AntiSpam AntiVirus Gateway Email Server using Debian, Postfix, Amavisd-new, SpamAssassin, Razor, DCC, Pyzor and ClamAV

Debian Anti-Spam Anti-Virus Gateway Email Server using Postfix, Amavisd-new, SpamAssassin, Razor, DCC, Pyzor, and ClamAV

This document is considered obsolete and is no longer maintained. Please see http://www200.pair.com/mecham/spam. for newer versions.

This document is not recommend as a guide to upgrade a system from amavisd-new 20030616-p10 to amavisd-new 2.4.2. I designed it as a guide for myself to do a fresh install. There are other versions of this document available. This document uses Debian stable (Sarge). If you would like to use Debian testing (Etch), see http://www200.pair.com/mecham/spam/. Original document created June 2005. Last revised 27 JUN 2006 by Gary V. The basic software used is Debian 3.1 (Sarge, Stable) - Postfix 2.1.5 - amavisd-new 2.4.2 - SpamAssassin 3.0.3. Due to the size of this document, please save it to your computer if you plan on using it more than once, then use that copy to view it subsequently. The "Change Log" is http://www200.pair.com/mecham/spam/20050626_changelog.html

Introduction
Document Description
Notes
Create Debian Installer CD
Debian Installation
Partition the Hard Drive
Debian Base System Configuration
PuTTY and additional programs
The 2 minute vi tutorial
Verify System Settings
Change apt-get settings
Navigating the system
Create Firewall Rules
Disable Unnecessary Daemons
Configure the NTP daemon
Installing Programs
Postfix 2.1.x Configuration
Edit master.cf

Edit main.cf
Postfix Anti-Spam settings
Configuring amavisd-new
Pyzor, Razor and SpamAssassin configuration
Installing DCC
Local DNS cache
Test the Installation
Installing ClamAV
Tweaking Notification Settings
Back up critical files
Set up security reports
Set up intrusion detection
CPAN, Mailgrep, Pflogsumm and trim_whitelist
Whitelisting, Blacklisting, Tweaking
Create Rescue Floppy
Make a tomsrtbt disk
Links, FAQs and such
Disclaimer

Introduction:

Index
******************************************************
This document was inspired by a document originally created by Scott L. Henderson http://www.freespamfilter.org
It is rewritten to reflect a Debian installation and contains a considerable amount of additional information.
In Scott's document, Red Hat Linux 9.0 was used.

Why this document exists:

There is a desire to control the flow of spam and viruses into organizational email systems. Many IT department budgets are tight and many administrators and executives are looking to Open Source solutions to reduce costs. To fight spam, you could buy an expensive appliance or proprietary software, but what if you could take a server you may already own and turn it into a better anti-spam tool than you could buy, without spending a dime on software?

I've found that many administrators of small to medium organizations (say, from 5 to 2000 users) don't yet have the knowledge, experience, or confidence, to build an Open Source system like this powerful anti-spam tool. This document is an attempt to address that situation. With little risk, one can try this spamfilter between an email server and the Internet. If you already have a gateway email server in place in front of your email server, you can place this server on your internal network between the 2 machines or on the Internet in front of your existing gateway. Given a choice however, it is much better to put this server ahead of any other servers. Even if you completely botch something, you can always just yank this system out of the loop and set about repairing it enough to retrieve any queued mail off of it. It is a nice way to get a taste of Linux and get your feet a little wet. I hope you will be as pleased as I have been with the results.

Although any version of Linux, as well as BSDs and other _nixen can (and have been) used for this configuration, this document describes using the Debian 3.1 "stable" version. Debian was chosen because it is free and has a loyal following. You may find however that Debian requires a little more proactive approach regarding security patches.

My email address is mr88talent at yahoo dot com. Support for the various programs used in this document is available from the mailing lists of the respective programs. There is also a forum available for this document and others like it at http://www.freespamfilter.org/forum/.

FAST BUILD BOXES

If you have built this system before, are an experienced Linux administrator, or for other reasons you want to skip all explanations and just perform the steps necessary to build this spamfilter, each major item that needs to be done is conveniently placed (where the Cat in the Hat keeps all his valuables):

IN A BOX

Commands to be typed in at a command prompt will have a slightly different font than the rest of the text on this page:

like this

And those items that you either need to read, make a decision on, etc, in addition to being "in the box", will be italicized:

like this

Items that display on the screen will be displayed:

like this

It will be assumed that if you follow the 'fast build' boxes, you will understand how to do certain things without explanation, like getting to a command prompt, basic vi commands, knowing when to replace example values - like "example.com" and "example2.com" - with your own when appropriate, etc.

******************************************************

Document Description:

Index
******************************************************
This Guide documents a step-by-step Debian GNU/Linux install using well-established Open Source software. The intended audience is a System Administrator currently running an email server that may or may not have ever used Linux.

This document will allow you to create an anti-spam email relay server. That is, there is no local mail delivery on this box. All inbound mail goes through this system. Spam is filtered out and re-directed to a specified mailbox ("spam-bin" in our example), or to the intended recipient, depending how "spammy" it is. Ham (non-spam) is passed on to its original intended recipients at your final destination mail server. Thus, a spam "filter" server.

This setup gives the system administrator control over spam, removing the need for end user interaction. In this configuration we will tag a small quantity of email as Spam> and forward it on to the intended recipient, but the vast majority of spam will be quarantined to a mailbox that we specify (spam-bin). Yes, with a little experience you can change this configuration. With this setup, if a user actually misses receiving an intended email, it is easy for you to find it and forward it on to them. It will be sitting in the quarantine area you have configured. The system is capable of using data from LDAP or SQL sources allowing per-user configuration but this document will not cover that aspect.

This system will work best when placed between a firewall and your Exchange server (any kind of SMTP/POP3/IMAP server) or you can sandwich it between your gateway email server and your Exchange server if necessary (not a good choice). This machine will reject a lot of spam mail. If you place it behind another gateway server, that server will end up creating bounce notices, many of which can never be delivered (because spammers usually fake their address). That server will be forced to deal with a large number of undeliverable messages. It is not good practice to accept a message you later bounce; if you are going to reject a message, it is best for all concerned to reject it immediately.

The design goal here is to filter and control spam and viruses originating from the Internet. The amavisd-new program was in fact originally written to be an interface between a mail server and various anti-virus packages. AMaViS is derived from "A MAil VIrus Scanner". Local delivery of mail on this box could also be configured if desired, but this document will not cover that aspect. This system also has the ability to quarantine (or discard) any email that has attachments that you would like to ban from your organization. Since most email borne viruses come in the form of Windows executable attachments, this system could serve as a first line of defense, with the second line of defense in the form of your desktop Anti-Virus system.

******************************************************

Notes:

Index
******************************************************
1. This is not a "standard" Linux HOWTO doc. It is written with more detail, step-by-step, so that any Sys Admin who has not used Linux before can set it up. Hopefully it will be informative and useful to experienced Linux/Unix administrators as well.

2. Complete install as per this doc will require a minimum of 600MB of disk space. The system will additionally need whatever amount required for temporary mail storage, as email is spooling through, which depends on your email traffic flow. I can't hope to estimate that for you. It is not a huge amount however; the mail won't generally stay on this system long. If you configure your system to keep quarantined messages on this machine, you will need enough additional space to accommodate.

3. This entire procedure will take an experienced administrator about 8 hours the first time around. A newbie, roughly twice as long. With some experience under your belt, your second box will take half as long.

4. This doc will not cover hardware problems. It assumes you have Linux compatible i386 hardware, including one NIC (network interface card). Generally, your hardware is most likely to be supported if it is neither too old nor too new in respect to chipset and processor technology.

5. You'll need to know the IP address, netmask, and other IP configuration details to be used on this box, before you begin. I won't be helping you with that.

6. You don't need a GUI like Gnome or KDE to build this box so we will NOT install one. It's a waste of 500MB on this particular machine. If you are new to Linux and want to see what they are like, put them on a box other than this one. If you absolutely insist on installing one, do it during the initial setup (using tasksel). I tried to do it after the fact and ended up with a mess. Having one will not make the installation and maintenance go faster or easier.

7. My instructions list using the vi (vim) text editor to edit text files. If you are more familiar with another text editor, feel free to use that. If you are used to a Windows environment, vi will seem difficult at first, but I will explain the basic commands you need to get things done. Be brave, you'll be fine, and when you're done, you'll be a little comfortable with the most common text editor in the Unix/Linux world.

8. In this doc, "example.com", "example2.com" and "example3.com" will be the fictitious example domains we'll be receiving mail for. You can receive mail for as many domains as you like with this system. Our example spamfilter mail server will have a host name of "sfa".

9. If you are installing a single hard drive (non RAID) I suggest you start this project with 2 identical hard drives. This however is your choice. You will spend a considerable amount of time creating this server and the easiest, most reliable, and most cost effective way to back up this server is to duplicate the hard drive. I suggest hard drives of at least 4.3GB but it's much better to start out with a pair of modern (fast) hard drives. If you happen to have a pair of identical computers kicking around, with identical network cards, so much the better. I like spares. The hard drives will be wiped clean of all partitions. Use only known good, error free hard drives. This is not the only means of saving yourself a lot of work should your hard drive fail. You could simply ftp the most critical files to an ftp server of your choice. If you are interested in a RAID1 setup, see http://www200.pair.com/mecham/raid/raid1.html

10. You will need to create at least two new mailboxes on your Exchange server to hold the quarantined spam and banned files. In this document, these mailboxes will be called "spam-bin" and "banned"'. You will also need mailboxes named "root" "postmaster" "abuse" and "mailer-daemon". These can be aliases for mailboxes that currently exist, or you can create new mailboxes for them. You may also wish to create a separate mailbox for quarantined viruses; I use "virii". You might want a separate mailbox for "postmaster" because you will receive a lot of NDRs there. An NDR is a "Non Delivery Report" which is a type of DSN (Delivery Status Notification). The "root" mailbox will receive important system information. The "spam-bin" and "banned" mailboxes must be monitored, and if "ham" (non-spam) is found, it must be forwarded to its intended recipient. Consider whitelisting the sender, so you don't have to worry about it again. With a little experience, you will find ways to quickly glance through the spam and delete it in bulk. It's a good idea to have the trash emptied on exit. I like to use a search tool and look for text like "HITS=8" or "HITS=9" and see what is there. Then select everything and hit [Delete]. If you create a "virii" mailbox, that must also be monitored.

