In this part we will be adding to the mail server created in Installing A Mailserver on Ubuntu 14.04 LTS Part 1, in this part we will be building on that and adding anti-virus and anti-spam software and a tool to greylist emails to cut down on the work our server has to do. This will be added to postfix via amavis-new.

The server called mailserver will end up running the following servers and services. Once all the parts of this series posts are completed.

• Postfix mail server.
• Emails will be checked with anti-virus service ClamAV
• Emails will be checked with anti-spam filters from Spamassassin
• Grey listing of incoming mail servers with postgrey

Installing the Software

sudo apt-get install amavisd-new clamav-daemon spamassassin postgrey \
               pyzor razor unrar-free zoo nomarch ripole rpm2cpio lhasa

Amavis

It is a necessary evil that we should scan all incoming and outgoing email for viruses and all incoming email for possible spam content. We do that with a service called Amavis this plugs into Postfix and accepts mail before it is delivered to the users mailbox.

Installing Amavis

The extra compression modules are not normally installed by default as they are supplied on a less then free GPL license. The choice is yours whether you install them or not. If you do add them then you will need to turn them on by editing the file 50-user. Adding changes to this file means these settings override those of the earlier files and makes it simpler to upgrade.

Now we add a bunch of lines to the 50-user file. This is the only file we update. It is loaded last and therefore over-rides any duplicate settings.

sudo nano /etc/amavis/conf.d/50-user

$lha      = 'lha'; #disabled (non-free, no security support)

# Anti-Virus code
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


# Anti-Spam checking
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$sa_spam_subject_tag = '[**SPAM**] ';
$final_spam_destiny  = D_PASS;

@lookup_sql_dsn = (
    ['DBI:mysql:database=postfix;host=127.0.0.1;port=3306',
     'mail',
     'mysqlpasswd']);
$sql_select_policy = 'SELECT domain FROM domain WHERE CONCAT("@",domain) IN (%k)';

$sa_tag_level_deflt  = undef;

# Add these two lines while testing and debugging, then comment them out
$log_level = 3;
@whitelist_sender_acl = [];

The lha line turns on scanning for, erm umm, lha files. When you restart Amavis look in the mail log to see if there are any other missing modules. Look in 01-debian to see what compression program Amavis is looking for.

If the output you get from running the following command is the fully qualified domain name for your server. You do not need to update 05-node_id. It is better to fix the return from hostname then to update the amavis-new file.

hostname --fqdn

I like to see that the spam detector is working so I get it to update the subject line for any emails it the scanner believes are spam. This is purely cosmetic, it simply changes the string that is added to the subject line emails it believes are spam. Since I already have a rule in my email client looking for the string “[**SPAM**] that is what I change it to.

The variable $final_spam_destiny is used to determine the outcome of finding an email that is believed to be spam. Since one man’s spam is another man’s valuable message. We shall let the user decide, It will be marked as suspected spam but allow it to be delivered.

The last variable for lookup_sql_dsn, is required because AMaViS tries to find out whether an email is incoming (sent from the internet to your domains) or outgoing (sent from your system to the internet) by looking at the @acl_local_domains setting. You need to tell AMaVis where to check if a certain domain is one of your destination domains. The reason is that you usually don’t want to scan your outgoing emails. Imagine that an email is accidentally deemed to be spam and your customer gets warned of your emails.

While debugging you can also set the following variable so that the spam header flags are always added to the delivered mail.

