March 9, 2006

Implementing a Postfix mail server with spam and antivirus protection

Author: Anže Vidmar

Building a complete email system with spam and antivirus protection is not as hard as you might think. This guide will walk you through installing and configuring everything you need for sending and receiving email, filtering spam, and scanning for viruses in email.

For our system, we'll use the Postfix mail transport agent (MTA); Dovecot, a secure, open source IMAP and POP3 server for Linux/Unix-like systems; SquirrelMail, a standards-based Webmail package written in PHP 4; SpamAssassin, a powerful open source spam filter; and ClamAV, a GPLed virus scanner. To tie everything together we'll use amavisd-new, a high-performance interface between MTAs and content checkers such as virus scanners and spam filters.

The system will be configured so that users will have POP, secure POP, IMAP, and secure IMAP (IMAPS) access, and will also be able to access their email from the Web using SquirrelMail. Every email sent or received will be scanned for viruses and checked for possible spam content.

The email applications will run on Fedora Core 4 and Red Hat Enterprise Linux Advanced Server 4.

To install the packages for this project we will use the Yellow Dog Updater, Modified (Yum). In order to get all the packages that you need, make sure you have the Fedora Extras repository (/etc/yum.repos.d/fedora-extras.repo; it's included in the distribution and enabled by default) and Dries repository enabled and configured. You will need both repositories in order to install all the packages needed.

Installation

To begin, you'll want to make sure your system is up-to-date. Run yum update if you haven't already.

Now configure the Dries repository for use by creating a file called /etc/yum.repos.d/dries.repo, with the following entries:

[dries]
name=Extra Fedora rpms dries - $releasever - $basearch
baseurl=http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/linux/$releasever/$basearch/dries/RPMS/
enabled=1
gpgcheck=1

Next, install the GPG key for this repository:

rpm --import http://dries.ulyssis.org/rpm/RPM-GPG-KEY.dries.txt

Now that you have the repositories ready, you can install the packages that we need:

yum install postfix dovecot spamassassin squirrelmail clamav clamav-server clamav-update clamav-lib clamav-data amavisd-new

Wait until all the packages and dependencies are installed.

By default, Fedora and Red Hat distributions come with sendmail set as the MTA for the system. You can check or change the default MTA with the system-switch-mail utility. If you don't have it installed yet, install it now:

yum install system-switch-mail system-switch-mail-gnome

Simply run the system-switch-mail tool and select Postfix as your default MTA.

Now that you have all the necessary applications and tools installed, it's time to configure them to work together.

Setting up Postfix

To configure Postfix, edit the main Postfix configuration file /etc/postfix/main.cf and change these entries as follows:

#This is your fully qualified domain name (FQDN):
myhostname = mail.srv.dyndns.org

#myorigin specifies the domain name that is appended to unqualified
#addresses in locally posted mail
myorigin = $mydomain

#Setting inet_interfaces to "all" accepts connections on every network
# interface, not only on localhost
inet_interfaces = all

#The mydestination parameter specifies the list of domains that
#this machine considers itself the final destination for.
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost

#Reject the unknown users
local_recipient_maps = unix:passwd.byname $alias_maps

#With this parameter we make sure that our server won't be an open relay server
mynetworks_style = host

The configuration file is well commented, so if you need more info about the configuration, dig into it. For even more information on Postfix, see the Postfix.org documentation.

Next, start the Postfix service with the command service postfix start. Also make sure the service is automatically started at boot time:

chkconfig postfix on

Setting up Dovecot

Now it's time to set up Dovecot. Edit the Dovecot config file, /etc/dovecot.conf, to suit your needs. In this case we want to enable POP3, secure POP3, IMAP, and secure IMAP services as shown:

protocols = imap imaps pop3 pop3s
imap_listen = *
pop3_listen = *
imaps_listen = *
pop3s_listen = *

After that's done, start the Dovecot service and make sure that it's started at boot time:

service dovecot start
chkconfig dovecot on

Setting up SquirrelMail

In order to be able to use webmail, you need to have Apache's httpd service up and running. It shouldn't be necessary to do any extra configuring of the httpd config file for this task, so you can just use it as is. Start the service and make sure it's started at boot time:

service httpd start
chkconfig httpd on

The installation of SquirrelMail will not change your httpd.conf file. Instead, SquirrelMail creates the file squirrelmail.conf in /etc/httpd/conf.d. This file links the /webmail/ virtual folder to the actual SquirrelMail installation folder located at /usr/share/squirrelmail.

Edit the /usr/share/squirrelmail/config/config.php file and change the $domain variable to match your domain name, so that the from-domain setting is correct when sending email from the Web. For our server, it looks like this:

$domain = 'srv.dyndns.org';

To test webmail, go to http://localhost/webmail/ or http://your_domain_name/webmail/ and log in to check your email and send a few test messages.

Blocking spam and viruses

SpamAssassin is configured right out of the box when you install it, so you shouldn't need to change anything here. However, to reduce the chance that a false positive will tag known addresses, you can whitelist addresses. The file /etc/mail/spamassassin/local.cf should list known email addresses, in a format similar to:

whitelist_from anzevi@some-strange-domain.com
whitelist_from anze@out-there-somewhere.net

SpamAssassin will be called by amavisd-new, so we don't need to configure the SpamAssassin daemon to start at boot time.

To block viruses, we need to configure ClamAV to connect daily to an Internet-based antivirus database and fetch new virus definitions. You need to have a cron daemon running in order for ClamAV to fetch the virus definitions.

First, edit /etc/sysconfig/freshclam and comment out the following line:

#FRESHCLAM_DELAY=disabled-warn  # REMOVE ME

Next, edit /etc/freshclam.conf and change the antivirus database to the closest mirror to your location:

#Example
DatabaseMirror db.de.clamav.net

You can see a list of available mirrors here.

To test ClamAV, run the clamscan command in your home folder. The AV client should check your home directory and subdirectories for viruses. Since you are running this check on a Linux box for local files, I'm pretty sure ClamAV won't find any viruses on your machine.

To test updating the virus definitions, run freshclam.

Setting up amavisd-new

Now we'll set up amavisd-new. The user amavis is automatically created at amavisd-new install time, but we still need to create the following directories and make sure the owner is amavis, as shown below:

mkdir /var/run/amavis
mkdir /var/run/clamav
chown amavis /var/run/amavis
chown amavis /var/run/clamav

You may leave the group permissions of the folders set to root. Copy the sample config file to /etc:

cp /usr/share/doc/clamav-server-X.XX.X/clamd.conf /etc/clamd.conf

Replace the X.XX.X with the version you're using. Then, make the following changes to your /etc/clamd.conf file:

#Example
User amavis
#TCPSocket 3310
#PidFile /var/run/clamd.<SERVICE>/clamd.pid
#LocalSocket /var/run/clamd.<SERVICE>/clamd.sock

After making the changes, start the service with service amavisd start, and set it to start at boot with chkconfig amavisd on.

Now, test your configuration to see that everything works. Telnet to port 10024 and you should see something like this:

[root@mail ~]# telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
quit
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Connection closed by foreign host.

If you are able to telnet to port 10024 and you are greeted by amavisd-new, you've done a good job and you may continue with the configuration. If you're unable to connect to that port, make sure the amavisd service is running, and look for errors in /var/log/messages.

Additional Postfix configuration

Once amavisd is configured and working correctly, you need to configure Postfix so it knows how to communicate with amavisd-new. Copy the following lines to the bottom of your existing /etc/postfix/master.cf file:

smtp-amavis unix -      -       y     -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n  -       y     -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

You can find more information on how this works in the amavisd documentation in your /usr/share/doc folder. For example, since we're running amavisd 2.3.3, we would check the /usr/share/doc/amavisd-new-2.3.3/README.postfix file.
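As an added example (not from the original article or from the Postfix or amavisd-new projects), the following shell function checks a master.cf for the properties the 10025 listener above depends on: it stays on a loopback address, it clears content_filter so filtered mail is not handed back to amavisd-new, and it rejects clients outside mynetworks. The function name audit_reinject and the finding labels are assumptions made for this sketch, and the sample master.cf is constructed.

```shell
#!/bin/sh
# audit_reinject FILE [PORT]: hypothetical helper, not part of Postfix.
# Prints one finding per line for the smtpd listener that receives mail back
# from amavisd-new; prints nothing when the entry passes every check.
audit_reinject() {
    awk -v port="${2:-10025}" '
    function opts(from,   i, eq) {            # collect "-o name=value" pairs
        for (i = from; i < NF; i++) if ($i == "-o") {
            eq = index($(i + 1), "=")
            if (eq) opt[substr($(i + 1), 1, eq - 1)] = substr($(i + 1), eq + 1)
        }
    }
    function judge(   host) {                 # evaluate the entry just completed
        if (type == "inet" && (svc == port || svc ~ (":" port "$"))) {
            found = 1
            host = (svc == port) ? "" : substr(svc, 1, length(svc) - length(port) - 1)
            if (host != "127.0.0.1" && host != "localhost" && host != "[::1]")
                print "EXPOSED: " svc " is not bound to a loopback address"
            if (!("content_filter" in opt))
                print "LOOP: content_filter is inherited from main.cf"
            else if (opt["content_filter"] != "")
                print "LOOP: content_filter=" opt["content_filter"]
            if (opt["smtpd_client_restrictions"] !~ /reject$/)
                print "OPEN: smtpd_client_restrictions does not end in reject"
        }
        svc = ""; type = ""; split("", opt)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
    /^[ \t]/ { opts(1); next }                # continuation of the current entry
    { judge(); svc = $1; type = $2; opts(9) } # a new service entry starts here
    END { judge(); if (!found) print "MISSING: no smtpd listener on port " port }
    ' "$1"
}

# Constructed sample: the listener from this page with its address and its
# content_filter override removed, to show what the check reports.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtp-amavis unix -      -       y     -       2  smtp
    -o smtp_data_done_timeout=1200
10025 inet n  -       y     -       -  smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
EOF
audit_reinject "$sample"
rm -f "$sample"
```

Run it against /etc/postfix/master.cf before reloading Postfix; no output means the entry passed all three checks.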

Save the file and reload the Postfix service, then test it by using telnet to connect to port 10025:

[root@mail ~]# telnet localhost 10025
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.srv.dyndns.org ESMTP Postfix
quit
221 Bye
Connection closed by foreign host.

If this works for you, you have a working configuration, and you are ready to make the final changes to Postfix.

Add this line to the end of /etc/postfix/main.cf:

content_filter = smtp-amavis:[127.0.0.1]:10024

Once you've done this, Postfix will send all incoming and outgoing mail directly through the content filter that you configured earlier.
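The open-relay comment on mynetworks_style in the first main.cf listing and the content_filter line above can be verified together. This added example (not part of the original article or of Postfix) resolves main.cf as Postfix reads it and reports when an explicit mynetworks setting overrides mynetworks_style or when no content filter is set; the function name effective_trust and the sample file are constructed for illustration.

```shell
#!/bin/sh
# effective_trust FILE: hypothetical helper, not a Postfix tool.
# Reads main.cf the way Postfix does (indented lines continue the previous
# parameter, the last assignment wins) and reports the relay and filter settings.
effective_trust() {
    awk '
    function store(   eq, k, v) {             # record one logical line
        eq = index(line, "=")
        if (eq) {
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[k] = v                        # later assignments replace earlier ones
        }
        line = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
    /^[ \t]/ { line = line " " $0; next }     # continuation line
    { store(); line = $0 }
    END {
        store()
        # "unset" means the compiled-in default applies (subnet in Postfix 2.x)
        style = ("mynetworks_style" in val) ? val["mynetworks_style"] : "unset"
        if ("mynetworks" in val) {
            print "NOTE: mynetworks is set, mynetworks_style=" style " is ignored"
            n = split(val["mynetworks"], net, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (net[i] != "" && net[i] !~ /^127\./ && net[i] != "[::1]/128")
                    print "RELAY: mynetworks trusts " net[i]
        } else if (style != "host")
            print "RELAY: mynetworks_style is " style
        if (!("content_filter" in val) || val["content_filter"] == "")
            print "UNFILTERED: content_filter is not set"
    }' "$1"
}

# Constructed sample: mynetworks_style = host as on this page, plus a leftover
# mynetworks line and no content_filter.
conf=$(mktemp)
cat > "$conf" <<'EOF'
mynetworks_style = host
mynetworks = 127.0.0.0/8,
    192.168.0.0/16
EOF
effective_trust "$conf"
rm -f "$conf"
```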

Conclusion

All you have to do now is send yourself some clean email messages and some spam, junk, and viruses, and see what happens on your mail server. You can find sample messages with spam and virus content in the /usr/share/doc/amavisd-new-X.X.X/test-messages folder. The best way to see in real time what is going on on your mail server is to watch /var/log/maillog for entries using tail -f /var/log/maillog.

That's all you need to do to configure Postfix and the helper applications to provide antivirus, spam filtering, webmail, POP, and IMAP access. Enjoy your new mail server!
