Introduction

Overview

MPP is an email security and compliance application that provides a complete solution for email filtering and compliance for service providers, small and medium sized businesses and providers that serve these markets. This guide provides an overview of installing MPP and its system components as well as #Installing the MPP Virtual Appliance and #Installing MPP on Mac OS X. The MPP configuration guide provides an overview of configuration options and design tips and the MPP Manager guide provides an overview of MPP GUI controls. (back to the top)

Deployment Scenarios

MPP can be installed on SMTP gateways or directly on your email server. MPP is compatible with Sendmail, Qmail, Postfix, CommuniGate Pro, Exim, Sun Java System Enterprise Server or Surgemail MTA’s. MPP is available as a VMWare virtual appliance that can be installed as a scanning gateway. MPP is also compatible with collaboration platforms such as Zimbra, Zarafa and others. (back to the top)

Visit <a href="http://www.wikipedia.org">Wikipedia</a> to see more information
` All you need to do is add in target="blank" as show below: `Visit <a href="http://www.wikipedia.org" target="blank">Wikipedia</a> to see more information
`

Architecture Overview

MPP has three primary components: MPP Core Plug-ins MPP Manager

MPP System Architecture

The basic MPP system is made up of a Mail Transfer Agent (Postfix, Sendmail, Qmail, Exim, CGPro, SurgeMail, Zimbra, Sun Java Systems Messaging Server), Webmin and MPP. These are the only required components for a basic implementation of MPP. (back to the top)

When MPP is deployed in conjunction with MySQL and/or LDAP end-users or domain admins can configure features such as per-user spam white/black lists, address validation, quarantine and policy-assignment dynamically with QReview, a component of MPP Manager. QReview allows end-users or domain admins can access their spam quarantines and archives and to set basic settings. (back to the top)

Below is a logical diagram of the MPP system architecture. They are separated for clarity, however, all components may be installed on one or multiple servers depending on the scale of your installation. (back to the top)

MPP System Installation for Linux, Solaris, FreeBSD

Linux, Solaris, FreeBSD

This section describes the steps for installing MPP on Linux, FreeBSD or Solaris servers. It is NOT applicable to MacOS X or the MPP Virtual Appliance; for those guidelines please refer to #Installing the MPP Virtual Appliance and #Installing MPP on Mac OS X . If you are upgrading from MPPv3 please skip to the #MPP Upgrade Instructions (back to the top)

Installing MPP

First download the correct MPP package for your operating system from :http://messageapartners.com. (back to the top)

This section does not apply to installing the MPP Virtual Appliance or MacOS X bundle installer.

1) Run MPP Installer Package

Linux: rpm –Uvh <package name> or install.sh for non-RedHat platform

Solaris: pkgadd -d <package name>

FreeBSD: pkg_add <package name>

2) Run MPP Configure Script

This script will configure most MTA’s (Postfix, QMAIL, Sendmail, CGP) to use MPP, configure MPP to use your selected scanners and run MPP plug-in update scripts.

/usr/local/MPP/scripts/configure.pl

Manual configuration of MTA’s is not generally required, however, subsequent sections in this guide provide detail about modifications required for MTA’s to use MPP.

3) Install MPP Manager

Install MPP Manager from /usr/local/MPP/www/mppserver.tar.gz

tar –zxvf mppserver.tar.gz
cd mppserver*
./setup.pl

MPP Manager requires the XML tool, expat, which is a part of most modern operating systems. In the rare case that you need to install it EXPAT can be installed from sources or using your OS installation tools such as yum or Yast. If this fails for some reason expat can be installed from sources using these steps. (back to the top)

Download from ftp://ftp.messagepartners.com/pub/expat/expat-2.0.1.tar.gz

tar –xvf expat-2.0.1.tar.gz
cd expat-2.0.1
./configure
make
make install

Most Perl modules required by MPP Manger are included along with MPP Manager and require no other installation. However, in the case that you don’t have the required modules Perl modules should be installed from your OS install tools such as yum. – DBD, HTML::Entities and GD. (back to the top)

4) Confirm the Installation

Logon on to http://yourhost:20001 using the username and password you specified during the installation. If MPP is not running check the specific reason by viewing the logs in status->monitor->MPP Logs. (back to the top)

Send a message to MPP@Mailspect.com or Support@Mailspect.com if you have issues or need a full trial key that does not mark messages during scanning. Mailspect offers installation services. (back to the top)

