Mailscanner/Exim Gateway With Communigate PRO Guide - Page 3


We will store the image hashes in a MySQL database to improve performance: images that have already been scanned are not scanned again, since OCR is a resource-intensive activity.


Create MySQL Database

The SQL script creates the database and tables and adds a user fuzzyocr with the password fuzzyocr:

mysql -p < /usr/local/src/devel/FuzzyOcr.mysql

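Change the password (enter the current password, fuzzyocr, at the prompt; NEW_PASSWORD is a placeholder for the value you choose):

mysqladmin -u fuzzyocr -p password 'NEW_PASSWORD'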


Basic Settings

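Edit /etc/mail/spamassassin/ and set the basic options (the log file below sits in world-writable /tmp; a directory writable only by the scanning user is a safer location):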

focr_path_bin /usr/bin:/usr/local/bin
focr_minimal_scanset 1
focr_autosort_scanset 1
focr_enable_image_hashing 3
focr_logfile /tmp/FuzzyOcr.log


Make FuzzyOCR Use The Database

Edit the file /etc/mail/spamassassin/ and add the following, using the password you set for the fuzzyocr user as focr_mysql_pass:

focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/lib/mysql/mysql.sock


Configure Razor

Register your razor system:

razor-admin -register


Configure Clamav

Base Config

This ClamAV installation will use both the official signatures and the Sanesecurity signatures, which are used to combat image and PDF spam as well as phishing attacks.

Add the clamav user to the exim group (-a appends, so the user's existing supplementary groups are kept):

usermod -a -G exim clamav

Configure clamd to listen on a Unix socket by setting this in clamd.conf:

LocalSocket /var/run/clamav/clamd.socket

Configure clamd to start at boot:

chkconfig --level 345 clamd on



For ClamAV to work with SELinux in enforcing mode we need to add a local policy module. The sample policy is below:

module clamlocal 1.0;
require {
        class dir { add_name read remove_name search write };
        class file { create getattr lock read write append };
        type clamd_t;
        type clamd_var_log_t;
        type logwatch_t;
        type proc_t;
        type sysctl_kernel_t;
        type var_spool_t;
        type var_t;
        type var_log_t;
        role system_r;
}

allow clamd_t proc_t:file { getattr read };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_spool_t:dir read;
allow clamd_t var_spool_t:file { getattr read };
allow clamd_t var_t:dir { add_name read remove_name write };
allow clamd_t var_t:file { create getattr lock read write };
allow logwatch_t clamd_var_log_t:dir { read search };
allow clamd_t var_log_t:file append;
allow clamd_t var_t:dir { read write };

The module can be downloaded from

Build and install the module:

gunzip clamlocal.te.gz
checkmodule -M -m -o clamlocal.mod clamlocal.te
semodule_package -o clamlocal.pp -m clamlocal.mod
semodule -i clamlocal.pp


Configure Mailwatch

Patch For Enhanced Release

This patch makes mailwatch release messages via mailfeeder, re-injecting the actual message through the SMTP server so that it appears like the original message that was sent. The default mailwatch release instead sends the released mail as an attachment from the postmaster account.

gunzip mailwatch_release.patch.gz
cd /var/www/html
patch -i ../mailwatch_release.patch


Configure The Base Directory

Since we are installing mailwatch into /var/www/html instead of /var/www/html/mailscanner, we need to modify the config file conf.php to reflect this:

define(MAILWATCH_HOME, '/var/www/html');


Configure For Database

Set the following options in conf.php:

define(DB_TYPE, 'mysql');
define(DB_USER, 'mailwatch');
define(DB_PASS, 'password');
define(DB_HOST, 'localhost:/var/lib/mysql/mysql.sock');
define(DB_NAME, 'mailscanner');



Set this in the conf.php file:

define(QUARANTINE_USE_FLAG, true);

Install the quarantine clean-up script:

cp /usr/local/src/mailwatch-1.0.4/tools/quarantine_maint.php /usr/local/bin/
chmod +x /usr/local/bin/quarantine_maint.php
ln -s /usr/local/bin/quarantine_maint.php /etc/cron.daily

Disable the cron script installed by mailscanner, /etc/cron.daily/clean.quarantine, by setting this in the script:

$disabled = 1;



For mailwatch to work with SELinux in enforcing mode we need to install a custom SELinux policy module. The module source is below:

module mailwatch 1.0;

require {
        class dir { getattr read search };
        class file { getattr read execute execute_no_trans ioctl };
        class lnk_file { read getattr };
        class tcp_socket name_connect;
        type spamc_exec_t;
        type clamd_t;
        type getty_t;
        type hostname_exec_t;
        type initrc_t;
        type unconfined_t;
        type var_spool_t;
        type etc_mail_t;
        type ls_exec_t;
        type smtp_port_t;
        type spamassassin_exec_t;
        type httpd_sys_content_t;
        type httpd_t;
        type mysqld_t;
        type lib_t;
}

allow httpd_t clamd_t:dir getattr;
allow httpd_t hostname_exec_t:file getattr;
allow httpd_t var_spool_t:dir read;
allow httpd_t var_spool_t:file { getattr ioctl read };
allow httpd_t spamc_exec_t:file { execute execute_no_trans getattr read ioctl };
allow httpd_t etc_mail_t:dir { search getattr read };
allow httpd_t etc_mail_t:file { getattr read ioctl };
allow httpd_t etc_mail_t:lnk_file { getattr read };
allow httpd_t hostname_exec_t:file { execute read execute_no_trans };
allow httpd_t unconfined_t:dir { getattr search read };
allow httpd_t unconfined_t:file { read };
allow httpd_t initrc_t:dir { getattr search read };
allow httpd_t initrc_t:file read;
allow httpd_t ls_exec_t:file { execute read getattr execute_no_trans };
allow httpd_t spamassassin_exec_t:file { execute getattr read execute_no_trans ioctl };
allow mysqld_t httpd_sys_content_t:dir { getattr read search };
allow mysqld_t httpd_sys_content_t:file { read getattr };
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t lib_t:file execute_no_trans;

The module source can be downloaded from

Build and install the module:

gunzip mailwatch.te.gz
checkmodule -M -m -o mailwatch.mod mailwatch.te
semodule_package -o mailwatch.pp -m mailwatch.mod
semodule -i mailwatch.pp
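
A pre-install review for a downloaded .te file such as clamlocal.te or mailwatch.te, as an added example that is not part of the original guide: it checks that the require block is closed and declares every type, class and permission the allow rules use, and lists the rules that grant modifying permissions so they can be read before semodule -i. The sample module, the function names and the MODIFYING list are assumptions of this example.

```python
import re

# Constructed sample: var_log_t and the file permission ioctl are left undeclared.
SAMPLE_TE = """\
module clamlocal 1.0;
require {
        class dir { add_name read remove_name search write };
        class file { create getattr lock read write append };
        type clamd_t;
        type var_t;
}
allow clamd_t var_t:dir { add_name read remove_name write };
allow clamd_t var_log_t:file append;
allow clamd_t var_t:file { getattr ioctl };
"""

PERMS = r"(?:\{([^}]*)\}|(\w+))\s*;"  # "{ a b };" or a single "a;"
ALLOW = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+" + PERMS, re.M)
MODIFYING = {"write", "append", "create", "add_name", "remove_name", "unlink", "setattr"}

def parse_require(te):
    """Return (declared types, {class: permissions}) from the require block."""
    block = re.search(r"^require\s*\{(.*?)\n\s*\}", te, re.S | re.M)
    if block is None:
        raise ValueError("require block is missing or has no closing brace")
    types = set(re.findall(r"^\s*type\s+(\w+)\s*;", block.group(1), re.M))
    classes = {name: set((many or one).split()) for name, many, one in
               re.findall(r"^\s*class\s+(\w+)\s+" + PERMS, block.group(1), re.M)}
    return types, classes

def rules(te):
    """Return (source, target, class, permissions) for every allow rule."""
    return [(s, t, c, set((m or o).split())) for s, t, c, m, o in ALLOW.findall(te)]

def undeclared(te):
    """Names used by allow rules that the require block does not declare."""
    types, classes = parse_require(te)
    found = set()
    for src, tgt, cls, perms in rules(te):
        found |= {f"type {t}" for t in (src, tgt) if t not in types}
        if cls not in classes:
            found.add(f"class {cls}")
        found |= {f"{cls} permission {p}" for p in perms - classes.get(cls, perms)}
    return sorted(found)

def modifying_grants(te):
    """Rules that let the source domain change the target (MODIFYING is this example's list)."""
    return [f"{s} -> {t}:{c} {' '.join(sorted(p & MODIFYING))}"
            for s, t, c, p in rules(te) if p & MODIFYING]
```

Pass the text of the module file to undeclared() and modifying_grants(); a non-empty undeclared() result, or a ValueError from parse_require(), means the file needs fixing before it is built.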



Connect to your server at http://hostname/, log in, click on the "Tools/Links" menu -> "Update GeoIP database" and click "Run Now".


Mail Queue Monitor

Install the monitoring script:

cp /usr/local/src/mailwatch-1.0.4/mailq.php /usr/local/bin
chmod +x /usr/local/bin/mailq.php
crontab -e
0-59 * * * * /usr/local/bin/mailq.php

Edit /usr/local/bin/mailq.php for the new directory layout:

if(flock($fl, LOCK_EX + LOCK_NB)) {
 require "/var/www/html/functions.php";