<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Wxcafé</title><link>file:///home/wxcafe/code/blog-source/output/</link><description></description><atom:link href="file:///home/wxcafe/code/blog-source/output/feeds/feed.rss.tutorial.xml" rel="self"></atom:link><lastBuildDate>Fri, 07 Nov 2014 13:04:00 +0100</lastBuildDate><item><title>OpenSMTPd as a mail server on Debian</title><link>file:///home/wxcafe/code/blog-source/output/posts/opensmtpd-debian/</link><description><p>Some time ago I said I would write a tutorial explaining how to manage your own mail. As it happens, I recently decided to change the server that hosts (among other things) this blog, and that server also hosts my email. So I completely changed my infrastructure as far as my mail system is concerned.</p>

<p>I thus decided to move from Postfix to OpenSMTPd, a change I had wanted to make for some time. <a href="https://opensmtpd.org">OpenSMTPd</a> is a project originating from <a href="http://openbsd.org">OpenBSD</a> whose goal is to provide a reliable, simple, fast and, above all, secure SMTP server (broadly the same goals as the OpenBSD project itself).</p>

<p>As a reminder, the email system works in a very simple way: your MUA (Mail User Agent, i.e. your email client) contacts the MTA (Mail Transport Agent, i.e. the SMTP server) of your email provider, which contacts the MTA of the recipient's provider, which in turn contacts the MDA (Mail Delivery Agent) that delivers the mail to the recipient.</p>

<p>If you followed closely, you will have noticed that I said nothing about retrieving or reading mail. The reason is simple: those tasks are handled by yet other services (IMAP/POP for retrieval from the server, eyes for reading).</p>

<p>What we are interested in here is not only sending and receiving email but also retrieving and reading it, which is why this tutorial will cover not just OpenSMTPd but also <a href="http://dovecot.org/">Dovecot</a>, which acts as the IMAP server, and <a href="http://www.ijs.si/software/amavisd/">amavis</a>/<a href="http://spamassassin.apache.org/">spamassassin</a> to filter incoming and outgoing mail. The following diagram shows how mail is handled on the system:</p>

<div class="highlight"><pre>            ╭────────────────╮                    ╭──────────╮
            │╭──────────────&gt;│────&gt; to filter ───&gt;│─╮        │
mail in     ││               │                    │ │ amavis │
───────────&gt;│╯ OpenSMTPd  ╭──│&lt;─── from filter&lt;───│&lt;╯        │
            │             │  │                    ╰──────────╯
mail out    │             │  │                    ╭──────────╮
&lt;───────────│&lt;────────────┴─&gt;│─────&gt; to MDA ─────&gt;│─────────&gt;│──&gt; to user's
            │                │                    │ dovecot  │   mailbox
            ╰────────────────╯                    ╰──────────╯
</pre></div>

<p>This should be roughly clear. To explain briefly: incoming mail (from our own users as well as from other correspondents) is handed to OpenSMTPd, which sends everything to <code>amavis</code>. For mail coming from outside, amavis checks for both spam and malware; for mail coming from our users, it signs with DKIM. It then hands the filtered/signed mail back to OpenSMTPd, which at that point sorts by destination: mail for the domains we handle goes through dovecot into the local recipients' mailboxes, and mail for outside addresses goes directly to the remote server's MTA.</p>

<p>Let's see how to set this up. First, we have to decide how the different services will talk to each other.</p>

<p>Since amavis is configured by default to listen (over SMTP) on port 10024 and reply on port 10025 when filtering, and to listen on port 10026 and reply on port 10027 when signing, we will take advantage of that configuration and talk to it over SMTP on those ports.</p>

<p>As for Dovecot, we will hand it mail over LMTP (Local Mail Transfer Protocol), not on a port but through a socket (in this case, <code>/var/run/dovecot/lmtp</code>).</p>

