By RoNNY Nussbaum
Greetings!
This document describes how to install Postfix, Amavisd-new, SpamAssassin, Pyzor, Razor, and DCC on one box running Fedora Core 4. The installation assumes that Postfix will not be the final destination of incoming mail. Also, no e-mail is sent through it to the outside world. It is a simple MTA that receives e-mail, scans it, and moves it to another MTA for processing.
For those of you still working on a v2.1.7 setup, the older document is here.
You need to know some Linux to use this guide. At the minimum you need to know how to work with vi (see Appendix B). Also, I’m not a Linux expert, so some of you gurus out there may find some better ways to do things. That’s fine. Feel free to give me feedback. It’s important to keep this document updated, your input is invaluable, and will help make this document better. For all questions or comments, please e-mail me at ronnynussbaum [at] gmail [dot] com.
Use this document at your own risk. I take absolutely no responsibility for any losses or damages incurred as a result of using this installation, but it does work…really!
This document was inspired by the original document written by Scott L. Henderson, however, it’s a document that I wrote on my own, and has some more settings, tweaks, and tricks that I learned about from my own experience, and from the good people in the mailing lists. I tried to be very clear, and explain each setting. If you find something to be confusing, please let me know.
I’d like to also mention the great document by mr88talent. His document describes a similar installation, but on a Debian rather than Fedora. You can find his document here: http://www200.pair.com/mecham/spam/, and I have found it to contain some valuable resources that are good for Fedora as well, and were used in this document.
I will start by installing Postfix, which will be our mail server in this case. Postfix uses amavisd-new to communicate with content filters, such as SpamAssassin and ClamAV. SpamAssassin uses its own anti-spam techniques, and also communicates with third-party services, such as Razor, Pyzor, and DCC, to detect whether a message is spam or not. In this document, I will refer to amavisd-new as Amavisd, and sometimes amavisd. In any case, I’m talking about amavisd-new, which can be found here: http://www.ijs.si/software/amavisd/.
You will also see situations where I claim that something will happen if we set a specific variable to a specific value. Please keep in mind that this doesn’t necessarily mean that in all cases, and all configurations, you will get the same results. The setting may be true for this configuration only.
This document works best if you view it at a resolution of 1024x768. If you have a lower resolution browser window, make sure to pay careful attention to the commands that you type. Spaces tend to disappear when your browser wraps the lines. Also, some people reported printing the document, and that some underscores disappeared in the process. Please double-check every command that you type against the web version of the document.
One final note: this installation is for Fedora Core 4, but this document started its life as the installation manual for Fedora Core 3. With proper adjustment, it can be easily used on FC3. In fact, I think that the only thing that’s a little different is the installation part. If you choose to install FC3 instead of FC4, I suggest that you simply ignore the differences that you see during install. It should work fine.
Another final note: please please please check the forum. There are answers to a lot of your questions there.
Enjoy building the server.
-RoNNY
Conventions Used In This Manual
Login to the System for the First Time
Disabling Some Unneeded Daemons (Services)
Changing the Language Preferences
Make vi Show Files in Color (use vim)
Downloading the Required Software
Set the System to Boot into Text Mode
A Word About DNS and MX Records
Postfix’s Own Anti-Spam Filters
Setting Postfix to Start Automatically at System Boot
Saving Postfix’s Configuration
An Overview of Amavis’ Quarantine, Notifications, and Actions
Creating Some Directories for Amavisd
Installing Some Prerequisites for Amavisd
About Sender Policy Framework (SPF)
Creating White-List and Black-List files
Setting Postfix to Use Amavisd
Setting Amavisd to Start Automatically at System Boot
More SpamAssassin Configuration
Reminder Regarding Configuration Changes
Alternative clamd Configuration
Setting ClamAV (clamd) to Start Automatically at System Boot
Setting ClamAV to Auto-Update hourly
Backing-up the Server’s Configuration
Tweaking SpamAssassin’s Tests Scores
Appendix A: Setting up the IP address manually
Setting Up Multiple IPs for the Server
Appendix B: Very short vi manual
Appendix C: Postfix startup script
Appendix E: Upgrading the Server’s Software
Throughout the manual, commands that should be typed in by you in the shell prompt, or in vi, will look like this. Several commands that need to be typed one after the other, are separated from each other with a white line:
command 1

command 2
When a command is too long to fit in one line, its second, third, fourth, etc. lines will be indented:
this command is so long,
    so I had to type it in several lines
    and then indent it
    over and over again!
Note that the above conventions also may be used even when you type something in vi, and not necessarily the shell prompt.
Please read the very short vi manual in Appendix B. From now on, I will assume that you know how to use vi, so that when I write “edit the file” or “save and close the file”, you’ll know what I mean. Also, unless otherwise stated, each command should be issued by pressing Enter after the command is typed in.
Desktops:
Choose either GNOME or KDE. I like GNOME.
Click on Details and uncheck all of the optional GNOME components.
Applications:
Check Editors, go into the Details, and uncheck Emacs.
Check everything under Text-Based Internet, except slrn and epic.
Uncheck Office/Productivity, Sound and Video, and Graphics.
Servers:
Check Server Configuration Tools and all of its sub-components.
Development:
Check Development tools.
System:
Check Administration Tools.
Uncheck Printing Support.
Uncheck Language Support.
Click Next twice to start the installation!
When the installation is done, the CD/DVD will be ejected, and you’ll have to click Reboot.
As of the writing of these lines, there’s an error that you’ll see right when the boot process begins. The following lines appear:
mknod failed to create /dev/console
mknod failed to create /dev/null
mknod failed to create /dev/zero
Please see this Bugzilla report to see if it was fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157129
Update (07/17/2005): Bugzilla indicates that an update to the Kernel fixes this error. See the “updating the system” section below, and update your CD/DVD-installed Kernel!
After rebooting, you will have to set up a few more things:
Login to the System for the First Time
Login as root, and open a terminal window by using the main menu (like the “Start” menu in Windows), and then: Applications, System Tools, Terminal.
Issue the command ifconfig:
ifconfig
And press <Enter>.
See if you have an IP associated with the eth0 interface. If you don’t have an IP, check your cables and NIC.
I will not cover how to install a firewall on your server in this document. This server will be used as a mail-relay, spam filtering, and possibly AV filtering server, nothing more. I think that making it a firewall as well is a waste of valuable resources. Please make sure to create the necessary rules in your corporate firewall, to allow port 25 to this server, as well as any other necessary ports for Razor, etc., as you’ll see below.
PuTTY is a free SSH client. SSH is essentially a secured way of doing Telnet. At this point you can choose to continue working on the server directly, or to install PuTTY on your Windows-based PC, and SSH into your server instead!
Get PuTTY from here: http://www.chiark.greenend.org.uk/~sgtatham/putty/, then run it.
Select the SSH radio button when you see the main menu, enter your server’s IP in the “Host Name (or IP Address)” box, then put a name under the “Saved Sessions” box, and hit save.
From now on, every time you’ll start PuTTY, you can just choose the session name that you chose, and it’ll connect you to your server.
When connecting for the first time, you’ll see a security alert. Simply choose Yes, and you’ll be connected.
You can exit PuTTY by typing exit in the shell prompt. Don’t ever close PuTTY by hitting its window’s “X” button, at least not while you’re editing a file.
WinSCP is a very cool SCP (file-transfer) program that can greatly help you when you transfer files between your Windows-based PC, and your server. You can get it here: http://winscp.net/eng/index.php, and configuration of it is very easy. Just follow the defaults. You’ll have to give it your server’s IP address, as well as the user name and password for login. If you chose the “Norton Commander” look, it’ll give you two panes, one for your local PC, and the other for the remote server. You can then easily transfer files between the two.
Disabling Some Unneeded Daemons (Services)
Issue the command:
chkconfig <service name> off
Replacing <service name> with each of the following: sendmail, apmd, cups, isdn, kudzu, netfs, nfslock, pcmcia, portmap, cups-config-daemon, and bluetooth. If your hard drives don’t support S.M.A.R.T., repeat the above for the smartd service as well.
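The following is an added example, not part of the original guide. It runs the chkconfig step for every service in the list, also stops each one (chkconfig only changes what starts at boot), and then checks the output of chkconfig --list to confirm nothing from the list is still enabled. The function names and the sample output are made up for the demonstration.

```shell
#!/bin/sh
# Added example: disable the services named in the guide and verify the result.
# Add smartd to the list if your drives do not support S.M.A.R.T.
UNNEEDED="sendmail apmd cups isdn kudzu netfs nfslock pcmcia portmap cups-config-daemon bluetooth"

# Reads `chkconfig --list` output on stdin and prints every service from
# $UNNEEDED that is still "on" in at least one runlevel.
still_enabled() {
    awk -v want="$UNNEEDED" '
        BEGIN { n = split(want, names, " "); for (i = 1; i <= n; i++) wanted[names[i]] = 1 }
        ($1 in wanted) {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-6]:on$/) { print $1; next }
        }
    '
}

# Disable at boot and stop now, then list anything that is still enabled.
disable_unneeded() {
    for svc in $UNNEEDED; do
        chkconfig "$svc" off 2>/dev/null || echo "could not disable $svc (not installed?)"
        service "$svc" stop >/dev/null 2>&1 || true
    done
    chkconfig --list | still_enabled
}

# Constructed sample of `chkconfig --list` output, used to try the parser.
sample_list() {
    printf '%s\n' \
        'sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off' \
        'cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off' \
        'sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off'
}

sample_list | still_enabled
# On the server, as root, run:  disable_unneeded
```

If disable_unneeded prints nothing after the loop, every service in the list is off in all runlevels.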
Do you see that red ball with an exclamation point in it? It tells you that your system is not fully patched. So the first thing we’ll do is patch the system. I like to use the tool that came with Fedora, yum, to do the patching. Before we use yum, we need to import Fedora’s public key into our key ring. This is done to ensure that the packages that we’ll download are authentic, and came from trusted sources.
Type everything as shown. Remember that Linux is cASe sEnsItiVe.
In places that you see “- -”, remember that the two minuses should be typed without the space between them. It’s just that sometimes when I type -- in Word, it looks like one long minus.
Issue the following commands:
gpg --import /usr/share/rhn/RPM-GPG-KEY-fedora

rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora
Now that you have Red Hat’s key in your key ring, you can download updated packages of Fedora.
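Importing the key only helps if yum is told to check signatures. The following added example (not part of the original guide) lists every section in yum.conf and the .repo files that sets gpgcheck=0; the function names and the sample repository names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: report yum repositories where package signature checking
# is switched off with gpgcheck=0.

# Print "file: [section]" for every section that sets gpgcheck=0.
# A section without a gpgcheck line inherits the [main] value from yum.conf.
unsigned_repos() {
    awk -F= '
        /^[ \t]*\[/ {                       # section header, e.g. [base]
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {          # key=value line inside the section
            value = $2
            gsub(/[ \t\r]/, "", value)
            if (value == "0") print FILENAME ": [" section "]"
        }
    ' "$@"
}

# Constructed sample files (repo names are made up for the demo).
make_sample() {
    mkdir -p "$1/yum.repos.d"
    printf '[main]\ngpgcheck=1\n' > "$1/yum.conf"
    printf '[base]\nname=Sample base\ngpgcheck=1\n\n[extras]\nname=Sample extras\ngpgcheck = 0\n' \
        > "$1/yum.repos.d/sample.repo"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
unsigned_repos "$demo_dir/yum.conf" "$demo_dir"/yum.repos.d/*.repo
rm -rf "$demo_dir"

# On the real server:
#   unsigned_repos /etc/yum.conf /etc/yum.repos.d/*.repo
```

No output on the real server means no section disables signature checking outright.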
Issue the command:
yum -y update
This will start downloading and installing new packages, and probably a brand new kernel. Take a coffee break.
After drinking many cups of coffee, issue the yum command shown above again, just to be sure that no update was missed. When you see a blue ball with a checkmark on it, your system is updated. You can repeat the process any time you want to update your system.
You can always issue the yum check-update command to see what updates are available.
Changing the Language Preferences
We need to change the language settings of the system for SpamAssassin:
vi /etc/sysconfig/i18n
In the line that starts with LANG, change the “en_US.UTF-8”:
Put your cursor on the dot that’s in “en_US.UTF-8”, and press x 6 times, so that you’re left with “en_US”.
Save and exit the file.
Make vi Show Files in Color (use vim)
Argh! So annoying. The developers of FC4 changed something to make vi be the default editor instead of vim (VI iMproved).
We’re about to fix it below, but before we do, know that this change may cause you not to be able to run vi if your system ever crashes, and you need to run in emergency/single-user mode, and the /usr directory was not mounted for whatever reason. vim resides on /usr/bin/vim, so you can run it after mounting /usr in case of an emergency situation. If this is way too much information for you, don’t worry, and do the next steps anyway.
Edit the following file:
vi /etc/profile.d/vim.sh
It should look like this:
if [ -n "$BASH_VERSION" -o -n "$KSH_VERSION" -o -n "$ZSH_VERSION" ]; then
  [ -x /usr/bin/id ] || return
  [ `/usr/bin/id -u` -le 100 ] && return
  # for bash and zsh, only if no alias is already set
  alias vi >/dev/null 2>&1 || alias vi=vim
fi
Add a # sign in front of lines 2 and 3, so that it looks like this:
if [ -n "$BASH_VERSION" -o -n "$KSH_VERSION" -o -n "$ZSH_VERSION" ]; then
  # [ -x /usr/bin/id ] || return
  # [ `/usr/bin/id -u` -le 100 ] && return
  # for bash and zsh, only if no alias is already set
  alias vi >/dev/null 2>&1 || alias vi=vim
fi
And yes, in case you wonder, I know this can be done with Aliasing as well :)
I like the ls command to always show all files in a long listing, and in color.
Edit the /etc/bashrc file, and add:
alias ls='ls -al --color=tty' to the end of the file if you want it as well.
Downloading the Required Software
While we’re in the GUI, let’s download the installation sources that we’ll need.
Put them all under /usr/local/src. Note that you can also download the files to your Windows PC, and then transfer them to your server using WinSCP. Even though we can install some of this softw