Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

Installing SpamAssassin

Before getting to the specifics of installing the supporting software for each MTA, we first cover the installation of SpamAssassin. If SpamAssassin is installed first, several of the packages will automatically determine that SpamAssassin has been installed and adjust their configuration.

The first step is to download the sources, which are available from the SpamAssassin site: http://useast.spamassassin.org/released/Mail-SpamAssassin-2.63.tar.gz . After you have downloaded them to a location such as /usr/local/src, uncompress and extract the files as follows:

bash$ gzip -d Mail-SpamAssassin-2.63.tar.gz
bash$ tar xf Mail-SpamAssassin-2.63.tar.gz
bash$ cd Mail-SpamAssassin-2.63

To install SpamAssassin, perform the following:

bash$ perl ./Makefile.PL
What email address or URL should be used in the suspected-spam report
text for users who want more information on your filter installation?
(In particular, ISPs should change this to a local Postmaster contact)
default text: [the administrator of that system] user@mydomain.com

Checking if your kit is complete...
Looks good
Writing Makefile for Mail::SpamAssassin
Makefile written by ExtUtils::MakeMaker 6.03

bash$ make
bash$ sudo su
# make install

SpamAssassin is now installed. Configuration of SpamAssassin is covered later in this chapter.

SpamAssassin and Sendmail

To give you an idea of how SpamAssassin is integrated into Sendmail, Figure 3.3 illustrates the flow of email through a Sendmail system filtered with SpamAssassin and MIMEDefang on a system-wide basis.

03fig03.gif

Figure 3.3 SpamAssassin and Sendmail.

The first step is to download and install SpamAssassin. After that is accomplished, milter and MIMEDefang must be installed to complete the installation.

Installing milter

The next task is to ensure that milter is installed. Under most Linux/Unix distributions, milter is not enabled, so Sendmail must be recompiled with milter support. To check whether your version of Sendmail was compiled with milter support, run this command: path-to-sendmail/sendmail -bp -d0.4 | grep MILTER . If the command returns a blank, then you need to install milter. Otherwise, you can skip this section.

We start off by installing milter. In order to enable Sendmail milter functionality, Sendmail must be recompiled. Let's assume the Sendmail sources are located in the /usr/local/src/sendmail-8.12.10 directory. Create a file in the devtools/Site directory of the Sendmail sources called site.config.m4 with the following contents:

dnl Milter
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE')

These lines tell Sendmail to run milter and the environment for its execution. After making the changes to the configuration file, rebuild Sendmail by executing ./Build.sh from the root of the Sendmail source directory. Install Sendmail by executing the ./Build.sh install command, and you now have a Sendmail binary that supports milter.

Installing MIMEDefang

The final step is to install MIMEDefang. It is important to note that the MIMEDefang installation automatically detects the SpamAssassin installation and will configure itself appropriately. So, installing SpamAssassin prior to MIMEDefang is a time-saver.

There are two aspects to installing MIMEDefang. MIMEDefang depends upon a number of Perl modules. The developers of MIMEDefang have made a nice package of all the required Perl modules, which can be installed in one shot. Point your browser to http://www.mimedefang.org/node.php?id=1 and download the MIME-tools-5.411a-RP-Patched-02.tar.gz sources. Then install them like this:

bash$ tar xzvf MIME-tools-5.411a-RP-Patched-02.tar.gz

bash$ cd MIME-tools-5.411a-RP-Patched-02

bash$ perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for MIME-tools

bash$ make
bash$ sudo su
# make install

The second step is to download the MIMEDefang sources from a repository. A good choice would be the MIMEDefang page at http://www.mimedefang.org/node.php?id=1 . After downloading, the package is installed as follows:

bash$ tar xzf mimedefang-2.39.tar.gz
bash$ cd mimedefang-2.39
bash$ ./configure

bash$ sudo groupadd defang

bash$ sudo useradd -c 'MIMEDefang user' -d /var/empty -s /bin/false defang

bash$ make
bash$ sudo su
# make install

# mkdir /var/spool/MIMEDefang
# chmod 700 /var/spool/MIMEDefang

# cp -p examples/init-script /usr/local/bin/mimedefang.sh

# chown defang.defang /usr/local/bin/mimedefang.sh

The configuration file mimedefang-filter that the installation package includes is reasonable. However, you might need to change some of the parameters, including the following.

