@@ -10,13 +10,19 @@ |
|
For RedHat / CentOS, you might need to get the RPM's from [http://dag.wieers.com/rpm/FAQ.php#B|DAG]
|
|
+For Suse/SLES, you should [ftp://ftp.suse.com/pub/projects/clamav/|get the latest clamd] to prevent an odd 5+ minute startup hang. Also, you should [http://www.ijs.si/software/amavisd/#download|upgrade amavis] to 2.4 or later to prevent errors as listed in troubleshooting. |
+ |
+ |
!2. Anti-Virus Configuration
|
Tweak __/etc/amavisd.conf__ with your host information, and uncomment the clamd scanner
|
-{code source="txt"}['ClamAV-clamd',
|
+{code source="txt"}# For very high volume servers, disable db support |
+$enable_db = 0; |
+***snip*** |
+['ClamAV-clamd', |
\&ask_daemon, ["CONTSCAN {}\n", "127.0.0.1:3310"],
|
qr/\bOK$/, qr/\bFOUND$/,
|
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],{/code}
|
-You might need to change the socket listed with "127.0.0.1:3310" as listed above. SpamAssassin settings are made in this file. Also, make sure __$inet_socket_port = 10024;__ See [http://www200.pair.com/mecham/spam/amavisd-settings.html|detailed explanation of amavisd.conf] for more information.
|
+You might need to change the socket listed with "127.0.0.1:3310" as listed above. SpamAssassin settings are made in this file. Also, make sure __$inet_socket_port = 10024;__ See [http://www200.pair.com/mecham/spam/amavisd-settings.html|detailed explanation of amavisd.conf] for more information. db support has [http://www.mail-archive.com/amavis-user@lists.sourceforge.net/msg09069.html|limited impact on features and performance]. |
|
{code souce="bash"}/etc/init.d/clamd start
|
service amavisd start
|
|
|
@@ -80,6 +86,7 @@ |
"{code}
|
#Get the [http://tqmcube.com/files/dnsbl_lists.tar.bz2|latest RBLDNS databases] and move database files to /var/lib/rbldnsd
|
# Gentlepeople, start your daemons: "service restart named; service restart rbldnsd;" Test with telnet localhost 53; and telnet locahost 530;
|
+# Edit your __/etc/resolv.conf__ to include 127.0.0.1 so lookups are performed on the local server first. |
# Preform a test lookup:{code source="text"}
|
$dig @localhost 223.61.83.162.clients.blocked.rbl -t txt
|
;; ANSWER SECTION:
|
|
|
@@ -87,6 +94,7 @@ |
{/code}
|
# Update the following line of your __/etc/postfix/main.cf__{code source="txt"}
|
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,reject_rbl_client clients.blocked.rbl,reject_rhsbl_client hosts.blocked.rbl,reject_rhsbl_sender hosts.blocked.rbl{/code}
|
+!![http://wiki.apache.org/spamassassin/DnsBlocklists|Spamassassin DNS Blocklists] |
|
__En-masse IP Block__ Here is a tutorial for [http://www.fadden.com/techmisc/asian-spam.htm|Blocking E-mail from China and Korea] using Postfix and the [http://okean.com/asianspamblocks.html|Okean CIDR Blocks]
|
|
|
|
@@ -94,8 +102,9 @@ |
There are two main options DomainKeys, and SenderID.
|
DomainKeys were invented by Yahoo, SenderID was invented by Microsoft. These are arguably competing techniques, however, implementing both seems to have no ill-effect. Given SenderID was invented by Microsoft, you can be assured Outlook Server SMTP gateways employ SenderID, and are unlikely to support DomainKeys any time soon. In early 2005 when these proposals came out simultaneously, they were seen as competing techniques. As time has passed, they are now seen as more complementary, and typically both are implemented.
