Difference between revisions of "Amavis"

From ArchWiki
Jump to navigation Jump to search
(Fixes and new contents.)
m (Basic configuration: Renamed clamd.service to clamav-daemon.service)
 
(18 intermediate revisions by 11 users not shown)
Line 1: Line 1:
[[Category:Mail Server]]
+
[[Category:Mail server]]
Amavis gives you an interface between mail servers (MTAs such as [[Postfix]] or [[Dovecot]]) and mail filters ([[ClamAV]], Spamassassin). In many cases it is more efficient than running separate daemons like spamd.
+
[[ja:Amavis]]
 +
{{Related articles start}}
 +
{{Related|ClamAV}}
 +
{{Related|Postfix}}
 +
{{Related|Dovecot}}
 +
{{Related articles end}}
  
 +
From [http://www.ijs.si/software/amavisd/ Amavis's site]:
 +
:amavisd-new is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin. It is written in Perl for maintainability, without paying a significant price for speed. It talks to MTA via (E)SMTP or LMTP, or by using helper programs. Best with Postfix, fine with dual-sendmail setup and Exim v4, works with sendmail/milter, or with any MTA as a SMTP relay.
  
==Installation and Setup==
+
== Installation and setup ==
  
* Install {{AUR|amavisd-new}} from the [[AUR]]. You'd be wise to also install optdepends such as {{Pkg|p7zip}} and {{Pkg|unrar}} so your filters can actually see inside compressed files.
+
In this setup it is assumed that you are using [[ClamAV]] as anti-virus scanner.
* Install [[ClamAV]] from the official repositories.
+
* Install {{Pkg|amavisd-new}}. You would be wise to also install optdepends such as {{Pkg|p7zip}} and {{Pkg|unrar}} so your filters can actually see inside compressed files.
===Basic Configuration===
+
* Install {{pkg|clamav}}.
  
* If your hostname is not a FQDN, you must set {{ic|$myhostname}} and {{ic|$mydomain}} accordingly in {{ic|/etc/amavisd/amavisd.conf}}.
+
=== Basic configuration ===
  
* You can enable ClamAV support by commenting out the following lines like this:
+
If your hostname is not a FQDN, you must set {{ic|$myhostname}} and {{ic|$mydomain}} accordingly in {{ic|/etc/amavisd/amavisd.conf}}.
<pre>
+
 
 +
You can enable [[ClamAV]] support by commenting out the following lines (do not forget to put the same {{ic|clamd.sock}} as in {{ic|/etc/clamav/clamd.conf}}):
 +
{{bc|<nowiki>
 
# ### http://www.clamav.net/
 
# ### http://www.clamav.net/
 
['ClamAV-clamd',
 
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
+
   \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd.sock"],
 
   qr/\bOK$/m, qr/\bFOUND$/m,
 
   qr/\bOK$/m, qr/\bFOUND$/m,
 
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
Line 23: Line 32:
 
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
 
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
 
# #  this entry; when running chrooted one may prefer a socket under $MYHOME.
 
# #  this entry; when running chrooted one may prefer a socket under $MYHOME.
</pre>
+
</nowiki>}}
 +
 
 +
Add a comment to this line to enable anti-virus scan:
 +
 
 +
# @bypass_virus_check_maps = (1);  # controls running of anti-virus code
 +
 
 +
Add {{ic|AllowSupplementaryGroups true}} to {{ic|/etc/clamav/clamd.conf}}.
  
After that, you can start the {{ic|amavisd}} service with [[systemctl]] and possibly enable it:
+
After that, add {{ic|clamav}} user to {{ic|amavis}} group to avoid permission problems:
<pre>
+
 
# systemctl start amavisd.service
+
# usermod -a -G amavis clamav
# systemctl enable amavisd.service
+
 
</pre>
+
Finally restart the services:
 +
* [[restart]] {{ic|clamav-daemon.service}}.
 +
* [[start]] {{ic|amavisd.service}} and possibly [[enable]] it.
  
 
Check for errors with these commands:
 
Check for errors with these commands:
<pre>
 
# systemctl status amavisd
 
# journalctl -xbo short -u amavisd
 
</pre>
 
===Testing===
 
  
* To test the new configuration just telnet to the amavisd default listening port:
+
# systemctl status amavisd
<pre>
+
# journalctl -xbo short -u amavisd
$ telnet 127.0.0.1 10024
+
 
</pre>
+
=== Testing ===
* You should see something like:
+
 
<pre>
+
To test the new configuration just telnet to the amavisd default listening port:
 +
 
 +
$ telnet 127.0.0.1 10024
 +
 
 +
You should see something like:
 +
{{bc|
 
Trying 127.0.0.1...
 
Trying 127.0.0.1...
 
Connected to 127.0.0.1.
 
Connected to 127.0.0.1.
 
