Setting up a spam filtering mail gateway for Exchange 2010

Sorry for the long boring title, I wasn’t sure what to call this.  There are a variety of components to this filtering system so it is hard to classify.  It has a MTA built into it, is a spam filter, a mail anti-virus solution, a graphing tool and has a log analysis component.

Alright, so let’s get going.  This has been an ongoing project for me at work as I had no prior experience in setting something like this up.  The first step for me was determining what sorts of tools were going to work the best for me.  We are on a strict budget where I work at so any paid, third party solutions were out of the picture (Postini, GFI Mail Essentials were two that actually showed some promise).  Instead I had to take the Open Source route, which it turns out has a multitude of different options, whew!

Enter Spamassassin.  This is the main service that I decided to build this system around.  It is easy to set up and get running and provides a robust spam filtering system, easy enough.  Here is the list of tools that I have put together for this system, based on Ubuntu Server 10.04 LTS with everything but SSH disabled initially:

postfix – mail transfer agent
spamassasin – spam filter
clamAV – anti-virus
amavis-new –  interface for postfix -> SA/clamAV
mailgraph – tool to visualize mail statistics
rrdtool – graphing tool for mailgraph to functions

Configuring Postfix:

This piece was confusing to me initially so I hope that this guide will make things a little easier to understand.  If there are questions I will do my best to answer them through my own experience with this project.

Ok, the first step is to grab and install Postfix on the new server.

sudo aptitude install postfix

Next, we need to edit the Postfix  configuration  file /etc/postfix/main.cf to act as the gateway for our Exchange server, these are the settings that I have currently configured for my gateway so you will need to alter yours accordingly.

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = computer.local.domain
mydomain = local.domain
myorigin = $mydomain
inet_interfaces = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = localhost, localhost.local.domain
mydestination = mail.site.com, site.com, localhost
relay_domains = site.com
relayhost =
mynetworks = 192.168.1.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
transport_maps = hash:/etc/postfix/transport
append_at_myorigin = no
local_recipient_maps =
smtpd_helo_required = yes
smtpd_recipient_restrictions =
 permit_mynetworks reject_unauth_destination

# Content filtering
content_filter = smtp-amavis:[127.0.0.1]:10024

Now we need to configure Postfix to relay mail through our filter to our Exchange server. To do this we need to make sure our domain is the only place email gets forwarded to. Add this line to the file /etc/postfix/transport

site.com smtp:[192.168.1.69]

This maps our external site “site.com” to our Exchange server living comfortably inside the network. Finally, build the hash table for Postfix to use to forward mail

postmap /etc/postfix/transport

and then restart Postfix to update all of the new settings

sudo /etc/init.d/postfix restart

Configuring the Spam Filter:

Ok, so once everything is updated and you have configured postfix the way you want it, you should be able to start the installation/configuration process.

sudo aptitude install amavisd-new spamassassin clamav-daemon
sudo aptitude install libnet-dns-perl libmail-spf-query-perl pyzor razor

This will install all of the necessary items for the filtering system.  Next, we need to set up clamAV and amavis-new to talk to each other.

sudo adduser clamav amavis
sudo adduser amavis clamav

To get these new settings to work (figured this out the hard way) we need to restart the amavis and clamAV services.

sudo /etc/init.d/clamav-daemon restart

Next, we need to enable virus scanning in amavis by editing  /etc/amavis/conf.d/15-content_filter_mode and uncommenting the following lines in the configuration:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

Restart amavis service for the changes to take effect.

/etc/init.d/amavis restart

Ok, now we need to integrate these pieces into the postfix service. Edit the /etc/postfix/master.cf and add these lines at the bottom

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

and this to the section immediatley below the “pickup” transport service.

         -o content_filter=
         -o receive_override_options=no_header_body_checks

Finally, we need to restart the postfix service to update the changes.

sudo /etc/init.d/postfix restart

Everything should be ready to go.  If you have a port forward pointing to your Exchange server on your firewall, now is the time to point the port forward to the new address.  Now we are ready to go!

