Email upgrade: Replacing Axigen mail with MailScanner
I'm tired of moving spam mail to spam folders from which the system never learns. So it's time for me to try a new approach -- one that will give me the ability to not only block spam, but to monitor what is happening within my mail server in an easy manner and to solve an apparent 'missing' email problem for one of my mailbox users. (Actually it wasn't missing: it was going directly to the Spam folder. But the tool the users were using did not allow the spam folder to be easily read and it didn't properly learn what was and was not spam.)
To that end, I chose to drop the Axigen mail platform, which was problematic for me at best.
I had several goals with this upgrade:
- Block Spam
- Auto Learn if Spam is in the Spam mailbox or moved out to the Users Mailbox using a system wide learning tool
- Disable Auto-movement of Spam mail to the Spam mailbox on a per user basis
- Web based monitoring of where mail is going at all times
- Multi-domain configuration with database backed aliases, etc.
- Support for IMAP over SSL, POP over SSL, and SMTP over SSL
In search of solutions, I investigated Zimbra and Gmail. I would have liked to use Zimbra, but given how my network is set up, it just would not install. Zimbra is not designed to be installed within a DMZ without access to the internal DNS configuration. So this was not for me. As for Gmail, having a third party with access to my email raised privacy concerns that were not to my liking. This to me is a jurisdictional issue. (By the way, I do have a Gmail account, but I use it as a backup, just in case my mail server has issues. This has happened twice in 20 or so years.)
In the end I went back to what I know. I know how to configure and use MailScanner. But I wanted to make sure I could monitor my email environment easily. Did MailScanner have a new tool to aid in monitoring? A quick search showed me that it did, via the MailWatch interface (and it was relatively current as well!).
However, since MailScanner is not everything, I still needed a mail transport agent (MTA). For this I chose Postfix, as I was also familiar with it and it was supported by MailScanner (albeit not quite the same way the Postfix team envisioned). There was also a web based tool called Postfix.Admin that allows for management of multiple domains, aliases, etc. I would then use Dovecot for IMAP and POP over SSL support.
MailScanner has support for many anti-virus programs and integrates with SpamAssassin, which is finally active again (it may not have been inactive, but since SARE went offline it was fairly useless at blocking new Spam). This is extremely important because the Spam rules must be updated at all times.
It seems there is just not one tool that does everything. So I finally decided on using:
- MailScanner
- Postfix
- ClamAV (via clamD)
- Dovecot
- SpamAssassin
- MailWatch
- Postfix.Admin
And to add to the web based management capabilities I chose to use Webmin as well.
Postfix was trivial to get working without a SQL backend. It is important to have Postfix working before you add in MailScanner. MailScanner requires the MTA, Anti-Virus, and SpamAssassin to be pre-installed. The install script that comes with MailScanner is very good at resolving dependencies. Even so, the key to integrating everything is to pay very close attention to permissions. MailScanner runs as the Postfix user; this is crucial. ClamAV, however, generally runs as the clam or clamav user. User permissions are the worst issues to overcome. Here is what I ended up doing:
- Postfix as postfix user
- Dovecot as mail user using Maildir format
- Dovecot deliver program running as mail (from within Postfix). To do this, I set my local_transport within Postfix to be 'virtual', which uses the virtual_transport mechanism to store local email. If you use the standard mailbox_command setting to call the Dovecot deliver program, deliver cannot deliver the email without setuid permissions, which is a poor security choice. In addition, to make this happen, I had to set the Postfix virtual_minimum_uid option to the UID of the mail user and set virtual_uid_maps to 'static:8'. In essence, email is always delivered as the mail user. Since I do not have physical local users, this allows Dovecot to manage all email.
- SpamAssassin runs via MailScanner, so it runs as the user postfix
- ClamD, however, was changed to run as the root user. Eventually, this will need to change back to the clam user, but there are issues with being able to write and read the temporary files owned by postfix. Running as either mail or postfix did not solve this problem.
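The delivery identity described in the list above can be checked mechanically. The following is an added example, not part of the original setup: it audits `postconf -n` style text for the three Postfix settings named above and flags a setuid deliver binary. The deliver path and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the delivery identity described in the list above.
# Input is "name = value" text in the format printed by `postconf -n`.

conf_get() {   # print the last value of parameter $1 from stdin
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# audit_delivery CONF_TEXT DELIVER_PATH: one finding per line, returns 1 if any
audit_delivery() {
    conf=$1; deliver=$2; rc=0
    transport=$(printf '%s\n' "$conf" | conf_get local_transport)
    uid_map=$(printf '%s\n' "$conf" | conf_get virtual_uid_maps)
    min_uid=$(printf '%s\n' "$conf" | conf_get virtual_minimum_uid)
    min_uid=${min_uid:-100}   # Postfix default when the parameter is unset

    [ "$transport" = virtual ] ||
        { echo "local_transport is '$transport', not virtual"; rc=1; }
    case $uid_map in
        static:|static:*[!0-9]*)
            echo "virtual_uid_maps is not static:<uid>"; rc=1 ;;
        static:*)
            uid=${uid_map#static:}
            [ "$uid" -ne 0 ] || { echo "mail is delivered as root"; rc=1; }
            [ "$uid" -ge "$min_uid" ] ||
                { echo "uid $uid is below virtual_minimum_uid $min_uid"; rc=1; }
            ;;
        *) echo "virtual_uid_maps is not static:<uid>"; rc=1 ;;
    esac
    # A setuid deliver binary is the workaround the setup above avoids.
    [ ! -u "$deliver" ] || { echo "$deliver is setuid"; rc=1; }
    return $rc
}

# Constructed sample mirroring the settings in the text (mail user = UID 8).
SAMPLE_CONF='local_transport = virtual
virtual_minimum_uid = 8
virtual_uid_maps = static:8'

# Hypothetical deliver path; on a live host pass "$(postconf -n)" instead.
audit_delivery "$SAMPLE_CONF" "${DELIVER:-/usr/libexec/dovecot/deliver}" &&
    echo "delivery identity matches the described setup"
```

The UID check matters because the Postfix virtual delivery agent refuses to deliver as a UID below virtual_minimum_uid, which is why the option had to be lowered to the mail user's UID.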
There are lots of write-ups on how to get MailScanner + Postfix + Dovecot working together. I used the following resources to install and solve problems.
- Virtual Users And Domains With Postfix, MailScanner, Mailwatch & MySQL On CentOS 5.1 -- Used to install, configure, and run MailScanner, MailWatch, Postfix, etc. with MySQL. Great tutorial here.
- MailScanner Installation Guide - Postfix -- Used to aid in configuring MailScanner + Postfix
- MailWatch for MailScanner Installation Instructions -- Used to aid in configuring MailWatch
- MailWatch Tips and Tricks: GeoIP update -- Used to manually update the GeoIP DB, as the online one was broken even after using the latest from HEAD.
- Ending spam -- Used to configure SpamAssassin to increase Spam detection. I followed all these rules except the installation of CRM114 (which may still happen). I also set up SpamAssassin to update daily using the mechanism documented here.
- Dovecot Sieve plugin -- Used to configure per user movement of Spam mail to a Spam folder
- Postfix SASL Howto -- Used to have Dovecot handle SMTP over SSL authentication
When I was done, I ran the following to test everything:
sudo -u postfix MailScanner --lint
Then I wrote a script that does an sa-learn every night once all my mail has been moved around. It learns not only what is considered Spam, but also what is considered to be Ham. I ran this script periodically during the first few days by hand to train SpamAssassin with what is already there.
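A nightly training pass of the kind described above could look like the following. This is an added example, not the author's script. The mail root `/var/vmail`, the `<domain>/<user>` layout and the `.Spam` folder name are assumptions, and it must run as an account that can read the Maildirs and write the Bayes database MailScanner's SpamAssassin uses.

```shell
#!/bin/sh
# Added example: nightly Bayes training over Maildir folders.
# Assumed layout (not from the article): $MAIL_ROOT/<domain>/<user>/ is the
# inbox Maildir and $MAIL_ROOT/<domain>/<user>/.Spam/ is the Spam folder.
MAIL_ROOT=${MAIL_ROOT:-/var/vmail}
SA_LEARN=${SA_LEARN:-sa-learn}

# learn KIND DIR: feed one Maildir subdirectory to sa-learn; skip if empty.
learn() {
    [ -d "$2" ] && [ -n "$(ls -A "$2")" ] || return 0
    "$SA_LEARN" --no-sync "--$1" "$2" >/dev/null
}

# train_all ROOT: returns non-zero if any sa-learn call failed.
train_all() {
    root=$1; failed=0
    for box in "$root"/*/*/; do
        [ -d "${box}cur" ] || continue
        # Only cur/ is used: mail still in new/ has not been seen by a mail
        # client, so nobody has had the chance to move it yet.
        learn ham  "${box}cur"       || failed=1
        learn spam "${box}.Spam/cur" || failed=1
    done
    # One journal sync at the end instead of one per folder.
    "$SA_LEARN" --sync >/dev/null || failed=1
    return $failed
}

# Run from cron when the mail root exists.
[ ! -d "$MAIL_ROOT" ] || train_all "$MAIL_ROOT"
```

Restricting training to `cur/` keeps unreviewed mail out of the Bayes database, so a false positive sitting unseen in the Spam folder is not reinforced before anyone can move it out.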
This went fairly smoothly, but I wanted to have better control over user passwords, so I implemented DIGEST-MD5 passwords in Postfix.Admin and donated the patch back to Postfix.Admin. There are still a few issues, but this allows you to store your password in DIGEST-MD5 mode. I still have to work on the ability to submit via DIGEST-MD5, etc.
In addition, I wanted to be able to better control my whitelists in MailScanner (there is a method to do this in MailWatch, but it too is broken). I hope to get that patch uploaded shortly as well.
I now have an easy to monitor email subsystem that tells me that I receive roughly 49.5% of high scoring Spam. I will continue to refine this system and perhaps add in other spam fighting techniques, but for now the system runs quickly and allows easy monitoring and a quick way to manage whitelists, aliases, and virtual domains.
Now, this runs within a well monitored VM, but not within a Cloud just yet.