Tips for installing Amavis-new, ClamAV, and SpamAssassin using Postfix on Fedora 12

This is another one of those articles I write mainly so I can reference it later to help me remember how I got something working, but if it helps someone else trying to get Amavis, ClamAV, and SpamAssassin working with Postfix on Fedora, then great!

I’ve got a server running Fedora 12 that I don’t want to upgrade yet (the current Fedora is 14 as of the date of this article). I handle a fair amount of incoming mail on this box, and I have Postfix configured to block all incoming mail from non-RFC-compliant SMTP servers, servers relaying through dynamic IP addresses, and servers on popular DNS blacklists. These three measures successfully block more than 98% of all incoming spam.

In an attempt to eat into that last 2%, I decided to add some server-side SPAM scanning on the server. And as long as I’m going through the effort to do that, I figured it was very little additional effort to also scan incoming messages for viruses at the same time.

The current “holy trinity” of anti-SPAM and antivirus tools is:

  • SpamAssassin: a widely used and highly configurable SPAM checking program.
  • Clam AntiVirus (aka ClamAV): an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.
  • Amavisd-new: a high-performance interface between mailers (like Postfix) and content checkers (like ClamAV and SpamAssassin). It essentially links Postfix with external content checking applications.

I came across this article at Fedora Unity and used it as my guide starting at Step 5 (I also ignored the grey listing steps). I was able to get everything working almost perfectly. The only thing I needed to add to get things working properly was explained in this article – I needed to manually create and set permissions on a directory for the file.

Configuration file locations were:

  • Amavis-new: /etc/amavisd/amavisd.conf
  • SpamAssassin: /etc/mail/spamassassin/
  • ClamAV: /etc/clam.d/amavis.conf (yep – that’s not a typo)
  • FreshClam: /etc/sysconfig/freshclam and /etc/freshclam.conf

I also chose to use DCC in SpamAssassin, so I needed to download and compile DCC from here, as well as enable it as explained here.

Here’s my current SpamAssassin file:

required_score          4.0
report_safe             0
rewrite_header          Subject [SPAM]
use_bayes               1
bayes_ignore_header     0
bayes_auto_learn        1
skip_rbl_checks         0
use_razor2              1
use_dcc                 1
dcc_path                /usr/local/bin/dccproc
use_pyzor               1
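# Note: a bare '*' matches every sender address, so every message hits
# USER_IN_WHITELIST; narrow this to the specific senders you trust.
whitelist_from          *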

# Custom Rules
urirhssub       URIBL_BLACK  multi.uribl.com.  A   2
body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags          URIBL_BLACK  net
score           URIBL_BLACK  3.0

urirhssub       URIBL_GREY  multi.uribl.com.  A   4
body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags          URIBL_GREY  net
score           URIBL_GREY  0.25

and here are the important sections of my amavisd.conf file:

$sa_tag_level_deflt  = '-9999';  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 15.0;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 15.0;   # spam level beyond which a DSN is not sent

Anyone else using this post should adjust these values based on their preferences. You may want higher or lower thresholds for spam marking, blocking, etc.

Amavis-new with OpenDKIM and Postfix

If you’re running OpenDKIM and Amavis-new through Postfix on the same server (and you probably should), then in order to prevent OpenDKIM from signing your messages twice, you’ll need to add the no_milters option to one of the sections you added to Postfix’s file when setting up Amavis-new. Find the section:

inet n  -       n       -       -  smtpd

and add no_milters at the end of the receive_override_options line, so that it looks like this:

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Then restart Postfix and Amavis-new.
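
To confirm the no_milters change is actually in place, the following added example (not from the original article) scans a Postfix service table such as master.cf for smtpd listeners that set receive_override_options and reports any that lack no_milters. The helper name audit_no_milters and the sample listener address 127.0.0.1:10025 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag smtpd listeners in master.cf that set
# receive_override_options without no_milters.
# audit_no_milters FILE (hypothetical helper name)
#   returns 0 if every such listener has no_milters, 1 if any lacks it,
#   2 if no listener sets receive_override_options at all.
audit_no_milters() {
    awk '
    function emit(   n, f, i, opts) {
        if (entry == "") return
        # service type private unpriv chroot wakeup maxproc command args...
        n = split(entry, f, /[ \t]+/)
        if (n >= 8 && f[2] == "inet" && f[8] == "smtpd") {
            opts = ""
            for (i = 9; i <= n; i++)
                if (f[i] ~ /^receive_override_options=/)
                    opts = substr(f[i], index(f[i], "=") + 1)
            if (opts != "") {
                found = 1
                if (("," opts ",") ~ /,no_milters,/) print f[1] ": ok"
                else { print f[1] ": MISSING no_milters"; bad = 1 }
            }
        }
        entry = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
    /^[ \t]/ { entry = entry " " $0; next }   # continuation of current entry
    { emit(); entry = $0 }                    # a new service entry begins
    END { emit(); if (!found) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input; the listener address and port are assumed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtp            inet n - n - - smtpd
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
EOF
audit_no_milters "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

A listener reported as MISSING no_milters is one where re-injected mail would pass through the milters a second time, which is the double-signing case described above.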