FOLLOW AT YOUR OWN RISK (I was forced into this by a badly behaving QMail)
# The mail queue is reconfigured when the MTA is switched, so any messages still in the queue at that point are lost.
# Stop the SMTP service first and let qmail deliver what is queued, then check that the queue is empty before switching
# Stop the SMTP service so no new mail arrives while the existing queue is dealt with
/usr/local/psa/admin/sbin/mailmng --stop-smtpd
# Confirm qmail-send is running; it has to be, to deliver what is already queued
ps -ef | grep qmail-send
# SIGALRM makes qmail-send reschedule every queued message for immediate delivery.
# This attempts delivery, it does not delete anything: check the queue afterwards
# (e.g. with qmail-qstat) and only switch MTA once it is empty or you accept the loss.
kill -ALRM `pidof qmail-send`
# Install the postfix component through the Plesk autoinstaller. This is the MTA
# switch itself: messages still sitting in the qmail queue at this point are lost.
/usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component postfix
# --enablerepo switches the atomic-testing repository on for this one transaction only.
# It is a testing channel on a production mail server: leave GPG checking on and read
# the list of packages yum wants to install or upgrade before confirming.
yum --enablerepo=atomic-testing install clapf
# Start the clapf daemon from its init script
/etc/init.d/clapf start
# Become user qscand (forcing bash as the shell), check the current Bayes database with sa-learn, back it up and exit
# Typed interactively: the lines after su run inside qscand's shell, and exit returns to root.
su -s /bin/bash qscand;
# Print the Bayes database counters; note them to compare against the restored copy later
sa-learn --dump magic
# Dump the Bayes database to a plain-text file in qscand's home directory
sa-learn --backup > ~/.spamassassin/bayes.txt;
exit;
# Move the backup into clapf's home. The source path is where the previous step wrote
# ~/.spamassassin/bayes.txt as qscand, i.e. qscand's home is taken to be /var/spool/qscan.
# NOTE(review): assumes /var/spool/clapf/.spamassassin/ already exists - verify.
mv /var/spool/qscan/.spamassassin/bayes.txt /var/spool/clapf/.spamassassin/bayes.txt;
# The moved file still belongs to qscand; hand it to clapf so the restore can read it
chown clapf:clapf /var/spool/clapf/.spamassassin/bayes.txt;
# Typed interactively: the lines after su run inside clapf's shell, and exit returns to root.
su -s /bin/bash clapf;
# Counters before the restore
sa-learn --dump magic;
# Load the backup taken from qscand into clapf's Bayes database
sa-learn --restore ~/.spamassassin/bayes.txt;
# Counters after the restore; they should now match what was noted for qscand
sa-learn --dump magic;
# Delete the plain-text dump once the restore has been confirmed
rm -f ~/.spamassassin/bayes.txt;
exit;
Remove the clapf entries from /etc/cron.d, /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly
vi /etc/clapf.conf
# Comment out the lines containing avg_addr, avg_port and spaminess_of_too_much_spam_in_top15;
# if you are not using avast!, Kaspersky or Dr.Web, comment out their lines as well
# Annotation lines in this listing start with #; check which comment character
# clapf.conf accepts before pasting them into the real file.
# check the following paths:
pidfile=/var/spool/clapf/clapf.pid
workdir=/var/spool/clapf/
quarantine_dir=/var/spool/clapf/quarantine/
# ensure ownership for these files/dirs is clapf.clapf
# NOTE(review): quarantine_dir presumably holds quarantined messages, so it should not
# be readable by other local users - confirm its mode as well as its owner.
# SpamAssassin Bayes is already tuned (from clamav) so the results can be trusted
# NOTE(review): the three values below look like spam-probability thresholds between 0 and 1;
# confirm their exact meaning against the clapf documentation before changing them.
spam_overall_limit=0.9
max_ham_spamicity=0.45
spaminess_oblivion_limit=0.99
# mysql
update_tokens=0
mysqlsocket=/var/lib/mysql/mysql.sock
mysqluser=clapf
# Placeholder: set your own strong password, the same one used in the MySQL grant.
# It is stored here in clear text, so /etc/clapf.conf should be readable only by
# root and the clapf user.
mysqlpwd=yourpassword
mysqldb=clapf
# comment out all other logging methods/lines
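create database clapf
grant all privileges on clapf.* to clapf@localhost identified by 'yourpassword' etc
(replace 'yourpassword' with a strong password of your own and use the same value for mysqlpwd in /etc/clapf.conf; the account is limited to localhost and to the clapf database, and if clapf turns out to need fewer rights than ALL, grant only those)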
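Download the matching version, http://clapf.acts.hu/download/clapf-0.4.3-rc2.tar.gz, locate db-mysql.sql in it for the db structure and populate the db. The link is plain HTTP, so check the tarball against a checksum or signature from the project if one is published, and read db-mysql.sql before loading it into MySQL.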
# nothing ever gets logged BTW, but seems to be required for full clapf functionality
# CONFIGURE POSTFIX
# Reduce backscatter and bounce messages: in Plesk, activate smtp-auth and uncheck the
# dnsbl feature in the mail server settings, save, then edit main.cf
vi /etc/postfix/main.cf
# fairly strict RBL; all accounts use submission port for SMTP, adjust to your taste/requirements
# Each list is evaluated left to right and the first matching entry decides, so order matters.
# permit_mynetworks and permit_sasl_authenticated come before the reject_rbl_client entries,
# so local and authenticated clients are never subject to the DNSBL lookups.
# A DNSBL is a third-party service: a new list can be trialled with a warn_if_reject prefix
# (logs instead of rejecting) before it is allowed to reject mail.
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client bogons.cymru.com
# Sender checks: the blacklists and non_auth.re maps live under /var/spool/postfix/plesk/;
# their contents are not shown here.
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender, reject_unauthenticated_sender_login_mismatch, reject_unknown_sender_domain, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
# reject_unauth_destination is the entry that keeps this server from being an open relay:
# do not remove it, and review anything placed before it that can return a permit.
# NOTE(review): no_relay.re is evaluated ahead of it and is not shown here - confirm what it can permit.
# reject_unverified_recipient makes Postfix probe the destination for the recipient address,
# which adds delay and outbound probe traffic - drop it if that is not wanted.
smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unverified_recipient
# From now on leave the settings for smtp-auth and dnsbl in Plesk -> mail server settings alone and these changes will stick. Changing max. message size, webmail frontend etc. has no effect on smtpd_client_restrictions in main.cf
# Next, tighten anti-spam measures - add the following:
# VRFY lets a client ask whether an address exists; disabling it stops that
# technique for harvesting email addresses
disable_vrfy_command = yes
# Hold rejections until the RCPT TO stage so the log records the sender and recipient
# of each rejected message, which makes it possible to monitor what is being rejected
smtpd_delay_reject = yes
# Require that the remote SMTP client sends EHLO/HELO at the beginning of the SMTP session
smtpd_helo_required = yes
# HELO restrictions. Both checks carry warn_if_reject, so they only log a warning
# (grep "reject_warning" in maillog) and reject nothing; non-FQDN names gave too many
# errors for our users. Remove warn_if_reject from a check to make it enforce.
# reject_non_fqdn_hostname is the older spelling of reject_non_fqdn_helo_hostname.
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, warn_if_reject reject_invalid_helo_hostname
# Block clients that send commands ahead of time instead of waiting for the server's reply
smtpd_data_restrictions = reject_unauth_pipelining
# Tarpit bots/spammers: once a client has made more than smtpd_soft_error_limit errors,
# each further reply is delayed; at smtpd_hard_error_limit the client is disconnected
smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
# Number of junk commands (NOOP, VRFY, ETRN, RSET) a remote SMTP client may send before
# each further one increments the error counter (default 100)
smtpd_junk_command_limit = 20
# Restart both daemons so the edited clapf.conf and main.cf take effect
/etc/init.d/clapf restart
/etc/init.d/postfix restart
# Follow the mail and ClamAV logs while sending test messages: look for configuration
# warnings from postfix, for reject_warning lines from the warn_if_reject helo checks,
# and confirm that mail for a non-local domain from an unauthenticated client is refused
tail -f /usr/local/psa/var/log/maillog /var/log/clamav/clamd.log /var/log/clamav/freshclam.log
This is probably not 100% exhaustive and your mileage may vary, but I have it working reliably on a busy RHEL5 server. I thought it was about time a working Postfix solution was documented. If you spot anything stupid/obvious/otherwise, reply...