Install clamav (anti-virus software)
1.Install Clam AntiVirus
# dnf --enablerepo=epel -y install clamav clamav-update clamav-scanner-systemd
2.Virus definition file update setting
# vi /etc/freshclam.conf
●Line 75
Insert "#" at the beginning of the line "DatabaseMirror database.clamav.net" and add "DatabaseMirror db.jp.clamav.net".
#DatabaseMirror database.clamav.net
DatabaseMirror db.jp.clamav.net
●Around line 151
Add "NotifyClamd /etc/clamd.d/scan.conf".
#NotifyClamd /path/to/clamd.conf
NotifyClamd /etc/clamd.d/scan.conf
3.Update virus definition files
# freshclam
ClamAV update process started at Thu Feb 3 20:04:55 2022
daily database available for download (remote version: 26442)
Time: 0.8s, ETA: 0.0s [========================>] 55.08MiB/55.08MiB
Testing database: '/var/lib/clamav/tmp.31cb943695/clamav-e129800b69d746b1fe1e8b2ef16f0d58.tmp-daily.cvd' ...
4.Edit Clam AntiVirus configuration file
# vi /etc/clamd.d/scan.conf
●Line 14
# Default: disabled
LogFile /var/log/clamd.scan ← Uncomment
●Line 77
# Default: disabled
PidFile /run/clamd.scan/clamd.pid ← Uncomment
●Line 96
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /run/clamd.scan/clamd.sock ← Uncomment
●Line 219
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
#User clamscan ← Add # to the beginning of the line and comment it out (to make it work with root privileges)
5.Start Clam AntiVirus
# systemctl start clamd@scan ← Start clamd
# systemctl enable clamd@scan ← clamd auto-start setting
Created symlink /etc/systemd/system/multi-user.target.wants/clamd@scan.service → /usr/lib/systemd/system/clamd@.service.

# systemctl is-enabled clamd@scan
enabled

# systemctl status clamd@scan ← operation check
● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-01-22 15:57:41 JST; 57s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
 Main PID: 190805 (clamd)
    Tasks: 2 (limit: 4180)
   Memory: 416.2M
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─190805 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Feb 03 20:16:13 Lepard clamd[275984]: ELF support enabled.
Feb 03 20:16:13 Lepard clamd[275984]: Mail files support enabled.
Feb 03 20:16:13 Lepard clamd[275984]: OLE2 support enabled.
Feb 03 20:16:13 Lepard clamd[275984]: PDF support enabled.
6.Perform virus scan.
# wget http://www.eicar.org/download/eicar.com
# clamscan --infected --remove --recursive
/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND ← virus detection
/root/eicar.com: Removed. ← virus removal
---------- SCAN SUMMARY -----------
Known viruses: 8605057
Engine version: 0.103.5
Scanned directories: 1
Scanned files: 9
Infected files: 1 ← One virus detection
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 12.829 sec (0 m 12 s)
Start Date: 2022:02:03 20:23:05
End Date: 2022:02:03 20:23:17
7.Deployment of automatic virus scan execution scripts
# mkdir -p /var/www/system
# cd /var/www/system

# vi /var/www/system/clamscan.sh
#!/bin/bash
PATH=/usr/bin:/bin
# excludeopt setup: one path per line; a trailing "/" marks a directory
excludelist=/var/www/system/clamscan.exclude
if [ -s "$excludelist" ]; then
    for i in `cat "$excludelist"`
    do
        if [ $(echo "$i"|grep \/$) ]; then
            # strip the trailing "/"; clamscan treats the value as a regex,
            # so anchor it with "^" to avoid excluding e.g. /usr/lib/systemd
            i=`echo $i|sed -e 's/^\([^ ]*\)\/$/\1/p' -e d`
            excludeopt="${excludeopt} --exclude-dir=^$i"
        else
            excludeopt="${excludeopt} --exclude=^$i"
        fi
    done
fi
# signature update
freshclam
# virus scan (infected files are deleted because of --remove)
clamscan --recursive --remove ${excludeopt} /
# chmod 700 clamscan.sh
# echo "/sys/" >> /var/www/system/clamscan.exclude
# echo "/proc/" >> /var/www/system/clamscan.exclude
9.Run regular virus scans
# crontab -e
0 1 * * * /var/www/system/clamscan.sh > /dev/null 2>&1
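The cron entry above sends everything clamscan prints to /dev/null, so detections and files deleted by --remove are not recorded by the job. The following is an added example, not part of the original page: it summarises a saved scan report, assuming the job is changed to keep one (for instance with clamscan's --log=FILE option). The function names and the sample report, modelled on the output in step 6, are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a saved clamscan report. Function names are
# illustrative; the sample report is constructed from the output in step 6.

# "<signature> <path>" for every "<path>: <signature> FOUND" line.
clamscan_detections() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\2 \1/p' "$1"
}

# Paths clamscan deleted because --remove was given.
clamscan_removed() {
    sed -n 's/^\(.*\): Removed\.$/\1/p' "$1"
}

# Number on the "Infected files:" summary line; empty if the summary is missing.
clamscan_infected_count() {
    sed -n 's/^Infected files: *\([0-9][0-9]*\).*$/\1/p' "$1" | tail -n 1
}

# 0 = clean, 1 = detections, 2 = no summary (the scan did not finish).
# This mirrors clamscan's own exit codes (0 clean, 1 virus found, 2 error).
clamscan_log_status() {
    n=$(clamscan_infected_count "$1")
    [ -n "$n" ] || return 2
    [ "$n" -eq 0 ] || return 1
    return 0
}

# Constructed sample report, written to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
/root/notes.txt: OK
/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/root/eicar.com: Removed.
---------- SCAN SUMMARY -----------
Known viruses: 8605057
Scanned files: 9
Infected files: 1
EOF
}
```

A wrapper run from cron can call clamscan_log_status on the saved report and mail the output of clamscan_detections and clamscan_removed when the status is not 0.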
Mail Server Install
1. Install Postfix
1.Install the required software.
# dnf -y install postfix dovecot cyrus-sasl cyrus-sasl-plain
# systemctl enable postfix
# systemctl enable dovecot
# systemctl enable saslauthd
# dnf install cyrus-sasl-md5
Check if Postfix is installed.
# rpm -qa | grep postfix
postfix-3.5.8-2.el8.x86_64
pcp-pmda-postfix-5.3.1-5.el8.x86_64
postfix-perl-scripts-3.5.8-2.el8.x86_64
2.Register Postfix to the service.
# systemctl enable postfix.service
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.

# systemctl is-enabled postfix.service
enabled
3.Backup postfix configuration files, main.cf and master.cf files
# cp -p /etc/postfix/main.cf `date '+/etc/postfix/main.cf.%Y%m%d'`
# cp -p /etc/postfix/master.cf `date '+/etc/postfix/master.cf.%Y%m%d'`
4.Preprocessing for new users
Set up automatic sending and receiving of e-mails when a new user is added.
# mkdir -p /etc/skel/Maildir/{new,cur,tmp}
# chmod -R 700 /etc/skel/Maildir/
# echo "~/Maildir/"> /etc/skel/.forward
# chmod 600 /etc/skel/.forward
5.Pretreatment for existing users
# mkdir -p /home/<user>/Maildir/{new,cur,tmp}
# chown -R <user>:<user> /home/<user>/Maildir/
# chmod 700 /home/<user>/Maildir
# chmod 700 /home/<user>/Maildir/{new,cur,tmp}
6.Editing the SMTP Authentication Configuration File
# cp -p /etc/sasl2/smtpd.conf `date '+/etc/sasl2/smtpd.conf.%Y%m%d'`

# vi /etc/sasl2/smtpd.conf
●Lines 1 and 2: comment out, then add the following
# pwcheck_method: saslauthd
# mech_list: plain login
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: cram-md5 digest-md5 plain login
7.Registering and starting the saslauthd service
# systemctl enable saslauthd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/saslauthd.service to /usr/lib/systemd/system/saslauthd.service.

# systemctl is-enabled saslauthd.service
enabled

# systemctl start saslauthd.service
8.Create a Postfix user (e.g. puser)
# useradd -s /sbin/nologin puser
# passwd puser

# echo "<optional password>" | saslpasswd2 -p -u <Domain> -c puser
Change the group of the file /etc/sasldb2 to the postfix group so that Postfix can read it.
# sasldblistusers2
puser@<Domain>: userPassword

# chgrp postfix /etc/sasldb2
# vi /etc/postfix/main.cf
●Around line 96: add
#myhostname = virtual.domain.tld
myhostname = mail.<Domain>
●Around line 103: add a domain name
#mydomain = domain.tld
mydomain = <Domain>
●Around line 119: uncomment
myorigin = $mydomain
●Around line 135: change
inet_interfaces = all
●Around line 183: comment out line 183 and add the new setting on line 184.
#mydestination = $myhostname, localhost.$mydomain, localhost
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
●Around line 285: add
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
mynetworks = 192.168.11.0/24, 127.0.0.0/8 ←192.168.11.0/24 should match your environment.
●Around line 440: uncomment. Sets the mail storage format.
#home_mailbox = Mailbox
home_mailbox = Maildir/
●Around line 447: add
#mail_spool_directory = /var/mail
mail_spool_directory = /var/spool/mail
●Around line 593: add
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_banner = $myhostname ESMTP unknown
●Add the following to the last line
message_size_limit = 10485760
mailbox_size_limit = 1073741824
# SMTP-Auth Configuration
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# vi /etc/postfix/master.cf
●Remove the "#" at the beginning of lines 17 and 20
submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
10.Start Postfix.
# postmap hash:/etc/postfix/virtual
# systemctl start postfix.service
2.Install Dovecot
1.Edit the dovecot.conf file
# cp -p /etc/dovecot/dovecot.conf `date '+/etc/dovecot/dovecot.conf.%Y%m%d'`

# vi /etc/dovecot/dovecot.conf
●Around line 25: add
# protocols = imap pop3 lmtp
protocols = imap pop3
●Line 30: uncomment
# To listen only to IPv4, remove [::]
listen = *, ::

# vi /etc/dovecot/conf.d/10-auth.conf
●Line 10: uncomment and change
Plain text authentication is also allowed.
disable_plaintext_auth = no
●Line 100: add
auth_mechanisms = plain login
3.Edit the 10-mail.conf file
# vi /etc/dovecot/conf.d/10-mail.conf
●Line 30: uncomment
mail_location = maildir:~/Maildir
4.Edit the 10-master.conf file
# vi /etc/dovecot/conf.d/10-master.conf
●Lines 107-109: uncomment and add
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}
5.Edit the 10-ssl.conf file
# vi /etc/dovecot/conf.d/10-ssl.conf
●Around line 8
Change "ssl = required" to "ssl = yes".
ssl = yes
6.Register dovecot as a service and start it.
# systemctl enable dovecot.service
Created symlink from /etc/systemd/system/multi-user.target.wants/dovecot.service to /usr/lib/systemd/system/dovecot.service.

# systemctl is-enabled dovecot.service
Enabled

# systemctl start dovecot.service
7.Open ports with firewalld
# firewall-cmd --permanent --add-service=pop3
# firewall-cmd --permanent --add-service=imap
# firewall-cmd --permanent --add-service=smtp
# firewall-cmd --reload
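The edits in this section leave cleartext paths open: Dovecot accepts plaintext logins (disable_plaintext_auth = no) while TLS stays optional (ssl = yes), and the submission service is enabled with smtpd_tls_security_level=encrypt still commented out. The following added example (not from the original page) audits a configuration tree for those three settings; the function names and the sample files written by write_guide_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the cleartext-friendly mail settings this guide sets.
# Usage: audit_mail_conf /    (or a directory holding a copy of etc/)

# Last uncommented value of "key = value" in a Dovecot-style file.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" 2>/dev/null | tail -n 1
}

# Active "-o name=value" overrides of the submission service in master.cf.
submission_opts() {
    awk '/^submission[ \t]/ {on = 1; next}
         on && /^#/         {next}
         on && /^[ \t]+-o/  {print $2; next}
         {on = 0}' "$1" 2>/dev/null
}

audit_mail_conf() {   # $1 = root directory containing etc/dovecot, etc/postfix
    d="$1/etc/dovecot/conf.d"
    if [ "$(conf_value disable_plaintext_auth "$d/10-auth.conf")" = "no" ]; then
        echo "dovecot: disable_plaintext_auth=no, passwords accepted without TLS"
    fi
    if [ "$(conf_value ssl "$d/10-ssl.conf")" != "required" ]; then
        echo "dovecot: ssl is not 'required', TLS is optional for clients"
    fi
    opts=$(submission_opts "$1/etc/postfix/master.cf") || opts=""
    case "$opts" in
        "") ;;                                   # submission service not enabled
        *smtpd_tls_security_level=encrypt*) ;;   # TLS enforced on port 587
        *) echo "postfix: submission has no smtpd_tls_security_level=encrypt" ;;
    esac
}

# Constructed sample: the three files as this guide leaves them, under $1.
write_guide_sample() {
    mkdir -p "$1/etc/dovecot/conf.d" "$1/etc/postfix"
    printf 'disable_plaintext_auth = no\nauth_mechanisms = plain login\n' \
        > "$1/etc/dovecot/conf.d/10-auth.conf"
    printf '#ssl = required\nssl = yes\n' > "$1/etc/dovecot/conf.d/10-ssl.conf"
    printf '%s\n' 'submission inet n - n - - smtpd' \
        '#  -o syslog_name=postfix/submission' \
        '#  -o smtpd_tls_security_level=encrypt' \
        '  -o smtpd_sasl_auth_enable=yes' > "$1/etc/postfix/master.cf"
}
```

Run against the sample tree it prints one line per setting; with ssl = required, disable_plaintext_auth = yes and the encrypt override uncommented it prints nothing.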
Mail Server : Postfix + Clamav + Amavisd+SpamAssassin
1.Real-time scanning of emails
①Install Amavisd and Clamav Server
# dnf -y install amavisd-new clamd perl-Digest-SHA1 perl-IO-stringy
➁Edit configuration file
# vi /etc/clamd.d/scan.conf
●Line 81: uncomment
TemporaryDirectory /var/tmp

# touch /var/log/clamd.scan
# chown clamscan. /var/log/clamd.scan
# systemctl enable clamd@scan
➂Configure and start Amavisd
# vi /etc/amavisd/amavisd.conf
●Around line 13: delete the "#" at the beginning of the line
@bypass_spam_checks_maps = (1); # controls running of anti-spam code
●Line 23:
$mydomain = 'Domain';
●Around line 28: comment out
#$QUARANTINEDIR = undef; # -Q
●Around line 125: comment out
# $virus_admin = undef; # notifications recip
●Line 158: uncomment
$myhostname = 'mail.Domain';
●Around lines 163 and 164: uncomment
$notify_method = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
# systemctl enable amavisd
Created symlink /etc/systemd/system/multi-user.target.wants/amavisd.service → /usr/lib/systemd/system/amavisd.service.

# vi /etc/postfix/main.cf
# Add to last line
content_filter=smtp-amavis:[127.0.0.1]:10024

# vi /etc/postfix/master.cf
# Add to last line
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000

# systemctl restart postfix
2.Email spam protection
①Install SpamAssassin to prevent spam.
# dnf -y install spamassassin spamass-milter-postfix

# systemctl start spamassassin

# systemctl enable spamassassin
Created symlink /etc/systemd/system/multi-user.target.wants/spamassassin.service → /usr/lib/systemd/system/spamassassin.service.
②Configuring SpamAssassin
# vi /etc/mail/spamassassin/v310.pre
●Around line 24: remove the "#" from the beginning of the line
loadplugin Mail::SpamAssassin::Plugin::DCC
③SpamAssassin Configuration File Update Script
# cd /var/www/system
# vi /var/www/system/spamassassin-update.sh
#!/bin/bash
# work in the SpamAssassin config directory; stop if it is missing so the
# rm/mv commands below never run somewhere else
cd /etc/mail/spamassassin || exit 1
# fetch the rule archive and unpack it
wget -q https://github.com/kittyfreak/spamassassin_user_prefs/archive/refs/heads/main.zip
[ $? -ne 0 ] && exit
unzip main.zip >/dev/null 2>&1
[ $? -ne 0 ] && exit
rm -f main.zip
mv spamassassin_user_prefs-main/user_prefs .
rm -rf spamassassin_user_prefs-main
# rebuild local.cf and restart only when the rules differ from the last run
diff user_prefs user_prefs.org > /dev/null 2>&1
if [ $? -ne 0 ]; then
    cp user_prefs local.cf
    echo "report_safe 0" >> local.cf
    echo "rewrite_header Subject ***SPAM***" >> local.cf
    if [ -f /etc/rc.d/init.d/spamassassin ]; then
        /etc/rc.d/init.d/spamassassin restart > /dev/null
    else
        systemctl restart spamassassin > /dev/null
    fi
fi
cp user_prefs user_prefs.org

# chmod 700 /var/www/system/spamassassin-update.sh
# /var/www/system/spamassassin-update.sh
Confirm that the SpamAssassin configuration file has been created in the /etc/mail/spamassassin directory as of the current date.
# ls -l /etc/mail/spamassassin
合計 1520
drwxr-xr-x 2 root root 4096 1月 21 22:24 channel.d
-rw-r--r-- 1 root root 985 12月 12 19:06 init.pre
-rw-r--r-- 1 root root 499337 1月 21 23:20 local.cf
drwx------ 2 root root 4096 12月 12 19:06 sa-update-keys
-rw-r--r-- 1 root root 62 12月 12 19:06 spamassassin-default.rc
-rwxr-xr-x 1 root root 35 12月 12 19:06 spamassassin-helper.sh
-rw-r--r-- 1 root root 55 12月 12 19:06 spamassassin-spamc.rc
-rw-r--r-- 1 root root 499289 12月 29 00:02 user_prefs
-rw-r--r-- 1 root root 499289 1月 21 23:20 user_prefs.org
-rw-r--r-- 1 root root 2523 1月 21 22:52 v310.pre
-rw-r--r-- 1 root root 1194 12月 12 19:06 v312.pre
-rw-r--r-- 1 root root 2416 12月 12 19:06 v320.pre
-rw-r--r-- 1 root root 1237 12月 12 19:06 v330.pre
Set up cron to run automatically every day.
# crontab -e
0 2 * * * /var/www/system/spamassassin-update.sh > /dev/null 2>&1
④Incorporating SpamAssassin into Postfix
# vi /etc/postfix/master.cf
●Around line 12: add a "#" to the beginning of line 11 and add the SpamAssassin settings on line 12
# smtp inet n - n - - smtpd
smtp inet n - n - - smtpd
    -o content_filter=spamassassin
●Add to last line
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
spamassassin unix - n n - - pipe
    user=nobody argv=/usr/bin/spamc -e /usr/sbin/sendmail.postfix -oi -f ${sender} ${recipient}

# vi /etc/postfix/main.cf
●Add the following to the last line
content_filter=smtp-amavis:[127.0.0.1]:10024

# systemctl restart postfix