This is a disclaimer: 
Using the notes below is dangerous for both your sanity and peace of mind.  
If you still want to read them beware of the fact that they may be "not even wrong".

Everything I write in there is just a mnemonic device to give me a chance to
fix things I badly broke because I'm bloody stupid and think I can tinker with stuff
that is way above my head and go away with it. It reminds me of Gandalf's warning: 
"Perilous to all of us are the devices of an art deeper than we ourselves possess."

Moreover, a lot of it I blatantly stole on the net from other obviously cleverer 
persons than me -- not very hard. Forgive me. My bad.

Please consider it and go away. You have been warned!

(:#toc:)

Draft of the BIC Mail Infrastructure.

Old CVS tag, left for posterity 

###########################################################################
#
# $Id: bic-mail.txt,v 1.7 2013-10-24 19:51:10 malin Exp $
# $Author: malin $
# $Date: 2013-10-24 19:51:10 $
# 
###########################################################################

I like ascii diagrams so here it goes :) 

                ..> /var/spool/mqueue
                ..> /var/spool/mqueue-client
                .
                .                        
           ----------      ----------     ..>  /home/bic
  out <--> |smtphost| <--> |mailhost| ......>  /var/mail
           ----------      ----------     ..>  /var/spool/mqueue 
                ^                         ..>  /var/spool/mqueue-client
                |                        
                |          -------------              
                +--------- |nullclients|
                           -------------

In a nutshell: smtphost.bic.mni.mcgill.ca acts as a gateway for emails, sanitizing (virus and spams) inbound and outbound smtp connections. All hosts behind it at the BIC smarthost to it.

smtphost.bic.mni.mcgill.ca relays incoming mails to mailhost.bic.mni.mcgill.ca for final delivery. In a sense, smtphost.bic.mni.mcgill.ca is the edge box while mailhost.bic.mni.mcgill.ca is the core box.

Mailbox access using IMAP with TLS/SSL is available on mailhost using University of Washington server software, UW-imapd. Note that this will change soon as Debian/Wheezy don’t support it anymore. Testing is underway with dovecot.

smtphost runs 3 different type of Sendmail Mail Filter (Milters):

  • Greylist Milter for sendmail, milter-greylist version 4.5.11–1
  • milter for filtering mail through spamassassin, spamass-milter version 0.3.2–1+b1
  • CalmAV anti-virus utility for Unix - sendmail integration, clamav-milter version 0.99.2+dfsg-0+deb8u2
  • OpenDKIM (DomainKeys Identified Mail Signatures) Milter version 2.6.8 in testing mode at present time (20160113).

DNS Setup

bic.mni.mcgill.ca.   86400 IN  MX    10 krishna.bic.mni.mcgill.ca.
kurma                      IN  A     132.206.178.241
mail                       IN  CNAME krishna.bic.mni.mcgill.ca.
mailhost                   IN  CNAME tubal.bic.mni.mcgill.ca.
mailhub                    IN  CNAME tubal.bic.mni.mcgill.ca.
smtphost                   IN  CNAME krishna.bic.mni.mcgill.ca.
; --------[ Sender Policy Framework (SPF) for domain ] ----------
bic.mni.mcgill.ca. IN TXT "v=spf1 a:smtphost.bic.mni.mcgill.ca. mx ip4:132.206.178.246 ~all"

; --------[ googgle site verification dung ] ----------
bic.mni.mcgill.ca. IN TXT "google-site-verification=gA-rxpZ4fHj09quaKKaDAr2ykkHLIMji8-9mlnY7kpM"

; --------[ DomainKeys Identified Mail (DKIM) for domain ] ----------
kurma._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGS....jXESkwIDAQAB" ; ----- DKIM kurma for bic.mni.mcgill.ca in test mode t=y

EDGE SMTPHOST

  • MX record for bic.mni.mcgill.ca points to krishna.bic.mni.mcgill.ca.. Note that one should not use the CNAME smtphost.bic.mni.mcgill.ca for an MX. Allways use the True Name for an MX record. Using CNAMEs for MX records is considered a Sin.
  • No aliasing, no forwards, no NIS, no lusers info, no home dirs for lusers, ie no lusers logins allowed and no disks mounted except maybe the Debian mirror stuff for updates/upgrades.
  • The only luser information on smtphost consists of luser remapping namespace through the virtusertable and genericstable databases to rewrite addresses <luser> → <joe.doe@bic.mni.mcgill.ca> and the users who are greylisted (/etc/mail/greylist.conf)
  • This box is essentially an email sanitizer. Nothing is written to disk except for /var/spool/mqueue (outbound connections timeouts) or /var/spool/mqueue-client for inbound connections timeouts to the mailhost
  • All inbound or outbound messages are miltered using ClamAV, SpamAssassin and GreyList for virii and spams.
  • Third-party ClamAV signature databases provided by Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, INetMsg and ScamNailer are also used.
  • GreyList is configured to whitelist all traffic originating from the bic.mni.mcgill.ca domain. Greylisting and blacklisting is done in smtphost:/etc/mail/greylist.conf. The milter will detect changes in that file and will automatically reloads itself when it is modified.
  • The greylist milter on smtphost is SPF-aware and an entry in our DNS maps exists so that ONLY emails originating from our core smtp server is considered legit. Note: SPF HAS BEEN RE-ENABLED
  • Spams are tagged but not discarted: it’s up to the user to intercept them with a procmail recipe (or whatever they fancy) and set its own tolerance level.
  • If virii are detected, plonk! the message is discarded, no question asked. No bounce is generated either as it just generates more crap traffic and, anyways, the return address of such mail is bogus the vast majority of time.
  • Clean inbound mail is relayed to mailhost.bic.mni.mcgill.ca for final delivery in /var/mail or rerouted depending on aliases and/or forward files and users preferences.
  • Outbound mail coming from nullclients or mailhost.bic.mni.mcgill.ca is miltered and, if clean, sent out. Headers and envelope are masqueraded as ‘bic.mni.mcgill.ca’.
  • smtphost.bic.mni.mcgill.ca should have MAIL_HUB set to ``mailhost.bic.mni.mcgill.ca.′ in sendmail.mc:

(:source:) 

 define(MAIL_HUB’, `mailhost.bic.mni.mcgill.ca.’)

(:sourceend:)

  • /etc/mail/local-host-names on smtphost.bic.mni.mcgill.ca should contain the name of all hosts considered local, ie, inbound mail directed to them will be considered local (in class =$w) and sent to mailhost.bic.mni.mcgill.ca for final delivery.
  • virtusertable and generistable must be setup on smtphost.bic.mni.mcgill.ca as outbound mail from a nullclient is not processed on mailhost. This is the only place where users info is required on smtphost.bic.mni.mcgill.ca if one wants to remap users addresses.
  • Relaying using smtphost.bic.mni.mcgill.ca is specified in the file /etc/mail/access. Only BIC hosts can relay.

Sendmail Config

Version info: 

ii  sendmail         8.14.4-8+deb8u2  powerful, efficient, and scalable Mail Transport Agent (metapackage)
ii  sendmail-base    8.14.4-8+deb8u2  powerful, efficient, and scalable Mail Transport Agent (arch independent files)
ii  sendmail-bin     8.14.4-8+deb8u2  powerful, efficient, and scalable Mail Transport Agent
ii  sendmail-cf      8.14.4-8+deb8u2  powerful, efficient, and scalable Mail Transport Agent (config macros)

Sendmail is TCP wrapped as it is linked with libwrap: 

root@krishna:/etc/mail# ldd /usr/sbin/sendmail | grep libwrap
        libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007fe537835000)

so one must setup proper access for smtphost in /etc/hosts.allow (:source:) sendmail: ALL (:sourceend:)

First, configure sendmail’s /etc/mail/sendmail.conf with the following values. Essentially they specify that sendmail will run as listener and queue runner with 10 minutes interval to run the queues. DAEMON_MAILSTATS=“Yes” is for Munin statistics collection.

(:source:) root@kurma:~# ~malin/bin/crush /etc/mail/sendmail.conf DAEMON_NETMODE=“Static”; DAEMON_NETIF=“eth0”; DAEMON_MODE=“Daemon”; DAEMON_PARMS=“ ”; DAEMON_HOSTSTATS=“No”; DAEMON_MAILSTATS=“Yes”; QUEUE_MODE=“${DAEMON_MODE}”; QUEUE_INTERVAL=“10m”; QUEUE_PARMS=“ ”; MSP_MODE=“Daemon”; MSP_INTERVAL=“10m”; MSP_PARMS=“ ”; MSP_MAILSTATS=“${DAEMON_MAILSTATS}”; MISC_PARMS=“ ”; CRON_MAILTO=“root”; CRON_PARMS=“ ”; LOG_CMDS=“No”; HANDS_OFF=“No”; AGE_DATA=“ ”; DAEMON_RUNASUSER=“No”; DAEMON_STATS=“${DAEMON_MAILSTATS}”; MSP_STATS=“${MSP_MAILSTATS}”; (:sourceend:)

Now the hard ones: /etc/mail/sendmail.mc and /etc/mail/submit.mc.

I won’t comment on every single features in these files since that would require rewritting the Bat Book!

sendmail.mc

  • Remove the default Message Submission Agent (MSA) and configure the daemon options:

(:source:) FEATURE(`no_default_msa’)dnl DAEMON_OPTIONS(Port=smtp, Name=MTA’)dnl (:sourceend:)

  • Masquerade as the BIC and define a MAIL_HUB for local delivery (there is no local delivery so below we undefine it):

(:source:) dnl # MASQUERADE_AS(`bic.mni.mcgill.ca’)dnl define(MAIL_HUB’, `mailhub.bic.mni.mcgill.ca.’)dnl dnl # (:sourceend:)

  • Undefine a bunch of stuff not needed on the edge server:

(:source:) dnl # Undefine those as they are not needed for this server. undefine(FORWARD_PATH’)dnl undefine(ALIAS_FILE’)dnl undefine(UUCP_RELAY’)dnl undefine(BITNET_RELAY’)dnl undefine(DECNET_RELAY’)dnl undefine(FAX_RELAY’)dnl dnl # (:sourceend:)

  • Log level and paranoia/security level
    • Note: goaway is a short hand for authwarnings, noexpn, novrfy, noverb, needmailhelo, needexpnhelo, needvrfyhelo, nobodyreturn
    • noreceipts is usually recommended as it might be useful DSN (Delivery S? Notification).

