Forget SpamAssassin, Use MailWasher with Scalix!

[Fracoon]

i have installed MailWasher following your instructions.....

But now, if i send an e-mail to the scalix server i get the following response :

Code: Select all

The original message was received at Fri, 28 Jul 2006 16:23:25 +0200
from localhost.localdomain [127.0.0.1]

  ----- The following addresses had permanent fatal errors -----
<admin@fseebach.de>
   (reason: 553 5.3.5 system config error)

  ----- Transcript of session follows -----
553 5.3.5 fseebach.de. config error: mail loops back to me (MX problem?)
554 5.3.5 Local configuration error


Final-Recipient: RFC822; admin@fseebach.de
Action: failed
Status: 5.3.5
Diagnostic-Code: SMTP; 553 5.3.5 system config error
Last-Attempt-Date: Fri, 28 Jul 2006 16:23:25 +0200


any idea how to fix this?

[jpreston]

Hey guys,

Sorry, I've been very busy at work these past few weeks.

RogerMaynard,

I'm not sure if it is possible to have MailWasher scan for keywords in the subject or body. I would assume that such a feature is POSSIBLE, but I am not completely aware of its current implementation. You may be better off contacting FireTrust directly, or even contributing back to the project by implementing such a feature.

Tahir,

To start, yes, you will need to modify your sendmail.cf file. That said, I HIGHLY advise against editing it directly. Instead, please follow the directions in the first post and use m4 to generate your sendmail.cf, all of the steps required are listed.

Fracoon,

I am curious to know why you are sending an e-mail to the Scalix server. Specifically, is it an external or internal sender? I've not run into this in any of my test cases, so I'm not entirely sure where the problem could lie. Perhaps giving me a more detailed description of the problem, along with all of the steps listed could help me reproduce your response. Typically the error you are describing is caused by a bad relay that is forcing mail loops. You may have to reconfigure Scalix and sendmail to ensure your relays are set up properly.

Thanks!

Joshua Preston.

[webdude12]

I am getting the same error.

The original message was received at Sat, 5 Aug 2006 17:47:10 -0700
from localhost [127.0.0.1]

----- The following addresses had permanent fatal errors -----
<aholloway@xxxxxx.org>
(reason: 553 5.3.5 system config error)

----- Transcript of session follows -----
553 5.3.5 209.188.15.230. config error: mail loops back to me (MX
problem?)
554 5.3.5 Local configuration error

This was sending an email from yahoo.com. I am trying to trouble shoot it now.

[jpreston]

Webdude12,

Can you post your /etc/mail/sendmail.mc, your /etc/mwserver.conf

Also, in the MailWasher system, could you please let me know if you are using any Realtime Black List Servers, if so, which ones?

Thanks!

Joshua Preston.

[webdude12]

Here they are....

Sendmail.mc

Code: Select all

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
INPUT_MAIL_FILTER(`mailwasher_server',    `S=unix:/var/run/mwserver/mpd.sock, F=T, T=S:4m;R:4m')
define(`confINPUT_MAIL_FILTERS', `mailwasher_server')


mwserver.conf

Code: Select all

home=/usr
database_environment=/var/lib/mwserver
mwi_hostname=
mwi_service=4044
document_root=/usr/share/mwserver/site


I havent enabled any of the real time blacklists yet, as I am still testing.

[florian]

Joshua,

great thread - would you mind uploading your How-To to www.scalix.com/wiki as well or creating a link? Please do it on the playgroup page first and I'll then later move it to the official How-To section.

Cheers, many thanks,
Florian.

[heffe2001]

Anybody out there know if the junkmail submission address works with Scalix or not? I tried it, and without adding a user for that address, it bounces back every time.

Tried it with a user added, and it doesn't bounce, but it doesn't enter the mail into the blocklist either.

[divisionbyzero]

Hello everyone,

Great how-to. I've managed to set up MailWasher painlessly on my Scalix 10 installation.

However, I'd like to know if it's really working. The server I set up is a new one with only a few email accounts yet so I really can't gauge how effective MailWasher is or if it's even working. I'm asking because I can't see MailWasher putting up a header on my outgoing emails.

Any reply would be appreciated. Thanks.
Matt

[RogerMaynard]

I've just started getting the following error message when I try to add to my Global Whitelist

cursor->c_pget returned -30976: DB_SECONDARY_BAD: Secondary index inconsistent with primary

I had a power failure on the machine and it looks like it has corrupted the database.

