Différences

Ci-dessous, les différences entre deux révisions de la page.

--- tutoriaux:install-email-server:install-email-server-part-8 [2023/01/06 16:41] – supprimée - modification externe (Unknown date) 127.0.0.1
+++ tutoriaux:install-email-server:install-email-server-part-8 [2024/07/06 01:17] (Version actuelle) – frater
@@ Ligne 1: / Ligne 1: @@
+====== Part 8 - Setting Up Amavis and ClamAV ======
+In this article, I will show you how to use **Amavis** and **ClamAV** to scan viruses in email messages.
+**Amavis** (A Mail Virus Scanner) is a high-performance interface between a message transfer agent (MTA) such as **Postfix** and content filters. A content filter is a program that scans the headers and body of an email message, and usually takes some action based on what it finds. The most common examples are **ClamAV virus scanner** and **SpamAssassin**.
+Amavis speaks standard SMTP protocol and can also use the Sendmail milter interface. It’s commonly used for
+  * virus-scanning by integrating with ClamAV (Clam AntiVirus)
+  * spam-checking by integrating with SpamAssassin
+  * DKIM signing and verification. (Actually, I prefer to use OpenDKIM for DKIM signing and verification.)
+===== Prerequisites =====
+You should have completed at least [[tutoriaux:install-email-server:install-email-server-part-1|part 1 (Postfix SMTP server)]] and [[tutoriaux:install-email-server:install-email-server-part-2|part 2 (Dovecot IMAP server)]] of the Debian mail server from scratch tutorial series.
+Note that if you used iRedMail or Modoboa to set up your mail server, then Amavis and ClamAV are already installed and configured, so you don’t need to follow this tutorial.
+<WRAP round alert>
+Warning: Amavis and ClamAV require a fair amount of RAM. Make sure you have at least 1.5 GB free RAM on your server before installing Amavis and ClamAV. The whole mail server stack (Postfix, Dovecot, Amavis, ClamAV, SpamAssassin, OpenDKIM, MySQL/MariaDB, PostfixAdmin, and Roundcube Webmail) needs at least 3 GB RAM to run smoothly. If your RAM runs out, you are going to have troubles like mail server going offline or unresponsive.
+</WRAP>
+===== Install Amavis on Debian =====
+Amvis is available from the default Debian repository, so run the following command to install it.
+<code bash>sudo apt install amavisd-new -y</code>
+Once installed, it automatically starts. You can check its status with:
+<code bash>systemctl status amavis</code>
+Output:
+<code bash>
+● amavis.service - Interface between MTA and virus scanner/content filters
+     Loaded: loaded (/lib/systemd/system/amavis.service; enabled; vendor preset: enabled)
+     Active: active (running) since Tue 2022-08-30 07:13:49 CEST; 2h 2min ago
+       Docs: http://www.ijs.si/software/amavisd/#doc
+   Main PID: 3027845 (/usr/sbin/amavi)
+      Tasks: 6 (limit: 19172)
+     Memory: 331.7M
+        CPU: 9.167s
+     CGroup: /system.slice/amavis.service
+             ├─3027845 /usr/sbin/amavisd-new (master)
+             ├─3027858 /usr/sbin/amavisd-new (ch1-avail)
+             ├─3027859 /usr/sbin/amavisd-new (ch1-avail)
+             ├─3027860 /usr/sbin/amavisd-new (ch1-avail)
+             ├─3027861 /usr/sbin/amavisd-new (ch1-avail)
+             └─3027862 /usr/sbin/amavisd-new (virgin child)
+</code>
+If it’s not running, you can start it with:
+<code bash>sudo systemctl start amavis</code>
+Enable auto-start at boot time.
+<code bash>sudo systemctl enable amavis</code>
+By default, it listen on 127.0.0.1:10024, as can be seen with:
+<code bash>sudo netstat -lnpt | grep amavis</code>
+Sample output:
+<code bash>
+tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      3027845/amavisd-new
+</code>
+And it runs as the amavis user. To check the version number, run
+<code bash>amavisd-new -V</code>
+Sample output:
+<code>amavisd-new-2.11.1 (20181009)</code>
+To check the logs of Amavis, you can run
+<code bash>sudo journalctl -eu amavis</code>
+Viruses are commonly spread as attachments to email messages. Install the following packages for Amavis to extract and scan archive files in email messages such as ''.7z'', ''.cab'', ''.doc'', ''.exe'', ''.iso'', ''.jar'', and ''.rar'' files.
+<code bash>sudo apt install arj bzip2 cabextract cpio rpm2cpio file gzip lhasa nomarch pax rar unrar p7zip-full unzip zip lrzip lzip liblz4-tool lzop unrar-free</code>
+Note that if your server doesn’t use a fully-qualified domain name (FQDN) as the hostname, Amavis might fail to start. And the OS hostname might change, so it’s recommended to set a valid hostname directly in the Amavis configuration file.
+<code bash>sudo nano /etc/amavis/conf.d/05-node_id</code>
+Find the following line.
+<code>
+#$myhostname = "mail.example.com";
+</code>
+Remove the comment character (#) and change mail.example.com to your real hostname.
+<code>$myhostname = "mail.example.com";</code>
+Save and close the file. Restart Amavis for the changes to take effect.
+<code bash>sudo systemctl restart amavis</code>
+===== Integrate Postfix SMTP Server With Amavis =====
+Amavisd-new works as an SMTP proxy. Email is fed to it through SMTP, processed, and fed back to the MTA through a new SMTP connection.
+Edit the Postfix main configuration file.
+<code bash>sudo nano /etc/postfix/main.cf</code>
+Add the following line at the end of the file. This tells Postfix to turn on content filtering by sending every incoming email message to Amavis, which listens on //127.0.0.1:10024//.
+<code ini>content_filter = smtp-amavis:[127.0.0.1]:10024</code>
+Also, add the following line.
+<code ini>smtpd_proxy_options = speed_adjust</code>
+This will delay Postfix connection to content filter until the entire email message has been received, which can prevent content filters from wasting time and resources for slow SMTP clients.
+Save and close the file. Then edit the ''master.cf'' file.
+<code>sudo nano /etc/postfix/master.cf</code>
+Add the following lines at the end of the file. This instructs Postfix to use a special SMTP client component called ''smtp-amavis'' to deliver email messages to Amavis. Please allow at least one whitespace character (tab or spacebar) before each ''-o''. In postfix configurations, a preceding whitespace character means that this line is continuation of the previous line.
+<code ini>
+smtp-amavis   unix   -   -   n   -   2   smtp
+    -o syslog_name=postfix/amavis
+    -o smtp_data_done_timeout=1200
+    -o smtp_send_xforward_command=yes
+    -o disable_dns_lookups=yes
+    -o max_use=20
+    -o smtp_tls_security_level=none
+</code>
+Then add the following lines at the end of the file. This tells Postfix to run an additional smtpd daemon listening on ''127.0.0.1:10025'' to receive email messages back from Amavis.
+<code ini>
+.0.0.1:10025   inet   n    -     n     -     -    smtpd
+    -o syslog_name=postfix/10025
+    -o content_filter=
+    -o mynetworks_style=host
+    -o mynetworks=127.0.0.0/8
+    -o local_recipient_maps=
+    -o relay_recipient_maps=
+    -o strict_rfc821_envelopes=yes
+    -o smtp_tls_security_level=none
+    -o smtpd_tls_security_level=none
+    -o smtpd_restriction_classes=
+    -o smtpd_delay_reject=no
+    -o smtpd_client_restrictions=permit_mynetworks,reject
+    -o smtpd_helo_restrictions=
+    -o smtpd_sender_restrictions=
+    -o smtpd_recipient_restrictions=permit_mynetworks,reject
+    -o smtpd_end_of_data_restrictions=
+    -o smtpd_error_sleep_time=0
+    -o smtpd_soft_error_limit=1001
+    -o smtpd_hard_error_limit=1000
+    -o smtpd_client_connection_count_limit=0
+    -o smtpd_client_connection_rate_limit=0
+    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
+</code>
+Save and close the file. Restart Postfix for the changes to take effect.
