<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="de">
	<id>https://wiki.ixheim.de/index.php?action=history&amp;feed=atom&amp;title=Mail_Server_Nachbau</id>
	<title>Mail Server Nachbau - Versionsgeschichte</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.ixheim.de/index.php?action=history&amp;feed=atom&amp;title=Mail_Server_Nachbau"/>
	<link rel="alternate" type="text/html" href="https://wiki.ixheim.de/index.php?title=Mail_Server_Nachbau&amp;action=history"/>
	<updated>2026-07-10T10:13:35Z</updated>
	<subtitle>Versionsgeschichte dieser Seite in Xinux Wiki</subtitle>
	<generator>MediaWiki 1.35.1</generator>
	<entry>
		<id>https://wiki.ixheim.de/index.php?title=Mail_Server_Nachbau&amp;diff=71910&amp;oldid=prev</id>
		<title>Thomas.will: Die Seite wurde neu angelegt: „= Mailserver Nachbau: Postfix + Dovecot + Rspamd (it213.int) =  == Überblick == Diese Anleitung baut den kompletten Mailserver-Stack nach: Postfix (SMTP) →…“</title>
		<link rel="alternate" type="text/html" href="https://wiki.ixheim.de/index.php?title=Mail_Server_Nachbau&amp;diff=71910&amp;oldid=prev"/>
		<updated>2026-07-08T18:23:09Z</updated>

		<summary type="html">&lt;p&gt;Die Seite wurde neu angelegt: „= Mailserver Nachbau: Postfix + Dovecot + Rspamd (it213.int) =  == Überblick == Diese Anleitung baut den kompletten Mailserver-Stack nach: Postfix (SMTP) →…“&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Neue Seite&lt;/b&gt;&lt;/p&gt;&lt;div&gt;= Mailserver Nachbau: Postfix + Dovecot + Rspamd (it213.int) =&lt;br /&gt;
&lt;br /&gt;
== Überblick ==&lt;br /&gt;
Diese Anleitung baut den kompletten Mailserver-Stack nach: Postfix (SMTP) → Dovecot (IMAP/LMTP/Sieve) → Rspamd (Spam-Scoring, DKIM, Bayes-Lernen, Blacklists). Jede Datei ist komplett und copy-paste-fertig für die Domain &amp;lt;code&amp;gt;it213.int&amp;lt;/code&amp;gt;, Host &amp;lt;code&amp;gt;mail.it213.int&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
{{Hinweis|&lt;br /&gt;
Alle Dateien liegen auch fertig gepackt als &amp;lt;code&amp;gt;mailconfig-it213.tar.gz&amp;lt;/code&amp;gt; vor, inkl. &amp;lt;code&amp;gt;deploy.sh&amp;lt;/code&amp;gt; zum automatischen Ausrollen. Diese Anleitung zeigt dieselben Dateien einzeln mit Erklärung, für den Fall dass man Schritt für Schritt nachbauen statt nur ausrollen will.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Komponente !! Aufgabe !! Port(e)&lt;br /&gt;
|-&lt;br /&gt;
| Postfix || SMTP-Empfang/-Versand, übergibt an Rspamd (Milter) und Dovecot (LMTP) || 25, 465, 587&lt;br /&gt;
|-&lt;br /&gt;
| Dovecot || IMAP-Zustellung, Mailbox-Speicherung, Sieve-Filter || 143, 993, LMTP (Unix-Socket)&lt;br /&gt;
|-&lt;br /&gt;
| Rspamd || Spam-Scoring, DKIM-Signing, Bayes-Klassifikation, Blacklists || 11332 (Milter), 11334 (Controller)&lt;br /&gt;
|-&lt;br /&gt;
| Redis || Backend für Rspamd Bayes-Statistik || 6379&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== 1. Postfix installieren ==&lt;br /&gt;
* apt install postfix&lt;br /&gt;
&lt;br /&gt;
Bei der Installation: &amp;quot;Internet Site&amp;quot; wählen, Mailname = &amp;lt;code&amp;gt;it213.int&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/postfix/main.cf ===&lt;br /&gt;
Komplett, so einfügen:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)&lt;br /&gt;
biff = no&lt;br /&gt;
append_dot_mydomain = no&lt;br /&gt;
readme_directory = no&lt;br /&gt;
compatibility_level = 3.6&lt;br /&gt;
&lt;br /&gt;
myhostname = mail.it213.int&lt;br /&gt;
mydestination = $myhostname, mail.it213.int, localhost.it213.int, it213.int, localhost&lt;br /&gt;
myorigin = /etc/mailname&lt;br /&gt;
