Deploying CentOS 7 with Postfix, MailScanner, SpamAssassin, ClamAV as SMTP gateway

In this blog we will look into building an SMTP scanner gateway based on Postfix, MailScanner, SpamAssassin and ClamAV. In this example we have CentOS 7 minimal deployed on the internal network. The perimeter firewall is set up with NAT translating public IP port 25 to the internal MailScanner gateway 192.168.0.5. The internal mail server itself can run any MTA, for example Postfix or Exchange, and is assigned IP 192.168.0.23. The internal domain name will be toys.com. MailScanner will be set up to scan outgoing and incoming messages for spam and malware. We will also set up Webmin for easy system maintenance and configuration.

Basic system configuration

First we will start by removing firewalld and installing iptables. We will then open the correct ports. Next we will disable SELinux and do a complete update. These steps are not necessary, and you can configure SELinux and the firewall to work with this configuration, but to make deployment quicker we will not use these features for now.

#systemctl mask firewalld
#systemctl stop firewalld
#yum -y install iptables-services
#systemctl enable iptables
#systemctl start iptables
#iptables -I INPUT -p tcp --dport 25 -j ACCEPT
#iptables -I INPUT -p tcp --dport 10000 -j ACCEPT      #webmin web interface
#service iptables save

Disable SELinux by editing /etc/selinux/config and changing the SELINUX directive from enforcing to disabled. You will need to restart the system after that.

#yum update -y

Postfix configuration with relay maps

Now let's edit /etc/postfix/main.cf and make the following configuration changes.

# make sure the other inet_interfaces lines are disabled - see below
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost

relay_domains = toys.com
# uncomment this line
mynetworks_style = host
# add this to only accept messages for relay from your trusted IP addresses, in this case your internal SMTP server
mynetworks = 192.168.0.23

Add this to the end of /etc/postfix/main.cf:

transport_maps = hash:/etc/postfix/transport

Edit /etc/postfix/transport

# relay map
toys.com       smtp:[192.168.0.23]

#postmap /etc/postfix/transport
#systemctl restart postfix

Install MailScanner

#yum install perl unzip gcc patch rpm-build cpp  perl-DBI perl-MIME-tools perl-DBD-SQLite binutils glibc-devel perl-Filesys-Df zlib zlib-devel automake perl-devel

Download MailScanner-4.84.6-1.rpm.tar.gz to the /opt directory or any other directory where you want to install your software.

#tar xvf MailScanner-4.84.6-1.rpm.tar.gz
#cd MailScanner-4.84.6-1
#./install.sh

Install Spamassassin

#yum install spamassassin
#sa-update  #update SpamAssassin
#service spamassassin start
#chkconfig spamassassin on


Install ClamAV

#rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
#yum install clamav
#freshclam

Configuration

#mkdir /var/spool/MailScanner/spamassassin
#chown postfix /var/spool/MailScanner/spamassassin
#chown postfix /var/spool/MailScanner/incoming/*
#chkconfig postfix off
#systemctl disable postfix.service
#systemctl stop postfix.service
#vim /etc/postfix/main.cf

Add the line below at the bottom:

header_checks = regexp:/etc/postfix/header_checks

#vim /etc/postfix/header_checks

Add the line below:

/^Received:/ HOLD

#vim /etc/MailScanner/MailScanner.conf

Make the changes below:

Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

Change ownership of some directories and files:

#chown postfix:postfix /var/spool/MailScanner/incoming
#chown postfix:postfix /var/spool/MailScanner/quarantine
#chown postfix /var/spool/MailScanner/spamassassin
#chown postfix /var/spool/MailScanner/incoming/*

Start MailScanner

#MailScanner -lint   #check configuration - make sure there are no errors
#service MailScanner restart
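
The main.cf edits made earlier can be checked in the same spirit before mail flows. As an added example (not part of the original post), the function below flags trailing "#" comments on parameter lines, which Postfix reads as part of the value, reports any of the four parameters set in this guide that are missing, and warns if mynetworks covers 0.0.0.0/0. The name audit_main_cf and the finding labels are assumptions made for this example; the sample main.cf is constructed.

```shell
#!/bin/sh
# Added example: audit a Postfix main.cf for the gateway settings used in this guide.
# Prints one finding per line; returns 0 when clean, 1 when there are findings.
audit_main_cf() {
    findings=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment line or blank line
        /^[ \t]/ {                                 # continuation of previous parameter
            if (name != "") val[name] = val[name] " " $0
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[name] = v                          # last definition wins, as in Postfix
        }
        END {
            # Postfix has no trailing comments: text after the value is part of the value.
            for (n in val) if (index(val[n], "#") > 0) print "INLINE_COMMENT " n
            # Parameters the gateway setup in this guide depends on.
            split("relay_domains mynetworks transport_maps header_checks", req, " ")
            for (i = 1; i <= 4; i++) if (!(req[i] in val)) print "MISSING " req[i]
            # Relay must be limited to trusted hosts, never the whole Internet.
            if (val["mynetworks"] ~ /(^|[ ,])0\.0\.0\.0\/0/) print "OPEN_RELAY mynetworks"
        }' "$1" | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input: one line carries a trailing comment, header_checks is absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
inet_interfaces = all
relay_domains = toys.com
mynetworks = 192.168.0.23  #internal SMTP server
transport_maps = hash:/etc/postfix/transport
EOF
audit_main_cf "$sample" || true
rm -f "$sample"
```

On the gateway, call audit_main_cf /etc/postfix/main.cf; postconf -n shows the values Postfix itself parsed.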

Install webmin

This step is also optional, but it makes configuring and maintaining your server or VM much quicker.

Edit /etc/yum.repos.d/webmin.repo and add the following:

[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1

#rpm --import http://www.webmin.com/jcameron-key.asc
#yum check-update
#yum install webmin -y
#chkconfig webmin on
#service webmin start

Optional Debug configuration

In case you run into any issues, this will help you isolate any potential errors or problems.

#vim /etc/MailScanner/MailScanner.conf

Change these directives to debug any potential problems:

Debug = yes
Debug SpamAssassin = yes

#check_MailScanner

Make sure messages are coming in, or it will sit at "Building a message batch to scan".

Many more configuration options are available, but this is one of the basic setups to get started.