Saturday, September 12, 2009

SMTP-Auth, clamav, spamassassin, ssl/tls example

VERSIONID(`setup for linux')dnl
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl define(`confLOG_LEVEL', `9')dnl
dnl define(`SMART_HOST', `smtp.your.provider')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confDOMAIN_NAME', `')dnl


dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl

INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav-milter/clamav.sock, F=T,T=S:4m;R:4m;E:10m')
define(`confINPUT_MAIL_FILTERS', `clamav-milter')
INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl INPUT_MAIL_FILTER(`clmilter’,`S=local:/var/milter/clmilter.sock, F=, T=S:4m;R:4m’)
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T -o /etc/mail/access.db')dnl
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl FEATURE(`relay_based_on_MX')dnl
dnl MASQUERADE_AS(`')dnl
dnl FEATURE(masquerade_envelope)dnl
dnl FEATURE(masquerade_entire_domain)dnl
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
dnl MAILER(cyrusv2)dnl

Integrate sendmail with clamav

CLAMAV Configuration

#yum -y install clamav*


Start the clamd daemon before clamav-milter

Create  the quarantine directory and Start the clamav-milter with the following options:

#mkdir /var/mail/quarantine/
#chown clamav:clamav /var/mail/quarantine/
#chmod 600 /var/mail/quarantine/

# clamav-milter -o local:/var/run/clamav-milter/clamav.sock --quarantine-dir=/var/mail/quarantine

Other clamav-milter options:
              --bounce \
              --advisory \
              --force-scan \
              --dont-wait \
              --dont-log-clean \
              --max-children=2 \
              --server=localhost \
              --config-file=/etc/clamd.d/milter.conf \
              --pidfile=/var/run/clamav-milter/ \

Create clamav.conf file to run the freshclam
#vi /etc/clamav.conf
LogFile /var/log/clam/clamd.log
PidFile /var/run/clam/
LocalSocket /var/run/clam/clamd.sock
MaxThreads 50
ThreadTimeout 600
MaxDirectoryRecursion 15
SelfCheck 600
User clamav
ArchiveMaxFileSize 10M #file max size in Megabytes for archived scaned files.You can modify this to suit your purposes
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000

Edit file to enable the virus scaning

#vi /etc/mail/

INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav-milter/clamav.sock, F=T,T=S:4m;R:4m;E:10m')
define(`confINPUT_MAIL_FILTERS', `clamav-milter')
These two lines are all you need to let Sendmail work with clamav..... let me explain a litle
  • S=local:/var/run/clamav-milter.sock offcourse is the socket created by clamav-milter
  • F= tells Sendmail what to do if the filter fail, blank means act as if there is no filter. You could use "R" for reject or "T" for temporary fail.
  • T= determens timeouts:

    • S:4m a timeout of 4 minutes for sending to the filter
    • R:4m a timeout of 4 minutes for receiving from the filter

Perhaps you will have to make other changes to this file for your site - that is the reason it is not included in the package - but that is beyond the scope of this little help file

Rewrite the by running macro and reload the service

#m4 /etc/mail/ > /etc/mail/
#service sendmail reload

Test by sending Infected mail

#echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' |sendmail -v

Configuring SendMail To Act As A SmartHost & To Rewrite From-Address

This tutorial explains how to configure a sendmail server to forward all mails generated from localhost to another SMTP server for sending mails to remote recipients. Also it explains how to rewrite the from address of user@localhost.localdomain to
Example Scenario: You have a production server which is not configured to relay mails externally, but there is a application running in that server which mails its log to the given email address regarding its status and incase of any service failures. since the sendmail runs locally on localhost.localdomain name it tries to forward the mail with root@localhost.localdomain to the remote smtp server, which would get rejected because of the reason that localhost.localdomain resolves to Invalid IP. So in order to overcome that we have to rewrite the from address of root@localhost.localdomain to so that the other smtp server relays the mail from to the or whatever address you want to send the service status mail to.
NOTE: Specific parts of this tutorial applies only to Redhat Based Systems, but in general the procedure applies to all

Install the Rpms

root@domain# yum install sendmail sendmail-cf

It should install them in your linux system.
Once installed you have to make sure the server is started and starts automatically on reboot.

root@domain# chkconfig sendmail on 
root@domain# service sendmail start

Now the server is up and running.

First add the remote server ip address and its domain name to the /etc/hosts
#vi /etc/hosts
You dont have to do the above step if your local dns can resolve the
domain name to the ip address of the smtp server which is configured to
relay mail. 

Edit the Sendmail configuration file for forwarding mails

#vi /etc/mail/
Forwarding mails to smarthost
Then save the file.

For rewriting the from address of the mails create genericstable file.

#vi /etc/mail/genericstable
In the Generics table file enter the following lines:
The above lines mean that if any mails sent by root will be masqueraded and appear to come from as instead of root@localhost.localdomain and if any mail sent by the user mohan will appear to come from instead of mohan@localhost.localdomain
Then save the file.

Enabling Features in the sendmail configuration file.

