Postfix, Amavis, SpamAssassin, dspam and ClamAV working together on Mac OSX (Leopard)

After my recent upgrade to Leopard, I decided to upgrade my mail system which includes Fetchmail, Postfix, Amavis (SpamAssassin, dspam, DCC, Razor, ClamAV) and Courier-IMAP.

I use Fetchmail to go and collect mails from ISPs left, right and centre for all the Users defined on the PC. Fetchmail delivers the mail locally to Postfix, which filters it through Amavis (SpamAssassin, dspam, DCC, Razor and ClamAV) for spam and virus checks. All good mails are delivered locally to my Maildir, and Courier-IMAP is then used to access the mails by Apple Mail and SquirrelMail.

Courier-IMAP

The version of Courier-IMAP available from MacPorts broke on Macs - there was a problem with the file descriptors. I decided to go and get the latest version directly from the Courier-IMAP web site.

This would not compile, as it complained about some missing symbols (_rfc1035_default_resolver). A check on a rather popular search engine provided the solution:

RANLIB="ranlib -c"
export RANLIB
./configure --with-authpwd=YES --without-authuserdb --without-authcram --enable-unicode --disable-root-check

Courier-IMAP compiled and installed - and worked.

Postfix

Postfix comes installed on Mac OSX but needs a little configuration to work with Amavis. At the minimum, main.cf needs the following:

content_filter = smtp-amavis:[127.0.0.1]:10024
strict_rfc821_envelopes = yes

The master.cf file also needs something like the following:

127.0.0.1:10025   inet  n       -       n       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_helo_restrictions=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8,192.168.1.0/24
        -o strict_rfc821_envelopes=yes
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
smtp-amavis unix -      -       n       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_never_send_ehlo=yes
        -o disable_dns_lookups=yes
        -o smtp_send_xforward_command=yes
        -o fallback_relay=localhost:10025

This instructs Postfix to filter content through Amavis that is sitting on port 10025.
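The settings above only hold together if the smtpd listener on 127.0.0.1:10025 clears content_filter (otherwise mail it accepts is sent to the filter again) and stays bound to loopback (otherwise mail can reach it without being scanned). The following is an added example, not part of the original post; parse_master, audit and reinject_port are names chosen here, and the embedded config is a constructed, shortened copy of the lines above.

```python
import re

# Constructed sample: a shortened copy of the main.cf / master.cf lines above.
MAIN_CF = "content_filter = smtp-amavis:[127.0.0.1]:10024\n"
MASTER_CF = """\
127.0.0.1:10025   inet  n       -       n       -       -       smtpd
        -o content_filter=
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8,192.168.1.0/24
smtp-amavis unix -      -       n       -       2       smtp
"""

def parse_master(text):
    """Join continuation lines, then pull name, type and -o overrides per service."""
    logical, services = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of previous service
        else:
            logical.append(line.strip())
    for fields in (entry.split() for entry in logical):
        opts = dict(arg.split("=", 1) for arg in fields[8:] if "=" in arg)
        services.append({"name": fields[0], "type": fields[1], "opts": opts})
    return services

def audit(main_cf, master_cf, reinject_port="10025"):
    """Return a list of problems in the filter hand-off; empty means none found."""
    m = re.search(r"^content_filter[ \t]*=[ \t]*(\S+)", main_cf, re.M)
    if not m:
        return ["main.cf sets no content_filter: mail is delivered unscanned"]
    problems, services = [], parse_master(master_cf)
    transport = m.group(1).split(":", 1)[0]
    if not any(s["name"] == transport and s["type"] == "unix" for s in services):
        problems.append(f"transport {transport} is not defined in master.cf")
    back = [s for s in services if s["type"] == "inet"
            and s["name"].rsplit(":", 1)[-1] == reinject_port]
    if not back:
        problems.append(f"no re-injection listener on port {reinject_port}")
    for s in back:
        if s["opts"].get("content_filter") != "":
            problems.append("listener inherits content_filter: mail would loop")
        host = s["name"].rsplit(":", 1)[0] if ":" in s["name"] else ""
        if host not in ("127.0.0.1", "localhost", "[::1]"):
            problems.append("listener not bound to loopback: filter bypass possible")
    return problems

if __name__ == "__main__":
    print(audit(MAIN_CF, MASTER_CF) or "filter hand-off looks consistent")
```

To check a live system, pass the contents of the real main.cf and master.cf files to audit() instead of the constructed strings.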

Amavis

I went through the read-me files and installed/upgraded the required Perl modules:

perl -MCPAN -e shell
 install Archive::Zip
 install Compress::Zlib
 install Convert::TNEF
 install Convert::UUlib
 install MIME::Base64
 install MIME::Parser
 install Mail::Internet
 install Net::Server
 install Digest::MD5
 install IO::Stringy
 install Time::HiRes
 install Unix::Syslog
 install BerkeleyDB

One of the Perl modules is SpamAssassin - so no great problems there:

perl -MCPAN -e shell
 install Mail::SpamAssassin
 install Authen::SASL

ClamAV

At the time of writing, the most recent version of the ClamAV engine on Fink was 0.88 - while 0.91.2 was available on the web site. So I removed the Fink version, downloaded the source, configured and compiled.

The configure script needs to be updated to remove the nidump command and replace it with the dscl command.
* line 25245: replace @/usr/bin/nidump passwd .@ with @/usr/bin/dscl . -list /Users@
* line 25246: replace @/usr/bin/nidump group .@ with @/usr/bin/dscl . -list /Groups@

Only then will the configure script work correctly:

./configure --with-user=_clamav --with-group=_clamav

As the ClamAV virus scanning engine evolves, the source code should be downloaded again, and re-compiled. By subscribing to the clamav-announce mailing list you can keep abreast of the latest releases.

Freshclam

Freshclam, a ClamAV daemon to automatically update virus signatures, is configured to update the virus signature files every few hours. Once Freshclam runs, it notifies the ClamAV daemon, which in turn, reloads itself using the new signatures.

Integration

I ended up with one problem though: Amavis is started as the _amavisd user, and the ClamAV daemon is started as the _clamd user - I was getting access denied while both processes tried to access the same socket with different user/group allocations. This is easily resolved by adding the following line to the clamd.conf file:

AllowSupplementalGroups yes

Also, either the _amavisd user should be in the _clamav group, or the _clamav user should be in the _amavisd group. In Mac OSX this is not as simple to do as you might think. NetInfo is gone - leaving the dscl command line tool.

dscl
 change /Local/Default/Users/_clamav UniqueID 260 82
 change /Local/Default/Users/_clamav PrimaryGroupID 260 82
 append /Local/Default/Groups/_amavisd GroupMembership _clamav
 append /Local/Default/Groups/_clamav GroupMembership _amavisd

I changed the UniqueID of the _clamav user to match that of /etc/passwd.

DCC

The DCC or Distributed Checksum Clearinghouse is an anti-spam content filter that runs on a variety of operating systems. By disabling dccm, I remove the dependency on sendmail milter.

./configure --disable-sys-inst --disable-dccm
make install

The next thing is to update the SpamAssassin *init.pre* script to include:

loadplugin Mail::SpamAssassin::Plugin::DCC

As dccproc is run under the auspices of Amavis, dccproc needs to be setuid root to access, among other things, the /var/dcc files, so:

chmod +s dccproc

Razor

Razor is a distributed, collaborative, spam detection and filtering network. Through user contribution, Razor establishes a distributed and constantly updating catalogue of spam in propagation that is consulted by email clients to filter out known spam.

First, I needed to make sure that the prerequisites were met, so:

perl -MCPAN -e shell
 install Time::HiRes
 install Digest::SHA1
 install MIME::Base64
 install Test::Simple
 install Test::Harness
 install Getopt::Long
 install File::Copy
 install URI::Escape

Once I had the prerequisites:

perl Makefile.PL
make
make test
make install

Finally, I needed to update the SpamAssassin *init.pre* script to include:

loadplugin Mail::SpamAssassin::Plugin::Razor2

dspam

dspam is a scalable and open-source content-based spam filter designed for multi-user enterprise systems.

With the Amavis config file updated to point to the dspam binary
$dspam = '/usr/local/bin/dspam';
Amavis loads with dspam enabled.

./configure  --with-storage-driver=mysql_drv --enable-daemon --enable-clamav --with-mysql-includes=/usr/local/mysql/include --with-mysql-libraries=/usr/local/mysql/lib --enable-preferences-extension --without-local-delivery-agent --without-quarantine-agent --enable-debug --enable-shared=NO --with-dspam-home-owner=_amavisd --with-dspam-home-group=_amavisd --with-dspam-owner=_amavisd --with-dspam-group=_amavisd

I needed to add _amavisd to the mail group to allow the dspam daemon, running as _amavisd, access to the files to which the mail group has read/write access.

dscl
 append /Local/Default/Groups/mail GroupMembership _amavisd

I used @dspam --debug --daemon@ to test if I had the dspam.conf configured correctly. My biggest glaring mistake was to forget to uncomment the MySQL socket. Once that was done, the daemon started correctly.

Results

Postfix passes all messages to Amavis for spam and virus checking. Amavis quarantines those messages deemed to be spam or to contain a virus. All remaining messages are delivered to each user's Maildir. With the Maildir, Courier-IMAP provides access to the mails - using either imap or imaps.

So far today, I have not had any spam in my inbox - I have had normal messages though;-) - so e-mail is working.

dspam now adds something like the following to each message:

        X-Dspam-Result:         Innocent
        X-Dspam-Confidence:     0.9899
        X-Dspam-Probability:    0.0000
        X-Dspam-Signature:      472e2e3f332176955413031
        X-Dspam-Factors:        27,
        X-Virus-Scanned:        amavisd-new at my.domain.name
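
Because every message that passes through the chain is stamped with these headers, a message in the Maildir without them is worth a look: it was delivered without the filter marking it. The following is an added example, not part of the original post; audit_message and audit_maildir are names chosen here, the sample messages are constructed, and the host name is the placeholder used in the header block above.

```python
import mailbox
from email import message_from_string

# Constructed sample messages; header names and values follow the block above.
STAMPED = """\
From: alice@example.org
Subject: lunch
X-Dspam-Result: Innocent
X-Virus-Scanned: amavisd-new at my.domain.name

See you at one.
"""
UNSTAMPED = """\
From: bob@example.net
Subject: invoice
X-Virus-Scanned: amavisd-new at mail.example.net

Attached.
"""

def audit_message(msg, host="my.domain.name"):
    """Return findings for one delivered message; an empty list means fully stamped."""
    findings = []
    stamps = msg.get_all("X-Virus-Scanned", [])
    # An upstream relay may add its own stamp, so require one naming this host.
    if not any(str(v).strip().endswith("at " + host) for v in stamps):
        findings.append("no X-Virus-Scanned stamp from " + host)
    results = [str(v).strip() for v in msg.get_all("X-Dspam-Result", [])]
    if not results:
        findings.append("no X-Dspam-Result header")
    elif len(results) > 1:
        findings.append("multiple X-Dspam-Result headers")
    elif results[0] != "Innocent":
        findings.append("delivered with X-Dspam-Result: " + results[0])
    return findings

def audit_maildir(path, host="my.domain.name"):
    """Map message key -> findings for every message in a Maildir that has any."""
    box = mailbox.Maildir(path, create=False)
    report = {}
    for key, msg in box.iteritems():
        findings = audit_message(msg, host)
        if findings:
            report[key] = findings
    return report

if __name__ == "__main__":
    for name, raw in (("STAMPED", STAMPED), ("UNSTAMPED", UNSTAMPED)):
        print(name, audit_message(message_from_string(raw)) or "ok")
```

The header check shows only that a stamp is present, since header text can be supplied by a sender; the Amavis log remains the authoritative record of what was scanned.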
