I've upgraded quark's sendmail to 8.13.3 to fix some rare errors with STARTTLS. This was a straight upgrade from ports, mail/sendmail-sasl.
A recent discussion on the SAGE mailing list pointed to milter-greylist as a quick and effective solution to spam. I've installed this for testing purposes on quark, and will monitor to see what kind of results we get.
The idea behind milter-greylist is simple. While most legit email comes from servers with queuing capabilities, most spam comes from botnets that have no queuing capabilities. The receiving MX returns a 4xx temporary error for some period of time---15 minutes to an hour being typical---before performing delivery. Legitimate servers will retry, where spam servers won't.
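The defer-then-accept decision described above, as an added Python sketch; it is not part of the original log and not milter-greylist's own code. Keying on the (client IP, envelope sender, envelope recipient) triplet, the retry window, the allow TTL, the reply texts and all sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DELAY = 15 * 60             # defer new triplets this long (page: 15 min to 1 h is typical)
RETRY_WINDOW = 24 * 3600    # assumed: a pending triplet that never retries expires
ALLOW_TTL = 30 * 24 * 3600  # assumed: a passed triplet stays auto-allowed this long
TEMPFAIL = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 2.1.5 Ok"

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # triplet -> first-seen time
    allowed: dict = field(default_factory=dict)  # triplet -> last-seen time

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one RCPT TO at time `now` (epoch seconds)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        last = self.allowed.get(key)
        if last is not None and now - last <= ALLOW_TTL:
            self.allowed[key] = now          # known-good sender: no delay
            return ACCEPT
        self.allowed.pop(key, None)          # stale allow entry, start over
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now          # first sighting: start the clock
            return TEMPFAIL
        if now - first < DELAY:
            return TEMPFAIL                  # retried too early, keep deferring
        del self.pending[key]                # queued and retried: legitimate MTA
        self.allowed[key] = now
        return ACCEPT

def replay(events):
    """Feed (time, ip, sender, recipient) events to a fresh greylist; return reply codes."""
    gl = Greylist()
    return [gl.check(ip, s, r, t)[:3] for t, ip, s, r in events]

# Constructed sample traffic, not real log data.
SAMPLE = [
    (0,    "192.0.2.10",   "alice@example.org", "user@example.edu"),  # queuing MTA, first try
    (5,    "203.0.113.7",  "promo@example.net", "user@example.edu"),  # bot, never retries
    (300,  "192.0.2.10",   "alice@example.org", "user@example.edu"),  # retry before DELAY
    (1200, "192.0.2.10",   "alice@example.org", "user@example.edu"),  # retry after DELAY
    (5000, "192.0.2.10",   "alice@example.org", "user@example.edu"),  # later mail, no delay
    (5100, "198.51.100.3", "promo@example.net", "user@example.edu"),  # same bot, new IP
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

A sender that rotates source IPs on every attempt never matures a triplet, which is why the bot's second attempt from a new address is deferred again.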
In response to an increase in spam, I've upgraded some elements in our spam checking software.
1. I upgraded SpamAssassin from 3.0.1 to 3.0.2 to get the latest spam definitions. This went without a hitch.
2. I upgraded MailScanner from 4.3.4 to 4.3.9. I had to comment out the "Log IFrames" option in MailScanner.conf because that was removed in the newer release.
3. I upgraded spamass-milter from 0.2.0 to 0.3.0.
4. I upgraded ClamAV from 0.75 to 0.83.
5. I enabled Pyzor and DCC checks with SpamAssassin.
I've been looking at Yahoo's DomainKey email authentication protocol. It involves having mail gateways sign messages with a private key, and distribute public keys via DNS so clients can authenticate their origin.
The specific implementation I'm looking at is the Sendmail milter, DK-Milter. I'm running into some compilation problems on quarkprime, but I think I should be able to overcome those. Anyone interested can take a look on quarkprime in /usr/local/src/dk-milter-0.2.4.
After testing it out on quarkprime, I upgraded quark's mailman instance to 2.1.5. The primary motivation is the blanket discard option in the web interface, which allows the discarding of any messages marked as defer.
I configured spamd to use BDB files rather than Postgres, and that improves performance considerably. There's something about their Postgres tables that just makes them hideously slow.
Mic reported that email occasionally took significantly longer than normal to send. I made a tentative conclusion that we were running out of spamd processes. There is also a chance we were running out of connections to the database, so I up'd the maximum number of connections from 100 to 256, and the number of buffers accordingly.
I've upgraded SpamAssassin on quark to 3.0.0 to take advantage of the latest and greatest spam definitions. I also configured it to use the Postgres backend for more flexibility in upgrading in the future.
To do the upgrade, I performed these steps:
1. Created a Postgres user "sa-user" owning the database "sa".
2. Populated the database with schemas from the sql directory in the source tree.
3. Added these lines to /usr/local/etc/mail/spamassassin/local.cf:
# SQL config
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:Pg:dbname=sa;host=localhost
bayes_sql_username sa-user
bayes_sql_password xxxxxx
user_scores_dsn DBI:Pg:dbname=sa;host=localhost
user_scores_sql_username sa-user
user_scores_sql_password xxxxxx
4. Built p5-Mail-SpamAssassin-3.0.0 from ports, with the SQL tests enabled.
5. Stopped spamd, and started it with "spamd -c -D" to make sure that it was connecting to the database properly.
6. Restarted spamd with the new script, /usr/local/etc/rc.d/sa-spamd.sh.
I've changed the path to ispell in sqspell_setup.php from "ispell" to "/usr/local/bin/ispell". This fixes a problem where PHP can't find ispell.
Rowan noticed that mail to wernle.org was bouncing due to a broken TLS implementation on their end.
To solve it, he suggested we add this line to /etc/mail/access:
Try_TLS:mail.wernle.org NO
This solved the problem. After adding that line, I used this command to rebuild the access database:
makemap hash access < /etc/mail/access
I've created the bulletin mailing list on quark, as an opt-out option to the clients mailing list for less important system announcements.
To create the user list, I first dumped a listing of /clients/users into a file bulletin.members. I then ran this little bit of sed magic to add "@cs.earlham.edu" to the end of each line:
sed -e 's/.*/&@cs.earlham.edu/' < bulletin.members > bulletin.members.new
Using the add_members command, I added all these email addresses to the mailing list:
bin/add_members -r bulletin.members bulletin
I've upgraded SpamAssassin to 2.64 to get the latest and greatest spam definitions.
I've re-enabled spamass-milter on quark, and disabled SpamAssassin checking in MailScanner. This will use the spamd daemon, and allow scanning of user_prefs files.
I've added a rule to allow incoming requests to port 587 on quark. This will allow clients to use the SMTP AUTH port rather than the normal SMTP port.