Mail Server Installation: Postfix, Amavisd, MySQL, SpamAssassin, DSPAM, Courier-IMAP


Saturday 19 May 2007, by tonio

The system this document is based on is a Debian Testing (Lenny). At the time of writing, the Stable release (Etch) differs on a few packages (names changed between releases: see the Debian site for the equivalent versions), but this causes no functional problem.

For clarity, every action is described in as much detail as possible, so that the tutorial is not reduced to a bare sequence of commands. It can, however, be tedious to create a file by copy/paste and then edit the password in it (especially when several occurrences must be changed). This is why the footnotes give quick commands that carry out some of the longer actions. A numbered hyperlink indicates that a quick command exists. Handy when redoing the tutorial (or for the lazy!).

This tutorial also works on Ubuntu, but some packages differ slightly. We will try to point this out where possible.

The IMAP server used is Courier's, but for those who prefer it we will indicate how to install Dovecot instead.

The example domain is starbridge.org and the hostname of the mail server is spike.

Update the system:

aptitude update
aptitude dist-upgrade

Check the following files:

/etc/hostname:

spike.starbridge.org

/etc/hosts:

127.0.0.1    spike.starbridge.org localhost.localdomain localhost spike

Local DNS cache

A mail server makes intensive use of DNS queries. For performance reasons it is strongly recommended to install a local DNS cache:

aptitude install bind9

Debian's default configuration provides a caching server (it can of course be configured to serve your local domain, or even your public domain, but that is outside the scope of this article).

Edit /etc/resolv.conf so that it points to the local server:

nameserver 127.0.0.1
search starbridge.org

Restart the DNS server:

/etc/init.d/bind9 restart

Then test resolution with nslookup or dig:

nslookup
> server

should return:

Default server: 127.0.0.1
Address: 127.0.0.1#53

then:

> yahoo.fr

must resolve correctly.

Postfix and MySQL

aptitude install postfix postfix-mysql mysql-client-5.0 mysql-server-5.0 courier-imap courier-imap-ssl courier-authdaemon courier-authlib-mysql libsasl2-2 libsasl2-modules sasl2-bin libpam-mysql openssl ntp fam tmpreaper

Other packages are installed at the same time. The old MTA, exim4, is removed. To install Dovecot instead of Courier, replace courier-imap and courier-imap-ssl with dovecot-imapd.

Note: answers to the questions of the Debian installer:

courier-base: create the directories needed for web administration? = NO.
postfix configuration: INTERNET SITE. Accept the defaults for the rest.

Install apache + php5 so that everything can later be managed through the Postfixadmin interface:

aptitude install apache2 libapache2-mod-php5 php5-mysql

Note: it is strongly recommended to set up SSL in Apache to protect the exchanges. That configuration is detailed later, when Postfixadmin is installed. Those who prefer it can install phpmyadmin right away to carry out the next step (that installation is not covered here; it is outside the scope of this document).

Now create the postfix database.

Note: if a password was set when the mysql package was installed, skip the first command below and run the second one directly.

mysqladmin -u root password '*****'
mysqladmin -u root --password='*****' create postfix

Create the postfix user:

$ mysql -u root -p
Enter password:
GRANT ALL PRIVILEGES ON postfix.* TO "postfix"@"localhost" IDENTIFIED BY '******';

Create the following tables in the postfix database:

USE postfix;

CREATE TABLE admin (
  username varchar(255) NOT NULL default '',
  password varchar(255) NOT NULL default '',
  created datetime NOT NULL default '0000-00-00 00:00:00',
  modified datetime NOT NULL default '0000-00-00 00:00:00',
  active tinyint(1) NOT NULL default '1',
  PRIMARY KEY (username)
) ENGINE=MyISAM COMMENT='Postfix Admin Virtual Admins';

########## Table structure for table alias ##########################
CREATE TABLE alias (
  address varchar(255) NOT NULL default '',
  goto text NOT NULL,
  domain varchar(255) NOT NULL default '',
  created datetime NOT NULL default '0000-00-00 00:00:00',
  modified datetime NOT NULL default '0000-00-00 00:00:00',
  active tinyint(1) NOT NULL default '1',
  PRIMARY KEY (address)
) ENGINE=MyISAM COMMENT='Postfix Admin Virtual Aliases';

############ Table structure for table domain #####################
CREATE TABLE domain (
  domain varchar(255) NOT NULL default '',
  description varchar(255) NOT NULL default '',
  aliases int(10) NOT NULL default '0',
  mailboxes int(10) NOT NULL default '0',
  maxquota int(10) NOT NULL default '0',
  quota int(10) NOT NULL default '0',
  transport varchar(255) default NULL,
  backupmx tinyint(1) NOT NULL default '0',
  created datetime NOT NULL default '0000-00-00 00:00:00',
  modified datetime NOT NULL default '0000-00-00 00:00:00',
  active tinyint(1) NOT NULL default '1',
  PRIMARY KEY (domain)
) ENGINE=MyISAM COMMENT='Postfix Admin Virtual Domains';

########## Table structure for table domain_admins ################
CREATE TABLE domain_admins (
  username varchar(255) NOT NULL default '',
  domain varchar(255) NOT NULL default '',
  created datetime NOT NULL default '0000-00-00 00:00:00',
  active tinyint(1) NOT NULL default '1',
  KEY username (username)
) ENGINE=MyISAM COMMENT='Postfix Admin Domain Admins';

############ Table structure for table log ########################
CREATE TABLE log (
  timestamp datetime NOT NULL default '0000-00-00 00:00:00',
  username varchar(255) NOT NULL default '',
  domain varchar(255) NOT NULL default '',
  action varchar(255) NOT NULL default '',
  data varchar(255) NOT NULL default '',
  KEY timestamp (timestamp)
) ENGINE=MyISAM COMMENT='Postfix Admin Log';

########## Table structure for table mailbox #######################
CREATE TABLE mailbox (
  username varchar(255) NOT NULL default '',
  password varchar(255) NOT NULL default '',
  name varchar(255) NOT NULL default '',
  maildir varchar(255) NOT NULL default '',
  quota varchar(20) NOT NULL default '0',
  domain varchar(255) NOT NULL default '',
  created datetime NOT NULL default '0000-00-00 00:00:00',
  modified datetime NOT NULL default '0000-00-00 00:00:00',
  active tinyint(1) NOT NULL default '1',
  PRIMARY KEY (username)
) ENGINE=MyISAM COMMENT='Postfix Admin Virtual Mailboxes';

############ Table structure for table vacation #####################
CREATE TABLE vacation (
  email varchar(255) NOT NULL default '',
  subject varchar(255) NOT NULL default '',
  body text NOT NULL,
  cache text NOT NULL,
  domain varchar(255) NOT NULL default '',
  created datetime NOT NULL default '0000-00-00 00:00:00',
  active tinyint(4) NOT NULL default '1',
  PRIMARY KEY (email)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_general_ci COMMENT='Postfix Admin Virtual Vacation';

############# vacation_notification table #######################
CREATE TABLE vacation_notification (
  on_vacation varchar(255) NOT NULL,
  notified varchar(255) NOT NULL,
  notified_at timestamp NOT NULL default now(),
  CONSTRAINT vacation_notification_pkey PRIMARY KEY (on_vacation, notified),
  FOREIGN KEY (on_vacation) REFERENCES vacation(email) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_general_ci COMMENT='Postfix Admin Virtual Vacation Notifications';

INSERT INTO domain (domain, description) VALUES ('starbridge.org', 'Test Domain');
INSERT INTO alias (address, goto, domain) VALUES ('[email protected]', '[email protected]', 'starbridge.org');
INSERT INTO alias (address, goto, domain) VALUES ('[email protected]', '[email protected]', 'starbridge.org');
INSERT INTO alias (address, goto, domain) VALUES ('[email protected]', '[email protected]', 'starbridge.org');
INSERT INTO alias (address, goto, domain) VALUES ('[email protected]', '[email protected]', 'starbridge.org');
INSERT INTO alias (address, goto, domain) VALUES ('[email protected]', '[email protected]', 'starbridge.org');
INSERT INTO mailbox (username, password, name, maildir, domain) VALUES ('[email protected]', '$1$caea3837$gPafod/Do/8Jj5M9HehhM.', 'Mailbox User', '[email protected]/', 'starbridge.org');
INSERT INTO mailbox (username, password, name, maildir, domain) VALUES ('[email protected]', '$1$caea3837$gPafod/Do/8Jj5M9HehhM.', 'Mailbox Admin', '[email protected]/', 'starbridge.org');
INSERT INTO domain_admins (username, domain, active) VALUES ('[email protected]', 'ALL', '1');
INSERT INTO `admin` (`username`, `password`, `created`, `modified`, `active`) VALUES ('[email protected]', '$1$caea3837$gPafod/Do/8Jj5M9HehhM.', '0000-00-00 00:00:00', '0000-00-00 00:00:00', 1);

Obviously, replace starbridge.org with your own domain.

Explanation: only 3 tables are needed by Postfix. The rest is for the Postfixadmin interface that will be installed later.
The (MD5) password is "secret" ($1$caea3837$gPafod/Do/8Jj5M9HehhM.).
The first INSERT tells Postfix that this domain is virtual and must therefore be handled by it.
The 3rd INSERT is a virtual alias pointing to a user of the mailbox table. This alias pointing to itself is used by Postfixadmin.
The 4th INSERT is a plain virtual alias.
The 7th INSERT is a virtual account (mailbox), using a password encrypted with MD5.
The last two INSERTs create the super administrator that will be used later in Postfixadmin.

Configuring Postfix

Note: Postfix is left chrooted (more secure) and the proxymap daemon is used to talk to the MySQL socket.

Replace the whole of /etc/postfix/main.cf with the content below:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
myhostname = spike.starbridge.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
recipient_delimiter = +
home_mailbox = Maildir/
notify_classes = 2bounce, bounce, delay, policy, protocol, resource, software
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:20001
virtual_mailbox_base = /home/virtual
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 20001
virtual_uid_maps = static:20001
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions $smtpd_sender_login_maps
message_size_limit = 50240000
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

Edit /etc/postfix/master.cf as below:

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
587       inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
  -o receive_override_options=no_header_body_checks
  -o content_filter=
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

Create the vmail group and user with uid and gid 20001, along with the mail directory:

groupadd -g 20001 vmail
useradd -g vmail -u 20001 vmail -d /home/virtual -m

Lock it down:

chown -R vmail: /home/virtual
chmod 770 /home/virtual

Create the files Postfix uses to query the tables:

vi /etc/postfix/mysql_virtual_alias_maps.cf

and paste:

user = postfix
password = ****
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active='1'

vi /etc/postfix/mysql_virtual_domains_maps.cf

user = postfix
password = ****
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active='1'

vi /etc/postfix/mysql_virtual_mailbox_maps.cf

user = postfix
password = ****
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active='1'

Lock them down:

chmod 640 /etc/postfix/mysql_*
chgrp postfix /etc/postfix/mysql_*

Maildrop

We need an MDA (mail delivery agent) to deliver mail into the mailboxes. Postfix's own Virtual delivery service does not fully suit our needs: we will need filtering capabilities in the MDA as well as quota management, which Virtual cannot do. Procmail is very good at filtering but does not support virtual users/domains, since it cannot talk to a database. A widespread method for quotas is applying the VDA patch to Postfix, an option we will not choose for reliability reasons. Maildrop meets our needs: it will take care of delivering mail into the home directories.

First install the tools needed for compilation:

aptitude install bzip2 gcc libpcre3-dev libpcre++-dev courier-authlib-dev g++ libtool libmysqlclient15-dev make libssl-dev

Download the sources:

cd ~
wget http://switch.dl.sourceforge.net/sourceforge/courier/maildrop-2.0.4.tar.bz2
tar jxf maildrop-2.0.4.tar.bz2
cd maildrop-2.0.4
./configure --prefix=/usr/local/courier --with-etcdir=/etc/courier --enable-maildrop-uid=20001 --enable-maildrop-gid=20001 --enable-maildirquota --without-db
make && make install

Notes:
- On Etch the package libpcre++-dev does not exist and aptitude says so: ignore it.
- The ./configure is particularly long and looks as if it were looping. This is normal; wait for the process to finish.
- At the end of make install with version 2.0.4, an error message may appear for one of the components. Even though it does not prevent Maildrop from working, the problem can be fixed like this:

cd makedat
ln -s makedatprog.c makedatprog
cd ..
make install

Apply the correct permissions to the executables and to /var/run/courier/authdaemon:

chown vmail: /usr/local/courier/bin/*
chown vmail:daemon /var/run/courier/authdaemon/
chmod 750 /var/run/courier/authdaemon/

Note: on Ubuntu, the file /etc/init.d/courier-authdaemon must also be edited to replace

chown daemon:daemon ${run_dir} /var/run/courier

with

chown vmail:daemon ${run_dir}

Check that maildrop is correctly installed (modules enabled):

/usr/local/courier/bin/maildrop -v

which should give:

maildrop 2.0.4 Copyright 1998-2005 Double Precision, Inc.
Courier Authentication Library extension enabled.
Maildir quota extension enabled.
This program is distributed under the terms of the GNU General Public License. See COPYING for additional information.

Authentication is enabled, as is quota management, which we will configure later.

Edit the file /etc/courier/authdaemonrc to replace authmodulelist="authpam" with authmodulelist="authpam authmysql":

cd /etc/courier
mv authdaemonrc authdaemonrc-orig
wget http://www.starbridge.org/spip/doc/Procmail/courier/authdaemonrc
chown daemon: authdaemonrc
chmod 660 authdaemonrc

Run the following commands to create the authmysqlrc file (toto being your password):

cd /etc/courier
mv authmysqlrc authmysqlrc-orig
wget http://www.starbridge.org/spip/doc/Procmail/courier/authmysqlrc
chown daemon: authmysqlrc
chmod 660 authmysqlrc
sed -i 's/\*\*\*\*\*/toto/g' authmysqlrc

Note: be very careful with the syntax of this file: put a tab between a parameter and its value, and leave no space at the end of a parameter. The slightest error will break authentication. This is why the file is supplied here ready-made and needs no change other than the password of your database.

Lock it down:

chmod 640 /etc/courier/authmysqlrc
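The whitespace rules just stated can be checked mechanically before restarting the authentication daemon. The linter below is an added example, not part of the original tutorial: it assumes the downloaded file uses the usual Courier authmysqlrc setting names (MYSQL_SERVER, MYSQL_PASSWORD, ...) and that ***** is the placeholder the sed command is expected to replace; the sample files are constructed.

```python
"""Lint a Courier authmysqlrc for the whitespace rules stated above
(added example, not from the original tutorial)."""
import re
import sys

# A well-formed setting is NAME, one or more TABs, then a non-empty value.
SETTING = re.compile(r"^([A-Z0-9_]+)\t+(\S.*)$")

# Settings this tutorial's layout relies on (assumed: the page does not
# show the downloaded file, it only tells you to patch the password).
REQUIRED = (
    "MYSQL_SERVER", "MYSQL_USERNAME", "MYSQL_PASSWORD", "MYSQL_DATABASE",
    "MYSQL_USER_TABLE", "MYSQL_CRYPT_PWFIELD", "MYSQL_UID_FIELD",
    "MYSQL_GID_FIELD", "MYSQL_LOGIN_FIELD", "MYSQL_HOME_FIELD",
    "MYSQL_MAILDIR_FIELD",
)


def lint_authmysqlrc(text):
    """Return (settings, problems): settings maps NAME -> value for the
    well-formed lines, problems lists human-readable findings."""
    settings, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line != line.rstrip():
            problems.append(
                f"line {lineno}: trailing whitespace would end up inside the value")
        match = SETTING.match(line.rstrip())
        if not match:
            # Usually a space instead of a TAB between name and value.
            problems.append(
                f"line {lineno}: expected NAME<TAB>value, got {line.rstrip()!r}")
            continue
        name, value = match.groups()
        if name == "MYSQL_PASSWORD" and set(value) == {"*"}:
            problems.append(
                f"line {lineno}: MYSQL_PASSWORD still holds the ***** placeholder")
        settings[name] = value
    for name in REQUIRED:
        if name not in settings:
            problems.append(f"missing setting {name}")
    return settings, problems


# Constructed sample that follows the rules (values as in this tutorial)...
GOOD = "\n".join([
    "##NAME: MYSQL_SERVER:0",
    "MYSQL_SERVER\tlocalhost",
    "MYSQL_USERNAME\tpostfix",
    "MYSQL_PASSWORD\ttoto",
    "MYSQL_DATABASE\tpostfix",
    "MYSQL_USER_TABLE\tmailbox",
    "MYSQL_CRYPT_PWFIELD\tpassword",
    "MYSQL_UID_FIELD\t'20001'",
    "MYSQL_GID_FIELD\t'20001'",
    "MYSQL_LOGIN_FIELD\tusername",
    "MYSQL_HOME_FIELD\t'/home/virtual'",
    "MYSQL_MAILDIR_FIELD\tmaildir",
])
# ...and the same file with the two classic mistakes: a space instead of a
# TAB after MYSQL_PASSWORD (placeholder not replaced either) and a trailing
# blank after the login field.
BAD = (GOOD.replace("MYSQL_PASSWORD\ttoto", "MYSQL_PASSWORD *****")
           .replace("MYSQL_LOGIN_FIELD\tusername", "MYSQL_LOGIN_FIELD\tusername "))

if __name__ == "__main__":
    # Lint a real file given on the command line, otherwise the BAD sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            _, found = lint_authmysqlrc(fh.read())
    else:
        _, found = lint_authmysqlrc(BAD)
    print("\n".join(found) or "authmysqlrc looks fine")
```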

Maildrop is invoked by Postfix at delivery time. For Postfix to use Maildrop, add to main.cf:

virtual_transport = maildrop
maildrop_destination_recipient_limit = 1

and to master.cf (delete the existing maildrop lines and replace them with these):

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/courier/bin/maildrop -w 90 -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop} ${sender}

Create /home/virtual/.mailfilter to enable logging and the automatic creation of the maildir at delivery time (Postfix cannot do it as it does with the default "virtual" transport, because it is no longer Postfix that delivers directly into the directories):

vi /home/virtual/.mailfilter

and paste:

logfile "/home/virtual/.maildrop.log"
`[ -d $DEFAULT ] || (maildirmake $DEFAULT && maildirmake -f Spam $DEFAULT && maildirmake -f sent-mail $DEFAULT && maildirmake -f SpamToLearn $DEFAULT && maildirmake -f SpamFalse $DEFAULT)`
`test -r $HOME/$DEFAULT.mailfilter`
if ( $RETURNCODE == 0 )
{
    log "(==) Including $HOME/$DEFAULT.mailfilter"
    exception {
        include $HOME/$DEFAULT.mailfilter
    }
}

Lock down this file:

chown vmail: /home/virtual/.mailfilter
chmod 600 /home/virtual/.mailfilter

Restart the authentication daemon and Postfix:

/etc/init.d/courier-authdaemon restart
/etc/init.d/postfix restart

Test this first basic configuration:

authtest [email protected]

should give:

Authentication succeeded.
     Authenticated: [email protected]  (uid 20001, gid 20001)
    Home Directory: /home/virtual
           Maildir: [email protected]/
             Quota: 0S
Encrypted Password: $1$caea3837$gPafod/Do/8Jj5M9HehhM.
Cleartext Password: (none)
           Options: (none)

If it fails, the authmysqlrc file is most probably the cause. Check the logs: /var/log/mail.log.

Then:

/usr/local/courier/bin/maildrop -V 7 -d [email protected]

should give:

maildrop: authlib: groupid=20001
maildrop: authlib: userid=20001
maildrop: authlib: [email protected], home=/home/virtual, [email protected]/
maildrop: Changing to /home/virtual

CTRL+C to exit.

Send a test message:

mail [email protected]

Note: type a . (a single dot alone on its line) to end the message.

Check the logs for errors. If everything worked, a line should contain:

... status=sent (delivered via maildrop service) ...

Note: if the mail command does not exist on the system (Ubuntu for instance), install it with:

aptitude install mailx

Then test directly on port 25 (what you type is prefixed with >, the rest is the server's reply):

> telnet localhost 25
220 [127.0.0.1] ESMTP Postfix
> HELO localhost
250 [127.0.0.1]
> MAIL FROM:<[email protected]>
250 2.1.0 Sender OK
> RCPT TO:<[email protected]>
250 2.1.5 OK
> DATA
354 End data with <CR><LF>.<CR><LF>
> .
250 2.0.0 Ok: queued as 079474CE44
> QUIT
221 2.0.0 Bye
Connection closed by foreign host

Check the logs to verify.

NOTE: the .mailfilter file created above is shared by all accounts and is applied to every mail. To apply rules specific to one user, just create another .mailfilter file in their Maildir. This way one can, for example, redirect mail into specific folders.

Example of a personal .mailfilter file:

# discard messages coming from the address below
if ( \
    /^From:.*actu@b\.linternaute\.com/:h \
)
exception {
    to "/dev/null"
}

##### classified ads #####
if ( \
    /^From:.*alerte@avendrealouer\.fr/:h \
    || /^From:.*mailing_pap@pap\.fr/:h \
    || /^Sender:.*alertemail@pap\.fr/:h \
)
exception {
    to "${DEFAULT}/.annonces/"
}

Note: for assisted, self-service creation of personal mailfilter files (by the users themselves), a module of the Horde webmail can be used. The article on installing the webmail covers this point in detail.

Of course, apply the same permissions to this personal file as to the general .mailfilter:

chown vmail: /home/virtual/[email protected]/.mailfilter
chmod 600 /home/virtual/[email protected]/.mailfilter

Courier IMAP

Note: to install and configure Dovecot, if that is what you chose, follow the Dovecot link and do not run the instructions of this section.

The most important part of Courier IMAP, namely MySQL authentication, was already configured in the Maildrop section. We will simply add a very useful Courier IMAP feature: ENHANCEDIDLE. It refreshes the inbox in the mail client in real time, without any polling schedule: a new message appears instantly in the client.

Caution:
- the mail client must support this feature. Outlook and Thunderbird do.
- the feature relies on FAM, the File Alteration Monitor. On servers with a very large number of mailboxes this can hurt performance, so enable it knowingly and watch the load over time.
- moreover, FAM tends to crash during very large operations on mailboxes (several thousand mails). In that case Courier IMAP keeps working without problem (minus the real-time refresh, of course) and error messages appear in mail.log until FAM is restarted. It may therefore be wise to monitor the FAM process and restart it automatically when it stops (a Webmin module does this very well).

To enable the feature, look for these parameters in /etc/courier/imapd and set their value to 1 (IMAP_USELOCKS should already be 1 by default):

IMAP_USELOCKS=1
IMAP_ENHANCEDIDLE=1

Then restart the authentication daemon and courier-imap:

/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart

Test the connection from a mail client (Outlook, Thunderbird, ...). Remember to give user@starbridge.org as the mailbox login, not user alone. As a reminder, the password is secret. For now configure SMTP without authentication. The mail sent locally earlier should be visible. Send a test mail from the client to your own address, then check the logs and the arrival of the new mail in the mailbox.

Notes:
By default IMAP is configured to start at most 40 IMAP servers, which lets 40 users connect simultaneously (MAXDAEMONS=40). It also limits the number of simultaneous users from the same IP to 20 by default (MAXPERIP=20). Adjust these parameters according to the number of mailboxes.
/etc/courier/imapd contains general configuration parameters that also apply to imap-ssl (ENHANCEDIDLE, for example). The number of daemons and of connections per IP, however, is configured independently in /etc/courier/imapd and /etc/courier/imapd-ssl.

SASL authentication

For now Postfix uses the IP address of the connecting client to decide whether it may relay mail or only accept mail for local users. To be able to use the mail server from outside (laptops, for instance), secure authentication must be enabled.

Create the file /etc/pam.d/smtp:

vi /etc/pam.d/smtp

and paste the following content:

auth    required   pam_mysql.so user=postfix passwd=***** host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1
account sufficient pam_mysql.so user=postfix passwd=***** host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1

"*****" is the password the postfix user uses to access the postfix database.

Lock down this file, as the password is stored in clear:

chmod 640 /etc/pam.d/smtp

Create the file /etc/postfix/sasl/smtpd.conf:

vi /etc/postfix/sasl/smtpd.conf

and paste the following content:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 5

Edit /etc/default/saslauthd as follows (do not change the other parameters already present in the original file):

START=yes
MECHANISMS="pam"
OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"

Create the socket directory and give it the appropriate rights:

mkdir /var/spool/postfix/var/
mkdir /var/spool/postfix/var/run/
mkdir /var/spool/postfix/var/run/saslauthd
chown -R root:sasl /var/spool/postfix/var/
chmod 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

Create a symbolic link, just in case:

ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

Add this to /etc/postfix/main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes

Also add "permit_sasl_authenticated" to "smtpd_recipient_restrictions" so that the restrictions take it into account (be careful to put the parameter exactly at the place indicated):

.....
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
......

Edit /etc/init.d/postfix, look for the FILES variable and add etc/postfix/sasl/smtpd.conf to the list:

FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
    etc/nsswitch.conf etc/nss_mdns.config etc/postfix/sasl/smtpd.conf"

Restart Postfix and saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart

Check that the parameters were passed to the saslauthd daemon:

ps waux | grep saslauthd

should give several lines with these parameters:

/usr/sbin/saslauthd -a pam -c -r -m /var/spool/postfix/var/run/saslauthd -n 5

Note: since this SASL section is often a source of trouble during configuration, the complete set of commands to run in one go to configure everything is given as a quick command (footnote link).

Enabling TLS

For a production server it would be preferable to use a real certificate supplied and signed by a trusted certification authority (paid).

Edit the ssl configuration to be able to sign certificates for 10 years instead of the default 1 year:

vi /etc/ssl/openssl.cnf

and change the default_days line to default_days = 3650

Create the root certificate:

cd ~
/usr/lib/ssl/misc/CA.pl -newca

Enter the required parameters, choose a passphrase of your choice and leave "challenge password" empty.

CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
.........................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Paris
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Starbridge
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:starbridge.org
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            84:7c:ce:d2:f7:cf:df:6c
        Validity
            Not Before: Nov 13 16:44:33 2007 GMT
            Not After : Nov 12 16:44:33 2010 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Paris
            organizationName          = Starbridge
            commonName                = starbridge.org
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B9:04:A3:81:E5:5D:D6:82:72:F4:6E:0C:FB:3F:E2:62:1B:EF:B9:57
            X509v3 Authority Key Identifier:
                keyid:B9:04:A3:81:E5:5D:D6:82:72:F4:6E:0C:FB:3F:E2:62:1B:EF:B9:57
                DirName:/C=FR/ST=Paris/O=Starbridge/CN=starbridge.org/[email protected]
                serial:84:7C:CE:D2:F7:CF:DF:6C
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 12 16:44:33 2010 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

This root certificate is used to sign certificates. It lives in the ~/demoCA directory.

Now create a private key for the server along with an unsigned public certificate:

mkdir ~/CERT
cd ~/CERT
openssl req -new -nodes -keyout starbridge-key.pem -out starbridge-req.pem -days 3650

and enter the parameters as below:

Generating a 1024 bit RSA private key
.............++++++
.............++++++
writing new private key to 'starbridge-key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Paris
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Starbridge
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:spike.starbridge.org
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: the most important parameter is the Common Name, which must be the same as the name the clients use to connect to the server. Here it is the FQDN: spike.starbridge.org.

Now sign this public certificate with the root certificate:

cd ~
openssl ca -out CERT/starbridge-cert.pem -infiles CERT/starbridge-req.pem

Here is the output of the signing:

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            84:7c:ce:d2:f7:cf:df:6d
        Validity
            Not Before: Nov 13 16:51:32 2007 GMT
            Not After : Nov 10 16:51:32 2017 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Paris
            organizationName          = Starbridge
            commonName                = spike.starbridge.org
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                05:2A:A9:90:6F:2A:80:F7:E3:EF:2B:F9:44:9D:8E:CF:C3:16:18:EF
            X509v3 Authority Key Identifier:
                keyid:B9:04:A3:81:E5:5D:D6:82:72:F4:6E:0C:FB:3F:E2:62:1B:EF:B9:57
Certificate is to be certified until Nov 10 16:51:32 2017 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now copy the certificate and the key into postfix:

mkdir /etc/postfix/tls
cp demoCA/cacert.pem CERT/starbridge-key.pem CERT/starbridge-cert.pem /etc/postfix/tls/
chmod 644 /etc/postfix/tls/starbridge-cert.pem /etc/postfix/tls/cacert.pem
chmod 400 /etc/postfix/tls/starbridge-key.pem
chmod 400 ~/CERT/*

Add this to /etc/postfix/main.cf:

smtp_tls_CAfile = /etc/postfix/tls/cacert.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/tls/starbridge-key.pem
smtpd_tls_cert_file = /etc/postfix/tls/starbridge-cert.pem
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom

Note: for a Postfix older than 2.5 (for instance when installing on Etch), change the two btree:$data_directory... parameters to btree:$queue_directory...

Restart Postfix:

/etc/init.d/postfix restart

Check that it works from a mail client configured for SASL authentication over TLS encryption, with the same credentials as for the IMAP connection (do not forget the @starbridge.org).

Note: if Dovecot was installed, TLS is tested at the next step.

For the authentication type, select "plain" (the term depends on the mail client). It is the encryption of the connection by TLS that protects the transfer of the password. This is why TLS and authentication must never be separated.

Note: the directive smtpd_tls_auth_only=yes requires a secure connection for SASL authentication, which limits users' configuration mistakes.
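The placement rule for permit_sasl_authenticated given in the SASL section and the smtpd_tls_auth_only note just above are both things that can be checked automatically. The script below is an added example, not part of the original tutorial: it parses a main.cf (including Postfix's indented continuation lines, as the restriction lists here are written), and reports an open relay (a bare permit ahead of reject_unauth_destination), a missing or misplaced permit_sasl_authenticated, and SASL offered without TLS. The sample configurations are constructed; the smtpd_relay_restrictions parameter of newer Postfix releases is outside its scope.

```python
"""Check the relay and SASL/TLS settings of a Postfix main.cf
(added example, not part of the original tutorial)."""
import re
import sys


def parse_main_cf(text):
    """Parse main.cf into {parameter: value}. A line starting with
    whitespace continues the previous parameter's value, which is how
    the restriction lists in this tutorial are laid out."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a "name = value" line
        current = name.strip()
        params[current] = value.strip()
    return params


def restriction_list(value):
    """Postfix accepts commas and/or whitespace as list separators."""
    return [r for r in re.split(r"[\s,]+", value) if r]


def check_main_cf(text):
    """Return the list of findings; an empty list means the checks passed."""
    cf = parse_main_cf(text)
    findings = []
    sasl_on = cf.get("smtpd_sasl_auth_enable", "no") == "yes"
    restr = restriction_list(cf.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in restr:
        findings.append("smtpd_recipient_restrictions has no "
                        "reject_unauth_destination: open relay")
    else:
        # Restrictions are evaluated in order: whatever permits before
        # reject_unauth_destination lets the client relay anywhere.
        before = restr[:restr.index("reject_unauth_destination")]
        if "permit" in before:
            findings.append("bare 'permit' before reject_unauth_destination: "
                            "open relay")
        if sasl_on and "permit_sasl_authenticated" not in before:
            findings.append("permit_sasl_authenticated missing or placed after "
                            "reject_unauth_destination: authenticated clients "
                            "cannot relay")
    if sasl_on:
        if cf.get("smtpd_tls_security_level", "none") == "none":
            findings.append("SASL enabled without TLS: passwords would cross "
                            "the wire in clear")
        if cf.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("smtpd_tls_auth_only is not yes: AUTH is offered "
                            "before STARTTLS")
    return findings


# Constructed sample: the settings this tutorial ends up with.
TUTORIAL_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit
"""

# Constructed sample: a bare "permit" slipped in before the reject.
OPEN_RELAY_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = none
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""

if __name__ == "__main__":
    # Check a real main.cf given on the command line, else the bad sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            found = check_main_cf(fh.read())
    else:
        found = check_main_cf(OPEN_RELAY_CF)
    print("\n".join(found) or "main.cf relay/SASL/TLS settings look fine")
```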

IMAPD SSL

Note: if you chose Dovecot, follow this link: Dovecot, and do not follow this section.

Now that we have a signed certificate, replace the default certificate of courier-imap-ssl with ours:

cd ~/CERT
cat starbridge-key.pem starbridge-cert.pem > certkey.pem
cp certkey.pem starbridge-certkey.pem
openssl gendh >> starbridge-certkey.pem
chmod 400 ~/CERT/*
cp starbridge-certkey.pem /etc/courier/
chmod 600 /etc/courier/starbridge-certkey.pem
chown daemon /etc/courier/starbridge-certkey.pem

Edit the imapd-ssl configuration file:

vi /etc/courier/imapd-ssl

and change the line:

TLS_CERTFILE=/etc/courier/imapd.pem

to

TLS_CERTFILE=/etc/courier/starbridge-certkey.pem

Enfinonrdmarreimapdssl: /etc/init.d/courier-imap-ssl stop /etc/init.d/courier-imap-ssl start OntestedepuisunclientmailenparametrantunconnectionSSLpourlimap(port993)

Installing PostfixAdmin

To make creating users and managing mailboxes and accounts easier, we use Postfixadmin. The latest release is 2.1.0 but it has many bugs, so we will use the SVN version.

Enabling SSL in Apache

SSL is essential to protect the exchanges, in particular the users' passwords. We enable SSL with the command:

a2enmod ssl

Then we create the virtual host:

vi /etc/apache2/sites-available/ssl

And paste:

NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName www.starbridge.org
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        # Commented out for Ubuntu
        # RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        AllowOverride AuthConfig
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/starbridge-certkey-www.pem

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

We edit the ports.conf file to enable port 443.

Note: in the latest Apache 2.2 versions on Debian Lenny this line is added automatically when the SSL module is enabled:

vi /etc/apache2/ports.conf

and add the line:

Listen 443

then we enable the virtual host:

a2ensite ssl

Generating the certificates:

It is important to create a certificate with the same name as the one used for the connection. For example, if the web server is reached as www.starbridge.org, the certificate must have www.starbridge.org as its CommonName. We assume that www.starbridge.org is used.

We therefore create an unsigned public certificate and a key, then sign it with the CA:

cd ~/CERT
openssl req -new -nodes -keyout starbridge-key-www.pem -out starbridge-req-www.pem -days 3650

We enter the information, taking care to set the CommonName to www.starbridge.org. The information entered earlier in the CA must also be matched.

cd ~
openssl ca -out CERT/starbridge-cert-www.pem -infiles CERT/starbridge-req-www.pem
chmod 400 ~/CERT/*
cd CERT/
cat starbridge-key-www.pem starbridge-cert-www.pem > starbridge-certkey-www.pem
mkdir /etc/apache2/ssl
cp starbridge-certkey-www.pem /etc/apache2/ssl/
chmod 600 /etc/apache2/ssl/starbridge-certkey-www.pem
chmod 400 ~/CERT/*

We restart Apache:

/etc/init.d/apache2 restart

We test the connection with https://www.starbridge.org

The browser will ask to validate the certificate because it is not recognised by a trusted authority. This is normal (it is a self-signed certificate). For a production server it would therefore be preferable to use a real (paid) certificate.

aptitude install subversion
cd /var/www
svn -r 358 co https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/trunk postfixadmin
chown -R www-data: /var/www/postfixadmin
cd postfixadmin
chmod 640 *.php
cd /var/www/postfixadmin/admin/
chmod 640 *.php
cd /var/www/postfixadmin/images/
chmod 640 *.png
cd /var/www/postfixadmin/languages/
chmod 640 *.lang
cd /var/www/postfixadmin/templates/
chmod 640 *.php
cd /var/www/postfixadmin/users/
chmod 640 *.php
cd /var/www/postfixadmin/

We replace the default config.inc.php with this one:

Note: every starbridge entry in this file must be replaced with the one matching your domain (toto is the password of the postfix SQL database and toto.com your domain):

mv config.inc.php config.inc.php-orig
wget http://www.starbridge.org/spip/doc/Procmail/config.inc.txt
mv config.inc.txt config.inc.php
sed -i "s/password'] = '\*\*\*\*\*'/password'] = 'toto'/" config.inc.php
sed -i 's/www.starbridge.org/www.toto.com/g' config.inc.php
sed -i 's/starbridge.org/toto.com/g' config.inc.php

We secure this file:

chown www-data: /var/www/postfixadmin/config.inc.php
chmod 640 config.inc.php

We delete the setup.php file, which is not needed in our case:

rm /var/www/postfixadmin/setup.php

We then connect to the interface: https://www.starbridge.org/postfixadmin (of course replace starbridge with your domain, otherwise you will be connecting to my server!!)

The login is [email protected] (created earlier with the SQL inserts); remember that the password is secret. The values entered on the command line at the start of the document will be found there.

We create a new user to validate the setup.

Remember that using SSL to connect to Postfixadmin is ESSENTIAL if the platform is managed over the Internet. On a local network its use would still be preferable.

Quota management

As we saw, maildrop was compiled with quota support and fields were set up in the SQL database to manage quotas. They must now be configured.

We create a generic warning message for quota overruns (adapt it to your needs, but be careful with the formatting of the file):

mkdir /usr/local/courier/etc/
cd /usr/local/courier/etc/
wget http://www.starbridge.org/spip/doc/Procmail/usr/local/courier/etc/quotawarnmsg
chown -R vmail: /usr/local/courier/etc/
chmod 644 /usr/local/courier/etc/quotawarnmsg
ln -s /usr/local/courier/etc/quotawarnmsg /usr/local/etc/

The rest is already configured in Maildrop, Postfix and Courier-IMAP. For a detailed explanation of how it works, see this article:

It is enough to use Postfixadmin to set a quota for a user. Do it with the user user@starbridge.org, who has no quota by default. We test by sending a mail, we look at the logs, and we check that a .maildirsize file has been created in the recipient's Maildir.

That's it, the server is configured! At this point the server is secured but filters neither viruses nor spam.

Antispam/Antivirus

Configuring Postfix:

A large majority of spam does not follow the rules for sending mail: incorrect HELO, MAIL FROM from an unknown domain, and so on. It is strongly recommended to read documents on the subject, in particular the RFCs, to understand properly how it works.

The first thing to do is to harden Postfix so that it is much more restrictive. For that we use smtpd_recipient_restrictions. We will not detail the exact effect of each rule here (the Postfix documentation is very precise on the subject, and the article on managing the mail server goes back over every point in detail).

We edit main.cf and replace the whole smtpd_recipient_restrictions with this one:

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_invalid_helo_hostname,
    reject_unlisted_recipient,
    reject_unlisted_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/internal_networks,
    check_sender_access hash:/etc/postfix/not_our_domain_as_sender,
    check_helo_access proxy:mysql:/etc/postfix/mysql-hello.cf,
    check_sender_access proxy:mysql:/etc/postfix/mysql-sender.cf,
    check_client_access proxy:mysql:/etc/postfix/mysql-client.cf,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    permit

As can be seen, we also configured RBLs (blacklists), which filter quite effectively (sometimes too much).
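As an added check (example code written for this page, not the tutorial's own and not part of Postfix), the shell script below extracts smtpd_recipient_restrictions from a main.cf and verifies that reject_unauth_destination is present and comes before the final bare permit, which is what keeps the list above from becoming an open relay; the two main.cf files it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check the
# smtpd_recipient_restrictions list in a Postfix main.cf before reloading.
# Postfix walks the list left to right and stops at the first restriction
# that returns PERMIT or REJECT, so a bare "permit" placed before
# reject_unauth_destination would turn the server into an open relay.

# extract_restrictions FILE: print the list entries, joining the indented
# continuation lines that main.cf allows after the "parameter =" line.
extract_restrictions() {
    awk '
        /^smtpd_recipient_restrictions[ \t]*=/ { inblock = 1; sub(/^[^=]*=/, ""); print; next }
        inblock && /^[ \t]/ { print; next }
        inblock { exit }
    ' "$1" | tr ',' '\n'
}

# relay_guard_ok FILE: succeed only if reject_unauth_destination (or its
# defer_ variant) is present and no bare "permit" precedes it.
# permit_mynetworks / permit_sasl_authenticated earlier in the list are fine:
# they only permit clients the server already trusts.
relay_guard_ok() {
    guard_seen=0
    for r in $(extract_restrictions "$1"); do
        case "$r" in
            reject_unauth_destination|defer_unauth_destination) guard_seen=1 ;;
            permit) [ "$guard_seen" -eq 1 ] || return 1 ;;
        esac
    done
    [ "$guard_seen" -eq 1 ]
}

# Constructed sample files: a shortened copy of the tutorial's list, and a
# broken variant with the unconditional permit in front.
WORK=$(mktemp -d)
GOOD_CF="$WORK/good_main.cf"
BAD_CF="$WORK/bad_main.cf"
cat > "$GOOD_CF" <<'EOF'
myhostname = spike.starbridge.org
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/internal_networks,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_tls_security_level = may
EOF
cat > "$BAD_CF" <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
EOF

if relay_guard_ok "$GOOD_CF"; then echo "good_main.cf: relay guard in place"; fi
if ! relay_guard_ok "$BAD_CF"; then echo "bad_main.cf: open relay, fix before 'postfix reload'"; fi
```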

WARNING: other RBLs exist (Spamcop, etc.) that can make filtering even more restrictive, but this is not recommended on a production server, even though the tables below (mysql-sender.cf and mysql-client.cf) can be used to whitelist certain clients or senders.

It is better to handle additional RBLs through a Postfix policy service, which allows more flexibility (this point will be detailed in another article). Note that Spamassassin also handles some RBLs by default.

Next, sender forging must be limited by checking the MAIL FROM (sender addresses). Still in main.cf, above the smtpd_recipient_restrictions = block, we place:

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-sasl-sender-check.cf
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch
smtpd_reject_unlisted_sender = yes
smtpd_restriction_classes = has_our_domain_as_sender
has_our_domain_as_sender =
    check_sender_access hash:/etc/postfix/our_domain_as_sender,
    reject

This prevents users from putting another email address in the MAIL FROM: they will have to use the domains we manage. Likewise, users authenticated through SASL will have to use as email address (MAIL FROM) a valid alias of their main address (this mechanism will be detailed in the document on managing the server).

We must now create the lookup files:

We create the file /etc/postfix/internal_networks:

vi /etc/postfix/internal_networks

We specify our local network and our public address in it. This defines the IP range(s) of our network that are allowed to send mail with our domains in the MAIL FROM. It also defines the IPs allowed to send mail while presenting our HELO. External SMTP clients that present a HELO that is ours will thus be blocked:

10.0.0    has_our_domain_as_sender

We postmap this file:

postmap /etc/postfix/internal_networks

Next we create the file /etc/postfix/mysql-hello.cf, which queries an SQL table.

vi /etc/postfix/mysql-hello.cf

This SQL table will list the HELOs of our email domains (there may be several in the case of a multi-domain server):

user = postfix
password = ****
hosts = localhost
dbname = postfix
query = SELECT access FROM postfix_hello WHERE source='%s'

We secure this file:

chown postfix /etc/postfix/mysql-hello.*
chmod 640 /etc/postfix/mysql-hello.*

We then create the file /etc/postfix/mysql-sender.cf.

vi /etc/postfix/mysql-sender.cf

It is used to blacklist or whitelist MAIL FROMs, that is senders, by their email address or just its domain:

user = postfix
password = ****
hosts = localhost
dbname = postfix
query = SELECT access FROM postfix_access WHERE source='%s' AND type='sender'

We secure this file:

chown postfix /etc/postfix/mysql-sender.*
chmod 640 /etc/postfix/mysql-sender.*

We create the file /etc/postfix/mysql-client.cf.

vi /etc/postfix/mysql-client.cf

It is used to blacklist or whitelist clients by their connection (IP/domain):

user = postfix
password = *****
hosts = localhost
dbname = postfix
query = SELECT access FROM postfix_access WHERE source='%s' AND type='client'

We secure this file:

chown postfix /etc/postfix/mysql-client.*
chmod 640 /etc/postfix/mysql-client.*

We create the file /etc/postfix/mysql-sasl-sender-check.cf.

vi /etc/postfix/mysql-sasl-sender-check.cf

It specifies the addresses that users authenticated through SASL may use as MAIL FROM:

user = postfix
password = *****
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s'

Note that we query the alias table. It is indeed the best place to learn a user's MAIL FROMs, because a valid MAIL FROM must be a valid address for that user (hence one of their aliases).

We secure this file:

chown postfix /etc/postfix/mysql-sasl-sender-check.*
chmod 640 /etc/postfix/mysql-sasl-sender-check.*
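To make the mismatch check concrete, here is an added shell emulation (written for this page, not the tutorial's or Postfix's own code) of how reject_authenticated_sender_login_mismatch uses the alias lookup above; the alias map is a constructed text stand-in for the SQL table and the addresses in it are sample values.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a plain-text emulation of
# what reject_authenticated_sender_login_mismatch does with the lookup above.
# Postfix looks the MAIL FROM address up in smtpd_sender_login_maps (here the
# query SELECT goto FROM alias WHERE address='%s') and rejects the mail when
# the SASL login name is not among the addresses returned in "goto".

# Constructed stand-in for the alias table: "address goto" per line, where
# goto may hold several comma-separated targets as in the PostfixAdmin schema.
ALIAS_MAP=$(mktemp)
cat > "$ALIAS_MAP" <<'EOF'
user@starbridge.org   user@starbridge.org
sales@starbridge.org  user@starbridge.org,boss@starbridge.org
boss@starbridge.org   boss@starbridge.org
EOF

# sender_login_ok LOGIN MAILFROM MAPFILE: succeed if LOGIN owns MAILFROM.
# Comparison is case-insensitive. Simplification: real Postfix also tries
# partial keys such as @domain; this emulation only looks up the full
# address, which is what the tutorial's query selects on.
sender_login_ok() {
    awk -v login="$1" -v from="$2" '
        BEGIN { login = tolower(login); from = tolower(from); ok = 0 }
        tolower($1) == from {
            n = split(tolower($2), owners, ",")
            for (i = 1; i <= n; i++) if (owners[i] == login) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$3"
}

# Sample decisions: own address, a shared alias the user owns, and a
# colleague's address the user does not own.
for pair in "user@starbridge.org user@starbridge.org" \
            "user@starbridge.org sales@starbridge.org" \
            "user@starbridge.org boss@starbridge.org"; do
    set -- $pair
    if sender_login_ok "$1" "$2" "$ALIAS_MAP"; then
        echo "login $1, MAIL FROM:<$2>: accepted"
    else
        echo "login $1, MAIL FROM:<$2>: rejected (sender login mismatch)"
    fi
done
```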

We create the file /etc/postfix/our_domain_as_sender.

vi /etc/postfix/our_domain_as_sender

It specifies the domains allowed as MAIL FROM for internal users authenticated by their IP (in our configuration, local clients may send a local email without authenticating):

starbridge.org    OK

We postmap this file:

postmap /etc/postfix/our_domain_as_sender

Finally we create the file /etc/postfix/not_our_domain_as_sender.

vi /etc/postfix/not_our_domain_as_sender

It specifies the domains refused as MAIL FROM for external, unauthenticated users (that is, someone outside sending us a mail). If they use one of our domains in the MAIL FROM, the message is refused:

starbridge.org    554 You are not in our domain

We postmap this file:

postmap /etc/postfix/not_our_domain_as_sender

We create the tables in question:

mysql -u root -p
use postfix;
CREATE TABLE `postfix_hello` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `source` varchar(128) NOT NULL default '',
  `access` varchar(128) NOT NULL default '',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;
INSERT INTO `postfix_hello` (`source`, `access`) VALUES ('starbridge.org', 'REJECT you are not me');
CREATE TABLE `postfix_access` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `source` varchar(128) NOT NULL default '',
  `access` varchar(128) NOT NULL default '',
  `type` enum('recipient','sender','client') NOT NULL default 'sender',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;
INSERT INTO `postfix_access` (`source`, `access`, `type`) VALUES ('yahoo.com', 'OK', 'client'), ('[email protected]', '554 Spam not tolerated here', 'sender');

Take note of the INSERT on the postfix_hello table and change it for your domain.

We reload postfix:

postfix reload

We check the logs and test. We inserted blacklist and whitelist examples; all the details of how this works are in the mail server management document. PhpMyAdmin can be used to manage these SQL tables.

Header, Body and MIME type checks by Postfix

Postfix can check incoming mail very simply by analysing the header, the body and the MIME type of attachments. This kind of blocking is very effective and faster than leaving the work to Amavisd or SA, but lacks flexibility. It is nevertheless very effective for blocking certain file types, for example, without the mail being sent to the server and then processed (saving bandwidth and CPU). However, too many rules combined with heavy traffic would have the opposite effect on performance, so these rules must be used with care.

We create the required files:

cd /etc/postfix/
wget http://www.starbridge.org/spip/doc/Procmail/postfix/body_checks.cf
wget http://www.starbridge.org/spip/doc/Procmail/postfix/header_checks.cf
wget http://www.starbridge.org/spip/doc/Procmail/postfix/mime_headers_checks.cf

We edit /etc/postfix/main.cf and add the lines:

header_checks = regexp:/etc/postfix/header_checks.cf
body_checks = regexp:/etc/postfix/body_checks.cf
mime_header_checks = regexp:/etc/postfix/mime_headers_checks.cf

We reload postfix:

postfix reload

We test by sending a normal mail, then another containing one of the words or types blocked by these rules. The block is immediate and shows up as an error returned at sending time.
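As an added example (written for this page, not from the tutorial or from Postfix), the shell script below emulates how Postfix applies a regexp: table such as mime_header_checks to the lines of a message, so the rule format can be tried without a mail server; the rules, the message fragments and the rejection texts are all constructed samples.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a small emulation of how
# Postfix applies a regexp: table such as header_checks / mime_header_checks.
# Each table line is "/pattern/ ACTION text"; Postfix tests every header line
# against the rules in order, case-insensitively by default, and the first
# matching rule decides. Rule flags (/pattern/i and the like) are not handled.

# Constructed sample rules, in the same format as the tutorial's *_checks.cf.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
# executable attachments are rejected before the body is even queued
/^Content-(Disposition|Type):.*name=.*\.(exe|scr|pif|bat|com)/ REJECT Executable attachments are not accepted here
/^Subject:.*\[ADV\]/ REJECT Unsolicited advertising is not accepted
/^X-Mailer:.*Bulk Mailer/ HOLD Bulk mailer detected
EOF

# first_match RULES FILE: print the action of the first rule matching a line
# of FILE (feed it the header block or a MIME part header), or OK if none.
first_match() {
    rules=$1
    while IFS= read -r hdr; do
        [ -n "$hdr" ] || continue
        while IFS= read -r rule; do
            case "$rule" in ''|'#'*) continue ;; esac
            pat=${rule#/}; pat=${pat%%/ *}      # text between the slashes
            act=${rule#*/ }                      # everything after the closing "/ "
            if printf '%s\n' "$hdr" | grep -Eiq -- "$pat"; then
                printf '%s\n' "$act"
                return 0
            fi
        done < "$rules"
    done < "$2"
    echo OK
}

# Constructed messages: a clean header block and a MIME part header
# carrying an .exe attachment.
CLEAN=$(mktemp); EXE=$(mktemp)
cat > "$CLEAN" <<'EOF'
From: user@starbridge.org
To: boss@starbridge.org
Subject: quarterly report
EOF
cat > "$EXE" <<'EOF'
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
EOF

echo "clean message: $(first_match "$RULES" "$CLEAN")"
echo "exe attachment: $(first_match "$RULES" "$EXE")"
```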

Installing Amavisd

We install the prerequisites:

aptitude install libdb4.4-dev

We start CPAN in the console:

perl -MCPAN -e shell

If this is the first time, we accept the defaults for the questions it asks to configure the interface. Then we update CPAN and install the modules:

install Bundle::CPAN
reload cpan
install Archive::Zip
install Convert::TNEF
install Convert::UUlib
install Net::Server
install Time::HiRes
install Unix::Syslog
install BerkeleyDB
install Mail::Sendmail
install Email::Valid
install Mail::DKIM
install MIME::Charset
install MIME::EncWords

We also install the required tools (the decoders) if they are not already installed:

aptitude install file libcompress-bzip2-perl nomarch arc p7zip-full arj zoo lzop tnef pax cabextract

It is also very important to install RAR from the rarlabs site; follow the installation instructions on the site.

Download the sources from amavisd:

cd ~
wget http://www.ijs.si/software/amavisd/amavisd-new-2.6.0.tar.gz
tar xvzf amavisd-new-2.6.0.tar.gz
cd amavisd-new-2.6.0

Create the amavis user and group:

addgroup amavis
adduser --disabled-password --home /var/amavis --ingroup amavis amavis

Create the subdirectories in amavis's home:

mkdir /var/amavis/tmp /var/amavis/var /var/amavis/db /var/amavis/home
chown -R amavis: /var/amavis

Oncre2lecteurtmpfspourhbergerlesrpertoiresdbettmpdamavis.Celaaccrotnotablement lesperformancedetraitement: Modifier/etc/fstab: tmpfs/var/amavis/dbtmpfsrw,size=10m,mode=700,uid=amavis,gid=amavis00 tmpfs/var/amavis/tmptmpfsrw,size=150m,mode=700,uid=amavis,gid=amavis00

Note:Latailledeceslecteurstmpfsestmodifierselonlachargeduserveur,laconfigurationet biensurlaquantitdeRAMdisponible.Poursimplifier/var/amavis/tmpestdpendantdunombre dinstancesdamavisdetdelataillemaximaledunmessage.Lesparamtresmisicisontokpour5 instancesetunmessage_size_limitde10Mo,cequiestlargementsuffisantdanslaconfigpar dfautdamavisd(2instances) Puis: mount /var/amavis/tmp mount /var/amavis/db onvrifieparunmount -l Copierlexcutable: cp amavisd /usr/local/sbin/ chown root /usr/local/sbin/amavisd chmod 755 /usr/local/sbin/amavisd Copierlefichierdeconf: cd /etc/ wget http://www.starbridge.org/spip/doc/Procmail/amavisd/amavisd.conf chown root:amavis /etc/amavisd.conf chmod 640 /etc/amavisd.conf

Crerlaquarantaine: mkdir /var/virusmails chown amavis:amavis /var/virusmails chmod 750 /var/virusmails

The /etc/amavisd.conf configuration file supplied here has been modified to fit our needs. Obviously, the file must still be edited to set your local network in @mynetworks, your domain with $mydomain and your hostname with $myhostname:

$daemon_user = 'amavis';
$daemon_group = 'amavis';
$mydomain = 'starbridge.org';
$myhostname = 'spike.starbridge.org';
$MYHOME = '/var/amavis';
$log_level = 2;
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/24 );
$virus_admin = "admin\@$mydomain";   # notifications recip
$banned_admin = "admin\@$mydomain";
$inet_socket_port = [10024, 10026];
# forward_method => 'smtp:[127.0.0.1]:10027',

For information, these are the main parameters that were changed in the supplied file.

We temporarily disable the antispam and antivirus for testing by uncommenting these lines (at the start of the configuration file):

@bypass_virus_checks_maps = (1);
@bypass_spam_checks_maps = (1);

Start amavisd in the console to see whether prerequisites are missing:

/usr/local/sbin/amavisd debug

Note any errors. If amavisd does not start, stop it and fix the problems. If everything is fine, stop amavisd with CTRL+C.

We configure Postfix. We add at the end of master.cf:

smtp-amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n - y - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks

and, still in master.cf, we modify the port 587 section like this:

587 inet n - - - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_etrn_restrictions=reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

(we actually only add the content_filter line.) This last change lets us use a separate amavisd configuration for users connecting through SASL from outside. Those users are outside our LAN and are therefore not considered local by amavisd (MYNETS for amavisd).

By specifying an additional listening port for amavisd (10026), we connect with the configuration of the ORIGINATING policy bank, which by default carries the originating tag like the MYNETS policy bank, letting amavisd know that the client is trusted. Users authenticated through SASL from outside the LAN and LAN users (SASL-authenticated or not) will therefore be treated the same way. (Note that amavisd's behaviour can be adjusted very precisely this way; see the next article on the subject.)

We now edit main.cf and add:

content_filter = smtp-amavis:[127.0.0.1]:10024

Reload postfix:

postfix reload

Watch the logs:

tail -f /var/log/mail.log

If everything is fine, start amavisd in debug mode again:

/usr/local/sbin/amavisd debug

and type in the console:

telnet 127.0.0.1 10024

It should answer:

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready

quit to leave.

Same thing to test the return path to Postfix:

telnet 127.0.0.1 10025

It should answer something like:

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 spike.starbridge.org ESMTP Postfix (Debian/GNU)

QUIT to leave (in capitals).

If the connections are fine, test the basic operation (what must be typed is preceded by >, the rest is the server's reply):

> telnet localhost 10024
220 [127.0.0.1] ESMTP amavisd-new service ready
> HELO localhost
250 [127.0.0.1]
> MAIL FROM:
250 2.1.0 Sender OK
> RCPT TO:
250 2.1.5 Recipient OK
> DATA
354 End data with <CR><LF>.<CR><LF>
> From: virus tester
> To: undisclosed-recipients:;
> Subject: amavisd test simple no spam test pattern
> This is a simple test message from the amavisd-new test messages.
> .
250 2.6.0 Ok, id=30897-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 079474CE44
> QUIT
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel

The Postfix/amavisd round trip works!

(amavisd's debug mode can be stopped with CTRL+C)

Installing Clamav

Prerequisites:

aptitude install zlib1g zlib1g-dev libgmpxx4ldbl libgmp3-dev

Note: on Etch, aptitude reports that no package matches libgmpxx4ldbl. This is normal, it is a Lenny package; ignore it.

We compile from source:

cd ~
wget http://mesh.dl.sourceforge.net/sourceforge/clamav/clamav-0.93.tar.gz
tar xvzf clamav-0.93.tar.gz
cd clamav-0.93
./configure --sysconfdir=/etc --with-user=amavis --with-group=amavis --with-dbdir=/var/lib/clamav
make
make install
ldconfig
mkdir /var/run/clamav
chown -R amavis: /var/run/clamav
chmod -R 750 /var/run/clamav
mkdir /var/lib/clamav
chown -R amavis: /var/lib/clamav
chmod -R 770 /var/lib/clamav

We update the configuration files:

cd /etc
mv clamd.conf clamd.conf.orig
mv freshclam.conf freshclam.conf.orig
wget http://www.starbridge.org/spip/doc/Procmail/clamd.conf
wget http://www.starbridge.org/spip/doc/Procmail/freshclam.conf

We edit the amavis user's crontab to schedule the antivirus database update:

crontab -e -u amavis

and add:

0 0,6,12,18 * * * /usr/local/bin/freshclam --log-verbose

Create:

mkdir /var/log/clamav
chown -R amavis:amavis /var/log/clamav

Create a file /etc/init.d/clamd:

cd /etc/init.d/
wget http://www.starbridge.org/spip/doc/Procmail/clamd
chmod 755 /etc/init.d/clamd
update-rc.d clamd defaults

We update the virus database:

freshclam

We check that the files are present in the directory:

ls -la /var/lib/clamav

We start clamd:

/etc/init.d/clamd start

And we check the logs:

tail -f /var/log/clamav/clamd.log

And we make sure Clam is running:

ps aux | grep clam

We test the operation (the "test" directory is inside the clamav-0.93 directory):

cd /root/clamav-0.93/test/
clamdscan -l scan.txt clam-x.yz

clam-x.yz being one of the test files present in the test directory.

Installing additional signatures for Clam (spam and phishing detection, etc.)

These are extra files placed in the /var/lib/clamav directory:

aptitude install curl rsync
mkdir /var/tmp/clamdb
chown amavis: /var/tmp/clamdb
chmod 770 /var/tmp/clamdb
cd /usr/sbin
wget http://www.starbridge.org/spip/doc/Procmail/usr/sbin/UpdateSaneSecurity.sh
chmod 755 UpdateSaneSecurity.sh

We run the script:

su -c '/usr/sbin/UpdateSaneSecurity.sh' amavis

Warning: the script takes 5 minutes to run.

We check that the files are present in clam's directory:

ls -l /var/lib/clamav

The following files should be found in addition to the usual ones:

MSRBL-Images.hdb
MSRBL-SPAM.ndb
phish.ndb
phish.ndb.gz
scam.ndb
scam.ndb.gz

We create a cron job to update these files:

crontab -e -u amavis

5 */4 * * * /usr/sbin/UpdateSaneSecurity.sh

Installing ClamdMon to monitor the clam daemon

Install the monitoring script supplied in the clam sources:

cd /root/clamav-0.93/contrib/clamdmon
tar xvzf clamdmon-1.0.tar.gz
cd clamdmon-1.0
make
make install

We edit /usr/local/sbin/clamdmon.sh like this:

#!/bin/sh
/usr/local/sbin/clamdmon -p /var/run/clamav/clamd.ctl && (killall clamd; sleep 5; killall -9 clamd; sleep 1; /usr/local/bin/freshclam; sleep 1; /usr/local/sbin/clamd)

Edit root's crontab:

crontab -e

then paste:

*/5 * * * * /usr/local/sbin/clamdmon.sh

Spamassassin

We install SA through CPAN:

perl -MCPAN -e shell
o conf prerequisites_policy ask
install HTML::Parser
install LWP
install IO::Zlib
install Archive::Tar
install DB_File
install Net::SMTP
install Net::DNS
install Net::DNS::Resolver::Programmable
install Error
install NetAddr::IP
install IP::Country::Fast
install Mail::SPF
install DBI
install DBD::mysql
force install Encode::Detect
force install Mail::SpamAssassin

The DBD::mysql installation may end with an error (make test fails). In that case force the install by adding force in front of the install command.

SA is installed. Its basic configuration is done in /etc/mail/spamassassin/local.cf, but for most parameters the amavisd.conf file takes precedence. When Amavisd is used to call SA there is no need to start spamd.

We edit /etc/mail/spamassassin/local.cf like this:

lock_method flock
required_score 4.3
rewrite_header Subject *****SPAM*****
report_safe 0
clear_internal_networks
clear_trusted_networks
# trusted_networks must ALWAYS contain the same entries as internal_networks.
# Additional trusted networks may be added to this parameter.
internal_networks 82.239.58.131 10.0.0/24 192.168.1/24
trusted_networks 82.239.58.131 10.0.0/24 192.168.1/24
use_bayes 1
bayes_auto_expire 0
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:spam:localhost
bayes_sql_username spam
bayes_sql_password *****
bayes_sql_override_username amavis
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 7.0
#use_auto_whitelist 0
auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn DBI:mysql:spam:localhost
user_awl_sql_username spam
user_awl_sql_password *****
skip_rbl_checks 0
dns_available yes
## Optional Score Increases
score BAYES_99 4.300
score BAYES_80 3.000
score MISSING_MIMEOLE 0.501 0.501 0.241 0.200
score BAYES_60 0 0 2.502 2.502
score NO_RELAYS 3.2

internal_networks and trusted_networks are very important parameters for detection accuracy; they absolutely must be configured correctly.

We secure the file:

chown amavis: /etc/mail/spamassassin/local.cf
chmod 640 /etc/mail/spamassassin/local.cf

SA works with two kinds of tests:

Heuristics (a set of rules)
Bayesian (learning and statistics)

For the Bayesian filter, we will install the database directly in a MySQL database. Performance is better and various limitations are avoided.

We create the database:

mysql -u root -p
create database spam;
GRANT SELECT, INSERT, UPDATE, DELETE ON spam.* TO 'spam'@'localhost' IDENTIFIED BY '*****';
FLUSH PRIVILEGES;
quit

We import the SQL database:

wget http://starbridge.org/spip/doc/Procmail/spamassassin/bayes_awl.sql
wget http://spamassassin.apache.org/gtube/gtube.txt
mysql -u root -p spam < bayes_awl.sql

We initialise the database:

su amavis -c 'sa-learn -D --spam gtube.txt'

phpmyadmin can be used to check that the database has been filled.

To improve performance, the "opportunistic (automatic) Bayes auto-expiry" was disabled by setting "bayes_auto_expire 0" in /etc/mail/spamassassin/local.cf. A daily cron job must therefore be created to perform the expiry; a crontab for the amavis user will do:

crontab -e -u amavis

and add:

16 3 * * * /usr/local/bin/sa-learn --sync --force-expire

The AutoWhitelist was enabled in SA. Unlike Bayes, the AWL has no expiry mechanism to keep the database from growing indefinitely.

So we create a script that cleans the tables regularly:

cd /etc/
wget http://www.starbridge.org/spip/doc/Procmail/spamassassin/SAawl-purgesql

then we create a cron job:

crontab -e -u amavis

and add:

25 4 * * * /usr/bin/mysql -u spam -p'******' spam