SUSE not Fedora
My Internet gateway at home is a old Dell XPS 450. It’s a PII running at 450Mhz, has a 30GB IDE drive, and 256MB RAM. No cd-rom drive, I removed it when it broke a few years ago. When I need to install an operating system, I temporarily attach a DVD drive.
I was previously running Fedora Core 3 on it. Fedora is okay, but it is on an aggressive development schedule. For example Fedora Core 2 was released May 18, 2004, patches are currently supported by the Fedora Legacy Project. That’s how the model works, the main project works on releases and patches for a small amount of time. Then the Legacy project takes over the patches. It’s all well documented and explained.
My problem is the amount of time for main project support is too short. I don’t want to keep installing a new Linux distribution, but I do want timely patches. The legacy project is pretty good, but they definitely have resource issues. The current Fedora Core gets patched quickly as you expect. But in order to stay current you should have the latest release.
The SUSE ftp server has patches for the 9.0 release, which came out October 2003. That is the kind of support I am looking for. I downloaded the SUSE Linux OSS 10.0 CD images, ran a script to create a DVD image. I burnt the DVD, attached a drive to my old box and installed away.
Postfix, Spamassassin, anti-virus, Oh My
Now that ports 25 and 80 are no longer blocked, I wanted to use the basement box as a backup mail server.
I want the server to
- receive mail for dembowski.net and epyon-1.com
- use TLS encryption if possible
- check the sender’s IP address against Spamhaus
- greylist the traffic
- virus scan the mail
- rate the content for spam
I installed the SUSE package for Postfix and configured it to only accept mail for my domains, open mail relays are BAD. I referred to The Book of Postfix for guidance; Postfix is now a breeze. The only thing I deviated from was to generate a self signed certificate as so
openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout dixie.dembowski.net.pem -out dixie.dembowski.net.pem
This created a self signed key and certificate with an expiration of 10 years. That is the pem file that I refer to in my postfix main.cf file.
Greylisting is the number one most effective thing I have added to kill spam. It works like this: a mail server connects to my server and tries to deliver mail. The servers IP address, the sender’s e-mail address, and the recipient’s address goes into a database. Instead of accepting the mail, my server sends back a 450 code, which basically says “Not now I’m busy. Try back in 5 minutes”. A RFC compliant mail server will attempt to re-send later, and all further attempts (after 300 seconds) from the IP address, sender e-mail, recipient e-mail combination will be accepted.
Spammers typically do not try to re-send, and the sender’s e-mail is often random so they never get in at all. See http://isg.ee.ethz.ch/tools/postgrey/ for more info, this is a very effective means to control unwanted mail.
I downloaded a postgrey RPM from http://www.lfarkas.org/linux/packages/el3/i386/SRPMS/postgrey-1.23-0.src.rpm and modified the postgrey.sysv file to match SUSE. Rebuilt package and installed.
I added the SUSE packages for Spamassassin, ClamAV, and Amavisd-new for content filtering.
A few tests and all was done. I modified my MX records for my domains, and have been receiving mail on my new box. This server does not attempt to deilver e-mail except to the destination servers for my two domains.
