MTA configuration
Please make sure you've read and executed all steps in Installation and configuration before configuring your MTA.
Postfix
Integrating spmfilter into the Postfix delivery process requires that Postfix is able to delegate messages to external content filters. The minimum version that provides content filtering is Postfix release-20010228. The integration can be done as a Before-Queue or an After-Queue filter.
- Set up spmfilter to act as a daemon listening on a free port.
- Configure your MTA to push every incoming message through spmfilter. The MTA is the public/default interface to the outside. Any incoming message will therefore automatically be scanned by spmfilter.
- spmfilter examines the content of the incoming messages. The result is reported back to the first MTA instance, which in turn reports this status back to the sender.
- Legitimate messages are re-injected by spmfilter into a second Postfix instance, which takes care of the "actual" delivery of the messages.
As mentioned, you need to set up a second instance of Postfix. Furthermore, the first instance has to be set up to push everything to spmfilter. This can be achieved by appending the following snippet to master.cf of Postfix (continuation lines must begin with whitespace):
pre-cleanup unix n - - - 0 cleanup
  -o virtual_alias_maps=
  -o canonical_maps=
  -o sender_canonical_maps=
  -o recipient_canonical_maps=
  -o masquerade_domains=
spmfilter unix - - n - - smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
  -o max_use=20
  -o smtp_send_xforward_command=yes
localhost:10025 inet n n n - - spawn
  user=mail argv=/usr/local/sbin/spmfilter
To gain more control over a cleanup service than receive_override_options offers, two (or more) cleanup services, each with its own set of options, must be run. A Postfix setup with more than one cleanup service is possible either with two separate Postfix instances, or by specifying the services and their options in the master.cf file of a single Postfix instance.
Message flow with two cleanup services:
1. Messages enter the Postfix system at the regular smtpd or pickup service.
2. The pre-cleanup cleanup service performs transformations and checks on these messages.
3. The qmgr service schedules the messages to be sent to the spmfilter content filter.
4. spmfilter executes all plugins on the messages.
5. Messages are re-injected into the Postfix mail system, sending them to a dedicated, local smtpd service.
6. The cleanup cleanup service performs transformations and checks that must be done at this stage, but omits the ones that have already been carried out in step 2.
The already existing cleanup service - having the service name cleanup - will be used to process messages that re-enter the Postfix mail system (also for delivery notifications and forwarding as generated internally by Postfix). Cleanup jobs that already have been performed by the pre-cleanup service should not be run again. The following example disables typical checks that have been run before or are not needed for internally generated notifications:
cleanup unix n - n - 0 cleanup
  -o mime_header_checks=
  -o nested_header_checks=
  -o body_checks=
  -o header_checks=
Furthermore, we need to modify both the smtp and pickup services to use our "pre-cleanup" service instead of the normal "cleanup" service. Modify the existing smtp and pickup services as follows:
smtp inet n - n - - smtpd
  -o cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup
  -o cleanup_service_name=pre-cleanup
To re-inject the e-mails back into Postfix, we have to set up the second Postfix instance. Note that spmfilter sends filtered mail to the nexthop destination (see Installation and configuration), so the port here should be the same as the one configured in spmfilter.conf.
# 2nd postfix instance
localhost:2525 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_milters,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
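An added example, not part of spmfilter or Postfix: a small Python check of the re-injection listener above that flags settings which would let mail skip the filter or be sent through it twice. The helper names parse_master_cf and audit_reinjection are hypothetical, the sample input is constructed from this page's snippet, and the expected values are the ones this page uses.

```python
import shlex

# Constructed sample: the page's re-injection listener, continuation lines indented.
SAMPLE = """\
# 2nd postfix instance
localhost:2525 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
smtp inet n - n - - smtpd
  -o cleanup_service_name=pre-cleanup
"""

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def parse_master_cf(text):
    """Return (service, type, command, {option: value}) per logical line."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:  # leading whitespace continues an entry
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    entries = []
    # Fields: service type private unpriv chroot wakeup maxproc command [args]
    for fields in (f for f in map(shlex.split, logical) if len(f) >= 8):
        args = fields[8:]
        opts = dict(arg.partition("=")[::2]
                    for flag, arg in zip(args, args[1:]) if flag == "-o")
        entries.append((fields[0], fields[1], fields[7], opts))
    return entries

def audit_reinjection(text, port="2525"):
    """List findings for the smtpd listener that receives filtered mail."""
    hits = [e for e in parse_master_cf(text)
            if e[1] == "inet" and e[2] == "smtpd" and e[0].rpartition(":")[2] == port]
    if not hits:
        return ["no smtpd listener on port " + port]
    name, _, _, opts = hits[0]
    findings = []
    if name.rpartition(":")[0] not in LOOPBACK:
        findings.append("listener not bound to loopback: clients could skip the filter")
    if opts.get("content_filter") != "":
        findings.append("content_filter not cleared: filtered mail goes to the filter again")
    rcpt = opts.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    if rcpt[-1:] != ["reject"]:
        findings.append("smtpd_recipient_restrictions does not end with reject")
    if opts.get("smtpd_authorized_xforward_hosts") != "127.0.0.0/8":
        findings.append("XFORWARD not limited to 127.0.0.0/8")
    return findings
```

Run audit_reinjection over the contents of your own master.cf, passing the port you configured as nexthop in spmfilter.conf; an empty list means the listener matches the settings shown on this page.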
Now the first instance of Postfix needs to push every incoming e-mail to our spmfilter service. To run spmfilter as an After-Queue filter, we need to add the following snippet to main.cf:
# The connection to our spmfilter
content_filter = spmfilter:[127.0.0.1]:10025
If spmfilter should run as a Pre-Queue filter instead, add the following line to the smtpd service in master.cf. Unlike content_filter, smtpd_proxy_filter takes a plain host:port endpoint rather than a transport:nexthop pair:
smtp inet n - n - - smtpd
  -o cleanup_service_name=pre-cleanup
  -o smtpd_proxy_filter=127.0.0.1:10025
Postfix is now completely configured. Restart it to apply the settings. Check your log files (e.g. /var/log/mail.log) to make sure you've made no mistakes and everything is up and running.