
Tutorial: An alternative to amavis

Jasper Slits

Revision History
$Rev: 16 $$Date$

Abstract

This tutorial provides an alternative to amavisd-new-based setups for anti-virus and spam filtering.

I wanted to have a lightweight setup and avoid amavis because I do not like it: too many settings, etc.

After looking at Freshmeat I noticed clamsmtp which was at version 0.4 at the time I started using it. From the homepage: "ClamSMTP aims to be lightweight, reliable, and simple rather than have a myriad of options. It's written in C without major dependencies."

The current version in the Debian repository is the latest release of clamsmtp: 1.4.1


Table of Contents

Getting started
Step 1: Installing maildrop
Step 2: Configuration of Postfix
Step 3: Configuration of clamsmtp
Step 4: Populating the whitelist
Step 5: Modifying maildroprc
References
Thanks


Getting started

The tutorial is based on the work by Chris Haas and I strongly recommend you have a working Postfix set up before you start here.
The tutorial for installing maildrop from source can be found here.

Packages you really need:
  • clamsmtp
  • clamav
  • clamav-freshclam
  • maildrop
  • courier-authlib
Important: As of now (June 25th 2005), the current package of 'maildrop' in Debian Sid is 1.5.3, which is outdated. A recent maildrop can be found in experimental, but you need other packages too. It might break your current setup if you're using courier-imap and/or courier-pop.

Step 1: Installing maildrop


Installing the dependencies first...
wget http://debian.concepts.nl/debian/pool/main/c/courier/courier-base_0.50.0-0.1_i386.deb
wget http://debian.concepts.nl/debian/pool/main/c/courier-authlib/courier-authlib_0.56-0.5_i386.deb
wget http://debian.concepts.nl/debian/pool/main/c/courier-authlib/courier-authlib-mysql_0.56-0.5_i386.de
wget http://debian.concepts.nl/debian/pool/main/m/maildrop/maildrop_1.8.1-2_i386.deb
Install the packages in the same order as you downloaded them. Beware of dependency problems (all solvable).

The big difference with previous maildrops is the integration of a shared authentication backend. Courier-authlib eliminates the need for a maildropmysqlconfig.cf file.
Also this version of maildrop supports quota in a nice way:
[root@malochia:~]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
43D82783B734     9090 Sun Jun 26 08:47:39  sender@domain.org
            (temporary failure. Command output: maildrop: maildir over quota.)
                                         info@somedomain.org
Prior to 1.8.0 overquota mails were bounced rather than queued up.

To test maildrop delivery use:
echo "some random data" > /tmp/randomfile
su - vmail
maildrop -d valid@user.tld -V 10 < /tmp/randomfile
In case of problems, use courierauthtest or 'strace' and look for 'Permission denied' and similar messages.

Step 2: Configuration of Postfix


Required changes to /etc/postfix/master.cf:


# AV scan filter (used by content_filter) clamsmtp
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
            
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
            
maildrop  unix  -       n       n       -       -       pipe 
  flags=DRhu user=vmail:vmail argv=/usr/bin/maildrop -d ${recipient}


In /etc/postfix/main.cf:
# Use the scan transport as defined in master.cf as a content-filter
content_filter = scan:127.0.0.1:10024

# Deliver all mail to the maildrop transport as defined in master.cf
virtual_transport = maildrop
local_transport = maildrop

maildrop_destination_recipient_limit = 1 

Step 3: Configuration of clamsmtp


In /etc/clamsmtpd.conf:
OutAddress: 10026
Listen: 127.0.0.1:10024
ClamAddress: /var/run/clamav/clamd.ctl
TempDirectory: /var/spool/clamsmtp

The OutAddress must match the re-injection smtpd listener in master.cf (port 10026), and the Listen address must match the content_filter destination in main.cf (127.0.0.1:10024).
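A way to verify that wiring before reloading Postfix, as an added example that is not part of the original tutorial. The function names are hypothetical, the sample files are constructed from the settings shown above, and a bare port in OutAddress is assumed to mean 127.0.0.1:port.

```shell
# Added example: cross-check the filter wiring across the three config files.
# last_value FILE KEY_REGEX -> value of the last line that sets KEY
last_value() {
    sed -n "s/^$2[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_filter_wiring MAIN_CF MASTER_CF CLAMSMTPD_CONF
# Prints each problem found; returns 1 if there was any, 0 otherwise.
check_filter_wiring() {
    rc=0
    filter=$(last_value "$1" 'content_filter[[:space:]]*=')
    listen=$(last_value "$3" 'Listen:')
    out=$(last_value "$3" 'OutAddress:')
    # Assumption: a bare port in OutAddress means 127.0.0.1:<port>
    case $out in *:*) ;; *) out="127.0.0.1:$out" ;; esac
    # main.cf: content_filter = <transport>:<nexthop>, nexthop = clamsmtpd Listen
    [ "${filter#*:}" = "$listen" ] ||
        { echo "content_filter nexthop '${filter#*:}' != Listen '$listen'"; rc=1; }

    # master.cf: the transport named in content_filter must be defined
    awk -v t="${filter%%:*}" '$1 == t && $2 == "unix" { f = 1 } END { exit !f }' "$2" ||
        { echo "transport '${filter%%:*}' is not defined in master.cf"; rc=1; }
    # master.cf: an smtpd listener must sit on OutAddress and clear content_filter,
    # otherwise scanned mail is lost or loops back into the scanner
    awk -v addr="$out" '
        /^[^# \t]/ { cur = ($1 == addr && $2 == "inet" && $NF == "smtpd"); found += cur }
        /^[ \t]/ && cur && $1 == "-o" && $2 == "content_filter=" { cleared = 1 }
        END { exit !(found && cleared) }' "$2" ||
        { echo "no smtpd listener on $out with '-o content_filter='"; rc=1; }

    # That listener skips most restrictions, so it has to stay on IPv4 loopback
    case $out in 127.*) ;; *) echo "re-injection address $out is not loopback"; rc=1 ;; esac
    return $rc
}

# Constructed sample files mirroring the settings shown in this tutorial
write_sample() {
    printf '%s\n' 'content_filter = scan:127.0.0.1:10024' > "$1/main.cf"
    printf '%s\n' 'scan      unix  -  -  n  -  16  smtp' \
        '        -o smtp_send_xforward_command=yes' \
        '127.0.0.1:10026 inet  n  -  n  -  16  smtpd' \
        '        -o content_filter=' > "$1/master.cf"
    printf '%s\n' 'OutAddress: 10026' 'Listen: 127.0.0.1:10024' > "$1/clamsmtpd.conf"
}

dir=$(mktemp -d) && write_sample "$dir" &&
    check_filter_wiring "$dir/main.cf" "$dir/master.cf" "$dir/clamsmtpd.conf" && echo "wiring OK"
rm -rf "$dir"
```

On a live system, pass /etc/postfix/main.cf, /etc/postfix/master.cf and /etc/clamsmtpd.conf as the three arguments.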


Once clamsmtp is running, a virus-free message produces lines like this in /var/log/mail.log:
Mar 28 19:10:49 servername clamsmtpd: 1000EA: from=sender@domain.tld,to=recipient@domain.tld, status=CLEAN

Infected mail will be discarded and the recipient will not be notified:
Mar 25 17:42:32 servername clamsmtpd: 108501: from=support_ref_0236020@regions.com, to=recipient@domain.tld,status=VIRUS:HTML.Phishing.Bank-1
Mar 25 17:42:32 servername postfix/smtp[9602]: 564757853969: to=, relay=127.0.0.1[127.0.0.1], delay=32, status=sent (250 Virus Detected; Discarded Email)
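Because discarded mail produces no notification, the log is the only record of it. The following added example (not part of the original tutorial) extracts the discarded messages from a mail.log-style file. The function names are hypothetical, and the log lines are constructed in the format shown above with placeholder addresses.

```shell
# Added example: list mail that clamsmtpd discarded, from a mail.log-style file.

# virus_report LOGFILE -> one line per discarded message:
#   recipient<TAB>sender<TAB>signature
virus_report() {
    awk '
    # Value of "key=..." up to the next comma; the key must follow a space or
    # comma so that text inside an address is not mistaken for a field name.
    function field(s, key,    rest) {
        if (!match(s, "[ ,]" key "=")) return ""
        rest = substr(s, RSTART + RLENGTH)
        sub(/,.*/, "", rest)
        return rest
    }
    / clamsmtpd(\[[0-9]+\])?: / && match($0, /[ ,]status=VIRUS:/) {
        sig = substr($0, RSTART + RLENGTH)
        print field($0, "to") "\t" field($0, "from") "\t" sig
    }' "$1"
}

# virus_counts LOGFILE -> "count signature" lines, most frequent first
virus_counts() {
    virus_report "$1" | cut -f 3 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed log lines in the format shown above (addresses are placeholders)
sample_log() {
    cat <<'EOF'
Mar 25 17:40:01 servername clamsmtpd: 1084FF: from=alice@example.org, to=bob@example.net, status=CLEAN
Mar 25 17:42:32 servername clamsmtpd: 108501: from=sender@example.com, to=bob@example.net,status=VIRUS:HTML.Phishing.Bank-1
Mar 25 17:42:32 servername postfix/smtp[9602]: 564757853969: to=, relay=127.0.0.1[127.0.0.1], delay=32, status=sent (250 Virus Detected; Discarded Email)
Mar 25 18:03:10 servername clamsmtpd: 108502: from=eve@example.com,to=carol@example.net, status=VIRUS:HTML.Phishing.Bank-1
Mar 25 18:10:44 servername clamsmtpd: 108503: from=mallory@example.com, to=bob@example.net, status=VIRUS:Constructed.Sample-1
EOF
}

log=$(mktemp) && sample_log > "$log" && virus_counts "$log"
rm -f "$log"
```

The first column of virus_report gives the recipients who never saw a message, which is the list to use if they are to be told out of band.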

Step 4: Populating the whitelist

There are several ways to use Spamassassin, but as a maildrop advocate I prefer the use of maildrop with spamc/spamd and a whitelist. First, the whitelist is implemented in maildrop to avoid invoking spamassassin and is based on the sender. The file /etc/maildrop/from_whitelist.dat contains regular expressions with e-mail addresses:
.*@(ebay|microsoft|webshots|hallmark|novell|mundo-perdido|localhost|dell).com
email@adres.tld

The same can be done for recipient-based whitelisting. It's not possible to have per-user whitelists. You can whitelist here all domains you receive mail for. It might be good to make it dynamic, though that will probably kill the efficiency.

Step 5: Modifying maildroprc


The /etc/maildroprc is the global filter file and it will be read for each delivery.
As maildrop is invoked each time using the pipe command from Postfix, changes to maildroprc come into effect instantly.

Relevant section from /etc/maildroprc:
# Do not call SA when the sender is in the whitelist.
if (/^From: *!.*/ && lookup(getaddr($MATCH2),"/etc/maildrop/from_whitelist.dat"))
{
    log "Spam: sender found in whitelist"
    to $HOME
}

# Avoid scanning of large emails
if ( $SIZE < 50000 )
{
    # -f -> do not bail out when spamd is down
    # -u amavis -> unprivileged account
    exception {
        xfilter "/usr/bin/spamc -f -u amavis"
    }
}

# Use the spam score to determine where to deliver mail
if (/^X-Spam-Status: Yes, score=*!.* !.*/)
{
    if ( $MATCH2 > 5 )
    {
        # Log original recipient in /var/vmail/maildrop.log
        log "To  : $LOGNAME"
        to /var/vmail/spambox
    }
    else
    {
        # Tagged as spam but does not exceed the threshold value of 5
        to $HOME
    }
}
else
{
    # Not whitelisted and no spam
    to $HOME
}

References

More information about the software discussed can be found here:

Thanks

Credits where credits are due:

  • Chris Haas

Last change: $Id: howto.html 16 2005-06-26 14:04:02Z jasper $