Archive for July, 2008

Installing Postfwd on CentOS/Fedora/Redhat

Download and unpack Postfwd archive to /usr/local/postfwd:

cd /usr/local/
wget http://postfwd.org/postfwd-1.10pre7c.tar.gz
tar -xf postfwd-1.10pre7c.tar.gz
mv postfwd-1.10pre7c postfwd

Copy the configuration file and the startup script into place:

cp /usr/local/postfwd/etc/postfwd.cf /etc/postfix/
cp /usr/local/postfwd/bin/postfwd-script.sh /etc/init.d/postfwd

Then I tried to set the daemon to be started at boot time with:

chkconfig --add postfwd

But I got an error saying: “service postfwd does not support chkconfig”. OK. There is a statement in an init script that tells the chkconfig command how to add or delete this daemon from the boot process. This statement looks like this:

# chkconfig: 2345 78 32
# description: Postfwd Policy Server

This means that the script should be started in runlevels 2, 3, 4 and 5, that its start priority should be 78 and its stop priority 32. Priorities define the order (sequence) in which the services are started and stopped. So if you have, for instance, Postfix and a postfwd policy server, it is essential that postfwd is started before Postfix. With Postfix having a start value of 80, you need a lower value for postfwd (78, for example).
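An added example (not from the post) in Python: it reads the chkconfig header line from init scripts and checks that a dependency such as postfwd is ordered to start before, and stop after, the service that needs it. The postfwd header is the one shown above; the postfix header with start value 80 and the header-less script are constructed samples.

```python
import re

# "# chkconfig: <levels> <start> <stop>" as read by chkconfig (added example, not chkconfig's code).
HEADER_RE = re.compile(r'^#\s*chkconfig:\s*(?P<levels>[0-9-]+)\s+(?P<start>\d+)\s+(?P<stop>\d+)',
                       re.MULTILINE)

def chkconfig_header(script_text):
    """Return (levels, start, stop) from an init script's text, or None when the header
    is missing, which is what makes chkconfig say the service does not support it."""
    m = HEADER_RE.search(script_text)
    if m is None:
        return None
    return m['levels'], int(m['start']), int(m['stop'])

def _headers(dep_text, svc_text):
    dep, svc = chkconfig_header(dep_text), chkconfig_header(svc_text)
    if dep is None or svc is None:
        raise ValueError('init script without a chkconfig header')
    return dep, svc

def starts_before(dep_text, svc_text):
    """True when the dependency has the lower start priority, so it comes up first."""
    dep, svc = _headers(dep_text, svc_text)
    return dep[1] < svc[1]

def stops_after(dep_text, svc_text):
    """True when the dependency has the higher stop priority, so it goes down last."""
    dep, svc = _headers(dep_text, svc_text)
    return dep[2] > svc[2]

# Constructed samples: the postfwd header from the post, an assumed postfix header using the
# start value 80 the post mentions, and a script lacking the header altogether.
POSTFWD = "#!/bin/sh\n# chkconfig: 2345 78 32\n# description: Postfwd Policy Server\n"
POSTFIX = "#!/bin/sh\n# chkconfig: 2345 80 30\n# description: Postfix MTA\n"
NO_HEADER = "#!/bin/sh\n# description: a script that chkconfig --add would reject\n"

if __name__ == '__main__':
    print('postfwd starts before postfix:', starts_before(POSTFWD, POSTFIX))
    print('postfwd stops after postfix:', stops_after(POSTFWD, POSTFIX))
    print('header of NO_HEADER:', chkconfig_header(NO_HEADER))
```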

After adding these lines to the /etc/init.d/postfwd file, let's repeat:

chkconfig --add postfwd

OK, this worked. But I had a lot of problems with the default init script supplied with postfwd; I had to change the startup script a lot. After finding out that the init script is somewhat strange, I rewrote it based on postgrey’s init script. Here it is, ready to download. So copy this one to /etc/init.d.

Now, start it with:

service postfwd start

It should work. Now let's make Postfix aware of it. Open /etc/postfix/main.cf and insert or edit the following.

127.0.0.1:10040_time_limit	= 3600
smtpd_recipient_restrictions	= ...
				  ...
				  check_policy_service inet:127.0.0.1:10040,
				  permit

smtpd_end_of_data_restrictions =
				  check_policy_service inet:127.0.0.1:10040

The last one is needed because you have to call postfwd at end_of_data state for reliable size checks.

Testing it

If you want to list the rules, just type:

/usr/local/postfwd/sbin/postfwd -f /etc/postfix/postfwd.cf -C

Finally, if you are satisfied, start postfwd and reload postfix. Then, monitor the log file for lines mentioning postfwd with:

tail -f /var/log/maillog | grep postfwd

There is an example policy request distributed with postfwd, called ‘request.sample’. Simply change it to meet your requirements:

nano /usr/local/postfwd/tools/request.sample
/usr/local/postfwd/sbin/postfwd -f /etc/postfix/postfwd.cf </usr/local/postfwd/tools/request.sample

That's it.

No - it is not!

Really a bug not counted as one

I spent at least an hour just to find the bug. No! It is not a bug. I just needed to read very, very carefully:

From the docs: “Multiple use of the same item is allowed and will be compared as logical OR”

So a macro with this content:

&&LIMITEDS { sender=.*@onedomain.com ; sender~=user@seconddomain.com; };

will work, and the following one will not (only the first item will be taken into account):

&&LIMITEDS { sender_domain=onedomain.com ; sender~=user@seconddomain.com; };
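As an added example (not from the post or from postfwd itself), a small Python lint that parses a postfwd macro line, groups its items by name, reports whether all alternatives compare the same item (the only case in which the documented OR applies), and rewrites a sender_domain= item into an equivalent sender= regex so it can join the list. The grammar it parses and the sender_domain rewrite are my own assumptions, modelled on the two macros above.

```python
import re

# Parser for one "&&MACRO { item op value ; ... };" line (added example, not postfwd's code;
# the grammar below is my reading of the two macros in the post, not postfwd's full syntax).
MACRO_RE = re.compile(r'&&(?P<name>\w+)\s*\{(?P<body>.*?)\}\s*;', re.S)
ITEM_RE = re.compile(r'(?P<item>\w+)\s*(?P<op>==|!=|=~|~=|!~|=)\s*(?P<value>[^;]+?)\s*;')

def parse_macro(text):
    """Return (macro_name, [(item, op, value), ...]) from a macro definition."""
    m = MACRO_RE.search(text)
    if m is None:
        raise ValueError('no &&MACRO { ... }; definition found')
    items = [(i['item'], i['op'], i['value']) for i in ITEM_RE.finditer(m['body'])]
    return m['name'], items

def or_groups(items):
    """Group alternatives by item name: postfwd only ORs items that share a name."""
    groups = {}
    for item, op, value in items:
        groups.setdefault(item, []).append(op + value)
    return groups

def is_single_or_list(items):
    """True when every alternative compares the same item, so all of them are ORed."""
    return len(or_groups(items)) == 1

def to_sender_item(item, op, value):
    """Rewrite sender_domain=X as the equivalent sender regex .*@X (dots escaped) so it can
    join a list of sender alternatives; any other item is returned unchanged."""
    if item == 'sender_domain' and op == '=':
        return 'sender', '=', '.*@' + re.escape(value)
    return item, op, value

def fix_macro(text):
    """Return the macro text with sender_domain items folded into sender items."""
    name, items = parse_macro(text)
    body = ' ; '.join(f'{i}{op}{v}' for i, op, v in (to_sender_item(*it) for it in items))
    return f'&&{name} {{ {body}; }};'

# The two macros from the post, copied here as constructed input.
WORKING = '&&LIMITEDS { sender=.*@onedomain.com ; sender~=user@seconddomain.com; };'
BROKEN = '&&LIMITEDS { sender_domain=onedomain.com ; sender~=user@seconddomain.com; };'

if __name__ == '__main__':
    for macro in (WORKING, BROKEN):
        name, items = parse_macro(macro)
        print(name, 'is one OR list:', is_single_or_list(items), or_groups(items))
    print('rewritten:', fix_macro(BROKEN))
```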

List of domains (web sites) on the same IP address

Reverse IP tools, in order of quality:

http://whois.webhosting.info/

http://www.yougetsignal.com/tools/web-sites-on-web-server/

http://www.myipneighbors.com/

And the paid ones:

http://www.domaintools.com/reverse-ip/

http://www.securityspace.com/bizintel/reverse-ip.html

Resume upload functionality in ProFTPD

If you are using ProFTPD, uploads cannot be resumed by default. Change this by editing the configuration file (/etc/proftpd.conf) and adding or changing the following values:

AllowOverwrite on
AllowStoreRestart on

The first one is probably already enabled in the config file. In ProFTPD, a resumed upload is treated the same as a file overwrite, so overwriting must be enabled.

Greylisting - The best way to fight spam and have a fast mail server

And, it can be done on Fedora / CentOS in an easy manner.

The best tutorial is this, and good ones are these and these.

Greylisting is very effective in reducing spam: almost 90% of the servers contacting our mail system are illegitimate, and greylisting reduces the noise from them. One of the best products is milter-greylist (it is still not aware that Postfix is milter compatible). For Postfix, there is a similar solution called postgrey.

Postgrey is the one I chose. The best tutorial I found for installing it on my CentOS was here.

Milter Greylisting solutions: milter-greylist, milter-gris, Scam-grey milter.

Postfix message limits

These are only basic limits, valid for the entire host/domain. They can be set fairly high if you really need that. Later on, you can impose other limits with milter filters.

Current values can be seen with:

postconf  | grep 'mailbox_size_limit\|message_size_limit\|virtual_mailbox_limit'

Default values are:

postconf -d | grep 'mailbox_size_limit\|message_size_limit\|virtual_mailbox_limit'

Edit values with:

postconf -e 'message_size_limit = 104857600'

This changes the /etc/postfix/main.cf configuration file. My values are:

# 100 Mb
message_size_limit = 104857600

# 1 Gb
mailbox_size_limit = 1073741824
virtual_mailbox_limit = 1073741824

Milters I’ve found while looking for mail throttling

The best milters I found, excluding the ones that provide greylisting functionality, were:

  • j-chkmail: Multipurpose mail filtering software.
  • Milter-regex: Reject mail matching regular expressions. Simple and can be useful.
  • Mailfromd: General-purpose mail filtering daemon. It looked too complicated for me.
  • milter-limit: Limit number of mails, per sender. Looks like it has not enough documentation.
  • milter-length: Limiting mails by message size.

But milters are native to Sendmail, not Postfix (though they work in the latest Postfix). The analogous solution for Postfix is to use a policy daemon:

  • postfix_policy: It has a web interface as a plus. This looks logical to me, because it allows an administrator to configure it in an easy way.
  • postfwd: The configuration looked the simplest to me. So I decided to go with this one.
  • ACL Policy Daemon: policyd (Python) does have message size limiting, but does not have message count (rate-limiting or throttling) control. And, according to this post, it is very heavy on the server load. So it’s out.

These are actively maintained, while Policyd-weight is not active anymore. Finally, I decided to go for postfwd.

Postfix Mail Archival Solutions

I am surprised that there are so few open-source solutions for this very common need in corporate environments.

The first that springs to mind is Postfix’s bcc_maps directives (or similar). An alternative mechanism should be pretty straightforward through the milter system. If anyone reading this post finds some other useful utility (open source only), please post a comment about it.

And my list of sound open-source solutions is:

Sudden huge Logwatch mails…

Suddenly, on my CentOS box the Logwatch mails are very big, with a huge Postfix “**Unmatched Entries**” section, mostly about messages dropped because they were listed in RBLs, similar to this:

Service unavailable; Client host [x.x.x.x] blocked using zen.spamhaus.org; ...

My logwatch package is up to date. The problem is that the postfix service script and configuration in that package are not.

You need to update the postfix filter portion of logwatch.
It can be updated either from http://www.mikecappella.com/logwatch or from the latest version of logwatch at www.logwatch.org.

For me, the first link was better because it had fresher scripts. I downloaded the package, and only two files are needed (do not install anything).

Just rename the files (remove the -logwatch part of the filename)

postfix-logwatch
postfix-logwatch.conf

to

postfix
postfix.conf

and copy them to

/etc/logwatch/scripts/services/postfix (the Logwatch postfix filter)
/etc/logwatch/conf/services/postfix.conf (the Logwatch postfix filter configuration file)

Files at these locations override the default ones. This should fix the problem.

But there was a problem with the file services/postfix, where I had to remove the first line for logwatch to work. Now, when I execute /etc/cron.daily/0logwatch, I get a reasonably sized email with email statistics.

Brute Force Attack Prevention

I just got tired of looking at lots of these messages in my Apache log (or similar ones in the ssh log):

[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/ads
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/thisdoesnotexistahaha.php
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/drupal
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/adserver
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/adxmlrpc.php
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/xmlrpc.php

These robots are constantly trying to exploit vulnerabilities. I want to stop them.

There are a couple of solutions, but after researching, I concluded that for me the best one is Fail2Ban (compared to DenyHosts or BlockHosts), especially because it can analyze log files for Apache, SSH, FTP and Postfix (and I have it in the repository). BTW, there were some vulnerabilities in it in the past.

All the configuration is done in /etc/fail2ban/jail.conf.
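As an added illustration (not from the post, and not Fail2Ban's own filter code), a Python sketch of the kind of check a Fail2Ban jail performs on these lines: count "File does not exist" errors per client over the sample log above and report the clients over a threshold. The second client address and the maxretry value of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Parses the Apache error_log lines quoted above (added example, not Fail2Ban's own filter).
ERROR_RE = re.compile(r'\[error\] \[client (?P<ip>[^\]]+)\] File does not exist: (?P<path>\S+)')

# Constructed sample: the six lines from the post plus one ordinary 404 from another client
# (192.0.2.10 is a documentation address, not a real host).
SAMPLE_LOG = """\
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/ads
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/thisdoesnotexistahaha.php
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/drupal
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/adserver
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/adxmlrpc.php
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/xmlrpc.php
[error] [client 192.0.2.10] File does not exist: /var/www/sharedip/favicon.ico
"""

def probes_by_client(log_text):
    """Map each client to the list of missing paths it asked for, in log order."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            probes[m['ip']].append(m['path'])
    return dict(probes)

def clients_over_limit(log_text, maxretry=5):
    """Clients with more than maxretry missing-file errors: the ones a jail would ban.
    The parameter name mirrors Fail2Ban's maxretry setting; the default 5 is an assumption."""
    return sorted(ip for ip, paths in probes_by_client(log_text).items() if len(paths) > maxretry)

if __name__ == '__main__':
    for ip, paths in probes_by_client(SAMPLE_LOG).items():
        print(f'{ip}: {len(paths)} missing-file errors')
    print('over limit:', clients_over_limit(SAMPLE_LOG))
```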

From which IP address your site is accessed the most

To find out which IP addresses are most active in accessing your websites, just execute this line against the Apache access log.

awk '{print $1}' access_log | sort | uniq -c | sort -n | tail -20 | awk '{print $2,$2,$1}' | logresolve | awk '{printf "%6d %s (%s)\n",$3,$1,$2}'

where access_log is the filename of the Apache access log, and -20 means that I want to see the top 20 addresses. A great resource of information can be found at the-art-of-web.com.

ISPConfig, AWStats & Postfix: Email statistics

Very good source that I did not use: http://www.howtoforge.com/mail_statistics_mailgraph_pflogsumm

I set up the AWStats package on my server using the instructions on the DjTremors site.

Everything worked, except that I had to disable suexec in ISPConfig (Management / Server - Settings / Web / suexec checkbox).

At first, I tried adding these statistics inside ISPConfig’s own HTTP server. Just to remember: whenever I need something to be an option in ISPConfig under the Tools menu, this is done by creating a subdirectory in /home/admispconfig/ispconfig/web/tools/tools and creating a nav.inc.php file there.

But a problem arises because Perl cannot be enabled without larger modifications to /root/ispconfig/httpd/conf/httpd.conf. I always got the error

mod_perl.so: undefined symbol: apr_bucket_shared_split

So I made a Tools link, but pointing to the main Apache server (where I have Perl enabled).

File: nav.inc.php
<? if($go_api->auth->check_admin(0,1)) {
/*
   Only Admin can see this
   Copyright (c) 2008, cvladan.com, Vladan Colovic - All rights reserved.
*/
?>
<!-- Mail AWStats for all domains //-->

menuDaten.neu(new LinkEintrag('root','<? echo $go_api->lng("Mail Server Statistics")?>','http://www.duplonucleo.com/ispcstats/awstats.pl?config=mail','_blank','email.gif','Mail Server Stats','n',''));

<? } ?>

Let me explain the important files in AWStats for ISPConfig. The file /root/ispconfig/scripts/shell/awstats.php periodically recreates the .conf files in /etc/awstats, based on the virtual domains created in the web home /var/www. There is no need to change this file. Another important file is /home/admispconfig/ispconfig/web/ispc.awstats/awstats_updateall.pl, which is also executed periodically. It launches the update process for all AWStats config files found in a particular directory (in our case /etc/awstats), except awstats.model.conf, so setup is easy.

As we see, there is no need to change anything; it will automatically update our mail statistics as well. So, let’s go there…

First, I needed to add the script maillogconvert.pl where it should have been in the first place: in /home/admispconfig/ispconfig/web/ispc.awstats

Then edit /etc/awstats/awstats.mail.conf and … Not so good link, and a much better one (the original).

And do not be shocked by the amount of mail received by admispconfig@. That’s OK. The admispconfig mailbox is handled by a script that generates your mail statistics. The emails that go to admispconfig contain the size, in bytes, of the original email sent to one of your users.

And after everything, I just updated AWStats from 6.5 to version 6.8 (the latest one).

How to check if load balancing on multiple WAN ports is working

The easiest way to check whether WAN load balancing is working is to go to different sites that show your public IP and check that the reported IP addresses differ. In my case, I had to get 3 different IPs. So, use these sites: whatismyip.net, whatismyip.org, whatismyip.com, ipnow.org