Inbound and Outbound Spam/AntiVirus Mail Gateway

Additional Settings

The mail-gateway should now work and filter the most common spam and virus mails. But spam is an aggressive business, so mailservers/ISPs are very restrictive about which mails they accept. With the standard settings, your mailserver may get blocked by some ISPs (for example, by a check for a valid reverse DNS entry for your mailserver).

You can check your current mail settings by sending a mail to a Mail Tester (just three checks per day are allowed).

With the settings below added, mails should work with almost every receiving mailserver.

Reverse DNS[4]

To ensure that your mailserver is allowed to send mails, one common method is to check if the IP of the sending mailserver is valid for the sent domain-name. A reverse DNS entry is only valid between one IP and exactly one domain.

For example, my mailserver has a reverse DNS entry “”. If is sending a mail with the IP, everything is all right. But if I change my mailserver name to (or any other name), the IP is the same with but the expected dns-entry is and not so the receiving mailservers may deny these mails.

You have to set a reverse DNS entry in the admin-panel of your hoster. Here’s an example of my provider (Hetzner)


SPF-Records ensure that mailservers and/or IPs are allowed to send mails in the name of the domain.

It’s a TXT-record in the DNS of your domain and looks similar to this record (of

You can create such SPF-records with this online-tool: SPF-Record (German)
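How a receiving mailserver reads such a record, as an added example that is not part of the original post: it walks the record from left to right and returns the result of the first mechanism that matches the sending IP. The sample record, the addresses (documentation ranges) and the helper name check_spf are assumptions made for this sketch; mechanisms that need DNS lookups are reported, not resolved.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}

# Constructed sample record using documentation address ranges.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.10 ip6:2001:db8::/32 -all"

def check_spf(record, sender_ip):
    """Evaluate ip4/ip6/all mechanisms of one SPF record, left to right.

    Returns (result, matched_term). Mechanisms that require DNS lookups
    stop the evaluation with ("needs-dns", term) instead of being guessed.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)                      # not an SPF record
    redirect = None
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:           # modifier (redirect=, exp=)
            if term.lower().startswith("redirect="):
                redirect = term
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        name = name.split("/")[0].lower()
        if name == "all":
            return (QUALIFIERS[qualifier], term)
        if name in NEEDS_DNS:
            return ("needs-dns", term)
        if name not in ("ip4", "ip6"):
            return ("permerror", term)             # unknown mechanism
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return ("permerror", term)             # malformed address/prefix
        if net.version != int(name[2]):
            return ("permerror", term)             # e.g. ip4: with an IPv6 value
        if ip in net:
            return (QUALIFIERS[qualifier], term)
    # Nothing matched: a redirect would need DNS, otherwise the default is neutral.
    return ("needs-dns", redirect) if redirect else ("neutral", None)

if __name__ == "__main__":
    for addr in ("192.0.2.10", "2001:db8::25", "198.51.100.7"):
        print(addr, check_spf(SAMPLE_RECORD, addr))
```

A "fail" result for your own gateway's IP means the record does not list it, and strict receivers will reject the mail.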

DKIM-Record[6] (DomainKeys Identified Mail)

DKIM is an email authentication method. It verifies signed mails with the associated, published public key of the domain.

[7] (German) describes how it works, but I'll summarize it for this blog post.

At first, you need at least the following packages

Enable DKIM Verification

If you want to enable the DKIM-verification for each incoming mail, add this to /etc/amavis/conf.d/50-user:

Now reload amavis with amavis reload

Add DKIM Signatures to outgoing mails

DKIM needs a public/private key-pair in x509 format. The private key is used for signing the outgoing mails (by amavisd-new) and the public key is published via DNS.

Let’s start with creating the public/private keys with the amavisd-new command.

Now we have to configure the private key in the /etc/amavis/conf.d/50-user file.

It’s important that you don’t enable DKIM signing yet, because the public key isn’t published in the DNS yet. Until it is, the check of DKIM signatures on outgoing mails will fail.

Reload amavisd-new and show the public key for the DNS entry (in the right syntax) by executing amavisd-new showkeys

Add the whole output to the ZONE file of the domain “”. Afterwards, check the output of amavisd-new testkeys. If the ZONE file was set, the output should be:

Before we can start signing mails with DKIM, amavis needs to know which mails are outgoing. Therefore amavis sets the ORIGINATING tag on each outgoing mail. This tag isn’t configured by default, so you have to add a new policy to amavis in the /etc/amavis/conf.d/50-user file:

The other options check that the originating tag is only added to mails of trusted sites and only for submission-senders.

Now enable dkim signing with $enable_dkim_signing = 1; and reload amavis with amavisd-new reload.

Congratulations, you are now signing outgoing mails with DKIM-private keys 🙂


DMARC is an email-validation system designed to sit on top of the two existing mechanisms, SPF and DKIM. I’m not going into further detail because in my setup I just disabled any DMARC-Validation with this DNS-entry:

As far as I know, only a few mailservers will validate it.


4 thoughts on “Inbound and Outbound Spam/AntiVirus Mail Gateway”

  1. Hello,
    Thank you for your tutorial, it is clear and simple.
    I installed this on Debian 8.7 and I had to setup the instances in /etc/postfix/ and not in .
    Hope that helps

    1. Hi,

      You’re right. I updated it for the second postfix-instance (amavis-instance).
      Thanks for your help

      kind regards,

  2. You made a mistake here :
    This is not in the file but in who need to write this:

    smtp-amavis unix - - n - 2 smtp
      -o smtp_data_done_timeout=1200
      -o smtp_send_xforward_command=yes
      -o disable_dns_lookups=yes
