Complete Virtual Mail Server/amavisd spamassassin clamav

Introduction
Spam is becoming more and more of an issue on the Internet and a robust and solid solution is required. There are paid services for even more spam protection but that should not be required and will not be discussed in this article.

Postfix
The first line of defense, is postfix itself. Postfix offers a few basic means to block spam, or rather spammers. Using  it is possible to use public DNS blacklists. There are 3 popular DNS blacklists of which one is incorporated into the other. These two lists are also the most accurate ones. The most important one is zen.spamhaus.org and as a backup bl.spamcop.net can be used. Using them with postfix is very simple. Add these domains as  in :

Introduction
Spam-assassin and ClamAV are the tools to block spam and viruses, however amavis is required to tie this all together. Amavis will actually behave as a mail server in itself, accept mail, filter it, and send it onwards again. For this to work, postfix will need to actually listen for mail twice. The default port 25 is where mail initially is received on. From there on it is sent to amavis, which will be listening on port 10024. When amavis is done with the message, it will be sent to postfix on a different port, 10025. The reason for this should be obvious. If mail would be offered again on port 25, it would be passed to amavis again and thus in an endless loop. Obviously, postfix on port 10025 would only be listening to known hosts, like localhost and not check for spam anymore.

Installation
Amavis should have been installed already, if not, emerge it. This should pull in spam-assassin and clamav as its dependencies.

Basic Configuration
Amavisd offers an enormous amount of options and going over all them will take some time. The configuration file however is well documented and divided into clear sections. Each section will be examined as needed. Only options that will be changed will be mentioned to cut down the text for readability.

For this example amavisd will be running on host foo but this could be any other host as well, amavisd does not require to run on the same host as postfix. Also the domain used is only used to identify the server itself with, not the domains amavisd will be scanning.

The first step, is to disable all actual checks and to enable logging. Also some default values should be setup.

Normally restarting postfix should restart amavisd as well. For now, only amavisd should be started to see if there are any initial problems.

Linking amavisd to Postfix
With amavisd working in bare skeletal mode, it should theoretically just pass mail through. Perfect for testing the postfix -> amavisd -> postfix binding.

First, a second postfix transport, where amavis will inject its mail, is added. A lot of options are defaulted to empty, since either they have been checked already, or interfere otherwise.

With this transport in place, it should only listen on localhost and only accept mail from localhost. This should be extended if amavis is run elsewhere, but keep in mind anything is accepted.

Next another transport is added for, which could be considers 'being' amavis in a sense.

After the transport for amavis has been added, smtp should be told to route all mail through amavis. For this two option need to be added to smtpd and change the maxproc to match amavis's.

Restarting both amavisd and postfix then should pass all mail through amavisd.

Testing
Sending a message to testuser@example.com remotely and locally should work fine. After the message has arrived, the headers should be checked.

Looking at the mail headers, it should be noticed that it was sent through amavisd and re-delivered to postfix.

Examining the above it is clearly visible that the mail was received by postfix via SMTPS even. It was then forwarded to amavisd on port 10024 via LMTP and finally redelivered to postfix using SMTP again.

Introduction
ClamAV is the de facto open source virus scanner for linux. Amavis can be linked to many different free and commercial virus scanners, but here clamav will be used. ClamAV is specifically designed for scanning e-mail. It consists of two parts, clamav itself, and freshclam, the clamav updating service. By default it updates every two hours, which should be enough for anyone.

Installation
ClamAV should have been installed already, if not it should be emerged.

Configuration
ClamAV will be configured to run in daemonized mode, e.g. it will be listening for connections (from amavisd). The other option (and the default fallback in amavisd) is to have amavisd use the commandline scanner, which is much slower and much much more resource intensive.

ClamAV does not have to be run on the same host, however it is recommended for performance reasons to keep it on the same host, depending on resource usage.

To be able to communicate, clamav needs to be part of amavisd's group.

It always helps to allow clamd to output some debug information.

Also clamd needs some settings setup in its configuration file so that amavis can talk to it.

When running clamav on a hardened kernel, there will be warnings about certain operations not being permitted:

This is expected and okay. ClamAV can run fine without JIT.

Before starting clamav for the first time, the virus database needs to be downloaded. Freshclam is responsible for downloading and keeping the virus database up to date. Freshclam gets automatically started by the clamd startup script, but clamd will fail to start due to a missing database.

Now monitor the clamav log file to see freshclam download the initial virus database.

Now that the database has been updated, restart clamd:

Linking amavisd to clamav
Amavisd should connect to the socket of clamd and thus clamav needs to be enabled as one of the main antivirus scanners. The fallback of invoking clamav from the commandline should not be changed. Also the virus check bypass needs to be disabled to be effective.

After restarting amavisd viruses should be able to detected and blocked:

Testing
To test whether the virus filter works, an anti-malware testfile exists, sending an e-mail using this string should trigger the virus scanner.

{{CodeBox|title=EICAR-STANDARD-ANTIVIRUS-TEST-FILE| X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* }}

Looking at the file, the following should be revealed:

In theory, the virus scanner should be fully functional now.

Introduction
Spam Assassin is an excellent spam filter. It has become quite complex throughout the years and requires some effort to configure correctly.

Installation
There really should be no need to install spamassassin separately. The  USE flag should have pulled it in as a dependency of amavisd-new.

Configuration
The default configuration suffices for standard use.

Updating
A key feature of Spam Assassin is its ability to self-update. Updates are handled via a so-called update channel.

Spam Assassin comes with the sa-update tool so updates can be fully automated. Spam Assassin updates can be done by using the  flag to ignore gpg keys, but should really only be done as a last resort. Adding the spamassassin GPG key is a simple 2 step process.

After adding the spamassassin update channel, it needs to be updated. After running this command, check for any errors.

Once these updates have completed they need to be compiled for use with Spam Assassin. Also any errors should be spotted here.

Unlike clamav, there is no 'freshassassin' and a cronjob is required to do updates. To keep Spam Assassin up to date, a cronjob should be created for the task.

Making the cronjob executable ensures it runs regularly:

Linking amavisd to Spam Assassin
Actually, Spam Assassin does not need to be linked to amavisd, it is an integral part of amavisd. Enabling the spamfilter in amavisd does spam filtering.

With this change, amavisd needs to be restarted:

Testing
Testing is done again via a client connecting to port 25 that does not have its own spamfilter. For content GTUBE can be used. On that site there is also a suitable mail message in RFC-822 format.

Checking in the testusers inbox, or junkbox more likly, the message can be found and its header examined:

Finetuning Amavisd
Amavis has a few more settings that can be changed to do some fine-tuning.

Recipient delimiter
When using postfix with the  amavisd can be told to make use of this feature.

It might be interesting to add the following to, otherwise the user+foo@domain might not be delivered:

Disperse quarantine
It is possible to disperse the quarantine over several sub-directories. For this directories need to be created first:

Also, setting a spam cutoff level helps in reducing stored spam. The cutoff level makes it that no spam is stored above a certain spam-score.

Spam Delivery
is by default set to, meaning that even with a high score at which it gets marked as spam, it is still delivered to the users mailbox. Modern mail-clients, which trust Spam Assassin, can then automatically move it to their SPAM folder.

Bayes database path
Set the  option in SpamAssassin's configuration file so tools such as sa-learn write to the correct database location.

Virtual hosts
If this server handles more than one domain, telling amavis can help here.

Cleanup
With Spam Assassin and ClamAV working as expected, debugging information can be reduced to the normal minimal.