Premessa, quanto segue è una soluzione SOLO per gli Amministratori di Sistema, perchè il sistema venga “digerito” dagli utenti furbacchioni è indispensabile:
– convocarli tutti (se ci stanno in un’unica stanza)
– spiegare i motivi che rendono indispensabile l’adozione del seguente “sistema”
– mostrare con degli esempi (inviando e ricevendo posta) come si comporterà il nuovo sistema e cosa dovranno fare i singoli operatori.
Per provare a “tamponare” il problema connesso all’eccessiva dimensione delle cassette di posta elettronica che abitualmente gli utenti “sconsiderati” utilizzano in modo improprio è possibile adottare la seguente soluzione:
– tutti gli allegati di posta elettronica che superato una specifica dimensione vengono rimossi dal body del messaggio stesso
– gli allegati rimossi vengono posizionati su di una specifica cartella di rete e condivisi tramite un server Web
– il body del messaggio viene modificato indicando esplicitamente che il messaggio di posta elettronica è stato rimosso dal messaggio stesso e che l’allegato è reperibile ad uno specifico URL
– successivamente gli allegati restano disponibili per un periodo specifico di tempo (es. 3 mesi) dopodichè gli allegati vengono cancellati dal sistema Vantaggi: – le cassette postali rimangono “leggere”
– gli utenti sono costretti ad archiviare opportunamente gli allegati ricevuti entro il termine prestabilito
– la posta elettronica viene utilizzata come tale (NON più come sistema di storage).
NB. per l’installazione del server è stata usata la versione squeeze di Debian
Elenco link utili:
http://www.mimedefang.com/faq http://www.mickeyhill.com/mimedefang-howto/#ss3.1
Lo schema di funzionamento per la POSTA IN ENTRATA sarà qualcosa di simile:
smtp-esterno –> (ASSP –> QMAIL) –> sendmail –> mimedefang –> SRVPOSTAINTERNO
Lo schema di funzionamento per la POSTA IN USCITA sarà qualcosa di simile:
SRVPOSTAINTERNO –> sendmail –> mimedefang –> (ASSP –> QMAIL) –> smtp-esterno
Gli allegati di posta elettronica vengono posizionati in /allegatiposta (si tratta di un disco dedicato e montato in automatico in fase di avvio)
# cat /etc/fstab /dev/vdb1 /allegatiposta ext3 rw 0 0
alla cartella /allegatiposta sono stati assegnati i seguenti permessi
chown defang:www-data /allegatiposta chmod 750 /allegatiposta
Apache è stato configurato nel modo seguente:
# cat /etc/apache2/sites-available/default <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /allegatiposta <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /allegatiposta> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> # ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ # <Directory "/usr/lib/cgi-bin"> # AllowOverride None # Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch # Order allow,deny # Allow from all # </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined # Alias /doc/ "/usr/share/doc/" # <Directory "/usr/share/doc/"> # Options Indexes MultiViews FollowSymLinks # AllowOverride None # Order deny,allow # Deny from all # Allow from 127.0.0.0/255.0.0.0 ::1/128 # </Directory> </VirtualHost>
Elenco pacchetti installati:
– sendmail
– mimedefang
– apache2 SENDMAIL + MIMEDEFANG
La configurazione dei file di sendmail va fatta in due passaggi distinti:
– modificare i file di configurazione (template)
– compilare i file di configurazione
# apt-get install sendmail # apt-get install mimedefang
– modificare il file /etc/mail/access e “compilarlo” con il seguente comando
#makemap hash /etc/mail/access.db < /etc/mail/access
# cat /etc/mail/access Connect:localhost RELAY GreetPause:localhost 0 ClientRate:localhost 0 ClientConn:localhost 0 Connect:127 RELAY GreetPause:127 0 ClientRate:127 0 ClientConn:127 0 #Connect:IPv6:::1 RELAY #GreetPause:IPv6:::1 0 #ClientRate:IPv6:::1 0 #ClientConn:IPv6:::1 0 Connect:SRVPOSTAINTERNO RELAY GreetPause:SRVPOSTAINTERNO 0 ClientRate:SRVPOSTAINTERNO 0 ClientConn:SRVPOSTAINTERNO 0
– modificare opportunamente il file /etc/mail/sendmail.mc
divert(-1)dnl #----------------------------------------------------------------------------- # $Sendmail: debproto.mc,v 8.14.3 2010-01-29 14:02:50 cowboy Exp $ # # Copyright (c) 1998-2008 Richard Nelson. All Rights Reserved. # # cf/debian/sendmail.mc. Generated from sendmail.mc.in by configure. # # sendmail.mc prototype config file for building Sendmail 8.14.3 # # Note: the .in file supports 8.7.6 - 9.0.0, but the generated # file is customized to the version noted above. # # This file is used to configure Sendmail for use with Debian systems. # # If you modify this file, you will have to regenerate /etc/mail/sendmail.cf # by running this file through the m4 preprocessor via one of the following: # * make (or make -C /etc/mail) # * sendmailconfig # * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf # The first two options are preferred as they will also update other files # that depend upon the contents of this file. # # The best documentation for this .mc file is: # /usr/share/doc/sendmail-doc/cf.README.gz # #----------------------------------------------------------------------------- divert(0)dnl # # Copyright (c) 1998-2005 Richard Nelson. All Rights Reserved. # # This file is used to configure Sendmail for use with Debian systems. # define(`_USE_ETC_MAIL_')dnl include(`/usr/share/sendmail/cf/m4/cf.m4')dnl VERSIONID(`$Id: sendmail.mc, v 8.14.3-5+lenny1 2010-01-29 14:02:50 cowboy Exp $') OSTYPE(`debian')dnl DOMAIN(`debian-mta')dnl dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS= dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE dnl # dnl # General defines dnl # dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot() dnl # into this directory before writing files. dnl # If *all* your user accounts are under /home then use that dnl # instead - it will prevent any writes outside of /home ! dnl # define(`confSAFE_FILE_ENV', `')dnl dnl # dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!! dnl # Remove `, Addr=' clauses to receive from any interface dnl # If you want to support IPv6, switch the commented/uncommentd lines dnl # FEATURE(`no_default_msa')dnl dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl dnl DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl dnl DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea')dnl dnl # dnl # Be somewhat anal in what we allow dnl # define(`confPRIVACY_FLAGS',dnl dnl # `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl dnl # dnl # Define connection throttling and window length dnl define(`confCONNECTION_RATE_THROTTLE', `15')dnl dnl define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl dnl # dnl # Features dnl # dnl # use /etc/mail/local-host-names dnl FEATURE(`use_cw_file')dnl dnl # dnl # The access db is the basis for most of sendmail's checking FEATURE(`access_db', , `skip')dnl dnl # dnl # The greet_pause feature stops some automail bots - but check the dnl # provided access db for details on excluding localhosts... dnl FEATURE(`greet_pause', `1000')dnl 1 seconds dnl # dnl # Delay_checks allows sender<->recipient checking dnl FEATURE(`delay_checks', `friend', `n')dnl dnl # dnl # If we get too many bad recipients, slow things down... dnl # define(`confBAD_RCPT_THROTTLE',`3')dnl dnl # dnl # Stop connections that overflow our concurrent and time connection rates dnl FEATURE(`conncontrol', `nodelay', `terminate')dnl dnl FEATURE(`ratecontrol', `nodelay', `terminate')dnl dnl # dnl # If you're on a dialup link, you should enable this - so sendmail dnl # will not bring up the link (it will queue mail for later) dnl define(`confCON_EXPENSIVE',`True')dnl dnl # dnl # Dialup/LAN connection overrides dnl # dnl include(`/etc/mail/m4/dialup.m4')dnl dnl include(`/etc/mail/m4/provider.m4')dnl dnl # dnl # Default Mailer setup MAILER_DEFINITIONS define(`SMART_HOST', `SRVPOSTAINTERNO')dnl INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')dnl MAILER(`local')dnl MAILER(`smtp')dnl
eseguire il seguente comando per compilare i file di configurazione di sendmail e confermare tutte le opzioni
sendmailconfig
– modificare opportunamente il file /etc/mail/mimedefang-filter
# -*- Perl -*- #*********************************************************************** # # mimedefang-filter # # Suggested minimum-protection filter for Microsoft Windows clients, plus # SpamAssassin checks if SpamAssassin is installed. # # Copyright (C) 2002 Roaring Penguin Software Inc. # # This program may be distributed under the terms of the GNU General # Public License, Version 2, or (at your option) any later version. # # $Id$ #*********************************************************************** #*********************************************************************** # Set administrator's e-mail address here. The administrator receives # quarantine messages and is listed as the contact for site-wide # MIMEDefang policy. A good example would be 'defang-admin@mydomain.com' #*********************************************************************** $AdminAddress = 'ced@MIODOMINIO'; $AdminName = "Amministratori di Rete"; #*********************************************************************** # Set the e-mail address from which MIMEDefang quarantine warnings and # user notifications appear to come. A good example would be # 'mimedefang@mydomain.com'. Make sure to have an alias for this # address if you want replies to it to work. #*********************************************************************** $DaemonAddress = 'mimedefang@MIODOMINIO'; #*********************************************************************** # If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard # to add warnings directly in the message body (text or html) rather # than adding a separate "WARNING.TXT" MIME part. If the message # has no text or html part, then a separate MIME part is still used. #*********************************************************************** $AddWarningsInline = 1; #*********************************************************************** # To enable syslogging of virus and spam activity, add the following # to the filter: # md_graphdefang_log_enable(); # You may optionally provide a syslogging facility by passing an # argument such as: md_graphdefang_log_enable('local4'); If you do this, be # sure to setup the new syslog facility (probably in /etc/syslog.conf). # An optional second argument causes a line of output to be produced # for each recipient (if it is 1), or only a single summary line # for all recipients (if it is 0.) The default is 1. # Comment this line out to disable logging. #*********************************************************************** # md_graphdefang_log_enable('mail', 1); #*********************************************************************** # Uncomment this to block messages with more than 50 parts. This will # *NOT* work unless you're using Roaring Penguin's patched version # of MIME tools, version MIME-tools-5.411a-RP-Patched-02 or later. # # WARNING: DO NOT SET THIS VARIABLE unless you're using at least # MIME-tools-5.411a-RP-Patched-02; otherwise, your filter will fail. #*********************************************************************** # $MaxMIMEParts = 