Home Lab

Notes from my learning sessions

Adding ClamAV Anti-virus checks to existing Postfix, Amavis+SpamAssassin configuration

Posted on January 30, 2020 | November 7, 2021 by sandeep

I had an existing Postfix configuration up and running. Notes for bringing it up are available at https://www.sandeeprao.net/configuring-secure-mail-server-using-postfix-with-dovecot-spamassasin-postgrey-and-opendkim/

As I could add more vCPU and RAM to the VM, I thought of adding an anti-virus check on receipt of mail. As I had already configured amavis + spamassassin, it was pretty straightforward: install the required clamav packages along with the packages needed to handle compressed/packaged files.

apt install -y clamav clamav-daemon arj cabextract cpio lzop p7zip unrar-free rpm

The amavis configuration needs to be amended to perform antivirus checks. Either uncomment the commented-out configuration in /etc/amavis/conf.d/15-content_filter_mode (which I did not do) or add

@bypass_virus_checks_maps = (
    \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

to /etc/amavis/conf.d/50-user, which I did. After adding it, the contents were

use strict;
$smtp_connection_cache_on_demand = 0;
$smtp_connection_cache_enable = 0;
$max_servers  =  4;

@bypass_virus_checks_maps = (
    \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
    \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$remove_existing_spam_headers  = 1;
$sa_spam_report_header = 1;
$sa_tag_level_deflt  = 2.9;
$sa_tag2_level_deflt = 2.9;
$sa_kill_level_deflt = 5.0;
$sa_dsn_cutoff_level = 2.9;
# D_BOUNCE: do not deliver, send a non-delivery notice to the sender.
# D_PASS: deliver to the recipient.
$final_virus_destiny      = D_BOUNCE;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_BOUNCE;

$undecipherable_subject_tag = undef;
@lookup_sql_dsn = (
  ['DBI:mysql:database=postfix;host=127.0.0.1;port=3306',
   'postfix',
   'postfix']);
$sql_select_policy = 'SELECT domain FROM domains WHERE CONCAT("@",domain) IN (%k)';
1;

To avoid permission issues at runtime, cross-add the users to each other's groups

usermod -a -G clamav amavis
usermod -a -G amavis clamav

Updated the amavis configuration in /etc/postfix/master.cf as follows

amavis           unix    -       -       n       -       4       smtp
   -o smtp_send_xforward_command=yes
   -o smtp_tls_security_level=none
   -o smtp_data_done_timeout=1200
   -o disable_dns_lookups=yes
   -o max_use=20

Also updated the pickup configuration in /etc/postfix/master.cf as follows (added two lines)

pickup    fifo  n       -       -       60      1       pickup
         -o content_filter=
         -o receive_override_options=no_header_body_checks

Finally restarted the services

systemctl restart amavis
systemctl restart postfix

To verify that filtering works, send a mail with an EICAR (virus test pattern) attachment. The simplest way I found was to have a test mail sent from http://www.aleph-tec.com/eicar/index.php

Yet another option is at https://docs.libraesva.com/email-security-tester/

Note: Logging of detected viruses, bounces, etc. is not enabled, so check your mail headers to verify that it works. The necessary headers will be added.
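For the header check mentioned in the note, here is an added example (not part of the original post) that reads a delivered message's headers and reports whether amavis stamped it. The header wording follows Debian's amavisd-new defaults, and the example.com domain, the sample messages and the scan_status name are assumptions made for illustration. With $final_virus_destiny = D_BOUNCE an infected mail is not delivered at all, so the X-Amavis-Alert case applies only if viruses are passed through.

```python
from email import message_from_string

# Constructed sample headers; host names and header wording are assumptions
# modelled on a Debian amavisd-new install, not output captured from the post.
CLEAN = (
    "Return-Path: <sender@example.org>\n"
    "X-Virus-Scanned: Debian amavisd-new at example.com\n"
    "Received: from mail.example.com ([127.0.0.1])\n"
    "\tby localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024)\n"
    "\twith ESMTP id abc123 for <user@example.com>\n"
    "Subject: scanner check\n\nbody\n"
)
# A sender can add the header themselves, so a foreign domain must not count.
SPOOFED = (
    "X-Virus-Scanned: amavisd-new at other.example\n"
    "Subject: looks scanned\n\nbody\n"
)
# What a passed-through detection looks like (virus destiny set to D_PASS).
FLAGGED = (
    "X-Virus-Scanned: Debian amavisd-new at example.com\n"
    "X-Amavis-Alert: INFECTED, message contains virus: Eicar-Test-Signature\n"
    "Subject: test\n\nbody\n"
)


def scan_status(raw_message, my_domain):
    """Summarise the amavis evidence in a delivered message's headers."""
    msg = message_from_string(raw_message)
    suffix = " at " + my_domain.lower()
    # Only trust X-Virus-Scanned lines stamped with our own domain.
    stamps = [v for v in msg.get_all("X-Virus-Scanned", [])
              if " ".join(v.split()).lower().endswith(suffix)]
    # amavis also leaves a Received hop naming itself; unfold before matching.
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    alerts = [" ".join(v.split()) for v in msg.get_all("X-Amavis-Alert", [])]
    return {
        "scanned": bool(stamps),
        "amavis_hop": any("amavisd-new" in h for h in hops),
        "infected": any(a.upper().startswith("INFECTED") for a in alerts),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("spoofed", SPOOFED), ("flagged", FLAGGED)):
        print(name, scan_status(raw, "example.com"))
```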
