oreilly.comSafari Books Online.Conferences.


Mail Server Filtering
Pages: 1, 2

Install MIMEDefang

MIMEDefang can add the common legalese found at the bottom of some email messages, provide very fine-grained access control, and alter emails in almost any other way desired. Our main interest is in using MIMEDefang to strip out unwanted attachment types and coordinate ClamAV and SpamAssassin activities. MIMEDefang's port lives under /usr/ports/mail/mimedefang. Like SpamAssassin, it's written in Perl. Like ClamAV, it runs in daemon mode, so that the system can avoid the massive overhead of starting up a Perl program for every email that passes through the system. When you install MIMEDefang, the configure script will automatically detect that you have both ClamAV and SpamAssassin and will build itself appropriately.

MIMEDefang's configuration file, /usr/local/etc/mimedefang/mimedefang-filter, contains fragments of Perl code that integrate with the main MIMEDefang daemon. If you are not comfortable with Perl, don't worry; just be certain that you implement new functions exactly as they are shown and you won't have any trouble. (I also highly recommend that you spend a few hours with an introductory Perl text; even though I'm a systems administrator and not a programmer, Perl is far too useful in my day-to-day work.)

You should set a few variables in mimedefang, such as $AdminAddress and $AdminName. If you have a separate MIMEDefang administrator, you can enter a specific name and email address, but otherwise, just use your network's generic mail management information. (For those of you unfamiliar with Perl, the single and double quotation marks are very important and must be as shown.)

$AdminAddress = '';
$AdminName    = "Mail Administrator";

MIMEDefang will occasionally send an email about an action it has taken. Set the $DaemonAddress variable to the email address you want it to use.

$DaemonAddress = '';

Everything else in this file is strictly optional. Take a look at some of the settings, however, as you might find them useful in your network. There are examples of blocking emails with too many MIME parts, as well as configuring where MIMEDefang will place its alerts. The default includes antispam and antivirus functions, as well as mail quarantine.

Personally, I find that MIMEDefang's mail quarantine functions are reliable enough that I'm comfortable simply rejecting viral emails. There's a comment in the mimedefang-filter file much like this:

  # But quarantine the part for examination later.  Comment
  # the next line out if you don't want to bother.
  action_quarantine($entity, "A known virus was discovered and deleted.  \
  	Virus-scanner messages follow:\n$VirusScannerMessages\n\n");

By commenting out the line beginning with action_quarantine, MIMEDefang will make Sendmail reject incoming viruses as soon as possible.

Finally, the variable $bad_exts contains a list of extensions that MIMEDefang will block. Extend this list as needed. For example, if some evil mastermind were to write a high-powered virus that propagated via files with the .doc extension, you could block them by adding .doc to this list and restarting MIMEDefang.

To make MIMEDefang start at boot time, go into /usr/local/etc/rc.d and copy to By default, this program does not start when the system boots. You must have clamd(8) and MIMEDefang running; SpamAssassin is included as part of MIMEDefang, so you don't need spamd(8) as you would for a standalone SpamAssassin installation.

Configuring SpamAssassin for MIMEDefang

MIMEDefang includes a configuration file for its SpamAssassin calls: /usr/local/etc/mimedefang/spamassassin/ If you want to make any changes to the global SpamAssassin settings, change this file. Editing other SpamAssassin configuration files will have no effect whatsoever on SpamAssassin. You can configure SpamAssassin in almost endless ways; we'll cover only the bare bones.

Adjust the sensitivity of the filter with the required_hits variable. The default is 5. When a piece of email scores more than 5 points on the spam-o-meter, SpamAssassin flags it as a piece of spam. Users can choose to filter as they see fit.

Another important feature is the whitelist, which allows you to list email addresses that should never be considered spam sources. For example, my sister sends HTML-laden, image-heavy email from a known spam sewer. By listing her email address on a whitelist_from line, SpamAssassin will let it pass, even if she forwards me a piece of pornographic spam and asks me where it came from. Similarly, blacklist_from variables allow me never to see email from chosen addresses.

Making Filtering Easier

One surprise for users familiar with SpamAssassin is that MIMEDefang does not allow SpamAssassin to alter the email in any way. Instead, SpamAssassin reports a score back to MIMEDefang and lets MIMEDefang change the message. The MIMEDefang FAQ includes several suggestions for editing the filter configuration so as to display SpamAssassin information as desired.

By default, MIMEDefang displays a single header that contains the SpamAssassin score and a series of asterisks, much as the example below shows.

X-Spam-Score: 21.207 (*********************)

Many email clients have difficulty filtering on this header; their filtering rules will not let them compare the numerical score. By making one minor change in how MIMEDefang marks spam email, you can make life much easier for these users.

In /usr/local/etc/mimedefang/mimedefang-filter, you'll see a line like this:

action_change_header("X-Spam-Score", "$hits ($score) $names");

If you exchange the $score and the $hits variables as shown below, your users will be able to filter on the number of asterisks instead.

action_change_header("X-Spam-Score", "$score ($hits) $names");

Your email header will then look something like this:

X-Spam-Score: ************* (13.002)

You can write a rule that searches the X-Spam-Score header for a certain number of asterisks and filters those messages away. With this header setup, users can easily adjust their own spam tolerances; you can be harsh on spam detection on the server, knowing that all you're really doing is adding a header. If a user decides to set his sensitivity to two asterisks and loses some vital email, that's not your fault.

Integrating with Sendmail

Now that you have a working MIMEDefang/SpamAssassin/ClamAV installation, how do you tie all this into Sendmail's milter interface? A modern Sendmail system includes Makefiles that simplify creating a configuration file. You need a custom Sendmail .mc file, so go into /etc/mail and copy to a file named after the host. For example, on, I use a .mc file called Next, enter this filename in /etc/make.conf as the SENDMAIL_MC variable.


Whenever you rebuild your system, this tells make(1) to use your custom .mc file instead of the default. This retains your customizations, instead of making your spam protection fail after every make installworld. (After an upgrade, be certain you compare the newly updated with your custom file, just in case something important changes.) Now add the lines below to the end of your custom .mc file.

MAIL_FILTER(`mimedefang', `S=local:/var/spool/MIMEDefang/mimedefang.sock, \
	F=T, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confINPUT_MAIL_FILTERS', `mimedefang')dnl

Stay in the /etc/mail directory and run make all install restart. This will rebuild your file from your customized configuration file and restart Sendmail with it.


If you tail -f /var/log/maillog, you will be able to see log entries from MIMEDefang as it processes every message. Viruses will bounce at the border, while spam will be conveniently flagged for your users. Even a small mail server such as mine is hit with hundreds of viruses and thousands of pieces of spam a day; now, it's all flagged or rejected. Just as much junk will travel across the Internet, but you won't be so aware of it. Today, that's as good as you're going to get.

Michael W. Lucas

Read more Big Scary Daemons columns.

Return to the BSD DevCenter.

Sponsored by: