Différences

Ci-dessous, les différences entre deux révisions de la page.

--- tutoriaux:install-email-server:install-email-server-part-7 [2023/01/06 16:41] – supprimée - modification externe (Unknown date) 127.0.0.1
+++ tutoriaux:install-email-server:install-email-server-part-7 [2023/05/25 20:17] (Version actuelle) – [Header Checks] frater
@@ Ligne 1: / Ligne 1: @@
+====== Build Email Server From Scratch on Debian – Part 7 - Postfix and SpamAssassin Content Filter ======
+Specifically, we will see how to check email header and body with Postfix and SpamAssassin (SA) to detect spam. SpamAssassin is a free, open-source, flexible and powerful spam-fighting tool.
+===== Email Header and Body Checks with Postfix SMTP Server =====
+Postfix provides 4 simple content checking parameters.
+  * header_checks
+  * mime_header_checks
+  * nested_header_checks
+  * body_checks
+Postfix will check all inbound emails when any of the above parameters is being used. Each parameter points to a lookup table containing regular expression patterns and actions. The patterns are compared to strings within email messages (header and body). If Postfix finds a match, the specified action is executed. Header and body checks are done by the Postfix ''cleanup'' daemon.
+<WRAP center round tip>
+when checking with those parameters, you have 2 main options:
+  * DISCARD : appear to accept the message, but the message will be silently discarded
+  * REJECT  : force the message to be bounced
+</WRAP>
+There are mainly two types of regular expressions that can be used by Postfix.
+  * ''regexp'': POSIX regular expression
+  * ''PCRE'': Perl compatible regular expression
+Postfix comes with POSIX regular expression support, but PCRE is way faster. To use PCRE in Postfix, you need to install the ''postfix-pcre'' package.
+<code bash>sudo apt install postfix-pcre</code>
+Run the following command and you will see ''pcre'' is now supported.
+<code bash>postconf -m</code>
+{{ tutoriaux:debian-email:debian-postconf.png |}}
+==== Header Checks ====
+To enable header_checks in Postfix, open the main configuration file.
+<code bash>sudo nano /etc/postfix/main.cf</code>
+Add the following line at the end of the file.
+<code>header_checks = pcre:/etc/postfix/header_checks</code>
+<WRAP round info>
+You may use [[https://regex101.com/|https://regex101.com/]] website to test your pcre (just use problematic header sample as test string)
+</WRAP>
+Save and close the file. Then you need to create the ''/etc/postfix/header_checks'' lookup file with a command line text editor such as Nano.
+<code bash>sudo nano /etc/postfix/header_checks</code>
+You can add regular expression checking like below.
+<code>
+/free mortgage quote/     REJECT
+/repair your credit/      REJECT
+</code>
+The lefthand key is a regular expression enclosed by two forward slashes. If any of the strings on the left-hand appear in any of the headers of an email message (these would most likely show up in the Subject: header), the message is rejected during the SMTP dialog. By default regular expression checking is not case-sensitive.
+You can also use DISCARD, instead of REJECT.
+<code>
+/free mortgage quote/    DISCARD
+/repair your credit/     DISCARD
+</code>
+This will cause Postfix to __claim successful delivery and silently discard__ the message. DISCARD makes it look as if the message was delivered even though it was simply thrown away.
+I often use DISCARD when I don’t want the spammer to know I have blocked a certain phrase for incoming email. DISCARD can also be useful to minimize the backscatter problem. If an innocent user’s email address is used as the sender address, you can claim successful delivery, so that the innocent user does not receive bounce messages.
+Some stupid spammers use multiple email addresses in the ''To:'' header, instead of using Blind Carbon Copy (BCC). If you are sure an email address won’t be accepting emails with multiple recipients in the ''To:'' header, you can add the following lines to discard such email.
+<code>
+/To:.*(gmail.com|yahoo.com|outlook|hotmail.com).*you@yourdomain.com/       DISCARD
+/To:.*you@yourdomain.com.*(gmail.com|yahoo.com|outlook|hotmail.com)/       DISCARD
+</code>
+The above lines will check if an Gmail/Yahoo/Outlook/Hotmail address and your domain email address are in the ''To:'' header at the same time. If true, the email will be discarded. The two characters ''.*'' are a wild card in regular expressions that can be matched to any characters.
+You may also want to do the same with the ''Cc:'' (carbon copy) header, if you are sure an email address won’t be accepting emails with multiple recipients in the ''Cc:'' header
+<code>
+/Cc:.*(gmail.com|yahoo.com|outlook|hotmail.com).*you@yourdomain.com/       DISCARD
+/Cc:.*you@yourdomain.com.*(gmail.com|yahoo.com|outlook|hotmail.com)/       DISCARD
+</code>
+Some spammers use blank email address in the ''From:'' or ''To:'' header, you can add the following checks.
