Welcome to FreeSpamfilter.org

CREATING A SPAMFILTER RELAY SERVER With Red Hat 9

Origionally by Scott L. Henderson

Maintained and Hosted by Dave D.

Document originally created July 2002. Last revised 01/16/2005.

While I maintain this document in Scott Henderson's origional words, I am making updates to maintain the integrity of this configuration.

Recent updates have been the BerkelyDB install that is required by Amavisd, and the necessary directories that have to be created. Thanks Sheldon S. and Chris S.

Why this document exists:

There is a desire to control the flow of "SPAM" into organizational email systems. SPAM (also known as "UCE", for "Unsolicited Commercial Email" or "UBE" for "Unsolicited Bulk Email" -- and by other, less flattering names), is growing at an alarming rate. Many IT department budgets, however, are tight, and many administrators and executives are looking to Open Source solutions to reduce costs. To fight SPAM, you COULD buy another server, purchase and install ANOTHER copy of a proprietary operating system, and THEN buy a 3rd party anti-spam tool. But what if you could take that old Pentium 450 server with 196MB of RAM (or even a lesser machine, in most cases), and turn it into a better anti-spam tool than you could BUY?

This anti-spam relay server was my first foray into putting Linux to work in a production environment. I created this document from my experiences, and since then (summer of 2002), I've worked with many other IT people who are beginning to explore the power and flexibility of Linux and other OSS (Open Source Software) options. I've found that many administrators of small to medium organizations (say, from 5 to 5000 users) don't yet have the knowledge or experience - or confidence - to build an Open Source system, like this powerful anti-spam tool. This document is an attempt to address that situation. With no risk, one can try this spamfilter between an email server and the Internet. Even if you completely botch something, you can always just yank this system out of the loop. So it is a nice way to learn Linux, and get your feet just a little bit wet. I hope you will be as pleased as I (and my boss!) have been with the results.

For experienced *nix admins, or others who might want to set up a very simliar system to this, but on OpenBSD, you should have a look at this excellent page. (It's a nice reference for the rest of us too!)

Also, here is a page from another individual with a similar configuration that you may want to investigate, using Postfix, Cyrus Imap, MySQL, Web-Cyradm... on Fedora Core 2.

RED HAT INSTALLATION:

Partition	Mount Pt	FS	Size	Type	Bootable

/dev/sda1	/boot		ext3	100MB	primary	    *

/dev/sda2	/		ext3	3000MB	primary

/dev/sda3	swap		swap	512MB

/dev/sda4	extended

/dev/sda5	/var/log	ext3	1000MB

/dev/sda6	/var/spool	ext3	3000MB

CHOOSING SOFTWARE "Package Groups":

POST-INSTALL RED HAT CONFIGURATION

GPG: "GNU Privacy Guard"

DOWNLOADING, VERIFYING, AND INSTALLING POSTFIX

Verifying the postfix tar ball

Postfix Installation

Postfix Configuration

CHROOT for Postfix, and preparing for filtering: changes to master.cf

smtp-amavis	unix	-	-	y	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o disable_dns_lookups=yes

127.0.0.1:10025	inet	n	-	y	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=127.0.0.0/8
	-o strict_rfc821_envelopes=yes

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       y       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       nqmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp

smtp-amavis	unix	-	-	y	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o disable_dns_lookups=yes

127.0.0.1:10025	inet	n	-	y	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=127.0.0.0/8
	-o strict_rfc821_envelopes=yes

Send all of root's mail to someone

#root:         you

root:        spamfilter@domain1.com

Starting Postfix automatically, at boot time

 #!/bin/sh 

# postfix  Postfix Mail Transfer Agent - Init Script

Set up asynchronous logging for Postfix:

mail.*                 /var/log/maillog 

mail.*                 -/var/log/maillog

Postfix Configuration

Read the text in this doc as you please, to understand better, then scroll down to the bottom of the file (actually doesn't make any difference WHERE in the file you do this):

add 1 new line for each domain for which you will be handling mail, similar to the example below

(but of course replace domain#.com with your domain(s) and x.x.x.x and y.y.y.y with the IP address of the mail server(s) that are the final destination(s) for their respective domains) - like this (remember, use the key "i" to begin inserting in vi):

domain1.com smtp:[x.x.x.x]
domain2.com smtp:[y.y.y.y]
(DO include the brackets on these lines!)

*These lines tell postfix to transport any mail addressed to recipients in domain#.com to the mail servers at the IP address(es) specified (i.e. your internal mail server(s), using the smtp protocol. The format is exacting, get every symbol correct and leave some white space between the domains and the "smtp" part.

