That's a pretty open ended question, but I must admit I had to do a bit of digging to figure out what to do.
For the record I've got 2 EFA servers (both virtual, one's a cold standby weekly clone of the first), 2 (virtual) Zen Load Balancers for HA for SMTP/HTTPS, 3 Exchange servers in a DAG (2 onsite (thus the need for Zen), 1 offsite).
Though I have the clone of EFA it needs to manually be spun up, so that's currently a point of failure that has no automatic resolution. I'll probably eventually have two EFAs running and equal weighted MX records pointing to external IPs for each, but the annoyance of that is we've then got 2 servers to check for mail troubleshooting/tracing. Either that or 3 MX records; priority 10 to EFA1, 20 to EFA2, 30 to EFA1 again.
Anyway, on with what I've got noted down/can remember.
SSH into EFA;
- Recommended: IP Settings > Primary and Secondary DNS. Set to internal Active Directory DNS. Also set domain name to your AD domain.local name. Whatever you do, don't use a public DNS, it'll be blocked from doing RBL lookups for you.
- Optional: MailWatch > Enable/Disable greylisting. I have this on, but I have modified the greylisting time to 3 minutes to reduce the delay. Some poor SMTP implementations (printers for example) won't retry so you may have to add exceptions if you enable this (done via CLI).
- Optional: MailWatch > Quarantine retention. I've set it to 14 days. Depends on how much storage you have, how much volume you receive, etc.
- Required: Mail Settings > Outbound mail relay. Add anything that needs to relay through your server.
- Optional: Mail Settings > Outbound smarthost. If you need to relay out through something for sending emails, configure it here.
- Required: Mail Settings > Transport settings. Add every domain you want to accept. Set the internal IP to your Exchange server (or load balancer's virtual IP if, like me, you run Zen Load Balancer).
-- If you've got a lot of domains to add then you can drop to shell and edit "sudo vi /etc/postfix/transport", then run "sudo postmap /etc/postfix/transport" and "sudo service postfix reload".
- Recommended: Spam Settings > Non Spam Settings.
Disable storing non spam: No (this allows training of false positives plus a recent archive/recovery).
Disable non spam signatures: Yes (This setting depends on whether you want the EFA watermark, I disabled it as we (the IT admins) manage the spam, not the users. Additionally most (99%) of our users are external and I haven't exposed EFA to the internet.)
- Recommended: Spam Settings > Spam Settings. Enable spam delivery: Yes. (This, in combination with other rules mentioned later, allows suspect spam to go to the user's junk e-mail folder.)
- Optional: Recommended: Spam Settings > MailScanner Max Message Size: 10240 (spammers generally don't send large emails but I did increase this from the default)
- Recommended: Spam Settings > Mailwatch hide high spam/mcp: Yes. If you want users to see really suspect stuff then have it as no, but I block high spam.
- Optional: Virus settings > Cleaned Message Delivery: Yes or no. Up to you.
Then drop to shell.
sudo vi /etc/MailScanner/MailScanner.conf
Spam Actions = store deliver header "X-Spam-Status:Yes"
Yours may be a little different depending on your settings, but it's important it has "deliver" and "X-Spam-Status: Yes" in it.
I also changed;
Notify Senders = yes
Notify Senders Of Blocked Size Attachments = yes
sudo vi /var/www/html/mailscanner/conf.php
sudo vi /etc/MailScanner/defaults
Note: This shouldn't be needed, pretty sure it's been fixed (https://github.com/E-F-A/v3/issues/328) but my config notes mentioned it, so mentioning it here.
sudo vi /etc/MailScanner/filename.rules.conf ... and archives.filename.rules.conf
-- Before the final deny add in "Allow \.ics$ - -". Tab separated, make sure you don't get these as spaces. I added this as ics (calendar) files can have odd names which trip up mailscanner.
I actually also commented out the last deny, found it actually caused too many issues. For some reason we get lots of files with domain names in them. e.g. "file from forum.efa-project.org.doc" would have been blocked.
sudo vi /etc/postfix/main.cf
Changed;
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
To;
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net
Depends on what RBLs you like to use.
If you need to add any IP exceptions to greylisting then sudo vi /etc/sqlgrey/clients_ip_whitelist.local
Once all the edits are done then;
sudo service MailScanner restart (might be all lower case in latest version?)
sudo service postfix restart
If EFA (or equivalent) is the only SMTP entry point into the organisation then on Exchange run the Exchange PowerShell command "Set-SenderIDConfig -Enabled $false". No point running senderid checks against connections from your EFA box.
I haven't mentioned LDAP lookups here. I haven't configured it as we (as in IT) manage the EFA box as well as blocking/releasing emails and training SA.
Now, to "integrate" EFA into Exchange it's vital you;
Log into ECP
- mail flow > rules
- New rule. My rule is unimaginatively called "Tag 'X-Spam-Status: Yes' emails as SCL 8".
- Apply this rule if... A message header matches "X-Spam-Status" header matches "Yes".
- Do the following... Set the spam confidence level (SCL) to... 8.
- Enforce.
- Defer the message if the rule processing doesn't complete.
- Audit... I wouldn't bother to audit.
Order the rule however you like, but make sure it's above any rules that stop processing any rules under it.
Exchange PowerShell
Set-ContentFilterConfig -SCLRejectThreshold 9 -SCLRejectEnabled $false -SCLDeleteEnabled $false -SCLQuarantineEnabled $false
-- You can mess with these if you like, but if you set something to 8 then the rule above (and the command below) needs to be 7, and so on.
Set-OrganizationConfig -SCLJunkThreshold 8
In a nutshell EFA will deliver suspect spam emails with a header of "X-Spam-Status: Yes". The Exchange rule then gives these emails a SCL confidence of 8. The organisation config then sees this SCL of 8 and puts the email into the user's "Junk E-mail" folder.
That's it. If I can read my notes properly that should have EFA filtering for and integrating into Exchange.
Besides getting the actual configuration right the most important thing to do is train Bayes.
viewtopic.php?f=5&t=2400&p=10016#p10016 should help. Without training, Bayes, and thus spamassassin, is going to be fairly useless.
Good luck!
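
Added example, not part of the original post: a small checker for the filename.rules.conf edit described above. It flags rule lines whose fields are separated by spaces instead of tabs and shows which rule decides a given attachment name. The sample rules and file names are constructed. The four-field tab layout, first-match-wins ordering, case-insensitive matching and the use of Python's `re` in place of MailScanner's Perl regexes are assumptions.

```python
import re

# Constructed sample in the layout of filename.rules.conf: four TAB-separated
# fields (action, regex, log text, user text). The third rule line uses spaces
# on purpose, and the last rule is a constructed stand-in for the final deny.
SAMPLE = (
    "# action<TAB>regex<TAB>log text<TAB>user text\n"
    "allow\t\\.ics$\t-\t-\n"
    "deny\t\\.exe$\tExecutable\tExecutables are not allowed\n"
    "allow \\.txt$ - -\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tDouble extension\tPossible filename hiding\n"
)

def parse_rules(text):
    """Return (rules, problems); rules are (line_no, action, compiled regex)."""
    rules, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no rule
        fields = [f for f in line.split("\t") if f != ""]
        if len(fields) != 4:
            problems.append((no, "expected 4 tab-separated fields, got %d" % len(fields)))
            continue
        try:
            # Assumption: rules are matched case-insensitively.
            rules.append((no, fields[0].lower(), re.compile(fields[1], re.I)))
        except re.error as exc:
            problems.append((no, "bad regex: %s" % exc))
    return rules, problems

def decide(rules, filename):
    """Assumption: first matching rule wins. Returns (action, line_no)."""
    for no, action, rx in rules:
        if rx.search(filename):
            return action, no
    return "no match", None

if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE)
    for no, msg in problems:
        print("line %d: %s" % (no, msg))
    for name in ("team.sync.ics", "file from forum.efa-project.org.doc", "notes.pdf"):
        print(name, "->", decide(rules, name))
```

To check a real file, pass its contents to `parse_rules` instead of `SAMPLE`; a line reported with "got 1" fields was almost certainly typed with spaces.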