HOWTO: Pretty much bulletproof (and spam-proof) email...


Postby wizard » 2006/08/18 13:37:34

Don't know if HOWTOs are allowed here, but I thought I'd share in case anyone else is having issues setting up a reasonably bulletproof mail setup - mods can feel free to delete this if I've crossed a line - but I've migrated a lot of the stuff I've learned from the Fedora project here and wrote a simple guide on getting mail working -

We've added a virus scanner, spam control, greylisting and three DNS blacklists to sendmail's configuration. This stuff ought to reduce your spam by about 90%. The only one that's not self-explanatory is milter-greylist. Greylisting temporarily rejects email, assuming that real mail servers will resend the message to you but spam servers will not. Out of the box milter-greylist will accept a resent email after 30 minutes. It means you'll get email a little later, but you can whitelist anyone you like. Works pretty well :-)

First, I highly recommend adding the Misc and Extras repo at http://centos.karan.org - you'll need them for some of this. Just save the two .repo files to /etc/yum.repos.d - if you use yum extender you'll have to enable them in your profile as well - but we'll do all this from the command line.

Here we go - first we install a pile of software. Leave out anything you've already got installed -

yum install sendmail dovecot clamav* milter-greylist spamassassin spamass-milter pyzor perl-Razor-agent

Next we make sure sendmail works. I use sendmail but others might want to use postfix or exim. Anyway, these instructions are for sendmail :-D

Edit /etc/sendmail.mc - change

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

to

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

This will lift the restriction that causes sendmail to only listen to localhost.

Also, add the following lines to sendmail.mc - add them right above the MAILER lines at the bottom of the file. Watch for word wrap here - the addition below is 9 lines long.

FEATURE(`dnsbl',`relays.ordb.org')dnl
FEATURE(`dnsbl',`list.dsbl.org')dnl
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org')dnl
INPUT_MAIL_FILTER(`greylist',`S=local:/var/lib/milter-greylist/run/milter-greylist.sock')
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter/spamass-milter.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter/clamav.sock, F=T, T=S:4m;R:4m')

Then rebuild sendmail.cf by opening a terminal window and typing

make -C /etc/mail

Next, we want to make sure sendmail will relay mail from machines on our local subnet - we do that by editing /etc/mail/access - I added the following lines to the file

192.168.1 RELAY
my.wan.ip.address RELAY

Both may not be necessary but I added both of them anyway. It works :-D

Then, rebuild the access database by doing -

cd /etc/mail

makemap hash access.db < access

Okay, now let's fix dovecot. Open /etc/dovecot.conf and change

protocols = imap imaps

to

protocols = imap imaps pop3 pop3s

Next, let's get the virus scanner going. Open /etc/freshclam.conf and look for this:

# Comment or remove the line below.
Example

Change it to this:

# Comment or remove the line below.
#Example

You'll have to do the same thing with /etc/clamav.conf - as clamav won't run or update without the example lines commented out. I think that's because they want someone to actually look at the configuration files :-D

milter-greylist doesn't need a whole lot of configuring unless you want to whitelist some folks or domains out of the box - you'll find the configuration file at /etc/mail/greylist.conf

On to spamassassin...

There's an excellent (but basic) configuration generator for spamassassin at

http://www.yrex.com/spam/spamconfig.php

and you can use that info to edit the real spamassassin config file at /etc/mail/spamassassin/local.cf

If you want to play with spamass-milter's configuration you'll find it at /etc/sysconfig/spamass-milter. Notice that all the flags in the file are commented out - be particularly careful of the -m flag. If you uncomment the line the -m flag will disable spamassassin subject rewriting. If you're using spamassassin to rewrite subject lines you'll want to take that -m out. I leave the -r 15 at the default. This will tell spamass-milter to reject any email with a spam score of 15 or higher. You can adjust this to your taste.

Okay, we're almost done.

Next we turn a buncha services on but don't start them yet -

chkconfig sendmail on
chkconfig dovecot on
chkconfig clamav-milter on
chkconfig milter-greylist on
chkconfig spamassassin on
chkconfig spamass-milter on

Okay. We're all done. If you're lazy like me you can reboot the machine and everything will come up now. If you're a bit more industrious or don't want to reboot the machine you can start all the services like this -

service clamav-milter start
service milter-greylist start
service spamassassin start
service spamass-milter start
service dovecot start
service sendmail start

Happy emailing :-D
wizard
 
Posts: 25
Joined: 2006/08/15 13:46:12
Location: surreal city, usa
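
The greylisting behaviour described in the post above, as an added example that is not part of the original post and is not milter-greylist's code. It is a simplified model keyed on the (client IP, envelope sender, recipient) triplet; the `Greylist` class, the "250" reply texts and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

DELAY = 30 * 60  # seconds; the 30-minute default mentioned in the post


@dataclass
class Greylist:
    """Simplified greylisting model, not milter-greylist's own code."""
    delay: int = DELAY
    whitelist: set = field(default_factory=set)     # client IPs exempt from greylisting
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt

    def check(self, ip, sender, rcpt, now):
        """Return the reply given to one delivery attempt at time `now` (seconds)."""
        if ip in self.whitelist:
            return "250 accepted (whitelisted)"
        key = (ip, sender.lower(), rcpt.lower())
        start = self.first_seen.setdefault(key, now)
        remaining = self.delay - (now - start)
        if remaining > 0:
            # Temporary failure: a queueing MTA retries, fire-and-forget senders do not.
            h, rest = divmod(remaining, 3600)
            m, s = divmod(rest, 60)
            return ("451 4.7.1 Greylisting in action, "
                    f"please come back in {h:02d}:{m:02d}:{s:02d}")
        return "250 accepted (retried after delay)"


def demo():
    """Replay constructed delivery attempts (documentation-range addresses)."""
    gl = Greylist(whitelist={"192.0.2.10"})
    triplet = ("198.51.100.7", "me@example.org", "admin@example.com")
    return [
        gl.check(*triplet, now=0),      # first attempt: deferred
        gl.check(*triplet, now=600),    # retry after 10 min: still deferred
        gl.check(*triplet, now=1800),   # retry after 30 min: accepted
        gl.check("192.0.2.10", "a@example.net", "admin@example.com", now=0),
        gl.check("198.51.100.7", "new@example.org", "admin@example.com", now=1800),
    ]
```

Changing the sender address creates a new triplet and restarts the delay, which is why the last attempt is deferred even though the same client IP was already accepted.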

Re: HOWTO: Pretty much bulletproof (and spam-proof) email...

Postby jdonz » 2006/08/19 23:11:24

Great write up, thanks for sharing. You may also want to consider implementing SMTP authentication for further bulletproofing.
jdonz
 
Posts: 32
Joined: 2006/03/05 20:35:34
Location: Phoenix

Re: HOWTO: Pretty much bulletproof (and spam-proof) email...

Postby wizard » 2006/08/20 14:58:37

Great idea - thanks :-)
wizard
 
Posts: 25
Joined: 2006/08/15 13:46:12
Location: surreal city, usa

Re: HOWTO: Pretty much bulletproof (and spam-proof) email...

Postby jerdman » 2006/09/28 04:56:27

That bullet proof tutorial rocked! I took your tutorial and a few others and wrote a whole article on the subject that includes SMTP AUTH and also automatic learning for the bayesian filters. You can find it at:
Securing Your Sendmail Server

Joshua Erdman
jerdman
 
Posts: 1
Joined: 2006/09/28 04:50:36

Re: HOWTO: Pretty much bulletproof (and spam-proof) email...

Postby lolocf » 2006/12/26 16:29:18

Hello,

this is indeed a useful post even for a winman like me :-).
I may just add that I heard that ordb is going out of service in January 2007.
So, one should remove it from the config.

Spamcop is a bit touchy to use.
Spamhaus is my RBL of choice.
lolocf
 
Posts: 1
Joined: 2006/12/26 16:06:57
Location: Bordeaux

Re: HOWTO: Pretty much bulletproof (and spam-proof) email...

Postby locutius » 2007/01/19 03:01:02

my server is a CentOS4.3 x86_64 full install and fully up to date
i followed the above instructions omitting only the following (which i understand is not important):

Code:
192.168.1 RELAY
my.wan.ip.address RELAY


i attempt to send a mail from admin@mysite.com to me@mysite.com (both users are created with passwords) using squirrelmail i see this error (with firewall enabled and disabled):

Code:
Email delivery error
Server replied: 69 Can't execute command '/usr/sbin/sendmail -i -t -fadmin@mysite.com'.


i then try to send to admin@mysite.com from me@gmail.com

the maillog reads:

Code:
Jan 19 03:05:01 h33t sendmail[480]: l0J251OM000480: from=root, size=295, class=0, nrcpts=1, msgid=<200701190205.l0J251OM000480@mysite.com>, relay=root@localhost
Jan 19 03:05:01 h33t sendmail[575]: l0J251Rh000575: tcpwrappers (localhost, 127.0.0.1) rejection
Jan 19 03:05:01 h33t sendmail[480]: l0J251OM000480: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30295, relay=[127.0.0.1] [127.0.0.1], dsn=5.0.0, stat=Service unavailable
Jan 19 03:05:01 h33t sendmail[480]: l0J251OM000480: l0J251ON000480: DSN: Service unavailable
Jan 19 03:05:01 h33t sendmail[480]: l0J251ON000480: to=root, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31319, relay=[127.0.0.1], dsn=5.0.0, stat=Service unavailable
Jan 19 03:05:01 h33t sendmail[480]: l0J251ON000480: l0J251OO000480: return to sender: Service unavailable
Jan 19 03:05:01 h33t sendmail[480]: l0J251OO000480: to=postmaster, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32343, relay=[127.0.0.1], dsn=5.0.0, stat=Service unavailable
Jan 19 03:05:01 h33t sendmail[480]: l0J251ON000480: Losing ./qfl0J251ON000480: savemail panic
Jan 19 03:05:01 h33t sendmail[480]: l0J251ON000480: SYSERR(root): savemail: cannot save rejected email anywhere
Jan 19 03:05:06 h33t milter-greylist: l0J256pw006358: addr 64.233.162.233 from <me@gmail.com> to <admin@mysite.com> delayed for 00:30:00
Jan 19 03:05:06 h33t sendmail[6358]: l0J256pw006358: Milter: to=<admin@mysite.com>, reject=451 4.7.1 Greylisting in action, please come back in 00:30:00
Jan 19 03:05:06 h33t sendmail[6358]: l0J256pw006358: from=<me@gmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=nz-out-0506.google.com [64.233.162.233]


i then also tried with this configuration in the sendmail.mc from this page http://www.redhat.com/magazine/025nov06 ... index.html

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl ... change to - DAEMON_OPTIONS(`Port=smtp, Name=MTA')
LOCAL_DOMAIN(`localhost.localdomain')dnl ... change to - LOCAL_DOMAIN(`emailjunkie.org')
dnl MASQUERADE_AS(`mydomain.com')dnl ... change to - MASQUERADE_AS(`emailjunkie.org')
dnl FEATURE(masquerade_envelope)dnl ... change to - FEATURE(`masquerade_envelope')
and added the line ... FEATURE(`allmasquerade')

and received the same error:

Code:
Email delivery error
Server replied: 69 Can't execute command '/usr/sbin/sendmail -i -t -fadmin@mysite.com'.


this time the maillog reads:

Code:
Jan 19 03:22:20 mysite sendmail[8150]: l0J2MKlq008150: Authentication-Warning: mysite.com: apache set sender to me@mysite.com using -f
Jan 19 03:22:20 mysite sendmail[8150]: l0J2MKlq008150: from=me@mysite.com, size=525, class=0, nrcpts=1, msgid=<4024.86.138.26.160.1169173340.squirrel@www.mysite.com>, relay=apache@localhost
Jan 19 03:22:20 mysite sendmail[8592]: l0J2MKlT008592: tcpwrappers (localhost, 127.0.0.1) rejection
Jan 19 03:22:20 mysite sendmail[8150]: l0J2MKlq008150: to=admin@mysite.com, ctladdr=me@mysite.com (502/503), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30525, relay=[127.0.0.1] [127.0.0.1], dsn=5.0.0, stat=Service unavailable
Jan 19 03:22:20 mysite sendmail[8150]: l0J2MKlq008150: l0J2MKlr008150: DSN: Service unavailable
Jan 19 03:22:20 mysite sendmail[8150]: l0J2MKlr008150: to=me@mysite.com, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31549, relay=[127.0.0.1], dsn=5.0.0, stat=Service unavailable
Jan 19 03:22:20 mysite sendmail[8150]: l0J2MKlr008150: l0J2MKls008150: return to sender: Service unavailable
Jan 19 03:22:20 mysite sendmail[8150]: l0J2MKls008150: to=postmaster, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32573, relay=[127.0.0.1], dsn=5.0.0, stat=Service unavailable
Jan 19 03:22:20 mysite sendmail[8150]: l0J2MKlr008150: Losing ./qfl0J2MKlr008150: savemail panic
Jan 19 03:22:20 mysite sendmail[8150]: l0J2MKlr008150: SYSERR(apache): savemail: cannot save rejected email anywhere


the problem in both instances appears to be tcpwrappers (localhost, 127.0.0.1) rejection and DSN: Service unavailable

please i ask your help

thank you in advance for any help you can offer
locutius
 
Posts: 47
Joined: 2006/05/11 23:00:15
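
A triage pass over maillog lines like the ones in the post above, as an added example that is not part of the original post. It separates the three kinds of event that appear in those excerpts; the `triage` function and bucket names are hypothetical, and the sample lines are constructed in the same format. sendmail logs the "tcpwrappers ... rejection" line when the TCP wrappers access check (/etc/hosts.allow and /etc/hosts.deny) refuses the connecting address.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the maillog excerpts above
# (hostname, queue IDs and addresses are made up).
SAMPLE = """\
Jan 19 03:05:01 mx sendmail[480]: l0J251OM000480: from=root, size=295, class=0, nrcpts=1, relay=root@localhost
Jan 19 03:05:01 mx sendmail[575]: l0J251Rh000575: tcpwrappers (localhost, 127.0.0.1) rejection
Jan 19 03:05:01 mx sendmail[480]: l0J251OM000480: to=root, delay=00:00:00, mailer=relay, relay=[127.0.0.1], dsn=5.0.0, stat=Service unavailable
Jan 19 03:05:06 mx sendmail[6358]: l0J256pw006358: Milter: to=<admin@example.com>, reject=451 4.7.1 Greylisting in action, please come back in 00:30:00
Jan 19 03:05:09 mx sendmail[6400]: l0J259aa006400: to=<user@example.com>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
WRAP = re.compile(r"tcpwrappers \((?P<host>[^,]+), (?P<ip>[^)]+)\) rejection")
GREY = re.compile(r"Milter: to=(?P<to>[^,]+), reject=451 4\.7\.1 Greylisting")
DSN = re.compile(r"\bto=(?P<to>[^,]+),.*\bdsn=(?P<dsn>\d\.\d+\.\d+), stat=(?P<stat>.*)$")


def triage(log_text):
    """Bucket sendmail log lines into findings an operator handles differently."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, msg = m["qid"], m["msg"]
        if w := WRAP.search(msg):
            # Connection refused by the access check before any SMTP dialogue.
            out["tcpwrappers_reject"].append((qid, w["ip"]))
        elif g := GREY.search(msg):
            # Expected behaviour: the sender is told to retry later.
            out["greylist_deferral"].append((qid, g["to"]))
        elif (d := DSN.search(msg)) and d["dsn"].startswith("5."):
            # Permanent failure: the message was not delivered.
            out["permanent_failure"].append((qid, d["to"], d["stat"]))
    return dict(out)
```

A `tcpwrappers_reject` entry for 127.0.0.1 next to `permanent_failure` entries relayed via [127.0.0.1] means local submissions are being refused by the host's own access rules, while `greylist_deferral` entries are the filter working as configured.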

Re: HOWTO: Pretty much bulletproof (and spam-proof) email...

Postby jult » 2007/01/19 05:03:48

But why would anyone still use sendmail if postfix is available as well? (hence all the errors!)

And spamassassin is only interesting if you're ready to spend about 1 to 4 hours daily on administrating it, and have a load of RAM and CPU-space left. All this is not what spam is for. ;-)
jult
 
Posts: 40
Joined: 2007/01/04 02:10:11
Location: Amsterdam, .NL

Re: HOWTO: Pretty much bulletproof (and spam-proof) email...

Postby phoenix » 2007/01/19 14:20:23

Why would anyone bother with this type of setup when you can have a mailserver up and running in about 1 hour with amavis, spamassassin, dspam, mysql, tomcat etc. etc. - just try using Zimbra. It's extremely easy to set up and saves the hassle of trying to integrate multiple packages.

I was a complete novice with Linux (I still am) and I managed to do it real easy. I've posted the link before but for posterity here it is again - www.zimbra.com. Two versions are available: a paid-for version and, for cheapskates like me, an Open Source version with all the features you'd need.
phoenix
 
Posts: 135
Joined: 2005/09/07 08:39:55

Re: HOWTO: Pretty much bulletproof (and spam-proof) email...

Postby locutius » 2007/01/20 22:39:23

thanks for the advice. if you can't beat 'em ....

meanwhile, where is the sendmail guru? sendmail is possible it is a redhat basic
locutius
 
Posts: 47
Joined: 2006/05/11 23:00:15

Re: HOWTO: Pretty much bulletproof (and spam-proof) email...

Postby jult » 2007/01/21 05:21:05

phoenix wrote:
Why would anyone bother with this type of setup when you can have a mailserver up and running in about 1 hour
with amavis, spamassassin, dspam, mysql, tomcat etc. etc. - just try using Zimbra

Any package that 'integrates' MySQL is asking for RAM, CPU, time and dependencies
many people don't feel like having.
Why would anyone use MySQL for mail-integration, even? The monstrosity
of using separate databases when it's all just lines of text we have to parse!
Flatfile would do just fine.

I say: Postfix, dovecot, clamd, clamsmtp with decent config will do just fine.
Amavis and Spamassassin are monsters, both administrative and memory/cpu-wise.

By the way, why is this forum running on such a strange UI?
punBB or phpBB are still so much better.
jult
 
Posts: 40
Joined: 2007/01/04 02:10:11
Location: Amsterdam, .NL
