Subject: Re: Junk mail and virus filtering on netbsd mailserver
To: Scott R. Burns <Scott.Burns@Netcontech.Com>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: netbsd-help
Date: 08/25/2003 08:53:00
This is what I have:

- postfix with pcre support
- spamassassin
- procmail

Feel free to ask me more.

Martti


Install the software
====================

# cd /usr/pkgsrc/mail/spamassassin
# make install clean clean-depends

# cd /usr/pkgsrc/mail/procmail
# make install clean clean-depends

# echo POSTFIX_USE_PCRE=YES >> /etc/mk.conf
# cd /usr/pkgsrc/mail/postfix
# make install clean clean-depends

Configure the software
======================

## Reject all incoming mail with dangerous attachments
# cat > /usr/pkg/etc/postfix/body_checks << EOF
#
# Block mails with the following attachments:
#
# bat|chm|cmd|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh]
#
/^begin\s+\d{3}\s+.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])\n?$/
   REJECT Windows executable blocked

/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/
   REJECT Windows executable blocked

/^\s+(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/
   REJECT Windows executable blocked
EOF

# vi /usr/pkg/etc/postfix/main.cf

   smtpd_client_restrictions =
         permit_mynetworks,
         reject_rbl_client list.dsbl.org,
         reject_rbl_client relays.ordb.org,
         reject_rbl_client sbl.spamhaus.org,
         permit
   smtpd_sender_restrictions =
         check_sender_access regexp:$config_directory/reject_sender,
         permit_mynetworks,
         reject_rbl_client list.dsbl.org,
         reject_rbl_client relays.ordb.org,
         reject_rbl_client sbl.spamhaus.org,
         reject_non_fqdn_sender,
         reject_unknown_sender_domain
   smtpd_recipient_restrictions =
         check_recipient_access regexp:$config_directory/reject_rcpt,
         permit_mynetworks,
         permit_mx_backup,
         reject_non_fqdn_recipient,
         reject_invalid_hostname,
         reject_unknown_recipient_domain,
         reject_rbl_client sbl.spamhaus.org,
         reject_rbl_client relays.ordb.org,
         reject_rbl_client list.dsbl.org,
         reject_unauth_destination,
         reject_unauth_pipelining,
         check_relay_domains

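   # Check for harmful attachments. mime_header_checks only sees MIME
   # headers; the uuencode "begin" pattern matches body lines, so it
   # takes effect only if the same file is also set as body_checks.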
   mime_header_checks = pcre:$config_directory/body_checks

## Add known trouble makers to my local black list
# cat > /usr/pkg/etc/postfix/reject_rcpt << EOF
# Address syntax
/[@!%].*[@!%]/                  550 Please use user@domain address forms only
EOF
# cat > /usr/pkg/etc/postfix/reject_sender << EOF
# Address syntax
/[@!%].*[@!%]/                  550 Please use user@domain address forms only
EOF

# mkdir -p /usr/local/bin
# cat > /usr/local/bin/deliver-wrapper.c << EOF
/*
  * Wrapper for cyrus 'deliver' to allow anyone to run it
  * with restricted set of parameters.
  *
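  * Build and install as follows. Mode 6711 makes the binary setuid
  * cyrus and setgid mail, executable but not readable by group and others:
  *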
  * # chown root:wheel deliver-wrapper.c
  * # chmod 600 deliver-wrapper.c
  *
  * # gcc -Wall -static -o deliver-wrapper deliver-wrapper.c
  *
  * # chown cyrus:mail deliver-wrapper
  * # chmod 6711 deliver-wrapper
  */

#include <stdio.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

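/*
 * Run cyrus 'deliver' for the invoking user with a fixed argument list.
 *
 * Takes exactly one argument, the target mailbox, and passes it to
 * deliver as the value of -m. The -a (authorization) name is looked up
 * from the real uid, so it names the user who invoked the wrapper; when
 * the lookup fails or yields an empty name, "anonymous" is used.
 *
 * Does not return on success: the process image is replaced by deliver.
 * Returns 64 (EX_USAGE) on a bad argument count and 71 (EX_OSERR) when
 * the exec fails.
 */
int
main(int argc, char *argv[])
{
    /* One definition of the target path, so the exec call and the error
     * message cannot disagree. */
    static const char deliver_path[] = "/usr/pkg/cyrus/bin/deliver";
    /* Empty environment: nothing from the caller's environment is passed on. */
    char *const envp[] = { NULL };
    /* A caller can exec this binary with argc == 0, which leaves argv[0]
     * NULL; printing that with %s is undefined, so fall back to a fixed name. */
    const char *progname = (argc > 0 && argv[0] != NULL && argv[0][0] != 0)
                           ? argv[0] : "deliver-wrapper";
    struct passwd *ent;
    const char *uname;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s mailbox\n", progname);
        return 64; /* EX_USAGE */
    }

    /* getuid() is the real uid, i.e. the invoking user. */
    ent = getpwuid(getuid());
    uname = (ent && ent->pw_name && ent->pw_name[0])
            ? ent->pw_name : "anonymous";

    /* The argument list is fixed apart from the mailbox name, which is
     * consumed as the value of -m. The sentinel is cast because a bare
     * NULL is not guaranteed to be pointer-sized in a variadic call. */
    execle(deliver_path, "deliver", "-e",
           "-a", uname, "-m", argv[1],
           (char *)NULL, envp);

    /* Only reached when the exec failed. */
    perror(deliver_path);
    return 71; /* EX_OSERR */
}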
EOF

# cd /usr/local/bin
# gcc -Wall -static -o deliver-wrapper deliver-wrapper.c
# chown cyrus:mail deliver-wrapper
# chmod 6711 deliver-wrapper

Activate spam tagging
=====================

# cat > ${HOME}/.procmailrc << 'EOF'
SHELL=/bin/sh
DELIVER=/usr/local/bin/deliver-wrapper
FORMAIL=/usr/pkg/bin/formail
VACATION=/usr/bin/vacation
SPAMASSASSIN=/usr/pkg/bin/spamassassin
USER=myusername
HOME=/home/$USER
MAILDIR=$HOME/mail
ON_VACATION=no

# SpamAssassin
:0 fw
| $SPAMASSASSIN

# spam
:0:$HOME/.cyrus.lock
* ^Subject: \[SPAM\?\].*
| $FORMAIL -I "From " | $DELIVER user.$USER.spam

# root
:0:$HOME/.cyrus.lock
* ^TO_(root|helpdesk)@
| $FORMAIL -I "From " | $DELIVER user.$USER.root

# everything else
:0
{
         :0 cwi
         * ON_VACATION ?? ^^yes^^
         | $VACATION $USER
         :0:$HOME/.cyrus.lock
         | $FORMAIL -I "From " | $DELIVER user.$USER
}

# The last resort - if all other recipes fail
:0:
IN-ERROR
EOF

# cat > ${HOME}/.forward << EOF
"|exec /usr/pkg/bin/procmail || exit 75"
EOF