See also Customizing MailCleaner

See also MailCleaner Quick Guide

See also Zimbra LDAP Directory Notes

See also Exchange E-Mail Security

See also MailCleaner CSF Firewall

See also MailCleaner AntiSpam

See also MailCleaner LetsEncrypt Free SSL

Important Read!: https://medium.com/@victorlclopes/how-to-manage-and-customize-mailcleaner-2020-01-c13bbae12745

User: https://mc.virtualarchitects.com

Support: https://support.mailcleaner.net/

Forum: https://forum.mailcleaner.org/

Traffic Flow: https://www.mailcleaner.net/downloads/Mailcleaner-process.pdf

Windows LDAP Browser: http://www.ldapadmin.org/

Major Releases: https://www.mailcleaner.net/informations/release.html

Commercial version updates are mostly automatic and can be viewed at Monitoring → Status.

/root/Updater4MC/updater4mc.sh

You can also perform system updates of the underlying OS:

apt update && apt-get dist-upgrade -y && apt-get autoremove -y && apt-get clean && reboot

https://support.mailcleaner.net/boards/3/topics/37-customizing-the-mailcleaner-firewall

The built-in firewall and fail2ban for MailCleaner are awkward and unreliable, but cluster-aware. We are using CSF with LFD instead.

/usr/mailcleaner/bin/mc_mysql -m mc_config

show tables;

select * from external_access;

update external_access set allowed_ip = '192.168.100.0/24' where service = 'configurator';

insert into external_access (service,port,protocol,allowed_ip) values ('configurator','4242','TCP','192.168.130.0/24');

/usr/mailcleaner/etc/init.d/firewall restart

Fail2Ban doesn't seem to work correctly, so we use CSF + LFD instead.

https://support.mailcleaner.net/boards/3/topics/80-fail2ban

https://support.mailcleaner.net/boards/3/topics/63

https://support.mailcleaner.net/boards/3/topics/61-password-protected-archives-manage-a-whitelist

Password protected archives (.zip files) are blocked system-wide in the current MailCleaner configuration. While it is not possible to change this at the domain level, there is a whitelist to permit whitelisted sender domains.

manage_wh_passwd_archives.sh [add|del] domain.tld
/usr/mailcleaner/etc/init.d/mailscanner restart ms

Don't forget to restart the Filtering MTA service on both servers.

https://support.mailcleaner.net/boards/3/topics/32-mailcleaner-newsletter-module

This can only be done by administrators.

Management → Users → <address> → Actions → Preferences → Bypass all filtering for this address

Create a single “spam administrator” user account and add all e-mail aliases that the spam administrator should administer to their Address Group.

Don't forget to specify Send reports to this address under the User Address Settings and select the checkbox Apply settings to all addresses before saving!

In the admin interface, add a new administrator user:

Configuration → Accesses → New Administrator

Assign the role Hotline.

Assign the domain allowed in Manage Domains.

The new admin user can access the admin interface and see the quarantine of all users of this domain. He has access to all features of the admin interface top section “Management”, but is restricted to the allowed domain.

https://www.mailcleaner.org/add-ons/

If your MailCleaner alias domains are also aliased on the (Zimbra) mail server, then you can probably use LDAP for address verification and user authentication of all domains.

If you have mail accounts with aliases in multiple domains, you may run into trouble using LDAP address verification. In these cases, it may be necessary to use SMTP address verification for the alias domain(s).

If the domains (and therefore users) are separate on the mail server, you can probably use LDAP for the main (most users) domain and SMTP address verification for the aliased domain(s).

For MailCleaner LDAP usage generally, you probably want to mirror the domain aliasing as used on your Zimbra server.

Zimbra LDAP uses TCP/389 and TLS internally. Open the Zimbra host firewall to permit your MailCleaner host(s).

A successful connection will not display any prompt. A firewall rejection should be evident.

Verify firewall is open from MailCleaner host CLI:

telnet zimbrahost.yourzimbradomain.tld 389

Like MS Exchange, Zimbra does not reject mail at the SMTP level for non-existent users by default.

Reject non-existent users at SMTP level for SMTP address verification:

su - zimbra
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart

If your domain has numerous aliases, it is better to use LDAP address verification so aliases are automatically grouped per user.

Per domain at Configuration → Domains → <domain> → Users Authentication:

1. MailCleaner Admin UI → Configuration → Domains → <domain> → Users Authentication
   1. BaseDN: ou=people,dc=yourdomain,dc=tld
   2. Bind User: uid=zimbra,cn=admins,cn=zimbra
   3. User Attribute: uid
   4. Username Modifier: Use only entered username (without domain)
   5. Address Lookup: Fetch addresses from LDAP directory
2. Test with sample user credentials

Determine Bind User Distinguished Name:

These credentials should probably work for all queries for all domains extant on the Zimbra server.

su - zimbra
zmlocalconfig -s zimbra_ldap_userdn zimbra_ldap_password

Test:

ldapsearch -x -h zimbrahost.yourdomain.tld -D uid=zimbra,cn=admins,cn=zimbra -w <yourpasssword>

ldapsearch -x -D "uid=zimbra,cn=admins,cn=zimbra" -w <yourpasssword> -H ldap://zimbrahost.yourdomain.tld -b "ou=people,dc=yourdomain,dc=tld" -s sub 'uid=yourtestuser'

ldapsearch -x -D "uid=search-user,ou=people,dc=example,dc=com" \
           -W -H ldap://ldap.example.com -b "ou=people,dc=example,dc=com" \
           -s sub 'uid=test-user'

-D - Use bind user "search-user"
-ZZ - Use TLS - place just after -x
-w <password> - Specify password
-W - Prompt for password
-h - LDAP server FQDN
-H - URL of LDAP server. Non-SSL in this case; use "ldaps://" for SSL
-b - The search base
-s - Search scope - i.e. base for base of tree, one for on level down and sub for recursively searching down the tree (can take a while)

Finally the search filter as a non-option argument. In this case we will search for the uid of "test-user"

Choose SMTP as the Callout Connector.

Choose local as the Authentication Type.

For Virtualmin, we can add a Header Check to give messages from the MailCleaner filter server a 'pass' (whitelisting) through SpamAssassin, while leaving spam and virus filtering enabled for all domains.

This should:

1. Permit normal delivery of Quarantine Reports
2. Maintain protection from evildoers that try to bybass the DNS MX record (spam filter)
3. Allow you to leave spam and virus filtering enabled for all domains

Webmin → Servers → SpamAssassin → Header and Body Tests

MailCleaner Documentation: https://support.mailcleaner.net/boards/3/topics/73

Exchange users will use their Active Directory (sAMAccountName) user account credentials. This is probably not their full e-mail address.

Configure Exchange so that MailCleaner is a trusted internal server where headers are ignored by Exchange filtering:

Get-TransportConfig | fl InternalSMTPServers

Set-TransportConfig -InternalSMTPServers @{Add="<ipaddr>"}

Enable LDAPS on one of your domain controllers:

https://www.youtube.com/watch?v=JFPa_uY8NhY

Reboot the domain controller.

Test your LDAPS and firewall connectivity:

telnet your.domain.controller.ip 636

Use LDAP Admin tool to interrogate your specific LDAP directory.

Configuration → Domains → <domain> → Address verification

Configuration → Domains → <domain> → User authentication

ADUC → Enable Advanced → Attribute Editor

The MTA (exim_stage1) must be restarted to activate changes.

https://support.mailcleaner.net/boards/3/topics/94#DNS-shorthands

The Watchdog Report points out some possible configuration issues.

Exim commands begin like:

/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage1.conf ...

For example, this will show you the status of queue1:

/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage1.conf -bp

Change the 1 in the configuration file to 1 2 or 4 where:

Messages that are NOT for your domains are accepted by queue1 and sent right away to the outside/Internet so queue1 is an outgoing queue for relayed mail.

More information about this is here: https://support.mailcleaner.net/boards/3/topics/49-exim-queue-management

Install ldapsearch on the MailCleaner host:

apt-get update && apt-get install ldap-utils

Packet capture on the Zimbra server:

tcpdump -vv -w ldap.pcap -i eth0 src <ip.of.mail.cleaner>

Always specify siteconfigpath when testing.

Customize SpamAssassin Rules

https://support.mailcleaner.net/boards/3/topics/15-configure-a-loadbalancing-cluster

Use DNS MX records to route mail through the new clustered host.

Use MX record priority to configure load balancing or failover.