Mailman + postfix + amavisd-new HOWTO
by Fil <fil AT rezo.net>
8/04/2004 - This is a first draft. Comments are welcome. This file is released under the GNU Free Documentation License (FDL, see below).
INTRODUCTION: Installing the antispam/antivirus amavisd-new on a mailing-list server poses a serious performance issue: when the server sends out thousands of emails to the mailing-list subscribers, some of these subscribers return bounce messages, which can number in the hundreds and might clog the antivirus daemon if you're not careful.
Here's how we do it on http://listes.rezo.net/
- Before all, make sure you run postfix v2.x, otherwise the FILTER feature will not be here. Configure postfix so that it accepts scanned messages from amavisd-new on localhost:10025
Add to /etc/postfix/master.cf the following lines:
    localhost:10025 inet n - n - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
- Configure amavisd-new the usual way, so that it accepts incoming mail on localhost:10024 (or any other port you choose) and sends it back into the mail queue via localhost:10025; this is very standard, but I guess the settings are as follows, in /etc/amavis/amavis.log:
    $inet_socket_port = 10024;
    @inet_acl = qw( 127.0.0.1 );
    $max_servers = 2;  # two servers max at the same time
- Define a smtp-amavis service on postfix, so that it can be invoked later:
Add to /etc/postfix/master.cf:
smtp-amavis unix - - n - 2 lmtp -o smtp_data_done_timeout=1200
Note here that the maximum number of processes running in parallel (2) is the same as in the amavisd-new configuration. You can increase both a bit if you experience delays in delivery because of amavis, but that's out of the scope of this HOWTO. 2 is fine for us, with a daily average of 10 emails to check per minute (and a powerful computer).
Test your filter by sending messages locally through SMTP:10024
Configure postfix to send all emails through the filter EXCEPT those messages that are only addressed to a list-bounces address:
Create the address regexp in /etc/postfix/amavis_check (do 'man regexp_table' to get more information):
!/-bounces@(my\.domain\.tld|other\.domain\.net)$/i FILTER smtp-amavis:[127.0.0.1]:10024
Modify /etc/postfix/main.cf to have the check_recipient_access use this regexp table:
    smtpd_recipient_restrictions =
        permit_mynetworks
        check_client_access hash:$config_directory/access
        reject_unauth_destination
        check_recipient_access regexp:$config_directory/amavis_check
        # other UCE checks here
You're done. Check your log files and enjoy an almost spam- and virus-free server.
Now you can focus on the viruses and politics that kill people in the real world, and read "Global Aids: Myths and Facts" by Alec Irwin and Joyce Millen, published by South End Press.
REFERENCES:
Amavisd-new: http://www.amavis.org/
Mailman: http://www.list.org/
postfix: http://www.postfix.org/
Copyright (c) 2004 PHILIPPE RIVIERE.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts.
This'd be a great thing to have linked in the FAQ (as well as our documentation pages?). Would you be interested in doing this? You can add it yourself (the url is http://www.python.org/cgi-bin/faqw-mm.py and the password is Mailman) or, if you don't have time, I can add it (or a link to it) for you.
Thanks for taking the time to put all this info in a nice compact form.
Terri
Thanks. I've put it in section 6 (integration issues).
There are still some things to check: for example, if you look carefully at the regexp I use, it is too simple, as you can send viruses and spam to the address troll@domain.tld by abusing the + delimiter, such as in: troll+-bounces@domain.tld
And I still have no clue if the number of amavis processes is right. Today I sent out 40000 emails, and the pipe was clogged for about 15 minutes. Will try next month with a bit more :-)
If I understand correctly, this FAQ is editable by anyone? So feel free to update and annotate the file, but in that case please email me.
-- Fil
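The weakness noted in the last message can be checked offline before touching amavis_check. This is an added example, not part of the original thread or the HOWTO: it models the negated regexp-table rule in Python and compares the HOWTO's pattern with a tightened one. The tightened pattern, the sample recipients and the function names are assumptions, as is the use of "+" as Postfix's recipient_delimiter; Python's re stands in for Postfix's regexp matching.

```python
import re

# Domains as written in the HOWTO's /etc/postfix/amavis_check example.
DOMAINS = r"(my\.domain\.tld|other\.domain\.net)"

# The HOWTO's exemption: any recipient ending in -bounces@<domain>.
ORIGINAL = re.compile(r"-bounces@" + DOMAINS + r"$", re.I)

# Assumed tightening (not from the HOWTO): anchor at the start and allow only
# local-part characters that exclude the "+" delimiter. As a table line:
# !/^[a-z0-9._-]+-bounces@(my\.domain\.tld|other\.domain\.net)$/i FILTER smtp-amavis:[127.0.0.1]:10024
HARDENED = re.compile(r"^[a-z0-9._-]+-bounces@" + DOMAINS + r"$", re.I)


def triggers_filter(rcpt, exempt):
    """Model '!/pattern/ FILTER ...': FILTER fires when the pattern does NOT match."""
    return exempt.search(rcpt) is None


def message_is_scanned(recipients, exempt):
    """A message is exempt only if every recipient is a bounce address."""
    return any(triggers_filter(r, exempt) for r in recipients)


# Constructed sample messages (lists of envelope recipients), for illustration only.
SAMPLES = [
    ["mylist-bounces@my.domain.tld"],
    ["troll@my.domain.tld"],
    ["troll+-bounces@my.domain.tld"],
    ["mylist-bounces@my.domain.tld", "troll@my.domain.tld"],
]


def report():
    """Return (recipients, scanned_by_original, scanned_by_hardened) per sample."""
    return [(", ".join(m), message_is_scanned(m, ORIGINAL),
             message_is_scanned(m, HARDENED)) for m in SAMPLES]


if __name__ == "__main__":
    for rcpts, orig, hard in report():
        print(f"{rcpts:55} original={'scan' if orig else 'SKIP'} "
              f"hardened={'scan' if hard else 'SKIP'}")
```

Only the plus-delimited recipient changes outcome between the two patterns; genuine list-bounces addresses stay exempt from scanning under both.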