<p>So, going back to the diagram shown above:</p>

<div class="highlight"><pre>            ╭───────────────╮                    ╭───────────╮
            │╭─────────────&gt;│──&gt; SMTP (10026) ──&gt;│─╮         │
SMTP in     ││              │                    │ │ amavis  │
────────&gt; 25│╯ OpenSMTPd ╭──│&lt;── SMTP (10027) &lt;──│&lt;╯ (sign)  │
            │            │  │                    ╰───────────╯
SMTP out    │            │  │
25 &lt;────────│&lt;───────────╯  │
            ╰───────────────╯
</pre></div>

<p>for outgoing mail; and</p>

<div class="highlight"><pre>            ╭───────────────╮                    ╭────────────╮
            │╭─────────────&gt;│──&gt; SMTP (10024) ──&gt;│─╮          │
SMTP in     ││              │                    │ │ amavis   │
────────&gt; 25│╯ OpenSMTPd ╭──│&lt;── SMTP (10025) &lt;──│&lt;╯(filter)  │
            │            │  │                    ╰────────────╯
            │            │  │                    ╭────────────╮
            │            ╰─&gt;│──&gt; LMTP (socket) ─&gt;│───────────&gt;│──&gt; to user's
            │               │                    │ dovecot    │   mailbox
            ╰───────────────╯                    ╰────────────╯
</pre></div>

<p>for incoming mail.</p>

<p>Now that the theory is clear, let's put it all in place. I will assume here that you are using a Debian or OpenBSD platform. For other platforms, the configuration should be much the same.</p>

<p>(You will need SSL certificates for this guide, even self-signed ones. If you don't know how to create them, you can have a look at <a href="http://wxcafe.net/posts/05/30/14/SSL-ou-la-securite-sur-internet/">this post</a>.)</p>

<p>First, let's start by installing the required programs:</p>

<div class="highlight"><pre># Debian (dovecot is split into per-protocol packages there)
sudo apt-get install opensmtpd dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sieve dovecot-managesieved amavisd-new
# OpenBSD (OpenSMTPd is part of the base system)
sudo pkg_add dovecot dovecot-pigeonhole amavisd-new
</pre></div>

<p>Let's continue by configuring OpenSMTPd as described above:</p>

<p><code>/etc/smtpd.conf</code></p>

<div class="highlight"><pre># This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

## Certs
pki exem.pl certificate "/etc/certs/exem.pl.crt"
pki exem.pl key "/etc/certs/exem.pl.key"

## Ports to listen on, and how to listen on them
listen on eth0 port 25 tls pki exem.pl hostname exem.pl auth-optional
listen on eth0 port 465 tls-require pki exem.pl hostname exem.pl auth mask-source
listen on eth0 port 587 tls-require pki exem.pl hostname exem.pl auth mask-source

## Aliases
table aliases file:/etc/aliases

# coming from amavisd, checked for spam/malware
listen on lo port 10025 tag Filtered
# coming from amavisd, signed with DKIM
listen on lo port 10027 tag Signed

## Receiving
# if the (incoming) mail has been through amavisd, then we can deliver it
accept tagged Filtered for any alias &lt;aliases&gt; deliver to lmtp "/var/run/dovecot/lmtp"
# we directly transfer incoming mail to amavisd to be checked
accept from any for domain "exem.pl" relay via "smtp://localhost:10024"
# we have to put these lines in this order to avoid infinite loops

## Sending
# if the (outgoing) mail has been through amavisd, then we can deliver it
accept tagged Signed for any relay
# we transfer the outgoing mail to amavisd to be signed
accept for any relay via "smtp://localhost:10026"
# same, we have to put these lines in this order or infinite loops...
</pre></div>

