PerlStalker's SysAdmin Notes and Tools

Printer Friendly

Courier+amavisd-new

Introduction

I've been using amavis-ng with courier-mta for over a year and for various reasons, I've been unhappy with it. I decided to switch to amavisd-new. This doc describes my setup.

Note: I use FreeBSD. These docs should work for any OS that courier runs on with appropriate changes to paths, etc.

Installation

Needed Perl Modules

This list is from INSTALL in the package.

• Archive::Tar (archivers/p5-Archive-Tar)
• Archive::Zip (archivers/p5-Archive-Zip) (1.09 or later is recommended!)
• Compress::Zlib (archivers/p5-Compress-Zlib)
• Convert::TNEF (converters/p5-Convert-TNEF)
• Convert::UUlib (converters/p5-Convert-UUlib) (stick to the new versions!)
• MIME::Base64 (converters/p5-MIME-Base64)
• MIME::Parser (mail/p5-MIME-Tools) ( the patched MIME-tools by David F. Skoll is recommended over 5.411, as it better handles broken/bad MIME syntax: http://www.mimedefang.org/ -> Download section. The new 6.2xx from http://search.cpan.org/dist/MIME-tools/ also includes these patches, and more.
• Mail::Internet (mail/p5-Mail-Tools) (1.58 or later have workarounds for Perl 5.8.0 bugs)
• Net::Server (net/p5-Net-Server)
• Net::SMTP (net/p5-Net) (use libnet-1.16 or latter for performance)
• Digest::MD5 (security/p5-Digest-MD5)
• IO::Stringy (devel/p5-IO-stringy)
• Time::HiRes (devel/p5-Time-HiRes) (use 1.49 or later, some older cause problems)
• Unix::Syslog (sysutils/p5-Unix-Syslog)
• BerkeleyDB (databases/p5-BerkeleyDB)

Note: amavisd-new has internal support for SpamAssassin via Mail::SpamAssassin. I don't use this because I handle spam filtering with dspam and spamc in a global maildrop filter.

Other Ports

• lang/perl5
• archivers/arc
• archivers/arj
• archivers/freeze
• archivers/lzop
• archivers/zoo

amavisd-new

amavisd-new is written in perl so there is not special compilation needed. However, courier-mta is not supported out-of-the-box. You can work around this in two ways: 1) run amavisd-new is front of courier as an SMTP proxy or 2) apply the included patch to run amavisd-new as a courierfilter. I chose option 2.

FreeBSD has an amavisd-new port but I don't use it because I need to apply the courier patch. (You can make the port use the patch but that's more voodoo than I care to get into.) I downloaded amavisd-new-20040701 from the official site.

Applying the Patch

Note: The courier patch that comes with amavisd-new-20040422 is from an earlier version and doesn't apply cleanly. My updated patch is here. (I sent the patch to the author on 2004-04-27.)

# cd amavisd-new-20040701
# patch < amavisd-new-courier.patch

Installing amavisd-new

# cp amavisd ../../sbin/amavisd
# chown root ../../sbin/amavisd
# chmod 755 ../../sbin/amavisd
# cp amavisd.conf
# cp amavisd.conf ../../etc/amavisd.conf.dist
# cp amavisd.conf ../../etc/amavisd.conf
# chown root ../../etc/amavisd.conf*
# chmod 644 ../../etc/amavisd.conf*

Configuring amavisd-new

amavisd-new looks for its config file in /etc/amavisd.conf by default. I don't like this so I put it in /usr/local/etc/amavisd.conf. If you do this, remember to start amavisd with -c /usr/local/etc/amavisd.conf or change the default location around line 7433 of amavisd.

The config file is almost 1900 lines so I'm not going to go through it line by line. Instead, I'll put up an annotated diff of my config and the sample from the package. Note: I use clamav on my servers. You will need to adjust the virus scanners section to fit your installation.

Note: The lines numbers here refer to the lines in the diff, not the config file and long lines are wrapped.

   1: --- amavisd.conf-sample	Thu Aug 12 10:51:41 2004
   2: +++ amavisd.conf	Thu Aug 12 15:23:07 2004
   3: @@ -58,24 +58,25 @@
   4:  # More refined control is available with each individual setting further down.
   5:  # $MYHOME is not used directly by the program. No trailing slash!
   6:  #$MYHOME = '/var/lib/amavis';   # (default is '/var/amavis')
   7: +$MYHOME = '/var/amavis';

/var/amavis needs to be writable by the user you run courier as.