Graphing Statistics

Now that everything is set up we will want a way to see what kind of work our new system is doing.  For a graphical representation we will use a tool called mailgraph to give us results in a nice pretty format.  To get started we will need to grab it and put it on our server.

sudo aptitude install rrdtool mailgraph

This should take care of most everything, but we want to be able to take a look at the results locally on our network in a browser

cp -p /usr/lib/cgi-bin/mailgraph.cgi /var/www/cgi-bin

The script should be executable so we simply need to point our browser at the new location.

http://ipaddress/cgi-bin/mailgraph.cgi or
http://hostname/cgi-bin/mailgraph.cgi

Mailgraph in action

Given a little bit of time you should start seeing the graphs fill up with your mail data. W00t!

Resources:

http://www.howtoforge.com/linux_spam_filter_mail_gateway
https://help.ubuntu.com/community/PostfixAmavisNew
https://help.ubuntu.com/community/Postfix
http://jimsun.linxnet.com/postfix_contrib.html
http://www.howtoforge.com/mail_statistics_mailgraph_pflogsumm_p2
http://www.postfix.org/documentation.html
http://mailgraph.schweikert.ch/
http://www.howtoforge.com/postfix_antispam_mailscanner_clamav_ubuntu
http://postfix.state-of-mind.de/patrick.koetter/mailrelay/
http://www.agix.com.au/blog/2010/10/how-to-configure-postfix-as-a-mail-proxy/
http://www200.pair.com/mecham/spam/spamfilter20061118.html

Read More

Resources for System Administrators

I’ve seen a lot of forum posts recently about the best places to keep up with news, get help, network with others, and so on in the IT world. Now I know that what resource you seek out really depends on what you’re trying to do, but my general rule of thumb is to seek out new resources and use them all the time. I can’t count the number of times I have been listening to a podcast on the way to work and have gotten ideas, or thumbing through a magazine and going, “What? That exists?” And then going off and trying it out on my own, eventually incorporating it into my bag of tricks.

At this point I have yet to find a comprehensive list that goes over all the various tools for getting these resources so I have really been focusing the past couple of weeks on compiling my own list and set of resources, trying to think of the most useful media. Even with this list I’m sure I am missing a number of helpful resources but I will try to go over the main ideas here, hopefully adding more detail in future blog posts and expanding details about them in those posts. So here is the list:

  • RSS Feeds —  Dump them all into Google Reader or Atom Reader, start your day off by going through these.  Incredibly helpful.
  • Online forums/social outlets and communities
    • Reddit —  Great place to “talk shop” exchange ideas, etc.   Make sure to look up /r/sysdamin
    • Superuser —  Get help with computer issues
    • Serverfault —  Get help with system administration and desktop support
    • Ubuntuforums —  All things Ubuntu
    • Techexams —  Career help as well as advice on certifications
  • IRC Channels
  • Mailing Lists
  • Local Linux User Groups —  Google should be helpful for finding them.
  • LOPSA — A community of system administrators.
  • SAGE — Another community for system administrators.
  • Podcasts
    • Security Now!
    • Podnutz Pro
    • RunAs Radio
    • Hak5
    • My Hard Drive Died
    • Packet Pushers
    • PowerScripting Podcast
  • Industry Magazines
    • Linux Journal
    • Windows IT Pro
    • Hacker Monthly
  • Books
    • Time Management for System Administrators
    • The Practice of System and Network Administration
  • Conferences — A great way to learn and meet new people.
    • Black Hat
    • DEF CON
    • PhreakNIC
    • ToorCon
    • ShmooCon
    • DerbyCon
    • Pycon
    • SkyDogCon
  • Home Labs —  Build a Virtual server, test out the latest and greatest.
  • Technet — Subscribe to technet to compliment your home lab with Microsoft software.
  • Personal Project(s) — Create your own project ,website or blog, anything to keep your skills fresh.
  • Twitter —  Keep up with a person or what is going on in projects.
  • Open Source Project — Contribute to a cause that you believe in.  Gain tons of skill and experience.

What do you use to stay in loop and improve your tech skills?  I would love to add to this list.

Read More