Linux Server

Postfix + SSL + IPv6 + ClamAV + SpamAssassin + SPF + DKIM + DMARCの構築方法

  

ご注意下さい

この記事は3年以上前に書かれた記事ですので、内容が古い可能性があります。

0
(0)

お知らせ

  • 設定に関して過不足や勘違い等の不備がありますので適宜見直しをかけています。

(2021/2/8)以下の修正を行いました

  • ClamAVに関してパターンファイルのアップデート方法について追記
  • SpamAssassinに関してアップデート方法についての追記

永らく愛用してきたqmailですが、CentOS8化に伴いIPv6に対応しようとしたところIPv6対応が難しかったため、Qmail+Courier-Imapとは訣別し、Postfix+Dovecotで新たに構築しようと思います。またF-Protも残念ながら2021年7月末を以て個人用とのサポートは打ち切られるようです。これを機にアンチウィルスソフトはClamAVに変更しようと思います。

2021年7月31日でサポートが切れるようです

なお、Sophos Antivirus for Linuxについてもサポートが終了した模様です。

[Linuxウィルス対策]Sophos Antivirus for Linux のインストール方法
主に法人向けのウィルス対策ソフトを提供しているSophosの個人向けLinuxウィルス対策ソフト「Sophos Antivirus for Linux」をインストールする方法を紹介します。…
[Linuxウィルス対策]Sophos Antivirus for Linux のインストール方法

構築したいメール環境

さて、構築方法を解説する前に今回私が構築しようとしている環境について説明します。

ざっくりとした環境説明の図

簡単に解説しますと、私の自宅環境では外部メールサーバーと内部メールサーバーの2台構成です。

メール受信時は、外部メールサーバーはSMTP(25/tcp)を受け付けて、コンテンツチェッカーであるamavisd-newに渡します(tcp/10024)。amavisd-newはウィルスチェックソフトであるClamAVとSpamAssassinを呼び出してメールのチェックをします。

問題が無ければ、Virtualファイルに従いローカル配送かリレー配送します。リレーの場合はtransportファイルでリレールートが決定されます。上記に加えて、iphoneから外部接続しますので、SMTPS(465/tcp)とIMAPS(993/tcp)の口を用意しておく必要があります。また、Postfix + pypolicyd-spfでSPFのチェックもメール受信時に実行していますが、図には表していません。

メール送信時には(図がありませんが)、opendkimにてDKIM署名をして送信、という流れになります。

さて、では設定について見ていきましょう。PostfixとDovecotはインストール済みであるとしています。

Amavisd-New

インストール

Amavisd-newをインストールします。

# dnf install amavisd-new
メタデータの期限切れの最終確認: 0:26:55 時間前の 2021年02月03日 19時37分45秒 に実施しました。
エラー: 
 問題: conflicting requests
  - nothing provides perl(IO::Stringy) needed by amavis-2.12.1-5.el8.noarch
(インストール不可のパッケージをスキップするには、'--skip-broken' を追加してみてください または、'--nobest' を追加して、最適候補のパッケージのみを使用しないでください)
# 

なんだかperl(IO::stringy)の依存関係チェックでエラーとなりますのでPowertoolsレポジトリを有効にします。

/etc/yum.repos.d/CentOS-Linux-PowerTools.repoを編集して、レポジトリを有効にしましょう。

[powertools]
name=CentOS Linux $releasever - PowerTools
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=PowerTools&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$releasever/PowerTools/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

# dnf install amavisd-new
CentOS Linux 8 - PowerTools                                                                                                                              1.5 MB/s | 2.0 MB     00:01    
依存関係が解決しました。
=========================================================================================================================================================================================
 パッケージ                                         アーキテクチャー                      バージョン                                     リポジトリー                              サイズ
=========================================================================================================================================================================================
インストール:
 amavis                                             noarch                                2.12.1-5.el8                                   epel                                      413 k
依存関係のインストール:
 altermime                                          x86_64                                0.3.10-21.el8                                  epel                                       66 k
 clamav-data                                        noarch                                0.103.0-1.el8                                  epel                                      220 M
 clamav-filesystem                                  noarch                                0.103.0-1.el8                                  epel                                       43 k
 clamav-lib                                         x86_64                                0.103.0-1.el8                                  epel                                      853 k
 libidn                                             x86_64                                1.34-5.el8                                     appstream                                 239 k
 libprelude                                         x86_64                                5.2.0-1.el8                                    epel                                      326 k
 perl-Archive-Zip                                   noarch                                1.60-3.el8                                     appstream                                 108 k
 perl-Authen-SASL                                   noarch                                2.16-13.el8                                    appstream                                  57 k
 perl-BerkeleyDB                                    x86_64                                0.63-2.el8                                     epel                                      154 k
 perl-Convert-ASN1                                  noarch                                0.27-17.el8                                    appstream                                  60 k
 perl-Convert-BinHex                                noarch                                1.125-13.el8                                   epel                                       49 k
 perl-File-LibMagic                                 x86_64                                1.16-9.el8                                     epel                                       44 k
 perl-GSSAPI                                        x86_64                                0.28-23.el8                                    appstream                                  63 k
 perl-IO-Multiplex                                  noarch                                1.16-9.el8                                     appstream                                  31 k
 perl-IO-stringy                                    noarch                                2.111-9.el8                                    powertools                                 71 k
 perl-JSON                                          noarch                                2.97.001-2.el8                                 appstream                                  96 k
 perl-MIME-tools                                    noarch                                5.509-9.el8                                    epel                                      249 k
 perl-Net-LibIDN                                    x86_64                                0.12-35.el8                                    epel                                       34 k
 perl-Net-Server                                    noarch                                2.009-3.el8                                    appstream                                 209 k
 perl-Razor-Agent                                   x86_64                                2.85-33.el8                                    epel                                      123 k
 perl-Text-Soundex                                  x86_64                                3.05-8.el8                                     appstream                                  32 k
 perl-Text-Unidecode                                noarch                                1.30-5.el8                                     appstream                                 149 k
 perl-Unix-Syslog                                   x86_64                                1.1-29.el8                                     appstream                                  35 k
 perl-common-sense                                  x86_64                                3.7.4-8.el8                                    powertools                                 35 k
弱い依存関係のインストール:
 arj                                                x86_64                                3.10.22-30.el8                                 epel                                      184 k
 clamd                                              x86_64                                0.103.0-1.el8                                  epel                                      121 k
 freeze                                             x86_64                                2.5.0-26.el8                                   epel                                       38 k
 lzop                                               x86_64                                1.03-20.el8                                    baseos                                     62 k
 nomarch                                            x86_64                                1.4-21.el8                                     epel                                       26 k
 p7zip                                              x86_64                                16.02-16.el8                                   epel                                      691 k
 p7zip-plugins                                      x86_64                                16.02-16.el8                                   epel                                      1.1 M
 perl-Convert-TNEF                                  noarch                                0.18-17.el8                                    epel                                       26 k
 perl-Convert-UUlib                                 x86_64                                3:1.8-1.el8                                    epel                                      243 k
 perl-LDAP                                          noarch                                1:0.66-7.el8                                   appstream                                 386 k
 unzoo                                              x86_64                                4.4-27.el8                                     epel                                       30 k

トランザクションの概要
=========================================================================================================================================================================================
インストール  36 パッケージ

ダウンロードサイズの合計: 227 M
インストール済みのサイズ: 239 M
これでよろしいですか? [y/N]: 
〜〜

設定

Amavisd-New

/etc/amavisd/amavisd.confを編集します。

use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html


# COMMONLY ADJUSTED SETTINGS:

#@bypass_virus_checks_maps = (1);  # controls running of anti-virus code
#@bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
# $bypass_decode_parts = 1;         # controls running of decoders&dearchivers

# $myprogram_name = $0; # set to 'amavisd' or similar to avoid process name
                        # truncation in /proc/<pid>/stat and ps -e output

$max_servers = 2;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = 'amavis';    # (no default;  customary: vscan or amavis), -u
$daemon_group = 'amavis';    # (no default;  customary: vscan or amavis), -g

$mydomain = 'kamata-net.com';   # a convenient default for other settings

$MYHOME = '/var/spool/amavisd';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = undef;      # -Q
# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
# $release_format = 'resend';     # 'attach', 'plain', 'resend'
# $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R

$db_home   = "$MYHOME/db";        # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$lock_file = "/run/amavisd/amavisd.lock";  # -L
$pid_file  = "/run/amavisd/amavisd.pid";   # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$do_syslog = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
# $enable_zmq = 1;           # enable use of ZeroMQ (SNMP and nanny)
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key

#@local_domains_maps = ( [".$mydomain","kamata-net.com","kamata-net.jp"] );  # list of all local domains
@local_domains_maps = (1);

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 [2405:6580:27e0:1300::]/64
                  10.0.0.0/8 172.16.0.0/12 192.168.10.0/24 192.168.30.0/24 );

$unix_socketname = "/run/amavisd/amavisd.sock";  # amavisd-release or amavis-milter
               # option(s) -p overrides $inet_socket_port and $unix_socketname

# The default receiving port in the Fedora and RHEL SELinux policy is 10024.
# To allow additional ports you need to label them as 'amavisd_recv_port_t'
# For example: semanage port -a -t amavisd_recv_port_t -p tcp 10022
$inet_socket_port = 10024;   # listen on this local TCP port(s)
# $inet_socket_port = [10022,10024];  # listen on multiple TCP ports

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10022) for filtering
$interface_policy{'10022'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10025',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname

# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};

#$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is suppressed
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces

$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
# $redis_logging_key = 'amavis-log';
# $redis_logging_queue_size_limit = 300000;  # about 250 MB / 100000

# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)

#$virus_admin               = undef;                    # notifications recip.

