HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   HOWTO-Related Questions (http://www.howtoforge.com/forums/forumdisplay.php?f=2)
-   -   Ubuntu Mail Server issues (warning: a long list!) (http://www.howtoforge.com/forums/showthread.php?t=15964)

klonos 4th October 2007 11:52

Ubuntu Mail Server issues (warning: a long list!)
 
Hello everybody... after a long time, here I am posting once again. In the meantime I have setup and deployed another 3 mail servers based on Ubuntu (one of them on 6.10 and two on 7.04) by following the "http://www.howtoforge.com/virtual_po..._quota_courier" HowTo and also grabbed a few ideas from "http://www.howtoforge.com/virtual_po...er_ubuntu_edgy", "http://www.howtoforge.com/mail_stati...raph_pflogsumm" and "http://www.howtoforge.com/debian_etc...pd_mysql_quota" in order to implement features like ftp and statistics. Now, I have learned a great deal on the way (coming from the m$ world and being a linux newbie and all) plus troubleshooting issues that came along, taught me a few things as well. So, now I have a few servers to "play with" (7 in production and another 2-3 on vmware standing by for testing), all based on Ubuntu Linux and HowToForge tutorials.

Cutting to the chase, I have collected a few questions/issues and here they are, numbered so we won't lose track of them as we hunt them down:

Issue #1: Since the HowTo refers to virtual users and domains, I suppose that it may be used by say a small office to serve both users within the company and also road-warriors/branch office users outside of it. So it is meant for users both inside and outside the network, right????

I may be doing something wrong here, but what I end up with most of the time is users outside mynetworks not being able to send through smtp. I have worked around this by adding check_client_access hash:/relay_access rules. Also, in some cases not even users within mynetworks can authenticate unless I add the ip range of the network there (mynetworks = 127.0.0.0/8 10.0.0.0/8 or mynetworks = 127.0.0.0/8 192.168.1.0/8), again as a workaround.

Any ideas? what should I be looking for??

Issues #2 and #3: I implement stats with mailgraph (http) & the pflogsumm script (by email). The first issue (#2) here is that after log rotation and on the 7th day instead of the normal stats email to the postmaster account, I receive:

Code:

gunzip: /var/log/mail.log.0 already exists;    not overwritten
gzip: /var/log/mail.log.0.gz already exists;    not overwritten

in the email. The script is:

Code:

#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
gunzip /var/log/mail.log.0.gz

pflogsumm -h 10 -u 10 /var/log/mail.log.0 | formail -c -I"Subject: Mail Statistics" -I"From: stats@gnosis.gr" -I"To: postmaster@gnosis.gr" -I"Received: from mail.gnosis.gr ([10.0.0.14])" | $

gzip /var/log/mail.log.0
exit 0

So, what I think should be done is have it to first check if mail.log.0 already exists and if so, use it without gunzipping it. Also it should first check if mail.log.0.gz already exists before trying to gzip mail.log.0. Now I know a bit of coding, but nothing on linux scripts. Can someone please add these if-exist-checks (or if-not-exists-checks) to the script??

Issue #3 is that since the email with the stats contains a lot of numbers and all, it gets detected as spam. How can I whitelist it so that I don't have to amavisd-release it all the time?

Issue #4: All .exe/.com etc. attachments get blocked with:

Code:

BANNED contents (multipart/mixed | application/x-zip-compressed,.zip

How do I control which extensions get blocked or not? Is there any way I can define users or groups and have per-user or per-group rules regarding attachments?? How can I implement something like MailZu (http://www.mailzu.net/) or any other quarantine management system/interface???

Issue #5: Each time I setup a mail server that is meant to serve only a single domain, I set the virtual_mailbox_domains = domain.net instead of pointing it to the domains table in the mysql db. In these cases, since there is no other domain served, I need to have the users authenticate by using username instead of username@domain.net. If I enter only the username in mysql, I need to change the query in email2email.cf from:

Code:

query = SELECT email FROM users WHERE email='%s'

to something that retrieves the username and adds the '@' and the value of virtual_mailbox_domains to it? That would do the trick, right??? Can anyone help on this one please?

Issue #6: ClamAV is pretty good at what it does, but if I need to use a commercial anti-virus solution how should I do it? Can I have both of them checking emails without the one getting in the way of the other? I think this has to do with amavisd, right???

Issue #7: I have a case where while all smtp and pop traffic goes through the gateway defined in /etc/network/interfaces, all outgoing http traffic (freshclam updates, dcc, apt-get or wget downloads etc.) needs to be redirected to another proxy. I know that in freshclam I can define proxy and port settings, but (besides, I had no luck with it) what about all other http requests? Plus, if I need to change the proxy, I would have to go through each conf file and do it. Would squid do the job? If yes, what do I need to define in squid.conf to have it redirect requests to an ip different from the default gateway and perhaps a port different from 80, plus only allow the server itself?


Issue #8: Talking about changing settings in a lot of files... if I need to change the root password or a local account, I use passwd. If I need to change virtual email account passwords I use phpmyadmin. What if I need to change the mail_admin password? I have to go through each mysql_virtual*.cf file and change it! Is there any way we can have this set of credentials (user/pass) stored in a single place and point to it instead?

Wow, what a list I have there, huh?!?!?! Are these some headache or what?? :) Thank you all in advance for any help/ideas.
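For issue #2 above, here is an added example of the pflogsumm mailer with the two existence checks the poster asks for. It is my own script, not the original poster's and not from the HowtoForge tutorial. The log path, the pflogsumm options, the formail headers and the addresses are taken from the script in the post; the mail delivery command at the end of the pipeline is assumed to be `sendmail -t`, because that part of the original pipeline is truncated on the page. The `run` argument is my own addition so the functions can be sourced and exercised without mailing anything.

```shell
#!/bin/sh
# Added example, not the original poster's script. Same pflogsumm job as in the
# post, but it only gunzips when the plain log is missing and only gzips when
# no .gz copy exists, which are the two cases that produced the
# "already exists; not overwritten" mail.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# ensure_plain LOG: make sure the uncompressed LOG is available.
#   LOG present        -> use it as is, leave any LOG.gz alone
#   only LOG.gz present -> gunzip it (this removes LOG.gz, like the original)
#   neither present    -> return 1 so the caller can stop
ensure_plain() {
    log=$1
    if [ -f "$log" ]; then
        return 0
    fi
    if [ -f "$log.gz" ]; then
        gunzip "$log.gz"
        return $?
    fi
    echo "ensure_plain: neither $log nor $log.gz found" >&2
    return 1
}

# recompress LOG: gzip LOG only when LOG.gz does not already exist, so gzip
# never complains about refusing to overwrite.
recompress() {
    log=$1
    if [ -f "$log" ] && [ ! -f "$log.gz" ]; then
        gzip "$log"
    fi
}

# send_stats LOG: run pflogsumm over LOG and mail the report.
# Headers and addresses are the ones from the original script; the final
# "sendmail -t" is an assumption (the original pipeline is cut off).
send_stats() {
    log=$1
    pflogsumm -h 10 -u 10 "$log" \
        | formail -c -I"Subject: Mail Statistics" \
                     -I"From: stats@gnosis.gr" \
                     -I"To: postmaster@gnosis.gr" \
                     -I"Received: from mail.gnosis.gr ([10.0.0.14])" \
        | sendmail -t
}

# Only run the full job when invoked as "script.sh run" (e.g. from cron), so
# sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    LOG=/var/log/mail.log.0
    ensure_plain "$LOG" || exit 1
    send_stats "$LOG"
    recompress "$LOG"
    exit 0
fi
```

Call it from cron as `sh /path/to/stats.sh run`. When both mail.log.0 and mail.log.0.gz exist (the situation described in the post), the plain file is used and neither file is touched afterwards, so the report is mailed instead of the gunzip/gzip complaints.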

falko 5th October 2007 12:50

Quote:

Originally Posted by klonos
So it is meant for users both inside and outside the network, right????

Yes.

Quote:

Originally Posted by klonos
I may be doing something wrong here, but what I end up with most of the times is users outside mynetworks not being able to send through smtp. I have worked around this by adding check_client_access hash:/relay_access rules. Also, in some cases neither users within mynetworks can authenticate unless I add the ip range of the network there (mynetworks = 127.0.0.0/8 10.0.0.0/8 or mynetworks = 127.0.0.0/8 192.168.1.0/8), again as a workaround.

Any ideas? what should I be looking for??

Did you enable "Server requires authentication" in your email clients?

Quote:

Originally Posted by klonos
Issue #6: ClamAV is pretty good at what it does, but if I need to use a commercial anti-virus solution how should I do it? Can I have both of them checking emails without the one getting in the way of the other? I think this has to do with amavisd, right???

You can enable other virus scanners like F-Prot in the amavisd configuration (of course, you must install F-Prot first); they won't get into each other's way. :)

klonos 5th October 2007 21:09

Quote:

Did you enable "Server requires authentication" in your email clients?
Yes, yes I know... I did that already and also checked the output of

Code:

ps aux|grep sasl

and all, and everything seems to be the way it should. I just wanted to make sure I installed a mail server meant to do all I needed it to do (serve users both inside the network and out of it). We will have to troubleshoot this one at some later time since I have already worked around it as I said.

Quote:

You can enable other virus scanners like F-Prot in the amavisd configuration (of course, you must install F-Prot first); they won't get into each other's way.
Thank you for this answer as well. What I had in mind was trend micro and I already found the following entry in /etc/amavis/conf.d/15-av-scanners:

Code:

### http://www.trendmicro.com/  - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

What I really need is any success stories from people that have already tried it before, things I should look out for, or better a step-by-step guide. I will google it a bit myself as well and see what I may come up with. Will let everyone know if all goes well. In the meantime I can use all the help I get.

Any ideas/comments regarding my other issues??

falko 6th October 2007 14:18

Quote:

Originally Posted by klonos
What I really need is any success stories from people that have already tried it before, things I should look out for, or better a step-by-step guide. I will google it a bit myself as well and see what I may come up with. Will let everyone know if all goes well. In the meantime I can use all the help I get.

I've tried ClamAV together with F-Prot, and it was working well. Should be the same for Trendmicro.