<p>Let's explain this configuration file a bit:</p>

<ul>
<li>First, the paragraph named "Certs" contains the declarations of where the SSL certificates are located.</li>
<li>Next, the paragraph containing the external ports we listen on: port 25 with optional TLS, and ports 465 and 587 with mandatory TLS.</li>
<li>The aliases are defined right after.</li>
<li>The next paragraph contains the local ports we listen on: 10025 (the output port of amavis's filter), whose mail we tag as "Filtered", and 10027 (the output port for mail signed by amavis), whose mail we tag as "Signed".</li>
<li>Then comes the paragraph that handles incoming mail. If the mail being processed is tagged Filtered, it has been checked by amavis, so we can pass it on to the recipient. Otherwise, it has not yet been checked by amavis, so we hand it over for analysis (on port 10024, then). It is important to put the declarations in this order, because the first rule that matches the state of the message is the one applied. Here, the second line matches every incoming mail and the first only the filtered ones, so swapping them would mean mail was always sent back to amavis.</li>
<li>Finally, the last paragraph handles outgoing mail. In the same way as the previous paragraph, if the outgoing mail is already tagged Signed we pass it on to the recipient's MTA; otherwise it has not yet been DKIM-signed by amavis, so we hand it to amavis for signing. The line-ordering issue arises again, for the same reason as above.</li>
</ul>

<p>We will now configure dovecot. As we have seen, dovecot must listen for LMTP on the socket <code>/var/run/dovecot/lmtp</code> and deliver mail to the user's mailbox. It would also be useful for it to let us retrieve mail. For this configuration, we will only set up IMAPS. However, if you want to set up POP3[S], various guides are easy to find online.</p>

<p><code>/etc/dovecot/dovecot.conf</code></p>

<div class="highlight"><pre>## Dovecot configuration file

# basic config
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:%h/mail

# authentication
passdb {
  driver = pam
}
userdb {
  driver = passwd
}

# the protocols we use
protocols = imap lmtp sieve

# ssl config (same certificate and key files as in smtpd.conf)
ssl_cert = &lt;/etc/certs/exem.pl.crt
ssl_key = &lt;/etc/certs/exem.pl.key
ssl_cipher_list = HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL
ssl = yes

## configuring services
# disables imap login without SSL (yes dovecot is dumb that way)
service imap-login {
  inet_listener imap {
    port = 0
  }
}

service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}

## configuring protocols
# the dovecot lda, we set it to use sieve
protocol lda {
  mail_plugins = $mail_plugins sieve
}

protocol lmtp {
  postmaster_address = whoever@exem.pl
  mail_plugins = $mail_plugins sieve
}

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
</pre></div>

<p><strong>WARNING: on OpenBSD, replace</strong></p>

<div class="highlight"><pre>passdb {
  driver = pam
}
</pre></div>

<p><strong>with</strong></p>

<div class="highlight"><pre>passdb {
  driver = bsdauth
}
</pre></div>

<p><strong>to authenticate system users.</strong></p>

<p>Here too, let's see how this file is structured:</p>

<ul>
<li>First, the basic settings: where the logs will go, how to format their timestamps, and where users' mail will be stored.</li>
<li>Next we configure how users are authenticated. Here we identify users with the /etc/passwd file and check their passwords with PAM (or BSD Auth).</li>
<li>Next we configure the protocols we serve. Here we want IMAPS, local LMTP and Sieve (which is used to sort messages).</li>
<li>We configure SSL.</li>
<li>The next section holds the service configuration. First comes the IMAP service, whose configuration serves only to disable plain IMAP. Indeed, dovecot only lets you enable IMAPS by enabling IMAP along with it. Since we don't want IMAP without SSL, we disable it. The lmtp configuration sets more appropriate permissions on the Unix socket it uses.</li>
<li>We now configure the protocols, to make Sieve work.</li>
<li>Finally, we configure the sieve plugin by telling it which file and which directory to use for its configuration.</li>
</ul>

<p>Finally, we still have to configure amavis. As explained, amavis will serve two purposes: signing outgoing mail and filtering incoming mail. It must therefore listen on port 10026 for signing and on port 10024 for filtering, and reply on ports 10027 and 10025 respectively (all over SMTP). Since every transaction happens on the loopback interface, there is no risk in using unencrypted protocols. On OpenBSD, remember to copy the default configuration from <code>/usr/local/share/examples/amavisd-new/amavisd.conf</code> and add the necessary changes at the end of the file.</p>