11. This system can also be configured to discard spam by simply changing one line in a configuration file, but this is often a bad idea. SpamAssassin assigns a score to each email depending on how spammy it calculates it to be. If you choose to discard spam, then you should only consider that option for spam that scores a 12 or higher. There are a couple of ways we can do this, and I will discuss them them later.

12. When I refer to the Exchange email server, this term is synonymous with "your current email server" or "your current SMTP/POP3/IMAP server". In other words, it's not specific to Microsoft Exchange.

13. You could also build more than one of these boxes and use the second one as a secondary MX email server. Allocate an unused IP address to the secondary server and add a new A record and (secondary) MX record in your DNS records. Please note that this document does not cover issues such as MX records or changes to DNS records or adding reverse DNS records. It assumes that if you have set up your own email server, you will have some understanding of these issues. Your ISP may offer assistance with those issues. Be aware that changes to DNS records, if improperly done, may result in the loss of mail. It can take weeks for other DNS servers to recognize changes. You need to gain enough knowledge to understand the implications of DNS record changes. If this server is on an internal network, sandwiched between your existing email gateway server and your Exchange server, then no Internet DNS changes are required. In general, don't delete any existing DNS records!

14. There are many ways this spamfilter could be incorporated into your existing setup. I would like to give one possible scenario. Let's say you have one Exchange server handling all your email. You have an MX record set up for it with a priority of [10] and you managed to set up a reverse DNS record for it and everything is working fine. Take an unused public IP address and assign it to your new spamfilter. Once our new spamfilter is working as it should, create a new 'A' record for it 'sfa' and a new MX record with a priority of [5] 'sfa.example.com.' which will make it your new primary Mail eXchanger. Your Exchange server will now be your secondary Mail eXchanger. After the system has been running well for at least a month (this gives all the DNS servers time to eliminate their cached records) you may now configure the Exchange server to accept mail only from your spamfilter(s) and your internal clients, and possibly some work-at-home people that have static IP addresses. By this time the only mail that should be coming in directly to the Exchange server is spam, because spammers love to deliberately send mail to secondary servers. The spamfilter will be configured to send all of its mail both to, and through, the Exchange server so we want to leave the Exchange server's DNS records alone. If you would like an additional backup email server, just build another one of these and set it up with a priority [7] MX record.

15. It is extremely important that this box is thoroughly tested before being relied upon to handle large quantities of mail in a production environment. When building the system, send test emails through one at a time and evaluate what has transpired. Read the mail.log file. Turn up the level of debugging in amavisd-new. Run amavisd-new in debug mode and monitor the activity. Monitor memory usage using the 'top' program. I will explain how to do these things as the document progresses. The following comments are personal interpretations/observations and may not be technically correct: I have seen on several occasions that even on a properly set up system, when the system is under load, there are memory allocation issues. Some of the processes tend to temporarily allocate enough memory that some of the 'swap' memory is allocated. This memory is then released for use by other processes. If an amavisd-new process begins using swap memory, it runs so slowly that it essentially becomes unavailable to Postfix. The mail then begins to build up in the queue waiting for another shot at it later. This makes matters worse because there is that much more mail to deal with. The system eventually chokes and you are left with thousands of messages in the queue. Lessons to learn here: if this system goes down and you need to take this system out of the loop, make sure you have another system (your original system, if nothing else) in place to accept mail until you get the problem solved. You can disable the content filter (amavisd-new) and requeue the deferred mail and Postfix will at least get the mail delivered and off your system. If you are filtering for multiple domains, start by having only one (least busy) domain have its mail sent through our spamfilter and keep an eye on things. Build from there. If your system exhibits this sort of behavior, it could be an indication you need more horsepower under the hood.

16. Minimum hardware requirements:
For a small system with a light load (a couple emails per minute, or 2500 messages per day at peak) I suggest a Pentium 233Mhz and 256MB RAM absolute minimum (384MB gives you a little breathing room). At 10,000 messages a day a 1Ghz PIII with 768MB RAM would be more appropriate. Amavisd-new appears to use about 43MB per child process (parameter $max_servers) and will use 128MB right out of the box (one master and 2 child processes) and ClamAV will add around 30MB to that. If you configure your system to use more instances of amavisd-new, allocate at least 43MB for each additional instance (58 if you use ClamAV). Amavisd-new can reach 100MB per process if you use a lot of additional SpamAssassin rule sets and/or have large black/white lists. Generally speaking, a fast hard drive and adequate RAM will show more of a performance improvement than a fast processor will, but an adequate CPU is also necessary. Fifty percent more ram than you need is not a bad idea. The programs that run on this server are disk intensive and CPU intensive. A slow hard drive will make this system perform poorly. In this setup we forward quarantined email to another server. If you plan on keeping quarantined email on this server you will need a large enough hard drive to accommodate. You will need a known good floppy drive, a CD-ROM drive (only used for initial Debian installation) and of course, a connection to the Internet in order to install and download all the software we need. It’s a good idea to have hardware that you don’t plan on changing. Your spamfilter should ideally be in its final form. Adding additional memory later is fine. If you get errors during installation that appear to be hardware related, find other hardware and start over. If you have a new motherboard, you may or may not get very far. Linux may not support every new motherboard chipset out there. If you have an ancient NIC card, or one of a new design, you may not get very far either.

17. Benchmarking:
Sorry, I do not have benchmarking data for high-end use, such as at very large companies or ISPs, but I am aware of several small ISPs that currently run this configuration. The software components in this doc are all designed for high capacity and I would expect them to scale up very well. The 2 main executable programs used herein, Postfix and amavisd-new, both have configurable throttling and performance settings. They are also mature products, with a proven track record and a large following of users. SpamAssassin, with all the work it has to do, fetching information off the Internet on the fly, matching its rules to the content of the messages and such, will tax a machine quite a bit. If you add antivirus filtering, this will also put some pressure on our spamfilter. Large ISPs need powerful multi processor machines and fast SCSI hard drives in RAID arrays to make this work well. I have heard of sites processing millions of messages a day using a cluster of 15 high powered multi processor machines. Mark Martinec has also written a paper that illustrates the capacity of a single high power dual processor machine http://www.ijs.si/software/amavisd/amavisd-new-magdeburg-20050519.pdf

18. This document was created from a Windows user perspective. UNIX/Linux users should have little problem translating Windows specific activities to your environment. I suggest you create a new folder on your computer, preferably in the root directory of drive C: and call it "debian". This folder will be where all the work files we use will be stored. I would like you to save this html document there now and then open it up again in your browser. We are going to customize this document to make things easier for you. Once we have the spamfilter computer up and running you will do the entire configuration by remote control from the comfort of your Windows computer. Portions of this document can be copied and pasted into the spamfilter computer. I would like you to customize this document by doing a search and replace of the elements such as the spamfilter's IP address and hostname. I suggest using WordPad to edit this document. If you have a plain text html editor you like, you may use that instead. Avoid using any editor that modifies the html code. Once you open it in your editor you will see instructions at the top of this document. Go ahead and do that now.

After you edit the document, it might be a good idea to print it out so you can check things off as you complete them (it's about 77 pages).

19. Precautionary note: Be very cautious obtaining any and all software from links on these web pages. Spend some time looking at the URLs on the web pages that pop up. Verify the web sites are legitimate. You could be reading a forgery of this document designed to cause malice. The websites that you link to could be hijacked. Read the disclaimer.

20. Every link in this document opens in a new window, so if it appears nothing happens when you click a link, take a look at your Taskbar.

21. Assuming you are not using a RAID configuration and would like the ability to clone your hard drive:
If you have an IDE CD-ROM drive, set the jumper on the CD-ROM drive to SLAVE and install the CD-ROM drive as the secondary slave. Install the CD-ROM drive so it is in the second position of the data cable, so the primary part of the cable sets loose on top of the drive. If you have a tower case, place the CD-ROM drive in the slot that is at least one down from the top. The reason we are doing this is we want to be able to place a duplicate hard drive in the top position. This drive will not be plugged in during the installation. We will only plug it in when we want to duplicate the primary hard drive. This drive will be used to back up the entire system on occasion. Leave the cover off the case while we build the box. In the future you may wish to purchase one of those mobile hard drive racks. This is why we left the top slot free. If you have a SCSI hard drive, well, hopefully you know what to do as far as jumper settings go. This is all optional, but recommended. You need some means of recovering the system after a catastrophe.

While you are building the box, it would be a good idea to back it up when you have reached a major milestone. We can simply place the duplicate drive on top of the CD-ROM drive and plug it in (with the power off, of course). Set your BIOS to auto detect your drives (if you have that option). There are two simple methods I use to duplicate disks, one is to use dd. It makes an exact duplicate of your hard drive bit by bit, sector by sector, even empty ones. This is why (1) your hard drives must be identical; (2) they must be error free. dd does not work well if both of these conditions are not met. dd is also painfully slow, it can take hours for a large (40GB) disk and some people say it is not a reliable way to clone a hard drive. One other alternative is Norton Ghost 2003 or the Enterprise edition. Earlier versions will not work. Version 8 will work great if you are fortunate enough to have a copy. See Ghost compatibility with Linux. Ghost has the option to clone a drive sector by sector similar to what dd might do. Like dd, the disks should be identical when using this method. At the very least, the destination drive should be the same size or larger and the geometry should be similar. Going to a smaller drive using this method would fail. If Ghost complains that your hard drive has errors, I suggest you run shutdown -r -F now and let it reboot. When it starts back up it will run "fsck" which is the conceptual equivalent of "chkdsk /f" in the Windows world. Ghost 2003 comes with SystemWorks 2003 or often comes with motherboard software. Ghost 2003 also works in (the recommended) normal mode but after the disk is cloned the boot record must be repaired on the cloned drive by first booting to a rescue floppy. There is other software out there that has the ability to clone Linux hard drives. I’m just used to Ghost.

