Postfix + Spamassassin + procmail + spamass-milter

snt · 02-02-2010, 11:32 AM

Sorry if this is the wrong place.
I have Postfix and Spamassassin setup on Ubuntu Server 9.10. The mail is working perfectly. Spamassassin is correctly marking messages as spam. My problem is with the milter and procmail.
On past servers I was able to reject spam based on score via the spamass-milter. For whatever reason I can not get it to work. I have also tried with procmail, again, it does not work. Here are the relative lines in their respective config files:

postfix main.cf:

Code:

# Spamass-milter
milter_default_action = accept
smtpd_milters = unix:/var/run/spamass.sock
#non_smtpd_milters = unix:/var/run/spamass.sock

# mailbox_command = mailbox_command = procmail -a "$EXTENSION"
# mailbox_command = /usr/bin/procmail -f- -a "$USER"
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir

The commented lines are lines that I have tried before.

procmail:

Code:

:0
* ^X-Spam-Level: \*\*\*\*\*\*
/dev/null

spamass-milter:

Code:

# Reject emails with spamassassin scores > 15.
OPTIONS="-r 6"
# EXTRA_FLAGS="-r 6" -> Tried this too

None of this is working and I can not figure it out. I am sure I am missing something simple.

Thanks

Dave_Devnull · 02-02-2010, 11:46 AM

What do you have in MASTER.CF {not main} and /etc/default/spamass-milter ?

snt · 02-02-2010, 11:52 AM

Thanks for the reply

master.cf

Code:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
        -o content_filter=spamassassin


#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

spamassassin unix -     n       n       -       -       pipe
       user=spamd argv=/usr/bin/spamc -f -e  
       /usr/sbin/sendmail -oi -f ${sender} ${recipient}

spamass-milter:

Code:

# spamass-milt startup defaults

# OPTIONS are passed directly to spamass-milter.
# man spamass-milter for details

# Default, use the nobody user as the default user, ignore messages
# from localhost
#OPTIONS="-u spamass-milter -i 127.0.0.1"

# Reject emails with spamassassin scores > 15.
OPTIONS="-r 6"
#EXTRA_FLAGS="-r 6"

# Do not modify Subject:, Content-Type: or body.
#OPTIONS="-m"

######################################
# If /usr/sbin/postfix is executable, the following are set by
# default. You can override them by uncommenting and changing them
# here.
######################################
#SOCKET="/var/spool/postfix/spamass/spamass.sock"
#SOCKETOWNER="postfix:postfix"
#SOCKETMODE="0660"
######################################

Dave_Devnull · 02-02-2010, 12:11 PM

From your 'master.cf' it looks like you are using spamd, not the milter. I'm not using procmail, but I have two 8.10 machines, one using spamd, the other using the milter to reject at SMTP time (rather than just tag as an after-queue). On the milter box I have commented out the content filter line:

Code:

smtp      inet  n       -       -       -       10       smtpd
# spamassassin as a content filter (after queue)
#       -o content_filter=spamassassin  
#
...
<end lines>
# spamassassin re-inject point
#spamassassin unix -     n       n       -       -       pipe
#       user=spamd argv=/usr/bin/spamc -f -e
#       /usr/sbin/sendmail -oi -f ${sender} ${recipient}

And to make the milter work, I have this in main.cf

Code:

smtpd_milters = unix:/home/mail/private/samilter

{your path will obviously be different}.

With /etc/default/spamass-milter looking like this:

Code:

# spamass-milter startup defaults

# Default, use the spamass-milter user as the default user, ignore
# messages from localhost
OPTIONS="-u spamass-milter -i 127.0.0.1"

# Reject emails with spamassassin scores > 15.
OPTIONS="-r 15"

# Do not modify Subject:, Content-Type: or body.
#OPTIONS="-m"

My init.d scripts that start it up (/etc/init.d/spamass-milter)

Code:

#!/bin/sh
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/spamass-milter
SOCKET=/home/mail/email/private/samilter
DESC="milter plugin for SpamAssassin"
SOCKETOWNER="postfix:postfix"
#test -x $DAEMON || exit 0

start() {
        echo -n "Starting $DESC: "
        start-stop-daemon --start -b --exec $DAEMON --oknodo --user spamass-milter -- -r 11 -p $SOCKET
        #chown the socket
        /bin/sleep 5s
        chown $SOCKETOWNER $SOCKET
        echo "${DAEMON}"

        }
stop() {
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop --exec $DAEMON --oknodo
        /bin/sleep 5s
        /bin/rm -f $SOCKET
        echo "${DAEMON}"
        RETVAL=0
}
case $1 in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage: firewall {start|stop|restart}"
    RETVAL=1
esac

exit

Like I say, I'm not using procmail, but this works for me. I hope it is some use to you.

snt · 02-02-2010, 12:22 PM

Thanks for the reply Dave.

Maybe I am an idiot or something, but if I don't use spamd, then how does mail get tagged? I have the threshold at 3.5 to get tagged, but I want any at 6 or over getting rejected.

Dave_Devnull · 02-02-2010, 12:27 PM

The milter uses spamc to talk to spamd. You don't need to have master.cf push stuff through it. That's the job of the milter :-) I can tell you, when I set it up it took me three days to get it to work - hence I kept my notes :-)

I'd probably not reject at 7 myself - but that's a personal preference. This line in the init.d start script sets the reject score - in my case 11 (-r 11).

start-stop-daemon --start -b --exec $DAEMON --oknodo --user spamass-milter -- -r 11 -p $SOCKET
{This line is not perfect btw, but it works}

snt · 02-02-2010, 12:42 PM

I'll see how it works.

I have had way too much junk above 6.8, that being the lowest above my tag threshold of 3.5.
The important email addresses I have whitelisted anyway since they refuse to put a subject in their email.

Thanks again.

snt · 02-02-2010, 03:14 PM

As soon as I made the changes, Spam was not being tagged and the higher scores were not being rejected.
The mails are still being run through spamassassin which is evident by the headers. I would get a mail with a score of 13, but the subject was not being re-written and the mail did not get rejected.

Dave_Devnull · 02-03-2010, 01:44 AM

A couple of things from my milter system; I never see anything tagged as 'spam' as if it's spam, it's rejected. Looking back at my notes the big issues for me wwhen I set it up, was how it was started. If it was started without the correct parameters it did nothing. There were also issues with access to the unix socket, as it was running chrooted. What it did in the event of a failure was governed by 'milter_default_action = tempfail' in main.cf. You have yours set to 'accept' which {is a better setting as you won't 4xx legitimate mail} but will explain why it's coming through.

First port of call is to take a look through /var/log/mail.info and /var/log/mail.err and look/grep for lines mentioning spamass-milter or milter-reject. I suspect the milter is failing to do it's job.