Deploy MailScanner CentOS 7 and postfix
We are setting up Centos 7 running MailScanner with postfix as mail gateway accepting mail for domain aaa.com, bbb.com, ccc.com and relaying mail for any SMTP server located on 102.168.0.0/24 subnet or from 192.168.2.2.
Firewall and system requirements
CentOS 7 minimal install
Inbound – tcp port 25
Outbound – tcp ports 2703, 7, udp port 24441, 6207, 53
Configure postfix
#systemctl enable postfix #systemctl start postfix
Edit /etc/postfix/main.cf
Below is configuration for domain aaa.com bbb.com ccc.com
queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix mail_owner = postfix inet_interfaces = all inet_protocols = all mydestination = $myhostname, localhost.$mydomain, localhost unknown_local_recipient_reject_code = 550 mynetworks = 192.168.0.0/24, 192.168.2.2 ######################################## # RELAY DOMAINS # ######################################## relay_domains = aaa.com,bbb.com,ccc.com debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.10.1/samples message_size_limit = 40960000 readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES transport_maps = hash:/etc/postfix/transport
Edit /etc/postfix/transport
replace x.x.x.x with ip address of your internal mail server. If domains are being routed for external delivery replace it with SMTP server of next hop mail relay.
aaa.com smtp:[x.x.x.x] bbb.com smtp:[x.x.x.x] ccc.com smtp:[x.x.x.x]
Apply transport configuration
#postmap transport
Install MailScanner
Download MailScanner-4.85.2-3.rpm.tar.gz from Mailscanner download
Choose Red Hat /CentOS since we installing it on CentOS 7
Unpack it and run install.sh script
#tar zxf MailScanner-4.85.2-3.rpm.tar.gz #cd MailScanner-4.85.2-3 #./install.sh
In the Postfix configuration file /etc/postfix/main.cf add this line at the end of file
header_checks = regexp:/etc/postfix/header_checks
In the file /etc/postfix/header_checks add this line
This will tell Postfix to move all messages to the HOLD queue
/^Received:/ HOLD
Configure MailScanner and Postfix
Edit /etc/MailScanner/MailScanner.conf and make the following adjustments
Run As User = postfix Run As Group = postfix Incoming Queue Dir = /var/spool/postfix/hold Outgoing Queue Dir = /var/spool/postfix/incoming MTA = postfix
Make sure user postfix has write permissions to MailScanner folder
#cd /var/spool #chown -R postfix.postfix MailScanner
Start MailScanner
#/etc/init.d/MailScanner restart
We should now have working MailScanner gateway
Note:
In some cases you need to do the following to get mailscanner to work
#mkdir /var/spool/MailScanner/spamassassin #chown postfix.postfix /var/spool/MailScanner/spamassassin
In some cases you will want to setup chroot for postfix. In this case following script can be executed
#! /bin/sh # LINUX2 - shell script to set up a Postfix chroot jail for Linux # Tested on SuSE Linux 5.3 (libc5) and 7.0 (glibc2.1) # Other testers reported as working: # # 2001-01-15 Debian sid (unstable) # Christian Kurz# Copyright (c) 2000 - 2001 by Matthias Andree # Redistributable unter the MIT-style license that follows: # Abstract: "do whatever you want except hold somebody liable or change # the copyright information". # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to # deal in the Software without restriction, including without limitation the # rights to use, copy, modify, merge, publish, distribute, sublicense, and/or # sell copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING # FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS # IN THE SOFTWARE. # 2000-09-29 # v0.1: initial release # 2000-12-05 # v0.2: copy libdb.* for libnss_db.so # remove /etc/localtime in case it's a broken symlink # restrict find to maxdepth 1 (faster) # Revision 1.4 2001/01/15 09:36:35 emma # add note it was successfully tested on Debian sid # # 20060101 /lib64 support by Keith Owens. # CP="cp -p" cond_copy() { # find files as per pattern in $1 # if any, copy to directory $2 dir=`dirname "$1"` pat=`basename "$1"` lr=`find "$dir" -maxdepth 1 -name "$pat"` if test ! -d "$2" ; then exit 1 ; fi if test "x$lr" != "x" ; then $CP $1 "$2" ; fi } set -e umask 022 POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix} cd ${POSTFIX_DIR} mkdir -p etc lib usr/lib/zoneinfo test -d /lib64 && mkdir -p lib64 # find localtime (SuSE 5.3 does not have /etc/localtime) lt=/etc/localtime if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi rm -f etc/localtime # copy localtime and some other system files into the chroot's etc $CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc $CP -f /etc/host.conf /etc/hosts /etc/passwd etc ln -s -f /etc/localtime usr/lib/zoneinfo # copy required libraries into the chroot cond_copy '/lib/libnss_*.so*' lib cond_copy '/lib/libresolv.so*' lib cond_copy '/lib/libdb.so*' lib if test -d /lib64; then cond_copy '/lib64/libnss_*.so*' lib64 cond_copy '/lib64/libresolv.so*' lib64 cond_copy '/lib64/libdb.so*' lib64 fi postfix reload