Difference between revisions of "Amavis"

From ArchWiki
(some style fixes, see Help:Style)
(Added missing sections. The new sections are just drafts, they need major re-write.)
Line 3: Line 3:
 
Amavis gives you an interface between mail servers (MTAs such as Postfix or DoveCot) and mail filters (ClamAV, SpamAssassin). In many cases it is more efficient than running separate daemons like spamd.
 
Amavis gives you an interface between mail servers (MTAs such as Postfix or DoveCot) and mail filters (ClamAV, SpamAssassin). In many cases it is more efficient than running separate daemons like spamd.
  
==Install & Setup==
+
==Installation & Setup==
  
Install {{AUR|amavisd-new}} from the [[AUR]]. You'd be wise to also install optdepends such as {{Pkg|p7zip}} and {{Pkg|unrar}} so your filters can actually see inside compressed files.
+
* Install {{AUR|amavisd-new}} from the [[AUR]]. You'd be wise to also install optdepends such as {{Pkg|p7zip}} and {{Pkg|unrar}} so your filters can actually see inside compressed files.
 +
* Install [[ClamAV]] from the official repositories.
 +
===Configuration===
  
 
If your hostname is not a FQDN, you must set {{ic|$myhostname}} in {{ic|/etc/amavisd/amavisd.conf}}. You probably want to set {{ic|$mydomain}} too.
 
If your hostname is not a FQDN, you must set {{ic|$myhostname}} in {{ic|/etc/amavisd/amavisd.conf}}. You probably want to set {{ic|$mydomain}} too.
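Review bot: The added "* Install [[ClamAV]] from the official repositories." bullet turns ClamAV into an unconditional install step, while the intro lists it as one of two possible filters (ClamAV, SpamAssassin) and SpamAssassin gets no install bullet at all. Either list both filters as optional here, or move each install step into its own section (==ClamAV==, SpamAssassin) so the base setup stays limited to amavisd-new and its optdepends.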
Line 13: Line 15:
 
Some ways to check for errors:
 
Some ways to check for errors:
  
  systemctl status amavisd
+
  # systemctl status amavisd
  journalctl -xbo short -u amavisd
+
  # journalctl -xbo short -u amavisd
 +
 
 +
===Test your configuration===
 +
 
 +
{{Expansion|todo}}
 +
 
 +
* To test the new configuration just telnet to the amavis listening port:
 +
telnet 127.0.0.1 10024
  
 
==Postfix==
 
==Postfix==
 +
===Quick start===
 +
 +
* To configure amavis for [[Postfix]] add the following to {{ic|/etc/postfix/master.cf}} :
 +
<pre>
 +
#
 +
# spam/virus section
 +
#
 +
amavisfeed      unix  -    -      n      -      2      smtp
 +
-o smtp_data_done_timeout=1200
 +
-o smtp_send_xforward_command=yes
 +
-o disable_dns_lookups=yes
 +
-o max_use=20
 +
127.0.0.1:10025 inet n  -      y      -      -      smtpd
 +
-o content_filter=
 +
-o smtpd_delay_reject=no
 +
-o smtpd_client_restrictions=permit_mynetworks,reject
 +
-o smtpd_helo_restrictions=
 +
-o smtpd_sender_restrictions=
 +
-o smtpd_recipient_restrictions=permit_mynetworks,reject
 +
-o smtpd_data_restrictions=reject_unauth_pipelining
 +
-o smtpd_end_of_data_restrictions=
 +
-o smtpd_restrictions_classes=
 +
-o mynetworks=127.0.0.0/8
 +
-o smtpd_error_sleep_time=0
 +
-o smtpd_soft_error_limit=1001
 +
-o smtpd_hard_error_limit=1000
 +
-o smtpd_client_connection_count_limit=0
 +
-o smtpd_client_connection_rate_limit=0
 +
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
 +
-o local_header_rewrite_clients=
 +
</pre>
 +
 +
In this configuration we assume that postfix and amavis are running on the same machine (i.e. {{ic|127.0.0.1}}).
 +
 +
You also have to add other configuration in your {{ic|smtp}} or {{ic|submission}} sections:
 +
<pre>
 +
  -o content_filter=amavisfeed:[127.0.0.1]:10024
 +
</pre>
  
 
Digest of the excellent [http://www.ijs.si/software/amavisd/README.postfix.html upstream README].
 
Digest of the excellent [http://www.ijs.si/software/amavisd/README.postfix.html upstream README].
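Review bot: The new "Test your configuration" bullet gives only "telnet 127.0.0.1 10024" and does not say what a working amavis answers on that port, so a reader cannot tell success from failure; add the expected response and how to end the session. In the Postfix text, "your smtp or submission sections" is ambiguous next to the "amavisfeed ... smtp" transport defined just above it; say explicitly that the "-o content_filter=amavisfeed:[127.0.0.1]:10024" line goes on the listening service entries in master.cf. The master.cf block would also benefit from one sentence on why the 127.0.0.1:10025 listener clears content_filter and restricts clients to mynetworks=127.0.0.0/8.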
Line 23: Line 70:
  
 
{{Expansion|todo}}
 
{{Expansion|todo}}
 +
* If you need spamassassin support (as well as an antivirus) comment the following line in {{ic|/etc/amavis/amavis.conf}} like this:
 +
<pre>
 +
# @bypass_spam_checks_maps = (1);  # controls running of anti-spam code
 +
</pre>
 +
* Edit the SpamAssassin configuration based on your needs:
 +
<pre>
 +
$sa_tag_level_deflt  = 1.0;  # add spam info headers if at, or above that level
 +
$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
 +
$sa_kill_level_deflt = 5.0;  # triggers spam evasive actions (e.g. blocks mail)
 +
$sa_dsn_cutoff_level = 8;  # spam level beyond which a DSN is not sent
 +
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
 +
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
 +
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
 +
</pre>
  
 
==ClamAV==
 
==ClamAV==
  
 
{{Expansion|todo}}
 
{{Expansion|todo}}
 +
 +
* Comment out the following lines in {{ic|/etc/amavis/amavisd.conf}} like this:
 +
<pre>
 +
# ### http://www.clamav.net/
 +
['ClamAV-clamd',
 +
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
 +
  qr/\bOK$/m, qr/\bFOUND$/m,
 +
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 +
# # NOTE: run clamd under the same user as amavisd - or run it under its own
 +
# #  uid such as clamav, add user clamav to the amavis group, and then add
 +
# #  AllowSupplementaryGroups to clamd.conf;
 +
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
 +
# #  this entry; when running chrooted one may prefer a socket under $MYHOME.
 +
</pre>
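Review bot: The file paths in the added bullets, "/etc/amavis/amavis.conf" (SpamAssassin) and "/etc/amavis/amavisd.conf" (ClamAV), disagree with each other and with "/etc/amavisd/amavisd.conf" used in the Configuration section; use one path throughout. The ClamAV bullet says "Comment out the following lines ... like this", but the block shows the ['ClamAV-clamd', ...] entry without comment markers, so the instruction and the example contradict each other; state which form is the intended result. The SpamAssassin bullet has the matching wording problem ("comment the following line") and should read "comment out".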

Revision as of 14:45, 23 April 2015


Amavis gives you an interface between mail servers (MTAs such as Postfix or Dovecot) and mail filters (ClamAV, SpamAssassin). In many cases it is more efficient than running separate daemons like spamd.

Installation & Setup

  • Install amavisd-new from the AUR. You'd be wise to also install optdepends such as p7zip and unrar so your filters can actually see inside compressed files.
  • Install ClamAV from the official repositories.

Configuration

If your hostname is not a FQDN, you must set $myhostname in /etc/amavisd/amavisd.conf. You probably want to set $mydomain too.

After that, you can start the amavisd service with systemctl and possibly enable it.

Some ways to check for errors:

# systemctl status amavisd
# journalctl -xbo short -u amavisd

Test your configuration

This article or section needs expansion.

Reason: todo (Discuss in Talk:Amavis#)
  • To test the new configuration just telnet to the amavis listening port:

telnet 127.0.0.1 10024

Postfix

Quick start

  • To configure amavis for Postfix add the following to /etc/postfix/master.cf :
#
# spam/virus section
#
amavisfeed      unix  -    -       n       -       2       smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
 -o max_use=20
127.0.0.1:10025 inet n  -       y       -       -       smtpd
 -o content_filter=
 -o smtpd_delay_reject=no
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o smtpd_data_restrictions=reject_unauth_pipelining
 -o smtpd_end_of_data_restrictions=
 -o smtpd_restrictions_classes=
 -o mynetworks=127.0.0.0/8
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001 
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
 -o local_header_rewrite_clients=

In this configuration we assume that postfix and amavis are running on the same machine (i.e. 127.0.0.1).

You also have to add the following option to the smtp or submission service entries in master.cf:

  -o content_filter=amavisfeed:[127.0.0.1]:10024

Digest of the excellent upstream README (http://www.ijs.si/software/amavisd/README.postfix.html).
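
An added example (not part of the wiki page, Postfix or amavis): a small Python checker that parses master.cf, folding continuation lines, and audits the re-injection listener shown above for the settings that keep it loopback-only and out of the content filter. The function names and the sample input are constructed for illustration; only single-line "-o name=value" arguments are handled.

```python
import ipaddress
# Constructed sample input: a master.cf excerpt in the shape shown above.
SAMPLE = """\
amavisfeed      unix  -    -       n       -       2       smtp
127.0.0.1:10025 inet n  -       y       -       -       smtpd
 -o content_filter=
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text):
    """Map service name -> {'-o' option: value}, folding continuation lines."""
    services, opts = {}, {}               # opts starts as a throwaway dict
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        tokens = line.split()
        if not line[0].isspace():         # new entry: 8 fixed fields, then args
            opts = services.setdefault(tokens[0], {})
            tokens = tokens[8:]
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o":
                name, _, value = arg.partition("=")
                opts[name] = value
    return services

def is_loopback(spec):
    """True for a loopback address or network; host names are not resolved."""
    try:
        spec = spec.replace("[", "").replace("]", "")
        return ipaddress.ip_network(spec, strict=False).is_loopback
    except ValueError:
        return False

def audit_reinjection(services, name="127.0.0.1:10025"):
    """Return findings for the smtpd listener that takes mail back from amavis."""
    if name not in services:
        return [f"no master.cf entry named {name}"]
    opts, findings = services[name], []
    if not is_loopback(name.rpartition(":")[0]):
        findings.append("listener is not bound to a loopback address")
    if opts.get("content_filter") != "":
        findings.append("content_filter is not cleared; filtered mail may loop")
    for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if not opts.get(key, "").endswith("reject"):
            findings.append(f"{key} does not end in reject")
    nets = opts.get("mynetworks", "").replace(",", " ").split()
    if not nets or not all(is_loopback(n) for n in nets):
        findings.append("mynetworks is unset or wider than loopback")
    return findings
```

To check a live system, pass the contents of /etc/postfix/master.cf to parse_master_cf() instead of SAMPLE; an empty list from audit_reinjection() means the listener matches the configuration above.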

SpamAssassin

This article or section needs expansion.

Reason: todo (Discuss in Talk:Amavis#)
  • If you need SpamAssassin support (as well as an antivirus), comment out the following line in /etc/amavis/amavis.conf like this:
# @bypass_spam_checks_maps = (1);  # controls running of anti-spam code
  • Edit the SpamAssassin configuration based on your needs:
$sa_tag_level_deflt  = 1.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.0;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 8;   # spam level beyond which a DSN is not sent
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces

ClamAV

This article or section needs expansion.

Reason: todo (Discuss in Talk:Amavis#)
  • Comment out the following lines in /etc/amavis/amavisd.conf like this:
# ### http://www.clamav.net/
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd - or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer a socket under $MYHOME.