Finally: Direct Postfix<->bogofilter integration

We’ve been running a pipeline our spam tagging and virus removal for a while. It was integrated into the pipeline via procmail, not directly into postfix.

Well, I finally figured out how to do one of the stages as an integrated tagger within postfix. Turns out to be fairly easy. And I didn’t create the method, I simply adapted it. We can always switch back to the other method if needed.

The original article was about integrating spamassassin into postfix. What I did was remarkably similar.


1st:

<code>adduser somefilter -s /sbin/nologin</code>

(note: I changed the user name to protect the innocent … change the user name to one not broadcast out to the world)

2nd: edit /etc/postfix/master.cf, and add the following

<code>spamfilter unix - n n - - pipe
           flags=Rq user=somefilter argv=/usr/local/bin/somefilter -f ${sender} -- ${recipient}
</code>

3rd: edit the line in /etc/postfix/master.cf that handles the SMTP traffic and add the filter

<code>smtp      inet  n       -       n       -       -       smtpd
        -o content_filter=spamfilter:dummy</code>

4th: create a file named /usr/local/bin/somefilter (noting that you want to name it something else so that the bad guys don’t know the name of an important file in your mail processing system, and make sure that this name is also represented in the 2nd step at the argv=/path/… setup)

<code>#!/bin/bash
/usr/bin/bogofilter -p -l | /usr/sbin/sendmail -i "$@"
exit $?
</code>

5th: fix ownership and permissions on this file (using the same caution on naming as in the 4th step)

<code>
chown somefilter /usr/local/bin/somefilter
chmod 755 /usr/local/bin/somefilter</code>

6th: restart postfix

postfix reload

Now bogofilter is integrated directly into the postfix MTA.

You can arguably use many filters in this manner. I am keeping spamassassin outside for the moment as the final arbiter of spamminess or not.

Mail runs though Clamav, bogofilter, and spamassassin. We can add additional filters for DSPAM and others as needed.

Viewed 14593 times by 3783 viewers

Facebooktwittergoogle_plusredditpinterestlinkedinmail

2 thoughts on “Finally: Direct Postfix<->bogofilter integration

  1. Joe, it seems that a lot of your time & energy goes towards securing your email. I know very little on the subject, only that an e-tailer whom I worked for in 2008 purchased Postini service (owned by Google). They were very happy with the result. Have you evaluated Postini?

    Radim

  2. @Radim

    Very little time or energy. This switch was about 2.5 minutes long.

    Actually one of the big arguments against using an external service for this is the loss of control over many things. For example, Yahoo email now purposefully gives 450 type messages out to all mailers. Which means that if you are hosting your mail on Yahoo, you have a problem if the remote MTA doesn’t like this. I discovered this while watching logs, and then googled it. Turns out Yahoo mail has been doing this for 3 years, and annoying an amazingly large array of users in the process. Curiously, it explains why Google mail is so peppy (they don’t do this), and yahoo mail is a crap-shoot as to whether or not you will get your mail in a reasonable time.

    Moreover, there are severe issues in terms of getting changes made on remote systems. You are at their mercy. Heaven forbid you need to make an emergency change out of normal business hours.

    No, the Postini and other hosted type services are for folks where email and general communications are an important, but not time sensitive part of their daily work.

    Basically its a cost benefit analysis. Ceding control costs you what and buys you what. Keeping control costs you what and buys you what. For us, keeping the control is strongly in our favor.

Comments are closed.