Configuring a mail gateway on CentOS 7 using Postfix with SpamAssassin, ClamAV, OpenDKIM, SPF and DMARC
The gateway will work as follows:
incoming messages from external mail servers are received on port 25 and checked by SpamAssassin and ClamAV
outgoing messages from the internal mail server are received on port 10025 and signed by OpenDKIM
Let's assume that the internal mail server has the IP address 192.168.100.100 and that the external IP address of the mail gateway is 198.51.100.1.
Basic configuration
install Postfix
yum install postfix
edit the /etc/postfix/main.cf file
inet_interfaces = all
inet_protocols = ipv4
myhostname = mail.example.com
mydestination =
relay_domains = example.com
relay_transport = smtp:[192.168.100.100]
relay_recipient_maps = hash:/etc/postfix/recipients
mynetworks = 192.168.100.100/32
local_transport = error:local mail delivery is disabled
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/public.cer
smtpd_tls_key_file = /etc/postfix/private.key
smtpd_tls_loglevel = 1
edit the /etc/postfix/master.cf file
10025 inet n - n - - smtpd
#local unix - n n - - local
create the /etc/postfix/recipients file with a list of allowed recipients
build the /etc/postfix/recipients.db hash table from that file
postmap hash:/etc/postfix/recipients
generate a private key and a certificate (as described here or here) and save them into the /etc/postfix/private.key and the /etc/postfix/public.cer files respectively
change owners and permissions of the private key and the certificate
chmod 600 /etc/postfix/private.key
restart Postfix
systemctl restart postfix
SpamAssassin
install the EPEL repository
yum install epel-release
install SpamAssassin
yum install spamassassin
replace the content of the /etc/mail/spamassassin/local.cf file
report_hostname mail.example.com
report_safe 0
start SpamAssassin
systemctl start spamassassin
install the spamass-milter package to integrate SpamAssassin and Postfix
yum install spamass-milter
create a group so that Postfix and spamass-milter can share access to the milter socket file
groupadd sa-milt-sock
gpasswd -M sa-milt,postfix sa-milt-sock
edit the /etc/sysconfig/spamass-milter file to change startup options of the service
SOCKET_OPTIONS="-g sa-milt-sock"
start spamass-milter
systemctl start spamass-milter
edit the /etc/postfix/main.cf file
milter_connect_macros = j {daemon_name} v _
Comment 1: without this setting the log fills up with messages like 'Could not retrieve sendmail macro "_" …'
Comment 2: messages like 'Could not retrieve sendmail macro "!" …' may still appear in the log, but you can safely ignore them
edit the /etc/postfix/master.cf file
smtp inet n - n - - smtpd
  -o smtpd_milters=unix:/run/spamass-milter/spamass-milter.sock
restart Postfix
systemctl restart postfix
ClamAV
install ClamAV
yum install clamd
replace the content of the /etc/clamd.d/scan.conf file
LogSyslog yes
User clamscan
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660
update the virus database
freshclam
start ClamAV
systemctl start clamd@scan
install the clamav-milter package to integrate ClamAV and Postfix
yum install clamav-milter
create the /etc/tmpfiles.d/clamav-milter.conf file
d /run/clamav-milter 0711 clamilt clamilt
create a group so that Postfix and clamav-milter can share access to the milter socket file
groupadd clamilt-sock
gpasswd -M clamilt,postfix clamilt-sock
replace the content of the /etc/mail/clamav-milter.conf file
User clamilt
ClamdSocket unix:/run/clamd.scan/clamd.sock
MilterSocket unix:/run/clamav-milter/clamav-milter.sock
MilterSocketGroup clamilt-sock
MilterSocketMode 660
AddHeader Replace
ReportHostname mail.example.com
OnInfected Accept
LogSyslog yes
LogFacility LOG_MAIL
LogClean Basic
LogInfected Basic
start clamav-milter
systemctl start clamav-milter
edit the /etc/postfix/master.cf file
smtp inet n - n - - smtpd
  -o smtpd_milters=unix:/run/spamass-milter/spamass-milter.sock,unix:/run/clamav-milter/clamav-milter.sock
restart Postfix
systemctl restart postfix
OpenDKIM
install OpenDKIM
yum install opendkim
generate a private key and a DNS TXT record
opendkim-genkey -b 1024 -d example.com -a -s mail
Comment: this creates the files mail.private and mail.txt in the current directory
copy the private key into the /etc/opendkim/keys directory
cp mail.private /etc/opendkim/keys/opendkim.key
change owners and permissions of the private key
chown opendkim:opendkim /etc/opendkim/keys/opendkim.key
chmod 640 /etc/opendkim/keys/opendkim.key
add the TXT record saved in the mail.txt file to the DNS zone
replace the content of the /etc/opendkim.conf file
Socket local:/run/opendkim/opendkim.sock
Umask 007
Mode s
Canonicalization relaxed/relaxed
Domain example.com
Selector mail
InternalHosts 192.168.100.100
KeyFile /etc/opendkim/keys/opendkim.key
Syslog yes
SyslogSuccess yes
edit the /etc/tmpfiles.d/opendkim.conf file
D /run/opendkim 0711 opendkim opendkim -
remove and recreate the /run/opendkim directory
systemd-tmpfiles --remove --create /etc/tmpfiles.d/opendkim.conf
create a group so that Postfix and OpenDKIM can share access to the milter socket file
groupadd dkimgroup
gpasswd -M opendkim,postfix dkimgroup
copy the /usr/lib/systemd/system/opendkim.service unit file into the /etc/systemd/system directory
cp /usr/lib/systemd/system/opendkim.service /etc/systemd/system/opendkim.service
Comment: the copy in /etc/systemd/system overrides the default /usr/lib/systemd/system/opendkim.service unit file
edit the /etc/systemd/system/opendkim.service unit file and set the following in its [Service] section
Group=dkimgroup
reload the systemd configuration
systemctl daemon-reload
start OpenDKIM
systemctl start opendkim
edit the /etc/postfix/master.cf file
10025 inet n - n - - smtpd
  -o smtpd_milters=unix:/run/opendkim/opendkim.sock
restart Postfix
systemctl restart postfix
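The three master.cf edits in the SpamAssassin, ClamAV and OpenDKIM sections depend on the -o continuation lines being indented under their service entry. The parser below is an added example, not part of the original guide or of Postfix: it reads a constructed master.cf excerpt with exactly those entries and returns the milters applied to each listener, a quick way to confirm that port 25 gets the two scanners and port 10025 only the DKIM signer.

```python
# Constructed excerpt of the master.cf that results from this guide.
# Continuation lines ("-o ...") must start with whitespace in the real file.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_milters=unix:/run/spamass-milter/spamass-milter.sock,unix:/run/clamav-milter/clamav-milter.sock
10025     inet  n       -       n       -       -       smtpd
  -o smtpd_milters=unix:/run/opendkim/opendkim.sock
#local    unix  -       n       n       -       -       local
"""


def parse_master_cf(text: str) -> dict:
    """Map each enabled service ("name/type") to its command, extra
    arguments and "-o" overrides. A line starting with whitespace
    continues the previous service entry; "#" lines are comments."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if line[0] in " \t":
            if current is None:
                raise ValueError(f"continuation before any service: {line!r}")
            # "-o name=value" sets a Postfix parameter for this service only
            if fields[0] == "-o" and len(fields) == 2 and "=" in fields[1]:
                key, value = fields[1].split("=", 1)
                services[current]["options"][key] = value
            else:
                services[current]["args"].extend(fields)
            continue
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {line!r}")
        current = f"{fields[0]}/{fields[1]}"
        services[current] = {"command": fields[7], "args": fields[8:], "options": {}}
    return services


def milters_for(services: dict, service: str) -> list:
    """Milter sockets applied to one smtpd listener, in the order Postfix
    will call them; empty if the service has no smtpd_milters override."""
    value = services[service]["options"].get("smtpd_milters", "")
    return [m.strip() for m in value.split(",") if m.strip()]
```

On a live system, feed it the real file with parse_master_cf(open("/etc/postfix/master.cf").read()); the commented-out local service must not appear in the result.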
SPF
add the following record to the DNS zone
host - @
type - TXT
value - v=spf1 +ip4:198.51.100.1/32 -all
DMARC
add the following record to the DNS zone
host - _dmarc
type - TXT
value - v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; aspf=s; adkim=s; fo=1; pct=100
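A check of the SPF and DMARC records from the two sections above, added here as an example that is not part of the original guide: it evaluates the SPF record for a given connecting IP (ip4/ip6/all mechanisms only, with no DNS lookups) and confirms that the DMARC policy is reject with strict alignment for all mail. The report mailbox dmarc@example.com is an assumed placeholder, since the guide's address is not reproduced here.

```python
import ipaddress

# The records this guide publishes for example.com. The report address
# is an assumed placeholder; substitute the mailbox you actually monitor.
SPF_RECORD = "v=spf1 +ip4:198.51.100.1/32 -all"
DMARC_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
                "ruf=mailto:dmarc@example.com; aspf=s; adkim=s; fo=1; pct=100")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record that uses only ip4/ip6/all mechanisms and
    return the result for a connecting IP. Mechanisms that need DNS
    (include, a, mx, ...) are rejected so the limitation is explicit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism needs a DNS lookup, not handled: {term}")
    return "neutral"  # no "all" term: RFC 7208 default result


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("missing v=DMARC1 or p= tag")
    return tags


def dmarc_is_strict(tags: dict) -> bool:
    """True when the policy rejects unaligned mail for every message with
    strict SPF and DKIM alignment, which is what the record above does."""
    return (tags["p"] == "reject" and tags.get("pct", "100") == "100"
            and tags.get("aspf", "r") == "s" and tags.get("adkim", "r") == "s")
```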