Postfix as Relay - Step by Step instructions

References:http://dspamwiki.expass.de/Installation/Postfix/RelayStepByStep?highlig
ht=(relay)

OS:Fedora Core 4 with Apache and Mysql preinstalled

Users and group creation

# groupadd -g 2000 postfix

# groupadd -g 2002 dspam
# groupadd -g 2004 clamav
# groupadd -g 3000 postdrop
# useradd -u 2000 -g 2000 -d /var/empty -c "Postfix Server" -s /sbin/nologin
postfix
# useradd -u 2002 -g 2002 -d /var/empty -c "DSPAM Server" -s /sbin/nologin -G
postdrop dspam
useradd -u 2004 -g 2004 -d /var/empty -c "ClamAV Server" -s /sbin/nologin -G
clamav clamav

# mysqladmin -u root password 'ROOTPASS'

Downloading, compiling and starting Clamav

# cd /tmp
# wget http://internap.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.tar.gz
# ./configure
# make
# make install
cp /tmp/clamav-0.88/contrib/init/RedHat/clamd /etc/rc.d/init.d/
chkconfig --add clamd
chkconfig --level 3 clamd on
/etc/rc.d/init.d/clamd start

vi /usr/local/etc/clamd.conf

Make sure the following entries are uncommented and present

TCPSocket 3310
TCPAddr 127.0.0.1
User clamav
ScanMail

Please see http://wiki.clamav.net/index.php/UpgradeInstructions for upgrading

Clamav from a previous version

Downloading, compiling and starting Postfix-2.2.9

# mkdir -p /var/work/source
# mkdir -p /var/work/compile/configure

# cd /var/work/source
# wget http://www.tigertech.net/mirrors/postfix-release/official/postfix-
2.2.9.tar.gz
# cd ../compile
# tar -zxf ../source/postfix-2.2.9.tar.gz
# cd postfix-2.2.9
# vim ../configure/postfix
#!/bin/sh
 make -f Makefile.init makefiles \
"CCARGS=-DHAS_MYSQL -I/usr/include/mysql" \
"AUXLIBS=-L/usr/lib/mysql -lmysqlclient -lz -lm"
# chmod 755 ../configure/postfix
# ../configure/postfix
# make && make install
( answer default settings to all prompts )
# postfix start
( see that postfix starts )
# ps axf

*******
Warning: you still need to edit myorigin/mydestination/mynetworks
parameter settings in /etc/postfix/main.cf.

See also http://www.postfix.org/faq.html for information about dialup

sites or about sites inside a firewalled network.

BTW: Check your /etc/aliases file and be sure to set up aliases

that send mail for root and postmaster to a real person, then run
/usr/bin/newaliases.
******
We do this to start postfix at boot time:

# vi /etc/rc.local
# start postfix
/usr/sbin/postfix start

Downloading, compiling DSPAM-3.6.4

# cd /var/work/source
# wget http://www.nuclearelephant.com/projects/dspam/sources/dspam-3.6.4.tar.gz
# cd ../compile
# tar -zxf ../source/dspam-3.4.2.tar.gz
# cd dspam-3.4.2/
# vi ../configure/dspam
#!/bin/sh
./configure \
--with-dspam-home=/var/dspam \
--with-dspam-home-mode=770 \
--with-dspam-home-owner=dspam \
--with-dspam-home-group=postdrop \
--with-dspam-mode=2510 \
--with-dspam-owner=dspam \
--with-dspam-group=postfix \
--with-delivery-agent=/usr/sbin/sendmail \
--with-storage-driver=mysql_drv \
--with-mysql-includes=/usr/include/mysql \
--with-mysql-libraries=/usr/lib/mysql \
--enable-preferences-extension \
--enable-virtual-users \
--enable-daemon \
--enable-debug --enable-clamav --build=i686-pc-linux-gnu

# chmod 755 ../configure/dspam

# ../configure/dspam
# make && make install
# mkdir -p /usr/local/share/dspam/
Downloading, compiling Apache-2.0.53

# cd /var/work/source
# wget http://gulus.usherbrooke.ca/pub/appl/apache/httpd/httpd-2.0.53.tar.gz
# cd ../compile
# tar -zxf ../source/httpd-2.0.53.tar.gz
# cd httpd-2.0.53/
# vi ../configure/apache
#!/bin/sh
./configure \
--enable-rewrite \
--enable-cgi \
--disable-userdir \
--enable-suexec \
--with-suexec-caller=apache \
--with-suexec-docroot=/var/www \
--with-suexec-uidmin=1000 \
--with-suexec-gidmin=1000 \
--enable-ssl
# chmod 755 ../configure/apache
# ../configure/apache
# make && make install

Closer

We have now installed the main tools; we will now start configuration!
Mysql DSPAM user and database creation.

# cd /var/work/compile/dspam-3.4.2/src/tools.mysql_drv/
# mysql -e "create database dspam"
# mysql -e "grant all on dspam.* to dspam@localhost identified by 'yourpassword'"
# mysql dspam < mysql_objects-4.1.sql

You can use any of the following lines based on whether u want dspam to add non-
exixtant users automaically in to the system or whether you would add users using
the mysql backend

#This script will require you to manually add users

mysql dspam < virtual_user_aliases.sql

If you want users to be created automatically ,use this script

mysql dspam < virtual_users.sql

# cp purge-4.1.sql /usr/local/share/dspam/

(To keep your database nice and clean you will want to run this command nightly)

# crontab -e
0 0 * * * /usr/local/bin/mysql -udspam -pDSPAMSQLPASS dspam <
/usr/local/share/dspam/purge-4.1.sql

Postfix configuration

The following configuration steps will make your postfix act as a relay (not
opened), uses DSPAM for users validation and forward mails to your real inside
server.

# cd /etc/postfix/
# vi master.cf
( Add/Remove what is needed )
smtp inet n - n - - smtpd
-o content_filter=dspam:
dspam unix - n n - 10 pipe
flags=Rhqu user=dspam argv=/usr/local/bin/dspam --deliver=innocent --user
${recipient} -i -f ${sender} -- ${recipient}

Now replace the content of your main.cf by this one; and modifie the 4 lines
(you'll see where) with your data

# vi main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
# Modify to your need thoses 4 lignes
mynetworks = 127.0.0.0/8 12.34.56.0/24
myorigin = dspam.lab.infoglobe.ca
mydomain = lab.infoglobe.ca
virtual_mailbox_domains = dspam.lab.infoglobe.ca
virtual_transport = lmtp:unix:/tmp/dspam.sock
virtual_mailbox_maps = mysql:/etc/postfix/vmailbox.cf
dspam_destination_recipient_limit = 1
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
unknown_local_recipient_reject_code = 550
parent_domain_matches_subdomains =
debug_peer_list smtpd_access_maps
smtpd_recipient_restrictions =
permit_mynetworks reject_unauth_destination
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport
alias_maps = hash:/etc/aliases
relay_domains = $transport_maps
smtpd_helo_required = yes
disable_vrfy_command = yes
biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 40000000
 message_size_limit = 20000000
mailbox_size_limit = 100000000
smtpd_banner = $myhostname ESMTP Postfix
local_transport = local
# vi vmailbox.cf
user = dspam
password = DSPAMSQLPASS
dbname = dspam
query = SELECT username FROM dspam_virtual_uids WHERE username='%s'
table = dspam_virtual_uids
host = 127.0.0.1
select_field = username
where_field = username

Put every domain you want to relay mail for in the transport table, and what
server to relay each one to. This will route mail for "domain.com" to the inside
gateway machine. The [] forces Postfix to do no MX lookup.

# vi transport
domain.com smtp:[inside-gateway.domain.com]

Now we enter every valid e-mail address in the relay_recipient table. Any not
found will get rejected right here. If you want to allow any e-mail address for a
domain, leave off the user name. The right-hand "dummy" value must be present. It
is ignored, but the file must be in name/value pairs.

# vi relay_recipients
# domain1.com, three valid addresses
foo@domain1.com dummy
foo2@domain1.com dummy
foo3@domain1.com dummy
# domain2.com, one valid address
foo@domain2.com dummy
# domain3.com, allow any address
@domain3.com dummy

Do not forget to use this each times you modifie one of theses files:

# postmap transport
# postmap relay_recipients

You need to setup an address that root mail goes to (not here!):

# vi aliases
root: you@domain.com
# postalias aliases
# postfix reload
# tail /var/log/maillog

Verify you logs (# tail /var/log/maillog) that postfix started correctly.

