Mail server

Postfix MTA updated to fix security vulnerabilities such as incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root. This update has been rated as having moderate security impact.

All users of postfix should upgrade to these updated packages.

How do I patch Postfix under Debian / Ubuntu Linux?

First, update the internal database, enter:
# apt-get update
Install corrected Postfix package, enter:
# apt-get upgrade

How do I patch Postfix under RHEL / CentOS Linux?

Type the following command under RHEL / CentOS 5.x:
# yum update
Type the following command under RHEL # up2date -u

Traditionally you use the “sendmail -q” command to flush mail queue under Sendmail MTA. Under Postfix MTA, just enter the following command to flush the mail queue:
# postfix flush
OR
# postfix -f

To see mail queue, enter:
# mailq

To remove all mail from the queue, enter:
# postsuper -d ALL

To remove all mails in the deferred queue, enter:
# postsuper -d ALL deferred

postfix-delete.pl script

Following script deletes all mail from the mailq which matches the regular expression specified as the first argument (Credit: ??? – I found it on old good newsgroup)

#!/usr/bin/perl
 
$REGEXP = shift || die "no email-adress given (regexp-style, e.g. bl.*\@yahoo.com)!";
 
@data = qx</usr/sbin/postqueue -p>;
for (@data) {
  if (/^(\w+)(\*|\!)?\s/) {
     $queue_id = $1;
  }
  if($queue_id) {
    if (/$REGEXP/i) {
      $Q{$queue_id} = 1;
      $queue_id = "";
    }
  }
}
 
#open(POSTSUPER,"|cat") || die "couldn't open postsuper" ;
open(POSTSUPER,"|postsuper -d -") || die "couldn't open postsuper" ;
 
foreach (keys %Q) {
  print POSTSUPER "$_\n";
};
close(POSTSUPER);

For example, delete all queued messages from or to the domain called fackspamdomain.com, enter:
./postfix-delete.pl fackspamdomain.com
Delete all queued messages that contain the word “xyz” in the e-mail address:
./postfix-delete.pl xyz

Updated for accuracy.

Postfix provides Mime header check for all incoming messages. You can put restrictions on .exe / .bat / .vbs files and block all attachments.

mime_header_checks directive allows you to define file, you will place a restriction for any file extensions that you do not want to have passing through your mail sever system.

On most mail server the first thing that needs to be done is to enable header checks and block dangerous files.

Define mine header checks

Open main.cf file:
# vi /etc/postfix/main.cf
Append / set mime_header_checks directive as follows:
mime_header_checks = regexp:/etc/postfix/mime_header_checks

Save and close the file.

Block attachments

Now open /etc/postfix/mime_header_checks file:
# vi /etc/postfix/mime_header_checks
Append following line:
/name=[^>]*\.(bat|com|exe|dll|vbs)/ REJECT
Save and close the file.

Restart postfix

First create postfix lookup table for mime_header_checks file:
# /etc/init.d/postfix restart

Watch log file

You should see rejected mail log in /var/log/maillog file:
# tail -f /var/log/maillog
Output:

Jun 20 14:28:06 server postfix/smtpd[5442]: connect from web31601.mail.mud.yahoo.com[68.142.198.147]
Jun 20 14:28:07 server postfix/smtpd[5442]: 245F913906EE: client=web31601.mail.mud.yahoo.com[68.142.198.147]
Jun 20 14:28:07 server postfix/cleanup[5492]: 245F913906EE: message-id=
Jun 20 14:28:07 server postfix/cleanup[5492]: 245F913906EE: reject: header Content-Type: application/x-msdos-program; name="updatebankdetails.bat" from web31601.mail.mud.yahoo.com[68.142.198.147]; from= to= proto=SMTP helo=: Message content rejected

For more information please read postfix and header_checks man page.

Librenix has a posted small and sweet article that explains basic steps to configure and install a mail server with antivirus / antispam in minutes.

From the article:
This article illustrates a situation where you need to set up your own mail server (be it your home mail server, or a small office one). It actually shows that, if using an integrated service mail server, anyone can do the job, all in a matter of minutes.
AXIGEN Mail Server, the solution chosen for this example, can send and receive e-mails securely via “mydomain.com” and is able to retrieve them in a WebMail interface – this means that it includes all mail services needed for a fully functional mail server (SMTP, IMAP, POP3, WebMail, WebAdmin).

To get an idea of the amount of time you can spare by installing such a solution, just think of all the different open source applications you would need to install instead (i.e. an MTA, Squirrelmail for Webmail, QmailAdmin for web configuration, Courier for IMAP and POP3 and many others.)

=> Install a Mail Server with Antivirus and Antispam in minutes

You can send email with attachment via shell script or at shell prompt/command line using mutt or mail command. This will not hide your IP address.

To send anonymous email from shell prompt use Mixmaster, which is the type II remailer protocol and the most popular implementation of it.

Remailers provide protection against traffic analysis and allow sending email anonymously or pseudonymously. Mixmaster consists of both client and server installations and is designed to run on several operation systems including but not limited to *BSD, Linux and Microsoft Windows.

This article explains how to install mixmaster and how to use it to send email, in an anonymous and secure fashion:

An anonymous remailer is a computer service that privatizes your email. A remailer allows you to send electronic mail to a Usenet news group or to a person without the recipient knowing your name or your email address. Anonymous remailers provide protection against traffic analysis.

This package provides both a client and an optional server installation.

=> Using mixmaster to send anonymous email


Address rewriting allows changing outgoing email ID or the domain name itself. Useful for hiding out internal user names, especially shell users on Linux and Unix boxes. For example:
» SMTP user/shell user: tom-01
» EMAIL ID: tom@domain.com
» Server name (FQDN): server01.hosting.com
However, when tom-01 send an email from shell prompt, cron job or using php, it looks like it was sent from tom-01@server01.hosting.com. In some cases, internal hosts have no valid Internet domain name, and instead, use a name such as localdomain.local or something else. It can be a problem when you want to send mail over the Internet because many mail servers reject mail addresses with invalid domain names to avoid spam. Another valid case is where your email routed using a smarthost such as AWS SES. A smarthost is an email server in the cloud or at ISP datacenter via which we can send emails and have them forwarded on to the email recipients’ email servers.
[continue reading…]

Email filtering is an essential task. There are many methods like:
=> Bayesian spam filtering
=> SpamAssassin/DSPAM programs
=> Check open relay using RBL etc

Now ORDB.org is shutting down its operation. ORDB is quite effective and I use this list against all of email servers. Spammers still use 3rd party servers and desktop computers so that they could minimize or avoid detection by re-routing their e-mail through these third party e-mail servers.

According to their home page:
We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin). DNS and the mailing lists will vanish today, December 18, 2006.

Generally, I use following sequence while configuring anti-spam
reject_rbl_client relays.ordb.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net

These services blocks thousands of spam everyday before hitting email server and Spam Assassin. Indeed a bad news for mail server admins!