Escape character is '^]'
 
Escape character is '^]'
 
220 [127.0.0.1] ESMTP amavisd-new service ready
 
220 [127.0.0.1] ESMTP amavisd-new service ready
</pre>
+
}}
* type {{ic|ehlo 127.0.0.1}}:
+
 
<pre>
+
Type {{ic|ehlo 127.0.0.1}}:
 +
{{bc|
 
EHLO localhost
 
EHLO localhost
 
250-[127.0.0.1]
 
250-[127.0.0.1]
Line 60: Line 78:
 
250-DSN
 
250-DSN
 
250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE
 
250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE
</pre>
+
}}
* Now just type {{ic|quit}} to exit.
 
==Integration with Postfix==
 
  
===Quick start===
+
Now just type {{ic|quit}} to exit.
  
* To configure amavis for [[Postfix]] add the following to {{ic|/etc/postfix/master.cf}} :
+
== Integration with Postfix ==
<pre>
+
 
 +
=== Quick start ===
 +
 
 +
To configure amavis for [[Postfix]] add the following to {{ic|/etc/postfix/master.cf}}:
 +
{{bc|1=
 
#
 
#
 
# anti spam & anti virus section
 
# anti spam & anti virus section
Line 94: Line 114:
 
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
 
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
 
  -o local_header_rewrite_clients=
 
  -o local_header_rewrite_clients=
</pre>
+
}}
 +
 
 +
In this configuration we assume that postfix and Amavis are running on the same machine (i.e. {{ic|127.0.0.1}}). If that is not the case edit {{ic|/etc/amavisd/amavisd.conf}} and the prevous Postfix entry accordingly.
 +
 
 +
Postfix will listen to port {{ic|10025}} so that Amavis can send back checked emails to that port.
 +
 
 +
You also have to add another other configuration in your {{ic|smtp}} or {{ic|submission}} sections:
  
* In this configuration we assume that postfix and Amavis are running on the same machine (i.e. {{ic|127.0.0.1}}). If that is not the case edit {{ic|/etc/amavisd/amavisd.conf}} and the prevous Postfix entry accordingly.
+
-o content_filter=amavisfeed:[127.0.0.1]:10024
* Postfix will listen to port {{ic|10025}} so that Amavis can send back checked emails to that port.
 
  
* You also have to add another other configuration in your {{ic|smtp}} or {{ic|submission}} sections:
 
<pre>
 
-o content_filter=amavisfeed:[127.0.0.1]:10024
 
</pre>
 
 
Using this options implies that Postfix will send emails to Amavis on port {{ic|10024}}, so that these can be checked. If mail passes the control then these are sent to port {{ic|10025}}, as explained before.
 
Using this options implies that Postfix will send emails to Amavis on port {{ic|10024}}, so that these can be checked. If mail passes the control then these are sent to port {{ic|10025}}, as explained before.
  
* We can now restart postfix and amavisd:
+
We can now [[restart]] {{ic|postfix.service}} and {{ic|amavisd.service}}.
<pre>
+
 
# systemctl restart postfix.service
+
To check that Postfix is listening on port {{ic|10025}} do the same operations as the port {{ic|10024}} case.
# systemctl restart amavis.service
 
</pre>
 
  
* To check that Postfix is listening on port {{ic|10025}} do the same operations as the port {{ic|10024}} case.
+
== SpamAssassin support ==
==SpamAssassin support==
 
  
 
{{Expansion|todo}}
 
{{Expansion|todo}}
 +
Install {{Pkg|spamassassin}}
  
* Spamassassin is integrated in Amavis so you don't have to start {{ic|spamassassin.service}}. To enable support for Spamassassin comment the following line in {{ic|/etc/amavis/amavis.conf}} like this:
+
 
<pre>
+
Spamassassin is integrated in Amavis so you do not have to start {{ic|spamassassin.service}}. To enable support for Spamassassin comment the following line in {{ic|/etc/amavis/amavis.conf}} like this:
# @bypass_spam_checks_maps = (1);  # controls running of anti-spam code
+
# @bypass_spam_checks_maps = (1);  # controls running of anti-spam code
</pre>
+
 
* Edit the SpamAssassin configuration based on your needs:
+
Edit the SpamAssassin configuration based on your needs:
<pre>
+
{{bc|1=
 
$sa_tag_level_deflt  = 1.0;  # add spam info headers if at, or above that level
 
$sa_tag_level_deflt  = 1.0;  # add spam info headers if at, or above that level
 
$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
 
$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
Line 127: Line 146:
 
$sa_dsn_cutoff_level = 8;  # spam level beyond which a DSN is not sent
 
$sa_dsn_cutoff_level = 8;  # spam level beyond which a DSN is not sent
 
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
 
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
+
$penpals_threshold_high = $sa_kill_level_deflt;  # do not waste time on hi spam
 
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
 
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
</pre>
+
}}
  
* Now you just need to restart {{ic|amavisd}} service.
+
Before you [[restart]] the {{ic|amavisd}} service, run {{ic|sa-update}}.
==Final test==
+
 
 +
== Final test ==
  
 
{{Expansion|todo}}
 
{{Expansion|todo}}
Line 141: Line 161:
 
* Send an email that would result as spam.
 
