( ! ) Warning: session_start(): open(/var/lib/php/session/sess_oithu7danqap438mo9jka1t130, O_RDWR) failed: No such file or directory (2) in /var/www/bitweaver/live/users/includes/bit_setup_inc.php on line 82
Call Stack
10.0000247792{main}( ).../page_history.php:0
20.0001249848require_once( '/var/www/bitweaver/live/kernel/includes/setup_inc.php' ).../page_history.php:16
30.01731928256BitSystem->scanPackages( ).../setup_inc.php:141
40.01912196544BitSystem->loadPackage( ).../BitSystem.php:1183
50.01912199576include_once( '/var/www/bitweaver/live/users/includes/bit_setup_inc.php' ).../BitSystem.php:1109
60.01952603840session_start ( ).../bit_setup_inc.php:82

( ! ) Warning: session_write_close(): open(/var/lib/php/session/sess_oithu7danqap438mo9jka1t130, O_RDWR) failed: No such file or directory (2) in /var/www/bitweaver/live/kernel/includes/classes/BitSystem.php on line 580
Call Stack
10.0000247792{main}( ).../page_history.php:0
20.04324026976BitSystem->display( ).../page_history.php:57
30.04334028512BitSystem->preDisplay( ).../BitSystem.php:505
40.04474043120session_write_close ( ).../BitSystem.php:580

( ! ) Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in /var/www/bitweaver/live/kernel/includes/classes/BitSystem.php on line 580
Call Stack
10.0000247792{main}( ).../page_history.php:0
20.04324026976BitSystem->display( ).../page_history.php:57
30.04334028512BitSystem->preDisplay( ).../BitSystem.php:505
40.04474043120session_write_close ( ).../BitSystem.php:580
- bitweaver

History of postmax

This installation guide is intended to walk you through completely setting up a mail server with the maximum spam and anti-virus protection available from the open-source community. This technique is almost identical to installed in ((Mac OS X Server Mail)). It is an amalgamation of several online tutorials available throughout the net and from the software vendors, but all in one neat and tidy place. Our sincere thanks to all who contributed such wonderful software to make this world a better place.

!1. Software Install
{code source="bash"}yum install postfix spamassassin amavisd-new clamav
chkconfig postfix on
chkconfig clamd on
chkconfig freshclam on
chkconfig amavisd on

For RedHat / CentOS, you might need to get the RPM's from [http://dag.wieers.com/rpm/FAQ.php#B|DAG]

!2. Anti-Virus Configuration
Tweak __/etc/amavisd.conf__ with your host information, and uncomment the clamd scanner
{code source="txt"}['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", ""],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],{/code}
You might need to change the socket listed with "" as listed above. SpamAssassin settings are made in this file. Also, make sure __$inet_socket_port = 10024;__ See [http://www200.pair.com/mecham/spam/amavisd-settings.html|detailed explanation of amavisd.conf] for more information.

{code souce="bash"}/etc/init.d/clamd start
service amavisd start
service clamd start
# If you are behind a proxy, you need adjust /etc/freshclam.conf
service freshclam start{/code}

postconf -e 'content_filter = amavis:[]:10024'
postconf -e 'receive_override_options = no_address_mappings'

Append these lines to __/etc/postfix/master.cf__
{code source="text"}amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=
-o strict_rfc821_envelopes=yes
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_bind_address={/code}
Restart postfix

If you run a server for a significant number of users, you will want to run several virus scans at once. Change the 2 in two places: "- - - - 2" as above in master.cf, and "$max_servers = 2;" in amavisd.conf. These numbers should always match.

!3. Test Setup
Use telnet to see if the appropriate ports are open:

telnet yourhost.com 25
telnet localhost 3310
telnet localhost 10025
telnet localhost 10024

!4. IP Address Spam Prevention
This is a local DNS server database that performs local (e.g. FAST) DNS lookups against a list of dynamic and blacklisted IP's. Successful local lookup means it's on the blacklist and will be rejected.

#Install the rbldns RPM (available in Fedora Extras, or [http://www.corpit.ru/mjt/rbldnsd.html|source])
#Edit your __named.conf__ and add:{code source="txt"}
zone "clients.blocked.rbl" IN {
type forward;
forward first;
forwarders { port 530; };
zone "hosts.blocked.rbl" IN {
type forward;
forward first;
forwarders { port 530; };
#Edit __/etc/sysconfig/rbldnsd__ and add the following lines:{code source="txt"}RBLDNSD="dsbl -r/var/lib/rbldnsd -b \
clients.blocked.rbl:ip4set:clients,dynamic \
hosts.blocked.rbl:dnset:hosts \
#Get the [http://tqmcube.com/files/dnsbl_lists.tar.bz2|latest RBLDNS databases] and move database files to /var/lib/rbldnsd
# Gentlepeople, start your daemons: "service restart named; service restart rbldnsd;" Test with telnet localhost 53; and telnet locahost 530;
# Preform a test lookup:{code source="text"}
$dig @localhost -t txt
;; ANSWER SECTION: 2048 IN TXT "DNSBL. is a known spam source. Mail from is NOT accepted on this server!"
# Update the following line of your __/etc/postfix/main.cf__{code source="txt"}
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,reject_rbl_client clients.blocked.rbl,reject_rhsbl_client hosts.blocked.rbl,reject_rhsbl_sender hosts.blocked.rbl{/code}

__En-masse IP Block__ Here is a tutorial for [http://www.fadden.com/techmisc/asian-spam.htm|Blocking E-mail from China and Korea] using Postfix and the [http://okean.com/asianspamblocks.html|Okean CIDR Blocks]

!5. DNS Spam Prevention
There are two main options DomainKeys, and SenderID.
DomainKeys were invented by Yahoo, SenderID was invented by Microsoft. These are arguably competing techniques, however, implementing both seems to have no ill-effect. Given SenderID was invented by Microsoft, you can be assured Outlook Server SMTP gateways employ SenderID, and are unlikely to support DomainKeys any time soon. In early 2005 when these proposals came out simultaneously, they were seen as competing techniques. As time has passed, they are now seen as more complementary, and typically both are implemented.

To use DomainKeys, typically a filter or "plugin" is needed for your SMTP gateway. There is a [http://jason.long.name/dkfilter/|postfix filter] that is fairly easy to install and configure. Several perl modules need to be installed:
#Install necessary perl modules (make sure you have openssl-devel installed):{code source="bash"}cpan -i Crypt::OpenSSL::RSA Mail::Address MIME::Base64 Net::DNS Net::Server Test::More{/code}
#[http://jason.long.name/dkfilter/|download source], extract tarball, cd into directory, and compile source with __./configure --prefix=/usr/local/dkfilter ; make install__
# For outbound mail signing, you will need a public/private key combo. {code source="txt"}
openssl genrsa -out private_domainkey.key 1024
openssl rsa -in private.key -pubout -out public_domainkey.key{/code}
# Tweak __sample-dkfilter-init-script.sh__ and copy to /etc/init.d/dkfilter - Either make a dkfilter user or change DKFILTERUSER and DKFILTERGROUP to postfix. The following are line changes made, adjust to your liking...{code source="bash"}
#start dkfilter with __service dkfilter start__. Test ports are up and running with telnet localhost 10026 and telnet localhost 10027
#Add inbound dkfilter postfix configuration to __/etc/postfix/master.cf__{code source="txt"}#
# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10026.
smtp inet n - n - - smtpd
-o smtpd_proxy_filter=
-o smtpd_client_connection_count_limit=10
# After-filter SMTP server. Receive mail from the content filter on
# localhost port 10027.
# inet n - n - - smtpd
-o smtpd_authorized_xforward_hosts=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=
-o receive_override_options=no_unknown_recipient_checks{/code}

!!SenderID (and SPF)
SenderID merged with a smaller group called Sender Policy Framework (SPF). SPF is a very simple mechanism for specifying which servers are valid for sending your email and is much simpler to implement than DomainKeys. Microsoft holds several patents in relation to the SenderID framework, however it released those patents in the "public domain" this past october. Beyond the typical cynicism of Microsoft's ulterior motives, SPF has a significant [http://www.advogato.org/article/816.html|amount of technical criticism]. Regardless, [http://itmanagement.earthweb.com/columns/executive_tech/article.php/3604761|many major ISP's are using SPF] to filter mail, including AOL (and RoadRunner) which has in some reports exclusively implemented SPF to some degree. (Spamassassin reports SOFT_FAIL reports from bogus .rr.com emails.) Spamassassin easily supports SPF with a few simple cpan installs.

The quickest way to get the DNS entries up and running is to [http://www.openspf.org/FAQ/Manage_my_own|follow the wizard].

*Be sure to watch your logs, such as: tail -f /var/log/maillog
*Config tinkering can lead to one of the services being down..
*On SLES 10, it seems clamd can take up to 10 minutes to begin accepting connections. Reason currenly unknown. Please chime in if you have any ideas.

!References and Other tutorails
Page History
30 May 2008 (11:33 UTC)
spamassassin sa-update
Current • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source
View • Compare • Difference • Source