Innovators in Mail server, Webmail and appliance solutions

You can add per-domain AV and Spam filtering support, if you wish. Just follow the following steps:

1.) open up /usr/local/atmail/mailserver/configure

2.) find:

MYSQL_DOMAINS = select Hostname from Domains where Hostname='${quote_mysql:$domain}'

3.) Below this, add:

MYSQL_AVCHECK = SELECT Hostname from Domains where AV='1' and Hostname='$domain'

MYSQL_SPAMCHECK = SELECT Hostname from Domains where Spam='1' and Hostname='$domain'

4.) Then, find this line:

domainlist relay_to_domains =

5.) Below this:

domainlist sa_domains = mysql;MYSQL_SPAMCHECK
domainlist av_domains = mysql;MYSQL_AVCHECK

6.) Then, find:

accept  hosts = :

7.) Below this:

warn domains = +av_domains
set acl_m1 = 1

warn domains = +spam_domains
set acl_m2 = 1

8.) Then, find:

acl_check_content:

9.) Below this, add:

accept condition = ${if match{$acl_m1}{1}}

accept condition = ${if match{$acl_m2}{1}}

10.) Login to your MySQL

11.) Add the two other columns to the Domains table:

> alter table Domains add Spam tinyint(1) default NULL;
> alter table Domains add AV tinyint(1) default NULL;

12.) To enable filtering for a specific domain, do the following:

> update Domains set Spam='1' where Hostname='yourdomain.com';

Replace yourdomain.com with your chosen domain.

13.) Restart atmail:

% /etc/init.d/atmailserver restart

On certain machines, you might not have a loopback address assigned. And when trying to use SpamAssassin, it shows this error in /var/log/maillog:

host-foo spamd: spamd: connection from [ip address] at port 55390
spamd: unauthorized connection from [ipaddress]

SpamAssassin usually binds to all the IP addresses on the machine, but you'll need to specify which IP addresses are allowed to be a client. If you have no loopback IPs configured, it detects your IP as a public IP.

You will need to do the following:

- open up /etc/rc.d/atmailserver (or an equivalent)

- find this line:

/usr/local/atmail/spamassassin/bin/spamd -d -x -q -u atmail --virtual-config-dir=/usr/local/atmail/ -m 6 -r /usr/local/atmail/spamassassin/spamd.pid

- change to:

/usr/local/atmail/spamassassin/bin/spamd -A [public IP adddress] -d -x -q -u atmail --virtual-config-dir=/usr/local/atmail/ -m 6 -r /usr/local/atmail/spamassassin/spamd.pid

Where [public IP address] is your IP address.

- restart AtMail:

   % /etc/init.d/atmailserver restart 

When compiled with Exim, the libspf libraries can sometimes cause issues. Sometimes it is best to use the SPFQuery binaries for SPF support.

To use SPFQuery with Exim, just go through the following steps:

- download Mail::SPF from http://search.cpan.org/CPAN/authors/id/J/JM/JMEHNLE/mail-spf/Mail-SPF-v2.006.tar.gz

- untar, install:

% tar xvfz Mail-SPF-v2.006.tar.gz
% cd Mail-SPF-v2.006
% perl Makefile.PL && make && make install

- open the /usr/local/atmail/mailserver/configure file (or where your Exim configuration file is located).

- find this line:

accept  local_parts   = postmaster
domains       = +local_domains

- below this, add:

# SPF Acl clause
warn  set acl_m1  = --ip-address=$sender_host_address  --mfrom=$sender_address --helo=$sender_helo_name
set acl_m1  = ${run{/usr/bin/spfquery $acl_m1}{$value}{fail}}

deny message    = SPF check fail. $sender_host_address is not allowed to send mail from $sender_address_domain.
condition   = ${if eq {$runrc}{1}{1}{0}}

- restart exim:

% killall -HUP exim

- you can also add this line to check for soft failures:

warn message    = SPF check soft fail. Your host is not set as an allowed sender for $sender_address_domain.     condition   = ${if eq {$runrc}{2}{1}{0}}

"A DNS Blacklist, or DNSBL, is a means by which an Internet site may publish a list of IP addresses that some people may want to avoid and in a format which can be easily queried by computer programs and the Internet. The technology is built on top of the Internet Domain Name System, or DNS. DNSBLs are chiefly used to publish lists of addresses linked to spamming. Most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists." - http://en.wikipedia.org/wiki/DNSBL

To install apache DNSBL you must first have Apache 2.2 with the mod_access.so module installed.

