opensmtpd for the real world - bsdcan mail server tutorial · 2017-06-07wed aaronpoffenberger...
TRANSCRIPT
![Page 1: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/1.jpg)
OpenSMTPD for the Real WorldBSDCan – Mail Server Tutorial
Aaron Poffenberger
2017-06-07 Wed
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 1 / 46
![Page 2: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/2.jpg)
Outline
1 Introduction2 Tutorial Goals and Prerequisites3 OpenSMTPD4 PF5 SPF_Fetch6 BGP-Spamd7 Amavisd Overview8 ClamAV9 DKIMProxy10 Dovecot11 SpamAssassin12 Conclusion13 Resources
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 2 / 46
![Page 3: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/3.jpg)
Introduction – Background
Software developer30+ years19+ years professionallySecurity software developerDesign and implementsecure APIsConsulting
IT BackgroundBoeingISP (dial-up land)ConsultingDevOps
Software DevelopmentExperience
ExxonMobilBRS Labs/Giant GrayTheAnimeNetwork.comNetIQPentaSafe Technologies
InfoSecSoftware vulnerabilityassessmentAuditingCISSP 2005+US Army
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 3 / 46
![Page 4: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/4.jpg)
Introduction – Other
OpenBSD userAmateur radio enthusiastElectronics hobbyist
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 4 / 46
![Page 5: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/5.jpg)
Introduction – You
Enough about me, let’s talk about you. . .Who runs:
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to:Debian GNU/kFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 5 / 46
![Page 6: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/6.jpg)
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient, source,sender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin, ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 6 / 46
![Page 7: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/7.jpg)
Tutorial Goals
Use a database with OpenSMTPD and Dovecot for managingvirtual usersSign Outbound Email with DKIMProxyDeliver mail to DovecotTroubleshoot smtpd issues using smtpd’s syntax checker, logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 7 / 46
![Page 8: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/8.jpg)
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS ;-)N.B. - If you brought a Linux box to the tutorial you will beheckled ;-)
Amavisd (amavisd-new)ClamAVDKIMProxyDovecotmail/mailxOpenSMTPDOpenSSL/LibreSSLSpamAssasin
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 8 / 46
![Page 9: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/9.jpg)
Tutorial Prerequisites
SpamdSQLite3Optional but Recommended:
OpenBGPD
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 9 / 46
![Page 10: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/10.jpg)
OpenSMPTD Overview
Current version: 6.0.2, released 2016-10-13man smtpd(8):
History: The smtpd program first appeared in OpenBSD 4.6.
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by:
Gilles Chehade, Eric Faurot, Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on:
NetBSD, FreeBSD, DragonFlyBSD, Mac OS X, Linux
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 10 / 46
![Page 11: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/11.jpg)
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCsIt’s a good ideaSpammers don’t . . . extra layer of protection
If you’re trying a manual process (e.g., sending mail manuallyvia telnet) and it fails, you’re probably doing it incorrectly. E.g.:
Correct: rcpt to:<user@domain>Incorrect: rcpt to:user@domainIncorrect: rcpt to: <user@domain>Incorrect: rcpt to: user@domain
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 11 / 46
![Page 12: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/12.jpg)
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbaseRefer to example in etc/mail/smtpd.conf
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 12 / 46
![Page 13: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/13.jpg)
Important Keywords - Macros
Expanded in contextNames must start with a letter, digit, or underscore, and maycontain any of those charactersMay not be reserved wordsN.B. - Macros are not expanded within quotation marks!
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 13 / 46
![Page 14: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/14.jpg)
Important Keywords - table
Use to provide additional configuration information:Lists or key-value mappings
Types: db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 14 / 46
![Page 15: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/15.jpg)
Important Keywords - pki
Several uses for this keyword:Specify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 15 / 46
![Page 16: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/16.jpg)
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify:
hostname to present in the greeting bannerdefault is server name or name in ${ETC}/mail/mailname
porttls/ssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 16 / 46
![Page 17: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/17.jpg)
Negate [!]
