6.12. Mailman + postfix + amavisd-new HOWTO (anti-spam)

2004-04-08 - This is a first draft. Comments are welcome. This file is released under the GNU Free Documentation License (FDL, see below).

2004-06-28 - See also the amavisd-new page at http://www.ijs.si/software/amavisd/, and the various "HowTo" documents and other information available, further down the page at http://www.ijs.si/software/amavisd/#doc.

2004-07-14 - Note that this example uses the postfix "after-queue content filter" technique. See http://www.postfix.org/FILTER_README.html. This means that you have to accept the spam, process it through amavisd-new & SpamAssassin, and if the message is to be rejected, then the MTA (or amavisd) has to generate a bounce back to the envelope sender address. An alternative method is to use the postfix "before-queue content filter" technique (see http://www.postfix.org/SMTPD_PROXY_README.html), a.k.a. "smtpd proxy". The after-queue method is more scalable and more robust in the face of high loads, but has the problem that you're left trying to bounce garbage once you've accepted it. The before-queue method is less scalable and makes it easier to get into situations where you effectively cause a DoS attack on yourself when loaded, but it rejects the spam outright so that the sending machine has to deal with any bounce. This is generally considered to be better behaviour, since it makes your server harder to abuse as a "joe-job" amplifier.

2004-09-13 - Alternative: reinject list mail via port 10025 (see the SMTPPORT note at the end of step 5).

INTRODUCTION: Installing the antispam/antivirus amavisd-new on a mailing-list server poses a serious performance issue: when the server sends out thousands of emails to the mailing-list subscribers, some of these subscribers return bounce messages, which can number in the hundreds and might clog the antivirus daemon if you're not careful.

Here's how we do it on http://listes.rezo.net/

1) First of all, make sure you run postfix v2.x, otherwise the FILTER feature will not be available. Configure postfix so that it accepts scanned messages back from amavisd-new on localhost:10025.

Add to /etc/postfix/master.cf the following lines:

    localhost:10025 inet n  -       n       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000

2) Configure amavisd-new the usual way, so that it accepts incoming mail on localhost:10024 (or any other port you choose) and sends it back into the mail queue via localhost:10025; this is very standard, and the relevant settings are as follows, in /etc/amavis/amavis.log:

    $inet_socket_port = 10024;
    @inet_acl = qw( 127.0.0.1 );
    $max_servers  =  2; # two servers max at the same time

3) Define a smtp-amavis service on postfix, so that it can be invoked later:

Add to /etc/postfix/master.cf:

    smtp-amavis unix -      -       n       -       2       lmtp
        -o smtp_data_done_timeout=1200

Note here that the maximum number of processes running in parallel (2) is the same as in the amavisd-new configuration. You can increase both a bit if you experience delays in delivery because of amavis, but that's out of the scope of this HOWTO. 2 is fine for us, with a daily average of 10 emails to check per minute (and a powerful computer).

4) Test your filter by sending messages locally to SMTP port 10024, where amavisd-new listens.
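A small script for this test step, added here and not part of the original HOWTO: it hands a message containing the public SpamAssassin GTUBE test pattern straight to amavisd-new on 127.0.0.1:10024 (the port chosen in step 2; adjust AMAVIS_PORT if you used another) and reports how amavisd-new answered. The sender and recipient addresses at the bottom are constructed placeholders to be replaced with real local ones.

```python
"""Send a GTUBE test message into amavisd-new on localhost:10024 and report
the SMTP reply, to confirm that the content filter path is alive.

Added example, not part of the original HOWTO. Assumes amavisd-new listens
on 127.0.0.1:10024 as configured in step 2.
"""
import smtplib
from email.message import EmailMessage

# GTUBE: the public SpamAssassin test pattern; a message containing it is
# scored as spam without carrying anything harmful.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

AMAVIS_HOST = "127.0.0.1"
AMAVIS_PORT = 10024          # amavisd-new input port ($inet_socket_port)


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    """Build a minimal text message carrying the GTUBE string in its body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "amavisd-new content filter test (GTUBE)"
    msg.set_content(
        "This message tests the postfix -> amavisd-new -> postfix path.\n"
        f"{GTUBE}\n"
    )
    return msg


def classify_reply(code: int) -> str:
    """Interpret the SMTP reply code amavisd-new gives for the message.

    amavisd-new only answers 5xx when the spam/virus destiny is set to
    D_REJECT; with the default D_BOUNCE or D_DISCARD it replies 250 and
    deals with the message itself, so a 250 here does not mean the spam
    got through. The verdict is in the amavis log either way.
    """
    if 200 <= code < 300:
        return "accepted (check the amavis log for the spam verdict)"
    if 400 <= code < 500:
        return "temporarily rejected (amavisd-new busy or misconfigured)"
    if 500 <= code < 600:
        return "rejected (filter is active and configured to reject)"
    return f"unexpected reply code {code}"


def send_test(sender: str, recipient: str) -> str:
    """Deliver the test message to amavisd-new and return a one-line result."""
    msg = build_test_message(sender, recipient)
    try:
        with smtplib.SMTP(AMAVIS_HOST, AMAVIS_PORT, timeout=30) as smtp:
            smtp.ehlo("localhost")
            # send_message() raises on a 4xx/5xx answer to RCPT or DATA
            smtp.send_message(msg)
            return classify_reply(250)
    except smtplib.SMTPRecipientsRefused as exc:
        code = next(iter(exc.recipients.values()))[0]
        return classify_reply(code)
    except smtplib.SMTPDataError as exc:
        return classify_reply(exc.smtp_code)
    except OSError as exc:
        return f"no listener on {AMAVIS_HOST}:{AMAVIS_PORT} ({exc})"


if __name__ == "__main__":
    # constructed placeholder addresses; replace with real local ones
    print(send_test("postmaster@my.domain.tld", "postmaster@my.domain.tld"))
```

Run it on the list server itself (the 10024 socket only admits 127.0.0.1 per @inet_acl), then look for the GTUBE message in the amavis log and in the postfix log on port 10025 to see the message come back from the filter.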

5) Configure postfix to send all emails through the filter EXCEPT those messages that are only addressed to a list-bounces address:

Create the address regexp in /etc/postfix/amavis_check (do 'man regexp_table' to get more information):

    !/-bounces@(my\.domain\.tld|other\.domain\.net)$/i
        FILTER smtp-amavis:[127.0.0.1]:10024

Modify /etc/postfix/main.cf to have the check_recipient_access use this regexp table:

    smtpd_recipient_restrictions = permit_mynetworks
        check_client_access hash:$config_directory/access
        reject_unauth_destination
        check_recipient_access regexp:$config_directory/amavis_check
        # other UCE checks here
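To see what this regexp table actually does to a message, here is a small model of the lookup, added here and not postfix code or part of the original HOWTO. It re-implements just enough of regexp_table(5) (one pattern per rule, the leading '!' negation, continuation lines, first match wins, case-insensitive matching as postfix does by default; the flag field is accepted but otherwise ignored) to run the step 5 table over constructed recipient lists. It also models the message-wide effect of FILTER: the action fires per recipient during check_recipient_access, but the filter it selects applies to the whole message, which is why a bounce plus one ordinary recipient is still scanned while a bounce-only message is not.

```python
"""Model of the postfix regexp table from step 5 and of how a FILTER
action chosen per recipient applies to the whole message.

Added example, not postfix code and not part of the original HOWTO.
Table text and addresses are constructed for the demonstration.
"""
import re
from typing import List, Optional, Tuple

# The table exactly as written to /etc/postfix/amavis_check in step 5.
AMAVIS_CHECK_TABLE = r"""
!/-bounces@(my\.domain\.tld|other\.domain\.net)$/i
    FILTER smtp-amavis:[127.0.0.1]:10024
"""

# (negated, compiled regex, action text)
Rule = Tuple[bool, re.Pattern, str]

# "!" optional, /pattern/, flag letters, whitespace, action. The action
# is assumed to contain no "/" (true for the table above).
_RULE_RE = re.compile(r"^(!?)/(.*)/([a-zA-Z]*)(?:\s+(.*))?$")


def parse_regexp_table(text: str) -> List[Rule]:
    """Parse regexp_table text into (negated, regex, action) rules.

    As in postfix, a line starting with whitespace continues the previous
    logical line, and lines whose first non-blank character is '#' are
    comments.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    rules: List[Rule] = []
    for line in logical:
        m = _RULE_RE.match(line)
        if not m or m.group(4) is None:
            raise ValueError(f"unsupported regexp_table line: {line!r}")
        negated, pattern, _flags, action = m.groups()
        # postfix regexp tables match case-insensitively by default
        rules.append((negated == "!", re.compile(pattern, re.IGNORECASE), action))
    return rules


def lookup(rules: List[Rule], key: str) -> Optional[str]:
    """First-match lookup: a '!' rule matches when its regex does NOT."""
    for negated, regex, action in rules:
        if (regex.search(key) is not None) != negated:
            return action
    return None


def filter_for_message(rules: List[Rule], recipients: List[str]) -> Optional[str]:
    """Return the content filter postfix would use for the whole message.

    check_recipient_access looks each envelope recipient up in turn; a
    FILTER action is message-wide, and a later FILTER overrides an earlier
    one. No FILTER from any recipient means the message skips amavisd-new.
    """
    chosen: Optional[str] = None
    for rcpt in recipients:
        action = lookup(rules, rcpt)
        if action and action.upper().startswith("FILTER "):
            chosen = action.split(None, 1)[1]
    return chosen


if __name__ == "__main__":
    rules = parse_regexp_table(AMAVIS_CHECK_TABLE)
    for rcpts in (["alice@my.domain.tld"],
                  ["mylist-bounces@my.domain.tld"],
                  ["mylist-bounces@my.domain.tld", "bob@other.domain.net"],
                  ["somelist-bounces@elsewhere.example"]):
        print(rcpts, "->", filter_for_message(rules, rcpts) or "no filter")
```

The last sample shows the limit of the exemption: a -bounces address at a domain not listed in the pattern is still sent through amavisd-new, so the domain list must cover every domain your lists live in.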

An alternative could be to place this line into mm_cfg.py:

    SMTPPORT = 10025

This way Mailman injects outgoing list mail on the same port that amavisd-new uses to return scanned mail to Postfix; since that listener runs with an empty content_filter, list traffic goes straight into the queue without passing through amavisd-new again.

6) You're done. Check your log files and enjoy an almost spam- and virus-free server.

7) Now you can focus on the viruses and politics that kill people in the real world, and read "Global Aids: Myths and Facts" by Alec Irwin and Joyce Millen, published by South End Press.

REFERENCES:

  AMaViS:          http://www.amavis.org/
  amavisd-new:     http://www.ijs.si/software/amavisd/
  Mailman:         http://www.list.org/
  postfix:         http://www.postfix.org/

        Copyright (c) 2004 PHILIPPE RIVIERE.
        Permission is granted to copy, distribute and/or modify this document
        under the terms of the GNU Free Documentation License, Version 1.2
        or any later version published by the Free Software Foundation;
        with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
        Texts.

        Updated references to amavisd-new home page by Brad Knowles.
        Added notes at the top for after-queue versus before-queue content
        filtering methods, and reasons for choosing one over the other.

Converted from the Mailman FAQ Wizard


MailmanWiki: DOC/Mailman + postfix + amavisd-new HOWTO (anti-spam) (last edited 2015-03-04 04:56:04 by msapiro)