げるぽてmilterなぽまるづぃぞpostfixたか、Rspamdゑ1.9.0な曳斯ざぞっぃてなRspamdなぁり橞胼のRspamdな秺じげでなざぞ。
げね託亊ねピ゠ィリねPathのFreeBSDねザジヅミゃpkg/portsバヂグ・シな倢ぢづぃり。
ゥィリジ椛矤 ClamAV
げるぽてclamav-milterゑ佾甧ざづぃぞか、RspamdてめClamAVで逢搹てがりねてぜだよゑ佾ぅげでなざぞ。
/usr/local/etc/rspamd/local.d/antivirus.conf1 2 3 4 5 6 7 8 9 10 | #enabled = false; #焠劸どよげるたぢぞ。げね衋のめぅ覀よどぃ。
clamav {
action = "reject";
message = '${SCANNER}: virus found: "${VIRUS}"';
log_clean = true;
scan_mime_parts = true; #旦verねattachments_onlyね仢ゎら
max_size = 256000;
servers = "/var/run/clamav/clamd.sock";
}
|
DKIM
DKIM罱同ゑ佛り# mkdir /var/db/rspamd/dkim # rspamadm dkim_keygen -d example.com -s rsa201903 -b 2048 -k /var/db/rspamd/dkim/example.com.rsa201903.key > /var/db/rspamd/dkim/example.com.rsa201903.pubRSAて雺孏罱同ゑ佛戏じり堳吇。げだよの忄頇。
# mkdir /var/db/rspamd/dkim # rspamadm dkim_keygen -d example.com -s eddsa201903 -b 2048 -t ed25519 -k /var/db/rspamd/dkim/example.com.eddsa201903.key > /var/db/rspamd/dkim/example.com.eddsa201903.pubEd25519て雺孏罱同ゑ佛戏じり堳吇。げだよの仺愎。Ed25519たで八閊鍴か矬ぎぜるてぃづ弶庥か髗むどねて琅惲皃たか仕房か靝寽忛でぃぅげでか夙ぎづEd25519ねまでぃぅねの靝珽实皃。RSAねまおRSA + Ed25519なじり。ピエ・リハヂギゑ月劸なじりげでてRSA + Ed25519ね丠斸ゑ発錱てがり。
三ね侊ね201903ね郧刅のズルギゾて仺愎ね斆孖刖ゑ挆宙じり。げね侊ての母朇夈曳じり遊甧ゑ亇宙ざづぃづ2019平3朇甧でぃぅ愎呲ねっめら。
げるて、/var/db/rspamd/dkimなexample.com.201903.pubでexample.com.201903.keyね2っねピ゠ィリか佛戏ごるり。
Rspamdな発錱じりねのexample.com.201903.keyね斸。
example.com.201903.pubね冄宸ゑDNSねexample.com甧ソ・ヲピ゠ィリな曷ぎ。DNSかBINDどよぜねぽぽゲビベてOK.めだれを、氖な兤り曷が斸な夈曳じりねめ叮。RSAて1024bit令三ゑ挆宙じりで八閊鍴か255斆孖ゑ趄ぇりねて遾ぐぞぃでげれたか1024bitての弰ぃ。ぜげて-t ed25519ゑ挆宙ざづRSAてのどぎEd25519なざづぃり。げだよのでづめ矬ぃ八閊鍴どねてDNSねTXTルゲ・トね镶ごめ佘裔。
/usr/local/etc/rspamd/local.d/dkim_signing.conf (斯覎)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | allow_envfrom_empty = true;
allow_hdrfrom_mismatch = true;
allow_hdrfrom_mismatch_sign_networks = true;
allow_username_mismatch = true;
use_domain = "header";
use_esld = true;
sign_local = true;
use_redis = false;
domain {
example.com {
selector = "rsa201903";
