Setting Up Amavis and ClamAV on CentOS 8/RHEL 8 Mail Server

tech / By

This is part 10 of the CentOS 8/RHEL 8 series of training manuals, starting from scratch. In this article I will show you how to use Amavis and ClamAV to scan for viruses in email messages.

Amavis (Mail Virus Scanner) is a high-quality interface between a mail agent (MTA) such as Postfix and content filters. A content filter is a program that analyzes the headers and body of an email message and generally performs certain actions based on the information found. The best-known examples of content filters are the ClamAV and SpamAssassin virus scanners.

Amavis talks about the standard SMTP protocol and can also use the Sendmail milking interface. Usually used for

  • Virus analysis through integration with ClamAV (Clam AntiVirus)
  • Spam detection through integration of SpamAssassin
  • Signature and DKIM examination. (Actually, I prefer to use OpenDKIM to sign and check DKIM)

Requirements

You must have completed at least Part 1 (Postfix SMTP server) and Part 2 (Dovecot IMAP server) of the CentOS 8/RHEL 8 course sequence from scratch. Note that if you are using iRedMail or Modoboa to configure your mail server, Amavis and ClamAV are already installed and configured so you do not need to follow this manual.

Look out! Look out! Amavis and ClamAV need a considerable amount of RAM. Before installing Amavis and ClamAV, make sure your server has at least 1.3 GB of free RAM. All mail servers (Postfix, Dovecot, Amavis, ClamAV, SpamAssassin, OpenDKIM, MySQL/MariaDB, PostfixAdmin and Roundcube Webmail) require at least 3 GB of RAM to function properly. If your memory is low, you will have problems such as shutting down the mail server or not responding.

Step 1: Installing Amavis on CentOS 8/RHEL 8

Amavis is written on a pearl. We need to enable EPEL (additional packages for Enterprise Linux) and the CodeReady Linux Builder repository on RHEL 8 to install some Perl dependencies for Amavis.

Install sudo dnf epel-release

sudo subo-manager repos –enable=codeready-builder-for-rhel-8-x86_64-rpms

Enable CentOS 8 EPEL (additional packages for Enterprise Linux) and the PowerTools repository to install Perl addresses for Amavis.

sudo dnf install epel-release -y
sudo dnf config-manager – PowerTools installed

Then install the Amavis package.

install sudo dnf amavis -y

To check the version number, do the following

surprising difference -V

Taking samples:

a new version 2.12.0 (20190725)

Viruses are usually distributed as attachments to e-mail messages. Install the following packages to enable Amavis to extract and analyze email archive files such as .7z, .cab, .doc, .exe, .iso, .jar and .rar.

sudo dnf -y install arj bzip2 cpio file gzip nomarch spax unrar p7zip unzip zip lrzsz lz4 lzop

Note that Amavis may not start if your server does not use the Fully Qualified Domain Name (FQDN) as the host name. The host name of the operating system may change, so it is recommended to enter the correct host name directly into the Amavis configuration file.

ship-nano / etc. / Amavisd. / Amavisd.conf.

Find the next line.

domain = ‘example.com’; # useful default setting for other parameters.

It is also advisable to change the default value of the middle domain to your own domain name.

$mydomain = ‘linuxbabe.com’; # useful default for other parameters.

Then find the next line.

# $myhostname = ‘host.example.com’; # there must be a full domain name!

Remove the first character of the comment (#) and replace host.example.com with the host name of your mail server as shown below.

$myhostname = ‘mail.linuxbabe.com’; # there must be a full domain name!