   9:  # $mydomain serves as a quick default for some other configuration settings.
  10:  # More refined control is available with each individual setting further down.
  11:  # $mydomain is never used directly by the program.
  12: -$mydomain = 'example.com';      # (no useful default)
  13: +$mydomain = 'amigo.net';      # (no useful default)
  14:  
  15:  # $myhostname = 'host.example.com';  # fqdn of this host, default by uname(3)
  16:  
  17:  # Set the user and group to which the daemon will change if started as root
  18:  # (otherwise just keeps the UID unchanged, and these settings have no effect):
  19: -$daemon_user  = 'vscan';	# (no default;  customary: vscan or amavis)
  20: -$daemon_group = 'sweep';	# (no default;  customary: vscan or amavis)
  21: +#$daemon_user  = 'vscan';	# (no default;  customary: vscan or amavis)
  22: +#$daemon_group = 'sweep';	# (no default;  customary: vscan or amavis)
  23:  
  24:  # Runtime working directory (cwd), and a place where
  25:  # temporary directories for unpacking mail are created.
  26:  # (no trailing slash, may be a scratch file system)
  27: -$TEMPBASE = $MYHOME;	        # (must be set if other config vars use is)
  28: -#$TEMPBASE = "$MYHOME/tmp";     # prefer to keep home dir /var/amavis clean?
  29: +#$TEMPBASE = $MYHOME;	        # (must be set if other config vars use is)
  30: +$TEMPBASE = "$MYHOME/tmp";     # prefer to keep home dir /var/amavis clean?
  31:  
  32:  #$db_home = "$MYHOME/db";	# DB databases directory, default "$MYHOME/db"
  33:  
  34: @@ -135,11 +136,11 @@
  35:  #$notify_method = $forward_method;
  36:  
  37:  # COURIER using courierfilter
  38: -#$forward_method = undef;  # no explicit forwarding, Courier does it itself
  39: -#$notify_method = 'pipe:flags=q argv=perl -e
    : $pid=fork();if($pid==-1){exit(75)}elsif($pid==0){exec(@ARGV)}else{exit(0)}
    : /usr/sbin/sendmail -f ${sender} -- ${recipient}';
  40: +$forward_method = undef;  # no explicit forwarding, Courier does it itself
  41: +$notify_method = 'pipe:flags=q argv=perl -e
    : $pid=fork();if($pid==-1){exit(75)}elsif($pid==0){exec(@ARGV)}else{exit(0)}
    : /usr/sbin/sendmail -f ${sender} -- ${recipient}';
  42:  # Only set $courierfilter_shutdown to 1 if you are using courierfilter to
  43:  # control the startup and shutdown of amavis
  44: -#$courierfilter_shutdown = 1; # (default 0)
  45: +$courierfilter_shutdown = 1; # (default 0)
  46:  
  47:  # prefer to collect mail for forwarding as BSMTP files?
  48:  #$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
  49: @@ -151,8 +152,8 @@
  50:  # feeding amavisd, e.g. with Postfix the 'Max procs' field in the
  51:  # master.cf file, like the '2' in the:  smtp-amavis unix - - n - 2 smtp
  52:  #
  53: -$max_servers  =  2;   # number of pre-forked children          (default 2)
  54: -$max_requests = 10;   # retire a child after that many accepts (default 10)
  55: +$max_servers  = 75;   # number of pre-forked children          (default 2)
  56: +$max_requests = 20;   # retire a child after that many accepts (default 10)

Feel free to tweak $max_servers and $max_requeststo work best for your system.

  58:  $child_timeout=5*60;  # abort child if it does not complete each task in n sec
  59:                        # (default: 8*60 seconds)
  60: @@ -168,7 +169,7 @@
  61:  # and see further down what these two lookup lists really mean.
  62:  #
  63:  # @bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code
  64: -# @bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code
  65: +@bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code

Turn off spam filtering.

