Installing and configuring Spamassassin

SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. SpamAssassin runs on a server, and filters spam before it reaches your mailbox.

Upgrading spamassassain to version 3.4.1

The release of version 3.4.1 was announced on Apr 30 2015. The TxRep plugin is now included and disabled by default for new installs, because it goes in confict with AWL, which must be disabled.

Here is how to update quickly:

qmailctl stop
spamdctl stop
perl -MCPAN -e shell
cpan> o conf prerequisites_policy ask
cpan> force notest install  Mail::SpamAssassin Mail::SpamAssassin::Plugin::Razor2
cpan> quit
sa-update

Now I enabled all new plugins from /etc/mail/spamassassin/v341.pre and disabled Mail::SpamAssassin::Plugin::AWL from v310.pre. Finally I inserted those two options in my local.cf:

use_txrep 1
txrep_factory Mail::SpamAssassin::SQLBasedAddrList

Then I restarded spamd and qmail

spamdctl start
qmailctl start

Install

perl -MCPAN -e shell
o conf commit prerequisites_policy ask
install Mail::SpamAssassin
quit

For Slackware users

  • REQUIRED module missing: HTML::Parser
  • REQUIRED module missing: Net::DNS
  • REQUIRED module missing: NetAddr::IP
  • optional module missing: Digest::SHA1
  • optional module missing: Mail::SPF
  • optional module missing: Razor2
  • optional module missing: IO::Socket::INET6
  • optional module missing: IO::Socket::SSL
  • optional module missing: Mail::DKIM
  • optional module missing: LWP::UserAgent
  • optional module missing: HTTP::Date
  • optional module missing: Encode::Detect
  • optional module missing: Geo::IP
  • optional module missing: IO::Socket::IP
  • optional module missing: Net::Patricia

These modules are missing and must be installed from CPAN. Some of them have dependencies as well...

At the end this is how I have installed everything. Reply yes if dependencies are found, install in this order and force install when needed.

perl -MCPAN -e shell
o conf prerequisites_policy ask

force notest install Socket6 IO::Socket IO::Socket::INET6 LWP MD5 CPAN::DistnameInfo Mail::DKIM

Installed prerequisites of Net::DNS:

force notest install Test::More MIME::Base64 Digest::MD5 Digest::HMAC_MD5 Net::IP

Continue installing (always from CPAN):

force notest install Net::Ping Net::DNS Time::HiRes Digest::SHA1 Getopt::Long Digest::Nilsimsa URI::Escape HTML::Parser HTTP::Date IO::Zlib Archive::Tar  Mail::SPF
force notest install Mail::SPF::Query Net::Ident IO::Socket::SSL Mail::DomainKeys Mail::DKIM LWP::UserAgent HTTP::Date Encode::Detect

Now download and install (in this order) razor-agent-sdk and razor-agent (download latest version from here):

tar xjf razor-agents-sdk-2.07.tar.bz2
cd razor-agents-sdk-2.07
chown -R root.root .
perl Makefile.PL
make
make install

cd ..
tar xjf razor-agents-2.85.tar.bz2
cd razor-agents-2.85
chown -R root.root .
perl Makefile.PL
make
make install

perl -MCPAN -e shell
o conf prerequisites_policy ask

Install these modules

force notest install Storable DB_File Net::SMTP BerkeleyDB
force notest install Geo::IP IO::Socket::IP Net::Patricia

Finally, if everything is ok install spamassassin and Razor  via CPAN

force notest install  Mail::SpamAssassin Mail::SpamAssassin::Plugin::Razor2

I had to skip the tests because off many errors... anyway it works.

