|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489 |
- SNFServer Installation and Configuration
-
- Copyright (C) 2008 ARM Research Labs, LLC.
-
- See www.armresearch.com for the copyright terms.
-
- Installing SNFServer to filter email involves the following steps:
-
- 1) Check prerequisites.
-
- 2) Create the snfilter user and group.
-
- 3) Build and install the SNFServer package (using a tarball or a
- package).
-
- 4) Configure the SNFServer package.
-
- 5) Interface with the MTA (postfix or sendmail).
-
- 6) Configure the OS to start and stop SNFServer on bootup and
- shutdown.
-
- The following sections describes each of these steps for a default
- installation. Any OS-specific issues are described at the end of each
- section.
-
- Prerequisites
- *************
-
- Before installing SNFServer, make sure that:
-
- 1) The program curl must be installed.
-
- Creating the snfilter user and group
- ************************************
-
- Before installing, the snfilter user and group must be created. For
- increased security, snfilter user has no shell.
-
- OS-specific issues
-
- The commands to create the snfilter user and group are OS dependent.
- For your convenience, the commands for creating the user and group for
- varous OSes are listed here. However, no guarantee is made that these
- commands will work on your system; please refer to your system
- documentation.
-
- 1) OpenBSD:
-
- a) 'useradd -g =uid -m -c "SNFServer Account" -s /bin/false snfilter'.
-
- 2) Ubuntu:
-
- a) 'adduser
-
- 3) RedHat (and variants such as Fedora and CentOS):
-
- a) 'adduser
-
- 4) Suse:
-
- a) 'groupadd snfilter'
-
- b) 'useradd -c "SNFServer Account" -s /bin/false -g snfilter snfilter'
-
- 5) FreeBSD:
-
- a) 'pw user add -c "SNFServer Account" -n snfilter -w no -s /bin/false'
-
- Building and installing SNFServer
- *********************************
-
- For some operating systems, configuration files are normally installed
- in /etc, and the installation of the remaining files are in /usr
- (i.e. /usr/sbin, /usr/share/snf-server, etc). In other operating
- systems, the files are installed in /usr/local/etc or /usr/local.
-
- The directories to install are specified by the '
- '
-
- To build and install from the tarball
-
- 1) Extract the distribution from the tarball: 'tar xvzf
- snf-server-X.Y.Z.tar.gz', where X.Y.Z is the version of the
- distribution.
-
- 1) 'cd' to the source directory.
-
- 2) Run the configure script. See the section on OS-specific issues
- for the options to specify. This configures the package.
-
- 3) Type 'make'. This builds the package.
-
- 4) Type 'make install'. This installs the package in the default
- directories.
-
- The following files are installed:
-
- Executables and scripts in sbin:
- SNFServer
- SNFClient
- SNF2Check
- getRulebase.sample
- snfSniffer.sample
- snfSnifferFilter.sample
- snfscan-standalone.sample
- snfServerControl.sample
-
- Sample configuration files in etc/snf-server:
- SNFServer.xml.sample
- identity.xml.sample
-
- In share/snf-server
- GBUdbIgnoreList.txt.sample
-
- During operation of SNFServer, the following files are created:
-
- In share/snf-server:
- *.snf
- Log files
- UpdateReady.txt
- Temporary files
-
- OS-specific options for ./configure:
-
- 1) OpenBSD:
-
- ./configure
-
- 2) FreeBSD:
-
- ./configure
-
- 3) Ubuntu:
-
- ./configure
-
- 4) RedHat (and variants such as Fedora and CentOS):
-
- ./configure
-
- 5) Suse:
-
- ./configure
-
- Configuration
- *************
-
- Configuration consists of creating the configuration files used by
- SNFServer from the sample configuration files of the distribution.
- There are three configuration files. The location of the files
- described in this section are for the installation in /usr and /etc.
-
- Two of the files are in /etc/snf-server:
-
- 1) SNFServer.xml (sample configuration file is
- SNFServer.xml.sample).
-
- 2) identity.xml (sample configuration file is identity.xml.sample).
-
- and one in /usr/share/snf-server:
-
- 1) GBUdbIngoreList.txt (sample configuration file is
- GBUdbIgnoreList.txt.sample).
-
- To configure SNFServer, do the following:
-
- 1) Copy SNFServer.xml.sample to SNFServer.xml, and edit as follows:
-
- a) Specify the directories. The default directories are:
-
- <node identity='/etc/snf-server/identity.xml'>
- <log path='/usr/share/snf-server/'/>
- <rulebase path='/usr/share/snf-server/'/>
- <workspace path='/usr/share/snf-server/'/>
- <update-script on-off='on' call='/usr/sbin/getRulebase'
- guard-time='180'/>
-
- The paths need to be changed only if the default directories are
- not used.
-
- If desired for security purposes, restrict the permissions of
- SNFServer.xml. For example, to make SNFServer.xml readonly by
- only the snfilter user and snfilter group, enter the following:
-
- chmod 440 SNFServer.xml
-
- 2) Copy identity.xml.sample to identity.xml, and edit to include the
- license ID and authentication attributes of the <identity> element.
