How to Protect Mail Boxes against Spam and Viruses

Secure a Plesk Hosted Email Account using SpamAssassin, ClamAV and Amavis

So, you’re the proud owner of a Plesk-hosted email server. Everything is nice and peachy until you receive the first SPAM (and that will not take long, we’re certain about that). What do you do? Start securing it, of course. In addition to ready-made solutions such as the Plesk Email Security, there is also the possibility of manual setup. Let us show you how.

We’ll look at one of the most common cases: mail hosted on Ubuntu with Postfix enabled (the default setup). The combination proposed in this article pairs an anti-spam solution (SpamAssassin) with an antivirus (ClamAV), tied together by Amavis, which also acts as the content filter.

Let’s get to work.

First of all, install all three, along with some useful extras:

sudo apt-get install amavisd-new spamassassin clamav-daemon

Optional packages for better spam detection:

sudo apt-get install libnet-dns-perl libmail-spf-perl pyzor razor

And these packages enable better scanning of attached archive files:

sudo apt-get install arj bzip2 cabextract cpio file gzip lha nomarch pax rar unrar unzip unzoo zip zoo

Step One: Configure SpamAssassin

Apache SpamAssassin provides sysadmins with the most used filter to classify email and block unsolicited bulk email (also known as … spam). For this purpose, it uses a scoring framework and plug-ins to integrate a wide set of heuristic and statistical analysis tests on email headers and body text.

Amavis acts as its own SpamAssassin daemon (it uses the SpamAssassin libraries), so configuring or starting SpamAssassin separately is not necessary. You can increase SpamAssassin’s detection rate by enabling razor and pyzor. That is beyond the scope of this blog post, so let’s continue to…

Step Two: Configure ClamAV

ClamAV® is the open-source standard for mail gateway scanning software. It includes a multi-threaded scanner daemon, command-line utilities for on-demand file scanning, as well as automatic signature updates. Its versatility translates into support for multiple file formats, file and archive unpacking, as well as multiple signature languages.

In the majority of cases, the default behavior of ClamAV will cover all antivirus needs – a daemon (clamd) process is launched and signatures are fetched daily. Advanced ClamAV configuration options are available via the configuration files in /etc/clamav.

In order for ClamAV to have access to scan files, simply add the clamav user to the amavis group and the other way around, as follows:

sudo adduser clamav amavis
sudo adduser amavis clamav

Virus scanning generally consumes a lot of memory, which can become a concern on small cloud instances, VPSes or routers. Make sure at least 4 GB of RAM is available on the server.

We need an interface between Postfix and our anti-spam and anti-virus tools. For this purpose, we will use amavisd-new. Amavis is an interface, written in Perl, between the mailer (MTA) and content checkers, and it works well with Postfix.

Step Three: Configure Amavis

First of all, edit the configuration file in /etc/amavis/ to activate spam and antivirus detection:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#

@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#

@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1; # insure a defined return

Restart Amavis to apply the new configuration:

sudo /etc/init.d/amavis restart

Then, have a look at…

Step Four: Postfix Integration

In the Postfix configuration file /etc/postfix/main.cf, add the content_filter configuration variable. This instructs Postfix to pass messages to Amavis at a given IP address and port:

content_filter = smtp-amavis:[127.0.0.1]:10024

Run the following postconf command as root (hence the sudo prefix). It adds the content_filter line above to main.cf:

sudo postconf -e "content_filter = smtp-amavis:[127.0.0.1]:10024"

Alternatively, edit main.cf manually to add the content_filter line.

Then, edit /etc/postfix/master.cf to add the following to the end of the file:

smtp-amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

To prevent messages generated by spam reporting from being classified as spam themselves, add the following two lines directly below the “pickup” transport service:

  -o content_filter=
  -o receive_override_options=no_header_body_checks

Almost there. Reload Postfix to enable content filtering with spam and virus detection:

sudo /etc/init.d/postfix reload
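
The 127.0.0.1:10025 listener accepts mail without content filtering, so its binding and restrictions are worth checking after every edit to master.cf. The lint below is an added example, not part of the original tutorial or of Postfix; the function names are made up here, and it assumes options written as -o name=value.

```shell
# Added example: lint the Amavis services that Step Four adds to master.cf.
# Assumes options are written "-o name=value" with no spaces around "=".

# Join continuation lines (leading whitespace) into one logical line each.
logical_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# True if logical line $1 carries exactly the option $2.
has_opt() { case " $1 " in *" -o $2 "*) return 0 ;; *) return 1 ;; esac; }

# Print one finding per line; no output means the file passed.
lint_amavis_master_cf() {
    lines=$(logical_lines "$1")
    printf '%s\n' "$lines" | awk '$1=="smtp-amavis" && $2=="unix" && $8=="smtp"' |
        grep -q . || echo "no smtp-amavis transport"
    back=$(printf '%s\n' "$lines" | awk '$2=="inet" && $8=="smtpd" &&
        ($1=="10025" || $1 ~ /:10025$/)' | head -n 1)
    [ -n "$back" ] || { echo "no re-injection listener on port 10025"; return 0; }
    case "$back" in
        "127.0.0.1:10025 "*) ;;
        *) echo "re-injection listener not bound to 127.0.0.1" ;;
    esac
    has_opt "$back" "content_filter=" ||
        echo "content_filter not cleared on re-injection (mail loop)"
    has_opt "$back" "mynetworks=127.0.0.0/8" ||
        echo "mynetworks not limited to 127.0.0.0/8"
    has_opt "$back" "smtpd_recipient_restrictions=permit_mynetworks,reject" ||
        echo "recipient restrictions do not reject non-local clients"
}

# Constructed sample: listener on all interfaces, content_filter not cleared.
demo_lint() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
smtp-amavis unix - - - - 2 smtp
10025 inet n - - - - smtpd
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
EOF
    lint_amavis_master_cf "$f"
    rm -f "$f"
}
demo_lint
```

To check the live file, call lint_amavis_master_cf /etc/postfix/master.cf; no output means all checks passed.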

Before We Say “Ready!”, Let’s Check Our Setup

The simplest way is the empirical method: send a regular email from another email address and check whether it gets delivered. You can also look at the server’s mail log for possible issues.

The default location of mail logs depends on your Linux/Unix system, but the most common locations are:

/var/log/maillog
/var/log/mail.log
/var/adm/maillog
/var/adm/syslog/mail.log

If it’s not there, look in /etc/syslog.conf for a line such as mail.* -/var/log/maillog

Once you’ve found the right path to the mail logs on your system, use the following command to see the latest entries in the file (replace the path with your log file path):

tail -f /var/log/maillog

sendmail writes logs to the mail facility of syslog. Therefore, which file it gets written to depends on how syslog was configured.

If your system uses syslog-ng (instead of the more “traditional” syslog), then you’ll have to look up your syslog-ng.conf file. You should find something like this:

# This files are the log come from the mail subsystem.
#
destination mail { file("/var/log/mail.log"); };
destination maillog { file("/var/log/maillog"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

Last but not least, test the spam protection by using the following GTUBE anti-spam test string. Simply send an email to your mail address with the string below in the content body.

Here is the GTUBE string (simply copy & paste it):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

If you’ve done everything right, the email will be classified as spam!

If you want to test the anti-virus functionality, then you should use the EICAR malware test file as an attachment. Get the test file from the official project page.
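
To confirm both tests from the mail log rather than from the inbox, the verdict lines Amavis writes can be tallied. This is an added example, not from the original tutorial; the log lines are constructed, and the verdict wording (Passed CLEAN, Blocked SPAM, Blocked INFECTED) is assumed to match your amavisd-new version.

```shell
# Added example: tally Amavis verdicts in a mail log after sending the tests.
# Assumes amavisd-new's usual wording: "Passed CLEAN", "Blocked SPAM",
# "Blocked INFECTED (<signature>)"; compare with a real line from your log.

# Print "<count> <action> <category>" for each kind of verdict in file $1.
amavis_verdicts() {
    awk '
        $0 !~ /amavis\[[0-9]+\]:/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "Passed" || $i == "Blocked") {
                    cat = $(i + 1)
                    sub(/[,{(].*$/, "", cat)   # older logs: "CLEAN,"
                    n[$i " " cat]++
                    break
                }
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k2
}

# Succeed only if both the GTUBE and the EICAR message were blocked.
tests_caught() {
    v=$(amavis_verdicts "$1")
    printf '%s\n' "$v" | grep -q ' Blocked SPAM$' &&
        printf '%s\n' "$v" | grep -q ' Blocked INFECTED$'
}

# Constructed log lines (hosts, addresses and IDs are made up).
demo_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
Mar  3 10:15:42 mail amavis[2311]: (02311-01) Passed CLEAN {RelayedInbound}, [198.51.100.7]:41234 <alice@example.org> -> <bob@example.com>, Hits: -0.1
Mar  3 10:16:05 mail amavis[2311]: (02311-02) Blocked SPAM {DiscardedInbound,Quarantined}, [198.51.100.7]:41240 <alice@example.org> -> <bob@example.com>, Hits: 1000.9
Mar  3 10:17:31 mail amavis[2312]: (02312-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [198.51.100.7]:41251 <alice@example.org> -> <bob@example.com>
Mar  3 10:17:40 mail postfix/smtp[2400]: 5B2C3D4E: to=<bob@example.com>, status=sent
EOF
    amavis_verdicts "$log"
    tests_caught "$log" && echo "both test messages were blocked"
    rm -f "$log"
}
demo_log
```

A "Passed" verdict for either test message means the corresponding check is still bypassed in the Amavis configuration from Step Three.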

And… Ready.

This tutorial will help you enable basic protection for your emails. For advanced features and an optimized configuration out of the box, try the Plesk Email Security extension.

Try This Professional Alternative

Plesk Email Security is a professional solution for server admins to protect user mailboxes from ever-increasing cyber threats and deflect damage to their business. Mailboxes can be secured with zero effort – no manual configuration or CLI adjustments for open-source tools.

No need to mess with the command line – simply let the extension do the job for you. Besides the proper installation and configuration of all associated components, the extension provides an easy-to-use graphical user interface directly within Plesk. You can modify server-wide and individual anti-spam settings with one click (like, for example, changing the spam score or updating white/blacklists).

A unique feature is the Email Configuration Checker. Plesk Email Security will analyse the server and make recommendations for a good email experience. The test covers DNS records, rDNS, DNSBL, local DNS caching and more.

With Plesk Email Security you’ll add professional features for a competitive price. This includes a full antivirus solution with graphical quarantine management, daily updates of virus and spam signatures, detailed statistics overview about the mail traffic, just to name a few features.

Another highlight is the automatic learning process from actions within the email clients. The spam filters improve over time when spam is marked as spam and ham as ham. Thus, the filter gets better at classifying spam and recognizing individual preferences.


About

Elvis Plesky
Our fun and curious team mascot's always plugged into the latest trends. He's here to share his knowledge and help you solve your tech problems.
    Showing 13 comments
    • Michael

      Hello

      I have Plesk Obsidian on Ubuntu 18.04.
      Spamassassin is already installed via Plesk.
      We have Plesk Antivirus licensed.
      All out-of-the-Plesk-box.

      What is the advantage of installing Amavis on top of that setup?
      Do they interact well, e.g. regarding the personal spam settings?

      Thanks
      Michael

      • Laura from Plesk

        Hi Michael!
        If you use the built-in SpamAssassin component, you don’t have to install Amavis because Plesk adds the needed mechanisms automatically.

        We’re planning to switch entirely to the Email Security extension and remove the built-in component in the future, but we’re expecting more feedback from our users.

        Thank you!

    • Ugur

      Good job 🙂 Please add for centos

      • Laura from Plesk

        Hello! Thanks for your suggestion. Have you tried using one of our feedback channels? Find out how to share your ideas with us here. Our technical team will listen.

    • Saviour

      Hello!

      Thanks for the education. I got to step 4 where I had to restart Amavis but had an error that says command not found.

      • Laura from Plesk

        Hi Saviour! We’re sorry about that. There was an error in the syntax on step four. Please try again and note that two pieces of indentation are required before -o. Hope this works!

    • Antonio Andina

      Please add for centos
      Thank you

    • Ro

      CentOS Linux release 7.8 fails at the first command “No package clamav-daemon available”

      • Laura from Plesk

        Hi Ro! Plesk Email Security extension automatically configures everything on the server. However, this tutorial is for Ubuntu, not CentOS.

    • koray

      I have no configuration file in step 3… there is no folder present /etc/amavisd/
      if I check `sudo service amavis status`
      the service is in fact running…

      • Laura from Plesk

        Hi Koray! We’re sorry about that. There was an error in the syntax. Please, try again with the following path: /etc/amavis/. Thanks for the heads-up!

    • Webhosting

      Is the Plesk eMail Security only for the admin? The Enduser can’t see any blocked mails or set rules for antispam. I can’t see what’s the benefit of this extension.