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128&lt;br /&gt;
inet_interfaces = all&lt;br /&gt;
inet_protocols = all&lt;br /&gt;
&lt;br /&gt;
alias_maps = hash:/etc/aliases&lt;br /&gt;
alias_database = hash:/etc/aliases&lt;br /&gt;
&lt;br /&gt;
home_mailbox = Maildir/&lt;br /&gt;
mailbox_command =&lt;br /&gt;
recipient_delimiter = +&lt;br /&gt;
message_size_limit = 31457280&lt;br /&gt;
mailbox_size_limit = 0&lt;br /&gt;
virtual_mailbox_limit = 31457280&lt;br /&gt;
&lt;br /&gt;
relayhost =&lt;br /&gt;
&lt;br /&gt;
smtpd_tls_cert_file = /etc/ssl/own.crt&lt;br /&gt;
smtpd_tls_key_file  = /etc/ssl/own.key&lt;br /&gt;
smtpd_tls_security_level = may&lt;br /&gt;
smtp_tls_CApath = /etc/ssl/certs&lt;br /&gt;
smtp_tls_security_level = may&lt;br /&gt;
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache&lt;br /&gt;
&lt;br /&gt;
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination&lt;br /&gt;
&lt;br /&gt;
smtpd_sasl_type = dovecot&lt;br /&gt;
smtpd_sasl_path = private/auth&lt;br /&gt;
smtpd_sasl_auth_enable = yes&lt;br /&gt;
&lt;br /&gt;
virtual_alias_maps = hash:/etc/postfix/virtual&lt;br /&gt;
&lt;br /&gt;
smtpd_milters = inet:127.0.0.1:11332&lt;br /&gt;
non_smtpd_milters = inet:127.0.0.1:11332&lt;br /&gt;
milter_default_action = accept&lt;br /&gt;
milter_protocol = 6&lt;br /&gt;
&lt;br /&gt;
mailbox_transport = lmtp:unix:private/dovecot-lmtp&lt;br /&gt;
virtual_transport = lmtp:unix:private/dovecot-lmtp&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{Achtung|&lt;br /&gt;
&amp;lt;code&amp;gt;smtpd_tls_cert_file&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;_key_file&amp;lt;/code&amp;gt; zeigen hier auf &amp;lt;code&amp;gt;/etc/ssl/own.crt&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;own.key&amp;lt;/code&amp;gt; – eigenes Zertifikat vorher dort ablegen (oder Let's Encrypt nutzen und Pfad anpassen). Ohne gültiges Cert startet Postfix zwar, aber TLS funktioniert nicht richtig.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
{{Achtung|&lt;br /&gt;
&amp;lt;code&amp;gt;smtpd_relay_restrictions&amp;lt;/code&amp;gt; ist zwingend korrekt zu setzen – ohne diese Zeile oder in falscher Reihenfolge läuft der Server als offenes Relay.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/postfix/master.cf ===&lt;br /&gt;
Komplett, ersetzt die Standarddatei:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
#&lt;br /&gt;
# Postfix master process configuration file.&lt;br /&gt;
#&lt;br /&gt;
# ==========================================================================&lt;br /&gt;
# service type  private unpriv  chroot  wakeup  maxproc command + args&lt;br /&gt;
#               (yes)   (yes)   (no)    (never) (100)&lt;br /&gt;
# ==========================================================================&lt;br /&gt;
smtp      inet  n       -       y       -       -       smtpd&lt;br /&gt;
&lt;br /&gt;
submission inet n       -       y       -       -       smtpd&lt;br /&gt;
  -o syslog_name=postfix/submission&lt;br /&gt;
  -o smtpd_tls_security_level=encrypt&lt;br /&gt;
  -o smtpd_sasl_auth_enable=yes&lt;br /&gt;
  -o smtpd_reject_unlisted_recipient=no&lt;br /&gt;
&lt;br /&gt;
smtps     inet  n       -       y       -       -       smtpd&lt;br /&gt;
  -o smtpd_tls_wrappermode=yes&lt;br /&gt;
  -o smtpd_sasl_auth_enable=yes&lt;br /&gt;
  -o smtpd_milters=inet:127.0.0.1:11332&lt;br /&gt;
&lt;br /&gt;
pickup    unix  n       -       y       60      1       pickup&lt;br /&gt;
cleanup   unix  n       -       y       -       0       cleanup&lt;br /&gt;
qmgr      unix  n       -       n       300     1       qmgr&lt;br /&gt;