#vi /etc/mail/
Add these lines for enabling features:

Then run:
#make -C /etc/mail
It should compile all the files under the /etc/mail directory and updates the changes.
After that restart the sendmail service.

root@domain# service sendmail restart
That's it, you have configured sendmail to act as a smarthost.

Configuring Your SMTP Server To accept mails from Smarthosts:

NOTE: This procedure is applicable only if the remote live smtp server is a sendmail server, which is true in this scenario. For other SMTP servers refer to their documentation.
Presumptions: The live SMTP server is already using FEATURE ('access_db'..
Edit the access file in the live smtp server to accept mails from the smart host.

vi /etc/mail/access
connect:     RELAY
cd /etc/mail

Rebuild the Access database file.

#/usr/sbin/makemap hash access < access
Restart the sendmail service.

root@smtp# service sendmail restart
That's it; the remote smtp server will accept mails from the smarthost.

Linux Complete Reference Guide

Sendmail Server

  • - sendmail 8.13.6
  • - dovecot 1.0
  • - clamav 0.88.2
  • - clamav-milter 0.88.2
  • - spamassassin 3.1.3 
  1. Basic Configuration
  2. Dovecot IMAP Server
  3. Starting The Services
  4. Preventing Abuse
  5. Full SSL/TLS Encryption
  6. Clam Antivirus
  7. SpamAssassin 

Sending emails to multiple recipients scattered around the world these days is such an easy everyday task, that its hard to image life without it. Sending an email through the Internet uses many different protocols and applications that all work seamlessly to ensure your message reaches its end destination.

This chapter will provide assistance in the configuration of your own server for sending and receiving emails, and will also provide details on some extra applications to ensure your system remains secure and relatively virus free. In chapter 13, we will configure a webmail application which provides a means to send and receive email while away from home. To make proper use of an email system requires the server to be configured with a fully registered Internet domain name; DNS is used extensively for email. In chapter 20 we will configure LDAP to provide our network with a share address book (with SSL) to be used by internal and/or roaming clients.

Before we begin, here are some of the basic components that help to make up the email world:

MUA: Mail User Agent The email application that a user sends/receives (thunderbird,pine,outlook)
MTA: Mail Transport Agent The server agent responsible for sending the emails (sendmail,postfix,qmail)
MDA: Mail Delivery Agent The server agent that accepts email from MTA, and places into users mailbox (procmail)
SMTP: Simple Mail Transport Protocol MUAs and MTAs use this protocol for sending emails
POP3: Post Office Protocol (Ver 3) MUAs use this protocol for receiving their emails from the final server
IMAP: Internet Message Access Protocol MUAs can use this protocol to send and receive emails on the servers

Procmail is normally installed and running on most systems already so it won't be covered here.

Note !! The preferred email protocol for this configuration is IMAPS as all emails are stored on the main server and then replicated through to your MUA client when it connects. Because the mail files on the server and client are synchronised, the webmail application will have all the emails contained on your local workstation and vice versa, including sent emails.

1. Basic Configuration


We are going to configure the MTA first, and the package that is most commonly used is sendmail. The configuration files for sendmail are extremely technical for new users, and should definately be backed up before making any changes, they are so complex in fact that one configuration file is actually used to configure the second file.

The important thing to remember is that we will make the changes only in the file, and the changes will be moved into the file for us. This is the preferred method for configuring sendmail.

[bash]# cp /etc/mail/ /etc/mail/

Caution !! Do not edit sendmail's "cf" file, use the "mc" macro file to make the changes. This backup is only a precautionary measure in case everything goes bad.

[bash]# cp /etc/mail/ /etc/mail/
[bash]# vi /etc/mail/

Inside the sendmail macro file, there are many lines that start and end with "dnl". This acronym stands for "delete through newline", and is used to tell the macro process to ignore the current line when building the new file. This should be treated just like a standard configuration comment.

When sendmail dispatches your email, it places the servers hostname behind your username, which becomes the "from address" in the email (ie. Normally we only want to use the domainname and not the hostname, this setting allows all outgoing emails to be "", the preferred method.

define(`confDOMAIN_NAME', `')dnl

Email can be sent via a smarthost if the Internet connection is not on all the time. This needs configuring at your ISP or by whoever is providing your smarthost capability. This is generally not required on a dedicated link.

dnl define(`SMART_HOST',`smtp.your.provider')dnl

Below are some daemon options that specify (basically) who can connect and send emails. The top one (default) only allows emails to be sent from by the local server. The default options need to be adjusted before the server will accept emails from any other networked computer.

DAEMON_OPTIONS(`Port=smtp,Addr=, Name=MTA')dnl Only local server can send email
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl Users can now connect to send email

The aliases and virtusertable ("/etc/mail/virtusertable") are lists that allow incoming emails to be redirected to other local accounts or external email addresses. See "man aliases" or README for details on these files.

Many of the applications on the server are configured to send email to the root account when problems occur. It is recommended that an entry be placed into the /etc/aliases file to redirect all of root's email to the supervisors standard user account. This saves having to check the root account for emails as they can be automatically sent to another valid account.

define(`ALIAS_FILE', `/etc/aliases')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl

Note !! If alias file (/etc/aliases) is adjusted, it needs to be updated with the "newaliases" command before settings are implemented.

