1 SCOoffice Server 4.1 Administration Brian Watrous President & CEO ATCS, Inc.

Presentation transcript:

1 SCOoffice Server 4.1 Administration Brian Watrous President & CEO ATCS, Inc.

2 Modules
1. Overview of SCOoffice Server
2. Installing and Upgrading to SCOoffice Server
3. Configuring and Managing SCOoffice Server
4. Managing a Distributed Environment
5. Securing SCOoffice Server

3 Modules
6. Managing Recipients and Aliases
7. Managing Mail Queues
8. Managing Private and Public Folders
9. Managing Routing
10. Managing Virus Protection
11. Managing Spam Filtering
12. Performing Preventive Maintenance
13. Planning for and Recovering from Disasters

4 How this Course is Designed  Task oriented  Hands-on exercises  Certification exam  Prerequisites  Windows  SCO OpenServer  TCP/IP  PlaceWare training

5 How this Course is Designed  Course uses RFC2606 style domain names: elm spruce oak rose daisy poppy paper pen staple example.com example.net example.org

6 Module 1 Overview of SCOoffice Server

7 Overview SCOoffice Server SCOoffice Address Book™ Desktop componentsServer components SCOoffice Connector™ Microsoft Outlook ® SCOoffice WebClient Web Browser

8 Overview  SCOoffice Server  Internet  Real-time collaboration  Integrated anti-virus  Junk Prevention  Easy Administration  User Profile Management  Server Side Filtering  Migration Tools  Single-click Configuration

9 Overview  WebClient  Internet client  Meeting scheduling capabilities  Shares folders: , calendars, contacts, and tasks  Interface similar to Microsoft Outlook.

10 Overview  Connector  Plug-in for Microsoft Outlook ®  Shared public and private folders  Supports special folder types  Fine grained folder access controls

11 Overview  Address Book  Plug-in for Microsoft Outlook  Works with any LDAP server  Provides native Outlook global-address book look and feel

12 SCOoffice Architecture SCO OpenServer Postfix Apache ProFTP OpenLDAP Cyrus IMAP AMaViS Spam Assassin ClamAV

13 SCOoffice Architecture SCO OpenServer Postfix Apache ProFTP OpenLDAP Cyrus IMAP AMaViS Spam Assassin ClamAV

14 Helpful URLs TechnologyHomepage Postfixhttp:// Apachehttp:// Cyrus IMAPhttp://asg.web.cmu.edu.cyrus OpenLDAPhttp:// ProFTPDhttp:// MONhttp:// AMaViShttp:// SpamAssassinhttp:// Clam AntiVirushttp://

15 Starting SCOoffice Server P86insightserver 1 insightserver 2 saslauthd 3 slurpd 3 slapd 3 clamd 3 amavisd 3 postfix 3 cyrus 3 apache 3 proftpd 3 mon 3 mon 19 mon.d scripts 20* alert.d scripts 21* clamd 7 slapd 4 slurpd 5 saslauthd 6 amavisd 8 postfix 11 cyrus master 13 imapd 14 pop3d 15 apachectl 16 httpd 17 proftpd 18 clamscan 9* spamassassin 10* qmgr 12* pickup 12* cleanup 12* trivial-rewrite 12* local 12* flush 12* smtpd 12*

16 Starting SCOoffice Server (cont.) P86insightserver 1 insightserver 2 saslauthd 3 slurpd 3 slapd 3 clamd 3 amavisd 3 postfix 3 cyrus 3 apache 3 proftpd 3 mon 3 mon 19 mon.d scripts 20* alert.d scripts 21* clamd 7 slapd 4 slurpd 5 saslauthd 6 amavisd 8 postfix 11 cyrus master 13 imapd 14 pop3d 15 apachectl 16 httpd 17 proftpd 18 clamscan 9* spamassassin 10* qmgr 12* pickup 12* cleanup 12* trivial-rewrite 12* local 12* flush 12* smtpd 12*

17 Module 2 Installing and Upgrading SCOoffice Server

18 Planning and Installation  Planning a SCOoffice Server Overview  System Requirements  Kernel Tuning  Changes Made to Your System  Network Considerations  Domain Layout  Installing SCOoffice Server

19 Installing SCOoffice Server  SCOoffice Server 4.1 is CUSTOM installable  Consult the installation guide for kernel tuning parameters  Make sure your DNS is configured correctly

20 Changes Made to Your System
Directory                     Purpose
/opt/insight                  SCOoffice Server installation directory
/opt/insight/var/spool/imap   User mail storage directory
/opt/insight/etc              Configuration file directory
/opt/insight/log              Log file directory

21 1. Login as root

22 2. Click on Software Manager

23 3. Software Manager Opens

24 4. Install New Software

25 5. From Server Name

26 6. Select Media Images CD-ROM Drive 0

27 7. Click Install

28 8. Click Continue to Upgrade Sendmail

29 9. Installation Continues

Input License Information

License Install – Success

Kernel Tuning for Unix Logins

Rollback Sendmail Patches

Installation Proceeds

Installation Complete

36 Module 3 Configuring and Managing SCOoffice Server

37 Migration Wizard  Migrate mail from an existing server (server-to-server)  Import mail from an existing PST file  Import mail from an existing MBOX file  Import from an RFC 2849 LDIF file  Import from an /etc/shadow file

38 SCOoffice Server Configuration  Default admin password is “admin”  Change this password immediately!  To change admin’s password:  Click on Accounts  View Accounts  Click on the administrator  Type in a new password  Click Update at the end of the page

39 After Installing SCOoffice Server  The “admin” account is not allowed to use the WebClient  Can point mail aliases to other account(s)

40 SCOoffice Server Configuration  Working with accounts  Creating domains  Creating groups  Creating users  Creating resources  Working with Aliases  Creating aliases  System aliases  Working with Mail Folders  Viewing User Mail Folders  Creating Mail Folders

41 Creating Domains  Click on Accounts  Create Domain

42 Creating Domains (cont.)  Specify name for the domain  At the end of the page click Create  Creating domains is optional

43 Creating Groups Click on Accounts  Create Group

44 Creating Groups  Select the distinguished name (DN) of the container in which the new group will reside  Fill in all required information  Group name  At the end of the page, click Create

45 Creating Groups

46 Creating Groups

47 Creating Users  Click on Accounts  Create User These hypertext links can also be used to create users, domains, groups, etc.

48 Creating Users  Select an organization or group  Fill in all required information  Login  Password  Last Name  At the end of the page click Create  User’s mailbox is created by default  User’s quota is not set by default  Access to WebClient is granted by default

49 Creating Resources Click on Accounts  Create Resource

50 Creating Resources (cont.)  Select a container  Fill in all required information  Login  Password  Last Name  At the end of the page click Create  Resources mailbox is created by default  Resources quota is not set by default  Access to WebClient is granted by default

51 Creating Aliases Click on Aliases  Create Alias

52 Creating Aliases (cont.)  Working with Aliases (cont)  Select a container/domain  Give it a name  Is it Open or Restricted  Open: everyone can subscribe to the alias  Restricted: alias owner allows/restricts alias members

53 Creating Aliases (cont.)  Working with Aliases (cont)  Who owns the alias  click on Browse to select owners  Who are the members  click on Browse to select the members  Click on Create

54 Working with System Aliases Click on Aliases  System Aliases

55 Working with System Aliases (cont.)  Check the select box you want to change  Then either:  Type another user‘s address, or  Type a comma-separated list of addresses

56 WebClient Setup  Access Control  Preferences

57 WebClient Setup To control access to the WebClient when creating a user:  Scroll to the bottom  Enabled by default  To restrict access, uncheck the “Access WebClient” box

58 WebClient Setup To control access to the WebClient for an existing user:  Click on WebClient  Access Controls

59 WebClient Setup To control access to the WebClient for an existing user:  Check to grant WebClient access to a user  Uncheck to deny WebClient access to a user  Click on “Change Access”

60 WebClient Setup  Preferences  As a user, run the WebClient  Click preferences

61 WebClient Preferences Viewing pane

62 WebClient Preferences

63 WebClient Preferences

64 Configuration Files
Technology       Configuration File
Postfix          /opt/insight/etc/postfix/main.cf
                 /opt/insight/etc/postfix/master.cf
Apache           /opt/insight/etc/apache/httpd.conf
Cyrus IMAP       /opt/insight/etc/cyrus.conf
                 /opt/insight/etc/imapd.conf
OpenLDAP         /opt/insight/etc/openldap/ldap.conf
ProFTPD          /opt/insight/etc/proftpd.conf
MON              /opt/insight/mon/etc/mon.cf
AMaViS           /opt/insight/etc/amavisd.conf
SpamAssassin     /opt/insight/etc/mail/spamassassin/local.cf
Clam AntiVirus   /opt/insight/etc/clamav.conf

65 Configuring Services Services Apache Cyrus IMAP OpenLDAP Postfix ProFTPD

66 Configuring Apache All changes are saved to /opt/insight/etc/apache/httpd.conf

67 Configuring Cyrus IMAP All changes are saved to /opt/insight/etc/cyrus.conf

68 Configuring OpenLDAP All changes are saved to /opt/insight/etc/openldap/slapd.conf

69 Configuring Postfix All changes are saved to /opt/insight/etc/postfix/main.cf

70 Configuring ProFTPD All Changes are saved to /opt/insight/etc/proftpd.conf

71 Modifying Advanced Parameters  Apache, Cyrus, Postfix, etc. have numerous configurable parameters  Postfix, alone, has more than 300 parameters!  SCOoffice Server optimizes these parameters  Some parameters can be adjusted in the web console by clicking on Configuration  Services

72 /opt/insight/htdocs/is4web/xml/SCOconfig.xml: Modifying Advanced Parameters (cont.) tags in SCOconfig.xml specify which parameters are configurable

73 Modifying Advanced Parameters (cont.)  Use the web console to change parameters!  Do not edit these files directly:  /opt/insight/etc/imapd.conf  /opt/insight/etc/openldap/slapd.conf  /opt/insight/etc/postfix/main.cf  /opt/insight/etc/apache/httpd.conf  /opt/insight/etc/proftpd.conf

74 Adding Cyrus Partitions SCO OpenServer Postfix Apache ProFTP OpenLDAP Cyrus IMAP AMaViS Spam Assassin ClamAV

75 Adding Cyrus Partitions Administrators add Cyrus partitions to:  Increase disk space  Spread I/O

76 Adding Cyrus Partitions
Add and mount disk drive(s)
Create directory:
mkdir -p /some/other/directory/users
In /opt/insight/etc/imapd.conf:
partition-default: /opt/insight/var/spool/imap
partition-1: /some/other/directory
defaultpartition: default
Restart Cyrus:
/opt/insight/etc/rc/cyrus restart

77 Adding Cyrus Partitions  Backup scripts back up the default partition  Backup scripts do not back up new Cyrus partitions

78 Reclaiming Ports 80 and 443 SCO OpenServer Postfix Apache ProFTP OpenLDAP Cyrus IMAP AMaViS Spam Assassin ClamAV

79 Reclaiming Ports 80 and 443  By default, SCOoffice Server utilizes ports 80 (http) and 443 (https)  SCOoffice Server’s http and https servers can be relocated
Reclaiming Ports 80 and 443 involves:  Modifying Apache parameters  Reactivating rc scripts

80 Reclaiming Ports 80 and 443 (cont.)  Click on Configuration  Services  Click Apache  Change Port and Listen to the new port number for http (e.g. 880)  Change Define SSLPort to the new port number for https (e.g. 4443)  Click on Restart

81 Reclaiming Ports 80 and 443 (cont.)  To re-enable SCO OpenServer’s Apache web server  Rename /etc/rc0.d/_P90apache  Rename /etc/rc2.d/_P90apache  Start SCO OpenServer’s Apache web server

82 Reclaiming Port 21 SCO OpenServer Postfix Apache ProFTP OpenLDAP Cyrus IMAP AMaViS Spam Assassin ClamAV

83 Reclaiming Port 21  By default, SCOoffice Server utilizes port 21 for ProFTP  SCOoffice Server’s ftp server can be relocated
Reclaiming Port 21 involves:  Modifying ProFTP parameters  Reactivating ftp in /etc/inetd.conf

84 Reclaiming Port 21 (cont.)
To relocate ProFTP:  Click on Configuration  Services  Click ProFTP  Change Port to the new port number for ftp (e.g. 221)  Click on Restart
To reactivate SCO OpenServer’s ftp server:  Uncomment the ftp line in /etc/inetd.conf  Send a SIGHUP to inetd

85 Module 4 Managing a Distributed Environment

86 Active Directory Authentication Process I want to read my . Client I’m configured to use Active Directory authentication. I decide who is authenticated. So I’ll forward the user’s authentication request. SCOoffice Server 1 Active Directory Server 2 4 3

87 Active Directory Authentication

88 Distributed Mail – Single Server SCOoffice Server AliceBob Single Server Role Stores all mail user accounts in local LDAP directory Stores all users’ locally Handles all authentication requests

89 Master Role Stores the master LDAP user accounts database No local storage for users Can handle mail authentication requests Redirects clients to slave for retrieval Distributed Mail – Master Server MasterSlave Alice Internet Slave BobCarl

90 Distributed Mail – Slave Server MasterSlave Alice Internet Slave BobCarl Slave Role Stores a local copy of the master LDAP user account database Stores locally for each user defined on this server Can handle authentication requests

91 Sharing in a Distributed Environment MasterSlave Alice Internet Slave BobCarl Contacts Calendar Folders

92 Sharing in a Distributed Environment MasterSlave Alice Internet Slave BobCarl Contacts Calendar Folders

93 Duties in a Distributed Environment
Stores : MASTER No, SLAVE Yes
Maintains LDAP directory: MASTER Yes, SLAVE Yes, but only a copy
Handles authentication requests: Yes

94 Configuring Distributed Mail  On the master server: 1.Click Configuration  Distributed Mail 2.Select Master 3.Click “Set”

95 Configuring Distributed Mail (cont.)  On the master server: 1.Enter the slave server’s fully qualified domain name 2.Enter “admin” 3.Enter the admin password 4.Click “Add”

96 Configuring Distributed Mail (cont.)  LDAP notice  List of slave servers  New slave servers added here  This server’s role

97 Configuring Distributed Mail  On the slave server(s): 1.Click Configuration  Distributed Mail. 2.Select Slave. 3.Click Set.

98 Configuring Distributed Mail (cont.)  On the slave server(s): 1.Enter the master server’s fully qualified domain name. 2.Enter “admin”. 3.Enter the admin password. 4.Click Add.

99 Reading Mail in a Distributed Environment MasterSlave Client I want to read my mail. You need to contact your slave server

100 Mail Delivery in a Distributed Environment MasterSlave SMTP Server DNS Server

101 Module 5 Securing SCOoffice Server

102 Securing SCOoffice Server

103 Outlook 21 * 25 80/443* 110/ / /636 * Not used by Outlook Express External Firewall Configuration Internet SCOoffice Server SMTP Server 25 WebClient 80/443 Firewall

104 Internal Firewall Configuration SCOoffice Server Firewall 3268 Active Directory Server

105 Internal Firewall Configuration SCOoffice (master) SCOoffice (slave) Firewall / /

106 Remote Office Firewall Configuration SCOoffice (master) SCOoffice (slave) Firewall / / Internet SCOoffice (slave)

107 SCO OpenServer’s HTTP Servers  SCO OpenServer runs HTTP servers on ports:  80 – SCOoffice Server’s HTTP server  443 – SCOoffice Server’s HTTPS server  615 – Internet Configuration Manager  8457 – DocView: Access to SCO OpenServer documentation

108 Other SCOoffice Server Related Ports  SCOoffice Server runs daemons on ports:  21 – ProFTP  25 – SMTP  110 – POP3  143 – IMAP  389 – OpenLDAP  993 – IMAP4 over TLS/SSL  995 – POP3 over TLS/SSL  2000 –Cyrusmaster (sieve)  2003 –Cyrusmaster (LMTP)  2583 – MON  4840 – SASLAUTHD  4844 – SASLAUTHD  – AMaViS

109 Disallowing Open Relay  Don’t let server be used as an open relay  Numerous ways to prevent open relay  We will configure SASLAUTHD + TLS
# telnet rose.example.net smtp
220 rose.example.net ESMTP Postfix (2.0.20)
HELO nuisance.spammer.net
250 rose.example.net
MAIL FROM:
250 Ok
RCPT TO:
250 Ok
...

110 Disallowing Open Relay  Useful for blocking unwanted SMTP sessions:  smtpd_client_restrictions  smtpd_sender_restrictions  smtpd_recipient_restrictions Stored in LDAP

111 Disallowing Open Relay Simple Authentication and Security Layer (SASL)
LOGIN authentication mechanism
Base64 encoded username: bob
Base64 encoded password: bpasswd
PLAIN authentication mechanism
Base64 encoded: user+NULL+user+NULL+password
bob\0bob\0bpasswd
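The two mechanisms on this slide, as an added example that is not part of the original course material: it builds and reverses the PLAIN and LOGIN encodings for the slide's bob/bpasswd account, then checks a client-side SMTP transcript for AUTH exchanges that happened before STARTTLS completed. The transcript format ("C: "/"S: " prefixes), the two sample sessions and all function names are constructed for illustration.

```python
import base64


def encode_plain(authcid, password, authzid=""):
    """SASL PLAIN response: authzid NUL authcid NUL password, then Base64."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token):
    """Reverse encode_plain(); returns (authzid, authcid, password)."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def b64_text(token):
    """Decode one Base64 line of a LOGIN exchange."""
    return base64.b64decode(token, validate=True).decode("utf-8")


def audit_session(lines):
    """Report every AUTH exchange and whether it ran before STARTTLS completed."""
    tls = False            # True once the server answered STARTTLS with 220
    starttls_sent = False
    state = None           # None, "plain", "login-user" or "login-pass"
    user = None
    findings = []

    def record(mechanism, who):
        findings.append({"mechanism": mechanism, "user": who, "cleartext": not tls})

    for line in lines:
        side, _, text = line.partition(": ")
        text = text.strip()
        if not text:
            continue
        if side == "S":
            if starttls_sent:
                tls = text.startswith("220")
                starttls_sent = False
            continue
        words = text.split()
        if state == "plain":
            record("PLAIN", decode_plain(text)[1])
            state = None
        elif state == "login-user":
            user, state = b64_text(text), "login-pass"
        elif state == "login-pass":
            record("LOGIN", user)   # the password line decodes just as easily
            state = None
        elif words[0].upper() == "STARTTLS":
            starttls_sent = True
        elif words[0].upper() == "AUTH" and len(words) >= 2:
            mech = words[1].upper()
            if mech == "PLAIN":
                if len(words) > 2:
                    record("PLAIN", decode_plain(words[2])[1])
                else:
                    state = "plain"
            elif mech == "LOGIN":
                if len(words) > 2:
                    user, state = b64_text(words[2]), "login-pass"
                else:
                    state = "login-user"
    return findings


# Constructed sample transcripts (client-side debug logs, not real captures).
CLEARTEXT_SESSION = [
    "S: 220 rose.example.net ESMTP Postfix",
    "C: EHLO paper.example.org",
    "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN " + encode_plain("bob", "bpasswd", "bob"),
    "S: 235 Authentication successful",
]
TLS_SESSION = [
    "S: 220 rose.example.net ESMTP Postfix",
    "C: EHLO paper.example.org",
    "S: 250 STARTTLS",
    "C: STARTTLS",
    "S: 220 Ready to start TLS",
    "C: EHLO paper.example.org",
    "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",      # Base64 of "Username:"
    "C: Ym9i",
    "S: 334 UGFzc3dvcmQ6",      # Base64 of "Password:"
    "C: YnBhc3N3ZA==",
    "S: 235 Authentication successful",
]

if __name__ == "__main__":
    print(decode_plain(encode_plain("bob", "bpasswd", "bob")))
    for name, session in (("cleartext", CLEARTEXT_SESSION), ("tls", TLS_SESSION)):
        print(name, audit_session(session))
```

Base64 is an encoding, not encryption, so both mechanisms disclose the password to anyone who can read the session unless TLS is negotiated first.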

112 Disallowing Open Relay SASL AUTHENTICATION
smtpd saslauthd slapd
…/etc/saslauthd.conf:
ldap_servers: ldap:// /
ldap_filter: login=%u
…/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login
imapd/pop3d
…/etc/imapd.conf:
sasl_pwcheck_method: saslauthd
cyrusmaster
…/etc/cyrus.conf:
imapcmd=“imapd –p 2 …
pop3cmd=“pop3d” … …

113 Disallowing Open Relay  SASL Configuration on the Server
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access ldap:ldapSenderAccess, permit_sasl_authenticated
smtpd_recipient_restrictions = check_recipient_access ldap:ldapRecipientAccess, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_delay_reject = yes

114 Disallowing Open Relay  SASL Configuration on the Client
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/opt/insight/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

115 Disallowing Open Relay  Create /opt/insight/etc/postfix/sasl_passwd:
example.net alice:apasswd
example.org bob:bpasswd
 Run postmap(1) after creating (or modifying) file

116 Disallowing Open Relay  TLS v1 is based on SSL v3  Encrypt SMTP traffic using TLS  X.509 certificates

117 Disallowing Open Relay  TLS Configuration on the Server
smtpd_tls_cert_file = /opt/insight/etc/ssl/server.pem
smtpd_tls_key_file = /opt/insight/etc/ssl/server.pem
smtpd_tls_CAfile = /opt/insight/etc/ssl/server.pem
smtpd_use_tls = yes

118 Disallowing Open Relay  TLS Configuration on the Client
smtp_tls_cert_file = /opt/insight/etc/ssl/server.pem
smtp_tls_key_file = /opt/insight/etc/ssl/server.pem
smtp_tls_CAfile = /opt/insight/etc/ssl/server.pem
smtp_use_tls = yes

119 Disallowing Open Relay  Using a Certificate Authority’s Certificate
smtp_tls_CAfile = /opt/insight/etc/ssl/ca_cert.pem
smtpd_tls_CAfile = /opt/insight/etc/ssl/ca_cert.pem

120 Disallowing Open Relay  To test to see if a mail server is an open relay:  Log into the mail server  telnet rt.njabl.org 2500
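A static check of the server-side settings from the SASL and TLS configuration slides, as an added example that is not part of the original course material or of SCOoffice Server. It parses main.cf text, walks smtpd_recipient_restrictions the way an unauthenticated client outside mynetworks would be evaluated, and flags AUTH offered without TLS. The two sample configurations and the function names are constructed; smtpd_tls_auth_only is a Postfix parameter that does not appear on the slides.

```python
import re

# Constructed sample: the server settings shown on the slides.
SLIDE_MAIN_CF = """\
# constructed sample
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = check_recipient_access ldap:ldapRecipientAccess,
    permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
"""

# Constructed sample: a list that ends in an unconditional permit.
WEAK_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, permit
"""

# Restrictions that stop an unauthenticated, non-local client from relaying.
STOPS_RELAY = {"reject", "defer", "defer_if_permit", "reject_unauth_destination"}
# Default used when the parameter is absent (Postfix releases before 2.10).
DEFAULT_RCPT = "permit_mynetworks, reject_unauth_destination"


def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and name:
            params[name] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params


def split_restrictions(value):
    """Split a restriction list; check_*_access consumes the following table."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        takes_table = tok.startswith("check_") and tok.endswith("_access")
        if takes_table and i + 1 < len(tokens):
            out.append((tok, tokens[i + 1]))
            i += 2
        else:
            out.append((tok, None))
            i += 1
    return out


def relay_verdict(params):
    """Evaluate the list for a client that is neither authenticated nor local."""
    notes = []
    value = params.get("smtpd_recipient_restrictions", DEFAULT_RCPT)
    for name, table in split_restrictions(value):
        if name in STOPS_RELAY:
            return "closed", notes
        if name == "permit":
            return "open", notes
        if table:
            notes.append(f"{name} {table}: an OK entry is honoured before the relay check")
        # permit_sasl_authenticated / permit_mynetworks do not match this client
    return "open", notes + ["no restriction in the list stops relaying"]


def auth_findings(params):
    """Flag SASL settings that expose credentials or allow anonymous logins."""
    def yes(key):
        return params.get(key, "no").lower() == "yes"

    findings = []
    if yes("smtpd_sasl_auth_enable"):
        if "noanonymous" not in params.get("smtpd_sasl_security_options", "noanonymous"):
            findings.append("anonymous SASL mechanisms allowed")
        if not yes("smtpd_use_tls"):
            findings.append("AUTH offered without TLS")
        elif not yes("smtpd_tls_auth_only"):
            findings.append("AUTH also offered before STARTTLS")
    return findings


if __name__ == "__main__":
    for label, text in (("slide", SLIDE_MAIN_CF), ("weak", WEAK_MAIN_CF)):
        cfg = parse_main_cf(text)
        print(label, relay_verdict(cfg), auth_findings(cfg))
```

A "closed" verdict with a note means the lookup table named in the note (here the LDAP recipient access map) also has to be reviewed, since an OK result there is returned before reject_unauth_destination is reached.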

121 Exercise: Tracing TLS and SASL TLS + SASL Authentication: SASL Authentication Only:

122 Other Restrictions  Other useful restrictions:  smtpd_client_restrictions  smtpd_helo_restrictions  smtpd_sender_restrictions  See

123 Using smtpd_client_restrictions
 In main.cf:
smtpd_client_restrictions = check_client_access hash:/opt/insight/etc/postfix/smtp_clients, permit
 In /opt/insight/etc/postfix/smtp_clients:
OK PERMIT REJECT REJECT
/24 OK
example.net OK
paper.example.org DUNNO
example.org REJECT

124 Using smtpd_helo_restrictions  check_helo_access  reject_invalid_hostname  reject_non_fqdn_hostname  reject_unknown_hostname
 In main.cf:
smtpd_helo_restrictions = reject_invalid_hostname, check_helo_access hash:/opt/insight/etc/postfix/helo
 In /opt/insight/etc/postfix/helo:
example.org OK
example.net REJECT

125 Using smtpd_sender_restrictions  check_sender_access  reject_unknown_sender_domain

126 Creating a Chroot Jail  A chroot jail adds a layer of protection  Limits daemon(s) to /opt/insight/var/spool/postfix  Set the fifth field in master.cf to ‘y’

127 Module 6 Managing Recipients and Aliases

128 Address Rewriting
/opt/insight/etc/postfix/main.cf:
sender_canonical_maps = hash:/opt/insight/etc/postfix/canonical_sender
recipient_canonical_maps = hash:/opt/insight/etc/postfix/canonical_recipient
/opt/insight/etc/postfix/canonical_sender:
/opt/insight/etc/postfix/canonical_recipient:

129 Hiding Host Names  Masquerading intentionally hides internal hostnames   In main.cf: masquerade_domains = example.org

130 Hiding Host Names  Masquerading intentionally hides internal hostnames   In main.cf:
masquerade_domains = example.com, example.net, example.org, !sales.example.com
masquerade_exceptions = alice, bob

131 Directing Sent to Unknown Users sent to unknown users:  Returned to sender by default  Can be directed to a user or alias  Beware of spammers
In main.cf:
luser_relay = alice
local_recipient_maps =

132 Relocating Users and Domains  Relocation maps used when users or domains move  Configure relocation rules in main.cf:
relocated_maps = hash:/opt/insight/etc/postfix/relocated
 Define relocation rules in lookup

133 Relocating Users and Domains Relocated User Relocated Domain

134 Types of Aliases  Postfix supports numerous types of aliases  SCOoffice Server stores aliases two ways Stored in LDAP Stored in a file

135 Types of Aliases  From /opt/insight/etc/postfix/main.cf:
alias_maps = hash:/opt/insight/etc/mail/aliases
alias_database = hash:/opt/insight/etc/mail/aliases
local_recipient_maps = $alias_maps ldap:ldapsource

136 Types of Aliases  From /opt/insight/etc/mail/aliases:

137 Types of Aliases  Process alias files with postalias(1):  # postalias hash:/opt/insight/etc/mail/aliases  Reload Postfix if a new alias lookup table is added to main.cf:  # postfix reload

138 Exercise: Adding a New Alias File  Edit /opt/insight/etc/postfix/aliases  Process the alias file  Reload Postfix

139 Module 7 Managing Mail Queues

140 Postfix Mail Delivery sendmailpostdroppickupsmtpdcleanup trivial- rewrite qmgrlocalsmtppipe active incoming messages incomingmaildropbounce

141 Managing Mail Queues  To display mail queue, select Mail Delivery  Mail Queue:

142 Managing Mail Queues  For more information, use postqueue -p: Active On hold

143 Module 8 Managing Private and Public Folders

144 Creating Mail Folders  Click on Mail Folders  Create Folder

145 Creating Mail Folders (cont.)  Name the folder  Specify where to create the folder  Specify the type of folder  Click on “Create”  User’s view:

146 Location of Mail Folders in Filesystem Advantages  Each message is stored as a separate file  If one file becomes corrupted, the whole data store is not corrupted  Easy to restore a single message  Can rebuild a single user’s inbox

147 Working with Mail Folders  Click on Accounts  View Accounts  Select the users whose mail folders you want to see

148 Working with Mail Folders (cont.)  While viewing the user’s account information, click on “View Mail Folders”

149 Reconstructing Mail Folders  To reconstruct the user’s mail folders, click on the “Reconstruct all mail folders” button

150 Setting Access Control Lists  Select a user or a group (e.g. Anyone)  Define the ACLs (default is l,r,s)  Click on “Add ACL” To set ACLs for a specific mail folder:

151 Setting Access Control Lists (cont.) A new ACL appears

152 Module 9 Managing Routing

153 Configuring MX Records  MX records in DNS instruct mail servers where to direct messages
domain name   class   type   preference   hostname
example.com   IN      MX     10           elm.example.com.
example.com   IN      MX     20           spruce.example.com.
example.com   IN      MX     30           oak.example.com.

154 Querying MX Records  When debugging problems exchanging with other domains, query MX records  Use nslookup(1)  Specify “set querytype=MX”

155 Configuring a Relay Host  A relay host enables delivery to be centralized  In main.cf:
relayhost = oak.example.com
or
relayhost =

156 Module 10 Managing Virus Protection

157 ClamAV SCO OpenServer Postfix Apache ProFTP OpenLDAP Cyrus IMAP AMaViS Spam Assassin ClamAV

158 Updating ClamAV Virus Definitions  Virus definitions are updated automatically  Cron job runs /opt/insight/bin/freshclam  Virus definition files:  /opt/insight/share/clamav/main.cvd  /opt/insight/share/clamav/daily.cvd  See freshclam(1)

159 Exercise: Updating Virus Definitions  Consult the freshclam(1) manual page  Instruct freshclam(1) to download latest virus definitions into a directory  View the contents of the directory  See the latest virus definitions at

160 Adding 3 rd Party Anti-Virus Scanners SCO OpenServer Postfix Apache ProFTP OpenLDAP Cyrus IMAP AMaViS Spam Assassin ClamAV Sophos

161 Adding 3rd Party Anti-Virus Scanners (cont.)  To replace ClamAV with Sophos:  Download and install Sophos  Comment out ClamAV lines in /opt/insight/etc/amavisd.conf  Uncomment Sophos lines in /opt/insight/etc/amavisd.conf  Restart AMaViS

162 Exercise: 3 rd Party Anti-Virus Scanners  View amavisd.conf comments which explain:  The syntax entries  The relationship

163 Exercise: 3 rd Party Anti-Virus Scanners  Examine usage message from /usr/local/bin/sweep.

164 Module 11 Managing Spam Filtering

165 SpamAssassin SCO OpenServer Postfix Apache ProFTP OpenLDAP Cyrus IMAP AMaViS Spam Assassin ClamAV

166 SpamAssassin  SpamAssassin uses numerous tests  SpamAssassin is configured in:  /opt/insight/etc/mail/local.cf  /opt/insight/share/spamassassin/*.cf  Do not modify files in share/spamassassin  After modifying configuration files, run:  spamassassin --lint  /opt/insight/etc/rc/amavisd restart

167 SpamAssassin
- Every SpamAssassin administrator should know:
  - required_hits
  - report_contact
  - report_safe
  - Whitelisting
  - Blacklisting

168 SpamAssassin
- Customizing headers
- SpamAssassin headers begin "X-Spam"
- X-Spam-Checker-Version is mandatory
- Modify headers with:
  - remove_header
  - clear_headers
  - add_header

169 SpamAssassin
Report message:

    Spam detection software, running on the system "_HOSTNAME_", has
    identified this incoming email as possible spam. The original message
    has been attached to this so you can view it (if it isn't spam) or block
    similar future email. If you have any questions, see
    _CONTACTADDRESS_ for details.

    Content preview: _PREVIEW_

    Content analysis details: (_HITS_ points, _REQD_ required)

    " pts rule name description"
    _SUMMARY_

170 SpamAssassin
Spamtrap message:

    Subject: this address is no longer available

    [this message has been automatically generated]

    Please note that this address is no longer in use, and nowadays receives
    nothing but unsolicited commercial mail. Accordingly, any mail sent to it
    is added to several spam-tracking databases, then automatically deleted.

    If you genuinely want to contact the owner of the address, please
    re-check your contact lists, or search the web, to find their current
    address. The mail you sent is reproduced in full below, for resending to
    the correct address.

    Sorry for the inconvenience!

    [-- Signed: the SpamAssassin mail filter]

171 SpamAssassin
Unsafe_report message:

    The original message was not completely plain text, and may be unsafe to
    open with some email clients; in particular, it may contain a virus,
    or confirm that your address can receive spam. If you wish to view
    it, it may be safer to save it to a file and open it with an editor.

172 SpamAssassin
- Areas tested:
  - header
  - body
  - rawbody
  - full
  - uri

173 SpamAssassin
Header test example:

    header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/

- NO_REAL_NAME: name of rule
- From: header to match
- =~: Perl regex operator
- /^["\s]*\<?\S+\@\S+\>?\s*$/: Perl regular expression

174 SpamAssassin
- Header test definitions only define the test
- Header test definitions don't define:
  - The test's description
  - The test's score
- 20_head_tests.cf specifies:
    header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
    describe NO_REAL_NAME From: does not include a real name
- 50_scores.cf specifies:
    score NO_REAL_NAME
  (SCOoffice uses this score)

175 SpamAssassin
- Meta-match (boolean expression)

    body CLICK_BELOW_CAPS /CLICK\s.{0,30}(?:HERE|BELOW)/s
    describe CLICK_BELOW_CAPS Asks you to click below (in capital letters)
    body __CLICK_BELOW /click\s.{0,30}(?:here|below)/is
    meta CLICK_BELOW (__CLICK_BELOW && !CLICK_BELOW_CAPS)
    describe CLICK_BELOW Asks you to click below

176 SpamAssassin
- Meta-match (boolean arithmetic expression)

    body __NIGERIAN_CODE_CONDUCT /\bcode of conduct\b/i
    body __NIGERIAN_CIV_SERVICE /\bcivil service\b/i
    body __NIGERIAN_TOP_SECRET /\btop secret\b/i
    body __NIGERIAN_HONESTY /\btransparent honesty\b/i
    meta NIGERIAN_BODY_GOVT ((__NIGERIAN_CODE_CONDUCT + __NIGERIAN_CIV_SERVICE + __NIGERIAN_TOP_SECRET + __NIGERIAN_HONESTY) >= 2)
    describe NIGERIAN_BODY_GOVT Message body has many indications of nigerian scam
    score NIGERIAN_BODY_GOVT

177 Quarantining Viruses and Spam
- By default, SCOoffice Server:
  - Quarantines messages containing viruses
  - Does not quarantine messages containing spam

178 Quarantining Viruses and Spam
- Messages containing viruses are quarantined by AMaViS.

179 Quarantining Viruses and Spam
- Headers added to messages containing spam:
  - X-Virus-Scanned
  - X-Spam-Status
  - X-Spam-Level
  - X-Spam-Flag
  - Subject

180 Quarantining Viruses and Spam
- AMaViS can be configured to quarantine spam
- Configured in amavisd.conf:
  - $final_spam_destiny
  - $QUARANTINEDIR
  - $spam_quarantine_to

181 Quarantining Viruses and Spam
- To quarantine spam to a directory, configure amavisd.conf:

    $final_spam_destiny = D_PASS;
    $QUARANTINEDIR = '/opt/insight/var/virusmails';
    $spam_quarantine_to = 'spam-quarantine';

182 Header Checks
To block e-mails based on headers:
- In /opt/insight/etc/postfix/main.cf:
    header_checks = pcre:/opt/insight/etc/postfix/header_checks
- In /opt/insight/etc/postfix/header_checks:
    /^subject: known_message_subject/ REJECT

183 Blocking Attachments by Extension
To block e-mails containing .exe, .bat, etc. attachments:
- In /opt/insight/etc/postfix/main.cf:
    header_checks = pcre:/opt/insight/etc/postfix/header_checks
- In /opt/insight/etc/postfix/header_checks:
    /^content-type:.*name[[:space:]]*=.*\.(exe|bat)/ REJECT Rejected file extension: $1
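
An added example (not part of the slides) for regression-testing header_checks patterns against constructed headers before deploying them. `grep -E -i` stands in for Postfix's case-insensitive PCRE matching, and `TIGHT_PAT` is an assumed tightened variant, not the course's pattern.

```shell
#!/bin/sh
# Added example: regression-test header_checks patterns offline.
# grep -E -i approximates Postfix's default case-insensitive pcre: matching
# for these patterns, which use no PCRE-only syntax.

# Pattern from the slide.
SLIDE_PAT='^content-type:.*name[[:space:]]*=.*\.(exe|bat)'
# Assumed tightened variant (not from the slides): also covers
# Content-Disposition and requires the extension to end the file name.
TIGHT_PAT='^content-(type|disposition):.*name[[:space:]]*=[[:space:]]*"?[^";]*\.(exe|bat)"?[[:space:]]*(;|$)'

# verdict PATTERN HEADER : prints REJECT if the header matches, else PASS
verdict() {
    if printf '%s\n' "$2" | grep -E -i -q -e "$1"; then
        echo REJECT
    else
        echo PASS
    fi
}

# Constructed sample headers, already unfolded onto one logical line.
H_EXE='Content-Type: application/octet-stream; name="invoice.exe"'
H_PDF='Content-Type: application/pdf; name="q3.executive-summary.pdf"'
H_DISP='Content-Disposition: attachment; filename="setup.BAT"'

# Show both verdicts side by side for each header.
for h in "$H_EXE" "$H_PDF" "$H_DISP"; do
    printf 'slide=%-6s tight=%-6s %s\n' \
        "$(verdict "$SLIDE_PAT" "$h")" "$(verdict "$TIGHT_PAT" "$h")" "$h"
done
```

The PDF header is rejected by the slide's pattern because ".exe" occurs inside ".executive", and the Content-Disposition header passes it because only Content-Type is inspected.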

184 Module 12 Performing Preventive Maintenance

185 Mon Overview
- What is Mon?
  - Mon is a general purpose service monitor
  - Mon schedules monitors
  - Mon provides a multitude of alert methods
  - Mon is extensible
- SCOoffice Server uses Mon to monitor:
  - HTTP
  - LDAP
  - FTP
  - SMTP
  - IMAP
  - POP3

186 Mon Monitor facilities
- Monitor scripts provided by Mon:
  - dns.monitor
  - ftp.monitor
  - http.monitor
  - imap.monitor
  - ldap.monitor
  - ping.monitor
  - pop3.monitor
  - smtp.monitor
  - tcp.monitor
  - telnet.monitor
- Monitor scripts are stored in /opt/insight/mon/mon.d

187 Mon Alert Methods
- Alert scripts provided by Mon:
  - file.alert
  - mail.alert
  - remote.alert
- Alert scripts are stored in /opt/insight/mon/alert.d

188 The MON configuration file
MON is configured in /opt/insight/mon/etc/mon.cf

    maxprocs = 20
    randstart = 60s
    hostgroup building1 elm.example.com oak.example.com
    hostgroup building2 spruce.example.com maple.example.com
    watch building1
        service ftp
            interval 1m
            monitor ftp.monitor
            period wd {Sun-Sat}
                alert file.alert /opt/insight/logs/mon_ftp.log
                alert mail.alert
                alertevery 1h

192 Managing Disk Space
- Strategies for managing disk space usage:
  - Setting maximum message size
  - Restricting attachments
  - Imposing quotas
  - Setting mailbox expire values
  - Setting logging levels
  - Pruning log files

194 Guarding Backups
- Backups are stored in /opt/insight/htdocs/is4web/tar
- Protected by .htaccess in that directory
- Beware of:
  - Missing .htaccess
  - Modified .htaccess
  - World writable .htaccess
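
An added example (not part of the slides) that checks for the three conditions listed above: a missing, modified, or world-writable .htaccess. The baseline file holding the known-good checksum is a hypothetical path chosen by the administrator.

```shell
#!/bin/sh
# Added example: audit the .htaccess that protects the backup directory.
# BASELINE is a hypothetical file holding `cksum` output of a reviewed copy.

# record_baseline DIR BASELINE : store checksum of the current, reviewed file
record_baseline() {
    cksum < "$1/.htaccess" > "$2"
}

# check_htaccess DIR BASELINE : prints "ok" or one finding per line;
# returns non-zero when anything is wrong.
check_htaccess() {
    file=$1/.htaccess
    baseline=$2
    findings=""
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # World-writable: the "other" write bit (002) is set.
    if [ -n "$(find "$file" -prune -perm -0002 -print)" ]; then
        findings="${findings}world-writable: $file
"
    fi
    # Modified: CRC and size differ from the recorded baseline.
    if [ ! -f "$baseline" ] || [ "$(cksum < "$file")" != "$(cat "$baseline")" ]; then
        findings="${findings}modified: $file
"
    fi
    if [ -n "$findings" ]; then
        printf '%s' "$findings"
        return 1
    fi
    echo ok
}

# Run as: script DIR BASELINE (for example from cron, mailing any output).
if [ $# -eq 2 ]; then
    check_htaccess "$1" "$2"
fi
```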

195 Configuration File Sanity Checks
- spamassassin --lint
- postfix check
- apachectl configtest

196 Log Files
- SCOoffice uses the following log files:
  - /var/adm/syslog
  - /opt/insight/logs/amavis.log
  - /opt/insight/logs/freshclam.log
  - /opt/insight/logs/access_log
  - /opt/insight/logs/error_log

197 Log Files

    Component             Syslogd Facility
    Cyrus IMAP and POP3   local6
    Postfix               mail
    SASLAUTHD             auth
    ProFTPD               authpriv
    slapd/slurpd          local4

198 Log Files
Where to specify logging levels:
- /etc/syslog.conf
- /opt/insight/etc/postfix/master.cf
- /opt/insight/etc/postfix/main.cf
- /opt/insight/etc/amavisd.conf
- /opt/insight/etc/clamav.conf
- /opt/insight/etc/freshclam.conf
- /opt/insight/etc/apache/httpd.conf

199 Log Files
Events to monitor in syslog:
- Monitor SMTPD connections:
    egrep "[^s]connect from|client=" /var/adm/syslog
- Monitor bounced messages:
    grep status=bounced /var/adm/syslog
- Monitor deferred messages:
    grep status=deferred /var/adm/syslog
- Monitor address rewriting:
    grep orig_to /var/adm/syslog
- Monitor SASLAUTHD failures:
    grep "auth failure" /var/adm/syslog
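
An added example (not part of the slides) that turns the grep patterns above into a per-class count and lists users with repeated SASL failures. The log lines are constructed samples in Postfix and saslauthd syslog style, and the threshold of 1 is an arbitrary assumption.

```shell
#!/bin/sh
# Added example: summarize the syslog events listed on the slide.

# Constructed sample lines in Postfix and saslauthd syslog style.
sample_log() {
    cat <<'EOF'
Apr 22 10:00:01 elm postfix/smtpd[2101]: connect from mail.example.net[192.0.2.10]
Apr 22 10:00:02 elm postfix/smtpd[2101]: 4F1A2: client=mail.example.net[192.0.2.10]
Apr 22 10:00:03 elm postfix/smtpd[2101]: disconnect from mail.example.net[192.0.2.10]
Apr 22 10:00:04 elm postfix/smtp[2110]: 4F1A2: to=<a@example.org>, relay=none, delay=2, status=deferred (connection timed out)
Apr 22 10:00:05 elm postfix/smtp[2111]: 7C3B9: to=<b@example.org>, relay=mx.example.org[198.51.100.7], delay=1, status=bounced (user unknown)
Apr 22 10:00:06 elm saslauthd[812]: do_auth         : auth failure: [user=carol] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]
Apr 22 10:00:07 elm saslauthd[812]: do_auth         : auth failure: [user=carol] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]
Apr 22 10:00:08 elm saslauthd[812]: do_auth         : auth failure: [user=dave] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
EOF
}

# count_events PATTERN < log : number of matching lines (0 is not an error)
count_events() { grep -E -c -e "$1" || true; }

# auth_failures_over N < log : users with more than N SASL failures
auth_failures_over() {
    sed -n 's/.*auth failure: \[user=\([^]]*\)].*/\1/p' |
        sort | uniq -c | awk -v n="$1" '$1 > n { print $2 }'
}

# mail_summary LOGFILE : one "name=count" line per event class
mail_summary() {
    # [^s] keeps "disconnect from" lines out of the smtpd count.
    echo "smtpd=$(count_events '[^s]connect from|client=' < "$1")"
    echo "bounced=$(count_events 'status=bounced' < "$1")"
    echo "deferred=$(count_events 'status=deferred' < "$1")"
    echo "rewritten=$(count_events 'orig_to' < "$1")"
    echo "auth_failures=$(count_events 'auth failure' < "$1")"
}

# Demo on the constructed sample; call mail_summary on a real log path instead.
tmp=${TMPDIR:-/tmp}/maillog.$$
sample_log > "$tmp"
mail_summary "$tmp"
echo "users over threshold: $(auth_failures_over 1 < "$tmp")"
rm -f "$tmp"
```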

200 Module 13 Planning for and Recovering from Disasters

201 Creating Backups
- Administrators can back up:
  - SCOoffice Server configuration
  - LDAP directory
  - IMAP datastore
- Backup scripts stored in:
  - /opt/insight/htdocs/is4web/cron
- Restore scripts stored in:
  - /opt/insight/htdocs/is4web/bin

202 Restoring and Uploading Backup Files
- Restore backups
- Download backups from server to local hard drive
- Upload backups from local hard drive to server
- Delete backups

203 Creating Backups
- Backup scripts: /opt/insight/htdocs/is4web/cron
- Restore scripts: /opt/insight/htdocs/is4web/bin
- Backups are compressed cpio archives
- Third party backup software can be integrated into the web console

204 SCOoffice Server 4.1 Thank You

205 Microsoft Outlook® Setup
- Single Click configuration
- Manual Connector installation
- Sharing folders
- Manual Address Book installation
- Automated Installation

206 Why I wish we used Postfix 2.1
- XCLIENT support
- main.cf supports ldap:/some/file/name (instead of putting ldap parameters in publicly readable main.cf)
- Versions we're running (see notes)