This documentation is applicable to the current release, and should mostly be applicable to older releases..
This documentation is FreeBSD centric (because that is what I use and develop on), so you may have to use eqivalent methods for your flavor of OS.
- Decide, when started as ROOT, what user id Spamilter should switch to.
If the user Nobody is fine, then your set, go to the next step.
Otherwise, you may want to create a new user, or use an existing one. Either way, you'll need to modify the UserName parameter of spamilter.rc. See Configuration
- If you are going to use the SPF feature, pull and build the latest libspf distribution in an adjacent directory to spamilter, since it is no longer included the the tar ball. NB. You will need to add something like
--with-libspf ../libspfto your spamilter configure invocation below in order to link to the library. Unpack the tar ball with something like;
- You must have a libmiter enabled version of Sendmail. Otherwise all is for naught.
On FreeBSD 4.8 and greater, sendmail is libmilter enabled out of the box. Otherwise, it is not. To build an enabled version, you must have the system source installed, or have installed sendmail from scratch with -D_FFR_MILTER. If you have the FreeBSD 4.x system source installed, put the libmilter.sh script in /usr/src, (or your src tree directory equivalent) and run it. This will build and install all that is needed for the version of sendmail that came with the system.
If your OS installation doesn't come with a libmilter enabled sendmail, then you'll need to download the source and build it with
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')in your sendmail-x.x.x/devtools/Site/site.config.m4 file. After you build and install sendmail, you'll need to cd to the libmiter directory in the distribution and run make before Spamilter will compile.
./configure --helpto show all available compile time options that you may want to use, such as pop before stmp.
- Then do;
cd spamilter && ./configure && make all install
cd spamilter && ./configure --sendmail_dir ../sendmail-x.x.x && make all install
tar xvfz spamilter-0.50.tgz
This will build Spamilter and install it in /usr/local/bin with mode 0555. Spamilter has no need to be setuid or setgid enabled.
!Spamilter *.=info /var/log/spam.log *.<>info /var/log/spam.errNotice the capitalized S.
/var/log/spam.log 644 7 * $D0 Z /var/log/spam.err 644 7 100 * Z
touch /var/log/spam.log /var/log/spam.errand HUP syslogd with;
killall -s -HUP syslogd
mkdir /var/db/spamilterand copy the default database files into it;
cp conf/db.* /var/db/spamilterMake sure that the directory has the right permissions for the Spamilter user to be able to read the files. Write access is not needed.
cp conf/spamilter.rc /etc
Add the following to your sendmail.m4 and rebuild the sendmail.cf file, then restart sendmail;
INPUT_MAIL_FILTER(`spamilter', `S=inet:7726@localhost, F=T, T=C:30s;R:4m;S:30s;E:30s')Alternately, add the following somewhere near the top of the file, and then restart sendmail;
Xspamilter, S=inet:7726@localhost, F=T, T=C:30s;R:4m;S:30s;E:30s O InputMailFilters=spamilterNB. That F=T wil configure sendmail to TempFail any incomming mail when Spamilter is unavailable. This should cause the connecting MTA to queue the email for later delivery attempts.
Edit the following files to taste; Note: The files that are linked to here, are the same that are in the tarball.