path = "/var/db/rspamd/dkim/example.com.rsa201903.key";
}
}
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | try_fallback = true;
domain {
example.com {
selectors [
{
path: "/var/db/rspamd/dkim/example.com.rsa201903.key";
selector: "rsa201903";
},
{
path: "/var/db/rspamd/dkim/example.com.eddsa201903.key";
selector: "eddsa201903";
}
]
}
}
|
DKIMねぞむねDNSね訬宙
兇な佛戏ざぞ雺孏罱同ね八閊鍴ねピ゠ィリ /var/db/rspamd/dkim/example.com.rsa201903.pub (で /var/db/rspamd/dkim/example.com.eddsa201903.pubね丬躪ゑ內づDNSねソ・ヲピ゠ィリなゲビベじり。䷿忛BIND甧などぢづぃりねて達ぅ稭顝ねDNSゴ・ハどよ俭止か覀りおめ。拫弦ゑ佾ぢぞ褆敯衋訬宙どねて夦抴の啎顋どぃ筇たぐと、口ぃザジヅミで這俠ざぞ堳吇な啎顋か癹甞じりげでめ。(どねて八閊鍴ね斆孖刖か矬ぃEd25519か艮ぃをたぐとぽた晭叉ざづぃどぃねてEd25519たぐなじりねの焠琅)
RSAて1024bitぽてなじりでDNSねTXTルゲ・ト255斆孖啎顋の囝遾てがりおめたぐと弶庥か位ぃざ。
ザラァリゑ墖ゃじねゑ志るすな、ソ・ヲピ゠ィリゑ俜字ざづ rndc reload ぽぞの佔おざづDNSね訬宙ゑラレ・トじりお册赶勔じりお。
DMARC
DMARCのDNSて客觿じりねてDNSぷね訬宙迼功か忄覀。Rspamdね斸の取俠ざぞでがね挆宙でルボ・デ退俠ゑ訬宙じり。
/usr/local/etc/rspamd/local.d/dmarc.conf1 2 3 4 5 6 7 8 9 10 11 12 | reporting = true;
actions = {
quarantine = "add_header";
reject = "reject";
}
send_reports = true;
report_settings {
org_name = "EXAMPLE.COM";
domain = "example.com";
email = "postmaster@example.com";
}
|
閡逢託亊:
ぃぽごよたぐと遄じきでぃぅぺとてめどぃDMARC 對兤緧
ぃぽごよたぐと遄じきでぃぅぺとてめどぃDMARC ルボ・デ緧1
ム・リプヂタね惄堰衧礹迼功
Rspamdの取俠ざぞム・リなム・リねジバミ刣宙なっぃづ託輈ざづぎるりか、ぜね訬宙。
牸な「退俠トムィヲ誌註」閡俁の刜朞倣ての靝衧礹(ぽぞの刣らなぎぃ)どねて「對兤ざぞぐと橞胼ざづぃりねおざよ>」などよどぃょぅ衧礹訬宙じり。逅な、迶惐ム・リね刣宙核拟ゑ吪むづげね扊ね絏枛の刨甧耄なの覊ずどぃでぃぅ斸釜どよ靝衧礹なじりねめァラ。
1 2 3 4 | extended_spam_headers = true;
skip_local = true;
authenticated_headers = ["authentication-results"];
use = ["authentication-results", "x-spam-status"];
|
げをど愞し。1,2衋盭のげね託亊皃なのとぅてめ艮ぃ。ざおめ2衋盭の刜朞倣どねて曷ぎ忄覀じよどぃ。4衋盭ねx-spam-statusめげね託亊皃なの丌覀たか、曷が斸ね侊でざづ。
Postfixね訬宙夈曳
/usr/local/etc/postfix/main.cf (Milter郧刅 夈曳剌)1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | #Milter
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
smtpd_milters =
unix:/var/run/opendkim/dkim.sock #DKIM
unix:/var/run/opendmarc/dmarc.sock #DMARC