Configuring

Create the spamd user and group:

groupadd spamd
useradd -g spamd -d /home/spamd spamd
chown -R spamd.spamd /home/spamd

You can find the config files into /etc/mail/spamassassin

> cd /etc/mail/spamassassin
> ls
init.pre  local.cf  v310.pre  v312.pre  v320.pre  v330.pre

local.cf

# Add *****SPAM***** to the Subject header of spam e-mails
# rewrite_header Subject *****SPAM*****
# put here your subnet
trusted_networks 10.0.0.
# Set the threshold at which a message is considered spam (default: 5.0)
required_score 5.0
use_bayes 1
bayes_auto_learn 1
use_txrep 1
txrep_factory Mail::SpamAssassin::SQLBasedAddrList

init.pre

# RelayCountry - add metadata for Bayes learning, marking the countries
# a message was relayed through
#
# Note: This requires the IP::Country::Fast Perl module
#
loadplugin Mail::SpamAssassin::Plugin::RelayCountry

# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

# Hashcash - perform hashcash verification.
#
loadplugin Mail::SpamAssassin::Plugin::Hashcash

# SPF - perform SPF verification.
#
loadplugin Mail::SpamAssassin::Plugin::SPF

Testing

Run this debug command. If you get no error you are ready to run the daemon.

sudo -u spamd -H spamassassin -D --lint

sa-update

sa-update updates the rules (it requires gpg 1.4). Before running spamassassin for the first time download the rules:

sa-update

Add to your crontab this line to update the rules once a day

# spamassassin update
30 3 * * * /usr/bin/sa-update --nogpg -v &

The -v option will produce an email notification to postmaster.

Running spamassassin

Download the startup script from here. You have to replace the IP of your firewall and place it in /usr/local/bin/spamdctl or /etc/rc.d/rc.spamd and make it executable. Check that the path where you daemon has been installed (/usr/local/bin/spamd or /usr/local/bin/spamd) matches the one in the run script.

#!/bin/sh

# Spamd init script for Slackware
# August, 2th 2003
# Martin Ostlund, nomicon
# Modified slightly by Troy Belding for Qmailrocks - February 23, 2004
# Modified by Roberto Puzzanghera - September 02, 2014

DAEMON=/usr/local/bin/spamd
NAME=spamd
SNAME=spamdctl
DESC="SpamAssassin Mail Filter Daemon"
PIDFILE="/var/run/$NAME.pid"
PNAME="spamd"

DOPTIONS="-x -u spamd -A 127.0.0.1,[external-IP/firewall-IP] -s /var/log/spamd.log -H /home/spamd -d --pidfile=$PIDFILE"

KILL="/bin/kill"
KILLALL="/bin/killall"
# Defaults - don''t touch, edit /etc/mail/spamassassin/local.cf
ENABLED=0
OPTIONS=""

set -e

case "$1" in
start)
echo -n "Starting $DESC: "
$DAEMON $OPTIONS $DOPTIONS

echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
$KILL -9 `cat $PIDFILE`
/bin/rm $PIDFILE
echo "$NAME."
;;
restart|force-reload)
echo -n "Restarting $DESC: "
$0 stop
$0 start

echo "$NAME."
;;
*)
ME=/usr/local/bin/$SNAME
echo "Usage: $ME {start|stop|restart|force-reload}" >&2
exit 1
;;
esac

exit 0

Now check that spamd is running:

> spamdctl start
> ps axfu
root      1859  0.1  3.4 139360 61044 ?        Ss   19:00   0:01 /usr/bin/spamd -x -u spamd -A 127.0.0.1,[firewall-IP] -H /home/spamd -d --pidfile=/var/run/spamd.pid
spamd     1860  0.0  3.2 139360 58984 ?        S    19:00   0:00  \_ spamd child
spamd     1861  0.0  3.2 139360 58984 ?        S    19:00   0:00  \_ spamd child

Type spamd -c to learn how to use spamd. See also http://spamassassin.apache.org/full/3.4.x/doc/spamd.html

Starting spamassassin at boot time

To start spamassassin at boot time put your startup script in your rc.local:

/usr/local/bin/spamdctl start &

logrotate

Create a file /etc/logrotate.d/spamd like this (slackware) to rotate daily your spamd logs:

/var/log/spamd.log {
rotate 5
daily
missingok
notifempty
delaycompress
postrotate
   /usr/local/bin/spamdctl restart
endscript
}

Comments

Wow, just found this post yesterday when I wanted to install Spamassassin on my Slackware64-current box. I can't thank you enough for this superb post. Grazie mille!

