Changes

From SME Server
Jump to navigationJump to search
14,095 bytes added ,  17:15, 29 July 2007
Line 255: Line 255:  
         org
 
         org
    +
====Internal Mail Servers====
 +
SME can be configured as a spam and antivirus filter for one or more "Internal" mail servers on a domain-by-domain basis.
 +
=====Deliver ALL email to a single internal mail server=====
 +
You can deliver all email for all domains on your SME server to a single internal mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server.
 +
 +
=====Deliver email for one domain to an internal mail server=====
 +
You can also configure only a single domain to use an internal mail server, or you can configure different domains to use different internal mail servers.
 +
 +
First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain.
 +
 +
Then, (assuming your domain is called ''test.com'' and the actual mail server is at ''a.b.c.d''issue the following commands:
 +
db domains setprop test.com MailServer a.b.c.d
 +
signal-event email-update
 +
 +
=====Default Plugin Configuration=====
 +
When configured to deliver email to an internal mail server, SME will use the following [http://wiki.qpsmtpd.org/plugins| qpsmtpd plugins] to evaluate each incoming email:
 +
{| style="color:brown;background-color:#ffffcc;" border="1" cellpadding="5" cellspacing="0"
 +
!Plugin
 +
!Purpose
 +
!Default Status
 +
|-
 +
|logging/logterse
 +
|Allow greater logging detail using smaller log files
 +
|enabled
 +
|-
 +
|auth/auth_cvm_unix_local
 +
|Allow authenticated smtp relay
 +
|enabled
 +
|-
 +
|check_earlytalker
 +
|reject email from servers that talk out of turn
 +
|enabled
 +
|-
 +
|count_unrecognized_commands
 +
|reject email from servers that issue ''X'' invalid commands
 +
|enabled
 +
|-
 +
|bcc
 +
|bcc all email to a specific address for archiving
 +
|'''disabled'''
 +
|-
 +
|check_relay
 +
|Check to see if relaying is allowed (in case the recipient is not listed in one of SME's local domains)
 +
|enabled
 +
|-
 +
|check_norelay
 +
|Check to see if the sending server is specifically forbidden to relay through us.
 +
|enabled
 +
|-
 +
|require_resolvable_fromhost
 +
|Check that the domain listed in the sender's email address is resolvable
 +
|enabled
 +
|-
 +
|check_basicheaders
 +
|reject email that lacks either a From: or Date: header
 +
|enabled
 +
|-
 +
|rhsbl
 +
|Reject email if the sender's email domain has a reputation for disregarding smtp RFCs.
 +
|'''disabled'''
 +
|-
 +
|dnsbl
 +
|Reject email from hosts listed in your configured dnsbl servers
 +
|'''disabled'''
 +
|-
 +
|check_badmailfrom
 +
|Reject email where the sender address is listed in /var/service/qpsmtpd/config/badmailfrom
 +
|enabled
 +
|-
 +
|check_badrcptto_patterns
 +
|Reject email addressed to any address matching an expression listed in /var/service/qpsmtpd/config/badrcptto_patterns
 +
|enabled
 +
|-
 +
|check_badrcptto
 +
|Reject email addressed to any address listed in /var/service/qpsmtpd/config/badrcptto
 +
|enabled
 +
|-
 +
|check_spamhelo
 +
|Reject email from hosts that say 'helo ...' using a value in /var/service/qpsmtpd/config/badhelo
 +
|enabled
 +
|-
 +
|check_smtp_forward
 +
|Verify that the specified recipient is valid on the internal mail server.
 +
|enabled
 +
|-
 +
|check_goodrcptto
 +
|Accept email only if the recipient address matches an entry in /var/service/qpsmtpd/config/goodrcptto.  For domains that are configured to use an internal mail server, the entire domain name will be added to .../goodrcptto.
 +
|enabled
 +
|-
 +
|rcpt_ok
 +
|Return 'OK' if none of the other host checks has returned 'DENY' (??)