The access database ("/etc/mail/access") is a list of IP addresses and domainnames of allowable connections. Your IP subnet and other details need to be placed in here before you can send email, ensuring that you leave the localhost information as configured.

FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl
# Example of /etc/mail/access
localhost.localdomain     RELAY
localhost                 RELAY                 RELAY
192.168.1                 RELAY               RELAY

Before accepting emails, sendmail can do a DNS lookup on the address of the person who is sending the email. It is recommended that this option be set up so that any email failing a DNS lookup is rejected; there is a fair chance the email was not sent from a valid domain name and possibly spoofed. Comment the following line to enable DNS lookup.

dnl FEATURE(`accept_unresolvable_domains')dnl

Caution !! You should consult the README file for further details on available settings ("/usr/share/sendmail-cf/README").

Mail Aliases - Who gets Who's Email

Sendmail includes a standard "/etc/aliases" file that can be used to redirect certain emails to a single user on the system, a group of users, or even to an email address external of the mail system (i.e. to another organisation). The basic alias file looks similar to below, it contains an alias on the left side followed by a colon and then the list of users that will receive the email, listed on the right hand side.

It is important to nominate an account to redirect all the system emails to, i.e. a "root" alias. This ensures that any system orientated alerts are directed to an individual who can monitor the system's status and warning messages.

[bash]# cp /etc/aliases /etc/aliases.original
[bash]# vi /etc/aliases
# Our Own Aliases
www:            root
admin:          root
sysadmin:       root
webmaster:      root
support:        helpdesk

# Person who should get root's mail
root:           john             <-- John will receive all system/security email alerts meant for root.

# People who have left our organisation - Mail redirection...

Aliases can also be configured to for mutliple recipients, this is a convenient way to create generic group email accounts outside of a global address book. With this example, a file is created with a list of mail receipiants listed on one line at a time.

[bash]# vi /etc/mail/mailing-list

The "mailing-list" alias is listed in the alias table, and the file containing the list of users is also added with the use of an "include" statement; this tests sendmail where the list of users can be found for the mailing-list. Alternatively, an alias can have several recipients listed directly aside the alias, separated by commas.

[bash]# vi /etc/aliases
# Our Own Aliases
sysadmins:      john,mark,lisa
mailing-list:   :include:/etc/mail/mailing-list

After the alias table has been adjusted, the "newaliases" command needs to be executed before the table will be used by sendmail again.

[bash]# newaliases
/etc/aliases: 97 aliases, longest 31 bytes, 998 bytes total

2. Dovecot IMAP Server

Now that the sendmail server has been setup to allow the sending of emails, we need to configure a means for the user to retrieve any emails that are waiting for them on the server. One of the packages that does this is dovecot, which handles POP and IMAP mailboxes in clear text or with link encryption (POPS and IMAPS); IMAPS is the preferred mail protocol for MUAs.

Dovecot is relatively easy to configure, but backing up the config file is still important.

[bash]# cp /etc/dovecot.conf /etc/dovecot.conf.original
[bash]# vi /etc/dovecot.conf

Dovecot needs to be told which protocols it will accept for incoming client connections, the setting below is the main dovecot configuration file; note its detail for both IMAP and POP3 protocols.

protocols = imap pop3

login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot

protocol imap {
login_executable = /usr/libexec/dovecot/imap-login
mail_executable = /usr/libexec/dovecot/imap
login_greeting_capability = yes

protocol pop3 {
login_executable = /usr/libexec/dovecot/pop3-login
mail_executable = /usr/libexec/dovecot/pop3
pop3_enable_last = no

auth_executable = /usr/libexec/dovecot/dovecot-auth
auth_process_size = 256
auth_cache_ttl = 3600

auth default {
  mechanisms = plain
  user = root
  ssl_require_client_cert = no
  passdb pam {
  userdb passwd {

Caution !! If you plan on setting up SquirrelMail for your webmail requirements, you will need to have the IMAP protocol enabled.

User Email Accounts

When a standard user account is created on the server, that user is automatically granted access to login to the system and is also able to send and receive emails. The user now really only needs to configure their MUA with the details of the servers address and their account details, and email should be fully accessible.

Creating a standard user account with a false shell stops that account from being able to log into the system (a Linux login), but still allows them to use the system for the purpose of sending and receiving emails. Creating a user account using the following example, is the easiest method for creating email only accounts for friends and family where they do not require login access to the server.

[bash]# useradd -c "Alice Jones" -s /sbin/nologin alice

Email only accounts forbid a user from logging in and accessing their home directories. These accounts may not be suitable if users expect access to their "public_html" directories if they are present.

You may also consider placing all of the email only accounts into an appropriately named group for easy management.

3. Starting the Services

Starting the newly configured services are relatively straight forward, however if any changes have been made to the sendmail macro file or access lists, then the file will need to be recompiled before any of the changes will be accepted. These days many of the initscripts handle this task automatically, however its good to do it manually just to be certain.

[bash]# make -C /etc/mail

The services should now be set at the appropriate runlevels and then checked to ensure they are correct.

