wxcafe/blog-source
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
blog-source/output/category/tutorial/index.html

576 lines
44 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Wxcafé - Tutorial</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="author" content="wxcafé">
<link rel="icon" type="image/png" href="//wxcafe.net/theme/img/favicon.ico">
<!-- Le styles -->
<link rel="stylesheet" href="//wxcafe.net/theme/css/bootstrap.css" type="text/css" />
<script type="text/javascript">
/* <![CDATA[ */
(function() {
var s = document.createElement('script');
var t = document.getElementsByTagName('script')[0];
s.type = 'text/javascript';
s.async = true;
s.src = '//api.flattr.com/js/0.6/load.js?'+
'mode=auto&uid=wxcafe&button=compact&popout=0';
t.parentNode.insertBefore(s, t);
})();
/* ]]> */
</script> <!-- flattr button loader -->
<style type="text/css">
body {
padding-top: 60px;
padding-bottom: 40px;
}
.sidebar-nav {
padding: 9px 0;
}
.tag-1 {
font-size: 13pt;
}
.tag-2 {
font-size: 10pt;
}
.tag-2 {
font-size: 8pt;
}
.tag-4 {
font-size: 6pt;
}
</style>
<link href="//wxcafe.net/theme/css/bootstrap-responsive.css" rel="stylesheet">
<link href="//wxcafe.net/theme/css/font-awesome.css" rel="stylesheet">
<link href="//wxcafe.net/theme/css/pygments.css" rel="stylesheet">
<!-- Le fav and touch icons -->
<link rel="shortcut icon" href="//wxcafe.net/theme/images/favicon.ico">
<link href="//wxcafe.net/feeds/feed.rss.xml" type="application/atom+xml" rel="alternate" title="Wxcafé RSS Feed" />
</head>
<body>
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container-fluid">
<a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</a>
<a class="brand" href="//wxcafe.net/index.html">Wxcafé </a>
<div class="nav-collapse">
<ul class="nav">
<li><a href="//wxcafe.net/archives.html"><i class="icon-th-list"></i> Archives</a></li>
<li><a href="//wxcafe.net/pages/about/">A propos</a></li>
<li class="divider-vertical"></li>
<ul class="nav pull-right">
</ul>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
</div>
<div class="container-fluid">
<div class="row">
<div class="span9" id="content">
<div class="article">
<h1><a href="//wxcafe.net/posts/%D/opensmtpd-debian/">OpenSMTPd comme serveur mail sous debian</a></h1>
<div class="well small"><footer class="post-info">
<span class="label">Date</span>
<span class="published" title="2014-11-07T13:04:00+01:00">
<i class="icon-calendar"></i> Fri 07 November 2014
</span>
<br />
<span class="label">By</span>
<a href="//wxcafe.net/author/wxcafe.html"><i class="icon-user"></i>Wxcafé</a>
<br />
<span class="label">Category</span>
<a href="//wxcafe.net/category/tutorial/"><i class="icon-folder-open"></i>Tutorial</a>
<br />
</footer><!-- /.post-info --></div>
<div class="summary"><p>J'avais dit il y a un certain temps que j'allais écrire un tutoriel expliquant
comment gérer ses mails soi-même. Il se trouve que j'ai récemment décidé de
changer le serveur qui héberge (entre autres) ce blog, et que ce dernier héberge
aussi mes emails. J'ai donc totalement changé d'infrastructure quand a la
gestion de mon système de mails.</p>
<p>Ainsi, j'ai décidé de passer de Postfix a OpenSMTPd, changement que je voulais
effectuer depuis un certain temps. <a href="https://opensmtpd.org">OpenSMTPd</a> est un
projet originaire d'<a href="http://openbsd.org">OpenBSD</a> qui a pour but de fournir un
serveur SMTP fiable, simple, rapide, et surtout sécurisé (les même buts que ceux
qu'a le projet OpenBSD, globalement).</p>
<p>Pour rappel, le système d'emails fonctionne d'une façon très simple : votre MUA
(Mail User Agent, ou client email) contacte le MTA (Mail Transport Agent, ou
serveur SMTP) de votre fournisseur email, qui contacte le MTA du fournisseur du
destinataire, qui lui même contacte le MDA (Mail Delivery Agent) qui délivre le
mail au destinataire.</p>
<p>Si vous avez bien suivi, vous pouvez voir que je n'ai pas parlé de récupération
ni de lecture des mails. C'est pour une raison simple, qui est que ces taches
sont remplies par d'autres services encore (IMAP/POP pour la récupération depuis
le serveur, des yeux pour la lecture).</p>
<p>Or ce qui nous intéresse ici, ce n'est pas simplement d'envoyer et de recevoir
des emails mais bien aussi de pouvoir les récupérer et les lire, et c'est pour
ça que ce tutoriel ne parlera pas que d'OpenSMTPd mais aussi de
<a href="http://dovecot.org/">Dovecot</a> qui fait office de serveur IMAP et
<a href="http://www.ijs.si/software/amavisd/">amavis</a>/<a href="http://spamassassin.apache.org/">spamassassin</a>
pour filtrer les mails entrants et sortants.
