source: npl/mailserver/dspam/dspam-3.10.2/doc/postfix.txt @ d36701a

$Id: postfix.txt,v 1.0 2009/11/15 20:29:15 sbajic Exp $

POSTFIX INTEGRATION

Please follow the instructions in the README for building DSPAM. Once DSPAM
has been built, the following instructions may be used to integrate it with
Postfix.


INTEGRATING DSPAM AS A CONTENT FILTER

The most seamless way to integrate DSPAM into Postfix is as a content filter.
This requires very little work, and allows the two to communicate seamlessly.
You may want to first read Postfix's FILTER_README from the Postfix source tree
or online at http://www.postfix.org/FILTER_README.html to familiarize yourself
with what we're doing. In a nutshell, Postfix sends all mail to the content
filter instead of delivering it. It's the content filter's job to then pass
the [modified] message back into Postfix (called reinjection) or do something
else with the message. By default, DSPAM will quarantine what it believes is
spam, but it can be configured to tag it instead. We will use DSPAM's LMTP and
SMTP functionality to integrate the two seamlessly together like so:

[Postfix] (LMTP) -> [DSPAM]                     [Postfix] -> { Delivery }
                       |___ (SMTP Reinjection) ____|

Step 1: Configure DSPAM as a server daemon

  The first step is to configure DSPAM to listen as an LMTP server on a local
  UNIX socket. This is what Postfix will connect to when it sends messages to
  DSPAM. Be sure you have configured DSPAM with the --enable-daemon option.
  You will need to use an MT-safe storage driver, such as MySQL or PostgreSQL.
  Once you have DSPAM installed, make the following changes in dspam.conf:

ServerMode              auto
ServerParameters        "--deliver=innocent"
ServerIdent             "localhost.localdomain"
ServerPID               /var/run/dspam.pid
ServerDomainSocketPath  "/tmp/dspam.sock"

  This will tell DSPAM to listen on /tmp/dspam.sock using the options above.

  You'll also need to configure DSPAM to pass the good mail back into Postfix.
  Comment out any "TrustedDeliveryAgent" option in dspam.conf and replace it
  with the options below. We'll use local TCP port 10026 in our example.

DeliveryHost            127.0.0.1
DeliveryPort            10026
DeliveryIdent           localhost
DeliveryProto           SMTP

  This tells DSPAM to deliver using SMTP to port 10026 on the local machine.
  We'll configure Postfix to listen on this port for reinjection.

  Finally, you'll want to use DSPAM's ParseToHeader option. This option tells
  DSPAM to automatically train when it sees a spam- or notspam- address in
  the To: header. Depending on how you have configured DSPAM to manage users,
  your settings may be slightly different. On a typical setup, where the
  entire email address is the user's DSPAM username, you would use something
  like this:

ParseToHeaders          on
ChangeModeOnParse       on
ChangeUserOnParse       full

  This means if a user forwards their spam to spam-bob@example.org, the
  username will be set to bob@example.org and the training mode will be set to
  "learn spam".

  You can then start DSPAM:  dspam --daemon &

Step 2: Configure Postfix to use a content filter

  The next step is to configure Postfix to use DSPAM as a content filter.
  This is relatively simple and requires only a minor change to your
  master.cf file:

  Change:

smtp      inet  n       -       n       -       -        smtpd

  To:

smtp      inet  n       -       n       -       -        smtpd
  -o content_filter=lmtp:unix:/tmp/dspam.sock

  This tells Postfix to send all mail to DSPAM for content filtering.

  If your Postfix installation is chrooted (as eg. the default Postfix 
  configuration in Debian GNU/Linux), make sure the socket is located 
  within the chroot (eg. /var/spool/postfix/var/run/dspam/dspam.sock).

  Make sure the user under which dspam runs has write access to the
  socket directory.

  You can also change Postfix configuration so that it does not run
  chrooted (both smtp and lmtp services should be modified as follows:

smtp      inet  n       -       n       -       -        smtpd
  -o content_filter=lmtp:unix:/var/run/dspam/dspam.sock
lmtp      inet  n       -       n       -       -        smtpd

  The 3rd dash specifies if the process will run chrooted or not.