[bash]# chkconfig --level 2345 sendmail on
[bash]# chkconfig --level 2345 dovecot on
[bash]# chkconfig --list sendmail
[bash]# chkconfig --list dovecot

The services can now be started. The system logs should also be checked to ensure there are no errors.

[bash]# /etc/init.d/sendmail restart
[bash]# /etc/init.d/dovecot restart
[bash]# grep sendmail /var/log/maillog
[bash]# grep dovecot /var/log/maillog

You've got email !

4. Preventing Abuse

Open mail relays

The worst exploitation of an email system is if its able to relay emails for everyone, this allows spammers and other nasty organisations to use your unprotected system as a platform for their malicious activities. Although we have defined who can use the system in the above configurations (access database), we can take extra precautions to minimise the effects of any possible damage.

The following example is a basic open relay test that you can perform on your sendmail server as an example of how easy it is for a spammer to send emails through an insecured MTA. Firstly you need to telnet into your server on port 25 (SMTP) and then cut and paste the following text into the telnet session; remembering to change the "RCPT To:" address to your own email.

[bash]# telnet localhost 25
(Change "RCPT To:" email address)

MAIL From:
RCPT To:                     <-- Change this to your own email to see results.
Subject: Think we're insecure...
I have a feeling our mail server is being abused...

Now if you check your email you will notice an email from "TheBoss" and you'll see how easy it is to spoof an email. If this worked, it means that you have probably enabled your "/etc/mail/access" database with the correct RELAY permissions for it to occur. However, we only want to allow the correct clients to be able to relay through the MTA.

The following telnet test is an another open relay test that will automatically test your system from a remote Internet based relay attempt. Approximately 19 relay tests are conducted with results displayed as they occur, this is a good test of your systems configuration; it your server is open to relay, the spammers will find you soon.

[bash]# telnet

Caution !! If any of the open relay tests return serious warnings, you should seriously check your systems configuration - guaranteed your system will be exploited.

Email limits

The default file size for sendmail is unlimited, so if someone tries to send a tar archive over 2 GB throught the system, it will most likely crash the MTA while trying. A maximum file size should be set so sendmail knows when to reject a file that is too large.

[bash]# vi /etc/mail/

If you are using a PHP based webmail application like SquirrelMail, you can adjust the max file size for PHP to match the same amount; this allows PHP applications to match your mail server size limits.

[bash]# vi /etc/php.ini
post_max_size = 50M
upload_max_filesize = 50M
memory_limit = 64M

The following settings limit the rate of connections, the amount of running 'children', and the maximum number of recipients for each email. By specifying these types of directives it limits the rate of any possible exploitation or Denial of Service attacks. These would be suitable for a small office or home network, but may need to be increased for larger demands.


This section provides a few basic settings as an introduction to possible abuse situations and should provide you with some security considerations for your system. You should always check your system logs for any signs of abuse, and do some form of test attack on your own system (from the outside of course).

5. Full SSL/TLS Encryption

One of the easiest ways for any system to be exploited is for a username and password to be intercepted whilst traveling through the Internet, the basic action of logging into your server from the external (Internet) side opens your user credentials to such a risk. Luckly both Sendmail and Dovecot can both be covered by TLS and SSL encryption systems to ensure your credentials and correspondence stay safe.

To configure sendmail with TLS / SSL encryption, edit the main configuration file and make the following changes. The first setting disables plain text authentication, the second defines the trusted authentication mechanisums (to allow relaying), the third defines the SSL certificate files and the fourth enables the TLS link encryption and opens port 465 for secure emails (SMTPS).

[bash]# vi /etc/mail/
define(`confAUTH_OPTIONS', `A p')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

Note !! The bottom option causes sendmail to additionally listen for secure connections on port 465 through enforced SSL. Basic SMTP is still configured through port 25 for remote MTA connections and TLS.

In our initial configuration, we allowed sendmail to accept SMTP email from all hosts (the default is only from, itself). By changing this setting back to it's default, then only the local server can send unsecured emails, this is ideal if you are going to configure webmail to run from the local Apache web server.

Change This:
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
Back To:
DAEMON_OPTIONS(`Port=smtp, Addr=, Name=MTA')dnl

Now that sendmail had been configured for encrypted connections and authentication, you will need to create your SSL certificates before you can activate your new configuration; this can be done using the automated scripts located in the "/etc/pki/tls/certs" directory.

[bash]# cd /etc/pki/tls/certs
[bash]# make sendmail.pem
Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:QLD
Locality Name (eg, city) [Newbury]:Brisbane
Organization Name (eg, company) [My Company Ltd]:Miles Brennan
Organizational Unit Name (eg, section) []:Home Linux Server
Common Name (eg, your name or your server's hostname) []
Email Address []

You should now be able to send secure emails to your MTA (Sendmail) for delivery to remote addresses.

The next step is to configure Dovecot so you may be able to successfully retrieve emails from your mail server using SSL encryption; sending is only half way there, the receive path also needs to be configured. Open your Dovecot configuration and make the following adjustments. A point to note is that we are configuring the Dovecot server to use the exact same SSL certificates that the Sendmail server is using.

