Mail Filtering

One of the largest issues with email today is the problem of Unsolicited Bulk Email (UBE). Also known as SPAM, such messages may also carry viruses and other forms of malware. According to some reports these messages make up the bulk of all email traffic on the Internet.

This section will cover integrating Amavisd-new, Spamassassin, and ClamAV with the Postfix Mail Transport Agent (MTA). Postfix can also check email validity by passing it through external content filters. These filters can sometimes determine if a message is spam without needing to process it with more resource intensive applications. Two common filters are opendkim and python-policyd-spf.

  • Amavisd-new is a wrapper program that can call any number of content filtering programs for spam detection, antivirus, etc.

  • Spamassassin uses a variety of mechanisms to filter email based on the message content.

  • ClamAV is an open source antivirus application.

  • opendkim implements a Sendmail Mail Filter (Milter) for the DomainKeys Identified Mail (DKIM) standard.

  • python-policyd-spf enables Sender Policy Framework (SPF) checking with Postfix.

This is how the pieces fit together:

  • An email message is accepted by Postfix.

  • The message is passed through any external filters opendkim and python-policyd-spf in this case.

  • Amavisd-new then processes the message.

  • ClamAV is used to scan the message. If the message contains a virus Postfix will reject the message.

  • Clean messages will then be analyzed by Spamassassin to find out if the message is spam. Spamassassin will then add X-Header lines allowing Amavisd-new to further manipulate the message.

For example, if a message has a Spam score of over fifty the message could be automatically dropped from the queue without the recipient ever having to be bothered. Another, way to handle flagged messages is to deliver them to the Mail User Agent (MUA) allowing the user to deal with the message as they see fit.

Installation

See Postfix for instructions on installing and configuring Postfix.

To install the rest of the applications enter the following from a terminal prompt:

sudo apt install amavisd-new spamassassin clamav-daemon
sudo apt install opendkim postfix-policyd-spf-python

There are some optional packages that integrate with Spamassassin for better spam detection:

sudo apt install pyzor razor

Along with the main filtering applications compression utilities are needed to process some email attachments:

sudo apt install arj cabextract cpio lha nomarch pax rar unrar unzip zip

If some packages are not found, check that the multiverse repository is enabled in /etc/apt/sources.list

If you make changes to the file, be sure to run sudo apt update before trying to install again.

Configuration

Now configure everything to work together and filter email.

ClamAV

The default behaviour of ClamAV will fit our needs. For more ClamAV configuration options, check the configuration files in /etc/clamav.

Add the clamav user to the amavis group in order for Amavisd-new to have the appropriate access to scan files:

sudo adduser clamav amavis
sudo adduser amavis clamav

Spamassassin

Spamassassin automatically detects optional components and will use them if they are present. This means that there is no need to configure pyzor and razor.

Edit /etc/default/spamassassin to activate the Spamassassin daemon. Change ENABLED=0 to:

ENABLED=1

Now start the daemon:

sudo systemctl start spamassassin.service

Amavisd-new

First activate spam and antivirus detection in Amavisd-new by editing /etc/amavis/conf.d/15-content_filter_mode:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # insure a defined return

Bouncing spam can be a bad idea as the return address is often faked. The default behaviour is to instead discard. This is configured in /etc/amavis/conf.d/20-debian_defaults where $final_spam_destiny is set to D_DISCARD rather than D_BOUNCE.

Additionally, you may want to adjust the following options to flag more messages as spam:

$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 4; # spam level beyond which a DSN is not sent

If the server's hostname is different from the domain's MX record you may need to manually set the $myhostname option. Also, if the server receives mail for multiple domains the @local_domains_acl option will need to be customized. Edit the /etc/amavis/conf.d/50-user file:

$myhostname = 'mail.example.com';
@local_domains_acl = ( "example.com", "example.org" );

If you want to cover multiple domains you can use the following in the/etc/amavis/conf.d/50-user

@local_domains_acl = qw(.);

After configuration Amavisd-new needs to be restarted:

sudo systemctl restart amavis.service

DKIM Whitelist

Amavisd-new can be configured to automatically Whitelist addresses from domains with valid Domain Keys. There are some pre-configured domains in the /etc/amavis/conf.d/40-policy_banks.

There are multiple ways to configure the Whitelist for a domain:

  • 'example.com' => 'WHITELIST',: will whitelist any address from the "example.com" domain.

  • '.example.com' => 'WHITELIST',: will whitelist any address from any subdomains of "example.com" that have a valid signature.

  • '.example.com/@example.com' => 'WHITELIST',: will whitelist subdomains of "example.com" that use the signature of example.com the parent domain.

  • './@example.com' => 'WHITELIST',: adds addresses that have a valid signature from "example.com". This is usually used for discussion groups that sign their messages.

A domain can also have multiple Whitelist configurations. After editing the file, restart amavisd-new:

sudo systemctl restart amavis.service

In this context, once a domain has been added to the Whitelist the message will not receive any anti-virus or spam filtering. This may or may not be the intended behavior you wish for a domain.

Postfix

For Postfix integration, enter the following from a terminal prompt:

sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'

Next edit /etc/postfix/master.cf and add the following to the end of the file:

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Also add the following two lines immediately below the "pickup" transport service:

         -o content_filter=
         -o receive_override_options=no_header_body_checks

This will prevent messages that are generated to report on spam from being classified as spam.

Now restart Postfix:

sudo systemctl restart postfix.service

Content filtering with spam and virus detection is now enabled.

Amavisd-new and Spamassassin

When integrating Amavisd-new with Spamassassin, if you choose to disable the bayes filtering by editing /etc/spamassassin/local.cf and use cron to update the nightly rules, the result can cause a situation where a large amount of error messages are sent to the amavis user via the amavisd-new cron job.

There are several ways to handle this situation:

  • Configure your MDA to filter messages you do not wish to see.

  • Change /usr/sbin/amavisd-new-cronjob to check for use_bayes 0. For example, edit /usr/sbin/amavisd-new-cronjob and add the following to the top before the test statements:

    egrep -q "^[ \t]*use_bayes[ \t]*0" /etc/spamassassin/local.cf && exit 0
    

Testing

First, test that the Amavisd-new SMTP is listening:

telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
^]

In the Header of messages that go through the content filter you should see:

X-Spam-Level: 
X-Virus-Scanned: Debian amavisd-new at example.com
X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, BAYES_00
X-Spam-Level: 

Your output will vary, but the important thing is that there are X-Virus-Scanned and X-Spam-Status entries.

Troubleshooting

The best way to figure out why something is going wrong is to check the log files.

  • For instructions on Postfix logging see the Troubleshooting section.

  • Amavisd-new uses Syslog to send messages to /var/log/mail.log. The amount of detail can be increased by adding the $log_level option to /etc/amavis/conf.d/50-user, and setting the value from 1 to 5.

    $log_level = 2;
    

    When the Amavisd-new log output is increased Spamassassin log output is also increased.

  • The ClamAV log level can be increased by editing /etc/clamav/clamd.conf and setting the following option:

    LogVerbose true
    

    By default ClamAV will send log messages to /var/log/clamav/clamav.log.

After changing an applications log settings remember to restart the service for the new settings to take affect. Also, once the issue you are troubleshooting is resolved it is a good idea to change the log settings back to normal.

References

For more information on filtering mail see the following links:

Also, feel free to ask questions in the #ubuntu-server IRC channel on freenode.