And the now usual change of ownership as this file now contains our Mysql password in open text.

sudo chmod 640 /etc/amavis/conf.d/50-user

Restart amavis, take a look at the log file to check for any missing compression modules.

sudo service amavis restart

Now setup the interface configuration for Postfix to talk to Amavis

sudo postconf -e content_filter=amavisfeed:[127.0.0.1]:10024
sudo postconf -e receive_override_options=no_address_mappings

And the following long set of lines to the end of the master.cf file.

sudo nano /etc/postfix/master.cf

amavisfeed unix -      -       n     -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=

Search the master.cf for “pickup” it should find the FIRST line below. Add the two other
lines from below.

pickup    fifo  n       -       -       60      1       pickup
         -o content_filter=
         -o receive_override_options=no_header_body_checks

Do not forget to reload the postfix files now you have updated them.

sudo postfix reload

Configuring Spamassassin

To turn on Spamassassin you need to edit the spamassassin file in /etc/default.

sudo nano /etc/default/spamassassin

Now change the two lines for ENABLE and CRON to a number larger than zero (0). Save the changes.
Save the changes and restart the Spamassassin service.

sudo nano /etc/cron.daily/spamassassin
sudo service spamassassin restart

The script that updates the rules for Spamassassin is called “sa-update” and is normally run via a daily crontab job when the CRON flag is set to 1. To update any existing rules, we can run it now. After the update we need to restart “spamd” or otherwise cause the scanner to reload the now updated spamassassin ruleset. In order to run the update we need a few steps do download and install some GPG keys.

sudo -i
cd /var/lib/spamassassin/sa-update-keys
wget https://spamassassin.apache.org/updates/GPG.KEY
sa-update --import GPG.KEY
exit

Make sure the directory and the keys have the correct permissions, so that debian-spamd is the owner and have the group root.

sudo chown -R debian-spamd:root /var/lib/spamassassin/sa-update-keys
sudo chmod 770 /var/lib/spamassassin/sa-update-keys
sudo chmod -R 660 /var/lib/spamassassin/sa-update-keys/*

Now we can run the command from the daily cron job and reload the spamassassin daemon.

sudo su - debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys -v"
sudo service spamassassin reload

Adding extra checking with razor.

Just install it with Spamassassin as we did show above and that’s it. Sorry that was rather boring 🙂

Adding extra checking with pyzor.

Install pyzor which should have happened right at the beginning of this post. We need to tell pyzor which servers to use get get updates.

pyzor --homedir /etc/mail/spamassassin discover

downloading servers from https://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x

Restart the Spamassassin daemon

service spamassassin restart

Testing Spam Filtering

You can test that Spamassassin is working by sending an email containing a know spam signature. One such signature was installed already in the following file.

/usr/share/doc/spamassassin/examples/sample-spam.txt

Copy/Paste the contents to an email and send it to yourself. If should be flagged as spam and you should also see some messages in the mail.log.

To test razor is working

spamassassin -t -D < /usr/share/doc/spamassassin/examples/sample-spam.txt 2>&1 | grep -i razor

And you should see something like this:

Nov 17 16:18:49.144 [3823] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
Nov 17 16:18:49.179 [3823] dbg: razor2: razor2 is available, version 2.84
Nov 17 16:18:49.345 [3823] dbg: config: fixed relative path: /var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf
Nov 17 16:18:49.345 [3823] dbg: config: using "/var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf" for included file
Nov 17 16:18:49.345 [3823] dbg: config: read file /var/lib/spamassassin/3.003002/updates_spamassassin_org/25_razor2.cf

To test pyzor is working

echo "test" | spamassassin -D pyzor 2>&1 | less

Sep 27 10:14:46.893 [11082] dbg: pyzor: network tests on, attempting Pyzor
Sep 27 10:14:49.185 [11082] dbg: pyzor: pyzor is available: /usr/bin/pyzor
Received: from localhost by 
	with SpamAssassin (version 3.4.0);
	Sat, 27 Sep 2014 10:14:49 +0100
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.9 required=5.0 tests=EMPTY_MESSAGE,MISSING_DATE,
	MISSING_FROM,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,
	NO_RECEIVED,NO_RELAYS autolearn=no autolearn_force=no version=3.4.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_54268009.64A96195"

This is a multi-part message in MIME format.

