Setting up Postfix with spam and virus filtering (FreeBSD)

postfix-spam-and-virus-filtering.md

Assumptions

• Actual users on local system, not virtual users.
• FreeBSD (at least v10)

Installation

• postfix
• dovecot2 (not version 1 as local delivery, LDA, doesn't appear to work correctly with postfix)
• sieve support for dovecot2 (in FreeBSD the package is called pigeonhole)
• spamassassin
• amavisd-new
• clamav

> pkg install postfix dovecot2 spamassassin amavisd-new clamav dovecot-pigeonhole

Download spam and virus definitions (and create crontab tasks to run these, as correct user)

> sa-update
> freshclam
> crontab -e # write crontab

Setup postfix

Tell postfix to use local filter and deliver via dovecot LDA (so that we can move spam to Junk folder), in postfix/main.cf:

# amavisd-new filtering
content_filter = smtp-amavis:[127.0.0.1]:10024

# use dovecot for local delivery so that we can move spam files to the junk folder (via the sieve)
mailbox_command = /usr/local/libexec/dovecot/dovecot-lda

postfix/master.cf:

# amavisd-new filtering
smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Setup Dovecot to deliver spam to Junk folder

End of dovecot/conf.d/15-lda.conf change to:

...
plugin {
        sieve = /usr/local/etc/dovecot/dovecot.sieve
}

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}

Create file to use sieve to move marked emails:

/usr/local/etc/dovecot/dovecot.sieve:

if header :contains "X-Spam-Flag" "YES" {
 fileinto :create "Junk";
 stop;
}

Notes

• spamd is not needed, amavisd-new loads the perl library into memory itself, and so having spamassassin run in spamd is actually just wasteful
• mailbox_command should be used instead of mailbox_transport, the latter seems only to be necessary with virtual users

Resources

• http://www.allaboutspam.com/email-server-test/
• http://wiki.dovecot.org/LDA/Postfix
• http://serverfault.com/questions/764641/spamassassin-dovecot-and-postfix-move-spam-to-folder
• https://wiki.centos.org/HowTos/Amavisd

TODO

Set up spamassassin to learn what is spam:

• https://github.com/miniwark/miniwark-howtos/wiki/Site-wide-bayesian-filtering-&-Roundcube-webmail

Hi!

I have this in main.cf
virtual_transport = dovecot
and this in master.cf:

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}

I have no idea how this would be different from mailbox_command though. Maybe its just a shorthand for the same thing..

I'm using FreeBSD 11.1-RELEASE #0 and had to do some modifications.
dovecot.sieve:

require ["fileinto"];
if header :contains "X-Spam-Flag" "YES" {
fileinto "Junk";
stop;
}

15-lda.conf:

plugin {
sieve_user_log=~/.dovecot.sieve.log
sieve_global_path = /var/lib/dovecot/sieve/default.sieve
sieve_dir = ~/sieve
sieve_global_dir = /var/lib/dovecot/sieve/
}

And I used https://easyengine.io/tutorials/mail/server/sieve-filtering/ to get it working. One also needs to configure amavisd.conf to actually use clamav.