Random Projects: Sendmail/MailScanner Gateway

Overview: This page describes the implementation of a secure virus-scanning gateway to protect an insecure mail server, such as one of those put forth by that company in Washington State. It is cheap, quick, easy, and very reliable.

Design: The gateway mail server should be reachable at a public IP address. The MX record for the domain in question should point to the gateway. Sendmail on the gateway passes mail from its incoming queue to MailScanner, which can scan it with any command-line virus scanner. I use McAfee, but I hear Sophos is quite good. The gateway box then looks up, using an internal DNS server, where to send the mail and delivers it.

Components:

  1. External DNS: External DNS points the MX record for your domain to the external interface of the gateway.
  2. Gateway:
    1. OS: Linux or BSD.
    2. Mail Transfer Agent: Sendmail comes installed. While I like Postfix better, MailScanner works well with Sendmail by default.
    3. MailScanner: MailScanner is a very good set of Perl scripts. It installs easily on a Linux box and requires minimal configuration. Run Sendmail by starting MailScanner. It will start two Sendmail processes, one for an incoming queue and one for an outgoing queue, and pass files between them. Almost all configuration items are in $MAILSCANNER_DIRECTORY/etc/mailscanner.conf.
    4. Anti-Virus: There are several good anti-virus packages out there. I like McAfee, but I hear Sophos is good. MailScanner is set up for either, but prefers Sophos. These scanners can also scan your Samba servers, which is awfully nice.
    5. Optional Web/IMAP client: You can also put a web/IMAP client on this box, using Apache/mod_ssl and something like SquirrelMail, for a good external mail access solution.
  3. Internal DNS: Internal DNS points MX for your domain to your mail server.
  4. Mail Server: This can be anything. Most likely, if you're going to all this effort, it's because you have one of those insecure mail servers which some jerk decided to integrate with a calendaring system. The key configuration here is that all mail should be relayed through the internal interface of the gateway.
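
An added example, not part of the original page: a shell check that the two DNS views match the design above, with the external MX naming only the gateway and the internal MX naming only the mail server. The host names, resolver addresses and the "exactly one MX per view" rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify the split-horizon MX layout described on this page.
# All host names and resolver addresses below are constructed placeholders.

# mx_hosts: read `dig +short MX` output ("<pref> <host>." per line) on stdin
# and print the hosts lowercased, without the trailing dot, sorted and unique.
mx_hosts() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { h = tolower($2); sub(/\.$/, "", h); print h }' |
        sort -u
}

# check_view LABEL EXPECTED_HOST: read one DNS view's MX output on stdin.
# Succeeds only if the view publishes exactly one MX target, EXPECTED_HOST.
check_view() {
    label=$1
    expected=$2
    hosts=$(mx_hosts)
    if [ -z "$hosts" ]; then
        echo "FAIL $label: no MX records returned"
        return 1
    fi
    if [ "$hosts" != "$expected" ]; then
        echo "FAIL $label: MX is [$(echo $hosts)], expected only $expected"
        return 1
    fi
    echo "OK   $label: MX -> $expected"
}

# Live use (needs dig and reachable resolvers; addresses are placeholders):
#   dig +short MX example.com @198.51.100.53 | check_view external gateway.example.com
#   dig +short MX example.com @10.0.0.53     | check_view internal mail.example.com

# Constructed sample output standing in for the two dig queries above.
printf '10 gateway.example.com.\n' | check_view external gateway.example.com
printf '10 mail.example.com.\n'    | check_view internal mail.example.com

# Misconfiguration: the internal server is also published externally, so
# outside senders can deliver to it directly and skip the scanner.
printf '10 gateway.example.com.\n20 mail.example.com.\n' |
    check_view external gateway.example.com || true
```

A failing external check means mail has a path around the scanner; the mail server should also accept SMTP only from the gateway's internal interface so that a stale or guessed address cannot be used instead.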