|
|
| Using Brightmail with iPlanet Messaging Server 5.2 |
Using Brightmail with iPlanet Messaging Server 5.2
Brightmail Inc. is a company that provides an anti-spam and anti-virus software solution for email servers. The Brightmail solution consists of the Brightmail server along with realtime anti-spam and anti-virus rule updates downloaded to email servers. See “The Conversion Channel” in the iPlanet Messaging Server 5.2 Administrators Guide for another method of integrating anti-virus software into your system.
How Brightmail WorksThe Brightmail server is deployed at a customer site. Brightmail has email probes set around the internet for detection of new spam. Brightmail technicians create custom rules to block this spam in realtime. These rules are downloaded to Brightmail servers, also in realtime. The Brightmail database is updated and Brightmail server runs this database filter against the email for the specified users or domains.
In order to support Brightmail, you must set up messaging server to operate in direct LDAP lookup mode. Brightmail is not supported on systems that operating in the dirsync mode.
Brightmail Architecture
Figure 1 depicts the Brightmail architecture.
Figure 1
Brightmail and Messaging Server Architecture
When the Brightmail Logistics and Operations Center (BLOC) receives spam from email probes, operators immediately create appropriate anti-spam rules, which are downloaded to Brightmail customer machines. Similarly, the Symantec Security Response realtime virus rules are also sent from Brightmail. These rules are used by customer’s Brightmail servers to catch spam and viruses.
The MTA uses the Brightmail SDK to communicate with the Brightmail Server. The MTA dispatches messages based on the response back from Brightmail. After the mail (1a) or (1b) is received by the MTA, the MTA sends the message to the Brightmail server (2). The Brightmail server uses its rules and data to determine if the message is a spam or virus (3), and returns a verdict back to the MTA. Based on the verdict, the MTA either (4a) discards the message or files the message into a folder, or (4b) delivers it normally to the destination.
Since the Brightmail SDK is third party software, we do not include it in our installation kit. The Brightmail SDK and server software must be obtained by the customer through Brightmail Inc. The MTA has configuration settings to tell it whether and where to load the Brightmail SDK to enable Brightmail integration.
Once the SDK is loaded, Brightmail message processing is determined by several factors and levels of granularity (the term used by Brightmail to specify active processing is optin). This is specified by the following criteria:
For any particular message recipient, the optin’s and defaults above are combined, which means, if the channel default is already specified for both spam and virus, then there is no reason to bother with per-user optin. That is, if the system administrator decides to do spam and virus filtering for everyone, then there is no reason to expose to the user the ability to optin for spam or virus. There is no way to opt out of processing, that is, you can not say you do not want the service if it is already opted in for you.
There are only two services offered, virus or spam detection. Brightmail also provides “content-filtering” service, but this functionality is provided using Sieve. So there is no added value to have Brightmail do the Sieve filtering.
When a message is determined to be virus, the Brightmail server can be configured to clean the virus and resubmit the cleaned message back to the MTA. When the message is spam, the verdict back from the Brightmail along with the configuration in Brightmail allows the MTA to determine what happens to the message. Basically, three things can happen, either the message is discarded, it is filed into a folder, or it is delivered normally in the INBOX.
The Brightmail servers can be located on the same system as the MTA, or it can be on a separate system. In fact, you can have a farm of Brightmail servers serving one or more MTAs. The Brightmail SDK uses the Brightmail configuration file to determine which Brightmail server to use. It is not something the MTA has to worry about.
Brightmail Requirements and Performance Considerations
Deploying BrightmailThis section describes how to deploy Brightmail for the following configurations:
BrightMail filtering is enabled in Messaging Server using channel keywords or the Brightmail LDAP attribute. The method of filtering on the system is additive. That is, it is the combination of both keywords and the attribute.
To Activate Brightmail Processing for All Users on a Destination or Source Channel
- Specify the desired Brightmail options in the MTA options file (Table 1) and Brightmail configuration file (Table 3).
- Specify the channels and email direction (source or destination) on which Brightmail processing will occur.
Set the keyword sourcebrightmailoptin or destinationbrightmailoptin on a channel block.
sourcebrightmailoptin specifies that every message coming from the channel be processed by Brightmail software.