(:source:) dnl # define(`confLOG_LEVEL’,`9’)dnl define(`confPRIVACY_FLAGS’,`goaway,restrictmailq,restrictqrun,nobodyreturn,noreceipts’)dnl dnl # (:sourceend:)

  • Fine tune different windows lengths and throttling values to repel the cockroaches-spammers. Also set the maximum number of daemon children to 500, the timezone, the load average values for queuing only and connections delay and refusal (24,32,36), the maximum message size (10MB), and the number of days for deletion of undelivered queued messages (3d):

(:source:) dnl # dnl # Define connection throttling and window length define(`confCONNECTION_RATE_THROTTLE’, `10’)dnl define(`confCONNECTION_RATE_WINDOW_SIZE’,`60s’)dnl define(`confMAX_DAEMON_CHILDREN’, `500’)dnl define(`confTIME_ZONE’,EST5EDT’)dnl define(`confQUEUE_LA’,`24’)dnl define(`confDELAY_LA’,`32’)dnl define(`confREFUSE_LA’,`36’)dnl define(`confTO_ICONNECT’, `15s’)dnl define(`confTO_CONNECT’, `3m’)dnl define(`confTO_HELO’, `5m’)dnl define(`confTO_MAIL’, `5m’)dnl define(`confTO_RCPT’, `5m’)dnl define(`confTO_DATAINIT’, `2m’)dnl define(`confTO_DATABLOCK’, `10m’)dnl define(`confTO_DATAFINAL’, `10m’)dnl define(`confTO_RSET’, `5m’)dnl define(`confTO_QUIT’, `2m’)dnl define(`confTO_MISC’, `2m’)dnl define(`confTO_COMMAND’, `5m’)dnl define(`confTO_STARTTLS’, `2m’)dnl define(`confMAX_MESSAGE_SIZE’,`10485760’)dnl define(`confDONT_PROBE_INTERFACES’,True’)dnl define(`confTO_QUEUERETURN’,`3d’)dnl dnl # (:sourceend:)

  • Security by obscurity: hide sendmail and .mc versions from the greetings, Received: headers and HELP command.

Note: using define(`HELP_FILE',`') will actually display sendmail version! Better to simply zero out the helpfile. (:source:) dnl # Some security by obscurity. dnl # Hide sendmail version from greeting, headers and help. dnl # Default greeting is `$j Sendmail $v/$Z; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.’ dnl # Remove the chunk “Sendmail $v/$Z”: define(`confSMTP_LOGIN_MSG’,`$j MTA ready and waiting; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.’)dnl dnl # The HReceived header is defined in /usr/share/sendmail/cf/m4/proto.m4 dnl # as: HReceived: confRECEIVED_HEADER dnl # confRECEIVED_HEADER in turn is build among other things from _REC_BY_ in /usr/share/sendmail/cf/m4/cfhead.m4 dnl # with default `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}’. dnl # Remove the ($v/$Z) chunk that displays the sendmail ($v) and m4 config file version ($Z): define(`_REC_BY_’, `$.by $j $?r with $r$. id $i$?{tls_version}’)dnl dnl # Remove the help file so the HELP command shows nothing: dnl define(HELP_FILE’,’)dnl (:sourceend:)

  • Different sets of features for domain masquerading, flat files and databases defines:

(:source:) dnl # GENERICS_DOMAIN_FILE(÷etc/mail/generics_domain’)dnl FEATURE(`masquerade_envelope’)dnl FEATURE(`always_add_domain’)dnl FEATURE(`redirect’)dnl FEATURE(`use_ct_file’)dnl FEATURE(`use_cw_file’)dnl FEATURE(`access_db’)dnl FEATURE(`blacklist_recipients’)dnl FEATURE(`genericstable’)dnl FEATURE(`genericstable’)dnl FEATURE(`virtusertable’)dnl dnl # (:sourceend:)

  • Even more stuff for the cockroaches shit-heads:

(:source:) dnl # dnl # The greet_pause feature stops some automail bots - but check the dnl # provided access db for details on excluding localhosts… dnl # Must be put after the FEATURE(`access_db’) line. FEATURE(`greet_pause’, `5000’)dnl 5 seconds dnl # dnl # Delay_checks allows sender↔recipient checking FEATURE(`delay_checks’, `friend’, `n’)dnl dnl FEATURE(`delay_checks’, `hater’, `n’)dnl dnl # dnl # If we get too many bad recipients, slow things down… dnl # Argument is the number of bad recipients. define(`confBAD_RCPT_THROTTLE’,`1’)dnl dnl # dnl # Stop connections that overflow our concurrent and time connection rates FEATURE(`conncontrol’, `nodelay’, `terminate’)dnl FEATURE(`ratecontrol’, `nodelay’, `terminate’)dnl dnl # dnl # DNS Black Listing. dnl # /JF/ 20160115. spamhaus.org has merged the SBL-XBL and PBL DNS zones to one zone, ZEN. dnl # dnl FEATURE(`enhdnsbl’, `sbl-xbl.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.2.’)dnl dnl FEATURE(`enhdnsbl’, `sbl-xbl.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.3.’)dnl dnl FEATURE(`enhdnsbl’, `sbl-xbl.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.4.’)dnl dnl FEATURE(`enhdnsbl’, `sbl-xbl.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.5.’)dnl dnl FEATURE(`enhdnsbl’, `sbl-xbl.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.6.’)dnl dnl # FEATURE(`enhdnsbl’, `zen.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.2.’)dnl FEATURE(`enhdnsbl’, `zen.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.4.’)dnl FEATURE(`enhdnsbl’, `zen.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.10.’)dnl FEATURE(`enhdnsbl’, `zen.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.11.’)dnl dnl # (:sourceend:)

  • Finally the Milter stuff, again to repel the cockroaches slime-balls:

Explicitely include the m4 files necessary for the clamav milter since the packagers didn’t include them in the default sendmail m4 tree /usr/share/sendmail/cf. I stuff them in /etc/mail/m4.

(:source:) dnl # dnl # Milters dnl # dnl #/JF/ INPUT_MAIL_FILTER options declares the Milters and also set their processing order. dnl # See the Bat Book, 4th Ed., Section 26.2.2 The InputMailFilters Option dnl # dnl #/JF/ greylist milter is already setup by FEATURE(`milter-greylist’) above. dnl INPUT_MAIL_FILTER(`greylist’, `S=local:/var/run/milter-greylist/milter-greylist.sock, F=, T=S:4m;R:4m′)dnl FEATURE(`milter-greylist’)dnl dnl #/JF/ clamav is already setup by the use of the include(÷etc/mail/m4/clamav-milter.m4’) dnl INPUT_MAIL_FILTER(`clamav’, `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m′)dnl include(÷etc/mail/m4/clamav-milter.m4’)dnl INPUT_MAIL_FILTER(`spamassassin’, `S=local:/var/run/spamass/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m′)dnl INPUT_MAIL_FILTER(`opendkim’, `S=local:/var/run/opendkim/opendkim.sock, F=, T=C:10m;S:10m;R:20m;E:20m′)dnl dnl # dnl #/JF/ INPUT_MAIL_FILTERS option defines the processing order of the Milters. dnl # Needed only if MAIL_FILTER is used rather than the INPUT_MAIL_FILTER macros dnl # or if one needs/wants to force a specific Milter calling order. dnl define(`confINPUT_MAIL_FILTERS’, ``clamav,greylist,spamassassin,opendkim′)dnl dnl # dnl #/JF/ Modify the Milters End-of-Message handling routine from its default, ${msg_id}. dnl # See the Bat Book, 4th ed., Section 24.9.76.8 Milter.macros.eom define(`confMILTER_MACROS_EOM’, confMILTER_MACROS_EOM``, {mail_addr}, {rcpt_addr}, i′)dnl dnl # (:sourceend:)

The MILTER_MACROS_EOM thingie at the end is needed in order for the clamAV milter to log and report in verbose mode. More on this in the Bat Book, 4th ed., Section 24.9.76.8 Milter.macros.eom.

  • At last, the mailer define:

(:source:) dnl # Mailer definitions. local is not needed as nothing is delivered locally. dnl MAILER(local)dnl MAILER(smtp)dnl (:sourceend:)

  • For completeness, here it is in all its glory:

(:source:) divert(−1)dnl

  1. -----------------------------------------------------------------------------
  2. $Sendmail: debproto.mc,v 8.14.3 2010–09–21 11:05:34 cowboy Exp $
  4. Copyright (c) 1998–2009 Richard Nelson. All Rights Reserved.
  6. cf/debian/sendmail.mc. Generated from sendmail.mc.in by configure.
  8. sendmail.mc prototype config file for building Sendmail 8.14.3
  10. Note: the .in file supports 8.7.6 - 9.0.0, but the generated
  11. file is customized to the version noted above.
  13. This file is used to configure Sendmail for use with Debian systems.
  15. If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
  16. by running this file through the m4 preprocessor via one of the following:
  17. * make (or make -C /etc/mail)
  18. * sendmailconfig
  19. * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
  20. The first two options are preferred as they will also update other files
  21. that depend upon the contents of this file.
  23. The best documentation for this .mc file is:
  24. /usr/share/doc/sendmail-doc/cf.README.gz
  26. -----------------------------------------------------------------------------

divert(0)dnl

  2. Copyright (c) 1998–2005 Richard Nelson. All Rights Reserved.
  4. This file is used to configure Sendmail for use with Debian systems.

define(`_USE_ETC_MAIL_’)dnl include(÷usr/share/sendmail/cf/m4/cf.m4’)dnl VERSIONID(`$Id: sendmail.mc, v 8.14.3–9.4 2010–09–21 11:05:34 cowboy Exp $’) OSTYPE(`debian’)dnl DOMAIN(`debian-mta’)dnl undefine(`confHOST_STATUS_DIRECTORY’)dnl #DAEMON_HOSTSTATS= FEATURE(`no_default_msa’)dnl DAEMON_OPTIONS(Port=smtp, Name=MTA’)dnl MASQUERADE_AS(`bic.mni.mcgill.ca’)dnl MASQUERADE_EXCEPTION(`omega.bic.mni.mcgill.ca’) define(MAIL_HUB’, `mailhub.bic.mni.mcgill.ca.’)dnl undefine(FORWARD_PATH’)dnl undefine(ALIAS_FILE’)dnl undefine(UUCP_RELAY’)dnl undefine(BITNET_RELAY’)dnl undefine(DECNET_RELAY’)dnl undefine(FAX_RELAY’)dnl define(`confLOG_LEVEL’,`9’)dnl define(`confPRIVACY_FLAGS’,``goaway,restrictexpand,restrictmailq,restrictqrun,noreceipts′)dnl define(`confCONNECTION_RATE_THROTTLE’, `10’)dnl define(`confCONNECTION_RATE_WINDOW_SIZE’,`60s’)dnl define(`confMAX_DAEMON_CHILDREN’, `500’)dnl define(`confTIME_ZONE’,EST5EDT’)dnl define(`confQUEUE_LA’,`24’)dnl define(`confDELAY_LA’,`32’)dnl define(`confREFUSE_LA’,`36’)dnl define(`confTO_ICONNECT’, `15s’)dnl define(`confTO_CONNECT’, `3m’)dnl define(`confTO_HELO’, `5m’)dnl define(`confTO_MAIL’, `5m’)dnl define(`confTO_RCPT’, `5m’)dnl define(`confTO_DATAINIT’, `2m’)dnl define(`confTO_DATABLOCK’, `10m’)dnl define(`confTO_DATAFINAL’, `10m’)dnl define(`confTO_RSET’, `5m’)dnl define(`confTO_QUIT’, `2m’)dnl define(`confTO_MISC’, `2m’)dnl define(`confTO_COMMAND’, `5m’)dnl define(`confTO_STARTTLS’, `2m’)dnl define(`confMAX_MESSAGE_SIZE’,`10485760’)dnl define(`confDONT_PROBE_INTERFACES’,True’)dnl define(`confTO_QUEUERETURN’,`3d’)dnl define(`confSMTP_LOGIN_MSG’,`$j MTA ready and waiting; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.’)dnl define(`_REC_BY_’, `$.by $j $?r with $r$. id $i$?{tls_version}’)dnl GENERICS_DOMAIN_FILE(÷etc/mail/generics_domain’)dnl FEATURE(`masquerade_envelope’)dnl FEATURE(`always_add_domain’)dnl FEATURE(`redirect’)dnl FEATURE(`use_ct_file’)dnl FEATURE(`use_cw_file’)dnl FEATURE(`access_db’)dnl FEATURE(`blacklist_recipients’)dnl FEATURE(`genericstable’)dnl FEATURE(`virtusertable’)dnl FEATURE(`greet_pause’, `5000’)dnl 5 seconds FEATURE(`delay_checks’, `friend’, `n’)dnl define(`confBAD_RCPT_THROTTLE’,`1’)dnl FEATURE(`conncontrol’, `nodelay’, `terminate’)dnl FEATURE(`ratecontrol’, `nodelay’, `terminate’)dnl FEATURE(`enhdnsbl’, `zen.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.2.’)dnl FEATURE(`enhdnsbl’, `zen.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.4.’)dnl FEATURE(`enhdnsbl’, `zen.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.10.’)dnl FEATURE(`enhdnsbl’, `zen.spamhaus.org’, ”550 5.7.1 ACCESS DENIED to “$&{client_name}” using Spamhaus Anti-Spam DNSBL - (see http://www.spamhaus.org/SBL)” ’, `t’, ½7.0.0.11.’)dnl FEATURE(`milter-greylist’)dnl include(÷etc/mail/m4/clamav-milter.m4’)dnl INPUT_MAIL_FILTER(`spamassassin’, `S=local:/var/run/spamass/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m′)dnl INPUT_MAIL_FILTER(`opendkim’, `S=local:/var/run/opendkim/opendkim.sock, F=, T=C:10m;S:10m;R:20m;E:20m′)dnl define(`confMILTER_MACROS_EOM’, confMILTER_MACROS_EOM``, {mail_addr}, {rcpt_addr}, i′)dnl MAILER(smtp)dnl (:sourceend:)

