• Introduction
• Installing SAproxy
• Configuring mail clients
• Configuring SAproxy
• Advanced notes
• Frequently asked questions

Configuring SAproxy

When SAproxy is running, right click on the SAproxy tray icon. It will bring up a Configuration dialog. After making changes, if you want to save those changes click on the OK button. To avoid making any changes, click on the Cancel button.

Settings

These are some basic settings for the SpamAssassin engine.

The settings are system-wide (for all users on your computer) and to modify them you must have write permissions in the etc subfolder of the folder where SAproxy is installed (typically C:\Program Files\SAproxy\etc). However, each user can customize the settings in Rules and Host Map tabs (see below).

Use non-local network tests

If this box is checked, SAproxy will do tests that require an internet connection to operate. These tests significantly reduce the amount of spam that is able to slip through SAproxy, but may slow down the rate at which SAproxy can check mail. The amount of additional time also varies depending on server availability and load.

Automatically learn from past spam to recognize new spam

If this box is checked, SAproxy will automatically feed high-scoring mails (or low-scoring mails, for non-spam) into its learning systems in order to better recognize future messages of the same type. This option will slightly slow down the rate at which SAproxy can check mail and requires about 5 to 20 MB of additional disk space. (The learning system is a naive-Bayesian-style classifier.)

Note that learning doesn't happen on every message since SAproxy is very careful to only learn on messages that are very clearly spam or very clearly non-spam. In addition, a minimum of 200 spam and 200 non-spam messages need to be learned before the learning system is actively used to help classify incoming messages, so many more than 200 spam and non-spam messages need to be scanned by SAproxy before learning starts working.

Rewrite spam subject headers with subject tag

If this box is checked, SAproxy will add "*****SPAM*****" to the Subject: header of suspected spam. Leave this box checked if your mail client can only filter using the Subject: header (check the tested mail clients list to see if that is the case).

Use terse report format

By default, SpamAssassin uses a fairly long report format. Checking this box uses a shorter format which includes all the information in the normal one, but without some of the explanation.

Encapsulating spam for safety

By default, SAproxy will include its report in the body of suspected spam and encapsulate the original spam in a MIME attachment that can be easily opened in most mail programs. This prevents dangerous scripting and makes it easy for you to identify whether a message is spam before opening it.

• Low safety: do not encapsulate spam in an attachment
  Incoming spam is only modified by adding some headers and no changes will be made to the body.
• Normal safety: encapsulate spam in an attachment
  The normal default behavior is used.
• High safety: encapsulate spam in a plain text attachment
  The MIME attachment of the spam original message will be text-only attachments for increased safety.

If your mail program is allowing spam to download files without any action on your part (such as clicking on a link or a spam attachment), it is advisable to increase this setting.

Languages

Set the list of languages that are considered acceptable for incoming mail. The default is to accept mail written in any language.

If the Accept any language for incoming mail box is unchecked and an incoming mail appears to be written in a language that is not listed in Accepted Languages, then that message will be much more likely to be marked as spam.

Rules

This tab allows the users to customize the filter.

Edit this file to add whitelist entries for people who send you messages that sometimes look like spam, but are not.

There are additional settings you can make in this file. Please see the SpamAssassin documentation under Mail::SpamAssassin::Conf for more information.

Host Map

You probably do not need to worry about the host map settings, but setting up the host map may be necessary if one of the following is true:

• Your POP3 server doesn't allow simple USER and PASS authentication.
• Your SMTP server requires SMTP authentication, your mail client isn't SAproxy-ready, and your mail client can only use one user name for both POP and SMTP.

