
aspamd - Installation

Steve -

PROBLEM

How do I install aspamd? 

ENVIRONMENT

  • atmail aspamd

CAUSE

Requirement to install and configure the aspamd service.

RESOLUTION

System Requirements

  • Red Hat/Centos Operating System
  • atmail-common-1.0.x

Download

If you have not already done so, add access to Atmail's online software repository to your server by executing the following command:

bash <(curl -s https://repo.atmail.com/add_repo)

Installation

  1. Use yum to install the atmail-aspamd-[version] software package and its prerequisite:

    yum install atmail-common
    yum install atmail-aspamd
  2. Anti-Spam and Malware Protection are licensed separately. Enter your atmail id, and anti-spam / malware detection licenses in /etc/atmail/aspamd/aspamd-ingress.conf (ingress) and/or /etc/atmail/aspamd/aspamd-egress.conf (egress). Licenses are comma separated, and should be enclosed in single quotes:
    vi /etc/atmail/aspamd/aspamd-ingress.conf
    # aspamd ingress config file.  
    # the defaults are listed commented out. They should be sane, aspamd will do its best
    # to run with no configuration at all. To enable the premium engine, enter your license

    ATMAIL_ID=user@example.com
    LICENSE_KEY='anti-spam-license,anti-abuse-license'


    vi /etc/atmail/aspamd/aspamd-egress.conf
    # aspamd egress config file
    # the defaults are listed commented out. They should be sane, aspamd will do its best
    # to run with no configuration at all. To enable the premium engine, enter your license.

    ATMAIL_ID=user@example.com
    LICENSE_KEY='anti-spam-license,anti-abuse-license'
  3. Start the aspamd ingress service
    systemctl start aspamd@ingress
    systemctl enable aspamd@ingress

    systemctl status aspamd@ingress
    aspamd.service - atmail-aspamd - aspamd ingress server
       Loaded: loaded (/usr/lib/systemd/system/aspamd@ingress.service; enabled; vendor preset: disabled)
       Active: active (running) since Wed 2019-06-05 09:00:46 AEST; 6 days ago
         Docs: http://www.atmail.com/
     Main PID: 948 (aspamd)
       CGroup: /system.slice/aspamd.service/aspamd@ingress.service
               └─948 /usr/bin/aspamd -c /etc/atmail/aspamd/aspamd-ingress.conf -syslogEnable

    Jun 05 09:00:46 vm1 systemd[1]: Started atmail-aspamd - aspamd ingress server.
    Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="aspamd engine initializing"
    Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="aspamd listening on 127.0.0.1:7830"

You now have a running atmail aspamd ingress server, but it will require further integration with Exim before it is useful.

CLI Reference

aspamd -h
NAME:
   aspamd - atmail spamd server

USAGE:
   aspamd [global options] command [command options] [arguments...]

VERSION:
   dev

COMMANDS:
     help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE, -c FILE     Load configuration from FILE [$CONFIG_FILE]
   --listen value             Listen Address for aspamd (default: "127.0.0.1:7830") [$LISTEN]
   --readTimeout value        Server timeout (default: 0s) [$READ_TIMEOUT]
   --writeTimeout value       Server timeout (default: 0s) [$WRITE_TIMEOUT]
   --metricsAddr value        Prometheus /metrics address (default: "127.0.0.1:9996") [$METRICS]
   --cosURI value             The URI CoS data will be retrieved from [$COS_URI]
   --cosInsecure              allow insecure communications with CoS [$COS_ALLOW_INSECURE]
   --cosV1                    using CoS V1 [$COS_V1]
   --cosVerbose               verbose CoS (http only) [$COS_VERBOSE]
   --consulAddr value         Use consul to locate cosd grpc services at this api addr [$CONSUL_ADDR]
   --consulScheme value       Use consul to locate cosd grpc services with this scheme (default: "http") [$CONSUL_SCHEME]
   --cosCacheTimeout value    CoS Cache timeout (duration) for cache lookups, to reduce traffic. Defaults to -1s (disabled) (default: -1m0s) [$COS_CACHE_KEY_TIMEOUT]
   --defaultEngine value      Default Spamd Engine(s), comma separated (default: "localhost:11333") [$DEFAULT_ENGINE_ADDR]
   --spamThreshold value      (default: 50) [$SPAM_THRESHOLD]
   --unknownScore value       (default: 0) [$SPAM_UNKNOWN_SCORE]
   --unknownAction value      (default: "no action") [$SPAM_UNKNOWN_ACTION]
   --confirmedScore value     (default: 100) [$SPAM_CONFIRMED_SCORE]
   --confirmedAction value    (default: "reject") [$SPAM_CONFIRMED_ACTION]
   --bulkScore value          (default: 50) [$SPAM_BULK_SCORE]
   --bulkAction value         (default: "reject") [$SPAM_BULK_ACTION]
   --suspectedScore value     (default: 50) [$SPAM_SUSPECTED_SCORE]
   --suspectedAction value    (default: "rewrite subject") [$SPAM_SUSPECTED_ACTION]
   --nonSpamScore value       (default: -100) [$SPAM_NON_SPAM_SCORE]
   --nonSpamAction value      (default: "no action") [$SPAM_NON_SPAM_ACTION]
   --virusScore value         (default: 200) [$SPAM_VIRUS_SCORE]
   --virusAction value        (default: "reject") [$SPAM_VIRUS_ACTION]
   --virusHighScore value     (default: 150) [$SPAM_VIRUS_HIGH_SCORE]
   --virusHighAction value    (default: "reject") [$SPAM_VIRUS_HIGH_ACTION]
   --virusMediumScore value   (default: 4) [$SPAM_VIRUS_MEDIUM_SCORE]
   --virusMediumAction value  (default: "no action") [$SPAM_VIRUS_MEDIUM_ACTION]
   --validBulkScore value     (default: 49) [$VALID_BULK_SCORE]
   --validBulkAction value    (default: "no action") [$SPAM_VALID_BULK_ACTION]
   --egress                   Run in egress mode [$EGRESS]
   --cacheFile value          Local cache file (default: "/var/lib/atmail/aspamd/aspamd.cache") [$CACHE_FILE]
   --cacheSaveDuration value  Cache is saved periodically (default: 2m0s) [$CACHE_FILE_SAVE_EVERY]
   --atmailId value           Atmail ID [$ATMAIL_ID]
   --licenceKey value         Atmail License Key(s, comma separated) [$LICENSE_KEY]
   --syslogEnable             enable syslog [$SYSLOG_ENABLE]
   --syslogAddr value         syslog server. Value can be host:port. If not set, uses local syslog [$SYSLOG_ADDR]
   --syslogFacility value     set syslog facility, defaults to mail. See /usr/include/sys/syslog.h (default: 16) [$SYSLOG_FACILITY]
   -V                         Verbose [$VERBOSE]
   --logLevel value           Log Level (panic,fatal,error,warn,info,debug,trace) (default: "info") [$LOG_LEVEL]
   --auditSpamDir value       If set, a copy of all emails classified as spam are copied here. WARNING: i/o intensive [$AUDIT_SPAM_DIR]
   --auditActions value       csv list of auditable actions. WARNING: i/o intensive [$AUDIT_ACTIONS]
   --json                      [$LOG_JSON]
   --logFile value             [$LOG_FILE]
   --help, -h                 show help
   --version, -v              print the version

Integration with MTA

aspamd performs mail content scanning by operating as an rspamd server. It has been tested using the Exim MTA. If you require integration with another MTA, support may be considered, and it may already work if that MTA supports rspamd.

Exim

By default aspamd listens on 127.0.0.1, TCP port 7830. You must set the spamd_address option in the global part of the Exim configuration file (/etc/exim/exim.conf):

vi /etc/exim/exim.conf
spamd_address = 127.0.0.1 7830 variant=rspamd

Scanning is performed using the spam condition in a DATA ACL. As scanning can be quite resource intensive, and most spam messages are quite small, it is recommended that you do not scan large messages. Here is a simple example:

acl_check_data:
 
        warn condition = ${if < {$message_size}{10K}}
             spam = nobody
 
        deny message = This message was classified as SPAM
             condition = ${if eq{$spam_action}{reject}}
 
        accept

Egress

When running Exim as an outgoing MTA, to better protect your IP reputation, you should send all outgoing mail to aspamd running in egress mode. To do this, use the command-line flag --egress, or set EGRESS=true in the configuration file. This will give better configuration results. The installation creates a systemd service, aspamd@egress, which uses the configuration file at /etc/atmail/aspamd/aspamd-egress.conf. Edit this file to check that the EGRESS entry is set to true, and remove the hash from the LISTEN entry so that the listener can use port 7831.

vi /etc/atmail/aspamd/aspamd-egress.conf
EGRESS=true
LISTEN=127.0.0.1:7831

Start the aspamd egress service

systemctl start aspamd@egress
systemctl enable aspamd@egress
systemctl status aspamd@egress

● aspamd@egress.service - atmail-aspamd-egress - aspamd egress server
   Loaded: loaded (/usr/lib/systemd/system/aspamd@egress.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-10-20 17:13:50 BST; 11s ago
     Docs: http://www.atmail.com/
  Process: 7062 ExecStop=/bin/kill -s QUIT $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 7212 (aspamd)
   CGroup: /system.slice/system-aspamd.slice/aspamd@egress.service
           └─7212 /usr/bin/aspamd -c /etc/atmail/aspamd/aspamd-egress.conf -syslogEnable

Jun 05 09:00:46 vm1 systemd[1]: Started atmail-aspamd - aspamd egress server.
Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="aspamd engine initializing"
Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="egress mode"
Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="aspamd listening on 127.0.0.1:7831"
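
A post-install check for the Exim and Egress sections above, added here as an example and not part of atmail's documentation or tooling: it confirms that aspamd's effective LISTEN address matches the endpoint Exim scans through, and catches an egress config whose LISTEN line is still commented out. The function names, the sample files and the egress-side spamd_address line are assumptions; the 127.0.0.1:7830 default comes from the aspamd -h output.

```shell
#!/bin/sh
# Added example, not atmail code. Function names and sample files are assumed.

# Effective value of KEY in a KEY=VALUE file: commented-out defaults are
# ignored and DEFAULT is used when the key is not set.
conf_get() {  # conf_get FILE KEY DEFAULT
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Exim writes "spamd_address = HOST PORT variant=rspamd"; print HOST:PORT.
exim_endpoint() {  # exim_endpoint EXIM_CONF
    awk -F= '/^[ \t]*spamd_address[ \t]*=/ {
        split($2, f, " "); ep = f[1] ":" f[2] } END { print ep }' "$1"
}

# Print one WARN line per finding; the exit status is the number of findings.
check_aspamd() {  # check_aspamd ASPAMD_CONF EXIM_CONF
    n=0
    listen=$(conf_get "$1" LISTEN 127.0.0.1:7830)  # default shown by aspamd -h
    exim=$(exim_endpoint "$2")
    case $listen in
        127.*|localhost:*|\[::1\]:*) ;;
        *) echo "WARN LISTEN=$listen is not restricted to loopback"; n=$((n+1)) ;;
    esac
    if [ "$listen" != "$exim" ]; then
        echo "WARN Exim scans via '$exim' but aspamd listens on '$listen'"; n=$((n+1))
    fi
    # Typographic quotes pasted from a web page show up as non-ASCII bytes.
    if conf_get "$1" LICENSE_KEY "" | LC_ALL=C grep -q '[^ -~]'; then
        echo "WARN LICENSE_KEY contains non-ASCII characters"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample files: a correct ingress pair, and an egress config whose
# LISTEN line is still commented out while Exim already points at port 7831.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ATMAIL_ID=user@example.com' \
        "LICENSE_KEY='anti-spam-license,anti-abuse-license'" > "$d/ingress.conf"
    printf '%s\n' 'spamd_address = 127.0.0.1 7830 variant=rspamd' > "$d/exim-in.conf"
    printf '%s\n' 'EGRESS=true' '#LISTEN=127.0.0.1:7831' > "$d/egress.conf"
    printf '%s\n' 'spamd_address = 127.0.0.1 7831 variant=rspamd' > "$d/exim-out.conf"
    check_aspamd "$d/ingress.conf" "$d/exim-in.conf" && echo "ingress: OK"
    check_aspamd "$d/egress.conf" "$d/exim-out.conf" || echo "egress: $? finding(s)"
    rm -rf "$d"
}
demo
```
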

atmail Mailserver

atmail Mailserver manages Exim's configuration, so any changes made manually to the Exim configuration are likely to be erased on the next configuration publish. To integrate this product into a platform that is managed by atmail Mailserver, the following configuration steps need to be performed (this assumes aspamd itself has been configured to listen on port 7830). This requires atmail-mailserver and atmail-mailserver-ansible versions >= 8.6.0-19.

Update Exim to use new aspamd Engine

To do this, it is currently necessary to update and overwrite some configuration variables in the inventory. First, change the connection mode from tcp by updating the spamd_mode configuration:

use mailserver;
select * from inventory where configVariable = 'spamd_mode';
+-------------+---------------+---------------+----------------+-------------+
| inventoryId | inventoryItem | configSection | configVariable | configValue |
+-------------+---------------+---------------+----------------+-------------+
|         180 | _default      | exim          | spamd_mode     | tcp         |
+-------------+---------------+---------------+----------------+-------------+

update inventory set configValue = 'aspamd' where configVariable = 'spamd_mode' and configSection = 'exim';

select * from inventory where configVariable = 'spamd_mode';
+-------------+---------------+---------------+----------------+-------------+
| inventoryId | inventoryItem | configSection | configVariable | configValue |
+-------------+---------------+---------------+----------------+-------------+
|         180 | _default      | exim          | spamd_mode     | aspamd      |
+-------------+---------------+---------------+----------------+-------------+

Next, update the variable spamd_socket to take the value for connecting to aspamd:

select * from inventory where configVariable = 'spamd_socket';
+-------------+---------------+---------------+----------------+---------------------------+
| inventoryId | inventoryItem | configSection | configVariable | configValue               |
+-------------+---------------+---------------+----------------+---------------------------+
|         197 | _default      | exim          | spamd_socket   | /var/run/spamd/spamd.sock |
+-------------+---------------+---------------+----------------+---------------------------+

update inventory set configValue = '$acl_m_spamd' where configVariable = 'spamd_socket' and configSection = 'exim';

select * from inventory where configVariable = 'spamd_socket';
+-------------+---------------+---------------+----------------+--------------+
| inventoryId | inventoryItem | configSection | configVariable | configValue  |
+-------------+---------------+---------------+----------------+--------------+
|         197 | _default      | exim          | spamd_socket   | $acl_m_spamd |
+-------------+---------------+---------------+----------------+--------------+

These changes will allow you to publish out without changing the current exim.conf.j2 template found in mailserver for the default ss1ip role.

Finally, check whether the X-atmail-spam-action header variable exists:

select * from inventory where configValue='X-atmail-spam-action';
+---------------+---------------+----------------+----------------------+
| inventoryItem | configSection | configVariable | configValue          |
+---------------+---------------+----------------+----------------------+
| _default      | exim          | h_spam_action  | X-atmail-spam-action |
+---------------+---------------+----------------+----------------------+
1 row in set (0.00 sec)

If not, add it:

insert into inventory(inventoryItem, configSection, configVariable, configValue) values('_default','exim','h_spam_action','X-atmail-spam-action');

Update the Exim ACL

This will need to be done on each mailserver instance if using the publish button to push configuration changes.

Change directory to the override directory for the in-built ss1ip ansible role.

cd /var/lib/atmail/mailserver/roles/ss1ip/templates/amp/exim

Copy over the current data ACL template file:

cp ../../exim/acl_check_data.j2 .

Ensure that the file has sufficient read permissions:

chmod 0644 acl_check_data.j2

Update the file to use new rules based around aspamd. An example is given below:

vi acl_check_data.j2 

acl_check_data:

  deny
    message = Virus $malware_name detected.
    malware = */defer_ok
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:REJECT:$sender_host_address:$sender_address:$recipients:Malware/Virus $malware_name detected

  warn
    set acl_m_spamd = 127.0.0.1 7830 variant=rspamd

  warn
    condition = ${if def:acl_m_outbound}
    set acl_m_spamd = 127.0.0.1 7831 variant=rspamd

  warn
    spam = nobody:true/defer_ok
    add_header = {{ exim_h_spam_bar }}: $spam_bar \n\
                 {{ exim_h_spam_report }}: $spam_report \n\
                 {{ exim_h_spam_action }}: $spam_action

  deny
    condition = ${if def:acl_m_outbound}
    condition = {{ '${if eq {$spam_action}{reject}{1}{0}}' }}
    message = Rejected - messages seen as spam
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:REJECT:$sender_host_address:$sender_address:Outbound message seen as SPAM

  accept
    condition = ${if def:acl_m_outbound}
    message = Accepted outbound message
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:ACCEPT:$sender_host_address:$sender_address:Message accepted for outbound

  accept
    condition = ${if eq {$acl_m_antispam_override}{1}{yes}{no}}
    condition = {{ '${if eq {$spam_action}{reject}{1}{0}}' }}
    add_header = {{ exim_h_spam_override }}: 1
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:ACCEPT:$sender_host_address:$sender_address:Message accepted due to antispam override

  deny
    condition = {{ '${if eq {$spam_action}{reject}{1}{0}}' }}
    message = Rejected as SPAM
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:REJECT:$sender_host_address:$sender_address:$recipients:Rejected as SPAM

  accept
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:ACCEPT:$sender_host_address:$sender_address:$recipients:Message accepted as non SPAM

Any publish will now insert the custom acl_check_data.j2 into the main configuration file.

 

Post-Installation

Exim will require a restart for the new variables to be read.

systemctl restart exim

 