$mailfrom_notify_admin     = undef;                    # notifications sender
$mailfrom_notify_recip     = undef;                    # notifications sender
$mailfrom_notify_spamadmin = undef;                    # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');
# $recipient_delimiter = '+';  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';

$MAXLEVELS = 14;
$MAXFILES = 3000;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 500*1024*1024;  # bytes  (default undef, not enforced)

$sa_spam_subject_tag = '***Spam*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
# for defanging bad headers only turn on certain minor contents categories:
$defang_by_ccat{CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{CC_BADH.",5"} = 1;  # header line longer than 998 characters
$defang_by_ccat{CC_BADH.",6"} = 1;  # header field syntax error


# OTHER MORE COMMON SETTINGS (defaults may suffice):

# $myhostname = 'host.example.com';  # must be a fully-qualified domain name!
$myhostname = 'smtp.kamata-net.com';  # must be a fully-qualified domain name!

# The default forwarding port in the Fedora and RHEL SELinux policy is 10025.
# To allow additional ports you need to label them as 'amavisd_send_port_t'.
# For example: semanage port -a -t amavisd_send_port_t -p tcp 10023
# $notify_method  = 'smtp:[127.0.0.1]:10023';
# $forward_method = 'smtp:[127.0.0.1]:10023';  # set to undef with milter!

$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_DISCARD;  #!!!  D_DISCARD / D_REJECT
$final_bad_header_destiny = D_BOUNCE;
# $bad_header_quarantine_method = undef;
12行目 #@bypass_virus_checks_maps = (1); Virusチェックをバイパスする指定(つまりウィルスチェックしない)ですのでコメントアウトされていることを確認してください。
13行目 #@bypass_spam_checks_maps  = (1); スパムメールチェックをバイパスする指定ですのでコメントアウトされているこを確認してください。
23行目 $mydomain = 'smtp.kamata-net.com'; 自ドメインを指定します
56-57行目 @mynetworks 信頼するLANアドレスの記載をします。IPv6アドレスについても[]で囲って記載可能です。
101-102行目 $sa_tag_level_deflt = -999; SpamAssassinで必ずX-Spam-Statusなどのヘッダを出力するための設定です。スコアが−999以上のときにヘッダを付加するようにしています
161行目 $myhostname = 'mail.kamata-net.com'; 自身のホスト名
169行目 $final_virus_destiny      = D_DISCARD; ウィルスメールは破棄します

 

12行目、13行目のbypassについてはネット上ではコメントアウトを外すように記載されている記事が多いですが、これは間違いだと思います。コメントアウトを外してしまうと処理をバイパスされてしまいますのでご注意ください。私の環境では少なくともコメントアウトを外してbypassを有効にすると処理がされません。

自動起動されるようにします。

# systemctl start amavisd
# systemctl enable amavisd
Created symlink /etc/systemd/system/multi-user.target.wants/amavisd.service → /usr/lib/systemd/system/amavisd.service.
#

Postfix

/etc/postfix/main.cf

content_filter = smtp-amavis:[127.0.0.1]:10024

を追加します。

また、/etc/postfix/master.cf

smtp-amavis unix -    -    n    -    2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

を追加します。

設定ファイルをリロードします。

# postfix reload

SpamAssassin

インストール

SpamAssassinをインストールします。

# dnf install spamassassin
メタデータの期限切れの最終確認: 0:00:58 時間前の 2021年02月03日 19時37分45秒 に実施しました。
依存関係が解決しました。
=========================================================================================================================================================================================
 パッケージ                                        アーキテクチャー               バージョン                                                     リポジトリー                      サイズ
=========================================================================================================================================================================================
インストール:
 spamassassin                                      x86_64                         3.4.2-10.el8                                                   appstream                         1.2 M
依存関係のインストール:
 perl-Algorithm-Diff                               noarch                         1.1903-9.el8                                                   baseos                             52 k
 perl-Archive-Tar                                  noarch                         2.30-1.el8                                                     baseos                             79 k
 perl-Compress-Raw-Bzip2                           x86_64                         2.081-1.el8                                                    baseos                             40 k
 perl-Compress-Raw-Zlib                            x86_64                         2.081-1.el8                                                    baseos                             68 k
 perl-Crypt-OpenSSL-Bignum                         x86_64                         0.09-5.el8                                                     appstream                          46 k
 perl-Crypt-OpenSSL-RSA                            x86_64                         0.31-1.el8                                                     appstream                          47 k
 perl-Crypt-OpenSSL-Random                         x86_64                         0.15-3.el8                                                     appstream                          31 k
 perl-DB_File                                      x86_64                         1.842-1.el8                                                    appstream                          83 k
 perl-Data-Dump                                    noarch                         1.23-7.module_el8.3.0+416+dee7bcef                             appstream                          37 k
 perl-Digest-HMAC                                  noarch                         1.03-17.module_el8.3.0+416+dee7bcef                            appstream                          20 k
 perl-Digest-SHA                                   x86_64                         1:6.02-1.el8                                                   appstream                          66 k
 perl-Encode-Detect                                x86_64                         1.01-28.el8                                                    appstream                          90 k
 perl-Encode-Locale                                noarch                         1.05-10.module_el8.3.0+416+dee7bcef                            appstream                          22 k
 perl-Error                                        noarch                         1:0.17025-2.el8                                                appstream                          46 k
 perl-File-Listing                                 noarch                         6.04-17.module_el8.3.0+416+dee7bcef                            appstream                          18 k
 perl-HTML-Parser                                  x86_64                         3.72-15.module_el8.3.0+416+dee7bcef                            appstream                         119 k
 perl-HTML-Tagset                                  noarch                         3.20-34.module_el8.3.0+416+dee7bcef                            appstream                          24 k
 perl-HTTP-Cookies                                 noarch                         6.04-2.module_el8.3.0+416+dee7bcef                             appstream                          39 k
 perl-HTTP-Date                                    noarch                         6.02-19.module_el8.3.0+416+dee7bcef                            appstream                          19 k
 perl-HTTP-Message                                 noarch                         6.18-1.module_el8.3.0+416+dee7bcef                             appstream                         100 k
 perl-HTTP-Negotiate                               noarch                         6.01-19.module_el8.3.0+416+dee7bcef                            appstream                          22 k
 perl-IO-Compress                                  noarch                         2.081-1.el8                                                    baseos                            258 k
 perl-IO-HTML                                      noarch                         1.001-11.module_el8.3.0+416+dee7bcef                           appstream                          28 k
 perl-IO-Socket-INET6                              noarch                         2.72-12.el8                                                    appstream                          33 k
 perl-IO-Zlib                                      noarch                         1:1.10-416.el8                                                 baseos                             80 k
 perl-LWP-MediaTypes                               noarch                         6.02-15.module_el8.3.0+416+dee7bcef                            appstream                          29 k
 perl-Mail-DKIM                                    noarch                         0.54-1.el8                                                     appstream                         162 k
 perl-Mail-SPF                                     noarch                         2.9.0-15.el8                                                   appstream                         153 k
 perl-MailTools                                    noarch                         2.20-2.el8                                                     appstream                         113 k
 perl-NTLM                                         noarch                         1.09-17.module_el8.3.0+416+dee7bcef                            appstream                          24 k
 perl-Net-DNS                                      noarch                         1.15-1.el8                                                     appstream                         369 k
 perl-Net-HTTP                                     noarch                         6.17-2.module_el8.3.0+416+dee7bcef                             appstream                          43 k
 perl-Net-SMTP-SSL                                 noarch                         1.04-5.el8                                                     appstream                          15 k
 perl-NetAddr-IP                                   x86_64                         4.079-7.el8                                                    appstream                         132 k
 perl-Socket6                                      x86_64                         0.28-6.el8                                                     appstream                          36 k
 perl-Sys-Syslog                                   x86_64                         0.35-397.el8                                                   appstream                          50 k
 perl-Text-Diff                                    noarch                         1.45-2.el8                                                     baseos                             45 k
 perl-Time-HiRes                                   x86_64                         1.9758-1.el8                                                   appstream                          61 k
 perl-TimeDate                                     noarch                         1:2.30-15.module_el8.3.0+416+dee7bcef                          appstream                          53 k
 perl-Try-Tiny                                     noarch                         0.30-7.module_el8.3.0+416+dee7bcef                             appstream                          45 k
 perl-WWW-RobotRules                               noarch                         6.02-18.module_el8.3.0+416+dee7bcef                            appstream                          23 k
 perl-libwww-perl                                  noarch                         6.34-1.module_el8.3.0+416+dee7bcef                             appstream                         212 k
 perl-version                                      x86_64                         6:0.99.24-1.el8                                                appstream                          67 k

トランザクションの概要
=========================================================================================================================================================================================
インストール  44 パッケージ

ダウンロードサイズの合計: 4.2 M
インストール済みのサイズ: 9.8 M
これでよろしいですか? [y/N]: y
〜〜

設定

/etc/mail/spamassassin/v310.preを編集します。

# TextCat - language guesser
#
loadplugin Mail::SpamAssassin::Plugin::TextCat

上記のコメントアウトを外して日本語に対応するようにします。

/etc/mail/spamassassin/local.cfを編集します。すでに秘伝のタレのようになっていますが…。http://www.flcl.org/~yoh/user_prefs をダウンロードしてlocal.cfにコピーして使うといいのですが、現在はダウンロードできなくなっているようです。

blacklist_from 指定したメールアドレスをブラックリストとして扱います blacklist_from *@*.ar
blacklist_from *@*.au
blacklist_from *@*.br
blacklist_from *@*.ca
blacklist_from *@*.cc
#blacklist_from *@*.cn
blacklist_from *@*.cz
blacklist_from *@*.de
blacklist_from *@*.dk
blacklist_from *@*.edu
blacklist_from *@*.es
blacklist_from *@*.fr
#blacklist_from *@*.fi
blacklist_from *@*.gov
blacklist_from *@*.it
blacklist_from *@*.kr
blacklist_from *@*.mx
blacklist_from *@*.me
blacklist_from *@*.nl
blacklist_from *@*.no
blacklist_from *@*.nu
blacklist_from *@*.pt
blacklist_from *@*.ph
blacklist_from *@*.ru
blacklist_from *@*.sc
blacklist_from *@*.th
blacklist_from *@*.tw
blacklist_from *@*.uk
blacklist_from *@*.za
blacklist_from *@*.xyz
blacklist_from *@*.co
blacklist_from *@*.hu
blacklist_from *@*.vn
blacklist_from *@*.ru
blacklist_from *@*.at
blacklist_from *@*.ca
blacklist_from *@*.il
blacklist_from *@*.link
blacklist_from *@*.click
blacklist_from *@*.space
blacklist_from *@*.date
blacklist_from *@*.host
whitelist_from_dkim DKIMチェックをpassしたメールアドレスのうち指定されたアドレスを無条件に通過させます whitelist_from_dkim *@*.co.jp
whitelist_from_spf SPFチェックをpassしたメールアドrすのうち指定されたアドレスを無条件に通過させます whitelist_from_spf *@*.go.jp
whitelist_from_spf *@*.ac.jp
whitelist_from 個別のホワイトリストです(Fromアドレスで判定) whitelist_from *@fujissl.jp
whitelist_from do_not_reply@line.me
whitelist_to

