How to install MailCleaner 2020.01

Mailcleaner is an antispam system to call yours. Many companies have jumped into Office 365 or Google G-Suite, but for those brave warriors out there who still host their own mail server, here’s a good way of filtering SPAM and protecting your network from e-mail viruses and scams.

Why MailCleaner?

Mailcleaner is the best open source antispam solution I’ve ever found, for three main reasons:

• It has a nice compilation of well-known software, plenty of features;
• It’s flexible, with a complete web GUI and the possibility of customizing the underlying applications;
• Most important: it has a user quarantine interface, where employees can release their own retained mail, add an address to his own white list, etc.

But the installation and configuration of MailCleaner has its oddities and this guide will help you keep your sanity during the process.

This is a comprehensive compilation and, after finishing this tutorial, you will have both a nice functioning antispam server and a good understanding of MailCleaner’s features.

Installing MailCleaner

The current version is based on Debian 8 Jessie and is distributed as ready-to-go virtual machines. What you’ll need:

• A hostname by which your antispam web page will be accessed;
• A valid (publicly trusted) SSL/TLS certificate. If you don’t have one, or prefer using Let’s Encrypt, this will be covered in this guide;
• Proper rules in your firewall to redirect SMTP and web traffic to your antispam box. When using Let’s Encrypt, you will have to make sure the MailCleaner server can be reached by TCP port 80 using every hostname you’ve chosen. You know the drill.

Here’s the download page for you to choose your flavor:

Latest downloads - MailCleaner - Open source Anti spam & Antivirus gateway

I’ll be using Hyper-V (vhdx), but the instructions can be easily adapted to VMware or another platform.

1. Download and unzip the file (MailCleaner_VHDX_2019022601.zip);
2. Create your new VM (Generation 1, not UEFI);
   Recommended specs are: 4 vCPUs, 4GB of RAM.
   As per the Hyper-V version, anything from Windows Server 2012 R2 and on will be fine.
3. Attach the vhdx and that’s it;
4. Power on and let it stew for a while.

Seriously, I recommend that you let the VM initialize and just let it be for 30 minutes or so. Go do something else. The server will have time to start every service it wants, update anything it wants, etc.

Initial configuration

The Mailcleaner version in this VM is 2018.12. That’s OK, it will update itself to the latest available version later.

1. Login as root.
   Every password is set to MCPassw0rd (root, mysql, web admin, etc.)
2. There’s a initial setup script that offers you a few options.
   You can set your keyboard layout here and the server’s IP address.
   You can change the IP later using the web interface too. Don’t bother changing the root password now, because the deployment wizard will force you to do it later.
   You can run this script anytime by executing: /usr/mailcleaner/scripts/installer/installer.pl
3. Define the server’s hostname and point your main host (fqdn) to localhost to avoid name resolution problems locally (make sure you have this name valid in your DNS servers too):
   nano /etc/hostname and type the server name you want (Crtl + X to save)
   nano /etc/hosts and add the server names like this, for example:
   127.0.0.1 localhost myserver myserver.mydomain.com
4. At the shell prompt, run:
   touch /var/mailcleaner/run/configurator/updater
   This will prevent the update loop that sometimes happens (usually happens, if you ask me) in the deployment wizard later, in which the updates are never recognized and you can’t proceed.
5. Access https://your_mailcleaner_ip:4242 to run the deployment wizard
   Follow the steps, it’s quite simple.

• Just remember: every initial password is MCPassw0rd
• At the second page (updates) you may see a “Warning: touch(): Utime failed” error. Just ignore it.
• For root and MySQL passwords, only letters and numbers are allowed (for some reason). You can change the root password manually later to whatever you like.
• At “host ID” we usually put 1, if this is the first and/or the only box in the network.
• In “Base URL” you should put the full hostname you’re going to use to access the web interface (the main host you’ve set as myserver.mydomain.com in step 2).

At the end of the wizard it tells you that all services will be restarted within 15 minutes. Click the “8. [Mandatory] Close…” button and wait before proceeding, as instructed.

Note: at this point you should be able to SSH into your server. Root login is enabled by default.

Accessing MailCleaner’s MySQL database

This is an optional step. But if you’re keeping your antispam server in a perimeter network (DMZ), which I strongly recommend that you do, and/or if you’re using Let’s Encrypt certificate validation on this box, you are probably going to need this.

From the console or SSH shell, run:

/usr/mailcleaner/bin/mc_mysql -m

Then, on mysql> prompt, set the MailCleaner database as current:

use mc_config;

You can try a show tables; if you’re curious.

Adding firewall rules to the database

MailCleaner keeps local firewall rules in its DB and sets the iptables config every time the server loads.

