When using a separated tier network of postfix servers, ie – a cluster at the front, which receive from a cluster in a segmented network, you will need to use the relayhost variable to daisy link the two clusters together. Usually, you may be tempted to simply submit on port 25. This was previously acceptable, but now a concerted drive is being made towards the correct port – 587. When using DKIM implementations such as DKIM proxy mail will not be signed on port 25 without some hackery in master.cf [this is strongly advised against]. As Jason states:

. . .The point is we don’t want to sign mail from untrusted sources, and that’s what could happen if you direct that mail through dkimproxy.out.

So how do we ensure our chain of servers signs mail submitted? Easy!

relayhost = [smtp.domain.tld]:587

You can now sit back and watch as all your mail is digitally signed by what-ever DKIM implementation you have chosen.

• PDF & FDF: usually a blank e-mail with a PDF attachment.
• Greeting Card: invitations from an ‘old friend’ to go to a website with a numerical http address, usually containing malware.
• Image Spam: A gif or png attached to a, usually – though not always, blank e-mail ready to sell the latest software or stock.
• Obfuscate Words: Lines of text take this format, N o*t o,n-l-y d o-e's t,h+i s f i+r*m h+a'v_e grea_t fundamenta,ls*,.

I’m going to show you how using the free-software package, SpamAssassin, you can successfully neuter these 4 major spam attacks.

• Greeting Card: Can be easily defeated using postcards.cf.
• Image Spam: These quickly become extremely popular, but have now decreased in prevalence after very successful methods were implemented to combat them. For SA, use the module Imageinfo: Imageinfo.pm and Imageinfo.cf supplied by SARE Rules Emporium.
• PDF & FDF: Can be successfully discarded by using PDFInfo.pm and PDFInfo.cf again supplied by SARE Rules Emporium.
• Obfuscate Words: These have recently hit, and hit hard. Spammers, seemingly bewildered by their inability to get through current filters using the above popular methods, have now resorted to the old way of securing spam delivery: obfuscation. The good news is that this, again, is easily defeatable. The ruleset(s) originally written by Jennifer Wheeler are mirrored locally by this site.
  1. chickenpox.cf: [words obfuscated by non word characters] Th1s|s a v3ry h4ndy se7 t0 c@tch th!s 50rt 0f (rap.
  2. backhair.cf: [words obfuscated by nonsense html tags] 
     Y<oivugriub>oucou<iuqgheriugv9h>ld rea<y>llyu<owiuer88>se this.

Game on, spammers!

The RT wiki has instructions on setting up your MTA to ‘pipe’ the e-mails into RT:

You need to tell your Mail Transfer Agent (ex sendmail, postfix, or qmail) how to forward messages to RT’s mail gateway. To do this, create an aliases in your system’s mail aliases file. Here’s an example, which routes mail to the mailbox [=rt@example.com] (and [=rt-comment@example.com]) into new tickets in the RT queue named General. Note that the queue name is case-insensitive.

Add the following lines to /etc/aliases (or your local equivalent such as /etc/mail/aliases):

rt: "|/opt/rt3/bin/rt-mailgate --queue general --action correspond --url http://localhost/rt"
rt-comment: "|/opt/rt3/bin/rt-mailgate --queue general --action comment --url http://localhost/rt"

These instructions are accurate, but rely on Postfix not having implemented Virtual Domains. Here’s an example configurationfrom main.cf where virtual domains have been implemented:

virtual_transport = virtual
virtual_uid_maps = static:5000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf

This configuration will invoke the virtual transport within Postfix. A virtual transport is unable to perform the necessary pipe (“|”) to the rt-mailgate binary. Only the local transport is able to perform a pipe. So, the question is: how do we run virtual domain(s), but still invoke the local transport delivery method to successfully perform the pipe into rt-mailgate?

A Virtual to Local Rewrite Solution

Here’s a quick walkthrough on what steps you need to put in place to ensure that a mail to the (virtual) domain of rt-test@domain.tld is successfully piped as per the RT wiki instructions above.

1. Create an /etc/postfix/aliases file.
2. Within this file add entries that follow this format:

   rt-test                       rt@rt.domain.tld
   support                       support@rt.domain.tld
   abuse                         abuse@rt.domain.tld
   # and so on...
   

3. postmap /etc/postfix/aliases
4. Within /etc/aliases create the pipe aliases referred to in the RT wiki:

   support: "|/opt/rt3/bin/rt-mailgate --queue 'Support' --action \
   correspond --url http://rt.domain.tld/"
   rt: "|/opt/bin/rt-mailgate --queue 'General' --action \
   correspond --url http://rt.domain.tld/"
   abuse: "|/opt/rt3/bin/rt-mailgate --queue 'Abuse'  --action \
   correspond --url http://rt.domain.tld/"
   # Ensure there are no line breaks..
   

5. Run the newaliases command.
6. Insert the appropriate configuration amendments to main.cf

   # To ensure local delivery, rt.domain.tld must be added to
   # $mydestination
   mydestination = localhost localhost.localdomain rt.domain.tld
   # /etc/postfix/aliases is added:
   virtual_alias_maps = hash:/etc/postfix/aliases
   mysql:/etc/postfix/mysql_virtual_alias_maps.cf
   # alias_maps is what is READ by delivery agents etc.
   alias_maps = hash:/etc/aliases
   # alias_databases is what is WRITTEN by newaliases
   alias_database = hash:/etc/aliases
   # masquerade as @rt.example.com unless also on this list,never root
   masquerade_domains = rt.domain.tld
   masquerade_exceptions = root
   

7. Save the file, then reload Postfix’s configuration: /etc/init.d/postfix reload
8. Send an e-mail to support@domain.tld and observe Postfix working its wonders..
   
   Aug 19 21:12:18 solo postfix/local[2972]: 2B91710EB92: to=<support @rt.domain.tld>, orig_to=<support@cjbuckley.net>, relay=local, delay=17, delays=17/0.05/0/0.54, dsn=2.0.0, status=sent (delivered to command: /opt/rt3/bin/rt-mailgate --queue 'Support' --action correspond --url http://rt.domain.tld/)

I wrote this article mainly because I see the question oft repeated on the Postfix Users Mailing List. Any comments and (especially) improvements welcome.