Multiple milter help
2014-03-06 by Thomas Cameron
All - I'm using spamass-milter and milter-greylist on RHEL 6 with sendmail-8.14.4-8.el6.x86_64. I am hoping someone has an example of what my sendmail.mc should look like to run both milters. Help?
Thread
Multiple milter help
Re: [milter-greylist] Multiple milter help
2014-03-06 by Jim Klimov
On 2014-03-06 01:20, Thomas Cameron wrote:
> I'm using spamass-milter and milter-greylist on RHEL 6 with
> sendmail-8.14.4-8.el6.x86_64.
>
> I am hoping someone has an example of what my sendmail.mc should look
> like to run both milters.
Our typical config is somewhat large and complex, but the bits you
might need, include:
FEATURE(`access_db')
FEATURE(`use_ct_file')
FEATURE(`blacklist_recipients')
FEATURE(`delay_checks', `friend')dnl
FEATURE(`greet_pause', `2000')dnl
dnl INPUT_MAIL_FILTER(`milter-regex',
`S=unix:/var/milter-regex/milter-regex.sock, T=S:30s;R:2m')dnl
dnl# See also: http://wiki.apache.org/spamassassin/DnsBlocklists
FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked - see
http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
dnl# ORDB closed in 2010(?), mail-abuse in Nov 2012
dnl# FEATURE(`dnsbl', `relays.ordb.org', `Spam blocked - see
http://ordb.org')dnl
dnl# FEATURE(`dnsbl', `blackholes.mail-abuse.org', `Rejected - see
http://www.mail-abuse.org/rbl/')dnl
dnl# FEATURE(`dnsbl', `dialups.mail-abuse.org', `Dialup - see
http://www.mail-abuse.org/dul/')dnl
dnl# FEATURE(`dnsbl', `relays.mail-abuse.org', `Open spam relay - see
http://www.mail-abuse.org/rss/')dnl
FEATURE(`dnsbl', `dul.ru', `ISP-self-registered Dialup - Use mail relays
of your ISP, see http://www.dul.ru/')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"Spam blocked - see
http://www.spamhaus.org/query/ip/"$&{client_addr}')dnl
INPUT_MAIL_FILTER(`greylist',`S=unix:/var/milter-greylist/milter-greylist.sock,
F=T, T=S:320s;R:320s;E:1h')dnl
dnl
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/milter/clamav/milter.sock, F=,
T=S:4m;R:4m')dnl
dnl INPUT_MAIL_FILTER(`clmilter',`S=inet:7357@clamav, T=S:320s;R:320s;E:1h'
Note that "dnl" marks the start of comment, so this particular
installation currently uses only one milter, which is used if
the connecting host is not rejected by a DNS RBL or (earlier)
some regex tests (now moved into milter-greylist).
Also the SMTP banner delay (greet pause) is used to reject
submitters who can't keep up a proper dialogue. There is also
connection throttling somewhere there in the accessdb ;)
And whenever possible, your relay should "know" (via local users,
LDAP, a forward verification milter, etc.) what user names are
defined for your domains, so messages for random usernames can
be discarded with a proper dialog error (instead of a later
bounce message) during the submission from the spammer or an
erring user.
After the "cheap" tests you can do heavier ones like clamav
(antivirus) or spamassassin (content checks) - by this time
the incoming stream of messages that have passed the initial
filters should be at least 5-10 times less than the number of
SMTP connections you've received (in our random summaries we
saw about 4% to 10% of connections making it into accepted
messages, with no complaints from users about lost valid mail,
and still part of that received traffic is spam). So it is
rather important to do "expensive" tests late in the chain
so as to not waste too much of your CPUs on all that easily
caught spam.
HTH,
//Jim KlimovRe: [milter-greylist] Multiple milter help
2014-03-06 by Thomas Cameron
On 03/05/2014 06:40 PM, Jim Klimov wrote:
>
>
> On 2014-03-06 01:20, Thomas Cameron wrote:
>> I'm using spamass-milter and milter-greylist on RHEL 6 with
>> sendmail-8.14.4-8.el6.x86_64.
>>
>> I am hoping someone has an example of what my sendmail.mc should look
>> like to run both milters.
