Integrating DSPAM with Sendmail
Original author: JasonBradleyNance <aitrus@tresgeek.net>
This document outlines the setup of a typical Sendmail -> DSPAM -> Procmail system. If you don't use Procmail, then substitute your LDA where applicable.
Please read the documents that ship with the DSPAM source before attempting an install. This guide is merely step-by-step instructions adapted from the documentation and my own experiences.
Introduction
This installation was done on an RHEL4 server, but should work just fine on other distros with Sendmail -> Procmail setups. Substitute your distro's little quirks where necessary.
Additionally, MySQL 4.1 was used for the storage mechanism, which is now included in RHEL4. Substitute your storage driver and options where necessary as well. These instructions are known to work for the 3.2, 3.4, and 3.6 series of DSPAM, but have been updated specifically for the 3.6 series. The major change to be aware of is how your users report missed spam.
Disclaimer
This document has been written in good faith as a guide to setting up a service on your server. That being said, I cannot be held responsible for any actions described within that result in damage, data loss, or any other undesired effect. This is a guide, not a bible. Do research, read other documentation, use common sense, have backups, follow basic system administration standards and practices - including security - and above all, think about what you are doing.
Requirements
a working Sendmail -> Procmail setup
a working storage mechanism (MySQL, PostgreSQL, etc)
root privileges on the system that DSPAM is to be installed on
All of the commands in this guide should be run with root privileges. I recommend you use sudo.
Preparing your system
First, let's create a DSPAM user and group:
useradd -G mail,smmsp -M -d /var/dspam -s /sbin/nologin -r dspam
This creates a user dspam and a group dspam (this varies from distro to distro - you may need to create the dspam group by hand) who belongs to the groups mail and smmsp (-G). The user's home dir is NOT created (-M) (this will be done when we install DSPAM) but is set to /var/dspam (-d) (substitute with your --dspam-home). The user's shell is set to /sbin/nologin (-s) to disable logins, and the user is given a system uid (-r) (a uid less than 500), which is a Red Hat specific option.
Since we are going to run DSPAM in trusted mode, let's create an suid copy of procmail for it to run:
cp /usr/bin/procmail /usr/local/bin/procmail.dspam
chown root.dspam /usr/local/bin/procmail.dspam
chmod 550 /usr/local/bin/procmail.dspam
chmod u+s /usr/local/bin/procmail.dspam
The permissions on procmail.dspam are extremely important! An suid copy of Procmail that normal users can execute would let a malicious user run Procmail with root privileges. So be careful.
Since we are trusting DSPAM to handle some aspects of our mail, let's make a couple more changes to ensure a smooth flow:
chmod 2770 /var/spool/clientmqueue
chmod 2775 /var/spool/mail
chmod 660 /var/spool/mail/*
chgrp -R mail /var/spool/mail
chmod 2770 /var/spool/mqueue
If you set your /var/spool/mail/ directory to 2770, mail delivery will fail.
Sometimes, when new users are created, the user's spool permissions get set to 600. So far, this doesn't seem to be a problem since procmail.dspam is running as root, but keep it in mind if you see funky things happening.
Also, you will occasionally see warnings in your mail logs about the spool file being group writable. Ignore those since the group ownership is mail, and no standard user should be in the mail group anyway.
Compiling and installing DSPAM
Download the source from http://dspam.nuclearelephant.com/download.shtml
tar -zxf dspam-3.6.3.tar.gz
cd dspam-3.6.3
./configure \
--prefix=/usr/local \
--sysconfdir=/etc \
--with-dspam-home=/var/dspam \
--with-dspam-home-mode=2770 \
--with-dspam-home-group=dspam \
--with-delivery-agent=/usr/local/bin/procmail.dspam \
--with-storage-driver=mysql_drv \
--enable-preferences-extension \
--with-mysql-includes=/usr/include/mysql \
--with-mysql-libraries=/usr/lib/mysql
make
make install
This installs the DSPAM binaries to /usr/local/bin/, writes the config file as /etc/dspam.conf, tells DSPAM to use its MySQL storage driver, sets the local delivery agent to our suid copy of Procmail, stores preferences in the database, and sets up DSPAM's home tree in /var/dspam/.
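The ownership and modes set in "Preparing your system" and by the configure options above can be checked after installation with a short audit script. This is an added example, not part of the original guide or of DSPAM; the function names and the --audit switch are made up for illustration, the expected values are copied from the commands in this guide, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the guide): audit the ownership and modes that the
# chown/chmod commands and the configure options in this guide should produce.

# check_stat LABEL "MODE OWNER GROUP" WANT_MODE WANT_OWNER WANT_GROUP
# Compares one stat result with the expected values ("-" means "not checked").
# Prints each finding and returns 1 if there was at least one.
check_stat() {
    label=$1; want_mode=$3; want_owner=$4; want_group=$5
    set -- $2                      # split the stat line into mode, owner, group
    mode=$1; owner=$2; group=$3; rc=0
    [ "$mode" = "$want_mode" ] ||
        { echo "$label: mode $mode, expected $want_mode"; rc=1; }
    [ "$want_owner" = "-" ] || [ "$owner" = "$want_owner" ] ||
        { echo "$label: owner $owner, expected $want_owner"; rc=1; }
    [ "$want_group" = "-" ] || [ "$group" = "$want_group" ] ||
        { echo "$label: group $group, expected $want_group"; rc=1; }
    # The case the guide warns about: a setuid file that "other" users can reach.
    if [ $(( 0$mode & 04000 )) -ne 0 ] && [ $(( 0$mode & 07 )) -ne 0 ]; then
        echo "$label: setuid and accessible to other users"; rc=1
    fi
    return $rc
}

# audit_path PATH WANT_MODE WANT_OWNER WANT_GROUP   (GNU stat, as shipped on RHEL)
audit_path() {
    st=$(stat -c '%a %U %G' "$1" 2>/dev/null) || { echo "$1: missing"; return 1; }
    check_stat "$1" "$st" "$2" "$3" "$4"
}

# Paths and expected values as used in this guide.
audit_dspam_layout() {
    bad=0
    audit_path /usr/local/bin/procmail.dspam 4550 root dspam || bad=1
    audit_path /var/dspam                    2770 -    dspam || bad=1
    audit_path /var/spool/clientmqueue       2770 -    -     || bad=1
    audit_path /var/spool/mail               2775 -    mail  || bad=1
    audit_path /var/spool/mqueue             2770 -    -     || bad=1
    return $bad
}

# Run the audit only when asked for, e.g.: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_dspam_layout; exit $?; fi
```

Run it as root after make install; a non-zero exit status means at least one path differs from what this guide sets up.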
Setting up your storage container
There are already wiki entries for this. Check out the appropriate:
The recommended storage container is MySQL 4.1 or higher.
Configuring DSPAM
Now fire up your favorite editor and open up /etc/dspam.conf.
You'll notice that the settings you passed to the configure script have been written in where appropriate. Scan through this file, read all the great comments, and make changes where you feel they are necessary. You really should trust the defaults, though.
There are a couple additions we want to make. In the "Trusted Users" section, add:
Trust dspam
Under the "Preferences" section, I suggest you add:
Preference "spamAction=quarantine"
Preference "signatureLocation=message" # 'message' or 'headers'
Preference "showFactors=on"
Preference "enableBNR=on"
Preference "enableWhitelist=on"
Preference "statisticalSedation=5"
Preference "whitelistThreshold=10"
And under the "Storage driver settings" section, you need to provide the appropriate values for your container. If possible, I suggest you use a unix domain socket to talk to your MySQL server, which gives fast, low-overhead communication.
If you are using an sql server container, you will want to change the following under "Purge configuration":
PurgeSignature off
PurgeNeutral 90
PurgeUnused off
PurgeHapaxes off
PurgeHits1S off
PurgeHits1I off
Make sure you automate the running of the correct purge-4.1.sql script (i.e., use cron).
Since we are going to support a couple of ways for users to report missed spam and ham, make sure to set:
MySQLUIDInSignature on
ParseToHeaders on
ChangeUserOnParse on
Configuring Sendmail
Whew! We finally got to the actual MTA configuration. The Sendmail setup is easy.
First, let's tell Sendmail that dspam is okay.
ln -s /usr/local/bin/dspam /etc/smrsh/dspam
It should be noted that some people have reported problems when using Sendmail's restricted shell and DSPAM. This, however, has not been my experience.
Edit /etc/mail/trusted-users and include dspam in the list.
Edit /etc/mail/sendmail.mc and make the following changes:
define(`LOCAL_MAILER_PATH', `/usr/local/bin/dspam')dnl
define(`LOCAL_MAILER_ARGS', `dspam -t -Y -a $h "--deliver=innocent" --user $u -d %u')dnl
...
MAILER(local)dnl
The order that these directives appear in the config file is important! Also, make sure you comment out all references to PROCMAIL_MAIL_PATH, local_procmail (inside a FEATURE block), and MAILER(procmail).
Wildcard spam domain and spam/ham alias configuration
This setup will support both the "old" way of reporting spam (sending it to spam-username@dspam.my.dom) and the "new" easy way (sending spam to spam@my.dom and ham to ham@my.dom), which requires a storage engine that will put the UIDs in the signature. This way, if you have users who are already trained to forward the messages in the former method, it will still work while you introduce the latter method (which is ultimately more flexible, easier, and requires less setup). Using the second method also allows people to have their spam tagged instead of quarantined so that they can forward it on to the ham address easily.
Edit /etc/aliases and add the following lines:
spam: "|/usr/local/bin/dspam --user root --class=spam --source=error"
notspam: "|/usr/local/bin/dspam --user root --class=innocent --source=error"
dspam: "|/usr/local/bin/dspam"
Then run:
newaliases
Edit /etc/mail/virtusertable and add the following line:
@dspam.yourdomain.com dspam
Then run:
makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable
ACHTUNG! dspam.yourdomain.com must be a DNS A record to work. A CNAME will /NOT/ work.
Finally, edit /etc/mail/local-host-names and add:
dspam.yourdomain.com
When you have made all your changes, run:
make -C /etc/mail
Then restart sendmail.
That's it. Once you educate your users as to how to train DSPAM you will see your spam catch rate rise to over 90% very quickly.
Comments pertaining to this guide may be sent to: aitrus@tresgeek.net