[bash]# vi /etc/dovecot.conf
ssl_disable = no
ssl_verify_client_cert = no
ssl_parameters_regenerate = 168
ssl_cipher_list = ALL:!LOW
ssl_cert_file = /etc/pki/tls/certs/sendmail.pem     <-- NOTE: Can use same certificate as Sendmail
ssl_key_file = /etc/pki/tls/certs/sendmail.pem      <-- NOTE: Can use same certificate as Sendmail
disable_plaintext_auth = yes

We can also block Dovecot from allowing any insecure client connections by forcing the server to only accept secure IMAPS and POP3S connections.

Change This:
protocols = imap pop3
To This:
protocols = imaps pop3s

Now that the services have both been configured, the services will need to be restarted.

[bash]# /etc/init.d/sendmail restart
[bash]# /etc/init.d/dovecot restart

If you have users on the external side of your firewall (i.e. on the Internet), you can allow both SMPTS (port 465) and IMAPS (port 993) connections to pass through your firewall with the following adjustments to your firewall script. Remember that port 25 (SMTP) is still required and will use TLS as required.

[bash]# vi /root/
# New INBOUND Connection: SMTP and SMTPS (over SSL)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 25  -j ACCEPT  <-- for TLS encryption (and basic SMTP)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT  <-- for SSL encryption

# New INBOUND Connection: IMAPS Email Clients (Secure Link - In and Out)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT  <-- for SSL encryption
[bash]# /root/

By default the Dovecot server will listen on all interfaces when we declare a protocol to be configured. However we can add the following options to the protocol declaration to define a more detailed configuration.

The following Dovecot configuration causes both the secure IMAPS and POP3S protocols on be active on all network interfaces, but also allow Dovecot to operate the insecure IMAP protocol only from the localhost server, this again is an ideal configuration if you intend to run SquirrelMail on your server and it is an IMAP based application.

[bash]# vi /etc/dovecot.conf
protocols = imap imaps pop3s

protocol imap {
listen =
ssl_listen = *
ssl_disable = no

Note !! The above Dovecot settings allow for the IMAP based SquirrelMail application to work on the local server without requiring TLS/SSL encryption. A remote user will still interface the HTTPS web interface through SSL, ensuring secure access through a web browser.

6. Clam Antivirus

There is really no such thing as a virus in the Linux world and what you would call a virus is really nothing more than an exploit or maliciously crafted piece of code. Some not so better operating systems however are quite susceptible to virus attacks and the number one means of virus infection is currently via the email system. Although your Linux MTA itself is quite safe from any possible virus threats, we have a duty of care to at least protect our internal workstations that may face a somewhat different fate.

Clam AntiVirus is an opensource antivirus scanning toolkit for UNIX systems. Effectively it runs as its own independent service with its own suite of applications, these need to be interfaced by other applications in order to use the scanning facilities. Sendmail interfaces into clamav with whats called a milter (Mail Filter), and the results are returned to sendmail for further processing.


Firstly we need to install the clamav suite of applications, this command will install the clamav server and the milter required to work with Sendmail.

[bash]# yum install clamav*

The clam daemon configuration file should be backed up before any adjustments are made.

[bash]# cp /etc/clamd.d/milter.conf /etc/clamd.d/milter.conf.original
[bash]# vi /etc/clamd.d/milter.conf

The following is an example of a typical clamd configuration file. The "/etc/clam.d/clamd.conf" file is well documented with configuration options and further detailed information can be obtained from reading the supporting man page. Type "man clamd.conf" at the command prompt.

The "Example" option must be commented out before the daemon will start.

#Example                              <-- This must be commented out before the daemon will function
LogFile /var/log/clamd.milter
LogFileMaxSize 5M
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd.milter/clamd.sock
#TCPSocket 3310
User clamilt

On one side we have a running MTA (Sendmail) and the other side we have a fully functional antivirus system, clamav-milter is the glue that binds it all together. As an email is passed onto the MTA, the milter redirects it to the antivirus server and awaits the results.

The following parameters detail how the milter will act and respond between the other two systems; should it just drop all infected email, should it notify the recipient or the sender, should it inform the administrator; there are numerous available options. You should consult the man page to configure the settings that will best suit your needs. Type "man clamav-milter" at the command prompt for more details.

[bash]# cp /etc/sysconfig/clamav-milter /etc/sysconfig/clamav-milter.original
[bash]# vi /etc/sysconfig/clamav-milter
CLAMAV_FLAGS="--local \
              --bounce \
              --advisory \
              --force-scan \
              --dont-wait \
              --dont-log-clean \
              --max-children=2 \
              --server=localhost \
              --config-file=/etc/clamd.d/milter.conf \
              --pidfile=/var/run/clamav-milter/ \
              --signature-file=/etc/mail/clamav-email-signature \
              local:/var/run/clamav-milter/clamav.sock "

In the above sample configuration we are placing a footer (signature-file) on all the emails that successfully pass thru the system, as an assurance to the end recipients that the email is virus free. The following is an example signature file, it isn't required but is an option should your email policy require it.

