SPAMFILTER EMAIL RELAY SERVER "HOWTO" / GUIDE
--------------------------------------------------------------------------------------------------
Sorry so much patience is being required of you!
I'm STILL a few days away from a major update to this document, covering
installation with Red Hat 9, and the latest versions of SpamAssassin,
Razor, and amavisd-new.
As I work through this updating process, I am finding many things that have
changed since the last revision, and I have learned many new things. While the
document below could be used as a guide by a fairly experienced Linux
administrator, I cannot right now recommend it for a newbie - until the update
is done. There are too many things to overlook or compensate for. An
experienced admin will be able to spot and overlook mistakes, but
my goal here is to create a doc that anyone with even entry level Linux
experience could successfully follow.
Much has changed, there is much to edit. Thanks for your patience.
...Scott Henderson, Oct 8, 2003
--------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
*Note: as of 4/24/2003 I am switching this doc to use ports 10024 and
10025, the standard ones for this kind of setup. If you have worked
with a previous version of this document, I referred to ports 10027
and 10028. Either set of ports will work, as long as you are consistent.
--------------------------------------------------------------------------------------------------
This Guide documents a step-by-step Red Hat Linux install using postfix,
amavisd-new, SpamAssassin, and Razor to create an anti-spam email
relay server (i.e., no local mail delivery on this box - all inbound mail is
simply directed through this system, and on to its final mail server. SPAM
is filtered out and directed to a specified mailbox somewhere which can
be reviewed for content, including for any "false positives"). This setup
gives the system administrator control over spam, removing the need for
end user interaction. All decisions on spam filtering are handled right
at this relay server, by YOU.
This configuration will work well when placed between a firewall
and an internal, office mail server. Although the design goal here
is to simply filter and control spam originating from the Internet,
the configuration could be modified to include filtering mail in both
directions, and antivirus scanning and control can easily be added in
to the mix, as well. (The "amavisd-new" program was in fact originally
written to be an interface between a mail server and various anti-virus
packages.) Local delivery of mail on this box could also be configured,
if desired.
In my case, an anti-spam tool was needed in front of a Microsoft
Exchange server, and this setup fills the bill nicely. Scanning
outbound mail for spam content was not needed in my case, so my
outbound mail runs directly from the internal mail server to the
Internet, without passing through this system. All of this, of course,
may be modified.
So, some of my reasons for setting up a spamfilter in this way are:
-we already have an Exchange server and will not be getting rid of it
-we don't want to spend $ on spam software (most of what I've seen for
$ hasn't been too impressive, anyway!)
-to protect our Exchange server (a "buffer" between the bad guys and our
internal mail system - no direct connections to it from the Internet)
-to spread the CPU load (spamfilter does the spam scanning, Exchange
the AV and delivery)
-to be able to take the Exchange server down and Internet emails will
still come in and be stored, waiting, on the spamfilter
This configuration describes using Red Hat version 7.3 as the OS. Yes, I
know Red Hat 9 is out. :) I just haven't done it and then gone back through
this doc and changed it. I know folks have used RH8 and 9. If you want
to venture forth and try this with 8 or 9, just do your best to make sure
you get all the required software packages installed, following this
document's lead on what you need. I would really appreciate input from
people who do this, especially if you will tell me about any differences, so
I can pass those specifics on to the next people. Here is some info on RH9.
There are also folks who have successfully set this up on Debian, Mandrake,
etc. If you run this setup on other Linux or BSD distributions - or whatever-
PLEASE also let me know so I can mention that fact in this doc too, along with
any suggestions/comments you have! Thanks! ...scottlhenderson(at)yahoo.com
*Notes:
1. This is not a "standard" Linux HOWTO doc. It is written with more detail, step-by-step, so that anyone with even the most basic understanding of Linux can install and configure it. Apologies to experienced administrators, just wade through :)
2. This doc will not cover hardware problems. It assumes you have Linux compatible i386 hardware, including one NIC (network interface card).
3. My instructions list using the "vi" editor to edit text files. Use any text editor you want. Feel free to use "pico" if vi or emacs scare you. :-) But when you need to edit a particular LINE in a file, you'll probably want to use vi because it shows the current line number at the bottom of the screen.
4. I'm sure there are numerous ways this doc and/or the methods used here, and the particular software selections and configurations, could be improved. Please email suggestions to scottlhenderson(at)yahoo.com.
5. You'll need to know what IP address, netmask, and other IP configuration details will be used on this box, before you begin.
6. Complete install as per this doc will require less than 1GB of disk space. The system will then need whatever amount will be required for email as it is spooling through, depending on email traffic flow.
7. In this doc, "companymail1.com" and "companymail2.com" will be the fictitious example domains we'll be receiving mail for. And our spamfilter mail server will have a host name of "mail1.companymail1.com".
8. An Internet connection is required during the build, for downloading software we need.
9. The entire procedure will take an experienced administrator about 3 hours. A newbie twice as much or more.
This setup has successfully been installed and tested by various people. I have installed it on 3 machines, but this was back in the summer of 2002, and several of the software components now have newer versions. At the time I installed, I tested on:
-1: Compaq DeskPro 4000 P166 (I'm not kidding!) with a 4GB IDE drive
-2: Compaq Proliant 800 dual P200 356MB RAM, with Compaq SMART-2/P Array controller, (but only a single 8GB IDE disk)
-3: Dell 500SC, 1.13GHz Celeron CPU, 1GB RAM, 3 Seagate 18GB IDE drives in hardware RAID5
*Within a normal 24 hour period, this last system listed receives around 10-15,000 inbound emails, and removes between 10-13% of these as spam. The box handles this quantity easily. I do not have benchmarking data for high-end use, such as at very large companies or ISPs, etc., but the software components in this doc are all designed for high capacity and I would expect them to scale up very well. The 2 main executable programs used herein, postfix and amavisd, both also have configurable throttling and performance settings.
------------------------------------------------------
------------------------------------------------------
-INITIAL RED HAT INSTALLATION:
------------------------------------------------------
------------------------------------------------------
If you're using another distribution, just try to get all the right pieces in place. When in doubt, add it in to the mix. When you're all done, make sure you are not running any services you don't need.
(OK - don't have the Ethernet cable connected till we need it. We're starting with a clean box, we'll try to keep it that way!)
-insert RH 7.3 install CD, boot up
-if RH install program doesn't launch from CD, use RH 7.3 boot/install disk to boot up, then choose CD installation
-default Install type, just hit Enter at 1st screen (graphical install program)
-select appropriate keyboard and mouse on those screens
-Install Options screen: choose Custom install
-Disk Partitioning: best to manually partition with Disk Druid (or fdisk, if you know what you're doing), set up partitions as appropriate on the next screen, similar to what is listed below. If you don't understand partitioning at all, select "Have the installer automatically partition for you". It will work just fine.
*Suggestions for manual mail server partitioning with Disk Druid:
/dev/hda1 mounted on / type ext3 (OS, apps, etc) *primary partition, ~1200-2400MB or so (AT LEAST 1000MB)
/dev/hda2 swap -as appropriate per your machine, at least as much as RAM you have (Yoda speaking)
/dev/hda5 on /var/log type ext3 (enough room for all system logs) ~1000MB will easily handle all logging at a 50,000 emails per week rate
/dev/hda6 on /var/spool type ext3 (main storage - this will contain the queued mail messages. Let this partition have the rest of the free space unless there is some need for other partitions.)
---WRITE DOWN YOUR PARTITION INFO!!!
-GRUB as bootloader, install on MBR
-set a GRUB password, write this down!
-Network Config:
-uncheck DHCP
-set up all network parameters as appropriate (this doc will not cover what IP & network address values to use, that's up to you!)
(*note: network and broadcast addresses will self-fill if you move the cursor back and forth a couple of times between the IP Address and Netmask fields, after having filled in those fields)
-Firewall Config: (make your own decisions here, this doc will assume running it)
-High
-Customize, eth0 trusted (allow):
-SSH, Mail SMTP
-Language, Time Zone as appropriate
-enter root password (do not use same as GRUB password)
-WRITE THIS DOWN!!!
-create additional accounts for non-root access
-WRITE DOWN THE ACCOUNT NAMES AND PASSWORDS!!!
-(one of these accounts will be used to receive certain kinds of mail and so forth, this doc will hereafter refer to this account with the word "username". More accounts will not be needed, as we basically won't be receiving mail locally on this machine, except that you will want to create an account for each administrator who will connect to this box for administrative purposes. These can also, of course, be added later.)
-Authentication Config: (all of the below is just the default)
-enable MD5 and shadow passwords, make sure NIS not enabled
-unless you understand what you're doing, leave the rest alone (don't use), as we will only authenticate to this box using its own systems - reducing hacking possibilities.
-CHOOSING SOFTWARE:
-Installation of software "Package Groups":
(*Note: this installation will not include a GUI, as this is not necessary or even very helpful for running a server, and consumes resources we want for more important systems. If you insist on a GUI interface, go ahead and add it in)
-NO GUI SETUP: ...everything unchecked except:
-network support
-messaging and web tools
-utilities
-software development
-I don't use Emacs, but if you do, check that box
***DO check the "select individual packages" at the bottom
-Selecting individual packages:
(*Note: you can select to add other individual programs here as you see fit. The list below is not set in stone, and I am not experienced with all of these programs. Consult an experienced Linux administrator to improve on these selections. But if selected as listed, this will work fine for this project)
---Add:
under "Applications":
Archiving - lha, unarj, unzip, zip
CPAN* (all of them)
Databases - mysql, mysql-server
File - perl-* (i.e. everything that starts with perl-)
Internet - Lynx, openssl-perl
System - arpwatch, diskcheck, ethtool, fbset, tripwire, vlock
Text - dos2unix
under "Development":
Languages - perl-* except perl-DBD-pg, rpm-perl
System - (kernel source), libaio-devel
System Environment
--Daemons - openssh-server, postfix
--Libraries - libaio, libesmtp, perl-*
---Remove:
under "Applications":
Communications - efax
Internet - micq, rsh, talk
under "System Environment":
--Daemons - sendmail-*
-------End of individual software package selections-------
-hit "Next" and RH install will check to make sure you have not selected any programs without also selecting appropriate required dependent software.
-if you made the selections exactly as per the above, you should NOT see next an "Unresolved Dependencies" screen - if you do, you can do one of 3 things:
1- review the list on the "Unresolved Dependencies" screen to determine what you did differently and hit the "Back" button to make changes
2- check "Install packages that have dependencies" if you have added packages you want, and want RH to make sure all required dependent software is installed
3- use the 3rd option, if you know what you are doing :)
-"About to Install" screen: hit Next, let the install run, inserting additional CDs when prompted.
-label a blank floppy with "RH 7.3 BOOTDISK" and the machine name and date. Insert this floppy to create the boot disk when it prompts for it.
-when the install is finished, remove CDs and floppies and hit Enter to reboot.
------------------------------------------------------------------
--END RED HAT INSTALL--
------------------------------------------------------------------
----------after install:
(if no boot from HD, use your boot floppy)
-log in as "username", su to root
-SHUT DOWN AND REMOVE SENDMAIL:
-let's get sendmail stopped, right away, so it doesn't start handling mail:
/etc/init.d/sendmail stop
-then, let's get sendmail off of the box entirely:
rpm -qa | grep sendmail | xargs rpm -e
-SHUT OFF IPTABLES:
Next - firewall stuff. Let's shut off iptables, which we won't be using (RH 7.3 runs ipchains, which we already configured during installation). Run the command:
ntsysv
...and UNselect iptables from the resulting list (i.e., remove the asterisk).
-While we're in here, let's also uncheck apmd, gpm, and kudzu, which we won't need for this server.
Then save and exit by hitting the tab key to get the highlight on the "OK" button and hitting the Enter key.
-CREATE ADDITIONAL REQUIRED ACCOUNTS & GROUPS:
-Now make a copy of the passwd and group files, before you do anything to it, just in case you make a mistake somewhere:
cp /etc/passwd /etc/passwd-original
cp /etc/group /etc/group-original
-create a "vscan" user with no login and no home dir, an "amavis" user, and a "sweep" group for amavisd. 3 commands. Each of these 3 commands goes on a single command line (ignore that it will wrap on the screen as you type it). Note there is no space between the last ":" and /sbin/nologin - a stray space there would put a leading blank in the shell field and break the entry:
echo "vscan:NP:33333:33333:Daemon for Amavisd:/var/amavis:/sbin/nologin" >> /etc/passwd
echo "amavis:NP:33334:33334:Amavis:/nonexistant:/sbin/nologin" >> /etc/passwd
echo "sweep:*:33335:" >> /etc/group
-------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------
POSTFIX Configuration
-------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------
*All commands must be EXACT! Including capitalization.
-First, as a safeguard, make backups of original postfix config files:
cd /etc
mkdir postfix-original
cp -Rp postfix/* postfix-original
-SEND ROOT'S MAIL TO SOMEONE:
-In order to follow standard security guidelines, we try to avoid logging in as root - unless necessary to configure something we can't do another way - so let's not force a root login just to check root's mail. In /etc/postfix/aliases, near the bottom of the file, point root to a valid user on the system (one of those you created during install):
vi /etc/postfix/aliases
(Page down to almost the bottom of the file where you will see a line like):
root: postfix
-replace "postfix" with a username (one of the accounts you created during the install). In "vi", you type an "i" to begin editing mode. When you're done, the line should look something like this:
root: username
(again, "username" replaced with whatever account name you used. Doesn't matter how much blank space there is between root: and username, but there must be SOME.)
-to exit vi just hit the Esc key, and then type the characters:
:wq
and hit "Enter".
-SET POSTFIX TIME:
-set/sync local time with postfix time:
cp -p /etc/localtime /var/spool/postfix/etc/localtime
(it will prompt you for confirmation, hit y for yes)
-Now let's make sure postfix time and system time always stay in sync, with an automatic update between the two, once per hour. Type:
crontab -e
This will drop you into root's cron file, where we can set up automated activities. Type an "i" to enter insert mode (we're in vi) and add this line:
5 * * * * /bin/cp -p /etc/localtime /var/spool/postfix/etc/localtime
Then, to exit vi, Esc, :wq.
This will cause a time sync between postfix and the OS system time every hour of every day, at 5 minutes past the hour. (If you later set up time service "ntpd" to an external time server - not explained in this doc - this will keep your postfix system pretty close to exact Internet time. See https://www.ntp.org for more details on time service)
-START POSTFIX AT BOOT:
-set postfix to start automatically at boot:
ln -s /etc/init.d/postfix /etc/rc.d/rc3.d/S80postfix
-if it reports the file already exists, that's fine.
-PREP FOR CHROOTED POSTFIX:
-since we'll run postfix services in a chrooted (contained/safe) environment, we'll need some copies of network files in /var/spool/postfix/etc (2 commands):
cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
cp /etc/hosts /var/spool/postfix/etc/hosts
*Note: anytime a change is made to either /etc/hosts or /etc/resolv.conf, at ANY point in the future, these files must be copied again into the postfix chroot environment, using the above commands!
-ASYNCHRONOUS LOGGING:
- edit syslogd.conf (per /etc/postfix/README_FILES/LINUX_README) to use async logging for mail:
-First, backup the file:
cp /etc/syslog.conf /etc/syslog.conf-original
-Then,
vi /etc/syslog.conf
-scroll to the line that has:
mail.* /var/log/maillog
-hit "i" to begin editing, and type a single dash "-" in front of /var/log/maillog
-when you're done, the line should be:
mail.* -/var/log/maillog
-hit the Esc key, then type
:wq
and hit Enter. (the standard vi "write and quit" exit)
-CREATE MAILDROP GROUP:
-create a maildrop group, in case that ends up being needed later:
echo "maildrop:*:33337:" >> /etc/group
------------------------------------------------------------------------
-POSTFIX MAIL CONFIGURATION CHANGES TO CREATE A SPAM-FILTER RELAY:
(*note: the actual commands which will insert these values into the appropriate file start immediately below each line labelled "COMMAND:" Cut and paste, or type in these commands at a command line, while logged in as root. As with all *nix commands, they are case sensitive, and must be exactly correct!)
____________________________________________________
/etc/postfix/main.cf:
-below are some suggested values to use in postfix's main configuration file "main.cf". These have been tested for this configuration and will work fine, but you may wish to make changes or use additional values. Refer to the postfix documents (/etc/postfix/README_FILES) for more information on other options.
*You don't need to do this right now, since we haven't started postfix yet, but normally, after making changes to the main.cf file, run (as root):
-"postfix stop", then "postfix start"
-or.... "postfix reload" (but ONLY use this if the load on the mail server is VERY LIGHT! Better to stop and start it)
-DESCRIPTION OF MODIFICATIONS TO the main.cf file:
------------------------
GENERAL VALUES:
------------------------
(*Note: in commands, wherever quote marks " " are used, use them!)
inet_interfaces
-what NICs we use (all in this example)
COMMAND:
postconf -e inet_interfaces=all
myorigin
*The myorigin parameter specifies the DOMAIN that appears in mail that is posted on this machine.
COMMAND:
postconf -e myorigin=companymail1.com
myhostname
*The myhostname parameter describes the fully-qualified domain name of the machine running the Postfix system. $myhostname appears as the default value in many other Postfix configuration parameters.
COMMAND:
postconf -e myhostname=mail1.companymail1.com
mydomain
*The mydomain parameter specifies the parent domain of $myhostname. By default it is derived from $myhostname by stripping off the first part (unless the result would be a top-level domain).
COMMAND:
postconf -e mydomain=companymail1.com
mydestination
*The mydestination parameter specifies for what domains this machine will accept mail for delivery.
COMMAND:
postconf -e mydestination="companymail1.com, companymail2.com"
(list all domains you will be accepting mail for - and don't forget, the command goes on one line!)
mynetworks
*The mynetworks parameter represents the machines I trust, to relay mail for, to any destination.
COMMAND:
postconf -e mynetworks=x.x.x.x/32
(where x.x.x.x is the IP address of the internal server that will be receiving inbound mail from this smtp relay box)
-if you will be dealing with multiple internal mail servers, and/or want to allow other machines to relay through this server (careful!!), just add them to this parameter in CIDR format, using quotes now, like this:
postconf -e mynetworks="x.x.x.x/32, y.y.y.y/32, 172.20.0.0/16"
(the above will allow machines x.x.x.x, y.y.y.y, and any machine that has an IP address starting with 172.20 to relay mail through)
biff = no
*we don't use biff
COMMAND:
postconf -e biff=no
empty_address_recipient
*where mail goes if a bounced email doesn't have a valid return address (so no valid address would exist to send it to otherwise)
COMMAND:
postconf -e empty_address_recipient=username
(where username is the account name of who you would like this mail to go to)
------------------------------------------------------------
*we will not use relay_domains, instead specifying transports in transport table, as per suggestion at http://www.postfix.org/faq.html#firewall
------------------------------------------------------------
smtpd_banner
*What the server announces itself as to other connecting mail servers (keep server identification info to a minimum, but conform to RFCs. ESMTP just specifies that this mail server understands Extended SMTP, which postfix does)
COMMAND:
postconf -e smtpd_banner="mail1.companymail1.com ESMTP"
queue_minfree = (default: no restriction)
How many bytes of free space are needed in the queue file system. The SMTP server declines inbound mail delivery requests when there is insufficient disk space; the mail will be accepted once enough space becomes available. Set this to an appropriate size for your disk, if desired (i.e., set it so the disk won't fill up). The value below will cause the mail server to stop receiving mail when there is only 8MB of space left in the mail queue area. Choose your own value here.
COMMAND:
postconf -e queue_minfree=8000000
message_size_limit = 1000000000
*nothing bigger than 1GB allowed in the door (choose another value if you prefer)
COMMAND:
postconf -e message_size_limit=1000000000
--------------
transport_maps
--------------
-we need to tell postfix where to look for the transport file:
COMMAND:
postconf -e transport_maps=hash:/etc/postfix/transport
---------------
local_transport
---------------
-give an error message for local delivery attempts:
COMMAND:
postconf -e local_transport="error:local mail delivery is disabled on this machine"
----------------
----------------
Anti-SPAM values
----------------
----------------
Notes: the values below help ward off SPAM ("UCE" - Unsolicited Commercial Email). These will cause mail to be rejected by postfix right at the "front door", so to speak, without even having them scanned by Spamassassin or other tools deeper within the mail processing system, saving resources, but also not letting you see some of the bounced mail. If you want to allow _ALL_ mail to come in, and configure SpamAssassin and Amavisd to handle problem emails within, you will need to modify some of these values.
-------------------
smtpd_helo_required
-------------------
-restricts what hostnames clients may send with the HELO (EHLO) command. Some UCE software can be stopped by being strict right here.
smtpd_helo_required
*standard RFC mail requires a HELO (or EHLO), so we do too, unless the boss doesn't get some of his mail... :)
COMMAND:
postconf -e smtpd_helo_required=yes
-----------------------
smtpd_helo_restrictions
-----------------------
-there are several; common ones are listed here. Of course, some legitimate mail can also be stopped by using these restrictions, from folks who don't know how to properly configure their mail server... so you may have to later decide to take some of these back out. I try to contact mail administrators of errant servers and ask if they could fix this - unless too many feathers get ruffled, in which case either remove the setting that is blocking them, or set up a helo_access file to get them through. I won't explain that here, though... this doc is already long enough!
permit_mynetworks
allows machines listed for the mynetworks value to be permitted without question
reject_invalid_hostname
Reject the request when the client HELO or EHLO parameter has a bad hostname syntax. The invalid_hostname_reject_code specifies the response code to rejected requests (default: 501).
reject_unknown_hostname
Reject the request when the hostname in the client HELO (EHLO) command has no DNS A or MX record. The unknown_hostname_reject_code specifies the response code to rejected requests (default: 450). This doesn't mean postfix is verifying the mail server's name is actually from the domain of the sender's address, just that the mail server's name has a valid DNS domain name at the end of it, and it can be looked up in DNS on the Internet... period.
reject_non_fqdn_hostname
Reject the request when the hostname in the client HELO (EHLO) command is not in fully-qualified domain form, as required by the RFC. The non_fqdn_reject_code specifies the response code to rejected requests (default: 504). So, if their server announces its name as "bob1", postfix won't take mail from it. But if it's "bob1.somedomain.com", then OK.
reject_maps_rbl (optional)
Reject the request when the reversed client network address is listed under any of the domains listed in "maps_rbl_domains" (below). RBLs are "Realtime Blackhole Lists", or lists of "bad guys" or "bad" mail servers. Various organizations run them, some free, some not (like mail-abuse.org). I won't explain much about RBLs here - it's too complicated and they all use their own, various techniques. They are legitimate services, and in my opinion very helpful, but also (like many things dealing with spam) somewhat controversial. I've chosen a few freebies that I think work well together, but at some point down the road you should definitely search the Internet on "RBL" and "anti-spam" and learn more about all of this. Also- make SURE to check out http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt for some more information and an example of a good, tight (restrictive) postfix anti-spam configuration. (But not now - we've got enough to do...!)
COMMAND:
(note: the below command, like all listed in this doc, should be typed in on one line. If you're cutting and pasting, you may need to do 2-3 pastes into 1 line)
postconf -e smtpd_helo_restrictions="permit_mynetworks, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname, reject_maps_rbl"
(*Note: use the last parameter: "reject_maps_rbl" ONLY if you plan to use RBLs.)
maps_rbl_domains
-if you DO plan to use RBLs, per the above, also need to set another value:
COMMAND:
postconf -e maps_rbl_domains="sbl.spamhaus.org, relays.ordb.org, opm.blitzed.org,dun.dnsrbl.net, spam.dnsrbl.net"
(add or replace with any other blacklist(s) you wish to use)
*Note 4/4/2003: If you want to be just a little more conservative, but still keep some RBL listing, leave in all the RBLs above except for the last one, from which I get a few claims from mail admins who say they have had trouble getting off the dnsrbl list, even after following their guidelines at http://www.dnsrbl.com/getremoved.html. I can't verify this, though, and I do stop a good deal of spam by using this list. Your option, and you can always change any of this later, of course.
-------------------------
smtpd_sender_restrictions
-------------------------
-restricts what sender addresses this system accepts in "MAIL FROM" line (i.e. who the mail says it is FROM).
reject_unauth_pipelining
REJECTs certain bulk mailers that attempt to use pipelining to speed delivery, without checking if it is supported first (non-RFC, common among spammers)
reject_unknown_sender_domain
Reject the request when the sender mail address has no DNS A or MX record at all. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). (The response is always 450 in case of a temporary DNS error.)
reject_non_fqdn_sender
Reject the request when the address in the client MAIL FROM command is not in fully-qualified domain form. The non_fqdn_reject_code specifies the response code to rejected requests (default: 504).
COMMAND:
postconf -e smtpd_sender_restrictions="reject_unauth_pipelining, reject_unknown_sender_domain, reject_non_fqdn_sender"
----------------------------
smtpd_recipient_restrictions
----------------------------
-restricts what recipient addresses this system accepts in "RCPT TO" line (i.e., who the mail says it is FOR).
*By default, the Postfix SMTP server relays mail:
-from trusted clients whose IP address matches $mynetworks,
-from trusted clients whose hostname matches $relay_domains or a subdomain thereof,
-from untrusted clients to destinations that match $relay_domains or a subdomain thereof, except for addresses that contain sender-specified routing (user@elsewhere@domain).
-we'll modify this default behavior just a bit, to add a reject for a non-fqdn address
reject_unauth_destination
Ignore the client hostname. Reject the request unless one of the following is true:
the resolved destination address matches $relay_domains or a subdomain thereof, and the address contains no sender-specified routing (user@elsewhere@domain),
Postfix is the final destination: any destination that matches $mydestination, $inet_interfaces or $virtual_maps.
The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).
reject_non_fqdn_recipient
Reject the request when the address in the client RCPT TO command is not in fully-qualified domain form. The non_fqdn_reject_code specifies the response code to rejected requests (default: 504).
COMMAND:
postconf -e smtpd_recipient_restrictions="permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient"
(again, the above command on one line)
-*Note: restrictions are used in the same order as they appear in /etc/postfix/main.cf, and the first match ends the process. This is why it's a good idea to put permit_mynetworks as the first entry when setting restrictions.
-------------
header_checks
-------------
-header_checks is a file in /etc/postfix/ that postfix uses against all email headers, looking for things like common spam phrases, etc. Actions are taken according to what is found, and what is specified in the "header_checks" file. In main.cf, we just want to tell postfix where this file is.
COMMAND:
postconf -e header_checks=regexp:/etc/postfix/header_checks
--------------
content_filter
--------------
-this is how we'll pass mail to amavisd and SpamAssassin for filtering. Type the command verbatim:
COMMAND:
postconf -e content_filter=smtp-amavis:[localhost]:10024
-----------------------------------------------------------------------
-when you are done issuing all the above commands to set these postfix main.cf parameters, issue the command:
postconf -n
...to get a list of your parameters and to review them CAREFULLY for correctness. Go back and fix any mistakes. Print or otherwise save a separate copy of this info (on a different machine!), as well as each of the below docs, for future reference.
____________________________________________________
/etc/postfix/transport:
-Below is an addition to make to the transport file, so postfix always forwards all valid mail (which has passed muster) for companymail1.com and companymail2.com to another server(s), after accepting and processing it. When we're done, we'll have lines in our transport file like this:
companymail1.com smtp:[x.x.x.x]
companymail2.com smtp:[y.y.y.y]
*These lines tell postfix to transport (relay) any mail to companymail#.com to the IP address(es) specified (i.e. the internal mail server(s)), via the transport protocol specified (usually smtp). *The format is very exacting; get every symbol correct. In the commands below, the white space between companymail#.com and the rest must be spaces, not tab characters. Again, on one line:
COMMAND:
echo "companymail1.com smtp:[x.x.x.x]" >> /etc/postfix/transport
echo "companymail2.com smtp:[y.y.y.y]" >> /etc/postfix/transport
(where x.x.x.x and y.y.y.y are the IP addresses of the internal mail servers, where all mail should be forwarded for these domains)
*Note: after making any change to this file, run:
postmap /etc/postfix/transport
____________________________________________________
/etc/postfix/header_checks:
-The header_checks file specifies certain strings (listed in "regular expression" format, not explained here) and tells postfix what to do with the mail when it encounters these strings.
-contents of a header_checks file (you may have to create this file; the COMMAND below will handle it: if the file exists it will append the data, if it doesn't it will create it first):
Examples of lines in header_checks:
# Postmaster is OK, that way they can talk to us about how to fix their problem
/^postmaster@.*$/ OK
# example of mail header contents useful to block:
/^Subject: C:\\CoolProgs\\Pretty Park\.exe/ REJECT
# example of blocking any mail with subject line beginning with words "MAKE MONEY!!!"
/^Subject: MAKE MONEY!!!/ REJECT
# example of blocking inbound smtp mail to joeschmoe
/^To: joeschmoe@companymail2.com/ REJECT
COMMAND: (example)
echo '/^Subject: C:\\CoolProgs\\Pretty Park\.exe/ REJECT' >> /etc/postfix/header_checks
(in the command above, use single quotes so the backslashes reach the file unchanged, and the white space must be spaces, not tab characters)
*Note: after making any change to this file, run:
postmap /etc/postfix/header_checks
*And another Note: after running the above command, you will get a warning message saying one or more records are in "key: value" format, and asking if this is an alias file. Ignore this message.
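As an added check (example code, not part of the original guide), here is a small shell emulation of a header_checks lookup, so you can see which rule a given header line hits before the table goes live. It assumes one "/pattern/ ACTION" rule per line with no flags and no "/" inside the pattern, and uses grep -Ei in place of Postfix's case-insensitive regex matching; the rules and header lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original guide: emulate a Postfix regexp
# header_checks lookup with grep so rules can be tried against sample
# header lines offline. Assumptions: one "/pattern/ ACTION" rule per line,
# no flags and no "/" inside the pattern, and grep -Ei standing in for
# Postfix's case-insensitive POSIX regex matching.

# header_checks_lookup TABLE "Header: value"
# Prints the action of the FIRST rule whose pattern matches the header
# line (first match wins, as in Postfix), or DUNNO when nothing matches.
header_checks_lookup() {
    table=$1
    hdr=$2
    while IFS= read -r rule || [ -n "$rule" ]; do
        case "$rule" in ''|'#'*) continue ;; esac        # blank or comment
        case "$rule" in
            /*"/ "*) ;;                                   # looks like /pat/ ACTION
            *) echo "header_checks: cannot parse rule: $rule" >&2; continue ;;
        esac
        pat=${rule#/}                                     # drop leading "/"
        pat=${pat%%/ *}                                   # keep text up to "/ "
        act=${rule##*/ }                                  # text after "/ "
        if printf '%s\n' "$hdr" | grep -Eiq -- "$pat"; then
            printf '%s\n' "$act"
            return 0
        fi
    done < "$table"
    printf 'DUNNO\n'
}

HC_DIR=$(mktemp -d)
# Constructed table in the form the guide shows for /etc/postfix/header_checks
cat > "$HC_DIR/header_checks" <<'EOF'
# Postmaster is OK
/^postmaster@.*$/ OK
/^Subject: C:\\CoolProgs\\Pretty Park\.exe/ REJECT
/^Subject: MAKE MONEY!!!/ REJECT
/^To: joeschmoe@companymail2.com/ REJECT
EOF

# Constructed header lines to try. header_checks sees each line with its
# field name in front, so a pattern anchored with ^postmaster@ only matches a
# line that literally begins with "postmaster@"; a From: line never reaches it.
for h in 'Subject: MAKE MONEY!!! fast' \
         'Subject: C:\CoolProgs\Pretty Park.exe' \
         'To: joeschmoe@companymail2.com' \
         'From: postmaster@example.net' \
         'Subject: quarterly report'; do
    printf '%-42s -> %s\n' "$h" "$(header_checks_lookup "$HC_DIR/header_checks" "$h")"
done
```

On the server itself, postmap -q "Subject: some text" regexp:/etc/postfix/header_checks performs the same lookup against the real table.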
____________________________________________________
/etc/postfix/access
-the access file is another check postfix uses to block certain senders/domains/IP address ranges right at the front door. Below are bogus examples; create your own as you see fit. You need to have at least one entry in this file, because postfix will be looking here and expects to see SOMETHING. If you don't have any of these to create right now, just use a made-up one for starters, like the last one in the COMMAND example below. Here's an example of an access file:
#access map file
#
# note: this file only accepts 3 forms of input
# [45]XX $message, REJECT, OK
#
ispy99@spamnet.cn 550 Go away
makeabuck@mlm.dom 550 You've got to be kidding me
allspam.dom 550 Spam is not accepted here
badguy.net REJECT
#250.192 REJECT
#goodguy@somewhere.com OK
justaspamminfool@allspamallthetime.com REJECT
-to create entries in this file, use a text editor, or:
COMMAND: (2 "one-per-line" examples)
echo "makeabuck@mlm.dom 550 You've got to be kidding me" >> /etc/postfix/access
echo "justaspamminfool@allspamallthetime.com REJECT" >> /etc/postfix/access
(in the commands above, the white space must be spaces, not tab characters)
*Note: after making any change to this file, run:
postmap /etc/postfix/access
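Since both the transport and access files are whitespace-separated tables where one wrong symbol silently changes what postfix does, here is an added pre-postmap syntax check (example code, not from the guide or from Postfix). It runs on constructed sample files built from the guide's own placeholder entries; on a real box, point it at the files under /etc/postfix.

```shell
#!/bin/sh
# Added example, not from the original guide: a syntax check for the two
# whitespace-separated Postfix lookup tables built above (transport and
# access), meant to run before "postmap" so a malformed entry is caught
# before it becomes a live relay or blocking rule. The sample files below
# are constructed from the guide's placeholder entries (x.x.x.x is not a host).
set -f   # no pathname expansion: "[x.x.x.x]" and "*" are table syntax, not globs

# check_transport FILE: every entry must be "domain smtp:[host]" or
# "domain smtp:[host]:port", the bracketed form the guide uses (no MX lookup).
check_transport() {
    rc=0
    while read -r domain nexthop extra || [ -n "$domain" ]; do
        case "$domain" in ''|'#'*) continue ;; esac       # blank or comment
        if [ -z "$nexthop" ] || [ -n "$extra" ]; then
            echo "transport: expected 'domain smtp:[host]', got: $domain $nexthop $extra" >&2
            rc=1; continue
        fi
        case "$nexthop" in
            smtp:\[*\]|smtp:\[*\]:[0-9]*) ;;
            *) echo "transport: $domain: unexpected nexthop '$nexthop'" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# check_access FILE: the action must be one of the three forms the guide
# lists for this file: OK, REJECT, or a 4xx/5xx reply code followed by text.
check_access() {
    rc=0
    while read -r key action text || [ -n "$key" ]; do
        case "$key" in ''|'#'*) continue ;; esac
        case "$action" in
            OK|REJECT) ;;
            [45][0-9][0-9])
                [ -n "$text" ] || { echo "access: $key: reply code $action has no message text" >&2; rc=1; } ;;
            '') echo "access: $key: missing action" >&2; rc=1 ;;
            *)  echo "access: $key: unknown action '$action'" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

PT_DIR=$(mktemp -d)
cat > "$PT_DIR/transport" <<'EOF'
companymail1.com smtp:[x.x.x.x]
companymail2.com smtp:[y.y.y.y]
EOF
cat > "$PT_DIR/transport.bad" <<'EOF'
companymail1.com smtp:[x.x.x.x]
companymail2.com smtp:y.y.y.y
companymail3.com
EOF
cat > "$PT_DIR/access" <<'EOF'
#access map file
makeabuck@mlm.dom 550 You've got to be kidding me
badguy.net REJECT
justaspamminfool@allspamallthetime.com REJECT
EOF
cat > "$PT_DIR/access.bad" <<'EOF'
allspam.dom 550
badguy.net DENY
goodguy@somewhere.com
EOF

for t in transport transport.bad; do
    if check_transport "$PT_DIR/$t"; then echo "$t: ok"; else echo "$t: fix before postmap"; fi
done
for a in access access.bad; do
    if check_access "$PT_DIR/$a"; then echo "$a: ok"; else echo "$a: fix before postmap"; fi
done
```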
-- END OF POSTFIX CONFIG CHANGES TO MAKE A SPAMFILTER --
++++++++++++++++++++++++++++++++++++++++++++++++++++++
-FORWARD INTERNAL MAIL TO ANOTHER MAILBOX (IF DESIRED):
-this section is optional. Do this if you don't want to check any mail on this box directly.
-make a .forward file for root and for username, so that mail for these accounts on this machine is forwarded out to another mailbox (like "somemailbox@somedomain.com"), probably one on the internal server, such as "mailstuff@companymail1.com".
COMMAND:
echo "rootstuff@companymail1.com" >> /root/.forward
echo "mailstuff@companymail1.com" >> /home/username/.forward
--------------------------------------------------------------------------------
-REMOTE ADMINISTRATION TEST:
-OK, plug in the Ethernet cable, and test ssh
-on any machine with ssh installed, try a connection to the new mail server:
ssh -l username x.x.x.x
...where x.x.x.x is the IP address of this new server. Log in.
-then switch to the root account:
su -
(provide the root password when prompted.) Then,
exit
exit
--------------------------------------------------
RED HAT REGISTRATION AND UPDATES
--------------------------------------------------
-Red Hat has a nice program to keep your machine up to date. You just have to register your machine first. To do that, run:
rhn_register
-write down the username and so forth you use during the registration process. When you're done with that, run:
up2date -u
-and RH will update all packages you have on your machine that aren't up to date. It will not install anything not already there, just updates. Reboot afterward. You may have to run this over an evening or on a weekend. Paid RH subscribers get priority on this service, and if the line is too busy it will stop and tell you there isn't enough bandwidth right now for you, and refer you to a web page you can look at to learn about buying a paid subscription ($60/year per server).
-you can go to https://rhn.redhat.com at any time to view or alter this registration (cookies required on this site)
-if for some reason you don't want to use up2date, you can still get the same updates manually. Go to http://rhn.redhat.com/errata/rh73-errata.html to read about the available updates for your system. Write down the ones you want to apply, then download and install them. You can download by anonymous ftp to updates.redhat.com, in directory 7.3/en/os/i386.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
----------------------------------------------------------------------------------
-PREPARATION FOR INSTALL OF SPAMASSASSIN AND AMAVISD (required modules)
-there are quite a few things required, but most of them we can get and install from CPAN, which is pretty easy.
-as root enter the command:
perl -MCPAN -e shell
(note: this requires an Internet connection!)
-at CPAN prompt type "yes"
(and answer the questions; for many of these, the default answer, given by just hitting Enter, will suffice)
--------
-when you get prompted like this:
Parameters for the 'make' command?
Typical frequently used setting:
-j3 dual processor system
Your choice: []
-type in -j3 if you have a dual processor machine, otherwise leave blank
-when you get prompted like this:
Parameters for the 'make install' command?
Typical frequently used setting:
UNINST=1 to always uninstall potentially conflicting files
Your choice: [-j3] UNINST=1
-type in UNINST=1 and hit enter
------------
-When asked to select the locations from which you will pull data, put in several. Answer all questions until you are back at the cpan prompt.
-at the CPAN prompt, run these commands, in turn (if at any point you are prompted for unsatisfied dependencies and asked if you want to "prepend them to the queue", choose y for "yes")
(again, capitalization and symbols EXACT):
install MD5
(then just wait till it finishes and returns you to the cpan prompt)
install Net::Server
(wait more :)
(note: if this one doesn't want to install, use the "-f" option to force it)
install IO::Wrap (wait)
install Unix::Syslog (etc...)
install Mail::Address
install MIME::Parser
install Convert::TNEF
install Convert::UUlib
install Compress::Zlib
install Archive::Tar
install Archive::Zip
install Net::SMTP
force install Net::DNS
(this last one will prompt you several times if ok to prepend things to the queue)
-------------------------------------------------------------------------------
--------------------
-SPAMASSASSIN
--------------------
-still at the cpan prompt:
install Mail::SpamAssassin
(watch that capitalization!)
-OK, we're done with CPAN, type "exit" to return to the regular system prompt.
----------------------------------------------------------------------------------
--------------------
-AMAVISD-NEW
--------------------
-some other required software, and how to get it:
-(un)rar:
-to get unrar:
cd /usr/src
-then anonymous ftp to ftp.rarlab.com, cd to /rar, and get rarlinux-3.0.tar.gz, exit ftp.
-run:
tar xzf rarlinux-3.0.tar.gz
and put the resulting file named unrar in the bin:
cp rar/unrar /usr/bin
-zoo:
-I cheated here. I don't figure I'll ever see a *.zoo file come through my email system these days, and if I do, I'm not going to scan its contents for possible spam content, so I just made a bogus "zoo" script file (neither SpamAssassin nor amavisd will care if this doesn't work; they will just go on their way if they ever happen to call this file and it doesn't do anything):
vi /usr/bin/zoo (which will open up the editor to a blank file named zoo)
-hit "i" to begin "inserting" text and type in (exactly):
#!/bin/sh
-exit vi in the standard manner, hit Esc, then type
:wq
-then at the command line, to make this new file executable:
chmod +x /usr/bin/zoo
-if you really want to get zoo, go to a search engine like google, search on "Linux zoo compress" or something like that.
-vscan:
-vscan is the executable for an antivirus program. Since we won't be doing AV scanning in this configuration, we'll create a bogus vscan to use (if one isn't there, amavisd won't configure). Just like above, with zoo, create a file named vscan and put only #!/bin/sh into it. Save it, and make it executable.
-arc:
-if you're just making a spamfilter, you can do the same thing with arc and make a bogus /usr/bin/arc (what spammer would use arc on the spam message first????). In that case, after creating /usr/bin/arc, you can skip to the "Razor 1.20" section, below.
-If you will be doing anti-virus scanning in addition to filtering spam, you'll need to be able to open arc files, so:
cd /usr/local/lib
mkdir Arc
cd Arc
-then, anonymous ftp to ftp.stat.umn.edu then cd to /pub/arc/ and get arc.shar.gz
-exit ftp ("bye") and run each command:
gunzip arc.shar.gz
/bin/sh arc.shar
cp arc /usr/bin
-get a copy of xlipstat-<VERSION>.tar.gz, compile and install it (arc needs it).
-go to www.stat.umn.edu/arc/unix1.html if you want, for more explanation/info on arc
-Razor 1.20
(*Note: at the time I originally set up my spamfilter - early 2002 - you didn't want to get a more recent version of razor; it wouldn't work with the version of amavisd current at the time. This may be resolved now, but I have not looked into it. You can check the amavis website to see if you can run a more recent version of Razor, if you wish). The commands:
cd /usr/src
links http://sourceforge.net/project/showfiles.php?group_id=3978
-then page down a couple of times, and get your cursor on razor-agents-1.20.tar.gz
-hit the right arrow key
-on the next page, use the down arrow key to get the cursor onto one of the download locations ("download20 kb"). hit a right-arrow key.
-on the next page, use the down arrow to get the cursor to the start of the line:
http://...............sourceforge.net/sourceforge/razor/razor-agents-1.20.tar.gz
-hit "d" to download it
-"q" to exit links when it's done, then unpack the tarball, move into the new directory, and install:
tar xvzf razor-agents-1.20.tar.gz
cd razor-agents-1.20
perl Makefile.PL
make
make test
make install
--------------------
-finally, done with required software for amavis! Now to download amavisd-new from Internet. To do this, use "links" again, from /usr/src:
cd /usr/src
links http://www.ijs.si/software/amavisd/
-wait for page to load, scroll down and put your cursor on
amavisd-new-20030314-p1.tar.gz and hit a "d" for download. Hit "q" when it's done to exit links.
-unpack amavisd-new and go into the new directory:
tar xzvf amavisd-new-20030314-p1.tar.gz
cd amavisd-new-20030314
(you DO know about the shortcut to fill in the remainder of long file/path names in Linux don't you? Just type in the first part, then hit the tab key?)
-OK, let's pull the Ethernet cable again - we won't be needing the connection for a bit (and until we have the box better secured, we'll minimize its exposure).
---------------------------------------------------------
-BUILDING AND INSTALLING AMAVISD-NEW
---------------------------------------------------------
-read the Release_Notes and INSTALL files in this directory for instructions for installing amavisd-new. They will explain all you need to know about it.
----------------------------------------
-CONFIGURING AMAVISD-NEW
----------------------------------------
-Make a backup of the config file:
cp /etc/amavisd.conf /etc/amavisd.conf-original
-then,
vi /etc/amavisd.conf
-find the line (around line 172) that starts with: $mailfrom_notify_admin =
and replace the email address in that line with the email address you would like to have appear in emails bounced from this box. This will be who people will reply to in case their mail is bounced, if they claim it isn't spam and they want you to stop blocking them. So make it a legitimate address you will be monitoring, something nice, like "mailbouncer@companymail1.com" or the more standard "postmaster@companymail1.com".
-SET AMAVIS TO ONLY LISTEN FOR MAIL LOCALLY:
-set amavis to respond to calls from local ports (postfix will listen for all external calls). Find the lines (somewhere around lines 345-50) that look like:
#$inet_socket_bind = "127.0.0.1"; # limit socket bind to loopback interface
#@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost
-and remove the # sign from the beginning of each
-find the lines (just a bit past the above 2 lines) that would let amavisd accept remote calls and bind to every interface:
@inet_acl = qw(127/8 193.2.4.243 193.2.4.66);
$inet_socket_bind = undef; # bind to all IP interfaces
-and add a # in front of each of these lines
-SEND SPAM TO QUARANTINE:
-send all spam emails to a quarantine mailbox. Find the line:
$spam_quarantine_to = 'spam-quarantine';
-and edit it to replace spam-quarantine with a valid email address where you want copies of this stuff to go (so you can see what has been rejected, and pull something out if it was a "false positive"). To find this line in the vi editor, hit the / key, type in "spam_quarantine_to", then hit the Enter key.
-SEND NOTIFICATIONS TO ADMIN
-This is optional. It will result in saving 2 copies of every spam, but it gives you some more information. With this feature, the designated spam admin email address mailbox will receive a copy of each email tagged as spam, which will include text explaining the spam rules broken. Since we're already getting a copy of the tagged emails anyway in the spam quarantine (albeit without a nice explanation), we don't really NEED this. It is a cool feature, though, since it provides a copy explaining the broken rules. On the other hand, it's not quite as good for use in forwarding false positives on to their proper recipients. It's a bit hard to explain. To really understand the difference, you'll have to test it out. To use this feature, find the line where the "spamadmin" email address is specified, and give it an address. For ease of handling your spam, you probably want this to be a different mailbox from the spam quarantine! Note that email blocked by postfix will not be reported here, just those stopped by Amavis/SpamAssassin.
-AMAVIS LOGGING:
-make amavis log everything to /var/log/maillog, same place postfix uses, so all mail-related logging is in one place. Find the line (119):
$SYSLOG_LEVEL = "user.info";
...and change this to:
$SYSLOG_LEVEL = "mail.info";
-exit vi: Esc, then
:wq
-GIVE AMAVISD ACCOUNT (VSCAN) OWNERSHIP OF AMAVIS DIRECTORY:
-next, give ownership of the /var/amavis directory to the user vscan:
chown vscan /var/amavis
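As an added example (not code from the guide or from amavisd-new), the edits in this section as a sed script, followed by a check that the resulting config really binds amavisd to the loopback address only, so a missed line is caught before amavisd is started. It assumes the stock layout of the lines quoted above and runs here on a constructed excerpt rather than the real /etc/amavisd.conf.

```shell
#!/bin/sh
# Added example, not from the original guide or amavisd-new: apply the
# amavisd.conf edits from this section with sed, then verify the result.
# It works on a constructed excerpt laid out like the stock amavisd.conf
# lines the guide quotes; on a real box point it at /etc/amavisd.conf.

# amavisd_value FILE NAME: print the last uncommented assignment to NAME
# (Perl keeps the last one, so a later line overrides an earlier one).
amavisd_value() {
    val=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in "$2 = "*) val=${line#*= }; val=${val%%;*} ;; esac
    done < "$1"
    printf '%s\n' "$val"
}

# apply_amavisd_edits IN OUT: uncomment the loopback bind/ACL lines,
# comment out the bind-everywhere lines, and send logging to mail.info.
apply_amavisd_edits() {
    sed -e 's/^#\$inet_socket_bind = "127\.0\.0\.1";/$inet_socket_bind = "127.0.0.1";/' \
        -e 's/^#@inet_acl = qw( 127\.0\.0\.1 );/@inet_acl = qw( 127.0.0.1 );/' \
        -e 's/^@inet_acl = qw(127\/8 .*/#&/' \
        -e 's/^\$inet_socket_bind = undef;.*/#&/' \
        -e 's/^\$SYSLOG_LEVEL = "user\.info";/$SYSLOG_LEVEL = "mail.info";/' \
        "$1" > "$2"
}

# check_amavisd_local_only FILE: 0 only if amavisd binds to 127.0.0.1 and
# its ACL admits nothing but loopback clients (postfix hands mail to it locally).
check_amavisd_local_only() {
    bind=$(amavisd_value "$1" '$inet_socket_bind')
    acl=$(amavisd_value "$1" '@inet_acl')
    if [ "$bind" != '"127.0.0.1"' ]; then
        echo "amavisd: inet_socket_bind is '${bind:-unset}', not the loopback address" >&2
        return 1
    fi
    acl=$(printf '%s' "${acl#qw}" | tr -d '()')       # qw( a b ) -> " a b "
    if [ -z "$(printf '%s' "$acl" | tr -d ' ')" ]; then
        echo "amavisd: no active @inet_acl line" >&2
        return 1
    fi
    for client in $acl; do
        case "$client" in
            127.0.0.1|127/8|127.0.0.0/8) ;;
            *) echo "amavisd: inet_acl admits non-local client $client" >&2; return 1 ;;
        esac
    done
    return 0
}

AM_DIR=$(mktemp -d)
# Constructed excerpt, laid out like the stock amavisd.conf lines above
cat > "$AM_DIR/amavisd.conf.before" <<'EOF'
$SYSLOG_LEVEL = "user.info";
#$inet_socket_bind = "127.0.0.1"; # limit socket bind to loopback interface
#@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost
@inet_acl = qw(127/8 193.2.4.243 193.2.4.66);
$inet_socket_bind = undef; # bind to all IP interfaces
$spam_quarantine_to = 'spam-quarantine';
EOF

if check_amavisd_local_only "$AM_DIR/amavisd.conf.before"; then
    echo "before: local-only"
else
    echo "before: reachable from other hosts"
fi
apply_amavisd_edits "$AM_DIR/amavisd.conf.before" "$AM_DIR/amavisd.conf.after"
if check_amavisd_local_only "$AM_DIR/amavisd.conf.after"; then
    echo "after: local-only"
fi
echo "after: SYSLOG_LEVEL=$(amavisd_value "$AM_DIR/amavisd.conf.after" '$SYSLOG_LEVEL')"
```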
-[OPTIONAL-DON'T USE RAZOR]------------------------------------------------
-To stop Amavis from making Razor checks (and so just use SpamAssassin), you must edit the actual amavisd script, not the amavisd.conf file.
-First, make a backup copy of the original file:
cp /usr/sbin/amavisd /usr/sbin/amavisd-original
Then:
vi /usr/sbin/amavisd
-page down and edit the lines (2695 and 2696) that start with:
if ($body_lines <=1) { # avoid false positives like Test, foo, *, aaa
do_log(1, "spam_scan: skip Razor check for a body of $body_lines . . .
-hit "i" to enter "INSERT" mode
-and make them to:
if ($body_lines <=-1) { # avoid false positives like Test, foo, *, aaa
# do_log(1, "spam_scan: skip Razor check for a body of $body_lines . . .
(the 1st line, 2695, gets changed to -1; line 2696 gets a # in front of it, so we don't log each time we skip this)
-to exit vi and save changes... Esc key, then:
:wq
---------------------------------------------------------------------------------
-START AMAVISD AT BOOT TIME:
-now, to set amavisd to start at boot:
vi /etc/init.d/postfix
-right after the Start Daemons comment line (35), add the 3 lines below.
*Note: there are different paths to amavisd, depending on which version you are running. It should be either /usr/sbin/amavisd or, in newer versions, /usr/local/sbin/amavisd. Find out where yours is (the command "which amavisd" will do it) and put that in place of "/PATH/amavisd" in the script below:
echo -n "Starting amavisd: "
/PATH/amavisd 2>/dev/null 1>&2 && success || failure
echo
-in the stop section (right after the line: stop() { )
-add 3 lines near the bottom, so this section ends up looking like this:
# Stop daemons.
echo -n "Shutting down postfix: "
/usr/sbin/postfix stop 2>/dev/null 1>&2 && success || failure
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/postfix
echo
echo -n "Shutting down amavisd: "
/PATH/amavisd stop 2>/dev/null 1>&2 && success || failure
echo
return $RETVAL
-and, in the "reload" section, insert 2 lines, so:
reload() {
echo -n "Reloading amavis: "
/PATH/amavisd reload 2>/dev/null 1>&2 && success || failure
echo
echo -n "Reloading postfix: "
/usr/sbin/postfix reload 2>/dev/null 1>&2 && success || failure
RETVAL=$?
-For those admins wondering, you do NOT need to make amavisd start as the vscan user. The script itself will do this, and start amavisd as a daemon, keeping it from having root privileges. Postfix, BTW, also runs as another user: "postfix", not as root.
-------------------------------------------------------------------------------
-GIVE OWNERSHIP TO AMAVISD ACCOUNT TO SPAMASSASSIN STUFF:
-give ownership to /usr/share/spamassassin and all files within to vscan (3 commands):
chown vscan /usr/share/spamassassin
cd /usr/share/spamassassin
chown vscan *
-give ownership of any directories used to store quarantined email to vscan:
chown vscan /var/virusmails
------------------------------------------------------------
...OK, let's see if we can fire the system up! Type:
/etc/init.d/postfix start
You should see 2 lines indicating that amavisd and postfix start successfully. This is indicated by "OK" appearing on each line. If instead the word "FAILED" appears on either line, you've got a config error somewhere with either postfix or amavisd. You'll have to review the above configurations to determine where the problem lies. I'm positive the above configuration information is correct - I've done it too many times, and so have others.
--------------------------------------------------------------------------------
-CONFIGURING POSTFIX TO SEND MAIL THROUGH AMAVIS/SPAMASSASSIN
Now we need to tell postfix how to send emails through the amavisd/spamassassin filter, and to listen for mail returning from it. Another document covers this, so instead of repeating those instructions here, let's go straight to the proverbial horse's mouth...
-carefully follow the instructions in this file: /usr/src/amavisd-new-<version#>/README.postfix
(obviously, change <version#> to whatever is correct in your case)
-------------------------------------------------------------------------------
-REQUIRED NAME RESOLUTION
-OK, other mail servers will need to find your server. Set up name resolution of mail1.companymail1.com to its IP address. How this is done depends on your environment. Basically, you need to make sure that any box that needs to talk to this mail server can resolve its name, either through appropriate DNS server entries somewhere, or local "hosts" files on those machines.
-----------------------
-MAILGREP UTILITY:
-While not required, a nice tool to have is "mailgrep.pl", to parse certain data out of the mail logs instead of having to scroll through them, or do the grep commands. It was written by Craig Sanders, but for some reason the links on Craig's web site (http://taz.net.au/postfix) don't work anymore, so I have put a copy on my site (thanks to the GPL Craig released this under, this is all perfectly simple and legal - thanks, Craig!) So, to set this up, download the openlogfile (a perl function to open log files) and mailgrep (a perl script to help search the maillog) utilities, rename them, put them in /usr/bin, and make mailgrep.pl executable:
-plug in the Ethernet cable again... then:
cd /usr/bin
links http://www.geocities.com.scottlhenderson/mailgrep.pl.txt
-hit the "Esc" key (this brings up the links menu)
-arrow down to "Save as", hit Enter
-shorten the name by removing the ".txt" from the end of the file name, hit Enter to save it.
-do the same with http://www.geocities.com.scottlhenderson/openlogfile.pl.txt.
-hit "q" to exit links
-then, pull the Ethernet cable out, and:
chmod +x mailgrep.pl
-To learn how to use this, just type the command:
mailgrep.pl
*Note: our mail log is not "mail.log" (the default for this tool), so we need to type the correct mail log path and file name - /var/log/maillog -when we use it. E.g., to search for all mail log entries dealing with mail to or from "someuser@somedomain.com", we would use:
mailgrep.pl -s someuser@somedomain.com /var/log/maillog
To see what mailgrep.pl does for you, compare the output of the above to:
grep -i someuser@somedomain.com /var/log/maillog
------------------------------
-SPEED UP REBOOTS:
-set grub to 2 second delay, to make remote reboots faster, but still allow you time to respond if you're at the console:
vi /boot/grub/menu.lst
-edit the line: timeout=10 to timeout=2
-to exit... Esc, :wq
------------------------------------
-----------------------------------------------------------------------
-MAIL REPORTS:
-This section will set up an automated preparation of a very nicely laid out report of email activity, and email this report to username (whose mail we redirected using a .forward file, remember?) once per day, with the previous day's mail statistics, and once weekly, with the stats for the entire previous week. This section is optional:
-first, we need the Date::Calc perl module. Plug into the Ethernet and:
perl -MCPAN -e shell
install Date::Calc
(this will require some other stuff, when prompted, choose yes)
bye
-Then, we need the pflogsumm.pl utility:
cd /usr/bin
links http://jimsun.linxnet.com/postfix_contrib.html
-Page down about 3 pages to the line:
pflogsumm-1.0.3.pl [http download] [ftp download]
(or a more recent version if a new one is in the list)
-put your cursor on [http download] and hit "d" to download.
- use "q" to quit links when you're done.
-pull the Ethernet
-rename pflogsumm-1.0.3.pl to pflogsumm.pl:
mv pflogsumm-1.0.3.pl pflogsumm.pl
-Make pflogsumm.pl executable:
chmod +x /usr/bin/pflogsumm.pl
-ROUTINE EMAIL LOG SUMMARIES TO USERNAME:
-set up cron to prepare and mail pflogsumm results, daily and weekly:
as root:
crontab -e
(drops you into the vi editor.) Hit an "i" to begin. Then enter a blank line or 2 above the existing line using the Enter key, arrow back to the top and type in 2 lines: (replacing "mail1.companymail1.com" with the name of your mail server, and username with the name of the account you created):
10 3 * * * /usr/bin/pflogsumm.pl -d yesterday /var/log/maillog 2>&1 |/bin/mail -s "mail1.companymail1.com - Postfix daily mail summary" username
10 3 * * 0 /usr/bin/pflogsumm.pl /var/log/maillog 2>&1 |/bin/mail -s "mail1.companymail1.com - Postfix WEEKLY mail summary" username
-Then, exit vi by hitting the Esc key, then typing :wq and hitting Enter.
------------------------------------
-[Optional - to maximize disk I/O throughput]:
-run hdparm (see man hdparm, and some nice instructions at: http://linux.oreillynet.com/pub/a/linux/2000/06/29/hdparm.html)
(hdparm -W to en/dis-able IDE drive write-caching)
-----------------------------------------------------------------------
-SECURITY:
-Set up some decent security on your box. If you don't know how, plug in to the Ethernet and go to http://www.cisecurity.org and download the latest Linux security benchmark and tools and use them. Not real hard to do, but takes a little time. Well worth it, you'll have a reasonably secure box. Just fill out your name and email address, read the pdf documentation (obviously you won't read the pdf file on this server, do this on a GUI computer) and go through it step by step. It will take an hour or so to do. One note: at the end of this doc it explains how to use ntpd for time service. This is highly recommended on a mail server, for having accurate time stamps for emails and logs. You can also refer to http://www.eecis.udel.edu/~ntp/ for more information (than you probably want) on ntp time service, and also for a list of free public time servers you can use. The instructions in the CISecurity pdf file don't explain something you need to do for ntpd to work, however. After you download and install it, do this:
touch /etc/ntp.drift.TEMP
chown ntp /etc/ntp.drift.TEMP
-To learn more on security, read the Linux Security HOWTO document at: http://www.tldp.org/HOWTO/Security-HOWTO/index.html and/or the Red Hat-specific security doc at: http://www.tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/index.html
-configure tripwire, if desired. For info, see www.tripwire.org, get a good book on it, and also read:
man tripwire
------------------------
-BACKUPS
-Develop a plan for backups. You need a plan for this, even though... this machine won't hold data, for the most part, as all mail will just be forwarded from it, not generally stored on it (unless the mail server it is sending to goes down, in which case it will store all mail until the receiving server becomes available). At the least, you should backup all the configuration files related to the programs in use on this server.
........Make sure the Ethernet cable is plugged in, and reboot the box. You're done, girl. Go test it :)
-------------------------------------------------------------------------------
-CONFIGURING, WHITELISTING, BLACKLISTING, CHANGING SCORE VALUES, ETC.
-With SpamAssassin, you can change many configuration values. Among these are white and blacklisting senders and receivers, altering the scores for various spam-ish email characteristics, and so forth. For those spammers who manage to always score just below your SPAM score threshold, for instance, you can blacklist their domain or specific sending address, as you see fit. Likewise when legitimate email ends up in the spam quarantine mailbox, you can whitelist the sender or domain. You'll be doing this kind of thing several times a day for the first week or two, then little adjustment will be needed.
If you want to change the score that SpamAssassin gives to a characteristic, you can do that too. These kinds of changes can all be done in one file: /etc/mail/spamassassin/local.cf. You don't want to go into the regular SpamAssassin config files (in /usr/share/spamassassin) and mess with them. Your changes would be overwritten if you upgrade SA in the future, anyway. Here's the contents of a fictitious local.cf file for starters (note: anytime you edit this file, you will want to stop and restart the mail system, to make sure the changes are read):
# /etc/mail/spamassassin/local.cf
#
# WHITE AND BLACKLIST FILE, AND SCORE CHANGES
#
# Note: wildcards ARE allowed here. Please add entries to
# each list in alpha order, by final domain.
#
# WHITE-LISTED SENDERS (the good guys):
whitelist_from *.good-domain.net # This domain is safe
whitelist_from *@goodguys.com # These guys are ok
whitelist_from dudley.duright@mounties.ca # He never spams us
# WHITE-LISTED RECEIVERS:
# (Let ALL mail through to these recipients - no scanning for SPAM):
all_spam_to spam-lover@companymail1.com # He likes it
# BLACK-LISTED SENDERS (the bad guys):
blacklist_from offers@*.*
blacklist_from offerz@*.*
blacklist_from *@badguys.com # nasty outlaws
blacklist_from *@casino-fun.* # we don't want any of this stuff...
# SCORE CHANGES (Don't mess with these unless you KNOW what
# you are doing!)
score FORGED_HOTMAIL_RECD 5.50
score WEB_BUGS 1.50
-------------------------------------------------------------------------------
-OTHER NOTES, COMMENTS:
Spam traffic is increasing dramatically. I recently read an estimate that spam traffic may represent one half of all email traffic by year end 2003. And spammers are becoming increasingly sophisticated. Setting the above system up won't end your anti-spam project, I'm afraid. You'll catch a LOT of spam with this, but some will keep getting through, and some good emails will get blocked. You'll learn and tweak things as you go forward.
I hope this doc is useful to you. Please keep in mind this is a freebie project. My time to provide tech support for this procedure is very limited, but if you're in a jam, try me and I'll help if I can. You also have available to you the mailing lists for spamassassin, postfix, amavis, etc. The people on these lists are very helpful - I couldn't have set this up without them. They are an EXCELLENT tech support option -- from them, I almost always had an answer to my questions within a few minutes to a half an hour or so!
Everyone is welcome to link to this document, as well as to copy all or any portion of it for their own use and/or to share with others pretty much as they see fit. More specifically, this document is provided under the terms of the OpenContent license. See http://www.opencontent.org/opl.shmtl for a copy of the license. The author assumes no liability for the use of this information - use it at your own risk.
...this doc originally created July 2002. Last revised 5/18/2003.