StuRa:Server/srs14: Difference between revisions
(55 intermediate revisions by 4 users not shown)
[[PT]] and [[bommel]] build it on 2018-02-09 following the documentation [[Server/Jails/SRS14]].
== Services ==
: replacement for [[Server/SRS14/2018]]
* receiving mail for [[Mail-Adresse|mail addresses]] of the domain ''stura.htw-dresden.de''
*: [[postfix]]
* management of mail addresses (of persons and of roles)
** entries for forwarding to other mail addresses
**: [[aliases]]
** sending mail
**: [[postfix]]
** <s>graphical interface for managing mail addresses</s>
* distribution of mail for mail addresses (for roles)
*: [[mailman]]
* archiving of mail for mail addresses (for roles)
*: [[mailman]]
* graphical interface for managing mailing lists
*: [[mailman]]
* preventing the forwarding of SPAM
*: [[postfix]]
* <!-- Is this intended? The service was "only" taken over because it has apparently been running for many years. --> (archiving (as a backup copy) for [[Mail-Adresse|mail addresses]] of [[Angestellte|employees]])
*: [[maildrop]]
== Operating system ==
: [[Maschine/nyx]]
:: jail on [[FreeNAS]]
: [[FreeBSD]]
:: STABLE
:: (11.1)
== Installation ==
== Configuration ==
=== Mounted storage ===
==== Datasets ====
So that the particularly important data (e.g. mail archives and mail accounts) can be handled individually, each set is managed as a separate dataset (for ZFS). The datasets (for ZFS) are created as datasets on the host ([[srs100034#Datasets]]) and are mounted from the host into the jail.
<pre>
/mnt/znyx/data/maildrop/rossberg on /mnt/znyx/jails/srs14/usr/home/rossberg/Mail (nullfs, local)
/mnt/znyx/data/maildrop/spam on /mnt/znyx/jails/srs14/usr/home/spam/Mail (nullfs, local)
/mnt/znyx/data/mailman/archives on /mnt/znyx/jails/srs14/usr/local/mailman/archives (nullfs, local)
/mnt/znyx/data/mailman/data on /mnt/znyx/jails/srs14/usr/local/mailman/data (nullfs, local)
/mnt/znyx/data/mailman/lists on /mnt/znyx/jails/srs14/usr/local/mailman/lists (nullfs, local)
</pre>
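A pre-flight check for these mounts, added here as an example (it is not part of the wiki page or of the srs14 setup): it reads <code>mount</code> output from a file and reports every expected jail mount point that is absent or not a nullfs mount. If one is missing, Postfix, maildrop and Mailman keep running and simply write into the jail's own filesystem, so mail and list data end up split across two places and outside the snapshot policy of the datasets. The required mount points are the five listed above; the sample <code>mount</code> output is constructed for the demo and is not captured from the host.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that every dataset listed on the page is really
# nullfs-mounted into the jail before the mail services are started. On the host, run it as:
#   mount > /tmp/mounts.txt && check_mounts /tmp/mounts.txt

# Mount points inside the jail that must be present (taken from the page).
REQUIRED_MOUNTS='/mnt/znyx/jails/srs14/usr/home/rossberg/Mail
/mnt/znyx/jails/srs14/usr/home/spam/Mail
/mnt/znyx/jails/srs14/usr/local/mailman/archives
/mnt/znyx/jails/srs14/usr/local/mailman/data
/mnt/znyx/jails/srs14/usr/local/mailman/lists'

# usage: missing_mounts <file with "mount" output>
# prints every required mount point that is absent or not mounted as nullfs;
# prints nothing when all of them are fine
missing_mounts() {
    printf '%s\n' "$REQUIRED_MOUNTS" | while IFS= read -r mp; do
        # mount(8) line format: "<source> on <mountpoint> (<type>, <options>)"
        awk -v mp="$mp" '$2 == "on" && $3 == mp && $4 ~ /^\(nullfs/ { ok = 1 } END { exit !ok }' "$1" \
            || echo "$mp"
    done
}

# usage: check_mounts <file with "mount" output>   -> exit 0 when nothing is missing
check_mounts() {
    [ -z "$(missing_mounts "$1")" ]
}

# Constructed sample of "mount" output with the lists dataset missing (not captured from the host)
write_sample_mounts() {
    cat > "$1" <<'EOF'
znyx/jails/srs14 on /mnt/znyx/jails/srs14 (zfs, local, nfsv4acls)
/mnt/znyx/data/maildrop/rossberg on /mnt/znyx/jails/srs14/usr/home/rossberg/Mail (nullfs, local)
/mnt/znyx/data/maildrop/spam on /mnt/znyx/jails/srs14/usr/home/spam/Mail (nullfs, local)
/mnt/znyx/data/mailman/archives on /mnt/znyx/jails/srs14/usr/local/mailman/archives (nullfs, local)
/mnt/znyx/data/mailman/data on /mnt/znyx/jails/srs14/usr/local/mailman/data (nullfs, local)
EOF
}

# stand-alone demo
M=$(mktemp)
write_sample_mounts "$M"
if check_mounts "$M"; then
    echo "all datasets mounted"
else
    echo "missing:"; missing_mounts "$M"
fi
rm -f "$M"
```

The check is deliberately run from the host (where <code>mount</code> shows the nullfs entries), for instance from a script that starts the jail, so the services inside never start against an empty directory.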
=== Services ===
==== SSH ====
SSH is needed to connect securely to [[{{PAGENAME}}]]. On [[{{PAGENAME}}]] this is required in particular for the (unfortunately still tedious) management of the entries for [[Mail-Adresse|mail addresses]].
; permanent activation of the SSH service:
: <code>service sshd status</code>
<pre>
Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
</pre>
: <code>service sshd onestatus</code>
<pre>
sshd is not running.
</pre>
: <code>sysrc sshd_enable</code>
<pre>
sshd_enable: NO
</pre>
: <code>sysrc sshd_enable=YES</code>
<pre>
sshd_enable: NO -> YES
</pre>
: <code>service sshd status</code>
<pre>
sshd is not running.
</pre>
: <code>service sshd start</code>
<pre>
Generating RSA host key.
</pre>
<pre>
Performing sanity check on sshd configuration.
Starting sshd.
</pre>
: Key pairs (for ''RSA'', ''ECDSA'' and ''ED25519'') were generated automatically for the account ''root''.
: <code>service sshd status</code>
<pre>
sshd is running as pid 12345.
</pre>
: <code>sysrc sshd_enable</code>
<pre>
sshd_enable: YES
</pre>
; Configuration of the SSH service (quick version)
(optional) backup of the default configuration file of the SSH service
: <code>cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default</code>
Adjusting the configuration of the SSH service
* changing the port on which the SSH service is reachable
*: (out of "tradition")
* allowing login with a password for the SSH service
*: There are people who do not know how managing personal key pairs works (and who should not have to be taught it either), but who should nevertheless be able to help with managing mail addresses and log in remotely to do so.
: <code>$EDITOR /etc/ssh/sshd_config</code>
::: <code>diff /etc/ssh/sshd_config.default /etc/ssh/sshd_config</code>
<pre>
17a18
> Port 1234
75a77
> PasswordAuthentication yes
</pre>
:: or
::: <code>diff /etc/ssh/sshd_config.default /etc/ssh/sshd_config</code>
<pre>
17c17
< #Port 22
---
> Port 1234
75c75
< #PasswordAuthentication no
---
> PasswordAuthentication yes
</pre>
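An added check for the two edits above (example code, not part of the wiki page): sshd takes the first uncommented occurrence of a keyword in <code>sshd_config</code> and ignores every later one. The diffs shown are safe only because the lines they override (<code>#Port 22</code>, <code>#PasswordAuthentication no</code>) are commented out; if an active <code>PasswordAuthentication no</code> already existed higher up, an appended <code>PasswordAuthentication yes</code> would silently change nothing, and the same holds the other way round when a later hardening is appended below this <code>yes</code>. The two helpers print the effective value and the number of active occurrences of a keyword; the sample configuration is constructed for the demo. On the host itself the authoritative check is <code>sshd -T</code>.

```shell
#!/bin/sh
# Added example (not from the wiki page): show which value sshd will actually use for a keyword.
# sshd_config is "first match wins": only the FIRST uncommented occurrence of a keyword counts.
# On the real host, compare with:  sshd -T | grep -i passwordauthentication

# usage: sshd_effective <sshd_config> <Keyword>   -> value of the first active occurrence
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                        # comment or blank line
        tolower($1) == tolower(key) { print $2; exit }  # first active occurrence wins
    ' "$1"
}

# usage: sshd_occurrences <sshd_config> <Keyword>  -> number of active occurrences (>1 = dead config)
sshd_occurrences() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(key) { n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample (not a real sshd_config): an earlier hardening left an active
# "PasswordAuthentication no", and "PasswordAuthentication yes" was appended below it.
write_sample_config() {
    cat > "$1" <<'EOF'
# sample sshd_config (constructed for this example)
#Port 22
Port 1234
PasswordAuthentication no
# appended later, expecting it to re-enable password logins:
PasswordAuthentication yes
EOF
}

# stand-alone demo
CFG=$(mktemp)
write_sample_config "$CFG"
for kw in Port PasswordAuthentication; do
    printf '%s: effective=%s active_occurrences=%s\n' \
        "$kw" "$(sshd_effective "$CFG" "$kw")" "$(sshd_occurrences "$CFG" "$kw")"
done
rm -f "$CFG"
```

Whenever <code>sshd_occurrences</code> reports more than one active line for a keyword, the later lines are dead configuration and the file should be edited in place (the second diff form, <code>17c17</code> / <code>75c75</code>) rather than appended to.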
Shell: nologin
===== Clean SPAM older than 30 days =====
Source of the program: http://forum.directadmin.com/attachment.php?s=b1485c6c4b4d501d922e5b7f48d6e07c&attachmentid=427&d=1167030675, modified by [[PT]].
The file is stored as /etc/periodic/daily/900.cleanspam and is executed daily.
<pre>
#!/bin/sh
# Cleaning SPAM older than x days under a Maildir layout (tested under DA + Dovecot + SA)
# Published 27 Oct 2006 under GNU/GPL License By, Pinkkeyhost.com, Korakot Eamopas (kkeonline[at]yahoo.com)
# Bugfix 25 Dec 2006
# Modified 25.02.2018 from pwnytail to run under Postfix maildrop
# settings
# delete spam older than x days
DAYS=30
# your logfile
logfile="/var/log/cleanspam.log"
if [ "$#" -lt 1 ]
then
  echo "usage: $0 <list of users>" >&2
  exit 1
fi
# Start a new log or append to old one
#echo "" > "$logfile"
echo "" >> "$logfile"
# Nothing to be changed from here
LOGDATE=`date "+%y-%m-%d %H:%M"`
DA="/usr/home"   # base of the home directories (/home is a symlink to /usr/home on FreeBSD)
SP="Mail"        # Maildir below the home directory (matches home_mailbox in main.cf)
USERS="$@"
echo "===============================" >> "$logfile"
echo "SCRIPT RUNNING ON $LOGDATE" >> "$logfile"
echo "===============================" >> "$logfile"
# walk over the users given on the command line
for user in $USERS ; do
  # skip if not a user folder
  if [ ! -d "$DA/$user" ] ; then
    continue
  fi
  echo " " >> "$logfile"
  echo "CHECKING USER : $user" >> "$logfile"
  # Check Main account
  if [ -d "$DA/$user/$SP" ]; then
    echo " " >> "$logfile"
    echo "CHECKING FOR : $user" >> "$logfile"
    for nct in new cur tmp ; do
      if [ -d "$DA/$user/$SP/$nct" ]; then
        # find regular files older than $DAYS days; reading line by line instead of
        # word-splitting the find output keeps file names with blanks intact
        find "$DA/$user/$SP/$nct/" -type f -mtime +"$DAYS" | while IFS= read -r oldfile; do
          echo -n "DELETE : $oldfile : " >> "$logfile"
          # Keep a bit of info on what we are going to delete
          head -n 1 "$oldfile" >> "$logfile"
          # Bugfix 25 Dec 2006
          #rm -f /home/$user/$SP/$nct/$oldfile >> /dev/null
          rm -f "$oldfile"
        done
      fi
    done
  fi
done
</pre>
== Packages ==
=== Package management ===
Primarily, the normal (simple) package management (with <code>[[man:pkg|pkg]]</code>) is used.
But using the ports collection ([[freebsd-handbook:ports-using]]) became necessary.
: The previous instance used the combination of the packages Postfix and Mailman. The default package for Mailman is built without the option for Postfix (<code>[[man:pkg-search|pkg search]] -Q options mailman</code>).
:: Damn!
:: Rather than take the risk of working through the configuration without Postfix and using sendmail instead, we simply build the package ourselves. That, however, requires the ports collection.
==== Ports collection ====
: <code>portsnap fetch extract</code>
===== Why the [[#Ports collection|ports collection]] is needed =====
Mailman and Postfix have to be built from ports because the mailman package supports sendmail as the MTA, whereas we need Postfix. Otherwise there are permission problems with the wrapper script between postfix and mailman.
Error message 1, before Mailman was built from ports:
: [...]Mailman mail-wrapper: Group mismatch error. Mailman expected the mail wrapper script to be executed as group "mailnull", but the system's mail server executed the mail script as group "mailman". Try tweaking the mail server to run the script as group "mailnull", or re-run configure, providing the command line option `--with-mail-gid=mailman'.
then the message changes to:
Error message 2, before Postfix was built from ports:
: [...]Mailman mail-wrapper: Group mismatch error. Mailman expected the mail wrapper script to be executed as group "mailman", but the system's mail server executed the mail script as group "nobody". Try tweaking the mail server to run the script as group "mailman", or re-run configure, providing the command line option `--with-mail-gid=nobody'.
=== Updating packages ===
: <code>pkg update && pkg upgrade -y</code>
=== Packages for applications ===
==== sendmail ====
==== Postfix ====
===== Installing Postfix =====
Change into the directory of the port ''postfix''
: <code>cd /usr/ports/mail/postfix</code>
Set the configuration for the customised build of the package (''postfix'')
: <code>make config</code>
<pre>
BDB : off
CDB : off
DOCS : on
EAI : on
INST_BASE : off
LDAP : off
LDAP_SASL : off
LMDB : off
MYSQL : off
NIS : off
PCRE : on
PGSQL : off
SASL : off
SASLKMIT : off
SASLKRB5 : off
SQLITE : off
TEST : off
TLS : on
</pre>
<pre>
/!\ ERROR: /!\
Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.
No support will be provided if you silence this message by defining
ALLOW_UNSUPPORTED_SYSTEM.
</pre>
Build the package (''postfix'') according to the customised configuration
: <code>ALLOW_UNSUPPORTED_SYSTEM=1 make install clean</code>
<?!? />
INFO: All further prompts during the build process are accepted with the suggested setting.
: <code>sysrc postfix_enable=YES</code>
: <code>sysrc sendmail_enable=NO</code>
===== Postfix configuration =====
'''/usr/local/etc/postfix/main.cf'''
<pre>
myhostname = mail.stura.htw-dresden.de
mydomain = stura.htw-dresden.de
#smtp_bind_address = 141.56.50.14
smtp_bind_address = 141.56.51.14
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
local_recipient_maps = unix:passwd.byname $alias_maps
# 141.56.16.134 - 141.56.16.136 mail exchangers of the computing centre (RZ)
# 141.56.16.231 - 232 mail relays of the computing centre (RZ)
mynetworks = 141.56.16.131, 141.56.16.134, 141.56.16.135, 141.56.16.136, 141.56.16.231, 141.56.16.232, 141.56.50.0/26, 127.0.0.0/24, 192.168.100.12, 141.56.51.0/24
alias_maps = hash:/etc/aliases, hash:/etc/aliases.stura, hash:/usr/local/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/etc/aliases.stura
home_mailbox = Mail/
mail_spool_directory = /var/mail
mailbox_command = /usr/local/bin/maildrop -d ${USER}
header_checks = pcre:$config_directory/header_checks
####
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
####
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rhsbl_sender blackhole.securitysage.com
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    check_client_access hash:/usr/local/etc/postfix/rbl_override,
    reject_rbl_client sbl.spamhaus.org,
    permit
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
smtpd_client_restrictions =
    permit_mynetworks,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net
smtpd_relay_restrictions =
    permit_mynetworks,
    defer_unauth_destination
</pre>
'''/usr/local/etc/postfix/master.cf'''
Activate the Mailman wrapper script (the second line is a continuation and must be indented)
<pre>
mailman unix - n n - - pipe
    flags=FR user=mailman:mailman argv=/usr/local/mailman/postfix-to-mailman.py ${nexthop} ${user}
</pre>
'''/usr/local/etc/postfix/header_checks'''
<pre>
/^X-HTW-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
/^X-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
</pre>
postfix/postfix-script: starting the Postfix mail system
===== Using Postfix =====
[[#Postfix]] is the replacement for [[#sendmail]].
; Managing entries for mail addresses:
Editing the file for mail addresses (specific to the StuRa) ''/etc/aliases.stura''
: <code>$EDITOR /etc/aliases.stura</code>
(possibly necessary) rebuilding the database of mail addresses for sendmail
: <code>newaliases</code>
(possibly necessary) rebuilding the database of mail addresses (specific to the StuRa) for postfix
: <code>postalias /etc/aliases.stura</code>
===== Problem diverting SPAM because the header entry marking detected SPAM changed =====
Since 2020-02-27, detected SPAM was suddenly being forwarded (again), presumably after the maintenance work [https://www.htw-dresden.de/news/wartungsarbeiten-im-netzwerk].
It was found that the mail header no longer carries the mark ''X-HTW-Spam-Flag'' but (again, the default) ''X-Spam-Flag''.
So in the file <code>/usr/local/etc/postfix/header_checks</code>, in addition to the existing line
<pre>
/^X-HTW-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
</pre>
the line
<pre>
/^X-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
</pre>
was added.
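To reproduce what these two rules decide for a given message without a Postfix installation, here is an added example (not part of the wiki page): a small emulation of <code>header_checks</code> semantics. Postfix applies the table to the message header only (everything before the first empty line), stops at the first matching rule, and <code>REDIRECT</code> sends the whole message to the given address instead of the original recipient; a spam marker that appears only in the body therefore never triggers the rule. The emulation uses awk regular expressions (it maps PCRE's <code>\s</code> to a bracket expression and does not unfold multi-line headers), and the three sample messages are constructed. On the host itself the authoritative test is <code>postmap -q "X-Spam-Flag: YES" pcre:/usr/local/etc/postfix/header_checks</code>.

```shell
#!/bin/sh
# Added example (not from the wiki page): what the two header_checks rules do with a message.
# Postfix checks the message HEADER only and takes the first matching rule; REDIRECT delivers the
# whole message to the given address instead. This awk emulation does not unfold folded headers.

# Rules exactly as in /usr/local/etc/postfix/header_checks, one "/pattern/ ACTION" per line.
# Exported so awk can read them via ENVIRON (a -v assignment would mangle the backslash in \s).
HEADER_RULES='/^X-HTW-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
/^X-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de'
export HEADER_RULES

# usage: header_action <message-file>   -> action of the first matching rule, else DUNNO
header_action() {
    # first awk: keep the header part only (stop at the first empty line)
    awk 'NF == 0 { exit } { print }' "$1" |
    awk '
        BEGIN {
            n = split(ENVIRON["HEADER_RULES"], rule, "\n")
            for (i = 1; i <= n; i++) {
                match(rule[i], /^\/[^\/]*\//)              # leading /pattern/
                pat[i] = substr(rule[i], 2, RLENGTH - 2)
                act[i] = substr(rule[i], RLENGTH + 2)      # text after "/ "
                gsub(/\\s/, "[ \t]", pat[i])               # PCRE \s -> awk bracket expression
            }
        }
        {
            for (i = 1; i <= n; i++)
                if ($0 ~ pat[i]) { print act[i]; found = 1; exit }
        }
        END { if (!found) print "DUNNO" }'
}

# Constructed sample messages (not real mail); writes three files into the directory given as $1
write_samples() {
    printf 'From: someone@example.org\nX-HTW-Spam-Flag: YES\nSubject: old marker\n\nbody\n' > "$1/htw_flag"
    printf 'From: someone@example.org\nX-Spam-Flag: YES\nSubject: new marker\n\nbody\n' > "$1/std_flag"
    printf 'From: someone@example.org\nX-Spam-Flag: NO\nSubject: ham\n\nX-Spam-Flag: YES in the body does not count\n' > "$1/ham"
}

# stand-alone demo
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for m in htw_flag std_flag ham; do
    printf '%-9s -> %s\n' "$m" "$(header_action "$SAMPLES/$m")"
done
rm -rf "$SAMPLES"
```

With only the first rule in place, the <code>std_flag</code> sample yields <code>DUNNO</code> and is delivered normally, which is the behaviour observed after 2020-02-27; with both rules it is redirected like the old marker.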
==== sudo ====
===== Installing ''sudo'' =====
Install the package ''sudo''
: <code>pkg install -y sudo</code>
===== Configuring ''sudo'' =====
Enter the accounts that are to be allowed to use ''sudo''
: <code>$EDITOR /usr/local/etc/sudoers</code>
===== Problem ''Undefined symbol "memset_s"'' =====
; Problem: ''sudo'' does not work (for the individual accounts).
: <code>sudo su</code>
<pre>
/usr/local/bin/sudo: Undefined symbol "memset_s"
</pre>
; Cause: A comparison with the default file controlling the behaviour of ''sudo'' for authorised accounts and groups, ''/usr/local/etc/sudoers'', showed that the error results from the
; Solution: correcting the configuration in the file controlling the behaviour of ''sudo'' for authorised accounts and groups, ''/usr/local/etc/sudoers''
Add the setting that ''sudo'' asks by default for the password of the respective (target) account
: <code>$EDITOR /usr/local/etc/sudoers</code>
<pre></pre>
<pre>
# Defaults targetpw # Ask for the password of the target user
Defaults targetpw
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
</pre>
<pre></pre>
==== maildrop ====
===== Installing maildrop =====
Install the package ''maildrop''
: <code>pkg install -y maildrop</code>
===== Configuring maildrop =====
MDA: maildrop
Create the maildir in the user's home directory
: <code>maildrop-maildirmake Mail</code>
Create the file .mailfilter in the home directory:
<pre>
MAILBOX="$HOME/Mail"
DEFAULT="$MAILBOX"
</pre>
Restrict the filter file to its owner (maildrop refuses a .mailfilter that is not owned by the user or that other users can read)
: <code>chmod 600 .mailfilter</code>
: <code>chown &lt;user&gt; .mailfilter</code>
Hook maildrop into the postfix main.cf
<pre>
mailbox_command = /usr/local/bin/maildrop -d ${USER}
</pre>
==== Mailman ====
; Installing the Mailman package:
: First of all, we quickly need Mailman together with Postfix.
Change into the directory of the port ''mailman''
: <code>cd /usr/ports/mail/mailman</code>
Set the configuration for the customised build of the package (''mailman'')
:: <?!?>Why do we have to set the environment variable ''ALLOW_UNSUPPORTED_SYSTEM=1''?</?!?>
: <code>make config</code>
<pre>
DOCS=on: Build and/or install documentation
HTDIG=off: - EXPERIMENTAL - htdig integration patches
NAMAZU2=off: Make private archives searchable with namazu2
NLS=on: Native Language Support
Integrate with which MTA?: you have to select exactly one of them
COURIER=off: for use with courier
EXIM4=off: for use with exim4
OPENSMTPD=off: for use with opensmtpd - EXPERIMENTAL -
POSTFIX=on: for use with postfix
SENDMAIL=off: for use with sendmail
</pre>
<pre>
/!\ ERROR: /!\
Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.
No support will be provided if you silence this message by defining
ALLOW_UNSUPPORTED_SYSTEM.
</pre>
Build the package (''mailman'') according to the customised configuration
: <code>ALLOW_UNSUPPORTED_SYSTEM=1 make install clean</code>
: <code>sysrc mailman_enable=YES</code>
===== Mailman configuration =====
: Moving Mailman: [http://www.vuksan.com/linux/mailman_moving_lists.html]
remote: <code>cd /usr/local/mailman && tar -cvf mailman.tar archives data lists Mailman/mm_cfg.py</code>
: <code>cd /usr/local/mailman && tar xvf mailman.tar</code>
====== Mailman/mm_cfg.py ======
<pre>
MTA = 'Postfix'
POSTFIX_ALIAS_CMD = '/usr/local/sbin/postalias'
POSTFIX_MAP_CMD = '/usr/local/sbin/postmap'
SMTPHOST = 'localhost'
# The default language for this server.
DEFAULT_SERVER_LANGUAGE = 'de'
# Unset send_reminders on newly created lists
DEFAULT_SEND_REMINDERS = 0
DEFAULT_SEND_WELCOME_MSG = 0
DEFAULT_SEND_GOODBYE_MSG = 0
DEFAULT_ADMIN_NOTIFY_MCHANGES = 1
DEFAULT_NEW_MEMBER_OPTIONS = 272
DEFAULT_RESPOND_TO_POST_REQUESTS = 0
DEFAULT_ADMINISTRIVIA = 0
DEFAULT_MAX_MESSAGE_SIZE = 0
DEFAULT_MAX_NUM_RECIPIENTS = 0
DEFAULT_REQUIRE_EXPLICIT_DESTINATION = 0
# SUBSCRIBE POLICY
# 0 - open list (only when ALLOW_OPEN_SUBSCRIBE is set to 1) **
# 1 - confirmation required for subscribes
# 2 - admin approval required for subscribes
# 3 - both confirmation and admin approval required
#
# ** please do not choose option 0 if you are not allowing open
# subscribes (next variable)
DEFAULT_SUBSCRIBE_POLICY = 3
# Does this site allow completely unchecked subscriptions?
ALLOW_OPEN_SUBSCRIBE = Yes
# Private_roster == 0: anyone can see, 1: members only, 2: admin only.
DEFAULT_PRIVATE_ROSTER = 0
# Are archives public or private by default?
# 0=public, 1=private
DEFAULT_ARCHIVE_PRIVATE = 1
# What should happen to non-member posts which do not match explicit
# non-member actions?
# 0 = Accept
# 1 = Hold
# 2 = Reject
# 3 = Discard
DEFAULT_GENERIC_NONMEMBER_ACTION = 0
#POSTFIX_STYLE_VIRTUAL_DOMAINS = ['stura.htw-dresden.de']
# Put YOUR site-specific settings below this line.
DEFAULT_URL_PATTERN = 'http://%s/'
DEFAULT_EMAIL_HOST = 'stura.htw-dresden.de'
DEFAULT_URL_HOST = 'lists.stura.htw-dresden.de'
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
add_virtualhost('lists.htw.stura-dresden.de',DEFAULT_EMAIL_HOST)
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = 'YES'
VIRTUAL_HOST_OVERVIEW = On
</pre>
==== postfix-to-mailman.py ====
<pre>
#! /usr/local/bin/python
# Configuration variables - Change these for your site if necessary.
MailmanHome = "/usr/local/mailman"                  # Mailman home directory.
MailmanOwner = "postmaster@stura.htw-dresden.de"    # Postmaster and abuse mail recipient.
# End of configuration variables.

# postfix-to-mailman-2.1.py (to be installed as postfix-to-mailman.py)
#
# Interface mailman to a postfix with a mailman transport. Does not require
# the creation of _any_ aliases to connect lists to your mail system.
#
# Dax Kelson, dkelson@gurulabs.com, Sept 2002.
# converted from qmail to postfix interface
# Jan 2003: Fixes for Mailman 2.1
# Thanks to Simen E. Sandberg <senilix@gallerbyen.net>
# Feb 2003: Change the suggested postfix transport to support VERP
# Thanks to Henrique de Moraes Holschuh <henrique.holschuh@ima.sp.gov.br>
#
# This script was originally qmail-to-mailman.py by:
# Bruce Perens, bruce@perens.com, March 1999.
# This is free software under the GNU General Public License.
#
# This script is meant to be called from ~mailman/postfix-to-mailman.py.
# It catches all mail to a virtual domain, eg "lists.example.com".
# It looks at the recipient for each mail message and decides if the mail is
# addressed to a valid list or not, and bounces the message with a helpful
# suggestion if it's not addressed to a list. It decides if it is a posting,
# a list command, or mail to the list administrator, by checking for the
# -admin, -owner, and -request addresses. It will recognize a list as soon
# as the list is created, there is no need to add _any_ aliases for any list.
# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root,
# and owner, and routes those mails to MailmanOwner as defined in the
# configuration variables, above.
#
# INSTALLATION:
#
# Install this file as ~mailman/postfix-to-mailman.py
#
# To configure a virtual domain to connect to mailman, edit Postfix thusly:
#
# /etc/postfix/main.cf:
#   relay_domains = ... lists.example.com
#   transport_maps = hash:/etc/postfix/transport
#   mailman_destination_recipient_limit = 1
#
# /etc/postfix/transport:
#   lists.example.com mailman:
#
# /etc/postfix/master.cf
#   mailman unix - n n - - pipe
#     flags=FR user=mailman:mailman
#     argv=/var/mailman/postfix-to-mailman.py ${nexthop} ${user}
#
#
# Replace list.example.com above with the name of the domain to be connected
# to Mailman. Note that _all_ mail to that domain will go to Mailman, so you
# don't want to put the name of your main domain here. Typically a virtual
# domain lists.domain.com is used for Mailman, and domain.com for regular
# email.
#

import sys, os, re

def main():
    os.nice(5)          # Handle mailing lists at non-interactive priority.
                        # delete this if you wish
    os.chdir(MailmanHome + "/lists")
    try:
        local = sys.argv[2]
    except IndexError:
        # This might happen if we're not using Postfix
        sys.stderr.write("LOCAL not set?\n")
        sys.exit(1)
    local = local.lower()                   # str.lower() works on Python 2 and 3 (string.lower() is 2 only)
    local = re.sub("^mailman-", "", local)
    # Role addresses that are never list names: hand them to the site owner.
    names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner",
             "abuse")
    for i in names:
        if i == local:
            os.execv("/usr/sbin/sendmail",
                     ("/usr/sbin/sendmail", MailmanOwner))
            sys.exit(0)
    # Strip a -suffix off the local part to learn which Mailman command it is.
    type = "post"
    types = (("-admin$", "admin"),
             ("-owner$", "owner"),
             ("-request$", "request"),
             ("-bounces$", "bounces"),
             ("-confirm$", "confirm"),
             ("-join$", "join"),
             ("-leave$", "leave"),
             ("-subscribe$", "subscribe"),
             ("-unsubscribe$", "unsubscribe"))
    for i in types:
        if re.search(i[0], local):
            type = i[1]
            local = re.sub(i[0], "", local)
    # A list exists exactly when ~mailman/lists/<name> exists (we chdir'd there above).
    if os.path.exists(local):
        os.execv(MailmanHome + "/mail/mailman",
                 (MailmanHome + "/mail/mailman", type, local))
    else:
        bounce()
        sys.exit(75)

def bounce():
    bounce_message = """\
TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on
http://%s/
That web page will help you subscribe or unsubscribe, and will
give you directions on how to post to each mailing list.\n"""
    sys.stderr.write(bounce_message % (sys.argv[1]))
    sys.exit(1)

try:
    sys.exit(main())
except SystemExit as argument:
    sys.exit(argument.code)
except Exception as argument:
    info = sys.exc_info()
    trace = info[2]
    sys.stderr.write("%s %s\n" % (info[0], argument))    # exception class and message
    sys.stderr.write("Line %d\n" % (trace.tb_lineno))
    sys.exit(75)                                        # Soft failure, try again later.
</pre>
==== Apache ====
===== Installing Apache =====
Install the package ''apache24''
: <code>pkg install -y apache24</code>
----
: <code>sysrc apache24_enable=YES</code>
: <code>service apache24 start</code>
===== Apache configuration =====
'''/usr/local/etc/apache24/httpd.conf'''
<pre></pre>
<pre>
ServerAdmin webmaster@stura.htw-dresden.de
</pre>
<pre>
ServerName lists.stura.htw-dresden.de:80
</pre>
<pre>
# Virtual hosts
Include etc/apache24/extra/httpd-vhosts.conf
</pre>
<pre></pre>
'''/usr/local/etc/apache24/extra/httpd-vhosts.conf'''
</pre>
== Maintenance ==
==== Updating packages ====
{|
|
<pre>
pkg lock -y postfix
#Locking postfix-3.3.0.r1,1
pkg lock -y mailman
#Locking mailman-2.1.26_4
pkg update
pkg upgrade -y
portsnap fetch update
cd /usr/ports/mail/postfix
ALLOW_UNSUPPORTED_SYSTEM=1 make build
ALLOW_UNSUPPORTED_SYSTEM=1 make deinstall
pkg unlock -y postfix
#Unlocking postfix-3.3.0.r1,1
ALLOW_UNSUPPORTED_SYSTEM=1 make install clean
pkg lock -y postfix
cd /usr/ports/mail/mailman
ALLOW_UNSUPPORTED_SYSTEM=1 make build
ALLOW_UNSUPPORTED_SYSTEM=1 make deinstall
pkg unlock -y mailman
#Unlocking mailman-2.1.26_4
ALLOW_UNSUPPORTED_SYSTEM=1 make install clean
pkg lock -y mailman
</pre>
|
: <code>service postfix stop</code>
: <code>service postfix status</code>
<pre>
postfix is not running.
</pre>
: <code>pkg lock -y postfix</code>
: <code>service mailman stop</code>
: <code>service mailman status</code>
<pre>
mailman is not running.
</pre>
: <code>pkg lock -y mailman</code>
: <code>cd /usr/ports/mail/postfix</code>
: <code>ALLOW_UNSUPPORTED_SYSTEM=YES make build</code>
: <code>pkg unlock -y postfix</code>
: <code>ALLOW_UNSUPPORTED_SYSTEM=YES make deinstall</code>
: <code>ALLOW_UNSUPPORTED_SYSTEM=YES make install clean</code>
: <code>pkg lock -y postfix</code>
: <code>cd /usr/ports/mail/mailman</code>
: <code>ALLOW_UNSUPPORTED_SYSTEM=YES make build</code>
: <code>pkg unlock -y mailman</code>
: <code>ALLOW_UNSUPPORTED_SYSTEM=YES make deinstall</code>
: <code>ALLOW_UNSUPPORTED_SYSTEM=YES make install clean</code>
: <code>pkg lock -y mailman</code>
: <code>service mailman start</code>
<pre>
Fixing mailman permissions:
Warning: Private archive directory is other-executable (o+x).
This could allow other users on your system to read private archives.
If you're on a shared multiuser system, you should consult the
installation manual on how to fix this.
No problems found
Starting mailman.
</pre>
: <code>service postfix start</code>
<pre>
postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
postfix/postfix-script: starting the Postfix mail system
</pre>
: <code>pkg info -ak | grep yes</code>
<pre>
mailman-2.1.26_4 yes
postfix-3.3.1,1 yes
</pre>
|
|}
== Migration ==
==== Moving in from [[Server/SRS14/2018]] ====
; Upgrading ZFS:
: <code>zfs upgrade</code>
<pre>
This system is currently running ZFS filesystem version 5.
The following filesystems are out of date, and can be upgraded. After being
upgraded, these filesystems (and any 'zfs send' streams generated from
subsequent snapshots) will no longer be accessible by older software versions.
VER FILESYSTEM
--- ------------
4 znyx/migration/srs14
</pre>
: <code>zfs upgrade znyx/migration/srs14</code>
<pre>
1 filesystems upgraded
</pre>
: <code>zfs upgrade</code>
<pre>
This system is currently running ZFS filesystem version 5.
All filesystems are formatted with the current version.
</pre>
== Problems ==
==== 403 on the archives of public mailing lists ====
All Mailman content served by the web server under ''/pipermail/'', in particular content that is simply archived publicly (for example http://lists.stura.htw-dresden.de/pipermail/stg.htw-dresden.de/), could not simply be delivered publicly because of [[wikipedia:de:HTTP-Statuscode#4xx – Client-Fehler|error ''403'']]. In practice this concerns all content in the directory <code>/usr/local/mailman/archives/public/</code> (symlinks).
The web server, which runs as the account ''www'', needs permissions (and belongs (generically) to ''[[wikipedia:de:Unix-Dateirechte#Benutzerklassen|others]]'').
<code>chmod o=rx /usr/local/mailman/archives/private</code>
: (Somehow this feels "wrong", but …) [https://www.freebsddiary.org/mailman.php dan.langille.org] apparently did it this way years ago too. :-D
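What the <code>chmod o=rx</code> above actually opens up can be listed with the following added example (not from the wiki page). The fix works because the web server, running as ''www'' and therefore as ''others'', needs the x bit on <code>archives/private</code> to follow the <code>public/&lt;list&gt;</code> symlinks into <code>private/&lt;list&gt;</code>; but the same x bit is granted to every other local account in the jail, which is exactly what Mailman's permission check warns about at <code>service mailman start</code> (see the "Private archive directory is other-executable" message under Maintenance). The two helpers use only <code>find -perm</code> with octal masks, so they run on FreeBSD and Linux alike; the miniature archive tree is constructed for the demo and its modes are assumptions, not the modes on the host.

```shell
#!/bin/sh
# Added example (not from the wiki page): make visible what "others" can reach below an archive root.
# On the host:  reachable_by_others /usr/local/mailman/archives/private

# usage: other_exec_dirs <root>   -> directories below <root> (inclusive) with the o+x bit set
other_exec_dirs() {
    find "$1" -type d -perm -001 -print | sort
}

# usage: reachable_by_others <root>
# regular files a process running as "others" could open for reading: o+r on the file AND o+x on
# every directory from <root> down to it (directories without o+x are pruned together with their
# contents). Ancestors above <root> are not checked.
reachable_by_others() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print | sort
}

# Constructed miniature archive tree (not the real /usr/local/mailman):
# <base>/archives/private/<list>/index.html, with the private directory closed to others (0770).
make_sample_tree() {
    mkdir -p "$1/archives/private/secretlist"
    echo "<html>private archive index</html>" > "$1/archives/private/secretlist/index.html"
    chmod 0644 "$1/archives/private/secretlist/index.html"
    chmod 0755 "$1/archives/private/secretlist"
    chmod 0770 "$1/archives/private"
}

# stand-alone demo: before and after the chmod from the page
T=$(mktemp -d)
make_sample_tree "$T"
echo "before chmod o=rx:"; reachable_by_others "$T/archives/private"
chmod o=rx "$T/archives/private"
echo "after  chmod o=rx:"; reachable_by_others "$T/archives/private"
rm -rf "$T"
```

Before the chmod nothing below <code>private/</code> is reachable for others, because the directory itself blocks traversal; afterwards every world-readable file inside the list directories is, so the output of <code>reachable_by_others</code> on the host is the list of private archive files that any local account in the jail can read.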
=== DNSBL ===
[[wikipedia:de:DNS-based Blackhole List]]
* http://dnsbllookup.com/
** http://dnsbllookup.com/?ip=141.56.51.14
** http://dnsbllookup.com/?ip=141.56.51.2
* http://multirbl.valli.org/dnsbl-lookup/
** http://multirbl.valli.org/dnsbl-lookup/141.56.51.14.html
** http://multirbl.valli.org/dnsbl-lookup/srs14.stura.htw-dresden.de.html
** http://multirbl.valli.org/dnsbl-lookup/mail.stura.htw-dresden.de.html
** http://multirbl.valli.org/dnsbl-lookup/141.56.51.2.html
** http://multirbl.valli.org/dnsbl-lookup/srs2.stura.htw-dresden.de.html
Current version as of 11 March 2021, 11:20
PT and bommel are building this on 2018-02-09 following the documentation Server/Jails/SRS14.
Services
- replacement for Server/SRS14/2018
- receiving mail for mail addresses in the domain stura.htw-dresden.de
- managing mail addresses (for persons and functions)
- distributing mail for mail addresses (for functions)
- archiving mail for mail addresses (for functions)
- graphical interface for managing mailing lists
- preventing the forwarding of SPAM
- (archiving (as a backup copy) for mail addresses of employees)
Operating system
- Maschine/nyx
- jail on FreeNAS
- FreeBSD
- STABLE
- (11.1)
Installation
Configuration
Mounted mass storage
Datasets
To allow the particularly noteworthy data (e.g. mail archives and mail accounts) to be handled individually, each of them is managed as a separate ZFS dataset. The datasets are created as ZFS datasets on the host (srs100034#Datasets) and are mounted from the host into the jail.
/mnt/znyx/data/maildrop/rossberg on /mnt/znyx/jails/srs14/usr/home/rossberg/Mail (nullfs, local)
/mnt/znyx/data/maildrop/spam on /mnt/znyx/jails/srs14/usr/home/spam/Mail (nullfs, local)
/mnt/znyx/data/mailman/archives on /mnt/znyx/jails/srs14/usr/local/mailman/archives (nullfs, local)
/mnt/znyx/data/mailman/data on /mnt/znyx/jails/srs14/usr/local/mailman/data (nullfs, local)
/mnt/znyx/data/mailman/lists on /mnt/znyx/jails/srs14/usr/local/mailman/lists (nullfs, local)
Services
SSH
SSH is needed to connect securely to Server/srs14. On Server/srs14 this is needed in particular for the (unfortunately still tedious) management of the entries for mail addresses.
- permanently enabling the SSH service
service sshd status
Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
service sshd onestatus
sshd is not running.
sysrc sshd_enable
sshd_enable: NO
sysrc sshd_enable=YES
sshd_enable: NO -> YES
service sshd status
sshd is not running.
service sshd start
Generating RSA host key.
Performing sanity check on sshd configuration. Starting sshd.
- Key pairs (for RSA, ECDSA and ED25519) were generated automatically for the account root.
service sshd status
sshd is running as pid 12345.
sysrc sshd_enable
sshd_enable: YES
- configuration of the SSH service (quick version)
(optional) backup of the default configuration file of the SSH service
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
adjusting the configuration of the SSH service
- changing the port on which the SSH service is reachable
- (out of "tradition")
- allowing login with a password for the SSH service
- There are people who do not know how managing personal key pairs works (and who should not have to be taught it either), but who should nevertheless be able to help manage mail addresses and log in remotely to do so.
$EDITOR /etc/ssh/sshd_config
diff /etc/ssh/sshd_config.default /etc/ssh/sshd_config
17a18
> Port 1234
75a77
> PasswordAuthentication yes
or
17c17
< #Port 22
---
> Port 1234
75c75
< #PasswordAuthentication no
---
> PasswordAuthentication yes
Accounts
Adding system accounts.
Mail - employees
- Rossberg
Shell: nologin
remote: cd /home/rossberg && tar -cvf rossberg.tar .mailfilter Mail .mail_aliases .rhosts
cd /home/rossberg && tar -xvf rossberg.tar
Mail - spam
- Spam
Shell: nologin
Clean SPAM older than 30 days
Source of the program: http://forum.directadmin.com/attachment.php?s=b1485c6c4b4d501d922e5b7f48d6e07c&attachmentid=427&d=1167030675, modified by PT.
The file is stored at /etc/periodic/daily/900.cleanspam and is executed daily.
#!/bin/sh
# Cleaning SPAM older than x days under Maildir system (Test under DA + Dovecot + SA)
# Published 27 Oct 2006 under GNU/GPL License By, Pinkkeyhost.com, Korakot Eamopas (kkeonline[at]yahoo.com)
# Bugfix 25 Dec 2006
# Modified 25.02.2018 from pwnytail to run under Postfix maildrop
#
# Note: periodic(8) starts the scripts in /etc/periodic/daily without arguments,
# so the list of users has to be supplied by whatever invokes this script.

# settings
# delete spam older than x days
DAYS=30
# your logfile
logfile="/var/log/cleanspam.log"

if [ "$#" -lt 1 ]; then
  echo "usage: $0 <list of users>" >&2
  exit 1
fi

# Start a new log or append to old one
#echo "" > "$logfile"
echo "" >> "$logfile"

# Nothing to be changed from here
LOGDATE=`date "+%y-%m-%d %H:%M"`
DA="/usr/home"      # home directories (/home is a symlink to /usr/home on FreeBSD)
SP="Mail"           # maildir name used by maildrop, see .mailfilter below
USERS="$@"

echo "===============================" >> "$logfile"
echo "SCRIPT RUNNING ON $LOGDATE" >> "$logfile"
echo "===============================" >> "$logfile"

# list users from da folder
for user in $USERS; do
  # skip if not a user folder
  if [ ! -d "$DA/$user" ]; then
    continue
  fi
  echo " " >> "$logfile"
  echo "CHECKING USER : $user" >> "$logfile"
  # Check Main account
  if [ -d "$DA/$user/$SP" ]; then
    echo " " >> "$logfile"
    echo "CHECKING FOR : $user" >> "$logfile"
    for nct in new cur tmp; do
      if [ -d "$DA/$user/$SP/$nct" ]; then
        # find regular files older than $DAYS days; reading the find output line by
        # line instead of word-splitting it keeps file names with spaces intact
        find "$DA/$user/$SP/$nct/" -type f -mtime +"$DAYS" | while IFS= read -r oldfile; do
          if [ -f "$oldfile" ]; then
            echo -n "DELETE : $oldfile : " >> "$logfile"
            # Keep a bit of info on what we are going to delete
            head -n 1 "$oldfile" >> "$logfile"
            # Bugfix 25 Dec 2006
            #rm -f /home/$user/$SP/$nct/$oldfile > /dev/null
            rm -f "$oldfile"
          fi
        done
      fi
    done
  fi
done
Packages
Package management
Primarily, the normal (simple) package management (with pkg) is used.
But using the ports collection (freebsd-handbook:ports-using) became necessary.
- The previous instance used the combination of the packages Postfix and Mailman. The default package for Mailman is built without the option for Postfix (pkg search -Q options mailman). Damn!
- Rather than taking the risk of dealing with the configuration without Postfix and using sendmail instead, we simply build the package ourselves. For that, however, using the ports collection is necessary.
Ports collection
portsnap fetch extract
Need for using the ports collection
Mailman and Postfix must be built from the ports because the package mailman supports sendmail as MTA, but we need Postfix. Otherwise there are permission problems with the wrapper script between postfix and mailman.
Error message 1 before Mailman was built from the ports:
- [...]Mailman mail-wrapper: Group mismatch error. Mailman expected the mail wrapper script to be executed as group "mailnull", but the system's mail server executed the mail script as group "mailman". Try tweaking the mail server to run the script as group "mailnull", or re-run configure, providing the command line option `--with-mail-gid=mailman'.
Then the message changes to: Error message 2 before Postfix was built from the ports:
- [...]Mailman mail-wrapper: Group mismatch error. Mailman expected the mail wrapper script to be executed as group "mailman", but the system's mail server executed the mail script as group "nobody". Try tweaking the mail server to run the script as group "mailman", or re-run configure, providing the command line option `--with-mail-gid=nobody'.
Updating packages
pkg update && pkg upgrade -y
Packages for applications
sendmail
Postfix
Installing Postfix
change into the directory of the port postfix
cd /usr/ports/mail/postfix
set the configuration for the customised build of the package (postfix)
make config
BDB : off
CDB : off
DOCS : on
EAI : on
INST_BASE : off
LDAP : off
LDAP_SASL : off
LMDB : off
MYSQL : off
NIS : off
PCRE : on
PGSQL : off
SASL : off
SASLKMIT : off
SASLKRB5 : off
SQLITE : off
TEST : off
TLS : on
/!\ ERROR: /!\ Ports Collection support for your FreeBSD version has ended, and no ports are guaranteed to build on this system. Please upgrade to a supported release. No support will be provided if you silence this message by defining ALLOW_UNSUPPORTED_SYSTEM.
build the package (postfix) according to the customised configuration
ALLOW_UNSUPPORTED_SYSTEM=1 make install clean
INFO: all subsequent prompts in the build process are answered with the suggested setting.
sysrc postfix_enable=YES
sysrc sendmail_enable=NO
Postfix configuration
/usr/local/etc/postfix/main.cf
myhostname = mail.stura.htw-dresden.de
mydomain = stura.htw-dresden.de
#smtp_bind_address = 141.56.50.14
smtp_bind_address = 141.56.51.14
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
local_recipient_maps = unix:passwd.byname $alias_maps
# 141.56.16.134 - 141.56.16.136 mail exchangers of the RZ (computing centre)
# 141.56.16.231 - 232 mail relays of the RZ (computing centre)
mynetworks = 141.56.16.131, 141.56.16.134, 141.56.16.135, 141.56.16.136, 141.56.16.231, 141.56.16.232, 141.56.50.0/26, 127.0.0.0/24, 192.168.100.12, 141.56.51.0/24
alias_maps = hash:/etc/aliases, hash:/etc/aliases.stura, hash:/usr/local/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/etc/aliases.stura
home_mailbox = Mail/
mail_spool_directory = /var/mail
mailbox_command = /usr/local/bin/maildrop -d ${USER}
header_checks = pcre:$config_directory/header_checks
####
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
####
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender blackhole.securitysage.com
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, check_client_access hash:/usr/local/etc/postfix/rbl_override, reject_rbl_client sbl.spamhaus.org, permit
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net
smtpd_relay_restrictions = permit_mynetworks, defer_unauth_destination
/usr/local/etc/postfix/master.cf
activate the Mailman wrapper script
mailman unix - n n - - pipe
  flags=FR user=mailman:mailman argv=/usr/local/mailman/postfix-to-mailman.py ${nexthop} ${user}
/usr/local/etc/postfix/header_checks
/^X-HTW-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
/^X-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
/usr/local/etc/postfix/rbl_override
<RZ mail server as domain and as IP address>
/usr/local/etc/postfix/relay_recipients
@stura.htw-dresden.de OK
/usr/local/etc/postfix/transport
kss-sachsen.de smtp:lrs0x018.kss-sachsen.de
creating the database files
postmap rbl_override relay_recipients transport header_checks
start postfix
$ service postfix restart
postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
postfix/postfix-script: starting the Postfix mail system
Using Postfix
Postfix is the replacement for sendmail.
- managing the entries for mail addresses
editing the file of mail addresses (specifically for the StuRa) /etc/aliases.stura
$EDITOR /etc/aliases.stura
(possibly necessary) rebuilding the database of mail addresses for sendmail
newaliases
(possibly necessary) rebuilding the database of mail addresses for postfix (specifically for the StuRa)
postalias /etc/aliases.stura
Problem with diverting SPAM because the header entry marking detected SPAM changed
Since 2020-02-27, detected SPAM was suddenly (presumably after the maintenance work [1]) being forwarded (again).
It was found that the mail header no longer carries the marker X-HTW-Spam-Flag but (again, the default) X-Spam-Flag.
Therefore, in the file /usr/local/etc/postfix/header_checks
/^X-HTW-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
/^X-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
was added.
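To see why the second rule was needed, the following added example (not part of the wiki page or of Postfix itself) re-implements the small subset of header_checks semantics that matters here: rules are tried in order against each logical header line, matching is case-insensitive as in Postfix pcre tables, and a REDIRECT sends the whole message to the given address. The sample messages are constructed; the table with only the X-HTW-Spam-Flag rule is compared against the table shown above.

```python
import re

# header_checks before 2020-02-27: only the HTW computing centre's marker was known
OLD_HEADER_CHECKS = r"""
/^X-HTW-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
"""
# header_checks as shown on this page after the fix: the default marker was added
NEW_HEADER_CHECKS = r"""
/^X-HTW-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
/^X-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
"""
# one table line: /pattern/flags ACTION [argument]
_RULE = re.compile(r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>i?)\s+(?P<action>\S+)(?:\s+(?P<arg>.*))?$")

def parse_header_checks(text):
    """Parse a pcre: header_checks table into (compiled regex, action, argument) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError("unsupported header_checks line: %r" % line)
        # Postfix pcre tables match case-insensitively by default; the 'i' flag toggles that off
        re_flags = 0 if m.group("flags") == "i" else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), re_flags), m.group("action"), m.group("arg")))
    return rules

def logical_header_lines(raw_message):
    """Unfold the header block (everything before the first empty line) into the
    logical header lines that Postfix matches header_checks against."""
    lines = []
    for line in raw_message.splitlines():
        if line == "":
            break                                # end of headers: the body is never inspected
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()      # continuation of the previous header
        else:
            lines.append(line)
    return lines

def apply_header_checks(rules, raw_message):
    """Return (action, argument) of the first rule that matches any header line, or None."""
    for header in logical_header_lines(raw_message):
        for regex, action, arg in rules:
            if regex.search(header):
                return (action, arg)
    return None

# constructed sample messages, not mail captured from the server
SAMPLES = {
    "htw_marker":     "Subject: hi\r\nX-HTW-Spam-Flag: YES\r\n\r\nbody\r\n",
    "default_marker": "Subject: hi\r\nX-Spam-Flag: YES\r\n\r\nbody\r\n",
    "folded_marker":  "Subject: hi\r\nX-Spam-Flag:\r\n\tYES\r\n\r\nbody\r\n",
    "lowercase":      "Subject: hi\r\nx-spam-flag: yes\r\n\r\nbody\r\n",
    "clean":          "Subject: hi\r\nX-Spam-Flag: NO\r\n\r\nbody\r\n",
    "marker_in_body": "Subject: hi\r\n\r\nX-Spam-Flag: YES\r\n",
}

def redirect_targets(table_text, samples=SAMPLES):
    """Map each sample name to the address a REDIRECT rule sends it to, or None."""
    rules = parse_header_checks(table_text)
    out = {}
    for name, msg in samples.items():
        hit = apply_header_checks(rules, msg)
        out[name] = hit[1] if hit is not None and hit[0] == "REDIRECT" else None
    return out

if __name__ == "__main__":
    for label, table in (("old table", OLD_HEADER_CHECKS), ("new table", NEW_HEADER_CHECKS)):
        print(label)
        for name, target in sorted(redirect_targets(table).items()):
            print("  %-15s -> %s" % (name, target or "delivered normally"))
```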
sudo
Installing sudo
installing the package sudo
pkg install -y sudo
Configuring sudo
entering the accounts that are to be allowed to use sudo
$EDITOR /usr/local/etc/sudoers
Problem: Undefined symbol "memset_s"
- Problem
- sudo does not work (for the individual accounts).
sudo su
/usr/local/bin/sudo: Undefined symbol "memset_s"
- Cause
- A comparison with the default file for controlling the behaviour of sudo for authorised accounts and groups, /usr/local/etc/sudoers, showed that the error results from the
- Solution
- correcting the configuration in the file for controlling the behaviour of sudo for authorised accounts and groups, /usr/local/etc/sudoers
adding the setting that sudo by default asks for the password of the respective account
$EDITOR /usr/local/etc/sudoers
# Defaults targetpw  # Ask for the password of the target user
Defaults targetpw
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
maildrop
Installing maildrop
installing the package maildrop
pkg install -y maildrop
Configuring maildrop
MDA: maildrop
create the maildir in the user's home directory
maildrop-maildirmake Mail
create the file .mailfilter in the home directory:
MAILBOX="$HOME/Mail"
DEFAULT="$MAILBOX"
chmod 600 .mailfilter
chown <user> .mailfilter
incorporate maildrop into the postfix main.cf
mailbox_command = /usr/local/bin/maildrop -d ${USER}
Mailman
- installing the package Mailman
- First of all, we quickly need Mailman with Postfix.
change into the directory of the port mailman
cd /usr/ports/mail/mailman
set the configuration for the customised build of the package (mailman)
- (open question) Why do we have to set the environment variable ALLOW_UNSUPPORTED_SYSTEM=1?
make config
DOCS=on: Build and/or install documentation
HTDIG=off: - EXPERIMENTAL - htdig integration patches
NAMAZU2=off: Make private archives searchable with namazu2
NLS=on: Native Language Support
Integrate with which MTA?: you have to select exactly one of them
COURIER=off: for use with courier
EXIM4=off: for use with exim4
OPENSMTPD=off: for use with opensmtpd - EXPERIMENTAL -
POSTFIX=on: for use with postfix
SENDMAIL=off: for use with sendmail
/!\ ERROR: /!\ Ports Collection support for your FreeBSD version has ended, and no ports are guaranteed to build on this system. Please upgrade to a supported release. No support will be provided if you silence this message by defining ALLOW_UNSUPPORTED_SYSTEM.
build the package (mailman) according to the customised configuration
ALLOW_UNSUPPORTED_SYSTEM=1 make install clean
sysrc mailman_enable=YES
Mailman configuration
- Mailman migration: [2]
remote: cd /usr/local/mailman && tar -cvf mailman.tar archives data lists Mailman/mm_cfg.py
cd /usr/local/mailman && tar xvf mailman.tar
Mailman/mm_cfg.py
MTA = 'Postfix'
POSTFIX_ALIAS_CMD = '/usr/local/sbin/postalias'
POSTFIX_MAP_CMD = '/usr/local/sbin/postmap'
SMTPHOST = 'localhost'

# The default language for this server.
DEFAULT_SERVER_LANGUAGE = 'de'

# Unset send_reminders on newly created lists
DEFAULT_SEND_REMINDERS = 0
DEFAULT_SEND_WELCOME_MSG = 0
DEFAULT_SEND_GOODBYE_MSG = 0
DEFAULT_ADMIN_NOTIFY_MCHANGES = 1
DEFAULT_NEW_MEMBER_OPTIONS = 272
DEFAULT_RESPOND_TO_POST_REQUESTS = 0
DEFAULT_ADMINISTRIVIA = 0
DEFAULT_MAX_MESSAGE_SIZE = 0
DEFAULT_MAX_NUM_RECIPIENTS = 0
DEFAULT_REQUIRE_EXPLICIT_DESTINATION = 0

# SUBSCRIBE POLICY
# 0 - open list (only when ALLOW_OPEN_SUBSCRIBE is set to 1) **
# 1 - confirmation required for subscribes
# 2 - admin approval required for subscribes
# 3 - both confirmation and admin approval required
#
# ** please do not choose option 0 if you are not allowing open
# subscribes (next variable)
DEFAULT_SUBSCRIBE_POLICY = 3

# Does this site allow completely unchecked subscriptions?
ALLOW_OPEN_SUBSCRIBE = Yes

# Private_roster == 0: anyone can see, 1: members only, 2: admin only.
DEFAULT_PRIVATE_ROSTER = 0

# Are archives public or private by default?
# 0=public, 1=private
DEFAULT_ARCHIVE_PRIVATE = 1

# What should happen to non-member posts which do not match explicit
# non-member actions?
# 0 = Accept
# 1 = Hold
# 2 = Reject
# 3 = Discard
DEFAULT_GENERIC_NONMEMBER_ACTION = 0

#POSTFIX_STYLE_VIRTUAL_DOMAINS = ['stura.htw-dresden.de']

# Put YOUR site-specific settings below this line.
DEFAULT_URL_PATTERN = 'http://%s/'
DEFAULT_EMAIL_HOST = 'stura.htw-dresden.de'
DEFAULT_URL_HOST = 'lists.stura.htw-dresden.de'
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
add_virtualhost('lists.htw.stura-dresden.de', DEFAULT_EMAIL_HOST)
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = 'YES'
VIRTUAL_HOST_OVERVIEW = On
postfix-to-mailman.py
#! /usr/local/bin/python
# Python 2 script: Mailman 2.1 and the "except Exception, argument" syntax below
# require the Python 2 interpreter installed for Mailman.

# Configuration variables - Change these for your site if necessary.
MailmanHome = "/usr/local/mailman";                 # Mailman home directory.
MailmanOwner = "postmaster@stura.htw-dresden.de";   # Postmaster and abuse mail recipient.
# End of configuration variables.

# postfix-to-mailman-2.1.py (to be installed as postfix-to-mailman.py)
#
# Interface mailman to a postfix with a mailman transport. Does not require
# the creation of _any_ aliases to connect lists to your mail system.
#
# Dax Kelson, dkelson@gurulabs.com, Sept 2002.
# converted from qmail to postfix interface
# Jan 2003: Fixes for Mailman 2.1
# Thanks to Simen E. Sandberg <senilix@gallerbyen.net>
# Feb 2003: Change the suggested postfix transport to support VERP
# Thanks to Henrique de Moraes Holschuh <henrique.holschuh@ima.sp.gov.br>
#
# This script was originally qmail-to-mailman.py by:
# Bruce Perens, bruce@perens.com, March 1999.
# This is free software under the GNU General Public License.
#
# This script is meant to be called from ~mailman/postfix-to-mailman.py.
# It catches all mail to a virtual domain, eg "lists.example.com".
# It looks at the recipient for each mail message and decides if the mail is
# addressed to a valid list or not, and bounces the message with a helpful
# suggestion if it's not addressed to a list. It decides if it is a posting,
# a list command, or mail to the list administrator, by checking for the
# -admin, -owner, and -request addresses. It will recognize a list as soon
# as the list is created, there is no need to add _any_ aliases for any list.
# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root,
# and owner, and routes those mails to MailmanOwner as defined in the
# configuration variables, above.
#
# INSTALLATION:
#
# Install this file as ~mailman/postfix-to-mailman.py
#
# To configure a virtual domain to connect to mailman, edit Postfix thusly:
#
# /etc/postfix/main.cf:
#   relay_domains = ... lists.example.com
#   transport_maps = hash:/etc/postfix/transport
#   mailman_destination_recipient_limit = 1
#
# /etc/postfix/transport:
#   lists.example.com mailman:
#
# /etc/postfix/master.cf
#   mailman unix - n n - - pipe
#     flags=FR user=mailman:mailman
#     argv=/var/mailman/postfix-to-mailman.py ${nexthop} ${user}
#
#
# Replace list.example.com above with the name of the domain to be connected
# to Mailman. Note that _all_ mail to that domain will go to Mailman, so you
# don't want to put the name of your main domain here. Typically a virtual
# domain lists.domain.com is used for Mailman, and domain.com for regular
# email.
#

import sys, os, re, string

def main():
    os.nice(5)   # Handle mailing lists at non-interactive priority.
                 # delete this if you wish
    os.chdir(MailmanHome + "/lists")
    try:
        local = sys.argv[2]
    except:
        # This might happen if we're not using Postfix
        sys.stderr.write("LOCAL not set?\n")
        sys.exit(1)
    local = string.lower(local)
    local = re.sub("^mailman-", "", local)
    names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner", "abuse")
    for i in names:
        if i == local:
            os.execv("/usr/sbin/sendmail", ("/usr/sbin/sendmail", MailmanOwner))
            sys.exit(0)
    type = "post"
    types = (("-admin$", "admin"),
             ("-owner$", "owner"),
             ("-request$", "request"),
             ("-bounces$", "bounces"),
             ("-confirm$", "confirm"),
             ("-join$", "join"),
             ("-leave$", "leave"),
             ("-subscribe$", "subscribe"),
             ("-unsubscribe$", "unsubscribe"))
    for i in types:
        if re.search(i[0], local):
            type = i[1]
            local = re.sub(i[0], "", local)
    if os.path.exists(local):
        os.execv(MailmanHome + "/mail/mailman", (MailmanHome + "/mail/mailman", type, local))
    else:
        bounce()
        sys.exit(75)

def bounce():
    bounce_message = """\
TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on
http://%s/
That web page will help you subscribe or unsubscribe, and will give you
directions on how to post to each mailing list.\n"""
    sys.stderr.write(bounce_message % (sys.argv[1]))
    sys.exit(1)

try:
    sys.exit(main())
except SystemExit, argument:
    sys.exit(argument)
except Exception, argument:
    info = sys.exc_info()
    trace = info[2]
    sys.stderr.write("%s %s\n" % (sys.exc_type, argument))
    sys.stderr.write("Line %d\n" % (trace.tb_lineno))
    sys.exit(75)   # Soft failure, try again later.
Apache
Installing Apache
installing the package apache24
pkg install -y apache24
sysrc apache24_enable=YES
service apache24 start
Configuring Apache
/usr/local/etc/apache24/httpd.conf
ServerAdmin webmaster@stura.htw-dresden.de
ServerName lists.stura.htw-dresden.de:80
# Virtual hosts
Include etc/apache24/extra/httpd-vhosts.conf
/usr/local/etc/apache24/extra/httpd-vhosts.conf
<VirtualHost lists.stura.htw-dresden.de:80>
    ServerAdmin webmaster@stura.htw-dresden.de
    DocumentRoot "/usr/local/mailman/lists"
    ServerName lists.stura.htw-dresden.de
    ServerAlias lists.stura.htw-dresden.de

    <Directory /usr/local/mailman/archives/>
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    Alias /pipermail/ /usr/local/mailman/archives/public/
    Alias /images/mailman/ /usr/share/images/mailman/

    ScriptAlias /admin /usr/local/mailman/cgi-bin/admin
    ScriptAlias /admindb /usr/local/mailman/cgi-bin/admindb
    ScriptAlias /confirm /usr/local/mailman/cgi-bin/confirm
    ScriptAlias /create /usr/local/mailman/cgi-bin/create
    ScriptAlias /edithtml /usr/local/mailman/cgi-bin/edithtml
    ScriptAlias /listinfo /usr/local/mailman/cgi-bin/listinfo
    ScriptAlias /options /usr/local/mailman/cgi-bin/options
    ScriptAlias /private /usr/local/mailman/cgi-bin/private
    ScriptAlias /rmlist /usr/local/mailman/cgi-bin/rmlist
    ScriptAlias /roster /usr/local/mailman/cgi-bin/roster
    ScriptAlias /subscribe /usr/local/mailman/cgi-bin/subscribe
    ScriptAlias /mailman/ /usr/local/mailman/cgi-bin/
    ScriptAlias / /usr/local/mailman/cgi-bin/listinfo

    <Directory "/usr/local/mailman">
        AllowOverride All
        Options FollowSymlinks
        Require all granted
    </Directory>

    ErrorLog /var/log/mailman-error.log
    # CustomLog /var/log/mailman-access.log combined
</VirtualHost>
Maintenance
Updating packages
pkg lock -y postfix
#Locking postfix-3.3.0.r1,1
pkg lock -y mailman
#Locking mailman-2.1.26_4
pkg update
pkg upgrade -y
portsnap fetch update
cd /usr/ports/mail/postfix
ALLOW_UNSUPPORTED_SYSTEM=1 make build
ALLOW_UNSUPPORTED_SYSTEM=1 make deinstall
pkg unlock -y postfix
#Unlocking postfix-3.3.0.r1,1
ALLOW_UNSUPPORTED_SYSTEM=1 make install clean
pkg lock -y postfix
cd /usr/ports/mail/mailman
ALLOW_UNSUPPORTED_SYSTEM=1 make build
ALLOW_UNSUPPORTED_SYSTEM=1 make deinstall
pkg unlock -y mailman
#Unlocking mailman-2.1.26_4
ALLOW_UNSUPPORTED_SYSTEM=1 make install clean
pkg lock -y mailman
postfix is not running.
mailman is not running.
Fixing mailman permissions:
Warning: Private archive directory is other-executable (o+x).
         This could allow other users on your system to read private archives.
         If you're on a shared multiuser system, you should consult the
         installation manual on how to fix this.
No problems found
Starting mailman.
postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
postfix/postfix-script: starting the Postfix mail system
mailman-2.1.26_4 yes
postfix-3.3.1,1 yes
Migration
Moving in from Server/SRS14/2018
- updating ZFS
zfs upgrade
This system is currently running ZFS filesystem version 5.
The following filesystems are out of date, and can be upgraded. After being
upgraded, these filesystems (and any 'zfs send' streams generated from
subsequent snapshots) will no longer be accessible by older software versions.

VER  FILESYSTEM
---  ------------
 4   znyx/migration/srs14
zfs upgrade znyx/migration/srs14
1 filesystems upgraded
zfs upgrade
This system is currently running ZFS filesystem version 5.
All filesystems are formatted with the current version.
Problems
403 on the archives of public mailing lists
All Mailman content served by the web server under /pipermail/, in particular content that is simply archived publicly (for example
http://lists.stura.htw-dresden.de/pipermail/stg.htw-dresden.de/), could not simply be delivered publicly because of error 403. In practice this concerns all content in the directory /usr/local/mailman/archives/public/ (symbolic links).
The web server, which runs as the account www, needs permissions (and belongs (by default) to others).
chmod o=rx /usr/local/mailman/archives/private
- (Somehow this seems "wrong", but …) dan.langille.org apparently did it this way before, too. :-D
DNSBL
wikipedia:de:DNS-based Blackhole List
- http://dnsbllookup.com/
- http://multirbl.valli.org/dnsbl-lookup/
- http://multirbl.valli.org/dnsbl-lookup/141.56.51.14.html
- http://multirbl.valli.org/dnsbl-lookup/srs14.stura.htw-dresden.de.html
- http://multirbl.valli.org/dnsbl-lookup/mail.stura.htw-dresden.de.html
- http://multirbl.valli.org/dnsbl-lookup/141.56.51.2.html
- http://multirbl.valli.org/dnsbl-lookup/srs2.stura.htw-dresden.de.html
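The client restriction chain from main.cf above (permit_mynetworks, then reject_rbl_client against bl.spamcop.net and dnsbl.sorbs.net) and the DNSBL lookups collected in this section rest on the same mechanism. The following added example (not part of the wiki page or of Postfix itself) emulates it offline: it builds the reversed-address query names that the lookup sites above resolve, walks the restriction list in order, and replaces DNS with a constructed answer table. The listed addresses are RFC 5737 documentation addresses, and the server's own 141.56.51.14 is assumed not to be listed.

```python
import ipaddress

# values copied from main.cf on this page
MYNETWORKS = ("141.56.16.131, 141.56.16.134, 141.56.16.135, 141.56.16.136, "
              "141.56.16.231, 141.56.16.232, 141.56.50.0/26, 127.0.0.0/24, "
              "192.168.100.12, 141.56.51.0/24")
SMTPD_CLIENT_RESTRICTIONS = ("permit_mynetworks, reject_rbl_client bl.spamcop.net, "
                             "reject_rbl_client dnsbl.sorbs.net")

# constructed DNSBL answers (query name -> A record). Nothing here was really
# looked up: 198.51.100.9 and 203.0.113.7 are RFC 5737 documentation addresses;
# any name missing from the table (including the server's own 141.56.51.14)
# counts as "not listed".
CONSTRUCTED_DNSBL_ANSWERS = {
    "9.100.51.198.bl.spamcop.net": "127.0.0.2",
    "7.113.0.203.dnsbl.sorbs.net": "127.0.0.6",
}

def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client queries: the reversed octets under the zone.
    This is the name the lookup sites linked above resolve for 141.56.51.14."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_mynetworks(text):
    """mynetworks entries may be single addresses or CIDR blocks."""
    return [ipaddress.ip_network(item, strict=False)
            for item in text.replace(",", " ").split()]

def parse_restrictions(text):
    """Split a restriction list into (restriction, argument) pairs in list order."""
    tokens = text.replace(",", " ").split()
    pairs, i = [], 0
    while i < len(tokens):
        if tokens[i] == "reject_rbl_client":      # this restriction takes a zone argument
            pairs.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            pairs.append((tokens[i], None))
            i += 1
    return pairs

class ConstructedResolver:
    """Stand-in for DNS: answers come from a fixed table and every query is recorded."""
    def __init__(self, answers):
        self.answers = answers
        self.queries = []

    def lookup_a(self, name):
        self.queries.append(name)
        return self.answers.get(name)

def evaluate_client(client_ip, resolver, mynetworks=MYNETWORKS,
                    restrictions=SMTPD_CLIENT_RESTRICTIONS):
    """Walk smtpd_client_restrictions in order and return (verdict, reason)."""
    addr = ipaddress.IPv4Address(client_ip)
    nets = parse_mynetworks(mynetworks)
    for name, arg in parse_restrictions(restrictions):
        if name == "permit_mynetworks":
            if any(addr in net for net in nets):
                return ("permit", "permit_mynetworks")   # trusted: no DNSBL lookups at all
        elif name == "reject_rbl_client":
            answer = resolver.lookup_a(dnsbl_query_name(client_ip, arg))
            if answer is not None:
                return ("reject", "blocked using %s (%s)" % (arg, answer))
        else:
            raise ValueError("restriction not modelled here: " + name)
    # Postfix permits implicitly when the end of smtpd_client_restrictions is reached
    return ("permit", "end of list")

if __name__ == "__main__":
    for own_ip in ("141.56.51.14", "141.56.51.2"):
        print("query name for %s: %s" % (own_ip, dnsbl_query_name(own_ip, "bl.spamcop.net")))
    for ip in ("141.56.16.134", "192.0.2.10", "198.51.100.9", "203.0.113.7"):
        resolver = ConstructedResolver(CONSTRUCTED_DNSBL_ANSWERS)
        verdict, reason = evaluate_client(ip, resolver)
        print("%-15s %-6s %s (DNS queries: %d)" % (ip, verdict, reason, len(resolver.queries)))
```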