50; #*********************************************************************** # Set various stupid things your mail client does below. #*********************************************************************** # Set the next one if your mail client cannot handle multiple "inline" # parts. $Stupidity{"NoMultipleInlines"} = 1; # Detect and load Perl modules detect_and_load_perl_modules(); #*********************************************************************** # %PROCEDURE: filter_begin # %ARGUMENTS: # $entity -- the parsed MIME::Entity # %RETURNS: # Nothing # %DESCRIPTION: # Called just before e-mail parts are processed #*********************************************************************** sub filter_begin { my($entity) = @_; # Copy original message into work directory as an "mbox" file for # virus-scanning md_copy_orig_msg_to_work_dir_as_mbox_file(); } #*********************************************************************** # %PROCEDURE: filter # %ARGUMENTS: # entity -- a Mime::Entity object (see MIME-tools documentation for details) # fname -- the suggested filename, taken from the MIME Content-Disposition: # header. If no filename was suggested, then fname is "" # ext -- the file extension (everything from the last period in the name # to the end of the name, including the period.) # type -- the MIME type, taken from the Content-Type: header. # # NOTE: There are two likely and one unlikely place for a filename to # appear in a MIME message: In Content-Disposition: filename, in # Content-Type: name, and in Content-Description. If you are paranoid, # you will use the re_match and re_match_ext functions, which return true # if ANY of these possibilities match. re_match checks the whole name; # re_match_ext checks the extension. See the sample filter below for usage. # %RETURNS: # Nothing # %DESCRIPTION: # This function is called once for each part of a MIME message. # There are many action_*() routines which can decide the fate # of each part; see the mimedefang-filter man page. #*********************************************************************** sub filter { my($entity, $fname, $ext, $type) = @_; return if message_rejected(); # Avoid unnecessary work # Block message/partial parts if (lc($type) eq "message/partial") { md_graphdefang_log('message/partial'); action_bounce("MIME type message/partial not accepted here"); return action_discard(); } # sposto gli allegati superiori ad una certa dimensione in una cartella accessibile # tramite webserver $size = (stat($entity->bodyhandle->path))[7]; if ($size > 2000000) { return action_replace_with_url($entity, "/allegatiposta", "http://IndirizzoDelServerWebDoveSarannoPubblicatiGliAllegati", "Uno degli allegati e' piu' grande di 2MB.\n" . "NB. l'allegato verrà rimosso in automatico entro 90 giorni dalla data odierna.\n" . "L'allegato puo essere scaricato direttamente a questo indirizzo\n\n" . "\t_URL_\n"); } return action_accept(); } #*********************************************************************** # %PROCEDURE: filter_multipart # %ARGUMENTS: # entity -- a Mime::Entity object (see MIME-tools documentation for details) # fname -- the suggested filename, taken from the MIME Content-Disposition: # header. If no filename was suggested, then fname is "" # ext -- the file extension (everything from the last period in the name # to the end of the name, including the period.) # type -- the MIME type, taken from the Content-Type: header. # %RETURNS: # Nothing # %DESCRIPTION: # This is called for multipart "container" parts such as message/rfc822. # You cannot replace the body (because multipart parts have no body), # but you should check for bad filenames. #*********************************************************************** sub filter_multipart { my($entity, $fname, $ext, $type) = @_; return if message_rejected(); # Avoid unnecessary work # Block message/partial parts if (lc($type) eq "message/partial") { md_graphdefang_log('message/partial'); action_bounce("MIME type message/partial not accepted here"); return; } return action_accept(); } #*********************************************************************** # %PROCEDURE: defang_warning # %ARGUMENTS: # oldfname -- the old file name of an attachment # fname -- the new "defanged" name # %RETURNS: # A warning message # %DESCRIPTION: # This function customizes the warning message when an attachment # is defanged. #*********************************************************************** sub defang_warning { my($oldfname, $fname) = @_; return "L'allegato di nome '$oldfname' e' stato convertito in '$fname'.\n"; } # If SpamAssassin found SPAM, append report. We do it as a separate # attachment of type text/plain sub filter_end { my($entity) = @_; # No sense doing any extra work return if message_rejected(); # I HATE HTML MAIL! If there's a multipart/alternative with both # text/plain and text/html parts, nuke the text/html. Thanks for # wasting our disk space and bandwidth... # If you want to strip out HTML parts if there is a corresponding # plain-text part, uncomment the next line. # # NB. questo è molto interessante ma prima di abilitarlo valutate bene eventuali conseguenze !! # #remove_redundant_html_parts($entity); md_graphdefang_log('mail_in'); } # DO NOT delete the next line, or Perl will complain. 1;
– verificare la sintassi del file mimedefan-filter
mimedefang.pl -test
– per rendere effettive le modifiche applicate al file mimedefang-filter
/etc/init.d/mimedefang reread /etc/init.d/mimedefang restart
La rimozione degli allegati ritenuti obsoleti viene effettuata in automatico tramite un comando schedulato tramite cron.
