Use postfix and spamassassin packages on CentOS 6 to reject SPAM


Use postfix and spamassassin packages on CentOS 6 to reject SPAM

Alexander Farber
Dear postfix users,

here is what I'm trying at my CentOS 6.5 Linux server:

1) Installed postfix and spamassassin packages
2) Configured postfix - it works well (see "postconf -n" below)
3) Added "-x" to the SPAMDOPTIONS in /etc/sysconfig/spamassassin
4) Added the following 2 lines to the /etc/postfix/master.cf

    smtp         inet n - n - - smtpd -o content_filter=spamassassin

    spamassassin unix - n n - - pipe user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Unfortunately, when I send the test SPAM mail with the subject

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

- it still comes through! 

And the subject isn't rewritten despite "rewrite_header Subject [SPAM]" in the unmodified /etc/mail/spamassassin/local.cf

I wonder, what have I missed? My /var/log/maillog is below too.

Regards
Alex

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    header_checks = pcre:/etc/postfix/header_checks
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, localhost
    myhostname = www.afarber.de
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_destination_concurrency_limit = 2
    smtp_destination_rate_delay = 40s
    smtp_generic_maps = hash:/etc/postfix/generic
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains = videoskat.de balkan-preferans.de simplex.ru larissa-farber.de bukvy.de slova.de
    virtual_alias_maps = hash:/etc/postfix/virtual


postfix/postfix-script[2546]: starting the Postfix mail system
postfix/master[2547]: daemon started -- version 2.6.6, configuration /etc/postfix
postfix/qmgr[2550]: D5B19807033: from=<[hidden email]>, size=1843, nrcpt=1 (queue active)
postfix/qmgr[2550]: 831CA809733: from=<[hidden email]>, size=41369, nrcpt=1 (queue active)
postfix/qmgr[2550]: 42B7A80A312: from=<[hidden email]>, size=4399, nrcpt=1 (queue active)
postfix/qmgr[2550]: AED94809D29: from=<[hidden email]>, size=28035, nrcpt=1 (queue active)
postfix/qmgr[2550]: E69AA809D3C: from=<>, size=3487, nrcpt=1 (queue active)
postfix/qmgr[2550]: 2BDE980A61B: from=<[hidden email]>, size=4073, nrcpt=1 (queue active)
postfix/qmgr[2550]: 0D37280A51F: from=<[hidden email]>, size=7888, nrcpt=1 (queue active)
postfix/smtp[2552]: D5B19807033: host gmail-smtp-in.l.google.com[74.125.136.27] said: 421-4.7.0 [144.76.184.154      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. l16si23407549wjr.0 - gsmtp (in reply to end of DATA command)
postfix/smtp[2552]: D5B19807033: to=<[hidden email]>, orig_to=<[hidden email]>, relay=alt1.gmail-smtp-in.l.google.com[74.125.25.27]:25, delay=6325, delays=6323/0/1.2/0.61, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[74.125.25.27] said: 421-4.7.0 [144.76.184.154      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. f7si4794087pdm.22 - gsmtp (in reply to end of DATA command))
postfix/smtpd[2557]: connect from mail-ie0-f180.google.com[209.85.223.180]
postfix/smtpd[2557]: B3FFF809367: client=mail-ie0-f180.google.com[209.85.223.180]
postfix/cleanup[2561]: B3FFF809367: message-id=<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=[hidden email]>
postfix/qmgr[2550]: B3FFF809367: from=<[hidden email]>, size=1767, nrcpt=1 (queue active)
spamd[2034]: spamd: connection from localhost [127.0.0.1] at port 42928
spamd[2034]: spamd: setuid to nobody succeeded
spamd[2034]: spamd: processing message <CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=[hidden email]> for nobody:99
postfix/smtpd[2557]: disconnect from mail-ie0-f180.google.com[209.85.223.180]
spamd[2034]: spamd: identified spam (999.9/5.0) for nobody:99 in 0.2 seconds, 1730 bytes.
spamd[2034]: spamd: result: Y 999 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,GTUBE,HTML_MESSAGE,T_TO_NO_BRKTS_FREEMAIL scantime=0.2,size=1730,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42928,mid=<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=[hidden email]>,autolearn=no
postfix/pickup[2549]: 3124F80A3DA: uid=99 from=<[hidden email]>
postfix/cleanup[2561]: 3124F80A3DA: message-id=<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=[hidden email]>
postfix/pipe[2562]: B3FFF809367: to=<[hidden email]>, orig_to=<[hidden email]>, relay=spamassassin, delay=0.59, delays=0.37/0.01/0/0.22, dsn=2.0.0, status=sent (delivered via spamassassin service)
postfix/qmgr[2550]: B3FFF809367: removed
spamd[2032]: prefork: child states: II
postfix/qmgr[2550]: 3124F80A3DA: from=<[hidden email]>, size=2843, nrcpt=1 (queue active)
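Added example, not part of the thread: a small Python parser over a maillog excerpt constructed after the log above (same queue ids, addresses hidden as in the post). It correlates each message accepted by smtpd with its spamd verdict and with the queue id under which spamc's sendmail re-injected it through pickup, which is the after-queue loop the master.cf lines above set up; the function name and report fields are this example's own.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt shaped after the log quoted in the first post
# (same queue ids; addresses are "[hidden email]" there as well).
MAILLOG = """\
postfix/smtpd[2557]: B3FFF809367: client=mail-ie0-f180.google.com[209.85.223.180]
postfix/cleanup[2561]: B3FFF809367: message-id=<CAADeyW=[hidden email]>
postfix/qmgr[2550]: B3FFF809367: from=<[hidden email]>, size=1767, nrcpt=1 (queue active)
spamd[2034]: spamd: identified spam (999.9/5.0) for nobody:99 in 0.2 seconds, 1730 bytes.
spamd[2034]: spamd: result: Y 999 - DKIM_SIGNED,GTUBE,HTML_MESSAGE scantime=0.2,size=1730,user=nobody,uid=99,required_score=5.0,mid=<CAADeyW=[hidden email]>,autolearn=no
postfix/pickup[2549]: 3124F80A3DA: uid=99 from=<[hidden email]>
postfix/cleanup[2561]: 3124F80A3DA: message-id=<CAADeyW=[hidden email]>
postfix/pipe[2562]: B3FFF809367: to=<[hidden email]>, relay=spamassassin, dsn=2.0.0, status=sent (delivered via spamassassin service)
postfix/qmgr[2550]: B3FFF809367: removed
postfix/qmgr[2550]: 3124F80A3DA: from=<[hidden email]>, size=2843, nrcpt=1 (queue active)
"""

# cleanup logs the message-id for both the original and the re-injected copy
MSGID_RE = re.compile(r"postfix/cleanup\[\d+\]: (\w+): message-id=(<[^>]+>)")
SPAMD_RE = re.compile(r"spamd: result: ([YN]) (-?\d+) - (\S+) .*?mid=(<[^>]+>)")
PIPE_RE = re.compile(r"postfix/pipe\[\d+\]: (\w+): .*relay=spamassassin, .*status=(\w+)")

def trace_content_filter(log):
    """Map each message accepted by smtpd to its spamd verdict and to the
    queue id under which spamc's sendmail re-injected it through pickup."""
    qids_by_mid = defaultdict(list)  # message-id -> queue ids, in log order
    verdicts = {}                    # message-id -> (is_spam, score, hit rules)
    pipe_status = {}                 # queue id -> status of the pipe delivery
    for line in log.splitlines():
        if m := MSGID_RE.search(line):
            qids_by_mid[m.group(2)].append(m.group(1))
        elif m := SPAMD_RE.search(line):
            verdicts[m.group(4)] = (m.group(1) == "Y", int(m.group(2)), m.group(3).split(","))
        elif m := PIPE_RE.search(line):
            pipe_status[m.group(1)] = m.group(2)
    report = {}
    for mid, qids in qids_by_mid.items():
        is_spam, score, hits = verdicts.get(mid, (False, 0, []))
        report[qids[0]] = {"message_id": mid, "spam": is_spam, "score": score,
                           "gtube": "GTUBE" in hits,
                           "filtered": pipe_status.get(qids[0]) == "sent",
                           "reinjected_as": qids[1:]}  # same message-id, new queue id
    return report


if __name__ == "__main__":
    for qid, info in trace_content_filter(MAILLOG).items():
        print(qid, info)
```

Running it over a real /var/log/maillog shows, per accepted message, whether spamd flagged it and which queue id carried the re-injected copy; a flagged message with a "reinjected_as" entry and no later rejection is one that header_checks must still catch.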



Re: Use postfix and spamassassin packages on CentOS 6 to reject SPAM

lists@rhsoft.net

On 11.08.2014 at 16:19, Alexander Farber wrote:
> Dear postfix users,
> here is what I'm trying at my CentOS 6.5 Linux server

please make a decision if you would like to have that topic
on the CentOS list, on the postfix list or on serverfault
which you linked at the same message to the CentOS list

http://serverfault.com/questions/619537/use-postfix-and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo

Re: Use postfix and spamassassin packages on CentOS 6 to reject SPAM

Bill Cole-3
On 11 Aug 2014, at 10:22, [hidden email] wrote:

> On 11.08.2014 at 16:19, Alexander Farber wrote:
>> Dear postfix users,
>> here is what I'm trying at my CentOS 6.5 Linux server
>
> please make a decision if you would like to have that topic
> on the CentOS list, on the postfix list or on serverfault
> which you linked at the same message to the CentOS list
>
> http://serverfault.com/questions/619537/use-postfix-and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo

Also worth noting: embedding the GTUBE pattern in a message is an
excellent way to minimize visibility of a message among SpamAssassin
users.

Re: Use postfix and spamassassin packages on CentOS 6 to reject SPAM

Alexander Farber
On Tue, Aug 12, 2014 at 1:44 AM, Bill Cole <[hidden email]> wrote:
> Also worth noting: embedding the GTUBE pattern in a message is an excellent way to minimize visibility of a message among SpamAssassin users.

The GTUBE mail (and the other mails I try) come through, because I haven't touched header_checks yet.

The problem is - why don't subjects get rewritten by Spamassassin - despite having "rewrite_header Subject [SPAM]" in /etc/mail/spamassassin/local.cf?

But maybe the Postfix side is okay and I should ask at the Spamassassin mailing list - even though Mr. rhsoft.net disapproves.

Regards
Alex

Re: Use postfix and spamassassin packages on CentOS 6 to reject SPAM

Alexander Farber
Hello again,
the point of my question (maybe I haven't stated it clearly enough) has been: how to combine Postfix and Spamassassin on CentOS with minimal efforts.

I didn't want to add custom shell scripts or users - as suggested in many HOWTOs on the web.

I think I have the answer now:

1) Install the spamassassin package (the postfix package is installed by default)

2) Add a user to your system with "useradd spam" (you can't omit this step - this has been the culprit in my case - I was trying to use the user "nobody", but it didn't have a home dir and that has broken Spamassassin despite me passing "-x" to spamd)

3) Add "/^Subject: \[SPAM\]/ DISCARD" to the /etc/postfix/header_checks (check the /etc/mail/spamassassin/local.cf to see the exact string to match)

4) Add the following 2 lines to the /etc/postfix/master.cf:

    smtp         inet n - n - - smtpd -o content_filter=spamassassin
    spamassassin unix - n n - - pipe user=spam argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Regards
Alex

Re: Use postfix and spamassassin packages on CentOS 6 to reject SPAM

/dev/rob0
BTW, the point of Bill Cole's post (I almost posted something
similar) was that you put the GTUBE string right here in a public
mailing list.  Most people who use SpamAssassin thus would not get
your post: it was flagged as spam, of course.  That's the idea; the
GTUBE string is to test filters.

The very people you most needed to reach, SA users with working
configurations, did not see your message.

On Tue, Aug 12, 2014 at 10:38:30AM +0200, Alexander Farber wrote:

> On Tue, Aug 12, 2014 at 9:34 AM, Alexander Farber <
> [hidden email]> wrote:
>
> > On 11 Aug 2014, at 10:22, [hidden email] wrote:
> >>
> >>> http://serverfault.com/questions/619537/use-postfix-
> >>> and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo
> >>>
> >>
> the point of my question (maybe I haven't stated it clearly enough)
> has been: how to combine Postfix and Spamassassin on CentOS with
> minimal efforts.

Consider using amavisd-new.  Yes, it's another piece of software to
configure, but it manages and runs SA for you.

> I didn't want to add custom shell scripts or users - as suggested
> in many HOWTOs on the web.

Stick with the Postfix and Amavisd-new documentation.  Most random
HOWTOs you can dig up are written by people who at best barely
understand what they did.

Postfix documentation for after-queue content filtering:

http://www.postfix.org/FILTER_README.html

and for before-queue filtering, which according to your Subject:
seems to be what you wanted:

http://www.postfix.org/SMTPD_PROXY_README.html

In either case amavisd-new can help you, acting as either the
content_filter or the smtpd_proxy_filter respectively.

> I think I have the answer now:
snip
> 3) Add "/^Subject: \[SPAM\]/ DISCARD" to the
> /etc/postfix/header_checks (check the
> /etc/mail/spamassassin/local.cf to see the exact string to match)

It's not particularly safe to discard mail flagged as spam, your own
GTUBE adventure here being a good example why not.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Use postfix and spamassassin packages on CentOS 6 to reject SPAM

Bill Cole-3
On 12 Aug 2014, at 8:38, /dev/rob0 wrote:

> BTW, the point of Bill Cole's post (I almost posted something
> similar) was that you put the GTUBE string right here in a public
> mailing list.  Most people who use SpamAssassin thus would not get
> your post: it was flagged as spam, of course.  That's the idea; the
> GTUBE string is to test filters.
>
> The very people you most needed to reach, SA users with working
> configurations, did not see your message.

Precisely. I only know the message existed because the SA score was an
order of magnitude higher than the worst normal spam and I was tinkering
with my SA config due to recent FPs for this list.


> On Tue, Aug 12, 2014 at 10:38:30AM +0200, Alexander Farber wrote:
>> On Tue, Aug 12, 2014 at 9:34 AM, Alexander Farber <
>> [hidden email]> wrote:
>>
>>> On 11 Aug 2014, at 10:22, [hidden email] wrote:
>>>>
>>>>> http://serverfault.com/questions/619537/use-postfix-
>>>>> and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo
>>>>>
>>>>
>> the point of my question (maybe I haven't stated it clearly enough)
>> has been: how to combine Postfix and Spamassassin on CentOS with
>> minimal efforts.
>
> Consider using amavisd-new.  Yes, it's another piece of software to
> configure, but it manages and runs SA for you.

Another option in a very similar vein: MIMEDefang. It's a milter that
directly supports SA and anti-virus scanning as well as essentially
anything you can make Perl do. MD is particularly good with MIME
manipulation, so it is an ideal tool if you want to do things like strip
attachments without maiming messages. A simpler alternative than
Amavisd-new or MD would be spamass-milter.

>> I didn't want to add custom shell scripts or users - as suggested
>> in many HOWTOs on the web.
>
> Stick with the Postfix and Amavisd-new documentation.  Most random
> HOWTOs you can dig up are written by people who at best barely
> understand what they did.

Beyond that, it is common for shoddy random HOWTOs to migrate upwards in
web searches as they age and become increasingly obsolete. If there is a
solid simple recipe for a minimalistic Postfix 2.11 & SpamAssassin 3.4
rig on some obscure site, it cannot have been in existence for long
enough to be widely linked, so what you will find instead will be
ancient orphaned pages that document obsolete software.

> Postfix documentation for after-queue content filtering:
>
> http://www.postfix.org/FILTER_README.html
>
> and for before-queue filtering, which according to your Subject:
> seems to be what you wanted:
>
> http://www.postfix.org/SMTPD_PROXY_README.html
>
> In either case amavisd-new can help you, acting as either the
> content_filter or the smtpd_proxy_filter respectively.
>
>> I think I have the answer now:
> snip
>> 3) Add "/^Subject: \[SPAM\]/ DISCARD" to the
>> /etc/postfix/header_checks (check the
>> /etc/mail/spamassassin/local.cf to see the exact string to match)
>
> It's not particularly safe to discard mail flagged as spam, your own
> GTUBE adventure here being a good example why not.

In the modern world it's not particularly safe to do anything with mail
that you've flagged as spam after accepting it, which is the main
argument for before-queue filtering.