Inhaltsverzeichnis

Zeilinger (1. August 2010)

Grundinstallation

ssh -X root@193…

virt-manager
name="zeilinger"
memory=6144
maxmem=6144
#memory=1024
#maxmem=2048
vcpus=2
on_poweroff="destroy"
on_reboot="restart"
on_crash="destroy"
localtime=0
keymap="de"
builder="linux"
bootloader="/usr/lib/xen/boot/domUloader.py"
bootargs="--entry=xvda2:/boot/vmlinuz-xen,/boot/initrd-xen"
extra=" textmode=1"
disk=[ 'file:/daten/xen/zeilinger/disk0,xvda,w' ]
vif=[ 'bridge=br0','bridge=br1','bridge=br2' ]
vfb=['type=vnc,vncunused=1']

SSH

insserv sshd; rcsshd start
...
AllowUsers root
...
rcsshd restart

Firewall

yast firewall

Netzwerkkonfiguration

Software-Repositories

Software

zypper in mc gcc gcc-c++ make htop munin-node
zypper in postfix cyrus-imapd cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-ldap-auxprop cyrus-sasl-ntlm cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj spamassassin pwgen bind expect

Hostnamen und DNS

yast dns

LDAP Client

yast ldap-client

DNS Server

insserv named; rcnamed start

NFS Client

...
# feynman
10.67.0.2:/daten        /nfs    nfs     defaults,exec,nolock 0 0 
# schroedinger
# 10.67.0.4:/daten      /nfs    nfs     defaults,exec,nolock 0 0 
...
mkdir /nfs
mount /nfs

Munin

insserv munin-node; rcmunin-node restart

Postfix mit Cyrus IMAP

Installation

ldap_servers: ldap://10.67.0.5/
ldap_version: 3
ldap_search_base: dc=bgweiz,dc=at
ldap_bind_dn: cn=bgldap,dc=bgweiz,dc=at
ldap_bind_pw: ...
ldap_filter: (uid=%U)
ldap_scope: sub
pwcheck_method: saslauthd
mech_list: plain login
log_level:4
ldapdb_uri: ldap://10.67.0.5/
ldapdb_id: cn=bgldap,dc=bgweiz,dc=at
ldapdb_pw: ...
ldapdb_mech: PLAIN
## Path:           System/Security/SASL
## Type:           list(getpwent,kerberos5,pam,rimap,shadow,ldap)
## Default:        pam
## ServiceRestart: saslauthd
#
# Authentication mechanism to use by saslauthd.
# See man 8 saslauthd for available mechanisms.
#
SASLAUTHD_AUTHMECH=ldap

## Path:           System/Security/SASL
## Type:           integer(0:)
## Default:        5
## ServiceRestart: saslauthd
#
# Number of processes that saslauthd should fork to responding to
# authentication queries. A value of zero will indicate that saslauthd
# should fork an individual process for each connection.
#
SASLAUTHD_THREADS=5

## Path:           System/Security/SASL
## Type:           string
## Default:        ""
## ServiceRestart: saslauthd
#
# Additional parameters to use by saslauthd.
# See the saslauthd(8) manpage for available parameters.
#
SASLAUTHD_PARAMS="/etc/saslauthd.conf"
zeilinger:~ # testsaslauthd -u matthias.praunegger -p ...
0: OK "Success."
ch: PLAIN
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus
allowanonymouslogin: no
allowplaintext: 1
autocreatequota: 200000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login
lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
#
# if you want TLS, you have to generate certificates and keys
#
#tls_cert_file: /usr/ssl/certs/cert.pem
#tls_key_file: /usr/ssl/certs/skey.pem
#tls_ca_file: /usr/ssl/CA/CAcert.pem
#tls_ca_path: /usr/ssl/CA
unixhierarchysep: yes
virtdomains: yes
defaultdomain: bgweiz.at
autosubscribe_all_sharedfolders: yes
autosubscribefolders: yes
autocreateinboxfolders: Gesendet|Entwurf|Spam|Papierkorb
autosubscribeinboxfolders: Gesendet|Entwurf|Spam|Papierkorb
# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/socket
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=0
#  imaps                cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
#  pop3s                cmd="pop3d -s" listen="pop3s" prefork=0
#  sieve                cmd="timsieved" listen="sieve" prefork=0

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400

  squatter   cmd="squatter -r user" period=1440

  # Uncomment the next entry, if you want to automatically remove
  # old messages of EVERY user.
  # This example calls ipurge every 60 minutes and ipurge will delete
  # ALL messages older then 30 days.
  # enter 'man 8 ipurge' for more details

