Deploy Secure Messaging Solution using Sendmail & Dovecot Servers with
ClamAV
Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org
April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
1.0 Introduction
Over the last decade, the popularity of domain hosting has increased exponentially for companies of
all sizes. All these domains need to be hosted somewhere, but corporate-level hosting of Web sites and
mail domains can be exorbitantly expensive for start-ups and small to medium-sized businesses.
With the growth of the Internet, e-mail has also quickly become the main vehicle for spreading information
among corporate users and the public at large. As the demand for fast, cheap and reliable e-mail grows,
more individuals and businesses, large and small, are turning to open source Linux to provide a fast, cheap
and reliable solution. Sendmail is at the forefront of this cool messaging technology, and it can be
easily scaled up. One of the best solutions is virtual hosting, which allows multiple domains to be
housed on a single server or server cluster. This is a valuable strategy both for a large company with the
hardware and bandwidth to host hundreds of domains and for a small business with a mere two domains that
wants to control its hosting solution with ease. In this Hands-on Lab session, we’ll take a look at how to
configure Sendmail to work on a single machine, in a way that can also be scaled up to handle more than one
domain. We will also need to lock it down from a security point of view. We’ll also give our users the
ability to access their email using the RoundCube Webmail client via the Dovecot POP/IMAP server.
Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer
and -delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over
the Internet. It’s currently the most popular mail transfer agent (MTA) on the Internet. Its popularity is due
in part to its position as the standard MTA under most variants of the Linux/Unix-like operating systems.
Sendmail was originally developed by Eric Allman, in 1979, as "delivermail", which first shipped with
BSD 4.0. This program was not very flexible and required configuration at compile time. With the growth of
the TCP protocol and other factors, it became obvious that delivermail was not flexible enough to handle
these new demands. Eric Allman had to recreate Sendmail from scratch, and what he produced has
become the standard for MTAs. Rather than rejecting messages that do not conform to protocols, sendmail
is designed to be tolerant of them. For those who have never configured an e-mail
server, this hands-on manual will demonstrate how to configure sendmail 8.13.8 after a fresh install of
CentOS5.
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with
security in mind. Apple Inc. includes Dovecot for email services in Mac OS X 10.6 Snow Leopard Server.
Developed by Timo Sirainen, Dovecot was first released in July 2002. Dovecot primarily aims to be a
lightweight, fast and easy to set up open source messaging server. It can work with standard mbox,
Maildir, and its own experimental native high-performance dbox formats. It is fully compatible with the UW
IMAP and Courier IMAP servers’ implementations of these formats, as well as with mail clients accessing the
mailboxes directly.
Dovecot also includes a Mail Delivery Agent (called Local Delivery Agent in Dovecot’s documentation), with
optional Sieve filtering support. It also supports a variety of authentication schemes for IMAP and POP
access, including CRAM-MD5 and the more secure DIGEST-MD5. Its Mail Delivery Agent is simple and
easy to install. In this HowTo guide and lab session, we’ll explain how to set it up as an IMAP or POP3
server. For alternative IMAP/POP3 servers, see Courier or Cyrus.
We also need to lock down our Sendmail server to secure it against cyber-criminals and
malware. For this we’ll use Clamd, which comes integrated with ClamAV and Clamav-db and fits the
bill for our task. It’s a multi-threaded daemon that uses libclamav to scan files for viruses. The daemon
listens for incoming connections on a Unix and/or TCP socket and scans files or directories on demand for
viruses. The daemon is fully configurable via the clamd.conf file, which it reads from
/etc/clamd.conf.
Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for
e-mail scanning on mail gateways. It provides a number of utilities, including a flexible and scalable
multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. The core
of the package is an anti-virus engine available in the form of a shared library.
MailScanner is an open source free anti-virus and anti-spam filter protecting over 5 billion e-mails every
week, for many millions of users. MailScanner is an email virus scanner, vulnerability protector, and spam
tagger. It supports the Postfix, Sendmail, Exim, Qmail, and ZMailer MTAs, and the Sophos, McAfee,
F-Prot, F-Secure, CommandAV, InoculateIT, Inoculan, eTrust, Kaspersky, Nod32, AntiVir, BitDefender,
RAV, Panda, DrWeb, ClamAV, and other anti-virus scanners.
SquirrelMail is a web-based email application started by Nathan and Luke Ehresman and written in the
PHP scripting language. It can be installed on almost all web servers as long as PHP is present and the
web server has access to an IMAP and SMTP server. SquirrelMail outputs valid HTML 4.0 for its
presentation, making it compatible with a majority of current web browsers. SquirrelMail uses a plug-in
architecture to accommodate additional features around the core application, and over 200 plug-ins are
available on the SquirrelMail website. Licensed under the GNU General Public License, SquirrelMail is free
software. It is currently available in over 50 languages. SquirrelMail is included in many major GNU/Linux
distributions and is independently downloaded by tens of thousands of people every month.
Solution
In this Hands-on Lab session, you’ll learn how to set up a virtual network on VMware (you may also use any
other virtual machine software, such as MS VirtualPC, Linux Xen, or VirtualBox from Sun). In this lab
session, we’ll concentrate on installing the Sendmail server with the Dovecot server and the SquirrelMail
webmail client on a clean install of Linux CentOS5 Server. You will learn how to install and configure
Webmin to help with configuring the DNS server. I’ll also show you how to set a static IP address, which is
required for successfully deploying DNS and messaging servers. Finally, we’ll go through a step-by-step
process to install the Sendmail messaging server, the Dovecot POP/IMAP server and the SquirrelMail Webmail
client. You’ll also have an
opportunity to do some hands-on lab assignments at the end of the lab session. Upon completion of the
hands-on labs you’ll have gained the competency and capability to plan, design, implement
and deploy an enterprise-grade messaging solution using Sendmail.
Assumptions
It’s assumed that you have a good understanding of the Linux operating system and its working environment.
It’s also assumed that you know how to install and configure Linux CentOS5; if not, go ahead and pop over
to scribd.com and check out a good HowTo entitled “Install Configure and Upgrade Linux CentOS5 Server
v1.1” to get you started.
Other related articles that you may need for this Hands-on Lab session:
5. The system will now install and will require CDs 1-6.
6. Once the system reboots, disable the firewall and SELinux.
7. Make sure your /etc/hosts file has the line:
IP address and FQDN hostname (i.e. 192.168.83.21 linuxc.monstserv.com linuxc).
8. Reboot the system (for changes to take effect).
9. Then run yum update to make sure your system is fully up to date.
10. Reboot the system.
11. OS server installation complete and ready for DNS, Sendmail and Dovecot servers’ installation.
2. Webmin is the most powerful administration tool of its kind. We will use it to set up our DNS, but I
will not go over it in detail because we already know how to use other administrative tools. It is not
difficult to use because it is web based; in any event, you should know that you can use it remotely to
administer the system. Check out a great HowTo by the same author on Docstoc.com for the
detailed DNS server setup using Webmin. In that HowTo you can see how to use Webmin to set up
a DNS server and mail, www and ftp servers on Linux CentOS5.
3. While here also note our hostname: linuxc.monstserv.com
4. Other servers are:
mail.monstserv.com
www.monstserv.com
ftp.monstserv.com
5. Check out /etc/hosts to ensure that you have a correct setup, in our case, it’s as follows:
6. To ensure that your DNS server is installed and configured correctly, perform the following test using
the dig and nslookup commands:
;; QUESTION SECTION:
;linuxc.monstserv.com. IN A
;; ANSWER SECTION:
linuxc.monstserv.com. 38400 IN A 192.168.83.21
;; AUTHORITY SECTION:
monstserv.com. 38400 IN NS linuxc.monstserv.com.
Name: linuxc.monstserv.com
Address: 192.168.83.21
7. We’re good and ready to move on to Part 3, Install and configure Sendmail server.
2. It is also important that your administrator put a reverse DNS entry in place to prevent delays in mail
delivery. Most modern e-mail servers use reverse lookup as a means of authentication for mail transfer.
Again, confirm this setting is correct using the nslookup command on your IP address.
3. As you can see, the DNS entries are set up and working correctly, so let's move on to actually
configuring sendmail. By default, sendmail installations on CentOS5 will only allow SMTP traffic on the
localhost. The output of netstat -nl will show you all ports that have a dæmon listening; note
the line that says 127.0.0.1:25. This means the server is only listening on the loopback interface
for connections on port 25 (SMTP).
2. If you get a blank result, then Sendmail is not installed. The best way to get Sendmail is to compile it
from source. However, I have found that the RPM files obtained via Yum (if you use
CentOS4/RHEL4 and later, or Fedora Core 8 and later) or via Yast with OpenSuse 11.1 contain all the
required files. To install all Sendmail files with CentOS5, do the following:
2. The two most basic steps in configuring a Sendmail server are to modify this file to enable Sendmail
to listen on the NIC interface and to make Sendmail accept mail from valid web domains.
3. It is also a good idea to check the interfaces on which Sendmail is listening with the "netstat"
command. Sendmail listens on TCP port 25, so we use "netstat" and "grep" for "25" to see a
default configuration listening only on IP address 127.0.0.1 (loopback).
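The listener check described in the netstat steps above, as an added example that is not part of the original document: two shell functions read netstat -nl output and report whether anything is bound to exactly port 25 and whether that binding is loopback-only. Matching on the port field avoids the false hits that a bare grep for "25" produces on ports such as 2525; the function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: the sample netstat output below is constructed, not captured.

# Print the local address of every TCP socket listening on exactly port 25.
# Reads `netstat -nl` output on stdin.
smtp_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, part, ":")      # the port is the last ":"-separated piece
        if (part[n] == "25") { print substr($4, 1, length($4) - 3) }
    }'
}

# Classify stdin as one of: not-listening, loopback-only, network.
smtp_exposure() {
    listeners=$(smtp_listeners)
    [ -n "$listeners" ] || { echo "not-listening"; return 0; }
    # Any bind address other than 127.x.x.x or ::1 is reachable from the network.
    if printf '%s\n' "$listeners" | grep -Eqv '^(127\.|::1$)'; then
        echo "network"
    else
        echo "loopback-only"
    fi
}

# Constructed sample: default install, plus an unrelated listener on port 2525.
SAMPLE_DEFAULT='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:2525     0.0.0.0:*        LISTEN
tcp        0      0 :::22            :::*             LISTEN
udp        0      0 0.0.0.0:68       0.0.0.0:*'

# Constructed sample: Sendmail reconfigured to listen on all IPv4 interfaces.
SAMPLE_OPEN='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:25       0.0.0.0:*        LISTEN'

printf 'default: %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | smtp_exposure)"
printf 'open:    %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | smtp_exposure)"
```

On a live host, pipe the real command into the function: netstat -nl | smtp_exposure.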
The full document has moved to Docstoc.com. You may download it from here:
http://www.docstoc.com/docs/30208011/?key=OTFmNTYwMTIt&pass=MzlmOS00MTll
-----------------------------------------------
Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in
several fields of Science & Technology, IT Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance
your educational and career goals using the latest innovations and technologies.