Linux: Filtering Spam And Viruses Without Amavis
By Daniel Miessler on April 12th, 2006: Tagged as Computers | Security | Spam
For anyone who dislikes complex mail configurations on their Linux mail server, I have a solution other than amavis* for filtering your email.
As with most things *nix, there are many ways to go about this; my way uses Maildrop and my .mailfilter file in my home directory. The punchline is that incoming mail to my account gets:
- Scanned by Google (Gmail)
- Scanned by Spamassassin
- Run through ClamAV
- Processed by my filtering rules
The setup runs on Postfix and Courier-Imap. Essentially, all you need is a single apt-get command and some basic configuration of both.
apt-get install postfix courier-imap maildrop spamassassin clamav
That’s it for the packages. From there just set up mail as you normally would. Also, don’t forget to add your clamav user:
groupadd clamav
useradd -g clamav -s /bin/false clamav
From there just fire up your editor and edit/create your .mailfilter to include the following content:
---------------------------------------------------
# Record the scanner version once so both branches can report it
VSCANNER=`/usr/bin/clamscan -V`
# Run all mail through ClamAV (backticks feed the message to the command on stdin)
if (`/usr/bin/clamscan --no-summary --stdout - | grep -c 'FOUND'` == 1)
{
    # The second field of the FOUND line is the signature name
    VIRUSID=`/usr/bin/clamscan --no-summary --stdout - | grep FOUND | cut -d" " -f2`
    xfilter "reformail -A 'X-Virus-Checker: $VSCANNER'"
    xfilter "reformail -A 'X-Virus-Infected: Yes'"
    xfilter "reformail -A 'X-Virus-Identification: $VIRUSID'"
    to "Maildir/.Infected"
}
else
{
    xfilter "reformail -A 'X-Virus-Checker: $VSCANNER'"
    xfilter "reformail -A 'X-Virus-Infected: No'"
}
# Run all mail through Spamassassin
# (LOGNAME is set by maildrop to the recipient's login name)
xfilter "/usr/bin/spamc -u $LOGNAME"
# maildrop wants the if statement and its braces on separate lines
if ( /^X-Spam-Flag: YES/ )
{
    to "Maildir/.Junk"
}
---------------------------------------------------
So the cool thing about this setup for me is that it doesn’t require you to hack up your /etc/postfix/main.cf file or anything. You keep Postfix processing pretty much as normal (with the exception of the mailbox_command = /usr/bin/maildrop addition).
Once you hand delivered mail off to Maildrop, your .mailfilter file handles the rest: spam, viruses, and standard filtering based on content. The bits I added above will add headers to virus-infected emails saying the version of clamscan you’re running, what the message was infected with, etc. Cool stuff.
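The ClamAV test in the filter only counts lines containing FOUND, so a message is also tagged "X-Virus-Infected: No" when clamscan itself fails to run. As an added example (not part of the original post), these shell functions classify on clamscan's exit status instead, so a scanner error is not treated as a clean result. SCANNER, scan_verdict, delivery_action and the fake_* stand-ins are hypothetical names, and the sample scanner output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): decide a message's fate from
# clamscan's exit status: 0 = clean, 1 = virus found, anything else = error.

# Assumption: SCANNER is a hypothetical override hook so the logic can be
# exercised without ClamAV installed; the default is the post's command.
SCANNER="${SCANNER:-/usr/bin/clamscan --no-summary --stdout -}"

# Reads one message on stdin; prints "clean", "infected <signature>" or "error".
scan_verdict() {
    rc=0
    out=$($SCANNER 2>/dev/null) || rc=$?
    case "$rc" in
        0) echo "clean" ;;
        1) # Same extraction as the post: second field of the FOUND line.
           sig=$(printf '%s\n' "$out" | grep 'FOUND$' | head -n 1 | cut -d" " -f2)
           echo "infected ${sig:-unknown}" ;;
        *) echo "error" ;;
    esac
}

# Maps a verdict to an action. The folder name is the post's; "defer" means the
# caller should exit 75 (EX_TEMPFAIL) so the MTA retries instead of delivering.
delivery_action() {
    case "$1" in
        clean)       echo "continue" ;;
        infected\ *) echo "deliver Maildir/.Infected" ;;
        *)           echo "defer" ;;
    esac
}

# Constructed stand-ins for clamscan output and exit codes (not real scans).
fake_clean()    { cat >/dev/null; echo "stdin: OK"; return 0; }
fake_infected() { cat >/dev/null; echo "stdin: Eicar-Test-Signature FOUND"; return 1; }
fake_broken()   { cat >/dev/null; echo "ERROR: cannot load database" >&2; return 2; }
```

With the original grep test, the fake_broken case would fall into the "Infected: No" branch; here it maps to "defer".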
Now, I’m sure there are plenty of advantages to using amavis — large environments, more complex configurations, etc. But for me, with just a few users and the need to sanitize and process mail, using this method is most excellent. For me, simplicity is golden.
Anyway, that’s pretty much it. If you have any questions feel free to drop me an email.
--

Useful summary. Thanks. Found it while looking for something else, and it turned out to be the answer to the next question I would have asked :-)
Couple of points though:
Comment by Pigeon — 8/1/2006 @ 12:19 am
Thanks for posting, man. Nice to have you. :)
Comment by Daniel — 8/1/2006 @ 12:23 am