Postfix Dovecot Spamassassin Postgrey Mailgraph Stats on Debian wheezy

Debian comes with exim4 as defaul MTA: i used it since some days ago, when i decided to migrate to Postfix. That was one of the better choices i've ever made: postfix configuration, compared to exim4, is really much much easier.

I am going to setup system users, not virtual ones: in this configuration you don't need any database. As a side note, when you need to add a new mail-only user, do not assign him/her a valid shell - use "/bin/false" instead.

Postfix

First of all i purged all of exim4 related packages, including spamassassin and greylistd. Then i started installing postfix and verified that local mail was still working as expected - and it was.

# apt-get install postfix
# apt-get install mailutils
# echo test |mail -s 'postfix' roughnecks

When the post-install configuration for postfix started, i chose to use a smarthost, given the fact that i am behind a dynamic IP address on a consumer ADSL connection and my DNS records are managed by dyndns; so postfix will pass all of the "non-internal" mail to my ISP's SMTP and that will be responsible of the actual delivery to destination mail addresses.

Next i edited some values in /etc/postfix/main.cf, leaving some defaults in place.

myhostname = laltromondo.dynalias.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = nadir.laltromondo.dynalias.net, laltromondo.dynalias.net, localhost
relayhost = out.alice.it
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

Added myhostname and mydestination accordingly to my setup, relayhost which is the smarthost i talked about previously and finally i changed inet_protocols to ipv4 only (i have ipv6 connectivity but i just don't need it for mail - and, obviously, it won't be so hard modifying this setting afterwards, should i change idea).

Remember to restart postfix each time you change configuration values.

# service postfix restart

Now we need to generate an SSL certificate for postfix: i am using a self-signed key but that is just my case; if you bought some "real" certificate from a Certification Authority you are ready to go.

There are plenty of how-to about generating a self-signed key, so i am not going to write about that here - just as an example, you can take a look at this post. In any case i am going to copy-paste the actual commands as a reminder/template.

# openssl genrsa -des3 -out mail.domain.tld.key 2048
# chmod 600 mail.domain.tld.key
# openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
# openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
# openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
# mv mail.domain.tld.key.nopass mail.domain.tld.key
# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
# chmod 600 mail.domain.tld.key
# chmod 600 cakey.pem
# mv mail.domain.tld.key /etc/ssl/private/
# mv mail.domain.tld.crt /etc/ssl/certs/
# mv cakey.pem /etc/ssl/private/
# mv cacert.pem /etc/ssl/certs

# postconf -e 'smtp_use_tls = yes'
# postconf -e 'smtpd_use_tls = yes'
# postconf -e 'smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key'
# postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt'
# postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
# postconf -e 'tls_random_source = dev:/dev/urandom'

"mail.domain.tld" is a placeholder for the actual domain where postfix will work, while "postconf" is the "Postfix configuration utility". To read more about that, ask its manpage:

# service postfix restart
$ man postconf

Postfix should be fine for now, let's procede.

# apt-get install dovecot-core dovecot-imapd

I will cover just the basic steps to make Dovecot work with Postix; if you need help configuring other aspects of Dovecot, take a look at the wiki

Postfix and Dovecot SASL

Reference

The socket is configured in "/etc/dovecot/conf.d/10-master.conf" under the "service auth" section: add something like the following..

# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}

Then add the remaining configurations to /etc/postfix/main.cf, as shown in the Example Postfix main.cf excerpt paragraph. You can append them to the bottom of file. Restart dovecot and postfix.

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Last line of code is different based on the postfix version, which in Debian wheezy is 2.9.6

Spamassassin

# apt-get install spamassassin spamc

First of all take a look at /etc/default/spamassassin

Enable the service:

ENABLED=1

Change the options parameter specifying the spamassassing user, which in Debian is "debian-spamd"

OPTIONS="--create-prefs --max-children 1 --helper-home-dir \
--username debian-spamd"

Also adjust the "--max-children" switch accordingly to the server properties: i am using a PIII machine and few users, so 1 child would be enough.

The child process will be run by debian-spamd user, while the master process will always be run by root.

Spamassassing logs' destination file is /var/log/mail.log (as well as postfix and dovecot ones)

Now let's edit /etc/spamassassing/local.cf

I found useful to specify our trusted network (mails from this network are always fine)

trusted_networks 192.168.0/24

You can add other networks too, like an ipv6 subnet: as the configuration file itself states.. "See 'perldoc Mail::SpamAssassin::Conf' for details of what can be tweaked."

Two other lines have to be uncommented, in my opinion:

shortcircuit USER_IN_BLACKLIST       on
shortcircuit ALL_TRUSTED             on

If you do so, you have to enable the "shortcuit" plugin in /etc/spamassassin/v320.pre, line 33.

Shortcuiting TRUSTED networks and USER IN BLACKLIST is a convenient way to save CPU cycles. To add a blacklist, simply specify a line like the following at the bottom of /etc/spamassassin/local.cf ..

blacklist_from *.domain.tld

and all emails coming from "domain.tld" will be marked as spam without more checks - You can set as many lines as you need.

Last but not least, let's specify a contact for users to report to us.

report_contact  postmaster@laltromondo.dynalias.net

When an email is considered spam you will read something like this at the beginning of its body:

Spam detection software, running on the system "nadir.laltromondo.dynalias.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
postmaster@laltromondo.dynalias.net for details.

Start the spamassassin service:

# service spamassassin start

Now, we need to tell postfix to use spamassassin. To tell postfix to use spamassassin, we are going to edit /etc/postfix/master.cf and change the line:

smtp      inet  n       -       -       -       -       smtpd

to:

smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin

and then, at the end of master.cf, let's add:

spamassassin unix -     n       n       -       -       pipe
        user=debian-spamd argv=/usr/bin/spamc -f -e
        /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Restart postfix and we should be fine.

Postgrey

This package provides a policy server for Postfix to implement "greylisting". Greylisting is a spam filtering method that rejects email from external servers on the first try. Spammers don't usually retry sending their messages, whereas legitimate mail servers do.

# apt-get install postgrey

All you need to do to enable postgrey is adding a statement to /etc/postfix/main.cf, as it's written in the postgrey manpage (man postgrey).

If you followed the previously discussed Dovecot configuration you should now have a line in main.cf like the following:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

We need it to become like:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023 

Once again restart postfix and do some tests.

Mailgraph

Mailgraph is a very simple mail statistics RRDtool frontend for Postfix, Sendmail or Exim that produces daily, weekly, monthly and yearly graphs of received/sent and bounced/rejected mail.

# apt-get install rrdtool mailgraph

Visit http://your-domain.tld/cgi-bin/mailgraph.cgi

Stats

Postfix Log Entry Summarizer

pflogsumm.pl is designed to provide an over-view of postfix activity, with just enough detail to give the administrator a "heads up" for potential trouble spots. The following is an over-view of the reports produced:

  • Total number of:
    • Messages received, delivered, forwarded, deferred, bounced and rejected
    • Bytes in messages received and delivered
    • Sending and Recipient Hosts/Domains
    • Senders and Recipients
    • Optional SMTPD totals for number of connections, number of hosts/domains connecting, average connect time and total connect time
  • Per-Day Traffic Summary (for multi-day logs)
  • Per-Hour Traffic (daily average for multi-day logs)
  • Optional Per-Hour and Per-Day SMTPD connection summaries
  • Sorted in descending order:
    • Recipient Hosts/Domains by message count, including:
      • Number of messages sent to recipient host/domain
      • Number of bytes in messages
      • Number of defers
      • Average delivery delay
      • Maximum delivery delay
    • Sending Hosts/Domains by message and byte count
    • Optional Hosts/Domains SMTPD connection summary
    • Senders by message count
    • Recipients by message count
    • Senders by message size
    • Recipients by message size
    with an option to limit these reports to the top nn.
  • A Semi-Detailed Summary of:
    • Messages deferred
    • Messages bounced
    • Messages rejected
  • Summaries of warnings, fatal errors, and panics
  • Summary of master daemon messages
  • Optional detail of messages received, sorted by domain, then sender-in-domain, with a list of recipients-per-message.
  • Optional output of "mailq" run

Pflogsumm.pl was written using Perl 5.004. As of version 19990413-02, pflogsumm worked with Perl 5.003, but future compatibility is not guaranteed.

Pflogsumm.pl requires the Date::Calc module