Sendmail & spamassassin

graemef
Posts: 81
Joined: Mon May 23, 2005 6:52 am

Sendmail & spamassassin

Postby graemef » Wed Oct 19, 2005 6:05 am

I have had our scalix server "popping" email from pop3 accounts on the net using fetchmail then sending them to the local server. This has been working well using clamav and spamassassin. I have just changed our MX records so that the mail now comes directly into our server.
I have Sendmail listening on 127.0.0.1 on port 25 and scalix smtpd listening on the external interface on port 25. This means emails sent from fetchmail locally go through sendmail and get spam scanned, unfortunately incoming external emails just get delivered, though they do still get virus scanned.
When I changed the smtpd conf to listen on a different port then changed sendmail to also listen on the external interface I could get sendmail to receive emails, I managed to fix the relay problem (though I am possibly relaying for the world, I will work this out later). What I am now getting is a message "Unknown User" when it tries to send to user@mydomain.com.
How do I get sendmail to send its email to port 437 that scalix is listening on?

Thanks for any help.

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Fri Oct 21, 2005 7:42 am

There are several ways to address the problem; one is to use multiple IP addresses. The whole setup of spamassassin and sendmail with multiple IP addresses is discussed in a knowledgebase article on Scalix.com; please go to Support/Knowledgebase and check out the How-To section on the article.

However, there is another way to do this:
1. in /var/opt/scalix/sys/smtpd.cfg, add a line reading
SMTPFILTER=TRUE
2. restart the SMTP relay using
omoff -d 0 -w smtpd; omon -w smtpd

Then, the SMTP relay will accept the message but still route it through sendmail before it is finally passed to the incoming internet mail gateway. Therefore, any SpamAssassin configuration on the sendmail side will check incoming messages.

This setting has been available for a while, however as of Scalix 9.4, it is undocumented. We are going to change documentation and brand this as our recommended way to integrate sendmail-filters into Scalix in the next upcoming release.

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!

pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Fri Oct 21, 2005 6:29 pm

Any chance that the spamassassin integration document could be updated to reflect this? I have been holding off implementing spamassassin as it seemed to be a bit of a "hack" to get it to work with Scalix. This looks much cleaner.

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Fri Oct 21, 2005 7:05 pm

Indeed it does...

As we will be documenting the SMTPFILTER option as part of our next product release, the KnowledgeBase doc will also be updated to reflect the change in recommended best practice.

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!

graemef
Posts: 81
Joined: Mon May 23, 2005 6:52 am

Postby graemef » Sun Oct 23, 2005 8:08 pm

Thanks for that, I am still running 9.2.1.24 as I am running FC3, I guess it is time to upgrade the OS to the latest. Tried this setting and it does not seem to make any difference with this version. Will live with spam until I get a chance to upgrade.

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Sun Oct 23, 2005 8:18 pm

No, that must be something else.

The setting has been around since Scalix 9.1 or so, certainly 9.2.1 has it.

Just to verify...

1. Edit /var/opt/scalix/sys/smtpd.cfg and add a new line somewhere near the beginning of the file that says

Code:

SMTPFILTER=TRUE

2. Restart your SMTP relay; from the command line, you can use the

Code:

omoff -d 0 -w smtpd; omon -w smtpd

commands

Try to send a message from the outside (attention - Scalix-internal messages never pass the SMTP relay this way). Then check your sendmail maillog (normally in /var/log/maillog) and see if you notice your message passing through sendmail.

If this happens, you can now go on configuring your sendmail/spamassassin integration using the sa-milter (as described in the Knowledgebase article on SpamAssassin integration) or Amavis.
Florian von Kurnatowski, Die Harder!

graemef
Posts: 81
Joined: Mon May 23, 2005 6:52 am

Postby graemef » Sun Oct 23, 2005 8:28 pm

If I send an email from 127.0.0.1 sendmail picks it up and runs it through spamassassin (I get these from ClamAV health script etc.). These emails actually don't go to scalix, rather they wind up in root@localhost in the standard unix mailbox; interestingly enough, Sendmail never seems to get a look in? Log follows.
------------------
Oct 24 08:19:01 penguin2 clamd[25994]: /tmp/clamdwatch-R3p8yGdh1EuLa8i8: Eicar-Test-Signature FOUND
Oct 24 08:19:02 penguin2 spamd[32070]: connection from localhost.localdomain [127.0.0.1] at port 52413
Oct 24 08:19:02 penguin2 spamd[32070]: info: setuid to nagios succeeded
Oct 24 08:19:02 penguin2 spamd[32070]: processing message (unknown) for nagios:102.
Oct 24 08:19:02 penguin2 spamd[32070]: clean message (1.1/5.0) for nagios:102 in 0.0 seconds, 5 bytes.
Oct 24 08:19:02 penguin2 spamd[32070]: result: . 1 - MISSING_SUBJECT scantime=0.0,size=5,mid=(unknown),autolearn=no
-----------------

Sending an email from external sources, sendmail does grab it, it gets scanned for virus and delivered, not spamassassined. Logs follow.

------------------
Oct 24 08:21:32 penguin2 sendmail[10288]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]
Oct 24 08:21:34 penguin2 sendmail[10288]: j9O0LWET010288: from=<greydog_11@hotmail.com>, size=1208, class=0, nrcpts=1, msgid=<BAY114-F1129977881FC0F145AC7E7F5770@phx.gbl>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Oct 24 08:21:34 penguin2 sendmail[10285]: j9O0LVb4010285: to=<graemef@mydomain.com.au>, delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=31012, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j9O0LWET010288 Message accepted for delivery)
Oct 24 08:21:35 penguin2 sendmail[10292]: j9O0LWET010288: to=<graemef@mydomain.com.au>, delay=00:00:01, xdelay=00:00:00, mailer=scalix, pri=121208, relay=any, dsn=2.0.0, stat=Sent (Ok)
Oct 24 08:21:35 penguin2 clamd[25994]: /var/opt/scalix/data/0000069/0021e8h: OK
Oct 24 08:21:35 penguin2 sendmail[10292]: j9O0LWET010288: done; delay=00:00:01, ntries=1
Oct 24 08:21:35 penguin2 clamd[25994]: /var/opt/scalix/data/0000069/0021e8k: OK
------------------

I don't know if any of this helps.
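As an added example (not part of any post in this thread), the script below automates the maillog check discussed above: it pairs every message sendmail hands to the `scalix` mailer with a spamd `result:` line and flags the ones that were delivered without a scan. The sample log is constructed in the same syslog format as the excerpts above, and matching sendmail's `msgid=` against spamd's `mid=` is an assumption about how the two daemons log the same message.

```python
import re

# Constructed sample (host, queue IDs and message IDs are made up).
SAMPLE_MAILLOG = """\
Oct 24 09:00:01 mailhost sendmail[2001]: j9O100AA002001: from=<a@example.org>, size=1208, class=0, nrcpts=1, msgid=<scanned-1@example.org>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Oct 24 09:00:02 mailhost spamd[3001]: result: . 1 - MISSING_SUBJECT scantime=0.4,size=1208,mid=<scanned-1@example.org>,autolearn=no
Oct 24 09:00:02 mailhost sendmail[2002]: j9O100AA002001: to=<user@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=scalix, pri=121208, relay=any, dsn=2.0.0, stat=Sent (Ok)
Oct 24 09:05:01 mailhost sendmail[2010]: j9O105BB002010: from=<b@example.org>, size=900, class=0, nrcpts=1, msgid=<unscanned-2@example.org>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Oct 24 09:05:01 mailhost sendmail[2009]: j9O105CC002009: to=<user@example.com>, delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=31012, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j9O105BB002010 Message accepted for delivery)
Oct 24 09:05:02 mailhost sendmail[2011]: j9O105BB002010: to=<user@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=scalix, pri=120900, relay=any, dsn=2.0.0, stat=Sent (Ok)
"""

# sendmail "from=" line: queue ID plus the Message-ID it logged.
FROM_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=<[^>]*>.*?\bmsgid=(<[^>]+>)")
# sendmail "to=" line for the final hand-off to the scalix mailer.
TO_RE = re.compile(r"sendmail\[\d+\]: (\w+): to=.*?\bmailer=scalix\b.*?\bstat=Sent")
# spamd verdict line: Y/. flag, score, and the Message-ID it scanned.
SPAMD_RE = re.compile(
    r"spamd\[\d+\]: result: (\S)\s+(-?\d+) - .*?\bmid=(<[^>]+>|\(unknown\))")


def audit_maillog(text):
    """Return {queue_id: (verdict, score)} for messages delivered via mailer=scalix."""
    msgid_by_qid, delivered, scanned = {}, [], {}
    for line in text.splitlines():
        if m := FROM_RE.search(line):
            msgid_by_qid[m.group(1)] = m.group(2)
        elif m := TO_RE.search(line):
            delivered.append(m.group(1))
        elif m := SPAMD_RE.search(line):
            verdict = "spam" if m.group(1) == "Y" else "clean"
            scanned[m.group(3)] = (verdict, int(m.group(2)))
    # A delivery with no spamd result for its Message-ID bypassed the filter.
    return {qid: scanned.get(msgid_by_qid.get(qid), ("NOT SCANNED", None))
            for qid in delivered}


if __name__ == "__main__":
    for qid, (verdict, score) in audit_maillog(SAMPLE_MAILLOG).items():
        print(f"{qid}: {verdict}" + (f" (score {score})" if score is not None else ""))
```

Messages that arrive without a Message-ID header show up in spamd as `mid=(unknown)` and cannot be paired this way, so they are reported as not scanned.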

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Sun Oct 23, 2005 8:31 pm

hmmmm...

Assume scalix smtp relay is running on your external IP... to be tested through

telnet my.hostname.com 25


If that's the case, the message (coming from external via this port and SMTP and going to an internal scalix user) should only make it through sendmail if the option is set. If it is not set, sendmail should not see the message at all.

If sendmail sees the message, the problem is not with setup and option, but with sendmail milter integration, so that's then where to check.

Did you set up sendmail according to our specs in the KB document?

thanks,
Florian.
Florian von Kurnatowski, Die Harder!

graemef
Posts: 81
Joined: Mon May 23, 2005 6:52 am

Postby graemef » Sun Oct 23, 2005 8:55 pm

When I telnet to the external IP I get the Scalix SMTP welcome message.

florian wrote: If that's the case, the message (coming from external via this port and SMTP and going to an internal scalix user) should only make it through sendmail if the option is set. If it is not set, sendmail should not see the message at all.

I am pretty sure sendmail has always been getting the incoming emails on my system? I cannot be 100% positive on this.

florian wrote: Did you set up sendmail according to our specs in the KB document?


I am sure I did, though I will go back and check to make sure nothing has changed.

Thanks for pointing me in the right direction (I hope).

graemef
Posts: 81
Joined: Mon May 23, 2005 6:52 am

Postby graemef » Sun Oct 23, 2005 9:19 pm

Happy, found a setting missing from the sendmail.cf file. Thanks for the help, I was looking in the wrong places altogether.
Cheers

spheretechinc

Postby spheretechinc » Mon Oct 24, 2005 5:47 pm

florian wrote: There are several ways to address the problem; one is to use multiple IP addresses. The whole setup of spamassassin and sendmail with multiple IP addresses is discussed in a knowledgebase article on Scalix.com; please go to Support/Knowledgebase and check out the How-To section on the article.

However, there is another way to do this:
1. in /var/opt/scalix/sys/smtpd.cfg, add a line reading
SMTPFILTER=TRUE
2. restart the SMTP relay using
omoff -d 0 -w smtpd; omon -w smtpd

Then, the SMTP relay will accept the message but still route it through sendmail before it is finally passed to the incoming internet mail gateway. Therefore, any SpamAssassin configuration on the sendmail side will check incoming messages.

This setting has been available for a while, however as of Scalix 9.4, it is undocumented. We are going to change documentation and brand this as our recommended way to integrate sendmail-filters into Scalix in the next upcoming release.

Cheers,
Florian.


This is great news because the whole 2 IP thing is a bit complicated. But, on this configuration what should the sendmail.cf file look like? Because if I add my IP address to the DaemonPortOptions line it rejects mail. I added this line you mention to the smtpd.cfg file. If I take out the DaemonPortOptions line in the sendmail.cf file I continue to receive mail just fine but I don't think spamassassin is working then.

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Mon Oct 24, 2005 6:09 pm

In this case, you don't need to change daemon port options at all from the default sendmail configuration. The handover between the SMTP relay and sendmail will work over invocation of the sendmail binary and a pipe.

Cheers
Florian
Florian von Kurnatowski, Die Harder!
