ClamAV + SpamAssassin with Amavisd/Postfix on Open-Xchange

With our new Open-Xchange server ready to handle external e-mail once our service provider sets up the forwarding, it seemed like a good idea to set up virus scanning + spam filtering. As we’re not going to be handling a huge number of messages, this doesn’t really warrant a dedicated machine. So, after digging around pulling information from Gentoo, Debian + Fedora guides, here’s how to configure it on CentOS. This assumes you already have ‘apt‘ installed on your system, although the packages should be available through ‘yum‘ if you try, and the base system has come from my installing Open-Xchange on CentOS guide.

Install Packages
There are a number of dependencies that will be downloaded when installing Amavisd, ClamAV + SpamAssassin. Allow all the packages to download, as many are simply Perl libraries:

apt-get install amavisd-new spamassassin clamd

Configure Amavisd-new
First off, we need to set the permissions on our directories to allow amavisd-new to run correctly:

chown amavis:amavis /var/amavis/db
mkdir /var/amavis/quarantine
chown amavis:amavis /var/amavis/quarantine
chown amavis:amavis /var/amavis/tmp

The main configuration file for amavisd-new is located at ‘/etc/amavisd.conf‘ and contains a host of settings. Move through and change the following settings:

$daemon_user = "amavis";
$daemon_group = "amavis";

$mydomain = 'domain.com'; # Set to your mail domain

$sa_tag_level_deflt = undef; # 'undef' means spam status added to all headers - useful
$sa_tag2_level_deflt = 5.0; # A decent, rounded setting - the lower this value, the stricter
$sa_kill_level_deflt = $sa_tag2_level_deflt;

$virus_admin = "virusalert\@$mydomain";
$mailfrom_notify_admin = "virusalert\@$mydomain";
$mailfrom_notify_recip = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam\@$mydomain";

$forward_method = 'smtp:[127.0.0.1]:10025';
$notify_method = $forward_method;

Note that this is not a full representation of the config file! Feel free to adjust any other settings as you wish; this is just the bare minimum. Also note that we set the scoring system for SpamAssassin in here – it’s important it’s done in the Amavisd config file rather than the SpamAssassin settings we’ll do later or they won’t take effect!

If you don’t wish to create mailboxes for ‘virusalert‘ and ‘spam‘, then edit ‘/etc/aliases‘ to point these two addresses through to another, already existing mailbox before reading in your updated aliases:

postalias /etc/aliases

The default settings will pick up the Clamd virus-scanner and scan for viruses – there are no settings to change for this. If you wish to use another virus scanner, move down the ‘amavisd.conf‘ file and uncomment the appropriate lines depending on which virus engine you wish to use.

Configure SpamAssassin
There’s not a great deal to do for SpamAssassin other than adjust the scoring within ‘/etc/amavisd.conf‘, however there are a couple of settings you may wish to insert into the config file located at ‘/etc/mail/spamassassin/local.cf‘ to allow the bayesian filtering to function:

bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 1
bayes_auto_learn_threshold_spam 14.00

Read more within the SpamAssassin docs for additional settings. A score of 14.00 is about right, as lower settings tend to cause the filters to incorrectly mark e-mails from domains such as Hotmail or AOL as spam.

Setting up Postfix
With Amavisd configured to handle the virus scanning + spam filtering, the final step is to tell your mail transport agent (MTA), Postfix, that it should pass all e-mails handled through the Amavisd agent. Firstly, add the following to the end of ‘/etc/postfix/master.cf‘:

# Continuation lines in master.cf must begin with whitespace
smtp-amavis unix - - y - 2 smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes

127.0.0.1:10025 inet n - y - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes

This basically tells Postfix to enable the processing of messages via Amavisd, and then creates another instance of Postfix, listening only on 127.0.0.1:10025, to handle the messages that are passed back to it after Amavisd has checked the content for viruses or spam.

Secondly, in order to tell Postfix exactly where Amavisd is running, add the following line to the end of ‘/etc/postfix/main.cf‘:

content_filter = smtp-amavis:[127.0.0.1]:10024
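The overrides on the 127.0.0.1:10025 listener are what stop filtered mail looping back into Amavisd and stop non-local clients injecting mail past the filter. The following is an added example, not part of the original guide: a small Python check that parses master.cf the way Postfix joins continuation lines and reports any of those overrides that are missing. The function names and the abridged sample text are assumptions made for the illustration.

```python
# Constructed sample: the two master.cf services from this guide (abridged).
SAMPLE_MASTER_CF = """\
smtp-amavis unix - - y - 2 smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes

127.0.0.1:10025 inet n - y - - smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
"""

def logical_lines(text):
    """Join continuation lines: in master.cf they start with whitespace."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blanks and comments are ignored
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()  # continues the previous service
        else:
            out.append(raw.strip())
    return out

def parse_services(text):
    """Map service name -> (type, command, {-o override: value})."""
    services = {}
    for fields in map(str.split, logical_lines(text)):
        if len(fields) < 8:
            continue                      # not a full service definition
        args = fields[8:]
        opts = dict(args[i + 1].partition("=")[::2]
                    for i in range(len(args) - 1) if args[i] == "-o")
        services[fields[0]] = (fields[1], fields[7], opts)
    return services

def audit_reinjection(text, listener="127.0.0.1:10025"):
    """Hypothetical helper: list problems with the post-filter listener."""
    svc = parse_services(text).get(listener)
    if svc is None:
        return [f"no service named {listener}; it must bind to loopback only"]
    opts = svc[2]
    # Empty content_filter stops filtered mail looping back to amavisd; the
    # other two stop anything but loopback injecting mail past the filter.
    want = {"content_filter": "", "mynetworks": "127.0.0.0/8",
            "smtpd_recipient_restrictions": "permit_mynetworks,reject"}
    return [f"{k} should be '{v}', found {opts.get(k)!r}"
            for k, v in want.items() if opts.get(k) != v]
```

Run against a copy of the file whose `-o` lines have lost their leading whitespace, the audit reports all three overrides as missing, because Postfix no longer treats them as part of the service definition.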

Tidying up
Now that we have all the configuration options set, we need to start (or restart) our services:

/etc/init.d/amavisd start
/etc/init.d/spamassassin start
/etc/init.d/postfix restart

We should also set our Amavisd and SpamAssassin daemons to load on boot:

chkconfig --add amavisd
chkconfig --add spamassassin

Testing it works!
A quick way of testing Amavisd and our second instance of Postfix are running correctly can be done using telnet:

telnet localhost 10024

which should return a response from the Amavisd service such as:

220 [127.0.0.1] ESMTP amavisd-new service ready

and then to make sure our second instance of Postfix is running:

telnet localhost 10025

which should bring back:

220 Welcome to Open-Xchange server

If either fails, go back through and check that Amavisd is running and that your ‘master.cf‘ and ‘main.cf‘ options are set correctly. After making any changes, ensure you restart the Postfix daemon. If ‘/var/log/maillog‘ shows Postfix attempting to use the Amavisd service while it was mis-configured, re-queue those messages once your changes are made:

postsuper -r ALL

Now for the fun bit! We want to send a couple of e-mails to ourselves to ensure that our virus scanner + spam filtering is working. To test your virus scanners, send an e-mail to yourself with the following contained in the message body:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This is a standard Eicar virus test string and won’t harm your computer! It’s simply to ensure that Amavisd picks it up. Check ‘/var/log/maillog‘ and you should see something along the lines of:

Blocked INFECTED (Eicar-Test-Signature)

An e-mail should also be fired off to whatever mailbox you defined within ‘/etc/amavisd.conf‘ for ‘virusalert’, informing you what virus was detected, the recipient, and the actions carried out, etc.

In order to run a check on the spam filtering, another test string is available. Simply include the following in the message body (again, it’s harmless and simply to check the filters are working):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

and within ‘/var/log/maillog‘ the following should appear for the message as it’s being processed:

(30303-07) Blocked SPAM
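To confirm both test messages were caught without reading the log by eye, the verdict lines can be pulled out with a short script. This is an added example, not part of the original guide; the sample log lines are constructed, and everything in them beyond the two fragments quoted above (timestamps, host name, addresses, the trailing fields) is an assumption about the line layout.

```python
import re

# Constructed sample lines; only the "Blocked ..." fragments come from the guide.
SAMPLE_MAILLOG = """\
Jan 10 09:14:02 mail amavis[30303]: (30303-06) Blocked INFECTED (Eicar-Test-Signature), [127.0.0.1] <me@example.com> -> <me@example.com>
Jan 10 09:15:40 mail amavis[30303]: (30303-07) Blocked SPAM, [127.0.0.1] <me@example.com> -> <me@example.com>, Hits: 1000.5
Jan 10 09:16:11 mail amavis[30303]: (30303-08) Passed CLEAN, [127.0.0.1] <me@example.com> -> <you@example.com>, Hits: 0.3
Jan 10 09:16:12 mail postfix/smtp[4121]: 5F2A1: to=<you@example.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
"""

# (session-id) action CATEGORY, optionally followed by "(detail)" such as a virus name
VERDICT = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\w-]+)\) (?P<action>Blocked|Passed) "
    r"(?P<category>[A-Z-]+)(?: \((?P<detail>[^)]*)\))?"
)

def verdicts(text):
    """Return one dict per amavisd verdict line; other log lines are skipped."""
    return [m.groupdict() for m in map(VERDICT.search, text.splitlines()) if m]

def summarise(text):
    """Report whether the Eicar and spam test messages were blocked."""
    found = verdicts(text)
    blocked = [(v["category"], v["detail"]) for v in found if v["action"] == "Blocked"]
    return {
        "eicar_blocked": ("INFECTED", "Eicar-Test-Signature") in blocked,
        "spam_blocked": any(category == "SPAM" for category, _ in blocked),
        "passed": sum(1 for v in found if v["action"] == "Passed"),
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_MAILLOG))
```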

Now, whenever you send an e-mail, you should see everything nicely working away within the message headers, including the virus scanning results + spam filtering scores!


About Me

Iain Foulds, 32 years old. Originally from England, now living in Seattle, WA. I currently work as a Senior Content Developer for Microsoft writing about Azure VMs. Gamer. Very passionate about photography. Comments and opinions expressed here are my own.
