Eric Radman : a Journal

OpenSMTPD Mail Filtering

The title of this post should be "Spam Filtering on OpenSMTPD", but I didn't want to use the word "spam" on my home page. Running an e-mail server is a challanging and low-reward task, so we need to keep this as simple as we possibly can. These days is I classify mail using SpamAssasin, which will retuire three packages

p5-Mail-SpamAssassin
spampd
procmail

SpamAssassin is the classification engine, SpamPD connects to the SpamAssassin daemon and forwards the mail to an MTA, and Procmail writes the messages in the mbox format.

SpamAssassin & SpamPD

Filtering mail with OpenSMTPd is most easily accomplished by running a SpamAssassin proxy that we can forward mail to. The SpamPD relay will add X-Spam- headers to each message and forwarded them back to localhost on the port that we specify

# rc.conf.local
pkg_scripts="spamassassin spampd"
spampd_flags="--port=10025 --relayhost=127.0.0.1:10026 --tagall --log-rules-hit --maxsize=2048"

These SpamPD options only need to match the MTA configuration. Setting --maxsize allows messages with largish attachments to be processed. --tagall and --log-rules-hit are not required, but useful for diagnostics.

Procmail

Procmail can be configured per user with $HOME/.procmailrc or per site with /etc/procmailrc. The following rules will cause suspect mail to be delivered to an mbox named "spam".

:0:
* ^X-Spam-Flag: YES
$HOME/mail/spam

OpenSMTPD Routing

Extending the ideas presented in Run Your Own Server, this adds routing rules that forward incoming mail to the mail proxy for evaluation

# smtpd.conf
listen on localhost port 25
listen on egress port 25
listen on localhost port 10028 tag DKIM
listen on localhost port 10026 tag SPAMD

table aliases db:/etc/mail/aliases.db

accept tagged SPAMD from any for domain "eradman.com" deliver to mda "procmail -f -"
accept from any for domain "eradman.com" relay via smtp://127.0.0.1:10025
accept for local alias <aliases> deliver to mbox

accept tagged DKIM for any relay
accept from local for any relay via smtp://127.0.0.1:10027

Incoming mail on port 25 is not tagged, which matches the rule relay via smtp://127.0.0.1:10025. After SpamAssassin grades the mail, SpamPD relays it back to OpenSMTPD on port 10026 where it matches the tag SPAMD and is handed over to procmail for delivery.

Last updated on March 04, 2017
eradman.com/source