-Use the regular "Esc", then the    :wq sequence to

exit vi

*Note: any time you make a change to this file, you must create a special version of it for postfix to read, by running the postmap command (postfix doesn't actually read the text version we work in, it makes another, faster file for its use):

postmap /etc/postfix/transport

Postfix anti-SPAM settings

Preliminary Notes:

The values below help ward off SPAM by means of postfix configuration. These will cause emails to be rejected by postfix right at the "front door", so to speak, without even having them scanned by Spamassassin ("SA"), or other systems deeper within your mail processing system. This is good and bad. It saves system resources, but it also doesn't let you SEE the bounced mail. All you will see is a log entry or two from postfix saying essentially "Hey, a mail server named "xxxxxxxx" at IP address X.X.X.X tried to send some mail in, but it broke rule XYZ, so I bounced it". Now this could have been SPAM -- spammers often intentionally don't follow RFCs in order to accomplish their goals. But if it was a "legitimate" mail -- say from a customer who's IT Department has simply misconfigured their mail server (extremely common)-- you could have some ruffled feathers to deal with!

If you want to allow ALL email to come in the front door, and configure SpamAssassin / Amavisd to scan and handle all SPAM control within the system, you would need to modify some of the settings below. I personally find a combination of postfix and SA anti-SPAM control to be best.

If you want to go BEYOND the postfix anti-SPAM config I'm setting up here (and believe me, you can), and/or you want to understand more about these settings, a super resource is Jim Seymour's Postfix Anti-UCE Page (expect to spend an hour or so reading and understanding all of it!) You will note I use some of the same settings as he does here, but this configuration is not nearly as restrictive. But this config also differs from his in the location of some of the restrictions because I have organized them how I feel they are most intuitive for the average administrator.

For now, just keep in mind that postfix will not be our only - or even our primary - anti-spam tool. So we don't need to try to block everything here. We don't even want to. We'll just try to slough off a little of the real obvious garbage, junk mail. SpamAssassin and Amavis will come into the picture in a bit, and will provide us with even more powerful and configurable options to recognize and manipulate SPAM.

smtpd_helo_required - make any connecting mail server do a proper smtp "handshake" and announce it's name. Internet RFCs require this, so we do too.

postconf -e "smtpd_helo_required = yes"

smtpd_helo_restrictions: We'll list 4 items here, but note that one isn't a "restriction":

permit_mynetworks - allows machines listed for the mynetworks value to be permitted without question

reject_unauth_pipelining - rejects bulk mailers that attempt to use pipelining to speed delivery, without checking if it is supported first (non-RFC, common among spammers)

reject_invalid_hostname - rejects when the client HELO has a bad hostname syntax.

reject_maps_rbl - reject the request when the reverse DNS lookup reveals that the network address is listed on an RBL specified in in the "maps_rbl_domains" parameter (below). RBLs are "Realtime Blackhole Lists" -- in other words, lists of "badboy" mail servers. Various organizations run them, many of these are free, some are not (like mail-abuse.org). I won't explain much about RBLs here - it's too complicated and they all have their own idiosyncracies. They are legitimate services, and VERY helpful in beating SPAM, but also (like many things dealing with spam) somewhat controversial. I've chosen a few freebies I that think work well together, but at some point down the road you should definitely search the Internet on "RBL" and learn more about all of this.

postconf -e "smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_maps_rbl"

(Remember to make commands as one continuous line, and ignore when it wraps!)


maps_rbl_domains - tells postfix which RBLs to use

postconf -e "maps_rbl_domains = sbl.spamhaus.org, relays.ordb.org, opm.blitzed.org, dun.dnsrbl.net, spam.dnsrbl.net"

*Note: If you want to be just a little more conservative, but still keep some RBL listing, leave in all the RBLs above except for the last one, from which I get a few claims from mail admins who say they have had trouble getting off the dnsrbl list, even after following their guidelines at http://www.dnsrbl.com/getremoved.html.  I can't verify this, though, and I do stop a good deal of spam by using this list. Your option, and you can always change any of this later, of course. Again, READ about these RBL things, and learn. (later :)

smtpd_sender_restrictions:

reject_non_fqdn_sender - reject when the data in the client "MAIL FROM:" command does not contain an address in fully-qualified domain form (e.g. "someone@somedomain.com").

reject_unknown_sender_domain - reject when the sender mail address has no DNS "A" or "MX" record at all. (The "sender" here is what the sending mail server gave in the "MAIL FROM:", not the header "From" line.)

postconf -e "smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain"

smtpd_recipient_restrictions: restricts what recipient addresses this system accepts in "RCPT TO" line (i.e., who the mail says it is FOR, in the envelope information. Again - NOT from any header "To:" data).

reject_unauth_destination - Ignore the client hostname. Reject unless one of the following is true:

1-the resolved destination address matches $relay_domains or a subdomain thereof, and the address contains no sender-specified routing (user@elsewhere@domain)
2-any destination that matches $mydestination, $inet_interfaces or $virtual_maps (we won't be using virtual_maps).

