/[gentoo]/xml/htdocs/doc/en/mailfilter-guide.xml
Gentoo

Contents of /xml/htdocs/doc/en/mailfilter-guide.xml

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.22 - (show annotations) (download) (as text)
Wed Mar 2 09:16:17 2011 UTC (3 years, 6 months ago) by nightmorph
Branch: MAIN
Changes since 1.21: +9 -22 lines
File MIME type: application/xml
remove instructions to use an outdated patched version of smtpclient in favor of the more recent version. also fixed some guidexml, and replaced the deprecated package.keywords with package.accept_keywords

1 <?xml version='1.0' encoding='utf-8'?>
2 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
3 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/mailfilter-guide.xml,v 1.21 2008/05/20 20:12:23 swift Exp $ -->
4
5 <guide>
6 <title>Gentoo mailfiltering gateway guide</title>
7
8 <author title="Author">
9 <mail link="jaervosz@gentoo.org">Sune Kloppenborg Jeppesen</mail>
10 </author>
11 <author title="Contributor">
12 <mail link="gentoo@hilli.dk">Jens Hilligsøe</mail>
13 </author>
14 <author title="Editor">
15 <mail link="nightmorph@gentoo.org">Joshua Saddler</mail>
16 </author>
17
18 <abstract>
19 This guide is step-by-step guide for installing spam fighting technologies for
20 Postfix. Among them Amavisd-new using Spamassassin and ClamAV, greylisting and
21 SPF.
22 </abstract>
23
24 <!-- The content of this document is licensed under the CC-BY-SA license -->
25 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
26 <license/>
27
28 <version>1</version>
29 <date>2011-03-02</date>
30
31 <chapter>
32 <title>Introduction</title>
33 <section>
34 <body>
35
36 <p>
37 This guide describe step by step how to install a spam and virus filtering mail
38 gateway. It is quite simple to adopt this to a single server solution.
39 </p>
40
41 </body>
42 </section>
43 <section>
44 <title>The big picture</title>
45 <body>
46
47 <p>
48 This document describe how to setup a spam filtering mail gateway with
49 multiple domains. This server is meant to run in front of the mail
50 servers actually keeping the mail accounts i.e. Microsoft Exchange or
51 Lotus Notes.
52 </p>
53
54 <p>
55 In this setup applications with good security records and readable
56 configuration files have been chosen. The email MTA is postfix which
57 has a good security record and is fairly easy to setup right.
58 Postfix will listen normally on port 25 for incoming mail. Upon reception it
59 will forward it to Amavisd-new on port 10024. Amavisd-new will then filter
60 the mail through different filters before passing the mail back to Postfix
61 on port 10025 which in turn will forward the mail to the next mail server.
62 </p>
63
64 <p>
65 Amavisd-new is a content filtering framework utilizing helper applications for
66 virus filtering and spam filtering. In this setup we will be using two helper
67 applications one ClamAV for filtering virus mails and Spamassassin for filtering
68 spam. Spamassassin itself can function as yet another layer of content filtering
69 framework and utilize the helper applications Vipul's Razor2 and DCC.
70 </p>
71
72 <p>
73 Unlike many other spam fighting technologies like RBLs and others Spamassassin
74 does not simply accept or reject a given email based on one single test. It uses
75 a lot of internal tests and external helper applications to calculate a spam
76 score for every mail passed through. This score is based on the following tests:
77 </p>
78
79 <ul>
80 <li>Bayesian filtering</li>
81 <li>Static rules based on regular expressions</li>
82 <li>Distributed and collaborative networks:
83 <ul>
84 <li>RBLs</li>
85 <li>Razor2</li>
86 <li>Pyzor</li>
87 <li>DCC</li>
88 </ul>
89 </li>
90 </ul>
91
92 <p>
93 The first part (chapters 1 to 4) of the guide will describe the basic setup
94 of a mailfiltering gateway. The next chapters can be implemented individually
95 with no dependence between each chapter. These chapters describe how to:
96 </p>
97
98 <ul>
99 <li>
100 setup special IMAP folders for learning of the Bayesian
101 filter and for delivery of false positives
102 </li>
103 <!--
104 <li>setup log analyzers to create daily reports</li>
105 -->
106 <li>setup greylisting with Postfix</li>
107 <li>setup Amavisd-new to use a MySQL backend for user preferences</li>
108 <li>setup Spamassassin to use a MySQL backend for AWL and Bayes data</li>
109 </ul>
110
111 <note>
112 The IMAP folders will be using the maildir format. Having each mail in a
113 separate file makes handling much simpler. If you're using mbox I propose to
114 give maildir a try. If you're not already using maildir emerge the necessary
115 tools with <c>emerge courier-imap</c>.
116 </note>
117
118 <p>
119 A planned fifth part will contain various tips regarding performance and things
120 you may want to know (running chrooted, postfix restrictions, etc.).
121 </p>
122
123 <note>
124 Delegating responsibility to third parties is not without risks. You have to
125 know and trust these third parties. In this setup only the decision to
126 quarantine virus mails are based on a single third party. Using Spamassassin's
127 scoring system the decision to stop spam mails are not made by a single
128 authority except perhaps Spamassassins own static rules.
129 </note>
130
131 <warn>
132 When rejecting spam mails at the MTA level you have to be very careful when
133 selecting the RBL's you want to use, i.e. SpamCop is a bad RBL to use at the MTA
134 level because you will experience false positives because sometimes their
135 listing is just too aggressive. Further info at <uri
136 link="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?UNIX03/Realtime_Blackhole_Lists_Are_Bad">Realtime
137 Blackhole Lists Are Bad</uri> and <uri
138 link="http://theory.whirlycott.com/~phil/antispam/rbl-bad/rbl-bad.html">The Spam
139 Problem: Moving Beyond RBLs</uri>
140 </warn>
141
142 </body>
143 </section>
144 <section>
145 <title>Preparations</title>
146 <body>
147
148 <p>
149 Before you start make sure that you have a working Postfix installation where
150 you can send and receive mails also you need a backend mailserver. If you're not
151 experienced with setting up Postfix it might quickly become too complicated if
152 all should be set up at once. If you need help you can find it in the excellent
153 <uri link="http://www.gentoo.org/doc/en/virt-mail-howto.xml">Virtual
154 Mailhosting System with Postfix Guide</uri> in the Gentoo Documentation.
155 </p>
156
157 </body>
158 </section>
159 </chapter>
160
161 <chapter>
162 <title>Installing the programs needed</title>
163 <section>
164 <body>
165
166 <p>
167 We start out by installing the most important programs: Amavisd-new,
168 Spamassassin and ClamAV.
169 </p>
170
171 <pre caption="Installing Amavis, Spamassassin and Clamav">
172 # <i>emerge amavisd-new spamassassin clamav </i>
173 </pre>
174
175 <note>
176 As previously mentioned you should already have a working <c>postfix</c>
177 instance running on the box. Basically this shouldn't be much more than
178 <c>emerge postfix</c> <e>and</e> have a basic understanding of how Postfix is
179 working.
180 </note>
181
182 </body>
183 </section>
184 <section>
185 <title>Setting up DNS</title>
186 <body>
187
188 <note>
189 If you're not setting up a gateway server but have the mailboxes on
190 the same server you only have to create the MX-Record.
191 </note>
192
193 <p>
194 While the programs are emerging fire up another shell and create the needed DNS
195 records.
196 </p>
197
198 <p>
199 Start out by creating a <c>MX</c> record for the mail gateway and an <c>A</c>
200 record for the next destination.
201 </p>
202
203 <pre caption="Setting up DNS">
204 <comment>(Create a MX record for the gateway server)</comment>
205 MX 10 mailgateway.mydomain.tld.
206 <comment>(Create an A record for the gateway server)</comment>
207 mailgateway A mgw.ip.add.here
208 <comment>(Create an A record for the next hop mail server)</comment>
209 mail A ms.ip.add.here
210 </pre>
211
212 <note>
213 Some ADSL providers might block port 25 and force you to relay mail through one
214 of their servers. Typically you have to create a secondary MX-Record
215 like <c>MX 20 backup-mx.some-isp.tld</c>
216 </note>
217
218 </body>
219 </section>
220 <section>
221 <title>Opening the firewall</title>
222 <body>
223
224 <p>
225 In addition to allowing normal mail traffic you have to allow a
226 few services through your firewall to allow the network checks to
227 communicate with the servers.
