Spamfilter and Antivirus[3]
The description in [3] may be sufficient (for German-speaking readers, of course). Nevertheless, I will try to translate it into English and adapt some steps (because of compatibility issues with newer versions).
Installation
Install the minimum set of required packages:
apt-get install clamav clamav-daemon amavisd-new spamassassin
To improve spam detection, install these packages as well:
apt-get install arj bzip2 cabextract cpio file gzip nomarch pax unzip zip zoo
AntiVirus
Activate ClamAV in AMaViS
In the file /etc/amavis/conf.d/15-content_filter_mode enable the following lines (delete the “#”)
@bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
Configure Postfix to redirect mails to AMaViS
We have to create a new sub-daemon for amavis checks, so we have to add the following lines to the /etc/postfix/master.cf file:
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
To redirect the mails to the amavis daemon (listening on port 10024), add the following lines to the /etc/postfix/main.cf file:
#ContentFilter:
content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
Add a second postfix-instance
By default, the amavis daemon forwards the checked mails to an SMTP server running locally on port 10025. Create this daemon in the /etc/postfix/master.cf file:
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o receive_override_options=no_header_body_checks
Restart Postfix and test the second daemon
Restart postfix with service postfix restart and test the second postfix daemon with telnet.
telnet localhost 10025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp.example1.net ESMTP Postfix (Debian/GNU)
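The two master.cf entries above only form a safe loop if the listener on port 10025 accepts mail from localhost alone and clears content_filter. As an added example (not part of the original tutorial), this Python check parses master.cf text and reports when those properties are missing; the function names and the sample text are assumptions made for the illustration.

```python
# Constructed sample: this page's two master.cf services, options shortened.
SAMPLE = """\
smtp-amavis unix - - n - 2 smtp
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text):
    """Return {service: {"type", "command", "opts"}} from master.cf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    services = {}
    for fields in (line.split() for line in logical):
        if len(fields) < 8:
            continue  # not a complete service entry
        args, opts = fields[8:], {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o":
                key, _, val = value.partition("=")
                opts[key] = val
        services[fields[0]] = {"type": fields[1], "command": fields[7], "opts": opts}
    return services

def audit_reinjection(text, port="10025"):
    """List problems with the listener that takes mail back from amavis."""
    listeners = {n: s for n, s in parse_master_cf(text).items()
                 if s["type"] == "inet" and n.rsplit(":", 1)[-1] == port}
    if not listeners:
        return [f"no inet listener on port {port}"]
    findings = []
    for name, svc in listeners.items():
        host, opts = name.rpartition(":")[0], svc["opts"]
        if host not in ("127.0.0.1", "localhost", "[::1]"):
            findings.append(f"{name}: not bound to loopback")
        if opts.get("content_filter") != "":
            findings.append(f"{name}: content_filter not cleared, mail would loop")
        if opts.get("mynetworks") != "127.0.0.0/8":
            findings.append(f"{name}: mynetworks is not 127.0.0.0/8")
        if not opts.get("smtpd_recipient_restrictions", "").endswith("reject"):
            findings.append(f"{name}: recipient restrictions do not end in reject")
    return findings
```

To check a live system, pass the contents of /etc/postfix/master.cf to audit_reinjection(); an empty list means the listener matches the settings shown in this tutorial.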
Spamfilter
Activate SpamAssassin in AMaViS
Like activating ClamAV, open the file /etc/amavis/conf.d/15-content_filter_mode and enable the following lines (by removing the “#”)
@bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
Restart and verify the configuration
Restart both postfix and amavis:
service postfix restart
service amavis restart
In the mail logfile, you should see at least the following lines:
amavis[4290]: ANTI-VIRUS code loaded
amavis[4290]: ANTI-SPAM code loaded
amavis[4290]: ANTI-SPAM-SA code loaded
Train the bayes-database of SpamAssassin
Because SpamAssassin starts with an empty bayes-database, the spam filtering isn’t that good. You have to train the bayes-database with spam and “ham” (good) mails.
If you don’t have a source of already known mails, there is a public spam-database for the initial training available under http://spamassassin.apache.org/publiccorpus/. I’m switching from one spamfilter-system to another, so I already have a big database of spam and ham-mails.
Create a new directory for the spam/ham mails and download either your own or the public spam database.
mkdir -p /home/amavis; cd /home/amavis
wget http://spamassassin.apache.org/publiccorpus/20050311_spam_2.tar.bz2
Unpack the archive (it is bzip2-compressed, so tar needs the j option)
tar xjvf 20050311_spam_2.tar.bz2
Now, train the bayes-database with the following command
su amavis -c 'sa-learn --spam /home/amavis/spam/'
If you already have a database with good emails, unpack them under /home/amavis/ham/ and train the bayes-database with the following command
su amavis -c 'sa-learn --ham /home/amavis/ham/'
If you have to update the rules, execute sa-update -D.
You can also update the rules via a cron job. Just enable CRON=1 in /etc/default/spamassassin.
If you want to check the current status of the bayes-database, execute:
su amavis -c 'sa-learn --dump magic'
You should see something similar to this:
0.000 0 3 0 non-token data: bayes db version
0.000 0 6034 0 non-token data: nspam
0.000 0 10899 0 non-token data: nham
0.000 0 369618 0 non-token data: ntokens
0.000 0 993467899 0 non-token data: oldest atime
0.000 0 1483084655 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 1483061044 0 non-token data: last expiry atime
0.000 0 86400 0 non-token data: last expire atime delta
0.000 0 180353 0 non-token data: last expire reduction count
“nspam” counts the number of imported spam messages, while “nham” counts the number of imported ham messages. You should import about 1,000-2,000 spam and ham messages to increase the efficiency of the filter.
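Running sa-learn with the wrong class option leaves one of the two counters at zero while inflating the other, so it is worth checking both after every training run. The following Python helper is an added example, not part of the original tutorial: it parses the --dump magic output and reports a one-sided or undersized database. The function names and the default threshold of 1000 (the lower end of the recommendation above) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: an excerpt of the `sa-learn --dump magic` output shown above.
SAMPLE = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0       6034          0  non-token data: nspam
0.000          0      10899          0  non-token data: nham
0.000          0     369618          0  non-token data: ntokens
0.000          0 1483084655          0  non-token data: newest atime
"""

def parse_dump_magic(text):
    """Map each 'non-token data' label to its integer value (third column)."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*\S+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+)$", line)
        if m:
            stats[m.group(2).strip()] = int(m.group(1))
    return stats

def bayes_health(stats, min_each=1000):
    """Return warnings about the training state of the Bayes database."""
    warnings = []
    for label in ("nspam", "nham"):
        count = stats.get(label, 0)
        if count == 0:
            warnings.append(f"{label} is 0: that class was never learned")
        elif count < min_each:
            warnings.append(f"{label}={count} is below {min_each}")
    return warnings

def newest_token_date(stats):
    """Date (UTC) of the most recently seen token, to spot a stale database."""
    ts = stats["newest atime"]
    return datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()
```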
Spamfilter with Razor and Pyzor
“Razor” and the Python version “Pyzor” are community-based spam databases. We can use them to speed up the recognition of new types of spam mail. But be careful when combining them with your own bayes-database, because differing scores from pyzor/razor and from your local bayes-database may lead to wrong results.
Nevertheless, I activated both and had no significant drawbacks so far.
Install both spamfilters with this command:
apt-get install pyzor razor
Now you have to register yourself at a razor database with the following commands:
su - amavis -s /bin/bash
razor-admin -create
razor-admin -register
Normally, you have to initialize a server-list at pyzor too, but since the new updates, the command pyzor discover doesn’t exist anymore. But with my settings, pyzor nevertheless worked.
That’s it. Try the checks with the following command:
spamassassin -D -t < /usr/share/doc/spamassassin/examples/sample-spam.txt 2>&1 | tee sa.out
If pyzor and razor are working, you will find both checks, razor and pyzor, in the output file:
... check_spf: 23 (1.1%), check_razor2: 218 (10.5%), check_pyzor: 92 (4.4%), ...
Hello,
Thank you for your tutorial, it is clear and simple.
I installed this on Debian 8.7 and I had to set up the instances in /etc/postfix/master.cf and not in main.cf.
Hope that helps
mterrasson
Hi,
You’re right. I updated it for the second postfix-instance (amavis-instance).
Thanks for your help
kind regards,
Philipp
Dear Philipp,
Thank you for your tutorial, it is clear and simple.
Some images in your tutorial do not show. Can you repair them?
Thank you very much.
You made a mistake here:
This is not in the main.cf file but in master.cf, where you need to write this:
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
You’re right. I changed it to “master.cf”
Hi, thank you for your tutorial.
Is there some way to monitor/view the queues, sent mail, historical outbound addresses, etc in a management back-end of sorts? Some sort of granularity in knowing the volume of mail and from what addresses, etc. over time. Kind of like what CPanel has?
Thanks