[bash]# vi /etc/mail/clamav-email-signature
This email has been ClamScanned !

The service is now ready to run after we set the correct runlevels. The clamav-milter logs directly to "/var/log/maillog" when it processes an email, which can be checked after all the configurations are complete.

[bash]# chkconfig --level 2345 clamav-milter on
[bash]# chkconfig --list clamav-milter
[bash]# /etc/init.d/clamav-milter restart

Now that the milter is running, we need to tell sendmail to use it. Place the following line into the file, then restart the Sendmail service.

[bash]# vi /etc/mail/
INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav-milter/clamav.sock, F=T,T=S:4m;R:4m;E:10m')
[bash]# make -C /etc/mail
[bash]# /etc/init.d/sendmail restart

Thats it !! You are all configured now for antivirus scanning.

Testing the Clamav Scanner

The easiest way to check if the scanner is functioning, is to check the mail logs. The details of each email that gets sent by the milter to clamd is placed in the log, the example below shows how the milter added the extra header details to the incoming email.

[bash]# grep Milter /var/log/maillog
sendmail: Milter add: header: X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on
sendmail: Milter add: header: X-Virus-Status: Clean

The email can be checked at the MUA to confirm the presence of the extra milter headers on all of the incoming emails. This is confirmation that the system is configured and functioning as expected.

X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on
X-Virus-Status: Clean

The European Institute for Computer Antivirus Research (EICAR) have created an antivirus test signature that can be used to test many antivirus programs. Your new Sendmail configuration can be tested by sending the EICAR test signature through as an email and check to see if Clamav identified and labelled the email as an infected message.

Issue the following command at the command line interface, ensuring that you change the email address to your own (or one you can access). When the email arrives at the email address you inserted, you can check the headers within the email and see if Clamav has inserted the following flags.

[bash]# echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' | mail
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on
X-Virus-Status: Infected with Eicar-Test-Signature
Subject: [Virus] Eicar-Test-Signature

Note !! More information about the EICAR test antivirus signature can be seen at this site:

Freshclam updates

The Clam Antivirus system is only as effective as its latest copy of the virus definitions, these can be updated using the freshclam application. Make the following adjustments to your freshclam settings, ensuring you ADD a "#" (comment) to the "FRESHCLAM_DELAY" directive, this enables the update service.

[bash]# vi /etc/sysconfig/freshclam
FRESHCLAM_MOD=180                <-- Update interval in minutes
#FRESHCLAM_DELAY=disabled-warn   <-- Add "#" to activate (enable) clamav updates

The main antivirus functions are now running and freshclam can be configured to keep the system up to date with the latest virus patterns. As normal the configuration file should be backed up.

[bash]# cp /etc/freshclam.conf /etc/freshclam.conf.original
[bash]# vi /etc/freshclam.conf

This is an example of the freshclam configuration file. This file too is well documented and the supporting man page should be consulted for any further queries. Type "man freshclam.conf" at the command prompt.

If your system is behind a firewall or you prefer to use a proxy server, then ensure that you complete and enable the appropriate HTTPProxy options for your system.

DatabaseOwner clamav
DatabaseDirectory /var/lib/clamav
Checks 24
MaxAttempts 5
UpdateLogFile /var/log/freshclam.log
DatabaseMirror db.??               ###  <-- See Note.
#HTTPProxyPort 3128
#HTTPProxyUsername username
#HTTPProxyPassword password

Note !! Replace "??" (above) with the two letter country code for your region, or remove line from configuration file if you are unsure.

Freshclam will automatically update itself at intervals define with the earlier "FRESHCLAM_MOD" declaration. However, if you require to update your antivirus manually to test your configuration, you can execute the command at the xterm prompt.

[bash]# freshclam
ClamAV update process started at Sun May 21 12:01:57 2006
main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
Downloading daily.cvd [*]
daily.cvd updated (version: 1472, sigs: 4793, f-level: 8, builder: arnaud)
Database updated (55999 signatures) from (IP:

Freshclam keeps a log of all update details.

[bash]# tail /var/log/freshclam.log

7. SpamAssassin

One of the biggest wastes of bandwidth throughout the Internet today is from unwanted/unsolicitated bulk email, in other words spam; we hate it. Unfortunately for us it isn't going to go away for a while, fortunately we can at least filter some of it out of our Inbox by using SpamAssassin which comes standard now with many Linux distributions. SpamAssassin will at the very least allow you to take some control back over your email account.

To install SpamAssassin and the required milter for Sendmail, type the following command at the prompt.

[bash]# yum install spamass-milter spamassassin

SpamAssassin has many plugins written and available for use, they can be enabled in the "/etc/mail/spamassassin/v310.pre" plugin file. The plugins file is the first configuration to be loaded by SpamAssassin.

[bash]# cp /etc/mail/spamassassin/v310.pre /etc/mail/spamassassin/v310.pre.original
[bash]# vi /etc/mail/spamassassin/v310.pre
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags

The "/etc/mail/spamassassin/" file is the main global configuration file for the whole server and can be configured like so.

