Configuring a mail gateway on CentOS 7 using Postfix with SpamAssassin, ClamAV, OpenDKIM, SPF and DMARC


The gateway will be functioning the following way:

incoming messages from external mail servers will be received on port 25 and checked with SpamAssassin and ClamAV

outgoing messages from the internal mail server will be received on port 10025 and signed with OpenDKIM

Let’s assume that the IP address of the internal mail server is 192.168.100.100 and the external IP address of the mail gateway is 198.51.100.1


Basic configuration


install Postfix

yum install postfix

edit the /etc/postfix/main.cf file

inet_interfaces = all
inet_protocols = ipv4

myhostname = mail.example.com
mydestination =

relay_domains = example.com
relay_transport = smtp:[192.168.100.100]
relay_recipient_maps = hash:/etc/postfix/recipients
mynetworks = 192.168.100.100/32

local_transport = error:local mail delivery is disabled

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/public.cer
smtpd_tls_key_file = /etc/postfix/private.key
smtpd_tls_loglevel = 1

edit the /etc/postfix/master.cf file

10025     inet  n       -       n       -       -       smtpd
#local    unix  -       n       n       -       -       local

create the /etc/postfix/recipients file with a list of allowed recipients

create the /etc/postfix/recipients.db hash table with a list of allowed recipients

postmap hash:/etc/postfix/recipients

generate a private key and a certificate (as described here or here) and save them into the /etc/postfix/private.key and the /etc/postfix/public.cer files respectively

change owners and permissions of the private key and the certificate

chmod 600 /etc/postfix/private.key

restart Postfix

systemctl restart postfix


SpamAssassin


install the EPEL repository

yum install epel-release

install SpamAssassin

yum install spamassassin

replace the content of the /etc/mail/spamassassin/local.cf file

report_hostname mail.example.com
report_safe 0

start SpamAssassin

systemctl start spamassassin

install the spamass-milter package to integrate SpamAssassin and Postfix

yum install spamass-milter

create a group for shared access of Postfix and spamass-milter to a socket file

groupadd sa-milt-sock
gpasswd -M sa-milt,postfix sa-milt-sock

edit the /etc/sysconfig/spamass-milter file to change startup options of the service

SOCKET_OPTIONS="-g sa-milt-sock"

start spamass-milter

systemctl start spamass-milter

edit the /etc/postfix/main.cf file

milter_connect_macros = j {daemon_name} v _

Comment 1: otherwise the log would be populated with the messages ‘Could not retrieve sendmail macro “_” …’

Comment 2: also the messages ‘Could not retrieve sendmail macro “!” …’ could be added to the log, but you can safely ignore them

edit the /etc/postfix/master.cf file

smtp	inet	n	-	n	-	-	smtpd
	-o smtpd_milters=unix:/run/spamass-milter/spamass-milter.sock

restart Postfix

systemctl restart postfix


ClamAV


install ClamAV

yum install clamd

replace the content of the /etc/clamd.d/scan.conf file

LogSyslog yes
User clamscan
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660

update the virus database

freshclam

start ClamAV

systemctl start [email protected]

install the clamav-milter package to integrate ClamAV and Postfix

yum install clamav-milter

create the /etc/tmpfiles.d/clamav-milter.conf file

d /run/clamav-milter 0711 clamilt clamilt

create a group for shared access of Postfix and clamav-milter to a socket file

groupadd clamilt-sock
gpasswd -M clamilt,postfix clamilt-sock

replace the content of the /etc/mail/clamav-milter.conf file

User clamilt

ClamdSocket unix:/run/clamd.scan/clamd.sock

MilterSocket unix:/run/clamav-milter/clamav-milter.sock
MilterSocketGroup clamilt-sock
MilterSocketMode 660

AddHeader Replace
ReportHostname mail.example.com
OnInfected Accept

LogSyslog yes
LogFacility LOG_MAIL
LogClean Basic
LogInfected Basic

start clamav-milter

systemctl start clamav-milter

edit the /etc/postfix/master.cf file

smtp	inet	n	-	n	-	-	smtpd
	-o smtpd_milters=unix:/run/spamass-milter/spamass-milter.sock,unix:/run/clamav-milter/clamav-milter.sock

restart Postfix

systemctl restart postfix


OpenDKIM


install OpenDKIM

yum install opendkim

generate a private key and a DNS TXT record

opendkim-genkey -b 1024 -d example.com -a -s mail

Comment: as a result the files mail.private and mail.txt will be created

copy the private key into the /etc/opendkim/keys directory

cp mail.private /etc/opendkim/keys/opendkim.key

change owners and permissions of the private key

chown opendkim:opendkim /etc/opendkim/keys/opendkim.key
chmod 640 /etc/opendkim/keys/opendkim.key

add the TXT record saved in the mail.txt file to the DNS zone

replace the content of the /etc/opendkim.conf file

Socket local:/run/opendkim/opendkim.sock
Umask 007

Mode s
Canonicalization relaxed/relaxed
Domain example.com
Selector mail
InternalHosts 192.168.100.100
KeyFile /etc/opendkim/keys/opendkim.key

Syslog yes
SyslogSuccess yes

edit the /etc/tmpfiles.d/opendkim.conf file

D /run/opendkim 0711 opendkim opendkim -

remove and create again the /run/opendkim directory

systemd-tmpfiles –remove –create /etc/tmpfiles.d/opendkim.conf

create a group for shared access of Postfix and OpenDKIM to a socket file

groupadd dkimgroup
gpasswd dkimgroup -M opendkim,postfix

copy the /usr/lib/systemd/system/opendkim.service unit file into the /etc/systemd/system directory

cp /usr/lib/systemd/system/opendkim.service /etc/systemd/system/opendkim.service

Comment: as a result the /etc/systemd/system/opendkim.service unit file will override the default /usr/lib/systemd/system/opendkim.service unit file

edit the /etc/systemd/system/opendkim.service unit file

Group=dkimgroup

reload the systemd configuration

systemctl daemon-reload

start OpenDKIM

systemctl start opendkim

edit the /etc/postfix/master.cf file

10025     inet  n       -       n       -       -       smtpd
    -o smtpd_milters=unix:/run/opendkim/opendkim.sock

restart Postfix

systemctl restart postfix


SPF


add the following record to the DNS zone

host – @

type – TXT

value – v=spf1 +ip4:198.51.100.1/32 -all


DMARC


add the following record to the DNS zone

host – _dmarc

type – TXT

value – v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; aspf=s; adkim=s; fo=1; pct=100

Leave a Reply