7.4 Building a Spam-Checking Gateway

‚  < ‚  Day Day Up ‚  > ‚  

Several content-filtering daemons that call SpamAssassin are available for qmail. This section provides a complete sample installation of qmail-scanner, a particularly flexible filter that supports both spam-checking and virus-checking. qmail-scanner is written in Perl and available at http://qmail-scanner. sourceforge .net/. The version used in this section's example is 1.21. Some of qmail-scanner 's features include:

  • The filter was specifically developed and tested for qmail.

  • Messages can be rejected based on MIME type or extensions of attached filenames.

  • Messages can be rejected based on invalid formatting.

  • Messages can be checked with multiple virus scanners , and messages carrying viruses can be refused , discarded, or quarantined.

  • SpamAssassin can be invoked on a message, and spam can be refused, discarded, quarantined, or tagged.

The rest of this chapter details the installation, configuration, and operation of qmail-scanner as an example of a full-scale approach to using SpamAssassin with qmail. qmail-scanner's other functions, such as virus-checking, are mentioned but not covered in detail; read the documentation to learn more about these features.

7.4.1 Installation

qmail-scanner is written in Perl and invokes SpamAssassin by running spamc , so you must run spamd to use qmail-scanner. You should set up spamd before you install qmail-scanner. Install SpamAssassin (and your antivirus software) first, then install qmail-scanner. qmail-scanner also requires some other Perl modules, including: Time::HiRes , DB_File , and Sys::Syslog . You can install these Perl modules using CPAN as described in Chapter 2. You must also install the Maildrop software package (http://www.courier-mta.org/download.php), and if you plan to perform virus-checking, TNEF (http://sourceforge.net/projects/tnef/).

qmail-scanner requires the 5.005_03 version of Perl or later. Perl must be compiled to allow setuid Perl scripts; often this means that a separate suidperl program is available on the system. If your system's Perl does not support setuid Perl scripts, you may be able to find a package for your system that does, you may build Perl from source code and enable support, or you may compile a setuid wrapper program in C (described later in this chapter).


Begin the install process by creating a new user account and group for running qmail-scanner; the usual name for both the user and group is qscand . The new user will own qmail-scanner's files, and the user (or group) must have access to SpamAssassin's configuration and database files as well. The user's home directory is traditionally /home/qscand , but you can create it anywhere that fits your system's needs.

qmail-scanner uses several important directories and files in /var/spool/qmailscan . For example, quarantined messages are stored in /var/spool/qmailscan/quarantine , and qmail-scanner logs its operations in /var/spool/qmailscan/qmail-queue.log . The directories /var/spool/qmailscan/tmp and /var/spool/qmailscan/working are temporary directories used for unpacking and processing messages. For optimal performance, these directories should be on a fast disk ‚ even a RAM disk if your operating system supports it and you have enough memory to spare. In contrast, the quarantine directory should never be located on a RAM disk because you will often want to be sure that you can access quarantined files.

Next, download the qmail-scanner source code, unpack it, and build it. You must be root to configure and build qmail-scanner. The qmail-scanner build process uses the familiar configure command to configure and build qmail-scanner's components , which you then install.

qmail-scanner Configuration Options

qmail-scanner has only a few configure options related to SpamAssassin. If you don't specify any options, qmail-scanner will use spamc -c for spam-checking and will add X-Spam-Status and X-Spam-Level headers to messages, but will not modify the Subject header of spam messages.

If you specify the --scanners 'fast_spamassassin= string ' command-line option to configure , qmail-scanner will also modify the Subject header of spam messages by prepending a string . A typical choice for string might be SPAM . If you plan to use other virus-scanners, you must specify thom in this command-line option as well or qmail-scanner will not use them. (If you've already installed qmail-scanner and want to start adding a Subject header tag, you can also edit the /var/qmail/bin/qmail-scanner-queue.pl file itself; search for the line that defines the $spamc_subject variable, and modify it to set your subject prefix.)

If you specify the --scanners verbose_spamassassin command-line option to configure , qmail-scanner will use spamc without the -c option. This alternative runs more slowly, because the entire spam-checked message is read back from spamc instead of just the spam scores. The advantage of this configuration, however, is that messages will be tagged exactly as defined in the SpamAssassin rules and report templates. For example, you'll get the SpamAssassin headers that report which spam tests matched, any custom headers you've defined, and full MIME-rewriting of messages. If you plan to use other virus scanners, you must specify them in this command-line option as well or qmail-scanner will not use them.