個別のホワイトリストです(Toアドレスで判定)

主にメーリングリストなどで指定するのに使っています

whitelist_to (メーリングリストアドレス)

 

続いて自動起動設定です。

# systemctl start spamassassin
# systemctl enable spamassassin
Created symlink /etc/systemd/system/multi-user.target.wants/spamassassin.service → /usr/lib/systemd/system/spamassassin.service.
#

続いてspamassassinのルールが自動更新されるようにsa-update.serviceも自動起動登録します。

# systemctl start sa-update
# systemctl enable sa-update
The unit files have no installation config (WantedBy, RequiredBy, Also, Alias
settings in the [Install] section, and DefaultInstance for template units).
This means they are not meant to be enabled using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
   .wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
   a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
   D-Bus, udev, scripted systemctl call, ...).
4) In case of template units, the unit is meant to be enabled with some
   instance name specified.
#

上記のようにエラーメッセージが表示されました。/usr/lib/systemd/system/sa-update.serviceファイルの内容に不備があるようなので修正します。

### Spamassassin Rules Updates ###
#
# http://wiki.apache.org/spamassassin/RuleUpdates
# 
# sa-update automatically updates your rules once per day if a spam daemon like
# spamd or amavisd are running.

[Unit]
Description=Spamassassin Rules Update
Documentation=man:sa-update(1)

[Service]
# Note that the opposite of "yes" is the empty string, NOT "no"
# Options for the actual sa-update command
# These are added to the channel configuration from 
# /etc/mail/spamassassin/channel.d/*.conf
Environment=OPTIONS=-v

# Debug script - send mail even if no update available
#Environment=DEBUG=yes

# Send mail when updates successfully processed
# Default: send mail only on error
#Environment=NOTIFY_UPD=yes

ExecStart=/usr/share/spamassassin/sa-update.cron

SuccessExitStatus=1

[Install]
WantedBy = multi-user.target

上記30−31行目を追加しています。依存関係はありませんのであまり気にする必要はなく上記のコピペで問題ありません。

ClamAV

インストール

# dnf install clamd clamav-update

〜〜

設定

/etc/clamd.d配下に設定ファイルがありますが、基本的には何も変更しなくても大丈夫です。ログにタイムスタンプを入れたい、などの要望があれば変更してください。

また、パターンファイルの更新ジョブの登録が必要です。

/etc/cron.daily/freshclamとして以下のシェルスクリプトを格納します。

#!/bin/sh

/usr/bin/freshclam --daemon-notify --quiet --log=/var/log/freshclam.log

上記でも問題ないのですが、clamav-freshclam.serviceを登録することで1時間に1度チェックが走るようになりますのでこちらを利用することにします。

# systemctl start clamav-freshclam
# systemctl enable clamav-freshclam
Created symlink /etc/systemd/system/multi-user.target.wants/clamav-freshclam.service → /usr/lib/systemd/system/clamav-freshclam.service.
#

また、ClamAVの自動起動設定を行います。

# systemctl start clamd@amavisd
# systemctl enable clamd@amavisd
Created symlink /etc/systemd/system/multi-user.target.wants/clamd@amavisd.service → /usr/lib/systemd/system/clamd@.service.

注意ポイント

  • いろいろなサイトを見てclamd@scanを有効にするのはこの場合間違いです。
  • clamd@scanはサーバー内のウィルスチェックでありメールのリアルタイムチェックではありません。
  • clamd@scanとclamd@amavisdはそれぞれ別のプロセスが起動します。

しかしメモリ使用率1.1GBとは少々リソース食いますね

ClamAVはネットでも騒がれていますが確かにメモリの使用率が高いですね。今後チューニングしていきたいと思います。

Pypolicyd-spf

インストール

# dnf install pypolicyd-spf
メタデータの期限切れの最終確認: 0:37:32 時間前の 2021年02月03日 23時44分11秒 に実施しました。
依存関係が解決しました。
=========================================================================================================================================================================================
 パッケージ                                   アーキテクチャー                 バージョン                                                      リポジトリー                        サイズ
=========================================================================================================================================================================================
インストール:
 pypolicyd-spf                                noarch                           2.0.2-7.el8                                                     epel                                 56 k
依存関係のインストール:
 python3-pip                                  noarch                           9.0.3-18.el8                                                    appstream                            20 k
 python3-py3dns                               noarch                           3.2.1-1.el8                                                     epel                                 50 k
 python3-pyspf                                noarch                           2.0.14-8.el8                                                    epel                                 56 k
 python3-setuptools                           noarch                           39.2.0-6.el8                                                    baseos                              163 k
 python36                                     x86_64                           3.6.8-2.module_el8.3.0+562+e162826a                             appstream                            19 k
モジュールストリームの有効化中:
 python36                                                                      3.6                                                                                                      

トランザクションの概要
=========================================================================================================================================================================================
インストール  6 パッケージ

ダウンロードサイズの合計: 363 k
インストール済みのサイズ: 882 k
これでよろしいですか? [y/N]: y
~~

設定

pypolicyd-spf

/etc/python-policyd-spf/policyd-spf.confを修正します。

"policyd-spf.conf" 15L, 302C                                                                                                                 1,1          全て
#  For a fully commented sample config file see policyd-spf.conf.commented

debugLevel = 1
TestOnly = 1

#HELO_reject = Fail
#Mail_From_reject = Fail
HELO_reject = False
Mail_From_reject = False

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
7行目 HELO_reject = False Failでは破棄となってしまうのでここではチェックのみに留めます
8行目 Mail_From_reject = False 同上

Postfix

/etc/postfix/main.cf

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service unix:private/policy-spf

5行目を追加します。

/etc/postfix/master.cfに以下の行を追加してください。

policy-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/python3 /usr/libexec/postfix/policyd-spf /etc/python-policyd-spf/policyd-spf.conf

設定のリロードを行います。

# postfix reload

SMTP-AUTH設定

インストール

さて、どんどん行きましょう。SMTP-AUTHを実現するためのモジュールとしてcyrus-saslをインストールします。

# dnf install cyrus-sasl
メタデータの期限切れの最終確認: 0:29:27 時間前の 2021年02月04日 20時58分28秒 に実施しました。
依存関係が解決しました。
================================================================================================================================================================================
 パッケージ                                 アーキテクチャー                       バージョン                                      リポジトリー                           サイズ
================================================================================================================================================================================
インストール:
 cyrus-sasl                                 x86_64                                 2.1.27-5.el8                                    baseos                                  96 k

トランザクションの概要
================================================================================================================================================================================
インストール  1 パッケージ

ダウンロードサイズの合計: 96 k
インストール済みのサイズ: 150 k
これでよろしいですか? [y/N]: y
〜〜

設定

/etc/sysconfig/saslauthdを以下のように編集します。

# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
#MECH=pam
MECH=shadow

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS=

動作確認

telnetでSMTP(25/tcp)に接続して確認します。

# printf "%s\0%s\0%s" test@kamata-net.com user password | openssl base64 -e | tr -d '\n'; echo
dGVzdEBrYW1hdGEtbmV0LmNvbQB1c2VyAHBhc3N3b3Jk
# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.kamata-net.com ESMTP
EHLO localhost
250-mail.kamata-net.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
AUTH LOGIN dGVzdEBrYW1hdGEtbmV0LmNvbQB1c2VyAHBhc3N3b3Jk 
334 UGFzc3dvcmQ6

エラーが出なければOKです。

SMTP over SSL(SMTPS)の設定

iPhoneやWindowsのOutlookからの接続するためにSMTPSとIMAPSを設定します。まずはSMTPSから。

opensslを使ってオレオレ認証局とそのオレオレ認証局で署名したオレオレ証明書を作成していきます。

自己認証局(CA)の作成

自己認証局の秘密鍵作成

/etc/pki/tls配下にすでにいろいろと格納されているのですが、ここは何が参照しているのか不明なため、/etc/pki/配下に新たにCAと証明書類を格納していくこととします。

# cd /etc/pki
# mkdir postfix
# cd postfix
# mkdir private certs newcerts crl
# cp ../tls/openssl.ca.cnf .
# touch index.txt
# echo "00" > serial

/etc/pki/postfix/openssl.ca.cnfを自己認証局用に編集していきます。

〜〜
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = JP
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Tokyo

localityName                    = Locality Name (eg, city)
localityName_default            = Ota-ku

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Kamata-Net

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = CA (Certification Authority)

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_default              = CA.kamata-net.com
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_default            = webmaster@kamata-net.com
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

#basicConstraints=CA:FALSE
basicConstraints=CA:TRUE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email
nsCertType = client, email
〜〜
171、175行目 デフォルトの値を設定しておきます エントリーが無かったので追加しています。
194、195,行目 CA証明書の場合はCA:Trueが必須です  
207、208行目 今回はサーバー証明書ではなくmail用途なので変更しておきます 必須かどうか不明…。