+<code bash>sudo systemctl restart postfix</code>
+===== Integrate Amavis with ClamAV =====
+Now that Postfix can pass incoming emails to Amavis, we need to install the ClamAV virus scanner and integrate it with Amavis, so incoming emails can be scanned by ClamAV.
+Install ClamAV on Debian.
+<code bash>sudo apt install clamav clamav-daemon</code>
+There will be two systemd services installed by ClamAV:
+  * ''clamav-daemon.service'': the Clam AntiVirus userspace daemon
+  * ''clamav-freshclam.service'': the ClamAV virus database updater
+First, check the status of ''clamav-freshclam.service''.
+<code bash>systemctl status clamav-freshclam</code>
+{{ tutoriaux:debian-email:debian-clamav-db-update-service.png |}}
+As you can see, it’s active (running) and uses 4.5M RAM on my mail server. Then check the journal/log.
+<code bash>sudo journalctl -eu clamav-freshclam</code>
+{{ tutoriaux:debian-email:debian-clamav-db-update.png |}}
+<WRAP round info>
+Hint: If the above command doesn’t quit immediately, press the Q key to make it quit.
+</WRAP>
+We can see that ''freshclam'' downloaded 3 virus databases. CVD stands for ClamAV Virus Database.
+  * daily.cvd
+  * main.cvd
+  * bytecode.cvd
+If your instance complain that <code>^Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl.</code> Check the status of clamav-daemon.service.
+<code bash>systemctl status clamav-daemon</code>
+As you can see, it failed to start because a condition wasn’t met. In the /lib/systemd/system/clamav-daemon.service file, there are two conditions:
+<code ini>
+ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
+ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}
+</code>
+The ''clamav-daemon.service'' failed to start because main.cvd and daily.cvd were not downloaded yet when it starts. So we just need to restart this service.
+<code bash>sudo systemctl restart clamav-daemon</code>
+Now it should be running. By the way, it uses 1.2GB of RAM on my mail server. If your mail server doesn’t have enough RAM left, the service will fail.
+<code bash>systemctl status clamav-daemon.service</code>
+{{ tutoriaux:debian-email:debian-clamav-antivirus.png |}}
+The ''clamav-freshclam.service'' will check ClamAV virus database updates once per hour.
+Now we need to turn on virus-checking in Amavis.
+<code bash>sudo nano /etc/amavis/conf.d/15-content_filter_mode</code>
+Uncomment the following lines to enable virus-checking.
+<code python>
+#@bypass_virus_checks_maps = (
+#      \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+</code>
+Save and close the file. There are lots of antivirus scanners in the ''/etc/amavis/conf.d/15-av_scanners'' file. ClamAV is the default. Amavis will call ClamAV via the ''/var/run/clamav/clamd.ctl'' Unix socket. We need to add user ''clamav'' to the ''amavis'' group.
+<code bash>sudo adduser clamav amavis</code>
+Then restart Amavis and ClamAV daemon for the changes to take effect.
+<code bash>sudo systemctl restart amavis clamav-daemon</code>
+Check the logs.
+<code bash>sudo journalctl -eu amavis</code>
+You can see that Amavis is now using ClamAV to scan viruses.
+{{ tutoriaux:debian-email:debian-amavis-using-two-av.png |}}
+Now if you send an email from other mail servers like Gmail to your own mail server and check the email headers, you can find a line like below, which indicates this email has been scanned by Amavis.
