I've been getting interested in studying security in more depth, and one of the distros that ships a complete set of utilities is BackTrack. The same can be done with other distros such as Ubuntu, but I wanted a somewhat different environment, and with BackTrack everything is simply ready to use. So I ended up sacrificing the Ubuntu on my notebook and replacing it with BackTrack.
The preparation needed:
- Sufficient hard disk space, at least 4 GB.
- Download/buy the BackTrack CD/DVD
- Prepare the partitions, with gparted (GUI) for convenience, or fdisk (CLI), etc.
In this case I use the fdisk command.
First, boot the notebook from the BackTrack CD.
Check what is currently mounted:
bt ~ # mount
aufs on / type aufs (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/sda1 on /mnt/sda1 type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096)
/dev/sda2 on /mnt/sda2 type ext3 (rw,noatime)
Yesterday, 24 April 2008 at 16:03, Ubuntu officially released its new version 8.04 (Hardy Heron). Not wanting to wait any longer, I upgraded my system right away. The upgrade is very easy. There are several ways to upgrade to the newest version; here are the steps:
Before starting the upgrade, first make sure the packages of the previous version are at their latest; you can run the following command:
apt-get update
Then, if there is anything that needs updating, continue with the command
apt-get upgrade
To check the installed Ubuntu version:
root@proxyclub:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 7.10
Release: 7.10
Codename: gutsy
3 Debian Sarge
For volatile packages such as ClamAV (there are new ClamAV releases very often), there exists the Debian-volatile repository (for Sarge and Woody only at the time of this writing). To make sure that we install the latest ClamAV package, we edit /etc/apt/sources.list first and add the following line to it:
vi /etc/apt/sources.list
[...]
deb http://volatile.debian.net/debian-volatile sarge/volatile main contrib non-free
Afterwards we update our packages database by running:
apt-get update
Then we install amavisd-new, SpamAssassin, and ClamAV together with a few other programs (mainly programs that amavisd-new needs to unpack archives, because emails can contain archives as attachments):
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip unarj bzip2 unzoo libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop
You will be asked a few questions:
Virus database update method: <– daemon
Local database mirror site: <– db.de.clamav.net (Germany; select the mirror that is closest to you)
HTTP proxy information (leave blank for none): <– (blank)
Should clamd be notified after updates? <– Yes
Afterwards we must configure amavisd-new by editing /etc/amavis/amavisd.conf. This is a very long file with lots of comments. Most default settings are ok, however please make sure that the @bypass_virus_checks_acl and @bypass_spam_checks_acl lines are commented out because otherwise amavisd-new will not load the anti-spam/-virus code (in my copy the @bypass_spam_checks_acl line was active so I had to comment it out):
vi /etc/amavis/amavisd.conf
[...]
# @bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code
[...]
# @bypass_spam_checks_acl = qw( . ); # No default dependency on spamassassin
[...]
And then you should take a look at the spam settings and the actions for spam-/virus-mails in the same file. There’s no need to change anything if the default settings are ok for you. The file contains many explanations so there’s no need to explain the settings here:
[...]
$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_REJECT; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
[...]
$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
[...]
$QUARANTINEDIR = '/var/lib/amavis/virusmails';
#$virus_quarantine_method = "local:virus-%i-%n"; # default
#$spam_quarantine_method = "local:spam-%b-%i-%n"; # default
$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
$spam_quarantine_to = 'spam-quarantine';
[...]
$sa_local_tests_only = 1; # (default: false)
#$sa_auto_whitelist = 1; # turn on AWL (default: false)
# Timeout for SpamAssassin. This is only used if spamassassin does NOT
# override it (which it often does if sa_local_tests_only is not true)
$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin
# (default is 30 seconds, undef disables it)
# AWL (auto whitelisting), requires spamassassin 2.44 or better
# $sa_auto_whitelist = 1; # defaults to undef
$sa_mail_body_size_limit = 150*1024; # don't waste time on SA if mail is larger
# (less than 1% of spam is > 64k)
# default: undef, no limitations
# default values, can be overridden by more specific lookups, e.g. SQL
$sa_tag_level_deflt = 4.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
# at or above that level: bounce/reject/drop,
# quarantine, and adding mail address extension
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
# effectively turning D_BOUNCE into D_DISCARD;
# undef disables this feature and is a default;
$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
[...]
Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:
adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
Next we must edit the configuration file of the Freshclam daemon (that’s the daemon that regularly and automatically fetches the newest virus signatures from a ClamAV mirror) because it contains a small bug. Open /etc/clamav/freshclam.conf and modify the NotifyClamd line as shown below:
vi /etc/clamav/freshclam.conf
[...]
NotifyClamd /etc/clamav/clamd.conf
[...]
Then restart Freshclam (make sure no other Freshclam process (maybe of another ClamAV installation) is running because then our Freshclam will fail to start):
/etc/init.d/clamav-freshclam restart
Now we have to configure Postfix to pipe incoming email through amavisd-new:
postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'
Afterwards append the following lines to /etc/postfix/master.cf:
vi /etc/postfix/master.cf
[...]
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_bind_address=127.0.0.1
Then restart Postfix:
/etc/init.d/postfix restart
Now run
netstat -tap
and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024:
server1:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdo:10024 *:* LISTEN 4369/amavisd (maste
tcp 0 0 localhost.localdo:10025 *:* LISTEN 4895/master
tcp 0 0 *:874 *:* LISTEN 1964/rpc.statd
tcp 0 0 *:sunrpc *:* LISTEN 1553/portmap
tcp 0 0 *:auth *:* LISTEN 1932/inetd
tcp 0 0 *:smtp *:* LISTEN 4895/master
tcp6 0 0 *:imaps *:* LISTEN 3177/couriertcpd
tcp6 0 0 *:pop3s *:* LISTEN 3094/couriertcpd
tcp6 0 0 *:pop3 *:* LISTEN 3038/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 3129/couriertcpd
tcp6 0 0 *:ssh *:* LISTEN 1943/sshd
tcp6 0 0 *:smtp *:* LISTEN 4895/master
tcp6 0 148 localhost:ssh localhost:4631 ESTABLISHED2052/0
If you like you can now add Razor, Pyzor, and DCC to SpamAssassin to improve its filtering performance. Razor, Pyzor and DCC are spamfilters that use a collaborative filtering network. To install them, run
apt-get install razor pyzor dcc-client
Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:
vi /etc/spamassassin/local.cf
[...]
# dcc
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_add_header 1
dcc_dccifd_path /usr/sbin/dccifd
#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1
#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf
#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
Restart amavisd-new afterwards:
/etc/init.d/amavis restart
That’s it already. Now watch your mail log (/var/log/mail.log) to see if amavisd-new is working properly. amavisd-new will log whenever it finds a spam or virus email. When you (re)start amavisd-new it should also log that it loads its spam and virus scanning code (if not, you probably did something wrong).
For taking a live look at your mail log, you can use this command:
tail -f /var/log/mail.log
(Press CTRL + c to leave the log.)
Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 03/08/2007
This article shows how to integrate amavisd-new into a Postfix mail server for spam- and virus-scanning. amavisd-new is a high-performance interface between MTAs such as Postfix and content checkers: virus scanners, and/or SpamAssassin. We will use ClamAV for virus scanning and SpamAssassin for spam scanning in this tutorial.
I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
1 Preliminary Note
In this tutorial I will describe how to install/configure amavisd-new on Debian Etch/Ubuntu 6.10 Edgy Eft (the steps are identical for both distributions) and on Debian Sarge. The amavisd-new configuration is suitable for systems where system users are used for email accounts; if you use virtual users, a few modifications to the amavisd-new configuration might or might not be required (but that depends on the actual setup). If you use virtual email users, take a look at these two tutorials:
amavisd-new works like this: Postfix receives an email on port 25, passes it to amavisd-new on port 10024 which then invokes ClamAV and SpamAssassin, and afterwards amavisd-new re-injects the mail into Postfix on port 10025 which then finally delivers the mail (if it’s clean). Here’s a small layout of the process:
                                     [SpamAssassin]
                                            ^
                                            |
Email --> [(Port 25) Postfix] --> [(10024) amavisd-new] --> [(10025) Postfix] --> Mailbox
                                            |
                                            v
                                        [ClamAV]
I assume that Postfix and your email accounts are already set up and working as I don’t cover Postfix installation/configuration here.
All steps in this tutorial are done as root, so make sure you’re logged in as root.
2 Debian Etch/Ubuntu 6.10 Edgy Eft
First we install amavisd-new, SpamAssassin, and ClamAV together with a few other programs (mainly programs that amavisd-new needs to unpack archives, because emails can contain archives as attachments):
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 unzoo libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop
Afterwards we must configure amavisd-new. The configuration is split up in various files which reside in the /etc/amavis/conf.d directory. Take a look at each of them to become familiar with the configuration. Most settings are fine, however we must modify two files:
First we must enable ClamAV and SpamAssassin in /etc/amavis/conf.d/15-content_filter_mode by uncommenting the @bypass_virus_checks_maps and the @bypass_spam_checks_maps lines:
vi /etc/amavis/conf.d/15-content_filter_mode
The file should look like this:
use strict;
# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1; # insure a defined return
And then you should take a look at the spam settings and the actions for spam-/virus-mails in /etc/amavis/conf.d/20-debian_defaults. There’s no need to change anything if the default settings are ok for you. The file contains many explanations so there’s no need to explain the settings here:
vi /etc/amavis/conf.d/20-debian_defaults
$QUARANTINEDIR = "$MYHOME/virusmails";
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug'; # switch to info to drop debug output, etc
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$inet_socket_port = 10024; # default listening socket
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
[...]
$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA
$final_spam_destiny = D_BOUNCE;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
[...]
Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:
adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
Next we must edit the configuration file of the Freshclam daemon (that’s the daemon that regularly and automatically fetches the newest virus signatures from a ClamAV mirror) because it contains a small bug. Open /etc/clamav/freshclam.conf and modify the NotifyClamd line as shown below:
vi /etc/clamav/freshclam.conf
[...]
NotifyClamd /etc/clamav/clamd.conf
[...]
Then restart Freshclam (make sure no other Freshclam process (maybe of another ClamAV installation) is running because then our Freshclam will fail to start):
/etc/init.d/clamav-freshclam restart
Now we have to configure Postfix to pipe incoming email through amavisd-new:
postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'
Afterwards append the following lines to /etc/postfix/master.cf:
vi /etc/postfix/master.cf
[...]
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_bind_address=127.0.0.1
Then restart Postfix:
/etc/init.d/postfix restart
Now run
netstat -tap
and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024:
server1:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:4069 *:* LISTEN 3457/rpc.statd
tcp 0 0 localhost.localdo:10024 *:* LISTEN 6886/amavisd (maste
tcp 0 0 localhost.localdo:10025 *:* LISTEN 7268/master
tcp 0 0 *:sunrpc *:* LISTEN 3083/portmap
tcp 0 0 *:auth *:* LISTEN 3417/inetd
tcp 0 0 *:smtp *:* LISTEN 7268/master
tcp6 0 0 *:imaps *:* LISTEN 4952/couriertcpd
tcp6 0 0 *:pop3s *:* LISTEN 4872/couriertcpd
tcp6 0 0 *:pop3 *:* LISTEN 4815/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 4905/couriertcpd
tcp6 0 0 *:ssh *:* LISTEN 3438/sshd
tcp6 0 0 *:smtp *:* LISTEN 7268/master
tcp6 0 148 server1.example.com:ssh localhost:3117 ESTABLISHED3519/0
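The 10025 listener accepts mail with content_filter switched off, so it and the amavisd-new port should only ever be bound to loopback. The following check is an added example, not part of the original tutorial; it assumes numeric `netstat -tln` output, and the function names and sample listings are constructed for illustration.

```python
import ipaddress

# Ports the tutorial uses internally: amavisd-new listens on 10024 and the
# Postfix re-injection smtpd on 10025. Mail entering on 10025 is not filtered
# again, so neither port should be reachable from other hosts.
INTERNAL_PORTS = {10024, 10025}

# Constructed sample of `netstat -tln` output (numeric, so no truncated names).
SAMPLE_OK = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Constructed sample: the re-injection service bound to every interface, e.g.
# a master.cf entry written as "10025 inet" instead of "127.0.0.1:10025 inet".
SAMPLE_EXPOSED = SAMPLE_OK.replace("127.0.0.1:10025", "0.0.0.0:10025")


def parse_listeners(netstat_output):
    """Return (address, port) pairs for TCP sockets in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # header lines, UDP, established connections
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():  # skip service names; run netstat with -n
            listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards and names count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_internal_ports(netstat_output):
    """Internal ports with at least one listener that is not on loopback."""
    return sorted({port for addr, port in parse_listeners(netstat_output)
                   if port in INTERNAL_PORTS and not is_loopback(addr)})


def missing_internal_ports(netstat_output):
    """Internal ports with no listener at all (filter chain is broken)."""
    listening = {port for _, port in parse_listeners(netstat_output)}
    return sorted(INTERNAL_PORTS - listening)


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("exposed", SAMPLE_EXPOSED)):
        print(name, "exposed:", exposed_internal_ports(sample),
              "missing:", missing_internal_ports(sample))
```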
If you like you can now add Razor, Pyzor, and DCC to SpamAssassin to improve its filtering performance. Razor, Pyzor and DCC are spamfilters that use a collaborative filtering network. To install them, run
apt-get install razor pyzor dcc-client
Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:
vi /etc/spamassassin/local.cf
[...]
# dcc
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_add_header 1
dcc_dccifd_path /usr/sbin/dccifd
#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1
#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf
#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
Restart amavisd-new afterwards:
/etc/init.d/amavis restart
That’s it already. Now watch your mail log (/var/log/mail.log) to see if amavisd-new is working properly. amavisd-new will log whenever it finds a spam or virus email. When you (re)start amavisd-new it should also log that it loads its spam and virus scanning code (if not, you probably did something wrong).
For taking a live look at your mail log, you can use this command:
tail -f /var/log/mail.log
(Press CTRL + c to leave the log.)
Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 05/31/2007
The last few weeks have seen a dramatic increase in spam (once again). Estimates say that spam now makes up 80 - 90% of all emails, and many mail servers have difficulties managing the additional load caused by the latest spam, while spam filters such as SpamAssassin no longer recognize large parts of that spam as they did before. Fortunately, we can block a large amount of that spam at the MTA level, for example by using blacklists, running tests on the sender and recipient domains, etc. An additional benefit of doing this is that it lowers the load on the mail servers because the (resource-hungry) spam filters have to look at fewer emails.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
This is just a quick guide showing you how you can configure Postfix (2.x and 1.x) to block spam before it enters the server. It’s more or less self-explanatory. However, after applying this to your own mail server, you should check the mail log to make sure that no legitimate mails are blocked.
You should also take a look at this guide:
http://www.howtoforge.com/virtual_postfix_antispam
And this category: http://www.howtoforge.com/taxonomy_menu/1/78/24 has some more great anti-spam solutions.
2 Postfix 2.x
Open /etc/postfix/main.cf and place the following lines in it (replacing the respective settings if they exist):
vi /etc/postfix/main.cf
[...]
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
smtpd_recipient_restrictions =
  reject_invalid_hostname,
  reject_unknown_recipient_domain,
  reject_unauth_pipelining,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_rbl_client multi.uribl.com,
  reject_rbl_client dsn.rfc-ignorant.org,
  reject_rbl_client dul.dnsbl.sorbs.net,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client sbl-xbl.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client dnsbl.sorbs.net,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client combined.rbl.msrbl.net,
  reject_rbl_client rabl.nuclearelephant.com,
  permit
[...]
Restart Postfix afterwards:
/etc/init.d/postfix restart
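To follow the advice above about checking the mail log for blocked legitimate mail, the rejections can be grouped by the blacklist that caused them. This is an added example, not part of the original guide; the log lines are constructed in the format Postfix 2.x writes for rejected recipients, and the function names are illustrative.

```python
import re

# Constructed mail.log lines; hosts and addresses are documentation values.
SAMPLE_LOG = """\
Jun  6 19:02:10 server1 postfix/smtpd[4411]: connect from unknown[192.0.2.10]
Jun  6 19:02:11 server1 postfix/smtpd[4411]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?192.0.2.10; from=<offers@example.net> to=<someuser@example.com> proto=ESMTP helo=<example.net>
Jun  6 19:05:40 server1 postfix/smtpd[4420]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=198.51.100.7; from=<news@example.org> to=<someuser@example.com> proto=ESMTP helo=<mail.example.org>
Jun  6 19:09:02 server1 postfix/smtpd[4431]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.5]: 554 Service unavailable; Client host [203.0.113.5] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?203.0.113.5; from=<billing@partner.example> to=<someuser@example.com> proto=ESMTP helo=<mail.partner.example>
Jun  6 19:12:33 server1 postfix/smtpd[4440]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 <info@nodomain.invalid>: Sender address rejected: Domain not found; from=<info@nodomain.invalid> to=<someuser@example.com> proto=SMTP helo=<pc1>
"""

REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<text>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")


def parse_rejects(log_text):
    """Return one record per rejected RCPT: client IP, code, reason, sender domain."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # not a reject line
        zone = re.search(r"blocked using ([^;\s]+)", m["text"])
        if zone:
            reason = "rbl:" + zone.group(1)
        else:
            # Drop the leading "<address>: " and keep the restriction's message.
            reason = m["text"].split(": ", 1)[-1]
        rejects.append({
            "ip": m["ip"],
            "code": int(m["code"]),
            "reason": reason,
            "sender_domain": m["sender"].rpartition("@")[2].lower(),
        })
    return rejects


def rejects_by_reason(log_text):
    """Count rejections per DNSBL zone or per restriction message."""
    counts = {}
    for r in parse_rejects(log_text):
        counts[r["reason"]] = counts.get(r["reason"], 0) + 1
    return counts


def sender_domains_blocked_by(log_text, zone):
    """Sender domains rejected because of one DNSBL zone, for manual review."""
    return sorted({r["sender_domain"] for r in parse_rejects(log_text)
                   if r["reason"] == "rbl:" + zone})


if __name__ == "__main__":
    for reason, count in sorted(rejects_by_reason(SAMPLE_LOG).items()):
        print(count, reason)
    print(sender_domains_blocked_by(SAMPLE_LOG, "bl.spamcop.net"))
```

A sender domain you recognize in the per-zone list is the signal to reconsider that blacklist or whitelist the sending host.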
3 Postfix 1.x
Open /etc/postfix/main.cf and place the following lines in it (replacing the respective settings if they exist):
vi /etc/postfix/main.cf
[...]
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
maps_rbl_domains =
  multi.uribl.com,
  dsn.rfc-ignorant.org,
  dul.dnsbl.sorbs.net,
  list.dsbl.org,
  sbl-xbl.spamhaus.org,
  bl.spamcop.net,
  dnsbl.sorbs.net,
  cbl.abuseat.org,
  ix.dnsbl.manitu.net,
  combined.rbl.msrbl.net,
  rabl.nuclearelephant.com
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_maps_rbl,
  check_relay_domains
[...]
Restart Postfix afterwards:
/etc/init.d/postfix restart
4 More Blacklists
You can find more DNS & RHS blackhole lists that you can add to your Postfix configuration here: http://spamlinks.net/filter-dnsbl-lists.htm
Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 06/06/2007
In this tutorial I will show how you can set up a Postfix mailserver as a backup mail exchanger for a domain so that it accepts mails for this domain in case the primary mail exchanger is down or unreachable, and passes the mails on to the primary MX once that one is up again.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I want to set up a backup MX for the domain example.com. In this example the primary MX for example.com is called mx1.example.com (IP address 1.2.3.4), so I call the backup MX mx2.example.com (IP address 1.2.3.5).
I have created MX records for example.com that look like this:
example.com. 86400 IN MX 10 mx1.example.com.
example.com. 86400 IN MX 20 mx2.example.com.
It’s important that the primary MX has a lower number (10) and therefore a higher priority than the backup MX (20).
I’m assuming that the Postfix on mx2.example.com is already installed and working.
2 Configuring Postfix On mx2.example.com
To make mx2.example.com a backup MX for the domain example.com, all we have to do is change/add three lines to /etc/postfix/main.cf:
vi /etc/postfix/main.cf
First make sure that smtpd_recipient_restrictions contains permit_mynetworks and reject_unauth_destination, so something like this would be ok:
[...]
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination
[...]
Then we must add example.com to the relay_domains parameter; if there’s no relay_domains parameter yet in /etc/postfix/main.cf, the following will do:
[...]
relay_domains = $mydestination, example.com
[...]
And finally we add an empty relay_recipient_maps parameter to /etc/postfix/main.cf:
[...]
relay_recipient_maps =
[...]
(That way we don’t have to specify a list of valid email addresses to back up, which might be a daunting task if you have to manage hundreds of email accounts.)
There’s one important thing I have to add: You must not list example.com in the following parameters in /etc/postfix/main.cf:
- mydestination
- virtual_alias_domains
- virtual_mailbox_domains
That’s it already. All we have to do now is restart Postfix:
/etc/init.d/postfix restart
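The conditions from this section can be checked mechanically before restarting. This is an added example, not part of the original tutorial; the function names and sample configurations are constructed, and the parser compares literal values only (it does not expand `$parameter` references or read lookup tables).

```python
# Constructed main.cf for mx2.example.com following the steps above.
GOOD_MAIN_CF = """\
myhostname = mx2.example.com
mydestination = $myhostname, localhost
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination
relay_domains = $mydestination, example.com
relay_recipient_maps =
"""

# Constructed main.cf with the mistakes this section warns about.
BAD_MAIN_CF = """\
# example.com wrongly treated as a local domain
mydestination = $myhostname, localhost, example.com
smtpd_recipient_restrictions = permit_mynetworks, permit
relay_domains = $mydestination
"""


def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}.

    A line starting with whitespace continues the previous parameter;
    blank lines and '#' comment lines are ignored.
    """
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] = (params[current] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params


def as_list(value):
    """Split a comma- and/or whitespace-separated Postfix value."""
    return value.replace(",", " ").split()


def audit_backup_mx(main_cf_text, domain):
    """Return a list of findings; an empty list means the section's rules hold."""
    p = parse_main_cf(main_cf_text)
    findings = []
    restrictions = as_list(p.get("smtpd_recipient_restrictions", ""))
    for needed in ("permit_mynetworks", "reject_unauth_destination"):
        if needed not in restrictions:
            findings.append("smtpd_recipient_restrictions lacks " + needed)
    if domain not in as_list(p.get("relay_domains", "")):
        findings.append(domain + " is not in relay_domains")
    if "relay_recipient_maps" not in p:
        findings.append("relay_recipient_maps is not set")
    for forbidden in ("mydestination", "virtual_alias_domains",
                      "virtual_mailbox_domains"):
        if domain in as_list(p.get(forbidden, "")):
            findings.append(domain + " must not be listed in " + forbidden)
    return findings


if __name__ == "__main__":
    print(audit_backup_mx(GOOD_MAIN_CF, "example.com"))
    for finding in audit_backup_mx(BAD_MAIN_CF, "example.com"):
        print("FINDING:", finding)
```

Note that with an empty relay_recipient_maps the backup MX accepts mail for every address in the domain, existing or not, and leaves recipient validation to the primary.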
3 Testing
To test the new backup MX, we take down the MTA (Postfix, Sendmail, Exim, etc.) on mx1.example.com and send an email from some remote server to an example.com account (e.g. someuser@example.com).
If you have access to the mail log on the remote (sending) server, you should now find something like this in it:
Jun 6 18:29:16 mail postfix/smtp[17746]: AF814144146: to=<someuser@example.com>, relay=mx2.example.com[1.2.3.5], delay=1, status=sent (250 2.0.0 Ok: queued as DCA5A1BF40F)
As you see, the mail has been sent to mx2.example.com instead of mx1.example.com because mx1.example.com is unreachable. Now, let’s take a look at the mail log of mx2.example.com:
Jun 6 18:29:16 mx2 postfix/qmgr[3049]: DCA5A1BF40F: from=<falko@blabla.tld>, size=892, nrcpt=1 (queue active)
Jun 6 18:29:16 mx2 postfix/smtpd[3051]: disconnect from mail.blabla.tld[1.2.3.6]
Jun 6 18:29:16 mx2 postfix/smtp[3057]: connect to mx1.test1.de[1.2.3.4]: Connection refused (port 25)
Jun 6 18:29:16 mx2 postfix/smtp[3057]: DCA5A1BF40F: to=<someuser@example.com>, relay=none, delay=0.07, delays=0.03/0.02/0.01/0, dsn=4.4.1, status=deferred (connect to mx1.test1.de[1.2.3.4]: Connection refused)
mx2.example.com has accepted the mail and tried to connect to mx1.example.com to deliver it to the primary MX. Because the primary MX is down, mx2.example.com cannot deliver the mail and keeps it in the mailqueue until mx1.example.com is available again.
Now we start the MTA on mx1.example.com again. The backup MX will not immediately deliver the queued mail, but after some minutes you should see something like this in the mail log of mx2.example.com:
Jun 6 18:56:44 mx2 postfix/qmgr[3080]: DCA5A1BF40F: from=<falko@blabla.tld>, size=892, nrcpt=1 (queue active)
Jun 6 18:56:45 mx2 postfix/smtp[3083]: DCA5A1BF40F: to=<someuser@example.com>, relay=mx1.example.com[1.2.3.4]:25, delay=1648, delays=1648/0.09/0.4/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 167995B0109)
The mail has been delivered to the primary MX where you can see this in the mail log:
Jun 6 18:56:45 mx1 postfix/local[4963]: 167995B0109: to=<someuser@server1.example.com>, orig_to=<someuser@example.com>, relay=local, delay=0.54, delays=0.08/0.02/0/0.43, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
So no mails were lost while mx1.example.com was down, and users can continue to retrieve their mails from mx1.example.com.
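The same conclusion can be reached programmatically by following the "queued as" IDs from hop to hop. This is an added example, not part of the original tutorial; the log lines are the ones shown above, the function names are illustrative, and it assumes one recipient per message.

```python
import re

# Log lines copied from the tutorial's test run (sending server, mx2, mx1).
SAMPLE_LOG = """\
Jun 6 18:29:16 mail postfix/smtp[17746]: AF814144146: to=<someuser@example.com>, relay=mx2.example.com[1.2.3.5], delay=1, status=sent (250 2.0.0 Ok: queued as DCA5A1BF40F)
Jun 6 18:29:16 mx2 postfix/qmgr[3049]: DCA5A1BF40F: from=<falko@blabla.tld>, size=892, nrcpt=1 (queue active)
Jun 6 18:29:16 mx2 postfix/smtp[3057]: connect to mx1.test1.de[1.2.3.4]: Connection refused (port 25)
Jun 6 18:29:16 mx2 postfix/smtp[3057]: DCA5A1BF40F: to=<someuser@example.com>, relay=none, delay=0.07, delays=0.03/0.02/0.01/0, dsn=4.4.1, status=deferred (connect to mx1.test1.de[1.2.3.4]: Connection refused)
Jun 6 18:56:44 mx2 postfix/qmgr[3080]: DCA5A1BF40F: from=<falko@blabla.tld>, size=892, nrcpt=1 (queue active)
Jun 6 18:56:45 mx2 postfix/smtp[3083]: DCA5A1BF40F: to=<someuser@example.com>, relay=mx1.example.com[1.2.3.4]:25, delay=1648, delays=1648/0.09/0.4/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 167995B0109)
Jun 6 18:56:45 mx1 postfix/local[4963]: 167995B0109: to=<someuser@server1.example.com>, orig_to=<someuser@example.com>, relay=local, delay=0.54, delays=0.08/0.02/0/0.43, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
"""

LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+postfix/\w+\[\d+\]:\s+"
    r"(?P<qid>[0-9A-F]{6,}):\s+(?P<rest>.*)$")


def delivery_events(log_text):
    """Map each queue ID to its delivery attempts, in log order."""
    events = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # lines without a queue ID, e.g. "connect to ..."
        status = re.search(r"status=(\w+)", m["rest"])
        if not status:
            continue  # qmgr bookkeeping, not a delivery attempt
        relay = re.search(r"relay=([^,]+)", m["rest"])
        nxt = re.search(r"queued as ([0-9A-F]+)", m["rest"])
        events.setdefault(m["qid"], []).append({
            "host": m["host"],
            "qid": m["qid"],
            "relay": relay.group(1) if relay else None,
            "status": status.group(1),
            "next_qid": nxt.group(1) if nxt else None,
        })
    return events


def trace(log_text, first_qid):
    """Follow one message across servers via the 'queued as <ID>' replies."""
    events, hops, qid, seen = delivery_events(log_text), [], first_qid, set()
    while qid and qid not in seen:
        seen.add(qid)
        next_qid = None
        for ev in events.get(qid, []):
            hops.append(ev)
            next_qid = ev["next_qid"] or next_qid
        qid = next_qid
    return hops


def still_queued(log_text):
    """Queue IDs whose most recent delivery attempt did not end in status=sent."""
    return sorted(qid for qid, evs in delivery_events(log_text).items()
                  if evs[-1]["status"] != "sent")


if __name__ == "__main__":
    for hop in trace(SAMPLE_LOG, "AF814144146"):
        print(hop["host"], hop["qid"], hop["relay"], hop["status"])
    print("still queued:", still_queued(SAMPLE_LOG))
```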
It has been almost a year since the company started using Microsoft products; Linux has gone untouched, and I miss its console too. To be continued...