Fedora Linux Mail Server How To
02.14.13 Rev 3.0
Maintained By Thomas Sandquist tom@420bakers.net

### Changes To This Document In Rev 3:

* Complete update of all steps for all currently supported OSes.
* Added support documentation for RHEL/CentOS/Fedora.
* Support documentation for Debian/Ubuntu distros is coming soon.
* Updated Squirrelmail Vacation Responder (local autorespond and forward).

### Upgrade Steps ###

If you are upgrading from a previous installation of these packages, check the title of each step/section: sections that have upgrade steps available now show Install/Upgrade in their title. Read each of these sections thoroughly, as some will have you perform the same or similar steps to the original install while others have their own upgrade steps that differ from the initial install.

### Change In Packaging ###

Please note that due to recent security issues with some of the programs in the tarball, I have removed many of the rpm packages that are already available via yum. This should ensure that you are using the newest and most secure versions of these programs possible.

Most of the mailserver packages below will already be in a tarball named 'mailserver.mm-dd-yy.tar.gz'. You can download the tarball from http://www.toms-games.com/linux

The mailserver.upg.xx-xx-xx.tar.gz file contains only packages for which there are updates (good for upgrading the software after it is installed).

This guide is meant to be a "How To" to help you build a Fedora Linux mail server with anti-spam and virus scanner capabilities. This guide assumes that you already have a domain and DNS service set up. As always, I am not responsible for anything you do with this information, for better or for worse (so if it doesn't work or you nuke your mail server at work thinking you're a stud, don't go pointing the finger at me)!
This guide is a collaboration from Andrew Bassett's 'Installing Sendmail, Spam Assassin, and MailScanner on FC1' guide (located at fedoranews.org), different help forums online, and a lot of my own personal experience. As always, if you have any suggestions or modifications you think should be added to this procedure, please let me know.

First things first, you need these software packages to continue:

    RHEL/CentOS 4/5/6 or Fedora base OS install
    MailScanner
    Webmin
    Usermin (optional)
    Sendmail
    SpamAssassin
    DCC
    Pyzor
    Razor
    Clam-AV (optional)
    McAfee Linux Command Line Scanner (included)
    Squirrelmail (optional)
    Local Autorespond Forward plugin for Squirrelmail + Compatibility plugin for Squirrelmail (optional)

or:

    RHEL/CentOS 4/5/6 or Fedora base OS installed
    mailserver.xx-xx-xx.tar.gz (tarball of most of the packages needed for this How To)

#######################
Operating System Install and Base Config -

Install a base installation of your OS, making sure the packages mentioned below are installed. Make sure all OS updates are installed too (on Fedora, RHEL5/6 and CentOS4/5/6 this is done by running 'yum -y update').

Before you continue, make sure you have the following packages installed:

* Perl
* Sendmail
* wget
* unzip
* gcc
* patch
* rpm-build

Most of these packages will already be installed depending on what install options you chose. However, if you chose a base install you may not have all of them. The yum commands below should install most of the above software:

    yum groupinstall 'development tools'
    yum install sendmail

Use the 'yum search' command to find any lingering dependencies. All dependency packages should be available via yum.

Note: Depending on your distro it may be necessary to install EPEL, rpmforge or another 3rd party repository for yum to have access to all of the needed packages. For example, with RHEL installs it's often handy to have the EPEL repo installed for access to extra tools and dependencies. For more info see: http://wiki.centos.org/AdditionalResources/Repositories

CentOS 6 Note: The 'E-mail server' package group uses postfix by default instead of sendmail. While postfix can be used as your MTA with MailScanner and the other software included in the tarball, it is outside the scope of the current documentation. The following commands will install the above mentioned packages as well as swap out postfix for sendmail:

    yum groupinstall 'development tools' 'ftp server'
    yum install sendmail sendmail-cf
    service postfix stop
    service sendmail start
    yum remove postfix

Depending on the installation method and options used to install your OS, it is possible an iptables firewall is enabled and running on the system. You are encouraged to use a firewall; however, we don't want it running during the setup/install process, as it often causes problems and makes troubleshooting near impossible. If you have an iptables/ip6tables firewall enabled, run the following commands to disable it until your mail configuration is confirmed good and working:

    service iptables stop
    service ip6tables stop
    chkconfig --level 2345 iptables off
    chkconfig --level 2345 ip6tables off

#######################
Webmin w/ SSL Install/Upgrade - http://www.webmin.com

Before you install Webmin for the first time, install Net::SSLeay with:

    yum install perl-Net-SSLeay

Once the install is complete, download Webmin (or use the version in the tarball) and install/upgrade it with:

    rpm -Uvh webmin-x.xxx-x.noarch.rpm

If you are installing Usermin you may do so with the same rpm command, substituting usermin-x.xxx-x.noarch.rpm instead.

For Webmin, open up a browser and point it to https://your-box.tld:10000.
For Usermin, open up a browser and point it to https://your-box.tld:20000.

Once you're logged into Webmin you can click on the System tab, go to Bootup/Shutdown, turn off any unnecessary services, and stop them from starting up.

Note: Make sure you know what you are turning off!!!
#######################
Create Sendmail-cf

Now we need to modify the base Sendmail configuration to fit our needs. This is typically done via Webmin by clicking on Servers -> Sendmail Mail Server -> Sendmail M4 Configuration and clicking the Edit File Manually button at the bottom of the page, or by opening /etc/mail/sendmail.mc in your favorite text editor. Comment out the following line by placing dnl in front of it (the stock line binds sendmail to the loopback address only, so it would not accept mail from the network):

Before:
    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
After:
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

You may also want to comment out the following line to help with spam. Make sure DNS will not be an issue before doing so.

Before:
    FEATURE(`accept_unresolvable_domains')dnl
After:
    dnl FEATURE(`accept_unresolvable_domains')dnl

*** Also you can add this if you want DNSBL enabled...

Add the following below the line FEATURE(`blacklist_recipients')dnl:

    dnl #
    dnl # dnsbl - DNS based Blackhole List/Black List/Rejection list
    dnl # See http://www.sendmail.org/m4/features.html#dnsbl
    dnl #
    FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
    FEATURE(`dnsbl', `cbl.abuseat.org', `"Spam blocked see: http://cbl.abuseat.org/lookup.cgi?ip="$&{client_addr}')dnl
    FEATURE(`dnsbl', `sbl.spamhaus.org', `"Spam blocked see: http://spamhaus.org/query/bl?ip="$&{client_addr}')dnl
    dnl #

Close and save. Now recreate the sendmail.cf at a command prompt with:

    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

or

    make -C /etc/mail

depending on your version.

#######################
SMTP AUTH Instructions

To use SMTP AUTH with TLS enabled with sendmail you need to make the following configuration changes.
First find these lines in your sendmail.mc file and change them to look like the ones below:

    define(`confAUTH_OPTIONS', `A p y')dnl
    TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
    define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl
    define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl
    define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
    define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl

The AuthOptions of A p y can be adjusted if needed depending on your intended configuration. The example above means: use the AUTH= parameter, require encryption for the PLAIN and LOGIN mechanisms, and don't allow anonymous login. One common modification is to omit p and use only A y. This configuration uses the AUTH= parameter and doesn't allow anonymous login, but does not require encryption for the PLAIN and LOGIN mechanisms, so the passwords for those mechanisms may cross the network unencrypted. It is highly suggested that you use encryption for SMTP Auth. See the sendmail docs for more information and all available options.

If you have enabled the DNSBLs in the Create Sendmail-cf section above, add this line as well:

    FEATURE(delay_checks)dnl

Rebuild your Sendmail config:

    make -C /etc/mail

or

    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Now you need to create the sendmail cert:

    cd /etc/pki/tls/certs/
    make sendmail.pem

Make sure you fill out the information correctly for the cert and pay attention to its expiration date (you may need to modify the sendmail.pem file prior to running make if you want to adjust the expiration date).

Now you need to configure saslauthd to start up at boot and restart the service now:

    chkconfig --level 345 saslauthd on
    service saslauthd restart

You should now have Sendmail configured for SMTP Auth with encrypted logins.
### Creating a proper Trusted Root Certificate for use with Outlook ###

Using a self-signed TLS cert with Microsoft Outlook will cause an error every time you send an email, stating that a proper Trusted Root Certificate could not be found and requiring you to click on a 'Yes' button to finally send the message. While this is no show stopper it can be a PITA. Here are the directions to properly export the OutlookSMTP.p12 cert file and how to import it into Windows.

While still in the /etc/pki/tls/certs/ directory type:

    openssl pkcs12 -export -in sendmail.pem -inkey sendmail.pem -out OutlookSMTP.p12

Make sure to leave the export password blank if it asks. This will create a file named OutlookSMTP.p12 in the current directory. Because -inkey is given, the .p12 also contains the server's private key, so handle the file as carefully as you would sendmail.pem itself. Copy this file to your Windows PC or file server so you can access it from your Outlook workstation.

To import the OutlookSMTP.p12 file into the Trusted Root Certification Authorities store within Internet Explorer do the following: Tools -> Internet Options -> Content -> Certificates. Click on the Trusted Root Certification Authorities tab and then click on the Import button. Click the Browse button and locate the OutlookSMTP.p12 file you copied from the mail server. You may need to change the drop down menu from X.509 to .p12 to find your cert. You will receive a confirmation message once the cert has imported properly.

### Another note here... one of my systems had mail forwarding issues until I added this line to the /etc/mail/sendmail.cf file. Make sure you add this after making the new config from the steps above!

    O DontBlameSendmail=forwardfileingroupwritabledirpath

I gathered the info on this from this site: http://www.sendmail.org/tips/DontBlameSendmail.html

NOTE: If you followed the SMTP Auth instructions and also performed the steps in the Create Sendmail-cf section you should not have to perform the following IP Relaying configuration unless you have a specific need for it.
### Configure IP Relaying ###

Now you must set up Sendmail via the console or Webmin. You will need to edit the access file to enable IP-based relaying. In Webmin you can do this by clicking on Servers, then Sendmail Configuration, then Spam Control. Set the Mail source to Network. Enter the IP address or IP network you want to allow relaying from (i.e. 192.168.1 will allow any computer with an IP in the 192.168.1.xxx range to send mail across the server, while 10.0.0.5 will allow only that IP to relay mail across the server). Set Match against to Everything and set Allow relaying as the Action. Click the Create button to add the new relaying rule.

Alternatively, you can manually edit the access file and add the relay there by hand. Edit the /etc/mail/access file and add the following at the bottom, using the IP address or IP network you want to allow relaying from in place of 127.0.0.1:

    127.0.0.1 RELAY

To manually rebuild the access database you can run the following command:

    makemap hash /etc/mail/access.db < /etc/mail/access

#######################
Install/Upgrade SpamAssassin - http://www.spamassassin.org/downloads.html

The SpamAssassin installation process has changed from previous versions of this document. The package repos for Fedora/CentOS/RHEL have been much better about carrying a current version of the software, which has made a manual installation unnecessary in most cases. However, if SpamAssassin was not installed for some reason or you want to manually install the latest available version, follow the instructions below.

To install SpamAssassin via yum:

    yum -y install spamassassin

To acquire and manually install the latest available version in RPM format, check out the information over at spamtips.org (http://www.spamtips.org/p/rpm-packages.html).
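As an added example (not part of this how-to, nor code from the sendmail project), the following POSIX shell script checks a sendmail.mc and an access file for the settings changed in the Create Sendmail-cf, SMTP AUTH and Configure IP Relaying sections above: whether the loopback-only DAEMON_OPTIONS line is still active, whether confAUTH_OPTIONS carries the p flag, whether delay_checks accompanies the dnsbl features, and whether any RELAY entry covers a whole /8 or /16. The sample files it audits are constructed inline, and all function names are my own.

```shell
#!/bin/sh
# Added audit helper for the settings this guide changes (not part of the
# original how-to). The sendmail.mc and access samples below are
# constructed so the script runs offline; pass /etc/mail/sendmail.mc and
# /etc/mail/access instead to audit a real host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MC="$WORK/sendmail.mc"
ACCESS="$WORK/access"

# Constructed sendmail.mc: loopback bind commented out as the guide says,
# but AuthOptions left at "A y" (no p) and a DNSBL enabled without
# FEATURE(delay_checks).
cat > "$MC" <<'EOF'
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
define(`confAUTH_OPTIONS', `A y')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"Spam blocked"')dnl
EOF

# Constructed access file: the bare "10" entry relays for an entire /8.
{ echo '# constructed sample access file'
  printf '%s\tRELAY\n' Connect:localhost.localdomain Connect:127.0.0.1 192.168.1 10
} > "$ACCESS"

# Active (non-dnl) lines of an .mc file with the m4 quote characters
# removed, so define(`NAME', `VALUE')dnl reads as define(NAME, VALUE)dnl.
mc_active() { grep -v '^[[:space:]]*dnl' "$1" | tr -d "\`'"; }

# mc_value FILE NAME: the value of define(`NAME', `...') in FILE.
mc_value() { mc_active "$1" | sed -n "s/^define($2, *\([^)]*\)).*/\1/p"; }

# 0 if an active DAEMON_OPTIONS still binds only 127.0.0.1, i.e. the
# stock line was not commented out and mail from the network is refused.
loopback_only() { mc_active "$1" | grep -q 'DAEMON_OPTIONS(.*Addr=127\.0\.0\.1'; }

# 0 if confAUTH_OPTIONS carries the p flag (PLAIN/LOGIN only over TLS).
auth_requires_encryption() {
  case " $(mc_value "$1" confAUTH_OPTIONS) " in *" p "*) return 0 ;; esac
  return 1
}

# 0 (a finding) when a dnsbl FEATURE is active but delay_checks is not.
dnsbl_without_delay_checks() {
  mc_active "$1" | grep -q 'FEATURE(dnsbl' || return 1
  ! mc_active "$1" | grep -q 'FEATURE(delay_checks'
}

# Print RELAY keys that are a bare one- or two-octet prefix (a whole /8
# or /16). Three octets, as in the guide's 192.168.1 example, are one /24.
broad_relays() {
  grep -v '^[[:space:]]*#' "$1" | awk '
    toupper($2) == "RELAY" {
      key = $1; sub(/^Connect:/, "", key)
      if (key ~ /^[0-9]+(\.[0-9]+)?$/) print key
    }'
}

# Human-readable report: audit MC_FILE ACCESS_FILE
audit() {
  if loopback_only "$1"; then echo "WARN: DAEMON_OPTIONS still binds 127.0.0.1 only"
  else echo "OK:   sendmail listens beyond loopback"; fi
  if auth_requires_encryption "$1"; then echo "OK:   AuthOptions require TLS for PLAIN/LOGIN"
  else echo "WARN: AuthOptions '$(mc_value "$1" confAUTH_OPTIONS)' lack p"; fi
  if dnsbl_without_delay_checks "$1"; then echo "WARN: dnsbl enabled without FEATURE(delay_checks)"; fi
  for k in $(broad_relays "$2"); do echo "WARN: access relays for all of $k.*"; done
}

audit "$MC" "$ACCESS"
```

Run it against the real files after every rebuild of sendmail.cf; the sample run reports the missing p flag, the missing delay_checks and the /8 relay entry.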
#######################
Install/Upgrade MailScanner - http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml

Unpack the tar file and run the installer with:

    tar xvzf MailScanner-x.xx-x.tar.gz
    cd MailScanner-x.xx-x
    ./install.sh

Note: DO NOT RUN THE 'service MailScanner start' command displayed at the end of the install.sh script! You will start MailScanner later. Make sure you do run the other 'service sendmail stop' and 'chkconfig' commands!

Note: While this document is geared toward using the McAfee Command Line Scanner product as the underlying virus scanner for MailScanner, it is important to note that MailScanner is written to work with many different AV solutions, including ClamAV, which is also very popular in this configuration. If you would prefer to use ClamAV, please look up one of the many MailScanner + ClamAV documents on how to install ClamAV and integrate it into MailScanner.

#######################
Install/Upgrade DCC - http://www.dcc-servers.net/dcc/source/dcc-dccd.tar.Z

Extract the package with:

    tar -zxvf dcc-dccd.tar.Z

Then cd into the directory, and to install type:

    ./configure; make install

SpamAssassin will automatically pick up DCC and use it.

NOTE: To upgrade DCC in the future use the /var/dcc/libexec/updatedcc script.

NOTE: If using the DCC source tarball from the mailserver tarball, note that it will be named after its version number (i.e. dcc-1.3.126.tar.Z).

#######################
Install/Upgrade Pyzor - http://pyzor.sourceforge.net

You will need the rpm package python-devel for Pyzor (it should have been included in the install). Extract the package with:

    tar zxvf pyzor-x.x.x.tar.gz

cd into the directory, and to install type:

    python setup.py build
    python setup.py install

Pyzor will automatically be picked up by SpamAssassin as well.

#######################
Install/Upgrade Razor - http://razor.sourceforge.net

Download the razor-agents and the razor-agents-sdk tarballs. Extract the razor-agents-sdk first:

    tar zxvf razor-agents-sdk-x.xx.tar.gz
    tar zxvf razor-agents-x.xx.tar.gz

cd into the agents-sdk directory first, and type:

    perl Makefile.PL
    make
    make test
    make install

Do the same in the razor-agents directory. When you're done with both packages, check the INSTALL file for the final configuration steps. MAKE SURE TO SWITCH USERS WHEN IT TELLS YOU TO!!! Razor will automatically be picked up by SpamAssassin.

#######################
Anti-Spam Shell Script/Cron Job

Make this a shell script (I used anti-spam as the name), and chmod 755 it. I put it in /etc/cron.daily:

    #!/bin/sh
    # Refresh the Pyzor and Razor server lists so SpamAssassin keeps
    # talking to live servers, then fetch and build the latest DCC release.
    pyzor discover
    razor-admin -discover
    /var/dcc/libexec/updatedcc

#######################
McAfee Command Line Scanner

NOTE: It may be necessary to install older compat-libstdc++ packages if you need to use the older McAfee virus engine. It is strongly suggested you use the latest version of the McAfee virus engine for the best performance and protection.

### How to install McAfee (i386) ###

From the directory where the McAfee tarball is sitting type:

    mkdir mcafee
    mv vscl-l32-6.0.3-e.tar.z mcafee
    cd mcafee
    tar -zxvf vscl-l32-6.0.3-e.tar.z

Then type:

    ./install-uvscan

### How to install McAfee (x64) ###

From the directory where the McAfee tarball is sitting type:

    mkdir mcafee
    mv vscl-l64-6.0.3-e.tar.z mcafee
    cd mcafee
    tar -zxvf vscl-l64-6.0.3-e.tar.z

Then type:

    ./install-uvscan

The default settings are normally fine during installation. MailScanner will auto-update your McAfee virus defs for you.

#######################
Configure MailScanner

Read through the MailScanner.conf config file for more details on what each configuration option means. While the examples below touch on some of the basic and more common settings, it is strongly suggested that you read and verify the entire configuration file to ensure you know how things are set up! Below are two different example configurations.

Example 1.
Mail Gateway Configuration (I don't always agree with these settings. Read the config file and set it up your own way!)

# These settings will tell MailScanner to use Sendmail and SpamAssassin for mail processing.
# Mail will be delivered to the mail queue in batches for delivery. Messages deemed Spam will be
# forwarded to the address spam@yourdomain.com. Your configured Virus Scanner is clamav.
# Sendmail is used in a mail forwarding (mail gateway) configuration for this example.
# DNSBL is also disabled.

Modify the following in /etc/MailScanner/MailScanner.conf:

    MTA = sendmail
    Use SpamAssassin = yes
    Delivery Method = batch
    Spam Actions = forward spam@yourdomain.com
    High Scoring Spam Actions = forward spam@yourdomain.com
    Virus Scanners = clamav

Comment out the following lines in /etc/MailScanner/spam.lists.conf:

    #MAPS-RBL blackholes.mail-abuse.org
    #MAPS-DUL dialups.mail-abuse.org
    #MAPS-RSS relays.mail-abuse.org
    #MAPS-RBL+ rbl-plus.mail-abuse.org

*Note - make sure you make an account spam@yourdomain.com

Configure Sendmail (for a mail forwarding configuration) - From Webmin, click on Servers, then click on Sendmail Configuration. Go to Domain Routing (mailertable) and manually edit /etc/mail/mailertable and add the following line:

    yourdomain.com esmtp:normalmailserver.xxx.com

normalmailserver.xxx.com is the full hostname of the mail server that the spam server will forward all mail to. Make sure to separate the two fields with the tab key and save the settings. Next, click on Relay domains and add yourdomain.com.

Example 2.

Mail Server Configuration

# These settings will tell MailScanner to use Sendmail and SpamAssassin for mail processing.
# Mail will be delivered to the mail queue immediately for delivery after processing.
# Messages deemed Spam will be marked in the headers with "X-Spam-Status: Yes" and will have {Spam?} added to the beginning of the subject line.
# Messages are then delivered to the intended user.

Modify the following in /etc/MailScanner/MailScanner.conf:

    MTA = sendmail
    Use SpamAssassin = yes
    Delivery Method = queue
    Spam Actions = deliver header "X-Spam-Status: Yes"
    High Scoring Spam Actions = deliver header "X-Spam-Status: Yes"
    Virus Scanners = mcafee

#######################
Final Sendmail Configuration Steps -

You will need to edit the local-host-names file and add your domain/domains to it. In Webmin you can do this by clicking on Servers, then Sendmail Configuration, then Local Domains. Now would also be a good time to edit the /etc/aliases file if you need to do any account aliasing. This is also available on the Sendmail Configuration page in Webmin.

At this point you should be able to start MailScanner and begin testing the mail delivery capabilities of your server. To start MailScanner run the following command:

    /sbin/service MailScanner start

#######################
Squirrelmail and Auto-Responder

You can add webmail access with Auto-Responder/Forwarding included via Squirrelmail for quick web access to your email. To do this you first need to make sure Squirrelmail has been installed. Squirrelmail is included in the RHEL/CentOS/Fedora install media but can also be installed via yum (RHEL4: use up2date):

    yum install squirrelmail

Installing the Vacation/Auto-Responder:

Once Squirrelmail has been installed you need to install the Vacation/Auto-Responder. The previously used Vacation_Local package is no longer under development and has had issues when used on RHEL6 and newer versions of Fedora. While it is still included in the mailserver tarball, it is suggested you use the new Local_Autorespond_Forward package instead. Also note that Vacation_Local will be removed from the mailserver tarball in the future.

To install Local_Autorespond_Forward you must first decompress and read the INSTALL document for both the Local_Autorespond_Forward and the compatibility tarballs:
    tar -zxvf local_autorespond_forward-3.0.1-1.4.0.tar.gz
    tar -zxvf compatibility-2.0.16-1.0.tar.gz

Follow the instructions to move these two plugin folders to the Squirrelmail plugins folder (normally located at /usr/share/squirrelmail/plugins). If necessary, follow the patching instructions for the compatibility plugin. Then follow the instructions for configuring config.php for Local_Autorespond_Forward. In most situations you will want to follow the FTP backend instructions. Make sure to also follow the Squirrelmail configuration steps so that Squirrelmail will see your new plugins.

Note: If upgrading from the older Vacation_Local to Local_Autorespond_Forward, there have been situations where the older vacation config files have caused problems with the configuration and display of the Auto-Responder page in Squirrelmail. It is suggested that you either manually clear the old .forward* and .vacation* files from users' home directories or have users log in and verify the settings are correct and the pages load properly. It may also be possible to use the Vacation program initialization features found in the config.php file for Local_Autorespond_Forward to do this automatically for each user account (this is unfortunately beyond the current scope of this document).

Legacy Vacation_Local Install Steps:

To install Vacation_Local you need to decompress the tarball and move the folder to the Squirrelmail plugins folder:

    tar -zxvf vacation_local-2.0-1.4.tar.gz

Follow the instructions in the INSTALL file to properly configure config.php as well as Squirrelmail to see the plugin.

Once Squirrelmail and your Vacation Responder plugin have been installed and configured you need to install the Vacation RPM package. The following command should accomplish this along with installing any needed dependencies:

    yum install vacation-1.2.6.1-3.i686.rpm

Note: You can substitute another version of the Vacation RPM package if you want to use an older or newer package.
#######################
Final Configuration Steps -

If this is a server migration/reload, make sure at this point that you have merged the password and group files, the files in /etc/mail have been configured properly, the /etc/aliases file contains its proper information, and all log monitoring/forwarding has been set up.

It's also a good idea to make sure MailScanner is running at this point if it hasn't already been started. Type the following:

    /sbin/service MailScanner start

If you disabled your iptables/ip6tables firewall using the commands at the beginning of this document you can re-enable the firewall services with the following commands:

    chkconfig --level 2345 iptables on
    chkconfig --level 2345 ip6tables on
    /sbin/service iptables start
    /sbin/service ip6tables start

#######################
Configure Webmin -

You can install some additional Webmin modules to control VSFTPD and MailScanner. The MailScanner module is included in this tarball (webmin-module-1.1-4.wbm). The configuration information below should work in most cases:

    Full path to MailScanner program = /usr/sbin/MailScanner
    Full path and filename of MailScanner config file = /etc/MailScanner/MailScanner.conf
    Full path to the MailScanner bin directory = /usr/sbin
    Full path and filename for the MailScanner pid file = /var/run/MailScanner.pid
    Command to start MailScanner = /sbin/service MailScanner start
    Command to stop MailScanner = /sbin/service MailScanner stop

PLEASE NOTE: The Apply Changes button does not appear to restart MailScanner properly. After you have made changes in the Webmin MailScanner Configuration module, click on the Apply Changes button. When the page refreshes, click on the Stop MailScanner button. Wait several seconds (15+) before clicking on the Start MailScanner button. If someone knows of a fix for this issue please let me know!

Use the ftp/http module install feature to install the VSFTPD module from:

    http://provider4u.de/images/stories/downloads/vsftpd.tar.gz

You should be set!

#######################
Known Issues:

(NOTE: This issue is now resolved by upgrading to the McAfee Virus Engine v5.1 or later)

Problem: McAfee stops working after performing Fedora updates with Yum (FC4, FC5).

Answer: The McAfee Linux Command Line Scanner requires an old version of the compat-libstdc++ package. During the installation of the scanner you had to force install the correct version. I have seen Yum remove this package during a system update before. Normally this corresponds with a new compat-libstdc++ package being released, but it may occur in other situations as well. Short of not performing the compat-libstdc++ package updates, I know of no way to stop this issue from occurring. My suggestion is for admins to test the McAfee scanner from the command line after performing the Fedora updates. Once your yum update command has finished, type the following:

    uvscan --version

If you receive a library error then you will need to repeat the force install of the old compat-libstdc++ package. If you have deleted the original file you will need to download it again.

Problem: Clicking the 'Apply Changes' button in the MailScanner module in Webmin results in MailScanner shutting down but not restarting.

Answer: See the note in the 'Configure Webmin' section regarding this issue. In short, you need to use the 'Stop MailScanner' button and then the 'Start MailScanner' button to correctly restart MailScanner from Webmin.

*** OLD AND DEPRECATED INFO ***

Problem: I've used Yum to update my system but now Razor, Pyzor, and DCC are no longer filtering properly.

Answer: The spamassassin.i386 package from Fedora may not use the same configuration as the package you built from the SpamAssassin website. It is suggested that you use the '--exclude=spamassassin.i386' switch with yum to avoid this issue. Make sure to follow the rpmbuild instructions to upgrade your SpamAssassin package. You may also find it easier to do your updates with Yum first, then do your SpamAssassin update.