ASSP (Anti-Spam SMTP Proxy) On CentOS 5.4 part 2

This is a follow-up post to Fight Spam With #ASSP (Anti-Spam SMTP Proxy) On CentOS 5.4. If you haven’t already installed ASSP, do so before continuing with this How To, and remember that you need a working installation of Microsoft Exchange 2007 Server as well. This How To can be implemented on a live Microsoft Exchange 2007 server while it’s running. Leave the original ports (25 In and 25 Out, OWA and/or internal usage ports) alone and create new ones. Once you’re ready to go, simply activate the new ports, then deactivate the original ports. Your users will never see a glitch in service, and rolling back will be just as seamless.

Preliminary Note:

I am using a CentOS 5.4 i386 base installation with ASSP (Anti-Spam SMTP Proxy) and Microsoft Exchange 2007 Server already installed and configured in this tutorial.

* assp001.example.co.za (IP 10.0.0.100): CentOS 5.4 i386 ASSP installation
* exchange001.example.co.za (IP 10.0.0.101): Microsoft Exchange 2007 server

Setup Sendmail as your MTA relay

In the previous How To we disabled Sendmail because it used the same port that we wanted ASSP to listen on. We now need to make some configuration changes and start (or reinstall) it so that it can act as our MTA. Edit your sendmail.mc configuration file and change the following values (replace example.co.za with your domain).

If you uninstalled Sendmail as per the previous How To then reinstall it.

Let’s edit the Sendmail configuration file.

Finally build the Sendmail database.

Let’s start Sendmail and test that it’s listening on the correct port.

So that’s the Sendmail MTA setup done, now onto the Exchange 2007 configuration.

Setup Exchange 2007

Remember that this setup assumes that you already have a working installation of Microsoft Exchange 2007.

1) Create an additional incoming connector (i.e. “ASSP Inbound” on port 125) using the Exchange Management Console.
2) Create an additional outgoing connector (i.e. “ASSP Outbound”) using the Exchange Management Console. Set the outbound connector to transfer to a smarthost on 192.168.0.2 (ASSP) and check the box to use the remote server DNS on the smarthost. The outbound connector will default to port 25, which we will change in the next step.
3) Change the outbound connector “ASSP Outbound” port to 325 via the Exchange Management Shell using the Set-SendConnector command.

In the ASSP Admin panel, make the following changes:

  • In NETWORK SETUP
    1) Ensure the SMTP LISTEN PORT is 10.0.0.100:25
    2) Ensure the SMTP DESTINATION is 10.0.0.101:125

  • In RELAYING
    3) Ensure the RELAY PORT is 10.0.0.100:325
    4) Ensure the RELAY HOST is 10.0.0.100:125

Here is a flow description of how everything fits together:

  • Incoming Mail
    Internet to Firewall on 25 –> Firewall passes to ASSP on 10.0.0.100 port 25 –> relays to Exchange listening on 10.0.0.101 port 125

  • Outgoing Mail
    Exchange from 10.0.0.101 smarthosts on port 325 –> ASSP listening on 10.0.0.100 port 325 relays –> to Sendmail MTA listening on 10.0.0.100 port 125 –> MTA transmits to the internet.

  • Exchange Settings – Final
    1) Disable the outbound connector on port 25 and enable the “ASSP Outbound” connector in the Exchange Management Console.
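To confirm that the ASSP host matches the flow described above, the following added example (not part of the original how-to) parses `netstat -ltn` output and checks the three listeners expected on 10.0.0.100: ports 25 and 325 for ASSP and port 125 for Sendmail. The function names, role labels and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the listeners this how-to expects on the ASSP host.
# On the real host:  netstat -ltn | check_listeners
ASSP_IP="10.0.0.100"   # assp001.example.co.za in this tutorial

# Reads `netstat -ltn` output on stdin and prints "<port> <role> <state>":
#   ok        bound to $ASSP_IP
#   wildcard  bound to 0.0.0.0 or ::, so reachable on every interface
#   MISSING   not listening, or bound only elsewhere (e.g. 127.0.0.1)
# Returns 1 if any expected listener is MISSING.
check_listeners() {
    awk -v ip="$ASSP_IP" '
        BEGIN {
            role["25"]  = "assp-smtp-listen"   # SMTP LISTEN PORT
            role["125"] = "sendmail-mta"       # RELAY HOST target
            role["325"] = "assp-relay-port"    # RELAY PORT used by Exchange
        }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")           # last field after ":" is the port
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in role)) next
            if (addr == ip) {
                state[port] = "ok"
            } else if ((addr == "0.0.0.0" || addr == "::") && !(port in state)) {
                state[port] = "wildcard"
            }
        }
        END {
            rc = 0
            n = split("25 125 325", order, " ")
            for (i = 1; i <= n; i++) {
                p = order[i]
                s = (p in state) ? state[p] : "MISSING"
                if (s == "MISSING") rc = 1
                print p, role[p], s
            }
            exit rc
        }'
}

# Constructed sample of `netstat -ltn` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 10.0.0.100:25      0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:125        0.0.0.0:*          LISTEN
tcp        0      0 10.0.0.100:325     0.0.0.0:*          LISTEN
tcp        0      0 :::22              :::*               LISTEN
EOF
}

sample_netstat | check_listeners
```

A Sendmail daemon bound only to 127.0.0.1:125 is reported as MISSING, because ASSP's RELAY HOST in this setup is 10.0.0.100:125.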

    • Rob

      Typo, I think…

      Where you say :

      # Incoming Mail

      Internet to Firewall on 25 –> Firewall passes to ASSP on 10.0.0.100 Port 25 –> relays to Exchange listening on 10.0.0.100 port 125

      …don't you mean:
      …–> relays to Exchange listening on 10.0.0.101 port 125

    • How2CentOS

      Well spotted, thanks! I have amended the typo ….

    • Rob

      Glad to help… great how-to, I'm going to try it as soon as I migrate my SBS2003 box to SBS2008. I'm trying to get SBS2008 installed in a Xen DomU… keeps blue-screening on me.

    • How2CentOS

      I am looking for guys to assist with How To's – If you're keen please let me know and you'll get full credit for anything posted. Thanks for the support!

    • Rob

      Not sure I'm good enough at this stuff to do a how-to… I can barely muddle through ones that knowledgeable folks like yourself put together!
      By the way, I got the SBS 2003 server migrated over to SBS 2008 running on Xen… it was an ordeal. I'm still struggling with getting USB working, and it seems like every time I boot the virtual machine it acts differently. Anyway, I'm going to try setting up the AntiSpam server described in your how-to tonight. Wish me luck.

    • Rob

      This line failed:
      # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

      …until I did:
      # yum install sendmail-cf

    • Rob

      Forgive me for being stupid, but when we edit /etc/mail/sendmail.mc, do we add these 4 lines to the top of the file…

      DAEMON_OPTIONS(`Name=MTA,Port=125')
      MASQUERADE_AS(`grayspace.com')dnl
      FEATURE(masquerade_entire_domain)dnl
      MASQUERADE_DOMAIN(grayspace.com)dnl

      …or do we replace some lines in the file?

    • Rob

      OK, so replaced lines in config file, finished up how-to, but when I try to send from Exchange I get:

      Delivery has failed to these recipients or distribution lists:

      rob
      Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

      The following organization rejected your message: assp1.grayspace.com.
      Sent by Microsoft Exchange Server 2007

      Diagnostic information for administrators:

      Generating server: SBS2008.Grayspace.local

      rob@grayspace.net
      assp1.grayspace.com #550 5.7.1 <rob@grayspace.net>… Relaying denied. IP name possibly forged [192.168.101.11] ##

    • How2CentOS

      Thanks again, amended the How To

    • How2CentOS

      You need to find and replace those lines.

    • How2CentOS

      Double check your relay settings in the ASSP configuration