In this part we build on the mail server created in Installing A Mailserver on Ubuntu 14.04 LTS Part 1, adding anti-virus and anti-spam scanning plus a greylisting tool that cuts down the work our server has to do. The scanners are hooked into Postfix via amavisd-new.
Once all parts of this series are completed, the server called mailserver will be running the following servers and services.
- Postfix mail server.
- Emails will be checked with anti-virus service ClamAV
- Emails will be checked with anti-spam filters from Spamassassin
- Grey listing of incoming mail servers with postgrey
Installing the Software
sudo apt-get install amavisd-new clamav-daemon spamassassin postgrey \
pyzor razor unrar-free zoo nomarch ripole rpm2cpio lhasa
It is a necessary evil that we should scan all incoming and outgoing email for viruses and all incoming email for possible spam content. We do that with a service called Amavis, which plugs into Postfix and accepts mail before it is delivered to the user's mailbox.
The extra decompression tools are not normally installed by default, as they are supplied under a less than free (non-GPL) licence. The choice is yours whether you install them or not. If you do add them, you will need to turn them on by editing the file 50-user. Putting changes in this file means these settings override those of the earlier files and makes it simpler to upgrade.
Now we add a bunch of lines to the 50-user file, above its closing 1; line. This is the only file we update; it is loaded last and therefore overrides any duplicate settings.
sudo nano /etc/amavis/conf.d/50-user
$lha = 'lha';   # listed as disabled in 01-debian (non-free, no security support)

# Anti-virus code
@bypass_virus_checks_maps = (
    \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

# Anti-spam checking
@bypass_spam_checks_maps = (
    \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$sa_spam_subject_tag = '[**SPAM**] ';
$final_spam_destiny = D_PASS;

# Look up our destination domains in the Postfix MySQL database
@lookup_sql_dsn = (
    ['DBI:mysql:database=postfix;host=127.0.0.1;port=3306', 'mail', 'mysqlpasswd']);
$sql_select_policy = 'SELECT domain FROM domain WHERE CONCAT("@",domain) IN (%k)';

$sa_tag_level_deflt = undef;   # undef: always add the X-Spam-* headers

# Add these two lines while testing and debugging, then comment them out
$log_level = 3;
@whitelist_sender_acl = ();    # empty list: no sender skips spam checks while testing
The $lha line turns on unpacking of, erm umm, lha archives. When you restart Amavis, look in the mail log to see if there are any other missing decoder modules, and look in /etc/amavis/conf.d/01-debian to see which decompression program Amavis expects for each archive type.
If the output you get from running the following command is the fully qualified domain name for your server, you do not need to update 05-node_id. It is better to fix what hostname returns than to edit the amavisd-new file.
I like to see that the spam detector is working, so I have it update the subject line of any email the scanner believes is spam. This is purely cosmetic: $sa_spam_subject_tag simply changes the string that is prepended to the subject line of emails it believes are spam. Since I already have a rule in my email client looking for the string “[**SPAM**]”, that is what I change it to.
The variable $final_spam_destiny determines what happens to an email that is believed to be spam. Since one man’s spam is another man’s valuable message, we let the user decide: with D_PASS it is marked as suspected spam but still delivered.
The @lookup_sql_dsn setting is required because AMaViS tries to work out whether an email is incoming (sent from the internet to your domains) or outgoing (sent from your system to the internet) by looking at the @acl_local_domains setting, so you need to tell AMaViS where to check whether a given domain is one of your destination domains. The reason is that you usually don’t want to scan your outgoing emails: imagine an email being wrongly deemed spam and your customer being warned about your messages.
While debugging you can also set $sa_tag_level_deflt = undef (as in the block above) so that the spam header flags are always added to the delivered mail.
Now restrict the permissions on this file, as it contains our MySQL password in clear text.
sudo chmod 640 /etc/amavis/conf.d/50-user
Restart amavis and take a look at the log file to check for any missing decompression modules.
sudo service amavis restart
Now set up the interface configuration for Postfix to talk to Amavis.
sudo postconf -e content_filter=amavisfeed:[127.0.0.1]:10024
sudo postconf -e receive_override_options=no_address_mappings
Add the following long set of lines to the end of the master.cf file.
sudo nano /etc/postfix/master.cf
amavisfeed unix    -       -       n       -       2     smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=
Search master.cf for “pickup”; it should find the FIRST line below. Add the two other lines from below beneath it.
pickup    fifo  n       -       -       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
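The re-injection listener above is safe only while two of its overrides stay in place: content_filter= (cleared, so scanned mail is not fed back into Amavis in a loop) and the permit_mynetworks,reject client restriction with loopback-only mynetworks (so port 10025 is not an unauthenticated relay). The following added example, not from the original post, lints a master.cf for exactly those settings; the sample files it checks are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): lint a master.cf for the
# overrides the amavis re-injection listener must keep.
# master.cf format: a service header line, then indented "-o key=value" lines.

# Print the "-o" options of one master.cf service, one key=value per line.
# $1 = master.cf path, $2 = service name as written in its header line
service_options() {
  awk -v svc="$2" '
    /^[^ \t#]/            { in_svc = ($1 == svc); next }   # new service header
    in_svc && $1 == "-o"  { print $2 }                     # indented override
  ' "$1"
}

# Return 0 only when the re-injection service is safe to run:
#  - content_filter cleared, else scanned mail loops back into amavis;
#  - clients limited to mynetworks and mynetworks limited to loopback,
#    else port 10025 relays for anyone who can reach it.
check_reinject() {
  opts=$(service_options "$1" "$2")
  echo "$opts" | grep -qx 'content_filter=' \
    || { echo "$2: content_filter not cleared (mail loop)"; return 1; }
  echo "$opts" | grep -qx 'smtpd_client_restrictions=permit_mynetworks,reject' \
    || { echo "$2: client restrictions too loose"; return 1; }
  echo "$opts" | grep -qx 'mynetworks=127.0.0.0/8' \
    || { echo "$2: mynetworks is not loopback-only"; return 1; }
  echo "$2: OK"
}

# Constructed samples: the listener from the post, and a copy missing content_filter=.
good_cf=$(mktemp); bad_cf=$(mktemp)
cat > "$good_cf" <<'EOF'
smtp      inet  n       -       -       -       -       smtpd
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
EOF
cat > "$bad_cf" <<'EOF'
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
EOF
check_reinject "$good_cf" 127.0.0.1:10025           # prints "127.0.0.1:10025: OK"
check_reinject "$bad_cf"  127.0.0.1:10025 || true   # reports the missing override
```

Run it against the real file with check_reinject /etc/postfix/master.cf 127.0.0.1:10025 after editing.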
Do not forget to reload the postfix files now you have updated them.
sudo postfix reload
To turn on Spamassassin you need to edit the spamassassin file in /etc/default.
sudo nano /etc/default/spamassassin
Now change the ENABLED and CRON lines to a number larger than zero (0). Save the changes and restart the Spamassassin service.
sudo nano /etc/cron.daily/spamassassin
sudo service spamassassin restart
The script that updates the rules for Spamassassin is called “sa-update” and is normally run by a daily cron job when the CRON flag is set to 1. To update any existing rules, we can run it now. After the update we need to restart “spamd” or otherwise make the scanner reload the updated Spamassassin ruleset. Before the update can run we need a few steps to download and import the GPG keys it verifies the rules with.
sa-update --import GPG.KEY
Make sure the directory and the keys have the correct permissions: debian-spamd as owner and root as group.
sudo chown -R debian-spamd:root /var/lib/spamassassin/sa-update-keys
sudo chmod 770 /var/lib/spamassassin/sa-update-keys
sudo chmod -R 660 /var/lib/spamassassin/sa-update-keys/*
Now we can run the command from the daily cron job and reload the spamassassin daemon.
sudo su - debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys -v"
sudo service spamassassin reload
Adding extra checking with razor.
Just install it along with Spamassassin, as shown above, and that’s it. Sorry, that was rather boring 🙂
Adding extra checking with pyzor.
Install pyzor, which should have happened right at the beginning of this post. We need to tell pyzor which servers to use to get updates.
pyzor --homedir /etc/mail/spamassassin discover
downloading servers from https://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x
Restart the Spamassassin daemon.
service spamassassin restart
Testing Spam Filtering
You can test that Spamassassin is working by sending an email containing a known spam test signature. One such signature is installed already in the following file.
Copy/paste its contents into an email and send it to yourself. It should be flagged as spam and you should also see some messages in mail.log.
To test razor is working
spamassassin -t -D < /usr/share/doc/spamassassin/examples/sample-spam.txt 2>&1 | grep -i razor
And you should see something like this:
Nov 17 16:18:49.144  dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
Nov 17 16:18:49.179  dbg: razor2: razor2 is available, version 2.84
Nov 17 16:18:49.345  dbg: config: fixed relative path: /var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf
Nov 17 16:18:49.345  dbg: config: using "/var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf" for included file
Nov 17 16:18:49.345  dbg: config: read file /var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf
To test pyzor is working
echo "test" | spamassassin -D pyzor 2>&1 | less
Sep 27 10:14:46.893  dbg: pyzor: network tests on, attempting Pyzor
Sep 27 10:14:49.185  dbg: pyzor: pyzor is available: /usr/bin/pyzor
Received: from localhost by with SpamAssassin (version 3.4.0);
        Sat, 27 Sep 2014 10:14:49 +0100
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.9 required=5.0 tests=EMPTY_MESSAGE,MISSING_DATE,
        MISSING_FROM,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,
        NO_RECEIVED,NO_RELAYS autolearn=no autolearn_force=no version=3.4.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_54268009.64A96195"

This is a multi-part message in MIME format.
sudo apt-get install clamav-daemon
ClamAV is already configured in /etc/amavis/conf.d/15-av_scanners (its entry there is not commented out), and we added the code that enables scanning to /etc/amavis/conf.d/50-user above.
So that the user running clamav can “talk” to the amavis service, we need to add each to the other's group.
sudo adduser clamav amavis
sudo adduser amavis clamav
sudo service clamav-daemon restart
grep -P 'clamav|amavis' /etc/group
In the output from the grep above you can see that amavis is a member of the clamav group and vice versa.
Make sure the clamav databases are up to date; the update output should look like this:
ClamAV update process started at Fri Nov 13 15:43:28 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld is up to date (version: 10022, sigs: 105525, f-level: 44, builder: ccordes)
sudo dpkg-reconfigure clamav-freshclam
As your server will be connected to the internet 24/7, use the daemon option for updating ClamAV. If you use the daemon update method, select:
- Please choose the method for virus database updates. daemon
- Please select the closest local mirror site. UK
- HTTP proxy information (leave blank for none):
- Number of freshclam updates per day: 24
- Should clamd be notified after updates? Yes
- Private Mirror
sudo dpkg-reconfigure clamav-base
There are a large number of questions to answer here. Look out for the options below, which I changed; for the remaining inputs the default will work.
- Do you want to use the system logger? Yes
- Log file for clamav-daemon (enter none to disable): /var/log/clamav/clamav.log
That keeps the virus database up to date but not the engine. To keep the engine up to date, use apt-get to install updates.
Testing that clamav is working is simple once you have a test virus you can email around. Don’t panic: the test virus will not do anything harmful; in fact it won’t do anything at all. Go to the following link and have a read.
Copy the 68-character string and save it to a file. Now attach the file to an email and send it. You SHOULD see some lines in mail.log indicating 🙂 that the file was infected. Also try the same text file packed in an archive (tar, zip) or compressed (.gzip, tgz, zip).
sudo service clamav-daemon restart
The people that use my mailserver are actually sensible, not your typical end users. Their machines/PCs are also not on the same network as mine. 🙂 Therefore I do not quarantine mails that are marked as infected with a virus. Their subjects are updated to clearly show the mail is infected. This means I also PASS infected mail on to their mailbox for them to deal with.
Edit the amavis config file again and add the following line to the end.
sudo nano /etc/amavis/conf.d/50-user
$final_virus_destiny = D_PASS;
sudo service amavis restart
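With both $final_spam_destiny and $final_virus_destiny set to D_PASS, mail.log is the only record of what was tagged and still delivered, so it is worth checking after the spam and virus tests above. The following added example, not from the original post, summarises amavis verdict lines; it assumes the standard amavisd-new log shape "amavis[PID]: (ID) Passed|Blocked VERDICT ..." and uses a constructed sample log with made-up addresses.

```shell
#!/bin/sh
# Added example (not from the original post): summarise amavis verdicts in
# mail.log. With D_PASS, tagged SPAM and INFECTED mail still reaches mailboxes,
# so the log is where you see it. Assumed line shape (standard amavisd-new):
#   "... amavis[PID]: (ID) Passed|Blocked VERDICT {...}, [ip] <from> -> <to>, ..."

# Count verdict lines: $1 = log file, $2 = Passed|Blocked,
# $3 = CLEAN|SPAM|SPAMMY|INFECTED. Prints 0 (not an error) when none match.
count_verdict() {
  grep -c " amavis\[[0-9]*\]: ([0-9-]*) $2 $3 " "$1" || true
}

# Malware names amavis reported on mail it still delivered, one per line.
passed_virus_names() {
  sed -n 's/.* amavis\[[0-9]*\]: ([0-9-]*) Passed INFECTED (\([^)]*\)).*/\1/p' "$1" | sort -u
}

# Recipients who had tagged SPAM or INFECTED mail delivered, most first.
tagged_delivery_per_recipient() {
  grep -E " amavis\[[0-9]+\]: \([0-9-]+\) Passed (SPAM|INFECTED) " "$1" \
    | sed -n 's/.* -> <\([^>]*\)>.*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log: four messages, as after the spam and EICAR tests
# above (hosts, addresses and IDs are made up).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Nov 17 16:18:49 mailserver amavis[2231]: (02231-01) Passed CLEAN {RelayedInbound}, [203.0.113.5]:43210 [203.0.113.5] <alice@example.org> -> <bob@example.com>, Message-ID: <a1@example.org>, mail_id: q1, Hits: -0.1, size: 2048, queued_as: 1A2B3C, 250 ms
Nov 17 16:19:02 mailserver amavis[2231]: (02231-02) Passed SPAM {RelayedTaggedInbound}, [198.51.100.9]:5120 [198.51.100.9] <promo@example.net> -> <bob@example.com>, Message-ID: <b2@example.net>, mail_id: q2, Hits: 1000.0, size: 850, queued_as: 4D5E6F, 310 ms
Nov 17 16:19:40 mailserver amavis[2231]: (02231-03) Passed INFECTED (Eicar-Test-Signature) {RelayedTaggedInbound}, [127.0.0.1]:33002 [127.0.0.1] <bob@example.com> -> <bob@example.com>, Message-ID: <c3@example.com>, mail_id: q3, Hits: -, size: 1200, queued_as: 7A8B9C, 600 ms
Nov 17 16:20:11 mailserver amavis[2231]: (02231-04) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound}, [198.51.100.9]:5130 [198.51.100.9] <x@example.net> -> <carol@example.com>, Message-ID: <d4@example.net>, mail_id: q4, Hits: -, size: 1300, 580 ms
EOF

for action in Passed Blocked; do
  for verdict in CLEAN SPAM SPAMMY INFECTED; do
    n=$(count_verdict "$sample_log" "$action" "$verdict")
    [ "$n" = 0 ] || echo "$action $verdict: $n"
  done
done
echo "Delivered despite a virus verdict:"; passed_virus_names "$sample_log"
echo "Tagged mail delivered, per recipient:"; tagged_delivery_per_recipient "$sample_log"
```

Point the functions at /var/log/mail.log on the server to get the same summary for real traffic.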
There are a number of ways to stop spam from reaching your inbox; we have already set up Amavis and Spamassassin to do some spam filtering. Greylisting is not designed to replace this but to work with it, by providing a first hurdle for spam to get past before it reaches your inbox. It is yet another tool in your arsenal against the endless barrage of pointless emails we all receive. Greylisting is very simple and needs very little CPU or processing time: it simply looks at the sender and, if they are not known already, politely says to them “Please try again later”.
For any well set up mail server this is not a problem and the mail will be redelivered later as requested. But spammers that want to get as many emails out as possible never bother to “try again later”. 🙂
We need to tell postfix how to talk to postgrey, which defaults to port 10023. Add the following as the last two lines of smtpd_recipient_restrictions in your /etc/postfix/main.cf.
sudo nano /etc/default/postgrey
sudo nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:10023
    permit
sudo postfix reload
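Where the policy check sits in the list matters: it should come after permit_mynetworks (so your own clients are never greylisted) and after reject_unauth_destination (so relay attempts are refused outright rather than being greylisted and invited to retry). The following added example, not from the original post, checks that ordering in a main.cf; the sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): verify that check_policy_service
# for postgrey comes after permit_mynetworks and reject_unauth_destination
# in smtpd_recipient_restrictions.

# Print the value of smtpd_recipient_restrictions from a main.cf ($1),
# with continuation lines joined and commas turned into spaces.
recipient_restrictions() {
  awk '
    /^smtpd_recipient_restrictions[ \t]*=/ { sub(/^[^=]*=/, ""); val = $0; grab = 1; next }
    grab && /^[ \t]/ { val = val " " $0; next }   # indented continuation line
    { grab = 0 }                                  # any other line ends the value
    END { gsub(/,/, " ", val); print val }
  ' "$1"
}

# Return 0 when check_policy_service appears after both permit_mynetworks
# and reject_unauth_destination; 1 when it is missing or placed too early.
check_greylist_position() {
  recipient_restrictions "$1" | awk '{
    for (i = 1; i <= NF; i++) {
      if ($i == "permit_mynetworks")         pm  = i
      if ($i == "reject_unauth_destination") rud = i
      if ($i == "check_policy_service")      cps = i
    }
    exit !(cps && pm && rud && pm < cps && rud < cps)
  }'
}

# Constructed samples: the ordering the post ends up with, and a wrong one
# that greylists everything, including relay probes and your own users.
good_cf=$(mktemp); bad_cf=$(mktemp)
cat > "$good_cf" <<'EOF'
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023,
    permit
EOF
cat > "$bad_cf" <<'EOF'
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023,
    permit_mynetworks, reject_unauth_destination, permit
EOF
check_greylist_position "$good_cf" && echo "good main.cf: greylisting correctly placed"
check_greylist_position "$bad_cf"  || echo "bad main.cf: check_policy_service runs too early"
```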
You can adjust some other settings. These are available in /etc/default/postgrey. There are also some white lists you can add to if you feel lucky.
This would be a good backup point!