StuRa:Server/srs14
PT and bommel built this on 2018-02-09 following the documentation at Server/Jails/SRS14.
Purpose
- replacement for Server/Jails/SRS14
- receiving mail for mail addresses in the domain stura.htw-dresden.de
- management of mail addresses (of persons and of functional roles)
- distribution of mail for mail addresses (of functional roles)
- archiving of mail for mail addresses (of functional roles)
- graphical interface for managing mailing lists
- avoidance of forwarding SPAM
- (archiving (as a backup copy) for mail addresses of employees)
Operating system
- Maschine/nyx
- Jail FreeNAS
- FreeBSD
- STABLE
- (11.1)
Installation
- pkg update
- pkg install apache24 maildrop sudo
Mailman and Postfix must be built from ports because the mailman package is built for sendmail as MTA, while we need Postfix. Otherwise there are permission problems with the wrapper script between Postfix and Mailman: Mailman's setgid mail wrapper (/usr/local/mailman/mail/mailman) only accepts calls from the group it was compiled for, so a build configured for sendmail refuses calls coming from Postfix with "Failure to exec script. WANTED gid ..., GOT gid ...".
Package management
Primarily the normal (simple) package management (with pkg) is used.
But using the ports collection (freebsd-handbook:ports-using) became necessary.
- The previous instance used the combination of the packages Postfix and Mailman. The default Mailman package is built without the Postfix option (see pkg search -Q options mailman). Damn!
- Rather than taking the risk of dealing with the configuration when doing without Postfix, we simply build the package ourselves. For that, however, the ports collection is needed.
Ports collection
portsnap fetch extract
(portsnap has since been removed from FreeBSD; from 14.0 on the ports tree is fetched with git from git.FreeBSD.org/ports.git instead.)
Packages
Packages for applications
Mailman
- Installing the Mailman package
- First of all we quickly need Mailman with Postfix.
Change into the directory of the mailman port
cd /usr/ports/mail/mailman
Set the configuration for the customised build of the package (mailman)
- <?!?>Why do we have to set the environment variable ALLOW_UNSUPPORTED_SYSTEM=1?</?!?>
The ports framework refuses to build when the OS version it detects (OSVERSION) is one the ports tree no longer supports and aborts with "Ports Collection support for your FreeBSD version has ended"; ALLOW_UNSUPPORTED_SYSTEM=1 overrides only that check. In this jail the userland comes from the FreeNAS release, which presumably reports a version outside the range the ports tree accepted at the time.
ALLOW_UNSUPPORTED_SYSTEM=1 make config
DOCS=on: Build and/or install documentation
HTDIG=off: - EXPERIMENTAL - htdig integration patches
NAMAZU2=off: Make private archives searchable with namazu2
NLS=on: Native Language Support
Integrate with which MTA?: you have to select exactly one of them
COURIER=off: for use with courier
EXIM4=off: for use with exim4
OPENSMTPD=off: for use with opensmtpd - EXPERIMENTAL -
POSTFIX=on: for use with postfix
SENDMAIL=off: for use with sendmail
Build the package (mailman) according to the customised configuration
ALLOW_UNSUPPORTED_SYSTEM=1 make install
sysrc mailman_enable=YES
Apache
sysrc apache24_enable=YES
Postfix
Change into the directory of the postfix port
cd /usr/ports/mail/postfix
Set the configuration for the customised build of the package (postfix)
ALLOW_UNSUPPORTED_SYSTEM=1 make config
BDB : off
CDB : off
DOCS : on
EAI : on
INST_BASE : off
LDAP : off
LDAP_SASL : off
LMDB : off
MYSQL : off
NIS : off
PCRE : on
PGSQL : off
SASL : off
SASLKMIT : off
SASLKRB5 : off
SQLITE : off
TEST : off
TLS : on
Build the package (postfix) according to the customised configuration
ALLOW_UNSUPPORTED_SYSTEM=1 make install
INFO: All further prompts during the build process are answered with the suggested setting.
sysrc postfix_enable=YES
sysrc sendmail_enable=NO
sendmail_enable=NO only stops the listening sendmail daemon; the FreeBSD handbook's Postfix instructions also set sendmail_submit_enable, sendmail_outbound_enable and sendmail_msp_queue_enable to NO so that no sendmail process is started at all. Also point the sendmail(8) front end at Postfix: on FreeBSD /usr/sbin/sendmail is mailwrapper(8), so sendmail, send-mail, mailq and newaliases must be mapped to /usr/local/sbin/sendmail in /usr/local/etc/mail/mailer.conf (or /etc/mail/mailer.conf). Without that, local submission and the newaliases command used below still end up at the base-system sendmail.
maildrop
sudo
Configuration
Services
SSH
SSH is needed to connect securely to Server/srs14. On Server/srs14 this is needed in particular for the (unfortunately still tedious) management of the entries for mail addresses.
- permanent activation of the SSH service
service sshd status
Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
service sshd onestatus
sshd is not running.
sysrc sshd_enable
sshd_enable: NO
sysrc sshd_enable=YES
sshd_enable: NO -> YES
service sshd status
sshd is not running.
service sshd start
Generating RSA host key.
Performing sanity check on sshd configuration.
Starting sshd.
- The sshd rc script automatically generated host key pairs (RSA, ECDSA and ED25519) in /etc/ssh/; these identify the server to clients and are not keys of the root account.
service sshd status
sshd is running as pid 12345.
sysrc sshd_enable
sshd_enable: YES
- Configuration of the SSH service (the quick version)
(optional) backup of the default configuration file of the SSH service
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
Adjusting the configuration of the SSH service
- Change the port on which the SSH service listens (out of "tradition")
- Allow password login for the SSH service
- There are people who do not know how managing personal key pairs works (and who should not have to have it explained to them), but who are still supposed to help with managing mail addresses and therefore need to log in remotely.
With password authentication enabled on a reachable host, password strength is the only barrier against guessing: keep PermitRootLogin at its default of no, keep the set of accounts that may log in small (for example with AllowUsers), and watch /var/log/auth.log for failed logins. A non-standard port does not replace any of that; it only reduces the noise from untargeted scanners.
$EDITOR /etc/ssh/sshd_config
diff /etc/ssh/sshd_config.default /etc/ssh/sshd_config
17a18
> Port 1234
75a77
> PasswordAuthentication yes
- oder
diff /etc/ssh/sshd_config.default /etc/ssh/sshd_config
17c17
< #Port 22
---
> Port 1234
75c75
< #PasswordAuthentication no
---
> PasswordAuthentication yes
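The port and password-authentication change above, as an added example (this script is not part of the original page): a POSIX sh script that sets an sshd_config keyword idempotently, rewriting an active line, replacing a commented default such as "#Port 22", or inserting a missing keyword in front of the first Match block, so that repeated runs do not accumulate duplicate lines. It reads back the value sshd will actually use (first active line in the global section) and runs sshd -t on the file before the service is restarted. The port 1234 is the page's placeholder; the value for PermitRootLogin is the added recommendation from the text.

```shell
#!/bin/sh
# Idempotent sshd_config editing with POSIX sh + awk (added example, not from the
# original page). Keywords match case-insensitively, as in sshd, and only in the
# global section: the first "Match" line ends that section, and a keyword that is
# not present yet is inserted before it (or appended if there is no Match block).

# sshd_set FILE KEYWORD VALUE
#   - an active "Keyword value" line is rewritten in place
#   - a commented default ("#Keyword value") becomes the active line
#   - further active duplicates in the global section are commented out
#   - an absent keyword is inserted before the first Match block (or appended)
sshd_set() {
    sshd_file=$1; sshd_kw=$2; sshd_val=$3
    sshd_tmp="$sshd_file.tmp.$$"
    awk -v kw="$sshd_kw" -v val="$sshd_val" '
        BEGIN { lkw = tolower(kw); done = 0; in_match = 0 }
        {
            line = $0
            is_comment = (line ~ /^[[:space:]]*#/)
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and "#"
            split(line, f, /[[:space:]=]+/)                  # f[1] is the keyword
            key = tolower(f[1])
            if (!in_match && !is_comment && key == "match") {
                if (!done) { print kw " " val; done = 1 }    # global section ends here
                in_match = 1
            }
            if (!in_match && key == lkw) {
                if (!done) { print kw " " val; done = 1; next }
                if (!is_comment) { print "#" $0; next }      # disarm a later duplicate
            }
            print
        }
        END { if (!done) print kw " " val }
    ' "$sshd_file" > "$sshd_tmp" && mv "$sshd_tmp" "$sshd_file"
}

# sshd_get FILE KEYWORD: print the value sshd will use (first active global line)
sshd_get() {
    awk -v kw="$2" '
        BEGIN { lkw = tolower(kw) }
        /^[[:space:]]*#/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == "match") exit
            if (tolower(f[1]) == lkw) { print f[2]; exit }
        }
    ' "$1"
}

# sshd_check FILE: syntax check with sshd -t where sshd is installed
sshd_check() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here, skipping syntax check" >&2
    fi
}

# usage: sh sshd_set.sh /etc/ssh/sshd_config   (then: service sshd restart)
if [ -n "$1" ]; then
    cfg=$1
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d)"
    sshd_set "$cfg" Port 1234                   # placeholder port, as on the page
    sshd_set "$cfg" PasswordAuthentication yes
    sshd_set "$cfg" PermitRootLogin no          # keep root out now that passwords are allowed
    sshd_check "$cfg" && printf 'Port=%s PasswordAuthentication=%s PermitRootLogin=%s\n' \
        "$(sshd_get "$cfg" Port)" "$(sshd_get "$cfg" PasswordAuthentication)" \
        "$(sshd_get "$cfg" PermitRootLogin)"
fi
```

The script does not use sed -i because its syntax differs between the BSD and GNU versions; awk into a temporary file and mv is portable. Keywords that legitimately occur more than once (HostKey, ListenAddress) are outside what sshd_set is meant for.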
Accounts
Adding system accounts.
Mail - employees
- Rossberg
Shell: nologin
remote: cd /home/rossberg && tar -cvf rossberg.tar .mailfilter Mail .mail_aliases .rhosts
cd /home/rossberg && tar -xvf rossberg.tar
(.rhosts is an rsh/rlogin trust file; sshd ignores it by default (IgnoreRhosts yes), so it only has an effect if host-based authentication is enabled. Check after the restore that .mailfilter is still mode 600 and owned by the user, as required by maildrop.)
Mail - spam
- Spam
Shell: nologin
Clean SPAM older than 30 days
Source of the program: http://forum.directadmin.com/attachment.php?s=b1485c6c4b4d501d922e5b7f48d6e07c&attachmentid=427&d=1167030675, modified by PT.
The file is stored at /etc/periodic/daily/900.cleanspam and is run daily by periodic(8), which starts it without arguments.
#!/bin/sh
# Clean SPAM older than x days from a Maildir (tested under DA + Dovecot + SA)
# Published 27 Oct 2006 under GNU/GPL License by Pinkkeyhost.com, Korakot Eamopas (kkeonline[at]yahoo.com)
# Bugfix 25 Dec 2006
# Modified 25.02.2018 by pwnytail to run under Postfix + maildrop
#
# settings
# delete spam older than x days
DAYS=30
# your logfile
logfile="/var/log/cleanspam.log"
# home directories and Maildir name (maildrop delivers to $HOME/Mail, see home_mailbox in main.cf)
DA="/usr/home"
SP="Mail"
# periodic(8) runs the daily scripts without arguments, so a usage check that
# exits when no user is given would make the script a no-op under periodic.
# Default to the spam account; a user list can still be passed for manual runs:
#   sh /etc/periodic/daily/900.cleanspam spam rossberg
USERS="${*:-spam}"

# Nothing to be changed from here
LOGDATE=$(date "+%y-%m-%d %H:%M")
{
    echo ""
    echo "==============================="
    echo "SCRIPT RUNNING ON $LOGDATE"
    echo "==============================="
} >> "$logfile"

for user in $USERS; do
    # skip if not a user folder
    [ -d "$DA/$user" ] || continue
    echo "" >> "$logfile"
    echo "CHECKING USER : $user" >> "$logfile"
    # skip accounts without a Maildir
    [ -d "$DA/$user/$SP" ] || continue
    for nct in new cur tmp; do
        [ -d "$DA/$user/$SP/$nct" ] || continue
        # regular files older than $DAYS days; Maildir file names contain no
        # whitespace, so reading them line by line is safe
        find "$DA/$user/$SP/$nct/" -type f -mtime +"$DAYS" |
        while IFS= read -r oldfile; do
            printf 'DELETE : %s : ' "$oldfile" >> "$logfile"
            # keep a bit of info (the first header line) about what is deleted
            head -n 1 "$oldfile" >> "$logfile"
            rm -f "$oldfile"
        done
    done
done
Aliases
/etc/aliases.stura
newaliases
newaliases rebuilds every file listed in alias_database, i.e. both /etc/aliases and /etc/aliases.stura. Alias files use the "name: value" format and must be compiled with postalias, not postmap (postmap would store "name:" including the colon as the key, so no lookup would ever match); a single file can be rebuilt by hand with postalias /etc/aliases.stura. The Mailman aliases in /usr/local/mailman/data/aliases are generated and compiled by Mailman itself (bin/genaliases, via POSTFIX_ALIAS_CMD from mm_cfg.py).
Sudo
/usr/local/etc/sudoers
Enter which system accounts may use sudo.
Postfix
/usr/local/etc/postfix/main.cf
myhostname = mail.stura.htw-dresden.de
mydomain = stura.htw-dresden.de
smtp_bind_address = 141.56.50.14
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
local_recipient_maps = unix:passwd.byname $alias_maps
# 141.56.16.134 - 141.56.16.136 mail exchangers of the RZ (university computing centre)
# 141.56.16.231 - 232 mail relays of the RZ
mynetworks = 141.56.16.131, 141.56.16.134, 141.56.16.135, 141.56.16.136, 141.56.16.231, 141.56.16.232, 141.56.50.0/26, 127.0.0.0/24, 192.168.100.12
alias_maps = hash:/etc/aliases, hash:/etc/aliases.stura, hash:/usr/local/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/etc/aliases.stura
home_mailbox = Mail/
mail_spool_directory = /var/mail
mailbox_command = /usr/local/bin/maildrop -d ${USER}
header_checks = pcre:$config_directory/header_checks
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_rhsbl_sender blackhole.securitysage.com
smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_unknown_recipient_domain,
check_client_access hash:/usr/local/etc/postfix/rbl_override,
reject_rbl_client sbl.spamhaus.org,
permit
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
smtpd_client_restrictions =
permit_mynetworks,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.sorbs.net
smtpd_relay_restrictions =
permit_mynetworks,
defer_unauth_destination
Note that defer_unauth_destination answers unauthorised relay attempts with a temporary (4xx) error, so the sending side keeps retrying for days; on a host that is the final destination for its domains, reject_unauth_destination (a permanent 5xx) is the usual choice. Either way the host is not an open relay.
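The DNS blocklists named in the restrictions above (sbl.spamhaus.org, bl.spamcop.net, dnsbl.sorbs.net, and the domain-based blackhole.securitysage.com used by reject_rhsbl_sender) should be checked before Postfix is allowed to reject on them, because lists do get shut down and a lapsed zone may start answering every query. The following script is an added example and not part of the original page. It applies the RFC 5782 self-test: an IP-based list must list 127.0.0.2 and must not list 127.0.0.1; a domain-based list must list the name "test" and must not list "invalid". It assumes that host(1) prints "NAME has address A.B.C.D" for a positive answer, which holds for the BIND host and for the ldns host in FreeBSD base.

```shell
#!/bin/sh
# RFC 5782 liveness check for the DNS blocklists in main.cf (added example, not
# part of the original page). A zone that answers for the must-not-list entry is
# broken or wildcarded and would, with reject_rbl_client, reject every client;
# a zone that answers for neither entry is dead and only costs a lookup per client.
# Assumption: host(1) prints "NAME has address A.B.C.D" for a positive answer.

# has_a NAME: succeed when NAME resolves to at least one A record
has_a() {
    host -t A "$1" 2>/dev/null | grep -q 'has address'
}

# reverse_ip 141.56.50.14 -> 14.50.56.141 (DNSBLs are queried by reversed IP)
reverse_ip() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# classify ZONE MUST_NOT_LIST MUST_LIST: print wildcard, ok or dead
classify() {
    if has_a "$2.$1"; then
        echo wildcard
    elif has_a "$3.$1"; then
        echo ok
    else
        echo dead
    fi
}

# dnsbl_status ZONE: IP-based list, as used by reject_rbl_client
dnsbl_status() {
    classify "$1" "$(reverse_ip 127.0.0.1)" "$(reverse_ip 127.0.0.2)"
}

# rhsbl_status ZONE: domain-based list, as used by reject_rhsbl_sender
rhsbl_status() {
    classify "$1" invalid test
}

# dnsbl_listed ZONE IP: is a concrete client IP listed? (the question reject_rbl_client asks)
dnsbl_listed() {
    has_a "$(reverse_ip "$2").$1"
}

# usage: sh dnsbl_check.sh sbl.spamhaus.org bl.spamcop.net dnsbl.sorbs.net
#        sh dnsbl_check.sh -r blackhole.securitysage.com   (domain-based lists after -r)
mode=dnsbl
for zone in "$@"; do
    case $zone in
        -r) mode=rhsbl; continue ;;
    esac
    if [ "$mode" = rhsbl ]; then
        printf '%-30s %s\n' "$zone" "$(rhsbl_status "$zone")"
    else
        printf '%-30s %s\n' "$zone" "$(dnsbl_status "$zone")"
    fi
done
```

Run it from the mail host itself, with the resolver Postfix uses: Spamhaus answers queries that it refuses (for example from a public resolver, or beyond the free-use limit) with codes in 127.255.255.0/24 instead of a listing, and reject_rbl_client would treat any answer as a hit. Restricting the match to the documented listing codes, e.g. reject_rbl_client sbl.spamhaus.org=127.0.0.[2..3], keeps such errors from turning into rejections.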
/usr/local/etc/postfix/master.cf
Activate the Mailman wrapper script
mailman unix - n n - - pipe
flags=FR user=mailman:mailman argv=/usr/local/mailman/postfix-to-mailman.py ${nexthop} ${user}
/usr/local/etc/postfix/header_checks
/^X-HTW-Spam-Flag:\s+YES/ REDIRECT spam@stura.htw-dresden.de
/usr/local/etc/postfix/rbl_override
<RZ mail servers, both as domain name and as IP address>
/usr/local/etc/postfix/relay_recipients
@stura.htw-dresden.de OK
/usr/local/etc/postfix/transport
kss-sachsen.de smtp:lrs0x018.kss-sachsen.de
Creating the database files (in /usr/local/etc/postfix)
postmap rbl_override relay_recipients transport
header_checks is declared as a pcre: table in main.cf and is read directly by cleanup(8); running postmap on it would only produce an unused header_checks.db. Note also that the main.cf excerpt above references neither transport_maps nor relay_recipient_maps, so the transport and relay_recipients files built here are not in use until those parameters are set; postconf transport_maps relay_recipient_maps shows the current values.
Start postfix
$ service postfix restart
postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
postfix/postfix-script: starting the Postfix mail system
Apache
/usr/local/etc/apache24/httpd.conf
...
ServerAdmin webmaster@stura.htw-dresden.de
...
ServerName lists.stura.htw-dresden.de:80
...
# Virtual hosts
Include etc/apache24/extra/httpd-vhosts.conf
...
/usr/local/etc/apache24/extra/httpd-vhosts.conf
<VirtualHost lists.stura.htw-dresden.de:80>
ServerAdmin webmaster@stura.htw-dresden.de
DocumentRoot "/usr/local/mailman/lists"
ServerName lists.stura.htw-dresden.de
ServerAlias lists.stura.htw-dresden.de
<Directory /usr/local/mailman/archives/>
Options FollowSymLinks
AllowOverride None
</Directory>
Alias /pipermail/ /usr/local/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
ScriptAlias /admin /usr/local/mailman/cgi-bin/admin
ScriptAlias /admindb /usr/local/mailman/cgi-bin/admindb
ScriptAlias /confirm /usr/local/mailman/cgi-bin/confirm
ScriptAlias /create /usr/local/mailman/cgi-bin/create
ScriptAlias /edithtml /usr/local/mailman/cgi-bin/edithtml
ScriptAlias /listinfo /usr/local/mailman/cgi-bin/listinfo
ScriptAlias /options /usr/local/mailman/cgi-bin/options
ScriptAlias /private /usr/local/mailman/cgi-bin/private
ScriptAlias /rmlist /usr/local/mailman/cgi-bin/rmlist
ScriptAlias /roster /usr/local/mailman/cgi-bin/roster
ScriptAlias /subscribe /usr/local/mailman/cgi-bin/subscribe
ScriptAlias /mailman/ /usr/local/mailman/cgi-bin/
ScriptAlias / /usr/local/mailman/cgi-bin/listinfo
<Directory "/usr/local/mailman">
AllowOverride All
Options FollowSymlinks
Require all granted
</Directory>
ErrorLog /var/log/mailman-error.log
# CustomLog /var/log/mailman-access.log combined
</VirtualHost>
Three things to check in this vhost. DocumentRoot points at /usr/local/mailman/lists, which holds every list's config.pck (member addresses and, in Mailman 2.1, the members' passwords); it is only hidden because ScriptAlias / routes every remaining URL to the listinfo CGI, so if that catch-all is ever removed Apache would serve the list data. Point DocumentRoot at an empty directory instead. The target of Alias /images/mailman/ is the Debian location; the FreeBSD port installs the icons under /usr/local/mailman/icons/. And the vhost is plain HTTP, so the admin, admindb and private-archive passwords travel in the clear; a TLS vhost together with DEFAULT_URL_PATTERN = 'https://%s/' in mm_cfg.py fixes that.
maildrop
MDA: maildrop
Create the Maildir in the user's home directory
maildrop-maildirmake Mail
Create the file .mailfilter in the home directory:
MAILBOX="$HOME/Mail"
DEFAULT="$MAILBOX"
chmod 600 .mailfilter
chown <user> .mailfilter
Hook maildrop into the Postfix main.cf
mailbox_command = /usr/local/bin/maildrop -d ${USER}
Mailman
- Mailman migration: [[1]]
remote: cd /usr/local/mailman && tar -cvf mailman.tar archives data lists Mailman/mm_cfg.py
cd /usr/local/mailman && tar xvf mailman.tar
Mailman/mm_cfg.py
MTA = 'Postfix'
POSTFIX_ALIAS_CMD = '/usr/local/sbin/postalias'
POSTFIX_MAP_CMD = '/usr/local/sbin/postmap'
SMTPHOST = 'localhost'
# The default language for this server.
DEFAULT_SERVER_LANGUAGE = 'de'
# Unset send_reminders on newly created lists
DEFAULT_SEND_REMINDERS = 0
DEFAULT_SEND_WELCOME_MSG = 0
DEFAULT_SEND_GOODBYE_MSG = 0
DEFAULT_ADMIN_NOTIFY_MCHANGES = 1
DEFAULT_NEW_MEMBER_OPTIONS = 272
DEFAULT_RESPOND_TO_POST_REQUESTS = 0
DEFAULT_ADMINISTRIVIA = 0
DEFAULT_MAX_MESSAGE_SIZE = 0
DEFAULT_MAX_NUM_RECIPIENTS = 0
DEFAULT_REQUIRE_EXPLICIT_DESTINATION = 0
# SUBSCRIBE POLICY
# 0 - open list (only when ALLOW_OPEN_SUBSCRIBE is set to 1) **
# 1 - confirmation required for subscribes
# 2 - admin approval required for subscribes
# 3 - both confirmation and admin approval required
#
# ** please do not choose option 0 if you are not allowing open
# subscribes (next variable)
DEFAULT_SUBSCRIBE_POLICY = 3
# Does this site allow completely unchecked subscriptions?
ALLOW_OPEN_SUBSCRIBE = Yes
# Private_roster == 0: anyone can see, 1: members only, 2: admin only.
DEFAULT_PRIVATE_ROSTER = 0
# Are archives public or private by default?
# 0=public, 1=private
DEFAULT_ARCHIVE_PRIVATE = 1
# What should happen to non-member posts which do not match explicit
# non-member actions?
# 0 = Accept
# 1 = Hold
# 2 = Reject
# 3 = Discard
DEFAULT_GENERIC_NONMEMBER_ACTION = 0
#POSTFIX_STYLE_VIRTUAL_DOMAINS = ['stura.htw-dresden.de']
# Put YOUR site-specific settings below this line.
DEFAULT_URL_PATTERN = 'http://%s/'
DEFAULT_EMAIL_HOST = 'stura.htw-dresden.de'
DEFAULT_URL_HOST = 'lists.stura.htw-dresden.de'
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
add_virtualhost('lists.htw.stura-dresden.de',DEFAULT_EMAIL_HOST)
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = 'YES'
VIRTUAL_HOST_OVERVIEW = On
postfix-to-mailman.py
#! /usr/local/bin/python
# Mailman 2.1 is Python 2 software: point the interpreter line at the Python 2
# installed by the port (e.g. /usr/local/bin/python2.7) if plain "python" is missing.
#
# Configuration variables - Change these for your site if necessary.
MailmanHome = "/usr/local/mailman"                # Mailman home directory.
MailmanOwner = "postmaster@stura.htw-dresden.de"  # Postmaster and abuse mail recipient.
# End of configuration variables.

# postfix-to-mailman-2.1.py (to be installed as postfix-to-mailman.py)
#
# Interface mailman to a postfix with a mailman transport. Does not require
# the creation of _any_ aliases to connect lists to your mail system.
#
# Dax Kelson, dkelson@gurulabs.com, Sept 2002.
# converted from qmail to postfix interface
# Jan 2003: Fixes for Mailman 2.1
# Thanks to Simen E. Sandberg <senilix@gallerbyen.net>
# Feb 2003: Change the suggested postfix transport to support VERP
# Thanks to Henrique de Moraes Holschuh <henrique.holschuh@ima.sp.gov.br>
#
# This script was originally qmail-to-mailman.py by:
# Bruce Perens, bruce@perens.com, March 1999.
# This is free software under the GNU General Public License.
#
# This script is meant to be called from ~mailman/postfix-to-mailman.py.
# It catches all mail to a virtual domain, eg "lists.example.com".
# It looks at the recipient for each mail message and decides if the mail is
# addressed to a valid list or not, and bounces the message with a helpful
# suggestion if it's not addressed to a list. It decides if it is a posting,
# a list command, or mail to the list administrator, by checking for the
# -admin, -owner, and -request addresses. It will recognize a list as soon
# as the list is created, there is no need to add _any_ aliases for any list.
# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root,
# and owner, and routes those mails to MailmanOwner as defined in the
# configuration variables, above.
#
# INSTALLATION:
#
# Install this file as ~mailman/postfix-to-mailman.py
#
# To configure a virtual domain to connect to mailman, edit Postfix thusly:
#
# /etc/postfix/main.cf:
# relay_domains = ... lists.example.com
# transport_maps = hash:/etc/postfix/transport
# mailman_destination_recipient_limit = 1
#
# /etc/postfix/transport:
# lists.example.com mailman:
#
# /etc/postfix/master.cf
# mailman unix - n n - - pipe
# flags=FR user=mailman:mailman
# argv=/var/mailman/postfix-to-mailman.py ${nexthop} ${user}
#
# Replace lists.example.com above with the name of the domain to be connected
# to Mailman. Note that _all_ mail to that domain will go to Mailman, so you
# don't want to put the name of your main domain here. Typically a virtual
# domain lists.domain.com is used for Mailman, and domain.com for regular
# email.
#
import os
import re
import sys

# Added check: the local part comes straight from the envelope recipient. Only
# accept what a Mailman list name can look like, so that something like
# "../etc" can never reach os.path.exists() or the wrapper's argv.
LISTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9_.-]*$")


def main():
    os.nice(5)  # Handle mailing lists at non-interactive priority.
                # delete this if you wish
    os.chdir(MailmanHome + "/lists")
    try:
        local = sys.argv[2]          # ${user} from master.cf: the recipient local part
    except IndexError:
        # This might happen if we're not using Postfix
        sys.stderr.write("LOCAL not set?\n")
        sys.exit(1)
    local = local.lower()
    local = re.sub("^mailman-", "", local)
    names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner",
             "abuse")
    if local in names:
        # site-wide role addresses go back to the MTA, addressed to MailmanOwner
        os.execv("/usr/sbin/sendmail",
                 ("/usr/sbin/sendmail", MailmanOwner))
        sys.exit(0)
    type = "post"
    types = (("-admin$", "admin"),
             ("-owner$", "owner"),
             ("-request$", "request"),
             ("-bounces$", "bounces"),
             ("-confirm$", "confirm"),
             ("-join$", "join"),
             ("-leave$", "leave"),
             ("-subscribe$", "subscribe"),
             ("-unsubscribe$", "unsubscribe"))
    for suffix, command in types:
        if re.search(suffix, local):
            type = command
            local = re.sub(suffix, "", local)
    # a list exists when Mailman has a directory of that name under lists/
    if LISTNAME_RE.match(local) and os.path.exists(local):
        os.execv(MailmanHome + "/mail/mailman",
                 (MailmanHome + "/mail/mailman", type, local))
    else:
        bounce()
    sys.exit(75)


def bounce():
    bounce_message = """\
TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on
http://%s/
That web page will help you subscribe or unsubscribe, and will
give you directions on how to post to each mailing list.\n"""
    # sys.argv[1] is ${nexthop} from master.cf, i.e. the list domain
    sys.stderr.write(bounce_message % (sys.argv[1]))
    sys.exit(1)


if __name__ == "__main__":
    try:
        sys.exit(main())
    except SystemExit as e:
        # re-raise with the numeric status: sys.exit(e) with the exception
        # object would print it and always exit with status 1
        sys.exit(e.code)
    except Exception as e:
        info = sys.exc_info()
        sys.stderr.write("%s %s\n" % (info[0].__name__, e))
        sys.stderr.write("Line %d\n" % (info[2].tb_lineno))
        sys.exit(75)  # Soft failure, try again later.
Mounts
To make handling the data (e.g. mail archives and mail accounts) easier, it is kept in a separate ZFS dataset and then mounted into the jail (nullfs).
/mnt/znyx/data/maildrop/rossberg on /mnt/znyx/jails/srs14/usr/home/rossberg/Mail (nullfs, local)
/mnt/znyx/data/maildrop/spam on /mnt/znyx/jails/srs14/usr/home/spam/Mail (nullfs, local)
/mnt/znyx/data/mailman/archives on /mnt/znyx/jails/srs14/usr/local/mailman/archives (nullfs, local)
/mnt/znyx/data/mailman/data on /mnt/znyx/jails/srs14/usr/local/mailman/data (nullfs, local)
/mnt/znyx/data/mailman/lists on /mnt/znyx/jails/srs14/usr/local/mailman/lists (nullfs, local)
Maintenance
Updating packages