Postfix Anti Spam Anti Virus Email Server With Amavisd-New Spamassassin and ClamAV

Software Used

 

Email Server: Postfix

Operating System: CentOS5

Anti-Spam: Spamassassin

Anti-Virus: Clamav

Other: Amavisd-new


 
Note: To install the required packages we will enable the RPMforge repository. The default RPMforge repository does not replace any CentOS base packages; packages such as amavisd-new are simply not part of the standard CentOS distribution.


Prerequisite: Set up an email server with Postfix first. If you have not already done so, please refer to the document on setting up a Postfix email server.

About: We will use the amavisd-new engine to add anti-spam and anti-virus capabilities. Amavisd-new uses SpamAssassin as the anti-spam software and ClamAV as the anti-virus scanner. Amavisd-new is a single engine that can drive multiple spam and anti-virus scanners.
 

1) Enable rpmforge Repository and install Packages

   A) Run below command as root

# wget RPMForge RPM File (copy paste the link)

   B) Install DAG's GPG key

# rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt

   C) Install repository.

# rpm -i rpmforge-release-0.5.2-2.el5.rf.i386.rpm
   
   D) Install packages.

# yum install spamassassin.i386 clamd.i386 amavisd-new.i386

2) Configure Postfix to send email to amavisd for filtering.
   
   A) Edit main.cf
# vi /etc/postfix/main.cf

content_filter = smtp-amavis:[127.0.0.1]:10024

   B) Edit master.cf
# vi /etc/postfix/master.cf

smtp-amavis  unix    -    -    y    -    2    smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes


127.0.0.1:10025 inet    n    -    y    -    -    smtpd
 -o content_filter=
 -o local_recipient_maps=
 -o relay_recipient_maps=
 -o smtpd_restriction_classes=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=127.0.0.0/8
 -o strict_rfc821_envelopes=yes
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000
 -o receive_override_options=no_header_body_checks
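To verify that the two master.cf services above are wired up safely, here is an added Python check (example code written for this article, not part of Postfix or amavisd-new). It parses a constructed master.cf fragment and flags the usual mistakes on the 127.0.0.1:10025 re-injection listener: a missing empty content_filter override (filtered mail would loop back into amavisd) and restrictions that would let hosts other than the loopback relay through it.

```python
import re

# Constructed master.cf fragment with the two services from step 2 (sample
# input for this example, not read from a live system).
MASTER_CF = """\
smtp         inet  n  -  n  -  -  smtpd
smtp-amavis  unix  -  -  y  -  2  smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
127.0.0.1:10025 inet  n  -  y  -  -  smtpd
 -o content_filter=
 -o local_recipient_maps=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text):
    """Return {service: {"type": ..., "cmd": ..., "opts": {...}}}. Indented
    lines continue the previous service and carry its -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$", line)
            if m and current is not None:
                services[current]["opts"][m.group(1)] = m.group(2).strip()
            continue
        f = line.split()
        current = f[0]
        services[current] = {"type": f[1], "cmd": f[7] if len(f) > 7 else "",
                             "opts": {}}
    return services

def check_reinjection(services, name="127.0.0.1:10025"):
    """List misconfigurations of the listener amavisd hands mail back to."""
    svc = services.get(name)
    if svc is None:
        return ["listener %s not defined" % name]
    problems = []
    if svc["type"] != "inet" or not name.startswith("127.0.0.1:"):
        problems.append("re-injection service must be an inet listener on 127.0.0.1")
    # The empty content_filter override is what stops filtered mail from being
    # handed to amavisd a second time (an endless loop).
    if svc["opts"].get("content_filter") != "":
        problems.append("content_filter is not overridden to empty (mail loop)")
    if svc["opts"].get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
        problems.append("recipient restrictions should be permit_mynetworks,reject")
    if svc["opts"].get("mynetworks") != "127.0.0.0/8":
        problems.append("mynetworks should be overridden to 127.0.0.0/8")
    return problems
```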



3) Configure Amavisd to filter SPAM and virus emails

 A) Spam emails will be passed on with the tag ***SPAM*** added to the subject line
 B) Virus emails will be quarantined

 Edit the Amavisd configuration file

# vi /etc/amavisd.conf

$max_servers = 4; # increase this to 4 if you have high email
                  # traffic; the default is 2
           
$daemon_user  = "amavis";  # (no default)
$daemon_group = "amavis";  # (no default)

$mydomain = 'linuxsol.in'; # 

$MYHOME = '/var/amavis';    # check the home directory
                            # of amavis user in /etc/passwd
$TEMPBASE = "$MYHOME/tmp";  # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;   # environment variable TMPDIR, 
                            # used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";

$db_home   = "$MYHOME/db";  # dir for bdb nanny/cache/
                            # snmp databases, -D

$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient 
                             # level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal)
                             # priority as a string,
# choose from: emerg, alert, crit, err, warning, notice, info, debug

$enable_db = 1;            # enable use of BerkeleyDB/libdb 
                           # (SNMP and nanny)
$enable_global_cache = 1;  # enable use of libdb-based cache if 
                           # $enable_db=1
$nanny_details_level = 2;  # nanny verbosity: 1: traditional, 2: 
                           # detailed
$enable_dkim_verification = 1;  # enable DKIM signatures 
                                # verification
$enable_dkim_signing = 1;  # load DKIM signing code, keys 
                           # defined by dkim_key


# List all your local domains in /var/amavis/local_domains;
# spam addressed to these domains is tagged with ***SPAM***
# in the subject line

@local_domains_maps = ( read_hash("/var/amavis/local_domains") );


@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

$unix_socketname = "$MYHOME/amavisd.sock"; #amavisd-release
               # or amavis-milter
               # option(s) -p overrides $inet_socket_port 
               # and $unix_socketname

$inet_socket_port = 10024;   # listen on this local TCP port(s)


$sa_tag_level_deflt  = -12.0;  # add spam info headers if at, or 
                               # above that level
                               # even if the emails are not spam. 
                               # We would come
                               # to know what all spam rules 
                               # were applied and
                               # their scores
$sa_tag2_level_deflt = 4.2;  # add ***SPAM*** in the subject 
                             # line (look headers)
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions 
                             # (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which 
                             # a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for 
                                        # a likely 
                                        # valid From
# $sa_quarantine_cutoff_level = 25; #spam level beyond which 
                                    #quarantine is off
$penpals_bonus_score = 8;    #(no effect without a 
                             #@storage_sql_dsn 
                             #database)
$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time
                                               # on high-scoring spam
$bounce_killer_score = 100;# spam score points to add 
                          # for joe-jobbed bounces


$sa_mail_body_size_limit = 400*1024; # don't waste time on 
                                     # SA if mail is larger
$sa_local_tests_only = 1;# 1 = run only tests that do not need
                         # internet access (skips the network
                         # lookups); 0 by default

$notify_method  = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';#Send email to postfix
                                          # after scanning
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_PASS; # D_BOUNCE by default
$final_bad_header_destiny = D_PASS;

@av_scanners = (

# ### http://www.clanfield.info/sophie/ (http://www.vanja.com
# /tools/sophie/)
# ['Sophie',
#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 
# ( : | [\000\r\n]* $)/m,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],
# ### http://www.clamav.net/
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run
# # it under its own uid such as clamav, add user clamav to
# # the amavis group, and then add
);
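The $sa_tag_level_deflt / $sa_tag2_level_deflt / $sa_kill_level_deflt ladder above is easier to reason about when written out. The following is an added Python example (not part of amavisd-new) that maps a SpamAssassin score to the actions this configuration takes, including how $final_spam_destiny and $sa_dsn_cutoff_level decide the kill-level outcome, and that parses a constructed X-Spam-Status header of the kind amavisd adds; it assumes the threshold values shown in the configuration above.

```python
import re

# Thresholds as set in the amavisd.conf above (assumed unchanged).
SA_TAG_LEVEL = -12.0   # add X-Spam-* headers at or above this score
SA_TAG2_LEVEL = 4.2    # also prepend ***SPAM*** to the Subject
SA_KILL_LEVEL = 6.9    # "evasive action": $final_spam_destiny decides
SA_DSN_CUTOFF = 10     # beyond this no bounce (DSN) is sent to the sender

def spam_actions(score, final_spam_destiny="D_PASS"):
    """What amavisd-new does with a message of the given SpamAssassin score.
    Each level implies the ones below it; the kill-level outcome depends on
    $final_spam_destiny (D_PASS in this configuration)."""
    actions = []
    if score >= SA_TAG_LEVEL:
        actions.append("add X-Spam-* headers")
    if score >= SA_TAG2_LEVEL:
        actions.append("tag Subject with ***SPAM***")
    if score >= SA_KILL_LEVEL:
        if final_spam_destiny == "D_PASS":
            actions.append("kill level reached, but D_PASS: deliver (tagged)")
        elif final_spam_destiny == "D_BOUNCE" and score < SA_DSN_CUTOFF:
            actions.append("block and send a DSN to the sender")
        else:  # D_DISCARD, or D_BOUNCE beyond the DSN cutoff
            actions.append("block without DSN")
    return actions

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?P<flag>Yes|No), score=(?P<score>-?[\d.]+)"
    r".*?tests=\[(?P<tests>[^\]]*)\]", re.S)

def parse_spam_status(header):
    """Flag, score and per-rule scores from a (possibly folded) X-Spam-Status
    header, which amavisd adds once the score is at or above the tag level."""
    m = STATUS_RE.match(header)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = {}
    for item in m.group("tests").replace("\n", " ").split(","):
        name, _, val = item.strip().partition("=")
        if name:
            tests[name] = float(val)
    return {"flag": m.group("flag") == "Yes",
            "score": float(m.group("score")), "tests": tests}

# Constructed header in the shape of the GTUBE test mail later on this page.
GTUBE_STATUS = ("X-Spam-Status: Yes, score=1003.348 tagged_above=2 required=4.2\n"
                "    tests=[AWL=1.275, FH_DATE_PAST_20XX=2.075, GTUBE=1000,\n"
                "    NO_RELAYS=-0.001] autolearn=no")
```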


 4) Add your domain to /var/amavis/local_domains

# vi /var/amavis/local_domains
linuxsol.in

 5) Change owner of the file

# chown amavis:amavis /var/amavis/local_domains


 6) Start clamd service
 # /etc/init.d/clamd start

 7) Start Amavisd-new service
 # /etc/init.d/amavisd start

 8) Restart Postfix
 # /etc/init.d/postfix restart

 9) Add Postfix, Amavisd and clamd to the default runlevels

  # chkconfig --level 2345 amavisd on
  # chkconfig --level 2345 clamd on
  # chkconfig --level 2345 postfix on

 10) Get the sample spam and virus test strings and save them in test files
 As a normal user, go to your home directory and create a directory for the test mails:
 $ mkdir email
 $ cd email
 $ echo 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X' > Sample-Spam.txt
 $ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > Sample-Virus.txt
 The single quotes matter: inside double quotes the shell would expand $EICAR and $H and treat the ! as history expansion, leaving a string that ClamAV no longer recognises.

 11) Send an email from the command line and check.

 $ echo test | mail sumitk@linuxsol.in -s "Test Email"

 A) Check logs

 $ tail -fn 20 /var/log/maillog
 
 May 13 16:50:14 sumitk postfix/pickup[7783]: 7BAFB19841E: 
 uid=500 from=<sumitk>
 May 13 16:50:14 sumitk postfix/cleanup[7885]: 7BAFB19841E:
 message-id=<20110513112014.7BAFB19841E@sumitk.linuxsol.in>
 May 13 16:50:14 sumitk postfix/qmgr[7782]: 7BAFB19841E: 
 from=<sumitk@sumitk.linuxsol.in>, size=322, nrcpt=1 (queue active)
 May 13 16:50:22 sumitk imapd: Connection, ip=[::ffff:127.0.0.1]
 May 13 16:50:22 sumitk imapd: LOGIN, user=sumitk@linuxsol.in, 
 ip=[::ffff:127.0.0.1], port=[45827], protocol=IMAP
 May 13 16:50:22 sumitk imapd: LOGOUT, user=sumitk@linuxsol.in, 
 ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=391, time=0
 May 13 11:20:25 sumitk postfix/smtpd[7794]: connect from unknown[127.0.0.1]
 May 13 11:20:25 sumitk postfix/smtpd[7794]: 95F4B19841D: client=unknown[127.0.0.1]
 May 13 16:50:25 sumitk postfix/cleanup[7885]: 95F4B19841D: message-id=
 <20110513112014.7BAFB19841E@sumitk.linuxsol.in>
 May 13 16:50:25 sumitk postfix/qmgr[7782]: 95F4B19841D: 
 from=<sumitk@sumitk.linuxsol.in>, size=983, nrcpt=1 (queue active)
 May 13 16:50:25 sumitk amavis[7846]: (07846-01) Passed CLEAN,
 <sumitk@sumitk.linuxsol.in> -> <sumitk@linuxsol.in>,
 Message-ID: <20110513112014.7BAFB19841E@sumitk.linuxsol.in>,
 mail_id: Vw9xDa1h8Sv8, Hits: 5.558, size: 322, queued_as: 95F4B19841D, 11053 ms
 May 13 16:50:25 sumitk postfix/smtp[7888]: 7BAFB19841E: 
 to=<sumitk@linuxsol.in>, relay=127.0.0.1[127.0.0.1]:10024, 
 delay=11, delays=0.1/0.02/0.05/11, dsn=2.0.0, status=sent (250 2.0.0 Ok, 
 id=07846-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 95F4B19841D)
 May 13 16:50:25 sumitk postfix/qmgr[7782]: 7BAFB19841E: removed
 May 13 16:50:25 sumitk postfix/virtual[7897]: 95F4B19841D: 
 to=<sumitk@linuxsol.in>, relay=virtual, delay=0.07, 
 delays=0.02/0.03/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
 May 13 16:50:25 sumitk postfix/qmgr[7782]: 95F4B19841D: removed


 B) Check the headers of the email.

 Return-Path: <sumitk@sumitk.linuxsol.in>
 X-Original-To: sumitk@linuxsol.in
 Delivered-To: sumitk@linuxsol.in
 Received: from localhost (unknown [127.0.0.1])
     by sumitk.linuxsol.in (Postfix) with ESMTP id 95F4B19841D
     for <sumitk@linuxsol.in>; Fri, 13 May 2011 11:20:25 +0000 (UTC)
 X-Virus-Scanned: amavisd-new at linuxsol.in
 X-Spam-Flag: NO
 X-Spam-Score: 5.558
 X-Spam-Level: *****
 X-Spam-Status: No, score=5.558 tagged_above=2 required=6.2 tests=[AWL=-0.256,
     DNS_FROM_OPENWHOIS=2.431, FH_DATE_PAST_20XX=3.384, NO_RELAYS=-0.001]
     autolearn=no
 Received: from sumitk.linuxsol.in ([127.0.0.1])
     by localhost (sumitk.linuxsol.in [127.0.0.1]) (amavisd-new, port 10024)
     with ESMTP id Vw9xDa1h8Sv8 for <sumitk@linuxsol.in>;
     Fri, 13 May 2011 16:50:14 +0530 (IST)
 Received: by sumitk.linuxsol.in (Postfix, from userid 500)
     id 7BAFB19841E; Fri, 13 May 2011 16:50:14 +0530 (IST)
 To: sumitk@linuxsol.in
 Subject: Test Email
 Message-Id: <20110513112014.7BAFB19841E@sumitk.linuxsol.in>
 Date: Fri, 13 May 2011 16:50:14 +0530 (IST)
 From: sumitk@sumitk.linuxsol.in (Sumit Kumar)

 12) Now send a spam email

 $ cd $HOME/email
 $ cat Sample-Spam.txt | mail sumitk@linuxsol.in -s "Test Email"

 A) Check logs

 $ tail -fn 20 /var/log/maillog

 May 13 16:55:48 sumitk amavis[7954]: (07954-01) Passed SPAM,
 <sumitk@sumitk.linuxsol.in> -> <sumitk@linuxsol.in>, 
 quarantine: spam-2wPeZF4jjk4y.gz, Message-ID: 
 <20110513112548.63A1F19841E@sumitk.linuxsol.in>, 
 mail_id: 2wPeZF4jjk4y, Hits: 1003.348, size: 386, 
 queued_as: C904C19841D, 420 ms
 
 B) CHECK SPAM HEADERS

 X-Spam-Flag: YES
 X-Spam-Score: 1003.348
 X-Spam-Level: ****************************************************************
 X-Spam-Status: Yes, score=1003.348 tagged_above=2 required=4.2
     tests=[AWL=1.275, FH_DATE_PAST_20XX=2.075, GTUBE=1000,
     NO_RELAYS=-0.001] autolearn=no

 13) Now send a virus email

 $ cat Sample-Virus.txt | mail sumitk@linuxsol.in -s "Test Email"

 A) Check logs

 $ tail -fn 20 /var/log/maillog

 May 13 17:00:46 sumitk amavis[7953]: (07953-02) Blocked INFECTED 
 (Eicar-Test-Signature), <sumitk@sumitk.linuxsol.in> -> <sumitk@linuxsol.in>,
 quarantine: virus-6GOMgbRdcknR, Message-ID: <20110513113046.54A9119841E@
 sumitk.linuxsol.in>, mail_id: 6GOMgbRdcknR, Hits: -, size: 386, 272 ms
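The three maillog entries from steps 11 to 13 (Passed CLEAN, Passed SPAM, Blocked INFECTED) are what you will grep for after every change to this setup. Below is an added Python example (written for this article, not a tool shipped with amavisd-new) that parses such amavis log lines into structured records and summarises verdicts and quarantined mail_ids; the sample lines are constructed in the shape of the ones shown above.

```python
import re

# Constructed log lines in the format of the amavis entries shown in steps
# 11 to 13 (syslog prefix dropped, each entry unfolded onto one line).
SAMPLE_LOG = [
    "amavis[7846]: (07846-01) Passed CLEAN, <sumitk@sumitk.linuxsol.in> -> "
    "<sumitk@linuxsol.in>, Message-ID: <a@example.invalid>, mail_id: Vw9xDa1h8Sv8, "
    "Hits: 5.558, size: 322, queued_as: 95F4B19841D, 11053 ms",
    "amavis[7954]: (07954-01) Passed SPAM, <sumitk@sumitk.linuxsol.in> -> "
    "<sumitk@linuxsol.in>, quarantine: spam-2wPeZF4jjk4y.gz, Message-ID: "
    "<b@example.invalid>, mail_id: 2wPeZF4jjk4y, Hits: 1003.348, size: 386, "
    "queued_as: C904C19841D, 420 ms",
    "amavis[7953]: (07953-02) Blocked INFECTED (Eicar-Test-Signature), "
    "<sumitk@sumitk.linuxsol.in> -> <sumitk@linuxsol.in>, quarantine: "
    "virus-6GOMgbRdcknR, Message-ID: <c@example.invalid>, mail_id: 6GOMgbRdcknR, "
    "Hits: -, size: 386, 272 ms",
    "postfix/qmgr[7782]: 7BAFB19841E: removed",   # not an amavis line
]

LINE_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<action>Passed|Blocked) "
    r"(?P<verdict>[A-Z-]+)(?: \((?P<detail>[^)]*)\))?, "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>,"
    r"(?: quarantine: (?P<quarantine>\S+),)?.*? mail_id: (?P<mail_id>\S+), "
    r"Hits: (?P<hits>-?[\d.]+|-)")

def parse_amavis_line(line):
    """Structured record for one amavis log entry, or None for other lines.
    hits is None when SpamAssassin did not run (virus hits are logged as '-')."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = None if rec["hits"] == "-" else float(rec["hits"])
    return rec

def summarize(lines):
    """Verdict counts plus (mail_id, quarantine file, detail) for every
    quarantined message: the quick check after sending the three test mails."""
    counts, quarantined = {}, []
    for line in lines:
        rec = parse_amavis_line(line)
        if rec is None:
            continue
        key = "%s %s" % (rec["action"], rec["verdict"])
        counts[key] = counts.get(key, 0) + 1
        if rec["quarantine"]:
            quarantined.append((rec["mail_id"], rec["quarantine"], rec["detail"]))
    return counts, quarantined
```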

14) Update SpamAssassin rules

# ls -ltr /var/lib/spamassassin/3.002005/updates_spamassassin_org/*

 A) If no files exist, run the command below:

# sa-update

 B) Now check the directory once again.

# ls -ltr /var/lib/spamassassin/3.002005/updates_spamassassin_org/*
The rules should now be populated. If you want new SpamAssassin rules and updates to be downloaded automatically, put the command into root's crontab to run daily.

The cron entry below runs daily at 1:30 AM:

# crontab -e
30 1 * * * /usr/bin/sa-update > /dev/null 2>&1

 NOTE: Check the amavis and clamav users in the /etc/passwd file.
       The clamav user (the account clamd runs as) should be added to the amavis group
       so that amavis can access the socket file.

 
[sumitk@sumitk ~]$ cat /etc/passwd | grep amav
clamav:x:102:104:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
amavis:x:103:105:Amavis email scan user:/var/amavis:/bin/sh


[sumitk@sumitk ~]$ id clamav
uid=102(clamav) gid=104(clamav) groups=104(clamav),105(amavis)
[sumitk@sumitk ~]$ id amavis
uid=103(amavis) gid=105(amavis) groups=105(amavis)



Please post your comments and doubts.