Le schéma suivant explique la façon dont les mails sont gérés sur le système</p>
<div class="highlight"><pre> <span class="err">╭────────────────╮</span> <span class="err">╭──────────╮</span>
<span class="err">│╭──────────────</span><span class="o">&gt;</span><span class="err">│────</span><span class="o">&gt;</span> <span class="n">to</span> <span class="n">filter</span> <span class="err">───</span><span class="o">&gt;</span><span class="err">│─╮</span> <span class="err"></span>
<span class="n">mail</span> <span class="n">in</span> <span class="err">││</span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="n">amavis</span> <span class="err"></span>
<span class="err">───────────</span><span class="o">&gt;</span><span class="err">│╯</span> <span class="n">OpenSMTPd</span> <span class="err">╭──│</span><span class="o">&lt;</span><span class="err">───</span> <span class="n">from</span> <span class="n">filter</span><span class="o">&lt;</span><span class="err">───│</span><span class="o">&lt;</span><span class="err"></span> <span class="err"></span>
<span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err">╰──────────╯</span>
<span class="n">mail</span> <span class="n">out</span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err">╭──────────╮</span>
<span class="o">&lt;</span><span class="err">───────────│</span><span class="o">&lt;</span><span class="err">────────────┴─</span><span class="o">&gt;</span><span class="err">│─────</span><span class="o">&gt;</span> <span class="n">to</span> <span class="n">MDA</span> <span class="err">─────</span><span class="o">&gt;</span><span class="err">│─────────</span><span class="o">&gt;</span><span class="err">│──</span><span class="o">&gt;</span> <span class="n">to</span> <span class="n">user</span><span class="err">&#39;</span><span class="n">s</span>
<span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="n">dovecot</span> <span class="err"></span> <span class="n">mailbox</span>
<span class="err">╰────────────────╯</span> <span class="err">╰──────────╯</span>
</pre></div>
<p>Normalement, ceci devrait être a peu près clair.
Pour expliquer vite fait, les emails entrants (venant des utilisateurs mais
aussi d'autres correspondants) sont transmis a OpenSMTPd, qui envoie tout a
<code>amavis</code>, qui vérifie a la fois les spams et les malwares pour les mails
venants de l'exterieur, et qui signe avec DKIM pour les mails venants de
nos utilisateurs, puis qui rentransmet les mails filtrés/signés a OpenSMTPd,
qui a ce moment-ci trie en fonction de la destination : les mails gérés
par le domaine vont via dovecot dans les boites mail des destinataires
locaux, les mails exterieurs vont directement vers le MTA du serveur
distant.</p>
<p>Voyons comment mettre cela en place. Tout d'abord, il faut décider de la façon
dont les différents services vont communiquer.</p>
<p>Déjà, amavis étant configuré par défaut pour écouter (en SMTP) sur le port
10024 et répondre sur le port 10025 quand il s'agit de filtrer et
écouter sur le port 10026 et répondre sur le port 10027 quand il s'agit de
signer, nous allons profiter de cette configuration et donc lui parler en SMTP
sur ces ports.</p>
<p>Quand a Dovecot, nous allons lui transmettre les emails en LMTP (Local Mail
Transfer Protocol), non pas sur un port mais via un socket (dans ce cas précis,
<code>/var/run/dovecot/lmtp</code>).</p>
<p>Ainsi, pour reprendre le schéma présenté plus haut :</p>
<div class="highlight"><pre> <span class="err">╭───────────────╮</span> <span class="err">╭───────────╮</span>
<span class="err">│╭─────────────</span><span class="o">&gt;</span><span class="err">│──</span><span class="o">&gt;</span> <span class="n">SMTP</span> <span class="p">(</span><span class="mi">10026</span><span class="p">)</span> <span class="err">──</span><span class="o">&gt;</span><span class="err">│─╮</span> <span class="err"></span>
<span class="n">SMTP</span> <span class="n">in</span> <span class="err">││</span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="n">amavis</span> <span class="err"></span>
<span class="err">────────</span><span class="o">&gt;</span> <span class="mi">25</span><span class="err">│╯</span> <span class="n">OpenSMTPd</span> <span class="err">╭──│</span><span class="o">&lt;</span><span class="err">──</span> <span class="n">SMTP</span> <span class="p">(</span><span class="mi">10027</span><span class="p">)</span> <span class="o">&lt;</span><span class="err">──│</span><span class="o">&lt;</span><span class="err"></span> <span class="p">(</span><span class="n">sign</span><span class="p">)</span> <span class="err"></span>
<span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err">╰───────────╯</span>
<span class="n">SMTP</span> <span class="n">out</span> <span class="err"></span> <span class="err"></span> <span class="err"></span>
<span class="mi">25</span> <span class="o">&lt;</span><span class="err">────────│</span><span class="o">&lt;</span><span class="err">───────────╯</span> <span class="err"></span>
<span class="err">╰───────────────╯</span>
</pre></div>
<p>Pour les mails sortants; et</p>
<div class="highlight"><pre> <span class="err">╭───────────────╮</span> <span class="err">╭────────────╮</span>