+<code>
+/To:.*<>/           DISCARD
+/From:.*<>/         DISCARD
+</code>
+Once you finish editing the header_checks lookup file, you need to build the index file.
+<code bash>
+sudo postmap /etc/postfix/header_checks
+</code>
+Then restart Postfix for the changes to take effect.
+<code bash>sudo systemctl restart postfix</code>
+==== Body Checks ====
+In addition to header checks, Postfix can check the body of an email message. To enable ''body_checks'' in Postfix, open the main configuration file.
+<code bash>sudo nano /etc/postfix/main.cf</code>
+Add the following line at the end of the file.
+<code>body_checks = pcre:/etc/postfix/body_checks</code>
+Save and close the file. Then you need to create the ''/etc/postfix/body_checks'' lookup file.
+<code bash>sudo nano /etc/postfix/body_checks</code>
+You can add regular expression checking like below.
+<code>
+/free mortgage quote/     REJECT
+/repair your credit/      REJECT
+</code>
+You can use DISCARD, instead REJECT.
+<code>
+/free mortgage quote/     DISCARD
+/repair your credit/      DISCARD
+</code>
+The patterns indicated by the ''body_checks'' parameter are checked against each line of the body of the message. If any of the strings on the leftland appear in the body of an email message, the message is rejected or discarded. Once you finish editing the ''body_checks'' lookup file, you need to build the index file.
+<code bash>sudo postmap /etc/postfix/body_checks</code>
+Then restart Postfix for the changes to take effect.
+<code bash>sudo systemctl restart postfix</code>
+===== SpamAssassin Content Filter =====
+The built-in content checking in Postfix is very simple. However, there is no way to whitelist individual messages that you might want to receive despite their containing phrases that trigger a rejection and you might not want to reject or discard an email message based on a single rule. For more sophisticated analysis, we need to use a dedicated content filter (such as SpamAssassin) specifically designed to detect spam.
+SpamAssassin is a score-based system. It will check email message against a large set of rules, in contrast to a single rule in Postfix. Each rule adds or removes points in the message’s score. If the score is high enough (by default 5.0), the message is considered spam.
+==== Install SpamAssassin ====
+<WRAP round info>
+If you used iRedMail to set up your mail server, then SpamAssassin is already installed alongside Amavis, which can read SpamAssassin rules. You don’t need to follow the instructions in this section.
+</WRAP>
+Run the following command to install SpamAssassin from the default Debian/Ubuntu software repository. Spamc is the client for SpamAssassin spam filtering daemon.
+<code bash>sudo apt install spamassassin spamc</code>
+During the installation, the ''debian-spamd'' user and group will be automatically created. The binary installed by the ''spamassassin'' package is called ''spamd'', which will be listening on TCP port 783 on local host.
+By default, the ''spamassassin'' systemd service is disabled, you can enable auto start at boot time with:
+<code bash>sudo systemctl enable spamassassin</code>
+Then start SpamAssassin.
+<code bash>sudo systemctl start spamassassin</code>
+==== Integrate SpamAssassin with Postfix SMTP Server as a Milter ====
+There are several ways you can use to integrate SpamAssassin with Postfix. I prefer to use SpamAssassin via the sendmail milter interface, because it allows me to reject an email when it gets a very high score such as 8, so it will never be seen by the recipient.
+Install the ''spamass-filter'' packages from Debian default software repository.
+<code bash>sudo apt install spamass-milter</code>
+Next, edit ''/etc/postfix/main.cf'' file and add the following lines at the end of the file.
+<code>
+# Milter configuration
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = local:spamass/spamass.sock
+non_smtpd_milters = $smtpd_milters
+</code>
+If you have configured [[tutoriaux:install-email-server:install-email-server-part-4|OpenDKIM]] and [[tutoriaux:install-email-server:install-email-server-part-5|OpenDMARC]], then these lines should look like below. The order matters.
+<code>
+# Milter configuration
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock,local:spamass/spamass.sock
+non_smtpd_milters = $smtpd_milters
+</code>
+If you haven’t configured OpenDMARC, then you should remove ''local:opendmarc/opendmarc.sock'', from ''smtpd_milters''.
+Save and close the file. Now open the ''/etc/default/spamass-milter'' file and find the following line.
