Mailscanner/Exim Gateway With Communigate PRO Guide - Page 2
Anti Spam
To reject mail from hosts that have no valid reverse DNS, add the following to acl_check_rcpt. The recipient domain is first checked against an exemption list (/etc/exim/checks_exempt_hosts, one domain per line) so you can exclude domains for which the check must not run. The envelope sender is then verified with a callout: Exim connects to the sender domain's MX and issues a test RCPT to see whether the address is accepted there. The client is dropped only when both checks fail, so a host with a broken PTR record but a valid sender address still gets through; defer_ok means a callout that times out or gets a temporary error counts as a pass rather than a rejection.
drop message = REJECTED - We don't accept messages from hosts without reverse DNS
     log_message = No reverse DNS
     domains = ! lsearch;/etc/exim/checks_exempt_hosts
     !verify = reverse_host_lookup
     !verify = sender/callout=2m,defer_ok
     !condition = ${if eq{$sender_verify_failure}{}}
To reject clients that do not send a HELO/EHLO greeting before MAIL FROM, add this to acl_check_rcpt:
drop message = REFUSED - no HELO/EHLO greeting
     log_message = remote host did not present greeting
     condition = ${if def:sender_helo_name {false}{true}}
You can also rate limit connections per client host. Add this to acl_check_connect (read the ratelimit section of the Exim specification if you want to tune the numbers for your site). The setting below allows 250 connections per 15 minutes from any one host. strict means the measured rate keeps being updated while the client is over the limit, so a client that keeps hammering stays blocked until it actually slows down instead of getting a fresh allowance as soon as the average decays. Because this runs at connection time it counts connections rather than messages, and it will catch legitimate high-volume senders too unless you exempt them.
deny ratelimit = 250 / 15m / strict
     message = You can only send $sender_rate per $sender_rate_period
     log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)

accept
Limit what a client can do without actually sending mail, so that rogue spam bots cannot tie up your SMTP processes. These go in the main section of the configuration, not in an ACL: smtp_accept_max_nonmail caps the number of non-mail commands (HELO, RSET, NOOP, VRFY and so on) Exim accepts in one session, and smtp_max_unknown_commands caps the number of unrecognised commands before the connection is dropped.
smtp_accept_max_nonmail = 30
smtp_max_unknown_commands = 1
Advertise PIPELINING only to the local host. Exim enforces SMTP synchronisation by default (smtp_enforce_sync), so a remote client that blasts its whole session without waiting for responses is dropped when PIPELINING has not been advertised to it, which catches a lot of bots. Local tools still get it; you will need that later when mailfeeder is used to release mail.
pipelining_advertise_hosts = 127.0.0.1
Address Verification
This uses a router, check_backend, that queries your CommuniGate Pro LDAP directory so that Exim can confirm an address exists before it accepts mail for it (recipient verification at RCPT time). Rejecting unknown recipients during the SMTP session means the gateway never accepts mail it later has to bounce, so it does not become a source of backscatter.
Add your default ldap servers to the exim configuration.
ldap_default_servers = xxx.xxx.xxx.xxx
List the domains that have a catch-all account; for these no check is made that the address exists before mail is accepted:
# example /etc/exim/catchall_domains
somedomain.com
Specify this in the exim configuration.
domainlist domains_with_catchall = lsearch;/etc/exim/catchall_domains
Create /etc/exim/ldap-domains and add the LDAP-enabled CGP domains to it. The file is an lsearch table: the first column (the key, terminated by a colon) is the domain or domain alias that mail arrives for, and the second is the actual domain as it exists in LDAP. The mapping is needed because syncing CGP domains to LDAP does not copy the domain aliases, so every alias must be listed here and pointed at its real domain.
#example /etc/exim/ldap-domains
example.com: example.com
example.co.za: example.com
Create the check_backend router. It must be the first router in the configuration so that recipient verification (verify = recipient in acl_check_rcpt) reaches it before any other router can accept the address.
check_backend:
  driver = redirect
  domains = ! +domains_with_catchall : +relay_to_domains
  allow_fail
  allow_defer
  forbid_file
  forbid_pipe
  # $local_part comes straight from the SMTP client, so it is quoted before
  # being interpolated into the LDAP URL: quote_ldap_dn for the DN form,
  # quote_ldap for the filter form (the bare variable lets characters such
  # as * ( ) change the meaning of the query). A lookup that finds no entry
  # fails the address with the message given; a domain missing from
  # ldap-domains makes the whole expansion fail and the router defer, so
  # keep that file complete.
  data = ${lookup ldap{ldap:///uid=${quote_ldap_dn:$local_part},cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?mail}{$value}{:fail: Unknown user}}
  # CGP version 5.x: use this instead
  #data = ${lookup ldap{ldap:///cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?uid?sub?(uid=${quote_ldap:$local_part})}{$local_part@$domain}{:fail: User Unknown}}
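The router interpolates $local_part, which an SMTP client chooses freely, into an LDAP URL. The Python script below is an added example (not from the guide, and not Exim's code) showing why that value needs quoting: it builds the (uid=...) filter used by the version-5.x variant of the router with and without RFC 4515 escaping for a few constructed local parts, and includes a check that the resulting filter is still a single exact uid match. quote_ldap() is an approximation of what Exim's ${quote_ldap:} operator does (RFC 4515 escaping followed by URL-encoding, since the filter sits inside an ldap:// URL). No directory server is contacted.

```python
"""Added example (not part of the guide): LDAP filter escaping for the
check_backend router's $local_part. The local parts used below are
constructed test inputs; nothing talks to a directory server."""

from urllib.parse import quote

# RFC 4515 section 3: characters that must be escaped inside a filter value,
# each replaced by a backslash and the two-digit hex code of the byte.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def quote_ldap(value: str) -> str:
    """Approximation of Exim's ${quote_ldap:...}: RFC 4515 escaping, then
    URL-encoding because the filter is embedded in an ldap:// URL."""
    return quote(ldap_filter_escape(value), safe="")


def build_uid_filter(local_part: str, quoted: bool) -> str:
    """Build the (uid=$local_part) filter from the v5.x router's data option,
    either with the bare variable (quoted=False) or escaped (quoted=True)."""
    value = ldap_filter_escape(local_part) if quoted else local_part
    return "(uid=" + value + ")"


def is_single_uid_match(ldap_filter: str) -> bool:
    """Check that a filter is exactly one (uid=<value>) equality assertion
    whose value contains no unescaped filter metacharacters."""
    if not (ldap_filter.startswith("(uid=") and ldap_filter.endswith(")")):
        return False
    value = ldap_filter[len("(uid="):-1]
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            # A backslash is only legal as \XX with exactly two hex digits.
            code = value[i + 1:i + 3]
            if len(code) != 2 or not all(c in "0123456789abcdefABCDEF" for c in code):
                return False
            i += 3
            continue
        if ch in "()*\x00":
            return False
        i += 1
    return True


def compare(local_parts):
    """Return, per local part, the raw and quoted filters and whether each
    still expresses a single exact uid match."""
    rows = []
    for lp in local_parts:
        raw = build_uid_filter(lp, quoted=False)
        safe = build_uid_filter(lp, quoted=True)
        rows.append((lp, raw, is_single_uid_match(raw), safe, is_single_uid_match(safe)))
    return rows


if __name__ == "__main__":
    # Constructed inputs: an ordinary user, a bare wildcard, and an attempt
    # to splice a second assertion into the filter.
    for lp, raw, raw_ok, safe, safe_ok in compare(["smith", "*", "x)(objectClass=*"]):
        print(f"{lp!r:22} raw={raw!r:28} exact={raw_ok!s:5} quoted={safe!r} exact={safe_ok}")
```

Compare the two rows for the `*` local part: unquoted, the filter becomes (uid=*), a presence filter that matches every entry with a uid, so the router would "verify" a local part that does not exist; quoted, it can only match a uid that is literally an asterisk, which is the behaviour you want from a recipient check.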
Clean Delivery Exim
This is the configuration that is used to deliver the clean mail that mailscanner has already scanned. The configuration file is /etc/exim/exim_out.conf. For this you can use the default configuration with all the checks and acls taken out.
You need to add this router to deliver the cleaned mail to the actual CGP servers. It looks the recipient domain up in /etc/exim/mail-routes, which maps each domain to a colon-separated list of CGP hosts. If you are running a cluster, hosts_randomize spreads deliveries across the listed servers and Exim moves on to the next host when one is down, so delivery is fully redundant.
deliver_clean:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  hosts_randomize = true
  route_data = ${lookup{$domain}lsearch{/etc/exim/mail-routes}}
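An example of the /etc/exim/mail-routes file the router reads, added here because the guide does not show it; the host names are placeholders. Each line maps a recipient domain to a colon-separated host list, which is the form manualroute expects in route_data:

```text
# /etc/exim/mail-routes: recipient domain -> CGP servers to deliver to.
# lsearch matches keys exactly, so list every domain and every domain
# alias from /etc/exim/ldap-domains here as well.
example.com:   cgp1.example.com : cgp2.example.com
example.co.za: cgp1.example.com : cgp2.example.com
```

With hosts_randomize = true the two hosts are tried in random order for each delivery, and the other one is tried if the first is down. Before relying on it, check what the clean instance does with a real address: exim -C /etc/exim/exim_out.conf -bt user@example.com prints the router that matched and the hosts it chose.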
Configure MySQL
Add this to the configuration file /etc/my.cnf:
socket=/var/lib/mysql/mysql.sock
skip-networking
This makes MySQL listen only on the Unix socket and not on TCP, so it is unreachable from the network and local clients skip the TCP overhead. MailWatch, MailScanner and SpamAssassin all run on this host, so use localhost as the database host everywhere below; the MySQL client library uses the socket for localhost.
Start mysql, this will initialize the default databases.
service mysqld start
Set the root user's password. Note that a password given on the command line ends up in your shell history and is visible in the process list while the command runs; mysql_secure_installation sets it interactively and also removes the anonymous accounts and the test database.
mysqladmin -u root password NEWPASSWORD
Create the mailwatch database and populate tables:
mysql -p < /usr/local/src/mailwatch-1.0.4/create.sql
Create the MySQL user that MailWatch and the MailScanner logging and black/whitelist functions connect as. Replace 'password' with a real one; the same value goes into the two Perl modules edited below.
mysql
mysql> GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY 'password';
Create the MailWatch admin user. The first three values are the login name, the password (stored as an MD5 hash) and the display name; 'A' makes the account an administrator.
mysql mailscanner -u mailwatch -p
Enter password: ******
mysql> INSERT INTO users VALUES ('<username>',md5('<password>'),'<full name>','A','0','0','0','0','0');
Configure MailScanner
Intro
MailScanner has a great many configuration options; I will only cover those needed to get the system working. To customise the system further, read the MailScanner documentation or look at the sample configuration files I have provided.
Basic Configuration
Please edit the following configuration variables in /etc/MailScanner/MailScanner.conf:
Run As User = exim
Run As Group = exim
Incoming Queue Dir = /var/spool/exim.in/input
Outgoing Queue Dir = /var/spool/exim/input
MTA = exim
Sendmail = /usr/sbin/exim -C /etc/exim/exim_out.conf
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_out.conf
Quarantine User = exim
Quarantine Group = apache
Quarantine Permissions = 0660
Quarantine Infections = yes
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
Keep Spam And MCP Archive Clean = yes
Spam Actions = store
High Scoring Spam Actions = store
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Set permissions on the MailScanner work directory and create the incoming queue directories that the incoming Exim instance and MailScanner share. The quarantine is group apache with mode 0660 so that the MailWatch web interface can read and release quarantined mail without running as exim:
chown exim.exim -R /var/spool/MailScanner/incoming
mkdir -p /var/spool/exim.in/{input,msglog,scan,db}
chown exim.exim /var/spool/exim.in/{input,msglog,scan,db}
Anti Virus
If you have installed a second virus scanner, set these so that MailScanner uses it. The scanner names MailScanner understands are listed in /etc/MailScanner/virus.scanners.conf; several names separated by spaces may be given.
Virus Scanning = yes
Virus Scanners = "name of virus scanner"
Blacklists And Whitelists
We will be using SQL(mysql) based whitelisting and blacklisting to easily integrate with the mailwatch front end to allow users to whitelist and blacklist senders from within the web interface.
Edit the mailscanner configuration file and add:
Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist
Ignore Spam Whitelist If Recipients Exceed = 20
Edit /usr/lib/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm and set the database credentials at the top of CreateList. The file now contains a database password, so make sure it is readable only by root and the exim user MailScanner runs as:
sub CreateList {
  my($type, $BlackWhite) = @_;
  my($dbh, $sth, $sql, $to_address, $from_address, $count);
  my($db_name) = 'mailscanner';
  my($db_host) = 'localhost';
  my($db_user) = 'mailwatch';
  my($db_pass) = 'password';
Mailwatch Integration
Edit the mailscanner configuration file and add:
Always Looked Up Last = &MailWatchLogging
Edit /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm and set the same credentials (again, restrict the file's permissions since it holds the password):
my($db_name) = 'mailscanner';
my($db_host) = 'localhost';
my($db_user) = 'mailwatch';
my($db_pass) = 'password';
Configure Spamassassin
This configuration stores the Bayes data in a MySQL database, so we create a database and a user for it. We will also use extra rules (SARE, hosted by Daryl C. W. O'Shea at http://www.dostech.ca/) and configure sa-update to download them automatically.
Create MySQL Database
mysqladmin -p create bayes
Populate the database:
mysql -p bayes < /usr/share/doc/spamassassin-3.2.3/sql/bayes_mysql.sql
Create the user:
mysql -p
mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY 'password';
Configure To Use DB
Edit the file /etc/mail/spamassassin/local.cf and add the following. bayes_sql_override_username makes every message use the single 'bayes' user's database, which is what you want on a gateway where MailScanner scans all mail as one user:
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username bayes
bayes_sql_password password
SARE Rule Updates
Import the GPG key used to sign the rules. The key is fetched over plain HTTP, so check that the key ID gpg reports on import is 856AA88A, the ID the update script below pins with --gpgkey, before trusting it:
wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
sa-update --import GPG.KEY
Create the channels file /etc/mail/spamassassin/sare-sa-update-channels.txt, one channel per line. The first entry is the official SpamAssassin channel; the rest are SARE rule sets. If a channel stops being served or fails signature verification, remove it from this file rather than running sa-update without --gpgkey:
updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
Create an update script /usr/local/bin/update-sa:
#!/bin/bash
# Fetch the official SpamAssassin rules plus the SARE channels, verifying
# each against the key imported above (-D is debug output; drop it once
# updates are known to work, or cron will mail it on every run).
sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A
# Exit status 0 means new rules were installed (1 = nothing new, 2 or more
# = error), so restart MailScanner only then to load them.
[ $? -eq 0 ] && service MailScanner restart
Make it executable and link it into cron. Rule updates are published at most daily, so the cron.daily link is enough; the cron.hourly link just runs the same script more often:
chmod +x /usr/local/bin/update-sa
ln -s /usr/local/bin/update-sa /etc/cron.daily/
ln -s /usr/local/bin/update-sa /etc/cron.hourly