<span class="err">│╭─────────────</span><span class="o">&gt;</span><span class="err">│──</span><span class="o">&gt;</span> <span class="n">SMTP</span> <span class="p">(</span><span class="mi">10024</span><span class="p">)</span> <span class="err">──</span><span class="o">&gt;</span><span class="err">│─╮</span> <span class="err"></span>
<span class="n">SMTP</span> <span class="n">in</span> <span class="err">││</span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="n">amavis</span> <span class="err"></span>
<span class="err">────────</span><span class="o">&gt;</span> <span class="mi">25</span><span class="err">│╯</span> <span class="n">OpenSMTPd</span> <span class="err">╭──│</span><span class="o">&lt;</span><span class="err">──</span> <span class="n">SMTP</span> <span class="p">(</span><span class="mi">10025</span><span class="p">)</span> <span class="o">&lt;</span><span class="err">──│</span><span class="o">&lt;</span><span class="err"></span><span class="p">(</span><span class="n">filter</span><span class="p">)</span> <span class="err"></span>
<span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err">╰────────────╯</span>
<span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err">╭────────────╮</span>
<span class="err"></span> <span class="err">╰─</span><span class="o">&gt;</span><span class="err">│──</span><span class="o">&gt;</span> <span class="n">LMTP</span> <span class="p">(</span><span class="n">socket</span><span class="p">)</span> <span class="err"></span><span class="o">&gt;</span><span class="err">│───────────</span><span class="o">&gt;</span><span class="err">│──</span><span class="o">&gt;</span> <span class="n">to</span> <span class="n">user</span><span class="err">&#39;</span><span class="n">s</span>
<span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="n">dovecot</span> <span class="err"></span> <span class="n">mailbox</span>
<span class="err">╰───────────────╯</span> <span class="err">╰────────────╯</span>
</pre></div>
<p>Pour les mails entrants.</p>
<p>Maintenant que la théorie est claire, mettons en place tout cela. Je me baserai
ici sur le fait que vous utilisiez une plateforme Debian ou OpenBSD. Pour
d'autres plateformes, la configuration devrait être sensiblement la même</p>
<p>(Vous aurez besoin de certificats SSL pour ce guide, même self-signés.
Si vous ne savez pas comment en créer, vous pouvez aller voir <a href="http://wxcafe.net/posts/05/30/14/SSL-ou-la-securite-sur-internet/">ce
post</a>)</p>
<p>Tout d'abord, commençons par installer les programmes nécessaires :</p>
<div class="highlight"><pre><span class="n">sudo</span> <span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">opensmtpd</span> <span class="n">dovecot</span> <span class="n">dovecot</span><span class="o">-</span><span class="n">pigeonhole</span> <span class="n">amavisd</span><span class="o">-</span><span class="n">new</span> <span class="n">dovecot</span><span class="o">-</span><span class="n">managesieved</span>
<span class="n">sudo</span> <span class="n">pkg_add</span> <span class="n">dovecot</span> <span class="n">dovecot</span><span class="o">-</span><span class="n">pigeonhole</span> <span class="n">amavisd</span><span class="o">-</span><span class="n">new</span>
</pre></div>
<p>Continuons en configurant OpenSMTPd tel que nous avons vu plus haut :</p>
<p><code>/etc/smtpd.conf</code></p>
<div class="highlight"><pre><span class="err">#</span> <span class="nx">This</span> <span class="nx">is</span> <span class="nx">the</span> <span class="nx">smtpd</span> <span class="nx">server</span> <span class="nx">system</span><span class="na">-wide</span> <span class="nx">configuration</span> <span class="nx">file.</span>
<span class="err">#</span> <span class="nx">See</span> <span class="nx">smtpd.conf</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="nb">for</span> <span class="nx">more</span> <span class="nx">information.</span>
<span class="err">##</span> <span class="nx">Certs</span>
<span class="nx">pki</span> <span class="nx">exem.pl</span> <span class="nx">certificate</span> <span class="s2">&quot;/etc/certs/exem.pl.crt&quot;</span>
<span class="nx">pki</span> <span class="nx">exem.pl</span> <span class="nb">key</span> <span class="s2">&quot;/etc/certs/exem.pl.key&quot;</span>
<span class="err">##</span> <span class="nx">Ports</span> <span class="k">to</span> <span class="nb">listen</span> <span class="k">on</span><span class="p">,</span> <span class="ow">and</span> <span class="nx">how</span> <span class="k">to</span> <span class="nb">listen</span> <span class="k">on</span> <span class="nx">them</span>
<span class="nb">listen</span> <span class="k">on</span> <span class="nx">eth0</span> <span class="nb">port</span> <span class="mi">25</span> <span class="nx">tls</span> <span class="nx">pki</span> <span class="nx">exem.pl</span> <span class="nb">hostname</span> <span class="nx">exem.pl</span> <span class="nb">auth</span><span class="na">-optional</span>
<span class="nb">listen</span> <span class="k">on</span> <span class="nx">eth0</span> <span class="nb">port</span> <span class="mi">465</span> <span class="nx">tls</span><span class="na">-require</span> <span class="nx">pki</span> <span class="nx">exem.pl</span> <span class="nb">hostname</span> <span class="nx">exem.pl</span> <span class="nb">auth</span> <span class="nx">mask</span><span class="na">-source</span>
