Post on 14-Apr-2018
7/29/2019 HowTos_Amavisd - CentOS Wiki
1/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
FrontPage Help Tips and Tricks How To FAQs Events Contribute Newsletter Changelog
HowTos/Amavisd
vcfagundo Preferences Salir
HowTos Amavisd
Amavisd-new, ClamAV and SpamAssassin
Contents
1. Introduction2. Installation
3. Configuration
1. ClamAV
2. Amavisd-new
3. Postfix
4. Other MTA's
4. Testing
5. SELinux
1. CentOS 6
6. Updating1. SpamAssassin
2. ClamAV
7. Links
Nota bene:Notice: This documentation was written for CentOS 5. It may not be accurate for
CentOS 6 or subsequent releases.
1. Introduction
Amavisd-new is a reliable high-performance interface between an email server (MTA) and content
checkers such as virus scanners (ClamAV), and/or SpamAssassin. Amavisd-new supports both
(E)SMTP and LMTP protocols as well as UNIX sockets for communicating with the MTA and content
checkers. In addition, it may also use dedicated helper programs such as the Mail::SpamAssassin Perl
Texto Ttulos
http://wiki.centos.org/FrontPagehttp://wiki.centos.org/Documentationhttp://wiki.centos.org/TipsAndTrickshttp://wiki.centos.org/HowToshttp://wiki.centos.org/FAQhttp://wiki.centos.org/Eventshttp://wiki.centos.org/Contributehttp://wiki.centos.org/Newsletter/Latesthttp://wiki.centos.org/RecentChangeshttp://wiki.centos.org/vcfagundohttp://wiki.centos.org/HowTos/Amavisd?action=userprefshttp://wiki.centos.org/HowTos/Amavisd?action=logout&logout=logouthttp://wiki.centos.org/HowToshttp://wiki.centos.org/HowTos/Amavisd?action=fullsearch&value=linkto%3A%22HowTos/Amavisd%22&context=180http://wiki.centos.org/HowTos/Amavisd?action=fullsearch&value=linkto%3A%22HowTos/Amavisd%22&context=180http://wiki.centos.org/HowTos/Amavisd?action=fullsearch&value=linkto%3A%22HowTos/Amavisd%22&context=180http://wiki.centos.org/HowToshttp://wiki.centos.org/HowTos/Amavisd?action=logout&logout=logouthttp://wiki.centos.org/HowTos/Amavisd?action=userprefshttp://wiki.centos.org/vcfagundohttp://wiki.centos.org/RecentChangeshttp://wiki.centos.org/Newsletter/Latesthttp://wiki.centos.org/Contributehttp://wiki.centos.org/Eventshttp://wiki.centos.org/FAQhttp://wiki.centos.org/HowToshttp://wiki.centos.org/TipsAndTrickshttp://wiki.centos.org/Documentationhttp://wiki.centos.org/FrontPagehttp://wiki.centos.org/FrontPage7/29/2019 HowTos_Amavisd - CentOS Wiki
2/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
module.
Amavisd-new supports a number of MTA's. As the Amavisd-new documentation states, Amavisd-new
works "best with Postfix, fine with dual-sendmail setup and Exim v4, works with sendmail/milter, or with
any MTA as a SMTP relay". This guide was written and tested on Postfix and can be used to
compliment the basic Postfix guide here. Other MTA's may get added later.
We are going to configure Amavisd-new's daemon, amavisd, to accept mail from our MTA, pass it to
ClamAV and SpamAssassin for checking, and then return it back to our MTA for delivery. Amavisd willuse lmtp listening on TCP port 10024 to accept mail from our MTA and then pass it to ClamAV using a
local UNIX socket and SpamAssassin using the Mail::SpamAssassin Perl module. Scanned mail will
then be returned to our MTA using smtp on TCP port 10025 for delivery.
Amavisd-new doesn't have to reside on the same physical server as the MTA, and in high load
environments it is not uncommon to have Amavisd-new, ClamAV and SpamAssassin on a physically
separate server than the MTA.