Clamav Anti-Virus

Installing Clamav

sudo apt-get install clamav-daemon

Configuring Clamav

Clamav is already configured in the file “/etc/amavis/conf.d/15-av_scanners” that is not commented out, and we added the code to start any scanner to /etc/amavis/conf.d/50-user above.

So that the user who is running clamav can “talk” to the amavis service we need to add it to the amavis group.

sudo adduser clamav amavis
sudo adduser amavis clamav
sudo service clamav-daemon restart

grep -P 'clamav|amavis' /etc/group

The output from the grep above, you can see amavis is a member of the clamav group and vice versa.

clamav:x:110:amavis
amavis:x:118:clamav

Make sure the clamav databases are up to date.

sudo freshclam

ClamAV update process started at Fri Nov 13 15:43:28 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld is up to date (version: 10022, sigs: 105525, f-level: 44, builder: ccordes

Testing Clamav

sudo dpkg-reconfigure clamav-freshclam

As your server will be connected 24/7 to the internet use the daemon option for updating to clamav. If you use the daemon update method select to notify clamd of updates.

• Please choose the method for virus database updates. daemon
• Please select the closest local mirror site. UK
• HTTP proxy information (leave blank for none):
• Number of freshclam updates per day: 24
• Should clamd be notified after updates? Yes
• Private Mirror

sudo dpkg-reconfigure clamav-base

There are a large number of questions to answer here, Look out forthe options below, I changed them. For the remaining inputs the default will work.

• Do you want to use the system logger? Yes
• Log file for clamav-daemon (enter none to disable): /var/log/clamav/clamav.log

Now that keeps the virus-DB up to date but not the engine. To keep the engine up to date use apt-get to install updates.

Testing that clamav is working is simple once you get a virus you can email around. Don’t panic the test virus will not do anything, harmful in fact it won’t do anything at all. Go to the following link and have a read

https://www.eicar.org/anti_virus_test_file.htm

Copy the string 68 characters and save them to a file. Now attach the file to an email and send it. You SHOULD see some lines in the mail.log that indicate 🙂 that the file was infected. Also try out the same text file but packed in an archive, tar, zip or compressed file .gzip, tgz zip.

sudo service clamav-daemon restart

The people that use my mailserver are, actually sensible, not your typical end user. Their machines/PC’s are also not on the same network as mine. 🙂 Therefore I do not quarantine mails that are marked as infected with a virus. They have their subject’s updated to clearly show the mail is infected. This means I also PASS infected mail on to their mail box for them to deal with.

Edit the amavis config file again and add the following line to the end.

sudo nano /etc/amavis/conf.d/50-user

$final_virus_destiny = D_PASS;

sudo service amavis restart

Postgrey

There are a number of ways to stop spam from reaching your inbox, we have already setup Amavis and Spamassassin to do some spam filtering. Grey-listing is not designed to replace this but to work with it. By providing a first hurdle for spam to get past before hitting your inbox. It is yet
another tool in your arsenal against the endless barrage of pointless emails we all receive. Grey-listing is very simple and requires very little CPU or processing time. It simply looks at the senders name and if they are not known already, it politely says to them “Please try again later”.
For any well setup mail server this is not a problem and the mail will be redelivered later as requested. But for spammers that want to get as many emails out there as possible, they never bother to “try again later”. 🙂

Configuring Postgrey

We need to tell postfix how to talk to postgrey. Add the following lines to your /etc/postfix/main.cf Postgey defaults to port 10023. as the last two lines of smtpd_recipient_restrictions.

sudo nano /etc/default/postgrey

POSTGREY_OPTS="--inet=127.0.0.1:10023"

sudo nano /etc/postfix/main.cf

smtpd_recipient_restrictions =
        ...
        check_policy_service inet:127.0.0.1:10023
        permit

sudo postfix reload

You can adjust some other settings. These are available in /etc/default/postgrey. There are also some white lists you can add to if you feel lucky.

This would be a good backup point!