To change the email address and name to where notifications go:

$AdminAddress = 'postmaster@mydomain.com';
$AdminName = "MIMEDefang Administrator's Full Name";

To change the email address MIMEDefang uses to send email, change this:

$DaemonAddress = 'mimedefang@mydomain.com';

If you want warnings as part of the message instead of an attachment (default is 0), set this variable to 1:

$AddWarningsInline = 1;

The default action is to send logs via email:

md_graphdefang_log_enable(mail,1);

Activating MIMEDefang/SpamAssassin

To activate SpamAssassin, edit sendmail.mc from your Sendmail source directory to include the following line:

INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock,F=T, T=S:1m;R:1m')

This line tells Sendmail to invoke MIMEDefang, which will in turn call SpamAssassin. The Sendmail configuration file is built by running the following command while in the $SRC/cf/cf directory:

# m4 ../m4/cf.m4 sendmail.mc > sendmail.cf

The resulting sendmail.cf file can be installed in /etc/mail and the server restarted by issuing /etc/init.d/sendmail restart.

SpamAssassin and Postfix

The flow of mail under Postfix integrated with SpamAssassin is diagrammed in Figure 3.4 for a system-wide basis setup.

03fig04.gif

Figure 3.4 SpamAssassin and Postfix.

SpamAssassin is activated under Postfix by using the amavisd-new package. More information is available online for amavisd-new at http://www.ijs.si/software/amavisd/ . amavisd-new calls the SpamAssassin libraries directly, making the installation a bit simpler than qmail and Sendmail, which both require additional pieces of software to activate SpamAssassin. Calling the SpamAssassin libraries directly also saves some overhead because additional system resources are not required if spamc and/or spamd are not invoked.

Installing amavisd-new

amavisd-new requires a number of Perl modules to be installed on the target. The INSTALL file notes regarding prerequisites from amavisd-new are as follows:

Archive::Tar   (Archive-Tar-x.xx)
Archive::Zip   (Archive-Zip-x.xx) (1.09 or later is recommended!)
Compress::Zlib (Compress-Zlib-x.xx)
Convert::TNEF  (Convert-TNEF-x.xx)
Convert::UUlib (Convert-UUlib-x.xxx)
MIME::Base64   (MIME-Base64-x.xx)
MIME::Parser   (MIME-Tools-x.xxxx)
(the patched MIME-tools by David F. Skoll is recommended over 5.411,
  as it better handles broken/bad MIME syntax:
    http://www.mimedefang.org/ -> Download section.
  The new 6.2xx from http://search.cpan.org/dist/MIME-tools/
  also includes these patches, and more.
Mail::Internet (MailTools-1.58 or later have workarounds for Perl 5.8.0 bugs)
Net::Server    (Net-Server-x.xx)
Net::SMTP      (libnet-x.xx)     (use libnet-1.16 or later for performance)
Digest::MD5    (Digest-MD5-x.xx)
IO::Stringy    (IO-stringy-x.xxx)
Time::HiRes    (Time-HiRes-x.xx) (use 1.49 or later; some older cause problems)
Unix::Syslog   (Unix-Syslog-x.xxx)

Make sure all of these Perl modules are installed on the target system. If any are missing, download and install them from http://www.cpan.org .

