CentOS 6.4 Email Gateway (Part 4)

We're now ready to install and configure MailScanner. Firstly we'll pre-install the packages required by MailScanner. Open up Putty and input the following:

yum install perl-Archive-Zip perl-DBI perl-DBD-SQLite perl-Filesys-Df perl-Net-CIDR perl-OLE-Storage_Lite perl-Sys-Hostname-Long perl-Sys-SigAction perl-MIME-tools

You'll need to install wget for the next procedure to work:

yum install wget

We need to install a few other packages before running the MailScanner install procedure:

yum install patch rpm-build
yum install binutils glibc-devel gcc make

Now go to your tmp folder:

cd /tmp

Download the MailScanner compressed file like so:

wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.84.6-1.rpm.tar.gz

Now we need to extract the file:

tar xvf MailScanner-4.84.6-1.rpm.tar.gz

A new folder will have been created called MailScanner-4.84.6-1. We need to go to that folder to run the setup script like so:

cd MailScanner-4.84.6-1
sh install.sh

The install process will take a while so be patient. Once the install is complete we need to edit the /etc/MailScanner/MailScanner.conf file.

Find:

%org-name% = yoursite

Change yoursite to the name of your organisation. The value can NOT have any spaces:

%org-name% = Matrix7

Find:

%org-long-name% =

Change to whatever your organisation's name is. This option CAN have spaces:

%org-long-name% = Matrix 7 Is Awesome

Find:

%web-site% =

Change to your website:

%web-site% = www.Matrix7.com.au

Find:

Run As User =

Change to:

Run As User = postfix

Find:

Run As Group =

Change to:

Run As Group = postfix

Find:

Quarantine Silent Viruses = no

Change to:

Quarantine Silent Viruses = yes

Find:

Quarantine Modified Body = no

Change to:

Quarantine Modified Body = yes

Find:

Always Include SpamAssassin Report = no

Change to:

Always Include SpamAssassin Report = yes

Find:

Notify Senders Of Viruses = no

Change to:

Notify Senders Of Viruses = yes

Find:

Notify Senders Of Blocked Size Attachments = no

Change to:

Notify Senders Of Blocked Size Attachments = yes

Find:

Spam List = # spamhaus-ZEN # You can un-comment this to enable them

Change to:

Spam List = spamhaus-ZEN # You can un-comment this to enable them

Find:

Incoming Queue Dir =

Change to:

Incoming Queue Dir = /var/spool/postfix/hold

Find:

Outgoing Queue Dir =

Change to:

Outgoing Queue Dir = /var/spool/postfix/incoming

Find:

MTA =

Change to:

MTA = postfix

Find:

Incoming Work Group =

Change to:

Incoming Work Group = clamav

Find:

Incoming Work Permissions =

Change to:

Incoming Work Permissions = 0750

Find:

Virus Scanners =

Change to:

Virus Scanners = clamav

Find:

Clamd Socket =

Change to:

Clamd Socket = /var/run/clamav/clamd.sock

Find:

SpamAssassin User State Dir =

Change to:

SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

Find:

Quarantine User =

Change to:

Quarantine User = root

Find:

Quarantine Group =

Change to:

Quarantine Group = apache

Find:

Quarantine Permissions =

Change to:

Quarantine Permissions = 0660

Find:

Quarantine Whole Message = no

Change to:

Quarantine Whole Message = yes

Find:

Quarantine Whole Messages As Queue Files =

Change to:

Quarantine Whole Messages As Queue Files = no

Find:

Detailed Spam Report =

Change to:

Detailed Spam Report = yes

Find:

Include Scores In SpamAssassin Report =

Change to:

Include Scores In SpamAssassin Report = yes

Find:

Spam Actions = deliver header "X-Spam-Status: Yes"

Change to:

Spam Actions = store notify

Find:

High Scoring Spam Actions =

Change to:

High Scoring Spam Actions = store-spam

This change is up to you. You can either deliver or store. I'd recommend you deliver until you're comfortable with the system:

High Scoring Spam Actions = deliver

Change the above back to store after a few months running the system.

Find:

Non Spam Actions = deliver header "X-Spam-Status: No"

Change to:

Non Spam Actions = store deliver header "X-Spam-Status: No"

Find:

Log Spam = no

Change to:

Log Spam = yes

Save and Close the file.
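
After this many find-and-change edits it is easy to miss one. The script below is an added example, not part of the original tutorial or of MailScanner: it reads a MailScanner.conf and reports key settings that differ from the values used above, including the no-spaces rule for %org-name%. The helper names ms_get, ms_audit and ms_sample are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# ms_get / ms_audit / ms_sample are hypothetical helper names, not MailScanner tools.

# Print the value of a "Key = Value" line, ignoring comment lines and trailing "# ..." text.
ms_get() {  # usage: ms_get <conf-file> <key>
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            sub(/[ \t]*#.*$/, "", v)
            sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# Print one MISMATCH line per setting that differs from the value used in this tutorial.
ms_audit() {  # usage: ms_audit <conf-file>
    while IFS='|' read -r key want; do
        got=$(ms_get "$1" "$key")
        [ "$got" = "$want" ] || printf 'MISMATCH %s: got "%s", want "%s"\n' "$key" "$got" "$want"
    done <<'EOF'
Run As User|postfix
Run As Group|postfix
MTA|postfix
Incoming Queue Dir|/var/spool/postfix/hold
Outgoing Queue Dir|/var/spool/postfix/incoming
Virus Scanners|clamav
Quarantine Permissions|0660
Spam List|spamhaus-ZEN
EOF
    # %org-name% is reused in the X-...-MailScanner header names, so it must have no spaces.
    case "$(ms_get "$1" '%org-name%')" in
        ''|yoursite|*' '*) echo 'MISMATCH %org-name%: unset, default or has spaces' ;;
    esac
}

# Constructed sample (not a real config): Spam List left commented, org name with a space.
ms_sample() {
    printf '%s\n' '%org-name% = Matrix 7' 'Run As User = postfix' 'Run As Group = postfix' \
        'MTA = postfix' 'Incoming Queue Dir = /var/spool/postfix/hold' \
        'Outgoing Queue Dir = /var/spool/postfix/incoming' 'Virus Scanners = clamav' \
        'Quarantine Permissions = 0660' \
        'Spam List = # spamhaus-ZEN # You can un-comment this to enable them'
}

# On the gateway itself: ms_audit /etc/MailScanner/MailScanner.conf
# The sample run prints two MISMATCH lines: Spam List and %org-name%.
tmp=$(mktemp) && ms_sample > "$tmp" && ms_audit "$tmp"; rm -f "$tmp"
```

No output from ms_audit means every checked setting matches the tutorial's value.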

Now we'll edit the /etc/MailScanner/virus.scanners.conf file:

Find:

clamd /bin/false /usr/local

Change to:

clamd /bin/false /usr/sbin

Find:

clamav /usr/lib/MailScanner/clamav-wrapper /usr/local

Change to:

clamav /usr/lib/MailScanner/clamav-wrapper /usr

Now we'll edit /etc/MailScanner/spam.assassin.prefs.conf so that these lines use the same name you set in the %org-name% variable earlier:

Find:

bayes_ignore_header X-YOURDOMAIN-COM-MailScanner
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamCheck
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamScore
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-Information

envelope_sender_header X-MailScanner-From

Change to:

bayes_ignore_header X-Matrix7-MailScanner
bayes_ignore_header X-Matrix7-MailScanner-SpamCheck
bayes_ignore_header X-Matrix7-MailScanner-SpamScore
bayes_ignore_header X-Matrix7-MailScanner-Information

envelope_sender_header X-Matrix7-MailScanner-From

You need to change Matrix7 in each line above to the organisation name that you used in the %org-name% variable.

Find:

use_auto_whitelist 0

Change to:

#use_auto_whitelist 0

Now we need to set the appropriate permissions:

cd /var/spool/MailScanner
mkdir spamassassin
chown -R postfix:clam *
chmod -R 750 *
chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine

Now we need to edit the /etc/postfix/main.cf file again to include the MailScanner settings:

Find:

#header_checks = regexp:/etc/postfix/header_checks

Change to:

header_checks = regexp:/etc/postfix/header_checks

Save and close the file.

Edit the /etc/postfix/header_checks file:

Go to the end of the file and add:

/^Received:/ HOLD

Save and close the file.

Edit the /usr/sbin/MailScanner file:

Find:

#!/usr/bin/perl -I/usr/lib/MailScanner

Change to:

#!/usr/bin/perl -I/usr/lib/MailScanner -U

Now we're going to turn off Postfix because it does not need to run as a service. MailScanner manages Postfix via a daemon.

service postfix stop
chkconfig postfix off
service MailScanner start
chkconfig --level 235 MailScanner on

Now you've completed the MailScanner configuration...

 

 

13 Responses

  1. Hello Matrix, I have been following you for a long time. I have installed the Email Gateway and it has been in production for the last year and working excellently to date, but recently I got a problem. Some of the latest updates were done, i.e. ClamAV was updated to 0.99.2, the latest version, and with this update the date of the system changed to 2014 and MailScanner started marking all the emails as a DDoS attack. So what I did was reinstall ClamAV and re-update. Now it has partially started working; after every two or three days it slows down and again starts marking all the emails as a DDoS attack. Now what I did was make one change in etc/MailScanner/MailScanner.conf: Maximum Processing Attempts = 6 to 0, which I got from somewhere on the web. I am not yet satisfied whether it will resolve the issue or not, so do you have any idea? Thanks, Ihsan
  2. Also, I forgot one thing: is there any difference between Clamd SpamAssassin and Clamdav? As I installed Clamdav full ......
    • Matrix7
      You'll need to uninstall the ClamAV and then re-install ClamD because MailScanner uses ClamD which is the daemon to scan incoming emails. Once you've uninstalled ClamAV install ClamD using the following syntax: yum install clamd. Once installed ensure you have completed all the items in Step 2: http://www.matrix7.com.au/centos/centos-6-4-email-gateway-part-2/
      • Bundle, I did as per your instructions and it seems the problem is resolved. So was the reason ClamAV, which was marking everything as a virus? While sometimes it was working fine for one or two days .........
        • Matrix7
          Probably. I've never tried to use ClamAV so can only assume that was the cause. Glad you've got it working again...
          • Sorry to bother you again :) In fact it worked fine until now, when I checked and it detected one of my test emails again as a virus with Denial of Dos Attack. A few things which I noted when it stops working for some time: 1. The whole server gets very slow. 2. The Load Average also gets very high, i.e. 10.30 ,5.91.3.24 in the MailWatch screen. Note: this time the problem remained for one or two messages, then it got normal again. Thanks, Ihsan
          • Matrix7
            I've never seen this issue before. The only recent posting I can find about this issue is here: http://lists.mailscanner.info/pipermail/mailscanner/2016-May/103453.html Make sure you read the whole thread as it gives some pointers on how to resolve the issue. Sorry I couldn't help further.
  3. Thank you very much for pointing me to some good links. If I find the root cause then surely I will update you regarding the problem. Thanks
    • Hi, I have found something with the MailScanner lint command. Following is the output; now I don't know how to deal with it.
      Trying to setlogsock(unix)
      Reading configuration file /etc/MailScanner/MailScanner.conf
      Reading configuration file /etc/MailScanner/conf.d/README
      Read 2355 hostnames from the phishing whitelist
      Read 3938 hostnames from the phishing blacklists
      Config: calling custom init function MailWatchLogging
      Started SQL Logging child
      Checking version numbers...
      Version number in MailScanner.conf (4.84.6) is correct.
      Unrar is not installed, it should be in /usr/bin/unrar. This is required for RAR archives to be read to check filenames and filetypes. Virus scanning is not affected.
      Your envelope_sender_header in spam.assassin.prefs.conf is correct.
      MailScanner setting GID to (89)
      MailScanner setting UID to (89)
      Checking for SpamAssassin errors (if you use it)...
      Using SpamAssassin results cache
      Connected to SpamAssassin cache database
      SpamAssassin reported no errors.
      Using locktype = posix
      MailScanner.conf says "Virus Scanners = clamav"
      Found these virus scanners installed: clamav
      ===========================================================================
      Filename Checks: Windows/DOS Executable (1 eicar.com)
      Other Checks: Found 1 problems
      Virus and Content Scanning: Starting
      1.message: Win.Trojan.Trojan-1082 FOUND
      ./1/eicar.com: Eicar-Test-Signature FOUND
      Virus Scanning: ClamAV found 2 infections
      Infected message 1 came from 10.1.1.1
      Virus Scanning: Found 2 viruses
      ===========================================================================
      Virus Scanner test reports:
      ClamAV said "eicar.com contains Eicar-Test-Signature"
      If any of your virus scanners (clamav) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
      Config: calling custom end function MailWatchLogging
      • Matrix7
        I'm not sure what issue you've found by your description, but reading through your post it seems you don't have unrar installed on your system. Follow this procedure to install unrar and test again: http://idroot.net/tutorials/install-rarunrar-centos/
        • OK, I thought it was because of the virus which is in the output of the lint command:
          ...cks: Windows/DOS Executable (1 eicar.com)
          Other Checks: Found 1 problems
          Virus and Content Scanning: Starting
          1.message: Win.Trojan.Trojan-1082 FOUND
          ./1/eicar.com: Eicar-Test-Signature FOUND
          Virus Scanning: ClamAV found 2 infections
          Infected message 1 came from 10.1.1.1
          Virus Scanning: Found 2 viruses
          Thanks
          • Hi, I found this log today:
            MailScanner[23542]: Commercial scanner clamav timed out!
            mail-svr MailScanner[23542]: clamav: Failed to complete, timed out
            mail-svr MailScanner[22183]: Commercial scanner clamav timed out!
            mail-svr MailScanner[22183]: clamav: Failed to complete, timed out
            mail-svr MailScanner[23542]: Virus Scanning: Denial Of Service attack is in message BC5AC20B3E.AD8E1
            So it means clamav is also running with clamD. My question is: is there any way to disable clamav while clamD is running?
          • Matrix7
            I'm assuming this is on a virtual machine? This looks to me like you don't have enough resources allocated to your VM or the hard disks it is installed on are very slow. It seems that it's taking too long to process the scan, therefore timing out. Have a look at how much RAM and CPU it has, try moving it to a faster hard disk and then re-test.