submit.mc

  • The only line really required is for the message submission program (MSP) to listen to localhost: FEATURE(`msp', `[127.0.0.1]')dnl
  • By default, if not specified, the listening port is SMTP (25).
  • Use FEATURE(`msp', `[127.0.0.1]', `MSA')dnl to submit mail to port MSA (587) on localhost.
  • In that case, in sendmail.mc the DAEMON_OPTIONS must also be specified: DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1′)dnl
  • Hide the MSP version from the Received: headers by modifying define(`_REC_BY_', `$.by $j $?r with $r$. id $i$?{tls_version}')
  • See the section Security By Obscurity And Obfuscation for more details.

(:source:) divert(−1)dnl

  1. -----------------------------------------------------------------------------
  2. $Sendmail: submit.mc,v 8.14.3 2010–09–21 11:05:34 cowboy Exp $
  4. Copyright (c) 2000–2009 Richard Nelson. All Rights Reserved.
  6. cf/debian/submit.mc. Generated from submit.mc.in by configure.
  8. submit.mc prototype config file for building Sendmail 8.14.3
  10. Note: the .in file supports 8.7.6 - 9.0.0, but the generated
  11. file is customized to the version noted above.
  13. This file is used to configure Sendmail for use with Debian systems.
  15. If you modify this file, you will have to regenerate /etc/mail/submit.cf
  16. by running this file through the m4 preprocessor via one of the following:
  17. * make (or make -C /etc/mail)
  18. * sendmailconfig
  19. * m4 /etc/mail/submit.mc > /etc/mail/submit.cf
  20. The first two options are preferred as they will also update other files
  21. that depend upon the contents of this file.
  23. The best documentation for this .mc file is:
  24. /usr/share/doc/sendmail-doc/cf.README.gz
  26. -----------------------------------------------------------------------------

divert(0)dnl

  2. Copyright (c) 2000–2002 Richard Nelson. All Rights Reserved.
  4. This file is used to configure Sendmail for use with Debian systems.

define(`_USE_ETC_MAIL_’)dnl include(÷usr/share/sendmail/cf/m4/cf.m4’)dnl VERSIONID(`$Id: submit.mc, v 8.14.3–9.4 2010–09–21 11:05:34 cowboy Exp $’) OSTYPE(`debian’)dnl DOMAIN(`debian-msp’)dnl dnl # Some security by obscurity. dnl # The HReceived header is defined in /usr/share/sendmail/cf/m4/proto.m4 dnl # as: HReceived: confRECEIVED_HEADER dnl # confRECEIVED_HEADER in turn is build among other things from _REC_BY_ in /usr/share/sendmail/cf/m4/cfhead.m4 dnl # with default `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}’. dnl # Remove the ($v/$Z) chunk that displays the sendmail ($v) and m4 config file version ($Z): define(`_REC_BY_’, `$.by $j $?r with $r$. id $i$?{tls_version}’)dnl dnl # dnl # dnl #--------------------------------------------------------------------- dnl # Masquerading information, if needed, should go here dnl # You likely will not need this, as the MTA will do it dnl #--------------------------------------------------------------------- dnl MASQUERADE_AS()dnl dnl FEATURE(`masquerade_envelope’)dnl dnl # dnl #--------------------------------------------------------------------- dnl # The real reason we’re here: the FEATURE(msp) dnl # NOTE WELL: MSA (587) should have M=Ea, so we need to use stock 25 dnl #--------------------------------------------------------------------- dnl FEATURE(`msp’, `[127.0.0.1]’, `25’)dnl FEATURE(`msp’, `[127.0.0.1]’)dnl dnl # dnl #--------------------------------------------------------------------- dnl # Some minor cleanup from FEATURE(msp) dnl #--------------------------------------------------------------------- dnl # dnl #--------------------------------------------------------------------- (:sourceend:)

Security By Obscurity And Obfuscation

  • Walk safe: hide some of the information that can be gleaned from the outbound message headers and the SMTP daemons themselves.
  • In submit.mc removes the MSA version information in the message headers.

(:source:) dnl # Obscurity With The Intent To Obfuscate. dnl # dnl # The HReceived header is defined in /usr/share/sendmail/cf/m4/proto.m4 dnl # as: HReceived: confRECEIVED_HEADER dnl # confRECEIVED_HEADER in turn is build among other things from _REC_BY_ in /usr/share/sendmail/cf/m4/cfhead.m4 dnl # with default `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}’. dnl # ______________________^^^^^^^ dnl # Remove the ___________($v/$Z) chunk that displays the sendmail ($v) and m4 config file version ($Z): dnl # define(`_REC_BY_’, `$.by $j $?r with $r$. id $i$?{tls_version}’)dnl (:sourceend:)

  • Using the above will remove the MSP version number from the message headers, viz: 
Received: (from logcheck@localhost)
        by heitz.bic.mni.mcgill.ca (8.14.4/8.14.4/Submit) id u2FK23T2028453
        for logcheck; Tue, 15 Mar 2016 16:02:03 -0400
  • to something like this —on a nullclient that has been secured— 
Received: (from malin@localhost)
        by agrippa.bic.mni.mcgill.ca  id u2FK5ekb028871
        for malin; Tue, 15 Mar 2016 16:05:40 -0400
  • In sendmail.mc on the edge server, smtphost:

(:source:) dnl # /JF/ 20151126. Obscurity With The Intent To Obfuscate. dnl # dnl # /JF/ Hide sendmail version from greeting, headers and help. dnl # /JF/ Default greeting is `$j Sendmail $v/$Z; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.’ dnl # /JF/ ________________________^^^^^^^^^^^^^^ dnl # /JF/ Remove the chunk_______”Sendmail $v/$Z”: dnl define(`confSMTP_LOGIN_MSG’,`$j MTA ready and waiting; $b; (No UCE/UBE) $?{client_addr}logging access from: ${client_name}(${client_resolve})-$_$.’)dnl dnl dnl # /JF/ The HReceived header is defined in /usr/share/sendmail/cf/m4/proto.m4 dnl # /JF/ as: HReceived: confRECEIVED_HEADER dnl # /JF/ confRECEIVED_HEADER in turn is build among other things from _REC_BY_ in /usr/share/sendmail/cf/m4/cfhead.m4 dnl # /JF/ with default `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}’. dnl # /JF/ ______________________^^^^^^^ dnl # /JF/ Remove the____________($v/$Z) chunk that displays the sendmail ($v) and m4 config file version ($Z): dnl define(`_REC_BY_’, `$.by $j $?r with $r$. id $i$?{tls_version}’)dnl dnl dnl # /JF/ Remove the help file so the HELP command shows nothing: dnl dnl define(HELP_FILE’,’)dnl dnl dnl # /JF/ Actually doing this WILL somehow leak information about the server. dnl # /JF/ It is better to just zero the helpfile — DO NOT remove it. dnl # /JF/ 20151126. End. (:sourceend:)

Files and Databases for access, local delivery hosts, username remapping, etc

/etc/mail/access MUST contain the following to allow relaying from inside the BIC:

(:source:) Connect:localhost RELAY 132.206.178 RELAY (:sourceend:)

/etc/mail/genericstable for outbound username remapping:

(:source:) malin Jean-Francois.Malouin@bic.mni.mcgill.ca luser just.another.luser@bic.mni.mcgill.ca (:sourceend:)

/etc/mail/virtusertable for inbound username remapping: (:source:) Jean-Francois.Malouin@bic.mni.mcgill.ca malin just.another.luser@bic.mni.mcgill.ca luser (:sourceend:)

/etc/mail/generics_domain

(:source:) bic.mni.mcgill.ca (:sourceend:)

/etc/mail/local-host-names contains the name of the hosts that are considered local, ie messages addressed to them will be sent to the mailhub for final delivery:

(:source:) aeneas.bic.mni.mcgill.ca agrippine.bic.mni.mcgill.ca ajax.bic.mni.mcgill.ca ambas.bic.mni.mcgill.ca andromache.bic.mni.mcgill.ca angus.bic.mni.mcgill.ca antenor.bic.mni.mcgill.ca ariel.bic.mni.mcgill.ca … (:sourceend:)

ClamAV (clamav, clamav-milter and freshclam) Config and Third Party Signature Databases

ClamAV is a suite of programs to allow filtering and possible disposing of virus-infected email messages. It also included the tools necesssary to update its virus databases and signatures.

Version info: 

ii  clamav                           0.98.7+dfsg-0+deb6u2      anti-virus utility for Unix - command-line interface
ii  clamav-base                      0.98.7+dfsg-0+deb6u2      anti-virus utility for Unix - base package
ii  clamav-daemon                    0.98.7+dfsg-0+deb6u2      anti-virus utility for Unix - scanner daemon
ii  clamav-freshclam                 0.98.7+dfsg-0+deb6u2      anti-virus utility for Unix - virus database update utility
ii  clamav-milter                    0.98.7+dfsg-0+deb6u2      anti-virus utility for Unix - sendmail integration
ii  libclamav6                       0.98.7+dfsg-0+deb6u2      anti-virus utility for Unix - library
  • /etc/default/clamav-milter

(:source:)

  2. clamav-milter init options

OPTIONS=“—max-children=12 -olHNPq”

  1. SOCKET_RWGROUP
  1. by default, the socket created by the milter has permissions
  2. clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the
  3. permissions to 775 to give read-write access to that group.
  5. If you are using postfix to speak to the milter, you have to give permission
  6. to the postfix group to write
  8. SOCKET_RWGROUP=postfix

(:sourceend:)

  • /etc/clamav/clamav-milter.conf

Note that when the parameter LogInfected (Off|Basic|Full)is set to something other than default (Off) sendmail must be configured to have the eom macros msg_id, mail_addr, rcpt_addr and i available. In order to do do set define(`confMILTER_MACROS_EOM’, `{msg_id}, {mail_addr}, {rcpt_addr}, i’) in sendmail.mc as explained above.

