[Rspamd-Users] Could someone please review my first steps?

[G.W. Haywood]

Hi there,

On Sat, 20 Aug 2022, lutz.niederer at gmx.net wrote:

> I would really appreciate and be very thankful if someone could
> review my first small customizations.

I'm no expert on rspamd so I'll leave it to others to make their
observations on the configuration details, but I will offer some
insights (if that's what you'd call them:) on the general setup.

> We will have 2 mail servers, one in the dmz and one behind (with
> submission, imap etc.)  rspamd will run in the dmz ...

This seems unnecessarily complex to me, although I can see what your
reasoning might be.  After experimenting with this kind of setup years
ago eventually I decided that it's less work, and more likely to be
successful, if you only have to secure one server - rather than two,
or possibly even more.  I'm perfectly comfortable with a mail server
which is directly connected to the LAN port on the perimeter firewall.
The mail server doesn't *see* most of the connections to the firewall
which might be making attempts to connect to the server, and in any
case it only accepts a very limited set of connections.  So if by some
mistake the firewall were to forward packets other than e.g. mail on
ports 25/465/587 and (after port knocking elsewhere) ssh on port, er,
ZZ9 plural Z alpha, the server would just reject them.  Obviously you
need to be very confident of the state of the mail server software as
regards critical updates so tune into the right 'announcements' lists.

> ... Sending mail into the world goes the other way around, but the
> smtp server in the dmz listens on a specific port where we expect
> rspamd to add our dkim etc stuff, leave off icap, antivirus ...

Not scanning outgoing mail with the virus scanners?  Depends on your
user base of course but I'd call that a little bit anti-social.  What
do you tell your peers if you accidentally send them a virus?  "Sorry,
we've never bothered scanning our outgoing mail..."?

> When getting mail from the internet we use two virus scanners (via
> icap & clamav), rbls (spamhaus, abusix), dcc, razor & pyzor.  If
> mail gets over the spam threshold of 15 we decided to reject the
> mail.  First question: Is that a really good idea?

Well, it's a start.  I would strongly recommend more DNSBLs.  We use
fourteen at the moment.  A milter produces a score which is based on
what we percieve as the 'quality' of each individual DNSBL.  Quality
here means an integer which is between 1 and 3.  Purely for the sake
of example, spamhaus.net, fmb.la and gbudb.net all get a score of 3;
mailspike.net and spamcop.net get a score of 2; the rest get a score
of 1; we don't use free.v4bl.org, bad.psky.me nor barracuda.anything.

So if a message trips the Spamhuas, GBudb and Spamcop DNSBL checks it
gets a score of 8, which is well above our tempfail threshold (1.5).
I quite often see connections getting scores in the low twenties, and
regularly in the high teens.  By design the DNS lookups are in series
not in parallel, so it takes a few seconds to get all the replies.  A
lot of the pump'n'dump stuff doesn't even wait for a quorum.

> ... about virus scanning:
> - if both virus scanners detect a mail with virus the mail gets rejected at the dmz.
> - if only one detects a virus the mail gets a specific header and another header that notes the scanning engine.
> - if one scanner fails then the mail is handled as if one said "virus". (see before)
> - if both scanners fail, the mail will be soft rejected.

I wouldn't do that.  I think you will be letting in a lot more virus-
ridden mail than you need to.  I'd say treat them as a single scanner
and reject the mail if *either* scanner finds anything.

I'd recommend that you look into virus scanning a bit more, and most
importantly into the probability that a scanner will find something if
it's there.  I've only used ClamAV for any great length of time (about
two decades) and my assessments of its efficacy are on record on the
ClamAV Users' mailing list.  Long story short, the best virus scanner
will give you about 85% hit rate - or five out of six.  That means one
in six will probably get through.  Using two virus scanners does *NOT*
mean you get a proportionally better hit rate.  For the viruses that I
see in mail attempting to reach us, with only the Official Signatures
AFAICT ClamAV gets about a 5% (five percent) hit rate.  Using some of
the third-party signatures improves on that somewhat, but no miracles.
I'm happy to share the evidence from my logs if anyone is interested.

My general feeling is that DNSBLs are more likely to stop more viruses
than virus scanners, simply because machines sending viruses get onto
the DNSBLs pretty quickly.  Of course you might be unlucky, and be one
of the first victims, or the virus might come from AS 8075 or AS 15169
which each have *thousands* of sending IPS as that's the only way they
can keep their servers from being listed.  So you wouldn't want to run
without using any scanner at all, but it's really all about doing your
best with the probabilities.  Greylisting can help improve the odds.

DNSBLs take a lot less CPU cycles and a lot less RAM than scanning for
viruses and spam.

> In case one or more scanners fails there should be a notification
> sent out to admin via mail as this should not happen and ...

Speaking only about ClamAV, it's been very reliable here (meaning that
it doesn't often crash) apart from the time when I tried to get it to
use our custom Yara rules.  Then it was a real pain, it would crash if
I so much as missed off a curly brace, so I gave up with that approach
and built a separate Yara (4.2.2) scanner.  The Yara version in ClamAV
is only 2.something anyway so it's hopelessly out of date.  Primarily
we use ClamAV to look for spam; we have no Windows boxes nor Macs and
our users are clueful, so there are no big worries here about viruses.
Having said that, every time we find something malicious in mail, out
of interest I log a comparison of the results from about fifteen virus
scanners (courtesy of Jotti.org) and then produce a league table from
the results.  That's how I can get what I think is a pretty good feel
for the hit rates.  It's fairly depressing.

> ... be fixed asap.  I have no clue how.

There will be occasions when a rogue signature or PDF file gets things
into some kind of a tizzy but depending on your usage profile I expect
things like that to be rare.  I run a separate server for ClamAV, and
if running the init script to restart the clamd daemon didn't have the
desired effect I'd probably just reboot it.  Can't say I can remember
ever having to do that because of anything that came down the wire, it
usually runs for months at a time with no care and feeding whatsoever.
It finds of the order of two percent of the things that we don't want
to see; Yara with a couple of dozen rules finds over ninety percent.
The only times I see spam in my inbox are if I've screwed up a rule,
or maybe if they sent it to my [redacted] account.

> ... mail should always have a header where we can find the direction
> (incoming or outgoing).

I'd have said it would be hard to avoid that. :)

> One question regarding authenticated users / milter auth_authen /
> sasl.  On a relay we don't have any user connecting to the smtp
> server when sending mail internally.  What does postfix send ...

Sorry, no idea - I don't use Postfix.

> ... If everything "should" work, we will start with one domain.

Seems eminently sensible, I wish you luck.  You haven't soent much
time talking about logging, I guess you'll do a lot of it.  I trawl
through rather more than a gigabyte of mail logs per month. ;(

-- 

73,
Ged.