Details:
Apple has a Knowledge
Base article (#24942) giving their recommendations for configuring an AppleShare
IP mail server to reject SPAM. Unfortunately, our experience is that a server
configured as described in that article will not consistently pass open-relay tests, and
will thus tend to find itself on various open-relay blackhole lists. Also, some
of the Apple-recommended settings will actually prevent legitimate mail from being
received by the server.
These are the settings we've found to work best for letting legitimate mail
through, stopping SPAM relaying, and also passing the tests used by open-relay
detectors:
Set up the Host List
In AppleShare IP Admin, under the Mail module's icon, select "Show Host
List". This brings up a list of all of the internet domains that this mail
server has dealt with (i.e. handled mail for). If you click in the header of the
"status" column (this makes it sort by status), you'll see a couple listed
as "local"; these are the domains that this server receives mail for.
Usually, there'll be one for the mail domain that everyone actually uses, and another
for the name of the mail server itself. In the example I'll give here, everyone
uses "example.com" (e.g. George Dorn's email address might be
"gdorn@example.com"), and the mail server is actually listed in the DNS
tables as "mail.example.com". For the approach we give here to work right,
it's necessary that these be different.

First, set the Default Host Profile to prohibit relaying. The Default Host Profile
does not appear under the host list, but when the host list is open it is accessible
via the pulldown menu under the Mail icon. Under the Default Host's "Mail
From" tab, make sure the "Deliver mail from this host to local addresses
only (no SMTP relay)" option is checked.

Then save changes and close the Default Host window.
Second, set the email server's host profile to prohibit relaying (note: this is
the name of the email server, not the domain people actually use as a mail
address). Double-click on its entry in the host list, and under its "Mail
From" tab, make sure the "Deliver mail from this host to local addresses
only (no SMTP relay)" option is checked.

Again, save changes and close the window.
Now, in order to make sure these changes take effect, we need to delete all of
the host entries except for the local entries. Just select them in the list and hit
the delete button. (Note: if you have set special settings for any other mail
hosts, you should not delete them; go into each one that's customized and set the
"Deliver mail from this host to local addresses only (no SMTP relay)"
option, just as for the mail server's profile).

Basic Mail Server Settings
Bring up the Mail Server Settings (via the Mail icon in ASIP admin), switch to
the "Mail In" tab, and make sure the "Require Local "From"
Addresses to exist in Users & Groups" option is checked. Save, and close
the window.

Advanced Mail Server Settings
It is possible to have ASIP mail check incoming connections against a "blacklist",
and reject them if they come from a known or suspected SPAM source. To enable this
feature, bring up the Advanced Settings (via the Mail icon in ASIP admin), switch
to the "Anti-Spam" tab, and enable the "Check Incoming SMTP
Connections" option. To make this useful, you will need to select a custom
blacklist server, because the default server (rbl.maps.vix.com) is no longer
available. There are a large number of alternate servers available, each of which
uses different policies to decide what to block, and takes a different approach to
the tradeoffs between blocking as much SPAM as possible vs. allowing legitimate
mail through vs. (in some cases) punishing ISPs that harbor spammers. The choice
of a server is up to you, but keep in mind that no matter which you pick, it's
almost certain to block at least a few legit messages, and allow some SPAM through.
Lists of blacklist servers are available at
Declude.com and
Moensted.dk; the San Diego
Supercomputer Center keeps
statistics
on how many messages (both SPAM and legit) various servers have (/would have)
blocked on their servers (the latest results are
here); the documentation for
the SpamBouncer program includes
comments on the servers
their program supports.
We recommend leaving the "Log connection if SMTP name does not match IP
address" option unchecked, as it will cause slow mail service in many cases.
(And the "Reject if name does not match address" option will cause quite
a bit of legitimate mail to be rejected.) Save, and close the window.
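How a blacklist lookup of the kind enabled above works under the usual DNS blacklist convention (RFC 5782), as an added example that is not part of the original document and not AppleShare IP's own code: the connecting address is reversed, looked up under the blacklist zone, and an answer in 127.0.0.0/8 means "listed". The zone names, sample records and function names are constructed placeholders, and the IPv6 handling goes beyond the IPv4 case this page deals with.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 answer range

def dnsbl_query_name(ip, zone):
    """Build the DNS name to look up: reversed address labels + blacklist zone."""
    addr = ipaddress.ip_address(ip)
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    # reverse_pointer gives octets (IPv4) or nibbles (IPv6) in reversed order.
    return addr.reverse_pointer[: -len(suffix)] + "." + zone.strip(".")

def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return (verdict, answer) for a connecting IP against one blacklist zone."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_query_name(ip, zone)))
    except OSError:
        # No A record (or the lookup failed): treat the sender as not listed.
        return ("not-listed", None)
    if answer in LISTED_RANGE:
        return ("listed", str(answer))
    # A defunct or parked zone may answer every query with an ordinary address;
    # counting that as a listing would reject all incoming mail.
    return ("unreliable", str(answer))

# Constructed records standing in for real blacklist servers (placeholder zones).
SAMPLE_RECORDS = {"2.2.0.192.dnsbl.example.org": "127.0.0.2"}

def sample_resolve(name):
    """Offline stand-in for a DNS lookup, using the constructed records above."""
    if name.endswith(".defunct.example.net"):
        return "192.0.2.99"  # constructed wildcard answer from a dead zone
    if name in SAMPLE_RECORDS:
        return SAMPLE_RECORDS[name]
    raise socket.gaierror("name not found")

if __name__ == "__main__":
    for ip, zone in [("192.0.2.2", "dnsbl.example.org"),
                     ("198.51.100.7", "dnsbl.example.org"),
                     ("192.0.2.2", "defunct.example.net")]:
        print(ip, zone, check_dnsbl(ip, zone, sample_resolve))
```

Calling check_dnsbl without the third argument performs a real DNS lookup against whatever zone you pass in.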
Some Related Information...
Apple's KBase article (AppleShare IP Mail Server: Protecting Against Unsolicitated Email)
Declude.com's list of blacklist servers
Moensted.dk's list of blacklist servers
SDSC's blacklist statistics
SpamBouncer's comments on blacklist servers
This Document Prepared By Gordon Davisson on 3/18/02.
Updated By Gordon Davisson on 8/19/02.