 +
|enabled
 +
|-
 +
|pattern_filter
 +
|Reject email according to content patterns (??)
 +
|'''disabled'''
 +
|-
 +
|tnef2mime
 +
|Convert MS TNEF (winmail.dat) and uuencoded attachments to MIME
 +
|enabled
 +
|-
 +
|disclaimer
 +
|Add a configurable disclaimer to email messages
 +
|'''disabled'''
 +
|-
 +
|spamassassin
 +
|Check email using spamassassin, and optionally reject it completely if the score exceeds a configurable value.
 +
|'''disabled'''
 +
|-
 +
|virus/clamav
 +
|Scan incoming email with ClamAV
 +
|enabled
 +
|-
 +
|queue/qmail-queue
 +
|Deliver the incoming message to qmail for delivery.
 +
|enabled
 +
|-
 +
|}
 +
 +
=====Setup Blacklists & Bayesian Autolearning=====
 +
 +
(Much of what follows has been shamelessly copied from the Sonoracomm howto which has been offline for a while)
 +
 +
The default SME settings (as you can see above) do not include DNSBL filtering, spam rejection, or (which is not obvious from the above) bayesian filtering in spamassassin to allow spamassassin to learn from received email and improve over time.
 +
 +
The following command will enable the default blacklists, enable the bayesian learning filter and set
 +
thresholds for the bayesian filter.
 +
 +
<nowiki>rpm -Uvh \
 +
http://mirror.contribs.org/smeserver/contribs/\
 +
michaelw/sme7/smeserver-spamassassin-features-0.0.2-0.noarch.rpm</nowiki>
 +
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
 +
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
 +
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
 +
chmod 750 /var/spool/spamd/.spamassassin/bayes_*
 +
config setprop spamassassin status enabled
 +
config setprop spamassassin RejectLevel 12
 +
config setprop spamassassin TagLevel 4
 +
config setprop spamassassin Sensitivity custom
 +
signal-event post-upgrade
 +
signal-event reboot
 +
 +
These commands will:
 +
* enable spamassassin
 +
* configure spamassassin to reject any email with a score above 12
 +
* tag spam scored between 4 and 12 in the email header
 +
* 'autolearn' as SPAM any email with a score above 12
 +
* 'autolearn' as HAM any email with a score below .10
 +
* enable RHSBL using the default SBLList.  Note that rhsbl checking has been known to place a heavy burden on SME servers.
 +
* enable DNSBL using the default RBLList
 +
 +
=====The entire Sonoracomm howto from Google's text cache=====
 +
 +
The Sonoracomm Howto has been a very well regarded set of instructions for quite a while now, but has recently been offline.
 +
 +
These instructions are aimed mostly at configuring SME as the only mail server, not for using SME with an internal mail server.
 +
 +
Specifically, LearnAsSpam.pl is harder to configure when using an internal mail server - you would have to develop a method for getting the unmarked SPAM into an IMAP folder directly on the SME server itself.  Not impossible, but difficult!
 +
 +
'''SONORA COMMUNICATIONS, INC.'''
 +
This is a quick configuration howto, not an in-depth look at SpamAssassin. Much more can be done
 +
beyond this document, but this will take a big dent out of your spam and free up CPU cycles on your server.
 +
 +
See 'More Information' at the end.
 +
 +
'''SpamAssassin'''
 +
 +
The following command will enable the default blacklists, enable the bayesian learning filter and set thresholds for the bayesian filter.
 +
<nowiki>rpm -Uvh \
 +
http://mirror.contribs.org/smeserver/contribs/\
 +
michaelw/sme7/smeserver-spamassassin-features-0.0.2-0.noarch.rpm</nowiki>
 +
 +
This command will install the FuzzyOCR SA plugin designed to catch those nasty image-based spam messages.
 +
yum -y --enablerepo=smeupdates-testing install FuzzyOcr
 +
 +
'''Server-Manager'''
 +
 +
Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.