+<code>X-Virus-Scanned: Debian amavisd-new at nox-rhea.org</code>
+You should also check the mail log (''/var/log/mail.log'') to find if there are any errors.
+===== Use A Dedicated Port for Email Submissions =====
+ClamAV can scan both incoming and outgoing emails now. Amavis listens on port 10024 for both incoming and outgoing email messages. However, it’s a good practice to use a different port such as 10026 for email submissions from authenticated users. Edit the Amavis configuration file.
+<code bash>sudo nano /etc/amavis/conf.d/50-user</code>
+Custom settings should be added between the use ''strict;'' and ''1;'' line. By default, Amavis only listens on port 10024. Add the following line to make it also listen on port 10026.
+<code python>$inet_socket_port = [10024,10026];</code>
+Then add the following line, which sets the “ORIGINATING” policy for port 10026.
+<code python>$interface_policy{'10026'} = 'ORIGINATING';</code>
+Next, add the following lines, which define the “ORIGINATING” policy.
+<code python>
+$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
+  originating => 1,  # declare that mail was submitted by our smtp client
+  allow_disclaimers => 1,  # enables disclaimer insertion if available
+  # notify administrator of locally originating malware
+  virus_admin_maps => ["virusalert\@$mydomain"],
+  spam_admin_maps  => ["virusalert\@$mydomain"],
+  warnbadhsender   => 1,
+  # force MTA conversion to 7-bit (e.g. before DKIM signing)
+  smtpd_discard_ehlo_keywords => ['8BITMIME'],
+  bypass_banned_checks_maps => [1],  # allow sending any file names and types
+  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
+};
+</code>
+Save and close the file. Restart Amavis.
+<code bash>sudo systemctl restart amavis</code>
+Check its status to see if the restart is successful.
+<code bash>systemctl status amavis</code>
+Next, edit the Postfix master configuration file.
+<code bash>sudo nano /etc/postfix/master.cf</code>
+Add the following line to the ''submission'' service, so emails from authenticated SMTP clients will be passed to Amavis listening on port 10026. This line will override (''-o'') the ''content_filter'' parameter in ''/etc/postfix/main.cf'' file that we just added.
+<code> -o content_filter=smtp-amavis:[127.0.0.1]:10026</code>
+Like this:
+{{ tutoriaux:debian-email:debian-amavis-submission-content-filter.png }}
+If you have enabled the smtps service for Microsoft Outlook users, then you also need to add this line to the smtps service.
+Save and close the file. Restart Postfix for the changes to take effect.
+<code bash>sudo systemctl restart postfix</code>
+Check its status to see if the restart is successful.
+<code bash>systemctl status postfix</code>
+===== Spam Filtering in Amavis =====
+<WRAP round important>
+If you have followed my SpamAssassin tutorial, you don’t need to enable spam-checking in Amavis. If you enable it, each email will be checked twice by SpamAssassin.
+</WRAP>
+To enable spam-checking in Amavis, install SpamAssassin and related packages.
+<code bash>sudo apt install spamassassin libnet-dns-perl libmail-spf-perl pyzor razor</code>
+Edit an Amavis configuration file.
+<code bash>sudo nano /etc/amavis/conf.d/15-content_filter_mode</code>
+Uncomment the following lines to enable spam-checking.
+<code python>
+#@bypass_spam_checks_maps = (
+#   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+</code>
+Save and close the file. Then restart Amavis.
+<code bash>sudo systemctl restart amavis</code>
+===== DKIM in Amavis =====
+Two common pieces of software that can do DKIM signing and verification on Linux are [[tutoriaux:install-email-server:install-email-server-part-4|OpenDKIM]] and Amavis. I prefer to use OpenDKIM because it works better with [[tutoriaux:install-email-server:install-email-server-part-5|OpenDMARC]]. So I won’t explain how to DKIM sign your email in Amavis.
+By default, Amavis can verify the DKIM signature of incoming email messages. If you have OpenDKIM running on your mail server, then you can disable DKIM verification in Amavis.
