ZhoubaWiki:HowToSetupSpamFilterAmavis
How to set up Spam-filter Amavis (en)
This howto presents Postfix integration with amavisd-new. Amavisd-new is a wrapper that can call any number of content filtering programs for spam detection, antivirus, etc. Here it is integrated with Spamassassin and Clamav. This is a classical installation of Postfix + amavisd-new + Spamassassin + Clamav.
Installation
To begin, install the following packages:
sudo aptitude install amavisd-new spamassassin clamav-daemon
Install the optional packages for better spam detection:
sudo aptitude install libnet-dns-perl pyzor razor
Install these optional packages to enable better scanning of attached archive files:
sudo aptitude install arj bzip2 cabextract cpio file gzip lha nomarch pax rar unrar unzip zip zoo
Configuration
Clamav
Add clamav user to the amavis group and vice versa in order for Clamav to have access to scan files:
<c bash>
sudo adduser clamav amavis
sudo adduser amavis clamav
</c>
Spamassassin
Edit /etc/default/spamassassin. To activate the Spamassassin daemon, change ENABLED=0 to:
ENABLED=1
and to enable automatic rule updates change CRON=0 at the bottom to:
CRON=1
Now start Spamassassin:
sudo /etc/init.d/spamassassin start
If bayes doesn't work
Add this to /etc/spamassassin/local.cf:
bayes_path /var/lib/amavis/.spamassassin/bayes
Then run these steps:
<c bash>
wget http://spamassassin.apache.org/publiccorpus/20050311_spam_2.tar.bz2
wget http://spamassassin.apache.org/publiccorpus/20030228_easy_ham_2.tar.bz2
tar xvfj 20050311_spam_2.tar.bz2
tar xvfj 20030228_easy_ham_2.tar.bz2
sa-learn --spam -u spamd --dir spam_2/*
sa-learn --ham -u spamd --dir easy_ham_2/*
</c>
Check bayes:
spamassassin -D --lint 2>&1 | grep bayes
Problem with DB expiry
<c>
sa-learn --force-expire -D
</c>
Whitelist / Blacklist by content
Open /etc/spamassassin/65_debian.cf and add rules to the end:
<c config>
header RULE_NAME Subject =~ /any string/i
score RULE_NAME -999.0
describe RULE_NAME Whitelist by keyword
</c>
After changing any Spamassassin configs, run --lint to test the configuration for errors:
spamassassin --lint
Amavis
First, activate spam and antivirus detection in Amavis by editing /etc/amavis/conf.d/15-content_filter_mode:
<c config>
use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # insure a defined return
</c>
Next modify /etc/amavis/conf.d/05-node_id:
<c config>
use strict;

# $myhostname is used by amavisd-new for node identification, and it is
# important to get it right (e.g. for ESMTP EHLO, loop detection, and so on).

chomp($myhostname = `hostname --fqdn`);

# To manually set $myhostname, edit the following line with the correct Fully
# Qualified Domain Name (FQDN) and remove the # at the beginning of the line.
# $myhostname = "mail.hostname.tld";

1;  # ensure a defined return
</c>
Next, set @local_domains_acl in /etc/amavis/conf.d/05-domain_id:
@local_domains_acl = ( ".$mydomain","." );
Now set the spam levels in /etc/amavis/conf.d/20-debian_defaults:
<c config>
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5;     # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31;  # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;    # spam level beyond which a DSN is not sent
</c>
After configuration Amavis needs to be restarted:
sudo /etc/init.d/amavis restart
Postfix integration
For postfix integration, you need to add the content_filter configuration variable to the Postfix configuration file /etc/postfix/main.cf. This instructs postfix to pass messages to amavis at a given IP address and port:
content_filter = smtp-amavis:[127.0.0.1]:10024
The following postconf command, run as root because of the preceding sudo command, adds the content_filter specification line above to main.cf:
sudo postconf -e "content_filter = smtp-amavis:[127.0.0.1]:10024"
Next edit /etc/postfix/master.cf and add the following to the end of the file:
<c config>
smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
</c>
Also add the following two lines immediately below the "pickup" transport service:
<c config>
        -o content_filter=
        -o receive_override_options=no_header_body_checks
</c>
Reload postfix:
sudo /etc/init.d/postfix reload
Now content filtering with spam and virus detection is enabled.
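A lint for the return path configured above, as an added example that is not part of the original howto: it checks that the 127.0.0.1:10025 listener clears content_filter (otherwise filtered mail is handed back to amavis) and only accepts loopback clients. The function name check_reinject and the sample file are made up for this illustration.

```shell
#!/bin/sh
# check_reinject FILE: print one line per problem with the amavis return
# listener in a master.cf-style file; exit status 0 means none were found.
check_reinject() {
    awk -v want="127.0.0.1:10025" '
    function need(name, val) {
        if (!((want, name) in opt)) {
            print want ": missing -o " name "=" val; bad = 1
        } else if (opt[want, name] != val) {
            print want ": " name "=" opt[want, name] " (expected \"" val "\")"; bad = 1
        }
    }
    /^[ \t]*#/ { next }                                  # comment
    /^[ \t]*$/ { next }                                  # blank line
    /^[^ \t]/  { svc = $1; seen[svc] = 1; first = 9 }    # service line, args start at field 9
    /^[ \t]/   { first = 1 }                             # continuation of the current service
    {
        for (i = first; i < NF; i++) {
            if ($i != "-o") continue
            eq = index($(i + 1), "=")
            if (eq) opt[svc, substr($(i + 1), 1, eq - 1)] = substr($(i + 1), eq + 1)
        }
    }
    END {
        for (s in seen)
            if ((s == "10025" || s ~ /:10025$/) && s != want) {
                print s ": port 10025 is not bound to 127.0.0.1 only"; bad = 1
            }
        if (!(want in seen)) { print want ": listener not defined"; exit 1 }
        need("content_filter", "")       # non-empty or absent: mail loops back to amavis
        need("mynetworks", "127.0.0.0/8")
        need("smtpd_client_restrictions", "permit_mynetworks,reject")
        need("smtpd_recipient_restrictions", "permit_mynetworks,reject")
        exit bad + 0
    }' "$1"
}

# Constructed sample: the listener from this howto with the content_filter
# override left out and mynetworks widened (10.0.0.0/8 is a made-up value).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1:10025 inet n - - - - smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,10.0.0.0/8
EOF
check_reinject "$sample" || echo "return path needs fixing"
rm -f "$sample"
```

On a live system, run it as `check_reinject /etc/postfix/master.cf` before reloading postfix.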
Setting DKIM email signature (Optional)
DKIM serves to verify the email sender. This can have a disadvantage: if the signed domain is blocked, changing the send-out server won't help much.
SPF DNS record
An SPF record specifies the list of IP addresses that are the official send-out servers for your domain. Use the soft fail rule ~all to support forwarding.
Add it to your DNS records (for GoDaddy it is the TXT section with host set to "@").
<c>
v=spf1 ip4:207.210.202.96 ip4:64.186.145.28 ~all
</c>
DKIM signing
We will use Amavis to sign outgoing emails (see the official documentation). If you are setting up DKIM on SMTP only, consider using OpenDKIM (see its install howto).
All commands should be run as super user.
If it does not exist yet, create a folder for the key:
<c bash>
mkdir -p /var/db/dkim
</c>
Generate the key for the domain:
<c bash>
amavisd-new genrsa /var/db/dkim/KEYNAME.key.pem
</c>
Edit /etc/amavis/conf.d/50-User and enable signing. SELECTOR can be used to specify a key for a specific user or send location; we just use 'default'.
<c config>
$enable_dkim_signing = 1;
dkim_key('DOMAINNAME', 'SELECTOR', '/var/db/dkim/KEYNAME.key.pem');
@dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
# uncomment to limit signing to specific IP
# @mynetworks = qw(0.0.0.0/8 127.0.0.0/8);
</c>
Mark all emails coming in through port 10024 as originating so they are signed:
<c config>
$policy_bank{'ORIGINATING'} = {
    # indicates client is ours, allows signing
    originating => 1,
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
};
# Use ORIGINATING policy to enable DKIM signing
$interface_policy{'10024'} = 'ORIGINATING';
</c>
Now get the public key and publish it in a DNS record:
<c config>
amavisd-new showkeys
</c>
Copy down the domain name with the selector (for example default._domainkey.wisemarketing.com). For the public key, remove the '"' characters and spaces to get something like:
<c>
v=DKIM1; p=VERYLOOOOONGSTRING
</c>
The DNS record should be in the TXT section with default._domainkey as host, followed by the KEY data. See your specific provider's howtos / forums.
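An added example (not from the original howto or the amavis project) of the quote-stripping step above, extended to compare the local key with what DNS returns. The zone-file style record layout, the `dig +short TXT` style answer, the function names and the placeholder key material are all constructed assumptions.

```shell
#!/bin/sh
# join_chunks: concatenate the contents of every "quoted" chunk on stdin.
# Works for zone-file style records and for `dig +short TXT` answers alike.
join_chunks() {
    awk '
    /^[ \t]*;/ { next }                          # zone-file comment line
    {
        line = $0
        while (match(line, /"[^"]*"/)) {         # take each chunk, drop its quotes
            out = out substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { print out }'
}

# p_tag: print the p= (public key) tag of a DKIM record value given on stdin.
p_tag() {
    tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | tr -d '[:space:]'
}

# same_key LOCAL PUBLISHED: succeed only if both records carry the same key.
same_key() {
    a=$(printf '%s\n' "$1" | join_chunks | p_tag)
    b=$(printf '%s\n' "$2" | join_chunks | p_tag)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data; the key material is a placeholder, not a real key.
local_rec='; key#1, i=default, d=example.com
default._domainkey.example.com. 3600 TXT (
  "v=DKIM1; p="
  "PLACEHOLDERKEYPART1"
  "PLACEHOLDERKEYPART2")'
dns_answer='"v=DKIM1; p=PLACEHOLDERKEYPART1" "PLACEHOLDERKEYPART2"'

value=$(printf '%s\n' "$local_rec" | join_chunks)
echo "TXT value to publish: $value (${#value} characters)"
same_key "$local_rec" "$dns_answer" && echo "published key matches"
```

A single TXT string holds at most 255 characters, so check the printed length against how your DNS provider expects longer keys to be entered.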
After the key is published, test whether the DNS record matches the Amavis settings:
<c bash>
amavisd-new testkeys
</c>
If the test passes, restart Amavis:
<c bash>
service amavis restart
</c>
Send a test mail. It should have a DKIM signature header.
amavisd testkeys
Test
First, test that the amavis SMTP is listening:
<c>
telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
^]
</c>
On messages that go through the content filter you should see:
<c>
X-Virus-Scanned: Debian amavisd-new at mail.hostname.tld
X-Spam-Flag:
X-Spam-Score:
X-Spam-Level:
X-Spam-Status:
</c>
Done!