Do not start this section before you have finished testing the previous one! We are about to add a new level of complexity, so error messages will get mixed up if you do not test after every step!
Amavisd-new can be found here and Spamassassin here. Installing from source should work fine, but we are using the Debian Sarge packages:
apt-get install amavisd-new spamassassin clamav clamav-freshclam
Virus and spam control is handled by amavisd-new. Amavisd-new uses spamassassin to filter for spam and clamav to filter out viruses. The LDAP database contains per-user settings where you can change:
As virus scanner we installed Clam AntiVirus (clamav.elektrapro.com), which is a free GPL virus scanner featuring maildir support. Amavis supports many virus scanners and can even use more than one in one configuration. The virus scanner does not interact with LDAP, so you can choose one to your liking.
For Postfix integration the master.cf and the main.cf files have to be modified (see below). Amavisd-new creates its own SMTP facility. Postfix will send mail to the Amavis SMTP where it is tested and then sent back to Postfix for actual delivery.
Clamav just works out of the box, but you need to add the user clamav to the group amavis.
As with other software, we are not going to give a complete account of how to configure Amavis. Virus scanner and spam filter configuration can get quite complex, so we recommend reading up on it before you enter the directives you need for DISC operation. Again, we only explain things here that are crucial for integration with DISC (although others may find the pointers to the bugs in the LDAP implementation helpful too).
The amavisd.schema needs to be modified to accept floating point values for the tag and kill levels. By default these attributes are configured with integerMatch, which only accepts whole numbers. Spamassassin, however, requires these numbers to be decimal values: even if the value is 2, it has to be written as 2.0.
The amavisd.schema also needs to be modified for our purposes to include the maildrop attribute as part of the amavisAccount object class, because we use it as the container of user email addresses.
The modifications look like this:
attributetype ( 1.3.6.1.4.1.15312.2.2.1.5
    NAME 'amavisSpamTagLevel'
    DESC 'Spam Tag Level'
    EQUALITY telephoneNumberMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
    SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.15312.2.2.1.6
    NAME 'amavisSpamTag2Level'
    DESC 'Spam Tag2 Level'
    EQUALITY telephoneNumberMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
    SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.15312.2.2.1.7
    NAME 'amavisSpamKillLevel'
    DESC 'Spam Kill Level'
    EQUALITY telephoneNumberMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
    SINGLE-VALUE )
Then, you also need to modify the ObjectClass definition as follows:
objectclass ( 1.3.6.1.4.1.15312.2.2.2.1
    NAME 'amavisAccount' AUXILIARY
    DESC 'Amavisd Account'
    SUP top
    MUST ( mail )
    MAY ( amavisVirusLover $ amavisBannedFilesLover $
          amavisBypassVirusChecks $ amavisBypassSpamChecks $
          amavisSpamTagLevel $ amavisSpamTag2Level $
          amavisSpamKillLevel $ amavisSpamModifiesSubj $
          amavisWhitelistSender $ amavisBlacklistSender $
          cn $ description $ maildrop ) )
To make amavisd LDAP-aware, amavisd.conf has to be modified in a similar way to the Postfix lookups in main.cf. We have to define a host, DN and password to point Amavis somewhere for LDAP lookups, and then we state which lookups we want to do.
Since amavisd.conf will contain the vmail LDAP password, we have to remove all access for group and others, so that the file is readable only by its owner, root:
chmod og-rwx amavisd.conf
amavisd.conf is split into sections. We will go through the file section by section.
@bypass_spam_checks_acl = qw( . );
@local_domains_acl
$enable_ldap = 1;
$default_ldap = {
    hostname      => 'localhost',
    tls           => 0,
    base          => 'dc=dot',
    scope         => 'sub',
    query_filter  => '(&(objectClass=amavisAccount)(mail=%m))',
    bind_dn       => 'uid=vmail,ou=system-users,dc=dot',
    bind_password => 'xxxxxx'
};
No changes needed.
Change to your own preferences. While testing, a high log level can be convenient.
What to do with detected viruses and spam. This is not relevant to DISChosting. Our preferred policy is not to save viruses and spam and not to send out warning messages.
Here we add our ldap settings per user:
$bypass_virus_checks_ldap = {res_at => 'amavisBypassVirusChecks'};
$bypass_spam_checks_ldap  = {res_at => 'amavisBypassSpamChecks'};
No changes required for DISChosting
Set spamassassin to add header-value only on request:
$sa_spam_modifies_subj_ldap = {res_at => 'amavisSpamModifiesSubj'};
$spam_tag_level_ldap        = {res_at => 'amavisSpamTagLevel'};
$spam_tag2_level_ldap       = {res_at => 'amavisSpamTag2Level'};
$spam_kill_level_ldap       = {res_at => 'amavisSpamKillLevel'};
You can comment out virus scanners you don't have for faster startup, but it is not necessary.
No changes needed.
Now start amavis and look at the logs. If it doesn't start from init.d, try amavisd-new debug. Check for missing utilities (arc, unrar...) and for recognition of the virus scanner (clamav).
!!! ATTENTION !!! The documentation of amavisd is not correct here! Reading through the source of the Perl module Net::LDAP::Schema, which is used by Amavis, reveals that the handle for attribute requests is "res_at", not "res_attr" as the Amavis source insists.
Thus, there is a bug in Amavis that results from an inconsistency between Amavis itself and the LDAP modules of Perl. To fix the problem, locate the amavisd-new file (usually in /usr/sbin) and use the following commands:
sed 's/res_attr/res_at/g' /usr/sbin/amavisd-new > /tmp/amavisd
mv /tmp/amavisd /usr/sbin/amavisd-new
chmod +x /usr/sbin/amavisd-new
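The same substitution with a rollback copy and a temporary file created next to the target instead of a fixed name in /tmp, as an added example that is not part of the original guide. The function names and the stand-in script are constructed for illustration; on a real host the argument would be /usr/sbin/amavisd-new.

```shell
#!/bin/sh

# Patches $1 in place; prints how many lines contained res_attr (0 = nothing to do).
patch_res_attr() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    # grep -c prints 0 and returns non-zero when nothing matches: leave the file untouched.
    hits=$(grep -c 'res_attr' "$f") || { echo 0; return 0; }
    cp -p "$f" "$f.orig" || return 1           # unpatched copy for rollback
    tmp=$(mktemp "$f.XXXXXX") || return 1      # unpredictable name next to the target
    cp -p "$f" "$tmp" || return 1              # carries owner and mode (incl. +x) over
    if sed 's/res_attr/res_at/g' "$f" > "$tmp" && mv -f "$tmp" "$f"; then
        echo "$hits"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed stand-in for the real script, so the example runs anywhere.
make_sample() {   # $1 = path to create
    cat > "$1" <<'EOF'
#!/usr/bin/perl
# constructed lines, not real amavisd-new source
my $attr = $cfg->{res_attr};
lookup(res_attr => $attr);
print "unrelated line\n";
EOF
    chmod 755 "$1"
}

d=$(mktemp -d)
make_sample "$d/amavisd-new"
patch_res_attr "$d/amavisd-new"    # first run patches two lines
patch_res_attr "$d/amavisd-new"    # second run finds nothing left to change
rm -rf "$d"
```

Because the second run changes nothing, the function is safe to call again after a package upgrade replaces the script.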
As mentioned above, the main.cf file for postfix needs to be edited so postfix is aware that mail content should be filtered by Amavis. First we add the content_filter to our virtual settings:
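virtual_transport = virtual
virtual_mailbox_domains = ldap:domains
virtual_alias_maps = ldap:aliases
virtual_uid_maps = ldap:accounts
virtual_gid_maps = ldap:accounts
virtual_mailbox_base = /hosting
virtual_mailbox_maps = ldap:mailbox
virtual_minimum_uid = 2000
# amavisd-new listens on port 10024 by default ($inet_socket_port).
# Port 10025 is the Postfix re-injection listener defined in master.cf;
# pointing content_filter at it would hand mail straight back to Postfix unscanned.
content_filter = smtp-amavis:[127.0.0.1]:10024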
The Postfix master.cf also needs to be edited so Postfix can use the Amavis mail filter properly. For that to work, add the following two lines (each is a single line despite the formatting here) at the end of the master.cf file:
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
Your Amavis/Spamassassin configuration is complete with that.
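A consistency check for the two Postfix files edited above, as an added example that is not part of the original guide: it flags a content_filter port that Postfix itself listens on (mail would then return to Postfix without passing amavisd) and a missing loopback-only re-injection listener. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh

# Port that main.cf hands mail to: "smtp-amavis:[127.0.0.1]:10024" -> 10024
filter_port() {
    sed -n 's/^content_filter[[:space:]]*=.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1"
}

# master.cf as logical lines: comments dropped, indented continuation lines joined.
logical_lines() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         /^[ \t]/ { buf = buf " " $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1"
}

# Verdict for the pair ($1 = main.cf, $2 = master.cf); non-zero return on a finding.
check_filter_loop() {
    port=$(filter_port "$1")
    [ -n "$port" ] || { echo "FAIL: no content_filter port found"; return 1; }
    # If Postfix itself listens on that port, mail never reaches amavisd.
    if logical_lines "$2" | awk -v p="$port" '$2 == "inet" {
            n = split($1, a, ":"); if (a[n] == p) hit = 1 } END { exit !hit }'; then
        echo "FAIL: port $port is a Postfix listener, amavisd is skipped"; return 1
    fi
    # Returning mail needs a loopback-only smtpd with the filter switched off.
    if ! logical_lines "$2" | grep -E '^127\.0\.0\.1:[0-9]+[[:space:]]+inet[[:space:]]' |
         grep -E -- '-o content_filter=([[:space:]]|$)' |
         grep -q -- '-o mynetworks=127\.0\.0\.0/8'; then
        echo "FAIL: no loopback re-injection listener with empty content_filter"; return 1
    fi
    echo "OK: content_filter port $port, re-injection listener present"
}

# Constructed sample files ($1 = directory, $2 = content_filter port for main.cf).
write_samples() {
    printf 'content_filter = smtp-amavis:[127.0.0.1]:%s\n' "$2" > "$1/main.cf"
    cat > "$1/master.cf" <<'EOF'
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
EOF
}

d=$(mktemp -d)
write_samples "$d" 10024; check_filter_loop "$d/main.cf" "$d/master.cf"
write_samples "$d" 10025; check_filter_loop "$d/main.cf" "$d/master.cf" || true
rm -rf "$d"
```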