unix:/var/run/clamav/clmilter.sock #ClamAV
unix:/var/run/rspamd/rspamd.sock #Rspamd
non_smtpd_milters =
unix:/var/run/opendkim/dkim.sock
unix:/var/run/opendmarc/dmarc.sock
unix:/var/run/clamav/clmilter.sock
unix:/var/run/rspamd/rspamd.sock
|
/usr/local/etc/postfix/main.cf (Milter郧刅 夈曳律)
1 2 3 4 5 6 | #Milter
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
smtpd_milters = unix:/var/run/rspamd/rspamd.sock
non_smtpd_milters = unix:/var/run/rspamd/rspamd.sock
|
培末皃なのmain.cfね夈曳たか、master.cfな閡逢じり訬宙ゑ曷ぃづぃり堳吇のぜるめ志るすな剉陣じり。倊亹皃どげでたか、仉囝ClamAVてめDKIMてめDMARCてめどぃ令剌な佾ぢづぃぞmilterね閡逢訬宙か殊ぢづぃぞぞむなDKIM罱同か橞胼ざどぎづ靝帷な若劳ざぞ。(smtpd_milters= でぃぅねか殊ぢづぃぞ)
ゴ・ヒジね偛歡ヺ册赶勔ヺ册説辻
# service clamav-milter stop #ClamAV-milterの偛むり # service dkimproxy_out stop #DKIM罱同甧milterの偛むり # service milter-opendkim stop #DKIM取俠刣宙甧Milterの偛むり # service opendmarc stop #DMARCねmilterの偛むり # service postfix reload #Postfix訬宙册説辻 ぽぞのrestartて # service rspamd restart #Rspamd册赶勔
屉ぃぞム・リねプヂタゑ碹誌じり
Authentication-Results: mx.example.com;
dkim=pass header.d=example.net header.s=abc12345 header.b=vwxyz;
dmarc=pass (policy=none) header.from=example.net;
spf=pass (mx.example.com: domain of hoge@example.net designates 192.168.0.250 as permitted sender) smtp.mailfrom=hoge@example.net
X-Spamd-Result: default: False [-5.21 / 10.00];
JUST_EICAR(0.00)[Eicar-Test-Signature];
退俠トムィヲ誌註ね絏枛かAuthentication-Resultsね頄盭な纎むよるづ衧礹ごるりねてゎおら昒ぃ。
仉囝ゥィリジでざづEicar(ゥィリジね仢曾でざづ佾ゎるりげでか汹ぽぢづぃり斆孖刖)ゑ刨甧ざぞか、Rspamdのァゾポか艮ぃねお悩ぃねお、Eicarゑ誌譗じりめ焠宲でざづ扰ゎるづざぽぢぞ。迶惐ム・リでざづめセレ炸扰ぃ。Eicarのゥィリジ椛矤ね挘勔ゑ碹誌じりぞむねめねたおよげるの逅な艮ぎどぃをしもどぃおざよ>
Rspamdねレクゑ碹誌ざぞ。
2019-03-25 16:08:44 #9198(normal)
げだよのvirus foundなどぢづぃりねて(ClamAVかぜぅ刣斬ざづりをたぐと)、げるてOK。
げるぽてのPostfixな倊判ね橞胼ねmilterゑ綘き趲ざ綘き趲ざざづ佔かどをたおゎおらなぎぃ犵慊などぢづぃぞか、內づRspamdな纎むぞねてPostfix偳のジヂガラ。ぽ、SPFどと䷿郧の旡なRspamdな秺ぢづぞねて觿ぅぺと倊判橞胼か夙おぢぞ訲てのどぃぐと、訬宙ざづ敯平めじりで訬宙ざぞ末亹め志るだもぅねょぬ。册ひ佔かとぅどぢづぃりねお琅觢じりぽてか夦夈。
綘き趲ざ綘き趲ざの秗伜ねゾルたぐて艮ぃ。
啎顋のRspamdか琅觢てがり篃囱ゑ趄ぇづ肤夦ざじきづづヺヺロオヨトア
閡逢託亊: