Filtering Strategies

SYSADMIN Sendmail Strategies www.sxc.hu

Fighting spam and viruses with Sendmail FILTERING STRATEGIES

A structured approach to Sendmail helps to maximize your spam and Amavisd-new plays piggy in the middle, and acts as a spam and virus filter. The virus protection. BY HANNES KASPARICK MTA-RX process listens on TCP port 25, and reads its configuration from /etc/ mail/sendmail-rx.cf and /etc/mail/ he versatile Sendmail Mail Trans- a security point of view, as the Perl pro- submit.cf, along with the source file port Agent (MTA) offers several gram is not susceptible to buffer over- /etc/mail/hostname-rx.mc. Tapproaches to managing the flows. Amavis does not normally need Type mkdir /var/spool/mqueue-rx to virus and spam epidemic. This article in- root privileges; it is happy to run in a ch- create the mail queue directory. The fol- troduces three workable anti-spam and root jail, and it gives administrators con- lowing line gives you the required per- anti-virus scenarios before finishing with figuration options to prevent Denial of missions: a discussion of a radical approach that Service attacks based on mail bombs. more or less entirely eliminates spam. The interface is easily installed. For chown root:amavis U The discussion assumes you have some Debian-based systems, run apt-get install /var/spool/mqueue-rx && U basic familiarity with how to configure amavisd-new. As Amavis typically also chmod 700 /var/spool/mqueue-rx Sendmail. I will concentrate on practical checks for viruses, you will want to in- add-on tools. Certain internal Sendmail stall a virus scanner. The configuration Then go on to define your own control configuration settings [1], as well as pre- is located in /etc/amavis/amavisd.conf. socket to stop the two Sendmail pro- vention strategies such as blacklists, also There are several approaches to inte- cesses from arguing: help to fight malware, though these tech- grating Amavis with Sendmail. The rec- niques rarely provide a complete solu- ommended approach is the Sendmail defineU tion. For more information on configur- Dual variant. In this scenario, Amavis (`confCONTROL_SOCKET_NAME',U ing Sendmail, see the summary of accepts email on port 10024 of the local `/var/run/sendmail/mta/U sources at the Sendmail website [2]. interface of the first Sendmail instance smcontrol-rx')dnl and forwards messages to the second Connecting Interface Sendmail instance after verification. The MTA-TX process binds port 10025 Amavisd-new [3] is an interface between on the local interface and uses the nor- an MTA and a content filter such as a Sendmail Dual mal mail queue and configuration file. virus scanner and/ or Spamassassin. See Running Amavis means setting up two To keep things readable, we will be using Linux Magazine, January 2006, for a dis- Sendmail processes that manage sepa- a shared source file /etc/mail/Hosname cussion of Amavisd-new [4]. Various rate mail queues. One process manages -tx.mc. Define settings for receiving mail, Amavis configurations are available for the receiving queue (MTA-RX), and the including resource limits, in hostname many MTAs. Amavis is pretty safe from second the transmission side (MTA-TX): -rx.mc. The sending side is handled by

64 ISSUE 68 JULY 2006 WWW.LINUX - MAGAZINE.COM Sendmail Strategies SYSADMIN

hostname-tx.mc. One advantage of the

Sendmail Dual installation is that the Sasl ~/.procmailrc MTA-RX, which is accessible from the Internet, does not need to run with root privileges as it does not access the user SM-MTA-RX SM-MTA-TX Dovecot Procmail home directories. with Port 25 with Port 10025 POP3(s), IMAP(s) Solution 1: Amavis Home Amavisd-new Alone with Port 10024 TMDA The simplest, and least flexible, ap- (optional) proach to fighting spam and viruses is to use Amavis (Figure 1) on its own. Squirrel- Spamassassin Clam-AV The interface automatically integrates (clamd) mail Spamassassin, its plugins, and an anti- Email virus program. If you fail to set the Client $mydomain variable, more or less noth- Razor DCC ing will work, so start by assigning a value. Define suitable values for Figure 1: Simple, but fairly inflexible: Sendmail and Amavis battling spam and viruses on their both $LOGFILE and $log_level to enable own. troubleshooting and log analysis. Then you have to consider what will scanners. Once one virus scanner has bombs in particular expand to such an happen to spam and virus-infected mes- detected a virus, it would be a waste of enormous size that when you unpack a sages, and define $final_virus_destiny resources to feed the message to the mail bomb for scanning, you might eas- and $final_spam_destiny to match. Your other. The parameter $first_infected_ ily run out of memory and swapspace. options are D_PASS, D_DISCARD, D_ stops_scan = 1 prevents this. The $MAXLEVELS parameter mitigates BOUNCE>, and D_REJECT; responsible You could also warn the sender of the this by restricting the nesting levels of admins will opt for D_BOUNCE, rather infected mail by specifying the para- files that have been compressed multiple than D_REJECT to allow for address meter $warnvirussender = 1; however, times. After reaching the predefined spoofing. this service does not make much sense, level, Amavis stops trying to unpack the This method uses the $sa_* parame- as happy-go-lucky admins will probably file. $MAXFILES restricts the number of ters to control Spamassassin. To tag treat your warnings as spam, or spoofed files per mail. every mail with an X-Spam header, set addresses will prevent you from ever The $MAX_EXPANSION* parameter $sa_tag_level_deflt = -999. To allow being able to reach the perpetrator. If allows you to set a memory limit in users to identify spam by the email sub- you prefer not to delete virus-infected bytes that can be used by the decom- ject line, a clear $sa_spam_subject_tag is messages automatically, you can set up pression process. Whenever an email ex- useful. To improve the detection rate, a $QUARANTINEDIR. ceeds one of these three limits, Amavisd- you may want Amavis to reference exter- Virus scanning can quickly consume new version 20030616-p8 or later adds nal sources (blacklists, DCC, Razor, resources on a mail server, thus leading an ***UNCHECKED*** tag to the sub- Pyzor). To do so, set the $sa_local_tests_ to a Denial of Service condition. Mail ject line. You should routinely filter only = 0 option. Values between 2 and 2.5 have proved ~/.procmailrc useful for $sa_tag2_level_deflt, which Sasl tags messages as spam or legitimate. If you have too many false positives, you will need to raise this value carefully. SM-MTA-RX SM-MTA-TX Dovecot with Port 25 (Port 10025) Procmail POP3(s), IMAP(s) $sa_mail_body_size_limit lets you control the mail size above which Amavis does not perform spam checking on mail TMDA – large mails are very rarely spam. And Amavisd-new (optional) Spamassassin $sa_timeout sets the number of seconds with Port 10024 that Amavis waits for Spamassassin before forwarding messages. The whitelists Razor Squirrel- mail and blacklists, as well as recipients that Clam-AV MySQL-DB (clamd) prefer to disable spam checking ($spam_ Email DCC Client lovers) can be configured flexibly.

Maia Mailguard Cascading Scanners (Webfontend mit PHP) Solution 1 gives you virus checking, and it can even use multiple, parallel virus Figure 2: A more flexible, database-based scenario with Sendmail, Amavis, and Maia.