  67:  # Any setting can be changed with a new assignment, so make sure
  68:  # you do not unintentionally override these settings further down!
  69: @@ -201,23 +202,23 @@
  70:  # Section II - MTA specific (defaults should be ok)
  71:  #
  72:  
  73: -#$insert_received_line = 1;       # behave like MTA: insert 'Received:' header
  74: +$insert_received_line = 0;        # behave like MTA: insert 'Received:' header
  75:  			          # (does not apply to sendmail/milter)
  76:  			          # (default is true)
  77:  
  78:  # AMAVIS-CLIENT AND COURIER PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)
  79:  #   (used with amavis helper clients like amavis-milter.c and amavis.c,
  80:  #   NOT needed for Postfix or Exim or dual-sendmail - keep it undefined.
  81: -$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
  82: -#$unix_socketname = "/var/lib/courier/allfilters/amavisd"; # Courier socket
  83: -#$protocol = 'COURIER';           # uncomment if using Courier
  84: +#$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
  85: +$unix_socketname = "/var/spool/courier/allfilters/amavisd"; # Courier socket
  86: +$protocol = 'COURIER';           # uncomment if using Courier
  87:  #$unix_socketname = undef;        # disable listening on a unix socket
  88:                                    # (default is undef, i.e. disabled)
  89:                                    # (usual setting is $MYHOME/amavisd.sock)

$unix_socket is the socket used by courier to talk to amavisd and can be in either filters/ or allfilters/. See courierfilter(8) for the differences. You also need to set $protocol to 'COURIER' so that amavisd and courier are able to communicate.

  91:  # SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
  92:  #   (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
  93: -$inet_socket_port = 10024;        # accept SMTP on this local TCP port
  94: +#$inet_socket_port = 10024;        # accept SMTP on this local TCP port
  95:                                    # (default is undef, i.e. disabled)
  96:  # multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];
  97:  
  98: @@ -276,7 +277,7 @@
  99:  
 100:  # true (e.g. 1) => syslog;  false (e.g. 0) => logging to file
 101:  $DO_SYSLOG = 1;                   # (defaults to false)
 102: -#$SYSLOG_LEVEL = 'user.info';     # (facility.priority, default 'mail.info')
 103: +$SYSLOG_LEVEL = 'mail.info';     # (facility.priority, default 'mail.info')
 104:  
 105:  # Log file (if not using syslog)
 106:  $LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)
 107: @@ -288,7 +289,7 @@
 108:  # 3: server, client
 109:  # 4: decompose parts
 110:  # 5: more debug details
 111: -$log_level = 2;		  # (defaults to 0)
 112: +$log_level = 0;		  # (defaults to 0)

You may want to turn $log_level all the way up while you are testing.

 114:  # Customizable template for the most interesting log file entry (e.g. with
 115:  # $log_level=0) (take care to properly quote Perl special characters like '\')
 116: @@ -410,9 +411,9 @@
 117:  #            session, as the mail has already been enqueued. Do not use with
 118:  #            Courier.
 119:  
 120: -$final_virus_destiny      = D_BOUNCE;  # (defaults to D_DISCARD)
 121: -$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
 122: -$final_spam_destiny       = D_BOUNCE;  # (defaults to D_BOUNCE)
 123: +$final_virus_destiny      = D_REJECT;  # (defaults to D_DISCARD)
 124: +$final_banned_destiny     = D_REJECT;  # (defaults to D_BOUNCE)
 125: +$final_spam_destiny       = D_REJECT;  # (defaults to D_BOUNCE)
 126:  $final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested
 127:  
 128:  # Alternatives to consider for spam:
 129: @@ -485,9 +486,9 @@
 130:  #
 131:  #   Empty or undef lookup disables virus admin notifications.
 132:  
 133: -$virus_admin = "virusalert\@$mydomain";
 134: +# $virus_admin = "virusalert\@$mydomain";
 135:  # $virus_admin = 'virus-admin@example.com';
 136: -# $virus_admin = undef;   # do not send virus admin notifications (default)
 137: +$virus_admin = undef;   # do not send virus admin notifications (default)

I don't want to see the admin notices. You may want to.

 138:  #
 139:  #@virus_admin_maps = (    # by-sender maps
 140:  #  {'not.example.com'=>'', '.'=>'virusalert@example.com'},
 141: @@ -520,9 +521,9 @@
 142:  #   (admin and recip sender addresses default to a null return path)
 143:  #   If using strings in double quotes, don't forget to quote @, i.e. \@
 144:  #
 145: -$mailfrom_notify_admin     = "virusalert\@$mydomain";
 146: -$mailfrom_notify_recip     = "virusalert\@$mydomain";
 147: -$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
 148: +$mailfrom_notify_admin     = "postmaster\@$mydomain";
 149: +$mailfrom_notify_recip     = "postmaster\@$mydomain";
 150: +$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
 151:  
 152:  # 'From' HEADER FIELD for sender and admin notifications.
 153:  # This should be a replyable address, see rfc1894. Not to be confused
 154: @@ -550,7 +551,7 @@
 155:  #   or a directory (no trailing slash)
 156:  #   (the default value is undef, meaning no quarantine)
 157:  #
 158: -$QUARANTINEDIR = '/var/virusmails';
 159: +#$QUARANTINEDIR = '/var/virusmails';
 160:  
 161:  #$virus_quarantine_method        = 'local:virus-%i-%n';    # default
 162:  #$spam_quarantine_method         = 'local:spam-%b-%i-%n';  # default
 163: @@ -625,7 +626,7 @@
 164:  
 165:  # (default values are: virus-quarantine, banned-quarantine, spam-quarantine)
 166:  
 167: -$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
 168: +#$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
 169:  #$virus_quarantine_to = 'infected@';           # forward to MTA for delivery
 170:  #$virus_quarantine_to = "virus-quarantine\@$mydomain";   # similar
 171:  #$virus_quarantine_to = 'virus-quarantine@example.com';  # similar
 172: @@ -639,9 +640,9 @@
 173:  #);
 174:  
 175:  # similar for banned names and bad headers and spam (set to undef to disable)
 176: -$banned_quarantine_to     = 'banned-quarantine';     # local quarantine
 177: -$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
 178: -$spam_quarantine_to       = 'spam-quarantine';       # local quarantine
 179: +$banned_quarantine_to     = undef;     # local quarantine
 180: +$bad_header_quarantine_to = undef; # local quarantine
 181: +$spam_quarantine_to       = undef;       # local quarantine
 182:  
 183:  # or to a mailbox:
 184:  #$spam_quarantine_to = "spam-quarantine\@$mydomain";

We don't quarantine infected email at Amigo.Net. Adjust these values if you want to quarantine the messages.

 185: @@ -658,13 +659,13 @@
 186:  
 187:  
 188:  # Add X-Virus-Scanned header field to mail?
 189: -$X_HEADER_TAG = 'X-Virus-Scanned';	# (default: undef)
 190: +$X_HEADER_TAG = undef;	# (default: undef)
 191:  # Leave empty to add no header field	# (default: undef)
 192: -$X_HEADER_LINE = "by amavisd-new at $mydomain";
 193: +$X_HEADER_LINE = undef;
 194:  
 195:  # a string to prepend to Subject (for local recipients only) if mail could
 196:  # not be decoded or checked entirely, e.g. due to password-protected archives
 197: -$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it
 198: +#$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it
 199:  
 200:  # MIME defanging wraps the entire original mail in a MIME container of type
 201:  # 'Content-type: multipart/mixed', where the first part is a text/plain with
 202: @@ -673,8 +674,8 @@
 203:  # Defanging is only done when enabled (selectively by malware type)
 204:  # and the malware is allowed to pass (*_lovers or *_destiny=D_PASS)
 205:  #
 206: -$defang_virus  = 1;  # default is false: don't modify mail body
 207: -$defang_banned = 1;  # default is false: don't modify mail body
 208: +$defang_virus  = 0;  # default is false: don't modify mail body
 209: +$defang_banned = 0;  # default is false: don't modify mail body
 210:  # $defang_bad_header     = 1;  # default is false: don't modify mail body
 211:  # $defang_undecipherable = 1;  # default is false: don't modify mail body
 212:  # $defang_spam = 1;  # default is false: don't modify mail body

courierfilters are not allowed to change the content of messages they process so you have to turn off all the options that try to change the message.

