Set Up an Email Gateway with CentOS Linux 5.4
Today I’m going to walk you through the setup of an open source email gateway on CentOS 5.4. The tools we’ll use include Postfix, SpamAssassin, ClamAV, MailScanner, and MailWatch.
First let’s install some prerequisites from the CentOS base packages:
# yum install wget ntp vixie-cron crontabs postfix patch rpm-build binutils glibc-devel gcc make yum-protectbase yum-priorities
Next we’ll disable SELinux. I generally disable this on servers but you may want to keep it turned on if security is more of a concern. To disable, edit /etc/selinux/config and modify the parameter to read:
Reboot the server and log back in.
Now we’ll disable the iptables firewall. If you do this, make sure that the server is not exposed directly to the internet and is behind a firewall or filtering router of some kind. Once everything is configured properly, you’ll want to re-enable iptables and set up rules to allow inbound traffic like SMTP.
# chkconfig iptables off && service iptables stop
Configuring and Verifying Postfix
Now we’ll configure Postfix as an email relay. Edit /etc/postfix/main.cf to include these parameters:
myhostname = YourHost.YourDomain.com
mydomain = localhost
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks_style = host
Also modify the following line in main.cf to specify the domains for which Postfix will relay email. Email whose destination domain is listed here will be forwarded to your email server. To include multiple domains, separate them with whitespace.
relay_domains = YourDomain.com
Append this to the end of main.cf to allow Postfix to map email addresses to the transport method such as local or SMTP:
transport_maps = hash:/etc/postfix/transport
Next append this line to /etc/postfix/transport to specify the transport protocol and what server to forward the email to for this domain:
Now let’s build the lookup tables to activate email forwarding:
# postmap /etc/postfix/transport
Now you’ll want to test the above configuration and ensure that Postfix is relaying email to your internal email server. Stop the Postfix daemon and restart to apply the configuration, and test that email is being forwarded.
# service postfix restart
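Before sending test mail, the relay settings from the steps above can be checked against each other. This is an added example, not part of the original walkthrough: the function names are hypothetical, the sample files are constructed, and 192.0.2.10 is a placeholder for the internal mail server.

```shell
#!/bin/sh
# Added example: audit the relay settings this walkthrough puts in main.cf.

# conf_get FILE PARAM: print a main.cf parameter; the last definition wins.
# Continuation lines (leading whitespace) are not followed.
conf_get() {
    awk -v k="$2" '
        /^[ \t#]/ { next }
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
          if (key == k) { val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) } }
        END { print val }' "$1"
}

# audit_relay MAIN_CF TRANSPORT: print findings; exit status = number of failures.
audit_relay() {
    cf=$1; tmap=$2; fails=0
    relay=$(conf_get "$cf" relay_domains)
    if [ -z "$relay" ]; then echo "FAIL relay_domains is empty"; fails=$((fails + 1)); fi
    # An explicit mynetworks overrides mynetworks_style, so look at both.
    if [ -n "$(conf_get "$cf" mynetworks)" ]; then
        echo "WARN mynetworks is set and overrides mynetworks_style; review it"
    elif [ "$(conf_get "$cf" mynetworks_style)" != host ]; then
        echo "FAIL mynetworks_style is not host: other machines may relay"
        fails=$((fails + 1))
    fi
    case $(conf_get "$cf" transport_maps) in
        hash:*) ;;
        *) echo "FAIL transport_maps is not a hash: table"; fails=$((fails + 1)) ;;
    esac
    # Each relayed domain needs a transport entry; otherwise Postfix falls back
    # to a DNS lookup for the next hop. postmap lowercases keys, so ignore case.
    for d in $(printf '%s\n' "$relay" | tr ',' ' '); do
        awk -v d="$d" '!/^[ \t]*#/ && tolower($1) == tolower(d) { ok = 1 }
                       END { exit !ok }' "$tmap" ||
            { echo "FAIL no transport entry for $d"; fails=$((fails + 1)); }
    done
    [ "$fails" -eq 0 ] && echo "OK relay settings match the walkthrough"
    return "$fails"
}

# Constructed sample files standing in for /etc/postfix/main.cf and transport.
demo=$(mktemp -d)
printf '%s\n' 'mynetworks_style = host' 'relay_domains = YourDomain.com' \
    'transport_maps = hash:/etc/postfix/transport' > "$demo/main.cf"
printf '%s\n' 'YourDomain.com smtp:[192.0.2.10]' > "$demo/transport"
audit_relay "$demo/main.cf" "$demo/transport"
```

On the gateway itself, run `audit_relay /etc/postfix/main.cf /etc/postfix/transport`.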
First we need to download and extract the MailScanner archive:
# cd ~
# wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.79.11-1.rpm.tar.gz
# tar zxvf MailScanner-4.79.11-1.rpm.tar.gz
# cd MailScanner-4.79.11-1
Time to run the install script. It will warn us if any prerequisites are missing.
Once the installer has finished, disable the automatic startup of Postfix and enable MailScanner. The MailScanner startup script will handle the startup of Postfix:
# chkconfig postfix off
# service postfix stop
# chkconfig MailScanner on
Give the Postfix user permissions on the MailScanner directories:
# chown postfix.postfix /var/spool/MailScanner/incoming
# chown postfix.postfix /var/spool/MailScanner/quarantine
Time to edit /etc/MailScanner/MailScanner.conf and change the following parameters to tell MailScanner to use Postfix:
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Use SpamAssassin = no
Edit /etc/postfix/main.cf to include the following parameter:
header_checks = regexp:/etc/postfix/header_checks
Append this line to /etc/postfix/header_checks:
Now start MailScanner and once again test that email is forwarding to your email server properly:
# service MailScanner start
We need to activate the RPMForge repository which contains an updated version of ClamAV.
# cd ~
# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
# rpm -ivh rpmforge-release-0.5.1-1.el5.rf.i386.rpm
I found an error in the repository file that is installed. Edit /etc/yum.repos.d/rpmforge.repo and, under the [rpmforge] section, change:
enable = 0
to:
enabled = 0
This ensures that the RPMForge repository is only activated when we explicitly request it when running yum.
Now it’s time to install ClamAV:
# yum install --enablerepo=rpmforge clamav clamav-db clamd
Update ClamAV to include the newest virus definitions:
Edit /etc/MailScanner/MailScanner.conf to properly identify the ClamAV update paths:
Monitors for ClamAV Updates = /var/clamav/*.cld /var/clamav/*.cvd
# yum install spamassassin
Set up directories for SpamAssassin:
# mkdir /var/spool/MailScanner/spamassassin
# chown postfix.postfix /var/spool/MailScanner/spamassassin
Configure MailScanner for SpamAssassin by editing /etc/MailScanner/MailScanner.conf:
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Now let’s restart MailScanner and test email forwarding again:
# service MailScanner restart
Now is a good time also to test and verify that ClamAV and SpamAssassin are filtering viruses and spam properly. The following websites have test files and strings that should allow you to see if filtering is working.
By default SpamAssassin will not forward email that it identifies as spam to your internal email server, so to verify that spam is being filtered correctly, check the contents of the maillog:
# tail /var/log/maillog
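Reading the tail by eye gets tedious once several test messages have gone through, so the check can be scripted. This is an added example, not part of the original walkthrough: the function names are hypothetical, and the log lines are constructed and only modelled on MailScanner's syslog messages, so compare the patterns with your own maillog before relying on them.

```shell
#!/bin/sh
# Added example: summarise MailScanner verdicts and spot flagged mail that was
# still handed back to Postfix. The log format here is an assumption.

# verdicts FILE: print "<spam|virus> <message id> <source IP>" per flagged message.
verdicts() {
    awk '$5 ~ /^MailScanner\[/ {
        if ($6 == "Message" && / is spam/)       print "spam", $7, $9
        if ($6 == "Infected" && $7 == "message") print "virus", $8, $NF
    }' "$1"
}

# passed_on FILE: print flagged message ids that were later requeued, i.e.
# moved to the outgoing queue for delivery despite the verdict.
passed_on() {
    awk '$5 ~ /^MailScanner\[/ {
        if ($6 == "Message" && / is spam/)       flagged[$7] = "spam"
        if ($6 == "Infected" && $7 == "message") flagged[$8] = "virus"
        if ($6 == "Requeue:" && ($7 in flagged)) print flagged[$7], $7
    }' "$1"
}

# Constructed sample: one spam test mail, one virus test mail, one clean message.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Jan 12 10:15:03 gw MailScanner[2101]: Message 5B1C2D3E4F.A1B2C from 192.0.2.55 (test@example.net) to yourdomain.com is spam, SpamAssassin (score=1000.5, required 6, GTUBE 1000.00)
Jan 12 10:15:03 gw MailScanner[2101]: Spam Actions: message 5B1C2D3E4F.A1B2C actions are store
Jan 12 10:16:40 gw MailScanner[2101]: Infected message 6C2D3E4F5A.B2C3D came from 192.0.2.77
Jan 12 10:17:12 gw MailScanner[2101]: Requeue: 7D3E4F5A6B.C3D4E to 8E4F5A6B7C
Jan 12 10:17:13 gw postfix/smtp[2210]: 8E4F5A6B7C: to=<user@yourdomain.com>, relay=192.0.2.10[192.0.2.10]:25, status=sent
EOF
verdicts "$sample"
passed_on "$sample"   # no output here: neither flagged message was requeued
```

Against the live log, run `verdicts /var/log/maillog` and `passed_on /var/log/maillog`; any output from the second means a flagged message was still queued for delivery.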
PHP, MySQL, and Apache are prerequisites for MailWatch so let’s start by installing these plus a few other needed packages:
# yum install mysql-server php php-mysql php-gd httpd perl-DBD-MySQL
It’s a good idea to set the password on the root user account inside MySQL:
# /usr/bin/mysqladmin -u root password 'new-password'
Now we need to make a change to a parameter in /etc/php.ini:
magic_quotes_gpc = On
Download the MailWatch archive and extract the files:
# cd ~
# wget http://downloads.sourceforge.net/project/mailwatch/mailwatch/1.0.5/mailwatch-1.0.5.tar.gz
# tar zxvf mailwatch-1.0.5.tar.gz
# cd mailwatch-1.0.5
Edit /etc/MailScanner/MailScanner.conf, otherwise you may receive an error when you attempt to start MailWatch:
Virus Scanners = clamav
Now proceed to run through the MailWatch installation instructions here:
Once the MailWatch setup is finished, your email gateway should be complete.