Gentoo Wiki

Complete_Virtual_Mail_Server/Amavis_and_Spamassassin_UI



Amavis/Spamassassin UI

With the above setup, we have set up quite a rich ability to manage per-recipient information (amavisd settings, whitelists, quarantined messages, etc.). Now we need a UI that will allow us to access these. As noted above, there were not a lot of choices out there, so I settled on a package still in its early development phases.

The one package I felt had a lot to offer was Maia Mailguard, but in the end decided to bench it (at least for now). Version 1.x of this system is designed to work with amavisd-new and applies a patch to it. This means it only works with specific earlier versions of amavis (2.2.0) and I decided I couldn’t recommend something that would prevent an upgrade to a new version. They are starting to work on the 2.x releases which will be standalone from amavisd. When this is released (expected mid to late 2006), then I suggest you go back and look at it again (I know I will). Until then, we will use some other options.

Note: This is not exactly true.
Maia 1.0.x is based off an older amavisd-new, true, but we essentially forked from it and maintain our own version of amavisd-maia now, and so you do not need to have amavisd-new installed, and thus do not need to worry about upgrades to amavisd-new breaking anything. An ebuild script is underway at http://bugs.gentoo.org/show_bug.cgi?id=130068 and we would appreciate any help in getting it completed. For a longer explanation of why Maia is based on an older version of amavisd-new, please read http://www.maiamailguard.org/maia/wiki/AmavisVersion
Note: DGM, Maia Mailguard developer

The best I came up with at this time is MailZu (http://www.mailzu.net) which manages the messages quarantined in the database. It’s not great, but it’s a start. For those of you who have a little time and are feeling up to it, it would be great to see this product built out further to support what we have configured above or modify a squirrelmail plugin to support the native amavisd schema. Who knows, if I have time when this is finally completed, I may go back and start this work myself.

In the meantime, let’s press on with what is readily available.


Installing and Configuring MailZu

There is no ebuild for MailZu, so we will download it from its home website to your /homedir on the Web Server. You may need to change the file name used below to reflect the latest version available so check with the site before downloading.


Code: Getting MailZu
 
# wget http://www.mailzu.net/download/MailZu_0.7b.tar.gz
  

Installation is very straight forward. We simply need to untar the file we downloaded into a subdirectory of our webserver (I used a subdirectory from where I was serving Squirrelmail).


Code: Untarring MailZu
 
# cd /var/www/example.com/htdocs
# tar -xvzf /homedir/MailZu_0.7b.tar.gz
  

This results in everything being untarred into a directory MailZu_0.7b which kind of sucks for internet access so I renamed it at this point to mailzu.


Code: Renaming the Directory
 
# mv MailZu_0.7b mailzu
  

There are a few configuration settings in amavisd that we need to verify are set appropriately. I have listed them below; you simply need to go through your amavisd.conf file and either validate or adjust them as required.

Check below for


Code: /etc/amavisd.conf
 
# nano /etc/amavisd.conf

@inet_acl = qw(127.0.0.1 192.168/16 );  # adjust list as needed
$inet_socket_bind = undef;       # bind to all IP interfaces if undef


$inet_socket_port = [10024, 9998];   # listen on this local TCP port(s)

$interface_policy{'9998'} = 'AM.PDP';

$policy_bank{'AM.PDP'} = {
    protocol => 'AM.PDP',
    inet_acl => [qw( 127.0.0.1 [::1] <IP of MailZu host> )],
};

  

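This should be enough to get MailZu running with amavisd; now we just need to set the MailZu config settings and we should be good to go. Because $inet_socket_bind is undef, amavisd listens on every interface, so the inet_acl lists above are what restrict which hosts can reach ports 10024 and 9998. Keep them as narrow as your setup allows.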


We will start with MailZu’s config file. A sample file is provided with the distribution, so we will copy that as our starting point. From there we will make the specific changes needed to tell MailZu about our database. We are going to set both the amavisd and authentication parameters.


To crypt() or not to crypt()... Imap Auth Is just Painless


By default MailZu requires all passwords stored in its database to be MD5 (not standard unix crypt()). If we were to use the sql auth method with MailZu, we would have to patch MailZu to work with our database. Unfortunately this is not always practical: it means altering one obscure variable, which is unsupported upstream, and it still does not work correctly if you choose to use postfixadmin, because of how postfixadmin requires its mailbox table to be configured.


Forcing PHP to behave can be a frustrating experience for any seasoned administrator. Fortunately MailZu can be set to have courier-imap do the dirty work by using the imap auth method, which removes the need to debug crypt hashed logins until you're nearly as bald as Dr. Phil. It would appear others share this enthusiasm for the beloved crypt() function in PHP. MailZu's imap authentication method supports imapcert via TLS so authentication isn't sent in cleartext. As the imap_type comments in config.php below note, imapcert encrypts the session but does not validate the server's certificate.
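
Which accounts the sql auth method could not verify depends on the format of each stored password, as discussed above. The following is an added example, not MailZu code: it assumes "MD5" means a bare 32-hex-digit digest as produced by PHP's md5(), and the function names and the user:hash input rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify stored mailbox passwords by hash format.
# Assumption: dbIsMd5 = true expects a bare 32-hex-digit MD5 digest.
# Classification is by shape only; it does not verify any password.

classify_hash() {
    case $1 in
        '$1$'*)            echo md5-crypt ;;    # crypt() MD5 scheme, salted
        '$'[0-9a-z]*'$'*)  echo other-crypt ;;  # other modular crypt() schemes
        *)
            if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; then
                echo md5-hex                    # plain md5() digest
            elif printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo des-crypt                  # traditional unix crypt()
            else
                echo unknown                    # cleartext or something else
            fi ;;
    esac
}

# Reads "username:stored_password" lines on stdin and prints the accounts
# whose stored value is not a plain MD5 digest, with the detected format.
incompatible_accounts() {
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        fmt=$(classify_hash "$hash")
        [ "$fmt" = md5-hex ] || echo "$user $fmt"
    done
}

# Constructed sample rows (not real credentials or valid hashes).
SAMPLE='alice@example.com:0123456789abcdef0123456789abcdef
bob@example.com:$1$abcdefgh$0123456789abcdefghijkl
carol@example.com:abJnggxhB/yJk'

printf '%s\n' "$SAMPLE" | incompatible_accounts
```

Any account this lists would fail a plain MD5 comparison, which is why the imap auth method is used here instead.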

NOTE: Need php compiled with USE="imap" and maybe "socket".


User-Notice: 1. Changed /mailzu/lib/IMAPAuth.class.php line 81 to $host = '{'.$host."/imap/notls}INBOX"; to work with IMAP and plain passwords.

2. Emerge PEAR with: emerge PEAR-PEAR PEAR-DB
and, for PEAR to work with Postgres: ACCEPT_KEYWORDS="~x86" emerge PEAR-MDB2_Driver_pgsql


Code: config/config.php
 
# cp config/config.php.sample config/config.php
# nano config/config.php

// Amavisd-new AM.PDP port
// Since the port number can not be stored in the database
// all instances of amavisd-new must use the same AM.PDP port
$conf['amavisd']['spam_release_port'] = '9998';

// Database type to be used by PEAR [mysql]
/* Options are:
        mysql  -> MySQL
        pgsql  -> PostgreSQL
        ibase  -> InterBase
        msql   -> Mini SQL
        mssql  -> Microsoft SQL Server
        oci8   -> Oracle 7/8/8i
        odbc   -> ODBC (Open Database Connectivity)
        sybase -> SyBase
        ifx    -> Informix
        fbsql  -> FrontBase
*/
$conf['db']['dbType'] = 'pgsql';

// Database user who can access the amavisd database
$conf['db']['dbUser'] = 'amavis';

// Password for above user to access the amavisd database
$conf['db']['dbPass'] = 'supersecret';

// Name of database
$conf['db']['dbName'] = 'amavis';

// Database host specification (hostname[:port]) [localhost]
$conf['db']['hostSpec'] = '127.0.0.1:5432';

/**********
* Authentication Settings
*
* Choose your authentication method ($conf['auth']['serverType']),
* Then fill in the necessary auth information for corresponding method
*
***********/
// Available authentication methods
/* Options are:
        ldap -> Standard LDAP server, e.g. OpenLDAP
        ad   -> MS Active Directory
        sql  -> PHP PEAR compatible database
        exchange  -> MS Exchange 5.5
        imap  -> IMAP protocol
*/
$conf['auth']['serverType'] = 'imap';

....................
cut omitted section
....................

/*** Database Authentication Settings ***/
// Database type to be used by PEAR
/* Options are:
        mysql  -> MySQL
        pgsql  -> PostgreSQL
        ibase  -> InterBase
        msql   -> Mini SQL
        mssql  -> Microsoft SQL Server
        oci8   -> Oracle 7/8/8i
        odbc   -> ODBC (Open Database Connectivity)
        sybase -> SyBase
        ifx    -> Informix
        fbsql  -> FrontBase
*/
$conf['auth']['dbType'] = 'pgsql';

// Database host specification (hostname[:port]) [localhost]
$conf['auth']['dbHostSpec'] = '127.0.0.1:5432';

// Database user who can access the auth database
$conf['auth']['dbUser'] = 'postfix';

// Password for above user to auth database
$conf['auth']['dbPass'] = 'supersecret';

// Name for auth database
$conf['auth']['dbName'] = 'postfix';

// Name for auth table that contains usernames and passwords
$conf['auth']['dbTable'] = 'mailbox';

// Name of the Username field of the SQL table
$conf['auth']['dbTableUsername'] = 'username';

// Name of the password field of the SQL table
$conf['auth']['dbTablePassword'] = 'password';

// Name of the 'first name' or 'full name' field of the SQL table
// This is used for the welcome message
// If such a field does not exist, leave it blank
$conf['auth']['dbTableName'] = 'name';

// Name of the 'mail address' field of the SQL table
$conf['auth']['dbTableMail'] = 'username';

// Hash configuration
// true   = passwords are md5 encrypted in database
// false  = passwords are cleartext in database
$conf['auth']['dbIsMd5'] = true;

....................
cut omitted section
....................

// IMAP type
/* Options are:
        imap     -> default
        imaptls  -> do not do start-TLS to encrypt the session, even with servers that support it
        imapssl  -> use the Secure Socket Layer to encrypt the session
        imapcert -> use the Secure Socket Layer to encrypt the session,
                    do not validate certificates from TLS/SSL server, needed if server uses self-signed certificates
*/
$conf['auth']['imap_type'] = 'imapcert';

// Domain name part of the email address, (e.g.: example.com)
$conf['auth']['imap_domain_name'] = 'example.com';

// quadrik, 16.02.2007 NOTE: it will work better if
// $conf['auth']['imap_domain_name'] = '';

/**
* End of Authentication Settings
*/
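
The config comments above require MailZu's spam_release_port to be the AM.PDP port that amavisd listens on. As an added example (not part of MailZu, amavisd or the original article), this shell check compares the two files; the function names and the sample files it writes are constructed for illustration.

```sh
# Added example: cross-check MailZu's release port against amavisd.conf.
mailzu_release_port() {            # $1 = MailZu config.php
    grep -E "^[[:space:]]*[$]conf\['amavisd'\]\['spam_release_port'\]" "$1" |
        tail -n 1 | sed 's/.*=//' | tr -cd '0-9'
}
amavisd_listen_ports() {           # $1 = amavisd.conf
    grep -E '^[[:space:]]*\$inet_socket_port[[:space:]]*=' "$1" |
        tail -n 1 | sed 's/#.*//; s/.*=//' | tr -c '0-9\n' ' '
}
amavisd_port_bank() {              # $1 = amavisd.conf, $2 = port
    grep -E "^[[:space:]]*[$]interface_policy\{'?$2'?\}" "$1" |
        tail -n 1 | sed 's/#.*//; s/.*=//' | tr -cd 'A-Za-z0-9._-'
}
bank_protocol() {                  # $1 = amavisd.conf, $2 = policy bank name
    awk -v bank="$2" '
        index($0, "$policy_bank{\047" bank "\047}") { inbank = 1 }
        inbank && /protocol[[:space:]]*=>/ { gsub(/.*=>|[^A-Za-z.]/, ""); print; exit }
        inbank && /^[[:space:]]*};/ { inbank = 0 }' "$1"
}

check_release_port() {             # $1 = amavisd.conf, $2 = MailZu config.php
    port=$(mailzu_release_port "$2")
    [ -n "$port" ] || { echo "no spam_release_port set in $2"; return 2; }
    case " $(amavisd_listen_ports "$1") " in
        *" $port "*) ;;
        *) echo "amavisd is not listening on $port"; return 1 ;;
    esac
    bank=$(amavisd_port_bank "$1" "$port")
    [ "$(bank_protocol "$1" "$bank")" = AM.PDP ] ||
        { echo "port $port is not bound to an AM.PDP policy bank"; return 1; }
    echo "ok: port $port uses policy bank $bank"
}

# Constructed sample files mirroring the settings shown on this page.
write_samples() {                  # $1 = directory, $2 = port MailZu should use
    cat > "$1/amavisd.conf" <<'EOF'
$inet_socket_port = [10024, 9998];   # listen on this local TCP port(s)
$interface_policy{'9998'} = 'AM.PDP';
$policy_bank{'AM.PDP'} = {
    protocol => 'AM.PDP',
};
EOF
    printf "\$conf['amavisd']['spam_release_port'] = '%s';\n" "$2" > "$1/config.php"
}

tmp=$(mktemp -d) && write_samples "$tmp" 9998 &&
    check_release_port "$tmp/amavisd.conf" "$tmp/config.php"
rm -rf "$tmp"
```

A port such as 10024 fails the check even though amavisd listens on it, because no interface_policy entry binds it to an AM.PDP policy bank.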
  


You will also need to list in config.php the logins that get administrative access to MailZu, which opens the administrative site quarantine and site pending requests sections for managing amavisd quarantines. Permissions for MailZu administrators are set in the following section. Super admins are global administrators.


Code: config/config.php administrative permissions
 
/*** Permission listings ****/
/* The items you put in the admin lists
*  must be the same as the login ID.
*  Example:
*  If you login as 'userid' then..
*  conf['auth']['s_admins'] = array ('userid','userid2');
*
*  OR
*
*  If you login as 'userid@example.com' then...
*  conf['auth']['s_admins'] = array ('userid@example.com',
*                                    'userid2@example.com'
*                                   );
*
*/

// List of Super Admins
// Super Admins can do anything mail admins can plus
// change settings
$conf['auth']['s_admins'] = array ('superadmin@example.com', 'superadmin2@example.com');

// List of Mail Admins
// Mail Admins can see other users' spam and attachments
// and can perform any action on them
$conf['auth']['m_admins'] = array ('mailadmin@example.com', 'mailadmin2@example.com');

// User login restriction (Does not affect admins)
// If set to true, users will not be able to login. This is if you do
// not want users to view their quarantine, yet only have admins to
// view quarantines.
$conf['auth']['login_restriction'] = false;

// User restriction exemption
// List of users still allowed to login even if
// $conf['auth']['login_restriction'] = true
//
$conf['auth']['restricted_users'] = array ('superadmin@example.com', 'superadmin2@example.com');
  


The last section requiring general configuration is the Miscellaneous Settings, covering localization, the base URL and the mail settings MailZu uses to send notifications.


Code: config/config.php Miscellaneous Settings
 
/**********
* Miscellaneous Settings
*
* The following settings must correspond to your amavisd-new setup
*
***********/

// Image to appear at the top of each page ['img/mailzu.gif']
// Leave this string empty if you are not going to use an image
// Specify link as 'directory/filename.gif'
$conf['ui']['logoImage'] = 'img/mailzu.gif';

// Welcome message show at login page ['Welcome to MailZu!']
$conf['ui']['welcome'] = 'Welcome to MailZu!';

// The full url to the root directory of MailZu
// Please do not include the trailing slash
$conf['app']['weburi'] = 'http://admin.example.com/mailzu';

// How to send email ['mail']
/* Options are:
        'mail' for PHP default mail
        'smtp' for SMTP
        'sendmail' for sendmail
        'qmail' for qmail MTA
*/
$conf['app']['emailType'] = 'mail';

// SMTP email host address []
// This is only required if emailType is SMTP
$conf['app']['smtpHost'] = '';

// SMTP port [25]
// This is only required if emailType is SMTP
$conf['app']['smtpPort'] = 25;

// Path to sendmail ['/usr/sbin/sendmail']
// This only needs to be set if the emailType is 'sendmail'
$conf['app']['sendmailPath'] = '/usr/sbin/sendmail';

// Path to qmail ['/var/qmail/bin/sendmail']
// This only needs to be set if the emailType is 'qmail'
$conf['app']['qmailPath'] = '/var/qmail/bin/sendmail';

// The email address of the support staff or administrator
// An email is sent to this address when a user reports an error
// or clicks the "Email Administrator" link
$conf['app']['adminEmail'] = 'support@example.com';

// Email admin upon Release Request
// When users try to release a banned file a request is sent to an
// admin. Admins can always look at 'Pending Requests' in the MailZu
// interface regardless.
//
// $conf['app']['notifyAdmin'] = 1;
$conf['app']['notifyAdmin'] = 1;

// Show the "Email Administrator" link for users
// If you have a large userbase, you may not want users to have the
// capability to just email the admin
// Note: The "Report Error" link is still available regardless
// of this option. This link is only visible if a fatal error occurs
// with releasing attachments. Default is 1 (show link).
//
// $conf['app']['showEmailAdmin'] = 0;
$conf['app']['showEmailAdmin'] = 1;

// Show Site Quarantine in search only mode if set to 1.
// No message is displayed when clicking on 'Site quarantine'.
// Keep the default for large sites.
// $conf['app']['searchOnly'] = 1
$conf['app']['searchOnly'] = 1;

// The default language code.  This must be included in the language list in
// langs.php
$conf['app']['defaultLanguage'] = 'en_US';

// Display the choice for language selection during the login screen if set to 1
// Otherwise set it to 0
// Default is 1
$conf['app']['selectLanguage'] = '1';

// If you are running PHP in safe mode, set this value to 1.
// This toggles if we use the included Pear DB and Mail_Mime libraries included
// with this distribution
$conf['app']['safeMode'] = 1;

// View time in 12 or 24 hour format [12]
// Only acceptable values are 12 and 24 (if an invalid number is set, 12 hour
// time will be used)
$conf['app']['timeFormat'] = 12;

// Title of application ['MailZu']
// Will be used for page titles and in 'From' field of email responses
$conf['app']['title'] = 'MailZu';

// If we should log system activity or not [0]
// Can be 0 (for no) and 1 (for yes)
$conf['app']['use_log'] = 1;

// Directory/file for log ['/var/log/mailzu.log']
// Specify as /directory/filename.extension
$conf['app']['logfile'] = '/var/log/mailzu.log';

// Maximum number of messages displayed per page
$conf['app']['displaySizeLimit'] = 50;

include_once('init.php');
?>
  


Edit by kardasa@kardasa.pl: new amavisd also needs this option to be set (default is false)

Code: config/config.php Miscellaneous Settings
 
// If using the bytea or BLOB mail_text quarantine type set to
// True. Since amavisd-2.4.4.

$conf['db']['binquar'] = true;

Note: edit by Alphacube

With my setup (server behind a firewall and a local DNS name not the same as the mail domain), I had to change the following to make MailZu release messages.

Code: /lib/Quarantine.lib.php Miscellaneous Settings
 
$am = new AmavisdEngine($host);
to
$am = new AmavisdEngine('localhost');

otherwise mailzu tried to connect to my mail domain:9998 thus going outside the firewall and back.

Retrieved from "http://www.gentoo-wiki.info/Complete_Virtual_Mail_Server/Amavis_and_Spamassassin_UI"

Last modified: Mon, 14 Jul 2008 09:47:00 +0000