Save the file and close it. We can launch Amavis now.

sudo systemctl start amavisd

Activate automatic start during charging.

sudo systemctl enable amavisd

Check his condition:

Amavisd system status

Taking samples:

amavisd.service – Amavis mail content checker
Downloaded: downloaded (/usr/lib/system/amavisd.dienst; enabled; provider setting: disabled)
Active: active (in progress) by Thu 2020-11-19 01:21:26 EST; 8s ago
Documented: http://www.ice.si/software/amavisd/#doc
Main PID: 18782 (/usr/sbin/amavi)
Tasks: 3 (restriction: 12502)
Memory : 149,5M
CGroup: /system.slice/amavisd.service
├─18782 /usr/sbin/amavisd (master)
├─18806 /usr/sbin/amavisd (virgin child)
└─18807 /usr/sbin/amavisd (virgin child).

Here’s a hint: If the above command is not executed immediately, press Q.

As you can see, Amavis is on the move. If this doesn’t work, you can check the logs (sudo journalctl -eu amavisd).

Amavisd sounds 127.0.0.1:10024 as you can see in the example:

sudo ss -lnpt | grep amavi

And he works like an Amavis user.

Step 2: Postfix SMTP server integration with Amavis.

Amavis works like an SMTP proxy. E-mails are sent via SMTP, processed and sent back to the ATM via a new SMTP connection.

Run the following command, telling Postfix to enable content filtering by sending each incoming email message to Amavis listening 127.0.0.1:10024

sudo postconf -e content_filter = smtp-amavis : [127.0.0.1]:10024

Also execute the following command. This slows the postfix connection to the content filter until all email is received, which can prevent the content filter from wasting time and resources on slow SMTP clients.

sudo postconf -e smtpd_proxy_options = speed_adjust

Then edit the master.cf file.

sudo nano /etc/postfix/master.cf

Add the following lines to the end of the file. This forces Postfix to use a special SMTP client component called smtp-amavis to deliver email messages to Amavis. Please provide at least one space (tab or space) for each -o. In postfixed configurations, a preceding space means that this string is an extension of the previous string.

smtp-amavis unix – – n – 2 smtp
-o syslog_name=postfix/amavis
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disabled_dns_lookups=yes
-o max_use=20
-o smtp_tls_security_level=not.

Then add the following lines to the end of the file. This requires Postfix to run an additional smtpd daemon that listens to 127.0.0.1:10025 to receive email messages from Amavis.

127.0.0.1:10025 inet n – n – smtpd-o syslog_name=postfix/10025-o content_filter=-o mynetworks_style=host-o mynetworks=127.0.0.0.0/8-o local_recipient_maps=-o relay_recipient_maps=-o strict_rfc821_envelopes=yeso-o smtp_tls_security_level=not-o smtpd_tls_security_level=no-o smtpd_restriction_classes=-o smtpd_delay_reject=no-o smtpd_client_restrictions=permit_mynetworks,reject-o smtpd_helo_restrictions=-o smtpd_sender_restrictions=-o smtpd_recipient_restrictions=permit_mynetworks,Reject o smtpd_end_of_data_restrictions=-o smtpd_error_sleep_time=0-o smtpd_soft_error_limit=1001-o smtpd_hard_error_limit=1000-o smtpd_hard_error_limit=1000o smtpd_hard_error_limit=1000-o smtpd_hard_error_limit=1000-o smtpd_hard_error_limit=1000-o smtpd_hard_error_limit=1000-o smtpd_hard_error_limit.o smtpd_hard_error_error_limit=1000-o smtpd_client_connection_rate_limit=0-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Save the file and close it. Restart the postfix to make the changes take effect.

sudo systemctl Restart Postfix

Step 3: Integration of Amavis with ClamAV

Now that Postfix can forward incoming emails from Amavis, we need to install a ClamAV virus scanner and integrate it into Amavis so that incoming emails can be scanned by ClamAV.

Installing ClamAV on CentOS 8/RHEL 8

sudo dnf install clamav-lib clamav-data clamav update -y

Two ClamAV system services have been installed:

  • [email protected] : Clam AntiVirus, the demon of the user space
  • clamav-freshclam.service : ClamAV virus database update program

Start with the fresh mussel service.

sudo systemctl start clamav-freshclam.service

Activate automatic start during charging.

sudo systemctl enables clamav-freshclam.service

Check the status.

