The Perfect SpamSnake - Ubuntu Jeos 10.10 Maverick Meerkat - Page 4

14. KAM

vi /etc/cron.daily/kam.sh

Add the following content and

chmod +x /etc/cron.daily/kam.sh

#!/bin/bash
   
 # Original version modified by Andrew MacLachlan (andrew@gdcon.net)
 # Added additional MailScanner restarts on inital restart failure
 # Made script run silently for normal (successful) operation
 # Increased UPDATEMAXDELAY to 900 from 600
 
 # Insert a random delay up to this value, to spread virus updates round
 # the clock. 1800 seconds = 30 minutes.
 # Set this to 0 to disable it.
 UPDATEMAXDELAY=0
 if [ -f /opt/MailScanner/var/MailScanner ] ; then
 . /opt/MailScanner/var/MailScanner
 fi
 export UPDATEMAXDELAY
 
 if [ "x$UPDATEMAXDELAY" = "x0" ]; then
 :
 else
 logger -p mail.info -t KAM.cf.sh Delaying cron job up to $UPDATEMAXDELAY seconds
 perl -e "sleep int(rand($UPDATEMAXDELAY));"
 fi
 
 # JKF Fetch KAM.cf
 #echo Fetching KAM.cf...
 cd /etc/mail/spamassassin
 rm -f KAM.cf
 wget -O KAM.cf http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf > /dev/null 2>&1
 if [ "$?" = "0" ]; then
 #echo It completed and fetched something
 if ( tail -10 KAM.cf | grep -q '^#.*EOF' ); then
 # echo It succeeded so make a backup
 cp -f KAM.cf KAM.cf.backup
 else
 echo ERROR: Could not find EOF marker
 cp -f KAM.cf.backup KAM.cf
 fi
 else
 echo It failed to complete properly
 cp -f KAM.cf.backup KAM.cf
 fi
 #echo Reloading MailScanner and SpamAssassin configuration rules
 /etc/init.d/mailscanner reload > /dev/null 2>&1
 if [ $? != 0 ] ; then
 echo "MailScanner reload failed - Retrying..."
 /etc/init.d/mailscanner force-reload
 if [ $? = 0 ] ; then
 echo "MailScanner reload succeeded."
 else
 echo "Stopping MailScanner..."
 /etc/init.d/mailscanner stop
 echo "Waiting for a minute..."
 perl -e "sleep 60;"
 echo "Attemping to start MailScanner..."
 /etc/init.d/mailscanner start
 fi
 
 fi 

 

15. ScamNailer

vi /usr/sbin/update_scamnailer

and

chmod +x /usr/sbin/update_scamnailer

*Note: Content is in scamnailer.doc.)

Add it to cron:

@daily /usr/sbin/update_scamnailer &> /dev/null #Update Scamnailer

 

16. Firewalling the SpamSnake with Firehol

Introduction

Firehol is a stateful iptables packet filtering firewall configurator. It is abstracted, extensible, easy and powerful. It can handle any kind of firewall, but most importantly, it gives you the means to configure it, the same way you think of it.

 

Install Firehol

apt-get install firehol

 

Firehol Settings:

vi /etc/default/firehol

and change the following:

START_FIREHOL=YES

vi /etc/firehol/firehol.conf

and add the following:

version 5
   # Accept all client traffic on any interface
   interface any internet
   protection strong
   server "icmp ping ICMP ssh http https telnet webmin dns dcc echo smtp" accept
 client all accept

This filters all incoming connections that are not related to the above services. If you want to be less polite, you can drop them by adding the following after 'protection strong': policy drop