Let’s talk about dd. Here’s how I do it. Make a tomsrtbt (Tom’s Root Boot) floppy disk and boot from it (instructions to make the disk come later). Log in as root. Then, with both drives installed, issue the command:

dd if=/dev/hda of=/dev/hdc bs=8192
This assumes IDE hard drives. Type this very, very carefully. Then wait a long, long time. Your disk drive LED should be lit solid. We'll make a tomsrtbt disk after the system is up. It's actually less of a hassle to make it from the Debian box than it would be from a Windows machine.

if = input file, of = output file. IDE disks are numbered hda hdb hdc hdd - primary master, primary slave, secondary master, and secondary slave - respectively. SCSI hard drives are sda sdb sdc etc. Any time you clone a hard drive, you should test the new drive. If it boots up, reboot it by using shutdown -r -F now to repair any potential problems.

22. Linux, Postfix and amavisd-new are flexible, complex systems. There are innumerable ways to configure a spam filtering server like this one. This document will not attempt to teach you everything there is to know about Linux, Postfix, SpamAssassin and amavisd-new, nor are the instructions I provide meant to give the impression that this is the best way to configure this device. This box meets MY needs and hopefully will provide a solid base for others to work with. It is my hope that this document will provide a degree of familiarity with these programs sufficient enough to enable you to resolve problems as they arise and enable you to reconfigure the system to meet your needs. If you need help with problems, or just want to tweak the system to meet your particular needs, and you need help doing so, the mailing lists for the various programs are your best source. When using mailing lists, state the versions of the programs you are using, try to state the issue in a concise manner and provide examples when examples are necessary. Search through the mailing list archives to see if your question has been answered before. I feel the biggest flaw in this document is that you will learn only a little about Linux and you know what they say: a little knowledge is a dangerous thing. If you are new to Linux I suggest at the very least you purchase a Linux Pocket Guide or equivalent to have on hand. Here is a 16 page PDF on Unix command line basics.

23. This machine will have to resolve a lot of IP addresses and read a lot of DNS records. If it takes a long time to retrieve an answer from a DNS server, this delay could affect the performance of this box. It is much better to have a local caching DNS server available than not. You may have a local proxy server capable of caching DNS queries or a server on your network running a true DNS server like BIND or Windows 2000/2003 DNS server. If you do, use one of these as your primary name server. I provide instructions in this document to install a local DNS cache on this machine if you do not.

24. So what do these various programs do? Postfix is a powerful and flexible MTA. In its most basic configuration it receives and sends email. We will configure it to use amavisd-new as a content filter. Postfix will listen on the standard SMTP port 25 and any mail that comes in on that port and is not rejected will be sent to amavisd-new on port 10024. Amavisd-new will process it and send the mail back to Postfix on port 10025. Postfix will then relay it to the intended recipient(s) on another mail server. Amavisd-new acts like a specialized MTA. To prevent the loss of mail in amavisd-new, amavisd-new will not actually say it has accepted a message from Postfix until it has returned it to Postfix. In our case, amavisd-new will load SpamAssassin and use it as though it is part of the program itself. It will also call ClamAV (clamd or clamscan) to scan email for viruses. SpamAssassin will query Pyzor, Razor2 and DCC servers and the result of the queries may influence the score that SpamAssassin produces. SpamAssassin is a sophisticated system using a number of means to identify spam. It uses hundreds of its own static and dynamic tests and it queries other servers on the Internet in order for it to produce a spam "score". The higher the score, the more likely the message is spam. Razor, Pyzor and DCC are each different in the way they work, but they have at least one thing in common: they are collaborative mechanisms. Computers all over the world feed them spam or spam signatures. If they receive the same spam from many different sources, it is assumed that that spam can in fact be considered spam. SpamAssassin checks each email to see if it appears in any of their databases. SpamAssassin also queries a number of other real time blacklists (RBLs) and several URIDNSBL servers. SpamAssassin sends the URLs found in the message body to URIDNSBL servers to see if they have been blacklisted. These are also collaborative mechanisms that are manually reviewed by humans. SpamAssassin also uses Sender Policy Framework (SPF) to influence its score. SpamAssassin merely scores the email. We configure amavisd-new to take various actions depending on the score. I have found a paper that further describes the actions of these programs and how it all fits together: http://www.giac.org/practical/GSEC/Greg_Williamson_GSEC.pdf

******************************************************

Create Debian Installer CD:

Index
******************************************************
There are, at any given time, three versions of Debian. They are "stable", "testing" and "unstable". At the time of this writing "stable" is named "Sarge", "testing" is named "Etch" and unstable is always named "Sid". The Debian Installer CD-ROM (debian-31r2-i386-netinst.iso) is typically the preferred method of installation and the one we will use. It has a known working installer and a fairly complete base system. You can also use floppies that load just enough software to enable you to download everything including the installer itself.

For future reference:
http://www.us.debian.org/releases/sarge/debian-installer/
http://www.debian.org/distrib/netinst
http://www.debian.org/releases/stable/i386/ch04s02.html.en

You need a CD-RW drive and CD burning software on your PC to create the CD from an ".iso" file.

Make a new directory on your Windows computer and call it 'debian' or something.
Then download the latest version of the Debian installer for "Sarge" and save it there. Go to:
http://cdimage.debian.org/debian-cd/3.1_r2/i386/iso-cd/debian-31r2-i386-netinst.iso
for the Debian 3.1 (Sarge, Stable) network installation CD, which I recommend.

Create a CD from the image using your CD burning software. When you label the CD include the creation date of the software.
I use Roxio 5.0 Easy CD Creator. From the Data CD Project window I choose File -> Record CD from CD image. For Nero 5 Burning ROM, choose File -> Burn Image after getting to the data CD window (ISO).

Set the BIOS in your computer to boot from the CD-ROM drive if necessary. If for any reason you cannot create the CD or you cannot boot from the CD, you can boot from Debian Installer floppies. A separate document http://www200.pair.com/mecham/spam/sarge-installer-floppies.html provides instructions on creating the Installer floppies.

******************************************************

Debian Installation:

Index
******************************************************
Before you start the installation, you may need to know what brand and model your Ethernet card is. You may need to know what chip set the card has. I was unable to install a 3Com 3c509 ISA card.

The really fun part of the installation is the fact that no matter how I describe the process to you, it may be different when you do it. The Debian installation process somewhat follows a linear pattern, but there is no way I can predict what order the screens will come up. We are going to install the "stable" version currently named "Sarge". In general, if you are asked questions during installation, the installer guesses what the most appropriate response would be, and it usually is what we want.

If things don't go well and you need to start over, I strongly suggest you delete everything off the hard drive during [Partition a hard drive]. Starting with a clean slate helps a lot.

Additional information on the Debian Installer is located at http://www.debian.org/releases/stable/i386/apa

The main objective of the Debian Installer is to gather enough information to enable it to install the [Debian base system configuration] menu. It needs to know what language to continue in, what keyboard you are using, what network hardware you have (it should figure this out automatically), and what your network settings are (we don't want it to figure this out via DHCP). We will also have to configure the partitions on the hard drive at this time so we have a place to put the software that is installed.

We are going to erase the hard drive so make sure you don't have any data on it you might need.
Boot up the computer using the Installer CD or the Installer floppy #1.
If you use the floppy to boot up, it will prompt you for the second floppy.
I recommend the CD-ROM. The instructions below pertain to the CD-ROM method in the default "ask as few questions as possible" mode. To install the recommended 2.6.x version of the Linux kernel, type in:

linux26

There are four installation methods in the "Stable" version on the Debian Installer. I now recommend linux26.
You choose the method when the CD-ROM boots up. At the "boot:" prompt type in:

linux - (or just hit [Enter]) for the default method. The default method installs the Linux 2.4 kernel and asks as few questions as possible.

linux26 - Same as above except it installs the 2.6 kernel.

expert - If you would like configure advanced options (asks many questions).

expert26 - Same as expert mode but this installs the 2.6 kernel.

If you install in non-expert mode, skip this next optional section.
I will not cover the expert mode of installation other than providing some general pointers:
**************OPTIONAL EXPERT MODE*****************

Read through the installation instructions for the default method provided after this optional section for answers to some of the prompts.

If you choose expert mode please install the 2.4 kernel.

If you choose expert26 mode please install the 2.6 kernel.

In general, if a list of items to select from is presented, you most likely will not need to change any of the selections or configure any hardware parameters except those noted below in the default section. Use the [tab] key to tab over to [Continue] or [Ok]
*********************END OPTIONAL*********************

[Choose Language]
This determines the language of the installer and picks a keyboard.
This installation has only been tested with English - English

[Choose country or region]
Choose what is appropriate

Unplug the Ethernet cable, we want DHCP to fail.

[Select a keyboard layout]
American English selects a standard qwerty keyboard

[Module needed by your ethernet card]

If you see this menu, it only means one thing. The Installer does not recognize your Ethernet card.
Look through the list; the majority of cards that are supported will NOT be on the list, this is a list of somewhat obsolete or possibly bleeding edge cards, not the majority. If it does not find your card, try another NIC Card. The machine I am building right now has an old 3Com ISA PnP 3c509, and it's not working, possibly because PnP may not be supported this early in the game, or because there is a bug in the installer. This is going to be an email server, so a reliable NIC card is important. If you have and old ISA NE2000 compatible card you can use the "ne" driver but you will need to know the interrupt and I/O address beforehand. If you have a problem, the fastest way to solve the problem may be to replace the card with another model.

[!! Configure the network]
Network autoconfiguration failed

We wanted this to happen, simply press:
[Continue]

On the next screen, choose the default of:
[Configure network manually]

[Configure the network]
Plug the Ethernet cable back in
(and make sure Num Lock is on!)
[IP address:]
111.111.111.111
[Netmask:]
255.255.255.x
[Gateway:]
333.333.333.333
[Name server addresses:]
444.444.444.444 555.555.555.555
[Hostname:]
sfa
[Domain name:]
example.com

******************************************************

Partition the Hard Drive:

Index
******************************************************
The disk partitioning software that comes with this version of the Debian Installer seems to be geared toward novices and as such makes a lot of assumptions in order to make partitioning easy. However, if you want to deviate from what the software provides, it is somewhat cumbersome. At this point you can play with the partitioning software all you like. If you have problems, simply erase the disk and start over.

[!! Partition disks]

Choose [Erase entire disk]

[Partitioning scheme:]
You are free to choose any of the three partitioning schemes provided but we need at least 1GB of space for each data partition. If you choose the [Desktop machine] or [Multi-user workstation] method of partitioning, ideally you would have 4GB or more for either the /var partition or the /var/spool partition respectively.

