SpamAssassin

SpamAssassin is one of the best-known Open Source spam filters. It is now an Apache Foundation project. The main advantage of SpamAssassin is that it integrates many different types of tests – each test adds to or subtracts from the message's "spaminess", and the message gets a final score that combines all the tests. The primary disadvantage of SpamAssassin is that it is relatively slow, because it is written in Perl and runs through a large number of tests. We believe that our boxes are plenty powerful enough to handle the load, especially with some of the Postfix spam-avoidance techniques (such as greylisting) that reduce the number of spam emails that make it into the system.

We're using MailScanner as an interface between Postfix and SpamAssassin. We chose it because it's quite easy to understand, as compared with configuring amavisd and others to interface with Postfix. It was also used on the old AIX systems, so we were able to re-use most of the existing configuration settings.

Installation

apt-get install -y spamassassin
apt-get install -y mailscanner
apt-get install -y razor pyzor dcc-client

Configuration

Run pyzor discover to update pyzor's server list:

pyzor discover

Create a location for MailScanner to put files for SpamAssassin to scan.

mkdir /var/spool/MailScanner/spamassassin
chown -R postfix:postfix /var/spool/MailScanner
chown -R postfix:postfix /var/lib/MailScanner
chown -R postfix:postfix /var/run/MailScanner
chown -R postfix:postfix /var/lock/subsys/MailScanner

Back up the original MailScanner config file.

cp -a /etc/MailScanner/MailScanner.conf /etc/MailScanner/MailScanner.conf.dist

Edit the file /etc/MailScanner/MailScanner.conf to change these lines:

%org-name% = SLUUG
%org-long-name% = St. Louis UNIX Users Group
%web-site% = www.sluug.org
Max Children = 2	# Upped it from 1, to hopefully improve throughput.
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Sendmail2 = /usr/sbin/sendmail

Virus Scanning = no
Virus Scanners = none

Dangerous Content Scanning = no
Quarantine Infections = no
Information Header = 
Always Include SpamAssassin Report = yes
Mark Unscanned Messages = no
Notify Senders = no  # This is the default, but we want to be SURE on this setting!

Virus Modify Subject = no
Filename Modify Subject = no
Content Modify Subject = no
Size Modify Subject = no
Disarmed Modify Subject = no
Spam Modify Subject = no
High Scoring Spam Modify Subject = no
Send Notices = no
Use SpamAssassin = yes  # This is the default.
Required SpamAssassin Score = 5
High SpamAssassin Score = 11
SpamAssassin Timeout = 120
High Scoring Spam Actions = delete
Log Spam = yes
Log Non Spam = yes

Edit /etc/MailScanner/spam.assassin.prefs.conf to add:

razor_config /etc/razor/razor-agent.conf

Edit /etc/razor/razor-agent.conf to add:

razorhome = /etc/razor/
logfile = sys-syslog

Create /etc/postfix/header_checks containing a single line, to have Postfix send all incoming emails to the HOLD queue, where MailScanner will pick them up.

echo '/^Received:/ HOLD' > /etc/postfix/header_checks

Tell Postfix to put everything it receives into the HOLD queue.

postconf -e 'header_checks=regexp:/etc/postfix/header_checks'

Configure MailScanner to run when started.

echo 'run_mailscanner=1' >> /etc/default/mailscanner

Startup

Start the MailScanner daemon:

/etc/init.d/mailscanner start

Restart the Postfix daemon, to have it send incoming emails to the HOLD queue.

/etc/init.d/postfix restart

Testing

Check the logs for errors on startup, using tail -f /var/log/mail.log /var/log/syslog.

MailScanner logs to /var/log/syslog under the name check. (Not sure why it uses that name in the log files instead of its own.)
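
To confirm the edits under Configuration took effect before reading the logs, the check below compares MailScanner.conf with the values this page sets. It is an added example, not part of the original page; the function names ms_get and ms_audit are made up for it.

```shell
#!/bin/sh
# Added example (not from the original page): compare MailScanner.conf with
# the values this page sets. Function names are hypothetical.

# ms_get FILE KEY: print the value from the last line that sets KEY, without
# any trailing "# comment". Accepts both "Key = value" and "Key=value".
ms_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                    # whole-line comment
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            sub(/[ \t]*#.*$/, "", v)           # inline comment
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }
    ' "$1"
}

# ms_audit FILE: list settings that differ; exit status = number of mismatches.
ms_audit() {
    mismatches=0
    while IFS='|' read -r key want; do
        got=$(ms_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '$got', page sets '$want'"
            mismatches=$((mismatches + 1))
        fi
    done <<'EOF'
Run As User|postfix
Run As Group|postfix
Incoming Queue Dir|/var/spool/postfix/hold
Outgoing Queue Dir|/var/spool/postfix/incoming
MTA|postfix
Notify Senders|no
Required SpamAssassin Score|5
High SpamAssassin Score|11
High Scoring Spam Actions|delete
EOF
    return "$mismatches"
}

# Usage: ms_audit /etc/MailScanner/MailScanner.conf
```

A "Notify Senders" mismatch deserves attention first: with sender notification on, forged sender addresses on spam turn the server into a source of backscatter.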

Notes

All SpamAssassin settings are global in nature and not settable on a per-user basis. This is the reason that we set the delete threshold so high – some users may want a higher threshold than others. Those that want a lower threshold can do so using procmail filters (or whichever other delivery agent we choose). Those wanting special rules will also have to set them up as procmail filters.

TODO

We should really not use MailScanner's preferred method of picking up emails from the HOLD queue and injecting them back into the Postfix system via the INCOMING queue. Postfix documentation says that this method is not supported. Instead, there should be an SMTP-type listener added to /etc/postfix/master.cf, which will submit the scanned messages back into Postfix via another SMTP listener (also listed in master.cf) on another port. I believe amavisd supports this method. One main reason we went with MailScanner (at least at first) is that it's easier to configure than figuring out how to configure all the required services in master.cf.
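
The Postfix-supported arrangement this item describes looks roughly like the following, shown as an added example rather than this site's configuration. The service name scan, the ports 10025/10026 and the process limit of 2 are assumptions; the scanner itself (amavisd, for instance) must listen on 10025 and deliver to 10026.

```conf
# ADDED EXAMPLE - not this site's configuration. Service name "scan",
# ports 10025/10026 and the process limit (2) are assumptions.

# --- /etc/postfix/main.cf ---
# Hand every message to the filter over SMTP. This is used instead of the
# header_checks HOLD rule, so queue files are never touched from outside.
content_filter = scan:[127.0.0.1]:10025
# Do address rewriting once, after the filter, not before it.
receive_override_options = no_address_mappings

# --- /etc/postfix/master.cf ---
# SMTP client that delivers unfiltered mail to the filter.
scan      unix  -       -       n       -       2       smtp
    -o smtp_send_xforward_command=yes
    -o disable_mime_output_conversion=yes
    -o smtp_generic_maps=

# Loopback-only listener that takes scanned mail back from the filter.
# content_filter is emptied here so the message is not filtered again,
# and only 127.0.0.0/8 may submit, so the port cannot be used as a relay.
127.0.0.1:10026 inet n  -       n       -       2       smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

The smtpd_relay_restrictions override applies to Postfix 2.10 and later; older versions do not have that parameter.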

Configure SpamAssassin more like Michelob/Dark. Their local.cf file looks like this:

# If this option is set to 0, incoming spam is only modified by adding
# some `X-Spam-' headers and no changes will be made to the body.
report_safe 0
ok_languages            en
# Trusted networks are assumed to not be originating spam.
clear_trusted_networks
trusted_networks   128.252.19.8   # michelob
trusted_networks   128.252.19.9   # dark
# Internal networks are other potential MXes for our domain.
clear_internal_networks
internal_networks  128.252.19.8   # michelob
internal_networks  128.252.19.9   # dark
internal_networks  206.196.99.162 # bud
internal_networks  206.196.99.163 # budlight
# Assume we always have DNS lookups available.
dns_available yes
# The score threshold below which a mail has to score, to be fed into
# SpamAssassin's learning systems automatically as a non-spam message.
bayes_auto_learn_threshold_nonspam -1.1
# The score threshold above which a mail has to score, to be fed into
# SpamAssassin's learning systems automatically as a spam message.
bayes_auto_learn_threshold_spam 11.0
# For feeding spam and ham for saved messages, mailboxes
# or directories:
# Change X-YOURDOMAIN-COM to match your %org-name% as 
# set in MailScanner.conf
bayes_ignore_header X-SLUUG-MailScanner
bayes_ignore_header X-SLUUG-MailScanner-SpamCheck 
bayes_ignore_header X-SLUUG-MailScanner-SpamScore 
bayes_ignore_header X-SLUUG-MailScanner-Information
# When using MailScanner, this is highly recommended.
bayes_auto_expire 0
# What should be the maximum size of the Bayes tokens database?
bayes_expiry_max_db_size 600000
lock_method flock
use_auto_whitelist 0
# This should be explicitly set for MailScanner
envelope_sender_header X-MailScanner-From
# Reduce timeouts for RBSLs.
rbl_timeout 20
razor_timeout 10
pyzor_timeout 10

Anti-virus

apt-get install clamav unrar lha arj unzoo

Edit /etc/MailScanner/MailScanner.conf:

Virus Scanning=yes
Virus Scanners=clamav

and restart mailscanner.

For some reason, even though "Still Deliver Silent Viruses" is set to "no", the system is delivering messages stripped of infected attachments. This is contrary to the documentation in MailScanner.conf. Accordingly, virus scanning is now turned off.

Credits

Installed, configured, and documented by Craig Buchek.

Based on Mike Knight's MailScanner configuration on our AIX servers.

These articles helped me figure out how to configure Postfix and MailScanner to work together:

These articles helped me figure out why MailScanner was stopping without restarting, due to razor putting its log file in /var/spool/postfix/hold:


build/spam.txt · Last modified: 2007/09/16 21:46 by 75.132.107.251