Trial Keys

The MPP trial kit comes with a trial key that is intended to provide you with a temporary method of operating MPP. Since these keys are manually updated with our package it is possible that they can be expired when you begin your trial of MPP. (back to the top)

The trial key will mark headers, messages and warn recipients for viruses. The trial keys are not intended for production use. For production trials the trial key should be replaced with an evaluation key by sending an email to Info@Mailspect.com with your contact information, number of users and the scanner plug-ins that you wish to evaluate. (back to the top)

Optional – Configuring MySQL

MPP functionality is enhanced when used in conjunction with MySQL for things like quarantine and archive storage, WBL lists, Access Control Lists and more. More detail is provided in the MPP Configuration Guide about this topic. (back to the top)

Here are basic instructions to configure MPP to use MySQL. All that is required to use MPP with MySQL is to create an empty MySQL database and a user that can access it. The MySQL database can be local or remote. (back to the top)

mysql –p –u root

Create database mpp;

Grant all on mpp.* to mpp@localhost identified by ‘mpp1233’;

A single database is fine for evaluation purposes but a production system should have separate databases for spam quarantine, archives and message tracking. Database setup is detailed in the GUI Configuration Guide but once you have created the empty database you can create the MPP tables via the MPP GUI under System->Database->Setup. MPP SQL tables can be created with MPP GUI, however, command line instructions are provided here for convenience. (back to the top)

cat /usr/local/MPP/sql/mpp-mysql.sql | mysql –p –u root –t databasename

• Change database name to the name of your table.

Typical MySQL Errors

If MPP cannot connect to the database after all tables are created and permisions check check /etc/my.cnf file to ensure that the client section has the same socket path as other sections. (back to the top)

[mysql.server]

user=mysql

basedir=/var/lib

socket=/var/lib/mysql/mysql.sock

[client]

socket=/var/lib/mysql/mysql.sock

[mysqld_safe]

log-error=/var/log/mysqld.log

pid-file=/var/run/mysqld/mysqld.pid

Installing MPP on Mac OS X

MPP has a comprehensive installer for Leopard i386 and Tiger PPC that installs all components of MPP and MPP Manager in one step. Simply download the package, run the DMG installer and point your browser to http://localhost:20001 to review settings. All default settings are made for optimal spam filtering, your email server is automatically detected and modified, MPP Manager is installed and all libraries are updated. (back to the top)

The MPP bundle installer is compatible with Postfix, the default email server on Mac OS X, or CommuniGate Pro. If you are using CGP, add mppcgpproxy as a helper after the bundle installation completes. (back to the top)

The MPP bundle installer does not require MySQL, however, if MySQL functionality is required it can easily be configured after the installation is complete. (back to the top)

Installing the MPP Virtual Appliance

Overview

The MPP Virtual Appliance is a pre-configured SMTP proxy that will filter email for virus and spam and archive email. All presets have been made and after a configuration script is run you will be ready for production. Since it is assumed that the appliance will be an SMTP relay be prepared with the name of the domain that it should filter and the IP address of the real email server that it should relay to. (back to the top)

System Requirements

The MPP Virtual Appliance works with all VMWare virtualization including VMware Player for Windows, VMware Fusion for MacOS X, VMware Server for Windows/Linux or any VMWare enterprise product. (back to the top)

CPU: minimum Intel Pentium 4 2Ghz or equivalen, RAM: minimum minimum 1GB / recommended 2Gb, HDD free space: minimum 30Gb, Networking: Ethernet card (for VMware bridged networking). (back to the top)

If you plan on converting your trial into a production system make sure to allocate enough hard drive space to accommodate your spam quarantine or archive. Message Partners will work with you to establish these guidelines. (back to the top)

Installing

1)Download the MPP Virtual Appliance and add it as a virtual machine.

For VMware Player open MPP_appliance/vmimage_files/MPPDemo.vmx to start appliance.

For VMware Server register MPPDemo.vmx as new virtual machine and start VM

2)Run configure script

/usr/local/MPP/scripts/mppappconf

The configure script will set the root password, timezone config, setup relay domains, setup MPP MySQL quarantine and/or MySQL archive along with new root password. If you make a mistake, don’t worry, you can always start over and fix the parts that need correction.

3)To adjust settings go to http://host:20001 to configure

4)To access spam quarantine and archives go to http://host:20000 5)To place in production point your mx record for your domain to the IP of the Virtual Appliance. (back to the top)

Archiving Jouranled Email with the MPP Virtual Appliance

It is possible to have the virtual appliance archive email as a standalone product and NOT relay email or filter for spam. Please contact Mailspect support for help with this application. (back to the top)

MPP Plug-in Modules

MPP supports plug-in modules to increase functionality.