tlsmgr    unix  -       -       y       1000?   1       tlsmgr&lt;br /&gt;
rewrite   unix  -       -       y       -       -       trivial-rewrite&lt;br /&gt;
bounce    unix  -       -       y       -       0       bounce&lt;br /&gt;
defer     unix  -       -       y       -       0       bounce&lt;br /&gt;
trace     unix  -       -       y       -       0       bounce&lt;br /&gt;
verify    unix  -       -       y       -       1       verify&lt;br /&gt;
flush     unix  n       -       y       1000?   0       flush&lt;br /&gt;
proxymap  unix  -       -       n       -       -       proxymap&lt;br /&gt;
proxywrite unix -       -       n       -       1       proxymap&lt;br /&gt;
smtp      unix  -       -       y       -       -       smtp&lt;br /&gt;
relay     unix  -       -       y       -       -       smtp&lt;br /&gt;
        -o syslog_name=postfix/$service_name&lt;br /&gt;
showq     unix  n       -       y       -       -       showq&lt;br /&gt;
error     unix  -       -       y       -       -       error&lt;br /&gt;
retry     unix  -       -       y       -       -       error&lt;br /&gt;
discard   unix  -       -       y       -       -       discard&lt;br /&gt;
local     unix  -       n       n       -       -       local&lt;br /&gt;
virtual   unix  -       n       n       -       -       virtual&lt;br /&gt;
lmtp      unix  -       -       y       -       -       lmtp&lt;br /&gt;
anvil     unix  -       -       y       -       1       anvil&lt;br /&gt;
scache    unix  -       -       y       -       1       scache&lt;br /&gt;
postlog   unix-dgram n  -       n       -       1       postlogd&lt;br /&gt;
&lt;br /&gt;
maildrop  unix  -       n       n       -       -       pipe&lt;br /&gt;
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}&lt;br /&gt;
&lt;br /&gt;
uucp      unix  -       n       n       -       -       pipe&lt;br /&gt;
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)&lt;br /&gt;
&lt;br /&gt;
ifmail    unix  -       n       n       -       -       pipe&lt;br /&gt;
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)&lt;br /&gt;
bsmtp     unix  -       n       n       -       -       pipe&lt;br /&gt;
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient&lt;br /&gt;
scalemail-backend unix -       n       n       -       2       pipe&lt;br /&gt;
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}&lt;br /&gt;
mailman   unix  -       n       n       -       -       pipe&lt;br /&gt;
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{Hinweis|&lt;br /&gt;
&amp;lt;code&amp;gt;submission&amp;lt;/code&amp;gt; (587) = STARTTLS, &amp;lt;code&amp;gt;smtps&amp;lt;/code&amp;gt; (465) = TLS direkt (Wrapper-Mode). Beide brauchen SASL-Auth, damit Clients (Roundcube etc.) sich anmelden können.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
=== Test Postfix ===&lt;br /&gt;
* postfix check&lt;br /&gt;
* systemctl restart postfix&lt;br /&gt;
* systemctl status postfix&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== 2. Dovecot installieren ==&lt;br /&gt;
* apt install dovecot-imapd dovecot-lmtpd dovecot-sieve&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/conf.d/10-master.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
service imap-login {&lt;br /&gt;
  inet_listener imap {&lt;br /&gt;
    port = 143&lt;br /&gt;
  }&lt;br /&gt;
  inet_listener imaps {&lt;br /&gt;
    port = 993&lt;br /&gt;
    ssl = yes&lt;br /&gt;
  }&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
service pop3-login {&lt;br /&gt;
  inet_listener pop3 {&lt;br /&gt;
    port = 110&lt;br /&gt;