さて、CA用の公開鍵、秘密鍵のキーペアを作成します。

# openssl genrsa -aes256 -out /etc/pki/postfix/private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...............................++++
........++++
e is 65537 (0x010001)
Enter pass phrase for /etc/pki/postfix/private/cakey.pem:★パスフレーズ入力
Verifying - Enter pass phrase for /etc/pki/postfix/private/cakey.pem:
# 

証明書発行要求 CSRファイル 作成

コマンドを入力してパスフレーズを入れたらエンターのみ押していけば問題ありません。

# openssl req -config ./openssl.ca.cnf -new -key /etc/pki/postfix/private/cakey.pem -out /etc/pki/postfix/cacert.csr 
Enter pass phrase for /etc/pki/postfix/private/cakey.pem:★設定したパスフレーズを入力
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Ota-ku]:
Organization Name (eg, company) [Kamata-Net]:
Organizational Unit Name (eg, section) [CA (Certification Authority)]:
Common Name (eg, your name or your server's hostname) [CA.kamata-net.com]:
Email Address [webmaster@kamata-net.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:★入力しない。エンターのみ
An optional company name []:★入力しない。エンターのみ
# 


自己認証局用証明書発行

認証局証明書の有効期限は3650日(10年)で作ります。

# openssl x509 -days 3650 -in /etc/pki/postfix/cacert.csr -req -signkey /etc/pki/postfix/private/cakey.pem -out /etc/pki/postfix/cacert.pem
Signature ok
subject=C = JP, ST = Tokyo, L = Ota-ku, O = Kamata-Net, OU = CA (Certification Authority), CN = CA.kamata-net.com, emailAddress = webmaster@kamata-net.com
Getting Private key
Enter pass phrase for /etc/pki/postfix/private/cakey.pem:
# ls -al
合計 28
drwxr-xr-x   6 root root   164  2月  5 01:24 .
drwxr-xr-x. 14 root root   191  2月  5 00:04 ..
-rw-r--r--   1 root root  1781  2月  5 01:26 cacert.csr
-rw-r--r--   1 root root  2078  2月  5 01:27 cacert.pem
drwxr-xr-x   2 root root    43  2月  5 01:06 certs
drwxr-xr-x   2 root root     6  2月  5 00:22 crl
-rw-r--r--   1 root root     3  2月  5 00:46 crlnumber
-rw-r--r--   1 root root     0  2月  5 00:22 index.txt
drwxr-xr-x   2 root root     6  2月  5 00:22 newcerts
-rw-r--r--   1 root root 11433  2月  5 01:24 openssl.cnf
drwxr-xr-x   2 root root    42  2月  5 00:58 private
-rw-r--r--   1 root root     3  2月  5 00:22 serial
# 

作成したルート証明書、cacert.pemを見てみましょう。

# openssl x509 -in cacert.pem -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            3e:e6:78:aa:5d:cd:34:3c:c3:ba:1f:6d:f7:b2:2e:6c:07:8b:55:97
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Tokyo, L = Ota-ku, O = Kamata-Net, OU = CA (Certification Authority)
        Validity
            Not Before: Feb  4 15:53:59 2021 GMT
            Not After : Feb  2 15:53:59 2031 GMT
        Subject: C = JP, ST = Tokyo, L = Ota-ku, O = Kamata-Net, OU = CA (Certification Authority)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:cd:94:98:61:2e:92:32:0f:50:72:c9:9a:a1:3d:

〜〜

Postfix用の証明書作成

続いて、Postfix用の証明書を作成していきます。

秘密鍵作成

/etc/postfix/main.cfを見ると、パスフレーズなしでアクセスできる必要があるとのことです。

# The full pathname of a file with the Postfix SMTP server RSA private key
# in PEM format. The private key must be accessible without a pass-phrase,
# i.e. it must not be encrypted.
#

ですのでパスフレーズなしでキーペアの作成を行います。

# openssl genrsa -out /etc/pki/postfix/private/privkey.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................................................................................++++
.............++++
e is 65537 (0x010001)
# 

証明書発行要求 CSR 作成

# openssl req -config ./openssl.smtp.cnf -new -key /etc/pki/postfix/private/privkey.pem -out /etc/pki/postfix/certs/postfix.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Ota-ku]:
Organization Name (eg, company) [Kamata-Net]:
Organizational Unit Name (eg, section) [Blog.Kamata-Net.Com]:
Common Name (eg, your name or your server's hostname) [mail.kamata-net.com]:
Email Address [webmaster@kamata-net.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@kamatans postfix]# 

おわかりの通り、openssl.ca.cnfをopenssl.smtp.cnfにコピーして使っています。

証明書発行

# openssl ca -config ./openssl.smtp.cnf -in /etc/pki/postfix/certs/postfix.csr -out /etc/pki/postfix/certs/postfix.pem -days 3650
Using configuration from ./openssl.smtp.cnf
Enter pass phrase for /etc/pki/postfix/private/cakey.pem: ★CA証明書で設定したパスフレーズを入力します
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  4 16:30:19 2021 GMT
            Not After : Feb  2 16:30:19 2031 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Kamata-Net
            organizationalUnitName    = Blog.Kamata-Net.Com
            commonName                = mail.kamata-net.com
            emailAddress              = webmaster@kamata-net.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Cert Type: 
                SSL Client, S/MIME
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                11:96:E8:FE:42:1A:05:14:52:73:0D:31:7D:D5:16:08:77:B9:14:0A
            X509v3 Authority Key Identifier: 
                DirName:/C=JP/ST=Tokyo/L=Ota-ku/O=Kamata-Net/OU=Blog.Kamata-Net.Com/CN=mail.kamata-net.com/emailAddress=webmaster@kamata-net.com
                serial:09:ED:2D:C9:6F:33:CF:1D:63:E3:8C:4D:88:2E:1C:23:E4:67:CB:B3

Certificate is to be certified until Feb  2 16:30:19 2031 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# 

Postfix設定

/etc/postfix/main.cfを編集します。

# TLS CONFIGURATION
#
# Basic Postfix TLS configuration by default with self-signed certificate
# for inbound SMTP and also opportunistic TLS for outbound SMTP.

# The full pathname of a file with the Postfix SMTP server RSA certificate
# in PEM format. Intermediate certificates should be included in general,
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
smtpd_tls_cert_file = /etc/pki/postfix/certs/postfix.pem

# The full pathname of a file with the Postfix SMTP server RSA private key
# in PEM format. The private key must be accessible without a pass-phrase,
# i.e. it must not be encrypted.
#
smtpd_tls_key_file = /etc/pki/postfix/private/privkey.pem

# Announce STARTTLS support to remote SMTP clients, but do not require that
# clients use TLS encryption (opportunistic TLS inbound).
#
smtpd_tls_security_level = may

# Directory with PEM format Certification Authority certificates that the
# Postfix SMTP client uses to verify a remote SMTP server certificate.
#
smtp_tls_CApath = /etc/pki/postfix/certs

# The full pathname of a file containing CA certificates of root CAs
# trusted to sign either remote SMTP server certificates or intermediate CA
# certificates.
#
#smtp_tls_CAfile = /etc/pki/postfix/certs/ca-bundle.crt
smtp_tls_CAfile = /etc/pki/postfix/cacert.pem

# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext (opportunistic TLS outbound).
#
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix

環境に合わせてパスの設定をします。

さらに、以下の設定が必要です。

# SMTP-Auth
# SASL認証有効化
#自身のSMTP-AUTH化
smtpd_sasl_auth_enable = yes
#接続先(Submission用)のSMTP-AUTH
smtp_sasl_auth_enable = yes

# mynetworks以外で匿名での接続を拒否
smtpd_sasl_security_options = noanonymous
smtp_sasl_security_options = noanonymous

# 規格外の動作に対応
broken_sasl_auth_clients = yes

#SMTP-Auth User:Password
smtp_sasl_password_maps = hash:/etc/postfix/relay_password

ややこしいのですが(はまりました)、smtpd_xxxxxは自身がSMTP-AUTH認証を行う場合、smtp_xxxxは外部のメールサーバーのサブミッションポートなどにSMTP-AUTHで接続する場合の設定になります。

実は直接メールを配送するとスパムで弾かれてしまうケースが多々あり、私の家ではAsahi-netのメールサーバにほぼリレーしています。

ISPのメールサーバを使う場合のSPFレコード(asahi-netの場合)
自メールサーバではなくISPのメールサーバにリレーしてメールを配信している場合のSPF公開レコードの設定方法についてのご紹介。@setoatuはasa …

続きを見る

Yahoo!メールで迷惑メールとして判定されてしまう件
Yahoo!メールに送ったメールが迷惑フォルダに振分けられているのを発見。X-YahooFilteredBulkというヘッダが問題のようなのでYaho …

続きを見る

Asahi-netではサブミッションポートを用意しておりSMTP-AUTHが必要となります。ちなみに、relay_passwordの設定は以下のようになっています。

/etc/postfix/relay_password

[mail.asahi-net.or.jp]:587      (ユーザー名):(パスワード)

接続先のポートは、サブミッションポート(587/tcp)ですのでホスト名を[]:ポート番号と記述します。

# cd /etc/postfix
# portmap relay_password
# postfix reload

として、設定をDB化しPostfixの設定リロードを行います。

IMAP over SSL(IMAPS)の設定

Dovecotの設定

さて、続いてIMAPSの設定です。Dovecotで実現します。

/etc/dovecot/conf.d/10-mail.conf

##
## Mailbox locations and namespaces
##

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = maildir:~/Maildir

一応おさらいですが、メールボックスの形式はMaildir形式としています。

#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }

993/tcpをListenします。

##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_cert = </etc/pki/postfix/certs/dovecot.pem
ssl_key = </etc/pki/postfix/private/dovecot.pem

dovecot用の証明書をPostfixと同様に作成して配置しています。もちろん先程作った/etc/pki/postfix/certs/postfix.pem、/etc/pki/postfix/private/privkey.pemを指定しても構いません。