  # cleanup      cmd="ipurge -d 30 -f" period=60
}
[global]
config_file     = /etc/cyrus-mbox.conf

[imap]
imap_server             = localhost
cyrus_admin             = cyrus
cyrus_pwd               = ...
#cyrus_pwd_file          = /etc/imap.pwd

@force_subfolders       = Gesendet Entwurf Spam Papierkorb
@subfolders             =

# default quota in MBytes (0: no quota)
#quota                  = 200
rcsaslauthd restart
rccyrus restart
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix

mail_owner = postfix
mydomain = bgweiz.at
myhostname = bgweiz.at
myorigin = $mydomain

inet_interfaces = all
mydestination = einstein.bgweiz.at, mail.bgweiz.at, bgweiz.at, localhost, mamasbest.at, kleinhofer.at, stadtkapelle.weiz.at, orgelverein.at, peer.st, d4e.at, mail.d4e.at poesi.at
local_recipient_maps = ldap:mailrelay $alias_maps unix:passwd.byname
unknown_local_recipient_reject_code = 550

mynetworks = 127.0.0.0/8, 193.170.221.0/24, 192.168.100.0/24, 192.168.238.0/24
relay_domains = $mydestination
mail_spool_directory = /var/spool/mail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = /usr/share/doc/packages/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples

readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
biff = no
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
program_directory = /usr/lib/postfix
masquerade_domains =
defer_transports =
disable_dns_lookups = no
relayhost =
mailbox_command =
mailbox_transport = cyrus
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp

alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 0
#message_size_limit = 10240000
smtpd_recipient_limit = 99
bounce_size_limit = 990

### ldap
mailrelay_timeout = 300
mailrelay_cache = no
#mailrelay_cache_expiry = 600
mailrelay_search_base = dc=bgweiz,dc=at
#mailrelay_server_host = 10.67.0.1
mailrelay_server_host = 10.67.0.5
mailrelay_server_port = 389
mailrelay_bind = yes
#mailrelay_bind_dn = uid=ldapkeeper,dc=bgweiz,dc=at
mailrelay_bind_dn = cn=bgldap,dc=bgweiz,dc=at
mailrelay_bind_pw=ldap4bg
mailrelay_search_filter=(uid=%s)

### smtp
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

### TLS
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

## amavis
content_filter = smtp-amavis:[127.0.0.1]:10024

default_process_limit = 20
max_use = 210
#-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
#pickup    fifo  n       -       n       60      10       pickup
pickup    fifo  n       -       n       60      1       pickup
#cleanup   unix  n       -       n       -       20       cleanup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
#smtp      inet  n       -       y       -       -       smtpd -o content_filter=procmail:filter
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#localhost:10025 inet   n       -       n       -       -       smtpd -o content_filter=
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus     unix  -       n       n       -       20      pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}

#amavis-new
smtp-amavis unix -   -   n   -   20  lmtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes

127.0.0.1:10025 inet n   -  y   -   20  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes

Datenbank und E-Mail Verzeichnisse

#/bin/bash

chown -R cyrus:mail /var/lib/imap/domain/
find /var/lib/imap/domain -type f -exec chmod 600 {} \;
find /var/lib/imap/domain -type d -exec chmod 755 {} \;

chown -R cyrus:mail /var/spool/imap/user
find /var/spool/imap/user -type f -exec chmod 600 {} \;
find /var/spool/imap/user -type d -exec chmod 755 {} \;
su cyrus
imtest -m login -p imap localhost

Dienste

insserv saslauthd
insserv postfix
insserv cyrus
rcsaslauthd start
rcpostfix start
rccyrus start

Postfix Datenbanken

cd /etc/postfix
postmap /etc/postfix/access
postmap /etc/postfix/relocated
postmap /etc/postfix/canonical
postmap /etc/postfix/virtual
postmap /etc/postfix/transport

ALT: Migration von alten, reinen POP Postfächern

cd /var/spool/mail
ls > /root/postfach.list
cd /root
cat postfach.list | awk '{print "cm user."$1}' | cyradm –user cyrus localhost
formail -Y -s /usr/sbin/sendmail newaddress@xxxxxxxxxxx < /path/to/mbox
cd /tmp/mails
for i in *; do formail -Y -s /usr/sbin/sendmail vorname.zuname@mail.bgweiz.at < $i; done

Viren- und Spamschutz: amavisd. spamd, clamd

use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   see amavisd.conf-sample for a traditional-style commented file;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html


# COMMONLY ADJUSTED SETTINGS:

# @bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code

$sa_timeout = 60;

$max_servers = 15;            # number of pre-forked children (2..15 is common)
$daemon_user = 'vscan';
$daemon_group = 'vscan';

$mydomain = 'bgweiz.at';   # a convenient default for other settings

$MYHOME = '/var/spool/amavis';
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to be created manually
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR
$QUARANTINEDIR = '/var/spool/amavis/virusmails';
# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef

