Clamav+Dovecot+Exim

From BSD Howto

Preparing a jail for Clamav+Dovecot+Exim

Before using this article, it is recommended to read the Qjail article first.

Creating a separate ZFS file system for the Clamav+Dovecot+Exim jail:

# zfs create zroot/usr/jails/mail

Creating a jail named "mail" with the IPv4 address "192.168.0.105", then starting it and attaching to its console:

# qjail create -4 192.168.0.105 mail
# qjail start mail
# qjail console mail

Installing security/clamav

Clam AntiVirus is an antivirus scanner that can be used with mail systems.

Detailed information is available at https://www.clamav.net/

Installation from a package:

# pkg install clamav
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 19 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        arc: 5.21q_1
        arj: 3.10.22_12
        brotli: 1.1.0,1
        clamav: 1.4.2_1,1
        curl: 8.12.1
        [list of packages to be installed omitted]

Number of packages to be installed: 19

The process will require 95 MiB more space.
21 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/19] Fetching indexinfo-0.3.1_1.pkg: 100%    6 KiB   6.0kB/s    00:01
[2/19] Fetching libnghttp2-1.65.0.pkg: 100%  136 KiB 139.4kB/s    00:01
[3/19] Fetching libxml2-2.11.9.pkg: 100%  872 KiB 893.4kB/s    00:01
[4/19] Fetching libidn2-2.3.8.pkg: 100%  160 KiB 164.2kB/s    00:01
[5/19] Fetching liblz4-1.10.0,1.pkg: 100%  163 KiB 167.3kB/s    00:01
[list of downloaded packages omitted]
Checking integrity... done (0 conflicting)
[1/19] Installing arc-5.21q_1...
[1/19] Extracting arc-5.21q_1: 100%
[2/19] Installing arj-3.10.22_12...
[2/19] Extracting arj-3.10.22_12: 100%
[3/19] Installing brotli-1.1.0,1...
[3/19] Extracting brotli-1.1.0,1: 100%
[4/19] Installing indexinfo-0.3.1_1...
[4/19] Extracting indexinfo-0.3.1_1: 100%
[5/19] Installing json-c-0.18...
[5/19] Extracting json-c-0.18: 100%
[list of installed packages omitted]
[19/19] Installing clamav-1.4.2_1,1...
===> Creating groups
Creating group 'clamav' with gid '106'
Using existing group 'mail'
===> Creating users
Creating user 'clamav' with uid '106'
Adding user 'clamav' to group 'mail'
[19/19] Extracting clamav-1.4.2_1,1: 100%

Verifying the Clamav installation:

# pkg version -v | grep clamav
clamav-1.4.2_1,1                   =   up-to-date with remote

Enabling Clam AntiVirus at boot in /etc/rc.conf:

# sysrc clamav_freshclam_enable="YES"
clamav_freshclam_enable:  -> YES
# sysrc clamav_clamd_enable="YES"
clamav_clamd_enable:  -> YES

Configuring a sanctions workaround (switching the database mirror) before running freshclam, the Clamav virus database updater, in /usr/local/etc/freshclam.conf:

#DatabaseMirror database.clamav.net
DatabaseMirror packages.microsoft.com/clamav

Starting clamav_freshclam:

# service clamav_freshclam start
Starting clamav_freshclam.

Starting clamd:

# service clamav_clamd start
Starting clamav_clamd.

Checking that Clamav is running:

# sockstat -l | grep clamav
clamav   clamd       1333 4   stream /var/run/clamav/clamd.sock
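The two checks below are an added example, not part of the original article: they confirm the outcome of the Clamav steps above (clamd listening on its UNIX socket as user clamav, and exactly the intended DatabaseMirror line active in freshclam.conf). The functions take the text to inspect as an argument, so they run here on constructed sample input and can be pointed at a live jail with clamd_socket_ok "$(sockstat -l)" and active_mirrors "$(cat /usr/local/etc/freshclam.conf)". The socket path and user name are the ones shown in the sockstat output above.

```sh
#!/bin/sh
# Added example (not from the article): post-start checks for the Clamav setup.

# Expected listener from the article: user clamav, command clamd, this socket path.
CLAMD_SOCKET=/var/run/clamav/clamd.sock

# clamd_socket_ok "<sockstat -l output>"
# Exit 0 when a clamd process running as user clamav listens on CLAMD_SOCKET.
clamd_socket_ok() {
    printf '%s\n' "$1" | awk -v sock="$CLAMD_SOCKET" '
        $1 == "clamav" && $2 == "clamd" && $NF == sock { found = 1 }
        END { exit found ? 0 : 1 }'
}

# active_mirrors "<freshclam.conf text>"
# Print the value of every DatabaseMirror line that is not commented out,
# so you can confirm that only the intended mirror is in use.
active_mirrors() {
    printf '%s\n' "$1" | awk '$1 == "DatabaseMirror" { print $2 }'
}

# mirror_count "<freshclam.conf text>" -> number of active DatabaseMirror lines
mirror_count() {
    active_mirrors "$1" | wc -l | tr -d ' '
}

# Constructed sample inputs mirroring the article's output.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
clamav   clamd       1333 4   stream /var/run/clamav/clamd.sock'

SAMPLE_FRESHCLAM='#DatabaseMirror database.clamav.net
DatabaseMirror packages.microsoft.com/clamav'

clamd_socket_ok "$SAMPLE_SOCKSTAT" && echo "clamd is listening on $CLAMD_SOCKET"
echo "active mirrors ($(mirror_count "$SAMPLE_FRESHCLAM")): $(active_mirrors "$SAMPLE_FRESHCLAM")"
```

A mirror count other than 1 means either the original database.clamav.net line was not commented out (two mirrors, the blocked one still tried first) or the new line was not added at all.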

Installing Dovecot

Installation from a package:

# pkg install dovecot
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        cyrus-sasl: 2.1.28_5
        dovecot: 2.3.21.1_2
        openldap26-client: 2.6.9_1

Number of packages to be installed: 3

The process will require 36 MiB more space.
7 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/3] Fetching cyrus-sasl-2.1.28_5.pkg: 100%    1 MiB   1.1MB/s    00:01
[2/3] Fetching openldap26-client-2.6.9_1.pkg: 100%    1 MiB   1.1MB/s    00:01
[3/3] Fetching dovecot-2.3.21.1_2.pkg: 100%    5 MiB   4.9MB/s    00:01
Checking integrity... done (0 conflicting)
[1/3] Installing cyrus-sasl-2.1.28_5...
*** Added group `cyrus' (id 60)
*** Added user `cyrus' (id 60)
[1/3] Extracting cyrus-sasl-2.1.28_5: 100%
[2/3] Installing openldap26-client-2.6.9_1...
[2/3] Extracting openldap26-client-2.6.9_1: 100%
[3/3] Installing dovecot-2.3.21.1_2...
===> Creating groups
Creating group 'dovecot' with gid '143'
Creating group 'dovenull' with gid '144'
===> Creating users
Creating user 'dovecot' with uid '143'
Creating user 'dovenull' with uid '144'
[3/3] Extracting dovecot-2.3.21.1_2: 100%
=====
Message from cyrus-sasl-2.1.28_5:

--
You can use sasldb2 for authentication, to add users use:

        saslpasswd2 -c username

If you want to enable SMTP AUTH with the system Sendmail, read
Sendmail.README

NOTE: This port has been compiled with a default pwcheck_method of
      auxprop.  If you want to authenticate your user by /etc/passwd,
      PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
      set sasl_pwcheck_method to saslauthd after installing the
      Cyrus-IMAPd 2.X port.  You should also check the
      /usr/local/lib/sasl2/*.conf files for the correct
      pwcheck_method.
      If you want to use GSSAPI mechanism, install
      ports/security/cyrus-sasl2-gssapi.
      If you want to use SRP mechanism, install
      ports/security/cyrus-sasl2-srp.
      If you want to use LDAP auxprop plugin, install
      ports/security/cyrus-sasl2-ldapdb.
=====
Message from openldap26-client-2.6.9_1:

--
The OpenLDAP client package has been successfully installed.

Edit
  /usr/local/etc/openldap/ldap.conf
to change the system-wide client defaults.

Try `man ldap.conf' and visit the OpenLDAP FAQ-O-Matic at
  http://www.OpenLDAP.org/faq/index.cgi?file=3
for more information.
=====
Message from dovecot-2.3.21.1_2:

--
You must create the configuration files yourself. Copy them over
 to /usr/local/etc/dovecot and edit them as desired:

        cp -R /usr/local/etc/dovecot/example-config/* \
                /usr/local/etc/dovecot

 The default configuration includes IMAP and POP3 services, will
 authenticate users agains the system's passwd file, and will use
 the default /var/mail/$USER mbox files.

 Next, enable dovecot in /etc/rc.conf:

        dovecot_enable="YES"


 To avoid a risk of mailbox corruption, do not set the
 security.bsd.see_other_uids or .see_other_gids sysctls to 0
 if Dovecot is storing mail for multiple concurrent users (PR 218392).

 Similarly, setting sysctls security.bsd.hardlink_check_uid or
 security.bsd.hardlink_check_gid to 1 might result in non-working
 mailboxes, depending on what mailbox locking mechanism is used
 (PR 242223).

 If you want to be able to search within attachments using the
 decode2text plugin, you'll need to install textproc/catdoc, and
 one of graphics/xpdf or graphics/poppler-utils.


 There are some potentially breaking changes in Dovecot 2.3. If you
 are upgrading from Dovecot 2.2:

   * https://doc.dovecot.org/2.3/installation_guide/upgrading/from-2.2-to-2.3/
   * Merge the configuration file changes from
     /usr/local/etc/dovecot/examples-config/

Enabling Dovecot at boot in /etc/rc.conf:

# sysrc dovecot_enable="YES"
dovecot_enable:  -> YES

Configuring Dovecot

Copying the example configuration files:

# cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot

Example settings in /usr/local/etc/dovecot/dovecot.conf:

# Serve the IMAP protocol only:
protocols = imap
# Listen on all IPv4 addresses of this host (specific IP addresses can be used instead):
listen = *

Example settings in /usr/local/etc/dovecot/dovecot-sql.conf.ext:

# Use the MySQL database server
driver = mysql
connect = host=<IP address> dbname=<database name> user=<user name> password=<password>
# Example for mail user passwords stored in the database in plain text:
default_pass_scheme = PLAIN
# Example password query when used together with PostfixAdmin
password_query = select username as user, password from mailbox where username = '%n@%d' and active = '1'
# Example mailbox lookup query when used together with PostfixAdmin
user_query = select concat('/var/spool/dovecot/', maildir) as home, 143 as uid, 143 as gid from mailbox where username = '%n@%d' and active='1'

Example authentication settings in /usr/local/etc/dovecot/conf.d/10-auth.conf:

!include auth-sql.conf.ext

Example logging settings in /usr/local/etc/dovecot/conf.d/10-logging.conf:

# Location of the log file
log_path = /var/log/dovecot.log
# Log failed authentication attempts together with the reason for the failure
auth_verbose = yes

Settings in /usr/local/etc/dovecot/conf.d/10-mail.conf:

# Store mail under the root directory /var/spool/dovecot in the layout <domain>/<mailbox name>
mail_location = maildir:/var/spool/dovecot/%d/%n
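The following is an added example, not part of the original article or of Dovecot itself. It shows how the %d (domain) and %n (local part) variables in the mail_location above expand for a login of the form user@domain, which is also the shape the '%n@%d' lookups in dovecot-sql.conf.ext rely on, and it rejects logins whose parts could escape the spool root /var/spool/dovecot. The character whitelist is an assumption made for this example, not a Dovecot rule.

```sh
#!/bin/sh
# Added example (not from the article): expand Dovecot's %d/%n variables in a
# mail_location path for a user@domain login, refusing unsafe logins.

SPOOL_TEMPLATE=/var/spool/dovecot/%d/%n   # path part of the mail_location above

# maildir_for user@domain -> prints the expanded maildir path; exit 1 if unsafe
maildir_for() {
    addr=$1
    case $addr in
        *@*@*|@*|*@) return 1 ;;   # more than one '@', or an empty part
        *@*) ;;
        *) return 1 ;;             # no domain at all: %d would be empty
    esac
    local_part=${addr%@*}          # value of %n
    domain=${addr#*@}              # value of %d
    # Assumed whitelist: plain mailbox/domain characters only, so in particular
    # no '/' and no '..' component can reach the file system path.
    case $local_part in *[!A-Za-z0-9._-]*|*..*) return 1 ;; esac
    case $domain in *[!A-Za-z0-9.-]*|*..*) return 1 ;; esac
    d='%d'; n='%n'
    path=$SPOOL_TEMPLATE
    path="${path%%$d*}$domain${path#*$d}"
    path="${path%%$n*}$local_part${path#*$n}"
    printf '%s\n' "$path"
}

# Constructed sample logins: two valid ones and two that must be refused.
for login in alice@example.org bob.smith@mail.example.org '../etc@example.org' alice; do
    if dir=$(maildir_for "$login"); then
        echo "$login -> $dir"
    else
        echo "$login -> refused"
    fi
done
```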

Installing mail/exim

Exim is a mail transfer agent for Unix systems.

Detailed information is available at http://www.exim.org/

Before using this article, it is recommended to read the PKG article first.

Installation from a package:

# pkg install exim
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 46 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        brotli: 1.1.0,1
        curl: 8.12.1
        cyrus-sasl: 2.1.28_5
        exim: 4.98.2
        gettext-runtime: 0.23.1
        [list of packages to be installed omitted]

Number of packages to be installed: 46

The process will require 308 MiB more space.
50 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/46] Fetching indexinfo-0.3.1_1.pkg: 100%    6 KiB   6.0kB/s    00:01
[2/46] Fetching cyrus-sasl-2.1.28_5.pkg: 100%    1 MiB   1.1MB/s    00:01
[3/46] Fetching libcjson-1.7.18_2.pkg: 100%   39 KiB  39.5kB/s    00:01
[4/46] Fetching libnghttp2-1.65.0.pkg: 100%  136 KiB 139.4kB/s    00:01
[5/46] Fetching p5-HTTP-Date-6.06.pkg: 100%   11 KiB  11.0kB/s    00:01
[list of downloaded packages omitted]
Checking integrity... done (0 conflicting)
[1/46] Installing brotli-1.1.0,1...
[1/46] Extracting brotli-1.1.0,1: 100%
[2/46] Installing cyrus-sasl-2.1.28_5...
*** Added group `cyrus' (id 60)
*** Added user `cyrus' (id 60)
[2/46] Extracting cyrus-sasl-2.1.28_5: 100%
[3/46] Installing icu-76.1,1...
[3/46] Extracting icu-76.1,1: 100%
[4/46] Installing indexinfo-0.3.1_1...
[4/46] Extracting indexinfo-0.3.1_1: 100%
[5/46] Installing gettext-runtime-0.23.1...
[5/46] Extracting gettext-runtime-0.23.1: 100%
[list of installed packages omitted]
=====
Message from cyrus-sasl-2.1.28_5:

--
You can use sasldb2 for authentication, to add users use:

        saslpasswd2 -c username

If you want to enable SMTP AUTH with the system Sendmail, read
Sendmail.README

NOTE: This port has been compiled with a default pwcheck_method of
      auxprop.  If you want to authenticate your user by /etc/passwd,
      PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
      set sasl_pwcheck_method to saslauthd after installing the
      Cyrus-IMAPd 2.X port.  You should also check the
      /usr/local/lib/sasl2/*.conf files for the correct
      pwcheck_method.
      If you want to use GSSAPI mechanism, install
      ports/security/cyrus-sasl2-gssapi.
      If you want to use SRP mechanism, install
      ports/security/cyrus-sasl2-srp.
      If you want to use LDAP auxprop plugin, install
      ports/security/cyrus-sasl2-ldapdb.
=====
Message from openldap26-client-2.6.9_1:

--
The OpenLDAP client package has been successfully installed.

Edit
  /usr/local/etc/openldap/ldap.conf
to change the system-wide client defaults.

Try `man ldap.conf' and visit the OpenLDAP FAQ-O-Matic at
  http://www.OpenLDAP.org/faq/index.cgi?file=3
for more information.
=====
Message from groff-1.23.0_4:

--
In order to be able to use the html driver, you need to install the following
packages:
 - ghostscript
 - netpbm
--
===>   NOTICE:

The groff port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://docs.freebsd.org/en/articles/contributing/#ports-contributing
=====
Message from mysql80-client-8.0.41:

--
This is the mysql CLIENT without the server.
for complete server and client, please install databases/mysql80-server
=====
Message from exim-4.98.2:

--
The following documentation has been installed:

  man exim                              -> Exim options (command line)
  /usr/local/share/doc/exim/spec.txt    -> Exim Specification (User Guide)
  /usr/local/share/doc/exim/filter.txt  -> Exim Filter Specification (for end-users)

Postscript, PDF, HTML and texinfo versions of these documents can be
installed via one of the mail/exim-doc-* ports.

An online version as well as a comprehensive FAQ and a mailing list
archive is available at:

  http://www.exim.org/

Descriptions of new features not available it the manual, and a listing
of all changes, including bug fixes are documented in:

  /usr/local/share/doc/exim/NewStuff
  /usr/local/share/doc/exim/ChangeLog

To use Exim instead of sendmail on startup:

*) Clear the sendmail queue and stop the sendmail daemon.
*) Adjust mailer.conf(5) as appropriate.
*) Set the 'sendmail_enable' rc.conf(5) variable to 'NONE'.
*) Set the 'daily_status_include_submit_mailq' and
   'daily_clean_hoststat_enable' periodic.conf(5)
   variables to 'NO'.
*) Consider setting 'daily_queuerun_enable' and
   'daily_submit_queuerun' to "NO" in periodic.conf(5),
   if you intend to manage queue runners / deliveries closely.
*) Set the 'exim_enable' rc.conf(5) variable to 'YES'.
*) Start exim with '/usr/local/etc/rc.d/exim start'.

You may also want to configure newsyslog(8) to rotate Exim log files:

/var/log/exim/mainlog   mailnull:mail 640 7 * @T00 ZN
/var/log/exim/rejectlog mailnull:mail 640 7 * @T00 ZN

Additional scripts to help upgrading are installed in:

  /usr/local/share/examples/exim

Enabling Exim at boot in /etc/rc.conf:

# sysrc exim_enable="YES"
exim_enable:  -> YES

Explanation of the mail/exim installation output

Configuring rotation of the Exim log files by adding the following lines to /etc/newsyslog.conf (see the newsyslog(8) hint in the package message above):

/var/log/exim/mainlog   mailnull:mail 640 7 * @T00 ZN
/var/log/exim/rejectlog mailnull:mail 640 7 * @T00 ZN

Configuring mail/exim

Defining the list of local domains served by this server (the "@" entry enables local deliveries):

domainlist local_domains = @ : ${lookup mysql{select domain from domain where domain='${domain}' and active='1'}}

Defining the list of hosts that may use this server to relay outgoing mail (this usually covers the whole local network as well as the server itself):

hostlist   relay_from_hosts = localhost : 192.168.0.0/24
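The script below is an added example, not from the article or from Exim: it evaluates a relay_from_hosts style list ("localhost : 192.168.0.0/24") against a client IPv4 address the way you would sanity-check the list before relying on it, and it flags entries so broad that the server would become an open relay. Only IPv4 literals and CIDR blocks are handled; treating "localhost" as 127.0.0.1 is an assumption of this example (Exim matches it by host name), and hostname entries are simply skipped.

```sh
#!/bin/sh
# Added example (not from the article): check which clients an Exim-style
# hostlist admits for relaying, and flag open-relay entries.

# ip_to_int a.b.c.d -> the address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/BITS ADDR -> exit 0 if ADDR lies within the block
cidr_contains() {
    net=${1%/*}
    bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32          # bare address == /32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# may_relay "HOSTLIST" ADDR -> exit 0 if some entry of the list matches ADDR
may_relay() {
    client=$2
    oldifs=$IFS; IFS=:
    set -- $(echo "$1" | tr -d ' ')        # split on ':' after dropping spaces
    IFS=$oldifs
    for entry; do
        [ "$entry" = localhost ] && entry=127.0.0.1   # assumption, see lead-in
        case $entry in *[!0-9./]*) continue ;; esac   # skip hostname entries
        cidr_contains "$entry" "$client" && return 0
    done
    return 1
}

# broad_entry_count "HOSTLIST" -> prints how many entries have a prefix shorter
# than /8 (for example 0.0.0.0/0); such an entry lets practically any host relay.
broad_entry_count() {
    count=0
    oldifs=$IFS; IFS=:
    set -- $(echo "$1" | tr -d ' ')
    IFS=$oldifs
    for entry; do
        case $entry in */*) bits=${entry#*/} ;; *) continue ;; esac
        case $bits in *[!0-9]*|'') continue ;; esac
        if [ "$bits" -lt 8 ]; then
            echo "WARNING: relay entry $entry is an open-relay risk" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Walk-through with the article's list and constructed client addresses.
RELAY_FROM_HOSTS='localhost : 192.168.0.0/24'
for ip in 192.168.0.105 127.0.0.1 203.0.113.7; do
    if may_relay "$RELAY_FROM_HOSTS" "$ip"; then
        echo "$ip: relaying allowed"
    else
        echo "$ip: relaying denied"
    fi
done
broad_entry_count "$RELAY_FROM_HOSTS" >/dev/null
```

Run the walk-through against your own list before enabling the server: the only addresses that should be allowed are the jail itself and the local network, and broad_entry_count should print 0.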