Mailgw for FJFI Petr Vokáč April 2006 previous presentations and configuration info

Presentation transcript:

Mailgw for FJFI – Petr Vokáč, April 2006 (previous presentations and configuration info)

Content
● Data flow
● Postfix
● PPolicy
● Amavis
● DKIM, OpenLDAP, ...
● Links

Mailgw for FJFI – data flow
[Diagram: Internet <-> FJFI Mailgw (mailgw1, mailgw2) <-> local mailserver; the gateway does mail routing for incoming mail and acts as smart host for outgoing mail; PDA clients also connect to it]

Mailgw for FJFI – Postfix
[Diagram: incoming mail on smtp:25, smtps:465 and smtp:587 -> default restrictions -> ppolicy -> queue -> amavis-new (antivir, antispam) -> dkimproxy (DKIM signing) -> name canonization -> queue -> SMTP communication with the remote server; local submissions (mynetworks, SMTP AUTH) enter the queue directly; the content-filter stages are chained over local ports :10024, :10025, :10026, :10027, :10028, :10029 and :10030]

Default restrictions I
SMTP session with mailgw1 (IP addresses, the SIZE value and the addresses in MAIL FROM/RCPT TO/From/To were lost in the transcript):
  ~]$ telnet mailgw1.fjfi.cvut.cz 25
  Trying
  Connected to mailgw1.fjfi.cvut.cz ().
  Escape character is '^]'.
  220 mailgw1.fjfi.cvut.cz ESMTP CTU FNSPE 1st MX NO UCE NO SPAM
  EHLO kmlinux.fjfi.cvut.cz
  250-mailgw1.fjfi.cvut.cz
  250-PIPELINING
  250-SIZE
  250-VRFY
  250-ETRN
  250-STARTTLS
  250 8BITMIME
  MAIL FROM:
  250 Ok
  RCPT TO:
  250 Ok
  DATA
  354 End data with <CR><LF>.<CR><LF>
  From:
  To:
  Subject: SMTP test
  This is SMTP conversation.
  .
  250 Ok: queued as 4ED6843DAB
Restriction lists evaluated at the successive stages of the session: smtpd_client_restrictions, smtpd_helo_restrictions, smtpd_sender_restrictions, smtpd_recipient_restrictions, smtpd_data_restrictions, smtpd_end_of_data_restrictions

Default restrictions II
● smtpd_client_restrictions
  – none – all of these rules stop a lot of legitimate mail
    ● reject_unknown_client is too restrictive (A->PTR->A)
    ● reject_rbl_client – blacklists
  – reject_unknown_reverse_client_hostname (A->PTR)
● smtpd_helo_restrictions
  – none for FJFI domain
  – reject invalid HELO names (554)
    ● fjfi.cvut.cz, , , localhost
  – reject_invalid_hostname (501)
    ● invalid HELO/EHLO syntax (illegal characters, ...)
  – other restrictions could stop legitimate mail (1/3 smtpd)
    ● reject_non_fqdn_hostname
    ● reject_unknown_hostname

Default restrictions III
● smtpd_sender_restrictions
  – none for FJFI domain and SASL-authenticated clients
  – reject_unknown_sender_domain (450)
  – reject_non_fqdn_sender (504)
    ● apply this rule also for FJFI domain? – mailgw appends its own name (mailgwX.fjfi.cvut.cz) – illegal FROM address
  – check_sender_mx_access (554)
    ● reject mail from domains with incorrect MX records (private net, ...)
  – check_sender_access (554)
    ● reject mail – dangerous – not used
    ● reject_unverified_sender (use for selected domains?) – used only for senders from IPs outside the CTU FNSPE range

Default restrictions IV
● smtpd_recipient_restrictions
  – none for FJFI domain and SASL-authenticated clients
    ● allow only from
  – reject_unauth_destination (554)
    ● "open-relay" rule (allow only forwarded and local mail)
  – reject_unknown_recipient_domain (450)
    ● recipient domain must exist
  – reject_unverified_recipient (550)
    ● only if recipient is in FJFI domain
    ● requires correct configuration of the local mail servers
  – check_recipient_mx_access (554)
    ● reject mail for domains with incorrect MX – otherwise it stays in the queue
  – check_policy_service
    ● ppolicy daemon – see next slides
● smtpd_data_restrictions – pipelining, multibounce

ppolicy daemon I
● Postfix SMTP Access Policy Delegation –
  – checking mail during the SMTP connection
    ✔ rejecting mail at an early stage of reception – uses fewer resources (bandwidth, CPU – antivir/antispam, ...)
    ✔ we don't send any bounce mail (backscatter)
    ✔ it is up to the sending mail server to generate the correct delivery failure message (using the information from our reject code)
    ✗ less information available – client IP/name, sender, recipient, HELO name, SASL info, ...
    ✗ short time to check (otherwise the SMTP connection can time out)
    ✗ problems in case of a fatal error – temporarily rejecting mail (mailing lists, incorrectly configured servers) – depends on correct configuration of the ppolicy daemon
    ✗ rejecting mail with code 450 => it will come again, and again, ...
  – any ideas what to check/reject? Statistical analysis.

ppolicy daemon II
● ppolicy daemon –
  ● RPM package, /etc/postfix/{main.cf,ppolicy.conf}
  – modular multi-threaded daemon
    ● python + python-twisted (+ dnspython + MySQL + GeoIP + ...)
    ● flexible configuration (python code, combining results of modules)
  – Modules
    ● simple interface – easy to write your own modules
    ● implemented
      – List, ListBW, ListMailDomain, ListDyn
      – Dnsbl, DnsblDynamic, DnsblScore, Resolve, SPF
      – Greylist, Verification
      – Country, DOS, Trap
      – DumpDataDB, DumpDataFile
  – User configurations (similar to Amavis)?
  – Discuss ppolicy.conf for FNSPE, modules, ...
CERN.CH rules
  ● Forbidden attachments
  ● No reverse DNS configured for IP
  ● Reverse SMTP Connect
  ● Flood stopper
  ● IP blacklist
  ● Hostname blacklist
  ● Sender blacklist
  ● Recipient blacklist
FNAL.GOV rules
  ● Don't from outside

ppolicy daemon III
● Configuration (~70% rejected)
  – accept/reject mail from blacklist/whitelist
    ● client_address, client_name, sender mail/domain
  – score the request
    ● use DNSBL and spamassassin score
    ● incorrect mailserver configuration (DNS PTR, HELO, ...)
    ● average amavis score, auto-whitelist for sender, *.biz, ...
  – requests with a high score
    ● apply "reject rules", slow down mail processing?!
    ● e.g. mailserver verification, greylist, DNS, HELO, ...
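The check_policy_service hook from the recipient restrictions and the ppolicy slides above rely on the Postfix access-policy protocol: Postfix sends name=value lines ended by an empty line and expects an action= reply. The following is an added example, not the FJFI ppolicy daemon or any of its modules; it shows that exchange with a whitelist, a blacklist (554) and a greylist-style temporary 450 reject, and the lists and the sample request are constructed for the example.

```python
"""Minimal Postfix SMTP access-policy responder (added example, not the FJFI
ppolicy daemon).  Postfix sends one request per SMTP stage as name=value
lines ended by an empty line; the reply is 'action=...' plus an empty line."""
from typing import Dict, Set, Tuple

# Constructed sample lists; the real daemon keeps such data in its modules/MySQL cache.
CLIENT_BLACKLIST = {"192.0.2.66"}                  # documentation address, constructed
SENDER_DOMAIN_WHITELIST = {"fjfi.cvut.cz"}         # local domain named on the slides
GREYLIST_SEEN: Set[Tuple[str, str, str]] = set()   # (client, sender, recipient) triplets

def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse the attribute block Postfix sends to check_policy_service."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if not line:                      # empty line terminates the request
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs: Dict[str, str]) -> str:
    """Return the Postfix action for one request.

    FJFI senders and SASL-authenticated clients are not checked, a blacklisted
    client gets a permanent 554, and an unseen (client, sender, recipient)
    triplet gets DEFER_IF_PERMIT, which Postfix turns into a 450 so the sending
    server retries and no bounce is generated on our side."""
    sender = attrs.get("sender", "")
    sender_domain = sender.rpartition("@")[2].lower()
    if attrs.get("sasl_username") or sender_domain in SENDER_DOMAIN_WHITELIST:
        return "DUNNO"                    # let the remaining restrictions run
    client = attrs.get("client_address", "")
    if client in CLIENT_BLACKLIST:
        return "554 5.7.1 Client blacklisted"
    triplet = (client, sender, attrs.get("recipient", ""))
    if triplet not in GREYLIST_SEEN:
        GREYLIST_SEEN.add(triplet)
        return "DEFER_IF_PERMIT Greylisted, please try again later"
    return "DUNNO"

def handle(raw: str) -> str:
    """Full exchange: request text in, reply text (with its terminating empty line) out."""
    return "action=%s\n\n" % decide(parse_policy_request(raw))

# Constructed request, shaped like what Postfix sends at the RCPT stage
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
    "client_address=203.0.113.5\nclient_name=mx.example.net\nhelo_name=mx.example.net\n"
    "sender=user@example.net\nrecipient=someone@fjfi.cvut.cz\nsasl_username=\n\n"
)
```

Calling handle(SAMPLE_REQUEST) twice shows the greylist behaviour: the first contact is deferred, the retry passes with DUNNO.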

Amavis daemon
● Antivirus – KAV
  – drop all infected mail – don't send any notification
  – use a database to log these events?
● Spamfilter – spamassassin (3.1)
  – sa-update + SARE rules (including adult, oem, drug, ...)
  – my custom rules (geocity, vesmirni-lide, ...)
    ● allow other administrators to create new rules?
  – learn bayes –
● User configuration –
  – LDAP amavisAccount, for all addresses (mail, mla)
  – multiple fjfiMailRoutingAddress, amavisSpamTag*
  – mail/domain blacklist/whitelist
● remove or change the MIME type of executable attachments?

DKIM daemon
● DomainKeys Identified Mail vs SPF
  – mail headers are signed by the outgoing mail server
    ● we can verify this signature (public key in DNS)
    ● these headers can't be faked
  – it doesn't mean that such mail is not spam – it can only be used as one of the spam decision criteria
  – still in the process of standardization (IETF WG) –
● Supported by many big companies
  – AOL, Cisco, IBM, Sendmail, Yahoo, ...
  – and used by many others
    ● Google, CERN, ...
● Implementation –
  ● not yet mature, but Mail-DKIM is now part of spamassassin

OpenLDAP daemon
● data synchronization – automatic
  – Users
    ● requires correct GAN in the data source (NDS, ADS)!!!
    ● expired accounts? (ou=Odpad, entryStatus=K, ...)
  – groups, special – required only for user configuration for mail
  – synchronization interval?, online (access)
● user configurations
  – mail address rewriting/canonization rules
  – mail routing, user configurations for amavis
  – see:
● addressbook
  – access restriction? (usermap from cvut.cz)
  – phone numbers and rooms in Usermap?

Other daemons
● SMTP AUTH – TLS (25, 587), SSL (465)
  – plain text login
  – global authentication source
    ● requires a secure connection to the LDAP service (TLS, SSL)
    ✔ Usermap, Novell NDS, OpenLDAP
    ✗ Windows ADS
● MySQL
  – persistent cache for results of ppolicy modules
  – amavis quarantine info
● DNS – named (cache for faster DNS lookups – rbl, mx, ...)
● SMTP-unrelated daemons – RADIUS (eduroam), racoon (VPN), snmpd (monitoring), watchdog

Admin info
● User mail configuration, user whitelist –
● Log & summary information accessible –
  – rrd.cgi/?cfg=mailgw1.fjfi.cvut.cz_comp
● Service status (SMTP, LDAP, ...) – ?