[Dspam-user] Trying to get DSpam+Dovecot working with Postfix and local/virtual domains

Jeremy Doran
Hi,

I'm hoping that someone might be able to help, as I've been going in circles with trying to get the right configuration done here. I'm also not sure whether this is more of a Dovecot or DSpam question, so I'm posting the same to both mailing lists.

My goal is to have a mail setup that is as follows:

[Incoming email] --> [Postfix] --> [Amavis] --> [DSpam] --> [Dovecot LDA] -+---(local domain)---> /var/mail/${user}
                                                                           |
                                                                           +---(virtual)---> /home/vmail/${domain}/${user}@{domain}

As of right now, I have Postfix successfully feeding into Amavis, re-injecting into Postfix with a final delivery for the local domain via procmail, and final delivery for virtual domains via the virtual transport into maildir (but /home/vmail/${user}@${domain})

Virtual domains are being managed by PostfixAdmin. Dovecot is running as the IMAP server. Everything (Postfix, PostfixAdmin, Dovecot) is using a Postgres database as backend for the dynamic maps/authentication.

The problem I've been stumbling over is trying to get DSpam to work nicely with both a local domain and virtual domains/mailboxes, and the same for Dovecot, as I would rather like to make use of the Sieve functionality going forward instead of Procmail. I did have DSpam working, but was unable to get the Dovecot antispam plugin working to re-train based on moving mails into/out of a defined 'SPAM' folder, due to permissions relating to how the antispam plugin was calling DSpam.

I'm really not wanting to make the local domain into a virtual mailbox domain, because there are users on the system (for that local domain) that already use the password in /etc/passwd for accessing the server for other uses. While there are also people who do that who have virtual mailbox domains, it's a far lower number.

Here's what I have so far.

Postfix 2.11.0

main.cf (via 'postconf -nf'):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4 ipv6
local_recipient_maps = $transport_maps unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -a "$EXTENSION"
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, $mydomain
mydomain = critter.net
myhostname = cornix.critter.net
mynetworks = 127.0.0.0/8, 46.4.24.15/32, [::1]/128, [2a01:4f8:131:4263::]/64,
    184.73.168.110/32, [2001:470:7:12ba::]/64
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = -
relay_domains = pgsql:$config_directory/Maps/pgsql_relay_domains_maps.cf
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_CAfile = /etc/ssl/certs/Critter.Net_Certificate_Authority.pem
smtp_tls_cert_file = /etc/ssl/certs/smtp.critter.net.pem
smtp_tls_key_file = /etc/ssl/private/smtp.critter.net.pem
smtp_tls_session_cache_database = /var/db/postfix/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unauth_destination, reject_unauth_pipelining,
    reject_invalid_hostname, reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/Critter.Net_Certificate_Authority.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/smtp.critter.net.pem
smtpd_tls_key_file = /etc/ssl/private/smtp.critter.net.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_use_tls = yes
soft_bounce = yes
tls_random_source = dev:/dev/urandom
transport_maps = pgsql:$config_directory/Maps/pgsql_transport_maps.cf
unknown_local_recipient_reject_code = 450
virtual_alias_maps = pgsql:$config_directory/Maps/pgsql_virtual_alias_maps.cf
virtual_gid_maps = static:400
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains =
    pgsql:$config_directory/Maps/pgsql_virtual_domain_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps =
    pgsql:$config_directory/Maps/pgsql_virtual_mailbox_maps.cf
virtual_minimum_uid = 400
virtual_transport = virtual
virtual_uid_maps = static:400

master.cf (via 'postconf -Mf'):

smtp       inet  n       -       n       -       -       smtpd
24         inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
    -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
amavisfeed unix  -       -       -       -       2       smtp
    -o syslog_name=postfix/amavisfeed
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o syslog_name=postfix/amavis-reinject
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8,[::1]/128
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
dovecot    unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d
    ${user}@${nexthop}

Dovecot 2.2.10

config (via 'dovecot -n'):

# 2.2.10: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.0-RELEASE-p1 amd64
auth_debug = yes
auth_verbose = yes
debug_log_path = /var/log/dovecot-debug.log
first_valid_uid = 400
mail_location = mbox:~/Mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
userdb {
  driver = passwd
}


DSpam 3.9.0

dspam.conf:

Home /var/db/dspam
StorageDriver /usr/local/lib/dspam/libpgsql_drv.so
TrustedDeliveryAgent "/usr/local/bin/procmail"
UntrustedDeliveryAgent "/usr/bin/procmail -d %u"
OnFail error
Trust root
Trust dspam
Trust apache
Trust mail
Trust mailnull
Trust smmsp
Trust daemon
TrainingMode teft
TestConditionalTraining on
Feature whitelist
Algorithm graham burton
Tokenizer chain
PValue bcr
WebStats on
Preference "trainingMode=TEFT"        # { TOE | TUM | TEFT | NOTRAIN } -> default:teft
Preference "spamAction=quarantine"    # { quarantine | tag | deliver } -> default:quarantine
Preference "spamSubject=[SPAM]"        # { string } -> default:[SPAM]
Preference "statisticalSedation=5"    # { 0 - 10 } -> default:0
Preference "enableBNR=on"        # { on | off } -> default:off
Preference "enableWhitelist=on"        # { on | off } -> default:on
Preference "signatureLocation=message"    # { message | headers } -> default:message
Preference "tagSpam=off"        # { on | off }
Preference "tagNonspam=off"        # { on | off }
Preference "showFactors=off"        # { on | off } -> default:off
Preference "optIn=off"            # { on | off }
Preference "optOut=off"            # { on | off }
Preference "whitelistThreshold=10"    # { Integer } -> default:10
Preference "makeCorpus=off"        # { on | off } -> default:off
Preference "storeFragments=off"        # { on | off } -> default:off
Preference "localStore="        # { on | off } -> default:username
Preference "processorBias=on"        # { on | off } -> default:on
Preference "fallbackDomain=off"        # { on | off } -> default:off
Preference "trainPristine=off"        # { on | off } -> default:off
Preference "optOutClamAV=off"        # { on | off } -> default:off
Preference "ignoreRBLLookups=off"    # { on | off } -> default:off
Preference "RBLInoculate=off"        # { on | off } -> default:off
AllowOverride enableBNR
AllowOverride enableWhitelist
AllowOverride fallbackDomain
AllowOverride ignoreGroups
AllowOverride ignoreRBLLookups
AllowOverride localStore
AllowOverride makeCorpus
AllowOverride optIn
AllowOverride optOut
AllowOverride optOutClamAV
AllowOverride processorBias
AllowOverride RBLInoculate
AllowOverride showFactors
AllowOverride signatureLocation
AllowOverride spamAction
AllowOverride spamSubject
AllowOverride statisticalSedation
AllowOverride storeFragments
AllowOverride tagNonspam
AllowOverride tagSpam
AllowOverride trainPristine
AllowOverride trainingMode
AllowOverride whitelistThreshold
AllowOverride dailyQuarantineSummary
MySQLUIDInSignature    on
PgSQLServer        /tmp/
PgSQLUser        dspam
PgSQLPass        xxxxxx
PgSQLDb        dspam
HashRecMax        98317
HashAutoExtend        on
HashMaxExtents        0
HashExtentSize        49157
HashPctIncrease        10
HashMaxSeek        10
HashConnectionCache    10
Notifications    off
PurgeSignatures 14    # Stale signatures
PurgeNeutral    90    # Tokens with neutralish probabilities
PurgeUnused    90    # Unused tokens
PurgeHapaxes    30    # Tokens with less than 5 hits (hapaxes)
PurgeHits1S    15    # Tokens with only 1 spam hit
PurgeHits1I    15    # Tokens with only 1 innocent hit
LocalMX 127.0.0.1
SystemLog    on
UserLog        on
Opt out
ParseToHeaders on
ServerPID        /var/run/dspam.pid
ServerDomainSocketPath  "/var/run/dspam.sock"
ClientHost    /var/run/dspam.sock
ProcessorURLContext on
ProcessorBias on
StripRcptDomain off

All of this is running on a FreeBSD 10-p1 server.

I hope that someone has successfully implemented a similar setup to what I'm aiming for, and might be able to help.

Thanks.
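An added example, not from the post above and not code from the Postfix, Dovecot or DSpam projects: a small Python audit that parses a `postconf -Mf` dump and a `dspam.conf` and cross-checks the two. It assumes DSpam's documented Trust semantics (only accounts listed under `Trust` may pass `--user` for an arbitrary mailbox; any other caller is confined to its own mailbox and handed to `UntrustedDeliveryAgent`) and the Postfix convention that a loopback re-injection listener must override `content_filter` to empty and restrict clients, or filtered mail is sent back through the filter. The sample inputs are constructed excerpts modelled on the configs in the post: the `dovecot` pipe transport runs as `vmail`, which is absent from the posted `Trust` list, and the audit reports that; whether it is the permission problem the poster hit is not established by the post.

```python
import re

# Constructed excerpt laid out like the postconf -Mf dump in the post
# (loopback re-injection listener plus the dovecot pipe transport).
MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o syslog_name=postfix/amavis-reinject
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,[::1]/128
dovecot    unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d
    ${user}@${nexthop}
"""

# Constructed dspam.conf excerpt; the Trust entries follow the post and
# contain no line for vmail.
DSPAM_CONF = """\
Home /var/db/dspam
Trust root
Trust dspam
Trust mail
Trust mailnull
UntrustedDeliveryAgent "/usr/bin/procmail -d %u"   # used for untrusted callers
"""


def parse_master(text):
    """Parse postconf -Mf output into a list of service dicts.

    A service line has eight columns (name, type, private, unpriv, chroot,
    wakeup, maxproc, command) plus optional arguments; indented lines continue
    the previous service's arguments.
    """
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if services:
                services[-1]["args"] += " " + raw.strip()
            continue
        cols = raw.split(None, 8)
        if len(cols) < 8:
            continue  # not a service definition
        services.append({"name": cols[0], "type": cols[1], "command": cols[7],
                         "args": cols[8] if len(cols) > 8 else ""})
    for svc in services:
        # "-o key=value" overrides; the value may be empty ("-o content_filter=")
        svc["opts"] = dict(re.findall(r"-o\s+([A-Za-z0-9_]+)=(\S*)", svc["args"]))
        # pipe(8) "user=name[:group]" attribute
        m = re.search(r"\buser=([^\s:]+)", svc["args"])
        svc["user"] = m.group(1) if m else None
    return services


def parse_dspam(text):
    """Return (trusted_users, settings) from dspam.conf text; '#' starts a comment."""
    trusted, settings = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if parts[0] == "Trust":          # Trust repeats, one account per line
            trusted.add(value)
        else:
            settings[parts[0]] = value
    return trusted, settings


def audit(master_text, dspam_text):
    """Cross-check master.cf against dspam.conf; returns a list of findings."""
    findings = []
    trusted, _ = parse_dspam(dspam_text)
    for svc in parse_master(master_text):
        if svc["command"] == "pipe":
            # DSpam honours --user only from accounts in its Trust list; an
            # untrusted caller is confined to its own mailbox and handed to
            # UntrustedDeliveryAgent, which changes the delivery path silently.
            if svc["user"] is None:
                findings.append(f"{svc['name']}: pipe transport has no user= attribute")
            elif svc["user"] not in trusted:
                findings.append(f"{svc['name']}: runs as {svc['user']}, "
                                f"which is not in DSpam's Trust list")
        if svc["command"] == "smtpd" and svc["name"].startswith("127.0.0.1:"):
            opts = svc["opts"]
            # Re-injection must clear content_filter or the filter loops.
            if opts.get("content_filter") != "":
                findings.append(f"{svc['name']}: re-injection listener does not "
                                f"set an empty -o content_filter=")
            if opts.get("smtpd_client_restrictions") != "permit_mynetworks,reject":
                findings.append(f"{svc['name']}: re-injection listener accepts "
                                f"clients beyond permit_mynetworks,reject")
    return findings


if __name__ == "__main__":
    for finding in audit(MASTER_CF, DSPAM_CONF) or ["no findings"]:
        print(finding)
```

To run it against a live box, replace the two constructed strings with the output of `postconf -Mf` and the contents of `dspam.conf`; adding `Trust vmail` to the DSpam side (or running the transport as an already-trusted account) clears the first finding, and the loop check fires for any loopback smtpd that inherits `content_filter` from main.cf.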

_______________________________________________
Dspam-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/dspam-user