Perl Antispam ESMTPD

UPDATE:

I've personally discontinued using the Perl ESMTPD in favor of SpamAssassin's smtp proxy. See http://www.spamassassin.org/dist/spamproxy/README

I'll keep the esmtpd project here because I think the code has some merrit and some may want to borrow from it, but anyone who's interested in this project should definately see what they're doing at SpamAssassin.

john

About the project...

I support a number of Outlook Express (and Outlook) clients. They want to send and receive email in the office and at home, ie using our office LAN and using their dialup service. I found that Stunnel could provide them secure IMAP and POP3 service, but the qmail-smtp I was using would be an open relay if I ran it through Stunnel. I tried the smtp-auth patches for qmail, but I was getting core dumps. What I really wanted was an integrated package which included:

RBL-sytle black-hole dns checking when not relaying
Verification of valid MX records for the MAIL FROM: <address> when not relaying
Ability to use Stunnel for smtps connections and still do RBL checks, etc
Simple authentication (ie PLAIN or LOGIN) for offsite users
Ability to reject email with certain key phrases
Ability to reject likely virus files at the server
Ability to bounce null-subject/null-body messages (mail probes)
Antivirus scanning
Create MD5 digests of known spam which passes the phrase check and collect a log of spam MD5s
Reject email which matches MD5s of known spam
Ability to easily add other anti-spam features as I become aware of them
Reasonbly good performance

Then I found the Courier project. It seemd to have most of what I wanted. The trouble was, after three weeks of hacking with it, I still couldn't make it build and run stablely. I monitored the maillist and saw that I wasn't alone. It's a good project, but not yet ready for FreeBSD.

So, back to the drawing board... I figured I could write a SMTP daemon to do most of what I wanted, so that's what I did. And since I do all my development in Perl these days...

Questions	Answers
Isn't PERL fat and slow for a daemon?	Yes, but it's quick to develop, easy to maintain, and, as it turns out, I was running Perl for all my local deliveries anyway, so this will probably end up being a lighter-weight solution for me in the long run. Besides, RAM is cheep these days.
Isn't there already a SMTP-Server-1.1 on CPAN?	Yes, and I plan to keep Habeeb J. Dihu abreast of the project. I hope he will find some of my material useful for integration to the Net::SMTP::Server module. Honestly, I don't trust modules. I suppose that's my failing... Anyway, Dihu's work didn't contain any of the bells & whistles which were central to my project, so I hacked away.
Wouldn't this be better in C or Python?	Probably -- but I wrote mine in Perl.
Is it stable?	I'm just deploying it here. We do a few thousand emails a week, so I expect to have the bugs worked out real soon. -- Actually we've run it for more than a year now with great success. I don't know of any other tool which filters so much spam at the server level.
How do you virus-scan your incoming email?	I'm using AvpBSD from Kaspersky Labs which has been quite effective for me. You can use whatever you want -- it should take about 10 minutes to switch to another scanner.
Where do you plan to go with the project?	I'm releasing the current version and I doubt I'll do much more with it. I've wondered about creating an SPAM IP log to try to may my own blacklist, but I think the existing spam checks are probably sufficient.
But you didn't answer my question!	Then email me and let me know what it is!

Assumptions

Ok, so I wanted to simplify some things to streamline the project. If you don't like my assumptions, fix them in your copy and I'll make the patch available.

Your aliases are in .qmail files in the user homes and in ~alias (ala qmail).
Your user homes are all in one folder (ala /usr/home/*/Maildir).
You can live with a single site password to enable relaying. This speeds & simplifies authentication tons.
You can force your users to use smtps to protect your relay password.

Installation

Get the files from here. Unpack them somewhere you like.
Get Net-DNS from cpan and unpack it where you like. Do perl Makefile.PL; make; make check; make install to set it up.
-- note that you don't need to do this if you want to disable the MAIL FROM address mx checking
Edit the esmtpd file -- the first few lines are configuration settings. If you have questions, see below.
Download, install and test Avp from Kaspersky Labs or setup the virus checker of your choice.
-- note that the thing I like about Avp is that it handles unpacking mime & uucp data without my intervention.
Edit the viruscheck.sh script to work with your virus checker.
Download and install Stunnel
Create the /usr/home/incomingmail folder and set it's permissions to (??? still working on the correct settings here).
Test everything works
-- I do this by setting the port to 125 and telling my client to use that port, then sending messages to myself.
- Send yourself a message -- do you get it?
- Send yourself a virus, make sure it comes back packaged.
- Clear your $relays configuration and see if you can mail to someone not local.
- Turn on authentication and smtps in your client and send yourself a message.
- Use telnet and do some "MAIL FROM: <addr>" and "RCPT TO: <addr>" and "DATA" commands -- see if the responses are reasonable
- Note that it is normal behavior for the SMTP port to block for a few seconds after you close the server, so restarting can take a minute.
Decomission your current smtp server: ie kill the running process and disable the startup @ boot time.
Run esmtpd server & to start the new server and put that in your startup script location.
Put a command in your startup script like:
/usr/local/sbin/stunnel -P none -D 0 -d smtps -p $CER -l esmtpd && echo -n ' smtp-stunnel'

Virus Check Script

The point of the virus check script is to (a) find out if the email contains a virus and (b) sequester it if found. I do that by zipping and uuencoding the email, relaying only the sender address and the subject. When the client receives it the user is alerted to the infection and must unzip the file before opening it. This prevents any VBS type email bombs from activating.

Configuration Options

$locals= ## hosts for whom you accept mail
'mydomain.com|mydomain.org';

$localrelays= ## hosts for whom we accept mail to relay
'myfriend.org|myotherfriend.org';

$me= ## your host name
'mydomain.com';

$pw= ## your relay password -- must be lowercase
'secret';

$home= ## where your homes are
'/usr/home';

$alias= ## where your alias list is
'/usr/local/qmail/alias';

$spamboxes= ## addresses which only receive spam
'spamme|olduser';

$spamdb= ## location of spam dbm file
'/usr/home/incomingmail/spam';

$inject= ## your local mailer
'/usr/local/qmail/bin/qmail-inject';

$tmp= ## your temp file location
'/usr/home/incomingmail';

$blackholes= ## blackhole dns's to test
'rbl.maps.vix.com|dul.maps.vix.com|relays.mail-abuse.org';

$relays= ## relaying is allowed for these hosts
'10.|127.0.0.1';

$user= ## who daemon runs as
'nobody';

$log= ## your log file location
'/var/log/smtp.log';

$blackholedelay=30; ## seconds to make blackholed servers wait

$port=25; ## your smtp port -- probably 25

$interface='127.0.0.1'; ## interface to bind to

$evil= ## list of re phrases to cause bounce (case ignored)
'\bbarely legal\b
\bUnsensored pics\b
\brated adult site\b
(find out|learn|discover) ANYTHING about anyone
(remove.*\@dcemail\.com)
bagboy\@burmeses\.net
$a$ *$2$ *$C$.*1618
hot\w*\s+hardcore';

$smallestvirus=2500; ## size must be greater than this for viruscheck to run

$viruscheck='/usr/local/bin/viruscheck.sh'; ## adjust your antivirus settings here

Updated 8/15/01