smtp.uvt.cz

smtp.uvt.cz is the server for sending mail for Petr's clients.
The Postfix anvil + policyd tandem is configured so that no more than 60 mails per hour can be sent from any one particular source mail address, while a burst within one minute lets through at most 45 mails - protection against targeted spam / a stolen mailbox.
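A simplified model of how the two limits described above interact, as an added example that is not part of the original page and is not Postfix or policyd code. It assumes fixed time windows and counts both limits per sender address; the class, the function names and the sample traffic are constructed for illustration.

```python
from collections import defaultdict

BURST_LIMIT, BURST_WINDOW = 45, 60      # page: at most 45 mails in one minute
HOURLY_LIMIT, HOUR_WINDOW = 60, 3600    # page: at most 60 mails per hour per sender


class SenderLimiter:
    """Fixed-window model of both limits, keyed by sender address (assumption)."""

    def __init__(self):
        # (sender, window length, window index) -> mails accepted in that window
        self.counts = defaultdict(int)

    def check(self, sender, ts):
        """Return 'accept', or the name of the limit that rejects a mail at ts (seconds)."""
        burst_key = (sender, BURST_WINDOW, ts // BURST_WINDOW)
        hour_key = (sender, HOUR_WINDOW, ts // HOUR_WINDOW)
        if self.counts[burst_key] >= BURST_LIMIT:
            return "burst"
        if self.counts[hour_key] >= HOURLY_LIMIT:
            return "hourly"
        # Only accepted mails consume quota in this model.
        self.counts[burst_key] += 1
        self.counts[hour_key] += 1
        return "accept"


def simulate(events):
    """events: iterable of (timestamp_seconds, sender); returns verdict counts per sender."""
    limiter = SenderLimiter()
    summary = defaultdict(lambda: {"accept": 0, "burst": 0, "hourly": 0})
    for ts, sender in sorted(events):
        summary[sender][limiter.check(sender, ts)] += 1
    return {sender: dict(verdicts) for sender, verdicts in summary.items()}


# Constructed traffic: a hijacked mailbox sends 2 mails/second for 5 minutes,
# while a normal user sends one mail every 10 minutes during the same hour.
STOLEN = [(t // 2, "stolen@example.org") for t in range(600)]
NORMAL = [(t, "user@example.org") for t in range(0, 3600, 600)]

if __name__ == "__main__":
    for sender, verdicts in simulate(STOLEN + NORMAL).items():
        print(sender, verdicts)
```

In this model the hijacked mailbox gets 45 mails out in the first minute and 15 more in the second, after which the hourly limit blocks it for the rest of the hour; the normal user is never affected.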

Services access information

MySQL

Account    Password                          Database   Description
root       1:eQUTODEsEy0pczwsfHkEE3gzDDpL    -all-      -all-
pd_uzdb1   1:8fvzjIn1h8vf9c3b9d3w1NCKjfS+    pd_db1     policyd main

Services list with short description

Postfix ; as MTA open relay
policyd (known as cluebringer) ; as policy daemon implementing additional mail rules to combat spam
MySQL ; hosts database for policyd
unbound ; caching / recursive DNS resolver
apache ; webserver (serves web interface for policyd, off by default)
policyd gui ; php frontend of the policyd

Important file locations for services

Postfix

/etc/postfix - main configuration directory for Postfix; the most notable config files are:
master.cf
main.cf
access - contains IP addresses and subnets that are allowed / denied relay

Cluebringer Policyd

/etc/policyd/cluebringer.conf - main configuration file

MySQL

/etc/my.cnf - main configuration file
/etc/my.cnf.d - directory for specific configuration files loaded via directive in my.cnf
/var/log/mysqld.log - main log file

unbound

/etc/unbound - directory containing whole unbound configuration
/etc/unbound/unbound.conf - main configuration file

Firewall

/etc/rc.d/fw-on - main firewall configuration file used by the firewall pseudo-service

Important file locations in general

PKI (public key infrastructure)

/etc/pki - main directory that contains all relevant information on certs, keys and bundles
/etc/pki/tls - general directory for key/cert/bundle storage; notable directories:
certs - contains certificate files
private - contains private key files for the aforementioned certificates
requests - optional directory, contains CSR files that were generated by tools like openssl

/etc/pki/_application_name_ - directory specific to some application, be it nginx, dovecot etc. The notable directories are the same.

General rule set by RH - certs and cert keys go into the app directory, unless they are used by several applications at once. If the cert file is to be used by several applications, it is placed in the general directory (/etc/pki/tls), and the application directories contain symlinks of the same name, pointing to these files.

How To:

Allow/Block address/subnet in smtp relay configuration

The access list works like a typical firewall: the first matching rule is used, so if you want to allow a subnet but block a specific address, list that address before the subnet.
Configuration is done in the /etc/postfix/access file; the syntax is simply an address or subnet followed by an action, for example:
109.205.76.16 REJECT
109.205.72 OK

Then run the "postmap" utility:
postmap /etc/postfix/access

Change postfix rate limits (the burst)

Edit the /etc/postfix/main.cf file; two parameters control the message rate:
smtpd_client_message_rate_limit - number of messages to allow per anvil_rate_time_unit
anvil_rate_time_unit - the time unit over which the number of messages still allowed is calculated
After saving the edit, run:
service postfix reload

Change policy rate limits (counters/period)

Log in to MySQL:
mysql -u pd_uzdb1 -p pd_db1
1) Counters
Get the list of available counters:
SELECT * FROM quotas_limits;

To edit the counter with a specific ID:
UPDATE quotas_limits SET CounterLimit=your_limit WHERE ID="the_id_youve_chosen";

Example:
UPDATE quotas_limits SET CounterLimit=100 WHERE ID="4";

2) Period
Get the list of available periods for policies:
SELECT * FROM quotas;

To edit the period with a specific ID:
UPDATE quotas SET Period=your_period WHERE ID="the_id_youve_chosen";

Example:
UPDATE quotas SET Period=1800 WHERE ID="3";


Created by darek. Last modification: Thursday, 12 March 2015 10:26:34 CET by deghost.