Use postfix and spamassassin packages on CentOS 6 to reject SPAM - without custom users and scripts
Solution 1
The point of my question (maybe I haven't stated it clearly enough) has been: how to combine Postfix and Spamassassin on CentOS with minimal effort.
Here is my solution in only 5 steps:
1. yum install spamassassin
   chkconfig spamassassin on
2. useradd spam
   (you can't omit this step!)
3. Add
   /^Subject: \[SPAM\]/ DISCARD
   to /etc/postfix/header_checks (consult /etc/mail/spamassassin/local.cf for the exact string to match)
4. Add the following 2 lines to /etc/postfix/master.cf (note the usage of the new spam user from the step 2):
   smtp inet n - n - - smtpd -o content_filter=spamassassin
   spamassassin unix - n n - - pipe user=spam argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
5. Finally restart the postfix and spamassassin services.
Send a test SPAM mail to yourself using the GTUBE subject:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
See that mail being discarded in /var/log/maillog:
postfix/smtpd[2048]: connect from mail-ig0-f176.google.com[209.85.213.176]
postfix/smtpd[2048]: 333F28007C1: client=mail-ig0-f176.google.com[209.85.213.176]
postfix/cleanup[2052]: 333F28007C1: message-id=<CAADeyWiTN=Nfmd6Z6P92arctGjZcRgrRtgt3r9TAU+a-=8CGug@mail.gmail.com>
postfix/qmgr[2037]: 333F28007C1: from=<[email protected]>, size=1883, nrcpt=1 (queue active)
spamd[1643]: spamd: connection from localhost [127.0.0.1] at port 53400
spamd[1643]: spamd: setuid to spam succeeded
spamd[1643]: spamd: processing message <CAADeyWiTN=Nfmd6Z6P92arctGjZcRgrRtgt3r9TAU+a-=8CGug@mail.gmail.com> for spam:502
postfix/smtpd[2048]: disconnect from mail-ig0-f176.google.com[209.85.213.176]
spamd[1643]: spamd: identified spam (999.9/5.0) for spam:502 in 0.1 seconds, 1846 bytes.
spamd[1643]: spamd: result: Y 999 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,GTUBE,HTML_MESSAGE scantime=0.1,size=1846,user=spam,uid=502,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=53400,mid=<CAADeyWiTN=Nfmd6Z6P92arctGjZcRgrRtgt3r9TAU+a-=8CGug@mail.gmail.com>,autolearn=no
postfix/pickup[2036]: 92AE8809366: uid=502 from=<[email protected]>
postfix/cleanup[2052]: 92AE8809366: message-id=<CAADeyWiTN=Nfmd6Z6P92arctGjZcRgrRtgt3r9TAU+a-=8CGug@mail.gmail.com>
postfix/cleanup[2052]: 92AE8809366: discard: header Subject: [SPAM] XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X from local; from=<[email protected]> to=<[email protected]>
postfix/pipe[2053]: 333F28007C1: to=<[email protected]>, orig_to=<[email protected]>, relay=spamassassin, delay=0.51, delays=0.35/0.01/0/0.15, dsn=2.0.0, status=sent (delivered via spamassassin service)
postfix/qmgr[2037]: 333F28007C1: removed
spamd[1642]: prefork: child states: II
Solution 2
Ok, so basically, you are piping the email into spamc, and then having spamc email the output to the recipient (well, actually remailing to the sender, but I think the intent was to remail to the recip).
No offense, but that is nuts.
If you want mail to be rejected based on the SA score, you're going to need a milter or policy daemon to do that. Spamassassin doesn't reject mail, it only scores it. Amavisd-new, or spamass-milter could work for you.
As to why spamassassin is not rewriting, it probably is, it's just not sending the modified version of the email to where you are expecting it to.
The original QueueID is 3124F80A3DA. Spamassassin is remailing it as QueueID B3FFF809367 back to the sender!
Looking at the rest of your log dump, it appears you're doing that with all the incoming spam - and Gmail is even "deferring" your IP due to the volume of it.
Don't reinvent the wheel and accidentally get blacklisted in the process. You want to reject incoming spam based on SA score, use a milter or policy daemon.
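Both answers come down to following one message through two queue IDs in /var/log/maillog (the copy handed to the spamassassin pipe and the copy spamc re-injects). As an added example, not part of either answer, this Python script groups queue IDs by Message-ID and lists mail that spamd flagged as spam but that Postfix still handed to a real relay. The sample log is constructed in the format of the excerpts on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log (placeholder addresses, documentation IP range).
SAMPLE = """\
postfix/cleanup[2052]: AAA111: message-id=<m1@example.org>
spamd[1643]: spamd: result: Y 999 - GTUBE scantime=0.1,size=1846,user=spam,uid=502,required_score=5.0,mid=<m1@example.org>,autolearn=no
postfix/cleanup[2052]: BBB222: message-id=<m1@example.org>
postfix/cleanup[2052]: BBB222: discard: header Subject: [SPAM] test from local; from=<a@example.org> to=<b@example.net>
postfix/pipe[2053]: AAA111: to=<b@example.net>, relay=spamassassin, delay=0.51, dsn=2.0.0, status=sent (delivered via spamassassin service)
postfix/cleanup[2061]: CCC333: message-id=<m2@example.org>
spamd[2034]: spamd: result: Y 999 - GTUBE scantime=0.2,size=1730,user=nobody,uid=99,required_score=5.0,mid=<m2@example.org>,autolearn=no
postfix/cleanup[2061]: DDD444: message-id=<m2@example.org>
postfix/pipe[2062]: CCC333: to=<b@example.net>, relay=spamassassin, delay=0.59, dsn=2.0.0, status=sent (delivered via spamassassin service)
postfix/smtp[2070]: DDD444: to=<b@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=2, dsn=2.0.0, status=sent (250 ok)
"""

QLINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]{6,}): (.*)")
VERDICT = re.compile(r"spamd: result: ([Y.]) (-?\d+) .*mid=(<[^>]*>)")
DELIVERY = re.compile(r"relay=([^,\[]+).*status=(\w+)")

def trace(log):
    """Group queue IDs by Message-ID and record what happened to each one."""
    mid_of, outcome, spam = {}, defaultdict(list), {}
    for line in log.splitlines():
        if (v := VERDICT.search(line)):
            spam[v.group(3)] = v.group(1) == "Y"          # spamd verdict per Message-ID
        elif (q := QLINE.search(line)):
            qid, rest = q.groups()
            if rest.startswith("message-id="):
                mid_of[qid] = rest.split("=", 1)[1]        # links both queue IDs
            elif rest.startswith("discard:"):
                outcome[qid].append("discard")             # header_checks DISCARD hit
            elif (d := DELIVERY.search(rest)):
                outcome[qid].append(f"{d.group(2)}:{d.group(1)}")
    report = defaultdict(lambda: {"spam": None, "queue": {}})
    for qid, mid in mid_of.items():
        report[mid]["spam"] = spam.get(mid)
        report[mid]["queue"][qid] = outcome[qid]
    return dict(report)

def leaked_spam(report):
    """Message-IDs that spamd flagged but that still went to a relay other than the filter."""
    return [mid for mid, r in report.items() if r["spam"]
            and any(o != "discard" and not o.endswith(":spamassassin")
                    for outs in r["queue"].values() for o in outs)]

if __name__ == "__main__":
    print(leaked_spam(trace(SAMPLE)))
```

On a real server, pass the contents of /var/log/maillog to `trace()`; an empty result from `leaked_spam()` means every flagged message ended at the filter hand-off or at a discard.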
Updated on September 18, 2022
Comments
-
Alexander Farber over 1 year
Here is what I'm trying at my CentOS 6.5 Linux server:
- Installed postfix and spamassassin packages
- Configured Postfix - it works well (I omit details here)
- Added -x to the SPAMDOPTIONS in /etc/sysconfig/spamassassin
- Added the following 2 lines to the /etc/postfix/master.cf
Here:
smtp inet n - n - - smtpd -o content_filter=spamassassin
spamassassin unix - n n - - pipe user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Unfortunately, when I send the test SPAM mail with the subject
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
it still comes through! (And the subject isn't rewritten - despite rewrite_header Subject [SPAM] in the unmodified /etc/mail/spamassassin/local.cf file).
I wonder, what have I missed? My /var/log/maillog is below:
postfix/postfix-script[2546]: starting the Postfix mail system
postfix/master[2547]: daemon started -- version 2.6.6, configuration /etc/postfix
postfix/qmgr[2550]: D5B19807033: from=<[email protected]>, size=1843, nrcpt=1 (queue active)
postfix/qmgr[2550]: 831CA809733: from=<[email protected]>, size=41369, nrcpt=1 (queue active)
postfix/qmgr[2550]: 42B7A80A312: from=<[email protected]>, size=4399, nrcpt=1 (queue active)
postfix/qmgr[2550]: AED94809D29: from=<[email protected]>, size=28035, nrcpt=1 (queue active)
postfix/qmgr[2550]: E69AA809D3C: from=<>, size=3487, nrcpt=1 (queue active)
postfix/qmgr[2550]: 2BDE980A61B: from=<[email protected]>, size=4073, nrcpt=1 (queue active)
postfix/qmgr[2550]: 0D37280A51F: from=<[email protected]>, size=7888, nrcpt=1 (queue active)
postfix/smtp[2552]: D5B19807033: host gmail-smtp-in.l.google.com[74.125.136.27] said: 421-4.7.0 [144.76.184.154 15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. l16si23407549wjr.0 - gsmtp (in reply to end of DATA command)
postfix/smtp[2552]: D5B19807033: to=<[email protected]>, orig_to=<[email protected]>, relay=alt1.gmail-smtp-in.l.google.com[74.125.25.27]:25, delay=6325, delays=6323/0/1.2/0.61, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[74.125.25.27] said: 421-4.7.0 [144.76.184.154 15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. f7si4794087pdm.22 - gsmtp (in reply to end of DATA command))
postfix/smtpd[2557]: connect from mail-ie0-f180.google.com[209.85.223.180]
postfix/smtpd[2557]: B3FFF809367: client=mail-ie0-f180.google.com[209.85.223.180]
postfix/cleanup[2561]: B3FFF809367: message-id=<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=eKhNGQ@mail.gmail.com>
postfix/qmgr[2550]: B3FFF809367: from=<[email protected]>, size=1767, nrcpt=1 (queue active)
spamd[2034]: spamd: connection from localhost [127.0.0.1] at port 42928
spamd[2034]: spamd: setuid to nobody succeeded
spamd[2034]: spamd: processing message <CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=eKhNGQ@mail.gmail.com> for nobody:99
postfix/smtpd[2557]: disconnect from mail-ie0-f180.google.com[209.85.223.180]
spamd[2034]: spamd: identified spam (999.9/5.0) for nobody:99 in 0.2 seconds, 1730 bytes.
spamd[2034]: spamd: result: Y 999 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,GTUBE,HTML_MESSAGE,T_TO_NO_BRKTS_FREEMAIL scantime=0.2,size=1730,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42928,mid=<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=eKhNGQ@mail.gmail.com>,autolearn=no
postfix/pickup[2549]: 3124F80A3DA: uid=99 from=<[email protected]>
postfix/cleanup[2561]: 3124F80A3DA: message-id=<CAADeyWgi9VjXoXoUXtTf0n4jp_WJzMd2q7C7zqkRpK7=eKhNGQ@mail.gmail.com>
postfix/pipe[2562]: B3FFF809367: to=<[email protected]>, orig_to=<[email protected]>, relay=spamassassin, delay=0.59, delays=0.37/0.01/0/0.22, dsn=2.0.0, status=sent (delivered via spamassassin service)
postfix/qmgr[2550]: B3FFF809367: removed
spamd[2032]: prefork: child states: II
postfix/qmgr[2550]: 3124F80A3DA: from=<[email protected]>, size=2843, nrcpt=1 (queue active)
-
c4f4t0r over 9 years
You need to edit your postfix main.cf
-
c4f4t0r over 9 years
Maybe you are missing the content_filter in /etc/postfix/main.cf. I used this how-to and I don't find any problem: andrewpuschak.com/dokuwiki/doku.php?id=centos_6_email_server
-
Alexander Farber over 9 years
But I already have smtpd -o content_filter=spamassassin in the master.cf?
-
Alexander Farber over 9 years
I don't think it's nuts, because I'm trying to follow these 2 guides: debuntu.org/postfix-and-spamassassin-how-to-filter-spam-page-2 and howto.gumph.org/content/run-spamassassin-with-postfix And yes, I'd like to resubmit the mail (but with the rewritten subject - which doesn't work for some reason) - so that I can reject the mail with header_checks (later, don't have it in my config files right now). As for Gmail deferring - of course - that is why I am trying to add Spamassassin in the 1st place. Here is the picture: akadia.com/services/postfix_spamassassin.html
-
Joe Sniderman over 9 years
Your setup is resubmitting the mail alright - but not the way you want it to. Do you see in the log where the sender and recip are getting reversed?
-
Joe Sniderman over 9 years
If you absolutely must use a post-queue content filter, at least do it the way postfix.org/FILTER_README.html suggests. Those two tutorials you referenced are dangerously wrong. For starters, you need whatever you pipe the mail into to return an appropriate status back to postfix to let postfix know what to do with the message (not something spamc is going to do).
-
Joe Sniderman over 9 years
You can also see it reinjected and sent back to the sender in that log....
-
Chloe over 7 years
Does this cause backscatter? If so, why, since step 4 looks like it discards spam?