Basic spam and antivirus email server setup.



This guide helps you configure an IMAP, POP, and SMTP server with anti-spam and anti-virus filtering for your company using Ubuntu Linux.

$ sudo apt-get install spamassassin amavis postfix-policyd-spf-perl fuzzyocr clamav clamav-daemon clamav-freshclam libsasl2 libsasl2-modules courier-imap courier-pop

When the installer prompts you, it doesn’t matter which configuration you choose for postfix, and you don’t need the web-based configuration for courier.

Configure spamassassin

I configure my spamassassin without a Bayes filter; it never works properly for me, and it seems to give me more false positives. I use uribl, and Fuzzy OCR for images. This usually works well enough for me. I also add custom rules from SARE. I use saupdate to keep them updated.

Install openprotect updates.

Run “sa-update” once to download the default SA rules from the channel “updates.spamassassin.org”. This should enable SA to find all its rules files under the “/var/lib/spamassassin” directory from now onwards.

Have gnupg installed, if you wish to check the channel files against our signature.

Run the command gpg --keyserver pgp.mit.edu --recv-keys BDE9DC10 to import our public key from the mit keyserver. The output should look like:

gpg: requesting key BDE9DC10 from hkp server pgp.mit.edu
gpg: key BDE9DC10: public key “Opencomputing Technologies (Key to sign all files from openprotect.com) ” imported
gpg: Total number processed: 1
gpg: imported: 1

Now, export our key alone from root’s public key ring by running the command
gpg --armor -o pub.gpg --export BDE9DC10
The public key has been saved to the file pub.gpg now.

Import the public key into sa-update’s trusted public keys by running
sa-update --import pub.gpg

Another way to import our public key is to get the gpg file and import it manually using sa-update and gpg. The commands are
wget http://saupdates.openprotect.com/pub.gpg
Now, import by running the command
sa-update --import pub.gpg
which should return without any error or output messages.
This isn’t the preferred way, as the gpg file could be corrupted or tampered with, if our server is hacked.

Now schedule daily downloads of rules from this channel using cron.

I like to cron the /usr/local/bin/saupdate.sh every night during my down time. Please click the link to look at my spamassassin update script.

$ crontab -e

0 1 * * * /usr/local/bin/saupdate.sh >/dev/null 2>&1

This script will update the spamassassin rules, and the saupdates_openprotect_com rules also.

Change your local.cf file in /etc/spamassassin.
Here is my local.cf file

I add a uribl.cf to my /etc/spamassassin directory.
Here is my uribl.cf file

I also change my /etc/spamassassin/FuzzyOcr.cf file.
Here is my FuzzyOcr.cf file

Now that spamassassin is set up, let’s configure amavisd-new.

Configuring Amavisd-new

The configuration directory for amavisd-new is /etc/amavis/conf.d. We will be editing the 50-user file, 20-debian_defaults, and 15-av_scanners.

I like to use 5 for $max_servers as a good starting point for my memory and CPU. You can take this up and down as needed, but 5 is a good start.

$ echo '$max_servers = 5;' | sudo tee -a /etc/amavis/conf.d/50-user

$ vi 15-av_scanners

I comment out everything in the file except the two clamav scanners: the clamd daemon in @av_scanners, and the clamscan command-line scanner in @av_scanners_backup. Just add # in front of everything else. If you’re lazy like me, just copy it. Here is my 15-av_scanners amavis example configuration.

@av_scanners = (

### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: remember to add the clamav user to the amavis group, and
# to properly set clamd to init supplementary groups
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

);  # end of the primary scanner list

@av_scanners_backup = (

### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
['ClamAV-clamscan', 'clamscan',
  "--stdout --disable-summary -r --tempdir=$TEMPBASE {}",
  [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

);  # end of the backup scanner list

I make sure I have the following settings in the /etc/amavis/conf.d/20-debian_defaults. Use your favorite editor and make sure to change these options.

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = -999.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent

$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_DISCARD; # D_REJECT when front-end MTA
$final_spam_destiny = D_DISCARD;

You also need to add clamav to the amavis group as follows. The -a flag appends the group instead of replacing the user's existing supplementary groups.

$ sudo usermod -a -G amavis clamav

There is also an option in this file that sets the listen port to 10024. Just remember that.

That should be all you have to do with amavisd-new. Now on to postfix.

Configuring postfix

I want to just let you know that I have never configured postfix-policyd-spf-perl but I am highly accomplished at postfix so it can’t be that difficult.

Configure /etc/postfix/main.cf. Click on the link for my example postfix configuration for the main.cf file.

This file has a billion options, and going through every option is out of the scope of this article. I just want you to look at the following sections.

smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client sbl-xbl.spamhaus.org
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client dnsbl.ahbl.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client spam.spamrats.com,
    check_policy_service unix:private/policy-spf,
    reject_unauth_destination
local_destination_concurrency_limit = 5
virtual_alias_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
home_mailbox = Maildir/

These sections set the recipient restrictions and the concurrency limit for the amavis process. They also name the files for aliases and virtual aliases. That is how I like to run my servers. I have also enabled Maildir delivery and the sasl auth options.
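
DNSBL zones named in reject_rbl_client get retired over time, and a retired zone either stops answering or starts answering for every address. The following added example (not from the original post) pulls the zones out of main.cf text and classifies each one with the RFC 5782 test addresses; the .example zones and the fake resolver are constructed so it runs offline.

```python
# Added example, not from the original post: DNSBL health check for main.cf.
import re
import socket

def rbl_zones(main_cf_text):
    """Return the unique zones named by reject_rbl_client, in file order."""
    zones = re.findall(r"reject_rbl_client\s+([A-Za-z0-9.-]+)", main_cf_text)
    return list(dict.fromkeys(z.rstrip(".") for z in zones))

def dns_lookup(name):
    """Default resolver: True if the name has an A record (needs network)."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def zone_status(zone, listed=dns_lookup):
    """RFC 5782: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    test_listed = listed("2.0.0.127." + zone)   # reversed 127.0.0.2
    test_clean = listed("1.0.0.127." + zone)    # reversed 127.0.0.1
    if not test_listed:
        return "dead"                # mandatory test entry missing: the check is a no-op
    return "lists-everything" if test_clean else "ok"

def audit(main_cf_text, listed=dns_lookup):
    """Map every configured zone to ok / dead / lists-everything."""
    return {zone: zone_status(zone, listed) for zone in rbl_zones(main_cf_text)}

# Constructed sample in the same layout as the main.cf excerpt above.
SAMPLE = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_rbl_client live.dnsbl.example,
    reject_rbl_client wild.dnsbl.example,
    reject_rbl_client gone.dnsbl.example,
    reject_unauth_destination
"""

def fake_listed(name):
    """Constructed resolver: one healthy zone, one wildcard zone, one silent zone."""
    return name == "2.0.0.127.live.dnsbl.example" or name.endswith(".wild.dnsbl.example")

if __name__ == "__main__":
    for zone, status in audit(SAMPLE, fake_listed).items():
        print(zone, status)
```

Call audit() on the text of your own /etc/postfix/main.cf with the default resolver to check the live zones; a zone reported as lists-everything would reject all inbound mail.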

You will now need to configure your /etc/postfix/master.cf. Please look at my example postfix configuration for the master.cf. There are a few options you want to make sure you set in the file for email to go from amavis, and back to postfix.

This allows for emails to be processed by amavis, and when the email comes back through it doesn’t get processed again by postfix checks.
smtp inet n - - - - smtpd
    -o content_filter=smtp:localhost:10024

127.0.0.1:10025 inet n - - - 50 smtpd
    -o content_filter=
#   -o local_recipient_maps=
#   -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
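
The re-injection listener on port 10025 skips the normal checks, so it must only be reachable from amavis on loopback. This added example (not the author's code) parses master.cf text and flags a 10025 listener that is not loopback-bound, does not clear content_filter, or does not end its restrictions in reject; both sample configs are constructed, the first trimmed from the listing above.

```python
# Added example, not from the original post. Both sample configs are constructed.
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")

def parse_master_cf(text):
    """Join continuation lines, then return (8 columns, {-o overrides}) per service."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # blank and comment lines are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()    # leading whitespace continues an entry
        else:
            entries.append(raw.strip())
    services = []
    for tokens in map(str.split, entries):
        opts = dict(a.partition("=")[::2] for f, a in zip(tokens[8:], tokens[9:]) if f == "-o")
        services.append((tokens[:8], opts))
    return services

def audit_reinjection(text, port="10025"):
    """Return findings for the listener that amavis hands scanned mail back to."""
    hits = [(f, o) for f, o in parse_master_cf(text)
            if len(f) == 8 and f[1] == "inet" and f[0].rpartition(":")[2] == port]
    if not hits:
        return ["no inet listener on port " + port]
    findings = []
    for fields, opts in hits:
        checks = [
            (fields[0].rpartition(":")[0] in LOOPBACK, "listener is not bound to loopback"),
            (opts.get("content_filter") == "", "content_filter not cleared, mail loops back to amavis"),
            (opts.get("mynetworks") == "127.0.0.0/8", "mynetworks not narrowed to 127.0.0.0/8"),
        ] + [(opts.get(k, "").endswith(",reject"), k + " does not end in reject")
             for k in ("smtpd_client_restrictions", "smtpd_recipient_restrictions")]
        findings += [msg for ok, msg in checks if not ok]
    return findings

PAGE_STYLE = """\
127.0.0.1:10025 inet n - - - 50 smtpd
    -o content_filter=
#   -o local_recipient_maps=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
"""
EXPOSED = "10025 inet n - - - 50 smtpd\n  -o smtpd_recipient_restrictions=permit_mynetworks,reject\n"

if __name__ == "__main__":
    print(audit_reinjection(PAGE_STYLE), audit_reinjection(EXPOSED), sep="\n")
```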

You will need this in the bottom of the master.cf file for the spf rule checks.

policy-spf unix - n n - - spawn
    user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Once you have completed this you can add an email address and a user, or 5.

Adding a user for email and setting the password. Notice I set the shell to /bin/false so the user cannot log in to the unix side of the machine.

$ sudo useradd -c "webmaster for wantlinux.net" -g users -s /bin/false -d /home/mail/webmaster webmaster
$ sudo passwd webmaster
Enter new UNIX password:
Retype new UNIX password:

Adding an email address.

$ vi /etc/postfix/virtual
webmaster@wantlinux.net webmaster
whateveryourwant@wantlinux.net(TAB)USERNAME
createagroup@wantlinux.net(TAB)USERNAME, USERNAME

Save the file.

Postmap the virtual file so it is a hash.

$ cd /etc/postfix
$ sudo postmap virtual

This should have created a file virtual.db.

Configuring sasl

It is pretty easy so let me make this complicated. Just install this config or copy this and put it in a file.

pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path:/var/run/courier/authdaemon/socket

You will also want to change permissions on the /var/run/courier/authdaemon to 755 like so.
$ sudo chmod 755 /var/run/courier/authdaemon

I also change /etc/init.d/courier-authdaemon.

$ vi /etc/init.d/courier-authdaemon

Add run_dir="/var/run/courier/authdaemon" below daemonscript="${sbindir}/authdaemond",
and chmod 755 ${run_dir} below chown daemon:daemon ${run_dir} /var/run/courier.

Save the file, and you should be good to go for the courier configuration.

Configuring Courier

The default configuration files should be good for a basic setup.

Now that we have spamassassin, amavis, postfix, courier, and sasl all set up, we just need to restart the services.

$ sudo /etc/init.d/postfix restart
$ sudo /etc/init.d/amavis restart
$ sudo /etc/init.d/courier-authdaemon restart
$ sudo /etc/init.d/courier-imap restart
$ sudo /etc/init.d/courier-pop restart

Your email server should be working. If you want to test, look at my sending email with telnet tutorial.

  1. #1 by wacroryroindy on July 30, 2010 - 11:30 pm

    Oh thank you!

    • #2 by wacroryroindy on August 11, 2010 - 4:40 pm

      Thanks for writing, I very much liked your newest post. I think you should post more frequently, you evidently have natural ability for blogging!
