Amavisd-New

The intent of this guide is to provide a step by step set of instructions on how to set Postfix up with Amavisd-new, SpamAssassin, Razor2, DCC, and our spam filters as described in other sections of this guide. Note that this guide assumes that you have already installed the wget program, and that you are using Postfix version 2.0 or greater. Many of the items discussed here will work fine with 1.x, but you might run into trouble.

The first thing to do is take care of all of the installations and support files. When compiling your version of Postfix, you will want to build in whatever options you want to be available. We usually choose TLS/SSL, PCRE, and SASL2 for most implementations. Once you have Postfix installed, follow the standard make & make install process. Once Postfix is installed, the easiest way to get your configuration file (main.cf) in line with how we like to do things is to run the following commands:

cd /etc/postfix
grep -v "#" main.cf > main.local
wget http://www.posluns.com/files/main.cf

You can now look in main.local, and see what specific settings will be needed for your system. These are most often simply the path locations for Postfix required files. Edit main.cf, and change any lines that are different from what is in main.local, and make sure to change the settings for myhostname, mydomain, and myorigin to whatever is appropriate to your system. You will also probably want to either remove the restriction classes and their respective entries from smtpd_recipient_restrictions, or follow the instructions in the Restriction Classes guide.

You will need to tell postfix how to send messages to Amavisd-new. That can be done by adding the following lines to main.cf, and changing the amavis.domain.com to the hostname of your server. Note that the smtpd_proxy_timeout value can be raised a bit if you’re under higher load. We usually like to start with about 100s, with 200s being a safe value, and 300s being overkill most of the time. You will be able to determine what is best for your system over a few days at normal load.

smtpd_proxy_filter = 127.0.0.1:10024
smtpd_proxy_timeout = 200s
smtpd_proxy_ehlo = amavis.domain.com
recipient_delimiter = +

Note that if you used our main.cf file as instructed above, this information will already be in there, and you will just need to change the “domain.com” to your own domain name.

The next thing to do is to clean up the /etc/postfix directory. I like doing this by creating a directory called /etc/postfix/maps and moving all the map files (canonical, virtual, transport, and the others) to there. Remember that once the files are there, you will need to run postmap on each of them that you intend to use, and you can’t run postmap until you’ve set the main.cf settings above.

One important file to create is /etc/postfix/maps/relay_domains (which we usually symlink to /etc/postfix/maps/hosted_domains). This file will contain a list of domains that you want to accept mail for on your system. The format of this file is as follows:

# Postfix hosted_domains / relay_domains file
posluns.com #posluns.com – Jeff’s domain

Now create /etc/postfix/mynetworks which you will use to list the IP addresses of completely trusted systems that will be allowed to relay through your mail server. You can also do this within main.cf, but it is usually a good idea to keep configuration details separate so as not to confuse anything (part of the theory behind the security principle of separation of duties).

Now, execute the following commands:

cd /etc/postfix/maps
wget http://www.posluns.com/files/access
wget http://www.posluns.com/files/bad_domains
wget http://www.posluns.com/files/body_checks
wget http://www.posluns.com/files/header_checks
wget http://www.posluns.com/files/mime_header_checks
wget http://www.posluns.com/files/verify_domain
wget http://www.posluns.com/files/verify_helo
wget http://www.posluns.com/files/verify_sender

You may not use all of these files, but it can’t hurt to keep a copy of them to use either as a reference or for later configurations.

Now that you have most of the requisite Postfix files, it is time to edit the master.cf file. You will want to add a re-injection listener for each additional process that will be used to filter your incoming email. Typically, you will have Amavisd-new running (as described later in this guide), which includes both SpamAssassin and AntiVirus software. In the configuration we are setting up as part of this guide, we will create one re-injection listener by adding the following to the end of /etc/postfix/master.cf.

127.0.0.1:10025 inet n - n - 100 smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o myhostname=av.domain.com
    -o smtpd_banner=av.domain.com
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o local_recipient_maps=
    -o receive_override_options=no_unknown_recipient_checks
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Remember to change domain.com to your domain name for the re-injection listeners. What we’ve now done is set up a re-injection listener for Amavisd-new services on port 10025.
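
The listener above relays anything it receives from 127.0.0.0/8 with content filtering switched off, so it should stay bound to loopback and keep its overrides. The following is an added example, not part of the original guide: a shell function (audit_reinject, a hypothetical name) that reads master.cf on standard input and reports any drift from the values shown above. The sample input is constructed, and the function assumes overrides are written in the "-o name=value" form used here.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the re-injection
# listener in master.cf against the override values this guide sets.
# Reads master.cf on stdin; $1 = port (default 10025). Prints one finding
# per line and returns non-zero if there are any.
# Assumption: overrides use the "-o name=value" form, as in this guide.
audit_reinject() {
    awk -v port="${1:-10025}" '
    function note(msg) { print msg; bad++ }
    function check_entry(   f, n, i, eq, svcport, opt, k) {
        if (entry == "") return
        n = split(entry, f); entry = ""
        svcport = f[1]; sub(/^.*:/, "", svcport)      # drop "host:" if present
        if (f[2] != "inet" || svcport != port) return
        found = 1
        if (f[1] != "127.0.0.1:" port)
            note("bind: " f[1] " is not 127.0.0.1:" port)
        for (i = 1; i < n; i++) if (f[i] == "-o") {
            eq = index(f[i + 1], "=")
            if (eq) opt[substr(f[i + 1], 1, eq - 1)] = substr(f[i + 1], eq + 1)
        }
        for (k in want) {
            if (!(k in opt)) note("missing: -o " k "=" want[k])
            else if (opt[k] != want[k]) note("differs: -o " k "=" opt[k])
        }
    }
    BEGIN {
        want["content_filter"] = ""        # empty: do not filter a second time
        want["smtpd_proxy_filter"] = ""
        want["mynetworks"] = "127.0.0.0/8"
        want["smtpd_recipient_restrictions"] = "permit_mynetworks,reject"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
    /^[ \t]/ { entry = entry " " $0; next }           # continuation line
    { check_entry(); entry = $0 }                     # new logical line
    END { check_entry(); if (!found) note("missing: no inet listener on port " port)
          exit (bad > 0) }
    '
}

# Constructed sample: listener on all interfaces with mynetworks widened.
audit_reinject <<'EOF' || echo "re-injection listener needs attention"
10025 inet n - n - 100 smtpd
  -o content_filter=
  -o smtpd_proxy_filter=
  -o mynetworks=127.0.0.0/8,192.0.2.0/24
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
EOF
```

Run it against the live file with: audit_reinject < /etc/postfix/master.cf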

Now, with the exception of a few configuration options in main.cf that you’ll want to look through yourself, postfix should be ready to go. The next thing to do is add the required Perl modules for Amavisd-new / SpamAssassin / Razor / DCC. You can install perl modules manually if you know what you’re doing, but the easiest way to do so would be to use CPAN. CPAN is essentially a package manager for Perl modules (among other things). To start CPAN, it is recommended that you be logged in as root, and type: perl -MCPAN -e shell

If you’ve never used CPAN before, you’ll have to go through a series of configuration options. For most of them, the defaults will be fine, but make sure that your policy for packages that are not installed is set to ASK, and select a good list of sources for your files. Once CPAN is configured, there are a few things that should be installed for good measure. These are not necessarily required, but it would be a good idea to get them (if they’re not already installed). Note that if a package is already installed, you’ll get a message indicating that it is up to date. Also, if you are using one of the later versions of RedHat or Fedora, you might need to change an environment variable before using CPAN. This would be one of:

export LANG=en_US
export LANGVAR=en_US

On the command line, type the following (in order):

install HTTP::Date MD5 LWP Digest::base
install Bundle::CPAN
reload cpan
install Bundle::libnet

Now that your “generally good files to keep updated” have been updated, install the files that will be required for Razor2 and SpamAssassin. Some of these can be installed manually by using the razor-agents-sdk file available from http://razor.sourceforge.net, but it’s easier to just install them all here:

install Net::Ping Net::DNS Time::HiRes Digest::SHA1 Getopt::Long File::Copy Digest::Nilsimsa URI URI::Escape ExtUtils::MakeMaker File::Spec Pod::Usage HTML::Parser Sys::Syslog DBI DB_File Mail::SpamAssassin

Next, you will need the required modules for Amavisd-new. Note that you will need to have BerkeleyDB installed on your system, otherwise the Perl module BerkeleyDB will not install. On most Linux systems, you can install the db4 and db4-devel packages (on Fedora or RHEL just type “up2date db4 db4-devel” from the command line), or you can manually install from source. The Perl module needs the db.h file (among others), so make sure it’s on your system somewhere that will be found by the module.

install Archive::Tar Archive::Zip Compress::Zlib Convert::TNEF Convert::UUlib MIME::Base64 MIME::Parser Mail::Internet Net::Server Net::SMTP Digest::MD5 IO::Stringy Test::Pod Convert::ASN1 Test::Simple Time::HiRes Unix::Syslog Net::LDAP BerkeleyDB

Finally, you can choose to install any of the following. These are the modules that I often find useful for crypto, but aren’t exactly necessary for this guide. They will however be useful for other guides that use this one as a pre-requisite, so it’s up to you to decide if you want to install them now:

install Crypt::CBC Crypt::Blowfish Crypt::DES Crypt::DES_EDE3 Crypt::DES_EEE3 Crypt::HCE_MD5 Crypt::HCE_SHA Crypt::IDEA Crypt::SSLeay Crypt::TripleDES Crypt::Twofish Crypt::Twofish2 Digest::DMAC Digest::HMAC Digest::HMAC_MD5 Digest::HMAC_SHA1 Digest::MD4 Digest::MD2 Digest::SHA Digest::SHA1 Digest::SHA2 Digest::SHA256 Digest::Tiger Digest::Haval256 Crypt::Rijndael Crypt::Blowfish_PP Crypt::CAST5

All the required modules have now been installed, so we will now set up the configuration files in directories so as to keep everything clean and in one place, and then install the binaries for all the other programs that we will want.

The first thing to do is to create both a user and a group named amavis. You can use another user and group name if you want to, but make sure that they are not used by anything else. Then, execute the following commands as root:

cd /var
mkdir amavis amavis/tmp amavis/quarantine amavis/quarantine/virus amavis/quarantine/spam
chown -R amavis:amavis amavis
chmod -R 775 amavis

Note that all of the Amavisd-new scanning will be performed on /var/amavis/tmp, so in order to speed things up significantly, you can make this directory a ram disk. On most Linux systems, you can just type the following at the command line, or add this to /etc/rc.local file. I usually leave the size of the ram disk at 64 MB, but you can go larger or smaller as per the load on your system. It’s also a good idea to have at least a gigabyte of ram on the system, otherwise you could run into speed issues due to swap being used for amavisd processes.

mount -t tmpfs none /var/amavis/tmp/ -o size=64M
chown amavis:amavis /var/amavis/tmp

You will now want to set up the SpamAssassin configuration file, which is usually located at /etc/mail/spamassassin/local.cf. You can probably erase all the contents of the file, and replace them with the following:

auto_whitelist_path /var/amavis/.spamassassin/auto-whitelist.db   # Put the auto-whitelist file in the right place.
auto_whitelist_file_mode 0700   # Make sure the auto-whitelist file is not readable by other people.
bayes_path /var/amavis/bayes.db   # Put the bayes database file in the right place.
bayes_file_mode 0700   # Make sure the bayes database is not readable by other people.
bayes_use_hapaxes 1   # Increase efficiency (and size) of the bayes database.
use_dcc 1   # Use dcc.
dcc_timeout 10   # Set dcc timeout to 10 seconds.
dcc_add_header 1   # Add a mail header for dcc operations.
use_razor2 1   # Use Razor2.
razor_timeout 10   # Set Razor2 timeout to 10 seconds.
skip_rbl_checks 0   # Do not skip RBL checks. Note that you may want to change this on high volume servers.

Next, you need to install Razor2. Download the razor-agents file from http://razor.sourceforge.net, extract it to a temporary directory (/usr/local/src/razor-agents for this example), and install it as root (replacing paths as necessary):

cd /usr/local/src/razor-agents
perl Makefile.PL
make
make test
make install
/usr/local/bin/razor-client
/usr/local/bin/razor-admin -register
chown -R amavis:amavis /root/.razor
mv /root/.razor /var/amavis

Note that if you don’t want to have a username and password automatically assigned to your server, or already have a username and password that you would like to use on your new server, then you’ll want to read the installation document for Razor2, and add more flags / options to the /usr/local/bin/razor-admin -register command.

Razor2 should be ready to go now, so the only thing left for this section is to install DCC as per http://www.dcc-servers.net/dcc/. Download the latest software, extract to a temporary directory, and run the following. You can place that last line in /etc/rc.local to auto-start dccifd on reboot.

./configure
make
make install
/var/dcc/libexec/dccifd

Next you’re going to have to install the files that Amavisd-new requires. I am not going to go into detail other than to provide a list of where you can get them. You should be able to follow the standard uncompress, ./configure, make, make install process for installing these programs. Note that the list below is copied from the Amavisd-new INSTALL document. If that in any way bothers anyone involved with the Amavisd-new project or violates a license (I read through and didn’t see anything of that nature, but you can never be too careful) then please let me know:

file: ftp://ftp.astron.com/pub/file/
compress: ftp://ftp.warwick.ac.uk/pub/compression/
gzip: http://www.gzip.org/
bzip2: http://sources.redhat.com/bzip2/
nomarch: http://rus.members.beeb.net/nomarch.html
arc: ftp://ftp.kiarchive.ru/pub/unix/arcers/
lha: http://www2m.biglobe.ne.jp/~dolphin/lha/prog/
unarj: ftp://ftp.kiarchive.ru/pub/unix/arcers/
arj: http://testcase.newmail.ru/files/
rar / unrar: http://www.rarsoft.com/ or ftp://ftp.kiarchive.ru/pub/unix/arcers/
zoo: ftp://ftp.kiarchive.ru/pub/unix/arcers/
cpio: ftp://ftp.gnu.org/pub/gnu/cpio
lzop: http://www.lzop.org/download/
freeze: ftp://ftp.warwick.ac.uk/pub/compression/
ClamAV: http://www.clamav.net/

After installing ClamAV, please remember to either set a cron job for it to update automatically every so often, or use the freshclam daemon. I like to check hourly, but that’s something you should decide for yourself.

The Amavisd-new tarball can be downloaded from http://www.ijs.si/software/amavisd/ and is probably the easiest package to set up that you’ve ever downloaded. Untar the package, copy the amavisd.conf file to /etc, and copy the amavisd binary to /usr/local/sbin. Reading the INSTALL document is probably a good idea, just to make sure that there’s nothing else you might want to do. Regarding the amavisd.conf file, there are a few things that need to be changed, but most can be left at default. As an option, you can download our sample amavisd.conf file and change a few items listed below:

  1. $mydomain = 'domain.com'; # Change domain.com to your domain so that the program will function properly.
  2. $spam_lovers{lc('abuse@domain.com')} = 1; # Change domain.com to your domain so that incoming email to abuse personnel won’t be blocked.
  3. Change / uncomment one of the $spam_quarantine_to = lines to determine how you want spam to be quarantined.
  4. Change $sa_tag2_level_deflt = 6.0; to whatever number you want to reject SpamAssassin confirmed spam.
  5. Uncomment any additional antivirus software packages that you have installed (in addition to ClamAV).

Note that there are a lot of different antivirus software packages that will work with Amavisd-new, and it is probably a good idea to have two or three running concurrently. I tend to use ClamAV, Vexira, BitDefender, and F-Prot on systems that do not see a very high volume of emails. AntiVirus that operates on command line tends to be a bit slower than by daemon. If you have a very high volume MTA, please make sure that you will be able to support the system load before enabling more than one antivirus.

Amavisd-new can be started by running /usr/local/sbin/amavisd from the command line or by using the start script on Linux systems. Adding it to your rc.local file is a good way to have it auto-start when you reboot your server. Note that the first time that you run Amavisd-new, and for the first few hours, you should probably set your logging level (see the amavisd.conf file) to 4 or 5. After that, leaving it at 0, 1, or 2 would be acceptable so as not to create too much log data.

Restart Postfix after starting Amavisd-new (using the command line above), and that’s it! You now have Postfix, Amavisd-new, SpamAssassin, and at least one antivirus package working together.

2 Comments

  • Aloha,
    I found this post to be very useful in shortening my time to just get up and running for my own personal email.

    However, I see no Date posted on this guide. Before following such a guide, I like to check to make sure the practices are current, as many old guides are circulated.

    Thank you.

    • Most of these guides are a few years old, though technologically not very much has changed. I used this particular one about six months ago when helping a friend with his server (as it’s been about 5 years since I’ve managed my own mail servers).