動作確認

opensslコマンドを用いて接続確認を行います。

# openssl s_client -connect mail.kamata-net.com:993
CONNECTED(00000003)
depth=0 C = JP, ST = Tokyo, O = Kamata-Net, OU = Blog.Kamata-Net.Com, CN = mail.kamata-net.com, emailAddress = webmaster@kamata-net.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = Kamata-Net, OU = Blog.Kamata-Net.Com, CN = mail.kamata-net.com, emailAddress = webmaster@kamata-net.com
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 C = JP, ST = Tokyo, O = Kamata-Net, OU = Blog.Kamata-Net.Com, CN = mail.kamata-net.com, emailAddress = webmaster@kamata-net.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = JP, ST = Tokyo, O = Kamata-Net, OU = Blog.Kamata-Net.Com, CN = mail.kamata-net.com, emailAddress = webmaster@kamata-net.com
   i:C = JP, ST = Tokyo, L = Ota-ku, O = Kamata-Net, OU = CA (Certification Authority), CN = CA.kamata-net.com, emailAddress = webmaster@kamata-net.com
---
Server certificate
-----BEGIN CERTIFICATE-----
〜〜
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot ready.
1 login "(ユーザー名)" "(パスワード)"
1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
2 list "" *
* LIST (\HasNoChildren \UnMarked) "." &Tgtm+DBN-
* LIST (\HasNoChildren \UnMarked) "." &j,dg0TDhMPww6w-
* LIST (\HasNoChildren \UnMarked) "." Notes
* LIST (\HasNoChildren \UnMarked \Sent) "." Sent
* LIST (\HasNoChildren \UnMarked \Junk) "." Junk
* LIST (\HasNoChildren \UnMarked) "." FaceBook
* LIST (\HasNoChildren \UnMarked \Drafts) "." Drafts
* LIST (\HasNoChildren \UnMarked) "." Archive
* LIST (\HasNoChildren \UnMarked) "." LS
* LIST (\HasNoChildren \UnMarked \Trash) "." Trash
* LIST (\HasNoChildren) "." INBOX
2 OK List completed (0.001 + 0.000 secs).
select INBOX
select BAD Error in IMAP command INBOX: Unknown command (0.001 + 0.000 secs).
3 select INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1230 EXISTS
* 0 RECENT
* OK [UNSEEN 1220] First unseen.
* OK [UIDVALIDITY 1612527330] UIDs valid
* OK [UIDNEXT 1250] Predicted next UID
* OK [HIGHESTMODSEQ 79] Highest
3 OK [READ-WRITE] Select completed (0.002 + 0.000 + 0.001 secs).
4 fetch 1 body[]
* 1 FETCH (BODY[] {42039}
Received: (qmail 30054 invoked by alias); 6 Dec 2020 09:41:40 +0900
〜〜

ファイアウォールの設定

ここまで来たら外部から接続できるようにファイアウォールに穴あけをしておきます。

# firewalld-cmd --permanent --add-service=smtp
# firewalld-cmd --permanent --add-service=smtps
# firewalld-cmd --permanent --add-service=imaps
# systemctl reload firewalld 

DKIM設定

DKIM署名とチェックをするための設定です。opendkimを利用して実現します。

インストール

# dnf install opendkim
〜〜

公開鍵・秘密鍵ペアの作成

# cd /etc/opendkim/keys
# mkdir kamata-net.com
# opendkim-genkey -D /etc/opendkim/keys/kamata-net.com -d kamata-net.com -s default
# chown -R opendkim:opendkim .

defaultとなっているのはセパレータなのでどんな文字列でも構いませんが、DNSで公開することになりますので恥ずかしいセパレータ名にするのはやめましょう。defaultが一般的なセパレータ名です。

設定

opendkim

/etc/opendkim/KeyTableで秘密鍵の格納場所を指定します。複数のドメインを運用している場合にはすべてこちらの記載します。

"KeyTable" 11L, 847C                                                                                                                         1,1          全て
# OPENDKIM KEY TABLE
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
default._domainkey.kamata-net.com kamata-net.com:default:/etc/opendkim/keys/kamata-net.com/default.private
default._domainkey.kamata-net.jp kamata-net.jp:default:/etc/opendkim/keys/kamata-net.jp/default.private
…

続いて、/etc/opendkim/SigningTableにて署名を行う対象のドメイン(というよりメールアドレス)を指定します。

"SigningTable" 30L, 1458C                                                                                                                    1,1          全て
# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to outgoing messages based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM "how" to apply your keys.

# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
# then uncomment one of the usage examples below and replace example.com with your
# domain name, then restart OpenDKIM.

# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.

#*@example.com default._domainkey.example.com

# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
# wildcards will not work. Instead, full user@host is checked first, then simply host,
# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
# "SigningTable" for more details.

#example.com default._domainkey.example.com
*@kamata-net.com default._domainkey.kamata-net.com
*@kamata-net.jp default._domainkey.kamata-net.jp
…

ちなみに

kamata-net.com default._domainkey.kamata-net.com

とドメイン指定したのですが、うまく署名してくれませんでした。

続いて信頼するホスト(接続を許可するアドレス)を/etc/opendkim/TrustedHostsファイルにて指定します。同一ホストのPostfixからの接続しかありませんのでループバックアドレスのみ記載しておきます。

"TrustedHosts" 9L, 378C                                                                                                                      1,1          全て
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
#host.example.com
#192.168.1.0/24

Postfix

/etc/postfix/master.cfにDKIM署名の設定を追加します。

# DKIM署名
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

Amavisd-New

/etc/amavisd/amavisd.confにて51-52行目でAmavisによるDKIMチェック、DKIM署名を実行する指定がありますが、opendkimを使っていますのでここは不要です。1→0として無効化します。

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
# $enable_zmq = 1;           # enable use of ZeroMQ (SNMP and nanny)
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 0;  # enable DKIM signatures verification
$enable_dkim_signing = 0;    # load DKIM signing code, keys defined by dkim_key

DNSレコードの作成

SPF、DKIM、DMARC用のレコードをDNSに登録します。また合わせてIPv6対応も実施しておきます(IPv6レコード、AAAAの追加)。

$TTL 3600
@       IN      SOA     ns.kamata-net.com. root.ns.kamata-net.com. (
        2021020503      ; Serial
        10800           ; Refresh 3 hours
        1800            ; Retry 30 minutes
        43200           ; Expire 12 hours
        3600 )          ; Minimum 1 hour
;$origin kamata-net.com.

                IN      AAAA    2405:6580:27e0:1300:20c:29ff:fe91:e989
                IN      A       218.45.184.224
                IN      NS      ns.kamata-net.com.
                IN      MX      10      mail.kamata-net.com.
                IN      TXT     "v=spf1 +mx +include:spf-01.asahi-net.or.jp -all"
default._domainkey      IN      TXT     "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9LVK7mIQmGdDPvdfUTZXnOlsaY0p4YMwDmuBK+vyQrH+V7fNULyGXn5nuMeRFbMKwos72Uuw4Af/YQ6ppGxRNrCdu7g8jnGGmMSU165xgNvLUKr/qjaoNdBK/8W5V7EhpEinKC5+9OeSeh5io24gLPZwIjeRTfiF5T3jW7eo6nQIDAQAB"
_adsp._domainkey        IN      TXT     "dkim=all"
_dmarc          IN      TXT     "v=DMARC1;p=none;rua=mailto:postmaster@kamata-net.com;ruf=mailto:postmaster@kamata-net.com;rf=afrf;pct=100"
;
;
mail            IN      A       218.45.184.224
mail            IN      AAAA    2405:6580:27e0:1300:d224:43aa:890a:f888
smtp            IN      A       218.45.184.224
smtp            IN      AAAA    2405:6580:27e0:1300:d224:43aa:890a:f888
imap            IN      A       218.45.184.224
imap            IN      AAAA    2405:6580:27e0:1300:d224:43aa:890a:f888
ns              IN      A       218.45.184.224
ns              IN      AAAA    2405:6580:27e0:1300:d224:43aa:890a:f888
static          IN      A       218.45.184.224
static          IN      AAAA    2405:6580:27e0:1300:20c:29ff:fe91:e989
blog            IN      A       218.45.184.224
blog            IN      AAAA    2405:6580:27e0:1300:20c:29ff:fe91:e989
blog            IN      TXT     "google-site-verification: kAyWyOulCwAZZIBOSqgBZUmPcJ74T3nsEejnU58Ttw8"
blog            IN      MX      10      mail.kamata-net.com.
www             IN      A       218.45.184.224
www             IN      AAAA    2405:6580:27e0:1300:20c:29ff:fe91:e989
www             IN      TXT     "google-site-verification: cyjBNfZDifARLZ1jrPNotZFmYk4KshcjGnppX59zN8Q"
old             IN      A       218.45.184.224
old             IN      AAAA    2405:6580:27e0:1300:20c:29ff:fe91:e989
sip             IN      A       218.45.184.224
;
;
localhost       IN      A       127.0.0.1
loghost         IN      CNAME   localhost

14行目

SPF用レコード

送信される可能性のあるホストを羅列します。自身(mx)とAsahi-net(include:spf-01.asahi-net.or.jp)以外はすべて拒否(-all)しています。

(※)下記の記事もご参考にどうぞ

15行目 DKIM用レコード /etc/opendkim/keys/(ドメイン名)/default.txtの内容を記載します
16行目 DKIM用ADSPレコード(Author Domain Signing Practice)

DKIMの認証結果をどのように扱うべきかを示すポリシーを送信側で公開するものです。

all: すべてのメールに署名が付与される

unknown:いくつかのメールに署名が付与される

discardable:署名が付いていなかったら破棄するように指示

17行目 DMARC用レコード

相手側メールホストにて実施されるDMARC認証に失敗した場合のポリシーの設定です。大事なのはポリシーを指定しているp=の部分です。

none:何もしない

quarantine:隔離する

reject:メール受信拒否

ISPのメールサーバを使う場合のSPFレコード(asahi-netの場合)
自メールサーバではなくISPのメールサーバにリレーしてメールを配信している場合のSPF公開レコードの設定方法についてのご紹介。@setoatuはasa …

続きを見る

最終動作確認

Email Sender Identity Verification, Authentication & Security Solutions | Valimail
A fully automated cybersecurity solution, Valimail blocks phishing emails, protects against business email compromise & completes your secure email gateway.

