Integrating amavisd-new Into Postfix For Spam- And Virus-Scanning

Version 1.0
Author: Falko Timme

This article shows how to integrate amavisd-new into a Postfix mail server for spam- and virus-scanning. amavisd-new is a high-performance interface between MTAs such as Postfix and content checkers: virus scanners, and/or SpamAssassin. We will use ClamAV for virus scanning and SpamAssassin for spam scanning in this tutorial.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

In this tutorial I will describe how to install/configure amavisd-new on Debian Etch/Ubuntu 6.10 Edgy Eft (the steps are identical for both distributions) and on Debian Sarge. The amavisd-new configuration is suitable for systems where system users are used for email accounts; if you use virtual users, a few modifications to the amavisd-new configuration might or might not be required (but that depends on the actual setup). If you use virtual email users, take a look at these two tutorials:

amavisd-new works like this: Postfix receives an email on port 25, passes it to amavisd-new on port 10024 which then invokes ClamAV and SpamAssassin, and afterwards amavisd-new re-injects the mail into Postfix on port 10025 which then finally delivers the mail (if it's clean). Here's a small layout of the process:

                                      [SpamAssassin]
                                             ^
                                             |
 Email --> [(Port 25) Postfix] --> [(10024) amavisd-new] --> [(10025) Postfix] --> Mailbox
                                             |
                                             v
                                          [ClamAV]

I assume that Postfix and your email accounts are already set up and working as I don't cover Postfix installation/configuration here.

All steps in this tutorial are done as root, so make sure you're logged in as root.

 

2 Debian Etch/Ubuntu 6.10 Edgy Eft

First we install amavisd-new, SpamAssassin, and ClamAV together with a few other programs (mainly programs that amavisd-new needs to unpack archives, because emails can contain archives as attachments):

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 unzoo libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop

Afterwards we must configure amavisd-new. The configuration is split up in various files which reside in the /etc/amavis/conf.d directory. Take a look at each of them to become familiar with the configuration. Most settings are fine, however we must modify two files:

First we must enable ClamAV and SpamAssassin in /etc/amavis/conf.d/15-content_filter_mode by uncommenting the @bypass_virus_checks_maps and the @bypass_spam_checks_maps lines:

vi /etc/amavis/conf.d/15-content_filter_mode

The file should look like this:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # insure a defined return

And then you should take a look at the spam settings and the actions for spam-/virus-mails in /etc/amavis/conf.d/20-debian_defaults. There's no need to change anything if the default settings are ok for you. The file contains many explanations so there's no need to explain the settings here:

vi /etc/amavis/conf.d/20-debian_defaults
$QUARANTINEDIR = "$MYHOME/virusmails";

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listenting socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

[...]
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_BOUNCE;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
[...]

Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:

adduser clamav amavis
 /etc/init.d/amavis restart
 /etc/init.d/clamav-daemon restart

Next we must edit the configuration file of the Freshclam daemon (that's the daemon that regularly and automatically fetches the newest virus signatures from a ClamAV mirror) because it contains a small bug. Open /etc/clamav/freshclam.conf and modify the NotifyClamd line as shown below:

vi /etc/clamav/freshclam.conf
[...]
NotifyClamd /etc/clamav/clamd.conf
[...]

Then restart Freshclam (make sure no other Freshclam process (maybe of another ClamAV installation) is running because then our Freshclam will fail to start):

/etc/init.d/clamav-freshclam restart

Now we have to configure Postfix to pipe incoming email through amavisd-new:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
 postconf -e 'receive_override_options = no_address_mappings'

Afterwards append the following lines to /etc/postfix/master.cf:

vi /etc/postfix/master.cf
[...]
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1

Then restart Postfix:

/etc/init.d/postfix restart

Now run

netstat -tap

and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024:

server1:~# netstat -tap
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 tcp        0      0 *:4069                  *:*                     LISTEN     3457/rpc.statd
 tcp        0      0 localhost.localdo:10024 *:*                     LISTEN     6886/amavisd (maste
 tcp        0      0 localhost.localdo:10025 *:*                     LISTEN     7268/master
 tcp        0      0 *:sunrpc                *:*                     LISTEN     3083/portmap
 tcp        0      0 *:auth                  *:*                     LISTEN     3417/inetd
 tcp        0      0 *:smtp                  *:*                     LISTEN     7268/master
 tcp6       0      0 *:imaps                 *:*                     LISTEN     4952/couriertcpd
 tcp6       0      0 *:pop3s                 *:*                     LISTEN     4872/couriertcpd
 tcp6       0      0 *:pop3                  *:*                     LISTEN     4815/couriertcpd
 tcp6       0      0 *:imap2                 *:*                     LISTEN     4905/couriertcpd
 tcp6       0      0 *:ssh                   *:*                     LISTEN     3438/sshd
 tcp6       0      0 *:smtp                  *:*                     LISTEN     7268/master
 tcp6       0    148 server1.example.com:ssh localhost:3117          ESTABLISHED3519/0

If you like you can now add Razor, Pyzor, and DCC to SpamAssassin to improve its filtering performance. Razor, Pyzor and DCC are spamfilters that use a collaborative filtering network. To install them, run

apt-get install razor pyzor dcc-client

Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:

vi /etc/spamassassin/local.cf
[...]

# dcc
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_add_header 1
dcc_dccifd_path /usr/sbin/dccifd

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

Restart amavisd-new afterwards:

/etc/init.d/amavis restart

That's it already. Now watch your mail log (/var/log/mail.log) to see if amavisd-new is working properly. amavisd-new will log whenever it finds a spam or virus email. When you (re)start amavisd-new it should also log that it loads its spam and virus scanning code (if not, you probably did something wrong).

For taking a live look at your mail log, you can use this command:

tail -f /var/log/mail.log

(Press CTRL + c to leave the log.)

Share this page:

1 Comment(s)

Add comment

Please register in our forum first to comment.

Comments

By: rdwild
Reply  

We use the following script that runs every night via cron job (clam antivirus needs to be installed), it seems to work very well.  It scans both email and websites.  Use at your own risk.

 

#!/bin/bash

LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";

set HOST="$(hostname -f)"

EMAIL_FROM="[email protected]";

EMAIL_TO="[email protected]";

DIRTOSCAN="/var/www /var/vmail";

 

for S in ${DIRTOSCAN}; do

 DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1);

 

 echo "Starting a daily scan of "$S" directory.

 Amount of data to be scanned is "$DIRSIZE".";

 

 clamscan -ri "$S" >> "$LOGFILE";

 

 # get the value of "Infected lines"

 MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);

 

 # if the value is not equal to zero, send an email with the log file attached

 if [ "$MALWARE" -ne "0" ];then

 # using heirloom-mailx below

 cat "$LOGFILE" | mail -s "Malware Found on $HOST" "$EMAIL_FROM" "$EMAIL_TO";

 fi 

done

 

exit 0