ispCP - Board - Support
enable spamassassin? - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: System Setup & Installation (/forum-32.html)
+--- Thread: enable spamassassin? (/thread-5789.html)

Pages: 1 2 3 4 5 6 7

enable spamassassin? - pgentoo - 02-22-2009 04:19 AM

Whats the best way to integrate spamassassin to filter mails after they past postgrey and other postfix checks?

Anyone have a good howto for this?

Thanks,
pGentoo

RE: enable spamassassin? - rbtux - 02-22-2009 04:20 AM

give me 30 minutes ;-)

RE: enable spamassassin? - pgentoo - 02-22-2009 04:31 AM

thanks!

RE: enable spamassassin? - rbtux - 02-22-2009 04:48 AM

might take another 45min ;-)

RE: enable spamassassin? - pgentoo - 02-22-2009 04:54 AM

No problem, I'll check back later today.

Thanks!

RE: enable spamassassin? - rbtux - 02-22-2009 06:08 AM

This is how I would enable spamassassin, along with amavis and clamav. Unlike the amavis configuration with maia or the one that partially comes with ispcp, this method uses amavis as pre-queue filter. That makes it possible to reject spam mails instead of only tagging them...


Code:
apt-get install amavisd-new clamav spamassassin clamav-daemon lzop rpm pax unrar zoo arj p7zip-full lha arc cabextract ripole

add the following lines to /etc/postfix/master.cf after:
Code:
smtp      inet  n       -       -       -       -       smtpd
Code:
-o smtpd_proxy_filter=localhost:10024
    -o content_filter=
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o reveive_override_options=no_unknown_recipient_checks

remove the following from /etc/postfix/master.cf:
Code:
amavis    unix  -       -       n       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes

localhost:10025 inet  n -       n       -      -        smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_override_options=no_address_mappings
   -o mynetworks=127.0.0.0/8
   -o strict_rfc821_envelopes=yes

/etc/master.cf will look like:
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_proxy_filter=localhost:10024
    -o content_filter=
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o reveive_override_options=no_unknown_recipient_checks
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# For AOL-Accounts
587       inet  n       -       -       -       -       smtpd
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
    -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache      unix    -    -    -    -    1    scache
# ====================================================================
# ispCP ω (OMEGA) a Virtual Hosting Control System
#
# @copyright    2001-2006 by moleSoftware GmbH
# @copyright    2006-2008 by ispCP | http://isp-control.net
# @version        SVN: $Id$
# @link            http://isp-control.net
# @author        ispCP Team
# ====================================================================
# AMaViS => Antivir / Antispam

# ispCP autoresponder
ispcp-arpl unix  -      n       n       -       -       pipe
  flags=O user=vmail argv=/var/www/ispcp/engine/messager/ispcp-arpl-msgr

# TLS - Activate, if TLS is avaiable/used
smtps     inet  n       -       -       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix    -    n    n    -    2    pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

change /etc/amavis/conf.d/01-debian:
uncomment
Code:
#$lha    = 'lha'; #disabled (non-free, no security support)
#$unrar  = ['rar', 'unrar']; #disabled (non-free, no security support)
comment
Code:
$lha    = undef;
$unrar  = undef;

change /etc/amavis/conf.d/20-debian_defaults:
Code:
$sa_tag2_level_deflt = 5.8;
$sa_kill_level_deflt = 6.41;
$final_virus_destiny      = D_REJECT;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_REJECT;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_REJECT;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

change /etc/amavis/conf.d/15-content_filter_mode:
uncomment
Code:
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

change /etc/amavis/conf.d/50-user:
Code:
$max_servers = 5;

change in /etc/group:
amavis:x:112:
to
amavis:x:112:clamav

to uid may be different

/etc/init.d/clamav-daemon restart
/etc/init.d/amavis restart
/etc/init.d/postfix restart


EDIT: http://www.isp-control.net/forum/thread-5789-post-48255.html#pid48255

EDIT: Consider using a ramdisk for the amavis temporary directory... this will boost performance... and let you use a higher $max_servers count...

RE: enable spamassassin? - BeNe - 02-22-2009 06:40 AM

Thanks rbtux for your nice write up!
Problem is that the AMaVis Daemon which comes with Maia can´t handle DSN.
But i switched yesterday to the proxy version with Maia and disabled dsn.
We will see how it works. The new Version should be able to handle with it.

Greez BeNe

RE: enable spamassassin? - rbtux - 02-22-2009 06:42 AM

yeah... well... maia... you know ;-))

RE: enable spamassassin? - BeNe - 02-22-2009 06:48 AM

I know Wink
But the Customers love´s it and it is a very easy GUI for them.

Greez BeNe

RE: enable spamassassin? - rbtux - 02-22-2009 06:52 AM

well i don't want my customers to do any antispam config... As most of the people here they don't have a clue;-) a robust default setup is enough imho.