vi /usr/sbin/get-iana

with the following and

chmod +x /usr/sbin/get-iana

#!/bin/bash
 # $Id: get-iana.sh,v 1.13 2010/09/12 13:55:00 jcb Exp $
   #
   # $Log: get-iana.sh,v $
   # Revision 1.13 2010/09/12 13:55:00 jcb
   # Updated for latest IANA reservations format.
   #
   # Revision 1.12 2008/03/17 22:08:43 ktsaou
   # Updated for latest IANA reservations format.
   #
   # Revision 1.11 2007/06/13 14:40:04 ktsaou
   # *** empty log message ***
   #
   # Revision 1.10 2007/05/05 23:38:31 ktsaou
   # Added support for external definitions of:
   #
   # RESERVED_IPS
   # PRIVATE_IPS
   # MULTICAST_IPS
   # UNROUTABLE_IPS
   #
   # in files under the same name in /etc/firehol/.
   # Only RESERVED_IPS is mandatory (firehol will complain if it is not  there,
   # but it will still work without it), and is also the only file that  firehol
   # checks how old is it. If it is 90+ days old, firehol will complain  again.
   #
   # Changed the supplied get-iana.sh script to generate the RESERVED_IPS  file.
   # FireHOL also instructs the user to use this script if the file is  missing
   # or is too old.
   #
   # Revision 1.9 2007/04/29 19:34:11 ktsaou
   # *** empty log message ***
   #
   # Revision 1.8 2005/06/02 15:48:52 ktsaou
   # Allowed 127.0.0.1 to be in RESERVED_IPS
   #
   # Revision 1.7 2005/05/08 23:27:23 ktsaou
   # Updated RESERVED_IPS to current IANA reservations.
   #
   # Revision 1.6 2004/01/10 18:44:39 ktsaou
   # Further optimized and reduced PRIVATE_IPS using:
   # http://www.vergenet.net/linux/aggregate/
   #
   # The supplied get-iana.sh uses .aggregate. if it finds it in the path.
   # (aggregate is the name of this program when installed on Gentoo)
   #
   # Revision 1.5 2003/08/23 23:26:50 ktsaou
   # Bug #793889:
   # Change #!/bin/sh to #!/bin/bash to allow FireHOL run on systems that
   # bash is not linked to /bin/sh.
   #
   # Revision 1.4 2002/10/27 12:44:42 ktsaou
   # CVS test
   #
 #
   # Program that downloads the IPv4 address space allocation by IANA
   # and creates a list with all reserved address spaces.
   #
 IPV4_ADDRESS_SPACE_URL="http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt"
 # The program will match all rows in the file which start with a  number, have a slash,
   # followed by another number, for which the following pattern will also  match on the
   # same rows
   IANA_RESERVED="(RESERVED|UNALLOCATED)"
 # which rows that are matched by the above, to ignore
   # (i.e. not include them in RESERVED_IPS)?
   #IANA_IGNORE="(Multicast|Private use|Loopback|Local  Identification)"
   IANA_IGNORE="Multicast"
 tempfile="/tmp/iana.$$.$RANDOM"
 AGGREGATE="`which aggregate 2>/dev/null`"
   if [ -z "${AGGREGATE}" ]
   then
   AGGREGATE="`which aggregate 2>/dev/null`"
   fi
 if [ -z "${AGGREGATE}" ]
   then
   echo >&2
   echo >&2
   echo >&2 "WARNING"
   echo >&2 "Please install 'aggregate' to shrink the list of  IPs."
   echo >&2
   echo >&2
   fi
 echo >&2
   echo >&2 "Fetching IANA IPv4 Address Space, from:"
   echo >&2 "${IPV4_ADDRESS_SPACE_URL}"
   echo >&2
 wget -O - -proxy=off "${IPV4_ADDRESS_SPACE_URL}" |\
   egrep " *[0-9]+/[0-9]+.*${IANA_RESERVED}" |\
   egrep -vi "${IANA_IGNORE}" |\
   sed -e 's:^ *\([0-9]*/[0-9]*\).*:\1:' |\
   (
 while IFS="/" read range net
   do
   if [ ! $net -eq 8 ]
   then
   echo >&2 "Cannot handle network masks of $net bits  ($range/$net)"
   continue
   fi
 first=`echo $range | cut -d '-' -f 1`
   first=`expr $first + 0`
   last=`echo $range | cut -d '-' -f 2`
   last=`expr $last + 0`
 x=$first
   while [ ! $x -gt $last ]
   do
   # test $x -ne 127 && echo "$x.0.0.0/$net"
   echo "$x.0.0.0/$net"
   x=$[x + 1]
   done
   done
   ) | \
   (
   if [ ! -z "${AGGREGATE}" -a -x "${AGGREGATE}" ]
   then
   "${AGGREGATE}"
   else
   cat
   fi
   ) >"${tempfile}"
 echo >&2
   echo >&2
   echo >&2 "FOUND THE FOLLOWING RESERVED IP RANGES:"
   printf "RESERVED_IPS=\""
   i=0
   for x in `cat ${tempfile}`
   do
   i=$[i + 1]
   printf "${x} "
   done
   printf "\"\n"
 if [ $i -eq 0 ]
   then
   echo >&2
   echo >&2
   echo >&2 "Failed to find reserved IPs."
   echo >&2 "Possibly the file format has been changed, or I  cannot fetch the URL."
   echo >&2
 rm -f ${tempfile}
   exit 1
   fi
   echo >&2
   echo >&2
   echo >&2 "Differences between the fetched list and the list  installed in"
   echo >&2 "/etc/firehol/RESERVED_IPS:"
 echo >&2 "# diff /etc/firehol/RESERVED_IPS  ${tempfile}"
   diff /etc/firehol/RESERVED_IPS ${tempfile}
 if [ $? -eq 0 ]
   then
   echo >&2
   echo >&2 "No  differences found."
   echo >&2
 rm -f ${tempfile}
   exit 0
   fi
 echo >&2
   echo >&2
   echo >&2 "Would you like to save this list to  /etc/firehol/RESERVED_IPS"
   echo >&2 "so that FireHOL will automatically use it from  now on?"
   echo >&2
   while [ 1 = 1 ]
   do
   printf >&2 "yes or no > "
   read x
 case "${x}" in
   yes) cp -f /etc/firehol/RESERVED_IPS /etc/firehol/RESERVED_IPS.old  2>/dev/null
   cat "${tempfile}" >/etc/firehol/RESERVED_IPS || exit 1
   echo >&2 "New RESERVED_IPS written to  '/etc/firehol/RESERVED_IPS'."
   echo "Firehol will now be restart"
   sleep 3
   /etc/init.d/firehol restart
   break
   ;;
 no)
   echo >&2 "Saved nothing."
   break
   ;;
 *) echo >&2 "Cannot understand '${x}'."
   ;;
   esac
   done
 rm -f ${tempfile}

vi /usr/sbin/update-iana

with the following content and

chmod +x /usr/sbin/update-iana

#!/bin/sh
 /usr/sbin/get-iana  < /etc/firehol/get-iana-answerfile

vi /etc/firehol/get-iana-answerfile

with the following content:

yes

Run the script to update RESERVED_IPS:

/usr/sbin/update-iana

Now your server is set up to only accept connections for the services you allowed.

Add it to cron:

@monthly /usr/sbin/update-iana &> /dev/null #Update firehol reserved ips

 

17. Apply Relay Recipients

The following directions are meant for people using Microsoft Exchange 2000 or Microsoft Exchange 2003.

This page describes how to configure your mail gateway to periodically get a list of valid recipient email addresses from your Exchange system. By doing this, you can configure your server to automatically reject any email addressed to invalid addresses. This will reduce the load on your exchange server, since it no longer has to process non-delivery reports, and it will reduce the load on your postfix server since it won't have to perform spam and virus scanning on the message.

 

Install Dependencies

Install the perl module Net::LDAP:

perl -MCPAN -e shell
install Net::LDAP

vi /usr/bin/getadsmtp.pl

with the following:

#!/usr/bin/perl -T -w
   # This script will pull all users' SMTP addresses from your Active Directory
   # (including primary and secondary email addresses) and list them in the
   # format "user@example.com OK" which Postfix uses with relay_recipient_maps.
   # Be sure to double-check the path to perl above.
   # This requires Net::LDAP to be installed.  To install Net::LDAP, at a shell
   # type "perl -MCPAN -e shell" and then "install Net::LDAP"
   use Net::LDAP;
   use Net::LDAP::Control::Paged;
   use Net::LDAP::Constant ( "LDAP_CONTROL_PAGED" );
   # Enter the path/file for the output
   $VALID = "/etc/postfix/relay_recipients";
   open VALID, ">$VALID" or die "CANNOT OPEN $VALID $!";
   # Enter the FQDN of your Active Directory domain controllers below
   $dc1="domaincontroller1.example.com";
   $dc2="domaincontroller2.example.com";
   # Enter the LDAP container for your userbase.
   # The syntax is CN=Users,dc=example,dc=com
   # This can be found by installing the Windows 2000 Support Tools
   # then running ADSI Edit.
   # In ADSI Edit, expand the "Domain NC [domaincontroller1.example.com]" &
   # you will see, for example, DC=example,DC=com (this is your base).
   # The Users Container will be specified in the right pane as
   # CN=Users depending on your schema (this is your container).
   # You can double-check this by clicking "Properties" of your user
   # folder in ADSI Edit and examining the "Path" value, such as:
   # LDAP://domaincontroller1.example.com/CN=Users,DC=example,DC=com
   # which would be $hqbase="cn=Users,dc=example,dc=com"
   # Note:  You can also use just $hqbase="dc=example,dc=com"
   $hqbase="cn=Users,dc=example,dc=com";
   # Enter the username & password for a valid user in your Active Directory
   # with username in the form cn=username,cn=Users,dc=example,dc=com
   # Make sure the user's password does not expire.  Note that this user
   # does not require any special privileges.
   # You can double-check this by clicking "Properties" of your user in
   # ADSI Edit and examining the "Path" value, such as:
   # LDAP://domaincontroller1.example.com/CN=user,CN=Users,DC=example,DC=com
   # which would be $user="cn=user,cn=Users,dc=example,dc=com"
   # Note: You can also use the UPN login: "user\@example.com"
   $user="cn=user,cn=Users,dc=example,dc=com";
   $passwd="password";
   # Connecting to Active Directory domain controllers
   $noldapserver=0;
   $ldap = Net::LDAP->new($dc1) or
   $noldapserver=1;
   if ($noldapserver == 1)  {
   $ldap = Net::LDAP->new($dc2) or
   die "Error connecting to specified domain controllers $@ \n";
   }
   $mesg = $ldap->bind ( dn => $user,
   password =>$passwd);
   if ( $mesg->code()) {
   die ("error:", $mesg->error_text((),"\n"));
   }
   # How many LDAP query results to grab for each paged round
   # Set to under 1000 for Active Directory
   $page = Net::LDAP::Control::Paged->new( size => 990 );
   @args = ( base     => $hqbase,
   # Play around with this to grab objects such as Contacts, Public Folders, etc.
   # A minimal filter for just users with email would be:
   # filter => "(&(sAMAccountName=*)(mail=*))"
   filter => "(& (mailnickname=*) (| (&(objectCategory=person)
   (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
   (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
   (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
   (objectCategory=group)(objectCategory=publicFolder) ))",
   control  => [ $page ],
   attrs  => "proxyAddresses",
   );
   my $cookie;
   while(1) {
   # Perform search
   my $mesg = $ldap->search( @args );
   # Filtering results for proxyAddresses attributes
   foreach my $entry ( $mesg->entries ) {
   my $name = $entry->get_value( "cn" );
   # LDAP Attributes are multi-valued, so we have to print each one.
   foreach my $mail ( $entry->get_value( "proxyAddresses" ) ) {
   # Test if the Line starts with one of the following lines:
   # proxyAddresses: [smtp|SMTP]:
   # and also discard this starting string, so that $mail is only the
   # address without any other characters...
   if ( $mail =~ s/^(smtp|SMTP)://gs ) {
   print VALID $mail." OK\n";
   }
   }
   }
   # Only continue on LDAP_SUCCESS
   $mesg->code and last;
   # Get cookie from paged control
   my($resp)  = $mesg->control( LDAP_CONTROL_PAGED ) or last;
   $cookie    = $resp->cookie or last;
   # Set cookie in paged control
   $page->cookie($cookie);
   }
   if ($cookie) {
   # We had an abnormal exit, so let the server know we do not want any more
   $page->cookie($cookie);
   $page->size(0);
   $ldap->search( @args );
   # Also would be a good idea to die unhappily and inform OP at this point
   die("LDAP query unsuccessful");
   }
   # Add additional restrictions, users, etc. to the output file below.
   #print VALID "user\@domain1.com OK\n";
   #print VALID "user\@domain2.com 550 User unknown.\n";
   #print VALID "domain3.com 550 User does not exist.\n";
 close VALID;

Next set the permissions on the file to allow it to be executed:

chmod +x /usr/bin/getadsmtp.pl

Edit the file to customize it for your specific domain. Since the file is read only, you will need to use :w! to save the file in vi.

1. Set $dc1 and $dc2 to the fully qualified domain names or IP addresses of 2 of your domain controllers.
2. Set $hqbase equal to the LDAP path to the container or organizational unit which holds the email accounts for which you wish to get the email addresses.
3. Set $user and $passwd to indicate which user account should be used to access this information. This account only needs to be a member of the domain, so it would be a good idea to setup an account specifically for this.

Try running the script. If it works correctly, it will create /etc/postfix/relay_recipients.

Note that if your postfix server is separated from your active directory controllers by a firewall, you will need to open TCP port 389 from the postfix server to the ADCs.

getadsmtp.pl

At this point, you may want to edit /etc/postfix/relay_recipients and edit out any unwanted email addresses as this script imports everything.

 

Postmap the file to create the hash db

postmap /etc/postfix/relay_recipients
postfix reload

Finally, you may want to set up a cron job to periodically update and build the /etc/postfix/relay_recipients.db file. You can set up a script called /usr/bin/update-relay-recipients.sh: (Optional)

vi /usr/bin/update-relay-recipients.sh

with the following and

chmod +x /usr/bin/update-relay_recipients.sh

#!/bin/sh
/usr/bin/getadsmtp.pl
postmap /etc/postfix/relay_recipients
postfix reload

Don't forget to make sure the following is in your /etc/postfix/main.cf file:

relay_recipient_maps = hash:/etc/postfix/relay_recipients

Add it to cron:

30 2 * * * /usr/bin/update-relay-recipients.sh #syncronize relay_recipients with Active Directory addresses

:Note that this cron job will run every day at 2:30 AM to update the database file. You may want to run yours more frequently or not depending on how often you add new email users to your system.

 

18. Install Webmin (Optional):

apt-get install perl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl apt-show-versions
cd /tmp && wget http://mirrors.kernel.org/ubuntu/pool/universe/libm/libmd5-perl/libmd5-perl_2.03-1_all.deb
dpkg -i libmd5-perl_2.03-1_all.deb
wget http://downloads.sourceforge.net/project/webadmin/webmin/1.520/webmin_1.520_all.deb
dpkg --install webmin_1.520_all.deb

 

19. Automatically Add A Disclaimer To Outgoing Emails With alterMIME (Optional)

This tutorial shows how to install and use alterMIME. alterMIME is a tool that can automatically add a disclaimer to emails. In this article I will explain how to install it as a Postfix filter on Ubuntu.

Installing alterMIME:

apt-get install altermime

Next we create the user filter with the home directory /var/spool/filter - alterMIME will be run as that user:

useradd -r -c "Postfix Filters" -d /var/spool/filter filter
mkdir /var/spool/filter
chown filter:filter /var/spool/filter
chmod 750 /var/spool/filter

Afterwards we create the script /etc/postfix/disclaimer which executes alterMIME. Ubuntu's alterMIME package comes with a sample script that we can simply copy to /etc/postfix/disclaimer:

cp /usr/share/doc/altermime/examples/postfix_filter.sh /etc/postfix/disclaimer
chgrp filter /etc/postfix/disclaimer
chmod 750 /etc/postfix/disclaimer

Now the problem with this script is that it doesn't distinguish between incoming and outgoing emails - it simply adds a disclaimer to all mails. Typically you want disclaimers only for outgoing emails, and even then not for all sender addresses. Therefore I've modified the /etc/postfix/disclaimer script a little bit - we'll come to that in a minute.

Right now, we create the file /etc/postfix/disclaimer_addresses which holds all sender email addresses (one per line) for which alterMIME should add a disclaimer:

vi /etc/postfix/disclaimer_addresses

user1@example.com
user2@example.org
user3@example.net

Now we open /etc/postfix/disclaimer and modify it as follows (I have marked the parts that I've changed):

vi /etc/postfix/disclaimer

#!/bin/sh
# Localize these.
INSPECT_DIR=/var/spool/filter
SENDMAIL=/usr/sbin/sendmail
####### Changed From Original Script #######
DISCLAIMER_ADDRESSES=/etc/postfix/disclaimer_addresses
####### Changed From Original Script END #######
# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
# Clean up when done or when aborting.
trap "rm -f in.$$" 0 1 2 3 15
# Start processing.
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit
$EX_TEMPFAIL; }
cat >in.$$ || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }
####### Changed From Original Script #######
# obtain From address
from_address=`grep -m 1 "From:" in.$$ | cut -d "<" -f 2 | cut -d ">" -f 1`
if [ `grep -wi ^${from_address}$ ${DISCLAIMER_ADDRESSES}` ]; then
  /usr/bin/altermime --input=in.$$ \
                   --disclaimer=/etc/postfix/disclaimer.txt \
                   --disclaimer-html=/etc/postfix/disclaimer.txt \
                   --xheader="X-Copyrighted-Material: Please visit http://www.company.com/privacy.htm" || \
                    { echo Message content rejected; exit $EX_UNAVAILABLE; }
fi
####### Changed From Original Script END #######
$SENDMAIL "$@" <in.$$
exit $?

Next we need the text file /etc/postfix/disclaimer.txt which holds our disclaimer text. Ubuntu's alterMIME package comes with a sample text that we can use for now (of course, you can modify it if you like):

cp /usr/share/doc/altermime/examples/disclaimer.txt /etc/postfix/disclaimer.txt

Finally we have to tell Postfix that it should use the /etc/postfix/disclaimer script to add disclaimers to outgoing emails. Open /etc/postfix/master.cf and add -o content_filter=dfilt: to the smtp line:

vi /etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
   -o content_filter=dfilt:
[...]

At the end of the same file, add the following two lines:

[...]
dfilt     unix    -       n       n       -       -       pipe
    flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient} 

Restart Postfix afterwards:

/etc/init.d/postfix restart

That's it! Now a disclaimer should be added to outgoing emails sent from the addresses listed in /etc/postfix/disclaimer_addresses.

 

20. Screenshots

 

Congratulations

You should now have a complete working SpamSnake with all the goodies :-)

Share this page:

39 Comment(s)

Add comment

Comments

From: at: 2010-12-03 02:06:32

Updated.

From: tokamak at: 2010-12-02 01:46:55

 i get an script error for the postfix.sh

Zeile 41: Syntaxfehler beim unerwarteten Wort `(' 

LINE 41: Syntaxerror  unknow word  `('

 

 

 

From: Matt Juaire at: 2011-01-20 01:14:37

I know the howto has this setup on a virtual server. What did you recommend to give to the system for resources (cpu count, memory, hd size)?

From: at: 2011-01-20 15:29:13

This is my current setup:

CPU: 2.8GHZ divided by 3 vms

Ram: 1GB allocated for vm

HDD: 5GB allocated for vm

As you can see, my setup is a vm and I only filter 2 local domains.  Based on your needs, you may need to increase your HDD space for quarantine.  You can install this as a vm or as a stand alone.

From: at: 2011-03-17 16:23:01

your tutorial is very interesting, but i think that it could be more simple for a lot of people to install a solution like  MailCleaner Open Source Edition

Installation CD ISO image and full web admin interface

The result will be quite the same

 Olivier

From: at: 2010-12-21 17:38:17

Hi!

As always, great guide! 

I am using Ubuntu Server 10.04 and in "Install missing perl packages" step I get the following error:

---

root@spamsnake:~# perl -MCPAN -e shell
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.9402)
Enter 'h' for help.

cpan[1]> install Crypt::OpenSSL::RSA
CPAN: Storable loaded ok (v2.20)
Going to read '/root/.cpan/Metadata'
  Database was generated on Tue, 21 Dec 2010 16:35:00 GMT
Running install for module 'Crypt::OpenSSL::RSA'
CPAN: Data::Dumper loaded ok (v2.124)
'YAML' not installed, falling back to Data::Dumper and Storable to read prefs '/root/.cpan/prefs'
Running make for I/IR/IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz
CPAN: Digest::SHA loaded ok (v5.47)
CPAN: Compress::Zlib loaded ok (v2.02)
Checksum for /root/.cpan/sources/authors/id/I/IR/IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz ok
Scanning cache /root/.cpan/build for sizes
............................................................................DONE
CPAN: Archive::Tar loaded ok (v1.52)
Crypt-OpenSSL-RSA-0.26/
Crypt-OpenSSL-RSA-0.26/RSA.xs
Crypt-OpenSSL-RSA-0.26/RSA.pm
Crypt-OpenSSL-RSA-0.26/typemap
Crypt-OpenSSL-RSA-0.26/MANIFEST
Crypt-OpenSSL-RSA-0.26/Makefile.PL
Crypt-OpenSSL-RSA-0.26/LICENSE
Crypt-OpenSSL-RSA-0.26/Changes
Crypt-OpenSSL-RSA-0.26/t/
Crypt-OpenSSL-RSA-0.26/t/format.t
Crypt-OpenSSL-RSA-0.26/t/bignum.t
Crypt-OpenSSL-RSA-0.26/t/rsa.t
Crypt-OpenSSL-RSA-0.26/README
Crypt-OpenSSL-RSA-0.26/META.yml
CPAN: File::Temp loaded ok (v0.22)

  CPAN.pm: Going to build I/IR/IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz

Checking if your kit is complete...
Looks good
Warning: prerequisite Crypt::OpenSSL::Random 0 not found.
Writing Makefile for Crypt::OpenSSL::RSA
Could not read '/root/.cpan/build/Crypt-OpenSSL-RSA-0.26-PTQVSZ/META.yml'. Falling back to other methods to determine prerequisites
---- Unsatisfied dependencies detected during ----
----  IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz  ----
    Crypt::OpenSSL::Random [requires]
Shall I follow them and prepend them to the queue
of modules we are processing right now? [yes]
Running make test
  Delayed until after prerequisites
Running make install
  Delayed until after prerequisites
Running install for module 'Crypt::OpenSSL::Random'
'YAML' not installed, falling back to Data::Dumper and Storable to read prefs '/root/.cpan/prefs'
Running make for I/IR/IROBERTS/Crypt-OpenSSL-Random-0.04.tar.gz
Checksum for /root/.cpan/sources/authors/id/I/IR/IROBERTS/Crypt-OpenSSL-Random-0.04.tar.gz ok
Crypt-OpenSSL-Random-0.04/
Crypt-OpenSSL-Random-0.04/Random.pm
Crypt-OpenSSL-Random-0.04/Random.xs
Crypt-OpenSSL-Random-0.04/LICENSE
Crypt-OpenSSL-Random-0.04/Changes
Crypt-OpenSSL-Random-0.04/test.pl
Crypt-OpenSSL-Random-0.04/Makefile.PL
Crypt-OpenSSL-Random-0.04/META.yml
Crypt-OpenSSL-Random-0.04/MANIFEST

