DSPAM Configuration on an ISPConfig Server
This document walks through the steps to replace the antispam and/or antivirus filters that come with ISPConfig. I am also the author of DSPAM as an Exchange Relay..., which I did first and which gave me the idea to use DSPAM on my own server.
We will be setting up DSPAM as a Postfix content filter, with usernames being taken from the virtual users table. DSPAM will be filtering through ClamAV and placing its signature at the bottom of all incoming messages. I have set up a single spam@mydomain.com and notspam@mydomain.com for retraining purposes. I am offering the WebUI to all of my users so that they can retrain en masse and tweak configuration settings as desired.
Assumptions:
I assume that you have already completed a "perfect install" of your distribution of choice and ISPConfig. My specific configuration is done on a "perfect install" of Ubuntu Server 6.06 "Dapper Drake".
References:
doc/appliance.txt
doc/mysql_drv.txt
First Draft
This first draft will be for technically knowledgeable people only, as it's basically a regurgitation of my config.
Dependency installation:
# apt-get install libapache2-mod-proxy-html libgd-gd2-noxpm-perl libgd-graph-perl clamav-dev clamav clamav-daemon
# a2enmod proxy
# a2enmod proxy_html
/etc/clamav/clamd.conf: (changes only)
#LocalSocket /var/run/clamav/clamd.ctl
#FixStaleSocket
TCPSocket 3310
TCPAddr 127.0.0.1
Restart clamd:
# /etc/init.d/clamav-daemon restart
DSPAM compile and install: (no CVS password)
# groupadd -g 2000 dspam
# useradd -g dspam -u 2000 dspam
# mkdir /usr/local/src
# cd /usr/local/src
# cvs -z3 -d :pserver:cvs@cvs.nuclearelephant.com:/usr/local/cvsroot login
# cvs -z3 -d :pserver:cvs@cvs.nuclearelephant.com:/usr/local/cvsroot checkout dspam
# cd dspam
# ./configure --enable-daemon --enable-clamav --enable-debug --enable-syslog \
    --enable-preferences-extension --enable-long-usernames --enable-domain-scale \
    --enable-virtual-users --with-dspam-home-owner=dspam --with-dspam-home-group=mail \
    --with-dspam-mode=2510 --with-dspam-owner=dspam --with-dspam-group=postfix \
    --with-storage-driver=mysql_drv --with-mysql-includes=/usr/include/mysql \
    --with-mysql-libraries=/usr/lib --with-logdir=/var/log/dspam \
    --prefix=/usr/local/dspam --with-delivery-agent=/usr/sbin/sendmail
# make -j5
# make install
# mysql -u root -p -e "create database dspam"
# mysql -u root -p -e "grant all on dspam.* to dspam@localhost identified by 'DSPAMSQLPASS'"
# mysql -u dspam -p dspam < src/tools.mysql_drv/mysql_objects-4.1.sql
# mysql -u dspam -p dspam < src/tools.mysql_drv/virtual_users.sql
# cp src/tools.mysql_drv/purge-4.1.sql /usr/local/dspam/var/dspam/purge.sql
# crontab -e
0 0 * * * /usr/bin/mysql -u dspam -p'DSPAMSQLPASS' dspam < /usr/local/dspam/var/dspam/purge.sql
/usr/local/dspam/etc/dspam.conf: (changes only)
Trust dspam
Trust postfix
Preference "spamAction=quarantine"
Preference "signatureLocation=message" # 'message' or 'headers'
Preference "showFactors=off"
#Preference "spamSubject=**SPAM**"
AllowOverride localStore
MySQLServer /var/lib/mysql/mysql.sock
#MySQLPort
MySQLUser dspam
MySQLPass DSPAMSQLPASS
MySQLDb dspam
MySQLCompress true
MySQLUIDInSignature on
#LocalMX 127.0.0.1
ParseToHeaders on
#ChangeModeOnParse on
ChangeUserOnParse user
ClamAVPort 3310
ClamAVHost 127.0.0.1
ClamAVResponse accept
/etc/postfix/master.cf: (changes/additions only)
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=dspam:
dspam     unix  -       n       n       -       10      pipe
  flags=Rhqu user=dspam argv=/usr/local/dspam/bin/dspam --deliver=innocent --user $user -i -f $sender -- $recipient
spam      unix  -       n       n       -       10      pipe
  flags=Ru user=dspam argv=/usr/local/dspam/bin/dspam --class=spam --source=error --user dspam
notspam   unix  -       n       n       -       10      pipe
  flags=Ru user=dspam argv=/usr/local/dspam/bin/dspam --class=innocent --source=error --user dspam
/etc/postfix/main.cf: (changes/additions only)
transport_maps = hash:/etc/postfix/transport
smtpd_client_restrictions = check_client_access pcre:/etc/postfix/dspam_filter_access
local_recipient_maps = proxy:unix:passwd.byname $transport_maps $alias_maps
dspam_destination_recipient_limit = 1
The smtpd_client_restrictions directive accesses the next file to ensure that only incoming mail is being scanned and tagged.
/etc/postfix/dspam_filter_access: (new file)
/./ FILTER dspam:dspam
The transport_maps directive accesses the next file in order to know what services to pipe to when postfix receives a message for my retraining addresses.
/etc/postfix/transport: (new file)
spam@mydomain.com spam
notspam@mydomain.com notspam
IIRC you should now be able to /etc/init.d/postfix restart and DSPAM will begin working its magic. Now we can set up the WebUI. Some may find my method to be overkill, but suexec causes problems in the default Ubuntu install since I like to keep things anally organized in my own way.
Download and compile Apache:
# mkdir /usr/local/dspam/webui
# chown dspam:dspam /usr/local/dspam/webui
# chmod 555 /usr/local/dspam/webui
# cd /usr/local/src
# wget http://ftp.wayne.edu/apache/httpd/httpd-2.2.3.tar.gz
# tar zxf httpd-2.2.3.tar.gz
# cd httpd-2.2.3
# ./configure --prefix=/usr/local/dspam/ --enable-rewrite --enable-cgi --disable-userdir \
    --enable-suexec --with-suexec-caller=www-data --with-suexec-docroot=/usr/local/dspam/webui \
    --with-suexec-uidmin=1000 --with-suexec-gidmin=1000 --enable-ssl --enable-so
# make -j5
# make install
# chmod 4755 /usr/local/dspam/bin/suexec
/usr/local/dspam/conf/httpd.conf: (changes/additions only)
ServerRoot "/usr/local/dspam/"
Listen 8081
User www-data
Group www-data
Include conf/extra/httpd-vhosts.conf
/usr/local/dspam/conf/extra/httpd-vhosts.conf: (changes/additions only)
NameVirtualHost 127.0.0.1:8081
<VirtualHost 127.0.0.1:8081>
DocumentRoot "/usr/local/dspam/webui"
ServerName 127.0.0.1
ErrorLog logs/antispam-error.log
TransferLog logs/antispam-access_log
RewriteEngine on
RewriteRule ^/$ /dspam.cgi [R]
SuexecUserGroup dspam dspam
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
<Directory "/usr/local/dspam/webui">
Options FollowSymLinks ExecCGI
AllowOverride None
Order deny,allow
Deny from all
AuthType Basic
AuthName "Antispam Control Panel"
AuthUserFile conf/htpasswd
require valid-user
Satisfy any
</Directory>
</VirtualHost>
Create the auth file and add a cron job to concatenate all the hashed user passwords of users created with ISPConfig:
# sudo su -c "cat `find /home/www -name .htpasswd` > /usr/local/dspam/conf/htpasswd"
# chown dspam:dspam /usr/local/dspam/conf/htpasswd
# crontab -e
0 5 * * * /bin/cat `/usr/bin/find /home/www -name .htpasswd` > /usr/local/dspam/conf/htpasswd
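The plain cat above fuses two entries into one broken line whenever a site's .htpasswd lacks a trailing newline, and the > redirect empties the live auth file before the new contents are complete. The following function is an added example (not part of the original walkthrough, nor of ISPConfig or DSPAM) that merges the files with duplicate detection and an atomic replace. The name merge_htpasswd and its optional group argument are assumptions.

```sh
#!/bin/sh
# Added example: rebuild the DSPAM WebUI htpasswd from ISPConfig's per-site files.
# merge_htpasswd is a hypothetical helper name; the paths in the usage line
# at the bottom are the ones used on this page.

# merge_htpasswd SRC_ROOT DEST [GROUP]
#   returns 0 on success, 2 if no entries were found (DEST is left untouched)
merge_htpasswd() {
    src_root=$1
    dest=$2
    group=${3:-}

    # Build the new file next to DEST so the final mv is an atomic rename.
    tmp=$(mktemp "$dest.XXXXXX") || return 1

    # "awk 1" re-emits every line with a newline terminator, so a file that
    # lacks a trailing newline cannot fuse its last entry with the next file.
    find "$src_root" -type f -name .htpasswd | sort |
    while IFS= read -r f; do
        awk 1 "$f"
    done |
    awk -F: '
        NF < 2 || $1 == "" { next }    # drop blank or malformed lines
        seen[$1]++ {                   # same login in a second site file
            print "duplicate user skipped: " $1 > "/dev/stderr"
            next
        }
        { print }
    ' > "$tmp"

    # Never replace a working auth file with an empty one.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi

    # Password hashes: readable by owner and (optionally) the web server group.
    if [ -n "$group" ]; then
        chgrp "$group" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 640 "$tmp"
    mv -f "$tmp" "$dest"
}

# Usage (as root, e.g. from cron):
#   merge_htpasswd /home/www /usr/local/dspam/conf/htpasswd www-data
if [ "$#" -ge 2 ]; then
    merge_htpasswd "$@"
fi
```

When the same login appears in more than one site file, the first one in sorted path order is kept and the rest are reported on stderr, so cron mail shows which accounts collide.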
Set up the WebUI directory:
# cp -R /usr/local/src/dspam/webui/cgi-bin/* /usr/local/dspam/webui/
# cp -R /usr/local/src/dspam/webui/htdocs/* /usr/local/dspam/webui/
# cd /usr/local/dspam/webui
# chown -R dspam:dspam *
# rm -rf Makefile* CVS
# rm -f templates/Makefile* templates/CVS
# chmod 444 *
# chmod 554 *.cgi
# chmod 555 templates
# chmod 444 templates/*
/usr/local/dspam/webui/configure.pl: (changes only)
$CONFIG{'DSPAM_ARGS'} = "--deliver=innocent --class=innocent " .
"--source=error --user %CURRENT_USER% -i -- %u";
$CONFIG{'LOCAL_DOMAIN'} = "mydomain.com";
The $CONFIG{'LOCAL_DOMAIN'} I changed is the second one in the file.
Next you will want to set your personal ISPC-created user/mailname as the WebUI admin. (e.g. My username is web7_blah)
# echo "USERNAME" > /usr/local/dspam/webui/admins
Now we will be finishing up.
We are setting up your front-facing package-installed Apache2 to proxy /antispam universally to the custom Apache2 install for DSPAM.
/etc/apache/apache2.conf: (changes only, added just after the icons are defined)
SetOutputFilter proxy-html
ProxyPass /antispam http://127.0.0.1:8081
ProxyPassReverse /antispam http://127.0.0.1:8081
ProxyHTMLURLMap http://127.0.0.1:8081 /antispam
<Location /antispam/>
ProxyHTMLURLMap / /antispam/
ProxyHTMLURLMap /antispam /antispam
</Location>
NOTE: If you have pre-existing ISPC users/mailnames, you will need to manually turn off all of their Antispam settings in the ISPC Users/Email section. If you don't do this, mail will be routed through SA after going through DSPAM:
Turn off Spam Assassin globally in ISPC:
Finally:
# /etc/init.d/apache2 restart
# /etc/init.d/ispconfig restart
Hope I didn't forget any of my steps. I'm sure I'll be yelled at soon enough if I did.