2. Installation
Amavisd-new and ClamAV were installed from the RPMForge repository. To enable the RPMForge
repository, please see the RPMForge instructions.
SpamAssassin is part of the CentOS base repository, but RPMForge carries a more current version of
it. You should consider using the version from RPMForge. To do so (especially if you use the priorities
plugin for yum), add the following to the [base] and the [updates] sections of your
/ etc/ yum. r epos. d/ Cent OS- Base. r epo file:
[ base]
excl ude=spamassass*
. . .
[ updat es]
excl ude=spamassass*
. . .
First, install amavisd-new, clamav and spamassassin packages:
yum - - enabl erepo=r pmf orge, r pmf orge- ext r as i nst al l amavi sd- new cl amav cl amav- devel cl amd
spamassassi n
This will likely also install a bunch of dependencies including various perl modules and archive
packages. If all went well, two new users, amavis and clamav should have been installed onto the
http://wiki.centos.org/HowTos/postfixhttp://wiki.centos.org/Repositories/RPMForgehttp://wiki.centos.org/PackageManagement/Yum/Prioritieshttp://wiki.centos.org/PackageManagement/Yum/Prioritieshttp://wiki.centos.org/PackageManagement/Yum/Prioritieshttp://wiki.centos.org/PackageManagement/Yum/Prioritieshttp://wiki.centos.org/Repositories/RPMForgehttp://wiki.centos.org/HowTos/postfix7/29/2019 HowTos_Amavisd - CentOS Wiki
3/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
system:
# cat / etc/ passwd | gr ep "amavi s\ | cl amav"
cl amav: x: 101: 102: Cl am Ant i Vi r us Checker : / var / cl amav: / sbi n/ nol ogi n
amavi s: x: 102: 103: Amavi s emai l scan user : / var / amavi s: / bi n/ sh
In addition, the clamav user should automatically have been added to the amavis group:
# groups cl amav
cl amav : cl amav amavi s
If not, you can manually add clamav to the amavis group:
gpasswd - a cl amav amavi s
Finally, three new services should have been added to the system
# chkconf i g - - l i st | gr ep "amavi sd\ | cl amd\ | spamassassi n"
amavi sd 0: off 1: off 2: on 3: on 4: on 5: on 6: of f
cl amd 0: of f 1: of f 2: on 3: on 4: on 5: on 6: off
spamassassi n 0: of f 1: of f 2: of f 3: of f 4: of f 5: of f 6: of f
The spamassassin service, which starts spamd, can be set to off as Amavisd-new doesn't actually use
the spamassassin daemon (spamd) but rather loads spamassassin as a module.
3. Configuration
SpamAssassin actually requires no special configuration to work with Amavisd-new and will work out of
the box. This does not mean that you cannot configure it via / et c/ mai l / spamassassi n/ l ocal . cf, or your
own cf-files in that directory.
3.1. ClamAV
7/29/2019 HowTos_Amavisd - CentOS Wiki
4/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
ClamAV's configuration is stored in /etc/clamd.conf. We must edit /etc/clamd.conf to tell ClamAV that
Amavisd-new will communicate using a local UNIX socket rather than a tcp socket, and where to find
that socket. Edit the LocalSocket setting and comment out the TCPSocket like so:
### / et c/ cl amd. conf
#
# Set t he Local Socket f or cl am
# Note t hi s *MUST* match t hat set i n / etc/ amavi sd. conf
#
Local Socket / var / r un/ cl amav/ cl amd. sock
#
# Comment out t he TCPSocket set t i ng:
# TCPSocket 3310
3.2. Amavisd-new
Amavisd-new keeps it's configuration settings in /etc/amavisd.conf.
Due to the power and flexibility of Amavisd-new, there is actually quite a lot to look at, so we'll cover
some of the more important settings a few at a time.
