FEATURE The story so far: Over the last two weeks, I've explained how you can set up a mail server to provide you with POP3 and IMAP services, for your own email, with some basic filtering of inbound connections, and the ability to connect to it and send emails from just about anywhere. This week, it's time to add more serious mail filtering tools to provide better protection against spam and viruses.
This week, we're adding proper virus and spam filtering
Before we get stuck into the configuration, a little word of explanation. There are various ways in which filtering can be implemented in Postfix and other MTAs. Here we're going to use what's referred to as 'before queue' filtering, which means that it's done before your mail server accepts a message.
That's important, because if your server says it's received a message OK, it should really accept it and make sure it gets to the right person. If there's a problem then the sender should know, subject to some sanity checks, so you don't bombard innocent people whose address happens to be in the headers of spam, for instance.
The filter, Amavisd-new, listens in the background on the server. In Postfix, it's set up using an SMTP proxy filter, so when a connection is accepted all the data is passed to the proxy, which unpacks the message, scans it and works out if it should be allowed. If it is, then it's passed on to the Postfix queue via a loopback connection, and if not, the rejection is reported to the sending system with a message like:
554 5.7.0 Reject, id=30475-02 - spam
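To make the before-queue behaviour concrete, here is an added example (not code from the article or from Postfix or Amavisd-new) that models the SMTP dialogue in memory: the verdict arrives as the reply to the end-of-DATA dot, and a rejected message never reaches the queue. The scan() stand-in, the X-Demo-Verdict marker header, the addresses and every reply text except the 554 line quoted above are constructed for the demonstration.

```python
REJECT = "554 5.7.0 Reject, id=30475-02 - spam"  # reply text quoted in the article

def scan(message):
    """Stand-in for the content filter; the marker header is constructed."""
    return "X-Demo-Verdict: spam" not in message

def smtp_session(client_lines, queue):
    """Run one SMTP dialogue and return [(client line, server reply)].
    A message reaches `queue` only after scan() passes, so the reply to the
    end-of-DATA dot is the point where the server takes responsibility.
    """
    transcript, body, in_data = [], [], False
    for line in client_lines:
        if in_data:
            if line != ".":
                # Collect message content, undoing SMTP dot-stuffing.
                body.append(line[1:] if line.startswith(".") else line)
                continue
            in_data = False
            message = "\n".join(body)
            if scan(message):
                queue.append(message)
                reply = "250 2.0.0 Ok: queued"  # constructed reply text
            else:
                reply = REJECT  # nothing queued; the sender's MTA handles the failure
        elif line.upper() == "DATA":
            in_data, body = True, []
            reply = "354 End data with <CR><LF>.<CR><LF>"
        elif line.upper() == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "250 2.0.0 Ok"  # EHLO, MAIL FROM, RCPT TO: unchecked in this model
        transcript.append((line, reply))
    return transcript

def deliver(message_lines, queue):
    """Constructed client side: wrap a message in a minimal SMTP dialogue."""
    lines = ["EHLO client.example", "MAIL FROM:<alice@example.org>",
             "RCPT TO:<bob@example.net>", "DATA", *message_lines, ".", "QUIT"]
    return smtp_session(lines, queue)

if __name__ == "__main__":
    queue = []
    clean = ["Subject: hello", "", "Lunch on Friday?"]
    spam = ["Subject: offer", "X-Demo-Verdict: spam", "", "Buy now"]
    for msg in (clean, spam):
        for sent, reply in deliver(msg, queue):
            print(f"C: {sent}\nS: {reply}")
    print("messages queued:", len(queue))
```

Because the 554 reply is given inside the sender's own SMTP session, any failure notice is produced by the sending system rather than by your server, which is why this approach avoids bouncing mail to forged header addresses.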
If you followed the instructions last time round, you'll have Amavisd-new already installed on your system, and with it SpamAssassin and ClamAV. If not, add it using the pkg_add command. The main configuration file is /etc/amavisd.conf, but before we start tinkering with that, a word about chroot.
If you've followed the steps so far, you have a server running Postfix with Dovecot IMAP/POP3 and greylisting
With chroot, Amavis, and its ancillaries like ClamAV, will be restricted to a specific folder, typically /var/amavisd. This is more a way of limiting the potential scope of any exploits than a security tool in its own right, and a carefully set up environment will add some degree of extra protection.
However, there are a lot of ancillary files you have to copy, and specific folders and directories to create. It can be a little fiddly, especially if you've not done it before. So, in the interests of brevity, I'm going to do an initial Amavis configuration here that doesn't use chroot.
Over on my own website, I've posted a script that will create all the necessary folders and copy the appropriate files for you, assuming you're using OpenBSD 5.7 and the same versions of everything as are used here.
You can change over to a chroot setup fairly easily once you're sure the filtering is working properly, if you wish.