1
 2
 3
 4
 5
 6
 7
 8
 9
10

# smtp
iptables -A FORWARD -d 172.16.<ID>.20 -p tcp --dport 25 -j ACCEPT
# pop3
iptables -A FORWARD -d 172.16.<ID>.20 -p tcp --dport 110 -j ACCEPT
# imap
iptables -A FORWARD -d 172.16.<ID>.20 -p tcp --dport 143 -j ACCEPT
# imaps
iptables -A FORWARD -d 172.16.<ID>.20 -p tcp --dport 993 -j ACCEPT
# pop3s
iptables -A FORWARD -d 172.16.<ID>.20 -p tcp --dport 995 -j ACCEPT

1
2
3
4

timedatectl set-timezone Asia/Taipei
apt install -y vim tmux htop tcpdump nload net-tools mtr
wget git.io/nella17-tmux-conf -O ~/.tmux.conf
wget https://github.com/nella17/dotfiles/raw/main/.vimrc.simple -O ~/.vimrc

1

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -nodes -days 365 -out /etc/ssl/mail.pem -keyout /etc/ssl/mail.key -subj '/CN=mail.<ID>.nasa'

1
2

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m

1
2
3
4

chmod 640 /etc/dovecot/users
chown root:dovecot /etc/dovecot/users
# generate CRYPT
doveadm pw

1
2
3
4
5

root:{CRYPT}$2y$05$yLzgcv.w7H392bqtNKxkqe50B9Mvve0yg7CqsQpHm.w21EeNB8C6.::::::
log:{CRYPT}$2y$05$RaTYHJbdQu4AnJOBuKBdOurcyntIzDgkj6TNCYdOzMqEOzbClckc6::::::
meow:{CRYPT}$2y$05$0KtIynyJKLeLNA9WSB7VT.3lpREs9C5JybN.OUIXiG9bIWgPHCxuC::::::
ta:{CRYPT}$2y$05$VXK8JKifdLVZ8gPkjQp.KuS14TJTFX/2xkHOHTbEYprchBqoy4KVC::::::
cool-ta:{CRYPT}$2y$05$VXK8JKifdLVZ8gPkjQp.KuS14TJTFX/2xkHOHTbEYprchBqoy4KVC::::::

1
2

find . -type f -exec cp {} {}.bak \;
find . -type f -not -name '*\.bak' -exec diff -U 3 --color {}.bak {} \;

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

@               MX      10 mail
@               TXT     "v=spf1 mx ip4:172.16.<ID>.20 -all"
mail            A       172.16.<ID>.20
mail            TXT     "v=spf1 a -all"
_dmarc          TXT     "v=DMARC1; p=reject; rua=dmarc@<ID>.nasa"
dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
                "p=<DKIM KEY>" ) ;

cert            TXT     (
                            "<CERT in base64>"
                        );

1
2
3
4
5
6

DEBIAN_FRONTEND=noninteractive apt install -y postfix postfix-pcre
# useful commands
postfix reload
service postfix status
journalctl -u postfix
tail +1f /var/log/mail.log

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

compatibility_level = 2
dir = /etc/postfix/maps

biff = no

myhostname = mail.<ID>.nasa
mydomain = <ID>.nasa
myorigin = $mydomain
mydestination = localhost
relayhost =

virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:${dir}/virtual_mailbox
virtual_alias_domains = $myhostname
virtual_alias_maps = pcre:${dir}/virtual_alias-pcre hash:${dir}/virtual_alias-hash
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

sender_canonical_maps = hash:${dir}/sender_canonical
# sender_canonical_classes = envelope_sender, header_sender

# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_client_restrictions = permit_sasl_authenticated check_policy_service inet:127.0.0.1:10023
# reject_unauth_pipelining

# smtpd_sender_restrictions = reject_unknown_sender_domain check_sender_access hash:${dir}/vmailbox reject_sender_login_mismatch
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch check_sender_access hash:${dir}/sender_access
smtpd_sender_login_maps = pcre:${dir}/sender_login
smtpd_recipient_restrictions = permit_mynetworks permit_auth_destination

smtpd_tls_cert_file = /etc/ssl/mail.pem
smtpd_tls_key_file = /etc/ssl/mail.key
smtpd_tls_security_level = encrypt

append_at_myorigin = yes
remote_header_rewrite_domain = domain.invalid
masquerade_domains = $mydomain
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = admin, root

mail_spool_directory = /var/mail/
mailbox_size_limit = 0

header_checks = pcre:${dir}/header_checks
content_filter = amavisfeed:[127.0.0.1]:10024
smtpd_milters = inet:localhost:11332
# smtpd_milters = unix:/var/lib/rspamd/milter.sock