- If desired for security purposes, restrict the permissions of
- identity.xml. For example, to make identity.xml readonly by only
- snfilter, enter the following:
-
- chmod 400 identity.xml
-
- 3) Copy GBUdbIngoreList.txt.sample to GBUdbIgnoreList.txt, and edit
- as appropriate (the file format is described in the comments in the
- file). See README for more information on this file.
-
- 4) In the directory for the update script specified in the
- configuration file (default: /usr/sbin):
-
- a) Copy getRulebase.sample to getRulebase, and edit as follows:
-
- i) In the line
-
- AUTHENTICATION=authenticationxx
-
- replace authenticationxx with the authentication for the
- SNFServer license.
-
- ii) In the line
-
- LICENSE_ID=licenseid
-
- replace licenseid with the license ID of the SNFServer
- license.
-
- iii) Any other changes as necessary if the default directories
- are not used.
-
- b) Ensure that getRulebase is executable by the snfilter user.
- This can be done with the command:
-
- chmod +x getRulebase
-
- 5) Ensure that the snfilter user has read/write access to the files
- in workspace (default: /usr/share/snf-server or
- /usr/local/share/snf-server) and configuration directory (default:
- /etc/snf-server). To grant this access, enter the following command,
- as the root user:
-
- chown -R snfilter:snfilter /usr/share/snf-server
-
- chown -R snfilter:snfilter /etc/snf-server
-
- As you modify files in these directories, please ensure that the
- read/write permissions for snfilter is maintained.
-
- 4) Download the rulebase file:
-
- a) 'cd /usr/share/snf-server'. If the workspace specified in the
- configuration file is not the default, this command should be
- changed accordingly.
-
- b) 'touch UpdateReady.txt'.
-
- c) 'chown snfilter UpdateReady.txt'.
-
- d) 'su -m snfilter -c "/usr/sbin/getRulebase"'. If getRulebase
- is in a different directory, this command should be changed
- accordingly.
-
- OS-specific issues
-
- None.
-
- Configuring the OS
- ******************
-
- The OS can be configured to automatically start and stop SNFServer on
- system startup and shutdown. The following gives the procedure for
- each OS:
-
- OpenBSD:
-
- 1) Add the following line to /etc/rc.local:
-
- /usr/local/sbin/snf-server start
-
- 2) Add the following line to /etc/rc.shutdown:
-
- /usr/local/sbin/snf-server stop
-
- 3) Run '/usr/local/sbin/snf-server start' to start the server.
-
- FreeBSD:
-
- 1) Create the directory /etc/rc.conf.d (if it doesn't exist).
-
- 2) Create the file /etc/rc.conf.d/snfsrver with the contents:
-
- snfserver_enable="YES"
-
- 3) Run '/usr/local/etc/rc.d/snf-server start' to start the server.
-
- Ubuntu:
-
- 1) Set the VERBOSE variable in /etc/default/rcS to control the
- script output.
-
- 2) Configure the system to run the script using the appropriate
- procedure.
-
- 3) Run '/etc/init.d/snf-server start' to start the server.
-
- RedHat (and variants such as Fedora) and Suse:
-
- 1) Run 'chkconfig
- run the script on startup and shutdown.
-
- 2) Run 'chkconfig
-
- 3) Run 'service snf-server start' to start the SNFServer.
-
- Integration with MTAs
- *********************
-
- The section assumes you will be using SNFServer with an MTA and simply
- injecting headers that will be used later to remove, quarantine, or
- otherwise redirect messages detected as spam. There are as many ways
- to use SNFServer as there are systems using it
- just a good starting point.
-
- It is presumed that SNFServer is configured with x-header injection
- turned on and that the x-headers have been customized to suit your
- needs. Check the <xheaders/> section of your
- /etc/snf-server/SNFServer.xml file to verify that SNFServer is
- configured to do what you want.
-
- Integration with postfix
-
-
- One way to integrate with postfix is to configure postfix to use the
- snfSniffer script (described below) as a content filter. The
- snfSniffer script passes the message through SNFServer, and then
- reinjects the message into the mail system.
-
- 1) In /usr/sbin (or /usr/local/sbin), copy the script
- snfSniffer.sample to snfSniffer set the correct access rights:
-
- cp snfSniffer.sample snfSniffer
-
- chown snfilter snfSniffer
-
- chmod 550 snfSniffer
-
- The default snfSniffer script creates a temporary copy of the message,
- scans it with SNFServer, and then reinjects the message.
-
- 2) Change /etc/postfix/master.cf as follows (LEADING WHITE SPACES
- ARE IMPORTANT WHEN MAKING THIS CHANGE):
-
- change (each line is enclosed in single quotes; add only the text
- between the single quotes):
-
- 'smtp inet n - n - - smtpd'
-
- to:
-
- 'smtp inet n - n - - smtpd'
- ' -o content_filter=snfilter:dummy'
-
-
- also add:
-
- 'snfilter unix - n n - 10 pipe'
- ' flags=Rq user=snfilter argv=/usr/sbin/snfSniffer'
- ' -f ${sender}
-
- to master.cf. Specify the directory snfSniffer is in if not
- /usr/sbin.
