New distro

Remco Barendse mailscanner at barendse.to
Fri Jun 11 09:20:06 UTC 2021


Hi list!

OK, with the input and help from the list I managed to complete the 
script for a super easy install of MailScanner+postfix+SpamAssassin on a 
fresh install of Ubuntu and got it working!

See attached, still work in progress ;)

All it takes is main.cf from Thom's website in the same directory as the 
script, and specify hostname, domain name and ip address of the exchange 
server where to deliver the mail i.e.:
./mailscanner-postfix.sh gw1 mynicedomain.com 10.1.0.60

Some questions :
- Not sure if pyzor, razor and DCC still do any good, I added 
pyzor+razor packages to the spamassassin install, DCC requires 
manual install. (Do pyzor and razor need configuration?)
   razor-admin -register tells me :
   Unable to register without a valid razorhome or identity
- spamassassin -D hangs when I run it yet test mail gets delivered
- 5 missing perl modules, can I skip/ignore them or has someone found them :
   Digest::SHA1 (is it included in libdigest-sha-perl ? Will MailScanner
     install Digest::SHA1 from CPAN nonetheless if I install the package
     and will I end up with 2 conflicting packages ?)
   IP::Country (is it included in libgeo-ipfree-perl ? same as Digest)
   Mail::ClamAV
   Mail::SPF::Query (is it included in spf-tools-perl ?)
   SAVI
- Should I run ms-configure ?

Thom created /usr/local/etc/postfix-db to create the databases, I am 
thinking to either move that to cron.hourly instead or create it as a 
"make" file in postfix directory just like it was with sendmail :)

Still to do : fail2ban, postscreen, SPF, DKIM, DANE, DMARC, BIFI, CAA

Thanks for any comments / help / tips to further improve :)




On Wed, 9 Jun 2021, Ian wrote:

> On 08/06/2021 15:30, Remco Barendse wrote:
>
>>  I yet need to figure out some things. Can I forward scanned mail to
>>  exchange by putting this in /etc/postfix/transport :
>>  mynicedomain.com         smtp:[10.1.0.60]
>
> Hi,
>
> Yes, that's exactly what I use.
>
> If forwarding to exchange you might be interested in 'address verification'*. 
> This allows postfix to verify an email address with exchange before accepting 
> it on the MailScanner.  Which means that you don't have to maintain a local 
> list of acceptable addresses.
>
> * http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>
>
> Regards
>
> Ian

-------------- next part --------------
#!/bin/sh
# Script to install and configure MailScanner + postfix on Ubuntu 20.04
# Remco Barendse 11-JUN-2021 - Inspired on instructions from :
# https://vanderboon.net/2021/06/01/installing-mailscanner-5-4-with-postfix-on-ubuntu-20-04-lts/
# https://sites.google.com/site/wikirolanddelepper/mailscanner/configure-postfix-for-mailscanner
# https://serverfault.com/questions/280585/how-do-i-configure-postfix-to-deliver-mail-for-specified-domains-to-another-host
# http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# Test with : mailx -r 'klaus.mustermann at example.com' -s 'Subject Line' -S 'smtp=<PUBLICIP>' 'validuser at myemailonexchange.com' < /dev/null
# To do : Install : fail2ban, pyzor, razor, dcc, postscreen,SPF, DKIM, DANE, DMARC, BIFI, CAA
# https://serverfault.com/questions/895242/dcc-plugin-to-spamassassin-does-not-get-loaded-on-debian-9

if [ $# -ne 3 ] ; then
        # Double quotes so that $0 expands to the script name
        echo "Usage: $0 <HOSTNAME> <FQDN> <EXCHANGEIP>"
        echo 'Example : ./mailscanner-postfix.sh gw1 mynicedomain.com 10.1.0.60'
        exit 1
fi

HOSTNAME=$1
MYDN=$2
EXCHANGEIP=$3

echo 'Install postfix - When asked choose "No configuration"' ; sleep 5
sudo apt -y install postfix
# Example postfix (main.cf) : /usr/share/postfix/main.cf.debian
# To view Postfix configuration values, see postconf(1).

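sudo touch /etc/postfix/header_checks
# "sudo echo ... > file" performs the redirection as the calling user, not root;
# writing through "sudo tee" makes the write itself run as root.
echo "/^Received:/ HOLD" | sudo tee /etc/postfix/header_checks > /dev/null
sudo touch /etc/postfix/access
sudo touch /etc/postfix/relay_recipients
sudo touch /etc/postfix/transport
sudo touch /etc/postfix/virtual
# quarantine is created here too: MailScanner is not installed yet, so the chown below would fail
sudo mkdir -p /var/spool/MailScanner/incoming /var/spool/MailScanner/quarantine
# -p: do not fail if the postfix package already created these queue directories
sudo mkdir -p /var/spool/postfix/hold
sudo mkdir -p /var/spool/postfix/incoming
sudo chown postfix. /var/spool/postfix/hold
sudo chown postfix. /var/spool/postfix/incoming
sudo chown postfix. /var/spool/MailScanner/incoming
sudo chown postfix. /var/spool/MailScanner/quarantine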

# Create the map-rebuild helper as root (the redirection of "sudo echo ... > file" is not privileged)
sudo tee /usr/local/etc/postfix-db > /dev/null <<'EOF'
#!/bin/sh
cd /etc/postfix
newaliases
/usr/sbin/postmap /etc/postfix/virtual
/usr/sbin/postmap /etc/postfix/transport
/usr/sbin/postmap /etc/postfix/access
/usr/sbin/postmap /etc/postfix/relay_recipients
EOF
sudo chmod a+x  /usr/local/etc/postfix-db  # and we will start it later

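# Install main.cf as root ("sudo cat main.cf > file" redirects as the calling user)
sudo tee /etc/postfix/main.cf < main.cf > /dev/null
sudo sed -i "s/mail.yourdomain.com/$HOSTNAME.$MYDN/g" /etc/postfix/main.cf
sudo sed -i "s/10.0.0.0\/24/10.0.0.0\/8/g" /etc/postfix/main.cf
# Pattern in single quotes so that $myhostname and $mydomain stay literal (in double
# quotes the shell expands them to nothing and $$ to its PID); only the replacement
# uses the shell values.
sudo sed -i 's/mydestination = $myhostname, localhost.$mydomain, localhost/mydestination = '"$HOSTNAME, localhost.$MYDN, localhost"'/g' /etc/postfix/main.cf
sudo sed -i "s/relay_domains = yourdomain.com yourotherdomain.com yourveryfantasticdomain.com/relay_domains = $MYDN/g" /etc/postfix/main.cf
echo "$MYDN        smtp:[$EXCHANGEIP]" | sudo tee -a /etc/postfix/transport > /dev/null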

echo 'Install ClamAV' ; sleep 5
sudo apt install -y clamav clamav-daemon
sudo systemctl enable clamav-daemon
sudo systemctl enable clamav-freshclam
sudo systemctl stop clamav-daemon
sudo sed -i 's/LocalSocketGroup clamav/LocalSocketGroup mtagroup/g' /etc/clamav/clamd.conf
sudo chown -R postfix.mtagroup  /etc/clamav
sudo usermod -a -G mtagroup postfix
sudo usermod -a -G mtagroup clamav
sudo systemctl restart clamav-daemon

# Optional: Extra ClamAV signatures
# It does not cost much and gives you a load of extra protection: the 4.000.000 virus/malware signatures of securiteinfo.com.
# https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml

echo 'SpamAssassin install' ; sleep 5
sudo apt -y install spamassassin pyzor razor
sudo apt-get -y install libyaml-perl libtest-manifest-perl libbusiness-isbn-data-perl libbusiness-isbn-perl libtest-pod-perl libmodule-build-perl libinline-perl libencode-detect-perl libnet-ldap-perl libnet-cidr-lite-perl libio-string-perl libnet-dns-resolver-programmable-perl libmail-spf-perl
# Couldn't find :
# Digest::SHA1 (is it included in libdigest-sha-perl ?)
# IP::Country (is it included in libgeo-ipfree-perl ?)
# Mail::ClamAV
# Mail::SPF::Query (is it included in spf-tools-perl ?)
# SAVI
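sudo wget -O /etc/mail/spamassassin/KAM.cf https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
sudo wget -O /etc/mail/spamassassin/DSR.cf https://dutchspamassassinrules.nl/DSR/DSR.cf
# run-parts skips cron.hourly entries whose names contain dots and entries that are
# not executable, so the updaters are saved under dot-free names (chosen here) and
# made executable. They run hourly as root: read them before enabling.
sudo wget -O /etc/cron.hourly/KAM-cf-sh https://dutchspamassassinrules.nl/DSR/contrib/KAM.cf.sh
sudo wget -O /etc/cron.hourly/DSR-cf-sh https://dutchspamassassinrules.nl/DSR/DSR.cf.sh
sudo chmod 755 /etc/cron.hourly/KAM-cf-sh /etc/cron.hourly/DSR-cf-sh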

# Install DCC
sudo wget -O /tmp/dcc.tar.Z 'https://www.dcc-servers.net/src/dcc/dcc.tar.Z'
cd /tmp
tar xvzf dcc.tar.Z
cd dcc-*
sudo ./configure && sudo make && sudo make install
# Append as root via tee ("sudo echo ... >> file" appends as the calling user)
sudo tee -a /etc/spamassassin/local.cf > /dev/null <<'EOF'
use_dcc 1
dcc_timeout 8
dcc_home /var/dcc/
dcc_path /usr/local/bin/dccproc
add_header all DCC _DCCB_: _DCCR_
EOF
sudo sed -i '/DCC/s/^#//g' /etc/spamassassin/v310.pre
sudo ufw allow 6277/udp

echo 'MailScanner install' ; sleep 5
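# Rules appended to /etc/apparmor.d/usr.sbin.clamd land after the profile's closing
# brace, outside the profile. The local override file is included from inside the
# profile, so the rules go there; the profile is then reloaded.
sudo tee -a /etc/apparmor.d/local/usr.sbin.clamd > /dev/null <<'EOF'
# For use with MailScanner
/var/spool/MailScanner/** rw,
/var/spool/MailScanner/incoming/** rw,
EOF
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd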

sudo wget -O /tmp/MailScanner.noarch.deb https://github.com/MailScanner/v5/releases/download/5.3.4-3/MailScanner-5.3.4-3.noarch.deb
sudo apt -y install /tmp/MailScanner.noarch.deb
#ms-configure
sudo sed -i "s/yoursite/$HOSTNAME/g" /etc/MailScanner/MailScanner.conf

# Written as root via tee ("sudo echo ... > file" redirects as the calling user)
sudo tee /etc/MailScanner/conf.d/my_postfix.conf > /dev/null <<'EOF'
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Clamd Socket = /var/run/clamav/clamd.ctl
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
EOF

#Complete config of PostFix + MailScanner, then 
sudo mkdir /var/spool/MailScanner/spamassassin
sudo chown postfix.postfix /var/spool/MailScanner/spamassassin
sudo /usr/local/etc/postfix-db
sudo systemctl enable postfix
sudo systemctl restart postfix

sudo sed -i 's/run_mailscanner=0/run_mailscanner=1/g' /etc/MailScanner/defaults

sudo systemctl enable mailscanner
sudo systemctl start mailscanner

sudo ufw allow smtp
sudo ufw allow submission
sudo ufw allow submissions