[bash]# cp /etc/mail/spamassassin/ /etc/mail/spamassassin/
[bash]# vi /etc/mail/spamassassin/
required_score          5.0
rewrite_header subject  [SPAM]
report_safe             1
use_bayes               1
use_bayes_rules         1
bayes_auto_learn        1
skip_rbl_checks         0
use_razor2              1
use_dcc                 1
use_pyzor               1
trusted_networks        192.168.1/24 127/8
internal_networks       192.168.1/24 127/8

Note !! If you need assistance in determining which configuration options are the best for your system, you can use the online "SpamAssassin Configuration Generator" located at: "". your customised online configuration can then be downloaded into your /etc/mail/spamassassin/ file.

To define daemon runtime options, edit the system configuration file for SpamAssassin.

[bash]# cp /etc/sysconfig/spamassassin /etc/sysconfig/spamassassin.original
[bash]# vi /etc/sysconfig/spamassassin
SPAMDOPTIONS="-d -c -l -m5 -H"

Users can also fine tune their own options for SpamAssassin by editing their own user configuration files located in their home drives.

[/home/miles]$ vi ~/.spamassassin/user_prefs             <-- executed as basic user

The SpamAssassin mail filter (milter) can then be configured with runtime options.

[bash]# cp /etc/sysconfig/spamass-milter /etc/sysconfig/spamass-milter.original
[bash]# vi /etc/sysconfig/spamass-milter

The daemons need to be configured to start at the appropriate runlevels using the following commands, this should also be checked to ensure the daemons will initialise at expected if needed at next reboot.

[bash]# chkconfig --level 2345 spamassassin on
[bash]# chkconfig --level 2345 spamass-milter on
[bash]# chkconfig --list spamassassin
[bash]# chkconfig --list spamass-milter

Once the services has been configured, the daemons can both be restarted.

[bash]# /etc/init.d/spamassassin restart
[bash]# /etc/init.d/spamass-milter restart

The SpamAssassin configurations have now been completed, however the mail server has not yet been configured to use the spam filtering daemon yet. Before we do the final configuration, it is important to firstly test that SpamAssassin is functioning as expected and the email that passes through the daemon is handled correctly. If we don't do these tests then some of your email may just disappear because of a poorly configured service.

The first test passes a test email to the spam daemon and returns the results to the screen. This test email is considered by SpamAssassin to be clean and should return a clean result.

[bash]# spamassassin -t < /usr/share/doc/spamassassin-3*/sample-nonspam.txt | grep X-Spam
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=unavailable

The second test passes an email that is considered by SpamAssassin to contain spam signatures, as such the test should return a positive result to the test. You should note the "X-Spam-Flag: YES" flag that SpamAssassin inserts into the email's headers, this will allow users an easily way to identify and automatically sort spam affected emails into junk email folders as they arrive in their Inboxes.

[bash]# spamassassin -t < /usr/share/doc/spamassassin-3*/sample-spam.txt | grep X-Spam
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=1000.0 required=5.0 tests=GTUBE,NO_RECEIVED,

Once you are happy that the outcomes of both your spam and non-spam tests are successful, Sendmail can be configured to pass emails to the SpamAssassin daemon by use of the mail filter (milter).

[bash]# vi /etc/mail/
INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl

Now that the SpamAssassin milter settings have been inserted into the Sendmail configuration, the Sendmail server can be restarted; this will complete your installation.

[bash]# make -C /etc/mail
[bash]# /etc/init.d/sendmail restart

For further information on SpamAssassin configuration, you can view the following man pages: "Mail::SpamAssassin::Conf" and "Mail::SpamAssassin".

Thursday, September 10, 2009

Create Users And Change Passwords With A Bash Script

These two scripts are very important for the system admin who regularly works with mail servers and somehow forgets to backup his system username and password! Let’s say somehow we lost the usernames and passwords of the mail server. In this case the admin has to manually create all the users and then change the passwords for all the users. Tedious job. Let’s make our life easier.
First create a file which contains all the user name. Something like this:
Save the file as userlist.txt. Now create the following bash file:
for i in `more userlist.txt `
echo $i
adduser $i
Save the file and exit.
chmod 755 userlist.txt
Now run the file:
This will add all the users to the system. Now we have to change the passwords. Let's say we want username123 as password. So for user nayeem the password will be nayeem123, rubi123 for user rubi and so on.
Create another bash file as follows:
for i in `more userlist.txt `
echo $i
echo $i"123" | passwd –-stdin "$i"
echo; echo "User $username’s password changed!"
Run the file. All the passwords are changed.

Network Monitoring With ntop

ntop is a network traffic tools that shows network usage in a real time. One of the good things about this tool is that you can use a web browser to manage and navigate through ntop traffic information to better understand network status.
Also Ntop monitors and reports hosts traffic and supports these protocols:
  • (R)ARP
  • IPX
  • DLC
  • Decnet
  • AppleTalk
  • Netbios
In this tutorial we'll install ntop 3.2 in CentOS 4.


