scam-backscatter milter INSTALL

PREREQUISITES

You should have sendmail version 8.12.x or higher installed.  Sendmail
should have been built with MILTER support enabled.

You should have the milter library and development kit installed

BUILD

1.  Extract the scam-backscatter tarball

2.  Change the current directory to the one where the scam-backscatter
source code was extracted.

3.  If you are using OpenBSD or NetBSD, rename the Makefile.bsd file
    to Makefile.  If you are using FreeBSD, rename the Makefile.freebsd file.

	If you are using a Linux distribution, rename the Makefile.linux file to Makefile.

	The Makefile.solaris file can be used for Solaris.

4.  Type make and press Enter to compile scam-backscatter

You can enable extra features by editing the Makefile or by using the following example:

   CCFLAGS="-DUSEMAILERTABLE" make

Note: If you are using OpenBSD 4.2 or later, edit the Makefile by remove the "-lresolv" from the LIBS line.

INSTALL

1.  Copy the scam-back file created above to the appropriate location
    (/usr/local/sbin for example)

2.  Generate a new sendmail configuration (sendmail.cf) with the following
    additional settings:

      INPUT_MAIL_FILTER(`scam-back', `S=unix:/var/spool/scam/scam-back.sock, F=T, T=S:240s;R:240s;E:5m')dnl

	  and this line if the macro definition for RCPT is undefined:

	define(`confMILTER_MACROS_ENVRCPT', `{rcpt_mailer}, {rcpt_host}, {rcpt_addr}') dnl

	The line should be added to the .mc file used to create the sendmail.cf.

3.  Create a user (scamback for example) which will be used to run the milter

4.  Create the /var/spool/scam directory

5.  Verify that the user created in step 3 has read-write access to the
    /var/spool/scam directory

Alternately, you can use a TCP socket for the milter by using the following for
step 2:

	INPUT_MAIL_FILTER(`scam-back', `S=inet:8900@localhost, F=T, T=S:240s;R:240s;E:5m')dnl

Start the milter with the -p inet:8900@localhost parameter.

START UP

1. Start Scam-backscatter milter as a daemon

	  scam-back -p unix:/var/spool/scam/scam-back.sock -u scamback -D

2. Restart sendmail if you have generated a new sendmail configuration when
   installing scam-backscatter

The -b path parameter specifies the file location where Scam-backscatter
will read the recipient addresses at startup or save them at shutdown.
For example:

scam-back -p unix:/var/spool/scam/scam-back.sock -u scamback
 -b /var/spool/scam/backscatter.txt -D

To display usage and features compiled in, type:
	scam-back -h

SHUTDOWN

Type the following command to stop Scam-backscatter

	kill `cat /var/spool/scam/scam-back.pid`

CONFIGURATION

Define the domain which you want to protect against backscatter and the
IP address of the internal mail server in /etc/mail/scam.conf file as follows:

BackSMTPServer:192.168.0.2
BackAddrDomain:example.net

The BackSMTPServer can be either a hostname or an IP address.  The setting
should be defined before the BackAddrDomain setting.  When there are multiple
BackSMTPServer settings, the BackAddrDomain setting is mapped to the
BackSMTPServer setting preceeding it.

Only one BackSMTPServer setting is allowed with the ALLDOMAINS feature.

These two settings are not required with the USEMAILERTABLE feature as the
mapping of BackAddrDomain to BackSMTPServer is read in from the
mailertable file.


The following entry is optional. It should be used if the backend mail server
is running on a non-standard port. Scam-backscatter will use tcp port 25 by
default.

BackSMTPPort:25

Once Scam-backscatter verification finds a valid email addresses, it gets
cached.  The default expiry value is 86400 seconds.

BackValidAddrExp:86400

Invalid email addresses are also cached by scam-backscatter.  The default
expiry value is 3000 seconds.

BackInvalidAddrExp:3000

When BackAddrSubdomain is set to yes, Scam-backscatter will verify
subdomain email addresses (user@mail.example.net) as well if
example.net is listed as a domain to be verified.  This default value is no.

BackAddrSubdomains:Yes

The BackList setting points to the file where the list of valid and invalid
recipient addresses is read from at startup and saved to at shutdown.

BackList:/var/spool/scam/backscatter.txt

The TimeoutSMTPconnect setting determines the time to wait (seconds)
for a connection to the backend SMTP server.

PreferIPVersion:4

The PreferIPVersion setting determines IPv4 or IPv6 preference when
resolving hostnames.  The setting is optional.

TimeoutSMTPConnect:2

The TimeoutSMTPReply setting determines the time to wait (seconds)
for a reply from the backend SMTP server after sending a SMTP command.

TimeoutSMTPReply:3

Your users can bypass the backscatter verification by relaying through your
server using port 587 instead of port 25.

