Mailscanner/Exim Gateway With Communigate PRO Guide

In this tutorial we will install and set up Mailscanner as a mail firewall in front of a Communigate Pro cluster. The tutorial was written for the CentOS 5.x Linux distro, but it should work on other Linux based systems with minor modifications. The system will run with SELinux in enforcing mode. The components that we will use include:

  • Mailscanner
  • Clamav
  • exim
  • apache
  • mailwatch
  • razor
  • spamassassin
  • mysql
  • fuzzy ocr
  • sanesecurity signatures
  • mailfeeder

Install Packages

I assume that you have installed a bare bones CentOS 5 system with the “Development Tools” group to work with, so I will not go into issues such as package selection and partition layout. As we need to install software that is not part of the default CentOS base, we configure the system to use Dag Wieers' rpm repo, which packages much of the software that we need.

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

With that done we have configured the system to use the rpmforge repo.

For this tutorial the working directory will be /usr/local/src – all downloads should be downloaded to and extracted in there.

 

Exim

yum install exim -y
/usr/sbin/alternatives --set mta /usr/sbin/sendmail.exim
service sendmail stop
/sbin/chkconfig --level 345 sendmail off
/sbin/chkconfig --level 345 exim off

 

MailScanner

wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.66.5-3.rpm.tar.gz
tar xzvf MailScanner-4.66.5-3.rpm.tar.gz
cd MailScanner-4.66.5-3
./install.sh

 

Clamav

yum install clamav clamav-db clamd -y
freshclam

 

Sanesecurity Signatures

wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
chmod +x /usr/local/bin/update_sanesecurity.sh
ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
/usr/local/bin/update_sanesecurity.sh

 

Apache

yum install httpd php php-mysql php-gd php-eaccelerator -y
/sbin/chkconfig --level 345 httpd on

 

Spamassassin

yum install spamassassin -y

 

Fuzzy OCR

yum install netpbm-progs ocrad gocr gifsicle giflib-utils giflib -y
svn co svn://svn.own-hero.net/fuzzyocr/trunk/devel
cd devel/
perl -MCPAN -e 'install String::Approx'
perl -MCPAN -e 'install Time::HiRes'
perl -MCPAN -e 'install Log::Agent'
cp -rv {FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/} /etc/mail/spamassassin
chcon -R system_u:object_r:etc_mail_t /etc/mail/spamassassin/{FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/}
wget http://www.gbnetwork.co.uk/mailscanner/FuzzyOcr.words -O /etc/mail/spamassassin/FuzzyOcr.words

 

Razor

yum install razor-agents

 

MySQL

yum install mysql mysql-server -y

 

Mailwatch

wget http://dfn.dl.sourceforge.net/sourceforge/mailwatch/mailwatch-1.0.4.tar.gz
tar xzvf mailwatch-1.0.4.tar.gz
cd mailwatch-1.0.4
cp -av mailscanner/* /var/www/html/
cp /var/www/html/conf.php.example /var/www/html/conf.php
mkdir /var/www/html/temp
chmod u+rwx /var/www/html/temp
rm -f /var/www/html/{index.php,xml,jpgraph,fpdf}
cp /var/www/html/status.php /var/www/html/index.php
mv /var/www/html/jpgraph-1.12.1 /var/www/html/jpgraph
mv /var/www/html/fpdf152 /var/www/html/fpdf
mv /var/www/html/xmlrpc_1.2 /var/www/html/xmlrpc
chown apache.apache -R /var/www/html/
chmod ug+rwx /var/www/html/images
chmod ug+rwx /var/www/html/images/cache
chcon -R system_u:object_r:httpd_sys_content_t /var/www/html/
cp MailWatch.pm /usr/lib/MailScanner/MailScanner/CustomFunctions/
cp SQLBlackWhiteList.pm /usr/lib/MailScanner/MailScanner/CustomFunctions/
cp tools/db_clean.php /usr/local/bin/
cp tools/quarantine_maint.php /usr/local/bin/

 

Mailfeeder

wget http://www.pldaniels.com/mailfeeder/mailfeeder-0.2.3.tar.gz
tar xzvf mailfeeder-0.2.3.tar.gz
cd mailfeeder-0.2.3
make
cp mailfeeder /usr/local/bin/

 

Configure Packages

Configure Exim

Introduction

To run exim with mailscanner you need two configuration files: one for the daemon that listens on port 25 and accepts incoming mail, and another for the exim process that delivers the clean mail that has been scanned by mailscanner. You also need two queues: one for incoming mail and one for clean mail that has been scanned.

I will not dwell on all the configuration options that exim provides. I expect that you can find detailed information elsewhere on how to configure a normal exim system, so I will only focus on the areas that are specific to this setup.

  • To begin, back up your exim configuration, then create the second configuration file for the outbound process.

cp /etc/exim/exim.conf /etc/exim/exim.conf.orig
cp /etc/exim/exim.conf /etc/exim/exim_out.conf

 

Inbound Exim

This is the configuration for the exim daemon that listens on port 25 and accepts the messages and queues them for mailscanner to process. The configuration file is /etc/exim/exim.conf.

 

Anti-virus / Sanesecurity Checks

Configure the incoming exim daemon (/etc/exim/exim.conf) to use clamav to scan incoming mail and reject virus infected email and image and pdf spam at smtp time.

av_scanner = clamd:/var/run/clamav/clamd.sock

 

Mail Routing

Configure the domains you accept mail for. We will add these to the file /etc/exim/relay_domains.

# example /etc/exim/relay_domains
example.com

Specify this in the exim configuration:

domainlist relay_to_domains = lsearch;/etc/exim/relay_domains

Configure the routing of the domains you are filtering mail for in the file /etc/exim/mail-routes.

#example /etc/exim/mail-routes
#this domain is on a CGP cluster of 2 front end nodes
example.com: xxx.xxx.xxx.xxx:xxx.xxx.xxx.xxx
#this delivers to one CGP machine
somedomain.com: xxx.xxx.xxx.xxx

Configure a router to accept mail for the relay domains. You need to add this under the check_backend: router (see address verification below).

deliver_clean:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  route_data = ${lookup{$domain}lsearch{/etc/exim/mail-routes}}

 

Mailscanner Integration

Configure the inbound exim just to queue the messages and not deliver to enable mailscanner to process them.

spool_directory = /var/spool/exim.in
process_log_path = /var/spool/exim/exim-process.info
queue_only = true
queue_only_override = false

 

RBL’s

Configure the RBL’s under acl_check_rcpt:

drop    message       = REJECTED because $sender_host_address is in a black list spamhaus.org
           dnslists      = zen.spamhaus.org
drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = bl.spamcop.net
drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = dnsbl.sorbs.net

Anti Spam

If you want to reject messages from servers with no reverse DNS, add this under acl_check_rcpt:. It has an exception list to which you can add domains where the ACL should not be applied, and it tries to deliver a test message to the sending address to verify that the sender is valid.

drop  message   = REJECTED - We don't accept messages from hosts without reverse DNS
        log_message = No reverse DNS
        domains = ! lsearch;/etc/exim/checks_exempt_hosts
        !verify = reverse_host_lookup
        !verify = sender/callout=2m,defer_ok
        !condition =  ${if eq{$sender_verify_failure}{}}

To reject messages from clients that don't provide a HELO/EHLO, add this to acl_check_rcpt:

drop  message  = REFUSED - no HELO/EHLO greeting
        log_message = remote host did not present greeting
        condition = ${if def:sender_helo_name {false}{true}}

You can also rate limit the connections to your server. To do so, add this to acl_check_connect: (read the exim docs on the parameters if you want to fine tune it for your site).

deny ratelimit = 250 / 15m / strict
       message = You can only send $sender_rate per $sender_rate_period
       log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
accept

Stop rogue spam bots from trashing your machine.

smtp_accept_max_nonmail = 30
smtp_max_unknown_commands = 1

Allow pipelining only from the localhost to allow you to later use mailfeeder to release mail.

pipelining_advertise_hosts = 127.0.0.1

 

Address Verification

This uses the router check_backend to communicate with your Communigate Pro system via LDAP to ensure that an address exists before accepting mail for that address.

Add your default ldap servers to the exim configuration.

ldap_default_servers = xxx.xxx.xxx.xxx

Configure domains that have a catchall account (no verification that the address exists before accepting mail).

# example /etc/exim/catchall_domains
somedomain.com

Specify this in the exim configuration.

domainlist domains_with_catchall = lsearch;/etc/exim/catchall_domains

Create the file /etc/exim/ldap-domains and add the LDAP enabled CGP domains to it. The first column is the domain or domain alias and the second is the actual domain as it exists in LDAP. The mapping is needed because syncing CGP domains to LDAP does not copy the domain aliases.

#example  /etc/exim/ldap-domains
example.com: example.com
example.co.za: example.com

Create the check_backend router, this should be the first router in your configuration.

check_backend:
 driver = redirect
 domains = ! +domains_with_catchall : +relay_to_domains
 allow_fail
 allow_defer
 forbid_file
 forbid_pipe
 # quote the client-supplied local part before it goes into the LDAP query
 data = ${lookup ldap{ldap:///uid=${quote_ldap_dn:$local_part},cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?mail}{$value}{:fail: Unknown user}}
 #version 5.x use this instead
 #data = ${lookup ldap{ldap:///cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?uid?sub?(uid=${quote_ldap:$local_part})}{$local_part@$domain}{:fail: User Unknown}}
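
As an added example (not part of the original guide), the shell functions below cross-check the four lookup files described above: a relay domain without a mail-routes entry cannot be routed, and a non-catchall relay domain without an ldap-domains entry leaves check_backend with an incomplete LDAP base DN. The function names are hypothetical; the file names are the ones used in this guide.

```shell
#!/bin/sh
# Added example: cross-check the lsearch files read by the check_backend and
# deliver_clean routers. Function names are hypothetical.

# Print the keys of an lsearch file, lowercased, one per line.
# Blank lines, lines starting with '#' and continuation lines (leading
# whitespace) are skipped; a key ends at the first colon or whitespace.
lsearch_keys() {
  [ -f "$1" ] || return 0
  awk '/^[ \t]*$/ || /^#/ || /^[ \t]/ { next }
       { k = $0; sub(/[: \t].*$/, "", k); print tolower(k) }' "$1" | sort -u
}

# Succeeds if key $1 is in the newline-separated list $2.
has_key() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Usage: check_exim_maps DIR      (DIR is /etc/exim on the gateway)
# Prints one finding per line; exit status is 1 if anything was found.
check_exim_maps() {
  cem_dir=$1
  cem_relay=$(lsearch_keys "$cem_dir/relay_domains")
  cem_routes=$(lsearch_keys "$cem_dir/mail-routes")
  cem_ldap=$(lsearch_keys "$cem_dir/ldap-domains")
  cem_catchall=$(lsearch_keys "$cem_dir/catchall_domains")
  cem_findings=$(
    for d in $cem_relay; do
      # deliver_clean: an empty route_data lookup makes the router decline
      has_key "$d" "$cem_routes" || echo "NO-ROUTE $d"
      # check_backend: no ldap-domains entry means the cn= part of the LDAP
      # base DN is empty, so recipient verification cannot succeed
      if ! has_key "$d" "$cem_catchall" && ! has_key "$d" "$cem_ldap"; then
        echo "NO-LDAP $d"
      fi
    done
    for d in $cem_catchall; do
      # a catchall exemption for a domain that is not relayed has no effect
      has_key "$d" "$cem_relay" || echo "CATCHALL-NOT-RELAYED $d"
    done
    # lsearch treats '#' as a comment only at the start of a line; a trailing
    # comment becomes part of the looked-up route_data
    if [ -f "$cem_dir/mail-routes" ]; then
      awk '!/^#/ && /#/ { sub(/[: \t].*$/, "")
                          print "INLINE-COMMENT " tolower($0) }' "$cem_dir/mail-routes"
    fi
  )
  if [ -z "$cem_findings" ]; then
    return 0
  fi
  printf '%s\n' "$cem_findings"
  return 1
}
```

Run `check_exim_maps /etc/exim` after every change to the domain files and before reloading exim.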

 

Clean Delivery Exim

This is the configuration that is used to deliver the clean mail that mailscanner has already scanned. The configuration file is /etc/exim/exim_out.conf. For this you can use the default configuration with all the checks and acls taken out.

You need to add this router to deliver the cleaned mail to the actual CGP servers. If you are running a cluster, this router is capable of spreading the deliveries across the servers that you have configured in /etc/exim/mail-routes making it fully redundant.

deliver_clean:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  hosts_randomize = true
  route_data = ${lookup{$domain}lsearch{/etc/exim/mail-routes}}

Configure MySQL

Add this to the configuration file /etc/my.cnf:

socket=/var/lib/mysql/mysql.sock
skip-networking

This configures mysql to only communicate via the socket not tcp which is better for security and for performance.

Start mysql, this will initialize the default databases.

service mysqld start

Set the root users password:

mysqladmin -u root password NEWPASSWORD

Create the mailwatch database and populate tables:

mysql -p < /usr/local/src/mailwatch-1.0.4/create.sql

Create the mysql user for mailwatch and mailscanner logging:

mysql
mysql> GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY 'password';

Create the mailwatch admin user (replace USERNAME, PASSWORD and FULL NAME with your own values):

mysql mailscanner -u mailwatch -p
Enter password: ******
mysql> INSERT INTO users VALUES ('USERNAME',md5('PASSWORD'),'FULL NAME','A','0','0','0','0','0');

 

Configure MailScanner

Intro

Mailscanner has many configuration options; I will only dwell on those that are needed to get the system working. To further customize the system, please read the mailscanner documentation or look at the sample configuration files that I have provided.

 

Basic Configuration

Please edit the following configuration variables in /etc/MailScanner/MailScanner.conf:

Run As User = exim
Run As Group = exim
Incoming Queue Dir = /var/spool/exim.in/input
Outgoing Queue Dir = /var/spool/exim/input
MTA = exim
Sendmail = /usr/sbin/exim -C /etc/exim/exim_out.conf
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_out.conf
Quarantine User = exim
Quarantine Group = apache
Quarantine Permissions = 0660
Quarantine Infections = yes
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
Keep Spam And MCP Archive Clean = yes
Spam Actions = store
High Scoring Spam Actions = store
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes

  • Set permissions

chown exim.exim -R /var/spool/MailScanner/incoming
mkdir -p /var/spool/exim.in/{input,msglog,scan,db}
chown exim.exim /var/spool/exim.in/{input,msglog,scan,db}

 

Anti Virus

If you have a second virus scanner, set:

Virus Scanning = yes
Virus Scanners = "name of virus scanner"

 

Blacklists And Whitelists

We will be using SQL(mysql) based whitelisting and blacklisting to easily integrate with the mailwatch front end to allow users to whitelist and blacklist senders from within the web interface.

Edit the mailscanner configuration file and add:

Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist
Ignore Spam Whitelist If Recipients Exceed = 20

Edit the file /usr/lib/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm:

sub CreateList {
  my($type, $BlackWhite) = @_;
  my($dbh, $sth, $sql, $to_address, $from_address, $count);
  my($db_name) = 'mailscanner';
  my($db_host) = 'localhost';
  my($db_user) = 'mailwatch';
  my($db_pass) = 'password';

 

Mailwatch Integration

Edit the mailscanner configuration file and add:

Always Looked Up Last = &MailWatchLogging

Edit the file /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm:

my($db_name) = 'mailscanner';
my($db_host) = 'localhost';
my($db_user) = 'mailwatch';
my($db_pass) = 'password';

 

Configure Spamassassin

This configuration will use a mysql database to store the bayes information. So we will create a database and user that will be used to connect to the database. We will also be using extra rules (SARE hosted by Daryl C. W. O’Shea http://www.dostech.ca/) so we will configure sa-update to download them automatically.

 

Create MySQL Database

mysqladmin -p create bayes

Populate the database:

mysql -p bayes < /usr/share/doc/spamassassin-3.2.3/sql/bayes_mysql.sql

Create the user:

mysql -p
mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY 'password';

 

Configure To Use DB

Edit the file /etc/mail/spamassassin/local.cf and add:

bayes_store_module  Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn       DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username  bayes
bayes_sql_password  password

 

SARE Rule Updates

Import the GPG key used to sign the rules:

wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
sa-update --import GPG.KEY

Create the channels file /etc/mail/spamassassin/sare-sa-update-channels.txt:

updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net

Create an update script /usr/local/bin/update-sa:

#!/bin/bash
#
#
sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A

Make it executable and add it to cron:

chmod +x /usr/local/bin/update-sa
ln -s /usr/local/bin/update-sa /etc/cron.daily/
ln -s /usr/local/bin/update-sa /etc/cron.hourly

FuzzyOCR

We will be storing the image hashes in a mysql database to improve on performance such that images that we have already scanned do not get scanned again as OCR is a resource intense activity.

 

Create MySQL Database

The sql script creates the database and tables and adds a user fuzzyocr with the password fuzzyocr:

mysql -p < /usr/local/src/devel/FuzzyOcr.mysql

Change the password:

mysqladmin -u fuzzyocr -p password NEWPASSWORD

Basic Settings

Edit /etc/mail/spamassassin/FuzzyOcr.cf and set the basic options:

focr_path_bin /usr/bin:/usr/local/bin
focr_minimal_scanset 1
focr_autosort_scanset 1
focr_enable_image_hashing 3
focr_logfile /tmp/FuzzyOcr.log

 

Make FuzzyOCR Use The Database

Edit the file /etc/mail/spamassassin/FuzzyOcr.cf and add:

focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/lib/mysql/mysql.sock

 

Configure Razor

Register your razor system:

razor-admin -register

 

Configure Clamav

Base Config

This clamav installation will use both the official signatures and the sanesecurity signatures, which are used to combat image and pdf spam as well as phishing attacks.

Add the clamav user to the exim group:

usermod -a -G exim clamav

Configure clamd to listen on the unix socket that av_scanner in /etc/exim/exim.conf points to:

LocalSocket /var/run/clamav/clamd.sock

Configure clamd to start at boot:

chkconfig --level 345 clamd on

 

SELinux

For clamav to be able to work in enforcing mode we need to add some localized policy modules. The sample policy is below:

module clamlocal 1.0;
require {
        class dir { add_name read remove_name search write };
        class file { create getattr lock read write append };
        type clamd_t;
        type clamd_var_log_t;
        type logwatch_t;
        type proc_t;
        type sysctl_kernel_t;
        type var_spool_t;
        type var_t;
        type var_log_t;
        role system_r;
};
allow clamd_t proc_t:file { getattr read };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_spool_t:dir read;
allow clamd_t var_spool_t:file { getattr read };
allow clamd_t var_t:dir { add_name read remove_name write };
allow clamd_t var_t:file { create getattr lock read write };
allow logwatch_t clamd_var_log_t:dir { read search };
allow clamd_t var_log_t:file append;
allow clamd_t var_t:dir { read write };

The module can be downloaded from http://www.topdog-software.com/files/clamlocal.te.gz.

Build and install the module:

wget http://www.topdog-software.com/files/clamlocal.te.gz
gunzip clamlocal.te.gz
checkmodule -M -m -o clamlocal.mod clamlocal.te
semodule_package -o clamlocal.pp -m clamlocal.mod
semodule -i clamlocal.pp

 

Configure Mailwatch

Patch For Enhanced Release

This patch makes mailwatch release messages via mailfeeder, re-injecting the actual message through the smtp server so that it appears like the original message that was sent. The default mailwatch release instead sends the released mail as an attachment from the postmaster account.

cd /usr/local/src
wget http://www.topdog-software.com/files/mailwatch_release.patch.gz
gunzip mailwatch_release.patch.gz
cd /var/www/html
# the patch was downloaded to the working directory /usr/local/src
patch -i /usr/local/src/mailwatch_release.patch

 

Configure The Base Directory

Since we are installing mailwatch into /var/www/html instead of /var/www/html/mailscanner we need to make modifications to the config conf.php to reflect this:

define(MAILWATCH_HOME, '/var/www/html');

 

Configure For Database

Set the following options in conf.php:

define(DB_TYPE, 'mysql');
define(DB_USER, 'mailwatch');
define(DB_PASS, 'password');
define(DB_HOST, 'localhost:/var/lib/mysql/mysql.sock');
define(DB_NAME, 'mailscanner');
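
This guide writes MySQL credentials into five files (conf.php, MailWatch.pm, SQLBlackWhiteList.pm, local.cf and FuzzyOcr.cf) and uses the literal value password as a stand-in in each. The following added example, which is not part of the original guide, reports any of those files that still carries the stand-in (or the fuzzyocr default) or is world-readable; audit_db_creds is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit the credential files this guide edits.
# audit_db_creds is a hypothetical helper; paths and setting names are the
# ones used in this guide.

# Usage: audit_db_creds [ROOT]
# ROOT is prefixed to every path (empty on the live gateway).
# Prints one finding per line; exit status is 1 if anything was found.
audit_db_creds() {
  adc_root=${1:-}
  adc_out=$(
    while IFS='|' read -r adc_path adc_key; do
      adc_file=$adc_root$adc_path
      [ -f "$adc_file" ] || continue
      # Ignore comment lines, then look for the setting name followed by
      # one of the guide's stand-in values as the whole value.
      if grep -v '^[[:space:]]*[#/]' "$adc_file" |
         grep -Eq "${adc_key}[^A-Za-z0-9_]+(password|fuzzyocr)[^A-Za-z0-9_]*\$"; then
        echo "DEFAULT-PASSWORD $adc_path"
      fi
      # -perm -004 matches when the "other" read bit is set
      if [ -n "$(find "$adc_file" -perm -004)" ]; then
        echo "WORLD-READABLE $adc_path"
      fi
    done <<'EOF'
/var/www/html/conf.php|DB_PASS
/usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm|db_pass
/usr/lib/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm|db_pass
/etc/mail/spamassassin/local.cf|bayes_sql_password
/etc/mail/spamassassin/FuzzyOcr.cf|focr_mysql_pass
EOF
  )
  if [ -z "$adc_out" ]; then
    return 0
  fi
  printf '%s\n' "$adc_out"
  return 1
}
```

Each file must stay readable by the account that uses it (apache for conf.php, exim for the MailScanner and SpamAssassin files), so tighten a flagged file with group ownership rather than by removing all access.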

 

Quarantine

Set this in the conf.php file:

define(QUARANTINE_USE_FLAG, true);
define(QUARANTINE_DAYS_TO_KEEP, 30);

Install quarantine clean up script

cp /usr/local/src/mailwatch-1.0.4/tools/quarantine_maint.php /usr/local/bin/
chmod +x /usr/local/bin/quarantine_maint.php
ln -s /usr/local/bin/quarantine_maint.php /etc/cron.daily

Disable the mailscanner installed cron script /etc/cron.daily/clean.quarantine

$disabled = 1;


 

SELinux

For mailwatch to work under enforcing mode we need to install a custom selinux policy module. The module source is below:

module mailwatch 1.0;

require {
        class dir { getattr read search };
        class file { getattr read execute execute_no_trans ioctl };
        class lnk_file { read getattr };
        class tcp_socket name_connect;
        type spamc_exec_t;
        type clamd_t;
        type getty_t;
        type hostname_exec_t;
        type initrc_t;
        type unconfined_t;
        type var_spool_t;
        type etc_mail_t;
        type ls_exec_t;
        type smtp_port_t;
        type spamassassin_exec_t;
        type httpd_sys_content_t;
        type httpd_t;
        type mysqld_t;
        type lib_t;
};

allow httpd_t clamd_t:dir getattr;
allow httpd_t hostname_exec_t:file getattr;
allow httpd_t var_spool_t:dir read;
allow httpd_t var_spool_t:file { getattr ioctl read };
allow httpd_t spamc_exec_t:file { execute execute_no_trans getattr read ioctl };
allow httpd_t etc_mail_t:dir { search getattr read };
allow httpd_t etc_mail_t:file { getattr read ioctl };
allow httpd_t etc_mail_t:lnk_file { getattr read };
allow httpd_t hostname_exec_t:file { execute read execute_no_trans };
allow httpd_t unconfined_t:dir { getattr search read };
allow httpd_t unconfined_t:file { read };
allow httpd_t initrc_t:dir { getattr search read };
allow httpd_t initrc_t:file read;
allow httpd_t ls_exec_t:file { execute read getattr execute_no_trans };
allow httpd_t spamassassin_exec_t:file { execute getattr read execute_no_trans ioctl };
allow mysqld_t httpd_sys_content_t:dir { getattr read search };
allow mysqld_t httpd_sys_content_t:file { read getattr };
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t lib_t:file execute_no_trans;

The module source can be downloaded from http://www.topdog-software.com/files/mailwatch.te.gz.

Build and install the module:

wget http://www.topdog-software.com/files/mailwatch.te.gz
gunzip mailwatch.te.gz
checkmodule -M -m -o mailwatch.mod mailwatch.te
semodule_package -o mailwatch.pp -m mailwatch.mod
semodule -i mailwatch.pp

 

GeoIP

Connect to your server at http://hostname/, log in, click on the “Tools/Links” menu → “Update GeoIP database” and click “Run Now”.

 

Mail Queue Monitor

Install the monitoring script:

cp /usr/local/src/mailwatch-1.0.4/mailq.php /usr/local/bin
chmod +x /usr/local/bin/mailq.php
crontab -e
0-59 * * * * /usr/local/bin/mailq.php

Edit for new directory layout:

if(flock($fl, LOCK_EX + LOCK_NB)) {
 require "/var/www/html/functions.php";
