
mb-filter Service

Email content filtering daemon integrating spam detection, virus scanning, and policy enforcement.

Overview

mb-filter is the primary email filtering engine responsible for:

  • Spam Detection - Rspamd and SpamAssassin integration
  • Virus Scanning - ClamAV antivirus integration
  • Policy Enforcement - Custom rules and policies
  • Content Analysis - Header and body inspection
  • GeoIP Filtering - Geographic restrictions
  • Authentication Checking - SPF, DKIM, DMARC validation

It acts as a Postfix content filter listening on port 10031.

Architecture

Integration Flow

Postfix
  ↓ (SMTP forward)
mb-filter (port 10031)
  ↓
Spam Check (Rspamd/SpamAssassin)
  ↓
Virus Scan (ClamAV)
  ↓
Policy Check (custom rules)
  ↓
Verdict: Pass / Quarantine / Reject
  ↓
Postfix (reinject port 10025)

Processing Pipeline

  1. Receive email from Postfix
  2. Extract metadata (sender, recipient, IPs)
  3. Check whitelist/blacklist
  4. Perform GeoIP lookup
  5. Validate SPF/DKIM/DMARC
  6. Scan for spam (parallel: Rspamd + SpamAssassin)
  7. Scan for viruses (ClamAV)
  8. Apply policies
  9. Calculate final verdict
  10. Quarantine or reinject to Postfix

Configuration

Service File

Location: /etc/systemd/system/mb-filter.service

[Unit]
Description=Mailborder Email Filter
After=network.target mb-rpcd.service rspamd.service clamav-daemon.service
Requires=mb-rpcd.service

[Service]
Type=forking
User=mailborder
Group=mailborder
ExecStart=/usr/libexec/mailborder/php_enc/mb-filter start
ExecStop=/usr/libexec/mailborder/php_enc/mb-filter stop
ExecReload=/usr/libexec/mailborder/php_enc/mb-filter reload
PIDFile=/var/run/mailborder/mb-filter.pid
Restart=always
RestartSec=10

# Security
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/var/run/mailborder /var/log/mailborder /var/spool/mailborder

# Resource Limits
LimitNOFILE=65536
MemoryLimit=1G

[Install]
WantedBy=multi-user.target

Filter Settings

Worker configuration:

sudo mb-config set filter.workers 8
sudo mb-config set filter.max_concurrent 50
sudo mb-config set filter.timeout 120

Processing limits:

sudo mb-config set filter.max_message_size 52428800  # 50 MB
sudo mb-config set filter.skip_large_files true

Apply changes:

sudo systemctl reload mb-filter

Operations

Service Management

Start:

sudo systemctl start mb-filter

Stop:

sudo systemctl stop mb-filter

Restart:

sudo systemctl restart mb-filter

Status:

sudo systemctl status mb-filter

Testing

Test an email file:

sudo mb-filter-test /path/to/email.eml

Example output:

Processing: email.eml
====================

Spam Check:
  Rspamd Score: 4.2
  SpamAssassin Score: 3.8
  Combined Score: 4.0

Virus Scan:
  ClamAV: CLEAN

Authentication:
  SPF: PASS
  DKIM: PASS
  DMARC: PASS

GeoIP:
  Country: US
  Action: ALLOW

Policy Match:
  None

Verdict: PASS
Processing Time: 234ms

Test with a live email:

# Send test through Postfix
echo "Test" | mail -s "Filter Test" test@example.com

# Watch logs
sudo tail -f /var/log/mailborder/mb-filter.log

Monitoring

Real-time Monitoring

Watch filter log:

sudo tail -f /var/log/mailborder/mb-filter.log

Example log entries:

2025-01-13 14:23:45 [INFO] Processing message <abc123@sender.com>
2025-01-13 14:23:45 [DEBUG] Spam score: 3.2 (pass threshold: 6.0)
2025-01-13 14:23:45 [DEBUG] Virus scan: CLEAN
2025-01-13 14:23:45 [INFO] Verdict: PASS (234ms)
2025-01-13 14:23:46 [INFO] Reinjected to Postfix
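Per-verdict latency can be pulled from the "Verdict:" lines in the format shown above. This is an added example, not an mb-filter tool; the function name verdict_summary and the QUARANTINE sample line are assumptions, since the page only shows a PASS entry.

```shell
#!/bin/sh
# Added example, not part of mb-filter: per-verdict latency summary from the
# "Verdict:" lines in the log format shown above.
# Usage: verdict_summary SLOW_MS [FILE]   (reads stdin when FILE is omitted)
verdict_summary() {
  slow=$1; shift
  awk -v slow="$slow" '
    $3 == "[INFO]" && $4 == "Verdict:" {
      v = toupper($5); ms = $6
      gsub(/[^0-9]/, "", ms)            # "(234ms)" -> "234"
      if (ms == "") next                # line carries no timing, skip it
      ms += 0
      n[v]++; sum[v] += ms
      if (ms > max[v]) max[v] = ms
      if (ms > slow) print "SLOW", $1, $2, v, ms "ms"
    }
    END {
      # Assumption: QUARANTINE and REJECT are logged the way PASS is above.
      k = split("PASS QUARANTINE REJECT", order, " ")
      for (i = 1; i <= k; i++)
        if (order[i] in n)
          printf "%s count=%d avg_ms=%d max_ms=%d\n", order[i],
                 n[order[i]], sum[order[i]] / n[order[i]], max[order[i]]
    }
  ' "$@"
}

# Constructed sample input (only the first Verdict line appears on this page).
verdict_summary 1000 <<'EOF'
2025-01-13 14:23:45 [INFO] Processing message <abc123@sender.com>
2025-01-13 14:23:45 [DEBUG] Spam score: 3.2 (pass threshold: 6.0)
2025-01-13 14:23:45 [INFO] Verdict: PASS (234ms)
2025-01-13 14:23:46 [INFO] Reinjected to Postfix
2025-01-13 14:23:51 [INFO] Verdict: QUARANTINE (4120ms)
2025-01-13 14:23:52 [INFO] Verdict: PASS (166ms)
EOF
```

Against the live log, pass the file instead of a here-document: verdict_summary 1000 /var/log/mailborder/mb-filter.log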

Performance Metrics

View statistics:

sudo mb-filter-stats

Example output:

mb-filter Statistics
====================

Last 24 Hours:
  Messages Processed: 45,678
  Pass: 38,234 (83.7%)
  Quarantine: 6,234 (13.6%)
  Reject: 1,210 (2.6%)

Performance:
  Average Processing Time: 234ms
  Messages/Second: 52
  Current Queue: 3

Spam Detection:
  Spam Caught: 7,444 (16.3%)
  False Positives: ~120 (est. 0.26%)

Virus Detection:
  Viruses Found: 45
  Clean: 45,633 (99.9%)

Top Rejection Reasons:
  1. Spam (score > 20): 4,567
  2. Virus detected: 45
  3. Policy violation: 1,234
  4. GeoIP block: 890

Queue Management

Check queue depth:

sudo mb-filter-queue

If the queue is backing up:

# Increase workers
sudo mb-config set filter.workers 12
sudo systemctl reload mb-filter

# Check bottleneck
sudo tail -f /var/log/mailborder/mb-filter.log | grep -i slow

Integration

Postfix Configuration

Main config (/etc/postfix/main.cf):

content_filter = mb-filter:[127.0.0.1]:10031

Master config (/etc/postfix/master.cf):

# mb-filter
mb-filter unix  -       -       n       -       10      smtp
  -o smtp_send_xforward_command=yes
  -o smtp_fallback_relay=

# Re-injection
127.0.0.1:10025 inet n  -       y       -       -       smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

Test integration:

sudo postfix check
sudo postfix reload
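Mail accepted on the re-injection port 10025 is not filtered again, so that entry must stay on loopback, clear content_filter, and end its recipient restrictions in reject. The following check for those three properties is an added example, not part of mb-filter or Postfix; the function name audit_reinject is hypothetical.

```shell
#!/bin/sh
# Added example, not part of mb-filter: audit the re-injection smtpd entry in a
# Postfix master.cf. Usage: audit_reinject PORT [FILE]  (stdin when FILE omitted)
# Prints one FAIL line per finding and returns 0 only when there are none.
# Limitation: the "-o { name = value }" brace form is not parsed.
audit_reinject() {
  port=$1; shift
  awk -v port="$port" '
    function bad(msg) { print "FAIL: " msg; fails++ }
    function options(first,   i, eq) {        # collect "-o name=value" pairs
      for (i = first; i < NF; i++)
        if ($i == "-o" && (eq = index($(i + 1), "=")) > 0)
          opt[substr($(i + 1), 1, eq - 1)] = substr($(i + 1), eq + 1)
    }
    function finish(   r, k) {                # judge the entry just completed
      if (!in_svc) return
      in_svc = 0; seen = 1
      if (addr !~ /^(127\.0\.0\.1|\[::1\]|localhost):/)
        bad(addr " is not bound to a loopback address")
      if (!("content_filter" in opt))
        bad("content_filter not overridden, mail would loop back to the filter")
      else if (opt["content_filter"] != "")
        bad("content_filter is set to " opt["content_filter"])
      k = split(opt["smtpd_recipient_restrictions"], r, /[, ]+/)
      if (r[k] != "reject")
        bad("smtpd_recipient_restrictions does not end in reject")
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
    /^[ \t]/ { if (in_svc) options(1); next } # continuation of current entry
    {                                         # first line of a service entry
      finish(); split("", opt)
      if ($2 == "inet" && $8 == "smtpd" && ($1 == port || $1 ~ (":" port "$"))) {
        in_svc = 1; addr = $1; options(9)
      }
    }
    END {
      finish()
      if (!seen) bad("no smtpd listener found on port " port)
      exit (fails > 0)
    }
  ' "$@"
}

# Constructed check against the re-injection entry shown on this page.
audit_reinject 10025 <<'EOF' && echo "OK: re-injection listener is locked down"
127.0.0.1:10025 inet n  -       y       -       -       smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
EOF
```

On a live host, run it as: audit_reinject 10025 /etc/postfix/master.cf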

Rspamd Integration

Check Rspamd connection:

rspamc ping
rspamc stat

Test spam detection:

sudo rspamc < /path/to/email.eml

ClamAV Integration

Check ClamAV status:

sudo systemctl status clamav-daemon
sudo clamdscan --version

Test virus scanning:

sudo clamdscan /path/to/email.eml

Troubleshooting

Emails Not Being Filtered

Check service:

sudo systemctl status mb-filter

Check Postfix integration:

sudo postconf | grep content_filter
# Should show: content_filter = mb-filter:[127.0.0.1]:10031

Check port:

sudo netstat -tulpn | grep 10031
# Should show mb-filter listening

Test manually:

telnet 127.0.0.1 10031
# Should connect to mb-filter

Emails Stuck in Queue

Check queue:

sudo mailq

If many messages are deferred:

# Check mb-filter logs
sudo tail -n 100 /var/log/mailborder/mb-filter.log

# Check if mb-filter is responding
sudo systemctl status mb-filter

# Restart if needed
sudo systemctl restart mb-filter
sudo postfix flush

Slow Filtering

Check processing time:

sudo grep "Processing Time" /var/log/mailborder/mb-filter.log | tail -n 20

If slow:

  1. Check Rspamd:

    rspamc stat
    # High processing time? Restart Rspamd
    sudo systemctl restart rspamd
    

  2. Check ClamAV:

    sudo systemctl status clamav-daemon
    # Signature database too large?
    

  3. Increase workers:

    sudo mb-config set filter.workers 12
    

  4. Reduce scan depth:

    sudo mb-config set antivirus.max_recursion 8
    

High Memory Usage

Check memory:

ps aux | grep mb-filter
sudo systemctl status mb-filter | grep Memory

Optimize:

# Reduce max message size scanned
sudo mb-config set filter.max_message_size 26214400  # 25 MB

# Skip large files
sudo mb-config set filter.skip_large_files true

# Restart workers more frequently
sudo mb-config set filter.max_requests_per_worker 100

False Positives/Negatives

Too much spam getting through:

# Lower threshold
sudo mb-config set spam.threshold.pass 5.0
sudo mb-config set spam.threshold.quarantine 5.0

# Enable all RBLs
sudo mb-rbl list
sudo mb-rbl add zen.spamhaus.org --weight 3.0

Too many false positives:

# Raise threshold
sudo mb-config set spam.threshold.pass 7.0

# Whitelist legitimate senders
sudo mb-whitelist add @partner-domain.com

# Train Bayesian filter
sudo mb-rspamd-learn --ham /path/to/ham-samples/

Best Practices

Performance Tuning

  1. Match workers to load:

     • 1 worker per 100 emails/hour
     • Monitor queue depth
     • Scale up during peak times

  2. Set appropriate timeouts:

     • Default: 120 seconds
     • Increase for large attachments
     • Monitor slow emails

  3. Cache aggressively:

    sudo mb-config set filter.cache_enabled true
    sudo mb-config set filter.cache_ttl 3600
    

Reliability

  1. Monitor continuously:

    watch -n 5 'sudo mb-filter-queue'
    

  2. Alert on queue backup:

    # Add to monitoring script
    QUEUE=$(sudo mb-filter-queue | wc -l)
    if [ "$QUEUE" -gt 100 ]; then
        mail -s "Filter Queue Alert" admin@example.com <<< "Queue depth: $QUEUE"
    fi
    

  3. Regular health checks:

    sudo mb-filter-test /usr/share/mailborder/test-emails/spam.eml
    

Maintenance

  1. Update signatures daily:

    sudo freshclam
    sudo rspamc reload
    

  2. Review statistics weekly:

    sudo mb-filter-stats --weekly
    

  3. Clean up logs monthly:

    sudo mb-maintenance --cleanup-logs
    