reject_non_fqdn_recipient - reject when the address in the "RCPT TO:" command is not in fully-qualified domain form.

postconf -e "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient"

*Note: restrictions are used in the same order as they appear in /etc/postfix/main.cf and the first match ends the process.

header_checks - tells postfix where to find a file we'll use to evaluate header information in emails (like common spam phrases, etc. and tells postfix what to do with each of these).

postconf -e "header_checks = regexp:/etc/postfix/header_checks"

content_filter - here's where we tell postfix to use amavis

postconf -e "content_filter = smtp-amavis:[localhost]:10024"

*When you are done issuing all the above commands to set these main.cf parameters (and in fact ANY time you make changes in either main.cf or master.cf), issue this command to make postfix immediately reads its new configuration:

postfix reload

And now:

postconf -n >> /root/postconf.txt

This produces a file /root/postconf.txt showing a list of your main postfix parameters, including any that are not default. Review them CAREFULLY for correctness. (Use the command: less /root/postconf.txt . Go back and fix any mistakes. I recommend you print or otherwise save a separate copy of this info (on a different machine!), as well as each of the below docs, for future reference.

/etc/postfix/header_checks - this file will list certain "strings" of text, and tells postfix what to do with mail if it encounters these in email headers (I'd like to insert a URL here for a good, brief explanation of what email headers are, and how they are different from envelope data, if someone knows of one, please email me! ...SH).

-A sample file is already created for us, with comments explaining what to put in it. We'll make a copy of that, and then you can edit it:

cp /etc/postfix/sample-regexp-header.cf /etc/postfix/header_checks

Then, edit this doc as appropriate:

vi /etc/postfix/header_checks

And here's an example of a line you might put in:

/^Postmaster@/ OK

Note this file requires regexp ("regular expression format"). "regexp" is something you'll want to learn about in order to live in the *nix world. Get a book or research it on the Net sometime. For an example of an elaborate header_checks file from someone with an attitude, take a look here. But don't blindly follow this - use your own mind! :)

/etc/postfix/access - this file is another check used by postfix to control things right at the front door. In this file, we'll list certain senders/domains/IPaddress ranges for special handling. Below are bogus examples, create your own as you see fit. This file needs to exist, because postfix will be looking here and will expect to see SOMETHING. If you don't have any of these to create right now, just use a made up one for starters, like the last one in the COMMAND example below. Note that an "OK" here doesn't mean an email will not be tagged as spam by amavis a bit further on...

touch /etc/postfix/access

(This creates an empty file)

vi /etc/postfix/access

---

#Example access map file
# 
# note: this file only accepts 3 control types:
# 
# REJECT
# OK 
# [45]XX $message (for specially selected error codes and messages)

ispy99@spamnet.cn     550 Go away 
makeabuck@mlm.dom 550 No MLM thanks 
allspam.dom 550 Spam is not accepted here 
badguy.net REJECT 
#250.192     REJECT 
#goodguy@somewhere.com     OK
justaspamminfool@allspamallthetime.com REJECT 

---

(Of course, any line starting with a # symbol will be ignored by postfix)

*Note: any time you change this file, afterwards you will always:

postmap /etc/postfix/access

...to create the special version of it that postfix will use.

END of Postfix anti-SPAM settings...

---

Remote Administration test:

READ AND CHOOSE:

-This section assumes you don't want to physically go to this box whenever you want to administer it. If you DO plan to always physically go to it, you can ignore this section and turn the ssh server on this box off with this command: chkconfig sshd off . Otherwise, plug in the Ethernet cable, and let's test ssh. On any machine with an ssh client installed, try a connection to the new server.

(You can use the ssh client from another Linux machine, as most every distro ships with one, or you can obtain an ssh client for other operating systems, like Windows and Macintosh. For examples, see here: Some other SSH Clients.

With a typical client version of ssh, you can test a connection to the spamfilter like this:

From another machine, running an ssh client:

ssh -l admin1 x.x.x.x

(where x.x.x.x is the IP address of this new server, and "admin1" is your user name on it. The first time you connect ssh will prompt you asking if you are sure this is the right machine. Say yes unless you believe terrorists have already sneaked into your building and have secretly replaced your spamfilter box with another at the same IP address, when you weren't looking.) Next:

log in!

then switch to the root account:

su -

Yes the dash is important!

Provide the root password when prompted. That's good, if you got this far everything is fine. Get out:

exit

exit

Or, if you are in England, use these:

wayout

wayout

(JUST kidding... :-)

---

Red Hat Registration and Updates

-Red Hat has a nice system to keep your machine up to date. You have to register your machine first. We'll go into the GUI:

startx

1. Start the Mozilla Web browser. It will open to a Red Hat page.

2. Click on the "Activate" button near the bottom.

3. Acknowledge the "encrypted page" message, if it appears.

4. Click on the link to download the new version of the up2date program.

5. Read and understand the instructions on this page to download and install the up2date software. I suggest you write down the commands you'll need to do. Your software is under the section "Red Hat Linux 9 i386".

