
Mail server gateway

Not so long ago I was lucky enough to change jobs. I ended up at a company which, for a number of reasons, deserves a separate article and may perhaps get one here later. Very briefly about the structure of our department: doing something outside your main duties is not forbidden, so my eye fell on our mail server, which causes a lot of trouble.

The company has remote branches spread evenly across Western Europe, all using a single mail server. Unfortunately the IT department's budget is not large, while there are quite a lot of users (about 700 mailboxes). Mail ran, and still runs, on Exchange 2010 with the latest updates and more or less tuned anti-spam rules, but antivirus somehow never worked out: the purchased solution refused to work properly, inflating the incoming queue to indecent sizes and hanging all mail tightly. (Yes, I know every best practice calls for a separate edge server and a separate backup server, but this is what we had at the time.)

I took the initiative into my own hands. To my surprise, no detailed manual for solving such a problem could be found, so the idea came up to share our trial and error on the runet.

Of what was eventually tried and tested: Zentyal, ASSP and Xeams.

I will not describe them in detail, but a few words should be said.
Let's go in order. Zentyal was dropped quickly enough, because the goal was not to change the entire Active Directory infrastructure and move to an open-source solution; besides, it is more of an all-in-one combine of everything possible. It seems to me it would be great for an SMB with up to 50 users.

Let us turn to our second candidate, Anti-Spam SMTP Proxy. It has a whole toolkit for proxying mail traffic: Bayesian spam filtering, penalty points, black/white lists, ClamAV and a whole lot more. There is only one drawback: usability. The ASSP web interface is a hellish wrapper around the configs, which I personally find easier to edit from the console. This thing stayed with us in production for about 2 months, and then one of the admins changed something in the configs and everything fell over... In short, we caught .locky a couple of times, and the last time there was no actual backup: the person had left on vacation, and by the time he came back it was too late. This made us revise our backup policy, but more about that another time. Unfortunately we do not have a separate Linux administrator, since almost all of the infrastructure is on Microsoft, so picking through the monstrous settings in the web interface was real torture for the admins.


After poking around and trying several more products, I settled on Xeams. Yes, unfortunately it is not open source but a closed product; however, it is very friendly to administrators who have little experience with Linux & Dovecot & Postfix & co. bundles. In addition, it is cross-platform, so there will be no problems even for those who are not on close terms with Linux.

It can work in three modes:
Stand-alone server - yes, Xeams can also be just a mail server. How good it is I cannot say, because this function interested me least.
Spam firewall - in this mode Xeams only accepts all mail traffic itself and then distributes it to the corporate mail servers.
Hybrid mode - combines the other two. I recommend choosing it, because Xeams cannot filter spam fully without passing outgoing traffic through itself as well.

Since we already had a mail server, we used the SMTP Proxy option.

The installation was done on a clean machine with Ubuntu 14.04. The only thing that needed to be installed was Java, which in fact runs the Xeams engine.

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install libc6-i386
sudo apt-get install default-jre
sudo update-alternatives --config java
java -version

Xeams uses ClamAV and recommends putting it on a separate machine, but in practice no problems were noticed running both on one machine. If you need to adjust the ClamAV settings later, that can also be done without problems.

sudo apt-get install clamav-daemon


We download the archive with the installer from here. We unpack it, make it executable and run it.
wget http://www.xeams.com/files/XeamsLinux64.tar
tar -xf ./XeamsLinux64.tar
chmod +x ./Install.sh
./Install.sh


If everything went well, the Web Interface will be available on port 5272.

The main page contains reports, graphs and basic resource-consumption figures. We gave the machine 8GB of RAM; the peak load reached 6 several times, so these figures are quite justified.



On to the configuration itself. On the firewall we redirect all traffic on port 25 to our Xeams IP on port 2525. This is done because Xeams not only receives mail but also sends it, so incoming traffic arrives on port 2525 and outgoing traffic goes out on port 25.
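As an added example (mine, not from the original post and not a Xeams artefact) of the redirect described above, assuming the firewall is a Linux host running iptables; WAN_IF, XEAMS_IP and the address 192.0.2.10 are placeholders, not values from the article. The NAT rule matches only the Internet-facing interface, so the internal path from Exchange to Xeams on port 25 is left untouched, and iptables -C guards against stacking duplicate rules when the script is re-run.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rules for redirecting
# inbound SMTP (port 25) arriving from the Internet to the Xeams proxy port 2525.
# Assumptions (placeholders): the firewall is a Linux box with iptables, WAN_IF is
# its Internet-facing interface and XEAMS_IP is the Xeams host on the LAN.

# NAT rule: SMTP from the Internet on port 25 goes to XEAMS_IP:2525.
# Matching on the WAN interface matters: mail that Exchange relays to Xeams on
# port 25 from the inside must not be rewritten to the proxy port.
xeams_dnat_rule() {
    xeams_ip="$1"; wan_if="$2"
    printf 'PREROUTING -i %s -p tcp --dport 25 -j DNAT --to-destination %s:2525\n' "$wan_if" "$xeams_ip"
}

# Filter rule: let the rewritten connection through the FORWARD chain.
xeams_forward_rule() {
    xeams_ip="$1"; wan_if="$2"
    printf 'FORWARD -i %s -p tcp -d %s --dport 2525 -j ACCEPT\n' "$wan_if" "$xeams_ip"
}

# Add a rule only when it is missing: "iptables -C" exits 0 if an identical
# rule already exists, so re-running the script never stacks duplicates.
add_once() {
    table="$1"; shift
    # word splitting of the rule string into iptables arguments is intended
    if iptables -t "$table" -C $* 2>/dev/null; then
        echo "already present: $*"
    else
        iptables -t "$table" -A $*
    fi
}

xeams_apply() {
    xeams_ip="$1"; wan_if="$2"
    add_once nat "$(xeams_dnat_rule "$xeams_ip" "$wan_if")"
    add_once filter "$(xeams_forward_rule "$xeams_ip" "$wan_if")"
    # Show what is now in place for a quick visual check.
    iptables -t nat -L PREROUTING -n --line-numbers
}

# Apply only when called with both arguments, e.g.: sh xeams-fw.sh 192.0.2.10 eth0
if [ $# -eq 2 ]; then
    xeams_apply "$1" "$2"
fi
```

Run it as root on the firewall with the Xeams address and WAN interface as arguments; without arguments it only defines the functions. Rules added this way do not survive a reboot, so persist them with your distribution's usual mechanism once they are verified.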

In general, setting up Xeams is simple and quite convenient. A few points I would nevertheless like to draw attention to:

Server Configuration> Server Configuration> Basic


Specify the port for HTTP/HTTPS web access.
DNS need not be specified here if it is already set in the machine's own settings.
And an address for daily reports.


Server Configuration> Server Configuration> Advanced


On the Advanced tab you must specify the HELO name (as a rule, you can simply copy it from the settings of your existing mail server) so as not to land on a spam list yourself.


Server Configuration> SMTP Configuration> Relaying


Use only Closed relay and list the addresses and hosts from which mail may be sent without authentication.
From the Exchange side it looks like this, with the smtp-relay address filled in:




Server Configuration> SMTP Proxy Server Configuration


Everything is simple here: we specify the ports on which mail is received, and the forwarding address and port. In our case this is the address of the corporate Exchange.


Greylisting
Separately, I would like to say a word about Greylisting (see the Wikipedia article on grey lists). I strongly recommend registering all public mail domains and your whitelist there, because a 10-hour delay of a message due to incorrect settings on the sending mail server's side is, alas, not uncommon.


Server Configuration> Active Directory Integration


If you have Active Directory, it can easily be integrated into Xeams. What for? At least so that users do not pester you at first about not receiving mail. A user can simply log in and check his mailbox, view his spam and maintain his own black/white list:



In addition, it makes it possible to allow SMTP only to authenticated users. Convenient, overall.


Clamav
If you, like me, installed ClamAV on the same server as Xeams, then the settings page will look something like this:



Below I will talk about some of the nuances of its use.


Spamfilters

Xeams has a rather large set of spam filters:

Real-time Black-hole servers (RBL). Each list can be given its own weight in points, on the basis of which Xeams judges the trustworthiness of a message.

Adaptive filters use Bayesian analysis, which copes well with its task. There were concerns it would work poorly because of the large number of correspondence languages (Russian, German, English, Spanish, Italian, Polish, Greek), but the false-positive rate is rather low.

Auto Learn Sender. A great thing; it is because of it that we pass all outgoing mail traffic through Xeams: it analyzes the recipients' addresses and takes them into account in the final assessment of a message's trustworthiness.

The rest of the filters are standard, and I do not think they need describing in this article, which has already turned out bloated.

Now a few words about some not quite obvious nuances.
After several days of use we changed the default filter settings and the scoring configuration:

Grading of messages by score

and raised the Bayesian Score to 115.
The most common false positive was the encoding-correctness check; since Xeams is, after all, tuned for English, we decided to disable this setting.

By default ClamAV does NOT check macros in Office document attachments, i.e. the newfangled .locky can pass through safely.
You can fix this with one line:

echo 'ScanOLE2 true' >> /etc/clamav/clamd.conf
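An added example (my own, not from the original post, Xeams or ClamAV) that makes the one-liner above safe to repeat: appending with echo adds a second ScanOLE2 line if the directive is already present (the Debian-generated clamd.conf may carry one, and re-running the command certainly does), and clamd honours the last occurrence, so the effective value is easy to misjudge. The helper rewrites an existing directive in place or appends it when absent, and clamd_get reads back the effective value. One caveat worth knowing: ScanOLE2 only enables parsing of OLE2 containers so that signatures can see what is inside; the separate OLE2BlockMacros directive (set to false in the config later on this page) would additionally flag every macro-bearing document as Heuristics.OLE2.ContainsMacros, which is a policy decision for your users rather than something to switch on blindly. The file path defaults to /etc/clamav/clamd.conf as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: set a clamd.conf directive
# idempotently instead of blindly appending it.
# Usage: clamd_set DIRECTIVE VALUE [CONF]   e.g. clamd_set ScanOLE2 true

clamd_set() {
    key="$1"
    value="$2"
    conf="${3:-/etc/clamav/clamd.conf}"

    if grep -q "^[[:space:]]*${key}[[:space:]]" "$conf"; then
        # Directive present (possibly with another value): rewrite it in place.
        # '|' is used as the sed delimiter so values containing '/' (paths) work.
        sed -i "s|^[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$conf"
    else
        # Directive absent: append it.
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Read back the effective value: the last occurrence wins, as in clamd itself.
clamd_get() {
    key="$1"
    conf="${2:-/etc/clamav/clamd.conf}"
    awk -v k="$key" '$1 == k { v = $2 } END { print v }' "$conf"
}

# Apply only when called with arguments; e.g.: sh clamd-set.sh ScanOLE2 true
if [ $# -ge 2 ]; then
    clamd_set "$1" "$2" "${3:-/etc/clamav/clamd.conf}"
    echo "$1 is now: $(clamd_get "$1" "${3:-/etc/clamav/clamd.conf}")"
fi
```

After changing the file, restart the daemon (service clamav-daemon restart on Ubuntu 14.04) and confirm the running configuration with clamconf, which prints the values clamd actually loaded rather than what the file appears to say.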

If anyone is interested, here is the config that we use now.
cat /etc/clamav/clamd.conf
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run
#dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
TCPSocket 3310
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
AllowSupplementaryGroups true
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog true
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
ScanOnAccess false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 10
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
StatsEnabled false
StatsPEDisabled true
StatsHostID auto
StatsTimeout 10
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OfficialDatabaseOnly false
CrossFilesystems true
OnAccessMaxFileSize 25M



All in all, after two weeks of use and analysis of spam and possible spam, we can say that 98% of spam really does not get through.

I will be glad to suggestions, comments and criticism in the comments.

Source: https://habr.com/ru/post/305746/