<span class="nb">listen</span> <span class="k">on</span> <span class="nx">eth0</span> <span class="nb">port</span> <span class="mi">587</span> <span class="nx">tls</span><span class="na">-require</span> <span class="nx">pki</span> <span class="nx">exem.pl</span> <span class="nb">hostname</span> <span class="nx">exem.pl</span> <span class="nb">auth</span> <span class="nx">mask</span><span class="na">-source</span>
<span class="err">##</span> <span class="nx">Aliases</span>
<span class="nb">table</span> <span class="nx">aliases</span> <span class="nb">file</span><span class="p">:/</span><span class="nx">etc</span><span class="p">/</span><span class="nx">aliases</span>
<span class="err">#</span> <span class="nx">coming</span> <span class="nb">from</span> <span class="nx">amavisd</span><span class="p">,</span> <span class="nb">checked</span> <span class="nb">for</span> <span class="nx">spam</span><span class="p">/</span><span class="nx">malware</span>
<span class="nb">listen</span> <span class="k">on</span> <span class="nx">lo</span> <span class="nb">port</span> <span class="mi">10025</span> <span class="kt">tag</span> <span class="nx">Filtered</span>
<span class="err">#</span> <span class="nx">coming</span> <span class="nb">from</span> <span class="nx">amavisd</span><span class="p">,</span> <span class="nx">signed</span> <span class="k">with</span> <span class="nx">DKIM</span>
<span class="nb">listen</span> <span class="k">on</span> <span class="nx">lo</span> <span class="nb">port</span> <span class="mi">10027</span> <span class="kt">tag</span> <span class="nx">Signed</span>
<span class="err">##</span> <span class="nx">Receiving</span>
<span class="err">#</span> <span class="k">if</span> <span class="nx">the</span> <span class="p">(</span><span class="nx">incoming</span><span class="p">)</span> <span class="nx">mail</span> <span class="nx">has</span> <span class="nx">been</span> <span class="nx">through</span> <span class="nx">amavisd</span><span class="p">,</span> <span class="nx">then</span> <span class="nx">we</span> <span class="nx">can</span> <span class="nx">deliver</span> <span class="nx">it</span>
<span class="nb">accept</span> <span class="nx">tagged</span> <span class="nx">Filtered</span> <span class="nb">for</span> <span class="nb">any</span> <span class="nx">alias</span> <span class="o">&lt;</span><span class="nx">aliases</span><span class="o">&gt;</span> <span class="nx">deliver</span> <span class="k">to</span> <span class="nx">lmtp</span> <span class="s2">&quot;/var/run/dovecot/lmtp&quot;</span>
<span class="err">#</span> <span class="nx">we</span> <span class="nx">directly</span> <span class="nx">tranfer</span> <span class="nx">incoming</span> <span class="nx">mail</span> <span class="k">to</span> <span class="nx">amavisd</span> <span class="k">to</span> <span class="nx">be</span> <span class="nb">checked</span>
<span class="nb">accept</span> <span class="nb">from</span> <span class="nb">any</span> <span class="nb">for</span> <span class="nx">domain</span> <span class="s2">&quot;exem.pl&quot;</span> <span class="nx">relay</span> <span class="nx">via</span> <span class="s2">&quot;smtp://localhost:10024&quot;</span>
<span class="err">#</span> <span class="nx">we</span> <span class="nx">have</span> <span class="k">to</span> <span class="nx">put</span> <span class="nx">these</span> <span class="n">lines</span> <span class="k">in</span> <span class="nx">this</span> <span class="k">order</span> <span class="k">to</span> <span class="nx">avoid</span> <span class="nx">infinite</span> <span class="nx">loops</span>
<span class="err">##</span> <span class="nx">Sending</span>
<span class="err">#</span> <span class="k">if</span> <span class="nx">the</span> <span class="p">(</span><span class="nx">outgoint</span><span class="p">)</span> <span class="nx">mail</span> <span class="nx">has</span> <span class="nx">been</span> <span class="nx">through</span> <span class="nx">amavisd</span><span class="p">,</span> <span class="nx">then</span> <span class="nx">we</span> <span class="nx">can</span> <span class="nx">deliver</span> <span class="nx">it</span>
<span class="nb">accept</span> <span class="nx">tagged</span> <span class="nx">Signed</span> <span class="nb">for</span> <span class="nb">any</span> <span class="nx">relay</span>
<span class="err">#</span> <span class="nx">we</span> <span class="nx">tranfer</span> <span class="nx">the</span> <span class="nx">outgoing</span> <span class="nx">mail</span> <span class="k">to</span> <span class="nx">amavisd</span> <span class="k">to</span> <span class="nx">be</span> <span class="nx">signed</span>
<span class="nb">accept</span> <span class="nb">for</span> <span class="nb">any</span> <span class="nx">relay</span> <span class="nx">via</span> <span class="s2">&quot;smtp://localhost:10026&quot;</span>
<span class="err">#</span> <span class="nx">same</span><span class="p">,</span> <span class="nx">we</span> <span class="nx">have</span> <span class="k">to</span> <span class="nx">put</span> <span class="nx">these</span> <span class="n">lines</span> <span class="k">in</span> <span class="nx">this</span> <span class="k">order</span> <span class="ow">or</span> <span class="nx">infinite</span> <span class="nx">loops...</span>