Unfortunately, there is no install script, so the software must be installed and configured manually. To begin, download the amavisd-new sources from http://www.ijs.si/software/amavisd/amavisd-new-20030616-p6.tar.gz in a directory, such as /usr/local/src. Extract it and change directory into the directory by running:

# gzip -d amavisd-new-20030615-p6.tar.gz
# tar xvf amavisd-new-20030615-p6.tar.gz
# cd amavisd-new-20030616

Then create a directory under /var called amavis as the amavisd home directory:

# mkdir /var/amavis

Create the group amavis and user amavis:

# groupadd amavis
# useradd -c 'Amavis Daemon' -d /var/amavis -g amavis -s /bin/false amavis

Make the permissions and ownership correct on the directory /var/amavis:

# chown amavis:amavis /var/amavis
# chmod 750 /var/amavis

Copy the amavisd executable to /usr/local/sbin and change the permissions appropriately:

# cp amavisd /usr/local/sbin/
# chown root /usr/local/sbin/amavisd
# chmod 755  /usr/local/sbin/amavisd

Copy the amavisd.conf configuration file to its default location, /etc, and make the permissions correct:

# cp amavisd.conf /etc/
# chown root /etc/amavisd.conf
# chmod 644  /etc/amavisd.conf

(If you change the location, you must start up amavisd with the -c option to tell it where to read its configuration from.)

Next, you must create the quarantine directory (where amavisd stores viruses that are caught) and set the permissions and ownership:

# mkdir /var/quarantine
# chown amavis:amavis /var/quarantine
# chmod 750 /var/quarantine

Finally, you need to adjust the amavisd.conf configuration file to reflect the appropriate settings. If you followed the preceding recommendations, then set the following values as follows:

$mydomain = 'example.com';
$daemon_user  = 'amavis';
$daemon_group = 'amavis';
$TEMPBASE = "$MYHOME/tmp";
$forward_method = 'smtp:127.0.0.1:10025'; # for postfix
$notify_method = $forward_method;         # for postfix
$inet_socket_bind = '127.0.0.1';          # improves security
$QUARANTINEDIR = '/var/quarantine';

You will want to change example.com to the name of the domain you are receiving email for. $daemon_user and $daemon_group are set to the name of the amavisd-new user—in our case, amavis. $TEMPBASE is set to the amavisd-new variable $MYHOME appended with /tmp. You may want to set this to /var/tmp or /tmp, depending upon your setup. The $forward_method setting tells amavisd-new what to do with the message after processing it. In our case, Postfix expects to receive the message on port 10025 of the local machine. $notify_method tells amavisd what to do with notify messages—in our case, treat them the same as the $forward_method. $inet_socket_bind is set to loopback in order to restrict the IP addresses that are allowed to connect to amavisd. Finally, the $QUARANTINEDIR keyword tells amavisd-new what to do with messages if they are identified as a problem and need to be set aside.

If you are not running virus checks, you will want to enable this line:

@bypass_virus_checks_acl = qw( . );

This will disable virus checking, if necessary. The log level can be set anywhere from 0 (no logging) to 5 (everything is logged). For debugging purposes, start with 5 and then reduce it down to 2 after everything is running smoothly.

$log_level = 2;

After all of the settings have been changed, start amavisd with the debug option to check for any missing Perl libraries or other misconfigurations:

bash$ sudo su
# /usr/local/sbin/amavisd debug

After it starts cleanly, enable amavisd-new to start on bootup by executing the following, assuming you are running a recent version of Linux:

# cp amavisd_init.sh /etc/init.d/
# ln -s /etc/rc.d/init.d/amavisd_init.sh /etc/rc.d/init.d/rc2.d/amavisd

Configuring Postfix

The Postfix configuration required to activate SpamAssassin and amavisd-new is relatively straightforward. Only a few lines need to be added to your main.cf and master.cf located by default in /etc/postfix.

In main.cf, add the following line:

content_filter = smtp-amavis:[127.0.0.1]:10024

The above line tells Postfix to invoke the amavisd-new content filter by connecting to the loopback interface on port 10024. In master.cf, add the following lines:

#
# The amavis interface
#
smtp-amavis unix - - y - 2 smtp
      -o smtp_data_done_timeout=1200
      -o disable_dns_lookups=yes

127.0.0.1:10025 inet n - y - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks, reject
      -o mynetworks=127.0.0.0/8

The first configuration entry beginning with smtp-amavis here tells smtp (Postfix's delivery agent) to run in a chroot'ed environment with a maximum of two instances. It invokes smtpd, sets the smtp done timeout to 1200 seconds, and disables DNS lookups to improve performance. The second configuration entry starting with 127.0.0.1 tells amavisd-new to reinject the filtered results into a chroot'ed instance of Postfix's smtpd on port 10025 configured with the listed restrictions.

