Saturday, May 24, 2014

Sendmail : Spam Filtering

After configuring the following, Sendmail won't even talk to spammers anymore.

Edit the file /etc/mail/sendmail.mc and insert the following lines anywhere in the FEATURE section of the file:
dnl #
dnl # Here are Sharky's favorite DNSBL definitions.
dnl #
FEATURE(`dnsbl', `list.dsbl.org')dnl
FEATURE(`dnsbl', `bl.spamcop.net')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org')dnl
FEATURE(`dnsbl', `blackholes.mail-abuse.org')dnl
FEATURE(`dnsbl', `relays.mail-abuse.org')dnl
Apply the changes by saving the file and running the following command:

service sendmail restart
From this point on, every time an SMTP client connects to Sendmail, Sendmail will query the blacklist authorities you added to check the client's reputation. If the client is reported to have a shady reputation, Sendmail will hang up on it.
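To see what that query actually is, and to confirm each zone is still alive before trusting it, here is an added example (not from the original post). It assumes dig(1) is installed and uses the /etc/mail/sendmail.mc path from the post; the liveness check uses the RFC 5782 test addresses.

```shell
#!/bin/sh
# Added example (not from the original post): the lookup behind
# FEATURE(`dnsbl', zone) and a liveness check for each zone in sendmail.mc.
# Sendmail reverses the client's IPv4 octets, appends the zone and asks DNS
# for an A record; any answer (conventionally 127.0.0.x) means "listed".
# Assumes dig(1) is installed; the sendmail.mc path is the one from the post.

# Build the DNSBL query name for an IPv4 address and a zone:
# 192.0.2.10 + bl.spamcop.net -> 10.2.0.192.bl.spamcop.net
dnsbl_query_name() {
    printf '%s' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Return 0 if the name resolves to at least one A record (listed), 1 if not.
# NXDOMAIN, a dead zone and a DNS timeout all look the same here: "not listed".
dnsbl_listed() {
    [ -n "$(dig +short A "$1" 2>/dev/null)" ]
}

# RFC 5782 test addresses: 127.0.0.2 must be listed, 127.0.0.1 must not.
# A zone failing the first test is dead (it blocks nothing); one failing
# the second answers for every query (it would reject all mail).
dnsbl_health() {
    zone="$1"
    if ! dnsbl_listed "$(dnsbl_query_name 127.0.0.2 "$zone")"; then
        echo "$zone: BROKEN, test address 127.0.0.2 is not listed"; return 1
    fi
    if dnsbl_listed "$(dnsbl_query_name 127.0.0.1 "$zone")"; then
        echo "$zone: BROKEN, 127.0.0.1 is listed so every client would be rejected"; return 1
    fi
    echo "$zone: ok"
}

# Pull the zone out of every FEATURE(dnsbl, ...) line in a .mc file;
# accepts both the quoted and unquoted first argument styles.
dnsbl_zones() {
    sed -n "s/^FEATURE(\`\{0,1\}dnsbl'\{0,1\}, *\`\([^']*\)').*/\1/p" "$1"
}

# Stand-alone run: check every configured zone, if the file is present.
if [ -r /etc/mail/sendmail.mc ]; then
    dnsbl_zones /etc/mail/sendmail.mc | while read -r z; do dnsbl_health "$z"; done
fi
```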

Tuesday, May 13, 2014

Set Up a Simple FreeBSD Firewall Using IPFW

1. First, edit /etc/rc.conf and add the following. You can do so by typing 'edit /etc/rc.conf' at the command prompt. (firewall_script takes the path of the rules file, not "YES".)
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

2. Then create the rules file. You can do so by typing 'edit /etc/ipfw.rules' at the command prompt. I would add some simple rules like the ones below.
# server
cmd="ipfw -q add"
ipfw -q -f flush
ks="keep-state"
#loopback
$cmd 10 allow all from any to any via lo0
$cmd 20 deny all from any to 127.0.0.0/8
$cmd 30 deny all from 127.0.0.0/8 to any
$cmd 40 deny tcp from any to any frag
# stateful
$cmd 50 check-state
$cmd 60 allow tcp from any to any established
$cmd 70 allow all from any to any out keep-state
$cmd 80 allow icmp from any to any
# services
#ftp
$cmd 110 allow tcp from any to any 21 in
$cmd 120 allow tcp from any to any 21 out
#ssh
$cmd 130 allow tcp from any to any 22 in
$cmd 140 allow tcp from any to any 22 out
#smtp
$cmd 150 allow tcp from any to any 25 in
$cmd 160 allow tcp from any to any 25 out
#dns
$cmd 170 allow udp from any to any 53 in
$cmd 175 allow tcp from any to any 53 in
$cmd 180 allow udp from any to any 53 out
$cmd 185 allow tcp from any to any 53 out
#http
$cmd 200 allow tcp from any to any 80 in
$cmd 210 allow tcp from any to any 80 out
#pop3
$cmd 220 allow tcp from any to any 110 in
$cmd 230 allow tcp from any to any 110 out
#ntp
$cmd 240 allow udp from any to any 123 in
$cmd 250 allow udp from any to any 123 out
#https
$cmd 260 allow tcp from any to any 443 in
$cmd 270 allow tcp from any to any 443 out
# deny log
$cmd 999 deny log all from any to any

3. Now you can start the firewall either by rebooting your machine or by running this command:
# sh /etc/ipfw.rules
4. You can then list the rules in sequence with the following command:
# ipfw list
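Rule 999 logs everything it drops, so the next thing a practitioner wants is a quick summary of what is hitting it. The script below is an added example, not part of the original post; it assumes FreeBSD's default of logging ipfw hits to /var/log/security, and the log lines embedded in it are constructed samples in the kernel's ipfw log format.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what rule 999
# ("deny log all from any to any") is dropping. FreeBSD logs ipfw hits
# through syslog, normally into /var/log/security; that path and the
# sample lines below are assumptions/constructed for this example.
IPFW_LOG="${IPFW_LOG:-/var/log/security}"

# Constructed sample input in the kernel's ipfw log format.
sample_log() {
cat <<'EOF'
May 13 10:01:02 fw kernel: ipfw: 999 Deny TCP 203.0.113.7:51234 192.0.2.10:23 in via em0
May 13 10:01:03 fw kernel: ipfw: 999 Deny TCP 203.0.113.7:51235 192.0.2.10:3389 in via em0
May 13 10:01:05 fw kernel: ipfw: 999 Deny UDP 198.51.100.9:40000 192.0.2.10:161 in via em0
May 13 10:01:09 fw kernel: ipfw: 999 Deny TCP 203.0.113.7:51236 192.0.2.10:23 in via em0
May 13 10:02:00 fw kernel: ipfw: 130 Accept TCP 198.51.100.20:55000 192.0.2.10:22 in via em0
EOF
}

# Print "count src_ip dst_port proto" for each inbound denial, most frequent
# first. Fields are located relative to the "ipfw:" token so the syslog
# prefix can vary. Reads the files given, or stdin when none.
deny_summary() {
    awk '
        { for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
          if (i > NF || $(i + 2) != "Deny") next      # only Deny actions
          proto = $(i + 3)                              # TCP, UDP, ICMP:8.0 ...
          split($(i + 4), src, ":")                     # src_ip[:port]
          split($(i + 5), dst, ":")                     # dst_ip[:port]
          if ($(i + 6) == "in") n[src[1] " " dst[2] " " proto]++ }
        END { for (k in n) print n[k], k }
    ' "$@" | sort -rn
}

# How many distinct destination ports one source hit: several ports from
# one address looks like a scan, a single port more like a misconfiguration.
ports_probed_by() {
    ip="$1"; shift
    deny_summary "$@" | awk -v ip="$ip" '$2 == ip { c++ } END { print c + 0 }'
}

# Stand-alone run: the real log when present, otherwise the sample.
if [ -r "$IPFW_LOG" ]; then deny_summary "$IPFW_LOG"; else sample_log | deny_summary; fi
```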

Friday, May 2, 2014

SpamAssassin in Sendmail

Sendmail is software for handling mail delivery (an MTA). When installing FreeBSD the other two MTAs you can choose from are Postfix and Exim, but I chose Sendmail as that's the one I'm most familiar with. The following procedures apply only to Sendmail.

In order to use SpamAssassin and ClamAV with Sendmail there are various mechanisms which need to be defined in sendmail.cf (the configuration file). Also, definitions must be added to use RBLs (Real-time Black Lists - lists of hostnames, domains, mail addresses etc. found to be used by spammers that can be used to reject spam from these spammers).

Usually you do not modify sendmail.cf directly but rather the macro file (in m4's .mc format), which m4 then processes to generate sendmail.cf.

When you configure Sendmail on FreeBSD as described below, a macro file named after the server's hostname is created automatically. Do the following:
cd /etc/mail
make
then, for example, if your machine is called mail.example.jp, a file called mail.example.jp.mc will be created in that directory. From here on I will use mail.example.jp.mc to refer to this .mc macro file as we add the various configurations below, eventually leading to the creation of the final Sendmail configuration file, sendmail.cf.

Once mail.example.jp.mc has been created it will not be overwritten if you run make again, so when you want to add or modify some configuration, edit the file directly.

0) Basic configuration

First we define which e-mail address formats your mail server will accept.

The e-mail address formats mail.example.jp will receive are:
test@example.jp
test@mail.example.jp
We create a file called /etc/mail/local-host-names and add the following:
example.jp
mail.example.jp
mail.example.jp is optional because it is under the same domain as the first entry (example.jp). Make sure there are no inconsistencies between this file and the DNS MX records for example.jp. Whichever address format is used, all mail will be delivered to mail.example.jp.

Next, create /etc/mail/relay-domains and add the following to define who is allowed to send mail from this server:
example.jp
192.168.0
The second line allows any machine on the local 192.168.0.0/24 network (assuming the mail server has both a public and a local network interface) to relay e-mail through this server. Change this value to match your local network.

With the above configuration basic mail delivery can now be performed.


1) Add SpamAssassin and ClamAV settings
cd /etc/mail
vi mail.example.jp.mc
and add the following:
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')dnl

2) Settings related to reverse DNS lookups

Here we configure Sendmail to reject mail sent from hosts with no reverse DNS lookup. By doing this we're able to avoid most spam from Chinese and Korean servers which don't have reverse DNS lookup entries.

A side effect of this setting, though, is that mail from legitimate hosts may be rejected because of bad server configuration on their side. Some people are against configuring their SMTP server this way. Do some research yourself before deciding whether to enable this on your mail server.

Add these settings to mail.example.jp.mc if you want to ONLY reject hosts with no reverse DNS lookup.

OR, if you want to reject both the above and hosts whose reverse DNS lookup and forward DNS lookup do not match, then add these settings.

The tab characters must be preserved so be careful when copy/pasting.

If you want to be able to receive mail from hosts which do not have a reverse DNS entry then you must not use these settings. Likewise, if you're likely to receive lots of legitimate mail from China and/or Korea (which have many such mail servers) you should avoid using these settings.


3) Setting up Sendmail RBLs

If an incoming mail is marked as spam by SpamAssassin, the mail will still be delivered (and left for something else to filter), but if you enable the RBL features in Sendmail, as we do below, mail from a host rejected by an RBL policy will not be delivered at all. Keep this in mind when deciding whether to use the following.

There are various RBLs out there; we chose to use the following four. Add this to mail.example.jp.mc:
FEATURE(dnsbl,`bl.spamcop.net')dnl
FEATURE(dnsbl,`sbl-xbl.spamhaus.org')dnl
FEATURE(dnsbl,`list.dsbl.org')dnl
FEATURE(dnsbl,`all.rbl.jp')dnl
Make sure the above lines come before MAILER(smtp) and MAILER(local) lines in mail.example.jp.mc.

There are many reports on Japanese mailing lists that too many legitimate addresses get registered in spamcop.net, so if you want to be on the safe side it would be okay to leave that line out.

The following three RBLs have not-so-good reputations, so we don't recommend using them.

BLARS
JAMM
SORBS

Sendmail's queries to the RBLs are made in the order listed in the configuration file. Even if all RBLs had exactly the same data, an offending host would be rejected by the first RBL and the check would stop there, so only the rejection by the first RBL is recorded in the Sendmail log file.

Having a high number of RBLs configured does not mean your server will be more effective at avoiding spam. Too many RBLs generate unnecessary traffic and server load, so choose a number suited to your mail server's purpose and intended use. Once your configuration is done, run the server for a while, look at the mail log and see whether some of the configured RBLs rarely (or never) appear. Those contribute little to rejecting hosts, most probably because their data overlaps with an RBL higher up in the list, which does the rejecting first. Identify them and delete them.

So far, the updates we've added to mail.example.jp.mc are here. The tab characters must be preserved, so make sure your browser doesn't break them if you copy/paste.

MAILER(local) and MAILER(smtp) were already in mail.example.jp.mc before we started changing it. It's important that the RBL definitions (FEATURE(...) etc.) come before the MAILER(...) definitions; the order is critical. The rules below LOCAL_RULESETS are the definitions that only reject mail from hosts without a reverse DNS entry, not those whose forward and reverse DNS entries do not match.


4) Generating sendmail.cf

After the above configuration steps have been completed:
cd /etc/mail
make
and a file called mail.example.jp.cf will be created. This now becomes our new Sendmail configuration file. Copy it as follows:
cp mail.example.jp.cf sendmail.cf
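Before running make, it is worth linting the .mc file for the three mistakes this post warns about: a FEATURE(dnsbl) line placed after MAILER(...), a filter named in confINPUT_MAIL_FILTERS that has no INPUT_MAIL_FILTER definition, and tabs lost in copy/paste inside the LOCAL_RULESETS rules. The script below is an added example, not the post's own code; the .mc it lints is a constructed sample that contains all three mistakes.

```shell
#!/bin/sh
# Added example (not from the original post): lint a sendmail .mc before
# running make, for the three mistakes the post warns about. Prints one
# line per problem and returns the number of problems (0 = clean).
check_mc() {
    mc="$1"; problems=0
    # 1. Every FEATURE(dnsbl, ...) must come before the first MAILER(...) line.
    last_dnsbl=$(grep -n '^FEATURE([`]*dnsbl' "$mc" | tail -n 1 | cut -d: -f1)
    first_mailer=$(grep -n '^MAILER(' "$mc" | head -n 1 | cut -d: -f1)
    if [ -n "$last_dnsbl" ] && [ -n "$first_mailer" ] && [ "$last_dnsbl" -gt "$first_mailer" ]; then
        echo "$mc:$last_dnsbl: FEATURE(dnsbl) after MAILER() at line $first_mailer"
        problems=$((problems + 1))
    fi
    # 2. Every filter named in confINPUT_MAIL_FILTERS must have an INPUT_MAIL_FILTER line.
    for f in $(sed -n "s/^define(\`confINPUT_MAIL_FILTERS', *\`\([^']*\)').*/\1/p" "$mc" | tr ',' ' '); do
        grep -q "^INPUT_MAIL_FILTER(\`$f'" "$mc" || {
            echo "$mc: filter '$f' is listed in confINPUT_MAIL_FILTERS but never defined"
            problems=$((problems + 1))
        }
    done
    # 3. Rewrite rules after LOCAL_RULESETS separate LHS and RHS with a tab;
    #    a rule line with no tab usually means copy/paste turned tabs into spaces.
    for n in $(awk '/^LOCAL_RULESETS/ { r = 1; next } r && /^R/ && !/\t/ { print NR }' "$mc"); do
        echo "$mc:$n: rule line has no tab between its left and right hand sides"
        problems=$((problems + 1))
    done
    return $problems
}

# Constructed sample .mc with all three mistakes, written to the path given.
sample_mc() {
    cat > "$1" <<'EOF'
FEATURE(dnsbl,`bl.spamcop.net')dnl
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')dnl
MAILER(local)dnl
MAILER(smtp)dnl
FEATURE(dnsbl,`all.rbl.jp')dnl
LOCAL_RULESETS
SLocal_check_relay
R$*    $: $&{client_resolve}
EOF
}

# Stand-alone demo: lint the constructed sample (expect 3 problems).
tmp=$(mktemp) && sample_mc "$tmp"
check_mc "$tmp" || echo "$? problem(s) found in $tmp"
rm -f "$tmp"
```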