Spam Filters
In this part we focus on setting up an anti-spam service on our already configured server. We are going to configure OpenDKIM, SPF and PTR.
Install OpenDKIM and its tools:
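apt-get install opendkim opendkim-tools
mkdir -pv /etc/opendkim/
cd /etc/opendkim/
# -h takes the hash name written into the record's h= tag (sha256, not rsa-sha256)
opendkim-genkey -r -h sha256 -d cyberantigone.net -s mail
mv -v mail.private mail
# set ownership and permissions once the key exists, so the opendkim user can read it
chown -Rv opendkim:opendkim /etc/opendkim
chmod go-rwx /etc/opendkim/*
cat mail.txt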
This should print the DKIM key, which we then install on our DNS server. The p= value is a single base64 string with no spaces, and in h= RFC 6376 defines only sha1 and sha256 as hash names, so the tag reads h=sha256:
mail._domainkey.cyberantigone 300 TXT "v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbLRiNXX9zxAtdw45Vsd35d/1VQZUFG8ejfQu6aql74obJhTESaqANBbOkNaD0xb+2kuN/w+2725Gv2tTPAcHfBZogyazkwtNrlNQV2h3q4ub/UTkn0AHeq0P/RMtmhV+hKRzk0hcYWPlzWMoR5ZGWwMYdhbocTeBX4Mc2pWEYewIDAQAB"
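A check you can run on the record before publishing it, as an added example that is not part of the original post: it parses the tag list, confirms that h= only names hashes defined by RFC 6376, and reads the RSA modulus size out of p=. BAD_HASH is a constructed variant, and the 2048-bit threshold is an assumption taken from the RFC 8301 recommendation.

```python
import base64

# p= value from this page's record; whitespace inside it is dropped when parsing.
P = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbLRiNXX9zxAtdw45"
     "Vsd35d/1VQZUFG8ejfQu6aql74obJhTESaqANBbOkNaD0xb+2kuN/w+272"
     "5Gv2tTPAcHfBZogyazkwtNrlNQV2h3q4ub/UTkn0AHeq0P/RMtmhV+hKR"
     "zk0hcYWPlzWMoR5ZGWwMYdhbocTeBX4Mc2pWEYewIDAQAB")
GOOD = "v=DKIM1; h=sha256; k=rsa; p=" + P
BAD_HASH = "v=DKIM1; h=rsa-sha256; k=rsa; p=" + P  # constructed variant
KNOWN_HASHES = ("sha1", "sha256")                   # RFC 6376, section 3.6.1

def parse_tags(record):
    """Split a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def der_item(buf, pos):
    """Read one DER element at pos; return (value_bytes, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in p=."""
    spki, _ = der_item(base64.b64decode(p_b64, validate=True), 0)  # outer SEQUENCE
    _, pos = der_item(spki, 0)               # AlgorithmIdentifier, skipped
    bitstring, _ = der_item(spki, pos)       # BIT STRING holding RSAPublicKey
    rsa_key, _ = der_item(bitstring[1:], 0)  # skip the unused-bits octet
    modulus, _ = der_item(rsa_key, 0)        # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()

def audit(record, recommended_bits=2048):
    """Return a list of findings for a DKIM key record; empty means clean."""
    tags, findings = parse_tags(record), []
    unknown = [h for h in tags.get("h", "sha256").split(":") if h not in KNOWN_HASHES]
    if unknown:
        findings.append("h= has undefined hash: " + ",".join(unknown))
    bits = rsa_bits(tags["p"])
    if bits < recommended_bits:
        findings.append(f"RSA key is {bits} bits (< {recommended_bits})")
    return findings

print(audit(GOOD), audit(BAD_HASH))
```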
On our server we now set things up so that Postfix uses this key:
nano /etc/opendkim/KeyTable
cyberantigone.net cyberantigone.net:mail:/etc/opendkim/mail
nano /etc/opendkim/SigningTable
*@cyberantigone.net cyberantigone.net
nano /etc/opendkim/TrustedHosts
127.0.0.1
nano /etc/opendkim.conf
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
MinimumKeyBits 1024
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim
Now we go back to /etc/postfix/main.cf and add at the end of the file:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
Restart:
service opendkim restart
service postfix restart
SPF
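It is very simple to configure; just publish: cyberantigone 300 TXT "v=spf1 mx -all". This line means that only the hosts listed in the domain's MX records (here, the cyberantigone server itself) may send mail for cyberantigone, and mail from any other host fails. It sounds odd, but that is how it works.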
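How a receiving server evaluates this record, as an added example that is not part of the original post. The host names and addresses in MX and A are constructed (documentation ranges) and stand in for real DNS lookups; only the all, ip4, a and mx mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (documentation addresses), standing in for real lookups.
MX = {"cyberantigone.net": ["mail.cyberantigone.net"]}
A = {"mail.cyberantigone.net": ["203.0.113.10"],
     "cyberantigone.net": ["203.0.113.20"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(mech, arg, ip, domain):
    """True when the connecting IP matches one SPF mechanism."""
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return str(ip) in A.get(arg or domain, [])
    if mech == "mx":  # every address of every MX host of the domain
        return any(str(ip) in A.get(host, []) for host in MX.get(arg or domain, []))
    raise ValueError("mechanism not covered here: " + mech)


def check_spf(record, client_ip, domain):
    """Evaluate terms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mechanism_matches(mech.lower(), arg, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"


RECORD = "v=spf1 mx -all"  # the record from this page
for sender in ("203.0.113.10", "203.0.113.20", "198.51.100.7"):
    print(sender, check_spf(RECORD, sender, "cyberantigone.net"))
```

Note that 203.0.113.20, the constructed address of the bare domain, fails: the record authorizes the MX hosts only, not the domain's own A record.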
SPAM
Now for the good part. Many anti-spam tools exist; here we are going to use dspam. Install it with: apt-get install dspam dovecot-antispam postfix-pcre dovecot-sieve
Then we edit /etc/dspam/dspam.conf with:
Home /decrypted-mail/dspam
TrustedDeliveryAgent "/usr/sbin/sendmail"
UntrustedDeliveryAgent "/usr/lib/dovecot/deliver -d %u"
Tokenizer osb
IgnoreHeader X-Spam-Status
IgnoreHeader X-Spam-Scanned
IgnoreHeader X-Virus-Scanner-Result
IgnoreHeader X-Virus-Scanned
IgnoreHeader X-DKIM
IgnoreHeader DKIM-Signature
IgnoreHeader DomainKey-Signature
IgnoreHeader X-Google-Dkim-Signature
ParseToHeaders on
ChangeModeOnParse off
ChangeUserOnParse full
ServerPID /var/run/dspam/dspam.pid
ServerDomainSocketPath "/var/run/dspam/dspam.sock"
ClientHost /var/run/dspam/dspam.sock
Create the directory:
mkdir /decrypted-mail/dspam
chown dspam:dspam /decrypted-mail/dspam
The preferences for /etc/dspam/dspam.conf are edited in /etc/dspam/default.prefs, with these values:
spamAction=deliver # { quarantine | tag | deliver } -> default:quarantine
signatureLocation=headers # { message | headers } -> default:message
showFactors=on
Now we edit /etc/postfix/master.cf with:
dspam unix - n n - 10 pipe
  flags=Ru user=dspam argv=/usr/bin/dspam --deliver=innocent,spam --user $recipient -i -f $sender -- $recipient
dovecot unix - n n - - pipe
  flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
Then:
nano /etc/postfix/dspam_filter_access
/./ FILTER dspam:unix:/run/dspam/dspam.sock
And at the end of /etc/postfix/main.cf we paste:
# new settings for dspam
# (main.cf only treats # as a comment at the start of a line, so comments sit on their own lines)
# only scan one mail at a time
dspam_destination_recipient_limit = 1
# localhost doesn't get scanned (permit_sasl_authenticated); run dspam on everything else
smtpd_client_restrictions =
   permit_sasl_authenticated
   check_client_access pcre:/etc/postfix/dspam_filter_access
Now we integrate (no, this is not calculus class) IMAP and dspam:
nano /etc/dovecot/conf.d/20-imap.conf
mail_plugins = $mail_plugins antispam
And vice versa:
protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}
Next we define our spam folder in
/decrypted-mail/cyberantigone.net/drew/.dovecot.sieve
require ["regex", "fileinto", "imap4flags"];
# Catch mail tagged as Spam, except Spam retrained and delivered to the mailbox
if allof (header :regex "X-DSPAM-Result" "^(Spam|Virus|Bl[ao]cklisted)$",
          not header :contains "X-DSPAM-Reclassified" "Innocent") {
  # Mark as read
  setflag "\\Seen";
  # Move into the Junk folder
  fileinto "Spam";
  # Stop processing here
  stop;
}
And we configure /etc/dovecot/conf.d/90-plugin.conf with this:
plugin {
  ...
  # Antispam (DSPAM)
  antispam_backend = dspam
  antispam_allow_append_to_spam = YES
  antispam_spam = Spam;Junk
  antispam_trash = trash;Trash
  antispam_signature = X-DSPAM-Signature
  antispam_signature_missing = error
  antispam_dspam_binary = /usr/bin/dspam
  antispam_dspam_args = --user;%u;--deliver=;--source=error
  antispam_dspam_spam = --class=spam
  antispam_dspam_notspam = --class=innocent
  antispam_dspam_result_header = X-DSPAM-Result
}
Restart everything:
service postfix restart
service dovecot restart
With this we have finished our configuration, and we now have a secure, fast and reliable mail server. Obviously the webmail and some details on our server are still missing; look into them, it is as easy as it gets. Here I have focused only on the technical side of security and on configuring the server's anti-spam filter.