BackSkipDaemon:MSA
BackSkipDaemon:MSA-v6

If your configuration file has one or more BackSkipDaemon settings,
add the MSA daemon as it is only automatically included when the setting
is not defined.

BackSkipVerify:127.0.0.1

Recipient validation is skipped for the IP address.  This setting also accepts
a cidr such as 192.0.2.0/24

BackSkipVerify:192.0.2.2
BackSkipVerify:192.0.2.32/28

Scam-backscatter does not perform verification for locally submitted mail.

BackErrorTempfail:No

By default, Scam-backscatter does not return a temporary failure if the
Backend SMTP server cannot be reached.  Setting BackErrorTempfail to
Yes will return a temporary failure.

BackSMTPBackoff:60

The BackSMTPBackoff setting is used with the BACKOFF feature.  Connections
to the backend SMTP will not be attempted within the backoff period starting
from the time a connection could not be established.

The Mailertable setting provides the path to the mailertable file.  The
default value is /etc/mail/mailertable if the setting is undefined.

Mailertable:/etc/mail/mailertable

You can use the following configuration to validate recipient addresses
against different backend SMTP servers:

BackSMTPServer:192.0.2.1
BackAddrDomain:example.net
BackSMTPServer:192.0.2.2
BackAddrDomain:example.org

Or you can run multiple instances of Scam-backscatter as follows:

First instance:

scam-back -p unix:/var/spool/scam/scam-back.sock -u scamback -D

Second instance:

scam-back -p unix:/var/spool/scam/scam-back2.sock -u scamback \
-f /etc/mail/scam2.conf -P /var/spool/scam/scam-back2.pid -D


SMTP Backend out of service

Scam-backscatter can cache valid and invalid recipient addresses. If the
SMTP backend is out of service, you can stop the Scam-backscatter milter,
increase the BackValidAddrExp and BackInvalidAddrExp values and restart
the milter.

FEATURES

These compile time options can be enabled by appending
a -Dfeature_name to the CCFLAGS line of the Makefile.

EHLO Use EHLO instead of HELO when verifying against backend.

USEMAILERTABLE Reads the list of domains to verify and the backend SMTP
server IP address from sendmail's mailertable file.

example.com            SMTP:[192.0.2.1]
example.org             ESMTP:[mail.example.org]
example.net             ESMTP:[2001:db8:1:1::25]

Only the first entry on the right-hand side will be read.

BITBUCKET Silently deletes invalid recipients.  This feature is
not recommended as it can cause loss of mail.

SM813 Compile time option for Sendmail 8.13.x and 8.14.x

ALLDOMAINS Verify recipient addresses for all domains against the SMTP backend.
The BackAddrDomain setting is not required.

VERBOSE Logs the output of the SMTP session with the backend

FALLBACKEND Support for two SMTP backends per domain.  This feature
should only be enabled with the USEMAILERTABLE feature.

example.net             ESMTP:[mail.example.net]:[mail2.example.net]

HELOHOST Sets the hostname used for HELO/EHLO during compilation.

BACKOFF Enables a backoff of the SMTP connection to the SMTP backend
if there isn't any SMTP service running.

HAVEPOLL use poll() instead of select() for sockets.

TROUBLESHOOTING

The syslog facility is used to log information to maillog.  If you experience
any trouble, review your maillog for errors.

Scam-backscatter initiates a SMTP session with the Backend SMTP server.  If
the Backend rate limits SMTP connections, it may cause Scam-backscatter
to fail.

Scam-backscatter may fail if it the system runs out of file descriptors.
Refer to your operating system documentation to find out how to increase that.

The following is used on CentOS:

ulimit -n 4096
ulimit -s 2048

If you see the following error in your mail log:

 scam-back: accept() returned invalid socket (Numerical result out of range), try again

recompile libmilter with the following option:

 APPENDDEF(`confENVDEF', `-DSM_CONF_POLL=1 ')dnl

You can increase the TimeoutSMTPReply value if the following error messages
appear frequently in your log:

 cannot read backend SMTP banner

 cannot read helo reply

 cannot read mailfrom reply

 cannot read rcptto reply

If you see the following error:

  scam-back: cannot get rcpt address

Verify whether your sendmail configuration (mc) file has this definition:

  define(`confMILTER_MACROS_ENVRCPT', `{rcpt_mailer}, {rcpt_host}, {rcpt_addr}') dnl

If Scam-backscatter cannot connect to the backend, the following message

  cannot connect to backend SMTP at 192.0.2.1 status Connection refused

is logged.  See errno in your system manual for more information.

Refer to http://www.elandsys.com/resources/sendmail/milter.html for more
information about libmilter.

http://www.elandsys.com/scam/
scam-backscatter
Copyright  2006 - 2009 Eland Systems All Rights Reserved.
