Setting up Postfix/Amavisd/SpamAssassin
Posted: Fri Feb 17, 2012 12:46 pm
In my ongoing quest to try out alternate MTA/anti-spam on plesk, here is a guide to amavisd-new + postfix + spamassassin + clamav. Wrote this mainly for my own reference, but guess others may find it interesting/useful. If you spot any errors/improvements/omissions, just comment.
Been running this set-up for 2 weeks with no issues and no obvious heavy load caused even with a heavy stream of spam (64-bit/quad core/8GB RAM on this server). YMMV. Here goes:
1. SWITCH FROM QMAIL TO POSTFIX:
```
/usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component postfix
```
Copy the HTTP server private key/certificate/CA certificate into:
```
/etc/postfix/postfix_default.pem
```
2. HARDEN POSTFIX SPAM MAIL POLICY:
```
# /etc/postfix/main.cf
# (continuation lines of a multi-line value must start with whitespace)
smtpd_sender_restrictions =
    check_sender_access hash:/var/spool/postfix/plesk/blacklists,
    permit_sasl_authenticated,
    check_client_access pcre:/var/spool/postfix/plesk/non_auth.re,
    reject_non_fqdn_sender,
    reject_unauthenticated_sender_login_mismatch,
    reject_unknown_sender_domain
smtpd_client_restrictions =
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_client_access pcre:/var/spool/postfix/plesk/no_relay.re,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain
# fix ssl cert issue - on CentOS6 server at least
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
# slow down spammers who send errors or scan for accounts, maybe not worthwhile doing here
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
```
3. INSTALL AMAVISD-NEW:
Set up the RPMForge repo, then:
```
yum install amavisd-new
```
This adds the user amavis and adds it to the clamav group. Check:
```
groups clamav
clamav : clamav amavis
```
Comment out existing SA custom headers/header_rewrite as this will be done via AMAVISD-NEW:
```
# /etc/mail/spamassassin/local.cf
# Leave these:
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
# dcc
use_dcc 1
dcc_path /usr/bin/dccproc
# pyzor
#use_pyzor 0
#pyzor_path /usr/bin/pyzor
# razor
use_razor2 1
```
4. AMAVISD-NEW CONFIGURATION:
```
# /etc/amavisd.conf
$mydomain = 'example.com';
$max_servers = 4;
$QUARANTINEDIR = "/var/virusmails";  # need to mkdir and set permissions for amavis
$log_level = 1;                      # increase if needed
@local_domains_maps = ( 1 );         # list of all local domains - needs to be auto-populated by some method?, this works for now
$sa_tag_level_deflt = -999;          # add spam info headers if at, or above that level / raise later
$sa_tag2_level_deflt = 4.0;          # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;          # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 6.9;          # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 15;  # likewise, but for a likely valid From
$sa_quarantine_cutoff_level = 15;    # spam level beyond which quarantine is off
$sa_spam_subject_tag = '***SPAM*** ';
$myhostname = 'mail.example.com';
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_REJECT;
$final_spam_destiny = D_DISCARD;
@av_scanners = (
  # ### http://www.clamav.net/
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],  # must match the setting in /etc/clamd.conf
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
@av_scanners_backup = ();
# read full amavisd-new docs and decide for yourself what to set
```
5. POSTFIX CONFIGURATION:
```
# vi /etc/postfix/master.cf
# define amavis service for postfix
# maxproc column here must match the $max_servers in /etc/amavisd.conf
amavisfeed unix - - n - 4 lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
# define a service to inject mail back into Postfix
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
```
```
# vi /etc/postfix/main.cf
# message filtering in Postfix for Amavis mail scan
content_filter=amavisfeed:[127.0.0.1]:10024
```
```
postfix reload    # or: service postfix restart
```
Watch the logs: tail -f /usr/local/psa/var/log/maillog /var/log/messages
6. SPAMASSASSIN BAYES IMPORT:
Export Qmail/SpamAssassin Bayes DB and Import into amavis:
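```
# run each sa-learn as the owning user; -c keeps the redirect and ~ inside that user's shell
su -s /bin/bash qscand -c 'sa-learn --backup > ~/.spamassassin/bayes.txt'
mv /var/spool/qscan/.spamassassin/bayes.txt /var/amavis/.spamassassin/bayes.txt
su -s /bin/bash amavis -c 'sa-learn --restore ~/.spamassassin/bayes.txt'
```
Check all folders exist and have correct permissions, commands to get dcc/razor2, couldn't get pyzor working reliably, nothing to do with postfix/amavis/spamassassin, will revisit.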
7. PIPING POSTFIX MAIL TO PHP/SCRIPT:
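Piping mail with virtual aliases allows newsletter bounces/support/etc mail to be handled by a script. This took the longest time to figure out an easy way.
```
# /etc/postfix/main.cf
# locate transport_maps and append:
hash:/var/spool/postfix/plesk/vbounce

# /etc/postfix/master.cf
# add at the end of the file:
vbounce unix - n n - - pipe
    flags=Fq user=IMPORTANT argv=/var/www/vhosts/example.com/httpdocs/vbounce.php ${recipient}
# IMPORTANT: web user must match the vhost UN
```
```
# /var/spool/postfix/plesk/vbounce - add:
vbounce@example.com vbounce:Sent to pipe
```
This address needs to be set up in a virtual mailbox file, as follows:
```
# /var/spool/postfix/plesk/vmailbounce
vbounce@example.com example.com/devnull
```
Create the db for postfix:
```
postmap /var/spool/postfix/plesk/vbounce
postmap /var/spool/postfix/plesk/vmailbounce
```
One final point - if you want to manage multiple bounces/support etc make this one change:
```
# /etc/postfix/main.cf - uncomment:
recipient_delimiter = +
```
This will allow vbounce+special-reference@example.com (if it doesn't exist as an account) to be delivered to vbounce@example.com. vbounce.php can be configured to do extra stuff with this, as ${recipient} in master.cf is the original RCPT TO: address.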
8. PIPING TO PHP SCRIPT:
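```
<?php
// master.cf runs this file directly, so it must be executable and start with a PHP shebang line
// recipient address passed by Postfix as ${recipient}
$address = ( isset( $argv[ 1 ] ) ? $argv[ 1 ] : '' );
// $reference will contain: 'special-reference' (empty if the address does not match)
$reference = '';
if ( preg_match( '/^vbounce\+([a-z0-9_-]*)@example\.com$/i', $address, $address_match ) ) {
    $reference = $address_match[ 1 ];
}
// allowing script to target specific website db/dir with contents of $data:
$data = file_get_contents( 'php://stdin' );
// extract message headers + body (padded so a message without a body does not raise a notice)
list( $headers, $body ) = array_pad( explode( "\n\n", $data, 2 ), 2, '' );
// etc
?>
```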
9. OTHER:
Changes in Plesk (adding/modifying IPs, adding/modifying domains to IPs) update postfix files, but not devastatingly (it'll drop custom settings to smtp_*_restrictions). Avoiding making changes to Mail Server Settings in the Plesk UI seems to be the best policy to keep everything in order.
Back up the *.cf files and compare after any major Plesk changes. It might be possible to include a file to manage these alterations.
Spam scoring seems to be lower, not less accurate, but under qmail-scanner a message might have scored 5+, will be marked as -5 and one which was marked 1+, will be -0.
ClamAV is scanning, but doesn't block anywhere near as many messages (mostly it was FP anyway, bulk mail from ebay etc).
# FILES:
/etc/postfix/master.cf
/etc/postfix/main.cf
/etc/amavisd.conf
# PATHS:
/etc/postfix
/var/spool/postfix/plesk
/var/amavis
# SERVICES:
service postfix status | restart
service amavisd status | restart
# SOURCE (these were the most useful of the hundreds of pages out there):
http://wiki.centos.org/HowTos/Amavisd
http://www.phpvs.net/articles/blakes-ce ... e/postfix/
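The advice under OTHER to back up the *.cf files and compare them after Plesk changes can be narrowed to the restriction lists from step 2, which are what gets dropped. The script below is an added example, not part of the original post: the function names are hypothetical, it assumes the comma-separated entry style used in the main.cf shown above, and the sample files in cf_demo are constructed.

```shell
#!/bin/sh
# Added example: list restriction entries a backed-up main.cf had but the live one lacks.
# Print the comma-separated entries of parameter $2 in main.cf file $1, one per
# line. A line starting with whitespace continues the previous parameter.
cf_param_items() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        /^[ \t]/ { if (hit) val = val " " $0; next }
        {
            hit = 0; i = index($0, "="); if (i == 0) next
            name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
            if (name == want) { hit = 1; val = substr($0, i + 1) }  # last wins
        }
        END {
            n = split(val, a, ",")
            for (k = 1; k <= n; k++) {
                sub(/^[ \t]+/, "", a[k]); sub(/[ \t]+$/, "", a[k])
                gsub(/[ \t]+/, " ", a[k])
                if (a[k] != "") print a[k]
            }
        }' "$1"
}

# Entries of parameter $3 present in backup file $1 but absent from live file $2.
cf_lost_items() {
    live_items=$(cf_param_items "$2" "$3")
    cf_param_items "$1" "$3" | while IFS= read -r item; do
        printf '%s\n' "$live_items" | grep -Fxq -e "$item" || printf '%s\n' "$item"
    done
}

# Check the three restriction lists customised in step 2 of the guide.
cf_check() {
    for p in smtpd_sender_restrictions smtpd_client_restrictions smtpd_recipient_restrictions; do
        cf_lost_items "$1" "$2" "$p" | sed "s/^/$p: /"
    done
}

# Constructed sample: a backup and a rewritten live file in a temp directory.
cf_demo() {
    d=$(mktemp -d)
    printf '%s\n' 'smtpd_client_restrictions =' '    permit_mynetworks,' \
        '    reject_rbl_client zen.spamhaus.org,' \
        '    reject_rbl_client b.barracudacentral.org' > "$d/main.cf.bak"
    printf '%s\n' 'smtpd_client_restrictions = permit_mynetworks' > "$d/main.cf"
    cf_check "$d/main.cf.bak" "$d/main.cf"
    rm -rf "$d"
}
if [ $# -eq 2 ]; then cf_check "$1" "$2"; fi
```

Run it as `script backup-main.cf /etc/postfix/main.cf`; any output line names a restriction that was in the backup and is no longer active.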