content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: finish amavis section

2024-11-23 03:52:28 +00:00 · 2024-11-23 03:52:28 +00:00 · a758d1f370
commit a758d1f370
parent 039ce26466
1 changed files with 191 additions and 0 deletions
--- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
+++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
@ -1234,6 +1234,197 @@ Install Amavis and enable the service:
    # rc-update add amavisd default
    # rc-service amavisd start
 ## Amavis and Postfix
 Let's set up Amavis as an SMTP proxy. Edit your Postfix config at `/etc/postfix/main.cf`, and add the following to the
 end of the file:
 ```conf
 # amavis filtering
 # gets overridden by submission & smtps services in master.cf:
 content_filter = smtp-amavis:[127.0.0.1]:10024
 # delays postfix connection to content filter until entire email message has arrived
 smtpd_proxy_options = speed_adjust
 ```
 Amavis listens on port 10024 by default, so this tells Postfix to use Amavis as a content filter.
 Now edit `/etc/postfix/master.cf` and add the following lines:
 ```conf
 smtp-amavis   unix -     -       n       -       2       smtp
  -o syslog_name=postfix/amavis
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o smtp_dns_support_level=disabled
  -o max_use=20
  -o smtp_tls_security_level=none
 127.0.0.1:10025   inet   n    -     n     -     -    smtpd
  -o syslog_name=postfix/10025
  -o content_filter=
  -o mynetworks_style=host
  -o mynetworks=127.0.0.0/8
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o strict_rfc821_envelopes=yes
  -o smtp_tls_security_level=none
  -o smtpd_tls_security_level=none
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_end_of_data_restrictions=
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
 ```
 The first block tells Postfix to send emails to Amavis, and the second block tells Postfix to run an extra smtpd daemon
 on port 10025 to receive emails back from Amavis. Restart Postfix for the changes to take effect:
    # rc-service postfix restart
 It's good practice to use a different port for email submissions from authenticated users. Let's use port 10026 for
 this. Edit `/etc/amavisd.conf` and set `$inet_socket_port` to:
 ```conf
 $inet_socket_port = [10024,10026];
 ```
 to listen on multiple TCP ports.
 We'll set the policy to `ORIGINATING` for port 10026 in the same Amavis config file:
 ```conf
 $interface_policy{'10026'} = 'ORIGINATING';
 ```
 Then define the `ORIGINATING` policy by adding the following lines:
 ```conf
 $policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
 };
 ```
 Note that this is configured to send virus alerts to `virusalert@domain.com`. This should be a real email address, not
 an alias, because ClamAV bypasses Postfix and sends emails straight to Dovecot, which doesn't have access to Postfix
 aliases.
 Restart Amavis for the change to take effect:
    # rc-service amavisd restart
 Edit `/etc/postfix/master.cf` now and add the following to the `submission` and `smtps` services:
 ```conf
  # emails from authenticated SMTP clients will be passed to Amavis listening
  # on port 10026:
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
 ```
 Restart Postfix again for the changes to take effect:
    # rc-service postfix restart
 ## Amavis and ClamAV
 Install ClamAV and enable its daemon:
    # apk add clamav clamav-daemon
    # rc-update add clamd default
    # rc-service clamd start
 Enable virus-checking in Amavis by editing `/etc/amavisd.conf` and setting `@bypass_virus_checks_maps` to the
 following:
 ```conf
 # enable virus checking
@bypass_virus_checks_maps = (
    \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
 ```
 Add `clamav` to the `amavis` group:
    # adduser clamav amavis
 Restart the amavisd and clamd daemons:
    # rc-service amavisd restart
    # rc-service clamd restart
 ## Amavis and SpamAssassin
 Install SpamAssassin:
    # apk add spamassassin
 You may also want to install `spamassassin-doc`.
 Let's configure SpamAssassin. SpamAssassin is configured at `/etc/mail/spamassassin/local.cf`. You may want to
 configure the `required_score` option, which defaults to `5.0`. This is the spam score required for an email to be
 marked spam. `5.0` is a sensible default, but you can adjust this if you find that your spam filter needs to be more or
 less aggressive.
 You can also set options like `rewrite_header` to rewrite headers of a message marked spam, e.g.
 ```conf
 rewrite_header Subject [SPAM]
 ```
 prepends `[SPAM]` to the subject line of a spam message.
 Enable the service:
    # rc-update add spamd default
    # rc-service spamd start
 Enable spam filtering by setting `@bypass_spam_checks_maps` in your `/etc/amavisd.conf`:
 ```conf
 # enable spam filtering
@bypass_spam_checks_maps = (
    \%bypass_spam_checks, \@bypass_spam_checks_acl, $bypass_spam_checks_re);
 ```
 Restart Amavis:
    # rc-service amavisd restart
 Now let's test your spam filter. Send yourself an email containing the following string somewhere in the body:
 ```
 XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
 ```
 You should see the email arrive with the following headers:
 ```
 X-Spam-Flag: YES
 X-Spam-Score: 999.802
 X-Spam-Level: ****************************************************************
 X-Spam-Status: Yes, score=999.802 tagged_above=2 required=6.2
 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, GTUBE=1000, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
 TVD_SPACE_RATIO=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001,
 URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
 ```
 # Miscellaneous suggestions
 You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where