Difference between revisions of "HowTos/Amavisd"

From Scalix Wiki
m (Configuring sendmail)
m (Configuring amavisd-new)
Line 102: Line 102:
 
  $virusadmin='virusalert\@$mydomain #The sender address for NDRs
 
  $virusadmin='virusalert\@$mydomain #The sender address for NDRs
  
This lines below control how amavisd-new will respond to the spam scores from SA. I set the first to undef so that the info headers are always added even if the message is deemed 'ham' (if your box is heavily-loaded you'll probably want to change this after debugging). The second sets the 'is spam' score, above which SA will add the 'X-Spam-Status: Yes' header &  (optionally) rewrite the subject line, prepending whatever you define with $sa_spam_subject_tag. You'll probably want to leave the next three commented to prevent amavisd-new doing anything extreme with mail until you're comfortable with the setup. Set the last to undef if you want to leave subject lines alone for spam mail.
+
This lines below control how amavisd-new will respond to the spam scores from SA. I set the first to '-9999' so that effectively, the info headers are always added even if the message is deemed 'ham' (if your box is heavily-loaded you'll probably want to change this after debugging). The second sets the 'is spam' score, above which SA will add the 'X-Spam-Status: Yes' header &  (optionally) rewrite the subject line, prepending whatever you define with $sa_spam_subject_tag. You'll probably want to leave the next three commented to prevent amavisd-new doing anything extreme with mail until you're comfortable with the setup. Set the last to undef if you want to leave subject lines alone for spam mail.
  
  $sa_tag_level_deflt  = undef; # add spam info headers if at, or above that level
+
  $sa_tag_level_deflt  = -9999; # add spam info headers if at, or above that level
 
   
 
   
 
  $sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level
 
  $sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level
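Review bot: in the reworded paragraph the value is written as '-9999' in quotes while the setting below it is the bare number -9999, and the sentence still opens with "This lines below"; write the number unquoted and change the opening to "The lines below". The unchanged context line $virusadmin='virusalert\@$mydomain has no closing quote or semicolon and would be worth correcting in the same revision.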

Revision as of 10:31, 19 July 2006

It's easier than it looks!

Through efforts to make this HOWTO both comprehensive & well-structured it has grown to be outwardly rather large.

Don't be deceived - the amount of work involved in following the instructions is actually rather small & even Linux beginners should be able to have a working setup within an hour.

Why Amavisd-New?

  • Large user community
  • Centralised configuration
  • Ability to apply site-wide rules
  • Works with all major UNIX/Linux MTAs

About this HOWTO

This HOWTO details a setup that uses amavisd-new to do both spam & virus scanning & should be followed in place of the following procedures:

  • Scalix Knowledgebase: ScalixReady - SpamAssassin in a Scalix Environment (126747) [RH/FC]
  • Scalix Knowledgebase: Configuring SpamAssassin on SuSE Systems (165119) [SuSE]
  • Scalix Administration Guide Chapter 18: Virus & Spam Protection (Configuring Scalix Virus Protection)

Test platforms

  • Fedora Core 4
  • CentOS 4
  • SuSE OSS 10.0

Before you start

DO NOT install the amavisd-new-milter RPM - see Installing amavisd-milter.

Prerequisites

Please note that in both cases the packages below have various dependencies which your package manager should take care of (or if you're masochistic you can spend an hour with wget & rpm...).

Redhat/CentOS/Fedora RPMs

  • amavisd-new
  • spamassassin
  • clamd
  • sendmail-cf
  • sendmail-devel
  • gcc

SuSE RPMs

  • amavisd-new
  • spamassassin
  • clamav
  • sendmail-devel
  • gcc

Installing amavisd-milter

Firstly, DO NOT install the amavisd-new-milter RPM - despite the 'new' tag this is a different, older version that lacks the ability to add anything other than a hard-coded 'virus scanned by amavisd-new-milter' to the message headers. As a consequence of this it's pretty useless if you want to sort messages into Spam folders downstream.

As far as I'm aware there's no binary package available for amavisd-milter but it's a quick & easy compile, just grab the source and do:

cd /usr/local/src && tar xvzf /path/to/amavisd-milter-1.x.x.tar.gz

cd amavisd-milter-1.x.x

./configure && make && sudo make install

Assuming you compiled in /usr/local/src and ran the commands above, the binary will be installed in /usr/local/sbin

NB: Startup scripts must be installed separately - see Initscripts/Sysconfig files for amavisd-milter.

Configuring amavisd-new

The config file for amavisd-new is fairly huge, but don't be put off as most of the values can safely stay at the defaults. The critical ones to add/edit/uncomment/comment are:

$protocol = "AM.PDP"; # Use AM.PDP protocol.

$unix_socketname = "$MYHOME/amavisd.sock"; # uncomment when using milter.

#$inet_socket_port = 10024; #comment out with milter.

$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';

$forward_method = undef; #must be set like this with sendmail milter.

$mydomain = 'example.com'; # Your domain

$myhostname = 'cosmo.example.com'; # The FQDN of the Scalix host

$virus_admin = "virusalert\@$mydomain"; # NDR recipient if virus found

$mailfrom_notify_admin = "virusalert\@$mydomain"; # The sender address for NDRs

The lines below control how amavisd-new will respond to the spam scores from SA. I set the first to -9999 so that, effectively, the info headers are always added even if the message is deemed 'ham' (if your box is heavily loaded you'll probably want to change this after debugging). The second sets the 'is spam' score, above which SA will add the 'X-Spam-Status: Yes' header & (optionally) rewrite the subject line, prepending whatever you define with $sa_spam_subject_tag. You'll probably want to leave the next three commented out to prevent amavisd-new doing anything extreme with mail until you're comfortable with the setup. Set the last to undef if you want to leave subject lines alone for spam mail.

$sa_tag_level_deflt  = -9999; # add spam info headers if at, or above that level

$sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level

#$sa_kill_level_deflt = 6.31; # triggers spam evasive actions

#$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent

#$sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off

$sa_spam_subject_tag = '[SPAM] '; # Prepended to the subject line if defined.

Amavisd-New scans all mail passing through it for viruses, but will only hand mail for local delivery off to SA for checking - you tell it which domains are local using the @local_domains_maps variable, which by default is set to the value of $mydomain & its subdomains:

@local_domains_maps = ( [".$mydomain"] );

You can add additional domains in a variety of ways (see the docs), eg:

@local_domains_maps = ( [".$mydomain", ".foo.com"] );

In a nutshell, you probably want whatever you have in /etc/mail/local-host-names to be included in @local_domains_maps.

Finally, uncomment the code near the bottom that tells amavis to use the clamd daemon and edit the value /var/run/clamav/clamd to read /var/run/clamav/clamd.sock (matching the value in /etc/clamav.conf)

### http://www.clamav.net/ 

['ClamAV-clamd', 

\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], 

qr/\bOK$/, qr/\bFOUND$/,

qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Initscripts/Sysconfig files for amavisd

Amavisd-new will come with its own init/sysconfig scripts, which may possibly include code to start the old milter (amavisd-new-milter). Make sure this is disabled to avoid any confusion, for example on SuSE ensure that in /etc/sysconfig/amavis AMAVIS_SENDMAIL_MILTER is set to no, ie:

AMAVIS_SENDMAIL_MILTER="no"

Initscripts/Sysconfig files for amavisd-milter

Sysconfig Script (common)

Download here & copy to: /etc/sysconfig/amavisd-milter.

Be sure to read this file & edit if necessary (the comments in the file provide all the required information).

Init Script (Redhat/CentOS/Fedora)

Download here, copy to: /etc/init.d/amavisd-milter & do:

sudo chkconfig --add amavisd-milter

Init Script (SuSE)

Download here, copy to: /etc/init.d/amavisd-milter & do:

sudo chkconfig --add amavisd-milter

Configuring sendmail

Redhat/CentOS/Fedora

Milter settings

cd to /etc/mail, back up sendmail.cf & sendmail.mc & then edit sendmail.mc, adding the following two lines at the end of the file:

define(`MILTER', 1)dnl

INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl

NB: The suggested lines in the amavisd-milter manpage seem a bit broken!

Rebuild sendmail.cf:

sudo sh -c "m4 sendmail.mc > sendmail.cf"

Run omsendin to reinsert the Scalix mods:

sudo omsendin

Other settings

Virus notification mails are deferred to avoid the milter being called twice. This means that if amavisd catches an infected mail the '$virus_admin' user won't be sent the notification until the queue is next run, which by default is every 1h. Therefore, edit /etc/sysconfig/sendmail & set the queue runner to a suitably low value for debugging, e.g.

QUEUE=1m

Note that common values for QUEUE are between 15-60m & RFC 1123 section 5.3.1.1 recommends that it be at least 30 minutes.

For the purposes of sending notification mails Amavisd-new sets its sender address to the value set in the config file, e.g. virusalert@example.com. To avoid an authentication warning from sendmail each time a notification is sent, the amavis user must be made a member of sendmail's trusted-users, by adding amavis to /etc/mail/trusted-users.

SuSE

Milter settings

With SuSE you have two options:

  1. For a new installation IMO it would be best to disable YaST configuration of sendmail & use an *mc file instead - you'll avoid editing sendmail.cf directly & use techniques that are applicable to all modern *nixes.
  2. On the other hand if you've already customised sendmail using YaST then you might be better off editing sendmail.cf directly - the edits are very similar to those detailed in the SA integration TechNote [STN 126747].

Option 1 - using /etc/mail/linux.mc

Firstly, in /etc/sysconfig/mail set:

MAIL_CREATE_CONFIG="no"

Back up /etc/sendmail.cf & /etc/mail/linux.mc & edit /etc/mail/linux.mc, adding the following two lines at the end of the file:

define(`MILTER', 1)dnl

INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl

NB: The suggested lines in the amavisd-milter manpage seem a bit broken!

Rebuild sendmail.cf:

sudo sh -c "m4 /etc/mail/linux.mc > /etc/sendmail.cf"

Run omsendin to reinsert the Scalix mods:

sudo omsendin

Option 2 - editing /etc/sendmail.cf directly

Back up your sendmail.cf and make the following changes:

Find the line:

#O InputMailFilters 

Change to:

O InputMailFilters=milter-amavis

Underneath this insert:

# Milter options
#O Milter.LogLevel 
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
O Milter.macros.eom={msg_id} 

Under MAIL FILTER DEFINITIONS insert:

Xmilter-amavis, S=local:/var/spool/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m

There's no need to run omsendin after editing sendmail.cf directly.

Other settings

Virus notification mails are deferred to avoid the milter being called twice. This means that if amavisd catches an infected mail the '$virus_admin' user won't be sent the notification until the queue is next run, which by default is every 30m. Therefore, edit /etc/sysconfig/sendmail & set the queue runner to a suitably low value for debugging, so you end up with something like:

SENDMAIL_ARGS="-L sendmail -Am -bd -q1m -om"

Note that common values for QUEUE are between 15-60m & RFC 1123 section 5.3.1.1 recommends that it be at least 30 minutes.

For the purposes of sending notification mails Amavisd-new sets its sender address to the value set in the config file, e.g. virusalert@example.com. To avoid an authentication warning from sendmail each time a notification is sent, the vscan user should belong to sendmail's trusted-users. Check that YaST hasn't already done this for you by doing:

grep vscan /etc/sendmail.cf

Which should produce a line like:

Tmdom vscan wwwrun root uucp daemon mail

Otherwise add vscan to /etc/mail/trusted-users.

Configuring clamd

Firstly, check that during the installation of clamd the clamav user was made a member of the amavis (Redhat/CentOS/Fedora) or vscan (SuSE) group:

groups clamav

And if not add it with something like (Redhat/CentOS/Fedora):

sudo usermod -a -G amavis clamav

or (SuSE):

sudo usermod -A vscan clamav

Then, edit /etc/clamav.conf, [un]commenting or changing:

LocalSocket /var/run/clamav/clamd.sock #Must match value in /etc/amavisd.conf 

#TCPSocket 3310 #Only use one connection method or clamd won't start. 

AllowSupplementaryGroups #Avoids a raft of permission issues! 

FixStaleSocket

Then edit /etc/freshclam.conf

UpdateLogFile /var/log/clamav/freshclam.log

PidFile /var/clamav/freshclam.pid

NotifyClamd
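
A quick way to confirm that the socket settings above agree, as an added example that is not part of the original HOWTO: the script reads the active LocalSocket/TCPSocket directives from /etc/clamav.conf and the CONTSCAN entry from /etc/amavisd.conf. The function names are made up for this sketch and the sample files are constructed.

```sh
#!/bin/sh
# Added example (not from the HOWTO): check that clamd and amavisd-new agree
# on the clamd socket. Function names are made up for this sketch.

# Print the value of an active (uncommented) clamd directive, if present.
clamd_directive() {  # usage: clamd_directive NAME FILE
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Print the socket path of the first uncommented CONTSCAN entry in amavisd.conf.
amavisd_clamd_socket() {  # usage: amavisd_clamd_socket FILE
    sed -n '/^[[:space:]]*#/d
            s/.*CONTSCAN[^,]*,[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

check_clamd_socket() {  # usage: check_clamd_socket [CLAMAV_CONF] [AMAVISD_CONF]
    clamav_conf=${1:-/etc/clamav.conf}
    amavisd_conf=${2:-/etc/amavisd.conf}
    rc=0
    local_sock=$(clamd_directive LocalSocket "$clamav_conf")
    tcp_sock=$(clamd_directive TCPSocket "$clamav_conf")
    amavis_sock=$(amavisd_clamd_socket "$amavisd_conf")
    if [ -z "$local_sock" ]; then
        echo "FAIL: no active LocalSocket in $clamav_conf"; rc=1
    elif [ "$local_sock" != "$amavis_sock" ]; then
        echo "FAIL: clamd uses '$local_sock', amavisd asks '$amavis_sock'"; rc=1
    fi
    if [ -n "$local_sock" ] && [ -n "$tcp_sock" ]; then
        echo "FAIL: LocalSocket and TCPSocket are both active"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: both sides use $local_sock"
    return "$rc"
}

# Constructed sample files mirroring the settings shown in this HOWTO.
demo=$(mktemp -d)
cat > "$demo/clamav.conf" <<'EOF'
LocalSocket /var/run/clamav/clamd.sock
#TCPSocket 3310
EOF
cat > "$demo/amavisd.conf" <<'EOF'
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
EOF
check_clamd_socket "$demo/clamav.conf" "$demo/amavisd.conf"
rm -rf "$demo"
```

Run `check_clamd_socket` with no arguments on the mail host to test the live files before starting clamd and amavisd.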

Configuring Scalix

Back up /var/opt/scalix/sys/smtpd.cfg and add the following line to the end:

SMTPFILTER=TRUE

Starting it all up

sudo service spamassassin start

sudo service clamd start

sudo service amavisd-milter start

sudo service amavisd start

Restart sendmail:

sudo service sendmail restart

Restart the Scalix SMTP Relay:

sudo omoff -d0 smtpd && sudo omon smtpd

Debugging

Tail /var/log/maillog and try sending clean, virus and spam mails e.g.

mail -s test me@example.com < clean.txt

mail -s test me@example.com < eicar.sig
 
mail -s test me@example.com < gtube.txt

Check the headers of your received mails & your virusadmin mailbox, debug.

There's lots of useful information here, particularly concerning SA integration:

http://www.ijs.si/software/amavisd/

NB: If you encounter any permission errors when debugging, DO NOT attempt to solve them by changing the permissions on /var/amavis away from 0750 - for security reasons milters insist that the work directory is not world-readable or group-writable.
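
Before touching any modes, the two permission conditions this HOWTO relies on (the clamav user's group membership from "Configuring clamd" and the work directory rule in the note above) can be checked with a short script. This is an added example, not part of the original HOWTO; the function names are made up and the demo runs on a constructed scratch directory.

```sh
#!/bin/sh
# Added example (not from the HOWTO): permission pre-flight for the scanner
# accounts. Function names are made up; the default path is the one used above.

# Succeeds if USER belongs to GROUP (primary or supplementary).
user_in_group() {  # usage: user_in_group USER GROUP
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Succeeds only if DIR is neither world-readable nor group-writable.
check_workdir() {  # usage: check_workdir [DIR]
    dir=${1:-/var/amavis}
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }
    perms=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxr-x--- for 0750
    rc=0
    case $perms in
        ?????w????) echo "FAIL: $dir ($perms) is group-writable"; rc=1 ;;
    esac
    case $perms in
        ???????r??) echo "FAIL: $dir ($perms) is world-readable"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $dir ($perms)"
    return "$rc"
}

# Constructed demo on a scratch directory instead of the live /var/amavis.
scratch=$(mktemp -d)
chmod 0750 "$scratch"; check_workdir "$scratch"
chmod 0755 "$scratch"; check_workdir "$scratch" || true   # reports world-readable
# On a real host (Redhat/CentOS/Fedora names from this HOWTO):
#   user_in_group clamav amavis || echo "add clamav to the amavis group"
#   check_workdir /var/amavis
rmdir "$scratch"
```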

Support

Whilst this isn't an 'officially supported' configuration, it is almost identical to the Scalix/Spamass-milter setup (as detailed in the Tech Note) in the way it interfaces with Scalix/Sendmail & so should be reasonably 'supportable'. I'm pretty active on the community fora, at least for the moment, so will do what I can to keep this document updated & help with issues.

Pimping Spamassassin

I would say that adding dcc, pyzor & razor are essential to good detection rates. Packages are available for most distros & there's plenty of info out there on setting them up.

I also recommend looking at 'Rules du Jour' from the Spamassassin Rules Emporium - a collection of nifty extra rules that will further boost your detection rate & come with an update script that can be run as a cronjob.

http://www.exit0.us/index.php?pagename=RulesDuJour

http://www.rulesemporium.com/index.html

Credits

Big thanks to STrRedWolf for the Scalix/Amavisd-New (using Postfix) HOWTO which enabled me to get a working mailscanning setup up & running in the first place! Whilst the postfix setup still has some advantages (easy integration with Mailguard for one) I hope that this HOWTO will give most users the goodness of amavisd without having to use an additional MTA.