[IMC-Tech] Re: [Imc-web] Email and imsahp Tue Aug 22 10:42 CDT reboot

Zach M leftistmuppet at gmail.com
Wed Aug 23 09:57:03 CDT 2006


I just upgraded clamav which had a recently discovered buffer overrun
that allowed a denial of service attack. The mail queue is now empty.
I suspect this may have been the problem.

There is no customer list. Someone has to generate one. Look at all
the mailman lists and all the virtual hosts in apache. Figure out who
runs each organization. Ask me about ones you can't figure out.

Mail works like this:

Postfix receives a message via smtpd.

The message is first passed to postgrey which does greylisting (if no
messages have been previously received from this
<sender,recipient,sender-ip> triple before, then delivery acceptance
is deferred for 300 seconds. Correctly configured mail daemons resend
every 5-15 minutes. Some spammers tend not to resend). Postgrey is a
service that gets a message on a localhost port and simply
returns an answer of whether the message should be accepted or
deferred.

When the message gets past postgrey it is sent to amavisd, which is a
spam and virus filtering daemon that coordinates spamassassin and
clamav. Amavis receives an SMTP style message on a localhost port and
then re-delivers an SMTP style message back to a special localhost
port on postfix.

Amavis sends the message to clamav for a virus check.

If the message passes clamav, Amavis sends the message through
spamassassin for a spam check.

If the message passed spamassassin, amavis sends the message back to
postfix for final delivery.

Things you can tweak: There are a number of envelope checks that
postfix can do that you could enable. You could prevent postfix from
ever even accepting certain messages from certain kinds of spam
sources (using black hole lists, using checks for non-RFC compliant
SMTP behavior, etc). Every one of these checks introduces the
possibility that ham will be lost forever without sender or recipient
knowing that it was mis-identified. These policies must be very
carefully researched and considered.

Spam assassin rules can be adjusted/updated.

Spamassassin rules live in /etc/spamassassin. In particular check out
/etc/spamassassin/local.cf

Postfix configs live in /etc/postfix. In particular check out
main.cf and master.cf.

Amavis configs live in /etc/amavis/amavisd.conf

Caught spam and virus mails live in /var/lib/amavis/virusmails (which
I occasionally rotate out since it has tens of thousands of messages
in it).

I have several utilities for redelivering caught spam at:
/home/wolfgang/bin/process_spam.pl and /etc/wolfgang/bin/redeliver_non_spam.pl

If you are going to use the spam redelivery programs PLEASE read them
carefully and understand what they do first. They are quick hacks that
I put together myself and I need you to understand them before running
them.
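The postgrey step described in the mail above, as an added example that is not postgrey's or Postfix's own code: a small Python policy decision that parses a Postfix SMTPD policy-delegation request and defers the first attempt from each <sender, recipient, client-ip> triple for 300 seconds. The sample request is constructed, and an in-memory dict stands in for postgrey's database.

```python
"""Greylisting in the style of the postgrey step described in the mail.
Added example, not postgrey's or Postfix's code: parses a Postfix SMTPD
policy-delegation request and defers the first attempt from each
<sender, recipient, client-ip> triple for DELAY_SECONDS."""
from __future__ import annotations

DELAY_SECONDS = 300  # the 300-second deferral from the mail

# Constructed sample request, in the name=value format Postfix sends to a policy service.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)

def parse_policy_request(raw: str) -> dict[str, str]:
    """Turn 'name=value' lines into a dict; a blank line ends the request."""
    attrs: dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class Greylist:
    """In-memory greylist keyed by the <sender, recipient, client-ip> triple."""

    def __init__(self, delay: int = DELAY_SECONDS) -> None:
        self.delay = delay
        self.first_seen: dict[tuple[str, str, str], float] = {}

    def decide(self, attrs: dict[str, str], now: float) -> str:
        triple = (attrs.get("sender", "").lower(),
                  attrs.get("recipient", "").lower(),
                  attrs.get("client_address", ""))
        first = self.first_seen.setdefault(triple, now)  # records first sight
        if now - first < self.delay:  # too soon: ask the sender to retry
            return "action=DEFER_IF_PERMIT Greylisted, try again later\n\n"
        return "action=DUNNO\n\n"  # no opinion: let the remaining checks run

def simulate(attempt_times: list[float]) -> list[str]:
    """Replay one triple's delivery attempts (seconds) and return the actions."""
    gl, attrs = Greylist(), parse_policy_request(SAMPLE_REQUEST)
    return [gl.decide(attrs, t).split()[0] for t in attempt_times]
```

A well-behaved MTA retrying after 10 minutes (`simulate([0, 600])`) is deferred once and then passed on; a sender that never retries (`simulate([0])`) never gets past the deferral.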

