HowTos/Amavisd

From Scalix Wiki
Revision as of 18:55, 22 May 2006 by Btisdall (Talk | contribs) (Introduction)


Introduction

I decided to use amavisd-new with Scalix partly because I already had a fair bit of experience using it, but also because I like the way it keeps configuration for both virus & spam filtering largely under one roof & away from Scalix. It also, in my opinion, gives more-readily comprehensible control of spam/virus actions (reject, quarantine, etc).

This HOWTO details a setup that uses amavisd-new to do both spam & virus scanning & should be followed in place of the following procedures:


  • Scalix Knowledgebase: ScalixReady - SpamAssassin in a Scalix Environment (126747) [RH/FC]
  • Scalix Knowledgebase: Configuring SpamAssassin on SuSE Systems (165119) [SuSE]
  • Scalix Administration Guide Chapter 18: Virus & Spam Protection (Configuring Scalix Virus Protection)

Test platforms

  • Scalix CE on Fedora Core 4
  • Scalix CE on CentOS 4

Prerequisites

You'll obviously need the amavisd-new package, plus spamassassin & clamd to do the spam/virus detection if you haven't already got them.


The sendmail-cf package provides the m4 program used to rebuild sendmail.cf. Likely as not you have this already but check!


The gcc & sendmail-devel packages are required to compile amavisd-milter.

Installing amavisd-milter

Firstly, DO NOT install the amavisd-new-milter binary package - despite the 'new' tag this is a different, older version that lacks the ability to add anything other than a hard-coded 'virus scanned by amavisd-new-milter' to the message headers. As a consequence of this it's pretty useless if you want to sort messages into Spam folders downstream.


As far as I'm aware there's no binary package available for amavisd-milter, but it's a quick & easy compile. Just grab the source from http://sourceforge.net/project/showfiles.php?group_id=138169 and do the usual:


cd /usr/local/src && tar xvzf /path/to/amavisd-milter-1.x.x.tar.gz

cd amavisd-milter-1.x.x

./configure && make && sudo make install


Assuming you compiled in /usr/local/src and ran the commands above, the binary will be installed in /usr/local/sbin

Configuring amavisd-new

The config file for amavisd-new is fairly huge, but don't be put off as most of the values can safely stay at the defaults. The critical ones to add/edit/uncomment/comment are:


$protocol = "AM.PDP"; # Use AM.PDP protocol.

$unix_socketname = "$MYHOME/amavisd.sock"; # uncomment when using milter.

#$inet_socket_port = 10024; # comment out with milter.

$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';

$forward_method = undef; # must be set like this with sendmail milter.

$mydomain = 'example.com'; # Your domain

$myhostname = 'cosmo.example.com'; # The FQDN of the Scalix host

$virus_admin = "virusalert\@$mydomain"; # NDR recipient if virus found

$mailfrom_notify_admin = "virusalert\@$mydomain"; # The sender address for NDRs


The lines below control how amavisd-new responds to the spam scores from SA. I set the first to undef so that the info headers are always added, even if the message is deemed 'ham' (if your box is heavily loaded you'll probably want to change this after debugging). The second sets the 'is spam' score, above which SA will add the 'X-Spam-Status: Yes' header & (optionally) rewrite the subject line, prepending whatever you define with $sa_spam_subject_tag. You'll probably want to leave the next three commented out to prevent amavisd-new doing anything extreme with mail until you're comfortable with the setup. Set the last to undef if you want to leave subject lines alone for spam mail.


$sa_tag_level_deflt  = undef; # add spam info headers if at, or above that level

$sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level

#$sa_kill_level_deflt = 6.31; # triggers spam evasive actions

#$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent

#$sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off

$sa_spam_subject_tag = '[SPAM] '; # Prepended to the subject line if defined.


The following line is analogous to /etc/mail/local-host-names in that it determines which messages amavisd-new will hand off to spamassassin for checking (all mail is virus scanned). By default it will be set to the value of '$mydomain':


@local_domains_maps = ( [".$mydomain"] );


But you can add additional domains in a variety of ways, eg:


@local_domains_maps = ( [".$mydomain", ".foo.com"] );


See the documentation for more details.


Finally, uncomment the code near the bottom that tells amavis to use the clamd daemon, and edit the value /var/run/clamav/clamd to read /var/run/clamav/clamd.sock (matching the value in /etc/clamav.conf):


### http://www.clamav.net/ 

['ClamAV-clamd', 

\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], 

qr/\bOK$/, qr/\bFOUND$/,

qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Initscripts/Sysconfig files for amavisd & amavisd-milter

Since originally posting the combined amavisd/milter script/config I've observed that yum has a tendency to stomp on any customised init scripts when upgrading, so I've separated the milter stuff off into a separate script/config.


NB: Before using the amavisd-milter scripts below, check that the amavisd scripts installed by your package manager don't already contain the code necessary to start the milter:


http://www.redcircleit.com/public/scripts/amavisd-milter-init.txt

http://www.redcircleit.com/public/scripts/amavisd-milter-sysconfig.txt


If necessary, copy the above files to /etc/init.d/amavisd-milter & /etc/sysconfig/amavisd-milter respectively & do:


sudo chkconfig --add amavisd-milter


The standalone amavisd script/config (with the milter stuff removed) is here for completeness but I recommend sticking with the ones installed by your package manager.


http://www.redcircleit.com/public/scripts/amavisd-init.txt

http://www.redcircleit.com/public/scripts/amavisd-sysconfig.txt


If you need them, copy them to /etc/init.d/amavisd & /etc/sysconfig/amavisd respectively & do:


sudo chkconfig --add amavisd

Configuring sendmail

Back up sendmail.cf & sendmail.mc & then edit sendmail.mc, adding the following two lines at the end of the file:


define(`MILTER', 1)dnl

INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl


NB: The suggested lines in the amavisd-milter manpage seem a bit broken!


Rebuild sendmail.cf:

sudo sh -c "m4 sendmail.mc > sendmail.cf"


Run omsendin to reinsert the Scalix mods:

sudo omsendin


NB: Virus notification mails are deferred to avoid the milter being called twice. This means that if amavisd catches an infected mail, the '$virus_admin' user won't be sent the notification until the queue is next run, which by default is every hour. Therefore, edit /etc/sysconfig/sendmail & set the queue runner to a reasonably low value, at least for debugging, e.g.


QUEUE=1m

Configuring clamd

Firstly, check that the clamav user was made a member of the amavis group during the installation of clamd (it needn't be its primary group):


groups clamav


And if not add it with something like:


sudo gpasswd -a clamav amavis


Then, edit /etc/clamav.conf, [un]commenting or changing:


LocalSocket /var/run/clamav/clamd.sock #Must match value in /etc/amavisd.conf 

#TCPSocket 3310 #Only use one connection method or clamd won't start. 

AllowSupplementaryGroups #Avoids a raft of permission issues! 

FixStaleSocket


Then edit /etc/freshclam.conf


UpdateLogFile /var/log/clamav/freshclam.log

PidFile /var/clamav/freshclam.pid

NotifyClamd

Configuring Scalix

Back up /var/opt/sys/smtpd.cfg and add the following line to the end:


SMTPFILTER=TRUE

Starting it all up

sudo service spamassassin start

sudo service clamd start

sudo service amavisd-milter start

sudo service amavisd start


Restart sendmail:

sudo service sendmail restart


Restart the Scalix SMTP Relay:

sudo omoff -d0 smtpd && sudo omon smtpd

Debugging

Tail /var/log/maillog and try sending clean, virus and spam mails e.g.


mail -s test me@example.com < clean.txt

mail -s test me@example.com < eicar.sig
 
mail -s test me@example.com < gtube.txt


Check the headers of your received mails & the mailbox your virus notifications go to & debug.
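One way to do the header check, as an added example that is not part of the original HOWTO: it unfolds the header block of a delivered message and reports whether amavisd-new scanned it and how SpamAssassin scored it. The function names are hypothetical, the `X-Virus-Scanned: amavisd-new at ...` line and the `score=`/`hits=`/`required=` fields are assumed header formats, and the sample message is constructed.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Function names are hypothetical.

# Print the header block of the message on stdin with folded lines joined.
unfold_headers() {
    awk '/^$/     { exit }                   # headers stop at the first blank line
         /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
                  { if (buf != "") print buf; buf = $0 }
         END      { if (buf != "") print buf }'
}

# Prints: unscanned | no-spam-check | ham|spam score=S required=R [subject-tagged]
classify_message() {
    hdrs=$(unfold_headers)
    if ! printf '%s\n' "$hdrs" | grep -qi '^X-Virus-Scanned:.*amavisd'; then
        echo unscanned; return 0          # the milter never saw this message
    fi
    status=$(printf '%s\n' "$hdrs" | grep -i '^X-Spam-Status:' | head -n 1)
    if [ -z "$status" ]; then
        echo no-spam-check; return 0      # e.g. recipient not in @local_domains_maps
    fi
    score=$(printf '%s\n' "$status" | sed -nE 's/.*(score|hits)=(-?[0-9.]+).*/\2/p')
    required=$(printf '%s\n' "$status" | sed -nE 's/.*required=(-?[0-9.]+).*/\1/p')
    verdict=ham
    if printf '%s\n' "$status" | grep -qi '^X-Spam-Status:[[:space:]]*yes'; then
        verdict=spam
    fi
    tagged=
    if printf '%s\n' "$hdrs" | grep -q '^Subject:[[:space:]]*\[SPAM\]'; then
        tagged=' subject-tagged'          # matches $sa_spam_subject_tag = '[SPAM] '
    fi
    echo "$verdict score=$score required=$required$tagged"
}

# Constructed sample: a GTUBE test mail as it might arrive with the settings above.
sample_spam() {
    printf '%s\n' 'X-Virus-Scanned: amavisd-new at example.com' \
        'X-Spam-Status: Yes, score=1000.2 tagged_above=-999 required=3.4' \
        ' tests=[GTUBE=1000, NO_RELAYS=0.2]' \
        'Subject: [SPAM] test' '' 'body text'
}
# e.g. classify_message < saved-message.eml
```

A result of `no-spam-check` on mail for one of your own domains points at @local_domains_maps; `unscanned` points at the sendmail milter configuration.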


There's lots of useful information here, particularly concerning SA integration:


http://www.ijs.si/software/amavisd/


NB: If you encounter any permission errors when debugging, DO NOT attempt to solve them by changing the permissions on /var/amavis away from 0750 - for security reasons milters insist that the work directory is not world-readable or group-writable.
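The consistency rules from the clamd and Debugging sections (matching socket paths in /etc/clamav.conf and /etc/amavisd.conf, only one clamd connection method, clamav in the amavis group, a work directory that stays at 0750) can be checked before starting the services. This is an added example, not part of the original HOWTO; the function names are hypothetical and `stat -c` assumes GNU coreutils, as on the Fedora/CentOS test platforms.

```shell
#!/bin/sh
# Added example, not from the HOWTO. All function names are hypothetical.

# Print the path on the active (uncommented) LocalSocket line of clamav.conf.
clamd_local_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Succeed if clamav.conf also has an active TCPSocket line.
clamd_has_tcp_socket() {
    grep -Eq '^[[:space:]]*TCPSocket[[:space:]]' "$1"
}

# Print the socket path amavisd.conf passes to ask_daemon for CONTSCAN.
amavisd_clamd_socket() {
    sed -n 's/^[^#]*ask_daemon.*CONTSCAN[^,]*,[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# Succeed if DIR has no group-write and no "other" permission bits (e.g. 0750).
workdir_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 027 )) -eq 0 ]
}

# Succeed if GROUP appears in a space-separated list such as `id -nG clamav`.
in_group() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# usage: preflight CLAMAV_CONF AMAVISD_CONF WORKDIR "GROUPS_OF_CLAMAV"
preflight() {
    rc=0
    cs=$(clamd_local_socket "$1")
    as=$(amavisd_clamd_socket "$2")
    if [ -z "$cs" ] || [ "$cs" != "$as" ]; then
        echo "FAIL: clamd socket '$cs' != amavisd socket '$as'"; rc=1
    fi
    if clamd_has_tcp_socket "$1"; then
        echo "FAIL: TCPSocket is active alongside LocalSocket"; rc=1
    fi
    workdir_mode_ok "$3" || { echo "FAIL: $3 is group-writable or world-accessible"; rc=1; }
    in_group amavis "$4" || { echo "FAIL: clamav is not in group amavis"; rc=1; }
    return $rc
}
# e.g. preflight /etc/clamav.conf /etc/amavisd.conf /var/amavis "$(id -nG clamav)"
```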


Support

Whilst this isn't an 'officially supported' configuration, it is almost identical to the Scalix/Spamass-milter setup (as detailed in the Tech Note) in the way it interfaces with Scalix/Sendmail & so should be reasonably 'supportable'. I'm pretty active on the support forum, at least for the moment, so will do what I can to keep this document updated & help with issues.

Credits

Big thanks to STrRedWolf for the Scalix/Amavisd-New (using Postfix) HOWTO which enabled me to get a working mailscanning setup up & running in the first place! Whilst the postfix setup still has some advantages (easy integration with Mailguard for one) I hope that this HOWTO will give most users the goodness of amavisd without having to use an additional MTA.