
Integrating RBL, Amavis, Clamav and Spamassassin in Postfix

Do not start with this section before you have finished testing the previous one! We are about to add a new level of complexity, so error messages will get mixed up if you do not test after every step!

Getting and Installing the software

Amavisd-new can be found here and Spamassassin here. Installing from source should work fine, but we are using the Debian Sarge packages:
apt-get install amavisd-new spamassassin clamav clamav-freshclam
LDAP support is already included in Amavisd-new, even though we will need to fix some glitches and bugs in its implementation later.

Overview of the Implementation:

Virus and spam control is handled by amavisd-new. Amavisd-new uses spamassassin to filter for spam and clamav to filter out viruses. The LDAP database contains per-user settings where you can change:

  • bypass virus-scanning
  • bypass spam-checking
  • modify subject if spam is detected
  • tag_level controls adding the X-Spam-Status and X-Spam-Level headers
  • tag2_level controls adding 'X-Spam-Flag: YES' and editing the Subject
  • kill_level controls 'evasive actions' (reject, quarantine, extensions)

    Amavisd-new comes with an LDAP schema called amavis.schema. We use it with some small adaptations.

    As virus scanner we installed Clam AntiVirus (clamav.elektrapro.com), a free GPL virus scanner featuring maildir support. Amavis supports many virus scanners and can even use more than one in one configuration. The virus scanner does not interact with LDAP, so you can choose one to your liking.

    For Postfix integration the master.cf and the main.cf files have to be modified (see below). Amavisd-new creates its own SMTP facility. Postfix sends mail to the Amavis SMTP service, where it is tested and then sent back to Postfix for actual delivery.

    Clamav

    Clamav just works out of the box, but you need to add the user clamav to the group amavis.

    Configure amavis

    As with other software, we are not going to give a complete account of how to configure Amavis. Virus scanner and spam filter configuration can get quite complex, so we recommend reading up on it before you enter the directives you need for DISC operation. Again, we only explain things here that are crucial for integration with DISC (others may find the pointers to the bugs in the LDAP implementation helpful too).

    Schema Modification:

    The amavisd.schema needs to be modified to accept floating point values for the tag and kill levels. By default these attributes accept only whole numbers, because they are configured with integerMatch. Spamassassin, however, requires these levels to be decimal values: even a value of 2 has to be written as 2.0.

    The amavisd.schema also needs to be modified for our purposes to include the maildrop attribute as part of the amavisAccount object class, because we use it as the container of user email addresses.

    The modifications look like this:
    attributetype ( 1.3.6.1.4.1.15312.2.2.1.5
      NAME 'amavisSpamTagLevel'
      DESC 'Spam Tag Level'
      EQUALITY telephoneNumberMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
      SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.15312.2.2.1.6
      NAME 'amavisSpamTag2Level'
      DESC 'Spam Tag2 Level'
      EQUALITY telephoneNumberMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
      SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.15312.2.2.1.7
      NAME 'amavisSpamKillLevel'
      DESC 'Spam Kill Level'
      EQUALITY telephoneNumberMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
      SINGLE-VALUE )
    
    The equality matching rule is set to telephoneNumberMatch here and the syntax OID has to be changed accordingly. telephoneNumberMatch accepts floating point values such as 2.0, unlike the integerMatch in the original schema.

    Then, you also need to modify the ObjectClass definition as follows:
    objectclass ( 1.3.6.1.4.1.15312.2.2.2.1
      NAME 'amavisAccount' AUXILIARY
      DESC 'Amavisd Account'
      SUP top
      MUST ( mail )
      MAY ( amavisVirusLover $ amavisBannedFilesLover $
            amavisBypassVirusChecks $ amavisBypassSpamChecks $
            amavisSpamTagLevel $ amavisSpamTag2Level $
            amavisSpamKillLevel $ amavisSpamModifiesSubj $
            amavisWhitelistSender $ amavisBlacklistSender $
            cn $ description $ maildrop ) )
    
    The only change here is the addition of $ maildrop at the end of the MAY list.

    LDAP Implementation Configuration in amavisd.conf:

    To make amavisd LDAP-aware, amavisd.conf has to be modified in a similar way to the Postfix lookups in main.cf. We have to define a host, bind DN and password so Amavis knows where to do its LDAP lookups, and then we state which lookups we want to do.

    Since amavisd.conf will contain the vmail LDAP password, we have to change its permissions so that it is readable only by root:
    chmod og-rwx amavisd.conf
    

    amavisd.conf is split into Sections. We will go through the file section by section.

    Section I - Essential daemon and MTA settings
  • Fill in a hostname at $myhostname
  • Comment out the lines that start with:
    @bypass_spam_checks_acl  = qw( . );
    @local_domains_acl
    
    Add to the end of the section:
    $enable_ldap = 1;
    $default_ldap = {
      hostname => 'localhost', tls => 0,
      base => 'dc=dot', scope => 'sub',
      query_filter => '(&(objectClass=amavisAccount)(mail=%m))',
      bind_dn => 'uid=vmail,ou=system-users,dc=dot',
      bind_password => 'xxxxxx'
    };
    

    Section II - MTA specific settings

    No changes needed.

    Section III - Logging

    Change to your own preferences. While testing, a high log level can be convenient.

    Section IV - Notifications etc

    What to do with detected viruses and spam. This is not relevant to DISChosting. Our preferred policy is not to save viruses and spam and not to send out warning messages.

    Section V - Per-recipient and per-sender handling

    Here we add our ldap settings per user:
    $bypass_virus_checks_ldap = {res_at => 'amavisBypassVirusChecks'};
    $bypass_spam_checks_ldap = {res_at => 'amavisBypassSpamChecks'};
    

    Section VI - Resource limits

    No changes required for DISChosting

    Section VII - External programs, virus scanners

    Set spamassassin to add header-value only on request:
    $sa_spam_modifies_subj_ldap = {res_at => 'amavisSpamModifiesSubj'};
    $spam_tag_level_ldap = {res_at => 'amavisSpamTagLevel'};
    $spam_tag2_level_ldap = {res_at => 'amavisSpamTag2Level'};
    $spam_kill_level_ldap = {res_at => 'amavisSpamKillLevel'};
    

    You can comment out virus-scanners you dont have for faster startup, but it is not necessary.

    Section VIII - Debugging

    No changes needed.

    Now start amavis and look at the logs. If it doesn't start from init.d, try amavisd-new debug. Check for missing utilities (arc, unrar, ...) and that the virus scanner (clamav) is recognized.

    Fixing amavis

    !!! ATTENTION !!! The amavisd documentation is not correct here!! Reading the source of the Perl module Net::LDAP::Schema, which Amavis uses, reveals that the handle for attribute requests is "res_at", not "res_attr" as the Amavis source insists.

    Thus, there is a bug in Amavis that results from an inconsistency between Amavis itself and the Perl LDAP modules. To fix the problem, locate the amavisd-new file (usually in /usr/sbin) and run the following commands:
    sed 's/res_attr/res_at/g' /usr/sbin/amavisd-new > /tmp/amavisd
    mv /tmp/amavisd /usr/sbin/amavisd-new
    chmod +x /usr/sbin/amavisd-new
    
    There is also a script called amavispatch.sh in the examples directory, which does exactly this.
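    A small audit script, added here and not part of the DISC tutorial or of amavisd-new, that checks whether the schema edits from the previous section (telephoneNumberMatch for the three spam levels, maildrop in amavisAccount) and the res_attr fix above have actually taken effect. File paths are passed as arguments; the sample_schema helper builds a constructed schema fragment so the checks can be exercised without touching the real files.

```shell
#!/bin/sh
# Added audit helper (not part of the DISC tutorial or of amavisd-new): checks
# that the schema edits and the res_attr -> res_at fix described above have
# really been applied. Paths are arguments, so it also runs on sample files.

# 0 if all three spam level attributes use telephoneNumberMatch, else 1.
check_schema_levels() {
    for attr in amavisSpamTagLevel amavisSpamTag2Level amavisSpamKillLevel; do
        rule=$(awk -v name="'$attr'" '
            /^ *attributetype/ { inblock = 0 }              # next attributetype block
            $1 == "NAME" && $2 == name { inblock = 1 }      # the attribute we want
            inblock && $1 == "EQUALITY" { print $2; exit }  # its matching rule
        ' "$1")
        [ "$rule" = "telephoneNumberMatch" ] || return 1
    done
    return 0
}

# 0 if the amavisAccount object class lists maildrop among its attributes.
check_schema_maildrop() {
    awk '/^ *objectclass/ { inblock = 0 }
         /NAME .amavisAccount./ { inblock = 1 }
         inblock && /maildrop/ { found = 1 }
         END { exit !found }' "$1"
}

# 0 if no res_attr handle is left in the amavisd-new program file.
check_res_at() {
    ! grep -q 'res_attr' "$1"
}

# Constructed schema fragment in the layout shown above (test data, not the
# real file): $1 EQUALITY rule, $2 SYNTAX OID, $3 tail of the MAY list.
sample_schema() {
    i=5
    for attr in amavisSpamTagLevel amavisSpamTag2Level amavisSpamKillLevel; do
        printf "attributetype ( 1.3.6.1.4.1.15312.2.2.1.%s\n  NAME '%s'\n  EQUALITY %s\n  SYNTAX %s\n  SINGLE-VALUE )\n" "$i" "$attr" "$1" "$2"
        i=$((i + 1))
    done
    printf "objectclass ( 1.3.6.1.4.1.15312.2.2.2.1\n  NAME 'amavisAccount' AUXILIARY\n  MAY ( mail \$ %s ) )\n" "$3"
}

# Real system: sh audit.sh /etc/ldap/schema/amavisd.schema /usr/sbin/amavisd-new
audit() {
    check_schema_levels "$1"   && echo "levels:   telephoneNumberMatch, 2.0 style values accepted" || echo "levels:   still integerMatch, edit the schema"
    check_schema_maildrop "$1" && echo "maildrop: listed in amavisAccount" || echo "maildrop: missing from amavisAccount MAY list"
    check_res_at "$2"          && echo "res_at:   amavisd-new patched" || echo "res_at:   res_attr still present, run the sed fix"
}
if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```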

    Telling Postfix about amavis

    As mentioned above, the main.cf file for postfix needs to be edited so postfix is aware that mail content should be filtered by Amavis. First we add the content_filter to our virtual settings:
    virtual_transport = virtual
    virtual_mailbox_domains = ldap:domains
    virtual_alias_maps = ldap:aliases
    virtual_uid_maps = ldap:accounts
    virtual_gid_maps = ldap:accounts
    virtual_mailbox_base = /hosting
    virtual_mailbox_maps = ldap:mailbox
    virtual_minimum_uid = 2000
    content_filter = smtp-amavis:[127.0.0.1]:10025
    
    (only the last line is new)

    The Postfix master.cf also needs to be edited so Postfix can hand mail to the Amavis filter and take it back for delivery. Add the following two entries at the end of master.cf (each entry is a single line, whatever the formatting here suggests):
    smtp-amavis     unix    -       -     n       -       2       smtp -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes
    127.0.0.1:10025 inet    n       -     n       -       -       smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes

    Please make sure that those two entries are indeed only one line each!

    Your Amavis/Spamassassin configuration is complete with that.
