Mailscanner/Exim Gateway With Communigate PRO Guide
In this tutorial we will install and set up MailScanner as a mail firewall in front of a CommuniGate Pro cluster. This tutorial has been written for the CentOS 5.x Linux distro, but I am sure it can be used for any other Linux-based system with small modifications. The system will run with SELinux in enforcing mode. The components that we will use include:
- Mailscanner
- Clamav
- exim
- apache
- mailwatch
- razor
- spamassassin
- mysql
- fuzzy ocr
- sanesecurity signatures
- mailfeeder
Install Packages
I assume that you have installed a bare-bones CentOS 5 system with the "Development Tools" group to work with, so I will not go into issues such as package selection and partition layout. As we need to install certain software that is not part of the default CentOS base, we need to configure the system to use Dag Wieers' rpm repo, as he packages a lot of the software that we need.
rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
With that done we have configured the system to use the rpmforge repo.
For this tutorial the working directory will be /usr/local/src - all downloads should be downloaded to and extracted in there.
Exim
yum install exim -y
/usr/sbin/alternatives --set mta /usr/sbin/sendmail.exim
service sendmail stop
/sbin/chkconfig --level 345 sendmail off
/sbin/chkconfig --level 345 exim off
MailScanner
wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.66.5-3.rpm.tar.gz
tar xzvf MailScanner-4.66.5-3.rpm.tar.gz
cd MailScanner-4.66.5-3
./install.sh
Clamav
yum install clamav clamav-db clamd -y
freshclam
Sanesecurity Signatures
wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
chmod +x /usr/local/bin/update_sanesecurity.sh
ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
/usr/local/bin/update_sanesecurity.sh
Apache
yum install httpd php php-mysql php-gd php-eaccelerator -y
/sbin/chkconfig --level 345 httpd on
Spamassassin
yum install spamassassin -y
Fuzzy OCR
yum install netpbm-progs ocrad gocr gifsicle giflib-utils giflib -y
svn co svn://svn.own-hero.net/fuzzyocr/trunk/devel
cd devel/
perl -MCPAN -e 'install String::Approx'
perl -MCPAN -e 'install Time::HiRes'
perl -MCPAN -e 'install Log::Agent'
cp -rv {FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/} /etc/mail/spamassassin
chcon -R system_u:object_r:etc_mail_t /etc/mail/spamassassin/{FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/}
wget http://www.gbnetwork.co.uk/mailscanner/FuzzyOcr.words -O /etc/mail/spamassassin/FuzzyOcr.words
Razor
yum install razor-agents
MySQL
yum install mysql mysql-server -y
Mailwatch
wget http://dfn.dl.sourceforge.net/sourceforge/mailwatch/mailwatch-1.0.4.tar.gz
tar xzvf mailwatch-1.0.4.tar.gz
cd mailwatch-1.0.4
cp -av mailscanner/* /var/www/html/
cp /var/www/html/conf.php.example /var/www/html/conf.php
mkdir /var/www/html/temp
chmod u+rwx /var/www/html/temp
rm -f /var/www/html/{index.php,xml,jpgraph,fpdf}
cp /var/www/html/status.php /var/www/html/index.php
mv /var/www/html/jpgraph-1.12.1 /var/www/html/jpgraph
mv /var/www/html/fpdf152 /var/www/html/fpdf
mv /var/www/html/xmlrpc_1.2 /var/www/html/xmlrpc
chown apache.apache -R /var/www/html/
chmod ug+rwx /var/www/html/images
chmod ug+rwx /var/www/html/images/cache
chcon -R system_u:object_r:httpd_sys_content_t /var/www/html/
cp MailWatch.pm /usr/lib/MailScanner/MailScanner/CustomFunctions/
cp SQLBlackWhiteList.pm /usr/lib/MailScanner/MailScanner/CustomFunctions/
cp tools/db_clean.php /usr/local/bin/
cp tools/quarantine_maint.php /usr/local/bin/
Mailfeeder
wget http://www.pldaniels.com/mailfeeder/mailfeeder-0.2.3.tar.gz
tar xzvf mailfeeder-0.2.3.tar.gz
cd mailfeeder-0.2.3
make
cp mailfeeder /usr/local/bin/
Configure Packages
Configure Exim
Introduction
To run Exim with MailScanner you need two configuration files: one for the daemon that listens on port 25 and accepts incoming mail, and another for the Exim process that delivers the clean mail that has been scanned by MailScanner. You also need two queues: one for incoming mail and the other for clean mail that has been scanned.
I will not dwell on all the configuration options that Exim provides. I expect that you can get detailed information elsewhere on how to configure a normally running Exim system, so I will focus only on the areas that are specific to this setup.
- To begin, back up your Exim configuration, then create the second configuration file for the outbound process.
cp /etc/exim/exim.conf /etc/exim/exim.conf.orig
cp /etc/exim/exim.conf /etc/exim/exim_out.conf
Inbound Exim
This is the configuration for the exim daemon that listens on port 25 and accepts the messages and queues them for mailscanner to process. The configuration file is /etc/exim/exim.conf.
Anti-virus / Sanesecurity Checks
Configure the incoming Exim daemon (/etc/exim/exim.conf) to use ClamAV to scan incoming mail and reject virus-infected email, as well as image and PDF spam, at SMTP time.
av_scanner = clamd:/var/run/clamav/clamd.sock
Mail Routing
Configure the domains you accept mail for. We will add these to the file /etc/exim/relay_domains.
# example /etc/exim/relay_domains
example.com
Specify this in the exim configuration:
domainlist relay_to_domains = lsearch;/etc/exim/relay_domains
Configure the routing of the domains you are filtering mail for in the file /etc/exim/mail-routes.
# example /etc/exim/mail-routes
# this domain is on a CGP cluster of 2 front end nodes
example.com: xxx.xxx.xxx.xxx:xxx.xxx.xxx.xxx
# this delivers to one CGP machine
somedomain.com: xxx.xxx.xxx.xxx
Configure a router to accept mail for the relay domains. You need to add this under the check_backend: router (see address verification below).
deliver_clean:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  route_data = ${lookup{$domain}lsearch{/etc/exim/mail-routes}}
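The two lsearch files above have to agree: a domain listed in relay_domains but missing from mail-routes makes the route_data lookup expand to an empty string, so deliver_clean declines after the message has already been accepted. The following check is an added example, not part of the original tutorial; the function names and the constructed sample files (with 192.0.2.x documentation addresses) are assumptions.

```shell
#!/bin/sh
# Added example: cross-check the two lsearch files used by the inbound Exim.
LC_ALL=C; export LC_ALL

# lsearch_keys FILE: print the lower-cased lookup keys of an lsearch file.
# Blank lines, "#" lines and continuation lines (leading whitespace) carry
# no key. Quoted keys are not handled here.
lsearch_keys() {
    awk '/^[ \t]*$/ || /^#/ || /^[ \t]/ { next }
         { key = $1; sub(/:.*$/, "", key); print tolower(key) }' "$1" | sort -u
}

# keys_only_in A B: keys present in file A but missing from file B.
keys_only_in() {
    a=$(mktemp); b=$(mktemp)
    lsearch_keys "$1" > "$a"; lsearch_keys "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# unrouted_domains RELAY ROUTES: accepted at SMTP time but not routable.
unrouted_domains() { keys_only_in "$1" "$2"; }
# unaccepted_routes RELAY ROUTES: routed but never accepted (stale or typo).
unaccepted_routes() { keys_only_in "$2" "$1"; }

# Constructed sample files; on the gateway the real ones are
# /etc/exim/relay_domains and /etc/exim/mail-routes.
demo=$(mktemp -d)
cat > "$demo/relay_domains" <<'EOF'
# constructed sample
example.com
somedomain.com
Example.ORG
EOF
cat > "$demo/mail-routes" <<'EOF'
# constructed sample
example.com: 192.0.2.10:192.0.2.11
somedomain.com: 192.0.2.20
oldcustomer.example: 192.0.2.30
EOF

echo "accepted but unrouted:"
unrouted_domains "$demo/relay_domains" "$demo/mail-routes"
echo "routed but not accepted:"
unaccepted_routes "$demo/relay_domains" "$demo/mail-routes"
rm -rf "$demo"
```

Run it against the real files after every change to either one; any output under the first heading is a domain the gateway will accept mail for but cannot deliver.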
Mailscanner Integration
Configure the inbound Exim to only queue messages, not deliver them, so that MailScanner can process them.
spool_directory = /var/spool/exim.in
process_log_path = /var/spool/exim/exim-process.info
queue_only = true
queue_only_override = false
RBLs
Configure the RBLs under acl_check_rcpt:
drop message = REJECTED because $sender_host_address is in a black list spamhaus.org
     dnslists = zen.spamhaus.org

drop message = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
     dnslists = bl.spamcop.net

drop message = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
     dnslists = dnsbl.sorbs.net
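What each dnslists line does on the wire, as an added example that is not part of the original tutorial: the sender's IPv4 octets are reversed and prepended to the list zone, and the A record that comes back is the verdict. The function names and sample answers are constructed; reading 127.255.255.x as an error rather than a listing follows Spamhaus's published return-code convention.

```shell
#!/bin/sh
# Added example: how a dnslists lookup name is formed and how to read the answer.

# dnsbl_qname IPV4 ZONE: print the name queried for IPV4; status 1 if not IPv4.
dnsbl_qname() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
          printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone }'
}

# dnsbl_verdict ANSWER: classify the A record returned for that name.
# An empty ANSWER stands for NXDOMAIN (address not on the list).
dnsbl_verdict() {
    case "$1" in
        "")            echo clean ;;
        127.255.255.*) echo error ;;      # list-side error code, not a listing
        127.0.0.*)     echo listed ;;
        *)             echo unexpected ;; # answer outside the list's ranges
    esac
}

# Constructed cases: "sender address|answer returned by the list".
for sample in "192.0.2.25|127.0.0.4" "198.51.100.7|" "203.0.113.9|127.255.255.254"
do
    ip=${sample%%|*}
    answer=${sample#*|}
    qname=$(dnsbl_qname "$ip" zen.spamhaus.org)
    echo "$qname -> ${answer:-NXDOMAIN}: $(dnsbl_verdict "$answer")"
done
```

A bare `dnslists = zone` entry, as in the ACL above, treats any A record as a listing, so an error answer would also trigger the drop. Exim's dnslists condition accepts a list of addresses after the zone name, in the form zone=address, to restrict which answers count.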