_file_name="clamav-unofficial-sigs.log"
(:sourceend:)
Here is the full config file:
(:source:)
# This file contains user configuration settings for the clamav-unofficial-sigs.sh
# script provided by Bill Landry (bill@inetmsg.com).
#
# Script documentation and updates can be viewed/downloaded from:
# http://www.inetmsg.com/pub/
#
# The latest version will always be named: clamav-unofficial-sigs.tar.gz
# Older versions can be found in the "archive" directory.

################################################################################
#                      USER CONFIGURATION FILE FOR SCRIPT:                     #
#                                  * * *                                       #
#                           clamav-unofficial-sigs.sh                          #
#                                  * * *                                       #
#   SET PROGRAM PATHS AND OTHER VARIABLE OPTIONS FOR THE SCRIPT IN THIS FILE   #
################################################################################

# Edit the quoted variables below to meet your own particular needs
# and requirements, but do not remove the "quote" marks.

# Be sure to set the appropriate shell for your OS Platform.  It's been
# reported that "sh" works best for BSD variants, "ksh" for Sun Solaris,
# and "bash" for Linux variants.  If you experience problems running the
# script, please try editing the top line of the script file and changing
# "sh" to either "ksh" or "bash" before reporting a problem.

# Set and export the appropriate program paths for your OS platform.  Required
# utilities include: find, xargs, sed, awk, cut, dig, grep, tail, chown, chmod,
# cmp, diff, gzip, ls, cp, mv, test, gpg, host, sleep, cksum, rsync, curl, perl,
# and optionally socat.  It's been reported that on Sun systems, the GNU utilities
# should be used rather than the default Sun OS versions of these utilities.
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
export PATH

# Set the appropriate ClamD user and group accounts for your system.
# If you do not want the script to set user and group permissions on
# files and directories, comment the next two variables.
clam_user="clamav"
clam_group="clamav"

# Set path to ClamAV database files location.  If unsure, check
# your clamd.conf file for the "DatabaseDirectory" path setting.
clam_dbs="/var/lib/clamav"

# Set path to clamd.pid file (see clamd.conf for path location).
clamd_pid="/var/run/clamav/clamd.pid"

# To enable "ham" (non-spam) directory scanning and removal of
# signatures that trigger on ham messages, uncomment the following
# variable and set it to the appropriate ham message directory.
#ham_dir="/path/to/ham-test/directory"

# If you would like to reload the clamd databases after an update,
# change the following variable to "yes".
reload_dbs="no"

# Set the reload or restart option if the "reload_dbs" variable above
# is set to "yes" (only select 'ONE' of the following variables or the
# last uncommented variable option will be the one used).
##  The next variable signals clamd daemon to reload databases (this is the recommended reload option)
reload_opt="clamdscan --reload"  # Default
##  The next variable signals clamd's Process ID (PID) to reload databases
#reload_opt="kill -USR2 `cat $clamd_pid`"
##  The next variable signals linux based systems to do a full clamd service stop/start
#reload_opt="service clamd restart"
##  Use the next variable to set a custom or system specific reload/restart option
#reload_opt=""

# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
# are installed on the system, and you want to report whether clamd
# is running or not, uncomment the "clamd_socket" variable below (you
# will be warned if neither socat nor IO::Socket::UNIX are found, but
# the script will still run).  You will also need to set the correct
# path to your clamd socket file (if unsure of the path, check the
# "LocalSocket" setting in your clamd.conf file for socket location).
clamd_socket="/var/run/clamav/clamd.ctl"

# If you would like to attempt to restart ClamD if detected not running,
# uncomment the next 2 lines.  Confirm the path to the "clamd_lock" file
# (usually can be found in the clamd init script) and also enter the clamd
# start command for your particular distro for the "start_clamd" variable
# (the sample start command shown below should work for most linux distros).
# NOTE: these 2 variables are dependent on the "clamd_socket" variable
# shown above - if not enabled, then the following 2 variables will be
# ignored, whether enabled or not.
#clamd_lock="/var/lock/subsys/clamd"
#start_clamd="service clamd start"

# Enable or disable download time randomization.  This allows the script to
# be executed via cron, but the actual database file checking will pause
# for a random number of seconds between the "min" and "max" time settings
# specified below.  This helps to more evenly distribute load on the host
# download sites.  To disable, set the following variable to "no".
enable_random="yes"

# If download time randomization is enabled above (enable_random="yes"),
# then set the min and max randomization time intervals (in seconds).
min_sleep_time="60"   # Default minimum is 60 seconds (1 minute).
max_sleep_time="600"  # Default maximum is 600 seconds (10 minutes).

# Sanesecurity Database(s)
# Add or remove database file names between quote marks as needed.  To
# disable usage of any of the Sanesecurity distributed database files
# shown, remove the database file name from the quoted section below.
# To disable usage of all Sanesecurity distributed databases, comment
# all of the quoted lines below.  Only the following "low" risk define
# signature databases have been enabled by default (for additional
# information about the signature database ratings, see:
# http://www.sanesecurity.com/clamav/databases.htm).  Finally, make
# sure that the database names are spelled correctly or you will
# experience issues when the script runs.
ss_dbs="
   junk.ndb
   jurlbl.ndb
   phish.ndb
   rogue.hdb
   sanesecurity.ftm
   scam.ndb
   spamimg.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
   foxhole_generic.cdb
   foxhole_filename.cdb
"
# Additional Sanesecurity distributed databases that can be used and
# their associated potential false-positive ratings:
#   USE 'ONLY' ONE OF THE FOLLOWING TWO SIGNATURE DATABASES:
#   INetMsg-SpamDomains-2w.ndb : MEDIUM false-positive rating
#   INetMsg-SpamDomains-2m.ndb : MEDIUM false-positive rating
#   ONE DATABASE CONTAINS THE LAST TWO WEEKS OF COLLECTED SPAM DOMAINS (2w), AND
#   THE OTHER DATABASE CONTAINS THE LAST TWO MONTHS OF COLLECTED SPAM DOMAINS (2m).
#   jurlbla.ndb : MEDIUM false-positive rating
#   lott.ndb : MEDIUM false-positive rating
#   spam.ldb : MEDIUM false-positive rating
#   spear.ndb : MEDIUM false-positive rating
#   scamnailer.ndb : MEDIUM false-positive rating
#   winnow.complex.patterns.ldb : MEDIUM false-positive rating
#   winnow_phish_complete.ndb : HIGH false-positive rating
#   winnow_phish_complete_url.ndb : MEDIUM false-positive rating
#   winnow_spam_complete.ndb : MEDIUM false-positive rating
#   USE 'ONLY' ONE OF THE FOLLOWING TWO SIGNATURE DATABASES:
#   winnow_phish_complete.ndb : HIGH false-positive rating
#   winnow_phish_complete_url.ndb : MEDIUM false-positive rating
#   ONE CONTAINS THE COMPLETE URL PATH (MEDIUM RISK), AND THE OTHER
#   CONTAINS ONLY THE URL, WITHOUT THE FULL PATH (HIGH RISK).

# SecuriteInfo Database(s)
# Add or remove database file names between quote marks as needed.  To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below.  To disable all SecuriteInfo database file downloads,
# comment all of the following lines.
#si_dbs="
#   honeynet.hdb
#   securiteinfobat.hdb
#   securiteinfodos.hdb
#   securiteinfoelf.hdb
#   securiteinfo.hdb
#   securiteinfohtml.hdb
#   securiteinfooffice.hdb
#   securiteinfopdf.hdb
#   securiteinfosh.hdb
#"
# Since the SecuriteInfo databases are only updated a few times each
# month, set a time interval to do database update checks.
si_update_hours="4"   # Default is 4 hours (6 update checks daily).

# MalwarePatrol Database(s)
# Add or remove database file names between quote marks as needed.  To
# disable any of the MalwarePatrol database file downloads, remove the
# appropriate database file name lines below.  To disable MalwarePatrol
# database downloads, comment all of the following lines.
mbl_dbs="
   mbl.ndb
"
# Since the MalwarePatrol database file is dynamically created,
# there is no way to test for changes prior to downloading.  For this
# reason, you will need to set a reasonable time interval in "hours"
# for MBL database file downloads.  As shown below, this has been
# set to update every "6" hours, which seems appropriate (that's 4
# file downloads per day).  Change only if you REALLY feel you must.
# However, I would not suggest going below every 4 hours lest you risk
# being blacklisted by the MalwarePatrol site.
mbl_update_hours="6"   # Default is 6 hours (4 downloads daily).

# Additional signature databases can be specified here in the following
# format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing "/" in
# place of the "FILE-NAME" to download all files from specified location,
# but this *ONLY* works for files downloaded via rsync).  For non-rsync
# downloads, curl is used.  For download protocols supported by curl, see
# "man curl".  This also works well for locations that have many ClamAV
# servers that use 3rd party signature databases, as only one server need
# download the remote databases, and all others can update from the local
# mirror's copy.  See format examples below.  To use, remove the comments
# and examples shown and add your own sites between the quote marks.
#add_dbs="
#   rsync://192.168.1.50/new-db/sigs.hdb
#   rsync://rsync.example.com/all-dbs/
#   ftp://ftp.example.net/pub/sigs.ndb
#   http://www.example.org/sigs.ldb
#"

# Set working directory paths (edit to meet your own needs).  If these
# directories do not exist, the script will attempt to create them.
#   Top level working directory path:
work_dir="/var/lib/clamav/unofficial-dbs"   # Top level working directory
#   Sub-directory names:
ss_dir="$work_dir/ss-dbs"       # Sanesecurity sub-directory
si_dir="$work_dir/si-dbs"       # SecuriteInfo sub-directory
mbl_dir="$work_dir/mbl-dbs"     # MalwarePatrol sub-directory
config_dir="$work_dir/configs"  # Script configs sub-directory
gpg_dir="$work_dir/gpg-key"     # Sanesecurity GPG Key sub-directory
add_dir="$work_dir/add-dbs"     # User defined databases sub-directory

# If you would like to make a backup copy of the current running database
# file before updating, leave the following variable set to "yes".
keep_db_backup="yes"

# If you want to silence the information reported by curl, rsync, gpg
# or the general script comments, change the following variables to
# "yes".  If all variables are set to "yes", the script will output
# nothing except error conditions.
curl_silence="no"      # Default is "no" to report curl statistics
rsync_silence="no"     # Default is "no" to report rsync statistics
gpg_silence="no"       # Default is "no" to report gpg signature status
comment_silence="no"   # Default is "no" to report script comments

# Log update information to '$log_file_path/$log_file_name'.
enable_logging="yes"
log_file_path="/var/log/clamav"
log_file_name="clamav-unofficial-sigs.log"

# If necessary to proxy database downloads, define the rsync and/or curl
# proxy settings here.  For rsync, the proxy must support connections to
# port 873.  Both curl and rsync proxy settings need to be defined in the
# format of "hostname:port".  For curl, also note the -x and -U flags,
# which must be set as "-x hostname:port" and "-U username:password".
rsync_proxy=""
curl_proxy=""

# After you have completed the configuration of this file, set the
# following variable to "yes".
user_configuration_complete="yes"

################################################################################
#                          END OF USER CONFIGURATION                           #
################################################################################
(:sourceend:)
A cronjob calling the script /root/bin/clamav-unofficial-sigs.sh
is installed on the smtphost. This script will update the signatures databases every 45m ± some random time.
Quarantined Messages
- Messages flagged as infected by the clamav milter will not be disposed of: they are simply put in the queue directory /var/spool/mqueue. The quarantined envelopes are prefixed with "hf". The milter can be configured to remove them by using the configuration option "OnInfected Reject" in /etc/clamav/clamav-milter.conf. Presently they are just left in the queue directory.
- The quarantined messages are invisible as far as sendmail goes, unless specifically configured. I didn't. Note that since sendmail doesn't deal with them once flagged, those quarantined messages will just accumulate over time, and very fast at that, as over 90% of our smtp traffic is just spam and virus...
- To purge them use the command: /usr/share/sendmail/qtool.pl -d -Q /var/spool/mqueue
An example of a quarantined envelope is:
(:source:)
V8
T1382543405
K1382543579
N0
P39663
qquarantined by clamav-milter
Fbs
$_[39.45.86.93]
$rESMTP
$s544275.com
${daemon_flags}
${if_addr}132.206.178.241
S<Lisa68@9802.com>
- cc
- <luser@bic.mni.mcgill.ca>
rRFC822; luser@bic.mni.mcgill.ca
RPFD:<luser@bic.mni.mcgill.ca>
H?P?Return-Path: <<81>g>
H??Received: from 544275.com ([39.45.86.93])
	by kurma.bic.mni.mcgill.ca (8.14.3/8.14.3/Debian-9.4) with ESMTP id r9NFnjvo020352
	for <luser@bic.mni.mcgill.ca>; Wed, 23 Oct 2013 11:50:05 -0400
H??Received: (qmail 22203 invoked by uid 222); 23 Oct 2013 08:49:55 -0700
H??From: Lisa68@9802.com
H??To: luser@bic.mni.mcgill.ca
H??Subject: This is the funniest picture ever!
H??Date: Wed, 23 Oct 2013 08:50:47 -0700
H??Message-ID: <22203763478295.8441.qmail@544275.com>
H??Mime-Version: 1.0
H??Content-Type: multipart/mixed; boundary="----------=_5267F0D8.7940A1CE"
H??X-Spam-Flag: YES
H??X-Spam-Status: Yes, score=7.9 required=5.0 tests=BASE64_LENGTH_79_INF,BAYES_50,
	RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RDNS_NONE autolearn=no version=3.3.1
H??X-Spam-Level: *******
H??X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	kurma.bic.mni.mcgill.ca
H??X-Virus-Scanned: clamav-milter 0.97.8 at kurma
H??X-Virus-Status: Infected (Sanesecurity.Foxhole.Zip_jpg.UNOFFICIAL)
H??X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.3.7 (kurma.bic.mni.mcgill.ca [132.206.178.241]); Wed, 23 Oct 2013 11:52:56 -0400 (EDT)
(:sourceend:)
To display the quarantined messages and the reason why they were quarantined use the command mailq -qQ:
(:source:)
~# mailq -qQ
MSP Queue status...
/var/spool/mqueue-client is empty
                Total requests: 0
MTA Queue status...
                /var/spool/mqueue (7 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
r9NGSAIw026131     2894 Wed Oct 23 12:28 <>
                 QUARANTINE: quarantined by clamav-milter
                                         <adrian@bic.mni.mcgill.ca>
r9NG0xIM022166     2796 Wed Oct 23 12:01 <>
                 QUARANTINE: quarantined by clamav-milter
                                         <jorge@bic.mni.mcgill.ca>
r9NGL1Na025588     2643 Wed Oct 23 12:21 <>
                 QUARANTINE: quarantined by clamav-milter
                                         <dr.jack.loken@bic.mni.mcgill.ca>
r9NGTwIw026164     3005 Wed Oct 23 12:30 <>
                 QUARANTINE: quarantined by clamav-milter
                                         <berto@bic.mni.mcgill.ca>
r9NG4Dsm023427     3108 Wed Oct 23 12:04 <>
                 QUARANTINE: quarantined by clamav-milter
                                         <dana@bic.mni.mcgill.ca>
r9NGLwWa025592      527 Wed Oct 23 12:22 <service@scotiabank.com>
                 QUARANTINE: quarantined by clamav-milter
                                         <garys@bic.mni.mcgill.ca>
r9NFnjvo020352    11661 Wed Oct 23 11:50 <Lisa68@9802.com>
                 QUARANTINE: quarantined by clamav-milter
                                         <greg@bic.mni.mcgill.ca>
                Total requests: 7
(:sourceend:)
- To remove quarantined messages from the queue directory, you can use a tool provided with sendmail:
(:source:) /usr/share/sendmail/qtool.pl -d -Q /var/spool/mqueue (:sourceend:)
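The quarantined envelope format shown above is regular enough to triage with a few lines of code, so here is an added example (not from these notes and not part of sendmail) that parses a queue-control file: every line starts with a one-letter record type, and the ones that matter for quarantine triage are q (quarantine reason), S (sender), R (recipient), T (creation time) and H (a stored header line, possibly prefixed by "?flags?" and folded onto continuation lines). The sample envelope is constructed after the one in the notes, with the sender and client IP replaced by placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample, modelled on the hf file shown in the notes.
SAMPLE_HF = """V8
T1382543405
K1382543579
N0
P39663
qquarantined by clamav-milter
Fbs
$_[192.0.2.10]
$rESMTP
$sexample.invalid
S<sender@example.invalid>
rRFC822; luser@bic.mni.mcgill.ca
RPFD:<luser@bic.mni.mcgill.ca>
H?P?Return-Path: <sender@example.invalid>
H??Received: from example.invalid ([192.0.2.10])
\tby kurma.bic.mni.mcgill.ca (8.14.3/8.14.3/Debian-9.4) with ESMTP id r9NFnjvo020352
H??From: sender@example.invalid
H??Subject: This is the funniest picture ever!
H??X-Spam-Flag: YES
H??X-Spam-Status: Yes, score=7.9 required=5.0 tests=BAYES_50,RDNS_NONE autolearn=no version=3.3.1
H??X-Virus-Status: Infected (Sanesecurity.Foxhole.Zip_jpg.UNOFFICIAL)
"""


@dataclass
class Envelope:
    created: Optional[datetime] = None
    quarantine_reason: Optional[str] = None
    sender: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    headers: Dict[str, str] = field(default_factory=dict)


def parse_hf(text: str) -> Envelope:
    """Parse the subset of sendmail queue-control records needed for triage."""
    env = Envelope()
    last_header = None
    for raw in text.splitlines():
        if not raw:
            continue
        # A folded header continuation line starts with whitespace.
        if raw[0] in " \t" and last_header is not None:
            env.headers[last_header] += " " + raw.strip()
            continue
        rec, body = raw[0], raw[1:]
        if rec == "T":
            env.created = datetime.fromtimestamp(int(body), tz=timezone.utc)
        elif rec == "q":
            env.quarantine_reason = body
        elif rec == "S":
            env.sender = body.strip("<>")
        elif rec == "R":
            # R records carry flags before the colon, e.g. "PFD:<addr>".
            env.recipients.append(body.split(":", 1)[-1].strip("<>"))
        elif rec == "H":
            # H records may carry a "?flags?" prefix before the header itself.
            if body.startswith("?"):
                body = body.split("?", 2)[2]
            name, _, value = body.partition(":")
            last_header = name.strip()
            env.headers[last_header] = value.strip()
        else:
            last_header = None
    return env


def infection_name(env: Envelope) -> Optional[str]:
    """Signature name from the clamav-milter X-Virus-Status header, if infected."""
    status = env.headers.get("X-Virus-Status", "")
    if status.startswith("Infected (") and status.endswith(")"):
        return status[len("Infected ("):-1]
    return None


if __name__ == "__main__":
    e = parse_hf(SAMPLE_HF)
    print(e.created, e.quarantine_reason, e.sender, e.recipients, infection_name(e))
```

Run over a directory of hf files this gives a quick count of which signatures are doing the quarantining, which is the first thing to look at before deciding whether a third-party database is worth its false positives.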
Spamassassin (spamd and spamass-milter) Config
Version info:
(:source:)
ii  spamass-milter  0.3.1-10  milter for filtering mail through spamassassin
ii  spamassassin    3.3.1-1   Perl-based spam filter using text analysis
ii  spamc           3.3.1-1   Client for SpamAssassin spam filtering daemon
(:sourceend:)
Enable spamd in /etc/default/spamassassin and change the default user ('nobody') to an already existing user, say 'clamav-milter'. As the 'clamav-milter' user has a home directory ('nobody' has none, hence /nonexistent), that will get rid of the annoying messages from spamd in the mail logs:
(:source:)
spamd: connection from localhost [127.0.0.1] at port 39928
spamd: processing message <201103011602.p21G24lU029558@kurma.bic.mni.mcgill.ca> for logcheck:65534
spamd[15892]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin/bayes.lock.kurma.bic.mni.mcgill.ca.15892 for /nonexistent/.spamassassin/bayes.lock: No such file or directory
(:sourceend:)
/etc/default/spamassassin
(:source:)
# /etc/default/spamassassin
# Duncan Findlay

# WARNING: please read README.spamd before using.
# There may be security risks.

# Change to one to enable spamd
ENABLED=1

# Options
# See man spamd for possible options. The -d option is automatically added.

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.

#OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
OPTIONS="--nouser-config --max-children 5 --username=spamass-milter"

# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=0
(:sourceend:)
Remove the -i 127.0.0.1 in /etc/default/spamass-milter
(:source:)
# spamass-milt startup defaults

# OPTIONS are passed directly to spamass-milter.
# man spamass-milter for details

# Non-standard configuration notes:
# See README.Debian if you use the -x option with sendmail
# You should not pass the -d option in OPTIONS; use SOCKET for that.

# Default, use the spamass-milter user as the default user, ignore
# messages from localhost
#OPTIONS="-u spamass-milter -i 127.0.0.1"
OPTIONS="-u spamass-milter"

# Reject emails with spamassassin scores > 15.
#OPTIONS="-r 15"

# Do not modify Subject:, Content-Type: or body.
#OPTIONS="-m"

# If /usr/sbin/postfix is executable, the following are set by
# default. You can override them by uncommenting and changing them
# here.
#SOCKET="/var/spool/postfix/spamass/spamass.sock"
#SOCKETOWNER="postfix:postfix"
#SOCKETMODE="0660"
(:sourceend:)
Greylist Config
Version info:
ii milter-greylist 4.3.7-1 Greylist milter for sendmail
Enable the greylist milter in /etc/default/milter-greylist with ENABLED=1. Note that Debian/Squeeze ships the milter-greylist configuration file in /etc/milter-greylist/greylist.conf. However, if you want to use it you must set the options field to -f /etc/milter-greylist/greylist.conf, as milter-greylist is configured by default to look for its config file in /etc/mail/greylist.conf.
(:source:)
root@kurma:/etc/mail# cat /etc/default/milter-greylist
# Defaults for milter-greylist initscript
# sourced by /etc/init.d/milter-greylist
# installed at /etc/default/milter-greylist by the maintainer scripts
# 2006-08-18 Herbert Straub

# Change to one to enable milter-greylist
# Don't forget to edit the configuration file
# /etc/milter-greylist/greylist.conf
ENABLED=1

#PIDFILE="/var/run/milter-greylist.pid"
#SOCKET="/var/run/milter-greylist/greylist.sock"
#USER="root"

# Other options
#OPTIONS=""
(:sourceend:)
In the (legacy) config file /etc/mail/greylist.conf:
- Disable SPF:
(:source:) nospf (:sourceend:)
- Pay attention to the permissions of the db dumpfile directory: the user under which the milter is running (smmsp) must be able to write in it.
- Add the stuff to whitelist bic and other domains, greylist some local users, blacklist domains and add the control list.
- I've merged the difference between the old and new config files, notably a missing entry for the list "broken mta" addr { } block: 74.125.0.0/16 # Google
(:source:)
#
# Simple greylisting config file using the new features
# See greylist2.conf for a more detailed list of available options
#
# $Id: greylist.conf,v 1.42 2007/10/25 03:20:11 manu Exp $
#

pidfile "/var/run/milter-greylist.pid"
dumpfile "/var/lib/milter-greylist/greylist.db"
dumpfreq 10m

# For sendmail use the following two lines
socket "/var/run/milter-greylist/milter-greylist.sock"
user "smmsp"

nospf

delayedreject
logexpired

# Log milter-greylist activity to a file
# stat "/var/log/milter-greylist/greylist.log" "%T{%Y/%m/T} %d [%i] %r -> S (ACL Xc Xm %Xh"
# Same, sent to syslog
# stat "|logger -p local7.info" "%T{%Y/%m/T} %d [%i] %r -> S (ACL Xc Xm %Xh"

# Be verbose (or use -v flag)
verbose

# Do not tell spammer how long they have to wait
quiet

# MX peering
#peer 192.0.2.17
#peer 192.0.2.18

# Your own network, which should not suffer greylisting
list "bic network" addr { 127.0.0.1/8 10.0.0.0/8 192.0.2.0/24 132.206.178.0/24 }
list "mcgill" domain { mcgill.ca mail.mcgill.ca azuris.ca bellnexxia.net sigmawave.com openstore.com apcc.com linbit.com }
list "grey users" rcpt { malin@bic.mni.mcgill.ca malouin@bic.mni.mcgill.ca man@bic.mni.mcgill.ca }
list "blacklisted domains" domain { bezeqint.net avangarddsl.ru terra.cl telecomitalia.it consultingweb.it nasx-media.com airtelbroadband.in ttnet.net.tr asianet.co.th georgbell.com svservers.com www.tilburg-enterprise.com icpbounce.com }

# And here is the access list
racl blacklist list "blacklisted domains"
#racl blacklist list "blacklisted users" flushaddr
racl blacklist rcpt /[0-9][0-9]*\.[0-9][0-9]*@bic\.mni\.mcgill\.ca/ flushaddr
racl blacklist rcpt /test\.greylist@bic\.mni\.mcgill\.ca/ flushaddr
racl whitelist list "bic network"
racl whitelist list "mcgill"
racl whitelist list "broken mta"
#racl whitelist dnsrbl "MTAWL"
#racl blacklist urlcheck "userpref" $usrRBL "CBL" dnsrbl "CBL" # msg "Sender IP caught in CBL blacklist"
#racl blacklist $usrRBL "SBL" dnsrbl "BBL" # msg "Sender IP caught in SBL blacklist"
#racl blacklist $usrRBL "NJABL" dnsrbl "NJABL" # msg "Sender IP caught in NJABL blacklist"
#racl greylist list "grey users" dnsrbl "SORBS DUN" delay 24h autowhite 3d
racl greylist list "grey users" delay 15m autowhite 3d
racl whitelist default
(:sourceend:)
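To see what the "delay 15m autowhite 3d" rule above actually does to a sender over time, here is an added example (not from these notes and not milter-greylist code) that models the decision for one delivery attempt: hosts in the "bic network" list are whitelisted, recipients in the "grey users" list are greylisted on the (client IP, sender, recipient) triplet with the 15 minute delay and a 3 day auto-whitelist, and everything else falls through to "racl whitelist default". The recipient addresses and the clock are constructed; the auto-whitelist window is assumed to be renewed on each accepted delivery, as milter-greylist does.

```python
import ipaddress
from typing import Dict, Tuple

DELAY_S = 15 * 60          # "delay 15m"
AUTOWHITE_S = 3 * 86400    # "autowhite 3d"

# "bic network" list from the config (strict=False accepts 127.0.0.1/8 as written).
BIC_NETWORK = [ipaddress.ip_network(n, strict=False) for n in
               ("127.0.0.1/8", "10.0.0.0/8", "192.0.2.0/24", "132.206.178.0/24")]
# "grey users": constructed recipients standing in for the real ones.
GREY_USERS = {"alice@bic.mni.mcgill.ca", "bob@bic.mni.mcgill.ca"}

Triplet = Tuple[str, str, str]   # (client IP, envelope sender, recipient)


class Greylist:
    """Greylisting state for the racl rules in the notes' greylist.conf."""

    def __init__(self) -> None:
        self.first_seen: Dict[Triplet, int] = {}   # triplets still waiting out the delay
        self.autowhite: Dict[Triplet, int] = {}    # triplet -> auto-whitelist expiry (epoch s)

    def decide(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        """Return 'whitelist', 'greylist' (tempfail) or 'accept' for one attempt."""
        addr = ipaddress.ip_address(ip)
        # racl whitelist list "bic network"
        if any(addr in net for net in BIC_NETWORK):
            return "whitelist"
        # racl greylist list "grey users" delay 15m autowhite 3d
        if rcpt in GREY_USERS:
            key = (ip, sender, rcpt)
            expiry = self.autowhite.get(key)
            if expiry is not None and now < expiry:
                self.autowhite[key] = now + AUTOWHITE_S   # renewed on each delivery
                return "accept"
            first = self.first_seen.get(key)
            if first is None:
                self.first_seen[key] = now
                return "greylist"          # first contact: ask the sender to retry
            if now - first < DELAY_S:
                return "greylist"          # retried too early: keep waiting
            del self.first_seen[key]
            self.autowhite[key] = now + AUTOWHITE_S
            return "accept"                # retried after the delay: let it in
        # racl whitelist default
        return "whitelist"


if __name__ == "__main__":
    g = Greylist()
    for t in (0, 600, 900, 1000):
        print(t, g.decide("198.51.100.7", "news@example.org", "alice@bic.mni.mcgill.ca", t))
```

The point the state machine makes is the one the notes rely on: a legitimate MTA retries after its queue interval and is accepted, and is not delayed again for three days, while a sender that never retries is never accepted at all.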
OpenDKIM (DomainKeys Identified Mail)
Intro
- https://tools.ietf.org/html/rfc6376 IETF RFC6376 DomainKeys Identified Mail (DKIM) Signatures specifies the standard for DKIM.
- https://tools.ietf.org/html/rfc5451 IETF RFC5451 Authentication-Results Header Field also relates to DKIM (and SPF too).
- The most salient features:
  - DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message.
  - Message signature is written as a message email header, not part of the message body.
  - Uses asymmetric cryptographic keys.
  - Not dependent on public/private keys or certificates issued by 3rd party authorities.
  - Not dependent on the deployment of internet services related to key distribution or revocation.
  - A signature verification failure does not force rejection of the message.
  - Is compatible with the existing email infrastructure and transparent to the fullest extent possible.
  - Requires minimal new infrastructure.
  - Can be deployed incrementally.
- The deployment will consist in a few steps:
  - Install and configure OpenDKIM itself, then test and debug.
  - Add a TXT record to the master DNS server to advertise the DKIM public selector key.
  - Make sendmail aware of the new Milter. Test and debug.
  - There might be problems with MASQUERADE_AS and GENERICSTABLE rewrite rules on smtphost. Will see.
I initially installed dkim-filter on smtphost
but noticed that since being approved by the IETF, a new open source project named OpenDKIM was started. The OpenDKIM Project is a community effort. The project started from a code fork of version 2.8.3 of the open source dkim-milter package developed and maintained by Sendmail, Inc.
- Install opendkim version 2.6.8 from the squeeze-backports repository.
(:source:)
kurma:~# apt-get install -t squeeze-backports opendkim opendkim-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libopendkim1
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  libopendkim7 libvbr2
The following NEW packages will be installed:
  libopendkim7 libvbr2 opendkim-tools
The following packages will be upgraded:
  opendkim
(:sourceend:)
OpenDKIM Configuration
As a test bed, I'm using audrey (BIC mail server in a previous life) as a proof of concept. Even though these notes use audrey, it should be understood that the final intent is to make smtphost the DKIM signer/verifier. Note that the OpenDKIM version on audrey is 2.9.2 compared to 2.6.8 on kurma. Sendmail versions are different too (8.14.3 compared to 8.14.4 on audrey) but it shouldn't really make any difference.
- Configure OpenDKIM with a selector set to audrey20160119.
- Set the domain to audrey.bic.mni.mcgill.ca.
- Peeve: I don't like the location of the config file /etc/opendkim.config. Why not in /etc/opendkim/opendkim.conf as it is usually done on Debian systems?
- Edit /etc/default/opendkim and set DAEMON_OPTS="-x /etc/opendkim/opendkim.conf"
(:source:)
chown opendkim.opendkim /etc/opendkim
chmod g+s /etc/opendkim
chown opendkim.opendkim /etc/opendkim/*
(:sourceend:)
- Where to put the private key file? Answer: /etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.private
- Check ownerships and permissions in /etc/opendkim as the Milter might not run as root. Answer: run as the opendkim user.
- Make sure only user opendkim can read the private key file /etc/opendkim/keys/bic.mni.mcgill.ca/kurma.private
(:source:)
~# mkdir /etc/opendkim/keys/bic.mni.mcgill.ca
~# /usr/sbin/opendkim-genkey -D /etc/opendkim/keys/audrey.bic.mni.mcgill.ca -d audrey.bic.mni.mcgill.ca -s audrey20160119
~# chmod 640 /etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.private
~# chmod 644 /etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.txt
(:sourceend:)
/etc/default/opendkim
(:source:)
# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
SOCKET="local:/var/run/opendkim/opendkim.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
(:sourceend:)
/etc/opendkim/opendkim.conf
(:source:)
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002
UserID                  opendkim:opendkim

## Signing options
#
# Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode                    sv

# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.
#Domain                 audrey.bic.mni.mcgill.ca

# Defines the name of the selector to be used when signing messages.
Selector                audrey20160119

#Keyfile                /etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.private
#
# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# setting in the configuration file.
#
KeyTable                /etc/opendkim/KeyTable

# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys. refile: -> the file referenced contains regexes.
SigningTable            refile:/etc/opendkim/SigningTable

# Identifies a set of internal hosts whose mail should be signed rather than verified.
InternalHosts           refile:/etc/opendkim/InternalHosts

# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/relaxed

# Add a "DKIM-Filter" header field.
SoftwareHeader          yes
SyslogSuccess           yes
MilterDebug             1
SignatureAlgorithm      rsa-sha256

# Always oversign From (sign using actual From and a null From to prevent
# malicious signature header fields (From and/or others) being added between
# the signer and the verifier). From is oversigned by default in the Debian
# package because it is often the identity key used by reputation systems and
# thus somewhat security sensitive.
OversignHeaders         From
(:sourceend:)
A few comments about the config file above:
- The Domain parameter is not needed if one uses the SigningTable parameter.
- The KeyFile parameter is also not needed and is in fact overridden by the KeyTable parameter if one uses it.
- The InternalHosts file specifies the hosts whose outgoing messages OpenDKIM will sign. 127.0.0.1 must be present.
/etc/opendkim/InternalHosts
(:source:)
127.0.0.1
(:sourceend:)
- The KeyTable file tells OpenDKIM where to find your keys.
- Each entry in the KeyTable file is a single line for each key location.
- The key name maps to 3 fields delimited by ":": the domain name (d= in the signature), the selector name (s= in the signature) and the location of the private key.
- See https://tools.ietf.org/html/rfc6376#section-3.5 for the meaning of the tags in the DKIM signature header field.
/etc/opendkim/KeyTable
(:source:)
audrey20160119._domainkey.audrey.bic.mni.mcgill.ca audrey.bic.mni.mcgill.ca:audrey20160119:/etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.private
(:sourceend:)
- The SigningTable file tells OpenDKIM how to use your keys, as in which senders should use which selectors for their signatures.
- A wildcard "*" requires that the table be declared with the refile: dataset type in /etc/opendkim/opendkim.conf.
- Meaning: use selector audrey20160119 in the domain audrey.bic.mni.mcgill.ca for all ("*") users in audrey.bic.mni.mcgill.ca.
/etc/opendkim/SigningTable
(:source:)
*@audrey.bic.mni.mcgill.ca audrey20160119._domainkey.audrey.bic.mni.mcgill.ca
(:sourceend:)
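The SigningTable to KeyTable lookup described above, as an added Python example (not part of these notes nor of OpenDKIM itself): it parses constructed copies of the two tables, expands the refile: wildcard into a regex and resolves a From: address to the d=, s= and private key path that would sign it. First-match-wins ordering, case-insensitive matching and the "*" to ".*" translation are assumptions about OpenDKIM's refile: semantics.

```python
import re

# Constructed copies of the two tables shown above (same rows as on this page).
SIGNING_TABLE = """\
# sender pattern            key name (must exist in KeyTable)
*@audrey.bic.mni.mcgill.ca  audrey20160119._domainkey.audrey.bic.mni.mcgill.ca
"""
KEY_TABLE = """\
# key name   domain:selector:private key file
audrey20160119._domainkey.audrey.bic.mni.mcgill.ca audrey.bic.mni.mcgill.ca:audrey20160119:/etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.private
"""


def parse_table(text):
    """Rows of a two-column OpenDKIM table; blank lines and # comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            rows.append((key, value.strip()))
    return rows


def refile_regex(pattern):
    """A refile: pattern is a glob where '*' matches anything; anchor it as a regex.
    (Assumed translation of OpenDKIM's refile: matching, case-insensitive.)"""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)


def parse_key_table(text):
    """KeyTable values are domain:selector:keyfile, i.e. the d= and s= tags of the
    resulting DKIM-Signature plus the private key that produces b=."""
    keys = {}
    for name, value in parse_table(text):
        domain, selector, keyfile = value.split(":", 2)  # ValueError if malformed
        keys[name] = {"d": domain, "s": selector, "keyfile": keyfile}
    return keys


def resolve_signing_key(from_addr, signing_table=SIGNING_TABLE, key_table=KEY_TABLE):
    """KeyTable entry that would sign mail from from_addr, or None when no SigningTable
    row matches (the message is then verified, not signed). First match wins."""
    keys = parse_key_table(key_table)
    for pattern, key_name in parse_table(signing_table):
        if refile_regex(pattern).match(from_addr):
            if key_name not in keys:
                raise KeyError(f"SigningTable points at unknown KeyTable entry {key_name!r}")
            return keys[key_name]
    return None
```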
Advertise DKIM Selector Public Key on DNS Master
- Generate a private key with selector name audrey20160119 with:
(:source:)
~# opendkim-genkey -t -D /etc/opendkim/keys/audrey.bic.mni.mcgill.ca -s audrey20160119 -d audrey.bic.mni.mcgill.ca
(:sourceend:)
- The -t option indicates that the generated key record is tagged as a test signing domain.
- The -D option specifies the directory where to create the private key audrey20160119.private and its associated TXT record.
- The selector name is audrey20160119.
- The file audrey20160119.private contains the RSA private key with a key size of 1024 bits (default).
- The file audrey20160119.txt contains the DNS TXT record suitable for inclusion in the domain DNS zone file.
- Note: as per RFC6376, the selector name should not be a single name such as audrey as it can/will lead to problems later on when or if the key needs to be updated. From Section 3.1 of RFC6376:
INFORMATIVE OPERATIONS NOTE: Reusing a selector with a new key (for example, changing the key associated with a user's name) makes it impossible to tell the difference between a message that didn't verify because the key is no longer valid and a message that is actually forged. For this reason, Signers are ill-advised to reuse selectors for new keys. A better strategy is to assign new keys to new selectors.
- Create a DNS TXT record in the DNS master zone file.
- Set a small TTL (say 3600s/1hr) while tinkering with this. Change it back to the default value when the setup is validated.
- Test it by probing the DNS master directly (the key in p= has been truncated):
(:source:)
~$ dig +short @132.206.178.7 audrey20160119._domainkey.audrey.bic.mni.mcgill.ca txt
"v=DKIM1\; k=rsa\; p=MIGfMA0GC.................................kuCFAm34U3V8wIDAQAB"
(:sourceend:)
Sendmail and OpenDKIM Milter
- Add the bit for sendmail to connect to the OpenDKIM milter in /etc/mail/sendmail.mc.
- Note that the socket file is as specified in /etc/default/opendkim.
- Some care has to be taken with INPUT_MAIL_FILTER and MAIL_FILTER as I think there might be some overrides. Go back to the Bat Book to make sure.
- Add opendkim to confINPUT_MAIL_FILTERS, recompile sendmail.cf and restart sendmail.
(:source:)
dnl # Milters
dnl #
dnl # /JF/ INPUT_MAIL_FILTER options declares the Milters and also set their processing order.
dnl # See the Bat Book, 4th Ed., Section 26.2.2 The InputMailFilters Option
dnl #
dnl # /JF/ greylist milter is already setup using FEATURE(`milter-greylist').
dnl INPUT_MAIL_FILTER(`greylist', ``S=local:/var/run/milter-greylist/milter-greylist.sock, F=, T=S:4m;R:4m'')dnl
FEATURE(`milter-greylist')dnl
dnl # /JF/ clamav is already setup by the use of the include(`/etc/mail/m4/clamav-milter.m4')
dnl INPUT_MAIL_FILTER(`clamav', ``S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m'')dnl
include(`/etc/mail/m4/clamav-milter.m4')dnl
INPUT_MAIL_FILTER(`spamassassin', ``S=local:/var/run/spamass/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m'')dnl
INPUT_MAIL_FILTER(`opendkim', ``S=local:/var/run/opendkim/opendkim.sock, F=, T=C:10m;S:10m;R:20m;E:20m'')dnl
dnl #
dnl # /JF/ INPUT_MAIL_FILTERS option defines the processing order of the Milters.
dnl # Needed only if MAIL_FILTER is used rather than the INPUT_MAIL_FILTER macros
dnl # or if one needs/wants to force a specific Milter calling order.
dnl define(`confINPUT_MAIL_FILTERS', ``clamav,greylist,spamassassin,opendkim'')dnl
dnl #
dnl # /JF/ Modify the Milters End-of-Message handling routine from its default, ${msg_id}.
dnl # See the Bat Book, 4th ed., Section 24.9.76.8 Milter.macros.eom
define(`confMILTER_MACROS_EOM', confMILTER_MACROS_EOM``, {mail_addr}, {rcpt_addr}, i'')dnl
(:sourceend:)
Testing DKIM Signatures with gmail.com
- A simple signature check with my gmail address.
- No MASQUERADE_AS or header rewriting rules on audrey at first.
- The Authentication-Results: header, showing dkim=fail or dkim=pass, is the important tag to check.
(:source:)
Delivered-To: jfmalouin@gmail.com
Received: by 10.37.42.15 with SMTP id q15csp3256135ybq;
        Wed, 20 Jan 2016 07:17:03 -0800 (PST)
X-Received: by 10.50.88.7 with SMTP id bc7mr4201679igb.24.1453303023395;
        Wed, 20 Jan 2016 07:17:03 -0800 (PST)
Return-Path: <jf@audrey.bic.mni.mcgill.ca>
Received: from audrey.bic.mni.mcgill.ca (audrey.bic.mni.mcgill.ca. [132.206.178.45])
        by mx.google.com with ESMTPS id o67si6660631ioi.5.2016.01.20.07.17.03
        for <jfmalouin@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 20 Jan 2016 07:17:03 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of jf@audrey.bic.mni.mcgill.ca designates 132.206.178.45 as permitted sender) client-ip=132.206.178.45;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of jf@audrey.bic.mni.mcgill.ca designates 132.206.178.45 as permitted sender) smtp.mailfrom=jf@audrey.bic.mni.mcgill.ca;
       dkim=pass header.i=@audrey.bic.mni.mcgill.ca
Received: from audrey.bic.mni.mcgill.ca (localhost [127.0.0.1])
        by audrey.bic.mni.mcgill.ca (8.14.4/8.14.4/Debian-8) with ESMTP id u0KFH2nq014018
        for <jfmalouin@gmail.com>; Wed, 20 Jan 2016 10:17:02 -0500
DKIM-Filter: OpenDKIM Filter v2.9.2 audrey.bic.mni.mcgill.ca u0KFH2nq014018
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=audrey.bic.mni.mcgill.ca;
        s=audrey20160119; t=1453303022;
        bh=E797MDnGO/WlBJH6PP2OtOaZ0boUNjFa75y+VxFTA1Q=;
        h=Date:From:To:Subject:From;
        b=NcmV1sxkBMq4jfA0gvY0r7/K42O4StdYM7IYrg8jHvFxMjpi4kCaUgRcXq9rAS09C
         McoFffXj/QvhmlzUTrHy85KVixw4+u3IlJbbeihw4FYIlTgsbOn7wWfLYkOd/3ex7P
         yAbkjvRh6GD0RoF5lQ5lgyLQLGOWPuWQ25uFLkek=
Received: (from jf@localhost)
        by audrey.bic.mni.mcgill.ca (8.14.4/8.14.4/Submit) id u0KFH2bL014017
        for jfmalouin@gmail.com; Wed, 20 Jan 2016 10:17:02 -0500
Date: Wed, 20 Jan 2016 10:17:02 -0500
From: Jean-Francois Malouin <jf@audrey.bic.mni.mcgill.ca>
To: jfmalouin@gmail.com
Subject: 0
Message-ID: <20160120151702.GA13996@audrey.bic.mni.mcgill.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
(:sourceend:)
- Success!
SpamAssassin T_DKIM_INVALID Tag Problem
- On the receiving end, SpamAssassin complains about an invalid DKIM signature (T_DKIM_INVALID is inserted in the X-Spam-Status: message header) even though Authentication-Results: says dkim=pass.
- A hint from http://www.spamresource.com/2014/06/opendkim-spamassassin-gotchas-on-ubuntu.html: needed are libmail-dkim-perl libcrypt-openssl-random-perl libcrypt-openssl-rsa-perl
- Installing those on smtphost still didn't solve the problem even after restarting spamassassin.
- Initially I thought the problem was on smtphost but it turned out to be on the mailhub!
- On both smtphost and mailhub install those:
(:source:)
tubal:~# apt-get install libmail-dkim-perl libcrypt-openssl-random-perl libcrypt-openssl-rsa-perl
(:sourceend:)
- Headers displaying the problem before installing the packages: notice the T_DKIM_INVALID tag.
(:source:)
From jfmalouin@gmail.com Sat Dec 19 14:42:51 2015
Return-Path: <jfmalouin@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on tubal.bic.mni.mcgill.ca
X-Spam-Level:
X-Spam-Status: No, score=-98.2 required=4.5 tests=BAYES_50,FREEMAIL_FROM,
        HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_SOFTFAIL,T_DKIM_INVALID,USER_IN_WHITELIST
        autolearn=no version=3.3.2
Received: from kurma.bic.mni.mcgill.ca (kurma.bic.mni.mcgill.ca [132.206.178.241])
        by tubal.bic.mni.mcgill.ca with ESMTP id tBJJgpBe029566
        for <malin@mailhub.bic.mni.mcgill.ca>; Sat, 19 Dec 2015 14:42:51 -0500
Received: from mail-yk0-f180.google.com (mail-yk0-f180.google.com [209.85.160.180])
        by kurma.bic.mni.mcgill.ca with ESMTP id tBJJgjH6007317
        for <malin@bic.mni.mcgill.ca>; Sat, 19 Dec 2015 14:42:50 -0500
Authentication-Results: kurma.bic.mni.mcgill.ca;
        dkim=pass reason="2048-bit key; insecure key"
        header.d=gmail.com header.i=@gmail.com header.b=DZLaqiKv;
        dkim-adsp=pass; dkim-atps=neutral
Received: by mail-yk0-f180.google.com with SMTP id x184so95124517yka.3
        for <malin@bic.mni.mcgill.ca>; Sat, 19 Dec 2015 11:42:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=Fz4+HnCdt0HrklvbrusCCSM0GeMqoF0TspNjDUO+HuU=;
        b=DZLaqiKvOTRWUJ4O/Vg2wLEpaB67Z8fSgWo6Ss2th/NqSa8jZvx4d1RQISfQBCQaz3
         8A91MBixfjDvizrl23QFRf8h9f9K8TGrTGSINLXBuaRFhwWUAzEmvI6tbUKuwjAvMfHR
         3OfftdMD9Rbhm5KD81rSpFYoBAcbVz8syRkv7DIijIz5hs7ufU3SSiOitYL8JkJOmx2o
         +evkcufvZITebZaljwoS8E2wRJP2UTQOCtCaxbq0cJThb6Wq2ywg6V4JabA/Dnch82CI
         TCtoRpViSQr4tEVBdv/dKsY6bauhPb32VBnenASht3pF+uAkEbytEX2bX7Kuz1YZwtXA
         5Prg==
(:sourceend:)
- After installing the missing packages ON TUBAL.
- Notice the DKIM_SIGNED, DKIM_VALID and DKIM_VALID_AU SpamAssassin tags.
- The Authentication-Results: header is inserted by OpenDKIM on smtphost and indicates that the signature is ok and verified. See RFC5451.
(:source:)
From jfmalouin@gmail.com Sat Dec 19 14:57:21 2015
Return-Path: <jfmalouin@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on tubal.bic.mni.mcgill.ca
X-Spam-Level:
X-Spam-Status: No, score=-98.3 required=4.5 tests=BAYES_50,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,
        SPF_SOFTFAIL,USER_IN_WHITELIST autolearn=no version=3.3.2
Received: from kurma.bic.mni.mcgill.ca (kurma.bic.mni.mcgill.ca [132.206.178.241])
        by tubal.bic.mni.mcgill.ca with ESMTP id tBJJvLon010615
        for <malin@mailhub.bic.mni.mcgill.ca>; Sat, 19 Dec 2015 14:57:21 -0500
Received: from mail-yk0-f174.google.com (mail-yk0-f174.google.com [209.85.160.174])
        by kurma.bic.mni.mcgill.ca with ESMTP id tBJJvDiu010635
        for <malin@bic.mni.mcgill.ca>; Sat, 19 Dec 2015 14:57:19 -0500
Authentication-Results: kurma.bic.mni.mcgill.ca;
        dkim=pass reason="2048-bit key; insecure key"
        header.d=gmail.com header.i=@gmail.com header.b=FNu+aZk/;
        dkim-adsp=pass; dkim-atps=neutral
Received: by mail-yk0-f174.google.com with SMTP id 140so94699292ykp.0
        for <malin@bic.mni.mcgill.ca>; Sat, 19 Dec 2015 11:57:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=GoWZxGQdDc8HzV6f8igaJWOClsIzjCrOecXJpb8CiN4=;
        b=FNu+aZk/DldzJBmmgVvOmCaJV25Sv+0KBI6ZzP+NbHqptjXCHr/Y3+C6OkE3JWGyYo
         eMzlesPK8Hc/fiUu/d0+o7nkZzQT1l9sk+lwKC/hCEd/jjNmxst8KwQcULV1335WqiwB
         OofHXRmagEPwnQVK0FXlEnZsTlllGw1ChKvAoGLouT0gHlT/VzQebmx/IXZXbBJfEQUg
         i42p8EiuXsqNkHHdSFVZ7G6S+Us4lTCxEgIZ3izeooZ08K15APUHdpQQ+rgE9HrBRSEW
         GchCpn7EByzzRUwtyedFVb4g+t3y6pzBETtiUGijMEsRsGgRuZPCpYcAeKHNfOJfsLeD
         A4vQ==
(:sourceend:)
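To check captures like the ones in this section and in the gmail test above mechanically, an added Python example (not part of these notes): it unfolds the headers, reads the dkim= verdict from Authentication-Results, the test list from X-Spam-Status and the tags of DKIM-Signature, then flags the T_DKIM_INVALID-while-dkim=pass contradiction described here and whether From is oversigned as opendkim.conf requests. The header excerpts are constructed copies of the captures with shortened signature values.

```python
import re

# Constructed header excerpts mirroring the captures above (signature values shortened).
BEFORE = """\
X-Spam-Status: No, score=-98.2 required=4.5 tests=BAYES_50,FREEMAIL_FROM,
        HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_SOFTFAIL,T_DKIM_INVALID,USER_IN_WHITELIST
        autolearn=no version=3.3.2
Authentication-Results: kurma.bic.mni.mcgill.ca;
        dkim=pass reason="2048-bit key; insecure key"
        header.d=gmail.com header.i=@gmail.com header.b=DZLaqiKv;
        dkim-adsp=pass; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=Fz4+Hn...=; b=DZLaqiKv...
"""
# Same message as seen after Mail::DKIM was installed on the SpamAssassin host.
AFTER = BEFORE.replace("SPF_SOFTFAIL,T_DKIM_INVALID,", "DKIM_VALID,DKIM_VALID_AU,SPF_SOFTFAIL,") \
              .replace("BAYES_50,", "BAYES_50,DKIM_SIGNED,")


def unfold_headers(raw):
    """(name, value) pairs from a raw header block; RFC 5322 continuation lines
    (leading whitespace) are joined onto the preceding field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            m = re.match(r"^([\w-]+):\s*(.*)$", line)
            if m:
                fields.append((m.group(1).lower(), m.group(2).strip()))
    return fields


def header(fields, name):
    return next((v for n, v in fields if n == name.lower()), "")


def spamassassin_tests(fields):
    """Rule names from the tests= list of X-Spam-Status (ends at autolearn=)."""
    m = re.search(r"tests=(.*?)(?:\s+autolearn=|$)", header(fields, "X-Spam-Status"))
    return set(filter(None, re.sub(r"\s+", "", m.group(1)).split(","))) if m else set()


def dkim_result(fields):
    """The dkim= method result (pass/fail/...) recorded in Authentication-Results."""
    m = re.search(r"\bdkim=(\w+)", header(fields, "Authentication-Results"))
    return m.group(1) if m else None


def signature_tags(fields):
    """tag=value pairs of the DKIM-Signature header (RFC 6376 section 3.5)."""
    tags = {}
    for part in header(fields, "DKIM-Signature").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def oversigned(tags, name):
    """True when the header is listed twice in h=, so an added copy would break b=."""
    return [h.lower() for h in tags.get("h", "").split(":")].count(name.lower()) >= 2


def diagnose(raw):
    """Findings for one message; the first two mirror the before/after captures above."""
    fields = unfold_headers(raw)
    tests, result, tags = spamassassin_tests(fields), dkim_result(fields), signature_tags(fields)
    findings = []
    if "T_DKIM_INVALID" in tests and result == "pass":
        findings.append("spamassassin-cannot-verify")  # OpenDKIM verified; SA host lacks Mail::DKIM
    if "DKIM_VALID_AU" in tests and result == "pass":
        findings.append("verified-consistently")
    if tags and not oversigned(tags, "From"):
        findings.append("from-not-oversigned")
    return findings
```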
CORE MAILHOST
- Accept smtp connections from and only from smtphost.
- Performs final delivery of mail coming from smtphost.bic.mni.mcgill.ca in /var/mail.
- Performs aliasing and/or forwarding and also remaps addresses through virtusertable and genericstable as it is currently done on shadow.
- Acts as a nullclient for outbound mail: the message is relayed to smtphost.bic.mni.mcgill.ca for sanitization and sent out if clean.
- Inbound mail (say from host1.bic.mni.mcgill.ca to host2.bic.mni.mcgill.ca) is first relayed to smtphost, sanitized and then (if clean) relayed to mailhost.bic.mni.mcgill.ca, which performs final delivery.
- For that to happen smtphost.bic.mni.mcgill.ca needs to know which hosts are 'local', i.e. they must be listed in the Cw class in its sendmail config.
- mailhost.bic.mni.mcgill.ca should have SMART_HOST set to smtphost.bic.mni.mcgill.ca:
(:source:)
define(`SMART_HOST', `smtphost.bic.mni.mcgill.ca.')
(:sourceend:)
- IMAP connections should be done on mailhost.bic.mni.mcgill.ca as user authentication information is not available on smtphost. User authentication is in /etc/cram-md5.txt. This is a flat text file (with TABS as separator!) so it must be readable by root only, as the imapd daemon runs as root as per inetd.conf on imaphost.
- /etc/hosts.allow should have this entry:
(:source:)
sendmail: smtphost.bic.mni.mcgill.ca 127.0.0.1
(:sourceend:)
- Localhost is necessary because when delivery is done through files (or includes), as for mailman, sendmail attempts a connection to 127.0.0.1.
- Maximum message size set at 10MB.
- Quotas should be enabled for /var/mail.
Null Clients
The new host must be added to the file /etc/mail/local-host-names on smtphost.bic.mni.mcgill.ca and sendmail must be restarted.
Sendmail client
Do not run sendmail in daemon mode, just the msp. Edit the file /etc/mail/sendmail.conf:
(:source:)
DAEMON_NETMODE="Static";
DAEMON_NETIF="eth0";
DAEMON_MODE="None";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="No";
QUEUE_MODE="Daemon";
QUEUE_INTERVAL="10m";
QUEUE_PARMS="";
MSP_MODE="Daemon";
MSP_INTERVAL="10m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";
(:sourceend:)
and run /usr/sbin/sendmailconfig to have the new settings take effect.
To just submit to smtphost.bic.mni.mcgill.ca stick the following in /etc/mail/submit.mc:
(:source:)
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.13.4-3 2005-06-03 16:49:22 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
FEATURE(`msp', `smtphost.bic.mni.mcgill.ca.')dnl
(:sourceend:)
and remake the sendmail *.cf files with make -C /etc/mail.
Exim client
An exim client using a smarthost can be configured as follows. First, we only need a queue runner daemon, as the nullclient doesn't listen for incoming connections.
(:source:)
~# ~malin/bin/crush /etc/default/exim4
EX4DEF_VERSION=''
QUEUERUNNER='queueonly'
QUEUEINTERVAL='10m'
COMMONOPTIONS=''
QUEUERUNNEROPTIONS=''
QFLAGS=''
SMTPLISTENEROPTIONS=''
(:sourceend:)
Modify /etc/exim4/update-exim4.conf.conf as below and reconfigure exim4-config with dpkg-reconfigure exim4-config.
There is a funny thing happening when using (the simpler) dc_eximconfig_configtype='satellite': if you try to send an email to a local address (say blah@bic.mni.mcgill.ca) then you'll get an 'unroutable address' if blah is not an existing user! This obviously breaks the aliasing done on mailhost, and the address remapping on smtphost. This might be related to NIS but I find the exim Debian package a bit weird and strange, so rather than debugging this I used the following config:
(:source:)
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost='bic.mni.mcgill.ca'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtphost.bic.mni.mcgill.ca'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
(:sourceend:)
$Author: malin $ Last Modified on $Date: 2013-10-24 19:51:10 $