6. Once you've downloaded, open a terminal window and run these commands:

cd

md5sum up2date-3.1.23.2-1.i386.rpm

(you should get a big ugly hash number. It should match the one on the web page)

md5sum up2date-gnome-3.1.23.2-1.i386.rpm

(likewise on this file...)
7. Next, we'll update this software:

rpm -Fvh up2date-*

8. Now we'll register with Red Hat using the new software:

up2date --register

9. In the resulting window,

go to the "Package Exceptions" tab, highlight "kernel*", and hit "Remove". Then hit "OK".

10. Answer "Yes" to install the Red Hat key.

11. Follow the "Red Hat Update Agent" prompts to complete your registration.

(at Step 3 of the registration process, I do NOT recommend unselecting any of the boxes, and I do recommend selecting ALL packages for updates)

12. write down the username and password that you use during the registration process.

*You can go to https://rhn.redhat.com at any time to view or alter this registration (cookies required on this site)

RH will update all packages you have on your machine. This will take a while. Red Hat will not install any software not already there -- just updates, including bug fixes, security patches, etc. Sweet! Reboot after. You may have to run this over an evening or on a weekend. Paid RH subscribers get priority on this service, and if the wire is too busy it will stop and tell you there isn't enough bandwidth right now for you, and refer you to a web page where you can learn about buying a paid subscription ($60/year per box, good investment, in my humble opinion. See the web site for info.) Of course, you can also just come back and try this procedure as many times as you like, later. If for some reason you don't want to use up2date, you can still get the same updates manually. For details on that, go to http://www.redhat.com/apps/support/errata .

---

Download amavisd-new, Spamassassin, and Razor

While we're in the GUI, we'll do some more downloading. I will assume you can find your way around without point-and-click directions for this. As time goes on, the versions of these software packages will continue to be updated. I have noted the versions I used when preparing this doc. If you get a newer version of something, make sure to read any "Release Notes" and other documentation that comes with it so you will know if you need to change some of the procedures from what I have written for setting this up:

Download all of these to /usr/local/src :

1. With Mozilla, go to http://sourceforge.net/projects/razor and get the latest versions of "razor-agents" (I got 2.36) and "razor-agents-sdk" (I got 2.03). These will be in ...tar.gz "tarball" format.

2. Go to http://www.spamassassin.org and download the latest version of SpamAssassin in tar.gz format (I got 2.60-rc3).

3. Go to http://www.ijs.si/software/amavisd, hit "Download" and get the latest version in tarball format (I got version 20030616-p5). Right-click on the "md5 sum" right next to it and "Save Link Target as" and put it in /usr/local/src, too.

OK, now let's:

pull the Ethernet cable

We won't be needing the connection for a bit (and until we have the box better secured, we'll minimize it's exposure).

---

Installing Razor

We won't need the GUI for this, so you can exit it, or just use a terminal window. Let's go to our download directory and unpack razor, then compile and install it:

cd /usr/local/src

tar xzvf razor-agents-sdk-#.#.tar.gz

(as always, replace the #.# stuff with the numbers of your version)

cd razor-agents-sdk-#.#

perl Makefile.PL

make

make install

OK, done with the "sdk" part... now:

cd ..

tar xzvf razor-agents-#.#.tar.gz

cd razor-agents-#.#

perl Makefile.PL

make

make test

make install

---

Installing SpamAssassin

First, we need to change a language setting:

vi /etc/sysconfig/i18n

Change the "LANG" value from "en_US.UTF-8" to simply "en_US"

save, and exit vi

-reboot the box:

reboot

When it is back up, log in as root and:

cd /usr/local/src

tar xzvf Mail-SpamAssassin-#.#.tar.gz

cd Mail-SpamAssassin-#.#

perl Makefile.PL

Here you will be prompted, asking for an email address for "users who want more information on your filter installation". I'd recommend using "postmaster@domain1.com" or something similar.

When prompted asking if you want to run Razor v2 tests you can reply "y", and if no errors, continue on: (if you get an error about "pod2man" you don't have the value set right in /etc/sysconfig/i18n - fix it and reboot again)

make

make install

---

"Installing" amavisd-new

Run these commands:

cd ..

md5sum amavisd-new-#######.tar.gz > my-amavis-md5sum

cat my-amavis-md5sum

cat amavisd-new-########.tar.gz.md5

(Make sure you get the "md5" on the end of that last one!)

Now compare the hash value of the output from the above 2 commands!