First up, we can disable either virus or spam checking by uncommenting the following lines (by default,
both virus and spam checking is enabled as the lines are commented out):
### / etc/ amavi sd. conf :
#
# To di sabl e vi r us or spam checks, uncomment t he f ol l owi ng:
#
# @bypass_vi r us_checks_maps = ( 1) ; # cont r ol s runni ng of ant i - vi r us code
# @bypass_ spam_checks_maps = ( 1) ; # cont r ol s r unni ng of ant i - spam code
# $bypass_decode_par t s = 1; # cont r ol s r unni ng of decoders & dearchi vers
Next, note to following lines although no change is required:
$max_server s = 2; # num of pr e- f orked chi l dr en ( 2. . 30 i s common) , - m
$daemon_user = "amavi s" ; # ( no def aul t ; cust omary: vscan or amavi s) , - u
$daemon_group = "amavi s" ; # ( no def aul t ; cust omary: vscan or amavi s) , - g
. . .
$i net _socket _port = 10024; # l i st en on t hi s l ocal TCP port ( s)
. . .
# $not i f y_method = ' smt p: [ 127. 0. 0. 1] : 10025' ;
# $f orward_method = ' smt p: [ 127. 0. 0. 1] : 10025' ; # set t o undef wi t h mi l t er!
7/29/2019 HowTos_Amavisd - CentOS Wiki
5/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
$max_servers sets the number of concurrent Amavisd-new processes and must match the number
set in /etc/postfix/master.cf "maxproc" column for the amavisfeed service (see configuration of Postfix
below).
$daemon_userand $daemon_group should match the user and group, respectively, under which
Amavisd-new will run.
$inet_socket_port defines the tcp port over which Amavisd-new will accept connections from Postfix.
$notify_method and $forward_method define the reinjection path of mail from Amavisd-new back
into Postfix.
The following settings must be edited (in the case of $mydomain and $myhostname) and
uncommented (remove the leading #):
$mydomai n = ' exampl e. com' ; # Edi t : a conveni ent def aul t f or other set t i ngs$MYHOME = ' / var / amavi s' ; # Uncomment : a conveni ent def aul t f or ot her
set t i ngs , - H
$hel per s_home = "$MYHOME/ var " ; # Uncomment : wor ki ng di r ect or y f or SpamAssassi n,
- S
$l ock_f i l e = "$MYHOME/ var / amavi sd. l ock"; # Uncomment , - L
$pi d_f i l e = "$MYHOME/ var / amavi sd. pi d"; # Uncomment , - P
$myhost name = ' mai l . exampl e. com' ; # Uncomment & Edi t : must be a f ul l y- qual i f i ed
domai n name!
Next up are some SpamAssassin settings which override the default SpamAssassin settings:
$sa_t ag_l evel _def l t = 2. 0; # add spam i nf o header s i f at, or above t hat
l evel
$sa_t ag2_l evel _def l t = 6. 2; # add ' spam det ect ed' header s at t hat l evel
$sa_ki l l _ l evel _def l t = 6. 9; # t r i ggers spam evasi ve acti ons ( e. g. bl ocks
mai l )
$sa_dsn_cutof f _l evel = 10; # spam l evel beyond whi ch a DSN i s not sent
# $sa_quarant i ne_cut of f _l evel = 25; # spam l evel beyond whi ch quarant i ne i s of f
$penpal s_bonus_score = 8; # ( no ef f ect wi t hout a @st orage_sql _dsn
database)
$penpal s_t hr eshol d_hi gh = $sa_ki l l _l evel _def l t ; # don' t waste t i me on hi spam
$sa_mai l _body_si ze_l i mi t = 400*1024; # don' t waste t i me on SA i f mai l i s l arger
$sa_l ocal _t est s_onl y = 0; # onl y t est s whi ch do not r equi r e i nt er net
access?
None of these need to be changed, but it's worthwhile being aware of them as this is the most
convenient place to tweak spam thresholds.
7/29/2019 HowTos_Amavisd - CentOS Wiki
6/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
$sa_tag_level_deflt is the level at which Amavisd-new will write spam info headers such as X-Spam-
Flag, X-Spam-Score and X-Spam-Status. If you would always like header info to be written to all
messages, set this value to -999.