Condition of fresh mussels

As you can see it is active (running) and uses 27.8 RAM on my mailserver. Then check the logs.

sudo journalctl -eu clamav-freshclam

A way out:

Here’s a hint: If the above command is not completed immediately, press the Q key to terminate the command.

You can view the 3 freshly downloaded virus databases. CVD stands for ClamAV virus database.

  • daily.cvd
  • main.cvd
  • bytecode.cvd

The clamav-freshclam.com service checks every hour for updates to the ClamAV virus database.

We can now start with [email protected].

sudo systemctl start [email protected]

Activate automatic start during charging.

turn on the sudo systemctl at [email protected].

Check his condition:

System status [email protected]

As you can see, it works. By the way, it uses 1.2G RAM on my mail server. If your mail server does not have enough RAM, the service will fail.

Open the Amavis configuration file.

ship-nano / etc. / Amavisd. / Amavisd.conf.

In this file you will find the following line, which you can use to check for viruses

# @bypass_virus_checks_maps = (1); # checks the execution of the antivirus code

If you do not comment on this line, the virus scan is disabled.

The @av_scanners section defines many antivirus scanners. By default, ClamAV is used. Amavis will call ClamAV via /run/clamd.amavis/clamd.sock socket Unix. ClamAV and Amvis both work as Amavis users.

Close the file and restart Amavis.

sudo systemctl restart amavisd

Check the data.

sudo journalctl -eu amavisd

You can see that Amavis is now using ClamAV to scan for viruses.

mail.linuxbabe.com amavis [1233432] : Using the internal Av-scanner Main code for ClamAV-clamd
mail.linuxbabe.com amavis [1233432] : Secondary Av-Scan ClamAV-clam scan found in /usr/bin/clamscan

If you now send mail from other mail servers, such as Gmail, to your own mail server and you check the mail headers, you will find a line like the one below indicating that the mail has been scanned by Amavis.

Virus X has been checked: Debian amavis-new on linuxbabe.com

You will also need to check the tally log (/var/log/maillog) for errors.

Step 4: Use a special port to send email

ClamAV can now scan incoming and outgoing mail. Amavis listens to incoming and outgoing email on port 10024. However, it is a good idea to use a different port, such as 10026, to send emails from authenticated users.

Edit the main file of the Amavis configuration.

ship-nano / etc. / Amavisd. / Amavisd.conf.

Find the next line.

$inet_socket_port = 10024 ; # listen on this (these) local TCP port(s)

Add a # symbol at the beginning to comment on it.

#inet_socket_port = 10024; # listen on this (these) local TCP port(s).

Then find the next line.

# $inet_socket_port = [10024.10026]; # Listen on multiple TCP ports.

Remove the first # symbol so you don’t have to comment on it, so Amavisd can also listen on port 10026.

$inet_socket_port = [10024,10026]; # Listen to multiple TCP ports

With a small scroll down you will find the next line that defines the ORIGINATION policy of port 10026.

$interface_policy{‘10026’} = ‘ORIGIN’;

You will then find the following rules that determine the POLICY OF THE ORIGIN.

$policy_bank{‘ORIGINATING’} = { # mail allegedly submitted by our smtp customer
=> 1, # state that the mail was submitted by our smtp customer
allow_disclaimers => 1, # activate disclaimers if available,
# notifies the malware administrator
virus_admin_maps => [virusalert@$mydomain],
spam_admin_maps => [virusalert@$mydomain],
warningbadhsender => 1,
# sends to the smtpd service, which uses the DKIM signature service
forward_method => ‘smtp :[127.0.0.1]:10027’,
# forced conversion of ATM to 7 bits (eg. for DKIM signing)
smtpd_discard_ehlo_keywords => [‘8BITMIME’],
bypass_banned_checks_maps => [1], # allows sending any file name and type
termination_dsn_on_notify_success => 0, # NOTIFY=SUCCESS Do not delete option
} ;

In the above lines you can see that Amavis by default forwards messages to the SMTPD service provided by the DKIM signature service. Postfix and OpenDKIM will handle the signing of DKIM, so we need to comment on the forward_method policy.

