Mailfilter FreeBSD Jail

From WTFwiki
Revision as of 21:05, 14 February 2007 by Jontow (talk | contribs) (add some directory structure / permissions notes.)

Background

FreeBSD's jail(8) has some extraordinary side-effects when used in conjunction with
postfix as a mailserver. It gives you the ability to run many mailservers that are
logically separated on the same machine, in fact sharing resources like OpenBSD's spamd
and even the underlying software (including postfix, amavisd-new, etc). You can also
set this up in such a fashion as to keep separate config files for each jail. That is
the way that will be documented here.


Requirements

  • FreeBSD (recommended: 6.2-RELEASE or newer)
  • a full /usr/src and /usr/obj tree built already with whatever custom options in make.conf
  • enough disk space for multiple installs of the OS to co-exist on the same partition(s)
  • enough RAM to delegate to many running instances of child software.
  • postfix (recommended: 2.3.5 or newer) (/usr/ports/mail/postfix)
  • amavisd-new (recommended: 2.4.4 or newer) (/usr/ports/security/amavisd-new)
  • ClamAV (recommended: 0.90 or newer) (/usr/ports/security/clamav)
  • SpamAssassin (recommended: 3.1.7 or newer) (/usr/ports/mail/p5-Mail-SpamAssassin)
  • And, of course, the dependencies of all the above-mentioned software.
  • You may also want an IMAP or POP3 daemon of choice. This was done with dovecot in mind.
  • Keep in mind: ALL SERVICES MUST BIND TO THEIR JAIL'S IP, NOT 127.0.0.1


General Setup

I make heavy use of nullfs when deploying jails.
For instance, I have the following mounts defined per jail so far:

  • /usr/local as /var/jail/domain.com/usr/local.ext
  • /var/db/pkg as /var/jail/domain.com/var/db/pkg

I also use symbolic links like a madman to tie it all together, as such:

 # cd /var/jail/domain.com/usr/local
 # mkdir etc
 # ln -s ../local.ext/bin bin 
 # ln -s ../local.ext/include include
 # ln -s ../local.ext/info info
 # ln -s ../local.ext/lib lib
 # ln -s ../local.ext/libdata libdata
 # ln -s ../local.ext/libexec libexec
 # ln -s ../local.ext/man man
 # ln -s ../local.ext/sbin sbin
 # ln -s ../local.ext/share share
 # ln -s ../local.ext/var var
 # ln -s ../local.ext/www www

It is important that you follow the scheme above or the links won't dereference correctly inside the jail.

This makes sure that all software installed to the host machine is available on the jail(s).
Be aware that you'll have to keep the jail's /usr/local/etc synchronized with a reasonable copy
from the host once in a while (during upgrades, etc.); the jail will not get its own sample
config files installed, because its /usr/local/etc isn't part of the port/package at all.
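The symlink scheme above can be scripted so that every jail gets the same layout and so that the result can be verified. The following is an added example, not from the wiki page: a POSIX sh script that takes the jail root as a parameter (the page's /var/jail/domain.com is only one instance), creates a real `etc` directory for jail-private config, and creates the relative `../local.ext/<name>` links. The check function confirms every link is relative and points into `local.ext`, which is what makes them resolve correctly both from the host and from inside the jail. It creates `usr/local.ext` as a plain directory so it runs without root; on a real host that path is the nullfs mount point.

```shell
#!/bin/sh
# Added example (not from the wiki page): build the per-jail /usr/local
# symlink scheme, using relative links so they resolve both from the host
# (under /var/jail/<domain>) and from inside the jail.
set -eu

# Subdirectories of /usr/local that the page links to ../local.ext/<name>.
LOCAL_DIRS="bin include info lib libdata libexec man sbin share var www"

# make_jail_local <jailroot>
# Creates <jailroot>/usr/local/etc as a real directory (jail-private config)
# and relative symlinks for everything else into the nullfs mount at
# <jailroot>/usr/local.ext. Safe to re-run: stale links are replaced,
# real directories are never removed.
make_jail_local() {
    jailroot=$1
    mkdir -p "$jailroot/usr/local" "$jailroot/usr/local.ext"
    mkdir -p "$jailroot/usr/local/etc"
    for d in $LOCAL_DIRS; do
        [ -L "$jailroot/usr/local/$d" ] && rm "$jailroot/usr/local/$d"
        ln -s "../local.ext/$d" "$jailroot/usr/local/$d"
    done
}

# check_jail_local <jailroot>
# Verifies that etc is a real directory and that every other entry is a
# relative link to ../local.ext/<name> (no absolute host path leaking into
# the jail). Returns 1 on the first mismatch.
check_jail_local() {
    jailroot=$1
    [ -d "$jailroot/usr/local/etc" ] && [ ! -L "$jailroot/usr/local/etc" ] || return 1
    for d in $LOCAL_DIRS; do
        target=$(readlink "$jailroot/usr/local/$d") || return 1
        [ "$target" = "../local.ext/$d" ] || return 1
    done
    return 0
}

# Usage: sh jail_local.sh /var/jail/domain.com
if [ $# -ge 1 ]; then
    make_jail_local "$1"
    check_jail_local "$1" && echo "$1/usr/local: symlink scheme OK"
fi
```

Run it once per jail after the nullfs mounts are in place; the check can also be run on its own from cron or before starting a jail to catch a link that was accidentally replaced by a copy.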


Postfix Setup

Config Files

main.cf

 ### local additions (2007-02-14) -- jontow@
 ### make sure to replace XXX.XXX.XXX.XXX with your jail's IP
 content_filter = amavisd-new:[XXX.XXX.XXX.XXX]:10024

master.cf

 ### local additions (2007-02-14) -- jontow@
 ### make sure to replace XXX.XXX.XXX.XXX with your jail's IP
 amavisd-new     unix    -       -       n       -       2       lmtp
   -o lmtp_data_done_timeout=1200s
   -o disable_dns_lookups=yes
 # content filter re-injection
 XXX.XXX.XXX.XXX:10025      inet    n       -       n       -       -       smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=XXX.XXX.XXX.XXX/32
   -o strict_rfc821_envelopes=yes

Notes

Starting on bootup

  • Add the following to /etc/rc.conf :
 postfix_enable="YES"
 sendmail_enable="NO"
 sendmail_submit_enable="NO"
 sendmail_outbound_enable="NO"
 sendmail_msp_queue_enable="NO"


Amavisd-new Setup

Config Files

amavisd.conf

  • Change/add the following, once again making sure XXX.XXX.XXX.XXX is actually you:
 $mydomain = 'domain.com';
 $inet_socket_port = 10024;
 $inet_socket_bind = 'XXX.XXX.XXX.XXX';
 $interface_policy{'10024'} = 'AM.INET';
 $policy_bank{'AM.INET'} = { inet_acl => [qw( XXX.XXX.XXX.XXX )] };
  • Also remember to uncomment the following lines to enable clamav:
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
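Both the postfix master.cf re-injection listener above and the amavisd.conf $inet_socket_bind setting carry the XXX.XXX.XXX.XXX placeholder, and the requirements list warns that nothing may bind to 127.0.0.1 inside a jail. The following is an added example, not from the wiki page: a POSIX sh script that fills the placeholder from a jail IP given on the command line and then checks the rendered file for the two mistakes this page cautions against, a leftover placeholder and a listener still bound to loopback. The patterns it looks for (a master.cf service line starting with `127.0.0.1:` or `localhost:`, `inet_interfaces` set to loopback, `$inet_socket_bind` set to 127.0.0.1) are this example's own assumptions about what a loopback bind looks like in those three files.

```shell
#!/bin/sh
# Added example (not from the wiki page): fill the XXX.XXX.XXX.XXX
# placeholder used in the page's postfix and amavisd-new snippets with a
# jail's IP, then check the result for a leftover placeholder and for a
# service still bound to 127.0.0.1/localhost instead of the jail IP.
set -eu

# render_jail_config <template> <jail-ip> <output>
# Replaces every XXX.XXX.XXX.XXX with the jail IP. The IP is validated as
# four dotted decimal fields before anything is written (returns 2 if not).
render_jail_config() {
    template=$1 ip=$2 out=$3
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    sed "s/XXX\.XXX\.XXX\.XXX/$ip/g" "$template" > "$out"
}

# loopback_binds <file>
# Prints lines that bind a listener to the loopback address:
#   master.cf:    "127.0.0.1:10025  inet ..."  or  "localhost:..."
#   main.cf:      inet_interfaces = 127.0.0.1 | loopback-only
#   amavisd.conf: $inet_socket_bind = '127.0.0.1';
# Comment lines are skipped. Prints nothing when the file is clean.
loopback_binds() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -E \
        -e '^(127\.0\.0\.1|localhost):[0-9]+[[:space:]]+inet' \
        -e '^[[:space:]]*inet_interfaces[[:space:]]*=.*(127\.0\.0\.1|loopback-only)' \
        -e '^[[:space:]]*\$inet_socket_bind[[:space:]]*=[[:space:]]*.(127\.0\.0\.1|localhost)' \
        || true
}

# check_jail_config <file>
# Returns 0 if no placeholder remains and no loopback bind is present,
# 1 otherwise, with the reasons on stdout.
check_jail_config() {
    status=0
    if grep -q 'XXX\.XXX\.XXX\.XXX' "$1"; then
        echo "$1: placeholder XXX.XXX.XXX.XXX not replaced"; status=1
    fi
    binds=$(loopback_binds "$1")
    if [ -n "$binds" ]; then
        echo "$1: bound to loopback instead of the jail IP:"; echo "$binds"; status=1
    fi
    return $status
}

# Usage: sh jailcfg.sh master.cf.template 192.0.2.10
# Writes master.cf.template.rendered and reports problems in it.
if [ $# -eq 2 ]; then
    render_jail_config "$1" "$2" "$1.rendered"
    check_jail_config "$1.rendered" && echo "$1.rendered: OK"
fi
```

Keep the templates with the placeholder under version control and render them per jail; `check_jail_config` can then be run against the live master.cf, main.cf and amavisd.conf of every jail before the services are (re)started.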

Notes

Starting on bootup

  • Add the following to /etc/rc.conf :
 amavisd_enable="YES"

Directory Structure

  • You'll need to create a few directories before amavisd-new can run correctly:
 # mkdir /var/amavis
 # mkdir /var/amavis/db
 # mkdir /var/amavis/tmp
 # chown -R vscan:vscan /var/amavis

SpamAssassin Setup

Config Files

  • We do not currently make any local modifications for SA.

Notes

sa-update

  • It would be reasonable to run 'sa-update -D' from cron regularly (once a week/day?) to keep your signatures up to date.

Starting on bootup

  • You should not have to deal with this; SA is called from amavisd-new itself. We do not use the daemon.


ClamAV Setup

Config Files

clamd.conf

  • Make sure you enable 'User vscan' instead of 'User clamav' so the permissions are correct for amavisd-new.

freshclam.conf

  • Make sure you enable 'User vscan' instead of 'User clamav' so the permissions are correct for amavisd-new.
  • Uncomment the DatabaseMirror site line and use your country code (i.e. db.us.clamav.net) for updates.

Notes

Starting on bootup

  • Add the following to /etc/rc.conf :
 clamav_clamd_enable="YES"
 clamav_freshclam_enable="YES"

Directory Structure

  • You'll need to create a few directories before clamav can run correctly:
 # mkdir /var/virusmails
 # mkdir /var/log/clamav
 # mkdir /var/run/clamav
 # mkdir /var/db/clamav
 # chown -R vscan:vscan /var/virusmails
 # chown -R vscan:vscan /var/log/clamav
 # chown -R vscan:vscan /var/run/clamav
 # chown -R vscan:vscan /var/db/clamav