The 'Bastion' Host

Author: Andy Millett

Version history

Version 1.0 (Aug 06): initial release.
Version 1.1 (Oct 06): sbl-xbl.spamhaus.org has now changed to zen.spamhaus.org to include non-MTA sending IP blocks. SuSE setup procedure errors corrected, thanks to Damien Parker at IP Performance for finding these.
Version 1.2 (Nov 06): ClamAV version changed to 0.88.6.
Version 1.3 (Nov 06): added Greylisting section.

Preamble

Hi there. I created this document to bring together all of the components of what I consider to be a fairly effective mail gateway which has the ability to block spam and viruses. I’ve used Linux because it is stable, adaptable and above all free to the net community at large to use (for personal use of course). I use this server to protect my own domains and find it very effective. The components of the system are based on Open Source programs, and I would like to thank their authors for releasing them for us all to use.

One final thing I’d like to mention is that this document isn’t for the faint-hearted user. It assumes you have knowledge of using the programs mentioned, or at least are able to figure out what is going on when something doesn’t work. If you aren’t, please feel free to Google your issue, error or whatever; I’ve found that to be the best place to find the answers to the questions I’ve had. You can post a question on my forum if you wish and I’ll attempt to answer it or help you along – http://andymillett.co.uk/andym/forum .

Contents

1. Overview
1.1. Before Queue Content Filter
1.2. After Queue Content Filter
2. Hardware Requirements
3. Software Requirements
3.1. Operating System
3.2. Postfix
3.3. SpamAssassin
3.4. ClamAV
3.5. Getadsmtp.pl
3.6. AmavisD
3.7. PolicyD-Weight
3.8. Pflogsumm
3.9. Mailgraph
4. Topology
5. OS Installation
6. Postfix Setup
6.1. Main.cf
6.2. Master.cf
6.3. Transport
6.4. Virtual
6.5. Helo_checks
6.6. Recipients
6.7. MX_Access
6.8. getadsmtp.pl
7. ClamAV Setup
7.1. freshclam.conf
7.2. clamd.conf
8. AmavisD Setup
8.1. amavis.conf
9. PolicyD-Weight Setup
9.1. Whitelisting
10. SpamAssassin Setup
10.1. Whitelisting/Blacklisting
11. Grey-Listing
11.1. Whitelisting
12. Starting the Daemons
13. Reporting
13.1. Pflogsumm
13.2. Mailgraph
14. Links

1. Overview

Whilst commercial anti-spam products are extremely adept at blocking spam and catching viruses, sometimes you just wonder if it can be done without the expense. Here’s how, with a little time and a spare computer, you can build your own ‘Bastion’ host. Using Postfix, SpamAssassin and ClamAV on a Linux distribution you can successfully deploy a shoestring-budget anti-spam/anti-virus host by utilizing two areas of the SMTP protocol as it is applied by Postfix (the MTA).

1.1 Before Queue Content Filter

By tightening up the rules applied it is possible to block 60-70% of all spam attempts at the initial connection stage. Strict (but fair) application of the SMTP protocol is used here via Postfix rules and the PolicyD-Weight script.

1.2 After Queue Content Filter

Any messages that pass successfully through the Before Queue content filter then pass through SpamAssassin and ClamAV (the After Queue filters), where they are scored against both local rules and SURBLs and checked for viruses.

2. Hardware Requirements

1 x PC or 1U rack server with a minimum 700 MHz P3 CPU, 512 MB RAM, 1 IDE disk (preferably two to set up RAID), 1 NIC. A graphics card is recommended but not necessary after the initial setup of the OS.

The above hardware will quite happily handle both inbound and outbound email for a small to medium site (50 users / up to 500 messages per hour). For higher volume sites (50-1000+ users / 10000+ messages per hour) a faster processor (preferably dual), more memory (a minimum of 2 GB) and a dual-disk SCSI RAID0 should be considered.

3. Software Requirements

3.1 Operating System – pick a distro, any distro you like: Slackware, SuSE, Red Hat, Debian. All can be downloaded for free, but for ease of install and setup use SuSE (9.3 or later).
3.2 Postfix – a secure, highly configurable MTA (Mail Transfer Agent) which accepts email and either delivers it to a local mailbox (local delivery) or forwards it on to a local/remote server (network delivery).
3.3 SpamAssassin – a Perl-based anti-spam filter with many features.
3.4 ClamAV – an Open Source anti-virus server.
3.5 Getadsmtp.pl – a free Perl script which contacts your AD/LDAP server for a valid list of recipients.
3.6 AmavisD – a Perl-based script that integrates a virus scanner and anti-virus program for use within an MTA.
3.7 PolicyD-Weight – a ‘scoring’ Perl script which runs prior to the mail being queued and scores based on HELO, MX, and DNSBL inclusion.
3.8 Pflogsumm – a Perl script which, when run, generates a report of mail activities in human-readable form.

4. Topology

The following diagram shows how the Before and After Queue content filters work.

[Diagram not reproduced. It shows the sending SMTP server connecting to the Postfix SMTP server (master process); the Before Queue filter consults PolicyD-Weight and the Greylist DB and either REJECTs or accepts the message into the Postfix queue; the After Queue filter then hands the queued message to the AmavisD, ClamAV and SpamD processes; if a virus is found (YES) the message is stopped, otherwise (NO) it returns to the Postfix queue and is delivered via the Transport process to a mailbox or the network.]

5. OS Installation

Installing SuSE is fairly straightforward with a couple of exceptions. The default minimum install (Text-Mode) will suffice (we don’t need X Windows).

Start the installation by booting from the disk and choosing ‘Installation’ from the menu that appears.

Choose English (UK) as the selected language. The installation will then continue (if you see a message similar to the one below, simply click OK).

Now under the Installation Settings menu, choose ‘Change’ then select ‘Software’.

Select ‘Minimum system’ from the choice menu then click on ‘Detailed Selection’.

Now from the ‘Filter’ option on the top left, drop the list down and choose ‘Search’.

Aside from the ‘Minimum system’ you selected, the following packages should be installed (you can search for them as written below).
pico
DB
DB-Devel
spamassassin
perl-spamassassin
amavisd-new
zlib-devel
freetype
freetype2
freetype2-devel
rrdtool
gd
libpng
libpng-devel
apache2
apache2-prefork
jpeg
libjpeg
gcc
wget
lha
unrar
unzip
zoo
glibc-devel
perl-Convert-TNEF
perl-Convert-UUlib
perl-Net-Server
perl-Net-DNS
perl-Archive-Tar
Perl-Archive-Zip
perl-BerkeleyDB
perl-Bit-Vector
perl-Compress-Zlib
perl-Date-Calc
perl-Inline
perl-IO-stringy
perl-IO-Socket-SSL
perl-ldap
perl-MailTools
perl-MIME-tools
perl-Net-SSLeay
perl-OPENSSL
perl-Unix-Syslog
perl-URI
perl-TimeDate

Once you have finished selecting the programs above, click ‘Accept’ on the bottom right of the screen. A list of required dependencies (if any) will appear. Simply click OK to accept this.

Once back on the ‘Installation Settings’ menu, click ‘Accept’ again. A message will appear asking you to confirm that you wish to create new partitions (and that you will overwrite any existing ones). Agree to this.

The installation will then continue, displaying a progress bar (below). If you wish to see the progress in a more detailed manner you can click on the ‘Details’ tab.

When the first stage of the installation is complete the system will automatically reboot itself (this is completely normal). After the reboot the installation will continue.

Next, choose a root password, then choose Next.

Agree to the messages about detecting hardware.

As you can see from the picture above, each option (Back, Abort, Next, Change, etc.) has a different colour on a specific character; you can use this letter in conjunction with the ‘ALT’ key to choose that option.

Press Alt-C to change the configuration and choose ‘Firewall’. Set the Firewall configuration to ‘Start Firewall Manually’. Follow with Alt-N to continue.

Next, press Alt-C to change the configuration again, this time selecting ‘Network Interfaces’. Press Alt-I to select the presently configured interface (assigned by DHCP).
On the Network Address Setup screen, press Alt-T to choose a Static Address and enter the settings you require.

Once this is done, press Alt-H to set the ‘Host Name and Name Server’ settings. Under the ‘Host Name and Name Server’ settings, set your chosen hostname and DNS domain name (this will be the primary domain the server is accepting email for). Select OK when you are done.

Back at the Network Address Setup screen, press Alt-O to change the routing information of the server. Enter the Default Gateway as required, then finish with OK.

Click Next to finalize the Network Configuration if you are happy you have everything correct. The network configuration will then be written.

Choose ‘Local’ as the authentication method.

Set up a new user on the system that isn’t root.

The installation will then ask you if you want to test your internet connection. Agree to this. If the result is ‘Success’, click Next.

You will then be asked if you wish to run Online Update; agree to this. You will be given a choice of update servers from which to download available updates. You can agree to the first selected or choose another. Click Next when ready.

A list of available updates will then be downloaded, finishing at the screen below. Simply click OK and the update will continue.
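The before-queue scoring stage described in sections 1.1 and 4, as an added example that is not part of Andy Millett's document nor PolicyD-Weight's own code: it parses a request in Postfix's policy delegation format (the format check_policy_service sends), scores the HELO name, the sender domain's MX presence and the client's DNSBL listing, and builds the reply Postfix expects. The MX table, the DNSBL listing, the weights and the sample request are constructed assumptions for illustration only.

```python
import re
# Constructed stand-ins for DNS lookups: domains that publish an MX record,
# and client IPs listed in a DNSBL such as zen.spamhaus.org.
MX_TABLE = {"example.com", "example.org"}
DNSBL_LISTED = {"192.0.2.10"}
# Assumed weights (not PolicyD-Weight's real ones); total >= threshold rejects.
W_HELO_OK, W_HELO_NOT_FQDN, W_HELO_IP = -1.0, 1.5, 1.0
W_SENDER_NO_MX, W_DNSBL, REJECT_THRESHOLD = 2.0, 3.5, 3.0

FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
IPV4_RE = re.compile(r"^\[?\d{1,3}(\.\d{1,3}){3}\]?$")

def parse_policy_request(raw: str) -> dict:
    """Parse Postfix's policy delegation request: name=value lines, blank line ends."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def score_request(attrs: dict) -> float:
    """Score HELO syntax, sender-domain MX presence and DNSBL listing of the client."""
    score = 0.0
    helo = attrs.get("helo_name", "")
    if IPV4_RE.match(helo):          # HELO given as an address literal
        score += W_HELO_IP
    elif not FQDN_RE.match(helo):    # e.g. "localhost" or a bare word
        score += W_HELO_NOT_FQDN
    else:
        score += W_HELO_OK
    sender_domain = attrs.get("sender", "").rpartition("@")[2].lower()
    if sender_domain not in MX_TABLE:
        score += W_SENDER_NO_MX
    if attrs.get("client_address") in DNSBL_LISTED:
        score += W_DNSBL
    return score

def policy_response(raw: str) -> str:
    """Build the reply Postfix expects from check_policy_service: 'action=...' plus blank line."""
    score = score_request(parse_policy_request(raw))
    if score >= REJECT_THRESHOLD:
        return f"action=REJECT policy score {score:.1f} too high\n\n"
    return "action=DUNNO\n\n"

# Constructed sample request in the format Postfix sends at RCPT time.
SPAMMY_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=192.0.2.10\nhelo_name=localhost\n"
                  "sender=bob@nomx.invalid\nrecipient=alice@example.com\n\n")
```

A real policy server would answer these requests over the socket named in main.cf's check_policy_service entry; PolicyD-Weight additionally resolves MX and DNSBL answers live and uses its own weights.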
