Building an OpenBSD mail server, part 2
In the second part of this article, published a month after the first, I explain how to set up and configure the spam and virus filtering software, as part of the Postfix mail system.
This article is copyright material. Please do not reproduce it without permission.
In last month's issue, we looked at how to build a rack mounted server running the free OpenBSD 3.6 operating system, to use as a virus and spam filtering mail gateway. This month, we're continuing the project by installing the mail system, along with the virus and spam filters. You'll end up with a system that can provide POP3 email to your network, whether at home or in an office, and dramatically cut down on the amount of viruses and junk in your mailbox.
To get up and running, all you'll need is a CD burnt from the PCWmailserver.iso image on this month's cover disc, which contains all the software packages needed to set the system up, plus some simple scripts that will automate parts of the process. As well as the core software, we'll also add some extra tools that will make expansion easier, including a database that can be configured to handle mail aliases, and cd writing tools for backing up config files.
When you've finished you should find that the server has ample capacity to take on other tasks - and there are plenty of packages that can be added to OpenBSD, such as IMAP servers, web filtering programs, and file sharing.
Finally, remember that setting up a mail server, though straightforward, can result in lost mail if you make mistakes. So we recommend you set up your server with a new domain name, and make sure it's behaving as you expect, before you entrust it with all your email; the sample files and documents on the CD explain how you can manage multiple domains on the same server.
To do our install, we'll be using some scripts and packages on the cover disc; you can do everything manually, using the excellent guide by Scott Vintinner and Kris Nosack at www.flakshack.com/anti-spam/wiki, which provided the inspiration for this project. We'll note major differences from that guide as we go along. Log in to your server as root, either on the console or use ssh to connect over the network; Windows users can download the PuTTY ssh client from www.chiark.greenend.org.uk/~sgtatham/putty/. Create a new directory for mounting cds with the command
then insert the PCWmailserver CD and type
mount /dev/cd0a /mnt/cdrom.
You'll now have three directories under /mnt/cdrom. In pkg you'll find the software packages, config contains sample config files, and scripts contains some setup files we'll use later. If you're doing a manual install, you may still find it helpful to use the packages on our CD - though remember there may be updates made since we created the disc.
Packages can be installed using the pkg_add command on OpenBSD, and you can give a URL instead of a filename. All the packages on the CD are from the OpenBSD collection, with the exception of Jérôme Loyet's port of the ClamAV anti-virus software, which we've compiled using the instructions from his site . Our install script will add all the necessary packages - where OpenBSD needs another package to install the ones you've asked it to, it will fetch that automatically from the same location. Make sure you've turned capture on in your ssh program, since some messages that you'll need to read will appear during the installation. To run the script, type
and then type
Press Enter to continue and wait while the various programs are added to your system.
Although not essential for the mail system, our script installs the MySQL database, which you can use to handle aliases - useful if you have lots of users. You'll need to set a master password for MySQL, following the instructions that the script displayed, just after it started. Start the server with the command
to run it in the background. Type the commands shown in the script to change the password to something suitable, and then shut MySQL down for now by typing
/usr/local/bin/mysqladmin -u root -p shutdown
You'll have to type the password you just set, and the database server will stop. You'll see some additional steps listed in the install script output for setting up PHP and MySQL to work with web pages; make a note of those for later - we don't need them for this project, though.
The next step is to enable the Postfix mail system which is done by typing
at the OpenBSD prompt. We'll configure the mail system later on; it's a good idea to review the Postfix documentation, however, at www.postfix.org. The O'Reilly book Postifx The Definitive Guide (ISBN 0-596-00212-2) is also well worth reading. Postfix can be configured very flexibly, and we only have space here for some basic configurations. Since we've not yet configured the mail system, edit the file /etc/rc.conf by typing
and changing the sendmail_flags line to sendmail_flags=NO. Next, type
to edit the schedule table for root using vi, and delete the 2 lines for the sendmail queue runner. .
If you want to host mailboxes on the server, the simplest way is to create user accounts, which is done using the useradd command. Use short names - you can set up aliases that point to them later. There are various options for the useradd command, which you can read by typing
at the prompt. We want to create a home directory for each user, which will be useful if you set up file sharing later, or want to use an IMAP server and give people space for their mailboxes. To add a user called nigel, type a command like
useradd -m -c 'Nigel Whitfield' nigel
Set a password for the user with the command
then type the password twice. This password is what users will need to collect email from the POP mailboxes we'll set up later.
