most of this has been taken from the FairlySecureAntiSpamWiki, but has been
modified to suit the selco.info network. it passes mail on to the exchange
server at 172.20.100.81 and doesn't use dcc or pyzor. other than that, it's
strikingly similar.
-
remove sendmail
- Delete the old sendmail executable.
note that on OpenBSD, the real sendmail executable will still be
available at /usr/libexec/sendmail/sendmail.
# rm /usr/sbin/sendmail
- Remove sendmail queue runner command in crontab
# crontab -e
Look for the lines that look like this and remove them
or comment them out with a #
# sendmail clientmqueue runner
*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q
- Edit the /etc/rc.conf file to prevent sendmail from
starting when the computer boots. make the sendmail_flags line
look like this:
sendmail_flags=NO
- Kill off any existing sendmail processes.
# kill `head -1 /var/run/sendmail.pid`
# ps -ax |grep [s]endmail
-
add users
- Use vipw to edit the password file. Go to the bottom of
the file and add the following line:
amavisd:*:3000:3000::0:0:Amavis Mail Scanner Daemon:/var/amavisd:/sbin/nologin
- add the group account for our new user. edit the
/etc/group file. Add the following line (preferably in
numeric order with any other groups in the list):
amavisd:*:3000:
-
install & configure postfix
- install postfix
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/postfix-2.1.4.tgz
- add "-a /var/spool/postfix/dev/log" to
syslogd_flags in /etc/rc.conf and restart syslogd
# kill -HUP `cat /var/run/syslog.pid`
- enable postfix (ignore the instruction to edit the
sendmail_flags)
# /usr/local/sbin/postfix-enable
# ln -s /usr/local/sbin/sendmail /usr/sbin/sendmail
- change your postfix configs.
note: this is the part that enables the xbl and sbl in
postfix
your best bet is to just use the following patch: and apply it like so:
# ftp -o - ~dlg/spam/postfix-config.patch | patch
- set up postfix to pass our email (and no-one else's!)
# cat << EOF > /etc/postfix/relay_domains
selco.info OK
.selco.info OK
selco.lib.mn.us OK
.selco.lib.mn.us OK
EOF
# echo "* smtp:[172.20.100.81]" > /etc/postfix/transport
# postmap /etc/postfix/transport
- start postfix at boot
# echo "/usr/local/sbin/postfix start" >> /etc/rc.local
- start postfix
# /usr/local/sbin/postfix start
-
install perl modules
- go to the perl CPAN shell
# perl -MCPAN -e shell
note: when it asks you for manual configuration, say
"yes" and select all the defaults until you get to the mirror
selection. then, obviously, you should choose a mirror that works for
you.
- install, install, install
cpan> install MD5 LWP Mail::Internet Archive::Tar
Archive::Zip IO::Wrap IO::Stringy Unix::Syslog MIME::Words
MIME::Head MIME::Body MIME::Entity MIME::Parser Net::SMTP Net::DNS
Net::Ping Net::Server Net::Server::PreForkSimple Convert::TNEF
Convert::UUlib MIME::Decoder::Base64 MIME::Decoder::Binary
MIME::Decoder::Gzip64 MIME::Decoder::NBit
MIME::Decoder::QuotedPrint MIME::Decoder::UU Time::HiRes
Digest::SHA1 Digest::Nilsimsa Getopt::Long File::Copy Bit::Vector
Date::Calc
cpan> install R/RH/RHANDOM/Net-Server-0.84.tar.gz
cpan> q
notes:
- defaults are usually sufficient. in fact, they're all i used.
use your best judgement.
- you will also be asked about dependencies required. for
example:
---- Unsatisfied dependencies detected during [G/GA/GAAS/libwww-perl-5.803.tar.gz] -----
URI
Compress::Zlib
HTML::Parser
Shall I follow them and prepend them to the queue
of modules we are processing right now? [yes]
always say yes.
- see
for an explanation of the old Net-Server package.
-
install berkeley db
- install the package
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/db-4.2.52p1.tgz
- In order for the perl BerkeleyDB modules to install correctly, you
must set up some symlinks:
# mkdir /usr/local/BerkeleyDB
# ln -s /usr/local/lib/db4 /usr/local/BerkeleyDB/lib
# ln -s /usr/local/include/db4 /usr/local/BerkeleyDB/include
- install berkeleydb with cpan
# perl -MCPAN -e shell
cpan> install BerkeleyDB
Note that currently this
install will fail because testing of the subdb module fails.
To bypass the testing errors, quit out of CPAN and compile and
install manually without testing.
cpan> q
# cd /root/.cpan/build/BerkeleyDB-0.26
# make clean
# perl Makefile.PL
# make
# make install
-
install spamassassin
- install the perl module (use the defaults, of course)
# perl -MCPAN -e shell
cpan> install Mail::SpamAssassin
cpan> q
- set the config (or, )
# cat << EOF > /etc/mail/spamassassin/local.cf
report_safe 0
use_bayes 1
bayes_path /var/amavisd/.spamassassin/bayes
skip_rbl_checks 0
use_razor2 0
use_dcc 0
use_pyzor 0
dns_available yes
## Optional Score Increases
score BAYES_99 4.300
score BAYES_90 3.500
score BAYES_80 3.000
score RCVD_IN_SBL 1000
score RCVD_IN_XBL 1000
EOF
- set up the amavisd and spamassassin home directory for the amavisd
user.
# mkdir -p /var/amavisd
# chown amavisd.amavisd /var/amavisd
# chmod 750 /var/amavisd
# cd /var/amavisd
# mkdir .spamassassin
# touch .spamassassin/user_prefs
# chown -R amavisd.amavisd .spamassassin
- Copy the required files to the amavisd chroot directory:
# mkdir -p etc/mail/spamassassin usr/local/share
# cp /etc/mail/spamassassin/local.cf etc/mail/spamassassin/
# cp /etc/mail/spamassassin/init.pre etc/mail/spamassassin/
# cp -r /usr/local/share/spamassassin usr/local/share
-
install amavisd-new
- install and set up the chroot
# cd /root
# mkdir -p /var/amavisd
# chown amavisd:amavisd ~amavisd
# ftp -o -
| tar
xzvf -
# cd amavisd-new-2.2.0
# cp amavisd /usr/local/sbin/
# chown root.wheel /usr/local/sbin/amavisd
# chmod 550 /usr/local/sbin/amavisd
# cp amavisd.conf /etc/
# chown root.wheel /etc/amavisd.conf
# chmod 644 /etc/amavisd.conf
# touch /var/amavisd/amavis.log
# chown amavisd.amavisd /var/amavisd/amavis.log
- patch amavisd to make the block reason a variable in the
config file.
# ftp -o - ~dlg/spam/amavisd.patch | patch
- create /etc/amavisd.conf
use strict;
$MYHOME = '/var/amavisd';
$mydomain = 'selco.info';
$daemon_user = 'amavisd';
$daemon_group = 'amavisd';
$daemon_chroot_dir = $MYHOME;
$QUARANTINEDIR = "$MYHOME/quarantine";
$TEMPBASE = "$MYHOME/tmp";
$ENV{TMPDIR} = $TEMPBASE;
$helpers_home = $MYHOME;
$block_reason = "This message has been rejected as SPAM. If you believe this is an error, please call (800) 992-5061";
$max_servers=8;
$child_timeout=20*60; # we need to adjust the timeout since it is not a localhost transfer
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;
$inet_socket_port = 10024;
$inet_socket_bind = '127.0.0.1';
@bypass_virus_checks_acl = (1);
read_hash(\%local_domains, '/etc/postfix/relay_domains');
$DO_SYSLOG = 1; # (1 = syslog, 0 = logfile)
$log_level = 5; # (0-5)
$final_spam_destiny = D_REJECT; # Set to D_REJECT, D_PASS to pass through
read_hash(\%whitelist_sender, '/var/amavisd/whitelist');
read_hash(\%blacklist_sender, '/var/amavisd/blacklist');
read_hash(\%spam_lovers, '/var/amavisd/spam_lovers');
#defending against mail bombs
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024;
$MAX_EXPANSION_QUOTA = 300*1024*1024;
$path = '/usr/bin:/bin';
$file = 'file';
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
# SpamAssassin settings
$sa_local_tests_only = 0;
#$sa_auto_whitelist = 1; # comment this line out to turn off auto whitelist
$sa_mail_body_size_limit = 64*1024; # 64KB
$sa_tag_level_deflt = 0.0; # controls adding the X-Spam-Status and X-Spam-Level headers,
$sa_tag2_level_deflt = 6.3; # controls adding 'X-Spam-Flag: YES', and editing Subject,
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions:
$sa_spam_subject_tag = '***SPAM*** ';
#$sa_debug = 1; # comment this line out to turn off debugging
$spam_quarantine_to = "postmaster\@selco.info";
1; # insure a defined return
- create amavisd's directories
# mkdir /var/amavisd/tmp
# chown amavisd:amavisd /var/amavisd/tmp
# chmod 750 /var/amavisd/tmp
# mkdir /var/amavisd/quarantine
# chown amavisd:amavisd /var/amavisd/quarantine
# chmod 750 /var/amavisd/quarantine
# mkdir /var/amavisd/db
# chown amavisd:amavisd /var/amavisd/db
# chmod 750 /var/amavisd/db
- give amavisd-new the required files in the chroot jail
(the relative paths from here on are relative to /var/amavisd)
# cd /var/amavisd
# mkdir -p etc dev tmp var/run bin
# mkdir -p usr/bin usr/share/zoneinfo usr/lib usr/libexec
note: assuming var is not mounted nodev,
we can create the null character device in the chroot. if it's not,
you will have to take "nodev" out of /var's entry in /etc/fstab and
reboot.
# mknod dev/null c 2 2
make sure there's a /var/amavisd in the chroot:
# ln -s / var/amavisd
- Copy the configuration files for our system to our chroot etc
directory.
Please note that if you ever make any changes in the
originals you will need to copy them again to this
directory.
# cp /etc/protocols etc
# cp /etc/services etc
# cp /etc/hosts etc
# cp /etc/magic etc
# cp /etc/resolv.conf etc
# cp /etc/group etc
# cp /etc/passwd etc
- the file binary is required for amavisd to run.
# cp /usr/bin/file /var/amavisd/bin
# cp /usr/lib/libc.so.* /var/amavisd/usr/lib
# cp /usr/libexec/ld.so /var/amavisd/usr/libexec
- Create a dummy pwd.db file
# echo 'amavisd:*:3000:3000::0:0:Amavis Mail Scanner Daemon:/var/amavisd:/sbin/nologin' > /var/amavisd/etc/master.passwd
# pwd_mkdb -d /var/amavisd/etc/ -p /var/amavisd/etc/master.passwd
- Set permissions.
note that amavisd must own its home directory
(/var/amavisd) otherwise it will generate permissions
errors.
# chown -R root.wheel etc dev tmp usr var
# chown -R amavisd:amavisd .spamassassin quarantine
# chmod 1777 tmp
# chmod 666 dev/null
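One way to check the jail after the permission step, as an added example that is not part of the original guide: it reports a home directory not owned by the daemon, anything under the system directories that the daemon owns or that is world-writable, a tmp that is not mode 1777, and a dev/null that is not a character device. The function name audit_jail and its output format are made up for this example.

```shell
#!/bin/sh
# Added example: audit the amavisd chroot laid out by the steps above.
# Usage: audit_jail /var/amavisd amavisd
# Prints one finding per line; no output means the layout matches.
audit_jail() {
    root=$1 user=$2

    # The daemon must own its home directory (the jail root itself).
    [ -n "$(find "$root" -prune -user "$user")" ] ||
        echo "home: not owned by $user"

    # Nothing under the system directories may be owned by the daemon
    # or be world-writable. Symlinks and character devices are skipped
    # (dev/null is mode 666 by design).
    for d in etc dev usr bin; do
        if [ ! -d "$root/$d" ]; then
            echo "$d: missing"
            continue
        fi
        find "$root/$d" ! -type l ! -type c \
            \( -user "$user" -o -perm -0002 \) |
            sed "s|^$root/\(.*\)|\1: writable by daemon or world|"
    done

    # tmp must be sticky and world-writable: exactly mode 1777.
    [ -n "$(find "$root/tmp" -prune -perm 1777 2>/dev/null)" ] ||
        echo "tmp: mode is not 1777"

    # dev/null has to be a real device node; a regular file in its
    # place would keep everything the daemon writes to it.
    [ -c "$root/dev/null" ] || echo "dev/null: not a character device"
}
```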
- Create our whitelist, blacklist and spam_lovers files.
These files are lists with 1 email address or domain per line (in
lower case), of recipients and senders that we want to treat
specially. Senders in the blacklist file are automatically marked as
SPAM. Senders in the whitelist file are never marked as SPAM.
Recipients in the spam_lovers are basically your users that want to
opt-out of the spam blocking system. The postmaster account is added
because the RFCs require that the postmaster account is
unfiltered.
# touch /var/amavisd/blacklist
# touch /var/amavisd/whitelist
# echo postmaster@selco.info > /var/amavisd/spam_lovers
# echo postmaster@selco.lib.mn.us >> /var/amavisd/spam_lovers
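A sanity check for these list files, as an added example that is not part of the original guide: it flags entries that are not lower case and lists every relayed domain whose postmaster address is missing from spam_lovers. The function names are made up here, and treating "#" as a comment marker is an assumption of the example.

```shell
#!/bin/sh
# Added example: sanity-check the amavisd lookup files described above.
# Usage:
#   mixed_case /var/amavisd/whitelist /var/amavisd/blacklist
#   missing_postmasters /etc/postfix/relay_domains /var/amavisd/spam_lovers

# keys FILE: first field of every entry line. Blank lines are skipped;
# treating "#" as a comment marker is an assumption of this example.
keys() {
    awk '{ sub(/#.*/, "") } NF { print $1 }' "$1"
}

# mixed_case FILE...: report entries that are not entirely lower case,
# as "file:line: entry".
mixed_case() {
    for f in "$@"; do
        awk -v f="$f" '{ sub(/#.*/, "") }
            NF && $1 != tolower($1) { printf "%s:%d: %s\n", f, NR, $1 }' "$f"
    done
}

# missing_postmasters RELAY_DOMAINS SPAM_LOVERS: print each
# postmaster@domain that is relayed but not exempt from filtering.
# ".domain" entries (subdomain patterns) are skipped.
missing_postmasters() {
    keys "$1" | grep -v '^\.' | while read -r dom; do
        keys "$2" | grep -qxF "postmaster@$dom" || echo "postmaster@$dom"
    done
}
```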
- start amavisd at boot.
add the following to /etc/rc.local, but make sure it starts before
postfix.
# Start amavisd spam filter
if [ -x /usr/local/sbin/amavisd ]; then
echo -n ' amavisd'; /usr/local/sbin/amavisd
fi
-
setting up greylisting
- change /etc/rc.conf on the following lines:
pf=YES
spamd_flags="-v -G 5:4:864"
spamd_grey=YES
- edit /etc/pf.conf and add the following lines:
ext_if="fxp0"
table persist
rdr pass on $ext_if proto tcp from ! to port
smtp \
-> 127.0.0.1 port spamd
- disable all blocklists in /etc/spamd.conf
# echo all: > /etc/spamd.conf
- reboot