installing python without X11 support on OpenBSD

Posted on May 3rd, 2006 in code, spam by skip

I wanted to install pyzor so spamassassin could use it… but pyzor requires python, and the default OpenBSD port of Python requires x11, which doesn’t get installed on my mail servers.

# cd /usr/ports/lang/python/2.4
# make show=FLAVORS
no_expat no_gdbm no_idle no_mpz no_tkinter no_bsddb  no_tests no_tools
# make show=FLAVOR
# export FLAVOR=no_tkinter
# make show=FLAVOR
no_tkinter
# make install clean

community backup mx-ing

Posted on April 26th, 2006 in code, spam by skip

I run MX for my domains, some good friends do the same. Let’s be backup MX for each other…

  1. Everyone should have strong anti-spam server settings. If there’s a weak link then it’ll be exploited by spammers. They love backup mx’s.
  2. Make similar changes to your sendmail.mc:
    define(`confTO_QUEUEWARN', `8d')dnl
    define(`confTO_QUEUEWARN_NORMAL', `9d')dnl
    define(`confTO_QUEUEWARN_URGENT', `7d')dnl
    define(`confTO_QUEUEWARN_NOURGENT', `10d')dnl
    define(`confTO_QUEUERETURN', `16d')dnl
  3. Add your friends’ domains to relay-domains
  4. Add something like this to mailertable:
    fif3.com esmtp:[mail.fif3.com]
    .fif3.com esmtp:[mail.fif3.com]
  5. Remake sendmail.cf and mailertable hash and restart sendmail. Done.
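One thing worth checking before the "remake and restart" step: every domain you accept relay for in relay-domains should have a matching route in mailertable, otherwise you are agreeing to take mail you have no idea how to hand on. The script below is an added example, not part of the original post or of sendmail; the file names and the sample entries (fif3.com from the post, plus a constructed friend.example with no route) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: cross-check relay-domains against mailertable.
# For each domain listed in relay-domains, require a mailertable entry
# for the domain itself or for its ".domain" subdomain form.

relay_check() {
    rd=$1   # path to relay-domains (one domain per line, # comments allowed)
    mt=$2   # path to mailertable (domain<whitespace>mailer:[host])
    rc=0
    while read -r dom; do
        [ -z "$dom" ] && continue
        case "$dom" in "#"*) continue ;; esac
        # awk exits 0 only when a matching first field was seen
        if ! awk -v d="$dom" '$1 == d || $1 == ("." d) { found = 1 }
                              END { exit !found }' "$mt"; then
            echo "no mailertable route for $dom"
            rc=1
        fi
    done < "$rd"
    return $rc
}

# Constructed sample files: friend.example is relayed but has no route.
relay_write_samples() {
    cat > "$1/relay-domains" <<'EOF'
# domains we are backup MX for
fif3.com
friend.example
EOF
    cat > "$1/mailertable" <<'EOF'
fif3.com    esmtp:[mail.fif3.com]
.fif3.com   esmtp:[mail.fif3.com]
EOF
}

# Usage: relay_check /etc/mail/relay-domains /etc/mail/mailertable
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    relay_check "$1" "$2"
fi
```

Run it against the real /etc/mail files as part of whatever script regenerates your hash maps; a non-zero exit means a friend's domain is accepted but unroutable.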

upgrading sendmail to berkeley db 4 on openbsd for snert milters

Posted on March 31st, 2006 in code, spam by skip

I’m very much a fan of blocking spam as early in the transaction as possible. To this end I use a variety of sendmail tweaks, milters, greylisting etc to keep spam from even being accepted. Recently I ran into the problem that my favorite set of milters required Berkeley DB4 to work… though OpenBSD ships with Berkeley DB1 installed and Sendmail compiles to use DB1 as well. Here’s my adventure through installing DB4, recompiling sendmail to use it, and then reinstalling the milters. Here’s the text file to make using the scripts easier. Good luck.

## install bdb4 from ports ##
cd /usr/ports/databases/db/v4/ && make install

## recompile sendmail to use bdb4 (berkeley db 4) ##
vi /root/downloads/sendmail-8.13.6/devtools/Site/site.config.m4

dnl
#########################################################
APPENDDEF(`confMAPDEF', `-DFAST_PID_RECYCLE')dnl
APPENDDEF(`confMAPDEF', `-D_FFR_USE_SETLOGIN')dnl
APPENDDEF(`confMAPDEF', `-DMILTER')dnl
APPENDDEF(`confMAPDEF', `-DNEWDB')dnl
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/db4 -R/usr/local/lib')dnl
APPENDDEF(`confINCDIRS', `-I/usr/local/include/db4')dnl
#########################################################

cd /root/downloads/sendmail-8.13.6 && rm obj.OpenBSD.*
sh Build && sh Build install

## build the snert milters ##
cd /root/downloads/snert && for i in *.tar.gz ;do tar zxvf ${i} ;done
cd /root/downloads/snert/com/snert/src/lib &&
make clean
cd /root/downloads/snert/com/snert/src/lib &&
./configure --with-db=/usr/local && make && make build && make install

cd /root/downloads/snert/com/snert/src/milter-gris && \
sed -e s/450/451/g < milter-gris.c > milter-gris.451.c && \
mv milter-gris.451.c milter-gris.c

cd /root/downloads/snert/com/snert/src/milter-limit && \
sed -e s/450/451/g < milter-limit.c > milter-limit.451.c && \
mv milter-limit.451.c milter-limit.c

function pimp {
cd /root/downloads/snert/com/snert/src/milter-${1} &&
make clean
cd /root/downloads/snert/com/snert/src/milter-${1} &&
./configure --enable-run-user=_vilter --enable-run-group=_vilter \
--enable-pid=/var/ram/milter-${1}.pid \
--enable-cache-type=bdb --enable-socket=/var/ram/milter-${1}.sock \
--enable-cache-file=/var/ram/milter-${1}.cache &&
make && make build && make install
}
pimp limit
pimp gris
pimp error
pimp date

## put the proper settings in your mc file, note that order here is important ##
INPUT_MAIL_FILTER(`milter-gris', `S=unix:/var/ram/milter-gris.sock, T=C:1m;S:30s;R:30s;E:1m')dnl
INPUT_MAIL_FILTER(`milter-limit', `S=unix:/var/ram/milter-limit.sock, T=C:1m;S:30s;R:30s;E:1m')dnl
INPUT_MAIL_FILTER(`milter-date', `S=unix:/var/ram/milter-date.sock, T=C:1m;S:30s;R:30s;E:1m')dnl
INPUT_MAIL_FILTER(`milter-error', `S=unix:/var/ram/milter-error.sock, T=C:1m;S:30s;R:30s;E:1m')dnl
INPUT_MAIL_FILTER(`smtp-vilter', `S=unix:/var/smtp-vilter/smtp-vilter.sock, T=C:1m;S:30s;R:30s;E:1m')dnl

## rebuild the sendmail databases with the new makemap ##
cd /etc/mail/ && newaliases
for i in access genericstable mailertable virtusertable ;do makemap hash $i < $i ;done
m4 /usr/src/gnu/usr.sbin/sendmail/cf/m4/cf.m4 /etc/mail/openbsd-proto-skip.mc > /etc/mail/sendmail.cf
if [[ `ps aux|grep -vi grep |grep -i sendmail` ]]
then kill `head -1 /var/run/sendmail.pid`
else echo "no sendmail found to kill"
fi
rm /etc/mail/helpfile 1>/dev/null 2>/dev/null
touch /etc/mail/helpfile 1>/dev/null 2>/dev/null
/usr/sbin/sendmail -L sm-mta -bd -q15m

## start the milters ##
/usr/local/libexec/milter-limit -f /etc/mail/sendmail.cf -n -t 60 -z bdb,/var/ram/milter-limit.cache -H /var/ram/milter-limit.sock
/usr/local/libexec/milter-date -A 90000 -r -f /etc/mail/sendmail.cf /var/ram/milter-date.sock
/usr/local/libexec/milter-gris -b 300 -C 1209600 -f /etc/mail/sendmail.cf -H -g 100 -I 120 -k ip,helo,mail,rcpt -n -r 75 -t 60 -z bdb,/var/ram/milter-gris.cache /var/ram/milter-gris.sock
/usr/local/libexec/milter-error -a tag -c 600 -e 12 -f /etc/mail/sendmail.cf -H -v all -z bdb,/var/ram/milter-error.cache /var/ram/milter-error.sock

## done ##

(smtp) defense in depth: part 2

Posted on June 19th, 2005 in code, spam by skip

The quicker you block spammers the better. Here’s my recipe:

1. OpenBSD’s PF firewall redirects all incoming SMTP connections to the SPAMD daemon for greylisting. I hate repeating stuff, so at this point you should go read the links I’ve put at the end of this. Other people have written about it way better than I could. It’s a freaking elegant solution really, saving me a ton of resources in that a lot of “undesirables” are stopped at the gate and never get to ring my doorbell, make me put on the robe and slippers and saunter to the door, gold chain hanging around my neck, just to tell them I’m not interested in their DirectTv offer.

2. Once they pass greylisting (which all “real” MTAs will) an SMTP client has to behave correctly when dealing with sendmail: FEATURE(`greet_pause', `10000')dnl FEATURE(`conncontrol', `nodelay', `terminate')dnl FEATURE(`ratecontrol', `nodelay', `terminate')dnl define(`confBAD_RCPT_THROTTLE', `1')dnl etc… some omgwtfbbq EASY config steps which will block 99% of crappy perl scripts, SMTP worms and old spam shotguns in a heartbeat. Here’s my openbsd-proto-skip.mc for your reading pleasure.

Don’t forget to m4 /usr/src/gnu/usr.sbin/sendmail/cf/m4/cf.m4 /etc/mail/openbsd-proto-skip.mc > /etc/mail/sendmail.cf

3. Upon submitting a message, smtp-vilter runs it through clam anti-virus and spamassassin’s spamd BEFORE sendmail accepts it (yes in almost real time… the delay is negligible). I use a mysql backend for spamassassin and have assigned a ten point spam threshold for this step, because if a message receives ten points by spamassassin it will be rejected. This is an important step… while I do spend a bit more up front on filtering the SMTP transactions on the fly, overall I win because it simply ends there. No procmail calling various tools and perl and written to my drives etc… it’s over right there. There’s some papers on the false-positive rate of spamassassin being godlike at a threshold of ten. For those of you who can’t miss that one in a million email, go for a threshold of say, twelve, I guess. A spam message with an absurdly high spamassassin rating should never get through to end users.

By the way, thus far I haven’t /dev/null’d anything. The worst that I’ve done is to outright REJECT an smtp client (the whole spamassassin thing) and guess what, eventually that’ll bounce back to the sender. If you’re worried about deleting spam because of false-positives… rejecting is a far better solution because, in the case that it was a false-positive, at least now the person will know that his email was rejected, so he can pick up the phone and call.

4. Also running as a milter is vthrottle, which will temporarily reject (delay) hosts which attempt to send mail too many times per minute for my tastes. The beauty of SMTP is how much redundancy is built in. At any point in the SMTP transaction, one party can say “oh uh yah ummm I’ve got to go for a minute, could you call back in like an hour? k thanks”

5. I’m against outright blacklisting of hosts using any of the million RBL lists… though I will allow spamassassin to add points onto messages that appear on said lists. Too many horror stories of people being wrongly listed and having to beg nazi list owners to remove them, only to get the answer of “You chose the wrong ISP so we won’t un-blacklist you now go away”.

6. In a corp setting there will often be an email server such as Lotus or Exchange or Quickmail Pro… leave the existing server intact, but don’t make it your MX. Place a hardened OpenBSD box with these mods out there as your MX, and have it hand off mail to the “real” mail server. Also a good idea because some of the anti-spam settings don’t play well when email clients are connecting directly to send mail, which should be handled by your internal mail server anyway, and not your MX…
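Because these sendmail settings only work if the m4 actually sees them, here is an added sanity check (my own script, not from the post and not part of sendmail) to run over an .mc file before regenerating sendmail.cf. It flags two failure modes that recur when config is pasted from a web page: non-ASCII "smart" quotes in place of m4's `...' quoting, which make define() and FEATURE() silently wrong, and a hardening directive from step 2 that got dropped. The directive list and the sample files are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example: lint a sendmail .mc file before running m4 over it.

# Print every line (with its number) containing a byte outside printable
# ASCII: curly quotes, primes and en dashes all land here. Tabs are
# legitimate, so they are turned into spaces first.
mc_bad_quotes() {
    LC_ALL=C tr '\t' ' ' < "$1" | LC_ALL=C grep -n '[^ -~]'
}

# Report hardening directives that do not appear at all. Returns 0 when
# all are present, 1 otherwise. The list is the set used in step 2 above
# plus the privacy flags from part 1.
mc_missing_features() {
    missing=0
    for want in greet_pause conncontrol ratecontrol \
                confBAD_RCPT_THROTTLE confPRIVACY_FLAGS; do
        if ! grep -q "$want" "$1"; then
            echo "missing: $want"
            missing=1
        fi
    done
    return $missing
}

# Constructed samples: a clean file, and one pasted from a web page with
# smart quotes on the first line and the ratecontrol FEATURE dropped.
mc_write_samples() {
    cat > "$1/good.mc" <<'EOF'
FEATURE(`greet_pause', `10000')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
define(`confBAD_RCPT_THROTTLE', `1')dnl
define(`confPRIVACY_FLAGS', `needmailhelo,noexpn,novrfy,authwarnings,noetrn,noverb,goaway,nobodyreturn,noreceipts,restrictmailq,restrictqrun')dnl
EOF
    cat > "$1/bad.mc" <<'EOF'
FEATURE(`greet_pause’, `10000’)dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
define(`confBAD_RCPT_THROTTLE', `1')dnl
define(`confPRIVACY_FLAGS', `goaway,restrictmailq,restrictqrun')dnl
EOF
}

# Usage: mc_lint /etc/mail/openbsd-proto-skip.mc
mc_lint() {
    mc_bad_quotes "$1" && echo "non-ASCII characters found above" >&2
    mc_missing_features "$1"
}

if [ -n "${1:-}" ]; then
    mc_lint "$1"
fi
```

Wire it in ahead of the m4 step so a bad paste fails loudly instead of producing a sendmail.cf with the hardening quietly missing.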

=======================================
That’s pretty much it… Read these:
http://www.acme.com/mail_filtering/
Article that was slashdotted a few weeks ago. “Or, how to block a few million spams per day without breaking a sweat.”

http://www.benzedrine.cx/relaydb.html
“Annoying spammers with pf and spamd.”

http://www.aei.ca/~pmatulis/pub/obsd_mfg-1.html
“Installing an OpenBSD mail filter gateway with smtp-vilter, Clam AV, and SpamAssassin”

http://www.flakshack.com/anti-spam/wiki/index.php
“Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC.”

http://www.maildroid.org/
“MailDroid is a special “distro” of the popular OpenBSD operating system that is optimized to provide a secure, spam fighting, virus killing, Mail Filtering Gateway, ‘right out of the box’.”

http://www.scanmail-software.com/support/sendmailtuning.html
Sendmail Performance Tuning for Ptsfilter.

http://www.linux-sxs.org/internet_serving/sendm2.html
“Describes installing Sendmail to utilize some of it’s neater features, to be a little more secure (we will run Sendmail under a non-root id), and so we have a better understanding of Sendmail itself.”

http://www.technoids.org/
http://www.technoids.org/dossed.html
“The recent flood of spam, viruses and trojaned Windows machines has brought a dramatic increase in attacks on e-mail servers, including (but not limited to) denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, Joe Jobs, dictionary attacks, slamming, and other assorted nuisances. This document describes some sendmail facilities–many of them new in version 8.13–that can help foil these attacks.”

http://perlcode.org/lists/vps-mail/msg01572.html
“Re: [vps-mail] Email dictionary attacks – what would you do?”

http://sunsite.mff.cuni.cz/MIRRORS/ftp.mysql.com/doc/en/Adding_users.html
“4.3.5 Adding New Users to MySQL”

http://wiki.apache.org/spamassassin/UsingSQL
How to use spamassassin with SQL.

(smtp) defense in depth: part 1

Posted on June 14th, 2005 in code, spam by skip

I recently have gone on a spam rampage… a sprampage if you will. I used to have it in me to “collect” spam, I guess I thought that someday it might be worth something. I dunno. Anyway I’m tired of them using all my bandwidth and clogging up my server. My server was receiving around 50,000 garbage messages a day, which I admit isn’t much, but there’s really only myself and my wife using this machine, spam trap accounts and whatnot. Anyway, after my sprampage there’s maybe two spams that get delivered a day, both of which are tagged as such.

The coolest thing I think is spamd graylisting everyone, with honeypot addresses feeding the blacklist. Essentially no one ever connects directly to the real SMTP server until they’re whitelisted by spamd. I fell in love with PF from the moment we met…

greylisting using openbsd’s spamd, blacklisting using spews1. (greylisting whitepaper here)

“Greylisting is a new weapon to use against spam in this great war being waged upon it. Greylisting is related to whitelisting and blacklisting. What happen is that each time a given mailbox receives an email from an unknown contact (ip), that mail is rejected with a “try again later”-message (This happens at the SMTP layer and is transparent to the end user). This, in the short run, means that all mail gets delayed a few minutes until the sender tries again, but most spam is not sent out using RFC compliant MTAs; the spamming software will not try again later.”

sendmail config tuning. This is more important than many people give it credit for… I’ve been doing this for years, but recently found a nice writeup at acme.com

– tune sendmail delays and timeouts. The default sendmail timeouts are absurd, and introducing a few seconds of pre-greeting delay easily weeds out the email worms and poorly written spamming engines.
– privacy flags w00t. “needmailhelo, noexpn, novrfy, authwarnings, noetrn, noverb, goaway, nobodyreturn, noreceipts, restrictmailq, restrictqrun”

spamassassin spam filtering and tagging. Simply the best anti-spam software ever. I use spamassassin to tag spam, which can then be filtered and sorted client-side. If a given message receives a spam score over a given threshold, I no longer deliver it, but send it directly to /dev/null through procmail. This ensures that any false-positives still arrive at their destination… but obvious spam is simply deleted.

procmail delivery sorting. Allows me to tag messages with topic headers for accurate sorting.

Other tweaks:
– caching DNS server for localhost
– RAID array for /var/mail and /home
– stunnel and sendmail configured for SSL-SMTP
– SSL IMAP and POP3
– mysql on localhost
– openbsd pf firewall priq tcp prioritization (spamd connections are low priority)

By the way, this is a great article.

favorite spammer MTAs

Posted on May 29th, 2003 in code, spam by skip

omg. i had this cool idea while groking raw mail files… i don’t need to portscan the internet for smtp hosts, they mostly add their type/version to the email headers of messages that pass through. cool. then i noticed a few MTAs that i’ve never seen before…
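The survey described above can be automated: every hop stamps a Received: header, and the software name (or sendmail's version pair) sits in parentheses right after the "by <host>" clause. Below is an added example of my own, not from the post, that unfolds the headers of an mbox file and tallies those tokens. The mbox layout and the sample messages are constructed for the demonstration (example.org/example.net hosts, a made-up "UnknownMTA 0.9" standing in for the unfamiliar MTAs the post mentions).

```shell
#!/bin/sh
# Added example: count which MTA software appears in Received: headers.

mta_survey() {
    # awk: walk an mbox, keep only header lines, and unfold continuation
    # lines (those starting with space or tab) onto the line they belong to.
    awk '
        /^From /  { inhdr = 1; if (buf != "") print buf; buf = ""; next }
        /^$/      { if (buf != "") print buf; buf = ""; inhdr = 0; next }
        !inhdr    { next }
        /^[ \t]/  { buf = buf " " $0; next }
                  { if (buf != "") print buf; buf = $0 }
        END       { if (buf != "") print buf }
    ' "$1" |
    # sed: from each Received: header take the parenthesised token that
    # follows "by <hostname>", i.e. the receiving MTA's self-description.
    sed -n 's/^Received:.*[[:space:]]by[[:space:]][^[:space:]]*[[:space:]](\([^)]*\)).*/\1/p' |
    sort | uniq -c | sort -rn
}

# Constructed sample mailbox: two messages, four hops in total.
mta_write_sample() {
    cat > "$1" <<'EOF'
From sender@example.net Sun May 29 10:00:00 2005
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org (8.13.6/8.13.6) with ESMTP id j4TH0a0001
    for <skip@example.org>; Sun, 29 May 2005 10:00:00 -0700
Received: from relay.example.net (localhost [127.0.0.1])
    by mx.example.net (Postfix) with ESMTP id 1A2B3C
Subject: hello

body text

From bulk@example.com Sun May 29 10:05:00 2005
Received: from host-203-0-113-5.example.com ([203.0.113.5])
    by mail.example.org (8.13.6/8.13.6) with SMTP id j4TH5b0002
Received: from unknown
    by host-203-0-113-5.example.com (UnknownMTA 0.9) with SMTP
Subject: offer

body text
EOF
}

# Usage: mta_survey /var/mail/spamtrap
if [ -n "${1:-}" ]; then
    mta_survey "$1"
fi
```

Run it over a spam-trap mailbox and the rarely seen names float to the bottom of the list; the greedy `.*` in the sed expression deliberately picks the last "by" clause, which is the one the receiving host wrote.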