$sa_tag2_level_deflt sets the level at which spam is tagged in the subject line of the message.
$sa_kill_level_deflt sets the level at which Amavisd-new will block the message and quarantine it.
This is useful as SpamAssassin doesn't do this by default.
$sa_dsn_cutoff_level is the level at which delivery failure notices are no longer sent to the sender. As
most spam sender addresses are forged anyway, it makes sense not to send failure notices in
response to obvious spam as you're only contributing to the problem of backscatter.
$sa_quarantine_cutoff_level is the level at which spam isn't even quarantined. By default it is
commented out meaning all spam will be quarantined.
Next up are some email addresses for notifications to be sent:
$vi r us_admi n = "vi r usal er t \ @$mydomai n"; # noti f i cat i ons r eci p.
$mai l f r om_not i f y_admi n = "vi r usal ert \ @$mydomai n"; # not i f i cat i ons sender
$mai l f r om_not i f y_reci p = "vi r usal ert \ @$mydomai n"; # noti f i cat i ons sender
$mai l f r om_not i f y_spamadmi n = "spam. pol i ce\ @$mydomai n"; # not i f i cat i ons sender
You will probably want to set these to "postmaster\@$mydomain" or some other address you would
rather receive spam notifications.
Finally, we need to uncomment the section for ClamAV like so:
### ht t p: / / www. cl amav. net /
[ ' Cl amAV- cl amd' ,
\ &ask_daemon, [ "CONTSCAN {}\ n", " / var/ r un/ cl amav/ cl amd. sock"] ,
qr / \ bOK$/ , qr / \ bFOUND$/ ,
qr / . *?: ( ?! I nf ected Ar chi ve) ( . *) FOUND$/ ] ,
# # NOTE: r un cl amd under t he same user as amavi sd, or r un i t under i t s own
# # ui d such as cl amav, add user cl amav to t he amavi s group, and t hen add
# # Al l owSuppl ement ar yGr oups t o cl amd. conf ;
# # NOTE: mat ch socket name ( Local Socket ) i n cl amav. conf t o t he socket name i n
# # t hi s ent r y; when r unni ng chrooted one may pref er socket " $MYHOME/ cl amd".
Note that the "/var/run/clamav/clamd.sock" setting must match the "LocalSocket
/var/run/clamav/clamd.sock" we made earlier in /etc/clamd.conf.
3.3. Postfix
7/29/2019 HowTos_Amavisd - CentOS Wiki
7/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
Next we need to configure the services in Postfix (/etc/postfix/master.cf) to allow mail to be passed to
Amavisd-new for filtering and then reinjected back into Postfix.
First we will configure the Amavisd-new service to accept mail From Postfix. Amavisd-new supports
both lmtp and smtp, and in this instance we have chosen to use the lmtp protocol. (FIXME: I'm not
aware of any reasons for choosing one protocol over the other so selected to use lmtp on the basis
that having local delivery to Amavisd-new show up in the logs as "lmtp" makes the log files somewhat
easier to read).
Open /etc/postfix/master.cf and add the following service called "amavisfeed":
# ==========================================================================
# ser vi ce t ype pr i vat e unpr i v chroot wakeup maxproc command + ar gs
# ( yes) ( yes) ( yes) ( never ) ( 100)
# ==========================================================================
amavi sf eed uni x - - n - 2 l mt p
- o l mt p_data_done_t i meout =1200
- o l mt p_send_xf or war d_command=yes
- o di sabl e_dns_l ookups=yes
- o max_use=20
Note that the number (2) in the "maxproc" column must match the $max_servers setting in
/etc/amavisd.conf. For a detailed description of the options, see the Amavisd-new documentation
(/usr/share/doc/amavisd-new-2.5.4/README.postfix.html).