SPFレコードとDMARCレコードのチェックを行ってくれます。

p=noneだと怒られちゃいました

 

p=quarantineでパスしました

p=noneで設定していたのですが、これだと保護されていない、とのことなのでp=quarantine(隔離)に変更しました。

以下のサイトでは基本となるオープンリレーのチェックをしてくれます。踏み台サーバにならないように必ずチェックをしましょう。

オープンリレー診断結果

以下のサイトでもチェックが可能です。シンプルにcheck@naritai.jpに空メールを送るだけで診断してもらえます。

なりすまし対策ポータル ナリタイ
「ナリタイ」はなりすましメールについての理解を深めて、セキュリティ対策の導入やユーザーの注意喚起を目的とした情報発信サイトです。
なりすまし対策ポータル ナリタイ

診断結果メール

参考資料(各種設定ファイル)

少々長くなりましたがいかがでしたでしょうか?参考になれば幸いです。最後に我が家のPostfix関連の設定ファイルを掲載致します。

Postfix

main.cf

# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.

# COMPATIBILITY
#
# The compatibility_level determines what default settings Postfix
# will use for main.cf and master.cf settings. These defaults will
# change over time.
#
# To avoid breaking things, Postfix will use backwards-compatible
# default settings and log where it uses those old backwards-compatible
# default settings, until the system administrator has determined
# if any backwards-compatible default settings need to be made
# permanent in main.cf or master.cf.
#
# When this review is complete, update the compatibility_level setting
# below as recommended in the RELEASE_NOTES file.
#
# The level below is what should be used with new (not upgrade) installs.
#
compatibility_level = 2

# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing.  When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no

# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix

# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin

# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix

# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
#
data_directory = /var/lib/postfix

# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes.  Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix

# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody

# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = mail.kamata-net.com

# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
mydomain = kamata-ne.tcom

# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites.  If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
#myorigin = $mydomain

# RECEIVING MAIL

# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on.  By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = all
#inet_interfaces = localhost

# Enable IPv4, and IPv6 if supported
inet_protocols = all

# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4

# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain + localhost.  On
# a mail domain gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
#       mail.$mydomain, www.$mydomain, ftp.$mydomain

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
#   For example, you define $mydestination domain recipients in
#   the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
#   feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =

# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550

# TRUST AND RELAY CONTROL

# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix.  See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network.  Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
mynetworks = 192.168.10.0/24,192.168.30.0/24,[2405:6580:27e0:1300::]/64,[::1],[FE80::]/10,[FEC0::]/10

# The relay_domains parameter restricts what destinations this system will
# relay mail to.  See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
#   subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
virtual_alias_domains = kamata-net.com, kamata-net.jp, mail.kamata-net.com
virtual_alias_maps = hash:/etc/postfix/virtual

# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace.  Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
relay_domains = $mydestination

# INTERNET OR INTRANET

# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
#relayhost = [192.168.30.104]

# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s

# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.

# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.

# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.

# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.

# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible.  Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases

# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi".  This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +

# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
home_mailbox = Maildir/

# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail

# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception:  delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"

# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf.  The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
# Cyrus IMAP over LMTP. Specify ``lmtpunix      cmd="lmtpd"
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp

# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
# server using LMTP (Local Mail Transport Protocol), this is prefered
# over the older cyrus deliver program by setting the
# mailbox_transport as below:
#
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
# these settings.
#
# local_destination_recipient_limit = 300
# local_destination_concurrency_limit = 5
#
# Of course you should adjust these settings as appropriate for the
# capacity of the hardware you are using. The recipient limit setting
# can be used to take advantage of the single instance message store
# capability of Cyrus. The concurrency limit can be used to control
# how many simultaneous LMTP sessions will be permitted to the Cyrus
# message store.
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
#mailbox_transport = cyrus

# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf.  The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =

# The luser_relay parameter specifies an optional destination address
# for unknown recipients.  By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local

# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.

# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
#header_checks = regexp:/etc/postfix/header_checks

# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains

# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_banner = $myhostname ESMTP

# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter.  The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.

#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20

# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2

# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
#debug_peer_list = asahi-net.or.jp

# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
#       PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
#       echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
#       >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen session, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
#       PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
#       -dmS $process_name gdb $daemon_directory/$process_name
#       $process_id & sleep 1

# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix

# mailq_path: The full pathname of the Postfix mailq command.  This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix

# setgid_group: The group for mail submission and queue management
# commands.  This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop

# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no

# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man

# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix/samples

# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix/README_FILES

# TLS CONFIGURATION
#
# Basic Postfix TLS configuration by default with self-signed certificate
# for inbound SMTP and also opportunistic TLS for outbound SMTP.

# The full pathname of a file with the Postfix SMTP server RSA certificate
# in PEM format. Intermediate certificates should be included in general,
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
smtpd_tls_cert_file = /etc/pki/postfix/certs/postfix.pem

# The full pathname of a file with the Postfix SMTP server RSA private key
# in PEM format. The private key must be accessible without a pass-phrase,
# i.e. it must not be encrypted.
#
smtpd_tls_key_file = /etc/pki/postfix/private/privkey.pem

# Announce STARTTLS support to remote SMTP clients, but do not require that
# clients use TLS encryption (opportunistic TLS inbound).
#
smtpd_tls_security_level = may

# Directory with PEM format Certification Authority certificates that the
# Postfix SMTP client uses to verify a remote SMTP server certificate.
#
smtp_tls_CApath = /etc/pki/postfix/certs

# The full pathname of a file containing CA certificates of root CAs
# trusted to sign either remote SMTP server certificates or intermediate CA
# certificates.
#
#smtp_tls_CAfile = /etc/pki/postfix/certs/ca-bundle.crt
smtp_tls_CAfile = /etc/pki/postfix/cacert.pem

# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext (opportunistic TLS outbound).
#
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix

transport_maps = hash:/etc/postfix/transport
content_filter = smtp-amavis:[127.0.0.1]:10024

# VRFYコマンド無効化
disable_vrfy_command = yes

# HELOコマンドを要求する(スパム対策)
smtpd_helo_required = yes

# MAIL FROMやRCPT TOコマンドに不正な文法を認めない
strict_rfc821_envelopes = yes

# SMTP DATA コマンドの場面で適用するオプションの制限
smtpd_data_restrictions =
   reject_unauth_pipelining,
   reject_multi_recipient_bounce

# SMTP HELO コマンドの場面で適用するオプションの制限
smtpd_helo_restrictions =
   permit_mynetworks,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_unknown_hostname,
   permit

# MAIL FROM コマンドの場面で適用するオプションの制限
smtpd_sender_restrictions =
   permit_mynetworks,
   reject_unknown_sender_domain,
   reject_non_fqdn_sender,
   permit

# ETRN 要求の場面で適用するオプションの制限
smtpd_etrn_restrictions =
   permit_mynetworks,
   reject_invalid_hostname,
   permit

# SMTP-Auth
# SASL認証有効化
#自身のSMTP-AUTH化
smtpd_sasl_auth_enable = yes
#接続先(Submission用)のSMTP-AUTH
smtp_sasl_auth_enable = yes

# mynetworks以外で匿名での接続を拒否
smtpd_sasl_security_options = noanonymous
smtp_sasl_security_options = noanonymous

# 規格外の動作に対応
broken_sasl_auth_clients = yes

#SMTP-Auth User:Password
smtp_sasl_password_maps = hash:/etc/postfix/relay_password

# RCPT TO コマンドの場面で適用するアクセス制限。SMTP_Authを利用したクラアントを許可
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service unix:private/policy-spf

# DKIM署名
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}
policy-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/python3 /usr/libexec/postfix/policyd-spf /etc/python-policyd-spf/policyd-spf.conf
#spamassassin unix - n n - - pipe flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
smtp-amavis unix -    -    n    -    2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n    -    n    -    - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

#    -o content_filter=
#    -o local_recipient_maps=
#    -o relay_recipient_maps=
#    -o smtpd_restriction_classes=
#    -o smtpd_client_restrictions=
#    -o smtpd_helo_restrictions=
#    -o smtpd_sender_restrictions=
#    -o smtpd_recipient_restrictions=permit_mynetworks,reject
#    -o mynetworks=127.0.0.0/8
#    -o strict_rfc821_envelopes=yes
#    -o smtpd_error_sleep_time=0
#    -o smtpd_soft_error_limit=1001
#    -o smtpd_hard_error_limit=1000
smtps inet n - n - - smtpd
    # -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    # -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING

virtual

# VIRTUAL(5)                                                          VIRTUAL(5)
#
# NAME
#        virtual - Postfix virtual alias table format
#
〜〜
#
# AUTHOR(S)
#        Wietse Venema
#        IBM T.J. Watson Research
#        P.O. Box 704
#        Yorktown Heights, NY 10598, USA
#
#        Wietse Venema
#        Google, Inc.
#        111 8th Avenue
#        New York, NY 10011, USA
#
#                                                                     VIRTUAL(5)
mailaccount@kamata-net.com mailaccount@(内部メールサーバー名).kamata-net.com  ★ 内部メールサーバーへ転送したい
mailaccount2@kamata-net.com localaccount mailaccount2@(内部メールサーバ名).kamata-net.com ★内部メールサーバーへ転送するとともにローカル配送もしたい(iPhoneで読みたい)
localaccount@mail.kamata-net.com localacount ★ ローカル配送のみ

