How to install ASSP v.2 on CentOS 7 64 bit
Date: 2015-03-24 12:59 Source: www.it.net.cn Author: IT
This howto shows the steps to install ASSP on a minimal CentOS 7 installation. It does not cover the installation of CentOS nor the setup of the mail server. The CentOS-7.0-1406-x86_64-Minimal.iso image is suitable for this setup. If you have the DVD image, choose Minimal Install and proceed with the installation.
After reboot
Disable NetworkManager and FirewallD and enable the network service
systemctl disable NetworkManager
systemctl stop NetworkManager
systemctl disable firewalld
systemctl stop firewalld
systemctl enable network
systemctl start network
Edit the network card configuration (we assume one network card installed on the system)
vi /etc/sysconfig/network-scripts/ifcfg-eth0
Replace IPADDR0=a.b.c.d with IPADDR=a.b.c.d
Replace PREFIX0=xx with PREFIX=xx
Replace GATEWAY0=aa.bb.cc.dd with GATEWAY=aa.bb.cc.dd
Update OS
yum -y update
reboot
yum install wget perl
Get extra software for CentOS from the epel, repoforge and remi repositories:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
Install repositories
yum localinstall rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm epel-release-7-5.noarch.rpm remi-release-7.rpm
Install shorewall firewall (iptables manager):
yum install shorewall
Let's edit our firewall. These options and example files are the minimum to make it work. Further configuration is needed. For more information on shorewall and how to configure it, visit http://shorewall.net
First, the interface file:
vi /etc/shorewall/interfaces
net eth0
The policy file:
vi /etc/shorewall/policy
$FW net ACCEPT
net all DROP
all all REJECT
The rules file:
vi /etc/shorewall/rules
Under ?SECTION NEW add the rules below:
# Enable access from the internet to the ssh, smtp and assp web interface services
# For security reasons you might want to limit ssh access to a single trusted IP
# or a class of trusted IPs
ACCEPT net $FW tcp 22,25,55555
# Enable ping (1 request per second with a burst of one)
ACCEPT net $FW icmp 8 - - 1/sec:1
The shorewall.conf file:
vi /etc/shorewall/shorewall.conf
Replace STARTUP_ENABLED=No with STARTUP_ENABLED=Yes
And finally the zones file:
vi /etc/shorewall/zones
Enable firewall
systemctl enable shorewall
systemctl start shorewall
Check if firewall is running with shorewall status command:
shorewall status | grep running
Shorewall is running
Install software needed for ASSP2 & Modules:
yum install gcc openssl-devel perl-Net-SMTPS perl-IO-Compress-Zlib perl-Text-Glob perl-Number-Compare perl-Convert-TNEF perl-Digest-SHA1 perl-Email-MIME perl-Email-Send perl-Email-Valid perl-File-ReadBackwards perl-MIME-Types perl-Mail-DKIM perl-Mail-SPF perl-Net-CIDR-Lite perl-Net-DNS perl-Net-IP-Match-Regexp perl-Net-SMTP-SSL perl-Time-HiRes perl-Crypt-CBC perl-IO-Socket-SSL perl-Sys-MemInfo perl-Time-HiRes perl-Tie-DBI perl-LWP-Authen-Negotiate clamd perl-Net-IP perl-Text-Unidecode perl-Schedule-Cron-Events perl-BerkeleyDB perl-LDAP perl-CPAN perl-local-lib perl-CPAN-Meta-Requirements unzip deltarpm net-tools policycoreutils-python
Optionally, update CPAN:
perl -MCPAN -e shell
Accept default options and proceed to upgrade:
cpan> install CPAN
cpan> reload cpan
Enable ClamAV at boot time
systemctl enable clamd
clamd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig clamd on
The unit files have no [Install] section. They are not meant to be enabled
using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
.wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
D-Bus, udev, scripted systemctl call, ...).
Edit /etc/clamd.conf:
vi /etc/clamd.conf
Replace your values with the ones below:
LogFileMaxSize 2m
LogRotate yes
LocalSocketGroup clamav
LocalSocket /var/clamav/clamd.sock
# TCPSocket 3310
# TCPAddr 127.0.0.1
PidFile /var/clamav/clamd.pid
TemporaryDirectory /var/tmp
IdleTimeout 60
Edit /etc/freshclam.conf:
vi /etc/freshclam.conf
Add or uncomment LogRotate yes
Start ClamAV:
systemctl start clamd
Install CPAN modules for ASSP:
cpan -i Unicode::GCString Sys::CpuAffinity Thread::State Thread::Queue Schedule::Cron File::Scan::ClamAV Sys::Syslog IO::Socket::INET6 Lingua::Stem::Snowball Lingua::Identify Archive::Extract Archive::Zip Archive::Tar Mail::SRS Net::SenderBase Tie::DBI Crypt::OpenSSL::AES Regexp::Optimizer Schedule::Cron::Events Mail::SPF::Query File::Scan::ClamAV
Answer any questions by pressing the Enter key (the default option is shown within the [ ] brackets).
Mail::SPF::Query and File::Scan::ClamAV may not install without force. In that case:
perl -MCPAN -e shell
cpan> force install Mail::SPF::Query
cpan> force install File::Scan::ClamAV
I would recommend installing the perl modules one by one to catch potential errors and/or missing dependencies:
perl -MCPAN -e shell
cpan> install
Download ASSP v.2 from http://sourceforge.net/projects/assp/ onto your server and unzip it:
unzip ASSP__Install.zip
mv -f assp/ /var/db/assp/
cd /var/db/assp
Start assp for the first time:
perl assp.pl
Any errors about perl modules will be reported to /var/db/assp/moduleLoadErrors.txt. Any other errors will be printed on the console (assp will stay in the foreground).
Start configuring ASSP by logging onto the web interface:
http://<IP_or_FQDN>:55555
user: root
password: nospam4me
By default assp binds to port 25/tcp on every IPv4 address (0.0.0.0:25). This conflicts with the local email server (postfix, exim, sendmail, opensmtpd). The error is written to the assp log file (/var/db/assp/logs/maillog.txt) and, if assp runs in the foreground, to the console:
[init] Error: couldn't create server socket on port '25' -- maybe another service is running or I'm not root (uid=0)? -- or a wrong IP address is defined? -- Address already in use
In this case we'll be setting up postfix, so we have to change its default port (25/tcp) to, say, 125/tcp and bind it to localhost only:
vi /etc/postfix/master.cf
Replace
smtp inet n - n - - smtpd
With
localhost:125 inet n - n - - smtpd
Let's restart postfix:
systemctl restart postfix
Job for postfix.service failed. See 'systemctl status postfix.service' and 'journalctl -xn' for details.
systemctl status postfix.service
postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled)
Active: failed (Result: exit-code) since Sun 2014-12-21 15:34:11 ICT; 6s ago
Process: 30186 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
Process: 30200 ExecStart=/usr/sbin/postfix start (code=exited, status=1/FAILURE)
Process: 30198 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
Process: 30195 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
Main PID: 29346 (code=killed, signal=TERM)
systemd[1]: Starting Postfix Mail Transport Agent...
postfix/master[30272]: fatal: bind 127.0.0.1 port 125: Permission denied
postfix/master[30271]: fatal: daemon initialization failure
systemd[1]: postfix.service: control process exited, code=exited status=1
systemd[1]: Failed to start Postfix Mail Transport Agent.
systemd[1]: Unit postfix.service entered failed state.
The above error occurs because SELinux won't allow postfix to bind to a port other than 25, 465 and 587.
To make postfix bind to port 125, either disable SELinux (not recommended) or add the port to the SELinux policy so postfix may bind to it:
semanage port -a 125 -t smtp_port_t -p tcp
And check if port 125 is in the list of allowed ports:
semanage port -l | grep smtp_port_t
smtp_port_t tcp 125, 25, 465, 587
Now we can restart postfix without errors:
systemctl restart postfix
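As an added check, not part of the original howto, the POSIX shell script below tests the two conditions the port-125 variant depends on: every inet smtpd service in master.cf is bound to localhost, and 125/tcp is listed for smtp_port_t. The master.cf lines and the semanage output are constructed to mirror the page, and the function names are assumptions; on a real server feed it the actual file and command output.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity-check the postfix/ASSP port
# split. Inputs below are constructed to mirror the page; replace them with the
# real /etc/postfix/master.cf contents and real "semanage port -l" output.

# 0 if every inet smtpd service in the master.cf text ($1) binds to localhost
# ("localhost:PORT" or "127.0.0.1:PORT"); 1 if any binds to all addresses,
# which is what collides with ASSP listening on 0.0.0.0:25.
postfix_smtpd_bound_to_localhost() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 8 { next }        # comments, blanks, -o continuation lines
        $2 == "inet" && $8 == "smtpd" {
            n = split($1, a, ":")                   # "localhost:125" -> host "localhost"
            if (n < 2 || (a[1] != "localhost" && a[1] != "127.0.0.1")) bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# 0 if port $2/tcp appears in the smtp_port_t line of the semanage output text ($1).
selinux_allows_smtp_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "smtp_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { p = $i; sub(/,/, "", p); if (p == port) found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed inputs: the stock master.cf line, the edited line, and semanage
# output before and after "semanage port -a 125 -t smtp_port_t -p tcp".
MASTER_CF_BEFORE='smtp      inet  n       -       n       -       -       smtpd'
MASTER_CF_AFTER='localhost:125 inet n - n - - smtpd'
SEMANAGE_BEFORE='smtp_port_t                    tcp      25, 465, 587'
SEMANAGE_AFTER='smtp_port_t                    tcp      125, 25, 465, 587'

# Both must hold for the port-125 variant, otherwise postfix either keeps the
# wildcard bind (conflict with assp) or fails with "bind 127.0.0.1 port 125:
# Permission denied" as shown in the systemctl status output above.
port125_variant_ok() {
    postfix_smtpd_bound_to_localhost "$1" && selinux_allows_smtp_port "$2" 125
}

if port125_variant_ok "$MASTER_CF_AFTER" "$SEMANAGE_AFTER"; then
    echo "ok: postfix on localhost:125 and SELinux allows 125/tcp"
else
    echo "not ok: fix master.cf or the smtp_port_t policy" >&2
fi
```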
Another way of doing this is to bind postfix's smtp service to localhost only and, in the assp web config, make assp listen on port 25 on the public/private IP address of the server. This way no SELinux configuration is involved.
In /etc/postfix/master.cf:
vi /etc/postfix/master.cf
Replace
smtp inet n - n - - smtpd
With
localhost:smtp inet n - n - - smtpd
In the assp web config, under Network Setup->SMTP Listen Port change 25 to <Public/Private_IP>:25, and under Network Setup->SMTP Destination change 125 to 127.0.0.1:25.
Apply changes using the Apply button on the web interface.
To make assp start at boot time, in the assp web config go to Server Setup and under Run ASSP as a Daemon choose Yes – externally controlled.
We then create the systemd unit file for assp:
vi /etc/systemd/system/assp.service
[Unit]
Description=AntiSpam SMTP Proxy
After=network.target
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/bin/perl /var/db/assp/assp.pl /var/db/assp/
ExecStop=/usr/bin/killall /usr/bin/perl
[Install]
WantedBy=multi-user.target
Reload systemd:
systemctl daemon-reload
Enable ASSP script at boot time:
systemctl enable assp.service
Reboot the server and check if the services are up and running. Then you can proceed to fine tune ASSP and postfix (or your chosen email daemon).
Links
Original: http://www.howtoforge.com/tutorial/install-assp-v2-on-centos-7/
(Editor: IT)