SPAM: MailScanner & Postfix


SPAM: MailScanner & Postfix

jdelaparra
Hello,

I am trying to set up MailScanner using Postfix on Suse 9.3. It will just scan mail and afterward pass it on to another mail server.  I am looking at the documentation, but I can't tell how to chroot jail in /var/spool/postfix.  Can someone shed some light on this for me?

Many thanks in advance,

~James

--
Check the headers for your unsubscription address
For additional commands send e-mail to [hidden email]
Also check the archives at http://lists.suse.com
Please read the FAQs: [hidden email]



Re: SPAM: MailScanner & Postfix

Sandy Drobic
[hidden email] wrote:
> Hello,
>
> I am trying to set up MailScanner using Postfix on Suse 9.3. It will
> just scan mail and afterward pass it on to another mail server.  I am
> looking at the documentation, but I can't tell how to chroot jail in
> /var/spool/postfix.  Can someone shed some light on this for me?

Postfix daemons can be chroot when the corresponding flag (fifth column)
is set in master.cf. Which daemon do you want to chroot?

Here are some how-to's about Postfix chroot:

http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup
http://www.postfix.org/INSTALL.html#hamlet

PS: You might want to know that Mailscanner uses unsupported features of
Postfix, so you can not expect a lot of support from the postfix mailing list.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com


Re: SPAM: MailScanner & Postfix

jdp-2
In reply to this post by jdelaparra


>>
>> I am trying to set up MailScanner using Postfix on Suse 9.3. It will
>> just scan mail and afterward pass it on to another mail server.  I am
>> looking at the documentation, but I can't tell how to chroot jail in
>> /var/spool/postfix.  Can someone shed some light on this for me?
>
>Postfix daemons can be chroot when the corresponding flag (fifth column)
>is set in master.cf. Which daemon do you want to chroot?
>
>Here are some how-to's about Postfix chroot:
>
>http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup
>http://www.postfix.org/INSTALL.html#hamlet
>
>PS: You might want to know that Mailscanner uses unsupported features of
>Postfix, so you can not expect a lot of support from the postfix mailing list.

Thank you Sandy. I am in a total bind here. I was running MailScanner & Sendmail on Mandrake, but that server crashed completely.  I was working on the Suse box as an eventual replacement, but now I need to get it up and running as quickly as possible. Oh boy!

I am looking at the Postfix main.cf, but I don't see where to chroot the daemon;
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix

The chroot-setup dir has a script for Suse 5.3

What is the best  way to do this?

Again, thank you.

~James


Re: SPAM: MailScanner & Postfix

Sandy Drobic
JDP wrote:

>
>>> I am trying to set up MailScanner using Postfix on Suse 9.3. It
>>> will just scan mail and afterward pass it on to another mail
>>> server.  I am looking at the documentation, but I can't tell how to
>>> chroot jail in /var/spool/postfix.  Can someone shed some light on
>>> this for me?
>> Postfix daemons can be chroot when the corresponding flag (fifth
>> column) is set in master.cf. Which daemon do you want to chroot?
>>
>> Here are some how-to's about Postfix chroot:
>>
>> http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup 
>> http://www.postfix.org/INSTALL.html#hamlet
>>
>> PS: You might want to know that Mailscanner uses unsupported features
>> of Postfix, so you can not expect a lot of support from the postfix
>> mailing list.
>
> Thank you Sandy. I am in a total bind here. I was running MailScanner &
> Sendmail on Mandrake, but that server crashed completely.  I was
> working on the Suse box as an eventual replacement, but now I need to
> get it up and running as quickly as possible. Oh boy!

Okay, that is a priority. I can't help you with the Mailscanner
integration, unfortunately. Was it the heat?

> I am looking at the Postfix main.cf, but I don't see where to chroot
> the daemon;
> # LOCAL PATHNAME INFORMATION
> #
> # The queue_directory specifies the location of the Postfix queue.
> # This is also the root directory of Postfix daemons that run chrooted.
> # See the files in examples/chroot-setup for setting up Postfix chroot
> # environments on different UNIX systems.
> #
> queue_directory = /var/spool/postfix
>
> The chroot-setup dir has a script for Suse 5.3
>
> What is the best  way to do this?

Hm, perhaps you are working on the basis of incorrect assumptions. Postfix
is composed of different daemons for different tasks, it is not a
monolithic beast like sendmail 8.x, more like Sendmail X.

Postfix is also very concerned about security, the only incident I can
recall in the last years was introduced by a third-party TLS-Patch for
Postfix 2.1. So I wouldn't worry too much about chrooting the daemons if
you're in a hurry to set up the system.

In the master.cf you can see lines for most of the daemons.

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

smtp      inet  n       -       n       -       100       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil

                                 ^
                                 |

Change here to "y" or "-" for chroot execution. Though you should be aware
that chroot installations are not easy. I haven't bothered till now to set
up a chroot environment. Depending on your setup you might run into
problems, such as connections to mysql database breaking, no name server
resolution for smtp delivery etc.

You can try the chroot-setup script. In your case, it might even work
since you are setting up a pure relay server without local delivery.

I would suggest you start without chroot, then set up a test environment
where you can test your installation without deadline pressure.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
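
An added example, not part of the original post or of Postfix: a shell/awk check that reads a master.cf and reports which services would run chrooted, based on the fifth column discussed above. The function names and the sample entries are constructed for illustration; treating "-" as "y" is an assumption taken from the "(yes)" in the excerpt's header, so pass "n" where the header of your own master.cf shows (no) for that column.

```sh
#!/bin/sh
# Added example: report the chroot setting of every service in a master.cf.
# Usage: chroot_report DEFAULT < master.cf
# DEFAULT ("y" or "n") is what "-" in the fifth column stands for. "y" is an
# assumption taken from the "(yes)" in the header of the excerpt above.
chroot_report() {
    awk -v def="${1:-y}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/ { next }                   # continuation of the previous entry
        NF < 8 { printf "line %d: malformed entry\n", NR; bad = 1; next }
        {
            eff = ($5 == "-") ? def : $5    # resolve "-" to the default
            if (eff != "y" && eff != "n") {
                printf "line %d: bad chroot flag %s\n", NR, $5; bad = 1; next
            }
            printf "%s/%s %s %s\n", $1, $2, (eff == "y" ? "chroot" : "no-chroot"), $8
        }
        END { exit bad + 0 }
    '
}

# Names (service/type) of the services that would run chrooted.
chrooted_services() {
    chroot_report "$1" | awk '$2 == "chroot" { print $1 }'
}

# Constructed sample input, not a real configuration.
sample_master_cf() {
    cat <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       100     smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
relay     unix  -       -       n       -       -       smtp
  -o smtp_helo_timeout=5
EOF
}

sample_master_cf | chroot_report y
```

Run against a real file with `chroot_report y < /etc/postfix/master.cf`; a non-zero exit status means at least one entry could not be parsed.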


RE: SPAM: MailScanner & Postfix

James D. Parra
In reply to this post by jdelaparra
Hello Sandy,

Just want to thank you for all of your help and suggestions on getting
Postfix running. The ultimate problem was with the configuration of
spamassassin and mailscanner.

Best regards,

James



Re: SPAM: MailScanner & Postfix

Sandy Drobic
James D. Parra wrote:
> Hello Sandy,
>
> Just want to thank you for all of your help and suggestions on getting
> Postfix running. The ultimate problem was with the configuration of
> spamassassin and mailscanner.

Hello James,

good to know that your server is up and running again. If you would like
we can tune the configuration to reject most of the spam right away
without the need to process them with mailscanner. (^-^)

I usually reject about 90-95% of attempted spam deliveries with Postfix
checks alone. It saves a lot of resources and even more important it saves
the time to check them by hand, which is necessary even when spamassassin
already marks them as spam (it's a bad idea to delete mails automatically).

It's also advisable to set up a kind of report or log review, so you know
what happened on your system during the day. pflogsumm and mailgraph for
example are easy to set up and give you a fast overview what happens on
your system.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com


Re: SPAM: MailScanner & Postfix

Patrick Shanahan
* Sandy Drobic <[hidden email]> [08-07-06 13:25]:
> If you would like we can tune the configuration to reject most of the
> spam right away without the need to process them with mailscanner.
> (^-^)

I've been following this with interest.  Please go ahead and hit the
high points to accomplish the above.

tks,
--
Patrick Shanahan                        Registered Linux User #207535
http://wahoo.no-ip.org                        @ http://counter.li.org
HOG # US1244711         Photo Album:  http://wahoo.no-ip.org/gallery2


Re: SPAM: MailScanner & Postfix

Per Jessen
In reply to this post by Sandy Drobic
Sandy Drobic wrote:

> I usually reject about 90-95% of attempted spam deliveries with
> Postfix checks alone.  

greylisting I presume?  



/Per Jessen, Zürich



Re: SPAM: MailScanner & Postfix

Sandy Drobic
Per Jessen wrote:
> Sandy Drobic wrote:
>
>> I usually reject about 90-95% of attempted spam deliveries with
>> Postfix checks alone.  
>
> greylisting I presume?  

Not yet, I am still testing greylisting on my server at home. It's the
cumulative result of HELO-, client- and sender-checks, RBLs and a bit of
tuning, a smaller percentage of spam is rejected due to message id checks.

What kind of checks are usable depends on your situation, of course. As a
company I can afford to apply stricter checks than a hosting ISP, for example.

Now, with Postfix 2.3 and Milter, I'll probably use domain key checks in
addition to greylisting soon.

Since there seems to be a bit of general interest, maybe we can put
together some guidelines and experiences about fighting spam with
Postfix, so people can find it through the archives.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
