Monday, May 12, 2008

FreeBSD, Postfix, Mailscanner and Mailwatch Installation

Installing postfix, mailscanner and mailwatch on FreeBSD

I have set up a number of servers using mailscanner and postfix to do anti-spam and anti-virus checking. This particular example will show you how to set the server up as a mail gateway, i.e. all inbound and outbound mail will go via this server. You can also use the server as a POP3/IMAP4 server, and doing so makes life a little easier as you don't have to worry about the transport and relay_hosts files. I will cover that at a later stage, when I get a chance.
This may seem strange, but as there is quite a bit involved in installing and configuring, I am splitting this into two How-To's: this one, the install How-To, and the configuration How-To.

First off, it's probably best to start on a new install of FreeBSD, once you have done the initial portsnap fetch and portsnap extract.

Right, here we go.

Two things you might want to do first are to force your NIC to 100Mb full duplex and to install lsof.

Type in ifconfig
and check whether the ethernet interface is running at 100 Full-Duplex or Half Duplex. You can force 100 Full Duplex by editing your /etc/rc.conf file;
here is an example

ifconfig_em0="inet 192.168.1.46 netmask 255.255.252.0 media 100baseTX mediaopt full-duplex"

cd /usr/ports/sysutils/lsof
make install clean

You can use lsof -i to check what is running and which ports are in use.
Here is an example
# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 262 root 16u IPv4 0xc5d15000 0t0 TCP *:http (LISTEN)
httpd 263 www 16u IPv4 0xc5d15000 0t0 TCP *:http (LISTEN)
httpd 264 www 16u IPv4 0xc5d15000 0t0 TCP *:http (LISTEN)
syslogd 491 root 6u IPv6 0xc568c000 0t0 UDP *:syslog
syslogd 491 root 7u IPv4 0xc568bec4 0t0 UDP *:syslog
sshd 612 root 3u IPv6 0xc57b4000 0t0 TCP *:ssh (LISTEN)
sshd 612 root 4u IPv4 0xc57b3cb0 0t0 TCP *:ssh (LISTEN)


Install Apache:
You are going to need this for Mailwatch

cd /usr/ports/www/apache13
make install clean

Once installed,
edit rc.d and rc.conf

vi /etc/rc.conf
add the following line
apache_enable="YES"

In theory you should not have to worry about changing the NO to a YES in /usr/local/etc/rc.d, but I have run into issues in the past where setting it in /etc/rc.conf still does not start the service.
vi /usr/local/etc/rc.d/apache
look for
apache_enable=${apache_enable-"NO"}
and change it to
apache_enable=${apache_enable-"YES"}

Then install php4
cd /usr/ports/lang/php4
make install clean
select the apache module if it's not selected already

Then you install Mysql Server 5.0 (this is also used by Mailscanner and Mailwatch)

cd /usr/ports/databases/mysql50-server
make install clean
You should not have to make any changes; the default config should be fine as is.
Once you have installed mysql, edit rc.d and rc.conf.

vi /etc/rc.conf
and add
mysql_enable="YES"

then vi /usr/local/etc/rc.d/mysql-server
and change
: ${mysql_enable="NO"}
to
: ${mysql_enable="YES"}


Postfix
Postfix is the MTA that will accept the mail and push it on to the next server once mailscanner has processed it all.

cd /usr/ports/mail/postfix
make install clean

Depending on what you want to do, you just have to select the following. You can of course add SASL or Mysql and others if you want to use mysql maps or have SMTP authentication; in this example we are foregoing all that as it's just a gateway.

During the postfix install you will see this pop up in the console screen

Added group "postfix".
Added group "maildrop".
Added user "postfix".
You need user "postfix" added to group "mail".
Would you like me to add it [y]?

Press y and enter, and the install will continue.

Would you like to activate Postfix in /etc/mail/mailer.conf [n]?
Now you press n and enter; once again the install will continue.

If you choose to completely disable sendmail (see the rc.conf info below), then you can choose y; see below for details.
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail /usr/libexec/sendmail/sendmail
send-mail /usr/libexec/sendmail/sendmail
mailq /usr/libexec/sendmail/sendmail
newaliases /usr/libexec/sendmail/sendmail
hoststat /usr/libexec/sendmail/sendmail
purgestat /usr/libexec/sendmail/sendmail

You see that the mailer is /usr/libexec/sendmail/sendmail; this is the base system sendmail. Also notice the remark: Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail

If you entered y, your mailer.conf file will look like this:

#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail /usr/local/sbin/sendmail
send-mail /usr/local/sbin/sendmail
mailq /usr/local/sbin/sendmail
newaliases /usr/local/sbin/sendmail

These are the postfix executables (notice the remark: Execute the Postfix sendmail program, named /usr/local/sbin/sendmail).

Now you edit the rc.conf and rc.d files again

vi /etc/rc.conf
and add the below
postfix_enable="YES"
sendmail_enable="NONE"

If you want to make sure that sendmail is completely disabled, then use the following instead
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

also create a file /etc/periodic.conf containing the following

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

then vi /usr/local/etc/rc.d/postfix
and change from
: ${postfix_enable="NO"}
to
: ${postfix_enable="YES"}

If you like, you can go ahead and edit the alias file for postfix: vi /etc/aliases

Where it says root: me, change it to your address or an alias like networks@yourdomain.com.
Of course you can leave it as it is, but either way run postalias /etc/aliases so that it creates the aliases.db file. Without this you will have issues getting postfix started and accepting mail.

Installing Mailscanner

Now you can go ahead and install mailscanner.
Mailscanner is a brilliant open source AntiSpam and Antivirus server that is as close to commercial offerings like MailMarshal as anything I have seen. If you use and like mailscanner, you really should consider making a donation.

cd /usr/ports/mail/mailscanner
make install clean

Next you will see this message while Mailscanner is compiling.

*************************************************************************
/bin/ln -s /usr/local/etc/MailScanner/spam.assassin.prefs.conf /usr/local/etc/mail/spamassassin/mailscanner.cf
# Display warning about new start/stop scripts
*************************************************************************

ATTENTION
The MailScanner port uses new start/stop scripts according to rc.subr
standard. Your old scripts will be overwritten after you press ENTER.
To start mailscanner and your mta, please put the correct statements in
your rc.conf. For examples/syntax please look at mailscanner.sh and
mta.sh in your rc.d directory.

Please: Also have a look at CHANGES.port in your MailScanner
doc dir (see above).

*************************************************************************
Press ENTER to continue...

Now, before you go off and press Enter, scroll up in the session / console and you will see this

make renew-wrapper
make renew-autoupdate
make renew-reports

Just copy the text and hit ENTER as it says, and wait till mailscanner is installed.
Or you can do the following:

While mailscanner is building you can open another console or session to the server.
If you have local access you can use ALT-F1, or just ssh to the server again; or of course you can wait till it's done and run the commands below afterwards.

Once you are connected to a different console / session,
cd to the mailscanner port directory again
cd /usr/ports/mail/mailscanner

and paste
make renew-wrapper
make renew-autoupdate
make renew-reports

Then in the original session / console just hit Enter as it says.

OK, cd to /usr/local/etc/rc.d

After mailscanner is installed you should have the following startup scripts there:
clamav-freshclam
Freshclam will check to see if there are new virus pattern updates and download them on an hourly or daily basis. In the configuration How-To I will show you what to edit.
vi clamav-freshclam
and change
: ${clamav_freshclam_enable="NO"}
to
: ${clamav_freshclam_enable="YES"}

then add
clamav_freshclam_enable="YES" to /etc/rc.conf

clamav-clamd
Clamav is the actual anti-virus scanner. When mail enters the queue we will check a number of things, including RBLs (real-time blacklists), and then the message will be scanned for viruses.

vi clamav-clamd
and change
: ${clamav_clamd_enable="NO"}
to
: ${clamav_clamd_enable="YES"}

then add clamav_clamd_enable="YES" to /etc/rc.conf


mta
You can leave mta as is, as the postfix startup file has already been sorted out.


sa-spamd

Sa-spamd is the spamassassin daemon that runs with mailscanner. It will check the message for various indicators and score them; if a mail has a score higher than, say, 4, the message will be sent to a quarantine.

vi sa-spamd
and change
: ${spamd_enable:="NO"}

to
: ${spamd_enable:="YES"}

and add
spamd_enable="YES" to /etc/rc.conf


mailscanner

Mailscanner is what basically runs and coordinates all of the above: spamd, clamav etc.

vi mailscanner
and change
: ${mailscanner_enable="NO"}
to
: ${mailscanner_enable="YES"}

and add mailscanner_enable="YES" to /etc/rc.conf

Your rc.conf file should look like this now

defaultrouter="192.168.0.1"
hostname="mailav01.yourdomain.com"
ifconfig_em0="inet 192.168.1.4 netmask 255.255.255.0 media 100baseTX mediaopt full-duplex"
sendmail_enable="NONE"
sshd_enable="YES"
apache_enable="YES"
mysql_enable="YES"
clamav_freshclam_enable="YES"
clamav_clamd_enable="YES"
spamd_enable="YES"
mailscanner_enable="YES"
postfix_enable="YES"
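As an added example (not part of the original post), here is a small sh script that checks the rc.conf shown above and the mailer.conf change from the Postfix step: every service this how-to enables must be YES, the base-system sendmail must be NONE or NO, and each mailer.conf wrapper must point at the Postfix binary. The function names and the sample rc.conf it builds are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): post-install check of the gateway
# settings this how-to ends with. Pass an rc.conf and a mailer.conf (or copies).

# rc_value FILE VAR: last value assigned to VAR in FILE, quotes stripped
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']*\([^\"']*\)[\"']*.*/\1/p" "$1" | tail -n 1
}

# check_gateway_rc FILE: 0 when every service is enabled and base sendmail is off
check_gateway_rc() {
    rc=0
    for var in apache_enable mysql_enable clamav_freshclam_enable \
               clamav_clamd_enable spamd_enable mailscanner_enable postfix_enable; do
        val=$(rc_value "$1" "$var")
        if [ "$val" != "YES" ]; then
            echo "rc.conf: $var should be YES (got '${val:-unset}')"; rc=1
        fi
    done
    # the base-system sendmail must not come up alongside Postfix on port 25
    case "$(rc_value "$1" sendmail_enable)" in
        NONE|NO) ;;
        *) echo "rc.conf: sendmail_enable should be NONE or NO"; rc=1 ;;
    esac
    return $rc
}

# check_mailer_conf FILE: 0 when every wrapper name runs the Postfix binary
check_mailer_conf() {
    rc=0
    for name in sendmail send-mail mailq newaliases; do
        # field 1 is the wrapper name, field 2 the program it executes
        prog=$(awk -v n="$name" '$1 == n { print $2 }' "$1" | tail -n 1)
        if [ "$prog" != "/usr/local/sbin/sendmail" ]; then
            echo "mailer.conf: $name -> '${prog:-unset}', want /usr/local/sbin/sendmail"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real server's file): the rc.conf this how-to ends with
sample_rc=$(mktemp)
printf '%s\n' 'sendmail_enable="NONE"' 'apache_enable="YES"' 'mysql_enable="YES"' \
    'clamav_freshclam_enable="YES"' 'clamav_clamd_enable="YES"' 'spamd_enable="YES"' \
    'mailscanner_enable="YES"' 'postfix_enable="YES"' > "$sample_rc"
check_gateway_rc "$sample_rc" && echo "sample rc.conf: gateway services on, base sendmail off"
rm -f "$sample_rc"
```

On a real server run check_gateway_rc /etc/rc.conf and check_mailer_conf /etc/mail/mailer.conf; a non-zero exit with a printed line tells you which setting still needs fixing.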

If you installed FreeBSD using the default install and chose the auto option to set up your partitions, you will see that your /var directory / partition is pretty small, and trust me, you can easily rack up a database in the GBs, not to mention huge log files; and
the default path of mysql is /var/db/mysql.

So in your rc.conf file you might want to do this:
create a dir /usr/local/var/db and put the following line in your /etc/rc.conf

mysql_dbdir="/usr/local/var/db/mysql"

Now the database location is on the /usr partition, which is much bigger on a default install of FreeBSD.

Lastly we install Mailwatch.
You can follow the above link and download the file,
or you can use wget from your server. For some reason there is no FreeBSD port, or not one that I have seen.

cd to a place where you want to download the file to,
e.g.
cd /root/download
wget http://switch.dl.sourceforge.net/sourceforge/mailwatch/mailwatch-1.0.4.tar.gz
once it's downloaded
tar xvfz mailwatch-1.0.4.tar.gz
then
mv mailwatch-1.0.4 mailwatch
mv mailwatch /usr/local/www/

That's it for now.
Check out the configuration guide if you need assistance to configure.

1 comment:

Michael said...

Excellent how-to. However, for those users who are copy/pasting, there is an error in the php4 setup: "cd /usr/ports/lan/php4" should be "cd /usr/ports/lang/php4".

Thanks again for the great walkthrough!
