Integrating amavisd-new Into Postfix For Spam- And Virus-Scanning
Author: Falko Timme
This article shows how to integrate amavisd-new into a Postfix mail server for spam- and virus-scanning. amavisd-new is a high-performance interface between MTAs such as Postfix and content checkers: virus scanners, and/or SpamAssassin. We will use ClamAV for virus scanning and SpamAssassin for spam scanning in this tutorial.
I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
1 Preliminary Note
In this tutorial I will describe how to install/configure amavisd-new on Debian Etch/Ubuntu 6.10 Edgy Eft (the steps are identical for both distributions) and on Debian Sarge. The amavisd-new configuration is suitable for systems where system users are used for email accounts; if you use virtual users, a few modifications to the amavisd-new configuration might or might not be required (but that depends on the actual setup). If you use virtual email users, take a look at these two tutorials:
- Virtual Users And Domains With Postfix, Courier And MySQL (Fedora Core 5)
- Virtual Users And Domains With Postfix, Courier And MySQL (Debian Sarge)
amavisd-new works like this: Postfix receives an email on port 25, passes it to amavisd-new on port 10024 which then invokes ClamAV and SpamAssassin, and afterwards amavisd-new re-injects the mail into Postfix on port 10025 which then finally delivers the mail (if it's clean). Here's a small layout of the process:
Email --> [(Port 25) Postfix] --> [(10024) amavisd-new] --> [(10025) Postfix] --> Mailbox
I assume that Postfix and your email accounts are already set up and working as I don't cover Postfix installation/configuration here.
All steps in this tutorial are done as root, so make sure you're logged in as root.
2 Debian Etch/Ubuntu 6.10 Edgy Eft
First we install amavisd-new, SpamAssassin, and ClamAV together with a few other programs (mainly programs that amavisd-new needs to unpack archives, because emails can contain archives as attachments):
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 unzoo libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop
Afterwards we must configure amavisd-new. The configuration is split up in various files which reside in the /etc/amavis/conf.d directory. Take a look at each of them to become familiar with the configuration. Most settings are fine, however we must modify two files:
First we must enable ClamAV and SpamAssassin in /etc/amavis/conf.d/15-content_filter_mode by uncommenting the @bypass_virus_checks_maps and the @bypass_spam_checks_maps lines:
The file should look like this:
use strict; # You can modify this file to re-enable SPAM checking through spamassassin # and to re-enable antivirus checking. # # Default antivirus checking mode # Uncomment the two lines below to enable it back # @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); # # Default SPAM checking mode # Uncomment the two lines below to enable it back # @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); 1; # insure a defined return
And then you should take a look at the spam settings and the actions for spam-/virus-mails in /etc/amavis/conf.d/20-debian_defaults. There's no need to change anything if the default settings are ok for you. The file contains many explanations so there's no need to explain the settings here:
$QUARANTINEDIR = "$MYHOME/virusmails"; $log_recip_templ = undef; # disable by-recipient level-0 log entries $DO_SYSLOG = 1; # log via syslogd (preferred) $syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages $syslog_facility = 'mail'; $syslog_priority = 'debug'; # switch to info to drop debug output, etc $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 $inet_socket_port = 10024; # default listenting socket $sa_spam_subject_tag = '***SPAM*** '; $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level $sa_kill_level_deflt = 6.31; # triggers spam evasive actions $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger $sa_local_tests_only = 0; # only tests which do not require internet access? [...] $final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine) $final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA $final_spam_destiny = D_BOUNCE; $final_bad_header_destiny = D_PASS; # False-positive prone (for spam) [...]
Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:
adduser clamav amavis
Next we must edit the configuration file of the Freshclam daemon (that's the daemon that regularly and automatically fetches the newest virus signatures from a ClamAV mirror) because it contains a small bug. Open /etc/clamav/freshclam.conf and modify the NotifyClamd line as shown below:
[...] NotifyClamd /etc/clamav/clamd.conf [...]
Then restart Freshclam (make sure no other Freshclam process (maybe of another ClamAV installation) is running because then our Freshclam will fail to start):
Now we have to configure Postfix to pipe incoming email through amavisd-new:
postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'
Afterwards append the following lines to /etc/postfix/master.cf:
[...] amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_bind_address=127.0.0.1
Then restart Postfix:
and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024:
server1:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:4069 *:* LISTEN 3457/rpc.statd
tcp 0 0 localhost.localdo:10024 *:* LISTEN 6886/amavisd (maste
tcp 0 0 localhost.localdo:10025 *:* LISTEN 7268/master
tcp 0 0 *:sunrpc *:* LISTEN 3083/portmap
tcp 0 0 *:auth *:* LISTEN 3417/inetd
tcp 0 0 *:smtp *:* LISTEN 7268/master
tcp6 0 0 *:imaps *:* LISTEN 4952/couriertcpd
tcp6 0 0 *:pop3s *:* LISTEN 4872/couriertcpd
tcp6 0 0 *:pop3 *:* LISTEN 4815/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 4905/couriertcpd
tcp6 0 0 *:ssh *:* LISTEN 3438/sshd
tcp6 0 0 *:smtp *:* LISTEN 7268/master
tcp6 0 148 server1.example.com:ssh localhost:3117 ESTABLISHED3519/0
If you like you can now add Razor, Pyzor, and DCC to SpamAssassin to improve its filtering performance. Razor, Pyzor and DCC are spamfilters that use a collaborative filtering network. To install them, run
apt-get install razor pyzor dcc-client
Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:
[...] # dcc use_dcc 1 dcc_path /usr/bin/dccproc dcc_add_header 1 dcc_dccifd_path /usr/sbin/dccifd #pyzor use_pyzor 1 pyzor_path /usr/bin/pyzor pyzor_add_header 1 #razor use_razor2 1 razor_config /etc/razor/razor-agent.conf #bayes use_bayes 1 use_bayes_rules 1 bayes_auto_learn 1
Restart amavisd-new afterwards:
That's it already. Now watch your mail log (/var/log/mail.log) to see if amavisd-new is working properly. amavisd-new will log whenever it finds a spam or virus email. When you (re)start amavisd-new it should also log that it loads its spam and virus scanning code (if not, you probably did something wrong).
For taking a live look at your mail log, you can use this command:
tail -f /var/log/mail.log
(Press CTRL + c to leave the log.)