Examples
Example 1 - mail going into the tcp_siroemail channel will be filtered by Brightmail for spam and viruses:
Example 2, mail coming from the tcp_local channel will be filtered by the Brightmail for spam:
To Activate Brightmail Processing for Selected Users
This section describes how to activate Brightmail processing for selected users. Note that in this 5.2 release, you cannot enable per user Brightmail processing from an access layer MTA. In other words, the MTA which calls the Brightmail server must be on the same machine as the message store containing the user.
Example
Assume that LDAP_SPARE_2 was set to mailAntiUBEService in the option.dat file. If the user, Otis Fanning, has the mailAntiUBEService attribute set to spam and virus in his user entry, then his mail will be filtered by Brightmail for spam and viruses. Code Example 1 shows the Brightmail enabled user entry for Otis Fanning.
To Activate Brightmail Processing for Selected Domains on a System
Example
Assume that LDAP_DOMAIN_ATTR_OPTIN was set to mailAntiUBEService in the option.dat file. The mailAntiUBEService attribute is set to spam and virus in the example.com domain entry in the DC tree. Code Example 2 shows the Brightmail-enabled domain entry.
Code Example 2 Example LDAP Domain Entry for Brightmail
dn: dc=sesta,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
objectClass: mailDomain
objectClass: nsManagedDomain
objectClass: icsCalendarDomain
description: DC node for sesta.com hosted domain
dc: sesta
inetDomainBaseDN: o=sesta.com,o=isp
inetDomainStatus: active
mailDomainStatus: active
mailDomainAllowedServiceAccess: +imap, pop3, http:*
mailRoutingHosts: manatee.siroe.com
preferredMailHost: manatee.siroe.com
mailDomainDiskQuota: 100000000
mailDomainMsgQuota: -1
mailClientAttachmentQuota: 5
mailAntiUBEService: spam
mailAntiUBEService: virus
Brightmail Options and Keywords
Table 1and Table 2 show the Messaging Server’s Brightmail options and keywords. Selected Brightmail configuration file options are shown in Table 3. The latest and complete listing of Brightmail configuration file options can be obtained from Brightmail.
Table 1 Brightmail MTA Options (option.dat)
Option
Description and Default
Brightmail_library
Required to activate Brightmail. Full file path and name of the Brightmail SDK shared library. When specified along with Brightmail_config_file, this library is loaded by the MTA at run time. Can also be used with SpamAssassin.
Example: /opt/mailwall/lib/libbmiclient.so
Default: NoneBrightmail_config_file
Required to activate Brightmail. Full file path and name of the Brightmail configuration file. When specified along with Brightmail_library, the MTA is enabled for Brightmail integration. Can also be used with SpamAssassin.
Example: /opt/mailwall/config
Default: NoneLDAP_SPARE_2
The name of the LDAP attribute used to activate Brightmail on a per-user basis. This should be an attribute in the inetMailUser objectclass. If you do not have another predefined attribute, use mailAntiUBEService.
The attribute itself (example: mailAntiUBEService) is multi-valued, case-sensitive. Its value could be either spam or virus in lowercase. If the user is opting for both, then he would have two such attributes, one containing spam, one containing virus.
Default: none
LDAP_domain_attr_optin
The name of the LDAP attribute used to activate Brightmail on a per-domain basis. It applies to the destination domain. It is just like LDAP_SPARE_2 above except it should be in the objectclass mailDomain.
Default: none
Brightmail_verdict_n
Brightmail_verdict_n and Brightmail_action_n are matched pairs, where n is a number from 0 to 9. These options are not normally specified if you take the default interpretation of Brightmail verdicts. The possible values for this option are only spam and virus.
Default: none
Brightmail_action_n
As a pair with the matching Brightmail_verdict_n option, this can specify a Sieve command with optional if-then-else statement* to execute. For example, if you want to reject spam, then you may have the pair:
Brightmail_verdict_0=spam
Brightmail_action_0=data:,require "reject"; reject "Rejected by Brightmail";The template for the Sieve command is:
data:,[require “command”;] command;
Where the require statement is needed for reject and fileinto.Default: none
Brightmail_null_action
Specifies a Sieve command with optional if-then-else statement* to execute when the verdict from Brightmail matches the Null action in the Brightmail configuration file. For example, if the Brightmail configuration file has:
blSWClientDestinationLocal: spam|
where the null or nothing after the | means the null action. If the verdict for the message is spam, matching the word spam before the |, then the null action will be taken by the MTA. There is usually no reason to specify this option, since the default action is discard, matching what Brightmail means by the null action.
