Amavis, Spamassassin & ClamAV Setup

Amavis, Spamassassin & ClamAV Setup

This article covers:

  1. Spam filtering setup using spamassassin
  2. Antivirus scanning using clamav

Installing packages amavis, clamav, spamassassin

apt-get install amavisd-new spamassassin clamav clamav-daemon arj zoo nomarch cpio lzop cabextract apt-listchanges libauthen-sasl-perl  libdbi-perl libmail-dkim-perl p7zip rpm unrar-free libsnmp-perl

Please note that amavis itself doesn’t do any kind of spam-checking or virus-checking. It uses spamassassin for spam-testing and clamav for virus-testing. So we need to configure amavis only to spam & virus filtering implemented.

Amavis Configuration

By default, amavis comes with all kind of checks disabled! Might sound strange but we need to enable everything.

Enable virus & spam checking:

vim /etc/amavis/conf.d/15-content_filter_mode

Uncomment following lines:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

If your server has less spare CPU power, you may leave virus-checking disabled. ClamAV consumes considerable CPU resources. Also note that these checks delays mail delivery (generally by few seconds).

Set filtering preference:

Open

vim /etc/amavis/conf.d/50-user

Add following:

$sa_spam_subject_tag = undef;
$spam_quarantine_to  = undef;
$sa_tag_level_deflt  = undef;

# Prevent spams from automatically rejected by mail-server
$final_spam_destiny  = D_PASS;

# We need to provide list of domains for which filtering need to be done
@lookup_sql_dsn = (
    ['DBI:mysql:database=vimbadmin;host=127.0.0.1;port=3306',
     'vimbadmin',
     'password']);

$sql_select_policy = 'SELECT domain FROM domain WHERE CONCAT("@",domain) IN (%k)';

If you are getting too many false positives, you may change $sa_tag_level_deflt to a positive value.

For lookup_sql_dsn, please make sure your mysql database details matches one that is used by postfix & dovecot.

To finalize changes:

service amavis restart

Postfix config

Configuring amavis alone won’t work. We need to tell postfix to use amavis content-filters during mail processing.

Open vim /etc/postfix/master.cf

Find line containing:

pickup    fifo  n       -       -       60      1       pickup

Add 2-lines below it so it looks like:

pickup    fifo  n       -       -       60      1       pickup
        -o content_filter=
        -o receive_override_options=no_header_body_checks

Add following towards end:

smtp-amavis unix -      -       n     -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
    -o local_header_rewrite_clients=

Restart postfix

service postfix restart

Testing

Its better to test if above setup is actually filtering spam & virus. Use following test:

Leave a Reply