Virtual Users And Domains With Postfix, Courier And MySQL (Ubuntu 6.10 Edgy Eft) - Page 4

9 Install amavisd-new, SpamAssassin, And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 unzoo libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop pax

Afterwards we must configure amavisd-new. The configuration is split up in various files which reside in the /etc/amavis/conf.d directory. Take a look at each of them to become familiar with the configuration. Most settings are fine, however we must modify three files:

First we must enable ClamAV and SpamAssassin in /etc/amavis/conf.d/15-content_filter_mode by uncommenting the @bypass_virus_checks_maps and the @bypass_spam_checks_maps lines:

vi /etc/amavis/conf.d/15-content_filter_mode

The file should look like this:

use strict;



# You can modify this file to re-enable SPAM checking through spamassassin

# and to re-enable antivirus checking.



#

# Default antivirus checking mode

# Uncomment the two lines below to enable it back

#



@bypass_virus_checks_maps = (

   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);





#

# Default SPAM checking mode

# Uncomment the two lines below to enable it back

#



@bypass_spam_checks_maps = (

   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);



1;  # insure a defined return

And then you should take a look at the spam settings and the actions for spam-/virus-mails in /etc/amavis/conf.d/20-debian_defaults. There's no need to change anything if the default settings are ok for you. The file contains many explanations so there's no need to explain the settings here:

vi /etc/amavis/conf.d/20-debian_defaults

$QUARANTINEDIR = "$MYHOME/virusmails";



$log_recip_templ = undef;    # disable by-recipient level-0 log entries

$DO_SYSLOG = 1;              # log via syslogd (preferred)

$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages

$syslog_facility = 'mail';

$syslog_priority = 'debug';  # switch to info to drop debug output, etc



$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)

$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1



$inet_socket_port = 10024;   # default listenting socket



$sa_spam_subject_tag = '***SPAM*** ';

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level

$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level

$sa_kill_level_deflt = 6.31; # triggers spam evasive actions

$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent



$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger

$sa_local_tests_only = 0;    # only tests which do not require internet access?



[...]

$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)

$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA

$final_spam_destiny       = D_BOUNCE;

$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

[...]

Finally, edit /etc/amavis/conf.d/50-user and add the line $pax='pax'; in the middle:

vi /etc/amavis/conf.d/50-user

[...]

$pax='pax';

[...]

Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:

adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart

Next we must edit the configuration file of the Freshclam daemon (that's the daemon that regularly and automatically fetches the newest virus signatures from a ClamAV mirror) because it contains a small bug. Open /etc/clamav/freshclam.conf and modify the NotifyClamd line as shown below:

vi /etc/clamav/freshclam.conf

[...]

NotifyClamd /etc/clamav/clamd.conf

[...]

Then restart Freshclam (make sure no other Freshclam process (maybe of another ClamAV installation) is running because then our Freshclam will fail to start):

/etc/init.d/clamav-freshclam restart

Now we have to configure Postfix to pipe incoming email through amavisd-new:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'

Afterwards append the following lines to /etc/postfix/master.cf:

vi /etc/postfix/master.cf

[...]

amavis unix - - - - 2 smtp

        -o smtp_data_done_timeout=1200

        -o smtp_send_xforward_command=yes



127.0.0.1:10025 inet n - - - - smtpd

        -o content_filter=

        -o local_recipient_maps=

        -o relay_recipient_maps=

        -o smtpd_restriction_classes=

        -o smtpd_client_restrictions=

        -o smtpd_helo_restrictions=

        -o smtpd_sender_restrictions=

        -o smtpd_recipient_restrictions=permit_mynetworks,reject

        -o mynetworks=127.0.0.0/8

        -o strict_rfc821_envelopes=yes

        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

        -o smtpd_bind_address=127.0.0.1

Then restart Postfix:

/etc/init.d/postfix restart

Now run

netstat -tap

and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024:

root@server1:/usr/local/sbin# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:10024 *:*                     LISTEN     16043/amavisd (mast
tcp        0      0 localhost.localdo:10025 *:*                     LISTEN     15794/master
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     4783/mysqld
tcp        0      0 *:smtp                  *:*                     LISTEN     15794/master
tcp6       0      0 *:imaps                 *:*                     LISTEN     13452/couriertcpd
tcp6       0      0 *:pop3s                 *:*                     LISTEN     13517/couriertcpd
tcp6       0      0 *:pop3                  *:*                     LISTEN     13480/couriertcpd
tcp6       0      0 *:imap2                 *:*                     LISTEN     13412/couriertcpd
tcp6       0      0 *:www                   *:*                     LISTEN     4489/apache2
tcp6       0      0 *:ssh                   *:*                     LISTEN     3193/sshd

 

10 Install Razor, Pyzor And DCC And Configure SpamAssassin

Razor, Pyzor and DCC are spamfilters that use a collaborative filtering network. To install them, run

apt-get install razor pyzor dcc-client

Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:

vi /etc/spamassassin/local.cf

[...]