I know this is a Scalix forum but have searched without success so far for any clues.
Does anyone know how to repair (or clean) the database and remove the error?

Regards
Roger

[KKJensen]

BRAVO on a great howto! I hope this shows up in the wiki as it worked very well with minimal configuration and required very few additional packages to the FC5 install I did. I was expecting to lost a week to getting spamassassin (or something else) installed and MailWasher is up and configured in one afternoon!

[mhacleth]

I followed your instructions carefully, and voila! a shiny scalix+mailwasher system.
Many thanks to you, Joshua.
Uhmm... what do you have for antivirus scanner?

[jpreston]

webdude12,

I'm wondering if omsendin properly modified your sendmail.mc file. I would attempt re-running it and see if there is any possibilities that it did not modify it for the Scalix additions.

Try rerunning omsendin and restarting sendmail and Scalix.

Thanks!

Joshua Preston.

[jpreston]

mhacleth,

I currently use clam-av for virus protection. On a Fedora system, and this is from memory so it may be slightly off, I did the following:

First, I installed clam-av

Code: Select all

yum install clamav clamav-milter


I then configured clamav properly and updated it using freshclam. Basically followed the installation instructions ;-)

I also made it start on boot up.

Code: Select all

chkconfig --level 345 clamav-milter on


I prefer to do system changes like this in single user mode so when I bring the system back to multi user mode all changes take effect immediately.

Changes to /etc/mail/sendmail.mc (based on the MailWasher HOWTO)

Before ClamAV:

Code: Select all

INPUT_MAIL_FILTER(`mailwasher_server', `S=unix:/var/run/mwserver/mpd.sock, F=T, T=S:60s;R:60s')dnl
define(`confINPUT_MAIL_FILTERS', `mailwasher_server')dnl


After ClamAV:

Code: Select all

INPUT_MAIL_FILTER(`clamav',`S=unix:/var/run/clamav/clmilter.sock, F=T, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`mailwasher_server', `S=unix:/var/run/mwserver/mpd.sock, F=T, T=S:60s;R:60s')dnl
define(`confINPUT_MAIL_FILTERS', `mailwasher_server, clamav')dnl


compile changes:

Code: Select all

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf


then configure Scalix sendmail:

Code: Select all

omsendin


edit /etc/sysconfig/sendmail set the queue runner to a reasonably low value at least for debugging

Code: Select all

QUEUE=1m


Afterwards, I go back to multi user mode. If you didn't use single user mode, you'll need to restart all applicable systems, such as MailWasher, ClamAV, Sendmail and Scalix. It may be easier to just restart the machine ;-)

Hope that helps!

[jpreston]

RogerMaynard,

As silly as it sounds, I've also run into this issue. Apparently there are syncronization issues with "Purging Messages Since Last Login" or whatever that means.

This is not however the end of the world. I'll refer you to this thread which explains the simple fix:

http://www.firetrust.org/phpBB2/viewtopic.php?t=564

Basically, I got tired on my large installation of manually performing those steps, so I have a cron job that runs every 5 minutes that does the following:

Checks to see if mpd is running.

If mpd is not running:
Stops mwi if it is running.
Prints a message saying that it was not running.
Deletes /var/lib/mwserver/quarantine*
Restarts mpd

Checks to see if mwi is running.

If mwi]/b] is not running:
Start [b]mwi.

I don't have the actual script on me now, but I'll post it later. It's a simple fix that solves the problem real fast and without too much of a headache. I've been using it now for about two weeks and none of my users have even noticed it was having problems. I don't think I have a large installation, but I do handle about 25,000 messages a day and have approximately 500 users.

Don't worry about deleting the quarantine* files, I have not noticed any users loosing their quarantines as MailWasher rebuilds the database if it is not there.

Hope that helps!

[jpreston]

divisionbyzero,

As far as I know, MailWasher does NOT modify any of the headers of e-mails, and the only way I know of to check to see if it is handling any messages is to do one of the following:

Please be aware that I am at work and these may not be 100% correct. I may have made a typo or incorrect path or something.

Assuming you are running mwserver with debug logging:

Code: Select all

tail -f /var/log/mwserver/mpd.log


You can also view your mail log:

Code: Select all

tail -f /var/log/maillog


However, I usually log into the MWI (MailWasher Interface) and go to System Statistics. The number of messages analyzed will tell you if its checking messages ;-)

Also, if you followed the HOWTO including adding the local users to the global whitelist, their messages are more than likely NOT being filtered, which could explain why / if their outgoing messages are being scanned.

Hope that helps!