smtpauth-manager
Smtpauth-manager is an application that enables an MTA to reject mail submitted with a specified SMTP AUTH ID. It is a Milter and is used together with an MTA such as Postfix or Sendmail. When you add an SMTP AUTH ID to the configuration file, mail submitted with that ID is refused. To help detect mass mailings caused by spam, smtpauth-manager also writes a machine-readable mail log.
REQUIREMENT
- Perl
- Sendmail-PMilter >= 1.00
- Readonly
- Time::Piece
- Geo::IP
- Moose
- MooseX::Getopt
- MooseX::Daemonize
- Exception::Class
- Email::Address
- Email::Simple
- Email::Date::Format
- Email::Send
- Authen::SASL
- RRDs
- Net::INET6Glue
- Test::MockObject (for make test)
INSTALL
CentOS 6.6 x86_64 Postfix(RPM)
Add epel repository.
# rpm -Uhv http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Install required packages.
# yum -y install \
perl \
perl-Moose \
perl-MooseX-Getopt \
perl-MooseX-Types \
perl-MooseX-Types-Path-Class \
perl-MooseX-Daemonize \
perl-Readonly \
perl-Exception-Class \
rrdtool-perl \
perl-Authen-SASL \
perl-Email-Address \
perl-Email-Simple \
perl-Email-Date-Format \
perl-Email-Send \
perl-Time-Piece \
perl-version \
perl-JSON \
perl-Net-INET6Glue \
perl-Geo-IP \
perl-CGI \
httpd \
perl-Sendmail-PMilter
Install smtpauth-manager.
# rpm -Uhv https://github.com/sischkg/smtpauth-manager/downloads/perl-Milter-SMTPAuth-0.13.0-0.el6.x86_64.rpm
Create config files.
# cp /etc/sysconfig/smtpauth/filter.sample /etc/sysconfig/smtpauth/filter
# cp /etc/sysconfig/smtpauth/log-collector.sample /etc/sysconfig/smtpauth/log-collector
# cp /etc/smtpauth/weight.sample.json /etc/smtpauth/weight.json
# touch /etc/smtpauth/reject_ids.txt
CentOS 6.6 x86_64 Postfix(SOURCE)
Add epel repository.
# rpm -Uhv http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Install required packages.
# yum -y install \
git \
perl \
perl-Moose \
perl-MooseX-Getopt \
perl-MooseX-Types \
perl-MooseX-Types-Path-Class \
perl-MooseX-Daemonize \
perl-Readonly \
perl-Exception-Class \
rrdtool-perl \
perl-Authen-SASL \
perl-Email-Address \
perl-Email-Simple \
perl-Email-Send \
perl-Time-Piece \
perl-version \
perl-JSON \
perl-Net-INET6Glue \
perl-Geo-IP \
perl-CGI \
httpd \
perl-Test-MockObject \
perl-Sendmail-PMilter
Install smtpauth-manager.
# wget -O smtpauth-manager-0.13.0.tar.gz https://codeload.github.com/sischkg/smtpauth-manager/tar.gz/0.13.0
# tar xzf smtpauth-manager-0.13.0.tar.gz
# cd smtpauth-manager-0.13.0
# perl Makefile.PL
# make
# make install
Create user and group for smtpauth-manager.
# groupadd smtpauth-manager
# useradd -g smtpauth-manager -d /noexistent -s /bin/false smtpauth-manager
# gpasswd -a postfix smtpauth-manager # ( only postfix )
Create directories for log files and RRDs.
# mkdir -p /var/log/smtpauth /var/lib/smtpauth/rrd
# chown smtpauth-manager:smtpauth-manager /var/log/smtpauth /var/lib/smtpauth/rrd
Create init files.
# cp data/centos6/smtpauth-manager /etc/init.d
# chmod 744 /etc/init.d/smtpauth-manager
# chkconfig --add smtpauth-manager
Create config files.
# mkdir -p /etc/sysconfig/smtpauth
# cp data/centos6/filter /etc/sysconfig/smtpauth/filter
# cp data/centos6/log-collector /etc/sysconfig/smtpauth/log-collector
# mkdir -p /etc/smtpauth
# touch /etc/smtpauth/reject_ids.txt
# cp data/weight.sample.json /etc/smtpauth/weight.json
# chown -R smtpauth-manager:smtpauth-manager /etc/smtpauth
Config
smtpauth-manager
Reject mail of specified SMTP AUTH ID
Edit the reject ID file; it lists the denied SMTP AUTH IDs, one per line.
# vi /etc/smtpauth/reject_ids.txt
spammer
virus
evil
Detect bad sender
When smtpauth-manager detects a sender who sends many mails, it can write a warning message to SYSLOG (severity=mail). The conditions for detecting a bad sender are configured by the following parameters.
- <period> Period (in seconds) over which smtpauth-manager counts messages per sender
- <threshold> Threshold of messages
THRESHOLD=20
PERIOD=60
If a bad sender is detected, the following message is written to SYSLOG (/var/log/maillog).
Oct 5 20:42:04 mx smtpauth-log-collector[5788]: too many message sent by spammer( 1048.00 recipients / 60.00 seconds ).
Weight
The weights configured in /etc/smtpauth/weight.json are multiplied into the message count, as in the following cases.
- If the client has a private IP address, the sender is never considered a bad sender (ratio = 0).
- Because a user has been infected by malware many times, his ratio is 2.
- Because my customers don't send messages from a certain country, the ratio of messages from there is 10.
- If messages are sent from multiple countries by the same sender, the ratio is 2**(<num of countries> - 1).
# vi /etc/smtpauth/weight.json
{
"network": [
{
"network": "192.168.0.0/16",
"weight": 0
},
{
"network": "10.0.0.0/8",
"weight": 0
},
{
"network": "1.0.0.0/8",
"weight": 3
}
],
"auth_id": [
{
"auth_id": "root",
"weight": 0
},
{
"auth_id": "spam",
"weight": 2
}
],
"country": [
{
"code": "JP",
"weight": 1
},
{
"code": "US",
"weight": 2
},
{
"code": "CN",
"weight": 10
}
],
"country_count": {
"ratio": 2
}
}
Reject Automatically
When smtpauth-manager detects bad senders, their SMTP AUTH IDs are added to /etc/smtpauth/reject_ids.txt automatically. To use this feature, add the following line to /etc/sysconfig/smtpauth/log-collector.
AUTO_REJECCT=YES
Next, change the owner of the directory /etc/smtpauth and of /etc/smtpauth/reject_ids.txt to smtpauth-manager.
# chown smtpauth-manager /etc/smtpauth /etc/smtpauth/reject_ids.txt
Mail Alert
When smtpauth-manager detects bad senders, it sends an alert mail to the specified administrator address.
ALERT_EMAIL=YES
ALERT_MAILHOST=<hostname of MTA>
ALERT_PORT=<port number of MTA>
ALERT_SENDER=<sender address>
ALERT_RECIPIENTS=<recipient address of alert mail>
MTA
Postfix
Milter configuration of Postfix.
# vi /etc/postfix/main.cf
smtpd_milters = unix:/var/run/smtpauth/filter.sock
milter_connect_macros = j {daemon_name} {client_addr} {client_port} v
Sendmail
Milter configuration of Sendmail.
# cd /etc/mail
# vi sendmail.mc
INPUT_MAIL_FILTER(`smtpauth-manager',`S=unix:/var/run/smtpauth/filter.sock, F=T, T=R:1m')dnl
define(`confMILTER_MACROS_CONNECT',`j, _, {daemon_name}, {if_name}, {if_addr}, {client_port}, {client_addr}')dnl
define(`confMILTER_MACROS_EOM',`{msg_id}, {msg_size}')dnl
# make sendmail.cf
Start Service
smtpauth-manager
# service smtpauth-manager start
# chkconfig smtpauth-manager on
MTA
Postfix
# service postfix start
# chkconfig postfix on
Sendmail
# service sendmail start
# chkconfig sendmail on
LOG FILE
Each time a client sends one message, smtpauth-manager appends a log record to a file (default: /var/log/smtpauth/stats.log) in the following format.
client_address:<client address 1><tab>client_port:<client_port 1><tab>connect_time:<connect_time 1><tab>sender:<sender 1><tab>eom_time:<eom_time 1><tab>size:<size 1><tab>recipient:<recipient 1><tab>country:<country 1>
client_address:<client address 2><tab>client_port:<client_port 2><tab>connect_time:<connect_time 2><tab>sender:<sender 2><tab>eom_time:<eom_time 2><tab>recipient:<recipient 2.1><tab>recipient:<recipient 2.2><tab>country:<country 2>
sender:<sender 3><tab>client_address:<client address 3><tab>client_port:<client_port 3><tab>eom_time:<eom_time 3><tab>recipient:<recipient 3><tab>connect_time:<connect_time 3><tab>size:<size><tab>country:<country 3>
...
- client_address: Client IP address
- client_port: Client source port (Postfix >= 2.5)
- auth_id: SMTP AUTH ID
- sender: Envelope sender address (MAIL From:)
- recipient: Envelope recipient address (RCPT To:); repeated once per recipient
- connect_time: When the SMTP client connected to the MTA. Format is YYYY-MM-DD HH:MM:SS.
- eom_time: When the MTA received the end of the message from the client (".\r\n"). Format is YYYY-MM-DD HH:MM:SS.
- size: Message size (bytes). Sendmail only.
- country: Country code of the SMTP client
- <tab>: TAB ("\t")
This format is nearly LTSV, but it allows the same label to appear more than once on one line.
The log file is rotated to /var/log/smtpauth/stats.log.YYYYMMDD every day.
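The following is an added example, not code from smtpauth-manager itself, that parses the stats.log format above (repeated labels kept as lists) and applies the "Detect bad sender" and "Weight" rules to it: recipients are counted per SMTP AUTH ID within PERIOD seconds, the matching network, auth_id and country weights are multiplied in, and the total is scaled by ratio ** (countries - 1). It assumes the weights combine multiplicatively, that an unmatched entry has weight 1, and that the sample weight.json and log lines are constructed for this example; the project's own arithmetic may differ in detail.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed weight.json with the same shape as the README's sample (not the project's own file).
WEIGHTS = json.loads('''{
  "network": [{"network": "192.168.0.0/16", "weight": 0}, {"network": "1.0.0.0/8", "weight": 3}],
  "auth_id": [{"auth_id": "spam", "weight": 2}],
  "country": [{"code": "JP", "weight": 1}, {"code": "CN", "weight": 10}],
  "country_count": {"ratio": 2}}''')

# Constructed stats.log lines in the README's LTSV-like format; "recipient:" may repeat on a line.
SAMPLE_LOG = [
    "client_address:192.168.1.5\tauth_id:alice\teom_time:2016-10-05 20:42:00\trecipient:a@example.jp\trecipient:b@example.jp\tcountry:JP",
    "client_address:1.2.3.4\tauth_id:spam\teom_time:2016-10-05 20:42:01\trecipient:c@example.jp\tcountry:JP",
    "client_address:1.2.3.5\tauth_id:spam\teom_time:2016-10-05 20:42:30\trecipient:d@example.jp\trecipient:e@example.jp\tcountry:CN",
    "client_address:1.2.3.6\tauth_id:spam\teom_time:2016-10-05 20:40:00\trecipient:f@example.jp\tcountry:CN",
]

def parse_line(line):
    """Parse one label:value<TAB>... record; a repeated label yields a list of values."""
    rec = defaultdict(list)
    for field in line.rstrip("\n").split("\t"):
        label, _, value = field.partition(":")
        rec[label].append(value)
    return rec

def message_weight(rec, weights):
    """Product of the matching network, auth_id and country weights (assumed multiplicative; unmatched = 1)."""
    addr = ipaddress.ip_address(rec["client_address"][0])
    w = next((n["weight"] for n in weights["network"] if addr in ipaddress.ip_network(n["network"])), 1)
    w *= next((a["weight"] for a in weights["auth_id"] if a["auth_id"] == rec["auth_id"][0]), 1)
    w *= next((c["weight"] for c in weights["country"] if c["code"] == rec["country"][0]), 1)
    return float(w)

def weighted_recipients(lines, weights, end, period):
    """Weighted recipients per AUTH ID within PERIOD seconds up to end, times ratio ** (countries - 1)."""
    end = datetime.strptime(end, "%Y-%m-%d %H:%M:%S")
    totals, countries = defaultdict(float), defaultdict(set)
    for rec in map(parse_line, lines):
        t = datetime.strptime(rec["eom_time"][0], "%Y-%m-%d %H:%M:%S")
        if not end - timedelta(seconds=period) < t <= end:
            continue  # outside the detection window
        auth_id = rec["auth_id"][0]
        totals[auth_id] += message_weight(rec, weights) * len(rec["recipient"])
        countries[auth_id].add(rec["country"][0])
    ratio = weights["country_count"]["ratio"]
    return {a: totals[a] * ratio ** (len(countries[a]) - 1) for a in totals}

def bad_senders(lines, weights, end, period=60, threshold=20):
    """AUTH IDs whose weighted count reaches THRESHOLD within PERIOD (the log-collector's warning condition)."""
    counts = weighted_recipients(lines, weights, end, period)
    return sorted(a for a, c in counts.items() if c >= threshold)
```

With the sample data, "alice" scores 0 because her private client address carries weight 0, while "spam" reaches 252 within the 60-second window (3 x 2 x 10 for the CN message, doubled for sending from two countries) and is reported.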
LICENSE AND COPYRIGHT
Copyright (C) 2016 Toshifumi Sakaguchi
This program is distributed under the (Revised) BSD License: http://www.opensource.org/licenses/bsd-license.php