Docbook2Wiki: Initial conversion from Docbook

Docbook2Wiki — Fri, 07 Mar 2008 10:53:32 GMT

Initial conversion from Docbook

New page

{{SpamAssassin/TOC}}
qmail is a mail transport agent written by cryptography researcher Dan Bernstein and designed to provide a highly secure mail system. It consists of several components, each of which runs with least privilege and none of which trusts data from the other without validating it itself. qmail works best in concert with several other systems designed by Bernstein that take over other functions traditionally performed by standard system utilities.

This chapter explains how to integrate SpamAssassin into a qmail-based mail server to perform spam-checking for local recipients or to create a spam-checking mail gateway.

<div class="warning">
'''Warning'''

qmail is a complex piece of software and, like most MTAs, offers scores of configuration choices. This chapter assumes that you are running the netqmail 1.05 version of qmail 1.03 and does not cover how to securely install, configure, or operate qmail itself. For that information, see the qmail documentation, David Sill's ''Life with qmail'' web site (''http://www.lifewithqmail.org'') and ''The qmail Handbook''by David Sill (Apress) or ''qmail'' by John Levine (O'Reilly).

This chapter assumes that you have set up your qmail system as described in ''Life with qmail'' and that you are using the recommended ''daemontools'' and ''ucspi-tcp'' packages.
</div>

== qmail Architecture ==

Several different qmail components play roles in receiving messages from the Internet. Messages from the Internet typically enter the mail server via the <tt>qmail-smtpd</tt> daemon, which listens on port 25 and conducts the SMTP transaction with the remote sender. <tt>qmail-smtpd</tt> passes the messages to the <tt>qmail-queue</tt> program, which stores them in an outgoing queue for further processing. The <tt>qmail-send</tt> daemon reads the messages in the outgoing queue and attempts to deliver them using either the <tt>qmail-lspawn</tt> daemon (which passes it to the <tt>qmail-local</tt> program for local delivery) or the <tt>qmail-rspawn</tt> daemon (which passes them to the <tt>qmail-remote</tt> program for relaying to remote hosts). [[SpamAssassin/Integrating SpamAssassin with qmail#spamassassin-CHP-7-FIG-1|Figure 7-1]] illustrates the flow of email through qmail components.

<div id="spamassassin-CHP-7-FIG-1">
'''Figure 7-1. qmail architecture during message receipt'''

[[Image:SpamAssassin_I_7_tt122.png|qmail architecture during message receipt]]
</div>

Most systems keep all of qmail's files in ''/var/qmail''. Configuration files reside in ''/var/qmail/control''.

== Spam-Checking During Local Delivery ==

The easiest way to add SpamAssassin to a qmail system is to configure qmail to pipe messages through SpamAssassin during local delivery.

The advantages of this approach are:

* It's easy to set up.
* You can run <tt>spamd</tt> and can use <tt>spamc</tt> for faster spam-checking.
* User preference files, autowhitelists, and Bayesian databases can be used, because qmail will invoke SpamAssassin as the user to whom it is delivering a message.

However, qmail runs a local delivery agent only for email destined for a local recipient. You cannot create a spam-checking gateway with this approach.

If you're using the installation described in the ''Life with qmail'' web site, the ''/var/qmail/control/defaultdelivery''file contains a line that specifies either a directory (e.g., ''./Maildir/'') or a filename (e.g., ''./Mailbox''). The ''/var/qmail/rc'' script passes the contents of ''defaultdelivery'' to <tt>qmail-start</tt>, and thence to <tt>qmail-lspawn</tt> and <tt>qmail-local</tt>.

If you deliver to a ''maildir'' directory, change the line in your ''defaultdelivery'' file to read:

| /usr/bin/spamc | maildir ''./Maildir/''

In this case, be sure you've installed the ''safecat'' package, which includes the <tt>maildir</tt> script. You can get ''safecat'' at ''http://www.pobox.com/~lbudney/linux/software/safecat.html''.