If you are building this with a 1GB or 2GB drive (not recommended), choose
[All files in one partition]

For a larger drive choose:
[Desktop machine]

Then arrow up and change the "Mount point:" of partition "#6 logical" from /home to /var
Here is an example of what the finished product could look like:

IDE1 master (hda) - 10.0 GB Maxtor 5T010H1
hda1	#1 primary   2.8 GB ext3 / (bootable) (root partition)
hda5	#5 logical 353.7 MB swap   (swap partition)
hda6	#6 logical   6.8 GB ext3 /var

The same drive using and modifying the [Multi-user workstation] partitioning scheme: It took me about 10 minutes of playing with the software to figure out how to modify what the partitioning software came up with, but this will provide a little better performance (due to reduced file fragmentation). You need a 6GB or larger drive and a little patience to do this.
Change the mount point of "#1 primary" from / to /boot
Change the mount point of "#5 logical" from /usr to /
Change the mount point of "#6 logical" from /var to /var/lib (Enter manually)
Delete both partitions #9 and #8, then recreate logical partitions #8 and #9 from the free space and change the mount points to what is illustrated below.

Each data partition should be at least 1GB as shown. The /var/spool directory is where our mail queues will be, so it would be desirable to make it 3GB or larger.

IDE1 master (hda) - 10.0 GB Maxtor 5T010H1
hda1	#1 primary 279.6 MB ext3 /boot (bootable)
hda5	#5 logical   3.6 GB ext3 /     (root)
hda6	#6 logical   1.8 GB ext3 /var/lib
hda7	#7 logical 386.6 swap swap
hda8	#8 logical   1.0 GB ext3 /var/log
hda9	#9 logical   3.0 GB ext3 /var/spool

Once you have what you like, choose
[Finish partitioning and write changes to disk]
[Write changes to disk?] [Yes]

[Installing the Debian base system]
Wait....
[Install the GRUB boot loader to the master boot record?]
If you would like the install the GRUB boot loader choose [Yes]
If you would like the install the LILO boot loader [Tab] over and select [Go Back]
Then select the 'Install the LILO boot loader...'
[Finish the installation]
Remove the CD or floppy when prompted, then hit [Continue] This will reboot.

The Debian Installer has done its job, now it's time for the:

******************************************************

Debian base system configuration:

Index
******************************************************

[Debian base system configuration] - Welcome to your new Debian system! [OK]

[Time zone configuration]
[Is the hardware clock set to GMT?] [NO]

[Select your time zone:]
Simply choose what is appropriate.

[Password setup]
This will ask for root's password and allow you to create a "normal" user and a password for that user. Watch your [Num Lock] status. Use really good passwords and don't forget them. Please add one, and just one, normal user here. If you plan on storing mail locally on this machine (not documented here), or even if you don't, create a user who's main purpose in life might be to hold root's mail. I suggest calling the user myroot or something similar.

Keep in mind that all the best hacker tools run on Linux. If a hacker gains root access to this box, your entire network is history.

Make sure you are connected to the Internet

[Apt configuration]
[Archive access method for apt:]
Choose [http] then your [Mirror country]
then a mirror near you. (mirrors.kernel.org works very well in the US)
[HTTP proxy information] (configure if needed, otherwise leave unconfigured)

Testing apt sources...

[Debian software selection]
[Choose software to install:]

Do not select anything here.
Simply [Tab] over and select [Ok]

Software will download now. I hope you have a fast Internet connection. What software we don't have now, we can easily get later. We are trying to keep this system somewhat clean. We will use apt-get to install most software after the fact. Some software may also be upgraded, and as a result, you may be asked some questions. When asked a question, usually the default answer will be the correct answer.

This section should not show up, but just in case it does:

[Configuring console data]
IMPORTANT! choose "Don't touch keymap"
You chose one earlier whether you knew it or not and choosing
any keyboard here may remove the keyboard mapping
and you may not be able to get it back without starting the installation over!!!!!

[Configuring Exim v4 (exim4-config)]

[General type of mail configuration:]
choose [no configuration at this time]
[Really leave the mail system unconfigured?] [Yes]

[Root and postmaster mail recipient:]
The "normal" user we added earlier will display here. This is fine, so simply accept this. Since all mail will be relayed to another server, this setting will actually end up being ignored. However, if you configure your system to store mail locally, all of root's mail will be redirected to this "normal" user's mailbox. This is necessary because you typically cannot access root's mailbox remotely.

[Debian base system configuration]
[Setup of your Debian system is complete]
[OK]

Once you get the login prompt, login as root and issue the following command:
apt-get install ntpdate

We installed ntpdate simply to set our clock to the correct time. Later we will disable it from running when our machine boots up and instead use the ntp daemon to keep our clock accurate. Note that if you have problems communicating with the download server (download seems stuck at [0%] - nothing seems to be happening for a long time), you can use [Ctrl]+c to break out of the communication session then try again. You should not use [Ctrl]+c when software is actually installing however, doing so could trash your system.

Thanks to the ntpdate program, our system should now have the correct time. Now we need to set our CMOS clock to the same time as our system:

hwclock --systohc

Enter the following command:

dpkg-reconfigure locales

[Configuring locales]
You use [PgUp] [PgDn] [up-arrow] [down-arrow] [tab] and [spacebar] to navigate and select.
Your ISO-8859-x locale should already be selected. You can simply [Tab] over to [Ok].
The installer software correctly assumed I wanted en_US ISO-8859-1. I suggest you have this also (in addition to others if you require them). If you need to change the locale, or add additional locales, use the [arrow] [spacebar] and [tab] keys. I suggest you do NOT pick a UTF-8 locale. SpamAssassin and amavisd-new may have problems if you do.

[Which locale should be the default in the system environment?]
I suggest you do NOT choose [None], I suggest you choose [en_US]

We need to make sure we have a keymap file:

ls -l /etc/console

This lists the contents of the /etc/console directory. You should see a file named "boottime.kmap.gz"
If you get "Total: 0" then we have no keymap file.

If, and only if, we have no keymap file, run the command:
dpkg-reconfigure console-data

And choose [Select keymap from arch list]
Follow the prompts that apply to you and when the program exits check again to see if there is now a file called "boottime.kmap.gz" in the /etc/console directory.
If the file is not there, reboot and try again. We cannot continue until a keymap file is installed. Worst case is we would have to start the installation over again!

Note that you can use the [up-arrow] key to recall previously entered commands (which can then be edited and executed).

Once you are back at the shell prompt, reboot the system with [Ctrl][Alt][Delete]

This is the end of the basic Debian installation.

If you don't feel good about the way things went, or you would like to experiment with one of the other methods of installation, this would be the time to start over from scratch!

******************************************************

PuTTY and additional programs:

Index
******************************************************
Now turn the monitor off and head on over to your trusty old Windows computer. We are going to configure every thing else from there!

You should have this document open in a window on your Windows computer because we are going to use a Windows SSH client called PuTTY to operate our spamfilter remotely. I am going to save you a lot of typing because you are going to select text with the mouse, copy it to the clipboard with [Ctrl]+c and then paste it into the PuTTY window with a right-click of the mouse. This will save you a ton of typing.

Download putty.exe from somewhere like: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Place putty.exe on your desktop, open it up, select SSH, input the IP address of the spamfilter, enter a name for your session in saved sessions, hit Save, then Open. When you use PuTTY again, simply double click on the saved session. Make sure you are at a command (shell) prompt before exiting PuTTY. You can log off the PuTTY window by issuing the command 'logout' or 'exit'.

If you are selecting some text to paste onto the Linux command prompt (the bash shell), you normally should not select the empty line below the text we are selecting. If you do, this has the same effect as hitting the [enter] key when it is pasted into the PuTTY screen. Sometimes this is desirable. If you select only to the end of the text, you will have the opportunity to review what was pasted before you hit [enter]. Make sure the command line is empty before you paste something into it.

If you are editing a configuration file (we will use the vi editor to do that), you may select multiple lines to copy and paste. To insure there is a newline character at the end of each line I suggest extending your selection to the empty line below the text you are selecting. I will provide empty lines below any text that ends up getting pasted into a document we are editing with vi.

Some of the text in this document will have to be edited either before or after you copy and paste it into the PuTTY window. If you have not already done so I recommend you save this document as a text file or an html file and do a search and replace of key items like your domain name and IP address, then use that document to continue. I suggest using WordPad or your favorite plain text HTML editor to edit this file. Do not use a program that will modify the HTML code. If you open this document in WordPad there are instructions at the top of the page. Once your changes have been made, open the saved document in your browser. You will now have your own semi custom document.

PuTTY anomalies.
You will notice when we paste stuff into a file we are editing using vi, the first few characters may be missing, so look carefully at what you have pasted and repair as necessary. Your [Home] and [End] keys will work when editing a file using vi, but will not work on at the command prompt. The numeric keypad will work at the command prompt but will not work in vi. Hitting the [Num Lock] key will not change this, so don't do it. If you hit [Num Lock] key while in the vi editor, you might get a help screen, not what you intended!

Open up a PuTTY session now and log in as root.
The command prompt at the bash shell will look something like:
sfa:~#
The ~ (tilde) represents our home directory, and because we logged in as root, our home is /root

Try this command:

pwd
(which means "print working directory"; it will reply with "/root")

This would be a good time to also download and install WinSCP. WinSCP is a great GUI file browser that lets you transfer files between your Windows machine and your new Debian box. You can also edit files on your Debian box from your Windows machine using WinSCP's editor.

We need to get a number of additional programs. Go ahead and select ALL the text in the box below with your mouse, then use [Ctrl]+c to copy it to the clipboard, then right-click the PuTTY window, then hit [enter] to issue the command. I suggest you select from right to left (bottom to top). Going the other way always wants to select one extra space character which can be a problem with certain apt-get commands.

apt-get install libc6-dev dpkg-dev db4.3-util libdb4.3-dev libberkeleydb-perl vim lynx ncftp bzip2 unzip perl-doc libwww-perl ntp-simple zlib1g-dev unzoo arj zip lzop nomarch arc zoo unarj ftp lsof less libdbi-perl libmail-spf-query-perl libconvert-binhex-perl gcc make autoconf automake1.7 libtool flex bison libldap2 libcompress-zlib-perl dnsutils rblcheck pax libmail-spf-query-perl libdbi-perl libnet-ident-perl cabextract libio-socket-ssl-perl

We are installing a C compiler, some database libraries, some compression/decompression programs and some programs that will make our life a little easier.

We also need to remove some programs for security reasons. Hopefully you don't need PCMCIA or printer support. This server will not need dial-up support either. You will not necessarily have all of these programs installed.

apt-get remove ipchains lpr nfs-common portmap pidentd pcmcia-cs
 pppoe pppoeconf ppp pppconfig uw-imapd qpopper mailagent

Important note: The machine is very vulnerable at this point. Any time you are not working on the spamfilter, you should unplug the ethernet cable! This machine should be connected to the Internet only when necessary to configure it. We need to get all our security measures in place before it "goes live". You will need to leave it plugged in to complete the installation however. If you are familiar with editing files on a Linux system, it might be a good idea to jump ahead to "Create Firewall Rules" and then return here to continue.

******************************************************

The 2 minute vi tutorial:

Index
******************************************************
We are going to use vi (vim actually) to do most of our editing. Fortunately we only need to learn a few commands to be able to accomplish our tasks. There are 3 operating modes in vi. There is the "Command" mode, the "Write" mode and the "Command line" mode. When you first open a file for editing, you are in Command mode. You change to Write mode by entering the letter "i", (short for "insert"). You can edit text pretty much as you would expect in Write mode. You exit out of Write mode and return to Command mode by hitting the [Esc] key. There are many commands that can be learned in Command mode but we only need to learn two more in addition to "i". Those commands are ":" (a colon) and "/" (a forward slash). The colon is used to enter the third mode, the Command line mode and the slash enables the Search command. When you are in Command line mode, you will see a colon at the bottom of the screen. Here is a list of commands we will use while in Command line mode:

:q    quit (provided you have not made any changes) By the way, the lower case q is used often in *nix as a way to exit a screen.
:q! exits vi and discards changes (great when you trashed the file and just want to start over!)
:wq saves the changes and exits vi (write and quit)
:w    saves the current changes but does not exit vi (write)
And in command mode:
G    The capital "G" Goes to the bottom of the page (very handy)

And here is how the Search command works:
/text_to_search_for moves the cursor to the first occurrence of text_to_search_for

Once the first occurrence of the text we searched for is found, use a lower case 'n' to find the next occurrence.

That's all we need to know for now!
If you would like a cheat sheet for additional commands: http://www.fprintf.net/vimCheatSheet.html and http://amath.colorado.edu/computing/unix/vi/

If you install vim from 'testing', vi may no longer use vim (which is what we actually want), so you may need to point vi to vim:

Run this to see which program vi points to:


ls -l /etc/alternatives/vi

If it says it is pointing to nvi or other program instead of vim (like this):
/etc/alternatives/vi -> /usr/bin/nvi

Then we need to fix it so it points to (symbolically links to) vim:


mv /etc/alternatives/vi /etc/alternatives/nvi

ln -s /usr/bin/vim /etc/alternatives/vi

If you run this again:


ls -l /etc/alternatives/vi

You should see that it now links to vim.

******************************************************

Verify System Settings:

Index
******************************************************
We need to take a look at a few important files to make sure they are accurate.

vi /etc/resolv.conf

Make sure our domain name is at the top, in the form:
search example.com

The file should look something like:

search example.com
nameserver 444.444.444.444
nameserver 555.555.555.555

Repair it if it is not. (Use "i", then edit it) remember - the numeric keypad is useless.
If you made changes, Exit the file with [Esc] : wq
If you did not need to change anything, Exit the file with [Esc] : q

vi /etc/hosts

The top of file should look something like:

127.0.0.1		localhost.localdomain	localhost
111.111.111.111		sfa.example.com		sfa

Repair it if it does not (localhost.localdomain is not strictly required).
Remember, use "i" to insert and don't use the numeric keypad.
If the hostname "sfa" is listed on both lines, remove it from the 127.0.0.1 line.
Since we are here, you might as well add any other hosts you would like our spamfilter to know about.
I suggest you (at least) put your internal mail server(s) here.
Simply append any other entries to the bottom of the list.

If you made changes, Exit the file with [Esc] : wq
If you did not need to change anything, Exit the file with [Esc] : q
If you have a mess on your hands, Exit the file with [Esc] : q! and try again.

If you made changes to any of the above files:

reboot
logout

FYI, to power down the system, the command is: shutdown -h now

******************************************************

Change apt-get settings:

Index
******************************************************
In Red Hat you would use "update -u" to get updates to installed packages. In Debian, you use apt-get update (to update the local database of available packages) followed by apt-get upgrade, to install the latest version of any and all packages it found on our system. This is fine because we are using the "stable" version of Debian, but you should not upgrade your system or install packages indiscriminately, especially if you use any packages from the "testing" or "unstable" branches. This could make stuff stop working. Fortunately there is something called "Apt-Pinning" that enables us to prioritize the order of "stable", "testing", and "unstable" software sources. This file has to be created by us. The most succinct explanation of this can be found at http://jaqque.sbih.org/kplug/apt-pinning.html. If you ever use "apt-get upgrade", I strongly recommend using apt-get -s upgrade to "simulate" the upgrade process before you actually upgrade.

This next file is critical to the way our system functions.

vi /etc/apt/preferences

Enter this text in the file ("i" to insert) EXACTLY as shown.
Yes, you can select the text with your mouse, hit [Ctrl]+c , and then right-click in the vi editor window.


Package: *

Pin: release a=stable

Pin-Priority: 600



Package: *

Pin: release a=testing

Pin-Priority: 450



Package: *

Pin: release a=unstable

Pin-Priority: 400

Exit the file with [Esc] : wq as usual.

I recommend you use apt-get -s install [package] before you install any package. It lets you "simulate" what would happen. If you want a package that is an "unstable" or "testing" version, you would have to specifically request the "unstable" or "testing" version or change the priority before you install it (unless the only version is "unstable" or "testing" or your current version is "unstable" or "testing"). For example


apt-get -t unstable install [package].

If you use tools like tasksel, you may have to temporarily change the priority prior to installing a new set of packages. The most stable situation is to only upgrade to new packages if a security flaw is found and make sure you have the ability to completely restore the hard drive if upgrades don't go well. So I don't frighten you too much, the Debian package maintainers are amazing, so apt-get usually works very well.

Use apt-cache to search the local database for available packages.
apt-cache search [search terms] will find packages that sound like what you want and:
apt-cache show [packagename] will return more details on a particular package.
apt-cache showpkg [packagename] will return more details on a particular package.
apt-cache policy [packagename] will return which versions are available along with the priority of each version.
apt-setup will enable you to change mirrors. The alternative is to edit /etc/apt/sources.list manually (which I prefer).
apt-get clean clears the local repository of all retrieved package files.
apt-get autoclean clears the local repository of retrieved package files of programs that are no longer installed.
dpkg -l [packagename] will list the version and a short description of the package we have installed.

You can also search for packages at http://www.debian.org/distrib/packages. At a later time you can study these great instructions for searching your local package database: http://newbiedoc.sourceforge.net/tutorials/apt-get-intro/info.html.en Also grab http://www.oreilly.com/catalog/linuxnut4/chapter/ch05.pdf for later review.

We need to add "unstable" and "testing" sources to our list of available Debian packages.
This modification is critical to the way our system functions.

cp /etc/apt/sources.list /etc/apt/sources.backup

This creates a backup file. Then:

vi /etc/apt/sources.list

At this point, the contents of the file look something like this:

#deb file:///cdrom/ sarge main

deb http://mirrors.kernel.org/debian/ stable main
deb-src http://mirrors.kernel.org/debian/ stable main

deb http://security.debian.org/ stable/updates main

We need to modify this file so the result will look something like this:
(with only the http server unique to your particular system)

deb http://mirrors.kernel.org/debian/ stable main non-free contrib
deb-src http://mirrors.kernel.org/debian/ stable main

deb http://security.debian.org/ stable/updates main

deb http://mirrors.kernel.org/debian/ testing main non-free contrib
deb-src http://mirrors.kernel.org/debian/ testing main

deb http://mirrors.kernel.org/debian/ unstable main non-free contrib
deb-src http://mirrors.kernel.org/debian/ unstable main

Note what I have done here:
The line
#deb file:///cdrom/ sarge main
has been erased. ([up-arrow] to the top of the file and hold down the [Delete] key.)
The 4 bottom lines have been copied from the top 2 lines, and then modified slightly as indicated.
The words "non-free" and "contrib" have been added to 3 of the lines.
You are welcome to simply copy and paste what I have listed above.
Save and exit the file.

Here's a hint on how to quickly make a copy of the first 2 lines:
Enter "i" to get into write mode, highlight the 2 lines with your mouse then right click your mouse in the PuTTY window.

You must run apt-get update next.

apt-get update

If you have any problems, please check for errors in your sources.list file and run apt-get update again.

Now that we have non-free and unstable sources listed, we need to install two more programs:

apt-get install lha unrar

For lha license information see http://lists.debian.org/debian-devel/1999/11/msg00549.html and for rar (unrar) see http://www.rarsoft.com/index.htm

******************************************************

Navigating the system:

Index
******************************************************
A quick word about less. less is a great file and directory viewer.
You can [page-up] and [page-down] and search for text in the same manner you search for text using vi.
Use a lower case "q" to exit less.
To view a file using less:
less /path/file
To view directory contents, pipe it through less:
ls -l | less (current directory, or)
ls -l /path/directory | less

I also like this one:
history | less
then enter an upper case G to go to the bottom of the display.
It displays the commands you have entered previously. Use q to quit. You can even search the same way you do with vi.

I don't mean to break your concentration, but there is another cool tool called locate.
locate allows you to search a database of every file name on the system.
It's kind of like Windows Find. You first have to build the database with the updatedb command, and then you can search through it.
Try this: we are going to use locate and less together:
updatedb
locate kmap | less
What you are looking at is every keymap file on the system along with any file name that has the string "kmap" in it.
Play with it; then "q" to exit less
Now we are going to do something cool.
Take your mouse and highlight any directory you see above, only highlight the directory and not past it.
For example: /usr/share/keymaps/i386/qwerty/
Now right click your mouse anywhere on the screen. You will notice the text has been pasted to the command line.
Now [left-arrow] over to the beginning of the line (or hit [Ctrl]+a) and type in:
cd
Put a space after cd and hit [return]. We just saved ourselves having to type the entire path name just in order to change to that directory. I like that.
OK, simply enter cd to get back home.