+<code>#OPTIONS="${OPTIONS} -r 15"</code>
+Uncomment this line and change 15 to your preferred reject score such as 8.
+<code>OPTIONS="${OPTIONS} -r 8"</code>
+If the score of a particular email is over 8, Spamassassin would reject it and you would find a message like below in the ''/var/log/mail.log'' file, indicating it’s rejected.
+<code>milter-reject: END-OF-MESSAGE  5.7.1 Blocked by SpamAssassin</code>
+If you want the sender to see a different reject text, then add the ''-R'' (reject text) option like below.
+<code>OPTIONS="-u spamass-milter -i 127.0.0.1 -R SPAM_ARE_NOT_ALLOWED_HERE"</code>
+Save and close the file. Restart Postfix and Spamass Milter for the changes to take effect.
+<code bash>sudo systemctl restart postfix spamass-milter</code>
+<WRAP round tip>
+iRedMail users need to start the SpamAssassin service in order to use ''spamass-milter''.
+</WRAP>
+<code bash>
+sudo systemctl start spamassassin
+sudo systemctl enable spamassassin
+</code>
+==== Checking Email Header and Body with SpamAssassin ====
+SpamAssassin ships with many spam detection rules in ''/usr/share/spamassassin/'' directory. Allow me to explain some of the rules.
+In the ''/usr/share/spamassassin/20_head_tests.cf'' file, you can find the following two lines.
+<code>
+header MISSING_HEADERS       eval:check_for_missing_to_header()
+describe MISSING_HEADERS     Missing To: header
+</code>
+The first line tests if the To: header exists in an email message. The second line, which is optional, explains what the first line does. The uppercase letters is the name of this test.
+The following 3 lines are for testing if there’s a ''Date:'' header in the email message.
+<code>
+header __HAS_DATE            exists:Date
+meta MISSING_DATE            !__HAS_DATE
+describe MISSING_DATE        Missing Date: header
+</code>
+And these 3 lines are for testing if there’s a ''From:'' header in the email message.
+<code>
+header __HAS_FROM            exists:From
+meta MISSING_FROM            !__HAS_FROM
+describe MISSING_FROM        Missing From: header
+</code>
+You might want to use the Cron job shipped with SpamAssassin to automatically update SpamAssassin’s rules on a daily basis. If so, open the ''/etc/default/spamassassin'' file and change ''CRON=0'' to ''CRON=1''.
+====== Set Custom Score for Existing Rules ======
+In the ''50_scores.cf'' and ''72_scores.cf'' file, you can see the default scores for various tests. If you think the default score is too low or too high for a certain test, you can set custom score in ''/etc/spamassassin/local.cf'' file.
+<code bash>sudo nano /etc/spamassassin/local.cf</code>
+For example, RFC 5322 requires that every email message must have //From:// and //Date:// header fields, so I can set a very high score if either of them is missing in an email message by appending the following two lines in ''local.cf'' file.
+<code>
+score MISSING_FROM   5.0
+score MISSING_DATE   5.0
+</code>
+Although the To: header field is not mandatory in RFC 5322, I prefer to set a high score if it’s missing in an email message because I have never seen a legitimate email missing this header field.
+<code>
+score MISSING_HEADERS 3.0
+</code>
+Some spammers uses two email addresses in the //From:// header field like below.
+<code>From: "tonywei_darefly_mold@aliyun.com" <sales10@darefly-mould.com></code>
+I think the default score for this kind of email is low, I prefer to set it to 3.0.
+<code>score PDS_FROM_2_EMAILS 3.0</code>
+There are spammers who send empty message with no subject and no textual parts in the body. I set the score for this kind of email to 5.0, so it will be placed to spam folder. Why read it if it’s empty?
+<code>score EMPTY_MESSAGE 5.0</code>
+And other spammers often ask you to send a read receipt, I set the score to 2.0 for this kind of email.
+<code>score FREEMAIL_DISPTO 2.0</code>
+There are some spammers use different domain names in the //From:// and //Reply-To:// header, I give them a 3.5 score.
+<code>score FREEMAIL_FORGED_REPLYTO 3.5</code>
+I also have seen some spammers using non-existent domain name in the //From:// header field. I set a 5.0 score for this type of email.
+<code>score DKIM_ADSP_NXDOMAIN 5.0</code>
+Last but not least, many spammers spoof the gmail.com domain in the //From:// header field. I set a 2.5 score this kind of email.
+<code>score FORGED_GMAIL_RCVD 2.5</code>
+====== Adding Your Own Rules ======
+You can add custom SpamAssassin rules in ''/etc/spamassassin/local.cf'' file.
