Last updated: 19 December 2005
This document is a brief howto on building sendmail on a FreeBSD server with Anti-Virus (using ClamAV), Anti-Spam (using spamd greylisting and PF redirection), SMTP Auth and POP3. It assumes that you already know about FreeBSD and the Ports Collection; see the FreeBSD Handbook for an introduction to both.
Tested on FreeBSD 5.x - 6.x. Components and where they come from:-
Sendmail   - base system (/usr/src/usr.sbin/sendmail)
pf         - base system
POP3       - /usr/ports/mail/popa3d
Spamd      - /usr/ports/mail/spamd
Clamav     - /usr/ports/security/clamav
SMTP Auth  - /usr/ports/security/cyrus-sasl2-saslauthd
First of all we need to configure our firewall to allow redirection for spam filtering. The spamd process uses greylisting to determine what is spam and what is not. An excellent explanation can be found here:-
Basically spamd makes use of the pf tables and the fact that these can be updated dynamically. The 3 tables used in pf for spam filtering are:-
spamd
spamd-white
spamd-mywhite
The tables "spamd" and "spamd-white" are populated dynamically by the spamd-setup and spamd processes respectively. "spamd-mywhite" is loaded from a file that the administrator can update as and when required; in my config the file is "/usr/local/etc/spamd/spamd-mywhite". I use it for manually adding subnet blocks that should be trusted (i.e. your own subnets).
It should also be noted that some large companies will require whole network blocks to be added to your "spamd-mywhite" file, otherwise mail from these domains will never arrive. For example, gmail.com uses so many servers that the initial delivery attempt comes from one IP and the retry comes from a different IP, so the greylist entry never passes. In this scenario a mail from gmail.com will never arrive, so it is best to place these blocks in your "spamd-mywhite" file.
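Because a malformed line in the file makes pfctl reject the whole table, it is worth checking the file before loading it. The script below is an added example, not part of the howto: it validates every entry in the spamd-mywhite file as an IPv4 address or CIDR block and only then replaces the contents of the <spamd-mywhite> table. The file path and table name are the ones used in the pf.conf in this howto; the sample entries in demo() are made up.

```shell
#!/bin/sh
# Added example (not from the howto): sanity-check the spamd-mywhite file
# before loading it into the <spamd-mywhite> pf table. File path and table
# name are the ones used in the howto's pf.conf.

MYWHITE_FILE="${MYWHITE_FILE:-/usr/local/etc/spamd/spamd-mywhite}"

# is_ipv4_cidr ADDR: returns 0 if ADDR is a dotted-quad IPv4 address with an
# optional /0-32 prefix length, 1 otherwise.
is_ipv4_cidr() {
    addr="$1"
    prefix=32
    case "$addr" in
        */*) prefix="${addr#*/}"; addr="${addr%%/*}" ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;       # prefix must be digits only
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -f; set -- $addr; set +f       # split into octets, no globbing
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_mywhite FILE: reports every malformed entry on stderr; returns 1 if
# any were found. Blank lines and "#" comments are ignored, as pfctl does.
validate_mywhite() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"
        entry="$(printf '%s' "$entry" | tr -d ' \t')"
        [ -n "$entry" ] || continue
        if ! is_ipv4_cidr "$entry"; then
            printf 'bad entry: %s\n' "$line" >&2
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# reload_mywhite FILE: replace the table contents only if FILE validates.
reload_mywhite() {
    validate_mywhite "$1" || { printf 'refusing to load %s\n' "$1" >&2; return 1; }
    pfctl -t spamd-mywhite -T replace -f "$1"
}

# demo: validate a constructed sample file (made-up addresses, for this example only)
demo() {
    tmp="$(mktemp "${TMPDIR:-/tmp}/mywhite.XXXXXX")" || return 1
    printf '%s\n' '# trusted subnets' '192.168.0.0/24' '10.1.2.3' \
        '172.16.0.0/12 # lab network' > "$tmp"
    if validate_mywhite "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

case "${1:-}" in
    demo)   demo ;;
    reload) reload_mywhite "${2:-$MYWHITE_FILE}" ;;
esac
```

Run it as "sh check-mywhite.sh demo" to exercise the validator on the built-in sample, or "sh check-mywhite.sh reload" after editing the real file; the reload path calls pfctl and so needs root and a loaded pf ruleset.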
Here is my pf config file (/etc/pf.conf):-
-------------------------snip-----------------------------------
if="fxp0"
my_address=192.168.0.1
spamd_address=192.168.0.2
set require-order yes
table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
############################################################################################
### packet normalization
############################################################################################
scrub in all
scrub out all random-id
no rdr on { lo0 } from any to any
## the first matching rdr rule wins, so the manual whitelist goes straight to sendmail
rdr pass inet proto tcp from <spamd-mywhite> to $my_address port smtp -> $my_address port smtp
## known spam sources and anyone not yet whitelisted are handed to spamd on port 8025
rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
############################################################################################
### filtering rules
############################################################################################
pass in quick on lo0
pass out quick on lo0
antispoof log quick for $if
block return in log all
## speed up ident connections
#block return in quick on $if proto {tcp,udp} from any to $my_address port auth
## ssh
pass in quick on $if proto tcp from any to $if port 22 flags S/SA keep state
## smtp
pass in log quick on $if proto tcp from any to $if port 25 flags S/SA keep state
pass out log quick on $if proto tcp from $if to any port 25 flags S/SA keep state
## pop3
pass in quick on $if proto tcp from any to $if port 110 flags S/SA keep state
pass out on $if proto {tcp, udp, icmp} from $my_address to any keep state
pass in on $if proto icmp from any to any
pass out on $if proto icmp from any to any
-------------------------snip-----------------------------------
Spamd needs access to the /dev/fd device in order to write to the pf tables. Run this to mount fdescfs on /dev/fd:-
mount -t fdescfs fdescfs /dev/fd
An entry in /etc/fstab will do this automagically on boot:-
fdescfs /dev/fd fdescfs rw 0 0
Create the sendmail.mc file from the default freebsd.mc file:-
cd /etc/mail
cp freebsd.mc sendmail.mc
Edit the new file and rebuild sendmail.cf (best to save the original sendmail.cf first!):-
ee /etc/mail/sendmail.mc
Add the following entries to your configuration:-
-------------------------snip-----------------------------------
# clamav milter: F=T temp-fails mail if the milter is unreachable,
# T= sets the send (S) and reply (R) timeouts
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=T, T=S:4m;R:4m')
# smtp auth
define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
dnl uncomment to disallow anonymous login (y) and to refuse PLAIN/LOGIN
dnl unless a security layer such as STARTTLS is active (p)
dnl define(`confAUTH_OPTIONS',`p,y')dnl
-------------------------snip-----------------------------------
Add the following settings to your "/etc/make.conf" file, to pass arguments on compilation of sendmail
-------------------------snip-----------------------------------
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
-------------------------snip-----------------------------------
After having installed the ports and added the lines above to your "/etc/make.conf" file you can recompile sendmail and reinstall it:
cd /usr/src/usr.sbin/sendmail
make clean depend all install
If you get errors compiling sendmail about missing libsmutil and libsm libraries, clean your obj directory first, rebuild those libraries and try again, e.g.
rm -rf /usr/obj/*
cd /usr/src/lib/libsmutil ; make depend all
cd /usr/src/lib/libsm ; make depend all
cd /usr/src/usr.sbin/sendmail
make clean depend all install
Edit your /etc/rc.conf:-
-------------------------snip-----------------------------------
# enable sendmail
sendmail_enable="YES"
# enable SMTP Auth
saslauthd_enable="YES"
# enable spamd with greylisting (-g); -G is passtime:greyexp:whiteexp, i.e. a
# retry is accepted after 15 minutes, grey entries expire after 4 hours and
# whitelist entries after 864 hours (36 days)
pfspamd_enable="YES"
pfspamd_flags="-v -g -G 15:4:864"
# enable anti-virus
clamav_milter_enable="YES"
clamav_milter_flags="--postmaster-only --local --outgoing --max-children=50 --noreject --external"
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
-------------------------snip-----------------------------------
Popa3d is a very simple pop3 server and is designed for speed and security. Once installed just edit your /etc/inetd.conf and add the following line:-
-------------------------snip-----------------------------------
pop3 stream tcp nowait root /usr/local/libexec/popa3d popa3d
-------------------------snip-----------------------------------
You can either reboot your server (ouch!), or you can start manually. All of the following scripts should have been installed from ports (you've gotta love FreeBSD ports).
killall -HUP inetd
/usr/local/etc/rc.d/pfspamd.sh start
/usr/local/etc/rc.d/saslauthd.sh start
/usr/local/etc/rc.d/clamav-clamd.sh start
/usr/local/etc/rc.d/clamav-freshclam.sh start
/usr/local/etc/rc.d/clamav-milter.sh start
sh /etc/rc.sendmail stop
sh /etc/rc.sendmail start
pfctl -d
pfctl -ef /etc/pf.conf
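Once spamd is running you can see what greylisting is doing with spamdb. The script below is an added example and not part of the howto: it summarizes the greylist database and, to go with the gmail.com caveat above, lists sender/recipient pairs that keep being greylisted from more than one source IP, which are the candidates for spamd-mywhite. It assumes the spamdb(8) line layout shown in the comments; the sample entries embedded in it are made up for the example.

```shell
#!/bin/sh
# Added example (not part of the howto): summarize spamd's greylist database.
# Assumes the spamdb(8) output layout, one entry per line:
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
#   WHITE|ip|||first|pass|expire|block|pass
#   TRAPPED|ip|expire
# where first/pass/expire are UNIX epoch seconds.

# spamdb_summary NOW: reads spamdb output on stdin, prints entry counts and
# how many GREY/WHITE entries expire within one hour of NOW.
spamdb_summary() {
    awk -F'|' -v now="$1" '
        $1 == "GREY"    { grey++;  if ($8 - now < 3600) soon_grey++ }
        $1 == "WHITE"   { white++; if ($7 - now < 3600) soon_white++ }
        $1 == "TRAPPED" { trapped++ }
        END {
            printf "grey=%d white=%d trapped=%d grey_expiring_1h=%d white_expiring_1h=%d\n",
                   grey, white, trapped, soon_grey, soon_white
        }'
}

# stuck_senders: reads spamdb output on stdin and prints "count|from|to" for
# every from/to pair greylisted from more than one source IP. That is the
# pattern the howto describes for gmail.com (each retry comes from a different
# server, so the entry never passes); such networks belong in spamd-mywhite.
stuck_senders() {
    awk -F'|' '
        $1 == "GREY" {
            key = $4 "|" $5
            if (!((key, $2) in seen)) { seen[key, $2] = 1; ips[key]++ }
        }
        END { for (k in ips) if (ips[k] > 1) print ips[k] "|" k }' | sort -t'|' -k1,1nr
}

# Constructed sample (made-up addresses and timestamps, not real spamdb output).
SAMPLE_NOW=1134950400
SAMPLE_SPAMDB='GREY|203.0.113.5|mail.example.net|<a@example.net>|<user@example.com>|1134946800|0|1134961200|1|0
GREY|198.51.100.9|mx1.example.org|<b@example.org>|<user@example.com>|1134949000|0|1134952800|3|0
GREY|198.51.100.10|mx2.example.org|<b@example.org>|<user@example.com>|1134949500|0|1134953900|1|0
WHITE|192.0.2.10|||1133000000|1134000000|1138000000|2|5
TRAPPED|198.51.100.77|1134990000'

case "${1:-}" in
    demo)
        printf '%s\n' "$SAMPLE_SPAMDB" | spamdb_summary "$SAMPLE_NOW"
        printf '%s\n' "$SAMPLE_SPAMDB" | stuck_senders
        ;;
    live)
        # Real run on the mail server: spamdb prints the live database.
        spamdb | spamdb_summary "$(date +%s)"
        spamdb | stuck_senders
        ;;
esac
```

"sh greylist-report.sh demo" runs against the embedded sample; "sh greylist-report.sh live" reads the real database through spamdb and therefore needs to run on the mail server as root.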
Please be aware that these "howtos" are generally a work in progress so if you have any queries or recommendations then feel free to email me at:-