|
|
-!!DomainKeys
|
-[http://www.dkim.org/|DomainKeys Identified Mail] is the newest open-standard e-mail authentication specification. To use DomainKeys, typically a filter or "plugin" is needed for your SMTP gateway. There is a [http://dkimproxy.sourceforge.net/|postfix filter] that is fairly easy to install and configure. Several perl modules need to be installed:
|
+!!DomainKeys Identified Mail |
+[http://www.dkim.org/|Domain Keys Identified Mail] is the newest open-standard e-mail authentication specification. To use DomainKeys, typically a filter or "plugin" is needed for your SMTP gateway. There is a [http://dkimproxy.sourceforge.net/|postfix filter] that is fairly easy to install and configure. Several perl modules need to be installed: |
+!!!DKIMproxy |
#Install necessary perl modules (make sure you have openssl-devel installed):{code source="bash"}cpan -i Crypt::OpenSSL::RSA Mail::Address MIME::Base64 Net::DNS Net::Server Test::More Mail::DKIM Error{/code}
|
#[http://dkimproxy.sourceforge.net/|download source], extract tarball, cd into directory, and compile source with __./configure --prefix=/usr/local/dkimproxy ; make install__
|
# For outbound mail signing, you will need a public/private key combo. {code source="txt"}
|
|
|
@@ -122,6 +131,11 @@ |
|
# specify what address/port DKIMproxy forwards mail to
|
relay 127.0.0.1:10029
|
+ |
+ |
+ |
+ |
+ |
|
# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
|
domain yourdomain.com
|
|
|
@@ -191,9 +205,36 @@ |
-o mynetworks=127.0.0.0/8
|
-o smtpd_authorized_xforward_hosts=127.0.0.0/8{/code}
|
!!SenderID (and SPF)
|
-SenderID merged with a smaller group called Sender Policy Framework (SPF). SPF is a very simple mechanism for specifying which servers are valid for sending your email and is much simpler to implement than DomainKeys. Microsoft holds several patents in relation to the SenderID framework, however it released those patents in the "public domain" this past october. Beyond the typical cynicism of Microsoft's ulterior motives, SPF has a significant [http://www.advogato.org/article/816.html|amount of technical criticism]. Regardless, [http://itmanagement.earthweb.com/columns/executive_tech/article.php/3604761|many major ISP's are using SPF] to filter mail, including AOL (and RoadRunner) which has in some reports exclusively implemented SPF to some degree. (Spamassassin reports SOFT_FAIL reports from bogus .rr.com emails.) Spamassassin easily supports SPF with a few simple cpan installs.
|
-
|
+SenderID merged with a smaller group called Sender Policy Framework (SPF). SPF is a very simple mechanism for specifying which servers are valid for sending your email and is much simpler to implement than DomainKeys. Microsoft holds several patents in relation to the SenderID framework, however it released those patents in the "public domain" this past october. Beyond the typical cynicism of Microsoft's ulterior motives, SPF has a significant [http://www.advogato.org/article/816.html|amount of technical criticism]. Regardless, [http://itmanagement.earthweb.com/columns/executive_tech/article.php/3604761|many major ISP's are using SPF] to filter mail, including AOL (and RoadRunner) which has in some reports exclusively implemented SPF to some degree. (Spamassassin reports SOFT_FAIL reports from bogus .rr.com emails.) |
+!!!Spamassassin SPF Support |
+#Install SPF perl module{code source="txt"}cpan -i Mail::SPF::Query{/code} |
+!!!SPF Outbound support |
The quickest way to get the DNS entries up and running is to [http://www.openspf.org/FAQ/Manage_my_own|follow the wizard].