If you deliver to a ''mailbox'' file in each user's home directory, install procmail and change the line in ''defaultdelivery'' to read:

| preline procmail

In this case, the system's ''/etc/procmailrc'' file should have a default recipe that looks like this:

:0fw
* <300000
|/usr/bin/spamc

:0:
$HOME/Mailbox

<div class="tip">
'''Tip'''

The default delivery method is used only when users don't have their own ''.qmail'' files. This permits users to override spam-checking. Conversely, if you don't do spam-checking by default during local delivery, any user can add the preceding lines to her ''.qmail'' file and have her messages checked.
</div>

== Spam-Checking All Incoming Mail ==

If you want to set up a spam-checking gateway for all recipients, local or not, you need a way to perform spam-checking as mail is received, before final delivery. qmail provides this capability through the QMAILQUEUE patch, which is included in the netqmail distribution of qmail (and most packaged qmail distributions).

<div class="tip">
'''Tip'''

You can find out if your qmail installation has the QMAILQUEUE patch applied by executing the following commands:

# '''cd /var/qmail/bin'''

# '''strings qmail-smtpd | grep QMAILQUEUE'''

QMAILQUEUE

If you don't see <tt>QMAILQUEUE</tt> in response to the strings command, the patch has not been applied. You will have to recompile qmail from the netqmail source code.
</div>

With the QMAILQUEUE patch applied, the <tt>qmail-smtpd</tt> daemon checks to see if the environment variable <tt>QMAILQUEUE</tt> has been set. If so, <tt>qmail-smtpd</tt> hands the message off to the program specified in that variable instead of to the default <tt>qmail-queue</tt> program. The new program can call SpamAssassin and then pass the (possibly tagged) message to <tt>qmail-queue</tt>. [[SpamAssassin/Integrating SpamAssassin with qmail#spamassassin-CHP-7-FIG-2|Figure 7-2]] illustrates this arrangement.

<div id="spamassassin-CHP-7-FIG-2">
'''Figure 7-2. qmail configuration to check all incoming email for spam'''

[[Image:SpamAssassin_I_7_tt127.png|qmail configuration to check all incoming email for spam]]
</div>

SpamAssassin includes a small C program called <tt>qmail-spamc</tt> by John Peacock, with its source code (in the ''qmail'' subdirectory in SpamAssassin 2.63, and in the ''spamc'' subdirectory in SpamAssassin 3.0). When compiled, <tt>qmail-spamc</tt> is suitable for use as a <tt>QMAILQUEUE</tt> program; it invokes <tt>spamc</tt> on an incoming message and pipes the result to <tt>qmail-queue</tt>. Because it's written in C and is a very simple program, it runs quickly. To set up <tt>qmail-spamc</tt>, perform the following steps:

<ol>
<li><div>Compile ''qmail-spamc.c''. On most systems, issue a command like the following in the directory containing ''qmail-spamc.c'':

'''cc -O -o qmail-spamc qmail-spamc.c'''

</div></li>

<li><div>As ''root'', install <tt>qmail-spamc</tt> in an appropriate location on your system (e.g., ''/var/qmail/bin'' or ''/usr/local/bin''). Make it executable. For example:

'''install -m 755 qmail-spamc '''

''' /var/qmail/bin'''
''' '''

</div></li>

<li><div>Ensure that <tt>qmail-queue</tt> is on the system's default path. The easiest way to do so is usually to create a symbolic link from ''/var/qmail/bin/qmail-queue'' to ''/usr/bin/qmail-queue''. Do the same for <tt>spamc</tt> if it is not already installed in ''/usr/bin''. For example:

ln -s /var/qmail/bin/qmail-queue /usr/bin/qmail-queue
</div></li>

<li><div>Ensure that <tt>spamd</tt> is running.
</div></li>

<li><div>Ensure that <tt>qmail-smtpd</tt> has enough memory available to allow it to run <tt>qmail-spamc</tt> and <tt>spamc</tt>. Edit ''/var/qmail/supervise/qmail-smtpd/run'' and modify the <tt>-m</tt> and/or <tt>-a</tt> arguments of <tt>softlimit</tt> to increase the number of bytes available to <tt>qmail-smtpd</tt> and its child processes to an amount sufficient to allow all of the processes to execute completely on a large message. A setting of 10MB (roughly 10,000,000) is usually sufficient, but you may have to vary the setting and keep an eye on your logs to find the right amount. If the setting is too low, you will see errors such as the following at the end of the DATA step during SMTP transactions:

