Centos 7 mail server

In this post I am adding a few comments and observations on the installation and configuration of a mail server with the following features:

  • firewalld enabled
  • selinux enabled
  • postfix
  • dovecot
  • spam assassin
  • clamav
  • amavisd
  • Roundcube

Personally, I am a huge fan of selinux and it is painful to see tutorials advising you to disable selinux on RHEL/Centos/Fedora. There is nothing special about the installation and configuration of the above services that requires disabling selinux (or firewalld).

All services were installed using yum:

yum install postfix dovecot amavisd-new clamav-update

Firewalld

This post is NOT intended to be a tutorial on firewalld; rather, it is a brief summary of working with firewalld.

I would refer you to one of the many firewalld tutorials available online.

firewall-cmd --add-service=smtp --permanent

(A change made with --permanent only takes effect after firewall-cmd --reload, or after repeating the command without --permanent.)

The current open ports / services on the mail server are:

firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client smtp pop3s imaps http https
  ports: 587/tcp 465/tcp 110/tcp 143/tcp 25/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Postfix

As with firewalld, this post is NOT intended to be a tutorial on postfix; again, there are many online tutorials.

Key configuration options

Some KEY options include:

#Required to send to most mail servers such as gmail.com
always_add_missing_headers = yes


#Option is all 1 line
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination


#Option is all 1 line
smtpd_relay_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination


#Set custom mail location, if unset mail is in /var/spool/mail
#This puts mail in /home/$USER/mail
home_mailbox = mail/

IF you set a location for mail (home_mailbox = mail) you must then either:

  1. add a .mailrc for each user with the following lines:

    set MAIL=/home/bodhi/mail
    set folder=mail

  2. In a multi-user system, add the following edits to system files to enable ~/mail via login, su, sudo, or ssh:

    #command is all 1 line
    echo 'export MAIL=~/mail' | sudo tee -a /etc/bash.bashrc | sudo tee -a /etc/profile.d/mail.sh
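The two smtpd_*_restrictions lists above are what keep the server from being an open relay. As an added example (mine, not Postfix's code), this small simulation walks a restriction list the way Postfix does: each restriction returns PERMIT, REJECT or no opinion, the first opinion wins, and a list that ends without one falls through to PERMIT; the mynetworks and mydestination values are assumed.

```python
import ipaddress

# Assumed site values (constructed for this example, not taken from the post)
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
MYDESTINATION = {"mail.org", "localhost"}  # domains this server accepts mail for
RELAY_DOMAINS = set()                      # domains it relays for on others' behalf

# Each restriction returns "PERMIT", "REJECT" or None (Postfix's DUNNO: keep walking)
def permit_sasl_authenticated(client, rcpt):
    return "PERMIT" if client["sasl_user"] else None

def permit_mynetworks(client, rcpt):
    addr = ipaddress.ip_address(client["ip"])
    return "PERMIT" if any(addr in net for net in MYNETWORKS) else None

def reject_unauth_destination(client, rcpt):
    domain = rcpt.rpartition("@")[2].lower()
    return None if domain in MYDESTINATION | RELAY_DOMAINS else "REJECT"

RESTRICTIONS = {f.__name__: f for f in
                (permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination)}

def evaluate(restriction_list: str, client: dict, rcpt: str) -> str:
    """Walk a Postfix-style restriction list: the first PERMIT or REJECT decides,
    and a list that runs out without a decision falls through to PERMIT."""
    for name in restriction_list.replace(" ", "").split(","):
        verdict = RESTRICTIONS[name](client, rcpt)
        if verdict is not None:
            return verdict
    return "PERMIT"

# The post's list, and the same list with the crucial last entry left out
SAFE = "permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"
OPEN_RELAY = "permit_sasl_authenticated,permit_mynetworks"

# Constructed clients: an unknown host (IP taken from the post's logs), localhost,
# and a SASL-authenticated user on a documentation-range address
STRANGER = {"ip": "209.85.128.175", "sasl_user": None}
LOCAL = {"ip": "127.0.0.1", "sasl_user": None}
AUTHED = {"ip": "203.0.113.9", "sasl_user": "bodhi"}

if __name__ == "__main__":
    for label, client, rcpt in (("inbound to us", STRANGER, "bodhi@mail.org"),
                                ("relay attempt", STRANGER, "someone@example.net"),
                                ("localhost relay", LOCAL, "someone@example.net"),
                                ("authenticated relay", AUTHED, "someone@example.net")):
        print(f"{label:20} safe={evaluate(SAFE, client, rcpt):7} "
              f"without reject_unauth_destination={evaluate(OPEN_RELAY, client, rcpt)}")
```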

Here is a test email from the mail server (logged into localhost):

bodhi@mail:~$mail bodhi.zazen@ubuntu.com
Subject: Postfix working

This is a test email

.
EOT

And to read the reply:

panther@mail:~$mail
Heirloom Mail version 12.5 7/5/10.  Type ? for help.
"/var/spool/mail/panther": 2 messages
>   1 bodhi@mail.org    Sun Dec  3 18:08  20/573   "test"
    2 bodhi zazen           Sun Dec  3 18:09  75/3559  "Re: it works"
& 2

Test dovecot

Dovecot is a little more obscure!

telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a LOGIN USER_NAME PASSWORD
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
a LIST "" "*"
* LIST (\HasNoChildren) "." INBOX
a OK List completed.
a EXAMINE INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 2 EXISTS
* 0 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1512325183] UIDs valid
* OK [UIDNEXT 6] Predicted next UID
a OK [READ-ONLY] Examine completed (0.001 secs).
a FETCH 2 BODY[]
* 2 FETCH (BODY[] {546}
Return-Path: 
X-Original-To: bodhi@mail.org
Delivered-To: bodhi@mail.org
Received: by mail.mail.org (Postfix, from userid 1001)
	id E4F7E178044E; Sun,  3 Dec 2017 16:58:04 +0100 (CET)
Date: Sun, 03 Dec 2017 16:58:04 +0100
To: bodhi@mail.org
Subject: Test
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20171203155804.E4F7E178044E@mail.mail.org>
From: bodhi.zazen@ubuntu.com

It works , thank you

)
a OK Fetch completed.
a LOGOUT
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.
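The telnet session above sends the LOGIN password in the clear on port 143, even though the greeting advertises STARTTLS. As an added example (mine, not from the post or from Dovecot), here is the same LIST / EXAMINE / FETCH exchange from Python, refusing to log in until the connection has been upgraded to TLS; host, user, password and message number are placeholders.

```python
import imaplib
import re
import ssl

# Greeting copied from the telnet session above, used to show the capability check
DOVECOT_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
                    "ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")

def capabilities(greeting: str) -> set:
    """Extract the CAPABILITY list that Dovecot puts in its greeting line."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(m.group(1).split()) if m else set()

def starttls_offered(greeting: str) -> bool:
    return "STARTTLS" in capabilities(greeting)

def read_message(host: str, user: str, password: str, msgnum: str = "2") -> bytes:
    """Same exchange as the telnet test, but LOGIN only goes out over TLS."""
    imap = imaplib.IMAP4(host, 143)
    try:
        if not starttls_offered(imap.welcome.decode(errors="replace")):
            raise RuntimeError("no STARTTLS in greeting; refusing plaintext LOGIN")
        imap.starttls(ssl.create_default_context())  # verifies the server certificate
        imap.login(user, password)                     # a LOGIN USER_NAME PASSWORD
        imap.list()                                    # a LIST "" "*"
        imap.select("INBOX", readonly=True)            # a EXAMINE INBOX
        status, data = imap.fetch(msgnum, "(BODY.PEEK[])")  # BODY[] without setting \Seen
        if status != "OK" or not data or not isinstance(data[0], tuple):
            raise RuntimeError(f"message {msgnum} not found")
        return data[0][1]
    finally:
        imap.logout()                                  # a LOGOUT
```

By default Dovecot (disable_plaintext_auth = yes) accepts the plaintext LOGIN shown in the telnet session only because it came from localhost; from any other address the LOGIN is refused until STARTTLS has been negotiated.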

Prevent the mail server from being marked as spam: install and configure opendkim

See: Install opendkim Centos 7

Test your key with (change "mail.org" to your domain name):

dig mail.org._domainkey.ceae.info TXT

returns

; <<>> DiG 9.10.3-P4-Ubuntu <<>> mail.org._domainkey.ceae.info TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50764
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;mail.org._domainkey.ceae.info. IN TXT

;; Query time: 333 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Dec 05 14:33:07 MST 2017
;; MSG SIZE  rcvd: 65
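The dig output above reports status: NXDOMAIN, meaning the queried name does not exist at all; a published key answers with NOERROR and a TXT record in the ANSWER section. As an added example (mine, not opendkim's), here is a small checker for the name a verifier looks up and for the contents of the TXT answer; the record text is constructed in the split-string form opendkim-genkey writes, with the key material shortened.

```python
import re

def dkim_record_name(selector: str, domain: str) -> str:
    """A verifier looks up <selector>._domainkey.<domain> (RFC 6376)."""
    return f"{selector}._domainkey.{domain}"

def dig_status(output: str) -> str:
    """Pull the rcode (NOERROR, NXDOMAIN, ...) out of dig's ->>HEADER<<- line."""
    m = re.search(r"status: ([A-Z]+)", output)
    return m.group(1) if m else "UNKNOWN"

def parse_dkim_txt(txt: str) -> dict:
    """Turn a DKIM TXT record into a tag -> value dict. A record split into
    several quoted strings is concatenated first, as a verifier does."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {}
    for field in joined.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def check_dkim_record(txt: str) -> list:
    """Return the problems found in a DKIM key record; an empty list means usable."""
    tags = parse_dkim_txt(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version {tags['v']!r}")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {tags['k']!r}")
    if not tags.get("p"):
        problems.append("empty p= tag: key is revoked or the record was truncated")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing mode: verifiers will not penalise failing signatures")
    return problems

# Constructed answers (key shortened) and the status line from the dig output above
SAMPLE_TXT = '"v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEXAMPLEKEY"'
REVOKED_TXT = '"v=DKIM1; k=rsa; p="'
NXDOMAIN_HEADER = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50764"
```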

SpamAssassin and clamav

I used this tutorial.

HOWEVER, that tutorial is incomplete and does not work with selinux enabled.

To complete the setup with selinux enabled, run:

setsebool -P antivirus_can_scan_system 1
setsebool -P clamd_use_jit on


yum install clamav clamav-scanner-systemd


cd /usr/lib/systemd/system
cp clamd\@scan.service clamd\@amavisd.service


systemctl start clamd@amavisd
systemctl enable clamd@amavisd
systemctl restart amavisd

Now, while tailing the mail log, send a test email containing the following message (the EICAR test string):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

In the logs we will see:

Dec  3 22:27:41 mail postfix/qmgr[350]: 9E79B17806EE: from=, size=7448, nrcpt=1 (queue active)
Dec  3 22:27:41 mail postfix/smtpd[1663]: disconnect from mail-wr0-f175.google.com[209.85.128.175]
Dec  3 22:27:52 mail clamd[1583]: /var/spool/amavisd/tmp/amavis-20171203T222741-01661-aAF7S5Ck/parts/p004: Eicar-Test-Signature FOUND
Dec  3 22:27:52 mail clamd[1583]: /var/spool/amavisd/tmp/amavis-20171203T222741-01661-aAF7S5Ck/parts/p001: Eicar-Test-Signature FOUND
Dec  3 22:27:52 mail amavis[1661]: (01661-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [209.85.128.175]:46159 [209.85.128.175]  -> , Queue-ID: 9E79B17806EE, Message-ID: , mail_id: 1bM4Cqm5z69m, Hits: -, size: 7606, 10249 ms
Dec  3 22:27:52 mail postfix/lmtp[1668]: 9E79B17806EE: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=10, delays=0.16/0.04/0.02/10, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=01661-01 - INFECTED: Eicar-Test-Signature)
Dec  3 22:27:52 mail postfix/qmgr[350]: 9E79B17806EE: removed
Dec  3 22:31:01 mail postfix/anvil[1665]: statistics: max connection rate 1/60s for (smtp:209.85.128.175) at Dec  3 22:27:41
Dec  3 22:31:01 mail postfix/anvil[1665]: statistics: max connection count 1 for (smtp:209.85.128.175) at Dec  3 22:27:41
Dec  3 22:31:01 mail postfix/anvil[1665]: statistics: max cache size 1 at Dec  3 22:27:41

To test SpamAssassin, use GTUBE: send the following test spam message.

Subject: Test spam mail (GTUBE)
Message-ID: 
Date: Wed, 23 Jul 2003 23:30:00 +0200
From: Sender 
To: Recipient 
Precedence: junk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

This is the GTUBE, the
	Generic
	Test for
	Unsolicited
	Bulk
	Email

If your spam filter supports it, the GTUBE provides a test by which you
can verify that the filter is installed correctly and is detecting incoming
spam. You can send yourself a test mail containing the following string of
characters (in upper case and with no white spaces and line breaks):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

You should send this test mail from an account outside of your network.

Roundcube

Roundcube is in the CentOS repos.

yum install roundcube

The following booleans were used for selinux:

setsebool -P httpd_can_sendmail on
setsebool -P httpd_can_network_connect_db on

And to allow web access from outside localhost, use the following configuration:

<Directory /usr/share/roundcubemail/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        # Require local
        Require all granted
    </IfModule>
</Directory>

And to get rid of localhost in the domain name:

nano config.inc.php

$config['default_host'] = 'ssl://%n';
$config['smtp_server'] = 'tls://%n';

How to tell if it is working

On Ubuntu I installed the package clamav-testfiles and packaged them up in a .zip, .xz, and .bz2 file and sent them from mutt:

bodhi@Ubuntu:~$mutt -s "Config2" -a /home/bodhi/config.tar.bz2 -- bodhi@mail.org

bodhi@Ubuntu:~$mutt -s "Config2" -a /home/bodhi/config.xz -- bodhi@mail.org

bodhi@Ubuntu:~$mutt -s "Config2" -a /home/bodhi/config.zip -- bodhi@mail.org

On the server tail -f the log and you will see messages such as:

Dec  5 02:32:08 mail amavis[30150]: (30150-07) Blocked BANNED (.exe,.exe-ms,usr/share/clamav-testfiles/clam_IScab_int.exe) {BouncedInbound,Quarantined}, [174.45.173.129]:59838 [174.45.173.129]  -> , Queue-ID: E158517802D8, Message-ID: <20171205013139.tikx5ynbexyln3qg@Ubuntu.com
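As an added example (mine, not from the post), here is a small parser for the amavis verdict lines shown in the EICAR and banned-attachment tests above, so the log can be summarised instead of eyeballed; the embedded log excerpt is constructed in the same format, with made-up sender and recipient addresses and Message-IDs, and the SPAM line is modelled on what a GTUBE message scores.

```python
import collections
import re

# Constructed maillog excerpt in the amavis/postfix format seen above; addresses,
# Message-IDs and the SPAM line are made up for this example
SAMPLE_LOG = """\
Dec  3 22:27:41 mail postfix/qmgr[350]: 9E79B17806EE: from=<sender@example.net>, size=7448, nrcpt=1 (queue active)
Dec  3 22:27:52 mail clamd[1583]: /var/spool/amavisd/tmp/amavis-20171203T222741-01661-aAF7S5Ck/parts/p004: Eicar-Test-Signature FOUND
Dec  3 22:27:52 mail amavis[1661]: (01661-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [209.85.128.175]:46159 [209.85.128.175] <sender@example.net> -> <bodhi@mail.org>, Queue-ID: 9E79B17806EE, Message-ID: <t1@example.net>, mail_id: 1bM4Cqm5z69m, Hits: -, size: 7606, 10249 ms
Dec  3 22:40:10 mail amavis[1661]: (01661-02) Blocked SPAM {DiscardedInbound,Quarantined}, [209.85.128.175]:46201 [209.85.128.175] <sender@example.net> -> <bodhi@mail.org>, Queue-ID: A1B2C3D4E5F6, Message-ID: <t2@example.net>, mail_id: 2cN5Drn6a70n, Hits: 1002.6, size: 1980, 812 ms
Dec  5 02:32:08 mail amavis[30150]: (30150-07) Blocked BANNED (.exe,.exe-ms,usr/share/clamav-testfiles/clam_IScab_int.exe) {BouncedInbound,Quarantined}, [174.45.173.129]:59838 [174.45.173.129] <bodhi@ubuntu.example> -> <bodhi@mail.org>, Queue-ID: E158517802D8, Message-ID: <t3@ubuntu.example>, mail_id: 3dO6Eso7b81o, Hits: -, size: 44120, 2210 ms
Dec  5 02:35:00 mail amavis[30150]: (30150-08) Passed CLEAN {RelayedInbound}, [174.45.173.129]:59840 [174.45.173.129] <bodhi@ubuntu.example> -> <bodhi@mail.org>, Queue-ID: F0E1D2C3B4A5, Message-ID: <t4@ubuntu.example>, mail_id: 4eP7Ftp8c92p, Hits: 0.1, size: 1200, queued_as: 0A1B2C3D4E, 640 ms
"""

AMAVIS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ amavis\[\d+\]: \((?P<task>[\w-]+)\) "
    r"(?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)(?: \((?P<detail>[^)]*)\))? "
    r"\{(?P<flags>[^}]*)\}, \[(?P<client>[^\]]+)\]:\d+ .*?"
    r"Queue-ID: (?P<qid>\w+), .*?Hits: (?P<hits>[-\d.]+)")

def parse_amavis(line: str):
    """Return the fields of one amavis verdict line, or None for any other line."""
    m = AMAVIS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].split(",")
    return rec

def summarize(lines):
    """Count verdicts and list the quarantined items an admin should spot-check."""
    counts = collections.Counter()
    quarantined = []
    for line in lines:
        rec = parse_amavis(line)
        if rec is None:
            continue
        counts[f"{rec['action']} {rec['verdict']}"] += 1
        if "Quarantined" in rec["flags"]:
            quarantined.append((rec["qid"], rec["verdict"], rec["detail"]))
    return counts, quarantined

if __name__ == "__main__":
    counts, quarantined = summarize(SAMPLE_LOG.splitlines())
    for verdict, n in sorted(counts.items()):
        print(f"{n:4} {verdict}")
    for qid, verdict, detail in quarantined:
        print(f"quarantined {qid}: {verdict} {detail or ''}")
```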