Amavisd-new is an interface written in Perl that sits between the MTA and content checkers such as SpamAssassin or ClamAV. In this setup it listens on port 10024 to receive mail from Postfix and reinjects the mail into Postfix on port 10025, using ESMTP or LMTP to communicate with the MTA. I'll explain how to configure this communication with Postfix and how to configure the checkers: SpamAssassin to filter spam and ClamAV to scan mail content for viruses or worms. We'll also configure the server to sign mail with DKIM and to verify the signatures on mail we receive. DKIM uses an asymmetric key pair to sign mail and verify the identity of the source.

Installing Amavisd

1.- Import the GPG key for the rpmforge repository:

# rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt

– Download and install the rpmforge package for your host architecture:
i686:

 http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

x86_64:

 http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

(i686 shown here; use the x86_64 URL on a 64-bit host)

# rpm -ivh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

2.- Install Amavisd, SpamAssassin, ClamAV and dependencies:

# yum install amavisd-new clamav clamav-devel clamd spamassassin cronie perl-Convert-BinHex

(NOTE: If you have problems with the lzop dependency of the amavisd-new package, try this:)

# rpm -ivh http://pkgs.repoforge.org/lzop/lzop-1.03-1.el5.rf.i386.rpm

– Enable the new services so they start when the system boots:

# chkconfig --levels 235 amavisd on
# chkconfig --levels 235 clamd on
# chkconfig --levels 235 crond on

3.- Configure clamav to work with amavisd:

– Edit /etc/clamd.conf and add:

# Path to a local socket file the daemon will listen on.
# Uncomment this to use Unix socket
LocalSocket /var/run/clamav/clamd.sock
# TCP port address.
# Comment this
#TCPSocket 3310

4.- Configuring Amavisd:

# vi /etc/amavisd.conf
#Global parameters for Amavisd
$inet_socket_port = 10024; # listen on this local TCP port(s)
$max_servers = 2; # num of pre-forked children (2..30 is common), -m
$daemon_user = "amavis"; # (no default; customary: vscan or amavis), -u
$daemon_group = "amavis"; # (no default; customary: vscan or amavis), -g
$mydomain = 'mydomain.com'; # a convenient default for other settings
$myhostname = 'mail.mydomain.com'; # must be a fully-qualified domain name!
@local_domains_maps = ( [".$mydomain", "mydomain2.com", "virtualdomain.net", "virtualdomain.org"] ); # Virtual domains for amavisd
$notify_method = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025'; #reinjection path of mail from amavisd back into postfix
$enable_dkim_verification = 1; # enable DKIM signatures verification
$enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key
$MYHOME = '/var/amavis'; # a convenient default for other settings, -H
$helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S
$lock_file = "$MYHOME/var/amavisd.lock"; # -L
$pid_file = "$MYHOME/var/amavisd.pid"; # -P
#Parameters for SpamAssassin
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
#E-mail addresses for notifications:
$virus_admin = "virusalert@$mydomain"; # notifications recip.
$mailfrom_notify_admin = "virusalert@$mydomain"; # notifications sender
$mailfrom_notify_recip = "virusalert@$mydomain"; # notifications sender
$mailfrom_notify_spamadmin = "spam.police@$mydomain"; # notifications sender
#Uncomment the ClamAV section (an entry of @av_scanners)
# ### http://www.clamav.net/
['ClamAV-clamd',
&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
qr/\bOK$/m, qr/\bFOUND$/m,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

5.- Configure postfix to allow mails to be passed to Amavisd and then reinjected back into postfix:

# vi /etc/postfix/master.cf
#Option lines must begin with whitespace so Postfix reads them as
#continuations of the service entry above them
#Accept mail from postfix to amavisd
amavisfeed unix - - n - 2 lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
#Amavisd Reinjection process
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=

– Edit /etc/postfix/main.cf and add:

content_filter=amavisfeed:[127.0.0.1]:10024
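
The reinjection listener from step 5 accepts mail without content filtering, so it is worth checking statically before restarting Postfix. The following is an added example, not part of the original post: it joins master.cf continuation lines and verifies that the listener is bound to loopback, clears content_filter and restricts clients to mynetworks. The helper names check_reinject and write_sample and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): static audit of the amavisd
# reinjection listener in master.cf. check_reinject is a hypothetical helper.
check_reinject() {   # usage: check_reinject <master.cf> <port>
    awk -v port="$2" '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    function check(e,    f, n, i, p, opt, has) {
        n = split(e, f, " ")
        if (n < 8 || f[8] != "smtpd" || f[1] !~ (":" port "$")) return
        seen = 1
        if (f[1] !~ /^(127\.0\.0\.1|\[::1\]|localhost):/)
            fail(f[1] " is not bound to loopback")
        for (i = 9; i < n; i++) if (f[i] == "-o") {
            p = index(f[i+1], "=")
            opt[substr(f[i+1], 1, p - 1)] = substr(f[i+1], p + 1)
            has[substr(f[i+1], 1, p - 1)] = 1
        }
        if (!has["content_filter"] || opt["content_filter"] != "")
            fail("content_filter not cleared, mail would loop back to amavisd")
        if (opt["mynetworks"] != "127.0.0.0/8")
            fail("mynetworks is not limited to 127.0.0.0/8")
        if (opt["smtpd_client_restrictions"] !~ /reject$/)
            fail("smtpd_client_restrictions does not end in reject")
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
    /^[ \t]/ { entry = entry " " $0; next }    # continuation of previous entry
    { check(entry); entry = $0 }               # a new service entry starts
    END {
        check(entry)
        if (!seen) fail("no smtpd listener on port " port)
        if (!bad) print "OK: reinjection listener on port " port
        exit bad + 0
    }' "$1"
}

# Constructed sample: the reinjection entry from step 5, abbreviated.
write_sample() {   # $1 = output file, $2 = listen address
    cat > "$1" <<EOF
# Amavisd reinjection process
$2:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
EOF
}

tmp=$(mktemp) && write_sample "$tmp" 127.0.0.1 && check_reinject "$tmp" 10025
rm -f "$tmp"
```

On a real host, run `check_reinject /etc/postfix/master.cf 10025`; a non-zero exit status means at least one FAIL line was printed.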

6.- Restart services:

# service amavisd restart
# service clamd restart
# service postfix restart

7.- Sign mails with DKIM using amavisd:

– Create a private key:

# amavisd genrsa /var/amavis/var/mydomain-com-key.pem
# chown -R amavis:amavis /var/amavis/var/mydomain-com-key.pem && chmod -R 700 /var/amavis/var/mydomain-com-key.pem

– Edit /etc/amavisd.conf:

dkim_key ('mydomain.com', 'mykey', '/var/amavis/var/mydomain-com-key.pem');

– Restart the service:

# service amavisd restart

– Show the DKIM public key:

# amavisd showkey

– Copy and paste the DNS record into our DNS server so that other servers can verify our signatures.

Look at the mail headers and the maillog to check that amavisd, spamassassin and clamav are running correctly.
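
One way to do the header check on a saved message, as an added example that is not part of the original post: it unfolds the header block, ignores everything after the first blank line so body text cannot imitate a header, and reports whether the message carries an amavisd X-Virus-Scanned header, an X-Spam-Status header and a DKIM-Signature for the domain and selector passed to dkim_key. The helper names and the sample message are constructed, and the header values shown are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): report which amavisd-related
# headers a saved message carries. scan_headers is a hypothetical helper name.
scan_headers() {   # usage: scan_headers <message file> <domain> <selector>
    awk -v dom="$2" -v sel="$3" '
    function flush(   name, t, n, i, d, s) {
        if (hdr == "") return
        name = tolower(substr(hdr, 1, index(hdr, ":") - 1))
        if (name == "x-virus-scanned" && hdr ~ /amavisd-new/) virus = "yes"
        if (name == "x-spam-status") spam = "yes"
        if (name == "dkim-signature") {
            gsub(/[ \t]+/, "", hdr)            # tags may be folded and padded
            sub(/^[^:]*:/, "", hdr)
            n = split(hdr, t, ";")
            for (i = 1; i <= n; i++) {
                if (t[i] == "d=" dom) d = 1
                if (t[i] == "s=" sel) s = 1
            }
            if (d && s) dkim = "ours"
            else if (dkim != "ours") dkim = "other-signer"
        }
        hdr = ""
    }
    BEGIN { virus = "no"; spam = "no"; dkim = "missing" }
    { sub(/\r$/, "") }                         # tolerate CRLF line endings
    /^$/ { exit }                              # end of headers: ignore the body
    /^[ \t]/ { hdr = hdr $0; next }            # folded continuation line
    { flush(); hdr = $0 }
    END { flush(); print "virus_scanned=" virus " spam_status=" spam " dkim=" dkim }
    ' "$1"
}

# Constructed sample message; header values are illustrative only.
write_sample_msg() {   # $1 = output file
    cat > "$1" <<'EOF'
X-Virus-Scanned: amavisd-new at mydomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com;
    h=from:subject:date; s=mykey; bh=PLACEHOLDER; b=PLACEHOLDER
X-Spam-Status: No, score=-1.0 tagged_above=2 required=6.2
From: user@mydomain.com
Subject: test

X-Spam-Status: this line is body text and must not be counted
EOF
}

tmp=$(mktemp) && write_sample_msg "$tmp" && scan_headers "$tmp" mydomain.com mykey
rm -f "$tmp"
```

A result of dkim=other-signer means a signature is present but was not made with the domain and selector given, which on outgoing mail points at the dkim_key line or at a second signer in the path.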

2 thoughts on “Configure an antispam gateway (part II)”

  • September 5, 2012 at 19:40

    I think you need to chkconfig spamassassin off because AMAVISD uses only some files from Spam Assassin

    • September 5, 2012 at 21:11

      Yes, you are right, I corrected the post; spamassassin is loaded by amavisd as a module and it’s not necessary to start the spamd service. Thanks for the suggestion!!!
