Mailfilter FreeBSD Jail
Latest revision as of 22:47, 4 January 2013
Background
FreeBSD's jail(8) has some extraordinary side-effects when used in conjunction with
postfix as a mailserver. It gives you the ability to run many mailservers that are
logically separated on the same machine, in fact sharing resources like OpenBSD's spamd
and even the underlying software (including postfix, amavisd-new, etc). You can also
set this up in such a fashion as to keep separate config files for each jail. That is
the way that will be documented here.
Requirements
- FreeBSD (recommended: 6.2-RELEASE or newer)
- a full /usr/src and /usr/obj tree built already with whatever custom options in make.conf
- enough disk space for multiple installs of the OS to co-exist on the same partition(s)
- enough RAM to delegate to many running instances of child software.
- postfix (recommended: 2.3.5 or newer) (/usr/ports/mail/postfix)
- amavisd-new (recommended: 2.4.4 or newer) (/usr/ports/security/amavisd-new)
- ClamAV (recommended: 0.90 or newer) (/usr/ports/security/clamav)
- SpamAssassin (recommended: 3.1.7 or newer) (/usr/ports/mail/p5-Mail-SpamAssassin)
- And, of course.. the dependencies of all the above-mentioned software.
- You may also want an IMAP or POP3 daemon of choice. This was done with dovecot in mind.
- Keep in mind: ALL SERVICES MUST BIND TO THEIR JAIL'S IP, NOT 127.0.0.1
General Setup
I make heavy use of nullfs when deploying jails.
For instance, I have the following mounts defined per jail so far:
- /usr/local as /var/jail/domain.com/usr/local.ext
- /var/db/pkg as /var/jail/domain.com/var/db/pkg
I also use symbolic links like a madman to tie it all together, as such:
  # cd /var/jail/domain.com/usr/local
  # mkdir etc
  # ln -s ../local.ext/bin bin
  # ln -s ../local.ext/include include
  # ln -s ../local.ext/info info
  # ln -s ../local.ext/lib lib
  # ln -s ../local.ext/libdata libdata
  # ln -s ../local.ext/libexec libexec
  # ln -s ../local.ext/man man
  # ln -s ../local.ext/sbin sbin
  # ln -s ../local.ext/share share
  # ln -s ../local.ext/var var
  # ln -s ../local.ext/www www
It is important that you follow the scheme above or the links won't dereference correctly inside the jail.
This makes sure that all software installed to the host machine is available on the jail(s).
Please be aware you'll have to keep synchronizing /usr/local/etc with a reasonable copy from
the host once in a while during upgrades, etc; it will not have its own sample installed
because it isn't part of the port/package at all.
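The symlink scheme above, as an added shell example that is not part of the wiki page: it builds a jail's /usr/local with a private etc/ and relative links into ../local.ext, then checks that every link is relative and dereferences. On a real host $JAILROOT/usr/local.ext is the nullfs mount of the host's /usr/local; the demo function stands in a scratch directory for it. The function names, the JAILROOT argument and the scratch layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the wiki page's own code. Builds the per-jail /usr/local
# symlink scheme and verifies it. Assumption: $JAILROOT/usr/local.ext already
# exists (on a real host, the nullfs mount of the host's /usr/local).

# Subdirectories of the host's /usr/local exported into the jail.
LOCAL_SUBDIRS="bin include info lib libdata libexec man sbin share var www"

# setup_jail_local JAILROOT
# Creates JAILROOT/usr/local with a real etc/ and relative symlinks into
# ../local.ext, the same sequence as the hand-typed commands above.
setup_jail_local() {
    jailroot="$1"
    mkdir -p "$jailroot/usr/local" || return 1
    ( cd "$jailroot/usr/local" &&
      mkdir -p etc &&
      for d in $LOCAL_SUBDIRS; do
          # Refuse to replace a real directory (for instance a stray etc-like
          # tree) with a link; only existing links are refreshed.
          if [ -e "$d" ] && [ ! -L "$d" ]; then
              echo "refusing: $d exists and is not a symlink" >&2
              exit 1
          fi
          ln -sfn "../local.ext/$d" "$d" || exit 1
      done )
}

# verify_jail_local JAILROOT
# Returns 0 only if every link is relative (starts with ../local.ext/) and
# resolves to an existing directory, and etc/ is a real directory. A link
# written with the host's absolute path would not be the same path seen
# from inside the jail, which is why the relative form matters.
verify_jail_local() {
    jailroot="$1"
    rc=0
    for d in $LOCAL_SUBDIRS; do
        link="$jailroot/usr/local/$d"
        target=$(readlink "$link") || { echo "missing link: $d" >&2; rc=1; continue; }
        case "$target" in
            ../local.ext/*) ;;
            *) echo "not relative: $d -> $target" >&2; rc=1; continue ;;
        esac
        # -d follows the link, so a dangling link fails here.
        [ -d "$link" ] || { echo "dangling: $d -> $target" >&2; rc=1; }
    done
    [ -d "$jailroot/usr/local/etc" ] && [ ! -L "$jailroot/usr/local/etc" ] || rc=1
    return $rc
}

# demo_jail_local
# Scratch run: a constructed fake jail root with a stand-in for the nullfs
# mount, so the scheme can be tried before touching a real jail.
demo_jail_local() {
    tmp=$(mktemp -d) || return 1
    for d in $LOCAL_SUBDIRS; do mkdir -p "$tmp/usr/local.ext/$d"; done
    setup_jail_local "$tmp" && verify_jail_local "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage on a real jail (as root, after the nullfs mount is in place):
#   . ./jail-local.sh; setup_jail_local /var/jail/domain.com && verify_jail_local /var/jail/domain.com
```

verify_jail_local is the part worth keeping around: run it after every host upgrade that touches /usr/local, since a dangling link only shows up inside the jail as a missing binary.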
Postfix Setup
Config Files
main.cf
  ### local additions (2007-02-14) -- jontow@
  ### make sure to replace XXX.XXX.XXX.XXX with your jail's IP
  content_filter = amavisd-new:[XXX.XXX.XXX.XXX]:10024
master.cf
  ### local additions (2007-02-14) -- jontow@
  ### make sure to replace XXX.XXX.XXX.XXX with your jail's IP
  amavisd-new unix - - n - 2 lmtp
      -o lmtp_data_done_timeout=1200s
      -o disable_dns_lookups=yes
  # content filter re-injection
  XXX.XXX.XXX.XXX:10025 inet n - n - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=XXX.XXX.XXX.XXX/32
      -o strict_rfc821_envelopes=yes
Notes
Starting on bootup
- Add the following to /etc/rc.conf :
  postfix_enable="YES"
  sendmail_enable="NO"
  sendmail_submit_enable="NO"
  sendmail_outbound_enable="NO"
  sendmail_msp_queue_enable="NO"
Amavisd-new Setup
Config Files
amavisd.conf
- Change/add the following, once again making sure XXX.XXX.XXX.XXX is actually you:
  $mydomain = 'domain.com';
  $inet_socket_port = 10024;
  $inet_socket_bind = 'XXX.XXX.XXX.XXX';
  $interface_policy{'10024'} = 'AM.INET';
  $policy_bank{'AM.INET'} = { inet_acl => [qw( XXX.XXX.XXX.XXX )] };
- Also remember to uncomment the following lines to enable clamav:
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
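The master.cf re-injection service and the amavisd.conf bind settings above share one failure mode: a leftover XXX.XXX.XXX.XXX placeholder, a 127.0.0.1 that a default config file carried in, or a 10025 listener without the permit_mynetworks,reject / mynetworks=<jail ip>/32 pair. The following shell script is an added example, not the wiki page's own code, that audits copies of both files for exactly those points. The function names, the file arguments and the constructed sample configs (using the RFC 5737 documentation address 192.0.2.10 as the jail IP) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the wiki page's own code. Audits Postfix master.cf and
# amavisd.conf copies against the page's rules: no placeholder left behind,
# nothing on 127.0.0.1, re-injection on 10025 accepting only the jail IP,
# amavisd bound to the jail IP. File paths and the jail IP are arguments.

# audit_placeholders FILE...  -> 0 if no XXX.XXX.XXX.XXX placeholder remains.
audit_placeholders() {
    grep -n 'XXX\.XXX\.XXX\.XXX' "$@"
    case $? in 1) return 0 ;; *) return 1 ;; esac
}

# audit_loopback FILE...  -> 0 if no line mentions 127.0.0.1 at all; in a
# jail every daemon must bind to the jail's own address instead.
audit_loopback() {
    grep -n '127\.0\.0\.1' "$@"
    case $? in 1) return 0 ;; *) return 1 ;; esac
}

# audit_reinject MASTER_CF JAIL_IP
# The content-filter re-injection service must be the inet listener on
# JAIL_IP:10025, must clear content_filter (no filtering loop), and must
# accept only the jail's own /32; otherwise another address on the host
# could hand Postfix mail that skips amavisd-new entirely.
audit_reinject() {
    master="$1"; ip="$2"
    # Extract the service stanza: its header line plus the "-o" lines after it.
    stanza=$(awk -v svc="$ip:10025" '
        $1 == svc { inside = 1; print; next }
        inside && $1 == "-o" { print; next }
        inside { exit }' "$master")
    [ -n "$stanza" ] || { echo "no $ip:10025 inet service in $master" >&2; return 1; }
    echo "$stanza" | grep -q '^[[:space:]]*-o content_filter=$' || return 1
    echo "$stanza" | grep -q 'smtpd_recipient_restrictions=permit_mynetworks,reject' || return 1
    echo "$stanza" | grep -q "mynetworks=$ip/32" || return 1
}

# audit_amavis_bind AMAVISD_CONF JAIL_IP  -> 0 if $inet_socket_bind is the jail IP.
audit_amavis_bind() {
    conf="$1"; ip="$2"
    grep -q "^[\$]inet_socket_bind = '$ip';" "$conf"
}

# demo_audit
# Constructed sample files with the page's settings filled in for 192.0.2.10.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    ip=192.0.2.10
    cat > "$tmp/master.cf" <<EOF
amavisd-new unix - - n - 2 lmtp
    -o lmtp_data_done_timeout=1200s
    -o disable_dns_lookups=yes
# content filter re-injection
$ip:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=$ip/32
    -o strict_rfc821_envelopes=yes
EOF
    cat > "$tmp/amavisd.conf" <<EOF
\$mydomain = 'domain.com';
\$inet_socket_port = 10024;
\$inet_socket_bind = '$ip';
EOF
    audit_placeholders "$tmp/master.cf" "$tmp/amavisd.conf" &&
    audit_loopback "$tmp/master.cf" "$tmp/amavisd.conf" &&
    audit_reinject "$tmp/master.cf" "$ip" &&
    audit_amavis_bind "$tmp/amavisd.conf" "$ip"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage against a jail's live files (paths are the usual FreeBSD port locations):
#   audit_placeholders /usr/local/etc/postfix/main.cf /usr/local/etc/postfix/master.cf /usr/local/etc/amavisd.conf
#   audit_reinject /usr/local/etc/postfix/master.cf 192.0.2.10
```

The placeholder check is the cheap one to run from the host across every jail's /usr/local/etc before starting services; the re-injection check catches the case where a copy of the stock master.cf replaced the local additions during an upgrade.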
Notes
Starting on bootup
- Add the following to /etc/rc.conf :
amavisd_enable="YES"
Directory Structure
- You'll need to create a few directories before amavisd-new can run correctly:
  # mkdir /var/amavis
  # mkdir /var/amavis/db
  # mkdir /var/amavis/tmp
  # chown -R vscan:vscan /var/amavis
SpamAssassin Setup
Config Files
- We do not currently make any local modifications for SA.
Notes
sa-update
- It would be reasonable to run 'sa-update -D' from cron regularly (once a week/day?) to keep your signatures up to date.
Starting on bootup
- You should not have to deal with this; SA is called from amavisd-new itself. We do not use the daemon.
ClamAV Setup
Config Files
clamd.conf
- Make sure you enable 'User vscan' instead of 'User clamav' so the permissions are correct for amavisd-new.
freshclam.conf
- Make sure you enable 'User vscan' instead of 'User clamav' so the permissions are correct for amavisd-new.
- Uncomment the DatabaseMirror site line and use your country code (e.g. db.us.clamav.net) for updates.
Notes
Starting on bootup
- Add the following to /etc/rc.conf :
  clamav_clamd_enable="YES"
  clamav_freshclam_enable="YES"
Directory Structure
- You'll need to create a few directories before clamav can run correctly:
  # mkdir /var/virusmails
  # mkdir /var/log/clamav
  # mkdir /var/run/clamav
  # mkdir /var/db/clamav
  # chown -R vscan:vscan /var/virusmails
  # chown -R vscan:vscan /var/log/clamav
  # chown -R vscan:vscan /var/run/clamav
  # chown -R vscan:vscan /var/db/clamav