Implementing a Postfix mail server with spam and antivirus protection

This was taken from the web originally (sorry I don't remember where or I would attribute)

Updated for Fedora Core 7 on Sat 16 Jun 2007 01:45:55 PM EST 

Installation

To begin, you'll want to make sure your system is up-to-date. Run yum update if you haven't already.

yum install postfix dovecot spamassassin squirrelmail clamav clamav-server clamav-update clamav-lib clamav-data amavisd-new

Wait until all the packages and dependencies are installed.

By default, Fedora and Red Hat distributions come with sendmail set as the MTA for the system. You can check or change the default MTA with the system-switch-mail utility. If you don't have it installed yet, install it now:

yum install system-switch-mail system-switch-mail-gnome

Simply run the system-switch-mail tool and select Postfix as your default MTA.

Now that you have all the necessary applications and tools installed, it's time to configure them to work together.

Setting up Postfix

To configure Postfix, edit the main Postfix configuration file /etc/postfix/main.cf and change these entries as follows:

#This is your fully qualified domain name (FQDN):
myhostname = mail.jamesmcdonald.id.au

#myorigin specifies the default domain name that is appended
myorigin = jamesmcdonald.id.au

#By the parameter "all" we allow the connections to our server
# from anywhere, not only from localhost
inet_interfaces = all

#The mydestination parameter specifies the list of domains that
#this machine considers itself the final destination for.
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost, blackbox.jmcd.local

#Reject the unknown users
local_recipient_maps = unix:passwd.byname $alias_maps

#With this parameter we make sure that our server won't be an open relay server
# mynetworks_style = host
mynetworks = 127.0.0.0/8 10.254.239.0/24

The configuration file is well commented, so if you need more info about the configuration, dig into it. For even more information on Postfix, see the Postfix.org documentation.

Next, start the Postfix service with the command service postfix start. Also make sure the service is automatically started at boot time:

chkconfig postfix on

Setting up Dovecot

Now it's time to set up Dovecot. Edit the Dovecot config file, /etc/dovecot.conf, to suit your needs. In this case we want to enable POP3, secure POP3, IMAP, and secure IMAP services as shown:

protocols = imap imaps pop3 pop3s
imap_listen = *
pop3_listen = *
imaps_listen = *
pop3s_listen = *

After that's done, start the Dovecot service and make sure that it's started at boot time:

service dovecot start
chkconfig dovecot on

Setting up Squirrelmail

In order to be able to use webmail, you need to have Apache's httpd service up and running. It shouldn't be necessary to do any extra configuring of httpd config file for this task, so you can just use it as is. Start the service and make sure it's started at boot time:

service httpd start
chkconfig httpd on

The installation of Squirrelmail will not change your httpd.conf file. Instead, Squirrelmail creates the file squirrelmail.conf in /etc/httpd/conf.d. This file links the /webmail/ virtual folder to the actual Squirrelmail folder installation located at /usr/share/squirrelmail.

Edit the /usr/share/squirrelmail/config/config.php file and change the domain$ variable to match your domain name, in order to make the from-domain setting (when sending email from Web) correct. For our server, it looks like this:

$domain = 'jamesmcdonald.id.au';

To test webmail, go to http://localhost/webmail/ or http://your_domain_name/webmail/ and log in to check your email and send a few test messages.

Blocking spam and viruses

SpamAssassin is configured right out of the box when you install it, so you shouldn't need to change anything here. However, to reduce the chance that a false positive will tag known addresses, you can whitelist addresses. The file /etc/mail/spammassassin/local.cf should list known email addresses, in a format similar to:

whitelist_from anzevi@some-strange-domain.com
whitelist_from anze@out-there-somewhere.net

Spamassassin will be called by amavisd-new, so we don't need to configure the SpamAssassin daemon to start at boot time.

To block viruses, we need to configure ClamAV to connect daily to an Internet-based antivirus database and fetch new virus definitions. You need to have a cron daemon running in order for ClamAV to fetch the virus definitions.

First, edit /etc/sysconfig/freshclam and comment out the following line:

#FRESHCLAM_DELAY=disabled-warn  # REMOVE ME

Next, edit /etc/freshclam.conf and change the antivirus database to the closest mirror to your location:

#Example
DatabaseMirror db.au.clamav.net

To test ClamAV, run the clamscan command in your home folder. The AV client should check your home directory and subdirectories for viruses. Since you are running this check on a Linux box for local files, I'm pretty sure ClamAV won't find any viruses on your machine.

To test updating the virus definitions, run freshclam.

After making the changes, start the service with service amavisd start, and set it to start at boot with chkconfig amavisd on.

note: there is another service clamd.amavisd which doesn't need starting

Now, test your configuration to see that everything works. Telnet to port 10024 and you should see something like this:

[root@mail ~]# telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
quit
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Connection closed by foreign host.

If you are able to telnet to port 10024 and you are greeted by amavisd-new, you've done a good job and you may continue with the configuration. If you're unable to connect to that port, make sure the amavisd service is running, and look for errors in /var/log/messages.

Additional Postfix configuration

Once amavisd is configured and working correctly, you need to configure Postfix so it knows how to communicate with amavisd-new. Copy the following lines to the bottom of your existing /etc/postfix/master.cf file:

smtp-amavis unix -      -       n     -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       n     -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

You can find more information how this work in the amavisd documentation in your /usr/share/doc folder. For example, since we're running amavisd 2.3.3, we would check the /usr/share/doc/amavisd-new-2.3.3/README.postfix file.

Save the file and reload the Postfix service, then test it by using telnet to connect to port 10025:

[root@mail ~]# telnet localhost 10025
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.srv.dyndns.org ESMTP Postfix
quit
221 Bye
Connection closed by foreign host.

If this works for you, you have a working configuration, and you are ready to make the final changes to Postfix.

Add this line to the end of /etc/postfix/main.cf:

content_filter = smtp-amavis:[127.0.0.1]:10024

You can also use postconf -e 'content_filter=smtp-amavis:[127.0.0.1]:10024' to
add the content_filter configuration line to main.cf

Once you've done this, Postfix will send all incoming and outgoing mail directly through the content filter that you configured earlier.

Testing

Goto http://www.abuse.net/cgi-bin/relaytest and check to make sure you haven't configured an open relay.

All you have to do now is send yourself some clean email messages and some spam, junk, and viruses, and see what's happening on your mail server. You can find sample messages with spam and virus content in /usr/share/doc/amavisd-new-X.X.X/test-messages folder. The best way to see in real time what is going on your mail server is to watch /var/log/maillog for entries using tail -f /var/log/maillog.

That's all you need to do to configure Postfix and the helper applications to provide antivirus, spam filtering, webmail, POP, and IMAP access. Enjoy your new mail server!