I have a problem getting spamd and sendmail (both stock CentOS4 rpms) to work together on a couple of smtp relay machines. This is clearly a configuration issue and no doubt revolves around my lack of comprehension of how this is to work.

Basically, the setup consists of two frontend public smtp transports that redirect all email through a firewall to an internal imap server for final delivery. The firewall and sendmail access map prohibit connections to the imap server except for the local MX gateway. The external MX gateway is a fallback mx server that routes everything it queues through the primary gateway.

So:

MX 2 routes to MX 1 that routes to IMAP

MX 2 and MX 1 are running spamd.

the sendmail.m4 file has the following at its very end:

dnl #
dnl # MAILERs are always last after all FEATURES are defined
MAILER(smtp)dnl
MAILER(procmail)dnl

The contents of /etc/procmailrc are:

:0fw
| /usr/bin/spamassassin

Spamd is running on both.

There is a local configuration rule set in /etc/mail/spamassassin/local.cf

Passing a test message through spamc on MX 1 or MX 2 does not seem to pick up this rule even for messages constructed to trigger it. Passing spam messages through spamc -R identifies messages that have passed through the relays without any spam tags as being high scoring spam.

What am I doing wrong?

Regards,
Jim

--
*** e-mail is NOT a secure channel ***
James B. Byrne                mailto:ByrneJB.<token>@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3CE               delivery <token> = hal

On Mon, 2005-06-27 at 11:55, James B. Byrne wrote:
> I have a problem getting spamd and sendmail (both stock CentOS4 rpms)
> to work together on a couple of smtp relay machines. This is clearly
> a configuration issue and no doubt revolves around my lack of
> comprehension of how this is to work.
>
> Basically, the setup consists of two frontend public smtp transports
> that redirect all email through a firewall to an internal imap server
> for final delivery. The firewall and sendmail access map prohibit
> connections to the imap server except for the local MX gateway. The
> external MX gateway is a fallback mx server that routes everything it
> queues through the primary gateway.
>
> So:
>
> MX 2 routes to MX 1 that routes to IMAP
>
> MX 2 and MX 1 are running spamd.
>
> the sendmail.m4 file has the following at its very end:
>
> dnl #
> dnl # MAILERs are always last after all FEATURES are defined
> MAILER(smtp)dnl
> MAILER(procmail)dnl
>
>
> The contents of /etc/procmailrc are:
>
> :0fw
> | /usr/bin/spamassassin
>

Procmail only runs during local delivery to a mailbox. If you are relaying on to a 3rd IMAP machine it will go via the smtp mailer, not procmail. A good approach for this is to run MimeDefang (http://www.mimedefang.org) with the sendmail milter interface and let it coordinate your virus and spam scans.

--
Les Mikesell
lesmikesell at gmail.com

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of James B. Byrne
> Sent: Monday, June 27, 2005 11:56 AM
> To: centos at centos.org
> Subject: [CentOS] sendmail and spamassassin
>
> I have a problem getting spamd and sendmail (both stock CentOS4 rpms)
> to work together on a couple of smtp relay machines. This is clearly
> a configuration issue and no doubt revolves around my lack of
> comprehension of how this is to work.
>
> Basically, the setup consists of two frontend public smtp transports
> that redirect all email through a firewall to an internal imap server
> for final delivery. The firewall and sendmail access map prohibit
> connections to the imap server except for the local MX gateway. The
> external MX gateway is a fallback mx server that routes everything it
> queues through the primary gateway.
>
> So:
>
> MX 2 routes to MX 1 that routes to IMAP
>
> MX 2 and MX 1 are running spamd.
>
> the sendmail.m4 file has the following at its very end:
>
> dnl #
> dnl # MAILERs are always last after all FEATURES are defined
> MAILER(smtp)dnl
> MAILER(procmail)dnl
>
>
> The contents of /etc/procmailrc are:
>
> :0fw
> | /usr/bin/spamassassin
>
>
> Spamd is running on both.
>
> There is a local configuration rule set in
> /etc/mail/spamassassin/local.cf
>
> Passing a test message through spamc on MX 1 or MX 2 does not seem to
> pick up this rule even for messages constructed to trigger it.
> Passing spam messages through spamc -R identifies messages that have
> passed through the relays without any spam tags as being high scoring
> spam.
>
> What am I doing wrong?

Regardless of your test, your biggest problem is that procmail isn't, and won't be, run on your MX machines because they are not doing local delivery to the mailboxes as I understand your setup. Procmail only comes into play when the messages are being put into the user's mailboxes.

You'll want to look at something like MailScanner if you want to do all your spam/virus filtering on your MX servers since that works directly with the queue files and re-injects them back into an outgoing queue for final delivery. There are some drawbacks to that, primarily being that you can't have per-user variation, but we did it quite successfully for several years for ~37,000 users with the same type of architecture you are trying to implement. We have since moved to using MailScanner on our MXs for virus checks, attachment stripping and general mal-ware removal only and our local delivery machines run spamd as a postfix filter so that we can have per-user spam settings.

There are quite a few how-tos out there to help you, starting with the spamassassin wiki.

--
Marc

James B. Byrne wrote:
> I have a problem getting spamd and sendmail (both stock CentOS4 rpms)
> to work together on a couple of smtp relay machines. This is clearly
> a configuration issue and no doubt revolves around my lack of
> comprehension of how this is to work.
>
> Basically, the setup consists of two frontend public smtp transports
> that redirect all email through a firewall to an internal imap server
> for final delivery. The firewall and sendmail access map prohibit
> connections to the imap server except for the local MX gateway. The
> external MX gateway is a fallback mx server that routes everything it
> queues through the primary gateway.
>
> So:
>
> MX 2 routes to MX 1 that routes to IMAP
>
> MX 2 and MX 1 are running spamd.
>
> the sendmail.m4 file has the following at its very end:
>
> dnl #
> dnl # MAILERs are always last after all FEATURES are defined
> MAILER(smtp)dnl
> MAILER(procmail)dnl
>
>
> The contents of /etc/procmailrc are:
>
> :0fw
> | /usr/bin/spamassassin
>
>
> Spamd is running on both.
>
> There is a local configuration rule set in
> /etc/mail/spamassassin/local.cf
>
> Passing a test message through spamc on MX 1 or MX 2 does not seem to
> pick up this rule even for messages constructed to trigger it.
> Passing spam messages through spamc -R identifies messages that have
> passed through the relays without any spam tags as being high scoring
> spam.
>
> What am I doing wrong?
>
> Regards,
> Jim

Procmail can only take action on locally delivered mail. I suggest using MailScanner for a complete, free & open solution.

http://www.mailscanner.info
http://wiki.mailscanner.info

Other people will probably recommend Amavis, but I've never used it.

James B. Byrne wrote:
> I have a problem getting spamd and sendmail (both stock CentOS4 rpms)
> to work together on a couple of smtp relay machines. This is clearly
> a configuration issue and no doubt revolves around my lack of
> comprehension of how this is to work.
>
> Basically, the setup consists of two frontend public smtp transports
> that redirect all email through a firewall to an internal imap server
> for final delivery. The firewall and sendmail access map prohibit
> connections to the imap server except for the local MX gateway. The
> external MX gateway is a fallback mx server that routes everything it
> queues through the primary gateway.
>
> So:
>
> MX 2 routes to MX 1 that routes to IMAP
>
> MX 2 and MX 1 are running spamd.
>
> the sendmail.m4 file has the following at its very end:
>
> dnl #
> dnl # MAILERs are always last after all FEATURES are defined
> MAILER(smtp)dnl
> MAILER(procmail)dnl
>
>
> The contents of /etc/procmailrc are:
>
> :0fw
> | /usr/bin/spamassassin
>
>
> Spamd is running on both.
>
> There is a local configuration rule set in
> /etc/mail/spamassassin/local.cf
>

You need a milter interface instead of just procmail (it is a local delivery program).

My solution
===================================================================

Installation
++++++++++++

Milan Kerslager repository
ftp://ftp.linux.cz/pub/linux/people/milan_kerslager/RHEL-4/stable/
-----------------------------------------------
yum install clamav-milter clamav cvgfilter spamass-milter spamassassin sendmail-cf
-----------------------------------------------

Add to system startup
-----------------------------------------------
/sbin/chkconfig clamd on
/sbin/chkconfig freshclam on
/sbin/chkconfig clamav-milter on
/sbin/chkconfig cvgfilter on
/sbin/chkconfig spamassassin on
/sbin/chkconfig spamass-milter on
/sbin/chkconfig sendmail on
-----------------------------------------------

Make helper scripts
-----------------------------------------------
echo '#!/bin/bash
/sbin/service freshclam start
/sbin/service clamd start
/sbin/service clamav-milter start
/sbin/service cvgfilter start
/sbin/service spamassassin start
/sbin/service spamass-milter start
/sbin/service sendmail start
' |cat >/root/bin/mail.start

echo '#!/bin/bash
/sbin/service sendmail stop
/sbin/service spamass-milter stop
/sbin/service spamassassin stop
/sbin/service cvgfilter stop
/sbin/service clamav-milter stop
/sbin/service clamd stop
/sbin/service freshclam stop
' | cat >/root/bin/mail.stop

echo '#!/bin/bash
/root/bin/mail.stop
/root/bin/mail.start
' | cat >/root/bin/mail.restart

chmod 700 /root/bin/mail.*
-----------------------------------------------

Configuration
+++++++++++++

Changes in /etc/mail/sendmail.mc
-----------------------------------------------
dnl # only PEPA goes out
dnl define(`SMART_HOST',`smtp.your.provider')
define(`SMART_HOST',`XXXXX')
dnl # Attachments up to 20M
dnl define(`UUCP_MAILER_MAX', `2000000')dnl
define(`UUCP_MAILER_MAX', `20000000')dnl
dnl # Slightly change the behaviour on undeliverable mail
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_QUEUEWARN', `6h')dnl
define(`confTO_QUEUERETURN', `2d')dnl
define(`confQUEUE_LA', `12')dnl
define(`confREFUSE_LA', `18')dnl
dnl # Not sure
dnl dnl FEATURE(always_add_domain)dnl
dnl FEATURE(always_add_domain)dnl
dnl # dangerous, spam-prone
dnl
dnl dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl # We must accept on all interfaces ...
dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
-----------------------------------------------

and before mailers in /etc/mail/sendmail.mc
-----------------------------------------------
dnl # OPEN RELAY Check ...
dnl
FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl
dnl # clamav-milter - from README ...
dnl
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav/clamav-milter.sock, F=,T=S:4m;R:4m;E:10m')dnl
dnl # CVGFILTER - from README ...
dnl
define(`_FFR_MILTER', `1')dnl
INPUT_MAIL_FILTER(`cvgfilter', `S=unix:/var/run/cvgfilter.sock, F=T')dnl
dnl # SPAMASSASSIN
dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
-----------------------------------------------

/etc/sysconfig/clamav-milter
-----------------------------------------------
CLAMAV_FLAGS="--max-children=80 --force-scan -HP -p viry at madeta.cz --server=localhost local:/var/run/clamav/clamav-milter.sock"
-----------------------------------------------

/etc/mail/spamassassin/local.cf
-----------------------------------------------
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

# additional
rewrite_subject 1
subject_tag [SPAM]
fold_headers 0
#clear_headers
remove_header all Report
#remove_header all Status
#remove_header all Level
#remove_header all Flag
#add_header all Status _YESNOCAPS_ , _STARS(*)_, hits=_HITS_ required=_REQD_
-----------------------------------------------

=======================================================================

/root/bin/mail.restart

and enjoy the show ...

--
Petr Klíma
JIHOMILK a.s.
Rudolfovská 246/83
370 50 České Budějovice
Czech Republic
phone: +420 389 136 209
e-mail: petr.klima at jihomilk.cz
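
An added example, not part of the original thread or of any project named in it: the INPUT_MAIL_FILTER entries in the configuration above set the F= flag differently, and that flag decides what sendmail does when a milter socket is unreachable (R rejects, T tempfails, empty lets the mail through unscanned). The sketch below lists the active filters in a sendmail.mc and flags the ones that pass mail unfiltered on failure. The function names and the one commented-out sample line are constructed for illustration.

```python
import re

# Constructed sample: the three milter lines from the post above, plus one
# made-up dnl-commented entry to show that disabled lines are skipped.
SAMPLE_MC = r"""
dnl INPUT_MAIL_FILTER(`disabled-example', `S=local:/tmp/example.sock, F=T')dnl
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav/clamav-milter.sock, F=,T=S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`cvgfilter', `S=unix:/var/run/cvgfilter.sock, F=T')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
"""

# An active entry starts the line; a leading "dnl" makes m4 discard it.
FILTER_RE = re.compile(r"^\s*INPUT_MAIL_FILTER\(`([^']+)',\s*`([^']*)'\)")

# Meaning of the milter F= flag when the filter cannot be reached.
ON_FAILURE = {"R": "reject", "T": "tempfail", "": "pass-unfiltered"}


def parse_filters(mc_text):
    """Return [(name, socket, action_when_milter_is_down)] for active entries."""
    found = []
    for line in mc_text.splitlines():
        m = FILTER_RE.match(line)
        if not m:
            continue
        name, spec = m.groups()
        fields = {}
        for part in spec.split(","):      # S=, F=, T= are comma-separated
            key, _, value = part.strip().partition("=")
            fields[key] = value
        flag = fields.get("F", "")
        action = ON_FAILURE.get(flag, "unknown:" + flag)
        found.append((name, fields.get("S", ""), action))
    return found


def fail_open(mc_text):
    """Names of filters whose outage lets mail through unscanned."""
    return [n for n, _, action in parse_filters(mc_text) if action == "pass-unfiltered"]


if __name__ == "__main__":
    for name, sock, action in parse_filters(SAMPLE_MC):
        print(f"{name:15} {sock:45} milter down -> {action}")
    print("fail-open filters:", fail_open(SAMPLE_MC))
```

On the sample, clamav-milter and spamassassin are reported as fail-open, so a stopped clamd or spamass-milter would let mail reach the IMAP host unscanned; F=T queues it on the sending side instead.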

Thanks for all of the advice. I was afraid that I would have to add some sort of glue application to tie the two together. We run MailScanner with Sendmail, DCC, Razor and SA on the final delivery machines but I was hoping to have a frontend filter with a somewhat simpler setup from a maintenance point of view.

I have installed amavisd (from Dag Wieers repo.) on one of our MX machines for testing purposes and if, as I anticipate, I have further questions then I will be back.

Actually, I have one. The setup documentation refers to a dual sendmail setup. Will the default install work with one sendmail instance? If I have to set up two then I might as well go the whole MailScanner route.

Regards,
Jim

--
*** e-mail is NOT a secure channel ***
James B. Byrne                mailto:ByrneJB.<token>@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3CE               delivery <token> = hal