Major Tutorial on Mail Server Setup: POP3 Dovecot, SMTP Sendmail, Mail Security thru MailScanner, Mailwatch Front-end

I.    Introduction

This document is a how-to covering the installation and configuration of POP3 using Dovecot, SMTP using Sendmail, an email security system using MailScanner, and a web-based front-end to MailScanner using Mailwatch.

II.    Planning the Installation

System Requirements:

a.    Linux Operating System (Kernel 2.2 and later)
b.    Apache Web Server
c.    Perl and perl modules
d.    GCC
e.    MySQL
f.    Vi editor
g.    PHP (w/ MySQL & GD Support)
h.    DBD
i.    DBD-MySQL
j.    wget
k.    unzip/unrar
l.    Dovecot
m.    Sendmail
n.    MailScanner/ClamAV/SpamAssassin
o.    Mailwatch

This was tested and deployed on Fedora Core 3 and later and CentOS 4.2 and later, with minimum hardware of an Intel Pentium 4, 1GB RAM, a 10/100 Mbps LAN card, and a standard configuration with no extra hardware.

Dovecot w/ Kerberos Authentication integration with Active Directory

On a fresh install of Fedora Core 2 or later, Dovecot is installed as the default IMAP server.

If you don’t have Dovecot already installed, use
#yum install dovecot

To start the dovecot daemon and ensure it starts with each system boot run
service dovecot start
chkconfig dovecot on


Prebuilt packages usually install /etc/dovecot.conf directly.

Modify /etc/dovecot.conf. The following lines (bold) need to be enabled:

# Protocols we want to be serving:
#  imap imaps pop3 pop3s
protocols = imap imaps pop3 pop3s
# IP or host address where to listen in for connections. It’s not currently
# possible to specify multiple addresses. “*” listens in all IPv4 interfaces.
# “[::]” listens in all IPv6 interfaces, but may also listen in all IPv4
# interfaces depending on the operating system. You can specify ports with
# “host:port”.
imap_listen = [::]
pop3_listen = [::]
# IP or host address where to listen in for SSL connections. Defaults
# to above non-SSL equilevants if not specified.
imaps_listen = [::]
pop3s_listen = [::]
# PEM encoded X.509 SSL/TLS certificate and private key. They’re opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/ can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
ssl_key_file = /usr/share/ssl/private/dovecot.pem
# Use this logfile instead of syslog(). /dev/stderr can be used if you want to
# use stderr for logging (ONLY /dev/stderr – otherwise it is closed).
log_path = /var/log/dovecot.log
# Directory where authentication process places authentication UNIX sockets
# which login needs to be able to connect to. The sockets are created when
# running as root, so you don’t have to worry about permissions. Note that
# everything in this directory is deleted when Dovecot is started.
login_dir = /var/run/dovecot-login
## IMAP login process
login = imap
# Settings default to same as above, so you don’t have to set anything
# unless you want to override them.

login = pop3
# You can use both fcntl and flock too; if you do the order they’re declared
# with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl
# and flock. Some operating systems don’t allow using both of them
# simultaneously, eg. BSDs. If dotlock is used, it’s always created first.
mbox_locks = fcntl
# Authentication process name.
auth = default
# If you are using SSL there is less benefit to digest-md5 and
# cram-md5 as the communication is already encrypted.
auth_mechanisms = plain
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use “static”.
#   passwd: /etc/passwd or similiar, using getpwnam()
#   passwd-file <path>: passwd-like file with specified location
#   static uid=<uid> gid=<gid> home=<dir template>: static settings
#   vpopmail: vpopmail library
#   ldap <config path>: LDAP, see doc/dovecot-ldap.conf
#   pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.conf
auth_userdb = passwd
# User to use for the process. This user needs access to only user and
# password databases, nothing else. Only shadow and pam authentication
# requires roots, so use something else if possible. Note that passwd
# authentication with BSDs internally accesses shadow files, which also
# requires roots. Note that this user is NOT used to access mails.
# That user is specified by auth_userdb above.
auth_user = root
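
The settings enabled above can be checked mechanically before the server is exposed. The script below is an added example, not part of the original tutorial or of Dovecot; it reads the flat key = value format shown above, and the sample file, key path and finding labels (CLEARTEXT_AUTH, KEY_PERMS, AUTH_ROOT) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): flag credential-exposing settings in a
# Dovecot 0.99-style dovecot.conf, the flat "key = value" format shown above.

# conf_value FILE KEY: print the last uncommented value assigned to KEY.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# has_word "LIST" WORD: succeed if WORD is one of the space-separated items.
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# audit_dovecot_conf FILE: print one finding per line, nothing if clean.
audit_dovecot_conf() {
    conf=$1
    protocols=$(conf_value "$conf" protocols)
    mechs=$(conf_value "$conf" auth_mechanisms)
    key=$(conf_value "$conf" ssl_key_file)
    auth_user=$(conf_value "$conf" auth_user)

    # PLAIN on the non-SSL listeners puts the password on the wire as-is;
    # the tutorial's telnet login on port 110 is exactly this case.
    if has_word "$mechs" plain; then
        for p in imap pop3; do
            if has_word "$protocols" "$p"; then
                echo "CLEARTEXT_AUTH: '$p' is served without SSL while auth_mechanisms includes plain"
            fi
        done
    fi

    # The config comment asks for a key file readable by root only.
    if [ -n "$key" ] && [ -e "$key" ]; then
        group_other=$(ls -ld "$key" | cut -c5-10)
        if [ "$group_other" != "------" ]; then
            echo "KEY_PERMS: $key is accessible to group/other ($group_other)"
        fi
    fi

    # Root is only needed for shadow and pam lookups, per the config comment.
    if [ "$auth_user" = "root" ]; then
        echo "AUTH_ROOT: auth process runs as root; confirm shadow or pam really requires it"
    fi
    return 0
}

# Constructed sample mirroring the settings enabled in the tutorial.
demo=$(mktemp -d)
: > "$demo/dovecot.pem"
chmod 644 "$demo/dovecot.pem"
cat > "$demo/dovecot.conf" <<EOF
# Protocols we want to be serving:
protocols = imap imaps pop3 pop3s
ssl_key_file = $demo/dovecot.pem
auth_mechanisms = plain
auth_user = root
EOF
audit_dovecot_conf "$demo/dovecot.conf"
rm -rf "$demo"
```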


a.    Use ps to check that the dovecot process is running; if it is not, there is an error in your dovecot.conf, so check your logs.
#ps -ef |grep dovecot
or use nmap to check that ports 110 and 143 are open

b.    Telnet localhost 143

[root@phi2 pam.d]# telnet localhost 143
Connected to localhost.localdomain (
Escape character is '^]'.
* OK dovecot ready.

Also check that it works from a remote host.



1. Create a domain user in Win2k Active Directory

2. Edit Kerberos file to have the right configuration

#vi /etc/krb5.conf

[libdefaults]
default_realm = PH2.freelinuxtutorials.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
PH2.freelinuxtutorials.COM = {
kdc =       —> IP of Domain Controller
admin_server =
}

where PH2.freelinuxtutorials.COM is the domain name of the Active Directory

3. Add the following lines to /etc/pam.d/system-auth

auth        sufficient    /lib/security/$ISA/ use_first_pass
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/
password    sufficient    /lib/security/$ISA/ use_authtok
session     optional      /lib/security/$ISA/

4. Add local linux account on mail server
#adduser username


1.    From another computer, telnet to the mail server on port 110
telnet 110
+OK dovecot ready.
user username
pass password
+OK Logged in.
+OK 12 44214

2.    Change the domain user’s password in Active Directory, then do the testing again.
3.    Use any email client and repeat the testing steps to confirm POP3 authentication via AD.

Sendmail Installation & Configurations

There are two basic ways to install sendmail: from source, or from packages (deb, rpm, tgz) built for the operating system.
In most Linux systems sendmail is available in RPM format.
If the sendmail package is not yet installed on your Linux machine, install it via yum
#yum install sendmail
#yum install sendmail-cf

If you want to install the latest sendmail package, get it at

1. Uncompress the latest sendmail.tar.gz file
2. cd <Uncompress sendmail source directory>
3. ./configure
4. make
5. make install


1.    run m4 to generate sendmail from
# m4 /etc/mail/ >/etc/mail/
# make

2.    create mailertable as per requirement and run make to create dbm/hash database file for mailertable as follows from /etc/mail directory

#make mailertable

3. Create a file named access and run the following command to create the access.db file
#make access.db
4. add local users aliases in /etc/aliases
5. run /bin/newaliases to update alias database files
6. restart sendmail service as:
#service sendmail restart

###Sample files used in the sendmail server
/etc/mail/access  file

localhost.localdomain     RELAY
localhost     RELAY     RELAY    RELAY
10.230.0        REJECT


# local-host-names – include all aliases for your machine here. configuration

dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/, you will need to regenerate the
dnl # /etc/mail/ file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
VERSIONID(`setup for Red Hat Linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readable by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
dnl LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from
dnl #
dnl MASQUERADE_AS(`')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just, but @* as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
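
Most of the file above is disabled with a leading dnl, so it is easy to misread which AUTH and TLS directives are in force. The script below is an added example, not part of the original tutorial or of sendmail; it lists only the active directives and checks the ones the comments above discuss. The sample file name and the finding labels are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): report which AUTH/TLS directives are
# really active in an m4 .mc file, where "dnl" at line start disables a line.

# active_directives FILE: drop blank lines and lines commented out with dnl.
active_directives() {
    grep -Ev '^[[:space:]]*(dnl([[:space:]]|$)|$)' "$1"
}

# mc_define FILE NAME: print the value of the last active define(`NAME', `...').
mc_define() {
    active_directives "$1" |
        sed -n "s/^define(\`$2',[[:space:]]*\`\(.*\)').*\$/\1/p" | tail -n 1
}

# mc_feature_on FILE NAME: succeed if FEATURE(`NAME'...) or FEATURE(NAME...) is active.
mc_feature_on() {
    active_directives "$1" | grep -Eq "^FEATURE\(\`?$2[',)]"
}

# audit_sendmail_mc FILE: print one finding per line, nothing if clean.
audit_sendmail_mc() {
    mc=$1

    # Without the "p" option, PLAIN/LOGIN is accepted on non-TLS links.
    auth=$(mc_define "$mc" confAUTH_OPTIONS)
    case " $auth " in
        *" p "*) ;;
        *) echo "AUTH_PLAINTEXT: confAUTH_OPTIONS='$auth' lacks 'p'; PLAIN/LOGIN is allowed on non-TLS links" ;;
    esac

    # STARTTLS needs both a server certificate and a key to be defined.
    cert=$(mc_define "$mc" confSERVER_CERT)
    key=$(mc_define "$mc" confSERVER_KEY)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "NO_TLS_CERT: confSERVER_CERT/confSERVER_KEY are not active; the server cannot offer STARTTLS"
    fi

    # VRFY and EXPN let a remote client confirm which local accounts exist.
    flags=$(mc_define "$mc" confPRIVACY_FLAGS)
    for f in novrfy noexpn; do
        case ",$flags," in
            *",$f,"*|*",goaway,"*) ;;
            *) echo "PRIVACY: confPRIVACY_FLAGS is missing $f" ;;
        esac
    done

    # The file's own comment recommends against accepting unresolvable domains.
    if mc_feature_on "$mc" accept_unresolvable_domains; then
        echo "UNRESOLVABLE: accept_unresolvable_domains is active"
    fi
    return 0
}

# Constructed excerpt using the same active/commented state as the file above.
demo=$(mktemp -d)
cat > "$demo/sample.mc" <<'EOF'
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
EOF
audit_sendmail_mc "$demo/sample.mc"
rm -rf "$demo"
```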


1.    Telnet the server port 25

telnet 25
Connected to (
Escape character is '^]'.
220 ESMTP Sendmail 8.13.1/8.13.1; Thu, 8 Mar 2007 20:25:28 +0800
250 2.1.0… Sender ok
250 2.1.5… Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 l28CQbXS030884 Message accepted for delivery

2. Test the mail server configuration with the following test cases:
•    from local user to other local user
•    from local user to user of other department/section
•    from local user to remote user
•    reply from local user
•    reply from user of other department/section
•    reply from remote user

MailScanner for Sendmail Installation and Configurations

MailScanner Installation Guide – Linux RPM
If you run into problems installing MailScanner, please ask for help on the mailing list. Please ensure you include your
•    Operating System and version
•    Perl version (Do “perl -v” to find out)
•    MailScanner version
•    SpamAssassin version
•    Installation info: rpm or tar, fresh install or update
Assumptions and Pre-requisites
For the purposes of this installation guide, it is assumed that you have installed a Linux server, including the packages
•    perl
•    sendmail
•    wget
•    unzip
•    gcc
If you are missing any of these packages, you will find them all on the Linux installation CD-ROM. I also assume that you already have a mailserver which currently handles your incoming mail. For the sake of this description, this mail host will be called “mailserver.your.domain”.
This distribution is provided as a tar file full of RPM packages. You need to unpack the tar file using a command like
tar xvf MailScanner-4.xx.x-x.tar
This will create a new directory, called something like MailScanner-4.xx.x-x. Move into the new directory using the “cd” command. If you do an “ls” at this point, you will see a file called “”, which you need to run using a command

MailScanner Installation Guide
SpamAssassin  can be a bit of a pig to install, so here is a guide of what I last did (on a Cobalt RaQ as it happened) to install it.
Download Mail-SpamAssassin-3.17.tar.gz from into somewhere sensible such as /root or /tmp.
If the site is down, search Google for the file and you’ll find a copy.
# perl -MCPAN -e shell
Whenever it asks for manual configuration, say no.
cpan> o conf prerequisites_policy ask
Stops it running away and installing loads of extras.
cpan> install Time::HiRes
cpan> install Net::DNS
cpan> quit
# tar xzf Mail-SpamAssassin-3.17.tar.gz
# cd Mail-SpamAssassin-3.17
# perl Makefile.PL
# make
You may now get some errors about pod2text. If you do, then do this command:
# ln -s /usr/bin/pod2man /usr/bin/pod2text
# make
# make test
This will fail horribly due to the lack of the file Pod/ so now do this to install it:
# perl -MCPAN -e shell
cpan> o conf prerequisites_policy ask
cpan> install Pod::Usage
cpan> quit
# make test
This time, the tests should succeed. They can take a while.
# make install
You now have installed SpamAssassin. The next step is to configure it and MailScanner.
1.    In /etc/MailScanner/MailScanner.conf, I would advise you set “Log Spam = yes” to start with.
2.    You will of course need “Use SpamAssassin = yes”.
3.    If you don’t have a very fast link, increase “SpamAssassin Timeout” to nearer 20.
Then just kill and restart MailScanner and you’re up and running.
# check_MailScanner
(This will print out the pids of the MailScanner processes)
Kill those pids with the “kill” command

You must install SpamAssassin (see below) and then change your Use SpamAssassin = setting in MailScanner.conf to yes (or use a ruleset). See other configuration parameters about SpamAssassin.
By far the easiest way of doing all this is by downloading
and using that.
tar xzf install-Clam-SA.tar.gz
cd install-Clam-SA
•    To check your ClamAV version:
[root@mymachine root]# clamscan -V


a. You’ll need the perl-DBI and perl-DBD-MySQL modules installed before you try this (and, of course, SpamAssassin, MySQL and MailScanner).
b. Some patience and a test environment before you go production.
Assumptions and Variables:
SpamAssassin Bayes Database Name: sa_bayes
SpamAssassin Bayes Database UserName: sa_user
SpamAssassin Bayes Database Password: sa_password
Your database server’s real name: local_fqdn
Every other server that’ll connect to and use this database: remote_fqdn (this name should be resolvable by DNS or /etc/hosts)

Create the MySQL database
First of all, create a database on the server where you intend on storing the bayesian information.
# mysql -u root -p #(some distros like redhat and clones have no password set by default.)
mysql> create database sa_bayes;
mysql> GRANT ALL ON sa_bayes.* TO sa_user@localhost IDENTIFIED BY 'sa_password';
mysql> GRANT ALL ON sa_bayes.* TO sa_user@local_fqdn IDENTIFIED BY 'sa_password';
mysql> GRANT ALL ON sa_bayes.* TO sa_user@remote_fqdn IDENTIFIED BY 'sa_password';
mysql> flush privileges;
Locate the bayes_mysql.sql file.
For RedHat(like) systems: /usr/share/doc/spamassassin-%version%/sql/bayes_mysql.sql
For Other systems: find / -name bayes_mysql.sql
# mysql -u sa_user -p sa_bayes < /path/to/bayes_mysql.sql

Make necessary changes to spam.assassin.prefs.conf
Make some changes to your spam.assassin.prefs.conf; on remote (MailScanner front-end) servers, replace 'localhost' with the value of 'local_fqdn'.
bayes_store_module           Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn                DBI:mysql:sa_bayes:localhost
bayes_sql_username           sa_user
bayes_sql_password           sa_password
bayes_sql_override_username  root
and comment out the following lines:
bayes_path /etc/MailScanner/bayes/bayes
bayes_file_mode 0660

Test out the setup
And finally the acid test.
# spamassassin -x -D -p /path/to/spam.assassin.prefs.conf --lint
Check for lines like:
debug: bayes: Database connection established
debug: bayes: found bayes db version 3
debug: bayes: Using userid: 2
and some more like
debug: bayes: tok_get_all: Token Count: 20
debug: bayes token 'somewhat' => 0.978
debug: bayes: score = 0.845189622547555
Make sure you stop and start MailScanner..
# /etc/init.d/MailScanner stop
..sleep 10 seconds
# /etc/init.d/MailScanner start
Also add this to your crontab
minute hour * * * /path/to/sa-learn --force-expire --sync -p /path/to/spam.assassin.prefs.conf

Troubleshooting MailScanner
The first thing to do is to have a look at your logs (usually in /var/log/maillog or /var/log/mail.log).
Debug Mode
How to use MailScanner’s debug mode effectively:
•    Shutdown MailScanner and your MTA
•    Start only your incoming MTA. This is usually done by the command service MailScanner startin on Redhat. Other distros/OS may vary
•    Set “Debug = yes” and “Debug SpamAssassin = yes” in MailScanner.conf, then run ‘check_MailScanner’.
•    Watch carefully the output for error messages and fix what you can fix.
•    Restore the debug options back to no
•    Restart MailScanner

Testing Anti-virus test signatures
Most, if not all, anti-virus programs recognize the EICAR test signature. A similar signature is also available for ClamAV, but this one is not recognized by any other scanners. To all intents and purposes, EICAR is all you need.
Go to and download the Eicar test virus, which is just a 68-character plain text file.
Email this file to your mail server that you want to test and look at the system logs to see what MailScanner does. Note that you can just telnet to your machine and send this string in the body, see the connexion page.
Most anti-virus scanners that are worth anything should pick up Eicar, and you should see MailScanner and your AV code noting that the mail message was infected with a virus.
You should also check to see if the message got cleaned and delivered, quarantined, or deleted according to your MailScanner configuration settings. The sender of the virus should receive notification that they sent a virus, if you have MailScanner configured to note infections.
Eicar should _NOT_ be in your Silent Virus list.
Install SPF packages
I found an RPM for libspf2 on Fedora Core 1 at:
I found an RPM for spfmilter on Fedora Core 1 at
You may be able to find one that is specific to your distribution. I tried compiling from source, but I failed.
Configure Sendmail with SPF
Add this line to /etc/mail/
INPUT_MAIL_FILTER(`spfmilter',`S=unix:/var/run/spfmilter/spfmilter.sock, T=S:8m;R:8m')
Rebuild the file :
cd /etc/mail/
m4 >
Enter the servers you want to whitelist in /etc/mail/spfmilter-whitelist.
Here is what I’ve got: #  internal server  # DMZ
Start the milter with the rc script:
/etc/init.d/spfmilter start
to add it at startup:
chkconfig --add spfmilter
To configure it:
/etc/sysconfig/spfmilter, but I had to dig into the rc script to get some config to work.
You should see it in ps
and netstat -lnp (listening socket)
unix  2      [ ACC ]     STREAM     LISTENING     28267609 11855/spfmilter     /var/run/spfmilter/spfmilter.sock

1.    Restart sendmail (or MailScanner)
2.    Check your logs (/var/log/maillog)
Send a message “from” * from another server.
To reject the message instead of just adding a header, remove the -m option in the config file /etc/sysconfig/spfmilter. I also had to delete the line
in the init script /etc/init.d/spfmilter to make it work

Installation of milter-greylist with sendmail
This document explains how to install milter-greylist. The SPF support is optional but allows the milter to not greylist SPF-compliant senders. The instructions are based on a CentOS3 box.
1.    Download the(milter)
2.    (optional) Download the libspf2 package (you can choose other spf libraries, but I chose this one)
3.    Untar packages
Installing libspf2
This step is optional
1.    cd into the libspf2 directory
2.    make && make install
Installing the milter
1.    Read the README file and make sure you have the prerequisites. The README is rather complete, so reading through it will reduce the chance of omitting the obvious.
2.    cd in the milter directory
3.    If you are installing with SPF support, run
./configure --with-libspf2=/usr/local
If you don’t want SPF support, just run
4.    make && make install (When compiling with SPF support, I had to manually copy spf_dns_internal.h to /usr/local/include/spf2/)
Configuring Sendmail to use the milter (but without doing anything)
1.    Copy milter-greylist.m4 in the sendmail-cf/feature/ directory (cp milter-greylist.m4 /usr/share/sendmail-cf/feature/)
2.    Add “FEATURE(`milter-greylist’)” to your file
3.    Re-read the README file of the milter
4.    Configure the /etc/mail/greylist.conf by making sure you add entries to whitelist your internal network and start by whitelisting everyone (add acl whitelist default at the very end).
5.    Copy the rc script in /etc/init.d/ (I used cp /etc/init.d/milter-greylist and make it executable
6.    Open a terminal with a tail -f /var/log/maillog
7.    Start the milter (service milter-greylist start)
8.    Make a copy of your and rebuild it. Then look at the .cf file to see if you have the right entries (see README)
9.    Make the milter start at startup
(chkconfig --add milter-greylist)
10.    Restart sendmail and check your logs
Enabling greylisting
1.    In /etc/mail/greylist.conf, enable greylisting gradually, either by e-mail address or by domain (see the README)

MailScanner Installation Guide — mailscanner.conf

System Settings

Max Children
Default is 5
MailScanner uses your server efficiently by running several identical processes at the same time, all processing mail. This is the number of these processes to run at once. Tuning this figure will optimise the performance of your system if you process a lot of mail. A good figure to start with is 5 children per CPU. So if you have 4 CPUs in your server, start by setting this to 20.
Run As User
Default is to not change user
Provided for Exim users (and anyone not running sendmail as root), this changes the user under which MailScanner runs
Run As Group
Default is to not change group
Provided for Exim users (and anyone not running sendmail as root), this changes the group under which MailScanner runs
Incoming queue dir
Default is /var/spool/
Directory in which MailScanner should find e-mail messages for scanning
Outgoing queue dir
Default is /var/spool/mqueue
Directory in which MailScanner should place scanned e-mail messages
Incoming work dir
Default is /opt/MailScanner/var/incoming
Directory in which to temporarily store unpacked MIME messages during scanning process
Quarantine dir
Default is /opt/MailScanner/var/quarantine
Directory under which to archive quarantined infected e-mail attachments
PID dir
Default is /opt/MailScanner/var
Directory in which to store MailScanner process id files
sendmail or exim
Default is sendmail
Specifies which email package you are using
Default is /usr/lib/sendmail
Location of sendmail program
Default is the value of the Sendmail setting
Command line used to deliver outgoing/cleaned messages.
Provided for Exim users so they can specify a different exim.conf file for delivering from the outgoing queue.

Processing Incoming Mail
Max Unscanned Bytes Per Scan
Max Unsafe Bytes Per Scan
Max Unscanned Messages Per Scan
Max Unsafe Messages Per Scan
These values define the maximum size of a batch of messages which are all processed together. If you have problems with your server not processing messages fast enough, you might want to increase these values from those supplied.
Expand TNEF
Default is yes
Should we use an external TNEF decoder or not? TNEF decoding is built into Sophos and McAfee, so this should be no for Sophos/McAfee users and yes for all others.
Deliver Unparsable TNEF
Default is no
Rich Text format attachments produced by some versions of Microsoft Outlook cannot be completely decoded at present. Setting this option to yes allows compatibility with the behaviour of earlier versions where these attachments were still delivered. This would introduce the slight chance of a virus getting through in the segment of the attachment that could not be decoded, but the setting may be necessary if you have a large number of Microsoft Outlook users who are troubled by the new behaviour.
TNEF Expander
Default is /opt/mailscanner/bin/tnef
Full pathname giving location of the MS-TNEF expander/decoder program, or the keyword internal which will force use of the optional Perl Convert::TNEF module instead of the external program.
TNEF Timeout
Default is 120
The maximum time (in seconds) that the TNEF decoder is allowed to take to disassemble 1 Microsoft Outlook attachment.
Block Encrypted Messages
Default is no
This is intended for use with a ruleset to ensure that none of your users is covertly mailing sites with which you would not normally communicate (e.g. your competitors).
Block Unencrypted Messages
Default is no
This is intended for use with a ruleset to ensure that mail is always encrypted before being sent. This could be used to ensure that mail to your business partners is sent securely.

Virus Scanning and Vulnerability Testing

Virus Scanning
yes or no
Default is yes
Scan email for viruses? Switching this to no completely disables all virus-scanning functionality.
Virus Scanners
sophos, mcafee, command, kaspersky, inoculate, inoculan, nod32, f-prot, f-secure, antivir, panda, rav, none
Default is none
Specifies which anti-virus package you are using
Note: If you are using several virus scanners, then this should be a space-separated list of the names of the scanners.
Virus Scanner Timeout
Default is 300
The maximum time (in seconds) that the virus scanner is allowed to take to scan 1 batch of messages.
Deliver Disinfected Files
Default is yes
Value is “yes” or “no”
Should infected attached documents be automatically disinfected and sent on to the original recipients
Silent Viruses
Messages whose virus reports contain any of the words listed here will be treated as “silent” viruses. No messages will be sent back to the senders of these viruses, and the delivery to the recipient of the message can be controlled by the next option “Still Deliver Silent Viruses”. This is primarily designed for viruses such as “Klez” and “Bugbear” which put fake addresses on messages they send, so there is no point informing the sender of the message, as it won’t actually be them who sent it anyway.
Still Deliver Silent Viruses
If this is set to yes then disinfected messages that originally contained one of the “silent” viruses will still be delivered to the original recipients, even though those addresses were chosen at random by the infected PC and do not correspond to anything a user intended to send. Set this to yes so that your users (and your management) appreciate how much MailScanner is doing to protect them, but set it to no if they complain a lot about receiving lots of virus warnings.

Removing Dangerous or Potentially Offensive Content

Allow Partial Messages
Default is no
Do you want to allow partial messages, which only contain a fraction of the attachments, not the whole thing? There is no way that “partial messages” can be scanned for viruses properly, as only a fragment of the message is ever processed, never the whole message at once.
Setting this option to yes is very dangerous as it can let viruses in. But you might want to use a ruleset to set it for some customers’ outgoing mail, for example.
Allow External Message Bodies
Default is no
There is a mechanism, very rarely used, in which the body of a message is contained on a remote server, which the user’s email application should download when it displays the message. Currently, I am only aware of this feature being supported by a few versions of Netscape, and the only people who use it are the IETF. There is no way to guarantee that the fetched file has no viruses in it, as MailScanner never sees it.
Setting this option to yes is very dangerous as it can let viruses in from remote “message body servers”.
Allow IFrame Tags
Default is no
Do you want to allow HTML <IFrame> tags in email messages? This is not a good idea as it allows various Microsoft Outlook security vulnerabilities to go unprotected, but if you have a load of mailing lists sending them, then you will want to allow them to keep your users happy.
Log IFrame Tags
You may receive complaints from your users that HTML mailing lists they subscribe to have been stopped by the “Allow IFrame Tags” option above. So before you use the option above, set this option to “yes” and MailScanner will log the senders of all messages which contain IFrame tags. You can then set up a ruleset for the option above which will allow IFrame tags in messages sent by well known (and trusted) mailing lists, while banning them from everywhere else.
Allow Object Codebase Tags
Default is no
Do you want to allow HTML <Object Codebase=…> tags in email messages? This will allow various Microsoft security vulnerabilities to go unprotected. I strongly advise you set this to “no” unless you have a very specific requirement.
Convert Dangerous HTML To Text
Default is no
When <IFrame> or <Object Codebase=…> HTML tags are allowed in messages, would you like to convert any messages containing them to plain text? This is very useful as an alternative to either banning them using the 2 options above, or else allowing them through untouched. This option will still give the users the chance to read the text content of the message while not exposing them to potentially dangerous or offensive HTML content.
Convert HTML To Text
If you have users who are children, or who are offended by things like pornographic spam email, you can protect them by converting incoming HTML email messages into plain text. HTML attachments will not be affected. You could set this to be a ruleset so you only convert messages addressed to some of your users, or not convert messages from some known trusted sources. This can be essential if you have a “duty of care” for some of your users.

Attachment Filename Checking

Filename rules
Default is /opt/MailScanner/etc/filename.rules.conf
File in which to store the attachment filename ruleset, documented below. This can be a ruleset allowing different filename rules to apply to different users or domains.

Reports and Responses

Quarantine Infections
Set this to store infected / dangerous attachments in directories created under the quarantine directory. Without this, they will be deleted. Due to laws on privacy and data protection in your country, you may be forced to set this to “no”.
Quarantine Whole Message
Default is no
When an infected message is stored in the quarantine, a copy of the entire message will be saved, in addition to copies of the infected attachments.
Quarantine Whole Messages As Queue Files
Default is no
When an entire message is saved in the quarantine for any reason, do you want to save it as the raw data files out of the mail queue (which can be processed with the df2mbox script, and which is easier to send to its original recipients), or do you want a conventional message file consisting of the header followed by the body of the message? If the previous option is switched off, then this will only affect archived mail and quarantined spam. If the previous option is on, then this also affects quarantined infections.
Deleted Bad Filename Message Report
When an attachment is deleted from a message because the filename failed the filename rules in force for the message, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
Deleted Virus Message Report
When an attachment is deleted from a message because the attachment contained a virus or other dangerous content, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
Stored Bad Filename Message Report
When an attachment is deleted from a message (and the attachment has been stored in the quarantine) because the filename failed the filename rules in force for the message, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
Stored Virus Message Report
When an attachment is deleted from a message (and the attachment has been stored in the quarantine) because the attachment contained a virus or other dangerous content, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
Disinfected Report
When, for example, a Microsoft Word macro virus has been safely removed from a document, leaving the original document intact, it is delivered on to the original recipient. The contents of this text file will be put in the body of the new message, explaining to the user what has happened.
Inline HTML Signature
Inline Text Signature
If the “Sign Clean Messages” option is set, then the contents of this file will be appended to the end of the body of every message that is scanned by MailScanner. You can use this to inform your users that MailScanner has scanned it, and you can also add any disclaimers you feel should be on mail travelling through your servers. The two options correspond to the contents that are appended to HTML messages and text messages respectively.
Inline HTML Warning
Inline Text Warning
When attachments have been removed from a message, the contents of these files are inserted at the start of the body of the message to guide the recipient to read the “VirusWarning.txt” attachments that contain the virus reports themselves.
Sender Error Report
When a message could not be processed completely for some reason, such as bad message structure or unreadable winmail.dat TNEF attachments, this message is sent back to the sender. Read the example file supplied for a demonstration of what variables can be used inside the file.
Sender Bad Filename Report
When an attachment is trapped by the filename rules, this message is sent back to the sender.
Sender Virus Report
When an attachment is removed because of a virus, this message is sent back to the sender.
Hide Incoming Work Dir
When this option is set, the full directory in which the virus was found will be removed from report messages sent to users. This makes the infection reports a lot easier to understand.

Changes to Message Headers

Mail header
Default is X-MailScanner:
Extra header that should be added to all scanned messages to show they have been scanned. You might want to add an abbreviation of your site name to this, so that you can find headers that are added by your MailScanner server.
Spam Header
Default is X-MailScanner-SpamCheck:
Name of the header to add to mail detected as spam. The text of the header lists the reasons the message is thought to be spam.
Spam Score Header
Default is X-MailScanner-SpamScore:
If the option “Spam Score” is set, this is the name of the header that is used to contain the list of characters.
Information Header
Default is X-MailScanner-Information:
Name of the header to add to all messages, to be used for simply providing a URL or contact information for anyone receiving mail that has gone through MailScanner. If you do not want this header, simply comment out this setting or set it blank.
Detailed Spam Report
Default is yes
If this is set to yes then you get the normal fully detailed spam report in spam messages. If this is set to no then you simply get a “spam” or “not spam” report. The exact text inserted can be configured in the languages.conf file for your language.
Spam Score Character
If the option “Spam Score” is set, this is the character that will be repeated in the “Spam Score Header”, one letter for each point in the SpamAssassin score.
Clean Header Value
This is the text that is added to the “Mail Header” when a message is found to be clean and free of viruses and other dangerous content.
Infected Header Value
This is the text that is added to the “Mail Header” when a message is found to be infected with a virus or other dangerous content.
Disinfected Header Value
This is the text that is added to the “Mail Header” of a message that is created by MailScanner to contain disinfected documents containing macro viruses that could be completely removed, leaving the original document intact.
Information Header Value
This is the text that is added to the “Information Header” of a message that has passed through MailScanner at all. It could be used to provide a URL or contact address for recipients if they have any queries about the messages they have received.
Multiple Headers
When a message passes through more than one MailScanner server on your site, they will each try to add their own headers. This option controls what should happen when trying to add a MailScanner header that already exists in the message.
This is the name of the MailScanner server that is put in messages to users. If you have more than one MailScanner server on your site, you will want to change this on each server so that you can tell them apart.
Sign Messages Already Processed
If a message has already been processed by another MailScanner server on your site, then the “Inline HTML/Text Signature” is not added to the message again if this option is set. Without it, you will get one signature added for every MailScanner server that processes the message.
Sign Clean Messages
If this option is set, then the “Inline HTML/Text Signature” will be added to the end of every clean message processed by MailScanner. You can use this to inform the recipient that the message has been checked, and also to add any legal disclaimer or copyright statement you want to add to every message. Using a ruleset for this option, you could very simply set it so that only messages leaving your site are signed, for example.
Mark Infected Messages
If this option is set, then the “Inline HTML/Text Warning” is added to the start of every message that is found to be infected or has had attachments removed for any reason. This can be used to guide the recipients to read the infection reports contained in the replacement attachments.
Mark Unscanned Messages
If this option is set, then any message which is not scanned by MailScanner gets the “Mail Header” added to it with the string contained in the “Unscanned Header Value” option. This can be used to advertise your MailScanner service to customers/clients who are currently not using it.
Unscanned Header Value
This supplies the text that is placed in the “Mail Header” of messages that have not been scanned, if the option “Mark Unscanned Messages” is set. It is a useful place to advertise your MailScanner service to new customers/clients.
Deliver Cleaned Messages
Once a message has had all viruses and dangerous content removed from it, it will then be delivered to the original recipients if this option is set. If you want the behaviour from previous versions of MailScanner that had the “Deliver From Local Domains” keyword, then you should set this to be a ruleset that only returns “yes” for messages destined for inside your site, and “no” for messages going out of your site.
Notify Senders
If this option is set, a message will be sent back to the address that sent each infected message. The text contained in these messages is supplied by the “Sender Reports” described earlier in this document.
Never Notify Senders Of Precedence
This contains a space-separated list of message “Precedence:” header values. If you receive a nasty message, the sender will not be notified if the “Precedence:” header value appears in this list. This is particularly useful for stopping MailScanner responding to poorly-maintained mailing lists.

Changes to the Subject: Line

Scanned Modify Subject
If this is set to “start” or “end” then the “Scanned Subject Text” is inserted at the start or the end of the Subject: line. This only happens if the Subject: line has not already been modified for any other reason.
Scanned Subject Text
This is the text inserted at the start or the end of the Subject: line if the “Scanned Modify Subject” option above is in effect.
Virus Modify Subject
If this is set, then the “Subject:” line of a message that was infected with a virus will have the “Virus Subject Text” text inserted at the start.
Virus Subject Text
This is the text inserted at the start of the “Subject:” line if the “Virus Modify Subject” option is set.
Filename Modify Subject
If this is set, then the “Subject:” line of a message that had an attachment with a dangerous filename will have the “Virus Subject Text” text inserted at the start.
Filename Subject Text
This is the text inserted at the start of the “Subject:” line if the “Filename Modify Subject” option is set.
Spam Modify Subject
If this is set, then the “Subject:” line of a message that was determined to be spam will have the “Spam Subject Text” text inserted at the start.
Spam Subject Text
This is the text inserted at the start of the “Subject:” line if the “Spam Modify Subject” option is set.
High Scoring Spam Modify Subject
If this is set, then the “Subject:” line of a message that was determined to be spam, and had a SpamAssassin score greater than the “High SpamAssassin Score” will have the “High Scoring Spam Subject Text” text inserted at the start.
High Scoring Spam Subject Text
This is the text inserted at the start of the “Subject:” line if the “High Scoring Spam Modify Subject” option is set.

Changes to the Message Body

Warning Is Attachment
When an infected or dangerous attachment is replaced with a text message containing the infection report, should the replacement be an attachment (yes) or should it be included inline in the main text of the message (no).
Attachment Warning Filename
When an infected or dangerous attachment is replaced with a text message containing the infection report, this is the filename of the attachment that appears in the message.
Attachment Encoding Charset
This is the name of the encoding character set used for the contents of “VirusWarning.txt” attachments. If your users do not use English as their preferred language, you may want to set this to “ISO-8859-1”.

Mail Archiving and Monitoring

Archive Mail
This option provides a list of directory names and/or email addresses to which all mail should be copied. You will probably want to make this a ruleset so that only mail to/from certain users is archived. Note that there may be severe legal privacy implications of using this option without the prior knowledge of the individuals whose messages you are archiving/copying.

Notices to System Administrators

Send Notices
Should system administrators listed in the “Notices To” option be notified of every infection found?
Notices Include Full Headers
If this option is set, then the system administrator notices will include the full headers of every infected message. If this option is set to “no” then only a restricted set of headers is included in the notices.
Hide Incoming Work Dir in Notices
When this option is set, the full directory in which the virus was found will be removed from report messages sent to administrators. This makes the infection reports a lot easier to understand. It is also very useful if your notices go to your customer sites.
Notice Signature
This string is added to the bottom of all system administrator notices, and is intended to be the signature of your MailScanner system. To insert “line-breaks” or “newline” characters, use the sequence \n.
Notices To
This option provides a list of the addresses to which virus notices should be sent. You may want to set this to be a ruleset, providing different notification addresses for different domains that you administer.
Local Postmaster
When virus warnings are sent to any users, this is the email address used as the “From:” header in the messages.

Definitions of Virus Scanners and Spam Detectors

Spam List Definitions
This file contains all the definitions of the “Spam Lists” (also known as RBL’s or DNSBL’s) which can be used to try to detect spam based on where each message came from. Many more spam lists can be added to this file, but it contains the most popular ones to get you started.
Virus Scanner Definitions
This file contains the locations of all the commands that are run for each virus scanner. Check this file before starting MailScanner to make sure it will run the correct command or wrapper script.

Spam Detection and Spam Lists (DNS Blocklists)
Spam Checks
If this option is set, messages will be checked to see if they are spam.
Spam List
This provides a space-separated list of “Spam Lists” (or RBL’s or DNSBL’s) which are checked for each message. These lists are based on the numeric IP address of the server that sent the message to your MailScanner server. Every list used here must be defined in the “Spam List Definitions” file mentioned above.
Spam Domain List
This provides a space-separated list of “Spam Lists” (or RBL’s or DNSBL’s) which are checked for each message. These lists are based on the domain name of the sender address of each message. Every list used here must be defined in the “Spam List Definitions” file mentioned above.
Spam List Timeout
This is the number of seconds to wait for each “Spam List” lookup to complete. If the lookup takes longer than this, it is killed and ignored.
Max Spam List Timeouts
If a “Spam List” lookup times out for this many consecutive checks without ever succeeding, then the particular “Spam List” entry will not be used any more, as it appears to be unreachable. When MailScanner restarts itself after a few hours, MailScanner will try to use the entry again, in case service has resumed properly.
Is Definitely Not Spam
This option would normally be a ruleset. Any messages for which the ruleset result is “yes” will never be marked as spam. This is used to create a spam “whitelist” of addresses which are never spam. You will probably want to include your own site (or your own site’s IP addresses) in this ruleset.
Is Definitely Spam
This option would normally be a ruleset. Any messages for which the ruleset result is “yes” will always be marked as spam. This is used to create a spam “blacklist” of addresses of known spammers.


Use SpamAssassin
Do you want to detect spam using the very good SpamAssassin package? You must have installed SpamAssassin before using this option, otherwise MailScanner will not start properly.
Max SpamAssassin Size
SpamAssassin is quite slow when processing very large messages. To work round this problem, this option provides a maximum size for messages that are processed with SpamAssassin. Most real spam is usually less than about 50,000 bytes per message.
Required SpamAssassin Score
This gives the minimum SpamAssassin score value above which messages are spam. This replaces SpamAssassin’s own “required_hits” value, so that it can be a ruleset and set to different values for different users/domains.
High SpamAssassin Score
Messages with a SpamAssassin score greater than this value are labelled as being “High Scoring Spam”, and a different set of “Spam Actions” are applied to messages scoring at least this value.
SpamAssassin Auto Whitelist
SpamAssassin has a feature which measures the ratio of spam to non-spam originating from different addresses, and will automatically add addresses to its own internal “whitelist” if most of the messages from an address is not spam. This option enables this feature of SpamAssassin. Please read their documentation for more information.
SpamAssassin Prefs File
SpamAssassin uses a “user preferences” file which can be used to set the values of various SpamAssassin options. This is the name of that file. Its most useful feature is that the RBL/DNSBL/”Spam List” checks done by SpamAssassin can be disabled as MailScanner already does them and there is little to be gained by doing these checks twice for every message.
SpamAssassin Timeout
This option sets the maximum number of seconds to wait for SpamAssassin to process a message. This is a useful protection against occasional bugs in SpamAssassin that can cause it to take hours to process a single message.
Max SpamAssassin Timeouts
If several consecutive calls to SpamAssassin time out, then MailScanner decides that there is something stopping SpamAssassin from working properly. It will therefore be disabled for the next few hours until MailScanner restarts itself, at which point it will be tried again.
Check SpamAssassin If On Spam List
If a message has already triggered any of the “Spam List” checks, the SpamAssassin check will be skipped if this option is set to “no”. This can help reduce the load on your server if SpamAssassin checks take a long time for some reason.
Always Include SpamAssassin Report
If this option is set, then the “Spam Header” will be included in the header of every message, so its presence cannot be used to filter out spam by your users’ e-mail applications.
Spam Score
If a message is spam, and this option is set, then a header will be added to the message containing 1 character for each point in the SpamAssassin score. This allows users to choose for themselves the SpamAssassin scores at which they want to do different things with the message, such as file it or delete it.

What to do with Spam

Spam Actions
This can be any combination of 1 or more of the following keywords, and these actions are applied to any message which is spam.
“deliver” – the message is delivered to the recipient as normal
“delete” – the message is deleted
“store” – the message is stored in the quarantine
“bounce” – a rejection message is sent back to the sender
“forward” – an email address is supplied, to which the message is forwarded
“striphtml” – all in-line HTML content in the message is stripped to plain text, which removes all images and scripts and so can be used to protect your users from offensive spam. Note that using this action on its own does not imply that the message will be delivered; you will need to specify “deliver” or “forward” to actually deliver the message.
High Scoring Spam Actions
This is the same as the “Spam Actions” option above, but it gives the actions to apply to any message whose SpamAssassin score is above the “High Scoring” threshold described above.
Sender Spam Report
When the “bounce” spam action is applied to a message that triggered both a “Spam List” check and SpamAssassin, this file gives the text to put in that message.
Sender Spam List Report
When the “bounce” spam action is applied to a message that triggered a “Spam List” check, this file gives the text to put in that message.
Sender SpamAssassin Report
When the “bounce” spam action is applied to a message that triggered SpamAssassin, this file gives the text to put in that message.

System Logging

Syslog Facility
This is the name of the “facility” used by syslogd to log MailScanner’s messages. If this doesn’t mean anything to you, then either leave it alone or else read the “syslogd” man page.
Log Spam
If this option is set, then every spam message will be logged to syslog. If you get a lot of spam, or your server load is high, you will want to leave this option switched off. But if you are having trouble with spam detection, setting this to “yes” temporarily can provide useful debugging output.
Log Permitted Filenames
If this option is set, then every attachment filename that passes the “filename rules” checks will be logged to syslog. Normally this is of no interest. But if you are having trouble getting your filename rules correct, setting this can provide useful debugging output.
Advanced Settings

Not for use by normal users. Setting this option to “yes” will put MailScanner into debugging mode, in which it creates slightly more output and will not become a daemon.
Always Looked Up Last
The value of the option is actually never used, but it is evaluated at the end of processing a batch of messages. It is designed to be used in conjunction with a Custom Function. The Custom Function should then be written to have a “side effect” of doing something useful such as logging lots of information about the batch of messages to a file or an SQL database.
Deliver In Background
When attempting delivery of any messages (when the “Delivery Method = batch”) the sendmail/Exim command will be run in the background so that MailScanner does not have to wait for the delivery attempt to complete. There are very few good reasons for setting this to “no”.
Delivery Method
With this option set to “batch”, then an attempt is made to deliver all of the messages in the current batch once they have been completely processed by MailScanner. With this option set to “queue”, the messages are just placed in the outgoing queue, leaving sendmail/Exim to attempt to deliver them the next time it processes its queue. This can be useful on servers with very high load.
Lockfile Dir
This is the directory in which lock files are placed to stop the virus scanners being used while they are in the middle of updating themselves with new virus definitions. If you change this at all, you will need to edit the “autoupdate” scripts for all your virus scanners.
Lock Type
Do not set this option to anything unless you know exactly what you are doing. For sendmail and Exim, MailScanner will choose the correct value by default. This affects how mail queue files are locked, and your mail will be totally screwed up if you set this option to anything other than the correct value for your MTA. So leave it alone and let MailScanner choose the correct value for you.
Minimum Code Status
Some of the virus scanners are not supported by the authors of MailScanner, and they may use code contributed by another user. If this option is set to the wrong value for your virus scanners, then you will get an error message in your maillog (syslog) telling you that it is set wrong and MailScanner will refuse to start. The error message will include the location of a web page describing this option in more detail, and this tells you what value to set this to for each virus scanner that can be used by MailScanner.

Attachment Filename Ruleset
This is held in the filename pointed to by the configuration option Filename rules. It contains a set of rules that are used to judge whether any given file attachment should be accepted or rejected on the basis of its filename, regardless of whether it is found to be virus-infected or not.
This can not only be used for draconian measures such as banning all .exe attachments, but it can be used with any Perl regular expression to provide facilities such as detection of attempts at hiding filenames.
Many Windows e-mail programs (e.g. Microsoft Outlook) hide common file extensions in an attempt to not baffle the user. The result is that while an attachment called “Your Document.doc” is helpfully displayed as “Your Document”, a more sinister attachment such as “Looks Safe.txt.pif” will appear simply as “Looks Safe.txt”. Many users recognise the .txt filename extension as applying to plain text files, which they know are safe. So even an experienced user may well double-click on this attachment thinking it is just going to start Notepad and display the text file.
However, the file is really an MS-DOS shortcut (.pif file) and can execute any arbitrary commands the author wanted: all without any indication to the unwitting user.
The rules are matched in order from the top to the bottom of the file, and the first rule containing a matching regular expression is used.
Each line of the file is either blank, a comment (in which case it starts with a ‘#’ character) or is a rule made up of 4 fields separated by one or more TAB characters.
allow / deny
Accept or reject the attachment if its filename matches the regular expression.
regular expression
The rule is executed if the attachment matches this expression. It may optionally be surrounded in ‘/’ characters.
log text
If the rule matches, this text is placed in the syslog. If the text is “-”, no string is logged.
user text
If the rule matches, this text is placed in the text message sent to the user. If the text is “-”, no text is used.
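
As an added illustration (not MailScanner's own code), the following Python example parses a ruleset in the four-field format described above and applies it first-match-wins, including a mis-ordered ruleset in which a loose allow rule shadows the deny rules. The sample rules and rule texts are constructed; case-insensitive matching, Python's `re` standing in for Perl regular expressions, and the "no-match" result for unmatched names are assumptions.

```python
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str               # "allow" or "deny"
    pattern: "re.Pattern"     # compiled filename regular expression
    log_text: Optional[str]   # None when the field is "-"
    user_text: Optional[str]  # None when the field is "-"
    line_no: int              # line in the ruleset, useful when auditing


def parse_rules(text: str) -> List[Rule]:
    """Parse ruleset text: blank lines, '#' comments, or 4 TAB-separated fields."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # One or more TABs separate fields; spaces do not, so the
        # log and user texts may contain spaces.
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            raise ValueError(
                f"line {line_no}: expected 4 TAB-separated fields, got {len(fields)}")
        action, regex, log_text, user_text = (f.strip() for f in fields)
        action = action.lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"line {line_no}: unknown action {action!r}")
        # The expression may optionally be wrapped in '/' characters.
        if len(regex) > 2 and regex[0] == "/" and regex[-1] == "/":
            regex = regex[1:-1]
        rules.append(Rule(
            action,
            re.compile(regex, re.IGNORECASE),  # assumption: case-insensitive
            None if log_text == "-" else log_text,
            None if user_text == "-" else user_text,
            line_no,
        ))
    return rules


def first_match(rules: List[Rule], filename: str) -> Optional[Rule]:
    """Return the first rule, top to bottom, whose expression matches."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule
    return None


def verdict(rules: List[Rule], filename: str) -> str:
    rule = first_match(rules, filename)
    # Assumption: the page does not say what happens when nothing matches.
    return rule.action if rule else "no-match"


def _ruleset(*rows) -> str:
    """Build constructed ruleset text; two TABs show that a run of TABs is one separator."""
    body = "\n".join("\t\t".join(row) for row in rows)
    return "# constructed sample ruleset\n\n" + body + "\n"


# Specific deny rule first, then the general rules.
ORDERED = _ruleset(
    ("deny", r"/\.[a-z0-9]{2,4}\s*\.(pif|exe|scr)$/",
     "Hidden double extension", "The attachment hides its real file type"),
    ("allow", r"\.(doc|txt)$", "-", "-"),
    ("deny", r"\.pif$", "MS-DOS shortcut", "MS-DOS shortcuts are not accepted"),
)

# Same intent, but an unanchored allow rule sits first and wins for
# "Looks Safe.txt.pif" before any deny rule is consulted.
SHADOWED = _ruleset(
    ("allow", r"\.txt", "-", "-"),
    ("deny", r"\.pif$", "MS-DOS shortcut", "MS-DOS shortcuts are not accepted"),
)


if __name__ == "__main__":
    names = ("Your Document.doc", "Looks Safe.txt.pif", "game.PIF", "photo.jpg")
    for label, text in (("ordered", ORDERED), ("shadowed", SHADOWED)):
        rules = parse_rules(text)
        for name in names:
            hit = first_match(rules, name)
            where = f"line {hit.line_no}" if hit else "-"
            print(f"{label:9} {name:22} {verdict(rules, name):9} {where}")
```

Anchoring expressions with `$` and placing the most specific deny rules above broad allow rules keeps a hidden extension from being accepted by an earlier, looser rule.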

Installation and Configuration of Mailwatch for MailScanner

MailWatch for MailScanner is a web-based front-end to MailScanner. Each page header displays the inbound/outbound mail queue size, the load average and today’s totals for messages, spam, viruses and blocked content. Quarantine management allows you to release, delete or run sa-learn across any quarantined messages, etc.

Tested on CentOS 4.4, MailScanner ver. 4.57.6, Sendmail-8.13


a.    Working MailScanner setup
b.    MySQL
c.    Apache
d.    PHP (w/ MySQL and GD Support)
e.    Perl
f.    DBD
g.    DBD-MySQL

PHP configuration (php.ini) as follows:
•    short_open_tag = On
•    safe_mode = Off
•    register_globals = Off
•    magic_quotes_gpc = On
•    magic_quotes_runtime = Off
•    session.auto_start = 0
Install also PHP-GD, PHP-MySQL
#yum install php-gd
#yum install php-mysql

1.    Download the source tarball in , latest stable version is 1.0.3.

2.    Uncompress the tarball file in /usr/local/src
#tar zxvf mailwatch-1.0.3.tar.gz
#cd mailwatch

3.    Create the database
#mysql -p < create.sql

4.    Create a MySQL user/password and setup MailScanner for SQL Logging
#mysql -u root -p
mysql> GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY '<password>';

5.    Edit and Copy
Change the $db_user and $db_pass values accordingly and move to /usr/lib/MailScanner/MailScanner/CustomFunctions
#mv /usr/lib/MailScanner/MailScanner/CustomFunctions

6.    Create a Mailwatch web user
# mysql mailscanner -u mailwatch -p
Enter password: ******
mysql> INSERT INTO users VALUES ('username',md5('password'),'name','A','0','0','0','0','0');

7.    Install and Configure Mailwatch
Move the “mailscanner” directory to the web server’s root directory
# cd /usr/local/src/mailwatch
#mv mailscanner /var/www/html

8.    Change the ownership and permissions of /var/www/html/mailscanner/images and /var/www/html/mailscanner/images/cache
# cd /var/www/html/mailscanner
# chown root:apache images
# chmod ug+rwx images
# chown root:apache images/cache
# chmod ug+rwx images/cache

9.    Create conf.php by copying conf.php.example and edit the values to suit. You will need to set DB_USER and DB_PASS to the MySQL user and password that you created earlier.
#cp conf.php.example conf.php
#vi conf.php

For MailScanner versions 4.43 or later, you can activate the new functionality by setting QUARANTINE_USE_FLAG to true in conf.php. If you do this, you must disable the clean.quarantine script supplied by MailScanner and use the new quarantine_maint.php script in the tools directory instead.

To disable the clean.quarantine script edit /pathtomailmailscanner/bin/cron/clean.quarantine.cron and change from $disabled = 0; to $disabled = 1;
#vi /etc/cron.daily/clean.quarantine

To clean the quarantine, set ‘QUARANTINE_DAYS_TO_KEEP’ in conf.php and run ‘./quarantine_maint.php --clean’.
This should then be run daily from cron. You can do this by running:

#echo "/usr/local/src/mailwatch/tools/quarantine_maint.php --clean" > /etc/cron.daily/
#chmod +x /etc/cron.daily/

then execute:

10.    Setup MailScanner
Stop MailScanner first
#service sendmail stop
#service MailScanner stop

11.    Edit /etc/MailScanner/MailScanner.conf and make sure the following options are set:
•    Quarantine User = root
•    Quarantine Group = apache (this should be the same group as your web server)
•    Quarantine Permissions = 0660
•    Quarantine Whole Message = yes
•    Quarantine Whole Message As Queue Files = no
•    Detailed Spam Report = yes
•    Include Scores In SpamAssassin Report = yes
•    Always Looked Up Last = &MailWatchLogging
Spam Actions and High Scoring Spam Actions should also have ‘store’

12.    Start MailScanner up again and monitor the logs
#service MailScanner start
#tail -f /var/log/maillog

You should see something like:
Jan 1 12:18:23 hoshi MailScanner[26388]: MailScanner E-Mail Virus Scanner version 4.20-3 starting…
Jan 1 12:18:24 hoshi MailScanner[26388]: Config: calling custom init function MailWatchLogging
Jan 1 12:18:24 hoshi MailScanner[26388]: Initialising database connection
Jan 1 12:18:24 hoshi MailScanner[26388]: Finished initialising database connection

13.    Test the Mailwatch interface
Access using browser: http://hostname/mailscanner, then enter username and password (MailWatch web user that you created earlier) when prompted.

Procedure when messages are quarantined again after being released in Mailwatch

You need to bypass certain checks for messages from to allow the released messages to pass through MailScanner without being quarantined again.

1. Set the following in /etc/MailScanner/MailScanner.conf:

Filename Rules = %rules-dir%/filename.rules
Filetype Rules = %rules-dir%/filetype.rules
Dangerous Content Scanning = %rules-dir%/content.scanning.rules
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

2.    Create the files needed:

a. #vi /etc/MailScanner/rules/filename.rules
then set as follows:
From:       /etc/MailScanner/filename.rules.allowall.conf
FromOrTo:      default         /etc/MailScanner/filename.rules.conf

b. #vi /etc/MailScanner/rules/filetype.rules
then set as follows:
From:       /etc/MailScanner/filetype.rules.allowall.conf
FromOrTo:      default         /etc/MailScanner/filetype.rules.conf

c. #vi /etc/MailScanner/filename.rules.allowall.conf
then set as follows:
allow   .*      -       -

d. #vi /etc/MailScanner/filetype.rules.allowall.conf
then set as follows:
allow   .*      -       -

e. #vi /etc/MailScanner/rules/content.scanning.rules
From:       no
FromOrTo:       default        yes

f. Append to the spam.whitelist.rules
#vi /etc/MailScanner/rules/spam.whitelist.rules
From:       yes
FromOrTo:       default        no