# forward_method => ‘smtp : [127.0.0.1]:10027’,

Save the file and close it. Then we have to tell SELinux that Amavis can use gate 10026. Install the next packet that gives the seed command.

Install sudo dnf policycoreutils-python-utils -y

Then set port type 10026 to amavisd_recv_port_t so Amavis can listen to port 10026.

port -m -t amavisd_recv_port_t -p tcp 10026

Check port 10026.

Connection for data storage -l | handle 10026

We see that gate 10026 can also be used by Amavisd.

Reboot Amavis

sudo systemctl restart amavisd

Check its status to make sure that the restart has taken place.

Amavisd system status

Then edit the main postfix configuration file.

sudo nano /etc/postfix/master.cf

Add the following line to the send service and emails from authenticated SMTP clients will be forwarded to Amavis listening on port 10026. This line overwrites (-o) the content_filter parameter in /etc/postfix/main.cf.

-o content_filter=smtp-amavis:[127.0.0.1]:10026

Here we go:

If you have activated the smtps service for Microsoft Outlook users, you must also add this line to the smtps service.

Save the file and close it. Restart the postfix to make the changes take effect.

sudo systemctl Restart Postfix

Check its status to make sure that the restart has taken place.

Status of the postfix system

Disables spam filtering in Amavis

Spam filtering in Amavis is enabled by default. If you have followed my Spam Assassin training guide, you do not need to include a spam test in Amavis. If you enable this feature, SpamAssassin will check every email.

To disable the spam check in Amavis, edit the Amavis configuration file.

ship-nano / etc. / Amavisd. / Amavisd.conf.

Find the next line.

# @bypass_spam_checks_maps = (1); # checks the execution of the anti-spam code

Delete the first character of the comment (#) to disable the spam check.

@bypass_spam_checks_maps = (1); # checks the execution of the anti-spam code

Save the file and close it. Then restart Amavis.

sudo systemctl restart amavisd

Closure of DKIM to Amavis

Two common software programs that can perform DKIM signing and DKIM authentication on Linux are OpenDKIM and Amavis. I prefer OpenDKIM because it works better with OpenDMARC. So I’m not gonna explain to you how DKIM signed your mail on Amavis.

By default, Amavis enables the DKIM signature and DKIM verification. If you have OpenDKIM on your mail server, you can disable DKIM in Amavis.

ship-nano / etc. / Amavisd. / Amavisd.conf.

Look up the following two lines and change them from 1 to 0, so Amavis does not check DKIM signatures for incoming mail and does not add DKIM signatures for outgoing mail

$enable_dkim_verification = 1; # enable DKIM signature verification
$enable_dkim_signing = 1; # load DKIM signature code, keys defined by dkim_key

Save the file and close it. Then restart Amavis.

sudo systemctl restart amavisd

When incoming mail is received, Postfix calls OpenDKIM via the sendmail milter interface to check the DKIM signatures, after which the mail is forwarded to Amavis for virus scanning. When sending emails, Postfix calls OpenDKIM to sign the email and then sends it to Amavis to check for viruses.

Amavis Performance improvement

Amavis 2 processes start by default. If you see the following lines in the mail log (/var/log/maillog), it means Amavis can’t process the mail fast enough

postfix/qmgr[1619188]: Note: Item for [127.0.0.1]:10024 used up to 4001 of the 4008 entries in the active queue
Postfix/qmgr [1619188]: Disclaimer : You may need to reduce the SMTP notification connection and the Helo
-Postfix/qmgr [1619188] timeouts: Disclaimer : You may need to increase the main value for Postfix to quickly jump to
-Postfix/qmgr hosts [1619188] : Disclaimer : It may be necessary to increase the main value.cf minimum_backoff_time and maximum_backoff_time
postfix/qmgr [1619188]: Warning: so that postfix has less time for not delivering mail until
postfix/qmgr [1619188]: Warning : Undeliverable mail may need to be increased in particular.cf smtp-amavis process limit
mail postfix/qmgr [1619188]: warning: avoid emptying the entire queue when you have
mail postfix/qmgr [1619188]: warning: much late mail is bad for performance.