The template for the Sieve command is:
data:,[require “command”;] command;
Where the require statement is needed for reject and fileinto.Default: data:,discard;
Brightmail_string_action
Specifies a Sieve command with optional if-then-else statement* to execute when the Brightmail verdict matches an action which is a string in the Brightmail configuration file. For example, if in the Brightmail configuration file you have
blSWClientDestinationLocal: spam|spam-folder
then spam-folder is a string. If the verdict is spam, then we have a string which matches the verdict. This option is rarely used, since the default action when a string is specified is to file the message into that folder.
The template for the Sieve command is:
data:,[require “command”;] command;
Where the require statement is needed for reject and fileinto.Default: data:,require "fileinto"; fileinto "$U”;
$U is the string to the right of | in the blSWClientDestinationLocal value (in the example above it would be spam-folder)
* Here is an example, of an optional if-then-else statement in the option.dat file. Note that this can be used for Brightmail_action_n, Brightmail_null_action Brightmail_string_action.
Brightmail_string_action=data:,require "fileinto";\
if header :contains ["resent-from"] ["User-1"] {\
fileinto "testspam";\
} else {\
fileinto "spam";};
Table 2 MTA Channel Keywords for Brightmail
Channel Keyword
Description
sourcebrightmail
Specifies that all messages originating from this channel receive Brightmail processing. All recipient addresses will be made known to Brightmail regardless of destination channel if the recipient or the recipient’s domain has opted in via the LDAP attribute. Looks at recipient’s LDAP attribute mailAntiUBEService (or equivalent) to determine whether spam, virus or both or none are filtered. If mailAntiUBEService doesn’t specify either spam or virus, then mail is not sent to the Brightmail server for filtering.
Syntax:
sourcebrightmaildestinationbrightmail
Specifies that all messages destined to this channel be subject to Brightmail processing if the recipient has opted in via the LDAP attribute mailAntiUBEService (or equivalent).
Syntax:
destinationbrightmailsourcebrightmailoptin
Specifies that all messages originating from this channel will be subject to the specified Brightmail processing (either spam or virus or both) even if those services have not been opted in by the user or domain via the LDAP attribute.The system-wide default filter list follows the keyword. The list following must be either spam or virus or spam,virus or virus,spam.
Example 1:
tcp_local sourcebrightmailoptin spam,virus . . .Specifies that mail be scanned for both spam and virus by Brightmail regardless of the user’s LDAP attribute.
Example 2:
tcp_local sourcebrightmailoptin virus . . .Specifies that mail will default to only virus scanning. In this case, spam filtering can be enabled on a per user basis, or by destination domain via the LDAP attributes.
destinationbrightmailoptin
Specifies that all messages destined to this channel will be subject to the specified Brightmail processing (either spam or virus or both) even if those services have not been opted in by the user or domain via the LDAP attribute. The filter list follows the keyword. The list following must be either spam or virus or spam,virus or virus,spam.
Example 1:
ims-ms destinationbrightmailoptin spam,virus. . .All mail destined for the message store is scanned for both spam and virus by Brightmail
Table 3 Selected Brightmail Configuration File Options
Brightmail Option (Not Case-sensitive)
Description (value of the attributes are case-sensitive)
blSWPrecedence
A given message can have multiple verdicts. This specifies the precedence order. So if a message is processed for virus first, then for spam if you specified this option as virus-spam the verdicts are separated by hyphens (-). This is the recommended setting when using Brightmail with Sun ONE Messaging Server.
blSWClientDestinationDefault
Specifies how to deliver normal messages, that is, not a spam or virus, and thus have no verdict. Usually you want to deliver this message normally, so you would specify inbox as the value. There is no default.
blSWLocalDomain
This attribute specifies what domain(s) are considered to be local. There can be multiple lines of this attribute specifying several domains which are all considered local. Local versus foreign domain is used to specify two different handling for a verdict.