Sorry for the diversion.

******************************************************

Create Firewall Rules:

Index
******************************************************
We need to set up some form of firewall on this box. This is a subject that could (and does) fill volumes. We are going to use something quick and simple that will give us a basic firewall. Something is MUCH better than nothing, and we just don't have time to read volumes on the subject right now.

I worked for a couple days trying to figure out what iptables was all about. I tried using tools like lokkit and shorewall and others, only to get frustrated and confused because I kept getting errors and the firewall simply would not work. My best guess is iptables did not like any rules file it did not create itself. Lokkit was a snap in Red Hat, and a nightmare in Debian. That's pretty much how this whole experience went. But I'm learning a LOT more about GNU/Linux by working with Debian. After day 2 it dawned on me iptables is very much like Cisco access lists (which I am a little familiar with).

I am going to give you a set of commands below that I want you to paste into the command line, in the correct order. You MUST change the IP addresses to fit your needs, if you have not already done so. The line with '--dport 22' on it is SSH and the network address to the left needs to be the network that both your computer and the spamfilter computer are on. You could also limit access to a single computer (yours, of course) by using your_ipaddress_goes_here/32. This is a security measure. If you do that part wrong, it will lock you out. The line with '--sport 53' on it are for access to DNS servers. BTW, all you have to do to change your DNS servers is change the entries in /etc/resolv.conf.

If you would like to add more rules in the future or make modifications, simply copy and paste these lines into a text editor like notepad, make the changes you would like, and then copy and paste them to a command prompt in your PuTTY window. You can copy and paste all the lines at once. The first line deletes all the entries that were in the rule-set previously and the next to the last line saves the new rule set. The last line shows how one would load a rules file into iptables. Keep a copy of the text file on your computer and call it firewall-rules.txt. I learned to never edit the /etc/firewall-rules file directly on the spamfilter computer. It looks like iptables will reject the file if anyone other than itself has modified it. I learned that one the hard way.

DO NOT USE AS IS, CHANGE NETWORK ADDRESS FIRST IF YOU HAVE NOT ALREADY DONE SO:
You can copy and paste this whole section to the command prompt:

iptables -F

iptables -N FIREWALL

iptables -F FIREWALL

iptables -A INPUT -j FIREWALL

iptables -A FORWARD -j FIREWALL

iptables -A FIREWALL -p tcp -m tcp --dport 25 --syn -j ACCEPT

iptables -A FIREWALL -p tcp -m tcp -s 222.222.222.222/24 --dport 22 --syn -j ACCEPT

iptables -A FIREWALL -i lo -j ACCEPT

iptables -A FIREWALL -p udp -m udp --sport 53 -j ACCEPT

iptables -A FIREWALL -p tcp -m tcp --sport 53 -j ACCEPT

iptables -A FIREWALL -p udp -m udp --dport 123 -j ACCEPT

iptables -A FIREWALL -p udp -m udp --sport 6277 -j ACCEPT

iptables -A FIREWALL -p udp -m udp --sport 24441 -j ACCEPT

iptables -A FIREWALL -p tcp -m tcp --syn -j REJECT

iptables -A FIREWALL -p udp -m udp -j REJECT

iptables-save > /etc/firewall-rules

iptables-restore < /etc/firewall-rules

Now run:

iptables -L

To list the rule set. This is informational only.

We have written the firewall rules to a file on the spamfilter computer, but iptables starts with an empty rule set each time the computer restarts. The rule set we saved to /etc/firewall-rules must be "loaded" into iptables every time the system starts up.

We are going to insert the command to configure iptables into a file that starts up the network interfaces when the system boots up:

vi /etc/network/interfaces

And insert the following text (remember, it's "i" to insert)
in the blank line just below "iface lo inet loopback":

pre-up iptables-restore < /etc/firewall-rules

Save and exit the file as usual with [Esc] : wq

From now on I will assume you know how to edit, save, and exit files using vi.
If not stated, it will be implied that after editing a file, you need to save and exit it,
or if necessary, discard changes and start over.

Please don't think this is where you would stick any old command you would like.
This is not the place, and not the way, to do so. That's a whole 'nuther subject. This file is the right place (along with /etc/resolv.conf) to change network settings however.

That's all there is to it. You have just used what I believe is the fewest possible steps to create a simple functional personal firewall for this machine. I will admit that it should have been a lot easier by utilizing one of the firewall tools, but it just didn't work out.

At this point our firewall allows external users to connect to SSH and Mail. It also allows replies from Pyzor, DCC, DNS servers and NTP servers. It blocks (I hope) everything else except any sessions that originate from us. This allows us to connect to the outside world. This box should be behind another firewall at any rate. If so, that firewall/screening router will need to be configured to allow tcp port 25 traffic to this machine, but only after this box is fully functional. If you have things locked down really tight; take a look at http://flakshack.com/anti-spam/wiki/index.php?page=Provide+firewall+access for some ideas. Keep in mind we also need udp port 24441 for Pyzor and access to external DNS servers. As far as DCC, Razor and Pyzor go, try them before you start messing with your Internet firewall. I have my spamfilter behind a screening router, a hardware firewall, and software NAT box firewall and none of them required reconfiguration for these programs to work. Port 25 SMTP will probably need to be opened however.

If you have not done so, reboot again and run
iptables -L to verify the firewall loaded during start up.

If you have problems, enter the command iptables -F from the console to clear out iptables. This will allow you another shot at it.

******************************************************

Disable Unnecessary Daemons:

Index
******************************************************
We are now going to remove some services (daemons) that start up at boot time. I only want you to remove the services I have listed below, no more than that. You could (and probably would) end up with an unusable system if you disabled more than this. Our basic system does not start up many services anyway but "you can't hack a service that isn't running". The only secure system is a system that doesn't exist.

Below is a list of commands I found useful to determine what services were running.
Run them one at a time if you care to.

top

ps afx

ps afxl

ps -A

ls -F /etc/rc2.d

lsof -i | grep LISTEN

grep -v "^#" /etc/inetd.conf | sort -u

netstat -pn -l -A inet

netstat -pn -l inet

These are from http://linuxgazette.net/issue89/gonzales.html#4

I also liked the lsconfig script I found here:
http://www.shallowsky.com/software/scripts/lsconfig
Save it as /usr/bin/lsconfig and make it executable.
Like this:

cd /usr/bin

wget http://www200.pair.com/mecham/debian/lsconfig

chmod +x /usr/bin/lsconfig

lsconfig

If you run lsconfig, the stuff just scrolls by on the screen. You can choose "Copy all to Clipboard" from the drop down menu of the PuTTy window. Click on the two little computers in the upper left-hand corner of the PuTTY window to access the menu. Then open a spreadsheet and paste it into it. Play with it from there.

We need to make a backup of the init scripts in /etc/init.d because after we remove some services, the system may delete the scripts.

cp -r /etc/init.d /etc/init.d-original

These commands assume you are not hooking up a printer to this machine and you are not using a laptop to build your spamfilter!
Feel free to copy and paste these next two boxes in their entirety.

Ok, let's just get this done:

/etc/init.d/lpd stop

update-rc.d -f lpd remove

/etc/init.d/nfs-common stop

update-rc.d -f nfs-common remove

/etc/init.d/portmap stop

update-rc.d -f portmap remove

/etc/init.d/pcmcia stop

update-rc.d -f pcmcia remove

/etc/init.d/ppp stop


update-rc.d -f ppp remove

/etc/init.d/exim4 stop

update-rc.d -f exim4 remove

update-rc.d -f ntpdate remove

The inetd service (InterNET Daemon) starts multiple services that can be enabled or disabled individually.

update-inetd --disable time

update-inetd --disable daytime

update-inetd --disable echo

update-inetd --disable chargen

update-inetd --disable ident

update-inetd --disable discard

The last one may ask you a question regarding "multiple entries", answer yes (y).

Restart the service:

/etc/init.d/inetd restart

Check that we got everything:

lsof -i | grep LISTEN

The only daemon you should see is at this point is *:ssh

You may have to run this again:
update-inetd --disable discard

If there are other programs shown, try rebooting and test again.

If you would like to get any of these services back, we can reverse the events.
For example, to enable 'ident' and then refresh inetd, issue these 2 commands:

update-inetd --enable ident
/etc/init.d/inetd restart

For example, to re-enable the printer service, and start it up right now:

update-rc.d lpd defaults
/etc/init.d/lpd start

If you get an error that the file does not exist, first restore it from the backup we made, and then try again:

cp -i /etc/init.d-original/lpd /etc/init.d
update-rc.d lpd defaults
/etc/init.d/lpd start

This is an example only, we actually uninstalled printer support.

We have just made our machine much more secure that when we started. I will talk about additional security measures at the end of this document, but we want to get this thing up and running first! We want to see this puppy actually do something!

You used a few commands above to help you see what services were running before we made changes. Run them again, if you like, to see the effect of disabling them.

******************************************************

Configure the NTP daemon:

Index
******************************************************
We actually may not need to configure the ntp daemon (ntpd). We installed ntp-simple which does a good job of setting everything up for us. It is set up to use a different time server each time the daemon starts up (http://www.pool.ntp.org/). It configures our machine as an ntp client. If you have a favorite ntp server that you wish to use you can edit /etc/ntp.conf and insert it per the example in the file. NTP is a flexible and complex system so I leave it up to you to research it further if you care to.

If you care to choose your own servers from the list of Public NTP Secondary (stratum 2) Time Servers at http://www.eecis.udel.edu/~mills/ntp/clock2a.html we can use the little ntpdate program to quickly test them prior to insertion in /etc/ntp.conf:

For example:

/etc/init.d/ntp-server stop
ntpdate clock.fmt.he.net
ntpdate ntp1.tummy.com
/etc/init.d/ntp-server start

By the way, the command to modify the date and time is date and to change the time zone it's tzconfig

******************************************************

Installing Programs:

Index
******************************************************
This is a new system, so let's make sure everything is current:

apt-get upgrade

Upgrading certain programs may bring up dialog boxes requiring you to respond to configuration questions. Typically, the default answers are OK.

