Category: BSD

2007-11-22 02:05:10

most of this has been taken from the FairlySecureAntiSpamWiki, but has been modified to suit the selco.info network. it passes mail on to the exchange server at 172.20.100.81 and doesn't use dcc or pyzor. other than that, it's strikingly similar.
  1. remove sendmail
    1. Delete the old sendmail executable.
      note that on OpenBSD, the real sendmail executable will still be available at /usr/libexec/sendmail/sendmail.
      # rm /usr/sbin/sendmail
    2. Remove sendmail queue runner command in crontab
      # crontab -e
      Look for the lines that look like this and remove them or comment them out with a #
      # sendmail clientmqueue runner
      */30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q
    3. Edit the /etc/rc.conf file to prevent sendmail from starting when the computer boots. make the sendmail_flags line look like this:
      sendmail_flags = NO
    4. Kill off any existing sendmail processes.
      # kill `head -1 /var/run/sendmail.pid`
      # ps -ax |grep [s]endmail
  2. add users
    1. Use vipw to edit the password file. Go to the bottom of the file and add the following line:
      amavisd:*:3000:3000::0:0:Amavis Mail Scanner Daemon:/var/amavisd:/sbin/nologin
    2. add the group account for our new user. edit the /etc/group file. Add the following line (preferably in numeric order with any other groups in the list):
      amavisd:*:3000:
  3. install & configure postfix
    1. install postfix
      # pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/postfix-2.1.4.tgz
    2. add "-a /var/spool/postfix/dev/log" to syslogd_flags in /etc/rc.conf and restart syslogd
      # kill -HUP `cat /var/run/syslog.pid`
    3. enable postfix (ignore the instruction to edit the sendmail_flags)
      # /usr/local/sbin/postfix-enable
      # ln -s /usr/local/sbin/sendmail /usr/sbin/sendmail
    4. change your postfix configs.
      note: this is the part that enables the xbl and sbl in postfix
      your best bet is to just use the following patch and apply it like so:
      # ftp -o - ~dlg/spam/postfix-config.patch | patch
    5. set up postfix to pass our email (and no-one else's!)
      # cat << EOF > /etc/postfix/relay_domains
      selco.info OK
      .selco.info OK
      selco.lib.mn.us OK
      .selco.lib.mn.us OK
      EOF
      # echo "* smtp:[172.20.100.81]" > /etc/postfix/transport
      # postmap /etc/postfix/transport
    6. start postfix at boot
      # echo "/usr/local/sbin/postfix start" >> /etc/rc.local
    7. start postfix
      # /usr/local/sbin/postfix start
  4. install perl modules
    1. go to the perl CPAN shell
      # perl -MCPAN -e shell
      note: when it asks you for manual configuration, say "yes" and select all the defaults until you get to the mirror selection. then, obviously, you should choose a mirror that works for you.
    2. install, install, install
      cpan> install MD5 LWP Mail::Internet Archive::Tar Archive::Zip IO::Wrap IO::Stringy Unix::Syslog MIME::Words MIME::Head MIME::Body MIME::Entity MIME::Parser Net::SMTP Net::DNS Net::Ping Net::Server Net::Server::PreForkSimple Convert::TNEF Convert::UUlib MIME::Decoder::Base64 MIME::Decoder::Binary MIME::Decoder::Gzip64 MIME::Decoder::NBit MIME::Decoder::QuotedPrint MIME::Decoder::UU Time::HiRes Digest::SHA1 Digest::Nilsimsa Getopt::Long File::Copy Bit::Vector Date::Calc
      cpan> install R/RH/RHANDOM/Net-Server-0.84.tar.gz
      cpan> q
      notes:
      • defaults are usually sufficient. in fact, they're all i used. use your best judgement.
      • you will also be asked about dependencies required. for example:
        ---- Unsatisfied dependencies detected during [G/GA/GAAS/libwww-perl-5.803.tar.gz] -----
        URI
        Compress::Zlib
        HTML::Parser
        Shall I follow them and prepend them to the queue
        of modules we are processing right now? [yes]
        always say yes.
      • see for an explanation of the old Net-Server package.

  5. install berkeley db
    1. install the package
      # pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/db-4.2.52p1.tgz
    2. In order for the perl BerkeleyDB modules to install correctly, you must set up some symlinks:
      # mkdir /usr/local/BerkeleyDB
      # ln -s /usr/local/lib/db4 /usr/local/BerkeleyDB/lib
      # ln -s /usr/local/include/db4 /usr/local/BerkeleyDB/include
    3. install berkeleydb with cpan
      # perl -MCPAN -e shell
      cpan> install BerkeleyDB
      Note that currently this install will fail because testing of the subdb module fails.
      To bypass the testing errors, quit out of CPAN and compile and install manually without testing.

      cpan> q
      # cd /root/.cpan/build/BerkeleyDB-0.26
      # make clean
      # perl Makefile.PL
      # make
      # make install
  6. install spamassassin
    1. install the perl module (use the defaults, of course)
      # perl -MCPAN -e shell
      cpan> install Mail::SpamAssassin
      cpan> q
    2. set the config (or, )
      # cat << EOF > /etc/mail/spamassassin/local.cf
      report_safe 0

      use_bayes 1
      bayes_path /var/amavisd/.spamassassin/bayes

      skip_rbl_checks 0
      use_razor2 0
      use_dcc 0
      use_pyzor 0

      dns_available yes

      ## Optional Score Increases
      score BAYES_99 4.300
      score BAYES_90 3.500
      score BAYES_80 3.000
      score RCVD_IN_SBL 1000
      score RCVD_IN_XBL 1000
      EOF
    3. set up the amavisd and spamassassin home directory for the amavisd user.
      # mkdir -p /var/amavisd
      # chown amavisd.amavisd /var/amavisd
      # chmod 750 /var/amavisd
      # cd /var/amavisd
      # mkdir .spamassassin
      # touch .spamassassin/user_prefs
      # chown -R amavisd.amavisd .spamassassin
    4. Copy the required files to the amavisd chroot directory:
      # mkdir -p etc/mail/spamassassin usr/local/share
      # cp /etc/mail/spamassassin/local.cf etc/mail/spamassassin/
      # cp /etc/mail/spamassassin/init.pre etc/mail/spamassassin/
      # cp -r /usr/local/share/spamassassin usr/local/share
  7. install amavisd-new
    1. install and set up the chroot
      # cd /root
      # mkdir /var/amavisd
      # chown amavisd:amavisd ~amavisd
      # ftp -o - | tar xzvf -
      # cd amavisd-new-2.2.0
      # cp amavisd /usr/local/sbin/
      # chown root.wheel /usr/local/sbin/amavisd
      # chmod 550 /usr/local/sbin/amavisd
      # cp amavisd.conf /etc/
      # chown root.wheel /etc/amavisd.conf
      # chmod 644 /etc/amavisd.conf
      # touch /var/amavisd/amavis.log
      # chown amavisd.amavisd /var/amavisd/amavis.log
    2. patch amavisd to make the block reason a variable in the config file.
      # ftp -o - ~dlg/spam/amavisd.patch | patch
    3. create /etc/amavisd.conf
      use strict;

      $MYHOME = '/var/amavisd';
      $mydomain = 'selco.info';
      $daemon_user = 'amavisd';
      $daemon_group = 'amavisd';
      $daemon_chroot_dir = $MYHOME;

      $QUARANTINEDIR = "$MYHOME/quarantine";
      $TEMPBASE = "$MYHOME/tmp";
      $ENV{TMPDIR} = $TEMPBASE;
      $helpers_home = $MYHOME;

      $block_reason = "This message has been rejected as SPAM. If you believe this is an error, please call (800) 992-5061";


      $max_servers=8;
      $child_timeout=20*60; # we need to adjust the timeout since it is not a localhost transfer

      $forward_method = 'smtp:127.0.0.1:10025';
      $notify_method = $forward_method;
      $inet_socket_port = 10024;
      $inet_socket_bind = '127.0.0.1';

      @bypass_virus_checks_acl = (1);
      read_hash(\%local_domains, '/etc/postfix/relay_domains');

      $DO_SYSLOG = 1; # (1 = syslog, 0 = logfile)
      $log_level = 5; # (0-5)

      $final_spam_destiny = D_REJECT; # Set to D_REJECT, D_PASS to pass through

      read_hash(\%whitelist_sender, '/var/amavisd/whitelist');
      read_hash(\%blacklist_sender, '/var/amavisd/blacklist');
      read_hash(\%spam_lovers, '/var/amavisd/spam_lovers');

      #defending against mail bombs
      $MAXLEVELS = 14;
      $MAXFILES = 1500;
      $MIN_EXPANSION_QUOTA = 100*1024;
      $MAX_EXPANSION_QUOTA = 300*1024*1024;

      $path = '/usr/bin:/bin';
      $file = 'file';

      $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
      $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1

      # SpamAssassin settings
      $sa_local_tests_only = 0;
      #$sa_auto_whitelist = 1; # comment this line out to turn off auto whitelist
      $sa_mail_body_size_limit = 64*1024; # 64KB

      $sa_tag_level_deflt = 0.0; # controls adding the X-Spam-Status and X-Spam-Level headers,

      $sa_tag2_level_deflt = 6.3; # controls adding 'X-Spam-Flag: YES', and editing Subject,
      $sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions:

      $sa_spam_subject_tag = '***SPAM*** ';
      #$sa_debug = 1; # comment this line out to turn off debugging


      $spam_quarantine_to = "postmaster\@selco.info";
      1; # ensure a defined return

    4. create amavisd's directories
      # mkdir /var/amavisd/tmp
      # chown amavisd:amavisd /var/amavisd/tmp
      # chmod 750 /var/amavisd/tmp
      # mkdir /var/amavisd/quarantine
      # chown amavisd:amavisd /var/amavisd/quarantine
      # chmod 750 /var/amavisd/quarantine
      # mkdir /var/amavisd/db
      # chown amavisd:amavisd /var/amavisd/db
      # chmod 750 /var/amavisd/db
    5. give amavisd-new the required files in the chroot jail (the paths below are relative to the chroot root, so change into it first)
      # cd /var/amavisd
      # mkdir -p etc dev tmp var/run bin
      # mkdir -p usr/bin usr/share/zoneinfo usr/lib usr/libexec
      note: assuming /var is not mounted nodev, we can create the null character device in the chroot. if it is, you will have to take "nodev" out of /var's entry in /etc/fstab and reboot.
      # mknod dev/null c 2 2
      make sure there's a /var/amavisd in the chroot:
      # ln -s / var/amavisd
    6. Copy the configuration files for our system to our chroot etc directory.
      Please note that if you ever make any changes in the originals you will need to copy them again to this directory.
      # cp /etc/protocols etc
      # cp /etc/services etc
      # cp /etc/hosts etc
      # cp /etc/magic etc
      # cp /etc/resolv.conf etc
      # cp /etc/group etc
      # cp /etc/passwd etc
    7. the file(1) binary is required for amavisd to run.
      # cp /usr/bin/file /var/amavisd/bin
      # cp /usr/lib/libc.so.* /var/amavisd/usr/lib
      # cp /usr/libexec/ld.so /var/amavisd/usr/libexec
    8. Create a dummy pwd.db file
      # echo 'amavisd:*:3000:3000::0:0:Amavis Mail Scanner Daemon:/var/amavisd:/sbin/nologin' > /var/amavisd/etc/master.passwd
      # pwd_mkdb -d /var/amavisd/etc/ -p /var/amavisd/etc/master.passwd
    9. Set permissions.
      note that amavisd must own its home directory (/var/amavisd) otherwise it will generate permissions errors.
      # chown -R root.wheel etc dev tmp usr var
      # chown -R amavisd:amavisd .spamassassin quarantine
      # chmod 1777 tmp
      # chmod 666 dev/null
    10. Create our whitelist, blacklist and spam_lovers files.
      These files are lists with 1 email address or domain per line (in lower case), of recipients and senders that we want to treat specially. Senders in the blacklist file are automatically marked as SPAM. Senders in the whitelist file are never marked as SPAM. Recipients in the spam_lovers are basically your users that want to opt-out of the spam blocking system. The postmaster account is added because the RFCs require that the postmaster account is unfiltered.
      # touch /var/amavisd/blacklist
      # touch /var/amavisd/whitelist
      # echo postmaster@selco.info > /var/amavisd/spam_lovers
      # echo postmaster@selco.lib.mn.us >> /var/amavisd/spam_lovers
    11. start amavisd at boot.
      add the following to /etc/rc.local, but make sure it starts before postfix.
      # Start amavisd spam filter
      if [ -x /usr/local/sbin/amavisd ]; then
        echo -n ' amavisd'; /usr/local/sbin/amavisd
      fi
  8. setting up greylisting
    1. change /etc/rc.conf on the following lines:
      pf=YES
      spamd_flags="-v -G 5:4:864"
      spamd_grey=YES
      note: -G is passtime:greyexp:whiteexp. a greylisted sender must retry after 5 minutes, a grey entry that is never retried is dropped after 4 hours, and a host that passes stays whitelisted for 864 hours (36 days).
    2. edit /etc/pf.conf and add the following lines:
      ext_if="fxp0"
      table <spamd-white> persist
      rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
          -> 127.0.0.1 port spamd
    3. disable all blocklists in /etc/spamd.conf
      # echo all: > /etc/spamd.conf
    4. reboot
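Following up on the caveats in steps 7.6 (the chroot copies of the /etc files go stale whenever the originals change) and 7.9 (amavisd must own /var/amavisd, tmp must be 1777 and dev/null a 0666 character device), here is an added check script; it is not part of the original notes or of amavisd-new. It assumes the chroot layout built above; the function name, its arguments and the list of copied files are mine.

```shell
#!/bin/sh
# Added example (not from the original notes or amavisd-new): re-verify the
# amavisd chroot built above.  Reports copies of /etc files that no longer
# match the originals, and the mode/ownership bits the setup relies on.
# Usage: amavisd_chroot_check <chroot dir> [source root] [daemon user]
# Returns the number of problems found (0 = everything still in sync).

# the files copied into the chroot in step 7.6
CHROOT_COPIES="etc/protocols etc/services etc/hosts etc/magic etc/resolv.conf etc/group etc/passwd"

amavisd_chroot_check() {
    chroot_dir=$1
    src_root=${2:-/}
    daemon_user=${3:-amavisd}
    problems=0

    for f in $CHROOT_COPIES; do
        if [ ! -f "$chroot_dir/$f" ]; then
            echo "MISSING:   $chroot_dir/$f"
            problems=$((problems + 1))
        elif ! cmp -s "$src_root/$f" "$chroot_dir/$f"; then
            echo "STALE:     $chroot_dir/$f differs from $src_root/$f (copy it again)"
            problems=$((problems + 1))
        fi
    done

    # step 7.9: chmod 1777 tmp
    if [ -z "$(find "$chroot_dir/tmp" -maxdepth 0 -type d -perm 1777 2>/dev/null)" ]; then
        echo "BAD MODE:  $chroot_dir/tmp is not a directory with mode 1777"
        problems=$((problems + 1))
    fi
    # steps 7.5 and 7.9: mknod dev/null c 2 2 ; chmod 666 dev/null
    if [ -z "$(find "$chroot_dir/dev/null" -maxdepth 0 -type c -perm 666 2>/dev/null)" ]; then
        echo "BAD DEV:   $chroot_dir/dev/null is not a character device with mode 0666"
        problems=$((problems + 1))
    fi
    # step 7.9 note: amavisd must own its home directory
    if [ -z "$(find "$chroot_dir" -maxdepth 0 -type d -user "$daemon_user" 2>/dev/null)" ]; then
        echo "BAD OWNER: $chroot_dir is not owned by $daemon_user"
        problems=$((problems + 1))
    fi
    return $problems
}

# run on the live system (as root) with: sh thisfile.sh --check
if [ "${1-}" = "--check" ]; then
    amavisd_chroot_check /var/amavisd / amavisd
fi
```

Run it from cron after any change to /etc and act on a non-zero return; it only reports and never modifies the chroot.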