(:source:)

  1. Automatically Generated by clamav-milter postinst
  2. To reconfigure clamav-milter run #dpkg-reconfigure clamav-milter
  3. Please read /usr/share/doc/clamav-base/README.Debian.gz for details

MilterSocket /var/run/clamav/clamav-milter.ctl FixStaleSocket true User clamav AllowSupplementaryGroups true ReadTimeout 120 Foreground false PidFile /var/run/clamav/clamav-milter.pid ClamdSocket unix:/var/run/clamav/clamd.ctl OnClean Accept OnInfected Quarantine OnFail Defer AddHeader Replace LogSyslog false LogFacility LOG_LOCAL6 LogVerbose true LogInfected Full MaxFileSize 25M TemporaryDirectory /tmp LogFile /var/log/clamav/clamav-milter.log LogTime true LogFileUnlock false LogFileMaxSize 0M MilterSocketGroup clamav MilterSocketMode 666 (:sourceend:)

  • /etc/clamav/clamd.conf

(:source:)

  1. Automatically Generated by clamav-base postinst
  2. To reconfigure clamd run #dpkg-reconfigure clamav-base
  3. Please read /usr/share/doc/clamav-base/README.Debian.gz for details

LocalSocket /var/run/clamav/clamd.ctl FixStaleSocket true LocalSocketGroup clamav LocalSocketMode 666

  1. TemporaryDirectory is not set to its default /tmp here to make overriding
  2. the default with environment variables TMPDIR/TMP/TEMP possible

User clamav AllowSupplementaryGroups true ScanMail true ScanArchive true ArchiveBlockEncrypted false MaxDirectoryRecursion 15 FollowDirectorySymlinks false FollowFileSymlinks false ReadTimeout 180 MaxThreads 12 MaxConnectionQueueLength 15 LogSyslog false LogFacility LOG_LOCAL6 LogClean false LogVerbose false PidFile /var/run/clamav/clamd.pid DatabaseDirectory /var/lib/clamav SelfCheck 3600 Foreground false Debug false ScanPE true ScanOLE2 true ScanHTML true DetectBrokenExecutables false ExitOnOOM false LeaveTemporaryFiles false AlgorithmicDetection true ScanELF true IdleTimeout 30 PhishingSignatures true PhishingScanURLs true PhishingAlwaysBlockSSLMismatch false PhishingAlwaysBlockCloak false DetectPUA false ScanPartialMessages false HeuristicScanPrecedence false StructuredDataDetection false CommandReadTimeout 5 SendBufTimeout 200 MaxQueue 100 ExtendedDetectionInfo true OLE2BlockMacros false StreamMaxLength 25M LogFile /var/log/clamav/clamav.log LogTime true LogFileUnlock false LogFileMaxSize 0 Bytecode true BytecodeSecurity TrustSigned BytecodeTimeout 60000 OfficialDatabaseOnly false CrossFilesystems true (:sourceend:)

For the freshclam config /etc/clamav/freshclam.conf one must add the line: 

DatabaseMirror db.ca.clamav.net

if one wants to check the ClamAV databases more than once per hour. The maximum allowed is 4 times an hour.

  • /etc/clamav/freshclam.conf

(:source:)

  1. Automatically created by the clamav-freshclam postinst
  2. Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav UpdateLogFile /var/log/clamav/freshclam.log LogVerbose false LogSyslog false LogFacility LOG_LOCAL6 LogFileMaxSize 0 LogTime true Foreground false Debug false MaxAttempts 5 DatabaseDirectory /var/lib/clamav DNSDatabaseInfo current.cvd.clamav.net DatabaseMirror db.ca.clamav.net AllowSupplementaryGroups false PidFile /var/run/clamav/freshclam.pid ConnectTimeout 30 ReceiveTimeout 30 TestDatabases yes ScriptedUpdates yes CompressLocalDatabase no Bytecode true

  1. Check for new database 4×24 times a day

Checks 96

  1. DatabaseMirror db.local.clamav.net

DatabaseMirror database.clamav.net (:sourceend:)

Third-party Signatures Databases

Third-party signatures databases from http://sanesecurity.com compatible with the ClamAV engine have also been manually installed. Note that they all have a low probability of false positives, except the 3 foxhole databases who have medium false positive probability hit (Note: foxhole_all.cbd has a HIGH risk of false positive hit and so I don’t use it.)

Database NameDescriptionFalse Positive
junk.ndbGeneral high hitting junk, containing spam/phishing/lottery/jobs/419s etc.Low
jurlbl.ndbJunk Url basedLow
phish.ndbPhishingLow
rogue.hdbMalware, Rogue anti-virus software and Fake codecs etc.Low
 Updated hourly to cover the latest malware threats. 
 Please send any Undetected virus samples to 
 samples@sanesecurity.me.uk 
sanesecurity.ftmMessage file types (REQUIRED for best performance)-
scam.ndbSpam/scamsLow
spamimg.hdbSpam imagesLow
winnow_malware.hdbCurrent virus, trojan and other malware not yet detected by ClamAV.Low
 Undetected virus samples can be sent to virus_samples@oitc.com 
winnow_malware_links.ndbLinks to malwareLow

Foxhole Databases

Zero hour (0hr) emailed malware has always been an issue. There are various ways of blocking dangerous attachments within zip files, such as Mailscanner/SpamAssassin/Postfix, however ClamAV can also be used to block these attachments which in some environments may be useful.

The three new foxhole databases use the .cdb extension which uses the ClamAV engine to look inside certain container files for various filenames and it also allows the use of Regular Expressions, on those filenames.

The three new databases are:

  • foxhole_generic.cdb

This database will block double extensions of certain common file formats that are contained within Zip/Rar and 7Zip files. These files will be detected only if they end in dangerous filestypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl, vbs.

Example of signatures name formats:

Sanesecurity.Foxhole.Zip_doc: blocks dangerous double extention .doc files, within zip files only

Sanesecurity.Foxhole.Rar_xls: blocks dangerous double extention .xls files, within Rar files only

Sanesecurity.Foxhole.Zip_hidden: blocks dangerous double extention files that are trying to hide their true extension, within zip files only

  • foxhole_filename.cdb

This database will block certain commonly known malware filenames within Zip/Rar/7Zip files.

  • foxhole_all.cdb

This database will block all files (single and double extensions) within Zip/Rar and 7Zip files that end in dangerous filestypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl, vbs. This will be the most effective database of the three but also has the highest risk of false positives, unless you are using scoring. Currently only .Zip, .7z and .Rar files container are used, however this can be extended to .Arj, .Cab and .Tar files.

Local Modifications

/etc/clamav-unofficial-sigs.conf has been modified according to the way ClamAV is packaged by Debian.

(:source:)

  1. Set path to ClamAV database files location. If unsure, check
  2. your clamd.conf file for the “DatabaseDirectory” path setting.

clam_dbs=“/var/lib/clamav”

  1. Set path to clamd.pid file (see clamd.conf for path location).

clamd_pid=“/var/run/clamav/clamd.pid” work_dir=“/var/lib/clamav/unofficial-dbs”

  1. Log update information to ‘$log_file_path/$log_file_name’.

enable_logging=“yes” log_file_path=“/var/log/clamav” log_file_name=“clamav-unofficial-sigs.log” (:sourceend:)

Here is the full config file: (:source:)

  1. This file contains user configuration settings for the clamav-unofficial-sigs.sh
  2. script provide by Bill Landry (bill@inetmsg.com).
  4. Script documentation and updates can be viewed/downloaded from:
  6. http://www.inetmsg.com/pub/
  8. The latest version will always be named: clamav-unofficial-sigs.tar.gz
  9. Older versions can be found in the “archive” directory.
  10. USER CONFIGURATION FILE FOR SCRIPT: #
  11. * * * #
  12. clamav-unofficial-sigs.sh #
  13. * * * #
  14. SET PROGRAM PATHS AND OTHER VARIABLE OPTIONS FOR THE SCRIPT IN THIS FILE #
  15. Edit the quoted variables below to meet your own particular needs
  16. and requirements, but do not remove the “quote” marks.
  17. Be sure to set the appropriate shell for your OS Platform. It’s been
  18. reported that “sh” works best for BSD variants, “ksh” for Sun Solaris,
  19. and “bash” for Linux variants. If you experience problems running the
  20. script, please try editing the top line of the script file and changing
  21. “sh” to either “ksh” or “bash” before reporting a problem.
  22. Set and export the appropriate program paths for your OS platform. Required
  23. utilities include: find, xargs, sed, awk, cut, dig, grep, tail, chown, chmod,
  24. cmp, diff, gzip, ls, cp, mv, test, gpg, host, sleep, cksum, rsync, curl, perl,
  25. and optionally socat. It’s been reported that on Sun systems, the GNU utilities
  26. should be used rather than the default Sun OS versions of these utilities.

PATH=“/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin” export PATH

  1. Set the appropriate ClamD user and group accounts for your system.
  2. If you do not want the script to set user and group permissions on
  3. files and directories, comment the next two variables.

clam_user=“clamav” clam_group=“clamav”

  1. Set path to ClamAV database files location. If unsure, check
  2. your clamd.conf file for the “DatabaseDirectory” path setting.

clam_dbs=“/var/lib/clamav”

  1. Set path to clamd.pid file (see clamd.conf for path location).

clamd_pid=“/var/run/clamav/clamd.pid”

  1. To enable “ham” (non-spam) directory scanning and removal of
  2. signatures that trigger on ham messages, uncomment the following
  3. variable and set it to the appropriate ham message directory.
  4. ham_dir=“/path/to/ham-test/directory”
  5. If you would like to reload the clamd databases after an update,
  6. change the following variable to “yes”.

reload_dbs=“no”

  1. Set the reload or restart option if the “reload_dbs” variable above
  2. is set to “yes” (only select ‘ONE’ of the following variables or the
  3. last uncommented variable option will be the one used).
  4. - The next variable signals clamd daemon to reload databases (this is the recommended reload option)

reload_opt=“clamdscan —reload” # Default

  1. - The next variable signals clamd’s Process ID (PID) to reload databases
  2. reload_opt=“kill -USR2 `cat $clamd_pid”
  3. - The next variable signals linux based systems to do a full clamd service stop/start
  4. reload_opt=“service clamd restart”
  5. - Use the next variable to set a custom or system specific reload/restart option
  6. reload_opt=“ ”
  7. If running clamd in “LocalSocket” mode (*NOT* in TCP/IP mode), and
  8. either “SOcket Cat” (socat) or the “IO::Socket::UNIX” perl module
  9. are installed on the system, and you want to report whether clamd
  10. is running or not, uncomment the “clamd_socket” variable below (you
  11. will be warned if neither socat nor IO::Socket::UNIX are found, but
  12. the script will still run). You will also need to set the correct
  13. path to your clamd socket file (if unsure of the path, check the
  14. “LocalSocket” setting in your clamd.conf file for socket location).

clamd_socket=“/var/run/clamav/clamd.ctl”

  1. If you would like to attempt to restart ClamD if detected not running,
  2. uncomment the next 2 lines. Confirm the path to the “clamd_lock” file
  3. (usually can be found in the clamd init script) and also enter the clamd
  4. start command for your particular distro for the “start_clamd” variable
  5. (the sample start command shown below should work for most linux distros).
  6. NOTE: these 2 variables are dependant on the “clamd_socket” variable
  7. shown above - if not enabled, then the following 2 variables will be
  8. ignored, whether enabled or not.
  9. clamd_lock=“/var/lock/subsys/clamd”
  10. start_clamd=“service clamd start”
  11. Enable or disable download time randomization. This allows the script to
  12. be executed via cron, but the actual database file checking will pause
  13. for a random number of seconds between the “min” and “max” time settings
  14. specified below. This helps to more evenly distribute load on the host
  15. download sites. To disable, set the following variable to “no”.

enable_random=“yes”

  1. If download time randomization is enabled above (enable_random=“yes”),
  2. then set the min and max radomization times intervals (in seconds).

min_sleep_time=“60” # Default minimum is 60 seconds (1 minute). max_sleep_time=“600” # Default maximum is 600 seconds (10 minutes).

