[heavyboots]

Well, I debated responding to this since my response it so OT, but finally decided to toss it in the hopper, just in case it’s useful. Feel free to ignore it–it doesn’t actually pertain directly to installing SpamAssassin.

Having said that…

IMHO, if you’re going to set up your own spam filter anyway, you might just consider assp instead. Fairly easy to set up and changes practically nothing about the default install (mostly just the port that postfix listens on).

http://assp.sourceforge.net

Here’s what the relevant portion of my master.cf file looks like after I changed the port. There may have been changes to the main.cf file for postfix too, but I can’t recall anymore because I’ve tweaked that a lot compared to what it looked like in default mode anyway.

# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Copy/paste smtp line, change to 225, set assp to forward to 127.0.0.1:225 in web config
225      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       -       smtpd 

ASSP 1.1.2b1 (yes, beta1 but 3 months of stable operation would suggest it’s fine to use) is the best version out. It’s in the CVS at sourceforge.net. The main improvement is that it adds graylisting, which currently stops about 90% of all spam engines in their tracks. The downside of graylisting is that unrecognized ips are delayed an extra 5 or 10 minutes before they can try and send mail to you.

Well anyways, it’s just a thought. Personally, last time I tried to set up Spam Assassin (admittedly years ago now), it was hard to set up and hard to maintain. ASSP has always been pretty simple and useable for us, particularly since most of the config is done from a nice web interface. Worst case scenario is that you have to rebuild the bayesian db from time to time if it gets exceptionally confused.

Best o’ luck!

[heavyboots]

Given that I wouldn’t trust a LinkSys BEFSX41 farther than I could throw it with both arms tied behind my back, I have to ask–have you ever successfully established a VPN with it using the current version of the firmware on it?

I have an FSR41 and an FSX41. We basically don’t use the FSX41 anymore because it’s either so unstable or so broken, depending on which variant of the firmware I put on it.

[heavyboots]

[QUOTE BY= mkalien] or allow SSH but not let user’s out of their home directory and disallow executing scripts/files? Even so, they could still run all sorts of terminal commands that could tie up the processor and other resources.[/QUOTE]

Chroot ssh isn’t that hard to set up actually (however, I am still on 10.3.9 so I can’t say with certainty this will work on a Tiger box too). The weird thing I ran into was that something besides xinetd seems to need to restart for it to notice your new paths. Basically, I followed this tip over at MacOSXHints and got it set up. (Follow the instructions of the first guy and remember that if you want to restrict Users to just their their own folder, you’re going to need to put all the goodies they will need in each of their folders for chroot to work right. The example given in the hint just restricts them to the Users folder, meaning they can wander around in other user’s folders too.

One more important tip: After each system update, be sure to verify that Apple didn’t overwrite your custom /usr/libexec/sshd-keygen-wrapper. Because if they did, everyone has top-level directory access to the box again!

Argh, one more note: The winning property to edit the path in was NFSHomeDirectory. That’s where you want to add the /./ to the path to turn on chrooting.

[heavyboots]

I’ve got an AttoTech U4LS scsi card and a Quantum SDLT 320 running with various revs of Retrospect 6 (avoid Retrospect 5 like the Plague!). It has been very, very stable for over a year now. Perhaps 5 random hangs that whole time (with nightly BUs Mon thru Fri year-round and approx 400gb fully verified backups at the beginning of each month). The couple times it has randomly hung, I’ve gone and hunted up the latest Atto scsi drivers and it has been fine again after an update. One sure-fire hang for a while was inserting a fresh tape that was “bad”. Retrospect wouldn’t stop with a bad tape message, it would just hang at the tape request dialog. I complained in their forums several times (and even verified I wasn’t along because I solved the problem for someone else with similar issues) to no avail. Not sure if that’s still an issue in the most recent Retrospect 6 or not as I exchanged the bad tape in the end…

One other thing I noticed–a Granite Digital external firewire case wouldn’t EVER verify correctly via Retrospect. This was around Dec. of last year, so they may have hacked their firewire drivers to better operation by now, but I highly suspect the Retrospect firewire drivers were the culprit. I could Finder-copy the same data and do diffs and it would be fine. I could even restore from the drive that claimed it had verify errors and do diffs it would be fine. Retrospect, however, was always under the impression Something Bad had happened during the verify stage…

NOTE: One reason I posted this is that I suffered with an Exabyte Mammoth 2 drive for YEARS (must have exchanged 5 or 6 of those units!). As a result, I wouldn’t touch Exabyte product again with a 10-ft pole.

[heavyboots]

You might want to check out the AnandTech article on optimizing for G5. It looks like the answer may be “yes” from their article. Or you could reformat with YDL on the XServe, at a very minimum (if you’re not doing anything with AFP or other Apple technologies anyway).

Also, have you tried msyqladmin refresh? Perhaps (if it works) an hourly refresh cronjob would be enough to keep it from bogging?

[heavyboots]

You can always go with a commercial solution, such as no-ip.com offers (I think it is called Alternate Mail Port or some such thing). It’s something like $40, IIRC. I’ve never tried it but I was just there the other day looking into dynamic dns services and noticed it was an option.