# $db_home   = "$MYHOME/db";
# $helpers_home = "$MYHOME/var";  # prefer $MYHOME clean and owned by root?
# $pid_file  = "$MYHOME/var/amavisd.pid";
# $lock_file = "$MYHOME/var/amavisd.lock";
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

@local_domains_maps = ( [".$mydomain"] );
# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
#                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

$log_level = 2;              # verbosity 0..5
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$SYSLOG_LEVEL = 'mail.debug';

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # listen on this local TCP port(s) (see $protocol)
$unix_socketname = "$MYHOME/amavisd.sock";  # when using sendmail milter
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0;
$sa_kill_level_deflt = 5.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 6;    # spam level beyond which a DSN is not sent
$sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?
$sa_auto_whitelist = 1;      # turn on AWL in SA 2.63 or older (irrelevant
                             # for SA 3.0, cf option is 'use_auto_whitelist')

# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database

$virus_admin               = "virusalert\@$mydomain";  # notifications recip.

$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

@addr_extension_virus_maps      = ('virus');
@addr_extension_spam_maps       = ('spam');
@addr_extension_banned_maps     = ('banned');
@addr_extension_bad_header_maps = ('badh');
# $recipient_delimiter = '+';  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';

$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)

$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name


# OTHER MORE COMMON SETTINGS (defaults may suffice):

$myhostname = 'bgweiz.at';

$notify_method  = 'smtp:[127.0.0.1]:10025';
 $forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!
#$forward_method = undef; # set to undef with milter!

$final_virus_destiny            = D_DISCARD;
$final_banned_destiny           = D_BOUNCE;
$final_spam_destiny             = D_DISCARD;
$final_bad_header_destiny       = D_PASS;
# $final_virus_destiny      = D_DISCARD;
# $final_banned_destiny     = D_BOUNCE;
# $final_spam_destiny = D_PASS;
# $final_bad_header_destiny = D_PASS;


# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)

# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
#
# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
# @bypass_banned_checks_maps, @bypass_header_checks_maps,
#
# @virus_lovers_maps, @spam_lovers_maps,
# @banned_files_lovers_maps, @bad_header_lovers_maps,
#
# @blacklist_sender_maps, @score_sender_maps,
#
# $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
#
# $defang_bad_header, $defang_undecipherable, $defang_spam


# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS

@viruses_that_fake_sender_maps = (new_RE(
# [qr'\bEICAR\b'i => 0],            # av test pattern name
# [qr'^(WM97|OF97|Joke\.)'i => 0],  # adjust names to match your AV scanner
  [qr/^/ => 1],  # true for everything else
));

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));


# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample

$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i,  # Class ID extensions - CLSID

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
# qr'^message/partial$'i,         # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm


# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
#                           '.cleargreen.com'           => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
    'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'bugtraq@securityfocus.com'              => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0,

   },
  ],  # end of site-wide tables
});


@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_gunzip],
  ['gz',   \&do_uncompress,  'gzip -d'],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_tar],
  ['deb',  \&do_ar,          'ar'],
# ['a',    \&do_ar,          'ar'],  # unpacking .a seems an overkill
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,         'zoo'],
  ['lha',  \&do_lha,         'lha'],
# ['doc',  \&do_ole,         'ripole'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);


@av_scanners = (

#  ### http://www.hbedv.com/
#  ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus',
#    ['antivir','vexira'],
#    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
#    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
#         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
#    # NOTE: if you only have a demo version, remove -z and add 214, as in:
#    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,


#### Avira for UNIX 3.x ENGLISH
#  ['Avira AntiVir', ['avscan'],
#    '-s --batch --alert-action=none {}', [0], qr/ALERT:/,
#    qr/ALERT: (.+)/m ],
#

# ### http://www.clamav.net/
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd-socket"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".

# ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
# # note that Mail::ClamAV requires perl to be build with threading!
# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/m ],


);

@av_scanners_backup = (
  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],


);

1;  # insure a defined return

Dienste

insserv clamd
insserv amavis
insserv spamd
rcclamd start
rcamavis start
rcspamd start
freshclam
sa-update

