<!-- NOTES - Notes here -->
<!-- GOAL ONE-LINER -->
<p>Have AMaViS scan e-mail for malicious software and tag each message with a spam score.</p>
<!-- RATIONALE -->
<!-- NUANCE -->
<h2>Procedure</h2>
<!-- NARRATIVE FORM -->
<!-- Configure `submission` port -->
<!-- STEP BY STEP -->
<ol>
<li>
<p>Install required packages:</p>
<pre><code class="language-shell"># required packages
apt install amavisd-new spamassassin clamav-daemon

# optional packages for better spam detection
apt install libnet-dns-perl libmail-spf-perl pyzor razor

# optional packages to enable better scanning of attached archive files
apt install arj bzip2 cabextract cpio file gzip nomarch pax unrar-free unzip zip</code></pre>
</li>
<li>
<p>Add the clamav user to the amavis group and vice versa, so that each has the permissions required to scan files on disk:</p>
<pre><code class="language-shell">adduser clamav amavis
adduser amavis clamav</code></pre>
<blockquote> <blockquote> <blockquote> <blockquote> <blockquote> <p>The default behavior of ClamAV fits our needs. A daemon is launched (clamd) and signatures are fetched every day.</p> </blockquote> </blockquote> </blockquote> </blockquote> </blockquote>
</li>
<li>
<p>Create a "razor-agent.conf" file in AMaViS' home directory to store Razor configuration settings, and register an identity for the locally running Razor instance with the Razor servers so that it can retrieve distributed spam detection data:</p>
<pre><code class="language-shell">su - amavis -c 'razor-admin -create'
su - amavis -c 'razor-admin -register'</code></pre>
</li>
<li>
<p>Edit <code>/etc/amavis/conf.d/15-content_filter_mode</code> to have AMaViS activate antivirus detection and spam scoring:</p>
<pre><code class="language-diff"> # # Default antivirus checking mode # Please note, that anti-virus checking is DISABLED by # default. 
# If You wish to enable it, please uncomment the following lines: - #@bypass_virus_checks_maps = ( - # \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); + @bypass_virus_checks_maps = ( + \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); # # Default SPAM checking mode # Please note, that anti-spam checking is DISABLED by # default. # If You wish to enable it, please uncomment the following lines: - #@bypass_spam_checks_maps = ( - # \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); + @bypass_spam_checks_maps = ( + \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);</code></pre>
</li>
<li>
<p>Edit <code>/etc/amavis/conf.d/50-user</code> so that AMaViS accepts mail marked as spam, or carrying a banned attachment (<code>$final_banned_destiny</code>), for later (Sieve) processing instead of "<a href="https://en.wikipedia.org/wiki/Bounce_message">bouncing</a>" it, accepts all domains for its processing, and passes the built-in FQDN check that is executed when AMaViS starts, without requiring an FQDN as the hostname of the local machine:</p>
<pre><code class="language-diff"># See /usr/share/doc/amavisd-new/ for documentation and examples of # the directives you can use in this file # + $final_banned_destiny = D_PASS; + $final_spam_destiny = D_PASS; + @local_domains_acl = ( "." ); + $myhostname = "<ROOT DOMAIN>";</code></pre>
<blockquote> <blockquote> <blockquote> <blockquote> <p><code>&lt;ROOT DOMAIN&gt;</code> should be replaced with the root domain you have registered (or any other root domain that resolves to an IP address, to prove that it is indeed an FQDN).</p> </blockquote> </blockquote> </blockquote>
<p><code>( "." )</code> is technically an empty domain, which tricks AMaViS into implicitly accepting every domain for its processing. Normally an explicit, comma-separated list of domains would be defined there.
However, that would be inconvenient: every domain added to MariaDB would also have to be added here in order to receive spam scores. In short, this trick has AMaViS accept all domains so that no double administration of domains is needed.</p>
<blockquote> <blockquote> <blockquote> <blockquote> <p>Note that the <em>user</em> file is edited and not the <em>defaults</em> file. This keeps the default configuration clean and unaffected by these settings, which are superimposed onto the defaults. This is not strictly required, but it is good practice in a multi-user environment.</p> </blockquote> </blockquote> </blockquote> </blockquote> </blockquote>
</li>
<li>
<p>Restart the services to apply the changes:</p>
<pre><code class="language-shell">service clamav-daemon restart
service clamav-freshclam restart
service amavis restart</code></pre>
<blockquote> <blockquote> <blockquote> <p><code>clamav-freshclam</code> is likely to start updating after the restart. During the update, ClamAV might respond in a seemingly erroneous manner! <!-- Add how one can detect that the update is finished (e.g. what log files to check). 
--></p> </blockquote> </blockquote> </blockquote>
</li>
<li>
<p>Configure Postfix to send e-mail to AMaViS for content filtering:</p>
<pre><code class="language-shell">postconf -e "content_filter = smtp-amavis:[127.0.0.1]:10024"</code></pre>
</li>
<li>
<p>Edit <code>/etc/postfix/master.cf</code> to enable the Postfix callback interface on which AMaViS returns the processed e-mail:</p>
<ol>
<li>
<p>Find the <code>pickup</code> transport service and add the following two lines immediately below it to prevent generated spam-report messages from being marked as spam themselves:</p>
<pre><code class="language-diff">pickup unix n - y 60 1 pickup + -o content_filter= + -o receive_override_options=no_header_body_checks cleanup unix n - y - 0 cleanup</code></pre>
</li>
<li>
<p><em>Append</em> the following to the <em>end</em> of the file to declare the communication protocol (the first part) and the return address on which to receive AMaViS' answers (the second part):</p>
<pre><code class="language-diff">+ smtp-amavis unix - - - - 2 smtp + -o smtp_data_done_timeout=1200 + -o smtp_send_xforward_command=yes + -o disable_dns_lookups=yes + -o max_use=20 + + 127.0.0.1:10025 inet n - - - - smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_delay_reject=no + -o smtpd_client_restrictions=permit_mynetworks,reject + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions=reject_unauth_pipelining + -o smtpd_end_of_data_restrictions= + -o mynetworks=127.0.0.0/8 + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_client_connection_count_limit=0 + -o smtpd_client_connection_rate_limit=0 + -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks</code></pre>
</li>
</ol>
</li>
<li>
<p>Restart Postfix to apply the changes:</p>
<pre><code
class="language-shell">service postfix restart</code></pre> </li> </ol> <h2>References</h2> <p>Adapted from the Ubuntu documentation (Community Help Wiki): <a href="https://help.ubuntu.com/community/PostfixAmavisNew">PostfixAmavisNew</a></p> <!-- REFERENCES -->
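<p>Added example (not part of the original page or of the Postfix or AMaViS projects): the <code>127.0.0.1:10025</code> listener appended to <code>master.cf</code> in step 8 accepts mail with header and body checks switched off, so this check confirms that it is bound to loopback, clears <code>content_filter</code> (otherwise mail loops back to AMaViS) and only admits <code>127.0.0.0/8</code>. The function and sample names are hypothetical, and both <code>master.cf</code> fragments are constructed.</p>

```shell
#!/bin/sh
# Added example (not from the original page): audit the Postfix listener that
# AMaViS re-injects scanned mail into. Reads master.cf text on stdin, prints
# one finding per line and returns non-zero if anything is off.
audit_reinject() {
    awk '
    /^[^ \t#]/ {                  # text in column 1 starts a new service entry
        cur = ($2 == "inet" && ($1 == "10025" || $1 ~ /:10025$/))
        if (cur) { found = 1; addr = $1 }
        next
    }
    cur && /^[ \t]+-o[ \t]/ {     # indented "-o name=value" lines continue it
        sub(/^[ \t]+-o[ \t]+/, ""); sub(/[ \t]+$/, "")
        eq = index($0, "=")
        if (eq) opt[substr($0, 1, eq - 1)] = substr($0, eq + 1)
    }
    END {
        if (!found) { print "MISSING: no inet listener on port 10025"; exit 1 }
        if (addr != "127.0.0.1:10025") { print "EXPOSED: bound to " addr; bad = 1 }
        if (!("content_filter" in opt) || opt["content_filter"] != "") {
            print "LOOP: content_filter is not overridden to empty"; bad = 1 }
        if (opt["mynetworks"] != "127.0.0.0/8") {
            print "RELAY: mynetworks is not 127.0.0.0/8"; bad = 1 }
        if (opt["smtpd_recipient_restrictions"] != "permit_mynetworks,reject") {
            print "RELAY: recipient restrictions are not permit_mynetworks,reject"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the listener as step 8 appends it (abridged).
sample_good() { cat <<'EOF'
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
EOF
}
# Constructed sample: all interfaces, no filter override, open mynetworks.
sample_bad() { cat <<'EOF'
10025 inet n - - - - smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=0.0.0.0/0
EOF
}

sample_good | audit_reinject && echo "good sample: OK"
sample_bad  | audit_reinject || echo "bad sample: rejected"
```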