Secure a Plesk Hosted Email Account using SpamAssassin, ClamAV and Amavis

So, you’re the proud owner of a Plesk-hosted email server. Everything is nice and peachy until you receive the first SPAM (and that will not take long, we’re certain about that). What do you do? Start securing it, of course. In addition to ready-made solutions such as the Plesk Email Security, there is also the possibility of manual setup. Let us show you how.

We’ll look at one of the most frequent cases of mail hosted on Ubuntu, with PostFix activated (default constellation). The here-proposed combination in this article relies on an anti-spam solution (SpamAssassin) – antivirus (ClamAV), synced via Amavis which also acts as a content filter.

Let’s get to work.

First of all, let’s begin with installing all three, with useful appendices:

sudo apt-get install amavisd-new spamassassin clamav-daemon

optional packages for better spam detection:

sudo apt-get install libnet-dns-perl libmail-spf-perl pyzor razor

and these packages to enable better scanning of any attached archive files:

sudo apt-get install arj bzip2 cabextract cpio file gzip lha nomarch pax rar unrar unzip unzoo zip zoo

Step One: Configure SpamAssassin

Apache SpamAssassin provides sysadmins with the most used filter to classify email and block unsolicited bulk email (also known as … spam). For this purpose, it uses a scoring framework and plug-ins to integrate a wide set of heuristic and statistical analysis tests on email headers and body text.

Amavis is its own spamassassin-daemon (using the SpamAssassin libraries), so configuring or starting SpamAssassin is not necessary. You can increase the spam detection rate with SpamAssassin by enabling razor and pyzor. This does not make the object of this blog post, so, let’s continue to…

Step Two: Configure ClamAV

ClamAV® is the open-source standard for mail gateway scanning software. It includes a multi-threaded scanner daemon, command-line utilities for on-demand file scanning, as well as automatic signature updates. Its versatility translates into support for multiple file formats, file and archive unpacking, as well as multiple signature languages.

In the majority of cases, the default behavior of ClamAV will cover all antivirus needs – a daemon (clamd) process is launched and signatures are fetched daily. Advanced ClamAV configuration options are available via the configuration files in /etc/clamav.

In order for ClamAV to have access to scan files, simply add the clamav user to the amavis group and the other way around, as follows:

sudo adduser clamav amavis
sudo adduser amavis clamav

In general, virus scanning results in a rather high memory consumption. It’s worth noting that especially when run on small cloud instances, VPS or routers, memory consumption-related concerns may arise. Mind that you should have at least 4GB RAM memory available on the server.

We need an interface between Postfix and our anti-spam and anti-virus tools. For this purpose, we will use amavisd-new. Amavis is a Perl-written interface between mailer (MTA) and content checkers, optimal for Postfix.

Step Three: Configure Amavis

First of all, edit the configuration file in /etc/amavis/ to activate spam and antivirus detection:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#

@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#

@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1; # insure a defined return

Newly configured Amavis must be restarted:

sudo /etc/init.d/amavis restart

Then, have a look at…

Step Four: Postfix Integration

In the Postfix configuration file /etc/postfix/main.cf, add the content_filter configuration variable. This instructs Postfix to pass messages to Amavis at a given IP address and port:

content_filter = smtp-amavis:[127.0.0.1]:10024

Run the following postconf command as root. Because of the preceding sudo command, this adds the content_filter specification line above to main.cf:

sudo postconf -e "content_filter = smtp-amavis:[127.0.0.1]:10024"

You can also choose to manually edit main.cf yourself to add the content_filter line.

Then, edit /etc/postfix/master.cf to add the following to the end of the file:

smtp-amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

To prevent spam-reporting generated messages from being classified as spam, add the following two lines directly below the “pickup” transport service:

  -o content_filter=
  -o receive_override_options=no_header_body_checks

Almost there. Reload Postfix to enable content filtering with spam and virus detection:

sudo /etc/init.d/postfix reload

Before We Say “Ready!”, Let’s Check Our Setup

The simplest way to do it is the empirical method: send regular emails from another email address and observe if it gets delivered. One can also have a look at the server mail log for possible issues.

The default location of mail logs depends on your linux/unix system, but the most common locations are:

/var/log/maillog
/var/log/mail.log
/var/adm/maillog
/var/adm/syslog/mail.log

If it’s not there, look in /etc/syslog.conf, try to find mail.* -/var/log/maillog

Once you’ve found the right path to the mail logs on your system, use the following command to see the latest entry in the file:

tail -f /var/log/maillog (replace path with your log file path)"

sendmail writes logs to the mail facility of syslog. Therefore, which file it gets written to depends on how syslog was configured.

If your system uses syslog-ng (instead of the more “traditional” syslog), then you’ll have to look up your syslog-ng.conf file. You should find something like this:

# This files are the log come from the mail subsystem. # destination mail { file("/var/log/mail.log"); }; destination maillog { file("/var/log/maillog"); }; destination mailinfo { file("/var/log/mail.info"); }; destination mailwarn { file("/var/log/mail.warn"); }; destination mailerr { file("/var/log/mail.err"); };

Last but not least, test the spam protection by using the following GTUBE anti-spam test string. Simply send an email to your mail address with the string below in the content body.

Here is the GTUBE string (simply copy & paste it):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

If you’ve done everything right, the email will be classified as spam!

If you want to test the anti-virus functionality, then you should use the EICAR malware test file as an attachment. Get the test file from the official project page.

And… Ready.

This tutorial will help you enable basic protection for your emails. For advanced features and an optimized configuration out of the box, try the Plesk Email Security extension.

Try This Professional Alternative

Plesk email security is a professional solution for server admins to protect user mailboxes from ever-increasing cyber threats and deflecting damage to their business. Mailboxes can be secured with zero effort – no manual configuration or CLI adjustments for open-source tools.

No need to mess with the command line – simply let the extension do the job for you. Besides the proper installation and configuration of all associated components, the extension provides an easy to use graphical user-interface directly within Plesk. You can modify server-wide and individual anti-spam settings with one click (like, for example, changing the spam score or updating white/blacklists).