</pre></div>
<p>Expliquons un peu ce fichier de configuration :</p>
<ul>
<li>Tout d'abord, le paragraphe nommé "Certs" contient les déclaration
d'emplacement des certificats SSL.</li>
<li>Ensuite, le paragraphe contenant les ports externes sur lesquels nous écoutons :
port 25 avec TLS optionel et ports 465 et 587 avec TLS obligatoire</li>
<li>Les alias sont définis juste après</li>
<li>Le paragraphe suivant contient les ports locaux sur lesquels nous écoutons :
10025 (port de sortie du filtre de amavis) dont on taggue les mails sortants
comme "Filtered" et 10027 (port de sortie des mails signés par amavis) dont on
taggue les mails sortants comme "Signed"</li>
<li>Nous avons ensuite le paragraphe qui traite les mails rentrants. Si le mail
traité est taggué comme Filtered, alors il a été vérifié par amavis, et on
peut donc le transmettre au destinataire. Sinon, c'est qu'il n'a pas encore
été vérifié par amavis, donc on lui transmet pour analyse (sur le port 10024
donc). Il est important de mettre les déclarations dans ce sens, car la
première règle qui matche l'état du paquet est appliquée. Ici, la deuxième
ligne matchant tous les mails arrivant et la première seulement ceux filtrés,
inverser leur sens voudrait dire que les mails seraient toujours renvoyés a
amavis</li>
<li>Enfin, le dernier paragraphe traite les mails sortants. De la même façon que
pour le paragraphe précédent, si le mail sortant est déjà taggué comme Signed
on le transmet au MTA du destinataire, sinon il n'a pas encore été signé par
DKIM par amavis et on le transmet donc a amavis pour qu'il le signe. Le
problème de l'ordre des lignes se pose encore, pour la même raison qu'au
dessus.</li>
</ul>
<p>Nous allons maintenant configurer dovecot. Comme nous l'avons vu, dovecot doit
écouter en LMTP via la socket <code>/var/run/dovecot/lmtp</code> et transmettre les
emails a la boite email de l'utilisateur. Il serait aussi interessant
qu'il nous permette de récuperer les mails. Pour cette configuration, on ne
mettra en place que du IMAPS. Cependant, si vous voulez mettre en place du
POP3[s], différents guides sont trouvables facilement sur internet.</p>
<p><code>/etc/dovecot/dovecot.conf</code></p>
<div class="highlight"><pre><span class="cp">## Dovecot configuration file</span>
<span class="cp"># basic config</span>
<span class="n">info_log_path</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">dovecot</span><span class="o">-</span><span class="n">info</span><span class="p">.</span><span class="n">log</span>
<span class="n">log_path</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">dovecot</span><span class="p">.</span><span class="n">log</span>
<span class="n">log_timestamp</span> <span class="o">=</span> <span class="s">&quot;%Y-%m-%d %H:%M:%S &quot;</span>
<span class="n">mail_location</span> <span class="o">=</span> <span class="n">maildir</span><span class="o">:%</span><span class="n">h</span><span class="o">/</span><span class="n">mail</span>
<span class="cp"># authentication</span>
<span class="n">passdb</span> <span class="p">{</span>
<span class="n">driver</span> <span class="o">=</span> <span class="n">pam</span>
<span class="p">}</span>
<span class="n">userdb</span> <span class="p">{</span>
<span class="n">driver</span> <span class="o">=</span> <span class="n">passwd</span>
<span class="p">}</span>
<span class="cp"># the protocols we use</span>
<span class="n">protocols</span> <span class="o">=</span> <span class="n">imap</span> <span class="n">lmtp</span> <span class="n">sieve</span>
<span class="cp"># ssl config</span>
<span class="n">ssl_cert</span> <span class="o">=</span> <span class="o">&lt;/</span><span class="n">etc</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">exem</span><span class="p">.</span><span class="n">pl</span><span class="p">.</span><span class="n">cert</span>
<span class="n">ssl_key</span> <span class="o">=</span> <span class="o">&lt;/</span><span class="n">etc</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">exem</span><span class="p">.</span><span class="n">pl</span><span class="p">.</span><span class="n">key</span>
<span class="n">ssl_cipher_list</span> <span class="o">=</span> <span class="n">HIGH</span><span class="o">+</span><span class="n">kEDH</span><span class="o">:</span><span class="n">HIGH</span><span class="o">+</span><span class="n">kEECDH</span><span class="o">:</span><span class="n">HIGH</span><span class="o">:!</span><span class="n">PSK</span><span class="o">:!</span><span class="n">SRP</span><span class="o">:!</span><span class="mi">3</span><span class="n">DES</span><span class="o">:!</span><span class="n">aNULL</span>
<span class="n">ssl</span> <span class="o">=</span> <span class="n">yes</span>
<span class="cp">## configuring services </span>
<span class="cp"># disables imap login without SSL (yes dovecot is dumb that way)</span>
<span class="n">service</span> <span class="n">imap</span><span class="o">-</span><span class="n">login</span> <span class="p">{</span>
<span class="n">inet_listener</span> <span class="n">imap</span> <span class="p">{</span>