Thank you for a great tutorial.

I was wondering did you manage to make the new Geo::IP plug in working. I have installed from cpan and updated (geoiplookup works) but spamassassin doesn't seems to take that in consideration when I block a country. I have enable it from init.pre. Any ideea what can be?

Thanks

Sorry, I don't use that plugin

How can I disable the use of spamassassin? Just uninstalling it?

Thanks!

no, just edit /var/qmail/control/simcontrol and put spam=no. update the simcontrol after that:

$ /var/qmail/bin/simscanmk

For update Spamassassin 3.4.1 is necesary update the db (in my case):

ALTER TABLE `awl` ADD signedby VARCHAR(255) NOT NULL DEFAULT '' AFTER totscore;

Regards

Hi,

I have this error on load :

error: Can't locate loadable object for module Geo::IP in @INC (@INC contains: /usr/local/share/perl5 /usr/local/lib64/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at /usr/local/share/perl5/Geo/IP.pm line 42.

Thanks

did you installed GEO:IP?

I have this in cpan

install Geo::IP

Geo::IP is up to date (1.45).

I had to disable loadplugin Mail::SpamAssassin::Plugin::URILocalBL  in v341.pre   to get rid of this error in the spamd.log

error: Can't locate loadable object for module Geo::IP in @INC

I would try to see which module is missing looking inside that file/line

Spamassassin 3.4.1 was not working.  I was getting spamd.log hits

warn: spamd: unauthorized connection from ::1 [::1]:52080 to port 783, fd 5 at /usr/local/bin/spamd line 1600.

and spamd was not working at all.

I added ::1  in the spamdctl file like so:

DOPTIONS="-x -u spamd -A 127.0.0.1,::1 -s /var/log/spamd.log -H /home/spamd -d -c --pidfile=$PIDFILE"

I think you have to check that spamd is listening on IPv6 as well and eventually add a "-i [::1]:783" option to your spamdctl. Look here for details http://spamassassin.apache.org/full/3.4.x/doc/spamd.html

Roberto,

We have a new email server for 300 people thanks to your guide.  Being able to use Roundcube with PGP was the key piece.   I had to keep the old qmail / sqmail  with the PGP plugin up until today.

IPv6 is working great and spamassassin is doing the job.

I sent you a couple of coffee's and we thank you for keeping the awesome qmail alive.

John D. Trolinger

Hello,

Being a long time qmail user  I recently wanted to switch to full SSL. Unfortunately I cannot succeed having both SSL and AUTH working at same time.

When using stunnel, it just creates an openrelay : any login/pass is considered as OK (all vars are the same as for normal smtp)

/usr/local/bin/tcpserver -v -R -l mail.watchmusic.com -x /etc/tcp.smtp.cdb -c 50 -u 1008 -g 1003 0 465 /usr/local/bin/stunnel /var/qmail/control/stunnel_smtpd.conf

and stunnel_smtpd.conf

foreground = yes
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-smtpd
execargs = /var/www/vpopmail/bin/vchkpw /bin/true

When using sslserver, I've no openrelay, but I don't get AUTH on prompt (I've well exported the SMTPAUTH var)

sslserver -e -vR -l myserverfqdn -c 30 -u 508 -g 503 -x /etc/tcp.ssmtp.cdb 0.0.0.0 465 qmail-smtpd myserverfqdn /var/www/vpopmail/bin/vchkpw /bin/true


Has anybody succeeded having SSL and AUTH at same time ?

I think I did manage to have SSL on 465 with AUTH. I had to play with the run file of the specific service (on my system, /var/qmail/service/smtpd-465/run). Can you post yours ?

I don't use SSL 465