228 </p>
229
230 <table>
231 <tr>
232 <th>Application</th><th>Protocol</th><th>Port</th>
233 </tr>
234 <tr>
235 <ti>DCC</ti><ti>UDP</ti><ti>6277</ti>
236 </tr>
237 <tr>
238 <ti>Razor(outgoing ping)</ti><ti>TCP</ti><ti>7</ti>
239 </tr>
240 <tr>
241 <ti>Razor</ti><ti>TCP</ti><ti>2703</ti>
242 </tr>
243 </table>
244
245 <p>
246 Razor uses pings to discover what servers are closest to it.
247 </p>
248
249 </body>
250 </section>
251 <section>
252 <title>Configuring Postfix</title>
253 <body>
254
255 <p>
256 First we have to tell <c>postfix</c> to listen on port 10025 and we remove most
257 of the restrictions as they have already been applied by the <c>postfix</c>
258 instance listening on port 25. Also we ensure that it will only listen for local
259 connections on port 10025. To accomplish this we have to add the following at
260 the end of <path>/etc/postfix/master.cf</path>
261 </p>
262
263 <pre caption="Changing the master.cf file">
264 smtp-amavis unix - - n - 2 smtp
265 -o smtp_data_done_timeout=1200
266 -o smtp_send_xforward_command=yes
267 <comment>#Equivalently when using lmtp:
268 #lmtp-amavis unix - - n - 2 lmtp
269 # -o lmtp_data_done_timeout=1200
270 # -o lmtp_send_xforward_command=yes</comment>
271
272 127.0.0.1:10025 inet n - n - - smtpd
273 -o content_filter=
274 -o local_recipient_maps=
275 -o relay_recipient_maps=
276 -o smtpd_restriction_classes=
277 -o smtpd_client_restrictions=
278 -o smtpd_helo_restrictions=
279 -o smtpd_sender_restrictions=
280 -o smtpd_recipient_restrictions=permit_mynetworks,reject
281 -o mynetworks=127.0.0.0/8
282 -o strict_rfc821_envelopes=yes
283 -o smtpd_error_sleep_time=0
284 -o smtpd_soft_error_limit=1001
285 -o smtpd_hard_error_limit=1000
286
287 <comment>#If you want to use proxy filtering instead
288 #smtp inet n - n - 8 smtpd
289 # -o smtpd_proxy_filter=127.0.0.1:10024
290 # -o smtpd_client_connection_count_limit=4
291 #If you don't want to scan outgoing mail use this
292 #10.0.0.2:smtp inet n - n - - smtpd
293 #-o content_filter=</comment>
294 </pre>
295
296 <note>
297 The <c>smtp-amavis</c> line specifies that a maximum of two of these processes
298 may run at any time. If you need a greater degree of concurrency tune this
299 number to fit your needs. Remember that to match the number with
300 <c>$max_servers</c> in <path>amavisd.conf</path>. Keep in mind that
301 <c>amavisd-new</c> is quite memory-intensive and raising the amount of
302 <c>amavisd-new</c> processes too high can easily lead to memory starvation and
303 heavy swapping, which leads to drastically reduced performance.
304 </note>
305
306 <note>
307 If you want to reject spam early on in the process you can use the
308 Before-Queue (proxy) method instead of the filter method. If you uncomment
309 the three lines you will have to set <c>content_filter=</c> in
310 <path>main.cf</path>. This is not recommended for high traffic servers
311 as the number of concurrent connections are limited to the number of
312 amavisd instances.
313 </note>
314
315 <warn>
316 The Before-Queue(proxy) method is still not properly tested.
317 </warn>
318
319 <note>
320 If you, for any reason whatsoever, want to send mail from this box and don't
321 want it scanned, add another postfix instance by uncommenting the last two
322 lines and substitute with a proper IP.
323 </note>
324
325 <p>
326 The file <path>master.cf</path> tells the postfix master program how
327 to run each individual postfix process. More info with <c>man 8
328 master</c>.
329 </p>
330
331 <p>
332 Next we need the main <c>postfix</c> instance listening on port 25 to filter the
333 mail through <c>amavisd-new</c> listening on port 10024.
334 </p>
335
336 <p>
337 We also need to set the next hop destination for mail. Tell Postfix to filter
338 all mail through an external content filter and enable explicit routing to let
339 Postfix know where to forward the mail to.
340 </p>
341
342 <pre caption="Modifying /etc/postfix/main.cf">
343 biff = no
344 empty_address_recipient = MAILER-DAEMON
345 queue_minfree = 120000000
346
347 content_filter = smtp-amavis:[127.0.0.1]:10024
348 <comment>#Equivalently when using lmtp:
349 #content_filter = lmtp-amavis:[127.0.0.1]:10024
350
351 # TRANSPORT MAP
352 #
353 # Insert text from sample-transport.cf if you need explicit routing.</comment>
354 transport_maps = hash:/etc/postfix/transport
355
356 relay_domains = $transport_maps
357 </pre>
358
359 <p>
360 Postfix has a lot of options set in <path>main.cf</path>. For further
361 explanation of the file please consult <c>man 5 postconf</c> or the
362 same online <uri link="http://www.postfix.org/postconf.5.html">Postfix
363 Configuration Parameters</uri>.
364 </p>
365
366 <p>
367 The format of the <path>transport</path> file is the normal Postfix hash file.
368 Mail to the domain on the left hand side is forwarded to the destination on the
369 right hand side.
370 </p>
371
372 <pre caption="/etc/postfix/transport">
373 mydomain.tld smtp:mail.mydomain.tld
374 </pre>
375
376 <p>
377 After we have edited the file we need to run the <c>postmap</c> command. Postfix
378 does not actually read this file so we have to convert it to the proper format
379 with <c>postmap /etc/postfix/transport</c>. This creates the file
380 <path>/etc/postfix/transport.db</path>. There is no need to reload Postfix as it
381 will automatically pick up the changes.
382 </p>
383
384 <note>
385 If the next hop mail server is not listening on the standard SMTP port 25 you
386 can tell postfix to use a given port number, like
387 <c>smtp:mail.mydomain.tld:25000</c>.
388 </note>
389
390 <p>
391 If your first attempts to send mail result in messages bouncing, you've likely
392 made a configuration error somewhere. Try temporarily enabling
393 <c>soft_bounce</c> while you work out your configuration issues. This prevents
394 postfix from bouncing mails on delivery errors by treating them as temporary
395 errors. It keeps mails in the mail queue until <c>soft_bounce</c> is disabled or
396 removed.
397 </p>
398
399 <pre caption="Enabling soft_bounce">
400 # <i>postconf -e "soft_bounce = yes"</i>
401 # <i>/etc/init.d/postfix reload</i>
402 </pre>
403
404 <p>
405 Once you've finished creating a working configuration, be sure to disable
406 or remove <c>soft_bounce</c> and reload postfix.
407 </p>
408
409 </body>
410 </section>
411 <section>
412 <title>Configuring Amavisd-new</title>
413 <body>
414
415 <p>
416 Amavisd-new is used to handle all the filtering and allows you to easily glue
417 together severel different technologies. Upon reception of a mail message it
418 will extract the mail, filter it through some custom filters, handle white and
419 black listing, filter the mail through various virus scanners and finally it
420 will filter the mail using SpamAssassin.
421 </p>
422
423 <p>
424 Amavisd-new itself has a number of extra features:
425 </p>
426
427 <ul>
428 <li>
429 it identifies dangerous file attachments and has policies to handle them
430 </li>
431 <li>
432 per-user, per-domain and system-wide policies for:
433 <ul>
434 <li>whitelists</li>
435 <li>blacklists</li>
436 <li>spam score thresholds</li>
437 <li>virus and spam policies</li>
438 </ul>
439 </li>
440 </ul>
441
442 <p>
443 Apart from <c>postfix</c> and <c>freshclam</c> we will run all applications as
444 the user <c>amavis</c>.
445 </p>
446
447 <!--
448 <pre caption="/etc/passwd">
449 amavis:x:1010:413:added by portage for amavisd-new:/var/amavis:/bin/bash
450 </pre>
451 -->
452
453 <!--
454 <p>
455 Create the new home directory and set the proper permissions.
456 </p>
457
458 <pre caption="Create the new home directory and set the proper permissions">
459 # <i>mkdir /var/amavis</i>
460 # <i>chown amavis:amavis /var/amavis</i>
461 # <i>chmod 750 /var/amavis</i>
462 </pre>
463 -->
464
465 <p>
466 Edit the following lines in <path>/etc/amavisd.conf</path>
467 </p>
468
469 <pre caption="Editing /etc/amavisd.conf">
470 <comment>(Insert the domains to be scanned)</comment>
471 $mydomain = 'example.com';
472 <comment>(Bind only to loopback interface)</comment>
473 $inet_socket_bind = '127.0.0.1';
474 <comment>(Forward to Postfix on port 10025)</comment>
475 $forward_method = 'smtp:127.0.0.1:10025';
476 $notify_method = $forward_method;
477 <comment>(Define the account to send virus alert emails)</comment>
478 $virus_admin = "virusalert\@$mydomain";
479 <comment>(Always add spam headers)</comment>
480 $sa_tag_level_deflt = -100;
481 <comment>(Add spam detected header aka X-Spam-Status: Yes)</comment>
482 $sa_tag2_level_deflt = 5;
483 <comment>(Trigger evasive action at this spam level)</comment>
484 $sa_kill_level_deflt = $sa_tag2_level_deflt;
485 <comment>(Do not send delivery status notification to sender. It does not affect
486 delivery of spam to recipient. To do that, use the kill_level)</comment>
487 $sa_dsn_cutoff_level = 10;
488 <comment>Don't bounce messages left and right, quarantine
489 instead</comment>
490 $final_virus_destiny = D_DISCARD; # (defaults to D_DISCARD)
491 $final_banned_destiny = D_DISCARD; # (defaults to D_BOUNCE)
492 $final_spam_destiny = D_DISCARD; # (defaults to D_BOUNCE)
493 </pre>
494
495 <note>
496 With this line <c>$sa_tag2_level_deflt = 5;</c> you set the Spamassassin spam
497 score to 5. This might be a bit low. As you might have noticed the Amavisd-new
498 default is <c>6.3</c>. If you don't want to see a single spam mail in your
499 mail folder choose <c>5</c>, but if you don't want to deal with false positives
500 choose <c>6.3</c>.
501 </note>
502
503 <p>
504 Create a quarantine directory for the virus mails as we don't want these
505 delivered to our users.
