Backup MX (exim)
Author: Morty.
Exim as a mail relay, or a Backup MX
This article describes how to add a standby SMTP service, more precisely a backup MX, to your existing mail system. Suppose you already have a working mail server named mainmx.domain.com, and the task is to set up one more SMTP server (mx.domain.com) that can accept mail when the main server has problems or some other trouble arises. You can have two, three or more backup MXs ;) mx1, mx2, mx3... As shown in the picture, the backup SMTP servers accept mail from the outside world and forward it to your main server. All that is required is to configure Exim and add MX records to the DNS zone.
Before:
domain.com IN MX 10 mainmx.domain.com
After:
domain.com IN MX 10 mainmx.domain.com
domain.com IN MX 10 mx.domain.com
MX records carry a priority value (the lower the value, the more preferred the server); here both servers have the same priority. You can express precedence by giving the less preferred servers 20, 30, 40.
Let's proceed to installing and configuring the server mx.domain.com.
The key place in the Exim configuration is the deliver_to file, which maps each domain to the host (the mail server) it should be handed to.
Install:
/usr/ports/mail/exim
Default options, plus review/check the following:
[x] CONTENT_SCAN Enable exiscan email content scanner
[X] SA_EXIM SA-Exim support
[x] SRS Enable Sender Rewriting Scheme
[X] TLS Link against OpenSSL
/usr/ports/security/clamav
default options
/usr/ports/mail/p5-Mail-SpamAssassin
make showconfig
===> p5-Mail-SpamAssassin-3.3.1:
AS_ROOT=on "Run spamd as root (recommended)"
SPAMC=on "Build spamd/spamc (not for amavisd)"
SACOMPILE=on "sa-compile"
DKIM=on "DKIM/DomainKeys Identified Mail"
SSL=on "Build with SSL support for spamd/spamc"
GNUPG=on "Install GnuPG (for sa-update)"
MYSQL=off "Add MySQL support"
PGSQL=off "Add PostreSQL support"
RAZOR=on "Add Vipul's Razor support"
SPF_QUERY=on "Add SPF query support"
RELAY_COUNTRY=on "Relay country support"
DCC=off "Add DCC support (see LICENSE)"
===> Use 'make config' to modify these settings
exim
File /usr/local/etc/exim/configure:
###########################################################
# EXIM CONFIGURATION #
###########################################################
.include /usr/local/etc/exim/settings
#system_filter = /usr/local/etc/exim/system-filter
#system_filter_reply_transport = my_address_reply_transport
#system_filter_user = exim
domainlist my_local_domains = /usr/local/etc/exim/local_domains
domainlist my_relay_for_domains = /usr/local/etc/exim/relay_domains
hostlist my_relay_from_hosts = /usr/local/etc/exim/accept_from
av_scanner = clamd:/var/run/clamav/clamd.sock
spamd_address = 127.0.0.1 783
tls_advertise_hosts = *
tls_certificate = /usr/local/etc/exim/certs/crt
tls_privatekey = /usr/local/etc/exim/certs/key
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
#auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
rfc1413_hosts = *
rfc1413_query_timeout = 0s
acl_smtp_rcpt = my_receive_acl
acl_smtp_data = acl_check_data
###########################################################
# ACL CONFIGURATION #
###########################################################
begin acl
my_receive_acl:
  # an empty host list matches local (non-SMTP) submissions
  accept  hosts = :
          control = dkim_disable_verify
  deny    message = MACRO_RESTRICTED_CHARACTERS
          domains = +my_local_domains
          local_parts = ^[.] : ^.*[@%!/|]
  deny    message = MACRO_RESTRICTED_CHARACTERS
          domains = !+my_local_domains
          local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  drop
          # Required because "[IPv6:<address>]" will have no .s
          condition = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
          condition = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
          hosts = !+my_relay_from_hosts : *
          message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
  drop
          condition = ${if match{$sender_helo_name}{\N\.$\N}}
          hosts = !+my_relay_from_hosts : *
          message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
  drop
          condition = ${if match{$sender_helo_name}{\N\.\.\N}}
          hosts = !+my_relay_from_hosts : *
          message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
  drop    message = "REJECTED - Bad HELO - Host \
                     impersonating [$sender_helo_name]"
          condition = ${if match{$sender_helo_name}{$primary_hostname}}
  drop    condition = ${if eq{[$interface_address]}{$sender_helo_name}}
          message = $interface_address is _my_ address
  # postmaster must stay reachable even when the sender cannot be verified
  accept  local_parts = postmaster
          domains = +my_local_domains
  require verify = sender
  deny    condition = ${lookup{$sender_host_name}nwildlsearch\
                      {/usr/local/etc/exim/db/blacklist_re_hostname}{yes}{no}}
          hosts = !+my_relay_from_hosts : *
          logwrite = "$sender_host_name you are in blacklistHOST"
  deny    condition = ${lookup{$sender_helo_name}nwildlsearch\
                      {/usr/local/etc/exim/db/blacklist_re_helo}{yes}{no}}
          hosts = !+my_relay_from_hosts : *
          logwrite = "$sender_helo_name you are in HELOblacklist"
  accept  domains = +my_local_domains
          endpass
  accept  domains = +my_relay_for_domains
          endpass
  accept  hosts = +my_relay_from_hosts
          endpass
  # anything else from an untrusted host to a foreign domain is a relay attempt
  require message = MACRO_RELAY_NOT_PERMITTED
          domains = +my_local_domains : +my_relay_for_domains
  drop    message = REJECTED - Too many failed \
                    recipients - count = $rcpt_fail_count
          log_message = REJECTED - Too many failed recipients \
                        - count = $rcpt_fail_count
          condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
          !verify = recipient/callout=2m,defer_ok,use_sender
  require verify = recipient
  # You can put DNS black-list checks here
  #---------------------------------------
  # RCPT checks end here, so ACCEPT everything that got this far and do the DATA checks next
acl_check_data:
  deny    malware = *
          message = This message contains a virus ($malware_name)
  deny    demime = *
          condition = ${if >{$demime_errorlevel}{2}{1}{0}}
          message = This message contains a MIME error
  deny    message = Incorrect headers syntax
          log_message = REJECT: Incorrect header syntax
          hosts = !+my_relay_from_hosts : *
          !verify = header_syntax
  # spam checks
  warn    condition = ${if >{$message_size}{400K}}
          message = X-Spam-Report: Spam scan skipped; message too large
          log_message = Skipping spam scan; message too large
  accept  condition = ${if >{$message_size}{400K}}
  warn    message = X-Spam-Score: $spam_score ($spam_bar)
          hosts = !+my_relay_from_hosts : *
          spam = nobody:defer_ok
  warn    hosts = !+my_relay_from_hosts : *
          spam = nobody:defer_ok
          message = X-Spam-Report: $spam_report
  # $spam_score_int is the score times ten, so 80 means a score above 8.0
  deny    condition = ${if >{$spam_score_int}{80}{1}{0}}
          hosts = !+my_relay_from_hosts : *
          spam = nobody:defer_ok
          message = Spam score too high ($spam_score)
  # DATA checks finished, accept everything that made it this far ;)
  accept
  # deny message = MACRO_RELAY_NOT_PERMITTED
###########################################################
# ROUTERS CONFIGURATION #
###########################################################
begin routers
dnslookup:
  driver = dnslookup
  domains = ! +my_local_domains
  transport = my_remote_smtp_transport
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more
my_redirect_router:
  driver = redirect
  data = ${lookup{$local_part@$domain}\
          lsearch{/usr/local/etc/exim/redirect_email}}
system_aliases:
  driver = redirect
  domains = +my_local_domains
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  user = mailnull
  group = mail
  file_transport = address_file
  pipe_transport = address_pipe
# the key router of the backup MX: hand each relay domain to the host listed in deliver_to
my_relay_domains_router:
  driver = manualroute
  domains = +my_relay_for_domains
  transport = my_remote_smtp_transport
  route_data = ${lookup{$domain}lsearch\
               {/usr/local/etc/exim/deliver_to}}
  no_more
my_external_domains_router:
  domains = !+my_local_domains : !+my_relay_for_domains
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  driver = dnslookup
  transport = my_remote_smtp_transport
  no_more
# my_local_domains_router:
#   driver = accept
#   check_local_user
#   transport = my_local_delivery_transport
#   cannot_route_message = MACRO_UNKNOWN_USER
#   no_more
###########################################################
# TRANSPORTS CONFIGURATION #
###########################################################
begin transports
my_remote_smtp_transport:
  driver = smtp
  headers_add = X-processed-by: MACRO_HEADER_ADDED
# not used
#my_local_delivery_transport:
#  driver = appendfile
#  file = /var/mail/$local_part
#  delivery_date_add
#  envelope_to_add
#  return_path_add
#  group = mail
#  mode = 0660
my_address_reply_transport:
  driver = autoreply
  headers_add = X-processed-by: MACRO_HEADER_ADDED autoreply
###########################################################
# RETRY CONFIGURATION #
###########################################################
begin retry
.include /usr/local/etc/exim/retry_settings
begin rewrite
begin authenticators
File /usr/local/etc/exim/settings:
# exim settings
MACRO_HOSTNAME = mx.domain.com
MACRO_CONTACT = +38 (044) 535-55-55, postmaster@domain.com
MACRO_LOCATION = Kiev-Ukraine
MACRO_HEADER_ADDED = processed by MACRO_HOSTNAME ,\
MACRO_LOCATION , $tod_full
MACRO_SMTP_BANNER = MACRO_HOSTNAME , MACRO_LOCATION ,SMTP Ready...
MACRO_UNKNOWN_USER = \n\n *** Unknown user, please contact \
                     MACRO_CONTACT if you require further assistance. \
                     Error generated by MACRO_HOSTNAME , \
                     MACRO_LOCATION on $tod_full *** \n\n
MACRO_RELAY_NOT_PERMITTED = \n\n *** Relay not permitted, please \
                     contact MACRO_CONTACT if you require \
                     further assistance. Error generated by \
                     MACRO_HOSTNAME , MACRO_LOCATION on $tod_full *** \n\n
MACRO_RESTRICTED_CHARACTERS = \n\n *** Restricted characters in \
                     email address, please contact MACRO_CONTACT \
                     if you require further assistance. \
                     Error generated by MACRO_HOSTNAME , MACRO_LOCATION on $tod_full *** \n\n
primary_hostname = mx.domain.com
exim_user = mailnull
exim_group = mail
qualify_domain = domain.com
qualify_recipient = domain.com
#host_lookup = !192.168.0.0/16
never_users = root
message_size_limit = 25M
smtp_accept_max = 100
smtp_banner = MACRO_SMTP_BANNER
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
delay_warning = 24h
received_headers_max = 30
split_spool_directory = true
log_selector = \
+all \
+tls_cipher \
+tls_peerdn \
# -incoming_port \
# -incoming_interface \
-arguments \
-smtp_connection \
-lost_incoming_connection \
-queue_run
syslog_timestamp = no
log_file_path = syslog : /var/log/exim/%s-%D.log
#log_file_path = /var/log/exim/%s
File /usr/local/etc/exim/accept_from:
# accept/relay from these hosts
127.0.0.1
192.168.0.0/16
File /usr/local/etc/exim/deliver_to:
# deliver this domain to this host
domain.com: 192.168.200.1
special.com: 192.168.150.1
File /usr/local/etc/exim/local_domains:
# local domains
domain.com
special.com
File /usr/local/etc/exim/redirect_email:
# redirect mail for this list of users
# root@dom.com: admin@domain.com
File /usr/local/etc/exim/relay_domains:
# relay mail for this list of domains
domain.com
special.com
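As an added illustration (not code from the article), the Python below walks the RCPT ACL my_receive_acl for one sender/HELO/recipient triple, using the sample values from the accept_from, local_domains, relay_domains and deliver_to files above; INTERFACE_ADDRESS is an assumed value, and sender verification, the blacklist lookups and the recipient callout are left out.

```python
import ipaddress
import re

# Constructed sample data, copied from the accept_from, local_domains,
# relay_domains and deliver_to files on this page; INTERFACE_ADDRESS (the
# backup MX's own IP) is an assumed documentation-range value.
RELAY_FROM_HOSTS = ["127.0.0.1", "192.168.0.0/16"]
LOCAL_DOMAINS = {"domain.com", "special.com"}
RELAY_FOR_DOMAINS = {"domain.com", "special.com"}
DELIVER_TO = {"domain.com": "192.168.200.1", "special.com": "192.168.150.1"}
PRIMARY_HOSTNAME = "mx.domain.com"
INTERFACE_ADDRESS = "203.0.113.25"

# local_parts patterns of the two "restricted characters" deny statements;
# Exim expands the config's \\. to \. so the last one matches a literal /../
RESTRICTED_LOCAL = re.compile(r"^[.]|^.*[@%!/|]")
RESTRICTED_OTHER = re.compile(r"^[./|]|^.*[@%!]|^.*/\.\./")

def is_relay_host(ip):
    """hosts = +my_relay_from_hosts: is the client listed in accept_from?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in RELAY_FROM_HOSTS)

def bad_helo_for_stranger(helo):
    """The three RFC 2821 4.1.1.1 'drop' checks applied to untrusted hosts."""
    if not helo.startswith("[") and "." not in helo:  # bare word, not [addr]
        return True
    return helo.endswith(".") or ".." in helo        # trailing dot, empty label

def rcpt_decision(sender_ip, helo, recipient):
    """Walk my_receive_acl in statement order for one RCPT TO -> (verb, why).
    Sender verify, the blacklist lookups and the recipient callout are omitted."""
    local_part, _, domain = recipient.rpartition("@")
    trusted = is_relay_host(sender_ip)
    if domain in LOCAL_DOMAINS and RESTRICTED_LOCAL.match(local_part):
        return "deny", "MACRO_RESTRICTED_CHARACTERS"
    if domain not in LOCAL_DOMAINS and RESTRICTED_OTHER.match(local_part):
        return "deny", "MACRO_RESTRICTED_CHARACTERS"
    if not trusted and bad_helo_for_stranger(helo):
        return "drop", "Invalid HELO name"
    if helo in (PRIMARY_HOSTNAME, f"[{INTERFACE_ADDRESS}]"):
        return "drop", "HELO impersonates this host"
    if domain in LOCAL_DOMAINS or domain in RELAY_FOR_DOMAINS:
        # accepted from anyone; my_relay_domains_router then uses deliver_to
        return "accept", f"relay to {DELIVER_TO[domain]}"
    if trusted:  # accept hosts = +my_relay_from_hosts: outbound mail
        return "accept", "outbound via dnslookup router"
    return "deny", "MACRO_RELAY_NOT_PERMITTED"  # the open-relay guard
```

The real ACL additionally runs verify = recipient/callout=2m,defer_ok,use_sender; because of defer_ok, a callout that cannot reach the primary counts as success, so while the primary is down the backup accepts recipients it cannot verify and any bounce for an unknown user is generated later by the backup itself.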
File /usr/local/etc/exim/retry_settings:
# retry and timeout settings
# Retry.. every 10 mins for 2 hours
# Then.. every hour for 24 hours
# Finally.. every 6 hours for 5 days
# Domain  Error  Retry..     Then..      Finally..
*         *      F,2h,10m;   F,24h,1h;   F,5d,6h
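To see what the retry rule above actually means for mail queued on the backup, here is an added Python example (not part of the article) that parses an Exim fixed-interval (F) retry rule and expands it into the retry offsets measured from the first failure; it models only the F form used on this page.

```python
import re
from datetime import timedelta

# Unit suffixes Exim accepts in time specifications.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(text):
    """Exim time spec such as '10m', '2h' or '1h30m' -> timedelta."""
    parts = re.findall(r"(\d+)([smhdw])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad time specification: {text!r}")
    return timedelta(seconds=sum(int(n) * UNITS[u] for n, u in parts))


def parse_rule(rule):
    """'F,2h,10m; F,24h,1h; F,5d,6h' -> [(cutoff, interval), ...].
    Only the fixed-interval (F) form used on this page is handled."""
    rules = []
    for part in rule.split(";"):
        kind, cutoff, interval = (p.strip() for p in part.split(","))
        if kind != "F":
            raise ValueError(f"unsupported retry rule type: {kind!r}")
        rules.append((parse_time(cutoff), parse_time(interval)))
    return rules


def retry_schedule(rule):
    """Offsets from the first failure at which Exim retries the host.
    Each part applies while the time since the first failure is below its
    cutoff; once no part applies any more, the address is bounced."""
    rules, offsets, age = parse_rule(rule), [], timedelta(0)
    while True:
        interval = next((i for c, i in rules if age < c), None)
        if interval is None:
            return offsets
        age += interval
        offsets.append(age)


if __name__ == "__main__":
    sched = retry_schedule("F,2h,10m; F,24h,1h; F,5d,6h")
    print(len(sched), "retries; last attempt", sched[-1], "after the first failure")
```

Since the backup MX accepts mail into its own queue, this rule is what decides how long it keeps trying the deliver_to host before bouncing the message back to the sender: with the rule above, five days.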
File /usr/local/etc/exim/system-filter: (empty; system_filter is commented out in the configuration above)
SpamAssassin
File /usr/local/etc/mail/spamassassin/local.cf:
report_safe 0
trusted_networks 192.168.
# Set the threshold at which a message is considered spam (default: 5.0)
required_score 8.0
# Use Bayesian classifier (default: 1)
use_bayes 1
#auto_learn 1
bayes_auto_learn 1
bayes_path /var/db/spamassassin/bayes/bayes
use_auto_whitelist 0
allow_user_rules 0
bayes_min_ham_num 100
whitelist_from *@domain.com
score BAYES_99 8.0
score BAYES_95 7.0
score BAYES_80 6.0
score BAYES_60 6.5
score BAYES_50 5.0
File /usr/local/etc/exim/sa-exim.conf:
Comment out one line; the rest of the config stays at the defaults:
# Remove or comment out the following line to enable sa-exim
#SAEximRunCond: 0
File /usr/local/etc/exim/db/blacklist_re_hostname:
^smtp\d\w*\.orange\.fr$
^smtp\d*\.ono\.com$
^cp-out\d+\.libero\.it$
^f\dmail(-\d+-)?\d+\.rediffmail\.com$
^smtp-out\d+-m\d+\.kriweb\.com$
bzq-179-112-209.static.bezeqint.net
^dsl\d+\.\d+-\d+\.ttnet\.net\.tr$
^\w+\.mdp2\.net$
^.*\.neoplus\.adsl\.tpnet\.pl$
^.*gprs.*pool
^dhcp\d+\.myzipnet\.com$
^dyn-\d+-\d+-\d+-\d+\.ppp\.tiscali\.fr$
^cklist\d+\.starspecials\.co\.uk$
^ppp\d+-\d+\.adsl\.forthnet\.gr$
^host-\d+-\d+\.xdsl\.telecet\.ru$
^\d+\.red-\d+-\d+-\d+\.dynamicip\.rima-tde\.net$
^p[a-f\d]{8}\.dip\.t-dialin\.net$
^\d+-\d+-\d+-\d+\.static\.germania\.com\.ar$
^nat-\d+\.megalan\.ru$
^\d+\.pool\d+-\d+-\d+\.dynamic\.orange\.es$
^l\d+-\d+-\d+\.cn\.ru$
^adsl-\d+-\d+-\d+\.\w+\.bellsouth\.net$
^chello\d+\.\w+\.surfer\.at$
^a\d+-\d+\.adsl\.paltel\.net$
^dsl-\d+-\d+-\d+\.telkomadsl\.co\.za$
^cannon\d+\.missuniverseinvietnam\.com$
^\w+dsl-\d+\.home\.otenet\.gr$
bl\d+-\d+-\d+\.dsl\.telepac\.pt$
^mail\.tfmi\.com\.tw$
^ppp\d+\.dsl\.hol\.gr$
^[a-z]\d+\.adsl\.alicedsl\.de$
^acceso-cmp\d+-\d+\.lpa\.idec\.net$
^p[a-f\d]{8}\.dip0\.t-ipconnect\.de$
^port\d+-afx-adsl\.cwjamaica\.com$
h66-173-49-130.mntimn.dedicated.static.tds.net
^\d+-\d+-\d+\.adsl\.terra\.cl$
221-128-244-55.static.exatt.net
^\w+-[a-f\d]{8}\.pool\.mediaways\.net$
^\d+\.subnet\d+-\d+-\d+\.speedy\.telkom\.net\.id$
^host\d+-\d+-static\.\d+-\d+-b\.business\.telecomitalia\.it$
^\w+-as\d+\.alshamil\.net\.ae$
^host\d+.\w+\.nw\.com\.tr$
^max6060-\d+\.rel\.com\.ua$
^bl\d+-\d+-\d+.dsl\.telepac\.pt$
^.*visionexpress\.pl
^.*se\.biz\.rr\.com
^.*vhostnix4\.com
^.*vladfemri\.ru
^.*4net\.ru
^[a-f\d]{8}\.bb\.sky\.com$
^ip-\d+-\d+\.tpi\.ru$
^.*coke\.zp\.ua
^.*agfmachining\.com
^.*odessa\.comstar\.net\.ua
^\w+-\d+-\d+\.dyn-ip-\w+\.\w+\.skylink\.ru$
^.*szivarvanynet\.hu
^.*mgsm\.ru
# etc
File /usr/local/etc/exim/db/blacklist_re_helo:
^Dynamic-IP-\d+\.cable\.net\.co$
^.*dsldevice\.lan
^.*speedtouch\.lan
^whosting\d+\.virtualandes\.cl$
^\d+\.smed\.net$
^ppp_lan_adsl_pool_\d+_\d+\.emcali\.net\.co$
^\d+\.red-\d+-\d+-\d+\.staticip\.rima-tde\.net$
^\d+\.\d+\.\d+\.\d+\.static\.vsnl\.net\.in$
^tdev\d+-\d+\.codetel\.net\.do$
^ppp_adsl_\d+_\d+\.emcali\.net\.co$
^d\d+\.sub\d+\.net\d+\.udm\.net$
^\d+\.\d+\.artcoms\.ru$
^\w+dsl-\d+\.home\.otenet\.gr$
^adsl-\d+-\d+\.tricom\.net$
^.*contenocity\.webair\.com
^.*not-defined-pppoe\.amur\.ru
^\w+\.directimpressionsinc\.com$
^adsl\d+-\d+\.dyn\.etb\.net\.co$
^client-\d+.\d+.\d+.\d+\.speedy\.net\.pe$
^\d+\.\d+\.\d+.\d+.\w+-dynamic-bb\.vsnl\.net\.in$
^.*algenia\.ro
^vidin-\d+-\d+\.vidaoptics\.com$
^.*sme\.krk\.ru
^.*static\.link\.com\.eg
^.*siscotel-ngi-bollate\.csbno\.net
^.*bol\.net\.in
^dsl-\w+-static-\d+\.\d+\.\d+\.\d+\.airtelbroadband\.in$
^.*kraftangan\.gov\.my
^\d+\.subnet\d+-\d+-\d+\.speedy\.telkom\.net\.id$
^host-\d+-\d+-\d+-\d+\.static\.link\.com\.eg$
^.*ecm\.iolbroadband\.com
^.*mazurek\.man\.lodz\.pl
^\w+-\w+-Dynamic-\d+\.\d+\.\d+\.\d+\.airtelbroadband\.in$
^.*mail\.regenome\.com
^\d+-\d+-\d+-\d+\.dyn\.dsl\.cantv\.net$
^.*BODOR\.szigetnet\.hu
^.*mail_server\.info\.com\.ph
^.*server\.ws\.md
^.*mail\.illidan\.info
^.*unknown\.interbgc\.com
^\d+-\d+-\d+-\d+\.\w+\.\w\.brasiltelecom\.net\.br$
^pc\d+\.telecentro\.com\.ar$
^\w+-\d+-\d+-\d+\.hotlink\.com\.br$
^dyn-\d+-\d+\.fttb\.kis\.ru$
^\w+-\w+-\d+\.\d+\.\d+\.\d+\.mtnl\.net\.in$
^statia\d+\.blue-cafe\.severin\.rdsnet\.ro$
^dsl-ppoe-\d+-\d+-\d+-\d+\.ip\.peterstar\.net$
^\d+-\d+-\d+-\d+\.saudi\.net\.sa$
# etc
Certificates
File /usr/local/etc/exim/certs/certs.sh:
#!/bin/sh
openssl req -x509 -newkey rsa:1024 -keyout file1 -out file2 \
-days 9999 -nodes
Run this script to generate the KEY and CERT. The output is file1 and file2; open them and see which is which:
-----BEGIN CERTIFICATE-----
That means we rename this file to crt and the other one to key, and keep them in /usr/local/etc/exim/certs.
posted: 2010-07-12,
last updated: 2012-11-20,
author: Morty