The next step is to tell Postfix to re-read its configuration files:

bash$ sudo postfix reload

You should now be up and running with SpamAssassin/amavisd-new support in Postfix. You may skip ahead to the "Verifying SpamAssassin Operation" section now.

SpamAssassin and Qmail

The flow of mail when utilizing SpamAssassin and qmail on a system-wide basis is shown in Figure 3.5. For the purposes of this book, it is assumed that qmail (and required associated programs) have been previously installed by the administrator.

03fig05.gif

Figure 3.5 SpamAssassin and qmail.

In order to integrate SpamAssassin into qmail, a number of additional packages are required. These include

Qmail-Scanner allows anti-virus and anti-spam tools such as SpamAssassin to be invoked by qmail. More information on Qmail-Scanner is available at http://qmail-scanner.sourceforge.net/ . The qmail sources need to have the qmail-queue patch, which is available at http://www.qmail.org/qmailqueue-patch , installed. The qmail-queue patch allows filtering, header rewriting, and other functionality required for programs like SpamAssassin. If you are running Linux, a qmail-queue patched version of qmail-1.03 pre-built RPM prepackaged binary is available at http://untroubled.org/qmail+patches/ . The instructions here assume that you are building qmail from scratch and not using the RPM.

To enable qmail to invoke SpamAssassin, you must apply a simple patch to qmail-1.03. From the http://www.qmail.org/qmailqueue-patch site, copy the lines beginning with diff to the last line from the qmail-queue patch page to a file called patchfile in your qmail-1.03 directory. Apply the patch from the directory containing the root of qmail-1.03 like this:

bash$ patch -p0 < patchfile

Become root and reconfigure, recompile, and reinstall qmail:

bash$ sudo su
# ./config

Next, install maildrop. Please note that you need to have GNU make installed in order to build maildrop. GNU make is installed on most free operating systems such as Linux and BSD variants. To install maildrop, download the sources from http://www.couriermta.org/maildrop/ to /usr/local/src and unpack them:

bash$ bzip2 -d maildrop-1.6.3.tar.bz2
bash$ tar xf maildrop-1.6.3.tar
bash$ cd maildrop-1.6.3

Then, compile and install the package as follows:

bash$ ./configure
bash$ make
bash$ sudo su
# make install

Next, we must prepare to install Qmail-Scanner. The Qmail-Scanner package has a number of prerequisites, namely:

  • Perl module Time::HiRes
  • Perl module DB_File
  • Perl module Sys::Syslog

Be sure they are downloaded and installed prior to continuing the installation. After the environment is set, download qmail-scanner 1.20 from http://prdownloads.sourceforge.net/qmail-scanner/qmail-scanner-1.20.tgz?download to a location on your system, such as /usr/local/src. Unpack the archive:

bash$ gzip -d qmail-scanner-1.20.tgz
bash$ tar xf qmail-scanner-1.20.tar
bash$ cd qmail-scanner-1.20

After that is accomplished, compile and install Qmail-Scanner:

bash$ ./configure
bash$ sudo su
# ./configure --install

After Qmail-Scanner has been installed, you need to update the tcprules to have qmail run the qmail-scanner-queue.pl executable instead of the default qmail-queue binary. This is accomplished by copying the following lines into a file in your local directory called tcprules.tmp:

127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
10.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"

When loaded into the local tcprules.tmp file, update your tcprules by executing the following command as root:

# tcprules /etc/tcp.smtp.cdb ./tcprules.tmp < /etc/tcp.smtp

This command builds a new tcp.smtp.cdb file with the new configuration from your ./tcprules.tmp file. After the tcprules have been updated and qmail restarted, qmail will process incoming messages through SpamAssassin.

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020