This is another one of those articles I write mainly so I can reference it later to help me remember how I got something working, but if it helps someone else trying to get Amavis, ClamAV, and SpamAssassin working with Postfix on Fedora, then great!
I’ve got a server running Fedora 12 that I don’t want to upgrade yet (the current Fedora is 14 as of the date of this article). I handle a fair amount of incoming mail on this box, and I have Postfix configured to block all the incoming mail coming from non RFC-compliant SMTP servers, servers relaying through dynamic IP addresses, and servers on popular DNS blacklists. These three measures successfully block more than 98% of all incoming spam.
In an attempt to eat into that last 2%, I decided to add some server-side SPAM scanning on the server. And as long as I’m going through the effort to do that, I figured it was very little additional effort to also scan incoming messages for viruses at the same time.
The current “holy trinity” of anti-SPAM and virus tools are:
- SpamAssassin: a widely used and highly configurable SPAM checking program.
- Clam AntiVirus (aka ClamAV): an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.
- Amavisd-new: a high-performance interface between mailers (like Postfix) and content checkers (like ClamAV and SpamAssassin). It essentially links Postfix with external content checking applications.
I came across this article at Fedora Unity and used it as my guide starting at Step 5 (I also ignored the grey listing steps). I was able to get everything working almost perfectly. The only thing I needed to add to get things working properly was explained in this article – I needed to manually create and set permissions on a directory for the clamd.pid file.
Configuration files locations were:
- Amavis-new: /etc/amavisd/amavisd.conf
- SpamAssassin: /etc/mail/spamassassin/local.cf
- ClamAV: /etc/clam.d/amavis.conf (yep – that’s not a typo)
- FreshClam: /etc/sysconfig/freshclam and /etc/freshclam.conf
I also chose to use DCC in SpamAssassin, so I needed to download and compile DCC from here, as well as enable it as explained here.
Here’s my current SpamAssassin local.cf file:
required_score 4.0 report_safe 0 rewrite_header Subject [SPAM] use_bayes 1 bayes_ignore_header 0 bayes_auto_learn 1 skip_rbl_checks 0 use_razor2 1 use_dcc 1 dcc_path /usr/local/bin/dccproc use_pyzor 1 whitelist_from *@mypersonaldomain.com # Custom Rules urirhssub URIBL_BLACK multi.uribl.com. A 2 body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK') describe URIBL_BLACK Contains an URL listed in the URIBL blacklist tflags URIBL_BLACK net score URIBL_BLACK 3.0 urirhssub URIBL_GREY multi.uribl.com. A 4 body URIBL_GREY eval:check_uridnsbl('URIBL_GREY') describe URIBL_GREY Contains an URL listed in the URIBL greylist tflags URIBL_GREY net score URIBL_GREY 0.25
and here are the important sections of my amavisd.conf file:
$sa_tag_level_deflt = '-9999'; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level $sa_kill_level_deflt = 15.0; # triggers spam evasive actions (e.g. blocks mail) $sa_dsn_cutoff_level = 15.0; # spam level beyond which a DSN is not sent
Anyone else using this post should adjust these values based on their preferences. You may want higher or lower thresholds for spam marking, blocking, etc.
Amavis-new with OpenDKIM and Postfix
If you’re running OpenDKIM and Amavis-new through Postfix on the same server (and you probably should), then in order to prevent OpenDKIM from signing your messages twice, you’ll need to add the no_milters option to one of the sections you added to Postfix’s master.cf file when setting up Amavis-new. Find the section:
127.0.0.1:10025 inet n - n - - smtpd
and add no_milters at the end of the receive_override_options line, so that it looks like this:
Then restart Postfix and Amavis-new.