7/27/2019 spam guja

1/6

I will use the following software: Web Server: Nginx v1.1.19/Uwsgi v1.0.3 Database Server: MySQL v5.5.28 Mail Server: Postfix v2.9.3 Caching DNS Server: Dnsmasq 2.59 Filter: MailScanner v4.84.5-3 Frontend: Baruwa v1.1.2-4sn

Credit goes to the guys at HowToForge and the developers of MailScanner, Baruwa,Clamav, Nginx/Uwsgi, Mysql, Postfix, Spamassassin, Razor/Pyzor/DCC and Firehol.

BASE INSTALL

1. Install minimum vm optionSet hostname to server1

2. Default guided partition method3. Setup user:

u: administratorp: passwordNo encryption

4. No auto-updates5. Install OpenSSH

POST INSTALLATION1. Get root Privileges

Enable the root login by running the following and giving root a password. You can then directly log in as root:

sudo passwd root

2. Configure The Network

Because the Ubuntu installer has configured our system to get its network settin

gs via DHCP, we have to change that now because a server should have a static IPaddress. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

vi /etc/network/interfaces

and make it look like the following:

# This file describes the network interfaces available on your system# and how to activate them. For more information, see interfaces(5).# The loopback network interfaceauto loiface lo inet loopback

# The primary network interfaceauto eth0iface eth0 inet static

address 192.168.0.100netmask 255.255.255.0network 192.168.0.0broadcast 192.168.0.255gateway 192.168.0.1dns-nameservers 192.168.0.1

7/27/2019 spam guja

2/6

Then restart your network:

/etc/init.d/networking restart

vi /etc/hosts

and make it look like this:

127.0.0.1 localhost.localdomain localhost192.168.0.100 server1.example.com server1# The following lines are desirable for IPv6 capable hosts::1 localhost ip6-localhost ip6-loopbackfe00::0 ip6-localnetff00::0 ip6-mcastprefixff02::1 ip6-allnodesff02::2 ip6-allroutersff02::3 ip6-allhosts

Now run:

echo server1.example.com > /etc/hostnamereboot now

Afterwards, run:

hostnamehostname -f

Both should show server1.example.com now.

3. Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Install dash as /bin/sh?

7/27/2019 spam guja

3/6

apt-get install mysql-client mysql-server libdbd-mysql-perl -y

You will be asked to provide a password for the MySQL root user - this passwordis valid for the user root@localhost as well as root@server1.example.com, so wedon't have to specify a MySQL root password manually later on:

New password for the MySQL "root" user: server1.example.com

Stop Postfix:

postfix stop

vi /etc/postfix/master.cf

and make it look like the following:

pickup fifo n - - 60 1 pickup-o content_filter=-o receive_override_options=no_header_body_checks

Edit main.cf:

vi /usr/src/postfix.sh

with the following:

#!/bin/shpostconf -e "alias_maps = hash:/etc/aliases"newaliasespostconf -e "myorigin = domain.tld"postconf -e "myhostname = server1.domain.tld"postconf -e "mynetworks = 127.0.0.0/8, 192.168.0.0/24"postconf -e "message_size_limit = 10485760"postconf -e "local_transport = error:No local mail delivery"postconf -e "mydestination = "postconf -e "local_recipient_maps = "postconf -e "relay_domains = mysql:/etc/postfix/mysql-relay_domains.cf"postconf -e "relay_recipient_maps = mysql:/etc/postfix/mysql-relay_recipients.cf"

postconf -e "transport_maps = mysql:/etc/postfix/mysql-transports.cf"postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"postconf -e "disable_vrfy_command = yes"postconf -e "strict_rfc821_envelopes = no"postconf -e "smtpd_banner = $myhostname ESMTP SpamSnake"postconf -e "smtpd_delay_reject = yes"postconf -e "smtpd_recipient_limit = 100"postconf -e "smtpd_helo_required = yes"postconf -e "smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, permit"

7/27/2019 spam guja

4/6

postconf -e "smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, permit"postconf -e "smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit"postconf -e "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_unauth_destination, whitelist_policy, grey_policy, rbl_policy, spf_policy, permit"postconf -e "smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining"postconf -e "smtpd_restriction_classes = spf_policy, grey_policy, whitelist_policy"postconf -e "spf_policy = check_policy_service unix:private/policy-spf"postconf e "policy-spf_time_limit = 3600s"postconf -e "rbl_policy = reject_rbl_client zen.spamhaus.org, reject_rbl_clientbl.spamcop.net"postconf -e "grey_policy = check_policy_service unix:private/greyfix"postconf -e "whitelist_policy = check_client_access mysql:/etc/postfix/mysql-global_whitelist.cf, check_sender_access mysql:/etc/postfix/mysql-global_whitelist.cf"postconf -e "header_checks = regexp:/etc/postfix/header_checks"touch /etc/postfix/virtualecho "root administrator@example.com" >> /etc/postfix/virtual && echo "abuse administrator@example.com" >> /etc/postfix/virtual && echo "postmaster administrator@example.com" >> /etc/postfix/virtual

postmap /etc/postfix/virtualtouch /etc/postfix/header_checksecho "/^Received:/ HOLD" >> /etc/postfix/header_checkspostmap /etc/postfix/header_checkscat > /etc/postfix/mysql-global_whitelist.cf

7/27/2019 spam guja

5/6

query = select concat('smtp:[', mail_hosts.address, ']', ':', port) 'transport'from mail_hosts, user_addresses where user_addresses.address = '%s' AND user_addresses.id = mail_hosts.useraddress_id;hosts = 127.0.0.1EOF

Note: For this step, make sure to replace anything@example.com, example.com and@example.com with real values that matches your setup.

Make it executable and run it:

chmod +x /usr/src/postfix.sh./usr/src/postfix.sh

*Note: The user/password for the cf files needs to be the same as the user/password you'll use with your Baruwa DB setup later on. Make sure to change everything in red before running the script.

Postfix Recipient Callout(Optional)

This feature queries the recipient server to see if the recipient exists. If not, it replies with a 550 error to the sending server and drops the connection. Ifthe user does exist, the SpamSnake will continue processing the email. This is

just another method to prevent backscatter, but comes at a price. Read up on itat http://www.postfix.org/ADDRESS_VERIFICATION_README.html. You can skip this method and use the script method (later on in this guide) if you decide it will bog down your server.

vi /etc/postfix/main.cf and add the following:

verify_recipient = reject_unknown_recipient_domain, reject_unverified_recipientlook_ahead = check_recipient_access hash:/etc/postfix/accessunverified_recipient_reject_code = 550address_verify_map = btree:/var/lib/postfix/verify

Add this to your smtpd_restriction_classes:

verify_recipient, look_ahead

Add this to smptd_recipient_restrictions:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, look_ahead, whitelist_policy, grey_policy, rbl_policy, spf_policy, permit

Create the access file:

touch /etc/postfix/access

Add your domains:

cat > /etc/postfix/access

7/27/2019 spam guja

6/6

Postmap it:

postmap /etc/postfix/access

Final look at the Postfix install:

less /etc/postfix/main.cf

Check the contents of the file for errors and repair if needed. Fire up Postfix:

postfix start

Check that Postfix responds:

telnet 127.0.0.1 25

You should see:

220 [yourFQDNhere] ESMTP Postfix (Ubuntu)