Wartungsarbeiten

Mailbox manuell hinzufügen

cd /opt/imap
./cyr_adduser.pl vorname^zuname

Mailbox manuell löschen

cd /opt/imap
./cyr_deleteuser.pl vorname^zuname

Mehrere Mailboxen manuell hinzufügen

cd /opt/imap
./multi_cyr_adduser.sh /pfad/zu/textdatei.txt

Mehrere Mailboxen manuell löschen

cd /opt/imap
./multi_cyr_deleteuser.sh /pfad/zu/verwaist.txt

Erstellung von verwaist.txt - siehe weiter unten: Verwaiste Mailboxen löschen

mailq

mailq | tail +2 | awk  'BEGIN { RS = "" } / vorname\.zuname@bgweiz\.at$/ { print $1 } ' | tr -d '*!' | postsuper -d -
mailq | awk '/.*root@bgweiz\.at$/ { print $1 } ' | tr -d '*!' | postsuper -d -
mailq | tail +2 | awk  'BEGIN { RS = "" } /temporary failure/ { print $1 } ' | tr -d '*!' | postsuper -d -
postsuper -d ALL

Mailboxen reparieren

cd /opt/imap
./multi_cyr_repair.sh
cd /opt/imap
./cyr_repair.sh vorname.zuname

Quota

cd /opt/imap
./quota_auslesen.sh
zeilinger:~ # su cyrus
cyrus@zeilinger:/root> cyradm localhost
IMAP Password: Un....
localhost> lq user/vorname.zuname
 STORAGE 202452/200000 (101.226%)
localhost> sq user/theo.sagmeister 250000
 STORAGE 178801/250000 (71.5204%)
localhost> cyrus@zeilinger:/root> 

Spamfilter sa-learn

mutt -f /var/mail/vorname.zuname
mutt -f imap://vorname.nachname@mail.bgweiz.at

@data = qx</usr/sbin/postqueue -p>; for (@data) {

if (/^(\w+)(\*|\!)?\s/) {
   $queue_id = $1;
}
if($queue_id) {
  if (/$REGEXP/i) {
    $Q{$queue_id} = 1;
    $queue_id = "";
  }
}

}

#open(POSTSUPER,"|cat") || die "couldn't open postsuper" ; open(POSTSUPER,"|postsuper -d -") || die "couldn't open postsuper" ;

foreach (keys %Q) {

print POSTSUPER "$_\n";

}; close(POSTSUPER); </code>

Datenbank reparieren

rccyrus stop
su cyrus -c "/usr/lib/cyrus/bin/ctl_mboxlist -d" > mailboxes.txt
...
user.matthias^praunegger        0 default matthias.praunegger   lrswipkxtecda   
user.matthias^praunegger.Andrea 0 default matthias.praunegger   lrswipkxtecda   
user.matthias^praunegger.Archives       0 default matthias.praunegger   lrswipcda       
user.matthias^praunegger.Archives.2010  0 default matthias.praunegger   lrswipcda       
user.matthias^praunegger.Archives.Feeds 0 default matthias.praunegger   lrswipcda       
user.matthias^praunegger.Entwurf        0 default matthias.praunegger   lrswipkxtecda   
user.matthias^praunegger.Freunde        0 default matthias.praunegger   lrswipcda       
user.matthias^praunegger.Gesendet       0 default matthias.praunegger   lrswipkxtecda   
user.matthias^praunegger.Papierkorb     0 default matthias.praunegger   lrswipkxtecda   
user.matthias^praunegger.Privat 0 default matthias.praunegger   lrswipcda       
...
rm mailboxes.db
su cyrus -c "/usr/lib/cyrus/bin/ctl_mboxlist -u" < mailboxes.txt
rccyrus start

Ordner mit cyradm abonnieren

cyradm -u vorname.zuname localhost
localhost> lm ... listet alle Mailboxen auf
localhost> lm --subscribed ... listet alle abonnierten Ordner auf
localhost> sub INBOX/ordnername ... abonniert Ornder

Benutzer in Whitelist aufnehmen

whitelist_from vorname.zuname@bgweiz.at
rcspamd restart; rcamavis restart

Abonnierte Ordner wiederherstellen (bei Migration)

cd /opt/imap
./make_sub.sh

Spamer blockieren

/etc/postfix/sender_access
...
user@abadboy.com REJECT
...
postmap hash:sender_access
/etc/postfix/main.cf
...
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access
...
rcpostfix restart
/etc/mail/spamassassin/local.cf
...
blacklist_from user@abadboy.com
...
rcamavis restart

Diverse Anleitungen

Configuring a Mail Server on SLES
Gmail als smarthost
Fetchmail
11. Basic Postfix configuration and preparation for SMTP AUTH
Grundabsicherung von Postfix

Problem - löschen von E-Mails

Fehlermeldung: UID COPY: Mailbox does not exist

Lösung

Löschen von Mails mit bestimmten Inhalt

cd /var/spool/imap/user/vorname^zuname
grep -l 'Undeliver' * | tr '\n' ' ' | xargs  rm -rf
grep -l 'delivery' * | tr '\n' ' ' | xargs  rm -rf
cd /opt/imap
sh cyr_repair.sh vorname^zuname