This document describes how to install milter manager to CentOS 8.See Install for general installinformation.
In this document, CentOS 8.3 is used. Sudo is used to run a commandwith root privilege. If you don't use sudo, use su instead.
Postfix is used as MTA because it's installed by default.
Spamass-milter, clamav-milter and milter-greylist are used asmilters. Milter packages registered in EPEL are used.
Register EPEL like the following:
% sudo dnf install -y epel-release
Now, you install milters:
% sudo dnf install -y spamass-milter-postfix clamav-scanner-systemd clamav-update clamav-milter clamav-milter-systemd milter-greylist
And you install RRDtool for generating graphs:
% sudo dnf install -y rrdtool
milter manager can be installed by dnf.
Register milter manager yum repository like the following:
% curl -s https://packagecloud.io/install/repositories/milter-manager/repos/script.rpm.sh | sudo bash
See also: https://packagecloud.io/milter-manager/repos/install
Enable ruby:3.0 module:
% sudo dnf module -y enable ruby:3.0
Now, you install milter manager:
% sudo dnf install -y milter-manager
Here is a basic configuration policy.
milter-greylist should be applied only ifS25Rcondition is matched to reduce needless delivery delay.But the configuration is automatically done bymilter manager. You need to do nothing for it.
It's difficult that milter manager runs on SELinux. Disable SELinuxpolicy module for Postfix and Milter.
% sudo semodule -d postfix % sudo semodule -d milter
At first, you configure spamd.
spamd adds "[SPAM]" to spam mail's subject by default. Ifyou don't like the behavior, edit/etc/mail/spamassassin/local.cf.
Before:
rewrite_header Subject [SPAM]
After:
# rewrite_header Subject [SPAM]
Add the following configuration to/etc/mail/spamassassin/local.cf. This configuration is for addingheaders only if spam detected.
remove_header ham Status remove_header ham Level
Start spamd on startup:
% sudo systemctl enable spamassassin
Start spamd:
% sudo systemctl start spamassassin
Here are spamass-milter's configuration items:
Change /etc/sysconfig/spamass-milter:
Before:
#EXTRA_FLAGS="-m -r 15"
After:
EXTRA_FLAGS="-m -r 15"
Start spamass-milter on startup:
% sudo systemctl enable spamass-milter
Start spamass-milter:
% sudo systemctl start spamass-milter
Update ClamAV virus database and start clamd.
Edit /etc/freshclam.conf like the following. It comments out"Example", changes "NotifyClamd" value and uncomments otheritems.
Before:
Example #LogFacility LOG_MAIL #NotifyClamd /path/to/clamd.conf
After:
#Example LogFacility LOG_MAIL NotifyClamd /etc/clamd.d/scan.conf
Run freshclam by hand at the first time:
% sudo freshclam
Configure clamd.
Edit /etc/clamd.d/scan.conf like the following. It comments out"Example" and uncomments other items:
Before:
Example #LogFacility LOG_MAIL #LocalSocket /run/clamd.scan/clamd.sock
After:
#Example LogFacility LOG_MAIL LocalSocket /run/clamd.scan/clamd.sock
Start clamd on startup:
% sudo systemctl enable clamd@scan
Start clamd:
% sudo systemctl start clamd@scan
Configure clamav-milter.
Edit /etc/mail/clamav-milter.conf like the following. It comments out"Example", change "ClamdSocket" value and uncomments other items:
Before:
Example #MilterSocket /run/clamav-milter/clamav-milter.socket #MilterSocketMode 660 #ClamdSocket tcp:scanner.mydomain:7357 #LogFacility LOG_MAIL
After:
#Example MilterSocket /run/clamav-milter/clamav-milter.socket MilterSocketMode 660 ClamdSocket unix:/run/clamd.scan/clamd.sock LogFacility LOG_MAIL
Add "clamilt" user to "clamscan" group to access clamd's socket:
% sudo usermod -G clamscan -a clamilt
Start clamav-milter on startup:
% sudo systemctl enable clamav-milter
Start clamav-milter:
% sudo systemctl start clamav-milter
Change /etc/mail/greylist.conf for the followingconfigurations:
# note The configuration relaxes Greylist check to avoid Greylist adverse effect. It increases received spam mails but you should give priority to avoid false positive rather than false negative. You should not consider that you blocks all spam mails by Greylist. You can blocks spam mails that isn't blocked by Greylist by other anti-spam technique such as SpamAssassin. milter manager helps constructing mail system that combines some anti-spam techniques.