  }&lt;br /&gt;
  inet_listener pop3s {&lt;br /&gt;
    port = 995&lt;br /&gt;
    ssl = yes&lt;br /&gt;
  }&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
service lmtp {&lt;br /&gt;
  unix_listener /var/spool/postfix/private/dovecot-lmtp {&lt;br /&gt;
    mode = 0600&lt;br /&gt;
    user = postfix&lt;br /&gt;
    group = postfix&lt;br /&gt;
  }&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
service imap {&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
service pop3 {&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
service auth {&lt;br /&gt;
  unix_listener auth-userdb {&lt;br /&gt;
  }&lt;br /&gt;
&lt;br /&gt;
  unix_listener /var/spool/postfix/private/auth {&lt;br /&gt;
    mode = 0660&lt;br /&gt;
    user = postfix&lt;br /&gt;
    group = postfix&lt;br /&gt;
  }&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
service auth-worker {&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
service dict {&lt;br /&gt;
  unix_listener dict {&lt;br /&gt;
  }&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{Hinweis|&lt;br /&gt;
Die beiden &amp;lt;code&amp;gt;unix_listener&amp;lt;/code&amp;gt;-Blöcke unter &amp;lt;code&amp;gt;service lmtp&amp;lt;/code&amp;gt; und &amp;lt;code&amp;gt;service auth&amp;lt;/code&amp;gt; sind die Kopplung zu Postfix – ohne die kann Postfix weder Mails an Dovecot übergeben noch SASL-Auth durchführen. &amp;lt;code&amp;gt;mode&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;user&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;group&amp;lt;/code&amp;gt; müssen exakt so gesetzt sein, sonst Permission-Fehler.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/conf.d/10-auth.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
disable_plaintext_auth = no&lt;br /&gt;
auth_username_format = %n&lt;br /&gt;
auth_mechanisms = plain&lt;br /&gt;
!include auth-system.conf.ext&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{Achtung|&lt;br /&gt;
&amp;lt;code&amp;gt;disable_plaintext_auth = no&amp;lt;/code&amp;gt; ist nur vertretbar, weil TLS im &amp;lt;code&amp;gt;submission&amp;lt;/code&amp;gt;-Block erzwungen wird (&amp;lt;code&amp;gt;smtpd_tls_security_level=encrypt&amp;lt;/code&amp;gt;). TLS verschlüsselt die Verbindung, bevor die Klartext-Auth übertragen wird.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/conf.d/20-lmtp.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
protocol lmtp {&lt;br /&gt;
  mail_plugins = $mail_plugins sieve&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/conf.d/20-imap.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
protocol imap {&lt;br /&gt;
  mail_plugins = $mail_plugins imap_sieve&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/conf.d/15-mailboxes.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
namespace inbox {&lt;br /&gt;
  mailbox Drafts {&lt;br /&gt;
    auto = subscribe&lt;br /&gt;
    special_use = \Drafts&lt;br /&gt;
  }&lt;br /&gt;
  mailbox Junk {&lt;br /&gt;
    auto = subscribe&lt;br /&gt;
    special_use = \Junk&lt;br /&gt;
  }&lt;br /&gt;
  mailbox Trash {&lt;br /&gt;
    auto = subscribe&lt;br /&gt;
    special_use = \Trash&lt;br /&gt;
  }&lt;br /&gt;
  mailbox Sent {&lt;br /&gt;
    auto = subscribe&lt;br /&gt;
    special_use = \Sent&lt;br /&gt;
  }&lt;br /&gt;
  mailbox &amp;quot;Sent Messages&amp;quot; {&lt;br /&gt;
    special_use = \Sent&lt;br /&gt;
  }&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Test Dovecot ===&lt;br /&gt;
* doveconf -n&lt;br /&gt;
* systemctl restart dovecot&lt;br /&gt;
* openssl s_client -connect 127.0.0.1:993 -quiet&lt;br /&gt;