fatal: qq temporary problem (#4.3.0)
</div></li>

<li><div>Edit ''/etc/tcp.smtp''. This file controls access to the SMTP service when you're using ''ucspi-tcp''. Add or modify the line shown in bold:

127.:allow,RELAYCLIENT=""
''':allow,QMAILQUEUE="/var/qmail/bin/qmail-spamc'''"

This change causes the <tt>QMAILQUEUE</tt> environment variable to be set when <tt>qmail-smtpd</tt> is invoked by a connection from hosts outside the ''127''. network (i.e., spam-checking will be performed on email from remote hosts, but not from the local host).

With the version of <tt>qmail-spamc</tt> distributed with SpamAssassin 3.0, you can customize the way <tt>spamc</tt> is invoked by adding additional environment variables to the list in ''/etc/tcp.smtp'', including:

;<tt>SPAMDSOCK=</tt>"<tt>''/path/to/socket''</tt>"
: Direct <tt>spamc</tt> to use the given path to a Unix socket for connecting to <tt>spamd</tt>.
;<tt>SPAMDHOST=</tt>"<tt>''hostname''</tt>"
: Direct <tt>spamc</tt> to connect to <tt>spamd</tt> at the given host.
;<tt>SPAMDPORT=</tt>"<tt>''port-number''</tt>"
: Direct <tt>spamc</tt> to connect to <tt>spamd</tt> at the given TCP port number.
;<tt>SPAMDSSL="1</tt>"
: Direct <tt>spamc</tt> to connect to <tt>spamd</tt> using SSL.
;<tt>SPAMDSIZE=</tt>"<tt>''number-of-bytes''</tt>"
: Direct <tt>spamc</tt> not to perform spam-checking on messages that exceed <tt>''number-of-bytes''</tt> in size.
;<tt>SPAMDUSER=</tt>"<tt>''username''</tt>"
: Direct <tt>spamc</tt> to supply the given username to <tt>spamd</tt>.
</div></li>

<li><div>Update the TCP rules database by running the command <tt>qmailctl cdb</tt>, which is found in your ''/var/qmail/bin/'' directory. At this point, all incoming remote SMTP connections should have their messages passed through <tt>qmail-spamc</tt>.
</div></li>

</ol>

<div class="tip">
'''Tip'''

You can emulate the QMAILQUEUE approach without the QMAILQUEUE patch by renaming <tt>qmail-queue</tt> to <tt>qmail-queue.orig</tt> and writing a new <tt>qmail-queue</tt> script that pipes the message through SpamAssassin and then to <tt>qmail-queue.orig</tt>, like this:

#!/bin/sh

PATH=/var/qmail/bin:$PATH

| spamc | qmail-queue.orig

However, this approach is less flexible than using QMAILQUEUE and more prone to causing trouble later when you want to queue messages without spam-checking them.
</div>

== Building a Spam-Checking Gateway ==

Several content-filtering daemons that call SpamAssassin are available for qmail. This section provides a complete sample installation of qmail-scanner, a particularly flexible filter that supports both spam-checking and virus-checking. qmail-scanner is written in Perl and available at ''http://qmail-scanner.sourceforge.net/''. The version used in this section's example is 1.21. Some of qmail-scanner's features include:

* The filter was specifically developed and tested for qmail.
* Messages can be rejected based on MIME type or extensions of attached filenames.
* Messages can be rejected based on invalid formatting.
* Messages can be checked with multiple virus scanners, and messages carrying viruses can be refused, discarded, or quarantined.
* SpamAssassin can be invoked on a message, and spam can be refused, discarded, quarantined, or tagged.