-
- At this point you could just restart postfix, and hope nothing goes
- wrong. Instead, it would be smarter to first test the installation
- from the command line by injecting a message directly into the filter
- script "snfSniffer". We can issue a command like (in directory
- /usr/share/snf-server):
-
- /usr/sbin/snfSniffer -f sender recipient < junkmsg.txt
-
- Where junkmsg.txt is a spam test message. We should also test
- a clean message to make sure that this script is working as we
- expect it to. In this case we would issue a command like
-
- /usr/sbin/snfSniffer -f sender recipient < cleanmsg.txt
-
- If you've done everything correctly then all you have to do is reload
- postfix to start the content_filter working.
-
- 4) 'postfix reload'. Restart postfix.
-
- 5) To stop using the snfSniffer filter:
-
- i) Comment out or remove the '-o content_filter=snfilter:dummy'
- line in the /etc/postfix/master.cf file.
-
- ii) 'postsuper -r ALL' to remove content filter request records
- from existing queue files.
-
- iii) 'postfix reload' to reload the postfix configuration.
-
- OS-specific issues
-
- 1) OpenBSD: In the default postfix configuration for OpenBSD, the
- postfix programs run chrooted in /var/spool/postfix. For that
- configuration, the /etc/pwd.db file needs to be made available to
- the postfix programs. This can be done by copying pwd.db:
-
- cp /etc/pwd.db /var/spool/postfix/etc
-
- If the /etc/pwd.db file is modified after copying, the postfix
- system issues a warning. To avoid this warning, copy the
- /etc/pwd.db file to /var/spool/postfix/etc directory whenever
- /etc/pwd.db is modified.
-
- Integration with sendmail
-
-
- One way to integrate with send is to configure sendmail to use the
- snfSnifferFilter script (described below) as a filter. The snfSniffer
- script passes the message through SNFServer, and then sends the
- message to stdout. The integration is done by having sendmail use
- procmail to filter all mail (which is normally the default), and
- configuring procmail to use snfSnifferFilter as a filter.
-
- 1) In /usr/sbin (or /usr/local/sbin), copy the script
- snfSnifferFilter.sample to snfSnifferFilter set the correct access
- rights:
-
- cp snfSnifferFilter.sample snfSnifferFilter
-
- chown snfilter snfSnifferFilter
-
- chmod 550 snfSnifferFilter
-
- The default snfSnifferFilter script creates a temporary copy of the
- message, scans it with SNFServer, and then send the message to
- stdout.
-
- 2) Verify that sendmail is configured to use procmail to deliver
- mail. Please see the sendmail and procmail documentation for how
- to do this.
-
- 3) Create the file /etc/procmailrc (or whatever the system procmail
- rcfile is; see the procmail documentation for the path on your
- system) to contain the following lines:
-
- ':0 fw'
- '| /usr/sbin/snfSnifferFilter'
-
- where the single quotes are not to be included.
-
- At this point mail should be filtered by SNFServer. To check this,
- issue a command like (in directory /usr/share/snf-server):
-
- /usr/sbin/snfSnifferFilter < junkmsg.txt
-
- Where junkmsg.txt is a spam test message. We should also test a clean
- message to make sure that this script is working as we expect it to.
- In this case we would issue a command like
-
- /usr/sbin/snfSnifferFilter < cleanmsg.txt
-
- In either case you should see the message with the headers added by
- SNFServer.
-
- 4) To stop using the snfSnifferFilter:
-
- i) Comment out or remove the two lines you added to /etc/procmailrc.
-
- OS-specific issues
-
- 1) OpenBSD: The default sendmail confiugration might not use
- procmail. To configure sendmail to use procmail, please ensure that
- procmail is installed and see the procmail documentation
- (/usr/local/share/examples/procmail/advanced) for the procedure to
- integrate procmail as an integrated local mail delivery agent.
-
- By default, procmail is installed in /usr/local/bin, and the system
- procmail rcfile is /etc/procmailrc.
-
- After you make the changes, stop sendmail with 'pkill sendmail', and
- start it with 'sendmail -bd'.
-
- 2) FreeBSD: The default sendmail confiugration might not use
- procmail. To configure sendmail to use procmail, please ensure that
- procmail is installed and see the procmail documentation
- (/usr/local/share/examples/procmail/advanced) for the procedure to
- integrate procmail as an integrated local mail delivery agent.
-
- By default, procmail is installed in /usr/local/bin, and the system
- procmail rcfile is /usr/local/etc/procmailrc.
-
- After you make the changes, restart sendmail with
- '/etc/rc.d/sendmail restart'.
-
- 3) RedHat, Fedora, Centos, Suse, and Ubuntu: Restart sendmail with
- '/etc/init.d/sendmail restart'.
|