After several months of using qmail to provide email services for hotham.net, I had grown frustrated with my inability to configure it to work with SpamAssassin and other spam fighting tools. Rather than making yet another attempt, I decided to change Mail Transport Agents (MTAs) and try Postfix instead. My decision was based on positive reports I had read, as well as the fact that Postfix is the default MTA for both Red Hat and Mandrake Linux, as well as Apple’s OS X.
Postfix was originally designed and written by Wietse Venema as an alternative for the widely used, but complex and difficult to secure, Sendmail. Open source, Postfix is released under the IBM public license and is available for free download from http://www.postfix.org/.
The first step for replacing qmail on hotham.net was to disable qmail and its associated helper programs. Email servers are designed to retry for several days when message delivery fails, so I had no worries about being unable to accept mail for a few minutes / hours.
After making copies of my aliases and forward files, I deleted the entire /var/qmail directory and qmail control scripts. Postfix is able to use the Mailbox mail format, so I had no worries about losing any users’ email, which was a major consideration as I use IMAP to keep all mail on the server.
Hotham.net runs on Red Hat 7.3 Linux which normally includes Postfix. I had previously removed the Postfix rpm, so I downloaded the appropriate package from Simon Mudd’s website at http://postfix.wl0.org/en/available-packages/. Installation was a simple matter of (as root) typing “rpm -i postfix-
Most configuration of Postfix is done by editing the /etc/postfix/main.cf file. This file can have potentially hundreds of configuration options, but a basic installation requires only a few modifications including setting:
- myorigin - which domain to send mail from
- mydestination - which domain(s) to receive mail for
- mynetworks - which clients to relay mail for
The main.cf file contains explanatory comments for each parameter and a guide to basic configuration is available at http://www.postfix.org/basic.html.
Under Red Hat, Postfix is installed as a service and can be controlled using “service postfix start / stop / restart / status”. Once started, Postfix should listen on port 25, and respond to “telnet localhost 25” with something similar to the following. Typed commands are the lines that do not begin with a three-digit reply code.
220 mail.example.com ESMTP Postfix
EHLO domain.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XVERP
250 8BITMIME
MAIL FROM:<user@domain.com>
250 Ok
RCPT TO:<user@example.com>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Test message
.
250 Ok: queued as 6054B5709E7
QUIT
221 Bye
If there are any problems, check the Postfix log file (/var/log/maillog) to find out what is causing the problem. The log file can also be very handy when testing spam filtering techniques to see which messages were rejected, and why.
Once you are able to send messages, you need to be able to receive them. I tested this by using another email account to send several test messages, while at the same time watching the log file to make sure Postfix was accepting them, and had no problems with this step (as opposed to the hours I had spent trying to configure qmail to do the same thing). Your log file and Google are your best friends if you have any problems here.
So now you have a mail server which is sending and accepting email for your domain. Time to move on to the spam fighting measures? Well, not quite. You also need a way for your users to be able to view or download email from their home computers (unless you are happy with local tools like Mutt or Pine). I already had a Courier-IMAP solution working from my qmail installation, so I was able to skip this step.
If you do not already have a POP3 or IMAP installation running on your mail server, I recommend visiting http://www.postfix.org/docs.html and checking the links under the POP / IMAP section. Which solution you use should be based on how you want your users to access their mail. Hotham.net uses Courier-IMAP over SSL for remote mail access and SquirrelMail for web based mail.
You now have a working mail server for your domain and can experiment with Postfix’s long list of configuration options. My main interest in using Postfix was to fight spam, so anti-spam configuration was high on my list of priorities and I had two objectives in mind.
- Reject sending hosts listed in Realtime Blackhole Lists (RBLs) as well as others with invalid hostnames and other problems
- Filter and test for spam all email accepted and delivered locally or forwarded
Postfix makes both steps easy to do and there is an extensive list of options at http://www.securitysage.com/guides/postfix_uce.html. In order to implement RBL and hostname testing, I simply added the following lines to my main.cf file:
smtpd_recipient_restrictions =
    # Allow connections from trusted machines
    permit_mynetworks,
    # Reject hosts with invalid hostnames
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    # Reject mail sent to or from a fake domain
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    # Use RBL lists to block spamming hosts
    # Must be careful to use trusted hosts or mail might not get through
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    # Rejects dynamically created IP addresses as used by Cable / DSL ISPs
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
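What a reject_rbl_client lookup does, and a way to check that a list still behaves before trusting it, shown as an added example that is not part of the original article. It uses the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not); the "*.example" zones and the fake resolver are constructed so the code runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Name looked up for a client: reversed IPv4 octets under the list's zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolver):
    """Without an "=d.d.d.d" filter, any A record answer counts as listed."""
    return bool(resolve(dnsbl_query_name(ip, zone)))

def zone_health(zone, resolve=system_resolver):
    """Classify a list using the RFC 5782 test addresses."""
    hit = is_listed("127.0.0.2", zone, resolve)    # must be listed
    miss = is_listed("127.0.0.1", zone, resolve)   # must not be listed
    if hit and not miss:
        return "ok"
    if hit and miss:
        return "lists-everything"   # would reject every client
    return "dead"                   # no longer blocks anything

# Constructed resolver data for an offline demo; these zones are made up.
FAKE_DNS = {
    "2.0.0.127.good.example": ["127.0.0.2"],
    "10.2.0.192.good.example": ["127.0.0.4"],
}

def fake_resolver(name):
    if name.endswith(".wildcard.example"):   # a list answering for every name
        return ["127.0.0.2"]
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "sbl.spamhaus.org"))
    for zone in ("good.example", "wildcard.example", "gone.example"):
        print(zone, zone_health(zone, fake_resolver))
```

Calling zone_health with the default resolver against each zone in main.cf shows which entries are safe to keep; a zone reported as "lists-everything" is the case the comment in the configuration warns about.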
SpamAssassin was already installed on the server, so all I had to do was configure Postfix to pass mail to SpamAssassin for filtering before delivery. If SpamAssassin is not on yours (try “rpm -qa | grep spamassassin”), you can download it from http://spamassassin.org.
Here are the steps I used:
As root, create /usr/local/bin/spamfilter.sh containing the following:
#!/bin/bash
/usr/bin/spamc | /usr/sbin/sendmail -i "$@"
exit $?
Create a user named spamfilter using “adduser spamfilter”.
Set the script’s permissions using “chmod 755 /usr/local/bin/spamfilter.sh” and change owners with “chown spamfilter /usr/local/bin/spamfilter.sh”.
Edit /etc/postfix/master.cf and alter the smtp inet line to read:
smtp inet n - n - - smtpd -o content_filter=spamfilter:
In the “Interfaces to non-Postfix software” section add:
spamfilter unix - n n - - pipe flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter.sh -f ${sender} -- ${recipient}
Restart Postfix and verify that email is still being delivered (using the steps described above). Viewing the email headers should also indicate that SpamAssassin is giving a spam rating to each piece of mail sent to your server.
Congratulations! You now have a working email server that will reject a large proportion of spam email, and a spam filter which should mark the rest as spam. Be sure to turn a regular eye to your /var/log/maillog file to make sure your server is not rejecting any wanted email.
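One way to do the regular review of /var/log/maillog for wrongly rejected mail, as an added example that is not part of the original article. The log lines are constructed in the style of Postfix smtpd reject entries (exact wording differs between Postfix versions), and known_domains is a hypothetical set of domains you expect legitimate mail from.

```python
import re
from collections import Counter

# Constructed sample lines; the last one is a normal delivery and is skipped.
SAMPLE_LOG = """\
Jun 16 14:25:03 mail postfix/smtpd[2114]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using sbl.spamhaus.org; from=<promo@bulk.example> to=<user@example.com> proto=ESMTP helo=<bulk.example>
Jun 16 14:26:40 mail postfix/smtpd[2114]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dul.dnsbl.sorbs.net; from=<bob@partner.example> to=<user@example.com> proto=ESMTP helo=<mail.partner.example>
Jun 16 14:27:12 mail postfix/smtpd[2120]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 504 5.5.2 <laptop>: Helo command rejected: need fully-qualified hostname; from=<x@bulk.example> to=<user@example.com> proto=SMTP helo=<laptop>
Jun 16 14:28:00 mail postfix/local[2131]: 6054B5709E7: to=<user@example.com>, relay=local, delay=0, status=sent (mailbox)
""".splitlines()

REJECT = re.compile(
    r"reject: (?P<stage>\w+) from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<text>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
RBL = re.compile(r"blocked using (?P<zone>[\w.-]+)")
# Optional enhanced status code and "<argument>: " in front of the reason text.
PREFIX = re.compile(r"^(?:\d\.\d+\.\d+ )?(?:<[^>]*>: )?")

def parse_rejects(lines):
    """Yield one dict per reject line; all other log lines are skipped."""
    for line in lines:
        m = REJECT.search(line)
        if m:
            rec = m.groupdict()
            rbl = RBL.search(rec["text"])
            rec["cause"] = ("rbl:" + rbl.group("zone") if rbl
                            else PREFIX.sub("", rec["text"]))
            yield rec

def review(lines, known_domains):
    """Count rejects per cause; return those whose sender domain is known."""
    rejects = list(parse_rejects(lines))
    counts = Counter(r["cause"] for r in rejects)
    suspects = [r for r in rejects
                if r["sender"].rpartition("@")[2].lower() in known_domains]
    return counts, suspects

if __name__ == "__main__":
    counts, suspects = review(SAMPLE_LOG, {"partner.example"})
    for cause, n in counts.most_common():
        print(n, cause)
    for r in suspects:
        print("check:", r["code"], r["sender"], "from", r["ip"], "->", r["cause"])
```

A 5xx code in the suspects list means the sender received a bounce, while a 4xx code means their server will retry, so the first kind needs attention sooner.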
June 16th, 2005 at 14:25
Hello.
I followed those steps, but I wasn’t able to send a mail to my recipient. In maillog it’s showing “delivered to command to: /USR/BIN/PROCMAIL”
What do I need to change in main.cf?
Please send me a reply as soon as possible.
August 19th, 2007 at 2:46
The example spamfilter.sh is why it won’t work. If you look at it you will see it is using sendmail and not postfix!!!