Postfix, Dovecot, Mailscanner on CentOS: notes


May 4th, 2008

Notes on setting up the following:

  • Postfix 2.3
  • Dovecot 1.0
  • MailScanner 4.68.8

On CentOS 5.

Postfix is set up with all domains as virtual domains, delivering to Maildirs in an arbitrary location. The virtual alias map is implemented as a hash database.

Dovecot makes the Maildirs available via IMAP. Authentication details are stored in a flat file.

MailScanner is configured to scan all incoming mail with SpamAssassin and ClamAV. It delivers all mail, changing only the headers (no untraceable bouncing or subject mangling).

SMTP-AUTH is enabled with Postfix deferring to Dovecot.

Basic SMTP sender checks are done in postfix (including RBLs).

TLS is enabled for all systems.

Postfix

main.cf settings to remember:

  • header_checks = regexp:/etc/postfix/header_checks – puts everything incoming into the hold queue for MailScanner to pick up (the rule from the MailScanner Postfix instructions is /^Received:/ HOLD). Remove if not using MailScanner.
  • inet_interfaces = localhost, mx.bluebottle.net.au
  • smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org – add RBLs as desired; permit_sasl_authenticated goes first so your own users on blacklisted dynamic IPs still get through
  • smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname – don't actually use reject_unknown_helo_hostname, it breaks too many real servers
  • smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination – reject_unauth_destination is what stops the box being an open relay; only permit_mynetworks and permit_sasl_authenticated may come before it
  • smtpd_sasl_auth_enable = yes
  • smtpd_sasl_path = private/auth – relative to the Postfix queue directory, so this is the same socket as in the Dovecot config below
  • smtpd_sasl_type = dovecot
  • smtpd_tls_cert_file = /etc/pki/postfix/certs/postfix.pem
  • smtpd_tls_key_file = /etc/pki/postfix/private/postfix.pem
  • smtpd_tls_security_level = may – STARTTLS is offered but not required; add smtpd_tls_auth_only = yes unless you are happy with PLAIN/LOGIN being offered over cleartext as well
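A quick lint for the relay-control and AUTH settings in the list above, as an added example that is not part of the original notes. It reads a main.cf in key = value form (or the output of postconf -n) with plain sh and awk, so it runs without Postfix installed; the main.cf it checks at the bottom is a constructed copy of the settings listed here, not the live file.

```shell
#!/bin/sh
# Added example (not part of the original notes): lint a Postfix main.cf for the
# settings that keep the server from being an open relay and keep SMTP-AUTH sane.
# Plain POSIX sh + awk, no Postfix needed. Continuation lines (Postfix allows
# them) are not handled, so feed it `postconf -n` output if in doubt.

# Print the value of one parameter; the last definition wins, as in Postfix.
cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        }
        END { print val }' "$1"
}

# Return 0 if the relay/AUTH configuration is acceptable, 1 otherwise,
# printing one FAIL/WARN line per finding.
check_relay_config() {
    cf=$1; rc=0
    rcpt=$(cf_get "$cf" smtpd_recipient_restrictions)

    # Relaying must be refused for everyone not explicitly permitted.
    case ",$rcpt," in
        *reject_unauth_destination*) ;;
        *) echo "FAIL: smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"; rc=1 ;;
    esac

    # Restrictions are evaluated in order: any permit not tied to mynetworks,
    # SASL or our own domains that sits before reject_unauth_destination turns
    # the box into a relay for whoever it matches.
    for item in $(printf '%s\n' "$rcpt" | tr ',' ' '); do
        case "$item" in
            reject_unauth_destination) break ;;
            permit_mynetworks|permit_sasl_authenticated|permit_auth_destination) ;;
            permit|permit_*) echo "FAIL: $item comes before reject_unauth_destination"; rc=1 ;;
        esac
    done

    # permit_sasl_authenticated only means something if SASL is actually on.
    [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" = yes ] \
        || { echo "FAIL: smtpd_sasl_auth_enable is not yes"; rc=1; }

    # STARTTLS should be offered, and cleartext logins should not be.
    case "$(cf_get "$cf" smtpd_tls_security_level)" in
        may|encrypt) ;;
        *) echo "FAIL: smtpd_tls_security_level does not enable TLS"; rc=1 ;;
    esac
    [ "$(cf_get "$cf" smtpd_tls_auth_only)" = yes ] \
        || echo "WARN: smtpd_tls_auth_only is not yes; PLAIN/LOGIN will be offered over cleartext"
    return $rc
}

# Constructed copy of the settings listed in the notes (not the live file).
sample_main_cf() {
    cat <<'EOF'
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_security_level = may
EOF
}

# Demo; on a real box run `check_relay_config /etc/postfix/main.cf` instead.
tmp=$(mktemp); sample_main_cf > "$tmp"
check_relay_config "$tmp" && echo "OK: no relay problems found"; rm -f "$tmp"
```

The sample passes with a WARN about smtpd_tls_auth_only, which is the one setting the list above does not have; the open-relay check is worth re-running after every edit to smtpd_recipient_restrictions, since a stray bare `permit` before reject_unauth_destination is the classic mistake.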

openssl req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365
chown root:root $CERTFILE $KEYFILE
chmod 0600 $CERTFILE $KEYFILE

OPENSSLCONFIG:
[ req ]
default_bits = 1024
# 1024-bit RSA is below today's minimums; use 2048 or more
encrypt_key = yes
# -nodes on the command line overrides this: Postfix needs an unencrypted key
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=AU
ST=Western Australia
L=Perth
O=bluebottle.net.au
OU=SMTP server
CN=mx.bluebottle.net.au
emailAddress=postmaster@bluebottle.net.au
[ cert_type ]
nsCertType = server

CERTFILE:
/etc/pki/postfix/certs/postfix.pem

KEYFILE:
/etc/pki/postfix/private/postfix.pem

  • virtual_mailbox_domains = bluebottle.net.au
  • virtual_alias_maps = hash:/etc/postfix/virtmap
  • virtual_mailbox_maps = hash:/etc/postfix/virtdeliver
  • virtual_mailbox_base = /home/vmail
  • virtual_uid_maps = static:5000 – whatever the vmail UID is
  • virtual_gid_maps = static:5000

/etc/postfix/virtmap:
# Contains all the addresses this server accepts
# And their mappings to final address
# Don’t forget postmap /etc/postfix/virtmap
alex@bluebottle.net.au        alex@bluebottle.net.au
root@bluebottle.net.au        root@bluebottle.net.au
abuse@bluebottle.net.au        root@bluebottle.net.au

/etc/postfix/virtdeliver:
# Contains mappings from accepted addresses to
# local mailbox location
alex@bluebottle.net.au                  bluebottle.net.au/alex/
root@bluebottle.net.au                  rootemails/

Dovecot

Generate the SSL certificate: edit the details in the file found by `locate dovecot-openssl.cnf`, then run the script found by `locate dovecot-1.0/examples/mkcert.sh`.

  • mail_location = maildir:/home/vmail/%d/%n – %d is the domain part and %n the user part of the login name; for a login without an @, %d is empty, so "rootemails" ends up in /home/vmail/rootemails, matching virtdeliver above
  • auth default { mechanisms = plain login cram-md5 – cram-md5 is called hmac-md5 in non-current versions of Dovecot. It lets clients authenticate without sending the password in the clear (‘Secure Authentication’ in Thunderbird and a few other clients)
  • … passdb passwd-file { args = /home/vmail/passwd }
  • … userdb static { args = uid=vmail gid=vmail home=/home/vmail/%d/%n/ }
  • … socket listen { client { path = /var/spool/postfix/private/auth ; mode = 0660 ; user = postfix ; group = postfix } } – this is the socket smtpd_sasl_path = private/auth points at

/home/vmail/passwd:
# Contains username and password for all user accounts
# Take note how the username interacts with mail_location:
# "alex@bluebottle.net.au" reads /home/vmail/bluebottle.net.au/alex,
# "rootemails" (no domain, so %d is empty) reads /home/vmail/rootemails
# Generate the password hash with dovecotpw -s HMAC-MD5
# Caveat: an {HMAC-MD5} value is enough to answer CRAM-MD5 challenges, so to
# anyone who can read this file it is as good as the password; keep it mode 0600
alex@bluebottle.net.au:{HMAC-MD5}999999a9bc23ca3b828faf15f9efb17152f71d9d0e5bc473194a05cebe34eaf
rootemails:{HMAC-MD5}999999a5e380b6b4ff3c1805c6d8661456dd2565c6d9fe63e5fe72c78cc4941
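A consistency check over the three hand-edited files above (virtmap, virtdeliver and the Dovecot passwd file), as an added example that is not part of the original notes. It follows alias chains, insists on Maildir paths, and expands Dovecot's %d/%n for each login to confirm that Postfix delivers where Dovecot will read, including the domain-less `rootemails` login, where %d is empty. Plain sh and awk; the sample files it writes are constructed copies of the ones shown here with dummy hashes, and /home/vmail and bluebottle.net.au are taken from the notes as defaults.

```shell
#!/bin/sh
# Added example (not part of the original notes): cross-check
#   virtmap      (virtual_alias_maps)   address -> address
#   virtdeliver  (virtual_mailbox_maps) address -> Maildir path under virtual_mailbox_base
#   passwd       (Dovecot passwd-file)  login:{SCHEME}hash
# so that every alias ends at a mailbox, every mailbox is a Maildir, and every
# login's mail_location (maildir:BASE/%d/%n) is a directory Postfix delivers to.
BASE=${BASE:-/home/vmail}                 # virtual_mailbox_base
DOMAINS=${DOMAINS:-bluebottle.net.au}     # virtual_mailbox_domains, space separated

check_mail_maps() {
    virtmap=$1; virtdeliver=$2; passwd=$3; rc=0

    # 1. Alias targets in our own domains must resolve (through alias chains)
    #    to a virtdeliver key; targets in other domains are simply relayed.
    awk -v domains="$DOMAINS" '
        BEGIN { bad = 0; n = split(domains, d, " "); for (i = 1; i <= n; i++) ours[d[i]] = 1 }
        /^[ \t]*#/ || NF < 2 { next }
        FILENAME == ARGV[1] { alias[$1] = $2; next }
        FILENAME == ARGV[2] { box[$1] = 1; next }
        END {
            for (a in alias) {
                t = alias[a]; hops = 0
                while (!(t in box) && (t in alias) && alias[t] != t && hops++ < 10) t = alias[t]
                dom = t; sub(/^[^@]*@/, "", dom)
                if (!(t in box) && (dom in ours)) { print "FAIL: alias " a " -> " t " ends at no mailbox"; bad = 1 }
            }
            exit bad
        }' "$virtmap" "$virtdeliver" || rc=1

    # 2. A path without a trailing "/" makes Postfix write an mbox file, which
    #    Dovecot with a maildir: mail_location will never read.
    awk 'BEGIN { bad = 0 }
         /^[ \t]*#/ || NF < 2 { next }
         $2 !~ "/$" { print "FAIL: " $1 " -> " $2 " is an mbox path (no trailing /)"; bad = 1 }
         END { exit bad }' "$virtdeliver" || rc=1

    # 3. Expand %d/%n for each login exactly as Dovecot does (no "@" means %d is
    #    empty and the "//" collapses) and compare with where Postfix delivers.
    awk -v base="$BASE" '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }
        FILENAME == ARGV[1] { if (NF < 2) next; p = base "/" $2; gsub("/+", "/", p); delivered[p] = $1; next }
        FILENAME == ARGV[2] {
            user = $0; sub(/:.*/, "", user); if (user == "") next
            name = user; dom = ""
            if (index(user, "@")) { sub(/@.*/, "", name); dom = user; sub(/^[^@]*@/, "", dom) }
            p = base "/" dom "/" name "/"; gsub("/+", "/", p)
            expected[p] = user; next
        }
        END {
            for (p in expected) if (!(p in delivered)) { print "FAIL: login " expected[p] " reads " p " but nothing is delivered there"; bad = 1 }
            for (p in delivered) if (!(p in expected)) print "WARN: " delivered[p] " is delivered to " p " but no login reads it"
            exit bad
        }' "$virtdeliver" "$passwd" || rc=1
    return $rc
}

# Constructed copies of the three files from the notes (dummy hashes); $1 = directory.
write_samples() {
    printf '%s\n' 'alex@bluebottle.net.au  alex@bluebottle.net.au' \
                  'root@bluebottle.net.au  root@bluebottle.net.au' \
                  'abuse@bluebottle.net.au root@bluebottle.net.au' > "$1/virtmap"
    printf '%s\n' 'alex@bluebottle.net.au  bluebottle.net.au/alex/' \
                  'root@bluebottle.net.au  rootemails/' > "$1/virtdeliver"
    printf '%s\n' 'alex@bluebottle.net.au:{HMAC-MD5}0000dummy' \
                  'rootemails:{HMAC-MD5}0000dummy' > "$1/passwd"
}

# Demo; on the live box run it against /etc/postfix/virtmap etc. before postmap.
d=$(mktemp -d); write_samples "$d"
check_mail_maps "$d/virtmap" "$d/virtdeliver" "$d/passwd" && echo "OK: maps and passwd file agree"
rm -rf "$d"
```

Run it before `postmap` and again whenever a login is added to the passwd file; a mailbox that nobody can log in to, or a login whose Maildir nothing delivers to, is exactly the mismatch that is otherwise only noticed when mail silently piles up.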

MailScanner

  • Install via the RH RPM from http://mailscanner.info/downloads.html
  • Set up according to http://mailscanner.info/postfix.html
  • Install the “ClamAV and SpamAssassin easy installation package” from the downloads page above

Requires much tweaking to make it not modify the message apart from adding headers:

  • Scan Messages = %rules-dir%/scan.messages.rules – exclude your own domain(s) so that nothing sent from your domain is marked as spam (especially mail from users sending via SMTP-AUTH from a dynamic IP range, which will set off various RBLs)
  • Dangerous Content Scanning = no
  • Mail Header = X-%org-name%-MailScanner-VirusCheck: – the default never made much sense to me
  • #Information Header = X-%org-name%-MailScanner-Information: – commented out, it is useless
  • Clean Header Value = Clean ; Infected Header Value = Infected ; Disinfected Header Value = Disinfected
  • Always Include SpamAssassin Report = no
  • Multiple Headers = add
  • Sign Clean Messages = no
  • Mark Infected Messages = no
  • Mark Unscanned Messages = no
  • Notify Senders = no – the sender addresses on viruses and spam are forged, so notifications are just backscatter; really not a good idea
  • Scanned Modify Subject = no ; Virus Modify Subject = no – and so on for the other Modify Subject settings
  • Add Watermark = yes ; Watermark Secret = %org-name%-Secret-111111 – set your own secret; it is what stops others forging the watermark
  • Max SpamAssassin Size = 200k
  • Spam Actions = deliver header "X-Spam-Status: Yes"
  • High Scoring Spam Actions = deliver header "X-Spam-Status: Yes"
  • Non Spam Actions = deliver header "X-Spam-Status: No"
  • MCP Checks = no

/etc/MailScanner/rules/scan.messages.rules:
# We want to scan everything by default, but ignore mail that is sent from our SMTP-AUTH users.
# They'll probably be in a dynamic IP range which is in various RBLs like the PBL.
# Caveat: "From:" here matches the envelope sender, which anyone can forge, so
# spam claiming to come from bluebottle.net.au skips scanning too.
From:           bluebottle.net.au       no
FromOrTo:       default                 yes

Other Notes:

  • postfix reload (inet_interfaces and some other settings need a postfix stop; postfix start)
  • service dovecot restart
  • service MailScanner restart (also restarts Postfix)

One Response to “Postfix, Dovecot, Mailscanner on CentOS: notes”

  1. Clemo on August 7, 2009 4:28 pm

    Great tips ! Thanks !