Then we must define a dedicated service to reinject mail back into Postfix. For this we add an smtp
service listening on localhost (127.0.0.1) tcp port 10025 (the default setting in /etc/amavisd.conf) to/etc/postfix/master.cf:
# ==========================================================================
# ser vi ce t ype pr i vat e unpr i v chroot wakeup maxproc command + ar gs
# ( yes) ( yes) ( yes) ( never ) ( 100)
# ==========================================================================
127. 0. 0. 1: 10025 i net n - n - - smt pd
- o content_ f i l te r=
- o smt pd_del ay_r ej ect =no
- o smt pd_cl i ent _r estr i ct i ons=permi t _mynet works, r ej ect
- o smt pd_hel o_r est r i cti ons=
- o smt pd_sender_r estr i ct i ons=
- o smt pd_r eci pi ent _r estr i ct i ons=per mi t _mynet works, r ej ect
- o smt pd_dat a_r est r i cti ons=r ej ect_unaut h_pi pel i ni ng
- o smt pd_end_of _dat a_rest r i ct i ons=
- o smt pd_r est r i cti on_cl asses=
- o mynetworks=127. 0. 0. 0/ 8
- o s mt pd_er r or_ sl eep_t i me=0
- o smt pd_sof t _err or_l i mi t =1001
- o smt pd_hard_er r or_ l i mi t =1000
7/29/2019 HowTos_Amavisd - CentOS Wiki
8/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
- o smt pd_cl i ent _connect i on_count _l i mi t =0
- o smt pd_cl i ent _connect i on_r ate_l i mi t =0
- o
r ecei ve_over r i de_opt i ons=no_header _body_checks, no_unknown_reci pi ent _checks, no_mi l t ers, no_addre
ss_mappi ngs
- o l ocal _header_r ewri t e_cl i ent s=
- o smt pd_mi l t ers=
- o l ocal _r eci pi ent _maps=
- o r el ay_r eci pi ent _maps=
For a detailed description of the options, see the Amavisd-new documentation
(/usr/share/doc/amavisd-new-2.5.4/README.postfix.html).
After making changes to /etc/postfix/master.cf, we must reload postfix for the changes to take effect:
postf i x re l oad
At this point it might be wise to test the Amavisd-new and Postfix daemons are listening correctly (see
the Testing section below).
Once everything is in place and working, the final step is to enable message filtering in Postfix by
adding the following setting to /etc/postfix/main.cf:
cont ent _f i l t er=amavi sf eed: [ 127. 0. 0. 1] : 10024
and reload postfix for the changes to take effect:
postf i x re l oad
and watch your mail logs.
tai l - f / var / l og/ mai l l og
3.4. Other MTA's
7/29/2019 HowTos_Amavisd - CentOS Wiki
9/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
Amavisd-new can be configured with other MTA's besides Postfix. README docs for other MTA's can
be found here:
http://www.ijs.si/software/amavisd/#doc
If anyone would like to contribute section's on configuring other MTA's they should see the How To
Contribute page here:
http://wiki.centos.org/HowToContribute
4. Testing
Now would be a good time to test that the services we've defined are working as expected.
First, start the clamd and amavisd services:
# servi ce cl amd st art
St art i ng Cl am Ant i Vi r us Daemon: [ OK ]
# servi ce amavi sd st art
St art i ng Mai l Vi r us Scanner ( amavi sd) : [ OK ]
Now test that the amavisd service is listening on 127.0.0.1:10024 using telnet:
$ t el net l ocal host 10024
Tr yi ng 127. 0. 0. 1. . .
Connect ed t o l ocal host. l ocal domai n ( 127. 0. 0. 1) .
Escape charact er i s ' ] ' .
220 [127. 0. 0. 1] ESMTP amavi sd- new ser vi ce r eady
ehl o l ocal host
250- [ 127. 0. 0. 1]
250- VRFY
250- PI PELI NI NG
250- SI ZE
250- ENHANCEDSTATUSCODES
250- 8BI TMI ME
250- DSN
250 XFORWARD NAME ADDR PROTO HELO
qui t
221 2. 0. 0 [ 127. 0. 0. 1] amavi sd- new cl osi ng t r ansmi ssi on channel
Connect i on cl osed by f orei gn host.
