SpamAssassin Integration with Postfix, using Amavis

This is just a summary of the following websites. Go there for more detailed information.

http://www.geocities.com/scottlhenderson/spamfilter.html

http://www.dambrosioauto.com/razor_config.html

http://www.ijs.si/software/amavisd/#faq-spam

http://www.xmission.com/~jmcrc/index.html

This document describes the configuration for sitewide use of SpamAssassin with Amavis and Razor. The distribution used is SuSE Linux 9.0. If you use something else, some options may be different. For example, Amavis may run as user amavis rather than vscan, and the path to the Amavis spool directory may be /var/amavis rather than /var/spool/amavis.

Postfix Configuration

/etc/postfix/master.cf:

Add these lines to the end of the file

smtp-amavis	unix	-	-	y	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o disable_dns_lookups=yes

127.0.0.1:10025	inet	n	-	y	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=127.0.0.0/8
	-o strict_rfc821_envelopes=yes

After that, the master.cf file should look like this

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       y       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       nqmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp

smtp-amavis	unix	-	-	y	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o disable_dns_lookups=yes

127.0.0.1:10025	inet	n	-	y	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=127.0.0.0/8
	-o strict_rfc821_envelopes=yes
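
The 127.0.0.1:10025 listener clears content_filter and most smtpd restrictions so that amavis can hand scanned mail back, which leaves its bind address and mynetworks override as the only things keeping unfiltered mail out. The following check is an added example, not part of the original guide; the function names and both sample inputs are constructed here.

```shell
# Audit the amavis re-injection listener (smtpd on port 10025) in master.cf.
# Reads master.cf text on stdin; prints "ok" or one finding per line.
check_reinject() {
    awk '
    function bad(msg) { n++; print msg }
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    /^[^ \t]/ {                              # a service entry starts in column 1
        cur = (($1 == "10025" || $1 ~ /:10025$/) && $8 == "smtpd")
        if (cur) { found = 1; svc = $1 }
        next
    }
    cur && $1 == "-o" {                      # indented "-o name=value" override
        eq = index($2, "=")
        name = substr($2, 1, eq - 1)
        val[name] = substr($2, eq + 1); has[name] = 1
    }
    END {
        if (!found) { print "no smtpd service on port 10025"; exit }
        if (svc !~ /^(127\.0\.0\.1|localhost):/)
            bad("listener " svc " is not bound to loopback")
        if (!has["content_filter"] || val["content_filter"] != "")
            bad("content_filter is not cleared on the re-injection listener")
        if (val["mynetworks"] != "127.0.0.0/8")
            bad("mynetworks override is not 127.0.0.0/8")
        r = val["smtpd_recipient_restrictions"]
        if (r != "reject" && r !~ /,reject$/)
            bad("smtpd_recipient_restrictions does not end in reject")
        if (!n) print "ok"
    }'
}
# Constructed sample: the listener from this page (spaces instead of tabs).
good_cf() {
cat <<'EOF'
smtp-amavis unix - - y - 2 smtp
127.0.0.1:10025 inet n - y - - smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
EOF
}
# Constructed misconfiguration: all interfaces, content_filter not cleared.
bad_cf() {
cat <<'EOF'
10025 inet n - y - - smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
EOF
}
good_cf | check_reinject; bad_cf | check_reinject
```

On a live system the same function can be fed the real file: check_reinject < /etc/postfix/master.cf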

/etc/postfix/main.cf:

  • myorigin - the domain that mail from this machine appears to come from.

postconf -e "myorigin = domain1.com"

Replace domain1.com with your actual domain.

  • myhostname - the fully-qualified domain name ("FQDN") of the machine running the Postfix system.

postconf -e "myhostname = spamfilter.domain1.com"

  • mydestination - specifies for which domains this machine will accept mail
    (from the outside, i.e., from the Internet). You want to list here ONLY
    domains for which you are responsible for accepting mail.
    Separate them with commas.

postconf -e "mydestination = domain1.com, domain2.com"

  • mynetworks - the machines I trust, and will relay mail for, to any destination.
    Generally, this is set to my LAN, or just one, or a few trusted internal mail servers.
    This is an important one to get right, or else you can become an "open relay".
    In other words, your box could accept and forward mail to domains for which it has
    no business doing so. Being an "open relay" is a serious issue, and can cause you to get
    "blacklisted" by various Internet anti-spam lists, among other problems.

postconf -e "mynetworks = x.x.x.x/32"

(where x.x.x.x is the IP address of a specific machine)

If you will be dealing with multiple internal mail servers, and/or want to allow several machines
and/or subnets to relay through this server (careful!!), just add them to this parameter in CIDR format,
like this:

postconf -e "mynetworks = 172.20.32.5/32, 10.0.0.0/16, 172.20.16.0/24"

(the above will allow the machine 172.20.32.5, and any machines that have an IP address starting
with 10.0, or 172.20.16, to relay smtp mail through this box)
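
To see which addresses a mynetworks value really trusts, the script below expands each CIDR entry to its first and last address and marks entries whose address part has bits set outside the prefix, which usually means the prefix length was mistyped. It is an added example, not from the original guide; the function names and the HOSTBITS marker are made up for this illustration, and the input list is a constructed sample.

```shell
# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range ADDR[/LEN] -> "first-last", plus " HOSTBITS" when ADDR is not
# the network address for that prefix length.
cidr_range() {
    addr=${1%/*}; len=${1#*/}
    if [ "$addr" = "$1" ]; then len=32; fi      # bare address, no /LEN
    ip=$(ip_to_int "$addr")
    mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF ))
    net=$(( $ip & $mask ))
    last=$(( $net | (~$mask & 0xFFFFFFFF) ))
    flag=""
    if [ "$ip" -ne "$net" ]; then flag=" HOSTBITS"; fi
    echo "$(int_to_ip "$net")-$(int_to_ip "$last")$flag"
}

# audit_mynetworks "entry, entry, ..." -> one line per entry: ENTRY RANGE [HOSTBITS]
audit_mynetworks() {
    for entry in $(echo "$1" | tr ',' ' '); do
        echo "$entry $(cidr_range "$entry")"
    done
}

# Constructed sample: the last entry has a mistyped prefix length and would
# trust all of 172.0.0.0-172.255.255.255 instead of one /24.
audit_mynetworks "172.20.32.5/32, 10.0.0.0/16, 172.20.16.0/8"
```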

  • biff - we won't use biff notifications

postconf -e "biff = no"

  • smtpd_banner - what this server calls itself, when talking with other mail servers

postconf -e "smtpd_banner = mail.domain1.com"

  • message_size_limit - maximum size email that postfix will let in the "front door"

postconf -e "message_size_limit = 1000000000"

(The above allows emails up to 1GB)

  • local_transport - give an error message for local delivery attempts.

postconf -e "local_transport = error:no local mail delivery"

  • local_recipient_maps - don't try to determine valid email recipients

In our situation, the postfix server will have no idea if we have a bob@domain1.com or a
jsmith@domain2.com, etc. It doesn't have any such lists to check against!
We could fix this, but it is far easier to just ignore this problem.
If mail comes in to a recipient that I don't have, postfix will process it and
transport it on to the internal mail server, which will promptly reject it and will
attempt to do the NDR (non-delivery report) to the stated sender email address.
There are other potential solutions here, but I will only cover this simple configuration,
which works fine. So we'll just set this value to nothing:

postconf -e "local_recipient_maps = "

/etc/postfix/transport

Postfix will check the transport file for redirection or relaying of mail addressed to particular domains. In our case, all inbound mail will be relayed on to other mail servers:

domain1.com smtp:[x.x.x.x]

domain2.com smtp:[y.y.y.y]

(DO include the brackets on these lines!)
These lines tell postfix to transport any mail addressed to recipients in domain#.com to the mail servers at the IP address(es) specified (i.e. your internal mail server(s)), using the smtp protocol. The format is exacting: get every symbol correct and leave some white space between the domains and the "smtp" part.

After that run the command:

postmap /etc/postfix/transport

Amavis configuration

Amavis is just used for spam detection, not virus protection. See the options below.

/etc/amavisd.conf

Change the following options:

  • $mydomain = 'example.com'
    Change 'example.com' to 'domain1.com'
  • @bypass_virus_checks_acl . . . .
    Change to @bypass_virus_checks_acl = qw( . );

We only want spam protection and no virus scanning, so this will disable virus scanning for all
your domains.

  • $mailfrom_notify_spamadmin . . .
    Change
    "spam.police@$mydomain"; to "postmaster@domain1.com";
  • #$spam_quarantine_to = 'spam-quarantine';
    Insert a # symbol at the beginning of that line, so that it reads as shown. On the very next line, you'll see:

#$spam_quarantine_to = "spam-quarantine@$mydomain";

Here, remove the leading # symbol. (And make sure you have a mailbox for this address on a destination server.
This is where you will review quarantined emails, and will forward on any "false positives" to the proper recipient.)
Alternative: Instead of delivering the spam to a mailbox on the internal server, drop it into a folder right on the spamfilter. To do that, comment out the "spam_quarantine_to" line above that references the email address, and instead select and indicate a folder name for the value "spam_quarantine_to". (Read the comments in this area of amavisd.conf for more info.)

Go to the section "# SpamAssassin settings". When you run SpamAssassin with Amavis, you have to do most of the configuration in amavisd.conf.

See http://www.ijs.si/software/amavisd/#faq-spam for details.

  • $sa_local_tests_only = 0;
    If you want to use Razor, this has to be set to 0.
  • $sa_tag_level_deflt = -999;
    The number of hits needed to update the mail headers.
    With a value of -999 all headers will be updated with X-Spam-Flag, X-Spam-Level and X-Spam-Status.
  • $sa_tag2_level_deflt = 5.0;
    The number of hits required to set X-Spam-Flag to Yes.
  • $sa_spam_subject_tag = '***SPAM*** ';
    Remove the # if you want ***SPAM*** to be added to the subject of spam mails.

Go to /etc/mail/spamassassin and edit local.cf. My file looks like this.

Be sure to double-check these options against amavisd.conf. If one of these options is in amavisd.conf, the one in local.cf will not be used.

# Add your own customisations to this file.  See 'man Mail::SpamAssassin::Conf'
# for details of what can be tweaked.
#
# How many hits before a message is considered spam.

required_hits           5.0

# Whether to change the subject of suspected spam

rewrite_subject         0

# Text to prepend to subject if rewrite_subject is used

subject_tag             *****SPAM*****

# Encapsulate spam in an attachment

report_safe             1

# Use terse version of the spam report

use_terse_report        0

# Enable the Bayes system

use_bayes               1

# Enable Bayes auto-learning

auto_learn              1

# Enable or disable network checks

skip_rbl_checks         0
use_razor2              1
use_dcc                 0
use_pyzor               0

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.

ok_languages            all

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.

ok_locales              all

Amavis expects to see spamassassin's user_prefs file in /var/spool/amavis/.spamassassin but that directory and that file do not exist. Spamassassin's Bayes data is also stored there.

cp -r /root/.spamassassin /var/spool/amavis

This will create it (and copy user_prefs to that directory at the same time).

chown -R vscan:vscan /var/spool/amavis/.spamassassin

This gives amavis ownership.

If you run spamassassin --lint -D from a command line, you will notice that
spamassassin looks for config files in /root/.spamassassin and razor files in /root/.razor.
This is misleading and confusing, because that is not where it looks when it runs under amavis.
You can create symbolic links to help make the command line debug look cleaner.
Also, it will not find any Bayes files in /root/.spamassassin, so the
symbolic links will help there too.

cd /root/.spamassassin

rm user_prefs

ln -s /var/spool/amavis/.spamassassin/user_prefs user_prefs

ln -s /var/spool/amavis/.spamassassin/bayes_seen bayes_seen

ln -s /var/spool/amavis/.spamassassin/bayes_toks bayes_toks

Razor configuration

Open port 2703 in your firewall.

razor-client
This creates symlinks.

razor-admin -d -create
Creates files in /root/.razor and shows debugging info.

razor-admin -register
Creates a random user name and password.
Necessary for data access to Razor2 servers.

razor-admin -discover
Refreshes the list of razor servers.

Razor has to be patched to run under SpamAssassin.
Browse to http://www.ijs.si/software/amavisd/Razor2.patch-quinlan,
use Save Page As, and save the file in:
/usr/lib/perl5/vendor_perl/5.8.1/i586-linux-thread-multi/Razor2

cd /usr/lib/perl5/vendor_perl/5.8.1/i586-linux-thread-multi/Razor2

patch -p0 < Razor2.patch-quinlan

vi /root/.razor/razor-agent.conf
and insert
razorhome = /var/spool/amavis/.razor

Change the debuglevel from 3 to 0, or the log file will eventually
consume all disk space.
Save the file. We are going to copy Razor to its new home in a moment.
It seems Amavis is not happy unless Razor is in that directory and Amavis owns it.

cp -r /root/.razor /var/spool/amavis
This copies the stuff we need to where we need it.

razor-admin -d -create -home=/var/spool/amavis/.razor
This tries to force Razor to live there.

chown -R vscan:vscan /var/spool/amavis/.razor
Now amavis owns it.

vi /var/spool/amavis/.spamassassin/user_prefs
and insert

razor_config /var/spool/amavis/.razor/razor-agent.conf
This forces SpamAssassin to find the file here.
