1
SCOoffice Server 4.1 Administration
Brian Watrous, President & CEO, ATCS, Inc.
2
Modules
1. Overview of SCOoffice Server
2. Installing and Upgrading to SCOoffice Server
3. Configuring and Managing SCOoffice Server
4. Managing a Distributed Environment
5. Securing SCOoffice Server
3
Modules
6. Managing Recipients and Aliases
7. Managing Mail Queues
8. Managing Private and Public Folders
9. Managing Email Routing
10. Managing Virus Protection
11. Managing Spam Filtering
12. Performing Preventive Maintenance
13. Planning for and Recovering from Disasters
4
How this Course is Designed
Task oriented
Hands-on exercises
Certification exam
Prerequisites
  Windows
  SCO OpenServer
  TCP/IP
  PlaceWare training
5
How this Course is Designed
Course uses RFC2606 style domain names:
example.com: elm, spruce, oak
example.net: rose, daisy, poppy
example.org: paper, pen, staple
7
Overview
[Diagram of desktop components and server components: SCOoffice Server, SCOoffice Address Book™, SCOoffice Connector™, Microsoft Outlook®, SCOoffice WebClient, Web Browser]
8
Overview
SCOoffice Server
  Internet e-mail
  Real-time collaboration
  Integrated anti-virus
  Junk e-mail Prevention
  Easy Administration
  User Profile Management
  Server Side Filtering
  Migration Tools
  Single-click Configuration
9
Overview
WebClient
  Internet e-mail client
  Meeting scheduling capabilities
  Shares folders: email, calendars, contacts, and tasks
  Interface similar to Microsoft Outlook
10
Overview
Connector
  Plug-in for Microsoft Outlook®
  Shared public and private folders
  Supports special folder types
  Fine-grained folder access controls
11
Overview
Address Book
  Plug-in for Microsoft Outlook
  Works with any LDAP server
  Provides native Outlook global-address book look and feel
12
SCOoffice Architecture
[Architecture diagram: SCO OpenServer, Postfix, Apache, ProFTP, OpenLDAP, Cyrus IMAP, AMaViS, SpamAssassin, ClamAV]
14
Helpful URLs
Technology       Homepage
Postfix          http://www.postfix.org
Apache           http://www.apache.org
Cyrus IMAP       http://asg.web.cmu.edu/cyrus
OpenLDAP         http://www.openldap.org
ProFTPD          http://www.proftpd.org
MON              http://www.kernel.org/software/mon
AMaViS           http://www.amavis.org
                 http://www.ijs.si/software/amavisd
SpamAssassin     http://www.spamassassin.org
Clam AntiVirus   http://www.clamav.net
15
Starting SCOoffice Server
[Startup sequence diagram; boxes with their step numbers, * as marked on the slide: P86insightserver (1); insightserver (2); saslauthd, slurpd, slapd, clamd, amavisd, postfix, cyrus, apache, proftpd, mon (3); slapd (4); slurpd (5); saslauthd (6); clamd (7); amavisd (8); clamscan (9*); spamassassin (10*); postfix (11); qmgr, pickup, cleanup, trivial-rewrite, local, flush, smtpd (12*); cyrus master (13); imapd (14); pop3d (15); apachectl (16); httpd (17); proftpd (18); mon (19); mon.d scripts (20*); alert.d scripts (21*)]
18
Planning and Installation
Planning a SCOoffice Server
  Overview
  System Requirements
  Kernel Tuning
  Changes Made to Your System
  Network Considerations
  Domain Layout
Installing SCOoffice Server
19
Installing SCOoffice Server
SCOoffice Server 4.1 is CUSTOM installable
Consult the installation guide for kernel tuning parameters
Make sure your DNS is configured correctly
20
Changes Made to Your System
Directory                      Purpose
/opt/insight                   SCOoffice Server installation directory
/opt/insight/var/spool/imap    User mail storage directory
/opt/insight/etc               Configuration file directory
/opt/insight/log               Log file directory
37
Migration Wizard
Migrate mail from an existing server (server-to-server)
Import mail from an existing PST file
Import mail from an existing MBOX file
Import from an RFC 2849 LDIF file
Import from an /etc/shadow file
38
SCOoffice Server Configuration
Default admin password is “admin”
Change this password immediately!
To change admin’s password:
  Click on Accounts → View Accounts
  Click on the administrator
  Type in a new password
  Click Update at the end of the page
39
After Installing SCOoffice Server
The “admin” account is not allowed to use the WebClient
Can point mail aliases to other account(s)
40
SCOoffice Server Configuration
Working with accounts
  Creating domains
  Creating groups
  Creating users
  Creating resources
Working with Aliases
  Creating aliases
  System aliases
Working with Mail Folders
  Viewing User Mail Folders
  Creating Mail Folders
42
Creating Domains (cont.)
Specify name for the domain
At the end of the page click Create
Creating domains is optional
44
Creating Groups
Select the distinguished name (DN) of the container in which the new group will reside
Fill in all required information
  Group name
At the end of the page, click Create
47
Creating Users
Click on Accounts → Create User
These hypertext links can also be used to create users, domains, groups, etc.
48
Creating Users
Select an organization or group
Fill in all required information
  Login
  Password
  Last Name
At the end of the page click Create
User’s mailbox is created by default
User’s quota is not set by default
Access to WebClient is granted by default
50
Creating Resources (cont.)
Select a container
Fill in all required information
  Login
  Password
  Last Name
At the end of the page click Create
Resource’s mailbox is created by default
Resource’s quota is not set by default
Access to WebClient is granted by default
52
Creating Aliases (cont.)
Working with Aliases (cont.)
Select a container/domain
Give it a name
Is it Open or Restricted?
  Open: everyone can subscribe to the alias
  Restricted: alias owner allows/restricts alias members
53
Creating Aliases (cont.)
Working with Aliases (cont.)
Who owns the alias?
  Click on Browse to select owners
Who are the members?
  Click on Browse to select the members
Click on Create
55
Working with System Aliases (cont.)
Check the select box you want to change
Then either:
  Type another user’s email address, or
  Type a comma-separated list of email addresses
57
WebClient Setup
To control access to the WebClient when creating a user:
  Scroll to the bottom
  Enabled by default
  To restrict access, uncheck the “Access WebClient”
58
WebClient Setup
To control access to the WebClient for an existing user:
  Click on WebClient → Access Controls
59
WebClient Setup
To control access to the WebClient for an existing user:
  Check to grant WebClient access to a user
  Uncheck to deny WebClient access to a user
  Click on “Change Access”
64
Configuration Files
Technology       Configuration File
Postfix          /opt/insight/etc/postfix/main.cf
                 /opt/insight/etc/postfix/master.cf
Apache           /opt/insight/etc/apache/httpd.conf
Cyrus IMAP       /opt/insight/etc/cyrus.conf
                 /opt/insight/etc/imapd.conf
OpenLDAP         /opt/insight/etc/openldap/ldap.conf
ProFTPD          /opt/insight/etc/proftpd.conf
MON              /opt/insight/mon/etc/mon.cf
AMaViS           /opt/insight/etc/amavisd.conf
SpamAssassin     /opt/insight/etc/mail/spamassassin/local.cf
Clam AntiVirus   /opt/insight/etc/clamav.conf
71
Modifying Advanced Parameters
Apache, Cyrus, Postfix, etc. have numerous configurable parameters
Postfix, alone, has more than 300 parameters!
SCOoffice Server optimizes these parameters
Some parameters can be adjusted in the web console by clicking on Configuration → Services
72
Modifying Advanced Parameters (cont.)
/opt/insight/htdocs/is4web/xml/SCOconfig.xml:
<item> tags in SCOconfig.xml specify which parameters are configurable
73
Modifying Advanced Parameters (cont.)
Use the web console to change parameters!
Do not edit these files directly:
  /opt/insight/etc/imapd.conf
  /opt/insight/etc/openldap/slapd.conf
  /opt/insight/etc/postfix/main.cf
  /opt/insight/etc/apache/httpd.conf
  /opt/insight/etc/proftpd.conf
74
Adding Cyrus Partitions
[Architecture diagram: SCO OpenServer, Postfix, Apache, ProFTP, OpenLDAP, Cyrus IMAP, AMaViS, SpamAssassin, ClamAV]
76
Adding Cyrus Partitions
Add and mount disk drive(s)
Create directory:
  mkdir -p /some/other/directory/users
In /opt/insight/etc/imapd.conf:
  partition-default: /opt/insight/var/spool/imap
  partition-1: /some/other/directory
  defaultpartition: default
Restart Cyrus:
  /opt/insight/etc/rc/cyrus restart
77
Adding Cyrus Partitions
Backup scripts back up the default partition
Backup scripts do not back up new Cyrus partitions
78
Reclaiming Ports 80 and 443
[Architecture diagram: SCO OpenServer, Postfix, Apache, ProFTP, OpenLDAP, Cyrus IMAP, AMaViS, SpamAssassin, ClamAV]
79
Reclaiming Ports 80 and 443
By default, SCOoffice Server utilizes ports 80 (http) and 443 (https)
SCOoffice Server’s http and https servers can be relocated
Reclaiming Ports 80 and 443 involves:
  Modifying Apache parameters
  Reactivating rc scripts
80
Reclaiming Ports 80 and 443 (cont.)
Click on Configuration → Services
Click Apache
Change Port and Listen to the new port number for http (e.g. 880)
Change Define SSLPort to the new port number for https (e.g. 4443)
Click on Restart
81
Reclaiming Ports 80 and 443 (cont.)
To re-enable SCO OpenServer’s Apache web server:
  Rename /etc/rc0.d/_P90apache
  Rename /etc/rc2.d/_P90apache
  Start SCO OpenServer’s Apache web server
82
Reclaiming Port 21
[Architecture diagram: SCO OpenServer, Postfix, Apache, ProFTP, OpenLDAP, Cyrus IMAP, AMaViS, SpamAssassin, ClamAV]
83
Reclaiming Port 21
By default, SCOoffice Server utilizes port 21 for ProFTP
SCOoffice Server’s ftp server can be relocated
Reclaiming Port 21 involves:
  Modifying ProFTP parameters
  Reactivating ftp in /etc/inetd.conf
84
Reclaiming Port 21 (cont.)
To relocate ProFTP:
  Click on Configuration → Services
  Click ProFTP
  Change Port to the new port number for ftp (e.g. 221)
  Click on Restart
To reactivate SCO OpenServer’s ftp server:
  Uncomment the ftp line in /etc/inetd.conf
  Send a SIGHUP to inetd
86
Active Directory Authentication Process
[Diagram with steps numbered 1 to 4 between Client, SCOoffice Server and Active Directory Server]
Client: “I want to read my email.”
SCOoffice Server: “I’m configured to use Active Directory authentication. So I’ll forward the user’s authentication request.”
Active Directory Server: “I decide who is authenticated.”
88
Distributed Mail – Single Server
[Diagram: SCOoffice Server with users Alice and Bob]
Single Server Role
• Stores all mail user accounts in local LDAP directory
• Stores all users’ email locally
• Handles all email authentication requests
89
Distributed Mail – Master Server
[Diagram: Master, two Slaves, Internet; users Alice, Bob and Carl]
Master Role
• Stores the master LDAP user accounts database
• No local email storage for users
• Can handle mail authentication requests
• Redirects clients to slave for email retrieval
90
Distributed Mail – Slave Server
[Diagram: Master, two Slaves, Internet; users Alice, Bob and Carl]
Slave Role
• Stores a local copy of the master LDAP user account database
• Stores email locally for each user defined on this server
• Can handle email authentication requests
91
Sharing in a Distributed Environment
[Diagram: Master, two Slaves, Internet; users Alice, Bob and Carl; Contacts, Calendar and Folders shown twice]
93
Duties in a Distributed Environment
                                        MASTER   SLAVE
Stores email                            No       Yes
Maintains LDAP directory                Yes      Yes, but only a copy
Handles email authentication requests   Yes      Yes
94
Configuring Distributed Mail
On the master server:
1. Click Configuration → Distributed Mail
2. Select Master
3. Click “Set”
95
Configuring Distributed Mail (cont.)
On the master server:
1. Enter the slave server’s fully qualified domain name
2. Enter “admin”
3. Enter the admin password
4. Click “Add”
96
Configuring Distributed Mail (cont.)
[Screenshot callouts: LDAP notice; list of slave servers; new slave servers added here; this server’s role]
97
Configuring Distributed Mail
On the slave server(s):
1. Click Configuration → Distributed Mail.
2. Select Slave.
3. Click Set.
98
Configuring Distributed Mail (cont.)
On the slave server(s):
1. Enter the master server’s fully qualified domain name.
2. Enter “admin”.
3. Enter the admin password.
4. Click Add.
99
Reading Mail in a Distributed Environment
[Diagram: Client, Master and three Slaves]
Client: “I want to read my mail.”
Master: “You need to contact your slave server”
103
External Firewall Configuration
[Diagram: Internet, Firewall, SCOoffice Server]
Outlook: 21*, 25, 80/443*, 110/995, 143/993, 389/636
SMTP Server: 25
WebClient: 80/443
* Not used by Outlook Express
105
Internal Firewall Configuration
[Diagram: SCOoffice (master), Firewall, two SCOoffice (slave) servers]
Ports through the firewall: 25, 389/636, 143/993, 2003
106
Remote Office Firewall Configuration
[Diagram: SCOoffice (master), two SCOoffice (slave) servers, Firewall, Internet, three remote SCOoffice (slave) servers]
Ports through the firewall: 25, 389/636, 143/993, 2003
107
SCO OpenServer’s HTTP Servers
SCO OpenServer runs HTTP servers on ports:
  80 – SCOoffice Server’s HTTP server
  443 – SCOoffice Server’s HTTPS server
  615 – Internet Configuration Manager
  8457 – DocView: Access to SCO OpenServer documentation
108
Other SCOoffice Server Related Ports
SCOoffice Server runs daemons on ports:
  21 – ProFTP
  25 – SMTP
  110 – POP3
  143 – IMAP
  389 – OpenLDAP
  993 – IMAP4 over TLS/SSL
  995 – POP3 over TLS/SSL
  2000 – Cyrus master (sieve)
  2003 – Cyrus master (LMTP)
  2583 – MON
  4840 – SASLAUTHD
  4844 – SASLAUTHD
  10024 – AMaViS
109
Disallowing Open Relay
Don’t let server be used as an open relay
Numerous ways to prevent open relay
We will configure SASLAUTHD + TLS
  # telnet rose.example.net smtp
  220 rose.example.net ESMTP Postfix (2.0.20)
  HELO nuisance.spammer.net
  250 rose.example.net
  MAIL FROM: [email protected]
  250 Ok
  RCPT TO: [email protected]
  250 Ok
  ...
110
Disallowing Open Relay
Useful for blocking unwanted SMTP sessions:
  smtpd_client_restrictions
  smtpd_sender_restrictions
  smtpd_recipient_restrictions
Stored in LDAP
111
Disallowing Open Relay
Simple Authentication and Security Layer (SASL)
LOGIN authentication mechanism
  Base64 encoded username: bob
  Base64 encoded password: bpasswd
PLAIN authentication mechanism
  Base64 encoded: user+NULL+user+NULL+password
  bob\0bob\0bpasswd
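An added example, not part of the original slides: it decodes the LOGIN and PLAIN exchanges described above and reports whether AUTH was sent before STARTTLS, which is why the course pairs SASLAUTHD with TLS. The session lines are constructed sample data using the slide's bob / bpasswd values; the function names are hypothetical.

```python
import base64

# Constructed client-side command sequences (sample data). The credentials are
# the slide's own example values, bob / bpasswd.
PLAIN_NO_TLS = [
    "EHLO paper.example.org",
    "AUTH PLAIN " + base64.b64encode(b"bob\0bob\0bpasswd").decode("ascii"),
    "MAIL FROM:<bob@example.org>",
]
LOGIN_AFTER_TLS = [
    "EHLO paper.example.org",
    "STARTTLS",
    "EHLO paper.example.org",
    "AUTH LOGIN",
    base64.b64encode(b"bob").decode("ascii"),
    base64.b64encode(b"bpasswd").decode("ascii"),
]


def _decode(token):
    """Base64 is an encoding, not encryption: decoding needs no key."""
    return base64.b64decode(token.strip(), validate=True).decode("utf-8")


def audit_session(client_lines):
    """Report the AUTH mechanism used and whether it crossed the wire in clear.

    Returns a dict with mechanism, user, password and exposed (True when AUTH
    was sent before STARTTLS, so the credentials were readable in transit).
    """
    tls_active = False
    lines = iter(client_lines)
    for line in lines:
        words = line.split()
        verb = " ".join(words[:2]).upper()
        if verb == "STARTTLS":
            tls_active = True
        elif verb == "AUTH PLAIN":
            # The token is either an initial response or the next client line.
            token = words[2] if len(words) > 2 else next(lines)
            _authzid, user, password = _decode(token).split("\0", 2)
            return {"mechanism": "PLAIN", "user": user,
                    "password": password, "exposed": not tls_active}
        elif verb == "AUTH LOGIN":
            user = _decode(words[2] if len(words) > 2 else next(lines))
            password = _decode(next(lines))
            return {"mechanism": "LOGIN", "user": user,
                    "password": password, "exposed": not tls_active}
    return {"mechanism": None, "user": None, "password": None, "exposed": False}


if __name__ == "__main__":
    for name, session in (("PLAIN, no TLS", PLAIN_NO_TLS),
                          ("LOGIN after STARTTLS", LOGIN_AFTER_TLS)):
        print(name, audit_session(session))
```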
112
Disallowing Open Relay
SASL AUTHENTICATION
[Diagram: smtpd and imapd/pop3d (started by cyrusmaster) authenticate through saslauthd, which queries slapd]
smtpd
  …/lib/sasl2/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
imapd/pop3d
  …/etc/imapd.conf
    sasl_pwcheck_method: saslauthd
cyrusmaster
  …/etc/cyrus.conf
    imap cmd="imapd -p 2 …
    pop3 cmd="pop3d" …
    …
saslauthd
  …/etc/saslauthd.conf
    ldap_servers: ldap://127.0.0.1/
    ldap_filter: login=%u
slapd
113
Disallowing Open Relay
SASL Configuration on the Server
  smtpd_sasl_auth_enable = yes
  smtpd_sender_restrictions =
      check_sender_access ldap:ldapSenderAccess,
      permit_sasl_authenticated
  smtpd_recipient_restrictions =
      check_recipient_access ldap:ldapRecipientAccess,
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_unauth_destination
  broken_sasl_auth_clients = yes
  smtpd_sasl_security_options = noanonymous
  smtpd_delay_reject = yes
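An added sketch, not part of the original slides, of how the smtpd_recipient_restrictions list above is evaluated left to right and why reject_unauth_destination at the end closes the relay. LOCAL_DOMAINS, MYNETWORKS and the sample access entries are assumptions; the LDAP recipient map is modelled as a plain dict with full-address keys and relay_domains is taken to be empty.

```python
import ipaddress

# Assumed site values (not on the slides): domains this server is the final
# destination for, and the networks permit_mynetworks trusts.
LOCAL_DOMAINS = {"example.net"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]

# Restriction order exactly as on the slide.
SLIDE_RESTRICTIONS = [
    "check_recipient_access",
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
]


def evaluate_rcpt(client_ip, sasl_user, rcpt, access=None,
                  restrictions=SLIDE_RESTRICTIONS):
    """Return (decision, deciding restriction) for one RCPT TO.

    Restrictions are tried left to right; the first PERMIT or REJECT ends the
    evaluation, anything else falls through to the next restriction.
    """
    access = access or {}
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[-1]
    addr = ipaddress.ip_address(client_ip)
    for name in restrictions:
        if name == "check_recipient_access":
            action = access.get(rcpt, "DUNNO")  # simplified: full address only
            if action == "OK":
                return "PERMIT", name
            if action == "REJECT":
                return "REJECT", name
        elif name == "permit_sasl_authenticated":
            if sasl_user:
                return "PERMIT", name
        elif name == "permit_mynetworks":
            if any(addr in net for net in MYNETWORKS):
                return "PERMIT", name
        elif name == "reject_unauth_destination":
            if domain not in LOCAL_DOMAINS:
                return "REJECT", name
        else:
            raise ValueError("restriction not modelled: " + name)
    return "PERMIT", "end of list"


def demo():
    """Constructed cases: an outside client, an authenticated one, a LAN one."""
    outside = "203.0.113.7"
    return {
        "outside, relay attempt": evaluate_rcpt(outside, None, "carl@example.org"),
        "outside, authenticated": evaluate_rcpt(outside, "bob", "carl@example.org"),
        "LAN client": evaluate_rcpt("192.168.1.20", None, "carl@example.org"),
        "outside, local recipient": evaluate_rcpt(outside, None, "alice@example.net"),
        # An OK for a remote address in the recipient map is checked first, so
        # it permits relaying to that address before the relay check is reached.
        "OK entry for remote rcpt": evaluate_rcpt(
            outside, None, "carl@example.org", access={"carl@example.org": "OK"}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Because check_recipient_access comes first in the list, entries in that map for remote addresses are safest as REJECT or DUNNO rather than OK.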
114
Disallowing Open Relay
SASL Configuration on the Client
  smtp_sasl_auth_enable = yes
  smtp_sasl_password_maps =
      hash:/opt/insight/etc/postfix/sasl_passwd
  smtp_sasl_security_options = noanonymous
115
Disallowing Open Relay
Create /opt/insight/etc/postfix/sasl_passwd:
  example.net alice:apasswd
  example.org bob:bpasswd
Run postmap(1) after creating (or modifying) file
116
Disallowing Open Relay
TLS v1 is based on SSL v3
Encrypt SMTP traffic using TLS
X.509 certificates
117
Disallowing Open Relay
TLS Configuration on the Server
  smtpd_tls_cert_file = /opt/insight/etc/ssl/server.pem
  smtpd_tls_key_file = /opt/insight/etc/ssl/server.pem
  smtpd_tls_CAfile = /opt/insight/etc/ssl/server.pem
  smtpd_use_tls = yes
118
Disallowing Open Relay
TLS Configuration on the Client
  smtp_tls_cert_file = /opt/insight/etc/ssl/server.pem
  smtp_tls_key_file = /opt/insight/etc/ssl/server.pem
  smtp_tls_CAfile = /opt/insight/etc/ssl/server.pem
  smtp_use_tls = yes
119
Disallowing Open Relay
Using a Certificate Authority’s Certificate
  smtp_tls_CApath = /opt/insight/etc/ssl/ca_cert.pem
  smtpd_tls_CApath = /opt/insight/etc/ssl/ca_cert.pem
120
Disallowing Open Relay
To test to see if a mail server is an open relay:
  Log into the mail server
  telnet rt.njabl.org 2500
122
Other Restrictions
Other useful restrictions:
  smtpd_client_restrictions
  smtpd_helo_restrictions
  smtpd_sender_restrictions
See www.postfix.org/uce.html
123
Using smtpd_client_restrictions
In main.cf:
  smtpd_client_restrictions =
      check_client_access hash:/opt/insight/etc/postfix/smtp_clients,
      permit
In /opt/insight/etc/postfix/smtp_clients:
  192.168.1.1 OK
  192.168.1.2 PERMIT
  192.168.1.3 REJECT
  192.168.1.123 REJECT
  192.168.1.0/24 OK
  example.net OK
  paper.example.org DUNNO
  example.org REJECT
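An added example, not part of the original slides, of the key order Postfix documents in access(5) for indexed tables such as hash: (host name, parent domains, then the address with trailing octets stripped). It assumes the default parent_domain_matches_subdomains setting; client names and the 203.0.113.x addresses are constructed. Run over the slide's table, it shows that the 192.168.1.0/24 key is never one of the lookup keys, because network/netmask patterns belong in a cidr: table.

```python
# The slide's smtp_clients table, as a hash: map would hold it.
SMTP_CLIENTS = {
    "192.168.1.1": "OK",
    "192.168.1.2": "PERMIT",
    "192.168.1.3": "REJECT",
    "192.168.1.123": "REJECT",
    "192.168.1.0/24": "OK",
    "example.net": "OK",
    "paper.example.org": "DUNNO",
    "example.org": "REJECT",
}


def candidate_keys(hostname, address):
    """Lookup keys in the order an indexed access table is searched.

    hostname is None when the client has no verified name.
    """
    keys = []
    if hostname:
        labels = hostname.lower().split(".")
        # host.sub.domain.tld, sub.domain.tld, domain.tld, tld
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = address.split(".")
    # a.b.c.d, a.b.c, a.b, a  (never a/prefix-length form)
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def check_client_access(table, hostname, address):
    """Return (matching key, action), or (None, None) when nothing matches.

    The first key found ends the search; a DUNNO result therefore shields a
    host from a broader entry (paper.example.org vs. example.org).
    """
    for key in candidate_keys(hostname, address):
        if key in table:
            return key, table[key]
    return None, None


def with_octet_prefix(table):
    """Same table with the /24 entry written in the form hash: can match."""
    fixed = {k: v for k, v in table.items() if k != "192.168.1.0/24"}
    fixed["192.168.1"] = "OK"
    return fixed


if __name__ == "__main__":
    clients = [
        ("mail.example.net", "203.0.113.9"),
        ("paper.example.org", "203.0.113.10"),
        ("pen.example.org", "203.0.113.11"),
        (None, "192.168.1.3"),
        (None, "192.168.1.77"),
    ]
    for host, addr in clients:
        print(host, addr, "->", check_client_access(SMTP_CLIENTS, host, addr))
    print("octet form:", check_client_access(
        with_octet_prefix(SMTP_CLIENTS), None, "192.168.1.77"))
```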
124
Using smtpd_helo_restrictions
Restrictions:
  check_helo_access
  reject_invalid_hostname
  reject_non_fqdn_hostname
  reject_unknown_hostname
In main.cf:
  smtpd_helo_restrictions = reject_invalid_hostname,
      check_helo_access hash:/opt/insight/etc/postfix/helo
In /opt/insight/etc/postfix/helo:
  example.org OK
  example.net REJECT
126
Creating a Chroot Jail
A chroot jail adds a layer of protection
Limits daemon(s) to /opt/insight/var/spool/postfix
Set the fifth field in master.cf to ‘y’
128
Address Rewriting
/opt/insight/etc/postfix/main.cf:
  sender_canonical_maps = hash:/opt/insight/etc/postfix/canonical_sender
  recipient_canonical_maps = hash:/opt/insight/etc/postfix/canonical_recipient
/opt/insight/etc/postfix/canonical_sender:
  [email protected]@[email protected]
  [email protected]@[email protected]
/opt/insight/etc/postfix/canonical_recipient:
  [email protected]@[email protected]
  [email protected]@[email protected]
129
Hiding Host Names
Masquerading intentionally hides internal hostnames
[email protected] [email protected]
In main.cf:
  masquerade_domains = example.org
130
Hiding Host Names
Masquerading intentionally hides internal hostnames
[email protected] [email protected]
In main.cf:
  masquerade_domains = example.com, example.net,
      example.org, !sales.example.com
  masquerade_exceptions = alice, bob
131
Directing Email Sent to Unknown Users
Email sent to unknown users:
  Returned to sender by default
  Can be directed to an email user or alias
Beware of spammers
In main.cf:
  luser_relay = alice
  local_recipient_maps =
132
Relocating Users and Domains
Relocation maps used when users or domains move
Configure relocation rules in main.cf:
relocated_maps = hash:/opt/insight/etc/postfix/relocated
Define relocation rules in lookup table:
[email protected]@example.net
@example.org example.net
134
Types of Aliases
Postfix supports numerous types of aliases
SCOoffice Server stores aliases two ways
  Stored in LDAP
  Stored in a file
135
Types of Aliases
From /opt/insight/etc/postfix/main.cf:
  alias_maps = hash:/opt/insight/etc/mail/aliases
  alias_database = hash:/opt/insight/etc/mail/aliases
  local_recipient_maps = $alias_maps ldap:ldapsource
136
Types of Aliases
From /opt/insight/etc/mail/aliases:
MAILER-DAEMON:[email protected]: [email protected]:[email protected]:[email protected]: [email protected]:[email protected]: [email protected]:[email protected]: [email protected]
137
Types of Aliases
Process alias files with postalias(1):
# postalias hash:/opt/insight/etc/mail/aliases
Reload Postfix if a new alias lookup table is added to main.cf:
# postfix reload
138
Exercise: Adding a New Alias File
Edit /opt/insight/etc/postfix/aliases
Process the alias file
Reload Postfix
140
Postfix Mail Delivery
[Diagram of Postfix mail delivery: sendmail, postdrop, maildrop, pickup, smtpd, cleanup, trivial-rewrite, incoming, qmgr, active, local, smtp, pipe, bounce; incoming messages]
145
Creating Mail Folders (cont.)
User’s view:
  Name the folder
  Specify where to create the folder
  Specify the type of folder
  Click on “Create”
146
Location of Mail Folders in Filesystem
Advantages
  Each email message is stored as a separate file
  If one file becomes corrupted, the whole data store is not corrupted
  Easy to restore a single email message
  Can rebuild a single user’s inbox
147
Working with Mail Folders
Click on Accounts → View Accounts
Select the users whose mail folders you want to see
148
Working with Mail Folders (cont.)
While viewing the user’s account information, click on “View Mail Folders”
149
Reconstructing Mail Folders
To reconstruct the user’s mail folders, click on the “Reconstruct all mail folders” button
150
Setting Access Control Lists
To set ACLs for a specific mail folder:
  Select a user or a group (e.g. Anyone)
  Define the ACLs (default is l,r,s)
  Click on “Add ACL”
153
Configuring MX Records
MX records in DNS instruct mail servers where to direct email messages
  example.com IN MX 10 elm.example.com.
  example.com IN MX 20 spruce.example.com.
  example.com IN MX 30 oak.example.com.
Fields: domain name, class, type, preference, hostname
154
Querying MX Records
When debugging problems exchanging email with other domains, query MX records
Use nslookup(1)
Specify “set querytype=MX”
[Screenshot callouts numbered 1 to 4]
155
Configuring a Relay Host
A relay host enables email delivery to be centralized
In main.cf:
  relayhost = oak.example.com
or
  relayhost = 192.168.1.17
157
ClamAV
[Architecture diagram: SCO OpenServer, Postfix, Apache, ProFTP, OpenLDAP, Cyrus IMAP, AMaViS, SpamAssassin, ClamAV]
158
Updating ClamAV Virus Definitions
Virus definitions are updated automatically
Cron job runs /opt/insight/bin/freshclam
Virus definition files:
  /opt/insight/share/clamav/main.cvd
  /opt/insight/share/clamav/daily.cvd
See freshclam(1)
159
Exercise: Updating Virus Definitions
Consult the freshclam(1) manual page
Instruct freshclam(1) to download latest virus definitions into a directory
View the contents of the directory
See the latest virus definitions at www.clamav.net.
160
Adding 3rd Party Anti-Virus Scanners
[Architecture diagram: SCO OpenServer, Postfix, Apache, ProFTP, OpenLDAP, Cyrus IMAP, AMaViS, SpamAssassin, ClamAV; Sophos shown in place of ClamAV]
161
Adding 3rd Party Anti-Virus Scanners (cont.)
To replace ClamAV with Sophos:
  Download and install Sophos
  Comment out ClamAV lines in /opt/insight/etc/amavisd.conf
  Uncomment Sophos lines in /opt/insight/etc/amavisd.conf
  Restart AMaViS
162
Exercise: 3rd Party Anti-Virus Scanners
View amavisd.conf comments which explain:
  The syntax of @av_scanners entries
  The relationship between @av_scanners and @av_scanners_backup
165
SpamAssassin
[Architecture diagram: SCO OpenServer, Postfix, Apache, ProFTP, OpenLDAP, Cyrus IMAP, AMaViS, SpamAssassin, ClamAV]
166
SpamAssassin
SpamAssassin uses numerous tests
SpamAssassin is configured in:
  /opt/insight/etc/mail/local.cf
  /opt/insight/share/spamassassin/*.cf
Do not modify files in share/spamassassin
After modifying configuration files, run:
  spamassassin --lint
  /opt/insight/etc/rc/amavisd restart
167
SpamAssassin
Every SpamAssassin administrator should know:
  required_hits
  report_contact
  report_safe
  Whitelisting
  Blacklisting
168
SpamAssassin
Customizing headers
  SpamAssassin headers begin “X-Spam”
  X-Spam-Checker-Version is mandatory
  Modify headers with:
    remove_header
    clear_headers
    add_header
169
SpamAssassin
Report message:

Spam detection software, running on the system "_HOSTNAME_", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
_CONTACTADDRESS_ for details.

Content preview: _PREVIEW_

Content analysis details: (_HITS_ points, _REQD_ required)

" pts rule name description"
 ---- --- ------------------ --------------------------------------------
_SUMMARY_
170
SpamAssassin
Spamtrap message:

Subject: this address is no longer available

[this message has been automatically generated]

Please note that this address is no longer in use, and nowadays
receives nothing but unsolicited commercial mail. Accordingly,
any mail sent to it is added to several spam-tracking databases,
then automatically deleted.

If you genuinely want to contact the owner of the address, please
re-check your contact lists, or search the web, to find their
current e-mail address.

The mail you sent is reproduced in full below, for resending to
the correct address. Sorry for the inconvenience!

[-- Signed: the SpamAssassin mail filter]
171
SpamAssassin
Unsafe_report message:

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.
173
SpamAssassin
Header test example:
  header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
Callouts: name of rule (NO_REAL_NAME), header to match (From), Perl regex operator (=~), Perl regular expression
174
SpamAssassin
Header test definitions only define the test
Header test definitions don’t define:
  The test’s description
  The test’s score
20_head_tests.cf specifies:
  header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
  describe NO_REAL_NAME From: does not include a real name
50_scores.cf specifies:
  score NO_REAL_NAME 0.339 0.285 0.339 0.160
[Callout on one of the four scores: SCOoffice uses this score]
175
SpamAssassin
Meta-match (boolean expression)
  body CLICK_BELOW_CAPS /CLICK\s.{0,30}(?:HERE|BELOW)/s
  describe CLICK_BELOW_CAPS Asks you to click below (in capital letters)
  body __CLICK_BELOW /click\s.{0,30}(?:here|below)/is
  meta CLICK_BELOW (__CLICK_BELOW && !CLICK_BELOW_CAPS)
  describe CLICK_BELOW Asks you to click below
176
SpamAssassin
Meta-match (boolean arithmetic expression)
  body __NIGERIAN_CODE_CONDUCT /\bcode of conduct\b/i
  body __NIGERIAN_CIV_SERVICE /\bcivil service\b/i
  body __NIGERIAN_TOP_SECRET /\btop secret\b/i
  body __NIGERIAN_HONESTY /\btransparent honesty\b/i
  meta NIGERIAN_BODY_GOVT ((__NIGERIAN_CODE_CONDUCT + __NIGERIAN_CIV_SERVICE + __NIGERIAN_TOP_SECRET + __NIGERIAN_HONESTY) >= 2)
  describe NIGERIAN_BODY_GOVT Message body has many indications of nigerian scam
  score NIGERIAN_BODY_GOVT 2.900 2.800 2.800 2.700
177
Quarantining Viruses and Spam
By default, SCOoffice Server:
  Quarantines messages containing viruses
  Does not quarantine messages containing spam
179
Quarantining Viruses and Spam
Headers added to messages containing spam:
  X-Virus-Scanned
  X-Spam-Status
  X-Spam-Level
  X-Spam-Flag
  Subject
180
Quarantining Viruses and Spam
AMaViS can be configured to quarantine spam
Configured in amavisd.conf:
  $final_spam_destiny
  $QUARANTINEDIR
  $spam_quarantine_to
181
Quarantining Viruses and Spam
To quarantine spam to a directory, configure amavisd.conf:
  $final_spam_destiny = D_PASS;
  $QUARANTINEDIR = '/opt/insight/var/virusmails';
  $spam_quarantine_to = 'spam-quarantine';
182
Header Checks
To block emails based on headers:
In /opt/insight/etc/postfix/main.cf:
  header_checks = pcre:/opt/insight/etc/postfix/header_checks
In /opt/insight/etc/postfix/header_checks:
  /^subject: known_message_subject/ REJECT
183
Blocking Attachments by Extension
To block emails containing .exe, .bat, etc. attachments:
In /opt/insight/etc/postfix/main.cf:
  header_checks = pcre:/opt/insight/etc/postfix/header_checks
In /opt/insight/etc/postfix/header_checks:
  /^content-type:.*name[[:space:]]*=.*\.(exe|bat)/
      REJECT Rejected file extension: $1
185
Mon Overview
What is Mon?
  Mon is a general purpose service monitor
  Mon schedules monitors
  Mon provides a multitude of alert methods
  Mon is extensible
SCOoffice Server uses Mon to monitor:
  HTTP
  LDAP
  FTP
  SMTP
  IMAP
  POP3
186
Mon Monitor facilities
Monitor scripts provided by Mon:
  dns.monitor
  ftp.monitor
  http.monitor
  imap.monitor
  ldap.monitor
  ping.monitor
  pop3.monitor
  smtp.monitor
  tcp.monitor
  telnet.monitor
Monitor scripts are stored in /opt/insight/mon/mon.d
187
Mon Alert Methods
Alert scripts provided by Mon:
  file.alert
  mail.alert
  remote.alert
Alert scripts are stored in /opt/insight/mon/alert.d
188
The MON configuration file
MON is configured in /opt/insight/mon/etc/mon.cf

  maxprocs = 20
  randstart = 60s

  hostgroup building1 elm.example.com oak.example.com
  hostgroup building2 spruce.example.com maple.example.com

  watch building1
      service ftp
          interval 1m
          monitor ftp.monitor
          period wd {Sun-Sat}
              alert file.alert /opt/insight/logs/mon_ftp.log
              alert mail.alert [email protected]
              alertevery 1h
192
Managing Disk Space
Strategies for managing disk space usage:
  Setting maximum message size
  Restricting attachments
  Imposing quotas
  Setting mailbox expire values
  Setting logging levels
  Pruning log files
194
Guarding Backups
Backups are stored in /opt/insight/htdocs/is4web/tar
Protected by .htaccess in that directory
Beware of:
  Missing .htaccess
  Modified .htaccess
  World writable .htaccess
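An added example, not part of the original slides: a check for the three conditions listed above (missing, modified, world-writable .htaccess) that could be run from cron against the backup directory. The function names are hypothetical, the baseline digest is assumed to have been recorded when the file was known good, and the demo builds its own temporary directory with constructed file content instead of touching /opt/insight.

```python
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit_htaccess(directory, expected_sha256=None):
    """Return a list of findings for <directory>/.htaccess (empty = clean)."""
    path = os.path.join(directory, ".htaccess")
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink left in its place
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if expected_sha256 is not None and _sha256(path) != expected_sha256:
        findings.append("modified")
    # A world-writable directory lets any local user replace the file.
    if os.stat(directory).st_mode & stat.S_IWOTH:
        findings.append("directory world-writable")
    return findings


def demo():
    """Walk one temporary directory through the slide's three failure cases."""
    results = {}
    with tempfile.TemporaryDirectory() as tar_dir:
        results["missing"] = audit_htaccess(tar_dir)

        path = os.path.join(tar_dir, ".htaccess")
        with open(path, "w") as fh:
            fh.write("deny from all\n")  # constructed content, not SCOoffice's
        os.chmod(path, 0o640)
        baseline = _sha256(path)
        results["intact"] = audit_htaccess(tar_dir, baseline)

        with open(path, "a") as fh:
            fh.write("allow from all\n")
        results["modified"] = audit_htaccess(tar_dir, baseline)

        os.chmod(path, 0o646)
        results["world_writable"] = audit_htaccess(tar_dir, baseline)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "clean")
```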
196
Log Files
SCOoffice uses the following log files:
  /var/adm/syslog
  /opt/insight/logs/amavis.log
  /opt/insight/logs/freshclam.log
  /opt/insight/logs/access_log
  /opt/insight/logs/error_log
197
Log Files
Component              Syslogd Facility
Cyrus IMAP and POP3    local6
Postfix                mail
SASLAUTHD              auth
ProFTPD                authpriv
slapd/slurpd           local4
198
Log Files
Where to specify logging levels:
  /etc/syslog.conf
  /opt/insight/etc/postfix/master.cf
  /opt/insight/etc/postfix/main.cf
  /opt/insight/etc/amavisd.conf
  /opt/insight/etc/clamav.conf
  /opt/insight/etc/freshclam.conf
  /opt/insight/etc/apache/httpd.conf
199
Log Files
Events to monitor in syslog:
Monitor SMTPD connections:
  egrep "[^s]connect from|client=" /var/adm/syslog
Monitor bounced messages:
  grep status=bounced /var/adm/syslog
Monitor deferred messages:
  grep status=deferred /var/adm/syslog
Monitor address rewriting:
  grep orig_to /var/adm/syslog
Monitor SASLAUTHD failures:
  grep "auth failure" /var/adm/syslog
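An added example, not part of the original slides: the five grep searches above combined into one pass that counts events and flags accounts with repeated SASLAUTHD failures. The log lines are constructed samples in the general shape Postfix and saslauthd write to syslog; the threshold of 3 and all names in the code are assumptions.

```python
import re
from collections import Counter

# Constructed syslog lines (sample data; hosts, queue IDs and addresses are
# made up for this example).
SAMPLE_SYSLOG = """\
Mar  3 10:00:01 rose postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Mar  3 10:00:02 rose postfix/smtpd[2101]: 4F2A1: client=unknown[203.0.113.7]
Mar  3 10:00:03 rose postfix/smtpd[2101]: disconnect from unknown[203.0.113.7]
Mar  3 10:00:05 rose postfix/smtp[2110]: 4F2A1: to=<carl@example.org>, relay=paper.example.org[192.0.2.25], delay=1, status=bounced (host paper.example.org[192.0.2.25] said: 550 User unknown)
Mar  3 10:01:00 rose postfix/smtp[2111]: 5A3B2: to=<dana@example.com>, relay=none, delay=30, status=deferred (connect to elm.example.com[192.0.2.30]: Connection refused)
Mar  3 10:02:00 rose postfix/local[2120]: 6C4D3: to=<alice@example.net>, orig_to=<postmaster@example.net>, relay=local, delay=0, status=sent (mailbox)
Mar  3 10:03:00 rose saslauthd[1501]: do_auth         : auth failure: [user=bob] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]
Mar  3 10:03:02 rose saslauthd[1501]: do_auth         : auth failure: [user=bob] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]
Mar  3 10:03:04 rose saslauthd[1501]: do_auth         : auth failure: [user=bob] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
Mar  3 10:04:00 rose saslauthd[1501]: do_auth         : auth failure: [user=alice] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
Mar  3 10:05:00 rose postfix/smtpd[2130]: connect from daisy.example.net[192.168.1.20]
""".splitlines()

# "[^s]connect from" is the slide's trick for skipping "disconnect from".
CONNECT = re.compile(r"[^s]connect from \S+\[([^\]]+)\]")
STATUS = re.compile(r"\bstatus=(bounced|deferred)\b")
# \b keeps "to=" from matching inside "orig_to=".
REWRITE = re.compile(r"\bto=<([^>]*)>, orig_to=<([^>]*)>")
AUTHFAIL = re.compile(r"auth failure: \[user=([^\]]*)\]")


def summarize(lines, auth_fail_threshold=3):
    """Count the events the slide greps for and flag noisy accounts."""
    report = {
        "connects": Counter(),       # client IP -> SMTP connections
        "bounced": 0,
        "deferred": 0,
        "rewritten": [],             # (original recipient, rewritten recipient)
        "auth_failures": Counter(),  # user -> SASLAUTHD failures
    }
    for line in lines:
        m = CONNECT.search(line)
        if m:
            report["connects"][m.group(1)] += 1
        m = STATUS.search(line)
        if m:
            report[m.group(1)] += 1
        m = REWRITE.search(line)
        if m:
            report["rewritten"].append((m.group(2), m.group(1)))
        m = AUTHFAIL.search(line)
        if m:
            report["auth_failures"][m.group(1)] += 1
    report["flagged_users"] = sorted(
        user for user, count in report["auth_failures"].items()
        if count >= auth_fail_threshold)
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SYSLOG).items():
        print(key, "=", value)
```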
201
Creating Backups
Administrators can back up:
  SCOoffice Server configuration
  LDAP directory
  IMAP datastore
Backup scripts stored in: /opt/insight/htdocs/is4web/cron
Restore scripts stored in: /opt/insight/htdocs/is4web/bin
202
Restoring and Uploading Backup Files
Restore backups
Download backups from server to local hard drive
Upload backups from local hard drive to server
Delete backups
203
Creating Backups
Backup scripts: /opt/insight/htdocs/is4web/cron
Restore scripts: /opt/insight/htdocs/is4web/bin
Backups are compressed cpio archives
Third party backup software can be integrated into the web console
205
Microsoft Outlook® Setup
Single Click configuration
Manual Connector installation
Sharing folders
Manual Address Book installation
Automated Installation