Building an Advanced Mail Server, Part 3

A bad side effect of email has been the rapid spread of viruses and spam, both of which are illegal in one form or another these days. However, this doesn't stop virus writers or spam moguls from doing what they do. This means that it's up to our mail server to protect our users from such things.

Luckily, great applications can help us in our fight against spam and viruses. For spam protection we will, of course, be using SpamAssassin. For virus protection, we will be using Qmail-Scanner and ClamAV.

SpamAssassin is a lifesaver in my daily life. Every day, it catches about 48 messages before they hit my inbox. Because I don't send a message to the recipients, I'm not sure how many viruses are stopped by Qmail-Scanner, but I'm sure more than a few have been rejected.

SpamAssassin

SpamAssassin is available for most Linux distributions. If you can't find a package for your distribution, you must install from the source. You can find more information in SpamAssassin's INSTALL file. You will most likely also want to install Razor, which SpamAssassin can also use. Debian users can apt-get the package spamassassin.

After you have SpamAssassin up and running, you need to create some procmail rules and edit your domain's .qmail files. First, let's create a procmail file with our spam recipes. Please remember that any recipes in this file are global for the entire virtual domain. Also, I use a program called safecat to properly place messages into my Maildir folders.

# The user's home directory
VHOME=`/var/lib/vpopmail/bin/vuserinfo -d $EXT@$HOST`

# Path to the safecat utility
SAFECAT=/usr/bin/safecat

# What folder you want spam to go to
SPAMHOME=$VHOME/Maildir/.Spam

# Create spam folders
SPAM_CREATE=`/var/lib/vpopmail/bin/spam.sh $VHOME`

# Run SpamAssassin
:0fw
| spamassassin

# Move spam to where it belongs
:0w
* ^X-Spam-Status: Yes
| $SAFECAT $SPAMHOME/tmp $SPAMHOME/new

# Deliver good mail
:0w
| /var/lib/vpopmail/bin/vdelivermail '' bounce-no-mailbox

I'm no procmail wizard, but this file works for me without any major problems. I use the call to spam.sh to check and see if the spam directory exists. If it doesn't, I create it. I've reproduced the script below.

#!/bin/sh
if [ ! -d $1/Maildir/.Spam ]
then
  /usr/bin/maildirmake $1/Maildir/.Spam
  chown -R vpopmail.vchkpw $1/Maildir/.Spam
fi

Now that your procmailrc is all set up and working, you can enable it in your .qmail files. To do this, you need to go to your virtual domain directory and change a line in the .qmail-default file.

bash$ cd /var/lib/vpopmail/domains/example1.com

Open .qmail-default in your favorite editor and delete the only line in there. Replace it with | preline procmail -p -m ./procmailrc. Once that is done, send yourself a test email. View all headers in your favorite MUA and you should see something like this:

X-Spam-Status: No, hits=-2.8 required=5.0
tests=BAYES_10,FROM_EGROUPS,GROUPS_YAHOO_1,HTML_20_30,TONER
version=2.55
X-Spam-Level:
 X-Spam-Checker-Version: SpamAssassin 2.55
(1.174.2.19-2003-05-19-exp)

You will notice that my spam level is set to 5.0. If you are running an ISP or have a lot of users who get business-type email, you may wish to raise this. The magic number appears to be somewhere between 7 and 8.5. To change your settings, open up /var/lib/vpopmail/.spamassassin/user_prefs and change the required_hits variable appropriately. You can also change the individual scores for each test SpamAssassin checks. First, look over the list of tests and then simply add the alternate scores to vpopmail's user_prefs file.

Qmail-Scanner and ClamAV

Before you attempt to install Qmail-Scanner, you must have compiled your Qmail with Bruce Guenter's QMAILQUEUE patch. If you don't have this installed, then you won't be able to run Qmail-Scanner, which means that you can't use ClamAV.

Before you install Qmail-Scanner, you need to install ClamAV. However, it should be noted that Qmail-Scanner supports a wide range of antivirus software and that you do not need to use ClamAV. It seems that, at the time of this writing, the ClamAV site is down; however, I was able to find Debian packages without any problems. A quick search on Google turned up RPM packages as well.

After you have verified that everything is ready to go, download and untar Qmail-Scanner.

bash$ ./configure \
      --bindir=/usr/sbin
      --notify="sender,recips"

bash$ ./configure \
      --bindir=/usr/sbin
      --notify="sender,recips"
      --install

The first ./configure is to verify that Qmail-Scanner finds your antivirus software, while the second one actually installs the software. Once you have the software installed, you need to tell Qmail to use it. This requires editing your TCP server rules. On Debian, this file is /etc/tcp.smtp, but it may be /etc/tcpserver/smtp.rules on other systems. It should look something like the following:

:allow,QMAILQUEUE="/usr/sbin/qmail-scanner-queue.pl"

After you have edited the file you will need to rebuild your SMTP access database with the following command:

bash$ tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
bash$ chmod 644 /etc/tcp.smtp*

For more information on relaying, you will definitely want to check out Life with Qmail's relaying section. If you compiled Qmail with the SMTP-AUTH patch, then you will not have to worry about this, because each time a user sends an email his MUA will send authentication as well.

You will need to restart Qmail now. After you have restarted Qmail, send yourself a test message. You should see the following in your headers:

X-Qmail-Scanner-Mail-From:
watchblog-discuss-admin@watchblog.com via bubba
X-Qmail-Scanner: 1.16 (Clear:. Processed in 0.873544 secs)

That's it! Now all incoming and outgoing mail will be scanned for viruses. You may optionally choose to have Qmail-Scanner invoke SpamAssassin as well. I didn't do this because I wanted control over what happened to the spam after it was detected.

Conclusion

If you've followed this entire series, you should have a mail server that supports IMAP and POP3, as well as a web front end. Not only that, but you have virtual domains and a web interface to manage users (if you installed qmailadmin). To make things better, all incoming email is scanned for spam and viruses.

Sometimes it's not easy to integrate open source solutions into a large system that addresses all of your needs, but I think the mail server outlined in these articles covers just about everything.

Joe Stump is the Lead Architect for Digg where he spends his time partitioning data, creating internal services, and ensuring the code frameworks are in working order.

Return to the Linux DevCenter.