On Mon, 2004-06-28 at 21:04, Cowles, Steve wrote: > Travis Fraser wrote: > > Thank you for the smtpd_recipient_restrictions information. I have > > been using Postfix on a test network first, as you suggest. > > > > As far as implementing SpamAssassin with Postfix, I was looking at > > Mailscanner or amavisd-new. Do you have a simpler suggestion for > > calling SA from within the recipient_restrictions checks? > > Before I answer your post, be sure you define your e-mail requirements to > meet your needs. Mailscanner/Amavisd-new all have their purpose in life, > especially if you are implementing a high volume mail server that requires > both AV and SA to be called for each inbound e-mail. In my case, I admin a > low volume (2000+) e-mail a day postfix MTA which front-ends an Exchange > server. Furthermore, virus checking is done on the Exchange server, not > through postfix filtering. So implementing a product such as amavisd-new was > an unnecessary overhead in my opinion. Your requirements may differ. > > With the above in mind, I simply call SA using postfix's builtin filtering > capabilites as follows: > > 1) Get SA (spamd) running on your MTA first. I'll leave the details of > starting and verifying SA is working properly on your system to you. > > 2) In /etc/mail/master.cf, add the following: > filter unix - n n - 10 pipe > flags=Fq > user=spamassassin > argv=/usr/bin/spamc -f -x -e /usr/sbin/sendmail -i -f $sender $recipient > > NOTE: I limit postfix to spawning 10 instances of spamc simultainiously. > This meets my load requirements. Also, adjust the flags setting to meet your > requirements. The call to /usr/bin/sendmail is actully the postfix supplied > sendmail, not the sendmail MTA. The postfix supplied sendmail simply > re-injects the scanned (filtered) e-mail back into postfix on a pipe for > final delivery. > > 3) Add the following to /etc/postfix/main.cf smtpd_recipient_restrictions > section. > > smtpd_recipient_restrictions = > [snip...] > check_recipient_access hash:/etc/postfix/filtered_domains > permit > > 4) In /etc/postfix/filtered_domains add an entry for each of your hosted > domains: > mydomain1.com FILTER filter:spamassassin > mydomain2.com FILTER filter:spamassassin > mydomain3.com FILTER filter:spamassassin > > NOTE: My MTA is also a backup MX for another site, so I run spamassassin > only for e-mail being delivered to the domains that I host, not for e-mail > that is queued up on my MTA in a backup MX mode. Also, this stops outbound > e-mail from being processed by SA, but still allows Exchange to scan > outbound e-mail for viruses prior to submitting to postfix. > > 5) Build the /etc/postfix/filtered_domains database > # postmap /etc/postfix/filtered_domains > > 6) Reload postfix and test. Be sure you test from an external source, not a > system from your local network (mynetworks) or SA will not be called. > Remember the order specified in smtpd_recipient_restrictions. If you want to > test from a system on your network, move the call to check_recipient_access > above mynetworks. > > Again, the method I present above meets my requirements. This is NOT the > preferred method if you are running a high volume MTA. Especially if you > need to call both SA and AV filters for each inbound e-mail on your postfix > MTA. If that's the case, use amavisd-new or a product that meets your > requirements to perform filtering. > > Steve Cowles > Thank you for the SA with Postfix explanation. My mail server is not what you would call high-volume, just a couple of small domains. I have already setup SMTP AUTH with SASL and working on adding SSL/TLS. Travis Fraser