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

notify_classes = bounce, 2bounce, protocol, resource, software
# debug_peer_list = <ID>.nasa
# soft_bounce = yes

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

@@ -9,12 +9,14 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
-smtp      inet  n       -       y       -       -       smtpd
+smtp      inet  n       -       y       -       -       smtpd -v
+  -o cleanup_service_name=pre-cleanup
 #smtp      inet  n       -       y       -       1       postscreen
 #smtpd     pass  -       -       y       -       -       smtpd
 #dnsblog   unix  -       -       y       -       0       dnsblog
 #tlsproxy  unix  -       -       y       -       0       tlsproxy
 #submission inet n       -       y       -       -       smtpd
+#  -o cleanup_service_name=pre-cleanup
 #  -o syslog_name=postfix/submission
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
@@ -39,7 +41,14 @@
 #  -o milter_macro_daemon_name=ORIGINATING
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
+  -o cleanup_service_name=pre-cleanup
+pre-cleanup   unix  n       -       y       -       0       cleanup
 cleanup   unix  n       -       y       -       0       cleanup
+  -o mime_header_checks=
+  -o nested_header_checks=
+  -o body_checks=
+  -o header_checks=
+  -o always_bcc=log@<ID>.nasa
 qmgr      unix  n       -       n       300     1       qmgr
 #qmgr     unix  n       -       n       300     1       oqmgr
 tlsmgr    unix  -       -       y       1000?   1       tlsmgr
@@ -125,3 +134,27 @@
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
   ${nexthop} ${user}

+amavisfeed unix -      -       n       -       2      lmtp
+  -o lmtp_data_done_timeout=1200s
+  -o lmtp_send_xforward_command=yes
+  -o disable_dns_lookups=yes
+  -o max_use=20
+127.0.0.1:10025 inet n  -       n       -       -       smtpd
+  -o content_filter=
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o smtpd_data_restrictions=reject_unauth_pipelining
+  -o smtpd_end_of_data_restrictions=
+  -o smtpd_restriction_classes=
+  -o mynetworks=127.0.0.0/8
+  -o smtpd_error_sleep_time=0
+  -o smtpd_soft_error_limit=1001
+  -o smtpd_hard_error_limit=1000
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o smtpd_tls_security_level=
+  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
+  -o local_header_rewrite_clients=

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

maps/
├── header_checks
├── relay_recipients
├── relay_recipients.db
├── sender_access
├── sender_access.db
├── sender_canonical
├── sender_canonical.db
├── sender_login
├── sender_login.db
├── valias-regexp
├── virtual_alias-hash
├── virtual_alias-hash.db
├── virtual_alias-pcre
├── virtual_mailbox
└── virtual_mailbox.db

1

postmap maps/{file}

1
2

/Subject: .*NCTU.*/ REJECT no NCTU
/Subject: .*(6Zm95Lqk|=E9=99=BD=E4=BA=A4=).*/ REJECT no 陽交

1

@mail.<ID>.nasa @<ID>.nasa

1

<> REJECT null sender

1

cool-TA notcool-TA

1

/^(.+\|)?(.+)@(.+\.)?0\.nasa$/ $2

1

/^.+\|(.+)@(.+)$/ ${1}@${2}

1
2

@mail.<ID>.nasa @<ID>.nasa
nasata ta

1

/^(.+\|)(.+)@(.+)$/ $2@$3

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

root root/
report root/
postmaster root/
double-bounce root/
virusalert root/

log log/

meow meow/

ta ta/
nasata ta/
cool-ta cool-ta/

1

apt install -y dovecot-core dovecot-imapd dovecot-pop3d

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

@@ -16,11 +16,11 @@

 service imap-login {
   inet_listener imap {
-    #port = 143
+    port = 143
   }
   inet_listener imaps {
-    #port = 993
-    #ssl = yes
+    port = 993
+    ssl = yes
   }