If everything is working then you should see a successful connection similar to above.
http://www.ijs.si/software/amavisd/#dochttp://wiki.centos.org/HowToContributehttp://wiki.centos.org/HowToContributehttp://www.ijs.si/software/amavisd/#doc7/29/2019 HowTos_Amavisd - CentOS Wiki
10/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
Next to test the Postfix smtpd is listening on 127.0.0.1:10025:
$ t el net l ocal host 10025
Tr yi ng 127. 0. 0. 1. . .
Connect ed t o l ocal host. l ocal domai n ( 127. 0. 0. 1) .
Escape charact er i s ' ] ' .
220 mai l . exampl e. com ESMTP Post f i x
ehl o l ocal host
250- mai l . exampl e. com
250- PI PELI NI NG
250- SI ZE 20480000
250- VRFY
250- ETRN
250- STARTTLS
250- ENHANCEDSTATUSCODES
250- 8BI TMI ME
250 DSN
qui t
221 2. 0. 0 Bye
Connect i on cl osed by f orei gn host.
Again we should see a successful connection as shown above. Now we can test if everything is
working by sending special strings to test the scanning.
GTUBE (Generic Test for Unsolicited Bulk Email) string for testing SpamAssassin.
EICAR string for testing ClamAV.
Change directory to /usr/share/doc/amavisd-new-2.5.4/test-messages, and run:
per l - pe ' s/ . / chr ( or d( $&) 255) / sge'
7/29/2019 HowTos_Amavisd - CentOS Wiki
11/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
expectations.
5. SELinux
One workaround for SELinux issues is to temporarily use permissive rather than enforcing mode
in / et c/sel i nux/ conf i g . Such an approach has the added benefit of placing the needed information
in the SELinux audit logs, which may be found in /var/log/audit/ . For more information, see this article
about SELinux
When SELinux is enabled and in enforcing mode, some additional policies are required for amavisd
and ClamAV. The following SELinux policy modules were determined by running the
amavisd/ClamAV/SpamAssassin setup described herein on CentOS 5 (fully updated) with SELinux in
permissive mode and running AVC error logs through audit2allow as described in the SELinux HowTo.
We are going to create two custom SELinux policy modules, amavisdlocal and clamlocal for amavisd
and ClamAV, respectively (SpamAssassin does not require a custom SELinux policy). Cut and paste
the following code and save to amavisdlocal.te and clamlocal.te, respectively:
modul e amavi sdl ocal 1. 0;
r equi r e {
type traceroute_port_t;
t ype pgpkeyserver_ por t _t ;
t ype amavi s_var _l i b_t ;
t ype amavi s_t ;t ype cl ockspeed_por t _t ;
cl ass udp_socket name_bi nd;
cl ass l nk_fi l e { read creat e unl i nk get at t r };
}
#============= amavi s_t ==============
al l ow amavi s_t cl ockspeed_por t _t : udp_socket name_bi nd;
al l ow amavi s_t pgpkeyserver_ por t _t : udp_socket name_bi nd;
al l ow amavi s_t t r acer out e_port _t : udp_socket name_bi nd;
al l ow amavi s_t amavi s_var _l i b_t : l nk_f i l e { r ead creat e unl i nk get att r };
modul e cl aml ocal 1. 0;
r equi r e {
t ype pr oc_t ;
type var_t;
http://wiki.centos.org/HowTos/SELinuxhttp://wiki.centos.org/SpamAssassinhttp://wiki.centos.org/HowTos/SELinuxhttp://wiki.centos.org/HowTos/SELinuxhttp://wiki.centos.org/SpamAssassinhttp://wiki.centos.org/SpamAssassinhttp://wiki.centos.org/HowTos/SELinuxhttp://wiki.centos.org/SpamAssassinhttp://wiki.centos.org/HowTos/SELinux7/29/2019 HowTos_Amavisd - CentOS Wiki
12/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
t ype sysct l _ker nel _t ;
t ype cl amd_t ;
c l ass f i l e { read getatt r };
cl ass di r { r ead sear ch };
}
#============= cl amd_t ==============
al l ow cl amd_t pr oc_t: f i l e { r ead get at t r };
al l ow cl amd_t sysctl _kernel _t : di r sear ch;
al l ow cl amd_t sysctl _kernel _t : f i l e read;
