The purpose of this two-part article is to stop spam sent from compromised machines, typically PHP scripts that open a socket straight to port 25, and to keep our mail servers off blacklists. Every tool used is an actively maintained open source project.
Briefly, the structure works as follows: we use a relay server so that the mail of several machines can be controlled and logged in one place. The main components are Postfix as the MTA, SpamAssassin, which scores the content of every message, and Policyd (Cluebringer), which does most of the work.
Policyd is a policy daemon that Postfix consults over its policy delegation protocol. It is lightweight because it sees only the SMTP envelope (client address, HELO name, sender, recipient, SASL login), never the message body: it checks whether the sender is one of our customers and lets the mail through only if that user is defined in the system. With this structure we block about 60% more outbound spam, because mail from senders not defined in the system is rejected, while mail from registered users is delivered without problems.
Note: Ubuntu 15.04 was used in this installation.
1 Postfix, Spamassassin, Policyd Installation and Configuration
1.1 Redirecting the Exim (cPanel) Server
nano /etc/exim.conf
Find the smart_route router if it already exists, otherwise add it to the routers section (before the dnslookup router):
smart_route:
  driver = manualroute
  domains = !+local_domains
  transport = remote_smtp
  route_data = <RELAY SERVER IP>
This routes every message addressed to a non-local domain, that is all outbound mail from the Exim MTA, to the relay server instead of delivering it directly. Note that cPanel regenerates /etc/exim.conf from its own templates, so a router added by hand can be lost on the next rebuild; adding the same router through WHM's Exim Configuration Manager (Advanced Editor) keeps it persistent.
1.1.1 Testing the Redirect
On the cPanel server, send a test mail to any external address:
echo "This is the body of the email" | mail -s "This is the subject line" user@example.com
On the relay server, watch for the connection coming from the cPanel machine:
tcpdump -n host <CPanel IP> and port 25
If tcpdump shows packets from the cPanel IP to port 25, the redirect is working and we can move on to the relay server, where the main work is done.
1.2 Postfix Installation
1.2.1 Prerequisites for Postfix Installation
- Root privileges for the installation
- The mailutils package, which provides the mail command used below to test Postfix:
apt-get install mailutils
Installing Postfix
apt-get install postfix
Configuring Postfix - Editing main.cf
nano /etc/postfix/main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = SERVERNAME
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 <CPanel IP>
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks must contain only the cPanel server(s) that are allowed to send through this relay: every address listed here is permitted to relay by smtpd_relay_restrictions, so a wider range (or a mistaken netmask) turns the machine into an open relay. Check the result and restart:
postfix check
service postfix restart
Testing the system
echo "This is the body of the email" | mail -s "This is the subject line" user@example.com
1.3 Spamassassin Installation
apt-get install spamassassin spamc
Create an unprivileged user for the spamd daemon and a directory for its log:
groupadd spamd
useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd
mkdir /var/log/spamassassin
chown spamd:spamd /var/log/spamassassin
1.3.1 Activating Spamassassin
nano /etc/default/spamassassin
Change ENABLED=0 to ENABLED=1 so the daemon starts at boot, and CRON=1 so sa-update fetches new rules nightly:
ENABLED=1
CRON=1
SAHOME="/var/log/spamassassin/"
OPTIONS="--create-prefs --max-children 5 --username spamd -H ${SAHOME} -s ${SAHOME}spamd.log"
service spamassassin start
1.3.2 Integrating Spamassassin with Postfix
nano /etc/postfix/master.cf
Find the smtp service line (it may be commented out as #smtp inet n - - - - smtpd) and make it hand every accepted message to the spamassassin filter:
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
Then add the filter itself at the end of the file. It runs spamc as the spamd user and re-injects the scored message through sendmail:
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
service postfix restart
1.3.3 Customizing Spamassassin Configuration
nano /etc/spamassassin/local.cf
rewrite_header Subject [***** SPAM _SCORE_ *****]
required_score 5.0
use_bayes 1
bayes_auto_learn 1
_SCORE_ is expanded to the message's score. Keep in mind that, wired in as a content_filter this way, SpamAssassin only tags: it adds X-Spam headers and rewrites the subject of anything scoring 5.0 or more, but it does not reject the message. The actual blocking in this setup is done by Policyd.
service spamassassin restart
tail -f /var/log/spamassassin/spamd.log
1.4 Policyd Installation
apt-get install postfix-cluebringer
1.4.3 Installing Required Perl Modules
apt-get install mysql-server mysql-client
/usr/bin/perl -MCPAN -e 'install Net::Server'
/usr/bin/perl -MCPAN -e 'install Net::CIDR'
apt-get install libconfig-inifiles-perl
apt-get install libcache-fastmmap-perl
/usr/bin/perl -MCPAN -e 'install Mail::SPF'
(Ubuntu also packages these modules as libnet-server-perl, libnet-cidr-perl and libmail-spf-perl; installing them with apt-get keeps them under package management instead of CPAN.)
1.4.4 Preparing the MySQL Database
mysql --version
The Debian package does not ship a ready-made schema, so download the matching Cluebringer source tarball and generate the MySQL schema from its .tsql templates:
cd
mkdir policyd-cluebringer
cd policyd-cluebringer
wget http://download.policyd.org/v2.0.14/cluebringer-v2.0.14.tar.xz
unxz -c cluebringer-v2.0.14.tar.xz | tar xv
cd clue*
cd database
for i in core.tsql access_control.tsql quotas.tsql amavis.tsql checkhelo.tsql checkspf.tsql greylisting.tsql
do
  ./convert-tsql mysql55 $i
done > policyd.mysql
1.4.5 Activating the Database
mysql -u root -p
mysql> CREATE DATABASE cluebringer;
mysql> CREATE USER 'cluebringer'@'localhost' IDENTIFIED BY 'mypassword';
mysql> GRANT ALL PRIVILEGES ON cluebringer.* TO 'cluebringer'@'localhost';
mysql> exit
Replace mypassword with a strong password of your own; the same value goes into the Cluebringer configuration below. Then load the generated schema:
mysql -u root -p cluebringer < policyd.mysql
1.4.6 Configuring Cluebringer for the Database
nano /etc/cluebringer/cluebringer.conf
DSN=DBI:mysql:dbname=cluebringer;host=localhost
DB_Type=mysql
DB_Host=localhost
DB_Port=3306
DB_Name=cluebringer
Username=cluebringer
Password=mypassword
service postfix-cluebringer start
service postfix-cluebringer status
1.4.7 Integrating Cluebringer with Postfix
nano /etc/postfix/main.cf
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks
check_policy_service is listed before permit_mynetworks on purpose: the cPanel server is in mynetworks, and the whole point is that its mail is still checked against the senders defined in Policyd before it is accepted. Relaying for everyone else remains closed through smtpd_relay_restrictions. Restart Postfix after the change:
service postfix restart
Optionally, an SPF policy service can be defined in master.cf:
nano /etc/postfix/master.cf
policy-spf unix -       n       n       -       -       spawn
  user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
This entry needs the postfix-policyd-spf-perl package and is only consulted if main.cf references it (check_policy_service unix:private/policy-spf); on its own it does nothing.
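To make concrete what the policy service on port 10031 does for each RCPT command, here is a minimal Postfix policy daemon in Python. It is an added example written for this article, not Cluebringer's code: Postfix sends the SMTP envelope as name=value lines ended by a blank line, the daemon answers with an action line and a blank line, and the decision mirrors the check described above (is the client one of our servers, and is the sender a registered customer?). The allow-lists, the RFC 5737 sample addresses, the sample requests and port 10032 are constructed assumptions; Cluebringer keeps the real lists in MySQL.

```python
"""Minimal Postfix policy daemon (added example, not Cluebringer's code).

Postfix sends each policy request as `name=value` lines terminated by a
blank line; the daemon replies `action=...` followed by a blank line.
DUNNO means "no opinion, continue with the next restriction", so a mail
that passes here still goes through the rest of smtpd_recipient_restrictions.
"""
import io
import socketserver
from typing import Dict, Iterable, List, Tuple

# Hypothetical allow-lists; RFC 5737 documentation addresses, so the sample
# runs offline.  Cluebringer stores the equivalent data in its database.
ALLOWED_CLIENTS = {"192.0.2.10"}           # our cPanel server
ALLOWED_SENDERS = {"alice@example.com"}    # customers defined in the system


def parse_request(lines: Iterable[str]) -> Dict[str, str]:
    """Read one policy request: name=value lines up to the blank terminator."""
    attrs: Dict[str, str] = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str]) -> str:
    """Return the Postfix action for one request."""
    # The hook in main.cf is smtpd_recipient_restrictions, so judge at RCPT
    # time only and stay neutral in any other protocol state.
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    if attrs.get("client_address") not in ALLOWED_CLIENTS:
        return "REJECT client not permitted to use this relay"
    # An authenticated submission identifies the customer by SASL login; mail
    # injected locally on the cPanel box (e.g. by a PHP script) carries no
    # SASL login, so fall back to the envelope sender.
    sender = attrs.get("sasl_username") or attrs.get("sender", "")
    if sender.lower() not in ALLOWED_SENDERS:
        return "REJECT sender is not registered on this relay"
    return "DUNNO"


def serve_connection(rfile, wfile) -> List[str]:
    """Answer every request on one connection; returns the actions sent."""
    actions: List[str] = []
    while True:
        attrs = parse_request(rfile)
        if not attrs:            # EOF: Postfix closed the connection
            return actions
        action = decide(attrs)
        wfile.write(f"action={action}\n\n")
        wfile.flush()
        actions.append(action)


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self) -> None:
        serve_connection(
            io.TextIOWrapper(self.rfile, encoding="utf-8"),
            io.TextIOWrapper(self.wfile, encoding="utf-8", write_through=True),
        )


# Constructed sample: three RCPT-stage requests in the form Postfix sends them.
SAMPLE_REQUESTS = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=192.0.2.10\nsasl_username=alice@example.com\n"
    "sender=alice@example.com\nrecipient=bob@example.net\n\n"
    # same client, but a PHP script sending as the web server user
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=192.0.2.10\nsender=www-data@host.example.com\n"
    "recipient=victim@example.org\n\n"
    # a registered sender address, but from a machine that is not ours
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=198.51.100.7\nsender=alice@example.com\n"
    "recipient=bob@example.net\n\n"
)


def demo() -> Tuple[List[str], str]:
    """Run the sample through the handler; returns (actions, wire output)."""
    out = io.StringIO()
    actions = serve_connection(io.StringIO(SAMPLE_REQUESTS), out)
    return actions, out.getvalue()


if __name__ == "__main__":
    print(demo()[1])
    # Hypothetical port 10032 so it does not clash with Cluebringer on 10031;
    # Postfix would use it via: check_policy_service inet:127.0.0.1:10032
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10032), PolicyHandler) as srv:
        srv.serve_forever()
```

Running the script prints the three replies (DUNNO, then two REJECTs) and then listens on 127.0.0.1:10032; pointing check_policy_service at that port instead of 10031 makes Postfix apply these decisions. Only the first message is accepted: the second comes from our server but with an unregistered sender, which is exactly the compromised-script case, and the third uses a registered address from a foreign machine.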
1.4.8 Cluebringer WebUI Configuration
nano /etc/cluebringer/cluebringer-webui.conf
$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_USER="cluebringer";
$DB_PASS="mypassword";
Make the web interface available under the document root and install the PHP MySQL driver (restart Apache afterwards):
cd /var/www/html
ln -s /usr/share/postfix-cluebringer-webui/webui/
apt-get install php5-mysql
The web interface has no login of its own, and anyone who reaches it can change the policies that decide which mail is relayed. Do not expose it on a public interface; protect the directory with web server authentication or restrict it to your own IP addresses.
- The server is now practically operational. Everything beyond this point depends on your own setup and on how you define senders and permissions in Policyd.