We're going to run our mail system in what's called a chroot environment. That means that the programs can only see the part of the filesystem that we want them too, minimising risk should any of them be compromised. To do that, however, certain system files need to be created in the area we'll use as our root directory. For the Amavisd mail scanner, that is the directory /var/amavisd and those below it. Before we can install all the files, we need to change an option on the filesystem. Type the command
and find the line referring to the /var filesystem. It should look something like this screen. Delete the word nodev from the line, and the comma following it. Save the file. Now shutdown the server and reboot it, with the command
shutdown -r now
so the filesystem is mounted with the correct options.
When the server has rebooted, mount the CD again. In the directory /mnt/cdrom/config/postfix you will find some sample files which can be used to configure the email system. You must change parts of these files, adding your domain and other information, and save the changed files in the /etc/postfix directory. In the files, lines that you need to change have a comment before them, starting with the phrase PCWCONFIG, which you can search for in vi. Read the notes in the files, and make the appropriate. Next, type
cp /etc/postfix/aliases /etc/aliases
to copy the basic alias file, then
Find the line at the top that says #root: you and change it to, for example
if the user Nigel is to receive administrative mail. Create another alias called virusalert, and after saving, update the database by typing
Now we need to set up the files needed for the email scanner. You can do this using the instructions on Scott and Kris' web site - though note that the user id that our scanning system runs under is _vscan, not amavsid - or you can run the script from the PCW cd to do the work for you. Type
and then type
You also need to edit the /etc/amavisd.conf file, following the instructions on the web site, using the file /mnt/cdrom/config/amavisd.conf as the base - it's already set up to use the ClamAV scanner, and send reports to virusalert. Unlike Scott's config, we're not using DCC to scan email, since there wasn't a ready built package for OpenBSD, but we will be using Razor.
You may also want to edit the amavisd script itself (it's in /usr/local/sbin/amavisd) to give a more descriptive bounce message than 'Message content rejected', which is at line 5523). In our own setup, we include a URL (www.nigelwhitfield.com/mailfiltering.html) that points to a page with information. Next, copy the ClamAV files to the correct location by typing
cp /mnt/cdrom/config/amavisd/* /var/amavisd/etc
Edit /var/amavisd/clamd.conf and /var/amavisd/freshclam.conf with appropriate values for your system. UK users will find the files are ok as they are. Now, download the latest virus definitions to the chroot environment by typing
chroot -u _vscan /var/amavisd /usr/bin/freshclam
Start the virus scanner with the command
chroot -u _vscan /var/amavisd /usr/sbin/clamd
Now, if you want to use Razor (it's configured in the amavisd files supplied), you need to register with the network. Razor works like CloudMark's SpamNet, checking message fingerprints against known spam. Type
then Enter, then
razor-admin -home=/etc/razor -create
to create a set of config files, and then
razor-admin -home=/etc/razor -d -register -user=youraddress@yourdomain
You should see that registration is completed ok. Copy the files created in /etc/razor too the right place with
cp /etc/razor/* /var/amavisd/.razor
and set their ownership with the command
chown -R _vscan:_vscan /var/amavisd/.razor
and press Enter. You should see that amavisd starts up, without any errors, and reports that it's started some child processes. Press Ctrl & C to stop amavisd. We're almost done.
Now, make sure you've updated any postfix tables, such as /etc/postfix/virtual_alias by running the postmap program on them. Type
and so on, for each table. Unless you've rebooted, you should still have clamd running. Start amavisd by typing its name, followed by Enter. It will start in the background, returning you to the system prompt. Now start postfix running by typing
tail -f /var/log/maillog
and watch the messages as mail is passed through your system. Press Ctrl & C to stop viewing the log, and type
to shut down the mail system if you need to make configuration changes. If you suspect that you have problems with your mail system, you may want to change the smtpd line in /etc/postfix/master.cf to the standard
smtp inet n - y - - smtpd
so that it doesn't pass messages through amavisd, helping you to narrow down problems.
If you've reached this stage and all is well, you'll want to configure the server so that all the necessary services start automatically when it's booted. In /mnt/cdrom/config you'll find two files called rc.local and rc.conf. These are fragements that you can add to the /etc/rc.local and /etc/rc.conf files on your system, which control the startup of processes at boot time. Type
and find the line 'miscellaneous other flags' then type
to read in the new text. Do similarly with the rc.local file - each of our files contains a short set of instructions, and you'll find when you restart that your server will collect virus definitions twice daily, start the Amavis and Clam daemons, along with MySQL and a POP3 server. We've also installed the cdrtools package, so if you included a CD burner in your hardware, you can use that to make a backup CD of your configuration files.
End of article.
Click here for the NigelWhitfield.com home page.