If the hash values don't match exactly, you have a corrupted or forged amavisd-new file. Don't use it. Stop, figure out why, and fix it. Then go on:

tar xzvf amavisd-new-########.tar.gz

cd amavisd-new-########

*Note: If you have a version of amavis different than what I mentioned in the download instructions above, read the INSTALL file in this directory to see if the instructions for setting up amavisd-new have changed from what I am describing below.

There isn't really an "install" to amavis, you just move two files into their places:

cp amavisd /usr/local/sbin

cp amavisd.conf /etc

Configuring amavisd-new

First, make a backup of the amavisd config file:

cp /etc/amavisd.conf /etc/amavisd.conf-original

Next, we'll edit this file, but first let me just mention that this file is a very important part of configuration control in your spam system. There are many settings in here. I won't cover all of them by any means. But this file is one of those heavily commented config files that some hate, others love. I recommend you return and spend some time reading in here, after this system is all set up, to learn more about just what you can do with amavisd. But be careful, and always back up before you change anything!

vi /etc/amavisd.conf

Locate the line that begins with: $mydomain = 'example.com' and change the value from: 'example.com' to 'domain1.com'

Do I still need to remind people to change my example value "domain1.com" with the appropriate value? Surely not...

Locate the line that begins with $daemon_user, and change the value from: 'vscan' to 'amavis'

Locate the line that begins with $daemon_group, and change the value from: 'sweep' to 'amavis'

Scroll down to the line that begins with: # @bypass_virus_checks_acl . . . .

And remove the "#" symbol at the front of this line

This last one removes all anti-virus code from amavis. Since we're only interested in anti-spam functionality, for us, this is a good thing.

Locate the line that begins with: #$warnspamsender = 1; . . . and remove the leading # symbol, to make amavis send a bounce message whenever an email is quarantined as spam.

Of course, this is your call, but strict RFC compliance calls for notifying the sender whenever you don't deliver to a recipient. I do it, even though it does mean I always have a small stack of emails in the queue headed to obviously bogus sender addresses. This doesn't have much effect on the server's performance.

Next, locate the line that begins like this: $mailfrom_notify_spamadmin . . . and change "spam.police\@$mydomain"; to "postmaster\@domain1.com";
Next, locate the line that looks like this: #$spam_quarantine_to = 'spam-quarantine'; and insert a # symbol at the beginning of that line
On the very next line, you'll see: #$spam_quarantine_to = "spam-quarantine\@$mydomain"; Here, remove the leading # symbol.
(And make sure you have an emailbox for this address on a destination server - This is where you will review quarantined emails, and will forward on any "false positives" to the proper recipient.)
*Alternative:* Instead of delivering the spam to an emailbox on the internal server, drop it into a folder right on the spamfilter. To do that, comment out the "spam_quarantine_to" line above that references the email address, and instead select and indicate a folder name for the value "spam_quarantine_to". (Read the comments in this area of amavisd.conf for more info.)

---

Installing amavisd prerequisites

We'll get these prerequisites from CPAN, which is a fantastic service on the Net that provides perl code, so we don't have to go to a bunch of different web/ftp servers to get what we need. There is a LOT of stuff we need, though, so this will take a while. Grab a soda and plug in to the Ethernet:

cd

perl -MCPAN -e shell

at the prompt asking if you are ready to manually configure, type "no" (we'll let it autoconfigure)

*If at any point you are prompted for unsatisfied dependencies and asked if you want to "prepend them to the queue", choose "y" for "yes". If at any time you get prompted asking if you want to modify/update your configuration, reply yes also. You might also get a message saying the servers are too busy or "maximum connections", and you don't get that piece installed. Just wait a second, and try again. Keep at it until all these are on your machine. If at any point it seems to just be hung/not moving, wait at least 30 seconds, and hit the Enter key.

(Watch capitalization, and symbols need to be EXACT):

install MD5

then just be patient until it finishes the install and returns you to the cpan prompt...

Then go on...

install Compress::Zlib

install Archive::Tar

install Archive::Zip

install IO::Stringy

install Mail::Internet

install Net::Server

install Convert::TNEF

install Convert::UUlib

install MIME::Base64

install MIME::Parser

(The next one prompts: "Do you want me to perform hostname lookups?" responded n for no. (we don't need this tested now), it will prompt you with "Enter a list of available NNTP hosts" -just hit Enter. It will ask about several other kinds of hosts, like SMTP, POP3, etc. -just hit Enter. Then a prompt will ask if "you have a firewall/ftp proxy between your machine and the internet" Answer appropriately for your situation, then comes a prompt for "Should all FTP connections be passive? hit Enter (for yes). Then, when prompted, provide your internet domain name (e.g. domain1.com), and for "Do you want me to run these tests?" reply no.