Sophos

Sophos is our highest performing scanner due to its capability to scan files in memory and fast updates of signatures. MPP only uses the SAVI library files; we do not require the Sophos Sweeper command line scanner. (back to the top)

Installation of Sophos is automated as part of the MPP installation.

Sophos updates can be configured from MPP Manager, on the front page in the plug-in updates section. Be sure to setup both Sophos monthly and daily updates. (back to the top)

Kaspersky

Mailspect provides a custom kit for KAV, though we work with standard components for KAV for FileServers or KAV for MailServervers. (back to the top)

Nod32

You must have a valid NOD32 for Linux Mail Server (version 2.50 or higher) license. After installation, simply add ‘nod32‘ as a scan_engine in mppd.conf.xml or via the MPP GUI file and restart MPP. Also note that Nod32 will only work with MPP 2.4 and greater. NOD32 must be obtained from an authorized NOD32 reseller or distributor. (back to the top)

F-Prot

Install the standard F-Prot for Mail servers. MPP uses the F-Prot Daemon Scanner, f-protd. (back to the top)

SpamAssassin

MPP interfaces with the spamd component of SpamAssassin. (back to the top)

ClamD

MPP interoperates with libclamav or clamd. Libclamav is included for testing purposes and can be utilized by using the ‘clamav’ content scanner. Clamd is the preferred method of using MPP with ClamAV. (back to the top)

Cloudmark

Installation of Cloudmark is automatic, as Cloudmark is statically linked with MPP. MPP uses the Cloudmark Authority SDK, CMAE. Initial configuration of MPP with Cloudmark is automated by the configure.pl script. The key.txt file enables usage of this engine. (back to the top)

Cloudmark uses an internal scheduler for updates. The Cloudmark configuration file placed in /usr/local/MPP/cloudmark/conf, may be modified to change the frequency. We also have a tab in our MPP GUI for adjusting the various parameters. (back to the top)

We have a cartridge update script, /usr/local/MPP/scripts/cloudmarkupdate.sh that updates the cartridge.so file, located in /usr/local/MPP/cloudmark/lib. The script is updated periodically and we announce its availability on the MPP mailing list. You can add the script to run in cron monthly. It will also update the CMAE SDK/API, /usr/lib/libcmae.so, when new ones become available. (back to the top)

Mailshell

Installation of Mailshell is automatic, as Mailshell is statically linked with MPP. Initial configuration of MPP with Mailshell is automated by the configure.pl script. The key.txt file enables usage of this engine. The SDK/API resides in /usr/lib and is named libspamcatcher.so.0.0.0, and needs to be updated periodically. Subscribe to the MPP mailing list to be notified. (back to the top)

Add the /usr/local/MPP/mailshellupdate.sh binary to cron to update Mailshell’s rules. The configure.pl script should do this for you.(back to the top)

You can edit some options in the /usr/local/MPP/mailshell/conf/spamcatcher.conf file. Please read the warnings (in the file) carefully as some options can limit performance. For example, running live RBL queries (option: rbl_list) can result in more delay. Also, enable_spamcompiler_cache=no could result in using large amounts of memory (>100MB) since the SDK would not be allowed to store compiled rules in an on-disk cache. You are welcome to experiment with options like blocked_charset_list, and note that he SDK extracts the "charset" attribute from the "Content-Type:" header of a message and your mileage may vary based on mail clients. (back to the top)

Commtouch

The Commtouch engine components are not included in MPP and must be obtained from Message Partners by sending an email to info@messagepartners.com or contacting your representative directly. The Commtouch installation package comes with detailed instructions. Commtouch is available for Linux, Solaris, MacOS X (intel) and FreeBSD. (back to the top)

McAffee VirusScan (UVScan)

MPP interfaces with McAffee command line scanner using an innovative daemon like interface. This yields extreme performance gains over other implementations of this command line scanner. (back to the top)

Updating Content Engines

MPP has controls to update Clam, Sophos and Mailshell in the MPP GUI. F-PROT, KAV and Nod32 must be configured for updates via their update scripts. Cloudmark is self-updating for micro-updates; however, it is necessary to run cloudmarkupdate.sh in order to keep the core cartridge up to date. CM will update itself every few minutes, they release cartridge updates about once a quarter and we will announce on the MPP list when these occur. (back to the top)

