HowTos/Amavisd
Contents
- 1 Introduction
- 2 Test platforms
- 3 Prerequisites
- 4 Installing amavisd-milter
- 5 Configuring amavisd-new
- 6 Initscripts/Sysconfig files for amavisd
- 7 Initscripts/Sysconfig files for amavisd-milter
- 8 Configuring sendmail
- 9 Configuring clamd
- 10 Configuring Scalix
- 11 Starting it all up
- 12 Debugging
- 13 Support
- 14 Credits
Introduction
I decided to use amavisd-new with Scalix partly because I already had a fair bit of experience using it, but also because I like the way it keeps configuration for both virus & spam filtering largely under one roof & away from Scalix. It also, in my opinion, gives more readily comprehensible control of spam/virus actions (reject, quarantine, etc).
This HOWTO details a setup that uses amavisd-new to do both spam & virus scanning & should be followed in place of the following procedures:
- Scalix Knowledgebase: ScalixReady - SpamAssassin in a Scalix Environment (126747) [RH/FC]
- Scalix Knowledgebase: Configuring SpamAssassin on SuSE Systems (165119) [SuSE]
- Scalix Administration Guide Chapter 18: Virus & Spam Protection (Configuring Scalix Virus Protection)
Test platforms
- Scalix CE on Fedora Core 4
- Scalix CE on CentOS 4
Prerequisites
You'll obviously need the amavisd-new package, plus spamassassin & clamd to do the spam/virus detection if you haven't already got them.
The sendmail-cf package provides the m4 program used to rebuild sendmail.cf. Likely as not you have this already but check!
The gcc & sendmail-devel packages are required to compile amavisd-milter.
Installing amavisd-milter
Firstly, DO NOT install the amavisd-new-milter binary package - despite the 'new' tag this is a different, older version that lacks the ability to add anything other than a hard-coded 'virus scanned by amavisd-new-milter' to the message headers. As a consequence of this it's pretty useless if you want to sort messages into Spam folders downstream.
As far as I'm aware there's no binary package available for amavisd-milter but it's a quick & easy compile, just grab the source from: http://sourceforge.net/project/showfiles.php?group_id=138169 and do the usual:
cd /usr/local/src && tar xvzf /path/to/amavisd-milter-1.x.x.tar.gz
cd amavisd-milter-1.x.x
./configure && make && sudo make install
Assuming you compiled in /usr/local/src and ran the commands above, the binary will be installed in /usr/local/sbin
Configuring amavisd-new
The config file for amavisd-new is fairly huge, but don't be put off as most of the values can safely stay at the defaults. The critical ones to add/edit/uncomment/comment are:
$protocol = "AM.PDP"; # Use AM.PDP protocol.
$unix_socketname = "$MYHOME/amavisd.sock"; # uncomment when using milter.
#$inet_socket_port = 10024; # comment out with milter.
$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
$forward_method = undef; # must be set like this with sendmail milter.
$mydomain = 'example.com'; # Your domain
$myhostname = 'cosmo.example.com'; # The FQDN of the Scalix host
$virusadmin = "virusalert\@$mydomain"; # NDR recipient if virus found
$virusadmin = "virusalert\@$mydomain"; # The sender address for NDRs
The lines below control how amavisd-new will respond to the spam scores from SA. I set the first to undef so that the info headers are always added even if the message is deemed 'ham' (if your box is heavily-loaded you'll probably want to change this after debugging). The second sets the 'is spam' score, above which SA will add the 'X-Spam-Status: Yes' header & (optionally) rewrite the subject line, prepending whatever you define with $sa_spam_subject_tag. You'll probably want to leave the next three commented to prevent amavisd-new doing anything extreme with mail until you're comfortable with the setup. Set the last to undef if you want to leave subject lines alone for spam mail.
$sa_tag_level_deflt = undef; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level
#$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
#$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent
#$sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off
$sa_spam_subject_tag = '[SPAM] '; # Prepended to the subject line if defined.
The following line is analogous to /etc/mail/local-host-names in so far as it determines which messages amavisd-new will hand off to spamassassin for checking (all mail is virus scanned). By default it will be set to the value of '$mydomain':
@local_domains_maps = ( [".$mydomain"] );
But you can add additional domains in a variety of ways, eg:
@local_domains_maps = ( [".$mydomain", ".foo.com"] );
See the documentation for more details.
Finally, uncomment the code near the bottom that tells amavis to use the clamd daemon and edit the value /var/run/clamav/clamd to read /var/run/clamav/clamd.sock (matching the value in /etc/clamav.conf)
### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
Initscripts/Sysconfig files for amavisd
Amavisd-new will come with its own init/sysconfig scripts, which may possibly include code to start the old milter (amavisd-new-milter). Make sure this is disabled to avoid any confusion, for example on SuSE ensure that in /etc/sysconfig/amavis AMAVIS_SENDMAIL_MILTER is set to no, ie:
AMAVIS_SENDMAIL_MILTER="no"
Initscripts/Sysconfig files for amavisd-milter
Sysconfig Script (common)
Download:
http://www.redcircleit.com/public/scripts/amavisd-milter-sysconfig.txt
Copy to: /etc/sysconfig/amavisd-milter
Init Script (Redhat/CentOS/Fedora)
Download:
http://www.redcircleit.com/public/scripts/amavisd-milter-init-rh.txt
Copy to: /etc/init.d/amavisd-milter & do:
sudo chkconfig --add amavisd-milter
Init Script (SuSE)
Download:
http://www.redcircleit.com/public/scripts/amavisd-milter-init-suse.txt
Copy to: /etc/init.d/amavisd-milter & do:
sudo chkconfig --add amavisd-milter
Configuring sendmail
Common
Virus notification mails are deferred to avoid the milter being called twice. This means that if amavisd catches an infected mail the '$virusadmin' user won't be sent the notification until the queue is next run, which by default is every hour. Therefore, edit /etc/sysconfig/sendmail & set the queue runner as follows for debugging, e.g.
QUEUE=1m
Note that common values for QUEUE are between 15-60m & RFC 1123 section 5.3.1.1 recommends that this be at least 30 minutes.
Redhat/CentOS/Fedora
cd to /etc/mail & backup sendmail.cf & sendmail.mc & then edit sendmail.mc, adding the following two lines at the end of the file:
define(`MILTER', 1)dnl
INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl
NB: The suggested lines in the amavisd-milter manpage seem a bit broken!
Rebuild sendmail.cf:
sudo sh -c "m4 sendmail.mc > sendmail.cf"
Run omsendin to reinsert the Scalix mods:
sudo omsendin
SuSE
Make sure you have the following line in /etc/sysconfig/mail:
MAIL_CREATE_CONFIG="no"
Backup /etc/sendmail.cf & /etc/mail/linux.mc & edit /etc/mail/linux.mc, adding the following two lines at the end of the file:
define(`MILTER', 1)dnl
INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl
NB: The suggested lines in the amavisd-milter manpage seem a bit broken!
Rebuild sendmail.cf:
sudo sh -c "m4 /etc/mail/linux.mc > /etc/sendmail.cf"
Run omsendin to reinsert the Scalix mods:
sudo omsendin
Configuring clamd
Firstly, check that the clamav user was made a member of the amavis group during the installation of clamd (it needn't be its primary group):
groups clamav
And if not add it with something like:
sudo gpasswd -a clamav amavis
Then, edit /etc/clamav.conf, [un]commenting or changing:
LocalSocket /var/run/clamav/clamd.sock #Must match value in /etc/amavisd.conf
#TCPSocket 3310 #Only use one connection method or clamd won't start.
AllowSupplementaryGroups #Avoids a raft of permission issues!
FixStaleSocket
Then edit /etc/freshclam.conf
UpdateLogFile /var/log/clamav/freshclam.log
PidFile /var/clamav/freshclam.pid
NotifyClamd
Configuring Scalix
Backup /var/opt/scalix/sys/smtpd.cfg and add the following line to the end:
SMTPFILTER=TRUE
Starting it all up
sudo service spamassassin start
sudo service clamd start
sudo service amavisd-milter start
sudo service amavisd start
Restart sendmail:
sudo service sendmail restart
Restart the Scalix SMTP Relay:
sudo omoff -d0 smtpd && sudo omon smtpd
Debugging
Tail /var/log/maillog and try sending clean, virus and spam mails e.g.
mail -s test me@example.com < clean.txt
mail -s test me@example.com < eicar.sig
mail -s test me@example.com < gtube.txt
Check the headers of your received mails & your virusadmin mailbox, debug.
There's lots of useful information here, particularly concerning SA integration:
http://www.ijs.si/software/amavisd/
NB: If you encounter any permission errors when debugging, DO NOT attempt to solve them by changing the permissions on /var/amavis away from 0750 - for security reasons milters insist that the work directory is not world-readable or group-writable.
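The checks below are an added example, not part of the original HOWTO. They confirm that the clamd socket in amavisd.conf matches LocalSocket in clamav.conf, that only one clamd connection method is enabled, and that the amavis work directory is neither group-writable nor world-readable. The function names are hypothetical; the paths in the last lines are the ones this HOWTO uses.

```shell
#!/bin/sh
# Added example, not from the original HOWTO; function names are hypothetical.

# Active (uncommented) LocalSocket path in a clamav.conf-style file.
clamav_local_socket() { awk '$1 == "LocalSocket" { print $2; exit }' "$1"; }

# Number of active connection methods; the HOWTO says to enable only one.
clamav_listener_count() {
    awk '$1 == "LocalSocket" || $1 == "TCPSocket" { n++ } END { print n + 0 }' "$1"
}

# Socket path from the uncommented "CONTSCAN" line of the ClamAV-clamd entry.
amavisd_clamd_socket() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*"CONTSCAN {}\\n",[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# True if the directory is neither group-writable nor world-readable.
workdir_mode_ok() {
    [ -d "$1" ] &&
        [ -z "$(find "$1" -prune \( -perm -020 -o -perm -004 \) -print)" ]
}

# Print one line per problem; return non-zero if any check fails.
preflight() {
    clamav_conf=$1; amavisd_conf=$2; workdir=$3; rc=0
    clamd_sock=$(clamav_local_socket "$clamav_conf")
    amavis_sock=$(amavisd_clamd_socket "$amavisd_conf")
    if [ "$(clamav_listener_count "$clamav_conf")" -ne 1 ]; then
        echo "FAIL: enable exactly one of LocalSocket/TCPSocket in $clamav_conf"; rc=1
    fi
    if [ -z "$clamd_sock" ] || [ "$clamd_sock" != "$amavis_sock" ]; then
        echo "FAIL: clamd socket '$clamd_sock' != amavisd socket '$amavis_sock'"; rc=1
    fi
    if ! workdir_mode_ok "$workdir"; then
        echo "FAIL: $workdir is group-writable or world-readable"; rc=1
    fi
    return "$rc"
}

# With "check" as the first argument, test the paths used in this HOWTO.
if [ "${1:-}" = "check" ]; then
    preflight /etc/clamav.conf /etc/amavisd.conf /var/amavis && echo "OK"
fi
```

Save it as a script and run it with the argument check; without arguments it only defines the functions.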
Support
Whilst this isn't an 'officially supported' configuration, it is almost identical to the Scalix/Spamass-milter setup (as detailed in the Tech Note) in the way it interfaces with Scalix/Sendmail & so should be reasonably 'supportable'. I'm pretty active on the support forum, at least for the moment, so will do what I can to keep this document updated & help with issues.
Credits
Big thanks to STrRedWolf for the Scalix/Amavisd-New (using Postfix) HOWTO which enabled me to get a working mailscanning setup up & running in the first place! Whilst the postfix setup still has some advantages (easy integration with Mailguard for one) I hope that this HOWTO will give most users the goodness of amavisd without having to use an additional MTA.