Amavis
From Amavis's site:
- amavisd-new is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin. It is written in Perl for maintainability, without paying a significant price for speed. It talks to MTA via (E)SMTP or LMTP, or by using helper programs. Best with Postfix, fine with dual-sendmail setup and Exim v4, works with sendmail/milter, or with any MTA as a SMTP relay.
Installation and setup
In this setup it is assumed that you are using ClamAV as anti-virus scanner.
- Install amavisd-new. You would be wise to also install optdepends such as p7zip and unrar so your filters can actually see inside compressed files.
- Install clamav.
Basic configuration
If your hostname is not a FQDN, you must set $myhostname
and $mydomain
accordingly in /etc/amavisd/amavisd.conf
.
You can enable ClamAV support by commenting out the following lines (do not forget to put the same clamd.sock
as in /etc/clamav/clamd.conf
):
# ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd.sock"], qr/\bOK$/m, qr/\bFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], # # NOTE: run clamd under the same user as amavisd - or run it under its own # # uid such as clamav, add user clamav to the amavis group, and then add # # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in # # this entry; when running chrooted one may prefer a socket under $MYHOME.
Add a comment to this line to enable anti-virus scan:
# @bypass_virus_check_maps = (1); # controls running of anti-virus code
After that, add clamav
user to amavis
group to avoid permission problems:
# usermod -a -G amavis clamav
Finally restart the services:
Check for errors with these commands:
# systemctl status amavisd # journalctl -u amavisd
Testing
To test the new configuration just telnet to the amavisd default listening port:
$ telnet 127.0.0.1 10024
You should see something like:
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]' 220 [127.0.0.1] ESMTP amavisd-new service ready
Type ehlo 127.0.0.1
:
EHLO localhost 250-[127.0.0.1] 250-VRFY 250-PIPELINING 250-SIZE 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE
Now just type quit
to exit.
Integration with Postfix
Quick start
To configure amavis for Postfix add the following to /etc/postfix/master.cf
:
# # anti spam & anti virus section # amavisfeed unix - - n - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - y - - smtpd -o content_filter= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o smtpd_restrictions_classes= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters -o local_header_rewrite_clients=
In this configuration we assume that postfix and Amavis are running on the same machine (i.e. 127.0.0.1
). If that is not the case edit /etc/amavisd/amavisd.conf
and the prevous Postfix entry accordingly.
Postfix will listen to port 10025
so that Amavis can send back checked emails to that port.
You also have to add another other configuration in your smtp
or submission
sections:
-o content_filter=amavisfeed:[127.0.0.1]:10024
Using this options implies that Postfix will send emails to Amavis on port 10024
, so that these can be checked. If mail passes the control then these are sent to port 10025
, as explained before.
We can now restart postfix.service
and amavisd.service
.
To check that Postfix is listening on port 10025
do the same operations as the port 10024
case.
SpamAssassin support
Install spamassassin
Spamassassin is integrated in Amavis so you do not have to start spamassassin.service
. To enable support for Spamassassin comment the following line in /etc/amavis/amavis.conf
like this:
# @bypass_spam_checks_maps = (1); # controls running of anti-spam code
Edit the SpamAssassin configuration based on your needs:
$sa_tag_level_deflt = 1.0; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 1.0; # add 'spam detected' headers at that level $sa_kill_level_deflt = 5.0; # triggers spam evasive actions (e.g. blocks mail) $sa_dsn_cutoff_level = 8; # spam level beyond which a DSN is not sent # $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off $penpals_threshold_high = $sa_kill_level_deflt; # do not waste time on hi spam $bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces
Before you restart the amavisd
service, run sa-update
.
Final test
To check that everything is working as intended:
- Send a normal email.
- Send an email with an EICAR test file as attachment.
- Send an email that would result as spam.
- Check both Postfix and Amavis logs.