Use postfix and spamassassin packages on CentOS 6 to reject SPAM
Alexander Farber
2014-08-11 14:19:21 UTC
Dear postfix users,

here is what I'm trying at my CentOS 6.5 Linux server:

1) Installed postfix and spamassassin packages
2) Configured postfix - it works well (see "postconf -n" below)
3) Added "-x" to the SPAMDOPTIONS in /etc/sysconfig/spamassassin
4) Added the following 2 lines to the /etc/postfix/master.cf

smtp inet n - n - - smtpd -o content_filter=spamassassin
spamassassin unix - n n - - pipe user=nobody argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Unfortunately, when I send the test SPAM mail with the subject

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

- it still comes through!

And the subject isn't rewritten despite "rewrite_header Subject [SPAM]" in
the unmodified /etc/mail/spamassassin/local.cf

I wonder, what have I missed? My /var/log/maillog is below too.

Regards
Alex

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = www.afarber.de
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 40s
smtp_generic_maps = hash:/etc/postfix/generic
unknown_local_recipient_reject_code = 550
virtual_alias_domains = videoskat.de balkan-preferans.de simplex.ru larissa-farber.de bukvy.de slova.de
virtual_alias_maps = hash:/etc/postfix/virtual

postfix/postfix-script[2546]: starting the Postfix mail system
postfix/master[2547]: daemon started -- version 2.6.6, configuration
/etc/postfix
postfix/qmgr[2550]: D5B19807033: from=<***@yandex.ru>, size=1843,
nrcpt=1 (queue active)
postfix/qmgr[2550]: 831CA809733: from=<***@saic.com>, size=41369,
nrcpt=1 (queue active)
postfix/qmgr[2550]: 42B7A80A312: from=<***@minzhigroup.vicp.cc>,
size=4399, nrcpt=1 (queue active)
postfix/qmgr[2550]: AED94809D29: from=<***@groupmenumagazine.co.uk>,
size=28035, nrcpt=1 (queue active)
postfix/qmgr[2550]: E69AA809D3C: from=<>, size=3487, nrcpt=1 (queue active)
postfix/qmgr[2550]: 2BDE980A61B: from=<***@yahoo.co.jp>, size=4073,
nrcpt=1 (queue active)
postfix/qmgr[2550]: 0D37280A51F: from=<***@c21.com>, size=7888, nrcpt=1
(queue active)
postfix/smtp[2552]: D5B19807033: host gmail-smtp-in.l.google.com[74.125.136.27]
said: 421-4.7.0 [144.76.184.154 15] Our system has detected an unusual
rate of 421-4.7.0 unsolicited mail originating from your IP address. To
protect our 421-4.7.0 users from spam, mail sent from your IP address has
been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0
http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0
Email Senders Guidelines. l16si23407549wjr.0 - gsmtp (in reply to end of
DATA command)
postfix/smtp[2552]: D5B19807033: to=<***@gmail.com>, orig_to=<
***@simplex.ru>, relay=alt1.gmail-smtp-in.l.google.com[74.125.25.27]:25,
delay=6325, delays=6323/0/1.2/0.61, dsn=4.7.0, status=deferred (host
alt1.gmail-smtp-in.l.google.com[74.125.25.27] said: 421-4.7.0
[144.76.184.154 15] Our system has detected an unusual rate of
421-4.7.0 unsolicited mail originating from your IP address. To protect our
421-4.7.0 users from spam, mail sent from your IP address has been
temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0
http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0
Email Senders Guidelines. f7si4794087pdm.22 - gsmtp (in reply to end of
DATA command))
postfix/smtpd[2557]: connect from mail-ie0-f180.google.com[209.85.223.180]
postfix/smtpd[2557]: B3FFF809367: client=mail-ie0-f180.google.com
[209.85.223.180]
postfix/cleanup[2561]: B3FFF809367:
message-id=<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=
***@mail.gmail.com>
postfix/qmgr[2550]: B3FFF809367: from=<***@gmail.com>, size=1767,
nrcpt=1 (queue active)
spamd[2034]: spamd: connection from localhost [127.0.0.1] at port 42928
spamd[2034]: spamd: setuid to nobody succeeded
spamd[2034]: spamd: processing message
<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=***@mail.gmail.com> for
nobody:99
postfix/smtpd[2557]: disconnect from mail-ie0-f180.google.com
[209.85.223.180]
spamd[2034]: spamd: identified spam (999.9/5.0) for nobody:99 in 0.2
seconds, 1730 bytes.
spamd[2034]: spamd: result: Y 999 -
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,GTUBE,HTML_MESSAGE,T_TO_NO_BRKTS_FREEMAIL
scantime=0.2,size=1730,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42928,mid=<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=
***@mail.gmail.com>,autolearn=no
postfix/pickup[2549]: 3124F80A3DA: uid=99 from=<***@gmail.com>
postfix/cleanup[2561]: 3124F80A3DA:
message-id=<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=
***@mail.gmail.com>
postfix/pipe[2562]: B3FFF809367: to=<***@gmail.com>, orig_to=<
***@bukvy.de>, relay=spamassassin, delay=0.59,
delays=0.37/0.01/0/0.22, dsn=2.0.0, status=sent (delivered via spamassassin
service)
postfix/qmgr[2550]: B3FFF809367: removed
spamd[2032]: prefork: child states: II
postfix/qmgr[2550]: 3124F80A3DA: from=<***@gmail.com>, size=2843,
nrcpt=1 (queue active)
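
Added example, not part of the original post: a Python pass over the maillog above that uses the message-id to link the queue entry handed to the spamassassin pipe with the copy re-injected through pickup, and attaches spamd's verdict to it. The log lines are selected from the post with wrapped lines rejoined; the function and field names are this example's own.

```python
import re

# Lines selected from the maillog in the post above, wrapped lines rejoined.
MID = "<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=***@mail.gmail.com>"
MAILLOG = f"""\
postfix/cleanup[2561]: B3FFF809367: message-id={MID}
postfix/qmgr[2550]: B3FFF809367: from=<***@gmail.com>, size=1767, nrcpt=1 (queue active)
spamd[2034]: spamd: result: Y 999 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,GTUBE,HTML_MESSAGE,T_TO_NO_BRKTS_FREEMAIL scantime=0.2,size=1730,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42928,mid={MID},autolearn=no
postfix/pickup[2549]: 3124F80A3DA: uid=99 from=<***@gmail.com>
postfix/cleanup[2561]: 3124F80A3DA: message-id={MID}
postfix/pipe[2562]: B3FFF809367: to=<***@gmail.com>, orig_to=<***@bukvy.de>, relay=spamassassin, delay=0.59, delays=0.37/0.01/0/0.22, dsn=2.0.0, status=sent (delivered via spamassassin service)
postfix/qmgr[2550]: B3FFF809367: removed
postfix/qmgr[2550]: 3124F80A3DA: from=<***@gmail.com>, size=2843, nrcpt=1 (queue active)
"""

QLINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
RESULT = re.compile(r"spamd: result: (\S) (-?\d+) - (\S+) .*mid=(<[^>]+>)")
# daemon -> (field name in the report, pattern that extracts it)
FIELD = {"pickup": ("uid", r"uid=(\d+)"),
         "qmgr": ("size", r"size=(\d+)"),
         "pipe": ("relay", r"relay=([^,]+)")}

def trace_content_filter(log_text):
    """Link each message's pre-filter and re-injected queue entries by message-id."""
    by_qid, verdicts = {}, {}
    for line in log_text.splitlines():
        r = RESULT.search(line)
        if r:  # spamd's summary line carries the message-id as mid=
            verdicts[r.group(4)] = {"spam": r.group(1) == "Y",
                                    "score": int(r.group(2)),
                                    "tests": r.group(3).split(",")}
            continue
        q = QLINE.search(line)
        if not q:
            continue
        daemon, qid, rest = q.groups()
        entry = by_qid.setdefault(qid, {"qid": qid})
        if daemon == "cleanup" and rest.startswith("message-id="):
            entry["mid"] = rest[len("message-id="):]
        elif daemon in FIELD:
            name, pattern = FIELD[daemon]
            m = re.search(pattern, rest)
            if m:
                entry[name] = m.group(1)
    report = {}
    for entry in by_qid.values():
        if "mid" in entry:
            msg = report.setdefault(entry["mid"], {"verdict": verdicts.get(entry["mid"])})
            # A queue entry created by pickup(8) is the copy sendmail re-injected.
            msg["reinjected" if "uid" in entry else "original"] = entry
    return report
```

For the message in the post, the report pairs queue ID B3FFF809367 (relay=spamassassin) with 3124F80A3DA (picked up from uid 99) and shows spamd's GTUBE hit, so the content_filter hand-off and the re-injection both took place.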
l***@rhsoft.net
2014-08-11 14:22:57 UTC
Post by Alexander Farber
Dear postfix users,
here is what I'm trying at my CentOS 6.5 Linux server

please make a decision if you would like to have that topic
on the CentOS list, on the postfix list or on serverfault
which you linked at the same message to the CentOS list

http://serverfault.com/questions/619537/use-postfix-and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo
Bill Cole
2014-08-11 23:44:15 UTC
Post by l***@rhsoft.net
Post by Alexander Farber
Dear postfix users,
here is what I'm trying at my CentOS 6.5 Linux server
please make a decision if you would like to have that topic
on the CentOS list, on the postfix list or on serverfault
which you linked at the same message to the CentOS list
http://serverfault.com/questions/619537/use-postfix-and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo

Also worth noting: embedding the GTUBE pattern in a message is an
excellent way to minimize visibility of a message among SpamAssassin
users.
Alexander Farber
2014-08-12 07:34:04 UTC
On Tue, Aug 12, 2014 at 1:44 AM, Bill Cole <
Post by Bill Cole
Post by l***@rhsoft.net
http://serverfault.com/questions/619537/use-postfix-and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo
Also worth noting: embedding the GTUBE pattern in a message is an
excellent way to minimize visibility of a message among SpamAssassin users.

The GTUBE mail (and the other mails I try) come through, because I haven't
touched header_checks yet.

The problem is - why don't subjects get rewritten by Spamassassin - despite
having "rewrite_header Subject [SPAM]" in /etc/mail/spamassassin/local.cf?

But maybe the Postfix side is okay and I should ask at the Spamassassin
mailing list - even though Mr. rhsoft.net disapproves.

Regards
Alex
Alexander Farber
2014-08-12 08:38:30 UTC
Hello again,

On Tue, Aug 12, 2014 at 9:34 AM, Alexander Farber <
Post by l***@rhsoft.net
http://serverfault.com/questions/619537/use-postfix-and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo

the point of my question (maybe I haven't stated it clearly enough) has
been: how to combine Postfix and Spamassassin on CentOS with minimal
efforts.

I didn't want to add custom shell scripts or users - as suggested in many
HOWTOs on the web.

I think I have the answer now:

1) Install the spamassassin package (the postfix package is installed by
default)

2) Add a user to your system with "useradd spam" (you can't omit this step
- this has been the culprit in my case - I was trying to use the user
"nobody", but it didn't have a home dir and that has broken Spamassassin
despite me passing "-x" to spamd)

3) Add "/^Subject: \[SPAM\]/ DISCARD" to the /etc/postfix/header_checks
(check the /etc/mail/spamassassin/local.cf to see the exact string to match)

4) Add the following 2 lines to the /etc/postfix/master.cf:

smtp inet n - n - - smtpd -o content_filter=spamassassin
spamassassin unix - n n - - pipe user=spam argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Regards
Alex
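
A pre-flight check for the setup described above, as an added Python example that is not part of the original post: it reads the master.cf entries, finds the account the spamc pipe runs as, and checks that account's home directory, which the post names as the culprit. Treating a home that is missing or not owned by the user as a problem is this example's assumption, and the function names are its own.

```python
import os
import pwd

# The two master.cf entries from the post above; the wrapped argv is written
# as a continuation line (leading whitespace), as master.cf requires.
MASTER_CF = """\
smtp inet n - n - - smtpd -o content_filter=spamassassin
spamassassin unix - n n - - pipe user=spam argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
"""

# FILTER_README asks for a dedicated filter account, not one of these.
SHARED_ACCOUNTS = {"nobody", "root", "postfix"}

def logical_lines(text):
    """Join continuation lines; drop blank lines and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def spamc_pipe_users(text):
    """Return {service name: user} for pipe(8) services whose argv runs spamc."""
    users = {}
    for fields in map(str.split, logical_lines(text)):
        if len(fields) > 8 and fields[7] == "pipe" and any("spamc" in a for a in fields[8:]):
            user = next((a[5:] for a in fields[8:] if a.startswith("user=")), "")
            users[fields[0]] = user.split(":")[0]
    return users

def check_user(user, getpw=pwd.getpwnam, stat=os.stat):
    """List reasons why `user` is a poor choice for the spamc pipe."""
    problems = ["shared system account"] if user in SHARED_ACCOUNTS else []
    try:
        pw = getpw(user)
    except KeyError:
        return problems + ["no such user"]
    try:
        owner = stat(pw.pw_dir).st_uid
    except OSError:
        return problems + ["home directory missing"]
    if owner != pw.pw_uid:  # assumption: SpamAssassin keeps per-user state there
        problems.append("home directory not owned by user")
    return problems
```

On the mail server, call `check_user()` with only the user name so that the real passwd database and filesystem are consulted.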
/dev/rob0
2014-08-12 12:38:31 UTC
BTW, the point of Bill Cole's post (I almost posted something
similar) was that you put the GTUBE string right here in a public
mailing list. Most people who use SpamAssassin thus would not get
your post: it was flagged as spam, of course. That's the idea; the
GTUBE string is to test filters.

The very people you most needed to reach, SA users with working
configurations, did not see your message.

Post by Alexander Farber
On Tue, Aug 12, 2014 at 9:34 AM, Alexander Farber <
Post by l***@rhsoft.net
http://serverfault.com/questions/619537/use-postfix-and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo
the point of my question (maybe I haven't stated it clearly enough)
has been: how to combine Postfix and Spamassassin on CentOS with
minimal efforts.

Consider using amavisd-new. Yes, it's another piece of software to
configure, but it manages and runs SA for you.

Post by Alexander Farber
I didn't want to add custom shell scripts or users - as suggested
in many HOWTOs on the web.

Stick with the Postfix and Amavisd-new documentation. Most random
HOWTOs you can dig up are written by people who at best barely
understand what they did.

Postfix documentation for after-queue content filtering:

http://www.postfix.org/FILTER_README.html

and for before-queue filtering, which according to your Subject:
seems to be what you wanted:

http://www.postfix.org/SMTPD_PROXY_README.html

In either case amavisd-new can help you, acting as either the
content_filter or the smtpd_proxy_filter respectively.
snip
Post by Alexander Farber
3) Add "/^Subject: \[SPAM\]/ DISCARD" to the
/etc/postfix/header_checks (check the
/etc/mail/spamassassin/local.cf to see the exact string to match)

It's not particularly safe to discard mail flagged as spam, your own
GTUBE adventure here being a good example why not.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Bill Cole
2014-08-12 16:34:25 UTC
Post by /dev/rob0
BTW, the point of Bill Cole's post (I almost posted something
similar) was that you put the GTUBE string right here in a public
mailing list. Most people who use SpamAssassin thus would not get
your post: it was flagged as spam, of course. That's the idea; the
GTUBE string is to test filters.
The very people you most needed to reach, SA users with working
configurations, did not see your message.

Precisely. I only know the message existed because the SA score was an
order of magnitude higher than the worst normal spam and I was tinkering
with my SA config due to recent FPs for this list.
Post by /dev/rob0
Post by Alexander Farber
On Tue, Aug 12, 2014 at 9:34 AM, Alexander Farber <
Post by l***@rhsoft.net
http://serverfault.com/questions/619537/use-postfix-and-spamassassin-packages-on-centos-6-to-reject-spam-without-custo
the point of my question (maybe I haven't stated it clearly enough)
has been: how to combine Postfix and Spamassassin on CentOS with
minimal efforts.
Consider using amavisd-new. Yes, it's another piece of software to
configure, but it manages and runs SA for you.

Another option in a very similar vein: MIMEDefang. It's a milter that
directly supports SA and anti-virus scanning as well as essentially
anything you can make Perl do. MD is particularly good with MIME
manipulation, so it is an ideal tool if you want to do things like strip
attachments without maiming messages. A simpler alternative than
Amavisd-new or MD would be spamass-milter.
Post by /dev/rob0
Post by Alexander Farber
I didn't want to add custom shell scripts or users - as suggested
in many HOWTOs on the web.
Stick with the Postfix and Amavisd-new documentation. Most random
HOWTOs you can dig up are written by people who at best barely
understand what they did.

Beyond that, it is common for shoddy random HOWTOs to migrate upwards in
web searches as they age and become increasingly obsolete. If there is a
solid simple recipe for a minimalistic Postfix 2.11 & SpamAssassin 3.4
rig on some obscure site, it cannot have been in existence for long
enough to be widely linked, so what you will find instead will be
ancient orphaned pages that document obsolete software.
Post by /dev/rob0
http://www.postfix.org/FILTER_README.html
http://www.postfix.org/SMTPD_PROXY_README.html
In either case amavisd-new can help you, acting as either the
content_filter or the smtpd_proxy_filter respectively.
snip
Post by Alexander Farber
3) Add "/^Subject: \[SPAM\]/ DISCARD" to the
/etc/postfix/header_checks (check the
/etc/mail/spamassassin/local.cf to see the exact string to match)
It's not particularly safe to discard mail flagged as spam, your own
GTUBE adventure here being a good example why not.

In the modern world it's not particularly safe to do anything with mail
that you've flagged as spam after accepting it, which is the main
argument for before-queue filtering.