Apache configuration

Add/modify the following to your apache configuration:

# vi /usr/local/apache2/conf/httpd.conf
User apache
Group apache
 AddHandler cgi-script .cgi
# Modify /dspam.example.com/ to your needs
<VirtualHost *:80>
DocumentRoot "/var/www/antispam.stpimumbai.net/cgi-bin"
ServerName antispam.stpimumbai.net
ServerAdmin server-manager@megaesecure.com
ErrorLog /var/log/httpd/antispam.stpimumbai.net-error_log
TransferLog /var/log/httpd/antispam.stpimumbai.net-access_log
RewriteEngine on
RewriteRule ^/$ /dspam.cgi [R]
SuexecUserGroup dspam dspam
<Directory "/var/www/antispam.stpimumbai.net/cgi-bin">
Options FollowSymLinks ExecCGI
AllowOverride None
Order deny,allow
Deny from all
AuthType Basic
AuthName "DSPAM Control Center"
AuthUserFile /var/www/etc/htpasswd
Require valid-user
Satisfy Any
</Directory>
</VirtualHost>

# apachectl restart
# ps axf

Setting up the DSPAM web interface

# mkdir -p /var/www/etc/
# chown apache.dspam /var/www/etc/
Setup the password file for logging into the web interface:
# htpasswd -c /var/www/etc/htpasswd user@domain.com
# htpasswd /var/www/etc/htpasswd user2@domain.com

Create an administrative account (you'll be able in a few lines to edit a file

containing the list of user with have access to admin interface; file is called
/admins/):

# htpasswd /var/www/etc/htpasswd root

Replace /dspam.exemple.com/ by the path defined in your apache configuration:

# mkdir -p /var/www/dspam.exemple.com
# chmod 555 /var/www/dspam.exemple.com
# chown dspam.dspam /var/www/dspam.example.com
# cd /var/www/dspam.example.com
# cp -r /var/work/compile/dspam-3.4.2/cgi/* .
# rm -f Makefile*
# chown -R dspam.dspam *
# chmod 444 *.*
# chmod 554 *.cgi
# chmod 555 templates
# chmod 444 templates/*

You need to modify 2 littles things:

# vi configure.pl
 $CONFIG{'LOCAL_DOMAIN'} = "YourDomain.com";
$CONFIG{'DSPAM_HOME'} = "/var/dspam";

And you need (for the configuration we choses (authentication with the domain
name) to remove the domain:

# vi templates/nav_performance.html
- <strong>spam-$REMOTE_USER$@yourdomain.com</strong>
+ <strong>spam-$REMOTE_USER$</strong>

You should now be able to test the web interface! BUT graphics generation is not
ready!...
Downloading, compiling and installing GD & Co.

# apt-get install libpng-devel libjpeg-devel

# cd /var/work/source
# wget http://www.boutell.com/gd/http/gd-2.0.33.tar.gz
# mkdir CPAN; cd CPAN
# wget http://www.perl.com/CPAN/modules/by-module/GD/GDGraph-1.43.tar.gz
# wget http://www.perl.com/CPAN/modules/by-module/GD/GDTextUtil-0.86.tar.gz
# wget http://www.perl.com/CPAN/modules/by-module/GD/GD-Graph3d-0.63.tar.gz
# wget http://www.perl.com/CPAN/modules/by-module/GD/GD-2.23.tar.gz
# cd ../../compile/
# tar xzf ../source/gd-2.0.33.tar.gz
# cd gd-2.0.33/
# vi ../configure/gd
#!/bin/sh
./configure
# chmod 755 ../configure/gd
# ../configure/gd
# make
# make install
# cd ..
# mkdir CPAN; cd CPAN
# tar xzf ../../source/CPAN/GDGraph-1.43.tar.gz
# tar xzf ../../source/CPAN/GDTextUtil-0.86.tar.gz
# tar xzf ../../source/CPAN/GD-Graph3d-0.63.tar.gz
# tar xzf ../../source/CPAN/GD-2.23.tar.gz
# cd GD-2.23
# perl Makefile.PL
# make && make test
# make install
# cd ../GDTextUtil-0.86/
# perl Makefile.PL
# make && make test
# make install
# cd ../GDGraph-1.43/
# perl Makefile.PL
# make && make test
# make install
# cd ../GD-Graph3d-0.63/
# perl Makefile.PL
# make && make test
# make install

If you followed thoses steps graphics should be printed now!