! negates the sense of the ruleShown as [!] in man pages and tutorial where optional
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 17 / 46
![Page 18: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/18.jpg)
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation:
tagged [!] tag-name: tag applied as part of client session fromany: match allfrom [!] local: match only local connections (default, notnecessary)from [!] source <table>: match connections from clients whoseaddress is declared in the specified tablesender [!] <senders>: match senders email address found intable senders. Address may specify entire domain with @:@example.org
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 18 / 46
![Page 19: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/19.jpg)
Important Keywords - accept|reject
Criteria for evaluation:for any [alias <aliases>]: Match regardless of the domain sentto. If an alias table is specified, lookup alternative destinationfor all addresses.for any virtual <vmap>: match regardless of domain sent to,lookup virtual-domain mapping in table vmap.for [!] domain domain [alias <aliases>]: Match based onspecified domain. If an alias table is specified, lookup alternativedestination for all addresses.for [!] domain <domain> [alias <aliases>]: Match based ondomains specified table domain. If an alias table is specified,lookup alternative destination for all addresses.
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 19 / 46
![Page 20: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/20.jpg)
Important Keywords - accept|reject
Criteria for evaluation:virtual <users> may be used with each of the above rather thanalias <aliases>.recipient [!] <recipients>: Match only if the recipient’s emailaddress is found table recipients.[userbase <table>]: Look-up users in table table instead oflooking users up using getpwnam(3).
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 20 / 46
![Page 21: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/21.jpg)
Important Keywords - deliver
Specify where the mail is to be delivered.deliver to lmtp [host:port | socket] [rcpt-to] [as user]: Delivermail via lmtp protocol.
lmtp - queue-less version of SMTP protocol. Useful for sendingto MDAs or filter applications like amavisd.
deliver to maildir [path]: Deliver to maildir directory. Default is~/Maildir.delivery to mbox: Deliver mail to system mailbox in /var/mail.deliver to mda program [as user]: Pipe mail to specifiedprogram. Optionally run mda as specified user.
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 21 / 46
![Page 22: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/22.jpg)
OpenSMTPD Configuration
man smtpd.conf(5)Simple, English-like syntax very similar to PF and otherOpenBSD-projectsTypical ${ETC}/mail/smtpd.confMay reference other configuration files
include "/etc/mail/smtpd.conf.local"
See example in etc/mail/smtpd.conf in tarball
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 22 / 46
![Page 23: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/23.jpg)
PF Overview
man pf(4)History: The pf packet filtering mechanism first appeared inOpenBSD 3.0.
Packet Filter (PF) is OpenBSD’s system for filtering TCP/IPtraffic and doing Network Address Translation. PF is alsocapable of normalizing and conditioning TCP/IP traffic, as wellas providing bandwidth control and packet prioritization.Originally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD team.Ported to:
FreeBSD (somewhat incompatible now), NetBSD, Mac OS XOracle (seriously . . . and doing really good work on SMP!)
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 23 / 46
![Page 24: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/24.jpg)
PF Configuration
Need to add a few rulesSee rules subset in etc/pf.conf in tarball
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 24 / 46
![Page 25: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/25.jpg)
SPF_Fetch
Find outbound mailers for domains by recursively searching theirDNS SPF recordsWritten by Aaron PoffenbergerTwo scripts: spf_fetch and spf_update_pfsp_fetch
Recursively finds SPF records for domains in file parameterspf_update_pf
Automates process of adding to pfPipes ‘spf_fetch ${ETC}/mail/common_domains‘ tocommon_domains_whiteLoads ${ETC}/mail/common_domains_white into<common_white> table in PF
See git repo in spf_fetch in tarballSee crontab sample in cronjobs in tarballAaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 25 / 46
![Page 26: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/26.jpg)
SPF_Fetch - Coming Soon
Scan log for outbound email connectionsIPV6 supportWatch https://github.com/akpoff/spf_fetch for updates
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 26 / 46
![Page 27: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/27.jpg)
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocol.BGP: purpose is to exchange information concerning "networkreachability" with other BGP systems.Project run by Peter Hessler (phessler@ OpenBSD)Receives blacklist and whitelist data from several sources,including Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 27 / 46
![Page 28: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/28.jpg)
BGP-Spamd - Configuration
${ETC}/bgpd.confSelect a private AS id (autonomous system): default == 65001Un-comment a neighbor close to youAdd pass rule to ${ETC}/pf.confSee rules subset in etc/pf.conf in tarball
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 28 / 46