The module that this document will walk you through installing is called mod_access_dnsbl and it's homepage can be found here, in particular, the file that you will need is here.
It is a requirement of mod_access_dnsbl that the mod_dnsbl_lookup module be installed first, which can be found here.
These files can be downloaded with the following commands:

# wget http://www.apacheconsultancy.com/modules/mod_access_dnsbl/mod_access_dnsbl-0.01.tar.gz
# wget http://www.sysdesign.ca/archive/mod_dnsbl_lookup-0.91.tar.gz

It is recommended that you move these files into a sub-directory of /tmp, this can be achieved with the following commands

# mkdir /tmp/apachednsblinstall
# mv ./mod_access_dnsbl-0.01.tar.gz /tmp/apachednsblinstall/
# mv ./mod_dnsbl_lookup-0.91.tar.gz /tmp/apachednsblinstall/
# cd /tmp/apachednsblinstall

Now you must extract the files with the following commands

# tar xzvf mod_access_dnsbl-0.01.tar.gz
# tar xzvf mod_dnsbl_lookup-0.91.tar.gz

Move into the newly created mod_dnsbl_lookup directory:

# cd mod_dnsbl_lookup-0.91

Compile and install the module

# ./autogen.sh
# ./configure
# make
# make install

(for configuration options of this module, refer to /tmp/apachednsblinstall/mod_dnsbl_lookup-0.91/README)

Proceed to the mod_access_dnsbl directory with the following command:

# cd ../mod_access_dnsbl-0.01

Install the mod_access_dnsbl module with the following command (NOTE: You will need to have the apxs tool installed: http://httpd.apache.org/docs/2.2/programs/apxs.html)

# apxs -cia mod_access_dnsbl.c

(for configuration options of this module, refer to /tmp/apachednsblinstall/mod_access_dnsbl-0.01/README)

Ensure that the necessary lines in your httpd.conf file have been updated to load the extra modules, they should look something like this:

LoadModule dnsbl_lookup_module  modules/mod_dnsbl_lookup.so
LoadModule access_dnsbl_module  modules/mod_access_dnsbl.so

Restart Apache 2.x

# /etc/init.d/apachectl restart

Your new Apache DNSBL should now be up and running!

You can limit AtMail to only access the local Mailserver by doing the following:

- go to WebAdmin > Config > Mail Configuration

- set the MailServer field to "127.0.0.1"

- save changes

- download the file from: http://atmail.com/kb/attach/mailserver-update.txt

- place it on your server as: /usr/local/atmail/webmail/modules/mailserver-update.php

- execute the file:

% cd /usr/local/atmail/webmail/modules/ && php mailserver-update.php

- this will update every local user's MailServer definition to " 127.0.0.1 "

- you can further limit access by setting WebAdmin > Config > Mail Configuration > Mail Type to "No External Servers"

- save changes, restart Apache.

Since Atmail 5.5 DKIM support is added to the mail-server version of the software.
DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. This can assist with marking your emails as "trusted" and guarantee a greater level of delivery and less false positives with spam-filters. Providers such as Gmail and other large ISP's validate DKIM headers, and we recommend admins adopt this practice to help with message integrity.
Should you wish for all outgoing messages sent from your server to be DKIM signed, follow the steps below.