Before:
socket "/run/milter-greylist/milter-greylist.sock" # ... racl whitelist default
After:
socket "/run/milter-greylist/milter-greylist.sock" 660
# ...
subnetmatch /24
greylist 10m
autowhite 1w
sm_macro "trusted_domain" "{trusted_domain}" "yes"
racl whitelist sm_macro "trusted_domain" spf pass
racl greylist sm_macro "trusted_domain" not spf pass
racl greylist default
Start milter-greylist on startup:
% sudo systemctl enable milter-greylist
Start milter-greylist:
% sudo systemctl start milter-greylist
Add "milter-manager" user to "clamilt" group to accessclamav-milter's socket:
% sudo usermod -G clamilt -a milter-manager
Add "milter-manager" user to "mail" group and "grmilter" group toaccess milter-greylist's socket:
% sudo usermod -G mail -a milter-manager % sudo usermod -G grmilter -a milter-manager
Add "milter-manager" user to "postfix"" group to accessspamass-milter's socket:
% sudo usermod -G postfix -a milter-manager
milter manager detects milters that installed in system.You can confirm spamass-milter, clamav-milter andmilter-greylist are detected:
% sudo /usr/sbin/milter-manager -u milter-manager -g milter-manager --show-config
The following output shows milters are detected:
...
define_milter("milter-greylist") do |milter|
milter.connection_spec = "unix:/run/milter-greylist/milter-greylist.sock"
...
milter.enabled = true
...
end
...
define_milter("clamav-milter") do |milter|
milter.connection_spec = "unix:/var/run/clamav-milter/clamav-milter.socket"
...
milter.enabled = true
...
end
...
define_milter("spamass-milter") do |milter|
milter.connection_spec = "unix:/run/spamass-milter/postfix/sock"
...
milter.enabled = true
...
end
...
You should confirm that milter's name, socket path and "enabled =true". If the values are unexpected, you need to change/etc/milter-manager/milter-manager.local.conf. SeeConfiguration for details ofmilter-manager.local.conf.
But if we can, we want to use milter manager without editingmiter-manager.local.conf. If you report your environment to the miltermanager project, the milter manager project may improve detect method.
milter manager's configuration is finished.
Start to milter manager on startup:
% sudo systemctl enable milter-manager
Start to milter manager:
% sudo systemctl start milter-manager
milter-test-server is usuful to confirm milter manager wasran:
% sudo -u milter-manager milter-test-server -s unix:/var/run/milter-manager/milter-manager.sock
Here is a sample success output:
status: accept elapsed-time: 0.128 seconds
If milter manager fails to run, the following message willbe shown:
Failed to connect to unix:/var/run/milter-manager/milter-manager.sock
In this case, you can use log to solve theproblem. milter manager is verbosily if –verbose option isspecified. milter manager outputs logs to standard output ifmilter manager isn't daemon process.
You can add the following configuration to/etc/sysconfig/milter-manager to output verbose log tostandard output:
OPTION_ARGS="--verbose --no-daemon"
Restart milter manager:
% sudo systemctl restart milter-manager
Some logs are output if there is a problem. Runningmilter manager can be exitted by Ctrl+c.
OPTION_ARGS configuration in /etc/sysconfig/milter-managershould be commented out after the problem is solved to runmilter manager as daemon process. And you should restartmilter manager.
Enables Postfix:
% sudo systemctl enable postfix % sudo systemctl start postfix
Configure Postfix for milters. Append following lines to/etc/postfix/main.cf:
milter_protocol = 6 milter_default_action = accept
For details for each lines.
Register milter manager to Postfix. It's important thatspamass-milter, clamav-milter and milter-greylist aren't needed to beregistered because they are used via milter manager.
Append following lines to /etc/postfix/main.cf:
smtpd_milters = unix:/var/run/milter-manager/milter-manager.sock
Reload Postfix's configuration.
% sudo systemctl reload postfix
milter manager logs to syslog. If milter manager works well,some logs can be shown in /var/log/maillog. You need to senda test mail for confirming.
There are many configurations to work milter and Postfixtogether. They can be reduced by introducing milter manager.
Without milter manager, you need to specify sockets ofspamass-milter, clamav-milter and milter-greylist to/etc/postfix/main.cf. With milter manager, you don't need tospecify sockets of them, just specify a socket ofmilter manager. They are detected automatically. You don'tneed to take care some small mistakes like typo.
milter manager also detects which '/sbin/chkconfig -add' isdone or not. If you disable a milter, you use the followingsteps:
% sudo systemctl stop milter-greylist % sudo systemctl disable milter-greylist
You need to reload milter manager after you disable a milter.
% sudo systemctl reload milter-manager
milter manager detects a milter is disabled and doesn't useit. You don't need to change /etc/postfix/main.cf.
You can reduce maintainance cost by introducingmilter manager if you use some milters on CentOS.
milter manager also provides tools to helpoperation. Installing them is optional but you can reduceoperation cost too. If you also install them, you will go toInstall to CentOS(optional).