![Page 29: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/29.jpg)
BGP-Spamd - Configuration
Add source to ${ETC}/mail/spamd.confSee bgp-spamd/bgp-spamd.black.sh in tarbarllSee example in etc/mail/spamd.conf in tarball
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 29 / 46
![Page 30: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/30.jpg)
BGP-Spamd Cron Job
Add line to root crontabSee crontab sample in cronjobs in tarball
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 30 / 46
![Page 31: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/31.jpg)
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers: virus scanners, and/orSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question: How do I ensure my mail isn’t lostwhile it’s in the LMTP receiver?Several solutions possible. Amavisd does not return success tothe caller until it has delivered the mail to the next hop.https://www.ijs.si/software/amavisd/#sec-loss
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 31 / 46
![Page 32: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/32.jpg)
Amavisd - Configuration
Amavisd configuration file is a dog’s breakfastFortunately, just a few changes are necessary
Lots of optional dials and knobs
See example in etc/amavisd.conf in tarball
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 32 / 46
![Page 33: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/33.jpg)
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojans,viruses, malware & other malicious threats.Runs as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 33 / 46
![Page 34: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/34.jpg)
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etc/clamd.conf in tarballSee example in etc/freshclam.conf in tarballN.B. - Must comment out word "Example" near top of file!
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 34 / 46
![Page 35: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/35.jpg)
DKIMProxy - Overview
Perl module that implements the new Domain Keys IdentifiedMail (DKIM) standardCan sign and verify emails using digital signatures and DNSrecordsAlso an SMTP-proxy that signs and/or verifies emails
Designed for Postfix but works with any MTA that supportsLMTP
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 35 / 46
![Page 36: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/36.jpg)
DKIMProxy_in - Verify
Option to handle in AmavisdCould enable DKIMProxy_in, but why?Amavisd already orchestrates email validation
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 36 / 46
![Page 37: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/37.jpg)
DKIMProxy_out - Sign
Generate TLS signing keyopenssl genrsa -out private/dkim_exmple.org.key 4096chmod 400 private/dkim_exmple.org.keyEnsure daemon user for dkimproxy_out has access to private key
Get public key from privateopenssl rsa -in private/dkim_example.org.key
Update DNS records to add public keySee var/nsd/etc/db.example.org
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 37 / 46
![Page 38: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/38.jpg)
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinux/UNIX-like systems, written with security primarily in mind.High performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 38 / 46
![Page 39: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/39.jpg)
Dovecot - Configuration
Very easy to configureEdit file ${ETC}/dovecot/local.conf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etc/dovecot/local.conf in tarballSee example in etc/dovecot/passwd in tarball
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 39 / 46
![Page 40: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/40.jpg)
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis, Bayesianfiltering, DNS blocklists, and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 40 / 46
![Page 41: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/41.jpg)
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably, the option: trusted_networksNot critical, but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 41 / 46
![Page 42: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/42.jpg)
Conclusion
You have questions, I may have answers
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 42 / 46
![Page 43: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/43.jpg)
Contact Details
Aaron [email protected]://akpoff.com@akpoffThis presentation, look for blog post on http://akpoff.comKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 43 / 46
![Page 44: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/44.jpg)
Support OpenBSD
Support OpenBSDhttp://www.openbsdfoundation.org/
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 44 / 46
![Page 45: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/45.jpg)
Resources
N.B. - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDKIMProxy
DKIM Tutorial
DovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 45 / 46
![Page 46: OpenSMTPD for the Real World - BSDCan Mail Server Tutorial · 2017-06-07Wed AaronPoffenberger OpenSMTPDfortheRealWorld 2017-06-07Wed 1/46. Outline 1 Introduction 2 TutorialGoalsandPrerequisites](https://reader034.vdocument.in/reader034/viewer/2022042919/5f63bab4eca1fb0f4e331e8b/html5/thumbnails/46.jpg)
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD, PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World 2017-06-07 Wed 46 / 46