www.centos.org Forum Index CentOS 4 - Server Support HOWTO: Pretty much bulletproof (and spam-proof) email...
HOWTO: Pretty much bulletproof (and spam-proof) email... | #1 |
|
|---|---|---|---|
|
Peeking in the Member Window
Joined: 2006/8/15
From surreal city, usa
Posts: 25
|
Don't know if HOWTOs are allowed here, but I thought I'd share in case anyone else is having issues setting up a reasonably bulletproof mail setup - mods can feel free to delete this if I've crossed a line - but I've migrated a lot of the stuff I've learned from the Fedora project here and wrote a simple guide on getting mail working -

We've added a virus scanner, spam control, greylisting and three DNS blacklists to sendmail's configuration. This stuff ought to reduce your spam by about 90%. The only one that's not self-explanatory is milter-greylist. Greylisting temporarily rejects email, assuming that real mail servers will resend the message to you but spam servers will not. Out of the box milter-greylist will accept a resent email after 30 minutes. It means you'll get email a little later, but you can whitelist anyone you like. Works pretty well.

First, I highly recommend adding the Misc and Extras repo at http://centos.karan.org - you'll need them for some of this. Just save the two .repo files to /etc/yum.repos.d - if you use yum extender you'll have to enable them in your profile as well - but we'll do all this from the command line.

Here we go - first we install a pile of software. Leave out anything you've already got installed -

```
yum install sendmail dovecot clamav* milter-greylist spamassassin spamass-milter pyzor perl-Razor-agent
```

Next we make sure sendmail works. I use sendmail but others might want to use postfix or exim. Anyway, these instructions are for sendmail.

Edit /etc/sendmail.mc - change

```
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
```

to

```
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
```

This will lift the restriction that causes sendmail to only listen to localhost.

Also, add the following lines to sendmail.mc - add them right above the MAILER lines at the bottom of the file. Watch for word wrap here - the addition below is 9 lines long.

```
FEATURE(`dnsbl',`relays.ordb.org')dnl
FEATURE(`dnsbl',`list.dsbl.org')dnl
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org')dnl
INPUT_MAIL_FILTER(`greylist',`S=local:/var/lib/milter-greylist/run/milter-greylist.sock')
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter/spamass-milter.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter/clamav.sock, F=T, T=S:4m;R:4m')
```

Then rebuild sendmail.cf by opening a terminal window and typing

```
make -C /etc/mail
```

Next, we want to make sure sendmail will relay mail from machines on our local subnet - we do that by editing /etc/mail/access - I added the following lines to the file

```
192.168.1 RELAY
my.wan.ip.address RELAY
```

Both may not be necessary but I added both of them anyway. It works.

Then, rebuild the access database by doing -

```
cd /etc/mail
makemap hash access.db < access
```

Okay, now let's fix dovecot. Open /etc/dovecot.conf and change

```
protocols = imap imaps
```

to

```
protocols = imap imaps pop3 pop3s
```

Next, let's get the virus scanner going. Open /etc/freshclam.conf and look for this:

```
# Comment or remove the line below.
Example
```

Change it to this:

```
# Comment or remove the line below.
#Example
```

You'll have to do the same thing with /etc/clamav.conf - as clamav won't run or update without the example lines commented out. I think that's because they want someone to actually look at the configuration files.

milter-greylist doesn't need a whole lot of configuring unless you want to whitelist some folks or domains out of the box - you'll find the configuration file at /etc/mail/greylist.conf

On to spamassassin...

There's an excellent (but basic) configuration generator for spamassassin at http://www.yrex.com/spam/spamconfig.php and you can use that info to edit the real spamassassin config file at /etc/mail/spamassassin/local.cf

If you want to play with spamass-milter's configuration you'll find it at /etc/sysconfig/spamass-milter. Notice that all the flags in the file are commented out - be particularly careful of the -m flag. If you uncomment the line the -m flag will disable spamassassin subject rewriting. If you're using spamassassin to rewrite subject lines you'll want to take that -m out. I leave the -r 15 at the default. This will tell spamass-milter to reject any email with a spam score of 15 or higher. You can adjust this to your taste.

Okay, we're almost done. Next we turn a buncha services on but don't start them yet -

```
chkconfig sendmail on
chkconfig dovecot on
chkconfig clamav-milter on
chkconfig milter-greylist on
chkconfig spamassassin on
chkconfig spamass-milter on
```

Okay. We're all done. If you're lazy like me you can reboot the machine and everything will come up now. If you're a bit more industrious or don't want to reboot the machine you can start all the services like this -

```
service clamav-milter start
service milter-greylist start
service spamassassin start
service spamass-milter start
service dovecot start
service sendmail start
```

Happy emailing |
||
|
_________________
we see things not as they are, but as we are. -- Anais Nin |
|||
Posted on: 2006/8/18 13:37
|
|||
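The greylisting behaviour described in the HOWTO above (defer the first attempt, accept a resend after the delay, let whitelisted senders straight through), as an added example that is not part of the original post and not milter-greylist's own code. It is a simplified model: the (client IP, sender, recipient) triplet key, the `Greylister` class and the sample traffic are assumptions made for illustration; only the 30-minute delay comes from the post.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 30 * 60  # seconds; the 30-minute figure quoted in the HOWTO


@dataclass
class Greylister:
    """Simplified greylisting model (an assumption, not milter-greylist's real code)."""
    delay: int = GREYLIST_DELAY
    whitelist_ips: set = field(default_factory=set)
    whitelist_domains: set = field(default_factory=set)
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt

    def check(self, client_ip, sender, recipient, now):
        """Return (smtp_code, reason) for one delivery attempt at time `now` (seconds)."""
        domain = sender.rsplit("@", 1)[-1].lower()
        if client_ip in self.whitelist_ips or domain in self.whitelist_domains:
            return 250, "whitelisted"
        triplet = (client_ip, sender.lower(), recipient.lower())
        seen = self.first_seen.get(triplet)
        if seen is None:
            # Unknown triplet: remember it and ask the client to come back later.
            self.first_seen[triplet] = now
            return 451, "first attempt, deferred"
        if now - seen < self.delay:
            return 451, "retried too early, still deferred"
        return 250, "retry after delay, accepted"


def replay(attempts, greylister):
    """Feed (time, ip, sender, recipient) attempts through the greylister in order."""
    return [greylister.check(ip, s, r, t)[0] for t, ip, s, r in attempts]


# Constructed sample traffic: documentation IP ranges and example domains only.
SAMPLE = [
    (0,    "192.0.2.10",   "alice@example.org", "me@example.com"),  # real MTA, first try
    (5,    "203.0.113.66", "promo@example.net", "me@example.com"),  # bulk sender, never retries
    (600,  "192.0.2.10",   "alice@example.org", "me@example.com"),  # retry after 10 minutes
    (1900, "192.0.2.10",   "alice@example.org", "me@example.com"),  # retry after ~32 minutes
    (2000, "198.51.100.7", "boss@example.edu",  "me@example.com"),  # whitelisted domain
]

if __name__ == "__main__":
    g = Greylister(whitelist_domains={"example.edu"})
    for attempt, code in zip(SAMPLE, replay(SAMPLE, g)):
        print(attempt, "->", code)
```

The sender that never retries is never delivered, while the legitimate server is delayed only until its first retry after the 30-minute window.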
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #3 |
|
|---|---|---|---|
|
Peeking in the Member Window
Joined: 2006/8/15
From surreal city, usa
Posts: 25
|
Great idea - thanks
|
||
|
_________________
we see things not as they are, but as we are. -- Anais Nin |
|||
Posted on: 2006/8/20 14:58
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #4 |
|
|---|---|---|---|
|
Newbie
Joined: 2006/9/28
From
Posts: 1
|
That bullet proof tutorial rocked! I took your tutorial and a few others and wrote a whole article on the subject that includes SMTP AUTH and also automatic learning for the bayesian filters. You can find it at:
Securing Your Sendmail Server Joshua Erdman |
||
Posted on: 2006/9/28 4:56
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #5 |
|
|---|---|---|---|
|
Newbie
Joined: 2006/12/26
From Bordeaux
Posts: 1
|
Hello,
this is indeed a useful post even for a winman like me. I may just add that I heard that ordb is going out of service in January 2007. So, one should remove it from the config. Spamcop is a bit touchy to use. Spamhaus is my RBL of choice. |
||
Posted on: 2006/12/26 16:29
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #6 |
|
|---|---|---|---|
|
Jr Board Member
Joined: 2006/5/11
From
Posts: 47
|
my server is a CentOS4.3 x86_64 full install and fully up to date

i followed the above instructions omitting only the following (which i understand is not important):

i attempt to send a mail from admin@mysite.com to me@mysite.com (both users are created with passwords) using squirrelmail

i see this error (with firewall enabled and disabled):

i then try to send to admin@mysite.com from me@gmail.com

the maillog reads:

i then also tried with this configuration in the sendmail.mc from this page http://www.redhat.com/magazine/025nov06/features/email/index.html

```
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl ... change to - DAEMON_OPTIONS(`Port=smtp, Name=MTA')
LOCAL_DOMAIN(`localhost.localdomain')dnl ... change to - LOCAL_DOMAIN(`emailjunkie.org')
dnl MASQUERADE_AS(`mydomain.com')dnl ... change to - MASQUERADE_AS(`emailjunkie.org')
dnl FEATURE(masquerade_envelope)dnl ... change to - FEATURE(`masquerade_envelope')
and added the line ... FEATURE(`allmasquerade')
```

and received the same error:

this time the maillog reads:

the problem in both instances appears to be tcpwrappers (localhost, 127.0.0.1) rejection and DSN: Service unavailable

please i ask your help

thank you in advance for any help you can offer |
||
Posted on: 2007/1/19 3:01
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #7 |
|
|---|---|---|---|
|
Jr Board Member
Joined: 2007/1/4
From Amsterdam, .NL
Posts: 40
|
But why would anyone still use sendmail if postfix is available as well? (hence all the errors!)
And spamassassin is only interesting if you're ready to spend about 1 to 4 hours daily on administrating it, and have a load of RAM and CPU-space left. All this is not what spam is for. |
||
Posted on: 2007/1/19 5:03
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #8 |
|
|---|---|---|---|
|
Regular Board Member
Joined: 2005/9/7
From
Posts: 132
|
Why would anyone bother with this type of setup when you can have a mailserver up and running in about 1 hour with amavis, spamassassin, dspam, mysql, tomcat etc. etc. - just try using Zimbra. It's extremely easy to set up and saves the hassle of trying to integrate multiple packages.
I was a complete novice with Linux (I still am) and I managed to do it real easy. I've posted the link before but for posterity here it is again - www.zimbra.com. Two versions available: a paid-for version and, for cheapskates like me, an Open Source version with all the features you'd need. |
||
|
_________________
Regards Bill |
|||
Posted on: 2007/1/19 14:20
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #9 |
|
|---|---|---|---|
|
Jr Board Member
Joined: 2006/5/11
From
Posts: 47
|
thanks for the advice. if you can't beat 'em ....
meanwhile, where is the sendmail guru? sendmail is possible it is a redhat basic |
||
Posted on: 2007/1/20 22:39
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #10 |
|
|---|---|---|---|
|
Jr Board Member
Joined: 2007/1/4
From Amsterdam, .NL
Posts: 40
|
Quote:
Any package that 'integrates' MySQL is asking for RAM, CPU, time and dependencies many people don't feel like having. Why would anyone use MySQL for mail-integration, even? The monstrosity of using separate databases when it's all just lines of text we have to parse! Flatfile would do just fine. I say: Postfix, dovecot, clamd, clamsmtp with decent config will do just fine. Amavis and Spamassassin are monsters, both administrative and memory/cpu-wise. By the way, why is this forum running on such a strange UI? punBB or phpBB are still so much better. |
||
Posted on: 2007/1/21 5:21
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #11 |
|
|---|---|---|---|
|
Newbie
Joined: 2007/3/3
From
Posts: 4
|
Hi,
We are planning on migrating to procmail? What do we need to do to convert our sendmail config? Matt |
||
Posted on: 2007/3/3 13:43
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #12 |
|
|---|---|---|---|
|
Moderator
Joined: 2005/1/3
From /country/belgium
Posts: 864
|
Quote:
They're not designed to do the same thing: procmail is a mail delivery agent (mda) and sendmail is a mail transfer agent (mta). By default sendmail uses procmail to deliver mail locally! So maybe you have to explain to us (better) what you're trying to do ... |
||
|
_________________
idea=`grep -i clue /dev/brain` ; test -z "$idea" && echo "sorry, init 6 in progress" || sh ./answer-the-forum |
|||
Posted on: 2007/3/3 18:38
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #13 |
|
|---|---|---|---|
|
Newbie
Joined: 2007/3/3
From
Posts: 4
|
Hi,
Sorry, I meant Postfix. Using this howto, what are the steps involved in switching from sendmail -> postfix? Matt Quote:
|
||
Posted on: 2007/3/4 0:40
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #14 |
|
|---|---|---|---|
|
Newbie
Joined: 2007/3/25
From Dhaka
Posts: 2
|
Hello, I have also installed postfix, mailscanner, postgrey and clamav in centos as an antispam-antivirus gateway. It works great for me. Also installed vispan & mailscanner mailwatch to monitor the server. I have written a document and would like to share it with you people. You can get the doc here.
http://www.fakrul.com/demo/antispam.php |
||
Posted on: 2007/3/25 6:30
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #15 |
|
|---|---|---|---|
|
Peeking in the Member Window
Joined: 2006/12/6
From
Posts: 22
|
Well What the Heck, I'll post mine too!
Mine is Scalix email server (http://scalix.com) Very nice user interface, talks to Outlook for calendars and scheduling and all that nonsense. Basically an Exchange drop in. So, if you wanna see my HOWTO, CentOS4.4, Scalix, spamassassin and clamav, it's here: http://www.swifttide.com/Scalix_Setup.html |
||
Posted on: 2007/3/31 0:04
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #16 |
|
|---|---|---|---|
|
Newbie
Joined: 2007/3/3
From
Posts: 4
|
Hi All.
I can't seem to be able to update clamav via yum? The kbs-CentOS doesn't seem to be up to date. How do I update clamav to latest version?

```
daily.cvd updated
**Unmatched Entries**
nonblock_connect: connect timing out (30 secs): 1 Time(s)
WARNING: Your ClamAV installation is OUTDATED!: 459 Time(s)
WARNING: Current functionality level = 10, recommended = 14: 199 Time(s)
DON'T PANIC! Read http://www.clamav.net/faq.html: 459 Time(s)
WARNING: Current functionality level = 10, recommended = 15: 78 Time(s)
WARNING: Mirror 193.1.193.64 is not synchronized.: 7 Time(s)
WARNING: Local version: 0.88.7 Recommended version: 0.90.1: 97 Time(s)
WARNING: Invalid DNS reply. Falling back to HTTP mode.: 1 Time(s)
WARNING: Local version: 0.88.7 Recommended version: 0.90.2: 85 Time(s)
Trying again in 5 secs...: 7 Time(s)
```
|
||
Posted on: 2007/4/23 0:17
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #17 |
|
|---|---|---|---|
|
Newbie
Joined: 2007/7/13
From
Posts: 1
|
"So, if you wanna see my HOWTO, CentOS4.4, Scalix, spamassassin and clamav,
it's here: http://www.swifttide.com/Scalix_Setup.html" Doug - the above link goes to a black hole but I'd appreciate seeing the notes as I am about to embark on a Scalix trial. Thanks |
||
Posted on: 2007/7/13 9:05
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #18 |
|
|---|---|---|---|
|
Peeking in the Member Window
Joined: 2006/12/6
From
Posts: 22
|
Yikes! bad link. it's here:
http://www.swifttide.com/scalix/Scalix_Setup.html Good luck! Check out the forums on the scalix site, lot of good info. Scalix just got bought by Xandros, not sure if that's good or bad... |
||
Posted on: 2007/8/12 0:25
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #19 |
|
|---|---|---|---|
|
Newbie
Joined: 2007/2/1
From
Posts: 4
|
The Repositories page on the CentOS Wiki indicates that the Priorities plugin for Yum should be installed before using 3rd party repositories, such as the ones mentioned above.
LinOSuar |
||
Posted on: 2007/8/20 15:38
|
|||
|
Re: HOWTO: Pretty much bulletproof (and spam-proof) email... | #20 |
|
|---|---|---|---|
|
Regular Board Member
Joined: 2009/9/23
From
Posts: 103
|
This did not work at all for me, SELinux balked on almost everything. I did achieve the same thing via a slightly different path.

sendmail Mailscanner clamav howto works great on Centos 5.3

I am also using APF, BFD, LES, PRM, LSM, chkrootkit, rkhunter for more security.

Also here is a trick if you are using your server as an outgoing relay only: add the following to the end of your /etc/mail/access

```
1 ERROR:"551 We do not accept mail sent directly to our servers. You must use the valid MX record of the domain that you are sending to."
2 ERROR:"551 We do not accept mail sent directly to our servers. You must use the valid MX record of the domain that you are sending to."
3 ERROR:"551 We do not accept mail sent directly to our servers. You must use the valid MX record of the domain that you are sending to."
4 ERROR:"551 We do not accept mail sent directly to our servers. You must use the valid MX record of the domain that you are sending to."
5 ERROR:"551 We do not accept mail sent directly to our servers. You must use the valid MX record of the domain that you are sending to."
6 ERROR:"551 We do not accept mail sent directly to our servers. You must use the valid MX record of the domain that you are sending to."
7 ERROR:"551 We do not accept mail sent directly to our servers. You must use the valid MX record of the domain that you are sending to."
8 ERROR:"551 We do not accept mail sent directly to our servers. You must use the valid MX record of the domain that you are sending to."
9 ERROR:"551 We do not accept mail sent directly to our servers. You must use the valid MX record of the domain that you are sending to."
```

This will cause everything that you have not specifically configured to receive from to not be able to use your mail server. Remember to

```
makemap hash access < access
```

and restart your sendmail |
||
Posted on: 2009/9/24 12:17
|
|||