The Distributed Checksum Clearinghouses (or DCC) is an anti-spam content filter based upon the exchange between mail servers of fuzzy checksums identifying message content and the number of such messages received. The checksums are constant across common variations in bulk messages, including "personalizations." The official project website is at rhyolite.com/dcc/.
DCC detects bulk mail. It cannot distinguish between solicited and unsolicited bulk mail. This is the biggest drawback to DCC, and the main mitigation is manual whitelisting.
The idea of DCC is that if mail recipients could compare the mail they receive, they could recognize unsolicited bulk mail. A DCC server totals reports of checksums of messages from clients and answers queries about the total counts for checksums of mail messages. A DCC client reports the checksums for a mail message to a server and is told the total number of recipients of mail with each checksum. If one of the totals is higher than a threshold set by the client and according to local whitelists the message is unsolicited, the DCC client can log, discard, or reject the message.
Because simplistic checksums of spam would not be effective, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves. Since DCC started being used in late 2000, the fuzzy checksums have been modified several times.
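The report-and-threshold exchange described above, as an added Python sketch that is not DCC's own code. fuzzy_checksum is a toy stand-in for DCC's real fuzzy checksums, and Clearinghouse, client_verdict, the sample messages and the addresses are all constructed for illustration.

```python
import hashlib
import re
from collections import Counter

def fuzzy_checksum(body: str) -> str:
    """Toy fuzzy checksum (assumption: NOT DCC's real algorithm)."""
    text = body.lower()
    text = re.sub(r"^(dear|hi|hello)\b[^\n]*\n", "", text)  # drop greeting line
    text = re.sub(r"\d+", "", text)                         # drop serial numbers
    text = re.sub(r"[^a-z]+", " ", text).strip()            # squash punctuation/space
    return hashlib.sha256(text.encode()).hexdigest()[:16]

class Clearinghouse:
    """Server role: totals reports per checksum and answers with the total."""
    def __init__(self):
        self.totals = Counter()
    def report(self, checksum: str) -> int:
        self.totals[checksum] += 1
        return self.totals[checksum]

def client_verdict(server, sender, body, threshold, whitelist):
    """Client role: report the checksum, compare the total with a local threshold."""
    total = server.report(fuzzy_checksum(body))
    if sender in whitelist:          # solicited bulk mail, known only locally
        return "accept"
    return "reject" if total > threshold else "accept"

# Constructed sample messages: three personalized copies of one bulk mail,
# one unrelated personal mail, and a newsletter from a whitelisted sender.
BULK = [
    "Dear Alice,\nYou won prize #17! Claim now at our site.\n",
    "Dear Bob,\nYou won prize #4021!  Claim NOW at our site.\n",
    "Hi Carol\nYOU WON prize #9! Claim now, at our site.",
]
PERSONAL = "Hi Dave,\nLunch on Thursday? The usual place.\n"
NEWSLETTER = "Hello subscriber,\nIssue 12 of the weekly digest is out.\n"

def demo(threshold=2):
    server, wl = Clearinghouse(), {"news@list.example"}
    out = [client_verdict(server, "x@bulk.example", b, threshold, wl) for b in BULK]
    out.append(client_verdict(server, "dave@example.org", PERSONAL, threshold, wl))
    news = [client_verdict(server, "news@list.example", NEWSLETTER, threshold, wl)
            for _ in range(5)]       # newsletter seen by five recipients
    return out + news[-1:]

if __name__ == "__main__":
    print(demo())
```

The third personalized copy is the first to exceed the threshold, and the newsletter is accepted only because its sender is on the local whitelist; with an empty whitelist it is rejected like any other bulk mail.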
Normal users only run the client.
DCC traffic is DNS-like but uses UDP ports 6276 (greylisting traffic) and 6277 (normal DCC traffic). Inbound and outbound firewall rules should be set to allow this traffic.
First, you probably do not want to enable milter support for DCC, so disable that USE flag as follows.
echo "mail-filter/dcc -milter" >>/etc/portage/package.use/dcc
Next, emerge the package. This should not pull in the
emerge --ask mail-filter/dcc
Because the ebuild currently installs everything to run as root, we are going to do some permissions cleanup.
useradd -U dcc
chgrp dcc /var/run/dcc
chmod g+w /var/run/dcc
chmod o-rwx /var/run/dcc
chgrp -R dcc /etc/dcc
chmod o-rwx /etc/dcc
Valid concerns have been raised around these directories surviving a reboot. While a tmpfs mounted directory is probably ideal for this data, feel free to adapt the above based upon your own preferences.
Client only (normal scenario)
The most important binaries installed by the package are cdcc (Control Distributed Checksum Clearinghouse) and dccifd (Distributed Checksum Clearinghouse Interface Daemon), which is the preferred interface between Postfix and DCC.
We want to add dccifd as a Before-Queue Content Filter.
First, verify that DCCIFD_ENABLE=on in the
Next, we explicitly specify paths to the sockets that the daemon will create and use to communicate. For more information on this, see
We are using the path /var/run/dcc that we manually created in the Installation section, above.
DCCIFD_ARGS="-p /var/run/dcc/dccifd.ascii-socket -o /var/run/dcc/dccifd.smtp-proxy-socket"
Next, add the following values to
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_proxy_filter=/var/run/dcc/dccifd.ascii-socket
/var/run/dcc/dccifd.smtp-proxy-socket inet n - n - - smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
Warnings in Postfix documentation about the costs of Before-Queue filters apply more to computationally expensive filters such as SpamAssassin (which, confusingly, can also be configured to use DCC) than
Server (only if you run a big mailserver)
Before continuing, see Do I need to run a server? in the DCC FAQ. Probably not.
The server binary is called dccd. Please contribute documentation regarding configuration here. At a guess, the process is probably basically as follows.
It will now be necessary to connect Postfix to the DCC server in some DCC-server-specific way; please refer to the DCC documentation for this. There is a start within the server section of man dcc.
Finally...
rc-update add dcc default
To make your changes take effect, reload the Postfix configuration.