  2. Sanesecurity Database(s)
  4. Add or remove database file names between quote marks as needed. To
  5. disable usage of any of the Sanesecurity distributed database files
  6. shown, remove the database file name from the quoted section below.
  7. To disable usage of all Sanesecurity distributed databases, comment
  8. all of the quoted lines below. Only the following “low” risk define
  9. signature databases have been enabled by default (for additional
  10. information about the signature database ratings, see:
  11. http://www.sanesecurity.com/clamav/databases.htm). Finally, make
  12. sure that the database names are spelled correctly or you will
  13. experience issues when the script runs.

ss_dbs=“ 

  junk.ndb
  jurlbl.ndb
  phish.ndb
  rogue.hdb
  sanesecurity.ftm
  scam.ndb
  spamimg.hdb
  winnow_malware.hdb
  winnow_malware_links.ndb
  foxhole_generic.cdb
  foxhole_filename.cdb

  1. Additional Sanesecruity distributed database that can be used and
  2. their associated potential fales-positive ratings:
  4. USE ‘ONLY’ ONE OF THE FOLLOWING TWO SIGNATURE DATABASES:
  6. INetMsg-SpamDomains-2w.ndb : MEDIUM false-positive rating
  7. INetMsg-SpamDomains-2m.ndb : MEDIUM false-positive rating
  9. ONE DATABASE CONTAINS THE LAST TWO WEEKS OF COLLECTED SPAM DOMAINS (2w), AND
  10. THE OTHER DATABASE CONTAINS THE LAST TWO MONTHS OF COLLECTED SPAM DOMAINS (2m).
  12. jurlbla.ndb : MEDIUM false-positive rating
  13. lott.ndb : MEDIUM false-positive rating
  14. spam.ldb : MEDIUM false-positive rating
  15. spear.ndb : MEDIUM false-positive rating
  16. scamnailer.ndb : MEDIUM false-positive rating
  17. winnow.complex.patterns.ldb : MEDIUM false-positive rating
  18. winnow_phish_complete.ndb : HIGH false-positive rating
  19. winnow_phish_complete_url.ndb : MEDIUM false-positive rating
  20. winnow_spam_complete.ndb : MEDIUM false-positive rating
  22. USE ‘ONLY’ ONE OF THE FOLLOWING TWO SIGNATURE DATABASES:
  24. winnow_phish_complete.ndb : HIGH false-positive rating
  25. winnow_phish_complete_url.ndb : MEDIUM false-positive rating
  27. ONE CONTAINS THE COMPLETE URL PATH (MEDIUM RISK), AND THE OTHER
  28. CONTAINS ONLY THE URL, WITHOUT THE FULL PATH (HIGH RISK).
  30. SecuriteInfo Database(s)
  32. Add or remove database file names between quote marks as needed. To
  33. disable any SecuriteInfo database downloads, remove the appropriate
  34. lines below. To disable all SecuriteInfo database file downloads,
  35. comment all of the following lines.
  36. si_dbs=“
  37. honeynet.hdb
  38. securiteinfobat.hdb
  39. securiteinfodos.hdb
  40. securiteinfoelf.hdb
  41. securiteinfo.hdb
  42. securiteinfohtml.hdb
  43. securiteinfooffice.hdb
  44. securiteinfopdf.hdb
  45. securiteinfosh.hdb
  47. Since the SecuriteInfo databases are only updated a few time each
  48. month, set a time interval to do database update checks.

si_update_hours=“4” # Default is 4 hours (6 update checks daily).

  2. MalwarePatrol Database(s)
  4. Add or remove database file names between quote marks as needed. To
  5. disable any of the MalwarePatrol database file downloads, remove the
  6. appropriate database file name lines below. To disable MalwarePatrol
  7. database downloads, comment all of the following lines.

mbl_dbs=“ 

  mbl.ndb

  1. Since the MalwarePatrol database file is dynamically created,
  2. there is no way to test for changes prior to downloading. For this
  3. reason, you will need to set a reasonable time interval in “hours”
  4. for MBL database file downloads. As shown below, this has been
  5. set to update every “6” hours, which seems appropriate (that’s 4
  6. file downloads per day) Change only if you REALLY feel you must.
  7. However, I would not suggest going below every 4 hour lest you risk
  8. being blacklisted by the MalwarePatrol site.

mbl_update_hours=“6” # Default is 6 hours (4 downloads daily).

  1. Additional signature databases can be specified here in the following
  2. format: PROTOCOL://URL-or-IP/PATH/TO/FILE-NAME (use a trailing “/” in
  3. place of the “FILE-NAME” to download all files from specified location,
  4. but this *ONLY* works for files downloaded via rsync). For non-rsync
  5. downloads, curl is used. For download protocols supported by curl, see
  6. “man curl”. This also works well for locations that have many ClamAV
  7. servers that use 3rd party signature databases, as only one server need
  8. download the remote databases, and all others can update from the local
  9. mirror’s copy. See format examples below. To use, remove the comments
  10. and examples shown and add your own sites between the quote marks.
  11. add_dbs=“
  12. rsync://192.168.1.50/new-db/sigs.hdb
  13. rsync://rsync.example.com/all-dbs/
  14. ftp://ftp.example.net/pub/sigs.ndb
  15. http://www.example.org/sigs.ldb
  17. Set working directory paths (edit to meet your own needs). If these
  18. directories do not exist, the script will attempt to create them.
  19. Top level working directory path:

work_dir=“/var/lib/clamav/unofficial-dbs” #Top level working directory

  1. Sub-directory names:

ss_dir=“$work_dir/ss-dbs” # Sanesecurity sub-directory si_dir=“$work_dir/si-dbs” # SecuriteInfo sub-directory mbl_dir=“$work_dir/mbl-dbs” # MalwarePatrol sub-directory config_dir=“$work_dir/configs” # Script configs sub-directory gpg_dir=“$work_dir/gpg-key” # Sanesecurity GPG Key sub-directory add_dir=“$work_dir/add-dbs” # User defined databases sub-directory

  1. If you would like to make a backup copy of the current running database
  2. file before updating, leave the following variable set to “yes”.

keep_db_backup=“yes”

  1. If you want to silence the information reported by curl, rsync, gpg
  2. or the general script comments, change the following variables to
  3. “yes”. If all variables are set to “yes”, the script will output
  4. nothing except error conditions.

curl_silence=“no” # Default is “no” to report curl statistics rsync_silence=“no” # Default is “no” to report rsync statistics gpg_silence=“no” # Default is “no” to report gpg signature status comment_silence=“no” # Default is “no” to report script comments

  1. Log update information to ‘$log_file_path/$log_file_name’.

enable_logging=“yes” log_file_path=“/var/log/clamav” log_file_name=“clamav-unofficial-sigs.log”

  1. If necessary to proxy database downloads, define the rsync and/or curl
  2. proxy settings here. For rsync, the proxy must support connections to
  3. port 873. Both curl and rsync proxy setting need to be defined in the
  4. format of “hostname:port”. For curl, also note the -x and -U flags,
  5. which must be set as “-x hostname:port” and “-U username:password”.

rsync_proxy=“ ” curl_proxy=“ ”

  1. After you have completed the configuration of this file, set the
  2. following variable to “yes”.

user_configuration_complete=“yes”

  1. END OF USER CONFIGURATION #

(:sourceend:)

A cronjob calling the script /root/bin/clamav-unofficial-sigs.sh is installed on the smtphost. This script will update the signatures databases every 45m ± some random time.

Quarantined Messages

  • Messages flagged as infected by the clamav milter will not be disposed of: they are simply put in the queue directory /var/spool/mqueue. The quarantined envelopes are prefixed with “hf”. The milter can be configured to remove them by using the configuration option “OnInfected Reject” in /etc/clamav/clamav-milter.conf. Presently they are just left in the queue directory.
  • The quarantined messages are invisibles as far as sendmail goes, unless specifically configured. I didn’t. Note that since sendmail doesn’t deal with them once flagged, those quarantined messages will just accumulate over time, and very fast at that as over 90% of our smtp traffic is just spam and virus…
  • To purge them use the command: /usr/share/sendmail/qtool.pl -d -Q /var/spool/mqueue

An example of a quarantined envelope is: (:source:) V8 T1382543405 K1382543579 N0 P39663 qquarantined by clamav-milter Fbs $_[39.45.86.93] $rESMTP $s544275.com ${daemon_flags} ${if_addr}132.206.178.241 S<Lisa68@9802.com>

cc
<luser@bic.mni.mcgill.ca>

rRFC822; luser@bic.mni.mcgill.ca RPFD:<luser@bic.mni.mcgill.ca> H?P?Return-Path: <<81>g> H??Received: from 544275.com ([39.45.86.93]) 

       by kurma.bic.mni.mcgill.ca (8.14.3/8.14.3/Debian-9.4) with ESMTP id r9NFnjvo020352
       for <luser@bic.mni.mcgill.ca>; Wed, 23 Oct 2013 11:50:05 −0400

H??Received: (qmail 22203 invoked by uid 222); 23 Oct 2013 08:49:55 −0700 H??From: Lisa68@9802.com H??To: luser@bic.mni.mcgill.ca H??Subject: This is the funniest picture ever! H??Date: Wed, 23 Oct 2013 08:50:47 −0700 H??Message-ID: <22203763478295.8441.qmail@544275.com> H??Mime-Version: 1.0 H??Content-Type: multipart/mixed; boundary=“----------=_5267F0D8.7940A1CE” H??X-Spam-Flag: YES H??X-Spam-Status: Yes, score=7.9 required=5.0 tests=BASE64_LENGTH_79_INF,BAYES_50, 

       RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RDNS_NONE autolearn=no version=3.3.1