The host map is used to link localhost ports with remote POP3 servers. If you are configuring the host map, follow these steps:

• In your mail client configuration, find the POP3 server and account settings.
• Change the POP3 server to be "127.0.0.1".
• Start SAproxy, then right-click on the SAproxy icon in your system tray and select Configure.
• Click the Host Map tab.
• To filter a single POP account, enter the line:

  110 = pop.company.com:110

  Replace pop.company.com with the name of your POP server. Make sure the line does not start with a "#" sign (which would mean the line was a comment). If you are only setting up SAproxy for a single account, you can click OK at this point.
• If the POP3 server requires secure (SSL) connection, you will need to set the remote port accordingly and add :ssl to the end of the line:

  110 = secure-pop.company.com:995:ssl

  In this case the mail client should not be configured to use SSL connection to the mail server localhost ("127.0.0.1").
• To filter additional accounts, first check the tested mail clients table to confirm that your client can be configured to use SAproxy with multiple POP servers.
• Enter new lines in the format:

  localport = remote.host.name:remoteport

  This format describes which local ports the proxy should map to which remote hosts and ports. Here is an example for two remote POP3 servers:

  110 = pop.company.com:110
  818 = mail.another.place.org:110

  This will cause connections on the local port 110 to proxy to pop.company.com on port 110, and connections on port 818 to proxy to host mail.another.place.org, also on port 110.

• For each additional account, change the POP3 server to be "127.0.0.1" and also change the port to the local port which maps to that remote server as you specified in the previous step.
• Click OK to save your changes. Quit SAproxy and restart it.

Host map and multiple domains: an alternative method

As we have seen above, if you get mail from multiple domains, for each POP3 server you need to specify a different port in hostmap.txt and then configure your email client to download messages from localhost on that port.

Some people find it inconvenient. There is an alternative method that does not involve the host map at all. First, comment out or delete all lines in hostmap.txt. Second, open the email client and in the incoming (POP3) server configuration screen replace your account name (say, "joe") with a combination of that name and the incoming server separated by a colon: joe:pop.company.com. Repeat this for every POP3 account. You still need to replace the names of the incoming servers with localhost or 127.0.0.1, however, you do not need to change the port.

Advanced

These are some advanced settings for SAproxy. These options should normally be turned off.

Allow the AUTH command to be proxied

If this box is checked, SAproxy allows the POP3 AUTH command to be proxied, otherwise the client will receive an error response that indicates that AUTH is not supported. AUTH by itself is harmless, the client normally receives a list of supported authorization schemes back. AUTH MSN will initiate an encrypted challenge/response sequence which ends with the server saying either +OK or -ERR. However, some authorization schemes can encrypt the entire POP3 connection which causes major problems for POP3 proxies like SAproxy.

Best current advice: turn this on if you're using MSN, otherwise leave it off for best results.

Allow the TOP command to be proxied

If this box is checked, SAproxy allows the POP3 TOP command to be proxied, otherwise the client will receive an error response that indicates that TOP is not supported. TOP is specified as an optional POP3 command which allows the client to fetch the headers of a mail message and some number of lines of the body. The idea is that you can use TOP to pre-filter which messages are downloaded without actually downloading them. This can cause problems for POP3 proxies like SAproxy since we modify and add headers after retrieving the message.

If your client sends a TOP command while this option is disabled, you will probably receive an error “-ERR: not supported by proxy.”

Best current advice: turn this on if you need to use a pre-filter to download only certain messages, otherwise leave it off for best results.

Secure (SSL) local connections

This option is not yet part of the graphic interface and currently can be implemented only by a command-line switch.

Since SAproxy sits in the middle between the mail client and the mail server, its connections to them are secured independently. Securing the connection to the mail server when it is required has been explained above. However, you may wish to use SSL for all local connections to SAproxy, too. This can be achieved by launching saproxy.exe with the switch --localssl. Your mail client has to be configured to connect to localhost ("127.0.0.1") with SSL as well. Remember that the standard localport for SSL connections is 995, therefore, Host Map should be edited accordingly so that it will contain, for example,

995 = secure-pop.company.com:995:ssl

Note that when you get messages, the mail client may warn you about an untrusted certificate that is being used for the local connection between the client and SAproxy. (The certificate in question is in the file stunnel.pem and is self-signed rather than purchased from a trusted certification authority. You can make your own self-signed certificate using OpenSSL.)