As Apple continues to dumb-down their Server offering, spam filtering becomes more and more difficult. MailCleaner is a simple way to block most spam: it is easy to install and manage, provides web-based administration and user-accessible quarantine management, and is an invaluable tool if you host your own mail. MailCleaner is the Chinese wall to block the Mongol hordes of spammers trying to reach your mail server.
Installing MailCleaner
MailCleaner offers a free Community Edition as a virtual machine which can be downloaded and hosted on a server under VMware Fusion. This makes keeping a backup copy as easy as making a copy of the virtual machine file. If you have the wherewithal, consider purchasing the commercial version.
The instructions on how to set up are pretty straightforward.
After you have MailCleaner set up and working, be sure to:
- Change your domain MX records to only include the static WAN IP of your MailCleaner instance, as this is where you will now be receiving all inbound mail
- Open port 25 on your firewall so that the MailCleaner instance may accept SMTP connections
- Block port 25 on your firewall to your mail server, so that spammers cannot bypass MailCleaner. You can leave ports for secure IMAP, secure POP and other ports open on your mail server so that users may still use mail services remotely.
- You'll most likely want to leave port 587 (SMTPD) open to your mail server so that remote users may send email via SMTP. If using Postfix, be sure your smtpd_sender_restrictions are set properly, otherwise you will be an open relay. Strangely, the web-based mail server test tools only seem to check port 25, so your warning could be a zillion smtpd connections from foreign servers connecting directly to your mail server (although they should only be able to reach MailCleaner). Be sure you have a suitable entry for smtpd_sender_restrictions in /etc/postfix/main.cf, i.e.
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
Updating MailCleaner
You will periodically want to update MailCleaner. Shut down and make a backup copy of your VM in case you screw something up, then log in from the command line as root and follow the update instructions.
How To Protect Against Joe Jobs / Backscatter
Joe Jobs or Backscatter is when a spammer uses one of your email addresses as the FROM for their spam. Although the spam never traversed your server, you can be flooded with hundreds or thousands of bounce messages from a variety of third party servers bouncing the spam to you.
MailCleaner uses SpamAssassin as one of its filtering tools, and there's a ruleset designed to capture backscatter: VBounceRuleset. This ruleset identifies bounce messages, checks the headers to see that your mail server hostname appears in any RECEIVED block, and filters out any emails which did not originate from your mail server.
To install, shut down and make a backup copy of your VM in case you screw something up, then log in from the command line as root and follow the installation instructions.
Afterwards, be sure to create a sample bounce message and test to ensure that it works as expected. See this thread for testing instructions.
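The check described above (is this a bounce, and does the returned message carry a Received header naming your own server?) can be sketched as follows. This is an added example, not MailCleaner or SpamAssassin code; the hostname mail.example.org and the sample messages are constructed for illustration.

```python
import email
import re

# Assumption: hostname(s) your outbound server writes into Received headers.
MY_RELAYS = {"mail.example.org"}

RECEIVED = re.compile(r"^Received:[ \t]*(.*(?:\n[ \t]+.*)*)", re.M | re.I)
HOST = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", re.I)

def looks_like_bounce(msg):
    """Null envelope sender, MAILER-DAEMON From, or a delivery-status report."""
    return ((msg.get("Return-Path") or "").strip() == "<>"
            or "mailer-daemon" in (msg.get("From") or "").lower()
            or msg.get_content_type() == "multipart/report")

def classify(raw, my_relays=MY_RELAYS):
    """Return 'not-a-bounce', 'genuine-bounce' or 'backscatter'."""
    raw = raw.replace("\r\n", "\n")
    msg = email.message_from_string(raw)
    if not looks_like_bounce(msg):
        return "not-a-bounce"
    # Only Received lines in the body count: they belong to the returned
    # copy of the original message, not to the bounce's own delivery path.
    body = raw.partition("\n\n")[2]
    hosts = set()
    for rec in RECEIVED.findall(body):
        hosts.update(h.lower().rstrip(".") for h in HOST.findall(rec))
    return "genuine-bounce" if hosts & set(my_relays) else "backscatter"

def sample_bounce(origin):
    """Constructed bounce whose returned headers show `origin` as the sender."""
    return ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.remote.example\n"
            "Subject: Undelivered Mail Returned to Sender\n\n"
            "Delivery failed. Original headers follow:\n\n"
            f"Received: from {origin} ({origin} [192.0.2.10])\n"
            "\tby mx.remote.example with ESMTP; Mon, 29 Feb 2016 14:00:00 +0000\n"
            "From: alice@example.org\n")

GENUINE = sample_bounce("mail.example.org")
BACKSCATTER = sample_bounce("bulk.sender.invalid")
NORMAL = "Return-Path: <carol@remote.example>\nFrom: carol@remote.example\n\nHi\n"

if __name__ == "__main__":
    for name in ("GENUINE", "BACKSCATTER", "NORMAL"):
        print(name, "->", classify(globals()[name]))
```

The same constructed messages make convenient test input for the ruleset itself once it is installed.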
Adding More RBLs
Realtime Black Lists (RBLs) are a very effective way to stop spam before it is accepted by MailCleaner. Here are instructions on how to add a bunch of RBLs to MailCleaner in the Configuration:Anti-Spam:PreRBLS list, but consider adding only those you review to ensure they are still active and that your usage falls within their terms of service.
To see which RBLs might be most effective, look up the sending mail server from your spam email headers against the RBLs, and do so as quickly as possible to see which RBLs are fastest to detect it.
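The lookup described above, as an added example (not part of MailCleaner): it takes the connecting IP from the topmost Received header of a spam message and builds the DNS query name for each list. The zone names are placeholders and the header sample is constructed; substitute the lists you have reviewed.

```python
import email
import ipaddress
import re
import socket

# Placeholder zones (assumption): substitute lists you have reviewed yourself.
ZONES = ["dnsbl-a.example.net", "dnsbl-b.example.net"]

def sending_ip(raw_headers):
    """IP of the host that connected to your filter: the bracketed address in
    the topmost Received header, which is the one your own server wrote."""
    received = email.message_from_string(raw_headers).get_all("Received") or []
    m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", received[0]) if received else None
    return str(ipaddress.ip_address(m.group(1))) if m else None

def dnsbl_name(ip, zone):
    """Query name per RFC 5782: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{rev}.{zone}"

def check(ip, zones=ZONES, resolve=socket.gethostbyname):
    """zone -> return code if listed, None if not listed, 'error' for an
    answer outside 127.0.0.0/8 or in 127.255.255.x (used by some lists to
    signal a refused query rather than a listing)."""
    result = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except OSError:  # NXDOMAIN or no resolver available: treat as not listed
            result[zone] = None
            continue
        listed = answer.startswith("127.") and not answer.startswith("127.255.255.")
        result[zone] = answer if listed else "error"
    return result

# Constructed header sample (not real mail).
SAMPLE = (
    "Received: from bulk.sender.invalid (unknown [203.0.113.7])\n"
    "\tby mailcleaner.example.org with ESMTP; Mon, 29 Feb 2016 14:36:00 +0000\n"
    "Received: from localhost (localhost [127.0.0.1]) by bulk.sender.invalid\n"
    "Subject: constructed sample\n\n")

if __name__ == "__main__":
    ip = sending_ip(SAMPLE)
    print(ip, check(ip))  # performs live DNS lookups against ZONES
```

Treating the "error" answers separately matters when comparing lists: a list that refuses your queries would otherwise look like it detects everything.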
Backup MX
If you have SPF checking enabled and have other mail servers which act as backup MX servers for your domain, you need to disable SPF checking of those servers so that MailCleaner will accept the email, avoiding errors like this:
Incoming MTA stage: 2016-02-29 14:36:00 H=pmta1.delivery9.ore.mailhop.org [54.186.172.23] F=[address removed] rejected RCPT [address removed]: 54.186.172.23 is not allowed to send mail from cumulus.com (SPF failure)
To do this, add the IP or network range (eg: 0.0.0.0/24) for the backup MX server(s) in Configuration -> SMTP -> Don't check this hosts.
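An added example (not MailCleaner code) that reads rejection lines in the format shown above and reports which SPF-rejected senders are backup MX hosts still missing from the exempt list. The log lines, hostnames and address ranges are constructed.

```python
import ipaddress
import re

# Rejection line format as in the log excerpt; an optional "(helo)" is tolerated.
SPF_REJECT = re.compile(
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[0-9A-Fa-f:.]+)\]"
    r".* rejected RCPT .*\(SPF failure\)")

def spf_rejects(lines):
    """Return (host, ip) for every SPF-failure rejection in the log lines."""
    return [(m["host"], ipaddress.ip_address(m["ip"]))
            for m in map(SPF_REJECT.search, lines) if m]

def triage(lines, backup_mx, exempt):
    """Split rejected senders into backup MX hosts missing from the exempt
    list (action needed) and all others (SPF doing its job)."""
    backup = [ipaddress.ip_network(n, strict=False) for n in backup_mx]
    skip = [ipaddress.ip_network(n, strict=False) for n in exempt]
    missing, other = set(), set()
    for host, ip in spf_rejects(lines):
        is_backup = any(ip in net for net in backup)
        is_exempt = any(ip in net for net in skip)
        (missing if is_backup and not is_exempt else other).add((host, str(ip)))
    return sorted(missing), sorted(other)

# Constructed log lines (not from a real server).
LOG = [
    "2016-02-29 14:36:00 H=backupmx1.example.net [198.51.100.23] "
    "F=<a@example.com> rejected RCPT <user@example.org>: 198.51.100.23 "
    "is not allowed to send mail from example.com (SPF failure)",
    "2016-02-29 14:37:10 H=bulk.sender.invalid (mail) [203.0.113.7] "
    "F=<a@example.com> rejected RCPT <user@example.org>: 203.0.113.7 "
    "is not allowed to send mail from example.com (SPF failure)",
    "2016-02-29 14:38:00 H=mx.partner.example [192.0.2.9] "
    "F=<b@partner.example> rejected RCPT <user@example.org>: relay not permitted",
]

if __name__ == "__main__":
    # The exempt range /28 is narrower than the provider's /24, so .23 is missed.
    missing, other = triage(LOG, ["198.51.100.0/24"], ["198.51.100.0/28"])
    print("add to exempt list:", missing)
    print("genuine SPF failures:", other)
```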
DuoCircle Backup MX servers
DuoCircle, formerly known as DynDns or MailHop, provides backup MX services, as well as many other services. You can find a list of their delivery IP addresses here: https://support.duocircle.com/support/solutions/articles/5000524218-ip-addresses-for-firewalls
Here is a list of IP addresses as of 3/2/2016:
Whitelisting
MailCleaner strongly disagrees with whitelisting of email addresses or domains. If you are a big ISP using their tools, this probably makes sense, as blindly accepting any email might go unnoticed, but for smaller businesses whitelisting is a practical way to allow receipt of email from valued customers/companies who may have misconfigured mail servers, etc.
How to Turn On
For whitelists to actually work, you must turn it on in TWO places in the UI:
- Configuration: Anti-spam: Global Settings: [X] Enable access to whitelists
- Configuration: Domains: (Each domain you want to have whitelists) : Filtering : [X] Enable whitelists
You can then add whitelist entries at a global or domain scope.
Proper Syntax for Whitelist Entries
Whitelist entries can either be a specific email address, or contain wildcards to apply to entire TLDs, e.g. *.domain.com
References:
- https://support.mailcleaner.net/boards/3/topics/10-configuration-anti-spam-global-settings
- https://community.spiceworks.com/topic/350206-help-with-mailcleaner