&lt;br /&gt;
Erwartete Antwort: &amp;lt;code&amp;gt;* OK [CAPABILITY IMAP4rev1 ...] Dovecot ready.&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== 3. Sieve: Spam automatisch einsortieren ==&lt;br /&gt;
&lt;br /&gt;
=== Datei: /var/lib/dovecot/sieve/spam-to-junk.sieve ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require [&amp;quot;fileinto&amp;quot;];&lt;br /&gt;
if header :contains &amp;quot;X-Spam&amp;quot; &amp;quot;Yes&amp;quot; {&lt;br /&gt;
    fileinto &amp;quot;INBOX.Junk&amp;quot;;&lt;br /&gt;
    stop;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* mkdir -p /var/lib/dovecot/sieve&lt;br /&gt;
* sievec /var/lib/dovecot/sieve/spam-to-junk.sieve&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== 4. IMAPSieve: automatisches Bayes-Lernen ==&lt;br /&gt;
Wenn eine Mail manuell nach Junk verschoben wird (oder raus), soll Rspamd automatisch daraus lernen.&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/sieve/learn-spam.sieve ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require [&amp;quot;vnd.dovecot.pipe&amp;quot;, &amp;quot;copy&amp;quot;, &amp;quot;imapsieve&amp;quot;, &amp;quot;environment&amp;quot;, &amp;quot;variables&amp;quot;];&lt;br /&gt;
&lt;br /&gt;
if environment :matches &amp;quot;imap.mailbox&amp;quot; &amp;quot;*&amp;quot; {&lt;br /&gt;
    set &amp;quot;mailbox&amp;quot; &amp;quot;${1}&amp;quot;;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
if string &amp;quot;${mailbox}&amp;quot; &amp;quot;Trash&amp;quot; {&lt;br /&gt;
    stop;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
pipe :copy &amp;quot;rspamd-learn-spam.sh&amp;quot;;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/sieve/learn-ham.sieve ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require [&amp;quot;vnd.dovecot.pipe&amp;quot;, &amp;quot;copy&amp;quot;, &amp;quot;imapsieve&amp;quot;, &amp;quot;environment&amp;quot;, &amp;quot;variables&amp;quot;];&lt;br /&gt;
&lt;br /&gt;
if environment :matches &amp;quot;imap.mailbox&amp;quot; &amp;quot;*&amp;quot; {&lt;br /&gt;
    set &amp;quot;mailbox&amp;quot; &amp;quot;${1}&amp;quot;;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
if string &amp;quot;${mailbox}&amp;quot; &amp;quot;Junk&amp;quot; {&lt;br /&gt;
    stop;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
pipe :copy &amp;quot;rspamd-learn-ham.sh&amp;quot;;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* mkdir -p /etc/dovecot/sieve&lt;br /&gt;
* sievec /etc/dovecot/sieve/learn-spam.sieve&lt;br /&gt;
* sievec /etc/dovecot/sieve/learn-ham.sieve&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/sieve-pipe/rspamd-learn-spam.sh ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
#!/bin/bash&lt;br /&gt;
exec /usr/bin/rspamc learn_spam&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/sieve-pipe/rspamd-learn-ham.sh ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
#!/bin/bash&lt;br /&gt;
exec /usr/bin/rspamc learn_ham&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* mkdir -p /etc/dovecot/sieve-pipe&lt;br /&gt;
* chmod +x /etc/dovecot/sieve-pipe/*.sh&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/dovecot/conf.d/90-sieve.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
plugin {&lt;br /&gt;
    sieve = ~/.dovecot.sieve&lt;br /&gt;
    sieve_before = /var/lib/dovecot/sieve/spam-to-junk.sieve&lt;br /&gt;
    sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment&lt;br /&gt;
    sieve_plugins = sieve_imapsieve sieve_extprograms&lt;br /&gt;
    sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe&lt;br /&gt;
&lt;br /&gt;
