Monday, February 4, 2008


Mail Server How-to

Postfix / Dovecot / SASL / MailScanner / Spamassassin / ClamAV / Postgrey on CentOS 4.x

Part I – Installation Pre-requisites

1.) Do a minimal install of CentOS by selecting the custom install and unchecking everything. Turn off SELinux as well.

2.) Check the hostname by executing the command “more /etc/sysconfig/network” and “more /etc/hosts”.

3.) Make sure that you have the DNS MX record for the domain that points to the email server. To check, execute dig -t mx “domain name”.

Part II – Installing Postfix and Dovecot

1.) Now we need to install (or verify that they are already installed) all the packages needed to set up Postfix with SASL, SMTP AUTH, IMAP and POP3. This command installs all the required packages:

yum install postfix postfix-pflogsumm dovecot cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-ntlm cyrus-sasl-plain cyrus-sasl-sql

{the above is all one line with a space between each name (if it wraps), the cyrus-sasl-devel and cyrus-sasl-sql packages are optional, but may be used later if you install MailScanner and ClamAV}

2.) Now we need to remove sendmail, since postfix is the new MTA.

yum remove sendmail

3.) Once you have your MX and A DNS records set (from above), you are ready to configure Postfix ... first we will edit the file /etc/postfix/main.cf and set up the important parameters. I am only going to list the parameters needed to get one fully functional domain working ... where there is no relaying except for users who have logged on. I will only discuss the parameters that need changing from the default:

myhostname = host.my.domain
mydomain = my.domain
myorigin = $mydomain
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, $mydomain, localhost
local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
mynetworks_style = subnet
relay_domains = $mydestination
mail_spool_directory = /var/spool/mail

That is all the original stuff that needs changing ... here are the items added for SASL / SMTP AUTH (added to the bottom of the /etc/postfix/main.cf file):

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination


Also at the bottom of the /etc/postfix/main.cf file, you can add settings for the maximum mailbox size and the maximum message (attachment) size ... I will assume a 20 MB maximum message size and a 100 MB maximum mailbox size ... here is what to add for that:

message_size_limit = 20971520
mailbox_size_limit = 104857600


4.) Now we need to turn on IMAP, POP3, IMAPS and POP3S. All of these are optional, but you will need to read or retrieve your mail somehow. Generating a certificate for TLS and using IMAPS or POP3S is left for Part IV; here we will just turn on standard POP3 and IMAP.

We installed Dovecot as our POP/IMAP daemon, so we need to set it up (if you are trying to use cyrus-imapd, you are in the wrong section).

a. Edit the file /etc/dovecot.conf and change the following lines (these are just the lines that must be changed from the default):

protocols = imap pop3
imap_listen = *
pop3_listen = *
#imaps_listen = *
#pop3s_listen = *
ssl_disable = yes
#ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
#ssl_key_file = /usr/share/ssl/private/dovecot.pem


5.) Next we want to get saslauthd working. We need to edit the file /etc/sysconfig/saslauthd and make sure it says this:

MECH=pam

Next we need to edit the file /usr/lib/sasl2/smtpd.conf and make sure it says:

pwcheck_method: saslauthd

Now we need to set postfix as the MTA ... do this:

alternatives --config mta

... select postfix (on my setup it is number 1).

Now we need to start the saslauthd service with this command:

/etc/init.d/saslauthd restart

(if it wasn't previously running, the first shutdown may fail ... but the start should say [OK].)

Restart postfix with the command:

/etc/init.d/postfix restart

Restart dovecot with the command:

/etc/init.d/dovecot restart

6.) Next we need to make sure postfix, dovecot and saslauthd will start on reboot in at least runlevels 3 and 5 ... to do this issue the following command:

chkconfig --list | grep postfix

The output should be similar to this:
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Then do:
chkconfig --list | grep saslauthd

It should also look like this:
saslauthd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

Then do:
chkconfig --list | grep dovecot

It should also look like this:
dovecot 0:off 1:off 2:off 3:on 4:on 5:on 6:off

If any of them is off for 3: or 5:, issue this command:

chkconfig saslauthd on
(or dovecot or postfix as applicable)

Then redo the chkconfig --list | grep saslauthd command ... it should now be on for 3: and 5:.

7.) If you have iptables on, you can adjust the open ports with the command:

system-config-securitylevel-tui

Select Enable and then Customize ...

You will need to open imap:tcp pop3:tcp https:tcp in the box at the bottom, and also check ssh so that you can still ssh into the box ...

8.) In order to use PAM (i.e. normal Linux users with passwd / shadow usernames and passwords) as your SMTP authentication method, you MUST allow (and use) PLAIN or LOGIN as your mail client's authentication method.

9.) In this setup, all users who have accounts on this server with a password can send and receive e-mail.

Part III – Installing MailScanner utilizing SpamAssassin and ClamAV

1.) Download the latest SpamAssassin and ClamAV easy installation package from mailscanner.info and install:

wget http://www.mailscanner.info/files/4/install-Clam-0.92-SA-3.2.4.tar.gz

tar -zxvf install-Clam-0.92-SA-3.2.4.tar.gz

cd install-Clam-0.92-SA-3.2.4

./install.sh

2.) Install other packages that will be required later for other parts of this install:

yum install sendmail-devel bzip2-devel gmp-devel zlib-devel autoconf automake rpm-build rpm-devel gcc perl-CPAN curl-devel unrar

3.) Download the latest MailScanner from mailscanner.info and install:

wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.66.5-3.tar.gz

tar -zxvf MailScanner-4.66.5-3.tar.gz

cd MailScanner-4.66.5-3
export LANG=C; ./install.sh

4.) Stop postfix with the command:

/etc/init.d/postfix stop

Ensure postfix doesn't restart, as Mailscanner will start it from now on, with the command:

chkconfig postfix off

5.) Make the following change to the /etc/postfix/main.cf file ... add the line:

header_checks = regexp:/etc/postfix/header_checks

6.) Edit the file /etc/postfix/header_checks, add this line to the file:

/^Received:/ HOLD

7.) Now we are ready to set up the file /etc/MailScanner/MailScanner.conf, which is the configuration file for MailScanner. Edit it so that it shows the following values:

%org-name% = yoursite
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
File Timeout = 120
Maximum Archive Depth = 20
Virus Scanners = clamavmodule
Monitors for ClamAV Updates = /var/clamav/*.cvd
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin


Here are a couple of other optional settings in MailScanner.conf:

Spam List = ORDB-RBL SBL+XBL SORBS-DNSBL CBL RSL DSBL spamcop
Allow IFrame Tags = yes
Log IFrame Tags = yes
Allow Script Tags = yes
Allow Object Codebase Tags = yes
Convert Dangerous HTML To Text = yes
Minimum Stars If On Spam List = 3
Spam Lists To Reach High Score = 3


8.) You will need to ensure that the user "postfix" can write to /var/spool/MailScanner/incoming and /var/spool/MailScanner/quarantine, with the commands:

chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine
mkdir -m 700 /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/spamassassin


If you upgrade your copy of MailScanner, these directories may be changed back to being owned by root, so you may have to run the chown commands again.

9.) ClamAV should try to update hourly, controlled by MailScanner (via the cron job /etc/cron.hourly/update_virus_scanners).

To set up ClamAV for auto updates, edit the file /etc/MailScanner/virus.scanners.conf. Find the line:
clamav /usr/lib/MailScanner/clamav-wrapper /usr/local

Change it to:
clamav /usr/lib/MailScanner/clamav-wrapper /usr

To update the ClamAV database, run:

freshclam

10.) Now you can start MailScanner by issuing the command:

/etc/init.d/MailScanner start




Part IV – Postfix with OpenSSL

1.) Install OpenSSL:

yum -y install openssl openssl-devel

2.) Set up the SASL configuration files; add the following information to the bottom of each file:

vi /usr/lib/sasl2/smtpd.conf

Add:

pwcheck_method: saslauthd

vi /usr/lib/sasl/smtpd.conf

Add:

mech_list: plain login

3.) Set up the OpenSSL directory that will hold the OpenSSL certificates:

mkdir /etc/postfix/ssl

cd /etc/postfix/ssl/

4.) Generate the OpenSSL private key for the certificate:

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

5.) Set up an OpenSSL certificate for postfix

openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

6.) Remove the OpenSSL passphrase encryption from the postfix key file:

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

7.) Rename the unencrypted key over the original:

mv -f smtpd.key.unencrypted smtpd.key

8.) Change the permissions on the file

chmod 600 smtpd.key

9.) Last command for setting up the OpenSSL certificate for postfix (this creates the self-signed CA certificate referenced by smtpd_tls_CAfile below):

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

10.) Add some more information to the postfix main.cf file:

vi /etc/postfix/main.cf

Add the following lines:

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

11.) Edit dovecot.conf

protocols = imap pop3
imap_listen = *
pop3_listen = *
imaps_listen = *
pop3s_listen = *
ssl_disable = no
ssl_cert_file = /etc/postfix/ssl/smtpd.crt
ssl_key_file = /etc/postfix/ssl/smtpd.key

12.) Restart MailScanner and saslauthd

service MailScanner restart

service saslauthd restart

13.) To see if SMTP-AUTH and TLS work properly, now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server, type:

ehlo localhost

If you see the lines

250-STARTTLS

&

250-AUTH

then that means you are on your way to the next part.
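As an added check that is not part of the original post, here is a Python version of the telnet test above: parse_ehlo() reads a pasted EHLO reply, assess() encodes what to look for (STARTTLS present, AUTH present, and whether AUTH is already offered on the plaintext session, which the smtpd_tls_auth_only = no setting from step 10 allows), and check_server() runs the same checks live with smtplib. The host/port default (localhost:25) and the sample reply are constructed assumptions.

```python
import smtplib
import ssl

# Constructed EHLO reply modelled on this post's setup (SIZE = message_size_limit).
SAMPLE_EHLO = """250-host.my.domain
250-PIPELINING
250-SIZE 20971520
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters (first 250 line is the server name)."""
    caps = {}
    lines = [l for l in reply.splitlines() if l.startswith("250")]
    for line in lines[1:]:
        kw, _, params = line[4:].strip().partition(" ")
        kw = kw.upper()
        if kw.startswith("AUTH="):  # legacy spelling emitted for broken_sasl_auth_clients
            kw, params = "AUTH", kw[5:] + " " + params
        caps.setdefault(kw, params.split())
    return caps

def assess(caps, tls_active):
    """Findings for one EHLO exchange, before or after STARTTLS."""
    findings = []
    if not tls_active and "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: smtpd_use_tls/certificate settings not live")
    if "AUTH" not in caps:
        findings.append("AUTH not offered: saslauthd or smtpd.conf pwcheck_method not live")
    elif not tls_active:  # smtpd_tls_auth_only = no: PAM passwords may cross the wire in clear
        findings.append("AUTH %s offered before TLS: passwords cross the wire in the clear "
                        "unless the client negotiates TLS first" % " ".join(caps["AUTH"]))
    return findings

def check_server(host="localhost", port=25):
    """Live version of the telnet test: EHLO, then STARTTLS and EHLO again."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("localhost")  # smtplib parses the reply into esmtp_features for us
        caps = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        report = assess(caps, tls_active=False)
        if "STARTTLS" in caps:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False  # self-signed certificate from steps 4-9
            ctx.verify_mode = ssl.CERT_NONE
            s.starttls(context=ctx)
            s.ehlo("localhost")
            caps = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
            report += assess(caps, tls_active=True)
    return report
```

An empty list from check_server() means both STARTTLS and AUTH are advertised and AUTH is only reported after TLS is up; the "offered before TLS" finding is expected with the settings in step 10 and tells you that client-side TLS is what protects the PAM password.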

Part V – Postfix with Postgrey

1.) Add user and group postgrey

groupadd -g 10010 postgrey

useradd -g postgrey -u 10010 postgrey
 
2.) Download and install postgrey and its dependencies

wget http://isg.ee.ethz.ch/tools/postgrey/pub/postgrey-latest.tar.gz

perl -MCPAN -e shell
 
cpan> install Net::Server
 
cpan> install IO::Multiplex
 
cpan> install BerkeleyDB
 
tar zxvf postgrey-latest.tar.gz
 
cd postgrey-latest
 
cp postgrey /usr/local/bin
 
cp postgrey_whitelist_clients postgrey_whitelist_recipients /etc/postfix/
 
mkdir /var/spool/postfix/postgrey
 
chown postgrey.postgrey /var/spool/postfix/postgrey
 
3.) Make postgrey run as a daemon at boot

vi /etc/rc.d/rc.local

Add the line:

/usr/local/bin/postgrey --inet=60000 -d --pidfile=/var/run/postgrey.pid --user=postgrey --group=postgrey
 
4.) Edit the main.cf file and add the following lines

vi /etc/postfix/main.cf

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access regexp:/etc/postfix/check_client_whitelist,
    check_client_access regexp:/etc/postfix/check_client_reject,
    reject_unlisted_recipient,
    check_client_access regexp:/etc/postfix/check_client_greylist

smtpd_restriction_classes = check_greylist
check_greylist = check_policy_service inet:60000

5.) Edit /etc/postfix/check_client_greylist
 

vi /etc/postfix/check_client_greylist

Add:

/^unknown$/ check_greylist

/^[^\.]*[0-9][^0-9\.]+[0-9]/ check_greylist

/^[^\.]*[0-9]{5}/ check_greylist

/^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/ check_greylist

/^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ check_greylist

/^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ check_greylist

/^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ check_greylist

6.) Execute the following commands

postmap /etc/postfix/check_client_greylist

/usr/local/bin/postgrey --inet=60000 -d --pidfile=/var/run/postgrey.pid --user=postgrey --group=postgrey

If you get no error message when executing these commands, you have installed postgrey correctly.
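To see what the check_client_greylist table from step 5 actually sends to the greylist policy, here is an added Python example (not from the original post) that evaluates a Postfix regexp table the way Postfix does: entries are tried in order, the first match wins, and matching is case-insensitive unless the i flag is given. The table text is copied from step 5; the client hostnames it is run against are constructed.

```python
import re

# Constructed copy of the /etc/postfix/check_client_greylist table from step 5.
GREYLIST_TABLE = r"""
/^unknown$/ check_greylist
/^[^\.]*[0-9][^0-9\.]+[0-9]/ check_greylist
/^[^\.]*[0-9]{5}/ check_greylist
/^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/ check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ check_greylist
/^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ check_greylist
"""

# One regexp_table(5) entry: /pattern/flags result (flags i, x and ! are optional)
ENTRY_RE = re.compile(r"^/((?:[^/\\]|\\.)*)/([imx!]*)\s+(\S+)$")

def parse_table(text):
    """Parse regexp table lines into (compiled pattern, negated, result) tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("line %d: not a /pattern/ result entry" % lineno)
        pattern, flags, result = m.groups()
        # Postfix matches case-insensitively unless the 'i' flag toggles that off
        opts = 0 if "i" in flags else re.IGNORECASE
        if "x" in flags:
            opts |= re.VERBOSE
        rules.append((re.compile(pattern, opts), "!" in flags, result))
    return rules

def lookup(rules, client_name):
    """First matching entry wins, as in Postfix; None means no entry matched."""
    for regex, negated, result in rules:
        if bool(regex.search(client_name)) != negated:
            return result
    return None

if __name__ == "__main__":
    rules = parse_table(GREYLIST_TABLE)
    # Constructed client hostnames: generic/dynamic-looking names hit the table and
    # go to postgrey; ordinary mail-host names fall through to the next restriction.
    for name in ("unknown", "UNKNOWN", "dhcp-12-34.isp.example.net",
                 "host12345.example.org", "mail.example.com", "mx1.example.com"):
        print("%-30s -> %s" % (name, lookup(rules, name)))
```

Postfix also looks up the client IP address against this table, so when you add entries, run them against a few of your own legitimate senders' hostnames and addresses first.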