install Net::SMTP

install Digest::MD5

install Time::HiRes

install Unix::Syslog

install BerkeleyDB

q

I have run into people saying that a certain server has timed out, or is unreacheable with CPAN installations, be patient, and try again at different times, they will come I promise. :)

Before we run Amavisd-new for the first time, we need to create some default directories for Amavisd to function without error:

mkdir /var/amavis/tmp

mkdir /var/amavis/db

mkdir /var/amavis/var

chown amavis:amavis -R /var/amavis/tmp

chown amavis:amavis -R /var/amavis/db

chown amavis:amavis -R /var/amavis/var

---

Starting amavisd-new

Let's give amavisd a little test run:

amavisd stop

amavisd debug

After just a few moments, if you have something misconfigured, amavisd will tell you. If you have an error in /etc/amavisd.conf, it will give you a line number and a brief explanation. Fix anything wrong. This will mean reading closely any error messages, and possibly reading files in /usr/local/src/amavisd-new-########, etc. There are friends at the amavis mailing lists waiting to help...

If everything is OK, you will see a lot of lines scroll that look like text log entries (exactly what debug mode does - logs to the screen), and the last item will end with "Parent ready for children". (Only a computer could say that, huh?)

Use the Ctrl-C key combination to exit amavis.

You can ignore the lines above this that talk about things like "No $unfreeze - not using it", and "No zoo", yada, yada. Unfreeze and zoo and the rest of those are similar to [un]zip and other [de]compression utilities. Useful if scanning email for hidden viruses, but we won't bother to open such unusual compressed/archived file attachments to look for spam. FYI, though, each time amavis starts up normally on your box, all these lines will be recorded in the system log files.

Obviously, we'll want amavisd-new to start at boot, and we'll want it to fire up BEFORE postfix, so when postfix directs mail to its filtering friend, the friend will be there to answer the call. We'll put an init script for amavis where it goes, and set it to start amavis at boot:

cp /usr/local/src/amavisd-new-########/amavisd_init.sh /etc/init.d/amavisd

chmod u+x /etc/init.d/amavisd

chkconfig --add amavisd

vi /etc/init.d/amavisd

Change the line: prog="/usr/sbin/amavisd" to: prog="/usr/local/sbin/amavisd"

*For those admins wondering, you do NOT need to do anything further to make amavisd-new run as the "amavis" user. The program itself will do this, keeping it from having root priviledges. Postfix, BTW, will also run automatically as another user: "postfix", not as root.


Give ownership to the Spamassassin folders to amavisd, and test a Start-up

chown amavis:amavis -R /usr/share/spamassassin

Razor2 configuration

An individual who set this system up recently pointed out that this document does not cover proper Razor configuration. I have not tested his instructions yet, but I have reasonable confidence that they are accurate. I provide the following link to a page, which he has created, covering this configuration. If you do not follow the instructions on his page, your spamfilter will run fine, but apparently will not take advantage of the Razor capabilities. I will be going through this Razor configuration procedure myself within the next few weeks (when I get TIME!!!!!) and will update this document accordingly then. Here is the page. (Please note that any line on his doc that begins with a # symbol means to type that command in, as root.)


...OK, let's see if we can fire this system up! Type:

/etc/init.d/amavisd start

/etc/init.d/postfix start

From each command, you should see a line indicating that the program started successfully. This is indicated by "OK" appearing on each line. If instead the word "FAILED" appears on either line, you've got a config error somewhere with either postfix or amavisd. (Or you already had one or both already running, in which case of course they will "FAIL" to start. You must shut them down first.

OK, you can start them? Great. Let's see if we can connect to amavis. With a little deviation, we will basically follow the doc on your machine at: /usr/src/amavisd-new-########/README_FILES/README.postfix:

telnet 127.0.0.1 10024

You should get a connection response, indicating amavisd-new is "ready". Good. now just drop the connection:

quit

Shut them both down again, Postfix Interruptus:

/etc/init.d/amavisd stop

/etc/init.d/postfix stop

---

---

Required Name resolution

-OK, other mail servers will need to find your server. Set up name resolution of spamfilter.domain1.com to its IP address. How this is done depends on your environment. Bascially, you need to make sure that any box that needs to talk to this mail server can resolve its name, either through appropriate DNS server entries somewhere, or local "hosts" files on those machines.

---

MAILGREP UTILITY:

-While not required, a nice tool to have is "mailgrep.pl", to parse certain data out of the mail logs instead of having to scroll through them, or do the grep commands. Note this tool will not work quite right with Mandrake, as Mandrake by default disperses mail log data to 3 different files under /var/log/mail. You'd have to read up on how this tool works and see if you can make it fit that set up (or change the way Mandrake logs to resemble Red Hat). If you do either, please let me know how this comes out!