To configure qmail-scanner, use the commands shown in Example 7-1. The example also reproduces the output you should expect.

Example 7-1. Building qmail-scanner
 $  tar xfz qmail-scanner-1.21.tar.gz  $  cd qmail-scanner-1.21  $  su  Password:    XXXXXXXX    #  ./configure --install  Building Qmail-Scanner 1.21... This script will search your system for the virus scanners it knows about, and will ensure that all external programs qmail-scanner-queue.pl uses are explicitly pathed for performance reasons. It will then generate qmail-scanner-queue.pl - it is up to you to install it correctly. Continue? ([Y]/N)  Y  /usr/bin/uudecode works as expected on system... The following binaries and scanners were found on your system: mimeunpacker=/usr/local/bin/reformime uudecode=/usr/bin/uudecode unzip=/usr/bin/unzip Content/Virus Scanners installed on your System fprot=/usr/local/bin/f-prot fast_spamassassin=/usr/local/bin/spamc Qmail-Scanner details. log-details=0 fix-mime=2 ignore-eol-check=0 debug=1 notify=psender,nmlvadm redundant-scanning=no virus-admin=postmaster@example.com local-domains='example.com' silent- viruses='klez','bugbear','hybris','yaha','braid','nimda','tanatos','sobig','winevar','pal yh','fizzer','gibe','cailont','lovelorn','swen','dumaru','sober','hawawi','holar- i','mimail','poffer','bagle','worm.galil','mydoom','worm.sco','tanx','novarg','@mm' scanners="fprot_scanner","fast_spamassassin" If that looks correct, I will now generate qmail-scanner-queue.pl for your system... Continue? ([Y]/N)  Y  Finished. Please read README(.html) and then go over the script to check paths/etc, and then install as you see fit. Remember to copy quarantine-attachments.txt to /var/spool/qmailscan and then run "qmail-scanner-queue.pl -g" to generate DB version.               ****** FINAL TEST ****** Please log into an unpriviledged account and run /var/qmail/bin/qmail-scanner-queue.pl -g If you see the error "Can't do setuid", or "Permission denied", then refer to the FAQ. (e.g.  "setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g") That's it! To report success:    % (echo 'First M. Last'; cat SYSDEF)mail jhaar-s4vstats@crom.trimble.co.nz Replace First M. Last with your name. 

No setuid Perl

When qmail-scanner's configure script can't find a suitable version of Perl for running setuid scripts, it prints out an error like this:

 Testing suid nature of /usr/bin/suidperl... Whoa - broken perl install found. Cannot even run a simple script setuid Installation of Qmail-Scanner FAILED 

If you can't (or don't want to) install a Perl that runs setuid scripts, you can use a setuid wrapper in C instead. Follow these steps as root :

  1. Install qmail-scanner with ./configure --skip-setuid-test --install . This will produce an error at the end of the installation.

  2. Compile and install the C wrapper with (cd contrib ; make install) . If you're not using the default qscand user and group and /var/qmail/bin directory for installation, you'll have to edit contrib/Makefile first.

  3. Remove the setuid bit from /var/qmail/bin/qmail-scanner-queue.pl with chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl .

  4. Edit /var/qmail/bin/qmail-scanner-queue.pl and change the first line from #!/usr/bin/suidperl -T to #!/usr/bin/perl -T .

  5. Use qmail-scanner-queue (the compiled C wrapper) in place of qmail-scanner-queue.pl in the rest of the qmail-scanner setup process.


As with qmail-spamc , ensure that qmail-smtpd has enough memory available to allow it to run qmail-scanner-queue.pl , any virus checkers you have configured, and spamc . Edit /var/qmail/supervise/qmail-smtpd/run and modify the -m and/or -a arguments of softlimit to increate the number of bytes available to qmail-smtpd and its child processes to an amount sufficient to allow all of the processes to execute completely on a large message.

To enable qmail-scanner, edit /etc/tcp.smtp . Add or modify lines such as those shown in bold:

 127.:allow,RELAYCLIENT=""  192.168.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl  "  10.:allow,RELAYCLIENT="",QS_SPAMASSASSIN="on",QMAILQUEUE="/var/qmail/bin/qmail- scanner-queue.pl  "  :allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl  " 

When you invoke qmail-scanner with qmail's RELAYCLIENT variable set, as in the line for connections from the 192.168/16 network, only virus-checking is performed, unless you also include QS_SPAMASSASSIN="on ", as in the line for connections from the 10/8 network. When you invoke it without setting RELAYCLIENT , as in the line for default connections, both virus-checking and spam-checking are performed.

Be sure to run /var/qmail/bin/ qmailctl cdb after updating /etc/tcp.smtp .

7.4.2 Initialization

The first time you install qmail-scanner, you must direct it to initialize its databases. As the qscand user, run these commands:

 $  /var/qmail/bin/qmail-scanner-queue.pl -z  $  /var/qmail/bin/qmail-scanner-queue.pl -g  perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt perlscanner: total of 9 entries. 

7.4.3 Basic Operations

qmail-scanner comes with a shell script called test_installation.sh that can be used to exercise an installation. Example 7-2 shows how to run the script, along with its output.

Example 7-2. Testing qmail-scanner
 #  cd contrib  #  QMAILQUEUE="/var/qmai/bin/qmail-scanner-queue.pl" ./test_installation.sh -doit  Sending standard test message - no viruses... done! Sending eicar test virus - should be caught by perlscanner module... done! Sending eicar test virus with altered filename - should only be caught by commercial  anti-virus modules (if you have any)... Sending bad spam message for anti-spam testing - In case you are using SpamAssassin... Done! Finished test. Now go and check Email for root 

If qmail-scanner's spam-checking is operating properly, root (or the user that receives root 's email) should receive a non-spam message like this:

 From MAILER-DAEMON Tue Mar 23 05:03:28 2004 From: Qmail-Scanner Test <example.com@example.com>  Received: from  by example.com by uid 0 with qmail-scanner-1.21   (f-prot: 3.11/. spamassassin: 2.63.  Clear:RC:1(127.0.0.1):SA:0(0.0/5.0):  .  Processed in 5.577981 secs); 23 Mar 2004 05:03:28 -0000  To: Root Account <root@example.com> Subject: Qmail-Scanner test (1/4): inoffensive message Date: 23 Mar 2004 05:03:22 -0000 Delivered-To: root@example.com  X-Spam-Status: No, hits=0.0 required=5.0  Message 1/4 This is a test message. It should arrive unaffected. 

The same user should also receive a spam message like this:

 From MAILER-DAEMON Tue Mar 23 05:03:41 2004  Received: from  by example.com by uid 0 with qmail-scanner-1.21   (f-prot: 3.11/. spamassassin: 2.63.  Clear:RC:1(127.0.0.1):SA:1(16.7/5.0):  .  Processed in 5.129358 secs); 23 Mar 2004 05:03:40 -0000   X-Spam-Status: Yes, hits=16.7 required=5.0   X-Spam-Level: ++++++++++++++++  Delivery-Date: Mon, 19 Feb 2001 13:57:29 +0000 Delivered-To: jm@netnoteinc.com Received: from webnote.net (mail.webnote.net [193.120.211.219])         by mail.netnoteinc.com (Postfix) with ESMTP id 09C18114095         for <jm7@netnoteinc.com>; Mon, 19 Feb 2001 13:57:29 +0000 (GMT) Received: from netsvr.Internet (USR-157-050.dr.cgocable.ca [24.226.157.50] (may +be forged))         by webnote.net (8.9.3/8.9.3) with ESMTP id IAA29903         for <jm7@netnoteinc.com>; Sun, 18 Feb 2001 08:28:16 GMT From: sb55sb55@yahoo.com Received: from R00UqS18S (max1-45.losangeles.corecomm.net [216.214.106.173]) by +netsvr.Internet with SMTP (Microsoft Exchange Internet Mail Service Version +5.5.2653.13)         id 1429NTL5; Sun, 18 Feb 2001 03:26:12 -0500 DATE: 18 Feb 01 12:29:13 AM Message-ID: <9PS291LhupY> Subject: Qmail-Scanner anti-spam test (4/4): checking SpamAssassin [if present] +(There yours for FREE!) To: undisclosed-recipients: ; Congratulations! You have been selected to receive 2 FREE 2 Day VIP Passes to  Universal Studios! Click here http://209.61.190.180 As an added bonus you will also be registered to receive vacations discounted 25%- 75%! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ This mailing is done by an independent marketing co. We apologize if this message has reached you in error. Save the Planet, Save the Trees! Advertise via E mail. No wasted paper! Delete with one simple keystroke! Less refuse in our Dumps! This is the new way of the new millennium To be removed please reply back with the word "remove" in the subject line. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 

Note the bold lines in the messages. These are headers demonstrating that the messages were processed by qmail-scanner, and in the case of the spam message, that qmail-scanner can recognize spam.

qmail-scanner uses /var/spool/qmailscan as a working directory and quarantine area for viruses. By default, qmail-scanner's operations are logged to the /var/spool/qmailscan/qmail-queue.log file, which should be added to your log rotation schedule. Errors are also reported to qmail's log files.

When an SMTP session is dropped partway, temporary files may remain in /var/spool/qmailscan . These messages can be cleared out by running /var/qmail/bin/qmail-scanner-queue.pl -z . Set up a cron job to execute this command once a day to delete older files in this directory.

7.4.4 Per-User Spam Preferences

qmail-scanner invokes spamc with the -u recipient argument when a message has a single recipient. Accordingly, in this case, per-user spam-checking preferences (either from users' .spamassassin/user_prefs files or from an SQL or LDAP database if spamd is so configured) will be applied when qmail-scanner checks messages. When a message has multiple recipients, qmail-scanner uses the default preferences.

Although there is no way to configure qmail to force senders to send messages with one recipient at a time, qmail itself always breaks up a multirecipient message when it is sending and sends copies of the message to single recipients. Ron Culler pointed out in a December 2003 message to the qmail-scanner-general mailing list that one way to ensure that every message has only a single recipient is to run a pair of qmail gateways. The first gateway receives messages from the Internet and can perform some general scanning (e.g., refusing viruses) before forwarding messages on to the second gateway for spam-checking. Because the first qmail server will always split up multirecipient messages before sending them, the second qmail server will always receive messages with a single recipient and can apply per-user spam preferences.

If you built qmail-scanner using the default fast_spamassassin configuration (described in the qmail-scanner Configuration Options sidebar), spamc is invoked with the -c option. This limits which per-user spam preferences are applied: spam thresholds and score modifications will work, but preferences that affect the way messages or headers are rewritten will not (because spamc -c returns only a spam score, not a rewritten message). Use the verbose_spamassassin configuration if you need to enable these preferences.


7.4.5 Sitewide Bayesian Filtering

You can easily add sitewide Bayesian filtering to qmail-scanner. Use the usual SpamAssassin use_bayes and bayes_path directives in local.cf , and ensure that the spamd user has permission to create the databases in the directory named in bayes_path .

7.4.6 Sitewide Autowhitelisting

Adding autowhitelisting is just as easy. Add the usual SpamAssassin auto_whitelist_path directive to local.cf , and if you're using SpamAssassin 2.63, invoke spamd with the --auto-whitelist option (which is unnecessary in SpamAssassin 3.0). As with the Bayesian databases, the spamd user must have permission to create the autowhitelist database and read and write to it.

7.4.7 Routing Email Through the Gateway

Once you have qmail and qmail-scanner receiving messages for the local host and performing SpamAssassin checks on them, you can start accepting email for your domain and routing it to an internal mail server after spam-checking. Figure 7-3 illustrates this topology.

Figure 7-3. Spam-checking gateway topology

The following sections describe the changes you need to make to implement the topology shown in Figure 7-3.

7.4.7.1 qmail changes

To configure qmail to relay incoming mail for example.com to internal.example.com , add the following line to /var/qmail/control/rcpthosts :

 example.com 

Then, create the /var/qmail/control/ smtproutes file, and add either:

 example.com:internal.example.com 

or, if mail.example.com can look up an (internal) MX record for example.com that points to internal.example.com (and possibly other internal mail servers), you could use

 example.com: 

7.4.7.2 Routing changes

Mail from the Internet for example.com should be sent to the spam-checking gateway mail.example.com . Add a DNS MX record for the example.com domain that points to mail.example.com .

Once received by mail.example.com , messages will be spam-checked and should then be relayed to internal.example.com by qmail. No DNS records for internal.example.com need be published to the Internet, but it's necessary that mail.example.com can resolve internal.example.com .

7.4.7.3 Internal server configuration

Once the external mail gateway is in place, you can configure the internal mail server to accept SMTP connections only from the gateway (for incoming Internet mail). If you don't have a separate server for outgoing mail, the internal mail server should also accept SMTP connections from hosts on the internal network. These restrictions are usually enforced by limiting access to TCP port 25 using a host-based firewall or a packet-filtering router.

‚  < ‚  Day Day Up ‚  > ‚  


SpamAssassin
SpamAssassin
ISBN: 0596007078
EAN: 2147483647
Year: 2004
Pages: 88

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net