TITLE postfix+spamassassin+razor LFS VERSION any AUTHOR Gerard Beekmans SYNOPSIS Spamassassing and Razor are great spam fighting tools. To make things even better, integrate it into your SMTP server to block spam at the incoming level rather than at the user level through procmail recipies. HINT Version 1.1 - April 5th, 2002 Changelog: 1.1 - Added bugfix for the /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm file The main reason I've set it up at linuxfromscratch.org at the SMTP level is to do a spam check before spam hits the mailinglists. Spam is then delivered (I don't send spam by /dev/null by default myself) to Listar, but it's tagged with special headers. Listar checks for these headers and then forwards the spam to me for moderation. This is done just in case an email was marked as spam mistakenly. This hint does not deal with installing the Spamassassin or Razor programs. I'll tell you where to get the software from: Spamassassin: http://www.spamassassin.org Razor: http://razor.sourceforge.net The current Razor version at the time of writing this hint is version 1.20. However, there's a problem with Spamassassin and Razor 1.20. Get Razor-1.19 for best results, or try out the Spamassassin CVS version (there was a bug in Razor-1.19 that resulted into a workaround added to Spamasassin. This bug in Razor was fixed in razor-1.20 which now breaks the spamassassin workaround. Spamassassin-CVS is updated again, but not official new release is out there). Read the docs, install it. It's all very straightforward. I'll just deal with setting it up to work in Postfix. If you installed Spamassassin-2.11 you need to fix the /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm file. It contains a minor bug that makes the Razor check fail in the majority of the cases (it forgets to add a newline between the header and body so Razor doens't always compute the right SHA because of it). Edit the file, go to line 443 which looks like this: return join ("", $self->{msg}->get_all_headers(), Add "\n", to it, so the line looks like: return join ("", $self->{msg}->get_all_headers(), "\n", Let's continue with setting up postfix. The postfix distribution comes with the README_FILES/FILTER_README file you want to read through. It gives some background information on how the filtering works in Postfix that we're going to use. That FILTER_README file suggests you creating a dedicated filter user with no home directory or shell. This won't work for us, because spamassassin and razor need a home directory to work in. Perhaps this can be changed, I haven't really checked that out yet. There are probably command line options you can use to use alternate config files (I know Spamassasin's has it, but I'm not sure that it will invoke Razor properly with a different config file). I created a user 'postfixfilter' by running: groupadd -g 612 postfixfilter && useradd -u 612 -g 612 -m postfixfilter Create the filter script that postfix will be running for every email that comes in: cat /home/postfixfilter/postfixfilter << "EOF" #!/bin/bash /usr/bin/spamassassin -P | /usr/sbin/sendmail -i "$@" exit $? EOF Chown and chmod that file if you didn't create it as user postfixfilter but as root or something. What does it do? Postfix dumps an email to /usr/bin/postfixfilter. We intercept it and dump to spamassassin. We tell spamassassin to write to stdout (the -P option) and then pipe stdout to sendmail's stdin which re-inserts the email into postfix for continued deliverly. Then exit with whatever sendmail's return value was. Next, configure postfix to do filtering. Edit the /etc/postfix/master.cf (or where ever you keep your postfix configuration files). Find the following line: smtp inet n - n - - smtpd It may look a bit different but this is the default. This is the line that tells Postfix to listen on the smtp port (25) for incoming email and have smtpd deal with it. This is the one we want to modify to filter that incoming email first before delivering it. Directly below that line, add this one: -o content_filter=postfixfilter: It would be advisable to indent it with a tab or some spaces just so you can easier see that it belongs to the previous line. Do not forget the colon at the end of the postfixfilter. I'm not quite sure what it does, but the FILTER_README file warns to do it, so I just do it. I have yet to figure it out. Append the following lines to the end of the master.cf file: postfixfilter unix - n n - - pipe flags=Rq user=postfixfilter argv=/home/postfixfilter/postfixfilter -f ${sender} -- ${recipient} Okay, if you did exactly what I told you to do and I didn't forget to tell you anything in this hint, then you are set to go. Reload postfix by running: postfix reload Incoming mail should now be filtered for spam by spamassassin. You can configure spamassassin and razor through the config files in /home/postfixfilter Disclaimer: I wrote this hint after I set it up on linuxfromscratch.org. Things are setup a little bit differently on linuxfromscratch.org and I didn't use the groupadd/useradd command, nor using /home/postfixfilter. What I wrote here just seems more sensible (I thought of it after I set it up on linuxfromscratch.org, so I'll be changing the setup there one day). Let me know if I wrote down something wrong here, because I did not actually test everything I wrote step-by-step. I may have missed a few steps.