2008-05-16 16:46:51
Postfix, DSpam, and ClamAV
I needed a clean, effective SMTP gateway that would handle virus scanning and spam filtering for my company. I wanted something that would allow spam control on a per-user basis. We've been using a SpamAssassin installation for a few years that worked very well, but was missing this last piece. I found dspam, and that seemed to fit a lot of my needs. ClamAV has always worked great, so I'll stick with that. The last part was the MTA. I never became really proficient with sendmail, and I read in a few places that some Linux distros were actually removing sendmail from the default package set. Postfix came highly recommended, so I decided to go with that. With my components selected, I set out looking for a good howto for this trio as an SMTP gateway. I found bits and pieces here and there on the web, but no one single document that I could follow. Hence this page was born :)
There are two options for assembling these pieces, packages or source. Source has always worked well for me, but one last thing I was looking for was ease of maintenance, especially for my coworkers. Based on that I chose to chase down the differences between the source defaults and the configs used with my distro (Fedora).
Resources: http://dspam.nuclearelephant.com/
Contents
1 Postfix in, sendmail out
2 Postfix debugging
3 Postfix -- main.cf
4 ClamAV
5 amavisd-new
6 Greylisting
7 Installing DSpam
8 Joining Dspam and postfix
9 The DSPAM CGI interface
10 References
Postfix in, sendmail out
First things first, let's get postfix working in its most basic form, in place of sendmail. This isn't too tough.
yum install postfix
yum remove sendmail
Voila! Now we have a lean, mean MTA. Let's tune a few of the postfix settings and set up the relay for our domains.
The heart of the postfix config is /etc/postfix/main.cf.
Postfix debugging
I found that throughout my setup, I ran into times where I thought things would work, and in fact they didn't. One of the best tools for monitoring the postfix environment is /var/log/maillog (on Fedora; your distro may vary). Opening another console window and tailing this log allowed me to watch everything that was happening.
# tail -f /var/log/maillog
Jun 14 14:41:08 hostname postfix/postfix-script: starting the Postfix mail system
Jun 14 14:41:08 hostname postfix/master[3662]: daemon started -- version
Sometimes I needed a little more information. There is a lot of information
here, but the most helpful was the debug_peer_list parameter. This allows
debugging of specific connections, not everything that comes in.
Postfix -- main.cf
This is the core of the postfix configuration. I'll try to cover a few of the
things that caught me by surprise.
Bound Interfaces
By default, the Fedora config of postfix limits connections to only those from localhost. As a mail relay, this is obviously a problem. The parameter is inet_interfaces. Once I added the external IP, things went much more smoothly.
Other items
Configure postfix to allow mail as needed. This may include domain and/or ip
restrictions.
ClamAV
I'm using ClamAV for virus scanning. The first step is to get clam installed.
yum install clamav*
Then run a quick update
freshclam
We'll need ClamAV available as a TCP stream, so look for the appropriate settings in /etc/clamd.conf
# TCP port address.
# Default: disabled
TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: disabled
TCPAddr 127.0.0.1
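To confirm that the daemon really is reachable only on the loopback listener configured above, here is a small clamd client (an added example, not code from the article or from ClamAV) that speaks the zINSTREAM protocol and parses the verdict; it assumes clamd on 127.0.0.1:3310 as set by TCPSocket and TCPAddr.

```python
import socket
import struct

# Added example, not from the article. Assumed endpoint taken from the
# clamd.conf excerpt: TCPAddr 127.0.0.1, TCPSocket 3310.
CLAMD_HOST = "127.0.0.1"
CLAMD_PORT = 3310


def build_instream_request(data, chunk=4096):
    """Frame data as a zINSTREAM request: the NUL-terminated command, then
    chunks each prefixed with a 4-byte big-endian length, closed by a
    zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        frames.append(struct.pack("!I", len(piece)) + piece)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)


def parse_scan_response(raw):
    """Map a clamd reply such as 'stream: Eicar-Test-Signature FOUND' to
    (verdict, detail); verdict is 'OK', 'FOUND' or 'ERROR'."""
    text = raw.decode("utf-8", "replace").rstrip("\0\n")
    _, sep, rest = text.partition(": ")
    result = rest if sep else text
    if result == "OK":
        return ("OK", "")
    if result.endswith(" FOUND"):
        return ("FOUND", result[:-len(" FOUND")])
    if result.endswith(" ERROR"):
        return ("ERROR", result[:-len(" ERROR")])
    return ("ERROR", result)


def scan_bytes(data, host=CLAMD_HOST, port=CLAMD_PORT):
    """Scan data through a running clamd and return (verdict, detail).
    ConnectionRefusedError here means clamd is not listening on host:port,
    which is exactly what you should see from any address other than localhost."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_scan_response(reply)
```

Calling scan_bytes() with the standard EICAR test string against the live daemon should return a FOUND verdict, while any harmless text returns OK.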
I also like to log this stuff, as long as you have CPU for it. Clam includes its own auto-trim feature, so you can limit log file size from /etc/clamd.conf.
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if you want to run another clamd instance,
# please # copy the configuration file, change the LogFile variable, and run
# the daemon with the --config-file option).
# This option disables log file locking.
# Default: disabled
LogFileUnlock
# Maximal size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default:
LogFileMaxSize
amavisd-new
amavisd-new is the glue between Postfix and ClamAV. It will also call DSPAM once we get that set up.
yum install amavisd-new
This will install amavisd-new and all of its dependencies.
Next we want to make sure that it calls ClamAV. My ClamAV section was already uncommented.
vi /etc/amavisd/amavisd.conf
Now test whether amavisd will run, with
amavisd debug
in a terminal window, and you can watch everything that happens. Now we need to tell postfix to use amavisd. This happens in the postfix file master.cf. I made my master.cf look like this, where edits are made to the first few configuration lines, and from #submission on is left alone.
#This is the before-filter smtpd...it passes content to amavisd on port 10024
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=4
#This is the after-filter smtpd, it receives mail from amavisd to port 10025
127.0.0.1:10025 inet n  -       y       -       -       smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,check_relay_domains
    -o smtpd_data_restrictions=
    -o receive_override_options=no_unknown_recipient_checks
#submission inet n       -       n       -       -       smtpd
...
We are setting up an smtp server on 25, which proxies the mail through localhost:10024, and an smtp server on 10025 to receive the sterile mail.
Greylisting
We're going to use postgrey for greylisting on our system. For those not familiar, greylisting is the practice of requiring new sender/recipient pairs to resend mail. This delay is usually just 5 to 10 minutes, and when the mail is resent, the pair is no longer new, so the mail is delivered immediately. Most spam systems will skip sending the mail when they don't get through right away.
First, download the current version
wget [url][/url]
untar it, and change to the source directory
tar zxvf postgrey-X.XX.tar.gz
cd postgrey-X.XX
add the postgrey user, and change their shell to /sbin/nologin (or whatever
your distro uses)
useradd -s /sbin/nologin postgrey
create the directory to store the postfix data
mkdir /var/spool/postfix/postgrey
chown postgrey /var/spool/postfix/postgrey
we need to make postgrey start with the system boot, so edit rc.local (or your distro's boot script) and add
# Start postgrey
echo -n 'postgrey'; /usr/local/sbin/postgrey --inet=10023 -d --delay=50 \
    --user=postgrey --group=postgrey \
    --greylist-text="Policy restrictions; try later"
Installing DSpam
Download the current source from dspam/sources. Open it up and change to the directory.
wget dspam/sources/dspam-X.X.X.tar.gz
tar zxvf dspam-X.X.X.tar.gz
cd dspam-X.X.X
Create the dspam user. We give him a shell of nologin so the account can't be used to start interactive sessions.
mkdir /var/dspam
adduser -d /var/dspam -s /bin/false dspam
The next step is to configure the source. Read the README in the doc/ folder carefully for options specific to your system. I prefer to put the configure command in a shell script so it's not lost when I need to refer to previous configurations.
vi myconfigure.sh
./configure \
    --with-userdir=/var/dspam \
    --with-userdir-owner=dspam \
    --with-userdir-group=postdrop \
    --with-dspam-owner=dspam \
    --with-dspam-group=postdrop \
    --with-dspam-mode=4510 \
    --with-local-delivery-agent=/usr/sbin/sendmail \
    --with-storage-driver=mysql_drv \
    --with-mysql-includes=/usr/include/mysql \
    --with-mysql-libraries=/usr/lib/mysql \
    --enable-alternative-bayesian \
    --disable-trusted-user-security \
    --enable-large-scale \
    --enable-virtual-users \
    --enable-long-usernames \
    --enable-spam-delivery
Now we create the mysql databases.
mysql -u root -p -e "create database dspam"
mysql -u root -p -e "grant all on dspam.* to dspam@localhost identified by 'DSPAMPASS'"
mysql -u dspam -p dspam < ./src/tools.mysql_drv/mysql_objects-speed.sql
mysql -u dspam -p dspam < ./src/tools.mysql_drv/virtual_users.sql
cp ./src/tools.mysql_drv/purge.sql /var/dspam
We have to tell dspam where to find mysql, and how to connect. We do that in /var/dspam/mysql.data
vi /var/dspam/mysql.data
/var/lib/mysql/mysql.sock # this may vary per your configuration
dspam
DSPAMPASS
dspam
Now set the rights on the working directory.
chown dspam:postfix /var/dspam/mysql.data
chmod 440 /var/dspam/mysql.data
Finally, we don't want the database to grow forever, so we set up a nightly cron job to clean things up. Edit /etc/crontab.
vi /etc/crontab
# /etc/crontab requires a user field after the five time fields. Note that the
# database password sits in clear text in this file, so keep it readable by root only.
0 0 * * * root (/usr/bin/mysql -u dspam -p'DSPAMPASS' dspam < /var/dspam/purge.sql) >/dev/null 2>&1
Joining Dspam and postfix
We need to tell postfix where to find dspam. We do this in /etc/postfix/master.cf.
vi /etc/postfix/master.cf
dspam     unix  -       n       n       -       -       pipe
    flags=Rhq user=dspam argv=/usr/local/bin/dspam -i -f ${sender} -- %u --user ${recipient}
dspam-add unix  -       n       n       -       -       pipe
    flags=Rhq user=dspam argv=/usr/local/bin/dspam --user ${user}@${nexthop} --addspam
dspam-del unix  -       n       n       -       -       pipe
    flags=Rhq user=dspam argv=/usr/local/bin/dspam --user ${user}@${nexthop} --falsepositive
and in /etc/postfix/main.cf we need to add the transport_maps line:
vi /etc/postfix/main.cf
transport_maps = regexp:/etc/postfix/transport_regexp
The file /etc/postfix/transport_regexp allows us to route spam or ham to the proper action (mark this as spam, or mark this as not-spam).
vi /etc/postfix/transport_regexp
/^.*@spam.(.*)$/ dspam-add:${1}
/^.*@ham.(.*)$/ dspam-del:${1}
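The following is an added example, not part of the article or of Postfix: it simulates how a regexp: transport table resolves the spam./ham. training addresses (first match wins, case-insensitive, ${1} is the first capture group, as regexp_table(5) describes), and it also shows why the unescaped dot after "spam" and "ham" in the two patterns above matches more addresses than the author likely intended.

```python
import re

# Added example, not from the article. Approximates Postfix regexp_table(5)
# lookups with Python's re module; the table keys are full recipient addresses.

# The table as written above: the '.' after "spam"/"ham" is an unescaped wildcard.
LOOSE_TABLE = [
    (r"^.*@spam.(.*)$", "dspam-add:${1}"),
    (r"^.*@ham.(.*)$", "dspam-del:${1}"),
]

# The same table with the dot escaped, so only a literal spam./ham. subdomain matches.
STRICT_TABLE = [
    (r"^.*@spam\.(.*)$", "dspam-add:${1}"),
    (r"^.*@ham\.(.*)$", "dspam-del:${1}"),
]


def lookup(table, address):
    """Return the expanded right-hand side for address, or None if no pattern matches.
    Postfix regexp tables match case-insensitively unless told otherwise."""
    for pattern, result in table:
        m = re.match(pattern, address, re.IGNORECASE)
        if m:
            # Expand ${1}, ${2}, ... from the capture groups of the matching pattern.
            return re.sub(r"\$\{(\d+)\}", lambda g: m.group(int(g.group(1))), result)
    return None


def route(address, table=STRICT_TABLE):
    """Split a lookup hit into (transport, nexthop). (None, None) means Postfix
    falls through to its default transport for this recipient."""
    hit = lookup(table, address)
    if hit is None:
        return (None, None)
    transport, _, nexthop = hit.partition(":")
    return (transport, nexthop)
```

With the loose table, a message to user@spammer.example.com is handed to dspam-add with the nexthop "er.example.com"; the strict table leaves it on the normal delivery path.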
The DSPAM CGI interface
One can manage DSpam through a web interface that is packaged with the source. I had to first copy the cgi and html directories from the source to the live apache directories on my server.
cp -r ./webui/cgi-bin/* /var/www/cgi-bin/
cp ./webui/htdocs/* /var/www/html
A quick check showed me that the server was now upset about the configure.pl file. In the cgi directory, I found configure.pl.in. I made a copy of that and called it configure.pl.
cp configure.pl.in configure.pl
Now the 500 error went away, and dspam is upset because it can't tell who I am. Hmm, let's get apache to prompt for a user and handle the authentication, then DSpam can trust that username that it received in the http headers.
References
Thanks to everyone!
http://devnull.com/kyler/dspam.20040512.html
postconf.5.html#relay_recipient_maps
DEBUG_README.html
~nugget/projects/postfixrelaymaps/