# Help with Postfix, Amavis, and Spamassassin?

## ca_grover

Did a search of the forums and found a few useful tips, but I'm still having troubles...

I have followed the instructions at http://freshmeat.net/articles/view/857/ and am able to run the clamscan and spamassassin tests no problem.  However, I'm running into problems with configuring amavis, and getting Postfix running right.  (Postfix runs fine if I remove the config lines indicated in the URL.)

First, the guide indicates I should have an amavis config file (at /etc/amavisd.conf), but this does not exist.  A search of my system using 

```
find / | grep 'amavis'
```

doesn't reveal any amavisd.conf file.  So, I have to assume I need to create one.  But is the location correct?

Next, the guide indicates the modifications to Postfix's main.cf and master.cf files.  I've done these, and restarted Postfix.  Doing a netstat -ln shows that I have port 10025 open, but not port 10024.  As I understand things (which could be wrong), this means my config will not work.

Anyone have any tips or suggestions on these issues?  Thanks.

----------

## SimianRage

Are you using net-mail/amavis or net-mail/amavisd-new? 

/etc/amavisd.conf is part of the amavisd-new package, which uses a daemon (amavisd) instead of an in-process filter.

If you are using the amavis package and you want to configure it with postfix, look at the instructions in /usr/share/doc/amavis-0.3.12/README.postfix.gz (or whatever version of amavis is installed). If you are using amavisd-new, then I don't know why the config file isn't there.

----------

## shad0w

http://lawmonkey.org/anti-spam.html

(how-to; it's for OpenBSD... but I got mine working with this doc)

----------

## ca_grover

I'm using net-mail/amavis, not amavisd-new.

So, with that in mind, the instructions at the link shad0w posted don't work either. (I had found that link in my previous efforts, and tried to follow them... hence the reason I can't find my amavisd.conf file.)

I've tried a few of the online guides, but each one resulted in Postfix not accepting any mail.

I've had to remove my Postfix installation and re-emerge it, as well as courier-imap to get mail functioning again properly. (musta missed something when I was "undoing" my attempts to get amavis running.)  Then discovered the newest version of Postfix needs cyrus-sasl installed.  Had to re-learn how to disable this.  But now that I have a "clean" install, I'll try the instructions in /usr/share/doc/amavis-0.3.12/README.postfix.gz.

Thanks.

----------

## ca_grover

ok, I followed the instructions for Amavis in /usr/share/doc/amavis-0.3.12/README.postfix.gz.

As soon as I restart postfix (either with postfix reload, or /etc/init.d/postfix stop & start), I cannot send or receive email.

If I comment out the content_filter line, AND the mynetworks=192.168.6.0/8, 127.0.0.0/8 lines, email works again fine.  (The required changes have also been made to /etc/postfix/master.cf.)

Also, if I run "nmap localhost", I don't show port 10025 as being open.

here's the entry in my master.cf file:

```
#
#       AMAVIS Config
#
vscan     unix  -       n       n       -       10      pipe user=amavis  argv=/usr/sbin/amavis ${sender} ${recipient}
localhost:10025 inet    n       -       n       -       -       smtpd -o content_filter=
```

and here are the pertinent lines in main.cf

```
#mynetworks = 192.168.0.0/8, 127.0.0.0/8
#
#       AMAVIS Config
#
#content_filter = vscan:
```

I'm stumped on this... Thanks for any input

----------

## SimianRage

*ca_grover wrote:*

> Also, if I run "nmap localhost", I don't show port 10025 as being open.

I don't use nmap much, but when I run "nmap localhost" I don't see 10025 being open either. Does it scan all ports or just well-known ones? Anyway, try

```
telnet localhost 10025
```

to see if it's listening. You can also just run "netstat -l" and look for port 10025 as well.

*Quote:*

> here's the entry in my master.cf file:
> ...


Your config looks ok to me. I initially was using amavis, then I switched to amavisd-new. But it was working with amavis, so if it helps here are my configs.

master.cf

```
# amavis virus scan interface
vscan     unix  -       n       n       -       10      pipe
  user=amavis argv=/usr/sbin/amavis ${sender} ${recipient}

# amavisd virus scan interface
smtp-amavis unix -  -   n -   2  smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes

# daemon that amavis/amavisd pass mail to for local delivery
127.0.0.1:10025 inet n  -  n -  -  smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o myhostname=somehost.somedomain
  -o smtpd_restriction_classes=
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
```

main.cf

```
# Anti-virus control
#content_filter = vscan:
content_filter = smtp-amavis:[127.0.0.1]:10024
```

To use amavis I would just enable the vscan content filter instead of the smtp-amavis one.

----------

## robochan

You might check out this article. It's Debian oriented, but perhaps it might be of some help.

----------

## BackSeat

*ca_grover wrote:*

> `#mynetworks = 192.168.0.0/8, 127.0.0.0/8`
> ...


Those five lines are all commented out...

BS

----------

## ca_grover

Thanks SimianRage and robochan.  It looks as though I might have better luck with amavisd-new.  I'll emerge it later this week and give it a go.

With regards to nmap, SimianRage was right - it doesn't get reported, but I can telnet to the port.  (I didn't know nmap was not a full portscanner.)  But, I still run into the same problem... Once I uncomment the content_filter line, and reload postfix, my server stops processing incoming or outgoing mail.  (i.e. I don't receive any mail that I send to myself from outside my network, or mail I send from within my network never gets delivered.)  The moment I comment out the line, and reload postfix again, all the messages I tried to send/receive while it was uncommented suddenly get delivered.

So, I think later this week I will un-emerge Amavis, and then emerge amavisd-new.  I can't see how it would hurt anything... (fingers crossed).

Thanks again for the tips.

----------

## ca_grover

I've done an emerge -C amavis, then emerged amavisd-new.  Next I matched my postfix config files to SimianRage's.  The moment I reload Postfix, I lose port 25 on the server.  If I comment out the content_filter line in main.cf, then reload again, port 25 is available...

In the short term I'm going to assume I've missed a step in my rush to try this out.  I'll be going over the posted links in detail tomorrow (need sleep tonight).  However, I'm wondering if I have a configuration problem somewhere else.  If I'm dropping port 25 when I activate amavisd, could it be that my network config has a problem?  (I do have an outstanding ARP issue I haven't been able to resolve, but it doesn't affect Postfix on my internal network, or sending to my server from an external source.)

Thanks once again for any tips.

----------

## SimianRage

Did you start the amavisd service (/etc/init.d/amavisd)?  And, assuming you're configuring postfix to use port 10024 for amavisd and 10025 for postfix, make sure /etc/amavisd.conf has these 2 lines:

```
# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
#   (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
$inet_socket_port = 10024;        # accept SMTP on this local TCP port
                                  # (default is undef, i.e. disabled)

# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
# (set host and port number as required; host can be specified
# as IP address or DNS name (A or CNAME, but MX is ignored)
$forward_method = 'smtp:127.0.0.1:10025';  # where to forward checked mail
```

I can't remember if these were configured by default already or if I had to make the changes.
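The three files discussed in this thread (main.cf's content_filter, the master.cf transport and reinjection listener, and amavisd.conf's $inet_socket_port / $forward_method) have to agree with each other, or mail either sits in the queue or loops back through the scanner. The script below is an added example, not code from the thread or from the amavisd-new or Postfix projects; it parses constructed fragments of all three files (the hostnames, ports and sample lines are assumptions) and reports the mismatches that match the symptoms described above, including a reinjection listener missing `-o content_filter=` and a content_filter transport that has no master.cf service.

```python
"""Config cross-check for a Postfix -> amavisd-new -> Postfix filter loop.
Sample configs below are constructed for this example (not real files)."""
import re

MAIN_CF = """\
myhostname = mail.example.test
content_filter = smtp-amavis:[127.0.0.1]:10024
"""

MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtp-amavis unix -  -   n -   2  smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -  n -  -  smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
"""

# Same, but the reinjection listener forgot "-o content_filter=".
BROKEN_MASTER_CF = MASTER_CF.replace("  -o content_filter=\n", "")

AMAVISD_CONF = """\
$inet_socket_port = 10024;        # accept SMTP on this local TCP port
$forward_method = 'smtp:127.0.0.1:10025';  # where to forward checked mail
"""


def parse_main_cf(text):
    """main.cf 'key = value' lines -> dict; '#' comments ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_master_cf(text):
    """master.cf services -> list of dicts. The 8 columns are
    name type private unpriv chroot wakeup maxproc command; indented
    '-o key=value' lines are overrides for the preceding service."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([^=]+)=(.*)", line)
            if m and services:
                services[-1]["options"][m.group(1).strip()] = m.group(2).strip()
            continue
        f = line.split()
        if len(f) >= 8:
            services.append({"name": f[0], "type": f[1],
                             "command": f[7], "options": {}})
    return services


def parse_amavisd_conf(text):
    """Scalar Perl assignments ($name = value; or $name = 'value';) -> dict."""
    pat = re.compile(r"^\s*\$(\w+)\s*=\s*'?([^';#]+?)'?\s*;", re.M)
    return {m.group(1): m.group(2).strip() for m in pat.finditer(text)}


def port_of(nexthop):
    """Trailing ':port' of '[127.0.0.1]:10024' or 'smtp:127.0.0.1:10025'."""
    return nexthop.rsplit(":", 1)[1] if ":" in nexthop else None


def check_filter_loop(main_cf, master_cf, amavisd_conf):
    """Return a list of problems; an empty list means the loop is consistent."""
    problems = []
    main, services = parse_main_cf(main_cf), parse_master_cf(master_cf)
    amavis = parse_amavisd_conf(amavisd_conf)

    cf = main.get("content_filter", "")
    if not cf:
        return ["main.cf: content_filter unset, so nothing is scanned"]
    transport, _, nexthop = cf.partition(":")
    if transport not in {s["name"] for s in services}:
        problems.append(f"master.cf: no '{transport}' service for content_filter")
    want, have = port_of(nexthop), amavis.get("inet_socket_port")
    if want and want != have:
        problems.append(f"content_filter targets port {want} but "
                        f"$inet_socket_port is {have}")

    # The listener amavisd hands scanned mail back to must not filter again.
    back = port_of(amavis.get("forward_method", ""))
    listeners = [s for s in services
                 if s["type"] == "inet" and s["name"].endswith(f":{back}")]
    if not listeners:
        problems.append(f"master.cf: no inet listener on port {back} "
                        "for amavisd $forward_method")
    for s in listeners:
        if s["options"].get("content_filter") is None:
            problems.append(f"master.cf: {s['name']} lacks '-o content_filter=', "
                            "so scanned mail would be fed back to amavisd")
        if not s["name"].startswith(("127.0.0.1:", "localhost:")):
            problems.append(f"master.cf: {s['name']} is not bound to loopback")
    return problems
```

Calling `check_filter_loop(MAIN_CF, MASTER_CF, AMAVISD_CONF)` returns an empty list for the consistent sample, while `BROKEN_MASTER_CF` yields the single "lacks '-o content_filter='" finding. To run it against a live box, read the three real files into the arguments instead of the embedded samples; the parser only understands the scalar `$name = value;` assignments it needs, not the full Perl syntax of amavisd.conf.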

----------

## BlinkEye

tried that too but i still get the "mail transport unavailable".

i get 

```
warning: connect to transport vscan: Connection refused
```

too, i know something's wrong but i don't know what and why. i'm using the same configs as provided everywhere...

could someone post his /etc/amavisd.conf file with the following command so we/i might compare?

```
grep -v "^#" /etc/amavisd.conf
```

----------

## SimianRage

```
egrep -v '^\s*$|^\ *#' /etc/amavisd.conf
```

```

use strict;
$MYHOME = '/var/run/amavis';   # (default is '/var/amavis')
$mydomain = 'somedomain.somewhere';      # (no useful default)
$daemon_user = 'amavis';        # (no default;  customary: vscan or amavis)
$daemon_group = 'amavis';       # (no default;  customary: vscan or amavis)
$TEMPBASE = $MYHOME;            # (must be set if other config vars use is)
$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory
$max_servers  =  2;   # number of pre-forked children          (default 2)
$max_requests = 10;   # retire a child after that many accepts (default 10)
$child_timeout=5*60;  # abort child if it does not complete each task in n sec
@local_domains_acl = ( ".$mydomain" );  # $mydomain and its subdomains
                                  # (does not apply to sendmail/milter)
                                  # (default is true)
$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
$inet_socket_port = 10024;        # accept SMTP on this local TCP port
@inet_acl = qw( 127.0.0.1 );      # allow SMTP access only from localhost IP
$DO_SYSLOG = 1;                   # (defaults to false)
$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)
$log_level = 2;           # (defaults to 0)
$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
<%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
$final_virus_destiny      = D_BOUNCE;  # (defaults to D_BOUNCE)
$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_REJECT;  # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested
$viruses_that_fake_sender_re = new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc
  [qr'^(EICAR|Joke\.|Junk\.)'i         => 0],
  [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i  => 0],
  [qr/.*/ => 1],  # true by default  (remove or comment-out if undesired)
);
$virus_admin = "virusalert\@$mydomain";
$mailfrom_notify_admin     = "virusalert\@$mydomain";
$mailfrom_notify_recip     = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
$mailfrom_to_quarantine = '';   # override sender address with null return path
$QUARANTINEDIR = '/var/virusmails';
$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
$spam_quarantine_to = 'spam-quarantine';
$X_HEADER_TAG = 'X-Virus-Scanned';      # (default: undef)
$X_HEADER_LINE = "by amavisd-new at $mydomain";
$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it
$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
                                        # (defaults to false)
$remove_existing_spam_headers  = 1;     # remove existing spam headers if
                                        # spam scanning is enabled (default)
$keep_decoded_original_re = new_RE(
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
);
$banned_filename_re = new_RE(
   qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # double extension
   qr'^\.exe$'i,                                     # banned file(1) types
   qr'^application/x-msdownload$'i,                  # banned MIME types
   qr'^application/x-msdos-program$'i,
);
$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting
$recipient_delimiter = '+';             # (default is '+')
$localpart_is_case_sensitive = 0;       # (default is false)
$blacklist_sender_re = new_RE(
    qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
    qr'^(investments|lose_weight_today|market.alert|money2you|MyGreenCard)@'i,
    qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
    qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
    qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
    qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);
map { $whitelist_sender{lc($_)}=1 } (qw(
  nobody@cert.org
  owner-alert@iss.net
  slashdot@slashdot.org
  bugtraq@securityfocus.com
  NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  security-alerts@linuxsecurity.com
  amavis-user-admin@lists.sourceforge.net
  notification-return@lists.sophos.com
  mailman-announce-admin@python.org
  owner-postfix-users@postfix.org
  owner-postfix-announce@postfix.org
  owner-sendmail-announce@Lists.Sendmail.ORG
  owner-technews@postel.ACM.ORG
  lvs-users-admin@LinuxVirtualServer.org
  ietf-123-owner@loki.ietf.org
  cvs-commits-list-admin@gnome.org
  rt-users-admin@lists.fsck.com
  clp-request@comp.nus.edu.sg
  surveys-errors@lists.nua.ie
  emailNews@genomeweb.com
  owner-textbreakingnews@CNNIMAIL12.CNN.COM
  yahoo-dev-null@yahoo-inc.com
  returns.groups.yahoo.com
));
$MAXLEVELS = 14;                # (default is undef, no limit)
$MAXFILES = 1500;               # (default is undef, no limit)
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$MIN_EXPANSION_FACTOR =   5;  # times original mail size  (must be specified)
$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (must be specified)
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file   = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability
$gzip   = 'gzip';
$bzip2  = 'bzip2';
$lzop   = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze   = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc        = ['nomarch', 'arc'];
$unarj      = ['arj', 'unarj'];  # both can extract, arj is recommended
$unrar      = ['rar', 'unrar'];  # both can extract, same options
$zoo    = 'zoo';
$lha    = 'lha';
$cpio   = 'cpio';   # comment out if cpio does not support GNU options
$sa_local_tests_only = 1;   # (default: false)
$sa_timeout = 30;           # timeout in seconds for a call to SpamAssassin
                            # (default is 30 seconds, undef disables it)
$sa_mail_body_size_limit = 150*1024; # don't waste time on SA if mail is larger
                            # (less than 1% of spam is > 64k)
                            # default: undef, no limitations
$sa_tag_level_deflt  = 3.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.3; # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
                            # at or above that level: bounce/reject/drop,
                            # quarantine, and adding mail address extension
$sa_dsn_cutoff_level = 10;  # spam level beyond which a DSN is not sent,
                             # (only seen when spam is not to be rejected
                             # and recipient is in local_domains*)
@av_scanners = (
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/share/kav/bin/aveclient','/opt/kav/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\bINFECTED\b/,
    qr/INFECTED (.+)/,
  ],
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',       'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
  ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
    ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/ ],
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/, qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
  ['drweb - DrWeb Antivirus',
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
  ['F-Secure Antivirus', 'fsav',
    '--dumb --archive {}', [0], [3,8],
    qr/(?:infection|Infected): (.+)/ ],
  ['CAI InoculateIT', 'inocucmd',
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],
  ['MkS_Vir daemon',
    'mksscan', '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],
  ['ESET Software NOD32', 'nod32',
    '-all -subdir+ {}', [0], [1,2],
    qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
  ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
    '-a -r -d recurse --heur standard {}', [0], [10,11],
    qr/^\S+\s+infected:\s+(.+)/ ],
  ['Norman Virus Control v5 / Linux', 'nvccmd',
    '-c -l:0 -s -u {}', [0], [1],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],
  ['Panda Antivirus for Linux', ['pavcl'],
    '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
    qr/Number of files infected[ .]*: 0(?!\d)/,
    qr/Number of files infected[ .]*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/,
  ],
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/ ],
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
  ],
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/ ],
  ['BitDefender', 'bdc',
    '--all --arc {}', qr/^Infected files *:0(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)\033/ ],
);
@av_scanners_backup = (
  ['Clam Antivirus - clamscan', 'clamscan',
    '--stdout --disable-summary -r {}', [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],
    qr/Infection: (.+)/ ],
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
  ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
    '-i1 -xp {}', [0,10,15], [5,20,21,25],
    qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
);
1;  # insure a defined return
```

What exactly do you have in your main.cf for the content_filter value?

----------

## BlinkEye

i tried the two suggestions thrown around:

```
content_filter = vscan:
```

and

```
content_filter = smtp-amavis:[127.0.0.1]:10024
```

but as i tried every solution posted in this forum for the master.cf file and it didn't work out, i guess my amavisd.conf is wrong. damn, i just see i removed the config file as it wasn't working for a whole day and i even had to re-emerge postfix because i got the same error messages after i removed amavisd-new (don't know why, queued up some mail probably and i didn't know where to look for). so, if you'd give me the appropriate lines of your master.cf and main.cf i'll try again (this time i'll not forget to stop cron from fetching mails from other accounts!)

----------

## SimianRage

Just look at the 6th post in this thread (2nd by me) - those should be the relevant config values from master.cf and main.cf. For the amavisd set up just ignore the vscan stuff - that was for using the inline amavis program.

----------