    imapsieve_mailbox1_name = INBOX.Junk&lt;br /&gt;
    imapsieve_mailbox1_causes = COPY&lt;br /&gt;
    imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve&lt;br /&gt;
&lt;br /&gt;
    imapsieve_mailbox2_name = *&lt;br /&gt;
    imapsieve_mailbox2_from = INBOX.Junk&lt;br /&gt;
    imapsieve_mailbox2_causes = COPY&lt;br /&gt;
    imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{Achtung|&lt;br /&gt;
&amp;lt;code&amp;gt;imapsieve_mailbox1_name&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;_from&amp;lt;/code&amp;gt; müssen &amp;lt;code&amp;gt;INBOX.Junk&amp;lt;/code&amp;gt; heißen (mit Präfix), nicht nur &amp;lt;code&amp;gt;Junk&amp;lt;/code&amp;gt; – auch wenn &amp;lt;code&amp;gt;doveconf -n&amp;lt;/code&amp;gt; einen leeren &amp;lt;code&amp;gt;prefix&amp;lt;/code&amp;gt;-Wert zeigt. Das ist der interne Name, den Dovecot beim Maildir++-Layout verwendet. Falscher Name ist die häufigste Ursache, dass die Regel nie feuert, ohne Fehlermeldung im Log. Zur Diagnose: &amp;lt;code&amp;gt;journalctl -u dovecot -f | grep -i imapsieve&amp;lt;/code&amp;gt; beim Testverschieben mitlaufen lassen, auf die Zeile &amp;lt;code&amp;gt;mailbox X: MOVE event&amp;lt;/code&amp;gt; achten – X ist der korrekte Name für die Regel.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
=== Test Lernen ===&lt;br /&gt;
Mail in Roundcube nach Junk verschieben, dann:&lt;br /&gt;
* rspamc stat | grep -i bayes&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;learned&amp;lt;/code&amp;gt; bei BAYES_SPAM muss um 1 steigen. Rückweg (Junk → Inbox) für BAYES_HAM entsprechend testen.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== 5. Rspamd installieren ==&lt;br /&gt;
* apt install rspamd redis-server&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/local.d/redis.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
servers = &amp;quot;127.0.0.1:6379&amp;quot;;&lt;br /&gt;
timeout = 1s;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/local.d/classifier-bayes.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
backend = &amp;quot;redis&amp;quot;;&lt;br /&gt;
new_schema = true;&lt;br /&gt;
expire = 8640000;&lt;br /&gt;
&lt;br /&gt;
autolearn {&lt;br /&gt;
  spam_threshold = 12.0;&lt;br /&gt;
  ham_threshold = -2.0;&lt;br /&gt;
  check_balance = true;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/local.d/actions.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
reject = 15;&lt;br /&gt;
greylist = 4;&lt;br /&gt;
add_header = 6;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{Hinweis|&lt;br /&gt;
Diese Werte legen fest, ab welchem Spam-Score was passiert. &amp;lt;code&amp;gt;greylist&amp;lt;/code&amp;gt; niedrig, &amp;lt;code&amp;gt;add_header&amp;lt;/code&amp;gt; mittel, &amp;lt;code&amp;gt;reject&amp;lt;/code&amp;gt; hoch – bewusst wählen, nicht auf 999 setzen, sonst ist die Aktion faktisch deaktiviert.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/local.d/worker-proxy.inc ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
milter = yes;&lt;br /&gt;
timeout = 120s;&lt;br /&gt;
upstream &amp;quot;local&amp;quot; {&lt;br /&gt;
  default = yes;&lt;br /&gt;
  self_scan = yes;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/local.d/milter_headers.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
use = [&amp;quot;x-spamd-bar&amp;quot;, &amp;quot;x-spam-level&amp;quot;, &amp;quot;x-spam-status&amp;quot;, &amp;quot;authentication-results&amp;quot;];&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/override.d/worker-controller.inc ===&lt;br /&gt;
Passwort-Hash vorher erzeugen:&lt;br /&gt;