UserName The system user id to switch to if Spamilter is run as root. PolicyUrl The URL reference address supplied in email rejections. Dbpath The directory path to where db.sndr, db.rcpt, and db.rdnsbl files are stored. Conn The connection type that sendmail will use to connect to Spamilter. Note: It must match what is specified in sendmail.cf. DnsBlChk If non-zero, the real time DNS block filter will be enabled. SmtpSndrChk If non-zero, the sender address verification filter will be enabled. SmtpSndrChkAction If the sender address verification test fails, either 'Reject' or 'Tag' the email. MtaHostChk If non-zero, and the hostname supplied by the opposing MTA in the "Helo" MTA negotiation phase is not resolvable to a DNS A RR, then the connect attempt is rejected. Note: This goes against RFC! For sites other than low-volume/personal, you may want to disable this filter. MtaHostIpfw If non-zero and an email is marked as Reject in the MtaHostChk filter, then the ip address is injected into the system firewall rules via the ipfwmtad daemon, thereby blocking all further connects by that ip address for 48 hours. MtaHostIpfwNominate If non-zero the connecting MTA ip address will be presented to ipfwmtad for connection rate limiting nomination. MtaHostIpChk If non-zero the connecting MTA ip address will be tested to see if it matches the HELO MTA hostname ip address, and Reject upon failure. MsExtChkAction If the MsExtChk filter finds a listed extension, then either 'Reject' or 'Tag' the email. MsExtChk If non-zero, enables rejection or tagging of emails that have attachments where the extension name is in the specified list from the /var/db/spamilter/db.extensions file. PopAuthChk If non-null, then the specified db file will be consulted to determine if the client connection should be treated as a local net host, there by passing all filters. This should work with Pop-before-smtp and DRAC MtaSpfChk If non-zero, then the client connection is valided with the SPF proccess using libspf
This file is used to match filter rules of the Black/White list filter, against a given sender address. This sender address is the one given to sendmail in the "mail from: " phase of the MTA to MTA negotiation, not the one specified in the "From: " header of the email.
This file is used to match filter rules of the Black/White list filter, against a given recipient address. This recipient address is also the one given to sendmail in the "rcpt to: " phase of the MTA to MTA negotiation, not the one specified in the "To:" header of the email.
This file is used to configure any realtime dns block lists to be consulted for rejection or tagging. See DnsBlChk in spamilter.rc
This file is used to configure which file attachments that should be rejected based on the filename extension.
- Don't forget to create the html file that the policy URL points to. A sample policy file has been provided in conf/policy.html
- Don't forget to publish an SPF record if you are not already. You can use the wizard to quickly generate an appropriate record. It's easy, painless, an will only take 5 minutes.
The rest of the fields in the files are described in the top of each one.
If a given email "Mail from: " or "Rcpt to: " address as provided during the MTA to MTA negotiation phase matches a "rule" entry, then the email is marked with the action specified in the action column.
The action column can be one of the following;
- None The email will continue to be proccessed normally by sendmail and Spamilter.
- Accept The email will continue to be proccessed normally by sendmail and will not be further processed by other Spamilter filters.
- Reject Sendmail will reject reception of the email, causing it to not be delivered to the end user.
- Discard Sendmail will accept the email, but silently discard it, causing it to not be delivered to the end user.
- Fail Sendmail will not accept the message, and further, will instruct the sending MTA to try again later.
- Tarpit Sendmail will, like "Reject", not deliver the email to the end user, but will also delay completion of the MTA negotiation phase by a fixed 2 minutes, and thereby slow down the opposing MTA.
- Exec A match of the rule;
- Connecting MTA ip address
- "Mail from: " address
- "Rcpt to: " address
.netinfo4u.com | | Exec | /usr/local/bin/someexecutablein either db.sndr or db.rcpt will result in /usr/local/bin/someexecutable being called with the following three paramaters respectively;
- 0 - Sendmail and Spamilter will continue to proccess the email.
- 1 - Sendmail will "Reject" the email.
- 2 - Sendmail will "Fail" the email.
- 3 - Sendmail will "Discard" the email.
The rest of the fields in the file are described in the top of the file.
If a given rdnsbl host finds the connecting MTA's ip address in the rdnsbl database, then Spamilter can take one of two actions;
- Tag Accept the email, but flag it for the user in three ways, if sendmail reaches the EOM MTA handling phase;
- Prepend "Spam ? - " to the subject line header.
- Inject an "X-Status: F" header in to the email. (This does not seem to survive traversal of Microsoft Exchange Server)
- Inject an "X-Keywords: $Label5" header into the email. (This does not seem to survive traversal of Microsoft Exchange Server)
- Reject Reject the email.
- Conn When the opposing MTA connects.
- From After the opposing MTA specifies the sender email address.
- Rcpt After the opposing MTA specifies the recipient email address.
- EOM After the headers and the body of the email has been received.
- For manual startup,
spamilterto background the filter or;
spamilter -d1to keep it in the foreground and watch what happens.
For automatic startup, on FreeBSD /usr/local/etc/rc.d/spamilter.sh is installed for you, on other systems, you'll need to craft a startup script.
- Sit back and enjoy the sea of tranquility that is your new inbox.