 +
 +
    * Virus scanning Enabled
 +
    * Spam filtering Enabled
 +
    * Spam sensitivity Custom
 +
    * Custom spam tagging level 4
 +
    * Custom spam rejection level 12
 +
    * Sort spam into junkmail folder Enabled
 +
    * Modify subject of spam messages Enabled
 +
 +
I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two).
 +
 +
Click Save.
 +
 +
'''How It Works'''
 +
 +
When receiving an incoming message, the server first tests for RBL and DNSBL listings, if enabled.  If the sender is blacklisted, the messages are blocked outright and Spamassassin never sees it. 
 +
 +
With this configuration, the spammiest messages, those marked as 12 or above, will be rejected at the SMTP level. Those spam messages marked between 4 and 12, will be routed to the users' (IMAP) junkmail folder. This is done so the users can check for false-positives...valid messages that were classified as spam by SpamAssassin.
 +
 +
Users may check their junkmail folders for false-positives via webmail, or, if they are using an IMAP mail client, by simply checking the junkmail folder exposed by their mail client.
 +
 +
https://servername/webmail
 +
 +
'''Tweaking'''
 +
 +
The server will automatically delete old spam in the junkmail folders after 90 days. You can control the number of days old spam is kept with the following commands. Where 15 is the number of days you want to keep messages, do...
 +
 +
db configuration setprop spamassassin MessageRetentionTime 15
 +
signal-event email-update
 +
svc -t /service/qpsmtpd
 +
 +
then
 +
 +
config show spamassassin
 +
 +
If you think you are losing misclassified mail, adjust the ''Custom spam rejection level'' higher.
 +
 +
If too much spam is making through to your inbox, carefully adjust the 'Custom spam tagging level' down.  Many people use the level 4.  Anything below that may result in false-positives.  YMMV.
 +
 +
If too much spam is building up in your (IMAP) junkmail folder, adjust the 'Custom spam rejection level' down or change the number of days spam is kept in the junkmail folder before being automatically deleted by the server.
 +
 +
'''Bayesian (Learning) Filter'''
 +
 +
Install the LearnAsSpam.pl, (optional) mailstats and sa-update scripts, then configure nightly cron jobs like this:
 +
<nowiki>cd /usr/bin
 +
wget http://mirror.contribs.org/smeserver/\
 +
contribs//bread/mailstats/LearnAsSpam.pl
 +
wget http://mirror.contribs.org/smeserver/\
 +
contribs//bread/mailstats/spamfilter-stats-7.pl
 +
cd /etc/cron.d
 +
wget http://mirror.contribs.org/smeserver/\
 +
contribs//bread/mailstats/LearnAsSpam.cron
 +
wget http://mirror.contribs.org/smeserver/\
 +
contribs//bread/mailstats/mailstats.cron
 +
cd /etc/cron.daily
 +
wget http://mirror.contribs.org/smeserver/\
 +
contribs//bread/mailstats/sa-update
 +
chmod +x sa-update
 +
/etc/rc.d/init.d/crond restart</nowiki>
 +
 +
Using an IMAP mail client, create a new folder called 'LearnAsSpam' (case sensitive). It can be created at the top level (like 'Inbox') or as a sub-folder.  Create the folder for each user that will help train the Bayesian filter.  Webmail will work fine for creating this folder, as well as for checking the junkmail (filtered mail or quarantine) folder.
 +
 +
If any spam messages make it past the filter and into your inbox, just move them into the LearnAsSpam folder.  A nightly cron job will process them and delete them for you. This is how you train the Bayesian filter.
 +
 +
'''Testing'''
 +
 +
You can check the auto-learning statistics with this command.  You will be able to note the accumulation of the spam tokens (or not).  Note that the Bayesian filtering must receive 200 spam messages before it starts to function, so don't expect instantaneous results.
