# uname -a

Switch

mercredi 30 septembre 2015

STOP aux adresses gmail, yahoo, hotmail dans les communications professionnelles

Ceci est juste un billet d’humeur sur quelque chose que je trouve de plus en plus exaspérant : la recrudescence des aderses Gmail, Yahoo, ou Microsoft dans des emails soit-disant sérieux, professionnels, etc.

PME, syndicats, gouvernements, fédérations politiques, arrêtez d’utiliser des fournisseurs d’emails grand public, et assumez votre marque ! Vous ne voudriez pas avoir la publicité de votre imprimeur au verso de tous vos tracts ? Alors ne faites pas pareil avec les mails.

Donc NON, ce n’est pas acceptable, à part si vous êtes un particulier, d’avoir une adresse mail en @gmail.com, @yahoo.com ou @outlook.com. En faisant cela vous démontrez :

  • Votre méconnaissance et/ou votre amateurisme le plus total dans l’utilisation des NTIC.
  • Qu’aucun de vos amis, agences de com, ou conseillers n’a de connaissances solides sur le sujet (ça fait flipper hein ?).
  • Que vous aimez tellement les américains que vous êtes prêt à leur transmettre tous vos emails.
  • Que vous êtes radin au point de ne pas dépenser les 30 euros nécessaires pour obtenir un nom de domaine et une boîte mail chez un registrar.

Avoir une adresse contact@monentreprise.com c’est compliqué ? Non, ça prend 20 minutes maximum pour peu que vous sachiez comment s’appelle votre entreprise.

En bonus, le mail que j’ai reçu ce matin :

wtf-service-civique.png

Bordel de merde.

samedi 29 août 2015

Postfix : configure postmaster, hostmaster, and abuse catchall for RFC compliance

This short howto will show you how to set up a catchall for common required email addresses. Some mail servers are testing if mail is accepted on this addresses to detect spammymail servers. Hostmaster address can also be used for domain Trading, to check the ownership of the domain.

1. Create a file named /etc/postfix/regexp-catchall.cf with the following content:

# Catchall to comply with RFC standards
/^postmaster@/    youshouldreadit@mydomain.com
/^hostmaster@/    youshouldreadit@mydomain.com
/^abuse@/         youshouldreadit@mydomain.com

Replace youshouldreadit@mydomain.com with a mail address you actually read.

2. Open /etc/postfix/main.cf and locate (or create) the line virtual_alias_maps, and add at the end regexp:/etc/postfix/regexp-catchall.cf, for instance:

virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, regexp:/etc/postfix/regexp-catchall.cf

3. Restart Postfix.

Warning : read comment #4 for issues with this setup.

vendredi 13 mars 2015

Configure sender rate limits to prevent spam, using cluebringer (policyd) with Postfix

This small how-to will show you how to configure cluebringer (aka policyd) to set a per-hour/per-user limit for sent mails. Note that sending to multiple recipient will count like multiple mails were sent.

This how-to is Debian-oriented but should apply to any unix operating system.

Lire la suite...

samedi 1 février 2014

Configure Postfix as standalone single-domain SMTP server using Unix users and PAM on Debian

Here is a quick setup to configure Postfix mail server, using existing Unix users.

The server will process mails for only one domain, and every existing user on the server will have a mail box inside his home directory.

Abstract

Postfix is an SMTP server, it receives incoming mail from other SMTP servers, and allows client to send mails to other SMTP servers.

What we don't want is an open mail relay. A mail relay is a SMTP server that take anything from any client, and send it to any SMTP server. We only want trusted users to send emails, to prevent anonymous clients from sending spam.

Incoming mail will be processed either if :

  • The domain name of one of the recipient matches the mail server domain, and the mail user name is also a system user (SMTP servers can send us incoming mails).
  • The client who tries to sends the mail has successfully authenticated.

Postfix authentication for clients can be handled by SASL. SASL is a standard protocol to provide an authentication layer. It can query PAM, or other authentication providers (MySQL users, etc).

Notes :

  • We will use PAM for Unix users SMTP authentication.
  • Unix users are stored in /etc/passwd and their passwords are stored in /etc/shadow.
  • Mails will be stored in the ~/Maildir/ of each users, in Maildir format.

Postfix : installation and configuration

Install Postfix : apt-get install postfix

Answer the questions during installation to setup your mail domain (the "example.com" in user@example.com).

Modify config files :

/etc/postfix/main.cf :

Configure TLS and Maildir :

# TLS parameters
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = example.com, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +

home_mailbox = Maildir/

# These are the "no relay" restrictions
smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated reject_unauth_destination

/etc/postfix/master.cf :

Enable TLS and alternate (submission) ports :

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

SASL : installation and configuration

SASL plugin for Postfix (Cyrus) is part of the dependencies of Postfix server.

Install SASL administration tools : apt-get install sasl2-bin

Enable SASL daemon at startup : edit /etc/default/saslauthd and switch START to yes.

Start it manually for the first time : service saslauthd start

Enable PAM authentication for SASL

Check that PAM is part of the MECHANISMS variable in /etc/default/saslauthd :

MECHANISMS="pam"

Create /etc/pam.d/smtp :

#
# /etc/pam.d/smtp - specify PAM SMTP behavior
#

@include common-auth
@include common-account
@include common-password
@include common-session

Enable SASL for Postfix

Add to /etc/postfix/main.cf :

smtpd_sasl_auth_enable = yes

Create /etc/postfix/sasl/smtpd.conf :

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Adjust OPTIONS in /etc/default/saslauthd :

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Add postfix user to sasl group :

adduser postfix sasl

Configuration check

Restart all services (postfix, salsauthd).

Try authentication using SASL : testsaslauthd -u user -p password

Try authentication from command line, without mail client : https://qmail.jms1.net/test-auth.shtml

Try SMTP reception by sending mail to your domain (your MX fields in domain has to be configured accordingly).

Sources

page 2 de 2 -