ZhoubaWiki:HowToSetupSpamFilterAmavis

From ZhoubaWiki
Jump to: navigation, search

How to set up Spam-filter Amavis (en)

In this howto, Postfix integration with amavis-new will be presented. Amavis-new is a wrapper that can call any number of content filtering programs for spam detection, antivirus, etc. In this howto, integration with Spamassassin and Clamav will be presented. This is a classical installation of Postfix + Amavis-new + Spamassassin + Clamav.

Installation

To begin, install the following packages:

sudo aptitude install amavisd-new spamassassin clamav-daemon

Install the optional packages for better spam detection:

sudo aptitude install libnet-dns-perl pyzor razor

Install these optional packages to enable better scanning of attached archive files:

sudo aptitude install arj bzip2 cabextract cpio file gzip lha nomarch pax rar unrar unzip zip zoo

Configuration

Clamav

Add clamav user to the amavis group and vice versa in order for Clamav to have access to scan files:

sudo adduser clamav amavis
sudo adduser amavis clamav

Spamassassin

Edit /etc/default/spamassassin to activate the Spamassassin daemon change ENABLED=0 to:

ENABLED=1

and to enable automatic rule updates change CRON=0 at the bottom to:

CRON=1

Now start Spamassassin:

sudo /etc/init.d/spamassassin start

If bayes doesn't work

Add this to /etc/spamassassin/local.cf:

bayes_path /var/lib/amavis/.spamassassin/bayes

and now you have to do this steps:

wget http://spamassassin.apache.org/publiccorpus/20050311_spam_2.tar.bz2
wget http://spamassassin.apache.org/publiccorpus/20030228_easy_ham_2.tar.bz2
tar xvfj 20050311_spam_2.tar.bz2
tar xvfj 20030228_easy_ham_2.tar.bz2
sa-learn --spam -u spamd --dir spam_2/*
sa-learn --ham -u spamd --dir easy_ham_2/*

check bayes:

spamassassin -D --lint 2>&1 | grep bayes

Problev with DB expiry <c> sa-learn --force-expire -D </c>

Whitelist / Blacklist by content

Open /etc/spamassassin/65_debian.cf and add rules to the end:

header   RULE_NAME      Subject =~ /any string/i
score    RULE_NAME      -999.0
describe RULE_NAME      Whitelist by keyword

After changing any spamassasin configs run --lint to test configuration for errors

spamassassin --lint

Amavis

First, activate spam and antivirus detection in Amavis by editing /etc/amavis/conf.d/15-content_filter_mode:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # insure a defined return

Next modify /etc/amavis/conf.d/05-node_id

use strict;

# $myhostname is used by amavisd-new for node identification, and it is
# important to get it right (e.g. for ESMTP EHLO, loop detection, and so on).

chomp($myhostname = <code>hostname --fqdn</code>);

# To manually set $myhostname, edit the following line with the correct Fully
# Qualified Domain Name (FQDN) and remove the # at the beginning of the line.
#
$myhostname = "mail.hostname.tld";

1;  # ensure a defined return

Next modify @local_domains_acl = in /etc/amavis/conf.d/05-domain_id

@local_domains_acl = ( ".$mydomain","." );

Now set the spam levels in /etc/amavis/conf.d/20-debian_defaults:

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

After configuration Amavis needs to be restarted:

sudo /etc/init.d/amavis restart

Postfix integration

For postfix integration, you need to add the content_filter configuration variable to the Postfix configuration file /etc/postfix/main.cf. This instructs postfix to pass messages to amavis at a given IP address and port:

content_filter = smtp-amavis:[127.0.0.1]:10024

The following postconf command, run as root because of the preceding sudo command, adds the content_filter specification line above to main.cf:

postconf -e "content_filter = smtp-amavis:[127.0.0.1]:10024"

Next edit /etc/postfix/master.cf and add the following to the end of the file:

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Also add the following two lines immediately below the "pickup" transport service:

        -o content_filter=
        -o receive_override_options=no_header_body_checks

Reload postfix:

sudo /etc/init.d/postfix reload

Now content filtering with spam and virus detection is enabled.

Setting DKIM email signature (Optional)

DKIM serves for verifing email sender. This can have disadvantage - if signed domain is blocked change of sendout server won't help much.

SPF DNS record

SPF record specify list of IP addresses that are official send out servers for your domain. Use soft fail rule ~all to support forwarding. Add to DNS record (for GoDaddy its TXT section with host set to "@"). <c> v=spf1 ip4:207.210.202.96 ip4:64.186.145.28 ~all </c>

DKIM signing

We will use Amavis to sign outgoing emails official documentation. If setting dkim on SMTP only consider using OpenDKIM, install howto

All commands should be done as super user.

If not existing create folder for certificate: <c bash> mkdir -p /var/db/dkim </c> Generate certificate for domain: <c bash> amavisd-new genrsa /var/db/dkim/KEYNAME.key.pem </c>

Edit /etc/amavis/conf.d/50-User and enable signing. SELECTOR can be used to specify key for specific user or send location - we just use 'default'. <c config> $enable_dkim_signing = 1; dkim_key('DOMAINNAME', 'SELECTOR', '/var/db/dkim/KEYNAME.key.pem'); @dkim_signature_options_bysender_maps = (

   { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
  1. uncomment to limit signing to specific IP
  2. @mynetworks = qw(0.0.0.0/8 127.0.0.0/8);;

</c>

Mark all emails coming in throw port 10024 as originating so they are signed: <c config> $policy_bank{'ORIGINATING'} = {

 # indicates client is ours, allows signing
 originating => 1,
 smtpd_discard_ehlo_keywords => ['8BITMIME'],

};

  1. Use ORIGINATING policy to enable DKIM signing

$interface_policy{'10024'} = 'ORIGINATING'; </c>


Now get public key and publish it in DNS record: <c config> amavisd-new showkeys </c> Copy down domain name with selector example (default._domainkey.wisemarketing.com. For public key remove '"' and spaces to get something like: <c> v=DKIM1; p=VERYLOOOOONGSTRING </c>

DNS record shoud be in TXT section with default._domainkey as host followed by KEY data. See your specific provider howtos / forums.

After key is published test if DNS record match Amavis settings <c bash> amavisd-new testkeys </c>

If test pass, restart Amavis <c bash> service amavis restart </c>

Test send mail. It should have DKIM signature header.

amavisd testkeys

Test

First, test that the amavis SMTP is listening:

telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
^]

On messages that go through the content filter you should see:

X-Virus-Scanned: Debian amavisd-new at mail.hostname.tld
X-Spam-Flag:
X-Spam-Score:
X-Spam-Level:
X-Spam-Status:

Done!