
Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC

By Scott Vintinner (scottv@rbh.com)
Last Edited 5/2/2003 4:50 PM EDT (Changelog at bottom)
Latest version of this document always available at http://lawmonkey.org/anti-spam.html
Read and post comments here or here.

This document describes how to set up a spam-blocking email gateway based on open source and freely available software. This procedure is designed for a small to medium sized company with a single domain (multiple domains are possible...just not described here). I will describe how to set up a new computer that is meant to run on your network's DMZ in between the Internet and a corporate email server like Lotus Notes or Microsoft Exchange.

This entire procedure has been developed with security as a primary focus. The operating system is OpenBSD (www.openbsd.org), which is a "Secure by Default" system with an amazing track record for security. The email MTA is Postfix (www.postfix.org), which also has a good record for security and is the easier of the 2 main competitors to the troubled sendmail program. Amavisd-new (www.ijs.si/software/amavisd) is the main filter which processes email from postfix and ensures that we don't lose any mail. Amavisd-new is a huge improvement over the original amavis, which was a simple virus scanner, and I think it is the best way of implementing SpamAssassin (www.spamassassin.org). SpamAssassin is the main anti-spam component, which works by comparing messages to a ruleset and by using a statistical analysis that is custom built based on your email. In addition to the SpamAssassin spam detection software, we will be using 2 online SPAM databases: DCC (www.rhyolite.com/anti-spam/dcc) and Vipul's Razor (razor.sourceforge.net). These databases work by comparing hashes of our email messages with hashes of known spam. As a final security precaution, we will run all network processes in a restricted-user/chroot environment, so if an attacker were able to compromise one of the modules, the amount of damage they could do would be seriously limited.

There are many different ways to customize the handling of SPAM with this solution. At my company we debated the merits of a number of different methods. We considered using the ability of amavisd to add extensions on spam emails (so a spam email to john@domain.com becomes john+spam@domain.com). Under this plan, we would set up a public folder on Exchange for each user and assign it that +spam email address. This way the spam would not take up space in their mailbox, and similar to Hotmail, the user could occasionally check the folder for false-positives. We could then write a VB program to clean out those public folders every 90 days. We also considered showing users how to create rules in Outlook to detect the X-SPAM header and automatically move the email to a subfolder that they would again check less frequently, or directly to their Deleted Items. In the end, we decided that a spam bouncing system made the most sense. Every other method was only a minor improvement over receiving the spam directly in the first place. By bouncing the spam back to the sender, we put the ball back in the sender's court by letting the sender know their message was rejected.

Since false positives were such a big concern, we implemented this process in 2 stages: a learning stage followed by a blocking stage. For the first 45 days we ran the system in learning mode only. In other words, the system didn't actually block any spam, it just tagged the spam. This 45 day period gave SpamAssassin time to become more accurate by building up its Bayes database and auto-whitelist. After this 45 day period, when we were sure that our false positive rate had been reduced as low as it could go, we switched amavisd over to Bounce mode. In this mode, the system rejects any message it diagnoses as spam. The sender of the message receives a nice email from the system telling them why their message was rejected (including the SpamAssassin score distribution) and how they can get on our whitelist. Since spammers rarely use real addresses, few if any of these bounce messages will be delivered to spammers, so we also include a script to delete these undeliverable messages so they don't clog up the queue.

In the end, you'll have an anti-spam solution that requires no effort by your end users. There are no spam-folders for them to check; the spam just stops. In the rare event of a false positive, the sender receives a nice message telling them how to get their message delivered. This document describes how to set up the system we used.


Notes and Conventions

This document is not really meant for the unix newbie. If you have never worked with linux or unix before, you may experience some difficulty with these directions. Specifically, I expect that you will know how to use vi to edit files (here's a vi cheat sheet). (Actually I've been informed that you can set the EDITOR environment variable to get OpenBSD to use whatever editor you want for vipw and crontab -e, so I guess you can use whatever editor you want.)

Also, you'll want to grab a copy of PuTTY and WinSCP2. I'm not a big fan of installing X with KDE or GNOME on servers, especially when the server is open to the Internet. These 2 utilities will help you configure your server remotely without the need for a GUI running on the server itself. PuTTY is an awesome SSH client that you can use to talk to your OpenBSD server over a secure link. It has 2 great features: anything you select with your mouse is copied to the Windows clipboard, and right-clicking the mouse anywhere in the window will paste the contents of the clipboard. It works great in insert mode in vi to paste hundreds of lines. My servers are rack-mounts, so usually as soon as I get the network running on the OS, I head back to my PC and pull up PuTTY. WinSCP2 is a GUI file browser for SSH. It will let you easily copy files back and forth between your Windows PC and the OpenBSD server.

Text listed in blue are commands that you type into the console. Text listed in red are edits in text files. Text listed in gray tables are full files. The # sign followed by a blue command indicates a shell prompt (so don't type it). The # sign in configuration files or text edits is used as a comment block, and may be included in the actual files without harming anything.

I really dislike configuration files that include page after page of commented instructions. I know it is really the Open Source configuration "thing" to have fifty lines of comments to explain a single configuration option (as anyone that has ever run apache will tell you). While that may be an easy way for the authors to explain their config files, it is definitely not a good way for administrators to work. By taking the comments out of the amavisd.conf file, it went from a twenty page monster down to a more manageable page and a half. If you want my advice, print out the original conf file as a reference, then remove all the comments except the absolute essentials.

One last note: obviously these directions require some customization to fit into your network. Specifically you'll want to replace the sample server names and IP addresses with your own. Here's a little diagram of what we'll be setting up:

[Figure: sample network diagram]

For our examples, our internal network numbering uses the 10.0.0.0/8 private domain range. The 10.1.0.0/16 network is our main network. The 10.2.0.0/16 network is our DMZ network. Our pretend public internet class C is 65.0.0.0/24. Additionally, the server we will be setting up will be called mta1 in these directions. You can call your server whatever you want, just replace it with your name wherever you see it. For simplicity, we'll pretend that our company's domain name is domain.com.

Provide Firewall Access

Hopefully you have a firewall at your company. Here's a list of what traffic you will need to allow through your firewall to make all of this work.

Source      Destination                  Type  Port  Description
----------  ---------------------------  ----  ----  -----------
10.2.1.50   10.1.1.50 and any External   TCP   25    Outgoing SMTP
10.1.1.50   10.2.1.50                    TCP   25    SMTP from Exchange to our MTA
10.2.1.50   any External                 UDP   6277  Outgoing from our MTA to the DCC servers
10.2.1.50   any External                 TCP   2703  Outgoing from our MTA to the Razor servers
10.2.1.50   any External                 TCP   7     Outgoing ping from our MTA to the Razor servers
10.2.1.50   any External                 TCP   22    Outgoing SSH (used to update our source code from the OpenBSD servers using CVS)
10.2.1.50   any External                 TCP   21    Outgoing FTP (so we can download files that we need)
10.2.1.50   any External                 TCP   80    Outgoing HTTP (also so we can download files)


Additionally mta1 needs to have access to a DNS server. In my configuration the DNS is on the DMZ so no extra firewall rules were required.


Installing OpenBSD

The OpenBSD FAQ Chapter 4 provides an excellent step by step explanation of how to install the latest version of OpenBSD, so I won't repeat it all here. I'll just give some minor tips:

Configuring OpenBSD

  1. Once OpenBSD has been installed, head back to your desk and pull up PuTTY to remotely access the system through SSH. It is much easier to do it from your desk when you can have multiple remote sessions going and can cut and paste using PuTTY.
  2. (OPTIONAL) The first thing I like to do on any OpenBSD box that I have is change the default root shell from csh to ksh. Although not as secure as csh, ksh has necessary features of command history and tab expansion. The command history means that you can press the up-arrow key to access previously listed commands (similar to the way a cmd prompt works in Windows 2000). The tab expansion allows you to press the tab key to fill out lengthy filenames. For example if you want to change directory to /root/hereisareallylongdirectoryname, you could type cd /root/her and press the TAB key. The system will then fill in the rest of the filename for you. To make this change, run vipw and change the default shell for root to /bin/ksh.

    # vipw
    root:$asdfasdfqwerqwer$%.:0:0:daemon:0:0:MTA1 Sendmail &:/root:/bin/ksh

    After making this change and saving the file, go ahead and open up another SSH session and log in as root just to test. If you edited the file incorrectly, root would not be able to log in, so it is important to test it before you log out of the original session. If you are unable to log in, just switch back to the original session and fix the problem.

    BTW, if you are really concerned about security, you could just make this change while heavily working on the system, then change it back to the default when you are done.

    NOTE: I've also had it pointed out to me that /bin/sh also provides these same features and is also POSIX compliant.
  3. Set up your system to make sure that it keeps correct time. You can do this one of 2 ways. The easiest way is to set up the rdate program to run periodically to update the time from a remote NTP server. The not-so-easy, but more accurate way is to set up NTP on this computer. Personally I used NTP on my server, but we'll save the directions for setting up NTP for another day. To set up rdate to run on a schedule, run the crontab program to edit root's scheduler.

    # crontab -e

    Now add the following lines to the bottom of the file:

    # update time with ntp server
    0 * * * * /usr/sbin/rdate -ncva 128.2.136.71 |logger -t NTP


    This line will get cron to update the time on the computer every day at midnight. The computer will contact the Carnegie Mellon public NTP server. Please take a look at this list of public NTP servers and select a server that is close to you. The |logger -t NTP part makes sure that any adjustments are added to the /var/log/messages log file. Remember that it would be impolite and inefficient for you to configure multiple servers at your site to all talk directly to one of the public NTP servers. If you find yourself doing that, it may be time to set up your own NTP server. Note: you may want to run rdate once without the -a parameter so that it adjusts your time initially. The -a parameter tells rdate to change the time very slowly, even if it is off by a lot, so if your system clock is currently incorrect it could take hours or days before it is synchronized.
  4. Create a .forward file in root's home directory. The email system will use this file to forward any email for the root account to your personal (Exchange) account. This file should be a one line file with just a single email address in it.

    # vi /root/.forward
  5. Edit the hosts file to include the local address for our computer. The installs for some of the perl modules will run some network tests that won't work properly without this setting.

    # vi /etc/hosts

    Add the following line to the bottom of the file:

    10.2.1.50 mta1.domain.com mta1

Patching/Upgrading OpenBSD

The great folks over at OpenBSD release 2 new sub-versions a year. Unfortunately this means that in between those releases, the only way to install patches is to apply them yourself. As of this date, the OpenBSD errata page lists 14 patches that have been released for OpenBSD 3.2. There are 2 ways to do this. The first involves downloading each of the 14 patch files, then reading and following the directions in each (which usually involves re-compiling some part of OpenBSD). The second way involves using CVS to automatically download and update the source tree, then recompiling. I'll discuss the second way, since it is also how you can upgrade OpenBSD from one version to the next. You might as well learn how to do this now, rather than 1 year from now when the system is in production and you need to upgrade it to fix some security hole.

If you are upgrading from one version of OpenBSD to another (like from version 3.3 to version 3.4), you will want to read the Upgrading mini-FAQ. It describes some extra steps you should take to upgrade your system from older versions. Most of these directions are identical to the ones listed in that document.

  1. The first step in upgrading/patching from CVS is to download the source code. In the directions below, we're downloading from the main OpenBSD site in Canada. You will probably want to check the list of other AnonymousCVS mirrors to find one closer to you. Note that these directions are for ksh, so if you aren't running it as the default shell for root, just start it now by typing # ksh.

    # export CVSROOT=anoncvs@anoncvs.ca.openbsd.org:/cvs
    # export CVS_RSH=/usr/bin/ssh
    # cd /usr
    # cvs -q get -rOPENBSD_3_2 -P src

    Note that once you have downloaded the source code once, you can replace the word get with up to "update" the existing source code tree. The -q parameter tells cvs to be somewhat quiet....and it is. Don't be surprised if there is no output from the command until several minutes after you started it. The -r parameter tells cvs which version you want to download. If you are using a version other than 3.2, replace the 3_2 with your version numbers. Note that if you leave off the -r parameter, the system will download the current version of the OS. Don't be misled though, the current version is really the development version and is probably not the best thing to install on a production server. The -P parameter tells cvs to remove any previously downloaded source code that no longer applies.
  2. Once the source code has finished being downloaded, run through the following commands:

    # cd /usr/src
    # find . -type l -name obj |xargs rm
    # make cleandir
    # rm -rf /usr/obj/*
    # make obj
    # cd /usr/src/etc && make DESTDIR=/ distrib-dirs

  3. Now run the following commands to build and update to the latest kernel file (/bsd):

    # cd /usr/src/sys/arch/i386/conf
    # config GENERIC
    # cd ../compile/GENERIC
    # make clean && make depend && make
    # cp /bsd /bsd.old
    # cp bsd /bsd

    Then just reboot. If you run into problems, just boot from the install CD or install diskette, mount the volume and rename the bsd.old to bsd again.
  4. Once that is done, we can compile the whole system using the make build command. Note that this will compile and install all the updated files onto the server (basically everything except for /dev and /etc). If you have replaced some programs with your own, you will need to replace them again. In other words, later on in these directions, we will be replacing sendmail with postfix. If you ever update your system using the make build command after replacing sendmail with postfix, you will want to run make install again in the postfix directory to be sure that postfix is re-installed.

    # cd /usr/src
    # make build

    Depending on the processor speed of your server, the make build command will probably run for an hour or two.
  5. As I mentioned, the make build command does not update the /etc directory with changes. The easiest way to make sure that your /etc directory contains any needed changes is to use the mergemaster program. Mergemaster does not come with OpenBSD, but is available through the Ports tree (see below). Once you've installed it, just run:
    # mergemaster -v
    The program will help you compare the contents of your /etc folder with the updated /usr/src/etc/etc folder and let you easily copy any new files or merge the contents of any changed files.

Install Needed OpenBSD Ports

The best way to install most software for OpenBSD is to use the Ports collection. The Ports collection is available on your OpenBSD CDROM, or from any of the FTP mirrors. When unzipped, it contains a number of files that tell the operating system where to go to download over a thousand programs for OpenBSD, along with directions on how to compile them. The limitation of the ports collection is that it does not include the latest and greatest versions of all the software, so while we will use it to install a bunch of utilities, we'll install the main programs directly from the source. For more detailed information on how to use the Ports tree, or how to download it using CVS, see the Ports and Packages mini-faq.

The first step is to get the ports.tar.gz file from the CD-ROM and copy it to /usr

# mount /dev/cd0a /mnt
# cp /mnt/3.2/ports.tar.gz /usr
# umount /mnt
# cd /usr
# tar -zxvf ports.tar.gz

Once you extract the file, you will find a whole tree of files under /usr/ports. The tree is divided into sections which categorize the different software packages available. To install a particular software package, all you need to do is change into the directory of the software package and run make install:

# cd /usr/ports/archivers/unzip
# make install

The system will automatically download the source code, compile the program, generate a "package", and install the software. The cool thing is that the software is installed as a package...meaning you can easily remove it using the pkg_ commands. For example, to list all installed packages, type # pkg_info. To remove a package type # pkg_delete <packagename>.

So now you need to install all of the programs listed below. As mentioned, all you need to do is change to each of the following directories and run make install in each.

Package Source Directory          Description
--------------------------------  -----------
/usr/ports/archivers/unzip        A file used by amavisd-new when scanning MIME attachments.
/usr/ports/archivers/unrar        A file used by amavisd-new when scanning MIME attachments
/usr/ports/archivers/unace        A file used by amavisd-new when scanning MIME attachments
/usr/ports/archivers/unarj        A file used by amavisd-new when scanning MIME attachments
/usr/ports/archivers/arc          A file used by amavisd-new when scanning MIME attachments
/usr/ports/archivers/bzip2        A file used by amavisd-new when scanning MIME attachments
/usr/ports/archivers/lha          A file used by amavisd-new when scanning MIME attachments
/usr/ports/archivers/zoo          A file used by amavisd-new when scanning MIME attachments
/usr/ports/sysutils/mergemaster   A utility that makes upgrading the OS easier

In my experience, the package system usually works without a hitch. If you run into any problems, check the output for any error messages. Generally the only problem you may run into is with mismatched packages...in other words, say you install one package from OpenBSD 3.2, then a year from now, you try to install a package using the ports collection from OpenBSD 3.4. Usually when you upgrade, you will want to remove all the packages and reinstall the versions from that version of OpenBSD.


Removing Sendmail

  1. Delete the old sendmail executable. Note that Postfix will install a program called sendmail in the same location for compatibility. Also note that on OpenBSD, the real sendmail executable will still be available in /usr/libexec/sendmail/sendmail.
    # rm /usr/sbin/sendmail
  2. Remove the sendmail queue runner command in crontab
    # crontab -e
    Look for the lines that look like this and remove them or comment them out with a #
    # sendmail clientmqueue runner
    */30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q

  3. Edit the /etc/rc.conf file to turn off sendmail from starting when the computer boots. Change:
    sendmail_flags=NO
  4. Kill off any existing sendmail process.
    # ps -ax |grep sendmail
    # kill `head -1 /var/run/sendmail.pid`

NOTE: these directions assume that this is a new server that is not currently being used. If your server was previously running sendmail or some other MTA, you will want to check the postfix INSTALL file for better instructions on migrating to postfix.

Add User Accounts

When possible, you never want to run anything as root. The root account has unrestricted access to everything, so if there is a bug or security hole in anything you run as root, it could potentially compromise your entire system. To further tighten the security of our system, we will run different modules as different user accounts.

Use vipw to edit the password file. You could also use the adduser or useradd commands, but this is the easiest way for us. Go to the bottom of the file and add the following lines:

postfix:*:2000:2000::0:0:Postfix Mail Daemon:/var/empty:/sbin/nologin
amavisd:*:3000:3000::0:0:Amavis Mail Scanner Daemon:/var/amavisd:/sbin/nologin
spam:*:3001:3001::0:0:Spam Bayes Learner:/var/empty:/sbin/nologin
notspam:*:3002:3002::0:0:Not Spam Bayes Learner:/var/empty:/sbin/nologin

Next we want to add the group accounts for our new users. To do this, edit the /etc/group file. Add the following lines (preferably in numeric order with any other groups in the list):

postfix:*:2000:
postdrop:*:2001:
amavisd:*:3000:
spam:*:3001:
notspam:*:3002:

Here's a quick explanation of what we'll use the new accounts for: The postfix account is the account that postfix will run under, and likewise the amavisd account is the account that the amavisd program will run under. Running these programs in non-root accounts is good for security, since if an attacker compromises either program, they are still limited by those accounts. The spam and notspam accounts will be used to receive mail on this computer for the SpamAssassin Bayes Learner. Once everything is running, your users will be able to forward email to spam@thisserver.yourdomain or notspam@thisserver.yourdomain. Their mail will be incorporated into SpamAssassin's learning process so it can better determine what is spam and what is not spam. BTW, the * in the first section is in place of where a normal password would be. The star tells the operating system that the user cannot log in. The /sbin/nologin is the user's shell that is launched when they log in...which in this case is another indicator to the operating system that these users shouldn't be able to log in.
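A hand edit in vipw is easy to get subtly wrong, so here is a check for the properties described above (locked password field, /sbin/nologin shell, non-root and non-shared UIDs). It is an added example and not part of the original guide; the function name and both sample inputs are constructed for illustration, and on the real server it would be run as root with input redirected from /etc/master.passwd.

```shell
#!/bin/sh
# Added example (not from the original guide): audit master.passwd-format
# lines for the service accounts created in this section.
# Field layout: name:password:uid:gid:class:change:expire:gecos:home:shell

audit_service_accounts() {
    # stdin: master.passwd-format lines. Arguments: account names that must
    # exist and be locked down. Prints one finding per line and returns 1
    # if there was at least one finding.
    awk -F: -v want="$*" '
    BEGIN {
        n = split(want, names, " ")
        for (i = 1; i <= n; i++) wanted[names[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    NF != 10 {
        printf "line %d: expected 10 fields, found %d\n", NR, NF
        bad++; next
    }
    {
        seen[$1] = 1
        # Two names on one UID share file ownership and privileges.
        if ($3 in uid_owner) {
            printf "%s: UID %s already used by %s\n", $1, $3, uid_owner[$3]
            bad++
        } else uid_owner[$3] = $1
    }
    ($1 in wanted) {
        if ($2 != "*") { printf "%s: password field is not \"*\"\n", $1; bad++ }
        if ($3 == 0 || $4 == 0) { printf "%s: UID or GID is 0\n", $1; bad++ }
        if ($10 != "/sbin/nologin") { printf "%s: shell is %s\n", $1, $10; bad++ }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(names[i] in seen)) {
                printf "%s: account missing\n", names[i]; bad++
            }
        exit (bad > 0)
    }'
}

# Constructed sample: the four entries exactly as listed in this section.
sample_good() {
    cat <<'EOF'
postfix:*:2000:2000::0:0:Postfix Mail Daemon:/var/empty:/sbin/nologin
amavisd:*:3000:3000::0:0:Amavis Mail Scanner Daemon:/var/amavisd:/sbin/nologin
spam:*:3001:3001::0:0:Spam Bayes Learner:/var/empty:/sbin/nologin
notspam:*:3002:3002::0:0:Not Spam Bayes Learner:/var/empty:/sbin/nologin
EOF
}

# Constructed sample with editing mistakes: an empty password field, a login
# shell, a reused UID, and a forgotten account.
sample_bad() {
    cat <<'EOF'
postfix:*:2000:2000::0:0:Postfix Mail Daemon:/var/empty:/sbin/nologin
amavisd::3000:3000::0:0:Amavis Mail Scanner Daemon:/var/amavisd:/bin/ksh
spam:*:3000:3001::0:0:Spam Bayes Learner:/var/empty:/sbin/nologin
EOF
}

# Demonstration run on the constructed bad sample.
sample_bad | audit_service_accounts postfix amavisd spam notspam || true
```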

 

Install and Configure Postfix

You can install Postfix from the OpenBSD port collection using the same methods described above for the various archivers. The postfix port is located at /usr/ports/mail/postfix. You may want to double-check which version you are getting with that method. Below I describe how to install Postfix directly from the source. As I mentioned before, I prefer using ports for minor parts of the system and using the source for the major parts. This is just a personal preference.

  1. Download the latest version of postfix to /root and compile it. Check the www.postfix.org website for the latest version since it is updated frequently and I know for certain that 2.0.7 is no longer the most current.

    # cd /root
    # ftp http://postfix.energybeam.com/source/official/postfix-2.0.7.tar.gz
    # tar -zxvf postfix-2.0.7.tar.gz
    # cd postfix-2.0.7
    # make
  2. Set up the default postfix config by running make install and answering questions.

    # make install

    Answers (most will be the defaults)
    install_root: /
    tempdir: [/root/postfix-2.0.7] or whichever directory the source is in
    configdir: /etc/postfix
    daemondir: /usr/libexec/postfix
    commanddir: /usr/sbin
    queuedir: /var/spool/postfix
    sendmailpath: /usr/sbin/sendmail
    newaliases path: /usr/bin/newaliases
    mailq path: /usr/bin/mailq
    mail owner: postfix
    setgidgroup: postdrop
    man page dir: /usr/local/man
    sample dir: /etc/postfix
    readme: no
  3. Set up the Postfix CHROOT. Here we need to copy the necessary system files to the root directory where postfix will be restricted.
    # mkdir /var/spool/postfix/etc
    # cd /etc
    # cp localtime services resolv.conf /var/spool/postfix/etc
  4. Set up the aliases file. Here we want to set up the aliases file (which provides aliases for commonly used accounts). If we had one from sendmail we could use it. Otherwise we'll just copy the sample one. Basically the aliases file allows us to redirect any email for non-email receiving accounts (like www) to the root account. Root's email is forwarded to us using the /root/.forward file we set up above.

    # cp /etc/postfix/aliases /etc/

    Run newaliases to hash the text file into aliases.db (which is what postfix actually uses).

    # newaliases
  5. Next we want to edit the postfix configuration file (/etc/postfix/main.cf) to customize it for our email system. Search for the following entries to set. Note that many will not be listed in the default file.

    #
    # >>>>>>>>>> You must reload postfix after editing this file
    # >> NOTE >> to do this use the command:
    # >>>>>>>>>> # postfix stop;postfix start
    #

    queue_directory = /var/spool/postfix
    daemon_directory = /usr/libexec/postfix

    mail_owner = postfix

    myhostname = mta1.domain.com
    mydomain = domain.com
    myorigin = $myhostname
    mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.domain.com
    mynetworks = 10.0.0.0/8, 65.0.0.0/24, 127.0.0.0/8

    local_recipient_maps =
    biff = no
    empty_address_recipient = MAILER-DAEMON
    queue_minfree = 8000000
    message_size_limit = 50000000
    mailbox_size_limit = 100000000

    smtpd_banner = $myhostname ESMTP Postfix

    transport_maps = hash:/etc/postfix/transport
    local_transport = local

    smtpd_helo_restrictions = permit_mynetworks
    smtpd_sender_restrictions = permit_mynetworks
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient

    notify_classes = 2bounce,policy,protocol,resource,software

    #content_filter = smtp-amavis:[127.0.0.1]:10024

    # Install Time Configuration
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = postdrop
    manpage_directory = /usr/local/man
    sample_directory = /etc/postfix
    readme_directory = no


    Explanation of Postfix configuration settings:
    queue_directory: Postfix's work directory, where all the mail will be temporarily stored until it is delivered.
    daemon_directory: Specifies the location of all the postfix programs.
    mail_owner: Specifies the user account that will own the mail queues.
    myhostname: The name of this computer including the domain part. This is used when adding Received: headers to email messages.
    mydomain: This specifies the domain of this current computer.
    myorigin: This name is added to locally originating email. So if you sent yourself a message from root, it would appear to come from root@mta1.domain.com.
    mydestination: This setting tells postfix what domains it will accept email for. Please note this should not be used for virtual domains, or for backup MX hosts. In our case, we set it so it would receive mail for something@mta1.domain.com, something@localhost.domain.com, something@domain.com, and something@mail.domain.com.
    mynetworks: This setting tells postfix what networks it should consider local. In other words, computers connecting from any of these networks will be able to relay mail, etc. In our case, we put 127.0.0.0 (for localhost), 65.0.0.0 (for any other computers on our external network), and 10.0.0.0 (for any internal computer).
    local_recipient_maps: This setting tells postfix where to find the names of local users to accept mail for. We just want to leave this blank (note that removing it altogether will cause errors).
    biff: This setting tells postfix not to use the biff program to let local users know that they have new email.
    empty_address_recipient: This setting is the user that bounced messages will appear to come from.
    queue_minfree: This setting tells postfix not to accept any messages for delivery if there are less than 8 megs of disk space available.
    message_size_limit: This sets the maximum size of a message. Messages larger than 50 megs will be rejected.
    mailbox_size_limit: This sets the maximum size of local mailbox files. We set it to 100 megs, although it should never reach this high because our only local mailboxes are spam and notspam.
    smtpd_banner: This is the banner that is displayed to connecting computers. It is a good security practice to give as little information as possible. I've included just the essentials.
    transport_maps: This setting tells postfix where to find the transport information. The transport file is where we tell Postfix where to route certain mail. In our case, this file is where we tell Postfix that mail for domain.com should be delivered to our exchange server.
    local_transport: This setting tells postfix that all local mail should be delivered using the local delivery agent.
    smtpd_helo_restrictions, smtpd_sender_restrictions, smtpd_recipient_restrictions: These settings are used to deny access to postfix based on the HELO command, the sender, or the recipient. The recipient restrictions settings are used to prevent our mail server from being used as an open relay. As configured, the helo and sender restrictions are left open. If you want to play around with these you can, just look them up in the postfix documentation. Normally these settings can be used to help block SPAM. Unfortunately they depend on the assumption that all legitimate senders have their systems correctly configured. In my experience this is never the case, so these settings are more trouble than they are worth. Like the RBL lists, I found that enabling these settings meant that I spent too much time teaching other mail administrators how to correctly configure their systems.
    content_filter: This is where we tell postfix to filter all email through our amavisd-new mail filter.
    notify_classes: This setting tells postfix to send all sorts of notifications to the postmaster email account. Here's a list of the available options:

      bounce: Send the postmaster copies of the headers of bounced mail.
      2bounce: Send undeliverable bounced mail to the postmaster.
      delay: Send the postmaster copies of the headers of delayed mail.
      policy: Send the postmaster a transcript of the entire SMTP session when a client request was rejected because of (UCE) policy.
      protocol: Send the postmaster a transcript of the entire SMTP session in case of client or server protocol errors.
      resource: Inform the postmaster of mail not delivered due to resource problems.
      software: Inform the postmaster of mail not delivered due to software problems.
    Install Time Configuration: This section holds the settings we used when we installed postfix. We keep them in the config file so that future upgrades will be easier.

    Notice that currently the content_filter line is commented out. This will allow us to test postfix by itself to make sure it is working properly before adding amavis into the mix.
  6. Edit the /etc/postfix/master.cf file. Change the CHROOT setting for all the base postfix services from 'n' to 'y'. You also want to add the amavis interface section.

    #==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    #==========================================================================
    smtp      inet  n       -       y       -       -       smtpd
    pickup    fifo  n       -       y       60      1       pickup
    cleanup   unix  n       -       y       -       0       cleanup
    qmgr      fifo  n       -       y       300     1       qmgr
    rewrite   unix  -       -       y       300     -       trivial-rewrite
    bounce    unix  -       -       y       -       0       bounce
    defer     unix  -       -       y       -       0       bounce
    flush     unix  n       -       y       1000?   0       flush
    proxymap  unix  -       -       y       -       -       proxymap
    smtp      unix  -       -       y       -       -       smtp
    relay     unix  -       -       y       -       -       smtp
    showq     unix  n       -       y       -       -       showq
    error     unix  -       -       y       -       -       error
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       y       -       -       lmtp

    #
    # The amavis interface
    #
    smtp-amavis unix -      -       y       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes
    127.0.0.1:10025 inet n  -       y       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes

    I won't bother explaining this file in too much detail. Basically this file is used by the master program to figure out how to run each of the individual postfix processes. The amavis interface section sets up the network communications (on the postfix side) between amavisd and postfix.

  7. Next we want to edit the transport file (/etc/postfix/transport). This is a file that identifies where to route our incoming email. Since we want this server to accept all mail for our domain and route it to our exchange server, we will add that line here.

    domain.com smtp:[10.1.1.50]

    If you want to use a FQDN instead of an IP address, just leave out the brackets (i.e. smtp:exchange.domain.com). Just make sure that the server will be able to successfully look up that DNS record.

    After editing the transport file, we need to run the postmap command. Postfix doesn't actually read the text file we created because that would be slow (especially if the file had many entries). Instead we convert the file into a database format using the postmap command.

    # postmap /etc/postfix/transport

    After running this command, you will see the new database file that has been created: /etc/postfix/transport.db.
  8. Set up Postfix to launch at startup by editing the /etc/rc.local file to include a line: /usr/sbin/postfix start. Once that is done go ahead and start postfix using the same command.
  9. You should test to make sure that you can connect to the SMTP interfaces on port 25 and port 10025. To do this use the command:

    # telnet localhost 25

    The server should respond with:
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mta1.domain.com ESMTP
    (press ctrl-], then type 'quit' to quit)

    # telnet localhost 10025

    The server should respond with:
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mta1.domain.com ESMTP
    (press ctrl-], then type 'quit' to quit)

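The master.cf layout from step 6 can be checked mechanically before amavisd is switched on. This is an added example, not part of the original page: it parses master.cf, checks the chroot column, and checks that the port 10025 listener is loopback-only and carries the overrides shown in step 6. The DRIFTED sample is constructed, and the choice of which overrides to verify is this example's assumption.

```python
"""Audit a Postfix master.cf against the layout used in step 6 (added example)."""

UNCHROOTED_OK = {"local", "virtual"}  # the two commands the page leaves at chroot=n
REINJECT_PORT = "10025"               # port amavisd-new forwards scanned mail to

# The service table from step 6 of the page.
PAGE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
pickup    fifo  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       y       300     1       qmgr
rewrite   unix  -       -       y       300     -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       y       -       -       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
# The amavis interface
smtp-amavis unix -      -       y       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       y       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
"""

# Constructed variant: smtpd unchrooted, listener on every interface, filter override lost.
DRIFTED = """\
smtp      inet  n       -       n       -       -       smtpd
10025     inet  n       -       y       -       -       smtpd
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

def parse_master_cf(text):
    """Return one dict per service; indented lines continue the previous entry."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if not services:
                raise ValueError("continuation line before any service entry")
            services[-1]["args"] += line.split()
            continue
        f = line.split()
        if len(f) < 8:
            raise ValueError("short master.cf entry: %r" % line)
        services.append({"service": f[0], "type": f[1], "chroot": f[4],
                         "command": f[7], "args": f[8:]})
    return services

def overrides(args):
    """Collect '-o name=value' pairs from a service's argument list."""
    pairs = [p for flag, p in zip(args, args[1:]) if flag == "-o" and "=" in p]
    return dict(p.split("=", 1) for p in pairs)

def audit(text):
    """Return findings as strings; an empty list means the file matches step 6."""
    findings, reinject = [], None
    for s in parse_master_cf(text):
        if s["chroot"] != "y" and s["command"] not in UNCHROOTED_OK:
            findings.append("%s/%s: chroot is %r, expected 'y'"
                            % (s["service"], s["type"], s["chroot"]))
        if s["type"] == "inet" and s["service"].rsplit(":", 1)[-1] == REINJECT_PORT:
            reinject = s
    if reinject is None:
        return findings + ["no inet listener on port %s" % REINJECT_PORT]
    if not reinject["service"].startswith("127.0.0.1:"):
        findings.append("%s listener is not bound to 127.0.0.1" % REINJECT_PORT)
    got = overrides(reinject["args"])
    want = {"content_filter": "",  # empty, or scanned mail is sent to the filter again
            "mynetworks": "127.0.0.0/8",
            "smtpd_recipient_restrictions": "permit_mynetworks,reject"}
    for name, value in want.items():
        if got.get(name) != value:
            findings.append("%s listener: %s=%r, expected %r"
                            % (REINJECT_PORT, name, got.get(name), value))
    return findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_MASTER_CF), ("drifted", DRIFTED)):
        print(name, audit(text) or "OK")
```

To check the live file, pass its contents to audit(), for example audit(open('/etc/postfix/master.cf').read()).
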
Install Needed Perl Modules

Both amavisd-new and SpamAssassin are written in perl and have a number of other perl modules as dependencies. Fortunately perl has a built-in way to download and install these modules. To start the perl command environment use the command:

# perl -MCPAN -e shell

This command will pop up a little cpan> prompt where you can enter commands. To install a module, type install followed by the module name (ex. install MIME::Words). If you need help, type help.

Here is a list of the modules required. Note that some may return saying they are up to date, so just move on to the next one.

Occasionally you will be prompted with the following message:

---- Unsatisfied dependencies detected during [G/GA/GAAS/Somefile.tar.gz] -----
Name of Dependency
Shall I follow them and prepend them to the queue
of modules we are processing right now? [yes]

This is just telling you that the module you are installing needs some other module to work properly. It is asking your permission to go ahead and install it first. Go ahead and press enter to accept the default of yes.

Similarly you will be prompted with a number of other questions during this install process. Just press enter to accept the defaults on most of them.

If you run into any errors, try to read the error to figure out what you should do. In some cases you may get an error when a test that is run as part of the install fails. To install anyway use the force install modulename command. For more assistance with cpan and perl go to http://www.cpan.org/.

Once everything is installed type 'q' to quit.

Installing and Configuring SpamAssassin
  1. Run the perl shell to install it using the command:
    # perl -MCPAN -e shell

    then type:

    install Mail::SpamAssassin

    If you are asked if you want to run the Razor2 or DCC tests, just press enter to select NO. When finished type q and press enter to quit.
  2. Edit the /etc/mail/spamassassin/local.cf file and make the following settings:

    rewrite_subject 1

    report_safe 0
    use_terse_report 0

    use_bayes 1
    bayes_path /var/amavisd/.spamassassin/bayes
    auto_learn 1

    skip_rbl_checks 1
    use_razor2 1
    use_dcc 1
    use_pyzor 0
    dcc_add_header 1

    dns_available yes

    header LOCAL_RCVD Received =~ /\S+\.domain\.com\s+\(.*\[.*\]\)/
    describe LOCAL_RCVD Received from local machine
    score LOCAL_RCVD -50


    Explanation of SpamAssassin configuration settings:
    rewrite_subject (1|0): Tells SpamAssassin to change the subject on SPAM messages to include the subject_tag.
    report_safe (0|1|2): This setting configures how to handle SPAM. A setting of 0 puts the SpamAssassin report into the headers. A setting of 1 puts it in the main email and attaches the original email as an attachment. Setting 2 is similar to setting 1, plus it changes the type of attachment to text/plain (as a security measure).
    use_terse_report (0|1): Setting this to 0 gives the normal length explanation of why the message was considered SPAM. Setting it to 1 gives a shorter report. (Note that this report only appears if you change the report_safe setting, or if you configure blocking like we will do...in which case the sender gets this report).
    use_bayes (0|1): This setting turns the Bayesian learning on or off. In our case we want it on.
    bayes_path (path): Location of the systemwide bayes database. We need to set this so that the root account can run the sa-learn program to update the bayes database normally used by the amavisd user.
    auto_learn (0|1): If turned on (1), this will cause SA to automatically add very SPAM or very not-SPAM messages to the Bayesian statistics database.
    skip_rbl_checks (0|1): By default SA would run the RBL (Realtime Blackhole List) checks. I turn this off because I don't want to waste time explaining to mail-sysadmins how to fix their broken (relaying) servers...which is what happens when you suddenly start rejecting their email.
    use_razor2 (0|1): Tells SA that we want to use Razor version 2.
    use_dcc (0|1): Tells SA that we want to use DCC (Distributed Checksum Clearinghouse).
    use_pyzor (0|1): Tells SA that we don't want to use Pyzor (since we won't be installing it).
    dcc_add_header (0|1): Tells SA to add a header from DCC containing statistics about the message.
    dns_available (yes|test|no): Normally SA tests to see if it has access to a DNS server to do lookups. Since I know my server has access to DNS, I tell it to skip this test. It saves on initial amavis startup time.
    LOCAL_RCVD rules: The last lines (header, describe and score) are used to prevent my outgoing mail from being tested for spam. If you're like me, your users would be upset if their mail was tagged as spam before a client read it. This rule basically checks the header for the Received: from lines showing the message route.

    You will need to customize this rule to fit your system. To do this, send a message to your test hotmail account (or some account outside of your system). Check the headers for lines that look like this:

    Received: from mta1.domain.com (mta1.domain.com [64.132.107.5])
        by law122.ms.hotmail.com (8.12.6/8.12.2) with ESMTP id h3EI48pL002768
        for <forge@hotmail.com>; Mon, 14 Apr 2003 14:04:08 -0400 (EDT)
    Received: from exchange.domain.com (exchange.domain.com [10.1.1.50])
        by mta1.domain.com (Postfix) with ESMTP id F3B7117EFD
        for <forge@hotmail.com>; Mon, 14 Apr 2003 14:04:07 -0400 (EDT)
    Received: by exchange.domain.com with Internet Mail Service (5.5.2653.19)
        id <GKFZ3XPK>; Mon, 14 Apr 2003 14:04:03 -0400

    The rule is a standard SpamAssassin rule and uses Regular Expression syntax. To explain it in regular terms, it looks for *.domain.com (*[*]) on the received line (where the stars are anything). When it finds a match, it gives the message a SPAM score of -50 (ensuring it is not counted as SPAM).

  3. Now we want to set up the amavisd and spamassassin home directory for the amavisd user.

    # mkdir -p /var/amavisd
    # chown amavisd.amavisd /var/amavisd
    # chmod 750 /var/amavisd
    # cd /var/amavisd
    # mkdir .spamassassin
    # touch .spamassassin/user_prefs
    # chown -R amavisd.amavisd .spamassassin
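
The LOCAL_RCVD rule from step 2 is evaluated against every Received header a message carries, not only the one this gateway wrote. This added example (not part of the original page) runs the page's pattern over the page's sample headers and, for comparison, checks only the hop recorded by mta1 itself; the RETURNED message, its 192.0.2.25 address and the INTERNAL_RELAYS set are constructed for illustration.

```python
"""Compare the page's LOCAL_RCVD pattern with a check of the gateway's own hop."""
import re
from email import message_from_string

# Pattern copied from the page's local.cf rule (same meaning in Perl and Python).
LOCAL_RCVD = re.compile(r"\S+\.domain\.com\s+\(.*\[.*\]\)")
# Layout of the Received header Postfix writes, as seen in the page's sample:
#   from <HELO name> (<reverse-DNS name> [<client IP>]) by <this host> ...
POSTFIX_HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")
GATEWAY = "mta1.domain.com"      # myhostname on the page
INTERNAL_RELAYS = {"10.1.1.50"}  # assumption: only the Exchange server relays outbound

# Outbound mail as the gateway sees it: the two lower headers of the page's sample.
OUTBOUND = """\
Received: from exchange.domain.com (exchange.domain.com [10.1.1.50])
\tby mta1.domain.com (Postfix) with ESMTP id F3B7117EFD
\tfor <forge@hotmail.com>; Mon, 14 Apr 2003 14:04:07 -0400 (EDT)
Received: by exchange.domain.com with Internet Mail Service (5.5.2653.19)
\tid <GKFZ3XPK>; Mon, 14 Apr 2003 14:04:03 -0400
Subject: outbound sample

body
"""

# Constructed: a message relayed back in by an outside host. The top hop is
# external (192.0.2.25 is a documentation address); an older domain.com hop remains.
RETURNED = """\
Received: from law122.ms.hotmail.com (law122.ms.hotmail.com [192.0.2.25])
\tby mta1.domain.com (Postfix) with ESMTP id CONSTRUCTED1
\tfor <user@domain.com>; Mon, 14 Apr 2003 14:10:00 -0400 (EDT)
Received: from mta1.domain.com (mta1.domain.com [64.132.107.5])
\tby law122.ms.hotmail.com (8.12.6/8.12.2) with ESMTP id h3EI48pL002768
\tfor <forge@hotmail.com>; Mon, 14 Apr 2003 14:04:08 -0400 (EDT)
Subject: returned sample

body
"""

def received(raw):
    """Unfolded Received header values, newest (top) first."""
    msg = message_from_string(raw)
    return [re.sub(r"\s*\r?\n\s+", " ", v).strip()
            for v in msg.get_all("Received", [])]

def rule_fires(raw):
    """True if any Received header matches, which is how a header rule is applied."""
    return any(LOCAL_RCVD.search(v) for v in received(raw))

def gateway_hop(raw):
    """Parse the topmost Received header, the only one written by our own Postfix."""
    hops = received(raw)
    m = POSTFIX_HOP.match(hops[0]) if hops else None
    return m.groupdict() if m and m.group("by") == GATEWAY else None

def from_internal_relay(raw):
    """True only when our own gateway recorded an internal relay as the client."""
    hop = gateway_hop(raw)
    return bool(hop) and hop["ip"] in INTERNAL_RELAYS

if __name__ == "__main__":
    for name, raw in (("outbound", OUTBOUND), ("returned", RETURNED)):
        print(name, "LOCAL_RCVD fires:", rule_fires(raw),
              "| relayed by internal host:", from_internal_relay(raw))
```

Both samples trigger the -50 score, but only the first was handed to the gateway by the internal mail server.
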

 

Installing Razor

Unfortunately I couldn't get Razor working correctly when not running as chroot. For some reason it had a hard time figuring out what its razorhome directory was (even though it was explicitly set in the config file). Fortunately it works great in chroot mode. If you are not going to run amavisd-new in chroot mode, you may want to just disable the razor checks in your /etc/mail/spamassassin/local.cf file.

Download the latest v2 razor-agents, untar and run:
# cd /root
# ftp http://unc.dl.sourceforge.net/sourceforge/razor/razor-agents-2.22.tar.gz
# tar -zxvf razor-agents-2.22.tar.gz
# cd razor-agents-2.22
# perl Makefile.PL
# make
# make test
# make install

Create the default configuration files in /etc/razor
# razor-client
# razor-admin -create

Register yourself with the razor network. Substitute your exchange email address for the address listed.
# razor-admin -register -user postmaster@domain.com

Copy the razor config files to the chroot directory
# cp -r /root/.razor /var/amavisd
# chown -R amavisd.amavisd /var/amavisd/.razor

Unfortunately you have to install a patch to Razor to get it to work properly when called by SpamAssassin. Unless you have logging set to the highest levels, Razor will actually appear to be working, but will never tag any messages. Fortunately applying the patch is easy enough.
# cd /usr/local/libdata/perl5/site_perl/i386-openbsd/Razor2/Client
# ftp http://www.ijs.si/software/amavisd/Razor2.patch
# ftp http://www.ijs.si/software/amavisd/Razor2.patch2
# patch < Razor2.patch
# patch < Razor2.patch2
The patch program will automatically apply the patch and make a backup of the original file. Otherwise, that's it, Razor is now ready to go.

You can enable or disable Razor by editing your /etc/mail/spamassassin/local.cf file: use_razor2 1

One last note, razor has its own logfile in /var/amavisd/.razor called razor-agent.log. Unchecked, this file could potentially grow to fill your entire /var volume. Therefore, once you are sure that razor is working properly, you will want to edit the razor config to turn off logging. Unfortunately you can't use newsyslog to rotate this logfile without having to stop and restart amavisd. Edit /var/amavisd/.razor/razor-agent.conf and change:
debuglevel = 5
to
debuglevel = 0
then restart amavisd.

 

 

Installing DCC

Download and extract the latest DCC (http://www.rhyolite.com/anti-spam/dcc)

# cd /root
# ftp http://www.rhyolite.com/anti-spam/dcc/source/dcc-dccd.tar.Z
# tar -zxvf dcc-dccd.tar.Z
# cd dcc-dccd-1.1.36
# ./configure
# make
# make install

Make sure udp port 6277 is allowed out from this computer on your firewall.

# /usr/local/bin/cdcc 'info'

If everything is working, you should see a bunch of lines like:

dcc.rhyolite.com, - RTT+0 ms anon
# 153.19.44.233,- coral.ely.pg.gda.pl WEiAPG server-ID 1072
# 100% of 3 requests ok 1687.64+0 ms RTT 113 ms queue wait
# 192.188.61.3,- calcite.rhyolite.com Rhyolite server-ID 101
# 100% of 2 requests ok 755.52+0 ms RTT 50 ms queue wait

Since amavisd-new will be running in chroot mode, we need to copy DCC and all the files it needs to the chroot directory. I was disappointed to discover that DCC required /bin/sh in order to work properly since it reduces the security of the system. Without it, you'll receive this error when running amavisd debug: DCC -> check failed: no response

# mkdir -p /var/amavisd/var /var/amavisd/usr/bin /var/amavisd/usr/libexec /var/amavisd/var/dcc
# mkdir -p /var/amavisd/usr/lib /var/amavisd/bin
# cp -r /var/dcc /var/amavisd/var/
# cp /usr/local/bin/dccproc /var/amavisd/usr/bin
# cp /usr/libexec/ld.so /var/amavisd/usr/libexec
# cp /usr/lib/libc.so.28.5 /var/amavisd/usr/lib
# cp /usr/lib/libm.so.0.1 /var/amavisd/usr/lib
# chown -R amavisd:amavisd /var/amavisd/var/dcc
# cp /bin/sh /var/amavisd/bin/

You can enable or disable DCC by editing your /etc/mail/spamassassin/local.cf file: use_dcc 1

 

 

Installing and Configuring Amavisd-new

  1. Installing amavisd-new is actually pretty simple once all the required Perl modules have been installed (which we did above). To install, all we have to do is copy the perl code file where we want it, set the permissions and make it executable.

    # cd /root
    # ftp http://www.ijs.si/software/amavisd/amavisd-new-20030314-p1.tar.gz
    # tar -zxvf amavisd-new-20030314-p1.tar.gz
    # cd amavisd-new-20030314
    # cp amavisd /usr/local/sbin/
    # chown root.wheel /usr/local/sbin/amavisd
    # chmod 550 /usr/local/sbin/amavisd
    # cp amavisd.conf /etc/
    # chown root.wheel /etc/amavisd.conf
    # chmod 644 /etc/amavisd.conf
    # touch /var/amavisd/amavis.log
    # chown amavisd.amavisd /var/amavisd/amavis.log
  2. Edit the Amavisd-new configuration /etc/amavisd.conf and make the following changes:

    use strict;

    $MYHOME = '/var/amavisd';
    $mydomain = 'domain.com';
    $daemon_user = 'amavisd';
    $daemon_group = 'amavisd';
    $daemon_chroot_dir = $MYHOME;

    $QUARANTINEDIR = "$MYHOME/quarantine";
    $TEMPBASE = "$MYHOME/tmp";
    $ENV{TMPDIR} = $TEMPBASE;
    $helpers_home = $MYHOME;

    $forward_method = 'smtp:127.0.0.1:10025';
    $notify_method = $forward_method;
    $inet_socket_port = 10024;
    $inet_socket_bind = '127.0.0.1';
    @inet_acl = qw( 127.0.0.1 );

    @bypass_virus_checks_acl = qw( . );
    @local_domains_acl = ( ".$mydomain" );

    $DO_SYSLOG = 1; # (1 = syslog, 0 = logfile)
    $LOGFILE = "$MYHOME/amavis.log";
    $log_level = 5; # (0-5)

    $hdrfrom_notify_sender = 'SpamAssassin <helpdesk@domain.com>';
    $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt");

    $final_spam_destiny = D_PASS; # Set to D_BOUNCE to block/notify, D_PASS to pass through

    read_hash(\%whitelist_sender, '/var/amavisd/whitelist');
    read_hash(\%blacklist_sender, '/var/amavisd/blacklist');
    read_hash(\%spam_lovers, '/var/amavisd/spam_lovers');

    # defending against mail bombs
    $MAXLEVELS = 14; # Maximum recursion level for extraction/decoding
    $MAXFILES = 1500; # Maximum number of extracted files
    $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
    $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
    $MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
    $MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)

    $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

    $banned_filename_re = new_RE();

    $file = 'file';
    $arc = ['nomarch', 'arc'];
    $gzip = 'gzip';
    $bzip2 = 'bzip2';
    $uncompress = ['uncompress', 'gzip -d', 'zcat'];
    $lha = 'lha';
    $unarj = 'unarj';
    $unrar = 'unrar';
    $zoo = 'zoo';

    # SpamAssassin settings
    $sa_auto_whitelist = 1; # comment this line out to turn off auto whitelist
    $sa_mail_body_size_limit = 64*1024; # 64KB

    $sa_tag_level_deflt = 3.0; # controls adding the X-Spam-Status and X-Spam-Level headers,
    $sa_tag2_level_deflt = 6.3; # controls adding 'X-Spam-Flag: YES', and editing Subject,
    $sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions:

    $sa_spam_subject_tag = '***SPAM*** ';

    $sa_debug = 1; # comment this line out to turn off debugging

    1; # insure a defined return


    Explanation of Amavisd-new configuration settings:
    $MYHOME, $mydomain: These are really just variables used in this config file so we don't have to type the same things over and over again. MYHOME is our default work directory, mydomain is the name of our domain.
    $daemon_user, $daemon_group: This is the user and group that amavisd and all its helper programs will run under for security reasons.
    $daemon_chroot_dir: This option tells amavisd to run in chroot mode. Chroot is a security trick that traps the program in a certain directory, in our case $MYHOME. By turning this on, amavisd will not be able to access anything on the computer other than what is in the /var/amavisd directory.
    $QUARANTINEDIR: This is the location where amavisd would place quarantine files if you were using it for virus scanning. Even though we aren't virus scanning, it is still needed.
    $TEMPBASE: When amavisd does its thing, it creates a bunch of temp files. Normally it would just store them in $MYHOME. By storing them in $MYHOME/tmp, we can easily clean up the temp directory whenever we need to by stopping amavisd and deleting everything in $MYHOME/tmp/*
    $ENV{TMPDIR}, $helpers_home: I found that both of these settings help SpamAssassin, Razor and DCC work better by explicitly telling these helper programs their home and