Wednesday, October 31, 2007

Corporate Mail Server

Fast Start with mail server.

In this article given an example setup and adjustments of post system on the basis of operational system Debian "Etch" with a following set of applications:

  • Postfix-SMTP

  • Saslauthd

  • Saslbd2

  • Cyrus-imap

  • Amavisd-new

  • Spamassasin

  • Clamav

First of all, for continuation of setup it is necessary to adjust an environment.
Add to /etc/apt/sources.list additional source for latest version of ClamAV
deb http://volatile.debian.org/debian-volatile etch/volatile main contrib
Further we shall update the list of packages:
apt-get update
On it all preparatory measures is finished. Let's establish necessary for work of a Mail Server packages.
apt-get install postfix libsasl2 libsasl2-modules sasl2-bin cyrus-imapd-2.2 cyrus-pop3d-2.2 cyrus-admin-2.2

Let's adjust a server of authorization saslauthd on use of a database of passwords sasldb2.
For this we shall edit a file /etc/default/saslauthd :
START=yes
MECHANISMS="sasldb"
and start the service /etc/init.d/saslauthd start
Now we shall check up correctly it works, but for the beginning it is necessary to add even one user:

mailserver:~# saslpasswd2 test
Password:
Again (for verification):
mailserver:~# sasldblistusers2
test@mailserver: userPassword
mailserver:~# testsaslauthd -u test -p test

If you have received the message "0: OK "Success." Means everything is all right.
If authorization has not passed- check file
/var/log/auth.log
Now We need to transfer socket of saslauthd to "cherooted" working directory of postfix /var/spool/postfix/ make this by editing /etc/fstab
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd none rw,bind 0 0
Also it is necessary make directory where we shall mount a socket of saslauthd:
mkdir -p /var/spool/postfix/var/run/saslauthdmount /var/run/saslauthd
Now we shall configure postfix for use sasl authorizations:
edit /etc/postfix/main.cf:
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_authenticated_header = yes
smtpd_sasl_application_name = smtpd

Now we forbid to send mail through ours SMTP without authorization,
For this purpose we shall create a file
/etc/postfix/sasl/smtpd.conf with following contents:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Restart the Postfix server and let's closely see following files for mistakes:

  1. /var/log/mail.err

  2. /var/log/mail.info

  3. /var/log/mail.warn

  4. /var/log/mail.log

That "to be friends" saslauthd and postfix it is necessary to execute the following:
adduser postfix sasl

Cyrus-imapd: cyrus will be engaged in rreceive of mail from postfix, sorting it on folders and granting to it of access to users.

Let's edit a file /etc/imapd.conf

admins: cyrus
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd auxprop
sasl_auxprop_plugin: sasldb

Pay attention, cyrus the same as and saslauthd, it is necessary to cooperate with postfix, therefore they need to be made available each other. We take advantage of already known mechanism (by editing /etc/fstab):

/var/run/cyrus /var/spool/postfix/var/run/cyrus none rw,bind 0 0

It is not forgotten to create a folder for cyrus:

mkdir -p /var/spool/postfix/var/run/saslauthd
mkdir -p /var/spool/postfix/var/run/cyrus
mount /var/spool/postfix/var/run/saslauthd
mount /var/spool/postfix/var/run/cyrus

mount /var/run/cyrus

Now we give an opportunity cyrus to take away mails at postfix by editing /etc/postfix/main.cf :
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
local_recipient_maps =

Let's add our Mail Server to lmtp group:
addgroup lmtp
adduser postfix lmtp

and make following:
dpkg-statoverride --remove /var/run/cyrus/socket
dpkg-statoverride --force --update --add cyrus lmtp 750 /var/run/cyrus/socket

Names and passwords are stored in a format which is distinct from system, it is necessary to specify the given option. Above mentioned added options "local_recipient_maps =" It means " to accept letters for any addressee ". We add the user cyrus in our base of registration records:
saslpasswd2 -c cyrus

Enter password, and restart the services:
/etc/init.d/postfix restart
/etc/init.d/cyrus2.2 restart
/etc/init.d/saslauthd restart

By this moment can already receive and send mails, create and delete folders on an IMAP-server, establish quotas and access rights on folders means of the utility cyradm. As all the further actions on adjustment for testing will demand to send and receive mail, I result the brief instruction on creation of IMAP accounts (mailboxes).



saslpasswd2 –c
cyradm –user cyrus localhost
localhost>cm user.
localhost>cm user..INBOX
localhost>cm user..Sent
localhost>cm user..Spam
localhost>cm user..Draft
localhost>cm user..Trash



"Be protected, sir". It is necessary to protect itself from a spam and viruses

Let's start installation:
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip unarj unrar bzip2
And make some changes to configuration files amavisd:

Edit /etc/amavis/conf.d/50-user

use strict;
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;
$virus_quarantine_to = 'undef';
$sa_local_tests_only = 0;
@inet_acl = qw( 127.0.0.1 [::1] xxx.xxx.xxx.xxx );
#------------ Do not modify anything below this line -------------
1; # insure a defined return

Edit /etc/amavis/conf.d/20-debian_defaults

use strict;
$QUARANTINEDIR = '/var/lib/amavis/virusmails';

$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug'; # switch to info to drop debug output, etc
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$inet_socket_port = 10024; # default listenting socket
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
##$sa_tag_level_deflt = -999;
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
##$sa_kill_level_deflt = 999;
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?

