Postfix with Cyrus, Clamav and Spamassassin


Niels - December 31, 2005
Heads up!    This post was written 15 years ago.

This is a quick howto on how to get it all running. Most of the software used is a lot more powerful than this howto suggests. Once you have it all up and running make sure to spend some time checking out the full potential of your setup.

Get all the packages:

Include

deb http://ftp2.de.debian.org/
debian-volatile sarge/volatile main

in your /etc/apt/sources.list to make sure you get updates on the clamav engine (and not just the virus data as provided by freshclam).

apt-get install postfix clamav clamav-base clamav-daemon clamav-freshclam amavisd-new spamassassin spamc razor pyzor cyrus21-admin cyrus21-common cyrus21-imapd cyrus21-pop3d

The amavis package recommends a lot of tools like unzip, unrar, etc. It’s best to install all of them; using dselect might be helpful here.

Clamav

Clamav will run fine without changing any settings. To make sure Clamav plays nicely with Amavis add the clamav user to the amavis group in /etc/group:

postfix:x:104:
postdrop:x:105:
mysql:x:106:
clamav:x:107:
amavis:x:108:clamav

You can do this by typing:

adduser clamav amavis

Spamassassin

Switch user to amavis:

peen:~# su - amavis

Then run the commands required to enable Razor to be used by Spamassassin:

[email protected]:~$ razor-admin -create
[email protected]:~$ razor-admin -register
Register successful. Identity stored in /var/lib/amavis/.razor/
identity-ruu0K-KHfE

Also enable Pyzor:

[email protected]:~$ pyzor discover
downloading servers from http://pyzor.sourceforge.net/cgi-bin/
inform-servers-0-3-x

Create/edit /etc/spamassassin/local.cf. Mine is very simple:

report_safe 0
skip_rbl_checks 1

I turn off rbl checks in spamassassin as I will have postfix do this instead; see below. No other changes are required.

By default spamassassin is disabled on Debian. Make sure to edit /etc/default/spamassassin and start it:

peen:~# /etc/init.d/spamassassin start
Starting SpamAssassin Mail Filter Daemon: spamd.

Amavis

/etc/amavis/amavisd.conf requires a few configuration changes. Please find the settings quoted below and adjust them to match your setup.

…
$mydomain = ‘peen.net’;
…
$forward_method = ’smtp:127.0.0.1:10025′;
$notify_method = $forward_method;
…
@local_domains_acl = ( “.$mydomain”, “.localhost” );
…
$inet_socket_port = 10024;
…

Also make sure you turn on spamassassin support by removing this line:

@bypass_spam_checks_acl = qw( . );

The rest of the defaults are fine. Now restart amavis:

peen:~# /etc/init.d/amavis restart
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.

And do a tail on your syslog to make sure it detects Clamav and Spamassassin:

peen:~# tail -4 /var/log/syslog
Dec 1 11:42:38 peen amavis[15613]: Using internal av scanner code for (primary) Clam Antivirus-clamd
Dec 1 11:42:38 peen amavis[15613]: Found secondary av scanner Clam Antivirus – clamscan at /usr/bin/clamscan
Dec 1 11:42:38 peen amavis[15613]: SpamControl: initializing Mail::SpamAssassin
Dec 1 11:42:39 peen amavis[15613]: SpamControl: done

Cyrus

The default Cyrus configuration will work for us. We do however need to set sasl passwords and create mailboxes:

peen:~# saslpasswd2 cyrus
Password:
Again (for verification):
peen:~# saslpasswd2 niels
Password:
Again (for verification):

The cyrus user is used for administering Cyrus. The niels user is, well, me. Now create the mailbox for niels:

peen:~# su – cyrus
[email protected]:~$ cyradm localhost
IMAP Password:
localhost.localdomain> cm user.niels
localhost.localdomain> exit

Postfix

Finally we’ll need Postfix to actuall get this thing going. We need to add quite a bit to /etc/postfix/master.cf to make sure Postfix can communicate with Amavis:

…
smtp-amavis unix – – n – 2 smtp
-o smtp_data_done_timeout=1200

127.0.0.1:10025 inet n – n – – smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000

Then we edit /etc/postfix/main.cf to accept email for our domain, do rbl checks, send email to Amavis and deliver it to Cyrus:

smtpd_banner = peen.net ESMTP
biff = no

append_dot_mydomain = no

myhostname = xxx-xxx-xxx-xxx.solcon.nl
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = peen.net, localhost.localdomain, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8, 192.168.2.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mailbox_transport=
lmtp:unix:/var/run/cyrus/socket/lmtp
content_filter = smtp-amavis:[127.0.0.1]:10024

smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
reject_rbl_client relays.ordb.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit

smtpd_data_restrictions =
reject_unauth_pipelining,
permit

Now restart postfix and you’re ready to receive email!

peen:~# /etc/init.d/postfix restart
Stopping mail transport agent: Postfix.
Starting mail transport agent: Postfix.