Release 0.8.12

2008-12-13 21:06:16 +00:00
parent f55ddbce83
commit 37d4f99aaf
2 changed files with 0 additions and 156 deletions
@@ -1,154 +0,0 @@
 On Sun, 11 Feb 2007, Rick Saul wrote:
 > Stuart I was planning to move to centos4.4 in a couple of weeks anyway... 
 > Your advice of where to go from here. 
 Oh - you are asking for a howto.
 	Step one.  Which DSPAM is right for you?
 The DSPAM project makes dspam part of the LDA (Local Delivery Agent).
 Pydspam puts dspam into the MTA (Mail Transfer Agent - sendmail with pymilter).
 The advantage of doing dspam in the LDA is that any aliasing has already been
 resolved.  You need only configure mailboxes.
 The advantage of doing dspam in the MTA is it can screen an entire 
 company as a gateway with multiple domains.  Unfortunately, this
 means you have to tell it about all the aliases that comprise each
 account.  (Also, pydspam is still uses dspam-2.6.5.2 - the Dspam API
 has changed for newer versions.)
 If the LDA is right for you, you'll want to use the official Dspam 
 package.  http://www.nuclearelephant.com/projects/dspam/
 If the MTA approach is what you want, then pydspam is what you want.
 In either case, you will still want pymilter to block forgeries, Windows 
 executables, etc.
 So, lets assume you want to install pymilter, and may or may not
 wish to install pydspam.
 	Step two.  Obtaining RPMS.
 For basic pymilter you'll need:
 python-2.4
 milter-0.8.10
 sendmail-8.13.x	(with milter support enabled)
 and for SPF you'll need:
 pydns-2.3.3-2.4
 pyspf-2.0.5-1.py24
 and for SRS you'll need:
 pysrs-0.30.11-1.py24
 I'm pretty sure you will want to have SPF and SRS available.
 	Step three.  Activate basic milter.
 Activate the basic milter and pysrs by editing /etc/mail/sendmail.mc and adding:
 define(`NO_SRS_FILE',`/etc/mail/no-srs-mailers')dnl
 dnl define(`NO_SRS_FROM_LOCAL')dnl
 HACK(`pysrs',`/var/run/milter/pysrs')dnl
 INPUT_MAIL_FILTER(`pythonfilter', `S=local:/var/run/milter/pythonsock, F=T, T=C:5m;S:20s;R:5m;E:5m')
 You can then "make sendmail.cf" and restart sendmail.
 Start milter and pysrs with "service milter start", "service pysrs start".
 Tail /var/log/milter/milter.log while SMTP clients connect to your
 sendmail instance.  This should show you what the milter is doing.
 By default, milter-0.8.10 rejects on SPF fail.
 	Step four.  Tweaking the basic config.
 Most pymilter configuration is in /etc/mail/pymilter.cfg.  To activate
 changes, "service milter restart".
 By default, milter scans attachments for executable extensions.  You can
 turn this off by setting banned_exts to the empty list.  There are options
 to scan ZIP attachments and rfc822 attachments.  When it finds a banned
 file type, milter saves the original message in /var/log/milter/save,
 and replaces the attachment with a plain text warning message.
 Configure hello_blacklist with your own helo name and domains - which
 you know cannot legitimately be used by external MTAs.
 Configure trusted_relay with your secondary MX servers, if any.  These
 should also run pymilter with similar policies.  (But this isn't
 needed for initial testing.)
 Configure internal_connect with subnets of your internal SMTP clients.
 Internal connections skip SPF testing and other policies.  You will
 likely need to set this to allow outgoing mail if you have
 an SPF policy already.
 Configure internal_domains with domains used by your internal SMTP clients.
 If they attempt to use any other domain, the attempt is blocked and the
 client is logged as a "zombie".  Conversely, any attempt by an external
 MTA to use one of your internal domains is treated as a forgery and
 blocked (a simplified form of local SPF).
 Adjust porn_words and spam_words - these block emails with a Subject
 containing the listed strings.  They can be empty to disable Subject
 string blocking.
 	Advanced SPF configuration.
 The sendmail access file, or another readonly database with that
 format, can be used for detail spf policy.  SPF access policy
 record are tagged with "SPF-{Result}:".  Results are
 Pass, Neutral, Softfail, Fail, PermError.  Currently supported
 policy keywords are OK, CBV, REJECT.  Currently, TempError always
 results in TEMPFAIL.
 The default policies are set in pymilter.cfg.  The defaults
 if none of the config options are set are as follows:
 SPF-Fail:	REJECT
 SPF-Softfail:	CBV
 SPF-Neutral:	OK
 SPF-PermError:	REJECT
 SPF-Pass:	OK
 The tag may be followed by a specific domain.  For instance, to
 require a Pass from aol.com:
 SPF-Neutral:aol.com	REJECT
 SPF-Softfail:aol.com	REJECT
 The CBV policy requires a valid HELO name.  If the EHLO name is 
 RFC2822 compliant, then a DSN is sent to the alleged sender.  The 
 template for the DSN is selected according to the SPF result:
 Fail:		fail.txt
 SoftFail:	softfail.txt
 Neutral:	neutral.txt
 PermError:	permerror.txt
 None:		strike3.txt
 An SPF-Pass is always accepted by the milter.  Domains can be blacklisted 
 via sendmail in the access file or via a RHS DNS blacklist.
 	To be continued.
 Forthcoming topics:
 SRS config
 pydspam config
 wiretap config
 -- 
 	      Stuart D. Gathman <stuart@bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
 "Confutatis maledictis, flammis acribus addictis" - background song for
 a Microsoft sponsored "Where do you want to go from here?" commercial.
@@ -9,8 +9,6 @@ include MANIFEST.in
 include testsample.py
 include testmime.py
 include testutils.py
 include rejects.py
 include report.py
 include test.py
 include sample.py
 include milter-template.py