I get lots of spam. There seems to be nothing I can do about it so I believe I need to find a better scanner/mail platform. So I went looking for something different. Currently I use Amavisd/Postfix/ClamAV/SpamAssassin, which when properly configured SHOULD find nearly all spam. But alas, I believe after the most recent upgrade the configuration was shot. Even the Bayesian learning system did not really learn anything new, and I kept getting the same old mail. This was/is annoying at best.
So I looked into Zimbra. Zimbra ships as a Virtual Appliance which was perfect for my needs and a 10 user limited license is fairly inexpensive as in free.
My attempts to install Zimbra using the RPM method on CentOS 5.4 hit a snag. There is apparently some sort of network scan that goes on to determine if your settings are correct, etc. I was able to install it, but the configuration stated antispam and antivirus were not available, even though the proper files were installed. So I figured I would try out the virtual appliance.
The virtual appliance imported just fine, but on boot it tried to do the same network scan to determine if the settings were correct even though I gave it a STATIC IP, etc. Since this was to live behind NAT, there is no direct access between it and many of the things it apparently needed. The Virtual Appliance did not boot fully.
So Zimbra did not work for me. I am not sure why it does any sort of scan. This worries me from a Security perspective as I did not know WHAT it was doing. Nor was it explained clearly. In essence my network did not allow Zimbra to properly find everything. Perhaps it is looking for a lax set of security for a DMZ location.
When I had a physical mail server, I used to use MailScanner and was pleased with it, but upgrades were a pain so I went to something different when I went virtual. Alas, that was my downfall. MailScanner (http://www.mailscanner.info) incorporates many of the same things as Zimbra but in a much different package. So I went back to a base CentOS 5.4 install and worked out from there.
MailScanner comes with two sets of packages: MailScanner-4.79.11-1.rpm.tar.gz and install-Clam-SA-latest.tar.gz. The first installs MailScanner and all its dependencies, and the latter installs the latest ClamAV and SpamAssassin as well as the rules. So far so good. During configuration of MailScanner I also determined that I needed the following tools:
- unrar – http://packages.sw.be/unrar
- antiword – http://packages.sw.be/antiword
- DCC – http://www.rhyolite.com/anti-spam/dcc
- Razor – http://razor.sourceforge.net
Then I needed a modern version of postfix (2.7.1), which I found in binary and source form from http://postfix.wl0.org/. I first tried the binary but determined it did not support SASL authentication via TLS, so had to recompile from source with a slight change to the SPEC file. I enabled ‘with_sasl’ then rebuilt from source. The following builds this as an installable RPM for me.
rpm -ivh postfix-2.7.1-1.src.rpm
# Modify /usr/src/redhat/SPECS/postfix.spec to enable SASL
rpmbuild -bb /usr/src/redhat/SPECS/postfix.spec
Now postfix was ready. I have done all this before, but many years ago. Next was to make sure postfix runs within a chroot jail for security reasons…. So how do we do this? Run the following scripts:
Now I was ready to turn everything on, which I did. But I still had an authentication problem with postfix from my smtp clients: they would not connect. This led me to determine that the chroot setup for SASL was incorrect and we needed to perform some more changes, such as the following.
mkdir -p /var/spool/postfix/var/run
mv /var/run/saslauthd /var/spool/postfix/var/run
ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
cp /etc/passwd /var/spool/postfix/etc
mv /etc/sasl2 /var/spool/postfix/etc
ln -s /var/spool/postfix/etc/sasl2 /etc/sasl2
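The layout these commands produce can be re-checked after an upgrade or reboot. The following is an added example, not part of the original post: `check_sasl_chroot` and its optional root-prefix argument are hypothetical, and `mux` is the socket name saslauthd creates in its run directory.

```shell
# Added example: verify the saslauthd-in-chroot layout built by the commands above.
# The optional argument is a hypothetical root prefix so the check can be run
# against a staging tree; on the live host it defaults to "/".
check_sasl_chroot() {
    root=${1:-/}
    root=${root%/}
    jail="$root/var/spool/postfix"
    rc=0

    # Each original path must be a symlink pointing at the copy inside the jail,
    # and that copy must exist as a directory.
    for p in var/run/saslauthd etc/sasl2; do
        link="$root/$p"
        want="/var/spool/postfix/$p"
        if [ ! -L "$link" ]; then
            echo "FAIL: $link is not a symlink"; rc=1
        elif [ "$(readlink "$link")" != "$want" ]; then
            echo "FAIL: $link -> $(readlink "$link"), expected $want"; rc=1
        fi
        [ -d "$jail/$p" ] || { echo "FAIL: $jail/$p is missing"; rc=1; }
    done

    # The mux socket exists only while saslauthd is running, so warn, not fail.
    [ -S "$jail/var/run/saslauthd/mux" ] ||
        echo "WARN: no mux socket in the jail; is saslauthd running?"

    # The jail's passwd is a one-time copy made with cp; report drift.
    if [ ! -f "$jail/etc/passwd" ]; then
        echo "FAIL: $jail/etc/passwd is missing"; rc=1
    elif ! cmp -s "$root/etc/passwd" "$jail/etc/passwd"; then
        echo "WARN: $jail/etc/passwd differs from $root/etc/passwd"
    fi
    return $rc
}
```

Call it as `check_sasl_chroot` on the mail server itself; a non-zero return means one of the moved paths is not where the chrooted smtpd will look for it.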
Now I am back up. I even made some new changes to the main.cf within postfix which disable anonymous clients from accessing my mailserver for relay purposes. The following are those changes to /etc/postfix/main.cf. I placed these at the end:
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
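Postfix keeps only the last definition of a parameter in main.cf, so a block placed at the end is the effective one until something is appended after it. The following added example (not from the original post) resolves the effective values and checks them; the function names are hypothetical, and `smtpd_tls_auth_only` and `noplaintext` are Postfix settings the post itself does not use.

```shell
# Added example, not from the original post. It reads only what main.cf sets
# explicitly; Postfix built-in defaults and $name expansion are not modelled.

# Print the effective value of parameter $2 in main.cf file $1: comments are
# skipped, indented lines continue the previous one, the last definition wins.
# Commas and runs of whitespace in the value are normalised to single spaces.
effective() {
    awk -v want="$2" '
        function flush(   eq, name, val) {
            eq = index(cur, "=")
            if (eq) {
                name = substr(cur, 1, eq - 1); val = substr(cur, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/[ \t,]+/, " ", val); gsub(/^ | $/, "", val)
                if (name == want) out = val
            }
            cur = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { cur = cur " " $0; next }
        { flush(); cur = $0 }
        END { flush(); print out }
    ' "$1"
}

has_word() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }
is_yes()   { case $1 in [Yy][Ee][Ss]) return 0 ;; esac; return 1; }

# Hypothetical helper: returns 0 if the SASL settings above are the effective ones.
audit_sasl() {
    cf=$1; rc=0
    is_yes "$(effective "$cf" smtpd_sasl_auth_enable)" ||
        { echo "FAIL: smtpd_sasl_auth_enable is not yes"; rc=1; }
    for p in smtpd_sasl_security_options smtpd_sasl_tls_security_options; do
        has_word "$(effective "$cf" "$p")" noanonymous ||
            { echo "FAIL: $p does not set noanonymous"; rc=1; }
    done
    # Beyond the page's settings: without one of these, password mechanisms
    # may be offered on sessions that never started TLS.
    if ! is_yes "$(effective "$cf" smtpd_tls_auth_only)" &&
       ! has_word "$(effective "$cf" smtpd_sasl_security_options)" noplaintext
    then
        echo "WARN: AUTH not restricted to TLS; consider smtpd_tls_auth_only = yes"
    fi
    return $rc
}
```

Run `audit_sasl /etc/postfix/main.cf` after any edit to the file; a FAIL line means a later definition has overridden one of the settings listed above.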
This new setup started blocking more spam than the old configuration. Which was exactly what I wanted to happen. Unfortunately Zimbra would not work for me and that was an issue. I was really looking forward to working with Zimbra, but it was just too problematic. Yes, if I understood it as well as I understand postfix and MailScanner I may have tried to solve the problem, but this time I did not have the time. Zimbra needs to be simpler to use, paying attention to the manual configurations I make instead of trying to determine my network, etc.
Edward L. Haletky, aka Texiwill, is an author, analyst, developer, technologist, and business owner. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and TVP Strategy where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.