Full Installation Guide - AntiSPAM

From Qmail-LDAP Wiki

Introduction

In this section we show how to use SpamAssassin in conjunction with Simscan; other antispam software such as DSPAM should also be usable in its place.

SpamAssassin

SpamAssassin is software that runs a mail through multiple tests and decides whether it is to be considered SPAM. You can configure it globally or per user; in the latter case you can set up personalized rules for each user.


LDAP

Global rules are usually defined in the file /etc/mail/spamassassin/local.cf, and on systems with local Unix users each user can have a file called ~/.spamassassin/user_prefs holding personal preferences. In qmail-ldap you can achieve the same with Simscan and SpamAssassin's ability to read preferences stored in LDAP. In LDAP-stored preferences you can define things like required_score and black and white lists. This helps a lot to give different users different antispam behaviour.

Note that this will NOT look for test rules.

LDAP Configuration for SpamAssassin

In order to force SpamAssassin to read per-user preferences from an LDAP server, you need to add a spamassassin attribute to the schema so that every user can carry this value.

You can do this as follows:

Add the 'spamassassin' attribute to /usr/local/etc/openldap/schema/inetorgperson.schema:

# spamassassin
# see http://SpamAssassin.org/ .
attributetype ( 2.16.840.1.113730.3.1.220
        DESC 'SpamAssassin user preferences settings'
        EQUALITY caseExactMatch
        NAME 'spamassassin'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

† You must use tabs, not spaces.


Integrate the attribute into the objectClass. At the end of /usr/local/etc/openldap/schema/inetorgperson.schema change:

userSMIMECertificate $ userPKCS12 )

to this:

userSMIMECertificate $ userPKCS12 $ spamassassin )

This will actually add the attribute.


SpamAssassin and LDAP integration

Now we must make SpamAssassin connect to the LDAP database. Modify /etc/mail/spamassassin/local.cf and add the following parameters:

user_scores_dsn ldap://127.0.0.1:389/ou=users,dc=domain,dc=com?spamassassin?sub?uid=__USERNAME__
user_scores_ldap_username cn=Manager,dc=isp,dc=com
user_scores_ldap_password     your_secret

† Use your valid server and proper credentials.

That is:

  • user_scores_dsn: the address of the LDAP server, the users container (search base), the attribute where preferences are stored, the search scope (base, one or sub) and the filter. At runtime __USERNAME__ is replaced with the uid of the user.
  • user_scores_ldap_username: the login (bind DN) used to connect to the database.
  • user_scores_ldap_password: the password used to connect to the database.

Because we named spamassassin in user_scores_dsn, the per-user preferences are looked up in that attribute. It is a multi-valued attribute and each value uses the same format as local.cf. However, only a subset of the directives valid in local.cf is accepted. Some supported values are:

  • whitelist_from
  • blacklist_from
  • required_score

Note that this will NOT look for test rules, only local scores, whitelist_from(s), and required_score.

Example

If, for example, you have a mailbox called demo@mpsnet.net.mx and want to enable LDAP SpamAssassin preferences, you just have to add the following values to the spamassassin attribute of the user:

spamassassin: required_score 3
spamassassin: blacklist_from spammer@yahoo.com

This makes the default required_score for this user 3 (a little paranoid) and causes all mail from spammer@yahoo.com to be tagged as SPAM.

IMPORTANT: For this configuration to work, the uid attribute of the user must be the same as the mailbox address. For example, for demo@domain.com the uid attribute in the LDAP database must be demo@domain.com. You must also have maildrop enabled (there are other techniques) so that each mail is passed to SpamAssassin for scanning.
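As an added example (not code from qmail-ldap, Simscan or SpamAssassin) covering both the user_scores_dsn parameters above and the per-user example with its uid requirement, the following Python splits the page's DSN into its parts, substitutes __USERNAME__ with the uid escaped so it cannot alter the search filter, and builds an ldapmodify LDIF that adds only the supported directives. The entry DN layout uid=<mailbox>,<base> is an assumption.

```python
"""Helpers for the SpamAssassin-over-LDAP setup described on this page.
Constructed example; not part of qmail-ldap, Simscan or SpamAssassin."""
import re
from urllib.parse import unquote, urlsplit

# Directives honoured from LDAP-stored preferences (per the page: local scores,
# whitelist_from/blacklist_from and required_score; test rules are never read).
ALLOWED_DIRECTIVES = {"required_score", "score", "whitelist_from", "blacklist_from"}

# DSN copied from the local.cf fragment above.
DSN = "ldap://127.0.0.1:389/ou=users,dc=domain,dc=com?spamassassin?sub?uid=__USERNAME__"

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a crafted uid cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def expand_dsn(dsn, uid):
    """Split a user_scores_dsn URL into its parts and substitute __USERNAME__."""
    u = urlsplit(dsn)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("user_scores_dsn must be an ldap:// or ldaps:// URL")
    attr, scope, filt = (u.query.split("?") + ["", "", ""])[:3]
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub")
    return {
        "host": u.hostname,
        "port": u.port or 389,
        "base": unquote(u.path.lstrip("/")),
        "attr": attr,
        "scope": scope,
        "filter": filt.replace("__USERNAME__", escape_filter_value(uid)),
    }

def user_prefs_ldif(uid, prefs, base="ou=users,dc=domain,dc=com"):
    """Build an ldapmodify LDIF adding spamassassin values to a user entry.
    Assumes entries live at uid=<mailbox>,<base>; uid must equal the mailbox."""
    if "@" not in uid:
        raise ValueError("uid must be the full mailbox address, e.g. demo@domain.com")
    lines = ["dn: uid=%s,%s" % (uid, base), "changetype: modify", "add: spamassassin"]
    for pref in prefs:
        directive = pref.split(None, 1)[0] if pref.strip() else ""
        if directive not in ALLOWED_DIRECTIVES:
            raise ValueError("not supported in LDAP preferences: %r" % pref)
        lines.append("spamassassin: " + pref.strip())
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(user_prefs_ldif("demo@domain.com", ["required_score 3", "blacklist_from spammer@yahoo.com"]))
```

Feed the printed LDIF to ldapmodify with the same bind credentials you put in local.cf.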


Other AntiSPAM techniques

RBL

qmail-ldap includes a patch that makes qmail-smtpd check whether each connecting IP is listed as a SPAM source. If the incoming IP is on a black list, the mail can be blocked or marked (with an X-RBL header). To configure this, enable the RBL (Relay Blocking List) through the proper control file, /var/qmail/control/rbllist. Example: in /var/qmail/control/rbllist put the following:

sbl.spamhaus.org        reject       127.0.0.2       Spamhaus - http://www.spamhaus.org/SBL/
relays.ordb.org         reject       127.0.0.2       ORDB - http://www.ordb.org/faq/
list.dsbl.org           reject       127.0.0.2       DSBL - http://dsbl.org/main/
bl.spamcop.net          reject       127.0.0.2       Spamcop - http://spamcop.net/
relays.ordb.org         reject       any             ORDB - http://ordb.org/
spamguard.leadmon.net   reject       127.0.0.2       Dialup - Address is a dialup address

Each line consists of four fields separated by one or more spaces. If you use the reject directive, the mails are rejected.

To activate this feature, set the RBL variable in /service/smtpd/tcp:

127.:allow,RELAYCLIENT=""
:allow,RBL=""

The RBL variable is defined for all connections (the empty address before ":allow" means any address) except 127.*.

And then regenerate the tcp database:

cd /service/smtpd
make
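An added example (not qmail-ldap code) of how the rbllist lines above are used: parse the four-field format, build the reversed-octet lookup name for a connecting IP, and compare the DNS answer with the expected value, where "any" accepts every answer. The DNS answers are a constructed in-memory table so the script runs offline.

```python
"""Simulate qmail-ldap's rbllist lookups. Constructed example, not qmail-ldap code."""
import ipaddress

# Constructed rbllist in the page's format: zone, action, expected answer, message.
RBLLIST = """\
sbl.spamhaus.org        reject       127.0.0.2       Spamhaus - http://www.spamhaus.org/SBL/
relays.ordb.org         reject       any             ORDB - http://ordb.org/
"""

# Constructed DNS answers standing in for the real zones, so the script runs offline.
FAKE_DNS = {
    "1.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],   # listed with the expected answer
    "2.2.0.192.relays.ordb.org": ["127.0.0.9"],    # any answer satisfies "any"
    "3.2.0.192.sbl.spamhaus.org": ["127.0.0.9"],   # listed, but not the expected answer
}

def parse_rbllist(text):
    """Each non-empty line holds four fields separated by one or more spaces;
    the fourth (the message) may itself contain spaces."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        zone, action, expect, msg = line.split(None, 3)
        entries.append({"zone": zone, "action": action, "expect": expect, "msg": msg})
    return entries

def rbl_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.1 -> 1.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_rbl(ip, entries, resolve=FAKE_DNS.get):
    """Return the first entry whose zone lists `ip` with the expected answer (or 'any')."""
    for e in entries:
        answers = resolve(rbl_name(ip, e["zone"]))   # None / [] means not listed
        if answers and (e["expect"] == "any" or e["expect"] in answers):
            return e
    return None

def smtp_outcome(entry):
    """'reject' refuses the mail; any other action is assumed here to only mark it."""
    if entry is None:
        return "accept"
    if entry["action"] == "reject":
        return "reject: " + entry["msg"]
    return "mark: X-RBL: " + entry["msg"]
```

Because "any" accepts whatever a zone returns, a list that starts answering for every query would make qmail-smtpd reject all incoming mail, so check that each zone in rbllist is still operated and returns the answer you expect.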


Check for valid recipients(RCPTCHECK)

If a spammer sends mail to a nonexistent user, the mail is normally accepted by qmail-smtpd, but later qmail-local discovers that the address does not exist and generates an error mail to the sender. If the sender does not exist (common with spammers), a further error mail is generated to postmaster. All this traffic can be avoided if we verify that the account exists before accepting the message. This is done through RCPTCHECK.

When RCPTCHECK is enabled, each arriving message is checked: if the recipient address belongs to a domain listed in control/locals, qmail-smtpd verifies that the account exists on the LDAP server. If the account does not exist, the mail is rejected by qmail-smtpd with a 550 error. To enable this function, define the RCPTCHECK variable with an empty value for whatever address ranges you want. In /service/smtpd/tcp add:

127.:allow,RELAYCLIENT=""
192.168.101.:allow,RELAYCLIENT=""
:allow,SMTPAUTH="AUTHREQUIRED",RBL="",RCPTCHECK=""


Regenerate tcp.cdb and you are done.
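An added example (not ucspi-tcp or qmail-ldap code) that resolves which rule in the tcp file above applies to a connecting IP, using tcprules' exact-address, then shorter-prefix, then default matching (simplified: =host and a-b range patterns are not handled), and then applies the RCPTCHECK decision for a RCPT TO address. The locals list, the set of LDAP uids and the 550 reply text are constructed.

```python
"""Which tcp-rule environment a connecting IP gets, and the RCPTCHECK decision.
Constructed example; not ucspi-tcp or qmail-ldap code."""

# Constructed copy of the /service/smtpd/tcp rules shown on this page.
TCP_RULES = '''\
127.:allow,RELAYCLIENT=""
192.168.101.:allow,RELAYCLIENT=""
:allow,SMTPAUTH="AUTHREQUIRED",RBL="",RCPTCHECK=""
'''

# Constructed stand-ins for control/locals and the uids present in LDAP
# (remember: the uid must equal the full mailbox address).
LOCALS = {"domain.com"}
LDAP_UIDS = {"demo@domain.com", "postmaster@domain.com"}

def parse_tcp_rules(text):
    """Map each address pattern to (allow|deny, env). Simplified: values may
    not contain commas, and =host or a-b range patterns are not handled."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        addr, _, instr = line.partition(":")
        action, *assigns = instr.split(",")
        env = {}
        for a in assigns:
            name, _, value = a.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (action, env)
    return rules

def match_rule(ip, rules):
    """tcprules tries the exact IP, then 'a.b.c.', 'a.b.', 'a.', then the default ''."""
    o = ip.split(".")
    for cand in [ip] + [".".join(o[:n]) + "." for n in (3, 2, 1)] + [""]:
        if cand in rules:
            return rules[cand]
    return ("allow", {})   # nothing matched: tcpserver allows, with no extra environment

def rcpt_decision(rcpt, env, locals_=LOCALS, ldap_uids=LDAP_UIDS):
    """RCPTCHECK: only recipients in a control/locals domain are looked up; a
    missing uid is refused with a 550 (reply text constructed)."""
    domain = rcpt.rpartition("@")[2].lower()
    if "RCPTCHECK" in env and domain in locals_ and rcpt.lower() not in ldap_uids:
        return "550 no such mailbox (constructed reply text)"
    return "250 ok"
```

Relay clients matched by the 127. and 192.168.101. rules never get RCPTCHECK in their environment, so only connections that fall through to the default rule are verified against LDAP.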
