Protecting with Amavis/Clamav/SpamAssassin
step 7
Finally we can add a layer of antivirus and spam protection to our postfix email server using the best tools available in the open source community: amavis, ClamAV and SpamAssassin.
Amavis is the main content filter that postfix uses. Once an email enters the postfix queue, it is handed to the amavis daemon, which is responsible for calling SpamAssassin and ClamAV to check for spam and viruses respectively.
The postfix redirection to the amavis content filter is performed by the content_filter line in the postfix configuration file main.cf.
That line tells postfix to hand every message to a transport named smtp-amavis (a unix-domain service defined in master.cf) which connects to the loopback address 127.0.0.1 (the same machine) on port 10024. This is the port the amavisd-new daemon is already listening on.
With this configuration postfix will redirect all incoming mail to the amavis daemon.
These postfix services are defined in the master.cf file by the following entries:
    smtp-amavis unix -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20
    127.0.0.1:10025 inet n   -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
The first entry defines the smtp-amavis transport through which postfix delivers mail to the amavis daemon listening on port 10024. The second entry defines an smtpd listener on port 10025 through which amavis re-injects the checked mail into the postfix queue.
The -o options attached to the command (last field) in these entries override the postfix configuration parameters defined in main.cf. For example, the content_filter parameter is cleared on the re-injection listener to prevent an infinite loop: postfix->amavis->postfix->amavis->... Note that the values of -o options must not contain spaces; use commas to separate list items.
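The two properties that make the re-injection listener safe (an empty content_filter so mail cannot loop, and client restrictions limited to the loopback network so nothing else on the LAN can feed Postfix mail that skips amavis) are easy to verify mechanically. The following is an added example, not code from the original article: a small master.cf parser run over a constructed copy of the entries above.

```python
"""Check the amavis plumbing in master.cf for two classic mistakes.  Added example,
not from the original article: the port-10025 re-injection smtpd must have
content_filter cleared (else mail loops postfix->amavis->postfix) and must accept
only loopback clients (else anyone on the LAN can hand Postfix mail that skips amavis)."""
import re

OVERRIDE = re.compile(r"-o\s+(\w+)=(\S*)")  # "-o name=value", value may be empty

# Constructed sample: the two master.cf entries discussed in the text, abridged.
# main.cf pairs them with:  content_filter = smtp-amavis:[127.0.0.1]:10024
MASTER_CF = """
smtp-amavis unix - - - - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"""

def parse_master_cf(text):
    """Return {service: {"type", "command", "overrides"}}.  A service line has 8
    columns; indented lines continue its command arguments (master.cf syntax)."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():               # new service definition
            fields = line.split()
            current = fields[0]
            services[current] = {"type": fields[1], "command": fields[7],
                                 "overrides": {}}
            line = " ".join(fields[8:])         # -o options on the same line
        for name, value in OVERRIDE.findall(line):
            services[current]["overrides"][name] = value
    return services

def reinjection_problems(services, listener="127.0.0.1:10025"):
    """List the settings on the re-injection listener that would make it unsafe."""
    o = services[listener]["overrides"]
    problems = []
    if o.get("content_filter") != "":           # absent or non-empty => mail loop
        problems.append("content_filter not cleared: mail would loop back into amavis")
    if o.get("mynetworks") != "127.0.0.0/8":
        problems.append("mynetworks is not restricted to the loopback network")
    if o.get("smtpd_client_restrictions") != "permit_mynetworks,reject":
        problems.append("clients outside mynetworks are not rejected")
    return problems
```

To check a live system, replace MASTER_CF with the contents of /etc/postfix/master.cf; an empty list from reinjection_problems means the listener matches the settings above.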
Secure POP3 with stunnel
step 6
Now that postfix is up & running, and xinetd is serving a POP3 daemon on port 110, we will open an SSL port (995) for checking email remotely, from outside the LAN. The typical desired usage is as follows:
- Inside the LAN, my desktop computer retrieves email stored on the Pi card by accessing its POP3 service on port 110. This port is closed to outside traffic, so this is a secure and simple way to retrieve emails internally.
- From outside the LAN, e.g. from my mobile phone, I access my emails using a POP3S (SSL) service, after opening port 995 for traffic and forwarding traffic on this port from my router to the Pi card. I use stunnel to wrap the internal POP3 service into a POP3S service. Please refer to the stunnel documentation.
Hence here are the steps I am taking:
- Install stunnel4 with apt-get
- Generate an SSL certificate by running:
    sudo openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
This should give you a self-signed certificate valid for 365 days, with the private key stored unencrypted (-nodes) in the same file. You can change the period of days as you like.
- Store this certificate in an appropriate directory, e.g. /etc/stunnel.
- In the same directory create a stunnel configuration file corresponding to the pop3 service. In my case I call it pop3s.conf and the relevant content is as follows:
    client = no
    chroot = /var/lib/stunnel4
    setuid = stunnel4
    setgid = stunnel4
    ; pid and output paths are interpreted relative to the chroot directory
    pid = /stunnel4.pid
    debug = 3
    output = /stunnel.log
    cert = /etc/stunnel/stunnel.pem

    [pop3s]
    accept = 995
    connect = 110
- In order for stunnel4 to be enabled, and to read the configuration files in /etc/stunnel, it is required to change the settings in the main configuration file /etc/default/stunnel4, setting ENABLED=1 (0 is the default).
- Now, after rebooting the system or restarting stunnel with:
    sudo /etc/init.d/stunnel4 restart
the stunnel4 daemon should be up and running. This can be tested with
    ps -e | grep stunnel
which should result in a bunch of process-ids dedicated to this service.
- Check that there is a listening port at 995 with
    netstat -aln | grep 995
or telnet into it from another PC on the LAN:
    telnet raspberrypi 995
- Finally make sure that port 995 is open from outside and that your router forwards communication through this port to your Pi card. I verify the functioning of my POP3S service from my Android phone using an SSL client on the phone. Typically for the first connection I need to accept the self-signed certificate sent from the Pi card. This is a good sign that all is up & running.
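Accepting the self-signed certificate on first use only proves that something answered on port 995; to know it was the Pi you compare the fingerprint of the presented certificate with the one in stunnel.pem. The following is an added example, not code from the original article; the host name raspberrypi and the path /etc/stunnel/stunnel.pem are taken from the text as assumptions.

```python
"""Pin the POP3S certificate instead of accepting whatever is presented on first use.
Added example, not from the original article: it compares the SHA-256 fingerprint of
the certificate stunnel presents on port 995 with the certificate stored in
/etc/stunnel/stunnel.pem (host name and path are assumptions taken from the text).
A mismatch means the client would be trusting something other than the Pi's key."""
import hashlib
import ssl

PEM_PATH = "/etc/stunnel/stunnel.pem"   # holds both the private key and the certificate
HOST, PORT = "raspberrypi", 995

CERT_BEGIN, CERT_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def certificate_block(pem_text):
    """Return only the CERTIFICATE block of a PEM file that also contains a key."""
    start = pem_text.index(CERT_BEGIN)
    end = pem_text.index(CERT_END, start) + len(CERT_END)
    return pem_text[start:end] + "\n"


def sha256_fingerprint(pem_cert):
    """Hex SHA-256 over the DER encoding of one PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def presented_fingerprint(host, port):
    """Fingerprint of the certificate the server sends.  No CA verification is done,
    because a self-signed certificate is pinned by fingerprint instead."""
    return sha256_fingerprint(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    with open(PEM_PATH) as f:
        pinned = sha256_fingerprint(certificate_block(f.read()))
    seen = presented_fingerprint(HOST, PORT)
    print("pinned:   ", pinned)
    print("presented:", seen)
    print("MATCH" if seen == pinned else "MISMATCH: this is not the Pi's certificate")
```

Run it once from the LAN to record the pinned value, then compare it with the fingerprint the phone's mail client displays when it asks you to accept the certificate.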
Postfix and POP3 server
step 5
In this step I am testing a first version of the email server, with postfix (SMTP on port 25) and a POP3 server (on port 110) on the Pi card. You also need xinetd to host the pop3 daemon.
- Install (apt-get) the following three packages: postfix, solid-pop3d, xinetd
- Configure postfix by editing /etc/postfix/main.cf. I have applied to that file all the settings inherited from my existing postfix email server (on my main computer), including filters, blacklists and others. To understand all the configuration required, please refer to the postfix documentation.
- After installing xinetd, you can add a pop3 service by creating a file pop3 in /etc/xinetd.d with this section in it:
    service pop3
    {
        id          = pop3
        port        = 110
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        server      = /usr/sbin/solid-pop3d
        flags       = IPv4
    }
Then restart xinetd:
    sudo /etc/init.d/xinetd restart
check that pop3 is available:
    chkconfig -l
and test that port 110 is open on your local network. This can be done from another computer on your LAN by:
    telnet raspberrypi 110
- Create a new account on your system to receive emails and, if required, modify the /etc/aliases file to include rerouting from your public email address to this new account. Add an entry in that file like
    x: y
where x is the first part of my official email address (e.g. x@mydomain.com), and y is my new account login name on the Pi card. Remember to run the newaliases command to save the changes from this text file.
- Now your card should have both ports 25 and 110 open, and you can reconfigure your router to open these channels to the outside world and test sending an email from outside and retrieving it back using the POP3 server.
- Check the mail logs in /var/log to see the communication on port 25 (when an email arrives). These logs are very useful to spot wrong configuration in postfix (when restarting the postfix daemon) and other problems. I am using gnome-system-log.