Sunday, March 22, 2015

How to set up Open WebMail in CentOS

I had originally written this tutorial for xmodulo.com
Webmail interface is one of must-have services for any mail server. Most of us are used to native email client software, but what if your favorite client software is not available for any reason? For example, you have left your laptop at home, or your phone's data plan just went dry, or maybe you are just travelling. An alternative way to access a mail service in such cases would be to use the webmail interface of your mail server. As long as there is web browser with Internet connectivity, you should be able to use the webmail interface.
Open WebMail is a lightweight, open-source webmail for Linux. The interface may be a bit old school, but Open WebMail provides the following features.
  • Custom folders
  • Mail filters
  • Changing passwords
  • Automatic mail reply (vacation/out of office responders)
  • Contacts
  • Support for large mailboxes
Open WebMail has its own repository for CentOS/RHEL/Fedora. Package for Debian is available in their site as well. However, as of this writing, the package for Debian does not work on Ubuntu due to dependencies issues.

Updating the Repository and Installing Open WebMail on CentOS

As usual, adding Repoforge repository is always recommended. The official repository for Open WebMail is added as well.
# cd /etc/yum.repos.d
# wget http://openwebmail.org/openwebmail/download/redhat/rpm/release/openwebmail.repo
Now, Open WebMail can be easily set up using yum command.
# yum install openwebmail perl-CGI httpd

Configuring Open WebMail

First of all, the file /var/www/cgi-bin/openwebmail/etc/dbm.conf is updated with the following parameters.
# vim /var/www/cgi-bin/openwebmail/etc/dbm.conf
## the previous values are overwritten ##
dbm_ext                 .pag
dbmopen_ext             none
dbmopen_haslock         no
Then Open WebMail can be initialized with an installed script as follows.
# /var/www/cgi-bin/openwebmail/openwebmail-tool.pl --init
The index.html file for Open WebMail is also prepared by using a soft link.
# ln -s /var/www/data/openwebmail/redirect.html /var/www/html/index.html
[Optional] The domain name for the mail server is defined manually to avoid any future mistakes in the @domain part of the mail address.
# vim /var/www/cgi-bin/openwebmail/etc/openwebmail.conf
domainnames             example.tst
The Apache web server is restarted.
# service httpd restart
# chkconfig httpd on
Finally, Open WebMail can be accessed by pointing the browser to the URL of the mail server: http://mail.example.tst OR http://IP-Address-of-Mail-Server
Some screenshots are provided below.
Open WebMail login page:
Open WebMail interface:
Open WebMail preferences:

Troubleshooting Open WebMail

Open WebMail may generate errors or behave abnormally if specific versions of some Perl packages are not installed. Fortunately, the packages are available in Open WebMail repository and are very easy to install. The following demonstrates how to install problematic Perl packages.
A folder is created to store the packages. It could be any folder.
# mkdir /var/www/data/openwebmail/packages
# cd /var/www/data/openwebmail/packages
Packages are downloaded.
# wget http://openwebmail.org/openwebmail/download/packages/CGI.pm-3.05.tar.gz
# wget http://openwebmail.org/openwebmail/download/packages/MIME-Base64-3.01.tar.gz
# wget http://openwebmail.org/openwebmail/download/packages/Text-Iconv-1.2.tar.gz
Install CGI.
# tar zxvf CGI.pm-3.05.tar.gz
# cd CGI.pm-3.05
# perl Makefile.PL; make; make install
Install MIME.
# tar zxvf MIME-Base64-3.01.tar.gz
# cd MIME-Base64-3.01
# perl Makefile.PL; make; make install
Install Text-Iconv.
# tar zxvf Text-Iconv-1.2.tar.gz
# cd Text-Iconv-1.2
# perl Makefile.PL; make; make install
To sum up, Open WebMail interface may be a bit old school, but it is a complete package pre-built with often needed features. Besides, the installation process is easy, and the interface is very lightweight. Open WebMail is certainly a worthy candidate when a simple webmail interface is needed.
Hope this helps.

How to set up MailScanner, Clam Antivirus and SpamAssassin in CentOS mail server

I had originally written this tutorial for xmodulo.com
In the world of mail servers, MailScanner is one of the best open source software for virus scanning and spam detection. MailScanner relies on pre-installed anti-virus and anti-spam software to check incoming and outgoing emails for malicious content or patterns of spamming. This makes sure that the mail server does not participate in the distribution of malware and unsolicited spam emails. It also helps preventing the mail server IP from becoming blacklisted, keeping the mail server records clean.
This tutorial will focus on setting up MailScanner along with Clam Antivirus and SpamAssassin in a CentOS system. The procedure should work on RHEL as well. If you are interested in setting up this system on Ubuntu, refer to this tutorial instead.
Installing MailScanner is a lengthy process, but going forward step by step should make the deployment process easy.

