How to configure MailCleaner 2020.01

Victor Lopes
May 20, 2020

This is the second part of a guide on how to install and manage a MailCleaner antispam server. In the first part we covered installation and initial setup.

If you haven’t seen it yet, read that part first.

I’ll lead you through the most typical options that you need to get started. We’ll cover some other advanced features later.

Basic server configuration

Now that you have your MailCleaner box up and running, log in to your https://your_mailcleaner_name/admin web interface to start configuring it.

1. Registration

When you log in you will see a warning saying your installation is not registered. Click “Click here to resolve” and go through the registration. It’s free and simple.

This will lead you to “Configuration > Base system > Registration”. Unless you have an Enterprise Edition, scroll all the way down and you’ll see the Community registration:

2. Network and region

In the same section, define these other settings according to your scenario (navigate through the left menu):

  • Network
  • DNS settings
  • Localization (time zone)
  • Date and time

Note: Don’t use public DNS servers like Google DNS (8.8.8.8), otherwise you will have problems querying blacklists (RBLs).
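A quick way to confirm that the DNS servers set here can actually query RBLs, as an added example (not part of the original guide or of MailCleaner): every DNSBL must list the RFC 5782 test entry 127.0.0.2, and Spamhaus documents 127.255.255.x answers as error codes rather than listings. The function names are hypothetical; the zones are the two lists used later in this guide.

```python
import ipaddress
import socket

# Spamhaus-specific: these answers are error codes, not listings.
SPAMHAUS_ERRORS = {
    "127.255.255.252": "typo in the DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets + zone (RFC 5782)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_lookup(name):
    """Resolve A records with the system resolver; [] means no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_resolver(zone, lookup=system_lookup):
    """Query the test entry 127.0.0.2, which every DNSBL must list."""
    answers = lookup(dnsbl_name("127.0.0.2", zone))
    if not answers:
        return "broken: test entry not listed, lookups are blocked or dropped"
    for answer in answers:
        if answer in SPAMHAUS_ERRORS:
            return "broken: " + SPAMHAUS_ERRORS[answer]
    return "ok: " + ", ".join(sorted(answers))

if __name__ == "__main__":
    # Run on the MailCleaner host so the query uses its configured DNS servers.
    for zone in ("zen.spamhaus.org", "b.barracudacentral.org"):
        print(zone, "->", check_resolver(zone))
```

A "broken" result means RBL checks on this server would silently match nothing, or match everything, until the DNS settings are changed.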

Also, don’t forget to disable the “configurator interface” (192.168.1.42). If you need to change your IP address, do it first and save it. After you have successfully defined the main IP, then disable the configurator IP:

SMTP settings

1. Configuration > SMTP > SMTP checks

In this section you can set which basic verifications you want performed against other mail servers trying to deliver to you, such as SPF, reverse DNS, Blacklists (RBLs), etc. Here’s a suggestion of how to set these options:

There are other stages where you can set Blacklist checking, as you will see later. At this point I recommend just Barracuda Central and Spamhaus, because those are the ones with which I usually never have false positives.

TLS/SSL settings have already been done in the first part of this guide. You can take a look at other options available using the left menu, but we are not going to discuss them for now.

2. Restarting services

You will soon find out that most changes need one or more services to be restarted:

If you “Click here to resolve” you will be sent to the “Monitoring > Status” page. You can make a number of changes and then restart the services all at once at the end.

Anti-Spam features

1. Configuration > Anti-Spam > Global settings

MailCleaner has a number of antispam tools and techniques available. They are processed in order, and you can change that order and whether each one has a decisive role in stopping an e-mail message. I usually leave the default order.

Here I only recommend that you “Enable access to whitelists”. But don’t add any addresses to it yet:

2. Configuration > Anti-Spam > 4 - PreRBLs

Here you have another level of blacklist checking. Deselect b.barracudacentral.org and zen.spamhaus.org, because we already have them enabled at the “SMTP checks”. Here’s my suggested configuration:

I had some false positives with Sorbs and UceProtect level 3.

“SMTP checks” blacklists vs “Anti-Spam > PreRBL” blacklists

When a host connects to your MailCleaner server trying to deliver, and said host is listed in one of the RBLs defined in “SMTP checks”, this connection will be refused and the message delivery attempt will show as “Rejected” in your lists.

That’s why only the most trustworthy RBLs should be checked during that stage.

If that host passes the RBLs set in SMTP checks (plus the other basic checks, of course), the message will be “Accepted” and then the list of evaluations defined in this “Anti-Spam” section begins.

When the host that delivered a message is found in an RBL that’s configured inside this “Anti-Spam > PreRBL” section, the message will be marked as “spam” and will (by default) be quarantined.

3. Configuration > Anti-Spam > 5 - UriRBLs

URI blacklists are great, you should leave them all enabled:

4. Configuration > Anti-Spam > 6 - Spamc

By Spamc, read SpamAssassin (by Apache). Here we have to basically deselect every Uri RBL and almost every DNS RBL, because we have them enabled in previous modules:

The greatest contribution SpamAssassin makes in MailCleaner is its heuristic analysis, which we will see in a more advanced topic.

Content protection

1. Configuration > Content protection

In this section we have mostly attachment inspection options, including virus scan. Anti-virus protection is provided by ClamAV. There is not much to change here. Just familiarize yourself with the features, in case you want to block a file extension in the future, for example.

Domains

To start receiving and filtering e-mail you must create a domain. This will define your accepted domain names, as well as how e-mails should be treated when belonging to it, including whitelists, quarantine authentication, etc.

You should create a “domain” for each e-mail domain name you have that needs a different configuration. Domain names that you treat as one should be set as “alias” (e.g. yourdomain.com and yourdomain.net).

1. Create your domain

Just click “New domain +”, type your domain name (the main one, if you have more than one) and click “Submit”:

Then type your other domain names in “Aliases” (if they just represent the same domain), and provide some contact information if you want. Click “Submit” before going to the next step.

Then click “Next step >>” in the upper right corner and define your mail server, where messages should be delivered after inspection:

If you have more than one mail server (or more than one Transport server role in an Exchange organization, for example), add each one on a new line. If that’s the case you can choose whether e-mails will be delivered to all mail servers (round robin style) or whether the first will be used by default and the other one(s) as a failover only.

Submit settings before testing destinations.

If you click “Next step >>” again, you will see “Address verification”. You can use LDAP (query the mail field of users) or SMTP (try to deliver to your mail server and check whether the RCPT TO address really exists).

I usually leave it as “none”, to avoid delaying mail reception, as I don’t see so much value in testing the addresses beforehand. If a spammer is trying to deliver e-mail to random users that don’t exist in your domain, such an attempt will probably be caught by another inspection method.

2. Default preferences

Click “Next step >>” again and you will land on “Preferences”. Select the default language for user reports (there are many languages to choose from). I recommend the “Summary frequency” to stay as “weekly” and the “Action on spams” to remain as “quarantine” (of course).

The summary is a nice HTML report that MailCleaner sends to each user (if that user has e-mail messages quarantined), and it looks like this:

You can click on the “arrow” icon to the left of a message to release it (it will be delivered to you right away).

3. Quarantine user authentication

Here is a nice little thing. Since MailCleaner has a web interface available to end users, you can set how they are going to be authenticated to access it.

By the way, the quarantine address (end user interface) is MailCleaner’s root web path. Users should go to https://your_mailcleaner_name and they will land on the login page.

Some of the authentication protocols available are: LDAP/Active Directory, IMAP, SMTP, RADIUS and more.

Authentication against a Microsoft Active Directory domain controller will be something like the following configuration. Note the “Bind user” has to be a distinguished name.

You can use SSL if you have that set up or if you have an Enterprise Root CA.

Remember: submit your settings before testing.

Note about user alias, authentication and access to quarantined mail

A user can only access quarantined e-mail or configurations for an account that matches his user alias exactly. For example, if you have a user whose account is “john.smith” and he authenticates on MailCleaner (against AD, for example), he can only see quarantined messages that were to be sent to “john.smith@yourdomain.com”.

MailCleaner has no way of knowing if such a user has more than one SMTP address or that his account name is different from his e-mail alias. But if you do have aliases set up in your domain configuration (e.g. domain.com / domain.net) the user can switch between those after authenticating.

If you have a situation like this, you can try to work around it by using a different field as “User attribute” (instead of samAccountName) or by creating a local account in MailCleaner with the privilege of managing SPAM quarantines for specific domains.

However, if a user owns a specific SMTP address, or belongs to a mail-enabled group, and there is quarantined e-mail destined to those addresses, that user will receive the HTML summary report by e-mail and he/she can click to release a message, for example.

4. Filtering options

Clicking “Next step >>” once more will get you to “Filtering”, where you can, among other things, enter trusted domains and addresses to the whitelist.

“Reject unauthorized messages from this domain” is important to prevent spoofing.

“Reject unencrypted SMTP sessions to this domain” is dangerous, because there are still some crazy e-mail providers that don’t send messages using an encrypted connection by default.

You have to mark “Enable whitelists” and submit your settings first for the whitelist controls to show up. Messages from addresses added to this list will not be quarantined, even if they are considered spam. But keep in mind that the sender server needs to pass the basic SMTP checks nonetheless (SPF, etc.).

Note that the correct syntax for adding an entire domain is *@domain.com. You can add a complete address too (someguy@trusted.com).

About greylisting

I used greylisting for a while, but now I don’t recommend it.

Although it is a fabulous method for preventing SPAM, nowadays some giant e-mail providers like Microsoft (Office 365/Exchange Online) get in its way: every time they try to send you an e-mail and you don’t accept it straight away, they try to send the same message using another server, and then another server and so on.

This means that most of their mail servers (trying to deliver) will almost never pass the greylisting check, because it’s never the same server. And if it is the same one eventually, it will probably be outside the time window limit that the greylisting engine tolerates for retries.

If you do want to use it, though, because it is such a great feature, keep in mind that you will have to enter a lot of domains in the greylisting exception list on “Configuration > SMTP > Greylisting”.
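The retry behaviour described above, as an added simulation (not MailCleaner’s greylisting code): a greylist keyed on client IP, envelope sender and recipient, fed constructed delivery attempts. The 5-minute minimum delay, the 4-hour retry window and matching exceptions on the sender’s domain are assumptions chosen for illustration.

```python
class Greylist:
    """Toy greylist keyed on (client IP, envelope sender, recipient)."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, exempt_domains=()):
        self.min_delay = min_delay        # assumed: earlier retries are deferred
        self.retry_window = retry_window  # assumed: first-seen records expire
        self.exempt = {d.lower() for d in exempt_domains}
        self.first_seen = {}

    def check(self, now, client_ip, sender, rcpt):
        if sender.rsplit("@", 1)[-1].lower() in self.exempt:
            return "accept"               # exception list bypasses greylisting
        key = (client_ip, sender.lower(), rcpt.lower())
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.retry_window:
            self.first_seen[key] = now    # new or expired triplet: start the clock
            return "defer"
        if now - seen < self.min_delay:
            return "defer"                # retried too quickly
        return "accept"

def deliver(greylist, attempts, sender, rcpt):
    """attempts: list of (time in seconds, client IP); returns one verdict each."""
    return [greylist.check(t, ip, sender, rcpt) for t, ip in attempts]

# Constructed sample data: documentation IP ranges and example domains.
SAME_HOST = [(0, "192.0.2.10"), (600, "192.0.2.10")]
ROTATING_POOL = [(0, "198.51.100.1"), (600, "198.51.100.2"),
                 (1800, "198.51.100.3"), (5400, "198.51.100.4")]
SLOW_RETURN = [(0, "198.51.100.1"), (600, "198.51.100.2"),
               (6 * 3600, "198.51.100.1")]

def demo():
    msg = ("alice@bigprovider.example", "bob@yourdomain.com")
    return {
        "same_host": deliver(Greylist(), SAME_HOST, *msg),
        "rotating_pool": deliver(Greylist(), ROTATING_POOL, *msg),
        "slow_return": deliver(Greylist(), SLOW_RETURN, *msg),
        "exempted": deliver(Greylist(exempt_domains=["bigprovider.example"]),
                            ROTATING_POOL, *msg),
    }

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:14} {verdicts}")
```

Only the single-host sender and the exempted domain are ever accepted; the rotating pool is deferred on every attempt, and the host that finally repeats arrives after its record has expired.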

About whitelisting

Some say whitelists are dangerous because someone could spoof a domain and a malicious message could pass through. The way I see it, this is nonsense, considering that you have SPF checks and other basic verifications. Besides, your users won’t let you live without whitelists, because false positives will occur and you will need to register a domain as a trusted sender.

You also might be asking yourself why we enter whitelist addresses here in the domain configuration and not in the global control there in “Configuration > Anti-Spam > Global settings”. Well, the answer is simple and a bit sad: the global whitelist you see there does not work as you expect and the best way to add a trusted sender is in the domain settings. More about whitelists in a future topic.

General settings

Finally, the last step in this initial configuration is to set the default behavior for tasks and the web interface, plus some contact information.

Go to “Configuration > General settings”.

Navigate through the left menu options. I recommend that you set:

  • The default GUI language for end users, and your “Default domain”.
  • Your contact name and e-mail address
  • The “Spam retention”, which is defined in days (default: 60)
  • Periodic tasks. The day of week and the time of day will define, for example, when users will receive the quarantine HTML summary report

Looking good!

You can now redirect your inbound SMTP traffic to your MailCleaner IP address and take a look at “Management > Tracing” to see how e-mail messages are being processed.

If you find some error you want to investigate, check out “Monitoring > Logs”. And of course you can take a look at the MailCleaner forum, at https://forum.mailcleaner.org.

Now we have the third and last part of this guide, which will cover management and customization. Keep going:
