How to install Zarafa on Debian Lenny with Postfix, procmail, spamassassin, clamassassin, spam learning and SASL

This is the first of two articles about configuring Zarafa to enable some extra options that aren't covered in a default install. I've talked a little about Zarafa in a previous article. It's a Linux groupware system that's almost entirely open source. There's some very good documentation, including installation instructions, on the official Zarafa website. However, while this documentation covers Zarafa in great detail, it doesn't cover many common Linux server programs you might want to combine with it.

Pretty much any mail server these days needs spam filtering. Anti-virus scanning is also a good idea if you have any users accessing their mail from a Windows machine. Some of your users may want to use a mail client other than Outlook or Zarafa's web interface, which will require secure authentication to allow them to send mail. None of these requirements are dealt with directly in the Zarafa documentation, although they are touched upon. That's where this article comes in. There's no real new information in it, but as far as I know there are no tutorials out there that collect all the information in one place. Hopefully having a guide that goes through everything in sequence will make it easier for new users.

Notes before you start

This is a pretty long guide, you'll probably have an easier time with it if you read through it a bit at a time before trying to put it into practice. I've divided up into two articles to simplify things: I'll start by explaining how to use Postfix to deliver mail through Procmail, along with a Procmail script that will scan mail for spam and viruses and filter it accordingly. Once that's done you can install Zarafa. In the second article I'll explain how to use Zarafa's IMAP capabilities to do automated training for the spam filter and enable SASL authentication.

I'm going to assume that you have a working Debian server install already, with each mail user having a Linux shell account (it doesn't matter if logins are enabled). Before beginning, a quick word of warning: the setup I'm about to describe isn't really suitable for a large scale deployment. It's fine for a small home or office server where there aren't a lot of accounts though.

Postfix and Procmail

The first thing that needs setting up is Postfix. You can install it by running apt-get install postfix as root. I won't go into an explanation of how to configure Postfix itself, as it's a topic that's already been covered in many places. Once you've got the basic configuration done, you'll need to make sure a few options are enabled. The only that matters for spam and virus scanning is the following:

mailbox_command = /usr/bin/procmail -f- -a "$USER"

This tells Postfix to deliver incoming mail to procmail instead of directly to the user's inbox. Procmail is not installed by default, so make sure you have it installed by running apt-get install procmail as root. Procmail can be globally configured using /etc/procmailrc, here's an example:

# Run procmail as the receiving user, not root:
# Log procmail's activities to the user's home directory:
# Scan message to see if it contains a virus:
:0fw: $HOME/.clamassassin.lock
| /usr/bin/clamassassin
# If the message appears to contain a virus, pass Zarafa the -j flag:
* ^X-Virus-Status: Yes
| /usr/bin/zarafa-dagent -j $LOGNAME
# Alternatively, you can automatically delete the message by commenting
# out the above section and uncommenting the following:
#* ^X-Virus-Status: Yes
# If no virus was found, scan message to see if it is spam:
:0fw: $HOME/.spamassassin.lock

Antivirus filtering

This is a fairly straightforward procmail script. It relies on three external programs: clamassassin, spamassassin and zarafa-dagent. The zarafa-dagent is, of course, part of Zarafa so we don't need to worry about that. The slightly more tricky part is setting up clamassassin and spamassassin. We'll start with clamassassin. It's a frontend for the popular open source anti-virus program ClamAV, specifically designed for use in mail filtering. To install it, just run apt-get install clamassassin. Unless you already have a ClamAV server running on your network, you will also want to install ClamAV on your Zarafa server. I recommend using the daemonised version as you'll get much better performance out of it. To install this, run apt-get install clamav-daemon. To make sure that clamassassin uses the daemonised version of clamav and not the standalone version, open up /etc/defaults/clamassassin and make sure that it contains the line CLAMSCAN=/usr/bin/clamdscan. N.B. the d is very important, it's the difference between the daemonised and non-daemonised versions!

Antispam filtering

Now that virus scanning is configured, let's set up spamassassin to handle spam filtering. Like ClamAV, spamassassin comes in daemonised and non-daemonised forms, and you'll get much faster performance out of the daemonised version. Install the packages spamassassin and spamc and edit the file /etc/default/spamassassin so that it contains the line ENABLED=1. You can now start the spamassassin daemon by running /etc/init.d/spamassassin start. Spamassassin is now running and filtering your incoming mail. You may want to check which tests it's running by going into /etc/spamassassin and looking at the .pre files in there. Not all of the plugins are enabled by default, it's worth checking the spamassassin documentation to see if you want to run extra tests or disable some of the default ones. Side note: if you want to boost performance further, you can enable precompiled rules in spamassassin, see this article and this article for further information.

Testing and next steps

Now is a good time to pause for breath! Postfix should be working fully with filtering enabled. You can now go ahead and install Zarafa. For simplicity I suggest adding users to Zarafa with the same username as their Linux shell account name, more complicated setups are outside of the scope of this how to. Once you've created some accounts, try sending and receiving some test mail to make sure that everything is working! You can check that the filtering is occurring by looking at the message headers. If spamassassin is working you should see a header something like this:

X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on

Likewise for clamassassin, look for something like this:

X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.96/11207/Thu Jun 17 17:47:19 2010

If they're present then congratulations, everything is working correctly! You're now ready to proceed to the second part of this how-to, covering SASL authentication and training of the spam filter.

Add new comment