Virtual Users And Domains With Postfix, Courier And MySQL (Debian Etch) - Page 4

9 Install amavisd-new, SpamAssassin, And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 unzoo libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop pax

Afterwards we must configure amavisd-new. The configuration is split up in various files which reside in the /etc/amavis/conf.d directory. Take a look at each of them to become familiar with the configuration. Most settings are fine, however we must modify three files:

First we must enable ClamAV and SpamAssassin in /etc/amavis/conf.d/15-content_filter_mode by uncommenting the @bypass_virus_checks_maps and the @bypass_spam_checks_maps lines:

vi /etc/amavis/conf.d/15-content_filter_mode

The file should look like this:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

# Default antivirus checking mode
# Uncomment the two lines below to enable it back

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

# Default SPAM checking mode
# Uncomment the two lines below to enable it back

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # insure a defined return

And then you should take a look at the spam settings and the actions for spam-/virus-mails in /etc/amavis/conf.d/20-debian_defaults. There's no need to change anything if the default settings are ok for you. The file contains many explanations so there's no need to explain the settings here:

vi /etc/amavis/conf.d/20-debian_defaults

$QUARANTINEDIR = "$MYHOME/virusmails";

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listenting socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_BOUNCE;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

Finally, edit /etc/amavis/conf.d/50-user and add the line $pax='pax'; in the middle:

vi /etc/amavis/conf.d/50-user

use strict;

# Place your configuration directives here.  They will override those in
# earlier files.
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file


#------------ Do not modify anything below this line -------------
1;  # insure a defined return

Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:

adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

Now we have to configure Postfix to pipe incoming email through amavisd-new:

postconf -e 'content_filter = amavis:[]:10024'
postconf -e 'receive_override_options = no_address_mappings'

Afterwards append the following lines to /etc/postfix/

vi /etc/postfix/

amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=

Then restart Postfix:

/etc/init.d/postfix restart

Now run

netstat -tap

and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024:

server1:/etc/postfix# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:10024 *:*                     LISTEN     14491/amavisd (mast
tcp        0      0 localhost.localdo:10025 *:*                     LISTEN     14869/master
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     12181/mysqld
tcp        0      0 *:sunrpc                *:*                     LISTEN     1684/portmap
tcp        0      0 *:auth                  *:*                     LISTEN     2036/inetd
tcp        0      0 *:1522                  *:*                     LISTEN     2077/rpc.statd
tcp        0      0 *:smtp                  *:*                     LISTEN     14869/master
tcp        0      0 localhost.localdom:smtp localhost.localdom:2894 TIME_WAIT  -
tcp6       0      0 *:imaps                 *:*                     LISTEN     12453/couriertcpd
tcp6       0      0 *:pop3s                 *:*                     LISTEN     12482/couriertcpd
tcp6       0      0 *:pop3                  *:*                     LISTEN     12463/couriertcpd
tcp6       0      0 *:imap2                 *:*                     LISTEN     12436/couriertcpd
tcp6       0      0 *:www                   *:*                     LISTEN     3712/apache2
tcp6       0      0 *:ssh                   *:*                     LISTEN     2058/sshd
tcp6       0      0 ::ffff: ESTABLISHED2139/0
tcp6       0      0 ::ffff: ESTABLISHED14784/sshd: root@no


10 Install Razor, Pyzor And DCC And Configure SpamAssassin

Razor, Pyzor and DCC are spamfilters that use a collaborative filtering network. To install them, run

apt-get install razor pyzor dcc-client

Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/ and add the following lines to it:

vi /etc/spamassassin/


# dcc
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_add_header 1
dcc_dccifd_path /usr/sbin/dccifd

use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1

use_razor2 1
razor_config /etc/razor/razor-agent.conf

use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

Restart amavisd-new afterwards:

/etc/init.d/amavis restart

Share this page:

18 Comment(s)

Add comment


From: at: 2007-06-06 20:11:22


 I don't understand, why you use the smtp-PAM-Module?!

 By the way: In Debian Etch you have to activate DCC in /etc/spamassassin/v310.pre



From: at: 2007-06-24 18:58:29

This setup seems to be extremely insecure.

Mysql function encrypt () encrypts (on some systems, e.g. my Debian Etch) only first eight characters of a string, making hacking of a mailbox extremely easy. For example, passwords




both allow the user to log in (think about people who use password5468d - AOL had similar problem recently).

From: at: 2007-06-24 19:10:25

To fix the security problem I mentioned above, you may possibly use other cyphers, I found this text:


User question/comment: I thought MYSQL_CRYPT_PWFIELD only handles the ENCRYPT() function in stead of MD5() (see postfix-mysql setup). Correct me when I'm wrong

User question/comment: MYSQL_CRYPT_PWFIELD only specifies the name of database field,
it has nothing to do with crypt format. authlib
can automatically detect several different formats of password hash, please refer to cryptpassword.c
inside courier authlib source code for more info. Basically it checks if the first
few characters of password hash is:

  • "$1$": password is MD5 format password used by all Linux systems.

  • "{MD5}": this is followed by standard MD5 hash of password phrase.

  • "{SHA}": this is followed by standard SHA hash of password phrase.

  • "{SHA256}": this is followed by standard SHA256 hash of password phrase.

  • "{CRYPT}": this is followed by standard DES crypt() hash of password phrase.


From: at: 2008-01-18 16:27:33

apt-get source postfix did not work for me.

Replaced by 'apt-src install postfix'.


From: at: 2008-01-29 12:11:27

VERY nice howto. It worked like a dream.
And setting up Squirrelmail for this was a breeze too. 

