Complete Virtual Mail Server/Installing Amavisd and SpamAssassin

Introduction
Spam is becoming more and more of an issue on the internet, and a robust solution is required. There are paid services that offer even more spam protection, but they should not be required and will not be discussed in this HOWTO.

First line of defense, Postfix
Postfix in itself offers some basic means to block spam. Using the variable in  it is possible to use public DNS blacklists. There are 3 popular and common free ones, Spamhaus, Abuseat and Spamcop. Using them with postfix is very simple.

Introduction
Spam handling can be done either on a secondary (internal) server or on the same server. In both situations e-mail passes through postfix twice, as postfix runs two instances of the smtp service on different ports. When mail is first received by postfix on port 465 or 25, it is handed off directly to amavisd-new, which listens on port 10024. Amavis then hands the mail off to spamassassin and later clamav. Once the message has passed all checks it is re-injected into postfix, this time on the alternative smtp port 10025, from where postfix delivers it normally.

Installation
Amavis should have been installed already; if not, emerge it.

Configuration
Amavisd offers an enormous number of options, and going over all of them would take some time. The configuration file, however, is well documented and divided into clear sections. Each section will be examined as needed. To keep the text readable, only options that are changed will be mentioned.

Section I - Essential daemon and MTA settings
For this example amavisd will be running on host foo, but this could be any other host as well; amavisd does not need to run on the same host as postfix. The domain set here is only used to identify the server itself, not the domains amavisd will be scanning.

Section II - MTA specific
Postfix does not use the amavisd socket. If amavisd is used on a different server than postfix, this section can be examined more closely to match the required setup. The configuration file lists some examples.

Section III - Logging
Logging is set to some additional verbosity. At the end of this section it will be reverted to quieter, informative settings.

Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine
This is a large section that covers a lot. The configuration file offers a great deal of documentation and should be consulted. Searching on the internet can also help with options that are not understood. In this setup quarantine will only be used for viruses and banned destinations. Spam and bad headers will be marked as spam but still delivered. There will be a lot of viruses and spam entering the system, so unless required, notification mails for these are disabled. Quarantined messages are stored by default in. It is possible to split the various quarantines, but amavis does not create sub-directories itself.

Section V - Per-recipient and per-sender handling, whitelisting, etc.
The only change made here for now is to alter the envelope so that address extensions are added to spam. This allows such messages to be delivered to the user as spam.

Section VI - Resource limits
This section is mostly about unarchiver resource usage, to prevent mailbombs from hogging system resources. The defaults should suffice for pretty much anyone.

Section VII - External programs, virus scanners
ClamAV will be the only virus scanner used in this setup. Other AV scanners can be tied in easily but will not be covered. SpamAssassin is also drawn in here. For debugging it is recommended to always add spam info headers, and leaving them in at all times will not hurt either.

Section VIII - Debugging
If the logging parameters do not give enough feedback on why things have gone wrong, amavisd can be started in debug mode by adding the debug parameter. In order to get debug results from SpamAssassin a flag needs to be set.

Section IX - Policy banks (dynamic policy switching)
Luckily the last section does not need to be modified.

Testing
Running will start amavisd and check whether everything is set up correctly. After a few seconds it is OK to hit Ctrl-C and examine the output. Note that ClamAV and SpamAssassin are still only in their default configurations.

Spam Assassin
Spam Assassin has improved over the years, but also requires more configuration to keep it up to date.

Installation
Spam Assassin should have been installed already, if not, it should be emerged.

Configuration
Spam Assassin configuration consists of several files. The first to be looked at is. To lessen the burden on Spam Assassin and the users, it is assumed that anybody on the internal network is trusted and not a spammer. This of course will not protect against infected internal machines and thus depends on the network setup.

This should have configured Spam Assassin properly.

Updating
Spam Assassin offers an update channel, updates.spamassassin.org. There is a second channel that will also be used, saupdates.openprotect.com. OpenProtect collects the recommended rules from SARE (SpamAssassin Rules Emporium) and condenses them into an update. Spam Assassin comes with the tool so updates can be fully automated. Spam Assassin updates can be done using the --nogpg flag to ignore GPG keys, but this should really only be done as a last resort. Adding the spamassassin GPG key is a simple two-step process.

Then, needs to be initialized by running it with the default channel.

Using the -D flag runs in debug mode and thus any obvious errors can be spotted. As with the default channel, the openprotect channel gpg key needs to be added to.

Once the key is imported it is possible to use the OpenProtect channel securely.

After updates have been completed they need to be compiled for Spam Assassin to be usable.

If manual updating works satisfactorily, all the updating steps should be put in a daily cron job.
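
The daily job could look like the following. This is an added example, not the HOWTO's own script: it assumes the standard sa-update and sa-compile tools, uses the two channels named above, and takes the key IDs from placeholder variables that must be set to the IDs of the keys imported earlier. It keeps signature checking on and compiles only when new rules were actually installed.

```shell
#!/bin/sh
# Added example, not from the HOWTO: daily rule update with signature
# checking left on. Channel names are the HOWTO's; the key IDs below are
# placeholders to be replaced by the IDs of the keys imported earlier.
SA_UPDATE=${SA_UPDATE:-sa-update}
SA_COMPILE=${SA_COMPILE:-sa-compile}
SA_KEY=${SA_KEY:-SPAMASSASSIN_KEY_ID_PLACEHOLDER}
OP_KEY=${OP_KEY:-OPENPROTECT_KEY_ID_PLACEHOLDER}

update_rules() {
    rc=0
    "$SA_UPDATE" --gpgkey "$SA_KEY" --gpgkey "$OP_KEY" \
        --channel updates.spamassassin.org \
        --channel saupdates.openprotect.com || rc=$?
    case $rc in
        0) state=updated ;;
        1) echo unchanged; return 0 ;;     # no fresh rules, nothing to compile
        3) state=partial                   # some channels updated, some failed
           echo "warning: at least one channel failed" >&2 ;;
        *) echo "error: sa-update exit $rc, keeping current rules" >&2
           return "$rc" ;;                 # 2 = lint failed, 4+ = other errors
    esac
    "$SA_COMPILE" >/dev/null || { echo "error: sa-compile failed" >&2; return 10; }
    echo "$state"
}

# From cron, call this script with the single argument "run".
if [ "${1:-}" = run ]; then update_rules; fi
```

Because errors go to stderr and the exit status is non-zero on failure, cron's mail output shows when rules have stopped updating.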

ClamAV
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Installation
ClamAV should have been installed already, if not, it should be emerged.

Configuration
As ClamAV was configured to run in daemonized mode, it needs to be set up correctly as such. clamd also needs to be able to access amavis, so it should be added to the amavis group. Even though it is not required to have ClamAV on the same host, it is recommended, as there is otherwise a performance price. Naturally it depends on other factors such as resource usage and the amount of processed mail.

Then a few settings need to be changed or at least verified in.

Next, starting clamd from the init scripts may produce an error message about an outdated virus database. This is normal, as the virus database has not yet been updated. Freshclam takes care of that and is started before clamd is.

Looking at the file may reveal any configuration errors.

If everything is well, clamd can be added to the start-up runlevels.

Updating
ClamAV comes with Freshclam, which is always started before clamd. Freshclam updates the virus database twice per day, which should suffice for anyone.

Postfix to Amavis
Now that Amavis, Spam Assassin and ClamAV are working together, it is time to redirect postfix to amavis and back to postfix. Postfix will still be listening on port 25 (and 465) but will forward all mail received on these ports to amavis on port 10024. Once processed, amavis re-injects the mail into postfix on port 10025, where postfix will deliver the message normally. For this to work, a new service called amavis, which uses the smtp command, will be added to postfix. DNS lookups will be disabled to save on overhead, since the mail is traveling internally only anyway. The default smtp service will also be replaced with one that delivers to amavis.

With the new services configured, postfix needs to be restarted to take effect.
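
Since the listener on port 10025 accepts mail that is treated as already scanned, it is worth confirming that it is reachable only from the local host and does not hand mail back to the filter. The check below is an added example, not part of the original HOWTO: the port number is the one used above, while the expected options (an empty content_filter and a loopback-only mynetworks) are assumptions based on the usual amavisd-new layout, and the sample master.cf is constructed.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit master.cf for the amavis
# re-injection listener. Port 10025 is the HOWTO's; the expected options
# follow the usual amavisd-new/Postfix layout and are assumptions here.
audit_reinject() {              # usage: audit_reinject FILE [PORT]
    awk -v port="${2:-10025}" '
    function check() {
        if (!insvc) return
        insvc = 0; found = 1
        if (host != "127.0.0.1" && host != "[::1]" && host != "localhost") {
            print "FAIL: " port " bound to " (host == "" ? "all interfaces" : host)
            bad = 1
        }
        if (opts !~ /content_filter=([ \t]|$)/) {
            print "FAIL: content_filter not cleared on " port ", mail would loop"
            bad = 1
        }
        if (opts !~ /mynetworks=127\.0\.0\.0\/8([ \t]|$)/)
            print "WARN: mynetworks on " port " is not limited to 127.0.0.0/8"
    }
    /^[ \t]*(#|$)/ { next }                          # comments, blank lines
    /^[ \t]/ { if (insvc) opts = opts " " $0; next } # continuation of a service
    {
        check()                                      # close the previous service
        match($1, /[^:]*$/)                          # text after the last colon
        if ($2 == "inet" && substr($1, RSTART) == port) {
            insvc = 1; opts = $0
            host = (RSTART > 2) ? substr($1, 1, RSTART - 2) : ""
        }
    }
    END {
        check()
        if (!found) { print "FAIL: no inet listener on port " port; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: a listener left open on every interface.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtp      inet  n  -  n  -  -  smtpd
  -o content_filter=amavis:[127.0.0.1]:10024
amavis    unix  -  -  n  -  2  smtp
10025     inet  n  -  n  -  -  smtpd
  -o content_filter=
EOF
audit_reinject "$sample" || echo "re-injection listener needs attention"
rm -f "$sample"
```

When amavisd runs on a separate internal server, a non-loopback address is expected and the FAIL line is a prompt to confirm that a firewall or mynetworks limits who can reach the port.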

Testing
A first test should be sending regular mail, first locally and then remotely, to testuser@example.com. After the message has arrived, check the headers. Once the normal message has gone through, it is time to send a message that is guaranteed to be flagged as spam. There is a string which is guaranteed to be marked as spam, so sending a message containing that string should put the message into the quarantine. Depending on the setup, the mail is either marked and delivered to the mailbox or quarantined in.

Cleanup
Once everything is working as intended, reduce debugging output again.