506 </p>
507
508 <pre caption="Create a quarantine directory for the virus mails">
509 # <i>mkdir /var/amavis/virusmails</i>
510 # <i>chown amavis:amavis /var/amavis/virusmails</i>
511 # <i>chmod 750 /var/amavis/virusmails</i>
512 </pre>
513
514 <note>
515 Amavisd-new offers finer policy tuning by using policy banks.
516 </note>
517
518 </body>
519 </section>
520 <section>
521 <title>Configuring ClamAV</title>
522 <body>
523
524 <p>
525 As virus scanner we use ClamAV as it has a fine detection rate comparable with
526 commercial offerings, it is very fast and it is Open Source Software. We love
527 log files, so make <c>clamd</c> log using <c>syslog</c> and turn on
528 verbose logging. Also do not run <c>clamd</c> as <c>root</c>. Now edit
529 <path>/etc/clamd.conf</path>
530 </p>
531
532 <pre caption="Edit /etc/clamd.conf">
533 <comment>(Verbose logging with syslog)</comment>
534 LogSyslog
535 LogVerbose
536 LogFacility LOG_MAIL
537 <comment>(Change pid file location)</comment>
538 PidFile /var/run/amavis/clamd.pid
539 <comment>(Set the clamav socket)</comment>
540 LocalSocket /var/amavis/clamd
541 <comment>(Close the connection when this limit is exceeded)</comment>
542 StreamMaxLength 10M
543 <comment>(Don't run clamd as root)</comment>
544 User amavis
545 <comment>(Newer versions require you to uncomment this)</comment>
546 ScanMail
547 ScanArchive
548 </pre>
549
550 <note>
551 Also remember to remove the Example directive to make ClamAV work
552 </note>
553
554 <p>
555 ClamAV comes with the <c>freshclam</c> deamon dedicated to periodical checks
556 of virus signature updates. Instead of updating virus signatures twice a day
557 we will make <c>freshclam</c> update virus signatures every two hours.
558 </p>
559
560 <pre caption="Edit /etc/freshclam.conf">
561 <comment>(Syslog logging)</comment>
562 LogSyslog
563 <comment>(Verbose logging)</comment>
564 LogVerbose
565 <comment>(Explicitly drop root privileges)</comment>
566 DatabaseOwner clamav
567 <comment>(Check for updates every two hours. That is the official recommendation)</comment>
568 Checks 12
569 <comment>(Use the mirror closest to you. Replace XY with your country code</comment>
570 DatabaseMirror db.XY.clamav.net
571 </pre>
572
573 <p>
574 Start <c>clamd</c> with <c>freshclam</c> using the init scripts by modifying
575 <path>/etc/conf.d/clamd</path>.
576 </p>
577
578 <pre caption="Modifying /etc/conf.d/clamd">
579 START_CLAMD=yes
580 FRESHCLAM_OPTS="-d"
581 </pre>
582
583 <p>
584 At last modify <path>amavisd.conf</path> with the new location of the
585 socket.
586 </p>
587
588 <pre caption="Modifying /etc/amavisd.conf">
589 <comment>(Uncomment the clamav scanner and modify socket location)</comment>
590 ['ClamAV-clamd',
591 \&amp;ask_daemon, ["CONTSCAN {}\n", "/var/amavis/clamd"],
592 qr/\bOK$/, qr/\bFOUND$/,
593 qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
594 </pre>
595
596 <warn>
597 Do NOT modify the <c>$unix_socketname</c> unless you know what you're doing.
598 </warn>
599
600 </body>
601 </section>
602 <section>
603 <title>Configuring Vipul's Razor</title>
604 <body>
605
606 <p>
607 Razor2 is a collaborative and distributed spam checksum network. Install it
608 with <c>emerge razor</c> and create the needed configuration files. Do this
609 as user <c>amavis</c> by running <c>su - amavis</c> followed <c>razor-admin
610 -create</c>.
611 </p>
612
613 <pre caption="Creating the required configuration files">
614 # <i>emerge razor</i>
615
616 <comment>(Temporarily set amavis' shell to bash)</comment>
617 # <i>usermod -s /bin/bash amavis</i>
618 # <i>su - amavis</i>
619 $ <i>razor-admin -create</i>
620 $ <i>exit</i>
621
622 <comment>(Reset the shell to /bin/false)</comment>
623 # <i>usermod -s /bin/false amavis</i>
624 </pre>
625
626 </body>
627 </section>
628 <section>
629 <title>Configuring Distributed Checksum Clearinghouse (dcc)</title>
630 <body>
631
632 <p>
633 Like Razor2, dcc is a collaborative and distributed spam checksum network. Its
634 philosopy is to count the number of recipients of a given mail identifying each
635 mail with a fuzzy checksum.
636 </p>
637
638 <pre caption="Installing DCC">
639 # <i>emerge dcc</i>
640 </pre>
641
642 </body>
643 </section>
644 <section>
645 <title>Configuring Spamassassin</title>
646 <body>
647
648 <p>
649 Amavis is using the Spamassassin Perl libraries directly so there is no need to
650 start the service. Also this creates some confusion about the configuration as
651 some Spamassassin settings are configured in
652 <path>/etc/mail/spamassassin/local.cf</path> and overridden by options in
653 <path>/etc/amavisd.conf</path>.
654 </p>
655
656 <pre caption="Create /etc/mail/spamassassin/local.cf">
657 <comment># Enable the Bayes system</comment>
658 use_bayes 1
659
660 <comment># Enable all network checks</comment>
661 skip_rbl_checks 0
662
663 <comment># Mail using languages used in these country codes will not be marked
664 # as being possibly spam in a foreign language.
665 # - danish english norwegian swedish</comment>
666 ok_languages da en no sv
667
668 <comment># Mail using locales used in these country codes will not be marked
669 # as being possibly spam in a foreign language.</comment>
670 ok_locales en
671
672 <comment># Use a sensible bayes path</comment>
673 bayes_path /var/amavis/.spamassassin/bayes
674 </pre>
675
676 <note>
677 With Spamassassin version 3.1 you have to enable DCC, Razor2 by uncommenting
678 the corresponding lines in <path>v310.pre</path>.
679 </note>
680
681 <note>
682 You can find inspiration for your <path>local.cf</path> file by trying the <uri
683 link="http://www.yrex.com/spam/spamconfig.php">SpamAssassin Configuration
684 Generator</uri>.
685 </note>
686
687 <note>
688 You might also want to switch the <c>ok_languages</c> and <c>ok_locales</c>.
689 </note>
690
691 </body>
692 </section>
693 </chapter>
694
695 <chapter>
696 <title>Every good rule has good exceptions as well</title>
697 <section>
698 <body>
699
700 <p>
701 Once mail really starts passing through this mail gateway you will probably
702 discover that the above setup is not perfect. Maybe some of your customers like
703 to receive mails that others wouldn't. You can whitelist/blacklist
704 envelope senders quite easily. Uncomment the following line in
705 <path>amavisd.conf</path>.
706 </p>
707
708 <pre caption="Modifying amavisd.conf to do sitewide scoring">
709 read_hash("/var/amavis/sender_scores_sitewide"),
710 </pre>
711
712 <p>
713 In the <path>sender_scores_sitewide</path> file you put complete email
714 addresses or just the domian parts and then note a positive/negative score
715 to add to the spam score.
716 </p>
717
718 <pre caption="whitelist_sender example">
719 <comment>(Whitelist all emails from the specific email address)</comment>
720 postmaster@example.net -3.0
721 <comment>(Whitelist all emails from the example.net excluding subdomains)</comment>
722 .example.net 1.0
723 </pre>
724
725 <note>
726 See <path>/etc/amavisd.conf</path> for more examples.
727 </note>
728
729 <note>
730 Placing these addresses outside <path>amavisd.conf</path> is a cleaner and safer
731 solution.
732 </note>
733
734 <note>
735 Alternatively it can be done in Spamassassin's configuration file
736 <path>/etc/mail/spamassassin/local.cf</path> but I think it is cleaner
737 to do it in <path>/etc/amavisd.conf</path>.
738 </note>
739
740 <note>
741 In a later chapter I will show how to implement per-user policies using
742 MySQL.
743 </note>
744
745 <p>
746 While waiting for a better method you can add the following to
747 <path>amavisd.conf</path> to bypass spam checks for <c>postmaster</c> and
748 <c>abuse</c> mailboxes.
749 </p>
750
751 <pre caption="By pass spam filters for all postmaster and abuse mails">
752 map { $bypass_spam_checks{lc($_)}=1 } (qw(
753 postmaster@
754 abuse@
755 ));
756 </pre>
757
758 <impo>
759 While we are at it we should <e>never</e> automatically discard mails to the
760 <c>postmaster</c> or the <c>abuse</c> accounts. See <uri
761 link="http://www.ietf.org/rfc/rfc2142.txt">RFC 2142 MAILBOX NAMES FOR COMMON
762 SERVICES, ROLES AND FUNCTIONS</uri>. Otherwise your domains might end up listed
763 in some of the evil lists over at <uri
764 link="http://www.rfc-ignorant.org/">rfc-ignorant.org</uri>.
765 </impo>
766
767 </body>
768 </section>
769 </chapter>
770
771 <chapter>
772 <title>Adding more rules</title>
773 <section>
774 <body>
775
776 <p>
777 If you want to use more rules provided by the SARE Ninjas over at the
778 <uri link="http://www.rulesemporium.com/">SpamAssassin Rules
779 Emporium</uri> you can easily add and update them using
780 the <c>sa-update</c> mechanism included in Spamassassin.
781 </p>
782
783 <p>
784 A brief guide to using SARE rulesets with <c>sa-update</c> can be found <uri
785 link="http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt">here</uri>.
786 </p>
787
788 </body>
789 </section>
790 </chapter>
791
792 <chapter>
793 <title>Testing and finishing up</title>
794 <section>
795 <title>Testing the setup</title>
796 <body>
797
798 <p>
799 Now before you start <c>freshclam</c> you can manually verify that it works.
800 </p>
801
802 <pre caption="Testing freshclam">
803 # <i>freshclam</i>
804 ClamAV update process started at Sun May 2 09:13:41 2004
805 Reading CVD header (main.cvd): OK
806 Downloading main.cvd [*]
807 main.cvd updated (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
808 Reading CVD header (daily.cvd): OK
809 Downloading daily.cvd [*]
810 daily.cvd updated (version: 298, sigs: 1141, f-level: 2, builder: diego)
811 Database updated (21370 signatures) from database.clamav.net (193.1.219.100).
812 </pre>
813
814 <p>
815 Now you have updated virus definitions and you know that
816 <path>freshclam.conf</path> is working properly.