See below blSWClientDestinationLocal and blSWClientDestinationForeign. For example, you can specify
blSWLocalDomain=siroe.com
blSWClientDestinationLocal
This specifies the verdict and action pair for the local domain. You would normally have two lines for this, one for spam and one for virus. The value is of the form verdict|action, For example,
blSWClientDestinationLocal=spam|spambox
blSWClientDestinationLocal=virus|
The default Brightmail interpretation for the “null” action, meaning nothing to the right of the |, is to discard the message. So the example above discards the message if it has a verdict of virus. And if the verdict is spam, the above example files the message into the folder called spambox. If the message is not spam or virus, then the verdicts do not match, and the mail is delivered normally based on what’s set in the blSWClientDestinationDefault setting above.
blSWClientDesintationForeign
Same format and interpretation as blSWClientDestinationLocal above, except this applies to users in the domain which are NOT local.
blSWUseClientOptin
Always set this to TRUE when used with Sun ONE Messaging Server.
blswcServerAddress
Is of the form ip:port[,ip:port,...] to specify one or more Brightmail server’s IP address and port numbers
Common Brightmail Deployment ScenariosThere are several common deployment Brightmail scenarios that are discussed in this section. These are:
- Processing incoming messages to the local message store (ims-ms channel).
- Processing messages going out to the internet (tcp-local channel).
- Processing messages coming in from the internet (tcp-local channel).
- Processing messages going to a specific domain (see "To Activate Brightmail Processing for Selected Domains on a System").
- Processing messages going to specific users (see "To Activate Brightmail Processing for Selected Users").
- Setting up Brightmail processing as a Class-of-Service Option (see the Class of Service section in the iPlanet Messaging Server Provisioning Guide)
Brightmail Processing on Local Incoming Messages
You may wish to configure your system so that all mail delivered locally is screened for spam and viruses. To set up Brightmail processing of all incoming messages to the local message store (that is, to the ims-ms channel in imta.cnf), add the destinationbrightmailoptin keyword to the ims-ms channel definition. Example:
ims-ms defragment subdirs 20 backoff “pt5m” “pt10” “pt30” “pt1h” \
“pt2h” “pt4h” maxjobs 1 pool IMS_POOL fileinto $U+$S@$D filter \
ssrd:$A ims-ms-daemon destinationbrightmailoptin spam,virus
ims-ms-daemonBrightmail Processing on Incoming Messages from the Internet
You may wish to configure your system so that all mail coming from the internet is screened for spam. To set up Brightmail processing of all incoming messages from the internet, add the sourcebrightmailoptin keyword to the tcp-local channel definition. Example:
tcp_local smtp mx single_sys remotehost inner switchchannel \
identnonelimited subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver \
maysaslserver saslswitchchannel tcp_auth sourcebrightmailoptin spam
tcp-daemon
Note
Brightmail allows you to either discard spam messages, or save them in a designated spam folder. If the ability to designate a spam folder is not available for the receiving system, then the address syntax for the spam folder will be meaningless to that system.
Brightmail Processing on Outgoing Messages to the Internet
You may wish to configure your system so that all mail going to the internet is screened for spam. To set up Brightmail processing of all outgoing messages to the internet, add the destinationbrightmailoptin keyword to the tcp-local channel definition on the outgoing MTA. Example:
tcp_local smtp mx single_sys remotehost inner switchchannel \
identnonelimited subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver \
maysaslserver saslswitchchannel tcp_auth \
destinationbrightmailoptin spam
tcp-daemonBrightmail Processing on Incoming Messages to a Specific Backend Message Store Host
To configure your system so that all mail coming into a specific backend message store host is screened for virus and spam, do the following:
- Add a rewrite rule in the imta.cnf file of all inbound SMTP servers that will send messages to the backend message store host. Example:
msg_store1.siroe.com $U@msg_store1.siroe.com
- Add a channel corresponding to that rewrite rule with the destinationbrightmailoptin keyword. Example:
tcp_msg_store1 subdirs 20 backoff “pt5m” “pt10” “pt30” “pt1h” \
“pt2h” “pt4h” maxjobs 1 pool IMS_POOL fileinto $U+$S@$D \
destinationbrightmailoptin spam,virus
msg_store1.siroe.com
Using SpamAssassinMessaging Server supports the use of SpamAssassin, a freeware mail filter used to identify spam. SpamAssassin consists of a library written in Perl and a set of applications and utilities that can be used to integrate SpamAssassin into messaging systems.
