The Perfect SpamSnake - Ubuntu Jeos 12.04 LTS Precise Pangolin
Author: Rocky
Version: 5
Postfix w/Bayesian Filtering, Postscreen, Postfix Recipient Callout (Relay Recipients via look-ahead Optional), Nginx/Uwsgi, Mysql, Dnsmasq, MailScanner (Spamassassin, ClamAV, Pyzor, Razor, DCC-Client), Baruwa, SPF Checks, FuzzyOcr, Sanesecurity Signatures, Greyfix, KAM, Scamnailer, FireHOL (Iptables Firewall), Relay Recipients Script (Optional), Webmin (Optional), Outgoing Disclaimer with alterMIME (Optional)
This tutorial shows how to set up an Ubuntu Jeos based server as a spamfilter in Gateway mode. In the end, you will have a SpamSnake Gateway which will relay clean emails to your MTA. You will also be able to view your incoming queue, train your SpamSnake and carry out a few more advanced operations via Baruwa.
I cannot offer any guarantees that this will work for you, the same way it’s working for me.
I will use the following software:
• Web Server: Nginx v1.1.19/Uwsgi v1.0.3
• Database Server: MySQL v5.5.28
• Mail Server: Postfix v2.9.3
• Caching DNS Server: Dnsmasq 2.59
• Filter: MailScanner v4.84.5-3
• Frontend: Baruwa v1.1.2-4sn
Credit goes to the guys at HowToForge and the developers of MailScanner, Baruwa, Clamav, Nginx/Uwsgi, Mysql, Postfix, Spamassassin, Razor/Pyzor/DCC and Firehol.
BASE INSTALL
1. Install minimum vm option
Set hostname to server1
2. Default guided partition method
3. Setup user:
u: administrator
p: password
No encryption
4. No auto-updates
5. Install OpenSSH
POST INSTALLATION
1. Get root Privileges
Enable the root login by running the following and giving root a password. You can then directly log in as root:
sudo passwd root
2. Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces
and make it look like the following:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 192.168.0.1
Then restart your network:
/etc/init.d/networking restart
vi /etc/hosts
and make it look like this:
127.0.0.1 localhost.localdomain localhost 192.168.0.100 server1.example.com server1 # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts
Now run:
echo server1.example.com > /etc/hostname
reboot now
Afterwards, run:
hostname
hostname -f
Both should show server1.example.com now.
3. Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:
dpkg-reconfigure dash
Install dash as /bin/sh? <-- No
Install a few packages and requirements that are needed later on:
apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-raw-zlib-perl libdb4.8-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential telnet wget gawk -y
4. Caching Dnsmasq
apt-get install dnsmasq -y
vi /etc/dnsmasq.conf
and make Dnsmasq listen on localhost:
listen-address=127.0.0.1
5. Install Mysql
apt-get install mysql-client mysql-server libdbd-mysql-perl -y
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
6. Install Postfix:
apt-get install postfix postfix-mysql postfix-doc procmail -y
You will be asked two questions. Answer as follows:
General type of mail configuration: --> Internet Site
System mail name: --> server1.example.com
Stop Postfix:
postfix stop
vi /etc/postfix/master.cf
and make it look like the following:
pickup fifo n - - 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
Edit main.cf:
vi /usr/src/postfix.sh
with the following:
#!/bin/sh postconf -e "alias_maps = hash:/etc/aliases" newaliases postconf -e "myorigin = domain.tld" postconf -e "myhostname = server1.domain.tld" postconf -e "mynetworks = 127.0.0.0/8, 192.168.0.0/24" postconf -e "message_size_limit = 10485760" postconf -e "local_transport = error:No local mail delivery" postconf -e "mydestination = " postconf -e "local_recipient_maps = " postconf -e "relay_domains = mysql:/etc/postfix/mysql-relay_domains.cf" postconf -e "relay_recipient_maps = mysql:/etc/postfix/mysql-relay_recipients.cf" postconf -e "transport_maps = mysql:/etc/postfix/mysql-transports.cf" postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual" postconf -e "disable_vrfy_command = yes" postconf -e "strict_rfc821_envelopes = no" postconf -e "smtpd_banner = $myhostname ESMTP SpamSnake" postconf -e "smtpd_delay_reject = yes" postconf -e "smtpd_recipient_limit = 100" postconf -e "smtpd_helo_required = yes" postconf -e "smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, permit" postconf -e "smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, permit" postconf -e "smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit" postconf -e "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_unauth_destination, whitelist_policy, grey_policy, rbl_policy, spf_policy, permit" postconf -e "smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining" postconf -e "smtpd_restriction_classes = spf_policy, grey_policy, whitelist_policy" postconf -e "spf_policy = check_policy_service unix:private/policy-spf" postconf –e "policy-spf_time_limit = 3600s" postconf -e "rbl_policy = reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net" postconf -e "grey_policy = check_policy_service unix:private/greyfix" postconf -e "whitelist_policy = check_client_access mysql:/etc/postfix/mysql-global_whitelist.cf, check_sender_access mysql:/etc/postfix/mysql-global_whitelist.cf" postconf -e "header_checks = regexp:/etc/postfix/header_checks" touch /etc/postfix/virtual echo "root administrator@example.com" >> /etc/postfix/virtual && echo "abuse administrator@example.com" >> /etc/postfix/virtual && echo "postmaster administrator@example.com" >> /etc/postfix/virtual postmap /etc/postfix/virtual touch /etc/postfix/header_checks echo "/^Received:/ HOLD" >> /etc/postfix/header_checks postmap /etc/postfix/header_checks cat > /etc/postfix/mysql-global_whitelist.cf <<EOF
#mysql-global_whitelist
user = baruwa
password = password
dbname = baruwa
query = select concat('PERMIT') 'action' from lists where from_address='%s' AND list_type='1';
hosts = 127.0.0.1
EOF
cat > /etc/postfix/mysql-relay_domains.cf <<EOF
#mysql-relay_domains
user = baruwa
password = password
dbname = baruwa
query = select concat(address, ' ', 'OK') 'domain' from user_addresses where user_addresses.address='%s' and user_addresses.enabled='1';
hosts = 127.0.0.1
EOF
cat > /etc/postfix/mysql-relay_recipients.cf <<EOF
#mysql-relay_recipients
user = baruwa
password = password
dbname = baruwa
query = select concat('@', address, 'OK') 'email' from user_addresses where user_addresses.address='%d';
hosts = 127.0.0.1
EOF
cat > /etc/postfix/mysql-transports.cf <<EOF
#mysql-transports
user = baruwa
password = password
dbname = baruwa
query = select concat('smtp:[', mail_hosts.address, ']', ':', port) 'transport' from mail_hosts, user_addresses where user_addresses.address = '%s' AND user_addresses.id = mail_hosts.useraddress_id;
hosts = 127.0.0.1
EOF
Note: For this step, make sure to replace anything@example.com, example.com and @example.com with real values that matches your setup.
Make it executable and run it:
chmod +x /usr/src/postfix.sh
./usr/src/postfix.sh
*Note: The user/password for the cf files needs to be the same as the user/password you'll use with your Baruwa DB setup later on. Make sure to change everything in red before running the script.
Postfix Recipient Callout(Optional)
This feature queries the recipient server to see if the recipient exists. If not, it replies with a 550 error to the sending server and drops the connection. If the user does exist, the SpamSnake will continue processing the email. This is just another method to prevent backscatter, but comes at a price. Read up on it at http://www.postfix.org/ADDRESS_VERIFICATION_README.html. You can skip this method and use the script method (later on in this guide) if you decide it will bog down your server.
vi /etc/postfix/main.cf and add the following:
verify_recipient = reject_unknown_recipient_domain, reject_unverified_recipient
look_ahead = check_recipient_access hash:/etc/postfix/access
unverified_recipient_reject_code = 550
address_verify_map = btree:/var/lib/postfix/verify
Add this to your smtpd_restriction_classes:
verify_recipient, look_ahead
Add this to smptd_recipient_restrictions:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, look_ahead, whitelist_policy, grey_policy, rbl_policy, spf_policy, permit
Create the access file:
touch /etc/postfix/access
Add your domains:
cat > /etc/postfix/access <<EOF
#mysql-transports
example.com verify_recipient
example2.com verify_recipient
EOF
*Note: Make sure to add valid domains you're filtering for.
Postmap it:
postmap /etc/postfix/access
Final look at the Postfix install:
less /etc/postfix/main.cf
Check the contents of the file for errors and repair if needed. Fire up Postfix:
postfix start
Check that Postfix responds:
telnet 127.0.0.1 25
You should see:
220 [yourFQDNhere] ESMTP Postfix (Ubuntu)