Server Move 2

Since last weekend, the Web and mail servers for clasohm.com have been running on the new machine without too many problems. So let's look at the mail setup.

SpamAssassin 2.6 -> 3.0

After upgrading to the latest version of SpamAssassin, I got more spam than before! As I couldn't find any postings from disappointed users on the mailing list, and training the Bayesian filter did not help, I finally ran spamassassin -D <spam. Because SpamAssassin uses all installed tools and packages it can, but silently ignores those it cannot find, analysing the output is a bit tedious, but worth it. Looking for messages about skipped tests, I quickly found out what was missing. While I installed Mail::SpamAssassin, CPAN did not upgrade the DNS package. So SpamAssassin complained about an old DNS package in the debug output, and skipped all blackhole tests and other DNS-related checks. This was easily fixed by running cpan Net::DNS.

To further improve SpamAssassin's performance, install tools like Vipul's Razor or the Distributed Checksum Clearinghouses (DCC).

MailScanner and ClamAV

MailScanner sits on top of MTAs like Sendmail or Postfix, and scans for viruses and dangerous HTML before delivering mails. It supports a long list of virus scanners, including ClamAV. The way it works is pretty cool - you have one sendmail daemon listening for incoming mail and putting mails into the incoming queue, one sendmail daemon processing the outgoing mail queue, and MailScanner shovelling mails from the incoming to the outgoing queue. If a mail contains a virus, it is discarded or put into a quarantine directory. The great thing is that you don't have to modify your MTA configuration at all. The init script of MailScanner takes care of starting the two sendmail daemons in the right way. And the MailScanner configuration is very flexible, so you can have different settings for different domains hosted on the same machine.

Greylisting with DCC

With more than 1,000 spam mails a day, I decided to give greylisting a try. DCC offers both a Milter interface and a greylisting mode. To configure it, modify /var/dcc/dcc_conf like this:

GREY_ENABLE=on
GREY_SRVR_ID=32702
DCCM_ARGS=-G
DCCIFD_ENABLE=on

The last parameter is not for greylisting, but allows SpamAssassin to use the dccifd daemon instead of spawning a new process for every mail. The server ID is copied from the "auto local greylist server-ID" in /var/dcc/ids.

To activate the greylisting check in sendmail, one translates /etc/mail/sendmail.mc with DCC's hackmc script instead of the usual m4 invocation. With RHEL, these lines in /etc/mail/Makefile do the trick:

%.cf: %.mc
        umask 022
        mv -f $@ $@.bak
        /var/dcc/libexec/hackmc -T $< > $@

The "-T" parameter tells hackmc not to greylist mail when SMTP AUTH is used; greylisting authenticated submissions would obviously be a bad idea.

To prevent loss of mail, it is important to extend the default whitelist. Currently, Evan Harris provides a good whitelist. DCC uses a different format, so here is the file I currently use. To activate it, add this line to /var/dcc/whiteclnt:

include white-puremagic

The rest is standard DCC setup - /etc/init.d/dcc and the daily execution of /var/dcc/libexec/cron-dccd.
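
A simplified model of the greylisting decision, added here as an example (it is not DCC's code and not part of the original post), showing why the "-T" exemption for SMTP AUTH and the extended whitelist matter. The triplet key, the 300-second embargo, the function names and all addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

EMBARGO_SECONDS = 300  # assumed delay for this model, not a DCC default

@dataclass
class Greylist:
    """Toy greylist keyed on (client IP, envelope sender, envelope recipient)."""
    whitelist: list = field(default_factory=list)   # networks that bypass greylisting
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt

    def check(self, now, client_ip, mail_from, rcpt_to, authenticated=False):
        """Return the SMTP outcome for one delivery attempt at time `now` (seconds)."""
        # Authenticated submissions come from mail clients that show the user
        # an error instead of queueing and retrying, so they are never delayed.
        if authenticated:
            return "accept (SMTP AUTH)"
        # Known-good senders, e.g. providers that retry from a pool of different
        # addresses and would otherwise start a new embargo on every attempt.
        addr = ip_address(client_ip)
        if any(addr in net for net in self.whitelist):
            return "accept (whitelisted)"
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        started = self.first_seen.setdefault(triplet, now)
        if now - started < EMBARGO_SECONDS:
            return "tempfail (451, retry later)"
        return "accept (retried after embargo)"

def replay(events, whitelist=()):
    """Run constructed delivery attempts through a fresh greylist."""
    gl = Greylist(whitelist=[ip_network(n) for n in whitelist])
    return [gl.check(*e[:4], **e[4]) for e in events]

# Constructed sample traffic (documentation address ranges, example domains).
EVENTS = [
    (0,    "192.0.2.10",   "a@example.org", "me@example.com", {}),  # first contact
    (60,   "192.0.2.10",   "a@example.org", "me@example.com", {}),  # retry too early
    (600,  "192.0.2.10",   "a@example.org", "me@example.com", {}),  # proper retry
    (700,  "198.51.100.1", "n@example.net", "me@example.com", {}),  # pool host 1
    (1300, "198.51.100.2", "n@example.net", "me@example.com", {}),  # pool host 2
    (1400, "203.0.113.5",  "me@example.com", "x@example.org", {"authenticated": True}),
]

if __name__ == "__main__":
    for label, wl in (("no whitelist", ()), ("pool whitelisted", ("198.51.100.0/24",))):
        print(label)
        for event, result in zip(EVENTS, replay(EVENTS, wl)):
            print(f"  t={event[0]:>4} {event[1]:<13} {result}")
```

Without the whitelist entry, the sender that retries from a second pool address is embargoed a second time, which is how legitimate mail ends up delayed or lost.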

22:27, 03 Nov 2004 by Carsten Clasohm
