Rod Morison Software —  Technotes

Anti-Spam & Anti-Virus Install

Some of the best mail filtering technology the world has to offer. Most of this "just works" from the Ubuntu packages; we'll add SPF checking directly into Postfix, too.
Amavisd-new acts as a "master" daemon in front of pluggable mail scanning modules. We'll install ClamAV for anti-virus and SpamAssassin for anti-spam, plus Pyzor and Razor, the collaborative-filtering checks that SpamAssassin calls out to, and the archive unpackers amavis needs to look inside attachments.
  1. Install the Goods
    sudo apt-get install amavisd-new spamassassin clamav-daemon
    sudo apt-get install pyzor razor python-policyd-spf
    sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip unzoo zip zoo
  2. Add clamav to amavis group
    sudo adduser clamav amavis
  3. Enable SpamAssassin
    sudo vi /etc/default/spamassassin
    and set ENABLED=1 (line 8 in the stock file); without it the spamd service will not start.
  4. Tell Amavis to Virus & Spam Check
    sudo vi /etc/amavis/conf.d/15-content_filter_mode
    and uncomment the virus & spam check lines, removing the leading "#" from both lines of each pair (the backslashes are part of the file: the lists hold references):
    @bypass_virus_checks_maps = (
       \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
    ...
    @bypass_spam_checks_maps = (
       \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
  5. Set Local Policy Prefs
    sudo vi /etc/amavis/conf.d/50-user
    My policy is to tag but pass all spam. Viruses are not delivered; the postmaster is notified and the message is quarantined so that it can be recovered if need be. You may want to study the Amavis docs and customize here.

    Change example.domain to yours. My 50-user reads
    use strict;

    #
    # Place your configuration directives here. They will override those in
    # earlier files.
    #
    # See /usr/share/doc/amavisd-new/ for documentation and examples of
    # the directives you can use in this file
    #

    $log_level = 0;

    @local_domains_maps =
    ( [ ".$mydomain", 'example.domain' ] );

    $sa_spam_subject_tag = '*SPAM* ';
    $sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
    $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
    $sa_kill_level_deflt = 999; # triggers spam evasive actions
    $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent

    $virus_admin = "postmaster@$mydomain"; # due to D_DISCARD default
    $spam_admin = "postmaster@$mydomain";
    $dsn_bcc = "maildebug@$mydomain";

    $mailfrom_notify_admin = "virusalert@$mydomain";
    $mailfrom_notify_recip = "virusalert@$mydomain";
    $mailfrom_notify_spamadmin = "spamalert@$mydomain";

    $final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
    $final_banned_destiny = D_REJECT; # D_REJECT when front-end MTA
    $final_spam_destiny = D_PASS;
    $final_bad_header_destiny = D_PASS; # False-positive prone (for spam)

    #------------ Do not modify anything below this line -------------
    1; # ensure a defined return
  6. Integrate Amavisd into Postfix
    sudo vi /etc/postfix/main.cf
    Add the following to the bottom of /etc/postfix/main.cf
    # Amavis ClamAV+SpamAssassin
    content_filter = smtp-amavis:[127.0.0.1]:10024

    # Postfix behavior/content controls
    #body_checks = regexp:/etc/postfix/body_checks
    #header_checks = regexp:/etc/postfix/header_checks
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    smtpd_delay_reject = yes
    smtpd_error_sleep_time = 15s
    smtpd_soft_error_limit = 10
    smtpd_hard_error_limit = 20
  7. /etc/postfix/master.cf
    sudo vi /etc/postfix/master.cf
    Add the two "-o" lines shown under the line beginning with "pickup". They must be indented: in master.cf a leading space or tab marks a continuation of the entry above, and an unindented "-o" is read as a new service entry. They keep mail submitted locally through the sendmail command (cron output, local scripts) from being sent through the content filter and the header/body checks:
    pickup    fifo  n       -       -       60      1       pickup
        -o content_filter=
        -o receive_override_options=no_header_body_checks
    Then add the following to the bottom of /etc/postfix/master.cf, again with the "-o" lines indented. The smtp-amavis entry is the client that hands mail to amavis on port 10024; its process limit (the 2 in the maxproc column) should match $max_servers in the amavis config, which defaults to 2. The 127.0.0.1:10025 entry is the listener that takes scanned mail back: it accepts connections only from localhost and has the content_filter and the restrictions switched off, so that mail is neither filtered twice nor rejected on re-entry:
    smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

    127.0.0.1:10025 inet n  -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  8. SPF in Postfix - SPF is already part of SpamAssassin's scoring. We can further use SPF in Postfix to honor the sending domain's published policy and reject outright messages from hosts the domain says may not send its mail (an SPF "fail"). I recommend a read through of materials on the SPF site and relevant discussion lists.

    You can omit this step if you choose.
    sudo vi /etc/postfix/main.cf
    Add a comma to the end of the last line of the smtpd_recipient_restrictions settings and on a new, indented line add
    check_policy_service unix:private/policyd-spf
    Then add, as a separate parameter on an unindented line (an indented line would be read as part of the restriction list),
    policyd-spf_time_limit = 3600
    This section of your main.cf should look something like
    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        check_policy_service unix:private/policyd-spf

    policyd-spf_time_limit = 3600
    Keep check_policy_service after reject_unauth_destination: a policy daemon that answers OK earlier in the list would turn the server into an open relay. Also check that every DNSBL you list is still operated: list.dsbl.org is no longer run, sbl-xbl.spamhaus.org has been superseded by zen.spamhaus.org, and a list whose domain has lapsed can start answering positively for every lookup, which rejects all inbound mail.
    In master.cf:
    sudo vi /etc/postfix/master.cf
    At the bottom, add the following, with the second line indented as a continuation of the first. The service name "policyd-spf" must match the name after unix:private/ in main.cf:
    policyd-spf  unix  -       n       n       -       0       spawn
        user=nobody argv=/usr/bin/python /usr/bin/policyd-spf
  9. Start/Restart All Concerned
    sudo /etc/init.d/postfix restart
    sudo /etc/init.d/amavis restart
    sudo /etc/init.d/clamav-daemon restart
    sudo /etc/init.d/spamassassin start
  10. Test and Check - Send another test message and watch the log.
    tail -f /var/log/mail.log
    Look for a log line like
    Sep 29 13:50:25 mailserver amavis[8449]: (08449-01) Passed CLEAN, LOCAL [192.168.66.194] [192.168.66.194] <test@mailserver.morison.org> -> <test@mailserver.morison.org>, Message-ID: <48E13F6D.1010202@mailserver.morison.org>, mail_id: 8HLb1RzoY+ZW, Hits: -1.44, size: 564, queued_as: EC77724624, 3852 ms
    For the anti-spam check, send a message whose body contains the GTUBE test string (SpamAssassin's standard test pattern, scored at 1000 points) or a real spam sample. You'll see
    Sep 29 13:52:55 mailserver amavis[8454]: (08454-01) Passed SPAMMY, LOCAL [192.168.66.194] [192.168.66.194] <test@mailserver.morison.org> -> <test@mailserver.morison.org>, Message-ID: <48E13FFB.7000908@mailserver.morison.org>, mail_id: moC25mDhimPK, Hits: 8.824, size: 649, queued_as: 4B5E624624, 12174 ms
    and look at the mail headers in your mail client:
    X-Virus-Scanned: Debian amavisd-new at mailserver.morison.org
    X-Spam-Flag: YES
    X-Spam-Score: 8.824
    X-Spam-Level: ****
    X-Spam-Status: Yes, score=8.824 tagged_above=-999 required=5
    tests=[ALL_TRUSTED=-1.44, AWL=-10.264, DIGEST_MULTIPLE=0.001,
    PYZOR_CHECK=2.834, RAZOR2_CF_RANGE_51_100=0.5,
    RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5,
    RAZOR2_CHECK=0.5, URIBL_AB_SURBL=1.613, URIBL_JP_SURBL=2.857,
    URIBL_OB_SURBL=2.132, URIBL_SBL=2.468, URIBL_SC_SURBL=2.523,
    URIBL_WS_SURBL=2.1]
    Finally, send the EICAR test file. It is not a real virus, only a fixed string that every scanner, ClamAV included, reports as a detection; it is available plain, zipped and double-zipped from:

    http://www.eicar.org/download/eicar.com
    http://www.eicar.org/download/eicar_com.zip
    http://www.eicar.org/download/eicarcom2.zip

    Look for
    Sep 29 14:07:56 mailserver amavis[8449]: (08449-02) Blocked INFECTED (Eicar-Test-Signature), LOCAL [192.168.66.194] [192.168.66.194] <test@mailserver.morison.org> -> <test@mailserver.morison.org>, quarantine: J/virus-JfYri+IcyuAB, Message-ID: <48E1438B.5060502@mailserver.morison.org>, mail_id: JfYri+IcyuAB, Hits: -, size: 1062, 934 ms
    and check the postmaster mailbox for the notification.
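Before restarting in step 9, it is worth checking the three mistakes the main.cf and master.cf edits of steps 6 to 8 invite: an SPF policy lookup placed before reject_unauth_destination (an open-relay risk), an unindented "-o" line in master.cf (Postfix refuses to start), and a check_policy_service name with no matching master.cf entry. The script below is an added example, not the page's or the Postfix project's code; the excerpts it writes with write_fixtures are constructed test inputs, and it assumes only POSIX sh, awk, sed and tr.

```sh
#!/bin/sh
# Added example, not from the page: lint the main.cf/master.cf edits of
# steps 6 to 8 before reloading Postfix. Needs only POSIX sh, awk, sed, tr.
# The excerpts written by write_fixtures are constructed test inputs.

# Postfix config syntax: a line starting with whitespace continues the
# previous parameter; blank lines and '#' comment lines are ignored.
join_logical_lines() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        /^[ \t]/   { buf = buf " " $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# Terms of the last smtpd_recipient_restrictions definition, one per line
# (when a parameter is set twice Postfix keeps the last definition).
recipient_restriction_terms() {
    join_logical_lines "$1" \
      | sed -n 's/^smtpd_recipient_restrictions[ \t]*=[ \t]*//p' \
      | tail -n 1 | tr ', \t' '\n\n\n' | sed '/^$/d'
}

# A policy service consulted before reject_unauth_destination can answer
# OK for any recipient and make the host an open relay (SMTPD_POLICY_README).
# Prints a verdict; exit status is 0 only for "ok".
check_policy_order() {
    verdict=$(recipient_restriction_terms "$1" | awk '
        $1 == "reject_unauth_destination" && !ruad { ruad = NR }
        $1 == "check_policy_service"      && !cps  { cps  = NR }
        END {
            if (!ruad)                  print "missing-reject_unauth_destination"
            else if (cps && cps < ruad) print "policy-before-reject_unauth_destination"
            else                        print "ok"
        }')
    echo "$verdict"
    [ "$verdict" = "ok" ]
}

# Every "-o name=value" override in master.cf must be indented: in column 1
# Postfix reads "-o" as the name of a new service entry and fails to start.
check_master_overrides() {
    n=$(awk '/^-o/ { n++ } END { print n + 0 }' "$1")
    echo "$n unindented -o lines"
    [ "$n" -eq 0 ]
}

# The name after unix:private/ in check_policy_service must exist as a
# unix-type service in master.cf (step 8 calls it policyd-spf).
check_policy_service_defined() {
    name=$(recipient_restriction_terms "$1" | sed -n 's#^unix:private/##p' | head -n 1)
    [ -n "$name" ] || { echo "no unix policy service in main.cf"; return 1; }
    if awk -v n="$name" '$1 == n && $2 == "unix" { f = 1 } END { exit !f }' "$2"
    then echo "policy service $name defined in master.cf"
    else echo "policy service $name missing from master.cf"; return 1
    fi
}

# Constructed excerpts: a correct pair and a pair with both mistakes.
write_fixtures() {
    cat > "$1/main.good.cf" <<'EOF'
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600
EOF
    cat > "$1/main.bad.cf" <<'EOF'
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_policy_service unix:private/policyd-spf,
    reject_unauth_destination
EOF
    cat > "$1/master.good.cf" <<'EOF'
pickup    fifo  n       -       -       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
policyd-spf  unix  -       n       n       -       0       spawn
    user=nobody argv=/usr/bin/python /usr/bin/policyd-spf
EOF
    cat > "$1/master.bad.cf" <<'EOF'
pickup    fifo  n       -       -       60      1       pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
EOF
}

# Usage: sh postfix_lint.sh /etc/postfix/main.cf /etc/postfix/master.cf
if [ $# -eq 2 ]; then
    check_policy_order "$1"; check_master_overrides "$2"
    check_policy_service_defined "$1" "$2"
fi
```

Run it against the live files before step 9, and still finish with `postfix check` and `postconf -n`, which remain the authoritative syntax checks; this script only covers the three ordering and layout errors named above.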
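The two test messages above can be built and injected from the shell, and the resulting amavis verdicts pulled out of mail.log, with the script below. It is an added example rather than code from the page: the GTUBE and EICAR strings are the published test patterns, the log lines in sample_log are constructed in the format amavis writes (modelled on the ones in step 10, with example.com addresses), and the script assumes POSIX sh, awk, base64 and, to inject mail, the local sendmail(8).

```sh
#!/bin/sh
# Added example, not from the page: build the step 10 test messages and
# summarise amavis verdicts from mail.log. sample_log holds constructed
# log lines. Needs POSIX sh, awk, base64 and a local sendmail(8).

# GTUBE is the pattern SpamAssassin scores at 1000 points; EICAR is the
# 68-byte file every AV engine reports (ClamAV: Eicar-Test-Signature).
GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
BOUNDARY='eicar-test-boundary'

# Plain-text message with GTUBE on a line by itself in the body.
gtube_message() {   # $1 = From, $2 = To
    printf 'From: %s\nTo: %s\nSubject: GTUBE spam test\n\n%s\n' "$1" "$2" "$GTUBE"
}

# multipart/mixed message carrying eicar.com as a base64 attachment;
# amavis decodes the part and hands the file to clamd.
eicar_message() {   # $1 = From, $2 = To
    printf 'From: %s\nTo: %s\nSubject: EICAR virus test\nMIME-Version: 1.0\n' "$1" "$2"
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$BOUNDARY"
    printf '%s\nContent-Type: text/plain\n\nEICAR test file attached.\n\n' "--$BOUNDARY"
    printf '%s\nContent-Type: application/octet-stream; name="eicar.com"\n' "--$BOUNDARY"
    printf 'Content-Transfer-Encoding: base64\n'
    printf 'Content-Disposition: attachment; filename="eicar.com"\n\n'
    printf '%s' "$EICAR" | base64
    printf '%s--\n' "--$BOUNDARY"
}

# Inject both through the local MTA; -t takes the recipient from To:.
send_test_messages() {   # $1 = From, $2 = To
    gtube_message "$1" "$2" | sendmail -t
    eicar_message "$1" "$2" | sendmail -t
}

# One line per amavis verdict (Passed/Blocked with CLEAN, SPAMMY,
# INFECTED, ...) showing score, envelope addresses and quarantine file,
# then a TOTAL line per verdict. Reads log text on stdin.
amavis_summary() {
    awk '
        / amavis\[[0-9]+\]: .* (Passed|Blocked) [A-Z-]+/ {
            match($0, /(Passed|Blocked) [A-Z-]+/); v = substr($0, RSTART, RLENGTH)
            who = ""; if (match($0, /<[^>]*> -> <[^>]*>/)) who = substr($0, RSTART, RLENGTH)
            hits = "-"; if (match($0, /Hits: [^,]+/)) hits = substr($0, RSTART + 6, RLENGTH - 6)
            q = "-"; if (match($0, /quarantine: [^,]+/)) q = substr($0, RSTART + 12, RLENGTH - 12)
            n[v]++
            printf "%-16s hits=%-7s quarantine=%s %s\n", v, hits, q, who
        }
        END { for (v in n) printf "TOTAL %s %d\n", v, n[v] }
    '
}

# Constructed log lines in the format amavis writes (not real traffic).
sample_log() {
    cat <<'EOF'
Sep 29 13:50:25 mx amavis[8449]: (08449-01) Passed CLEAN, LOCAL [192.0.2.10] [192.0.2.10] <a@example.com> -> <b@example.com>, Message-ID: <1@example.com>, mail_id: AAAA, Hits: -1.44, size: 564, queued_as: 1111, 3852 ms
Sep 29 13:52:55 mx amavis[8454]: (08454-01) Passed SPAMMY, LOCAL [192.0.2.10] [192.0.2.10] <a@example.com> -> <b@example.com>, Message-ID: <2@example.com>, mail_id: BBBB, Hits: 1002.1, size: 649, queued_as: 2222, 12174 ms
Sep 29 14:07:56 mx amavis[8449]: (08449-02) Blocked INFECTED (Eicar-Test-Signature), LOCAL [192.0.2.10] [192.0.2.10] <a@example.com> -> <b@example.com>, quarantine: J/virus-JfYri+IcyuAB, Message-ID: <3@example.com>, mail_id: CCCC, Hits: -, size: 1062, 934 ms
EOF
}

# Usage: send_test_messages me@example.com test@mx.example.com
#        tail -n 200 /var/log/mail.log | amavis_summary
```

With the policy from step 5 the GTUBE message shows up as "Passed SPAMMY" (tagged, never killed, since $sa_kill_level_deflt is 999) and the EICAR message as "Blocked INFECTED" with a quarantine path you can hand to amavisd-release if the file needs recovering.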


Epilogue

You're done, really. There are some security issues that could be better, discussed further in Lockdown. (Yes, I know, passwords sitting in the filesystem, plainly readable, but they gotta get in, first.)

Stay tuned