   # Number of connections to handle before starting a new process. Typically
@@ -37,11 +37,11 @@

 service pop3-login {
   inet_listener pop3 {
-    #port = 110
+    port = 110
   }
   inet_listener pop3s {
-    #port = 995
-    #ssl = yes
+    port = 995
+    ssl = yes
   }
 }

@@ -70,7 +70,7 @@
   #vsz_limit = $default_vsz_limit

   # Max. number of IMAP processes (connections)
-  #process_limit = 1024
+  process_limit = 1024
 }

 service pop3 {
@@ -104,9 +104,11 @@
   }

   # Postfix smtp-auth
-  #unix_listener /var/spool/postfix/private/auth {
-  #  mode = 0666
-  #}
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }

   # Auth process is run as this user.
   #user = $default_internal_user

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

@@ -27,7 +27,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_location = mbox:~/mail:INBOX=/var/mail/%u
+mail_location = maildir:~:INDEX=~/index

 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
@@ -182,7 +182,7 @@
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
-#first_valid_gid = 1
+first_valid_gid = 0
 #last_valid_gid = 0

 # Maximum allowed length for mail keyword name. It's only forced when trying

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

@@ -9,8 +9,8 @@
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/private/dovecot.pem
-ssl_key = </etc/dovecot/private/dovecot.key
+ssl_cert = </etc/ssl/mail.pem
+ssl_key = </etc/ssl/mail.key

 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

@@ -97,7 +97,7 @@
 #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain
+auth_mechanisms = plain login

 ##
 ## Password and user databases
@@ -119,10 +119,10 @@
 #!include auth-deny.conf.ext
 #!include auth-master.conf.ext

-!include auth-system.conf.ext
+#!include auth-system.conf.ext
 #!include auth-sql.conf.ext
 #!include auth-ldap.conf.ext
-#!include auth-passwdfile.conf.ext
+!include auth-passwdfile.conf.ext
 #!include auth-checkpassword.conf.ext
 #!include auth-vpopmail.conf.ext
 #!include auth-static.conf.ext

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

@@ -5,16 +5,17 @@

 passdb {
   driver = passwd-file
-  args = scheme=CRYPT username_format=%u /etc/dovecot/users
+  args = scheme=CRYPT username_format=%Lu /etc/dovecot/users
+  auth_verbose = yes
 }

 userdb {
   driver = passwd-file
-  args = username_format=%u /etc/dovecot/users
+  args = username_format=%Ln /etc/dovecot/users

   # Default fields that can be overridden by passwd-file
-  #default_fields = quota_rule=*:storage=1G
+  default_fields = quota_rule=*:storage=1G

   # Override fields from passwd-file
-  #override_fields = home=/home/virtual/%u
+  default_fields = uid=vmail gid=vmail home=/home/vmail/%u
 }

1
2

apt install -y postgrey
# /etc/default/postgrey

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

apt install -y amavisd-new spamassassin clamav clamav-daemon
# update SpamAssassin
sa-update
freshclam
# access control
usermod -a -G amavis clamav
usermod -a -G clamav amavis
# debug amavis
journalctl -u amavis
service amavis restart
# debug clamav
tail -f /var/log/clamav/clamav.log
service clamav-daemon status

1
2
3
4
5
6
7
8

@@ -8,6 +8,6 @@
 # To manually set $myhostname, edit the following line with the correct Fully
 # Qualified Domain Name (FQDN) and remove the # at the beginning of the line.
 #
-#$myhostname = "mail.example.com";
+$myhostname = "mail.<ID>.nasa";

 1;  # ensure a defined return

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

@@ -10,8 +10,8 @@
 # If You wish to enable it, please uncomment the following lines:


-#@bypass_virus_checks_maps = (
-#   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


 #
@@ -21,7 +21,7 @@
 # If You wish to enable it, please uncomment the following lines:


-#@bypass_spam_checks_maps = (
-#   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

 1;  # ensure a defined return

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

@@ -33,7 +33,9 @@
 $inet_socket_port = 10024;   # default listening socket

 $sa_spam_subject_tag = '***SPAM*** ';
-$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
+$subject_tag_maps_by_ccat{+CC_VIRUS} = [ '*** SPAM *** ' ];
+
+$sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
 $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
 $sa_kill_level_deflt = 6.31; # triggers spam evasive actions
 $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