<span class="n">port</span><span class="o">=</span><span class="mi">0</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="n">service</span> <span class="n">lmtp</span> <span class="p">{</span>
<span class="n">unix_listener</span> <span class="n">lmtp</span> <span class="p">{</span>
<span class="n">mode</span> <span class="o">=</span> <span class="mo">0666</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="cp">## configuring protocols</span>
<span class="cp"># the dovecot lda, we set it to use sieve</span>
<span class="n">protocol</span> <span class="n">lda</span> <span class="p">{</span>
<span class="n">mail_plugins</span> <span class="o">=</span> <span class="err">$</span><span class="n">mail_plugins</span> <span class="n">sieve</span>
<span class="p">}</span>
<span class="n">protocol</span> <span class="n">lmtp</span> <span class="p">{</span>
<span class="n">postmaster_address</span> <span class="o">=</span> <span class="n">whoever</span><span class="err">@</span><span class="n">exem</span><span class="p">.</span><span class="n">pl</span>
<span class="n">mail_plugins</span> <span class="o">=</span> <span class="err">$</span><span class="n">mail_plugins</span> <span class="n">sieve</span>
<span class="p">}</span>
<span class="n">plugin</span> <span class="p">{</span>
<span class="n">sieve</span> <span class="o">=</span> <span class="o">~/</span><span class="p">.</span><span class="n">dovecot</span><span class="p">.</span><span class="n">sieve</span>
<span class="n">sieve_dir</span> <span class="o">=</span> <span class="o">~/</span><span class="n">sieve</span>
<span class="p">}</span>
</pre></div>
<p><strong>ATTENTION: Sous OpenBSD, remplacez</strong></p>
<div class="highlight"><pre><span class="n">passdb</span> <span class="p">{</span>
<span class="n">driver</span> <span class="o">=</span> <span class="n">pam</span>
<span class="p">}</span>
</pre></div>
<p><strong>par</strong></p>
<div class="highlight"><pre><span class="n">passdb</span> <span class="p">{</span>
<span class="n">driver</span> <span class="o">=</span> <span class="n">bsdauth</span>
<span class="p">}</span>
</pre></div>
<p><strong>pour identifier les utilisateurs système</strong></p>
<p>Ici aussi, voyons comment ce fichier est structuré :</p>
<ul>
<li>Tout d'abord, les configurations de base : ou iront les logs, comment formater
leur datation, et l'endroit ou seront stockés les mails des utilisateurs.</li>
<li>Nous configurons ensuite la gestion de l'authentification des utilisateurs.
Ici nous identifions les utilisateurs avec le fichier /etc/passwd et leurs
mots de passe avec PAM (ou BSDAuth)</li>
<li>Nous configurons ensuite les protocoles que nous servons. Ici, nous voulons de
l'IMAPS, du LMTP local et Sieve (qui sert pour trier les messages).</li>
<li>Nous configurons le SSL</li>
<li>Le section suivante contient la configuration des services. Nous avons en
premier lieu le service IMAP, dont la configuration sert uniquement a
désactiver IMAP. En effet, dovecot ne permet d'activer IMAPS qu'en activant
IMAP avec. Comme nous ne voulons pas d'IMAP sans SSL, nous le désactivons.
La configuration de lmtp sert a attribuer des permissions plus correctes au
fifo qu'il utilise</li>
<li>Nous configurons maintenant les protocoles, pour faire fonctionner Sieve</li>
<li>enfin, nous configurons le plugin sieve en lui indiquant quel fichier et
quel dossier utiliser pour sa configuration.</li>
</ul>
<p>Enfin, il nous reste a configurer amavis. Comme expliqué, amavis va nous servir
a deux choses : signer les emails sortants, et filtrer les emails entrants. Il
doit donc écouter sur les port 10026 pour les signatures et 10024 pour le
filtrage, et répondre respectivement sur les ports 10027 et 10025 (le tout, en
SMTP. Comme toutes les transactions se font sur le loopback, il n'y a aucun
risque a utiliser des protocoles non chiffrés.
Pour OpenBSD, pensez a copier la configuration par défaut depuis
<code>/usr/local/share/examples/amavisd-new/amavisd.conf</code> et ajoutez les
modifications nécessaires a la fin du fichier.</p>
<p><code>/etc/amavis/conf.d/99-local.conf</code> (debian)
<code>/etc/amavis.conf</code> (OpenBSD)</p>
<div class="highlight"><pre><span class="n">use</span> <span class="n">strict</span><span class="p">;</span>
<span class="err">$</span><span class="n">enable_dkim_verification</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
<span class="err">$</span><span class="n">enable_dkim_signing</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
<span class="n">dkim_key</span><span class="p">(</span><span class="s">&quot;exem.pl&quot;</span><span class="p">,</span> <span class="s">&quot;main&quot;</span><span class="p">,</span> <span class="s">&quot;/etc/certs/dkim.key&quot;</span> <span class="p">);</span>
<span class="err">@</span><span class="n">dkim_signature_options_bysender_maps</span> <span class="o">=</span> <span class="p">(</span>
<span class="p">{</span> <span class="sc">&#39;.&#39;</span> <span class="o">=&gt;</span>
