-------

Install Amavis and ClamAV on CentOS 8/RHEL 8 Mail Server-Postfix

Warning: Amavis and ClamAV need a fair amount of RAM. Make sure at least 1.3 GB is free before installing them. The whole mail server stack (Postfix, Dovecot, Amavis, ClamAV, SpamAssassin, OpenDKIM, MySQL/MariaDB, PostfixAdmin and Roundcube Webmail) needs at least 3 GB of RAM to run smoothly. If RAM runs out you will run into trouble such as the mail server going offline or becoming unresponsive.

Install ClamAV

# install from EPEL

[root@mail ~]#    dnf --enablerepo=epel -y install clamav clamav-update

[root@mail ~]#    vi /etc/freshclam.conf

# line 8: comment out if it is enabled

#Example

# update pattern files manually

[root@mail ~]# freshclam

ClamAV update process started at Thu Sep 26 00:45:12 2019

main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)

daily.cvd is up to date (version: 25583, sigs: 1778105, f-level: 63, builder: raynman)

bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)

# scan /home. Note that --remove deletes every infected file on the spot; leave it out (or use --move=DIR to quarantine) if you want to inspect hits first

[root@mail ~]#   clamscan --infected --remove --recursive /home

----------- SCAN SUMMARY -----------

Known viruses: 6334004

Engine version: 0.101.4

Scanned directories: 2

Scanned files: 3

Infected files: 0

Data scanned: 0.00 MB

Data read: 0.00 MB (ratio 0.00:1)

Time: 40.722 sec (0 m 40 s)

# download the EICAR test file (harmless by design, detected by every AV engine)

[root@mail ~]# wget http://www.eicar.org/download/eicar.com

[root@mail ~]# clamscan --infected --remove --recursive .

# the test file is detected and removed

./eicar.com: Eicar-Test-Signature FOUND

./eicar.com: Removed.

----------- SCAN SUMMARY -----------

Known viruses: 6334004

Engine version: 0.101.4

Scanned directories: 1

Scanned files: 9

Infected files: 1

Data scanned: 0.01 MB

Data read: 0.00 MB (ratio 2.00:1)

Time: 39.496 sec (0 m 39 s)

--------------------------------------------------------------

Step 1: Install Amavis on CentOS 8/RHEL 8

Amavis is written in Perl. We need to enable the EPEL (Extra Packages for Enterprise Linux) and CodeReady Linux Builder repository on RHEL 8 to install some Perl dependencies for Amavis.

sudo dnf install epel-release -y

sudo subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms

On CentOS 8, enable the EPEL (Extra Packages for Enterprise Linux) and PowerTools repositories to install the Perl dependencies for Amavis. The repository id is PowerTools on CentOS 8.0 to 8.2 and lowercase powertools on 8.3 and later; dnf repolist --all shows which one you have.

sudo dnf install epel-release -y

sudo dnf config-manager --set-enabled PowerTools

Then install the amavis package (that is its name in EPEL 8; older guides call it amavisd-new). Installing clamd and the two Perl modules Amavis uses in the same step saves a second run:

sudo dnf install amavis -y

sudo dnf --enablerepo=epel,PowerTools -y install amavis clamd perl-Digest-SHA1 perl-IO-stringy

To check the version number, run

amavisd -V

Sample output:

amavisd-new-2.12.0 (20190725)

Viruses are commonly spread as email attachments. Install the following packages so Amavis can unpack and scan archive attachments such as .7z, .cab, .doc, .exe, .iso, .jar and .rar files.

sudo dnf -y install arj bzip2 cpio file gzip nomarch spax unrar p7zip unzip zip lrzsz lzip lz4 lzop

Note: unrar is not in the base or EPEL repositories. If dnf stops with no match for it, drop it from the list or enable a third-party repository that provides it (RPM Fusion nonfree ships unrar).

Note that if your server doesn’t use a fully-qualified domain name (FQDN) as the hostname, Amavis might fail to start. And the OS hostname might change, so it’s recommended to set a valid hostname directly in the Amavis configuration file.

The setting is $myhostname in /etc/amavisd/amavisd.conf; it is set together with $mydomain in the "Configure Amavisd" step below. Before that, configure the clamd instance Amavis will talk to.

[root@mail ~]#   vi /etc/clamd.d/scan.conf

# line 8: comment out

#Example

# line 14: uncomment

LogFile /var/log/clamd.scan

# line 74: uncomment

PidFile /var/run/clamd.scan/clamd.pid

# line 78: uncomment

TemporaryDirectory /var/tmp

# line 93: uncomment

LocalSocket /var/run/clamd.scan/clamd.sock

[root@mail ~]#  touch /var/log/clamd.scan

[root@mail ~]#  chown clamscan. /var/log/clamd.scan

[root@mail ~]#  systemctl enable --now clamd@scan


If SELinux is enforcing, relabel the new log file and allow the scanner to read the filesystem:

[root@mail ~]#  restorecon -v /var/log/clamd.scan

[root@mail ~]#  setsebool -P antivirus_can_scan_system on

Configure Amavisd. One thing to check while the file is open: the ClamAV-clamd entry in @av_scanners must point at the socket the clamd instance you started actually creates. With clamd@scan as configured above that is /var/run/clamd.scan/clamd.sock, whereas the EPEL default in amavisd.conf is /run/clamd.amavisd/clamd.sock, which belongs to the clamd@amavisd instance. Either change the path or run clamd@amavisd instead; with a wrong path Amavis still starts, but cannot reach clamd, logs the failure, and falls back to the slow clamscan binary (or defers mail if no scanner works).

[root@mail ~]#   vi /etc/amavisd/amavisd.conf

# line 23: change to your own domain name

$mydomain = 'worldcm.net';

# line 155: uncomment and change to your own hostname (must be a FQDN)

$myhostname = 'mail.worldcm.net';

# line 157,158: uncomment

$notify_method = 'smtp:[127.0.0.1]:10025';

$forward_method = 'smtp:[127.0.0.1]:10025';

[root@mail ~]#   systemctl enable --now amavisd

[root@mail ~]#   systemctl status amavisd

Check that Amavis is active (running). If it is not, look at the logs with journalctl -eu amavisd; the usual cause is a $myhostname that is not a fully-qualified domain name.

Amavisd listens on 127.0.0.1:10024, as can be seen with:

sudo ss -lnpt | grep amavi

Configure Postfix. Keep the 10025 re-injection listener bound to 127.0.0.1 as shown: it switches off the normal smtpd restrictions so that Amavis can hand mail back, and must therefore never be reachable from outside the host.

[root@mail ~]#   vi /etc/postfix/main.cf

# add follows to the end

content_filter=smtp-amavis:[127.0.0.1]:10024

[root@mail ~]#   vi /etc/postfix/master.cf

# add follows to the end

smtp-amavis unix -    -    n    -    2 smtp

    -o smtp_data_done_timeout=1200

    -o smtp_send_xforward_command=yes

    -o disable_dns_lookups=yes

127.0.0.1:10025 inet n    -    n    -    - smtpd

    -o content_filter=

    -o local_recipient_maps=

    -o relay_recipient_maps=

    -o smtpd_restriction_classes=

    -o smtpd_client_restrictions=

    -o smtpd_helo_restrictions=

    -o smtpd_sender_restrictions=

    -o smtpd_recipient_restrictions=permit_mynetworks,reject

    -o mynetworks=127.0.0.0/8

    -o strict_rfc821_envelopes=yes

    -o smtpd_error_sleep_time=0

    -o smtpd_soft_error_limit=1001

    -o smtpd_hard_error_limit=1000

[root@mail ~]#   systemctl restart postfix
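The configuration above has three hops that each have to line up: main.cf's content_filter must name the smtp-amavis transport, the 10025 smtpd must stay on loopback with an empty content_filter, and the clamd socket path in amavisd.conf must be the one the running clamd instance creates (clamd@scan above uses /var/run/clamd.scan/clamd.sock, while the EPEL amavisd.conf defaults to /run/clamd.amavisd/clamd.sock). The following Python script is an added example, not code from this guide or the Amavis project: it parses the four files as plain text and reports any hop that does not match. The sample configs embedded at the bottom are constructed for the demo (example.com is a placeholder); on a real server pass in the contents of the files under /etc/postfix, /etc/amavisd and /etc/clamd.d instead.

```python
"""Cross-check the Postfix -> Amavis -> clamd wiring from this guide as plain text.

Added example (not code from the guide or the Amavis project). It flags the three
mistakes that quietly break scanning: a content_filter naming an undefined transport,
a 10025 re-injection smtpd that loops mail or listens on a public interface, and a
clamd socket path other than the one Amavis opens. Sample configs are constructed.
"""
import re


def parse_main_cf(text):
    """main.cf 'key = value' lines; comments and continuation lines are skipped."""
    params = {}
    for line in text.splitlines():
        if line[:1] in (' ', '\t') or line.lstrip().startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """master.cf services: {name: {'type', 'command', 'options'}}, '-o' lines folded in."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':                     # leading whitespace = continuation line
            m = re.match(r'\s*-o\s+([^=\s]+)=(.*)', line)
            if m and current:
                services[current]['options'][m.group(1)] = m.group(2).strip()
            continue
        f = line.split()                         # name type private unpriv chroot wakeup maxproc command
        if len(f) >= 8:
            current = f[0]
            services[current] = {'type': f[1], 'command': f[7], 'options': {}}
    return services


def normalize_socket(path):
    """/var/run is a symlink to /run on CentOS 8, so compare canonical paths."""
    return re.sub(r'^/var/run/', '/run/', path or '')


def clamd_local_socket(clamd_conf):
    m = re.search(r'^\s*LocalSocket\s+(\S+)', clamd_conf, re.M)
    return m.group(1) if m else None


def amavis_clamd_socket(amavisd_conf):
    """Socket path inside the ClamAV-clamd entry of @av_scanners."""
    m = re.search(r'ask_daemon,\s*\[\s*"CONTSCAN[^"]*",\s*"([^"]+)"', amavisd_conf)
    return m.group(1) if m else None


def amavis_forward_target(amavisd_conf):
    """(host, port) Amavis hands mail back to; the Amavis built-in default is 127.0.0.1:10025."""
    m = re.search(r"^\s*\$forward_method\s*=\s*'smtp:\[([^\]]+)\]:(\d+)'", amavisd_conf, re.M)
    return (m.group(1), int(m.group(2))) if m else ('127.0.0.1', 10025)


def check_wiring(main_cf, master_cf, amavisd_conf, clamd_conf):
    """Return a list of findings; an empty list means all three hops line up."""
    findings = []
    main, services = parse_main_cf(main_cf), parse_master_cf(master_cf)
    # Hop 1: Postfix -> Amavis through content_filter = transport:[host]:port
    m = re.match(r'(\S+):\[([^\]]+)\]:(\d+)$', main.get('content_filter', ''))
    if not m:
        findings.append('main.cf: content_filter is unset, so mail never reaches Amavis')
    elif m.group(1) not in services:
        findings.append(f'master.cf: transport "{m.group(1)}" named in content_filter is not defined')
    # Hop 2: Amavis -> the dedicated smtpd that re-injects scanned mail
    _host, port = amavis_forward_target(amavisd_conf)
    listeners = [(n, s) for n, s in services.items()
                 if s['type'] == 'inet' and (n == str(port) or n.endswith(f':{port}'))]
    if not listeners:
        findings.append(f'master.cf: no inet service on port {port} for Amavis to hand mail back to')
    for name, svc in listeners:
        if not name.startswith(('127.0.0.1:', 'localhost:', '[::1]:')):
            findings.append(f'master.cf: {name} bypasses the smtpd restrictions but is not bound to loopback')
        if svc['options'].get('content_filter') != '':
            findings.append(f'master.cf: {name} needs "-o content_filter=" or scanned mail loops back into Amavis')
    # Hop 3: Amavis -> clamd over the Unix socket named in @av_scanners
    want = normalize_socket(amavis_clamd_socket(amavisd_conf))
    have = normalize_socket(clamd_local_socket(clamd_conf))
    if want != have:
        findings.append(f'clamd socket mismatch: Amavis opens {want or "(none)"} but clamd listens on '
                        f'{have or "(none)"}; Amavis falls back to the slow clamscan binary or defers mail')
    return findings


# Constructed sample configs mirroring the guide (placeholders, not real server files).
MAIN_CF = "content_filter = smtp-amavis:[127.0.0.1]:10024\n"
MASTER_CF = """\
smtp-amavis unix -    -    n    -    2 smtp
    -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n    -    n    -    - smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
"""
AMAVISD_CONF = r"""
$mydomain = 'example.com';
$forward_method = 'smtp:[127.0.0.1]:10025';
@av_scanners = (
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.amavisd/clamd.sock"],
    qr/\bOK$/m, qr/\bFOUND$/m ],
);
"""
CLAMD_AMAVISD_CONF = "LocalSocket /run/clamd.amavisd/clamd.sock\nUser amavis\n"   # clamd@amavisd
CLAMD_SCAN_CONF = "LocalSocket /var/run/clamd.scan/clamd.sock\nUser clamscan\n"   # clamd@scan (above)

if __name__ == '__main__':
    for label, conf in (('clamd@amavisd', CLAMD_AMAVISD_CONF), ('clamd@scan', CLAMD_SCAN_CONF)):
        print(label, check_wiring(MAIN_CF, MASTER_CF, AMAVISD_CONF, conf) or ['OK'])
```

Run it with python3. The socket mismatch is the finding worth looking for first: Amavis keeps running with a wrong path and only logs the connection failure, so mail either crawls through the clamscan fallback or is deferred with a 451 until someone reads the log.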

                       

Alternatively, the following steps do the same Postfix integration with postconf and a fuller master.cf configuration.

Step 2: Integrate Postfix SMTP Server With Amavis

Amavis works as an SMTP proxy. Email is fed to it through SMTP, processed, and fed back to the MTA through a new SMTP connection.

Run the following command, which tells Postfix to turn on content filtering by sending every incoming email message to Amavis, which listens on 127.0.0.1:10024.

sudo postconf -e "content_filter = smtp-amavis:[127.0.0.1]:10024"

The guide also sets the following option. Note that smtpd_proxy_options only applies to a before-queue proxy filter (smtpd_proxy_filter); the content_filter setup above is an after-queue filter, so speed_adjust changes nothing here. It is harmless, so you can keep it for a later before-queue setup or skip it.

sudo postconf -e "smtpd_proxy_options = speed_adjust"

Then edit the master.cf file.

sudo vi /etc/postfix/master.cf

Add the following lines at the end of the file. This tells Postfix to use a dedicated SMTP client service called smtp-amavis to deliver messages to Amavis. Each -o line must start with at least one whitespace character (tab or space): in Postfix configuration files a line that begins with whitespace continues the previous line.

smtp-amavis   unix   -   -   n   -   2   smtp
    -o syslog_name=postfix/amavis
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    -o smtp_tls_security_level=none

Then add the following lines at the end of the file. This tells Postfix to run an additional smtpd daemon listening on 127.0.0.1:10025 to receive email messages back from Amavis.

127.0.0.1:10025   inet   n    -     n     -     -    smtpd
    -o syslog_name=postfix/10025
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Save and close the file. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Step 3: Integrate Amavis with ClamAV

Now that Postfix can pass incoming emails to Amavis, we need to install the ClamAV virus scanner and integrate it with Amavis, so incoming emails can be scanned by ClamAV.

Install ClamAV on CentOS 8/RHEL 8.

sudo dnf install clamav clamav-lib clamav-data clamav-update -y

Two systemd services matter here: clamav-freshclam.service, which keeps the signature database current, and clamd@amavisd.service, the clamd instance Amavis talks to (configured by /etc/clamd.d/amavisd.conf).

First, start the clamav-freshclam.service.

sudo systemctl start clamav-freshclam.service

Enable auto-start at boot time.

sudo systemctl enable clamav-freshclam.service

Check the status.

systemctl status clamav-freshclam

As you can see, it is active (running) and uses 27.8 MB of RAM on my mail server. Then check the journal/log.

sudo journalctl -eu clamav-freshclam

Hint: If the above command doesn’t quit immediately, press the Q key to make it quit.

We can see that freshclam downloaded 3 virus databases. CVD stands for ClamAV Virus Database.

The clamav-freshclam.service will check ClamAV virus database updates once per hour.

Now we can start clamd@amavisd.service.

sudo systemctl start clamd@amavisd.service

Enable auto-start at boot time.

sudo systemctl enable clamd@amavisd.service

Check its status:

systemctl status clamd@amavisd.service

As you can see, it is running. By the way, it uses 1.2G RAM on my mail server. If your mail server doesn’t have enough RAM left, the service will fail.

Open the Amavis configuration file.

sudo vi /etc/amavisd/amavisd.conf

You can find the following line in this file, which enables virus-checking.

# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code

If you uncomment this line, virus-checking will be disabled.

There are many antivirus scanners defined in the @av_scanners section; ClamAV is the default. Amavis calls ClamAV through the /run/clamd.amavisd/clamd.sock Unix socket, which the clamd@amavisd instance creates. clamd@amavisd and Amavis both run as the amavis user, so the socket permissions work without further changes. If you run the generic clamd@scan instance instead (as in the first part of this guide), its socket path and the clamscan user it runs as must be reconciled with this entry, otherwise Amavis cannot reach clamd.

Close the file and restart Amavis.

sudo systemctl restart amavisd

Check the logs.

sudo journalctl -eu amavisd

You can see that Amavis is now using ClamAV to scan viruses.

mail.worldcm.net amavis[1233432]: Using primary internal av scanner code for ClamAV-clamd

 mail.worldcm.net amavis[1233432]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan

Now if you send an email from another mail server such as Gmail to your own mail server and look at the email headers, you will find a line like the one below, which shows that the message passed through Amavis (the exact text comes from $X_HEADER_LINE, which defaults to "$myproduct_name at $mydomain"; Debian builds prefix it with "Debian").

X-Virus-Scanned: amavisd-new at worldcm.net

You should also check the mail log (/var/log/maillog) to find if there are any errors.
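A message from Gmail proves that the header is added, not that an infected attachment is actually stopped. The following Python script is an added example, not code from this guide or the Amavis project: it builds a message carrying the EICAR test file, hands it straight to the Amavis listener on 127.0.0.1:10024 the way Postfix does through content_filter, and then reads the verdict from the amavis line in /var/log/maillog. The addresses, the Message-ID and the two sample log lines are constructed placeholders; the port is a parameter, so once Step 4 below enables 10026 you can point the script there to exercise the ORIGINATING policy instead.

```python
"""Push the EICAR test file through Amavis and read the verdict from the mail log.

Added example (not code from the guide or the Amavis project). Amavis answers 250
even for an infected message (default $final_virus_destiny = D_DISCARD) and writes
the real verdict to /var/log/maillog, so the SMTP reply alone proves nothing;
find_verdict() parses that log line. Addresses, the Message-ID and the sample log
lines below are constructed placeholders.
"""
import re
import smtplib
from email.message import EmailMessage

# The 68-byte EICAR string, split in two so this source file itself is not flagged.
_EICAR_HEAD = 'X5O!P%@AP[4\\PZX54(P^)7CC)7}$'
_EICAR_TAIL = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'


def eicar_bytes():
    return (_EICAR_HEAD + _EICAR_TAIL).encode('ascii')


def build_test_message(sender, rcpt, message_id):
    """Raw RFC 5322 bytes with eicar.com attached (EmailMessage base64-encodes it)."""
    msg = EmailMessage()
    msg['From'] = sender
    msg['To'] = rcpt
    msg['Subject'] = 'Amavis/ClamAV pipeline check'
    msg['Message-ID'] = f'<{message_id}>'        # known value, used to find the log line later
    msg.set_content('If this reaches a mailbox, virus scanning is not working.')
    msg.add_attachment(eicar_bytes(), maintype='application', subtype='octet-stream',
                       filename='eicar.com')
    return msg.as_bytes()


def send_to_amavis(raw, sender, rcpt, host='127.0.0.1', port=10024):
    """Hand the message to Amavis over SMTP, as Postfix's smtp-amavis transport does.

    Returns the reply code: 250 means accepted for scanning (the normal answer for both
    clean and infected mail); a 5xx only appears with $final_virus_destiny = D_REJECT.
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        try:
            smtp.sendmail(sender, [rcpt], raw)
            return 250
        except smtplib.SMTPDataError as exc:
            return exc.smtp_code


# One amavis log line per message: "Passed CLEAN {...}" or "Blocked INFECTED (sig) {...}".
VERDICT_RE = re.compile(
    r'amavis\[\d+\]: \([\d-]+\) (?P<verdict>Passed|Blocked) (?P<status>[A-Z-]+)'
    r'(?: \((?P<signature>[^)]*)\))? \{(?P<action>[^}]*)\}.*? Message-ID: <(?P<message_id>[^>]*)>')


def find_verdict(maillog_text, message_id):
    """Return the verdict fields for message_id, or None if Amavis never logged it."""
    for m in VERDICT_RE.finditer(maillog_text):
        if m.group('message_id') == message_id:
            return m.groupdict()
    return None


# Constructed sample of /var/log/maillog: one clean message, then the EICAR check.
SAMPLE_MAILLOG = """\
Sep 26 00:47:10 mail amavis[1233432]: (1233432-01) Passed CLEAN {RelayedInbound}, [203.0.113.5]:41234 [203.0.113.5] <alice@example.net> -> <bob@example.com>, Message-ID: <a1@example.net>, mail_id: 3kQ2xY7zLq9t, Hits: -0.1, size: 1450, queued_as: 4B2F1C0123, 512 ms
Sep 26 00:47:12 mail amavis[1233432]: (1233432-02) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [127.0.0.1]:52044 [127.0.0.1] <test@example.com> -> <bob@example.com>, quarantine: virus-8pQ1vN3fKc2a, Message-ID: <eicar-check@example.com>, mail_id: 8pQ1vN3fKc2a, Hits: -, size: 1201, 1374 ms
"""

if __name__ == '__main__':
    sender, rcpt, mid = 'test@example.com', 'bob@example.com', 'eicar-check@example.com'
    code = send_to_amavis(build_test_message(sender, rcpt, mid), sender, rcpt)
    print(f'SMTP reply {code}; now check: grep "{mid}" /var/log/maillog')
    print('expected: Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}')
```

Run it on the mail server as any user that can reach 127.0.0.1:10024, then feed the matching maillog line to find_verdict(). A "Passed CLEAN" verdict for this message means Amavis never reached clamd (check the socket path and the amavis lines in the journal); a missing line means the message never got to Amavis at all.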

Step 4: Use A Dedicated Port for Email Submissions

ClamAV can scan both incoming and outgoing emails now. Amavis listens on port 10024 for both incoming and outgoing email messages. However, it’s a good practice to use a different port such as 10026 for email submissions from authenticated users.

Edit the Amavis main configuration file.

sudo vi /etc/amavisd/amavisd.conf

Find the following line.

$inet_socket_port = 10024;   # listen on this local TCP port(s)

Add a # character at the beginning to comment it out.

#$inet_socket_port = 10024;   # listen on this local TCP port(s)

Then find the following line.

# $inet_socket_port = [10024,10026]; # listen on multiple TCP ports

Remove the first # character to uncomment it, so Amavisd will also listen on port 10026.

$inet_socket_port = [10024,10026]; # listen on multiple TCP ports

Scrolling down a little bit, you can find the following line, which sets the “ORIGINATING” policy for port 10026.

$interface_policy{'10026'} = 'ORIGINATING';

Then you can find the following lines, which define the “ORIGINATING” policy.

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users

  originating => 1,  # declare that mail was submitted by our smtp client

  allow_disclaimers => 1,  # enables disclaimer insertion if available

  # notify administrator of locally originating malware

  virus_admin_maps => ["virusalert\@$mydomain"],

  spam_admin_maps  => ["virusalert\@$mydomain"],

  warnbadhsender   => 1,

  # forward to a smtpd service providing DKIM signing service

  forward_method => 'smtp:[127.0.0.1]:10027',

  # force MTA conversion to 7-bit (e.g. before DKIM signing)

  smtpd_discard_ehlo_keywords => ['8BITMIME'],

  bypass_banned_checks_maps => [1],  # allow sending any file names and types

  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option

};

In the above lines, you can see that by default Amavis would forward outgoing email to an SMTPD service providing DKIM signing. Postfix and OpenDKIM will take care of DKIM signing, so we need to comment out the forward_method directive.

# forward_method => 'smtp:[127.0.0.1]:10027',

Save and close the file. Next, we need to tell SELinux to allow Amavis to use port 10026. Install the following package, which provides the semanage command.

sudo dnf install policycoreutils-python-utils -y

Then label TCP port 10026 as amavisd_recv_port_t so Amavis is allowed to bind it (the policy only pre-defines 10024 as amavisd_recv_port_t and 10025 as amavisd_send_port_t). If semanage replies that port tcp/10026 is not defined, use -a (add) instead of -m (modify).

sudo semanage port -m -t amavisd_recv_port_t -p tcp 10026

Check port 10026.

sudo semanage port -l | grep 10026

We can see that port 10026 can also be used by Amavisd.

Restart Amavis

sudo systemctl restart amavisd

Check its status to see if the restart is successful.

systemctl status amavisd

-----------