New Mail Server: Zimbra? MailScanner?

I get lots of spam, and there seemed to be nothing I could do about it, so I decided I needed a better scanner/mail platform and went looking for something different. Currently I use Amavisd/Postfix/ClamAV/SpamAssassin, which when properly configured SHOULD catch nearly all spam. But alas, I believe the configuration was broken by the most recent upgrade: even the Bayesian learning system did not really learn anything new, and I kept getting the same old mail. This was, and is, annoying at best.

So I looked into Zimbra. Zimbra ships as a virtual appliance, which was perfect for my needs, and a 10-user limited license is fairly inexpensive, as in free.

Zimbra

My attempt to install Zimbra using the RPM method on CentOS 5.4 hit a snag. There is apparently some sort of network scan that goes on to determine whether your settings are correct. I was able to install it, but the configuration stated that antispam and antivirus were not available, even though the proper files were installed. So I figured I would try the virtual appliance.

The virtual appliance imported just fine, but on boot it tried to do the same network scan to check its settings, even though I had given it a STATIC IP. Since this was to live behind NAT, there is no direct access between it and many of the things it apparently needed, and the virtual appliance did not boot fully.

So Zimbra did not work for me. I am not sure why it does any sort of scan. This worries me from a security perspective, as I did not know WHAT it was doing, nor was it explained clearly. In essence my network did not allow Zimbra to find everything it wanted. Perhaps it expects the laxer security of a DMZ location.

MailScanner

When I had a physical mail server, I used MailScanner and was pleased with it, but upgrades were a pain, so I went to something different when I went virtual. Alas, that was my downfall. MailScanner (http://www.mailscanner.info) incorporates many of the same things as Zimbra, but in a very different package. So I went back to a base CentOS 5.4 install and worked out from there.

MailScanner comes as two packages, MailScanner-4.79.11-1.rpm.tar.gz and install-Clam-SA-latest.tar.gz. The first installs MailScanner and all its dependencies; the latter installs the latest ClamAV and SpamAssassin along with their rule sets. So far so good. While configuring MailScanner I determined that I also needed the following tools:

  • unrar  – http://packages.sw.be/unrar
  • antiword – http://packages.sw.be/antiword
  • DCC – http://www.rhyolite.com/anti-spam/dcc
  • Razor – http://razor.sourceforge.net

Then I needed a modern version of Postfix (2.7.1), which I found in binary and source form at http://postfix.wl0.org/. I first tried the binary but determined it did not support SASL authentication over TLS, so I had to rebuild from source with a slight change to the SPEC file: I enabled 'with_sasl' and rebuilt. The following builds it as an installable RPM:

rpm -ivh postfix-2.7.1-1.src.rpm
# Modify /usr/src/redhat/SPECS/postfix.spec to enable SASL (with_sasl)
rpmbuild -bb /usr/src/redhat/SPECS/postfix.spec
# The binary RPM is written under /usr/src/redhat/RPMS/<arch>/

Now Postfix was ready. I have done all this before, but many years ago. Next was to make sure Postfix runs within a chroot jail, for security reasons. So how do we do this? Run the following scripts:

sh /etc/postfix/examples/chroot-setup/LINUX2
sh /etc/postfix/postfix-chroot.sh

Now I was ready to turn everything on, which I did. But I still had an authentication problem with Postfix: my SMTP clients would not connect. This led me to determine that the chroot setup for SASL was incorrect (a chrooted smtpd cannot see the saslauthd socket or the SASL configuration outside the jail), so some more changes were needed, such as the following:

mkdir -p /var/spool/postfix/var/run
# Move the saslauthd socket directory into the chroot and leave a symlink
# at the old path so saslauthd (and testsaslauthd) still find it
mv /var/run/saslauthd /var/spool/postfix/var/run
ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
# The chrooted smtpd also needs a passwd file and the SASL config (smtpd.conf)
cp /etc/passwd /var/spool/postfix/etc
mv /etc/sasl2 /var/spool/postfix/etc
ln -s /var/spool/postfix/etc/sasl2 /etc/sasl2

Now I am back up. I also added some settings to main.cf within Postfix so that anonymous clients cannot use my mail server as a relay. Note that noanonymous only disables the SASL ANONYMOUS mechanism; which clients may actually relay is still decided by smtpd_recipient_restrictions, and permit_sasl_authenticated must appear there ahead of reject_unauth_destination for authenticated clients outside $mynetworks to be allowed through. The following are my changes to /etc/postfix/main.cf; I placed them at the end:

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
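The SASL fragment above enables authentication; whether an authenticated client may then relay is decided by smtpd_recipient_restrictions, which the post leaves at Postfix's default. The following is an added example, not code from the post or from Postfix: a small auditor that parses main.cf the way postconf does (continuation lines, comment lines, later assignments winning) and reports the gaps a practitioner would check for after making this change. Both configurations are constructed inline; the hardened one adds smtpd_tls_auth_only and an explicit restriction list, and assumes the TLS certificate parameters are set elsewhere in main.cf. The set of checks is this example's own choice, not a Postfix tool.

```python
import re
import sys

# Constructed input: the exact fragment from the post.
POST_FRAGMENT = """\
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
"""

# Constructed: the same fragment plus the parameters that decide who may relay
# and that keep AUTH off plaintext sessions. Parameter names are Postfix's own;
# smtpd_tls_cert_file/key_file are assumed to be set elsewhere in main.cf.
HARDENED_FRAGMENT = POST_FRAGMENT + """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Postfix's built-in default before 2.10, where this list alone decides relaying
# (2.10+ adds smtpd_relay_restrictions).
DEFAULT_RECIPIENT_RESTRICTIONS = "permit_mynetworks, reject_unauth_destination"


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value'; a line starting with whitespace
    continues the previous value; a line starting with '#' is a comment."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:  # continuation of the previous value
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; postconf would warn here
        current = name.strip()
        params[current] = value.strip()
    return params


def _tokens(value):
    """Split a comma/whitespace separated Postfix list into its tokens."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def audit_relay_policy(params):
    """Return a list of findings for an smtpd meant to relay only for
    $mynetworks and SASL-authenticated clients. Empty list means nothing found."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("smtpd_sasl_auth_enable is not 'yes': clients cannot authenticate")

    # noanonymous removes the SASL ANONYMOUS mechanism; without it an 'anonymous'
    # login would satisfy permit_sasl_authenticated.
    for opt in ("smtpd_sasl_security_options", "smtpd_sasl_tls_security_options"):
        if "noanonymous" not in _tokens(params.get(opt, "")):
            findings.append(f"{opt} lacks 'noanonymous'")

    tls_on = (params.get("smtpd_tls_security_level", "") in ("may", "encrypt")
              or params.get("smtpd_use_tls", "no") == "yes")
    if not tls_on:
        findings.append("smtpd TLS is not enabled: PLAIN/LOGIN credentials would cross the wire in clear")
    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': AUTH is offered before STARTTLS")

    # Which list governs relaying: smtpd_relay_restrictions if present (2.10+),
    # else smtpd_recipient_restrictions, else the pre-2.10 compiled-in default.
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if name in params:
            restrictions = _tokens(params[name])
            break
    else:
        restrictions = _tokens(DEFAULT_RECIPIENT_RESTRICTIONS)

    if not any(r in restrictions for r in ("reject_unauth_destination", "defer_unauth_destination")):
        findings.append("no reject_unauth_destination in the relay policy: this is an OPEN RELAY")
    if "permit_sasl_authenticated" not in restrictions:
        findings.append("permit_sasl_authenticated missing: authenticated clients outside "
                        "$mynetworks are still refused relay")
    elif ("reject_unauth_destination" in restrictions
          and restrictions.index("permit_sasl_authenticated")
          > restrictions.index("reject_unauth_destination")):
        findings.append("permit_sasl_authenticated comes after reject_unauth_destination, so it never applies")
    return findings


if __name__ == "__main__":
    # Usage: python audit_main_cf.py /etc/postfix/main.cf   (defaults to the post's fragment)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = POST_FRAGMENT
    for line in audit_relay_policy(parse_main_cf(text)) or ["no findings"]:
        print(line)
```

Run it against the output of `postconf -n` (the effective non-default values) rather than a hand-edited main.cf, so that settings made elsewhere in the file are not missed. Whatever the audit says, confirm from an outside address that the server advertises AUTH only after STARTTLS and answers a relay attempt for a foreign domain with a 5xx reply before trusting the configuration.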

Conclusion
This new setup started blocking more spam than the old configuration, which was exactly what I wanted. Unfortunately Zimbra would not work for me, and that was an issue. I was really looking forward to working with Zimbra, but it was just too problematic. Yes, if I understood it as well as I understand Postfix and MailScanner I might have tried to solve the problem, but this time I did not have the time. Zimbra needs to be simpler to use, paying attention to the manual configuration I make instead of trying to work out my network on its own.

Edward Haletky

Edward L. Haletky, aka Texiwill, is an author, analyst, developer, technologist, and business owner. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and TVP Strategy where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.

4 thoughts on “New Mail Server: Zimbra? MailScanner?”

  1. Ed,

    I have been running a very similar environment for about 1.5 years now.
    I am running Zimbra in a Linux (Red Hat) VM with a separate VM for postfix/clamav/spamassassin and a separate VM for DNS. We used Zimbra in production at my last company (Linux shop) so I feel fairly comfortable with it.

    I would be happy to chat with you at VMworld next week and even show you the configuration if you are interested or available.

    Chris

    1. If we can find the time to meet up, I would be interested. I am just amazed that the Zimbra install wants to search my network. Why is the real question. From a security perspective I do not want it looking at my network.

  2. Zimbra doesn’t do any sort of network scan, what it requires is a correctly formatted /etc/hosts file and valid DNS A & MX records pointing to your Zimbra server (if you’re behind a NAT router or firewall you’ll need to have a LAN DNS server and those records pointing to your Zimbra LAN IP). There really shouldn’t be much trouble getting the CentOS version of Zimbra running, it’s one of the easiest installs of Zimbra if you have the items I mentioned above configured correctly.

    1. Thanks Bill. I actually have properly formatted DNS A & MX records for the target hosts. Yet for some reason it still did not work. Eventually I will retry Zimbra, but at this time I needed to get something running that actually stopped spam… This led me to go back to the old standby.
