Sorting mail using SpamAssassin in OTRS

0f3b3bf1Fighting spam is more difficult than ever and many people let other parties handle their spam filtering. This is just one of the reasons products like Office365 and Google Apps for Work have become so successful. After all, there is not much glamor in running your own mail server.

If you run your own mail server you’ll have to handle spam yourself. If you have OTRS on its own server and you’re receiving spam, this is very annoying as it might send out false notifications and wastes time.

Luckily, it is very easy to use SpamAssassin to filter out spam emails in order to make sure you only receive valid mails in OTRS. SpamAssassin is an Apache foundation open source software that is used very widely to combat spam.

Installing SpamAssassin on your system

You can simply install SpamAssassin from your linux package manager, on CentOS/RHEL based systems:

sudo yum install -y spamassassin

and on Debian- or Ubuntu-systems:

sudo apt-get install spamassassin

After you’ve installed the package you can test if it’s available by typing  /usr/bin/spamassassin –version in your console.

Updating rules

Of course spammers and spam-fighters are in a never-ending battle. New heuristics to determine spam messages are created often. On some systems the spamassassin rules can be out of date, run the sa-update command as root to update the rules. If you want you could run this as a cron job.

Setting up OTRS to use SpamAssassin

First, there are two options for handling spam. One is to delete incoming email marked as spam and one is to move it to a separate queue. The last option I would strongly recommend. If a message would falsely be marked as spam, it will be deleted from your system and you’d not know about it! It’s much better if the message is still available, at least for a small period of time, so you can restore it if needed.

So in order to make this happen, you can set up a special queue on the system where the message should be sorted into. If you make sure your agents only have read-permissions on this queue (and probably also move-into, but at least not read-write) they will not see the queue in the dashboard and in the queue view, they’ll not get notifications, but they are able to search through tickets in this queue.

In SysConfig, under Ticket > Core::PostMaster, there is a pre-defined filter called PostMaster::PreFilterModule###6-SpamAssassin. Just please make sure to fill in the queue you want under the Set: option, check the box, and save the SysConfig. Your setup is active now.

SpamAssSysConfig

Verifying your setup

If a spam message reaches your system, a nice short message is added to your system log and the ticket is created in the spam queue automatically!

spamfilter

How to install OTRS 4 on CentOS 7

Centos_full.svgIn this post I’m going to walk you through installing OTRS 4 on CentOS 7. The procedure will be very similar for Red Hat Enterprise Linux (RHEL) version 7 as this is binary compatible.

Please note that there are some differences between CentOS 6 and CentOS 7: it now ships with systemd and with firewalld so the instructions to install OTRS are pretty different.

Setting up your production server or migrating from one is something you don’t want to do every day. This means you better take a distribution that will receive security upgrades for a long time. This is why I would recommend CentOS version 7 over version 6 at this point in time.

Preparation: deactivation of SELinux

OTRS does not ship with a profile for SELinux. This means that you’ll have problems if you don’t turn it off. If you’re an advanced system administrator, you’d be able to create a profile for OTRS. This is beyond the scope of this post.

You can check the status of SELinux with the sestatus command:

[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Edit the file /etc/selinux/config and set SELINUX=permissive.  This will make sure after a reboot selinux will not be enabled.

Type setenforce Permissive to set the current SELinux status to ‘permissive’. I chose Permissive here, rather than disabled, because otherwise you might loose the security context on files and would you want to enable SELinux on some later point you’d need to re-label files which is difficult.

[root@localhost ~]# setenforce Permissive
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Preparation: installation of a database

Of course you can use OTRS with a database that is on some central location in your setup. You can use OTRS with PostgreSQL or MySQL, or even with Oracle if you need to. In this example, I’m going to assume that you’ll use a database installed on the OTRS machine itself, which is the most common setup and recommended for all except very big installations.

The most widely used database for OTRS is MySQL. In CentOS 7, MySQL Server is no longer available; the fork MariaDB is available and you can use that as a drop-in replacement.

If you want to install MySQL instead of MariaDB, this is no problem; the MySQL project has provided a yum repository that you can use.

Otherwise, if you’d want to install MariaDB, just use these commands:

yum install -y mariadb-server
echo -e "[server]\nmax_allowed_packet=20M\nquery_cache_size=32M" > /etc/my.cnf.d/otrs.cnf
systemctl enable mariadb.service
systemctl start mariadb.service

The echo command is used to create a small configuration file called /etc/my.cnf.d/otrs.cnf which contains specific settings in order to make OTRS happy. The contents of this file is:

[server]
max_allowed_packet=20M
query_cache_size=32M

Get and install OTRS

Now you can get and install the OTRS software itself. You can find RPM installation files on the web server of OTRS. For the current version the install command is:

yum -y install http://ftp.otrs.org/pub/otrs/RPMS/rhel/7/otrs-4.0.2-01.noarch.rpm

Please note this will install loads of dependencies so it might take a brief while.

Install additional dependencies

Now you can install additional dependencies from EPEL, the enterprise quality package repository maintained by the Fedora project. Note that this step is kind of important as it also will bring you mod_perl which is really needed to have proper performance of the web server!

yum -y install epel-release
yum install -y mod_perl "perl(Crypt::Eksblowfish::Bcrypt)" "perl(JSON::XS)" "perl(GD::Text)" "perl(Encode::HanExtra)" "perl(GD::Graph)" "perl(Mail::IMAPClient)" "perl(PDF::API2)" "perl(Text::CSV_XS)" "perl(YAML::XS)"

Configure firewall and start Apache

Now you can start the Apache web server.  You should also add a rule to the firewall to allow access to the web server. CentOS 7 ships with firewalld, a new generation firewall that allows you to make these changes pretty easily.

You might want to remove the ‘welcome page’ of CentOS as it is kind of annoying.

rm /etc/httpd/conf.d/welcome.conf
systemctl enable httpd.service
systemctl start httpd.service
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --reload

At this point you can continue using the Web Installer as explained in the OTRS documentation. As database you should choose ‘MySQL’ , also if you’re using MariaDB, because they really are forks and in this regard compatible. The database administrative password is empty. Note that this is not a security risk per se as the database only listens on localhost, so you can only access it from the local machine.

Of course there are many more tasks you should perform before considering your OTRS installation ready, but this is a nice quick start into setting up OTRS on a very popular, long-supported server OS.