+<code bash>sudo nano /etc/spamassassin/local.cf</code>
+===== Header Rules =====
+For example, some spammers use the same email address in the From: and To: header, you can add the following lines at the end of the file to add scores to such emails.
+<code>
+header   FROM_SAME_AS_TO   ALL=~/\nFrom: ([^\n]+)\nTo: \1/sm
+describe FROM_SAME_AS_TO   From address is the same as To address.
+score    FROM_SAME_AS_TO   2.0
+</code>
+Some spammers use an empty address for the Envelope From address (aka the Return Path header). Although this is legitimate for sending bounce messages, I prefer to give this kind of email a score.
+<code>
+header    EMPTY_RETURN_PATH    ALL =~ /<>/i
+describe  EMPTY_RETURN_PATH    empty address in the Return Path header.
+score     EMPTY_RETURN_PATH    3.0
+</code>
+If you have configured [[tutoriaux:install-email-server:install-email-server-part-6|OpenDMARC]] on your mail server, you can now add the following lines to add scores to emails that fail DMARC check.
+<code>
+header    CUSTOM_DMARC_FAIL   Authentication-Results =~ /dmarc=fail/
+describe  CUSTOM_DMARC_FAIL   This email failed DMARC check
+score     CUSTOM_DMARC_FAIL   3.0
+</code>
+The above code tells SpamAssassin to check if the Authentication-Results header contains the string “dmarc=fail”. If found, increase the score by 3.0.
+===== Body Rules =====
+You can tell SpamAssassin to increase the score of an email if a certain phrase is found in the body. For example, many spammers use the recipient’s email address in the first body line like below.
+<code>
+Hi frater@nox-rhea.org
+Hello frater@nox-rhea.org
+Dear frater@nox-rhea.org
+</code>
+I don’t want to talk with people who doesn’t bother writing my name in the first line of email. So I created a rule in SpamAssassin to filter this kind of email.
+<code>
+body      BE_POLITE       /(hi|hello|dear) frater\@nox-rhea\.org/i
+describe  BE_POLITE       This email doesn't use a proper name for the recipient
+score     BE_POLITE       5.0
+</code>
+Regular expression in SpamAssassin is case-sensitive by default, you can add the ''i'' option at the end to make it case-insensitive.
+===== Add Negative Scores =====
+You can also add negative score to good emails, so there will be less false positives. For example, many of my blog readers ask me Linux questions and I don’t think spammers would include words like ''Debian'', ''Ubuntu'', ''Linux Mint'' in the email body, so I created the following rule.
+<code>
+body      GOOD_EMAIL    /(debian|ubuntu|linux mint|centos|red hat|RHEL|OpenSUSE|Fedora|Arch Linux|Raspberry Pi|Kali Linux)/i
+describe  GOOD_EMAIL    I don't think spammer would include these words in the email body.
+score     GOOD_EMAIL    -4.0
+</code>
+If the email body contains a Linux distro’s name, then add a negative score (-4.0).
+There are some common phrases that is included in legitimate bounce messages, so I can add negatives scores to these email messages.
+<code>
+body      BOUNCE_MSG    /(Undelivered Mail Returned to Sender|Undeliverable|Auto-Reply|Automatic reply)/i
+describe  BOUNCE_MSG    Undelivered mail notifications or auto-reply messages
+score     BOUNCE_MSG    -1.5
+</code>
+Note that body rules also include the Subject as the first line of the body content.
+===== Meta Rules =====
+In addition to header and body rules, there’s also meta rules. Meta rules are combinations of other rules. You can create a meta rule that fires off when two or more other rules are true. For example, I occasionally receive emails saying that the sender wants to apply for a job and a resume is attached. I have never said on my website that I need to hire people. The attachment is used to spread virus. I created the following meta rule to filter this kind of email.
+<code>
+body      __RESUME        /(C.V|Resume)/i
+meta      RESUME_VIRUS    (__RESUME && __MIME_BASE64)
+describe  RESUME_VIRUS    The attachment contains virus.
+score     RESUME_VIRUS    5.5
+</code>
+The first sub rule ''%%__RESUME%%'' tests if the email body contains the word ''C.V.'' or ''resume''. The second sub rule ''%%__MIME_BASE64%%'' is already defined in ''/usr/share/spamassassin/20_body_tests.cf'' file, as follows, so I don’t need to define it again in local.cf file. This rule tests if the email message includes a base64 attachment.
