Dspam relay

Intro
This HowTo details how to have Postfix/dspam act as an anti-spam/anti-virus mail relay for another mail server. Postfix does not store any mail locally; all mail is forwarded on to the remote mail server.

Since this install is purely acting as a relay, dspam is configured to have one user process all email and do the retraining. It does not cover per-user training and quarantines, though that may be covered in a future guide.

Purpose
This guide is for anyone running a mail server who wants the garbage dropped before the mail server has to process the mail.

First steps
Remove ssmtp if it is installed

then install postfix.

Next install mysql by

Follow the post-install instructions to create the initial database and root user.

Finally we install Clamav

Use Flags
Add the following to package.keywords to get the most recent versions. Clamav adds antivirus support for dspam, daemon adds the init scripts, and logrotate allows for automatic log rotation.

then

Once dspam has finished compiling, we move on to the configuration.

Follow the prompts to set up your mysql database.

The following assumes a user called dspam and the rest of the guide uses that name.

Next create a user that will process the mail and manage the quarantine

Dspam Configuration
Add filter as a trusted user in the dspam config.

Code:
#
# Trusted Users: Only the users specified below will be allowed to perform
# administrative functions in DSPAM such as setting the active user and
# accessing tools. All other users attempting to run DSPAM will be restricted;
# their uids will be forced to match the active username and they will not be
# able to specify delivery agent privileges or use tools.
#
Trust root
Trust mail
Trust mailnull
Trust smmsp
Trust daemon
#Trust nobody
#Trust majordomo
Trust filter

Change the following:

Uncomment the following lines and change LMTP to SMTP

Code:
DeliveryHost       127.0.0.1
DeliveryPort       10025
DeliveryIdent      localhost
DeliveryProto      SMTP

This returns mail into Postfix on 10025.

Add the following

Code:
Preference "spamAction=quarantine"
Preference "signatureLocation=headers" # can be 'message' or 'headers'
Preference "showFactors=off" # changed from on
ServerPID /var/run/dspam/dspam.pid
ServerMode auto
ServerParameters       "--user filter --deliver=innocent"
ServerDomainSocketPath "/var/run/dspam/dspam.sock"

This guide uses a quarantine for all spam mail. Optionally, mail can instead be delivered with text added to the subject, if that is preferred, to allow Outlook or another mail client to filter by subject.

To avoid confusion the dspam signature is added to headers only.

Next add anti-virus capability to dspam. Locate the section

Code:
#
# ClamAVResponse: reject (reject or drop the message with a permanent failure)
#                 accept (accept the message and quietly drop the message)
#                 spam   (treat as spam and quarantine/tag/whatever)
#
#ClamAVPort     3310
#ClamAVHost     127.0.0.1
#ClamAVResponse accept

and uncomment the 3 lines related to Clamav.

Postfix Initial Configuration
Next edit /etc/postfix/master.cf to add dspam to postfix and create the listening daemon. Note the port must match the DeliveryPort chosen in the dspam configuration file.

Code: dspam    unix  -       -       n       -       10      lmtp

Code:
127.0.0.1:10025 inet   n       -       n       -       -       smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks

Now start up dspam, postfix, and clam and watch for any errors.

Code:
/etc/init.d/clamd start
/etc/init.d/postfix start
/etc/init.d/dspam start

Postfix should be listening on port 25 and also on 10025. netstat -tunlp will list any listening services.

Code:
netstat -tunlp | grep master
tcp       0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      30772/master
tcp       0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      30772/master

If both entries display as shown above, everything should be running as it's supposed to be.
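The requirement that the master.cf listener match the DeliveryPort in the dspam configuration can be checked mechanically. The script below is an added example, not part of the original guide; its function names and sample file contents are constructed for illustration. It also confirms that the listener is bound to a 127.x address, since mail accepted on that port is not passed through dspam again.

```shell
#!/bin/sh
# Added example, not from the original guide. Sample file contents are constructed.

# Print "host:port" that DSPAM reinjects to (commented-out lines are ignored).
dspam_delivery() {
    awk '$1 == "DeliveryHost" { h = $2 }
         $1 == "DeliveryPort" { p = $2 }
         END { if (h != "" && p != "") print h ":" p }' "$1"
}

# Print the first field of every inet smtpd service in a master.cf.
master_inet_smtpd() {
    awk '$1 !~ /^#/ && $2 == "inet" && $8 == "smtpd" { print $1 }' "$1"
}

# 0 = a loopback listener matches DeliveryHost:DeliveryPort; else reason is printed.
# Assumes a numeric 127.x DeliveryHost, as used in the guide.
check_reinject() {
    target=$(dspam_delivery "$1")
    [ -n "$target" ] || { echo "DeliveryHost/DeliveryPort not set"; return 2; }
    case "$target" in
        127.*) ;;
        *) echo "DeliveryHost is not a 127.x address: $target"; return 3 ;;
    esac
    listeners=$(master_inet_smtpd "$2")
    if printf '%s\n' "$listeners" | grep -qxF "$target"; then
        echo "ok: $target"; return 0
    fi
    # The same port without an address prefix listens on every interface.
    if printf '%s\n' "$listeners" | grep -qxF "${target##*:}"; then
        echo "port ${target##*:} is not bound to loopback"; return 4
    fi
    echo "no master.cf smtpd listener for $target"; return 1
}

# Write constructed samples into directory $1 (master.bad.cf has a port typo).
write_samples() {
    printf '%s\n' '#DeliveryPort 24' 'DeliveryHost 127.0.0.1' \
        'DeliveryPort 10025' 'DeliveryProto SMTP' > "$1/dspam.conf"
    printf '%s\n' 'smtp inet n - n - - smtpd' \
        '127.0.0.1:10025 inet n - n - - smtpd' \
        '  -o mynetworks=127.0.0.0/8' > "$1/master.cf"
    sed 's/10025/10026/' "$1/master.cf" > "$1/master.bad.cf"
}

dir=$(mktemp -d)
write_samples "$dir"
check_reinject "$dir/dspam.conf" "$dir/master.cf"
check_reinject "$dir/dspam.conf" "$dir/master.bad.cf" || true
rm -rf "$dir"
```

On a real host, pass the paths of the live dspam.conf and /etc/postfix/master.cf to check_reinject.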

Postfix Extended Configuration
By default Dspam checks on both incoming and outgoing email. To have Dspam only check incoming emails you must add the following to /etc/postfix/main.cf

Code:
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access pcre:/etc/postfix/dspam_incoming
    permit

I want Dspam to process outgoing email for several reasons. The primary one is that anti-virus checks are not done by postfix but by Dspam in this configuration setup, and I want my outgoing email scanned for viruses. (It is also done by the Exchange server at the backend but I like the dual layer of protection.)

You will need to create the dspam_incoming file in the postfix directory.

Code: nano -w /etc/postfix/dspam_incoming

/./    FILTER dspam:unix:/var/run/dspam/dspam.sock

This will force all email through the Dspam socket for processing.

Code: /etc/init.d/postfix reload

This reloads postfix so the new configuration takes effect.

Relaying Mail
Add a list of authorized recipients to relay for. Create relay_recipients and add users as such:

Code: nano -w /etc/postfix/relay_recipients

user1@domain.com OK
user2@domain.com OK
user3@domain.com OK

Next make the file processable by postfix. Do this by postmapping the file.

Code: postmap relay_recipients

This file must be postmapped every time there is a change to it. Postfix must also be reloaded to reflect the change.

Add the trigger to postfix. Locate and find the section for relay_recipients and change it to

Code: relay_recipient_maps = hash:/etc/postfix/relay_recipients

Reload postfix

Code: postfix reload

Transports
Finally, tell postfix where it is supposed to be delivering this mail. Do this by creating transport maps

Edit /etc/postfix/main.cf and add the following line

Code: transport_maps = hash:/etc/postfix/transport

The transport file should look like this.

Code: domain.com         smtp:servername.domain.com

Ensure your server can reach the remote server by its FQDN. If it cannot, either fix your DNS or add the server to your hosts file. In some cases you might need to use the IP address instead of the FQDN. It will work just the same.

Postmap the file for postfix and reload postfix

Code: postmap transport && postfix reload
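Because both tables must be postmapped after every edit, a stale .db file or a recipient line without its OK value is easy to miss. The script below is an added example, not part of the original guide; the function names and sample table contents are constructed. It flags malformed entries, recipient domains with no exact-match transport key, and hash maps older than their source file.

```shell
#!/bin/sh
# Added example, not from the original guide; sample table contents are constructed.

# Print "N: line" for entries that lack a right-hand value such as OK.
# Simplification: indented continuation lines are skipped, not joined.
malformed_entries() {
    awk '/^[ \t]/ || /^#/ || NF == 0 { next }
         NF < 2 { print NR ": " $0 }' "$1"
}

# Print each recipient domain in $1 that has no exact domain key in transport $2.
domains_without_transport() {
    awk 'FILENAME == ARGV[1] { if ($0 !~ /^#/ && NF >= 2) t[tolower($1)] = 1; next }
         /^#/ || NF == 0 { next }
         { n = split(tolower($1), a, "@"); d = a[n]
           if (!(d in t) && !seen[d]++) print d }' "$2" "$1"
}

# 0 if postmap has been run since the last edit of $1 (hash: maps live in $1.db).
map_is_fresh() {
    [ -f "$1.db" ] && [ ! "$1" -nt "$1.db" ]
}

# Run all three checks on a relay_recipients/transport pair; 0 means clean.
audit_relay_tables() {
    rc=0
    bad=$(malformed_entries "$1")
    [ -z "$bad" ] || { echo "malformed: $bad"; rc=1; }
    missing=$(domains_without_transport "$1" "$2")
    [ -z "$missing" ] || { echo "no transport for: $missing"; rc=1; }
    for f in "$1" "$2"; do
        map_is_fresh "$f" || { echo "stale or missing map: $f.db"; rc=1; }
    done
    return $rc
}

dir=$(mktemp -d)
printf '%s\n' 'user1@domain.com OK' 'user2@domain.com' \
    'user3@example.org OK' > "$dir/relay_recipients"
printf '%s\n' 'domain.com smtp:servername.domain.com' > "$dir/transport"
: > "$dir/transport.db"   # stand-in for postmap output; relay_recipients.db is absent
audit_relay_tables "$dir/relay_recipients" "$dir/transport" || true
rm -rf "$dir"
```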

Ensure all services are loading at boot time

Code:
rc-update add clamd default
rc-update add dspam default
rc-update add mysql default

Web Interface
Dspam offers a web interface to do retraining and quarantine management. It works perfectly for retraining but I have yet to get it to work properly as far as releasing false positives and passing them on to users. I have so far been forced to use Webmin and forward the users' mail that way. If anyone knows of a workaround or how to make it work properly, please add it here.

Installing the Web Interface
There are two methods of going about installing the web interface. Both are covered in brief here.

Initial Steps
First, apache needs to be compiled with SUEXEC enabled. Add it to the package use flags so it is kept during future upgrades.

To emerge without adding the use flag you can:

USE="suexec" emerge -av apache

Virtual Host
Code:

The end result is:

 * apache dspam-web's config requires the scripts in the cgi-bin
 * to be run as dspam:dspam. Ensure you have a global SuexecUserGroup
 * declaration in the main server config which will force everything in cgi-bin
 * to run as dspam:dspam.
 * To install dspam-web-3.8.0-r1 into a virtual host, run the following command:
 *
 * webapp-config -I -h -d dspam-web dspam-web 3.8.0-r1

This example assumes an install into localhost.

A virtual host will automatically be created for you. Copy and paste it into /etc/apache2/vhosts.d/dspam.conf

DocumentRoot /var/www/localhost/htdocs
ServerName localhost

#Use dspam.cgi as main index
RewriteEngine On
RewriteRule ^/?$ /cgi-bin/dspam.cgi [redirect,last]

SuexecUserGroup dspam dspam
ScriptAlias /cgi-bin/ /var/www/localhost/cgi-bin/

Options FollowSymLinks ExecCGI
SetHandler cgi-script

AllowOverride None
Order deny,allow
Allow from all

AuthType basic
AuthName "DSPAM Control Center"
#For those lucky enough to have a LDAP authentication database
AuthLDAPURL ldap://localhost:389/ou=People,dc=yourdomain,dc=com?uid?sub?(objectClass=posixAccount)
Require valid-user

Edit and change settings to suit your install.

Directory Based
This section borrows from here

Add the following to httpd.conf

nano -w /etc/apache2/httpd.conf

Options ExecCGI
AuthType Basic
AuthName "dspam"
Require valid-user
AuthUserFile /var/www/localhost/password
SetHandler cgi-script

Enable the directory function by adding -D USERDIR to /etc/conf.d/apache2

Code: APACHE2_OPTS="-D DEFAULT_VHOST -D USERDIR"

Create the web directory for the user filter.

mkdir ~filter/public_html

Code:
cp -R /usr/share/webapps/dspam-web/<version number>/hostroot/* ~filter/public_html/
cp /usr/share/webapps/dspam-web/<version number>/htdocs/* /var/www/localhost/htdocs/

Ensure public access to the site.

chown -R filter:users ~filter/public_html/

Restart Apache

Code: /etc/init.d/apache2 restart

At this point you can point your browser to http://hostname/~filter/cgi-bin/dspam.cgi

Securing the Web interface
Use basic auth with .htaccess and .htpasswd to secure the web interface from unauthorized use.

htpasswd2 -c /var/www/localhost/password filter

filter is used here just for consistency.