content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: finish amavis section

revsuine 2024-11-23 03:52:28 +00:00
parent 039ce26466
commit a758d1f370
Signed by: revsuine
GPG key ID: 3F257B68F5BC9339

@ -1234,6 +1234,197 @@ Install Amavis and enable the service:
# rc-update add amavisd default
# rc-service amavisd start
## Amavis and Postfix
Let's set up Amavis as an SMTP proxy. Edit your Postfix config at `/etc/postfix/main.cf`, and add the following to the
end of the file:
```conf
# amavis filtering
# gets overridden by submission & smtps services in master.cf:
content_filter = smtp-amavis:[127.0.0.1]:10024
# delays postfix connection to content filter until entire email message has arrived
smtpd_proxy_options = speed_adjust
```
Amavis listens on port 10024 by default, so this tells Postfix to use Amavis as a content filter.
Now edit `/etc/postfix/master.cf` and add the following lines:
```conf
smtp-amavis unix - - n - 2 smtp
-o syslog_name=postfix/amavis
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o smtp_dns_support_level=disabled
-o max_use=20
-o smtp_tls_security_level=none
127.0.0.1:10025 inet n - n - - smtpd
-o syslog_name=postfix/10025
-o content_filter=
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o local_recipient_maps=
-o relay_recipient_maps=
-o strict_rfc821_envelopes=yes
-o smtp_tls_security_level=none
-o smtpd_tls_security_level=none
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_end_of_data_restrictions=
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
```
The first block tells Postfix to send emails to Amavis, and the second block tells Postfix to run an extra smtpd daemon
on port 10025 to receive emails back from Amavis. Restart Postfix for the changes to take effect:
# rc-service postfix restart
It's good practice to use a different port for email submissions from authenticated users. Let's use port 10026 for
this. Edit `/etc/amavisd.conf` and set `$inet_socket_port` to:
```conf
$inet_socket_port = [10024,10026];
```
to listen on multiple TCP ports.
We'll set the policy to `ORIGINATING` for port 10026 in the same Amavis config file:
```conf
$interface_policy{'10026'} = 'ORIGINATING';
```
Then define the `ORIGINATING` policy by adding the following lines:
```conf
$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
originating => 1, # declare that mail was submitted by our smtp client
allow_disclaimers => 1, # enables disclaimer insertion if available
# notify administrator of locally originating malware
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["virusalert\@$mydomain"],
warnbadhsender => 1,
# force MTA conversion to 7-bit (e.g. before DKIM signing)
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_banned_checks_maps => [1], # allow sending any file names and types
terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
};
```
Note that this is configured to send virus alerts to `virusalert@domain.com`. This should be a real email address, not
an alias, because ClamAV bypasses Postfix and sends emails straight to Dovecot, which doesn't have access to Postfix
aliases.
Restart Amavis for the change to take effect:
# rc-service amavisd restart
Edit `/etc/postfix/master.cf` now and add the following to the `submission` and `smtps` services:
```conf
# emails from authenticated SMTP clients will be passed to Amavis listening
# on port 10026:
-o content_filter=smtp-amavis:[127.0.0.1]:10026
```
Restart Postfix again for the changes to take effect:
# rc-service postfix restart
## Amavis and ClamAV
Install ClamAV and enable its daemon:
# apk add clamav clamav-daemon
# rc-update add clamd default
# rc-service clamd start
Enable virus-checking in Amavis by editing `/etc/amavisd.conf` and setting `@bypass_virus_checks_maps` to the
following:
```conf
# enable virus checking
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
```
Add `clamav` to the `amavis` group:
# adduser clamav amavis
Restart the amavisd and clamd daemons:
# rc-service amavisd restart
# rc-service clamd restart
## Amavis and SpamAssassin
Install SpamAssassin:
# apk add spamassassin
You may also want to install `spamassassin-doc`.
Let's configure SpamAssassin. SpamAssassin is configured at `/etc/mail/spamassassin/local.cf`. You may want to
configure the `required_score` option, which defaults to `5.0`. This is the spam score required for an email to be
marked spam. `5.0` is a sensible default, but you can adjust this if you find that your spam filter needs to be more or
less aggressive.
You can also set options like `rewrite_header` to rewrite headers of a message marked spam, e.g.
```conf
rewrite_header Subject [SPAM]
```
prepends `[SPAM]` to the subject line of a spam message.
Enable the service:
# rc-update add spamd default
# rc-service spamd start
Enable spam filtering by setting `@bypass_spam_checks_maps` in your `/etc/amavisd.conf`:
```conf
# enable spam filtering
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, $bypass_spam_checks_re);
```
Restart Amavis:
# rc-service amavisd restart
Now let's test your spam filter. Send yourself an email containing the following string somewhere in the body:
```
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
```
You should see the email arrive with the following headers:
```
X-Spam-Flag: YES
X-Spam-Score: 999.802
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=999.802 tagged_above=2 required=6.2
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, GTUBE=1000, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
TVD_SPACE_RATIO=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001,
URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
```
# Miscellaneous suggestions
You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where
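Review bot: the `@bypass_spam_checks_maps` line in the SpamAssassin section is missing a backslash, so it does not match its virus-checks counterpart or the stock amavisd.conf. `\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re` passes three references, whereas `\%bypass_spam_checks, \@bypass_spam_checks_acl, $bypass_spam_checks_re` passes the scalar's value (normally undef) as the third element, which Amavis treats as a constant lookup rather than a regexp map; it should read `\$bypass_spam_checks_re);`. Related, the `required_score` and `rewrite_header` advice plus the `rc-update add spamd` / `rc-service spamd start` step do not apply when SpamAssassin runs under Amavis: amavisd loads Mail::SpamAssassin in-process and never talks to spamd, and it applies its own thresholds and subject tag (`$sa_tag_level_deflt`, `$sa_tag2_level_deflt`, `$sa_kill_level_deflt`, `$sa_spam_subject_tag` in `/etc/amavisd.conf`) instead of local.cf's `required_score` and `rewrite_header`; the GTUBE test output shown a few lines later actually demonstrates this, since the header reads `tagged_above=2 required=6.2` rather than the `5.0` the text tells the reader to tune. Suggest pointing the reader at the amavisd.conf knobs and dropping the spamd service lines, or else explaining that spamd is only needed for other clients. The explanation under the `ORIGINATING` policy bank is also inaccurate: it is Amavis, not ClamAV, that sends the `virusalert@$mydomain` notifications, and it sends them over SMTP to the re-injection listener defined above (`127.0.0.1:10025`), not straight to Dovecot; the reason an alias does not work there is the `-o receive_override_options=...,no_address_mappings` on that listener, which disables virtual alias expansion for mail coming back from the filter. Finally, the ClamAV section starts `clamd` immediately after `apk add`, but clamd refuses to start until a signature database exists in `/var/lib/clamav`; add a `freshclam` run (and enabling the freshclam service) before `rc-service clamd start`.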