+<code bash>sudo nano /etc/amavis/conf.d/21-ubuntu_defaults</code>
+Find the following line and change 1 to 0, so Amavis won’t verify DKIM signatures.
+<code python>$enable_dkim_verification = 1;</code>
+Save and close the file. Then restart Amavis.
+<code bash>sudo systemctl restart amavis</code>
+When receiving incoming emails, Postfix will call OpenDKIM via the sendmail milter interface to verify DKIM signatures, then pass the email to Amavis for virus-checking. When sending outgoing emails, Postfix will call OpenDKIM to sign the emails, then pass them to Amavis for virus-checking.
+===== Improving Amavis Performance =====
+By default, Amavis runs 2 processes. If you see the following lines in the mail log (''/var/log/mail.log''), it means Amavis can’t process emails fast enough.
+<code>
+postfix/qmgr[1619188]: warning: mail for [127.0.0.1]:10024 is using up 4001 of 4008 active queue entries
+postfix/qmgr[1619188]: warning: you may need to reduce smtp-amavis connect and helo timeouts
+postfix/qmgr[1619188]: warning: so that Postfix quickly skips unavailable hosts
+postfix/qmgr[1619188]: warning: you may need to increase the main.cf minimal_backoff_time and maximal_backoff_time
+postfix/qmgr[1619188]: warning: so that Postfix wastes less time on undeliverable mail
+postfix/qmgr[1619188]: warning: you may need to increase the master.cf smtp-amavis process limit
+postfix/qmgr[1619188]: warning: please avoid flushing the whole queue when you have
+postfix/qmgr[1619188]: warning: lots of deferred mail, that is bad for performance
+</code>
+To improve performance, edit Amavis configuration file.
+<code bash>sudo nano /etc/amavis/conf.d/50-user</code>
+Add the following line in the file between the use ''strict;'' and ''1;'' line. This will make Amavis run 4 processes. If you have 10 CPU cores, you can change 4 to 10. Note that running more than 10 Amavis processes has little effect on performance.
+<code python>
+$max_servers = 4;
+</code>
+Save and close the file. Then edit the Postifx master configuration file.
+<code bash>sudo nano /etc/postfix/master.cf</code>
+Find the ''smtp-amavis'' service definition, and change the process limit from 2 to 4.
+<code ini>
+smtp-amavis   unix   -   -   n   -   4   smtp
+    -o syslog_name=postfix/amavis
+    -o smtp_data_done_timeout=1200
+    -o smtp_send_xforward_command=yes
+    -o disable_dns_lookups=yes
+    -o max_use=20
+    -o smtp_tls_security_level=none
+</code>
+Save and close the file. Then restart Amavis and Postfix for the changes to take effect.
+<code bash>sudo systemctl restart amavis postfix</code>
+Now run the following command. You should see that there are 4 Amavis processes now.
+<code bash>sudo amavisd-nanny</code>
+{{ tutoriaux:debian-email:debian-amavisd-nanny.png }}
+Press Ctrl+C to stop amavisd-nanny.
+===== PostGrey : Postfix Greylisting Policy Server  =====
+When a request for delivery of a mail is received by Postfix via SMTP, the triplet CLIENT_IP / SENDER / RECIPIENT is built. If it is the first time that this triplet is seen, or if the triplet was first seen, less than 5 minutes ago, then the mail gets rejected with a temporary error. Hopefully spammers or viruses will not try again later, as it is however required per RFC.
+==== Installation ====
+<code bash>sudo apt install postgrey</code>
+the package is self installing, you have noting to change to the postfix's configuration files.
+==== Configuration ====
+''postgrey'' is, out-of-the-box working (by replying to unknown sender to retry sending later (usually 5 minutes).
+You may want to "whitelist" sender or destination email (by white listing you're **NOT** applying any delay or retry policies).
