# Postfix, Amavis AND spamassassin

## Endolf

Hi

  recently moving over to gentoo from redhat, under redhat i'm using postfix with amavis-new to run it through f-prot and spamassass. I love emerge now  :Smile: , so i want to try something that gentoo has ebuilds for. I have postfix and amavis with f-prot running happily, but i can't add a filter for spamassassin as (if i remeber rightly) postfix can't cope?, some of the mail i receive via my smtp server is incomming to my domain, but destined for other mailboxs off site, so i can't do anything with procmail, but i still want to vscan and spam filter his mails, any ideas?

Cheers

Jeremy

----------

## kashani

http://advosys.ca/papers/postfix-filtering.html

I've got 3 very happy installs of the above using Gentoo, spamassassin, and Postfix 1.x. I haven't tried it under 2.x, but from checking the docs I doubt you'd have a problem under 2.x

kashani

----------

## Endolf

Hi

  just thought i'd post this so anyone searching in future (like me the next time i have to do it  :Razz: ) can see how it's done

at the bottom of /etc/postfix/main.cf add 

```
content_filter = filter:

soft_bounce = yes

```

at the bottom of /etc/postfix/master.cf add

```
localhost:10025  inet  n  -  y  -  -   smtpd -o content_filter=

filter    unix  -   n   n   -   -   pipe

  user=filter argv=/usr/local/filter/filter.sh -f ${sender} -- ${recipient}

```

create a filter group

create a filter user in said group

create /usr/local/filter

in it create filter.sh

```

#!/bin/sh

#

# filter.sh

#

# Simple filter to plug Anomy Sanitizer and SpamAssassin

# into the Postfix MTA

#

# From http://advosys.ca/papers/postfix-filtering.html

# Advosys Consulting Inc., Ottawa

#

# For use with:

#    Postfix 20010228 or later

#    Anomy Sanitizer revision 1.49 or later

#    SpamAssassin 2.42 or later

#

# Note: Modify the file locations to match your particular

#       server and installation of SpamAssassin.

# File locations:

# (CHANGE AS REQUIRED TO MATCH YOUR SERVER)

INSPECT_DIR=/var/spool/filter

SENDMAIL=/usr/sbin/sendmail

ANOMY=/usr/local/anomy

ANOMY_CONF=/usr/local/anomy/anomy.conf

SPAMASSASSIN=/usr/bin/spamassassin

AMAVIS=/usr/sbin/amavis

export ANOMY

# Exit codes from <sysexits.h>

EX_TEMPFAIL=75

EX_UNAVAILABLE=69

cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }

# Clean up when done or when aborting.

trap "rm -f in.$$; rm -f out.$$" 0 1 2 3 15

#cat | $SPAMASSASSIN -x | $ANOMY/bin/sanitizer.pl \

#   $ANOMY_CONF 2>>/tmp/anomy.log > out.$$ || \

#   { echo Message content rejected; exit $EX_UNAVAILABLE; }

cat | $SPAMASSASSIN -x > out.$$ || \

   { echo Message content rejected; exit $EX_UNAVAILABLE; }

#$SENDMAIL "$@" < out.$$

$AMAVIS $2 $4 < out.$$

exit $?

```

(filter.sh is stolen and *modifiled* from kashani, see his post for details)

make sure filter can run this script, i've made amavis suid too (as amavis user) as amavis needs to run as amavis. restart postfix and try it, i think thats all, i'll post back if anyone says it doesn't work.

HTH

Jeremy

----------

## cPF

I just wanted to note that there is a more simple solution (?) for people who want to just filter mail delivered locally to a user's maildir or whatever... I thought filtering outbound mail is waste of time in a "secure" LAN

First of all, you could use fetchmail with procmail as the mailer, or as i did use procmail as the local mailer for Postfix. Here's a short description:

```
emerge procmail Mail-SpamAssassin

untar/gunzip http://mailtools.anomy.net/ release to /opt/
```

/etc/postfix/main.cf:

```
mailbox_command = /usr/bin/procmail
```

/etc/procmailrc: made it not suid root and added. I haven't had issues with this change(?).

```
DEFAULT=$HOME/.maildir/

VERBOSE=off

DROPPRIVS=on

SPAMFOLDER=$HOME/.maildir/.spam/

:0 fw

| /opt/anomy/bin/sanitizer.pl /opt/anomy/anomy.conf

:0 fw

| /usr/bin/spamassassin -x

:0:

* ^X-Spam-Status: Yes

$SPAMFOLDER

```

I had to make those spam folders manually like:

```
maildirmake ~/.maildir/.spam
```

