POSTFIX
- MORE ANTI-SPAM AND ANTI-VIRUSES
I
figured I would go a little further with setting up postfix to stop
spam and viruses, as it is something that all our email users will
appreciate. For this setup I will be using only open-source software
(only the best), specifically spamassassin
and clam, with amavis to
glue it all together. So this paper will be more of a how to get all
this up and running.
What
we need to start?
As
mentioned, you will need a linux server running postfix 2.2 or higher
(use postconf mail_version to
see your version. If you need to upgrade
go to http://www.postfix.org/),
and also the software mentioned below..
ClamAV
For
those of you who do not know, ClamAV is an open source anti-virus
program which can run on multiple platforms but which was built for
linux. Ands it's free! Once you have downloaded the software you will
need to extract it, and then (you may need to update curl)...
- useradd
clamav
- <ClamAV
folder>/configure
- <ClamAV
folder>/make
- <ClamAV
folder>/make install
By
default, the installation process installs to /usr/local/. We
need to edit the two configuration files found in /usr/local/etc/ as follows..
- comment
out the "Example" option in clamd.conf
- enable
the AllowSupplementaryGroups in clamd.conf
- change
user to run as to amavis in both clamd.conf and freshclam.conf
- make
sure freshclam and clamd have log files in /var/log/ and that they are
writable by amavis
- edit
freshclam.conf to comment out the "Example" option
- edit
the freshclam.conf and clamd.conf to enable logging to syslog and set
user to amavis
- Set
the socket option in clamd.conf to /var/run/clamav
Next
we need to setup a init startup script for clam. You can use the below
example...
#!/bin/bash
#
#
clamav: This script controls the clamd
#
#
chkconfig: 2345 79 31
# description: clamav
# processname: clamav
# pidfile: /var/run/clam.pid
#
Source function library.
. /etc/rc.d/init.d/functions
prog="/usr/local/sbin/clamd"
prog_base="ClamD"
prog_config_file="/usr/local/etc/clamd.conf"
##
Check that networking is up.
RETVAL=0
# See how we were called.
case "$1" in
start)
echo -n "Starting $prog_base:"
$prog -c $prog_config_file >>
/var/log/clamd.log &
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/${prog_base}
success
echo
;;
stop)
echo -n "Shutting down $prog_base:"
#Force the kill...
kill `ps -A | grep clamd | cut -c1-6` &> /dev/null
RETVAL=$?
#Sleep for a second or two.
/bin/sleep 3s
#Kill the stale socket.
rm -f /tmp/clamd > /dev/null
if [ $RETVAL -eq 0 ] ; then
success
#echo "${prog_base} stopped"
rm -f /var/lock/subsys/${prog_base}
echo
else
echo
fi
;;
status)
status ${prog_base}
RETVAL=$?
;;
restart)
$0 stop
$0 start
RETVAL=$?
;;
reload)
#action $"Reloading ${prog_base}:" ${prog} -c ${prog_config_file} reload
$0 restart
RETVAL=$?
;;
*)
echo "Usage: $0 {start|stop|status|restart|reload}"
exit 1
esac
exit
$RETVAL
And
the final two steps..
- setup
a cron job for freshclam to enable updates
- chkconfig
--add clamav
Amavisd-New
Amavis
functions as the conduit which postfix uses to gain access to the
spamassasin and clamav functionality. But it is definitely not limited
to just those programs, browse through the configuration file and
you'll see just how much it can do. Once you have extracted amavis,
there is none of the customary make commands, but you do have to
satisfy some perl dependencies..
perl
-MCPAN -e shell
install Archive::Tar
install Archive::Zip
install Compress::Zlib
install Convert::TNEF
install Convert::UUlib
install MIME::Base64
install MIME::Parser
install Mail::Internet
install Net::Server
install Net::SMTP
install Digest::MD5
install IO::Stringy
install Time::HiRes
install Unix::Syslog
install BerkeleyDB
install Mail::ClamAV
Install Digest::MD5
install IO::Wrap
install IO::Stringy
install Unix::Syslog
install Mail::Field
install Mail::Address
install Mail::Header
install Mail::Internet
install MIME::Words
install MIME::Head
install MIME::Body
install MIME::Entity
install MIME::Parser
install MIME::Decoder
install MIME::Decoder::Base64
install MIME::Decoder::Binary
install MIME::Decoder::QuotedPrint
install MIME::Decoder::NBit
install MIME::Decoder::UU
install MIME::Decoder::Gzip64
install Net::Server
install Net::Server::PreForkSimple
After
all of that there are still a couple of steps...