+<code>
+rawbody   __MIME_BASE64  eval:check_for_mime('mime_base64_count')
+describe  __MIME_BASE64  Includes a base64 attachment
+</code>
+My meta rule ''RESUME_VIRUS'' will fire off when both of the sub rules are true, adding a 5.5 score to the email message. Note that sub rule often starts with double underscore, so it has no score in its own right.
+Now you learned how to add score if a string is found. What if you want to add score when a string doesn’t exist in the email headers? Well, you can use the ''!'' operator. For example, I have seen spammers using a single word in the From: address.  I added the following lines to score this kind of email.
+<code>
+header __AT_IN_FROM   From =~ /\@/
+meta  NO_AT_IN_FROM   !__AT_IN_FROM
+score NO_AT_IN_FROM   4.0
+</code>
+The first line checks if the @ sign exists in the From: header. The second line defines a meta rule, which fires off when ''%%!__AT_IN_FROM%%'' is true. ''%%!__AT_IN_FROM%%'' rule is the opposite of the first header rule, which means when there’s no ''@'' sign in the //From:// address, the meta rule fires off.
+You can also add the following lines to check if a dot exists in the From: address.
+<code>
+header __DOT_IN_FROM   From =~ /\./
+meta   NO_DOT_IN_FROM  !__DOT_IN_FROM
+score  NO_DOT_IN_FROM  4.0
+</code>
+==== Whitelist ====
+You can use the ''whitelist_from'' parameter to add a particular email address or domain to your Spamassassin whitelist. For example, add the following two lines at the end of ''local.cf'' file.
+<code>
+whitelist_from frater@nox-rhea.org
+whitelist_from *@canonical.com
+</code>
+A whitelisted sender has a ''-100'' default score. They will still be tested by SpamAssassin rules, but it’s super hard for them to reach a 5.0 score.
+==== Blacklist ====
+To blacklist a sender, use the blacklist_from parameter, which has the same format as ''whitelist_from''.
+<code>
+blacklist_from spam@example.com
+blacklist_from *@example.org
+</code>
+==== Checking Syntax and Restart ====
+After saving the ''local.cf'' file. You should run the ''spamassassin'' command in lint mode to check if there’s any syntax errors.
+<code bash>sudo spamassassin --lint</code>
+Then restart SpamAssassin for the changes to take effect. (If you use Amavis with Spamassasin as in iRedMail, you just need to restart Amavis: ''sudo systemctl restart amavis'')
+<code bash>
+sudo systemctl restart spamassassin
+</code>
+==== SpamAssassin’s Builtin Whitelist ====
+It’s worth mentioning that SpamAssassin ships with its own whitelist. There are several files under ''/usr/share/spamassassin/'' directory that includes ''60_whitelist'' in the filename. These files contain SpamAssassin’s builtin whitelist. For example, the ''60_whitelist_spf.cf'' file contains a list of addresses which send mail that is often tagged (incorrectly) as spam.
+==== Move Spam into the Junk Folder ====
+<WRAP round important>
+iRedMail has this configured out-of-the-box.
+</WRAP>
+I’m going to show you how to move spam to Junk folder with the Dovecot IMAP server and the sieve plugin. This method requires that inbound emails are delivered to the message store via the Dovecot “deliver” LDA (local delivery agent). If you can find the following text in ''/var/log/mail.log'' file, then this requirement is satisfied.
+<code>
+postfix/lmtp
+</code>
+or
+<code>
+delivered via dovecot service
+</code>
+Run the following command install dovecot-sieve from Ubuntu software repository.
+<code bash>sudo apt install dovecot-sieve</code>
+This package installs two configuration files under ''/etc/dovecot/conf.d/'' directory: ''90-sieve.conf'' and ''90-sieve-extprograms.conf''. Open the ''15-lda.conf'' file.
+<code bash>sudo nano /etc/dovecot/conf.d/15-lda.conf</code>
+Add the sieve plugin to local delivery agent (LDA).
+<code>
+protocol lda {
+    # Space separated list of plugins to load (default is global mail_plugins).
+    mail_plugins = $mail_plugins sieve
+}
+</code>
+Save and close the file. If you can find the ''20-lmtp.conf'' file under ''/etc/dovecot/conf.d/'' directory, then you should also enable the sieve plugin in that file like below.
+<code>
+protocol lmtp {
+      mail_plugins = quota sieve
+}
+</code>
+Edit the ''/etc/dovecot/conf.d/10-mail.conf'' file.
+<code bash>sudo nano /etc/dovecot/conf.d/10-mail.conf</code>
+Sieve scripts are stored under each user’s home directory. If you followed my PostfixAdmin tutorial and are using virtual mailbox domains, then you need to enable ''mail_home'' for the virtual users by adding the following line in the file, because virtual users don’t have home directories by default.