H??X-Spam-Level: ******* H??X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010–03–16) on 

       kurma.bic.mni.mcgill.ca

H??X-Virus-Scanned: clamav-milter 0.97.8 at kurma H??X-Virus-Status: Infected (Sanesecurity.Foxhole.Zip_jpg.UNOFFICIAL) H??X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.3.7 (kurma.bic.mni.mcgill.ca [132.206.178.241]); Wed, 23 Oct 2013 11:52:56 −0400 (EDT) (:sourceend:)

To display the quarantine messages and the reason why they were quarantined use the command mailq -qQ: 

(:source:)
~# mailq -qQ 
MSP Queue status...
/var/spool/mqueue-client is empty
                Total requests: 0
MTA Queue status...
                /var/spool/mqueue (7 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
r9NGSAIw026131     2894 Wed Oct 23 12:28 <>
     QUARANTINE: quarantined by clamav-milter
                                         <adrian@bic.mni.mcgill.ca>
r9NG0xIM022166     2796 Wed Oct 23 12:01 <>
     QUARANTINE: quarantined by clamav-milter
                                         <jorge@bic.mni.mcgill.ca>
r9NGL1Na025588     2643 Wed Oct 23 12:21 <>
     QUARANTINE: quarantined by clamav-milter
                                         <dr.jack.loken@bic.mni.mcgill.ca>
r9NGTwIw026164     3005 Wed Oct 23 12:30 <>
     QUARANTINE: quarantined by clamav-milter
                                         <berto@bic.mni.mcgill.ca>
r9NG4Dsm023427     3108 Wed Oct 23 12:04 <>
     QUARANTINE: quarantined by clamav-milter
                                         <dana@bic.mni.mcgill.ca>
r9NGLwWa025592      527 Wed Oct 23 12:22 <service@scotiabank.com>
     QUARANTINE: quarantined by clamav-milter
                                         <garys@bic.mni.mcgill.ca>
r9NFnjvo020352    11661 Wed Oct 23 11:50 <Lisa68@9802.com>
     QUARANTINE: quarantined by clamav-milter
                                         <greg@bic.mni.mcgill.ca>
                Total requests: 7
(:sourceend:)
  • To remove quarantined messages from the queue directory, you can use a tool provided with sendmail:

(:source:) /usr/share/sendmail/qtool.pl -d -Q /var/spool/mqueue (:sourceend:)

Spamassassin (spamd and spamass-milter) Config

Version info: 

ii  spamass-milter    0.3.1-10  milter for filtering mail through spamassassin
ii  spamassassin      3.3.1-1   Perl-based spam filter using text analysis
ii  spamc             3.3.1-1   Client for SpamAssassin spam filtering daemon

Enable spamd in /etc/default/spamassassin and change the default user (‘nobody’) to an already existing user, say ‘clamav-milter’. As the ‘clamav-milter’ has a home directory (‘nobody’ has no home, hence /nonexistent) that will get rid of the annoying messages from spamd in the mail logs: 

spamd: connection from localhost [127.0.0.1] at port 39928
spamd: processing message <201103011602.p21G24lU029558@kurma.bic.mni.mcgill.ca> for logcheck:65534
spamd[15892]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin \
/bayes.lock.kurma.bic.mni.mcgill.ca.15892 for /nonexistent/.spamassassin/bayes.lock: No such file or directory

/etc/default/spamassassin (:source:)

  1. /etc/default/spamassassin
  2. Duncan Findlay
  3. WARNING: please read README.spamd before using.
  4. There may be security risks.
  5. Change to one to enable spamd

ENABLED=1

  1. Options
  2. See man spamd for possible options. The -d option is automatically added.
  3. SpamAssassin uses a preforking model, so be careful! You need to
  4. make sure —max-children is not set to anything higher than 5,
  5. unless you know what you’re doing.
  6. OPTIONS=“—create-prefs —max-children 5 —helper-home-dir”

OPTIONS=“—nouser-config —max-children 5 —username=spamass-milter”

  1. Pid file
  2. Where should spamd write its PID to file? If you use the -u or
  3. —username option above, this needs to be writable by that user.
  4. Otherwise, the init script will not be able to shut spamd down.

PIDFILE=“/var/run/spamd.pid”

  1. Set nice level of spamd
  2. NICE=“—nicelevel 15”
  3. Cronjob
  4. Set to anything but 0 to enable the cron job to automatically update
  5. spamassassin’s rules on a nightly basis

CRON=0 (:sourceend:)

Remove the -i 127.0.0.1 in /etc/default/spamass-milter (:source:)

  1. spamass-milt startup defaults
  2. OPTIONS are passed directly to spamass-milter.
  3. man spamass-milter for details
  4. Non-standard configuration notes:
  5. See README.Debian if you use the -x option with sendmail
  6. You should not pass the -d option in OPTIONS; use SOCKET for that.
  7. Default, use the spamass-milter user as the default user, ignore
  8. messages from localhost
  9. OPTIONS=“-u spamass-milter -i 127.0.0.1”

OPTIONS=“-u spamass-milter”

  1. Reject emails with spamassassin scores > 15.
  2. OPTIONS=“-r 15”
  3. Do not modify Subject:, Content-Type: or body.
  4. OPTIONS=“-m”
  5. If /usr/sbin/postfix is executable, the following are set by
  6. default. You can override them by uncommenting and changing them
  7. here.
  8. SOCKET=“/var/spool/postfix/spamass/spamass.sock”
  9. SOCKETOWNER=“postfix:postfix”
  10. SOCKETMODE=“0660”

(:sourceend:)

Greylist Config

Version info: 

ii  milter-greylist  4.3.7-1   Greylist milter for sendmail

Enable the greylist milter in /etc/default/milter-greylist with ENABLED=1. Note that Debian/Squeeze ships milter-greylist configuration file in /etc/milter-greylist/greylist.conf. However if you want to use it you must setup the options field to have -f /etc/milter-greylist/greylist.conf as the milter-greylist is configured by default to look for it’s config file in /etc/mail/greylist.conf. (:source:) root@kurma:/etc/mail# cat /etc/default/milter-greylist

  1. Defaults for milter-greylist initscript
  2. sourced by /etc/init.d/milter-greylist
  3. installed at /etc/default/milter-greylist by the maintainer scripts
  4. 2006–08–18 Herbert Straub
  5. Change to one to enable milter-greylist
  6. Don’t forget to edit the configuration file
  7. /etc/milter-greylist/greylist.conf

ENABLED=1

  1. PIDFILE=“/var/run/milter-greylist.pid”
  2. SOCKET=“/var/run/milter-greylist/greylist.sock”
  3. USER=“root”
  4. Other options
  5. OPTIONS=“ ”

(:sourceend:)

In the (legacy) config file /etc/mail/greylist.conf

  • Disable SPF

(:source:) nospf (:sourceend:)

  • Pay attention to the permissions of the db dumpfile directory: the user under which the milter is running (smmsp) must be able to write in it.
  • Add the stuff to whitelist bic and other domains, and greylist some local users, blacklists domains and add the control list.
  • I’ve merged the difference between the old and new config files, notably a missing entry for the list “broken mta” addr { } block: 74.125.0.0/16 \ # Google

(:source:)

  2. Simple greylisting config file using the new features
  3. See greylist2.conf for a more detailed list of available options
  5. $Id: greylist.conf,v 1.42 2007/10/25 03:20:11 manu Exp $

pidfile “/var/run/milter-greylist.pid” dumpfile “/var/lib/milter-greylist/greylist.db” dumpfreq 10m

  1. For sendmail use the following two lines

socket “/var/run/milter-greylist/milter-greylist.sock” user “smmsp”

nospf

delayedreject logexpired

  1. Log milter-greylist activity to a file
  2. stat “/var/log/milter-greylist/greylist.log” # “%T{%Y/%m/T} %d [%i] %r → S (ACL Xc Xm %Xh”
  3. Same, sent to syslog
  4. stat “|logger -p local7.info” # “%T{%Y/%m/T} %d [%i] %r → S (ACL Xc Xm %Xh”
  5. Be verbose (or use -v flag)

verbose

  1. Do not tell spammer how long they have to wait

quiet

  1. MX peering
  2. peer 192.0.2.17
  3. peer 192.0.2.18
  4. Your own network, which should not suffer greylisting

list “bic network” addr { 127.0.0.1/8 10.0.0.0/8 192.0.2.0/24 132.206.178.0/24} list “mcgill” domain { mcgill.ca mail.mcgill.ca azuris.ca bellnexxia.net sigmawave.com openstore.com apcc.com linbit.com } list “grey users” rcpt { malin@bic.mni.mcgill.ca malouin@bic.mni.mcgill.ca man@bic.mni.mcgill.ca } list “blacklisted domains” domain { bezeqint.net avangarddsl.ru terra.cl telecomitalia.it consultingweb.it nasx-media.com airtelbroadband.in ttnet.net.tr asianet.co.th georgbell.com svservers.com www.tilburg-enterprise.com icpbounce.com }

  1. And here is the access list

racl blacklist list “blacklisted domains”

  1. racl blacklist list “blacklisted users” flushaddr

racl blacklist rcpt /[0–9][0–9]*\.[0–9][0–9]*@bic\.mni\.mcgill\.ca/ flushaddr racl blacklist rcpt /test\.greylist@bic\.mni\.mcgill\.ca/ flushaddr racl whitelist list “bic network” racl whitelist list “mcgill” racl whitelist list “broken mta”

  1. racl whitelist dnsrbl “MTAWL”
  2. racl blacklist urlcheck “userpref” $usrRBL “CBL” dnsrbl “CBL” # msg “Sender IP caught in CBL blacklist”
  3. racl blacklist $usrRBL “SBL” dnsrbl “BBL” # msg “Sender IP caught in SBL blacklist”
  4. racl blacklist $usrRBL “NJABL” dnsrbl “NJABL” # msg “Sender IP caught in NJABL blacklist”
  5. racl greylist list “grey users” dnsrbl “SORBS DUN” delay 24h autowhite 3d

racl greylist list “grey users” delay 15m autowhite 3d racl whitelist default (:sourceend:)

OpenDKIM (DomainKeys Identified Mail)

Intro

  • https://tools.ietf.org/html/rfc6376 IETF RFC6376 DomainKeys Identified Mail (DKIM) Signatures specifies the standard for DKIM.
  • https://tools.ietf.org/html/rfc5451 IETF RFC5451 Authentication-Results Header Field also relates to DKIM (and SPF too).
  • The most salient features:
  • DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message.
  • Message signature is written as a message email header, not part of the message body.
  • Uses asymmetric cryptographic keys.
  • Not dependent on public/private keys or certificates issued by 3rd party authorities.
  • Not dependent on the deployment of internet services related to keys distribution or revocation.
  • A signature verification failure does not force rejection of the message.
  • Is compatible with the existing email infrastructure and transparent to the fullest extent possible.
  • Requires minimal new infrastructure.
  • Can be deployed incrementally.
  • The deployment will consist in a few steps:
    • Install and configure OpenDKIM itself then test and debug.
    • Add a TXT record to the master DNS server to advertise the DKIM public selector key.
    • Make sendmail aware of the new Milter. Test and Debug.
    • There might be problems with MASQUERADE_AS and GENERICSTABLE rewrite rules on smtphost. Will see.

I initially installed dkim-filter on smtphost but noticed that since being approved by the IETF, a new open source project named OpenDKIM was started. The OpenDKIM Project is a community effort. The project started from a code fork of version 2.8.3 of the open source dkim-milter package developed and maintained by Sendmail, Inc.

