# Gentoo/Postfix as spam-filter for Exchange?

## meulie

Hi all!

I have the following issue. Our corporate Exchange server currently gets all its email delivered via a couple of servers at our hosting provider. However, they only scan all email that passes through for viruses, not for spam.

I would like to stick a Gentoo box in between their servers and our Exchange server which does nothing but check all emails for spam, and if they're clean passes them on to the Exchange server.

I am planning on checking all emails against something similar like what I use at home:

```
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks
    check_client_access btree:/var/lib/drac/drac
    reject_unknown_sender_domain
    reject_unauth_destination
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.njabl.org
    reject_rbl_client bhnc.njabl.org
    reject_rbl_client zen.spamhaus.org
    reject_rhsbl_sender block.rhs.mailpolice.com
    reject_rhsbl_client block.rhs.mailpolice.com
    check_policy_service inet:127.0.0.1:10031
    permit
```

Are there any howto's written on something like this?

----------

## cach0rr0

I don't have the link handy, but there is indeed a "gentoo mail filter" guide (should be one of the first Google hits) that gives you a reasonably decent base spam filtering system.

Specific to your setup:

```
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.njabl.org
    reject_rbl_client bhnc.njabl.org
    reject_rbl_client zen.spamhaus.org
    reject_rhsbl_sender block.rhs.mailpolice.com
    reject_rhsbl_client block.rhs.mailpolice.com
```

Since you'll only ever be receiving connections from your ISP, these checks will provide absolutely zero benefit - the blacklisted hosts will never be connected to your filtering system directly, so their IP won't be exposed to these checks. 

I would take all of your RBL checks out of main.cf

Far as RBL go, it's been ~5 years since SpamCop has had an acceptable ratio of hits/misses/false positives. I never use the others individually, just rely on combined zones. 

To minimize the risk of false positives from something I don't control, only list I use at the perimeter is cbl.abuseat.org. I like their no-questions-asked delisting policy, agree with their policies for including hosts on the list, etc. 

The good news - spamassassin can parse the content of the message headers and extract IP's to be queried against these blacklists. 

If it helps, this is complete doc of my setup - https://whitehathouston.com/topics/index.php/WHHMail

Yours will differ of course, because you're delivering to Exchange as opposed to letting Postfix deliver locally. 

Ah yes, found the gentoo link - http://www.gentoo.org/doc/en/mailfilter-guide.xml

NOW...what I did for one group of folks, was follow that guide to the letter, get amavisd-new all configured...then unmerge it (keeping the bulk of the .conf files around), and dump in Maia Mailguard - a patched amavisd-new system, with an included web interface for end-user quarantine management...digest messages sent to the user reminding them to check blocked spam, things like that. 

Hope this is of some use.

----------
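The point made in the post above (smtpd-level RBL checks only ever see the ISP relay, while the original sender survives in the `Received` headers) as an added Python example; it is not code from the thread or from SpamAssassin. The message, the 192.0.2.0/24 relay network and the function names are constructed for illustration, and `resolve` is injectable so the lookup logic can be exercised offline.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample: mail handed to the filter box by the ISP relay (192.0.2.10).
RAW = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
\tby filter.corp.example (Postfix) with ESMTP id ABC123
\tfor <user@corp.example>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender.example (unknown [203.0.113.45])
\tby relay.isp.example (Postfix) with ESMTP id DEF456;
\tMon, 1 Jan 2024 10:00:01 +0000
Received: from [10.1.2.3] (helo=laptop)
\tby mail.sender.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: a@sender.example
To: user@corp.example
Subject: test

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def first_untrusted_ip(raw, trusted):
    """Walk Received headers newest-first; return the host that connected to the last trusted relay."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for hdr in message_from_string(raw).get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        try:
            ip = ipaddress.ip_address(m.group(1))
        except (AttributeError, ValueError):
            return None  # unparsable hop: stop, older headers are sender-controlled
        if not any(ip in n for n in nets):
            return str(ip)  # headers below this one can be forged, so never look further
    return None

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """A listed address resolves to 127.0.0.x; NXDOMAIN means not listed."""
    try:
        return resolve(dnsbl_name(ip, zone)).startswith("127.")
    except socket.gaierror:
        return False
```

With an empty trusted list the function returns the ISP relay itself, which is all a `reject_rbl_client` rule on the filter box would ever test.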

## cach0rr0

After having typed that long monstrosity... summary:

- Don't bother with RBLs within main.cf, you will have zero triggers since external hosts are never connecting to your Gentoo system
- Follow that Gentoo mail filter guide
- Get that all working properly
- Unmerge amavisd
- Install Maia Mailguard, and follow their doc to reconfigure their patched amavisd instance to log quarantine to MySQL. I have my .conf specific to this sitting around somewhere, if you need a guide.

----------

## meulie

Thanks for your long and short answer! :Cool:

I will definitely check it out. In the meantime I also came across MailScanner which looks quite promising for my situation.

----------

## richard.scott

What about this howto?

http://www.gentoo.org/doc/en/mailfilter-guide.xml

I've used amavisd-new for spam checking for years.

Rich.

----------

## meulie

*richard.scott wrote:*

> What about this howto?
>
> http://www.gentoo.org/doc/en/mailfilter-guide.xml

Is that one still 100% up-to-date? It was last edited in August 2007...

----------

## richard.scott

*meulie wrote:*

> Is that one still 100% up-to-date? It was last edited in August 2007...

It looks pretty much up to date.

The main part you want in your postfix/main.cf file is this:

```
content_filter = smtp-amavis:[127.0.0.1]:10024
```

Add this into your /etc/postfix/master.cf file:

```
127.0.0.1:10025 inet n        -       n     -       -  smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
```

This is so Amavisd-new can feed scanned messages back into Postfix and they don't get scanned again.

The part about tweaking /etc/amavisd.conf is a little out of date, so just go with the defaults for now.

Don't forget to emerge SpamAssassin too, otherwise you won't be checking much.

I also emerge ClamAV and bitdefender-console to virus check with.

Change the /etc/clamav.conf file and update the "User" line to be "User amavis" and then also update the /etc/amavisd.conf as in "code listing 2.12" on that howto so it points to the correct clamd socket file.

Apart from that, I think that's a basic setup.

Rich.

----------
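A check for the re-injection listener quoted in the post above, as an added Python example (not code from the thread or from the Gentoo guide). It verifies the overrides that prevent a filter loop and that keep the unfiltered port reachable from loopback only; the second service in the sample and all function names are constructed for illustration.

```python
# Constructed master.cf text: the listener from the post (shortened) plus a deliberately weak one.
MASTER_CF = """\
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
0.0.0.0:10026 inet n - n - - smtpd
  -o mynetworks=10.0.0.0/8
"""

def parse_services(text):
    """Return {service: {option: value}}; lines starting with whitespace continue a service."""
    services, opts = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = line.split()
        if not line[0].isspace():       # new entry: 7 fields, the command, then its args
            opts = services.setdefault(tokens[0], {})
            tokens = tokens[8:]
        if opts is None:
            continue
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o":
                name, _, value = arg.partition("=")
                opts[name] = value
    return services

def audit_reinjection(service, opts):
    """List what is wrong with a post-filter re-injection listener (empty list = OK)."""
    findings = []
    if not service.startswith(("127.0.0.1:", "[::1]:")):
        findings.append("not bound to loopback")
    if opts.get("content_filter") != "":
        findings.append("content_filter not cleared, scanned mail would loop")
    if opts.get("mynetworks") != "127.0.0.0/8":
        findings.append("mynetworks is not restricted to 127.0.0.0/8")
    if not opts.get("smtpd_recipient_restrictions", "").endswith("reject"):
        findings.append("recipient restrictions do not end in reject")
    return findings
```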

## arndawg

I used to have a similar setup but I eventually moved to a much simpler solution. http://www.untangle.com/

Just set Untangle in bridged mode before your mail server and install the spam and virus blockers. Good to go. :Smile:

----------