The real thing
Edition of you DSPAM configuration file
"But why have you make me wait so long?!" Just to increase pleasure ;)

# vi /usr/local/etc/dspam.conf
+ Trust dspam
+ Trust apache
+ Trust postfix
+ AllowOverride localStore
MySQLServer /tmp/mysql.sock
MySQLPort 3306
MySQLUser dspam
MySQLPass DSPAMSQLPASS
MySQLDb dspam
MySQLCompress true

This prevents Postfix from needing to use any aliases for retraining. When users
email spam-name@domain.com, DSPAM will automatically realize that it needs to
retrain the message.

ParseToHeaders on
ChangeModeOnParse on
ChangeUserOnParse off
ServerQueueSize 32
ServerPID /var/run/dspam.pid
ServerMode standard
ServerParameters "--deliver=innocent"
ServerIdent "localhost.localdomain"
ServerDomainSocketPath /tmp/dspam.sock

Please ensure the following entries are present and uncommented in

/usr/local/etc/dspam.conf
ClamAVPort 3310
#ClamAVPort /tmp/clamd
ClamAVHost 127.0.0.1
ClamAVResponse accept

Misc
Database cleanning

# crontab -e
0 0 * * * /usr/local/bin/mysql -u dspam -p'DSPAMPASS' dspam <
/usr/local/share/dspam/purge-4.1.sql | mail root

Testing the antispam relay server

# telnet 203.129.232.18 25
Trying 203.129.232.18...
Connected to 203.129.232.18 (203.129.232.18).
Escape character is '^]'.
220 antispam.stpimumbai.net ESMTP Postfix
helo myself
250 antispam.stpimumbai.net
MAIL FROM:<spammer@spamserver.com>
250 Ok
RCPT TO:<vaibhav@stpimumbai.net>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
My message
>
.
250 Ok: queued as 52B821FFA5C

Authentication with IMAP accounts

# locate apxs

If apxs is not found on your server then install httpd-devel using the following
command

# yum install httpd-devel

Download mod_auth_imap from http://www.zhen.org/cowiki/Software/ModAuthImap or any

other mirror

Installation (shared module)

============================
- CD to the mod_auth_imap directory.
- Use Apache's APXS program (you may have to hunt for it):
apxs -i -a -c mod_auth_imap.c
- Note: if you have previously installed mod_auth_imap, don't use the "-a"
flag to APXS, as you already have the necessary changes in httpd.conf
- Make the appropriate changes to your .htaccess or httpd.conf, see the
files in the included "examples" directory for some examples.
- Restart Apache.

Add the following entries to your apache virtual host section in httpd.conf

<VirtualHost *:80>
DocumentRoot "/var/www/antispam.stpimumbai.net/cgi-bin"
ServerName antispam.stpimumbai.net
ServerAdmin server-manager@megaesecure.com
ErrorLog /var/log/httpd/antispam.stpimumbai.net-error_log
TransferLog /var/log/httpd/antispam.stpimumbai.net-access_log
RewriteEngine on
RewriteRule ^/$ /dspam.cgi [R]
SuexecUserGroup dspam dspam
<Directory "/var/www/antispam.stpimumbai.net/cgi-bin">
Options FollowSymLinks ExecCGI
AllowOverride None
Order deny,allow
Deny from all
Auth_IMAP_Enabled on
AuthType Basic
AuthName "mail.stpimumbai.net"
Auth_IMAP_Authoritative on
Auth_IMAP_Server sandesh.stpimumbai.net
Auth_IMAP_Port 143
Require valid-user
Auth_IMAP_Log on
Satisfy Any
</Directory>
</VirtualHost>
Dspam Training

#Touch /var/dspam/group
#vi /var/dspam/group
global_group:classification:*globaluser

# cd /tmp
# wget http://dspam.sourceforge.net/sources/extras/dspam_sa_trainer.tar.gz
Download the public corpus from http://spamassassin.apache.org/publiccorpus/.
It is recommended you grab all of the 20030228 archives except for
easy_ham_2 (to help balance the corpus) and the 2002 spam archive.
Extract and untar each archive in /tmp/spam directory.

# tar zxvf dspam_sa_trainer.tar.gz

#cd /tmp/spam
/tmp/dspam_sa_trainer/publiccorpus.pl global_group

Troubleshooting History page display issues

vi /var/www/antispam.stpimumbai.net/cgi-bin/configure.pl
Modify as follows
$CONFIG{'HISTORY_SIZE'} = 10000;
$CONFIG{'HISTORY_PER_PAGE'} = 10000;