Preamble: what follows is a solution for System Administrators ONLY. For the system to be "digested" by the more creative users it is essential to:
- call them all together (if they fit in one room)
- explain the reasons that make adopting the following "system" unavoidable
- show with examples (sending and receiving mail) how the new system will behave and what each operator will have to do.
To try to "contain" the problem of the excessive size of mailboxes, which "careless" users habitually misuse, the following solution can be adopted:
- every e-mail attachment above a given size is removed from the body of the message
- the removed attachments are placed in a dedicated network folder and shared through a web server
- the body of the message is edited to state explicitly that the attachment has been removed from the message and that it can be fetched from a specific URL
- the attachments then remain available for a fixed period (e.g. 3 months), after which they are deleted from the system
Advantages:
- mailboxes stay "light"
- users are forced to archive the attachments they receive properly before the deadline
- e-mail is used as e-mail (NO longer as a storage system).
NB: the server was installed with the squeeze release of Debian.
Useful links:
http://www.mimedefang.com/faq
http://www.mickeyhill.com/mimedefang-howto/#ss3.1
The flow for INBOUND mail will be something like:
smtp-esterno -> (ASSP -> QMAIL) -> sendmail -> mimedefang -> SRVPOSTAINTERNO
The flow for OUTBOUND mail will be something like:
SRVPOSTAINTERNO -> sendmail -> mimedefang -> (ASSP -> QMAIL) -> smtp-esterno
Note that outbound mail goes through the same filter, so the link written into an outgoing message is only useful if the web server that publishes the attachments is reachable by the external recipient; if it is only reachable on the LAN, external recipients get a dead link and no attachment.
E-mail attachments are stored in /allegatiposta (a dedicated disk, mounted automatically at boot):
# cat /etc/fstab
/dev/vdb1 /allegatiposta ext3 rw 0 0
Since the disk holds files supplied by arbitrary senders and served by Apache, there is no reason to allow execution from it: adding noexec,nosuid,nodev to the mount options costs nothing.
The /allegatiposta folder was given the following permissions, so that the defang user (the one MIMEDefang runs as) can write, the web server can only read through its group, and everyone else is locked out:
chown defang:www-data /allegatiposta
chmod 750 /allegatiposta
Apache was configured as follows. One thing to reconsider: Options Indexes on /allegatiposta lets any client that can reach the server list every stored attachment, which defeats the only protection these files have, namely that their names (derived by action_replace_with_url from a hash of the content) are not guessable. Unless a browsable listing is really wanted, remove Indexes from that Directory block.
# cat /etc/apache2/sites-available/default
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /allegatiposta
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /allegatiposta>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
# ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
# <Directory "/usr/lib/cgi-bin">
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
# </Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
# Alias /doc/ "/usr/share/doc/"
# <Directory "/usr/share/doc/">
# Options Indexes MultiViews FollowSymLinks
# AllowOverride None
# Order deny,allow
# Deny from all
# Allow from 127.0.0.0/255.0.0.0 ::1/128
# </Directory>
</VirtualHost>
List of installed packages:
- sendmail
- mimedefang
- apache2
SENDMAIL + MIMEDEFANG
Configuring the sendmail files is done in two separate steps:
- edit the configuration (template) files
- compile the configuration files
# apt-get install sendmail
# apt-get install mimedefang
- edit the file /etc/mail/access and "compile" it with the following command
# makemap hash /etc/mail/access.db < /etc/mail/access
Only the hosts listed with RELAY (localhost, 127.x and the internal mail server SRVPOSTAINTERNO) may use this sendmail to relay to other domains. Do not add the ASSP/QMAIL host with RELAY just to make inbound delivery work: delivery for the local domains does not need it, and RELAY would turn this host into an open relay for anything ASSP lets through.
# cat /etc/mail/access
Connect:localhost            RELAY
GreetPause:localhost         0
ClientRate:localhost         0
ClientConn:localhost         0
Connect:127                  RELAY
GreetPause:127               0
ClientRate:127               0
ClientConn:127               0
#Connect:IPv6:::1            RELAY
#GreetPause:IPv6:::1         0
#ClientRate:IPv6:::1         0
#ClientConn:IPv6:::1         0
Connect:SRVPOSTAINTERNO      RELAY
GreetPause:SRVPOSTAINTERNO   0
ClientRate:SRVPOSTAINTERNO   0
ClientConn:SRVPOSTAINTERNO   0
- edit the file /etc/mail/sendmail.mc as appropriate. The local additions are at the bottom: SMART_HOST forwards everything to SRVPOSTAINTERNO, and INPUT_MAIL_FILTER hooks mimedefang in through its Unix socket with F=T, so that when the filter is down sendmail returns a temporary failure and the sender retries, instead of mail passing through unfiltered.
divert(-1)dnl
#-----------------------------------------------------------------------------
# $Sendmail: debproto.mc,v 8.14.3 2010-01-29 14:02:50 cowboy Exp $
#
# Copyright (c) 1998-2008 Richard Nelson.  All Rights Reserved.
#
# cf/debian/sendmail.mc.  Generated from sendmail.mc.in by configure.
#
# sendmail.mc prototype config file for building Sendmail 8.14.3
#
# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
#       file is customized to the version noted above.
#
# This file is used to configure Sendmail for use with Debian systems.
#
# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
# by running this file through the m4 preprocessor via one of the following:
#       * make   (or make -C /etc/mail)
#       * sendmailconfig
#       * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# The first two options are preferred as they will also update other files
# that depend upon the contents of this file.
#
# The best documentation for this .mc file is:
# /usr/share/doc/sendmail-doc/cf.README.gz
#
#-----------------------------------------------------------------------------
divert(0)dnl
#
#   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
#
#  This file is used to configure Sendmail for use with Debian systems.
#
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.14.3-5+lenny1 2010-01-29 14:02:50 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
dnl # General defines
dnl #
dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
dnl #   into this directory before writing files.
dnl #   If *all* your user accounts are under /home then use that
dnl #   instead - it will prevent any writes outside of /home !
dnl #   define(`confSAFE_FILE_ENV',             `')dnl
dnl #
dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
dnl # Remove `, Addr=' clauses to receive from any interface
dnl # If you want to support IPv6, switch the commented/uncommentd lines
dnl #
FEATURE(`no_default_msa')dnl
dnl DAEMON_OPTIONS(`Family=inet6,  Name=MTA-v6, Port=smtp, Addr=::1')dnl
dnl DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp')dnl
dnl DAEMON_OPTIONS(`Family=inet6,  Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
dnl DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea')dnl
dnl #
dnl # Be somewhat anal in what we allow
dnl # define(`confPRIVACY_FLAGS',dnl
dnl #   `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
dnl #
dnl # Define connection throttling and window length
dnl define(`confCONNECTION_RATE_THROTTLE', `15')dnl
dnl define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
dnl #
dnl # Features
dnl #
dnl # use /etc/mail/local-host-names
dnl FEATURE(`use_cw_file')dnl
dnl #
dnl # The access db is the basis for most of sendmail's checking
FEATURE(`access_db', , `skip')dnl
dnl #
dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
dnl FEATURE(`greet_pause', `1000')dnl 1 seconds
dnl #
dnl # Delay_checks allows sender<->recipient checking
dnl FEATURE(`delay_checks', `friend', `n')dnl
dnl #
dnl # If we get too many bad recipients, slow things down...
dnl # define(`confBAD_RCPT_THROTTLE',`3')dnl
dnl #
dnl # Stop connections that overflow our concurrent and time connection rates
dnl FEATURE(`conncontrol', `nodelay', `terminate')dnl
dnl FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl #
dnl # If you're on a dialup link, you should enable this - so sendmail
dnl # will not bring up the link (it will queue mail for later)
dnl define(`confCON_EXPENSIVE',`True')dnl
dnl #
dnl # Dialup/LAN connection overrides
dnl #
dnl include(`/etc/mail/m4/dialup.m4')dnl
dnl include(`/etc/mail/m4/provider.m4')dnl
dnl #
dnl # Default Mailer setup
MAILER_DEFINITIONS
define(`SMART_HOST', `SRVPOSTAINTERNO')dnl
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
Run the following command to compile the sendmail configuration files, confirming all the options:
sendmailconfig
- edit the file /etc/mail/mimedefang-filter as appropriate
# -*- Perl -*-
#***********************************************************************
#
# mimedefang-filter
#
# Suggested minimum-protection filter for Microsoft Windows clients, plus
# SpamAssassin checks if SpamAssassin is installed.
#
# Copyright (C) 2002 Roaring Penguin Software Inc.
#
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#
# $Id$
#***********************************************************************
#***********************************************************************
# Set administrator's e-mail address here. The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy. A good example would be 'defang-admin@mydomain.com'
#***********************************************************************
$AdminAddress = 'ced@MIODOMINIO';
$AdminName = "Amministratori di Rete";
#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come. A good example would be
# 'mimedefang@mydomain.com'. Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = 'mimedefang@MIODOMINIO';
#***********************************************************************
# If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard
# to add warnings directly in the message body (text or html) rather
# than adding a separate "WARNING.TXT" MIME part. If the message
# has no text or html part, then a separate MIME part is still used.
#***********************************************************************
$AddWarningsInline = 1;
#***********************************************************************
# To enable syslogging of virus and spam activity, add the following
# to the filter:
# md_graphdefang_log_enable();
# You may optionally provide a syslogging facility by passing an
# argument such as: md_graphdefang_log_enable('local4'); If you do this, be
# sure to setup the new syslog facility (probably in /etc/syslog.conf).
# An optional second argument causes a line of output to be produced
# for each recipient (if it is 1), or only a single summary line
# for all recipients (if it is 0.) The default is 1.
# Comment this line out to disable logging.
#***********************************************************************
# md_graphdefang_log_enable('mail', 1);
#***********************************************************************
# Uncomment this to block messages with more than 50 parts. This will
# *NOT* work unless you're using Roaring Penguin's patched version
# of MIME tools, version MIME-tools-5.411a-RP-Patched-02 or later.
#
# WARNING: DO NOT SET THIS VARIABLE unless you're using at least
# MIME-tools-5.411a-RP-Patched-02; otherwise, your filter will fail.
#***********************************************************************
# $MaxMIMEParts = 50;
#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************
# Set the next one if your mail client cannot handle multiple "inline"
# parts.
$Stupidity{"NoMultipleInlines"} = 1;
# Detect and load Perl modules
detect_and_load_perl_modules();
#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
# $entity -- the parsed MIME::Entity
# %RETURNS:
# Nothing
# %DESCRIPTION:
# Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin {
my($entity) = @_;
# Copy original message into work directory as an "mbox" file for
# virus-scanning
md_copy_orig_msg_to_work_dir_as_mbox_file();
}
#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
#
# NOTE: There are two likely and one unlikely place for a filename to
# appear in a MIME message: In Content-Disposition: filename, in
# Content-Type: name, and in Content-Description. If you are paranoid,
# you will use the re_match and re_match_ext functions, which return true
# if ANY of these possibilities match. re_match checks the whole name;
# re_match_ext checks the extension. See the sample filter below for usage.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This function is called once for each part of a MIME message.
# There are many action_*() routines which can decide the fate
# of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter {
my($entity, $fname, $ext, $type) = @_;
return if message_rejected(); # Avoid unnecessary work
# Block message/partial parts
if (lc($type) eq "message/partial") {
md_graphdefang_log('message/partial');
action_bounce("MIME type message/partial not accepted here");
return action_discard();
}
# Move attachments above a given size to a folder that is published
# by the web server; the part is replaced by a notice containing the URL.
# MIMEDefang has already written the decoded part to disk, so its size
# is simply the size of that file.
my $size = (stat($entity->bodyhandle->path))[7];
if ($size > 2000000) {
return action_replace_with_url($entity,
"/allegatiposta",
"http://IndirizzoDelServerWebDoveSarannoPubblicatiGliAllegati",
"One of the attachments is larger than 2MB.\n" .
"NB. The attachment will be deleted automatically 90 days from today.\n" .
"The attachment can be downloaded directly from this address:\n\n" .
"\t_URL_\n");
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: filter_multipart
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This is called for multipart "container" parts such as message/rfc822.
# You cannot replace the body (because multipart parts have no body),
# but you should check for bad filenames.
#***********************************************************************
sub filter_multipart {
my($entity, $fname, $ext, $type) = @_;
return if message_rejected(); # Avoid unnecessary work
# Block message/partial parts
if (lc($type) eq "message/partial") {
md_graphdefang_log('message/partial');
action_bounce("MIME type message/partial not accepted here");
return;
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
# oldfname -- the old file name of an attachment
# fname -- the new "defanged" name
# %RETURNS:
# A warning message
# %DESCRIPTION:
# This function customizes the warning message when an attachment
# is defanged.
#***********************************************************************
sub defang_warning {
my($oldfname, $fname) = @_;
return
"The attachment named '$oldfname' was converted to '$fname'.\n";
}
# If SpamAssassin found SPAM, append report. We do it as a separate
# attachment of type text/plain
sub filter_end {
my($entity) = @_;
# No sense doing any extra work
return if message_rejected();
# I HATE HTML MAIL! If there's a multipart/alternative with both
# text/plain and text/html parts, nuke the text/html. Thanks for
# wasting our disk space and bandwidth...
# If you want to strip out HTML parts if there is a corresponding
# plain-text part, uncomment the next line.
#
# NB. This is very interesting, but weigh the possible consequences carefully before enabling it!!
#
#remove_redundant_html_parts($entity);
md_graphdefang_log('mail_in');
}
# DO NOT delete the next line, or Perl will complain.
1;
- check the syntax of the mimedefang-filter file
mimedefang.pl -test
- to make the changes to mimedefang-filter effective
/etc/init.d/mimedefang reread
/etc/init.d/mimedefang restart
Attachments considered obsolete are removed automatically by a command scheduled through cron. Two details matter here: "-atime 90" matches only files whose last access is exactly 90 days old, so a file that is skipped once (or whose access time is refreshed by a download) is never removed; and the notice in the filter promises removal 90 days from the day the message was processed, which is the file's modification time, not its access time. The job therefore uses -mtime +90:
cat /etc/cron.d/cancellaallegatiobsoleti
# m h dom mon dow user command
05 20 * * * root find /allegatiposta -mindepth 1 -type f -mtime +90 -delete
The removed attachments must NOT be replaced by as many text attachments containing the notice and the link to the removed
attachment; we want the link itself to be added directly to the body of the message. To obtain this, the packaged mimedefang.pl was patched as shown below.
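Before patching, note that the same result can be obtained from the filter file alone, which survives package upgrades. The fragment below is an added example written for this page, not code from the original post or from the MIMEDefang project. It stores the oversized part itself, removes it with action_drop_with_warning() (whose text $AddWarningsInline = 1 places in the body, with no extra MIME part) and sets $GeneralWarning to an empty string, which is exactly what the "unless defined" guard in mimedefang.pl is there for. The directory, base URL, 2 MB threshold, 90-day retention and the salt value are assumptions to be adapted; it also assumes /allegatiposta has been made setgid to www-data (chmod 2750) so that the files it writes with mode 0640 inherit the web server's group.

```perl
# -*- Perl -*-
# Added example for /etc/mail/mimedefang-filter: move oversized parts to the
# web-published store and leave only a link in the body, without patching
# /usr/bin/mimedefang.pl.  Not from the original page or from MIMEDefang.
# Follows the filter file's convention of package-main globals (no strict).

use Digest::SHA ();
use File::Copy ();

# Documented override: an empty string suppresses the generic
# "This e-mail has been altered by MIMEDefang" preamble.
our $GeneralWarning = "";

# Site values (assumptions, adjust to the installation).
my $DocRoot  = "/allegatiposta";
my $BaseURL  = "http://IndirizzoDelServerWebDoveSarannoPubblicatiGliAllegati";
my $MaxBytes = 2_000_000;                      # same threshold as the filter
my $KeepDays = 90;                             # must match the cron retention
my $Salt     = "replace-with-a-site-secret";   # assumed; see the note below

# Returns what action_drop_with_warning() returns when the part was moved,
# or nothing when the part is small (or has no body) and is left alone.
sub store_and_drop_large_part {
    my ($entity, $fname, $ext) = @_;

    my $body = $entity->bodyhandle or return;
    my $path = $body->path         or return;
    my $size = (stat($path))[7];
    return unless defined $size && $size > $MaxBytes;

    # Only a short alphanumeric extension from the sender is reused; the rest
    # of the stored name is the hash, so a hostile file name cannot influence
    # where the file is written or what the URL looks like.
    my $safe_ext = "";
    if (defined $ext && $ext =~ /^\.([A-Za-z0-9]{1,10})$/) {
        $safe_ext = lc ".$1";
    }

    # Content-addressed name salted with a site secret: identical attachments
    # share one file, and the URL is not computable from the content alone.
    my $sha = Digest::SHA->new("sha1");
    $sha->add($Salt);
    $sha->addfile($path);
    my $name = $sha->hexdigest . $safe_ext;
    my $dest = "$DocRoot/$name";

    # Copy rather than rename: the part lives in MIMEDefang's work directory,
    # which may be on another filesystem (here the store is a dedicated disk).
    unless (-e $dest) {
        File::Copy::copy($path, $dest) or do {
            md_syslog("warning", "cannot store $path as $dest: $!");
            return;            # leave the attachment in the message
        };
        chmod 0640, $dest;     # owner writes, www-data reads via setgid group
    }

    my $shown = (defined $fname && length $fname) ? $fname : "unnamed";
    $shown =~ s/[^[:print:]]//g;   # keep control characters out of the body

    return action_drop_with_warning(
        "One of the attachments ($shown, $size bytes) exceeds $MaxBytes bytes\n"
      . "and was removed from this message. It will be deleted automatically\n"
      . "$KeepDays days from today. Download it from:\n\n"
      . "\t$BaseURL/$name\n");
}

# filter() as it looks with the helper above in place of
# action_replace_with_url(); the message/partial check is kept.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return if message_rejected();

    if (lc($type) eq "message/partial") {
        action_bounce("MIME type message/partial not accepted here");
        return action_discard();
    }

    my $dropped = store_and_drop_large_part($entity, $fname, $ext);
    return $dropped if $dropped;
    return action_accept();
}
```

The salt means that a third party who holds a copy of a document cannot compute its URL and probe the server to learn whether that document ever passed through the gateway; without it the file name is a pure function of the content. It is no substitute for removing Options Indexes from the Apache configuration, since a directory listing exposes every name regardless of how it was derived. Check the fragment with mimedefang.pl -test before reloading the filter.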
# diff -Nau /usr/bin/mimedefang.pl.originale /usr/bin/mimedefang.pl
--- /usr/bin/mimedefang.pl.originale 2013-05-02 16:29:54.000000000 +0200
+++ /usr/bin/mimedefang.pl 2013-05-03 09:39:42.000000000 +0200
@@ -817,7 +817,7 @@
if ($Action eq "replace") {
$Changed = 1;
- $out->add_part($ReplacementEntity);
+# $out->add_part($ReplacementEntity);
return 0;
}
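Review bot: commenting out `$out->add_part($ReplacementEntity);` here silently drops every part for which `$Action eq "replace"`, not only those that went through action_replace_with_warning(), and it does so in a file owned by the mimedefang package, so the next upgrade restores the original line and the replacement text parts reappear in users' mail with no warning. Keep the change out of the packaged script (action_drop_with_warning() in the filter already removes a part and queues a warning), or at least protect the modified file with dpkg-divert so an upgrade cannot overwrite it.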
@@ -848,7 +848,7 @@
# If action is "replace", replace it with $ReplacementEntity;
if ($Action eq "replace") {
$Changed = 1;
- $out->add_part($ReplacementEntity);
+# $out->add_part($ReplacementEntity);
return 0;
}
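Review bot: this is the second copy of the same edit, in the multipart rebuild path, and the two must stay in sync by hand; note also that `$Changed = 1;` is still set, so the message is always rewritten even though nothing is added in place of the removed part. A single switch tested in both places (a variable the filter can set) would be easier to keep consistent than two commented-out lines.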
@@ -1193,15 +1193,19 @@
sub action_replace_with_warning ($) {
my($msg) = @_;
return 0 if (!in_filter_context("action_replace_with_warning"));
+
$Actions{'replace_with_warning'}++;
$Action = "replace";
- $ReplacementEntity = MIME::Entity->build(Type => "text/plain",
- Encoding => "-suggest",
- Data => [ "$msg\n" ]);
+# $ReplacementEntity = MIME::Entity->build(Type => "text/plain",
+# Encoding => "-suggest",
+# Data => [ "$msg\n" ]);
$WarningCounter++;
- $ReplacementEntity->head->mime_attr("Content-Type.name" => "warning$WarningCounter.txt");
- $ReplacementEntity->head->mime_attr("Content-Disposition" => "inline");
- $ReplacementEntity->head->mime_attr("Content-Disposition.filename" => "warning$WarningCounter.txt");
+# $ReplacementEntity->head->mime_attr("Content-Type.name" => "warning$WarningCounter.txt");
+# $ReplacementEntity->head->mime_attr("Content-Disposition" => "inline");
+# $ReplacementEntity->head->mime_attr("Content-Disposition.filename" => "warning$WarningCounter.txt");
+
+push(@Warnings, "$msg\n");
+
return 1;
}
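Review bot: `$WarningCounter++;` is now dead code, since its only consumers (the warning$WarningCounter.txt attributes) are commented out, and should go with them. Two behavioural points: `push(@Warnings, "$msg\n");` only lands in the body when $AddWarningsInline is 1 and the message has a text or html part, so for a message with no such part MIMEDefang still emits a separate WARNING.TXT part and the "link in the body" requirement is not met; and the function still returns 1 with `$Action = "replace";`, so it relies entirely on the two earlier hunks for the part to actually disappear.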
@@ -5296,14 +5300,14 @@
$DaemonAddress = 'mailer-daemon@localhost' unless defined($DaemonAddress);
$SALocalTestsOnly = 1 unless defined($SALocalTestsOnly);
- if (!defined($GeneralWarning)) {
- $GeneralWarning =
- "WARNING: This e-mail has been altered by MIMEDefang. Following this\n" .
- "paragraph are indications of the actual changes made. For more\n" .
- "information about your site's MIMEDefang policy, contact\n" .
- "$AdminName <$AdminAddress>. For more information about MIMEDefang, see:\n\n" .
- " $URL\n\n";
- }
+# if (!defined($GeneralWarning)) {
+# $GeneralWarning =
+# "WARNING: This e-mail has been altered by MIMEDefang. Following this\n" .
+# "paragraph are indications of the actual changes made. For more\n" .
+# "information about your site's MIMEDefang policy, contact\n" .
+# "$AdminName <$AdminAddress>. For more information about MIMEDefang, see:\n\n" .
+# " $URL\n\n";
+# }
# check dir
$workdir = $ARGV[0];
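Review bot: this block does not need patching: the `if (!defined($GeneralWarning))` guard exists precisely so the filter can supply its own value, so `$GeneralWarning = "";` in /etc/mail/mimedefang-filter gives the same result and survives package upgrades. Leaving the variable undefined rather than empty also risks "Use of uninitialized value" warnings wherever the script concatenates it into the warning text; an empty string is clean.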