Installing and configuring Spamassassin

SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. SpamAssassin runs on a server, and filters spam before it reaches your mailbox.

Upgrading spamassassain to version 3.4.1

The release of version 3.4.1 was announced on Apr 30 2015. The TxRep plugin is now included and disabled by default for new installs, because it goes in confict with AWL, which must be disabled.

Here is how to update quickly:

qmailctl stop
spamdctl stop
perl -MCPAN -e shell
cpan> o conf prerequisites_policy ask
cpan> force notest install  Mail::SpamAssassin Mail::SpamAssassin::Plugin::Razor2
cpan> quit

Now I enabled all new plugins from /etc/mail/spamassassin/v341.pre and disabled Mail::SpamAssassin::Plugin::AWL from v310.pre. Finally I inserted those two options in my

use_txrep 1
txrep_factory Mail::SpamAssassin::SQLBasedAddrList

Then I restarded spamd and qmail

spamdctl start
qmailctl start

qmailadmin password-strenght patch

A big lack of qmail account managers, expecially qmailadmin, is that they do not provide any password complexity check. A couple of days ago I discovered in one of my servers a "test 123456" account and I realized that the time has come to put a patch on it.

Since I had no luck in having cracklib working inside qmailadmin (see crackilib patch, any help  on the purpose would be veeerrry much appreciated) I've quickly found a solution via a javascript form validation, which refuses unsecure passwords. You can easily customize how it decides to accept/refuse the passwords modifying the file pw_strenght_chk.js in the html dir.

Sieve interpreter & Dovecot ManageSieve

The Pigeonhole project provides Sieve support as a plugin for Dovecot's Local Delivery Agent (LDA) and also for its LMTP service. The plugin implements a Sieve interpreter, which filters incoming messages using a script specified in the Sieve language. The Sieve script is provided by the user and, using that Sieve script, the user can customize how incoming messages are handled. Messages can be delivered to specific folders, forwarded, rejected, discarded, etc.

Dovecot Managesieve Server is a service used to manage a user's Sieve script collection.


ezmlm-web is a web interface for the administration of ezmlm mailing lists.

Howto avoid being "cut off" by

As you probably know spamhaus limits your smtp and DNS traffic ( for more info) and in case of big servers this can be a serious problem.

Luckily, Costel Balta sent me a solution to the problem that I'm going to paste below. In short, he suggests to dinamically create firewall rules via iptables (or better shorewall) to avoid connections from suspicious IPs in order to decrease the number of requests to the RBL lists of about 80%.

ipsets and swatch are also needed to manage iptables rules and scan your logs respectively.

A big thanks to Costel Balta for the following tutorial; this is not the first time that he posts an original idea.

How to backup a server with rsync via ssh login without password

Rsync is a fast and extraordinarily versatile file copying tool.  It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon.
It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied.  It is famous for  its  delta-transfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination.  Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.
Rsync finds files that need to be transferred using a "quick check" algorithm (by default) that looks for files that have changed in size or in last-modified  time.
Any  changes  in  the  other preserved attributes (as requested by options) are made on the destination file directly when the quick check indicates that the file's data does not need to be updated.

qmail, spf and IPv6

Today Erwin Hoffmann has released his ucspi-tcp6 v. 0.99. The current version includes an hack by Manvendra Bhangui from which gets tcpserver and qmail's spfcheck to be IPv4-mapped IPv6 addresses compliant, provided that you use his fix to the qmail-spf patch (my combined patch already has this adjustment to spf).

Fot those interested, a few days ago Manvendra Bhangui released a package of patches including now not only DKIM and SURBL but also substancial modifications which get SPF and the entire qmail totally IPv6 compliant. The upgrade for me is not so straightforward, but I'm planning to have it in my big patch soon or later. For the moment you can play with it downloading from

SURBL filtering configuration

SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders.

Web sites seen in unsolicited messages tend to be more stable than the rapidly changing botnet IP addresses used to send the vast majority of them. Sender lists like can be used in a first stage filter to help identify 80% to 90% of unsolicited messages. SURBLs can help find about 75% of the otherwise difficult, remaining unsolicited messages in a second stage filter. Used together with sender lists, SURBLs have proven to be a highly-effective way to detect 95% of unsolicited messages.

The SURBL filter is part of the DKIM patch by Manvendra Bhangui and it's embedded in my combined patch.

Adjusting the tcprules files for qmail

This is my tcprules file:

> more /home/vpopmail/etc/tcp.smtp,RELAYCLIENT="",SMTPD_GREETDELAY="0",RELAYCLIENT="",SMTPD_GREETDELAY="0"

As you can see, the localhost, the internal subnet 10.0.0., and the external server's IP are allowed to use the MTA as a relay (RELAYCLIENT=""), and does not face a GREETDELAY.

All other clients are allowed to send us emails (allow:), will face a GREETDELAY specified in the qmail-smtpd run script, and are not allowed to use our MTA as a relay.