Apr 18 2005, 03:31 AM
Post
#1
Its GNU/Linuxhelp.net Group: Support Specialist Posts: 1,420 Joined: 3-January 04 From: Serbia and Montenegro (SCG) Member No.: 2,069
-----------------------------------READ THIS----------------------------------------------

CHANGE MYCOMPANY.HOSTING TO YOUR REAL DOMAIN NAME, AND USE THAT EVERYWHERE INSTEAD OF MYCOMPANY.HOSTING. FOR EXAMPLE, IF YOUR DOMAIN NAME IS BIGCOMPANY.COM YOU WILL USE BIGCOMPANY.COM EVERYWHERE IN THIS GUIDE INSTEAD OF MYCOMPANY.HOSTING!!!!

!!! READ THIS !!!

IF YOU USED BIGCOMPANY.COM FOR FQDN (MAIL.BIGCOMPANY.COM), YOU CANNOT USE THE SAME DOMAIN NAME FOR VIRTUAL DOMAINS, SINCE POSTFIX WILL NOT WORK. THIS IS A CRITICAL ERROR I MADE IN THIS GUIDE, SORRY.

If you already set up the system, and postfix is complaining about mydestination and virtual domain, then do the following to correct the problem (no need to reinstall):

- stop all services (postfix, openldap...)
- delete all files under /var/lib/ldap
- change all the names from bigcompany.com (example) to bigcompany.org (example)
- also change /etc/hosts (use an editor to change bigcompany.com to bigcompany.org) and /etc/sysconfig/network

Basically all you have to do is go through this guide again, and change all the domain names mycompany.hosting to something else ... if you used abmas.com for it, then you'll change it to (for example, but you can USE whatever you like) abmaz.biz, and that will solve all the problems, just make sure you change EVERYTHING.

-------------------------------------------------------------------------------------------
CHANGES :
-------------------------------------------------------------------------------------------

1. Correction at PART VI :

error :

```
DocumentRoot "/home/webpage/squirrelmail"
<Directory "/home/webpage/squirrelmail">
```

correction :

```
DocumentRoot "/home/webpage/webmail"
<Directory "/home/webpage/webmail">
```

2. Correction at PART I.

error : /etc/openldap/slapd.conf

```
access to dn.regex=".*,jdv=([^,]+),o=hosting,dc=mycompany,dc=hosting"
```

correction :

```
access to dn.regex=".*,jvd=([^,]+),o=hosting,dc=mycompany,dc=hosting"
```

3. Correction at PART IX

forgot to mention :

```
yum install mod_ssl
```

4. Correction at PART VII

error :

```
jamm.ldap.search.base = o=hosting,dc=mycompany,dc=hosting
jamm.ldap.root.dn = cn=Manager,dc=mycompany,dc=hosting
```

correction :

```
jamm.ldap.search_base = o=hosting,dc=mycompany,dc=hosting
jamm.ldap.root_dn = cn=Manager,dc=mycompany,dc=hosting
```

5. Correction at PART V

Forgot to add

```
chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine
```

-------------------------------------------------------------------------------------------

Special thanx to ethan for helping me out, thank you

-------------------------------------------------------------------------------------------

Hello everyone,

...this one is going to be a...

CentOS 4.0 : Postfix + MailScanner(ClamAV+Spamassassin)+LDAP+Dovecot+Cyrus-SASL+TomCat+Jamm+Squirrelmail(MySQL)+Virtual Domain Hosting e-mail server guide

note: due to the fact that I wanted to keep this as simple as possible, you won't find too much explanation here of what a certain option does, for that you can check the following three places :

- http://wanderingbarque.com/howtos/mailserv...mailserver.html
- http://jamm.sourceforge.net/howto/single-h...mailserver.html
- http://www.linuxhelp.ca/forums/index.php?a...=ST&f=15&t=3647

My guide is based on these three + I added some slight modifications to it.

So let's begin.

-----------------------------------------------------------------------------------------------
PART I.
Installing the operating system, and configuring OpenLDAP for mailer.mycompany.hosting
-----------------------------------------------------------------------------------------------

Download the CentOS 4.0 distro for your architecture from www.centos.org. Install CentOS 4.0 using the minimal install option.

note : if you only want to set up an e-mail server using CentOS 4.0 and this guide, all you need to download is CD1, no other CD is necessary in order to complete this guide.

a.) insert CD1 into your CD drive and wait for the CentOS logo to show up, press [ENTER]
b.) at the Installation Type choose Custom
c.) Automatically partition
d.) Network Configuration

```
eth0:
ip address : 192.168.11.10
netmask : 255.255.255.0
hostname : mailer.mycompany.hosting
gateway : 192.168.11.250
primary dns : 192.168.11.250
```

select No firewall (you might need to enable this, if you are not behind a firewall, and configure it properly)

Enable SELinux? : Disabled

enter the root password when prompted, and after that go down on the list and select minimal installation and click next.

Once the installation is completed, login as root. And do the following :

```
cd /home
wget http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-4
rpm --import RPM-GPG-KEY-CentOS-4
yum update
yum install openldap-servers openldap-clients
```

Update all packages that need updating. Then install Midnight Commander.

```
yum install mc
```

Download JAMM from http://jamm.sourceforge.net/ (you are going to love this)

```
wget http://belnet.dl.sourceforge.net/sourceforge/jamm/jamm-0.9.6-bin.tar.gz
tar -zxvf jamm-0.9.6-bin.tar.gz
slappasswd
New password:
Re-enter new password:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

What you get here you shall type in to the /etc/openldap/slapd.conf as rootpw

Copy jamm.schema from the /home/jamm-0.9.6 directory to /etc/openldap/schema/

Edit the file /etc/openldap/ldap.conf adding/modifying only the following parts

```
BASE dc=mycompany,dc=hosting
```

Then edit the file /etc/openldap/slapd.conf

```
include /etc/openldap/schema/jamm.schema

password-hash {CRYPT}

database ldbm
suffix "dc=mycompany,dc=hosting"
rootdn "cn=Manager,dc=mycompany,dc=hosting"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

access to dn.regex=".*,jvd=([^,]+),o=hosting,dc=mycompany,dc=hosting" attr=userPassword
    by self write
    by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=mycompany,dc=hosting" write
    by dn="cn=dovecot,dc=mycompany,dc=hosting" read
    by anonymous auth
    by * none

access to dn.regex=".*,jvd=([^,]+),o=hosting,dc=mycompany,dc=hosting"
    by self write
    by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=mycompany,dc=hosting" write
    by * read

access to * by * read
```

```
cd /etc/openldap
vi base.ldif
```

```
dn: dc=mycompany, dc=hosting
objectClass: top
objectClass: domain
domainComponent: mycompany

dn: cn=Manager, dc=mycompany, dc=hosting
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: o=hosting, dc=mycompany, dc=hosting
objectClass: top
objectClass: organization
o: hosting

dn: cn=dovecot, dc=mycompany, dc=hosting
objectClass: top
objectClass: organizationalPerson
cn: dovecot
sn: dovecot
```

delete all files in /var/lib/ldap/

```
/etc/init.d/ldap start
ldapadd -x -D "cn=Manager,dc=mycompany,dc=hosting" -W -f base.ldif
ldappasswd -x -W -S -D "cn=Manager,dc=mycompany,dc=hosting" "cn=dovecot,dc=mycompany,dc=hosting"
```
yyyyyyyyyyyyyyyyyyyyyyyyy

-----------------------------------------------------------------------------------------------
PART II. Installing Postfix and configuring it with OpenLDAP
-----------------------------------------------------------------------------------------------

```
yum install postfix
yum remove sendmail
```

```
adduser vmail
```

check the user's uid gid under /etc/passwd and use that uid gid in postfix main.cf

/etc/passwd

for example : vmail:x:500:500::/home/vmail:/sbin/nologin

500:500 is the one that is interesting to us

under /etc/postfix create the following files

ldap-accounts

```
server_host = localhost
server_port = 389
search_base = o=hosting,dc=mycompany,dc=hosting
query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
result_attribute = mailbox
bind = no
```

ldap-accountsmap

```
server_host = localhost
server_port = 389
search_base = o=hosting,dc=mycompany,dc=hosting
query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
result_attribute = mail
bind = no
```

ldap-aliases

```
server_host = localhost
server_port = 389
search_base = o=hosting,dc=mycompany,dc=hosting
query_filter = (&(objectClass=JammMailAlias)(mail=%s)(accountActive=TRUE))
result_attribute = maildrop
bind = no
```

ldap-domains

```
server_host = localhost
server_port = 389
search_base = o=hosting,dc=mycompany,dc=hosting
query_filter = (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
result_attribute = jvd
bind = no
scope = one
```

/etc/postfix/header_checks

```
/^Received:/ HOLD
```

/etc/postfix/main.cf

```
header_checks = regexp:/etc/postfix/header_checks
myhostname = mailer.mycompany.hosting
mydomain = mycompany.hosting
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, $mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = host
relay_domains = $mydestination
mail_spool_directory = /var/spool/mail
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination, permit
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtp_sasl_auth_enable = no
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/mycompany.key
smtpd_tls_cert_file = /etc/postfix/mycompany.crt
smtpd_tls_CAfile = /etc/postfix/mycompany.ca
message_size_limit = 10485760
mailbox_size_limit = 104857600
virtual_alias_maps = ldap:/etc/postfix/ldap-accountsmap, ldap:/etc/postfix/ldap-aliases
virtual_transport = virtual
virtual_mailbox_base = /home/vmail/domains
virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts
virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains
virtual_minimum_uid = 500
virtual_uid_maps = static:500
virtual_gid_maps = static:500
```

/usr/share/ssl/misc

modify CA

```
-newcert)
    # create a certificate
    $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Certificate (and private key) is in newreq.pem"
    ;;
-newreq)
    # create a certificate request
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
```

/usr/share/ssl/openssl.cnf

```
...
[ CA_default ]
dir = ./demoCA # Where everything is kept
...
default_days = 3650 # How long to certify for
...
[ req_distinguished_name ]
countryName = Country Name (code)
countryName_default = CS
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Vojvodina

localityName = Locality Name (eg, city)
localityName_default = Backa Topola

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Mycompany Hosting

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Virtual Domain Hosting

commonName = Common Name (eg, your name or your server's hostname)
# (Very Important, in order to keep mail clients and other user agents from complaining, this name must
# match exactly the name that the user will be entering into their client settings. Whether that be
# domain.extension or mail.domain.extension or what. It must be a valid DNS name pointing at your
# server.
commonName_default = mailer.mycompany.hosting
commonName_max = 64

emailAddress = Email Address
emailAddress_default = postmaster@mycompany.hosting
emailAddress_max = 64
```

```
/usr/share/ssl/misc/CA -newca
/usr/share/ssl/misc/CA -newreq
/usr/share/ssl/misc/CA -sign
```

/etc/newreq.pem

only lines BEGIN RSA PRIVATE KEY till END RSA PRIVATE KEY are needed

- rename newreq.pem to mycompany.key
- rename newcert.pem to mycompany.crt
- rename cacert.pem to mycompany.ca

and then copy the renamed files to /etc/postfix (like this)

- /etc/postfix/mycompany.key
- /etc/postfix/mycompany.crt
- /etc/postfix/mycompany.ca

-----------------------------------------------------------------------------------------------
PART III.
Installing CYRUS-SASL and configuring it with OpenLDAP
-----------------------------------------------------------------------------------------------

/usr/lib/sasl2/smtpd.conf

```
pwcheck_method: saslauthd
mech_list: login plain
```

/etc/sysconfig/saslauthd

```
MECH=ldap
```

/etc/saslauthd.conf

```
ldap_servers: ldap://127.0.0.1
ldap_search_base: o=hosting,dc=mycompany,dc=hosting
ldap_filter: (&(objectClass=JammMailAccount)(mail=%u@%r)(accountActive=TRUE)(delete=FALSE))
```

-----------------------------------------------------------------------------------------------
PART IV. Installing Dovecot and configuring it with OpenLDAP
-----------------------------------------------------------------------------------------------

```
cd /home
wget http://dag.wieers.com/packages/dovecot/dovecot-0.99.13-1.2.el4.test.i386.rpm
yum install mysql postgresql-libs
rpm -Uvh dovecot*
```

/etc/dovecot.conf

```
protocols = imap imaps pop3 pop3s
ssl_disable = no
disable_plaintext_auth = no
first_valid_uid = 500
last_valid_uid = 500
first_valid_gid = 500
last_valid_gid = 500
default_mail_env = maildir:/home/vmail/domains/%d/%n
auth = default
auth_mechanisms = plain
auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = ldap /etc/dovecot-ldap.conf
auth_user = root
```

/etc/dovecot-ldap.conf

```
hosts = localhost
dn = cn=dovecot,dc=mycompany,dc=hosting
dnpass = yyyyyyyyyyyyyyyyyyyyyyyyy
ldap_version = 3
base = o=hosting,dc=mycompany,dc=hosting
deref = never
scope = subtree
user_attrs = mail,homeDirectory,,,,
user_filter = (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
pass_attrs = mail,userPassword
pass_filter = (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
default_pass_scheme = CRYPT
user_global_uid = 500
user_global_gid = 500
```

-----------------------------------------------------------------------------------------------
PART V.
Installing Mailscanner (Clamav+Spamassassin)
-----------------------------------------------------------------------------------------------

```
yum install spamassassin sendmail-devel bzip2-devel gmp-devel zlib-devel autoconf automake rpm-build rpm-devel gcc perl-CPAN curl-devel
```

```
cd /home
wget http://crash.fce.vutbr.cz/crash-hat/2/clamav/clamav-0.83-1.src.rpm
rpmbuild --rebuild clamav-0.83-1.src.rpm
cd /usr/src/redhat/RPMS/i386
rpm -Uvh clamav-0.83-1.i386.rpm clamav-devel-0.83-1.i386.rpm
cpan
```

accept all the settings till you get to the mirror, there choose the closest mirror

```
install Parse::RecDescent
install Inline
install Mail::ClamAV
```

```
cd /home
wget http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.40.5-1.rpm.tar.gz
tar -xvzf MailScanner-4.40.5-1.rpm.tar.gz
cd MailScanner-4.40.5-1
export LANG=C; ./install.sh
```

modify /etc/MailScanner/MailScanner.conf

```
%org-name% = mycompany.hosting
%org-long-name% = MyCompany Hosting
%web-site% = www.mycompany.com
Run As User = postfix
Run As Group = postfix
MTA = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
File Timeout = 120
Maximum Archive Depth = 20
Virus Scanners = clamavmodule
Monitors for ClamAV Updates = /var/lib/clamav/*.cvd
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Spam List = ORDB-RBL SBL+XBL SORBS-DNSBL CBL RSL DSBL spamcop
Allow IFrame Tags = yes
Allow Script Tags = yes
Allow Object Codebase Tags = yes
Convert Dangerous HTML To Text = no
Minimum Stars If On Spam List = 3
Spam Lists To Reach High Score = 3
Sign Clean Messages = yes
Spam Actions = deliver
High Scoring Spam Actions = deliver
```

```
mkdir /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine
```

modify /etc/MailScanner/virus.scanners.conf

```
clamav /usr/lib/MailScanner/clamav-wrapper /usr
```

modify /etc/MailScanner/filename.rules.conf

```
allow .[a-z][a-z0-9]{2,3}s*.[a-z0-9]{3}$ Found possible filename hiding
allow s{10,0} Filename contains lots of white space
allow {[a-hA-H0-9-]{25,}} Filename trying to hide its real type
allow .exe$ Windows/DOS Executable
allow .bmp$ Windows bitmap file security vulnerability
```

modify /etc/MailScanner/filetype.rules.conf

```
allow self-extract - -
allow ELF - -
allow executable - -
```

```
cd /home
wget http://dag.wieers.com/packages/unrar/unrar-3.4.3-1.2.el4.rf.i386.rpm
rpm -Uvh unrar-3.4.3-1.2.el4.rf.i386.rpm
```

--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz 2048MB DDR 400Mhz DFI Lanparty UT4 NF4 ULTRA-D GeForce 7800GT 250GB+250GB Pioneer DVD-RW 17inch Samsung Syncmaster 757NF WinXP Pro (SP2)/ CentOS 4.3
--------------------
May 18 2005, 06:30 AM
Post
#2
--------------------------------------------------------------
PART VII. Installing TOMCAT 4.x and configuring it (very basic)
--------------------------------------------------------------

Download http://java.sun.com/j2se/1.4.2/download.html Java 2 SDK from that website.

```
cd /home
./j2sdk-1.2.4.rpm.bin
```

it will extract an rpm file from this one

```
rpm -Uvh j2sdk-1_4_2_07-i586.rpm
```

add to the end of /etc/profile

```
export JAVA_HOME=/usr/java/j2sdk1.4.2_07
export PATH=$JAVA_HOME/bin:$PATH:$HOME/bin:/sbin:/usr/sbin
```

```
wget http://linux.cs.lewisu.edu/apache/jakarta/tomcat-4/v4.1.31/bin/jakarta-tomcat-4.1.31.tar.gz
```

(this is about 7.68 MB)

```
tar -xvzf jakarta-tomcat-4.1.31.tar.gz
```

then copy the contents of jakarta-tomcat-4.1.31 to /usr/local/tomcat

extract /home/jamm/jamm-0.9.6.war (pressing ENTER on it while in Midnight Commander) and copy it to /usr/local/tomcat/webapps/jamm

extract jamm cleaner from jamm directory to /home/jammCleaner

```
vi jammcleanerhelper

/home/jammCleaner/bin/jammCleaner -b "o=hosting,dc=mycompany,dc=hosting" -D "cn=Manager,dc=mycompany,dc=hosting" -w xxxxxxxxxxxxxxxxxxx -y
```

```
vi /home/job

10 * * * * /home/jammcleanerhelper

crontab /home/job
cd /usr/local/tomcat/webapps/jamm/WEB-INF
```

using MC F6 rename jamm.properties.dist to jamm.properties

modify the file /usr/local/tomcat/webapps/jamm/WEB-INF/jamm.properties

```
jamm.ldap.search_base = o=hosting,dc=mycompany,dc=hosting
jamm.ldap.root_dn = cn=Manager,dc=mycompany,dc=hosting
```

add to the file /etc/rc.d/rc.local

```
export JAVA_HOME=/usr/java/j2sdk1.4.2_07
export PATH=$JAVA_HOME/bin:$PATH:$HOME/bin:/sbin:/usr/sbin
/usr/local/tomcat/bin/startup.sh
```

--------------------------------------------------------------
PART VIII. Adding MYSQL support to Squirrelmail
--------------------------------------------------------------

```
yum install php-devel
```

modify /etc/php.ini

```
include_path = ".:/php/includes:/usr/share/pear"
```

```
yum install php-mysql mysql mod_auth_mysql mysql-server
chkconfig mysqld on
/etc/init.d/mysqld start
```

```
mysqladmin create squirrelmail

GRANT select,insert,update,delete ON squirrelmail.* TO squirreluser@localhost IDENTIFIED BY 'sqpassword';

use squirrelmail

CREATE TABLE address (
  owner varchar(128) DEFAULT '' NOT NULL,
  nickname varchar(16) DEFAULT '' NOT NULL,
  firstname varchar(128) DEFAULT '' NOT NULL,
  lastname varchar(128) DEFAULT '' NOT NULL,
  email varchar(128) DEFAULT '' NOT NULL,
  label varchar(255),
  PRIMARY KEY (owner,nickname),
  KEY firstname (firstname,lastname)
);

CREATE TABLE userprefs (
  user varchar(128) DEFAULT '' NOT NULL,
  prefkey varchar(64) DEFAULT '' NOT NULL,
  prefval BLOB DEFAULT '' NOT NULL,
  PRIMARY KEY (user,prefkey)
);

Quit
```

```
cd /home/webpage/webmail/config
./conf.pl
```

In the menu, select Database, then select DSN for Address Book. Enter your string, mine is this:

```
mysql://squirreluser:sqpassword@localhost/squirrelmail
```

Now pick DSN for Preferences and enter the same thing again. (Remember, the format is mysql://user:password@host/database)

Restart the webserver with the command:

```
/etc/init.d/httpd restart
```

--------------------------------------------------------------
PART IX. Securing the webmail, automatically rewriting url for webmail access to https
--------------------------------------------------------------

```
yum install mod_ssl
```

modify/add to file /etc/httpd/conf/httpd.conf

```
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/webmail(.*)$ https://192.168.11.10/webmail/$1 [L,R]
```

modify/add to file /etc/httpd/conf.d/ssl.conf

```
<Directory "/home/webpage/webmail/">
    Options +Indexes
    SSLOptions +StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    Order deny,allow
    Deny from all
    Satisfy any
</Directory>
```
May 18 2005, 01:55 PM
Post
#3
In order to access JAMM to add new users enter into your browser

```
http://ip_address_of_your_server:8080/jamm
```

username : root
password : the_one_you_used_for_rootpw (in /etc/openldap/slapd.conf)

Once you are done adding the user with JAMM, you MUST create the directories for that user on the linux box.

Access it via ssh

```
ssh ip_address_of_your_server
```

```
cd /home/vmail
mkdir domain_name/user_name
```

both domain_name and user_name directory must be rwxrwx--- vmail.vmail

use chown vmail.vmail to change owner of dir (example chown vmail.vmail domain_name)

use chmod 770 to change permission of dir (example chmod 770 domain_name)

Once this is done, the user will be able to receive e-mail.

To access the e-mail box via squirrelmail or an e-mail client you must enter the username and password like this (example)

username : someuser@somedomain.com
password : passwordforsomeuser

Sincerely
Robert B
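The directory step from the post above as a script, given here as an added example that is not part of the original post: it creates the domain and user directories with mode 770 and rejects addresses whose parts could point outside the mail directory. The function names and the optional owner argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Creates <base>/<domain>/<user> with mode 770 (rwxrwx---), as post #3 requires,
# after checking that neither part of the address can escape the base directory.
# Hypothetical names: valid_component, provision_mailbox.

# Accept only letters, digits, '.', '_' and '-'. The value must start with a
# letter or digit and must not contain "..". The body runs in a subshell so the
# LC_ALL assignment stays local to this check.
valid_component() (
    LC_ALL=C
    case "$1" in
        ""|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*|*..*) return 1 ;;
    esac
    return 0
)

# usage: provision_mailbox BASE ADDRESS [OWNER]
#   BASE    directory that holds the per-domain directories (post #3 uses
#           /home/vmail; main.cf in post #1 sets virtual_mailbox_base to
#           /home/vmail/domains)
#   ADDRESS the login created in JAMM, e.g. someuser@somedomain.com
#   OWNER   optional user:group passed to chown, e.g. vmail:vmail (needs root)
# Prints the created directory. Returns 0 on success, 2 for a rejected
# address, 3 for a missing base or a symlink in the way, 1 for other errors.
provision_mailbox() {
    pm_base=$1 pm_addr=$2 pm_owner=${3:-}

    case "$pm_addr" in
        *@*) ;;
        *) echo "not a mail address: $pm_addr" >&2; return 2 ;;
    esac
    pm_user=${pm_addr%@*}       # everything before the last @
    pm_domain=${pm_addr##*@}    # everything after the last @

    if ! valid_component "$pm_user" || ! valid_component "$pm_domain"; then
        echo "rejected address: $pm_addr" >&2
        return 2
    fi

    [ -d "$pm_base" ] || { echo "base directory missing: $pm_base" >&2; return 3; }

    pm_ddir=$pm_base/$pm_domain
    pm_udir=$pm_ddir/$pm_user
    # A symlink here would make chmod/chown act on some other directory.
    if [ -L "$pm_ddir" ] || [ -L "$pm_udir" ]; then
        echo "refusing to follow symlink under $pm_base" >&2
        return 3
    fi

    mkdir -p -- "$pm_udir" || return 1
    # mkdir honours umask, so set the mode explicitly on both levels.
    chmod 770 -- "$pm_ddir" "$pm_udir" || return 1
    if [ -n "$pm_owner" ]; then
        chown -- "$pm_owner" "$pm_ddir" "$pm_udir" || return 1
    fi
    echo "$pm_udir"
}

# When called as a script:  ./provision.sh /home/vmail someuser@somedomain.com vmail:vmail
if [ "$#" -ge 2 ]; then
    provision_mailbox "$@"
fi
```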
Feb 15 2006, 11:31 AM
Post
#4
Hi,

when you update to latest cyrus-sasl, it will work no more with my current setup... so you must do this, modify your /etc/init.d/saslauthd

```
MECH=shadow
FLAGS="-O /etc/saslauthd.conf -r -n 0"
```

see saslauthd --help for options, the most important thing is about -r here.

/etc/sysconfig/saslauthd

```
MECH=ldap
```

Also, if I forgot to tell, you can only use smtp through ssl, you have to config your mail client to use smtp with ssl.

Sincerely
Robert B
Feb 22 2006, 01:33 PM
Post
#5
Using Amavisd New instead of MailScanner (if you have problems with MailScanner like me)

```
rpm -e MailScanner
rm -rf /etc/MailScanner
rm -rf /var/spool/MailScanner
```

then add the following two lines to the end of your /etc/yum.repos.d/CentOS-Base.repo

```
[dag]
name=Dag RPM Repostory for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt

[kbs-CentOS-Misc]
name=CentOS.Karan.Org-EL$releasever - Stable
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
gpgcheck=1
enabled=1
baseurl=http://centos.karan.org/el$releasever/misc/stable/$basearch/RPMS/
```

then we install Amavisd New

```
yum install amavisd-new
yum install clamd
```

Then we configure /etc/amavisd.conf like this

```
$mydomain = 'yourdomainname.com';
$virus_admin = "postmaster@$mydomain";
$mailform_notify_admin = "postmaster@$mydomain";
$mailform_notify_recip = "postmaster@$mydomain";
$mailform_notify_spamadmin = "postmaster@$mydomain";
$mailform_to_quarantine = '';
$final_spam_destiny = D_DISCARD;

qr'.\.(vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'^\.(exe-ms)$', # banned file(1) types
# qr'^\.(lha|tnef)$', # banned file(1) types

['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
```

Only uncomment the above ClamAV-clamd lines, and make sure /var/run/clamav/clamd.sock is there instead of /var/run/clamav/clamd.

Configuring postfix

/etc/postfix/main.cf

remove the first line with

```
header_checks = regexp:/etc/postfix/header_checks
```

add this line at the end

```
content_filter = smtp-amavis:[127.0.0.1]:10024
```

/etc/postfix/master.cf

```
smtp-amavis unix - - n - 2 smtp
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
```

configure /etc/clamd.conf

```
LocalSocket /var/run/clamav/clamd.sock
# TCPSocket 3310
```

check if clamav is in group with amavis

```
groups clamav
```

should show clamav amavis

```
chkconfig clamd on
/etc/init.d/clamd start
freshclam -d -c 10
```

then we start amavis and postfix

```
chkconfig amavisd on
/etc/init.d/amavisd start
/etc/init.d/postfix start
```

This is it, now you have Amavis New instead of MailScanner

Sincerely
Robert B
Feb 28 2006, 04:34 PM
Post
#6
Using Rules Du Jour to get rid of even more spam, tested on live e-mail server, and it works really good. Noticeable.

```
cd /home
wget http://sandgnat.com/rdj/rules_du_jour
chmod 755 rules_du_jour
```

Using your favorite editor modify the following lines :

```
SA_DIR="/etc/mail/spamassassin";
MAIL_ADDRESS="root";
SA_RESTART="/etc/init.d/spamassassin restart";
```

for me I only modified the MAIL_ADDRESS, the other options were good, but check just in case.

Then create a directory in /etc

/etc/rulesdujour/

in here create the file config so it looks like this

/etc/rulesdujour/config

edit the config file and put the following into it

```
TRUSTED_RULESETS="TRIPWIRE ANTIDRUG SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 BLACKLIST BLACKLIST_URI RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_FRAUD_PRE25X SARE_BML SARE_BML_PRE25X SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HEADER_X264_X30 SARE_HEADER_X30 SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG SARE_HTML_PRE300 SARE_SPECIFIC SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2 SARE_OBFU3 SARE_REDIRECT SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3 SARE_GENLSUBJ_X30 SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI3 SARE_URI_ENG SARE_WHITELIST SARE_WHITELIST_PRE30"
```

Sincerely
Robert B
Mar 22 2006, 01:55 PM
Post
#7
ONLY DO THIS IF YOU HAVE PROBLEMS

Hello everyone,

In case you are getting :

```
postfix/smtpd[xxxx]: warning: dict_ldap_lookup: Search error -5: Timed out.
```

this will happen to you probably if you use a domain name with lots of aliases pointing to some other domain.

example mail for user1@domain.com goes to user1.domain2.com.

You need to do the following :

- /etc/postfix/ldap-accounts
- /etc/postfix/ldap-aliases
- /etc/postfix/ldap-accountsmap
- /etc/postfix/ldap-domains

add the following line to the end of the above four files.

```
timeout = 30
```

then edit /etc/postfix/main.cf (only add proxy: in front of the following files)

```
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-accountsmap,proxy:ldap:/etc/postfix/ldap-aliases
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-domains
```

then restart postfix

```
/etc/init.d/postfix restart
```

Sincerely
Robert Becskei
Mar 23 2006, 04:22 PM
Post
#8
Installing MailGraph for postfix

First you need to download rrdtool :

```
yum install rrdtool perl-rrdtool
```

Then we need to install the following two perl modules via cpan

```
cpan
```

then type

```
install File::Tail
install Time::HiRes
quit
```

then we'll download mailgraph from here http://people.ee.ethz.ch/~dws/software/mailgraph/

```
cd /home
wget http://people.ee.ethz.ch/~dws/software/mailgraph/pub/mailgraph-1.12.tar.gz
tar zxvf mailgraph-1.12.tar.gz
rm -f mailgraph-1.12.tar.gz
```

then we copy the file mailgraph.pl to /usr/local/bin

```
cp mailgraph.pl /usr/local/bin
cp mailgraph.cgi /var/www/cgi-bin
cd /var/www/cgi-bin
chmod 755 mailgraph.cgi
```

then we create the directory for the rrd's

```
mkdir /var/lib/mailgraph
```

then we rename mailgraph-init to mailgraph

```
cd /home/mailgraph-1.12
mv mailgraph-init mailgraph
chmod 755 mailgraph
vi mailgraph
```

modify the following lines

```
RRD_DIR=/var/lib/mailgraph
MAILGRAPH_PL=/usr/local/bin/mailgraph.pl
MAIL_LOG=/var/log/maillog
```

then copy the file to /etc/init.d

```
cp mailgraph /etc/init.d
chkconfig --add mailgraph
chkconfig --list mailgraph
```

it should show that mailgraph is on for 2,3,4,5

(if it's not)

```
chkconfig mailgraph on
```

then we type

```
/etc/init.d/mailgraph start
```

and then we can access http://hostname/cgi-bin/mailgraph.cgi

Sincerely
Robert B
Jul 28 2006, 03:51 AM, Post #9
Catching some more spam

You need to modify your /etc/postfix/main.cf file (the following line)

    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client sbl-xbl.spamhaus.org,reject_rbl_client list.dsbl.org,reject_rbl_client combined.njabl.org,reject_rbl_client bl.spamcop.net,permit

we added

    reject_rbl_client sbl-xbl.spamhaus.org,reject_rbl_client list.dsbl.org,reject_rbl_client combined.njabl.org,reject_rbl_client bl.spamcop.net

Sincerely
Robert B
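Added example (not part of the original post): how a `reject_rbl_client` lookup is formed and how to sanity-check a DNSBL zone before trusting it in main.cf, using the RFC 5782 test entries. The zone names, the addresses and the `fake_resolve` resolver are constructed so the block runs offline; swap in a real DNS A-record lookup to test live zones.

```python
import ipaddress

def dnsbl_query_name(client_ip, zone):
    """DNS name looked up for client_ip in a DNSBL zone (RFC 5782 layout)."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")                   # four octets
    else:
        labels = list(ip.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def is_listed(client_ip, zone, resolve):
    """True when the zone returns any A record for the client. A bare
    reject_rbl_client (no =d.d.d.d filter) rejects in exactly that case."""
    return bool(resolve(dnsbl_query_name(client_ip, zone)))

def zone_health(zone, resolve):
    """RFC 5782: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    if is_listed("127.0.0.1", zone, resolve):
        return "lists-everything"    # would reject all inbound mail
    if not is_listed("127.0.0.2", zone, resolve):
        return "not-answering"       # in the config but blocks nothing
    return "ok"

def usable_zones(zones, resolve):
    """Keep only the zones that pass both test-entry checks."""
    return [z for z in zones if zone_health(z, resolve) == "ok"]

# Constructed resolver data: name -> A records ([] stands for NXDOMAIN).
FAKE_DNS = {
    "2.0.0.127.good.dnsbl.example": ["127.0.0.2"],
    "5.113.0.203.good.dnsbl.example": ["127.0.0.4"],
}

def fake_resolve(name):
    if name.endswith(".wildcard.dnsbl.example"):
        return ["127.0.0.2"]         # zone that answers for every name
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for zone in ("good.dnsbl.example", "wildcard.dnsbl.example",
                 "dead.dnsbl.example"):
        print(zone, zone_health(zone, fake_resolve))
```

A zone reported as `lists-everything` is the dangerous case for the line above, because every connecting client would then be rejected.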
Aug 17 2006, 03:51 PM, Post #10
Additional things to do in order to block spam mails:

/etc/postfix/main.cf add the following to this:

CODE

    smtpd_recipient_restrictions = reject_invalid_hostname,

insert the following 4 lines right below reject_invalid_hostname

CODE

    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain

Now we will install PostGrey which will help us in our war against spammers:

CODE

    yum install perl-IO-Multiplex perl-BerkeleyDB
    cd /home
    wget http://www.lfarkas.org/linux/packages/el4/i386/RPMS/postgrey-1.27-0.noarch.rpm
    rpm -Uvh postgrey*.rpm

now we type in the following line in main.cf right after reject_unauth_destination (in a new line)

CODE

    check_policy_service unix:/var/spool/postfix/postgrey/socket,

now we start postgrey service

CODE

    /etc/init.d/postgrey start
    chkconfig postgrey on

we also add the following ruleset by hand to /etc/mail/spamassassin/ directory, name it SURBL.cf. The contents of the file are:

CODE

    urirhssub URIBL_JP_SURBL multi.surbl.org A 64
    body URIBL_JP_SURBL eval:check_uridnsbl('URIBL_JP_SURBL')
    describe URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
    tflags URIBL_JP_SURBL net
    score URIBL_JP_SURBL 3.0

now we do a restart for spamassassin

CODE

    /etc/init.d/spamassassin restart

we will also use sa-update from now on, but in order to run it we need to install the following package:

CODE

    yum install perl-libwww-perl

after that we can run the following command manually or create a cron job for it.

CODE

    sa-update

or /home/job.cron

CODE

    21 4 * * * /usr/bin/sa-update

then add the job (or jobs)

CODE

    crontab /home/job.cron

Also edit /etc/mail/spamassassin/local.cf file

CODE

    bayes_auto_learn 1
    bayes_auto_learn_threshold_nonspam 0.1
    bayes_auto_learn_threshold_spam 5.0

What I do in addition by hand is, spam that is spam and still gets through, I go from mdir to mdir, and copy all the spam messages to one location, say /home/spam, then I do a

CODE

    sa-learn --spam /home/spam

I repeat, I've selected my SPAM messages by hand, those I know are 100% spam and still get through, don't you ever copy all your mails without looking here and marking them as spam.

Sincerely
Robert B

ps.: don't PANIC when seeing that all mails in /var/log/maillog are marked as NOQUEUE REJECTED!, because after 5 mins they will be able to pass, this behaviour is normal, for more information please read the documentation for PostGrey
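Added example (not part of the original posts): a check that `check_policy_service` and the final `permit` sit after `reject_unauth_destination`, as post #10 instructs. A policy service or a bare `permit` evaluated before the relay check can accept mail for foreign domains. The sample main.cf text is constructed from the lines in posts #9 and #10, and the position of entries the posts do not show is an assumption; the check also assumes relay control lives in `smtpd_recipient_restrictions`, as in this guide.

```python
import re

# Restrictions that are followed by one argument (a zone, table or endpoint).
ARG_PREFIXES = ("check_", "reject_rbl_", "reject_rhsbl_")

def read_restrictions(main_cf, name="smtpd_recipient_restrictions"):
    """Return the ordered restriction list of a main.cf parameter.
    Lines that start with whitespace continue the previous logical line."""
    logical = []
    for raw in main_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank or comment line
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    value = ""
    for line in logical:
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val                           # the last definition wins
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        if tokens[i].startswith(ARG_PREFIXES) and i + 1 < len(tokens):
            items.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            items.append(tokens[i])
            i += 1
    return items

def lint(items):
    """Flag a policy service or a bare permit placed before the relay check."""
    names = [item.split()[0] for item in items]
    if "reject_unauth_destination" not in names:
        return ["reject_unauth_destination is missing"]
    guard = names.index("reject_unauth_destination")
    return [f"{items[p]} comes before reject_unauth_destination"
            for p in range(guard)
            if names[p] in ("permit", "check_policy_service")]

# Constructed sample in the order the posts describe.
GOOD = """\
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_non_fqdn_sender,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    reject_rbl_client bl.spamcop.net,
    permit
"""
# Constructed mistake: the relay check moved below the policy service.
BAD = GOOD.replace("    reject_unauth_destination,\n", "").replace(
    "    permit\n", "    reject_unauth_destination,\n    permit\n")
```

To check a live system, pass the contents of /etc/postfix/main.cf to `read_restrictions` and review anything `lint` returns.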