...

http://www.ijs.si/software/amavisd/#faq-spam

http://www.xmission.com/~jmcrc/index.html

This document describes the configuration for sitewide use of SpamAssassin with Amavis and Razor. The distribution used is SuSE Linux 9.0. If you use something else, some options may be different. For example, Amavis may run as user amavis, not vscan, and the path to the Amavis spool directory may be /var/amavis, not /var/spool/amavis.

Postfix Configuration

...

This section describes how to configure Postfix to use amavisd-new as an after-queue content filter (see the FILTER_README file, http://www.postfix.org/FILTER_README.html, that comes with your version of Postfix).

First, a few services must be defined in master.cf. The first service will set up an extra SMTP listener on a different port (10025 in this example). It will be used for the reinjection of mail back into Postfix. By unsetting the content_filter parameter, content filtering is disabled for mail arriving on this port, so already-filtered mail is not sent through the filter again. This avoids loops.

No Format

127.0.0.1:10025	inet	n	-	y	-	-	smtpd
	-o content_filter=
	-o 

/etc/postfix/master.cf:

Add these lines to the end of the file:

No Format

smtp-amavis	unix	-	-	y	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o disable_dns_lookups=yes

127.0.0.1:10025	inet	n	-	y	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=127.0.0.0/8
	-o strict_rfc821_envelopes=yes

After that, the master.cf file should look like this:

No Format

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       y       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       nqmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp

smtp-amavis	unix	-	-	y	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o disable_dns_lookups=yes

127.0.0.1:10025	inet	n	-	y	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=127.0.0.0/8
	-o strict_rfc821_envelopes=yes

/etc/postfix/main.cf:

  • myorigin - domain mail from this machine appears to come from.

postconf -e "myorigin = domain1.com"

Replace domain1.com with your actual domain.

  • myhostname - the fully-qualified domain name ("FQDN") of the machine running the Postfix system.

postconf -e "myhostname = spamfilter.domain1.com"

  • mydestination - specifies for which domains this machine will accept mail
    (from the outside, i.e., from the Internet). List here ONLY the domains
    for which you are responsible for accepting mail. Separate them with commas.

postconf -e "mydestination = domain1.com, domain2.com"

  • mynetworks - the machines I trust, and will relay mail for, to any destination.
    Generally, this is set to my LAN, or just one, or a few trusted internal mail servers.
    This is an important one to get right, or else you can become an "open relay".
    In other words, your box could accept and forward mail to domains for which it has
    no business doing so. Being an "open relay" is a serious issue, and can cause you to get
    "blacklisted" by various Internet anti-spam lists, among other problems.

postconf -e "mynetworks = x.x.x.x/32"

(where x.x.x.x is the IP address of a specific machine)

If you will be dealing with multiple internal mail servers, and/or want to allow several machines
and/or subnets to relay through this server (careful!), just add them to this parameter in CIDR format,
like this:

postconf -e "mynetworks = 172.20.32.5/32, 10.0.0.0/16, 172.20.16.0/24"

(the above will allow the machine 172.20.32.5, and any machines that have an IP address starting
with 10.0, or 172.20.16, to relay smtp mail through this box)
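Because a mistyped prefix in mynetworks silently widens the set of hosts allowed to relay, it is worth checking the value before handing it to postconf. The Python script below is an added example, not part of the original page and not Postfix code: it parses a mynetworks string with the standard ipaddress module and flags entries that are unparseable, that cover every address, that have host bits set (such as 172.20.16.0/8, where Postfix warns about non-null host address bits and matches on the masked network, here all of 172.0.0.0/8), or that are wider than /16. The sample value is constructed; lookup-table entries such as cidr:/etc/postfix/mynetworks are reported but their contents are not checked.

```python
"""Lint a Postfix mynetworks value (added example, not Postfix code)."""
import ipaddress
import re

# Entries such as "hash:/etc/postfix/mynetworks" refer to a lookup table.
_TABLE_RE = re.compile(r"^[a-z]+:/")


def parse_entries(value):
    """Split a mynetworks value on commas and whitespace, as Postfix does."""
    return value.replace(",", " ").split()


def check_mynetworks(value):
    """Return a list of (entry, finding) tuples; an empty list means no concerns.

    Only literal address/CIDR entries are evaluated. Lookup tables, negated
    entries ("!" prefix) and anything unparseable are reported so that the
    reader inspects them by hand.
    """
    findings = []
    for entry in parse_entries(value):
        if _TABLE_RE.match(entry):
            findings.append((entry, "table: lookup table contents not checked"))
            continue
        if entry.startswith("!"):
            findings.append((entry, "negation: excluded entry not evaluated"))
            continue
        # Postfix allows IPv6 networks written in brackets, e.g. [::1]/128.
        literal = entry.replace("[", "").replace("]", "")
        try:
            net = ipaddress.ip_network(literal, strict=False)
        except ValueError:
            findings.append((entry, "invalid: not an IP address or network"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "open relay: matches every address"))
            continue
        try:
            ipaddress.ip_network(literal, strict=True)
        except ValueError:
            # Host bits are set: Postfix warns and matches against the masked
            # network, which is usually far wider than the author intended.
            findings.append((entry, f"host bits set: effective network is {net.with_prefixlen}"))
            continue
        if net.version == 4 and net.prefixlen < 16 and not net.is_loopback:
            findings.append((entry, "broad: wider than /16, confirm every host here may relay"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the last entry has host bits set.
    sample = "172.20.32.5/32, 10.0.0.0/16, 172.20.16.0/8"
    for entry, finding in check_mynetworks(sample):
        print(f"{entry}: {finding}")
```

Run it on the value you intend to set; an empty result means every entry is a well-formed network that is no wider than /16 (loopback excepted), which is the shape the examples on this page have.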

  • biff - we won't use biff notifications

postconf -e "biff = no"

  • smtpd_banner - what this server calls itself, when talking with other mail servers

postconf -e "smtpd_banner = mail.domain1.com"

  • message_size_limit - maximum size email that postfix will let in the "front door"

postconf -e "message_size_limit = 1000000000"

(The above allows emails up to 1GB)

  • local_transport - give an error message for local delivery attempts.

postconf -e "local_transport = error:local mail delivery is disabled"

  • local_recipient_maps - don't try to determine valid email recipients

In our situation, the postfix server will have no idea if we have a bob@domain1.com or a
jsmith@domain2.com, etc. It doesn't have any such lists to check against!
We could fix this, but it is far easier to just ignore this problem.
If mail comes in to a recipient that I don't have, postfix will process it and
transport it on to the internal mail server, which will promptly reject it and will
attempt to do the NDR (non-delivery report) to the stated sender email address.
There are other potential solutions here, but I will only cover this simple configuration,
which works fine. So we'll just set this value to nothing:

postconf -e "local_recipient_maps = "

/etc/postfix/transport:

Postfix will check the transport file for redirection or relaying of mail addressed to particular domains. In our case, all inbound mail will be relayed on to other mail servers:

No Format

domain1.com   smtp:[x.x.x.x]
domain2.com   smtp:[y.y.y.y]

(DO include the brackets on these lines!)
These lines tell Postfix to transport any mail addressed to recipients in domain#.com to the mail server(s) at the IP address(es) specified (i.e. your internal mail server(s)) using the SMTP protocol. The format is exacting: get every symbol correct and leave some white space between the domain and the "smtp" part.

After that run the command:

postmap /etc/postfix/transport

...

The second service added is not strictly necessary, but is a good idea to have. It defines the service used to send mail into amavisd-new. The "2" in the seventh column (maxproc) is the maximum number of processes of this type. Do not set this number too high, and make sure it is equal to the maximum number of amavisd-new processes (set in amavis.conf); otherwise Postfix will open more connections than amavisd-new can serve.

No Format

smtp-amavis	unix	-	-	y	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o disable_dns_lookups=yes

Finally, we must configure Postfix to actually use our content filter. This is done with the content_filter parameter which we add to main.cf. We configure Postfix to use our newly defined smtp-amavis service and to connect to a certain host and certain port. Obviously, the port set here must be the port amavisd-new is listening to.

No Format

content_filter = smtp-amavis:[localhost]:10026

In this case, amavisd-new is running on the same host as Postfix, but it can be any host. With brackets surrounding the hostname, MX lookups of the hostname are suppressed. They are also necessary when specifying bare IP addresses instead of a hostname. MX records in DNS can be used to create simple load-balancing and fallback configurations.
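The loop-avoidance and process-limit rules above can be checked mechanically against the file you end up with. The Python script below is an added example, not part of the original page and not Postfix or amavisd-new code: it parses master.cf text (one service per line, indented -o continuation lines; brace-quoted values are not handled) and verifies that the 127.0.0.1:10025 reinjection listener clears content_filter, accepts mail only from loopback and rejects everything else (so the unfiltered port cannot be used to skip scanning or to relay), and that the smtp-amavis maxproc equals the amavisd-new process limit passed in ($max_servers in the amavisd-new configuration). The embedded master.cf fragment is constructed from the lines shown on this page.

```python
"""Check the amavisd-new wiring in master.cf (added example, not Postfix code)."""

# Constructed sample: the services added on this page plus a few stock ones.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
pickup    fifo  n       -       y       60      1       pickup
smtp      unix  -       -       y       -       -       smtp

smtp-amavis\tunix\t-\t-\ty\t-\t2\tsmtp
\t-o smtp_data_done_timeout=1200
\t-o disable_dns_lookups=yes

127.0.0.1:10025\tinet\tn\t-\ty\t-\t-\tsmtpd
\t-o content_filter=
\t-o local_recipient_maps=
\t-o relay_recipient_maps=
\t-o smtpd_restriction_classes=
\t-o smtpd_helo_restrictions=
\t-o smtpd_sender_restrictions=
\t-o smtpd_recipient_restrictions=permit_mynetworks,reject
\t-o mynetworks=127.0.0.0/8
\t-o strict_rfc821_envelopes=yes
"""

FIELDS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")


def parse_master_cf(text):
    """Return a list of service dicts with their -o overrides under 'opts'.

    Handles the common layout: a service line with eight columns, continuation
    lines indented with whitespace, and options as "-o name=value".
    """
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Continuation line: arguments belong to the previous service.
            if not services:
                raise ValueError(f"continuation before any service: {raw!r}")
            services[-1]["args"].extend(raw.split())
            continue
        parts = raw.split(None, 7)
        if len(parts) < 8:
            raise ValueError(f"short service line: {raw!r}")
        svc = dict(zip(FIELDS, parts[:7]))
        cmd = parts[7].split()
        svc["command"], svc["args"] = cmd[0], cmd[1:]
        services.append(svc)
    for svc in services:
        opts = {}
        args = svc["args"]
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                opts[name] = value
        svc["opts"] = opts
    return services


def check_reinjection(services, amavis_max_servers):
    """Return a list of problems; an empty list means the wiring looks right."""
    by_key = {(s["service"], s["type"]): s for s in services}
    problems = []

    listener = by_key.get(("127.0.0.1:10025", "inet"))
    if listener is None or listener["command"] != "smtpd":
        problems.append("no smtpd listener on 127.0.0.1:10025 for reinjection")
    else:
        o = listener["opts"]
        # An empty content_filter on the reinjection port is what breaks the loop.
        if o.get("content_filter") != "":
            problems.append("reinjection listener does not clear content_filter (mail loop)")
        # The unfiltered port must only take mail from the local filter host.
        if o.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
            problems.append("reinjection listener must use permit_mynetworks,reject")
        if o.get("mynetworks") != "127.0.0.0/8":
            problems.append("reinjection listener must trust loopback only")

    feeder = by_key.get(("smtp-amavis", "unix"))
    if feeder is None:
        problems.append("no smtp-amavis transport defined")
    elif not feeder["maxproc"].isdigit() or int(feeder["maxproc"]) != amavis_max_servers:
        problems.append(f"smtp-amavis maxproc {feeder['maxproc']} != amavisd-new limit {amavis_max_servers}")
    return problems


if __name__ == "__main__":
    for p in check_reinjection(parse_master_cf(MASTER_CF), 2) or ["ok"]:
        print(p)
```

To check a live system, read /etc/postfix/master.cf into parse_master_cf and pass the process limit you configured for amavisd-new; any non-empty result points at a line to fix before enabling content_filter.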

This simple setup will cause address rewriting both before and after the content filter. For most configurations this is merely unnecessary, but configurations with virtual aliases of the form a -> a,b will cause duplicate mail to be delivered. Virtual rewriting must be turned off either before or after the content filter. How this is done is, again, documented in the FILTER_README file (http://www.postfix.org/FILTER_README.html) of your Postfix.

Amavis configuration

Amavis is just used for spam detection, not virus protection. See the options below.

...