Agile Tortoise
Greg Pierce’s blog
« Lazy Sunday, revisited OS X Tiger Server: open alternate SMTP port »
OS X Tiger Server: Improving SpamAssassin
Tiger Server comes with SpamAssassin (3.0.1), which can be enabled on Mail services via the “Scan email for junk mail” checkbox in ServerAdmin. SpamAssassin is actually called by AMaVis as a postfix filter when receiving/sending mail.
The default installation leaves something to be desired, however. He’s a few tips I’ve culled from different places on the net to get my server’s email filtering functioning much more accurately than the out of the box config.
Add Blacklists
In ServerAdmin, under the “Relay” tab, add a couple of blacklists under the “Use these junk mail rejection servers”. I realize some people have mixed feelings about blacklists. I personally don’t use the ORBs style lists, but use “sbl-xbl.spamhaus.org” and “bl.spamcop.net”. You could also have SpamAssassin use blacklists, but I find it easier to configure here.
Fix Bayesian Filtering and Train it
First, use bayesian filtering. Per the documentation, setup users named “junkmail” and “notjunkmail”, and check the “Update the Junk mail and virus database” checkbox in ServerAdmin. Use those addresses to redirect (not forward!) a corpus of good and bad mail. Overnight, Tiger server will run the script at /etc/mail/spamassassin/learn_junk_mail to feed these mailboxes to the bayes db. You should clear out these mailboxes periodically. You can also manually train SpamAssassin using sa-learn (see SA docs). You can also run the learn_junk_mail script as follows:
cd /etc/mail/spamassassin sudo ./learn_junk_mail
There is one problem with this. Tiger server has two bayes db locations that are not configured properly. One at /var/amavis/.spamassassin and one at /var/clamav/.spamassassin. SpamAssassin reads from the former, learn_junk_mail posts to the later. To fix this, replace the later with a symlink to the former as follows (WARNING! this will wipe out the existing db built with learn_junk_mail)
sudo rm -rf /var/clamav/.spamassassin sudo ln -s /var/amavis/.spamassassin /var/clamav/.spamassassin
Setup Razor
Next, setup Razor and enable remote tests. By default, Tiger’s SpamAssassin will only run local tests, and does not have an installation of Vipul’s Razor, which I’ve found to dramatically improve the result quality of SpamAssassin. So, download both the “razor-agents” and “razor-agents-sdk” from here, and follow the Installation Instructions, the default installation instructions work like a charm.
Edit SpamAssassin Config
Make a backup of, then open /etc/mail/spamassassin/local.cf in your favorite text editor. Note that SpamAssassin will respect the rules set in it’s config, but any rules that modify the output of the message will be ignored because AMaViS discards the modified message SA produces and acts based on it’s return result values (see below to configure AMaViS). These are the key entries I made:
use_razor2 1 razor_timeout 10 score RAZOR2_CF_RANGE_51_100 4.0
Edit AMaViS Config
Make a backup of, then open /etc/amavisd.conf in your favorite text editor. Here’s some entries to set as desired:
- $sa_local_tests_only = 1 [default is 0, this will enable SpamAssassin to run razor and any other tests you configured that require network access]
- $sa_tag_level_deflt = -999 [and messages that score over this number get X-Spam... headers added, regardless of the outcome of the SA tests. I like all mail tagged with headers, thus the low number]
- $sa_tag2_level_deflt = [number] [SA score at which to consider a message spam and tag it as such]
- $sa_kill_level_deflt = [number] [SA score at which to apply the final destination setting]
- $sa_spam_subject_tag = ‘[SPAM]‘ [Tag to append to subject of messages marked as spam]
- $final_spam_destiny = [D_DISCARD,D_BOUNCE,D_PASS] [What to do with a message that reaches the "kill" score]
- @local_domains_acl [make sure all possible local domains that will be handled by this server are listed here. spam headers will only be added to messages considered "local"]
Note that ServerAdmin only lets you configure a single “score” for Spam. It will write out this config file to have $sa_tag2_level_deflt = $sa_kill_level_deflt. You probably don’t want to do that. I have one level that will get marked as Spam (4.0) and a different level that will get completely rejected (6.0).
NOTES
Be careful what you change in ServerAdmin, or your mods may get written over.
January 25th, 2006 at 10:01 am
On 1/25/06, Greg Pierce said:
>Be careful what you change in ServerAdmin, or your mods may get
>written over.
And I thought that having SpamAssassin built in was going to prevent
that problem. This really annoys me.
Thanks for the write-up, though. It’ll help with my client who’s been
waiting (for ages) to upgrade to Tiger Server.
Seth
January 25th, 2006 at 10:12 am
On Jan 25, 2006, at 10:01 AM, Seth Dillingham wrote:
> And I thought that having SpamAssassin built in was going to prevent
> that problem. This really annoys me.
I honestly haven’t tested it to find out, having managed a Panther
server, I’m a bit hesitant to test it. On the bright side, I don’t
think there’s a lot that you could hose too bad now, because there
are no mods required to the Postfix config files for this sort of stuff.
I expect the SpamAssassin config gets left pretty well alone as well,
as there’s nothing in the way they system works that would be changed
there. I think it’s mainly the Amavisd.conf file that might get
stomped on. I suppose I should test that and see what happens.
greg.
February 14th, 2006 at 4:24 pm
Thanks for the help in decreasing the SPAM in my users INBOX. I do have another question; part of the RAZOR2 setup included creating a user:
Razor v2 requires reporters to be registered so their reputations can
be computed over time and they can participate in the revocation
mechanism. Registration is done with razor-admin -register.
Is this required? Which ‘User’ should I be when I register (root is specificaly not allowed)? Where / How do I use the Identity file that is created?
Thanks!!
Harold Miller
February 21st, 2006 at 11:09 am
Greg, you said to do this:
sudo rm -rf /var/clamav/.spamassassinsudo ln -s /var/clamav/.spamassassin /var/amavis/.spamassassin
That doesn’t actually work… it deletes /var/clamav/.spamassassin, and
then tries to create a link to it at
/var/amavis/.spamassassin/.spamassassin !
I think you meant this:
sudo rm -rf /var/clamav/.spamassassinsudo ln -s /var/amavis/.spamassassin /var/clamav/.spamassassin
The first param to ln is the "original" or existing file, the
second parameter (optional) is the destination location.
Seth