+<code bash>mail_home = /var/vmail/%d/%n</code>
+Save and close the file. Then open the ''90-sieve.conf'' file.
+<code bash>sudo nano /etc/dovecot/conf.d/90-sieve.conf</code>
+Go to line 79 and add the following line, which tells Sieve to always execute the ''SpamToJunk.sieve'' script before any user-specific scripts.
+<code>
+sieve_before = /var/mail/SpamToJunk.sieve
+</code>
+Save and close the file. Then create the sieve script.
+<code bash>sudo nano /var/mail/SpamToJunk.sieve</code>
+Add the following lines, which tells Dovecot to move any email messages with the ''X-Spam-Flag: YES'' header into Junk folder.
+<code>
+require "fileinto";
+if header :contains "X-Spam-Flag" "YES"
+{
+   fileinto "Junk";
+   stop;
+}
+</code>
+Save and close the file. We can compile this script, so it will run faster.
+<code bash>sudo sievec /var/mail/SpamToJunk.sieve</code>
+Now there is a binary file saved as /var/mail/SpamToJunk.svbin. Finally, restart dovecot for the changes to take effect.
+<code bash>sudo systemctl restart dovecot</code>
+==== Set Message Maximum Size ====
+By default, SpamAssassin does not check messages with attachments larger than 500KB, as indicated by the following line in the ''/var/log/mail.log'' file.
+<code>
+spamc[18922]: skipped message, greater than max message size (512000 bytes)
+</code>
+The default ''max-size'' is set to 512000 (bytes). A high value could increase server load, but I think the default size is a little bit small. To increase the max-size, edit ''/etc/default/spamass-milter'' file and add the following lines at the end.
+<code>
+#Spamc options
+OPTIONS="${OPTIONS} -- --max-size=5120000"
+</code>
+The empty ''--'' option tells **spamass-milter** to pass all remaining options to **spamc**, which understands the ''--max-size'' option. I increased the size to 5000KB. Save and close the file. Then restart spamass-milter.
+<code bash>
+sudo systemctl restart spamass-milter
+</code>
+==== How to Configure Individual User Preferences ====
+You may want to set custom rules for emails sent to a specific address on the mail server. I like this feature very much. I have a contact email address for this blog, which is only used for keeping contact with readers. **I don’t use the contact email address elsewhere**, so I can create special spam-filtering rules that apply only to this contact email address.
+First, edit the SpamAssassin main configuration file.
+<code bash>
+sudo nano /etc/spamassassin/local.cf
+</code>
+Add the following line to allow user rules.
+<code bash>
+allow_user_rules 1
+</code>
+Save and close the file. Next, edit the SpamAssassin environment file.
+<code bash>
+sudo nano /etc/default/spamassassin
+</code>
+Find the following line.
+<code>
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
+</code>
+We need to change it to
+<code>
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir --nouser-config --virtual-config-dir=/var/vmail/%d/%l/spamassassin --username=vmail"
+</code>
+Where:
+  * ''--nouser-config'': disable per-user configuration file for local Unix users.
+  * ''--virtual-config-dir'': specify the per-user configuration directory for virtual users. The ''%d'' placeholder represents the domain part of email address and ''%l'' represents the local part of email address.
+  * ''--username'': run spamd as the vmail user.
+Save and close the file. Then restart SpamAssassin.
+<code bash>
+sudo systemctl restart spamassassin
+</code>
+By default, spamass-milter will send only the local part of email address to SpamAssassin. We need to make it send the full email address. Edit the spamass-milter configuration file.
+<code bash>
+sudo nano /etc/default/spamass-milter
+</code>
+Find the following line.
+<code>
+OPTIONS="-u spamass-milter -i 127.0.0.1 -R SPAM_ARE_NOT_ALLOWED_HERE"
+</code>
+Add the following option to this line.
+<code>
+-e yourdomain.com
+</code>
+Like this:
+<code>
+OPTIONS="-e yourdomain.com -u spamass-milter -i 127.0.0.1 -R SPAM_ARE_NOT_ALLOWED_HERE"
+</code>
+The ''-e'' option will make spamass-milter pass the full email address to SpamAssassin. Replace yourdomain.com with your real domain name. Save and close the file. Then restart spamass-milter.
+<code bash>
+sudo systemctl restart spamass-milter
+</code>
+Now send an email from Gmail, Hotmail, etc. to your domain email address. You will find the spamassassin directory is automatically created under ''/var/vmail/yourdomain.com/username/'' directory.
