Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 13 Jul 2007 03:35:02 -0500
From:      Paul procacci <pprocacci@bellsouth.net>
To:        Olivier Nicole <on@cs.ait.ac.th>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Transparent email proxy
Message-ID:  <46973936.6080104@bellsouth.net>
In-Reply-To: <200707130730.l6D7U6v9086226@banyan.cs.ait.ac.th>
References:  <200707130730.l6D7U6v9086226@banyan.cs.ait.ac.th>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is a multi-part message in MIME format.
--------------050105030203070803000500
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Olivier Nicole wrote:
> Hi,
>
> As an ISP, or the person in charge of a large organisation, have you
> ever set-up a transparent email redirection: all outgoing email would
> be proceeded to an outgoing server in order to check for virus, spam,
> whatever.
>
> Best regards,
>
> Olivier
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
>   
The answer to your question is yes.  To elaborate a bit more however 
here is a personal document I wrote (i.e. wasn't intended for anyone 
else), hopefully it provides you with good enough information and/or the 
information you were looking for.  Mind you, this is BSD and qmail (yes, 
I'm a fanboy) specific.  This assumes you are familiar with the software 
I decided to use under the components heading.  Certainly feel free to 
ask any questions.  I realize the document isn't "production quality" 
due to the reasons given about, but rest assured I can vouche for this 
method.

Additionally note, this is obviously not the only method.....just that 
it's my method.    ;P  Cheers!

~Paul

----------------------------------------------

I have 5 machines behind a load balancer, one of which is FBSD 4.11, and 
the other 4 are FBSD 6.2.  The component list I used is as follows:

Components
 
tcpserver
daemontools
qmail w/ QMAILQUEUE patch
qmail-qfilter
spamassassin
*custom c scripts  (These are optional; one is provided)


Flow

This is the current flow of any emails that reach the cluster. Note the 
items listed within *'s are custom programs and explained later in this 
document:

tcpserver->qmail-smtpd->qmail-qfilter->spamc->*reject_spam*->qmail-queue->qmail-remote 


**Note :: reject_spam is included because that is needed for denying 
emails.  (You could rewrite it in perl or sh if you needed to)

Installation

The installation for any new and existing proxy boxes is extremely 
straightforward.

For all but qmail listed above, use the ports tree.

Setup spamd to create the /tmp/.spamd.sock socket.  That's what I call 
mine, yours can/will vary.

Once all this is installed, create /etc/tcp.smtp with the following 
entry and build the cdb file:
:+RELAYCLIENT=+QMAILQUEUE=/var/qmail/bin/qmail-queue-spam

Ensure tcpserver uses that file(i.e. -x)

While in /usr/ports/qmail.....

  a) upload the attached files (patch-qmail.c and patch-Makefile) into 
./files/

  b) edit patch-qmail.c to reflect a message you would like to give.
    '+    case 20: return "DAnti-SPAM Threshold Reached see 
http://domain.com/legal_information.aspx";'

  c) type: make extract

  d) type: make patch

  e)  copy the attached file (reject-spam.c) to ./work/qmail*/

  f) Now, I haven't included some of my patches here do to sensative 
information.  Therefore, you'll need to edit the Makefile 
(work/qmail-*/Makefile) to removed any and all references to check_block 
and reject-record-spam.

  g) type: make install

  h) copy reject-spam to /var/qmail/bin

   i) Copy the  attached shell script (qmail-queue-spam) to 
/var/qmail/bin/; that is going to tie this together.

Please note that it's NECESSARY to use the local software FW to allow 
relaying.  IPFW is a good choice (my preference anyways).  Deny 
everything to port 25, and  only allow the hosts you want.  I found this 
to be the easiest.
  Then on those hosts, smarthost the "hidden" (not really) machine.

--------------050105030203070803000500
Content-Type: text/plain;
 name="patch-Makefile"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="patch-Makefile"

--- Makefile.orig	Thu Dec 14 16:23:19 2006
+++ Makefile	Thu Dec 14 16:25:12 2006
@@ -157,6 +157,37 @@
 	> binm2
 	chmod 755 binm2
 
+check_block: \
+load check_block.o alloc.a error.a stralloc.a substdio.a control.o env.a open.a \
+getln.a fs.a str.a
+	./load check_block control.o stralloc.a substdio.a alloc.a \
+	error.a env.a str.a open.a getln.a fs.a str.a -L/usr/local/lib/mysql -lmysqlclient
+
+check_block.o: \
+compile check_block.c stralloc.h substdio.h readwrite.h str.h
+	./compile check_block.c -I/usr/local/include
+
+reject-record-spam: \
+load reject-record-spam.o slurpclose.o alloc.a str.a error.a stralloc.a getln.a \
+substdio.a control.o env.a fs.a
+	./load reject-record-spam control.o slurpclose.o getln.a stralloc.a substdio.a alloc.a \
+	error.a env.a str.a fs.a open.a -L/usr/local/lib/mysql -lmysqlclient
+
+
+reject-record-spam.o: \
+compile reject-record-spam.c stralloc.h substdio.h readwrite.h getln.h str.h scan.h fmt.h
+	./compile reject-record-spam.c -I/usr/local/include
+
+reject-spam: \
+load reject-spam.o alloc.a str.a error.a stralloc.a getln.a \
+substdio.a
+	./load reject-spam getln.a stralloc.a substdio.a str.a alloc.a \
+	error.a
+
+reject-spam.o: \
+compile reject-spam.c stralloc.h substdio.h readwrite.h getln.h str.h
+	./compile reject-spam.c
+
 binm2+df: \
 binm2+df.sh conf-qmail
 	cat binm2+df.sh \
@@ -808,7 +839,7 @@
 forward preline condredirect bouncesaying except maildirmake \
 maildir2mbox maildirwatch qail elq pinq idedit install-big install \
 instcheck home home+df proc proc+df binm1 binm1+df binm2 binm2+df \
-binm3 binm3+df
+binm3 binm3+df check_block reject-record-spam reject-spam
 
 load: \
 make-load warn-auto.sh systype

--------------050105030203070803000500
Content-Type: text/plain;
 name="qmail-queue-spam"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="qmail-queue-spam"

#!/bin/sh

exec /usr/local/bin/qmail-qfilter \
        /usr/local/bin/spamc -t 60 -s 250000 -U /tmp/.spamd.sock -- \
        /var/qmail/bin/reject-spam

--------------050105030203070803000500--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?46973936.6080104>