al l ow cl amd_t var _t : di r r ead;
al l ow cl amd_t var_t : f i l e { r ead get at t r };
Now build and load the amavisdlocal module:
# checkmodul e - M - m - o amavi sdl ocal . mod amavi sdl ocal . t e
checkmodul e: l oadi ng pol i cy conf i gur ati on f r om amavi sdl ocal . t e
checkmodul e: pol i cy conf i gur ati on l oaded
checkmodul e: wr i t i ng bi nary repr esent ati on ( ver si on 6) t o amavi sdl ocal . mod
# semodul e_package - o amavi sdl ocal . pp - m amavi sdl ocal . mod
# semodul e - i amavi sdl ocal . pp
and repeat for clamlocal:
# checkmodul e - M - m - o cl aml ocal . mod cl aml ocal . t e
checkmodul e: l oadi ng pol i cy conf i gur ati on f r om cl aml ocal . t e
checkmodul e: pol i cy conf i gur ati on l oaded
checkmodul e: wr i t i ng bi nary repr esent ati on ( ver si on 6) t o cl aml ocal . mod
# semodul e_package - o cl aml ocal . pp - m cl aml ocal . mod
# semodul e - i cl aml ocal . pp
Finally, check that our custom local SELinux policy modules are loaded:
# semodul e - l
amavi s 1. 1. 0
amavi sdl ocal 1. 0
ccs 1. 0. 0
cl amav 1. 1. 0
cl aml ocal 1. 0
dcc 1. 1. 0
evol ut i on 1. 1. 0
7/29/2019 HowTos_Amavisd - CentOS Wiki
13/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
i scs i d 1. 0. 0
mozi l l a 1. 1. 0
mpl ayer 1. 1. 0
nagi os 1. 1. 0
oddj ob 1. 0. 1
pcscd 1. 0. 0
postgr ey 1. 0
pyzor 1. 1. 0
razor 1. 1. 0
r i cci 1. 0. 0
smar t mon 1. 1. 0
5.1. CentOS 6
For CentOS 6, additional steps are required. Thanks to Harald Oehlmann in
http://lists.centos.org/pipermail/centos-docs/2012-October/004994.html
Amavis is storing the message body and all attachements (subfolder "parts") in a subfolder of
"/var/amavis/tmp". The virus scanner is scanning those files and writes its result in files in this folder.
Virus Scanner action on this folder is stopped by SELinux, resulting in errors like "(!)run_av (ClamAV-
clamscan) FAILED" in "/var/log/mail".
Do the following to allow this interface with clam-av:
- - se_cl amav_amavi s. t e- -# *** HaO 2012- 09- 30: add rul e t o al l ow cl amav to access amavi s f i l es
# and wr i t es back ok f i l e and may creat e temp f ol der
modul e c l amscanamavi s 1. 0;
r equi r e {
t ype cl amscan_t ;
t ype amavi s_var _l i b_t ;
cl ass f i l e {get att r r ead open wr i t e creat e unl i nk};
cl ass di r {sear ch r ead get att r open wr i t e add_name cr eate
set at t r r emove_name r mdi r };
}
al l ow cl amscan_t amavi s_var _l i b_t : f i l e {get att r r ead open wr i t e creat e
unl i nk};al l ow cl amscan_t amavi s_var _l i b_t : di r {search r ead get at t r open wr i t e
add_name cr eate set at t r r emove_name r mdi r };
And then
checkmodul e - M - m - o se_cl amav_amavi s. mod se_cl amav_amavi s. t e
semodul e_package - o se_cl amav_amavi s. pp - m se_cl amav_amavi s. mod
semodul e - i se_cl amav_amavi s. pp
http://lists.centos.org/pipermail/centos-docs/2012-October/004994.htmlhttp://lists.centos.org/pipermail/centos-docs/2012-October/004994.html7/29/2019 HowTos_Amavisd - CentOS Wiki
14/15
Tos/Amavisd - CentOS Wiki
//wiki.centos.org/HowTos/Amavisd[11-06-2013 20:46:32]
6. Updating
6.1. SpamAssassin
Spam is rapidly changing, and new rules are often written in response. With sa-update, those rules
can quickly (potentially within minutes) be distributed and the new spam caught. Please read about
sa-update before continuing. To enable automatic updates, open up /etc/cron.d/sa-update in your
favorite editor and uncomment the cron line so it looks like this:
10 4 * * * r oot / usr / share/spamassassi n/ sa- updat e. cron 2>&1 | t ee - a / var / l og/ sa- update. l og
Save and exit. This cron job will run at 4:10AM everyday.
