Installing a Mailserver on Ubuntu 12.04 LTS Part 2

In this part we build on the mail server created in Installing A Mailserver on Ubuntu 12.04 LTS Part 1, adding anti-virus and anti-spam software and a tool to greylist emails to cut down on the work our server has to do. This will be added to Postfix via amavisd-new.

Once all the parts of this series of posts are completed, the server called mailserver will end up running the following servers and services.

  • Postfix mail server.
    • Emails will be checked with anti-virus service ClamAV
    • Emails will be checked with anti-spam filters from Spamassassin
    • Grey listing of incoming mail servers with postgrey

Installing the Software

sudo apt-get install amavisd-new clamav-daemon spamassassin postgrey \
                     pyzor razor unrar-free zoo nomarch ripole rpm2cpio lha

Amavis

It is a necessary evil that we should scan all incoming and outgoing email for viruses and all incoming email for possible spam content. We do that with a service called Amavis, which plugs into Postfix and accepts mail before it is delivered to the user's mailbox.

Installing Amavis

The extra compression modules are not normally installed by default as they are supplied on a less than free GPL license. The choice is yours whether you install them or not. If you do add them then you will need to turn them on by editing the file 50-user. Adding changes to this file means these settings override those of the earlier files, which makes it simpler to upgrade.

Now we add a bunch of lines to the 50-user file. This is the only file we update. It is loaded last and therefore overrides any duplicate settings.

sudo nano /etc/amavis/conf.d/50-user
$lha      = 'lha'; #disabled (non-free, no security support)

# Anti-Virus code
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


# Anti-Spam checking
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$sa_spam_subject_tag = '[**SPAM**] ';
$final_spam_destiny  = D_PASS;

@lookup_sql_dsn = (
    ['DBI:mysql:database=postfix;host=127.0.0.1;port=3306',
     'mail',
     'mysqlpasswd']);
$sql_select_policy = 'SELECT domain FROM domain WHERE CONCAT("@",domain) IN (%k)';

$sa_tag_level_deflt  = undef;

# Add these two lines while testing and debugging, then comment them out
$log_level = 3;
@whitelist_sender_acl = ();   # empty list: no whitelisted senders

The lha line turns on scanning for, erm umm, lha files. When you restart Amavis, look in the mail log to see if any other modules are missing. Look in 01-debian to see which compression programs Amavis is looking for.

If the output you get from running the following command is the fully qualified domain name of your server, you do not need to update 05-node_id. It is better to fix the return from hostname than to update the amavisd-new file.

hostname --fqdn

I like to see that the spam detector is working, so I get it to update the subject line of any email the scanner believes is spam. This is purely cosmetic; it simply changes the string that is added to the subject line of emails it believes are spam. Since I already have a rule in my email client looking for the string “[**SPAM**]”, that is what I change it to.

The variable $final_spam_destiny determines what happens to an email that is believed to be spam. Since one man’s spam is another man’s valuable message, we shall let the user decide: the mail will be marked as suspected spam but still be delivered.

The last setting, @lookup_sql_dsn, is required because Amavis tries to find out whether an email is incoming (sent from the internet to your domains) or outgoing (sent from your system to the internet) by looking at the @acl_local_domains setting. You need to tell Amavis where to check whether a certain domain is one of your destination domains. The reason is that you usually don’t want to scan your outgoing emails. Imagine that an email is accidentally deemed to be spam and your customer gets warned of your emails.

While debugging you can also set $sa_tag_level_deflt to undef, as in the listing above, so that the spam header flags are always added to the delivered mail.

And now the usual tightening of file permissions, as this file now contains our MySQL password in open text.

sudo chmod 640 /etc/amavis/conf.d/50-user

Restart amavis, take a look at the log file to check for any missing compression modules.

sudo service amavis restart

Now setup the interface configuration for Postfix to talk to Amavis

sudo postconf -e 'content_filter=amavisfeed:[127.0.0.1]:10024'
sudo postconf -e receive_override_options=no_address_mappings

Add the following long set of lines to the end of the master.cf file.

sudo nano /etc/postfix/master.cf
amavisfeed unix -      -       n     -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=

Search master.cf for “pickup”; it should find the FIRST line below. Add the other two lines from below.

pickup    fifo  n       -       -       60      1       pickup
         -o content_filter=
         -o receive_override_options=no_header_body_checks

Do not forget to reload the postfix files now you have updated them.

sudo postfix reload
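
An added check, not part of the original post: the shell function below lints the 10025 re-injection listener, because a listener that other hosts can reach, or that trusts more than 127.0.0.0/8, lets mail enter Postfix without passing through Amavis. The function name check_reinject and both sample fragments are constructed for this example.

```sh
# Added example, not from the original post. check_reinject reads master.cf
# (file argument or stdin), prints findings, returns non-zero on any failure.
check_reinject() {
    awk '
    function bad(msg) { print "FAIL: " msg; fails++ }
    # Service entries start in column 1; their "-o" options are indented.
    /^[^ \t#]/ {
        in_svc = (($1 == "10025" || $1 ~ /:10025$/) && $2 == "inet")
        if (in_svc) { found = 1; bind = $1 }
        next
    }
    in_svc && $1 == "-o" {
        eq = index($2, "=")
        opt[substr($2, 1, eq - 1)] = substr($2, eq + 1)
    }
    END {
        if (!found) { print "FAIL: no inet listener on port 10025"; exit 1 }
        if (bind !~ /^(127\.0\.0\.1|localhost):/)
            bad("listener " bind " is not bound to loopback")
        if (!("content_filter" in opt) || opt["content_filter"] != "")
            bad("content_filter not emptied, scanned mail loops back to amavis")
        if (opt["mynetworks"] != "127.0.0.0/8")
            bad("mynetworks is not 127.0.0.0/8")
        if (opt["smtpd_recipient_restrictions"] != "permit_mynetworks,reject")
            bad("smtpd_recipient_restrictions is not permit_mynetworks,reject")
        if (!fails) print "OK: " bind " takes re-injected mail from loopback only"
        exit (fails > 0)
    }' "$@"
}

# Constructed sample: the listener as configured in this guide (shortened).
good_cf() {
cat <<'EOF'
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
EOF
}

# Constructed sample: a weakened variant that fails all four checks.
weak_cf() {
cat <<'EOF'
10025     inet  n       -       n       -       -     smtpd
    -o smtpd_recipient_restrictions=permit
    -o mynetworks=0.0.0.0/0
EOF
}
good_cf | check_reinject
weak_cf | check_reinject || true
```

On the server, run it against the real file with check_reinject /etc/postfix/master.cf.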

Configuring Spamassassin

To turn on Spamassassin you need to edit the spamassassin file in /etc/default.

sudo nano /etc/default/spamassassin

Now change the two lines for ENABLE and CRON to a number larger than zero (0). Save the changes and restart the Spamassassin service.

sudo nano /etc/cron.daily/spamassassin
sudo service spamassassin restart

The application that updates the rules for Spamassassin is called “sa-update” and is normally run via a daily crontab job when the value in the file above is set. To update any existing rules we can run it now. It will not restart “spamd” or otherwise cause a scanner to reload the now-updated ruleset automatically, so we need to run the update and then restart the service.

sudo sa-update
sudo service spamassassin reload

Adding extra checking with pyzor.

This is rather simple to set up: just the one-liner below and you are done.

pyzor --homedir /etc/mail/spamassassin discover

Adding even more checking with razor.

Ah, just install it with Spamassassin and that’s it.

Testing Spam Filtering

You can test that Spamassassin is working by sending an email containing a known spam signature. One such signature was installed already in the following file.

/usr/share/doc/spamassassin/examples/sample-spam.txt

Copy/paste the contents into an email and send it to yourself. It should be flagged as spam and you should also see some messages in the mail.log.

To test pyzor is working

cat /usr/share/doc/spamassassin/examples/sample-spam.txt | spamassassin -D pyzor 2>&1 | less

And you should see something like this:

Nov 17 16:23:31.002 [3843] dbg: pyzor: network tests on, attempting Pyzor
Nov 17 16:23:33.246 [3843] dbg: pyzor: pyzor is available: /usr/bin/pyzor
Nov 17 16:23:33.248 [3843] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin3843aDmFgqtmp
Nov 17 16:23:33.320 [3843] dbg: pyzor: [3845] finished: exit 1
Nov 17 16:23:33.321 [3843] dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 0 0
Received: from localhost by mailserver.example.com
        with SpamAssassin (version 3.3.2);
        Sun, 17 Nov 2013 16:23:33 +0000
From: Sender 
To: Recipient 
Subject: Test spam mail (GTUBE)
Date: Wed, 23 Jul 2003 23:30:00 +0200
Message-Id: 
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
        mailserver.example.com
X-Spam-Flag: YES

To test razor is working

spamassassin -t -D < /usr/share/doc/spamassassin/examples/sample-spam.txt 2>&1 | grep -i razor

And you should see something like this:

Nov 17 16:18:49.144 [3823] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
Nov 17 16:18:49.179 [3823] dbg: razor2: razor2 is available, version 2.84
Nov 17 16:18:49.345 [3823] dbg: config: fixed relative path: /var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf
Nov 17 16:18:49.345 [3823] dbg: config: using "/var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf" for included file
Nov 17 16:18:49.345 [3823] dbg: config: read file /var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf


Clamav Anti-Virus

Installing Clamav

sudo apt-get install clamav-daemon

Configuring Clamav

Clamav is already configured in the file “/etc/amavis/conf.d/15-av_scanners”, where its entry is not commented out, and we added the code to start any scanner to /etc/amavis/conf.d/50-user above.

So that the user who is running clamav can “talk” to the amavis service we need to add it to the amavis group.

sudo adduser clamav amavis
sudo adduser amavis clamav
sudo service clamav-daemon restart

grep -P 'clamav|amavis' /etc/group

In the output from the grep above, you can see amavis is a member of the clamav group and vice versa.

clamav:x:110:amavis
amavis:x:118:clamav

Make sure the clamav databases are up to date.

sudo freshclam
ClamAV update process started at Fri Nov 13 15:43:28 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld is up to date (version: 10022, sigs: 105525, f-level: 44, builder: ccordes

Testing Clamav

sudo dpkg-reconfigure clamav-freshclam

As your server will be connected to the internet 24/7, use the daemon option for updating clamav. If you use the daemon update method, select the option to notify clamd of updates. Select a server close to you.

Choose the method for virus database updates.                              daemon
Choose the closest mirror site:                                            Pick one :) UK is about 1/3 down
Number of freshclam updates per day                                        6
Should clamd be notified to reload the database after successful updates.  Yes

sudo dpkg-reconfigure clamav-base

There are a number of questions to answer here. The options below are the ones that I changed or that need a mention. For the remaining inputs I used the defaults.

Socket Type      Unix
Local Socket     This should be the same as in /etc/amavis/conf.d/15-av_scanners (the default works)
Do you want to use the system logger    Yes   not default for testing only
Groups for Clamav-daemon         amavis   (should already be set)

Now that keeps the virus-DB up to date but not the engine. To keep the engine up to date use apt-get to install updates.

Testing that clamav is working is simple once you get a virus you can email around. Don’t panic, the test virus will not do anything harmful; in fact it won’t do anything at all. Go to the following link and have a read.

https://www.eicar.org/anti_virus_test_file.htm

Copy the 68-character string and save it to a file. Now attach the file to an email and send it. You SHOULD see some lines in the mail.log that indicate 🙂 that the file was infected. Also try out the same text file packed in an archive or compressed file: tar, zip, gzip or tgz.

sudo service clamav-daemon restart

The people that use my mailserver are actually sensible. Their machines are also not on the same network as mine. Therefore I do not quarantine mails that are marked as infected with a virus. They have their subjects updated to clearly show the mail is infected. This means I also PASS infected mail on to their mailbox for them to deal with.

$final_virus_destiny = D_PASS;
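
With $final_spam_destiny and $final_virus_destiny both set to D_PASS, flagged mail is delivered rather than blocked, so mail.log is where the admin sees what the scanners found. The following added example (not from the original post) summarises Amavis verdicts from the log; the function names are made up here and the sample lines are constructed in the layout amavisd-new writes to syslog, so adjust the field positions if your syslog prefix differs.

```sh
# Added example, not from the original post. Both functions read mail.log
# lines from a file argument or stdin.

# amavis_verdicts: count amavis outcomes such as "Passed SPAM".
amavis_verdicts() {
    awk '
    $5 ~ /^amavis\[/ && ($7 == "Passed" || $7 == "Blocked") {
        verdict = $8; sub(/,$/, "", verdict)
        n[$7 " " verdict]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort -k2
}

# passed_infected: list "<signature> <recipient>" for infected mail that was
# delivered anyway, which is what final_virus_destiny = D_PASS produces.
passed_infected() {
    awk '
    $5 ~ /^amavis\[/ && $7 == "Passed" && $8 == "INFECTED" {
        sig = $9; gsub(/[(),]/, "", sig)
        for (i = 10; i < NF; i++)
            if ($i == "->") { rcpt = $(i + 1); gsub(/[<>,]/, "", rcpt) }
        print sig, rcpt
    }' "$@"
}

# Constructed sample log lines (assumed amavisd-new syslog layout).
sample_log() {
cat <<'EOF'
Nov 17 16:30:01 mailserver amavis[2345]: (02345-01) Passed CLEAN, [192.0.2.10] <bob@partner.example> -> <alice@example.com>, Hits: -1.9, size: 1410, 812 ms
Nov 17 16:31:12 mailserver amavis[2345]: (02345-02) Passed SPAM, [192.0.2.77] <news@bulk.example> -> <alice@example.com>, Hits: 999.8, size: 1723, 2104 ms
Nov 17 16:32:40 mailserver amavis[2346]: (02346-01) Passed INFECTED (Eicar-Test-Signature), [192.0.2.10] <bob@partner.example> -> <alice@example.com>, Hits: -, size: 1532, 301 ms
Nov 17 16:32:41 mailserver postfix/smtp[2400]: 4F1C2A01: to=<alice@example.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok)
EOF
}

sample_log | amavis_verdicts
sample_log | passed_infected
```

On the server, pass the log file itself, for example amavis_verdicts /var/log/mail.log.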

Postgrey

There are a number of ways to stop spam from reaching your inbox; we have already set up Amavis and Spamassassin to do some spam filtering. Grey-listing is not designed to replace this but to work with it, by providing a first hurdle for spam to get past before hitting your inbox. It is yet another tool in your arsenal against the endless barrage of pointless emails we all receive. Grey-listing is very simple and requires very little CPU or processing time. It simply looks at the sender’s name and, if they are not known already, politely says to them “Please try again later”. For any well set up mail server this is not a problem and the mail will be redelivered later as requested. But spammers who want to get as many emails out there as possible never bother to “try again later”. :-/
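
The decision described above, as an added example that is not part of the original post. It assumes what Postgrey does by default: the key is the triplet of client address, sender and recipient rather than the sender alone, a retry is accepted once 300 seconds have passed, and the answers are the Postfix policy actions DEFER_IF_PERMIT and DUNNO. The function names and the attempts are constructed for this example.

```sh
# Added example, not from the original post: simulate greylist decisions.
# Input lines: <epoch-seconds> <client-ip> <sender> <recipient>
# greylist [DELAY] prints "<epoch> <action> <triplet>" for every attempt.
greylist() {
    awk -v delay="${1:-300}" '
    {
        key = $2 "/" $3 "/" $4
        if (!(key in first)) {                 # never seen: remember, defer
            first[key] = $1
            action = "DEFER_IF_PERMIT"
        } else if ($1 - first[key] < delay) {  # retried too soon: defer again
            action = "DEFER_IF_PERMIT"
        } else {                               # waited long enough: no objection
            action = "DUNNO"
        }
        print $1, action, key
    }'
}

# Count the attempts that were handed on to the next Postfix restriction.
passed_count() { greylist "$@" | grep -c ' DUNNO '; }

# Constructed sample: a bulk sender that fires once and never retries, and a
# real mail server that retries after 29 s and again after 900 s.
sample_attempts() {
cat <<'EOF'
1000 192.0.2.10 news@bulk.example alice@example.com
1001 198.51.100.7 bob@partner.example alice@example.com
1030 198.51.100.7 bob@partner.example alice@example.com
1901 198.51.100.7 bob@partner.example alice@example.com
1950 198.51.100.7 bob@partner.example carol@example.com
EOF
}

sample_attempts | greylist
```

Only the 1901 attempt gets through; the mail to carol starts a new triplet and is deferred again, which is the delay legitimate senders see on first contact.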

Configuring Postgrey

We need to tell Postfix how to talk to Postgrey. Postgrey defaults to port 10023. Add the following lines to your /etc/postfix/main.cf as the last two lines of smtpd_recipient_restrictions.

sudo nano /etc/default/postgrey
POSTGREY_OPTS="--inet=127.0.0.1:10023"
sudo nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
        ...
        check_policy_service inet:127.0.0.1:10023
        permit
sudo postfix reload

You can adjust some other settings. These are available in /etc/default/postgrey. There are also some white lists you can add to if you feel lucky.

This would be a good backup point!

2 thoughts on “Installing a Mailserver on Ubuntu 12.04 LTS Part 2

  1. Maciej

    Is there a simple way to connect this setup with some web-based admin tool to control postfix, like postfix admin?
