Set Up an Email Gateway with CentOS Linux 5.4
Today I’m going to walk you through the setup of an open source email gateway on CentOS 5.4. The tools we’ll use include Postfix, SpamAssassin, ClamAV, MailScanner, and MailWatch.
First let’s install some prerequisites from the CentOS base packages:
# yum install wget ntp vixie-cron crontabs postfix patch rpm-build binutils glibc-devel gcc make yum-protectbase yum-priorities
Next we’ll disable SELinux. I generally disable this on servers but you may want to keep it turned on if security is more of a concern. To disable, edit /etc/selinux/config and modify the parameter to read:
SELINUX=disabled
Reboot the server and log back in.
Now we’ll disable the iptables firewall. If you do this make sure that the server is not exposed directly to the internet and is behind a firewall or filtering router of some kind. Once everything is configured properly you’ll want to re-enable iptables and set up rules to allow inbound traffic like SMTP.
# chkconfig iptables off && service iptables stop
Configuring and Verifying Postfix
Now we’ll configure Postfix as an email relay. Edit /etc/postfix/main.cf to include these parameters:
myhostname = YourHost.YourDomain.com
mydomain = localhost
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks_style = host
Also modify the following line in main.cf to specify the domains for which Postfix will relay email. Email whose destination domain is listed here will be forwarded to your internal email server. If you want to include multiple domains, separate them with whitespace.
relay_domains = YourDomain.com
Append this to the end of main.cf to allow Postfix to map email addresses to the transport method such as local or SMTP:
transport_maps = hash:/etc/postfix/transport
Next append this line to /etc/postfix/transport to specify the transport protocol and the server that email for this domain is forwarded to:
YourDomain.com smtp:[192.168.10.7]
Now let’s build the lookup tables to activate email forwarding:
# postmap /etc/postfix/transport
Now you’ll want to test the above configuration and ensure that Postfix is relaying email to your internal email server. Restart the Postfix daemon to apply the configuration, then test that email is being forwarded.
# service postfix restart
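A quick consistency check for the relay configuration above, added here as an example and not part of the original post: it takes the paths of main.cf and the transport file as parameters (the real ones are /etc/postfix/main.cf and /etc/postfix/transport) and fails if a relay domain has no smtp: transport entry or if postmap has not been run since the transport file was last edited.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the Postfix relay
# settings this how-to asks for. It confirms that every domain listed in
# relay_domains has a matching smtp: entry in the transport file and that
# transport.db has been rebuilt with postmap since the file was last edited.
# Paths are parameters so it can run against scratch copies; the real files
# live in /etc/postfix.

# Print the value of a main.cf parameter (last definition wins, as in Postfix).
mcf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_relay_transport MAIN_CF TRANSPORT_FILE
# Returns 0 when the relay configuration is consistent, 1 otherwise.
check_relay_transport() {
    main_cf=$1; transport=$2; rc=0
    # relay_domains may be separated by whitespace or commas.
    domains=$(mcf_get "$main_cf" relay_domains | tr ',' ' ')
    if [ -z "$domains" ]; then
        echo "relay_domains is not set in $main_cf" >&2
        return 1
    fi
    case "$(mcf_get "$main_cf" transport_maps)" in
        hash:*) ;;
        *) echo "transport_maps is not a hash: table in $main_cf" >&2; rc=1 ;;
    esac
    for d in $domains; do
        # Escape dots so the domain is matched literally, then look for a line
        # of the form:  YourDomain.com smtp:[192.168.10.7]   (optional :port)
        pat=$(printf '%s\n' "$d" | sed 's/\./\\./g')
        if ! grep -Eiq "^[[:space:]]*$pat[[:space:]]+smtp:\[?[A-Za-z0-9.-]+\]?(:[0-9]+)?[[:space:]]*$" "$transport"; then
            echo "no smtp transport entry for $d in $transport" >&2
            rc=1
        fi
    done
    # postmap writes transport.db; if it is missing or older than the source
    # file, Postfix is still using a stale map (or none at all).
    if [ ! -f "$transport.db" ] || [ "$transport" -nt "$transport.db" ]; then
        echo "$transport.db missing or stale: run 'postmap $transport'" >&2
        rc=1
    fi
    return $rc
}
```

Run it as `check_relay_transport /etc/postfix/main.cf /etc/postfix/transport` after every edit of either file; a non-zero exit means mail for one of your domains will not be relayed as intended.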
Install MailScanner
First we need to download and extract the MailScanner archive:
# cd ~
# wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.79.11-1.rpm.tar.gz
# tar zxvf MailScanner-4.79.11-1.rpm.tar.gz
# cd MailScanner-4.79.11-1
Time to run the install script. It will warn us if any prerequisites are missing.
# ./install.sh
Once the installer has finished, disable the automatic startup of Postfix and enable MailScanner; the MailScanner startup script will handle starting Postfix:
# chkconfig postfix off
# service postfix stop
# chkconfig MailScanner on
Give the Postfix user permissions on the MailScanner directories:
# chown postfix.postfix /var/spool/MailScanner/incoming
# chown postfix.postfix /var/spool/MailScanner/quarantine
Time to edit /etc/MailScanner/MailScanner.conf and change the following parameters to tell MailScanner to use Postfix:
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Use SpamAssassin = no
Edit /etc/postfix/main.cf to include the following parameter:
header_checks = regexp:/etc/postfix/header_checks
Append this line to /etc/postfix/header_checks:
/^Received:/ HOLD
Now start MailScanner and once again test that email is forwarding to your email server properly:
# service MailScanner start
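The Postfix-to-MailScanner hand-off above has three links that must all agree: main.cf must point at a regexp header_checks table, that table must HOLD every message, and MailScanner must read the hold queue and write to Postfix’s incoming queue. The following check is an added example, not part of the original post; it takes the paths of main.cf, header_checks and MailScanner.conf as parameters so it can be run against scratch copies.

```shell
#!/bin/sh
# Added example, not from the original post: verify the Postfix <-> MailScanner
# wiring. Postfix parks every incoming message in its hold queue (header_checks
# HOLD), MailScanner reads that directory, scans, and drops clean mail into
# Postfix's incoming queue. If any link is missing, mail either bypasses
# scanning or sits in hold forever.

# Value of "Key = value" in a Postfix- or MailScanner-style config (last wins).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_hold_wiring MAIN_CF HEADER_CHECKS_FILE MAILSCANNER_CONF
# Returns 0 when all three pieces agree, 1 otherwise.
check_hold_wiring() {
    main_cf=$1; hc=$2; ms=$3; rc=0
    # 1. Postfix must consult a regexp header_checks table ...
    case "$(cfg_get "$main_cf" header_checks)" in
        regexp:*) ;;
        *) echo "$main_cf: header_checks is not a regexp: table" >&2; rc=1 ;;
    esac
    # 2. ... and that table must HOLD every message (all mail has a Received: header).
    if ! grep -Eq '^/\^Received:/[[:space:]]+HOLD[[:space:]]*$' "$hc"; then
        echo "$hc: missing '/^Received:/ HOLD' rule" >&2; rc=1
    fi
    # 3. MailScanner must read from the hold queue and write to the incoming queue.
    case "$(cfg_get "$ms" 'Incoming Queue Dir')" in
        */hold) ;;
        *) echo "$ms: Incoming Queue Dir must be Postfix's hold directory" >&2; rc=1 ;;
    esac
    case "$(cfg_get "$ms" 'Outgoing Queue Dir')" in
        */incoming) ;;
        *) echo "$ms: Outgoing Queue Dir must be Postfix's incoming directory" >&2; rc=1 ;;
    esac
    [ "$(cfg_get "$ms" MTA)" = postfix ] || { echo "$ms: MTA must be postfix" >&2; rc=1; }
    return $rc
}
```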
Install ClamAV
We need to activate the RPMForge repository which contains an updated version of ClamAV.
# cd ~
# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
# rpm -ivh rpmforge-release-0.5.1-1.el5.rf.i386.rpm
I found an error in the repository file that is installed. Edit /etc/yum.repos.d/rpmforge.repo and, under the [rpmforge] section, change:
enable = 0
to
enabled = 0
This ensures that the RPMForge repository is only activated when we explicitly request it while running yum, rather than shadowing the CentOS base packages.
Now it’s time to install ClamAV:
# yum install --enablerepo=rpmforge clamav clamav-db clamd
Update ClamAV to include the newest virus definitions:
# freshclam
Edit /etc/MailScanner/MailScanner.conf to properly identify the ClamAV update paths:
Monitors for ClamAV Updates = /var/clamav/*.cld /var/clamav/*.cvd
Install SpamAssassin
# yum install spamassassin
Set up directories for SpamAssassin:
# mkdir /var/spool/MailScanner/spamassassin
# chown postfix.postfix /var/spool/MailScanner/spamassassin
Configure MailScanner for SpamAssassin by editing /etc/MailScanner/MailScanner.conf:
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Now let’s restart MailScanner and test email forwarding again:
# service MailScanner restart
Now is also a good time to test and verify that ClamAV and SpamAssassin are filtering viruses and spam properly. The following websites provide test files and strings that let you confirm that filtering is working:
http://www.eicar.org/anti_virus_test_file.htm
http://spamassassin.apache.org/gtube/
By default, email that SpamAssassin identifies as spam is not forwarded to your internal email server, so to verify that spam is being filtered correctly, check the contents of the maillog:
# tail /var/log/maillog
Install MailWatch
PHP, MySQL, and Apache are prerequisites for MailWatch so let’s start by installing these plus a few other needed packages:
# yum install mysql-server php php-mysql php-gd httpd perl-DBD-MySQL
It’s a good idea to set the password on the root user account inside MySQL:
# /usr/bin/mysqladmin -u root password 'new-password'
Now we need to make a change to a parameter in /etc/php.ini:
magic_quotes_gpc = On
Download the MailWatch archive and extract the files:
# cd ~
# wget http://downloads.sourceforge.net/project/mailwatch/mailwatch/1.0.5/mailwatch-1.0.5.tar.gz
# tar zxvf mailwatch-1.0.5.tar.gz
# cd mailwatch-1.0.5
Edit /etc/MailScanner/MailScanner.conf and set the following parameter, otherwise you may receive an error when you attempt to start MailWatch:
Virus Scanners = clamav
Now proceed to run through the MailWatch installation instructions here:
http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:install
Once the MailWatch setup is finished, your email gateway is complete.
Hey Aaron, this is a great how-to. Definitely helped me set up a secondary backup MTA should anything ever go wrong with our IronPort (again, heh). The only problem that I had was with the MailWatch setup, I followed their directions in their wiki but had an issue with MailScanner not actually logging any email to the DB. I traced it down to an omission of an important step: you need to configure and install MailWatch.pm (found in the mailwatch-x.x.x package) and place this into /usr/lib/MailScanner/MailScanner/CustomFunctions/ somewhere between the time of copying in SQLBlackWhiteList.pm and restarting the MailScanner service. I hope this helps any other people reading this article, because I had a hard time looking for a solution myself.
Thanks again Aaron!
Great tutorial…
Change the typo "Append this line to /etc/postfix_header_checks" to "Append this line to /etc/postfix/header_checks".
B’Regards
Updated. Thanks for the info, Bahadir.
This is a great tutorial, thanks for the effort. I have clustered Barracudas but needed an open MTA to allow individual hosts trying to send out. Great job.
The following link is not available now. Could you please let me know how to install MailWatch? Many thx!
http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:install
Yes, there is indeed a problem with that link, Ray. You could try here:
http://sourceforge.net/projects/mailwatch/
Thanks a lot. Of paramount importance is the effect that optimising MySQL variables can have on speed.
Yours, Eug.
Good tutorial, regards!!!!
Dear sir, I have some problem. Let me describe. I have a domain (abc.com). It is at two places: server "A" and server "B". "A" is the main server; B is secondary. Some users are on server A, but those users are not on server B. When I send mail through server B it says user unknown.
I am configuring MailScanner and MailWatch for qmail, but I failed to get mail on MailScanner. Also, after configuring MailWatch and MailScanner, all mail gets stuck in the queue and is not delivered. What to do? Can you please guide me for qmail?