This little gem was written by Craig Sanders, but for some reason the links on Craig's web site (http://taz.net.au/postfix) don't work anymore, so I have put a copy on my site (thanks to the GPL Craig released this under, this is all perfectly simple and legal - thanks, Craig!) So, to set this up, download the openlogfile (a perl function to open log files) and mailgrep (a perl script to help search the maillog) utilities, rename them, put them in /usr/bin, and make mailgrep.pl executable:

-plug in the Ethernet cable again... then get to your browser of choice and download the file:

http://www.freespamfilter.org/scripts/mailgrep.pl.txt

-do a "Save as", and save it to /usr/bin

-shorten the name by removing the ".txt" from the end of the file name.

-do the same with:

http://www.freespamfilter.org/scripts/openlogfile.pl.txt

Next, grab "File::MMagic", using CPAN (you know how to do this now!)

-then, pull the Ethernet cable out, and:

chmod +x /usr/bin/mailgrep.pl

-To learn how to use this, just type the command:

mailgrep.pl
*Note: our mail log is not "mail.log" (the default for this tool), so we need to type the correct mail log path and file name - /var/log/maillog -when we use it. E.g., to search for all mail log entries dealing with mail to or from "someuser@somedomain.com", we would use:

mailgrep.pl -s someuser@somedomain.com /var/log/maillog

To see what mailgrep.pl does for you, compare the output of the above to:

grep -i someuser@somedomain.com /var/log/maillog

Of course, these suggest ideas for developing scripts to make these kinds of searches even easier. All of that is left as an exercise for the reader...

---

SPEED UP REBOOTS:
-set grub to 2 second delay, to make remote reboots faster, but still allow you time to respond if you're at the console:

vi /boot/grub/menu.lst

-edit the line: timeout=10 to timeout=2

---

MAIL REPORTS:

-This section will set up an automated preparation of a very nicely laid out report of email activity, and email this report to us once per day, with the previous day's mail statistics, and once weekly, with the stats for the entire previous week.

This section is optional

-first, we need the Date::Calc perl module. Plug into the Ethernet and:

perl -MCPAN -e shell

install Date::Calc

(this will require some other stuff, when prompted, choose yes)

bye

-Then, we need the pflogsumm.pl utility:

cd /usr/bin

Go to: http://jimsun.linxnet.com/postfix_contrib.html Read the instructions and get the latest pflogsumm.pl installed

-pull the Ethernet tubule

-Don't forget to make pflogsumm.pl executable:

chmod +x /usr/bin/pflogsumm.pl

-ROUTINE EMAIL OF LOG SUMMARIES:

-set up cron to prepare and mail pflogsumm results, daily and weekly:

as root:

crontab -e

Enter a blank line or 2 above the existing line using the Enter key, arrow back to the top and type in 2 lines: (replacing "spamfilter.domain1.com" with the name of your mail server) This report will be emailed to wherever you redirected root's email. Obviously you can change this behavior...

The end result should be like:

10 3 * * * /usr/bin/pflogsumm.pl -d yesterday /var/log/maillog 2>&1 |/bin/mail -s "spamfilter.domain1.com - Postfix daily mail summary" root

10 3 * * 0 /usr/bin/pflogsumm.pl /var/log/maillog 2>&1 |/bin/mail -s "spamfilter.domain1.com - Postfix WEEKLY mail summary" username

---

SECURITY:

-Set up some decent security on your box. If you don't know how, plug in to the Ethernet and go to http://www.cisecurity.org and download the latest Linux security benchmark and tools and use them. Not real hard to do, but takes a little time. You can skip this, of course, but do polish your resume if so, and don't keep it on this box, it will be hacked. :)

Just fill out your name and email address, on the cisecurity web page, then download and read the pdf documentation and go through it step by step. It will take an hour or so to do. One note: at the end of this doc it explains how to use ntpd for time service. You NEED to do this, to have accurate time stamps for emails and logs. Important for email servers, it is! (Yoda again...) You can refer to http://www.ntp.org for more information (than you maybe want) on ntp time service, but also for a list of free public time servers you can use. The instructions in the CISecurity pdf file don't explain something I had to do for ntpd to work, however.

If ntp doesn't work for you, after you set it up, do this:

touch /etc/ntp.drift.TEMP

chown ntp /etc/ntp.drift.TEMP

-To learn more on security, read the Linux Security HOWTO document at: http://www.tldp.org/HOWTO/Security-HOWTO/index.html and/or the Red Hat-specific security doc at: http://www.tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/index.html

Configure tripwire

...if desired. For info, see www.tripwire.org (do you notice a pattern here?), or get a good book on it, and of course, read thusly:

man tripwire

---

BACKUPS

-Develop a plan for backups. You need a plan for this, even though this machine won't hold data, for the most part, since all mail will just be forwarded from it, not generally stored on it (unless the mail server it is sending to goes down, in which case it will store all mail until the receiving server becomes available). At the least, you should backup all the configuration files related to the programs in use on this server! Remember if you blow the thing up, you'll be back here reading this document again! (Actually a copy of this HOWTO as the build document for this system might not be a bad idea either...)

