Introduction

In this howto, Postfix integration with amavis-new will be presented. Amavis-new is a wrapper that can call any number of content filtering programs for spam detection, antivirus, etc. In this howto, integration with Spamassassin and Clamav will be presented. This is a classical installation of Postfix + Amavis-new + Spamassassin + Clamav.

Prerequisite

You should have a functional Postfix server installed. If this is not the case, follow the Postfix guide.

Installation

To begin, install (see InstallingSoftware) the following packages:

sudo apt-get install amavisd-new spamassassin clamav-daemon

Install the optional packages for better spam detection (who does not want better spam detection?):

sudo apt-get install libnet-dns-perl libmail-spf-query-perl pyzor razor

Note: Replace libmail-spf-query-perl with libmail-spf-perl

Install these optional packages to enable better scanning of attached archive files:

sudo apt-get install arj bzip2 cabextract cpio file gzip lha nomarch pax rar unrar unzip unzoo zip zoo

Configuration

Clamav

The default behaviour of Clamav will fit our needs. A daemon is launched (clamd) and signatures are fetched every day. For more Clamav configuration options, check the configuration files in /etc/clamav.

Add clamav user to the amavis group and vice versa in order for Clamav to have access to scan files:

sudo adduser clamav amavis
sudo adduser amavis clamav

Spamassassin

As amavis is its own spamassassin-daemon (amavis uses the spamassassin libraries), there is no need in configuring or starting spamassassin. amavis will not use any running instance of spamd! Even changes in /etc/spamassassin will have no effect on the behaviour of amavis.

The use of razor and pyzormust be enabled by

# su - amavis -s /bin/bash
# razor-admin -create
# razor-admin -register
# pyzor discover

There is no need of configuring razor or pyzor.

Amavis

First, activate spam and antivirus detection in Amavis by editing /etc/amavis/conf.d/15-content_filter_mode:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # insure a defined return

After configuration Amavis needs to be restarted:

sudo /etc/init.d/amavis restart

Postfix integration

For postfix integration, you need to add the content_filter configuration variable to the Postfix configuration file /etc/postfix/main.cf. This instructs postfix to pass messages to amavis at a given IP address and port:

content_filter = smtp-amavis:[127.0.0.1]:10024

The following postconf command, run as root because of the preceding sudo command, adds the content_filter specification line above to main.cf:

sudo postconf -e "content_filter = smtp-amavis:[127.0.0.1]:10024"

Alternatively, you can manually edit main.cf yourself to add the content_filter line.

Next edit /etc/postfix/master.cf and add the following to the end of the file:

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Also add the following two lines immediately below the "pickup" transport service:

         -o content_filter=
         -o receive_override_options=no_header_body_checks

This will prevent messages that are generated to report on spam from being classified as spam.

More information can be found from "README.postfix from amavisd-new" and "D.J.Fan"

Reload postfix:

sudo /etc/init.d/postfix reload

Now content filtering with spam and virus detection is enabled.

Test

First, test that the amavis SMTP is listening:

telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
^]

Check on your /var/log/mail.log that everything goes well. If you raise the log level, you can check every step of the content filtering: spam check, virus check, etc. Don't forget to lower the log level after your checks!

On messages that go through the content filter you should see:

X-Spam-Level: 
X-Virus-Scanned: Debian amavisd-new at example.com
X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, BAYES_00
X-Spam-Level: 

Note: $sa_tag_level in /etc/amavis/conf.d/20-debian_defaults must be lower than spam hit rating for the header to appear on the message. For troubleshooting set $sa_tag_level to -999

Troubleshooting

If the filtering is not happening, adding the following to /etc/amavis/conf.d/50-user may help:

@local_domains_acl = ( ".$mydomain" );

If you receive mail for other domains, add them to the list. This information was obtained from the Amavis-New FAQ here.

If you see the following error in /var/log/syslog when amavisd is trying to scan a message:

amavis[30807]: (30807-01) (!!) ask_av (ClamAV-clamd) FAILED - unexpected result: /var/lib/amavis/tmp/amavis-20070615T125025-30807/parts: lstat() failed. ERROR\n

Try changing the permissions on /var/lib/amavis/tmp:

chmod -R 775 /var/lib/amavis/tmp

Another way to trouble shoot errors associated with Amavisd-new, Spamassassin, Postfix, or Clamav is to restart all the services with Amavisd-new being the last one to start:

sudo /etc/init.d/postfix restart
sudo /etc/init.d/spamassassin restart
sudo /etc/init.d/clamav-daemon restart
sudo /etc/init.d/amavis restart

Then check /var/log/mail.log and see if the error has gone away.

Note: $sa_tag_level in /etc/amavis/conf.d/20-debian_defaults must be lower than spam hit rating for the header to appear on the message. For troubleshooting set $sa_tag_level to -999

Amavis Performance

To increase the number of processes that amavisd-new uses above the default 2 edit the file /etc/amavis/conf.d/50-user inserting the line:

$max_servers = X;

above the line:

#------------ Do not modify anything below this line -------------

where X is the number of processes you wish amavis to use.

Amend the following line in /etc/postfix/master.cf with the same value for the max_procs (marked below as X)

smtp-amavis     unix    -       -       -       -       X       smtp

Restart amavis and reload postfix's config

sudo /etc/init.d/amavis restart
sudo postfix reload

You can check the configuration change has taken affect by running amavisd-nanny:

sudo amavisd-nanny

For guidance on how many processes to set this value to please see:

zcat /usr/share/doc/amavisd-new/README.performance.gz | less

and http://www.ijs.si/software/amavisd/amavisd-new-magdeburg-20050519.pdf


Note: This guide has been tested on Ubuntu 7.10 (Gutsy Gibbon), Ubuntu 10.04 LTS Server (Lucid Lynx) and Ubuntu 12.04.3 LTS (Precise Pangolin).


PostfixAmavisNew (last edited 2015-04-01 15:14:10 by magnum-pestilenz)