en:ressources:dossiers:nectux [2013/07/24 03:57] (current)
====== Necto Installation Instructions ======

{{:en:ressources:dossiers:dsc_7286.jpg?500|}}
===== - System preparation =====
<code>
# aptitude install ssh vim smartmontools screen sysstat hdparm dstat tmux htop
</code>

==== - smartd ====

Edit the smartd default parameters in /etc/default/smartmontools:
<code>
# grep -v "^#" /etc/default/smartmontools |grep -v "^$"
enable_smart="/dev/sda /dev/sdb"
start_smartd=yes
smartd_opts="--interval=1800"
</code>
Edit /etc/smartd.conf:
<code>
# grep -v "^#" /etc/smartd.conf |grep -v "^$"
/dev/sda -a -o on -S on -s (S/../.././02|L/../../6/03) -m root
/dev/sdb -a -o on -S on -s (S/../.././02|L/../../6/03) -m root
</code>

==== - Disable write cache on both hard drives ====
<code>
# hdparm -W 0 /dev/sd{a,b}

/dev/sda:
 setting drive write-caching to 0 (off)
 write-caching =  0 (off)

/dev/sdb:
 setting drive write-caching to 0 (off)
 write-caching =  0 (off)
</code>
===== - Necto account =====
Create the necto user and the **/var/necto** directory owned by necto.
<code>
# useradd -d /var/necto -m -r -s /bin/false necto
</code>

===== - OpenLDAP =====
Install slapd and the LDAP utilities:
<code>
# aptitude install slapd ldap-utils
</code>
==== - Activate syslog ====
slapd logs to the syslog facility local4.
<code>
# vim /etc/rsyslog.conf

local4.*                -/var/log/slapd.log
</code>

==== - Give a password to admin config ====
During the slapd installation, the Debian installer asks for a root password. It is stored as a salted SHA-1 hash ({SSHA}) and used for the admin user of the local LDAP database. We can copy the hashed value and reuse it as the root password of the cn=config database.

<code>
root@samchiel:/etc/ldap/slapd.d/cn=config# grep RootPW olcDatabase\=\{1\}hdb.ldif
olcRootPW:: e1NTSEF9NFdZWlZ5MWpzTVMyTlA0a0pKa3M4bEV6NWJxeDdyNmQ=
</code>

Now add this value to olcDatabase\=\{0\}config.ldif:
<code>
olcRootPW:: e1NTSEF9NFdZWlZ5MWpzTVMyTlA0a0pKa3M4bEV6NWJxeDdyNmQ=
</code>

Then restart slapd:
<code>
# service slapd restart
[ ok ] Stopping OpenLDAP: slapd.
[ ok ] Starting OpenLDAP: slapd.
</code>
==== - Configuration using cn=config ====

Unlike previous versions of OpenLDAP, 2.4 can use the cn=config database to manage configuration parameters. cn=config is a standard LDAP tree that can be accessed with any LDAP browser (I recommend Apache Directory Studio). Configure a connection to the local slapd instance using:
<file>
Bind DN: cn=admin,cn=config
Bind PW: the root password you specified during the slapd installation
Root DN: cn=config
</file>

=== - Change the log level ===
Once connected, you can change any configuration parameter. For example, to change the log level, go to the cn=config branch and set the **olcLogLevel** value to "stats sync ACL config filter".
This executes an ldapmodify operation similar to the one below:
<code>
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats sync ACL config filter
-
</code>

Now the **huge** advantage of cn=config is that it doesn't require a reload of slapd for the changes to take effect, unlike the configuration files.

=== - Configure the linuxwall.info database ===
Via cn=config, we can change the internal parameters of the dc=linuxwall,dc=info database. For example, to increase the cache size from 2MB (the default on Debian) to 20MB, edit the olcDbConfig inside olcDatabase={1}hdb as follows:
<file>
{0}set_cachesize 0 20971520 0
</file>
This will generate the following LDAP modification:
<code>
#!RESULT OK
#!CONNECTION ldap://192.168.1.153:389
#!DATE 2011-09-18T13:37:54.823
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcDbConfig
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {0}set_cachesize 0 20971520 0
-
</code>

We can also define more indexes, on the "cn" and "uid" attributes (the default configuration indexes objectClass only).
<code>
#!RESULT OK
#!CONNECTION ldap://192.168.1.153:389
#!DATE 2011-09-18T13:44:10.004
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn eq,sub,pres,approx
-

#!RESULT OK
#!CONNECTION ldap://192.168.1.153:389
#!DATE 2011-09-18T13:45:14.604
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
-
</code>

==== - Creating users ====

Use the Python script below to generate an **SSHA** password hash:
<code:python>
#!/usr/bin/env python3
import os
import hashlib
# OpenLDAP decodes {SSHA} values with the standard base64 alphabet (+ and /),
# so use b64encode/b64decode here rather than the URL-safe variants.
from base64 import b64encode, b64decode

def makeSecret(password):
    # {SSHA} = base64( SHA1(password + salt) + salt ) with a random 4-byte salt
    salt = os.urandom(4)
    h = hashlib.sha1(password.encode("utf-8"))
    h.update(salt)
    return "{SSHA}" + b64encode(h.digest() + salt).decode("ascii")

def checkPassword(challenge_password, password):
    # Split the stored value (after the 6-char "{SSHA}" prefix) into the
    # 20-byte SHA-1 digest and the salt, then recompute and compare.
    challenge_bytes = b64decode(challenge_password[6:])
    digest = challenge_bytes[:20]
    salt = challenge_bytes[20:]
    hr = hashlib.sha1(password.encode("utf-8"))
    hr.update(salt)
    return digest == hr.digest()

if __name__ == "__main__":
    cleartext_password = input("password > ")
    challenge_password = makeSecret(cleartext_password)
    print(challenge_password)
</code>

Edit the following LDIF:
<file>
dn: cn=Bob Kelso,ou=people,dc=linuxwall,dc=info
uid: bob
uidNumber: 10002
gidNumber: 998
sn: Kelso
cn: Bob Kelso
homeDirectory: /dev/null
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
mail: bob@linuxwall.info
userPassword: {SSHA}MJmued-ye7RLJlAjW_g6F5Qj_MYuRR74
</file>
Import the LDIF into LDAP:
<code>
# ldapadd -h 127.0.0.1 -p 389 -D "cn=admin,dc=linuxwall,dc=info" -W -f /root/bob.ldif
Enter LDAP Password:
adding new entry "cn=Bob Kelso,ou=people,dc=linuxwall,dc=info"
</code>
===== - Dovecot =====
Install the packages for IMAP and LMTP. This automatically enables Dovecot's IMAP support, listening for connections on tcp/143.
<code>
# apt-get install dovecot-imapd dovecot-lmtpd
</code>
==== - Home and Mail locations ====
Virtual users need a home directory. We will set that to **/var/necto/homedirs**. The Maildir goes under ~/mail, as set by mail_location below.
<file>
# vim /etc/dovecot/conf.d/10-mail.conf

mail_home = /var/necto/homedirs/%n
mail_location = maildir:~/mail
</file>

Create a **virtualusers** group as follows:
<code>
# groupadd -r virtualusers
# grep virtualusers /etc/group
virtualusers:x:998:
</code>
Users in LDAP must have gidNumber 998.

Now create the directory. It should be owned by **necto:virtualusers**.

<code>
# mkdir /var/necto/homedirs
# chown necto:virtualusers /var/necto/homedirs
# chmod g+rwx /var/necto/homedirs
</code>


==== - IMAP Authentication ====
Dovecot should already accept STARTTLS connections by default. Make sure plaintext authentication is disabled on unencrypted connections:
<file>
# vim /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes
auth_mechanisms = plain login digest-md5
</file>

In **/etc/dovecot/conf.d/10-master.conf**:
<file>
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
</file>

In **/etc/dovecot/conf.d/10-auth.conf**, uncomment the line
<file>
!include auth-ldap.conf.ext
</file>
The configuration of the LDAP auth driver is installed by the **dovecot-ldap** package into **/etc/dovecot/conf.d/auth-ldap.conf.ext**. The default is fine.

And then in **/etc/dovecot/dovecot-ldap.conf.ext**:
<file>
hosts = localhost:389
auth_bind = yes
ldap_version = 3
base = dc=linuxwall,dc=info
scope = subtree
user_attrs = uidNumber=uid, gidNumber=gid
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
</file>

==== - LMTP delivery from Postfix ====
In 10-master.conf, enable the LMTP service as follows:
<code>
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    user = postfix
    group = postfix
    mode = 0666
  }
}
</code>
The above creates a Unix socket inside Postfix's chroot. Now add this to **/etc/postfix/main.cf**:
<file>
mailbox_transport = lmtp:unix:private/dovecot-lmtp
</file>
And finally, tell Dovecot to use only the local part of the e-mail address (the part before the @) as the username when authenticating users. This is done in **/etc/dovecot/conf.d/10-auth.conf**:
<file>
auth_username_format = %n
</file>

===== - Postfix =====
==== - Auth ====
In main.cf:
<file>
mynetworks = 127.0.0.0/8 [::1]/128

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
</file>

Postfix will use the socket located in /var/spool/postfix/private/auth to connect to Dovecot, and Dovecot will verify the authentication against LDAP.

==== - TLS ====
To enable STARTTLS support in smtp and smtpd, in **main.cf**:
<file>
# TLS server options
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/certs/samchiel.linuxwall.info.key
smtpd_tls_cert_file = /etc/postfix/certs/samchiel.linuxwall.info.crt
smtpd_tls_CAfile = /etc/postfix/certs/ca-linuxwall.crt
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
smtpd_tls_mandatory_protocols = !SSLv2, SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
tls_preempt_cipherlist = yes

# TLS client options
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, SSLv3, TLSv1
smtp_tls_loglevel = 1
</file>
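Two of the settings above would be questioned in a review today: SSLv3 is still permitted in both protocol lists, and tls_high_cipherlist still admits RC4 suites. The following Python is an added example (not from the original page) that parses main.cf syntax, including continuation lines, and flags those settings; the page's values are embedded as the sample input (cipher list abridged), and the hardened variant is this editor's suggestion, not the page's.

```python
import re

# TLS settings copied from the main.cf above (cipher list abridged; the wrapped
# cipher list exercises Postfix continuation-line syntax).
PAGE_TLS_SETTINGS = """
# TLS server options
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:
    ECDHE-RSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
tls_preempt_cipherlist = yes
# TLS client options
smtp_tls_protocols = !SSLv2, SSLv3, TLSv1
"""

# Suggested replacement (editor's assumption, not the page's configuration):
# exclude SSLv3 explicitly and drop RC4 from the cipher list.
HARDENED_TLS_SETTINGS = """
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!RC4:!PSK
"""

def parse_main_cf(text):
    """Parse Postfix main.cf syntax: 'name = value' lines, '#' comment lines, and
    continuation lines that begin with whitespace (appended to the previous value)."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue          # not an assignment; ignore
        current = name.strip()
        params[current] = value.strip()
    return params

def audit_tls(params):
    """Return (parameter, finding) pairs for TLS settings that weaken the SMTP server."""
    findings = []
    if params.get("smtpd_tls_security_level", "") not in ("may", "encrypt"):
        findings.append(("smtpd_tls_security_level", "STARTTLS is not offered to clients"))
    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append(("smtpd_tls_auth_only", "SASL AUTH is allowed on unencrypted sessions"))
    for name in ("smtpd_tls_mandatory_protocols", "smtp_tls_protocols"):
        protocols = [p.strip() for p in params.get(name, "").split(",")]
        if "!SSLv3" not in protocols:
            findings.append((name, "SSLv3 is not excluded; use '!SSLv2, !SSLv3'"))
    # OpenSSL cipher strings are ':'-separated; a leading '!' removes a suite permanently.
    suites = re.split(r"[:\s]+", params.get("tls_high_cipherlist", ""))
    rc4 = [s for s in suites if "RC4" in s and not s.startswith("!")]
    if rc4:
        findings.append(("tls_high_cipherlist", "RC4 suites enabled: " + ", ".join(rc4)))
    return findings

if __name__ == "__main__":
    for param, finding in audit_tls(parse_main_cf(PAGE_TLS_SETTINGS)):
        print("%s: %s" % (param, finding))
```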

==== - DKIM ====
<code>
apt-get install opendkim-tools opendkim
</code>
Activate the TCP socket between Postfix and opendkim in **/etc/default/opendkim**:
<file>
SOCKET="inet:5001@localhost" # listen on loopback on port 5001
</file>
Configure **/etc/opendkim.conf** as follows:
<file>
Syslog yes
UMask 002
Domain linuxwall.info
KeyFile /etc/dkim/samchiel.private
Selector samchiel
Canonicalization simple
Mode sv
SubDomains no
AlwaysAddARHeader yes
OversignHeaders From
</file>
=== - DKIM key setup ===

Create **/etc/dkim**:
<code>
# mkdir /etc/dkim
# cd /etc/dkim/
</code>
Generate the signing key:
<code>
root:/etc/dkim# opendkim-genkey -s samchiel
root:/etc/dkim# ls
samchiel.private  samchiel.txt

root:/etc/dkim# cat samchiel.private
-----BEGIN RSA PRIVATE KEY-----
MII..............
................lm5vYaO/M6VrQOiC0TE=
-----END RSA PRIVATE KEY-----

root:/etc/dkim# cat samchiel.txt
samchiel._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWYz+pWFNyT0v0+HbRXmpHKR9f4A0kGtucwrbf+5we2YM8rUKoocg4itI18xsE4aB69SZo/oqkY7pqxiE3sNjv/mGaqb3+iiS4REj6sWoeRWZ0MGKdRjln2VKvAhtZOn03GLk1KSIyBMnzFiPOwyftscFdPWgTiRQVsj+OauqQBwIDAQAB" ; ----- DKIM key samchiel for linuxwall.info
</code>

Don't forget to give opendkim ownership of /etc/dkim so it can read the private key:
<code>
# chown opendkim /etc/dkim/ -R
</code>

Copy the DNS record into your zone, and test it using **dig**:
<code>
$ dig TXT samchiel._domainkey.linuxwall.info @ns0.linuxwall.info +short

"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWYz+pWFNyT0v0+HbRXmpHKR9f4A0kGtucwrbf+5we2YM8rUKoocg4itI18xsE4aB69SZo/oqkY7pqxiE3sNjv/mGaqb3+iiS4REj6sWoeRWZ0MGKdRjln2VKvAhtZOn03GLk1KSIyBMnzFiPOwyftscFdPWgTiRQVsj+OauqQBwIDAQAB\;"
</code>

Once your DNS records have propagated, use **opendkim-testkey** to verify the setup:
<code>
# opendkim-testkey -d linuxwall.info -s samchiel -k /etc/dkim/samchiel.private -vvv
opendkim-testkey: key loaded from /etc/dkim/samchiel.private
opendkim-testkey: checking key 'samchiel._domainkey.linuxwall.info'
opendkim-testkey: key not secure
opendkim-testkey: key OK
</code>
The message "key not secure" means that the key was verified correctly, but the DNS answer was not protected by DNSSEC.

=== - Integrate with Postfix ===
Restart the daemon so it picks up the SOCKET line set earlier in **/etc/default/opendkim**. It will now be listening on localhost:5001.
<code>
# netstat -taupen|grep LISTEN|grep 5001

tcp        0      0 127.0.0.1:5001          0.0.0.0:*               LISTEN      108        67516       26652/opendkim
</code>

Then tell Postfix to use this socket in **/etc/postfix/main.cf**:
<file>
# sign using opendkim
smtpd_milters = inet:localhost:5001
non_smtpd_milters = inet:localhost:5001
</file>
<note> As noted in the documentation of opendkim:
<file>
    (c) If you have a content filter in master.cf that feeds it back into a
        different smtpd process, you should alter the second smtpd process in
        master.cf to contain '-o receive_override_options=no_milters' to
        prevent messages being signed or verified twice.  For tips on avoiding
        DKIM signature breakage, see:
        http://www.postfix.org/MILTER_README.html#workarounds
</file>
</note>

Finally, try sending an email through Postfix. The recipient will receive it with the following headers:
<file>
Return-Path: <julien@linuxwall.info>
Delivered-To: xxx@xxxx.com
[.....]
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=linuxwall.info;
        s=samchiel; t=1342323330;
        bh=4mHBVj76U6YgzAm5ZVkHTVb7MpRdguQPtIH1WLoOPoA=;
        h=subject:Date:From:From;
        b=LRList01AdB2UuiHLw7xa/NQHaF28UdH/ufzu4EvPI4rmuUjx1/J2cENxlegy67Vi
        M9Aox0Q8OshTTDQForrGOzi7OFmvy3vsQh92JFVvVvq/VJ0kCD5aRn2qVCRnRRx/pa
        2RRCrEsaNMlYaiIl1Vsa7evw1gl9Wuz3K2arXg5w=
subject: test dkim signature
Message-Id: <20120715033517.6C78F17C0060@samchiel.linuxwall.info>
Date: Sat, 14 Jul 2012 23:35:12 -0400 (EDT)
From: julien@linuxwall.info

test caribou 12345.
</file>
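The DKIM-Signature above can be sanity-checked structurally before any verifier sees it. The following Python is an added example (not from the original page): it unfolds and parses the header and the dig output shown above, confirms that d=/s= match this server's signing setup and that From is oversigned as OversignHeaders From requires, and reads the key size out of the p= tag (the page's key is 1024-bit; current guidance is at least 2048). It does not verify the signature itself; the header and record values are copied from the page.

```python
import base64
import re

# DKIM-Signature header from the test message above, RFC 5322 folding kept.
SAMPLE_DKIM_SIGNATURE = """v=1; a=rsa-sha256; c=simple/simple; d=linuxwall.info;
        s=samchiel; t=1342323330;
        bh=4mHBVj76U6YgzAm5ZVkHTVb7MpRdguQPtIH1WLoOPoA=;
        h=subject:Date:From:From;
        b=LRList01AdB2UuiHLw7xa/NQHaF28UdH/ufzu4EvPI4rmuUjx1/J2cENxlegy67Vi
        M9Aox0Q8OshTTDQForrGOzi7OFmvy3vsQh92JFVvVvq/VJ0kCD5aRn2qVCRnRRx/pa
        2RRCrEsaNMlYaiIl1Vsa7evw1gl9Wuz3K2arXg5w="""

# Selector record exactly as dig printed it above (TXT quoting and \; escapes kept).
SAMPLE_DKIM_TXT = r'"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWYz+pWFNyT0v0+HbRXmpHKR9f4A0kGtucwrbf+5we2YM8rUKoocg4itI18xsE4aB69SZo/oqkY7pqxiE3sNjv/mGaqb3+iiS4REj6sWoeRWZ0MGKdRjln2VKvAhtZOn03GLk1KSIyBMnzFiPOwyftscFdPWgTiRQVsj+OauqQBwIDAQAB\;"'

def unfold_header(raw):
    """Join folded continuation lines (a line break followed by whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list such as 'v=1; a=rsa-sha256; ...'. Whitespace
    inside values is dropped, which is what the spec allows for the b=, bh= and h= tags."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item.strip())
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def parse_dkim_txt(record):
    """Parse the selector TXT record as printed by dig: strip quotes and the \\; escapes."""
    return parse_tag_list(record.strip().strip('"').replace("\\;", ";"))

def dkim_dns_name(sig):
    """Name a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (sig["s"], sig["d"])

def check_dkim_signature(sig, our_domain, our_selector):
    """Structural checks on an outbound signature (no cryptographic verification):
    required tags, our own d=/s=, and From oversigned as 'OversignHeaders From' produces."""
    problems = ["missing tag " + t for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in sig]
    if problems:
        return problems
    if sig["v"] != "1":
        problems.append("unsupported version " + sig["v"])
    if sig["a"] not in ("rsa-sha256", "rsa-sha1"):
        problems.append("unexpected algorithm " + sig["a"])
    if sig["d"].lower() != our_domain.lower() or sig["s"] != our_selector:
        problems.append("signed with %s/%s, expected %s/%s"
                        % (sig["d"], sig["s"], our_domain, our_selector))
    signed = [h.lower() for h in sig["h"].split(":")]
    if "from" not in signed:
        problems.append("From header is not signed (required by RFC 6376)")
    elif signed.count("from") < 2:
        # Listing From one extra time makes adding a second From header break the signature.
        problems.append("From header is signed but not oversigned")
    return problems

def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo (the decoded p= value):
    SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }."""
    tag, pos, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, alg_end = _der_read(spki_der, pos)               # skip AlgorithmIdentifier
    tag, bits_start, _ = _der_read(spki_der, alg_end)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, key_start, _ = _der_read(spki_der, bits_start + 1)  # +1 skips the unused-bits byte
    tag, n_start, n_end = _der_read(spki_der, key_start)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(spki_der[n_start:n_end], "big").bit_length()

def dkim_key_bits(txt_record):
    """Key size advertised by a selector record (k= defaults to rsa when absent)."""
    tags = parse_dkim_txt(txt_record)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("not an RSA DKIM key record")
    return rsa_modulus_bits(base64.b64decode(tags["p"]))
```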

==== - Postscreen ====
In **/etc/postfix/main.cf**:
<file>
# Postscreen configuration
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    dnsbl.njabl.org*2
    bl.spameatingmonkey.net*2
    dnsbl.ahbl.org
    bl.spamcop.net
    dnsbl.sorbs.net
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_greet_banner = Welcome. Please wait to be seated
postscreen_greet_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
</file>

And update **/etc/postfix/master.cf** to direct the **smtp** service to postscreen:
<file>
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
dnsblog   unix  -       -       -       -       0       dnsblog
tlsproxy  unix  -       -       -       -       0       tlsproxy
</file>

Restart Postfix, and test a connection on port 25:
<code>
$ nc 192.168.1.220 25
220-Welcome. Please wait to be seated
220 samchiel.linuxwall.info ESMTP Postfix (Debian/GNU)
^C
</code>

And activate postscreen TLS support in main.cf:
<file>
postscreen_tls_security_level = may
</file>
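The weighted DNSBL list above is easier to reason about with numbers in hand. This added Python example (not from the original page) parses the postscreen_dnsbl_sites value shown, computes the combined rank postscreen compares against postscreen_dnsbl_threshold, and pulls blocked clients out of postscreen log lines; the client addresses and log lines are constructed, and the sample uses the page's threshold of 3.

```python
import re

# Weighted DNSBL list from the main.cf above (name*weight; weight defaults to 1).
POSTSCREEN_DNSBL_SITES = """
    zen.spamhaus.org*3
    dnsbl.njabl.org*2
    bl.spameatingmonkey.net*2
    dnsbl.ahbl.org
    bl.spamcop.net
    dnsbl.sorbs.net
"""
POSTSCREEN_DNSBL_THRESHOLD = 3

def parse_dnsbl_sites(value):
    """Parse postscreen_dnsbl_sites entries 'domain[=d.d.d.d][*weight]' into {domain: weight}.
    Weights may be negative (allow-lists) and default to 1."""
    sites = {}
    for entry in value.split():
        name, _, weight = entry.partition("*")
        name = name.split("=", 1)[0]          # drop an optional =d.d.d.d reply filter
        sites[name] = int(weight) if weight else 1
    return sites

def dnsbl_query_name(client_ip, dnsbl):
    """Name that dnsblog(8) looks up for an IPv4 client: reversed octets under the DNSBL zone."""
    return ".".join(reversed(client_ip.split("."))) + "." + dnsbl

def dnsbl_rank(sites, listed_in):
    """Combined score: the weights of every list the client appears in, each list counted once."""
    return sum(sites.get(name, 0) for name in set(listed_in))

def postscreen_verdict(sites, threshold, listed_in):
    """With postscreen_dnsbl_action = enforce, a client is rejected once its rank
    reaches postscreen_dnsbl_threshold (the bound is inclusive)."""
    rank = dnsbl_rank(sites, listed_in)
    return ("enforce" if rank >= threshold else "pass", rank)

# Constructed postscreen log lines (addresses from documentation ranges) in the
# "DNSBL rank N for [ip]:port" form postscreen logs after the lookups complete.
SAMPLE_POSTSCREEN_LOG = """
Jul 24 03:57:01 samchiel postfix/postscreen[30111]: CONNECT from [198.51.100.7]:41022 to [192.168.1.220]:25
Jul 24 03:57:02 samchiel postfix/postscreen[30111]: DNSBL rank 5 for [198.51.100.7]:41022
Jul 24 03:57:09 samchiel postfix/postscreen[30111]: CONNECT from [203.0.113.9]:50122 to [192.168.1.220]:25
Jul 24 03:57:10 samchiel postfix/postscreen[30111]: DNSBL rank 1 for [203.0.113.9]:50122
"""
DNSBL_RANK_RE = re.compile(r"postfix/postscreen\[\d+\]: DNSBL rank (\d+) for \[([^\]]+)\]:\d+")

def blocked_clients_from_log(log_text, threshold):
    """Return {client_ip: rank} for clients whose logged DNSBL rank reached the threshold."""
    blocked = {}
    for line in log_text.splitlines():
        m = DNSBL_RANK_RE.search(line)
        if m and int(m.group(1)) >= threshold:
            blocked[m.group(2)] = int(m.group(1))
    return blocked

if __name__ == "__main__":
    sites = parse_dnsbl_sites(POSTSCREEN_DNSBL_SITES)
    print(postscreen_verdict(sites, POSTSCREEN_DNSBL_THRESHOLD, ["bl.spamcop.net", "dnsbl.sorbs.net"]))
    print(blocked_clients_from_log(SAMPLE_POSTSCREEN_LOG, POSTSCREEN_DNSBL_THRESHOLD))
```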
==== - Submission ====
When sending email, do not use port tcp/25. Use tcp/587 so that DSPAM will not inspect outgoing emails. To do so, enable the submission service in **/etc/postfix/master.cf**:
<file>
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
</file>
==== - Recipient control via LDAP ====
Postfix must be able to query the LDAP directory to verify that the recipients of incoming e-mail exist in the directory.
Create this file as **/etc/postfix/ldap_recipient_map.cf**:
<file>
server_host = localhost
server_port = 389
search_base = ou=people,dc=linuxwall,dc=info
query_filter = (mail=%s)
result_attribute = mail
</file>
And add this directive to **main.cf**:
<file>
local_recipient_maps = ldap:/etc/postfix/ldap_recipient_map.cf, $alias_maps
</file>
Reload Postfix. You can test this lookup using the postmap command:
<code>
# postmap -q julien@linuxwall.info ldap:/etc/postfix/ldap_recipient_map.cf
julien@linuxwall.info
</code>
If the command returns nothing, then the lookup has failed.

===== - DSPAM =====
Install PostgreSQL first.
<code>
# apt-get install postgresql
</code>
Then, install dspam and libdspam7-drv-pgsql:
<code>
# apt-get install dspam libdspam7-drv-pgsql
</code>
dpkg will attempt to create the dspam database. If this fails (as it did for me), you can create it manually. Connect to postgres, change the password of the "dspam" role (or create it, if it's missing), and load the SQL for the database creation.
<code>
# su postgres
postgres@samchiel:/etc/dspam/dspam.d$ psql
psql (9.1.4)
Type "help" for help.

postgres=# alter role dspam password 'oqwidh1o2ehfg93rtogh09yh5j06534vskdbf';
ALTER ROLE

postgres=# \c dspam
You are now connected to database "dspam" as user "postgres".

dspam=# \i /usr/share/dbconfig-common/data/libdspam7-drv-pgsql/install/pgsql

dspam=# \d

                   List of relations
 Schema |          Name          |   Type   |  Owner
--------+------------------------+----------+----------
 public | dspam_preferences      | table    | postgres
 public | dspam_signature_data   | table    | postgres
 public | dspam_stats            | table    | postgres
 public | dspam_token_data       | table    | postgres
 public | dspam_virtual_uids     | table    | postgres
 public | dspam_virtual_uids_seq | sequence | postgres
(6 rows)

dspam=# alter table dspam_preferences owner to dspam;
ALTER TABLE
dspam=# alter table dspam_signature_data owner to dspam;
ALTER TABLE
dspam=# alter table dspam_st

ats owner to dspam;
ALTER TABLE
dspam=# alter table dspam_token_data owner to dspam;
ALTER TABLE
dspam=# alter table dspam_virtual_uids owner to dspam;
ALTER TABLE
dspam=# alter sequence dspam_virtual_uids_seq owner to dspam;
ALTER SEQUENCE

</code>

Configure **/etc/dspam/dspam.d/pgsql.conf** as follows:
<file>
PgSQLServer 127.0.0.1
PgSQLPort 5432
PgSQLUser dspam
PgSQLPass oqwidh1o2ehfg93rtogh
PgSQLDb dspam
PgSQLConnectionCache 3
</file>
<note>I've had issues with PgSQLPass that were too long, so don't go beyond 32 characters.</note>
And enable the daemon in **/etc/default/dspam**:
<file>
# Variables for dspam.
#
# Do not start dspam.
START=yes
</file>
==== - dspam.conf ====

See http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:dspam

<file>
Home /var/spool/dspam
StorageDriver /usr/lib/x86_64-linux-gnu/dspam/libpgsql_drv.so
TrustedDeliveryAgent "/usr/bin/procmail"
DeliveryHost 127.0.0.1
DeliveryPort 5003
DeliveryIdent localhost
DeliveryProto SMTP
EnablePlusedDetail on
PlusedCharacter +
PlusedUserLowercase on
OnFail error
Trust root
Trust dspam
Trust www-data
Trust mail
Trust daemon
TrainingMode tum
TestConditionalTraining on
Feature whitelist
Algorithm graham burton
Tokenizer osb
PValue bcr
WebStats on
ImprobabilityDrive on
Preference "trainingMode=TUM" # { TOE | TUM | TEFT | NOTRAIN } -> default:teft
Preference "spamAction=deliver" # { quarantine | tag | deliver } -> default:quarantine
Preference "spamSubject=[SPAM]" # { string } -> default:[SPAM]
Preference "statisticalSedation=5" # { 0 - 10 } -> default:0
Preference "enableBNR=on" # { on | off } -> default:off
Preference "enableWhitelist=on" # { on | off } -> default:on
Preference "signatureLocation=headers" # { message | headers } -> default:message
Preference "tagSpam=off" # { on | off }
Preference "tagNonspam=off" # { on | off }
Preference "showFactors=on" # { on | off } -> default:off
Preference "optIn=off" # { on | off }
Preference "optOut=off" # { on | off }
Preference "whitelistThreshold=10" # { Integer } -> default:10
Preference "makeCorpus=off" # { on | off } -> default:off
Preference "storeFragments=off" # { on | off } -> default:off
Preference "localStore=" # { on | off } -> default:username
Preference "processorBias=on" # { on | off } -> default:on
Preference "fallbackDomain=off" # { on | off } -> default:off
Preference "trainPristine=off" # { on | off } -> default:off
Preference "optOutClamAV=off" # { on | off } -> default:off
Preference "ignoreRBLLookups=off" # { on | off } -> default:off
Preference "RBLInoculate=off" # { on | off } -> default:off
Preference "notifications=off" # { on | off } -> default:off
AllowOverride enableBNR
AllowOverride enableWhitelist
AllowOverride fallbackDomain
AllowOverride ignoreGroups
AllowOverride ignoreRBLLookups
AllowOverride localStore
AllowOverride makeCorpus
AllowOverride optIn
AllowOverride optOut
AllowOverride optOutClamAV
AllowOverride processorBias
AllowOverride RBLInoculate
AllowOverride showFactors
AllowOverride signatureLocation
AllowOverride spamAction
AllowOverride spamSubject
AllowOverride statisticalSedation
AllowOverride storeFragments
AllowOverride tagNonspam
AllowOverride tagSpam
AllowOverride trainPristine
AllowOverride trainingMode
AllowOverride whitelistThreshold
AllowOverride dailyQuarantineSummary
AllowOverride notifications
IgnoreHeader Accept-Language
IgnoreHeader Approved
IgnoreHeader Archive
IgnoreHeader Authentication-Results
IgnoreHeader Cache-Post-Path
IgnoreHeader Cancel-Key
IgnoreHeader Cancel-Lock
IgnoreHeader Complaints-To
IgnoreHeader Content-Description
IgnoreHeader Content-Disposition
IgnoreHeader Content-ID
IgnoreHeader Content-Language
IgnoreHeader Content-Return
IgnoreHeader Content-Transfer-Encoding
IgnoreHeader Content-Type
IgnoreHeader DKIM-Signature
IgnoreHeader Date
IgnoreHeader Disposition-Notification-To
IgnoreHeader DomainKey-Signature
IgnoreHeader Importance
IgnoreHeader In-Reply-To
IgnoreHeader Injection-Info
IgnoreHeader Lines
IgnoreHeader List-Archive
IgnoreHeader List-Help
IgnoreHeader List-Id
IgnoreHeader List-Post
IgnoreHeader List-Subscribe
IgnoreHeader List-Unsubscribe
IgnoreHeader Message-ID
IgnoreHeader Message-Id
IgnoreHeader NNTP-Posting-Date
IgnoreHeader NNTP-Posting-Host
IgnoreHeader Newsgroups
IgnoreHeader OpenPGP
IgnoreHeader Organization
IgnoreHeader Originator
IgnoreHeader PGP-ID
IgnoreHeader Path
IgnoreHeader Received
IgnoreHeader Received-SPF
IgnoreHeader References
IgnoreHeader Reply-To
IgnoreHeader Resent-Date
IgnoreHeader Resent-From
IgnoreHeader Resent-Message-ID
IgnoreHeader Thread-Index
IgnoreHeader Thread-Topic
IgnoreHeader User-Agent
IgnoreHeader X--MailScanner-SpamCheck
IgnoreHeader X-AV-Scanned
IgnoreHeader X-AVAS-Spam-Level
IgnoreHeader X-AVAS-Spam-Score
IgnoreHeader X-AVAS-Spam-Status
IgnoreHeader X-AVAS-Spam-Symbols
IgnoreHeader X-AVAS-Virus-Status
IgnoreHeader X-AVK-Virus-Check
IgnoreHeader X-Abuse
IgnoreHeader X-Abuse-Contact
IgnoreHeader X-Abuse-Info
IgnoreHeader X-Abuse-Management
IgnoreHeader X-Abuse-To
IgnoreHeader X-Abuse-and-DMCA-Info
IgnoreHeader X-Accept-Language
IgnoreHeader X-Admission-MailScanner-SpamCheck
IgnoreHeader X-Admission-MailScanner-SpamScore
IgnoreHeader X-Amavis-Alert
IgnoreHeader X-Amavis-Hold
IgnoreHeader X-Amavis-Modified
IgnoreHeader X-Amavis-OS-Fingerprint
IgnoreHeader X-Amavis-PenPals
IgnoreHeader X-Amavis-PolicyBank
IgnoreHeader X-AntiVirus
IgnoreHeader X-Antispam
IgnoreHeader X-Antivirus
IgnoreHeader X-Antivirus-Scanner
IgnoreHeader X-Antivirus-Status
IgnoreHeader X-Archive
IgnoreHeader X-Assp-Spam-Prob
IgnoreHeader X-Attention
IgnoreHeader X-BTI-AntiSpam
IgnoreHeader X-Barracuda
IgnoreHeader X-Barracuda-Bayes
IgnoreHeader X-Barracuda-Spam-Flag
IgnoreHeader X-Barracuda-Spam-Report
IgnoreHeader X-Barracuda-Spam-Score
IgnoreHeader X-Barracuda-Spam-Status
IgnoreHeader X-Barracuda-Virus-Scanned
IgnoreHeader X-BeenThere
IgnoreHeader X-Bogosity
IgnoreHeader X-Brightmail-Tracker
IgnoreHeader X-CRM114-CacheID
IgnoreHeader X-CRM114-Status
IgnoreHeader X-CRM114-Version
IgnoreHeader X-CTASD-IP
IgnoreHeader X-CTASD-RefID
IgnoreHeader X-CTASD-Sender
IgnoreHeader X-Cache
IgnoreHeader X-ClamAntiVirus-Scanner
IgnoreHeader X-Comment-To
IgnoreHeader X-Comments
IgnoreHeader X-Complaints
IgnoreHeader X-Complaints-Info
IgnoreHeader X-Complaints-To
IgnoreHeader X-DKIM
IgnoreHeader X-DMCA-Complaints-To
IgnoreHeader X-DMCA-Notifications
IgnoreHeader X-Despammed-Tracer
IgnoreHeader X-ELTE-SpamCheck
IgnoreHeader X-ELTE-SpamCheck-Details
IgnoreHeader X-ELTE-SpamScore
IgnoreHeader X-ELTE-SpamVersion
IgnoreHeader X-ELTE-VirusStatus
IgnoreHeader X-Enigmail-Supports
IgnoreHeader X-Enigmail-Version
IgnoreHeader X-Evolution-Source
IgnoreHeader X-Extra-Info
IgnoreHeader X-FSFE-MailScanner
IgnoreHeader X-FSFE-MailScanner-From
IgnoreHeader X-Face
IgnoreHeader X-Fellowship-MailScanner
IgnoreHeader X-Fellowship-MailScanner-From
IgnoreHeader X-Forwarded
IgnoreHeader X-GMX-Antispam
IgnoreHeader X-GMX-Antivirus
IgnoreHeader X-GPG-Fingerprint
IgnoreHeader X-GPG-Key-ID
IgnoreHeader X-GPS-DegDec
IgnoreHeader X-GPS-MGRS
IgnoreHeader X-GWSPAM
IgnoreHeader X-Gateway
IgnoreHeader X-Greylist
IgnoreHeader X-HTMLM
IgnoreHeader X-HTMLM-Info
IgnoreHeader X-HTMLM-Score
IgnoreHeader X-HTTP-Posting-Host
IgnoreHeader X-HTTP-UserAgent
IgnoreHeader X-HTTP-Via
IgnoreHeader X-Headers-End
IgnoreHeader X-ID
IgnoreHeader X-IMAIL-SPAM-STATISTICS
IgnoreHeader X-IMAIL-SPAM-URL-DBL
IgnoreHeader X-IMAIL-SPAM-VALFROM
IgnoreHeader X-IMAIL-SPAM-VALHELO
IgnoreHeader X-IMAIL-SPAM-VALREVDNS
IgnoreHeader X-Info
IgnoreHeader X-IronPort-Anti-Spam-Filtered
IgnoreHeader X-IronPort-Anti-Spam-Result
IgnoreHeader X-KSV-Antispam
IgnoreHeader X-Kaspersky-Antivirus
IgnoreHeader X-MDAV-Processed
IgnoreHeader X-MDRemoteIP
IgnoreHeader X-MDaemon-Deliver-To
IgnoreHeader X-MIE-MailScanner-SpamCheck
IgnoreHeader X-MIMEOLE
IgnoreHeader X-MIMETrack
IgnoreHeader X-MMS-Spam-Filter-ID
IgnoreHeader X-MS-Exchange-Forest-RulesExecuted
IgnoreHeader X-MS-Exchange-Organization-Antispam-Report
IgnoreHeader X-MS-Exchange-Organization-AuthAs
IgnoreHeader X-MS-Exchange-Organization-AuthDomain
IgnoreHeader X-MS-Exchange-Organization-AuthMechanism
IgnoreHeader X-MS-Exchange-Organization-AuthSource
IgnoreHeader X-MS-Exchange-Organization-Journal-Report
IgnoreHeader X-MS-Exchange-Organization-Original-Scl
IgnoreHeader X-MS-Exchange-Organization-Original-Sender
IgnoreHeader X-MS-Exchange-Organization-OriginalArrivalTime
IgnoreHeader X-MS-Exchange-Organization-OriginalSize
IgnoreHeader X-MS-Exchange-Organization-PCL
IgnoreHeader X-MS-Exchange-Organization-Quarantine
IgnoreHeader X-MS-Exchange-Organization-SCL
IgnoreHeader X-MS-Exchange-Organization-SenderIdResult
IgnoreHeader X-MS-Has-Attach
IgnoreHeader X-MS-TNEF-Correlator
IgnoreHeader X-MSMail-Priority
IgnoreHeader X-MailScanner
IgnoreHeader X-MailScanner-Information
IgnoreHeader X-MailScanner-SpamCheck
IgnoreHeader X-Mailer
IgnoreHeader X-Mailman-Version
IgnoreHeader X-Mlf-Spam-Status
IgnoreHeader X-NAI-Spam-Checker-Version
IgnoreHeader X-NAI-Spam-Flag
IgnoreHeader X-NAI-Spam-Level
IgnoreHeader X-NAI-Spam-Report
IgnoreHeader X-NAI-Spam-Route
IgnoreHeader X-NAI-Spam-Rules
IgnoreHeader X-NAI-Spam-Score
IgnoreHeader X-NAI-Spam-Threshold
IgnoreHeader X-NEWT-spamscore
IgnoreHeader X-NNTP-Posting-Date
IgnoreHeader X-NNTP-Posting-Host
IgnoreHeader X-NetcoreISpam1-ECMScanner
IgnoreHeader X-NetcoreISpam1-ECMScanner-From
IgnoreHeader X-NetcoreISpam1-ECMScanner-Information
IgnoreHeader X-NetcoreISpam1-ECMScanner-SpamCheck
IgnoreHeader X-NetcoreISpam1-ECMScanner-SpamScore
IgnoreHeader X-Newsreader
IgnoreHeader X-Newsserver
IgnoreHeader X-No-Archive
IgnoreHeader X-No-Spam
IgnoreHeader X-OSBF-Lua-Score
IgnoreHeader X-OWM-SpamCheck
IgnoreHeader X-OWM-VirusCheck
IgnoreHeader X-Olypen-Virus
IgnoreHeader X-Orig-Path
IgnoreHeader X-OriginalArrivalTime
IgnoreHeader X-Originating-IP
IgnoreHeader X-PAA-AntiVirus
IgnoreHeader X-PAA-AntiVirus-Message
IgnoreHeader X-PGP-Fingerprint
IgnoreHeader X-PGP-Hash
IgnoreHeader X-PGP-ID
IgnoreHeader X-PGP-Key
IgnoreHeader X-PGP-Key-Fingerprint
IgnoreHeader X-PGP-KeyID
IgnoreHeader X-PGP-Sig
IgnoreHeader X-PIRONET-NDH-MailScanner-SpamCheck
IgnoreHeader X-PIRONET-NDH-MailScanner-SpamScore
IgnoreHeader X-PMX
IgnoreHeader X-PMX-Version
IgnoreHeader X-PN-SPAMFiltered
IgnoreHeader X-Posting-Agent
IgnoreHeader X-Posting-ID
IgnoreHeader X-Posting-IP
IgnoreHeader X-Priority
IgnoreHeader X-Proofpoint-Spam-Details
IgnoreHeader X-Qmail-Scanner-1.25st
IgnoreHeader X-Quarantine-ID
IgnoreHeader X-RAV-AntiVirus
IgnoreHeader X-RITmySpam
IgnoreHeader X-RITmySpam-IP
IgnoreHeader X-RITmySpam-Spam
IgnoreHeader X-Rc-Spam
IgnoreHeader X-Rc-Virus
IgnoreHeader X-Received-Date
IgnoreHeader X-RedHat-Spam-Score
IgnoreHeader X-RedHat-Spam-Warning
IgnoreHeader X-RegEx
IgnoreHeader X-RegEx-Score
IgnoreHeader X-Rocket-Spam
IgnoreHeader X-SA-GROUP
IgnoreHeader X-SA-RECEIPTSTATUS
IgnoreHeader X-STA-NotSpam
IgnoreHeader X-STA-Spam
IgnoreHeader X-Scam-grey
IgnoreHeader X-Scanned-By
IgnoreHeader X-Sender
IgnoreHeader X-SenderID
IgnoreHeader X-Sohu-Antivirus
IgnoreHeader X-Spam
IgnoreHeader X-Spam-ASN
IgnoreHeader X-Spam-Check
IgnoreHeader X-Spam-Checked-By
IgnoreHeader X-Spam-Checker
IgnoreHeader X-Spam-Checker-Version
IgnoreHeader X-Spam-Clean
IgnoreHeader X-Spam-DCC
IgnoreHeader X-Spam-Details
IgnoreHeader X-Spam-Filter
IgnoreHeader X-Spam-Filtered
IgnoreHeader X-Spam-Flag
IgnoreHeader X-Spam-Level
IgnoreHeader X-Spam-OrigSender
IgnoreHeader X-Spam-Pct
IgnoreHeader X-Spam-Prev-Subject
IgnoreHeader X-Spam-Processed
IgnoreHeader X-Spam-Pyzor
IgnoreHeader X-Spam-Rating
IgnoreHeader X-Spam-Report
IgnoreHeader X-Spam-Scanned
IgnoreHeader X-Spam-Score
IgnoreHeader X-Spam-Status
IgnoreHeader X-Spam-Tagged
IgnoreHeader X-Spam-Tests
IgnoreHeader X-Spam-Tests-Failed
IgnoreHeader X-Spam-Virus
IgnoreHeader X-Spam-Warning
IgnoreHeader X-Spam-detection-level
IgnoreHeader X-SpamAssassin-Clean
IgnoreHeader X-SpamAssassin-Warning
IgnoreHeader X-SpamBouncer
IgnoreHeader X-SpamCatcher-Score
IgnoreHeader X-SpamCop-Checked
IgnoreHeader X-SpamCop-Disposition
IgnoreHeader X-SpamCop-Whitelisted
IgnoreHeader X-SpamDetected
IgnoreHeader X-SpamInfo
IgnoreHeader X-SpamPal
IgnoreHeader X-SpamPal-Timeout
IgnoreHeader X-SpamReason
IgnoreHeader X-SpamScore
IgnoreHeader X-SpamTest-Categories
IgnoreHeader X-SpamTest-Info
IgnoreHeader X-SpamTest-Method
IgnoreHeader X-SpamTest-Status
IgnoreHeader X-SpamTest-Version
IgnoreHeader X-Spamadvice
IgnoreHeader X-Spamarrest-noauth
IgnoreHeader X-Spamarrest-speedcode
IgnoreHeader X-Spambayes-Classification
IgnoreHeader X-Spamcount
IgnoreHeader X-Spamsensitivity
IgnoreHeader X-TERRACE-SPAMMARK
IgnoreHeader X-TERRACE-SPAMRATE
IgnoreHeader X-TM-AS-Category-Info
IgnoreHeader X-TM-AS-MatchedID
IgnoreHeader X-TM-AS-Product-Ver
 +IgnoreHeader X-TM-AS-Result
 +IgnoreHeader X-TMWD-Spam-Summary
 +IgnoreHeader X-TNEFEvaluated
 +IgnoreHeader X-Text-Classification
 +IgnoreHeader X-Text-Classification-Data
 +IgnoreHeader X-Trace
 +IgnoreHeader X-UCD-Spam-Score
 +IgnoreHeader X-User-Agent
 +IgnoreHeader X-User-ID
 +IgnoreHeader X-User-System
 +IgnoreHeader X-Virus-Check
 +IgnoreHeader X-Virus-Checked
 +IgnoreHeader X-Virus-Checker-Version
 +IgnoreHeader X-Virus-Scan
 +IgnoreHeader X-Virus-Scanned
 +IgnoreHeader X-Virus-Scanner
 +IgnoreHeader X-Virus-Scanner-Result
 +IgnoreHeader X-Virus-Status
 +IgnoreHeader X-VirusChecked
 +IgnoreHeader X-Virusscan
 +IgnoreHeader X-WSS-ID
 +IgnoreHeader X-WinProxy-AntiVirus
 +IgnoreHeader X-WinProxy-AntiVirus-Message
 +IgnoreHeader X-Yandex-Forward
 +IgnoreHeader X-Yandex-Front
 +IgnoreHeader X-Yandex-Spam
 +IgnoreHeader X-Yandex-TimeMark
 +IgnoreHeader X-cid
 +IgnoreHeader X-iHateSpam-Checked
 +IgnoreHeader X-iHateSpam-Quarantined
 +IgnoreHeader X-policyd-weight
 +IgnoreHeader X-purgate
 +IgnoreHeader X-purgate-Ad
 +IgnoreHeader X-purgate-ID
 +IgnoreHeader X-sgxh1
 +IgnoreHeader X-to-viruscore
 +IgnoreHeader Xref
 +IgnoreHeader acceptlanguage
 +IgnoreHeader thread-index
 +IgnoreHeader x-uscspam
 +Notifications off
 +PurgeSignature off #​ Specified in purge.sql
 +PurgeNeutral 90
 +PurgeUnused off #​ Specified in purge.sql
 +PurgeHapaxes off #​ Specified in purge.sql
 +PurgeHits1S off #​ Specified in purge.sql
 +PurgeHits1I off #​ Specified in purge.sql
 +LocalMX 127.0.0.1
 +SystemLog on
 +UserLog on
 +Opt out
 +ParseToHeaders on
 +ChangeModeOnParse on
 +ChangeUserOnParse full
 +ServerHost 127.0.0.1
 +ServerPort 5002
 +ServerQueueSize 32
 +ServerPID /​var/​run/​dspam/​dspam.pid
 +ServerMode auto
 +ServerParameters "​--deliver=innocent,​spam -d %u"
 +ServerIdent "​localhost.localdomain"​
 +ProcessorURLContext on
 +ProcessorBias on
 +StripRcptDomain off
 +Include /​etc/​dspam/​dspam.d/​
 +</​file>​
 +==== - Dspam routes to Postfix ====
 +Dspam will receive email to inspect on port tcp/5002, and return them to postfix on port tcp/5003. Therefore, postfix needs to have a listening port on tcp/5003.
 +
 +Add this to the end of **/​etc/​postfix/​master.cf**
 +<​file>​
 +#Dspam return route
 +127.0.0.1:​5003 inet n  -       ​n ​      ​- ​       -      smtpd
 +      -o content_filter=
 +      -o receive_override_options=no_unknown_recipient_checks,​no_header_body_checks,​no_milters
 +      -o smtpd_helo_restrictions=
 +      -o smtpd_client_restrictions=
 +      -o smtpd_sender_restrictions=
 +      -o smtpd_recipient_restrictions=permit_mynetworks,​reject
 +      -o mynetworks=127.0.0.0/​8
 +      -o smtpd_authorized_xforward_hosts=127.0.0.0/​8
 +</​file>​
 +
 +And update the **smtp** line of postfix to submit incoming emails to dspam, still in **master.cf**.
 +<​file>​
 +smtpd     ​pass ​ -       ​- ​      ​- ​      ​- ​      ​- ​      smtpd
 +        -o content_filter=lmtp:​127.0.0.1:​5002
 +</​file>​
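Review bot: the prose says to update the **smtp** line, but the block patches `smtpd pass`, which is the internal pass-through service used behind postscreen; on a master.cf without postscreen the inbound service is the `smtp inet ... smtpd` line, and the `-o content_filter=lmtp:127.0.0.1:5002` option has to go on that line or mail never reaches dspam. The 5003 return route itself looks right: `mynetworks=127.0.0.0/8` together with `smtpd_recipient_restrictions=permit_mynetworks,reject` keeps the unfiltered re-injection port closed to anything but local processes, and the empty `content_filter=` prevents a filter loop.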
 +
 +==== - Dspam Maintenance ====
 +Add this to **/​etc/​crontab**
 +<​file>​
 +30 4    * * *   ​dspam ​  /​usr/​bin/​dspam_logrotate -a 60 -d /​var/​spool/​dspam/​data/​
 +30 4    * * *   ​dspam ​  /​usr/​bin/​dspam_maintenance
 +</​file>​
 +===== - Additional configuration =====
 +==== - Enable support for plussed addresses ====
 +Addresses of the form **user+something@domain.com**,​ where "​something"​ is a random string that is not part of the username. ​
 +To enable support for plussed addresses, go to **/​etc/​dovecot/​conf.d/​15-lda.conf** and set **recipient_delimiter** as follow:
 +<​file>​
 +recipient_delimiter = +
 +</​file>​
 +Same in **/​etc/​postfix/​main.cf**:​
 +<​file>​
 +recipient_delimiter = +
 +</​file>​
 +And in **/​etc/​dspam/​dspam.conf**:​
 +<​file>​
 +PlusedCharacter +
 +</​file>​
 +===== - Sieve =====
 +<​code>​
 +# apt-get install dovecot-managesieved dovecot-sieve
 +</​code>​
 +Edit the managesieve configuration in **/​etc/​dovecot/​conf.d/​20-managesieve.conf**:​
 +<​file>​
 +service managesieve-login {
 +  inet_listener sieve {
 +    port = 4190
 +  }
 +  service_count = 1
 +  process_min_avail = 1
 +  vsz_limit = 64M
 +}
 +service managesieve {
 +}
 +protocol sieve {
 +  mail_max_userip_connections = 3
 +}
 +</​file>​
 +
 +And configure the sieve service itself in **/​etc/​dovecot/​conf.d/​90-sieve.conf**.
 +<​file>​
 +plugin {
 +  sieve = ~/​.dovecot.sieve
 +  sieve_dir = ~/sieve
 +   
 +  recipient_delimiter = +
 +  sieve_max_script_size = 10M
 +  sieve_max_actions = 1024
 +  sieve_max_redirects = 64
 +}
 +</​file>​
 +
 +Reload dovecot, and tcp/4190 will be listening for sieve connectionss.
 +<​code>​
 +# netstat -taupen|grep LISTEN|grep 4190
 +tcp        0      0 0.0.0.0:​4190 ​           0.0.0.0:​* ​              ​LISTEN ​     0          11253       ​3228/​dovecot ​   ​
 +tcp6       ​0 ​     0 :::​4190 ​                :::​* ​                   LISTEN ​     0          11254       ​3228/​dovecot
 +</​code>​
 +
 +Test the connection using **sieve-connect** as follow:
 +To test the authentication,​ generate credentials using this perl script:
 +<code perl>
 +#​!/​usr/​bin/​perl
 +# Stephan Bosch, stephan@rename-it.nl
 +use MIME::​Base64;​
 +use strict;
 +my $username = shift;
 +my $password = shift;
 +my $userpass = "​\x00"​.$username."​\x00"​.$password."";​
 +my $encode=encode_base64($userpass);​
 +$encode =~ s/^\s+//;
 +$encode =~ s/\s+$//;
 +print "​AUTHENTICATE \"​PLAIN\"​ \"​$encode\"​\r\n";​
 +</​code>​
 +And use the returned AUTHENTICATE string into a netcat connection to the managesieve port:
 +<​code>​
 +# nc localhost 4190
 +
 +"​IMPLEMENTATION"​ "​Dovecot Pigeonhole"​
 +"​SIEVE"​ "​fileinto reject envelope encoded-character vacation subaddress comparator-i;​ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave"
 +"​NOTIFY"​ "​mailto"​
 +"​SASL"​ "PLAIN LOGIN DIGEST-MD5"​
 +"​STARTTLS"​
 +"​VERSION"​ "​1.0"​
 +OK "​Dovecot ready."​
 +
 +AUTHENTICATE "​PLAIN"​ "​AGp1bGllbgB0aGlzaXNub3RteXJlYWxwYXNzd29yZA=="​
 +OK "​Logged in."
 +
 +LISTSCRIPTS
 +OK "​Listscripts completed."​
 +</​code>​
 +
 +Enable the plugin directory in **/​etc/​dovecot/​conf.d/​10-mail.conf** as follow:
 +<​file>​
 +# Directory where to look up mail plugins.
 +mail_plugin_dir = /​usr/​lib/​dovecot/​modules
 +</​file>​
 +And finally, enable the **sieve** plugin for dovecot-lda in **/​etc/​dovecot/​conf.d/​15-lda.conf**:​
 +<​file>​
 +protocol lda {
 +  # Space separated list of plugins to load (default is global mail_plugins).
 +  mail_plugins = sieve
 +}
 +</​file>​
 +And for dovecot-lmtp in **/​etc/​dovecot/​conf.d/​20-lmtp.conf**:​
 +<​file>​
 +protocol lmtp {
 +  mail_plugins = sieve
 +}
 +</​file>​
 +
 +Test using **sieve-connect**:​
 +<​code>​
 +# sieve-connect -s localhost -p 4190 --notlsverify -u julien --authmech PLAIN 
 +Sieve/IMAP Password: ​
 +ReadLine support enabled.
 +> ls
 +> put /​home/​julien/​dovecotsieve ​
 +> ls
 +"​dovecotsieve"​
 +> activate dovecotsieve ​
 +> ls
 +"​dovecotsieve"​ ACTIVE
 +
 +</​code>​
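Review bot: the managesieve listener ends up bound to `0.0.0.0:4190` and `:::4190` (see the netstat output), because the `inet_listener sieve` block in 20-managesieve.conf sets no `address`, so the service is reachable from every interface; the nc test then sends `AUTHENTICATE "PLAIN"` without a prior STARTTLS, which is only acceptable because it targets localhost. Either restrict the listener (`address = 127.0.0.1` inside `inet_listener sieve`) or state that Dovecot's global `disable_plaintext_auth = yes` and `ssl = required` must cover the sieve protocol, so credentials are never accepted in cleartext over the network. The `--notlsverify` flag in the sieve-connect test should likewise be marked as a localhost-only shortcut rather than something to keep in scripts. The base64 blob in the AUTHENTICATE line decodes to the username and password in clear (here a dummy password), so a real one must never be pasted into this page.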
 +===== - Roundcube =====
 +<​code>​apt-get install roundcube-plugins roundcube-pgsql roundcube-plugins-extra </​code>​
 +The above will install roundcube and dependencies,​ configure the postgres database and prepare Apache. ​
 +
 +In **/​etc/​roundcube/​apache.conf**,​ uncomment the two Aliases lines as follow:
 +<​file>​
 +# Those aliases do not work properly with several hosts on your apache server
 +# Uncomment them to use it or adapt them to your configuration
 +Alias /​roundcube/​program/​js/​tiny_mce/​ /​usr/​share/​tinymce/​www/​
 +Alias /roundcube /​var/​lib/​roundcube
 +</​file>​
 +And restart Apache2. This will make available at **http://​SERVERIP/​roundcube/​**.
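Review bot: the resulting URL is `http://SERVERIP/roundcube/`, i.e. plain HTTP, so the user's mail password would cross the network in cleartext at login; the Apache step should place these aliases in an HTTPS virtual host (or redirect HTTP to one) before the webmail is exposed beyond localhost. The apache.conf comment itself warns that the two `Alias` lines misbehave with several virtual hosts, so the step should say which vhost they are intended for.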
 +
 +===== - Ejabberd =====
 +<​code>​apt-get install ejabberd</​code>​
 +
 +In **ejabberd.cfg**,​ replace the Hostname:
 +<​file>​
 +%% Hostname
 +{hosts, ["​linuxwall.info"​]}.
 +</​file>​
 +
 +Enable SSL:
 +<​file>​
 +  %%
 +  %% To enable the old SSL connection method (deprecated) in port 5223:
 +  %%
 +  {5223, ejabberd_c2s,​ [
 +                        {access, c2s},
 +                        {shaper, c2s_shaper},​
 +                        {max_stanza_size,​ 65536},
 +                      zlib,
 +                        tls, {certfile, "/​etc/​ejabberd/​ejabberd.pem"​}
 +                       ]},
 +</​file>​
 +
 +Comment out the default auth method to enable the LDAP authentication:​
 +<​file>​
 +%%
 +%% {auth_method,​ internal}.
 +
 +...
 +
 +%%
 +%% Authentication using LDAP
 +%%
 +{auth_method,​ ldap}.
 +%%
 +%% List of LDAP servers:
 +{ldap_servers,​ ["​localhost"​]}.
 +%%
 +%% Encryption of connection to LDAP servers (LDAPS):
 +%%{ldap_encrypt,​ none}.
 +%%{ldap_encrypt,​ tls}.
 +%%
 +%% Port connect to LDAP server:
 +{ldap_port, 389}.
 +%%{ldap_port,​ 636}.
 +%%
 +%% LDAP manager:
 +%%{ldap_rootdn,​ "​dc=example,​dc=com"​}.
 +%%
 +%% Password to LDAP manager:
 +%%{ldap_password,​ "​******"​}.
 +%%
 +%% Search base of LDAP directory:
 +{ldap_base, "​ou=people,​dc=linuxwall,​dc=info"​}.
 +%%
 +%% LDAP attribute that holds user ID:
 +{ldap_uids, [{"​mail",​ "​%u@linuxwall.info"​}]}.
 +%%
 +%% LDAP filter:
 +{ldap_filter,​ "​(objectClass=inetOrgPerson)"​}.
 +
 +</​file>​
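Review bot: the LDAP block keeps `{ldap_port, 389}` active with both `ldap_encrypt` lines commented out, so ejabberd verifies passwords against slapd over cleartext LDAP; that is tolerable only while `ldap_servers` stays `["localhost"]`, and the step should either say so or switch to `{ldap_encrypt, tls}` with `{ldap_port, 636}` (both already present, commented, a few lines below). The 5223 listener is labelled deprecated in its own comment; the "Enable SSL" step should point at STARTTLS on the standard 5222 c2s listener instead, or explain why the legacy port is needed. Minor: the `zlib,` entry is indented differently from its neighbours in the 5223 option list.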
en/ressources/dossiers/nectux.txt · Last modified: 2013/07/24 03:57 (external edit)
CC Attribution-Share Alike 4.0 International