Preparing the System

Before we start doing anything, it should be mentioned that SELinux is disabled on CentOS. Configuring SELinux for MailScanner is beyond the scope of this tutorial. It is also necessary to add Repoforge repository on CentOS.

Installing Dependencies

yum is used to install packages that are required for MailScanner. The list is long, but fortunately yum can resolve all the dependencies.
# yum install gcc cpp perl bzip2 zip unrar make patch automake rpm-build perl-DBI perl-MIME-tools perl-DBD-SQLite binutils glibc-devel perl-Filesys-Df zlib zlib-devel

Installing ClamAV and SpamAssassin

yum can be used to install ClamAV and SpamAssassin as well. The following few steps cover how to install and prepare them.
# yum install clamav spamassassin
Update ClamAV.
# freshclam -v
Update and start SpamAssassin.
# sa-update
# service spamassassin start
# chkconfig spamassassin on
Fix a path to MailScanner by creating a symbolic link.
# ln -s /usr/bin/freshclam /usr/local/bin/freshclam

Configuring Postfix

Postfix is stopped and disabled on start-up. Postfix should not auto-start because the MailScanner service will be responsible for invoking Postfix whenever necessary.
# service postfix stop
# chkconfig postfix off
Postfix header_checks is used to hold any incoming email that Postfix receives. MailScanner performs checks on the emails held in a queue.
# vim /etc/postfix/main.cf
## This line is added ##
header_checks = regexp:/etc/postfix/header_checks
# vim /etc/postfix/header_checks
## This line is added ##
/^Received:/ HOLD

Preparing MailScanner

MailScanner is not yet available in CentOS or Repoforge repositories. We will download packages from the official MailScanner site and install it.
# wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.84.6-1.rpm.tar.gz
Now we will extract and install the packages. The installation will take some time, so you can take a break if you want.
# tar zxvf MailScanner-4.84.6-1.rpm.tar.gz
# cd MailScanner-4.84.6-1
# ./install
After installation, the directories necessary for SpamAssassin are created and permissions are modified.
# mkdir /var/spool/MailScanner/spamassassin
# chown postfix /var/spool/MailScanner/spamassassin
# chown postfix /var/spool/MailScanner/incoming/*
Next, the configuration file for MailScanner is backed up and then modified.
# vim /etc/MailScanner/MailScanner.conf
%org-name% = test CentOS Mail Server
%org-long-name% = ORGFULLNAME
%web-site% = ORG WEBSITE

Run As User = postfix
Run As Group = postfix
MTA = postfix

Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming

Virus Scanners = clamav

## please check /etc/MailScanner/spam.lists.conf for more details ##
Spam List = SBL+XBL

## the directory created earlier ##
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
At this point, MailScanner is ready. We can initialize the service.
Debug MailScanner stats before firing up.
# MailScanner -lint
# service MailScanner start
# chkconfig MailScanner on

Verifying MailScanner Operation

After MailScanner has been deployed, the events that take place behind the scenes can be viewed in /var/log/maillog. The following log snippet shows the sample activities while a mail is processed by Postfix.
# tailf /var/log/maillog
Mar  8 03:12:15 centos postfix/pickup[15865]: 79F6D1391: uid=0 from=
Mar  8 03:12:15 centos postfix/cleanup[15871]: 79F6D1391: hold: header Received: by mail.example.tst (Postfix, from userid 0)??id 79F6D1391; Sat,  8 Mar 2014 03:12:15 +0600 (BDT) from local; from= to=
Mar  8 03:12:15 centos postfix/cleanup[15871]: 79F6D1391: message-id=<20140307211215.79F6D1391@mail.example.tst>
Mar  8 03:12:16 centos MailScanner[15832]: New Batch: Scanning 1 messages, 668 bytes
Mar  8 03:12:16 centos MailScanner[15832]: Virus and Content Scanning: Starting
Mar  8 03:12:22 centos MailScanner[15832]: Requeue: 79F6D1391.AA526 to 0FA2E139C
Mar  8 03:12:22 centos MailScanner[15832]: Uninfected: Delivered 1 messages
Mar  8 03:12:22 centos postfix/qmgr[15866]: 0FA2E139C: from=, size=442, nrcpt=1 (queue active)
Mar  8 03:12:22 centos MailScanner[15832]: Deleted 1 messages from processing-database
Mar  8 03:12:22 centos postfix/local[15897]: 0FA2E139C: to=, relay=local, delay=6.8, delays=6.7/0.01/0/0.07, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  8 03:12:22 centos postfix/qmgr[15866]: 0FA2E139C: removed
The above process can be summarized as:
  1. As instructed, Postfix holds the mail upon receipt.
  2. MailScanner swoops in and scans the email in queue.
  3. MailScanner re queues the email and hands it over back to Postfix.
  4. Postfix processes the email as necessary and delivers the mail to recipient.
On a finishing note, MailScanner is a very powerful tool for providing necessary security to a mail server. It can protect the mail server from malware for both incoming and outgoing mails. It is a must for any email server deployed in production environment.
This tutorial covered setting up MailScanner with basic configuration. The parameters of MailScanner as well as SpamAssassin and ClamAV can be customized to meet the requirements of the production environment.
Hope this helps.

