Scalix and SpamAssassin/Amavisd-new HOWTO

STrRedWolf
Posts: 13
Joined: Wed Aug 10, 2005 5:31 pm

Postby STrRedWolf » Sat Sep 03, 2005 3:16 pm

I've now gotten a fairly working setup for Scalix Community and SpamAssassin -- complicated, though, but it is working. Here's a mini-Howto on how to do it.

You need:
  • Scalix (duh)
  • Postfix (don't remove Sendmail!) -- I'm using Postfix for two reasons: It's easier to configure than Sendmail and Amavisd-new integrates nicely with it. Get a 2.2.x version.
  • Amavisd-new
  • SpamAssassin

Make sure those are installed, but don't run Postfix, Amavisd-new, nor SpamAssassin yet.

1. Make Scalix listen on an alternate port: In /var/opt/scalix/sys/smtpd.cfg, add the line:

Code:

LISTEN_PORT=10027

If you have Scalix Web Access (webmail) installed: Edit /etc/opt/scalix/webmail/partner.xml and append :10027 to the smtpServer= line, and then restart Tomcat.

Restart Scalix's SMTP relay (omsmtpd), or the whole thing if you're lazy.

2. Make Sendmail only listen to localhost:25. Edit /etc/mail/sendmail.cf and make sure this is the only DaemonPortOptions line there:

Code:

O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

Restart Sendmail, and wash your hands of that config file. We've now made room for Postfix.

3. Configure Amavisd-new and SpamAssassin. The default Amavisd-new configuration is good if you already have an antivirus checker setup, but for me, I edited /etc/amavisd.conf and disabled it since I don't have any installed. The default SpamAssassin config works fairly well.

Either way, once done, start Amavisd-new up.

4. Configure Postfix for Amavisd-new. First, you need to edit /etc/postfix/master.cf. You need to tweak an smtpd line, and add a few more:

Code:

smtp      inet  n       -       n       -       -       smtpd
        -o content_filter=smtp-amavis:[127.0.0.1]:10024
smtp-amavis unix -      -       n       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes
        -o smtp_send_xforward_command=yes
        -o max_use=20
127.0.0.1:10025   inet  n       -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0   
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Then edit /etc/postfix/main.cf. You need to tweak inet_interfaces so that Postfix only runs on any interface *BUT* localhost (or else it'll complain and nothing will get through). You also have to blank out local_recipient_maps so it doesn't bounce anything managed by Scalix:

Code:

local_recipient_maps =

One last line to add, which will tell Postfix to forward all good mail to Scalix:

Code:

transport_maps = hash:/etc/postfix/transport


If you're carrying more than one domain, you'll have to tweak other settings too, but if you're using Scalix for just one, save it, you're done in here.

And finally, edit /etc/postfix/transport and add one line:

Code:

yourdomain.com        smtp:[ youriphere ]:10027

Save it, run postmap on it, and start Postfix up.

5. Test it! It took me a few tries to make things work -- the end result is this HOWTO. Test it out. If it works, all you need to do is make sure things start up on boot.

Now why did I keep Sendmail? I basically wasn't sure how Scalix interfaced with Sendmail. To be on the safe side, Sendmail handles outgoing, Postfix handles incoming, and Scalix gets clean mail.
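A check a practitioner may want after step 5, as an added example that is not part of the original post: the filter only protects Scalix if the ports behind it (10024 Amavisd-new, 10025 Postfix re-injection, 10027 Scalix relay) are not reachable from other hosts, because mail arriving on them directly has not been scanned. The script assumes `ss -ltn` style output; the sample listing and the 192.0.2.10 address are constructed.

```shell
#!/bin/sh
# Ports that sit behind the content filter in the HOWTO above.
FILTER_PORTS="10024 10025 10027"

# check_listeners: read `ss -ltn` style output on stdin and print one
# "EXPOSED <addr> <port>" line for each filter-path port bound to anything
# other than loopback. Prints nothing when all of them are loopback-only.
check_listeners() {
    awk -v ports="$FILTER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            local_ep = $4                                # Local Address:Port column
            port = local_ep; sub(/.*:/, "", port)        # text after the last colon
            addr = local_ep; sub(/:[^:]*$/, "", addr)    # text before the last colon
            gsub(/\[|\]/, "", addr)                      # [::1] -> ::1
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "::1") next   # loopback-only is fine
            print "EXPOSED", addr, port
        }'
}

# Constructed sample: Postfix on the public IP, Sendmail on localhost:25,
# Amavisd-new and the re-injection listener on loopback, and the Scalix
# relay bound to every interface.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    192.0.2.10:25      0.0.0.0:*
LISTEN 0      10     127.0.0.1:25       0.0.0.0:*
LISTEN 0      100    127.0.0.1:10024    0.0.0.0:*
LISTEN 0      100    127.0.0.1:10025    0.0.0.0:*
LISTEN 0      128    0.0.0.0:10027      0.0.0.0:*
EOF
}

# On a live host run:  ss -ltn | check_listeners
sample_ss | check_listeners
```

If the Scalix relay has to stay on the host's own IP because the transport map points there, an EXPOSED line for 10027 means a packet-filter rule should restrict that port to the local Postfix.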

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Sat Sep 03, 2005 6:16 pm

That's great information. Thanks for documenting it.

The one thing that I (personally) have seen as a difference between Postfix and Sendmail is that Postfix seems to work at a domain level for mailer determination.

With sendmail, the rules that Scalix adds allow mail to be sent to Scalix only if there is an address match with an entry in the SYSTEM directory. This reinforces the fact that Scalix doesn't have any concept of domain ownership. It also means that you can use the Scalix server as an incoming (external facing) gateway and have mail destined for the same domain being routed to different servers.

If there is a way to do this with Postfix, I'd be interested in the results.

Cheers

Dave

steveday

Postfix->clamav->scalix

Postby steveday » Tue Sep 13, 2005 1:21 pm

Thank you for your directions. However I am getting connection refused when I look at the postfix queue. If I try and telnet localhost on 10027 I also get connection refused. Please can you offer any insight.

steveday

Postfix->clamav->scalix

Postby steveday » Tue Sep 13, 2005 1:24 pm

Now I have got myself terribly confused. I am not using sendmail at all, only postfix.


Cheers

Steve

ET2005

Postby ET2005 » Fri Dec 30, 2005 1:57 pm

I tried the How to steps above but got failure right at step 2 when trying to restart sendmail.

I am running Suse 9.3 pro.

Here are the steps to reproduce:
1.

Code:

/etc/init.d/postfix stop
to make sure that postfix is not running.
2.

Code:

/etc/init.d/sendmail restart
to restart sendmail.

Observe:
Initializing SMTP port (sendmail)
postfix: fatal: the postfix command must not run as a set-uid process

Any clue on how to work around this issue?

Thanks
ET

ET2005

Postby ET2005 » Sun Jan 01, 2006 3:45 pm

I found the problem.
Both postfix and sendmail install the binary sendmail in /usr/sbin, therefore if postfix is installed after sendmail then the sendmail binary got overwritten by the postfix installation.

Using both postfix and sendmail with Suse 9.3 is not a good scenario, although possible.

I will post a How to when I have a working configuration.

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Mon Jan 02, 2006 1:29 pm

Actually, I believe when trying to install postfix or sendmail using SuSE's YaST, the tool will mention a conflict between the packages, so I would assume that SUSE does not officially support having both MTAs installed.

The problem reported was probably a result of this! ;-)

Cheers and great work sorting this out anyway,
Florian.
Florian von Kurnatowski, Die Harder!

ET2005

Postby ET2005 » Mon Jan 02, 2006 3:29 pm

Suse did mention the conflict between postfix and sendmail but I went ahead and forced the installation anyway.

Whatever you do, make sure that you back up the different flavor of sendmail for each package before forcing a conflicting package on top. For example:

1. Install postfix first
2. cp /usr/sbin/sendmail /usr/sbin/sendmail.postfix
3. Install sendmail (and tell YaST to ignore conflict and accept potential inconsistencies)
4. cp /usr/sbin/sendmail /usr/sbin/sendmail.sendmail

... anyway I got a working configuration with Scalix/Sendmail/Postfix working, using the original idea of the HOWTO in this topic.

Incoming mail:

192.168.x.x:25->---Postfix--->-127.0.0.1:25-->--Sendmail--Scalix

Outgoing mail:

Scalix-->Sendmail-->192.168.x.x:25--->Postfix--->192.168.x.x:25

In a few days, I will be implementing SMTPD AUTH, Antispam rules, Amavis, ClamAV, Outgoing routing, SMTP AUTH for outbound to see whether it's a workable scenario.
If all goes well I will be able to replace cyrus by Scalix and have scheduling on the desktop side (Outlook of course).
Scalix Web Access is great but the pop-up scheme for login is a turn-off.

ET

florian

Postby florian » Tue Jan 03, 2006 3:59 am

Few things

1. (as a general remark) - When using SuSE, best experience for stability has always been to do things "the SuSE way". I'm old-school Unix (Sys V.2), so this is hard for me (I prefer RedHat mostly for this very reason), therefore "forcing" YaST into doing things (and actually breaking RPM database logic by taking away registered file) is usually not the most preferred way.

2. Why do you need sendmail on the box anyway? I mean - yes, I do know that we don't support Scalix as either incoming or outgoing MTA, but at the same time I do know it works, most certainly by looking at other posts on this forum.

I read this
Now why did I keep Sendmail? I basically wasn't sure how Scalix interfaced with Sendmail. To be on the safe side, Sendmail handles outgoing, Postfix handles incoming, and Scalix gets clean mail.


Now, again, I don't want to push you guys to unsupported configurations (well, actually, all this is unsupp'd anyway!), but there is one situation that you currently can't handle easily with Postfix instead of sendmail; Scalix uses a lookup-based approach in handling incoming SMTP email addresses. That means that, independent of its domain, email for a certain recipient is routed into scalix based on the existence of the email address in the directory. In that sense, Scalix does not "own" a domain; this makes it easy in coexistence situations to do things such as.... for address@mydomain.com, let the scalix server check if it knows the address, otherwise forward (via mailertable and sendmail) to another server ALSO responsible for @mydomain.com. For mail coming in through the Scalix SMTP relay listening on port 25, this happens in the relay; for mail coming in through sendmail - for whatever reason, we modify the sendmail configuration with a programmatic mapper called "ommapsmtp" (check sendmail.cf for details) that does the lookup. Postfix does not know about programmatic mappers by default for such purpose (though it's more flexible for mapping things than sendmail), so all known-to-work Postfix setups with Scalix rely on "domain ownership", i.e. all mail destined for certain local domain(s) are simply forwarded into Scalix. Needless to say, for most situations this is completely acceptable.

So, bottom line is - by all means do remove sendmail and make this a clean postfix box, unless you find something else - in case you do, let us know! :-)

3. (unrelated) - SWA and the "pop-up thing"; for many reasons of architecture as an AJAX-type application - the most important being security - SWA needs its own window (that is because in JavaScript, the single thread of code execution is bound to the browser window it's living in). As the non-popup-type SWA login window could have been linked to by someone else, this one could also be controlled by something different (including some malicious stuff trying to live in the same JS "address space" as we are and controlling our app); this is not good enough for us, therefore we do the Popup thing. I believe, and that's really an AFAIK, we could do something with frames, but it all becomes more ugly and cumbersome. As good browsers support pretty selective popup-blocking, we believe allowing your webmail server these popups is probably acceptable given the background of all this - if you don't think so, please tell us why.

It might help that, in the next major release of Scalix coming up very soon, we've at least made the visuals more elegant. The login screen, after successful login which was kept open in the past and confused some users, will be replaced by a "Login successful" box with a "Return-to-login" "link" and the popup. We looked at closing the login frame/window, but that wasn't simply possible for some browser types.

Hope this helps, cheers,
Florian.
Florian von Kurnatowski, Die Harder!

ET2005

Postby ET2005 » Wed Jan 04, 2006 2:35 pm

You are right in terms of overriding YaST.

Maybe I am missing something but... can Scalix live without sendmail?

Visibly Scalix implements its own smtp for receiving mail so I can always tell Postfix to deliver mail there instead of getting the incoming to sendmail incoming port.

I don't need sendmail on the box.

My other issue is that I would also like to use postfix as outgoing smtp relay for Scalix.
How can I configure Scalix to by-pass sendmail and deliver its mail directly to postfix?

At this point I am running all in one server groupware system so I have to hack postfix in.
And I only have one server per domain address.

However I can see that for a large enterprise model what Scalix has makes sense.
In a large enterprise trying to fit postfix and Scalix on the same box would not make too much sense anyway.

Regarding the pop-up, I don't have a problem with the pop-ups per se.
The thing that is clumsy is that the login window does not go away after the pop up loads or after the pop up is closed. It will be elegant if you can find a way to make the login pop up go away on the browsers that support the closing.


ET

florian

Postby florian » Wed Jan 04, 2006 3:14 pm

Well... it's quite simple....

- Scalix HAS its own inbound SMTP listener for various reasons (performance, security by a very modular component with limited amounts of code, SMTP authentication against the Scalix directory).

- Scalix uses the system's standard MTA for outbound SMTP (the scalix smtp relay does not do outbound smtp at all); reason for this is the great queueing, dns resolution and address/header rewriting capabilities of standard outbound MTAs

- Scalix CAN use a standard MTA for inbound SMTP as well; for an example on this, check the document on spamassassin integration that can be found in our Support/Knowledgebase section.

- Scalix as of today only supports sendmail as an outbound (and eventually inbound standard MTA). However, as Postfix is largely compatible with sendmail, even down to providing a command line emulator file called sendmail, sendmail *can* in fact be replaced by Postfix - see this forum for some discussions on how this is to be done. Again, this is unsupported but known to work (with few limitations). We're constantly re-checking our platform support and officially supporting Scalix with Postfix in some future release is on the watchlist - however no commitments yet.

Therefore, if you feel comfortable with such a home-made environment (and it certainly is OK for small, esp. community edition deployments), feel free. Use the power of open systems architectures and enjoy. If you're a commercial customer, please just don't kill our support lines with it! :-)

For the popup stuff, I believe you'll like the improvements the new version is bringing; the window will still remain, maybe we can change this later.

-- Florian.
Florian von Kurnatowski, Die Harder!

Juan
Posts: 11
Joined: Fri Apr 14, 2006 6:43 pm

Postby Juan » Sun Apr 30, 2006 7:23 pm

Goodday,

Well, I have made postfix default and scalix is not accepting mail to 10027 as set up in smtp.cfg. Any ideas?

Juan

Postby Juan » Sun Apr 30, 2006 7:32 pm

Goodday,

I misconfigured smtpd.cfg to LISTEN 127.0.0.1:10027

So I changed /etc/postfix/transport

postconf -e "transport_maps = hash:/etc/postfix/transport"

postmap /etc/postfix/transport

but logs said connection refused!

Juan

Postby Juan » Sun Apr 30, 2006 7:43 pm

Goodday,

What is port 8006? Because if I route mail to it, it accepts but does not show on webmail...

treebeard

Postby treebeard » Tue Oct 24, 2006 5:50 am

Hello,

I've setup the CE raw beta 11 on a Debian box.
I installed postfix and not sendmail: since you can't install both sendmail and postfix with .deb packages.

It's probably right in front of me... but I'm missing something though.
Postfix listens on all interfaces to port 25,
omsmtpd listens on localhost:10025
Let's say that I use "mydomain" as domain for scalix users.

In /etc/postfix/transport I have a rule :
mydomain smtp:127.0.0.1:10025

All mails are delivered, whenever I send a mail to user@mydomain from a non-scalix client.
But when I use the Outlook connector or SAW, mails do not get delivered to user@mydomain, nor to an internet user...

cheers,
Steven