----------

## klasikahl

When using what Endolf describes:

```

Jun 10 16:05:57 [postfix/smtpd] connect from pit[192.168.1.100]

Jun 10 16:05:57 [postfix/smtpd] C09E6304AB: client=pit[192.168.1.100]

Jun 10 16:05:57 [postfix/cleanup] C09E6304AB: message-id=<200306101605.57798.zack@tehunlose.com>

Jun 10 16:05:57 [postfix/qmgr] C09E6304AB: from=<zack@tehunlose.com>, size=2139, nrcpt=1 (queue active)

Jun 10 16:05:57 [pipe] fatal: pipe_comand: execvp /usr/local/filter/filter.sh: Permission denied

Jun 10 16:05:57 [postfix/smtpd] disconnect from pit[192.168.1.100]

Jun 10 16:05:58 [postfix/pipe] C09E6304AB: to=<zack@klasikahl.com>, relay=filter, delay=1, status=deferred (SOFT BOUNCE - Command died with status 1: "/usr/local/filter/filter.sh")
```

HELP!!! This is very urgent!   :Laughing: 

----------

## Endolf

```
chown postfix /usr/local/filter/filter.sh

chmod 755 /usr/local/filter/filter.sh
```

maybe  :Smile: 

----------

## klasikahl

still no-go

----------

## kashani

Hmmm I managed to do exactly that to myself at the first time I used the link I provided.

It was permission related. I suggest going through the doc and making sure all files, directories, users, etc are exactly as they describe them. I believe I did it to myself when I recreated one file or another. IIRC everything should be owned by the filter user you should have created. Hope that helps.

kashani

----------

## Endolf

try

```
chown filter:filter /usr/local/filter/filter.sh 

chmod 775 /usr/local/filter/filter.sh
```

instead (which is the correct one, I had forgotten that it is run by filter not postfix), make sure the line in master.cf that runs the filter script has user=filter in it.

HTH

Endolf

----------

## klasikahl

Well, I got this all working.

First (and I don't know if this affected anything), I did `chown -R filter:filter /var/amavis`.  Then, I had to comment out the SENDMAIL line in the filter.sh which makes PERFECT sense.  If it were not for the sendmail line, the mail would not make it past the filters!

Regards

----------

## klasikahl

Oh, but amavis still won't work (so I commented it out; I would like it to be working, though).

Here is the log...

```
Jun 21 20:01:41 cerebellum amavisd[19640]: starting.  amavis 0.3.12 Sat Jun  7 11:17:54 MST 2003

Jun 21 20:01:41 cerebellum amavisd[19640]: Virus scanner failure: Clamd - can't connect to daemon

Jun 21 20:01:41 cerebellum amavisd[19640]: mail forwarding failed, retry: Failure to connect to local SMTP port: Connection refused at /usr/sbin/amavis line 565, <GEN0> line 66. (message-id=<20030621195928.13ef95ea.akpm@digeo.com>)

Jun 21 20:01:41 cerebellum amavisd[19640]: do_exit:433 - ending execution with 75

```

----------

## Genone

I also have problems with clamav, the clamd daemon just don't run here. The last 2 lines from strace are:

```
setgroups32(0x1, 0x401be448)            = 0

setgid32(0x1fbupeek: ptrace(PTRACE_PEEKUSER, ... ): Operation not permitted
```

If anybody can confirm this I'll file a bug.

----------

## Slynix

Just wanted to say that I found this method to just make my mail server slower/mails taking more time. So Its not offline and Im using postfix own options to filter mail

----------

## klasikahl

If your mailserver is slowing down, try making /usr/local/filter and /var/spool/filter tmpfs.  That should speed things up.  Also, have a look at that advosys article on postfix filtering.  It covers performance hits later on.

Switching the stuff over to tmpfs sped my mailserver up about 10x.  Just make sure to not mount the tmpfs over files you currently need.  :Wink: 

----------

## klasikahl

 *Genone wrote:*   

> I also have problems with clamav, the clamd daemon just don't run here. The last 2 lines from strace are:
> 
> ```
> setgroups32(0x1, 0x401be448)            = 0
> 
> ...

 

No bug here.  This is working just fine for me.  Appparently, I didn't have clamav.conf set up correctly.  I have not had such ptrace errors, though...

----------

## Genone

This bug annoys me especially as I wanted to write an ebuild for amavisd-new, but without a virus scanner it's difficult to test   :Rolling Eyes: 

----------

## javock

 *cPF wrote:*   

> 
> 
> ```
> emerge procmail Mail-SpamAssassin
> 
> ...

 

Hey there!

How do you make spamassassin learn what's spam and what has been a false possitive?

Thanks!

----------

