niels / Software / #email

Postfix with Cyrus, Clamav and Spamassassin

This is a quick howto on how to get it all running. Most of the software used is a lot more powerful than this howto suggests. Once you have it all up and running make sure to spend some time checking out the full potential of your setup.

Get all the packages:

Include

deb http://ftp2.de.debian.org/debian-volatile sarge/volatile main

in your /etc/apt/sources.list to make sure you get updates on the clamav engine (and not just the virus data as provided by freshclam).

apt-get install postfix clamav clamav-base clamav-daemon clamav-freshclam amavisd-new spamassassin spamc razor pyzor cyrus21-admin cyrus21-common cyrus21-imapd cyrus21-pop3d

The amavis package recommends a lot of tools like unzip, unrar, etc. It’s best to install all of them; using dselect might be helpful here.

Clamav

Clamav will run fine without changing any settings. To make sure Clamav plays nicely with Amavis add the clamav user to the amavis group in /etc/group:

postfix:x:104:
postdrop:x:105:
mysql:x:106:
clamav:x:107:
amavis:x:108:clamav

You can do this by typing:

adduser clamav amavis

Spamassassin

Switch user to amavis:

peen:~# su - amavis

Then run the commands required to enable Razor to be used by Spamassassin:

amavis@peen:~$ razor-admin -create
amavis@peen:~$ razor-admin -register
Register successful. Identity stored in /var/lib/amavis/.razor/identity-ruu0K-KHfE

Also enable Pyzor:

amavis@peen:~$ pyzor discover
downloading servers from http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x

Create/edit /etc/spamassassin/local.cf. Mine is very simple:

report_safe 0
skip_rbl_checks 1

I turn off rbl checks in spamassassin as I will have postfix do this instead; see below. No other changes are required.

By default spamassassin is disabled on Debian. Make sure to edit /etc/default/spamassassin and start it:

peen:~# /etc/init.d/spamassassin start
Starting SpamAssassin Mail Filter Daemon: spamd.

Amavis

/etc/amavis/amavisd.conf requires a few configuration changes. Please find the settings quoted below and adjust them to match your setup.

…
$mydomain = 'peen.net';
…
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;
…
@local_domains_acl = ( ".$mydomain", ".localhost" );
…
$inet_socket_port = 10024;
…

Also make sure you turn on spamassassin support by removing this line:

@bypass_spam_checks_acl = qw( . );

The rest of the defaults are fine. Now restart amavis:

peen:~# /etc/init.d/amavis restart
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.

And do a tail on your syslog to make sure it detects Clamav and Spamassassin:

peen:~# tail -4 /var/log/syslog
Dec 1 11:42:38 peen amavis[15613]: Using internal av scanner code for (primary) Clam Antivirus-clamd
Dec 1 11:42:38 peen amavis[15613]: Found secondary av scanner Clam Antivirus - clamscan at /usr/bin/clamscan
Dec 1 11:42:38 peen amavis[15613]: SpamControl: initializing Mail::SpamAssassin
Dec 1 11:42:39 peen amavis[15613]: SpamControl: done

Cyrus

The default Cyrus configuration will work for us. We do however need to set sasl passwords and create mailboxes:

peen:~# saslpasswd2 cyrus
Password:
Again (for verification):
peen:~# saslpasswd2 niels
Password:
Again (for verification):

The cyrus user is used for administering Cyrus. The niels user is, well, me. Now create the mailbox for niels:

peen:~# su - cyrus
cyrus@peen:~$ cyradm localhost
IMAP Password:
localhost.localdomain> cm user.niels
localhost.localdomain> exit

Postfix

Finally we'll need Postfix to actually get this thing going. We need to add quite a bit to /etc/postfix/master.cf to make sure Postfix can communicate with Amavis:

…
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200

127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000

Then we edit /etc/postfix/main.cf to accept email for our domain, do rbl checks, send email to Amavis and deliver it to Cyrus:

smtpd_banner = peen.net ESMTP
biff = no

append_dot_mydomain = no

myhostname = xxx-xxx-xxx-xxx.solcon.nl
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = peen.net, localhost.localdomain, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8, 192.168.2.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
content_filter = smtp-amavis:[127.0.0.1]:10024

smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit

smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

Now restart postfix and you’re ready to receive email!

peen:~# /etc/init.d/postfix restart
Stopping mail transport agent: Postfix.
Starting mail transport agent: Postfix.
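As an added check that is not part of the original post, this POSIX sh script verifies the loop-breaking settings above: content_filter must name a transport that exists in master.cf, and the 127.0.0.1:10025 smtpd that takes mail back from Amavis must clear content_filter and accept loopback clients only. The main.cf and master.cf samples are constructed from the post's settings; point check_amavis_loop at real paths to test a live system.

```shell
#!/bin/sh
# Sanity checks for the Postfix <-> amavisd-new hand-off. If the reinjection smtpd
# keeps the global content_filter, scanned mail is sent to amavis again and loops.

# Print one master.cf entry: its service line plus the indented "-o" continuation lines.
master_entry() {                                 # $1 = master.cf, $2 = service name or addr:port
    awk -v svc="$2" '/^[^[:space:]#]/ { cur = $1 } cur == svc { print }' "$1"
}

# Print "OK" and return 0, or print FAIL lines and return 1.
check_amavis_loop() {                            # $1 = main.cf, $2 = master.cf
    rc=0
    # content_filter = smtp-amavis:[127.0.0.1]:10024 -> transport "smtp-amavis", port 10024
    cf=$(sed -n 's/^content_filter *= *//p' "$1")
    transport=${cf%%:*}
    port=${cf##*:}
    [ -n "$transport" ] && [ -n "$(master_entry "$2" "$transport")" ] ||
        { echo "FAIL: content_filter transport '$transport' is not defined in master.cf"; rc=1; }
    [ "$port" != 10025 ] ||
        { echo "FAIL: content_filter points at the reinjection port itself"; rc=1; }
    listener=$(master_entry "$2" "127.0.0.1:10025")
    echo "$listener" | grep -q 'content_filter=[[:space:]]*$' ||
        { echo "FAIL: 127.0.0.1:10025 must set -o content_filter= (empty) to break the loop"; rc=1; }
    echo "$listener" | grep -q 'mynetworks=127\.0\.0\.0/8[[:space:]]*$' ||
        { echo "FAIL: 127.0.0.1:10025 must set -o mynetworks=127.0.0.0/8"; rc=1; }
    echo "$listener" | grep -q 'smtpd_recipient_restrictions=permit_mynetworks,reject' ||
        { echo "FAIL: 127.0.0.1:10025 must reject everything outside mynetworks"; rc=1; }
    [ $rc -eq 0 ] && echo "OK"
    return $rc
}

# Constructed samples (not the author's files): the post's settings, plus a broken copy
# of master.cf whose reinjection smtpd forgot the empty content_filter override.
write_samples() {                                # $1 = directory to write into
    cat >"$1/main.cf" <<'EOF'
mynetworks = 127.0.0.0/8, 192.168.2.0/24
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
content_filter = smtp-amavis:[127.0.0.1]:10024
EOF
    cat >"$1/master.cf" <<'EOF'
smtp-amavis unix  -  -  n  -  2  smtp
    -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n  -  n  -  -  smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
EOF
    grep -v 'content_filter=$' "$1/master.cf" >"$1/master-broken.cf"
}

dir=$(mktemp -d)
write_samples "$dir"
check_amavis_loop "$dir/main.cf" "$dir/master.cf"                  # OK
check_amavis_loop "$dir/main.cf" "$dir/master-broken.cf" || true   # FAIL: ... content_filter= ...
rm -rf "$dir"
```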

niels / Software / #email

Plesk with Clamav

Written while using Debian 3.1 (sarge) and Plesk 7.5.

Clamav

Install the Debian packages clamav, clamav-daemon and clamav-freshclam.

plesk:~# apt-get install clamav clamav-daemon clamav-freshclam

Download and extract qsheff and ripmime tar balls.

plesk:~# cd /usr/local/src/
plesk:/usr/local/src# wget http://www.enderunix.org/qsheff/qsheff-1.0-r3.tar.gz
plesk:/usr/local/src# wget http://www.pldaniels.com/ripmime/ripmime-1.4.0.5.tar.gz
plesk:/usr/local/src# tar zxvf qsheff-1.0-r3.tar.gz
plesk:/usr/local/src# tar zxvf ripmime-1.4.0.5.tar.gz

Building and installing ripmime is straightforward:

plesk:/usr/local/src# cd ripmime-1.4.0.5
plesk:/usr/local/src/ripmime-1.4.0.5# make

plesk:/usr/local/src/ripmime-1.4.0.5# make install

Ripmime will now be installed in /usr/local/bin; an appropriate place, and right where qsheff expects it.

Now build and install qsheff:

plesk:/usr/local/src# cd qsheff-1.0-r3
plesk:/usr/local/src/qsheff-1.0-r3# ./configure
plesk:/usr/local/src/qsheff-1.0-r3# make
plesk:/usr/local/src/qsheff-1.0-r3# /etc/init.d/qmail stop
plesk:/usr/local/src/qsheff-1.0-r3# make install

Now, before starting qmail, we have to fix the clamav path in the qsheff config file. Open /usr/local/etc/qsheff/qsheff.conf and change

VIRUS_PROG = "/usr/local/bin/clamdscan --quiet"

to

VIRUS_PROG = "/usr/bin/clamdscan --quiet"

You will probably want to change

enable_blackhole = 0;

to

enable_blackhole = 1;

as well.

Continue the installation:

plesk:/usr/local/src/qsheff-1.0-r3# /usr/local/etc/qsheff/install-wrapper.sh
plesk:/usr/local/src/qsheff-1.0-r3# /etc/init.d/qmail start

And everything should be working!

Spamassassin

If you, like me, want to use the Debian provided spamassassin instead of the Plesk one, there are a few extra steps.

First make sure you remove the plesk spamassassin using plesk.

Then install the Debian version:

plesk:~# apt-get install spamassassin spamc pyzor razor dcc-client

Initialize pyzor and razor:

plesk:~# pyzor discover
plesk:~# razor-admin -create
plesk:~# razor-admin -register

If registering razor fails, simply try it again.

Enable pyzor, razor and the dcc-client in /etc/spamassassin/local.cf:

pyzor_path /usr/bin/pyzor
pyzor_max 2
add_header all Pyzor _PYZOR_
score PYZOR_CHECK 5.00
use_pyzor 1
use_razor2 1
add_header all DCC _DCCB_: _DCCR_
dcc_path /usr/bin/dccproc
use_dcc 1

And restart spamassassin:

/etc/init.d/spamassassin restart

To run mail through spamassassin before it reaches the qsheff installation above, replace /var/qmail/bin/qmail-queue with a little shell script:

plesk:~# cd /var/qmail/bin/
plesk:/var/qmail/bin# rm qmail-queue
plesk:/var/qmail/bin# vi qmail-queue

Insert the following code:

#!/bin/sh
# qmail-queue replacement: run the message (fd 0) through spamc, then hand the
# tagged copy to qsheff. Only spamc's stdout is redirected, so qmail-qsheff still
# inherits the envelope on fd 1 exactly as qmail-queue would.

/usr/bin/spamc | /var/qmail/bin/qmail-qsheff

Save the file, make it executable and restart qmail:

plesk:/var/qmail/bin# chmod +x qmail-queue
plesk:/var/qmail/bin# /etc/init.d/qmail restart

Notes

If /var/log/qsheff.log contains errors like

ERR, error=QUEUE, hint=chdir_workdir,open_mesg

you’ve probably set the clamav path wrong.


niels / Software / #voip

Bristuff 0.3.0-PRE-1d

As bristuff still seems to be the most popular way to use HFC Cologne based ISDN cards, I've patched Asterisk with the latest bristuff patches from Junghanns. Updated packages for Debian Sarge can be found at their usual location.

Add the following line to your /etc/apt/sources.list:

deb http://debian.peen.net asterisk/

niels / Software / #linux

enlightenment?

Inspired by David’s urge to maximize eye candy on his newly installed Linux machine and old memories of a cutting edge Enlightenment DR16 I decided to check out its latest version.

Although still beta, the latest version is called E17. It's a complete rewrite and has been in development for quite some time now. Based on Shadoi's i386 repository I built some amd64 packages for Debian unstable. Building and installing Shadoi's packages went very smoothly.

E17 has been running for a mere 12 hours now, but so far it feels quite stable. The file manager wasn't included in the packages and the media player feels a little basic, but as a window manager and basic desktop environment I might actually decide to stick with it. I won't throw screenshots and a lengthy description of the eye candy at you; there are many out there already and it's a much better idea to just try it yourself anyway 🙂

For those who fear destroying their beloved setup there is a live-cd available with both version 16.8 and 17 called elivecd.


niels / Hardware / #voip

Unlocking Pilmo Voicefinder

A while ago I posted a small HOWTO on how to use Pilmo and the Pilmo Voicefinder with Asterisk. In response to that I got some requests on how to unlock the Voicefinder. Although there is no need to unlock it when using my instructions, here’s how:

Download an original Addpac firmware from http://www.addpac.com/addpac_eng/customer.html

Just type AP200 in the download box and you’ll get a list of available firmwares.

  • Connect the voicefinder using a DTE serial cable.
  • When the system boots press Ctrl-C and Ctrl-X alternately until you see BOOT_login:
  • Login as guest using password guest.
  • Set a new password for the root user using the password command: password newpw newpw
  • Do a show interfaces.
  • Configure your PC to be in the same IP range (or reconfigure the voicefinder IP).
  • FTP to the voicefinder IP address and upload the downloaded firmware. (Login using root and the newly set password.)
  • When the upload is complete the Voicefinder will report the version of the firmware you uploaded and start writing it to flash.
  • Once writing and verifying is completed type reboot.

The voicefinder will reboot using the newly uploaded original firmware. It will ask your DHCP server for an IP address. Go there with your favorite web browser and behold.. a full Addpac webinterface 🙂


niels / Software /

Personal Livestream

Two weeks ago XS4ALL introduced 'Personal Livestream', allowing their customers to share their own audio/video stream with an unlimited number of viewers within XS4ALL and a handful on the rest of the Internet. Sounds good?

Unfortunately their website tells you the service will only work with Windows, as the service requires Windows Media Encoder. Sounds bad!

Fortunately it's easy to prove them wrong using vlc:

vlc input_stream --sout '#transcode{vcodec=DIV3,vb=256,scale=1,acodec=mp3,ab=32,channels=2}:std{access=mmsh,mux=asfh,url=:7007}'

Replace input_stream with your favorite audio/video files or devices, register your stream with XS4ALL and enjoy!


niels / Software / #voip

Pilmo and Asterisk

The last few years I’ve been using Pilmo as my voip provider and am quite pleased with it. The good thing about them is that they supply me with a regular Dutch phone number including a normal area code and not some weird number in one of the dedicated voip number ranges. The bad thing about them is that prices at other providers have been dropping and they are slow to follow.

What I wanted was to keep Pilmo for my incoming calls and use other providers for my outgoing calls. Unfortunately the ATA they supply is more or less locked. I decided to install Asterisk and tweak its config to proxy between their ATA and the Pilmo servers. I can now receive calls on my Pilmo phone number and call everyone I know, even abroad, for free using an IAX channel to voipbuster.com.

I posted my config to: voip-info.org


niels / Blog / #vpn

Super Freeswan and Windows XP

Wanting to throw out WPA for several reasons, I switched to IPsec for my wireless network, which includes a Windows XP machine.
This is just a quick reference for myself so I don’t have to figure it out all over again when I add a Windows machine to the network.

On the Freeswan box

  • Edit openssl config to increase number of bits and expiry time.
  • Use CA.sh to create a root certificate. (by default in ./demoCA)
  • Lower expiry time back down a bit in openssl config.
  • Create a new client (and also one for the server) certificate: CA.sh -newreq (use a pass phrase)
  • Sign this certificate: CA.sh -sign
  • Rename newcert.pem to something client specific (clientcert.pem in this example). (You might also want to keep newreq.pem..)
  • Create a PKCS12 file for Windows: openssl pkcs12 -export -in clientcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -out client.p12
  • Extract the subject, you’ll need it for ipsec.conf: openssl x509 -in clientcert.pem -inform pem -noout -subject

Put stuff in ipsec.conf:

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=control
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keylife=70m
    keyingtries=3
    disablearrivalcheck=no
    authby=rsasig
    ike=aes-md5,aes-sha,3des-md5,3des-sha
    esp=aes128-md5,aes128-sha1,3des-md5,3des-sha1
    dpddelay=120
    dpdtimeout=370
    dpdaction=clear
    compress=yes
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn client
    right=192.168.1.12
    rightid="C=NL, ST=NH, L=PURMEREND, O=NiElS, OU=CLIENT, CN=Niels Peen, E=ni[email protected]"
    rightca="/C=NL/ST=NH/L=PURMEREND/O=NiElS/CN=Niels Peen/[email protected]"
    left=192.168.1.9
    leftsubnet=0.0.0.0/0
    leftcert=/etc/ipsec.d/certs/servercert.pem
    leftca=%same
    pfs=yes

You will notice that in the rightid subject the emailAddress attribute has been replaced with E.
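As an added helper that is not part of the original post, this sh function turns the subject line printed by the openssl x509 -subject step into the comma-separated rightid= string FreeS/WAN expects, applying the emailAddress to E rename noted above. It goes a little beyond the post by also accepting the "C = NL, ST = NH" print style of newer openssl releases; the sample subject is constructed.

```shell
#!/bin/sh
# Convert "openssl x509 -noout -subject" output into a FreeS/WAN rightid= value.
# The post uses the slash form for rightca= and the comma form for rightid=;
# FreeS/WAN accepts either, but the emailAddress attribute must be written as E.

# $1 = one subject line, either "subject= /C=NL/ST=NH/..." (openssl 0.9.x, as in the
# post) or "subject=C = NL, ST = NH, ..." (later releases; added here for convenience).
subject_to_rightid() {
    s=${1#subject=}                              # drop the "subject=" prefix
    s=${s# }                                     # and the blank 0.9.x puts after it
    case $s in
        /*) s=$(printf '%s' "${s#/}" | sed 's#/#, #g') ;;   # slash separated attributes
        *)  s=$(printf '%s' "$s" | sed 's/ *= */=/g') ;;     # "C = NL" -> "C=NL"
    esac
    printf '%s\n' "$s" | sed 's/emailAddress=/E=/g'
}

# Read the subject straight from a PEM certificate (needs openssl on PATH).
cert_rightid() {                                 # $1 = certificate file
    subject_to_rightid "$(openssl x509 -in "$1" -noout -subject)"
}

# Constructed sample in the 0.9.x style, mirroring the fields of the post's conn client.
SAMPLE_SUBJECT='subject= /C=NL/ST=NH/L=PURMEREND/O=NiElS/OU=CLIENT/CN=Niels Peen/emailAddress=client@example.net'
subject_to_rightid "$SAMPLE_SUBJECT"
# C=NL, ST=NH, L=PURMEREND, O=NiElS, OU=CLIENT, CN=Niels Peen, E=client@example.net
```

Attribute values that themselves contain a slash or a comma would need quoting that this simple sed pass does not attempt.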

On the Windows box

  • (Win)SCP the P12 file to the Windows machine.
  • Start “MMC”
  • You begin with an empty console. Now add some plugins: (names may vary as I translate them from the Dutch Windows version)
  • Certificates -> Computer Account -> Local machine
  • Certificates -> User Account
  • IP Security Monitor
  • IP Policy Management -> This Computer

You now have a useful MMC profile. Save it.

  • Go to Certificates (Local machine), right click -> All tasks -> Import
  • Now import the P12 file, it will ask you for the password. Turn on the exportable option and set the archive to “automatic”. Your certificate should now be imported.
  • Now we’ll create a security policy.
  • Give it a name, like “ipsec all traffic”.
  • Disable the default rule and the properties dialog pop-up.

We now have a rules Window.

  • Disable the Wizard.

We’ll be adding two rules. One for client to server and one for server to client.
I'll describe one procedure. The differences are only the Source and Destination address and the Tunnel endpoint. This will make sense once you run into them 🙂

  • Add a rule. (assuming client to server).
  • In filter tab, add a filter.
  • Disable wizard.
  • Name it “client to server”.
  • Hit “add”.
  • Set Source to “My address”, set Destination to “Any address” and disable mirroring.
  • In the description type “client to server”, and close the filter properties dialog and the rule properties dialog. Select the just made filter.
  • Go to filter action tab. Disable Wizard and hit “Add”. We only do this one once, you can use it in both the “client to server” and the “server to client” rules.
  • Select “Negotiate” and hit Add.
  • Select “Custom” and configure it for SHA1, 3DES. Turn off AH. Turn on the session key settings. Defaults are fine. Close dialogs until we’re back in filter properties. Turn off non-secure traffic and enable PFS.
  • In the general tab, name this “ipsec crypto”. Close dialog.
  • Back in the filter action tab select the just made “ipsec crypto”.
  • Go to verification methods. Add one using our imported certificate. Remove kerberos.
  • Set type of connection to “All”.
  • Set tunnel endpoint to the server's address.

Now do the same for a server to client rule.
Back in first dialog, go to the common tab and enable PFS using the Advanced button.

Back in MMC enable the ipsec all traffic policy. Encryption should now take place!


niels / Blog /

Resume

Link to outdated resume has been removed.

Since I had to dig up my resume anyway, I’ve put it [online].


niels / Blog / #email

E-mail replies

Outdated links to lists removed.

Not getting reply to your email? Make sure to check my [blacklist] and [ignorelist].