Re: Sanitizer.cfg question

From: Henry Mason (
Date: Mon 30 Jun 2003 - 15:01:52 GMT

  • Next message: Derrick Webber: "Re: Sanitizer.cfg question"

            Ok - I should probably make a proper how-to and put it online,
            since it took me quite a bit of playing around to get this
            right, and the postfix docs are a little skimpy, to put it mildly.

            There's no particular order to this, but if you're trying to set
            this up on a production server (God forbid) things may be broken
            if you simply make the changes in sequence. The end result should
            be a working configuration, though - if you get everything right :)

            Most of the instructions in the Advosys how-to still apply. Add all
            the domains you want to filter to /etc/postfix/, thus:

    relay_domains = $mydestination,,,,

            I also added this line, which may not be necessary:

    smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination

            And of course you need this:

    transport_maps = hash:/etc/postfix/transport

            Make sure your /etc/postfix/transport routes the mail straight to
            the destination mailservers, and run postmap: smtp:[] smtp:[] smtp:[] smtp:[] smtp:[]
            Now, here's the good part, my /etc/postfix/

    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (50)
    # ========================================================================== inet n - - - - smtpd inet n - - - - smtpd -o content_filter=filter001:dummy inet n - - - - smtpd -o content_filter=filter002:dummy inet n - - - - smtpd -o content_filter=filter003:dummy
    #628 inet n - - - - qmqpd
    pickup fifo n - - 60 1 pickup
    cleanup unix n - - - 0 cleanup
    qmgr fifo n - - 300 1 qmgr
    #qmgr fifo n - - 300 1 nqmgr
    rewrite unix - - - - - trivial-rewrite
    bounce unix - - - - 0 bounce
    defer unix - - - - 0 bounce
    flush unix n - - 1000? 0 flush
    smtp unix - - - - - smtp
    showq unix n - - - - showq
    error unix - - - - - error
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - n - - lmtp
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    # The Cyrus deliver program has changed incompatibly.
    cyrus unix - n n - - pipe
       flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
    uucp unix - n n - - pipe
       flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail unix - n n - - pipe
       flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp unix - n n - - pipe
       flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
    scalemail-backend unix - n n - 2 pipe
       flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

    # only used by postfix-tls
    #smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    #587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

    filter001 unix - n n - - pipe
         user=filter001 argv=/var/spool/filter001/ -f ${sender} -- ${recipient}
    filter002 unix - n n - - pipe
         user=filter002 argv=/var/spool/filter002/ -f ${sender} -- ${recipient}
    filter003 unix - n n - - pipe
         user=filter003 argv=/var/spool/filter003/ -f ${sender} -- ${recipient}

            If you look at the filter definition lines at the bottom, you can
            see where the files live - in /var/spool/filterxxx/, where
            xxx is the filter number. These are the home directories of the
            filter users.

            Of course, you'll have to add these filter users, and create their
            home directories. On debian, this goes something like:

            adduser filter001
            mkdir /var/spool/filter001
            chown -R filter001:filter001 /var/spool/filter001
            usermod -d /var/spool/filter001 filter001

            I like to allow myself to log in as these users, so I can modify
            their configs on the fly (this happens way too often). Also, as
            you'll see, all the files related to these users live in their
            home dirs, so it's nice being able to check on them without having
            to be root.

            Now, this is what /var/spool/filter001/ looks like:

    SENDMAIL="/usr/lib/sendmail -i"

    export ANOMY

    cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }

    # Exit codes from <sysexits.h>

    cat | $SPAMC -f -u filter001 2>/dev/null \
             | $ANOMY $ANOMY_CONF 2>>$ANOMY_LOG \
             | $SENDMAIL "$@" || \
             { echo Message content rejected; exit $EX_UNAVAILABLE; }

    exit 0

            Note that anomy.conf lives in /var/spool/filter001. The setup
            is identical for each filter user - they each get their own
            anomy.conf in their own home directory. Make sure to modify
   to point to these! My anomy.conf is pretty generic,
            I did modify it to catch the recent sobig virus.

            My /etc/spamassassin/ looks like this:

    # This is the right place to customize your installation of SpamAssassin.
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    # Note: this is the global preference file used by all filter users! the only
    # thing that should go in here are shared preferences. blacklisting and white
    # listing should be done in the filter user_prefs file...
    # set up subject rewriting the way we want it
    rewrite_subject 1
    #report_safe 1
    spam_level_stars 1
    subject_tag [SPAM]
    required_hits 7.5

    # turn off safe reporting
    report_safe 0
    use_terse_report 0

    # for now, this should be on
    always_add_report 1

            I also have any global tweaks to the various tests in here that I
            want to affect all of the filters. The most important thing to note
            here is that there's no global path for the bayes classifier - or
            anything for that matter - the files get created in the filter users
            home dirs under the .spamassassin directory. This way each client
            gets it's own bayes database.

            That's essentially it for the config files. You'll have to take care
            of adding multiple IPs to the machine; under debian this goes into

    # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

    # The loopback interface
    auto lo
    iface lo inet loopback

    # The first network card - this entry was created during the Debian installation
    # (network, broadcast and gateway are optional)
    auto eth0
    iface eth0 inet static

    auto eth0:0
    iface eth0:0 inet static

    auto eth0:1
    iface eth0:1 inet static

            Then, I created DNS entries that look like:

            and added as the highest priority MX for the
            domains that use that as their filter, and so on.

            Simple, huh? :>

            I hope it works for you. Any problems I can probably answer, I may have
            left something out inadvertently...


    James Lay wrote:

    > Henry,
    > Yea...that's what I used as well ;) Would LOVE to take a look at those config files. Thanks!
    > James

    hosted by