To improve performance, edit the Amavis configuration file.

ship-nano / etc. / Amavisd. / Amavisd.conf.

Find the next line. By going from 2 to 4, Amavis is forced to perform 4 processes. If you have 10 processor cores, you can change 4 to 10.

$max_servers = 2; # number of preformed children (2…30 – together), -m

Save the file and close it. Then edit the main file of the Postifx configuration.

sudo nano /etc/postfix/master.cf

Find the definition of the SMS notification service and change the process limit from 2 to 4.

smtp-amavis unix – – n – 4 smtp
-o syslog_name=postfix/amavis
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disabled_dns_lookups=yes
-o max_use=20
-o smtp_tls_security_level=not.

Save the file and close it. Then restart Amavis and Postfix to make the changes take effect.

sudo systemctl restart amavisd postfix

Now execute the following command. You should see that there are now four Amavis trials.

a great babysitter

Press Ctrl+C to stop the great babysitter.

Skip the virus check for your newsletter

If you use your mail server to send messages and you have Amavis and ClamAV enabled, many CPU and RAM sources are used to scan for viruses when you send messages to your subscribers. Your email server can then stop responding. You can ignore the virus check for your newsletters by using the following method.

Edit the main postfix configuration file.

sudo nano /etc/postfix/master.cf

Add the following lines to the beginning of this folder. This allows smtpd to be enabled on port 2525 on the local host and accepts client connections initiated by the same server. If there is another listen on port 2525, you can change 127.0.0.1:2525 to something else, for example 127.0.0.1:2552. Note that the content_filter parameter is set to none, which means that messages are not parsed by ClamAV.

127.0.0.1:2525 inet n – – – – – 1 smtpd
-o syslog_name=postfix/2525
-o content_filter=

Then add the following lines at the end of this file. Replace 12.34.56.78 with the public IP address of the mail server. This will create another postfix daemon that will listen on port 10587. These are client connections from another server. The parameter content_filter is also set to zero.

12.34.56.78 :10587 inet n – y – – – smtpd
-o syslog_name=postfix/10587
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=no
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,
-о smtpd_recipient_restrictions=permit_mynetworks,allow_sasl_authenticated,reject
-о smtpd_sasl_type=pigeon fan
-о smtpd_sasl_path=private/auth
-o contents_filter=

Save the file and close it. Then restart the postfix.

sudo systemctl Restart Postfix

If your newsletter application is running on a mail server, enter 127.0.0.1:2525 as SMTP host without SMTP authentication. If your newsletter application is running on another server, enter 12.34.56.78:10587 as SMTP host with SMTP authentication.

Packaging

I hope this guide has helped you configure Amavis and ClamAV on the CentOS 8/RHEL 8 mail server. As always, if you find this message useful, subscribe to our free newsletter for more tips and tricks. Take care of yourself.

Evaluate this training manual.

On second thought: 0 Average : 0]

Related Tags:

centos 7.8 iptables,centos 6 disable firewall,how to enable firewall in centos 7,centos7 6 firewall,firewalld allow ping,linux disable firewall ubuntu,kali linux 2020 firewall,switch off iptables debian,disable firewall debian,disable iptables and use ufw,how to disable firewall in linux redhat 7,how to disable firewall in linux gui,iptables: no config file,how to open port in redhat linux 6,how to disable firewall in linux redhat 6,how to stop iptables permanently in linux,how to disable firewall in linux redhat 8,firewalls on centos,how to disabled firewall in centos