This document describes how to install milter manager to FreeBSD. See Install for general install information.
This document assumes that FreeBSD 10.0-RELEASE is used.
When the following packages are installed, related packages are also installed:
We use Postfix as MTA:
% sudo pkg install --yes postfix
We use spamass-milter, clamav-milter and milter-greylist as milters:
% sudo pkg install --yes spamass-milter milter-greylist clamav-milter
Install milter-manager.
% sudo pkg install --yes milter-manager
Here is a basic configuration policy.
We use a UNIX domain socket for accepting connections from the MTA, for security and speed.
We use a general user as milter's effective user. This is also for security. The 'mail' group has read/write permission on the UNIX domain socket. The 'postfix' user is joined to the 'mail' group.
milter-greylist should be applied only if the S25R condition is matched, to reduce needless delivery delay. But this configuration is done automatically by milter-manager. We need to do nothing for it.
First, we configure spamd.
We create /usr/local/etc/mail/spamassassin/local.cf with the following configuration. This configuration adds headers only if spam is detected.
remove_header ham Status
remove_header ham Level
We need to append the following to /etc/rc.conf to enable spamd:
spamd_enable=YES
If our SMTP server has many concurrent connections, we should increase the max concurrent connections. It is 5 by default. A good first value is about 1/3 of the max SMTP connections, e.g. about 30 for an SMTP server with about 100 connections:
spamd_flags="-c --max-children=30 "
We can adjust it to an appropriate value after operation starts. We can see milter manager's statistics graphs at that time.
Update SpamAssassin's rule file and start spamd:
% sudo sa-update
% sudo /usr/sbin/service sa-spamd start
Next, we configure spamass-milter. We run spamass-milter with the 'spamd' user and 'spamd' group.
spamass-milter creates a socket file as /var/run/spamass-milter.sock by default. But a general user can't create a new file in /var/run/. We create the /var/run/spamass-milter/ directory owned by the 'spamd' user. spamass-milter creates its socket file in that directory:
% sudo mkdir /var/run/spamass-milter/
% sudo /usr/sbin/chown spamd:spamd /var/run/spamass-milter
We add the following to /etc/rc.conf:
spamass_milter_enable="YES"
spamass_milter_user="spamd"
spamass_milter_group="spamd"
spamass_milter_socket="/var/run/spamass-milter/spamass-milter.sock"
spamass_milter_socket_owner="spamd"
spamass_milter_socket_group="mail"
spamass_milter_socket_mode="660"
spamass_milter_localflags="-u spamd -- -u spamd"
spamass-milter should be started:
% sudo /usr/sbin/service spamass-milter start
First, we configure ClamAV.
We add the following to /etc/rc.conf to enable clamd and freshclam:
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
Get the latest definition files before running clamd:
% sudo /usr/local/bin/freshclam
clamd and freshclam should be started:
% sudo /usr/sbin/service clamav-clamd start
% sudo /usr/sbin/service clamav-freshclam start
clamav-milter is run as the 'clamav' user and 'clamav' group by default. We use this configuration because the 'clamav' user is a general user. We set group read/write permission on the socket.
We add the following to /etc/rc.conf:
clamav_milter_enable="YES"
clamav_milter_socket_mode="660"
clamav_milter_socket_group="mail"
We may need to configure /usr/local/etc/clamav-milter.conf. e.g.:
/usr/local/etc/clamav-milter.conf
Before:
#OnInfected Quarantine
#AddHeader Replace
#LogSyslog yes
#LogFacility LOG_MAIL
#LogInfected Basic
After:
OnInfected Reject
AddHeader Replace
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Full
Here are explanations of the above configurations:
clamav-milter should be started:
% sudo /usr/sbin/service clamav-milter start
We run milter-greylist as the 'mailnull' user and 'mailnull' group. The 'mailnull' user is the default configuration and it is an unused user in a Postfix environment.
We copy /usr/local/etc/mail/greylist.conf.sample to /usr/local/etc/mail/greylist.conf and change it for the following configurations:
Note: This configuration relaxes the Greylist check to avoid Greylist's adverse effects. It increases received spam mails, but we should give priority to avoiding false positives over avoiding false negatives. We should not expect to block all spam mails by Greylist. We can block spam mails that aren't blocked by Greylist with other anti-spam techniques such as SpamAssassin. milter manager helps with constructing a mail system that combines several anti-spam techniques.
Before:
socket "/var/milter-greylist/milter-greylist.sock"
user "mailnull:mailnull"
racl whitelist default
After:
socket "/var/milter-greylist/milter-greylist.sock" 660
user "mailnull:mail"
subnetmatch /24
greylist 10m
autowhite 1w
racl greylist default
We add the following to /etc/rc.conf:
miltergreylist_enable="YES"
miltergreylist_runas="mailnull:mail"
milter-greylist should be started:
% sudo /usr/sbin/service milter-greylist start
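With all three milters running, the socket policy described earlier (mode 660, group 'mail') can be checked directly. The following is an added example, not part of the milter manager documentation; it parses ls -ld output so the same script works on FreeBSD and GNU userlands, and it takes the clamav-milter socket path from the --show-config output shown later on this page.

```sh
# Added example (not milter manager project code): audit milter sockets.

# perm_ok PATH GROUP: succeed only if PATH has mode 660 and group GROUP.
# Parses `ls -ld` (field 1 = permissions, field 4 = group name).
perm_ok() {
  ls -ld "$1" 2>/dev/null | awk -v grp="$2" '
    { ok = (substr($1, 2, 9) == "rw-rw----" && $4 == grp) }
    END { exit !ok }'
}

# audit_sockets GROUP PATH...: print one line per path and return the
# number of paths that are not sockets or have the wrong mode or group.
audit_sockets() {
  grp=$1; shift
  fails=0
  for s in "$@"; do
    if [ ! -S "$s" ]; then
      echo "FAIL $s: not a socket (is the milter running?)"
    elif ! perm_ok "$s" "$grp"; then
      echo "FAIL $s: want mode 660 and group $grp, got: $(ls -ld "$s")"
    else
      echo "ok   $s"
      continue
    fi
    fails=$((fails + 1))
  done
  return "$fails"
}

# Socket paths configured on this page; 'mail' is the group given access.
audit_sockets mail \
  /var/run/spamass-milter/spamass-milter.sock \
  /var/run/clamav/clmilter.sock \
  /var/milter-greylist/milter-greylist.sock ||
  echo "$? socket(s) need attention"
```

A world-writable socket (mode 666) or one left in the daemon's own group shows up as a FAIL line with the actual ls -ld entry.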
We create the 'milter-manager' user because we run milter-manager as the 'milter-manager' user:
% sudo /usr/sbin/pw groupadd milter-manager
% sudo /usr/sbin/pw useradd milter-manager -g milter-manager -G mail -m
milter-manager detects milters that are installed in the system. We can confirm that spamass-milter, clamav-milter and milter-greylist are detected:
% sudo /usr/local/sbin/milter-manager -u milter-manager --show-config
The following output shows milters are detected:
...
define_milter("milter-greylist") do |milter|
  milter.connection_spec = "unix:/var/milter-greylist/milter-greylist.sock"
  ...
  milter.enabled = true
  ...
end
..
define_milter("clamav-milter") do |milter|
  milter.connection_spec = "unix:/var/run/clamav/clmilter.sock"
  ...
  milter.enabled = true
  ...
end
..
define_milter("spamass-milter") do |milter|
  milter.connection_spec = "unix:/var/run/spamass-milter/spamass-milter.sock"
  ...
  milter.enabled = true
  ...
end
..
We should confirm the milter's name, socket path and 'enabled = true'. If the values are unexpected, we need to change /usr/local/etc/milter-manager/milter-manager.conf. See Configuration for details of milter-manager.conf.
But if we can, we want to use milter manager without editing milter-manager.conf. If you report your environment to the milter manager project, the milter manager project may improve its detection method.
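The confirmation of name, socket path and 'enabled = true' can be scripted rather than read by eye. The following is an added example, not code from the milter manager project; the expected socket paths are the ones in the output above, and the embedded sample is constructed from that output with the elided lines dropped.

```sh
# Added example (not milter manager project code): check --show-config output.

# check_milter NAME SPEC: read show-config text on stdin; succeed only if the
# define_milter("NAME") block has connection_spec SPEC and enabled = true.
check_milter() {
  awk -v name="$1" -v spec="$2" '
    index($0, "define_milter(\"" name "\")") == 1 { inblk = 1; next }
    inblk && $1 == "end" { inblk = 0 }
    inblk && $1 == "milter.connection_spec" {
      got = $3; gsub(/"/, "", got); if (got == spec) spec_ok = 1
    }
    inblk && $1 == "milter.enabled" && $3 == "true" { enabled = 1 }
    END { exit !(spec_ok && enabled) }'
}

# audit_config: read show-config text on stdin, print one line per expected
# milter, and return the number of milters that failed the check.
audit_config() {
  cfg=$(cat); fails=0
  while read -r name spec; do
    if printf '%s\n' "$cfg" | check_milter "$name" "$spec"; then
      echo "ok   $name"
    else
      echo "FAIL $name: want $spec and enabled = true"
      fails=$((fails + 1))
    fi
  done <<EOF
milter-greylist unix:/var/milter-greylist/milter-greylist.sock
clamav-milter unix:/var/run/clamav/clmilter.sock
spamass-milter unix:/var/run/spamass-milter/spamass-milter.sock
EOF
  return "$fails"
}

# Constructed sample, shortened from the output shown above.
SAMPLE='define_milter("milter-greylist") do |milter|
  milter.connection_spec = "unix:/var/milter-greylist/milter-greylist.sock"
  milter.enabled = true
end
define_milter("clamav-milter") do |milter|
  milter.connection_spec = "unix:/var/run/clamav/clmilter.sock"
  milter.enabled = true
end
define_milter("spamass-milter") do |milter|
  milter.connection_spec = "unix:/var/run/spamass-milter/spamass-milter.sock"
  milter.enabled = true
end'
printf '%s\n' "$SAMPLE" | audit_config
```

On the server, pipe the real output of the --show-config command above into audit_config instead of the sample. A milter that is missing, disabled, or listening on a different socket is reported as a FAIL line, which matters because a scanner that silently drops out of the chain stops filtering mail.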
milter-manager creates its socket file as /var/run/milter-manager/milter-manager.sock by default on FreeBSD. We need to create the /var/run/milter-manager directory before running milter-manager:
% sudo mkdir -p /var/run/milter-manager
% sudo /usr/sbin/chown -R milter-manager:milter-manager /var/run/milter-manager
milter-manager's configuration is completed. Next, we set up running milter-manager.
We add the following to /etc/rc.conf to enable milter-manager:
miltermanager_enable="YES"
milter-manager should be started:
% sudo /usr/sbin/service milter-manager start
/usr/local/bin/milter-test-server is useful to confirm that milter-manager is running:
% sudo -u mailnull milter-test-server -s unix:/var/run/milter-manager/milter-manager.sock
Here is a sample success output:
status: pass
elapsed-time: 0.128 seconds
If milter-manager fails to run, the following message will be shown:
Failed to connect to unix:/var/run/milter-manager/milter-manager.sock: No such file or directory
In this case, we can use the log to solve the problem. milter-manager is verbose if the --verbose option is specified. milter-manager outputs logs to standard output if milter-manager isn't a daemon process.
We add the following to /etc/rc.conf to output the verbose log to standard output:
miltermanager_debug="YES"
milter-manager should be restarted:
% sudo /usr/sbin/service milter-manager restart
Some logs are output if there is a problem. The running milter-manager can be exited by Ctrl+c.
The miltermanager_debug configuration in /etc/rc.conf should be commented out after the problem is solved, to run milter-manager as a daemon process. And milter-manager should be restarted.
We add 'postfix' user to 'mail' group:
% sudo /usr/sbin/pw groupmod mail -m postfix
We start the milter configuration.
We add the following milter configuration to /usr/local/etc/postfix/main.cf:
milter_protocol = 6
milter_default_action = accept
milter_mail_macros = {auth_author} {auth_type} {auth_authen}
Here are descriptions of the configuration.
We need to register milter-manager to Postfix. It's important that spamass-milter, clamav-milter and milter-greylist don't need to be registered because they are used via milter-manager.
We add the following to /usr/local/etc/postfix/main.cf:
smtpd_milters = unix:/var/run/milter-manager/milter-manager.sock
Postfix should reload its configuration:
% sudo /usr/sbin/service postfix reload
Postfix's milter configuration is completed.
milter-manager logs to syslog. If milter-manager works well, some logs are shown in /var/log/maillog. We need to send a test mail to confirm.
There are many configurations needed to make milters and Postfix work together. They can be reduced by introducing milter-manager.
Without milter-manager, we need to specify the sockets of spamass-milter, clamav-milter and milter-greylist in smtpd_milters. With milter-manager, we don't need to specify their sockets; we just specify the socket of milter-manager. They are detected automatically. We don't need to worry about small mistakes like typos.
milter-manager also supports the xxx_enable="NO" configuration used in /etc/rc.conf. If we disable a milter, we use the following steps:
% sudo /usr/sbin/service XXX stop
% sudo vim /etc/rc.conf # XXX_enable="YES" => XXX_enable="NO"
We need to reload milter-manager after we disable a milter.
% sudo /usr/sbin/service milter-manager reload
milter-manager detects that the milter is disabled and doesn't use it. We don't need to change Postfix's main.cf.
We can reduce maintenance cost by introducing milter-manager if we use several milters on FreeBSD.
milter manager also provides tools to help operation. Installing them is optional, but they reduce operation cost too. If we also install them, we go to Install to FreeBSD (optional).