# Catch-all
@kamata-net.com @(内部メールサーバー名).kamata-net.com ★その他のメールはすべて内部メールサーバーへ転送
#
postmaster@kamata-net.jp postmaster@(内部メールサーバー名).kamata-net.com
#
webmaster@kamata-net.jp webmaster@(内部メールサーバー名).kamata-net.com

transport

# TRANSPORT(5)                                                      TRANSPORT(5)
#
# NAME
#        transport - Postfix transport table format
#
〜〜
# AUTHOR(S)
#        Wietse Venema
#        IBM T.J. Watson Research
#        P.O. Box 704
#        Yorktown Heights, NY 10598, USA
#
#        Wietse Venema
#        Google, Inc.
#        111 8th Avenue
#        New York, NY 10011, USA
#
#                                                                   TRANSPORT(5)

localhost : ★ローカル配送指定
localhost.localdomain : ★ローカル配送指定
mail.kamata-net.com : ★ローカル配送指定
yahoo.co.jp     smtp: ★yahooは直接配送
(内部メールサーバー).kamata-net.com smtp:[192.168.30.xxx]:25 ★内部向けのルート設定
*       smtp:[mail.asahi-net.or.jp]:587  ★ 上記以外はすべてAsahi-netへ

Amavisd-New

amavisd.conf

use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html


# COMMONLY ADJUSTED SETTINGS:

#@bypass_virus_checks_maps = (1);  # controls running of anti-virus code
#@bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
# $bypass_decode_parts = 1;         # controls running of decoders&dearchivers

# $myprogram_name = $0; # set to 'amavisd' or similar to avoid process name
                        # truncation in /proc/<pid>/stat and ps -e output

$max_servers = 2;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = 'amavis';    # (no default;  customary: vscan or amavis), -u
$daemon_group = 'amavis';    # (no default;  customary: vscan or amavis), -g

$mydomain = 'mailexchange.jp';   # a convenient default for other settings

$MYHOME = '/var/spool/amavisd';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = undef;      # -Q
# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
# $release_format = 'resend';     # 'attach', 'plain', 'resend'
# $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R

$db_home   = "$MYHOME/db";        # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$lock_file = "/run/amavisd/amavisd.lock";  # -L
$pid_file  = "/run/amavisd/amavisd.pid";   # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$do_syslog = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
# $enable_zmq = 1;           # enable use of ZeroMQ (SNMP and nanny)
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 0;  # enable DKIM signatures verification
$enable_dkim_signing = 0;    # load DKIM signing code, keys defined by dkim_key

#@local_domains_maps = ( [".$mydomain","hne.jp","kamata-net.com","kamata-net.jp","nishimine.net","mailexchange.jp"] );  # list of all local domains
@local_domains_maps = (1);

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 [2405:6580:27e0:1300::]/64
                  10.0.0.0/8 172.16.0.0/12 192.168.10.0/24 192.168.30.0/24 );

$unix_socketname = "/run/amavisd/amavisd.sock";  # amavisd-release or amavis-milter
               # option(s) -p overrides $inet_socket_port and $unix_socketname

# The default receiving port in the Fedora and RHEL SELinux policy is 10024.
# To allow additional ports you need to label them as 'amavisd_recv_port_t'
# For example: semanage port -a -t amavisd_recv_port_t -p tcp 10022
$inet_socket_port = 10024;   # listen on this local TCP port(s)
# $inet_socket_port = [10022,10024];  # listen on multiple TCP ports

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10022) for filtering
$interface_policy{'10022'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10025',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname

# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};

#$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is suppressed
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces

$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
# $redis_logging_key = 'amavis-log';
# $redis_logging_queue_size_limit = 300000;  # about 250 MB / 100000

# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)

#$virus_admin               = undef;                    # notifications recip.

$mailfrom_notify_admin     = undef;                    # notifications sender
$mailfrom_notify_recip     = undef;                    # notifications sender
$mailfrom_notify_spamadmin = undef;                    # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');
# $recipient_delimiter = '+';  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';

$MAXLEVELS = 14;
$MAXFILES = 3000;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 500*1024*1024;  # bytes  (default undef, not enforced)

$sa_spam_subject_tag = '***Spam*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
# for defanging bad headers only turn on certain minor contents categories:
$defang_by_ccat{CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{CC_BADH.",5"} = 1;  # header line longer than 998 characters
$defang_by_ccat{CC_BADH.",6"} = 1;  # header field syntax error


# OTHER MORE COMMON SETTINGS (defaults may suffice):

# $myhostname = 'host.example.com';  # must be a fully-qualified domain name!
$myhostname = 'smtp.mailexchange.jp';  # must be a fully-qualified domain name!

# The default forwarding port in the Fedora and RHEL SELinux policy is 10025.
# To allow additional ports you need to label them as 'amavisd_send_port_t'.
# For example: semanage port -a -t amavisd_send_port_t -p tcp 10023
# $notify_method  = 'smtp:[127.0.0.1]:10023';
# $forward_method = 'smtp:[127.0.0.1]:10023';  # set to undef with milter!

$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_DISCARD;  #!!!  D_DISCARD / D_REJECT
$final_bad_header_destiny = D_BOUNCE;
# $bad_header_quarantine_method = undef;

# $os_fingerprint_method = 'p0f:*:2345';  # to query p0f-analyzer.pl

## hierarchy by which a final setting is chosen:
##   policy bank (based on port or IP address) -> *_by_ccat
##   *_by_ccat (based on mail contents) -> *_maps
##   *_maps (based on recipient address) -> final configuration value


# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)

# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
#
# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
# @bypass_banned_checks_maps, @bypass_header_checks_maps,
#
# @virus_lovers_maps, @spam_lovers_maps,
# @banned_files_lovers_maps, @bad_header_lovers_maps,
#
# @blacklist_sender_maps, @score_sender_maps,
#
# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
#
# $defang_bad_header, $defang_undecipherable, $defang_spam

# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',                # let virus scanner see full original message
  qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));


$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
#  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
# qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
# qr'^\.zip$',                            # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i,         # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
# qr'^\.wmf$',                            # Windows Metafile file(1) type

  # block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose

  qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
#        msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
#        wmf|wsc|wsf|wsh)$'ix,                # banned extensions - long
# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i,     # consider also
# qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
# qr'^\.ani$',                            # banned animated cursor file(1) type
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm


# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
#                           '.cleargreen.com'           => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
     'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'securityfocus.com'                      => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'amavis-user-bounces@lists.sourceforge.net' => -3.0,
     'spamassassin.apache.org'                => -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0,

   },
  ],  # end of site-wide tables
});


@decoders = (
  ['mail', \&do_mime_decode],
# [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
  ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['xz',   \&do_uncompress,
           ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
  ['lzma', \&do_uncompress,
           ['lzmadec', 'xz -dc --format=lzma',
            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
#  ['lrz',  \&do_uncompress,
#           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['lz4',  \&do_uncompress, ['lz4c -d'] ],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
           # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
  ['deb',  \&do_ar, 'ar'],
# ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
  ['arj',  \&do_unarj, ['unarj', 'arj'] ],
  ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
  ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
# ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
  ['cab',  \&do_cabextract, 'cabextract'],
# ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
  ['tnef', \&do_tnef],
# ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
# ['sit',  \&do_unstuff, 'unstuff'],  # not safe
  [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
  [['zip','kmz'], \&do_unzip],
  ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
  [[qw(gz bz2 Z tar)],
           \&do_7zip,  ['7za', '7z'] ],
  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
           \&do_7zip,  '7z' ],
  ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);


@av_scanners = (

# ### http://www.sophos.com/
# ['Sophos-SSSP',  # SAV Dynamic Interface
#   \&ask_daemon, ["{}", 'sssp:/run/savdi/sssp.sock'],
#           # or: ["{}", 'sssp:[127.0.0.1]:4010'],
#   qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],

# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
# ['Sophie',
#   \&ask_daemon, ["{}/\n", 'sophie:/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],

# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&ask_daemon, ['{}','savi-perl:'] ],

# ['Avira SAVAPI',
#   \&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'],
#   qr/^(200|210)/m,  qr/^(310|420|319)/m,
#   qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ],
# settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1

  ### http://www.clamav.net/
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.amavisd/clamd.sock"],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

  # NOTE: run clamd under the same user as amavisd - or run it under its own
  #   uid such as clamav, add user clamav to the amavis group, and then add
  #   AllowSupplementaryGroups to clamd.conf;
  # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
  #   this entry; when running chrooted one may prefer a socket under $MYHOME.

# ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
# # note that Mail::ClamAV requires perl to be build with threading!
# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'],
#   [0], [1], qr/^INFECTED: (.+)/m],

# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
#   qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ],

# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
#   \&ask_daemon, ["{}/\n", 'trophie:/run/trophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],

# ### http://www.grisoft.com/
# ['AVG Anti-Virus',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
#   qr/^200/m, qr/^403/m, qr/^403[- ].*: ([^\r\n]+)/m ],

# ### http://www.f-prot.com/
# ['F-Prot fpscand',  # F-PROT Antivirus for BSD/Linux/Solaris, version 6
#   \&ask_daemon,
#   ["SCAN FILE {}/*\n", '127.0.0.1:10200'],
#   qr/^(0|8|64) /m,
#   qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,
#   qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ],

# ### http://www.f-prot.com/
# ['F-Prot f-protd',  # old version
#   \&ask_daemon,
#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
#     ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',
#      '127.0.0.1:10203', '127.0.0.1:10204'] ],
#   qr/(?i)<summary[^>]*>clean<\/summary>/m,
#   qr/(?i)<summary[^>]*>infected<\/summary>/m,
#   qr/(?i)<name>(.+)<\/name>/m ],

# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
# ['DrWebD', \&ask_daemon,   # DrWebD 4.31 or later
#   [pack('N',1).  # DRWEBD_SCAN_CMD
#    pack('N',0x00280001).   # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
#    pack('N',     # path length
#      length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
#    '{}/*'.       # path
#    pack('N',0).  # content size
#    pack('N',0),
#    '/var/drweb/run/drwebd.sock',
#  # '/var/amavis/run/drwebd.sock',   # suitable for chroot
#  # '/usr/local/drweb/run/drwebd.sock',  # FreeBSD drweb ports default
#  # '127.0.0.1:3000',                    # or over an inet socket
#   ],
#   qr/\A\x00[\x10\x11][\x00\x10]\x00/sm,        # IS_CLEAN,EVAL_KEY; SKIPPED
#   qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF
#   qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm,
# ],
# # NOTE: If using amavis-milter, change length to:
# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").