<span class="p">{</span> <span class="n">ttl</span> <span class="o">=&gt;</span> <span class="mi">21</span><span class="o">*</span><span class="mi">24</span><span class="o">*</span><span class="mi">3600</span><span class="p">,</span> <span class="n">c</span> <span class="o">=&gt;</span> <span class="err">&#39;</span><span class="n">relaxed</span><span class="o">/</span><span class="n">simple</span><span class="err">&#39;</span> <span class="p">}</span>
<span class="p">}</span>
<span class="p">);</span>
<span class="err">$</span><span class="n">inet_socket_port</span> <span class="o">=</span> <span class="p">[</span><span class="mi">10024</span><span class="p">,</span> <span class="mi">10026</span><span class="p">];</span>
<span class="err">$</span><span class="n">policy_bank</span><span class="p">{</span><span class="err">&#39;</span><span class="n">MYNETS</span><span class="err">&#39;</span><span class="p">}</span> <span class="o">=</span> <span class="p">{</span>
<span class="n">originating</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span>
<span class="n">os_fingerprint_method</span> <span class="o">=&gt;</span> <span class="n">undef</span><span class="p">,</span>
<span class="p">};</span>
<span class="err">$</span><span class="n">interface_policy</span><span class="p">{</span><span class="err">&#39;</span><span class="mi">10026</span><span class="err">&#39;</span><span class="p">}</span> <span class="o">=</span> <span class="err">&#39;</span><span class="n">ORIGINATING</span><span class="err">&#39;</span><span class="p">;</span>
<span class="err">$</span><span class="n">policy_bank</span><span class="p">{</span><span class="err">&#39;</span><span class="n">ORIGINATING</span><span class="err">&#39;</span><span class="p">}</span> <span class="o">=</span> <span class="p">{</span>
<span class="n">originating</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span>
<span class="n">allow_disclaimers</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span>
<span class="n">virus_admin_maps</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s">&quot;root\@$mydomain&quot;</span><span class="p">],</span>
<span class="n">spam_admin_maps</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s">&quot;root\@$mydomain&quot;</span><span class="p">],</span>
<span class="n">warnbadhsender</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span>
<span class="n">forward_method</span> <span class="o">=&gt;</span> <span class="err">&#39;</span><span class="n">smtp</span><span class="o">:</span><span class="n">localhost</span><span class="o">:</span><span class="mi">10027</span><span class="err">&#39;</span><span class="p">,</span>
<span class="n">smtpd_discard_ehlo_keywords</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="err">&#39;</span><span class="mi">8</span><span class="n">BITMIME</span><span class="err">&#39;</span><span class="p">],</span>
<span class="n">bypass_banned_checks_maps</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="mi">1</span><span class="p">],</span>
<span class="n">terminate_dsn_on_notify_success</span> <span class="o">=&gt;</span> <span class="mi">0</span><span class="p">,</span>
<span class="p">};</span>
<span class="cp">#------------ Do not modify anything below this line -------------</span>
<span class="mi">1</span><span class="p">;</span> <span class="err">#</span> <span class="n">ensure</span> <span class="n">a</span> <span class="n">defined</span> <span class="k">return</span>
</pre></div>
<p>A nouveau, expliquons ce fichier :
- le premier paragraphe définit que nous voulons qu'amavis signe les emails
sortants, vérifie la signature DKIM des emails rentrants, et l'endroit ou se
trouve la clé privée servant a signer les emails.
- le second définit les options DKIM que nous souhaitons utiliser comme défaut.
Je vous invite a consulter la <a href="https://tools.ietf.org/html/rfc4871">RFC 4871</a>
- nous définissons ensuite les ports sur lesquels nous allons écouter, puis les
paramètres que nous utiliserons pour les emails venant de nos utilisateurs :
ils seront traités comme "originating" et nous ne vérifierons pas l'OS duquel
ils viennent.
- nous savons que les emails venants du port 10026 sont sortants, nous les
traitons donc comme tel
- le paragraphe suivant décrit le traitement que nous faisons subir aux emails
sortants : tout d'abord, nous réaffirmons qu'ils viennent bien de notre
serveur. Nous autorisons les disclaimers (voire encore une fois la <a href="https://tools.ietf.org/html/rfc4871">RFC
4871</a>. Nous déclarons l'adresse a
prévenir en cas de spam/virus venants de notre système, et que nous voulons
être prévenus. Nous déclarons ou envoyer les mails une fois signés et filtrés,
puis qu'il est nécessaire de convertir les emails au format 7 bits avant de
les envoyer au MTA, que nous autorisons tous les types et noms de fichiers, et
les notifications de succès d'envoi. Et voila!</p>
<p>Vous avez pu remarquer qu'a aucun moment nous ne configurions ni la signature
des emails sortants ni le filtrage des emails entrants. Ces paramètres sont en
fait inclus par défaut dans amavis.</p>
<p>Il nous reste cependant quelques opérations a faire, encore.
Tout d'abord, il nous faut générer notre clé DKIM. Pour cela, il existe
différentes méthodes, j'ai personnellement utilisé opendkim (<a href="https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy">un
tutorial</a>)
mais de nombreuses autre méthodes existent.