* rspamadm pw&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
password = &amp;quot;HASH_HIER_EINFÜGEN&amp;quot;;&lt;br /&gt;
enable_password = &amp;quot;HASH_HIER_EINFÜGEN&amp;quot;;&lt;br /&gt;
bind_socket = [&lt;br /&gt;
    &amp;quot;localhost:11334&amp;quot;,&lt;br /&gt;
    &amp;quot;/run/rspamd/controller.sock mode=0660&amp;quot;&lt;br /&gt;
];&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Test Rspamd ===&lt;br /&gt;
* systemctl restart rspamd&lt;br /&gt;
* rspamc stat&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== 6. DKIM-Signing ==&lt;br /&gt;
&lt;br /&gt;
Key erzeugen:&lt;br /&gt;
* rspamadm dkim_keygen -b 2048 -s dkim -d it213.int -k /var/lib/rspamd/dkim/it213.int.dkim.key&lt;br /&gt;
&lt;br /&gt;
Die Ausgabe ist der DNS-TXT-Record für &amp;lt;code&amp;gt;dkim._domainkey.it213.int&amp;lt;/code&amp;gt; – bei eurem DNS-Provider eintragen.&lt;br /&gt;
&lt;br /&gt;
Rechte setzen:&lt;br /&gt;
* chown _rspamd:_rspamd /var/lib/rspamd/dkim/it213.int.dkim.key&lt;br /&gt;
* chmod 600 /var/lib/rspamd/dkim/it213.int.dkim.key&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/local.d/dkim_signing.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
domain {&lt;br /&gt;
  it213.int {&lt;br /&gt;
    selectors [&lt;br /&gt;
      {&lt;br /&gt;
        path = &amp;quot;/var/lib/rspamd/dkim/it213.int.dkim.key&amp;quot;;&lt;br /&gt;
        selector = &amp;quot;dkim&amp;quot;;&lt;br /&gt;
      }&lt;br /&gt;
    ]&lt;br /&gt;
  }&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Test DKIM ===&lt;br /&gt;
* systemctl reload rspamd&lt;br /&gt;
* echo -e &amp;quot;From: test@it213.int\nTo: test@example.com\nSubject: Test\n\nBody&amp;quot; | rspamc symbols&lt;br /&gt;
&lt;br /&gt;
Symbol &amp;lt;code&amp;gt;DKIM_SIGNED&amp;lt;/code&amp;gt; muss im Output erscheinen.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== 7. Blacklist / Whitelist ==&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/local.d/modules.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
multimap {&lt;br /&gt;
  enabled = true;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/local.d/multimap.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
WHITELIST_SENDER_DOMAIN {&lt;br /&gt;
    type = &amp;quot;from&amp;quot;;&lt;br /&gt;
    filter = &amp;quot;email:domain&amp;quot;;&lt;br /&gt;
    map = &amp;quot;/etc/rspamd/local.d/lists/whitelist.sender.domain.map&amp;quot;;&lt;br /&gt;
    action = &amp;quot;accept&amp;quot;;&lt;br /&gt;
    symbol = &amp;quot;WHITELISTED_DOMAIN&amp;quot;;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
WHITELIST_SENDER_EMAIL {&lt;br /&gt;
    type = &amp;quot;from&amp;quot;;&lt;br /&gt;
    map = &amp;quot;/etc/rspamd/local.d/lists/whitelist.sender.email.map&amp;quot;;&lt;br /&gt;
    action = &amp;quot;accept&amp;quot;;&lt;br /&gt;
    symbol = &amp;quot;WHITELISTED_ADDRESS&amp;quot;;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
BLACKLIST_SENDER_DOMAIN {&lt;br /&gt;
    type = &amp;quot;from&amp;quot;;&lt;br /&gt;
    filter = &amp;quot;email:domain&amp;quot;;&lt;br /&gt;
    map = &amp;quot;/etc/rspamd/local.d/lists/blacklist.sender.domain.map&amp;quot;;&lt;br /&gt;
    action = &amp;quot;reject&amp;quot;;&lt;br /&gt;
    symbol = &amp;quot;BLACKLISTED_DOMAIN&amp;quot;;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
BLACKLIST_SENDER_EMAIL {&lt;br /&gt;
    type = &amp;quot;header&amp;quot;;&lt;br /&gt;
    header = &amp;quot;From&amp;quot;;&lt;br /&gt;
    filter = &amp;quot;email&amp;quot;;&lt;br /&gt;
    map = &amp;quot;/etc/rspamd/local.d/lists/blacklist.sender.email.map&amp;quot;;&lt;br /&gt;