 213: @@ -748,11 +749,11 @@
 214:  # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
 215:  
 216:    # block certain double extensions anywhere in the base name
 217: -  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i,
 218: +  qr'\.[^./]*\.(vbs|pif|scr|bat|cmd|com|dll)$'i,
 219:  
 220:  # qr'[{}]',      # curly braces in names (serve as Class ID extensions - CLSID)
 221:  
 222: -  qr'^application/x-msdownload$'i,                  # block these MIME types
 223: +#  qr'^application/x-msdownload$'i,                  # block these MIME types
 224:    qr'^application/x-msdos-program$'i,
 225:  
 226:  # qr'^message/partial$'i, qr'^message/external-body$'i, # block rfc2046
 227: @@ -761,13 +762,13 @@
 228:    [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow anything in Unix archives
 229:  # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow anything within such archives
 230:  
 231: -  qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
 232: +  qr'.\.(vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
 233:  # qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
 234:  #        jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
 235:  #        vbe|vbs|wsc|wsf|wsh)$'ix,        # banned extension - long
 236:  # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
 237:  
 238: -  qr'^\.(exe-ms)$',                       # banned file(1) types
 239: +#  qr'^\.(exe-ms)$',                       # banned file(1) types
 240:  # qr'^\.(exe|lha|tnef|cab)$',             # banned file(1) types
 241:  );
 242:  # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
 243: @@ -796,7 +797,7 @@
 244:  $banned_namepath_re = new_RE(
 245:  
 246:    # block these MIME types
 247: -  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,
 248: +#  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,
 249:    qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
 250:  
 251:  # # block rfc2046 MIME types
 252: @@ -845,7 +846,7 @@
 253:  
 254:    # banned filename extensions (in declared names) anywhere - basic
 255:    qr'(?# BLOCK COMMON NAME EXENSIONS )
 256: -     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com) (\t.*)? $'xmi,
 257: +     ^ (.*\t)? N= [^\t\n]* \. (vbs|pif|scr|bat|com) (\t.*)? $'xmi,
 258:  
 259:  # # banned filename extensions (in declared names) anywhere - long
 260:  # qr'(?# BLOCK MORE NAME EXTENSIONS )
 261: @@ -858,8 +859,8 @@
 262:  # qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS )
 263:  #    ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi,
 264:  
 265: -  qr'(?# BLOCK Microsoft EXECUTABLES )
 266: -     ^ (.*\t)? T=(exe-ms) (\t.*)? $'xm,            # banned file(1) type
 267: +#  qr'(?# BLOCK Microsoft EXECUTABLES )
 268: +#     ^ (.*\t)? T=(exe-ms) (\t.*)? $'xm,            # banned file(1) type
 269:  
 270:  # qr'(?# BLOCK ANY EXECUTABLE )
 271:  #    ^ (.*\t)? T=exe (\t.*)? $'xm,                 # banned file(1) type

Unfortuatly, I am forced to allow .exe and Windows executable through because we have a group of realtors that use some software that sends forms as programs and, of course, I can't get them to wrap the files in an archive.

 272: @@ -938,7 +939,7 @@
 273:  # The following example disables spam checking altogether,
 274:  # since it matches any recipient e-mail address (any address
 275:  # is a subdomain of the top-level root DNS domain):
 276: -#   @bypass_spam_checks_maps = (1);
 277: +   @bypass_spam_checks_maps = (1);
 278:  

Turn off all spam checks.

 285: -# ### http://www.clamav.net/
 286: -# ['ClamAV-clamd',
 287: +### http://www.clamav.net/
 288: +['ClamAV-clamd',
 289:  #   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
 290: -#   qr/\bOK$/, qr/\bFOUND$/,
 291: -#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
 292: -# # NOTE: run clamd under the same user as amavisd;  match the socket
 293: -# # name (LocalSocket) in clamav.conf to the socket name in this entry
 294: -# # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
 295: +  \&ask_daemon, ["CONTSCAN {}\n", "127.0.0.1:3310"],   
 296: +  qr/\bOK$/, qr/\bFOUND$/,
 297: +  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
 298: +# NOTE: run clamd under the same user as amavisd;  match the socket
 299: +# name (LocalSocket) in clamav.conf to the socket name in this entry
 300: +# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

Turn on scanning with clamd. Note: I'm talking to clamd on 3310/tcp. You can configure amavisd-new to talk to clamd on a unix socket if you want.

 304: @@ -1775,7 +1777,7 @@
 305:  # # other options to consider: -mime -oe -idedir=/usr/local/sav
 306:  
 307:  # always succeeds (uncomment to consider mail clean if all other scanners fail)
 308: -# ['always-clean', sub {0}],
 309: +['always-clean', sub {0}],

I want to allow mail if, for some reason, all the other scanners fail.

Enabling amavisd-new in Courier.

Now that amavisd-new is ready, we need to make it work with courier. README.courier has some good notes on getting things setup. I use the 'Courier Startup/Shutdown Mode' option.

ln -s /usr/local/sbin/amavisd /usr/local/etc/courier/filters/active/amavisd

You're done. Happy scanning.

Useful Scripts

• amavis-maildrop
• AMAVIS.pm.diff
• amavisd-courierfilter
• amavisd-new-20040422-courier.patch