Deploying CentOS 7 with postfix, MailScanner, spamassassin, ClamAV as SMTP gateway
In this blog we will look into building an SMTP scanner gateway based on Postfix, MailScanner, spamassassin and clamav. In this example we have CentOS 7 minimal deployed on the internal network. The perimeter firewall is set up with NAT translating public IP port 25 to the internal mailscanner gateway 192.168.0.5. The internal mail server itself can run any MTA, for example postfix or Exchange, and is assigned IP 192.168.0.23. The internal domain name will be toys.com. Mailscanner will be set up to scan outgoing and incoming messages for spam and malware. We will also set up webmin for easy system maintenance and configuration.
Basic system configuration
First we will start by removing firewalld and installing iptables. We will then open the correct ports. Next we will disable selinux and do a complete update. These steps are not necessary and you can configure selinux and the firewall to work with this configuration, but to make deployment quicker we will not use these features for now.
#systemctl mask firewalld
#systemctl stop firewalld
#yum -y install iptables-services
#systemctl enable iptables
#systemctl start iptables
#iptables -I INPUT -p tcp --dport 25 -j ACCEPT
#iptables -I INPUT -p tcp --dport 10000 -j ACCEPT    # webmin web interface
#service iptables save
Disable selinux by editing /etc/selinux/config and changing the SELINUX directive from enforcing to disabled; you will need to restart the system after that.
#yum update -y
Postfix configuration with relay maps
Now let's edit /etc/postfix/main.cf and make the following configuration changes.
inet_interfaces = all
# make sure the other ones are disabled - see below
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost
relay_domains = toys.com
# uncomment
mynetworks_style = host
# add this to only accept messages for relay from your trusted IP addresses, in this case your internal SMTP server
mynetworks = 192.168.0.23
add this to the end of /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
Edit /etc/postfix/transport
toys.com smtp:[192.168.0.23]    # relay map
#postmap /etc/postfix/transport
#systemctl restart postfix
Install MailScanner
#yum install perl unzip gcc patch rpm-build cpp perl-DBI perl-MIME-tools perl-DBD-SQLite binutils glibc-devel perl-Filesys-Df zlib zlib-devel automake perl-devel
Download MailScanner-4.84.6-1.rpm.tar.gz to the /opt directory or any other directory where you want to install your software.
#tar xvf MailScanner-4.84.6-1.rpm.tar.gz
#cd MailScanner-4.84.6-1
#./install.sh
Install Spamassassin
#yum install spamassassin
#sa-update    # update spamassassin rules
#service spamassassin start
#chkconfig spamassassin on
Install ClamAV
#rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
#yum install clamav
#freshclam
Configuration
#mkdir /var/spool/MailScanner/spamassassin
#chown postfix /var/spool/MailScanner/spamassassin
#chown postfix /var/spool/MailScanner/incoming/*
#chkconfig postfix off
#systemctl disable postfix.service
#systemctl stop postfix.service
#vim /etc/postfix/main.cf
Add line below at the bottom
header_checks = regexp:/etc/postfix/header_checks
#vim /etc/postfix/header_checks
Add line below
/^Received:/ HOLD
vim /etc/MailScanner/MailScanner.conf
Make changes below
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Change permissions on some directories and files
#chown postfix.postfix /var/spool/MailScanner/incoming
#chown postfix.postfix /var/spool/MailScanner/quarantine
#chown postfix /var/spool/MailScanner/spamassassin
#chown postfix /var/spool/MailScanner/incoming/*
Start MailScanner
#MailScanner -lint    # check configuration - make sure there are no errors
#service MailScanner restart
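As an added pre-flight check (this is not from the original post or from the MailScanner project), the following POSIX shell script audits the Postfix and MailScanner settings made in the sections above before MailScanner -lint is run: it confirms that relaying is restricted to the internal mail server (the setting that keeps the gateway from being an open relay), that the transport map and the header_checks HOLD rule are in place so mail actually passes through MailScanner, and that MailScanner reads from the hold queue and writes to the incoming queue as the postfix user. It runs against a constructed copy of the files under a temporary directory so it can be tried offline; the sample values (toys.com, 192.168.0.23) are the ones used in this post, and the directory layout under the root passed to check_gateway_config is an assumption of this example (pass / to audit a live system).

```shell
#!/bin/sh
# Added example, not part of the original post: audit the gateway settings
# configured above. All helper names and the sample tree are this example's own.

# Print the value of a "key = value" directive from a Postfix or MailScanner
# style config file. Commented-out lines are ignored; keys may contain spaces.
conf_get() {
    # $1 = file, $2 = key (e.g. "Run As User")
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return 0 if the relay and scanner settings match the design in this post,
# otherwise print one line per failed check and return 1.
check_gateway_config() {
    root="$1"; rc=0
    main="$root/etc/postfix/main.cf"
    ms="$root/etc/MailScanner/MailScanner.conf"

    [ "$(conf_get "$main" inet_interfaces)" = "all" ] \
        || { echo "inet_interfaces must be 'all' to accept mail forwarded by the firewall NAT"; rc=1; }
    [ "$(conf_get "$main" relay_domains)" = "toys.com" ] \
        || { echo "relay_domains should list only the internal domain"; rc=1; }
    # An explicit mynetworks overrides mynetworks_style; it must name only the internal server.
    [ "$(conf_get "$main" mynetworks)" = "192.168.0.23" ] \
        || { echo "mynetworks must contain only the internal mail server (open relay risk)"; rc=1; }
    [ "$(conf_get "$main" transport_maps)" = "hash:/etc/postfix/transport" ] \
        || { echo "transport_maps is missing: inbound mail cannot be routed to 192.168.0.23"; rc=1; }
    [ "$(conf_get "$main" header_checks)" = "regexp:/etc/postfix/header_checks" ] \
        || { echo "header_checks is missing: mail would bypass MailScanner"; rc=1; }
    grep -q -F 'toys.com smtp:[192.168.0.23]' "$root/etc/postfix/transport" \
        || { echo "transport map has no entry for toys.com"; rc=1; }
    grep -q -F '/^Received:/ HOLD' "$root/etc/postfix/header_checks" \
        || { echo "header_checks does not HOLD incoming mail for MailScanner"; rc=1; }
    [ "$(conf_get "$ms" "Run As User")" = "postfix" ] \
        || { echo "MailScanner must run as the postfix user"; rc=1; }
    [ "$(conf_get "$ms" "Incoming Queue Dir")" = "/var/spool/postfix/hold" ] \
        || { echo "MailScanner must read from the postfix hold queue"; rc=1; }
    [ "$(conf_get "$ms" "Outgoing Queue Dir")" = "/var/spool/postfix/incoming" ] \
        || { echo "MailScanner must hand scanned mail back to the incoming queue"; rc=1; }
    [ "$(conf_get "$ms" MTA)" = "postfix" ] \
        || { echo "MailScanner MTA must be postfix"; rc=1; }
    return $rc
}

# Constructed sample tree mirroring the files edited in this post.
make_sample_tree() {
    mkdir -p "$1/etc/postfix" "$1/etc/MailScanner"
    cat > "$1/etc/postfix/main.cf" <<'EOF'
inet_interfaces = all
#inet_interfaces = localhost
relay_domains = toys.com
mynetworks_style = host
mynetworks = 192.168.0.23
transport_maps = hash:/etc/postfix/transport
header_checks = regexp:/etc/postfix/header_checks
EOF
    printf 'toys.com smtp:[192.168.0.23]\n' > "$1/etc/postfix/transport"
    printf '/^Received:/ HOLD\n' > "$1/etc/postfix/header_checks"
    cat > "$1/etc/MailScanner/MailScanner.conf" <<'EOF'
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
EOF
}

# The same tree with the common mistake of leaving mynetworks unset, which
# lets Postfix fall back to its default trusted networks.
make_open_relay_tree() {
    make_sample_tree "$1"
    grep -v '^mynetworks' "$1/etc/postfix/main.cf" > "$1/etc/postfix/main.cf.tmp" \
        && mv "$1/etc/postfix/main.cf.tmp" "$1/etc/postfix/main.cf"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp/good"
make_open_relay_tree "$tmp/bad"
check_gateway_config "$tmp/good" && echo "good tree: all checks passed"
check_gateway_config "$tmp/bad" || echo "bad tree: problems found (expected)"
rm -rf "$tmp"
```

The checks are deliberately strict string comparisons: on a gateway with one relay domain and one trusted upstream there is no reason for these values to vary, and a drift in mynetworks is exactly the change that turns the box into an open relay.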
Install webmin
This step is also optional but it makes configuring and maintaining your server or vm much quicker.
Edit /etc/yum.repos.d/webmin.repo and add the following:
[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1
Then import the signing key and install:
#rpm --import http://www.webmin.com/jcameron-key.asc
#yum check-update
#yum install webmin -y
#chkconfig webmin on
#service webmin start
Optional Debug configuration
In case you run into any issues, this will help you isolate potential errors or problems.
#vim /etc/MailScanner/MailScanner.conf    # change the directives below to debug any potential problems
Debug = yes
Debug SpamAssassin = yes
#check_MailScanner
Make sure messages are coming in, or it will sit at "Building a message batch to scan".
There will be many configuration options available but this is one of the basic ones to get started.