<p><code>/etc/amavis/conf.d/99-local.conf</code> (Debian)
<code>/etc/amavis.conf</code> (OpenBSD)</p>

<div class="highlight"><pre><span class="n">use</span> <span class="n">strict</span><span class="p">;</span>
|
|
|
|
<span class="err">$</span><span class="n">enable_dkim_verification</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
|
|
<span class="err">$</span><span class="n">enable_dkim_signing</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
|
|
<span class="n">dkim_key</span><span class="p">(</span><span class="s">&quot;exem.pl&quot;</span><span class="p">,</span> <span class="s">&quot;main&quot;</span><span class="p">,</span> <span class="s">&quot;/etc/certs/dkim.key&quot;</span> <span class="p">);</span>
|
|
|
|
@dkim_signature_options_bysender_maps = (
  { '.' =>
    { ttl => 21*24*3600, c => 'relaxed/simple' }
  }
);

$inet_socket_port = [10024, 10026];

$policy_bank{'MYNETS'} = {
  originating => 1,
  os_fingerprint_method => undef,
};

$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating => 1,
  allow_disclaimers => 1,
  virus_admin_maps => ["root\@$mydomain"],
  spam_admin_maps => ["root\@$mydomain"],
  warnbadhsender => 1,
  forward_method => 'smtp:localhost:10027',
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],
  terminate_dsn_on_notify_success => 0,
};

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return
</pre></div>

<p>Once again, let us walk through this file:
- the first paragraph states that we want amavis to sign outgoing emails, to verify the DKIM signature of incoming emails, and where the private key used to sign emails is located.
- the second defines the DKIM options we want to use as defaults. I invite you to consult <a href="https://tools.ietf.org/html/rfc4871">RFC 4871</a>.
- we then define the ports we will listen on, then the parameters we will use for emails coming from our own users: they will be treated as "originating" and we will not try to fingerprint the OS they come from.
- we know that emails arriving on port 10026 are outgoing, so we treat them as such.
- the next paragraph describes the treatment we apply to outgoing emails: first, we reaffirm that they do indeed come from our server. We allow disclaimers (again, see <a href="https://tools.ietf.org/html/rfc4871">RFC 4871</a>). We declare the address to notify when spam or a virus comes from our own system, and that we want to be notified. We declare where to send the mails once they have been signed and filtered, then that they must be converted to 7-bit format before being handed to the MTA, that we allow every file type and file name, and that delivery success notifications are kept. And there you go!</p>

<p>You may have noticed that at no point did we configure either the signing of outgoing emails or the filtering of incoming emails. These settings are in fact included by default in amavis.</p>

<p>There are still a few things left to do, however.
First, we need to generate our DKIM key. There are several ways to do this; I personally used opendkim (<a href="https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy">a tutorial</a>) but many other methods exist.
We still have to configure spamassassin:</p>

<div class="highlight"><pre>#rewrite_header Subject *****SPAM*****
# report_safe 1
required_score 2.0
# use_bayes 1
# bayes_auto_learn 1
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status

ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
# shortcircuit SUBJECT_IN_WHITELIST on
# shortcircuit USER_IN_BLACKLIST on
# shortcircuit USER_IN_BLACKLIST_TO on
# shortcircuit SUBJECT_IN_BLACKLIST on
shortcircuit ALL_TRUSTED off
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit
</pre></div>

<p>As you can see, the changes essentially come down to lowering required_score, in my case.</p>

<p>Finally, enable the required services: opensmtpd, dovecot, amavisd, and spamassassin, and everything should work perfectly.</p>

<p>Good luck with your mail hosting from here on...</p></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Wxcafé</dc:creator><pubDate>Fri, 07 Nov 2014 13:04:00 +0100</pubDate><guid>tag:,2014-11-07:home/wxcafe/code/blog-source/output/posts/opensmtpd-debian/</guid></item></channel></rss>