After installing CentOS on your machine, proceed with the steps given below.
Install Postfix on your machine using the following command:
# yum install postfix -y
Services To Disable
To enhance security and free system resources, we need to disable any services that are not required. The services to turn off are:
· acpid
· anacron
· apmd
· autofs
· bluetooth
· cups
· firstboot
· gpm
· haldaemon
· messagebus
· mdmonitor
· hidd
· ip6tables
· kudzu
· lvm2-monitor
· netfs
· nfslock
· pcscd
· portmap
· rpcgssd
· rpcidmapd
· sendmail
· smartd
· yum-updatesd
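As an added example (this editor's script, not from the original post), the following audits `chkconfig --list` output against the list above and prints the commands that would turn off whatever is still enabled in runlevels 3 to 5; run it with --live on the server to audit the real system instead of the constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: audit `chkconfig --list` output
# against the list of services above and show what is still enabled.

# Services the how-to says to disable (the list above), normalised to one line.
DISABLE_LIST='acpid anacron apmd autofs bluetooth cups firstboot gpm haldaemon
messagebus mdmonitor hidd ip6tables kudzu lvm2-monitor netfs nfslock pcscd
portmap rpcgssd rpcidmapd sendmail smartd yum-updatesd'
DISABLE_LIST=$(printf '%s' "$DISABLE_LIST" | tr '\n' ' ')

# still_enabled: read `chkconfig --list` lines on stdin and print the names of
# listed services that are still "on" in runlevel 3, 4 or 5.
still_enabled() {
    while read -r name levels; do
        case " $DISABLE_LIST " in
            *" $name "*) ;;      # one of ours, keep checking
            *) continue ;;       # not on the list (or a header line)
        esac
        case "$levels" in
            *3:on*|*4:on*|*5:on*) printf '%s\n' "$name" ;;
        esac
    done
}

# disable_cmds: print the chkconfig/service commands for the given services so
# they can be reviewed before running (apply with: disable_cmds ... | sh).
disable_cmds() {
    for svc in "$@"; do
        printf 'chkconfig %s off && service %s stop\n' "$svc" "$svc"
    done
}

# Constructed sample of `chkconfig --list` output used for the demonstration.
SAMPLE='acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off'

if [ "${1:-}" = "--live" ]; then
    disable_cmds $(chkconfig --list | still_enabled)    # audit the real system
else
    disable_cmds $(printf '%s\n' "$SAMPLE" | still_enabled)
fi
```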
Basics
We need to fix a few issues to prepare the system for configuration.
· Install updates
# yum upgrade
· Switch the MTA to Postfix
# alternatives --config mta
There are 2 programs which provide 'mta'.
Selection Command
1 /usr/sbin/sendmail.postfix*
2 /usr/sbin/sendmail.sendmail
Enter to keep the current selection[+], or type selection number: 1
Install the caching-nameserver configuration:
# yum install caching-nameserver
Install Build tools:
# yum install gcc cpp gcc-c++ automake automake14 automake15 automake16 automake17 openssl-devel subversion ncurses-devel -y
Install Webmin / Virtualmin
Import the Webmin PGP key:
# wget http://www.webmin.com/jcameron-key.asc
# rpm --import jcameron-key.asc
Download the rpm:
# wget http://prdownloads.sourceforge.net/webadmin/webmin-1.390-1.noarch.rpm
Verify the rpm (should say OK or else download again):
# rpm --checksig webmin-1.390-1.noarch.rpm
Install the rpm:
# rpm -Uvh webmin-1.390-1.noarch.rpm
Now restart Webmin:
# service webmin restart
Configure Rpmforge Repo
# rpm -Uhv http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
NOTE: If you are using a different architecture, check https://rpmrepo.org/RPMforge/Using for the correct rpm.
Disable the repo (so that base packages are not overwritten): edit /etc/yum.repos.d/rpmforge.repo and set the following option:
enabled = 0
Note: save and exit.
Install Extra Required Packages
Install the Sanesecurity ClamAV signature update script and run it hourly from cron:
# wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
# chmod +x /usr/local/bin/update_sanesecurity.sh
# ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
Install PHP eaccelerator:
# yum --enablerepo=rpmforge install php-eaccelerator
Install newer spamassassin package from rpmforge:
# yum --enablerepo=rpmforge upgrade spamassassin
Install spamass-milter:
# yum --enablerepo=rpmforge install spamass-milter
Install perl modules required by spamassassin:
# perl -MCPAN -e 'install Mail::SPF'
# perl -MCPAN -e 'install Mail::SPF::Query'
# perl -MCPAN -e 'install Net::Ident'
# perl -MCPAN -e 'install IP::Country::Fast'
# perl -MCPAN -e 'install Mail::DomainKeys'
# perl -MCPAN -e 'install Mail::DKIM'
Install fuzzyOCR:
# yum --enablerepo=rpmforge install netpbm-progs ocrad gocr gifsicle giflib-utils giflib -y
# svn co https://svn.own-hero.net/fuzzyocr/trunk/devel/
# cd devel/
# perl -MCPAN -e 'install String::Approx'
# perl -MCPAN -e 'install Time::HiRes'
# perl -MCPAN -e 'install Log::Agent'
# cp -rv {FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/} /etc/mail/spamassassin
# chcon -R system_u:object_r:etc_mail_t /etc/mail/spamassassin/{FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/}
# wget http://www.gbnetwork.co.uk/mailscanner/FuzzyOcr.words -O /etc/mail/spamassassin/FuzzyOcr.words
Install Razor:
# yum --enablerepo=rpmforge install razor-agents -y
Install roundcube:
# yum install php-imap
# rpm -Uvh http://www.topdog-software.com/oss/roundcube/roundcube-0.1-rc2.noarch.rpm
Install imapproxy:
# wget http://imapproxy.org/downloads/up-imapproxy-1.2.6.tar.gz
# rpmbuild -tb up-imapproxy-1.2.6.tar.gz
# rpm -Uvh /usr/src/redhat/RPMS/i386/up-imapproxy-1.2.6-1.i386.rpm
Activate services:
# chkconfig --level 345 httpd on
# chkconfig --level 345 postfix on
# chkconfig --level 345 spamassassin on
# chkconfig --level 345 spamass-milter on
# chkconfig --level 345 mysqld on
# chkconfig --level 345 named on
# chkconfig --level 345 vsftpd on
# chkconfig --level 345 dovecot on
# chkconfig --level 345 imapproxy on
Configuration
Postfix Setup
We will be setting up postfix with the following features:
· Virtual hosting
· UCE prevention
· Anti virus
· SMTP authentication
· TLS
· RBLs
· SPF
· Attack mitigation
Adding accounts and domains will be done through Virtualmin, although it can be done manually as well. The setup is designed to be resource friendly, so it should run on machines that are not over-specced and leave resources free for better use. To keep it light we do not use an external database to store virtual user information, as most other how-tos do, and we use milters for spam and virus checking instead of running amavisd-new.
The Basics
To begin with we will configure the basics such as the hostname, mail origin, networks, hash maps and spool directory. All of these options go in /etc/postfix/main.cf unless stated otherwise (the original shows them in red). Sample configuration files are available for download at the end of this page.
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mydomain = example.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
mail_spool_directory = /var/spool/mail
Maildir Format
We will use the much improved maildir format as opposed to the default mbox format:
home_mailbox = Maildir/
SASL
To perform SMTP authentication we will be using SASL. We will not use Cyrus SASL, as that requires running the saslauthd daemon; instead we use Dovecot SASL, since we will be running Dovecot for IMAP and POP3 anyway, thus killing two birds with one stone.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
TLS
We need TLS so that plain text passwords are not transmitted over the wire during SMTP authentication; servers that support TLS are also able to communicate with this server over a secured connection.
Instructions on creating your server certificate signed by cacert.org can be found here.
Set the TLS random source:
tls_random_source = dev:/dev/urandom
Enable server TLS:
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/postfix/key.pem
smtpd_tls_cert_file = /etc/pki/postfix/server.pem
smtpd_tls_CAfile = /etc/pki/postfix/root.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
Enable client TLS:
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/postfix/key.pem
smtp_tls_cert_file = /etc/pki/postfix/server.pem
smtp_tls_CAfile = /etc/pki/postfix/root.crt
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes
Spam Prevention
Require a valid EHLO / HELO:
smtpd_helo_required = yes
disable_vrfy_command = yes
Change the reject codes to permanent (by default Postfix issues 4xx codes for these, which signal a temporary failure; we want 5xx so the rejection is permanent):
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550
Set up sender address verification:
address_verify_map = btree:/var/spool/postfix/verify
smtpd_sender_restrictions = hash:/etc/postfix/sender_access
Note: alternatively, download these files, then extract them and copy them to their destinations:
main.cf
master.cf
canonical
virtual
Extract the files:
# gzip -d main.cf
# gzip -d master.cf
# gzip -d canonical
# gzip -d virtual
Copy all of the files to their destination:
# cp main.cf /etc/postfix
# cp master.cf /etc/postfix
# cp canonical /etc/postfix
# cp virtual /etc/postfix
Create /etc/postfix/sender_access and add the following:
# vi /etc/postfix/sender_access
#sample /etc/postfix/sender_access contains frequently spoofed domains
aol.com reject_unverified_sender
hotmail.com reject_unverified_sender
yahoo.com reject_unverified_sender
gmail.com reject_unverified_sender
bigfoot.com reject_unverified_sender
The following also go in /etc/postfix/main.cf; they slow down clients that keep making errors and reject commands pipelined before the server allows it:
smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_data_restrictions = reject_unauth_pipelining
Note: after pasting these lines in vi, press Escape, then type :wq and press Enter to save the file.
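Added check, not from the original post: feed it `postconf -n` output and it reports which of the main.cf settings above are missing or set differently. It also expects smtpd_tls_auth_only = yes, which the fragments above do not set; without it Postfix still offers AUTH on unencrypted connections, so the TLS section's goal is not actually enforced.

```shell
#!/bin/sh
# Added example, not from the original post: compare `postconf -n` output with
# the hardening settings described above and report gaps. Expected values come
# from the main.cf fragments in the text plus smtpd_tls_auth_only (assumed
# here), which Postfix needs before it stops offering AUTH on plaintext sessions.

EXPECTED='smtpd_helo_required=yes
disable_vrfy_command=yes
smtpd_sasl_auth_enable=yes
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
unverified_sender_reject_code=550
unverified_recipient_reject_code=550
unknown_local_recipient_reject_code=550
smtpd_data_restrictions=reject_unauth_pipelining'

# audit_postconf: read `postconf -n` lines ("name = value") on stdin and print
# one line per expected parameter that is missing or set to another value.
audit_postconf() {
    # normalise "name = value" to "name=value" so keys can be matched exactly
    conf=$(sed 's/[[:space:]]*=[[:space:]]*/=/')
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        if ! printf '%s\n' "$conf" | grep -q "^$key="; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
            continue
        fi
        got=$(printf '%s\n' "$conf" | grep "^$key=" | head -n 1 | cut -d= -f2-)
        [ "$got" = "$want" ] || printf 'WRONG   %s = %s (want %s)\n' "$key" "$got" "$want"
    done
}

# Constructed sample of `postconf -n` output: one setting wrong, one missing.
SAMPLE='disable_vrfy_command = yes
mydomain = example.com
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 450'

if [ "${1:-}" = "--live" ]; then
    postconf -n | audit_postconf     # audit the running Postfix
else
    printf '%s\n' "$SAMPLE" | audit_postconf
fi
```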
Install postfix-policyd-spf-perl and enable SPF support:
# wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
# tar xzvf postfix-policyd-spf-perl-2.005.tar.gz
# cd postfix-policyd-spf-perl-2.005
# cp postfix-policyd-spf-perl /etc/postfix/
Dovecot Setup
This will set up Dovecot as our IMAP/POP3 server.
Basic Configuration
We will set up Dovecot for IMAP and POP3 and disable SSL.
vi /etc/dovecot.conf
protocols = imap pop3
listen = *
ssl_listen = *
ssl_disable = yes
mail_location = maildir:~/Maildir
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
  listen = 127.0.0.1:10143
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
Note: Save and exit
If you do not want to do these steps, download the dovecot.conf file and replace the current file with it:
dovecot.conf
Setup Imap Proxy
Introduction
imapproxy was written to compensate for webmail clients that are unable to maintain persistent connections to an IMAP server. Most webmail clients need to log in to an IMAP server for nearly every single transaction. This behaviour can cause tragic performance problems on the IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a short time after a webmail client logs out. When the webmail client connects again, imapproxy will determine if there's a cached connection available and reuse it if possible. - according to the imapproxy website.
Configuration
Set the following options in /etc/imapproxy.conf (shown in red in the original):
server_hostname 127.0.0.1
cache_size 3072
listen_port 143
server_port 10143
cache_expiration_time 900
proc_username nobody
proc_groupname nobody
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache yes
foreground_mode no
force_tls no
enable_admin_commands no
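Added check, not from the original post: it reads `netstat -ltn` output and verifies the listener layout built above, imapproxy on port 143 in front of Dovecot IMAP on 127.0.0.1:10143 only. Because Dovecot runs with ssl_disable = yes and imapproxy with force_tls no, the second function lists the IMAP/POP3 listeners reachable off loopback, which accept passwords in the clear and should be restricted at the firewall to the clients that need them.

```shell
#!/bin/sh
# Added example, not from the original post: check `netstat -ltn` output against
# the layout above (imapproxy on port 143 in front of Dovecot IMAP bound to
# 127.0.0.1:10143). With ssl_disable = yes and force_tls no, ports 110 and 143
# accept passwords in the clear, so plaintext_exposed lists where they are reachable.

# listeners: print the local "addr:port" of every LISTEN line (IPv4 or IPv6).
listeners() {
    awk '$NF == "LISTEN" { print $4 }'
}

# check_imap_layout: read `netstat -ltn` on stdin; print one line per problem.
check_imap_layout() {
    addrs=$(listeners)
    printf '%s\n' "$addrs" | grep -Eq '(^|:)143$' \
        || echo 'NO_LISTENER port 143 (imapproxy)'
    printf '%s\n' "$addrs" | grep -q ':10143$' \
        || echo 'NO_LISTENER port 10143 (dovecot imap backend)'
    # the backend must only be reachable through the proxy, i.e. on loopback
    printf '%s\n' "$addrs" | grep ':10143$' | grep -Ev '^(127\.0\.0\.1|::1):10143$' \
        | sed 's/^/EXPOSED dovecot imap on /'
}

# plaintext_exposed: IMAP/POP3 listeners bound to non-loopback addresses, sorted.
plaintext_exposed() {
    listeners | grep -E ':(110|143)$' | grep -Ev '^(127\.0\.0\.1|::1):' | sort
}

# Constructed samples of `netstat -ltn` output for the demonstration.
SAMPLE_OK='Proto Recv-Q Send-Q Local Address   Foreign Address  State
tcp        0      0 0.0.0.0:25      0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:143     0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:110     0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.1:10143 0.0.0.0:*        LISTEN'
SAMPLE_BAD='tcp        0      0 0.0.0.0:143     0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:10143   0.0.0.0:*        LISTEN'

if [ "${1:-}" = "--live" ]; then
    netstat -ltn | check_imap_layout     # audit the running server
    netstat -ltn | plaintext_exposed
else
    printf '%s\n' "$SAMPLE_BAD" | check_imap_layout
    printf '%s\n' "$SAMPLE_OK" | plaintext_exposed
fi
```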
Vsftpd Setup
Introduction
We will use vsftpd as our FTP server. It has a better track record than the proftpd and wu-ftpd servers.
# yum install vsftpd
Note you can use any FTP server like
Anti Virus Configuration
For anti-virus configuration, see the following link:
http://linux-web-server.blogspot.com/2010/03/antiivius-on-linux-mail-server.html
Change the MySQL root password:
# service mysqld start
# mysqladmin -u root password NEWPASSWORD
SpamAssassin Setup
Create MySQL Database
# mysqladmin -p create bayes
# mysql -p bayes < /usr/share/doc/spamassassin-$(rpm --qf %{VERSION} -q spamassassin)/sql/bayes_mysql.sql
# mysql -p
mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY 'password';
Configure To Use DB
Edit the file /etc/mail/spamassassin/local.cf and add the following lines:
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username bayes
bayes_sql_password password
Configure FuzzyOCR
We will store the image hashes in a MySQL database to improve performance, so that images we have already scanned are not scanned again, as OCR is a resource-intensive activity.
Create MySQL Database
# mysql -p < /usr/local/src/devel/FuzzyOcr.mysql
# mysqladmin -u fuzzyocr -p fuzzyocr password
Basic Settings
Edit /etc/mail/spamassassin/FuzzyOcr.cf and set the basic options:
# vi /etc/mail/spamassassin/FuzzyOcr.cf
focr_path_bin /usr/bin:/usr/local/bin
focr_minimal_scanset 1
focr_autosort_scanset 1
focr_enable_image_hashing 3
focr_logfile /tmp/FuzzyOcr.log
Note: now save and exit.
Make FuzzyOCR Use The Database
Edit the file /etc/mail/spamassassin/FuzzyOcr.cf and add:
focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/lib/mysql/mysql.sock
Note: Now Save & Exit
SARE Rule Updates
# mkdir /etc/mail/spamassassin/sa-update-keys/
# chmod 700 /etc/mail/spamassassin/sa-update-keys/
# wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
# sa-update --import GPG.KEY
Create the channels file /etc/mail/spamassassin/sare-sa-update-channels.txt with the following contents:
vi /etc/mail/spamassassin/sare-sa-update-channels.txt
updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
Note: Now Save & Exit
Create an update script /usr/local/bin/update-sa with the following contents:
vi /usr/local/bin/update-sa
#!/bin/bash
#
#
sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A &>/var/log/sa-updates.log
Note: Save & Exit
# chmod +x /usr/local/bin/update-sa
# ln -s /usr/local/bin/update-sa /etc/cron.daily/
# ln -s /usr/local/bin/update-sa /etc/cron.hourly/
Spamass-milter Setup
Edit /etc/sysconfig/spamass-milter:
SOCKET=/var/run/spamass.sock
EXTRA_FLAGS="-m -r 8"
We need to patch the init file to fix the permissions of the socket created such that postfix is able to use the socket.
# wget http://www.topdog-software.com/files/spamass-milter.patch
# patch /etc/rc.d/init.d/spamass-milter < spamass-milter.patch
Roundcube Webmail Setup
Create the database and add the roundcube user.
mysqladmin -p create roundcube
mysql -p
mysql> GRANT ALL ON roundcube.* TO roundcube@localhost IDENTIFIED BY 'password';
Initialize the database:
mysql -u roundcube -p roundcube < /usr/share/doc/roundcube-0.1/SQL/mysql5.initial.sql
Basic Config
Configure the database DSN in /var/www/roundcube/config/db.inc.php; find the existing line and replace it with:
$rcmail_config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';
Configure Roundcube in /var/www/roundcube/config/main.inc.php; find each of the following settings and replace it with the line given:
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['default_port'] = 143;
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 25;
$rcmail_config['smtp_helo_host'] = 'localhost';
Note: Save & Exit Now
Edit /etc/httpd/conf/httpd.conf and add the following virtual host at the bottom (the VirtualHost and Directory wrapper lines are assumed here). Afterwards you can reach Roundcube webmail at http://webmail.domainname.com/.
<VirtualHost *:80>
    ServerName webmail.example.com
    ServerAlias webmail.*
    DocumentRoot /var/www/roundcube
    <Directory /var/www/roundcube>
        allow from all
    </Directory>
</VirtualHost>
Note: save and exit.
Now Install Virtualmin
Download the Virtualmin installer from http://software.virtualmin.com/gpl/scripts/install.sh
Once it has downloaded, run the following command:
# sh install.sh
It will check your system and install automatically. When the install finishes, reboot the system and open Virtualmin at https://domainname.com:10000
For Usermin use http://domainname.com:20000/
Reference Link
http://www.howtoforge.com/virtual-hosting-with-virtualmin-on-centos5.1