I encountered some problems while I followed the guide though, which I have listed in my blog @ Ronin's blog[^].

 One was a bug I encountered within Courier-Saslauthdaemon, and 2 were some banal problems with Squirrelmail. But I managed to solve them with some googling around ^^

From: at: 2008-07-25 19:30:16


To fix this problem, just use md5-crypt passwords (as used in /etc/shadow files, starting with $1$) for your mailboxes.

This should work. If it doesn't, append "md5=true" on both lines in /etc/pam.d/smtp.

From: Juan Carlos at: 2008-12-16 17:56:05

hello as are wanting to loguiarme in mailboxes me introduce the following error:


Dec 16 12:43:19 linuxdeb authdaemond: stopping authdaemond children
Dec 16 12:43:19 linuxdeb authdaemond: modules="authmyslq", daemons=5
Dec 16 12:43:19 linuxdeb authdaemond: Installing libauthmyslq
Dec 16 12:43:19 linuxdeb authdaemond: cannot open shared object file: No such file or directory
Dec 16 12:43:46 linuxdeb courierpop3login: Connection, ip=[::ffff:]
Dec 16 12:43:54 linuxdeb courierpop3login: LOGIN FAILED, user=juan, ip=[::ffff:]
Dec 16 12:44:03 linuxdeb courierpop3login: LOGOUT, ip=[::ffff:]
Dec 16 12:44:03 linuxdeb courierpop3login: Disconnected, ip=[::ffff:]


that can be


From: Anonymous at: 2009-06-17 20:42:27


 under debian edge there is a bug in clamav so that it produces 100% cpu load and can´t open a unix socket.

Like this: 

connect to UNIX socket /var/run/clamav/clamd.ctl: No such file or directory

You have to update the clamav to solve this problem. Add folowing package sources in sources.list

deb etch/volatile main

 then do: apt-get update

and install the packages: 


then it sould work.

Good Luck


From: at: 2008-01-26 16:54:35


Great Howto, thank you very much for your work.

Just a comment: you don't need to set sql parameters and mysql as auxprop_plugin in /etc/postfix/sasl/smtpd.conf as you intend to use PAM for authentication.

The following /etc/postfix/sasl/smtpd.conf should suffice:

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true

This way, plain PAM will be used, with the options you set in /etc/pam.d/smtpd. Indeed, you don't even need to install libsasl2-modules-sql package (but you still do need libpam-mysql, of course).

Best regards,

Alberto Caso

From: at: 2007-06-05 19:31:53


 why do you add this SMTP-PAM-Module? I don't see any sense in this.

By the way: In Debian Etch you have to enable DCC in /etc/spamassassin/v310.pre



From: at: 2007-07-11 21:17:01

Hi, first ov all thanks for the tut.

In etch you also have to activate spamassasin in /etc/default/spamassasin "ENABLE = 1"

Also I found this in the Fedora tut. about the paths ( it worked for me on etch ):

the dcc_path to the socket is (as I followed exacly the way of installing as described in this tut):


* dcc_add_header and  pyzor_add_header are deprecated (Cf., instead use respectively add_header all DCC _DCCB_: _DCCR_ and add_header all Pyzor _PYZOR_

 * to make amavis keep a part of the spamassassin header, add the following lines to your amavisd.conf :

$remove_existing_spam_headers = 0;

$sa_spam_report_header = 1;

Please correct me if I'm wrong. But it looks like this how it worked for me.

Greets Josh 


From: at: 2007-07-20 18:32:01

You are wrong, spamd is typically not used along with amavisd-new. amavisd-new calls spamassassin directly via Perl module Mail::SpamAssassin. So, I suggest leaving the default of "ENABLE = 0" in /etc/default/spamassasin.

From: at: 2008-02-17 22:56:39

I got this error in /var/log/mail.log
Can't connect to UNIX socket /var/run/clamav/clamd.ctl: No such file or directory

Sollution ->

From: Tim at: 2009-06-14 22:17:31

I was able to make this run in lenny with some light modifications, no DCC (debian boycotted it in lenny), etc.

Everything works nicely, but spamassassin, razor and pyzor do not print any headers in the e-mail, when "$sa_tag_level_deflt = undef;".

On the amavis startup logging, it does show razor2 being loaded, but not pyzor, while both are installed (did not configuration though).

Amavis is logging to mail.log whether the message is spam or not, and the X-Virus-Scanned shows, but no spamassassin, razor (and pyzor, but it won't even load) headers. Should I just install the perl package for spamassassin? I currently have the "spamassasin" lenny deb installed.


"$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listening socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = undef;   # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.00;   # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31;   # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;     # spam level beyond which a DSN is not sent



From: at: 2010-08-21 19:37:35

Hi i folowed this guide and the server has worked well for over a year but now clamd uses up 100% of my cpu.


From: at: 2007-06-10 11:51:45

Thanks for this tutorial!

Whats with automatic custom rulesets updates for SpamAssassin?



From: at: 2008-05-27 15:32:58

You need to use clamav from Debian's volatile repository, otherwise this won't work at all.

On more thing, if you create new email account, and than try to fetch mail for it and fail miserably, than send an email to it, and then try again.

Good tutorial. Thanks ;) 

From: Bruno Taranto Alvim at: 2008-09-30 23:30:19

Change 2 files ( and authmysqlrc) to Maildir work.

mail:/etc/postfix# more

user = postfix password = postfix dbname = postfix query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/','',SUBSTRING_INDEX(email,'@',1),'/','Maildir/') FROM users WHERE email='%s' hosts =

mail:/etc/courier# more authmysqlrc


Now you can receive and get!