Let's try the hard way to secure our mail systems. The approach mentioned in the Postfix FilterReadme is not as convenient as using spamd and spamc. Some guys at http://www.WorldDesign.com/index.cfm/rd/mta/spampd.htm have published a spamd replacement that works as an SMTP proxy. The advantage over spamd/spamc is that problems with Perl, SpamAssassin or its configuration don't lead to lost mail. The SMTP proxy is designed to reject mail in case of non-recoverable faults.
It can easily be integrated as a "content_filter" in Postfix. The catch is that mail classified as spam is still forwarded to users, where the filter of their local e-mail client is expected to detect the spam status. The goal here is to forward spam to a special user named "spamking" instead. This can be done with an alias map covering all users who would like their spam removed. The solution described here is for a mail server with a limited number of users with varying knowledge. All users are "local", meaning they get their mail via POP/IMAP from the mail server.
First of all, make sure your Postfix server is healthy. The things we'll do are somewhat confusing in the simple world of Postfix.
Begin by editing /etc/postfix/master.cf:
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (50)
    # ==========================================================================
    ...
    smtp      inet  n       -       n       -       -       smtpd
    ...
    scan      unix  -       -       n       -       10      smtp
    localhost:10026 inet n  -       n       -       10      smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o myhostname=filter.mynetwork.local
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
    spamtnsp  unix  -       n       n       -       -       local
        -o alias_maps=hash:/etc/postfix/spamalias
Next edit /etc/postfix/main.cf:
    content_filter = scan:[127.0.0.1]:10025
    header_checks = regexp:/etc/postfix/spamheadercheck
The service name "scan" can be chosen freely; it is the name that the content_filter entry in main.cf refers to. The "scan" entry specifies that SMTP is used. The spampd daemon listens on port 10025 and delivers to localhost:10026. The "localhost:10026" entry defines an smtpd server with options slightly different from those of the main SMTP server. The empty "content_filter=" in particular is needed, because otherwise mail coming back from the filter would be handed to the filter again.
The file "spamheadercheck" mentioned in main.cf consists of one line:
    /^X-Spam-Status: Yes/ FILTER spamtnsp:local
The regular expression searches every mail (including mail coming from the local net!) for the header "X-Spam-Status: Yes", which SpamAssassin adds in case of spam. The spam is passed to the local transport spamtnsp defined in master.cf. The spamtnsp transport has the option alias_maps pointing to "spamalias". In spamalias, every user who doesn't want spam delivered to their mailbox has an alias:
    user1: spamking
    user2: spamking
    ...
The "spamking" user must have a home directory. Spamking can be used as a user for the site-wide bayes-filtering and as daemon user for spampd.
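A small offline model of the routing just described, added here as an illustration and not part of the original page or of Postfix/spampd: it applies the spamheadercheck rule to the unfolded primary headers and then performs the spamalias lookup. The sample messages, the recipient user3 and all function names are constructed for this example.

```python
import re
from email import message_from_string
from email.policy import compat32

# Rule from spamheadercheck. Postfix regexp tables are case-insensitive
# by default, hence re.IGNORECASE.
SPAM_RULE = re.compile(r"^X-Spam-Status: Yes", re.IGNORECASE)

# Constructed stand-in for /etc/postfix/spamalias; user3 has no alias.
SPAMALIAS = "user1: spamking\nuser2: spamking\n"

# Constructed sample messages. The spam header is folded over two lines.
SPAM = ("From: a@example.com\nTo: user1@example.com\n"
        "X-Spam-Status: Yes, score=12.3 required=5.0\n\ttests=GTUBE\n"
        "Subject: test\n\nbody\n")
HAM = ("From: b@example.com\nTo: user1@example.com\n"
       "X-Spam-Status: No, score=0.1 required=5.0\n"
       "Subject: hi\n\nX-Spam-Status: Yes (quoted in the body)\n")

def parse_aliases(text):
    """Parse 'name: target' lines of an aliases(5)-style file."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, target = line.partition(":")
            aliases[name.strip().lower()] = target.strip()
    return aliases

def is_tagged_spam(raw_message):
    """Apply the rule to each unfolded primary header (simplified model)."""
    msg = message_from_string(raw_message, policy=compat32)
    for name, value in msg.items():
        if SPAM_RULE.search(f"{name}: {' '.join(value.split())}"):
            return True
    return False

def final_mailbox(raw_message, recipient, aliases):
    """Tagged mail goes through spamalias; everything else is untouched."""
    if is_tagged_spam(raw_message):
        return aliases.get(recipient.lower(), recipient)
    return recipient

if __name__ == "__main__":
    table = parse_aliases(SPAMALIAS)
    for label, raw in (("spam", SPAM), ("ham", HAM)):
        for rcpt in ("user1", "user3"):
            print(label, rcpt, "->", final_mailbox(raw, rcpt, table))
```

Users without an entry in the alias map, like user3 here, still receive tagged spam in their own mailbox.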
After thinking about what we have done, we can start spampd and postfix by calling
    spampd --port=10025 --relayhost=127.0.0.1:10026 --user=spamking --tagall
    rcpostfix reload
A test should be made with "telnet 127.0.0.1 10025". The Postfix SMTP server should be reachable through the proxy.
The next step is to rework the SpamAssassin rc-script so that it starts spampd. Perhaps someone is able to change spampd so that it can be started by Postfix itself via master.cf.
I found that with this setup on my server, SpamAssassin couldn't determine the envelope sender as needed for certain rules (e.g. DNS_FROM_*, NO_DNS_FOR_FROM, SPF_*). I fixed this by passing the -sef (-seh could work as well; but see documentation first) switch to spampd and then adding
    envelope_sender_header X-Envelope-From
to my SpamAssassin config. - JoshuaPettett