- as
root: useradd -d /var/amavis -m amavis
- as
amavis user: mkdir /var/amavis/tmp /var/amavis/var /var/amavis/db
- as
root: cp <amavis folder>/amavisd /usr/local/sbin/
- as
root: cp <amavis folder>/amavisd.conf /usr/local/etc/
- as
root: mkdir /var/virusmails
- as
root: chown amavis:amavis /var/virusmails
- as
root: chmod 750 /var/virusmails
- as
root: ln -s /usr/local/etc/amavisd.conf /etc/amavisd.conf
- as
root: chown -R amavis. /var/run/clamav/ (for socket)
- as
root: chgrp -R amavis /usr/local/share/clamav
- add
clamav user to amavis group
- install
amavisd init script (copy amavisd_init.sh to /etc/init.d and make
changes needed to startup script)
- as
root:
chkconfig --add amavisd
- edit
file /etc/amavisd.conf to;
- adjust
variables to refelect the created user and directories
- $final_virus_destiny
= D_DISCARD;
- $final_banned_destiny
= D_DISCARD;
- $final_spam_destiny
= D_DISCARD;
- $final_bad_header_destiny
= D_PASS;
- uncomment
clamd virus check section
Spamassassin
This is a brilliant piece of
software to do anti-spam. It does
blacklist, phrase check, bayesian filters, and much more. To install it
we need a couple of perl modules..
perl
-MCPAN -e shell
install ExtUtils::MakeMaker
install File::Spec
install Pod::Usage
install HTML::Parser
install Sys::Syslog
install DB_File
install Net::DNS
install Mail::Audit
install Digest::SHA1
install Archive::Tar
install Archive::Zip
install Compress::Zlib
install Convert::TNEF
install Convert::UUlib
install MIME::Base64
install MIME::Tools
install Net::Server
install IO::Stringy
install Time::HiRes
install Mail::SPF::Query
install IP::Country
install Net::Ident
install IO::Socket::INET6
install IO::Socket::SSL
install DBI
Once all of that is done, then you
can..
install Mail::SpamAssassin
This will install the configuration
files
to /etc/mail/spamassassin and
the rules to
/usr/share/spamassassin. Now
that we have gotten this far, lets finish
with the following steps..
- add
spam user (we will use this as a spamdrop mailbox for review)
- vi
/etc/amavisd.conf
- comment
out @bypass_spam_checks_maps
- point
$spam_quarantine_to = "spam-quarantine\@$mydomain"; to the spam user
email address
- vi
/etc/mail/spamassassin/local.cf
- report_safe
1
- use_terse_report
0
- use_bayes
1
- auto_learn
1
- use_auto_whitelist
- required_hits
5
- rewrite_subject
1
- subject_tag
**[SPAM]**
Getting Postfix
to use it all
So far, so good. The first thing to
do is to test the amavis
installation..
- amavisd
-u amavis -g amavis -c /etc/amavisd.conf debug
- on
a different terminal check that port 10024 is listening
- If all is fine, shutdown this instance, and startup with
/etc/init.d/amavisd start
If you pick up any hassles you will
need to sort them out before
carrying on. But if all is fine, lets setup Postfix..
- edit
your /etc/postfix/master.cf so it looks like;
- smtp
inet n - y - - smtpd
-o
content_filter=smtp-amavis:[127.0.0.1]:10024
- at the bottom put;
- smtp-amavis unix - - y - 2
smtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n
- y/n
- - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o
smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o
smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Lastly, we have the final two
steps..
- postconf -e 'content_filter=smtp-amavis:[127.0.0.1]:10024'
- /etc/init.d/postfix reload
Further Tweaking
A couple of common changes you make
want to make include..
- If you want amavis to knock out
emails with certain extensions tailor the $banned_filename_re to meet
your needs.
- Add additional spamassassin rules
into /usr/share/spamassassin.
Like the ones from
Final Words
There you go. I know it was a bit
of work (easy though), but trust me you and your email users will not
regret it. Even though this setup uses many of the packages default
settings -which do a very good job nonetheless, there is still a
truckload of customizing and tweaking you can do to make it function
the way you want to. As always, learn and have fun.