Ntop 3.2


1- Installing G-LIB:
rpm -ivh  glib-1.2.10-16.i386.rpm

2- Installing ntop:
rpm -ivh ntop-3.2-1.el4.rf.i386.rpm

Running ntop
1- Initialize ntop:
That will initialize ntop and it will ask you to enter your username and password.
The default username: admin
Password: yourEnteredpassword
2- Start ntop service:
#service ntop start

Log In To The Web Interfacentop can be managed through a web interface. You can enter your server address in your web browser:
Now you can monitor your hosts and manage your ntop configuration.


Ntop SC

How To Block Ads And Banners In SafeSquid Proxy Server

Ads and banners not only unnecessarily consume bandwidth, but also distract users, and can be exceedingly irritating at times. Few ads and banners keep rotating and fetching new contents, and keep consuming bandwidth in the background.
SafeSquid can be configured to either blank out these ads and banners, or replace them with a custom html page or an image. In this tutorial I will explain how you can replace ads and banners with a custom html page. This requires configuring 3 sections, viz. Templates, Profiles and URL redirecting.
The first thing to do is to design an html page, to replace the ads and banners. Since many ads and banners are displayed in a small window, the html page that you design to replace them, should be as small as possible.
Here is a sample :
Copy your custom html file, which we will call ads.html in this tutorial, to the SafeSquid template directory. By default, the directory is located at /opt/safesquid/safesquid/templates/. You can verify this from the SafeSquid Interface => Config => Templates Section. 
SafeSquid's Templates section, allows you to add your own custom templates, or messages, to be displayed when a page is blocked by a filter, instead of SafeSquid's default message. The replacement file could be an html page, an image, audio / video file, an executable, etc. and is a very powerful tool, that we will explained in a future tutorial.
After you have copied the file to the templates directory, you need to define the file in the Templates section (create a template), and give it a name by which it will be identified in the other section. To do this, open the SafeSquid Interface and go to Config => Templates. Click on Add under the Template sub-section and add the new template as shown below:
Template to replace ads and banners

Mime type
Response code
The explanation for the various fields above can be found at and will be covered in a future tutorial.
Now the file ads.html can be used as a template in SafeSquid, and has been named replace-ad-banner. We will later use it in the URL Redirecting section.
The next thing to do, is to identify ads and banners that appear in web pages, so that they can be replaced. They could either be fetched from a remote Ad Server, or located on the same web server. In the former case, if the Ad Servers are identified, then it would be easy to identify the content being fetched by these servers. In the later case, in most cases, the link to the content has the words ad, ads, adv, advert, banner, banners, etc. in the file part of the URL, e.g.*, * So, if we can filter our such URLs, we can replace them with our custom template.
SafeSquid allows the use of Perl Compatible Regular Expressions (PCRE), hence we can create a single rule that can cover multiple words, strings or expressions. Go to Config => Profiles and create the following two rules:
Profile to identify Ad Servers:
Identify content from Ad Servers
Time match mode
Added profiles
The above rule analyzes the Host part of URLs to verify if the content is being served from any of the Ad Servers listed in the Host field, and if a positive mach is found, applies the profile Ad-Server-Content to that content. (A URL is made up of  protocol://host/file, e.g.
The Host field in the above rule is a regular expression. Host names are separated  with a pipe (|). In regular expressions, a '.' is a special character - a single character wildcard. A '\' before a '.' specifies that it is to be interpreted as character '.' and not wildcard. The expression begins with ^ad(|s|v|server)\. This will match the expressions ad., ads., adv. and adserver. in the host part of a URL, e.g.,,, etc. You can also add additional hosts to the expression.
Profile to identify expressions in file part of URL:
Template to replace ads and banners
Time match mode
Added profiles
The above rule analyzes the file part of URLs to verify if they contain any of the expressions specified in the file field of the rule, and if a positive match is found, applies the profile Ad-Banner to the content.
We can now use the added profiles Ad-Server-Content and Ad-Banner that is applied to positive matches, to redirect the requests for them to our custom html page ads.htnl. To achieve this, go to Config => URL redirecting. The URL redirecting section allows you to redirect requests for specific URL, to another URL. This is a very powerful feature, and is mostly used to create redundancy for web servers, when SafeSquid is used in reverse proxy mode.
Verify that the section is enabled - Enabled = Yes, click on Add under Redirect sub-section and add the following rule:
Redirect specified profiles to template replace-ad-banner
302 redirect false
Applies to
Simply put, this rule will redirect all the requests that carry the profiles Ad-Server-Content and Ad-Banner, to the template replace-ad-banner, which is the name of our custom html page - ads.html. I will cover the URL redirecting section and explanation for the various fields, in a future tutorial.
We are now ready to test the results of the above configurations. Open the browser and visit a website that has lots of ads and banners, e.g. The ads and banners should now be replaced with the custom html, as shown below:

You can also verify what URLs are being redirected, by checking the SafeSquid logs. Click on View log entries in the Top Menu of the interface. You will see a lot of entries. To filter out the entries for URL redirecting, type redirect in the Regular expression match field, and click on Submit. This will filter out entries similar to this:
2008 06 06 13:06:45 [19] redirect: request for to http://safesquid.cfg/template/replace-ad-banner