               Using Greylisting in FreeBSD

  Tom Rhodes

   <trhodes@FreeBSD.org>

   Revision: 43126

   Copyright (c) 2004 The FreeBSD Documentation Project

   2013-11-07 gabor.
   Abstract

   This article was written solely to describe the relaydelay technology on
   a FreeBSD mail server. A server using relaydelay, or greylisting, reduces
   the amount of spam simply by issuing a TEMPFAIL diagnostic for every
   incoming mail message. The idea behind this technology is that most
   spammers use their own personal computers and specialized software to do
   their work. A real mail server is required to queue the message and
   attempt delivery again later. Thus the spammer will most likely move on
   to the next host instead of trying to send the message again. This is a
   great idea, at least until spammers start using software that retries
   delivery. But how exactly does it work? When a mail message is received,
   the message ID is stored in a database and TEMPFAIL is returned along
   with the message. If the message is sent again, its ID is checked
   against the message IDs stored in the database. If it exists in the
   database, the message is allowed to be delivered to its destination.
   Otherwise the ID is stored and TEMPFAIL is returned. This cycle repeats
   for every message arriving at the server. In my personal experience,
   this really cuts out 90% of spam.

     ----------------------------------------------------------------------

   Contents

   1. Basic Setup

1. Basic Setup

   We need perl with thread support. Install lang/perl5.8 with the
   USE_THREADS=yes variable set. It may first be necessary to remove the
   current version of perl; errors during the installation will indicate
   whether this is needed.

  Note:

   This will require every port that depends on perl to be rebuilt and
   reinstalled; ports-mgmt/portupgrade is well suited for this. At the very
   least, it will show which ports were removed and which need to be
   reinstalled.

   Now for the database server; MySQL is well suited to this kind of work.
   Install databases/mysql40-server along with databases/p5-DBD-mysql40.
   The latter port should pull in databases/p5-DBI-137, so one step can be
   skipped.

   Install the portable pluggable perl-based server module, port
   net/p5-Net-Daemon. Most of these port installations should go without
   problems. The next step will be more labor-intensive.

   Now install the mail/p5-Sendmail-Milter port. At the time of this
   writing, the Makefile contained a line beginning with BROKEN; simply
   remove or comment it out. It is marked that way only because FreeBSD did
   not enable or install a perl package with thread support by default.
   After removing that line, it should build and install without errors.

   Create a directory to hold the temporary configuration files:

 # mkdir /tmp/relaydelay
 # cd /tmp/relaydelay

   Now that we have a temporary working directory, pass the following URLs
   to the fetch command:

 # fetch http://projects.puremagic.com/greylisting/releases/relaydelay-0.04.tgz
 # fetch http://lists.puremagic.com/pipermail/greylist-users/attachments/20030904/b8dafed9/relaydelay-0.04.bin

   Now extract the source code:

 # gunzip -c relaydelay-0.04.tgz | tar xvf -

   At this point there should be several files in the temporary directory.
   The required information can now be passed to the database server by
   importing it from the mysql.sql file:

 # mysql < relaydelay-0.04/mysql.sql

   Apply the relaydelay.bin patch to the remaining files by running the
   following command:

 # patch -d /tmp/relaydelay/relaydelay-0.04 < relaydelay.bin

   Edit the relaydelay.conf and db_maintenance.pl files, adding the correct
   username and password for the MySQL database. If the database was built
   and installed as described above, it has no users or passwords. This
   situation should be corrected before placing the system into production;
   that is covered by the database documentation and is beyond the scope of
   this article.

   Change the working directory to relaydelay-0.04:

 # cd relaydelay-0.04

   Copy or move the configuration files into the appropriate directories:

 # mv db_maintenance.pl relaydelay.pl /usr/local/sbin
 # mv relaydelay.conf /etc/mail
 # mv relaydelay.sh /usr/local/etc/rc.d/

   Test the resulting configuration by running the following command:

 # sh /usr/local/etc/rc.d/relaydelay.sh start

  Note:

   This file will not exist if the previous mv(1) commands were not
   executed.

   If everything worked correctly, a new file, relaydelay.log, should
   appear in /var/log. It should contain text similar to the following:

 Loaded Config File: /etc/mail/relaydelay.conf
 Using connection 'local:/var/run/relaydelay.sock' for filter relaydelay
 DBI Connecting to DBI:mysql:database=relaydelay:host=localhost:port=3306
 Spawned relaydelay daemon process 38277.
 Starting Sendmail::Milter 0.18 engine.

   If the file did not appear, something went wrong; review the screen
   output or check the messages log file for new information.

   Tie everything together by adding the following line to
   /etc/mail/sendmail.mc or to your system-specific mc file:

 INPUT_MAIL_FILTER(`relaydelay', `S=local:/var/run/relaydelay.sock, T=S:1m;R:2m;E:3m')dnl

   Rebuild and reinstall the files in /etc/mail and restart sendmail. The
   short command make restart should do everything necessary.

   Download the perl script located at
   http://lists.puremagic.com/pipermail/greylist-users/2003-November/000327.html
   and save it in the relaydelay-0.04 directory. In the following example
   this script is referred to as addlist.pl.

   Edit the whitelist_ip.txt file so that it includes the IP addresses of
   servers that should be able to bypass the relaydelay filters. That is,
   these are the domains whose incoming mail will not be answered with a
   TEMPFAIL diagnostic.

   For example:

 192.168.   # My internal network.
 66.218.66       # Yahoo groups has unique senders.

   The blacklist_ip.txt file serves a similar purpose, but with the
   opposite rules. List in this file the IP addresses that should be
   rejected without issuing a TEMPFAIL diagnostic. These domains will never
   even get the chance to show that they are real mail servers.

   These files must now be imported into the database using the addlist.pl
   script obtained a few lines above:

 # perl addlist.pl -whitelist 9999-12-31 23:59:59 < whitelist_ip.txt
 # perl addlist.pl -blacklist 9999-12-31 23:59:59 < blacklist_ip.txt

   To enable relaydelay at every system boot, add the line
   relaydelay_enable="YES" to /etc/rc.conf.

   The /var/log/relaydelay.log log file should gradually fill with
   successful passes. Depending on your mail server's load, lines similar
   to the following should soon appear.

 === 2004-05-24 21:03:22 ===
 Stored Sender: <someasshole@flawed-example.com>
 Passed Recipient: <local_user@pittgoth.com>
   Relay: example.net [XXX.XX.XXX.XX] - If_Addr: MY_IP_ADDRESS
   RelayIP: XX.XX.XX.XX - RelayName: example.net - RelayIdent:  - PossiblyForged: 0
   From: someasshole@flawed-example.com - To: local_user
   InMailer: esmtp - OutMailer: local - QueueID: i4P13Lo6000701111
   Email is known but block has not expired.  Issuing a tempfail.  rowid: 51
   IN ABORT CALLBACK - PrivData: 0<someasshole@flawed-example.com>
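   The decision logic described in the abstract, the whitelist/blacklist
   prefix files above, and the "known but block has not expired" case in
   this log entry, as an added example that is not relaydelay's own code.
   The 300-second block period, the use of a (relay IP, sender, recipient)
   key, and matching list entries as bare dotted prefixes are assumptions.

```python
# Added example of greylisting decision logic; not relaydelay's own code.
# Assumptions: 300-second block period (relaydelay.conf sets the real one),
# a (relay_ip, sender, recipient) key per contact, and whitelist/blacklist
# entries matched as dotted-string prefixes like those in whitelist_ip.txt.

BLOCK_PERIOD = 300  # seconds; assumed value

# Constructed sample lists in the format of whitelist_ip.txt / blacklist_ip.txt
WHITELIST = ["192.168.", "66.218.66"]
BLACKLIST = ["203.0.113."]


def matches(ip, prefixes):
    """Prefix match: '192.168.' covers the whole internal network."""
    return any(ip.startswith(p) for p in prefixes)


class Greylister:
    def __init__(self, block_period=BLOCK_PERIOD):
        self.block_period = block_period
        # (relay_ip, sender, recipient) -> time of first contact (epoch seconds)
        self.first_seen = {}

    def decide(self, relay_ip, sender, recipient, now):
        """Return REJECT, ACCEPT or TEMPFAIL for one delivery attempt."""
        if matches(relay_ip, BLACKLIST):
            return "REJECT"    # never gets the chance to retry
        if matches(relay_ip, WHITELIST):
            return "ACCEPT"    # trusted relay bypasses the filter entirely
        key = (relay_ip, sender, recipient)
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now
            return "TEMPFAIL"  # stored; a real MTA will queue and retry
        if now - seen < self.block_period:
            return "TEMPFAIL"  # "Email is known but block has not expired"
        return "ACCEPT"        # retried after the block: real mail server
```

   A spammer that never retries only ever sees the first TEMPFAIL, which is
   why the log fills with entries like the one above rather than deliveries.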

   The following line can now be added to /etc/newsyslog.conf; it rotates
   relaydelay.log when it reaches 100 Kbytes in size:

 /var/log/relaydelay.log                 644  3     100  *     Z

  Note:

   At some point an error about undefined perl variables in
   /etc/mail/relaydelay.conf appeared. If those two variables are
   uncommented, the configuration file can be parsed normally. Just
   remember to uncomment them before starting to use relaydelay.