817 </p>
818
819 <p>
820 Test freshclam and amavisd from the cli and amavisd testmails.
821 Start <c>clamd</c> and <c>amavis</c> with the following commands:
822 </p>
823
824 <pre caption="Start amavisd and clamd and reload postfix configuration">
825 # <i>/etc/init.d/clamd start</i>
826 # <i>/etc/init.d/amavisd start</i>
827 # <i>/etc/init.d/postfix reload</i>
828 </pre>
829
830 <p>
831 If everything went well <c>postfix</c> should now be listening for mails on port
832 25 and for reinjected mails on port 10024. To verify this check your log file.
833 </p>
834
835 <pre caption="Checking log files">
836 # <i>tail -f /var/log/mail.log</i>
837 </pre>
838
839 <note>
840 Depending on your log settings the correct path might be
841 <path>/var/log/messages</path>.
842 </note>
843
844 <p>
845 Now if no strange messages appear in the log file it is time for a new
846 test.
847 </p>
848
849 <p>
850 Use <c>netcat</c> to manually connect to <c>amavisd</c> on port 10024
851 and <c>postfix</c> on port 10025.
852 </p>
853
854 <note>
855 Netcat can be used as an advanced replacement for <c>telnet</c>. Install it with
856 <c>emerge netcat</c>.
857 </note>
858
859 <note>
860 For some unknown reason you can not complete a manual mail injection to
861 <c>amavisd</c> with netcat. Use <c>telnet</c> instead.
862 </note>
863
864 <pre caption="Manually checking that amavisd and postfix are listning to the new ports">
865 # <i>nc localhost 10024</i>
866 <comment>(Amavis working)</comment>
867 220 [127.0.0.1] ESMTP amavisd-new service ready
868 <i>nc localhost 10025</i>
869 <comment>(Postfix reinject working)</comment>
870 220 example.com ESMTP Postfix
871 </pre>
872
873 <note>
874 If you want to see the complete output from amavisd-new start
875 <c>amavisd debug-sa</c> as the <c>amavis</c> user and send a mail.
876 For this to work you might have to change the default shell in
877 <path>/etc/passwd</path>.
878 </note>
879
880 <p>
881 Add <c>amavisd</c> and <c>clamd</c> to the <c>default</c> runlevel.
882 </p>
883
884 <pre caption="Add amavisd and clamd to the default runlevel">
885 # <i>rc-update add clamd default</i>
886 # <i>rc-update add amavisd default</i>
887 </pre>
888
889 <note>
890 We do not add <c>spamd</c> to the default runlevel as <c>amavisd</c>
891 uses the Spamassassin Perl libraries directly.
892 </note>
893
894 <note>
895 You might notice <c>Net::Server: Couldn't POSIX::setuid to ...
896 []</c> lines in your log. According to
897 <uri link="http://www.ijs.si/software/amavisd/README.chroot">amavis chroot
898 README</uri>, if the process UID remains 0 (<c>root</c>), the program will
899 terminate, otherwise you can consider the message just as informative.
900 This is because <c>POSIX::setuid()</c> returns a string <c>0 but
901 true</c>.
902 </note>
903
904 <impo>
905 If you enabled login for amavis remember to set back the login shell in
906 <path>/etc/passwd</path> to <c>/bin/false</c>.
907 </impo>
908
909 </body>
910 </section>
911 </chapter>
912
913 <chapter>
914 <title>Autolearning and sidelining emails</title>
915 <section>
916 <title>Creating the spamtrap user</title>
917 <body>
918
919 <p>
920 Create the spamtrap account and directories.
921 </p>
922
923 <pre caption="Create spamtrap account">
924 # <i>useradd -m spamtrap</i>
925 # <i>maildirmake /home/spamtrap/.maildir</i>
926 # <i>chown -R spamtrap:mailusers /home/spamtrap/.maildir</i>
927 <comment>(Give the spamtrap user a sensible password)</comment>
928 # <i>passwd spamtrap</i>
929 </pre>
930
931 <p>
932 If you manually want to check some of the mails to ensure that you have no false
933 positives you can use the following <c>procmail</c> recipe to sideline spam
934 found into different mail folders.
935 </p>
936
937 </body>
938 </section>
939 <section>
940 <title>Creating .procmailrc</title>
941 <body>
942
943 <pre caption="Creating /home/spamtrap/.procmailrc">
944 <comment>#Set some default variables</comment>
945 MAILDIR=$HOME/.maildir
946
947 SPAM_FOLDER=$MAILDIR/.spam-found/
948
949 LIKELY_SPAM_FOLDER=$MAILDIR/.likely-spam-found/
950
951 <comment>#Sort mails with a spamscore of 7+ to the spamfolder</comment>
952 :0:
953 * ^X-Spam-Status: Yes
954 * ^X-Spam-Level: \*\*\*\*\*\*\*
955 $SPAM_FOLDER
956
957 <comment>#Sort mail with a spamscore between 5-7 to the likely spam folder</comment>
958 :0:
959 * ^X-Spam-Status: Yes
960 $LIKELY_SPAM_FOLDER
961
962 <comment>#Sort all other mails to the inbox</comment>
963 :0
964 *
965 ./
966 </pre>
967
968 <warn>
969 If your mail server is going to receive a lot of mail you should NOT
970 use the likely-spam recipe. Instead set <c>$sa_tag2_level_deflt</c>
971 high enough to avoid false positives and filter it directly to
972 <c>$SPAM_FOLDER</c>.
973 </warn>
974
975 <note>
976 If you haven't already installed <c>procmail</c> do it with <c>emerge
977 procmail</c>.
978 </note>
979
980 <p>
981 Now make sure that Postfix uses <c>procmail</c> to deliver mail.
982 </p>
983
984 <pre caption="Modifying /etc/postfix/main.cf">
985 mailbox_command = /usr/bin/procmail -a "DOMAIN"
986 </pre>
987
988 </body>
989 </section>
990 <section>
991 <title>Create mailfolders</title>
992 <body>
993
994 <p>
995 Now we will create shared folders for ham and spam.
996 </p>
997
998 <pre caption="Create the necessary mailfolders">
999 # <i>maildirmake /var/amavis/.maildir</i>
1000 # <i>maildirmake -S /var/amavis/.maildir/Bayes</i>
1001 # <i>maildirmake -s write -f spam /var/amavis/.maildir/Bayes</i>
1002 # <i>maildirmake -s write -f ham /var/amavis/.maildir/Bayes</i>
1003 # <i>maildirmake -s write -f redeliver /var/amavis/.maildir/Bayes</i>
1004 </pre>
1005
1006 <p>
1007 Amavisd-new needs to be able to read these files as well as all mailusers.
1008 Therefore we add all the relevant users to the mailuser group along with amavis.
1009 </p>
1010
1011 <pre caption="Setting the proper permissions">
1012 # <i>groupadd mailusers</i>
1013 # <i>usermod -G mailusers spamtrap</i>
1014 # <i>chown -R amavis:mailusers /var/amavis/.maildir/</i>
1015 # <i>chown amavis:mailusers /var/amavis/</i>
1016 # <i>chmod -R 1733 /var/amavis/.maildir/Bayes/</i>
1017 # <i>chmod g+rx /var/amavis/.maildir/</i>
1018 # <i>chmod g+rx /var/amavis/.maildir/Bayes/</i>
1019 </pre>
1020
1021 <warn>
1022 This grants members of the <c>mailusers</c> groups access to <c>amavis</c>
1023 mail.
1024 </warn>
1025
1026 <p>
1027 This makes the spam and ham folders writable but not readable. This way
1028 users can safely submit their ham without anyone else being able to read it.
1029 </p>
1030
1031 <p>
1032 Then run the following command as the <c>spamtrap</c> user:
1033 </p>
1034
1035 <pre caption="Adding the shared folders to the users mailfolder">
1036 $ <i>maildirmake --add Bayes=/var/amavis/.maildir/Bayes $HOME/.maildir</i>
1037 </pre>
1038
1039 <note>
1040 We have to give the group read permissions on the <path>Bayes</path>
1041 folder in order for the mail client to be able to see the subdirectories used by
1042 IMAP.
1043 </note>
1044
1045 </body>
1046 </section>
1047 <section>
1048 <title>Adding cron jobs</title>
1049 <body>
1050
1051 <p>
1052 Now run <c>crontab -u amavis -e</c> to edit the amavis crontab to
1053 enable automatic learning of the Bayes filter every hour.
1054 </p>
1055
1056 <pre caption="amavis crontab">
1057 <comment>#Auto learn</comment>
1058 0 * * * * /usr/bin/sa-learn --spam /var/amavis/.maildir/Bayes/.spam/{cur,new} \
1059 > /dev/null 2>&amp;1
1060 0 * * * * /usr/bin/sa-learn --ham /var/amavis/.maildir/Bayes/.ham/{cur,new} > \
1061 /dev/null 2>&amp;1
1062 </pre>
1063
1064 <note>
1065 <c>amavis</c> has to be a member of the <c>cron</c> group to run
1066 crons.
1067 </note>
1068
1069 <note>
1070 It seems like the shared maildir folders will make <c>sa-learn</c> examine all
1071 messages twice. This should not be a problem. The output will also show that the
1072 maximum of messages learned from is half or less than the messages examined.
1073 </note>
1074
1075 </body>
1076 </section>
1077 <section>
1078 <title>Modifying amavisd.conf</title>
1079 <body>
1080
1081 <p>
1082 Now modify amavis to redirect spam emails to the <c>spamtrap</c> account and
1083 keep spamheaders.
