diff --git a/HOWTO b/HOWTO new file mode 100644 index 0000000000000000000000000000000000000000..99091c7d99294af19404b02ff228afbed5524683 --- /dev/null +++ b/HOWTO 
@@ -0,0 +1,154 @@ +On Sun, 11 Feb 2007, Rick Saul wrote: + +> Stuart I was planning to move to centos4.4 in a couple of weeks anyway... +> Your advice of where to go from here. + +Oh - you are asking for a howto. + + Step one. Which DSPAM is right for you? + +The DSPAM project makes dspam part of the LDA (Local Delivery Agent). +Pydspam puts dspam into the MTA (Mail Transfer Agent - sendmail with pymilter). + +The advantage of doing dspam in the LDA is that any aliasing has already been +resolved. You need only configure mailboxes. + +The advantage of doing dspam in the MTA is it can screen an entire +company as a gateway with multiple domains. Unfortunately, this +means you have to tell it about all the aliases that comprise each +account. (Also, pydspam is still uses dspam-2.6.5.2 - the Dspam API +has changed for newer versions.) + +If the LDA is right for you, you'll want to use the official Dspam +package. http://www.nuclearelephant.com/projects/dspam/ + +If the MTA approach is what you want, then pydspam is what you want. + +In either case, you will still want pymilter to block forgeries, Windows +executables, etc. + +So, lets assume you want to install pymilter, and may or may not +wish to install pydspam. + + Step two. Obtaining RPMS. + +For basic pymilter you'll need: + +python-2.4 +milter-0.8.10 +sendmail-8.13.x (with milter support enabled) + +and for SPF you'll need: + +pydns-2.3.3-2.4 +pyspf-2.0.5-1.py24 + +and for SRS you'll need: + +pysrs-0.30.11-1.py24 + +I'm pretty sure you will want to have SPF and SRS available. + + Step three. Activate basic milter. + +Activate the basic milter and pysrs by editing /etc/mail/sendmail.mc and adding: + +define(`NO_SRS_FILE',`/etc/mail/no-srs-mailers')dnl +dnl define(`NO_SRS_FROM_LOCAL')dnl +HACK(`pysrs',`/var/run/milter/pysrs')dnl +INPUT_MAIL_FILTER(`pythonfilter', `S=local:/var/run/milter/pythonsock, F=T, T=C:5m;S:20s;R:5m;E:5m') + +You can then "make sendmail.cf" and restart sendmail. 
+ +Start milter and pysrs with "service milter start", "service pysrs start". + +Tail /var/log/milter/milter.log while SMTP clients connect to your +sendmail instance. This should show you what the milter is doing. + +By default, milter-0.8.10 rejects on SPF fail. + + Step four. Tweaking the basic config. + +Most pymilter configuration is in /etc/mail/pymilter.cfg. To activate +changes, "service milter restart". + +By default, milter scans attachments for executable extensions. You can +turn this off by setting banned_exts to the empty list. There are options +to scan ZIP attachments and rfc822 attachments. When it finds a banned +file type, milter saves the original message in /var/log/milter/save, +and replaces the attachment with a plain text warning message. + +Configure hello_blacklist with your own helo name and domains - which +you know cannot legitimately be used by external MTAs. + +Configure trusted_relay with your secondary MX servers, if any. These +should also run pymilter with similar policies. (But this isn't +needed for initial testing.) + +Configure internal_connect with subnets of your internal SMTP clients. +Internal connections skip SPF testing and other policies. You will +likely need to set this to allow outgoing mail if you have +an SPF policy already. + +Configure internal_domains with domains used by your internal SMTP clients. +If they attempt to use any other domain, the attempt is blocked and the +client is logged as a "zombie". Conversely, any attempt by an external +MTA to use one of your internal domains is treated as a forgery and +blocked (a simplified form of local SPF). + +Adjust porn_words and spam_words - these block emails with a Subject +containing the listed strings. They can be empty to disable Subject +string blocking. + + Advanced SPF configuration. + +The sendmail access file, or another readonly database with that +format, can be used for detail spf policy. SPF access policy +record are tagged with "SPF-{Result}:". 
Results are +Pass, Neutral, Softfail, Fail, PermError. Currently supported +policy keywords are OK, CBV, REJECT. Currently, TempError always +results in TEMPFAIL. + +The default policies are set in pymilter.cfg. The defaults +if none of the config options are set are as follows: + +SPF-Fail: REJECT +SPF-Softfail: CBV +SPF-Neutral: OK +SPF-PermError: REJECT +SPF-Pass: OK + +The tag may be followed by a specific domain. For instance, to +require a Pass from aol.com: + +SPF-Neutral:aol.com REJECT +SPF-Softfail:aol.com REJECT + +The CBV policy requires a valid HELO name. If the EHLO name is +RFC2822 compliant, then a DSN is sent to the alleged sender. The +template for the DSN is selected according to the SPF result: + +Fail: fail.txt +SoftFail: softfail.txt +Neutral: neutral.txt +PermError: permerror.txt +None: strike3.txt + +An SPF-Pass is always accepted by the milter. Domains can be blacklisted +via sendmail in the access file or via a RHS DNS blacklist. + + To be continued. + +Forthcoming topics: + +SRS config + + +pydspam config +wiretap config + +-- + Stuart D. Gathman <stuart@bmsi.com> + Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154 +"Confutatis maledictis, flammis acribus addictis" - background song for +a Microsoft sponsored "Where do you want to go from here?" commercial. diff --git a/MANIFEST.in b/MANIFEST.in index 0ee6bf027e4dd83f5e166f054ecf8be64b6c76e0..dca383e3ada6733f43641ee86c39cb106184b0d8 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -12,8 +12,6 @@ include test.py include sample.py include milter-template.py include test/* -include doc/* include Milter/*.py include *.spec -include *.html include start.sh
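Review bot: The new HOWTO is committed as a raw mailing-list reply rather than a document: it opens with "On Sun, 11 Feb 2007, Rick Saul wrote:" and a quoted "> Stuart I was planning to move to centos4.4..." exchange, and ends with the "-- " signature block and the "Confutatis maledictis" tagline, none of which belongs in a shipped HOWTO; trim it to the "Step one" through "To be continued" body. Two smaller points in the same hunk: "pydspam is still uses dspam-2.6.5.2" should read "pydspam still uses dspam-2.6.5.2", and the "Step four" paragraph on internal_connect states that "Internal connections skip SPF testing and other policies" without telling the reader to keep that subnet list to the hosts that actually relay outbound mail, which is worth a sentence given that everything else in the file is a policy those hosts bypass. The CBV description ("a DSN is sent to the alleged sender") would likewise benefit from a line noting that the address being probed is the one SPF could not confirm, so administrators understand what the default "SPF-Softfail: CBV" policy generates.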
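Review bot: The MANIFEST.in hunk drops "-include doc/*" and "-include *.html" but never adds "include HOWTO", so the file introduced in the same commit will not be packaged in the source distribution; add "include HOWTO" next to "include start.sh". Also confirm that doc/ and the *.html files are really gone from the tree before removing those two lines, otherwise this silently strips the existing documentation from the sdist while the new HOWTO is left out as well.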