1: Make sure you are running Atmail 5.5, otherwise upgrade your copy to the latest version. Verify your server has DKIM support compiled into Exim:

/usr/local/atmail//mailserver/bin/exim -dd 2>&1 | grep Experimental_DKIM

This should return:

Support for: crypteq iconv() OpenSSL Content_Scanning Experimental_DKIM

2: Create a new private/public pair key via the cmd-line:

openssl genrsa -out /usr/local/atmail/mailserver/dkim.key 1024
openssl rsa -in /usr/local/atmail/mailserver/dkim.key -out /usr/local/atmail/mailserver/dkim.public -pubout -outform PEM

3: View the contents of /usr/local/atmail/mailserver/dkim.public

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEYVlzEzrHH1ile+IYBZasjVTi
n+kacOvmpiJGhxNuGKhTmOCrvLh4Z+eQp1Dvj7kJNUU3EF5nEbFl7WTb/Z3uxxET
MImk47xX2eJdr/q98c+gJurZvlbpFuTT9JhXRmA8kkHZrARHUpsWZMsNt69ewgQK
XaAKH1MH5I4y0+JsqQIDAQAB
-----END PUBLIC KEY-----

4: Remove the --BEGIN and --END tags, and remove line breaks so the public key spans a single line. Add the following to your DNS server zone file:

mail._domainkey.yourdomain.com. IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQE............KXaAKH1MH5I4y0+JsqQIDAQAB"

5: Open the Exim configure file, locate the transport "remote_smtp" and append the following.

remote_smtp:
driver = smtp
#
dkim_domain=yourdomain.com
dkim_selector=mail
dkim_private_key=/usr/local/atmail/mailserver/dkim.key
#

6: Restart your nameserver and the Atmail services ( /etc/init.d/atmailserver restart )

7: Via Webmail or an external mail-client, send a message via SMTP to an outside address. View the headers of the email and if successful, you will see the header lines:

Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;d=yourdomain.com; s=mail; h=MIME-Version:Message-ID:To:Reply-To:Content-Type:Date:Subject:From; bh=4WWVzoOsUWW0f4BYC2VHYfz2dQAB9PwjbTcHsvaaHrY=; b=GvkmrnJM1f2MhkRxZjTwKIPWTYmVUm//P2hqSw4eJ7izAo0GFunTddhlZ4UOWfBiObJj7+E8OGcVjyoMKj+4bNVhPqaMEi3Iidzexn8uqYbM+1vGCUf7b1tg10C+dzfdnsQIiGrkAYYlMvWGefhDlRhFq0OQfI1sDYN7pMMoqeQ=
You can also test the DKIM header is successful by emailing dkimtest@atmail.org , on success you will receive an autoreply, otherwise a returned mail "Bad DKIM header"

--

This will be natively supported in Atmail 5.6 due Dec 2008 - In the meantime these changes can be made to any existing Atmail 5.5 installation with DKIM support.

Question:Our need is to block all email addresses/domain not configured in the @mail server.
So I want to avoid mail deliveries from addresses like bill.gates@microsoft.com or george.bush@whitehouse.org.

Answer:Yes this can be done. Follow the step detailed below.
Open and edit the Exim configuration file located at /usr/local/atmail/mailserver/configure, please remember to also back up this file before changes are made. Find and delete the following code.

# This router routes addresses that are not in local domains by doing a DNS
# lookup on the domain name.
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

Restart the @mail server and test.

When you want to upgrade SpamAssassin 2.63 for @Mail to 3.0, keep in mind that the two versions have different SQL querying schemas. Also, you may need to take out some lines in the local.cf file, as many options have been deprecated.

To upgrade your SpamAssassin installation, just run through the following steps:

(more...)

Should you want to see if your Spam filter is working, just send an email with the following string:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

This is the GTUBE - the Generic Test for Unsolicited Bulk Email. If your spam filter supports it, the GTUBE provides a test by which you can verify that the filter is installed correctly and is detecting incoming spam, in a similar fashion to the EICAR anti-virus test file.

Should you want to disable SpamAssassin for some domains or users, just do the following:

- open up your /usr/local/atmail/mailserver/configure
- find the following lines:

domains = ${lookup mysql {MYSQL_CHECKSPAM}{$value}}

(more...)