Home / server / Questions / 8936
In Process
Paul Tomblin
Asked: 2009-05-17 07:44:09 +0800 CST

Run SpamAssassin on virtual_alias in Postfix

  • 772

Ever since I started using Postfix virtual_alias_maps to forward all my email to gmail, I'm getting a ton more spam than when I delivered the mail locally and used SpamAssassin/spamd to filter it. I'm already using smtpd_recipient_restrictions to do the standard spam filtering.

smtpd_recipient_restrictions =
                reject_invalid_hostname,
                reject_non_fqdn_hostname,
                reject_non_fqdn_sender,
                reject_non_fqdn_recipient,
                reject_unknown_sender_domain,
                reject_unauth_pipelining,
                permit_mynetworks,
                reject_unauth_destination,
                reject_rbl_client zen.spamhaus.org,
                reject_rbl_client list.dsbl.org,
                reject_rbl_client korea.services.net,
                permit

Is there anyway to run the mail through SpamAssassin before virtual_alias_maps forwarding?

postfix spamassassin

3 Answers

  1. You don't describe how you're doing your SA filtering at the moment, but if you're not putting virtual mail through it at the moment, I'm assuming that you're not using content_filter, which is the way it's usually hooked up. The SpamAssassin wiki seems to cover this setup pretty well, from a quick glance: http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix

    • 3

  2. A remote MTA sends mail to Postfix via SMTP. The recipient list is a series of RCPT commands. Each RCPT command adds one recipient address. When Postfix gets a recipient address in virtual_alias_maps, it replaces the address by the result of the virtual_alias_maps lookup. This happens in your smtpd(8) process.

    You have some choices about how to hook up the spam filtering mechanism(s) of your choice.

    You could use SpamAssassin on the expanded list of recipients. The recommended mechanism for this is to use a content_filter. See http://www.postfix.org/FILTER_README.html for details. The most commonly recommended filter is http://www.ijs.si/software/amavisd/

    Mailscanner has issues because it looks directly at the queue file instead of using standard mechanisms. It can and does break when you upgrade Postfix.

    The second, less recommended option is to use a pre-queue filtering mechanism via a SMTP proxy (http://www.postfix.org/SMTPD_PROXY_README.html) or via a milter (http://www.postfix.org/MILTER_README.html).

    If you only want to filter messages going to certain recipients, use the FILTER target via check_recipient_access. See http://www.postfix.org/access.5.html

    If you want to run SpamAssassin on the original address, I would go with the content_filter approach using amavisd-new. Put your virtual_alias_maps in the re-injection smtpd using -ovirtual_alias_maps in the master.cf entry. You may need to add a check_recipient_access map in smtpd_recipient_restrictions returning OK for your valid addresses in main.cf.

    • 1

  3. Highly depending on your OS and/or distro, and whatever user you want to run SA as, etc etc....

    In master.cf put something like:

    # aa.bb.cc.dd == your IP
# example.com == your hostname

aa.bb.cc.dd:smtp      inet    n       -       n       -       -       smtpd
    -o content_filter=spamassassin
    -o myhostname=example.com
    -o smtp_bind_address=aa.bb.cc.dd

# (note content_filter)
#
# -snip-
#

spamassassin unix -     n       n       -       -       pipe
  user=sa argv=/usr/bin/spamc -e /etc/alternatives/mta -oi -f ${sender} ${recipient}

# change 'user=sa' to whatever user you have setup.
# change '/etc/alternatives/mta' to whatever you're using to put
# mail back into the queue. (eg: /usr/local/sbin/sendmail )
# change /usr/bin/spamc to the location of your spamc binary, obviously. :)
    • 0