The rest of this chapter details the installation, configuration, and operation of qmail-scanner as an example of a full-scale approach to using SpamAssassin with qmail. qmail-scanner's other functions, such as virus-checking, are mentioned but not covered in detail; read the documentation to learn more about these features.

=== Installation ===

qmail-scanner is written in Perl and invokes SpamAssassin by running <tt>spamc</tt>, so you must run <tt>spamd</tt> to use qmail-scanner. You should set up <tt>spamd</tt> before you install qmail-scanner. Install SpamAssassin (and your antivirus software) first, then install qmail-scanner. qmail-scanner also requires some other Perl modules, including: ''Time::HiRes'', ''DB_File'', and ''Sys::Syslog''. You can install these Perl modules using CPAN as described in [[SpamAssassin/SpamAssassin Basics|Chapter 2]]. You must also install the Maildrop software package (''http://www.courier-mta.org/download.php''), and if you plan to perform virus-checking, TNEF (''http://sourceforge.net/projects/tnef/''). ''''

<div class="tip">
'''Tip'''

qmail-scanner requires the 5.005_03 version of Perl or later. Perl must be compiled to allow ''setuid'' Perl scripts; often this means that a separate <tt>suidperl</tt> program is available on the system. If your system's Perl does not support ''setuid'' Perl scripts, you may be able to find a package for your system that does, you may build Perl from source code and enable support, or you may compile a ''setuid'' wrapper program in C (described later in this chapter).
</div>

Begin the install process by creating a new user account and group for running qmail-scanner; the usual name for both the user and group is ''qscand''. The new user will own qmail-scanner's files, and the user (or group) must have access to SpamAssassin's configuration and database files as well. The user's home directory is traditionally ''/home/qscand'', but you can create it anywhere that fits your system's needs.

qmail-scanner uses several important directories and files in ''/var/spool/qmailscan''. For example, quarantined messages are stored in ''/var/spool/qmailscan/quarantine'', and qmail-scanner logs its operations in ''/var/spool/qmailscan/qmail-queue.log''. The directories ''/var/spool/qmailscan/tmp'' and ''/var/spool/qmailscan/working'' are temporary directories used for unpacking and processing messages. For optimal performance, these directories should be on a fast disk—even a RAM disk if your operating system supports it and you have enough memory to spare. In contrast, the ''quarantine'' directory should never be located on a RAM disk because you will often want to be sure that you can access quarantined files.

Next, download the qmail-scanner source code, unpack it, and build it. You must be ''root'' to configure and build qmail-scanner. The qmail-scanner build process uses the familiar <tt>configure</tt> command to configure and build qmail-scanner's components, which you then install.

<div class="sidebar">
'''qmail-scanner Configuration Options'''

qmail-scanner has only a few <tt>configure</tt> options related to SpamAssassin. If you don't specify any options, qmail-scanner will use <tt>spamc -c</tt> for spam-checking and will add ''X-Spam-Status'' and ''X-Spam-Level'' headers to messages, but will not modify the ''Subject'' header of spam messages.

If you specify the <tt>--scanners 'fast_spamassassin=</tt> <tt>''string''</tt>' command-line option to <tt>configure</tt>, qmail-scanner will also modify the ''Subject'' header of spam messages by prepending a <tt>''string''</tt>. A typical choice for <tt>''string''</tt> might be <tt>SPAM</tt>. If you plan to use other virus-scanners, you must specify thom in this command-line option as well or qmail-scanner will not use them. (If you've already installed qmail-scanner and want to start adding a ''Subject'' header tag, you can also edit the ''/var/qmail/bin/qmail-scanner-queue.pl'' file itself; search for the line that defines the <tt>$spamc_subject</tt> variable, and modify it to set your subject prefix.)