>
> Our typical config is somewhat large and complex, but the bits you
> might need, include:
>
> FEATURE(`access_db')
> FEATURE(`use_ct_file')
> FEATURE(`blacklist_recipients')
> FEATURE(`delay_checks', `friend')dnl
> FEATURE(`greet_pause', `2000')dnl
>
> dnl INPUT_MAIL_FILTER(`milter-regex',
> `S=unix:/var/milter-regex/milter-regex.sock, T=S:30s;R:2m')dnl
>
> dnl# See also: http://wiki.apache.org/spamassassin/DnsBlocklists
> FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked - see
> http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
> dnl# ORDB closed in 2010(?), mail-abuse in Nov 2012
> dnl# FEATURE(`dnsbl', `relays.ordb.org', `Spam blocked - see
> http://ordb.org')dnl
> dnl# FEATURE(`dnsbl', `blackholes.mail-abuse.org', `Rejected - see
> http://www.mail-abuse.org/rbl/')dnl
> dnl# FEATURE(`dnsbl', `dialups.mail-abuse.org', `Dialup - see
> http://www.mail-abuse.org/dul/')dnl
> dnl# FEATURE(`dnsbl', `relays.mail-abuse.org', `Open spam relay - see
> http://www.mail-abuse.org/rss/')dnl
> FEATURE(`dnsbl', `dul.ru', `ISP-self-registered Dialup - Use mail relays
> of your ISP, see http://www.dul.ru/')dnl
> FEATURE(`dnsbl', `zen.spamhaus.org', `"Spam blocked - see
> http://www.spamhaus.org/query/ip/"$&{client_addr}')dnl
>
> INPUT_MAIL_FILTER(`greylist',`S=unix:/var/milter-greylist/milter-greylist.sock,
>
> F=T, T=S:320s;R:320s;E:1h')dnl
>
> dnl
> INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/milter/clamav/milter.sock, F=,
>
> T=S:4m;R:4m')dnl
> dnl INPUT_MAIL_FILTER(`clmilter',`S=inet:7357@clamav, T=S:320s;R:320s;E:1h'
>
> Note that "dnl" marks the start of comment, so this particular
> installation currently uses only one milter, which is used if
> the connecting host is not rejected by a DNS RBL or (earlier)
> some regex tests (now moved into milter-greylist).
>
> Also the SMTP banner delay (greet pause) is used to reject
> submitters who can't keep up a proper dialogue. There is also
> connection throttling somewhere there in the accessdb ;)
> And whenever possible, your relay should "know" (via local users,
> LDAP, a forward verification milter, etc.) what user names are
> defined for your domains, so messages for random usernames can
> be discarded with a proper dialog error (instead of a later
> bounce message) during the submission from the spammer or an
> erring user.
>
> After the "cheap" tests you can do heavier ones like clamav
> (antivirus) or spamassassin (content checks) - by this time
> the incoming stream of messages that have passed the initial
> filters should be at least 5-10 times less than the number of
> SMTP connections you've received (in our random summaries we
> saw about 4% to 10% of connections making it into accepted
> messages, with no complaints from users about lost valid mail,
> and still part of that received traffic is spam). So it is
> rather important to do "expensive" tests late in the chain
> so as to not waste too much of your CPUs on all that easily
> caught spam.
Thanks for the reply, I appreciate it!
I should have been more specific, though...
Per the milter-greylist docs, I have added these four lines in
sendmail.mc, and it works great:
INPUT_MAIL_FILTER(`greylist',`S=local:/var/run/milter-greylist/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl
Now, according to the spamass-milter docs, I need to add these two lines
to sendmail.mc:
INPUT_MAIL_FILTER(`spamassassin',
`S=unix:/var/run/spamass-milter/spamass-milter.sock, F=,
T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_ENVRCPT',confMILTER_MACROS_ENVRCPT`, b, r, v,
Z')dnl
but if I do, I will define confMILTER_MACROS_ENVRCPT twice, and as I
understand it, that's a no-no.
I remember years ago that I was able to do a single
confMILTER_MACROS_ENVRCPT section that had the rules for milter-greylist
and spamass-milter, but I can't find those notes.
Anyone know how to integrate both milters into sendmail?
TCRe: [milter-greylist] Multiple milter help
2014-03-06 by Jonathan Siegle
On 2014-03-05 at 19:15, Thomas Cameron wrote: > � > > but if I do, I will define confMILTER_MACROS_ENVRCPT twice, and as I > understand it, that's a no-no. > > I remember years ago that I was able to do a single > confMILTER_MACROS_ENVRCPT section that had the rules for milter-greylist > and spamass-milter, but I can't find those notes. > > Anyone know how to integrate both milters into sendmail? Found this on the SA list which matches my experience: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200905.mbox/%3Calpine.OSX.2.00.0904302348010.276@12.77-137.216.rev.icaen.uiowa.edu%3E So essentially, you take the union of the variables. -- Jonathan
Re: [milter-greylist] Multiple milter help
2014-03-06 by Les Mikesell
On Wed, Mar 5, 2014 at 6:20 PM, Thomas Cameron
<thomas.cameron@...> wrote:
>
>
>
> All -
>
> I'm using spamass-milter and milter-greylist on RHEL 6 with
> sendmail-8.14.4-8.el6.x86_64.
>
> I am hoping someone has an example of what my sendmail.mc should look
> like to run both milters.
It has been a while since I ran a busy mailer, but when I did, I used
mimedefang to run spamassassin and virus scans because it is very
flexible and efficient. It doesn't include greylisting - you could
roll your own in perl in the mimedefang filter, but it was easier to
run both milters with entries like this:
INPUT_MAIL_FILTER(`greylist',
`S=local:/var/milter-greylist/milter-greylist.sock, F=T, T=S:3m;R:3m')
INPUT_MAIL_FILTER(`mimedefang',
`S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T,
T=S:60s;R:60s;E:5m')
--
Les Mikesell
lesmikesell@...Re: [milter-greylist] Multiple milter help
2014-03-06 by Oliver Fromme
Thomas Cameron wrote:
> Now, according to the spamass-milter docs, I need to add these two lines
> to sendmail.mc:
>
> INPUT_MAIL_FILTER(`spamassassin',
> `S=unix:/var/run/spamass-milter/spamass-milter.sock, F=,
> T=C:15m;S:4m;R:4m;E:10m')dnl
> define(`confMILTER_MACROS_ENVRCPT',confMILTER_MACROS_ENVRCPT`, b, r, v,
> Z')dnl
>
> but if I do, I will define confMILTER_MACROS_ENVRCPT twice, and as I
> understand it, that's a no-no.
If I read that last "define" correctly, it does not overwrite
the first definition, but it adds to it, because it references
the previous value of confMILTER_MACROS_ENVRCPT.
So it should work fine.
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Handelsregister: Amtsgericht Muenchen, HRA 74606, Gesch\ufffdftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsreg.: Amtsgericht M\ufffdnchen,
HRB 125758, Gesch\ufffdftsf\ufffdhrer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen/-Produkte + mehr: http://www.secnetix.de/bsd
"It combines all the worst aspects of C and Lisp: a billion different
sublanguages in one monolithic executable. It combines the power of C
with the readability of PostScript."
-- Jamie Zawinski, when asked: "What's wrong with perl?"Re: [milter-greylist] Multiple milter help
2014-03-07 by Thomas Cameron
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/06/2014 07:57 AM, Jonathan Siegle wrote: > > > On 2014-03-05 at 19:15, Thomas Cameron wrote: > >> >> >> but if I do, I will define confMILTER_MACROS_ENVRCPT twice, and >> as I understand it, that's a no-no. >> >> I remember years ago that I was able to do a single >> confMILTER_MACROS_ENVRCPT section that had the rules for >> milter-greylist and spamass-milter, but I can't find those >> notes. >> >> Anyone know how to integrate both milters into sendmail? > > Found this on the SA list which matches my experience: > http://mail-archives.apache.org/mod_mbox/spamassassin-users/200905.mbox/%3Calpine.OSX.2.00.0904302348010.276@12.77-137.216.rev.icaen.uiowa.edu%3E > > So essentially, you take the union of the variables. Perfect! Thanks! TC -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlMZUUoACgkQmzle50YHwaC7uwCgsMlKLLQ+cJF2IfK27VHwtGql RkEAniR7i3/nugxluNQbbD8vOj0ZdhRQ =Bgxm -----END PGP SIGNATURE-----
Re: [milter-greylist] Multiple milter help
2014-03-07 by Thomas Cameron
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/06/2014 10:16 AM, Les Mikesell wrote: > > > On Wed, Mar 5, 2014 at 6:20 PM, Thomas Cameron > <thomas.cameron@...> wrote: >> >> >> >> All - >> >> I'm using spamass-milter and milter-greylist on RHEL 6 with >> sendmail-8.14.4-8.el6.x86_64. >> >> I am hoping someone has an example of what my sendmail.mc should >> look like to run both milters. > > It has been a while since I ran a busy mailer, but when I did, I > used mimedefang to run spamassassin and virus scans because it is > very flexible and efficient. It doesn't include greylisting - you > could roll your own in perl in the mimedefang filter, but it was > easier to run both milters with entries like this: > > INPUT_MAIL_FILTER(`greylist', > `S=local:/var/milter-greylist/milter-greylist.sock, F=T, > T=S:3m;R:3m') INPUT_MAIL_FILTER(`mimedefang', > `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, > T=S:60s;R:60s;E:5m') Thanks, Les, I appreciate it! TC -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlMZUYYACgkQmzle50YHwaCLTQCfXteNO04orn8rdhQtaC9vKU7M djQAoKEsVZNXog9hzRmvbJc+8nst5191 =6tVR -----END PGP SIGNATURE-----