  • Install opendkim version 2.6.8 from the squeeze-backports repository. 
 kurma:~# apt-get install -t squeeze-backports opendkim opendkim-tools
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libopendkim1
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  libopendkim7 libvbr2
The following NEW packages will be installed:
  libopendkim7 libvbr2 opendkim-tools
The following packages will be upgraded:
  opendkim

OpenDKIM Configuration

As a test bed, I’m using audrey (BIC mail server in a previous life) as a proof of concept. Even though these notes use audrey it should be understood that the final intent is to make smtphost the DKIM signer/verifier. Note that OpenDKIM version on audrey is at 2.9.2 compared to 2.6.8 on kurma. Sendmail versions are different too (8.14.3 compared to 8.14.4 on audrey) but it shouldn’t really make any difference.

  • Configure OpenDKIM with a selector set to audrey20160119.
  • Set the domain to audrey.bic.mni.mcgill.ca.
  • Peeve: I don’t like the location of the config file /etc/opendkim.config. Why not in /etc/opendkim/opendkim.conf as it is usually done on Debian systems?
  • Edit /etc/default/opendkim and set DAEMON_OPTS=“-x /etc/opendkim/opendkim.conf”
  • chown opendkim.opendkim /etc/opendkim
  • chmod g+s /etc/opendkim
  • chown opendkim.opendkim /etc/opendkim/*
  • Where to put the private key file? Answer: /etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.private
  • Check ownerships and permissions in /etc/opendkim as the Milter might run not as root. Answer: run as opendkim user.
  • Make sure only user opendkim can read the private key file /etc/opendkim/keys/bic.mni.mcgill.ca/kurma.private 
~# mkdir /etc/opendkim/keys/bic.mni.mcgill.ca
~# /usr/sbin/opendkim-genkey -D  /etc/opendkim/keys/audrey.bic.mni.mcgill.ca -d  audrey.bic.mni.mcgill.ca -s audrey20160119
~# chmod 640 /etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.private
~# chmod 644 /etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.txt
  • /etc/default/opendkim 
 
# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
SOCKET="local:/var/run/opendkim/opendkim.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
  • /etc/opendkim/opendkim.conf 
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                          yes

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                           002
UserID                  opendkim:opendkim

## Signing options
#
# Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode                    sv

# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.
#Domain                  audrey.bic.mni.mcgill.ca
# Defines the name of the selector to be used when signing messages.
Selector                audrey20160119
#Keyfile                 /etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.private
#
# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# setting in the configuration file.
#
KeyTable                /etc/opendkim/KeyTable

# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys. refile: -> file referenced contains regex.
SigningTable            refile:/etc/opendkim/SigningTable

# Identifies a set internal hosts whose mail should be signed rather than verified.
InternalHosts           refile:/etc/opendkim/InternalHosts

# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/relaxed

# Add an "DKIM-Filter" header field.
SoftwareHeader          yes

SyslogSuccess           yes
MilterDebug             1
SignatureAlgorithm      rsa-sha256

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

A few comments about the config file above:

  • Domain parameter is not needed if one uses the parameter SigningTable.
  • KeyFile parameter is also not needed and is in fact overridden by parameter KeyTable if one uses it.
  • InternalHosts file specifies which hosts OpenDKIM will sign outgoing messages.
  • 127.0.0.1 must be present.
  • /etc/opendkim/InternalHosts 
127.0.0.1
  • The KeyTable file tells OpenDKIM where to find your keys.
  • Each entry in the KeyTable file is a single line for each key location.
  • The key name maps to 3 fields delimited by “:”, the domain name d= and selector name s= in the signature and the location of the private key.
  • See https://tools.ietf.org/html/rfc6376#section-3.5 for the meaning of the tags in the DKIM signature header field.
  • /etc/opendkim/KeyTable 
audrey20160119._domainkey.audrey.bic.mni.mcgill.ca audrey.bic.mni.mcgill.ca:audrey20160119:/etc/opendkim/keys/audrey.bic.mni.mcgill.ca/audrey20160119.private
  • The SigningTable file tells OpenDKIM how to use your keys, as in which senders should use which selectors for their signatures.
  • A wildcard “*” requires that it must be specified using the dataset refile: in /etc/opendkim/opendkim.conf.
  • Meaning: use selector audrey20160119 in the domain audrey.bic.mni.mcgill.ca for all (“*”) users in audrey.bic.mni.mcgill.ca.
  • /etc/opendkim/SigningTable 
*@audrey.bic.mni.mcgill.ca audrey20160119._domainkey.audrey.bic.mni.mcgill.ca

Advertise DKIM Selector Public Key on DNS Master

  • Generate a private key with selector name audrey201160119 with 
~# opendkim-genkey -t -D /etc/opendkim/keys/audrey.bic.mni.mcgill.ca -s audrey20160119 -d audrey.bic.mni.mcgill.ca
  • The -t indicates that the generated key record is tagged as a test signing domain.
  • The -D option specifies the directory where to create the private key audrey20160119.private and its associated txt record.
  • The selector name is audrey20160119.
  • The file audrey20160119.private contains the RSA private key with a key size of 1024 bits (default).
  • The file audrey20160119.txt contains the DNS TXT record suitable for inclusion in the domain DNS zone file.
  • Note: as per the RFC6376, the selector name should not be a single name as audrey as it can/will lead to problems later on when or if the key needs to be updated. From Section 3.1 of RFC6376: 
      INFORMATIVE OPERATIONS NOTE: Reusing a selector with a new key
      (for example, changing the key associated with a user's name)
      makes it impossible to tell the difference between a message that
      didn't verify because the key is no longer valid and a message
      that is actually forged.  For this reason, Signers are ill-advised
      to reuse selectors for new keys.  A better strategy is to assign
      new keys to new selectors.
  • Create a DNS TXT record in the DNS master zone file.
  • Set a small TTL (say 3600s/1hr) while tinkering with this. Change it back to default value when setup is validated.
  • Test it by probing the DNS master directly (key in p= has been truncated) 
~$ dig +short @132.206.178.7 audrey20160119._domainkey.audrey.bic.mni.mcgill.ca txt 
"v=DKIM1\; k=rsa\; p=MIGfMA0GC.................................kuCFAm34U3V8wIDAQAB"

Sendmail and OpenDKIM Milter

  • Add the bit for sendmail to connect to the OpenDKIM milter in /etc/mail/sendmail.mc.
  • Note that the socket file is as specified in /etc/default/opendkim.
  • Some care as to be taken with the INPUT_MAIL_FILTER and MAIL_FILTER as I think there might be some overrides.
  • Go back the to Bat Book to make sure.
  • Add opendkim to confINPUT_MAIL_FILTERS and recomoile sendmail.cf and restart sendmail. 
dnl # Milters
dnl #
dnl # /JF/ INPUT_MAIL_FILTER options declares the Milters and also set their processing order.
dnl #      See the Bat Book, 4th Ed., Section 26.2.2 The InputMailFilters Option
dnl #
dnl # /JF/ greylist milter is already setup using FEATURE(`milter-greylist').
dnl INPUT_MAIL_FILTER(`greylist', ``S=local:/var/run/milter-greylist/milter-greylist.sock, F=, T=S:4m;R:4m'')dnl
FEATURE(`milter-greylist')dnl
dnl # /JF/ clamav is already setup by the use of the include(`/etc/mail/m4/clamav-milter.m4') 
dnl INPUT_MAIL_FILTER(`clamav', ``S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m'')dnl
include(`/etc/mail/m4/clamav-milter.m4')dnl
INPUT_MAIL_FILTER(`spamassassin', ``S=local:/var/run/spamass/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m'')dnl
INPUT_MAIL_FILTER(`opendkim', ``S=local:/var/run/opendkim/opendkim.sock, F=, T=C:10m;S:10m;R:20m;E:20m'')dnl
dnl #
dnl # /JF/ INPUT_MAIL_FILTERS option defines the processing order of the Milters. 
dnl #      Needed only if MAIL_FILTER is used rather than the INPUT_MAIL_FILTER macros
dnl #      or if one needs/wants to force a specific Milter calling order.
dnl define(`confINPUT_MAIL_FILTERS', ``clamav,greylist,spamassassin,opendkim'')dnl
dnl #
dnl # /JF/ Modify the Milters End-of-Message handling routine from its default, ${msg_id}.
dnl #      See the Bat Book, 4th ed., Section 24.9.76.8 Milter.macros.eom
define(`confMILTER_MACROS_EOM', confMILTER_MACROS_EOM``, {mail_addr}, {rcpt_addr}, i'')dnl

Testing DKIM Signatures with gmail.com

  • A simple signature check with my gmail address.
  • No MASQUERADE_AS or header rewritting rules on audrey at first.
  • The header Authentication-Results: shows dkim=fail is the important tag to check. 
Delivered-To: jfmalouin@gmail.com
Received: by 10.37.42.15 with SMTP id q15csp3256135ybq;
        Wed, 20 Jan 2016 07:17:03 -0800 (PST)
X-Received: by 10.50.88.7 with SMTP id bc7mr4201679igb.24.1453303023395;
        Wed, 20 Jan 2016 07:17:03 -0800 (PST)
Return-Path: <jf@audrey.bic.mni.mcgill.ca>
Received: from audrey.bic.mni.mcgill.ca (audrey.bic.mni.mcgill.ca. [132.206.178.45])
        by mx.google.com with ESMTPS id o67si6660631ioi.5.2016.01.20.07.17.03
        for <jfmalouin@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 20 Jan 2016 07:17:03 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of jf@audrey.bic.mni.mcgill.ca designates 132.206.178.45 as permitted sender) client-ip=132.206.178.45;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of jf@audrey.bic.mni.mcgill.ca designates 132.206.178.45 as permitted sender) smtp.mailfrom=jf@audrey.bic.mni.mcgill.ca;
       dkim=pass header.i=@audrey.bic.mni.mcgill.ca
Received: from audrey.bic.mni.mcgill.ca (localhost [127.0.0.1])
	by audrey.bic.mni.mcgill.ca (8.14.4/8.14.4/Debian-8) with ESMTP id u0KFH2nq014018
	for <jfmalouin@gmail.com>; Wed, 20 Jan 2016 10:17:02 -0500
DKIM-Filter: OpenDKIM Filter v2.9.2 audrey.bic.mni.mcgill.ca u0KFH2nq014018
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=audrey.bic.mni.mcgill.ca; s=audrey20160119; t=1453303022;
	bh=E797MDnGO/WlBJH6PP2OtOaZ0boUNjFa75y+VxFTA1Q=;
	h=Date:From:To:Subject:From;
	b=NcmV1sxkBMq4jfA0gvY0r7/K42O4StdYM7IYrg8jHvFxMjpi4kCaUgRcXq9rAS09C
	 McoFffXj/QvhmlzUTrHy85KVixw4+u3IlJbbeihw4FYIlTgsbOn7wWfLYkOd/3ex7P
	 yAbkjvRh6GD0RoF5lQ5lgyLQLGOWPuWQ25uFLkek=
Received: (from jf@localhost)
	by audrey.bic.mni.mcgill.ca (8.14.4/8.14.4/Submit) id u0KFH2bL014017
	for jfmalouin@gmail.com; Wed, 20 Jan 2016 10:17:02 -0500
Date: Wed, 20 Jan 2016 10:17:02 -0500
From: Jean-Francois Malouin <jf@audrey.bic.mni.mcgill.ca>
To: jfmalouin@gmail.com
Subject: 0
Message-ID: <20160120151702.GA13996@audrey.bic.mni.mcgill.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
  • Success!