 If your SMTP server is also used as a relay, and you want DSPAM to
 only inspect incoming mail, you can use the following as an alternative
 to the pure content filtering method:

 You will need Postfix support for PCRE maps (perl compatible regular
 expression).
 
 In Postfix main.cf, add the following to your smtpd_recipient_restrictions:

smtpd_recipient_restrictions = 
  [...]
  check_recipient_access pcre:/etc/postfix/dspam_filter_access

 where dspam_filter_access contains:

/./ FILTER dspam:dspam

 Add he following service at the end of master.cf:

dspam                 unix    -       n       n       -       -    pipe
  flags=Ru user=dspam argv=/usr/bin/dspam
  --client
  --deliver=innocent,spam
  --user ${recipient}
  --mail-from=${sender}

 You will also have to add the following line in main.cf:
dspam_destination_recipient_limit = 1


Step 3: Configure a reinjection port

  You'll also need to configure Postfix to listen on a local port for
  reinjection. This is where DSPAM sends back the "good" mail (or alternatively,
  tagged mail also). Add this to your master.cf:

localhost:10026 inet  n -       n       -       -        smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

  Any mail sent to localhost:10026 will be delivered in whatever way you
  have configured Postfix, without being passed through DSPAM again. This is
  also where DSPAM will deliver false positives to when they are retrained by
  the user.

You're now good to go! Turn on Postfix and do a little testing. Send a message
to yourself on port 25. It should have X-DSPAM headers. Send a message to
yourself on port 10026. It should not.

If you are deadset against running DSPAM as a server daemon, this design can
be changed to call DSPAM via commandline, and have DSPAM reinject by calling
Postfix's sendmail function. I wouldn't recommend this, but here's how.
Instead of configuring DSPAM's DeliveryHost and Server options, you'll want to
configure DSPAM to call sendmail to deliver mail:

TrustedDeliveryAgent    /usr/sbin/sendmail
Trust postfix

Use the same ParseToHeader options already outlined above. Next, instead of
having Postfix pass the message to DSPAM via LMTP, you can use:

smtp      inet  n       -       n       -       -        smtpd
  -o content_filter=dspam:

dspam     unix  -       n       n       -      10        pipe
  flags=Ruq user=vmail argv=/usr/local/bin/dspam
  --deliver=innocent
  --user ${recipient}
  -i -f ${sender} -- ${recipient}

To avoid users getting a message multiple times when the message contains
more then one recipient you need to lower the concurrency limit for the
above mentioned Postfix pipe service to 1. Add this to your main.cf:

dspam_destination_recipient_limit = 1


INTEGRATING DSPAM AS A DELIVERY PROXY

Postfix can optionally be configured to integrate with DSPAM as a delivery
proxy if you're using a third party delivery agent for final delivery to
your mailbox.

The first step in getting DSPAM to work is to get mail delivery to work with
one of these external LDAs before integrating DSPAM with Postfix.

You can configure DSPAM with the appropriate LDA using --with-delivery-agent=
at configure time or by specifying TrustedDeliveryAgent in dspam.conf.
For example:

TrustedDeliveryAgent    "/usr/bin/procmail"

You'll also want to configure the untrusted delivery agent in a similar
fashion:

UntrustedDeliveryAgent  "/usr/bin/procmail -d %u"

If you are using maildrop, you'll need to be sure you've compiled maildrop to
trust the user that DSPAM is running as.

Once you have configured a local delivery agent into DSPAM, the simplest way
to configure Postfix for local users is to set the mailbox_command directive
to point to DSPAM. This can be done by editing /etc/postfix/main.cf:

mailbox_command = /usr/local/bin/dspam --deliver=innocent --user $USER -- -d %u

If you're running a delivery agent (such as Cyrus deliver) that has a problem
with the top 'From' header, you may need to perform some sed magic:

mailbox_command = sed '1{/^From /d;}' | /usr/local/bin/dspam --deliver=innocent --user $USER -- -d %u

Now, configure the aliases as prescribed in the README and you're good to go!


CYRUS INTEGRATION

If you're using Cyrus to deliver mail locally, you'll want to specify the
following in dspam.conf:

TrustedDeliveryAgent "/usr/cyrus/bin/deliver $u"

Then use the following in Postfix:

mailbox_command = /usr/local/bin/dspam --user ${user} --deliver=innocent