* Send an email that would result as spam.
 
* Check both Postfix and Amavis logs.
 
* Check both Postfix and Amavis logs.
 +
 
== See also ==
 
== See also ==
  
 
* [http://www.ijs.si/software/amavisd/README.postfix.html Amavis official documentation]
 
* [http://www.ijs.si/software/amavisd/README.postfix.html Amavis official documentation]
 
* [https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server/amvisd_spamassassin_clamav Complete Virtual Mail Server/amvisd spamassassin clamav] on Gentoo wiki.
 
* [https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server/amvisd_spamassassin_clamav Complete Virtual Mail Server/amvisd spamassassin clamav] on Gentoo wiki.

Latest revision as of 14:55, 19 May 2019

From Amavis's site:

amavisd-new is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin. It is written in Perl for maintainability, without paying a significant price for speed. It talks to MTA via (E)SMTP or LMTP, or by using helper programs. Best with Postfix, fine with dual-sendmail setup and Exim v4, works with sendmail/milter, or with any MTA as a SMTP relay.

Installation and setup

In this setup it is assumed that you are using ClamAV as anti-virus scanner.

  • Install amavisd-new. You would be wise to also install optdepends such as p7zip and unrar so your filters can actually see inside compressed files.
  • Install clamav.

Basic configuration

If your hostname is not a FQDN, you must set $myhostname and $mydomain accordingly in /etc/amavisd/amavisd.conf.

You can enable ClamAV support by commenting out the following lines (do not forget to put the same clamd.sock as in /etc/clamav/clamd.conf):

# ### http://www.clamav.net/
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd.sock"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd - or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer a socket under $MYHOME.

Add a comment to this line to enable anti-virus scan:

# @bypass_virus_check_maps = (1);  # controls running of anti-virus code

Add AllowSupplementaryGroups true to /etc/clamav/clamd.conf.

After that, add clamav user to amavis group to avoid permission problems:

# usermod -a -G amavis clamav

Finally restart the services:

Check for errors with these commands:

# systemctl status amavisd
# journalctl -xbo short -u amavisd

Testing

To test the new configuration just telnet to the amavisd default listening port:

$ telnet 127.0.0.1 10024

You should see something like:

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'
220 [127.0.0.1] ESMTP amavisd-new service ready

Type ehlo 127.0.0.1:

EHLO localhost
250-[127.0.0.1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE

Now just type quit to exit.

Integration with Postfix

Quick start

To configure amavis for Postfix add the following to /etc/postfix/master.cf:

#
# anti spam & anti virus section
#
amavisfeed      unix  -    -       n       -       2       smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
 -o max_use=20
127.0.0.1:10025 inet n  -       y       -       -       smtpd
 -o content_filter=
 -o smtpd_delay_reject=no
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o smtpd_data_restrictions=reject_unauth_pipelining
 -o smtpd_end_of_data_restrictions=
 -o smtpd_restrictions_classes=
 -o mynetworks=127.0.0.0/8
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001 
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
 -o local_header_rewrite_clients=

In this configuration we assume that postfix and Amavis are running on the same machine (i.e. 127.0.0.1). If that is not the case edit /etc/amavisd/amavisd.conf and the prevous Postfix entry accordingly.

Postfix will listen to port 10025 so that Amavis can send back checked emails to that port.

You also have to add another other configuration in your smtp or submission sections:

-o content_filter=amavisfeed:[127.0.0.1]:10024

Using this options implies that Postfix will send emails to Amavis on port 10024, so that these can be checked. If mail passes the control then these are sent to port 10025, as explained before.

We can now restart postfix.service and amavisd.service.

To check that Postfix is listening on port 10025 do the same operations as the port 10024 case.

SpamAssassin support

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: todo (Discuss in Talk:Amavis#)

Install spamassassin


Spamassassin is integrated in Amavis so you do not have to start spamassassin.service. To enable support for Spamassassin comment the following line in /etc/amavis/amavis.conf like this:

# @bypass_spam_checks_maps = (1);  # controls running of anti-spam code

Edit the SpamAssassin configuration based on your needs:

$sa_tag_level_deflt  = 1.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.0;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 8;   # spam level beyond which a DSN is not sent
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_threshold_high = $sa_kill_level_deflt;  # do not waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces

Before you restart the amavisd service, run sa-update.

Final test

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: todo (Discuss in Talk:Amavis#)

To check that everything is working all right:

  • Send a normal email.
  • Send an email with an EICAR file as attachment.
  • Send an email that would result as spam.
  • Check both Postfix and Amavis logs.

See also