mail
mail [2017/11/04 18:30] – Ajout dovecot mirtouf | mail [2017/11/26 10:42] (Version actuelle) – [3.1. main.cf] Modification DH mirtouf | ||
---|---|---|---|
Ligne 40: | Ligne 40: | ||
puis dovecot: | puis dovecot: | ||
< | < | ||
- | apt install dovecot-imapd | + | apt install dovecot-imapd |
</ | </ | ||
Ligne 51: | Ligne 51: | ||
< | < | ||
apt install nginx-full uwsgi-python | apt install nginx-full uwsgi-python | ||
+ | </ | ||
+ | |||
+ | puis redis-server: | ||
+ | < | ||
+ | apt install redis-server | ||
+ | </ | ||
+ | |||
+ | puis clamav: | ||
+ | < | ||
+ | apt install clamav clamav-daemon | ||
</ | </ | ||
Ligne 63: | Ligne 73: | ||
===== 2. Installation et configuration de modoboa ===== | ===== 2. Installation et configuration de modoboa ===== | ||
+ | ==== 2.1. Installation de modoboa via pip ==== | ||
C'est du python et donc il faut mieux travailler dans un // | C'est du python et donc il faut mieux travailler dans un // | ||
Avec votre utilisateur non privilégié il faut passer dans un environnement virtuel pour installer modoboa: | Avec votre utilisateur non privilégié il faut passer dans un environnement virtuel pour installer modoboa: | ||
Ligne 73: | Ligne 84: | ||
</ | </ | ||
- | puis déployer une instance (référez-vous à la [[https:// | + | ==== 2.2. Déploiement de modoboa ==== |
+ | Ensuite il faut déployer une instance (référez-vous à la [[https:// | ||
< | < | ||
- | pour de belles statistiques (utilisateur privilégié): | + | pour de belles statistiques (utilisateur privilégié |
< | < | ||
où ce chemin sera renseigné dans l' | où ce chemin sera renseigné dans l' | ||
Ligne 85: | Ligne 97: | ||
Veuillez noter que selon votre configuration, | Veuillez noter que selon votre configuration, | ||
- | Le fichier à placer | + | ==== 2.3. Crontab pour modoboa ==== |
+ | Le fichier à éditer | ||
< | < | ||
# Modoboa specific cron jobs | # Modoboa specific cron jobs | ||
Ligne 113: | Ligne 126: | ||
===== 3. Postfix ===== | ===== 3. Postfix ===== | ||
+ | ==== 3.1. main.cf ==== | ||
Pour postfix c'est assez simple, le main.cf (avec une mise en forme qui plairait à hardware): | Pour postfix c'est assez simple, le main.cf (avec une mise en forme qui plairait à hardware): | ||
< | < | ||
Ligne 203: | Ligne 217: | ||
smtpd_tls_cert_file | smtpd_tls_cert_file | ||
smtpd_tls_key_file | smtpd_tls_key_file | ||
- | smtpd_tls_dh1024_param_file | + | smtpd_tls_dh1024_param_file |
- | smtpd_tls_dh512_param_file | + | |
tls_preempt_cipherlist = yes | tls_preempt_cipherlist = yes | ||
Ligne 248: | Ligne 261: | ||
transport_maps | transport_maps | ||
mysql:/ | mysql:/ | ||
- | mysql:/ | + | mysql:/ |
+ | hash:/ | ||
###################### | ###################### | ||
Ligne 384: | Ligne 398: | ||
:!: Veuillez noter que / | :!: Veuillez noter que / | ||
+ | Le fichier Diffie-Hellman contient ceci et est préférentiellement choisi car audité de façon régulière: | ||
+ | < | ||
+ | -----BEGIN DH PARAMETERS----- | ||
+ | MIIBCAKCAQEA////////// | ||
+ | +8yTnc4kmz75fS/ | ||
+ | 87VXE15/ | ||
+ | YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi | ||
+ | 7MA0BM0oNC9hkXL+nOmFg/ | ||
+ | ssbzSibBsu/ | ||
+ | -----END DH PARAMETERS----- | ||
+ | </ | ||
+ | ==== 3.2. master.cf ==== | ||
Le master.cf: | Le master.cf: | ||
< | < | ||
Ligne 498: | Ligne 524: | ||
-o smtp_dns_support_level=dnssec | -o smtp_dns_support_level=dnssec | ||
-o smtp_tls_security_level=dane | -o smtp_tls_security_level=dane | ||
+ | |||
+ | # Modoboa DMARC | ||
+ | dmarc-rua-parser unix - | ||
+ | flags= user=vmail: | ||
# Zeyple | # Zeyple | ||
Ligne 515: | Ligne 545: | ||
# Vacation (modoboa) | # Vacation (modoboa) | ||
autoreply | autoreply | ||
- | | + | |
</ | </ | ||
+ | ==== 3.3. Complément DMARC ==== | ||
+ | Il faut ajouter le fichier suivant dans / | ||
+ | < | ||
+ | adresse_dmarc_enregistrement_DNS@domaine.tld dmarc-rua-parser: | ||
+ | </ | ||
+ | puis un coup de postmap bien placé: | ||
+ | < | ||
+ | postmap / | ||
+ | </ | ||
===== 4.Dovecot ===== | ===== 4.Dovecot ===== | ||
+ | ==== 4.1. Configuration générale ==== | ||
La configuration générale de dovecot dans / | La configuration générale de dovecot dans / | ||
- | / | + | |
+ | ==>/ | ||
< | < | ||
disable_plaintext_auth = no | disable_plaintext_auth = no | ||
Ligne 529: | Ligne 570: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
service director { | service director { | ||
Ligne 557: | Ligne 598: | ||
</ | </ | ||
- | etc/ | + | ==>etc/ |
< | < | ||
mail_location = maildir: | mail_location = maildir: | ||
Ligne 570: | Ligne 611: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
service imap-login { | service imap-login { | ||
Ligne 629: | Ligne 670: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
ssl = required | ssl = required | ||
Ligne 638: | Ligne 679: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
postmaster_address = postmaster@domaine.tld | postmaster_address = postmaster@domaine.tld | ||
Ligne 652: | Ligne 693: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
namespace inbox { | namespace inbox { | ||
Ligne 678: | Ligne 719: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
protocol imap { | protocol imap { | ||
Ligne 685: | Ligne 726: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
protocol lmtp { | protocol lmtp { | ||
Ligne 693: | Ligne 734: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
protocols = $protocols sieve | protocols = $protocols sieve | ||
Ligne 718: | Ligne 759: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
protocol pop3 { | protocol pop3 { | ||
Ligne 725: | Ligne 766: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
plugin { | plugin { | ||
Ligne 733: | Ligne 774: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
plugin { | plugin { | ||
Ligne 749: | Ligne 790: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
plugin { | plugin { | ||
Ligne 770: | Ligne 811: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
plugin { | plugin { | ||
Ligne 776: | Ligne 817: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
passdb { | passdb { | ||
Ligne 787: | Ligne 828: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
passdb { | passdb { | ||
Ligne 796: | Ligne 837: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
passdb { | passdb { | ||
Ligne 808: | Ligne 849: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
passdb { | passdb { | ||
Ligne 818: | Ligne 859: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
passdb { | passdb { | ||
Ligne 830: | Ligne 871: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
passdb { | passdb { | ||
Ligne 842: | Ligne 883: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
passdb { | passdb { | ||
Ligne 852: | Ligne 893: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
passdb { | passdb { | ||
Ligne 864: | Ligne 905: | ||
</ | </ | ||
- | Les autres fichiers utiles tels / | + | ==== 4.2. Gestion de la db ==== |
+ | Les autres fichiers utiles tels ==>/ | ||
< | < | ||
default_pass_scheme = MD5 | default_pass_scheme = MD5 | ||
Ligne 888: | Ligne 930: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
connect = host=127.0.0.1 dbname=DB user=USER password=PWD | connect = host=127.0.0.1 dbname=DB user=USER password=PWD | ||
Ligne 914: | Ligne 956: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
driver = mysql | driver = mysql | ||
Ligne 924: | Ligne 966: | ||
</ | </ | ||
+ | ==== 4.3. scripts utiles ==== | ||
Il faut aussi des scripts utiles: | Il faut aussi des scripts utiles: | ||
- | / | + | ==>/ |
< | < | ||
#!/bin/sh | #!/bin/sh | ||
Ligne 938: | Ligne 981: | ||
</ | </ | ||
- | / | + | ==>/ |
< | < | ||
#!/bin/sh | #!/bin/sh | ||
Ligne 950: | Ligne 993: | ||
EOF | EOF | ||
</ | </ | ||
+ | |||
+ | ==== 4.4 antispam ==== | ||
+ | Pour l' | ||
+ | ==>/ | ||
+ | < | ||
+ | require [" | ||
+ | |||
+ | if environment :matches " | ||
+ | set " | ||
+ | } | ||
+ | |||
+ | if string " | ||
+ | stop; | ||
+ | } | ||
+ | |||
+ | if environment :matches " | ||
+ | set " | ||
+ | } | ||
+ | |||
+ | pipe :copy " | ||
+ | </ | ||
+ | |||
+ | ==>/ | ||
+ | < | ||
+ | require [" | ||
+ | |||
+ | if environment :matches " | ||
+ | set " | ||
+ | } | ||
+ | |||
+ | pipe :copy " | ||
+ | </ | ||
+ | |||
+ | ==>/ | ||
+ | < | ||
+ | #!/bin/bash | ||
+ | |||
+ | # rspamd client reads piped ham message from the standard input | ||
+ | exec / | ||
+ | </ | ||
+ | |||
+ | ==>/ | ||
+ | < | ||
+ | #!/bin/bash | ||
+ | |||
+ | # rspamd client reads piped spam message from the standard input | ||
+ | exec / | ||
+ | </ | ||
+ | |||
+ | ===== 5. nginx et uwsgi ===== | ||
+ | ==== 5.1. configuration du domaine principal ==== | ||
+ | Le domaine principal mail.domaine.tld sera configuré de cette façon: | ||
+ | < | ||
+ | server { | ||
+ | listen 80; | ||
+ | # listen [::]:80 ipv6only=on; | ||
+ | root / | ||
+ | |||
+ | # Make site accessible from http:// | ||
+ | server_name mail.domaine.tld localhost; | ||
+ | |||
+ | if ($ssl_protocol = "" | ||
+ | rewrite ^/ | ||
+ | } | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | listen 443 ssl http2; | ||
+ | # listen [::]:443 ssl http2; | ||
+ | ssl on; | ||
+ | keepalive_timeout 70; | ||
+ | |||
+ | server_name mail.domaine.tld localhost; | ||
+ | root / | ||
+ | |||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | |||
+ | access_log | ||
+ | error_log / | ||
+ | |||
+ | location / | ||
+ | autoindex on; | ||
+ | alias / | ||
+ | } | ||
+ | |||
+ | # Whether or not Modoboa uses a media directory depends on how | ||
+ | # you configured Modoboa. It does not hurt to have this. | ||
+ | location /media/ { | ||
+ | autoindex on; | ||
+ | alias / | ||
+ | } | ||
+ | |||
+ | # This denies access to any file that begins with | ||
+ | # " | ||
+ | # Modoboa installed from scratch would not contain any such | ||
+ | # files, but you never know what the future holds. | ||
+ | location ~ /\.ht { | ||
+ | deny all; | ||
+ | } | ||
+ | |||
+ | location / { | ||
+ | include uwsgi_params; | ||
+ | uwsgi_pass unix:/ | ||
+ | uwsgi_param UWSGI_SCRIPT instance.wsgi: | ||
+ | uwsgi_param UWSGI_SCHEME https; | ||
+ | } | ||
+ | |||
+ | location /rspamd/ { | ||
+ | proxy_pass | ||
+ | proxy_set_header Host $host; | ||
+ | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==== 5.2. uwsgi ==== | ||
+ | et le fichier nécessaire pour uwsgi (à adapter à votre utilisation): | ||
+ | < | ||
+ | [uwsgi] | ||
+ | plugins = python | ||
+ | chdir = / | ||
+ | venv = / | ||
+ | module = < | ||
+ | master = true | ||
+ | harakiri = 60 | ||
+ | processes = 2 | ||
+ | vhost = true | ||
+ | no-default-app = true | ||
+ | </ | ||
+ | |||
+ | Je précise qu'il faudra modifier la configuration TLS par défaut de nginx que je trouve trop lâche mais je vous laisse faire vos choix. | ||
+ | |||
+ | ===== 6. Rspamd ===== | ||
+ | ==== 6.1. Configuration ==== | ||
+ | Les fichiers de configuration de rspamd ne doivent pas être modifiés, il faut soit les compléter (dossier local.d) ou les remplacer (override.d), | ||
+ | ==>/ | ||
+ | < | ||
+ | worker " | ||
+ | count = 1; | ||
+ | } | ||
+ | |||
+ | multimap { | ||
+ | # ip - matches source IP of message (radix map) | ||
+ | # from - matches envelope from (or header From if envelope from is absent) | ||
+ | # rcpt - matches any of envelope rcpt or header To if envelope info is missing | ||
+ | # header - matches any header specified (must have header = " | ||
+ | # dnsbl - matches source IP against some DNS blacklist (consider using RBL module for this) | ||
+ | local_bl_ip { type = " | ||
+ | local_bl_from { type = " | ||
+ | local_bl_rcpt { type = " | ||
+ | local_wl_ip { type = " | ||
+ | local_wl_from { type = " | ||
+ | local_wl_rcpt { type = " | ||
+ | } | ||
+ | |||
+ | metric { | ||
+ | name = " | ||
+ | group { | ||
+ | name = " | ||
+ | symbol { | ||
+ | weight = 3; | ||
+ | description = " | ||
+ | name = " | ||
+ | } | ||
+ | symbol { | ||
+ | weight = 3; | ||
+ | description = " | ||
+ | name = " | ||
+ | } | ||
+ | symbol { | ||
+ | weight = 3; | ||
+ | description = " | ||
+ | name = " | ||
+ | } | ||
+ | symbol { | ||
+ | weight = -10; | ||
+ | description = " | ||
+ | name = " | ||
+ | } | ||
+ | symbol { | ||
+ | weight = -5; | ||
+ | description = " | ||
+ | name = " | ||
+ | } | ||
+ | symbol { | ||
+ | weight = -5; | ||
+ | description = " | ||
+ | name = " | ||
+ | } | ||
+ | } | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | |||
+ | Les fichiers créés pour l' | ||
+ | ==> / | ||
+ | < | ||
+ | # multiple scanners could be checked, for each we create a configuration block with an arbitrary name | ||
+ | clamav { | ||
+ | enabled = true; | ||
+ | # If set force this action if any virus is found (default unset: no action is forced) | ||
+ | action = " | ||
+ | # if `true` only messages with non-image attachments will be checked (default true) | ||
+ | attachments_only = false; | ||
+ | # If `max_size` is set, messages > n bytes in size are not scanned | ||
+ | #max_size = 20000000; | ||
+ | # symbol to add (add it to metric if you want non-zero weight) | ||
+ | symbol = " | ||
+ | # type of scanner: " | ||
+ | type = " | ||
+ | # If set true, log message is emitted for clean messages | ||
+ | #log_clean = false; | ||
+ | # For " | ||
+ | #product_id = 12345; | ||
+ | # For " | ||
+ | log_clean = true; | ||
+ | # servers to query (if port is unspecified, | ||
+ | # can be specified multiple times to pool servers | ||
+ | # can be set to a path to a unix socket | ||
+ | servers = " | ||
+ | # if `patterns` is specified virus name will be matched against provided regexes and the related | ||
+ | # symbol will be yielded if a match is found. If no match is found, default symbol is yielded. | ||
+ | patterns { | ||
+ | # symbol_name = " | ||
+ | JUST_EICAR = " | ||
+ | } | ||
+ | # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned. | ||
+ | #whitelist = "/ | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # local.d/ | ||
+ | |||
+ | # If false, messages with empty envelope from are not signed | ||
+ | allow_envfrom_empty = false; | ||
+ | # If true, envelope/ | ||
+ | allow_hdrfrom_mismatch = false; | ||
+ | # If true, multiple from headers are allowed (but only first is used) | ||
+ | allow_hdrfrom_multiple = true; | ||
+ | # If true, username does not need to contain matching domain | ||
+ | allow_username_mismatch = true; | ||
+ | # If false, messages from authenticated users are not selected for signing | ||
+ | auth_only = true; | ||
+ | # Default path to key, can include ' | ||
+ | path = "/ | ||
+ | # Default selector to use | ||
+ | selector = " | ||
+ | # If false, messages from local networks are not selected for signing | ||
+ | sign_local = true; | ||
+ | # Symbol to add when message is signed | ||
+ | symbol_signed = " | ||
+ | # Whether to fallback to global config | ||
+ | try_fallback = true; | ||
+ | # Domain to use for ARC signing: can be " | ||
+ | use_domain = " | ||
+ | # Whether to normalise domains to eSLD | ||
+ | use_esld = false; | ||
+ | # Whether to get keys from Redis | ||
+ | use_redis = false; | ||
+ | # Hash for ARC keys in Redis | ||
+ | key_prefix = " | ||
+ | # map of domains -> names of selectors (since rspamd 1.5.3) | ||
+ | # | ||
+ | # map of domains -> paths to keys (since rspamd 1.5.3) | ||
+ | #path_map = "/ | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | servers = " | ||
+ | backend = " | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # If false, messages with empty envelope from are not signed | ||
+ | allow_envfrom_empty = true; | ||
+ | |||
+ | # If true, envelope/ | ||
+ | allow_hdrfrom_mismatch = false; | ||
+ | |||
+ | # If true, multiple from headers are allowed (but only first is used) | ||
+ | allow_hdrfrom_multiple = true; | ||
+ | |||
+ | # If true, username does not need to contain matching domain | ||
+ | allow_username_mismatch = true; | ||
+ | |||
+ | # If false, messages from authenticated users are not selected for signing | ||
+ | auth_only = true; | ||
+ | |||
+ | # Default path to key, can include ' | ||
+ | path = "/ | ||
+ | |||
+ | # Default selector to use | ||
+ | selector = " | ||
+ | |||
+ | # If false, messages from local networks are not selected for signing | ||
+ | sign_local = true; | ||
+ | |||
+ | # Map file of IP addresses/ | ||
+ | # sign_networks = "/ | ||
+ | |||
+ | # Symbol to add when message is signed | ||
+ | symbol = " | ||
+ | |||
+ | # Whether to fallback to global config | ||
+ | try_fallback = true; | ||
+ | |||
+ | # Domain to use for DKIM signing: can be " | ||
+ | use_domain = " | ||
+ | |||
+ | # Domain to use for DKIM signing when sender is in sign_networks (" | ||
+ | # | ||
+ | |||
+ | # Domain to use for DKIM signing when sender is a local IP (" | ||
+ | # | ||
+ | |||
+ | # Whether to normalise domains to eSLD | ||
+ | use_esld = falsee; | ||
+ | |||
+ | # Whether to get keys from Redis | ||
+ | use_redis = false; | ||
+ | |||
+ | # Hash for DKIM keys in Redis | ||
+ | key_prefix = " | ||
+ | |||
+ | # map of domains -> names of selectors (since rspamd 1.5.3) | ||
+ | # | ||
+ | |||
+ | # map of domains -> paths to keys (since rspamd 1.5.3) | ||
+ | #path_map = "/ | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | dmarc { | ||
+ | # Enables storing reporting information to redis | ||
+ | reporting = true; | ||
+ | # If Redis server is not configured below, settings from redis {} will be used | ||
+ | #servers = " | ||
+ | # Alternatively set read_servers / write_servers to split reads and writes | ||
+ | # To set custom prefix for redis keys: | ||
+ | # | ||
+ | # Actions to enforce based on DMARC disposition (empty by default) | ||
+ | actions = { | ||
+ | quarantine = " | ||
+ | reject = " | ||
+ | } | ||
+ | # Ignore " | ||
+ | # no_sampling_domains = "/ | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | servers = " | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | greylist { | ||
+ | servers = " | ||
+ | # | ||
+ | # | ||
+ | # ] | ||
+ | # | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # Whitelist for greylist | ||
+ | debian.org | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | ip_score { | ||
+ | # servers = " | ||
+ | # threshold = 100; | ||
+ | # reject_score = 3; | ||
+ | # no_action_score = -2; | ||
+ | # add_header_score = 1; | ||
+ | # whitelist = " | ||
+ | # how each action is treated in scoring | ||
+ | actions { | ||
+ | reject = 1.0; | ||
+ | "add header" | ||
+ | " | ||
+ | "no action" | ||
+ | } | ||
+ | # how each component is evaluated | ||
+ | scores { | ||
+ | asn = 0.5; | ||
+ | country = 0.1; | ||
+ | ipnet = 0.8; | ||
+ | ip = 1.0; | ||
+ | } | ||
+ | # prefix for asn hashes | ||
+ | asn_prefix = " | ||
+ | # prefix for country hashes | ||
+ | country_prefix = " | ||
+ | # hash table in redis used for storing scores | ||
+ | hash = " | ||
+ | # prefix for subnet hashes | ||
+ | ipnet_prefix = " | ||
+ | # minimum number of messages to be scored | ||
+ | lower_bound = 10; | ||
+ | # the metric to score (usually " | ||
+ | metric = " | ||
+ | # upper and lower bounds at which to cap total score | ||
+ | #max_score = 10; | ||
+ | #min_score = -5; | ||
+ | # Amount to divide subscores by before applying tanh | ||
+ | score_divisor = 10; | ||
+ | # list of servers (or configure redis globally) | ||
+ | #servers = " | ||
+ | # symbol to be inserted | ||
+ | symbol = " | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # A remplir | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # A remplir | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # A remplir | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # A remplir | ||
+ | debian.org | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # A remplir | ||
+ | ::1 | ||
+ | 127.0.0.1 | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # A remplir | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | actions { | ||
+ | reject = 20; | ||
+ | # soft_reject = 15; | ||
+ | rewrite_subject = 8; | ||
+ | add_header = 6; | ||
+ | greylist = 4; | ||
+ | } | ||
+ | |||
+ | subject = "*** SPAM *** %s"; | ||
+ | |||
+ | symbol " | ||
+ | score = 1.0; | ||
+ | description = "No connectable MX"; | ||
+ | one_shot = " | ||
+ | } | ||
+ | |||
+ | symbol " | ||
+ | score = 2.0; | ||
+ | description = "No MX record"; | ||
+ | one_shot = " | ||
+ | } | ||
+ | |||
+ | symbol " | ||
+ | score = -0.5; | ||
+ | description = "MX was ok"; | ||
+ | one_shot = " | ||
+ | } | ||
+ | |||
+ | symbol " | ||
+ | weight = 2.0; | ||
+ | description = "IP reputation"; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | use = [" | ||
+ | |||
+ | skip_local = false; | ||
+ | skip_authenticated = true; | ||
+ | extended_spam_headers = true; | ||
+ | |||
+ | routines { | ||
+ | spam-header { | ||
+ | header = " | ||
+ | remove = 1; | ||
+ | value = " | ||
+ | } | ||
+ | x-spam-level { | ||
+ | header = " | ||
+ | remove = 1; | ||
+ | char = " | ||
+ | } | ||
+ | x-spam-status { | ||
+ | header = " | ||
+ | remove = 1; | ||
+ | } | ||
+ | x-virus { | ||
+ | header = " | ||
+ | remove = 1; | ||
+ | symbols = [" | ||
+ | } | ||
+ | authentication-results { | ||
+ | header = " | ||
+ | remove = 1; | ||
+ | spf_symbols { | ||
+ | pass = " | ||
+ | fail = " | ||
+ | softfail = " | ||
+ | neutral = " | ||
+ | temperror = " | ||
+ | none = " | ||
+ | permerror = " | ||
+ | } | ||
+ | dkim_symbols { | ||
+ | pass = " | ||
+ | fail = " | ||
+ | temperror = " | ||
+ | none = " | ||
+ | permerror = " | ||
+ | } | ||
+ | dmarc_symbols { | ||
+ | pass = " | ||
+ | permerror = " | ||
+ | temperror = " | ||
+ | none = " | ||
+ | reject = " | ||
+ | softfail = " | ||
+ | quarantine = " | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | # Extensions that are treated as ' | ||
+ | # Number is score multiply factor | ||
+ | bad_extensions = { | ||
+ | scr = 4, | ||
+ | lnk = 4, | ||
+ | exe = 1, | ||
+ | jar = 2, | ||
+ | com = 4, | ||
+ | bat = 4, | ||
+ | ace = 4, | ||
+ | arj = 4, | ||
+ | cab = 3, | ||
+ | }; | ||
+ | |||
+ | # Extensions that are particularly penalized for archives | ||
+ | bad_archive_extensions = { | ||
+ | pptx = 0.5, | ||
+ | docx = 0.5, | ||
+ | xlsx = 0.5, | ||
+ | pdf = 1.0, | ||
+ | jar = 3, | ||
+ | js = 0.5, | ||
+ | vbs = 7, | ||
+ | }; | ||
+ | |||
+ | # Used to detect another archive in archive | ||
+ | archive_extensions = { | ||
+ | zip = 1, | ||
+ | arj = 1, | ||
+ | rar = 1, | ||
+ | ace = 1, | ||
+ | 7z = 1, | ||
+ | cab = 1, | ||
+ | }; | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | enabled = true; | ||
+ | timeout = 1.0; | ||
+ | symbol_bad_mx = " | ||
+ | symbol_no_mx = " | ||
+ | symbol_good_mx = " | ||
+ | expire = 86400; | ||
+ | expire_novalid = 7200; | ||
+ | greylist_invalid = false; | ||
+ | key_prefix = " | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | map_watch_interval = 1min; | ||
+ | dns { | ||
+ | enable_dnssec = true; | ||
+ | timeout = 4s; | ||
+ | retransmits = 5; | ||
+ | nameserver = " | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | rates { | ||
+ | # Limit for all mail per recipient (rate 2 per minute) | ||
+ | to = "2 / 1m"; | ||
+ | # Limit for all mail per one source ip (rate 3 per minute) | ||
+ | to_ip = "3 / 1m"; | ||
+ | # Limit for all mail per one source ip and from address (rate 2 per minute) | ||
+ | to_ip_from = "2 / 1m"; | ||
+ | # Limit for all bounce mail (rate 2 per hour) | ||
+ | bounce_to = "2 / 1h"; | ||
+ | # Limit for bounce mail per one source ip (rate 1 per hour) | ||
+ | bounce_to_ip = "1 / 1h"; | ||
+ | # Limit for all mail per authenticated user (rate 2 per minute) | ||
+ | user = "2 / 1m"; | ||
+ | } | ||
+ | |||
+ | whitelisted_rcpts = " | ||
+ | max_rcpt = 5; | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | servers = " | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | classifier " | ||
+ | tokenizer { | ||
+ | name = " | ||
+ | } | ||
+ | |||
+ | backend = " | ||
+ | servers = " | ||
+ | min_tokens = 11; | ||
+ | min_learns = 10; | ||
+ | autolearn = true; | ||
+ | |||
+ | per_user = <<EOD | ||
+ | return function(task) | ||
+ | local rcpt = task: | ||
+ | |||
+ | if rcpt then | ||
+ | one_rcpt = rcpt[1] | ||
+ | if one_rcpt[' | ||
+ | return one_rcpt[' | ||
+ | end | ||
+ | end | ||
+ | |||
+ | return nil | ||
+ | end | ||
+ | EOD | ||
+ | |||
+ | statfile { | ||
+ | symbol = " | ||
+ | spam = false; | ||
+ | } | ||
+ | statfile { | ||
+ | symbol = " | ||
+ | spam = true; | ||
+ | } | ||
+ | learn_condition =<< | ||
+ | return function(task, | ||
+ | local prob = task: | ||
+ | |||
+ | if prob then | ||
+ | local in_class = false | ||
+ | local cl | ||
+ | if is_spam then | ||
+ | cl = ' | ||
+ | in_class = prob >= 0.95 | ||
+ | else | ||
+ | cl = ' | ||
+ | in_class = prob <= 0.05 | ||
+ | end | ||
+ | |||
+ | if in_class then | ||
+ | return false, | ||
+ | cl, math.abs((prob - 0.5) * 200.0)) | ||
+ | end | ||
+ | end | ||
+ | |||
+ | return true | ||
+ | end | ||
+ | EOD | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==> / | ||
+ | < | ||
+ | password = " | ||
+ | enable_password = " | ||
+ | </ | ||
+ | q1 et q2 sont les mots de passe à modifier. | ||
+ | |||
+ | ==== 6.2. Commandes utiles ==== | ||
+ | Changer les mots de passe q1 et q2: | ||
+ | < | ||
+ | rspamadm pw | ||
+ | </ | ||
+ | |||
+ | Générer une clef privée qui doit être absolument être lisible par l' | ||
+ | < | ||
+ | rspamadm dkim_keygen -s ' | ||
+ | </ | ||
+ | avec l' |
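Review bot: `use_esld = falsee;` in the newly added local.d/dkim_signing.conf block (section 6.1) is not a valid boolean, so whatever the UCL parser makes of the token, the option does not carry the intended value; the arc.conf block added just above it has the correct form, and the line should read `use_esld = false;`. In the nginx server block added in 5.1, the two `location` entries that `alias` the static and media directories also enable `autoindex on;`, which exposes a browsable listing of everything deployed under those paths to any client; unless browsing is wanted, those lines should be removed or set to `autoindex off;`. The same nginx block proxies `/rspamd/` to the controller worker, whose `password`/`enable_password` are the q1/q2 placeholders from the worker-controller.inc hunk; it may be worth saying explicitly, next to that hunk, that both values must be the hashes produced by `rspamadm pw` rather than the plaintext passwords.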