Inbound and Outbound Spam/AntiVirus Mail Gateway

Additional Settings

The mail-gateway should work now and filter the most common spam and virus-mails. But spam is an aggressive business and therefore mailservers/ISPs are very restrictive in receiving mails. Your mailserver maybe get blocked by some ISPs with the standard settings (for example checks if there’s a valid reverse DNS entry for your mailserver).

You can check your current mail settings by sending a mail to a Mail Tester (just three checks per day are allowed).

With adding the settings below, mails should work with almost every receiving mailserver,

Reverse DNS[4]

To ensure that your mailserver is allowed to send mails, one common method is to check if the IP of the sending mailserver is valid for the sent domain-name. A reverse DNS entry is only valid between one IP and exactly one domain.

For example, my mailserver has a reverseDNS entry “”. If is sending a mail with the IP, everything is all right. But if I change my mailserver name to (or any other name), the IP is the same with but the expected dns-entry is and not so the receiving mailservers may deny this mails.

You have to set a reverse DNS entry in the admin-panel of your hoster. Here’s an example of my provider (Hetzner)


SPF-Records ensure that mailservers and/or IPs are allowed to send mails in the name of the domain.

It’s a TXT-record in the DNS of your domain and looks similar to this record (of

@                        IN TXT     "v=spf1 a mx ip4: ip4: -all"

You can create such SPF-records with this online-tool: SPF-Record (German)

DKIM-Record[6] (DomainKeys Identified Mail)

DKIM is an email authentication method. It verifies signed mails with the associated, published public key of the domain.

[7] (German) describes, how it works. But I summarize it up for this blog-post.

At first, you need at least the following packages

apt-get install amavisd-new libmail-dkim-perl

Enable DKIM Verification

If you want to enable the DKIM-verification for each incoming mail, add this to /etc/amavis/conf.d/50-user:

$enable_dkim_verification = 1;

Now reload amavis with amavis reload

Add DKIM Signatures to outgoing mails

DKIM needs a public/private key-pair in x509 format. The private key is for signing the outgoing mails (by amavisd-new) and the public key is for publishing it per DNS.

Let’s start with creating the public/private keys with the amavisd-new command.

# amavisd-new genrsa /var/lib/amavis/db/ 2048
Private RSA key successfully written to file "/var/lib/amavis/db/" \
  (2048 bits, PEM format)

Now we have to configure the private key in the /etc/amavis/conf.d/50-user file.

$enable_dkim_signing = 0;
dkim_key('', 'mail201612', '/var/lib/amavis/db/');
@dkim_signature_options_bysender_maps = (
    { '.' =>
                ttl => 21*24*3600,
                c => 'relaxed/simple'

It’s important that you don’t enable dkim signing yet because the public key isn’t published to the DNS yet. So currently the check of DKIM-Signatures of outgoing mails will fail.

Reload amavisd-new and show the public key for the DNS entry (in the right syntax) by executing amavisd-new showkeys

; key#1 2048 bits, i=mail201612,, /var/lib/amavis/db/     3600 TXT (
  "v=DKIM1; p="

Add the whole output to the ZONE file of the domain “”. Afterwards, check with amavisd-new testkeys the output. If the ZONE file was set, the output should be:

TESTING#1:     => pass

Before we can start signing mails with DKIM, the amavis needs to know which mails are outgoing. Therefor amavis sets the ORIGINATING Tag to each outgoing mail. This tag isn’t configured by default, so you have to add a new policy to amavis in the /etc/amavis/conf.d/50-user file:

$policy_bank{'SUBMISSION'} = {
    originating => 1,
    bypass_spam_checks_maps   => [1],
    bypass_banned_checks_maps => [1],
    final_virus_destiny => D_REJECT,
    final_bad_header_destiny => D_PASS,
    terminate_dsn_on_notify_success => 0,
    warnbadhsender => 1,

The other options check that the originating tag is only added to mails of trusted sites and only for submission-senders.

Now enable dkim signing with $enable_dkim_signing = 1; and reload amavis with amavisd-new reload.

Congratulations, you are now signing outgoing mails with DKIM-private keys šŸ™‚


DMARC is an email-validation system and is designed to be on top of the two existing mechanisms SPF and DKIM. I’m not going any further because in my setting, I just disabled any DMARC-Validation with this DNS-entry:  3600 IN TXT     "v=DMARC1; p=none"

As far as I know, only a few mailservers will validate it.


6 thoughts on “Inbound and Outbound Spam/AntiVirus Mail Gateway”

  1. Hello,
    Thank you for your tutorial, it is clear and simple.
    I installed this on Debian 8.7 and I had to setup the instances in /etc/postfix/ and not in .
    Hope that help

    1. Hi,

      You’re right. I updated it for the second postfix-instance (amavis-instance).
      Thanks for your help

      kind regards,

      1. Dear Philipp,
        Thank you for your tutorial, it is clear and simple.
        Some Image in your tutorial does not show. Can you repair it.
        Thank you very much.

  2. You made a mistake here :
    This is not in the file but in who need to write this:

    smtp-amavis unix – – n – 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

  3. Hi, thankyou for your tutorial.
    Is there some way to monitor/view the queues, sent mail, historical outbound addresses, etc in a management back-end of sorts? Some sort of granularity in knowing the volume of mail and from what addresses, etc. over time. Kind of like what CPanel has?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.