Il nous reste encore a configurer spamassassin :</p>
<div class="highlight"><pre><span class="cp">#rewrite_header Subject *****SPAM*****</span>
<span class="cp"># report_safe 1</span>
<span class="n">required_score</span> <span class="mf">2.0</span>
<span class="cp"># use_bayes 1</span>
<span class="cp"># bayes_auto_learn 1</span>
<span class="cp"># bayes_ignore_header X-Bogosity</span>
<span class="cp"># bayes_ignore_header X-Spam-Flag</span>
<span class="cp"># bayes_ignore_header X-Spam-Status</span>
<span class="n">ifplugin</span> <span class="n">Mail</span><span class="o">::</span><span class="n">SpamAssassin</span><span class="o">::</span><span class="n">Plugin</span><span class="o">::</span><span class="n">Shortcircuit</span>
<span class="cp"># shortcircuit USER_IN_WHITELIST on</span>
<span class="cp"># shortcircuit USER_IN_DEF_WHITELIST on</span>
<span class="cp"># shortcircuit USER_IN_ALL_SPAM_TO on</span>
<span class="cp"># shortcircuit SUBJECT_IN_WHITELIST on</span>
<span class="cp"># shortcircuit USER_IN_BLACKLIST on</span>
<span class="cp"># shortcircuit USER_IN_BLACKLIST_TO on</span>
<span class="cp"># shortcircuit SUBJECT_IN_BLACKLIST on</span>
<span class="n">shortcircuit</span> <span class="n">ALL_TRUSTED</span> <span class="n">off</span>
<span class="cp"># shortcircuit BAYES_99 spam</span>
<span class="cp"># shortcircuit BAYES_00 ham</span>
<span class="n">endif</span> <span class="err">#</span> <span class="n">Mail</span><span class="o">::</span><span class="n">SpamAssassin</span><span class="o">::</span><span class="n">Plugin</span><span class="o">::</span><span class="n">Shortcircuit</span>
</pre></div>
<p>Comme vous pouvez le voir, les modifications se résument globalement a baisser
le required_score pour ma part.</p>
<p>Pour finir, activez les services nécessaires : opensmtpd, dovecot, amavisd, et
spamassassin, et tout devrait fonctionner parfaitement</p>
<p>Bon courage pour votre hosting de mail ensuite...</p></div>
</div>
<hr />
<section id="content" class="body">
<h1>Pages</h1>
<li><a href="//wxcafe.net/pages/about/">A propos</a></li>
</section>
</div><!--/span-->
<div class="span3 well sidebar-nav" id="sidebar">
<ul class="nav nav-list">
<!-- Categories links -->
<li class="nav-header"><h4><i class="icon-folder-close icon-large"></i> Categories</h4></li>
<li>
<a href="//wxcafe.net/category/hacking/">
<i class="icon-folder-open icon-large"></i>Hacking
</a>
</li>
<li>
<a href="//wxcafe.net/category/language/">
<i class="icon-folder-open icon-large"></i>Language
</a>
</li>
<li>
<a href="//wxcafe.net/category/notes/">
<i class="icon-folder-open icon-large"></i>Notes
</a>
</li>
<li>
<a href="//wxcafe.net/category/oses/">
<i class="icon-folder-open icon-large"></i>OSes
</a>
</li>
<li>
<a href="//wxcafe.net/category/programmation/">
<i class="icon-folder-open icon-large"></i>Programmation
</a>
</li>
<li>
<a href="//wxcafe.net/category/ranting/">
<i class="icon-folder-open icon-large"></i>Ranting
</a>
</li>
<li>
<a href="//wxcafe.net/category/teaching/">
<i class="icon-folder-open icon-large"></i>Teaching
</a>
</li>
<li>
<a href="//wxcafe.net/category/tutorial/">
<i class="icon-folder-open icon-large"></i>Tutorial
</a>
</li>
<li>
<a href="//wxcafe.net/category/tutoriel/">
<i class="icon-folder-open icon-large"></i>Tutoriel
</a>
</li>
<hr>
<!-- Social links -->
<li class="nav-header"><h4><i class="icon-exchange"></i> social</h4></li>
<a class="FlattrButton" style="display:none;"
title="//wxcafe.net"
style="padding-top: 10px;"
rel="flattr;
url://wxcafe.net;
title://wxcafe.net;
button:compact;
popout:0;
uid:wxcafe;
category:blog;"
href="//wxcafe.net">flattr</a>
<li><a href="https://twitter.com/wxcafe"><i class="icon-twitter icon-large"></i> Twitter</a></li>
<li><a href="https://github.com/wxcafe"><i class="icon-github icon-large"></i> Github</a></li>
<li><a href="mailto://wxcafe@wxcafe.net"><i class="icon-envelope icon-large"></i> Email</a></li>
<li><a href="https://data.wxcafe.net/wxcafe.asc"><i class="icon-key icon-large"></i> Gpg</a></li>
<li><a href="finger://wxcafe@wxcafe.net"><i class="icon-terminal icon-large"></i> Finger</a></li>
<li><a href="http://leloop.org/where.html"><i class="icon-map-marker icon-large"></i> IRL</a></li>
<hr>
<!-- Links -->
<li class="nav-header"><h4><i class="icon-external-link"></i> Links</h4></li>
<li><a href="https://github.com/wxcafe/blog-source"><i class="icon-code icon-large "></i> Source!</a></li>
<li><a href="http://paste.wxcafe.net"><i class="icon-paste icon-large "></i> Zerobin</a></li>
<li><a href="http://git.wxcafe.net"><i class="icon-github-sign icon-large "></i> Public Git</a></li>
<hr>
<!--- RSS feed -->
<li class="nav-header"><h4><i class="icon-rss"></i> feeds</h4></li>
<li><a href="//wxcafe.net/feeds/feed.rss.xml" rel="alternate"><i class="icon-bookmark-empty icon-large"></i> RSS</a></li>
<li><a href="//wxcafe.net/feeds/feed.atom.xml" rel="alternate"><i class="icon-bookmark-empty icon-large"></i> Atom</a></li>
</ul> </div><!--/.well -->
</div><!--/row-->
<hr>
<footer>
<address id="about">
Proudly powered by <a href="http://pelican.notmyidea.org/">Pelican</a>,
which takes great advantage of <a href="http://python.org">Python</a>.<br />
Powered by <a href="https://github.com/getpelican/pelican-themes/tree/master/bootstrap2">bootstrap2</a> theme, thanks!
</address>
</footer>
</div><!--/.fluid-container-->
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink