There are a couple of Linux how-tos floating around on the Internet that deal with this very subject. As a matter of fact, those guides are what inspired me to write this one. In the spirit of keeping it simple, let me recommend the Mandrake, or as it's currently known, Mandriva Linux distro. This guide has been written with this distro in mind.
What you will need:
- Mandriva Linux Limited Edition 2005 (I'm sure this will work on Mandrake 10.1 or even older versions. I just haven't tested it on anything earlier)
- A box with a DVD-ROM for the DVD version of Mandriva LE 2005 or a CD-ROM for the CD version of Mandriva LE 2005. (The system specs do not have to be very high. It's basically going to be a mail server. Depending on the amount of mail you expect, size the machine accordingly. I installed it on an IBM eServer with a single Xeon CPU, hardware RAID1 and 512MB of RAM. I know it's overkill for this application, but the server choice wasn't my call.)
- An MS Exchange 2000/2003 box that you want to protect. You don't know how to set up an Exchange server, you say? Well then, check out my super dooper “Down and Dirty Guide to setting up Exchange 2000/2003” at this address: http://forums.theonpc.com/viewtopic.php?t=15
- A live working Internet connection (preferably broadband).
STEP 1: Install Mandriva LE 2005
Install Mandriva LE 2005 with the following minimum packages:
- Mail server (Postfix)
- SSH server
STEP 2: Remove Installation Media/Update Mandriva Sources:
It's important to remove the installation DVD or CD-ROM as the media of choice for your Linux installation and instead use on-line media any time we want to install or update anything on this installation. The procedures below will help you accomplish this:
a) Create a script file under /root called update.sh or whatever you want. I usually name them by distro. For example, for 2005 LE, I name it “update.2005.sh”. Open up an ssh (putty) window to your server. It's a lot easier doing it through putty than trying to type the sources in a console window manually. In a putty window it's just a matter of copy and paste. In the putty window type the following:
Enter the following lines:
urpmi --auto-select --auto
b) Go to http://easyurpmi.zarb.org and select your distro and then click on the “Proceed to STEP 2” button. Then, under the “2) Select a mirror for each source” section under Core Distribution, check off the following: “Source contrib”, “Source main”, “Source updates” as a bare minimum. Then click on the “Proceed to STEP 3” button. This will generate a list of mirrors. Select them and copy the entire list. Go back to your putty window, press the “i” key to put the editor in insert mode and paste what you just copied from your browser into your putty window between the lines you typed earlier. So, your screen should look similar to this:
urpmi.addmedia --update updates ftp://ftp.clinet.fi/pub/mirrors/Mandrake-linux/official/updates/LE2005/main_updates/ with media_info/hdlist.cz
urpmi.addmedia main ftp://ftp.clinet.fi/pub/mirrors/Mandrake-linux/official/2005/i586/media/main with media_info/hdlist.cz
urpmi.addmedia contrib ftp://ftp.clinet.fi/pub/mirrors/Mandrake-linux/official/2005/i586/media/contrib with media_info/hdlist.cz
urpmi --auto-select --auto
Of course, don't copy my sources, which are most likely outdated.
c) Save your script and make it executable. Press the “ESC” key to take the editor out of insert mode, then press “SHIFT ZZ” to save your file. Then type the following in your putty window:
chmod 755 update.2005.sh
d) You are ready to go. Type the following in your putty window and watch it go. Once completed, your sources are updated and your installation media has been removed.
STEP 3: Install Spamassassin, Razor, Pyzor, DCC and amavisd-new
a) At the console prompt or a putty window type the following command:
Say yes to the dependencies prompt. This will automatically install spamassassin and razor. Configure spamassassin: If your mail server is behind a NAT firewall, you may consider setting up trusted_networks and internal_networks in spamassassin's local.cf file. This is a well known problem with spamassassin on a private IP. Here's how to fix it. Edit the /etc/mail/spamassassin/local.cf file:
Add the trusted_networks and internal_networks line for every PUBLIC ip address your mail server is known for:
trusted_networks 123.456.789.123
trusted_networks 987.654.321.987
internal_networks 123.456.789.123
internal_networks 987.456.789.123
(Obviously, substitute your own public IP address(es).) Add the following lines, still in the /etc/mail/spamassassin/local.cf file, to configure spamassassin to use razor, pyzor and dcc:
bayes_auto_learn 1
bayes_path /etc/mail/spamassassin/bayes
bayes_file_mode 0666
use_razor2 1
razor_config /root/.razor/razor-agent.conf
razor_timeout 10
use_pyzor 1
pyzor_timeout 10
pyzor_max 5
add_header all Pyzor _PYZOR_
use_dcc 1
dcc_timeout 10
dcc_home /var/lib/dcc
dcc_path /usr/bin/dccproc
Create a custom rule set for spamassassin by typing the following in the console:
Copy and paste the following into the file:
#!/bin/bash
# Fetch the third-party SpamAssassin rule sets into /etc/mail/spamassassin
# and restart amavisd so the new rules get loaded.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
RULES_DIR=/etc/mail/spamassassin

# Each rule file is saved under the file name at the end of its URL.
RULE_URLS="
http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf
http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf
http://www.rulesemporium.com/rules/70_sare_html.cf
http://www.rulesemporium.com/rules/70_sare_html4.cf
http://www.rulesemporium.com/rules/70_sare_html_x30.cf
http://www.rulesemporium.com/rules/70_sare_header0.cf
http://www.rulesemporium.com/rules/70_sare_header3.cf
http://www.rulesemporium.com/rules/70_sare_header_x30.cf
http://www.rulesemporium.com/rules/70_sare_specific.cf
http://www.rulesemporium.com/rules/70_sare_adult.cf
http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf
http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf
http://www.rulesemporium.com/rules/70_sare_spoof.cf
http://www.rulesemporium.com/rules/70_sare_random.cf
http://www.rulesemporium.com/rules/70_sare_oem.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj_x30.cf
http://www.rulesemporium.com/rules/70_sare_unsub.cf
http://www.rulesemporium.com/rules/70_sare_uri.cf
http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
http://www.timj.co.uk/linux/bogus-virus-warnings.cf
http://www.yackley.org/sa-rules/evilnumbers.cf
http://www.stearns.org/sa-blacklist/random.current.cf
http://www.rulesemporium.com/rules/88_FVGT_body.cf
http://www.rulesemporium.com/rules/88_FVGT_rawbody.cf
http://www.rulesemporium.com/rules/88_FVGT_subject.cf
http://www.rulesemporium.com/rules/88_FVGT_headers.cf
http://www.rulesemporium.com/rules/88_FVGT_uri.cf
http://www.rulesemporium.com/rules/99_FVGT_DomainDigits.cf
http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf
http://www.rulesemporium.com/rules/99_FVGT_meta.cf
http://www.nospamtoday.com/download/mime_validate.cf
"

cd "$RULES_DIR" || exit 1
for url in $RULE_URLS; do
    file=$(basename "$url")
    # Download to a temporary name first, so a failed download does not
    # replace a working rule file with an empty one that spamassassin
    # would still try to load.
    if /usr/bin/wget -q "$url" -O "$file.tmp"; then
        mv "$file.tmp" "$file"
    else
        rm -f "$file.tmp"
    fi
done

/etc/init.d/amavisd restart > /dev/null 2>&1
exit 0
Save the file (Shift ZZ) and change the permissions to make it executable:
chmod 755 /etc/mail/spamassassin/sa_rules_update.sh
Run the file and ensure there are no errors. On the console or putty window type:
Under the /etc/mail/spamassassin directory you should see a bunch of files ending in .cf, for example bogus-virus-warnings.cf. That means the rules have been updated for spamassassin. Now, you must schedule this script to run on a regular basis. On the console or putty window type the following to schedule a cron job:
Paste the following in your putty window:
23 4 */2 * * /etc/mail/spamassassin/sa_rules_update.sh &> /dev/null
(This will schedule the script to run every two days at 4:23. Obviously, don't copy mine verbatim but adjust to your liking. I used 4:23 to show you the hours/minutes.) Save the file: Shift ZZ
b) At the console prompt or a putty window type the following command:
(accept all dependencies)
(accept all dependencies)
(accept all dependencies)
Say yes to the dependencies prompt. This will automatically install amavisd-new.
c) Configure amavisd by editing /etc/amavisd/amavisd.conf:
Hit “i” to start editing. Ensure the lines below are set as follows; add them if they don't exist. The first line, when uncommented, bypasses all virus checks. It is not needed in this particular situation since we will be installing clamav further down. If you are having problems with clamav and cannot get it to work, it could potentially stop your mail server from operating. In that case, remove the # from in front of the line and it will bypass all virus checks.
#@bypass_virus_checks_acl = qw( . );
Ensure you enter the domain your mailserver belongs to. This setting is VERY important and without this setting messages WILL NOT be tagged as spam in the subject line.
$mydomain = 'yourdomain.tld';
This line ensures that ALL domains this server delivers mail for will be processed through the spam filter. Without this line, only the domain appearing in the $mydomain = line above will be processed through the spam filter.
@local_domains_acl = qw( . );
Ensure this line is commented out with the '#' symbol, just like it looks here.
#@local_domains_maps = ( [".$mydomain"] );
Email tagged as spam is passed, but the subject is modified.
$sa_spam_modifies_subj = 1;
Add spam info headers. I suggest you set this as high as possible. Setting it to undef is highly recommended so that the spam info headers are added to all mail, no matter what the score.
$sa_tag_level_deflt = undef;
Add ‘spam detected’ headers at that level. This is the minimum score the system needs before it adds spam headers to a message. It's pretty low. Start out low and increase the value as you see fit. If you start to get a lot of false positives, increase this value.
$sa_tag2_level_deflt = 3;
Triggers spam evasive actions
$sa_kill_level_deflt = 15;
Spam level beyond which a DSN is not sent
$sa_dsn_cutoff_level = 9;
The word appended to the subject line of spam emails before passed to the end user
$sa_spam_subject_tag = '***SPAM*** ';
Ensures spam is passed to the end user tagged as such. We never want the spam filter to kill messages. We want the end user to decide whether it’s spam or not.
$final_spam_destiny = D_PASS;
Ensures emails with bad headers are passed to the end user tagged as such.
$final_bad_header_destiny = D_PASS;
Hit “ESC” and then “SHIFT ZZ” to save your amavisd.conf file. Next, edit your /etc/postfix/master.cf file, or amavisd will simply not work. Add the following entry at the very bottom of your master.cf file, right before the line ##### END OF CONTENT FILTER CUSTOMIZATIONS #####:
smtp-amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
Now issue the following command for changes to take effect:
STEP 4: Configure Postfix
The steps below outline how to configure postfix to receive e-mail for your Exchange box and forward it to amavisd-new, which in turn processes it with spamassassin and razor; if it passes all the checks it gets forwarded back to postfix, which in turn delivers it to your Exchange box.
a) Issue the following command at your putty prompt to edit your /etc/postfix/main.cf file:
Hit “i” to edit the file, and make sure the settings below are set, obviously substituting your own info and/or adding lines as necessary:
# User configurable parameters
inet_interfaces = all
#mynetworks_style = host
local_recipient_maps =
delay_warning_time = 4h
Do not give out more info to potential hackers than necessary. A lot of people leave the server type and version number on this field. I say, just be as vague as possible. Your choice.
smtpd_banner = yourdomain.tld ESMTP
unknown_local_recipient_reject_code = 550
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
recipient_delimiter = +
owner_request_special = no
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
content_filter = smtp-amavis:[127.0.0.1]:10025
receive_override_options = no_address_mappings
#empty_address_recipient =
header_checks = regexp:/etc/postfix/header_checks
message_size_limit = 1024000
In the following line you specify the domains that you will allow this server to relay mail for. Be careful here. Limit this to only your domains or you risk becoming an open relay!
relay_domains = yourdomain.tld, anotherdomain.tld
Obviously your domain name goes here. Multiple domains can go there separated by commas
mydomain = yourdomain.tld
Enter the FQDN for your box here
myhostname = hostname.yourdomain.tld
In this field, ensure that you put in the IP address of your exchange server and your domain name.
mynetworks = 192.168.1.10/32, yourdomain.tld
This field actually makes the whole relay thing work. Make a note of the file and the path, we’ll deal with it further down.
transport_maps = hash:/etc/postfix/transport
#myorigin =
queue_minfree = 0
Enter RBL lists in the following field. Please be very careful which lists you pick. Some lists are run by tyrants and sometimes legitimate servers end up on them. Also, keep in mind that any e-mail matched to a list gets rejected at the door, which means it doesn't even get to your server, which means neither you nor the user will EVER see that e-mail. Be very wise about which lists you pick. DNSBLs also come and go: a list that has been shut down may start answering positively for every query, which would reject all of your incoming mail, so verify that each list you use is still maintained.
maps_rbl_domains = sbl.spamhaus.org, relays.ordb.org, opm.blitzed.org, dun.dnsrbl.net
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject, reject_non_fqdn_hostname, reject_maps_rbl
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient
smtpd_sender_restrictions = reject_unauth_pipelining, reject_unknown_sender_domain, reject_non_fqdn_sender
The field below is very very important. Make a note of it and we’ll deal with it further down this guide.
relay_recipient_maps = hash:/etc/postfix/exchange_recipients
Once done with the editing, hit SHIFT ZZ to save the file.
b) Next, issue the following command at your putty prompt, where yourdomain.com is the name of the domain this server is going to be relaying e-mail for and 192.168.xxx.xxx is the actual IP address of your Exchange server. You can add as many domains as you like.
echo "yourdomain.com smtp:[192.168.xxx.xxx]" >> /etc/postfix/transport
The following command will tell postfix to accept e-mail for ALL domains. I DO NOT recommend you process the following command unless you are 150% sure you know what you are doing. I merely put it there for reference.
echo "* smtp:[192.168.xxx.xxx]" >> /etc/postfix/transport
After you add the previous line(s) in your transport file, issue the following commands. One command per line:
service postfix restart
You should first see the message “postfix/postfix-script: refreshing the Postfix Mail system” and then “Shutting Down postfix” and “Starting Postfix”. You should see no errors during this. If you do, go back and fix them. Then do the postfix reload and the service postfix restart commands again and look for errors. If there are none, life is good! Proceed to the next step.
STEP 5: Configure Relay Recipient Maps
The steps below outline how to tell postfix who the valid recipients on your Exchange server are, so that the postfix server doesn't forward e-mail to invalid e-mail addresses on your domain and have your Exchange server logs fill up with undeliverable receipts. This step requires installing a few extra packages as well as running Chris Covington's getadsmtp.pl script to get all the recipients from your Exchange box. The recipients will be saved in the /etc/postfix/exchange_recipients file. Finally, when we have verified that the script works, we will schedule it to run at regular intervals with crond, depending on how dynamic the accounts on our Exchange server are.
1. First, go to the following link: http://www-personal.umich.edu/~malth/gaptuning/postfix/getadsmtp.pl You will be presented with Chris Covington's getadsmtp.pl script. In your putty window, create getadsmtp.pl under your /usr/bin directory as follows:
Now, hit “i” to start editing the file, then select and copy everything from your browser which has the getadsmtp.pl script and paste it your putty window. Hit “ESC” to stop editing, and then “SHIFT ZZ” to save the file.
2. Next you must install Net::LDAP. In your console/putty window type:
Accept the dependencies and have it install automatically.
3. Most of the instructions below have been taken verbatim from http://doc.nettools.ru/Unix/Postfix&intserver/. I have copied and pasted them for convenience and redundancy. These instructions will guide you through configuring and running the getadsmtp.pl script against your exchange server to get a list of valid aliases. I have put some of my own comments where necessary: Important: your spamfilter box will require port 389 access to your Active Directory DC in order for this script to work, so adjust your firewalls accordingly! Open the getadsmtp.pl script in your editor:
Enter the path to your recipient maps file by changing the line:
$VALID = "/etc/postfix/example_recipients";
to:
$VALID = "/etc/postfix/exchange_recipients";
Next you will need to enter either the Fully Qualified Domain Name (FQDN) of your Active Directory Domain Controller or you can enter the DC’s local IP address. You may have to do the latter if your DC uses the “yourdomain.local” naming scheme since your spamfilter would not be able to resolve this address (unless you explicitly tell it). In any event, depending on your situation, this parameter may need some tweaking in order for the spamfilter to “talk” to the DC. If you only have one DC, make sure that both $dc1 and $dc2 lines are set with the same FQDN or IP address of your one and only DC. Change the lines that say:
Where w.x.y.z is the local IP address of your DC, and Backup Domain Controller ($dc2), if you have one. Again, enter the same IP address on both fields if you only have one DC.
Next, you will need to determine and enter the LDAP container of your user base. To do this you should download the Windows 2000/2003 Support Tools and install them on your AD DC. The tools are usually located under the /Support/Tools directory of your Windows 2000/2003 Server installation CD if you don't want to download them. Once you install the support tools, go to your Exchange server and click on Start/Run and then type in “mmc”. You should be presented with the Windows root console. Click on File and then “Add/Remove Snap-In”. In the next window click on the “Add” button. In the following “Add Remove Standalone Snap-In” window you should see a list of already installed snap-ins. If you installed the support tools correctly, you should see the “ADSI Edit” snap-in. Click on it, then click on “Add”, then click on “Close” and then “Ok”. You should now have the ADSI Edit snap-in under the Console Root window. Right-click on ADSI Edit and then click on “Connect To”. On the next window just click “OK”. Now under ADSI Edit in your Console Root you should see your domain. Expand the domain tree, then expand the “DC=” tree and then click on the “CN=” tree that contains your Exchange users. Unless you moved your users around different containers in your AD, this is most probably the “CN=Users” tree. Now look at the label of your console root window. It should show something similar to this:
"Console Root\ADSI Edit\Domain [yourdc.yourdomain.tld]\DC=yourdomain,DC=tld\CN=users"
where yourdc.yourdomain.tld is the FQDN of your DC. So, on the getadsmtp.pl line below, change the default values to the values of your domain using the settings you got from above:
Next, you will need to enter a username and password for a user in your Active Directory. This user does not need any special privileges but you should make sure that the user’s password is set to not expire. The format of the user should be entered as “cn=username,cn=Users,dc=example,dc=com”. Again, I suggest you read the comments in the getadsmtp.pl script carefully. Note that because you are entering a password here in clear text, I would make sure that this script is only readable by root. Once you have the information you need, change the lines:
$user="cn=user,cn=Users,dc=example,dc=com";
$passwd="password";
to the appropriate values.
* Please note that if the password you use contains the $ sign (and perhaps others? I am not familiar with perl really, but some characters such as $ and probably also quotes have special meaning) you will have to escape them appropriately with a backslash or perl will complain. For example, if your password is: pa$$word, you would have to enter: pa\$\$word here. Once you have made all the changes to the getadsmtp.pl script, save it and exit vi (hit Esc, and then :wq). Now, make the script executable and test it out to see if it works:
chmod 700 /usr/bin/getadsmtp.pl
(Mode 700 rather than 755 keeps the script, and the clear-text password inside it, readable only by root, as recommended above; cron runs it as root, so nothing else needs to read it.)
If the script runs successfully, you should now have a file in /etc/postfix called exchange_recipients listing all your email addresses. To verify this, issue the command:
(Of course, replace this with the file name you chose earlier, if needed.) You should see a list scroll by with a format similar to this:
email@example.com OK
firstname.lastname@example.org OK
email@example.com OK
Some final comments: If you look at your main.cf file, you will see that unknown_local_recipient_reject_code is set to 550. However, this directive does not control the rejection code for a recipient that is not listed in relay_recipient_maps. The default rejection code for unknown users is 550, which is most likely what you want, but if you ever wanted to change it, the directive to change is
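To make concrete what the two settings the guide keeps flagging as important actually do together (the relay_domains and smtpd_recipient_restrictions lines from STEP 4 and the relay_recipient_maps file from STEP 5), here is an added example that is not part of the original guide or of Postfix: a small Python model of how those settings decide whether a RCPT TO command is accepted. It assumes the constructed main.cf values and recipient list below (taken from the guide's placeholders), ignores mydestination, HELO, sender and RBL checks, and applies the relay_recipient_maps lookup after the restrictions the way Postfix's default smtpd_reject_unlisted_recipient does.

```python
"""Model of the Postfix relay decision produced by the STEP 4 main.cf
settings and the STEP 5 exchange_recipients map.  Simplified: it ignores
mydestination, HELO and sender restrictions, and RBL checks."""
import ipaddress

# Constructed sample of the relevant main.cf settings from STEP 4.
MAIN_CF = {
    "mynetworks": ["127.0.0.0/8", "192.168.1.10/32"],      # the Exchange box
    "relay_domains": ["yourdomain.tld", "anotherdomain.tld"],
    "smtpd_recipient_restrictions": [
        "permit_mynetworks",
        "reject_unauth_destination",
        "reject_non_fqdn_recipient",
    ],
    "unknown_relay_recipient_reject_code": 550,
}

# Constructed sample of what getadsmtp.pl writes to /etc/postfix/exchange_recipients.
EXCHANGE_RECIPIENTS = """\
alice@yourdomain.tld OK
bob@yourdomain.tld OK
sales@anotherdomain.tld OK
"""


def parse_recipient_map(text):
    """Parse 'address OK' lines into a set of lowercase addresses."""
    addrs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == "OK" and "@" in parts[0]:
            addrs.add(parts[0].lower())
    return addrs


def in_mynetworks(client_ip, networks):
    """True if client_ip falls inside any of the mynetworks entries."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in networks)


def unreachable_entries(map_text, relay_domains):
    """Addresses in the recipient map whose domain is not relayed here.

    Such entries are harmless but show that relay_domains and the Exchange
    export disagree, e.g. a domain was added to AD but not to main.cf.
    """
    return sorted(a for a in parse_recipient_map(map_text)
                  if a.rpartition("@")[2] not in relay_domains)


def recipient_decision(client_ip, recipient, cfg=MAIN_CF, recipient_map=None):
    """Return (smtp_code, reason) for RCPT TO:<recipient> from client_ip.

    smtpd_recipient_restrictions is walked in order and the first permit or
    reject wins, so an internal client (permit_mynetworks) may send anywhere,
    while an outside client may only deliver into relay_domains.  After the
    restrictions, the relay_recipient_maps lookup rejects relay addresses
    the Exchange export does not list, so no bounce is generated for them.
    """
    if recipient_map is None:
        recipient_map = parse_recipient_map(EXCHANGE_RECIPIENTS)
    domain = recipient.rpartition("@")[2].lower()
    is_relay_domain = domain in cfg["relay_domains"]

    for restriction in cfg["smtpd_recipient_restrictions"]:
        if restriction == "permit_mynetworks":
            if in_mynetworks(client_ip, cfg["mynetworks"]):
                break                     # permit: stop evaluating
        elif restriction == "reject_unauth_destination":
            if not is_relay_domain:
                return 554, "Relay access denied"
        elif restriction == "reject_non_fqdn_recipient":
            if "." not in domain:
                return 504, "Recipient address must be fully qualified"
        else:
            raise ValueError("restriction not modelled: " + restriction)

    if is_relay_domain and recipient.lower() not in recipient_map:
        return (cfg["unknown_relay_recipient_reject_code"],
                "User unknown in relay recipient table")
    return 250, "Ok"


if __name__ == "__main__":
    for client, rcpt in [("203.0.113.9", "alice@yourdomain.tld"),
                         ("203.0.113.9", "carol@yourdomain.tld"),
                         ("203.0.113.9", "someone@other.example"),
                         ("192.168.1.10", "someone@other.example")]:
        print(client, rcpt, recipient_decision(client, rcpt))
```

The third case is the open-relay check: an outside client may not deliver to a domain outside relay_domains, while the same destination from the Exchange box's own address is outbound mail and is permitted.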
STEP 6: Install and configure Clam-AV
At your putty window, type in the following to install Clam-AV:
Configure clamd to run as the amavis user. Edit /etc/clamd.conf:
Hit “i” to start editing, find the line that reads “User clamav” and change it to user amavis, like below:
# Run as a selected user (clamd must be started by root).
# Default: disabled
User amavis
Change the owner under /var/lib/clamav to amavis as follows:
chown -R amavis:amavis /var/lib/clamav
Start the clamd daemon:
service clamd start
STEP 7: Configure your Exchange Server
First, a little explanation of how this whole SPAM thing works with our current setup. Potential SPAM messages get received and processed; if found to be spam, they are tagged as such in the headers and, most notably for the user's sake, the subject of the email gets tagged with ***SPAM*** (if you followed this guide exactly), and it still gets delivered to the user. It's important to understand that potential spam email does NOT get deleted but instead is marked and passed to the user. Now, the user has two choices. If the email really is spam the user can just delete it. If the spam filter screwed up and the e-mail did get tagged as spam even though it shouldn't have, the user has to have a way of telling you that the e-mail should not get tagged as spam anymore. Vice versa, if the spam filter missed an email that should have been marked as spam, the user has to be able to tell you that this e-mail must be marked as spam next time. So we have to give the users a way of moving messages into two separate areas, one for SPAM and one for NON-SPAM, or HAM if you will.
How do we do that in Exchange? Well, it’s very simple. We need to create two folders under the public folder store, one called “SPAM” and the other called “HAM” or whatever you want. So, “SPAM” is BAD, and “HAM” is good. So, here’s how to do it:
a. Create Public Folders for HAM and SPAM
In your Exchange box, fire up Exchange System Manager and navigate to Folders, Public Folders and then right-click on Public Folders and select “New”, “Public Folder”. Under “Name” enter “SPAM”, without the quotes of course. Repeat this process and create a “HAM” folder. Now, let's verify permissions for those folders. Right-click Public Folders again and click “Refresh”. Your two new folders should appear in the pane on the right-hand side. Right-click one of the folders and click on “Properties”. In the window that appears, click on “Permissions” then “Client Permissions”. Ensure that under the role Author, the following items are checked/unchecked accordingly: “Create items” should be checked, “Read Items” should NOT be checked, “Create Subfolders” should NOT be checked, “Edit Items” should only have “Own” checked, “Folder Visible” should be checked, and under “Delete Items” “Own” should be checked. Repeat these steps for the other folder. In this configuration, users can move/copy items to those folders but they cannot read other people's emails, they can only delete their own items, and they cannot make any other modifications, like creating subfolders under these folders.
b. Enable IMAP on your Exchange box
Now, we must enable IMAP on your Exchange server. IMAP is disabled by default. Here's how to enable it: Go under “Services”, which should be under “Administrative Tools”, and scroll down the services list until you find “Microsoft Exchange IMAP4”. You will see that the service is disabled. Let's enable it. Right-click on the “Microsoft Exchange IMAP4” service and click on “Properties”. Under the “General” tab, in the “Startup Type” dropdown, change it to “Automatic”. Under the “Log On” tab, make sure the “Log on as” field is set to “Local System Account”. Next click “OK”. Now, right-click on the “Microsoft Exchange IMAP4” service and click on “Start”. You should see the service start and show as “Started” in the service list. Also, ensure the “Startup Type” has been changed to “Automatic”. Your Exchange server should now be accepting connections through IMAP. Test it: from a command prompt on your server type the following:
telnet localhost 143
You should see a reply similar to this:
* OK Microsoft Exchange Server 2003 IMAP4rev1 server version
That means IMAP is working. If you don’t see that, restart your server or restart all your “Microsoft Exchange” services.
c. Download and configure IMAP2mbox on your Exchange box
Next we have to download a nice freeware utility that will connect to your Exchange server's public SPAM and HAM folders, get all the e-mail and convert it to mbox format, which is what our Linux server understands in order to train our spam filter. Go to the following URL and download the IMAP2mbox utility to your Exchange server: http://www.byteplant.com/support/nospamtoday/contrib.html Extract it to a permanent home on your Exchange server's hard drive. For example, I extracted it to c:\imap2mbox. Now, we have to create two configuration files for it, one for spam and another one for ham. Go to a command prompt and change directory to your imap2mbox folder: Start/Run/cmd
c:
cd imap2mbox
Now, run the following command at the command prompt to create the spam configuration file (spam.cfg) substituting your own information where necessary:
imap2mbox.exe --config="c:\imap2mbox\spam.cfg" --path="Public Folders/" --folder="SPAM/" --server=YourExchangeServer --delete --username="YOURDOMAIN/username" --mbox="c:\imap2mbox\spam.mbox" --pass=yourpassword
Do the same to create the ham configuration file (ham.cfg) substituting your own information where necessary:
imap2mbox.exe --config="c:\imap2mbox\ham.cfg" --path="Public Folders/" --folder="HAM/" --server=YourExchangeServer --delete --username="YOURDOMAIN/username" --mbox="c:\imap2mbox\ham.mbox" --pass=yourpassword
You should see at least two more *.cfg files in your imap2mbox folder now. If you followed the instructions exactly, you should have a ham.cfg and a spam.cfg. Now, we have to schedule a task on our Exchange box every night in order to get the ham and spam out of our public folders, put them in their respective ham.mbox and spam.mbox files, copy them over to our Linux box and in turn train the spam filter. So, we either have to create a samba share on our Linux box, or connect to a share on our Exchange box from our Linux box (this is by far the easiest choice). It's your choice how to do it. I will proceed with the latter choice, namely creating a share on the Exchange box and then mounting that share from the Linux box. Here's how to do it:
Create two batch files, one called run-spam.bat and one called run-ham.bat. In the run-spam.bat, put the following command in it:
In the run-ham.bat file, put the following command in it:
Now, under the scheduled tasks in your Exchange box, schedule two jobs to run each batch file. So, go under Start, Programs, Accessories, System Tools, Scheduled Tasks. Click on the “Add Scheduled Task” icon, click “Next”, then click on “Browse” and browse to the c:\imap2mbox folder or whatever folder you extracted the imap2mbox archive to. Select your run-spam.bat, then click on “Weekly”, then “Next”. In the following window under the “Start time” field select the time you want this task to run, preferably after hours, then select the days you want it to run and then click “Next” again. In the next window under the “Enter the user name:” and “Enter the password:” fields enter an administrative username/password for your server/domain and click on “Next” and then click on “Finish”. Repeat these steps for the run-ham.bat file. I would schedule that approximately 15 minutes after the run-spam.bat file just to be safe. Pay attention to the time and the days you've scheduled the two tasks, because we are going to need them in order to adjust the cron jobs accordingly on the Linux box. Next, let's share the imap2mbox folder. So, in Windows Explorer browse to the folder, right-click on it, click on “Sharing and Security”, then click Sharing and then on “Share this folder” and then click on “Permissions” and add whichever user on your domain you want to have access to it. You could use “Administrator” only, but remember, you are going to be logging in from the Linux box using that username/password, so I would recommend creating a new account in the domain just for this purpose. Up to you. Just remember which user has access to that folder. I certainly wouldn't leave everyone with access to it, which is the default. This concludes the imap2mbox configuration.
d. Let’s mount the imap2mbox share on our Linux box. Log in to your linux box and type the following in your putty/console window to create a mount point:
Now, mount the share to the mount point you’ve just created:
mount -t smbfs -o username=username,password=apassword //exchangeserver/imap2mbox /mnt/imap2mbox
There have been times where I’ve run into issues trying to mount a samba share using the command above or even using the smbmount command. If you try to mount the share and you keep getting strange errors, try the command below to mount it as a CIFS share:
mount -t cifs //exchangeserver/imap2mbox /mnt/imap2mbox -o user=username,password=apassword
Create a spam folder as well as archive folders for spam and ham:
mkdir /spamfilter
mkdir /spamfilter/archived
mkdir /spamfilter/archived/spam
mkdir /spamfilter/archived/ham
Now, let’s create a script and schedule a cron job to run that script nightly. It will copy the spam.mbox and ham.mbox files that the two batch files create into a folder on our linux box and then train our spam filter. Type the following in your console/putty window:
In the window that comes up, type “i” without the quotes to get into editing mode and put in the following, one command per line (the cifs mount line is the fallback for the smbfs line; leave it commented out unless smbfs gives you trouble):
#!/bin/sh
# ensure the mountpoint is created
mkdir -p /mnt/imap2mbox
# ensure share is mounted
mount -t smbfs -o username=username,password=apassword //exchangeserver/imap2mbox /mnt/imap2mbox
# if smbfs keeps failing, comment out the line above and use the cifs form instead:
#mount -t cifs //exchangeserver/imap2mbox /mnt/imap2mbox -o user=username,password=apassword
# Move spam.mbox and ham.mbox from /mnt/imap2mbox
/bin/mv /mnt/imap2mbox/spam.mbox /spamfilter
/bin/mv /mnt/imap2mbox/ham.mbox /spamfilter
# train the spamfilter
/usr/bin/sa-learn --spam --mbox /spamfilter/spam.mbox
/usr/bin/sa-learn --ham --mbox /spamfilter/ham.mbox
# Archive and date stamp the spam-ham mbox files
/bin/mv /spamfilter/spam.mbox /spamfilter/archived/spam/`date +%d%m%Y`.spam.mbox
/bin/mv /spamfilter/ham.mbox /spamfilter/archived/ham/`date +%d%m%Y`.ham.mbox
Press “ESC” then “SHIFT ZZ” to save the /root/trainfilter.sh file. Now make it executable:
chmod 755 /root/trainfilter.sh
Now, schedule a cron job to run the script nightly, preferably 15 minutes after your exchange box has run the last of the two batch files. It goes without saying that the linux and exchange box clocks should be pretty darn close to each other. At your console/putty window type the following:
In the window that comes up, hit “i” to enter edit mode, then add the following line after the last line that appears in your crontab file:
30 1 * * * /root/trainfilter.sh
The “30” signifies the minutes and the “1” signifies the hour. So adjust accordingly, but at least 15 minutes after the scheduled tasks have run on your exchange box. Then, hit “ESC” and then “SHIFT ZZ” to save the new cron job. Now, depending on the amount of spam that you are dealing with, you may want to schedule the cron job to run every week or whatever suits you. Just keep in mind that the spam.mbox and ham.mbox files that your exchange box creates are appended to every time the scheduled task is run on your Exchange box. In other words, messages are added to those files, so that’s why it’s a good idea to move them out of there, train the spam filter, then date and archive them so that they don’t get too huge. Plus, archiving, dating and in turn backing them up gives you the ability to train your spam filter back to the way it was if you ever have a catastrophic failure on your relay server. That’s it, you are done!!
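The trainfilter.sh above puts the share password on the mount command line (where it shows up in ps output and shell history) and runs sa-learn whether or not the mount actually worked. Below is a hardened variant of the same job, written here as an added example rather than the guide’s own script; it assumes the same share and folders as the guide plus a hypothetical root-only credentials file /root/.smbcred read through mount.cifs’s credentials= option.

```sh
#!/bin/sh
# Added example, not the guide's own script: a hardened /root/trainfilter.sh.
#  - the share password lives in a root-only credentials file (hypothetical
#    /root/.smbcred) passed via mount.cifs credentials=, so it never appears
#    on the mount command line, in `ps` output or in shell history
#  - the share is mounted only for the copy and unmounted afterwards
#  - an mbox is trained and archived only if it was really copied and is
#    non-empty, so a failed mount never trains sa-learn on a missing file
#  - archives are stamped YYYYMMDD so they sort chronologically
set -eu

SHARE=//exchangeserver/imap2mbox            # share name from the guide
MNT=/mnt/imap2mbox
CRED=/root/.smbcred                         # "username=...\npassword=...", mode 0600
SPAMDIR=${SPAMDIR:-/spamfilter}
SA_LEARN=${SA_LEARN:-/usr/bin/sa-learn}

# Archive path for one mbox kind (ham|spam) and date, e.g. 20050601.spam.mbox
archive_name() {   # $1 = kind, $2 = YYYYMMDD (defaults to today)
    printf '%s/archived/%s/%s.%s.mbox\n' "$SPAMDIR" "$1" "${2:-$(date +%Y%m%d)}" "$1"
}

# Train sa-learn on one mbox and archive it; returns 1 without training
# when the file is missing or empty.
train_mbox() {     # $1 = kind, $2 = path to mbox
    [ -s "$2" ] || return 1
    "$SA_LEARN" --"$1" --mbox "$2"
    mkdir -p "$SPAMDIR/archived/$1"
    mv "$2" "$(archive_name "$1")"
}

# Mount the Exchange share, pull the two mbox files, unmount, then train.
fetch_and_train() {
    mkdir -p "$MNT" "$SPAMDIR"
    [ "$(stat -c %a "$CRED")" = 600 ] || { echo "$CRED must be mode 0600" >&2; return 1; }
    mount -t cifs "$SHARE" "$MNT" -o credentials="$CRED" || return 1
    for kind in spam ham; do
        if [ -f "$MNT/$kind.mbox" ]; then mv "$MNT/$kind.mbox" "$SPAMDIR/$kind.mbox"; fi
    done
    umount "$MNT"
    for kind in spam ham; do
        train_mbox "$kind" "$SPAMDIR/$kind.mbox" || echo "no $kind.mbox to train on" >&2
    done
}

# The full job runs only when invoked as: /root/trainfilter.sh run
case "${1:-}" in run) fetch_and_train ;; esac
```

With this layout the crontab line becomes `30 1 * * * /root/trainfilter.sh run`, and the credentials file is created once with `chmod 600` so the mode check passes.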
Questions, bitches, praises? Shoot me an e-mail at firstname.lastname@example.org.
That’s right, I posted my full e-mail address. I ain’t skeered!
DISCLAIMER: Anything bad that happens to you or your stuff while following this guide is entirely your fault.