Posted to users@spamassassin.apache.org by Ed Flecko <ed...@gmail.com> on 2012/11/29 00:32:31 UTC

"Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

I'm looking to set up a spam filtering server to replace our ISP's
spam filtering service.

I've seen this tutorial (
ftp://orn.mpg.de/pub/unix/mail/Fairly-Secure_Anti-SPAM_Gateway_Using_SpamAssassin.html#antivirus
) and I'd be very interested in YOUR opinion; do you think,
fundamentally, a server with these software packages could be an
effective combination at fighting spam? We're a (I guess) medium size
organization with appx. 1000 end users.

What about weaving clam-av into the mix?

Although this tutorial uses OpenBSD, I'll probably be using FreeBSD.

Thank you for your input!

:-)

Ed

Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Robert Schetterer <rs...@sys4.de>.
On 29.11.2012 17:04, Ed Flecko wrote:
> Gentlemen,
> Thank you for your feedback!
> 
> I'll be sure to check into Postgrey.
> 
> Are there any special considerations to installing/configuring it or
> is it simply a matter of installing, reading the docs and configuring?
> 
> Ed
> 

Yes: don't greylist everything, use it selectively,
also for other checks like RBL, SPF, etc.

i.e.

http://www.arschkrebs.de/postfix/postfix_greylisting.shtml

I don't use amavis on gateways; I use spamass-milter with sanesecurity
antispam sigs and clamav-milter, but that's mostly a matter of taste.
amavis has tons more features, but therefore it's more complex.
Anyway, in milter mode you are able to reject at the SMTP incoming stage.


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich

Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Dave Warren <li...@hireahit.com>.
On 11/29/2012 12:01, Ned Slider wrote:
> Indeed. But do also play around with the delays in postgrey (--delay). 
> A minimal delay of 60 seconds is enough to force a retry and is 
> adequate - legit hosts will retry, non-legit hosts won't so a longer 
> delay is generally unnecessary. 

This is only one of the benefits of greylisting; it's one that spammers 
can trivially bypass by implementing a retry mechanism of their own.

The other benefit of greylisting is that you can defer (or re-check) 
DNSBLs before making the final decision to accept or decline, so a fresh 
zombie or new spam sender doesn't get a free bite at the inbox. Instead, 
fast-acting DNSBLs have a chance to get the new sender listed before a 
greylist retry period expires.

Here we do a combination of the two approaches, immediately whitelisting 
any address to which the user has sent mail in the past, as well as a 
fairly large list of known senders. After that, we only look at 
greylisting if the session or message is otherwise a bit suspicious, be 
it missing or mismatching rDNS, SPF softfail or worse, DK/DKIM failures, 
BAYES 70+ or SpamAssassin 4+, etc.

If it trips one of these normally-too-sensitive-to-use-for-blocking 
rules, it gets passed over to the greylisting subsystem and then can try 
again after a few minutes before getting through.

This has proved to work very well since it allows a majority of 
legitimate mail through without greylisting even on the first attempt, 
but still nets us most of the benefits of greylisting in the end.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
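
The selective approach described in the message above, sketched as an added example (not code from the poster or from any of the packages named in this thread). The session dictionary, the `dnsbl_listed` hook and the 300-second delay are assumptions; the post only says "a few minutes".

```python
import time

class SelectiveGreylist:
    """Whitelist first, greylist only suspicious sessions, re-check DNSBL on retry."""

    def __init__(self, known_senders, dnsbl_listed, delay=300, clock=time.time):
        self.known = {s.lower() for s in known_senders}
        self.sent_to = set()      # (local user, remote address) seen in outbound mail
        self.first_seen = {}      # (client_ip, sender, rcpt) -> time of first attempt
        self.dnsbl_listed = dnsbl_listed   # callable(ip) -> bool, assumed lookup hook
        self.delay = delay        # seconds; assumed value
        self.clock = clock

    def record_outbound(self, local_user, remote_addr):
        self.sent_to.add((local_user.lower(), remote_addr.lower()))

    @staticmethod
    def suspicion(s):
        """Signals too sensitive to block on, used here only to trigger greylisting."""
        hits = []
        if not s.get("rdns_ok", True):
            hits.append("rdns")
        if s.get("spf") in ("softfail", "fail"):
            hits.append("spf")
        if s.get("dkim") == "fail":
            hits.append("dkim")
        if s.get("bayes", 0.0) >= 0.70:
            hits.append("bayes")
        if s.get("sa_score", 0.0) >= 4.0:
            hits.append("sa_score")
        return hits

    def decide(self, s):
        sender, rcpt = s["sender"].lower(), s["rcpt"].lower()
        if (rcpt, sender) in self.sent_to or sender in self.known:
            return ("accept", "whitelisted")
        hits = self.suspicion(s)
        if not hits:
            return ("accept", "clean")          # no greylisting on first attempt
        now = self.clock()
        first = self.first_seen.setdefault((s["client_ip"], sender, rcpt), now)
        if now - first < self.delay:
            return ("defer", ",".join(hits))    # temporary 4xx, sender must retry
        if self.dnsbl_listed(s["client_ip"]):   # DNSBLs had time to catch up
            return ("reject", "dnsbl")
        return ("accept", "retried")
```

The Bayes and SpamAssassin signals only exist after the message body has been received, so a policy like this has to run at end-of-data (for example from a milter) rather than at RCPT time.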


Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Ned Slider <ne...@unixmail.co.uk>.
I'll expand a little on John's comments below

On 29/11/12 18:44, John Hardin wrote:
> On Thu, 29 Nov 2012, Ed Flecko wrote:
>
>> I'll be sure to check into Postgrey.
>>
>> Are there any special considerations to installing/configuring it or
>> is it simply a matter of installing, reading the docs and configuring?
>
> The biggest consideration is not technical, it's managing the
> expectations of your users.
>
> You will need to educate your users that email is *not* instant messaging.
>

Indeed. But do also play around with the delays in postgrey (--delay). A 
minimal delay of 60 seconds is enough to force a retry and is adequate - 
legit hosts will retry, non-legit hosts won't so a longer delay is 
generally unnecessary.

> You will probably want to put a little effort into maintaining lists of
> regular correspondents who can bypass greylisting. There may be tools to
> automate that, e.g. to whitelist someone a local user has sent mail to.
>

Postgrey has an auto-whitelisting mechanism that can be fine tuned by 
reducing the number of times a client must successfully retry 
(--auto-whitelist-clients) before auto-whitelisting and adjusting the 
age of the cache (--max-age) so whitelisted clients are cached for longer.

Generally after a couple weeks of normal mail flow, all regular hosts 
should be cached so only new contacts will get greylisted. Also don't be 
afraid to whitelist big clients that you receive correspondence from - 
you know they are legit and will resend so it's pointless greylisting them.

Postgrey is very configurable and all the options above are documented 
in the manpage.

> Some users are extremely allergic to any delays in their email; you may
> have to maintain a list of exception destination addresses to keep them
> happy, or for addresses where no delay is acceptable, e.g. <su...@...>
> or <sa...@...>
>


Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Ed Flecko <ed...@gmail.com>.
Good thoughts...thank you John.

Ed

Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Matt <ma...@gmail.com>.
>> You will probably want to put a little effort into maintaining lists
>> of regular correspondents who can bypass greylisting. There may be
>> tools to automate that, e.g. to whitelist someone a local user has
>> sent mail to.
>
> Has anyone looked into the use of a DNS-based white listing service?
>
> For example: http://www.dnswl.org/
>
> It might be interesting to make a pass over a grey list database
> and see if the sites white listed there appear in the registry.
> And that sites that were black listed or simply did not retry
> are _not_ listed in the white list.

Been using it at least couple years to bypass greylisting.  Seems to
give no negative impact.  Be sure to add the IP of your servers there.

Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2012-12-03 at 07:27 -0800, Gary Funck wrote:
> On 11/29/12 10:44:54, John Hardin wrote:
> > You will probably want to put a little effort into maintaining lists
> > of regular correspondents who can bypass greylisting. There may be
> > tools to automate that, e.g. to whitelist someone a local user has
> > sent mail to.
> 
> Has anyone looked into the use of a DNS-based white listing service?
> 
Everybody's mail stream is different (I don't see any of the spam types
discussed over the last week or two) so my guess is that any public
whitelister would not be specific enough for any particular site. It's
quite likely that stuff you and your users don't want would be
whitelisted by it and OTOH you probably have a few mail sources that you
want to see but aren't being whitelisted. For instance, I doubt that a
US-based whitelister would whitelist customer information sent out by,
say, Australian energy companies or British telcos.


Martin



Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Gary Funck <ga...@intrepid.com>.
On 11/29/12 10:44:54, John Hardin wrote:
> You will probably want to put a little effort into maintaining lists
> of regular correspondents who can bypass greylisting. There may be
> tools to automate that, e.g. to whitelist someone a local user has
> sent mail to.

Has anyone looked into the use of a DNS-based white listing service?

For example: http://www.dnswl.org/

It might be interesting to make a pass over a grey list database
and see if the sites white listed there appear in the registry.
And that sites that were black listed or simply did not retry
are _not_ listed in the white list.
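
The pass over a greylist database suggested above could look like the following added example (not code from the poster, Postgrey or dnswl.org). It assumes the greylist data has already been exported as `(client IP, outcome)` rows, which is a constructed format, and that listings are queried as reversed IPv4 octets under `list.dnswl.org` with answers of the form `127.0.x.y`, where `y` is the trust level.

```python
import ipaddress
import socket

DNSWL_ZONE = "list.dnswl.org"   # public query zone of dnswl.org

def dnswl_lookup(ip, resolve=socket.gethostbyname):
    """Return the DNSWL trust level for an IPv4 address, or None if unlisted."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises on malformed input
    qname = ".".join(reversed(octets)) + "." + DNSWL_ZONE
    try:
        answer = resolve(qname)
    except OSError:              # NXDOMAIN surfaces as socket.gaierror
        return None
    parts = answer.split(".")
    if len(parts) != 4 or parts[:2] != ["127", "0"]:
        return None              # not a listing answer
    return int(parts[3])

def audit(greylist_rows, resolve=socket.gethostbyname):
    """Cross-tabulate greylist outcome against DNSWL listing status.

    greylist_rows: iterable of (client_ip, outcome), outcome being
    "passed" (client retried and was accepted) or "no_retry".
    Returns {(outcome, listed): [ips]}.
    """
    table = {}
    for ip, outcome in greylist_rows:
        listed = dnswl_lookup(ip, resolve) is not None
        table.setdefault((outcome, listed), []).append(ip)
    return table

def summarize(table):
    """Cells of interest: listed hosts that never retried, unlisted hosts that passed."""
    return {
        "listed_but_no_retry": table.get(("no_retry", True), []),
        "passed_but_unlisted": table.get(("passed", False), []),
    }
```

An empty `listed_but_no_retry` cell supports using the whitelist to bypass greylisting; `passed_but_unlisted` shows how much legitimate mail would still depend on the local auto-whitelist.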

Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by John Hardin <jh...@impsec.org>.
On Thu, 29 Nov 2012, Ed Flecko wrote:

> I'll be sure to check into Postgrey.
>
> Are there any special considerations to installing/configuring it or
> is it simply a matter of installing, reading the docs and configuring?

The biggest consideration is not technical, it's managing the expectations 
of your users.

You will need to educate your users that email is *not* instant messaging.

You will probably want to put a little effort into maintaining lists of 
regular correspondents who can bypass greylisting. There may be tools to 
automate that, e.g. to whitelist someone a local user has sent mail to.

Some users are extremely allergic to any delays in their email; you may 
have to maintain a list of exception destination addresses to keep them 
happy, or for addresses where no delay is acceptable, e.g. <su...@...> 
or <sa...@...>

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
   does quite what I want. I wish Christopher Robin was here."
                                            -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
  26 days until Christmas

Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Ed Flecko <ed...@gmail.com>.
Gentlemen,
Thank you for your feedback!

I'll be sure to check into Postgrey.

Are there any special considerations to installing/configuring it or
is it simply a matter of installing, reading the docs and configuring?

Ed

Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Olivier Nicole <Ol...@cs.ait.ac.th>.
Ed,

> I'm looking to set up a spam filtering server to replace our ISP's
> spam filtering service.
>
> I've seen this tutorial (
> ftp://orn.mpg.de/pub/unix/mail/Fairly-Secure_Anti-SPAM_Gateway_Using_SpamAssassin.html#antivirus
> ) and I'd be very interested in YOUR opinion; do you think,
> fundamentally, a server with these software packages could be an
> effective combination at fighting spam? We're a (I guess) medium size
> organization with appx. 1000 end users.
>
> What about weaving clam-av into the mix?
>
> Although this tutorial uses OpenBSD, I'll probably be using FreeBSD.
>
> Thank you for your input!

I use the same setting on FreeBSD with good enough results. Most of
the products are from the ports.

I have added to the scheme:

- postgrey: grey listing is a very effective way to drop spam, at the
  cost of a 15 to 60 minutes delay in incoming email;

- ClamAV and Kaspersky for viruses (even though there are not that
  many lately); they fit well in amavis as amavis was preliminarily
  designed to catch viruses...

- procmail to handle the mail delivery and quarantine and daily
  summary of spam.

I have 250 users.

Good luck,

Olivier


Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 28/11/12 23:32, Ed Flecko wrote:
> I'm looking to set up a spam filtering server to replace our ISP's
> spam filtering service.
>
> I've seen this tutorial (
> ftp://orn.mpg.de/pub/unix/mail/Fairly-Secure_Anti-SPAM_Gateway_Using_SpamAssassin.html#antivirus
> ) and I'd be very interested in YOUR opinion; do you think,
> fundamentally, a server with these software packages could be an
> effective combination at fighting spam? We're a (I guess) medium size
> organization with appx. 1000 end users.
>
> What about weaving clam-av into the mix?
>
> Although this tutorial uses OpenBSD, I'll probably be using FreeBSD.
>
> Thank you for your input!
>
> :-)
>
> Ed
>

I use Postfix with Amavisd-new which allows SpamAssassin and Clam-AV to 
be easily integrated. I also use Postgrey for greylisting. I find this 
setup very flexible and efficient.

Clam-AV doesn't catch a huge amount on my mail flow - email borne 
trojans/viruses don't seem to be overly popular these days. You can get 
3rd party signatures for things like phishing although I've never tried 
these as I've trained SA to do a good job on catching phishing emails.

I'm running on Linux (RHEL5) but I guess the base OS is largely 
irrelevant so I'd use what you are comfortable with.

I guess there are many ways to skin this particular cat but the above 
setup works very well for me. In other words, I suspect you will get a 
number of different answers all providing effective solutions based 
around the use of SpamAssassin and/or Clam-AV. The difference mostly 
seems to be how you choose to integrate them into your mail server.