[heavyboots]

Still running 10.3.9 and I use ASSP for spam filtering, so it’s a bit of a different setup. The only RBL’s I’m using are just the default ASSP ones:

bl.spamcop.net
cbl.abuseat.org
sbl-xbl.spamhaus.org
dnsbl.njabl.org
list.dsbl.org
dnsbl.sorbs.net
opm.blitzed.org
dynablock.njabl.org

ASSP is set for 3 replies max, 2 replies necessary to RBL a message.

Actually, the cool new feature that seems to really be making a difference is Delaying/Greylisting. New IP/from-user/to-usr triplets cause the mail server to request a delayed send–ie, tell the mail server at the other end to retry sending the message in 5 minutes. Valid mail servers can handle that; spammer engines being set up for speed and bulk just totally ignore it and don’t call back after the 5 minute time limit.

[heavyboots]

Yes, this is a lowly 10.3.9 machine. Can’t go to Tiger yet (although I’ve been eyeing the Software Update Mirror with great jealousy).

[heavyboots]

Ok, I just successfully completed this bloody install (wipes brick powder from forehead). Some hints:

[1] Follow the instructions completely on page 1 first! You have to do those before anything else. For example, the reason Mr. Shankly is gettig the sasl2 error message during epaulsen5’s update is because he hasn’t successfully completed the cyrus-sasl install on page 1.

[2] As the orginal author says, go back and reread the troubleshooting part several times. Quite likely some of your problems are from there. For example, you can’t use the avelsieve filter in SquirrelMail until you’ve gone in and made the group mail and the permissions 705 for the /usr/lib/sasl2/pwauxprop.* files. And you should also do the chflags nouchg on them so that repairing permissions on the server doesn’t hose the install later.

[3] Now for the tricky part–the timsieved.pkg from page 1 instructions doesn’t work as near as I can tell. I too had to follow epaulsen5’s directions (they are quoted at the top of page 19) to get timseived to activate and send out replies. You’ll know you’ve probably reached this point in the process when you can log into SqurrelMail and correctly set up a vacation notice and view it and emails sent to the account show up in SqurrelMail, but your mail log never shows an outgoing reply to the sender.

[4] Also, if you’re getting an error about “Can’t create INBOX/Send” in the left panel of SquirrelMail, you need to go run the /usr/share/squirrelmail/config/conf.pl script and choose D for pref-defined settings for specific IMAP servers. Type “cyrus” in and hit return and then your settings should be correct for cyrus imap.

[5] cyradm seems like quite a useful addition to any server admin’s arsenal. It also contains some perl libraries that help fix some of the scripts in the cyrus/bin folder (the ones that complain that they can’t find the sieve perl libraries). I’d recommend you go and install that too just for fun (search for the article on how to install it; that one works perfectly).

I hope this helps others. All told, I spent 8 or 10 hours trying to figure out the various things I was doing wrong, so maybe this will lower that time for one or two other people out there…

PS: MacTroll, your timseived package really does seem to be non-functional for a 10.3.9 XServe G5 default install. I redid the install of timsieved.pkg, the BDB.pkg, and the AvelSieve.pkg a total of three times (after removing all three receipts each time) and it still refused to work (although BDB and AvelSieve both were working after I reread the troubleshooting guide a couple times!). Epaulsens5’s config/build instrucs were necessary to create a working timsieved–perhaps they could be integrated into the page 1 install instructions at some point?

In any case, thanks to everyone who posted on this thread & MacTroll, the OP. I’ve finally got autoresponders working on my XServe! Woohoo!

[heavyboots]

I think perhaps you’re looking for this article?

http://maxo.captainnet.net/installs/mailserver/index.html

And if you’re going to replace your default Mail system entirely anyway, might I also recommend a look at ASSP as a spam filter?

http://assp.sourceforge.net

Look for the 1.1.2 beta release in the forums section. Fribo has apparently been running it with OS X with no problems for some time now.

[heavyboots]

[QUOTE] Ok I followed these instructions to the letter but when i get to stage 7 and run the first mod (Joels that is on the first page) I get this??

configure: error: Berkeley DB 3.x or later was not found. You may need to
supply the –with-bdb-libdir or –with-bdb-incdir configure options.
[/QUOTE]

Go back to page 1 and find the Berkeley DB package installer. Install that first.

So… I got to all the way to step 8. Whereupon, I get a response saying:

server:~/Desktop/builds/sieve/cyrus-imapd-2.2.12 root# make
make: *** No targets specified and no makefile found. Stop.

Do I need to specify “make install” instead of just “make” perhaps? Leary of just pulling the trigger since this is a production server…

This is on a Panther Server, version 10.3.5…

[heavyboots]

Just a quick note that I think this new look is incredibly pretty BTW! Much much better than the last iteration.

[heavyboots]

I haven’t messed with the web settings in the Server Admin, but in straight “apache-ese”, it’s just something like this–I use the example below to point everyone not coming from localhost to an under construction page while I’m twiddling with the php code:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^localhost$
RewriteRule ^(.*)\.(php)$ http://yourserver.com/underconstruction.html

See apache docs on mod_rewrite for more details.

[Author]

Posts