 +
sa-learn --dump magic
 +
 +
You can check the spam filter log with this command:
 +
tail -50 /var/log/spamd/current | tai64nlocal
 +
 +
If you ever see an error such as:
 +
''warn: bayes: cannot open bayes databases /etc/mail/spamassassin/bayes_* R/W: tie failed: Permission denied''
 +
Try adjusting some permissions with these commands:
 +
chown :spamd /var/spool/spamd/.spamassassin/*
 +
chmod g+rw /var/spool/spamd/.spamassassin/*
 +
 +
'''Whitelist and Blacklist'''
 +
 +
If mail comes in and it is misclassified as spam, you can add the sender to the whitelist so that future messages coming in from that sender are not filtered.
 +
 +
Conversely, you can add a spammer to the blacklist so you never see their spam again.
 +
 +
Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):
 +
db spamassassin setprop wbl.global *@vonage.com White
 +
db spamassassin setprop wbl.global *domain2.com White
 +
db spamassassin setprop wbl.global This e-mail address is being protected from spam bots, you need JavaScript enabled to view it White
 +
db spamassassin setprop wbl.global This e-mail address is being protected from spam bots, you need JavaScript enabled to view it Black
 +
expand-template /etc/mail/spamassassin/local.cf
 +
svc -t /service/spamd
 +
 +
You can view the lists with this command:
 +
db spamassassin show
 +
 +
'''Clam Antivirus'''
 +
 +
Update and check your Clam Antivirus with this command.  This is normally done automatically every hour via cron.
 +
freshclam -v
 +
 +
or
 +
freshclam --debug
 +
 +
Verify hourly update checking by viewing the freshclam/current log file via the Server-Manager View Log Files panel.
 +
 +
'''Realtime Blackhole Lists and DNS Blacklists'''
 +
 +
To view the settings for the RBL and DNSBL, use this command:
 +
config show qpsmtpd
 +
 +
If you followed the instructions above, both checks are enabled.
 +
 +
To see the log of these tests, use a command like:
 +
tail /var/log/qpsmtpd/current | tai64nlocal
 +
 +
To specify multiple RBLs, use a command like this:
 +
config setprop qpsmtpd RBLList \
 +
bl.spamcop.net,combined.njabl.org,dnsbl.ahbl.org,dnsbl-1.uceprotect.net,\
 +
list.dsbl.org,multihop.dsbl.org,psbl.surriel.com,sbl-xbl.spamhaus.org
 +
 +
Note: we have had trouble with the uceprotect.net level 2 list and sometimes remove it from the list as shown here.
 +
 +
To enable or disable both available lists, use something like:
 +
config setprop qpsmtpd DNSBL enabled RHSBL enabled
 +
 +
To confirm any configuration changes and enact them:
 +
signal-event email-update
 +
svc -t /service/qpsmtpd
 +
 +
'''More Information'''
 +
 +
Introduction to Antispam Practices - [http://www.howtoforge.com/introduction_antispam_practices| here]
 +
 +
Here is another great [http://mirror.contribs.org/smeserver//contribs/rmitchell/smeserver/howto/Spam%20blocking%20HOWTO%20using%20qpsmtpd%20&%20RBL%20for%20sme%20server.htm| howto].
 +
 +
Informative URLs:
 +
* http://forums.contribs.org/index.php?topic=35178.0
 +
* http://forums.contribs.org/index.php?topic=31278.0
 +
* http://forums.contribs.org/index.php?topic=31279.0
 +
* http://forums.contribs.org/index.php?topic=32158.0
 +
* http://mirror.contribs.org/smeserver/contribs/michaelw/sme7/
 +
* http://mirror.contribs.org/smeserver/contribs/bread/mailstats/
 +
* http://wiki.apache.org/spamassassin/BayesInSpamAssassin
 +
* Enter this command at a console:
 +
perldoc Mail::SpamAssassin::Conf
 +
Last Updated ( Thursday, 21 June 2007 )
    
<noinclude>[[Category:Howto]]</noinclude>
 
<noinclude>[[Category:Howto]]</noinclude>

Navigation menu