# Quota limits to avoid bombs (like 42.zip)
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes

### DM ####
$final_virus_destiny = D_REJECT; # (defaults to D_BOUNCE)
$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE)
$final_spam_destiny = D_PASS; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
$viruses_that_fake_sender_re = new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
[qr'^(EICAR|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
[qr/.*/ => 1], # true by default (remove or comment-out if undesired)
);

$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
# Leave empty (undef) to add no header
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";

@viruses_that_fake_sender_maps = (new_RE(
[qr'\bEICAR\b'i => 0], # av test pattern name
[qr/.*/ => 1], # true for everything else
));
@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));

# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components

# block certain double extensions anywhere in the base name
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID CLSID, strict

qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,

# qr'^application/x-msmetafile$'i, # Windows Metafile MIME type
# qr'^\.wmf$', # Windows Metafile file(1) type

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

# [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives

qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
# wmf|wsc|wsf|wsh)$'ix, # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.

qr'^\.(exe-ms)$', # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed
# ## per-recipient personal tables (NOTE: positive: black, negative: white)
# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com' => [{'.ebay.com' => -3.0}],
# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
# '.cleargreen.com' => -5.0}],
## site-wide opinions about senders (the '.' matches any recipient)

'.' => [ # the _first_ matching sender determines the score boost

new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),
# read_hash("/var/amavis/sender_scores_sitewide"),
{ # a hash-type lookup table (associative array)
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,
'amavis-user-admin@lists.sourceforge.net'=> -3.0,
'amavis-user-bounces@lists.sourceforge.net' => -3.0,
'spamassassin.apache.org' => -3.0,
'notification-return@lists.sophos.com' => -3.0,
'owner-postfix-users@postfix.org' => -3.0,
'owner-postfix-announce@postfix.org' => -3.0,
'owner-sendmail-announce@lists.sendmail.org' => -3.0,
'sendmail-announce-request@lists.sendmail.org' => -3.0,
'donotreply@sendmail.org' => -3.0,
'ca+envelope@sendmail.org' => -3.0,
'noreply@freshmeat.net' => -3.0,
'owner-technews@postel.acm.org' => -3.0,
'ietf-123-owner@loki.ietf.org' => -3.0,
'cvs-commits-list-admin@gnome.org' => -3.0,
'rt-users-admin@lists.fsck.com' => -3.0,
'clp-request@comp.nus.edu.sg' => -3.0,
'surveys-errors@lists.nua.ie' => -3.0,
'emailnews@genomeweb.com' => -5.0,
'yahoo-dev-null@yahoo-inc.com' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'clusternews@linuxnetworx.com' => -3.0,
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

# soft-blacklisting (positive score)
'sender@example.net' => 3.0,
'.example.net' => 1.0,
},
], # end of site-wide tables
});
1; # insure a defined return

Add user clamav to group amavis:
adduser clamav amavis
Now we force postfix to give mail for check to antivirus,
Add to file
/etc/postfix/master.cf
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
As add in the end of file /etc/postfix/main.cf :
content_filter=smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

Restart the Postfix it also look there are no error in a logfile
/etc/init.d/postfix restart
tail /var/log/mail.log

Let's still more some tools and we adjust spamassassin:
apt-get install razor pyzor dcc-client

Edit file /etc/spamassassin/local.cf
(take into consideration difference between version 3.0. and 3.1. We review 3.1)

# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 10.0.1.
# lock_method flock
# dcc
use_dcc 1
#pyzor
use_pyzor 1
#razor
use_razor2 1
#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

and uncoment follow line in file /etc/spamassassin/v310.pre :
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::AntiVirus

Now it is necessary to allow spamassassin to be started:

Edit /etc/default/spamassassin :
ENABLED=1

And restart following services:

  • /etc/init.d/clamav-freshclam restart

  • /etc/init.d/clamav-daemon restart

  • /etc/init.d/spamassassin restart

  • /etc/init.d/amavis restart

  • /etc/init.d/postfix restart


The theme of setup and maintains of a MailServer under Linux can be developed infinitely, :-)
but in this article it is considered fast and easy way of install and configure of corporate Mail Server with IMAP access and antispam antivirus protection.

P.S.
All of the credentials are sent in cleartext which means they can be sniffedm the wire.
... What about TLS ?