By default, SSH access is allowed from the local subnet only. To add your internal subnet as permitted (assuming it’s different from the subnet your server currently is), run:

insert into external_access (service,port,protocol,allowed_ip) values ('ssh','22','TCP','n.n.n.n/nn');

Where “n.n.n.n/nn” is the subnet you want to add, in CIDR notation.

If you’re going to use Let’s Encrypt certificates and perform name validation in this box, please add this alternative TCP port to the local firewall rules too (you can change the port number if you want, just keep track of it):

insert into external_access (service,port,protocol,allowed_ip) values ('letsencrypt','8090','TCP','0.0.0.0/0');

Then just run quit to exit the MySQL shell.

If your server will in fact be in another subnet, make sure you have the proper rules in your firewalls to allow traffic from MailCleaner to your mail server (TCP 25) and other necessary resources/servers (like LDAP or LDAPS ports if you are going to use Active Directory authentication, for example), etc.

Reference: https://support.mailcleaner.net/…ing-the-mailcleaner-firewall

SSL/TLS certificate

We need certificates for:

• The web page (SSL/https)
• The MTA, for STARTTLS

You can have two separate certs or use the same one on both services. The SSL certificate must contain your main hostname for accessing the admin web page, and the certificate for STARTTLS must have your MX name(s) in it (as subject or alternative subject name). I believe wildcard certificates should work here too.

Please note: we used to get by with self-signed or private CA certificates, (that can still work for the web page SSL/https), but many e-mail providers, like Microsoft, are taking issue with self-signed certificates in your MTA (mail reception, MX servers). That’s the main reason I reinstalled my MailCleaner box recently. We were not receiving e-mails from Office 365 (Exchange Online), and Gmail servers were delivering, but returning an “unknown certificate” warning.

1. If you already have a valid certificate (or two) you want to use, you can go ahead and login to the admin web interface:

https://your_mailcleaner_hostname/admin

And then paste its contents in the configuration section. You will need the certificate(s) in PEM format. Usually .crt for the certificate data (public key) and .key for the private key. If you have a .pfx file, you can use openssl to convert it.

Before replacing the web interface SSL certificate you’re going to see a lot of certificate warnings in your browser (more then usual).

SSL certificate: Configuration > Services > Web Interfaces

You need to supply a cert chain if your cert provider has an intermediate CA.

STARTTLS certificate: Configuration > SMTP > TLS/SSL

After changing these configurations, it will ask you to restart a few services, which is done in the page Monitoring > Status:

Note: If you go into this page, and instead of “Host: 1 (127.0.0.1) Up”, you see “Unresponsive” (and nothing else), don’t worry. Login as root again in the server console and reboot it. Wait at least 5 minutes for the services to come up again.

2. If you decided to use Let’s Encrypt certificates, here are some instructions and considerations:

The main challenge here is that you have to provide external http access to your MailCleaner server for the certificate name validation.

Maybe you use the same name for you MX record that you use for your mail server or webmail. Maybe you have a pfSense firewall with the ACME module installed, like I do. Maybe you have a reverse proxy like HAproxy. There are many possibilities and obstacles here, so see what suits you better. A few options are:

• Have the certificate and the name validation performed somewhere else (like in your firewall) and create a routine for copying the cert files to your MailCleaner box;
• Forward Let’s Encrypt validation requests to an alternative TCP port on your MailCleaner server by using either:
  - a reverse proxy (more secure and flexible)
  - a simple NAT rule (if you have a dedicated public IP available)

You may feel that we’re missing a simpler option here, where you could just redirect the entire TCP 80 traffic to your MailCleaner server, but apart from that being less secure, MailCleaner itself (apache) is using port 443 as default and is listening on port 80 to redirect every request to https. You would have to alter this configuration or stop/start apache’s service every time.

Let’s Encrypt validation on the MailCleaner box

Here I’m assuming you have a reverse proxy (dedicated or as a feature in your firewall solution), that can redirect HTTP traffic based on rules, so I’ll be covering the certificate request considering just the one scenario where connections from Let’s Encrypt servers will be reaching your MailCleaner box on an alternative TCP port.

If you want to explore other options, see this complete article about using Let’s Encrypt certificates with MailCleaner:

Eliminate spam using SSL with an open source certification authority

What kind of rules do you need on your reverse proxy?

• You have to redirect every request sent to port TCP 80, whose destination hostname is your MailCleaner external FQDN myserver.mydomain.com and the path starts with /.well-known/acme-challenge/
• This must be true for every hostname your MailCleaner will hold.
• Also, you have to configure your reverse proxy to send these requests to an alternative port on MailCleaner server, since port 80 is already in use. We’re using port 8090 in the examples bellow.