  CPAN.pm: Going to build I/IR/IROBERTS/Crypt-OpenSSL-Random-0.04.tar.gz

Checking if your kit is complete...
Looks good
Writing Makefile for Crypt::OpenSSL::Random
Could not read '/root/.cpan/build/Crypt-OpenSSL-Random-0.04-T4RbJx/META.yml'. Falling back to other methods to determine prerequisites
cp Random.pm blib/lib/Crypt/OpenSSL/Random.pm
AutoSplitting blib/lib/Crypt/OpenSSL/Random.pm (blib/lib/auto/Crypt/OpenSSL/Random)
/usr/bin/perl /usr/share/perl/5.10/ExtUtils/xsubpp  -typemap /usr/share/perl/5.10/ExtUtils/typemap  Random.xs > Random.xsc && mv Random.xsc Random.c
Please specify prototyping behavior for Random.xs (see perlxs manual)
cc -c   -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g   -DVERSION=\"0.04\" -DXS_VERSION=\"0.04\" -fPIC "-I/usr/lib/perl/5.10/CORE"   Random.c
Random.xs:5:26: error: openssl/rand.h: No such file or directory
make: *** [Random.o] Error 1
  IROBERTS/Crypt-OpenSSL-Random-0.04.tar.gz
  /usr/bin/make -- NOT OK
Warning (usually harmless): 'YAML' not installed, will not store persistent state
Running make test
  Can't test without successful make
Running make install
  Make had returned bad status, install seems impossible
Running make for I/IR/IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz
  Has already been unwrapped into directory /root/.cpan/build/Crypt-OpenSSL-RSA-0.26-PTQVSZ

  CPAN.pm: Going to build I/IR/IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz

Warning: Prerequisite 'Crypt::OpenSSL::Random => 0' for 'IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz' failed when processing 'IROBERTS/Crypt-OpenSSL-Random-0.04.tar.gz' with 'make => NO'. Continuing, but chances to succeed are limited.
CPAN: Time::HiRes loaded ok (v1.9719)
cp RSA.pm blib/lib/Crypt/OpenSSL/RSA.pm
AutoSplitting blib/lib/Crypt/OpenSSL/RSA.pm (blib/lib/auto/Crypt/OpenSSL/RSA)
/usr/bin/perl /usr/share/perl/5.10/ExtUtils/xsubpp  -typemap /usr/share/perl/5.10/ExtUtils/typemap -typemap typemap  RSA.xs > RSA.xsc && mv RSA.xsc RSA.c
cc -c   -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g   -DVERSION=\"0.26\" -DXS_VERSION=\"0.26\" -fPIC "-I/usr/lib/perl/5.10/CORE"  -DPERL5 -DOPENSSL_NO_KRB5 RSA.c
RSA.xs:5:25: error: openssl/bio.h: No such file or directory
[several errors like above...]
make: *** [RSA.o] Error 1
  IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz
  /usr/bin/make -- NOT OK
Warning (usually harmless): 'YAML' not installed, will not store persistent state
Running make test
  Can't test without successful make
Running make install
  Make had returned bad status, install seems impossible
Failed during this command:
 IROBERTS/Crypt-OpenSSL-Random-0.04.tar.gz    : make NO
 IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz       : make NO

cpan[2]>

---

Any ideas of how to fix it?

From: at: 2010-12-23 06:51:38

You do not have the openssl header files. Random.xs:5:26: error: openssl/rand.h: No such file or directory

 Install the openssl-dev package

From: at: 2012-03-12 00:21:52

on ubuntu its

apt-get install libssl-dev

regards

From: Naz at: 2010-12-08 03:48:32

Hi, thank you for the great how-to. pyzor_add_header 1 is no longer a valid config option with the newer versions of spamassassin and will generate warning. You can see it at the --lint output.

From: at: 2010-12-08 15:22:56

Updated thanks.

From: Anonymous at: 2010-12-07 15:07:58

 spamassing test error
 
Dec  7 15:20:15.262 [15606] warn: config: failed to parse line, skipping, in "/etc/spamassassin/mailscanner.cf": pyzor_add_header 1
Dec  7 15:20:15.264 [15606] warn: config: failed to parse line, skipping, in "/opt/MailScanner/etc/spam.assassin.prefs.conf": pyzor_add_header 1                                          
best regards
 
 
 

From: at: 2010-12-04 17:11:04

Guide updated, mailscanner should be installed first.

From: Anonymous at: 2010-12-04 09:51:46

there is no directory: cp /opt/MailScanner/etc/spam.assassin.prefs.conf

 

From: Eddo at: 2010-11-30 14:49:36

Great I was waiting for this one!

At step 7 I think you mean the libclamav-client-perl?

Regards,

From: Eddo at: 2010-11-30 14:58:36

Great I was waiting for this one!

At step 7 I think you mean the libclamav-client-perl? and should we install spamassassin here or download it and install from source?

Regards,

From: at: 2010-12-01 19:16:11

It should be libclamav6. Also, I moved the dependencies up a bit, we want it before the spamassassin section.


