ASSP on Debian 8/9/Ubuntu 16.04

Introduction

ASSP stands for Anti-Spam SMTP Proxy and that’s exactly what it is. You install it as a proxy between the internet and your mailserver and it filters out spam for you. For more information on ASSP check out my previous article on ASSP, which is much more verbal and also discusses in some detail how to operate your ASSP installation.

This article explains how to set up ASSP on Debian 8 “Jessie”. It will most probably work on any Debian derivative as well, like Ubuntu or Linux Mint.

Update: added notes for installing on Ubuntu 16.04.1.
Update 2: updated to work with Debian 9; added workaround for Perl bug

Ubuntu doesn’t have aptitude installed by default so if you’re running Ubuntu you must either install it (# apt-get install aptitude) or substitute apt-get for aptitude in this article.

Backends
ASSP can use a number of database backends, including:
– flat text files (this is the default)
– BerkeleyDB (easy to set up but not managed)
– MySQL (a bit more complicated to set up but works better in the long run)
– many other databases

We’ll start out with text files and migrate to MySQL once everything is running.

Mailserver
You will need to set up your own mailserver (e.g. Exchange, Domino, Postfix) and have it relay outgoing mail through the ASSP server. We’ll set up ASSP on a separate machine. It’s perfectly possible to run ASSP on your mailserver itself but isolating it on a separate machine makes for easier troubleshooting.

System requirements
During setup ASSP may complain that it needs at least four processors and two DNS servers. It will work with less but the complaints are valid: in order to secure smooth operations you *will* need a decent server. Also the DNS servers need to be servers on your LAN, not on the internet. External DNS servers may return non-standard replies to dnsbl queries and even if they don’t they may start doing so in the future without warning. For this test setup I’m using just one DNS server but in a corporate environment in which you’re depending on DNS for your daily network operations (say Active Directory or any type of LDAP based network) your DNS server(s) must be sufficiently responsive to service both LDAP and ASSP queries.

Why not use Exim4 instead of Postfix? Because I am more familiar with Postfix. Use Exim4 if you like.

Network lay-out
For this article I will be using three machines:
192.168.1.1 – router
192.168.1.2 – ASSP + Postfix
192.168.1.3 – mailserver (Postfix) to which the end-users connect
Domain: testnet.lab
User: vorkbaard – but feel free to add your own

Do keep the IP addresses in mind when copying and pasting example code into your own server.

Versions
– Debian 8.6
– ASSP 2.5.1 16177

Installing the server

When installing Debian you’ll be asked which server roles you would like to install. Ubuntu and other derivatives may differ from Debian itself but in any case you do not need to select anything in particular. The SSH server and the so-called standard system utilities will come in handy.

No particular software collections necessary:
[*] SSH Server
[*] Standard system utilities

Note for Ubuntu 16: you may install the Mailserver role here, which will install Postfix.

Debian Jessie's Task Selector

If you’re using a VM it is advisable to install ntpdate so your mail and logs will use the correct time stamps:

# aptitude install ntpdate ntp
# service ntp stop && ntpdate 2.debian.pool.ntp.org && service ntp start

After exporting or importing the VM do

# ntpdate 2.debian.pool.ntp.org

to sync the time.
(Pick a close ntp server from the list at http://www.pool.ntp.org.)

Postfix

# aptitude install postfix

If asked to replace Exim, choose Yes. Type of server: Internet Site. System mail name: like the explanation on-screen says: if a mail address on the local host is foo@example.org, the value would be example.org.

In the file /etc/postfix/master.cf find:

smtp    inet    n   -   -   -   -   smtpd

and change it to:

125     inet    n   -   -   -   -   smtpd

Set message size limit
We need to take a careful look at the maximum allowed e-mail size because if ASSP and Postfix are not using the same size strange errors may occur. I have had mails stuck in the queue indefinitely because Postfix’s maximum size was smaller than ASSP’s.

For this article we’ll be going with a 20MB e-mail limit.

In the file /etc/postfix/main.cf change the following value (or add it if it doesn’t exist):

message_size_limit = 26214400

Secure so only the ASSP server may use Postfix: in /etc/postfix/main.cf change mynetworks to:

mynetworks = 127.0.0.0/8 192.168.1.2/32 [::ffff:127.0.0.0]/104 [::1]/128

Take care to use your own server’s address in the above line where I wrote 192.168.1.2.
At the end of the file add:

smtpd_client_restrictions = permit_mynetworks, reject
smtpd_delay_reject = no
transport_maps = hash:/etc/postfix/transport

This tells Postfix:
– to allow the addresses in the mynetworks value
– to reject immediately if not allowed
– to use a hash of the file /etc/postfix/transport to look for routing instructions.

Look for the value of mydestination and remove your mail domain (note: this is already done in Ubuntu 16):
From

mydestination = example.com, assp.testnet.lab, localhost.testnet.lab, localhost

To:

mydestination = assp.testnet.lab, localhost.testnet.lab, localhost

If you don’t do this Postfix will assume it is the final recipient of incoming mail for your domain, which it isn’t: it must be routed through ASSP and delivered to your ‘real’ mailserver.

Create the file /etc/postfix/transport and add to it:

example.com smtp:192.168.1.3

This tells Postfix that mail to the example.com domain should be routed to 192.168.1.3 using the smtp protocol. Again, use your own domain name and mailserver IP address.

Load the transport file in Postfix and reload Postfix:

# postmap /etc/postfix/transport
# postfix reload

The postmap command creates a hash file for /etc/postfix/transport. Our file contains only one entry but if there were a lot more, the hashing would make it easier for the computer to read, and thus faster. It’s just the way Postfix does things.

Note that if you change the transport file you need to rehash it by rerunning the above postmap command.

Perl modules from Debian’s repositories

A lot of Perl modules exist in Debian’s repositories. The format is usually: net::dns::perl becomes libnet-dns-perl. To install the lot of them:

# apt-get install libnet-dns-perl libauthen-sasl-perl libmail-spf-perl \
          libregexp-optimizer-perl libfile-readbackwards-perl \
          libnetaddr-ip-perl libnet-cidr-lite-perl libmail-dkim-perl \
          libnet-ldap-perl libunicode-string-perl \
          libemail-mime-perl libtext-unidecode-perl \
          liblingua-stem-snowball-perl libsys-cpu-perl libthreads-perl \
          libschedule-cron-perl libdigest-sha-perl libmime-types-perl \
          libclamav-client-perl libarchive-zip-perl libberkeleydb-perl \
          liblingua-identify-perl libsys-cpuload-perl \
          libthreads-shared-perl libunicode-linebreak-perl

Dependencies

We’ll be installing as many Perl modules as possible from Debian’s repositories. This ensures they will play nice with the rest of the OS and be updated automatically.

Some modules have dependencies that need to be fulfilled first.

Module:                              Included in package:
OCR modules:                         libgd2-xpm-dev
Crypt::OpenSSL::AES:                 libssl-dev
Image::OCR::Tesseract:               tesseract-ocr and imagemagick
PDF::OCR and PDF::OCR2:              xpdf
Installing Perl modules from CPAN:   make and build-essential

# aptitude install make build-essential libgd2-xpm-dev libssl-dev tesseract-ocr imagemagick xpdf

Perl modules

Some Perl modules are not available as a Debian repository package. We need to install those with CPAN.

First, upgrade CPAN:

# cpan
Would you like to configure as much as possible automatically? [yes]
CPAN> install CPAN
CPAN> reload cpan

Now let’s install the modules.

cpan> install Digest::SHA1 LWP::Simple Net::IP::Match::Regexp Net::SMTP Net::SenderBase Net::Syslog Thread::State File::PathInfo LEOCHARRE::DEBUG LEOCHARRE::CLI Tie::RDBM Sys::CpuAffinity Sys::MemInfo Unicode::GCString Mail::DKIM::Verifier PDF::GetImages Crypt::OpenSSL::AES Image::OCR::Tesseract PDF::OCR PDF::OCR2 Email::Send

This may take a while. Get coffee.

LWP will ask if you want to run tests. Answer it No. Get more coffee.

Installing PDF::Burst
PDF::Burst was written by the artist Leo Charre who is no longer updating his code. PDF::Burst will not install without a fight. To install it:

# cpan
cpan> install PDF::Burst (this will fail)
cpan> look file PDF::Burst
cpan> exit
# vi lib/PDF/Burst.pm

Replace the line that reads

defined %dat or warn("had nothing in '$doc_dat'?") and return;

with

%dat or warn("had nothing in '$doc_dat'?") and return;

[Source: https://rt.cpan.org/Public/Bug/Display.html?id=103188]

Save the file

# make test
# make install

# exit
> quit

SPF
Mail::SPF::Query is used for upgrade compatibility with ASSP V1. V2 only uses Mail::SPF. It is possible to force install Mail::SPF::Query and it will work, but unless you’re upgrading from V1 (which we’re not; this is a clean install) it is better to disable useMailSPFQuery, not install Mail::SPF::Query, and instead enable useMailSPF and install libmail-spf-perl. Enabling and disabling these options can be done in ASSP’s web interface later on.

If useMailSPFQuery:=0 ASSP may become unstable, at least that’s what happens when I install it. Force install Mail::SPF::Query and leave useMailSPFQuery:=1. I went with

cpan> force install Mail::SPF::Query

If you’re going to use ClamAV for virus scanning, do

cpan> force install File::Scan::ClamAV

(My previous article explains in more detail how to set up ClamAV with ASSP.)

cpan> quit

Installing ASSP

# aptitude install unzip
$ wget -O assp.zip http://sourceforge.net/projects/assp/files/latest/download

Extract to /usr/share/assp/. You could put it anywhere but I’m using this path.

# unzip -d /usr/share assp.zip

Make the Perl scripts executable:

# chmod +x /usr/share/assp/*.pl

Create a dedicated system user for assp:

# useradd assp -r

Set file permissions

# chown -R assp:assp /usr/share/assp

ASSP will change the permissions a bit. That’s ok. It’s started as root and its code changes it to the assp user.

Start ASSP:

# perl /usr/share/assp/assp.pl &

The trailing & already runs ASSP in the background; press Ctrl + C to get a clean prompt back if its start-up output clutters your console.
Watch for errors and warnings in /usr/share/assp/logs/maillog.txt.
Point your browser to http://192.168.1.2:55555. The default username is root and the password is nospam4me. Change this default password after your first login.

Configuring ASSP

The bare minimum to getting ASSP running:

[Network Setup / Incoming Mail]
SMTP Listen Port (listenPort): 25
SMTP Destination (smtpDestination): 125

[Relaying / Outgoing and Local Mail]
Relay Host (relayHost): 127.0.0.1:125 (this is Postfix we set up earlier!)
Relay Port (relayPort): 225
Allow Relay Connection from these IP’s (allowRelayCon): 192.168.1.3

[SMTP Session Limits]
Max Size of Local Message (maxSize): 20971520
Max Size of External Message (maxSizeExternal): 20971520

[Recipients/Local Domains/Transparent Recipients and Domains]
Local Domains (localDomains): example.com

[Delaying/Greylisting]
[ ] Enable Delaying/Greylisting (in any case for now while we’re testing)

[TestModes]
Prepend Spam Subject (spamSubject): [SPAM]
[v] Prepend Spam Tag (spamTag)
[v] All Test Mode ON (allTestMode)

[Logging]
Notification Email To (Notify): helpdesk@example.com

[DNS Setup]
[v] Use Local DNS (UseLocalDNS)
DNS Name Servers (DNSServers): 192.168.1.1
Use at least two dns servers for production environments. Using one dns server will result in an error message ‘incorrect ‘DNSServers’ – possibly unchanged’. It will still work.

[Server Setup]
Run as UID (RunAsUser): assp
Run as GID (RunAsGroup): assp
My Name (myName): mail.example.com
My Helo (myHelo): SENDERHELO – IP – MYNAME – FQDN | MYNAME
Override the Server SMTP Greeting (myGreeting): MYNAME
[v] Set ASSP File Permission on Startup (setFilePermOnStart)
[v] Check ASSP File Permission on Startup (checkFilePermOnStart)

Do not forget to press Apply Changes after making changes. If you need to restart ASSP scroll all the way up and click Shutdown/Restart. Click the Proceed button and be patient. You can follow the shutdown process from your terminal.

If your browser says the page cannot be found ASSP has stopped and you may restart it.

Now is a good time to test connectivity. Tell your mailserver to relay outgoing mail to 192.168.1.2:225 and verify that incoming and outgoing mail is working. In case of problems check /var/log/mail.log and /usr/share/assp/logs/maillog.txt.
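
The Postfix settings from earlier (port 125, mynetworks, client restrictions, message size) and ASSP's maxSize values can be cross-checked offline before the connectivity test. This is an added example, not code from the article's author or from the ASSP or Postfix projects; the function names are hypothetical, it assumes ASSP's config file holds plain name:=value lines, and the mynetworks check generalizes the article's /32 entry to "no entry wider than a single host".

```shell
#!/bin/sh
# Added example: offline cross-checks of the settings used in this article.
# Value of key $2 in main.cf-style file $1. Continuation lines are folded
# in and the last definition wins, as in Postfix itself.
main_cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur != "") { sub(/^[ \t]+/, ""); val[cur] = val[cur] " " $0 }
                   next }
        { cur = ""; i = index($0, "="); if (!i) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          cur = k; val[k] = v }
        END { if (key in val) print val[key] }' "$1"
}

# Value of key $2 in ASSP config file $1 (assumed format: name:=value).
assp_cfg_get() { sed -n "s/^$2:=//p" "$1" | tail -n 1; }

# Postfix must accept at least as much as ASSP lets through.
check_sizes() {    # $1 = main.cf, $2 = ASSP config
    rc=0
    pf=$(main_cf_get "$1" message_size_limit)
    pf=${pf:-10240000}    # Postfix built-in default when the key is unset
    for k in maxSize maxSizeExternal; do
        a=$(assp_cfg_get "$2" "$k")
        case $a in
            ''|*[!0-9]*) echo "FAIL $k is not a number: '$a'"; rc=1 ;;
            *) [ "$pf" -ge "$a" ] ||
                   { echo "FAIL Postfix limit $pf < ASSP $k $a"; rc=1; } ;;
        esac
    done
    return $rc
}

# Only ASSP's host may relay, and smtpd must sit on 125 instead of 25.
check_lockdown() {    # $1 = main.cf, $2 = master.cf
    rc=0
    r=$(main_cf_get "$1" smtpd_client_restrictions | tr -d ' \t')
    [ "$r" = "permit_mynetworks,reject" ] ||
        { echo "FAIL smtpd_client_restrictions = '$r'"; rc=1; }
    nets=$(main_cf_get "$1" mynetworks)
    [ -n "$nets" ] || { echo "FAIL mynetworks is not set explicitly"; rc=1; }
    # Allowed entries: loopback ranges and single IPv4 hosts.
    ok='^$|^127\.0\.0\.0/8$|^\[::1\]/128$|^\[::ffff:127\.0\.0\.0\]/104$'
    ok=$ok'|^([0-9]+\.){3}[0-9]+(/32)?$'
    wide=$(printf '%s\n' "$nets" | tr ', \t' '\n\n\n' | grep -Ev "$ok" || true)
    [ -z "$wide" ] || { echo "FAIL mynetworks wider than one host: $wide"; rc=1; }
    # The service name must start in column 0 of master.cf.
    grep -Eq '^125[ \t]+inet[ \t].*[ \t]smtpd([ \t]|$)' "$2" ||
        { echo "FAIL no smtpd listener on port 125"; rc=1; }
    if grep -Eq '^(smtp|25)[ \t]+inet[ \t]' "$2"; then
        echo "FAIL Postfix still listens on port 25"; rc=1
    fi
    return $rc
}

# Constructed sample files that mirror the values shown in this article.
write_sample() {    # $1 = directory
    cat > "$1/main.cf" <<'EOF'
message_size_limit = 26214400
mynetworks = 127.0.0.0/8 192.168.1.2/32 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_client_restrictions = permit_mynetworks, reject
EOF
    printf '125  inet  n  -  -  -  -  smtpd\nsmtp  unix  -  -  -  -  -  smtp\n' \
        > "$1/master.cf"
    printf 'maxSize:=20971520\nmaxSizeExternal:=20971520\n' > "$1/assp.cfg"
}

d=$(mktemp -d)
write_sample "$d"
check_sizes "$d/main.cf" "$d/assp.cfg" &&
    check_lockdown "$d/main.cf" "$d/master.cf" && echo "OK: sample is consistent"
rm -rf "$d"
```

On the server, call the two check functions with /etc/postfix/main.cf, /etc/postfix/master.cf and ASSP's config file (assumed here to be assp.cfg in the install directory).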

Migrating the databases to MySQL

Install MySQL:

# aptitude install mysql-server mysql-client

The installer will ask you for a password. Choose a hard password and remember it.

Set up a database and a user for assp:

# mysql -u root -p
mysql> create database assp;
mysql> create user 'assp'@'127.0.0.1' identified by 'pwd';
mysql> GRANT ALL PRIVILEGES ON `assp`.* TO 'assp'@'127.0.0.1';
mysql> quit

Enable [Network Setup / Incoming Mail] > Disable all new SMTP and Proxy Network Connections (DisableSMTPNetworking). So check the checkbox.
[Apply Changes]

Monitor the ASSP database for changes:

# watch mysql -u root -pMySqlPassword -e \'show tables\' assp

If your MySQL root password is pwd do

# watch mysql -u root -ppwd -e \'show tables\' assp

Initially this will not show any output because ASSP has not made any tables yet.

Set all needed DB parameters [File Paths and Database]
database hostname or IP (myhost): 127.0.0.1
database driver name (DBdriver): mysql
database name (mydb): assp
database username (myuser): assp
database password (mypassword): pwd (use the assp database user’s password here)

[Apply Changes], verify that ASSP is not throwing errors and that the database settings remain set in the web interface.

Set Email Whitelist Database File (whitelistdb) to: DB:
Press [Apply Changes].

Restart ASSP and verify that the watch command now shows the whitelist table (can take a few seconds).

If that works correctly then ASSP is working well with MySQL and you can set the other lists to DB: as well:
Email Redlist Database File (redlistdb)
Personal Blacklist Database File (persblackdb)
Delaying Database (delaydb)
LDAP Database (ldaplistdb)

[Shutdown/Restart]
Start assp

Uncheck the DisableSMTPNetworking checkbox.

Tips and tricks

* Subscribe to the ASSP mailing list.
* Troubleshooting Postfix:
– Postfix logs to /var/log/mail.log
– ASSP logs to /usr/share/assp/logs/maillog.txt and /usr/share/assp/logs/bmaillog.txt (errors). That is, if you installed ASSP in /usr/share/assp.
– # postconf -n shows all non-default settings in Postfix’s configuration
– Do not start the line ‘125 inet n - - - - smtpd’ with one or more spaces.
– Postfix does not care about the order of the directives in main.cf.
* Check my previous article on ASSP for a more elaborate discussion of the software.

31 Comments

  1. Gual

    Hallo,
    Tx very much for this howto!
    Nevertheless I’m encountering following problem:
    Modules PDF::Burst, PDF::OCR and PDF::OCR2 will install only with force option

    Reason: fail during command:make_test NO

    Greetings

      • Gual

        Hello,
        I checked it: they are installed.

        I removed the forced modules and tried again: the problem seems to be PDF::Burst. Make test fails with this reason:
        Can’t use ‘defined(%hash)’ (maybe you should just omit the defined()?) at lib/PDF/Burst.pm line 311

        • Kapitein Vorkbaard

          Hmm, I’m not sure why that happens, sorry. This module is for splitting large (not sure how large exactly) pdf files. Try force installing it, completing the setup, then sending a very large pdf file and check the log files.

          Perhaps it is related to the previously failed OCR modules. Make sure those are installed, leave cpan, try again.

          If that doesn’t help perhaps the Perl Monks can be of service.

    • Kapitein Vorkbaard

      Quite. That’s why I linked to my previous article that’s a bit more in-depth. Installation and configuration of the ClamAV daemon and freshclam is detailed in that one :)

      • bob

        I also struggled getting the perl mysql DBI to work and this command helped get it installed. sudo apt-get install libdbd-mysql-perl . If you want to use the cpan version you need to create a DB user with your username and then with a password of skr1t or something like that.

  2. Wooza

    I really enjoyed reading your mail server tutorials and I have successfully setup a mail server (Dovecot+Postfix+ASSP). However I have one problem: ASSP is doing its job fine with incoming mails but I don’t manage to do the same for outgoing ones. I fail to understand how relaying works in the case of all services running on one box without the need of two instances of Postfix.

    I managed that ASSP is reading the outgoing mails just fine but then is relaying to postfix, postfix then does the same and sends it back to ASSP and I end up with mails being bounced. I am new to mail servers and I really have difficulties to make the relaying properly work with ASSP.

    • Kapitein Vorkbaard

      If you are new to mail servers then I compliment you on how far you’ve got :) I haven’t been able to successfully set up all those components on one server myself. I suppose it is possible because no one’s forcing you to use one port or another and certainly Postfix allows for that kind of routing of mail – BUT: you really need to understand what you’re doing instead of just copying configs from a tutorial, otherwise you risk screwing up your config next time you try out something or install an update. You need to be able to troubleshoot.

      My workaround was to use two VMs on a single machine. If you do figure it out feel free to let me know and I’ll happily add it to the documentation :)

      • Wooza

        Ahoi Kapitein!

        After pausing the project and thinking about it a little more, I come to the conclusion that IF I want to run everything on the same machine, I end up with two instances of ASSP.

        I have successfully told Postfix to relay outgoing mails to ASSP and ASSP is also checking them, but ASSP also wants a relayhost. I set as relayhost the postfix address and ofc that will end up mails being bounced back and forth between postfix and ASSP.

        Basically what I wanted is that clients can report spam by themselves and I haven’t thought I end up spending so many times hehe. But nonetheless I could learn a lot (relaying).

        Thank you again for your great tuts, keep up the good work!

        I let you know when I have made progress

          • Kapitein Vorkbaard

            Yes, two Postfix instances. I came to the same conclusion. Possibly you could use the same Postfix instance with different relaying rules but in either case it gets messy.

  3. I got this error when I sent mail to gmail. I had the spf, dkim, dmarc on my domain but when email was relayed by assp, it got error.

    localhost postfix/smtp[10962]: 7E2B18579E: to=, relay=gmail-smtp-in.l.google.com[74.125.204.27]:25, delay=2.8, delays=0.2/0.01/0.76/1.9, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.204.27] said: 550-5.7.1 Unauthenticated email from ahrockz1.cf is not accepted due to domain’s 550-5.7.1 DMARC policy. Please contact the administrator of ahrockz1.cf domain 550-5.7.1 if this was a legitimate mail. Please visit 550-5.7.1 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1 DMARC initiative. 25si4399327pgt.419 – gsmtp (in reply to end of DATA command))

  4. Anthony

    One thing that’s confusing to me is, what settings am I putting in my /etc/postfix/main.cf file to specify the proxy as our smtp server?

    am I defining the relayhost variable?

    like
    relayhost = [myasspserver.mydomain.com]:25
    ?

    do I need to put a uname and password in somewhere?