WWW.LINUX - MAGAZINE.COM ISSUE 68 JULY 2006 65 SYSADMIN Sendmail Strategies

mails with this tag as they are likely to contain viruses. Sasl ~/.procmailrc Solution 2: Amavis with Maia SM-MTA-RX SM-MTA-TX Dovecot Procmail Solution 1 is easy to configure, although with Port 25 with Port 10025 POP3(s), IMAP(s) it does not leave you with much scope for user-specific settings. One way of ex- Amavisd-new tending Amavis is to add Maia Mail- Spamass- with Port 10024 TMDA Milter (optional) guard [7], as shown in the schematic in Figure 2. Maia is an easy-to-use, multi- Razor Squirrel- ple-language Web front-end based on Spamd Clam-AV mail PHP and Perl. It uses a patched version (Clamd) of Amavisd-new, which stores user-spe- DCC Email cific settings in a MySQL or PostgreSQL Client database. ~/.spamassassin/ Users access their individual settings user_prefs via the Web front-end. Users are required to log in with their complete (!) Figure 4: An even more flexible solution makes use of Sendmail's Milter interface. email address. After doing so, users can manage mailboxes, define individual Milter interface to access a separate in- tions are detailed at [9]. Spamassassin blacklists (Figure 3), or change the stance of Spamd (the Spamassassin dae- scores email content, and if the score ex- threshold value for spam. mon). Each user can define their own ceeds a threshold, or required_score, it The price of more user convenience is settings in ~/.spamassassin/user_prefs. tags the message as spam. To boost the more risk for the admin: more compo- Spamd accesses the user_prefs file and spam detection rate, it is advisable to as- nents always mean more risk of failure. detects spam based on these values. If sign a higher score to RAZOR2_CHECK, If the database hangs, the server simply the file is missing, Spamassassin will RAZOR2_CF_RANGE_51_100, and DCC_ stops delivering mail. (It does store mes- automatically apply the administrator’s CHECK. The PYZOR_CHECK value is sage temporarily, and delivers later if preferences, which are located in /etc/ high enough. necessary.) To improve availability, ad- spamassassin/local.cf. mins can define multiple SQL servers. Sinvr Spamd needs access to the home Three Hunters: DCC, Razor, The second critical point is that the directories, it runs under the root ac- and Pyzor Maia patch prevents you installing your count. You can set up regular user-level The parameters just referred to specify distribution’s binary security updates for access to the home directories for the the evaluation criteria for data from the Amavisd-new – this would simply re- Spamd process to avoid running the pro- three global mail networks, DCC, Razor, move the path. For mailservers with a cess as root, and therefore increase secu- and Pyzor, which collect and evaluate large volume of mail, the performance rity. Solution 3 is easy to install: apt-get mail hashes. The hash functions used hits due to repeated database access can install spamass-milter spamassassin. for this purpose work in a different way also be significant. Again, administrators Then add the following lines: than the better known MD5 and SHA1 can work around this issue by assigning hashes. They use what are called soft multiple servers. INPUT_MAIL_FILTER(U hashes, which allow some items in the `spamassassin',` mail to change, such as the target, with- Solution 3: Milter-based S=local:/var/run/sendmail/U out changing the hash. Spamd spamass.sock, Each mail server that uses these exter- For maximum individual configurability, F=,T=S:4m;R:4m;E:10m')dnl nal networks sends the hashes of any without graphical overhead, a model like mails it receives. If 100,000 hashes reach the one shown in Figure 4 is probably to the hostname-rx.mc configuration file the networks – and this value is configu- your best approach. It uses Sendmail’s for the MTA-RX, compile the configura- rable – you can assume that the mail is tion files by running m4, and relaunch spam. After all, it is unlikely that anyone Sendmail. Define global preferences in would send 100,000 identical emails /etc/spamassassin/local.cf. Check out [8] with legitimate content. for a full list of options. The most impor- Run apt-get to install DCC, Razor, and tant options are as follows: to enable in- Pyzor. Spamassassin automatically de- dividual user configurations, set allow_ tects their existence. DCC requires a sep- user_rules 1. To tag spam, use required_ arate DCC server for volumes above score 2.5, rewrite_subject 1, and rewrite_ 250,000 emails and will block any access Figure 3: The Maia Web front-end gives mail header Subject ***Spam***. above. To check whether these plugins users the ability to set up individual configu- The default detection criteria are fairly are working, you can run Tcpdump to rations – blacklists in this example. good; more granular configuration op- check the email headers of spam mails,

66 ISSUE 68 JULY 2006 WWW.LINUX - MAGAZINE.COM ADVERTISEMENT SYSADMIN Sendmail Strategies

Figure 5 shows you how this works in crease. This prompted us to put the solu- Incoming Mail Sent to principle: an external mail server is at- tions discussed in this article through a tempting to send a message to a mailbox performance test. Mailserver on your mail server. Your own mail We used Postal [11] to stress test a server asks the sender to confirm and Pentium 4 with a 2.8 GHz CPU and Request Confirmation does not deliver the original mail until it 512MB RAM. The benchmark program Confirmation Mail has received the confirmation. Spam- send emails with a maximum size of Accepted mers will not send a confirmation mes- 15KB to the server over a period of five sage, as they automatically send mass minutes. Solution 1 (Amavis Home Mail server mail, and will not receive the confirma- Alone) proved capable of handling 600 tion request due to address spoofing. emails per minute. It took another five Delivers Mailbox This reduces undesirable messages to minutes to deliver all the messages. En- zero percent but at the cost of consider- abling ClamAV did not slow the process Figure 5: A challenge response approach to able overhead. Figure 6 shows a more noticeably. If you use Spamassassin with preventing spam by means of a Tagged Mes- sophisticated approach to TMDA. external tests as described in Solution 3, sage Delivery Agent. If you opt for this zero tolerance the performance depends to a great ex- approach, remember the following: tent on the available Internet bandwidth or the ports 6277/ UDP (DCC), 2703/ TCP, • As spammers typically use other peo- and latency. A TMDA (Solution 4) has a 7/ TCP (Razor), and 24441/ UDP (Pyzor). ple’s addresses, your mail server significant effect on performance. You need to configure your firewall to should not bother these innocent by- allow outward bound traffic on these standers by asking them for confirma- All’s Well that Ends Well ports to allow connections to be opened tion. In other words you should not The first of the three designs we looked to the respective networks. It may seem give the TMDA messages that the filter into should work fine at first attempt in slightly paranoid to use all three pro- has already identified as spam. most environments. Before enabling So- grams in parallel, but doing so genuinely • Emails with a very low spam level can lution 4, weigh the pros and cons care- improves your spam detection rate. be delivered directly, without passing fully. What all four have in common is through the TMDA. that they scale well thanks to their ex- Solution 4: Zero Percent • If two TMDA systems happen to meet, tremely modular design. ■ Spam infinite loops are possible. The TMDA A less-known method of fighting spam, homepage [10] states that this should INFO which will only work under specific cir- not happen, but there are no guaran- [1] Sendmail anti-spam features: cumstances, is the Tagged Message De- tees. The FAQ on the homepage looks http:// www. sendmail. org/ m4/ anti_ livery Agent (TMDA) [10]. The TMDA at more issues and suggests solutions. spam. html adopts a challenge-response approach in • You are advised to set up a personal [2] Sendmail: http:// www. sendmail. org which each message sent to the server whitelist, independently of Spamas- [3] Amavis-new: for delivery has to prove its legitimacy to sassin; your best approach is to add http:// www. ijs. si/ software/ amavisd/ the server. your addressbook. Whitelists are par- ticularly important for reg- [4] “Scan Manager: Filtering spam and viruses with Amavisd-new,” istering with and using by Larkin Cunningham; Linux Incoming Mail Send to mailing lists. Magazine, January 2006, p. 35. One positive side effect is [5] Securityfocus and Frsirt: Mail Server that anyone who sends http:// www. securityfocus. com you mail, and doesn’t http:// www. frsirt. com happen to be on your [6] “Virus Checkers: Virus protection Score < 1 Spam / whitelist, receives confir- = Whitelist Virus Check tools for the Linux environment,” mation that the message Score > 2.5 by James Mohr; Linux Magazine, Mailbox Deliver as Spam has arrived. At the same January, 2006, p. 25. time, it should be noted 1 < Score < 2,5 [7] Maia Mailguard: Requests Mailbox that the TMDA is not the Confirmation http:// www. renaissoft. com/ maia/ perfect solution for scenar- Mail Accepted [8] Spamassassin setup for incoming ios due to its complexity. mail: http:// spamassassin. apache. org/ Mail Server full/ 3. 0. x/ dist/ doc/ Confirms Performance Sender Mail_SpamAssassin_Conf. html Delivers A mail server that at- [9] Default score values for Spamassas- tempts to provide a perfect sin: http:// spamassassin. apache. org/ Mail Delivered Mailbox solution in any scenario is tests_3_0_x. html always in danger of affect- [10] TMDA: http:// www. tmda. net Figure 6: In a more sophisticated TMDA scenario, Spamas- ing performance whenever [11] Postal: http:// www. cocker. com/ postal/ sassin preselects messages. mail volume starts to in-

68 ISSUE 68 JULY 2006 WWW.LINUX - MAGAZINE.COM