content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: finish amavis section
parent 039ce26466
commit a758d1f370
1 changed files with 191 additions and 0 deletions
|
@ -1234,6 +1234,197 @@ Install Amavis and enable the service:
|
|||
# rc-update add amavisd default
|
||||
# rc-service amavisd start
|
||||
|
||||
## Amavis and Postfix
|
||||
|
||||
Let's set up Amavis as an SMTP proxy. Edit your Postfix config at `/etc/postfix/main.cf`, and add the following to the
|
||||
end of the file:
|
||||
|
||||
```conf
|
||||
# amavis filtering
|
||||
# gets overridden by submission & smtps services in master.cf:
|
||||
content_filter = smtp-amavis:[127.0.0.1]:10024
|
||||
# delays postfix connection to content filter until entire email message has arrived
|
||||
smtpd_proxy_options = speed_adjust
|
||||
```
|
||||
|
||||
Amavis listens on port 10024 by default, so this tells Postfix to use Amavis as a content filter.
|
||||
|
||||
Now edit `/etc/postfix/master.cf` and add the following lines:
|
||||
|
||||
```conf
|
||||
smtp-amavis unix - - n - 2 smtp
|
||||
-o syslog_name=postfix/amavis
|
||||
-o smtp_data_done_timeout=1200
|
||||
-o smtp_send_xforward_command=yes
|
||||
-o smtp_dns_support_level=disabled
|
||||
-o max_use=20
|
||||
-o smtp_tls_security_level=none
|
||||
|
||||
127.0.0.1:10025 inet n - n - - smtpd
|
||||
-o syslog_name=postfix/10025
|
||||
-o content_filter=
|
||||
-o mynetworks_style=host
|
||||
-o mynetworks=127.0.0.0/8
|
||||
-o local_recipient_maps=
|
||||
-o relay_recipient_maps=
|
||||
-o strict_rfc821_envelopes=yes
|
||||
-o smtp_tls_security_level=none
|
||||
-o smtpd_tls_security_level=none
|
||||
-o smtpd_restriction_classes=
|
||||
-o smtpd_delay_reject=no
|
||||
-o smtpd_client_restrictions=permit_mynetworks,reject
|
||||
-o smtpd_helo_restrictions=
|
||||
-o smtpd_sender_restrictions=
|
||||
-o smtpd_recipient_restrictions=permit_mynetworks,reject
|
||||
-o smtpd_end_of_data_restrictions=
|
||||
-o smtpd_error_sleep_time=0
|
||||
-o smtpd_soft_error_limit=1001
|
||||
-o smtpd_hard_error_limit=1000
|
||||
-o smtpd_client_connection_count_limit=0
|
||||
-o smtpd_client_connection_rate_limit=0
|
||||
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
|
||||
```
|
||||
|
||||
The first block tells Postfix to send emails to Amavis, and the second block tells Postfix to run an extra smtpd daemon
|
||||
on port 10025 to receive emails back from Amavis. Restart Postfix for the changes to take effect:
|
||||
|
||||
# rc-service postfix restart
|
||||
|
||||
It's good practice to use a different port for email submissions from authenticated users. Let's use port 10026 for
|
||||
this. Edit `/etc/amavisd.conf` and set `$inet_socket_port` to:
|
||||
|
||||
```conf
|
||||
$inet_socket_port = [10024,10026];
|
||||
```
|
||||
|
||||
to listen on multiple TCP ports.
|
||||
|
||||
We'll set the policy to `ORIGINATING` for port 10026 in the same Amavis config file:
|
||||
|
||||
```conf
|
||||
$interface_policy{'10026'} = 'ORIGINATING';
|
||||
```
|
||||
|
||||
Then define the `ORIGINATING` policy by adding the following lines:
|
||||
|
||||
```conf
|
||||
$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
|
||||
originating => 1, # declare that mail was submitted by our smtp client
|
||||
allow_disclaimers => 1, # enables disclaimer insertion if available
|
||||
# notify administrator of locally originating malware
|
||||
virus_admin_maps => ["virusalert\@$mydomain"],
|
||||
spam_admin_maps => ["virusalert\@$mydomain"],
|
||||
warnbadhsender => 1,
|
||||
# force MTA conversion to 7-bit (e.g. before DKIM signing)
|
||||
smtpd_discard_ehlo_keywords => ['8BITMIME'],
|
||||
bypass_banned_checks_maps => [1], # allow sending any file names and types
|
||||
terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
|
||||
};
|
||||
```
|
||||
|
||||
Note that this is configured to send virus alerts to `virusalert@domain.com`. This should be a real email address, not
|
||||
an alias, because ClamAV bypasses Postfix and sends emails straight to Dovecot, which doesn't have access to Postfix
|
||||
aliases.
|
||||
|
||||
Restart Amavis for the change to take effect:
|
||||
|
||||
# rc-service amavisd restart
|
||||
|
||||
Edit `/etc/postfix/master.cf` now and add the following to the `submission` and `smtps` services:
|
||||
|
||||
```conf
|
||||
# emails from authenticated SMTP clients will be passed to Amavis listening
|
||||
# on port 10026:
|
||||
-o content_filter=smtp-amavis:[127.0.0.1]:10026
|
||||
```
|
||||
|
||||
Restart Postfix again for the changes to take effect:
|
||||
|
||||
# rc-service postfix restart
|
||||
|
||||
## Amavis and ClamAV
|
||||
|
||||
Install ClamAV and enable its daemon:
|
||||
|
||||
# apk add clamav clamav-daemon
|
||||
# rc-update add clamd default
|
||||
# rc-service clamd start
|
||||
|
||||
Enable virus-checking in Amavis by editing `/etc/amavisd.conf` and setting `@bypass_virus_checks_maps` to the
|
||||
following:
|
||||
|
||||
```conf
|
||||
# enable virus checking
|
||||
@bypass_virus_checks_maps = (
|
||||
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
|
||||
```
|
||||
|
||||
Add `clamav` to the `amavis` group:
|
||||
|
||||
# adduser clamav amavis
|
||||
|
||||
Restart the amavisd and clamd daemons:
|
||||
|
||||
# rc-service amavisd restart
|
||||
# rc-service clamd restart
|
||||
|
||||
## Amavis and SpamAssassin
|
||||
|
||||
Install SpamAssassin:
|
||||
|
||||
# apk add spamassassin
|
||||
|
||||
You may also want to install `spamassassin-doc`.
|
||||
|
||||
Let's configure SpamAssassin. SpamAssassin is configured at `/etc/mail/spamassassin/local.cf`. You may want to
|
||||
configure the `required_score` option, which defaults to `5.0`. This is the spam score required for an email to be
|
||||
marked spam. `5.0` is a sensible default, but you can adjust this if you find that your spam filter needs to be more or
|
||||
less aggressive.
|
||||
|
||||
You can also set options like `rewrite_header` to rewrite headers of a message marked spam, e.g.
|
||||
|
||||
```conf
|
||||
rewrite_header Subject [SPAM]
|
||||
```
|
||||
|
||||
prepends `[SPAM]` to the subject line of a spam message.
|
||||
|
||||
Enable the service:
|
||||
|
||||
# rc-update add spamd default
|
||||
# rc-service spamd start
|
||||
|
||||
Enable spam filtering by setting `@bypass_spam_checks_maps` in your `/etc/amavisd.conf`:
|
||||
|
||||
```conf
|
||||
# enable spam filtering
|
||||
@bypass_spam_checks_maps = (
|
||||
\%bypass_spam_checks, \@bypass_spam_checks_acl, $bypass_spam_checks_re);
|
||||
```
|
||||
|
||||
Restart Amavis:
|
||||
|
||||
# rc-service amavisd restart
|
||||
|
||||
Now let's test your spam filter. Send yourself an email containing the following string somewhere in the body:
|
||||
|
||||
```
|
||||
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
|
||||
```
|
||||
|
||||
You should see the email arrive with the following headers:
|
||||
|
||||
```
|
||||
X-Spam-Flag: YES
|
||||
X-Spam-Score: 999.802
|
||||
X-Spam-Level: ****************************************************************
|
||||
X-Spam-Status: Yes, score=999.802 tagged_above=2 required=6.2
|
||||
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
|
||||
DKIM_VALID_EF=-0.1, GTUBE=1000, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
|
||||
TVD_SPACE_RATIO=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001,
|
||||
URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
|
||||
```
|
||||
|
||||
# Miscellaneous suggestions
|
||||
|
||||
You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where
|
||||
|
|
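Review bot: In the `@bypass_spam_checks_maps` snippet under "Amavis and SpamAssassin", the third element is written `$bypass_spam_checks_re` without the leading backslash, while the matching `@bypass_virus_checks_maps` snippet under "Amavis and ClamAV" uses `\$bypass_virus_checks_re`. Without the backslash Perl puts the variable's current value in the list instead of a reference to it, so the two lists are not built the same way; change it to `\$bypass_spam_checks_re`. Separately, the sample headers after the GTUBE test show `required=6.2` while the SpamAssassin paragraph says `required_score` defaults to `5.0`. A sentence saying where the 6.2 threshold is set would keep readers from tuning a setting that does not change what they see in the headers.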