cat /etc/cron.d/cancellaallegatiobsoleti # m h dom mon dow user command 05 20 * * * root find /allegatiposta -atime 90 -type f -exec rm {} \; gli allegati rimossi NON devono essere sostituiti con altrettanti allegati testuali contententi il messaggio e il link all'allegato rimosso, ma vogliamo che il link stesso venga aggiunto direttamente al body del messaggio. # diff -Nau /usr/bin/mimedefang.pl.originale /usr/bin/mimedefang.pl --- /usr/bin/mimedefang.pl.originale 2013-05-02 16:29:54.000000000 +0200 +++ /usr/bin/mimedefang.pl 2013-05-03 09:39:42.000000000 +0200 @@ -817,7 +817,7 @@ if ($Action eq "replace") { $Changed = 1; - $out->add_part($ReplacementEntity); +# $out->add_part($ReplacementEntity); return 0; } @@ -848,7 +848,7 @@ # If action is "replace", replace it with $ReplacementEntity; if ($Action eq "replace") { $Changed = 1; - $out->add_part($ReplacementEntity); +# $out->add_part($ReplacementEntity); return 0; } @@ -1193,15 +1193,19 @@ sub action_replace_with_warning ($) { my($msg) = @_; return 0 if (!in_filter_context("action_replace_with_warning")); + $Actions{'replace_with_warning'}++; $Action = "replace"; - $ReplacementEntity = MIME::Entity->build(Type => "text/plain", - Encoding => "-suggest", - Data => [ "$msg\n" ]); +# $ReplacementEntity = MIME::Entity->build(Type => "text/plain", +# Encoding => "-suggest", +# Data => [ "$msg\n" ]); $WarningCounter++; - $ReplacementEntity->head->mime_attr("Content-Type.name" => "warning$WarningCounter.txt"); - $ReplacementEntity->head->mime_attr("Content-Disposition" => "inline"); - $ReplacementEntity->head->mime_attr("Content-Disposition.filename" => "warning$WarningCounter.txt"); +# $ReplacementEntity->head->mime_attr("Content-Type.name" => "warning$WarningCounter.txt"); +# $ReplacementEntity->head->mime_attr("Content-Disposition" => "inline"); +# $ReplacementEntity->head->mime_attr("Content-Disposition.filename" => "warning$WarningCounter.txt"); + +push(@Warnings, "$msg\n"); + return 1; } @@ -5296,14 +5300,14 @@ $DaemonAddress = 'mailer-daemon@localhost' unless defined($DaemonAddress); $SALocalTestsOnly = 1 unless defined($SALocalTestsOnly); - if (!defined($GeneralWarning)) { - $GeneralWarning = - "WARNING: This e-mail has been altered by MIMEDefang. Following this\n" . - "paragraph are indications of the actual changes made. For more\n" . - "information about your site's MIMEDefang policy, contact\n" . - "$AdminName <$AdminAddress>. For more information about MIMEDefang, see:\n\n" . - " $URL\n\n"; - } +# if (!defined($GeneralWarning)) { +# $GeneralWarning = +# "WARNING: This e-mail has been altered by MIMEDefang. Following this\n" . +# "paragraph are indications of the actual changes made. For more\n" . +# "information about your site's MIMEDefang policy, contact\n" . +# "$AdminName <$AdminAddress>. For more information about MIMEDefang, see:\n\n" . +# " $URL\n\n"; +# } # check dir $workdir = $ARGV[0];