From: w0rldart at: 2011-01-17 13:03:42

Hi, i am suposed to look for 

debug: bayes: Database connection established
debug: bayes: found bayes db version 3
debug: bayes: Using userid: 2

as response to  spamassassin -x -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint , but in stead i get

 Jan 17 13:56:55.129 [10360] dbg: timing: total 1152 ms - init: 770 (66.8%), parse: 0.81 (0.1%), extract_message_metadata: 1.36 (0.1%), get_uri_detail_list: 0.98 (0.1%), tests_pri_-1000: 7 (0.6%), compile_gen: 149 (12.9%), compile_eval: 16 (1.4%), tests_pri_-950: 5 (0.4%), tests_pri_-900: 5 (0.5%), tests_pri_-400: 5 (0.4%), tests_pri_0: 309 (26.8%), tests_pri_500: 45 (3.9%)

Jan 17 13:56:55.129 [10360] warn: lint: 2 issues detected, please rerun with debug enabled for more information

 

 Can any1 help me out?

From: at: 2011-01-18 13:40:28

Hi,

Please post your issue in the support forum and we'll gladly help you out.

Thanks,

Rocky

From: Anvar at: 2011-02-10 07:58:09

Maybe handy to add the location of the master.cf file; /etc/postfix

From: Anvar at: 2011-02-10 08:30:57

Best to install the clamav data;

 apt-get install clamav-data and afterwards /etc/init.d/clamav-daemon start

From: Alexander Meesters at: 2011-04-06 12:33:52

i think its better to use:

 sudo update-rc.d mailscanner defaults

 then creating it by hand...

From: lugi at: 2011-04-15 16:05:24

When i trying to lauch => install Crypt::OpenSSL::RSA i have this problem . Can you help me please.

I trying => Crypt::OpenSSL::Random  but it doesn't work also 

 

Checking if your kit is complete...
Looks good
Writing Makefile for Crypt::OpenSSL::Random
cp Random.pm blib/lib/Crypt/OpenSSL/Random.pm
AutoSplitting blib/lib/Crypt/OpenSSL/Random.pm (blib/lib/auto/Crypt/OpenSSL/Random)
/usr/bin/perl /usr/share/perl/5.10/ExtUtils/xsubpp  -typemap /usr/share/perl/5.10/ExtUtils/typemap  Random.xs > Random.xsc && mv Random.xsc Random.c
Please specify prototyping behavior for Random.xs (see perlxs manual)
cc -c   -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g   -DVERSION=\"0.04\" -DXS_VERSION=\"0.04\" -fPIC "-I/usr/lib/perl/5.10/CORE"   Random.c
Random.xs:5: fatal error: openssl/rand.h: No such file or directory
compilation terminated.
make: *** [Random.o] Error 1
  IROBERTS/Crypt-OpenSSL-Random-0.04.tar.gz
  /usr/bin/make -- NOT OK
Running make test
  Can't test without successful make
Running make install
  Make had returned bad status, install seems impossible
Running make for I/IR/IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz
  Has already been unwrapped into directory /root/.cpan/build/Crypt-OpenSSL-RSA-0.26-OaSkf7

  CPAN.pm: Going to build I/IR/IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz

Warning: Prerequisite 'Crypt::OpenSSL::Random => 0' for 'IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz' failed when processing 'IROBERTS/Crypt-OpenSSL-Random-0.04.tar.gz' with 'make => NO'. Continuing, but chances to succeed are limited.
CPAN: Time::HiRes loaded ok (v1.9719)
cp RSA.pm blib/lib/Crypt/OpenSSL/RSA.pm
AutoSplitting blib/lib/Crypt/OpenSSL/RSA.pm (blib/lib/auto/Crypt/OpenSSL/RSA)
/usr/bin/perl /usr/share/perl/5.10/ExtUtils/xsubpp  -typemap /usr/share/perl/5.10/ExtUtils/typemap -typemap typemap  RSA.xs > RSA.xsc && mv RSA.xsc RSA.c
cc -c   -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g   -DVERSION=\"0.26\" -DXS_VERSION=\"0.26\" -fPIC "-I/usr/lib/perl/5.10/CORE"  -DPERL5 -DOPENSSL_NO_KRB5 RSA.c
RSA.xs:5: fatal error: openssl/bio.h: No such file or directory
compilation terminated.
make: *** [RSA.o] Error 1
  IROBERTS/Crypt-OpenSSL-RSA-0.26.tar.gz
  /usr/bin/make -- NOT OK
Running make test
  Can't test without successful make
Running make install
  Make had returned bad status, install seems impossible

From: at: 2011-04-18 17:53:20

Try:

apt-get install libcrypt-openssl-random-perl libcrypt-openssl-rsa-perl

From: Tony Grenda at: 2011-05-12 19:44:07

I had to open Port 873/TCP on my firewall for the rsync protocol to work for the SaneSecurity signatures to download.

