MailScanner, Postfix, ClamAV and SpamAssassin Setup RHEL/CentOS 5/6

Hello,

This howto only describes how to configure MailScanner on a CentOS 5 machine. The prerequisites, Postfix (CentOS repository), ClamAV (EPEL repository) and SpamAssassin (CentOS repository), have to be installed and working before you continue.

First download MailScanner from its website (www.mailscanner.info), extract the .tar.gz and execute install.sh. The script builds all the needed rpm packages (the rpm-build package is required and has to be installed with yum beforehand). Wait 15 minutes and MailScanner is installed.

Now let's configure it:

– edit the file /etc/MailScanner/MailScanner.conf and set the following values

%org-name% = your organization name
%org-long-name% = your full organization name
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Group = clam
Incoming Work Permissions = 0640
MTA = postfix
Virus Scanners = clamd
Clamd Socket = /var/run/clamav/clamd.sock
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

– then create the folder /var/spool/MailScanner/spamassassin

# mkdir /var/spool/MailScanner/spamassassin

– change the owner to postfix and the group to clamav, and restrict access for others

# chown -R postfix:clamav /var/spool/MailScanner/incoming
# chmod -R 770 /var/spool/MailScanner/incoming
# chown -R postfix:clamav /var/spool/MailScanner/quarantine
# chmod -R 770 /var/spool/MailScanner/quarantine
# chown -R postfix:clamav /var/spool/MailScanner/spamassassin
# chmod -R 770 /var/spool/MailScanner/spamassassin

– MailScanner looks for freshclam in a different location than where it is installed, so create a symbolic link to it

# ln -s /usr/bin/freshclam /usr/local/bin/freshclam

OK, MailScanner should now be installed and configured. Let's integrate Postfix:

– edit /etc/postfix/main.cf and uncomment the line

header_checks = regexp:/etc/postfix/header_checks

then add the next line to the file /etc/postfix/header_checks

/^Received:/ HOLD

That's it… The postfix service should be started through MailScanner, so disable or enable the following services:

# chkconfig postfix off
# chkconfig MailScanner on
# chkconfig spamassassin on
# chkconfig clamd on
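
To check the steps above before trusting the setup, here is an added example (not part of the original howto or of MailScanner) that audits the queue and scanner settings and the HOLD rule. The function names are illustrative and the demo runs on constructed sample files; on a real host pass /etc/MailScanner/MailScanner.conf, /etc/postfix/main.cf and /etc/postfix/header_checks instead.

```shell
# Added example: function names are illustrative, sample files are constructed.

# Print the value of a "Key = value" line from a MailScanner.conf-style file.
conf_value() {  # $1 = file, $2 = key
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Compare against the howto's values; print mismatches, return their count.
check_mailscanner_conf() {  # $1 = path to MailScanner.conf
    bad=0
    while IFS='|' read -r key want; do
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key = '$got' (howto: '$want')"
            bad=$((bad + 1))
        fi
    done <<'EOF'
Run As User|postfix
Run As Group|postfix
Incoming Queue Dir|/var/spool/postfix/hold
Outgoing Queue Dir|/var/spool/postfix/incoming
MTA|postfix
Virus Scanners|clamd
EOF
    return "$bad"
}

# 0 = ok, 1 = header_checks not enabled in main.cf, 2 = HOLD rule missing.
# Without the HOLD rule nothing lands in the hold queue for MailScanner to scan.
check_hold_rule() {  # $1 = main.cf, $2 = header_checks map
    grep -Eq '^header_checks[[:space:]]*=[[:space:]]*regexp:' "$1" || return 1
    grep -Eq '^/\^Received:/[[:space:]]+HOLD' "$2" || return 2
}

# Write constructed sample configs into directory $1 (MTA is wrong on purpose).
make_samples() {
    printf '%s\n' 'Run As User = postfix' 'Run As Group = postfix' \
        'Incoming Queue Dir = /var/spool/postfix/hold' \
        'Outgoing Queue Dir = /var/spool/postfix/incoming' \
        'MTA = sendmail' 'Virus Scanners = clamd' > "$1/MailScanner.conf"
    printf '%s\n' 'header_checks = regexp:/etc/postfix/header_checks' > "$1/main.cf"
    printf '%s\n' '/^Received:/ HOLD' > "$1/header_checks"
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir"
check_mailscanner_conf "$demo_dir/MailScanner.conf" || echo "$? setting(s) differ"
check_hold_rule "$demo_dir/main.cf" "$demo_dir/header_checks" && echo "HOLD rule in place"
rm -rf "$demo_dir"
```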

UPDATE: If you are using perl 5.10.1, MailScanner may exit with errors in an endless loop, causing high CPU usage and no message delivery, or keep sending messages about problem messages. In that case open /usr/sbin/MailScanner and add the -U parameter to the first line (allow unsafe operations).

source: http://www.linuxmail.info/mailscanner-postfix-clamav-spamassassin-howto-centos-5/

Map unix group to a windows domain group

Hello world,

Here is my scenario: I have a web development server as a domain member and I need the apache user in one of the domain groups so that apache can access files readable and writable by the webdev group. The problem is that you can't add unix users to a windows group because the unix user doesn't exist on the windows machine. BUT: you can map an existing unix group to an existing windows group, so that the unix group acts as an alias for the windows one, and add the unix user to that group… and it is quite easy.

Let's say you have group1 on windows and domgroup1 on unix. Here is how to do it:

create a new unix group
# groupadd domgroup1

now map the groups
# net groupmap add ntgroup="group1" unixgroup="domgroup1" type=domain

list the mapped groups
# net groupmap list

now restart samba
# /etc/init.d/smb restart

The only thing left to do now is to add the user to your domgroup1 in /etc/group

Roaming profiles permissions

Hi again, when I installed a Windows 2008 server and configured the roaming folders for domain users, the permissions were wrong and the folders were not created automatically. So here is a basic overview of some working permissions:

NTFS-Level permissions:

| Windows User Account | Minimum permissions required |
|---|---|
| Creator/Owner | Full Control, Subfolders And Files Only |
| Administrator | None |
| Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data – This Folder Only |
| Everyone | No Permissions |
| Local System | Full Control, This Folder, Subfolders And Files |

SMB-Level permissions:

| Windows User Account | Default Permissions | Minimum permissions required |
|---|---|---|
| Everyone | Full Control | No Permissions |
| Security group of users needing to put data on share | N/A | Full Control |

The following NTFS permissions are set automatically when the folder is created:

| Windows User Account | Default Permissions | Minimum permissions required |
|---|---|---|
| %Username% | Full Control, Owner Of Folder | Full Control, Owner Of Folder |
| Local System | Full Control | Full Control |
| Administrators | No Permissions | No Permissions |
| Everyone | No Permissions | No Permissions |

for more information check here.