+Edit the two files in ''/etc/postgey/'' directory
+    * ''whitelist_clients'' is for whitelisting the sender's hostname
+    * ''whitelist_reciepients'' is for not applying **ANY** delay nor retry to specific destination (internal) email.
+==== examples ====
+<code sshconfig whitelist_recipients>
+# postgrey whitelist for mail recipients
+# --------------------------------------
+# put this file in /etc/postgrey or specify its path with --whitelist-recipients=xxx
+# do not delay mail to :
+postmaster@
+abuse@
+</code>
+<code sshconfig whitelist_clients>
+# postgrey whitelist for mail client hostnames
+# --------------------------------------------
+# put this file in /etc/postgrey or specify its path with --whitelist-clients=xxx
+#
+# postgrey version: 1.36, build date: 2015-09-01
+# Debian-specific additions
+# I *know* they run real mail queues, so greylisting only creates bigger load for them.
+debconf.org
+debian.org
+spi-inc.org
+# you may also add IPs
+.1.1.1
+# or regex expressions:
+/^mail\d+\.telekom\.de$/
+</code>
+===== Skip Virus-Checking for Your Newsletters =====
+If you use your mail server to send newsletters, and you enable Amavis and ClamAV, then lots of CPU and RAM resources will be used for virus-checking when you send newsletters to your subscribers. It could make your mail server unresponsive. You can skip virus-checking for your newsletters by using the method below.
+Edit the Postfix master configuration file.
+<code bash>sudo nano /etc/postfix/master.cf</code>
+Add the following lines at the beginning of this file. This will enable ''smtpd'' on port 2525 of the localhost and it can accept client connections initiated from the same server. If there’s another process listening on port 2525, you can change 127.0.0.1:2525 to something else, like 127.0.0.1:2552. Note that the ''content_filter'' parameter is set to ''none'', which means emails won’t be scanned by ClamAV.
+<code ini>
+.0.0.1:2525      inet  n       -       -       -       1       smtpd
+  -o syslog_name=postfix/2525
+  -o postscreen_greet_action=ignore
+  -o content_filter=
+</code>
+Then add the following lines at the end of this file. Replace 12.34.56.78 with the mail server’s public IP address. This will create another Postfix submission daemon listening on port 10587. This is for client connections from another server.
+<code ini>
+.34.56.78:10587     inet     n    -    y    -    -    smtpd
+  -o syslog_name=postfix/10587
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_wrappermode=no
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+  -o smtpd_sasl_type=dovecot
+  -o smtpd_sasl_path=private/auth
+  -o content_filter=
+</code>
+Save and close the file. Then Restart postfix.
+<code bash>sudo systemctl restart postfix</code>
+If your newsletter application runs on the mail server, then specify ''127.0.0.1:2525'' as the SMTP host, without SMTP authentication. If your newsletter application runs on a different server, then specify ''12.34.56.78:10587'' as the SMTP host, with SMTP authentication.
+===== Troubleshooting =====
+If your Postfix SMTP server can’t send outgoing emails, and you find the following error message in the mail log (''/var/log/mail.log''),
+<code>
+relay=none, delay=239, delays=239/0.04/0/0, dsn=4.3.0, status=deferred (server unavailable or unable to receive mail)
+</code>
+it could be that amavis is not running, so you need to check its status:
+<code bash>sudo systemctl status amavis</code>
+You can restart it with:
+<code bash>sudo systemctl restart amavis</code>
+Another cause for this error is that you are enforcing TLS connection for Postfix when sending outgoing emails with the following setting in the ''/etc/postfix/main.cf'' file.
+<code>smtp_tls_security_level = enforce</code>
+Since Postfix can’t establish TLS connection to Amavis, so the email is deferred. You should use the following setting.
+<code>smtp_tls_security_level = may</code>
+Then restart Postfix.
+{{page>install-email-server-footer}}

Nox-Rhea WiKi

Outils pour utilisateurs

Outils du site

Différences

Outils de la page