If you specify the <tt>--scanners verbose_spamassassin</tt> command-line option to <tt>configure</tt>, qmail-scanner will use <tt>spamc</tt> without the <tt>-c</tt> option. This alternative runs more slowly, because the entire spam-checked message is read back from <tt>spamc</tt> instead of just the spam scores. The advantage of this configuration, however, is that messages will be tagged exactly as defined in the SpamAssassin rules and report templates. For example, you'll get the SpamAssassin headers that report which spam tests matched, any custom headers you've defined, and full MIME-rewriting of messages. If you plan to use other virus scanners, you must specify them in this command-line option as well or qmail-scanner will not use them.
</div>

To configure qmail-scanner, use the commands shown in [[SpamAssassin/Integrating SpamAssassin with qmail#spamassassin-CHP-7-EX-1|Example 7-1]]. The example also reproduces the output you should expect.

<div id="spamassassin-CHP-7-EX-1">
'''Example 7-1. Building qmail-scanner'''

$ '''tar xfz qmail-scanner-1.21.tar.gz'''
$ '''cd qmail-scanner-1.21'''
$ '''su'''
Password:
''' XXXXXXXX'''
''' '''
# '''./configure --install'''
Building Qmail-Scanner 1.21...

This script will search your system for the virus scanners it knows
about, and will ensure that all external programs
qmail-scanner-queue.pl uses are explicitly pathed for performance
reasons.

It will then generate qmail-scanner-queue.pl - it is up to you to install it
correctly.

Continue? ([Y]/N) '''Y'''

/usr/bin/uudecode works as expected on system...

The following binaries and scanners were found on your system:

mimeunpacker=/usr/local/bin/reformime
uudecode=/usr/bin/uudecode
unzip=/usr/bin/unzip

Content/Virus Scanners installed on your System

fprot=/usr/local/bin/f-prot
fast_spamassassin=/usr/local/bin/spamc

Qmail-Scanner details.

log-details=0
fix-mime=2
ignore-eol-check=0
debug=1
notify=psender,nmlvadm
redundant-scanning=no
virus-admin=postmaster@example.com
local-domains='example.com'
silent-
viruses='klez','bugbear','hybris','yaha','braid','nimda','tanatos','sobig','winevar','pal
yh','fizzer','gibe','cailont','lovelorn','swen','dumaru','sober','hawawi','holar-
i','mimail','poffer','bagle','worm.galil','mydoom','worm.sco','tanx','novarg','@mm'
scanners="fprot_scanner","fast_spamassassin"

If that looks correct, I will now generate qmail-scanner-queue.pl
for your system...
Continue? ([Y]/N) '''Y'''

Finished. Please read README(.html) and then go over the script to
check paths/etc, and then install as you see fit.

Remember to copy quarantine-attachments.txt to /var/spool/qmailscan and then
run "qmail-scanner-queue.pl -g" to generate DB version.

****** FINAL TEST ******

Please log into an unpriviledged account and run
/var/qmail/bin/qmail-scanner-queue.pl -g

If you see the error "Can't do setuid", or "Permission denied", then
refer to the FAQ.

(e.g. "setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g")

That's it! To report success:

% (echo 'First M. Last'; cat SYSDEF)|mail jhaar-s4vstats@crom.trimble.co.nz
Replace First M. Last with your name.
</div>

<div class="sidebar">
'''No setuid Perl'''

When qmail-scanner's <tt>configure</tt> script can't find a suitable version of Perl for running ''setuid'' scripts, it prints out an error like this:

Testing suid nature of /usr/bin/suidperl...
Whoa - broken perl install found.
Cannot even run a simple script setuid
Installation of Qmail-Scanner FAILED

If you can't (or don't want to) install a Perl that runs ''setuid'' scripts, you can use a ''setuid'' wrapper in C instead. Follow these steps as ''root'':

# Install qmail-scanner with <tt>./configure --skip-setuid-test --install</tt>. This will produce an error at the end of the installation.
# Compile and install the C wrapper with <tt>(cd contrib; make install)</tt>. If you're not using the default <tt>qscand</tt> user and group and ''/var/qmail/bin'' directory for installation, you'll have to edit ''contrib/Makefile'' first.
# Remove the setuid bit from ''/var/qmail/bin/qmail-scanner-queue.pl'' with <tt>chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl</tt>.
# Edit ''/var/qmail/bin/qmail-scanner-queue.pl'' and change the first line from <tt>#!/usr/bin/suidperl -T</tt> to <tt>#!/usr/bin/perl -T</tt>.
# Use ''qmail-scanner-queue'' (the compiled C wrapper) in place of ''qmail-scanner-queue.pl'' in the rest of the qmail-scanner setup process.
</div>