If the kernel is upgraded, once the upgrade process is complete, you must:
reboot

One of the Perl modules amavisd-new needs is Compress::Zlib (version 1.35 or newer). The Debian 'stable' version of this module (libcompress-zlib-perl) is at version 1.34. If we install the 'testing' version of this program on a system running the 'stable' release, the program is configured to install a new version of Perl and other critical system files. If you are running 'stable', I DO NOT want this to happen so we will download and install Compress::Zlib manually. If the download fails, Google for Compress-Zlib-1.41.tar.gz in order to find another download location.


cd /usr/local/src

wget http://search.cpan.org/CPAN/authors/id/P/PM/PMQS/Compress-Zlib-1.41.tar.gz

tar xzvf Compress-Zlib-1.41.tar.gz

cd Compress-Zlib-1.41

perl Makefile.PL

make && make test && make install

cd

If all goes well, the last thing you will see is: "Appending installation info to /usr/local/lib/perl/5.8.4/perllocal.pod"

Note that when we manually install Perl programs like this, the Debian version will be ignored because Perl will find this program first.

To avoid any compatibility problems with Net::Server, please read this:



http://www200.pair.com/mecham/spam/net-server.html

We'll use apt-get to download and install most of our core programs. Note that when we install Postfix, apt-get is smart enough to remove exim4 (because it conflicts with Postfix). This document is based of the following versions of these programs: postfix 2.1.x spamassassin 3.0.3 amavisd-new 2.4.2. The instructions may differ significantly if newer (or older) versions are installed. Please run:

apt-cache policy postfix spamassassin amavisd-new

This will give output similar to the following:

postfix:
  Installed: (none)
  Candidate: 2.1.5-9
  Version Table:
     2.2.10-1 0
        400 http://mirrors.kernel.org unstable/main Packages
     2.2.4-1.0.1 0
        450 http://mirrors.kernel.org testing/main Packages 
     2.1.5-9 0
        600 http://mirrors.kernel.org stable/main Packages
spamassassin:
  Installed: (none)
  Candidate: 3.0.3-2
  Version Table:
     3.1.0a-2 0
        450 http://mirrors.kernel.org testing/main Packages
        400 http://mirrors.kernel.org unstable/main Packages
     3.0.3-2 0
        600 http://security.debian.org stable/updates/main Packages
        600 http://mirrors.kernel.org stable/main Packages
amavisd-new:
  Installed: (none)
  Candidate: 20030616p10-5
  Version Table:
     1:2.3.3-2 0
        400 http://mirrors.kernel.org unstable/main Packages
     20030616p10-5 0
        600 http://mirrors.kernel.org stable/main Packages
        450 http://mirrors.kernel.org testing/main Packages

This tells us there are newer versions of Postfix available in the "testing" and "unstable" branches. Once we have completed our setup, you can optionally upgrade to the newer version by simply installing it using "apt-get -t testing install [list of packages]". Note that if you decide to install the testing version of Postfix, some other important system files will also get upgraded to the testing version (notably libc6, libc6-dev and locales). When mixing testing with stable, there is always some potential of future problems with program dependencies, but generally, Debian is very smart about these issues. The more cautious person would not upgrade. I have experienced problems with new versions of libc6 when using a 2.4 version of the Linux kernel. I had to upgrade to a 2.6 kernel to solve the problem. The report shows there is a newer version of SpamAssassin available. We can also upgrade SpamAssassin to the new version once our install is done, or you can install the new 3.1 version now. It shows us there is an unstable version of amavisd-new available, but we are NOT going to install it. The configuration files for that new Debian version are not consistent with the typical way amavisd-new is configured. Instead of one configuration file, this new version splits the configuration files into half a dozen files in a couple different directories. We will instead install an old version of amavisd-new. We need to install this old version via apt-get because it creates the amavis user and group, installs several scripts for startup and maintenance, creates the directory structure and installs other ancillary files. We will manually install the author's version 2.4.2 of amavisd-new over the top of 20030616-p10. So with this in mind:

apt-get -t stable install amavisd-new

apt-get install razor pyzor

If you would like to install the newer version of spamassassin:
apt-get install spamassassin/testing

Otherwise:
apt-get install spamassassin

apt-get install postfix postfix-pcre postfix-mysql postfix-ldap

Debconf will pop up a Postfix configuration screen.
For [General type of configuration?] select:
No configuration

Make a few of directories, limit unauthorized users from writing to the amavis directory and create a symbolic link. The symbolic link is created so we can use the original author's version of the amavisd-new executable:

mkdir /root/.spamassassin
mkdir /var/lib/amavis/tmp
mkdir /var/lib/amavis/db
mkdir /var/lib/amavis/var
chown -R amavis:amavis /var/lib/amavis
chmod -R 750 /var/lib/amavis
ln -s /etc/amavis/amavisd.conf /etc/amavisd.conf

We are going to replace amavisd-new version 20030616-p10 with 2.4.2. The amavisd.conf file that I have you download here is very close to the standard amavisd.conf file that is supplied with version 2.4.2, but it has been modified to work with our Debian installed package. We will also get a Debian compatible amavisd.conf-sample file we can use as a reference for many of the settings amavisd-new uses.

Now we will replace our (currently unconfigured) amavisd-new version 20030616-p10 with version 2.4.2.


amavisd-new stop

cd /usr/local/src

wget http://www.ijs.si/software/amavisd/amavisd-new-2.4.2.tar.gz


tar xzvf amavisd-new-2.4.2.tar.gz

rm amavisd-new-2.4.2.tar.gz

cd amavisd-new-2.4.2

cp amavisd amavisd-new

cp amavisd-new /usr/sbin/amavisd-new-2.4.2

cp /usr/sbin/amavisd-new /usr/sbin/amavisd-new-20030616p10

cp /usr/sbin/amavisd-new-2.4.2 /usr/sbin/amavisd-new

cd /etc/amavis

mv amavisd.conf amavisd.conf-20030616p10

wget http://www200.pair.com/mecham/amavisd/2.4.2/amavisd.conf

wget http://www200.pair.com/mecham/amavisd/2.4.2/amavisd.conf-sample

To prevent the Debian version of amavisd-new from installing over our custom one when we run 'apt-get upgrade', place the package on hold:
echo "amavisd-new hold" | dpkg --set-selections

******************************************************

Postfix Configuration Part 1:

Index
******************************************************
We need some sample files from the Postfix source code, note that the source code we grab here is the original source code, before it is modified by the Debian package maintainers:

cd /usr/local/src
wget http://ftp.debian.org/debian/pool/main/p/postfix/postfix_2.1.5.orig.tar.gz
tar xzvf postfix_2.1.5.orig.tar.gz

We always place our source code in /usr/local/src.

List the contents of this directory:

ls -l

When we unpacked the source code, we created a new directory called postfix-2.1.5. Make sure you are still in the /usr/local/src directory, then remove the file we downloaded with the command:

rm postfix*

You will get an error like "rm: cannot remove `postfix-2.1.5': Is a directory". That's good; we didn't want to remove the directory.

We now have a number of Postfix sample files. We want to make use of those sample files so we will copy them to the /etc/postfix directory.

The second line below will need to be edited if you have a different version of the Postfix source code.
MAKE SURE you answer "n" to "overwrite?" Do each section separately.

cp -i /usr/share/postfix/main.cf.debian /etc/postfix/main.cf

cp -i /usr/local/src/postfix-2.1.5/conf/* /etc/postfix

cp -i /etc/postfix/header_checks /etc/postfix/body_checks

cp -i /etc/postfix/access /etc/postfix/sender_access

******************************************************

Edit master.cf:

Index
******************************************************
Read this before you complete this section.
If you are using Postfix version 2.1.x, 2.2.x or 2.3.x, I have done the work of configuring master.cf for you and you may simply download the file from me. If you wish to use this file, follow the first 4 steps below.

The master.cf we download here can be used with Postfix versions 2.3.x, 2.2.x and 2.1.x

postfix stop
cd /etc/postfix
mv master.cf master.cf-original
wget http://www200.pair.com/mecham/debian-postfix-2.2-amavisd/master.cf

Note that wget will not normally overwrite an existing file, so we "moved" master.cf to another file first.
Now you can simply jump to Edit Main.cf:

If you wish to do the work yourself, continue on.

postfix stop
vi /etc/postfix/master.cf

Next, we want to give Postfix some information it will need to talk to the amavisd-new program. (BTW, watch out for the two Postfix configuration files, both located in the /etc/postfix folder. More than one admin has gotten confused between "master.cf" and "main.cf"!)

Add these lines near the bottom of master.cf. Note: the items on these lines are separated by tabs. And the "-o" is the lower case letter o, not zero. These settings are from http://www.ijs.si/software/amavisd/README.postfix. You can copy and paste this entire section once the cursor is in the correct position (see below) and you are in insert mode. Note: when copying sections like this that contain tabs, rather than using a right click of the mouse to paste into the editor, press [Shift]+[Insert]:

smtp-amavis	unix	-	-	-	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o smtp_send_xforward_command=yes
	-o disable_dns_lookups=yes
	-o max_use=20

127.0.0.1:10025	inet	n	-	-	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_delay_reject=no
	-o smtpd_client_restrictions=permit_mynetworks,reject
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o smtpd_data_restrictions=reject_unauth_pipelining
	-o smtpd_end_of_data_restrictions=
	-o mynetworks=127.0.0.0/8
	-o smtpd_error_sleep_time=0
	-o smtpd_soft_error_limit=1001
	-o smtpd_hard_error_limit=1000
	-o smtpd_client_connection_count_limit=0
	-o smtpd_client_connection_rate_limit=0
	-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

We also need to add two items below the 'pickup' service type. The 'pickup' service 'picks up' local mail (local meaning "on this machine") and delivers it. Later we will create a daily/weekly report that this box will mail to us and because the report will contain contents that will classify the report itself as spam, this is a way to bypass content filtering for mail generated by this machine.

Add this just below the 'pickup' service type:

	 -o content_filter=
	 -o receive_override_options=no_header_body_checks

When you are all done, the table and the lines right after it should end up looking like this:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#	-o smtpd_etrn_restrictions=reject
#	-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
	-o content_filter=
	-o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache	  unix  -       -       -       -       1       scache
#
smtp-amavis	unix	-	-	-	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o smtp_send_xforward_command=yes
	-o disable_dns_lookups=yes
	-o max_use=20

127.0.0.1:10025	inet	n	-	-	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_delay_reject=no
	-o smtpd_client_restrictions=permit_mynetworks,reject
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o smtpd_data_restrictions=reject_unauth_pipelining
	-o smtpd_end_of_data_restrictions=
	-o mynetworks=127.0.0.0/8
	-o smtpd_error_sleep_time=0
	-o smtpd_soft_error_limit=1001
	-o smtpd_hard_error_limit=1000
	-o smtpd_client_connection_count_limit=0
	-o smtpd_client_connection_rate_limit=0
	-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

(Don't worry about the stuff below this part displayed above - you won't need to change any of those rows, and they are all listed as "pipe" in the last column.)

