Garak: Created page with " Category:Bugweis {| align="right" | TOC |} '''How to set up Spam-filter Amavis (en)'''

In this howto, Postfix int..."

2021-05-22T16:20:42Z

Created page with " Category:Bugweis  {| align="right" | __TOC__ |} '''How to set up Spam-filter Amavis (en)''' In this howto, Postfix int..."

New page

[[Category:Bugweis]]

{| align="right"
| __TOC__
|}
'''How to set up Spam-filter Amavis (en)''' 
In this howto, Postfix integration with amavis-new will be presented. Amavis-new is a wrapper that can call any number of content filtering programs for spam detection, antivirus, etc. In this howto, integration with Spamassassin and Clamav will be presented. This is a classical installation of Postfix + Amavis-new + Spamassassin + Clamav.

== Installation ==
To begin, install the following packages:

<pre>
sudo aptitude install amavisd-new spamassassin clamav-daemon
</pre>

Install the optional packages for better spam detection:

<pre>
sudo aptitude install libnet-dns-perl pyzor razor
</pre>

Install these optional packages to enable better scanning of attached archive files:
<pre>
sudo aptitude install arj bzip2 cabextract cpio file gzip lha nomarch pax rar unrar unzip zip zoo
</pre>

== Configuration ==

=== Clamav ===

Add clamav user to the amavis group and vice versa in order for Clamav to have access to scan files:

<pre>
sudo adduser clamav amavis
sudo adduser amavis clamav
</pre>

=== Spamassassin ===
Edit <code>/etc/default/spamassassin</code> to activate the Spamassassin daemon change ENABLED=0 to:

<pre>
ENABLED=1
</pre>

and to enable automatic rule updates change CRON=0 at the bottom to:

<pre>
CRON=1
</pre>

Now start Spamassassin:

<pre>
sudo /etc/init.d/spamassassin start
</pre>

=== If bayes doesn't work ===
Add this to <code>/etc/spamassassin/local.cf</code>:
<pre>
bayes_path /var/lib/amavis/.spamassassin/bayes
</pre>

and now you have to do this steps:
<pre>
wget http://spamassassin.apache.org/publiccorpus/20050311_spam_2.tar.bz2
wget http://spamassassin.apache.org/publiccorpus/20030228_easy_ham_2.tar.bz2
tar xvfj 20050311_spam_2.tar.bz2
tar xvfj 20030228_easy_ham_2.tar.bz2
sa-learn --spam -u spamd --dir spam_2/*
sa-learn --ham -u spamd --dir easy_ham_2/*
</pre>

check bayes:
<pre>
spamassassin -D --lint 2>&1 | grep bayes
</pre>

Problev with <code>DB expiry</code>
<c>
sa-learn --force-expire -D
</c>

=== Whitelist / Blacklist by content ===
Open <code>/etc/spamassassin/65_debian.cf</code> and add rules to the end:

<pre>
header RULE_NAME Subject =~ /any string/i
score RULE_NAME -999.0
describe RULE_NAME Whitelist by keyword
</pre>

After changing any spamassasin configs run <code>--lint</code> to test configuration for errors
<pre>
spamassassin --lint
</pre>

=== Amavis ===
First, activate spam and antivirus detection in Amavis by editing <code>/etc/amavis/conf.d/15-content_filter_mode</code>:

<pre>
use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#

@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#

@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1; # insure a defined return
</pre>

Next modify <code>/etc/amavis/conf.d/05-node_id</code>

<pre>
use strict;

# $myhostname is used by amavisd-new for node identification, and it is
# important to get it right (e.g. for ESMTP EHLO, loop detection, and so on).

chomp($myhostname = <code>hostname --fqdn</code>);

# To manually set $myhostname, edit the following line with the correct Fully
# Qualified Domain Name (FQDN) and remove the # at the beginning of the line.
#
$myhostname = "mail.hostname.tld";

1; # ensure a defined return

</pre>

Next modify @local_domains_acl = in <code>/etc/amavis/conf.d/05-domain_id</code>

<pre>
@local_domains_acl = ( ".$mydomain","." );
</pre>

Now set the spam levels in <code>/etc/amavis/conf.d/20-debian_defaults</code>:

<pre>
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
</pre>

After configuration Amavis needs to be restarted:

<pre>
sudo /etc/init.d/amavis restart
</pre>

=== Postfix integration ===
For postfix integration, you need to add the content_filter configuration variable to the Postfix configuration file <code>/etc/postfix/main.cf</code>. This instructs postfix to pass messages to amavis at a given IP address and port:

<pre>
content_filter = smtp-amavis:[127.0.0.1]:10024
</pre>

The following postconf command, run as root because of the preceding sudo command, adds the content_filter specification line above to main.cf:

<pre>
postconf -e "content_filter = smtp-amavis:[127.0.0.1]:10024"
</pre>

Next edit <code>/etc/postfix/master.cf</code> and add the following to the end of the file:

<pre>
smtp-amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20

127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
</pre>

Also add the following two lines immediately below the "pickup" transport service:

<pre>
-o content_filter=
-o receive_override_options=no_header_body_checks
</pre>

Reload postfix:

<pre>
sudo /etc/init.d/postfix reload
</pre>

Now content filtering with spam and virus detection is enabled.

== Setting DKIM email signature (Optional) ==
[http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail DKIM] serves for verifing email sender. This can have disadvantage - if signed domain is blocked change of sendout server won't help much.

=== SPF DNS record ===
[http://en.wikipedia.org/wiki/Sender_Policy_Framework SPF] record specify list of IP addresses that are official send out servers for your domain. Use soft fail rule <code>~all</code> to support forwarding.
Add to DNS record (for GoDaddy its TXT section with host set to "@").
<c>
v=spf1 ip4:207.210.202.96 ip4:64.186.145.28 ~all
</c>

=== DKIM signing ===
We will use Amavis to sign outgoing emails [http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-impatient official documentation].
If setting dkim on SMTP only consider using OpenDKIM, [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy install howto]

All commands should be done as super user.

If not existing create folder for certificate:
<c bash>
mkdir -p /var/db/dkim
</c>
Generate certificate for domain:
<c bash>
amavisd-new genrsa /var/db/dkim/KEYNAME.key.pem
</c>

Edit <code>/etc/amavis/conf.d/50-User</code> and enable signing. SELECTOR can be used to specify key for specific user or send location - we just use 'default'.
<c config>
$enable_dkim_signing = 1;
dkim_key('DOMAINNAME', 'SELECTOR', '/var/db/dkim/KEYNAME.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
# uncomment to limit signing to specific IP
#@mynetworks = qw(0.0.0.0/8 127.0.0.0/8);;
</c>

Mark all emails coming in throw port 10024 as '''originating''' so they are signed:
<c config>
$policy_bank{'ORIGINATING'} = {
# indicates client is ours, allows signing
originating => 1,
smtpd_discard_ehlo_keywords => ['8BITMIME'],
};
# Use ORIGINATING policy to enable DKIM signing
$interface_policy{'10024'} = 'ORIGINATING';
</c>

Now get public key and publish it in DNS record:
<c config>
amavisd-new showkeys
</c>
Copy down domain name with selector example (<code>default._domainkey.wisemarketing.com</code>. For public key remove '"' and spaces to get something like:
<c>
v=DKIM1; p=VERYLOOOOONGSTRING
</c>

DNS record shoud be in TXT section with <code>default._domainkey</code> as host followed by KEY data. See your specific provider howtos / forums.

After key is published test if DNS record match Amavis settings
<c bash>
amavisd-new testkeys
</c>

If test pass, restart Amavis
<c bash>
service amavis restart
</c>

Test send mail. It should have DKIM signature header.

amavisd testkeys

== Test ==

First, test that the amavis SMTP is listening:

<pre>
telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
^]
</pre>

On messages that go through the content filter you should see:

<pre>
X-Virus-Scanned: Debian amavisd-new at mail.hostname.tld
X-Spam-Flag:
X-Spam-Score:
X-Spam-Level:
X-Spam-Status:
</pre>

Done!

ZhoubaWiki:HowToSetupSpamFilterAmavis - Revision history

Garak: Created page with " Category:Bugweis {| align="right" | __TOC__ |} '''How to set up Spam-filter Amavis (en)''' In this howto, Postfix int..."

Garak: Created page with " Category:Bugweis {| align="right" | TOC |} '''How to set up Spam-filter Amavis (en)'''

In this howto, Postfix int..."