Deploy MailScanner CentOS 7 and postfix

We are setting up Centos 7 running MailScanner with postfix as mail gateway accepting mail for domain aaa.com, bbb.com, ccc.com and relaying mail for any SMTP server located on 102.168.0.0/24 subnet or from 192.168.2.2.

Firewall and system requirements

CentOS 7 minimal install
Inbound – tcp port 25
Outbound – tcp ports 2703, 7, udp port 24441, 6207, 53

Configure postfix

#systemctl enable postfix
#systemctl start postfix

Edit /etc/postfix/main.cf

Below is configuration for domain aaa.com bbb.com ccc.com

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.0.0/24, 192.168.2.2
########################################
#      RELAY DOMAINS                   #
########################################
relay_domains = aaa.com,bbb.com,ccc.com
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
message_size_limit = 40960000
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
transport_maps = hash:/etc/postfix/transport

Edit /etc/postfix/transport
replace x.x.x.x with ip address of your internal mail server. If domains are being routed for external delivery replace it with SMTP server of next hop mail relay.

aaa.com        smtp:[x.x.x.x]
bbb.com	       smtp:[x.x.x.x]
ccc.com	       smtp:[x.x.x.x]

Apply transport configuration

#postmap transport 

Install MailScanner

Download MailScanner-4.85.2-3.rpm.tar.gz from Mailscanner download

Choose Red Hat /CentOS since we installing it on CentOS 7

Unpack it and run install.sh script

#tar zxf MailScanner-4.85.2-3.rpm.tar.gz 
#cd MailScanner-4.85.2-3
#./install.sh 

In the Postfix configuration file /etc/postfix/main.cf add this line at the end of file

header_checks = regexp:/etc/postfix/header_checks

In the file /etc/postfix/header_checks add this line
This will tell Postfix to move all messages to the HOLD queue

/^Received:/ HOLD

Configure MailScanner and Postfix

 

Edit /etc/MailScanner/MailScanner.conf and make the following adjustments

Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Make sure user postfix has write permissions to MailScanner folder

#cd /var/spool
#chown -R postfix.postfix MailScanner

Start MailScanner

#/etc/init.d/MailScanner restart

We should now have working MailScanner gateway

Note:
In some cases you need to do the following to get mailscanner to work

#mkdir /var/spool/MailScanner/spamassassin
#chown postfix.postfix /var/spool/MailScanner/spamassassin

In some cases you will want to setup chroot for postfix. In this case following script can be executed

#! /bin/sh
# LINUX2 - shell script to set up a Postfix chroot jail for Linux
# Tested on SuSE Linux 5.3 (libc5) and 7.0 (glibc2.1)
# Other testers reported as working:
#
# 2001-01-15 Debian sid (unstable)
# Christian Kurz 
# Copyright (c) 2000 - 2001 by Matthias Andree
# Redistributable unter the MIT-style license that follows:
# Abstract: "do whatever you want except hold somebody liable or change
# the copyright information".
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
# 2000-09-29
# v0.1: initial release
# 2000-12-05
# v0.2: copy libdb.* for libnss_db.so
# remove /etc/localtime in case it's a broken symlink
# restrict find to maxdepth 1 (faster)
# Revision 1.4 2001/01/15 09:36:35 emma
# add note it was successfully tested on Debian sid
#
# 20060101 /lib64 support by Keith Owens.
#
CP="cp -p"
cond_copy() {
# find files as per pattern in $1
# if any, copy to directory $2
dir=`dirname "$1"`
pat=`basename "$1"`
lr=`find "$dir" -maxdepth 1 -name "$pat"`
if test ! -d "$2" ; then exit 1 ; fi
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi
}
set -e
umask 022
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
cd ${POSTFIX_DIR}
mkdir -p etc lib usr/lib/zoneinfo
test -d /lib64 && mkdir -p lib64
# find localtime (SuSE 5.3 does not have /etc/localtime)
lt=/etc/localtime
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi
rm -f etc/localtime
# copy localtime and some other system files into the chroot's etc
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc
ln -s -f /etc/localtime usr/lib/zoneinfo
# copy required libraries into the chroot
cond_copy '/lib/libnss_*.so*' lib
cond_copy '/lib/libresolv.so*' lib
cond_copy '/lib/libdb.so*' lib
if test -d /lib64; then
cond_copy '/lib64/libnss_*.so*' lib64
cond_copy '/lib64/libresolv.so*' lib64
cond_copy '/lib64/libdb.so*' lib64
fi
postfix reload