This guide will be rather complex and involve many parts of the system.
Spammers will try to hit your mail server, but there are several ways to block them. Simply blocking them isn't satisfying enough, though: they have already wasted your bandwidth and should be punished for it, shouldn't they? Spamd is a fake SMTP daemon that responds very, very slowly (one character per second), returns a temporary error and then just sits there. With the help of pf you can direct known spammers to spamd instead of your real mail server. A spammer with a badly configured server will be stuck for many minutes trying to connect to your server. This effectively blocks the spammer's outgoing mail queue, which hopefully annoys a spammer with millions of spams to deliver.
Your server will maintain a database with the IP addresses of blacklisted, whitelisted and greylisted remote mail servers. Blacklisted mail servers will always be trapped by your spam trap, while whitelisted servers will always be let through to the real mail server. Greylisted addresses are mail servers that don't exist in either of the previous two lists. They will be trapped the first time they connect to you, but if they try again within a certain amount of time, as they are supposed to if they follow the RFC, they will be whitelisted. If they fail to try again within that time, they will simply be removed after a while and greytrapped again if they ever retry connecting to you. Spammers, who have millions of mails to deliver, don't usually try the same mail twice, so this has proven to be a very effective way of reducing spam.
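To make the three-list logic above concrete, here is a small model of the decision spamd makes for each connecting address. It is an added example, not spamd's own code; the timings are assumed to be spamd's defaults (retry allowed after 25 minutes, grey entries dropped after 4 hours, whitelist entries kept for 36 days) and the addresses in the test are constructed.

```python
"""Model of the blacklist / whitelist / greylist decision described above.
Added example, not spamd's code. Timings are assumed defaults."""
from dataclasses import dataclass, field

PASSTIME = 25 * 60          # assumed: retry must come at least this long after first contact
GREYEXP = 4 * 3600          # assumed: grey entry forgotten if no qualifying retry in this window
WHITEEXP = 36 * 24 * 3600   # assumed: whitelisted host kept this long after its last contact

TRAP, PASS = "trap", "pass"  # trap = redirect to spamd, pass = let through to the real MTA


@dataclass
class Greylister:
    black: set = field(default_factory=set)    # addresses from spamd.conf blacklists
    grey: dict = field(default_factory=dict)   # ip -> time of first contact
    white: dict = field(default_factory=dict)  # ip -> expiry time

    def decide(self, ip, now):
        """Return TRAP or PASS for a connection from ip at time now, updating state."""
        if ip in self.black:
            return TRAP                        # blacklisted: always tarpitted
        exp = self.white.get(ip)
        if exp is not None and now < exp:
            self.white[ip] = now + WHITEEXP    # known-good sender: refresh and let through
            return PASS
        self.white.pop(ip, None)               # expired whitelist entry is simply forgotten
        first = self.grey.get(ip)
        if first is None or now > first + GREYEXP:
            self.grey[ip] = now                # new (or long-forgotten) sender: trap it
            return TRAP
        if now - first < PASSTIME:
            return TRAP                        # retried too soon: still greylisted
        del self.grey[ip]                      # RFC-style retry: promote to whitelist
        self.white[ip] = now + WHITEEXP
        return PASS

    def pf_table_whitelist(self, now):
        """Addresses that belong in the <spamd-white> pf table right now."""
        return sorted(ip for ip, exp in self.white.items() if now < exp)
```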
First install the necessary application.
# cd /usr/ports/mail/spamd
# make
# make install clean
===> Installing for spamd-4.1.2
pw: unknown group `_spamd'
You need a "_spamd" group.
Would you like me to create it [YES]? YES
Done.
pw: no such user `_spamd'
You need a "_spamd" user.
Would you like me to create it [YES]? YES
This system has no entry for spamd in /etc/services
Would you like to add it automatically? [y]? y
This system has no entry for spamd-cfg in /etc/services
Would you like to add it automatically? [y]? y
This system has no entry for spamd-sync in /etc/services
Would you like to add it automatically? [y]? y
During installation you'll be prompted to create a new user and a group called _spamd. This is the account with limited privileges that spamd will run as, and you have to answer yes to these questions. A number of services also have to be added to /etc/services, and you have to answer yes to those questions too. The output also shows a number of additional steps you have to perform to make it all work, and you start by adding these lines to /etc/rc.conf.
Then you have to edit several more configuration files.
/usr/local/etc/spamd/spamd.conf is the main configuration file for spamd. You first have to create it from the example that is included. Note that this file is located in a subfolder to /usr/local/etc.
# cp /usr/local/etc/spamd/spamd.conf.sample /usr/local/etc/spamd/spamd.conf
Then open it in the editor and have a look at it. The main section looks like this:
This section lists all the external blacklists you'll use to trap known spammers. In this case there are four blacklists defined, and each has a corresponding section further down explaining in detail where to get the list of IP addresses and what method to use. You may want to remove china and korea, since those lists aim to contain all known mail servers in those countries because of their spam policy, or rather lack of one. These blacklists will be read regularly through a crontab job and used to update the main spamd database.
In addition to the external blacklists, you should also add a blacklist here that you maintain locally. It can be used to add mail servers that are not considered spammers but still bother you with unwanted advertising mail. Add a blacklist called myblack to the line above.
Then add the following section to the end of the file:
myblack:\
	:black:\
	:msg="Your spammy adverts are not welcome here!":\
	:method=file:\
	:file=/usr/local/etc/myblack:
Exit and save the config file and then create that local blacklist.
# touch /usr/local/etc/myblack
In this file you add the IP addresses of the mail servers you want to block, one IP address per line.
For spamd to be able to update the pf table that will hold all the whitelisted IP addresses, it needs access to the file-descriptor file system, which isn't mounted by default. You need to add it to /etc/fstab so it gets mounted automatically at boot, and then mount it manually for the remainder of this session.
# echo "fdescfs /dev/fd fdescfs rw 0 0" >> /etc/fstab
# mount -a
Verify that it's working:
# mount | grep fdescfs
fdescfs on /dev/fd (fdescfs)
If the mount command returns the above answer, everything is fine.
Your firewall configuration will differ slightly from what was suggested during installation of spamd. Start by adding the needed table last in the section # TABLES. It's absolutely vital to call it <spamd-white> since this name is hard coded into spamd.
table <spamd-white> persist
The rdr rules in the output from the installation are not optimal. By inverting the logic you only need one rdr rule. Furthermore, the same example also uses the pass keyword, which allows the redirected traffic to pass the firewall without an explicit matching firewall rule. This is sloppy and not the way I teach here, so you'll create a separate firewall rule to pass that traffic in its appropriate place. In the # TRANSLATION section, add this line last:
rdr on $ext_if proto tcp from ! <spamd-white> to any port smtp -> 127.0.0.1 port spamd
This is a fine example of how powerful pf's redirect engine is. Any connection from a server that is not whitelisted, to the smtp port on the external interface, will be redirected to spamd's listening port on the internal loopback interface.
You need a firewall rule to allow the traffic that is redirected to spamd to pass in through the external interface. You don't need to prioritize this traffic in any way, because it will mostly be spam, so the line below will be fine. Place it last in the section # Incoming to router.
pass in quick on $ext_if inet proto tcp from any to lo0 port spamd flags S/SA synproxy state queue q_def
Then reload the firewall rules as usual.
# pfctl -nf /etc/pf.conf
# pfctl -F nat ; pfctl -F rules ; pfctl -f /etc/pf.conf
To have spamd's activities logged in a separate file you can add these lines last in /etc/syslog.conf as described in the spamd manual page.
!spamd
daemon.err;daemon.warn;daemon.info	/var/log/spamd
Then create the logfile, add a newsyslog rotation entry and tell syslogd to reread its configuration file.
# touch /var/log/spamd
# echo "/var/log/spamd 644 7 100 * JC" >> /etc/newsyslog.conf
# killall -HUP syslogd
spamd will be started automatically the next time you reboot, but start it manually for now.
# /usr/local/etc/rc.d/obspamd start
Starting obspamd.
# /usr/local/etc/rc.d/obspamlogd start
Starting obspamlogd.
The last thing to do is to make sure spamd-setup is run regularly. It reads the blacklists configured in spamd.conf, picks up any changes and feeds them to spamd. Once an hour is a reasonable frequency.
# setenv EDITOR ee
# crontab -e
Add the following line:
Running spamd-setup manually once now would be a good idea. Remember to run rehash after you install a new application, to re-index the shell's list of executable files; otherwise you'll have to enter the full path to the executable.
# rehash
# spamd-setup
- /usr/local/etc/spamd/spamd.conf contains blacklists for the spam daemon.
- /var/log/spamd keeps the log entries.
- spamdb lists the current grey and white records in the database and can be used to manipulate them.