6.2. ClamAV
ClamAV uses freshclam to update the virus definitions. They are automatically updated with the
/etc/cron.daily/freshclam cron script. No actions need to be taken. You can verify that your updates are
being completed by looking at your /var/log/clamav/freshclam.log log file.
7. Links
Amavisd-new is supplied with extensive documentation installed to /usr/share/doc/amavisd-new-2.5.4/
and the reader is referred to /usr/share/doc/amavisd-new-2.5.4/README.postfix.html in particular. An
online version is also available here: http://www.ijs.si/software/amavisd/README.postfix.html
http://www.linuxjournal.com/article/7778
http://www200.pair.com/mecham/spam/clamav-redhat-amavis.html
http://www200.pair.com/mecham/spam/clamav-amavisd-new.html
...
http://wiki.apache.org/spamassassin/RuleUpdateshttp://www.ijs.si/software/amavisd/README.postfix.htmlhttp://www.linuxjournal.com/article/7778http://www200.pair.com/mecham/spam/clamav-redhat-amavis.htmlhttp://www200.pair.com/mecham/spam/clamav-amavisd-new.htmlhttp://www200.pair.com/mecham/spam/clamav-amavisd-new.htmlhttp://www200.pair.com/mecham/spam/clamav-redhat-amavis.htmlhttp://www.linuxjournal.com/article/7778http://www.ijs.si/software/amavisd/README.postfix.htmlhttp://wiki.apache.org/spamassassin/RuleUpdates7/29/2019 HowTos_Amavisd - CentOS Wiki
15/15
Tos/Amavisd - CentOS Wiki
HowTos/Amavisd (ltima edicin 2013-01-04 18:05:38 efectuada por NedSlider)
FrontPage Help Tips and Tricks How To FAQs Events Contribute Newsletter Changelog
HowTos/Amavisd
This wiki is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.
http://wiki.centos.org/NedSliderhttp://wiki.centos.org/FrontPagehttp://wiki.centos.org/Documentationhttp://wiki.centos.org/TipsAndTrickshttp://wiki.centos.org/HowToshttp://wiki.centos.org/FAQhttp://wiki.centos.org/Eventshttp://wiki.centos.org/Contributehttp://wiki.centos.org/Newsletter/Latesthttp://wiki.centos.org/RecentChangeshttp://creativecommons.org/licenses/by-sa/3.0/http://creativecommons.org/licenses/by-sa/3.0/http://creativecommons.org/licenses/by-sa/3.0/http://creativecommons.org/licenses/by-sa/3.0/http://creativecommons.org/licenses/by-sa/3.0/http://creativecommons.org/licenses/by-sa/3.0/http://wiki.centos.org/RecentChangeshttp://wiki.centos.org/Newsletter/Latesthttp://wiki.centos.org/Contributehttp://wiki.centos.org/Eventshttp://wiki.centos.org/FAQhttp://wiki.centos.org/HowToshttp://wiki.centos.org/TipsAndTrickshttp://wiki.centos.org/Documentationhttp://wiki.centos.org/FrontPagehttp://wiki.centos.org/NedSlider