Articles November 14, 2004 at 11:37 pm

Per User spam settings with Amavis

Allow each of your users to have unique spam settings using Amavis and LDAP.

With a little bit of work you can allow each user to customize their SpamAssassin tag and kill scores using either their LDAP user records, or just by hand-editing the amavisd.conf config file.

Ed. note: This article expands on our other articles on spam/virus controls on OS X Server using amavisd, clamav and SpamAssassin. This article is worthless to you unless you have implemented this solution. Testing this method was done with amavisd-new 2.2.0. Earlier versions might not work.

1. Using LDAP lookups

Amavisd-new uses its own LDAP schema, which is not included in the default install of OS X Server, so you will need to install this. The schema is available in file LDAP.schema of the distribution, and online.

Before you start, you’ll need to have the Net::LDAP Perl module on your system. This is easiest to install through CPAN.

% sudo perl -MCPAN -e shell

cpan> install Net::LDAP
cpan> quit

I also recommend reading the latest README.lookups; for more information, look at the online documentation.

To start off, copy the amavis schema to /etc/openldap/schema on your Open Directory Master server.

% sudo cp LDAP.schema /etc/openldap/schema/

Make sure your permissions are correct!

-r--r--r-- 1 root wheel 26346 3 Nov 15:38 LDAP.schema

It would also be a decent idea to change the name to something like amavis.schema so that you’ll be able to figure out what it is later.

Now stop amavis:

% sudo amavisd stop

Add the following lines to /etc/amavisd.conf. I placed them right above the av scanners at the end of the file.

# LDAP settings
$enable_ldap = 1; # 0 = false, 1 = true

$default_ldap = {
     hostname => 'ldap.domain.com', # ldap hostname
     timeout => 5,
     tls => 1, # 0 = false, 1 = true
     base => 'cn=users,dc=domain,dc=com', # your searchbase
     query_filter => 
     '(&(objectClass=amavisAccount)(|(mail=%m)(mailAlternateAddress=%m)))'
};

Each user must have the mail attribute defined. This can’t readily be done through Workgroup Manager. Instead you’ll need to use a third-party app like AB4LDAP or manually add the mail attribute to your users. You can read README.lookups to see the other options available to you.

At this point, you can either reboot your server or restart slapd by hand.

To restart by hand:

% sudo killall slapd

Then start amavis back up:

% su clamav -c amavisd

Now it’s time to edit your users’ records. I will be using phpldapadmin, a web-based LDAP editor, to do this, although you could also use any LDAP browser, such as LDAP Browser.

First, see if the amavisAccount schema shows up under schema… look it over. You done? Okay, let’s go to cn=users.

Locate objectClass and click the “add value” button.

Select amavisAccount from the drop-down menu and click “Add new ObjectClass”

Now go to “Add New Attribute”

You will see a bunch of amavis attributes, but I will be only using three of them for this example.

Select amavisSpamTagLevel and give it a value of 0.0, or whatever your site policy dictates. amavisd adds spam info headers to messages that score at or above this level.

Click “Add”.

Repeat these steps to add amavisSpamTag2Level and give it a value. This is the level at which the subject line of the message is changed if it’s tagged as spam.

Do the same for amavisSpamKillLevel and give it a value. This determines when evasive measures are taken, which, depending on your amavisd.conf file, usually means deleting the message.

You get the idea…

Additionally, if you added your address book to cn=people, you will find that this is an easy way to add those contacts to white and black lists using the other attributes that the amavis LDAP schema gives you.
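
The phpldapadmin steps above can also be applied from the command line. The following is an added example, not from the original article: a shell function that validates the three scores and prints LDIF for ldapmodify. The user DN, the tag <= tag2 <= kill ordering check and the admin bind DN placeholder are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the article: build the ldapmodify input that sets
# the article's three amavisAccount attributes on one user entry.

# is_score S: succeed only for a plain decimal such as 5, 0.0 or -1.5
is_score() {
    printf '%s\n' "$1" | grep -Eq '^-?[0-9]+(\.[0-9]+)?$'
}

# le A B: succeed when A <= B (awk does the decimal comparison)
le() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 <= b + 0) }'
}

# amavis_ldif DN TAG TAG2 KILL: print LDIF on stdout, non-zero on bad input
amavis_ldif() {
    [ "$#" -eq 4 ] || { echo "usage: amavis_ldif DN TAG TAG2 KILL" >&2; return 2; }
    # A line break in any argument would smuggle extra LDIF lines into the output.
    for a in "$@"; do
        case $a in *'
'*) echo "argument contains a line break" >&2; return 1 ;; esac
    done
    dn=$1; tag=$2; tag2=$3; kill_lvl=$4
    for s in "$tag" "$tag2" "$kill_lvl"; do
        is_score "$s" || { echo "not a numeric score: $s" >&2; return 1; }
    done
    # Ordering check is this example's own sanity rule, not an amavisd one.
    if ! le "$tag" "$tag2" || ! le "$tag2" "$kill_lvl"; then
        echo "expected tag <= tag2 <= kill" >&2; return 1
    fi
    cat <<EOF
dn: $dn
changetype: modify
add: objectClass
objectClass: amavisAccount
-
add: amavisSpamTagLevel
amavisSpamTagLevel: $tag
-
add: amavisSpamTag2Level
amavisSpamTag2Level: $tag2
-
add: amavisSpamKillLevel
amavisSpamKillLevel: $kill_lvl
EOF
}
# Usage, constructed DN and placeholder admin DN (-ZZ requires StartTLS):
# amavis_ldif 'uid=user1,cn=users,dc=domain,dc=com' 0.0 4.0 8.0 |
#     ldapmodify -x -ZZ -H ldap://ldap.domain.com -D '<admin-dn>' -W
```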

2. Using a Plain Old Perl lookup

For those of you that don’t want to use, or don’t have, LDAP, you can achieve per-user settings by adding a simple Perl lookup for each user to your SpamAssassin settings in /etc/amavisd.conf

# default values, can be overridden by more specific lookups, e.g. SQL
$sa_tag_level_deflt = 0.0; # add spam info headers if at, or above that level
# Per-recipient hash lookup. The @ is escaped so Perl does not interpolate
# @$mydomain as an array dereference inside the double-quoted keys.
$sa_tag2_level_deflt = {
    "user1\@$mydomain"=>"4.0",
    "user2\@$mydomain"=>"1.2",
    "user3\@$mydomain"=>"8.0",
    "."=>"5.0" # default "catchall" score
}; # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
                           # at or above that level: bounce/reject/drop,
                           # quarantine, and adding mail address extension