SpamAssassin calculates a score for every message. Scores are calculated by performing a series of tests on message header and body information. Each test either succeeds or fails, and the score is adjusted accordingly. Scores are real numbers and may be positive or negative. Scores that exceed a certain threshold (typically 5.0) are considered to be spam.
SpamAssassin is highly configurable. Tests may be added or removed at any time and the scores of existing tests may be adjusted. This is all done through various configuration files. Further information on SpamAssassin can be found on the SpamAssassin Web site.
The same mechanism used for calling out to the Brightmail spam and virus scanning library can be used to connect to the SpamAssassin spamd server. The module provided in Sun ONE Messaging Server is called libspamass.so.
SpamAssassin Requirements and Performance Considerations
Deploying SpamAssassin
This section provides step-by step instructions for deploying SpamAssassin on Messaging Server.
- Create a SpamAssassin options file.
Specify this file with the Brightmail_config_file option in the MTA option.dat file. The SpamAssassin options file consists of lines of the form option=value. Options are described in Table 4.
- Configure SpamAssassin as desired.
The default behavior for this interface (implied by the default mode=0) is to discard mail identified as spam. No additional options need to be set in order to accomplish this.
Other behavior can be obtained through a combination of setting of SpamAssassin options and Brightmail MTA options. For example, in order to reject all mail identified as spam, simply set the BRIGHTMAIL_NULL_ACTION MTA option to something like:
data:,require "reject"; reject "Suspected spam message rejected";
Similarly, spam could be filed to a SPAM folder by setting BRIGHTMAIL_NULL_ACTION to:
data:,require "fileinto"; fileinto "SPAM";
Trickier combinations are possible. For example, the spam result could be included in the reject message by setting the BRIGHTMAIL_STRING_ACTION option in the MTA to something like:
data:,require "reject"; reject "Message rejected [$U]";
and setting MODE=1 in the SpamAssassin option file.
- Start the spamd daemon. This is normally done with a command of the general form:
spamd -d
spamd defaults to only accepting connections from the local system. If SpamAssassin and Messaging Server are running on different systems you will require a command of the form:
spamd -d -i <listen_ip_address> -A <allowed_hosts>
where listen_ip_address is the address on which to listen and allowed_hosts is a list of authorized hosts or networks (using IP addresses) which can connect to this spamd instance.
Table 4 SpamAssassin Options
Spam Assassin Options
Description
Default
host
The name of the system where spamd is running
localhost
port
Port number where spamd listens for incoming requests.
783
debug
0 or 1. Specifies whether to turn on debugging in the libspamass.so. Debugging of spamd itself is controlled by the command line invoking spamd.
0
mode
Controls the translation of SpamAssassin results to Brightmail verdict information. Three different modes are available:
0 - Return the verdict string specified by the verdict option if the message is found to be spam; return a default SpamAssassin verdict if it is not. A null verdict is returned if the verdict option is empty or unspecified.
1 - Return the SpamAssassin result as a verdict if the message is found to be spam.
2- Reserved
0
verdict
A string, specifying the verdict string used for MODE 0
“”
field
A string specifying the SpamAssassin result string prefix. SpamAssassin result strings generally look like:
Spam-Test: False ; 0.0 / 5.0
or
Spam-Test: True ; 27.7 / 5.0
The field option provides the means for changing the “Spam-Test” part of the result. Note that the “: “will also be removed if an empty field value is specified.
“Spam-test”
Table 5 MTA Options for SpamAssassin
MTA Options for Spam Assassin
Description
Default
Brightmail_library
Full file path and name of the SpamAssassin shared library.
None
Brightmail_config_file
Full file path and name of the SpamAssassin configuration file.
None
Brightmail_null_action
SIEVE rule specifying what to do with the message when the SpamAssassin verdict returns as null.
data:,discard;
Brightmail_string_action
SIEVE rule specifying what to do with the message if the verdict is a string.
Default: data:,require "fileinto"; fileinto "$U;
$U is the string verdict returned.
See description