1084 </p>
1085
1086 <pre caption="Modifying /etc/amavisd.conf">
1087 <comment>(Define the account to send virus spam emails)</comment>
1088 $spam_quarantine_to = "spamtrap\@$myhostname";
1089 </pre>
1090
1091 </body>
1092 </section>
1093 <section>
1094 <title>Redelivering false positives</title>
1095 <body>
1096
1097 <p>
1098 If you set the spam score very low like we do you will probably have some false
1099 positives. These are filtered into the folder <path>likely-spam</path>. These
1100 are manually reviewed and any false positive is moved to the
1101 <path>redeliver</path> mailfolder. From there it is first fed through
1102 <c>sa-learn --ham</c> and then redelivered with all headers intact using <uri
1103 link="http://www.engelschall.com/sw/smtpclient/">smtpclient</uri>.
1104 </p>
1105
1106 <pre caption="Installing smtpclient">
1107 # <i>echo "mail-client/smtpclient" &gt;&gt; /etc/portage/package.accept_keywords</i>
1108 # <i>emerge smtpclient</i>
1109 </pre>
1110
1111 <p>
1112 Check for mails in the <path>redeliver</path> folder every minute using cron.
1113 </p>
1114
1115 <pre caption="amavis crontab">
1116 <comment>#Redeliver false positives</comment>
1117 * * * * * find /var/amavis/.maildir/Bayes/.redeliver/cur/ -type f -name \
1118 "[0-9]*" -exec cp {} /var/amavis/.maildir/Bayes/.ham/cur/ \; \
1119 &amp;&amp; find /var/amavis/.maildir/Bayes/.redeliver/cur/ -type f \
1120 -name "[0-9]*" -exec /usr/local/bin/redeliver.pl {} \;
1121 </pre>
1122
1123 <p>
1124 Now we only have to copy the <c>redeliver.pl</c> file to
1125 <path>/usr/local/bin/</path>. <uri
1126 link="http://home.coming.dk/files/redeliver.pl">Download it</uri> or use
1127 the version below.
1128 </p>
1129
1130 <pre caption="redeliver.pl">
1131 <comment>#!/usr/bin/perl -w
1132
1133 # Redelivers mail using a modified version of smtpclient
1134 # By: Jens Hilligsoe &lt;gentoo@hilli.dk&gt;</comment>
1135
1136 use strict;
1137
1138 if(!($#ARGV == 0)) {
1139 die "Usage:\n$0 maildir_mail\n";
1140 }
1141
1142 my $mail = $ARGV[0];
1143 my $to = "";
1144 my $from = "";
1145
1146 sub prunefile ( $ );
1147
1148 <comment># Retrieve To and From envelope adresses</comment>
1149 open (MAIL, $mail) or die "Could not open $mail: $?\n";
1150 while(&lt;MAIL&gt;) {
1151 if(($to eq "") || ($from eq "")) {
1152 chop;
1153 (my $key, my $value) = split (/:/);
1154 if($key eq "X-Envelope-To") {
1155 $to = $value;
1156 $to =~ s/[\&lt;\&gt;,]//g; # Remove "&lt;", "&gt;" and ","
1157 $to =~ s/^\s+|\s+$//g; #Remove whitespace before and after
1158 }
1159 if($key eq "X-Envelope-From") {
1160 $from = $value;
1161 $from =~ s/[\&lt;\&gt;,]//g;
1162 $from =~ s/^\s+|\s+$//g;
1163 if($from eq "") {
1164 $from = "postmaster";
1165 }
1166 }
1167 }
1168 }
1169
1170 if($to eq "") {
1171 prunefile($ARGV[0]); # Just nuke it if to is empty
1172 } else {
1173 my $redelivercmd = "cat $ARGV[0] | smtpclient -F -S 127.0.0.1 -P 10025 -f $from $to";
1174 unless (system($redelivercmd) == 0 ) {
1175 die "Unable to redeliver: $?";
1176 }
1177 prunefile($ARGV[0]); # Clean up
1178 }
1179
1180 sub prunefile ( $ ) {
1181 my ($file) = @_;
1182 unless (unlink $file) {
1183 die "Unable to remove mail: $?";
1184 }
1185 }
1186 </pre>
1187
1188 </body>
1189 </section>
1190 <section>
1191 <title>Cleaning up</title>
1192 <body>
1193
1194 <p>
1195 We don't want to keep mail forever so we use <c>tmpwatch</c> to clean up
1196 regularily. Emerge it with <c>emerge tmpwatch</c>. Only <c>root</c> is able to
1197 run <c>tmpwatch</c> so we have to edit the <c>root</c> crontab.
1198 </p>
1199
1200 <pre caption="Modifying root crontab">
1201 <comment># Clean up
1202 # Keep virusmails for a week (24*7 hours)</comment>
1203 15 0 * * * /usr/sbin/tmpwatch -c -f -d --quiet 168 /var/amavis/virusmails/
1204 <comment># Delete spam and ham learned after a week</comment>
1205 15 0 * * * /usr/sbin/tmpwatch -c -f -d --quiet 168 /var/amavis/.maildir/Bayes/
1206 </pre>
1207
1208 </body>
1209 </section>
1210 </chapter>
1211
1212 <!--
1213 <chapter>
1214 <title>Log analyzers</title>
1215 <section>
1216 <title>General Postfix statistics</title>
1217 <body>
1218
1219 <p>
1220 Now that we have set up our gateway mail server it would be nice to be
1221 able to monitor it. To this end we install two small Perl scripts that
1222 will mail you daily summaries about mail and spam statistics. First
1223 download and install <c>pflogsumm</c>:
1224 </p>
1225
1226 <pre caption="Download and installing pflogsumm">
1227 # <i>wget http://jimsun.linxnet.com/downloads/pflogsumm-1.1.0.tar.gz</i>
1228 # <i>tar xzf pflogsumm-1.1.0.tar.gz</i>
1229 # <i>cp pflogsumm-1.1.0/pflogsumm.pl /usr/local/bin/</i>
1230 </pre>
1231 </body>
1232 </section>
1233 <section>
1234 <title>Postfix spam statistics</title>
1235 <body>
1236
1237 <p>
1238 Next we download and install the script that generates daily
1239 statistics about spam caught:
1240 </p>
1241
1242 <pre caption="Downloading and installing spamreport">
1243 # <i>wget http://www.flakshack.com/anti-spam/nosack-spamreport.pl</i>
1244 # <i>mv nosack-spamreport.pl /usr/local/bin/</i>
1245 # <i>chmod +x /usr/local/bin/nosack-spamreport.pl</i>
1246 </pre>
1247 <p>
1248 We want a daily mail from each of the scripts so we add two entries to
1249 the <c>root</c> crontab:
1250 </p>
1251 <pre caption="Adding report scripts to root crontab">
1252 15 0 * * * /usr/local/bin/pflogsumm.pl -d yesterday \
1253 /var/log/mail.log 2&gt;&amp;1 | /bin/mailx \
1254 -s "`uname -n` daily mail stats" postmaster
1255 10 0 * * * /usr/local/bin/nosack-spamreport.pl \
1256 /var/log/mail.log 2&gt;&amp;1 | /bin/mailx \
1257 -s "`uname -n` daily spam stats" postmaster
1258 </pre>
1259
1260 <note>
1261 You might need to do an <c>emerge Date-Calc</c> and <c>emerge
1262 mailx</c>. Alternatively you can use <c>mail</c> installed with
1263 <c>emerge mailutils</c>
1264 </note>
1265
1266 <note>
1267 If you rotate your logs on a weekly basis (like I do) you might want
1268 to ensure that the scripts are run just before the logs are rotated.
1269 </note>
1270
1271 <note>
1272 Currently investigating another amavis log analyzer
1273 <uri link="http://homepages.hs-bremen.de/~renegat/amavislogsumm">amavislogsumm</uri>
1274 </note>
1275 </body>
1276 </section>
1277 </chapter>
1278 -->
1279
1280 <chapter>
1281 <title>Greylisting</title>
1282 <section>
1283 <title>Introduction</title>
1284 <body>
1285
1286 <p>
1287 Greylisting is one of the newer weapons in the spam fighting
1288 arsenal. As the name implies it is much like whitelisting and
1289 blacklisting. Each time an unknown mailserver tries to deliver
1290 mail the mail is rejected with a <e>try again later</e> message.
1291 This means that mail gets delayed but also that stupid spam bots
1292 that do not implement the RFC protocol will drop the attempt to
1293 deliver the spam and never retry. With time spam bots will probably
1294 adjust, however it will give other technologies more time to identify
1295 the spam.
1296 </p>
1297
1298 <note>
1299 If your ISP blocks incoming traffic on port 25 and relays all mail to you
1300 through their own mail server greylisting will not work.
1301 </note>
1302
1303 <p>
1304 Postfix 2.1 come with a simple Perl greylisting policy server that
1305 implements such a scheme. However it suffers from unpredictable
1306 results when the partition holding the greylisting database run
1307 out of space. There exists an improved version that do not suffer
1308 this problem. First I will show how to install the builtin
1309 greylisting support that come with Postfix and then I will show
1310 how to configure the more robust replacement.
1311 </p>
1312
1313 <note>
1314 There are other greylisting policy servers for Postfix around (such as <uri
1315 link="http://www.gasmi.net/gld.html">Gld</uri>, which is in Portage, and <uri
1316 link="http://sqlgrey.sourceforge.net/">SQLgrey</uri>). Some of them support
1317 database backends, auto whitelisting and other neat features.
1318 </note>
1319
1320 </body>
1321 </section>
1322 <section>
1323 <title>Simple greylisting</title>
1324 <body>
1325
1326 <note>
1327 If you prefer to use the improved greylisting with postgrey you can
1328 safely skip this section.
1329 </note>
1330
1331 <p>
1332 We need the file <path>greylist.pl</path> but unfortunately
1333 the ebuild does not install it as default.
1334 </p>
1335
1336 <pre caption="Getting greylist.pl">
1337 # <i>cp /usr/portage/distfiles/postfix-your-version-here.tar.gz /root/</i>
1338 # <i>tar xzf postfix-your-version-here.tar.gz</i>
1339 # <i>cp postfix-2.1.0/examples/smtpd-policy/greylist.pl /usr/bin/</i>
1340 </pre>
1341
1342 <p>
1343 Now we have the file in place we need to create the directory
1344 to hold the greylisting database:
1345 </p>
1346
1347 <pre caption="Creating directory for the greylisting database">
1348 # <i>mkdir /var/mta</i>
1349 # <i>chown nobody /var/mta</i>
1350 </pre>
1351
1352 <warn>
1353 Do not create the greylisting database directory on a partition that
1354 might run out of space. While postfix can recover from no-space-left
1355 situations for the mail queue and mail box situations, this is not the
1356 case with the greylisting database. If the file becomes corrupted
1357 you may not be able to receive mail at all until you delete the file
1358 by hand.
1359 </warn>
1360
1361 </body>
1362 </section>
1363 <section>
1364 <title>Configuring greylisting</title>
1365 <body>
1366
1367 <p>
1368 Now that we have all this ready all that is left is to add it to the
1369 postfix configuration. First we add the necessary information to the
1370 <path>master.cf</path>:
1371 </p>
1372
1373 <pre caption="Modifying master.cf to use greylisting">
1374 policy-greylist unix - n n - - spawn
1375 user=nobody argv=/usr/bin/perl /usr/bin/greylist.pl
1376 </pre>
1377
1378 <p>
1379 The postfix spawn daemon normally kills its child processes after 1000
1380 seconds but this is too short for the greylisting process so we have
1381 to increase the timelimit in <path>main.cf</path>:
1382 </p>
1383
1384 <pre caption="Modifying main.cf to use greylisting">
1385 policy-greylist_time_limit = 3600
1386 <comment>(Under smtpd_recipient_restrictions add:)</comment>
1387 check_sender_access hash:/etc/postfix/sender_access
1388 <comment>(Later on add:)</comment>
1389 restriction_classes = greylist
1390 greylist = check_policy_service unix:private/policy-greylist
1391 </pre>
1392
1393 <warn>
1394 Be sure to specify <c>check_sender_access</c> AFTER
1395 <c>reject_unauth_destination</c> or else your system could become an
1396 open mail relay.
1397 </warn>
1398
1399 <note>
1400 The greylist database gets polluted quickly with bogus addresses. It
1401 helps if you protect greylist lookups with other restrictions that
1402 reject unknown senders and/or recipients.
1403 </note>
1404
1405 <p>
1406 We don't want to use greylisting for all domains but only for those
1407 frequently abused by spammers. After all it will delay mail delivery.
1408 A list of frequently forged MAIL FROM domains can be found <uri
1409 link="http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in">online</uri>.
1410 Add the domains you receive a lot of spam from to
1411 <path>/etc/postfix/sender_access</path>:
1412 </p>
1413
1414 <pre caption="Format of sender_access">
1415 aol.com greylist
1416 hotmail.com greylist
1417 bigfoot.com greylist
1418 </pre>
1419
1420 <p>
1421 If you want a more extensive list:
1422 </p>
1423
1424 <pre caption="Adding all domains to sender_access">
1425 # <i>wget http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in</i>
1426 # <i>cat sender-domain-validate.in | sort | awk {'print $1 "\t\t greylist"'} > /etc/postfix/sender_access</i>
1427 </pre>
1428
1429 <p>
1430 Now we only have to initialize the <path>sender_access</path>
1431 database:
1432 </p>
1433
1434 <pre caption="Initialize sender_access">
1435 # <i>postmap /etc/postfix/sender_access</i>
1436 </pre>
1437
1438 <p>
1439 Now the setup of simple greylisting is complete.
1440 </p>
1441
1442 <warn>
1443 I tried this on one box handling thousands of mails daily and the
1444 results were almost a complete disaster. After four days the box was
1445 bogged down with hundreds of old <c>greylist.pl</c> processes.
1446 </warn>
1447
1448 </body>
1449 </section>
1450 <section>
1451 <title>Configuring improved greylisting with postgrey</title>
1452 <body>
1453
1454 <p>
1455 You can install the enhanced greylisting policy server with a simple
1456 <c>emerge</c>:
1457 </p>
1458
1459 <pre caption="Installing postgrey">
1460 # <i>emerge postgrey</i>
1461 </pre>
1462
1463 <p>
1464 After installing <c>postgrey</c> we have to edit <path>main.cf</path>.
1465 Changes are almost exactly like the built in greylisting.
1466 </p>
1467
1468 <pre caption="Modifying main.cf to use greylisting">
1469 <comment>(Under smtpd_recipient_restrictions add:)</comment>
1470 check_sender_access hash:/etc/postfix/sender_access
1471 <comment>(Later on add:)</comment>
1472 smtpd_restriction_classes = greylist
1473 greylist = check_policy_service inet:127.0.0.1:10030
1474 </pre>
1475
1476 <note>
1477 The Postfix SMTPD_POLICY_README only uses <c>restriction_classes</c>
1478 but that does not appear to work.
1479 </note>
1480
1481 <note>
1482 If you want to greylist everything instead add <c>check_policy_service
1483 inet:127.0.0.1:10030</c>.
1484 </note>
1485
1486 <p>
1487 Finally, start the server and add it to the proper runlevel.
1488 </p>
1489
1490 <pre caption="Starting postgrey">
1491 # <i>/etc/init.d/postgrey start</i>
1492 # <i>rc-update add postgrey default</i>
1493 </pre>
1494
1495 <note>
1496 Some people like to get their mail fast and thus greylisting is
1497 worthless. However if you employ a backup mail server you can safely
1498 setup greylisting on that server. My limited experiences tell me that
1499 it can stop up to a third of the spam received.
1500 </note>
1501
1502 </body>
1503 </section>
1504 </chapter>
1505 <chapter>
1506 <title>SPF (Sender Policy Framework)</title>
1507 <section>
1508 <title>Introduction</title>
1509 <body>
1510
1511 <p>
1512 SPF allows domain owners to state in their DNS records which IP
1513 addressess should be allowed to send mails from their domain. This
1514 will prevent spammers from spoofing the <c>Return-Path</c>.
1515 </p>
1516
1517 <note>
1518 If your ISP blocks incoming traffic on port 25 and relays all mail to you
1519 through their own mail server SPF will not work.
1520 </note>
1521
1522 <p>
1523 First domain owners have to create a special <c>TXT</c> DNS record.
1524 Then an SPF-enabled MTA can read this and if the mail originates from a
1525 server that is not described in the SPF record the mail can be
1526 rejected. An example entry could look like this:
1527 </p>
1528
1529 <pre caption="Example SPF record">
1530 example.com. IN TXT "v=spf1 a mx ptr -all"
1531 </pre>
1532
1533 <p>
1534 The <c>-all</c> means to reject all mail by default but allow mail
1535 from the <c>A</c>(<c>a</c>), <c>MX</c>(<c>mx</c>) and
1536 <c>PTR</c>(<c>ptr</c>) DNS records. For more info consult further
1537 resources below.
1538 </p>
1539
1540 <note>
1541 If you relay outgoing mail through your ISP you will have to add:
1542 <c>include:yourisp.com</c>.
1543 </note>
1544
1545 <p>
1546 Spamassassin 3.0 has support for SPF, however it is not enabled by default
1547 and the new policy daemon in Postfix supports SPF so let's install SPF support
1548 for Postfix.
1549 </p>
1550
1551 <note>
1552 If you want to use SPF with Spamassassin instead simply
1553 <c>emerge&nbsp;dev-perl/Mail-SPF-Query</c> and restart Amavisd-new.
1554 </note>
1555
1556 </body>
1557 </section>
1558 <section>
1559 <title>Preparations</title>
1560 <body>
1561
1562 <p>
1563 First you have to
1564 install Postfix 2.1 as described above. When you have fetched the
1565 source grab the <path>spf.pl</path> with:
1566 </p>
1567
1568 <pre caption="Installing spf.pl">
1569 # <i>cp postfix-&lt;version&gt;/examples/smtpd-policy/spf.pl /usr/local/bin/</i>
1570 </pre>
1571
1572 <note>
1573 The <path>spf.pl</path> coming with Postfix is slightly buggy so find
1574 and uncomment the following line: <c>push @HANDLERS, "sender_permitted_from";
1575 use Mail::SPF::Query;</c>. Furthermore in about line 199 substitute
1576 <c>comemnt</c> with <c>comment</c>. Alternatively you can download a
1577 <uri link="http://spf.pobox.com/postfix-policyd.txt">development
1578 version</uri>.
1579 </note>
1580
1581 <p>
1582 This Perl script also needs some Perl libraries that are not in
1583 portage but it is still quite simple to install them:
1584 </p>
1585
1586 <pre caption="Installing the needed Perl libraries">
1587 # <i>emerge Mail-SPF-Query Net-CIDR-Lite Sys-Hostname-Long</i>
1588 </pre>
1589
1590 <p>
1591 Now that we have everything in place all we need is to configure
1592 Postfix to use this new policy.
1593 </p>
1594
1595 <pre caption="Modifying master.cf to use SPF">
1596 policy-spf unix - n n - - spawn
1597 user=nobody argv=/usr/bin/perl /usr/local/bin/spf.pl
1598 </pre>
1599
1600 <p>
1601 Now add the SPF check in <path>main.cf</path>. Properly configured SPF
1602 should do no harm so we could check SPF for all domains:
1603 </p>
1604
1605 <pre caption="Modifying main.cf to use SPF">
1606 <comment>(Under smtpd_recipient_restrictions add:)</comment>
1607 check_policy_service unix:private/policy-spf
1608 </pre>
1609
1610 <note>
1611 If you're experiencing problems with SPF, e.g. when using
1612 <c>fetchmail</c>, you might want to enable SPF for certain domains only.
