Creating an Outgoing Mail Relay with Postfix and SpamAssassin

We have been fighting a lot of spam recently on our web hosting service. We decided the best approach was to set up a mail gateway on a separate server and run spam scans on all outgoing mail with SpamAssassin to discard junk. This helps prevent our servers from appearing on blacklists and helps keep customers happy. This tutorial walks through the process we used to set up our mail gateway. We are running CentOS 6.6 x64 with Postfix and SpamAssassin. We assume your server has been updated, SELinux is off, and iptables is either off or has the appropriate rules set up.

Install SpamAssassin and Configure Postfix

Begin by installing SpamAssassin. By default, even in the minimal install, Postfix is already installed and ready to go.

yum install spamassassin

We will want to enable the AutoWhitelist plugin in SpamAssassin. The AutoWhitelist plugin tracks the sending history of each address and helps prevent false positives. For example, it may adjust scores for those users who send a lot of “good” email.

vim /etc/mail/spamassassin/v310.pre

Find and uncomment:
loadplugin Mail::SpamAssassin::Plugin::AWL

Next, we need to make some configuration changes to Postfix. The configuration file is /etc/postfix/main.cf.

1) Set your server’s hostname. Find and uncomment the settings below. Make sure to use your fully-qualified domain name and that you have a reverse DNS entry set up for your IP address to match.
mydomain = mail.yourdomain.com
myorigin = mail.yourdomain.com

2) Ensure these settings are uncommented and set to “all”.
inet_interfaces = all
inet_protocols = all

3) Since we are operating a relay, not an actual mail server with mailboxes, we don’t want any mail stopping here. Find the parameters below, make sure they are uncommented, and leave their values blank.
mydestination =
local_recipient_maps  =

4) Again, because this is just a relay, add this to the end of the configuration file as a new line:
local_transport = error:local mail delivery is disabled

5) To avoid spam, we need to secure the service. Right now, it will accept mail from anyone and relay it (an open relay). We have iptables set up to only allow specific IPs. In addition, we recommend setting IP restrictions in the Postfix configuration as well. Find and uncomment one of the “mynetworks” lines. You can set a comma-separated list, or use CIDR notation, such as 127.0.0.1/24. We always recommend adding localhost in addition to your list of IPs.
mynetworks = localhost, 192.168.0.16

6) Then, to enforce the restrictions, add this line to the very bottom of the file as a new line:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

7) Later on, we’ll be mapping some standard mailbox names to real email addresses. To prepare for this, add this line to the end of the file:
virtual_alias_maps = hash:/etc/postfix/virtual

8) Find and uncomment the header_checks line. This will be used to discard spam.
header_checks = regexp:/etc/postfix/header_checks

9) Add to the end of the file:
parent_domain_matches_subdomains
transport_maps = hash:/etc/postfix/transport
show_user_unknown_table_name = no

Next, we need to make a small change to /etc/postfix/master.cf to disable local delivery. Find and comment out the line below.
#local     unix  -       n       n       -       -       local

In /etc/postfix/virtual, we want to define our real email addresses. We recommend setting up at least these three.
postmaster admin@yourdomain.com
abuse admin@yourdomain.com
root admin@yourdomain.com

You’re ready to start your Postfix server!

service postfix start
chkconfig postfix on
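Before starting the service it is worth checking that none of the relay-only settings above went missing, since a default mydestination or a wide-open mynetworks turns the gateway into an open relay or a local mail drop. The script below is an added example, not part of the original tutorial: it parses a plain "key = value" main.cf (continuation lines are not handled, so split values must be on one line) and checks the four settings that matter most. The two sample configuration files are constructed here for the demonstration, and the function names are our own.

```shell
#!/bin/sh
# Added example: sanity-check a Postfix main.cf for relay-only settings.
# Assumes simple "key = value" lines (no continuation lines) and does not
# need Postfix installed, so it can run before the server is first started.

# Print the effective value of a main.cf parameter. Like Postfix, the last
# uncommented assignment wins; prints an empty line if the key is absent.
get_param() {
    # $1 = path to main.cf, $2 = parameter name
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/ {
            split($0, kv, "=")
            k = kv[1]; gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# Check the relay-only invariants. Prints one OK/FAIL line per check and
# returns 1 if any check fails.
check_relay_config() {
    cf="$1"; rc=0

    md=$(get_param "$cf" mydestination)
    if [ -z "$md" ]; then echo "OK   mydestination is empty (no local domains)"
    else echo "FAIL mydestination='$md' would make this host accept local mail"; rc=1; fi

    lt=$(get_param "$cf" local_transport)
    case "$lt" in
        error:*) echo "OK   local_transport rejects local delivery" ;;
        *)       echo "FAIL local_transport='$lt' (expected error:...)"; rc=1 ;;
    esac

    mn=$(get_param "$cf" mynetworks)
    case "$mn" in
        ""|*0.0.0.0/0*) echo "FAIL mynetworks='$mn' trusts everyone (open relay)"; rc=1 ;;
        *)              echo "OK   mynetworks restricted to: $mn" ;;
    esac

    rr=$(get_param "$cf" smtpd_recipient_restrictions)
    case "$rr" in
        *reject_unauth_destination*) echo "OK   smtpd_recipient_restrictions rejects unauthorised relaying" ;;
        *) echo "FAIL smtpd_recipient_restrictions='$rr' lacks reject_unauth_destination"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configurations (not real server files).
TMPD=$(mktemp -d)
cat > "$TMPD/relay.cf" <<'EOF'
mydomain = mail.yourdomain.com
myorigin = mail.yourdomain.com
inet_interfaces = all
mydestination =
local_recipient_maps  =
local_transport = error:local mail delivery is disabled
mynetworks = 127.0.0.0/8, 192.168.0.16
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF
cat > "$TMPD/open.cf" <<'EOF'
# mydestination left at its default and mynetworks trusting the whole Internet
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks
EOF

echo "== relay.cf"; check_relay_config "$TMPD/relay.cf"
echo "== open.cf";  check_relay_config "$TMPD/open.cf" || echo "open.cf is not safe to run as a relay"
```

On a real server, point check_relay_config at /etc/postfix/main.cf; running it again after every edit catches the common mistake of uncommenting a line but leaving the default value behind.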


Configure SpamAssassin

Next, we need to tell Postfix to scan emails with SpamAssassin. We will create a new user and group for the SpamAssassin service to run under.

groupadd spamd
useradd -g spamd -s /bin/false -d /usr/local/spamassassin spamd
chown spamd: /usr/local/spamassassin

Next, we need to tell SpamAssassin to run as the newly-created spamd user. Edit /etc/sysconfig/spamassassin and replace its contents with the following.

SAHOME="/usr/local/spamassassin"
SPID_DIR="/var/run/spamassassin"
SUSER="spamd"
SPAMDOPTIONS="-d -c -m5 --username ${SUSER} -H ${SAHOME} -s ${SAHOME}/spamfilter.log"

Ready to start SpamAssassin!

service spamassassin start
chkconfig spamassassin on

Great! Now we have Postfix and SpamAssassin running, but they still need to be connected to each other. To do this, edit the /etc/postfix/master.cf file. Add the following lines to the existing list of services (the smtp line extends the existing smtp entry with the content_filter option).

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

When we receive a spam message, we want to discard it. Edit /etc/postfix/header_checks and add this to the bottom. This tells Postfix to discard any message where SpamAssassin has flagged the message as spam.

/^X-Spam-Flag:.YES/ DISCARD This is spam

Restart Postfix so the changes take effect.

service postfix restart
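Discarding flagged mail silently is only half the job: on a hosting relay, a burst of discards from one envelope sender usually means a compromised site or account behind it. The script below is an added example, not part of the original tutorial. It summarises DISCARD events from the Postfix log by envelope sender so the offending account stands out. The log lines are constructed to follow the shape of Postfix's cleanup "discard: header ..." messages (the exact wording varies between versions, so adjust the grep pattern to match your own /var/log/maillog), and the function names are our own.

```shell
#!/bin/sh
# Added example: find which senders are producing the mail that the
# header_checks rule above discards. Works on a copy of /var/log/maillog.

# Print "<count> <sender>" lines for header_checks discards, most frequent first.
discard_report() {
    # $1 = path to a Postfix maillog
    grep 'postfix/cleanup' "$1" | grep ' discard: header X-Spam-Flag' |
        sed -n 's/.* from=<\([^>]*\)>.*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print the envelope sender with the most discarded messages (empty if none).
top_discarded_sender() {
    discard_report "$1" | head -n 1 | awk '{ print $2 }'
}

# Print every sender whose discard count reaches the threshold in $2.
senders_over() {
    discard_report "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed sample log (not a real capture); the message IDs, hosts and
# addresses are made up for the demonstration.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:02 relay postfix/smtpd[2301]: connect from web01.example[192.168.0.16]
Mar  3 10:15:02 relay postfix/cleanup[2345]: 1A2B3C4D5E: discard: header X-Spam-Flag: YES from local; from=<shop@customer1.example> to=<a@example.net> proto=ESMTP helo=<web01.example>: This is spam
Mar  3 10:15:03 relay postfix/cleanup[2345]: 2B3C4D5E6F: discard: header X-Spam-Flag: YES from local; from=<shop@customer1.example> to=<b@example.org> proto=ESMTP helo=<web01.example>: This is spam
Mar  3 10:15:04 relay postfix/cleanup[2346]: 3C4D5E6F70: message-id=<clean-message@customer2.example>
Mar  3 10:15:05 relay postfix/cleanup[2345]: 4D5E6F7081: discard: header X-Spam-Flag: YES from local; from=<news@customer2.example> to=<c@example.com> proto=ESMTP helo=<web01.example>: This is spam
Mar  3 10:15:06 relay postfix/cleanup[2345]: 5E6F708192: discard: header X-Spam-Flag: YES from local; from=<shop@customer1.example> to=<d@example.net> proto=ESMTP helo=<web01.example>: This is spam
EOF

echo "Discards by sender:"
discard_report "$SAMPLE_LOG"
echo "Senders with 2 or more discards:"
senders_over "$SAMPLE_LOG" 2
```

Because the message reaches header_checks after spamc has re-injected it through sendmail, the client address in these log lines is the relay itself rather than the web server that originally submitted the mail, which is why the report keys on the envelope sender instead of the client.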


Installing STARTTLS SSL Support

Nobody wants plain-text, unencrypted email these days. To begin the SSL setup, we’ll need to create a new directory to store our certificates and generate a new certificate signing request. Make sure your key is at least 2048 bits. Anything 1024 bits and below is considered unsafe in 2015. As you’re entering the information at the key generation prompts, make sure your Common Name matches your host name exactly.

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl
openssl req -nodes -newkey rsa:2048 -keyout mail.mydomain.com.key -out mail.mydomain.com.csr

Once your certificate is signed, upload the new files to /etc/postfix/ssl, then edit /etc/postfix/main.cf and add the following lines to the bottom.

# SSL Configuration
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/mail.yourdomain.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/mail.yourdomain.com.crt
smtpd_tls_CAfile = /etc/postfix/ssl/mail.yourdomain.com-ca.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Restart Postfix (again):

service postfix restart


Install Razor2 with SpamAssassin

Razor is a plugin for SpamAssassin that checks messages against a collaborative spam database and catches a large portion of emails that might otherwise be missed. We always recommend installing it with every SpamAssassin installation.

To install Razor, you need the EPEL repository. For CentOS 6 x64, use the commands below.

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm

Install the software:

yum install pyzor perl-Razor-Agent

Restart SpamAssassin again:

service spamassassin restart

You can test the Razor plugin by feeding it the sample spam message shipped with SpamAssassin:

spamassassin -t -D razor2 < /usr/share/doc/spamassassin-3.3.1/sample-spam.txt


Installing SOUGHT Ruleset

For additional protection, we also recommend installing the SOUGHT ruleset. For more information on this ruleset, please visit its official page. Installation is simple: we only need to import its GPG key and then run sa-update to fetch the rules.

wget http://yerp.org/rules/GPG.KEY
sa-update --import GPG.KEY
sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org --channel updates.spamassassin.org