  ### http://www.kaspersky.com/  (kav4mailservers)
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
  ],
  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  # currupted or protected archives are to be handled

  ### http://www.kaspersky.com/
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
    qr/infected: (.+)/m,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],

  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  ### products and replaced by aveserver and aveclient
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',       'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
    # change the startup-script in /etc/init.d/kavd to:
    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
    # adjusting /var/amavis above to match your $TEMPBASE.
    # The '-f=/var/amavis' is needed if not running it as root, so it
    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
    #   directory $TEMPBASE specifies) in the 'Names=' section.
    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
    # cp AvpDaemonClient /opt/AVP/
    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

  ### http://www.centralcommand.com/
  ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
    # Adjust the path of the binary and the virus database as needed.
    # 'vascan' does not allow to have the temp directory to be the same as
    # the quarantine directory, and the quarantine option can not be disabled.
    # If $QUARANTINEDIR is not used, then another directory must be specified
    # to appease 'vascan'. Move status 3 to the second list if password
    # protected files are to be considered infected.

  ### http://www.avira.com/
  ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus
  ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

  ### http://www.avira.com/
  ### Avira for UNIX 3.x
  ['Avira AntiVir', ['avscan'],
   '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m,
   qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ],

  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/m ],

  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],

  ### http://www.symantec.com/
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],
    # NOTE: check options and patterns to see which entry better applies

# ### http://www.f-secure.com/products/anti-virus/  version 5.52
#  ['F-Secure Antivirus for Linux servers',
#   ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
#   '--virus-action1=report --archive=yes --auto=yes '.
#   '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
#   qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
#   # NOTE: internal archive handling may be switched off by '--archive=no'
#   #   to prevent fsav from exiting with status 9 on broken archives

  ### http://www.f-secure.com/ version 9.14
   ['F-Secure Linux Security',
    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    '--virus-action1=report --archive=yes --auto=yes '.
    '--list=no --nomimeerr {}', [0], [3,4,6,8],
    qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
    # NOTE: internal archive handling may be switched off by '--archive=no'
    #   to prevent fsav from exiting with status 9 on broken archives

# ### http://www.avast.com/
# ['avast! Antivirus daemon',
#   \&ask_daemon,  # greets with 220, terminate with QUIT
#   ["SCAN {}\015\012QUIT\015\012", '/run/avast4/mailscanner.sock'],
#   qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/m ],

# ### http://www.avast.com/
# ['avast! Antivirus - Client/Server Version', 'avastlite',
#   '-a /run/avast4/mailscanner.sock -n {}', [0], [1],
#   qr/\t\[L\]\t([^[ \t\015\012]+)/m ],

  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/m ],
  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/m ],
    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

  ### http://mks.com.pl/english.html
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/m ],

  ### http://mks.com.pl/english.html
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/m ],

# ### http://www.nod32.com/,  version v2.52 (old)
# ['ESET NOD32 for Linux Mail servers',
#   ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
#    '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
#    '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
#    '--action-on-notscanned=accept {}',
#   [0,3], [1,2], qr/virus="([^"]+)"/m ],

# ### http://www.eset.com/, version v2.7 (old)
# ['ESET NOD32 Linux Mail Server - command line interface',
#   ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
#   '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ],

# ### http://www.eset.com/, version 2.71.12
# ['ESET Software ESETS Command Line Interface',
#   ['/usr/bin/esets_cli', 'esets_cli'],
#   '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],

  ### http://www.eset.com/, version 3.0
  ['ESET Software ESETS Command Line Interface',
    ['/usr/bin/esets_cli', 'esets_cli'],
    '--subdir {}', [0], [1,2,3],
    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],

  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
  ['ESET NOD32 for Linux File servers',
    ['/opt/eset/nod32/sbin/nod32','nod32'],
    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action=1 -b {}',
    [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],

# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
# ['ESET Software NOD32 Client/Server (NOD32SS)',
#   \&ask_daemon2,    # greets with 200, persistent, terminate with QUIT
#   ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
#   qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],

  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/m ],

  ### http://www.pandasoftware.com/
  ['Panda CommandLineSecure 9 for Linux',
    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/m,
    qr/Number of files infected[ .]*: 0*[1-9]/m,
    qr/Found virus :\s*(\S+)/m ],
  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
  # before starting amavisd - the bases are then loaded only once at startup.
  # To reload bases in a signature update script:
  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
  # Please review other options of pavcl, for example:
  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies

# ### http://www.pandasoftware.com/
# ['Panda Antivirus for Linux', ['pavcl'],
#   '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
#   [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
#   qr/Found virus :\s*(\S+)/m ],

# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
# Check your RAV license terms before fiddling with the following two lines!
# ['GeCAD RAV AntiVirus 8', 'ravav',
#   '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
# # NOTE: the command line switches changed with scan engine 8.5 !
# # (btw, assigning stdin to /dev/null causes RAV to fail)

  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/m,
  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  # sub {delete $ENV{LD_PRELOAD}},
  ],
  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
  # and then clear it when finished to avoid confusing anything else.
  # NOTE2: to treat encrypted files as viruses replace the [13] with:
  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

  ### http://www.virusbuster.hu/en/
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/m ],
  # VirusBuster Ltd. does not support the daemon version for the workstation
  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
  # binaries, some parameters AND return codes have changed (from 3 to 1).
  # See also the new Vexira entry 'vascan' which is possibly related.

# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
#   '-f -log scandir {}', [0], [3],
#   qr/Virus found = (.*);/m ],
# # HINT: for an infected file it always returns 3,
# # although the man-page tells a different story

  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  ],

# ### http://www.avast.com/  (old)
# ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
#   '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],

# ### http://www.avast.com/
# ['avast! Antivirus', '/bin/scan', '{}', [0], [1], qr/\t(.+)/m ],

  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/m ],

  ### http://www.bitdefender.com/
  ['BitDefender', 'bdscan',  # new version
    '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
    qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],

  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc',  # old version
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
  # not apply to your version of bdc, check documentation and see 'bdc --help'

  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
    '-v 1 -summary 0 -s {}', [0], [1,2],
    qr/(?:VIR|WIR):[ \t]*(.+)/m ],

# ### a generic SMTP-client interface to a SMTP-based virus scanner
# ['av_smtp', \&ask_av_smtp,
#   ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'],
#   qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ],

# ['File::Scan', sub {Amavis::AV::ask_av(sub{
#   use File::Scan; my($fn)=@_;
#   my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
#   my($vname) = $f->scan($fn);
#   $f->error ? (2,"Error: ".$f->error)
#   : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
#   ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ],

# ### fully-fledged checker for JPEG marker segments of invalid length
# ['check-jpeg',
#   sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
#   ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
# #       for example in /usr/local/lib/perl5/site_perl

);


@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

# ### http://www.clamav.net/ - using remote clamd scanner as a backup
# ['ClamAV-clamdscan', 'clamdscan',
#   "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
#   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

# ['ClamAV-clamd-stream',
#   \&ask_daemon, ["*", 'clamd:/run/clamav/clamd.sock'],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
  ['F-PROT Antivirus for UNIX', ['fpscan'],
    '--report --mount --adware {}',  # consider: --applications -s 4 -u 3 -z 10
    [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],

  ### http://www.trendmicro.com/   - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],

  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],

   ### http://www.kaspersky.com/
   ['Kaspersky Antivirus v5.5',
     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
      '/opt/kav/5.5/kav4unix/bin/kavscanner',
      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
#    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
#    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
   ],

  ### http://www.sophos.com/
  ['Sophos Anti Virus (savscan)',   # formerly known as 'sweep'
    ['/opt/sophos-av/bin/savscan', 'savscan'],  # 'sweep'
    '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
    '--no-reset-atime {}',
    [0,2], qr/Virus .*? found/m,
    qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
  ],
  # other options to consider: -idedir=/usr/local/sav
  # A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD).
  # Make sure the correct 'sweep' is found in the path if using the old name.

# Always succeeds and considers mail clean.
# Potentially useful when all other scanners fail and it is desirable
# to let mail continue to flow with no virus checking (when uncommented).
# ['always-clean', sub {0}],

);


1;  # insure a defined return value

Windows Outlookの設定

WindowsのOutlookから、当該メールサーバーへ接続した場合に、自己証明書を利用していることから以下の警告「証明書チェーンは処理されましたが、信頼プロバイダーが信頼していないルート証明書で強制終了しました。」が表示されます。このサーバーの使用を続けますか?「はい」でメールの送受信は可能ですが、少々煩わしいです。

これを回避するには、メールサーバー上で作成した認証局の証明書をWindowsにインストールすれば回避できます。ただしWindowsではPEM形式の証明書は読み込みができませんのでDER形式に変換する必要があります。

# cd /etc/pki/postfix
# openssl x509 -inform PEM -in cacert.pem -outform DER -out cacert.der

上記で作成されたcacert.derをWindows側に移送し、ダブルクリックし、「証明書のインストール」ボタンを押下すると証明書インポートウィザードが起動しますので、「信頼されたルート証明機関」として保存しましょう。

証明書のインストールをクリック

 

ローカルコンピュータにインストールします

証明書をすべて次のストアに配置する→参照を選択

信頼されたルート証明機関として登録します

完了

 

これで煩わしい警告ポップアップはでなくなるはずです。

記事は以上!

この記事は役に立ちましたか? | Is this article useful for you?

評価をお願いします | Please leave your rating.

平均 | Av.: 0 / 5. 投票数 | Votes: 0

最初の評価を下さい | Please vote for the first rating.

-Linux Server
-, , , , , , , , ,

© 1999 - 2021 蒲田ネット