How to deploy ASSP Spam Gateway with Postfix MTA on CentOS 6.4

In this tutorial we show how to install and configure the ASSP spam gateway with Postfix as the MTA on CentOS 6.4. The system acts as a spam gateway that scans incoming and outgoing email for spam and viruses.

In this tutorial we disable SELinux. This is not a requirement, but additional configuration is needed if you want to keep it enabled.

vi /etc/selinux/config

change to SELINUX=disabled

Incoming and outgoing mail flow
a. Internet mail coming in.
1. Internet email arrives on port 25 on the ASSP server, where ASSP is listening.
2. ASSP forwards the email to Postfix on port 225 on the same server.
3. Postfix on the ASSP server relays the email to the internal mail server on port 25.
b. Outgoing mail.
1. Email is generated on the internal mail server.
2. It is forwarded to port 25 on the ASSP server.
3. The ASSP server scans the email for spam and viruses and forwards it to Postfix on the same server on port 225.
4. Postfix relays the email out to the internet based on local routing maps.
c. On the ASSP server the final domains are set as local, which means ASSP relays email for these domains to the local Postfix, which relays it to the internal mail server based on local transport maps:
domain-test1.com, domain-test2.com, domain-test3.com

d. On the ASSP server, Postfix is set to relay email from the internal mail server to the outside.
The internal mail server is set to forward all email to the ASSP server.

Add RPMForge and Remi repositories:

yum install wget
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
rpm -Uvh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
vi /etc/yum.repos.d/rpmforge.repo

Change "enabled=1" to "enabled=0" (0 means off, 1 means on).

 

Install necessary Perl modules:

To see which Perl modules are available from the repositories, you can use these commands:
yum list available 'perl*'
yum --enablerepo=rpmforge list available 'perl'
We recommend installing the following modules, which work for most deployments:

yum install perl-File-Scan-ClamAV.noarch perl-IO-Compress-Zlib.x86_64 perl-Text-Glob.noarch perl-Number-Compare.noarch perl-Convert-TNEF.noarch perl-Digest-SHA1.x86_64 perl-Email-MIME-Modifier.noarch perl-Email-Send.noarch perl-Email-Valid.noarch perl-File-ReadBackwards.noarch perl-MIME-Types.noarch perl-Mail-DKIM.noarch perl-Mail-SPF-Query.noarch perl-Mail-SPF.noarch perl-Mail-SRS.noarch perl-Net-CIDR-Lite.noarch perl-Net-DNS.x86_64 perl-Net-IP-Match-Regexp.noarch perl-Net-SMTP-Multipart.noarch perl-Net-SMTP-SSL.noarch perl-Net-SMTP-TLS.noarch perl-Net-SMTP_auth.noarch perl-Net-SenderBase.noarch perl-Tie-DBI.noarch perl-Time-HiRes.x86_64 perl-Crypt-CBC.noarch perl-Crypt-OpenSSL-AES.x86_64 perl-IO-Socket-SSL.noarch perl-Sys-MemInfo.x86_64 perl-Schedule-Cron-Events.noarch perl-LWP-Authen-Negotiate.noarch

Install and start ClamAV:

yum install clamd
chkconfig clamd on
service clamd start

Download and Install ASSP:

wget -O ASSP_2.3.3_13187_install.zip "http://sourceforge.net/projects/assp/files/latest/download?source=dlp/ASSP_2.3.3_13187_install.zip"
unzip ASSP_2.3.3_13187_install.zip
mkdir -p /usr/share/assp
mv -f assp/* /usr/share/assp

Now we create the startup script:

vi /etc/init.d/assp

#!/bin/bash
# Init script for the ASSP spam gateway

. /etc/init.d/functions

# Start the ASSP service
start() {
    echo -n "Starting ASSP server: "
    cd /usr/share/assp || exit 1
    # Send both stdout and stderr to /dev/null and run in the background
    perl assp.pl > /dev/null 2>&1 &
    ### Create the lock file ###
    touch /var/lock/subsys/ASSP
    success $"ASSP server startup"
    echo
}

# Stop the ASSP service
stop() {
    echo -n "Stopping ASSP server: "
    # Kill the running assp.pl process, if there is one
    pkill -9 -f "perl assp.pl"
    ### Now, delete the lock file ###
    rm -f /var/lock/subsys/ASSP
    success $"ASSP server shutdown"
    echo
}

### main logic ###
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status ASSP
        ;;
    restart|reload|condrestart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|status}"
        exit 1
        ;;
esac
exit 0

chmod +x /etc/init.d/assp

Postfix configuration:

Change postfix port to 225

1. vi /etc/postfix/master.cf

Find this line:

smtp      inet  n       -       n       -       -       smtpd

and change it to:

225       inet  n       -       n       -       -       smtpd

2. Test to make sure Postfix listens on port 225

netstat -tanp|grep 225

3. vi /etc/postfix/main.cf

# enable this so all interfaces can connect
inet_interfaces = all

Make sure all the other inet_interfaces lines are disabled (commented out).
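A fuller version of the netstat check above, added here as an example and not part of the original tutorial: it confirms that ASSP holds port 25 and Postfix holds port 225, and points out when 225 is bound to a non-loopback address. The sample lines are constructed, and the program names "perl" and "master" in the netstat output are assumptions about how the two daemons appear.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# check_listeners reads `netstat -tanp` output on stdin and checks the port
# layout this guide sets up: ASSP on 25, Postfix on 225.
# Assumption: netstat shows ASSP as "perl" and the Postfix listener as "master".
check_listeners() {
    awk '
        $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]      # last field, so :::25 also works
            addr = substr($4, 1, length($4) - length(port) - 1)
            split($7, p, "/"); prog = p[2]          # "1892/perl" -> "perl"
            if (port == "25")  owner25 = prog
            if (port == "225") { owner225 = prog; addr225 = addr }
        }
        END {
            rc = 0
            if (owner25 != "perl") {
                print "FAIL: port 25 is held by \"" owner25 "\", expected perl (ASSP)"; rc = 1
            }
            if (owner225 != "master") {
                print "FAIL: port 225 is held by \"" owner225 "\", expected master (Postfix)"; rc = 1
            } else if (addr225 != "127.0.0.1" && addr225 != "::1") {
                print "WARN: port 225 listens on " addr225 "; mail delivered straight to it skips ASSP"
            }
            if (rc == 0) print "OK: ASSP on 25, Postfix on 225"
            exit rc
        }'
}

# Constructed sample output (not captured from a real host).
# Expected layout after following the guide:
SAMPLE_GOOD='tcp   0   0 0.0.0.0:25    0.0.0.0:*   LISTEN   1892/perl
tcp   0   0 0.0.0.0:225   0.0.0.0:*   LISTEN   2011/master
tcp   0   0 0.0.0.0:22    0.0.0.0:*   LISTEN   1210/sshd'
# Postfix still on port 25 because master.cf was not changed, ASSP not running:
SAMPLE_BAD='tcp   0   0 0.0.0.0:25    0.0.0.0:*   LISTEN   2011/master'

printf '%s\n' "$SAMPLE_GOOD" | check_listeners || true
printf '%s\n' "$SAMPLE_BAD"  | check_listeners || true
```

On the gateway itself, feed it live data with `netstat -tanp | check_listeners`.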

Postfix Transport maps configuration:

 
For the purpose of this tutorial we assume that test1-dom.com, test2-dom.com and test3-dom.com are internal domains, meaning that users with addresses in these domains are located on the internal mail server. In our case that server is simply Postfix with Roundcube as the mail client.

1. vim /etc/postfix/transport
2. Add this to the file:

# internalhost.domain.com is your internal mail server
test1-dom.com       smtp:[internalhost.domain.com]
# if this domain is on a different mail server you can specify it here
test2-dom.com       smtp:[internalhost.domain.com]
test3-dom.com       smtp:[internalhost.domain.com]

3. generate the transport map

postmap /etc/postfix/transport

4. add this to the end of /etc/postfix/main.cf

transport_maps = hash:/etc/postfix/transport
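Postfix lookup tables treat a line as a comment only when `#` is its first non-blank character, so text placed after a value is stored as part of that value. The lint below is an added example, not part of the original tutorial; it checks a transport table for that case, for next hops not written as smtp:[host], and for duplicate keys, using constructed samples built from this guide's placeholder names.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# lint_transport reads a Postfix transport table on stdin and reports entries
# that postmap would accept but that will not route as this guide intends.
lint_transport() {
    awk '
        function err(msg) { print "line " NR ": " msg; bad++ }
        /^[ \t]*(#|$)/ { next }     # only whole-line comments and blanks are skipped
        /^[ \t]/ { err("starts with whitespace, so Postfix joins it to the previous line"); next }
        {
            key = $1
            rhs = $0
            sub(/^[^ \t]+[ \t]*/, "", rhs)      # drop the key
            sub(/[ \t]+$/, "", rhs)             # drop trailing blanks
            if (rhs ~ /#/)
                err("text after # is not a comment, it is stored in the result for " key)
            else if (rhs !~ /^smtp:\[[A-Za-z0-9.-]+\](:[0-9]+)?$/)
                err("expected smtp:[host] for " key ", got \"" rhs "\"")
            if (key in seen)
                err("duplicate key " key ", first defined on line " seen[key])
            else
                seen[key] = NR
        }
        END { exit (bad > 0) }'
}

# Constructed samples using the placeholder names from this guide.
# Trailing comment, missing brackets and a repeated domain:
TRANSPORT_INLINE='test1-dom.com   smtp:[internalhost.domain.com]   # internal mail server
test2-dom.com   smtp:internalhost.domain.com
test1-dom.com   smtp:[internalhost.domain.com]'
# Comments on their own lines:
TRANSPORT_CLEAN='# internal mail server
test1-dom.com   smtp:[internalhost.domain.com]
test2-dom.com   smtp:[internalhost.domain.com]
test3-dom.com   smtp:[internalhost.domain.com]'

printf '%s\n' "$TRANSPORT_INLINE" | lint_transport || true
printf '%s\n' "$TRANSPORT_CLEAN"  | lint_transport && echo "transport table looks clean"
```

On the gateway, run `lint_transport < /etc/postfix/transport` before postmap; afterwards `postmap -q test1-dom.com hash:/etc/postfix/transport` prints the result Postfix will actually use for that domain.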

 

After deployment we suggest the following course of action:

1. Let the system run in this mode for one week.
2. During this time, monitor the spam and notspam folders for emails that are wrongly marked as spam and for spam emails that get through. Move them to the appropriate folders.

The best way to do this is to go to /usr/share/assp/notspam and move any spam messages to the /usr/share/assp/spam folder. If you are in /usr/share/assp/notspam, use:

cp "message" ../spam

or use the full path:

cp "message" /usr/share/assp/spam

3. After one week you can run a new database update and turn off test mode.
4. Designate specific mailboxes for each domain where all spam will be sent.

This is a practical guide and comes without warranty of any kind!