Make sure to add cron entries for daily and monthly scripts. Cloudmarkupdate.sh and Sophosmonthly.pl should be run monthly or when we announce new updates on our mailing list. Clamavupdate.sh and sophosdaily.sh should be run multiple times a day depending on your requirements. If you run hourly please schedule on random minutes in the hour rather than at 0. (back to the top)

(back to the top)

MPP Upgrade Instructions

When there is an update to MPP we release 2 versions – a binary only package and a complete install package. If there are no major changes in the configuration files then it is easiest to use the binary packages to update MPP. Simply stop mppd, download the binary package from our ftp server, ftp://ftp.raeinternet.com/pub/mpp2/ , bunzip2 and untar in the MPP directory and restart MPP. If you want to take advantage of new commands it is best to configure them via the MPP GUI and let it create the associated XML commands. (back to the top)

From time-to-time we may release an update that will require extensive changes in the configuration file. In these cases it is best to backup your MPP dir and install the new package. (back to the top)

Updating from MPPv3 to MPPv4

Upgrading from MPP 3.6 to MPP 4.3.0 can be done using binary only archives for your OS of choice:

Download any of previous archives for your OS, then follow these steps:

1) stop MTA and MPP

2) unpack archive in /usr/local/MPP

3) cd /usr/local/MPP, move binaries archive here

4) tar xjvf mppd-4.3.0-1.OS.ARCH.tar

5) remove policy_timeout_* options from /usr/local/MPP/mppd.conf.xml

6) if MySQL archive /quarantine is in use, please apply the following SQL script to your current MPP DB(s) in use:

ftp://ftp.messagepartners.com/pub/mpp4/sql/migrate_4_1_0.sql

mysql -hMPP_HOST -uMPP_USER -pMPP_PASS MPP_DB < migrate_4_1_0.sql

Mailshell users should upgrade Spamcatcher library and spamcatcher.conf

The file spamcatcher.conf is available for download here:

ftp://ftp.messagepartners.com/pub/mailshell/spamcatcher-5.1.0/spamcatcher.conf

Library for your OS of choice is available here:

OS X 10.5+ / i386: ftp://ftp.messagepartners.com/pub/mailshell/spamcatcher-5.1.0/osx/i386/libspamcatcher.0.0.0.dylib

OS X 10.4+ / PPC: ftp://ftp.messagepartners.com/pub/mailshell/spamcatcher-5.1.0/osx/ppc/libspamcatcher.0.0.0.dylib

Linux / i386: ftp://ftp.messagepartners.com/pub/mailshell/spamcatcher-5.1.0/linux/i386/libspamcatcher.so.0.0.0

Copy libspamcatcher library in /usr/lib for OS X / Linux and spamcatcher.conf file in /usr/local/MPP/mailshell/conf

7) Restart mppd and MTA

(back to the top)

MPP Removal Instructions

• Make a backup of the configuration.

• Remove all configurations for the mppd from your mail server configuration files and restart your mail server to confirm that the MPP is no longer scanning.

• Uninstall the package using the examples below:

• For Redhat, rpm -e mpprpmxxx

• For Solaris, pkgrm mpprpmxxx

• For OS X download and run this command:

• ftp://ftp.messagepartners.com/pub/mpp4/osx/Uninstall.command

• There is also a remove script that you can use: /usr/local/MPP/uninstall.pl

• Remove the log files in /var/log/MPP

• Remove the start up scripts, e.g., for Linux: /etc/init.d/mppd, for OS X: /Library/StartupItems/MPP. (back to the top)

MTA Integration

Introduction

In most all cases it is not required to manually configure your MTA to use MPP as the configure script will take care of this. However, there are cases such as for Exim or CommuniGate Pro, where manual steps are required. The following section describes the manual configuration process of configuring MPP and MTA’s. (back to the top)

MPP supports MTA;s using their native filter interfaces i.e. milter, content filter, etc.. It’s usually a simple matter to change some configuration files. First, the email server software has to be reconfigured to use external filters. Second, MPP needs to identify which mail server is being used. (back to the top)

For Postfix, Sendmail, Qmail and CGP configure.pl will automatically configure all mail server settings and it is not necessary to perform these steps manually. This script will automatically configure the correct engine and email_server setting in mppd.conf.xml for all email servers. (back to the top)

You must manually configure MPP as a helper in CommuniGate Pro and configure MTA configuration files with Exim and Sun Java System Messaging Server to work with MPP. (back to the top)

CommuniGate Pro

MPP requires that CommuniGate Pro to define an “external helper” that points to mppcgpproxy. This communication is via a Unix socket. This configuration change must be made manually using the following steps. (back to the top)

1) Ensure that there is a symbolic link in /var/CommuniGate to /usr/local/MPP/mppcgpproxy. If it is not there, manually create it.