As with <tt>qmail-spamc</tt>, ensure that <tt>qmail-smtpd</tt> has enough memory available to allow it to run <tt>qmail-scanner-queue.pl</tt>, any virus checkers you have configured, and <tt>spamc</tt>. Edit ''/var/qmail/supervise/qmail-smtpd/run'' and modify the <tt>-m</tt> and/or <tt>-a</tt> arguments of <tt>softlimit</tt> to increate the number of bytes available to <tt>qmail-smtpd</tt> and its child processes to an amount sufficient to allow all of the processes to execute completely on a large message.

To enable qmail-scanner, edit ''/etc/tcp.smtp''. Add or modify lines such as those shown in bold:

127.:allow,RELAYCLIENT=""
'''192.168.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl'''"
'''10.:allow,RELAYCLIENT="",QS_SPAMASSASSIN="on",QMAILQUEUE="/var/qmail/bin/qmail-'''
'''scanner-queue.pl'''"
''':allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl'''"

When you invoke qmail-scanner with qmail's <tt>RELAYCLIENT</tt> variable set, as in the line for connections from the 192.168/16 network, only virus-checking is performed, unless you also include <tt>QS_SPAMASSASSIN="on</tt>", as in the line for connections from the 10/8 network. When you invoke it without setting <tt>RELAYCLIENT</tt>, as in the line for default connections, both virus-checking and spam-checking are performed.

Be sure to run <tt>/var/qmail/bin/qmailctl cdb</tt> after updating ''/etc/tcp.smtp''.

=== Initialization ===

The first time you install qmail-scanner, you must direct it to initialize its databases. As the ''qscand'' user, run these commands:

$ '''/var/qmail/bin/qmail-scanner-queue.pl -z'''
$ '''/var/qmail/bin/qmail-scanner-queue.pl -g'''
perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt
perlscanner: total of 9 entries.

=== Basic Operations ===

qmail-scanner comes with a shell script called <tt>test_installation.sh</tt> that can be used to exercise an installation. [[SpamAssassin/Integrating SpamAssassin with qmail#spamassassin-CHP-7-EX-2|Example 7-2]] shows how to run the script, along with its output.

<div id="spamassassin-CHP-7-EX-2">
'''Example 7-2. Testing qmail-scanner'''

# '''cd contrib'''
# '''QMAILQUEUE="/var/qmai/bin/qmail-scanner-queue.pl" ./test_installation.sh -doit'''

Sending standard test message - no viruses...
done!

Sending eicar test virus - should be caught by perlscanner module...
done!

Sending eicar test virus with altered filename - should only be caught by commercial
anti-virus modules (if you have any)...

Sending bad spam message for anti-spam testing - In case you are using SpamAssassin...
Done!

Finished test. Now go and check Email for root
</div>

If qmail-scanner's spam-checking is operating properly, ''root'' (or the user that receives ''root'''s email) should receive a non-spam message like this:

From MAILER-DAEMON Tue Mar 23 05:03:28 2004
From: Qmail-Scanner Test <example.com@example.com>
'''Received: from by example.com by uid 0 with qmail-scanner-1.21'''
'''(f-prot: 3.11/. spamassassin: 2.63. Clear:RC:1(127.0.0.1):SA:0(0.0/5.0):'''.
'''Processed in 5.577981 secs); 23 Mar 2004 05:03:28 -0000'''
To: Root Account <root@example.com>
Subject: Qmail-Scanner test (1/4): inoffensive message
Date: 23 Mar 2004 05:03:22 -0000
Delivered-To: root@example.com
'''X-Spam-Status: No, hits=0.0 required=5.0'''

Message 1/4

This is a test message. It should arrive unaffected.