How to set up Clam Antivirus, SpamAssassin and MailScanner on Ubuntu mail server

I had originally written this tutorial for xmodulo.com.
Antivirus and anti-spam protection are the among the most important security features for a mail server.
Unix/Linux based mail servers are typically invulnerable to malware and viruses, and there is a very slim chance that the server itself may get infected. On the other hand, the operating system of an end user device may not always be so secured. We certainly do not want our mail server to accept or distribute malware embedded emails. So setting up antivirus software on a mail server is a must.
Anti spam filters will inspect every incoming and outgoing mail for patterns of spamming. For example, spam mails usually contain a large number of recipients. Also, reverse DNS query for the domain in a spam mail does not always provide proper answers. If the spam filter software finds any mail that could be spam, it blocks the mail. This helps retaining the reputation of the mail server, as well as prevents the IP address of the mail server from being blacklisted.
In this tutorial, we will be looking at how to secure our mail server on Ubuntu by setting up:
  • Clam Antivirus: open-source antivirus engine.
  • SpamAssassin: e-mail spam filtering engine.
  • MailScanner [version_4.74.16-1]: uses antivirus and anti-spam engines to scan inbound and outbound emails.
This tutorial is version specific. As of this writing, MailScanner is not available in the Ubuntu repository. So we will be using the MailScanner .deb package instead. Unfortunately, the dependency packages required for the latest version of MailScanner [4.79.11-2.2] are not available in the Ubuntu repository either. However, the dependency packages for version 4.74.16-1 are available. Thus, we will be using MailScanner [4.79.16-1] .deb package in this tutorial. Ubuntu 12.04 is used for testing.
For those of you who are interested in setting it up on CentOS, refer to this tutorial instead.

Installing Dependencies on Ubuntu

Before starting doing anything on Ubuntu, the first thing to do is be to install all the necessary dependencies. The list of dependencies is long, but luckily it can be done using one command.
# apt-get install gcc g++ cpp zlib1g-dev libgmp3-dev perl bzip2 zip make patch automake libhtml-template-perl linux-headers-`uname -r` build-essential libnewt-dev libusb-dev libconvert-tnef-perl libdbd-sqlite3-perl libfilesys-df-perl libmailtools-perl libmime-tools-perl libmime-perl libnet-cidr-perl libsys-syslog-perl libio-stringy-perl libfile-temp-perl libole-storage-lite-perl libarchive-zip-perl libole-storage-lite-perl libdigest-sha-perl

Installing Clam Antivirus and SpamAssassin

Now that the dependencies are installed, Clam Antivirus and SpamAssassin can be installed using apt-get.
# apt-get install clamav clamav-daemon spamassassin
SpamAssassin has to be enabled, and then started:
# vim /etc/default/spamassassin
ENABLED=1
# service spamassassin restart
After the packages are installed, they can be updated using the following commands.
# freshclam ; sa-update

Installing MailScanner

After all the software that MailScanner depends on has been installed, we will download the .deb package for MailScanner version 4.74 and install it.
# wget http://mirrors.kernel.org/ubuntu/pool/universe/m/mailscanner/mailscanner_4.74.16-1_all.deb
# dpkg -i mailscanner_4.74.16-1_all.deb

Configuring MailScanner

Now it is time to adjust the parameters of MailScanner.
First of all, the directory for SpamAssassin is created and permission for that directory is adjusted.
# mkdir /var/spool/MailScanner/spamassassin
# chown postfix /var/spool/MailScanner/spamassassin
The configuration file /etc/MailScanner/MailScanner.conf is backed up, and then modified as followed.
# vim /etc/MailScanner/MailScanner.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
%org-name% = test Ubuntu mail server
%org-long-name% = Your Organization Name Here
%web-site% = www.your-organisation.com
 