@@ -7,9 +7,9 @@
 $enable_dkim_verification = 1;
 # Don't be verbose about sending mail:
 @whitelist_sender_acl = qw( .$mydomain );
-$final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
-$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
-$final_spam_destiny       = D_DISCARD;  # (defaults to D_REJECT)
+$final_virus_destiny      = D_PASS; # (defaults to D_BOUNCE)
+$final_banned_destiny     = D_PASS;  # (defaults to D_BOUNCE)
+$final_spam_destiny       = D_PASS;  # (defaults to D_REJECT)
 $final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

 $virus_admin = undef;

1
2
3
4
5
6
7
8
9

@@ -8,6 +8,8 @@
 # the directives you can use in this file
 #

+$notify_method  = 'smtp:127.0.0.1:10025';
+$forward_method = 'smtp:127.0.0.1:10025';

 #------------ Do not modify anything below this line -------------
 1;  # ensure a defined return

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

@@ -3,11 +3,12 @@
 #Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
 LocalSocket /var/run/clamav/clamd.ctl
 FixStaleSocket true
-LocalSocketGroup clamav
-LocalSocketMode 666
+LocalSocketGroup amavis
+LocalSocketMode 660
 # TemporaryDirectory is not set to its default /tmp here to make overriding
 # the default with environment variables TMPDIR/TMP/TEMP possible
 User clamav
+AllowSupplementaryGroups true
 ScanMail true
 ScanArchive true
 ArchiveBlockEncrypted false
@@ -17,18 +18,18 @@
 ReadTimeout 180
 MaxThreads 12
 MaxConnectionQueueLength 15
-LogSyslog false
+LogSyslog true
 LogRotate true
 LogFacility LOG_LOCAL6
 LogClean false
-LogVerbose false
+LogVerbose true
 PreludeEnable no
 PreludeAnalyzerName ClamAV
 DatabaseDirectory /var/lib/clamav
 OfficialDatabaseOnly false
 SelfCheck 3600
 Foreground false
-Debug false
+Debug true
 ScanPE true
 MaxEmbeddedPE 10M
 ScanOLE2 true
@@ -51,7 +52,7 @@
 PhishingAlwaysBlockCloak false
 PartitionIntersection false
 DetectPUA false
-ScanPartialMessages false
+ScanPartialMessages true
 HeuristicScanPrecedence false
 StructuredDataDetection false
 CommandReadTimeout 30

1
2
3
4

apt install -y rspamd
rspamadm configwizard
# /var/lib/rspamd/dkim/
tail -f /var/log/rspamd/rspamd.log

1
2
3
4
5

reject = null;
add_header = 3;
rewrite_subject = 4;
grow_factor = 10;
subject = "*** SPAM *** %s"

1
2
3
4
5
6
7
8
9

clamav {
  action = "rewrite subject";
  subject = "*** SPAM *** %s";
  scan_mime_parts = true;
  scan_text_mime = true;
  scan_image_mime = true;
  log_clean = true;
  servers = "/var/run/clamav/clamd.ctl";
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

domain {
    <ID>.nasa {
        selector = "dkim";
        path = "/var/lib/rspamd/dkim/<ID>.nasa.dkim.key";
    }
}
allow_hdrfrom_mismatch = true;
allow_username_mismatch = true;
auth_only = true;
use_esld = true;
use_domain = "envelope";

1
2
3
4

skip_local = false;
skip_authenticated = false;
extended_spam_headers = true;
# extended_headers_rcpt = ["@<ID>.nasa"];

1

sa_local = "/etc/spamassassin/local.cf";

1
2

password = "<password hash / generated by configwizard>";
bind_socket = "0.0.0.0:11334";

1

count = 4;

1

apt install -y mutt

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

set editor = "vim"
set ssl_starttls = "yes"

set smtp_url = "smtp://<user>@mail.<ID>.nasa:25"
set smtp_pass = "<pass>"

set imap_user = '<user>'
set imap_pass = '<pass>'

set folder = "imaps://mail.<ID>.nasa:993"
set spoolfile = "+INBOX"

bind index G imap-fetch-mail