+<code bash>
+cd /var/vmail/yourdomain.com/username/spamassassin/
+</code>
+You can use a command-line text editor to create the per-user preference file here. This file __must be named__ as ''user_prefs''.
+<code bash>
+sudo nano user_prefs
+</code>
+You can add custom rules in this file just as you would do in the ''/etc/spamassassin/local.cf'' file.
+For instance, I found many spammers end their email body with an unsubscribe link to let you remove future contact. I didn’t subscribe to their spam and I don’t think the unsubscribe link will remove my email address from their contact database. So I use SpamAssassin to score this kind of email.  The following rule adds 3.0 score to emails containing the word “unsubscribe” or its variations in the body. (I don’t use the contact email address of this blog to subscribe to anything online.)
+<code>
+body      SUBSCRIPTION_SPAM   /(unsubscribe|u n s u b s c r i b e|Un-subscribe)/i
+describe  SUBSCRIPTION_SPAM   I didn't subscribe to your spam.
+score     SUBSCRIPTION_SPAM   3.0
+</code>
+Sometimes the email body doesn’t contain the word “unsubscribe”, but there’s a ''List-Unsubscribe'' header, which means the spammer added my contact email address to their mailing list without my consent. I can score this type of email too, with the following rule.
+<code>
+header    LIST_UNSUBSCRIBE   ALL =~ /List-Unsubscribe/i
+describe  LIST_UNSUBSCRIBE   I didn't join your mailing list.
+score     LIST_UNSUBSCRIBE   2.0
+</code>
+I occasionally receive emails from Chinese spammers whose ''From:'' domain name has no vowel letters (a, e, i, o, u). The spammer used the ''cdjcbzclyxgs.xyz'' domain name. It is nearly impossible for a normal person/entity to use domain names without vowel letters, considering that many top-level domains have already included vowel letters (.com, .net, .org, .co, .io, .shop, .dev, etc), so I give this kind of email a very high score like below. The default score is 0.5.
+<code>
+score FROM_DOMAIN_NOVOWEL 4.0
+</code>
+Some spam emails use many images in the body but contains very little text. The default score for this kind of email is 1.9, but I prefer to set a high score for my contact email address.
+<code>
+score HTML_IMAGE_RATIO_02 4.0
+</code>
+I also received a spam email with my email address in the subject, so I can add a high score to it.
+<code>
+header    SUBJECT_SPAM   Subject =~ /frater\@nox-rhea.org/i
+describe  SUBJECT_SPAM   Subject contains my email address.
+score     SUBJECT_SPAM   4.0
+</code>
+Some spammers use BCC (Blind Carbon Copy) to hide other recipients. I don’t want to receive such email. So I made the following rule. If my domain name is not in the To: header, add 3.0 to the email.
+<code>
+header __DOMAIN_IN_TO     To =~ /nox-rhea.org/
+meta   DOMAIN_NOT_IN_TO   !__DOMAIN_IN_TO
+score  DOMAIN_NOT_IN_TO   3.0
+</code>
+After adding custom rules, close the file and run the following command to check syntax. Silent output means there’s no syntax error.
+<code bash>
+sudo spamassassin --lint
+</code>
+Finally, restart SpamAssassin for the changes to take effect.
+<code bash>
+sudo systemctl restart spamassassin
+</code>
+Now you can test the user preferences by sending test emails from other email services to your own domain email address.
+==== Whitelisting for Specific Email Addresses ====
+Let’s say you have an email address that accepts emails from a few email addresses, and you want to block all other senders. It’s very easy to accomplish this. Go to ''/var/vmail/yourdomain.com/username/spamassassin/'' directory and create the ''user_prefs'' file. Then add allowed email addresses to the whitelist.
+<code>
+whitelist_from *@your-own-domain.com
+whitelist_from someboday@gmail.com
+</code>
+Next, add all domains to the blacklist.
+<code>
+blacklist_from *
+</code>
+Save and close the file. Restart SpamAssassin for the changes to take effect.
+<code bash>
+sudo systemctl restart spamassassin
+</code>
+==== Reject or Bounce ====
+If a receiving SMTP server determines during the SMTP conversation that it will not accept the message, it rejects the message. Sometimes the SMTP server accepts a message and later discovers that it cannot be delivered, perhaps the intended recipient doesn’t exist or there is a problem in the final delivery. In this case, the SMTP server that has accepted the message bounces it back to the original sender by sending an error report, usually including the reason the original message could not be delivered.
