These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Configure Amavisd


/etc/amavis/amavisd.conf

We now want to configure Amavisd. Recall that the main configuration file is /etc/amavis/amavisd.conf under Debian, but /etc/amavisd.conf if installed from source.

 use strict;
 $MYHOME = '/var/lib/amavis';
 $mydomain = 'domain.com';
 $daemon_user = 'amavis';
 $daemon_group = 'amavis';
 $daemon_chroot_dir = $MYHOME; 
 $QUARANTINEDIR = "$MYHOME/quarantine";
 $TEMPBASE = "$MYHOME/tmp";
 $ENV{TMPDIR} = $TEMPBASE;
 $helpers_home = $MYHOME;
 $forward_method = 'smtp:127.0.0.1:10025'; 
 $notify_method = $forward_method; 
 $inet_socket_port = 10024;
 $inet_socket_bind = '127.0.0.1';
 @inet_acl = qw( 127.0.0.1 ); 
 @bypass_virus_checks_acl = qw( . );
 @local_domains_acl = ( ".$mydomain" );
 $DO_SYSLOG = 1; # (1 = syslog, 0 = logfile)
 $LOGFILE = "$MYHOME/amavis.log";
 $log_level = 5; # (0-5)
 $hdrfrom_notify_sender = 'SpamAssassin <helpdesk@domain.com>';
 $notify_spam_sender_templ =
   read_text("$MYHOME/notify_spam_sender.txt");
 $final_spam_destiny = D_PASS;
 read_hash(\%whitelist_sender, '/var/lib/amavis/whitelist');
 read_hash(\%blacklist_sender, '/var/lib/amavis/blacklist');
 read_hash(\%spam_lovers, '/var/lib/amavis/spam_lovers');
 #defending against mail bombs
 $MAXLEVELS = 14;
 $MAXFILES = 1500;
 $MIN_EXPANSION_QUOTA = 100*1024;
 $MAX_EXPANSION_QUOTA = 300*1024*1024;
 $MIN_EXPANSION_FACTOR = 5;
 $MAX_EXPANSION_FACTOR = 500;
 $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
 #$banned_filename_re = new_RE();
 $file = 'file';
 $arc = ['nomarch', 'arc'];
 $gzip = 'gzip';
 $bzip2 = 'bzip2';
 $uncompress = ['uncompress', 'gzip -d', 'zcat'];
 $lha = 'lha';
 $unarj = 'unarj';
 $unrar = 'unrar';
 $zoo = 'zoo';
 # SpamAssassin settings
 $sa_local_tests_only = 0; 
 $sa_auto_whitelist = 1;
 $sa_mail_body_size_limit = 64*1024; # 64KB
 $sa_tag_level_deflt = 3.0;
 $sa_tag2_level_deflt = 6.3;
 $sa_kill_level_deflt = $sa_tag2_level_deflt;
 $sa_spam_subject_tag = '***SPAM*** ';
 $sa_debug = 1; # comment this line out to turn off debugging
 1; # insure a defined return

Some notes to take into consideration with regard to this configuration:

  • Debugging : Debugging is set rather high. This is recommended for the initial setup and testing of our system, but it could become a security problem if it is not set lower afterwards.
  • Bouncing versus Passing : The two options for dealing with spam-tagged email are to bounce it back to the spammer or to pass it through the system. We have selected pass so that we can see our tests and verify things are working. You will have to evaluate on a case-by-case basis which setting you want to enable.
  • Spam Tag Level : Here it is set rather high (to 6.3). Depending upon how paranoid you are about spam versus false positives, you will likely want to adjust this down or up. 6.3, IMHO, is a bit too high to be of much use, as it tends to capture only the most flagrant cases.
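
One way to check a configuration for the test-time settings listed in these notes before going into production (an added example, not part of the original notes). The function names, the MAX_LOG_LEVEL threshold and the sample input are assumptions made for the illustration.

```shell
# Added example (not from the original notes): flag test-time amavisd.conf settings.
MAX_LOG_LEVEL=2     # assumption: highest $log_level accepted in production
TAG2_REVIEW_AT=6.3  # the tag2 level the notes call "a bit too high"

# conf_value FILE NAME: print the value of the last active "$NAME = value;"
conf_value() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }                  # skip commented-out settings
        {
            line = $0; sub(/^[ \t]*/, "", line)
            if (index(line, "$" name) != 1) next
            rest = substr(line, length(name) + 2)
            if (rest !~ /^[ \t]*=/) next      # a longer name with this prefix
            sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]*;.*$/, "", rest)
            val = rest
        }
        END { print val }' "$1"
}

# lint_amavisd_conf FILE: print one REVIEW line per finding; return 1 if any.
lint_amavisd_conf() {
    found=0
    level=$(conf_value "$1" log_level)
    case $level in
        '' | *[!0-9]*) ;;                    # unset or not a plain integer
        *) if [ "$level" -gt "$MAX_LOG_LEVEL" ]; then
               echo "REVIEW: log_level=$level (debug-grade logging)"; found=1
           fi ;;
    esac
    if [ "$(conf_value "$1" sa_debug)" = 1 ]; then
        echo "REVIEW: sa_debug=1 (SpamAssassin debugging is on)"; found=1
    fi
    if [ "$(conf_value "$1" final_spam_destiny)" = D_PASS ]; then
        echo "REVIEW: final_spam_destiny=D_PASS (tagged spam is delivered)"; found=1
    fi
    tag2=$(conf_value "$1" sa_tag2_level_deflt)
    if [ -n "$tag2" ] && awk -v t="$tag2" -v m="$TAG2_REVIEW_AT" \
            'BEGIN { exit !(t + 0 >= m + 0) }'; then
        echo "REVIEW: sa_tag2_level_deflt=$tag2 (only flagrant spam is tagged)"; found=1
    fi
    return "$found"
}

# Constructed sample modelled on the listing above, plus one commented-out line.
sample_conf() {
    printf '%s\n' '$log_level = 5; # (0-5)' '$final_spam_destiny = D_PASS;' \
        '#$sa_tag2_level_deflt = 9.9;' '$sa_tag2_level_deflt = 6.3;' '$sa_debug = 1;'
}
demo=$(mktemp); sample_conf > "$demo"; lint_amavisd_conf "$demo" || echo "review needed"; rm -f "$demo"
```

Run it against the real file with lint_amavisd_conf /etc/amavis/amavisd.conf; a return status of 0 means none of the flagged settings are active.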

We also may need to install some of the compression programs mentioned here in order to ensure that they will exist when and if Amavisd needs them. On our Debian systems we can simply apt-get all of them (and we will need to apt-get "zoo", "unarj" and "unrar").

Create the Directories used by Amavisd

Next we need to create the directories used by amavisd:

 # mkdir /var/lib/amavis/tmp
 # chown amavis:amavis /var/lib/amavis/tmp
 # chmod 750 /var/lib/amavis/tmp 
 # mkdir /var/lib/amavis/quarantine
 # chown amavis:amavis /var/lib/amavis/quarantine 
 # chmod 750 /var/lib/amavis/quarantine

Place Needed Files in chroot Jail

Now we want to do everything needed to run amavisd-new in a chroot jail (you can skip this step if you want, but just make sure you comment out the $daemon_chroot_dir setting in the amavisd.conf file with a #). Please note that I'd advise you to do these steps since it makes your system more secure.

Note that all the commands in this numbered section assume that you are in the /var/lib/amavis directory:

 # cd /var/lib/amavis

Make the default root folders:

 # mkdir -p etc dev tmp var/run
 # mkdir -p usr/bin usr/share/zoneinfo usr/lib usr/libexec

Make the spamassassin config folders:

 # mkdir -p usr/share/spamassassin etc/spamassassin

Set up a dev/null device (on Linux, /dev/null is character device major 1, minor 3):

 # mknod dev/null c 1 3

Set up a symbolic link so the chrooted process can refer to /var/lib/amavis and still get the files in /var/lib/amavis (which would then be /):

 # mkdir -p var/lib
 # ln -s / var/lib/amavis

Copy the helper programs we need into our chroot usr/bin directory (/var/lib/amavis/usr/bin):

 # cp /usr/bin/file usr/bin 
 # cp /bin/gzip usr/bin
 # cp /usr/bin/bzip2 usr/bin
 # cp /usr/bin/zoo usr/bin
 # cp /usr/bin/unrar usr/bin
 # cp /usr/bin/unarj usr/bin
 # cp /usr/bin/lha usr/bin

Copy the configuration files for our system to our chroot etc directory. Please note that if you ever make any changes in the originals you will need to copy them again to this directory.

 # cp /etc/protocols etc
 # cp /etc/services etc
 # cp /etc/hosts etc
 # cp /etc/magic etc 
 # cp /etc/resolv.conf etc
 # cp /etc/group etc
 # cp /etc/passwd etc

Copy the SpamAssassin files we need to our chroot directory

 # cp /etc/spamassassin/local.cf etc/spamassassin/
 # cp -r /usr/share/spamassassin usr/share

Set strict permissions. Note that amavisd must own its home directory (/var/lib/amavis) otherwise it will generate permissions errors.

 # chown -R root:amavis etc dev tmp usr var
 # chown -R amavis:amavis .spamassassin .razor quarantine var/dcc 
 # chmod 1777 tmp
 # chmod 666 dev/null

Edit Amavisd

Since we will be running Amavisd in a chroot jail, Amavisd will still need to have access to certain Perl modules which will not be inside that jail. This means editing the Amavisd Perl script to ensure that all necessary modules will be included before Amavisd enters its chroot jail.

Edit the /usr/sbin/amavisd-new file to add the following line at the bottom of the fetch modules list. This will make sure that these modules get pre-compiled. Reminder: since the file is read-only you'll need to use :w! to save your changes. Look for the sub fetch_modules around line 100, and the modules list a couple lines later. (In vi, type :set number to see the line numbers).

 Net::DNS::RR::MX Net::DNS::RR::NS Net::DNS::RR::A Net::Ping
 Net::DNS::RR::CNAME Net::DNS::RR::SOA
 Mail::SpamAssassin::PerMsgLearner bytes

Basically amavisd pre-compiles all the modules it needs so that once it is chrooted it won't need access to any of the perl files. Without these changes, you will get an error message like: Can't locate auto/POSIX/setgid.al or Can't locate Net/DNS/RR/MX.pm when you try to run amavisd in chroot mode. (If you notice there is a pattern here, so if you see any different messages like this, you should be able to just add them to the list--just substitute :: for / in the name and remove the final extension).
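
The substitution rule described above, as an added example that is not part of the original notes: it reads amavisd debug output, extracts every Can't locate error, and prints the module names still missing from the fetch_modules list. The function names and the sample log lines are constructed for illustration.

```shell
# Added example (not from the original notes): turn "Can't locate ..." errors
# from a chrooted amavisd run into module names for the fetch_modules list.

# modules_from_errors: read log text on stdin; print each missing module once,
# with "/" replaced by "::" and the .pm or .al extension removed.
modules_from_errors() {
    sed -n -e "s#.*Can't locate \([A-Za-z0-9_/]*\)\.pm .*#\1#p" \
           -e "s#.*Can't locate \([A-Za-z0-9_/]*\)\.al .*#\1#p" |
        sed 's#/#::#g' | LC_ALL=C sort -u
}

# modules_to_add LISTED...: like modules_from_errors, but drop names that are
# already in the fetch_modules list (passed as arguments).
modules_to_add() {
    modules_from_errors | while IFS= read -r mod; do
        keep=1
        for have in "$@"; do
            if [ "$mod" = "$have" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then echo "$mod"; fi
    done
}

# Constructed sample of debug output (PIDs, paths and line numbers are invented).
sample_errors() {
    cat <<'EOF'
amavisd[412]: Can't locate Net/DNS/RR/MX.pm in @INC (@INC contains: /etc/perl) at (eval 31) line 3.
amavisd[412]: Can't locate auto/POSIX/setgid.al in @INC (@INC contains: /etc/perl) at /usr/sbin/amavisd-new line 0.
amavisd[412]: Can't locate Net/DNS/RR/MX.pm in @INC (@INC contains: /etc/perl) at (eval 31) line 3.
amavisd[419]: Can't locate Net/DNS/RR/SOA.pm in @INC (@INC contains: /etc/perl) at (eval 31) line 3.
EOF
}

# Net::DNS::RR::SOA and Net::Ping stand in for modules already on the list.
sample_errors | modules_to_add Net::DNS::RR::SOA Net::Ping
```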

Create list and bounced message files

Create our whitelist, blacklist and spam_lovers files. These files are lists with 1 email address or domain per line (in lower case), of recipients and senders that we want to treat specially. Senders in the blacklist file are automatically marked as SPAM. Senders in the whitelist file are never marked as SPAM. Recipients in the spam_lovers are basically your users that want to opt-out of the spam blocking system.

 # touch /var/lib/amavis/blacklist
 # touch /var/lib/amavis/whitelist
 # touch /var/lib/amavis/spam_lovers

You will want to add spam@mta1.domain.com into the spam_lovers textfile. This way all the spam your users send to your bayesian learner won't be blocked. You can also add the notspam address.

 # echo spam@mta1.domain.com >> /var/lib/amavis/spam_lovers
 # echo notspam@mta1.domain.com >> /var/lib/amavis/spam_lovers 

Create the message that we want to send to the spammers when we use D_BOUNCE to bounce the message back to them. Even if you are not bouncing mail back, you will need this file to exist. Just create and edit the following file: /var/lib/amavis/notify_spam_sender.txt

 From: SpamAssassin <helpdesk@domain.com>
 Subject: **Message you sent blocked by our SPAM filter**
 [? %m |#|In-Reply-To: %m]
 Message-ID: <SS%n@%h>

 Your message to: %R
 has triggered our SpamAssassin SPAM filters and has been rejected. The email you sent with the following subject has NOT BEEN DELIVERED:

 Subject: %j

 Our company uses a set of email filters to help block the delivery of unsolicited commercial email, otherwise known as SPAM. For more information on SPAM, please visit http://spam.abuse.net.

 If you believe that you have received this message in error, please accept our sincere apologies. We ask that you please reply to this email message. When we receive your reply, we will add your email address to our whitelist of approved senders so that in the future we can avoid making this mistake again. Please note that this is a manual process and is only done during business hours.

 The report below will help you determine why your message was flagged as SPAM. If you continue to have problems, please contact our Helpdesk at 800-555-1212.

 Thank you very much,

 Postmaster

 SpamAssassin report:
 [%A
 ]

Make sure you include a blank line as the first line in the file.

Test Amavisd

To test your Amavisd configuration, start the program with the debug option:

 # clear
 # /usr/sbin/amavisd-new debug

Use CTRL-C to exit.

Setup Postfix and test whole system

Enable Amavisd in the Postfix configuration file by uncommenting the content filter line. Then be sure that Amavisd is running at boot time (if you installed from RPM or DEB, this should be the case; if you installed from source, you will have to add a startup script like we did last time).

Start up Postfix and Amavisd

 # postfix stop
 # postfix start 
 # /usr/sbin/amavisd-new debug

Now we want to test the system and verify that messages are getting scanned. SpamAssassin includes with it two sample files that contain either SPAM or non-SPAM triggers. Depending on how you installed SpamAssassin, you will have to discover where they went. Locate them, and get a new Xterm so that we can pass them into our mail system.

 # cat sample-spam.txt | mail root
 # cat sample-nonspam.txt | mail root 

Watch the Amavisd debugging window and observe the settings.

Then, view the mail spool file for root in /var/mail/root and see that these files have been processed by our system. Each should contain information in its headers pertaining to its SpamAssassin score. Note that if you left the minimum hits required setting above at 6.3, then neither will classify as spam (the sample-spam.txt file classifies at around 3.5).



Last edited October 4, 2003 9:25 pm (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.