Configure Postfix for the DSPAM content filter

To use DSPAM with our mailserver we will use it as a content filter in Postfix, therefore we need to change the configuration of Postfix to route incoming email to DSPAM.

We define an extra transport in the /etc/postfix/master.cf config file by adding the following lines after the line starting with ‘smtp’:

smtp      inet  n       -       n       -       -       smtpd
dspam   unix    -       n       n       -       10      pipe
  flags=Ru user=dspam argv=/usr/local/bin/dspam
     --deliver=innocent --user ${recipient} -i -f $sender
     -- $recipient

Please make sure that the last line starting with ‘flags’ is all on one line in the config file, to make sure you can download my version of master.cf at the bottom of this page.

To enable the re-insertion of the email into Postfix for delivery into a users mailbox we need to add the following to the master.cf file:

localhost:10026 inet  n -       n       -       -        smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,
                                 no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Filtering incoming mail only

To only filter incoming mail we need to do some smart thing with the smtpd_recipient_restrictions settings in the /etc/postfix/main.cf. The list is worked down from top to bottom and if one of the options is valid/checks then the restriction checking stops and the mail process continues with the appropriate steps.

To get this to work we need to setup a filter (using PCRE) which passes the incoming email to DSPAM. To enable this we need to create a file called dspam_filter_access in /etc/postfix/ with the following content:

/./     FILTER dspam:dspam

Next we need to convert this into a postfix readable format using the following command:

sudo postmap /etc/postfix/dspam_filter_access

If everything went correctly there should be a new file called dspam_filter_access.db in /etc/postfix/
.

Next we need to edit the postfix configuration file /etc/postfix/main.cf to enable the filter and add some other DSPAM settings. First the smtpd_recipient_restrictions list:

Your original setting would look like:

smtpd_recipient_restrictions =
  reject_unauth_pipelining,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  warn_if_reject,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_invalid_hostname,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client sbl-xbl.spamhaus.org,
  permit

Please change the last line so it would look like:

smtpd_recipient_restrictions =
  reject_unauth_pipelining,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  warn_if_reject,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_invalid_hostname,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client sbl-xbl.spamhaus.org,
  check_client_access pcre:/etc/postfix/dspam_filter_access

Please add the following entry at the bottom of the /etc/postfix/main.cf, to prevent multiple messages to be submitted at the same time:

#dspam options
dspam_destination_recipient_limit = 1

Next up: starting DSPAM

Resources:

master.cf, download, rename to master.cf and copy into /etc/postfix
main.cf, download, rename to main.cf, copy into /etc/postfix and change entries marked with “### please change this entry !!!”

5 Responses to “Configure Postfix for the DSPAM content filter”

  1. Tim Says:

    Richard,

    Am I wrong in that these instructions do not seem to set up a way to retrain dspam for false positives? In the forum – early on – you were using ham aliases?? I dont see any configuration here in addressing false positive retraining?

  2. Greg Combs Says:

    So I’m setting this up on Mac OS X Server. In order to maintain the functionality of the server administration tools, I can’t recompile the existing postfix and cyrus binaries.

    Unfortunately, your recipe as is will not run such that postfix throws up upon the pcre directive in “check_client_access pcre:”. It doesn’t understand pcre. Though I see pcre related things in the sample folder (sample-filter.cf, sample-pcre-access.cf, etc)

    Here’s how they do a content filter in main.cf:
    content_filter = smtp-amavis:[127.0.0.1]:10024

    and then in master.cf:
    smtp-amavis unix – – y – 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

    Any ideas on how to set this up without recompiling the binaries?

  3. Richard5 Says:

    You don’t need PCRE to use the DSPAM functionality. I’ve choosen for a PCRE based filter but you can also use a REGEX filter, it only needs a different syntax (which I don’t know, sorry).

    I think you still can recompile the binaries and use them in a server environment. I haven’t got a server myself or the OS version to try it out. As far as I know OS X server config only manages the configuration files and they will still be the same format.

  4. jagowan Says:

    hi,

    I’m still have problem with outgoing, always check by dspam. Any idea?

  5. jagowan Says:

    I’M Sorry, I have miss configuration.
    After i’ve read your configuration example carefully, it’s working for dspam to filtering incoming only.