Please note that, although we’re using an alternative port internally, Let’s Encrypt servers will only connect to your public IP using TCP port 80.

Prepare for requesting the certificate

Having your redirect rules in place, login as root in your MailCleaner server and run the following commands.

MailCleaner uses iptables, as explained before. If you didn’t add this port to the firewall rules (in the DB), or if you did, but the server has not been rebooted yet, we must open the alternative port 8090 manually:

iptables -A INPUT -p tcp -m tcp --dport 8090 -j ACCEPT

Then install Certbot:

wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto

Lets try to issue our certificate using Let’s Encrypt staging (testing) server:

certbot-auto certonly --standalone --preferred-challenges http --http-01-port 8090 --email myemail@domain.com --no-eff-email --agree-tos --staging -d myserver.mydomain.com

If you have more than one name, just add them with “-d” at the end. E.g.:
-d mx1.mydomain.com -d mx2.mydomain.com -d spam.mydomain.com

Note: after issuing this command it will hit a bootstrapping routine identifying missing dependencies, mostly python packages. Let it install the necessary software.

If everything went fine, you should see a result like this:

If it didn’t go well, keep in mind that most errors with this process are caused by the Let’s Encrypt servers not being able to reach your server. Check if your firewall configuration is really OK.

Request your certificate

When the certificate issuing process is working correctly with the staging server, go ahead and request your certificate for production:

certbot-auto certonly --standalone --preferred-challenges http --http-01-port 8090 --email myemail@domain.com --no-eff-email --agree-tos --force-renewal -d myserver.mydomain.com

The result screen is pretty similar. You will now have a valid certificate at the following path:

/etc/letsencrypt/live/myserver.yourdomain.com/

Automate the certificate assignment and renewal

The last piece of this puzzle is this great script provided by GRahamJB in the following MailCleaner forum topic:

https://forum.mailcleaner.org/viewtopic.php?f=5&t=3035&p=12532&hilit=set+certificates#p12532

Let’s save this script in our server:

nano /usr/local/bin/set-certificates.pl

Paste the contents of the script and save it (Ctrl + X). Then give the script permission to run:

chmod +x /usr/local/bin/set-certificates.pl

Now run the script to assign your certificates to the Web interface and the MTA service:

set-certificates.pl --set_web --set_mta_in --set_mta_out --key /etc/letsencrypt/live/myserver.mydomain.com/privkey.pem --data /etc/letsencrypt/live/myserver.mydomain.com/cert.pem --chain /etc/letsencrypt/live/myserver.mydomain.com/chain.pem

Now that we know it works, schedule these commands to run weekly, using cron and the certbot’s built-in renewal routine:

nano /etc/letsencrypt/renewal/myserver.mydomain.com.conf

Check if everything looks good and add the following line at the end (the same set-certificates.pl you just ran, preceded by “renew_hook =”)

.
.
# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = 9d670ed7c63c6238f90f042f852fc33e
pref_challs = http-01,
http01_port = 8090
server = https://acme-v02.api.letsencrypt.org/directory
# Set MailCleaner certs
renew_hook = set-certificates.pl --set_web --set_mta_in --set_mta_out --key /etc/letsencrypt/live/myserver.mydomain.com/privkey.pem --data /etc/letsencrypt/live/myserver.mydomain.com/cert.pem --chain /etc/letsencrypt/live/myserver.mydomain.com/chain.pem

Note that the “renew_hook = set-cert…” command must be one single line. Save the file (Ctrl + X) and run the following command to test it:

certbot-auto renew --force-renewal

If the renewal succeeds you shall see a result similar to the one bellow. Note how our renew_hook command was called. The certificate has been updated in MailCleaner and the necessary services restarted.

Now let’s add that renew command to cron:

crontab -e

Add the following line and save the file. This will make certbot run every Sunday, 2am:

0 2 * * 7 /usr/local/bin/certbot-auto renew

If crontab doesn’t open the way you expect, run select-editor to choose the editor you like (nano, for example). Save the file. If you want to check the result, run crontab -l .

By default, certbot will only renew the certificate if it has less than 30 days left in its expiry date. If the cert is not due to expire, certbot will not renew it.

Done!

If you access https://your_mailcleaner_hostname/admin you’ll see that the SSL certificate is valid. And if you run the following command in your server, you can see that the certificate being presented on STARTTLS is the new Let’s Encrypt cert you just set:

openssl s_client -connect localhost:25 -starttls smtp

That’s the first part of the implementation

Now your have the server up and running, ready to start configuring your domains, e-mail routing and antispam features.

Move on to the next part of this guide:

How to configure MailCleaner 2020.01

If you have doubts or suggestions, please let me know in the comments.