+You should not bounce spam, because the email address in the ''Return-path:'' header or ''From:'' header probably doesn’t exist or is an innocent person’s email address, so the bounce message will probably go to an innocent person’s email address, creating the backscatter problem. Instead of bouncing the spam, you should reject spam during the SMTP dialog, before the email is accepted. This article didn’t show you bouncing a spam message. You should remember this rule in case you are going to create spam-filter rules by yourself. If in doubt, test your spam-filtering rules to see if it’s going to create bounce messages.
+==== URIBL_BLOCKED ====
+By default, SpamAssassin enables URIBL rule, which checks if an email message contains links that are identified as spam by URIBL. This is a very effective anti-spam measurement. However, you might be blocked from querying URIBL. Check the raw email headers of an inbound email message, find the ''X-Spam-Status'' header.
+<code>
+X-Spam-Status: No, score=-92.2 required=5.0 tests=DATING_SPAM,DKIM_SIGNED,
+	DKIM_VALID,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_PASS,
+	SUBSCRIPTION_SPAM,UNPARSEABLE_RELAY,URIBL_BLOCKED,USER_IN_WHITELIST
+	autolearn=no autolearn_force=no version=3.4.2
+</code>
+If you can find **URIBL_BLOCKED** in this header, that means you are blocked from querying URIBL. Most of the time it’s because you are not using your own local DNS resolver. You can run the following command on your mail server to test which DNS server you are using to query URIBL.
+<code>
+host -tTXT 2.0.0.127.multi.uribl.com
+</code>
+Sample output:
+<code>
+.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: xx.xx.xx.xx]"
+</code>
+To fix this error, you need to run your own local DNS resolver on your mail server.
+Once your local DNS resolver is up and running, test URIBL again.
+<code bash>
+host -tTXT 2.0.0.127.multi.uribl.com
+</code>
+If you see the following output, it means you are now allowed to query URIBL.
+<code>
+.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
+</code>
+From here on out, inbound email messages won’t have the URIBL_BLOCKED tag in the ''X-Spam-Status'' header.
+==== Prevent Outgoing Spam ====
+Postfix header and body checks can also be used to prevent outgoing spam. For example, if you don’t want your email server to send emails to a particular email address, you can add the following line to ''/etc/postfix/header_checks''.
+<code>
+/^To:.*fake.*/       DISCARD
+</code>
+The above line tests if the ''To:'' header contains the ''fake'' word. If found, discard the email. I’m just showing a simple example here. This can be useful when you have a contact form or sign-up form on your website and some visitors use fake email addresses on the form to generate spam on your email server.
+Save and close the file. Then run the following command to rebuild the hash table.
+<code bash>
+sudo postmap /etc/postfix/header_checks
+</code>
+Reload Postfix for the change to take effect.
+<code bash>
+sudo systemctl reload postfix
+</code>
+==== Deleting Email Headers For Outgoing Emails ====
+You can use ''smtp_header_checks'' to delete email headers that could show sensitive information. ''smtp_header_checks'' are only applied when Postfix is acting as an SMTP client, so it won’t affect incoming emails.
+For example, you might not want the recipient to know that you are using SpamAssassin on your mail server, then you can create the ''/etc/postfix/smtp_header_checks'' file
+<code bash>
+sudo nano /etc/postfix/smtp_header_checks
+</code>
+And add the following lines in the file. This tells Postfix to delete the X-Spam-Status and X-Spam-Checker-Version header from the email message when sending emails.
+<code>
+/^X-Spam-Status:/             IGNORE
+/^X-Spam-Checker-Version:/    IGNORE
+</code>
+Save and close the file. Then edit the Postfix main configuration file.
+<code bash>
+sudo nano /etc/postfix/main.cf
+</code>
+Add the following line at the end of the file.
+<code>
+smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
+</code>
+Save and close the file. Next, run the following command.
+<code bash>
+sudo postmap /etc/postfix/smtp_header_checks
+</code>
+Reload Postfix for the change to take effect.
+<code bash>
+sudo systemctl reload postfix
+</code>
+===== Other Tidbits =====
+The ''spamassassin'' package on Debian/Ubuntu ships with a Cron job (''/etc/cron.daily/spamassassin'') to automatically update rulesets daily with the ''sa-update'' command.
+SpamAssassin 4.0 includes a HashBL plugin, which can check if a Bitcoin address in the email body has been used by scammers. And there’s also a new plugin called “Ole Macro” that can check if an email contains an Office attachment with a macro. This plugin would try to detect if the attched macro is malicious or not.
+{{page>install-email-server-footer}}

Nox-Rhea WiKi

Outils pour utilisateurs

Outils du site

Différences

Outils de la page