The same user should also receive a spam message like this:

From MAILER-DAEMON Tue Mar 23 05:03:41 2004
'''Received: from by example.com by uid 0 with qmail-scanner-1.21'''
'''(f-prot: 3.11/. spamassassin: 2.63. Clear:RC:1(127.0.0.1):SA:1(16.7/5.0):'''.
'''Processed in 5.129358 secs); 23 Mar 2004 05:03:40 -0000'''
'''X-Spam-Status: Yes, hits=16.7 required=5.0'''
'''X-Spam-Level: ++++++++++++++++'''<nowiki>
Delivery-Date: Mon, 19 Feb 2001 13:57:29 +0000
Delivered-To: jm@netnoteinc.com
Received: from webnote.net (mail.webnote.net [193.120.211.219])
by mail.netnoteinc.com (Postfix) with ESMTP id 09C18114095
for <jm7@netnoteinc.com>; Mon, 19 Feb 2001 13:57:29 +0000 (GMT)
Received: from netsvr.Internet (USR-157-050.dr.cgocable.ca [24.226.157.50] (may
+be forged))
by webnote.net (8.9.3/8.9.3) with ESMTP id IAA29903
for <jm7@netnoteinc.com>; Sun, 18 Feb 2001 08:28:16 GMT
From: sb55sb55@yahoo.com
Received: from R00UqS18S (max1-45.losangeles.corecomm.net [216.214.106.173]) by
+netsvr.Internet with SMTP (Microsoft Exchange Internet Mail Service Version
+5.5.2653.13)
id 1429NTL5; Sun, 18 Feb 2001 03:26:12 -0500
DATE: 18 Feb 01 12:29:13 AM
Message-ID: <9PS291LhupY>
Subject: Qmail-Scanner anti-spam test (4/4): checking SpamAssassin [if present]
+(There yours for FREE!)
To: undisclosed-recipients: ;

Congratulations! You have been selected to receive 2 FREE 2 Day VIP Passes to
Universal Studios!

Click here http://209.61.190.180

As an added bonus you will also be registered to receive vacations discounted 25%-
75%!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This mailing is done by an independent marketing co.
We apologize if this message has reached you in error.
Save the Planet, Save the Trees! Advertise via E mail.
No wasted paper! Delete with one simple keystroke!
Less refuse in our Dumps! This is the new way of the new millennium
To be removed please reply back with the word "remove" in the subject line.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@</nowiki>

Note the bold lines in the messages. These are headers demonstrating that the messages were processed by qmail-scanner, and in the case of the spam message, that qmail-scanner can recognize spam.

qmail-scanner uses ''/var/spool/qmailscan'' as a working directory and quarantine area for viruses. By default, qmail-scanner's operations are logged to the ''/var/spool/qmailscan/qmail-queue.log'' file, which should be added to your log rotation schedule. Errors are also reported to qmail's log files.

When an SMTP session is dropped partway, temporary files may remain in ''/var/spool/qmailscan''. These messages can be cleared out by running <tt>/var/qmail/bin/qmail-scanner-queue.pl -z</tt>. Set up a <tt>cron</tt> job to execute this command once a day to delete older files in this directory.

=== Per-User Spam Preferences ===

qmail-scanner invokes <tt>spamc</tt> with the <tt>-u</tt> <tt>''recipient''</tt> argument when a message has a single recipient. Accordingly, in this case, per-user spam-checking preferences (either from users' ''.spamassassin/user_prefs'' files or from an SQL or LDAP database if <tt>spamd</tt> is so configured) will be applied when qmail-scanner checks messages. When a message has multiple recipients, qmail-scanner uses the default preferences.

