You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Integrating SpamAssassin into Postfix using spampd

Let's try the hard way to secure our mailsystems. Not as convienient as using spamd and spamc is the aproach menthioned in the postfix FilterReadme. Some guys at http://www.WorldDesign.com/index.cfm/rd/mta/spampd.htm have puplished a spamd-replacement that is working as a SMTP-Proxy. The advantage compared to spamd/spamc is, that problems with either PEARL, Spamassassin and it's configuration doesn't lead in loosing mail. The SMTP-proxy is designed to reject Mail in case of not recoverable faults.

It can easily be integrated as an "content_filter" in postfix. The knack is, that mail that is classified as spam is forwarded to users, where the filter of their local eMail-client should detect the spamstatus. Goal should be, to forward spam to a special user named "spamking". This could be done by using a alias-map for all users that like their spam removed. The solution described here is for a Mail-server with a limited number of users with varying knowledge. All users are "local", meaning they get their mail via POP/IMAP from the mailserver.

First of all make shure, your postfix-server is heathy. The things we'll do are somewhat confusing the simple world of Postfix.

At the beginning, edit /etc/postfix/master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
...
smtp      inet  n       -       n       -       -       smtpd
...
scan               unix    -        -        n        -        10        smtp
localhost:10026    inet    n        -        n        -        10        smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o myhostname=filter.mynetwork.local
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
spamtnsp	  unix	-	n	n	-	-	local
        -o alias_maps=hash:/etc/postfix/spamalias

second, edit /etc/postfix/main.cf:

content_filter =scan:[127.0.0.1]:10025
header_checks = regexp:/etc/postfix/spamheadercheck

The servicename "scan" is free and refers to the entry content_filter in main.cf. Scan defines, that smtp should be used. The scanpd-daemon is listening to 10025 and will deliver to localhost:10026. The transport "localhost:10026" defines an smtpd-server, with options slightly different to the main smtp server. Especialy the "content_filter=" is needed.

The file "spamheadercheck" mentioned in main.cf consist of one line:

/^X-Spam-Status: Yes/ FILTER spamtnsp:local

The regular expression searches every mail (including that, coming from the local net!) for the header "X-Spam-Status: Yes", whitch is placed by spamassassin in case of spam. The spam will be passed to the local transport spamtnsp. defined in master.cf. The spamtnsp has the option alias_maps pointing to "spamalias". In spamalias every user, witch doesn't want his spam delivered has an alias:

user1:  spamking
user2:  spamking
...

The menthioned user spamking must have a home-directory. Spamking can be used as user for the sitewide bayes-filter and as daemonuser for spampd.

After thinking about we have done, we can start the spampd and postfix by calling

spampd --port=10025 --relayhost=127.0.0.1:10026 --user=spamking --tagall
rcpostfix reload

A test should be made with "telnet 127.0.0.1 10025". The Postfix-SMTP should be accessible via the Proxy.

Next step is ripping the rc-script spamassassin in order to start spampd. Perhaps someone is able to change spampd in the way that it can be started by postfix itself via master.cf.

  • No labels