Monitor Only

Bauer3139
Posts: 3
Joined: 11 Oct 2018 15:23

Monitor Only

Post by Bauer3139 » 11 Oct 2018 15:27

Is there a way to set EFA to essentially scan traffic only, but take no action on emails? This way emails are evaluated and logged but flow through without being stopped. I know I can whitelist, but this doesn't let me see how the system rates each email. This would be ideal to see its impact on email without interrupting it, allowing me to make any changes needed first.

Mail2GoCa
Posts: 22
Joined: 10 Oct 2018 09:11

Re: Monitor Only

Post by Mail2GoCa » 11 Oct 2018 21:38

Well you definitely don't want any Malware infected emails to get through, but perhaps you'd like SpamAssassin to rate the email and pass it on to the end recipient no matter the spam score. That should not be difficult to achieve.

I'm fairly new to EFA so I am not 100% certain that this solution will work because the setting change indicated below may end up being overwritten by MailScanner. However, it's worth a shot.

1. Launch Webmin (Typically https://yourEFAhostName:10000 ) and log in as root
2. In the left hand navigation pane, click on 'Servers'
3. Click on 'SpamAssassin Mail Filter'
4. In the 'SpamAssassin Mail Filter' main index page, click on 'Spam Classification'
5. In the 'Spam Classification' page, change the bullet beside 'Hits above which a message is considered spam' and enter a number high enough to let all minor spam through. Play with the numbers, but I would try 10 to start (default is 5) and see how that goes.

Please post back and let everyone know how that worked out for you.

Cheers
8-)

Mail2GoCa
Posts: 22
Joined: 10 Oct 2018 09:11

Re: Monitor Only

Post by Mail2GoCa » 12 Oct 2018 08:32

Hah. It seems my suspicions were correct.

The SpamAssassin score threshold is configured in /etc/MailScanner/MailScanner.conf

Look for these lines... somewhere around line 2240

# This replaces the SpamAssassin configuration value 'required_hits'.
# If a message achieves a SpamAssassin score higher than this value,
# it is spam. See also the High SpamAssassin Score configuration option.
# This can also be the filename of a ruleset, so the SpamAssassin
# required_hits value can be set to different values for different messages.
Required SpamAssassin Score = 4

# If a message achieves a SpamAssassin score higher than this value,
# then the "High Scoring Spam Actions" are used. You may want to use
# this to deliver moderate scores, while deleting very high scoring messsages.
# This can also be the filename of a ruleset.
High SpamAssassin Score = 7

pdwalker
Posts: 1135
Joined: 18 Mar 2015 09:16

Re: Monitor Only

Post by pdwalker » 12 Oct 2018 09:02

No, I think there is a better way:

Look for "Spam Actions" in your /etc/MailScanner/MailScanner.conf configuration file:

Specifically, look for:

Spam Actions =
High Scoring Spam Actions =
Non Spam Actions =

One thing you will want to ensure is that all these settings include the "deliver" option - which just means it will pass things on, but the message will contain the SpamAssassin scores inside the message headers so you can see what is happening.

EFA will still flag and stop what it thinks are viruses. Maybe someone can make a suggestion how to do the same for the virus scanning part as all I can think of is disabling the virus scanning inside EFA for your experiment.
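
An added example, not part of the thread and not EFA or MailScanner code: a small checker that reads text in the `Key = value` syntax quoted above and reports whether each of the three action settings lists "deliver", along with the two score thresholds. The sample config and all function names are constructed for illustration.

```python
import re

# Settings named in the thread: the three action lists and the two score thresholds.
ACTION_KEYS = ("Spam Actions", "High Scoring Spam Actions", "Non Spam Actions")
SCORE_KEYS = ("Required SpamAssassin Score", "High SpamAssassin Score")

# Constructed sample in the "Key = value" syntax quoted above; not a real EFA config.
SAMPLE_CONF = """\
# comment lines start with '#'
Required SpamAssassin Score = 4
High SpamAssassin Score = 7
Spam Actions = store notify
High Scoring Spam Actions = store
Non Spam Actions = store deliver header "X-Spam-Status: No"
"""

def _norm(key):
    # Compare option names case-insensitively with whitespace collapsed.
    return " ".join(key.lower().split())

def parse_conf(text):
    """Return {normalised option name: value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and anything that is not an assignment
        key, value = line.split("=", 1)
        settings[_norm(key)] = value.strip()
    return settings

def monitor_only_report(text):
    """Map each action setting to True/False (is 'deliver' listed?) or None if absent."""
    conf = parse_conf(text)
    report = {}
    for key in ACTION_KEYS:
        value = conf.get(_norm(key))
        report[key] = None if value is None else "deliver" in re.split(r"[\s,]+", value.lower())
    return report

def score_thresholds(text):
    """Return the two score settings exactly as written (number or ruleset filename)."""
    conf = parse_conf(text)
    return {key: conf.get(_norm(key)) for key in SCORE_KEYS}

if __name__ == "__main__":
    for name, ok in monitor_only_report(SAMPLE_CONF).items():
        print(f"{name}: {'delivers' if ok else 'does NOT deliver' if ok is False else 'not set'}")
    print(score_thresholds(SAMPLE_CONF))
```

To check a live system, pass the contents of /etc/MailScanner/MailScanner.conf to `monitor_only_report` instead of `SAMPLE_CONF`; any setting reported as False or None would still hold mail back or needs a manual look.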

Mail2GoCa
Posts: 22
Joined: 10 Oct 2018 09:11

Re: Monitor Only

Post by Mail2GoCa » 12 Oct 2018 12:30

Good call.

Now I've learned something too :D

Bauer3139
Posts: 3
Joined: 11 Oct 2018 15:23

Re: Monitor Only

Post by Bauer3139 » 12 Oct 2018 20:36

Thanks for the help. It was very useful. I will need to figure out the virus part. From previous testing I had a server that attached voicemails and this system kept stripping them, thinking they were a virus. I don't think it liked the file name since it looks like it has multiple file extensions. I do see options starting with "Quarantine Infections =" that look like they apply for virus scanners.

Admittedly our systems are used as glorified SMTP relay servers that just relay internal systems' mail to Google (who scans our mail) so the chance of spam and infections is low. But I do like the reporting this can provide. Currently, I have MailScanner turned off, but it would be nice to get additional information by having it on as long as it takes no actions.