1613 </note>
1614
1615 </body>
1616 </section>
1617 </chapter>
1618
1619 <chapter>
1620 <title>Configuring amavisd-new to use MySQL</title>
1621 <section>
1622 <title>Configuring MySQL</title>
1623 <body>
1624
1625 <note>
1626 This has not been tested on versions higher than 2.2. Feedback is welcome :)
1627 </note>
1628
1629 <p>
1630 For large domains the default values you can set in
1631 <path>amavisd.conf</path> might not suit all users. If you configure
1632 amavisd-new with MySQL support you can have individual settings for
1633 users or groups of users.
1634 </p>
1635
1636 <pre caption="Creating the MySQL database and user">
1637 # <i>mysql -u root -p mysql</i>
1638 Enter password:
1639 Welcome to the MySQL monitor. Commands end with ; or \g.
1640 Your MySQL connection id is 78 to server version: 4.0.18-log
1641
1642 Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
1643 mysql> <i>create database maildb;</i>
1644 mysql> <i>GRANT INSERT,UPDATE,DELETE,SELECT ON maildb.* TO 'mail'@'localhost' IDENTIFIED BY 'very_secret_password';</i>
1645 mysql> <i>use maildb;</i>
1646 </pre>
1647
1648 <p>
1649 Now that the database is created we'll need to create the necessary tables.
1650 You can cut and paste the following into the mysql prompt:
1651 </p>
1652
1653 <pre caption="MySQL table layout">
1654 CREATE TABLE users (
1655 id int unsigned NOT NULL auto_increment,
1656 priority int NOT NULL DEFAULT '7', -- 0 is low priority
1657 policy_id int unsigned NOT NULL DEFAULT '1',
1658 email varchar(255) NOT NULL,
1659 fullname varchar(255) DEFAULT NULL, -- not used by amavisd-new
1660 local char(1), -- Y/N (optional field, see note further down)
1661 PRIMARY KEY (id),
1662 KEY email (email)
1663 );
1664 CREATE UNIQUE INDEX users_idx_email ON users(email);
1665
1666 <comment>(any e-mail address, external or local, used as senders in wblist)</comment>
1667 CREATE TABLE mailaddr (
1668 id int unsigned NOT NULL auto_increment,
1669 priority int NOT NULL DEFAULT '7', -- 0 is low priority
1670 email varchar(255) NOT NULL,
1671 PRIMARY KEY (id),
1672 KEY email (email)
1673 );
1674 CREATE UNIQUE INDEX mailaddr_idx_email ON mailaddr(email);
1675
1676 <comment>(-- per-recipient whitelist and/or blacklist,</comment>
1677 <comment>-- puts sender and recipient in relation wb)</comment>
1678 (white or blacklisted sender)
1679 CREATE TABLE wblist (
1680 rid int unsigned NOT NULL, -- recipient: users.id
1681 sid int unsigned NOT NULL, -- sender: mailaddr.id
1682 wb char(1) NOT NULL, -- W or Y / B or N / space=neutral
1683 PRIMARY KEY (rid,sid)
1684 );
1685
1686 CREATE TABLE policy (
1687 id int unsigned NOT NULL auto_increment,
1688 policy_name varchar(32), -- not used by amavisd-new
1689 virus_lover char(1), -- Y/N
1690 spam_lover char(1), -- Y/N (optional field)
1691 banned_files_lover char(1), -- Y/N (optional field)
1692 bad_header_lover char(1), -- Y/N (optional field)
1693 bypass_virus_checks char(1), -- Y/N
1694 bypass_spam_checks char(1), -- Y/N
1695 bypass_banned_checks char(1), -- Y/N (optional field)
1696 bypass_header_checks char(1), -- Y/N (optional field)
1697 spam_modifies_subj char(1), -- Y/N (optional field)
1698 spam_quarantine_to varchar(64) DEFAULT NULL, -- (optional field)
1699 spam_tag_level float, -- higher score inserts spam info headers
1700 spam_tag2_level float DEFAULT NULL, -- higher score inserts
1701 -- 'declared spam' info header fields
1702 spam_kill_level float, -- higher score activates evasive actions, e.g.
1703 -- reject/drop, quarantine, ...
1704 -- (subject to final_spam_destiny setting)
1705 PRIMARY KEY (id)
1706 );
1707 </pre>
1708
1709 <note>
1710 If you have problems using copy/paste you might have to copy this
1711 somewhere else and clean out the unneeded characters.
1712 </note>
1713
1714 <note>
1715 Lookups trying to match email are done with raw (rfc2821-unquoted
1716 and unbracketed) addresses as a key, i.e.:
1717 <c>John "Funny" Smith@example.com</c>
1718 </note>
1719
1720 <note>
1721 Lookups are performed in the following order: <c>SQL</c>, <c>LDAP</c>,
1722 <c>hash</c>, <c>ACL</c>, <c>regexp</c>, <c>constant</c>. The first that
1723 returns a definitive answer (not <c>undef/NULL</c>) stops the search.
1724 </note>
1725
1726 <p>
1727 If you wish to use whitelisting and blacklisting you must add the
1728 sender and receiver to <c>mailadr</c> after which you create the relation
1729 between the two e-mail addresses in <c>wblist</c> and state if it is
1730 whitelisting (<c>W</c>) or blacklisting (<c>B</c>).
1731 </p>
1732
1733 <p>
1734 Now that we have created the tables let's insert a test user and a test
1735 policy:
1736 </p>
1737
1738 <pre caption="Create test user and test policy">
1739 INSERT INTO users
1740 SET
1741 id =1,
1742 priority =9,
1743 policy_id =1,
1744 email ="johndoe@example.com",
1745 fullname ="John Doe",
1746 local ="Y";
1747
1748 INSERT INTO policy
1749 SET
1750 id =1,
1751 policy_name ="Test policy 1",
1752 virus_lover ="N",
1753 spam_lover ="N",
1754 banned_files_lover ="N",
1755 bad_header_lover ="N",
1756 bypass_virus_checks ="N",
1757 bypass_spam_checks ="N",
1758 bypass_banned_checks ="N",
1759 bypass_header_checks ="N",
1760 spam_modifies_subj ="N",
1761 spam_quarantine_to =NULL,
1762 spam_tag_level =-50.0,
1763 spam_tag2_level =7.0,
1764 spam_kill_level =10.0;
1765 </pre>
1766
1767 <note>
1768 Copy this to somewhere else and adjust to suit your own environment.
1769 </note>
1770
1771 <note>
1772 <c>local</c> should be set to <c>Y</c> otherwise the mail will not be
1773 scanned for spam.
1774 </note>
1775
1776 <p>
1777 This inserts a test user and a Test policy. Adjust these examples to
1778 fit your needs. Further explanation of the configuration names can be
1779 found in <path>amavisd.conf</path>.
1780 </p>
1781
1782 </body>
1783 </section>
1784 <section>
1785 <title>Configuring amavisd to use MySQL</title>
1786 <body>
1787
1788 <p>
1789 Now that MySQL is ready we need to tell amavis to use it:
1790 </p>
1791
1792 <pre caption="Modifying amavisd.conf">
1793 @lookup_sql_dsn =
1794 ( ['DBI:mysql:maildb:host1', 'mail', 'very_secret_password'] );
1795
1796 <comment>(For clarity uncomment the default)</comment>
1797 $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
1798 ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
1799 ' ORDER BY users.priority DESC';
1800
1801 <comment>(If you want sender white/blacklisting)</comment>
1802 $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
1803 ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'.
1804 ' AND (mailaddr.email IN (%k))'.
1805 ' ORDER BY mailaddr.priority DESC';
1806 </pre>
1807 </body>
1808
1809 </section>
1810 </chapter>
1811
1812 <chapter>
1813 <title>Configuring Spamassassin to use MySQL</title>
1814 <section>
1815 <body>
1816
1817 <p>
1818 As of Spamassassin 3.0 it is possible to store the Bayes and AWL data in a MySQL
1819 database. We will use MySQL as the backend as it can generally outperform other
1820 databases. Also, using MySQL for both sets of data makes system management much
1821 easier. Here I will show how to easily accomplish this.
1822 </p>
1823
1824 <p>
1825 First start out by creating the new MySQL user and then create
1826 the needed tables.
1827 </p>
1828
1829 <pre caption="Creating the new MySQL database and user">
1830 # <i>mysql -u root -p mysql</i>
1831 Enter password:
1832 Welcome to the MySQL monitor. Commands end with ; or \g.
1833 Your MySQL connection id is 78 to server version: 4.0.18-log
1834
1835 Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
1836 mysql> <i>create database dbname;</i>
1837 mysql> <i>GRANT INSERT,UPDATE,DELETE,SELECT ON dbname.* TO 'dbuser'@'localhost' IDENTIFIED BY 'another_very_secret_password';</i>
1838 mysql> <i>use dbname;</i>
1839 </pre>
1840
1841 <p>
1842 Now that the database is created we'll create the necessary tables. You can cut
1843 and paste the following into the mysql prompt:
1844 </p>
1845
1846 <pre caption="MySQL table layout">
1847 CREATE TABLE bayes_expire (
1848 id int(11) NOT NULL default '0',
1849 runtime int(11) NOT NULL default '0',
1850 KEY bayes_expire_idx1 (id)
1851 ) TYPE=MyISAM;
1852
1853 CREATE TABLE bayes_global_vars (
1854 variable varchar(30) NOT NULL default '',
1855 value varchar(200) NOT NULL default '',
1856 PRIMARY KEY (variable)
1857 ) TYPE=MyISAM;
1858
1859 INSERT INTO bayes_global_vars VALUES ('VERSION','3');
1860
1861 CREATE TABLE bayes_seen (
1862 id int(11) NOT NULL default '0',
1863 msgid varchar(200) binary NOT NULL default '',
1864 flag char(1) NOT NULL default '',
1865 PRIMARY KEY (id,msgid)
1866 ) TYPE=MyISAM;
1867
1868 CREATE TABLE bayes_token (
1869 id int(11) NOT NULL default '0',
1870 token char(5) NOT NULL default '',
1871 spam_count int(11) NOT NULL default '0',
1872 ham_count int(11) NOT NULL default '0',
1873 atime int(11) NOT NULL default '0',
1874 PRIMARY KEY (id, token),
1875 INDEX (id, atime)
1876 ) TYPE=MyISAM;
1877
1878 CREATE TABLE bayes_vars (
1879 id int(11) NOT NULL AUTO_INCREMENT,
1880 username varchar(200) NOT NULL default '',
1881 spam_count int(11) NOT NULL default '0',
1882 ham_count int(11) NOT NULL default '0',
1883 token_count int(11) NOT NULL default '0',
1884 last_expire int(11) NOT NULL default '0',
1885 last_atime_delta int(11) NOT NULL default '0',
1886 last_expire_reduce int(11) NOT NULL default '0',
1887 oldest_token_age int(11) NOT NULL default '2147483647',
1888 newest_token_age int(11) NOT NULL default '0',
1889 PRIMARY KEY (id),
1890 UNIQUE bayes_vars_idx1 (username)
1891 ) TYPE=MyISAM;
1892
1893 CREATE TABLE awl (
1894 username varchar(100) NOT NULL default '',
1895 email varchar(200) NOT NULL default '',
1896 ip varchar(10) NOT NULL default '',
1897 count int(11) default '0',
1898 totscore float default '0',
1899 PRIMARY KEY (username,email,ip)
1900 ) TYPE=MyISAM;
1901 </pre>
1902
1903 <impo>
1904 The <c>INSERT</c> line is needed otherwise Spamassassin
1905 will not work.
1906 </impo>
1907
1908 <note>
1909 This is also available in the source tarball in the files
1910 <path>awl_mysql.sql</path> and <path>bayes_mysql.sql</path>.
1911 </note>
1912
1913 </body>
1914 </section>
1915 <section>
1916 <title>Configuring Spamassassin to use the MySQL backend</title>
1917 <body>
1918
1919 <p>
1920 If you have an old Bayes database in the DBM database and want
1921 to keep it follow these instructions:
1922 </p>
1923
1924 <pre caption="Converting Bayes data from a DBM Database">
1925 <i>su - amavis</i>
1926 <i>sa-learn --sync</i>
1927 <i>sa-learn --backup > backup.txt</i>
1928 <i>sa-learn --restore backup.txt</i>
1929 </pre>
1930
1931 <note>
1932 Note that the last step should only be performed after the MySQL database and
1933 <path>secrets.cf</path> have been updated.
1934 </note>
1935
1936 <p>
1937 Now give Spamassassin the required info:
1938 </p>
1939
1940 <pre caption="Modifying /etc/mail/spamassassin/secrets.cf">
1941 <comment>(Tell Spamassassin to use MySQL for bayes data</comment>
1942 bayes_store_module Mail::SpamAssassin::BayesStore::SQL
1943 bayes_sql_dsn DBI:mysql:sa_bayes:localhost:3306
1944 bayes_sql_username db_name
1945 bayes_sql_password another_very_secret_password
1946
1947 <comment>(Tell Spamassassin to use MySQL for AWL data</comment>
1948 auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
1949 user_awl_dsn DBI:mysql:sa_bayes:localhost:3306
1950 user_awl_sql_username db_name
1951 user_awl_sql_password another_very_secret_password
1952 </pre>
1953
1954 <p>
1955 Next, change its permissions for proper security:
1956 </p>
1957
1958 <pre caption="Changing permissions">
1959 # <i>chmod 400 /etc/mail/spamassassin/secrets.cf</i>
1960 </pre>
1961
1962 <note>
1963 To create a very secret password use <c>emerge
1964 app-admin/makepasswd</c> and <c>makepasswd -chars=8</c>
1965 </note>
1966
1967 <p>
1968 Now all you have to do is <c>/etc/init.d/amavisd restart</c>.
1969 </p>
1970
1971 </body>
1972 </section>
1973 </chapter>
1974
1975 <chapter>
1976 <title>Troubleshooting</title>
1977 <section>
1978 <title>Amavisd-new</title>
1979 <body>
1980
1981 <p>
1982 To troubleshoot Amavisd-new start out by stopping it with <c>/etc/init.d/amavisd
1983 stop</c> and then start it manually in the foreground with <c>amavisd debug</c>
1984 and watch it for anomalies in the output.
1985 </p>
1986
1987 </body>
1988 </section>
1989 <section>
1990 <title>Spamassassin</title>
1991 <body>
1992
1993 <p>
1994 To troubleshoot Spamassassin you can filter an email through it with
1995 <c>spamassassin -D &lt; mail</c>. To ensure that the headers are intact you can
1996 move it from another machine with IMAP.
1997 </p>
1998
1999 <note>
2000 If you need to troubleshoot you have to enable login for the user
2001 <c>amavis</c> by changing the login shell in <path>/etc/passwd</path> to
2002 <path>/bin/bash</path>.
2003 </note>
2004
2005 <p>
2006 If you want you can make get the same information and more with Amavisd-new
2007 using <c>amavisd debug-sa</c>.
2008 </p>
2009
2010 </body>
2011 </section>
2012 <section>
2013 <title>Getting help</title>
2014 <body>
2015
2016 <p>
2017 If you need help a good place to go is the amavis-user mailing
2018 list. Before postting a question try searching the <uri
2019 link="http://marc.theaimsgroup.com/?l=amavis-user">Amavis User
2020 mailing list archives</uri>. If you find no answer here you can
2021 subscribe to the <uri
2022 link="https://lists.sourceforge.net/lists/listinfo/amavis-user">Amavis User
2023 mailing list</uri>
2024 </p>
2025
2026 <p>
2027 If your question is specific to SpamAssassin, DCC, Razor, or
2028 Postfix, please refer to their respective home pages listed below.
2029 </p>
2030
2031 </body>
2032 </section>
2033 </chapter>
2034
2035 <chapter>
2036 <title>Resources</title>
2037 <section>
2038 <title>For further information</title>
2039 <body>
2040
2041 <ul>
2042 <li>
2043 <uri link="http://www.ijs.si/software/amavisd/INSTALL">Amavisd-new
2044 INSTALL</uri>
2045 </li>
2046 <li>
2047 <uri link="http://www.ijs.si/software/amavisd/README.postfix">Amavisd-new
2048 Postfix README</uri>
2049 </li>
2050 <li>
2051 <uri link="http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks">Amavisd-new
2052 Policy bank documentation</uri>
2053 </li>
2054 <li>
2055 <uri link="http://spamassassin.apache.org/full/3.0.x/dist/sql/README">Spamassassin
2056 SQL README</uri>
2057 </li>
2058 <li>
2059 <uri link="http://www.greylisting.org">Greylisting</uri>
2060 </li>
2061 <li>
2062 <uri link="http://www.postfix.org/FILTER_README.html">Postfix
2063 SMTPD_POLICY_README</uri>
2064 </li>
2065 <li>
2066 <uri link="http://www.unixwiz.net/techtips/postfix-HELO.html">Blocking
2067 spammers with Postfix HELO controls</uri>
2068 </li>
2069 <li>
2070 <uri link="http://www.linuxjournal.com/article.php?sid=7327">SPF
2071 Overview</uri>
2072 </li>
2073 <li>
2074 <uri link="http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt">Jim
2075 Seymour's Postfix Anti-UCE Cheat Sheet</uri>
2076 </li>
2077 </ul>
2078
2079 </body>
2080 </section>
2081 <section>
2082 <title>General resources</title>
2083 <body>
2084
2085 <ul>
2086 <li><uri link="http://www.spamassassin.org">Spamassassin</uri></li>
2087 <li><uri link="http://www.ijs.si/software/amavisd/">Amavisd-new</uri></li>
2088 <li>
2089 <uri link="http://www.ijs.si/software/amavisd/amavisd-new-docs.html">Amavisd-new
2090 documentation bits and pieces</uri>
2091 </li>
2092 <li><uri link="http://razor.sourceforge.net/">Vipuls's Razor</uri></li>
2093 <li><uri link="http://pyzor.sourceforge.net/">Pyzor</uri></li>
2094 <li>
2095 <uri link="http://www.rhyolite.com/anti-spam/dcc/">Distributed Checksum
2096 Clearinghouse</uri>
2097 </li>
2098 <li>
2099 <uri link="http://www.renaissoft.com/projects/maia/">Maia
2100 Mailguard</uri>
2101 </li>
2102 </ul>
2103
2104 </body>
2105 </section>
2106 <section>
2107 <title>Other howtos</title>
2108 <body>
2109
2110 <ul>
2111 <li>
2112 <uri link="http://www.flakshack.com/anti-spam/">Fairly-Secure Anti-SPAM
2113 Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor
2114 and DCC</uri>
2115 </li>
2116 </ul>
2117
2118 </body>
2119 </section>
2120 </chapter>
2121 </guide>

  ViewVC Help
Powered by ViewVC 1.1.20