
Grey-Listing:
Installing the Greylisting Milter "RelayDelay" on OpenBSD 3.4
by Chris Paul
Overview
- RelayDelay, an example implementation of Greylisting by Evan Harris,
relies on the fact that most mass-mailing (spamming) applications do
not retry if they receive an SMTP temporary failure.
- We use a database to track "triplets":
- The IP address of the host attempting the delivery
- The envelope sender address
- The envelope recipient address
- For triplets we don't recognize, our MTA will refuse mail with a
"451 4.7.1 Please try again later (TEMPFAIL)"
- After a specified amount of time, our MTA unblocks the new
triplet. Since only valid MTAs normally retry, valid mail will
eventually be delivered, while most spammers will give up and spam the
next guy.
- This is meant as a tutorial on configuring and installing
relaydelay to run as securely as possible (non-root, chroot jailed) on
OpenBSD 3.4. For a more detailed and well-written specification of
Evan's implementation, please read Evan's web page describing how
Greylisting works and some preliminary analysis of its current
effectiveness.
- Since some spammers look up a domain's MX records and try its
other MX hosts, all your mailhosts for a domain must greylist if you
greylist. From Evan's specification:
"Greylisting will not be nearly as effective against
spam unless ALL of the MX hosts for a particular domain use mail
software that incorporates it."
Naturally, most MTAs will successfully deliver to the next MX host if
they receive an SMTP TEMPFAIL message.
- Also from Evan's specification:
"The great thing about Greylisting is that the only
methods of circumventing it will only make other spam control
techniques just that much more effective (primarily DNS and other
methods of blacklisting based on IP address) even after this adaptation
by the spammers has occurred."
- Every weapon has a shelf-life.
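To make the triplet logic above concrete, here is an added Python illustration of the decision a greylisting milter makes per delivery attempt. It is not relaydelay.pl's own code (which is Perl and keeps its records in MySQL); the in-memory store, the parameter names and the 300-second delay are assumptions for the example.

```python
import time

TEMPFAIL = "451 4.7.1 Please try again later (TEMPFAIL)"
ACCEPT = "250 OK"


class Greylist:
    """In-memory triplet store keyed on (client IP, envelope from, envelope to).
    Parameter names and defaults are assumed for this example, not relaydelay's."""

    def __init__(self, delay_secs=300, unretried_life_secs=4 * 3600, clock=time.time):
        self.delay = delay_secs          # how long a brand-new triplet stays blocked
        self.life = unretried_life_secs  # forget a triplet that never retries
        self.clock = clock               # injectable so a test can drive time
        self.records = {}                # triplet -> {"first_seen": t, "passed": bool}

    def check(self, client_ip, env_from, env_to):
        """Return the SMTP reply the MTA should give for this delivery attempt."""
        now = self.clock()
        key = (client_ip, env_from.lower(), env_to.lower())
        rec = self.records.get(key)
        if rec is None or (not rec["passed"] and now - rec["first_seen"] > self.life):
            # Never seen, or the earlier attempt was abandoned: start a new block window.
            self.records[key] = {"first_seen": now, "passed": False}
            return TEMPFAIL
        if rec["passed"] or now - rec["first_seen"] >= self.delay:
            rec["passed"] = True  # a real MTA retried; this triplet is now known-good
            return ACCEPT
        return TEMPFAIL           # retry came back too quickly; keep waiting


def simulate():
    """Constructed scenario: one sender retries (too early, then after 10 minutes),
    one sender fires once and never comes back."""
    t = [1_000_000]
    gl = Greylist(delay_secs=300, clock=lambda: t[0])
    first = gl.check("192.0.2.10", "alice@example.org", "bob@example.com")
    t[0] += 30
    too_soon = gl.check("192.0.2.10", "alice@example.org", "bob@example.com")
    t[0] += 600
    retry = gl.check("192.0.2.10", "alice@example.org", "bob@example.com")
    one_shot = gl.check("198.51.100.7", "junk@example.net", "bob@example.com")
    return first, too_soon, retry, one_shot
```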
Requirements
- OpenBSD 3.4 CD
- On your purchased OpenBSD CD you should have the following
packages on CD number (TBD):
- mysql-client-3.23.57 multithreaded SQL database (client)
- mysql-server-3.23.57 multithreaded SQL database (server)
- Sendmail with -DMILTER
- Perl with -Dusethreads
- Perl DBI Module (not from OpenBSD ports)
- Perl DBD::mysql (not from OpenBSD ports)
- Sendmail::Milter
- RelayDelay
Rebuilding sendmail with -DMILTER
- Add the following line to /etc/mk.conf so the sendmail build
includes libmilter support:
WANT_LIBMILTER=1
Re-compile sendmail:
# cd /usr/src/gnu/usr.sbin/sendmail/
# rm -rf /usr/obj/gnu/usr.sbin/sendmail/*
# make obj
# make
# make install
Rebuilding perl with -Dusethreads
- Edit /usr/src/gnu/usr.bin/perl/Makefile.bsd-wrapper and uncomment
the THREADED line:
THREADED=-Dusethreads
Re-compile perl:
# cd /usr/src/gnu/usr.bin/perl/
# rm -rf /usr/obj/gnu/usr.bin/perl/*
# make -f Makefile.bsd-wrapper obj
# make -f Makefile.bsd-wrapper depend
# make -f Makefile.bsd-wrapper perl.lib
# make -f Makefile.bsd-wrapper install.lib
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install
Installing Dependency Packages
- RelayDelay will not work with the DBI and DBD-mysql modules from
OpenBSD ports. You will have to build the perl modules using CPAN.
# perl -MCPAN -e shell
cpan> install DBI
cpan> force install DBD::mysql
- Install MySQL package from CD:
# pkg_add -v /path/to/cdrom/packages/arch/mysql-client-3.23.55.tgz
# pkg_add -f -v /path/to/cdrom/packages/arch/mysql-server-3.23.55.tgz
Installing Sendmail::Milter
- Download the latest Sendmail::Milter from the closest mirror.
This guide was tested with Sendmail-Milter-0.18.tar.gz.
- Unpack and build:
$ tar xzvf Sendmail-Milter-0.18.tar.gz
$ cd Sendmail-Milter-0.18
$ perl Makefile.PL /usr/src/gnu/usr.sbin/sendmail /usr/obj/gnu/usr.sbin/sendmail
$ make
$ sudo sh
# make install
Installing RelayDelay
- Get the source (which, as of testing this document, is currently
version 0.04):
$ cd ~
$ ftp http://projects.puremagic.com/greylisting/releases/relaydelay-0.04.tgz
- Unpack and copy files into place:
$ tar xzvf relaydelay-0.04.tgz
$ sudo sh
# cp ~/relaydelay-0.04/relaydelay.pl /usr/local/sbin
# cp ~/relaydelay-0.04/relaydelay.conf /etc/mail
# chmod 400 /etc/mail/relaydelay.conf
- Edit the relaydelay.conf and set the $database_pass parameter
with a value you will later use in the mysql.sql script to set the
MySQL user password. Read through this self-documented config file and
change other values, as necessary.
- Add the milter config to your sendmail.mc and rebuild your
sendmail.cf.
An example set of config lines (using the defaults for relaydelay) is:
define(`MILTER',1)
INPUT_MAIL_FILTER(`relaydelay', `S=local:/var/run/relaydelay.sock, F=T, T=S:1m;R:2m;E:3m')dnl
Note: You may have already defined MILTER if you
are running SpamAssassin or another milter. In that case, you don't need
two defines.
Note: The "F=T" tells sendmail to TEMPFAIL if the
Milter is unavailable. Just omit the "F=T" if you want sendmail to
process mail when the Milter is unavailable.
Add the following to /etc/rc.local (the script must be executed, not
sourced with ".", and is backgrounded so rc.local does not block on it):
if [ -x /usr/local/sbin/relaydelay.pl ]; then
/usr/local/sbin/relaydelay.pl >>/var/log/relaydelay 2>&1 &
fi
Configure MySQL
- Copy the MySQL control script to /usr/local/sbin:
# cp /usr/local/share/mysql/mysql.server /usr/local/sbin/
- Copy the MySQL configuration file:
# cp /usr/local/share/mysql/my-medium.cnf /etc/my.cnf
- Start MySQL database server:
# /usr/local/sbin/mysql.server start
- Add the following to rc.local so MySQL starts automatically:
if [ -x /usr/local/sbin/mysql.server ]; then
/usr/local/sbin/mysql.server start
fi
Add the following to rc.shutdown so MySQL shuts down
automatically:
if [ -x /usr/local/sbin/mysql.server ]; then
/usr/local/sbin/mysql.server stop
fi
Set the root database user password:
# /usr/local/bin/mysqladmin -u root password 'rootpassword'
Edit the mysql.sql file from the relaydelay distribution
(~/relaydelay-0.04/).
Uncomment this line and edit the password accordingly:
grant select,insert,update,delete on relaydelay.* to rdelay@'localhost' identified by 'rdelaypasswd';
Create the relaydelay database
$ mysql -u root -p
mysql> source ~/relaydelay-0.04/mysql.sql
mysql> connect relaydelay;
mysql> show tables;
mysql> quit;
Conclusion
- Still need to evaluate the potential malefaction of perl on
OpenBSD with -Dusethreads (necessary for Sendmail::Milter). If you
please, share results and I will post a cumulative report of sorts.