If you are filtering a lot of incoming mail, the processing time required to invoke a new spamassassin script (and start the Perl interpreter) for each message can become prohibitive. An alternative approach is to run the SpamAssassin daemon, spamd. spamd is started once at system boot and loads the SpamAssassin Perl modules to perform spam-checking. Instead of running the spamassassin script on each message, messages are piped to the spamc program. spamc is a lightweight client, written in C and compiled to an executable, that simply takes messages, relays them to spamd, and returns the results.

spamd has several important command-line arguments that control its operation. Once it's properly set up, however, using spamc is simple.

2.4.1 Setting up spamd

By default, spamd is installed in /usr/bin. It is typically started by root from a system boot script but can also be started by root from the shell for testing. The simplest invocation of spamd is:

    /usr/bin/spamd --daemonize --pidfile /var/run/spamd.pid

The --daemonize command-line option directs spamd to operate as a daemon in the background. The --pidfile command-line option specifies the file to which spamd will write its process ID number. This option is important because spamd must be signaled with a HUP signal to its process ID whenever the systemwide SpamAssassin configuration is changed (you'll find an example later in this chapter).

When spamd receives a connection, it forks a child process to handle the connection. Typically, the child process reads a request to perform spam-checking from the client (including the account name of the user making the request, the message to check, and other data), performs the requested check, returns the (possibly tagged) message back to the client, and exits.

Several options are used with spamd in many environments. The most common are detailed in the following sections.

spamd can accept connections from spamc clients either by listening on a TCP port or a Unix domain socket. By default, spamd binds TCP port 783 on the local 127.0.0.1 IP address, which should prevent remote users from connecting to it. You can change how it listens with these command-line options:

- Listen on a Unix domain socket at the specified path instead of a TCP port. Using a Unix domain socket is more efficient than a TCP port and ensures that only local users can access the daemon.
- Listen on a TCP port on the specified IP address. This can be used to override the default 127.0.0.1 IP address and allow spamd to receive connections from remote machines. This might be useful if you wanted to dedicate a single machine in a LAN to spam-checking in order to manage the processing load or to let many client machines share a well-tuned daemon.
- Listen on a TCP port other than the default port (783).
- Specify a comma-separated list of IP addresses from which connections will be accepted. Although this provides a measure of access control for a daemon that accepts remote connections, it should be supplemented with host-based firewall rules for greater security.
- Require connections from clients to use the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol. This provides for encryption of the data between client and server and potentially for authentication of the server to the client, although SpamAssassin's spamc does not attempt to verify the server certificate.
- Specifies the file containing the SSL private key for spamd, if SSL connections are to be required.
- Specifies the file containing the SSL certificate for spamd, if SSL connections are to be required.

If you want to provide secure remote access to spamd, the SSL support in spamd/spamc is not sufficient, as it provides no mechanism for spamd to authenticate spamc clients. An alternative approach would be to wrap the server and client connections in an SSL tunnel with a program like stunnel, which does provide two-way authentication.

You must start spamd as root so that it can bind its TCP port or open its socket for connections. By default, spamd continues to run as root. When it receives a connection from spamc, it drops privileges and runs as the user that spamc claims to be running as. This enables it to access private, per-user configuration files. Many system administrators are uncomfortable running spamd as root. A bug in spamd could provide an attacker with root privileges; a local attacker could also spoof spamc and claim to be a different user (which can be ameliorated with the --auth-ident option discussed later).
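The listening and SSL options described above decide who can reach spamd. As an added example (not part of the original page), this shell function classifies a spamd argument list and prints the caveats the text attaches to each choice. The option spellings `--socketpath`, `--listen-ip`/`-i`, `--allowed-ips`/`-A` and `--ssl` come from the spamd man page, since the text here describes these options without naming them; `audit_spamd_args` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: classify how a spamd command line exposes the daemon.
# First output line is exposure=<kind>; further lines are caveats from the text.
audit_spamd_args() {
    listen_ip=127.0.0.1          # default bind address stated in the text
    socket="" allowed="" ssl=no
    while [ $# -gt 0 ]; do
        case $1 in
            --socketpath=*)  socket=${1#*=} ;;
            --listen-ip=*)   listen_ip=${1#*=} ;;
            --allowed-ips=*) allowed=${1#*=} ;;
            --ssl)           ssl=yes ;;
            -i|-A)
                # Short forms take the next word as their value. A bare -i with
                # no address is treated here as non-loopback (conservative).
                opt=$1 val=""
                case ${2:-} in ''|-*) ;; *) val=$2; shift ;; esac
                if [ "$opt" = -i ]; then listen_ip=${val:-any}; else allowed=$val; fi ;;
        esac
        shift
    done
    if [ -n "$socket" ]; then
        echo "exposure=unix-socket"      # only local users can reach the daemon
        return 0
    fi
    case $listen_ip in
        127.*) echo "exposure=loopback-tcp"; return 0 ;;
    esac
    echo "exposure=remote-tcp"
    if [ -z "$allowed" ]; then
        echo "note: no --allowed-ips list on the command line"
    else
        printf '%s\n' "note: back --allowed-ips ($allowed) with host firewall rules"
    fi
    if [ "$ssl" = yes ]; then
        echo "note: --ssl does not authenticate spamc clients; consider stunnel"
    else
        echo "note: client/server traffic is not encrypted (--ssl absent)"
    fi
}

# Constructed sample invocation (documentation addresses, not real hosts).
audit_spamd_args --daemonize -i 192.0.2.10 -A 192.0.2.20,192.0.2.21 --ssl
```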