Postfix as a front-end server

Forum: Networks and Security - Linux and Alternative OSes

Marsh posted on 05-11-2006 at 16:18:09

good evening everyone!!!
 
here's the thing: I'm a Windows admin, and I have an Exchange server to administer (among other things...)
for now, this server also acts as the front-end server, but for obvious security reasons I'd like to put a cheap Postfix mail relay in front of it...
 
to sum up, I have a firewall to which the 2 machines will be connected, the Postfix server and the Exchange server.
inbound port 25 will be routed to the front-end server (running Postfix, then) and the aforementioned Linux box will forward everything to the Exchange server. for outgoing mail, we won't bother, we'll let the Exchange server send it by itself.
 
here's where I am:
- I installed a machine running Mandriva
- I stuck Postfix on it
- I installed Webmin
- (I installed IceWM, because old habits die hard....)
- I searched on my own and configured my Postfix on my own (see the config a few lines down)
- I found a script to build the list of my valid addresses, so as not to forward everything to the MS server anyway (directory attacks etc etc etc...)
 
I'm waiting for everyone to leave the office to change the port forwarding on my NAT and run some tests...
 
I'm calling on all of you for 2 things:
 
a- will it work????
b- I'm afraid of creating an open mail relay and finding myself blacklisted tomorrow morning......
 
 
can you take a look at my config???
 
thanks!!!!!!!

Code :

# These are only the parameters changed from a default install
# see /etc/postfix/main.cf.dist for a commented, fuller version of this file.
# These are changed by postfix install script
readme_directory = /usr/share/doc/postfix-2.2.5/README_FILES
html_directory = /usr/share/doc/postfix-2.2.5/html
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
daemon_directory = /usr/lib/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
# User configurable parameters
inet_interfaces = all
# mynetworks_style is only consulted when mynetworks is not set explicitly
# (it is, below), so this line has no effect.
mynetworks_style = class
delay_warning_time = 4h
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandriva Linux)
unknown_local_recipient_reject_code = 450
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
recipient_delimiter = +
owner_request_special = no
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
myhostname = mail.pouet.org
mydomain = hermes.pouet.loc
mynetworks = 192.168.100.0/255.255.255.0
transport_maps = hash:/etc/postfix/transport
relay_recipient_maps = hash:/etc/postfix/virtual.txt
# relay_domains is a single comma-separated list: a parameter given on several
# lines only keeps its last line, and a leading "$" makes Postfix read the entry
# as a parameter reference ($pouet) rather than as the domain name pouet.loc.
relay_domains = pouet.loc, pouet2.org, pouet3.org, pouet4.org, pouet5.org


 
 
thanks everyone!!!!!


Message edited by mickael de psagot on 08-11-2006 at 12:29:17

---------------
"so that you may prolong your days upon this earth which the Eternal your G-d gives you."
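A check for the two questions asked above (will the relay_domains block work, and is the relay open), as an added example that is not code from the thread: a small Python linter for main.cf that parses Postfix's key = value syntax with continuation lines and flags the pitfalls a relay admin wants to catch before opening port 25. The parameter and restriction names are real Postfix ones; SAMPLE is constructed from the first post's relay_domains lines plus a deliberately misordered smtpd_recipient_restrictions (the first post sets none), and the finding strings are this example's own.

```python
import re

def parse_main_cf(text):
    """Return ({key: last value}, {key: number of assignments})."""
    values, counts, key = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:  # continuation of the previous value
            values[key] += " " + raw.strip()
            continue
        m = re.match(r"^([\w\-]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            values[key] = m.group(2).strip()
            counts[key] = counts.get(key, 0) + 1
    return values, counts

def split_list(value):  # Postfix lists are comma- and/or whitespace-separated
    return [v for v in re.split(r"[,\s]+", value) if v]

def lint(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    values, counts = parse_main_cf(text)
    out = [f"{k} assigned {n} times; only the last line takes effect"
           for k, n in counts.items() if n > 1]
    for k in ("relay_domains", "mydestination"):
        for entry in split_list(values.get(k, "")):
            # '$pouet2.org' is a parameter reference ($pouet2), not the
            # domain name pouet2.org, so the intended domain is never relayed
            if re.match(r"^\$\w+\.", entry):
                out.append(f"{k}: '{entry}' is a $-reference, not a domain")
    restr = split_list(values.get("smtpd_recipient_restrictions", ""))
    if restr:  # unset means the Postfix 2.2 default: permit_mynetworks, reject_unauth_destination
        guard = [i for i, r in enumerate(restr)
                 if r in ("reject_unauth_destination", "defer_unauth_destination")]
        permits = [i for i, r in enumerate(restr) if r == "permit"]
        if not guard:
            out.append("smtpd_recipient_restrictions: no reject_unauth_destination (open relay)")
        elif permits and permits[0] < guard[0]:
            out.append("smtpd_recipient_restrictions: 'permit' before reject_unauth_destination (open relay)")
    return out

# Constructed sample: the relay_domains lines from the first post plus a
# deliberately misordered restriction list (the first post does not set one).
SAMPLE = """relay_domains = $pouet.loc
relay_domains = $pouet2.org
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""
```

Run lint(open("/etc/postfix/main.cf").read()) on the real file; an empty list means none of the three pitfalls is present.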


Marsh posted on 06-11-2006 at 12:02:59

up!



Marsh posted on 08-11-2006 at 11:52:45

so that means nobody, then???



Marsh posted on 08-11-2006 at 11:54:56

well no... sorry :(


---------------
Wedge#2487 @HS -#- PW: +∞ -#- Khaz-Modan/Boltiz @WoW

Marsh posted on 08-11-2006 at 12:52:35

Hi, listen, at my company we work almost the same way as you.
 
wan -> router -> port 25 -> linux + postfix + postgrey + etc. -> Lotus on another machine.
 
here's the installed config (not by me, it was already in place when I arrived, and I haven't had time to check whether everything is clean)
 
main.cf
 
# see /usr/share/postfix/main.cf.dist for a commented, fuller
# version of this file.
 
# Do not change these directory settings - they are critical to Postfix
# operation.
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
 
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
setgid_group = postdrop
biff = no
 
# appending .domain is the MUA's job.
append_dot_mydomain = no
myhostname = amavis.xxxxxxxxxxxxxxxxx.Fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = amavis.xxxxxxxxxxxxxx.fr
mydestination = xxxxxxxxxxxx.fr, xxxxxxxxxxxxxxx.fr, xxxxxxxxxxxxxxx.fr, xxxxxxxxxxxxx.fr, localhost.xxxxxxxxxxxxxxxx.fr, amavis.xxxxxxxxxxxxxxxx.fr, localhost
#relayhost = smtp.oleane.net
relayhost =
mynetworks = 192.0.1.0/24 127.0.0.0/8 192.168.30.0/24 192.168.51.0/24 212.234.xxxx.xxxx
smtp_bind_address = 0.0.0.0
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname
mime_header_checks = regexp:/etc/postfix/mime_header_checks
 
# Postfix server configured as an antivirus/antispam SMTP proxy
local_recipient_maps =
transport_maps = hash:/etc/postfix/transport
 
# added for amavisd
content_filter = smtp-amavis:[127.0.0.1]:10024
 
# debug level
debug_peer_level = 5
 
# SMTPD RECIPIENT RESTRICTION
smtpd_recipient_restrictions =
#    reject_unknown_sender_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender-whitelist,
    check_client_access hash:/etc/postfix/rbl-whitelist,
    check_policy_service inet:127.0.0.1:60000,
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rhsbl_sender blackhole.securitysage.com,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
 
smtpd_data_restrictions = reject_unauth_pipelining
 
smtpd_client_restrictions =
   reject_rbl_client rbl-plus.mail-abuse.org
   reject_rbl_client bl.spamcop.net
   reject_rbl_client will-spam-for-food.eu.org
   reject_rbl_client relays.mail-abuse.org
   reject_rbl_client blackholes.mail-abuse.org
   reject_rbl_client relays.visi.com
   reject_rbl_client wingate.opm.blitzed.org
   reject_rbl_client korea.rominet.net
   reject_rbl_client china.rominet.net
   reject_rbl_client taiwan.rominet.net
   reject_rbl_client hong-kong.rominet.net
 
smtpd_sender_restrictions =
   reject_rbl_client rbl-plus.mail-abuse.org
   reject_rbl_client bl.spamcop.net
   reject_rbl_client will-spam-for-food.eu.org
   reject_rbl_client relays.mail-abuse.org
   reject_rbl_client blackholes.mail-abuse.org
   reject_rbl_client relays.visi.com
   reject_rbl_client wingate.opm.blitzed.org
   reject_rbl_client korea.rominet.net
   reject_rbl_client china.rominet.net
   reject_rbl_client taiwan.rominet.net
   reject_rbl_client hong-kong.rominet.net


Marsh posted on 13-11-2006 at 10:48:38

thank you!!!
I'll see what I can do with this!!!!



Marsh posted on 13-11-2006 at 12:10:24

I made a few changes
 
main.cf
 
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
 
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
setgid_group = postdrop
biff = no
 
# appending .domain is the MUA's job.
append_dot_mydomain = no
myhostname = amavis.xxxxxxxxxxxxxxxxxx.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = amavis.apostrophe.fr
mydestination = xxxxxxxxxxxxxxxxxx.fr, mail.xxxxxxxxxxxxxxxxxx.fr, xxxxxxxxxxxxxxxxxx.fr, mail.xxxxxxxxxxxxxxxxxx.fr, localhost.xxxxxxxxxxxxxxxxxx.fr, amavis.xxxxxxxxxxxxxxxxxx.fr, localhost
#relayhost = smtp.oleane.net
relayhost =
mynetworks = 192.0.1.0/24 127.0.0.0/8 192.168.30.0/24 192.168.51.0/24 212.234.57.153
smtp_bind_address = 0.0.0.0
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname
mime_header_checks = regexp:/etc/postfix/mime_header_checks
 
# Postfix server configured as an antivirus/antispam SMTP proxy
local_recipient_maps =
transport_maps = hash:/etc/postfix/transport
 
# added for amavisd
content_filter = smtp-amavis:[127.0.0.1]:10024
 
# debug level
debug_peer_level = 5
 
# SMTPD RECIPIENT RESTRICTION
smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender-whitelist,
    check_client_access hash:/etc/postfix/rbl-whitelist,
    check_policy_service inet:127.0.0.1:60000,
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rhsbl_sender blackhole.securitysage.com,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    permit
 
smtpd_data_restrictions = reject_unauth_pipelining
 
smtpd_client_restrictions =
   reject_rbl_client rbl-plus.mail-abuse.org
   reject_rbl_client bl.spamcop.net
   reject_rbl_client will-spam-for-food.eu.org
   reject_rbl_client relays.mail-abuse.org
   reject_rbl_client blackholes.mail-abuse.org
#  reject_rbl_client relays.visi.com
   reject_rbl_client wingate.opm.blitzed.org
   reject_rbl_client korea.rominet.net
   reject_rbl_client china.rominet.net
   reject_rbl_client taiwan.rominet.net
   reject_rbl_client hong-kong.rominet.net
 
smtpd_sender_restrictions =
   reject_rbl_client rbl-plus.mail-abuse.org
   reject_rbl_client bl.spamcop.net
   reject_rbl_client will-spam-for-food.eu.org
   reject_rbl_client relays.mail-abuse.org
   reject_rbl_client blackholes.mail-abuse.org
#  reject_rbl_client relays.visi.com
   reject_rbl_client wingate.opm.blitzed.org
   reject_rbl_client korea.rominet.net
   reject_rbl_client china.rominet.net
   reject_rbl_client taiwan.rominet.net
   reject_rbl_client hong-kong.rominet.net