# ln -s /usr/local/MPP/mppcgpproxy /var/CommuniGate/mppcgpproxy

2) Create a server wide rule:

4) For CGP 5.x: Queue -> Rules -> Create New

Click SETTINGS > RULES

(back to the top)

INPUT_MAIL_FILTER(`mppd', `S=/var/run/mppd.sock, F=T,T=S:4m;R:4m;E:5m')

# m4 sendmail.mc > /etc/mail/sendmail.cf

# Input mail filters
O InputMailFilters=mppd
# Milter options
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject},  
 {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, 
 {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
and
Xmppd, S=/var/run/mppd.sock, F=T, T=E:5m

<email_server>postfix</email_server> 
<email_server_in_protocol>lmtp</email_server_in_protocol>

<policy_enabled>yes</policy_enabled
<policy_filter_string>mppscan:[127.0.0.1]:10025</policy_filter_string>

<policy_enabled>yes</policy_enabled

content_filter = mppscan:[localhost]:10025
and add check_policy_service inet:127.0.0.1:9998 to 
smtpd_recipient_restrictions  and  smtpd_data_restrictions 

smtp      inet  n       -       n       -       -       smtpd
         -o content_filter=
 # -- Added for MPP --
 localhost:10026 inet    n       -       n       -       10      smtpd
         -o content_filter=
         -o local_recipient_maps=
         -o relay_recipient_maps=
         -o myhostname=localhost.domain.tld
         -o smtpd_helo_restrictions=
         -o smtpd_client_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o smtpd_data_restrictions=
         -o smtpd_end_of_data_restrictions=
         -o mynetworks=127.0.0.0/8
         -o smtpd_authorized_xforward_hosts=127.0.0.0/8
 mppscan    unix    -       -       n       -       10      lmtp
         -o lmtp_send_xforward_command=yes
         -o lmtp_cache_connection=no
 # -- end --

content_filter = mppscan:[localhost]:10025

localhost:10026 inet n - n - 10 smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o myhostname=localhost.domain.tld
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
scan    unix    -       -       n       -       10      lmtp
    -o lmtp_send_xforward_command=yes
    -o lmtp_cache_connection=no

check_policy_service inet:127.0.0.1:9998 to smtpd_recipient_restrictions  and smtpd_data_restrictions. (back to the top)

 -rws—x--x 1 qmailq qmail 20692 Feb 7 15:48 /var/qmail/bin/qmail-queue.mpp

 -rws—x--x 1 qmailq qmail 645528 Feb 3 18:13 /usr/local/MPP/mppqmailproxy 

 exec /usr/local/bin/softlimit -m 6000000

 g_virus_filtercmd="/usr/local/surgemail/mppsurgemailproxy"  type=""

Listens on the 25/tcp (standard smtp)
daemon_smtp_ports= 25
begin routers
#This has to be the 1st router!!
mpp_router:
driver = manualroute
transport = local_smtp_10025
route_data = 127.0.0.1
self = send

begin transports
local_smtp_10025:
driver = lmtp
gethostbyname
allow_localhost = true
port = 10025

daemon_smtp_ports = 10026
local_interfaces = 127.0.0.1

/etc/init.d/exim start
or
exim -bd -q1h

exim -bd -C /etc/exim/exim.conf.outgoing

<email_server>exim</email_server> 
<email_server_in_protocol>lmtp</email_server_in_protocol>

(mandatory blank line)
!
! submits mail to MPP for scanning
tcp_mpp_submit lmtp master port $PORT daemon $HOST
tcp_mpp_submit-daemon

! Rules for submitting mail to mppd filter
$* $U%$H$Mtcp_submit@tcp_mpp_submit-daemon
$* $U%$H$Mtcp_local@tcp_mpp_submit-daemon

Add to imta.cnf configuration file for MTA the following channel definition
(mandatory blank line)
!
! receives scanned mail injected by MPP
tcp_mpp_inject smtp slave
tcp_mpp_inject-daemon

[SERVICE=MPP_INJECT]
PORT=$PORT
IMAGE=IMTA_BIN:tcp_smtp_server
LOGFILE=IMTA_LOG:tcp_smtp_server.log
STACKSIZE=2048000
INTERFACE_ADDRESS=$HOST
PARAMETER=CHANNEL=tcp_mpp_inject