
How-to set up and configure policyd-weight for additional spam prevention

As another weapon in my anti-spam arsenal, I wanted to give policyd-weight a shot within my existing postfix setups. Policyd-weight is a great daemon that sits between postfix’s authentication and data delivery phases. After handling SMTP authentication, etc., postfix hands the envelope and HELO information to policyd-weight before the data transmission. This is great, since rejecting at this stage saves bandwidth and processing time.

Policyd-weight then runs some basic checks to detect ‘shady’ behaviour. For example, it checks whether the HELO matches the hostname, checks the client against various RBLs and verifies that the sender domain has a valid MX, just to name a few.

Each one of the tests returns a positive or negative score. The combined value is used to determine the action. If the score is above the set threshold, it will reject the mail.

To learn everything about policyd-weight, check out their web site:
http://www.policyd-weight.org/

This how-to will explain what is needed to add policyd-weight to your postfix system in the Gentoo environment. This can be easily applied to other distros, since policyd-weight is basically a perl script with a configuration file.

Currently, policyd-weight is masked in portage. I went ahead and added it to my package.keywords file.


/etc/portage/package.keywords
=mail-filter/policyd-weight-0.1.14.4 ~x86

I made a few changes to the policyd-weight.conf. The default REJECTLEVEL is set to 1, which can reject a lot of ‘valid’ email. There are a lot of ‘good’ servers that have been misconfigured or whose DNS is not fully dialed in. The ‘safe’ reject level is around 4.25, but you might want to play with this to suit your needs.

Along with that, I did not like the location of the policyd-weight socket, and wanted to keep it with the rest of my services instead of /tmp.


/etc/policyd-weight.conf
$REJECTLEVEL = 4.25;
$LOCKPATH = '/var/run/.policyd-weight/';

Next we need to let postfix know about policyd-weight. First we’ll set up a restriction class. We’ll refer to this class from the policyd hash files that we create later on.


/etc/postfix/main.cf
smtpd_restriction_classes = check_policyd_weight
check_policyd_weight =
    check_policy_service inet:127.0.0.1:12525

Now we need to add our users and whitelists. This is something I’ll be tweaking, so this might not be the best way to do this. It is EXTREMELY important to add your policy hashes AFTER reject_unauth_destination! Placing them before it means a whitelisted client or recipient would be accepted before postfix has checked that it is allowed to relay at all.


smtpd_recipient_restrictions =
    ...
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/policyd_weight_client_whitelist,
    check_recipient_access hash:/etc/postfix/policyd_weight_recipient_whitelist,
    check_recipient_access hash:/etc/postfix/policyd_weight_users

Time to create our hash files. I added ‘comments’ there so I can refer to them later on.


vi policyd_weight_client_whitelist
# 123.124.125.126 OK

vi policyd_weight_recipient_whitelist
# special@mydomain.tld OK

vi policyd_weight_users
# per user
# recipient1@domain.tld check_policyd_weight
# for an entire domain
# domain2.tld check_policyd_weight
yourdomain1.com check_policyd_weight
yourdomain2.com check_policyd_weight

After creating the text files, we need to hash them with postmap.


postmap policyd_weight_client_whitelist
postmap policyd_weight_recipient_whitelist
postmap policyd_weight_users

Time to add the policyd-weight service to the default runlevel and start the service.


rc-update add policyd-weight default
/etc/init.d/policyd-weight start
rc-status
policyd-weight [ started ]

I always like to verify that the port is listening before I commit the change with postfix.


netstat -lnp | grep policy
tcp 0 0 127.0.0.1:12525 0.0.0.0:* LISTEN 10147/policyd-weigh
unix 2 [ ACC ] STREAM LISTENING 14118298 10150/policyd-weigh /tmp/.policyd-weight//polw.sock

With everything configured and running, restart postfix. Make sure you tail -f your mail.log and begin testing. Start sending emails to the domains you have configured in policyd_weight_users and watch the logs. You should see something similar to this:


May 8 15:33:34 server.com postfix/policyd-weight[12362]: decided action=PREPEND X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_EQ_FROM_MX=-3.1 <client=xxx.xxx.xxx.xxx> <helo=test.server.com> <from=test@randomdomain.com> <to=test@yourdomain.com.com>, rate: -7.6; delay: 3s

The ‘rate’ is the score. So the score was -7.6, well below the 4.25 threshold we set.
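To make log watching less tedious, the following script parses these ‘decided action=’ lines, pulls out the per-check scores and the rate, and reports which messages would have been rejected at a given REJECTLEVEL. It is an added example for this how-to, not part of the original post or of policyd-weight. The first sample line is the one shown above; the second is constructed for the example (its check names, scores and addresses are illustrative, not real policyd-weight output), with a rate that passes at 4.25 but would have been rejected at the default REJECTLEVEL of 1.

```python
"""Parse policyd-weight decision lines and compare each rate with REJECTLEVEL.

Added example for this how-to; not code from the original post or from policyd-weight.
The sample log lines below are embedded as constructed test input.
"""
import math
import re

REJECTLEVEL = 4.25  # the value set in /etc/policyd-weight.conf above

SAMPLE_LOG = [
    # The line shown in the how-to.
    "May 8 15:33:34 server.com postfix/policyd-weight[12362]: decided action=PREPEND "
    "X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 "
    "CL_IP_EQ_FROM_MX=-3.1 <client=xxx.xxx.xxx.xxx> <helo=test.server.com> "
    "<from=test@randomdomain.com> <to=test@yourdomain.com.com>, rate: -7.6; delay: 3s",
    # Constructed line (check names and scores are illustrative): a listed client
    # with a HELO mismatch that still scores below 4.25.
    "May 8 15:40:02 server.com postfix/policyd-weight[12362]: decided action=PREPEND "
    "X-policyd-weight: IN_SPAMCOP=3.75 CL_IP_NE_HELO=1.5 NOT_IN_BL_NJABL=-1.5 "
    "<client=203.0.113.7> <helo=mail.example.net> "
    "<from=offer@example.org> <to=user@yourdomain.com>, rate: 3.75; delay: 2s",
    # Unrelated postfix line; the parser must skip it.
    "May 8 15:40:03 server.com postfix/smtpd[12400]: disconnect from unknown[203.0.113.7]",
]

LINE_RE = re.compile(
    r"policyd-weight\[(?P<pid>\d+)\]: decided action=(?P<action>\S+)"
    r"(?: X-policyd-weight: (?P<checks>.*?))?"
    r"\s*<client=(?P<client>[^>]*)> <helo=(?P<helo>[^>]*)> "
    r"<from=(?P<from>[^>]*)> <to=(?P<to>[^>]*)>, "
    r"rate: (?P<rate>-?\d+(?:\.\d+)?); delay: (?P<delay>\d+)s"
)
CHECK_RE = re.compile(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)")


def parse_policyd_line(line):
    """Return a dict for a policyd-weight decision line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    checks = {name: float(score) for name, score in CHECK_RE.findall(m.group("checks") or "")}
    return {
        "action": m.group("action"),
        "checks": checks,
        "client": m.group("client"),
        "helo": m.group("helo"),
        "sender": m.group("from"),
        "recipient": m.group("to"),
        "rate": float(m.group("rate")),
        "delay": int(m.group("delay")),
    }


def scores_add_up(parsed, tol=0.05):
    """True when the logged per-check scores sum to the logged rate (useful when tuning)."""
    return math.isclose(sum(parsed["checks"].values()), parsed["rate"], abs_tol=tol)


def would_reject(parsed, rejectlevel=REJECTLEVEL):
    """policyd-weight rejects when the rate is above REJECTLEVEL."""
    return parsed["rate"] > rejectlevel


def triage(lines, rejectlevel=REJECTLEVEL):
    """Summarise decision lines as (sender, recipient, rate, would_reject) tuples."""
    out = []
    for line in lines:
        p = parse_policyd_line(line)
        if p is not None:
            out.append((p["sender"], p["recipient"], p["rate"], would_reject(p, rejectlevel)))
    return out


if __name__ == "__main__":
    for level in (1.0, REJECTLEVEL):
        print(f"REJECTLEVEL={level}")
        for sender, rcpt, rate, rej in triage(SAMPLE_LOG, level):
            print(f"  {sender} -> {rcpt}: rate {rate:+.2f} {'REJECT' if rej else 'accept'}")
```

Feed it the output of tail -f on your mail log (for example by reading sys.stdin line by line) and adjust REJECTLEVEL until legitimate senders that are borderline stop showing up as REJECT.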

Using policyd-weight is another piece of your defense against spam. You should still be using spamassassin and clamav to scan mails after this stage. I’ll be implementing fuzzy-ocr technology next to help stop the image spam, and I’ll be sure to write up a how-to and my experience with it.

Good luck!