Integrating amavisd-new Into Postfix For Spam- And Virus-Scanning - Page 2

Submitted by falko (Contact Author) (Forums) on Thu, 2007-03-15 19:33. ::

3 Debian Sarge

New ClamAV releases come out very often. For volatile packages like this there is the Debian-volatile repository (for Sarge and Woody only at the time of this writing). To make sure that we install the latest ClamAV package, we first edit /etc/apt/sources.list and add the following line to it:

vi /etc/apt/sources.list

[...]
deb http://volatile.debian.net/debian-volatile sarge/volatile main contrib non-free

Afterwards we update our packages database by running:

apt-get update

Then we install amavisd-new, SpamAssassin, and ClamAV together with a few other programs (mainly programs that amavisd-new needs to unpack archives, because emails can contain archives as attachments):

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip unarj bzip2 unzoo libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop

You will be asked a few questions:

Virus database update method: <-- daemon
Local database mirror site: <-- db.de.clamav.net (Germany; select the mirror that is closest to you)
HTTP proxy information (leave blank for none): <-- (blank)
Should clamd be notified after updates? <-- Yes

Afterwards we must configure amavisd-new by editing /etc/amavis/amavisd.conf. This is a very long file with lots of comments. Most default settings are OK, but please make sure that the @bypass_virus_checks_acl and @bypass_spam_checks_acl lines are commented out, because otherwise amavisd-new will not load the anti-spam/-virus code (in my copy the @bypass_spam_checks_acl line was active, so I had to comment it out):

vi /etc/amavis/amavisd.conf

[...]
# @bypass_virus_checks_acl = qw( . );  # uncomment to DISABLE anti-virus code
[...]
# @bypass_spam_checks_acl  = qw( . );    # No default dependency on spamassassin
[...]
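
A quick way to confirm that neither bypass line is active, as an added example that is not part of the original guide. The function name active_bypass_acls and the sample text are made up for this illustration; on a real system, feed it /etc/amavis/amavisd.conf on stdin.

```shell
#!/bin/sh
# Added example (not from the guide).
# active_bypass_acls reads amavisd.conf text on stdin and prints
# "LINE:NAME" for each bypass ACL assignment that is not commented out.
# Exit status 1 means at least one was found.
active_bypass_acls() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)      # ignore everything after a "#"
        }
        match(line, /@bypass_(virus|spam)_checks_acl[ \t]*=/) {
            name = substr(line, RSTART, RLENGTH)
            sub(/[ \t]*=$/, "", name) # keep only the variable name
            print NR ":" name
            hit = 1
        }
        END { exit hit + 0 }'
}

# Constructed sample modelled on the excerpt above, with the spam line active.
SAMPLE_CONF='# @bypass_virus_checks_acl = qw( . );  # uncomment to DISABLE anti-virus code
@bypass_spam_checks_acl  = qw( . );    # No default dependency on spamassassin
$sa_local_tests_only = 1;'

printf '%s\n' "$SAMPLE_CONF" | active_bypass_acls ||
    echo "the lines listed above must be commented out"
```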

Then take a look at the spam settings and the actions for spam and virus mails in the same file. There's no need to change anything if the default settings are OK for you. The file contains many explanations, so there's no need to explain the settings here:

[...]
$final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_REJECT;  # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

[...]

$virus_admin = "postmaster\@$mydomain";         # due to D_DISCARD default

[...]

$QUARANTINEDIR = '/var/lib/amavis/virusmails';
#$virus_quarantine_method = "local:virus-%i-%n";    # default
#$spam_quarantine_method  = "local:spam-%b-%i-%n";  # default
$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
$spam_quarantine_to = 'spam-quarantine';

[...]

$sa_local_tests_only = 1;   # (default: false)
#$sa_auto_whitelist = 1;    # turn on AWL (default: false)

# Timeout for SpamAssassin. This is only used if spamassassin does NOT
# override it (which it often does if sa_local_tests_only is not true)
$sa_timeout = 30;           # timeout in seconds for a call to SpamAssassin
                            # (default is 30 seconds, undef disables it)

# AWL (auto whitelisting), requires spamassassin 2.44 or better
# $sa_auto_whitelist = 1;   # defaults to undef

$sa_mail_body_size_limit = 150*1024;  # don't waste time on SA if mail is larger
                            # (less than 1% of spam is > 64k)
                            # default: undef, no limitations

# default values, can be overridden by more specific lookups, e.g. SQL
$sa_tag_level_deflt  = 4.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
                           # at or above that level: bounce/reject/drop,
                           # quarantine, and adding mail address extension

$sa_dsn_cutoff_level = 10;  # spam level beyond which a DSN is not sent,
                            # effectively turning D_BOUNCE into D_DISCARD;
                            # undef disables this feature and is a default;

$sa_spam_subject_tag = '***SPAM*** ';   # (defaults to undef, disabled)
[...]

Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:

adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart

Next we must edit the configuration file of the Freshclam daemon (that's the daemon that regularly and automatically fetches the newest virus signatures from a ClamAV mirror) because it contains a small bug. Open /etc/clamav/freshclam.conf and modify the NotifyClamd line as shown below:

vi /etc/clamav/freshclam.conf

[...]
NotifyClamd /etc/clamav/clamd.conf
[...]

Then restart Freshclam. Make sure no other Freshclam process (maybe of another ClamAV installation) is running, because then our Freshclam will fail to start:

/etc/init.d/clamav-freshclam restart

Now we have to configure Postfix to pipe incoming email through amavisd-new:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'

Afterwards append the following lines to /etc/postfix/master.cf:

vi /etc/postfix/master.cf

[...]
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1

Then restart Postfix:

/etc/init.d/postfix restart

Now run

netstat -tap

and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024:

server1:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:10024 *:*                     LISTEN     4369/amavisd (maste
tcp        0      0 localhost.localdo:10025 *:*                     LISTEN     4895/master
tcp        0      0 *:874                   *:*                     LISTEN     1964/rpc.statd
tcp        0      0 *:sunrpc                *:*                     LISTEN     1553/portmap
tcp        0      0 *:auth                  *:*                     LISTEN     1932/inetd
tcp        0      0 *:smtp                  *:*                     LISTEN     4895/master
tcp6       0      0 *:imaps                 *:*                     LISTEN     3177/couriertcpd
tcp6       0      0 *:pop3s                 *:*                     LISTEN     3094/couriertcpd
tcp6       0      0 *:pop3                  *:*                     LISTEN     3038/couriertcpd
tcp6       0      0 *:imap2                 *:*                     LISTEN     3129/couriertcpd
tcp6       0      0 *:ssh                   *:*                     LISTEN     1943/sshd
tcp6       0      0 *:smtp                  *:*                     LISTEN     4895/master
tcp6       0    148 localhost:ssh           localhost:4631          ESTABLISHED 2052/0
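
The 10025 listener accepts mail with content_filter switched off, so besides the netstat check it is worth confirming in master.cf itself that the entry is bound to 127.0.0.1 and only permits mynetworks=127.0.0.0/8. The following is an added example, not part of the original guide; the function name audit_reinject and both sample entries are constructed for illustration, and it checks only the options named in its comments.

```shell
#!/bin/sh
# Added example (not from the guide): audit the re-injection listener.
# audit_reinject [PORT] reads master.cf text on stdin and prints one
# "FINDING: ..." line per deviation; exit status 0 means no findings.
audit_reinject() {
    awk -v port="${1:-10025}" '
        function finding(msg) { print "FINDING: " msg; bad = 1 }
        function expect(name, want) {
            if (!(name in opt) || opt[name] != want)
                finding(name " should be \"" want "\"")
        }
        /^[^ \t#]/ {    # text in column 1 starts a new service entry
            in_svc = ($2 == "inet" && ($1 == port || $1 ~ (":" port "$")))
            if (in_svc) { found = 1; addr = $1 }
            next
        }
        # indented "-o name=value" lines belong to the current entry
        in_svc && $1 == "-o" && (eq = index($2, "=")) > 0 {
            opt[substr($2, 1, eq - 1)] = substr($2, eq + 1)
        }
        END {
            if (!found) { finding("no inet listener on port " port); exit 1 }
            if (addr !~ /^127\.0\.0\.1:/)
                finding("listener \"" addr "\" is not bound to 127.0.0.1")
            expect("content_filter", "")   # scanned mail must not be filtered again
            expect("mynetworks", "127.0.0.0/8")
            expect("smtpd_recipient_restrictions", "permit_mynetworks,reject")
            exit bad + 0
        }'
}

# Constructed sample: the entries from the guide, shortened.
SAMPLE_OK='amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8'

# Constructed sample: same listener without the address and without mynetworks.
SAMPLE_BAD='10025 inet n - - - - smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject'

printf '%s\n' "$SAMPLE_OK"  | audit_reinject && echo "sample 1: no findings"
printf '%s\n' "$SAMPLE_BAD" | audit_reinject || echo "sample 2: fix the findings above"
```

On a live system, run it against the real file with audit_reinject < /etc/postfix/master.cf.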

If you like, you can now add Razor, Pyzor, and DCC to SpamAssassin to improve its filtering performance. Razor, Pyzor and DCC are spam filters that use a collaborative filtering network. To install them, run

apt-get install razor pyzor dcc-client

Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:

vi /etc/spamassassin/local.cf

[...]
# dcc
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_add_header 1
dcc_dccifd_path /usr/sbin/dccifd

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

Restart amavisd-new afterwards:

/etc/init.d/amavis restart

That's it already. Now watch your mail log (/var/log/mail.log) to see if amavisd-new is working properly. amavisd-new will log whenever it finds a spam or virus email. When you (re)start amavisd-new it should also log that it loads its spam and virus scanning code (if not, you probably did something wrong).

For taking a live look at your mail log, you can use this command:

tail -f /var/log/mail.log

(Press CTRL + c to leave the log.)

 

4 Links


Submitted by Anonymous (not registered) on Fri, 2008-09-26 22:09.

Hi,

At first I want to say this is a very nice howto. I would just like to add one note that can save someone a lot of time and pain.

The version of ClamAV in the Debian Etch default repository is quite old (0.90.1) and it takes a VERY long time for clamd to start up and create the socket file. It can take 15 minutes or even more while the CPU is 99% loaded.

So it is more than useful to install ClamAV from the Debian volatile project repository. It saves a lot of stress :)

Yu