SpamAssassin T_DKIM_INVALID Tag Problem

  • On the receiving end, SpamAssassin complains about DKIM invalid signature (T_DKIM_INVALID is inserted in the X-Spam-Status: message header) even though Authentication-Results: says dkim=pass.
  • A hint from http://www.spamresource.com/2014/06/opendkim-spamassassin-gotchas-on-ubuntu.html: needed are libmail-dkim-perl libcrypt-openssl-random-perl libcrypt-openssl-rsa-perl
  • Installing those on smtphost still didn’t solve the problem even after restarting spamassassin.
  • Initially I thought the problem was on smtphost but it turned out to be on the mailhub!
  • On both smtphost and mailhub install those: 
tubal:~# apt-get install libmail-dkim-perl libcrypt-openssl-random-perl libcrypt-openssl-rsa-perl
  • Headers displaying the problem before installing the packages: notice the T_DKIM_INVALID tag. 
From jfmalouin@gmail.com  Sat Dec 19 14:42:51 2015
Return-Path: <jfmalouin@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
        tubal.bic.mni.mcgill.ca
X-Spam-Level:
X-Spam-Status: No, score=-98.2 required=4.5 tests=BAYES_50,FREEMAIL_FROM,
        HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_SOFTFAIL,T_DKIM_INVALID,USER_IN_WHITELIST
        autolearn=no version=3.3.2
Received: from kurma.bic.mni.mcgill.ca (kurma.bic.mni.mcgill.ca [132.206.178.241])
        by tubal.bic.mni.mcgill.ca  with ESMTP id tBJJgpBe029566
        for <malin@mailhub.bic.mni.mcgill.ca>; Sat, 19 Dec 2015 14:42:51 -0500
Received: from mail-yk0-f180.google.com (mail-yk0-f180.google.com [209.85.160.180])
        by kurma.bic.mni.mcgill.ca  with ESMTP id tBJJgjH6007317
        for <malin@bic.mni.mcgill.ca>; Sat, 19 Dec 2015 14:42:50 -0500
Authentication-Results: kurma.bic.mni.mcgill.ca; dkim=pass
        reason="2048-bit key; insecure key"
        header.d=gmail.com header.i=@gmail.com header.b=DZLaqiKv;
        dkim-adsp=pass; dkim-atps=neutral
Received: by mail-yk0-f180.google.com with SMTP id x184so95124517yka.3
        for <malin@bic.mni.mcgill.ca>; Sat, 19 Dec 2015 11:42:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=Fz4+HnCdt0HrklvbrusCCSM0GeMqoF0TspNjDUO+HuU=;
        b=DZLaqiKvOTRWUJ4O/Vg2wLEpaB67Z8fSgWo6Ss2th/NqSa8jZvx4d1RQISfQBCQaz3
        8A91MBixfjDvizrl23QFRf8h9f9K8TGrTGSINLXBuaRFhwWUAzEmvI6tbUKuwjAvMfHR
        3OfftdMD9Rbhm5KD81rSpFYoBAcbVz8syRkv7DIijIz5hs7ufU3SSiOitYL8JkJOmx2o
        +evkcufvZITebZaljwoS8E2wRJP2UTQOCtCaxbq0cJThb6Wq2ywg6V4JabA/Dnch82CI
        TCtoRpViSQr4tEVBdv/dKsY6bauhPb32VBnenASht3pF+uAkEbytEX2bX7Kuz1YZwtXA
        5Prg==
  • After installing the missing packages ON TUBAL.
  • Notice the DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU SpamAssassin tags.
  • The header Authentication-Results: is inserted by OpenDKIM on smtphost and indicates that the signature is ok and verified. See RFC5451. 
From jfmalouin@gmail.com  Sat Dec 19 14:57:21 2015
Return-Path: <jfmalouin@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
        tubal.bic.mni.mcgill.ca
X-Spam-Level:
X-Spam-Status: No, score=-98.3 required=4.5 tests=BAYES_50,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,
        SPF_SOFTFAIL,USER_IN_WHITELIST autolearn=no version=3.3.2
Received: from kurma.bic.mni.mcgill.ca (kurma.bic.mni.mcgill.ca [132.206.178.241])
        by tubal.bic.mni.mcgill.ca  with ESMTP id tBJJvLon010615
        for <malin@mailhub.bic.mni.mcgill.ca>; Sat, 19 Dec 2015 14:57:21 -0500
Received: from mail-yk0-f174.google.com (mail-yk0-f174.google.com [209.85.160.174])
        by kurma.bic.mni.mcgill.ca  with ESMTP id tBJJvDiu010635
        for <malin@bic.mni.mcgill.ca>; Sat, 19 Dec 2015 14:57:19 -0500
Authentication-Results: kurma.bic.mni.mcgill.ca; dkim=pass
        reason="2048-bit key; insecure key"
        header.d=gmail.com header.i=@gmail.com header.b=FNu+aZk/;
        dkim-adsp=pass; dkim-atps=neutral
Received: by mail-yk0-f174.google.com with SMTP id 140so94699292ykp.0
        for <malin@bic.mni.mcgill.ca>; Sat, 19 Dec 2015 11:57:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=GoWZxGQdDc8HzV6f8igaJWOClsIzjCrOecXJpb8CiN4=;
        b=FNu+aZk/DldzJBmmgVvOmCaJV25Sv+0KBI6ZzP+NbHqptjXCHr/Y3+C6OkE3JWGyYo
        eMzlesPK8Hc/fiUu/d0+o7nkZzQT1l9sk+lwKC/hCEd/jjNmxst8KwQcULV1335WqiwB
        OofHXRmagEPwnQVK0FXlEnZsTlllGw1ChKvAoGLouT0gHlT/VzQebmx/IXZXbBJfEQUg
        i42p8EiuXsqNkHHdSFVZ7G6S+Us4lTCxEgIZ3izeooZ08K15APUHdpQQ+rgE9HrBRSEW
        GchCpn7EByzzRUwtyedFVb4g+t3y6pzBETtiUGijMEsRsGgRuZPCpYcAeKHNfOJfsLeD
        A4vQ==

CORE MAILHOST

  • Accept smtp connections from and only from smtphost.
  • Performs final delivery of mail coming from smtphost.bic.mni.mcgill.ca in /var/mail.
  • Performs aliasing and/or forwarding and also remaps addresses through virtusertable and generistable as it is currently done on shadow.
  • Acts as a nullclient for outbound mail: message is relayed to smtphost.bic.mni.mcgill.ca for sanitization and sent out if clean.
  • Inbound mail (say from host1.bic.mni.mcgill.ca to host2.bic.mni.mcgill.ca) is first relayed to smtphost, sanitized and then (if clean) relayed to mailhost.bic.mni.mcgill.ca who performs final delivery.
  • For that to happen smtphost.bic.mni.mcgill.ca needs to know which hosts are ‘local’, ie they must be listed in the Cw class in its sendmail config.
  • mailhost.bic.mni.mcgill.ca should have SMART_HOST set to ``smtphost.bic.mni.mcgill.ca′:

(:source:) 

 define(SMART_HOST’, `smtphost.bic.mni.mcgill.ca.’)

(:sourceend:)

  • IMAP connections should be done on mailhost.bic.mni.mcgill.ca as users authentication information is not available on smtphost. Users authentication is in /etc/cram-md5.txt. This is a flat text file (with TABS as separator!) so it must be readable by root only as the imapd daemon runs as root as per inetd.conf on imaphost.
  • /etc/hosts.allow should have this entry

(:source:) 

sendmail: smtphost.bic.mni.mcgill.ca 127.0.0.1

(:sourceend:)

  • Localhost is necessary because when delivery is done through files (or includes) as for mailman sendmail attemps a connection to 127.0.0.1
  • Maximum message size set at 10MB.
  • Quotas should be enabled for /var/mail.

Null Clients

The new host must be added to the file /etc/mail/local-host-names on smtphost.bic.mni.mcgill.ca and sendmail must be restarted.

Sendmail client

Do not run sendmail in daemon mode, just the msp. Edit the file /etc/mail/sendmail.conf: (:source:) DAEMON_NETMODE=“Static”; DAEMON_NETIF=“eth0”; DAEMON_MODE=“None”; DAEMON_PARMS=“ ”; DAEMON_HOSTSTATS=“No”; DAEMON_MAILSTATS=“No”; QUEUE_MODE=“Daemon”; QUEUE_INTERVAL=“10m”; QUEUE_PARMS=“ ”; MSP_MODE=“Daemon”; MSP_INTERVAL=“10m”; MSP_PARMS=“ ”; MSP_MAILSTATS=“${DAEMON_MAILSTATS}”; MISC_PARMS=“ ”; CRON_MAILTO=“root”; CRON_PARMS=“ ”; LOG_CMDS=“No”; HANDS_OFF=“No”; AGE_DATA=“ ”; DAEMON_RUNASUSER=“No”; DAEMON_STATS=“${DAEMON_MAILSTATS}”; MSP_STATS=“${MSP_MAILSTATS}”; (:sourceend:)

and run /usr/sbin/sendmailconfig to have the new settings take effect.

To just submit to smtphost.bic.mni.mcgill.ca stick the following in /etc/mail/submit.mc: (:source:) define(`_USE_ETC_MAIL_’)dnl include(÷usr/share/sendmail/cf/m4/cf.m4’)dnl VERSIONID(`$Id: submit.mc, v 8.13.4–3 2005–06–03 16:49:22 cowboy Exp $’) OSTYPE(`debian’)dnl DOMAIN(`debian-msp’)dnl FEATURE(`msp’, `smtphost.bic.mni.mcgill.ca.’)dnl (:sourceend:)

and remake the sendmail *.cf files with make -C /etc/mail.

Exim client

A exim client using a smarthost can be configured using the following. First, we only need a queuing daemon as the nullclient doesn’t listen for incoming connection.

(:source:)
~# ~malin/bin/crush /etc/default/exim4 
EX4DEF_VERSION=''
QUEUERUNNER='queueonly'
QUEUEINTERVAL='10m'
COMMONOPTIONS=''
QUEUERUNNEROPTIONS=''
QFLAGS=''
SMTPLISTENEROPTIONS=''

Modify /etc/exim4/update-exim4.conf.conf as below and reconfigure exim4-config with dpkg-reconfigure exim4-config.

There is a funny thing happening when using (the simpler) dc_eximconfig_configtype=‘satellite’: if you try to send an email to an local address (say blah@bic.mni.mcgill.ca) then you’ll get a ‘unroutable address’ if blah is not an exiting user! This obviously breaks the aliasing done on mailhost, and address remapping on smtphost. This might be related to NIS but I find the exim Debian package a bit weird and strange so rather than debuuging this I used the following config:

(:source:)
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost='bic.mni.mcgill.ca'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtphost.bic.mni.mcgill.ca'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

boo

$Author: malin $
Last Modified on $Date: 2013-10-24 19:51:10 $