Although there is no way to configure qmail to force senders to send messages with one recipient at a time, qmail itself always breaks up a multirecipient message when it is ''sending'' and sends copies of the message to single recipients. Ron Culler pointed out in a December 2003 message to the ''qmail-scanner-general'' mailing list that one way to ensure that every message has only a single recipient is to run a pair of qmail gateways. The first gateway receives messages from the Internet and can perform some general scanning (e.g., refusing viruses) before forwarding messages on to the second gateway for spam-checking. Because the first qmail server will always split up multirecipient messages before sending them, the second qmail server will always receive messages with a single recipient and can apply per-user spam preferences.

<div class="tip">
'''Tip'''

If you built qmail-scanner using the default <tt>fast_spamassassin</tt> configuration (described in the [[SpamAssassin/Integrating SpamAssassin with qmail|qmail-scanner Configuration Options]] sidebar), <tt>spamc</tt> is invoked with the <tt>-c</tt> option. This limits which per-user spam preferences are applied: spam thresholds and score modifications will work, but preferences that affect the way messages or headers are rewritten will not (because <tt>spamc -c</tt> returns only a spam score, not a rewritten message). Use the <tt>verbose_spamassassin</tt> configuration if you need to enable these preferences.
</div>

=== Sitewide Bayesian Filtering ===

You can easily add sitewide Bayesian filtering to qmail-scanner. Use the usual SpamAssassin <tt>use_bayes</tt> and <tt>bayes_path</tt> directives in ''local.cf'', and ensure that the ''spamd''user has permission to create the databases in the directory named in <tt>bayes_path</tt>.

=== Sitewide Autowhitelisting ===

Adding autowhitelisting is just as easy. Add the usual SpamAssassin <tt>auto_whitelist_path</tt> directive to ''local.cf'', and if you're using SpamAssassin 2.63, invoke <tt>spamd</tt> with the <tt>--auto-whitelist</tt> option (which is unnecessary in SpamAssassin 3.0). As with the Bayesian databases, the ''spamd'' user must have permission to create the autowhitelist database and read and write to it.

=== Routing Email Through the Gateway ===

Once you have qmail and qmail-scanner receiving messages for the local host and performing SpamAssassin checks on them, you can start accepting email for your domain and routing it to an internal mail server after spam-checking. [[SpamAssassin/Integrating SpamAssassin with qmail#spamassassin-CHP-7-FIG-3|Figure 7-3]] illustrates this topology.

<div id="spamassassin-CHP-7-FIG-3">
'''Figure 7-3. Spam-checking gateway topology'''

[[Image:SpamAssassin_I_7_tt139.png|Spam-checking gateway topology]]
</div>

The following sections describe the changes you need to make to implement the topology shown in [[SpamAssassin/Integrating SpamAssassin with qmail#spamassassin-CHP-7-FIG-3|Figure 7-3]].

==== qmail changes ====

To configure qmail to relay incoming mail for ''example.com'' to ''internal.example.com'', add the following line to ''/var/qmail/control/rcpthosts'':

example.com

Then, create the ''/var/qmail/control/smtproutes'' file, and add either:

example.com:internal.example.com

or, if ''mail.example.com'' can look up an (internal) MX record for ''example.com'' that points to ''internal.example.com'' (and possibly other internal mail servers), you could use

example.com:

==== Routing changes ====

Mail from the Internet for ''example.com'' should be sent to the spam-checking gateway ''mail.example.com''. Add a DNS MX record for the ''example.com'' domain that points to ''mail.example.com''.

Once received by ''mail.example.com'', messages will be spam-checked and should then be relayed to ''internal.example.com'' by qmail. No DNS records for ''internal.example.com'' need be published to the Internet, but it's necessary that ''mail.example.com'' can resolve ''internal.example.com''.

==== Internal server configuration ====

Once the external mail gateway is in place, you can configure the internal mail server to accept SMTP connections only from the gateway (for incoming Internet mail). If you don't have a separate server for outgoing mail, the internal mail server should also accept SMTP connections from hosts on the internal network. These restrictions are usually enforced by limiting access to TCP port 25 using a host-based firewall or a packet-filtering router.

SpamAssassin/Integrating SpamAssassin with qmail - Revision history

Docbook2Wiki: Initial conversion from Docbook

Docbook2Wiki: Initial conversion from Docbook