Mailscanner/Exim Gateway With Communigate PRO Guide - Page 2

Anti Spam

If you want to reject messages from servers with no reverse dns add this under acl_check_rcpt:, it does have a exception list to which you can add domains where the acl should not be applied and trys to deliver a test message to sending address to verify if the sender is valid.

drop  message   = REJECTED - We don't accept messages from hosts without reverse DNS
        log_message = No reverse DNS
        domains = ! lsearch;/etc/exim/checks_exempt_hosts
        !verify = reverse_host_lookup
        !verify = sender/callout=2m,defer_ok
        !condition =  ${if eq{$sender_verify_failure}{}}

To reject messages from clients that dont provide a HELO/EHLO add this to acl_check_rcpt:

drop  message  = REFUSED - no HELO/EHLO greeting
        log_message = remote host did not present greeting
        condition = ${if def:sender_helo_name {false}{true}}

You can rate limit the connections to your server as well add this to acl_check_connect: to do so (read the exim docs on the parameters if you want to fine tune it for your site).

deny ratelimit = 250 / 15m / strict
       message = You can only send $sender_rate per $sender_rate_period
       log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
accept

Stop rogue spam bots from trashing your machine.

smtp_accept_max_nonmail = 30
smtp_max_unknown_commands = 1

Allow pipelining only from the localhost to allow you to later use mailfeeder to release mail.

pipelining_advertise_hosts = 127.0.0.1

 

Address Verification

This users the router check_backend to communicate with your communigate pro system via ldap to ensure that an address exists before accepting mail for that address.

Add your default ldap servers to the exim configuration.

ldap_default_servers = xxx.xxx.xxx.xxx

Configure domains that have a catchall account (no verification if address exists before accepting mail.

# example /etc/exim/catchall_domains
somedomain.com

Specify this in the exim configuration.

domainlist domains_with_catchall = lsearch;/etc/exim/catchall_domains

Create and add the ldap enabled CGP domains to the file /etc/exim/ldap-domains. The first column is the domain alias or domain and the second is the actual domain as it exists in ldap as when you sync CGP domains to ldap it does not copy the domain aliases as well.

#example  /etc/exim/ldap-domains
example.com: example.com
example.co.za: example.com

Create the check_backend router, this should be the first router in your configuration.

check_backend:
 driver = redirect
 domains = ! +domains_with_catchall : +relay_to_domains
 allow_fail
 allow_defer
 forbid_file
 forbid_pipe
 data = ${lookup ldap{ldap:///uid=${local_part},cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?mail}{$value}{:fail: Unknown user}}
 #version 5.x use this instead
 #data = ${lookup ldap{ldap:///cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?uid?sub?(uid=$local_part)}{$local_part@$domain}{:fail: User Unknown}}

 

Clean Delivery Exim

This is the configuration that is used to deliver the clean mail that mailscanner has already scanned. The configuration file is /etc/exim/exim_out.conf. For this you can use the default configuration with all the checks and acls taken out.

You need to add this router to deliver the cleaned mail to the actual CGP servers. If you are running a cluster, this router is capable of spreading the deliveries across the servers that you have configured in /etc/exim/mail-routes making it fully redundant.

deliver_clean:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  hosts_randomize = true
  route_data = ${lookup{$domain}lsearch{/etc/exim/mail-routes}}

 

Configure MySQL

Add this to the configuration file /etc/my.cnf:

socket=/var/lib/mysql/mysql.sock
skip-networking

This configures mysql to only communicate via the socket not tcp which is better for security and for performance.

Start mysql, this will initialize the default databases.

service mysqld start

Set the root users password:

mysqladmin -u root password NEWPASSWORD

Create the mailwatch database and populate tables:

mysql -p < /usr/local/src/mailwatch-1.0.4/create.sql

Create the mysql user for mailwatch and mailscanner logging:

mysql
mysql> GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY 'password';

Create the mailwatch admin user:

mysql mailscanner -u mailwatch -p
Enter password: ******
mysql> INSERT INTO users VALUES ('',md5(' '),'','A','0','0','0','0','0');

 

Configure MailScanner

Intro

Mailscanner has several configuration options i will only dwell on those that are needed to get the system working. To further customize the system please read the mailscanner documentation or look at the sample configuration files that i have provided.

 

Basic Configuration

Please edit the following configuration variables in /etc/MailScanner/MailScanner.conf:

Run As User = exim
Run As Group = exim
Incoming Queue Dir = /var/spool/exim.in/input
Outgoing Queue Dir = /var/spool/exim/input
MTA = exim
Sendmail = /usr/sbin/exim -C /etc/exim/exim_out.conf
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_out.conf
Quarantine User = exim
Quarantine Group = apache
Quarantine Permissions = 0660
Quarantine Infections = yes
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
Keep Spam And MCP Archive Clean = yes
Spam Actions = store
High Scoring Spam Actions = store
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
  • Set permissions
chown exim.exim -R /var/spool/MailScanner/incoming
mkdir -p /var/spool/exim.in/{input,msglog,scan,db}
chown exim.exim /var/spool/exim.in/{input,msglog,scan,db}

 

Anti Virus

If you have a second virus scanner set

Virus Scanning = yes
Virus Scanners = "name of virus scanner"

 

Blacklists And Whitelists

We will be using SQL(mysql) based whitelisting and blacklisting to easily integrate with the mailwatch front end to allow users to whitelist and blacklist senders from within the web interface.

Edit the mailscanner configuration file and add:

Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist
Ignore Spam Whitelist If Recipients Exceed = 20

Edit the file /usr/lib/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm:

sub CreateList {
  my($type, $BlackWhite) = @_;
  my($dbh, $sth, $sql, $to_address, $from_address, $count);
  my($db_name) = 'mailscanner';
  my($db_host) = 'localhost';
  my($db_user) = 'mailwatch';
  my($db_pass) = 'password';

 

Mailwatch Integration

Edit the mailscanner configuration file and add:

Always Looked Up Last = &MailWatchLogging

Edit the file /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm:

my($db_name) = 'mailscanner';
my($db_host) = 'localhost';
my($db_user) = 'mailwatch';
my($db_pass) = 'password';

 

Configure Spamassassin

This configuration will use a mysql database to store the bayes information. So we will create a database and user that will be used to connect to the database. We will also be using extra rules (SARE hosted by Daryl C. W. O'Shea http://www.dostech.ca/) so we will configure sa-update to download them automatically.

 

Create MySQL Database

mysqladmin -p create bayes

Populate the database:

mysql -p bayes < /usr/share/doc/spamassassin-3.2.3/sql/bayes_mysql.sql

Create the user:

mysql -p
mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY 'password';

 

Configure To Use DB

Edit the file /etc/mail/spamassassin/local.cf and add:

bayes_store_module  Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn       DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username  bayes
bayes_sql_password  password

 

SARE Rule Updates

Import the GPG key used to sign the rules:

wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY sa-update --import GPG.KEY

Create the channels file /etc/mail/spamassassin/sare-sa-update-channels.txt:

updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net

Create an update script /usr/local/bin/update-sa:

#!/bin/bash
#
#
sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A

Make it executable and add it to cron:

chmod +x /usr/local/bin/update-sa
ln -s /usr/local/bin/update-sa /etc/cron.daily/
ln -s /usr/local/bin/update-sa /etc/cron.hourly
Share this page:

0 Comment(s)