PROBLEM
How do I install aspamd?
ENVIRONMENT
- atmail aspamd
CAUSE
Requirement to install and configure aspamd service.
RESOLUTION
System Requirements
- Red Hat/CentOS Operating System
- atmail-common-1.0.x
Download
If you have not already done so, add access to Atmail's online software repository to your server by executing the following command:
bash <(curl -s https://repo.atmail.com/add_repo)
Installation
- Use yum to install the atmail-aspamd-[version] software package and its prerequisite:
yum install atmail-common
yum install atmail-aspamd
- Start the aspamd ingress service:
systemctl start aspamd@ingress
systemctl enable aspamd@ingress
systemctl status aspamd@ingress
● aspamd.service - atmail-aspamd - aspamd ingress server
Loaded: loaded (/usr/lib/systemd/system/aspamd@ingress.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2019-06-05 09:00:46 AEST; 6 days ago
Docs: http://www.atmail.com/
Main PID: 948 (aspamd)
CGroup: /system.slice/aspamd.service/aspamd@ingress.service
└─948 /usr/bin/aspamd -c /etc/atmail/aspamd/aspamd-ingress.conf -syslogEnable
Jun 05 09:00:46 vm1 systemd[1]: Started atmail-aspamd - aspamd ingress server.
Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="aspamd engine initializing"
Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="aspamd listening on 127.0.0.1:7830"
You now have a running atmail aspamd ingress server, but it will require further integration with Exim before it is useful.
CLI Reference
aspamd -h
NAME:
aspamd - atmail spamd server
USAGE:
aspamd [global options] command [command options] [arguments...]
VERSION:
dev
COMMANDS:
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--config FILE, -c FILE Load configuration from FILE [$CONFIG_FILE]
--listen value Listen Address for aspamd (default: "127.0.0.1:7830") [$LISTEN]
--readTimeout value Server timeout (default: 0s) [$READ_TIMEOUT]
--writeTimeout value Server timeout (default: 0s) [$WRITE_TIMEOUT]
--metricsAddr value Prometheus /metrics address (default: "127.0.0.1:9996") [$METRICS]
--cosURI value The URI CoS data will be retrieved from [$COS_URI]
--cosInsecure allow insecure communications with CoS [$COS_ALLOW_INSECURE]
--cosV1 using CoS V1 [$COS_V1]
--cosVerbose verbose CoS (http only) [$COS_VERBOSE]
--consulAddr value Use consul to locate cosd grpc services at this api addr [$CONSUL_ADDR]
--consulScheme value Use consul to locate cosd grpc services with this scheme (default: "http") [$CONSUL_SCHEME]
--cosCacheTimeout value CoS Cache timeout (duration) for cache lookups, to reduce traffic. Defaults to -1s (disabled) (default: -1m0s) [$COS_CACHE_KEY_TIMEOUT]
--defaultEngine value Default Spamd Engine(s), comma separated (default: "localhost:11333") [$DEFAULT_ENGINE_ADDR]
--spamThreshold value (default: 50) [$SPAM_THRESHOLD]
--unknownScore value (default: 0) [$SPAM_UNKNOWN_SCORE]
--unknownAction value (default: "no action") [$SPAM_UNKNOWN_ACTION]
--confirmedScore value (default: 100) [$SPAM_CONFIRMED_SCORE]
--confirmedAction value (default: "reject") [$SPAM_CONFIRMED_ACTION]
--bulkScore value (default: 50) [$SPAM_BULK_SCORE]
--bulkAction value (default: "reject") [$SPAM_BULK_ACTION]
--suspectedScore value (default: 50) [$SPAM_SUSPECTED_SCORE]
--suspectedAction value (default: "rewrite subject") [$SPAM_SUSPECTED_ACTION]
--nonSpamScore value (default: -100) [$SPAM_NON_SPAM_SCORE]
--nonSpamAction value (default: "no action") [$SPAM_NON_SPAM_ACTION]
--virusScore value (default: 200) [$SPAM_VIRUS_SCORE]
--virusAction value (default: "reject") [$SPAM_VIRUS_ACTION]
--virusHighScore value (default: 150) [$SPAM_VIRUS_HIGH_SCORE]
--virusHighAction value (default: "reject") [$SPAM_VIRUS_HIGH_ACTION]
--virusMediumScore value (default: 4) [$SPAM_VIRUS_MEDIUM_SCORE]
--virusMediumAction value (default: "no action") [$SPAM_VIRUS_MEDIUM_ACTION]
--validBulkScore value (default: 49) [$VALID_BULK_SCORE]
--validBulkAction value (default: "no action") [$SPAM_VALID_BULK_ACTION]
--egress Run in egress mode [$EGRESS]
--cacheFile value Local cache file (default: "/var/lib/atmail/aspamd/aspamd.cache") [$CACHE_FILE]
--cacheSaveDuration value Cache is saved periodically (default: 2m0s) [$CACHE_FILE_SAVE_EVERY]
--atmailId value Atmail ID [$ATMAIL_ID]
--licenceKey value Atmail License Key(s, comma separated) [$LICENSE_KEY]
--syslogEnable enable syslog [$SYSLOG_ENABLE]
--syslogAddr value syslog server. Value can be host:port. If not set, uses local syslog [$SYSLOG_ADDR]
--syslogFacility value set syslog facility, defaults to mail. See /usr/include/sys/syslog.h (default: 16) [$SYSLOG_FACILITY]
-V Verbose [$VERBOSE]
--logLevel value Log Level (panic,fatal,error,warn,info,debug,trace) (default: "info") [$LOG_LEVEL]
--auditSpamDir value If set, a copy of all emails classified as spam are copied here. WARNING: i/o intensive [$AUDIT_SPAM_DIR]
--auditActions value csv list of auditable actions. WARNING: i/o intensive [$AUDIT_ACTIONS]
--json [$LOG_JSON]
--logFile value [$LOG_FILE]
--help, -h show help
--version, -v print the version
Integration with MTA
aspamd performs mail content scanning by operating as an rspamd server. It has been tested using the Exim MTA. If you require integration with another MTA, support may be considered, and it may already work if that MTA supports rspamd.
Exim
By default aspamd listens on 127.0.0.1, TCP port 7830. You must set the spamd_address option in the global part of the Exim configuration file (/etc/exim/exim.conf):
vi /etc/exim/exim.conf
spamd_address = 127.0.0.1 7830 variant=rspamd
Scanning is performed using the spam condition in a DATA ACL. As scanning can be quite resource intensive, and most spam messages are quite small, it is recommended that you do not scan large messages. Here is a simple example:
acl_check_data:
  warn condition = ${if < {$message_size}{10K}}
       spam = nobody
  deny message = This message was classified as SPAM
       condition = ${if eq{$spam_action}{reject}}
  accept
Egress
When running Exim as an outgoing MTA, you should send all outgoing mail to aspamd running in egress mode, to better protect your IP reputation. To do this, use the command-line flag --egress, or set EGRESS=true in the configuration file. This will give better configuration results. The installation creates a systemd service, aspamd@egress, which uses the configuration file at /etc/atmail/aspamd/aspamd-egress.conf. Edit this file to check that the EGRESS entry is set to true, and remove the hash from the LISTEN entry so that the listener can use port 7831.
vi /etc/atmail/aspamd/aspamd-egress.conf
EGRESS=true
LISTEN=127.0.0.1:7831
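One way to confirm those two entries before starting the service, as an added example that is not Atmail's own code. It assumes the file holds KEY=VALUE lines with # comments; conf_get and audit_egress_conf are hypothetical helper names, and the sample file is constructed.

```sh
#!/bin/sh
# Added example (not Atmail code): pre-start check of the aspamd egress config.
# Assumes the file holds KEY=VALUE lines with '#' comments and that the last
# uncommented entry for a key is the effective one.

# conf_get FILE KEY: print the effective value of KEY, or nothing if unset.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }                      # commented-out entry
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (key == k) { v = substr($0, eq + 1); gsub(/^[ \t"]+|[ \t"]+$/, "", v) }
        }
        END { print v }
    ' "$1"
}

# audit_egress_conf FILE: print findings; return 0 only when there are none.
audit_egress_conf() {
    _rc=0
    _egress=$(conf_get "$1" EGRESS)
    _listen=$(conf_get "$1" LISTEN)
    if [ "$_egress" != "true" ]; then
        echo "FAIL: EGRESS is '${_egress:-unset}', expected true"; _rc=1
    fi
    case "$_listen" in
        127.0.0.1:7831) ;;
        "") # aspamd would fall back to the --listen default, 127.0.0.1:7830
            echo "FAIL: LISTEN is commented out or missing"; _rc=1 ;;
        127.0.0.1:*)
            echo "FAIL: LISTEN port differs from the ACL's 7831: $_listen"; _rc=1 ;;
        *)
            echo "FAIL: LISTEN is not on 127.0.0.1: $_listen"; _rc=1 ;;
    esac
    return "$_rc"
}

# Constructed sample: a file with EGRESS set but LISTEN still commented out.
demo_conf=$(mktemp)
printf '%s\n' 'EGRESS=true' '#LISTEN=127.0.0.1:7831' > "$demo_conf"
audit_egress_conf "$demo_conf" || echo "egress config needs fixing"
rm -f "$demo_conf"
```

On a real host, call audit_egress_conf /etc/atmail/aspamd/aspamd-egress.conf instead of the constructed sample.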
Start the aspamd egress service
systemctl start aspamd@egress
systemctl enable aspamd@egress
systemctl status aspamd@egress
● aspamd@egress.service - atmail-aspamd-egress - aspamd egress server
Loaded: loaded (/usr/lib/systemd/system/aspamd@egress.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-10-20 17:13:50 BST; 11s ago
Docs: http://www.atmail.com/
Process: 7062 ExecStop=/bin/kill -s QUIT $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 7212 (aspamd)
CGroup: /system.slice/system-aspamd.slice/aspamd@egress.service
└─7212 /usr/bin/aspamd -c /etc/atmail/aspamd/aspamd-egress.conf -syslogEnable
Jun 05 09:00:46 vm1 systemd[1]: Started atmail-aspamd - aspamd egress server.
Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="aspamd engine initializing"
Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="egress mode"
Jun 05 09:00:55 vm1 aspamd[948]: time="2019-06-05T09:00:55+10:00" level=info msg="aspamd listening on 127.0.0.1:7831"
atmail Mailserver
atmail Mailserver manages Exim's configuration, so any manual changes to the Exim configuration are likely to be erased on the next configuration publish. To integrate this product into a platform that is managed by atmail Mailserver, perform the following configuration steps (these assume aspamd itself has been configured to listen on port 7830). This requires atmail-mailserver and atmail-mailserver-ansible versions >= 8.6.0-19.
Update Exim to use new aspamd Engine
In order to do this it is currently necessary to update and overwrite some configuration variables in the inventory. Firstly change the connection mode from tcp by updating the spamd_mode configuration:
use mailserver;
select * from inventory where configVariable = 'spamd_mode';
+-------------+---------------+---------------+----------------+-------------+
| inventoryId | inventoryItem | configSection | configVariable | configValue |
+-------------+---------------+---------------+----------------+-------------+
| 180 | _default | exim | spamd_mode | tcp |
+-------------+---------------+---------------+----------------+-------------+
update inventory set configValue = 'aspamd' where configVariable = 'spamd_mode' and configSection = 'exim';
select * from inventory where configVariable = 'spamd_mode';
+-------------+---------------+---------------+----------------+-------------+
| inventoryId | inventoryItem | configSection | configVariable | configValue |
+-------------+---------------+---------------+----------------+-------------+
| 180 | _default | exim | spamd_mode | aspamd |
+-------------+---------------+---------------+----------------+-------------+
Next update the variable spamd_socket to take the value for connecting to aspamd:
select * from inventory where configVariable = 'spamd_socket';
+-------------+---------------+---------------+----------------+---------------------------+
| inventoryId | inventoryItem | configSection | configVariable | configValue |
+-------------+---------------+---------------+----------------+---------------------------+
| 197 | _default | exim | spamd_socket | /var/run/spamd/spamd.sock |
+-------------+---------------+---------------+----------------+---------------------------+
update inventory set configValue = '$acl_m_spamd' where configVariable = 'spamd_socket' and configSection = 'exim';
select * from inventory where configVariable = 'spamd_socket';
+-------------+---------------+---------------+----------------+--------------+
| inventoryId | inventoryItem | configSection | configVariable | configValue |
+-------------+---------------+---------------+----------------+--------------+
| 197 | _default | exim | spamd_socket | $acl_m_spamd |
+-------------+---------------+---------------+----------------+--------------+
These changes will allow you to publish out without changing the current exim.conf.j2 template found in mailserver for the default ss1ip role.
Finally check if the X-atmail-spam-action header variable exists:
select * from inventory where configValue='X-atmail-spam-action';
+---------------+---------------+----------------+----------------------+
| inventoryItem | configSection | configVariable | configValue |
+---------------+---------------+----------------+----------------------+
| _default | exim | h_spam_action | X-atmail-spam-action |
+---------------+---------------+----------------+----------------------+
1 row in set (0.00 sec)
If not then add it:
insert into inventory(inventoryItem, configSection, configVariable, configValue) values('_default','exim','h_spam_action','X-atmail-spam-action');
Update the Exim ACL
This will need to be done on each mailserver instance if using the publish button to push configuration changes.
Change to the override directory for the in-built ss1ip ansible role.
cd /var/lib/atmail/mailserver/roles/ss1ip/templates/amp/exim
Copy over the current data ACL template file:
cp ../../exim/acl_check_data.j2 .
Ensure that the file has sufficient read permissions:
chmod 0644 acl_check_data.j2
Update the file to use the new rules based around aspamd. An example is given below:
vi acl_check_data.j2
acl_check_data:
  deny
    message = Virus $malware_name detected.
    malware = */defer_ok
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:REJECT:$sender_host_address:$sender_address:$recipients:Malware/Virus $malware_name detected
  warn
    set acl_m_spamd = 127.0.0.1 7830 variant=rspamd
  warn
    condition = ${if def:acl_m_outbound}
    set acl_m_spamd = 127.0.0.1 7831 variant=rspamd
  warn
    spam = nobody:true/defer_ok
    add_header = {{ exim_h_spam_bar }}: $spam_bar \n\
                 {{ exim_h_spam_report }}: $spam_report \n\
                 {{ exim_h_spam_action }}: $spam_action
  deny
    condition = ${if def:acl_m_outbound}
    condition = {{ '${if eq {$spam_action}{reject}{1}{0}}' }}
    message = Rejected - messages seen as spam
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:REJECT:$sender_host_address:$sender_address:Outbound message seen as SPAM
  accept
    condition = ${if def:acl_m_outbound}
    message = Accepted outbound message
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:ACCEPT:$sender_host_address:$sender_address:Message accepted for outbound
  accept
    condition = ${if eq {$acl_m_antispam_override}{1}{yes}{no}}
    condition = {{ '${if eq {$spam_action}{reject}{1}{0}}' }}
    add_header = {{ exim_h_spam_override }}: 1
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:ACCEPT:$sender_host_address:$sender_address:Message accepted due to antispam override
  deny
    condition = {{ '${if eq {$spam_action}{reject}{1}{0}}' }}
    message = Rejected as SPAM
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:REJECT:$sender_host_address:$sender_address:$recipients:Rejected as SPAM
  accept
    logwrite = $pid:$tod_epoch:LOG:ACL_CHECK_CONTENT:ACCEPT:$sender_host_address:$sender_address:$recipients:Message accepted as non SPAM
Any publish will now insert the custom acl_check_data.j2 into the main configuration file.
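The logwrite lines in the template above can be summarised to spot accounts whose outbound mail is repeatedly rejected as spam. This is an added example, not part of Atmail's tooling: outbound_spam_rejects is a hypothetical helper name, the log lines are constructed, and the timestamp and message-id prefix on each line is an assumption about how Exim writes them.

```sh
#!/bin/sh
# Added example (not Atmail code): count outbound spam rejections per sender
# from the logwrite lines produced by the acl_check_data template above.

# outbound_spam_rejects FILE: print "COUNT SENDER", highest count first.
outbound_spam_rejects() {
    awk '
        /:LOG:ACL_CHECK_CONTENT:REJECT:/ && /:Outbound message seen as SPAM$/ {
            line = $0
            sub(/:Outbound message seen as SPAM$/, "", line)
            # $sender_address is now the last colon-separated field; reading it
            # from the right keeps an IPv6 $sender_host_address from shifting it.
            n = split(line, f, ":")
            sender = (f[n] == "" ? "<>" : f[n])   # empty sender = bounce
            count[sender]++
        }
        END { for (s in count) print count[s], s }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log; the timestamp and message-id prefix are assumptions.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
2020-10-20 17:20:01 1kUuA1-0001Xy-AB 7301:1603210801:LOG:ACL_CHECK_CONTENT:REJECT:192.0.2.10:alice@example.com:Outbound message seen as SPAM
2020-10-20 17:20:09 1kUuA9-0001Xz-CD 7302:1603210809:LOG:ACL_CHECK_CONTENT:REJECT:2001:db8::25:alice@example.com:Outbound message seen as SPAM
2020-10-20 17:21:30 1kUuBQ-0001Y0-EF 7303:1603210890:LOG:ACL_CHECK_CONTENT:REJECT:198.51.100.7:x@example.net:bob@example.com:Rejected as SPAM
2020-10-20 17:22:02 1kUuBw-0001Y1-GH 7304:1603210922:LOG:ACL_CHECK_CONTENT:REJECT:192.0.2.11:carol@example.com:Outbound message seen as SPAM
2020-10-20 17:22:30 1kUuCO-0001Y2-IJ 7305:1603210950:LOG:ACL_CHECK_CONTENT:ACCEPT:192.0.2.12:dave@example.com:Message accepted for outbound
EOF
outbound_spam_rejects "$sample_log"
rm -f "$sample_log"
```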
Post-Installation
Restart Exim
Exim will require a restart for the new variables to be read.
systemctl restart exim
Spam Reporting Configuration
For an account to be able to report email as spam, or as not spam, when using aspamd, custom email addresses need to be configured for the system to send spam reports to. This setting can be found under Webadmin > Services > Webmail Settings. Note that this will need to be applied to each webmail domain that is used. The email addresses to set here are provided when you purchase aspamd.
Spam report email address
Specify email address that will receive spam reporting email.
Not-spam report email address
Specify email address that will receive not-spam reporting email.