A good place to visit regarding Linux backups is http://mkcdrec.ota.be/

---

Make sure the Ethernet cable is plugged in, and reboot the box. You're done, girl. Go test it     :)

---

I'd like to add a good deal of information on tweaking and white/black-listing, etc., but who knows when I'll have time for it. Here's a little bit I have so far:

---

CONFIGURING, WHITELISTING, BLACKLISTING, CHANGING SCORE VALUES, ETC.

-With Amavis and SpamAssassin, you can change many configuration values. Among these are white and blacklisting senders and receivers, altering the scores for various spam-ish email characteristics, and so forth. For those spammers who manage to always score just below your SPAM score threshold, for instance, you can blacklist their domain or specific sending address, as you see fit. Likewise when legitimate email ends up in the spam quarantine mailbox, you can whitelist the sender or domain. You'll be doing this kind of thing several times a day for the first week or two.

If you want to change the score that SpamAssassin gives to a characteristic, you can do that too. These kinds of changes can all be done in one file: /etc/mail/spamassassin/local.cf. You don't want to go into the regular SpamAssassin config files (in /usr/share/spamassassin) and mess with them. Your changes would be overwritten if you upgrade SA in the future, anyway. Remember: all of this has nothing to do with what Postfix does at the "front gate". OK, here are the contents of a ficticious local.cf file, for ideas:

# /etc/mail/spamassassin/local.cf
#
# WHITE AND BLACKLIST FILE, AND SCORE CHANGES
#
# Note: wildcards ARE allowed here.  Please add entries to 
#each list in alpha order, by final domain. 
#

# WHITE-LISTED SENDERS (the good guys):

whitelist_from   *.good-domain.net            # This domain is safe
whitelist_from   *@goodguys.com               # These guys are ok
whitelist_from   dudley.duright@mounties.ca   # He never spams us


# WHITE-LISTED RECEIVERS:
# (Let ALL mail through to these recipients - no scanning for SPAM):

all_spam_to  spam-lover@domain1.com   # He likes it


# BLACK-LISTED SENDERS (the bad guys):

blacklist_from   offers@*.*    
blacklist_from   offerz@*.*
blacklist_from   *@badguys.com     # nasty outlaws
blacklist_from   *@casino-fun.*     # we don't want any of this stuff...


# SCORE CHANGES (Don't mess with these unless you KNOW what 
#                you are doing!

score FORGED_HOTMAIL_RECD      5.50
score WEB_BUGS                 1.50

---

BLOCKING MAIL TO INVALID RECIPIENTS

With the above configuration, email to invalid mailboxes (bogus_address@yourdomain.com) will be processed and sent on the the internal mail server, making it the job of the internal server to reject them. If you would prefer to block all mail to invalid mailboxes at the front gate, (eliminating a bunch of garbage and saving resources on both your spamfilter and your internal mail server!) you just need to give postfix a current list of your valid recipients (and have the system automatically obtain and keep a current list). To do this with Exchange as the internal server, you can use this document. (This was written by Jack VanDenSype. It looks really good, but I haven't tested this myself yet, so don't ask me for help on this)

---

* Note: a good site for email server testing is at: http://zmailer.org/mxverify.html (read the instructions on the page)

---

Some final comments:

Spam traffic in increasing dramatically. And spammers are becoming increasingly sophisticated. Setting this system up won't end your anti-spam project, I'm afraid. You'll catch a LOT of spam with this, but some will keep getting through, and some good emails will get blocked. You'll learn and tweak things as you go forward. Welcome to the learning curve.

My time to provide tech support for this procedure is VERY limited, but if you're in a jam, try me and I'll help if I can. My apologies in advance if I can't help or don't have time. Don't be offended. I will do my best to refer you to someone who can answer your question for you, or point you in a direction that you can troubleshoot and make it work yourself (see and do method)).

If you feel the need to donate to the cause there is a donation link at the top of this document, or on the origional home page. Thanks for your support in advance. There are many ways you can help out with this project, and you can contact me a Dave@freespamfilter.org.

Everyone is welcomed to link to this document, as well as to copy all or any portion of it for their own use and/or to share with others. More specifically, I have selected a Creative Commmons "Share Alike" License to cover this work, which is roughly equivalent to the GPL license used for software:


Creative Commons License.


The author can unfortunately assume no liability for the use of this information. Terribly sorry. If you're standing on someone's shoulders you probably shouldn't try to kick them anyway.


This page created with the incredible "vi" web page builder. :)

About Us | Contact Us | ©2005 freespamfilter.org