******************************************************

Edit main.cf:

Index
******************************************************
Our next friend is the file /etc/postfix/main.cf the main configuration file for Postfix. Following are suggested values to use in main.cf. These have been tested for this configuration and will work fine, but there are many judgment calls involved in this, and it is a good idea at some point to learn more about Postfix configuration, on your own. You could first look at the sample Postfix main.cf file /usr/share/postfix/main.cf.dist . There are comments describing some of the most common options. Refer also to the Postfix documents on your machine in the


/usr/local/src/postfix-2.1.5/README_FILES

directory, or read the documentation on the Postfix web site http://www.postfix.org/documentation.html. I also recommend http://www.postfix-book.com/.

Since we are setting up our spamfilter to relay all of its mail to another server, we will be using what Postfix considers a "relay domain address class" which essentially means that we will use, out of the 300+ configurable parameters in Postfix, a small group of parameters that serves our purpose best. This address class is described here: http://www.postfix.org/ADDRESS_CLASS_README.html#relay_domain_class. We are also acting as a primary MX for another server so please read this appropriate section: http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

It is common in Postfix to store items in lookup tables. We are going to use several hash tables to store data that Postfix will use. Once we have plain text data in these tables, we use the postmap command to create binary files (Berkeley DB format) that Postfix will ultimately use to retrieve the data. For example, if you have a file called "filename" and you "postmap filename", a new file is created "filename.db". Postfix will retrieve data from "filename.db", not "filename". There are more than a dozen other types of data files that Postfix can use to store data. Hash tables are an appropriate choice for several tables we will use, and pcre (Perl Compatible Regular Expressions) is appropriate for a couple tables we will use to hold content filtering data. In its simplest form a hash table is comprised of 2 pieces of data, a key and a value; typically referred to as the key/value pair. The key and the value are separated with whitespace (typically a space or tab). The data in a typical table that we use in Postfix would look something like:
user1@example.com OK
user2@example.com OK
user1@example2.com OK
Suggested reading: http://www.postfix.org/DATABASE_README.html

OK, lets get going. Note: in commands, wherever quote marks " " are used, use them. Rather than editing main.cf directly (which you may nonetheless do, if you prefer) we'll use a handy tool that comes with Postfix, named "postconf". We will use the -e switch, which means to "edit" main.cf.

We simply need to make a correction to the default setting here:

postconf -e "alias_maps = hash:/etc/aliases"

Now we will create from the text version of the aliases file, the binary version that Postfix will actually use. We do not need to edit the aliases file at this time but it would be a good idea to do so simply to view the contents. You need to run newaliases now, and every time after you edit the aliases file. The newaliases command is just like postmap except that it's specific to the aliases file.

newaliases

You will see there is now an "aliases.db" file in /etc/. That is what Postfix reads. Now that you have a proper aliases file, it appears that because we are going to configure our system to relay all mail (no mail will be locally delivered), the aliases file will be ignored by Postfix. We instead will set up virtual_alias_maps that we can use for address rewriting should we need to. Other programs may read/write to the /etc/aliases file, so we do not remove it.

myorigin The domain name that mail created on this machine appears to come from. For example, if one of our programs (cron for example) sends mail to "root" it will be sent to "root@example.com".

postconf -e "myorigin = example.com"

Obviously, in the above, and all the following commands, replace my example parameters, like "example.com", with your own specific values.

myhostname The fully-qualified domain name (FQDN) of the machine running the Postfix system.

postconf -e "myhostname = sfa.example.com"

mynetworks These are the machines I trust, and will relay mail for, to any destination. Generally, this is set to my LAN, or just one, or a few trusted internal mail servers. Along with "relay_domains", this is an important one to get right lest you run the possibility of becoming an "open relay". In other words, your box could accept and forward mail to domains for which it has no business doing so. Being an open relay is a serious issue, and can cause you to get blacklisted by various Internet anti-spam lists, among other problems. You can specify a single computer, multiple individual computers, or any computer on a specified network. You can also exclude certain hosts in your network by preceding the IP address with an exclamation point. If you are using a NAT router that substitutes the real client IP address with its own, then you should also exclude the IP address of the NAT router from mynetworks. If you will be dealing with multiple internal mail servers, and/or want to allow several machines and/or subnets to relay through this server (careful!), just add them to this parameter in CIDR format, like this:

Please read important notes above.

postconf -e "mynetworks = 127.0.0.0/8, 222.222.222.222/24, 10.10.10.10/24"

The above will allow the machines on the networks 222.222.222.222/24, and 10.10.10.10/24 to relay smtp mail through this box. You could also specify a single computer's IP address. If you only know your dotted decimal netmask (i.e. 255.255.255.240) and need to convert it to CIDR format, try the http://www.wildpackets.com/products/free_utilities/ipsubnetcalc/overview. (Input an IP address on your network, select the subnet info tab, select your subnet mask, your network is Subnet ID/Mask Bits.) Or simply take a look at http://www.belchfire.net/webtools/cidr_conversion_table.html.

message_size_limit Maximum size email that Postfix will let in the "front door".

postconf -e "message_size_limit = 10485760"

The above allows email up to 10MB, the value is in bytes (10*1024*1024). Mail larger than this may possibly get bypassed by the anti-virus scanner (ClamAV). You could increase this if you also configure ClamAV to scan files larger than 10MB. I'm really not sure, but if any process keeps the entire message in RAM while it is being processed, and you get a lot of large messages in a short time period, and you allow message_size_limit to get much larger, you might need more RAM. At any rate, if you increase this, use 'top' to keep an eye on memory usage.

local_transport Give an error message for local delivery attempts.

postconf -e "local_transport = error:no local mail delivery"

mydestination An empty mydestination tells Postfix this machine is not the final destination.

postconf -e "mydestination = "

local_recipient_maps An empty local_recipient_maps tells Postfix there are no local mailboxes.

postconf -e "local_recipient_maps = "

virtual_alias_maps Our spamfilter must be able to receive mail for postmaster@[111.111.111.111]. Reportedly, some things actually expect this ability to exist. We will also allow mail to abuse@[111.111.111.111]. Since we do not allow local mail delivery, mail addressed to our spamfilter IP address will get rejected with an error message. Setting up virtual_alias_maps allows email to these two accounts to be forwarded to an inside address. Make sure your Exchange server is set up to receive messages addressed to "root", "postmaster" and "abuse".

Set up a reference to the virtual file:
postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"

Then edit the virtual file:
vi /etc/postfix/virtual

and add postmaster and admin in the format:


postmaster postmaster@example.com

abuse abuse@example.com

Save and exit the file, then create the binary file that Postfix will use:
postmap /etc/postfix/virtual

relayhost Generally speaking, if this machine is on an internal network, you need to configure 'relayhost'. If it is on the Internet serving as a gateway server, you would optionally configure 'relayhost', but normally you would not. The relayhost is the email server you wish to use to send outbound email. The outbound email I'm talking about is the non-local mail, mail bound for domains other than ours, not the normal email that comes from outside the system and is bound for your internal mailboxes (we use /etc/postfix/transport to route those). At this time you are using a machine other than this one to send mail out to the Internet so you should place the IP address of that machine here (the brackets must be there). If preferred, you can use a host name instead of an IP address (keep the brackets, i.e. [gateway.example.com]). If this is blank, or not configured, then our spamfilter will be used for that purpose. You can certainly do that, but if you do, you should first have your reverse DNS record in place and of course your "A" record and "MX" record so other servers on the Internet will accept your mail. If these are not yet in place, it is very useful to temporarily configure relayhost.

postconf -e "relayhost = [666.666.666.666]"

You can optionally reconfigure your clients and other SMTP servers to use our spamfilter for their outgoing mail. Keep in mind that if you use your spamfilter as your outbound SMTP server that your outbound mail will go through the same scanning process as your inbound mail (unless you find some fancy tweaks to prevent it). I recommend using relayhost if you wish to offload NDRs and other DSNs. If you use this setting make sure the relayhost you designate is configured to accept email from this machine and THAT machine is not using THIS machine for ITS outgoing mail (can you say "loop"?)

relay_recipient_maps - We are going to build a table of every single user in every single domain that we accept mail for. This table will be used to reject mail that is addressed to nonexistent users in our domain(s). Don't freak out just yet. At this time we are only going to set up the structure of the table. Then you will come back to this after your spamfilter is functional and work on finding an automated process that can be used to populate the database. Or, if you have a manageable number of users, manually enter them. If this proves too daunting a task, we may have to rely on the Exchange server to do the 'user unknown' rejects. In some cases you might be able to use reject_unverified_recipient as an alternative. If you are in fact using Exchange, there are HOWTOs available that describe automating the process of building the relay_recipients table. It has been very common of late for spammers to launch 'dictionary attacks'; sending thousands of messages to a domain using fabricated user names. Our spamfilter will have to process each and every one of these unless you put your valid users in the relay_recipients table. Don't underestimate the importance of this and make sure you are not the only one in your organization who knows how to make changes to this file.

Set up a reference to a file we will create to store the data:
postconf -e "relay_recipient_maps = hash:/etc/postfix/relay_recipients"

Then edit that file:
vi /etc/postfix/relay_recipients

For the moment, we are going to accept mail for all users in our domain(s) so enter each domain you accept mail for in the format:


@example.com OK

@example2.com OK

@example3.com OK

Then create the binary file that Postfix will use:
postmap /etc/postfix/relay_recipients

The entries above are temporary. They are wildcards that allow mail to your domains. You MUST remove the entries above at some point in the near future and replace them with every single one of your valid recipients' email addresses. When you are ready to enter each user individually in the relay_recipients file, you would first remove (or comment out) the data above that allows mail to all users in the domain, and then list each user individually in the form:
user1@example.com OK
user2@example.com OK
user3@example.com OK

Actually, in this particular file the value "OK" listed after each user is not used for anything, but something must be there because a hash table requires a value after the key. Note that by eli