Spamassassin Whitelists

Posted by Filed Under Spam Control with Comments Off

Global Manual Whitelist
Once you have set up Spamassassin so it is working and you have run it for some time you may want to tune it to provide automatic whitelists and blacklists.  The whitelist provides a way to ensure that mail from a particular source will never get rejected.  This may be important clients, users on the system or messages from servers that do not necessarily have the right credentials for sending mail.  Your company may have important clients that send email with characteristics that put it on the edge with Spamassassin, and you may want to ensure that you do not lose an email.  Or you may have users on the system who do not always follow the best protocol for how they construct messages, but you want to make sure that their mail is not rejected.  An important use for whitelists is when you have servers that are sending logs, error messages, or monitoring information to a mail account and this mail does not have the format or the sender format that Spamassassin needs to see.  If you are looking for documentation of this information check out our Postfix Mail Server Manual.

The whitelist will automatically reduce the spam score for a sender that is listed in the whitelist.  The score is reduced by 100 points, so there is very little chance of the mail being rejected.
The procedure for using a whitelist is straightforward.  Use the directive whitelist_from to list any sources that you want to ensure get whitelisted.
Edit the /etc/mail/spamassassin/local.cf file to place these entries.  Listed below are the default contents of this file.

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

Add your whitelists to the file, save and restart Spamassassin.

whitelist_from tom@example.com
whitelist_from *@example.com *@goodexample.com
whitelist_from mail.server@myexample.com

When you list a user or source, you will list what you see in the Resent-From, From, Envelope-Sender, Resent-Sender or X-Envelope-From headers.  The wildcard “*” can be used to cover all of the users for a domain, as you see in the examples above.

You can remove users that you place in the whitelist with unwhitelist_from.

unwhitelist_from tom@example.com

You may want to review the information found in 60_whitelist.cf which Spamassassin uses automatically as there may be some users listed that you want to remove.

You do have an additional option for sender whitelisting.  You can use whitelist_from_rcvd, which does a reverse lookup with DNS to verify the IP address of the last trusted relay.  So basically what it is doing is looking up the IP of where the mail came from to make sure it came from an IP address on the sender's network.  Now, this has several problems related to it.  First, you are using precious resources doing reverse DNS lookups.  And second, depending on how the sender network is designed, you may have problems verifying the IP address.  Here is how you can use it to drop the score 100 points.

whitelist_from_rcvd tom@example.com example.com

Note that what you are requiring is that the mail sent by tom must come from a mail server on the example.com domain.
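The following audit script is an added example, not part of the original post. It reads a local.cf, applies unwhitelist_from, and reports which whitelist_from entries rely on header values alone and which sample addresses each one lets through; the sample file contents and probe addresses are constructed for illustration.

```python
import re

# Constructed sample local.cf built from the directives shown above.
SAMPLE_LOCAL_CF = """\
required_hits 5
whitelist_from tom@example.com
whitelist_from *@example.com *@goodexample.com
whitelist_from mail.server@myexample.com
unwhitelist_from tom@example.com
whitelist_from_rcvd tom@example.com example.com
"""

# Constructed From addresses used to show what each pattern lets through.
PROBES = ["tom@example.com", "billing@example.com",
          "ceo@goodexample.com", "mail.server@myexample.com",
          "someone@elsewhere.test"]


def glob_to_regex(pattern):
    """Compile a whitelist glob ('*' and '?' wildcards) to a regex."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(body, re.IGNORECASE)


def parse_whitelists(text):
    """Return (whitelist_from patterns, {whitelist_from_rcvd addr: rDNS})."""
    header_only, relay_checked = [], {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        directive, args = fields[0], [a.lower() for a in fields[1:]]
        if directive == "whitelist_from":
            header_only.extend(args)
        elif directive == "unwhitelist_from":
            # Removes only entries spelled exactly the same way.
            header_only = [p for p in header_only if p not in args]
        elif directive == "whitelist_from_rcvd" and len(args) == 2:
            relay_checked[args[0]] = args[1]
    return header_only, relay_checked


def audit(text, probes):
    """List each header-only entry, its risk label and the probes it matches."""
    header_only, relay_checked = parse_whitelists(text)
    findings = []
    for pattern in header_only:
        wild = set("*?") & set(pattern)
        label = "wildcard, header-only" if wild else "header-only"
        hits = [a for a in probes if glob_to_regex(pattern).fullmatch(a)]
        findings.append((pattern, label, hits))
    return findings, relay_checked


if __name__ == "__main__":
    findings, relay_checked = audit(SAMPLE_LOCAL_CF, PROBES)
    for pattern, label, hits in findings:
        print("%-28s %-22s matches %s" % (pattern, label, hits))
    for addr, rdns in relay_checked.items():
        print("%-28s relay must resolve under %s" % (addr, rdns))
```

In the sample, tom@example.com is still matched by *@example.com after the unwhitelist_from line, so removing a single address does nothing while a domain-wide wildcard remains.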

Whitelist Recipients
There are three separate levels of whitelisting you can perform for recipients.    If you had a user that did not want any spam checks on their account you would use this method of checking.  The whitelist_to directive can use the Resent-To, Resent-Cc, To, Apparently-To, Delivered-To, Envelope-Recipients, Apparently-Resent-To, X-Envelope-To, Envelope-To, X-Delivered-To, X-Original-To, X-Rcpt-To, X-Real-To, or Cc.

The three levels can be used like this:

whitelist_to  tom@mycompany.com   (lowers score by 6)
or
more_spam_to  tom@mycompany.com   (lowers score by 20)
or
all_spam_to   tom@mycompany.com   (lowers score by 100)

Vacation Option with PostfixAdmin

Posted by Filed Under Postfixadmin with Comments Off

Install and Configure the Vacation Option
This installation is for Ubuntu 9.10 but should work for just about any Linux distro.  The vacation package is nice in that you can create an automatic message for when you are not available.

You will need to install a number of packages.

sudo apt-get install libmail-sender-perl libdbd-mysql-perl libemail-valid-perl libmime-perl liblog-log4perl-perl liblog-dispatch-perl libgetopt-argvfile-perl libmime-charset-perl libmime-encwords-perl

Install a Perl Module
From the command line install the Mail::Sendmail perl module.

perl -MCPAN -e shell;

Set it up, likely just hitting enter will provide the options you need.  Once it is complete you will have a shell login for installing modules.  Issue this command:

install Mail::Sendmail

Note it is case sensitive and two colons separate the names.  When it is installed issue the “quit” command to return.

groupadd -r -g 65501 vacation
useradd -r -u 65501 -g vacation -d /var/spool/vacation -s /sbin/nologin vacation

cp /usr/share/doc/postfixadmin/VIRTUAL_VACATION/vacation.pl.gz .
gunzip vacation.pl.gz
cp vacation.pl vacation.pl.original
wget http://www200.pair.com/mecham/spam/vacation.2211.patch.txt
patch -p0 < vacation.2211.patch.txt

or

cd /var/www/postfixadmin/VIRTUAL_VACATION
cp vacation.pl /var/spool/vacation/vacation.pl
wget http://www200.pair.com/mecham/spam/vacation.2211.patch.txt
patch -p0 < vacation.2211.patch.txt
chown -R vacation:vacation /var/spool/vacation
chmod -R 700 /var/spool/vacation

Update the vacation script with your settings

nano /var/spool/vacation/vacation.pl

our $db_type = 'mysql';
our $db_username = 'postfix';
our $db_password = 'db_passwd';
our $db_name = 'postfix';

our $vacation_domain = 'autoreply.yourdomain.com';
Save and close (CTRL + X)

Update the postfixadmin config file

cd /var/www/postfixadmin
sudo nano config.inc.php

$CONF['vacation'] = 'YES';
$CONF['vacation_domain'] = 'autoreply.yourdomain.com';

cd /etc/postfix
nano master.cf

Add (near the end of the file):
vacation unix - n n - - pipe flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} ${recipient}
Save

nano main.cf

transport_maps = hash:/etc/postfix/transport
Save

Create a virtual file
jane@your_domain.com jane@your_domain.com@autoreply.your_domain.com
tom@your_domain.com tom@your_domain.com@autoreply.your_domain.com

Save

Create (or update) a transport map to handle the redirected email

nano transport

autoreply.your_domain.com vacation
Save

Postfix uses a hashed file to do the lookups, the postmap command creates that file.

postmap /etc/postfix/transport

Reload the postfix config to activate the changes

sudo /etc/init.d/postfix reload

You should now have a working vacation option with Postfix.

PostfixAdmin on Ubuntu 9.10

Posted by Filed Under Postfixadmin with Comments Off

PostfixAdmin provides a way to manage your virtual accounts and multiple domains using a web-based interface.  Once it is set up it is very easy to use.  This install process is not easy to do as there are many commands and a lot of configuration that must be done without mistakes.  To get started you will need to install postfix and dovecot-postfix.

apt-get install postfix dovecot-postfix

If you install Postfix during the system installation you can just choose this option.

Install The Postfix Mail Server

When you have the options to choose what type of mail site select “Internet Site” and enter the domain you will use as the canonical or main domain.  Note the canonical domain cannot be listed as a virtual domain.

The next step is to use MySQL for the virtual users and configure dovecot-postfix to connect to the MySQL database.

Install MySQL and Postfix MySQL

apt-get install mysql-server postfix-mysql

When you install MySQL it will require a password for the root user for MySQL, do not confuse this with the root user on the system…and write down the password you use…you will need it.

Now secure the user and create the database.

Start  MySQL

mysql -u root -p

CREATE DATABASE postfix;
CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL ON postfix.* to 'postfix'@'localhost';

Install PostfixAdmin

The PostfixAdmin program is a web based administration panel for Postfix.  There are several advantages for this program.  It is an easy interface to work with to install new domains, users and of course set up autoresponders for your users.  You still have to be able to work at the command line to set up Postfix features however.  You need to install PHP5 and apache2 as well and several helper programs.

sudo apt-get install apache2 php5 php5-mysql php5-imap

sudo  /etc/init.d/apache2 restart

Once that is done you should be able to see the default web server page when you point your browser to the server IP Address.

Move to the /var/www directory

cd /var/www

Download  postfixadmin

wget http://downloads.sourceforge.net/sourceforge/postfixadmin/postfixadmin_2.3rc7.tar.gz

tar -zxvf postfixadmin_2.3rc7.tar.gz

Rename the directory and remove the tarball

mv postfixadmin-2.3rc7 postfixadmin
rm postfixadmin_2.3rc7.tar.gz

Set the configuration for postfixadmin

cd postfixadmin
nano config.inc.php

$CONF['configured'] = true;
$CONF['postfix_admin_url'] = $_SERVER['HTTP_HOST'].'/postfixadmin';
$CONF['database_password'] = 'your_password_for_the_db';

Update the following variables to what makes sense for your installation
$CONF['admin_email']
$CONF['default_aliases']

Change this line to “true” as seen to verify a completed configuration.
$CONF['configured'] = true;

Save

Point your browser to: http://server_ip/postfixadmin/setup.php

You will see an overview of settings that you need to configure…fix all problems before you proceed.


Refresh the setup page each time you make a change to verify it is fixed.

At the bottom you will see that you will need to create a password.


You will need to place the hashed password that is created in config.inc.php.

nano config.inc.php

Update $CONF['setup_password']
Save

Now create a new admin with an email.


At this point you need to set up the connections to the MySQL database.  To do this you need to create 4 files so that MySQL and Postfix can communicate.

cd /etc/postfix
nano my_alias_maps.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address = '%s' AND active = 1

Save

nano my_domains_maps.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = 0 AND active = 1

Save

nano my_mailbox_limits.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username = '%s' AND active = 1

Save

nano my_mailbox_maps.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT CONCAT(domain,'/',maildir) FROM mailbox WHERE username = '%s' AND active = 1

Save

Edit the main.cf file.

virtual_minimum_uid = 150
virtual_uid_maps = static:150
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

virtual_alias_maps = proxy:mysql:/etc/postfix/my_alias_maps.cf
virtual_mailbox_limit = proxy:mysql:/etc/postfix/my_mailbox_limits.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/my_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/my_mailbox_maps.cf

Comment out  or delete these options.
#home_mailbox = Maildir/
#mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"

You cannot have virtual domains listed in the mydestination option.

Save

Edit the master.cf

dovecot unix - n n - - pipe flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -f ${sender} -d ${recipient}

Save

Create /var/vmail and a user for permissions.

useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin vmail
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail/

Finally, you have to make some changes to the dovecot configuration to accept the mail and deliver it

cd /etc/dovecot
Edit dovecot-sql.conf

driver = mysql
connect = host=localhost dbname=postfix user=postfix password=db_password
default_pass_scheme = MD5-CRYPT

user_query = SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, 150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = 1

password_query = SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid FROM mailbox WHERE username = '%u' AND active = 1

Save

Edit dovecot-postfix.conf

Adjust several settings.

mail_location = maildir:/var/vmail/%d/%n
first_valid_uid = 150
last_valid_uid = 150

passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = mail
}

Save

Restart both services so changes take effect

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

If you are still having problems consider the Postfix Mail Server Course.


Postfix: Bayesian Learning System

Posted by Filed Under Spam Control with Comments Off

Learning System
You can additionally tune SpamAssassin to learn about your email.  Two mechanisms are used together to create this learning system: autowhitelisting and Bayesian filtering.  Autowhitelisting is an algorithm that learns about each sender's history and modifies the spam score of their subsequent mail.  This should reduce false positives.  Autowhitelisting develops a database entry for each sender’s mail address and IP address.  Each time a message is received from that sender the score is added to the database score for that sender.  The total score divided by the number of messages, which is the sender's average, is used to modify any new messages.

The most important issue with autowhitelisting is the weight you place on the sender history.  The auto_whitelist_factor is the directive that sets the multiplier between 0-1.  The default is .5, which will make the final score halfway between the message's spam score and the sender's average.  If you wanted to increase the weight, set the factor to 1.
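The score adjustment described above, as an added example that is not part of the original post or of SpamAssassin's own code. It assumes the history is keyed on the exact sender address and full IP address, and the message scores are constructed.

```python
class AutoWhitelist:
    """Per-sender score history, as described for autowhitelisting."""

    def __init__(self, factor=0.5):
        if not 0.0 <= factor <= 1.0:
            raise ValueError("auto_whitelist_factor must be between 0 and 1")
        self.factor = factor
        self.history = {}  # (address, ip) -> (total score, message count)

    def adjust(self, address, ip, score):
        """Return the adjusted score, then record the raw score."""
        key = (address.lower(), ip)
        total, count = self.history.get(key, (0.0, 0))
        final = score
        if count:
            mean = total / count
            # Pull the new score toward the sender's average by `factor`.
            final = score + (mean - score) * self.factor
        self.history[key] = (total + score, count + 1)
        return final


# Constructed message stream: (sender address, relay IP, raw spam score).
MESSAGES = [
    ("client@example.com", "192.0.2.10", 1.0),
    ("client@example.com", "192.0.2.10", 0.0),
    ("client@example.com", "192.0.2.10", 2.0),
    ("client@example.com", "192.0.2.10", 7.0),    # one spammy-looking mail
    ("client@example.com", "198.51.100.7", 7.0),  # same address, new IP
]


def replay(factor, messages=MESSAGES):
    """Run the stream through a fresh history and return adjusted scores."""
    awl = AutoWhitelist(factor)
    return [awl.adjust(addr, ip, score) for addr, ip, score in messages]


if __name__ == "__main__":
    for factor in (0.0, 0.5, 1.0):
        print("factor %.1f -> %s" % (factor, replay(factor)))
```

With the default factor the fourth message drops from 7.0 to 4.0, under a required_hits of 5, while the same address arriving from an IP with no history keeps its full score of 7.0.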

The system-wide autowhitelist with amavisd.
Edit the /etc/mail/spamassassin/local.cf

auto_whitelist_path
auto_whitelist_file_mode

Sitewide Bayesian Filtering for Amavisd
The idea behind Bayesian filtering is that it will learn aspects of email which will determine how to distinguish between spam and non-spam.  The advantage is that it can help facilitate a more accurate spam filtering process.  The Bayesian rules set up baselines that determine how much each rule should change the probability that the email is spam.  These rules have features that are likely to be in spam, thus increasing the probability, and they have features that typically are not in spam, thus reducing the probability of spam.
Edit the /etc/mail/spamassassin/local.cf

use_bayes 1
bayes_path /var/amavisd/bayes/bayes

Create the directories you need in /var: both amavisd and the subdirectory bayes.  Be sure to chmod 700 the database file so no others can access it.  The user is vscan, as is set up in the /etc/amavisd.conf file, so that user must have access to the file.  With the new version of Spamassassin the line for bayes_path must not end in a folder, so add the name bayes to it per the example.

chown -R vscan:vscan /var/amavisd/

ls -la /var/amavisd/bayes/
total 8
drwx------ 2 vscan vscan 4096 May 11 07:32 .
drwx------ 3 vscan vscan 4096 May 11 07:32 ..

Postfix Features

Posted by Filed Under Postfix Configuration with Comments Off

Sometimes when you are working with Postfix you may be on an older version that does not support a feature you need.  Here is a list of the version and the major features that were added for that version.

Postfix 2.5 Stress-dependent configuration
Postfix 2.3 DKIM, DomainKeys and SenderID authentication, DSN status notifications, Enhanced status codes, Plug-in support for multiple SASL implementations (Cyrus, Dovecot), Configurable delivery status notification message text, Sender-dependent SMTP relay lookup, Sender-dependent SASL password lookup, Sendmail Milter (mail filter) protocol
Postfix 2.2 Connection cache for SMTP, IP version 6, TLS encryption and authentication, SMTP server per-client rate and concurrency limits, CDB database, Masquerading addresses in outbound SMTP mail, Selective address rewriting
Postfix 2.1 Access control per client/sender/recipient/etc., Address probing callout, Greylisting plug-in, SPF plug-in
Postfix 2.0 MIME (including 8BITMIME to 7BIT conversion), PostgreSQL database
Postfix 1.1 QMQP server, Content filter, VERP envelope return addresses
Postfix 1.0 ETRN on-demand relay, LMTP client, Pipelining (SMTP client and server), SASL authentication, Berkeley DB database, DBM database, LDAP database, MySQL database, Maildir and mailbox format, Virtual domains

Syslog Configuration

Posted by Filed Under Logs with Comments Off

Reducing Syslogd Performance Issues
Syslogd is the main logging program for many Linux systems.  Unfortunately it can cause performance issues by using synchronous writes by default.  If you open syslog.conf you will see that the mail logging goes to /var/log/mail.log.  In order to prevent synchronous writes a “-” is placed in front of the log.

mail.*                          -/var/log/mail.log

This is a default on most Linux systems so you do not have to do anything but it does provide an explanation for why the log file is different in the syslog.conf.

Thunderbird Configuration

Posted by Filed Under Mail Client with Comments Off

Thunderbird (Icedove if you are on Debian) is an excellent choice for an email client, especially as it is capable of connecting using SSL or TLS and SMTP AUTH.  Many email clients are not able to do that.  Why TLS?  It is all about encrypting your password and data when you connect to your mail server.  In addition, when you use SMTP AUTH, you can travel and your mail server will allow you to send email because you have authenticated.


Create an account with Thunderbird.

Enter a name for the account and the email address you want to use.


In the example, IMAP is the server of choice which means your mail stays on the server.  This allows you to retrieve mail and also leave the mail on the server so you could share accounts.  An important setting is the “Incoming Server”.  Make sure you enter a FQDN (Fully Qualified Domain Name) which means it must have a hostname and domain name.


Now configure an incoming user name.


Check your account settings, one important setting is the “Outgoing Server” at the end of the file.  The “Outgoing Server” is the server that will authenticate the mobile user and allow you to send email through the mail server.


If you do not have anything set for the “Outgoing Server” just skip down in the tutorial to see how to set it up.

The “Server Settings” is how you will retrieve mail.  Note that the server  is listening on port 993 so that it is secure, IMAPS.  Also note to select SSL in this setting so the port is changed.


Here is how to configure the “Outgoing Server”.  Note the port number, the User Name that you will authenticate with and that TLS is selected.


If your mail server and client are configured correctly you will be able to send and receive mail, securely.  If it is not configured correctly you will see this message.  You will not  be able to relay through the mail server, in other words you cannot send mail.

[Image: smtp_auth]

Create Virtual Accounts with CRAM-MD5

Posted by Filed Under Dovecot with Comments Off

Virtual Accounts with CRAM-MD5
The major disadvantage of PLAIN text passwords on the server of course is that they are readable.  Even if your communication with the server is encrypted it is troubling to have readable passwords on the server.  You can easily change this by using the dovecotpw command and creating encrypted passwords.

As root login to the mail server and use the dovecotpw command as seen below.  It will ask for the password you want to encrypt and then provide you with the output.

# dovecotpw
Enter new password:
Retype new password:
{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6

In the /etc/dovecot directory create two files, userdb for a list of users and passdb for the encrypted passwords.

userdb
This file has a list of the users and the location of their virtual accounts.  Note the virtual accounts are accounts that you have set up for the domains that you manage mail for, this is not the canonical domain on the server.  For example, if you set up a mail server and the hostname is mail.my_mail_server.com then mail accounts that are local will be canonical accounts with a home directory.  However, virtual accounts for the virtual domains that your mail server uses will not be able to login to the server as you can see from the /bin/false.  These are only mail users who can retrieve mail.

tom@example.com::510:510::/var/spool/vhosts/example.com/:/bin/false::
sue@example.com::510:510::/var/spool/vhosts/example.com/:/bin/false::
joe@secondexample.com::510:510::/var/spool/vhosts/secondexample.com/:/bin/false::

passdb
The passdb will include the users and their passwords.  You can see that virtual users must be indicated by username and the domain they have an account with. The password that was encrypted is then listed after their name.

tom@example.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
sue@example.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
joe@secondexample.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6

Here is the configuration you must add to /etc/dovecot.conf in order to use CRAM-MD5 with the virtual accounts.

default_mail_env = maildir:/var/spool/vhosts/%d/%n
auth_mechanisms = plain DIGEST-MD5 CRAM-MD5
auth_verbose = yes
auth default {
  mechanisms = plain cram-md5
  passdb passwd-file {
    args = /etc/dovecot/passdb
  }
  userdb static {
    args = uid=virtual gid=virtual /etc/dovecot/userdb
  }
}
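The CRAM-MD5 exchange that this configuration enables, with both the client and server side, as an added example that is not part of the original post or of Dovecot's code. It follows RFC 2195; the in-memory password lookup stands in for the passdb file and is an assumption, since Dovecot keeps the {HMAC-MD5} form shown above rather than the password itself.

```python
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname):
    """Server: build a fresh, never-repeated challenge in msg-id form."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return "<%d.%d@%s>" % (nonce, int(time.time()), hostname)


def client_response(username, password, challenge):
    """Client: answer with 'user hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(),
                      hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()


def server_verify(b64_response, challenge, lookup_password):
    """Server: return the authenticated username, or None on any failure."""
    try:
        decoded = base64.b64decode(b64_response, validate=True).decode()
        username, digest = decoded.rsplit(" ", 1)
    except ValueError:  # bad base64, bad UTF-8, or no space separator
        return None
    password = lookup_password(username)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge.encode(),
                        hashlib.md5).hexdigest()
    # Constant-time comparison so timing does not leak digest prefixes.
    if hmac.compare_digest(expected.encode(), digest.encode()):
        return username
    return None


if __name__ == "__main__":
    # Constructed account; lookup_password is a hypothetical stand-in
    # for reading /etc/dovecot/passdb.
    users = {"tom@example.com": "constructed-sample-password"}
    challenge = make_challenge("mail.example.com")
    response = client_response("tom@example.com",
                               users["tom@example.com"], challenge)
    print("S:", base64.b64encode(challenge.encode()).decode())
    print("C:", response)
    print("authenticated as:", server_verify(response, challenge, users.get))
    # A captured response is useless against the next challenge.
    print("replayed:", server_verify(response,
                                     make_challenge("mail.example.com"),
                                     users.get))
```

The password never crosses the wire, but the server must hold a secret from which the HMAC can be recomputed, so the passdb file needs the same protection as a file of plain passwords.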
