Jamyy's Weblog

在 CentOS 7 安裝 Sendmail + ClamAV + MailScanner

by Jamyy on 八月.22, 2014, under Linux

  • 產生憑證
  • 安裝郵件服務套件
    • saslauthd
    • dovecot
    • sendmail
  • 安裝 ClamAV
  • 安裝 MailScanner
  • 讓 clamdscan 可以掃描 MailScanner/incoming 郵件
  • 啟用 MailScanner 服務

產生憑證

# cd /etc/pki/tls/certs
# make mail.pem (Server 用)
# openssl x509 -in mail.pem -out mail.der (只輸出憑證, 不含私鑰; 提供給 Windows User 安裝到 "信任的根憑證授權". mail.pem 同時含有私鑰, 只能留在 Server 上. 未加 -outform DER 時, 輸出內容仍是 PEM 編碼)

安裝郵件服務套件

# yum install cyrus-sasl cyrus-sasl-plain \
   dovecot sendmail sendmail-cf spamassassin

saslauthd

# vi /usr/lib64/sasl2/Sendmail.conf

pwcheck_method:saslauthd

# systemctl enable saslauthd
# systemctl start saslauthd

dovecot

# vi /etc/dovecot/conf.d/10-mail.conf

mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_access_groups = mail

# vi /etc/dovecot/conf.d/10-auth.conf

auth_mechanisms = plain login

# vi /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/pki/tls/certs/mail.pem
ssl_key = </etc/pki/tls/certs/mail.pem

# systemctl enable dovecot
# systemctl start dovecot

sendmail

# vi /etc/mail/local-host-names

mydomain.com

# vi /etc/mail/sendmail.mc

dnl # Both lists below include LOGIN and PLAIN, which carry the password in a
dnl # trivially reversible encoding, so they are only safe inside a TLS session.
dnl # NOTE(review): consider also setting confAUTH_OPTIONS to A p so sendmail
dnl # does not offer these two mechanisms on an unencrypted connection;
dnl # confirm that every mail client in use negotiates STARTTLS first.
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/mail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/mail.pem')dnl

DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

安裝 ClamAV

# rpm -Uvh http://ftp.riken.jp/Linux/fedora/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm (經由 http 下載, 且此時尚未匯入 EPEL GPG key, rpm 只會警告而不會驗證簽章; 請先從可信來源核對套件再安裝)
# yum install clamav clamav-server clamav-update clamav-scanner

# vi /etc/freshclam.conf

#Example

# vi /etc/clamd.d/scan.conf

#Example
LogFile /var/log/clamd.scan
LogTime yes
LogSyslog yes
PidFile /var/run/clamd.scan/clamd.pid
LocalSocket /var/run/clamd.scan/clamd.sock
User clamscan
AllowSupplementaryGroups yes

# ln -s /etc/clamd.d/scan.conf /etc/clamd.conf

# touch /var/log/clamd.scan
# chown :clamscan $_
# chmod 0620 $_
# restorecon $_ (for SELinux=enforcing)

# vi /etc/sysconfig/freshclam

#FRESHCLAM_DELAY=disabled-warn	# REMOVE ME

# freshclam

# systemctl enable clamd@scan
# systemctl start clamd@scan

安裝 MailScanner

# vi /etc/yum.repos.d/atrpm.repo

[atrpms]
name=CentOS $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
gpgcheck=1
enabled=0

# yum install --enablerepo=atrpms unrar DCC razor-agents
# rpm -Uvh http://ftp.isu.edu.tw/Linux/Fedora/linux/releases/19/Everything/x86_64/os/Packages/p/pyzor-0.5.0-8.fc19.noarch.rpm

# vi /etc/mail/spamassassin/v310.pre

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2

# echo /usr/libexec/dcc/dccifd >> /etc/rc.d/rc.local
# chmod +x /etc/rc.d/rc.local
# /usr/libexec/dcc/dccifd

# yum install \
perl-Archive-Zip \
perl-DBI \
perl-DBD-SQLite \
perl-OLE-Storage_Lite \
perl-Sys-SigAction \
perl-MIME-tools

# yum install perl-CPAN perl-YAML gcc wget
# cpan

(接受所有預設值)

# cpan

cpan> install Filesys::Df
cpan> install Sys::Hostname::Long
cpan> install Net::CIDR
cpan> exit

# wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.84.6-1.rpm.tar.gz
# tar zxf MailScanner-*
# cd MailScanner-*
# yum install --nogpgcheck mailscanner* tnef* (--nogpgcheck 會略過套件簽章驗證, 而 tarball 是經由 http 下載; 安裝前請先核對檔案來源與檢查碼)

# vi /etc/init.d/MailScanner

"${NETWORKING}" = "no"

:%s/$MTA/"$MTA"/g

# vi /etc/MailScanner/MailScanner.conf

%org-name% = MYCOM
Incoming Work Group = clamscan
Incoming Work Permissions = 0640
Virus Scanners = clamd
Clamd Socket = /var/run/clamd.scan/clamd.sock
Clamd Use Threads = yes

# vi /etc/MailScanner/spam.assassin.prefs.conf

envelope_sender_header X-MYCOM-MailScanner-From
#use_auto_whitelist 0
dcc_path /usr/bin/dccproc
dcc_home /etc/dcc

:%s/X-YOURDOMAIN-COM-M/X-MYCOM-M/g

# vi /etc/MailScanner/virus.scanners.conf

clamd           /bin/false                              /usr

讓 clamdscan 可以掃描 MailScanner/incoming 郵件

# mv /usr/bin/clamdscan /usr/bin/clamdscan-cmd
# vi /usr/bin/clamdscan

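#!/bin/bash
#
# Wrapper installed as /usr/bin/clamdscan; the packaged binary has been moved
# to /usr/bin/clamdscan-cmd. It adds --fdpass to every invocation so that the
# already-opened file descriptor is handed to clamd over its local socket.
#
# Arguments: passed through unchanged to clamdscan-cmd.
# Returns:   the exit status of clamdscan-cmd.

# "$@" must be quoted: unquoted, a path containing whitespace or glob
# characters would be split or expanded before the scanner sees it, so the
# scanner could be handed a different set of paths than the caller asked for.
# exec replaces the wrapper shell, so the scanner's exit status reaches the
# caller directly.
exec /usr/bin/clamdscan-cmd --fdpass "$@"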

# chmod +x /usr/bin/clamdscan

SELinux=disabled 到此即可, 以下是 SELinux=enforcing 的處理

# restorecon /usr/bin/clamdscan

# MailScanner --lint

MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/3180
Virus Scanning: Clamd found 1 infections
Virus Scanning: Found 1 viruses
===========================================================================

# yum install policycoreutils-python
# grep mscan_spool /var/log/audit/audit.log | audit2allow -M clamd-mailscanner
# semodule -i clamd-mailscanner.pp (載入前先檢視 audit2allow 產生的 clamd-mailscanner.te, 確認只放行 clamd 存取 MailScanner spool 所需的權限)

# MailScanner --lint

MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================

啟用 MailScanner 服務

# systemctl disable postfix
# systemctl stop postfix
# systemctl disable sendmail
# systemctl stop sendmail
# systemctl enable MailScanner
# systemctl start MailScanner


 
Ref:


