opensmtpd for the real world mail server tutorial...introduction–background softwaredeveloper...
TRANSCRIPT
OpenSMTPD for the Real WorldMail Server Tutorial
Aaron Poffenberger
2016-06-09 Thu
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 1 38
Outline
1 Introduction
2 Tutorial Goals and Prerequisites
3 OpenSMTPD
4 PF
5 BGP-Spamd
6 Amavisd Overview
7 ClamAV
8 Dovecot
9 SpamAssassin
10 Conclusion
11 Resources
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 2 38
Introduction ndash Background
Software developer30+ years17+ years professionallySecurity software developerDesign and implementsecure APIsConsulting
IT BackgroundBoeingISP (dial-up land)ConsultingDevOps
Software DevelopmentExperience
PentaSafe TechnologiesNetIQTheAnimenetworkcomBRS LabsGiant Gray
InfoSecSoftware vulnerabilityassessmentAuditingCISSP 2005+US Army
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 3 38
Introduction ndash Other
OpenBSD userAmateur radio enthusiastElectronics hobbyist
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 4 38
Introduction ndash You
Enough about me letrsquos talk about you
Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSD
FreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSD
NetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSD
DragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Outline
1 Introduction
2 Tutorial Goals and Prerequisites
3 OpenSMTPD
4 PF
5 BGP-Spamd
6 Amavisd Overview
7 ClamAV
8 Dovecot
9 SpamAssassin
10 Conclusion
11 Resources
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 2 38
Introduction ndash Background
Software developer30+ years17+ years professionallySecurity software developerDesign and implementsecure APIsConsulting
IT BackgroundBoeingISP (dial-up land)ConsultingDevOps
Software DevelopmentExperience
PentaSafe TechnologiesNetIQTheAnimenetworkcomBRS LabsGiant Gray
InfoSecSoftware vulnerabilityassessmentAuditingCISSP 2005+US Army
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 3 38
Introduction ndash Other
OpenBSD userAmateur radio enthusiastElectronics hobbyist
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 4 38
Introduction ndash You
Enough about me letrsquos talk about you
Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSD
FreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSD
NetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSD
DragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash Background
Software developer30+ years17+ years professionallySecurity software developerDesign and implementsecure APIsConsulting
IT BackgroundBoeingISP (dial-up land)ConsultingDevOps
Software DevelopmentExperience
PentaSafe TechnologiesNetIQTheAnimenetworkcomBRS LabsGiant Gray
InfoSecSoftware vulnerabilityassessmentAuditingCISSP 2005+US Army
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 3 38
Introduction ndash Other
OpenBSD userAmateur radio enthusiastElectronics hobbyist
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 4 38
Introduction ndash You
Enough about me letrsquos talk about you
Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSD
FreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSD
NetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSD
DragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash Other
OpenBSD userAmateur radio enthusiastElectronics hobbyist
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 4 38
Introduction ndash You
Enough about me letrsquos talk about you
Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSD
FreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSD
NetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSD
DragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you
Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSD
FreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSD
NetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSD
DragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSD
FreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSD
NetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSD
DragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSD
FreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSD
NetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSD
DragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSD
NetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSD
DragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSD
DragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSD
HardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD
MidnightBSDAnyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit to
Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSD
UbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD
Windows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Introduction ndash You
Enough about me letrsquos talk about you Who runs
OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD
Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 5 38
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Tutorial Goals
Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 6 38
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Tutorial Goals
Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 7 38
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Tutorial Prerequisites
One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)
Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended
OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
OpenSMPTD Overview
man smtpd(8)History The smtpd program first appeared in OpenBSD 46
Started by Gilles Chehade in late 2008ISC licensePrimarily developed by
Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others
Portable version begun by Charles LongeauFound on
NetBSD FreeBSD DragonFlyBSD Mac OS X Linux
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 9 38
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
OpenSMTPD Overview - Notes
OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection
If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg
Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 10 38
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Important Keywords
includeMacrostablepkilistentagaccept|rejectdeliveruserbase
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 11 38
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Important Keywords - Macros
Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 12 38
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Important Keywords - table
Use to provide additional configuration informationLists or key-value mappings
Types db or fileMay also be inlined with comma-separated values (list orkey=value)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 13 38
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Important Keywords - pki
Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 14 38
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Important Keywords - listen
Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify
hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname
porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 15 38
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Important Keywords - accept|reject
Accept or reject messages based on SMTP session infoCriteria for evaluation
tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 16 38
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Important Keywords - accept|reject
Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 17 38
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Important Keywords - accept|reject
Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 18 38
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Important Keywords - deliver
Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol
lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd
deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 19 38
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
OpenSMTPD Configuration
man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files
include etcmailsmtpdconflocal
See example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 20 38
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
PF Overview
man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30
Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to
FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 21 38
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
PF Configuration
Need to add a few rulesSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 22 38
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
BGP-Spamd - Overview
Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd
pf by modifying a specific white-list tablespamd by creating file create by a cron job
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 23 38
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
BGP-Spamd - Configuration
$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 24 38
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
BGP-Spamd - Configuration
Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 25 38
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
BGP-Spamd Cron Job
Add line to root crontab
0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 26 38
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Amavisd Overview
amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP
Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 27 38
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Amavisd - Configuration
Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary
Lots of optional dials and knobs
See example in etcamavisdconf in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 28 38
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
ClamAV - Overview
ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 29 38
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
ClamAV - Configuration
Just a few changes are necessaryLots of optional dials and knobs
See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file
Already done in example in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 30 38
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Dovecot - Overview
Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 31 38
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Dovecot - Configuration
Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 32 38
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
SpamAssassin - Overview
Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 33 38
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
SpamAssassin - Configuration
Not many necessary changesLots of optional dials and knobs
Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 34 38
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Conclusion
You have questions I may have answers
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 35 38
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Contact Details
Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 36 38
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Resources
NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 37 38
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-
Blogs and Other Information
Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users
That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping
Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 38 38
- Introduction
- Tutorial Goals and Prerequisites
- OpenSMTPD
- PF
- BGP-Spamd
- Amavisd Overview
- ClamAV
- Dovecot
- SpamAssassin
- Conclusion
- Resources
-