    action = &amp;quot;reject&amp;quot;;&lt;br /&gt;
    symbol = &amp;quot;BLACKLISTED_ADDRESS&amp;quot;;&lt;br /&gt;
    regexp = false;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
BLOCKLIST_IP {&lt;br /&gt;
    type = &amp;quot;ip&amp;quot;;&lt;br /&gt;
    map = &amp;quot;/etc/rspamd/local.d/lists/blockip.map&amp;quot;;&lt;br /&gt;
    prefilter = true;&lt;br /&gt;
    action = &amp;quot;reject&amp;quot;;&lt;br /&gt;
    symbol = &amp;quot;BLOCKLIST_IP&amp;quot;;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
ALLOWLIST_IP {&lt;br /&gt;
    type = &amp;quot;ip&amp;quot;;&lt;br /&gt;
    map = &amp;quot;/etc/rspamd/local.d/lists/allowip.map&amp;quot;;&lt;br /&gt;
    prefilter = true;&lt;br /&gt;
    action = &amp;quot;accept&amp;quot;;&lt;br /&gt;
    symbol = &amp;quot;ALLOWLIST_IP&amp;quot;;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Maps anlegen (eine Adresse/Domain/IP pro Zeile):&lt;br /&gt;
* mkdir -p /etc/rspamd/local.d/lists&lt;br /&gt;
* touch /etc/rspamd/local.d/lists/{whitelist.sender.domain.map,whitelist.sender.email.map,blacklist.sender.domain.map,blacklist.sender.email.map,blockip.map,allowip.map}&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== 8. Virenscanner (ClamAV) ==&lt;br /&gt;
&lt;br /&gt;
{{Achtung|&lt;br /&gt;
Neuaufbau, kein dokumentierter Ist-Zustand einer laufenden Referenz. Vor Produktiveinsatz selbst durchtesten.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
* apt install clamav-daemon&lt;br /&gt;
* systemctl enable --now clamav-daemon&lt;br /&gt;
* freshclam&lt;br /&gt;
&lt;br /&gt;
=== Datei: /etc/rspamd/local.d/antivirus.conf ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
clamav {&lt;br /&gt;
  action = &amp;quot;reject&amp;quot;;&lt;br /&gt;
  symbol = &amp;quot;CLAM_VIRUS&amp;quot;;&lt;br /&gt;
  type = &amp;quot;clamav&amp;quot;;&lt;br /&gt;
  servers = &amp;quot;/var/run/clamav/clamd.ctl&amp;quot;;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Test ===&lt;br /&gt;
* curl -o /tmp/eicar.txt https://secure.eicar.org/eicar.com.txt&lt;br /&gt;
* rspamc symbols &amp;lt; /tmp/eicar.txt&lt;br /&gt;
&lt;br /&gt;
Symbol &amp;lt;code&amp;gt;CLAM_VIRUS&amp;lt;/code&amp;gt; muss erscheinen.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== 9. End-to-End-Verifikation ==&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Funktion !! Testbefehl !! Erwartetes Ergebnis&lt;br /&gt;
|-&lt;br /&gt;
| Postfix läuft || systemctl status postfix || active (running)&lt;br /&gt;
|-&lt;br /&gt;
| Dovecot läuft || systemctl status dovecot || active (running)&lt;br /&gt;
|-&lt;br /&gt;
| TLS-Cert korrekt || openssl s_client -connect mail.it213.int:993 || richtiges Cert&lt;br /&gt;
|-&lt;br /&gt;
| Rspamd scannt || rspamc stat || Scanned-Counter &amp;gt; 0&lt;br /&gt;
|-&lt;br /&gt;
| DKIM signiert || rspamc symbols (Testmail) || Symbol DKIM_SIGNED&lt;br /&gt;
|-&lt;br /&gt;
| Bayes lernt (Spam) || Mail nach Junk verschieben, rspamc stat || BAYES_SPAM learned +1&lt;br /&gt;
|-&lt;br /&gt;
| Bayes lernt (Ham) || Mail aus Junk raus, rspamc stat || BAYES_HAM learned +1&lt;br /&gt;
|-&lt;br /&gt;
| ClamAV aktiv || EICAR-Test || Symbol CLAM_VIRUS&lt;br /&gt;
|-&lt;br /&gt;
| Blacklist wirkt || Testmail von geblockter Domain/IP || Reject bzw. BLACKLISTED_*-Symbol&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{{Hinweis|&lt;br /&gt;
Checkliste eignet sich auch zur Wiederholung nach Updates/Config-Änderungen, um schnell zu sehen was kaputtgegangen ist.&lt;br /&gt;
}}&lt;/div&gt;</summary>
		<author><name>Thomas.will</name></author>
	</entry>
</feed>