Run As User = postfix
Run As Group = postfix
 
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
 
MTA = postfix
 
Virus Scanners = clamav
 
Spam List = SBL+XBL
## please check /etc/MailScanner/spam.lists.conf for more details ##
 
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
## the directory created earlier ##
More information about the configuration file parameters can be found in the official documentation.
Postfix configuration file is modified as well. We will configure Postfix to hold off any mails. MailScanner will swoop in, and check those emails. Then the mails will be handed over to Postfix again for delivery. Here is how the configurations are modified.
# vi /etc/postfix/header_checks
/^Received:/ HOLD
# vim /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
MailScanner is enabled by un-commenting the following line.
# vim /etc/default/mailscanner
run_mailscanner=1
Finally, Postfix and MailScanner services are started.
# service postfix restart
# service mailscanner restart

Testing MailScanner

Now that MailScanner has been deployed, we can test its functionality by monitoring the mail log. Let us send a test mail and see what happens.
# tail /var/log/mail.log
Mar  3 02:46:39 ubuntu postfix/smtpd[31616]: connect from localhost[127.0.0.1]
Mar  3 02:46:39 ubuntu postfix/smtpd[31616]: E5F3C44FB1: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=sarmed
Mar  3 02:46:39 ubuntu postfix/cleanup[31620]: E5F3C44FB1: hold: header Received: from [server_ip] (localhost [127.0.0.1])??by ubuntu.example.tst (Postfix) with ESMTPA id E5F3C44FB1??for ; Mon,  3 Mar 2014 02:46:39 +0600 (BDT) from localhost[127.0.0.1]; from= to= proto=ESMTP helo=<[server_ip]>
Mar  3 02:46:39 ubuntu postfix/cleanup[31620]: E5F3C44FB1: message-id=
Mar  3 02:46:40 ubuntu postfix/smtpd[31616]: disconnect from localhost[127.0.0.1]
Mar  3 02:46:40 ubuntu MailScanner[31695]: MailScanner E-Mail Virus Scanner version 4.74.16 starting...
Mar  3 02:46:40 ubuntu MailScanner[31695]: Read 848 hostnames from the phishing whitelist
Mar  3 02:46:40 ubuntu MailScanner[31570]: New Batch: Scanning 1 messages, 2572 bytes
Mar  3 02:46:40 ubuntu MailScanner[31695]: Read 4278 hostnames from the phishing blacklist
Mar  3 02:46:40 ubuntu MailScanner[31695]: Using SpamAssassin results cache
Mar  3 02:46:40 ubuntu MailScanner[31695]: Connected to SpamAssassin cache database
Mar  3 02:46:40 ubuntu MailScanner[31695]: Enabling SpamAssassin auto-whitelist functionality...
Mar  3 02:46:41 ubuntu MailScanner[31695]: Using locktype = flock
Mar  3 02:46:41 ubuntu MailScanner[31570]: Virus and Content Scanning: Starting
Mar  3 02:46:48 ubuntu MailScanner[31570]: Requeue: E5F3C44FB1.283A6 to 13B8344FB3
Mar  3 02:46:48 ubuntu MailScanner[31570]: Uninfected: Delivered 1 messages
Mar  3 02:46:48 ubuntu postfix/qmgr[31519]: 13B8344FB3: from=, size=1879, nrcpt=1 (queue active)
Mar  3 02:46:48 ubuntu postfix/local[31637]: 13B8344FB3: to=, relay=local, delay=8.6, delays=8.6/0/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  3 02:46:48 ubuntu postfix/qmgr[31519]: 13B8344FB3: removed
The summary of the log is provided below.
  • Postfix held the email after the SMTP connection. The email was placed in /var/spool/postfix/hold.
  • MailScanner scanned the email: (1) spam-check from blacklist, (2) spam-check from spamassassin online database, and (3) virus and content scanning.
  • MailScanner changed the queue ID for the email.
  • After the mail was found clean, it was handed over to Postfix with the new queue ID.
  • Postfix delivered the email to destination account.
To sum up, MailScanner integrated with Clam Antivirus and SpamAssassin is a very powerful tool, and is a must for production mail servers. It can fend off exploitation of most existing mail server vulnerabilities. This tutorial covers the minimum configuration for securing a mail server using MailScanner. The parameters of MailScanner, Clam Antivirus and SpamAssassin are highly customizable, and can be modified to meet different requirements.
Hope this helps.