Installing Exim with ClamAV, SpamAssassin and Greylistd support on Debian 7.5

The development server caters for the delivery of email to a single host or domain.

Installing Exim, ClamAV, SpamAssassin and Greylistd

We install the required packages by executing the following command in a “root” shell.

apt-get install exim4-daemon-heavy clamav-daemon clamav-freshclam clamav-testfiles spamassassin greylistd

Once the installation is complete, we continue with the configuration of the components.

Populating ClamAV database

The initial virus database should be downloaded before ClamAV can be started. We download the current database by executing the following command in a “root” shell.

freshclam

To automatically update the ClamAV virus database, we start the clamav-freshclam service by executing the following command in a “root” shell.

service clamav-freshclam start

To start the daemon, we start the clamav-daemon service by executing the following command in a “root” shell.

service clamav-daemon start

Configuring SpamAssassin

The configuration of SpamAssassin is defined in the /etc/default/spamassassin file. To activate SpamAssassin, we set the value of ENABLED to 1, as shown below.

ENABLED=1

To automatically update the rules on a nightly basis, we set the value of CRON to 1, as shown below.

CRON=1

Configuring Greylistd

We activate Greylistd by executing the following command in a “root” shell.

greylistd-setup-exim4 add

Configuring ClamAV

To enable ClamAV to scan the mail spool directory, the user clamav should be added to the group Debian-exim. We add the user to the group by executing the following command in a “root” shell.

adduser clamav Debian-exim

The mail spool directory must also give the group write access to the files, and its directories need the setgid bit so that any new files created in them are assigned to the Debian-exim group. The setgid bit is applied to directories only, since on regular files it has no effect on group inheritance. We set the permissions by executing the following commands in a “root” shell.

chmod -Rf g+w /var/spool/exim4
find /var/spool/exim4 -type d -exec chmod g+s {} +

We need to confirm that the /etc/clamav/clamd.conf file contains the following; if it doesn’t, we need to set it.

AllowSupplementaryGroups true

To activate the new configuration, we restart the clamav-daemon service by executing the following command in a “root” shell.

service clamav-daemon restart

Configuring Exim

ClamAV

To enable ClamAV in Exim, we edit the /etc/exim4/exim4.conf.template file by uncommenting the following line. If our Exim configuration is split, we edit the /etc/exim4/conf.d/main/02_exim4-config_options file.

av_scanner = clamd:/var/run/clamav/clamd.ctl

To define the error message returned, we edit the /etc/exim4/exim4.conf.template file as follows. If our Exim configuration is split, we edit the /etc/exim4/conf.d/acl/40_exim4-config_check_data file.

# Deny if the message contains malware. Before enabling this check, you
# must install a virus scanner and set the av_scanner option in the
# main configuration.
#
# exim4-daemon-heavy must be used for this section to work.
#
deny
  malware = *
  message = This message was detected as possible malware ($malware_name).

SpamAssassin

To enable SpamAssassin in Exim, we edit the /etc/exim4/exim4.conf.template file by uncommenting the following line. If our Exim configuration is split, we edit the /etc/exim4/conf.d/main/02_exim4-config_options file.

spamd_address = 127.0.0.1 783

To have Exim add SpamAssassin's score headers to scanned messages, we edit the /etc/exim4/exim4.conf.template file as follows. If our Exim configuration is split, we edit the /etc/exim4/conf.d/acl/40_exim4-config_check_data file.

# Add headers to a message if it is judged to be spam. Before enabling this,
# you must install SpamAssassin. You also need to set the spamd_address
# option in the main configuration.
#
# exim4-daemon-heavy must be used for this section to work.
#
# Please note that this is only suitable as an example. There are
# multiple issues with this configuration method. For example, if you go
# this way, you'll give your spamassassin daemon write access to the
# entire exim spool which might be a security issue in case of a
# spamassassin exploit.
#
# See the exim docs and the exim wiki for more suitable examples.
#
warn
  spam = Debian-exim:true
  add_header = X-Spam_score: $spam_score\n\
            X-Spam_score_int: $spam_score_int\n\
            X-Spam_bar: $spam_bar\n\
            X-Spam_report: $spam_report

To reconfigure Exim, we execute the following command in a “root” shell.

dpkg-reconfigure exim4-config

To activate the new configuration, we reload the exim4 service by executing the following command in a “root” shell.

service exim4 reload
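
As an added example (not part of the original article), the following read-only shell functions check that each setting changed in the steps above is actually in place. The function names are hypothetical; the default paths are the ones named in this article.

```shell
#!/bin/sh
# Added example: read-only audit of the settings changed in this guide.
# Function names are hypothetical; default paths are those the article names.

# has_setting FILE REGEX: true if FILE has an uncommented line starting with REGEX.
has_setting() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*$2" "$1"
}

# in_group USER GROUP: true if USER is a member of GROUP.
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -Fxq "$2"
}

# spool_dirs_ok DIR: true if every directory under DIR is group-writable and setgid.
spool_dirs_ok() {
    [ -d "$1" ] && [ -z "$(find "$1" -type d ! -perm -2020 2>/dev/null | head -n 1)" ]
}

# report DESCRIPTION COMMAND...: run one check, print the result, count failures.
report() {
    desc=$1; shift
    if "$@"; then echo "ok    $desc"; else echo "FAIL  $desc"; fails=$((fails + 1)); fi
}

# audit_mail_stack [SA_DEFAULT] [CLAMD_CONF] [EXIM_CONF] [SPOOL_DIR]
# Returns the number of failed checks (0 means every setting is in place).
audit_mail_stack() {
    sa=${1:-/etc/default/spamassassin}
    clamd=${2:-/etc/clamav/clamd.conf}
    exim=${3:-/etc/exim4/exim4.conf.template}
    spool=${4:-/var/spool/exim4}
    fails=0
    report "SpamAssassin enabled"           has_setting "$sa" 'ENABLED=1([[:space:]]|$)'
    report "SpamAssassin nightly updates"   has_setting "$sa" 'CRON=1([[:space:]]|$)'
    report "clamd AllowSupplementaryGroups" has_setting "$clamd" 'AllowSupplementaryGroups[[:space:]]+true'
    report "Exim av_scanner uncommented"    has_setting "$exim" 'av_scanner[[:space:]]*='
    report "Exim spamd_address uncommented" has_setting "$exim" 'spamd_address[[:space:]]*='
    report "Exim malware ACL condition"     has_setting "$exim" 'malware[[:space:]]*='
    report "clamav in group Debian-exim"    in_group clamav Debian-exim
    report "spool dirs g+w and setgid"      spool_dirs_ok "$spool"
    return "$fails"
}

# Usage (as root): audit_mail_stack || echo "$? check(s) failed"
```

With a split Exim configuration, the settings live in two files, so pass the generated /var/lib/exim4/config.autogenerated as the third argument instead of the template.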

Setting up your own development server in Debian

In this series of articles, we will be setting up a new development environment under Debian 7.5. This will include a base server operating system, GUI Desktop Environment, Network Time Server, DNS server, Mail server, Database server and Web server. We will also be hosting our own Version Control System with integration into a Project Management and Issue and Time Tracking solution. We will also require our own Certificate Authority to request and sign digital certificates to use on our internal network and web server.

Operating System and Desktop Environment

As stated above, we will be making use of Debian 7.5 for our server operating system and either log in remotely to a shell over SSH or directly via a Desktop Environment.

Our Desktop Environment will be LXDE, because it is designed to work well with computers on the lower end of the performance spectrum – in my case, I am running my Debian server on a Pentium IV 1.7GHz with 512MB of RAM and 2 drives of 40GB and 160GB each – the latter being used as my data drive and the former to host the operating system. We’ll also be installing Gnome and KDE, which are both very common Desktop Environments.

Network Time

For us to be able to broadcast Coordinated Universal Time on our internal network, we will be using NTP.

DNS Server

For us to be able to host domains on our internal network, we will be using Bind.

Mail Server

For us to be able to send and receive email messages on our internal network, we will be using Exim 4 with ClamAV, SpamAssassin and Greylistd enabled.

Data storage

For us to be able to provide data storage for our applications, we will be making use of:

  • Relational databases;
  • In-memory object caching; and
  • NoSQL databases.

Relational database

MySQL Server 5.5 will provide our relational database back-end and we will be administering it through a web front-end making use of phpMyAdmin.

Object-caching

Memcached will provide our object-caching back-end and we will be administering it through a web front-end making use of phpMemcachedAdmin.

NoSQL database

MongoDB will provide our NoSQL database back-end and we will be administering it through a web front-end making use of RockMongo.

Web Server

The web front-ends will be hosted on Apache 2.2, with virtual hosts configured for each specific web front-end and SSL certificates securing the communication between the web front-ends and clients.

Java Application Server

Tomcat will provide our Java Application Server functionality.

Zend Framework

Zend Framework 2 is an open source framework for developing web applications and services using PHP 5.3+. Apigility provides the functionality to implement a WebAPI on top of the Zend Framework.

Version Control System

For us to provide our own version control system, we will be using Subversion and Mercurial, and also enabling access to it over the HTTPS protocol.

Project Management and Issue and Time Tracking

For us to provide our project management solution, we will be using Redmine, configuring access to both Subversion and Mercurial, and enabling access to it over the HTTPS protocol.


The articles will be published in the order below and as these become available, I will update the list with the appropriate links.

At the end of this series, we will have a comprehensive development server for internal use. A note on this: we are setting up the server behind an existing firewall, making use of the 192.168.100.x range of IP addresses.