From: at: 2011-12-06 19:43:45

How can i customize spamassassin rules? baruwa is reporting valid mail marked as spam:

3.09  DOS_OE_TO_MX                  Delivered direct to MX with OE headers
0.00  DYN_RDNS_SHORT_HELO_HTML      Sent by dynamic rDNS, short HELO, and HTML
0.00  FSL_HELO_NON_FQDN_1
0.00  HELO_NO_DOMAIN                Relay reports its domain incorrectly
0.00  HTML_MESSAGE                  HTML included in message
3.56  RCVD_IN_PBL                   Received via a relay in Spamhaus PBL
1.28  RCVD_IN_RP_RNBL               Relay in RNBL, https://senderscore.org/blacklistlookup/
0.36  RDNS_DYNAMIC                  Delivered to internal network by host with dynamic-looking rDNS
Thanks

From: Eddo Jansen at: 2010-12-09 12:53:50

Even after your latest changes I get the Insecure dependency error.

save_execute: Insecure dependency in open while running with -T switch at /usr/share/perl5/FuzzyOcr/Misc.pm line 92.
save_execute: Insecure dependency in open while running with -T switch at /usr/share/perl5/FuzzyOcr/Misc.pm line 92.
Dec  9 13:49:16.320 [26635] dbg: FuzzyOcr: Elapsed [26653]: 0.041086 sec. (/usr/bin/giftext: exit 8)
Dec  9 13:49:16.320 [26635] warn: readline() on closed filehandle INFILE at /usr/share/perl5/FuzzyOcr/Misc.pm line 205.
Dec  9 13:49:16.321 [26635] info: FuzzyOcr: Image is single non-interlaced...
Dec  9 13:49:16.324 [26635] warn: rules: failed to run FUZZY_OCR test, skipping:
Dec  9 13:49:16.324 [26635] warn:  (Insecure dependency in printf while running with -T switch at /usr/share/perl5/FuzzyOcr.pm line 469.
Dec  9 13:49:16.324 [26635] warn: )
root@srvnld0005:/usr/src# Insecure dependency in printf while running with -T switch at /usr/share/perl5/FuzzyOcr.pm line 469.

apt-get install fuzzyocr 3 does not work for me... only if I do not configure the database...

Any thoughts on this?

From: at: 2010-12-10 22:13:37

For future problems, please post support questions in the forum.

 Please remove Fuzzy by doing:

apt-get install fuzzyocr netpbm gifsicle libungif-bin gocr ocrad libstring-approx-perl libmldbm-sync-perl libdigest-md5-perl libdbd-mysql-perl imagemagick tesseract-ocr fuzzyocr3

If anything is left, run apt-get autoremove to get rid of them.

Redo the complete FuzzyOcr section and you shouldn't have any problems.

From: at: 2010-12-04 20:34:29

Hmm, that is really strange, I must have uploaded the wrong baruwa to my storage.  I have a modified version for this install. 

 Link is good now.

From: Eddo Jansen at: 2010-12-03 12:34:31

Great guide but I came across some minor issue's...

Beside making the Spamassassin modifications after you install MailScanner, Baruwa installs a package maintained version of MailScanner as a missing dependency and places the essential .pm files in /etc/MailScanner/CustomFunctions...

You will have to move these files to the correct location:

mv /etc/MailScanner/CustomFunctions/Baruwa* /opt/MailScanner/lib/MailScanner/CustomFunctions/

Rename the old version of MailScanner to avoid problems:

mv /etc/MailScanner/ /etc/MailScanner_obsolete

Make sure you have not overwritten the /etc/init.d/mailscanner script by installing the Baruwa dependencies, otherwise make the appropriate changes to that file.

I thought I should share this with you, it might give people a headache (It gave me one  )

Cheers!

From: Sander de Rijk at: 2011-02-11 07:15:19

Great guide, I followed it and it indeed stops all my spam with no false positives :)

A few notes though: 

Baruwa recommends to install it on apache and most people already have apache running. It took me some extra work to get it running on apache but I suggest you include that in your guide or a link telling that you can actually also run it on apache.

The second one is SPF related. My DNS service also has a relayservice for email in case my mailserver is down. The current SPF setup will bounce mail because it doesnt understand that the relayservice should be trusted for the SPF module. I turned it off and still need to dig into it so that host is excluded from SPF checks.

 If you install all the cronjobs that you specified directly you will get ALOT of emails from the mailserver. I suggest to test them and then add &> /dev/null at the end of every line.

From: at: 2011-02-15 02:03:46

Thank you, really appreciate your suggestions.

Baruwa can be installed on any webserver than can run Django and nginx happens to be very fast and light.  Apache is supported out of the box with the distributed release but my custom package is strictly for nginx, which was chosen to make the system as slim as possible.

As for the SPF issue, this build has a global whitelist, which will bypass all checks once you have that ip/host in the whitelist.  Go ahead and whitelist your relayhost and that should bypass SPF checks.

From: John M at: 2011-04-06 18:40:26

The /usr/sbin/fuzzy-cleanmysql didn't work for my until I changed the following line while () { to while(<CONFIG>) { A nasty infinite loop occurs otherwise.

From: at: 2011-04-20 13:49:19

Thanks.

From: Tony Grenda at: 2011-05-12 18:49:28

I had to create a symlink to the /tmp/mysql.sock file since Ubuntu does not use this file (it is /var/run/mysqld/mysqld.sock). Use the next line to creat the symlink. sudo ln -s /var/run/mysqld/mysqld.sock /tmp/mysql.sock I could not get the FuzzyOcr check using spamassassin to work properly until I made the change.

From: at: 2011-06-10 08:08:56

Upgrade worked like a charm, thanks.

From: at: 2011-07-12 07:13:00

Great guide but shouldnt you have Baruwa installed AFTER Nginx? as you call for it to be restarted in step 8 but it isnt installed until step 9.

From: at: 2012-02-16 13:18:01

The confusion is caused by the upgrade section.  You have to completely finish the build first then go back and do the upgrade.

From: kup at: 2011-10-24 08:25:47

Hello. For the first, I would like to say - this is a great howto. My question ... do you have in your repositories the latest version of Baruwa frontend (1.1.1)? Many thanks.

From: at: 2012-02-16 13:18:38

Done, check the guide.