SpamAssassin Integration with Postfix, using Amavis

This is just a summary of the following websites. Go there for more detailed information.

http://flakshack.com/anti-spam/wiki/index.php (Detailed instructions for OpenBSD, RedHat, and Debian)

http://www.freespamfilter.org/

http://www.ijs.si/software/amavisd/README.postfix.html

http://www.ijs.si/software/amavisd/#faq-spam

http://www.ijs.si/software/amavisd/amavisd-new-docs.html

http://www200.pair.com/mecham/spam/

This document describes the configuration for sitewide use of SpamAssassin with Amavis and Razor. The distribution used is SuSE Linux 9.0. If you use something else, some options may be different. For example, Amavis may run as user amavis rather than vscan, and the path to the Amavis spool directory may be /var/amavis rather than /var/spool/amavis.

Postfix Configuration

This section describes how to configure Postfix to use amavisd-new as an after-queue content filter (see the FILTER_README file that comes with your version of Postfix).

First, a few services must be defined in master.cf. The first service sets up an extra SMTP listener on a different port (10025 in this example). It is used to reinject mail back into Postfix. Unsetting the content_filter parameter disables content filtering for mail arriving on this port, which avoids loops.

127.0.0.1:10025 inet    n       -       y       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes

The second service is not strictly necessary, but it is a good idea to have. It defines a service to use when sending mail into amavisd-new. The "2" in the seventh column is the maximum number of processes of this type. Do not set this number too high, and make sure it is equal to the maximum number of amavisd-new processes (set in amavisd.conf).

smtp-amavis     unix    -       -       y       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes

Finally, we must configure Postfix to actually use our content filter. This is done with the content_filter parameter, which we add to main.cf. We configure Postfix to use our newly defined smtp-amavis service and to connect to a certain host and port. The port set here must be the port amavisd-new is listening on.

content_filter = smtp-amavis:[127.0.0.1]:10026

In this case, amavisd-new is running on the same host as Postfix, but it can be any host. With brackets surrounding the hostname, MX lookups of the hostname are suppressed. They are also necessary when specifying bare IP addresses instead of hostnames. MX records in DNS can be used to create simple load-balancing and fallback configurations.

This simple setup will cause address rewriting both before and after the content filter. For most configurations this is not only unnecessary, but will also cause duplicate mail to be delivered in configurations with virtual aliases of the form a -> a,b. Virtual rewriting must be turned off either before or after the content filter. How this is done is, again, documented in Postfix's FILTER_README file.
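The three settings above have to agree with each other and with amavisd.conf. The following consistency check is an added example, not part of the original page or of Postfix or amavisd-new; the sample files are constructed from the values shown here, and the amavisd.conf variable names $max_servers and $inet_socket_port are assumptions the page does not name.

```python
import re

# Constructed sample files; the values mirror the entries shown on this page.
MASTER_CF = """\
127.0.0.1:10025 inet    n       -       y       -       -       smtpd
        -o content_filter=
        -o mynetworks=127.0.0.0/8
smtp-amavis     unix    -       -       y       -       2       smtp
        -o smtp_data_done_timeout=1200
"""
MAIN_CF = "content_filter = smtp-amavis:[127.0.0.1]:10026\n"
# Assumed amavisd.conf names for process limit and port (not named on the page).
AMAVISD_CONF = "$max_servers = 2;\n$inet_socket_port = 10026;\n"

def parse_master(text):
    """Map service name -> maxproc, command and -o overrides."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of the entry above
        else:
            logical.append(line.strip())
    out = {}
    for f in (e.split() for e in logical):
        if len(f) >= 8:
            opts = dict(o.split("=", 1) for o in f[8:] if "=" in o)
            out[f[0]] = {"maxproc": f[6], "command": f[7], "opts": opts}
    return out

def lint(master_cf, main_cf, amavisd_conf, reinject="127.0.0.1:10025"):
    """Return a list of findings; an empty list means the files agree."""
    svc, found = parse_master(master_cf), []
    conf = dict(re.findall(r"^\s*\$(\w+)\s*=\s*(\d+)\s*;", amavisd_conf, re.M))
    m = re.search(r"^content_filter\s*=\s*([\w-]+):\[?[^\]:\s]+\]?:(\d+)\s*$", main_cf, re.M)
    if not m:
        return ["main.cf: content_filter is not of the form service:[host]:port"]
    transport, port = m.groups()
    if transport not in svc:
        found.append(f"master.cf: service {transport} is not defined")
    elif svc[transport]["maxproc"] != conf.get("max_servers"):
        found.append(f"{transport}: maxproc differs from $max_servers")
    if port != conf.get("inet_socket_port"):
        found.append(f"content_filter port {port} is not $inet_socket_port")
    back = svc.get(reinject, {"opts": {}})
    if back["opts"].get("content_filter") != "":
        found.append(f"{reinject}: no listener with '-o content_filter=', mail would loop")
    return found
```

Call lint() with the text of the real master.cf, main.cf and amavisd.conf after every change to any of them.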

Amavis configuration

Amavis is just used for spam detection, not virus protection. See the options below.

/etc/amavisd.conf

Change the following options:

- $mydomain = 'example.com'

- @bypass_virus_checks_acl . . . .

- $mailfrom_notify_spamadmin . . .

- #$spam_quarantine_to = 'spam-quarantine';

and insert a # symbol at the beginning of that line. On the very next line, you'll see:

#$spam_quarantine_to = "spam-quarantine\@$mydomain";

Here, remove the leading # symbol. (And make sure you have a mailbox for this address on a destination server. This is where you will review quarantined emails and forward any "false positives" to the proper recipients.)

Alternative: Instead of delivering the spam to a mailbox on the internal server, drop it into a folder right on the spamfilter. To do that, comment out the "spam_quarantine_to" line above that references the email address, and instead select and indicate a folder name for the value "spam_quarantine_to". (Read the comments in this area of amavisd.conf for more info.)

Go to the section "# SpamAssassin settings". When you run SpamAssassin with Amavis, you have to do most of the configuration in amavisd.conf.

See http://www.ijs.si/software/amavisd/#faq-spam for details.

- $sa_local_tests_only = 0;

- $sa_tag_level_deflt = -999;

- $sa_tag2_level_deflt = 5.0;

- $sa_spam_subject_tag = '***SPAM*** ';

SpamAssassin configuration

Go to /etc/mail/spamassassin and edit local.cf. My file looks like this.

Be sure to double-check these options against amavisd.conf. If one of these options is in amavisd.conf, the one in local.cf will not be used.

# Add your own customisations to this file.  See 'man Mail::SpamAssassin::Conf'
# for details of what can be tweaked.
#
# How many hits before a message is considered spam.

required_hits           5.0

# Whether to change the subject of suspected spam

rewrite_subject         0

# Text to prepend to subject if rewrite_subject is used

subject_tag             *****SPAM*****

# Encapsulate spam in an attachment

report_safe             1

# Use terse version of the spam report

use_terse_report        0

# Enable the Bayes system

use_bayes               1

# Enable Bayes auto-learning

auto_learn              1

# Enable or disable network checks

skip_rbl_checks         0
use_razor2              1
use_dcc                 0
use_pyzor               0

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.

ok_languages            all

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.

ok_locales              all
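The precedence rule stated above (a setting in amavisd.conf wins over the one in local.cf) can be checked mechanically. This is an added example, not part of the original page or of amavisd-new; the excerpts are constructed from the values on this page, and the REPLACED_BY mapping between local.cf directives and amavisd.conf variables is an assumption to verify against the amavisd-new documentation for your version.

```python
import re

# Constructed excerpts using the values shown on this page.
AMAVISD_CONF = """\
$sa_local_tests_only = 0;
$sa_tag_level_deflt = -999;
$sa_tag2_level_deflt = 5.0;
$sa_spam_subject_tag = '***SPAM*** ';
"""
LOCAL_CF = """\
# How many hits before a message is considered spam.
required_hits           5.0
rewrite_subject         0
subject_tag             *****SPAM*****
use_razor2              1
"""
# Assumed mapping (not from the page): local.cf directive -> amavisd.conf
# variable that takes its place when SpamAssassin is called from amavisd-new.
REPLACED_BY = {"required_hits": "sa_tag2_level_deflt",
               "rewrite_subject": "sa_spam_subject_tag",
               "subject_tag": "sa_spam_subject_tag"}
NETWORK_TESTS = {"skip_rbl_checks", "use_razor2", "use_dcc", "use_pyzor"}

def amavis_vars(text):
    """Uncommented `$name = value;` assignments, quotes stripped."""
    pat = r"^\s*\$(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\"|([^;\s]+))\s*;"
    return {n: a or b or c for n, a, b, c in re.findall(pat, text, re.M)}

def local_directives(text):
    """`directive value` lines from local.cf, comments and blanks skipped."""
    pairs = (l.split(None, 1) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def shadowed(amavisd_conf, local_cf):
    """Return {directive: reason} for local.cf lines that will not take effect."""
    av, out = amavis_vars(amavisd_conf), {}
    for name, value in local_directives(local_cf).items():
        var = REPLACED_BY.get(name)
        if var in av:
            out[name] = f"${var} = {av[var]!r} is used instead of {value!r}"
        elif name in NETWORK_TESTS and av.get("sa_local_tests_only") == "1":
            out[name] = "$sa_local_tests_only = 1 disables network tests"
    return out
```

With the values on this page, the subject of tagged mail is rewritten with the amavisd.conf tag even though local.cf sets rewrite_subject to 0.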

Amavis expects to see SpamAssassin's user_prefs file in /var/spool/amavis/.spamassassin, but that directory and that file do not exist. SpamAssassin's Bayes data is also stored there.

cp  -r  /root/.spamassassin  /var/spool/amavis

chown  -R  vscan:vscan  /var/spool/amavis/.spamassassin

cd  /root/.spamassassin

rm  user_prefs

ln  -s  /var/spool/amavis/.spamassassin/user_prefs  user_prefs

ln  -s  /var/spool/amavis/.spamassassin/bayes_seen  bayes_seen

ln  -s  /var/spool/amavis/.spamassassin/bayes_toks  bayes_toks

Razor configuration

Open port 2703 in your firewall.

razor-client

razor-admin  -d  -create

razor-admin  -register

razor-admin  -discover

cd /usr/lib/perl5/vendor_perl/5.8.1/i586-linux-thread-multi/Razor2

patch  -p0  <  Razor2.patch-quinlan

vi  /root/.razor/razor-agent.conf

cp  -r  /root/.razor  /var/spool/amavis

razor-admin  -d  -create  -home=/var/spool/amavis/.razor

chown  -R  vscan:vscan  /var/spool/amavis/.razor

vi  /var/spool/amavis/.spamassassin/user_prefs

Add the following line to user_prefs:

razor_config  /var/spool/amavis/.razor/razor-agent.conf

IntegratedInPostfixWithAmavis (last edited 2009-09-20 23:17:31 by localhost)