General Scenario and assumption
We are going to configure an off-line mail server. Our mail is hosted externally: our domain is "electromech.info" and the hosted mail server is "mail.electromech.info" (SMTP and POP3).
User name at the hosted mail server: dimple@electromech.info
Password of user dimple on the hosted mail server: XXXX
Local configuration:
IP address of our mail server in the local network: 192.168.0.xxx
We are using Red Hat Enterprise Linux 4 U3 for the test setup.
All local users will talk to the local mail server only.
"Off-line mail server" means that the final destination of our mail is the hosted mail server. We periodically download the mail from the hosted server; the download frequency can be chosen according to load and the number of users. fetchmail provides the facility to download the mail from the hosted server, and outgoing mail is handed to the hosted server as sendmail's smart host.
The basic setup will include :
sendmail ( MTA – smtp server )
dovecot ( IMAP and POP3 server )
fetchmail ( download script from hosted server )
MailScanner ( antivirus mechanism for mail )
Clamav ( Antivirus software )
Spamassassin ( Antispam, through MailScanner only )
MailWatch ( Reports and maillog analysis )
1. General consideration and explanation
Check that the hostname resolves properly; sendmail will not start cleanly if it cannot resolve its own fully qualified name. Check:
1. /etc/hosts
2. /etc/sysconfig/network
The hostname command should then return the fully qualified name:
[root@stationxxx ~]# hostname
stationxxx.example.com
example : /etc/hosts
[root@stationxxx ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.0.xxx stationxxx.example.com stationxxx
example : /etc/sysconfig/network
[root@stationxxx ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=stationxxx.example.com
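A small check script for this step, added here as an example (it is not part of the original guide): it looks the machine's fully qualified name up in /etc/hosts the way the resolver does and warns when the name is missing or mapped to loopback, the two mistakes that make sendmail stall at startup. The hosts content in the block is constructed to mirror the example above, with 192.168.0.42 standing in for 192.168.0.xxx.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that the box's fully
# qualified name is mapped in /etc/hosts to a LAN address rather than loopback.

# hosts_lookup HOSTSFILE FQDN
#   Prints the first address that HOSTSFILE maps FQDN to (what the resolver
#   returns with "files" first in /etc/nsswitch.conf) and returns
#   0 = LAN address, 1 = no entry, 2 = entry exists but points at loopback.
hosts_lookup() {
    addr=$(awk -v h="$2" '
        /^[ \t]*#/ || NF == 0 { next }                  # comments and blank lines
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$1")
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
    case $addr in
        127.*|::1) return 2 ;;
    esac
    return 0
}

# check_fqdn_resolution [HOSTSFILE]
#   Uses the live hostname (as set by HOSTNAME= in /etc/sysconfig/network)
#   and /etc/hosts unless another hosts file is given; prints a verdict.
check_fqdn_resolution() {
    hostsfile=${1:-/etc/hosts}
    fqdn=$(hostname)
    case $fqdn in
        *.*) ;;
        *) echo "FAIL: hostname '$fqdn' is not fully qualified"; return 1 ;;
    esac
    rc=0; addr=$(hosts_lookup "$hostsfile" "$fqdn") || rc=$?
    case $rc in
        0) echo "OK: $fqdn -> $addr" ;;
        1) echo "FAIL: no entry for $fqdn in $hostsfile; sendmail will stall at startup" ;;
        2) echo "WARN: $fqdn maps to loopback ($addr); put it on the LAN address" ;;
    esac
    return $rc
}

# Stand-alone demonstration on a constructed hosts file (same layout as the
# example above, with 192.168.0.42 standing in for 192.168.0.xxx).
demo=$(mktemp)
cat > "$demo" <<'EOF'
127.0.0.1 localhost.localdomain localhost
192.168.0.42 stationxxx.example.com stationxxx
EOF
hosts_lookup "$demo" stationxxx.example.com    # prints 192.168.0.42
rm -f "$demo"
```

Run check_fqdn_resolution on the server itself after editing the two files; it reads the real hostname and /etc/hosts.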
Check that the required RPMs are installed (sendmail-cf provides the m4 templates used in the next step):
# rpm -qa | grep sendmail
sendmail-8.13.1-2
sendmail-cf-8.13.1-2
# rpm -qa | grep dovecot
dovecot-0.99.11-2.EL4.1
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
This command runs the m4 macro processor over our macro definition file. The standard sendmail macro template (the cf.m4 file shipped in the sendmail-cf package) is pulled in by the include line at the top of sendmail.mc, so m4 processes the template first and our own definitions after it. The output is redirected into /etc/mail/sendmail.cf, which is the configuration file sendmail actually reads.
Restart sendmail afterwards so that it picks up the new configuration.
Sample /etc/mail/sendmail.mc (only the lines that matter for this setup are shown; the stock include, VERSIONID and OSTYPE lines at the top of the shipped file stay as they are):
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
OSTYPE(`linux')dnl
dnl # outgoing mail is handed to the hosted server
dnl define(`SMART_HOST',`smtp.your.provider')
define(`SMART_HOST',`mail.electromech.info')dnl
dnl # A = allow relaying for authenticated clients; add p (`A p') to refuse
dnl # LOGIN/PLAIN on connections that are not protected by STARTTLS
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl # certificates created below in /etc/mail/certs
define(`confCACERT_PATH',`/etc/mail/certs')dnl
define(`confCACERT',`/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT',`/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT',`/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY',`/etc/mail/certs/sendmail.pem')dnl
dnl #
dnl # left commented out so sendmail listens on all interfaces for the LAN
dnl # clients; who may relay is still governed by access.db and SMTP AUTH
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl # credentials for the smart host, see /etc/mail/authinfo below
FEATURE(`authinfo',`hash -o /etc/mail/authinfo')dnl
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
LOCAL_DOMAIN(`electromech.info')dnl
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
MASQUERADE_AS(`electromech.info')dnl
dnl #
FEATURE(masquerade_envelope)dnl
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
FEATURE(masquerade_entire_domain)dnl
dnl #
MAILER(local)dnl
MAILER(smtp)dnl
The /etc/mail/access file:
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
# the local network (192.168.0.0/24) may relay through this server
192.168.0 RELAY
# a RELAY entry keyed by a domain name is matched on the connecting client's
# reverse-DNS name, which the remote side controls; IP prefixes and SMTP AUTH
# are the safer ways to grant relaying
electromech.info RELAY
student@ REJECT
NOTE : Please check /usr/share/sendmail-cf/README for RHEL5
Sample /etc/mail/authinfo (the credentials sendmail presents when it hands mail to SMART_HOST; the key after AuthInfo: is the smart host's name):
# examples from the sendmail documentation, not used here:
#AuthInfo:yahoo.com "U:siege.x@sbcglobal.net" "P:pAsSWoRd" "M:PLAIN LOGIN"
#AuthInfo: "U:siege.x@sbcglobal.net" "P:pAsSWoRd" "M:PLAIN"
# our entry, using the hosted account from the scenario above
AuthInfo:mail.electromech.info "U:dimple@electromech.info" "P:XXXX" "M:PLAIN LOGIN"
After editing it, regenerate the map (with makemap, or make in /etc/mail as for the other maps below) and keep both authinfo and authinfo.db mode 0600, since they hold the password in clear.
/etc/aliases (& /etc/aliases.db)
Contains aliases for e-mail addresses. For example, it allows you to send mail destined for user 'daemon' to 'root'.
Only local names may be aliased.
Example /etc/aliases:
daemon: root # Messages sent to user daemon are redirected to root
root: steve # Messages sent to root are redirected to steve
webmaster: steve bob sue # Messages sent to webmaster are redirected to steve, bob and sue
steve@foo.com: bob # This entry is invalid unless the local host name is foo.com
# or foo.com is listed in /etc/mail/local-host-names
After editing /etc/aliases, you must regenerate /etc/aliases.db with the newaliases command.
/etc/mail/access (& /etc/mail/access.db)
Controls which hosts are allowed to use sendmail.
localhost.localdomain RELAY #
localhost RELAY ### These 3 permit the localhost to relay
127.0.0.1 RELAY #
10.22 REJECT # Reject mail from any host with an IP that starts with 10.22
nobody@ REJECT # Rejects any mail addressed to user 'nobody' regardless
# of the domain it's sent to.
foo.com OK # Accept mail from foo.com (not for relaying) even
# if other rules might reject it
bar.com REJECT # Reject all mail from bar.com and send message to sender
foobar.com DISCARD # Like REJECT, except sender doesn't receive a message
# The following sends the specified RFC error code back to the sender along with the
# message specified after it.
someone.com 550 We don't accept your mail.
After editing /etc/mail/access, you must regenerate /etc/mail/access.db by going into /etc/mail and typing make.
/etc/mail/mailertable (& /etc/mail/mailertable.db)
Useful for overriding DNS or if DNS isn't available.
Allows you to perform domain translation.
Can specify the deliver agent.
foo.net smtp:bar.net # Forward mail addressed to foo.net to bar.net
foobar.net smtp:[192.168.1.20] # Forward mail addressed to foobar.net to the host at 192.168.1.20 (the brackets skip the MX lookup)
Regenerate /etc/mail/mailertable.db by going to /etc/mail and typing make.
/etc/mail/virtusertable (& /etc/mail/virtusertable.db)
Allows you to map multiple virtual domains and users to other addresses.
webmaster@foo.com steve # Mail sent to webmaster@foo.com is redirected to local user steve
postmaster@bar.com steve@foo.com # Mail sent to postmaster@bar.com is redirected to steve@foo.com
@somedomain.com joe@foo.com # Mail addressed to _any_ user at somedomain.com is redirected
# to joe@foo.com
@foobar.com %1@bar.com # Mail addressed to a user at foobar.com is redirected to the same
# user at bar.com.
Regenerate /etc/mail/virtusertable.db by going to /etc/mail and typing make.
/etc/mail/domaintable (& /etc/mail/domaintable.db)
Allows an old domain to be mapped to a new one.
Example /etc/mail/domaintable:
NEED TO FIND MORE INFO ABOUT domaintable
/etc/mail/local-host-names
foo.com
electromech.info
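The access, mailertable and virtusertable sections above all end with "go to /etc/mail and type make". The following script, added here as an example and not part of the original guide, does that rebuild in one function and, before it, audits the access file for RELAY entries keyed by a host or domain name, which is the relay decision a remote party can influence through reverse DNS. It goes slightly beyond the file shown above in that it also understands the Connect: and To: tags of access_db. The access content in the block is a constructed copy of the file above; makemap and newaliases are the stock sendmail tools.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the RELAY entries in
# /etc/mail/access and rebuild the sendmail hash maps after editing.

# relay_audit ACCESSFILE
#   Prints each RELAY entry keyed by a host or domain name instead of an IP
#   address/prefix or localhost, and returns how many it found. Such an entry
#   is matched against the connecting client's reverse-DNS name, which the
#   remote side controls; IP prefixes and SMTP AUTH are the safer way to
#   grant relaying. "To:" entries (relay to that domain) are not trust
#   decisions about the client and are skipped; a "Connect:" tag is stripped.
relay_audit() {
    awk '
        BEGIN { n = 0 }
        /^[ \t]*#/ || NF == 0 { next }
        { key = $1; sub(/^Connect:/, "", key) }
        key ~ /^To:/ { next }
        $2 == "RELAY" && key !~ /^[0-9.:]+$/ && key !~ /^localhost(\.localdomain)?$/ {
            printf "name-keyed RELAY entry: %s\n", key
            n++
        }
        END { exit n }
    ' "$1"
}

# rebuild_sendmail_maps [DIR]
#   Equivalent of "make" in /etc/mail for the maps discussed above, plus the
#   aliases database. authinfo carries the hosted account password, so the
#   source file and its map are made readable by root only.
rebuild_sendmail_maps() {
    dir=${1:-/etc/mail}
    for m in access authinfo mailertable virtusertable domaintable; do
        [ -f "$dir/$m" ] || continue
        makemap hash "$dir/$m.db" < "$dir/$m" || return 1
    done
    if [ -f "$dir/authinfo" ]; then
        chmod 600 "$dir/authinfo" "$dir/authinfo.db" || return 1
    fi
    newaliases
}

# Stand-alone run against a constructed copy of the access file shown above;
# the one name-keyed entry (electromech.info) is reported.
demo=$(mktemp)
cat > "$demo" <<'EOF'
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
192.168.0 RELAY
electromech.info RELAY
student@ REJECT
EOF
relay_audit "$demo"; echo "name-keyed RELAY entries found: $?"
rm -f "$demo"
```

On the server, run relay_audit /etc/mail/access before rebuild_sendmail_maps; a non-zero return means at least one relay grant rests on a DNS name.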
For user authentication, /usr/lib/sasl2/Sendmail.conf should contain the following (edit it if it does not):
# cat /usr/lib/sasl2/Sendmail.conf
pwcheck_method:saslauthd
Run saslauthd with the shadow back end so that SMTP AUTH checks passwords against /etc/shadow (start it before sendmail and enable it at boot with chkconfig):
# saslauthd -a shadow
Creating the certificate for secured communication.
Let us create self-signed certificates for our mail server. The commands prompt for the certificate subject; give the mail server's name (mail.electromech.info in this setup) as the Common Name of sendmail.pem. The second command writes the private key and the certificate into the single sendmail.pem file that the sendmail.mc sample above points at, which is why its mode must be 0600.
# mkdir /etc/mail/certs
# cd /etc/mail/certs
# openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 1865
# openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 1460
# chmod 600 sendmail.pem
# openssl x509 -noout -text -in sendmail.pem
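A non-interactive version of the certificate steps, added as an example (not part of the original guide). Instead of two unrelated self-signed certificates it creates the private CA and has it sign the server certificate, so the cacert.pem named by confCACERT is really the issuer of sendmail.pem; it then writes the combined key+certificate sendmail.pem the sendmail.mc sample expects and checks file mode, chain and expiry. The lifetimes (1865 and 1460 days) and the /etc/mail/certs location follow the text above; the scratch directory used for the stand-alone run is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original guide: a non-interactive version of
# the certificate steps above. Instead of two unrelated self-signed certs it
# creates a private CA and has it sign the server certificate, then writes the
# key+cert sendmail.pem that the sendmail.mc sample expects, and checks the
# result. Subject names and lifetimes (1865/1460 days) follow the text above.

# make_mail_certs DIR HOSTNAME   (runs in a subshell so cd/umask stay local)
make_mail_certs() (
    dir=$1; cn=$2
    mkdir -p "$dir" && cd "$dir" || return 1
    umask 077                                   # keys are born private
    openssl req -new -x509 -nodes -days 1865 -subj "/CN=$cn CA" \
        -keyout cakey.pem -out cacert.pem >/dev/null 2>&1 || return 1
    openssl req -new -nodes -subj "/CN=$cn" \
        -keyout server.key -out server.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1460 -in server.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -out server.crt >/dev/null 2>&1 || return 1
    cat server.key server.crt > sendmail.pem    # single file: key then cert
    rm -f server.key server.csr server.crt
    chmod 600 sendmail.pem cakey.pem
    chmod 644 cacert.pem                        # public, clients may need it
)

# cert_check DIR -> 0 when sendmail.pem is private, chains to cacert.pem and
# is more than 30 days from expiry
cert_check() {
    dir=$1
    [ "$(stat -c %a "$dir/sendmail.pem")" = 600 ] || { echo "sendmail.pem must be 0600"; return 1; }
    tmp=$(mktemp)
    openssl x509 -in "$dir/sendmail.pem" -out "$tmp" 2>/dev/null   # certificate part only
    if ! openssl verify -CAfile "$dir/cacert.pem" "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; echo "sendmail.pem does not chain to cacert.pem"; return 1
    fi
    rm -f "$tmp"
    openssl x509 -in "$dir/sendmail.pem" -noout -checkend 2592000 >/dev/null \
        || { echo "certificate expires within 30 days"; return 1; }
    echo "OK: $dir/sendmail.pem"
}

# Stand-alone run in a scratch directory; set CERTDIR=/etc/mail/certs for real.
CERTDIR=${CERTDIR:-$(mktemp -d)}
make_mail_certs "$CERTDIR" mail.electromech.info && cert_check "$CERTDIR"
```

cert_check is also worth a monthly cron entry: the -checkend test turns a silently expiring certificate into a log line before clients start refusing STARTTLS.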
Fetchmail Sample file to download the mail.
sample file /root/.fetchmailrc
#set syslog
poll mail.electromech.info
user dimple@electromech.info
pass "XXXXXX"
is dimple here
keep
The permissions of .fetchmailrc should be 610 (fetchmail refuses to run if the file is more permissive than 0710, because it contains the password in clear):
# chmod 610 /root/.fetchmailrc
Without an "ssl" option in the poll entry the POP3 session to the hosted server, login included, is not encrypted; add it if the hosted server offers POP3 over SSL.
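Two files in this setup hold the hosted account's password: /root/.fetchmailrc and /etc/mail/authinfo. The script below, added here as an example and not part of the original guide, checks that each is no more permissive than it has to be (0710 is fetchmail's own limit, so the 610 above passes; authinfo is read only by sendmail as root, so 0600 is assumed for it) and warns when the poll entry lacks the ssl keyword. The .fetchmailrc content in the block is a constructed copy of the sample above.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks on the two files that
# hold the hosted account's password. fetchmail refuses a ~/.fetchmailrc that
# is more permissive than 0710 (so the 610 used above is fine), and
# /etc/mail/authinfo is read only by sendmail as root, so 0600 suits it.

# file_mode FILE -> octal permission bits (GNU/busybox stat)
file_mode() { stat -c %a "$1"; }

# mode_within MODE MAXMODE -> 0 when MODE grants no bit that MAXMODE lacks
mode_within() {
    m=$(printf '%d' "0$1"); x=$(printf '%d' "0$2")   # leading 0 = octal
    [ $(( m & ~x )) -eq 0 ]
}

# check_secret_file FILE MAXMODE -> 0 ok, 1 missing, 2 too permissive
check_secret_file() {
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    mode=$(file_mode "$1")
    if mode_within "$mode" "$2"; then
        echo "OK: $1 is mode $mode"
    else
        echo "TOO OPEN: $1 is mode $mode, want $2 or tighter"
        return 2
    fi
}

# fetchmailrc_uses_tls RCFILE -> 0 when the "ssl" keyword is present. Without
# it the POP3 session to the hosted server, login included, is not encrypted.
fetchmailrc_uses_tls() {
    grep -q -E '(^|[[:space:]])ssl([[:space:]]|$)' "$1"
}

# Stand-alone demonstration on a constructed copy of the .fetchmailrc above.
demo=$(mktemp)
printf 'poll mail.electromech.info\nuser dimple@electromech.info\npass "XXXXXX"\nis dimple here\nkeep\n' > "$demo"
chmod 644 "$demo"; check_secret_file "$demo" 710        # TOO OPEN
chmod 610 "$demo"; check_secret_file "$demo" 710        # OK
fetchmailrc_uses_tls "$demo" || echo "WARN: no ssl keyword in $demo"
rm -f "$demo"
```

On the server the real calls are check_secret_file /root/.fetchmailrc 710 and check_secret_file /etc/mail/authinfo 600 (plus the same for authinfo.db).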
Procmail for mail forwarders
Sample procmail recipes:
Sort all mail coming from the scuba-dive mailing list into the mail folder scubafile (uses the local lockfile scubafile.lock).
:0:
* ^TOscuba
scubafile
Forward all mail from peter about compilers to william (and keep a copy of it here in petcompil).
:0
* ^From.*peter
* ^Subject:.*compilers
{
:0 c
! william@somewhere.edu
:0
petcompil
}
A simple autoreply recipe. It makes sure that neither mail from any daemon (like bouncing mail or mail from mailing-lists), nor autoreplies coming from yourself will be autoreplied to. If this precaution would not be taken, disaster could result (‘ringing’ mail). In order for this recipe to autoreply to all the incoming mail, you should of course insert it before all other recipes in your rcfile. However, it is advisable to put it after any recipes that process the mails from subscribed mailinglists; it generally is not a good idea to generate autoreplies to mailinglists (yes, the !^FROM_DAEMON regexp should already catch those, but if the mailinglist doesn’t follow accepted conventions, this might not be enough).
:0 h c
* !^FROM_DAEMON
* !^X-Loop: your@own.mail.address
| (formail -r -I"Precedence: junk" \
-A"X-Loop: your@own.mail.address" ; \
echo "Mail received.") | $SENDMAIL -t
A more complicated autoreply recipe that implements the functional equivalent of the well known vacation(1) program. This recipe is based on the same principles as the last one (prevent ‘ringing’ mail). In addition to that however, it maintains a vacation database by extracting the name of the sender and inserting it in the vacation.cache file if the name was new (the vacation.cache file is maintained by formail which will make sure that it always contains the most recent names, the size of the file is limited to a maximum of approximately 8192 bytes).
If the name was new, an autoreply will be sent.
As you can see, the following recipe has comments between the conditions. This is allowed. Do not put comments on the same line as a condition though.
SHELL=/bin/sh # for other shells, this might need adjustment
:0 Whc: vacation.lock
# Perform a quick check to see if the mail was addressed to us
* $^To:.*\<$\LOGNAME\>
# Don’t reply to daemons and mailinglists
* !^FROM_DAEMON
# Mail loops are evil
* !^X-Loop: your@own.mail.address
| formail -rD 8192 vacation.cache
:0 ehc # if the name was not in the cache
| (formail -rI"Precedence: junk" \
-A"X-Loop: your@own.mail.address" ; \
echo "I received your mail,"; \
echo "but I won't be back until Monday."; \
echo "-- "; cat $HOME/.signature \
) | $SENDMAIL -oi -t
Installation of CLAMAV antivirus:
Download the antivirus software from :
http://rpmfind.net/linux/RPM/dag/redhat/el5/i386/CByName.html
http://apt.sw.be/redhat/el5/en/i386/dag/repodata/repoview/C.group.html
clamav-0.90.3-1.el5.rf.i386.rpm
clamav-db-0.90.3-1.el5.rf.i386.rpm
clamd-0.90.3-1.el5.rf.i386.rpm
Install the RPMs as below, then run freshclam once so that the signature database is current before the first scan:
# rpm -ivh clamav-0.90.3-1.el5.rf.i386.rpm
# rpm -ivh clamav-db-0.90.3-1.el5.rf.i386.rpm
# rpm -ivh clamd-0.90.3-1.el5.rf.i386.rpm
Mailscanner quick install notes :
This describes the steps necessary to install mailscanner on RHEL4
Download MailScanner-4.54.6-1.rpm.tar.gz from the site http://www.mailscanner.info/downloads.shtml
#tar zxvf MailScanner-4.54.6-1.rpm.tar.gz
#cd MailScanner-4.54.6-1
configuration: /etc/MailScanner/MailScanner.conf
notes:
The instance of sendmail which receives incoming mail queues it to /var/spool/mqueue.in. MailScanner uses /var/spool/MailScanner/incoming
Install sequence
1. Install a supported anti-virus package. ( Please refer the clamav installation guide )
2. Install mailscanner package, by running the "./install.sh" script contained in the distribution directory.
3. Adapt configuration to suit AV package. Edit /etc/MailScanner/MailScanner.conf and set the "Virus Scanners =" line to correspond with the installed AV package(s), eg
Virus Scanners = clamav
4. Adapt the AV wrapper to suit. If you have not installed the AV package in its default location, you may need to edit the file /etc/MailScanner/virus.scanners.conf to set the installation directory you used for your virus scanner.
5. Stop any old versions of MailScanner.
6. Stop and disable your original sendmail setup. To do this,
service sendmail stop
chkconfig sendmail off
chkconfig --level 2345 sendmail off
7. Enable and start your new MailScanner setup. To do this,
chkconfig MailScanner on
chkconfig --level 2345 MailScanner on
service MailScanner start
Edit /etc/MailScanner/MailScanner.conf and set the site identity lines (the shipped defaults are shown commented out above the values used here):
#%org-name% = yoursite
%org-name% = electromech
#%org-long-name% = Your Organisation Name Here
%org-long-name% = ElectroMech Corporation
%web-site% = www.electromech.com
INSTALLATION INSTRUCTIONS MAILWATCH
-------------------------
MailWatch for MailScanner is developed on RedHat 9 & RHEL 3.0, so these docs will reflect this and I will make note on anything that will be required to run on other distro's or operating systems.
BEFORE YOU START
You must have a working MailScanner set-up and have running copies of MySQL, Apache, PHP (with MySQL and GD support) and for MailScanner to be able to use a database you need Perl DBD and DBD-MySQL.
SUPPORT
Please use the mailing-list mailwatch-users@lists.sourceforge.net or the forums on Sourceforge. Note that you will get faster support from me if you use the mailing-list.
NOTES FOR OTHER OPERATING SYSTEMS/LINUX DISTRO'S
PHP should have the following set in php.ini (possibly others too....)
short_open_tag = On
safe_mode = Off
register_globals = Off
magic_quotes_gpc = On
magic_quotes_runtime = Off
session.auto_start = 0
INSTALLATION
All commands below should be run as root.
Create the database
-------------------
# mysql < create.sql
NOTE: you will need to modify the above as necessary for your system if you have a root password for your MySQL database (recommended!) - RH9 is blank by default.
Create a MySQL user and password & set up MailScanner for SQL logging
---------------------------------------------------------------------
# mysql
mysql> GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY '<password>';
mysql> GRANT FILE ON *.* TO mailwatch@localhost IDENTIFIED BY '<password>';
mysql> FLUSH PRIVILEGES;
Edit MailWatch.pm and change the $db_user and $db_pass values accordingly and move MailWatch.pm to /usr/lib/MailScanner/MailScanner/CustomFunctions (this could be /opt/MailScanner/lib/MailScanner/MailScanner/CustomFunctions on non-RPM systems).
Create a MailWatch web user
---------------------------
# mysql mailscanner -u mailwatch -p
Enter password: ******
Either of the following INSERT statements creates the web user; the first names the columns explicitly and uses the test values mailscanner / redhat, which you should replace with your own:
mysql> desc users;
mysql> insert into users(username, password, fullname, type) values('mailscanner',md5('redhat'),'mailwatch','A');
mysql> INSERT INTO users VALUES ('<username>',md5('<password>'),'<name>','A');
Install & configure MailWatch
-----------------------------
- Move the mailscanner directory to the web server's root.
# mv mailscanner /var/www/html/
- Check the permissions of /var/www/html/mailscanner/images and /var/www/html/mailscanner/images/cache - they should be ug+rwx and owned by root and in the same group as the web server user (apache on RedHat 9). From /var/www/html/mailscanner:
# chown root:apache images
# chmod ug+rwx images
# chown root:apache images/cache
# chmod ug+rwx images/cache
- Create conf.php by copying conf.php.example and edit the values to suit, you will need to set DB_USER and DB_PASS to the MySQL user and password that you created earlier.
Note that MailWatch 1.0 can use the quarantine more effectively when used with MailScanner version 4.43 or later as Julian added some code for me to keep track of messages quarantined by using a flag in the maillog table. This means that MailWatch 1.0 is *much* faster when you have a large quarantine directory. The new quarantine report requires the use of the new functionality - so you must upgrade if you want to run this.
The new quarantine flag is not used by default - if you have MailScanner version 4.43 or later, you can activate the new functionality by setting QUARANTINE_USE_FLAG to true in conf.php - if you do this, you must disable the clean.quarantine script supplied by MailScanner and use the new quarantine_maint.php script in the tools directory instead.
To clean the quarantine - set 'QUARANTINE_DAYS_TO_KEEP' in conf.php and run './quarantine_maint.php --clean'. This should then be run daily from cron.
# cp conf.php.example conf.php
Set up MailScanner
------------------
- Stop MailScanner
# service MailScanner stop
Next edit /etc/MailScanner/MailScanner.conf - make sure that the following options are set:
Always Looked Up Last = &MailWatchLogging
Detailed Spam Report = yes
Quarantine Whole Message = yes
Quarantine Whole Message As Queue Files = no
Include Scores In SpamAssassin Report = yes
Quarantine User = root
Quarantine Group = apache (this should be the same group as your web server)
Quarantine Permissions = 0660
Spam Actions and High Scoring Spam Actions should also have 'store' as one of the keywords if you want to quarantine items for learning/viewing in MailWatch.
If you want to use the integrated Blacklist/Whitelist (optional):
Copy SQLBlackWhiteList.pm to /usr/lib/MailScanner/MailScanner/CustomFunctions and in MailScanner.conf set:
Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist
Then edit SQLBlackWhiteList.pm and change the connection string in the CreateList subroutine to match MailWatch.pm.
- Move the Bayesian Databases and set-up permissions (skip this if you don't use bayes).
Edit /etc/MailScanner/spam.assassin.prefs.conf and set:
bayes_path /etc/MailScanner/bayes/bayes
bayes_file_mode 0660
Create the 'new' bayes directory, make the directory owned by the same group as the web server user and make the directory setgid:
# mkdir /etc/MailScanner/bayes
# chown root:apache /etc/MailScanner/bayes
# chmod g+rws /etc/MailScanner/bayes
Copy the existing bayes databases and set the permissions:
# cp /root/.spamassassin/bayes_* /etc/MailScanner/bayes
# chown root:apache /etc/MailScanner/bayes/bayes_*
# chmod g+rw /etc/MailScanner/bayes/bayes_*
Test SpamAssassin to make sure that it is using the new databases correctly:
# spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
and you should see something like:
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: bayes: 28821 tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks
debug: bayes: 28821 tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_seen
debug: bayes: found bayes db version 2
debug: Score set 3 chosen.
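The setgid step in the procedure above is what lets the web server's group reach files that MailScanner, running as root, creates in the bayes directory later on. As an added example that is not from the MailWatch INSTALL text, here is a shell version of that step which also verifies the result: the directory must be setgid with no access for "other", and a file created inside it must come out with the directory's group. The group name apache comes from the text; the chown is skipped when the script is not run as root or the group does not exist, and the scratch location for the stand-alone run is an assumption.

```shell
#!/bin/sh
# Added example, not from the MailWatch INSTALL text: build the shared bayes
# directory and verify that the setgid bit makes new files inherit the web
# server's group. The group name "apache" comes from the text; the chown is
# skipped when not running as root or when the group does not exist.

# make_shared_dir DIR GROUP -> rwxrws--- directory, root:GROUP where possible
make_shared_dir() {
    mkdir -p "$1" || return 1
    if [ "$(id -u)" = 0 ] && getent group "$2" >/dev/null 2>&1; then
        chown "root:$2" "$1" || return 1
    fi
    chmod 2770 "$1"                      # g+rws plus no access for "other"
}

# dir_is_shared DIR -> 0 when DIR is setgid and "other" has no access at all
dir_is_shared() {
    [ -d "$1" ] && [ -g "$1" ] || return 1
    case $(stat -c %a "$1") in
        *0) return 0 ;;
    esac
    return 1
}

# inherits_group DIR -> 0 when a file created in DIR gets DIR's group, which
# is what the setgid bit guarantees regardless of the creating user's group
inherits_group() {
    probe=$1/.probe.$$
    : > "$probe" || return 1
    dgrp=$(stat -c %g "$1"); fgrp=$(stat -c %g "$probe")
    rm -f "$probe"
    [ "$dgrp" = "$fgrp" ]
}

# Stand-alone run in a scratch location (use /etc/MailScanner/bayes for real)
BAYES=${BAYES:-$(mktemp -d)/bayes}
make_shared_dir "$BAYES" apache
dir_is_shared "$BAYES" && inherits_group "$BAYES" \
    && echo "OK: $BAYES is shared with group $(stat -c %G "$BAYES")"
```

After copying the bayes_* files in, dir_is_shared /etc/MailScanner/bayes is a quick way to confirm the directory still has the bits the spamassassin --lint run above depends on.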
- Start MailScanner up again.
# service MailScanner start && tail -f /var/log/maillog
You should see something like:
Jun 13 12:18:23 hoshi MailScanner[26388]: MailScanner E-Mail Virus Scanner version 4.20-3 starting...
Jun 13 12:18:24 hoshi MailScanner[26388]: Config: calling custom init function MailWatchLogging
Jun 13 12:18:24 hoshi MailScanner[26388]: Initialising database connection
Jun 13 12:18:24 hoshi MailScanner[26388]: Finished initialising database connection
Congratulations - you now have MailScanner logging to MySQL.
Test the MailWatch interface
----------------------------
Point your browser to http://<hostname>/mailscanner/ - you should be prompted for a username and password - enter the details of the MailWatch web user that you created earlier, and you should see a list of the last 50 messages processed by MailScanner.
- Update the SpamAssassin Rules table
MailWatch keeps a list of all the SpamAssassin rules and descriptions which are displayed on the 'Message Detail' page - to show the descriptions, you need to run the updater every time you add new rules or upgrade SpamAssassin.
Click on the 'Other' menu and select 'Update SpamAssassin Rule Descriptions' and click 'Run Now'.
- Update the GeoIP database
Click on the 'Other' menu and select 'Update GeoIP database' and click 'Run Now'.
- Setup the Mail Queue watcher (optional)
You can get MailWatch to watch and display your sendmail queue directories - all you need to do is copy mailq.php (from the root of the mailwatch tarball - not from the mailscanner directory - they are different!) to /usr/local/bin and set-up a cron-job to run it.
Edit mailq.php first to change the require line to point to the location of functions.php, then:
# cp mailq.php /usr/local/bin
# crontab -e
0-59 * * * * /usr/local/bin/mailq.php
Note: mailq.php re-creates all entries on each run, so for busy sites you will probably want to change this to run every 5 minutes or greater.
- Setup the Sendmail Relay Log watcher (optional)
You can get MailWatch to watch your sendmail logs and store all message relay information which is then displayed on the 'Message Detail' page which helps debugging and makes it easy for a Helpdesk to actually see where a message was delivered to by the MTA and what the response back was (e.g. the remote queue id etc.).
# cp tools/sendmail_relay.php /usr/local/bin
# nohup /usr/local/bin/sendmail_relay.php > /dev/null 2>&1 &