Sometimes you need to separate some of the mail server functions. This howto covers setting up a mail server that filters out spam and viruses before sending the email to your main mail server. You will get the following features:
* postfix: the workhorse behind the mail delivery
Let's get started
Here we go with the config files. Be sure to change the settings to match your host. The config files have some sections commented out; don't worry about that for now. Just copy and paste to create the config files. Whatever you see here replaces what already exists. Don't forget to back up the original files first.
/etc/postfix/main.cf
# postfix user/group
# soft_bounce=yes makes Postfix answer with temporary (4xx) errors where it
# would otherwise reject permanently. It is left commented out here.
#soft_bounce=yes
# Account that owns the mail queue, and the group used by the set-gid
# submission commands.
mail_owner = postfix
setgid_group = postdrop
# No unit is given, so Postfix applies this parameter's default unit (hours).
delay_warning_time = 4
# postfix paths
# Install locations; adjust them if your package puts these files elsewhere.
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
# The next two paths name postfix-2.2.2 explicitly; change them to match the
# version that is actually installed.
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
# network settings
# Listen on every interface; this host is the public-facing filter.
inet_interfaces = all
mydomain = yourdomain.com
myhostname = host.yourdomain.com
myorigin = $mydomain
# Every client inside mynetworks is allowed to relay to any destination,
# because permit_mynetworks comes first in smtpd_recipient_restrictions below.
# Keep this list as narrow as you can: 192.168.0.0/16 trusts the whole private
# range, where the internal mail server's address alone may be enough.
# NOTE(review): 127.0.0.0/24 only covers 127.0.0.0-127.0.0.255; loopback is
# normally written 127.0.0.0/8, as the 10025 listener in master.cf does.
# NOTE(review): the second line of the value has no leading whitespace as shown
# here. Postfix only treats a line as a continuation when it starts with
# whitespace, so re-indent it after pasting.
mynetworks = 192.168.0.0/16,
127.0.0.0/24
# Empty: nothing is delivered on this host. Mail for $mydomain is accepted as a
# relay domain and passed on according to transport_maps.
mydestination =
# No relay_recipient_maps is set in this file, so the gateway accepts mail for
# any address at $mydomain and leaves the decision to the internal server.
# Unknown recipients then become bounces sent to (often forged) senders.
# Listing the valid addresses in relay_recipient_maps lets the gateway reject
# them during the SMTP session instead.
relay_domains = $mydomain
# mappings
# A hash: table is read from the matching .db file, which postmap builds from
# the text file. Rerun postmap after every edit to the text file.
transport_maps = hash:/etc/postfix/transport
# An empty value switches off the check that rejects mail for unknown local
# users. It only concerns domains listed in mydestination, which this file
# leaves empty.
local_recipient_maps =
virtual_alias_maps = hash:/etc/postfix/virtual
# NOTE(review): this howto never rebuilds the aliases database; confirm that
# /etc/aliases.db exists (newaliases creates it).
alias_maps = hash:/etc/aliases
# Lets user+tag@domain be handled as user@domain.
recipient_delimiter = +
# debugging
# debug_peer_level only takes effect for clients matched by debug_peer_list,
# which this file does not set.
debug_peer_level = 2
# debugger_command is run only for a daemon started with the -D option in
# master.cf; none of the services shown in this howto's master.cf passes -D.
# NOTE(review): the two lines under debugger_command belong to its value and
# must start with whitespace to be read as continuations; the indentation is
# missing as shown here.
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
# rules restrictions
# Each list is evaluated left to right and stops at the first restriction that
# returns a decision. The hash: access tables named here need their .db files
# built with postmap (done further down in this howto), even when the text
# file is empty.
# NOTE(review): the second and later lines of each multi-line value must start
# with whitespace to be read as continuations; the indentation is missing as
# shown here.
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access
# Clients in mynetworks skip the HELO checks; everyone else must send a fully
# qualified HELO name.
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname,
check_helo_access hash:/etc/postfix/helo_access
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/sender_access
# reject_unauth_destination is what keeps this host from being an open relay:
# clients outside mynetworks may only send to relay_domains. Keep it ahead of
# check_recipient_access, so that an OK entry in that table can never permit
# mail to a foreign domain.
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
check_recipient_access hash:/etc/postfix/recipient_access
# Without a mandatory HELO the smtpd_helo_restrictions above could be skipped
# by a client that never sends HELO/EHLO.
smtpd_helo_required = yes
# Stops clients from probing for valid addresses with VRFY.
disable_vrfy_command = yes
# Rejects clients that send commands ahead of the server's replies.
smtpd_data_restrictions = reject_unauth_pipelining
/etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# Public SMTP listener. The two commented -o lines below are enabled later in
# this howto, once amavisd is running: content_filter then hands every message
# received here to the smtp-amavis service on 127.0.0.1:10024, and
# receive_override_options=no_address_mappings postpones address rewriting
# until the message comes back from the filter.
# NOTE(review): an active -o line must start with whitespace so that it
# continues the service line above it; the indentation is missing as shown
# here.
smtp inet n - n - - smtpd
# -o content_filter=smtp-amavis:127.0.0.1:10024
# -o receive_override_options=no_address_mappings
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
# pickup collects mail submitted on this host itself. The empty content_filter
# value means such mail is not passed to the content filter, and
# no_header_body_checks skips header/body checks for it.
pickup fifo n - n 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
# Outbound SMTP client. /etc/postfix/transport in this howto sends mail for the
# domain through this service to the internal mail server.
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# None of the pipe services below is referenced by the transport map in this
# howto, which routes the domain through smtp only. Each one runs an external
# program under the account given in user=, so an entry you do not need can
# simply be left unused or commented out.
# NOTE(review): the flags=/user=/argv= lines must start with whitespace so that
# they continue the service line above them; the indentation is missing as
# shown here.
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus-imapd/deliver -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spam/virus section
#
# (Explanatory notes in this section are prose; leave them commented when you
# enable the service lines.)
# smtp-amavis is the client Postfix uses to hand mail to amavisd on
# 127.0.0.1:10024 (the address named in content_filter on the smtp listener).
# When enabled, each -o line must start with whitespace.
#smtp-amavis unix - - y - 2 smtp
# -o smtp_data_done_timeout=1200
# -o disable_dns_lookups=yes
# -o smtp_send_xforward_command=yes
# 127.0.0.1:10025 is the listener that takes mail back from amavisd. It clears
# content_filter so returned mail is not filtered a second time, and it drops
# the usual helo/sender/client restrictions. What keeps it safe is that it is
# bound to 127.0.0.1 and accepts only mynetworks=127.0.0.0/8 through
# permit_mynetworks,reject. Keep those three settings together: anything that
# can reach this port is delivered without spam or virus scanning.
#127.0.0.1:10025 inet n - y - - smtpd
# -o content_filter=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_recipient_restrictions=permit_mynetworks,reject
# -o mynetworks=127.0.0.0/8
# -o smtpd_error_sleep_time=0
# -o smtpd_soft_error_limit=1001
# -o smtpd_hard_error_limit=1000
# -o receive_override_options=no_header_body_checks
# -o smtpd_bind_address=127.0.0.1
# -o smtpd_helo_required=no
# -o smtpd_client_restrictions=
# -o smtpd_restriction_classes=
# -o disable_vrfy_command=no
# -o strict_rfc821_envelopes=yes
/etc/postfix/virtual
root itadmin@yourdomain.com
virus itadmin@yourdomain.com
spam itadmin@yourdomain.com
/etc/postfix/transport
yourdomain.com smtp:[192.168.1.2]
To wrap things up we need to create the *.db files for postfix. So type:
> postmap /etc/postfix/virtual
> postmap /etc/postfix/transport
> touch /etc/postfix/client_access
> postmap /etc/postfix/client_access
> touch /etc/postfix/helo_access
> postmap /etc/postfix/helo_access
> touch /etc/postfix/sender_access
> postmap /etc/postfix/sender_access
> echo "example.com OK" > /etc/postfix/recipient_access
> postmap /etc/postfix/recipient_access
Be sure your /etc/hosts looks similar to the following.
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
192.168.11.21 host.domain.com
First things first. Reboot the system. If everything went well we should all be at the same point. Set up your favorite mail client and send some test emails.
This is another optional item. I suggest that you install this as well.
Do the following:
> yum install amavisd-new clamav clamav-update spamassassin
Type
> nano -w /etc/freshclam.conf
The line that has the word example on it needs to be commented out or deleted. The config file explains this.
Let's bring the virus definitions up to date.
> freshclam
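You need to register to use Razor, so type the following, replacing some_user and somepass with your own values. A password typed on the command line is saved in your shell history, so pick one that is not used anywhere else.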
> razor-admin -register -user=some_user -pass=somepass
You need to edit /etc/amavisd/amavisd.conf
Here is a list of items you should change. Just scroll through the file to find each item.
Here are some settings I added in. Use them if you wish.
# added in settings RC
# Sender white/black lists are read from files under $MYHOME (this howto
# creates them in /var/spool/amavisd, so $MYHOME is presumably that directory).
# Matching is done on the sender address, which the sending side chooses
# freely; a whitelist entry is therefore easy to forge. Keep white.lst short.
@whitelist_sender_maps = read_hash("$MYHOME/white.lst");
@blacklist_sender_maps = read_hash("$MYHOME/black.lst");
# Quarantined mail is sent to these addresses. /etc/postfix/virtual in this
# howto forwards both spam and virus to the admin mailbox, so that mailbox will
# receive the infected messages themselves; treat its contents accordingly.
$spam_quarantine_to = "spam\@$mydomain";
$virus_quarantine_to = "virus\@$mydomain";
$banned_quarantine_to = "spam\@$mydomain";
# From: header used on notifications sent to the administrator.
$hdrfrom_notify_admin = "Content Filter <postmaster\@$mydomain>";
Since I have white and black list files they need to be created.
> touch /var/spool/amavisd/black.lst
> touch /var/spool/amavisd/white.lst
> chown amavis:amavis /var/spool/amavisd/black.lst
> chown amavis:amavis /var/spool/amavisd/white.lst
Let's start amavisd
> /etc/init.d/amavisd start
We need to tell postfix about amavisd. If you copied and pasted the postfix files from above then you are in good shape. All we need to do is uncomment some lines. Edit /etc/postfix/master.cf
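Uncomment the two lines below the smtp line. Leave whitespace in front of each -o so that Postfix reads the two lines as a continuation of the smtp line.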
smtp inet n - n - - smtpd
# -o content_filter=smtp-amavis:127.0.0.1:10024
# -o receive_override_options=no_address_mappings
Next, look for the section marked spam/virus section. Uncomment all the service lines in that section (not the section heading itself), leaving whitespace in front of each -o line.
OK. Restart postfix
> /etc/init.d/postfix restart
Now send yourself some test emails. Let's hope it went well.
With a bit of work you come out with a robust server.