|
+ |
+!Spam Detection |
+There are two top spam tools - DSPAM and spamassassin. |
+ |
+!6. Spamassassin Configuration |
+#The spamassassin site has a review on [http://wiki.apache.org/spamassassin/IntegratedInPostfixWithAmavis|integrating amavis and spamassassin], which is mostly ready to go by default.symlinking the bayes databases ( __ln -s /var/spool/amavis/.spamassassin /root__ ) is a good idea so you can use sa-learn by hand to stock you bayes database. Review [http://www.ijs.si/software/amavisd/#faq-spam|amavis + spamassassin FAQ] to tweak your configuration parameters. |
+#Configure __sa-update__ - add [http://saupdates.openprotect.com/|OpenProtect Rules] to update daily.{code source="bash"}$ wget http://saupdates.openprotect.com/pub.gpg |
+$ sa-update --nogpg --import pub.gpg |
+$ crontab -e |
+... add ... |
+1 5 0 0 0 sa-update --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com --channel updates.spamassassin.org |
+{/code} |
+!![http://razor.sourceforge.net/|Razor] |
+#Get the [http://razor.sourceforge.net/|latest SDK source] and install {code source="bash"}wget http://unc.dl.sourceforge.net/sourceforge/razor/razor-agents-sdk-2.07.tar.gz |
+tar xvzf razor-agents-sdk-2.07.tar.gz |
+cd razor-agents-sdk-2.07 |
+perl Makefile.PL && make && make install # Or, if not root: perl Makefile.PL PREFIX=$HOME && make && make install{/code} |
+# Get the [http://razor.sourceforge.net/|latest agents source] and register agents{code source="bash"}wget http://unc.dl.sourceforge.net/sourceforge/razor/razor-agents-2.84.tar.gz |
+tar xvzf razor-agents-2.84.tar.gz |
+cd razor-agents-2.84 |
+perl Makefile.PL PREFIX=$HOME && make && make install # Or, if installing system-wide as root: perl Makefile.PL && make && make install |
+razor-admin -create |
+razor-admin -discover |
+razor-admin -register{/code} |
+# Disable razor logging, else you will quickly fill up /var/. Edit __/var/spool/amavisd/.razor/razor-agent.conf__ and add: debuglevel = 0 |
|
!Troubleshooting
|
*Be sure to watch your logs, such as: tail -f /var/log/maillog
|
|
|
@@ -203,16 +244,22 @@ |
Active Internet connections (only servers)
|
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
|
tcp 0 0 localhost:10024 *:* LISTEN 2011/amavisd (maste
|
-tcp 0 0 localhost:10025 *:* LISTEN 16463/master
|
-tcp 0 0 localhost:10026 *:* LISTEN 15545/perl
|
-tcp 0 0 *:submission *:* LISTEN 16463/master
|
-tcp 0 0 localhost:10027 *:* LISTEN 16463/master
|
-tcp 0 0 localhost:10028 *:* LISTEN 15554/perl
|
-tcp 0 0 localhost:10029 *:* LISTEN 16463/master
|
+tcp 0 0 localhost:10025 *:* LISTEN 19755/master |
+tcp 0 0 localhost:10026 *:* LISTEN 19221/perl |
+tcp 0 0 localhost:10027 *:* LISTEN 19755/master |
+tcp 0 0 localhost:10028 *:* LISTEN 19229/perl |
+tcp 0 0 localhost:10029 *:* LISTEN 19755/master |
tcp 0 0 localhost:dyna-access *:* LISTEN 1803/clamd
|
tcp 0 0 localhost:domain *:* LISTEN 1875/named
|
-tcp 0 0 *:smtp *:* LISTEN 16463/master {/code}
|
+tcp 0 0 *:smtp *:* LISTEN 19755/master |
+tcp 0 0 *:domain *:* LISTEN 1875/named |
+tcp 0 0 *:ssh *:* LISTEN 2064/sshd |
+tcp 0 0 *:smtp *:* LISTEN 19755/master |
+*snip*{/code} |
+* Error like : {code source="text"}child process [20099]: Error closing main::stdin: Bad file descriptor at /usr/sbin/amavisd line 1872, <GEN8> line 74.\n{/code} Net: :Server 0.91 (or later) introduced a change which makes it incompatible with amavisd-new-2.3.3 (or earlier). Either [http://www.ijs.si/software/amavisd/#download|upgrade amavis] or downgrade your perl Net: :Server |
|
!References and Other tutorails
|
+[http://www.akadia.com/services/postfix_amavisd.html] Similar setup to postmax with mysql and quarantining web app. |
+[http://wiki.apache.org/spamassassin/SingleUserUnixInstall] |
[http://devnull.com/kyler/dspam.20040512.html]
|
[http://howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-mandriva2008.1-p3] |
|
|