# dcc

use_dcc 1

dcc_path /usr/bin/dccproc

dcc_add_header 1

dcc_dccifd_path /usr/sbin/dccifd



#pyzor

use_pyzor 1

pyzor_path /usr/bin/pyzor

pyzor_add_header 1



#razor

use_razor2 1

razor_config /etc/razor/razor-agent.conf



#bayes

use_bayes 1

use_bayes_rules 1

bayes_auto_learn 1

Restart amavisd-new afterwards:

/etc/init.d/amavis restart

Share this page:

5 Comment(s)

Add comment

Comments

From: at: 2007-05-10 09:06:55

page 1

debian etch uses a different postfix version so you ll find the patch for this version on the blow url

http://vda.sourceforge.net/VDA/postfix-2.3.8-vda.patch.gz

for compiling this newer postfix version you need to get a few more libraries

apt-get install lsb-release libcdb-dev

page 3

/etc/default/saslauthd

change

START=no

into

START=yes

and add these lines to the end of the file (PARAMS has been changed to OPTIONS)

OPTIONS="-m /var/spool/postfix/var/run/saslauthd -r"
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"

close file and run

dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

page 4

NotifyClamd /etc/clamav/clamd.conf
already ok

From: at: 2007-10-24 00:48:02

Followed Falko's The Perfect Server - Ubuntu Gutsy Gibbon (Ubuntu 7.10) tutorial (which is excellent and very timely), but for postfix and apache, substituted the procedures in here.

The only part that did not work at all was the Postfix patch for quotas. Gutsy installed Postfix-2.4.5; I found what may be the updated quota patch here:

http://vda.sourceforge.net/VDA/postfix-2.4.5-vda-ng.patch.gz

but was unable to build the .deb package; there were some issues with libdb4.3-dev among others. If someone would care to elaborate, it would be a great service.

I also skipped the spam/virus portions since I already use a hosted service for this.

Postfix / courier seem to be up and running as described.

 -- DrJohn

Some other quick notes on the installs:

 2. Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin

:
:

To install Postfix, Courier, Saslauthd, MySQL, and phpMyAdmin, we simply run:

<changed libsasl2 to libsasl2-2>


apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl postfix-tls libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl phpmyadmin apache2 libapache2-mod-php5 php5 php5-mysql


extra qestion appears re phpMyAdmin:


ââââââââââââââââââââââââ⤠Configuring phpmyadmin âââââââââââââââââââââââââ
   â phpMyAdmin supports any web server that PHP does, but this automatic   â
   â configuration process only supports Apache.                            â
   â                                                                        â
   â Web server to reconfigure automatically:                               â
   â                                                                        â
   â    [*] apache2                                                         â
   â    [ ] apache                                                          â
   â    [ ] apache-ssl                                                      â
   â    [ ] apache-perl                                                     â
   â                                                                        â
   â                                                                        â
   â                                 <Ok>                                   â
   â                                                                        â
   ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ






create the SSL certificate that is needed for TLS:


<questions asked are different than the tutorial>

root@myserver/etc/postfix# openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509
Generating a 2048 bit RSA private key
................+++
...........................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MyState
Locality Name (eg, city) []:MyCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:Postmaster
Email Address []:info@mydomain.com
root@myserver/etc/postfix#

 

From: at: 2007-06-22 02:17:33

I was having trouble getting it to authenticate so turned on verbose logging for saslauthd. It revealed that the realm was not getting appended to the user and hence the sql select was returning zero records.
The bottom of /etc/defaults/saslauthd shows an "OPTIONS" line rather than "PARAMS". Checking the documentation for my version of saslauthd confirmed this.

Hence for Feisty 7.04 change:
  PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
to:
  OPTIONS="-m /var/spool/postfix/var/run/saslauthd -r"

From: at: 2007-08-09 12:20:27

With Feisty 7.04 the dcc-client fails with unsatisfied dependencies.

The following line seems to work:

apt-get install dcc-common=1.2.74-2 dcc-client=1.2.74-2

Also the postfix patch for quota may not be needed  under Feisty.

From: at: 2007-08-09 12:23:09

This howto is an excellent tutorial. It has rocksolid step by step instructions, easy to follow and seems to be mistake free in its instructions.

The difference between using this for Edgy and Feisty is very little (except for the quota patch and dcc-client).

Many thanks for  your time and effort.