[Rspamd-Users] Could someone please review my first steps?

lutz.niederer at gmx.net
Wed Aug 24 14:36:15 UTC 2022


Hi Ged,

thanks for your answer.

First I would like to say that outgoing mail will be scanned for viruses!  On the inner postfix!

There have been many thoughts about having only one mail server and no DMZ for mail.  There have even been some thoughts about virtualizing pfSense on that machine.  Yes, this would make things much easier.  And postfix is very mature and secure.  But the decision was made to separate things.  This is like the setup that ran for years, but outside and hosted on two other machines.  As there are two different lines coming in, and the backup MX was nearly never used because of HW/SW failures but only because of network problems, the decision was made to self-host them and have one MX only, but to still draw a line between internal and external.  (Maybe this will change in future.)

Traditionally two virus scanners are used.  This should stay like it was.  But regarding the blacklists, there was always some uncertainty which ones to use.  For this setup spamhaus, abusix and spamcop will be used.  As whitelists, dnswl and mailspike will be used.  If you have any advice or a better setup with scores, I would be happy to get your suggestions.

Cheers!
-lutzn


> Gesendet: Samstag, 20. August 2022 um 19:40 Uhr
> Von: "G.W. Haywood via Users" <users at lists.rspamd.com>
> An: "User questions" <users at lists.rspamd.com>
> Cc: "G.W. Haywood" <rspamd at jubileegroup.co.uk>
> Betreff: Re: [Rspamd-Users] Could someone please review my first steps?
>
> Hi there,
>
> On Sat, 20 Aug 2022, lutz.niederer at gmx.net wrote:
>
> > I would really appreciate and be very thankful if someone could
> > review my first small customizations.
>
> I'm no expert on rspamd so I'll leave it to others to make their
> observations on the configuration details, but I will offer some
> insights (if that's what you'd call them:) on the general setup.
>
> > We will have 2 mail servers, one in the dmz and one behind (with
> > submission, imap etc.)  rspamd will run in the dmz ...
>
> This seems unnecessarily complex to me, although I can see what your
> reasoning might be.  After experimenting with this kind of setup years
> ago eventually I decided that it's less work, and more likely to be
> successful, if you only have to secure one server - rather than two,
> or possibly even more.  I'm perfectly comfortable with a mail server
> which is directly connected to the LAN port on the perimeter firewall.
> The mail server doesn't *see* most of the connections to the firewall
> which might be making attempts to connect to the server, and in any
> case it only accepts a very limited set of connections.  So if by some
> mistake the firewall were to forward packets other than e.g. mail on
> ports 25/465/587 and (after port knocking elsewhere) ssh on port, er,
> ZZ9 plural Z alpha, the server would just reject them.  Obviously you
> need to be very confident of the state of the mail server software as
> regards critical updates so tune into the right 'announcements' lists.
>
> > ... Sending mail into the world goes the other way around, but the
> > smtp server in the dmz listens on a specific port where we expect
> > rspamd to add our dkim etc stuff, leave off icap, antivirus ...
>
> Not scanning outgoing mail with the virus scanners?  Depends on your
> user base of course but I'd call that a little bit anti-social.  What
> do you tell your peers if you accidentally send them a virus?  "Sorry,
> we've never bothered scanning our outgoing mail..."?
>
> > When getting mail from the internet we use two virus scanners (via
> > icap & clamav), rbls (spamhaus, abusix), dcc, razor & pyzor.  If
> > mail gets over the spam threshold of 15 we decided to reject the
> > mail.  First question: Is that a really good idea?
>
> Well, it's a start.  I would strongly recommend more DNSBLs.  We use
> fourteen at the moment.  A milter produces a score which is based on
> what we perceive as the 'quality' of each individual DNSBL.  Quality
> here means an integer which is between 1 and 3.  Purely for the sake
> of example, spamhaus.net, fmb.la and gbudb.net all get a score of 3;
> mailspike.net and spamcop.net get a score of 2; the rest get a score
> of 1; we don't use free.v4bl.org, bad.psky.me nor barracuda.anything.
>
> So if a message trips the Spamhaus, GBudb and Spamcop DNSBL checks it
> gets a score of 8, which is well above our tempfail threshold (1.5).
> I quite often see connections getting scores in the low twenties, and
> regularly in the high teens.  By design the DNS lookups are in series
> not in parallel, so it takes a few seconds to get all the replies.  A
> lot of the pump'n'dump stuff doesn't even wait for a quorum.
>
> > ... about virus scanning:
> > - if both virus scanners detect a mail with virus the mail gets rejected at the dmz.
> > - if only one detects a virus the mail gets a specific header and another header that notes the scanning engine.
> > - if one scanner fails then the mail is handled as if one said "virus". (see before)
> > - if both scanners fail, the mail will be soft rejected.
>
> I wouldn't do that.  I think you will be letting in a lot more virus-
> ridden mail than you need to.  I'd say treat them as a single scanner
> and reject the mail if *either* scanner finds anything.
>
> I'd recommend that you look into virus scanning a bit more, and most
> importantly into the probability that a scanner will find something if
> it's there.  I've only used ClamAV for any great length of time (about
> two decades) and my assessments of its efficacy are on record on the
> ClamAV Users' mailing list.  Long story short, the best virus scanner
> will give you about 85% hit rate - or five out of six.  That means one
> in six will probably get through.  Using two virus scanners does *NOT*
> mean you get a proportionally better hit rate.  For the viruses that I
> see in mail attempting to reach us, with only the Official Signatures
> AFAICT ClamAV gets about a 5% (five percent) hit rate.  Using some of
> the third-party signatures improves on that somewhat, but no miracles.
> I'm happy to share the evidence from my logs if anyone is interested.
>
> My general feeling is that DNSBLs are more likely to stop more viruses
> than virus scanners, simply because machines sending viruses get onto
> the DNSBLs pretty quickly.  Of course you might be unlucky, and be one
> of the first victims, or the virus might come from AS 8075 or AS 15169
> which each have *thousands* of sending IPs as that's the only way they
> can keep their servers from being listed.  So you wouldn't want to run
> without using any scanner at all, but it's really all about doing your
> best with the probabilities.  Greylisting can help improve the odds.
>
> DNSBLs take a lot less CPU cycles and a lot less RAM than scanning for
> viruses and spam.
>
> > In case one or more scanners fails there should be a notification
> > sent out to admin via mail as this should not happen and ...
>
> Speaking only about ClamAV, it's been very reliable here (meaning that
> it doesn't often crash) apart from the time when I tried to get it to
> use our custom Yara rules.  Then it was a real pain, it would crash if
> I so much as missed off a curly brace, so I gave up with that approach
> and built a separate Yara (4.2.2) scanner.  The Yara version in ClamAV
> is only 2.something anyway so it's hopelessly out of date.  Primarily
> we use ClamAV to look for spam; we have no Windows boxes nor Macs and
> our users are clueful, so there are no big worries here about viruses.
> Having said that, every time we find something malicious in mail, out
> of interest I log a comparison of the results from about fifteen virus
> scanners (courtesy of Jotti.org) and then produce a league table from
> the results.  That's how I can get what I think is a pretty good feel
> for the hit rates.  It's fairly depressing.
>
> > ... be fixed asap.  I have no clue how.
>
> There will be occasions when a rogue signature or PDF file gets things
> into some kind of a tizzy but depending on your usage profile I expect
> things like that to be rare.  I run a separate server for ClamAV, and
> if running the init script to restart the clamd daemon didn't have the
> desired effect I'd probably just reboot it.  Can't say I can remember
> ever having to do that because of anything that came down the wire, it
> usually runs for months at a time with no care and feeding whatsoever.
> It finds of the order of two percent of the things that we don't want
> to see; Yara with a couple of dozen rules finds over ninety percent.
> The only times I see spam in my inbox are if I've screwed up a rule,
> or maybe if they sent it to my [redacted] account.
>
> > ... mail should always have a header where we can find the direction
> > (incoming or outgoing).
>
> I'd have said it would be hard to avoid that. :)
>
> > One question regarding authenticated users / milter auth_authen /
> > sasl.  On a relay we don't have any user connecting to the smtp
> > server when sending mail internally.  What does postfix send ...
>
> Sorry, no idea - I don't use Postfix.
>
> > ... If everything "should" work, we will start with one domain.
>
> Seems eminently sensible, I wish you luck.  You haven't spent much
> time talking about logging, I guess you'll do a lot of it.  I trawl
> through rather more than a gigabyte of mail logs per month. ;(
>
> --
>
> 73,
> Ged.
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
>
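The weighted DNSBL scoring Ged describes (each list carries a 'quality' of 1 to 3, the weights of every list that returns a hit are summed, and a total at or above the tempfail threshold of 1.5 defers the connection) is modelled in the following added example. It is not code from either poster, from Ged's milter or from rspamd; the zone names are the labels used in the message, not verified query zones, the resolver is injected and fed constructed listings so the example runs offline, and the lookups are made in series as the message says.

```python
"""Weighted DNSBL scoring modelled on the scheme in Ged's reply (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

# Quality weights quoted in the message.  The keys are the names as written
# there, used as illustrative labels only (assumption: not real query zones).
DNSBL_WEIGHTS: Dict[str, int] = {
    "spamhaus.net": 3,
    "fmb.la": 3,
    "gbudb.net": 3,
    "mailspike.net": 2,
    "spamcop.net": 2,
    "low-quality.invalid": 1,   # stand-in for the lists that "get a score of 1"
}
TEMPFAIL_THRESHOLD = 1.5        # the threshold quoted in the message


def reverse_ip(ip: str) -> str:
    """DNSBL queries carry the IPv4 octets in reverse order."""
    return ".".join(reversed(ip.split(".")))


def query_name(ip: str, zone: str) -> str:
    """Name that would be looked up for `ip` in `zone`."""
    return f"{reverse_ip(ip)}.{zone}"


# A resolver returns the A record text for a listed name, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def score_ip(ip: str, resolve: Resolver,
             weights: Dict[str, int] = DNSBL_WEIGHTS) -> Tuple[float, List[str]]:
    """Sum the weights of every DNSBL that lists `ip`; lookups run in series."""
    total = 0.0
    hits: List[str] = []
    for zone, weight in weights.items():
        if resolve(query_name(ip, zone)) is not None:
            total += weight
            hits.append(zone)
    return total, hits


def decide(score: float, threshold: float = TEMPFAIL_THRESHOLD) -> str:
    """Tempfail at or above the threshold, otherwise let the SMTP dialogue go on."""
    return "tempfail" if score >= threshold else "accept"


# Constructed listings for the example (documentation-range addresses):
#   192.0.2.10  listed by Spamhaus, GBudb and Spamcop -> the "score of 8" case
#   203.0.113.5 listed only by a weight-1 list       -> stays under 1.5
CONSTRUCTED_LISTINGS: Dict[str, str] = {
    query_name("192.0.2.10", "spamhaus.net"): "127.0.0.2",
    query_name("192.0.2.10", "gbudb.net"): "127.0.0.2",
    query_name("192.0.2.10", "spamcop.net"): "127.0.0.2",
    query_name("203.0.113.5", "low-quality.invalid"): "127.0.0.2",
}


def constructed_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a DNS A lookup against the constructed listings."""
    return CONSTRUCTED_LISTINGS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "198.51.100.7"):
        score, hits = score_ip(ip, constructed_resolver)
        print(f"{ip}: score={score} hits={hits} -> {decide(score)}")
```

Swapping `constructed_resolver` for a real lookup (for example a `socket.gethostbyname` wrapper that maps the NXDOMAIN error to `None`) turns this into the serial check the message describes; the ordering of `DNSBL_WEIGHTS` then decides which lists are asked first, so the heaviest ones can go early and an early-exit once the threshold is crossed is an easy addition.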

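The two-scanner decision table Lutz quoted (both engines hit: reject; one hits: add a marker header plus one naming the engine; one engine fails: count the failure as a hit and notify the admin; both fail: soft reject) and Ged's simpler rule (treat both as one scanner and reject if either finds anything) are written out side by side in the following added example. This is not rspamd's antivirus module nor code from either poster; engine names, header names and the reading of rule 3 as "a failed engine counts as a hit" are assumptions made for the example, as is soft-rejecting on a failed engine under Ged's rule, which the thread does not specify.

```python
"""Two-scanner verdict policies from the thread (added example, not rspamd code)."""
from enum import Enum
from typing import Dict, Tuple


class Verdict(Enum):
    CLEAN = "clean"
    VIRUS = "virus"
    ERROR = "error"      # engine unreachable, timed out or crashed


# (SMTP action, headers to add, whether the admin should be notified)
Decision = Tuple[str, Dict[str, str], bool]


def thread_policy(results: Dict[str, Verdict]) -> Decision:
    """The four rules quoted in the thread, keyed by engine name."""
    failed = [name for name, v in results.items() if v is Verdict.ERROR]
    notify = bool(failed)                      # any failure "should not happen"
    if results and len(failed) == len(results):
        return "soft reject", {}, notify       # rule 4: both engines down
    # rule 3 (assumed reading): a failed engine is counted as if it reported a virus
    hits = [name for name, v in results.items() if v is not Verdict.CLEAN]
    if results and len(hits) == len(results):
        return "reject", {}, notify            # rule 1: every engine says virus
    if hits:                                   # rule 2: exactly one engine says virus
        name = hits[0]
        engine = f"{name} (scan failed)" if results[name] is Verdict.ERROR else name
        headers = {"X-Virus-Status": "suspect", "X-Virus-Engine": engine}  # constructed names
        return "accept", headers, notify
    return "accept", {"X-Virus-Status": "clean"}, notify


def single_scanner_policy(results: Dict[str, Verdict]) -> Decision:
    """Ged's suggestion: one logical scanner, reject if either engine hits.
    The thread says nothing about a failed engine; soft reject is assumed here."""
    if any(v is Verdict.VIRUS for v in results.values()):
        return "reject", {}, False
    if any(v is Verdict.ERROR for v in results.values()):
        return "soft reject", {}, True
    return "accept", {"X-Virus-Status": "clean"}, False


if __name__ == "__main__":
    # Constructed scan outcomes; "clamav" and "icap" are the engines named in the thread.
    cases = [
        {"clamav": Verdict.VIRUS, "icap": Verdict.VIRUS},
        {"clamav": Verdict.VIRUS, "icap": Verdict.CLEAN},
        {"clamav": Verdict.ERROR, "icap": Verdict.CLEAN},
        {"clamav": Verdict.ERROR, "icap": Verdict.ERROR},
    ]
    for results in cases:
        print({k: v.value for k, v in results.items()},
              "thread:", thread_policy(results),
              "single:", single_scanner_policy(results))
```

The table makes the gap Ged points at visible: under the thread's rules a message flagged by one engine still reaches the inner server with only a header on it, and the reader downstream has to act on `X-Virus-Status`; under the single-scanner rule the same message is rejected at the DMZ.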