Author Topic: HOW-TO: eBox 1.5 Mail Filter Gateway  (Read 8140 times)

socceroos

HOW-TO: eBox 1.5 Mail Filter Gateway
« on: June 30, 2010, 04:24:53 am »
eBox 1.5 SPAM Filter Gateway:
=========================


DISCLAIMER: I didn't know much about Postfix, Amavis, SpamAssassin or ClamAV integration before having to do this. I don't assume I've got everything right or that these settings are optimal. However, it does work very well for me and my company of 40+ employees. Emails are our bread and butter. =)

On that note, I would really appreciate any improvements people could suggest, or even showing me how this could have all been done through the eBox GUI! (if possible)

Intro:

To understand what we were trying to achieve, first I have to explain our situation and what we require. Our current setup is something like this:

Code:
                         |---->Exchange_2003_Server
Internet---->eBox_Gateway|
                         |---->Local_Network

Basically, we want eBox to filter all emails for SPAM and viruses before it passes them on to the Exchange server. The Exchange server will still be in control of all email processing. This means we do not want the eBox gateway to store mail locally, or require replication of the Exchange user list before it can accept emails.

I'm using eBox 1.5 on Ubuntu 10.04. Reasons for this are two-fold. Firstly, Ubuntu 8.04 (Hardy Heron) did not work with the hardware we have for our firewall. And secondly, we didn't want to be in the situation where we needed to upgrade the entire OS under our perimeter firewall in the near future because Hardy Heron's support ended.

So, eBox 1.5 and Ubuntu 10.04 it is. Be aware that some updates to the eBox unstable branch (1.5) can overwrite our configuration changes - so it is important for us to properly back up our modified config files.

Maybe it's just me, but I tried every settings combination under the sun to try and get eBox to run as just a mail filtering gateway through the eBox GUI. I could not get it to work for the life of me. With the help of Kamilion (thanks a million, Kamilion =D), I was directed to start editing eBox stub files.
These files are located here:

Code:
/usr/share/ebox/stubs/

Alrighty, let's get down to business. Firstly, let's make a backup of the original eBox configuration:

Code:
sudo cp /usr/share/ebox/stubs/mail/main.cf.mas /root/main.cf.mas.orig
sudo cp /usr/share/ebox/stubs/mail/master.cf.mas /root/master.cf.mas.orig

Now edit the main Postfix configuration file to tell it to basically accept emails and forward them on to Exchange. Open the relevant stubs file (I use vi because I like it):

Code:
sudo vi /usr/share/ebox/stubs/mail/main.cf.mas

Firstly, comment out the 38th line regarding reject_unknown_recipient_domain like this:

Code:
#$smtpRecipientRestrictions .=  'reject_unknown_recipient_domain, ';

Change the mydestination and local_recipient_maps variables to be empty like so:

Code:
mydestination =
local_recipient_maps =

This is so that Postfix does not assume it is the final destination for delivery of the email. For me, 'mydestination' was on line 84 and 'local_recipient_maps' was on line 89.

Below these two variables, I placed this code:

Code:
local_transport = error:no local mail delivery
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport
relay_domains = mydomain.com

relay_domains should be the domain of your email server (not the FQDN, just the base domain name).

After that, from line 121 (virtual_alias_maps) onwards, I commented out what eBox had there - except for the settings inside the 'if' statements. All in all, my /usr/share/ebox/stubs/mail/main.cf.mas file looks like this:

Code:
# Generated by eBox                                                            
# See /usr/share/postfix/main.cf.dist for a commented, more complete version  
<%args>                                                                        
        $hostname                                                              
        $mailname                                                              
        $ldapport                                                              

        $relay
        $relayAuth

        $allowed
        $maxmsgsize
        $aliasDN  
        $vmaildir  
        $usersDN  
        $uidvmail  
        $gidvmail  
        $sasl      
        $smtptls  
        $ldap      
        $filter    
        $ipfilter  
        $portfilter

        $bccMaps

        $greylist
        $greylistAddr
        $greylistPort
</%args>            
<%init>              
use EBox::Gettext;  

my $smtpRecipientRestrictions ;
$smtpRecipientRestrictions .= 'reject_non_fqdn_sender, ';
$smtpRecipientRestrictions .= 'reject_unknown_sender_domain, ';
$smtpRecipientRestrictions .= 'reject_non_fqdn_recipient, ';  
#$smtpRecipientRestrictions .=  'reject_unknown_recipient_domain, ';

if ($sasl) {
    $smtpRecipientRestrictions = 'permit_sasl_authenticated, ';
}                                                              
$smtpRecipientRestrictions .=  'permit_mynetworks, ';          

$smtpRecipientRestrictions .= 'reject_unauth_destination';
# at this point all mail for which the server isn't the final destination or the
# forwarder has been rejected, so the next restrictions only apply in these two cases


$smtpRecipientRestrictions .= ', reject_invalid_helo_hostname';
$smtpRecipientRestrictions .= ', reject_non_fqdn_helo_hostname';
$smtpRecipientRestrictions .= ', check_helo_access pcre:/etc/postfix/helo_checks.pcre';

if ($greylist) {
    my $greylistRecipientRestriction = "check_policy_service inet:" .
                                        $greylistAddr . ':' .        
                                        $greylistPort ;              
    $smtpRecipientRestrictions .= ", $greylistRecipientRestriction";
}                                                                    


my $certFile = '/etc/postfix/sasl/postfix.pem';
my $keyFile  = '/etc/postfix/sasl/postfix.pem';
</%init>                                      

# require helo
smtpd_delay_reject  = yes
smtpd_helo_required = yes

strict_rfc821_envelopes = yes
disable_vrfy_command = yes  

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no                                          

# appending .domain is the MUA's job.
append_dot_mydomain = no            

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h                                    

myorigin = /etc/mailname
myhostname = <% $hostname %>
mydestination =            
smtp_helo_name = <% $mailname %>
alias_maps = hash:/etc/aliases  

alias_database = hash:/etc/aliases
local_recipient_maps =            

relayhost = <% $relay %>

% if ($relay) {
smtp_tls_security_level = may
smtp_tls_key_file  = <% $keyFile  %>
smtp_tls_cert_file = <% $certFile %>
% }

% if ($relayAuth) {
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous              

% }

mynetworks = <% $allowed %>

message_size_limit = <% $maxmsgsize %>
mailbox_size_limit = 0                
virtual_mailbox_limit = 0            
recipient_delimiter = +              
inet_interfaces = all                

#### STUFF SAM HAS ADDED ########
local_transport = error:no local mail delivery
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport            
relay_domains = mydomain.com                    

# Virtual Aliases
#virtual_alias_maps = ldap:valiases
#valiases_server_host = 127.0.0.1  
#valiases_search_base = <% $aliasDN %>
#valiases_query_filter = (&(mail=%s)(objectClass=CourierMailAlias))
#valiases_result_attribute = maildrop                              
#aliases_bind = no                                                

# Virtual Domains
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot            
#virtual_transport = virtual          
#virtual_mailbox_base = <% $vmaildir %>
#virtual_mailbox_maps= ldap:ldapvirtualmap

#ldapvirtualmap_server_host = 127.0.0.1:<% $ldapport %>
#ldapvirtualmap_bind = no                              
#ldapvirtualmap_search_base = <% $usersDN %>          
#ldapvirtualmap_query_filter = (&(mail=%s)(!(quota=-1))(objectClass=CourierMailAccount))
#ldapvirtualmap_result_attribute = mailbox                                              

#virtual_mailbox_domains = ldap:vmaildomains
#vmaildomains_server_host = 127.0.0.1      
#vmaildomains_bind = no                    
#vmaildomains_search_base =  ou=postfix,<% $ldap->{'dn'} %>
#vmaildomains_query_filter = (|(&(objectclass=domain)(domainComponent=%s))(&(objectclass=CourierMailAlias)(mail=@%s)))
#vmaildomains_result_attribute = dc, maildrop


#virtual_minimum_uid = 100
#virtual_uid_maps = static:<% $uidvmail %>
#virtual_gid_maps = static:<% $gidvmail %>


% if (($smtptls) or ($sasl)){
## TLS/SSL
#smtpd_use_tls = no
#smtpd_tls_note_starttls = yes
#smtpd_tls_key_file  = <% $keyFile  %>
#smtpd_tls_cert_file = <% $certFile %>
#smtpd_tls_loglevel = 1
% }


smtpd_recipient_restrictions = <% $smtpRecipientRestrictions %>


% if ($sasl) {
#SASL authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =  $myorigin
% }

% if ($filter) {
content_filter=smtp-amavis:<% $ipfilter %>:<% $portfilter %>
% }

% if ($bccMaps) {
sender_bcc_maps = <% $bccMaps %>
recipient_bcc_maps = <% $bccMaps %>
% }

Next we need to modify the file located at /usr/share/ebox/stubs/mail/master.cf.mas:

Add the following lines directly under the line starting with the word 'pickup':

Code:
    -o content_filter=
    -o receive_override_options=no_header_body_checks

Once you have modified both of these files, you should create a backup of them just in case eBox overwrites them with an update:

Code:
sudo cp /usr/share/ebox/stubs/mail/main.cf.mas /root/main.cf.mas
sudo cp /usr/share/ebox/stubs/mail/master.cf.mas /root/master.cf.mas

Now create and edit a file in /etc/postfix/ called relay_recipients:

Code:
sudo vi /etc/postfix/relay_recipients

Again, I'm using vi because it is teh win. Add this line to the file:

Code:
@mydomain.com OK

Once you have saved that, create the hash out of this file for Postfix to use with the following command:

Code:
sudo postmap /etc/postfix/relay_recipients

Now create and edit a file in /etc/postfix/ called transport:

Code:
sudo vi /etc/postfix/transport

Add this line to the file:

Code:
mydomain.com relay:[my.exchange.ip.address]

Obviously, where I've put 'my.exchange.ip.address' you need to substitute it with the IP Address of your Exchange/Mail server. Once you have saved that, create the hash out of this file for Postfix to use with the following command:

Code:
sudo postmap /etc/postfix/transport

Lastly, we need to change some settings in the eBox GUI.

Go to Mail->General and make sure the FQDN of your mail server (i.e. mail.mydomain.com) is in the 'Smarthost to send mail' box.

In the Mail->General->'Mail filter Options' tab, make sure 'Filter in use' is set to 'eBox internal mail filter'.

In 'Mail Filter'->'SMTP Mail Filter'->General make sure all three boxes are ticked. Leave the services port as the default.

In 'Mail Filter'->'SMTP Mail Filter'->'Filter Policies' you may want to change the way Amavis deals with SPAM and Viruses. This is up to you. I am discarding viruses and SPAM, bouncing banned files and passing bad headers. I've actually set up Amavis to quarantine discarded SPAM for me so I can go through it for false-positives. Let me know if you want a HOW-TO on that.

Lastly (really), go to the Dashboard and restart both the Mail and 'Mail Filter' services. After this, your eBox gateway should now be filtering all incoming emails for SPAM and viruses before they go on to your internal mail server (Exchange in my case).

Please let me know if you see any glaring errors, omissions or better ways to do things!
« Last Edit: June 30, 2010, 04:33:02 am by socceroos »
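
The relay-only settings from the post above can be checked offline against the rendered Postfix files. This is an added example, not part of the original post: `get_param`, `check_gateway` and `make_sample` are hypothetical helper names, the sample files are constructed, and `192.0.2.10` is a placeholder for the Exchange address. It assumes one parameter per line and a plain domain list in relay_domains.

```bash
# Added example (not from the original post): offline check of a rendered main.cf.

# Value of a "key = value" line; assumes no continuation lines, last one wins.
get_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_gateway MAIN_CF TRANSPORT RELAY_RECIPIENTS: prints problems, returns their count.
check_gateway() {
    cf=$1; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    # An absent parameter falls back to Postfix's default, which is not empty.
    for p in mydestination local_recipient_maps; do
        grep -Eq "^$p[[:space:]]*=[[:space:]]*$" "$cf" || fail "$p must be set and empty"
    done
    case "$(get_param "$cf" local_transport)" in
        error:*) ;;
        *) fail "local_transport still allows local delivery" ;;
    esac
    # reject_unauth_destination is what keeps the gateway from being an open relay.
    case "$(get_param "$cf" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) fail "smtpd_recipient_restrictions lacks reject_unauth_destination" ;;
    esac
    domains=$(get_param "$cf" relay_domains | tr ',' ' ')
    [ -n "$domains" ] || fail "relay_domains is empty"
    for d in $domains; do
        # Exact match on the lookup key, followed by a relay: next hop.
        awk -v d="$d" '$1 == d && $2 ~ /^relay:/ { ok = 1 } END { exit !ok }' "$2" ||
            fail "no relay: route for $d in transport"
        awk -v d="@$d" 'substr($1, length($1) - length(d) + 1) == d { ok = 1 }
            END { exit !ok }' "$3" || fail "no relay_recipients entry for $d"
    done
    return "$problems"
}

# Constructed sample files using the post's placeholder values (192.0.2.10 = Exchange).
make_sample() {
    printf '%s\n' 'mydestination =' 'local_recipient_maps =' \
        'local_transport = error:no local mail delivery' \
        'relay_domains = mydomain.com' \
        'smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination' \
        > "$1/main.cf"
    echo 'mydomain.com relay:[192.0.2.10]' > "$1/transport"
    echo '@mydomain.com OK' > "$1/relay_recipients"
}

tmp=$(mktemp -d) && make_sample "$tmp" &&
    check_gateway "$tmp/main.cf" "$tmp/transport" "$tmp/relay_recipients" && echo "gateway config OK"
```

On the gateway itself, pass /etc/postfix/main.cf, /etc/postfix/transport and /etc/postfix/relay_recipients after restarting the Mail service, and again after any eBox update that may have regenerated main.cf from the stubs.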

J. A. Calvo

Re: HOW-TO: eBox 1.5 Mail Filter Gateway
« Reply #1 on: July 01, 2010, 08:16:46 pm »
Thanks for sharing this!
Zentyal Server Lead Developer

e-man

Re: HOW-TO: eBox 1.5 Mail Filter Gateway
« Reply #2 on: July 16, 2010, 03:36:57 am »
Hi Socceroos

I use eBox 1.4-2, and it works as well. However, I have a question:

Why can I not log in to the mail server's POP3 (MS Exchange) for incoming connections (from the Internet)?

and the system mail log show:
.
.
dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<xxxxx@xxxxxxx.com>, method=PLAIN, rip=xxx.xx.xxx.xx, lip=xx.xx.xx.xx
.

Please recommend me...

Thank you

E-Man

iYRe

Re: HOW-TO: eBox 1.5 Mail Filter Gateway
« Reply #3 on: October 17, 2010, 11:48:15 am »
I would also add postgrey (apt-get install postgrey - it is that simple).

Greylisting removes a huge amount of spam, so it's worth it. Perhaps add it to the default mail config?

I also prefer DSPAM over SpamAssassin - it seems to work better on lower spec machines (i.e., less load)