
  1. Introduction
  2. Configuring SpamAssassin
    1. Basic Configuration
    2. Advanced Configuration
  3. Configuring ClamAV
  4. Configuring Postfix
    1. Basic configuration
    2. Configuring Postfix to detect spam and viruses
  5. IMAP and POP3 servers
  6. SquirrelMail

Introduction

This document explains how to set up an email server on SuSE Linux Enterprise Server using the following free software:

This server will:

This document is currently an incomplete draft. It is actively being worked on by Alejandro Forero Cuervo <bachue@bachue.com>. Please report any errors you find.

Configuring SpamAssassin

Basic Configuration

Even though Postfix includes a great many configuration parameters for rejecting UCE, we're not going to use them in this setup. We're, instead, going for the much more sophisticated approach of using SpamAssassin. I've found that in practice, most of Postfix's parameters for controlling UCE tend to be rather restrictive. I strongly advise you against using them, unless you have specific reasons to do so.

  1. Install the spamassassin package and its dependencies.
  2. Create a spamd user and group to run the SpamAssassin server. You could run the SpamAssassin daemon as root, but that wouldn't be very secure (as security vulnerabilities in the daemon could grant anyone root access to your machine). You could create the group and user with the following commands:
    • groupadd spamd
    • useradd -g spamd -s /sbin/nologin -m spamd
  3. Edit the /etc/sysconfig/spamd script to make sure it runs spamd as the spamd user. To do this, add -u spamd to the value of the SPAMD_ARGS variable.
  4. Start spamd (rcspamd start) and make sure the system runs it automatically (insserv spamd).

Advanced Configuration

Detecting spam is not an easy task, especially since spammers go to great lengths to make their messages difficult to tell from normal mail. For this reason, you are strongly advised to properly train and configure SpamAssassin for your particular needs. This section provides a brief look at the things you should do, with links to the relevant sections of SpamAssassin's wiki (http://wiki.apache.org/spamassassin/).

Optional software used by SpamAssassin is not available as SLES packages. If you want to improve the efficiency of your spam detection, you should install it. I'm talking mostly about Vipul's Razor, which can increase the precision of the system.

You could also whitelist or blacklist addresses, adding whitelist_from or blacklist_from lines to /etc/mail/spamassassin/local.cf. There is more information about whitelists in http://wiki.apache.org/spamassassin/ManualWhitelist.

Very importantly, you should train your installation with a few spam and ham messages. For each word in those messages, SpamAssassin will keep statistics on how likely they are to indicate that the message is either spam or ham. I recommend you train your system with at least 1000 spam and 1000 ham messages. You can find out more about training SpamAssassin.

Configuring ClamAV

We will use ClamAV to check incoming mail for viruses.

  1. Install the clamav package and its dependencies. This package will create the user and group vscan to run the daemon.
  2. Set your system to run the ClamAV daemon automatically (insserv clamd) and execute it (rcclamd start).
  3. Set your system to update its virus database from the network:
    1. Run freshclam to make sure the system can update the database. Solve any problems that might arise. Should you need to set it up to use an HTTP proxy, look in /etc/freshclam.conf.
    2. Enable the LogSyslog directive in /etc/freshclam.conf.
    3. Set your system to run freshclam periodically. To do this, I recommend you edit the crontab of the vscan user, setting it to run freshclam every hour. You should use a job such as N * * * * /usr/bin/freshclam --quiet, where N is some random number from 3 to 57. (Alternatively, you could run freshclam as a daemon; unfortunately, the SLES package does not include a script in /etc/init.d to do so, so you'd have to create it.)

Configuring Postfix

Basic configuration

  1. Edit the values in /etc/sysconfig/postfix. You'll need to edit the following variables:
    1. POSTFIX_LOCALDOMAINS
    2. POSTFIX_RELAYHOST - In case you want all outgoing mail to be relayed by a separate server.
  2. Set SMTPD_LISTEN_REMOTE to yes in /etc/sysconfig/mail.
  3. Make sure you've set your system to run Postfix on startup (insserv postfix... and, while we're at it, rcpostfix restart).
  4. If you plan to use Postfix to relay mail from your clients, set mynetworks (in /etc/postfix/main.cf). By default, Postfix will relay mail for all clients in the same IP subnetworks it is on.

You should, at this point, try to send a message to a local user and verify that Postfix receives it and stores it locally, inside /var/spool/mail.

Configuring Postfix to detect spam and viruses

Now you need to configure Postfix to use the services provided by SpamAssassin and ClamAV for all incoming messages. I wrote a simple shell script to do this. You can download it from:

I suggest you store it in /usr/local/bin/mfilter. Make sure any user can execute it (chmod a+x /usr/local/bin/mfilter).

After you've installed it, read the comments. There is a good deal of configurable settings. You'll need to follow the three steps described there in order to tell Postfix to use it for all incoming (through SMTP) mail.
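
The following added example is not the author's mfilter script and not Postfix's own code; it shows how a pipe-based filter can chain clamdscan and spamc and re-inject clean mail through sendmail. The calling convention (sender, then recipients, message on stdin), the tool paths and the quarantine directory are assumptions.

```shell
#!/bin/sh
# Added example, not the author's mfilter. Assumed calling convention:
#   filter SENDER RECIPIENT...   (message on stdin, run by Postfix pipe(8))
umask 077                                   # temp and quarantine copies stay private
SPAMC=${SPAMC:-/usr/bin/spamc}              # assumed path
CLAMDSCAN=${CLAMDSCAN:-/usr/bin/clamdscan}  # assumed path
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}    # Postfix sendmail(1)
QUARANTINE=${QUARANTINE:-/var/spool/filter/quarantine}   # hypothetical directory
EX_TEMPFAIL=75   # sysexits.h: Postfix keeps the message queued and retries

filter_message() {
    fm_sender=$1; shift
    fm_tmp=$(mktemp -d) || return $EX_TEMPFAIL
    cat > "$fm_tmp/in" || { rm -rf "$fm_tmp"; return $EX_TEMPFAIL; }

    # clamdscan exits 0 when clean, 1 when a virus is found, 2 on error.
    fm_rc=0
    "$CLAMDSCAN" --no-summary - < "$fm_tmp/in" > /dev/null 2>&1 || fm_rc=$?
    case $fm_rc in
        0)  ;;
        1)  # Infected: keep a copy for the administrator, deliver nothing and
            # do not bounce (the envelope sender is usually forged).
            if cp "$fm_tmp/in" "$QUARANTINE/virus.$(date +%s).$$"; then
                fm_rc=0
            else
                fm_rc=$EX_TEMPFAIL
            fi
            rm -rf "$fm_tmp"; return $fm_rc ;;
        *)  # Scanner unavailable: fail closed so unscanned mail is never delivered.
            rm -rf "$fm_tmp"; return $EX_TEMPFAIL ;;
    esac

    # spamc adds the X-Spam-* headers. By default it fails open: if spamd is
    # unreachable, the message comes back unmodified and is still delivered.
    "$SPAMC" < "$fm_tmp/in" > "$fm_tmp/out" || { rm -rf "$fm_tmp"; return $EX_TEMPFAIL; }

    # Re-inject. "--" keeps a recipient that starts with "-" from being read
    # as a sendmail option.
    fm_rc=0
    "$SENDMAIL" -G -i -f "$fm_sender" -- "$@" < "$fm_tmp/out" || fm_rc=$?
    rm -rf "$fm_tmp"
    return $fm_rc
}

# As the installed filter, the file would end with:  filter_message "$@"
```

Postfix's pipe(8) delivery agent defers a message when the command exits with status 75, so a ClamAV outage delays mail instead of letting it through unscanned.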

IMAP and POP3 servers

We will use the implementation of IMAP and POP3 provided by the University of Washington, which seems to be the most common alternative.

  1. Install package imap. It includes servers for both the IMAP and the POP3 protocols.
  2. Generate certificates for the TLS/SSL encrypted connections:
    • cd /etc/ssl/certs
    • openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem
    • openssl req -new -x509 -nodes -out ipop3d.pem -keyout ipop3d.pem
  3. Enable access through imaps and pop3s, in /etc/xinetd.d/imap.
  4. Make sure xinetd is running (rcxinetd restart) and runs on startup (insserv xinetd).
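
An added example, not part of the original page: the same openssl req invocation with an explicit lifetime (without -days the certificate is valid for only 30 days), followed by a check that the combined key-and-certificate file is private, unexpired and self-consistent. The function names, the CN and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical helper names; CN and lifetimes are placeholders.
umask 077   # the PEM holds an unencrypted private key (-nodes)

# make_mail_cert FILE CN DAYS
# Same command as in step 2, plus an explicit subject, key size and lifetime.
make_mail_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$3" \
        -subj "/CN=$2" -out "$1" -keyout "$1" 2>/dev/null
}

# audit_pem FILE MIN_DAYS
# Prints one finding per line and returns 1 if there is any finding.
audit_pem() {
    ap_bad=0
    ap_mode=$(stat -c %a "$1") || return 1        # GNU stat
    case $ap_mode in
        *00) ;;                                   # no group or other access
        *)   echo "mode $ap_mode: private key accessible beyond its owner"
             ap_bad=1 ;;
    esac
    # -checkend N fails if the certificate expires within N seconds.
    if ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) > /dev/null; then
        echo "certificate expires within $2 days"
        ap_bad=1
    fi
    # The public key in the certificate must be the one derived from the key.
    ap_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    ap_key=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ "$ap_cert" != "$ap_key" ]; then
        echo "certificate and private key do not match"
        ap_bad=1
    fi
    return $ap_bad
}
```

For the files from step 2, the call would be, for example, audit_pem /etc/ssl/certs/imapd.pem 14, run from cron so an expiring certificate is noticed before clients start rejecting it.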

SquirrelMail

Unfortunately, Novell decided not to include any webmail software as part of SLES. As a consequence, SquirrelMail is not available as an RPM so you'll need to download it and install it manually. Thankfully, the installation is relatively painless.

You'll need to install and configure the following packages, and all their dependencies, first:

To install SquirrelMail, download it and look at its INSTALL file. In config/conf.pl you'll want to:

That should be all.

Last update: 2007-05-25 (Rev 11380)
