Chapter 16. Building an Anti-Spam Gateway
Many email administrators are happy with the operation of their email server, but still want to add spam filtering. If the current email server is running Windows, then integrating SpamAssassin into Microsoft Exchange Server is difficult and perceived as risky. This is because it may be difficult to revert to the old settings due to the way in which some settings are changed. Whatever the platform, email administrators who lack formal training or do not devote a considerable amount of their time to system administration might lack the confidence to alter the configuration of a running email server.
One safe solution is to use a separate email gateway. The gateway receives all incoming email, SpamAssassin identifies and tags spam, and then emails are forwarded to the original email server. The gateway can additionally provide spam filtering, if desired, and forward spam to a different account or simply delete it. The configuration of the existing server...
One of the selling points of Linux is that older PCs that cannot run the latest version of Windows can often be used for Linux. While this is true, there are other factors affecting the choice of a PC for a critical role.
Spam filtering is CPU-intensive. However, it is rarely worth paying a premium price for a fast processor, which costs more per processing unit than the older slow processors. High-speed disks are not required unless a multiple-CPU machine is highly loaded. Disk I/O is relatively low for spam processing. The disk space usage for an email gateway will be low. The server software installation can be less than 1 GB, and little additional space is required, unless the main email server is down for a period of time, in which case additional spool space will be required.
Older PCs often have no hardware support. If a component fails, there may not be an engineer call-out available, and a suitable replacement part may not be available for several days. Older...
Choosing a Linux Distribution
There are many different Linux distributions. Some include support, and some have no formal support but have a user community that provides effective peer-to-peer support. The main Linux distributions are listed below:
Red Hat Enterprise Linux: This is a commercial product. Payment for the product provides technical support for a limited time; further support is available on an annual contract basis. There are several products within the brand, and the lowest-specification product, Red Hat Enterprise Linux Desktop, is adequate for the purpose of an email gateway as long as a single-CPU PC is used. Installation can be made through a graphical installer and is very simple to perform. The Red Hat website address is http://www.redhat.com/software/rhel/.
Mandrake: This is the most popular Linux distribution, available for free, but users are requested to pay a small fee to support the distribution. This payment is required to access some parts of the Mandrake website...
The Postfix configuration files normally reside in /etc/postfix and /etc/mail/, although this may vary from distribution to distribution. The main files are main.cf and master.cf. To create an email gateway, perform the operations described in the following sections.
Accepting Email for the Domain
Postfix needs to be configured to accept email for the domain. To do this, edit the main.cf file and add or change the following lines, substituting the appropriate domain and hostname:
Mail for the root user and other common aliases should be configured. This is done by editing the /etc/mail/aliases file and altering the entries as shown in the following example:
Amavisd-new is an interface between MTAs and content checkers. Content checkers scan email for viruses and/or spam. Amavisd-new is written in Perl and runs as a daemon. Instead of accessing SpamAssassin via the spamc or spamassassin clients, it loads SpamAssassin into memory and accesses the SpamAssassin functions directly. It is therefore closely coupled to SpamAssassin, and may need to be upgraded at the same time as SpamAssassin.
Amavisd-new is available in source form, RPMs are available for SuSE and Mandrake Linux, and third-party RPMs are available for Red Hat Linux. Details of versions available are listed on http://www.ijs.si/software/amavisd/#download. If an RPM is available, use it.
Installation from Package
To install Amavisd-new from package, use the rpm command for RPM-based distributions. Amavisd-new has many dependencies, all of which are Perl modules. Each version may have different dependencies, which are listed in the install file that is part of the...
Several changes need to be made to the file /etc/amavisd.conf. This file is parsed as Perl source, so syntax is important. Each line should end in a semicolon, and names are case-sensitive. The following variable declaration lines should be changed:
Ensure that the correct domain is specified for $mydomain. The number 5 specified for $max_servers is the number of daemons that will be run.
In /etc/amavisd.conf, one line needs to be uncommented as virus scanning is not going to be used. If this step is omitted, Amavisd-new will not start. This line begins with # @bypass_virus_checks_acl. The initial # and space characters need to be removed.
Configuring Postfix to Run Amavisd-new
Edit /etc/postfix/master.cf and locate this line:
Add these lines after it:
In the smtp-amavis line, the number 5 specifies the number of instances that can be used at once. This should correspond to the $max_servers entry specified in the amavisd.conf file.
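A pre-flight check for the settings described above, as an added example that is not from the original chapter: it compares $max_servers in amavisd.conf with the process limit of the smtp-amavis service in master.cf, and confirms that @bypass_virus_checks_acl has been uncommented. The function names and sample file contents are constructed for illustration; the process limit is read from the seventh (maxproc) column of master.cf.

```shell
#!/bin/sh
# Added example: pre-flight check for the Amavisd-new/Postfix settings described above.

# Print the value assigned to $max_servers (commented-out lines are ignored).
amavis_max_servers() {
    sed -n 's/^[[:space:]]*\$max_servers[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Print the maxproc column (7th field) of the smtp-amavis service in master.cf.
postfix_amavis_maxproc() {
    awk '$1 == "smtp-amavis" && $2 == "unix" { print $7; exit }' "$1"
}

# check_gateway AMAVISD_CONF MASTER_CF
# Prints one line per problem; returns 0 only if there are none.
check_gateway() {
    rc=0
    servers=$(amavis_max_servers "$1")
    maxproc=$(postfix_amavis_maxproc "$2")
    if [ -z "$servers" ] || [ -z "$maxproc" ]; then
        echo "missing \$max_servers or smtp-amavis entry"; rc=1
    elif [ "$servers" != "$maxproc" ]; then
        echo "mismatch: \$max_servers=$servers but smtp-amavis maxproc=$maxproc"; rc=1
    fi
    # Amavisd-new will not start in this setup while the line is still commented out.
    if ! grep -Eq '^[[:space:]]*@bypass_virus_checks_acl[[:space:]]*=' "$1"; then
        echo "@bypass_virus_checks_acl is not uncommented"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not from the book): $1 = directory, $2 = maxproc,
# $3 = prefix placed before @bypass_virus_checks_acl ("" or "# ").
write_samples() {
    printf '%s\n' "\$mydomain = 'example.com';" "\$max_servers = 5;" \
        "${3}@bypass_virus_checks_acl = qw( . );" > "$1/amavisd.conf"
    printf '%s\n' "smtp      inet  n  -  n  -  -  smtpd" \
        "smtp-amavis unix -  -  n  -  $2  smtp" > "$1/master.cf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir" 2 "# "     # misconfigured: reports two problems
if check_gateway "$demo_dir/amavisd.conf" "$demo_dir/master.cf"; then echo "OK"; fi
write_samples "$demo_dir" 5 ""       # corrected: prints OK
if check_gateway "$demo_dir/amavisd.conf" "$demo_dir/master.cf"; then echo "OK"; fi
rm -rf "$demo_dir"
```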
Edit /etc/postfix/main.cf and add the following line near the end of the file:
Restart Postfix with the postfix reload command:
Configuring External Services
SpamAssassin can use several external services, such as Pyzor and the DCC. The configuration of these is discussed in Chapter 11. Follow the instructions for these as required.
A firewall prevents unwanted connections from the Internet. Most organizations will have a dedicated firewall and will place their email server in a demilitarized zone (DMZ), accessible from both the external network and their internal network. It is possible to use a Linux box as a firewall by using iptables, the Linux kernel firewall. If external services such as DCC are used, Chapter 13 provides firewall information to allow the services to be accessed.
If the email gateway is not behind a corporate firewall, then the Linux kernel firewall should be configured on the email gateway. Consult the documentation for the distribution to configure this.
Backups are an essential part of a service supporting any organization. Unusually, an email server has little data that changes, apart from the various spools of email currently being processed. The content of these spools changes very quickly, and so the data is difficult to back up. As a result, a daily backup is superfluous, but the whole machine configuration should be backed up whenever it is modified to aid recovery after hardware failure. Hardware RAID or software RAID can be used to guard against disk failures.
Before going live, the system should be tested. The machine should be rebooted, and Amavisd and Postfix should be running. This can be tested with the ps command:
The standard SpamAssassin test emails should be sent to a test user:
The ham email should be delivered to the appropriate user on the original email server, and the spam email should be discarded or sent to the email address that was used when Amavisd-new was...
Switching to the email gateway will involve one of three methods:
If a corporate firewall is in use, then change the firewall configuration to forward SMTP traffic (port 25) to the email gateway. Ensure that traffic for any external services such as Razor or Pyzor is directed to the email gateway. Firewall details for external services are given in Chapter 13.
Give the email gateway the IP address of the old email server. To do this, give the original email server a new IP address and give the new email gateway the IP address of the original email server. Alter the email gateway configuration to use the new IP address.
Alter the DNS MX records for the domain. Make the current email server the new backup MX, and the new gateway the primary MX. It will take time for the change to propagate. This makes the service switchover slow and gradual, so any problems will not affect all email traffic. If there are problems with the new service, the network cable can be disconnected and all...
An organization can add spam filtering by building an email gateway. This is done by using a new machine installed with Linux, SpamAssassin, Postfix, and Amavisd-new.
The email filtering can take place without any changes to the existing mail server. Spam filtering can be enabled and disabled by directing existing traffic to the old email server or the new email gateway as required. Email is tagged for spam, and a threshold can be set where spam email is simply discarded.