In this part we build on the mail server created in Installing A Mailserver on Ubuntu 12.04 LTS Part 1, adding anti-virus and anti-spam software and a tool to greylist incoming mail so that the server has less work to do. These are plugged into Postfix via amavisd-new.
Once all the posts in this series are completed, the server called mailserver will be running the following servers and services.
- Postfix mail server.
- Emails will be checked with anti-virus service ClamAV
- Emails will be checked with anti-spam filters from Spamassassin
- Greylisting of incoming mail servers with postgrey
Installing the Software
sudo apt-get install amavisd-new clamav-daemon spamassassin postgrey \
pyzor razor unrar-free zoo nomarch ripole rpm2cpio lha
Amavis
It is a necessary evil that we should scan all incoming and outgoing email for viruses, and all incoming email for possible spam content. We do that with a service called Amavis, which plugs into Postfix and accepts mail before it is delivered to the user's mailbox.
Installing Amavis
The extra compression modules are not normally installed by default as they are supplied under a less than free GPL licence. The choice is yours whether you install them or not. If you do add them, you will need to turn them on by editing the file 50-user. Putting changes in this file means these settings override those of the earlier files, which makes upgrades simpler.
Now we add a bunch of lines to the 50-user file, above the closing “1;” line at the end of the file. This is the only file we update; it is loaded last and therefore overrides any duplicate settings.
sudo nano /etc/amavis/conf.d/50-user
$lha = 'lha'; # enabled here; Debian comments this out (non-free, no security support)

# Anti-Virus code
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

# Anti-Spam checking
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$sa_spam_subject_tag = '[**SPAM**] ';
$final_spam_destiny = D_PASS;

@lookup_sql_dsn = (
   ['DBI:mysql:database=postfix;host=127.0.0.1;port=3306', 'mail', 'mysqlpasswd']);
$sql_select_policy = 'SELECT domain FROM domain WHERE CONCAT("@",domain) IN (%k)';

$sa_tag_level_deflt = undef;

# Add these two lines while testing and debugging, then comment them out
$log_level = 3;
@whitelist_sender_acl = ();   # empty list (not []), so no sender is whitelisted while testing
The lha line turns on scanning for, erm umm, lha files. When you restart Amavis, look in the mail log to see if there are any other missing modules. Look in 01-debian to see which compression programs Amavis is looking for.
If the output from the following command is the fully qualified domain name of your server, you do not need to update 05-node_id. It is better to fix what hostname returns than to update the amavisd-new file.
hostname --fqdn
I like to see that the spam detector is working, so I get it to update the subject line of any email the scanner believes is spam. This is purely cosmetic: it simply changes the string that is added to the subject line of emails it believes are spam. Since I already have a rule in my email client looking for the string “[**SPAM**]”, that is what I change it to.
The variable $final_spam_destiny determines what happens to an email that is believed to be spam. Since one man’s spam is another man’s valuable message, we shall let the user decide: it will be marked as suspected spam but still be delivered.
The @lookup_sql_dsn setting is required because AMaViS tries to find out whether an email is incoming (sent from the internet to your domains) or outgoing (sent from your system to the internet) by looking at the @acl_local_domains setting. You need to tell AMaViS where to check whether a certain domain is one of your destination domains. The reason is that you usually don’t want to scan your outgoing emails: imagine that an email is accidentally deemed to be spam and your customer gets warned about your emails.
While debugging you can also set $sa_tag_level_deflt to undef, as in the block above, so that the spam header flags are always added to the delivered mail.
And now the usual change of permissions, as this file contains our MySQL password in clear text.
sudo chmod 640 /etc/amavis/conf.d/50-user
Restart Amavis and take a look at the log file to check for any missing compression modules.
sudo service amavis restart
Now set up the interface configuration for Postfix to talk to Amavis.
sudo postconf -e content_filter=amavisfeed:[127.0.0.1]:10024
sudo postconf -e receive_override_options=no_address_mappings
Add the following long set of lines to the end of the master.cf file.
sudo nano /etc/postfix/master.cf
amavisfeed unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=
Search master.cf for “pickup”; it should find the FIRST line below. Add the two other lines from below.
pickup    fifo  n       -       -       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
Do not forget to reload the postfix files now you have updated them.
sudo postfix reload
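Before the reload it is worth checking the two halves of the filter loop agree with each other: the 10025 listener must clear content_filter (otherwise scanned mail is handed straight back to Amavis) and must only accept local clients, since every other check is switched off on it. The following script is an added example, not code from the post or from Postfix; MASTER_CF is a constructed excerpt in the layout shown above, and the function names are my own.

```python
"""Added example, not code from the post or from Postfix: check the amavis
wiring in master.cf before running postfix reload.  MASTER_CF is a constructed
excerpt in the layout shown above; read the real file to check a live server."""

def parse_master_cf(text):
    """Return {(service, type): {option: value}} for every master.cf entry.
    Fields: service type private unpriv chroot wakeup maxproc command [args]; indented lines carry -o overrides."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if not raw[0].isspace():                 # start of a new entry
            current = (fields[0], fields[1])
            services[current] = {}
            fields = fields[8:]                  # anything after the command
        for i, tok in enumerate(fields):
            if tok == "-o" and i + 1 < len(fields):
                name, _, value = fields[i + 1].partition("=")
                services[current][name] = value
    return services

def check_amavis_wiring(master_text, content_filter="amavisfeed:[127.0.0.1]:10024"):
    """Return a list of problems; an empty list means the filter loop is closed."""
    svc, problems = parse_master_cf(master_text), []
    feed = content_filter.split(":", 1)[0]
    if (feed, "unix") not in svc:
        problems.append("content_filter names %s but master.cf has no such unix service" % feed)
    back = svc.get(("127.0.0.1:10025", "inet"))
    if back is None:
        problems.append("no 127.0.0.1:10025 listener for mail coming back from amavis")
    elif back.get("content_filter") != "":
        problems.append("10025 listener must set -o content_filter= or mail loops back into amavis")
    elif back.get("smtpd_client_restrictions") != "permit_mynetworks,reject":
        problems.append("10025 re-injects mail with checks disabled; keep it to permit_mynetworks,reject")
    if svc.get(("pickup", "fifo"), {}).get("content_filter") != "":
        problems.append("pickup needs -o content_filter= so mail submitted via sendmail is not filtered again")
    return problems

MASTER_CF = """\
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
amavisfeed unix  -      -       n       -       2       smtp
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
"""
```

Run check_amavis_wiring(open("/etc/postfix/master.cf").read()) on the server; an empty list means the entries above are in place.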
Configuring Spamassassin
To turn on Spamassassin you need to edit the spamassassin file in /etc/default.
sudo nano /etc/default/spamassassin
Now change the two lines ENABLED and CRON to a number larger than zero (0). Save the changes and restart the Spamassassin service.
sudo nano /etc/cron.daily/spamassassin
sudo service spamassassin restart
The application that updates the rules for Spamassassin is called “sa-update”, and it is normally run by a daily cron job when the CRON value in the file above is set. To update any existing rules straight away we can run it now. As it will not restart “spamd” or otherwise cause a scanner to reload the updated ruleset automatically, we need to run the update and then restart the service.
sudo sa-update
sudo service spamassassin reload
Adding extra checking with pyzor.
This is rather simple to set up: just the one-liner below and you are done.
pyzor --homedir /etc/mail/spamassassin discover
Adding even more checking with razor.
Ah, just install it with Spamassassin and that’s it.
Testing Spam Filtering
You can test that Spamassassin is working by sending an email containing a known spam signature. One such signature (GTUBE) was installed already in the following file.
/usr/share/doc/spamassassin/examples/sample-spam.txt
Copy/paste the contents into an email and send it to yourself. It should be flagged as spam and you should also see some messages in the mail.log.
To test that pyzor is working:
cat /usr/share/doc/spamassassin/examples/sample-spam.txt | spamassassin -D pyzor 2>&1 | less
And you should see something like this:
Nov 17 16:23:31.002 [3843] dbg: pyzor: network tests on, attempting Pyzor
Nov 17 16:23:33.246 [3843] dbg: pyzor: pyzor is available: /usr/bin/pyzor
Nov 17 16:23:33.248 [3843] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin3843aDmFgqtmp
Nov 17 16:23:33.320 [3843] dbg: pyzor: [3845] finished: exit 1
Nov 17 16:23:33.321 [3843] dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 0 0
Received: from localhost by mailserver.example.com
    with SpamAssassin (version 3.3.2);
    Sun, 17 Nov 2013 16:23:33 +0000
From: Sender
To: Recipient
Subject: Test spam mail (GTUBE)
Date: Wed, 23 Jul 2003 23:30:00 +0200
Message-Id:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mailserver.example.com
X-Spam-Flag: YES
To test that razor is working:
spamassassin -t -D < /usr/share/doc/spamassassin/examples/sample-spam.txt 2>&1 | grep -i razor
And you should see something like this:
Nov 17 16:18:49.144 [3823] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
Nov 17 16:18:49.179 [3823] dbg: razor2: razor2 is available, version 2.84
Nov 17 16:18:49.345 [3823] dbg: config: fixed relative path: /var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf
Nov 17 16:18:49.345 [3823] dbg: config: using "/var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf" for included file
Nov 17 16:18:49.345 [3823] dbg: config: read file /var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf
Clamav Anti-Virus
Installing Clamav
sudo apt-get install clamav-daemon
Configuring Clamav
ClamAV is already configured in “/etc/amavis/conf.d/15-av_scanners” (it is the scanner entry there that is not commented out), and we added the lines that enable virus checking to /etc/amavis/conf.d/50-user above.
So that the user running clamav can “talk” to the amavis service, we need to add it to the amavis group (and amavis to the clamav group).
sudo adduser clamav amavis
sudo adduser amavis clamav
sudo service clamav-daemon restart
grep -P 'clamav|amavis' /etc/group
In the output from the grep above you can see that amavis is a member of the clamav group and vice versa.
clamav:x:110:amavis
amavis:x:118:clamav
Make sure the clamav databases are up to date.
sudo freshclam
ClamAV update process started at Fri Nov 13 15:43:28 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld is up to date (version: 10022, sigs: 105525, f-level: 44, builder: ccordes)
Testing Clamav
sudo dpkg-reconfigure clamav-freshclam
As your server will be connected to the internet 24/7, use the daemon option for updating ClamAV. If you use the daemon update method, select the following:
Choose the method for virus database updates: daemon
Choose the closest mirror site: pick one :) UK is about 1/3 down
Number of freshclam updates per day: 6
Should clamd be notified to reload the database after successful updates: Yes
sudo dpkg-reconfigure clamav-base
There are a number of questions to answer here; the options below are the ones that I changed or that needed a mention. For the remaining inputs I used the defaults.
Socket type: Unix
Local socket: this should be the same as in /etc/amavis/conf.d/15-av_scanners (the default works)
Do you want to use the system logger: Yes (not the default; for testing only)
Groups for clamav-daemon: amavis (should already be set)
That keeps the virus database up to date but not the engine. To keep the engine up to date, use apt-get to install updates.
Testing that clamav is working is simple once you have a test virus you can email around. Don’t panic: the test virus will not do anything harmful; in fact it won’t do anything at all. Go to the following link and have a read.
https://www.eicar.org/anti_virus_test_file.htm
Copy the 68-character string and save it to a file. Now attach the file to an email and send it. You SHOULD see some lines in the mail.log that indicate 🙂 that the file was infected. Also try the same text file packed in an archive or compressed file: tar, zip, gzip or tgz.
sudo service clamav-daemon restart
The people that use my mailserver are actually sensible, and their machines are not on the same network as mine. Therefore I do not quarantine mails that are marked as infected with a virus. They have their subjects updated to clearly show the mail is infected. This means I also PASS infected mail on to their mailbox for them to deal with.
$final_virus_destiny = D_PASS;
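With both $final_spam_destiny and $final_virus_destiny set to D_PASS, the verdict line Amavis writes to mail.log is the only record that a GTUBE or EICAR test message was caught before it landed in a mailbox. The script below is an added example, not code from the post or from amavisd-new: it pulls those verdicts out of mail.log and lists the messages that were delivered despite a hit, which is the line a defender would alert on anywhere quarantine is expected. The log lines are constructed for the example after the shape amavisd-new writes, and the function names are my own.

```python
"""Added example, not from the post: pull the amavis verdict out of mail.log
so the GTUBE and EICAR tests above can be checked, and so mail passed through
despite a hit (this post uses D_PASS for both spam and viruses) can be found.
The log lines below are constructed for the example."""
import re
from collections import Counter

# One verdict line per message: "... (id) Passed|Blocked VERDICT [(detail)] ... <from> -> <to> ... Hits: n"
VERDICT_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\w-]+)\) (?P<action>Passed|Blocked) "
    r"(?P<verdict>[A-Z-]+)(?: \((?P<detail>[^)]*)\))?"
    r".*?<(?P<sender>[^>]*)> -> <(?P<recipient>[^>]*)>"
    r"(?:.*?Hits: (?P<hits>-?\d[\d.]*))?")

SAMPLE_LOG = """\
Nov 17 16:30:01 mailserver amavis[3910]: (03910-01) Passed CLEAN, [192.0.2.10] <alice@example.net> -> <bob@example.com>, mail_id: Ab12Cd34, Hits: -1.9, size: 1234, queued_as: 1A2B3C, 812 ms
Nov 17 16:31:12 mailserver amavis[3910]: (03910-02) Passed SPAMMY, [192.0.2.10] <alice@example.net> -> <bob@example.com>, mail_id: Ef56Gh78, Hits: 999.9, size: 1500, queued_as: 4D5E6F, 1534 ms
Nov 17 16:35:45 mailserver amavis[3911]: (03911-01) Passed INFECTED (Eicar-Test-Signature), [192.0.2.10] <alice@example.net> -> <bob@example.com>, mail_id: Ij90Kl12, Hits: -, size: 2048, queued_as: 7A8B9C, 402 ms
Nov 17 16:36:02 mailserver postfix/smtpd[4001]: connect from unknown[198.51.100.7]
"""

def parse_verdicts(log_text):
    """Return one dict per amavis verdict line; other log lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = VERDICT_RE.search(line)
        if m:
            rec = m.groupdict()
            # "Hits: -" (no spam score, e.g. infected mail) is left as None
            rec["hits"] = float(rec["hits"]) if rec["hits"] is not None else None
            records.append(rec)
    return records

def delivered_despite_hit(records):
    """Messages that were Passed although amavis tagged them as spam or infected.
    Expected with D_PASS as configured above; elsewhere this is what to alert on."""
    return [r for r in records
            if r["action"] == "Passed" and r["verdict"] in ("SPAM", "SPAMMY", "INFECTED", "BANNED")]

def verdict_counts(records):
    """How many messages got each verdict, for a quick daily summary."""
    return Counter(r["verdict"] for r in records)
```

On the server, feed it the real log with parse_verdicts(open("/var/log/mail.log").read()).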
Postgrey
There are a number of ways to stop spam from reaching your inbox; we have already set up Amavis and Spamassassin to do some spam filtering. Greylisting is not designed to replace this but to work with it, by providing a first hurdle for spam to get past before hitting your inbox. It is yet another tool in your arsenal against the endless barrage of pointless emails we all receive. Greylisting is very simple and requires very little CPU or processing time. It simply looks at the sender's name and, if they are not known already, politely says to them “Please try again later”.
For any well set up mail server this is not a problem and the mail will be redelivered later as requested. But spammers that want to get as many emails out there as possible never bother to “try again later”. :-/
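To show what “Please try again later” looks like on the wire, here is a small model of the decision postgrey makes when Postfix consults it through check_policy_service. It is an added example, not postgrey's own code: Postfix sends the policy daemon “name=value” lines ending with a blank line and reads back an “action=” reply; the model keys on the (client network, sender, recipient) triplet as postgrey does and defers until a delay has passed. The delay, whitelist and reply text are constructed here (postgrey's come from --delay and its whitelist files), and the class and function names are my own.

```python
"""Added example, not postgrey's own code: a minimal model of the greylisting
decision behind check_policy_service.  Postfix sends the policy daemon
"name=value" lines ending with a blank line and reads back "action=...".
Like postgrey this keys on the (client /24, sender, recipient) triplet and
defers until the delay has passed; the delay, the whitelist and the reply
text are constructed here (postgrey's come from --delay and its whitelist files)."""

class Greylist:
    def __init__(self, delay=300, whitelist_clients=()):
        self.delay = delay                           # seconds a new triplet is deferred
        self.whitelist_clients = set(whitelist_clients)
        self.first_seen = {}                         # triplet -> time of first attempt

    @staticmethod
    def triplet(client_address, sender, recipient):
        # Retries often come from another host in the sender's outbound pool,
        # so the last IPv4 octet is dropped, as postgrey does by default.
        net = client_address.rsplit(".", 1)[0] if client_address.count(".") == 3 else client_address
        return (net, sender.lower(), recipient.lower())

    def decide(self, client_address, sender, recipient, now):
        if client_address in self.whitelist_clients:
            return "DUNNO"                           # let the other restrictions decide
        key = self.triplet(client_address, sender, recipient)
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        return "DUNNO"                               # known triplet: let it through

def handle_request(greylist, raw_request, now):
    """Turn one Postfix policy request into the reply string Postfix reads back."""
    attrs = {}
    for line in raw_request.splitlines():
        if not line:
            break                                    # blank line ends the request
        name, _, value = line.partition("=")
        attrs[name] = value
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    action = greylist.decide(attrs.get("client_address", ""), attrs.get("sender", ""),
                             attrs.get("recipient", ""), now)
    return "action=%s\n\n" % action

# Constructed request in the shape of Postfix's policy delegation protocol.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=198.51.100.7\nsender=news@example.net\n"
                  "recipient=bob@example.com\n\n")
```

DEFER_IF_PERMIT is why the check goes last in smtpd_recipient_restrictions: an earlier reject still wins, and only mail Postfix would otherwise accept gets the temporary failure.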
Configuring Postgrey
We need to tell Postfix how to talk to postgrey. Postgrey defaults to port 10023. Add the following to your /etc/postfix/main.cf as the last two lines of smtpd_recipient_restrictions.
sudo nano /etc/default/postgrey
POSTGREY_OPTS="--inet=127.0.0.1:10023"
sudo nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:10023
    permit
sudo postfix reload
You can adjust some other settings; these are available in /etc/default/postgrey. There are also some whitelists you can add to if you feel lucky.
This would be a good backup point!
Is there a simple way to connect this setup with some web-based admin tool to control postfix like postfix admin?
Try a Google search for “postfix web admin”.