
Amavis Install for Postfix on Debian 12 Ubuntu 22.04

In this tutorial you will learn how to install Amavis with Postfix on Debian 12 and Ubuntu 22.04.

AMaViS stands for A MAil Virus Scanner and is a server-side virus scanner that is used on Unix/Linux mail servers like Postfix. The function has now been expanded to include a spam filter.

Install Amavis Postfix ClamAV SpamAssassin

First of all, elevate to root with ‘su -‘ or ‘sudo su -‘ and install amavisd-new with Postfix and the additional packages on Debian 12 or Ubuntu 22.04.

$ apt -y update
$ apt -y install clamav-daemon amavisd-new spamassassin postfix

Get Amavis ready

Next, enable virus checking and spam checking by uncommenting the following lines.

$ vi /etc/amavis/conf.d/15-content_filter_mode

# uncomment to enable virus scanning
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

# uncomment to enable spam checking
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

Add your own domain name to the mailname for amavis configuration.

$ echo 'example.tld' > /etc/mailname

Get Postfix ready

Now add the smtp amavis content filter to postfix main configuration.

$ vi /etc/postfix/main.cf
# add to the end
content_filter=smtp-amavis:[127.0.0.1]:10024

Add the amavis content filter to postfix master configuration.

$ vi /etc/postfix/master.cf

# add to the end
smtp-amavis unix  -    -    n    -    2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet  n    -    n    -    - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000

Add service users to group clamav and amavis.

$ usermod -a -G clamav amavis
$ usermod -a -G amavis clamav

Restart clamav-daemon, amavis, spamd and postfix to apply the changes.

$ systemctl restart clamav-daemon spamd amavis postfix

You have now installed Amavis with Postfix and SpamAssassin on Debian or Ubuntu and there is nothing else to do. It is worth checking the settings to tweak spam thresholds.

Amavis and Postfix install tweak on Debian

Check out the configuration files that are installed, along with documentation and example files, when Amavis is installed on Debian or Ubuntu.

$ ls -Al /etc/amavis/conf.d
-rw-r--r-- 1 root root  1610 Feb 23  2023 01-debian
-rw-r--r-- 1 root root   927 Jan 16 21:52 05-domain_id
-rw-r--r-- 1 root root   429 Feb 23  2023 05-node_id
-rw-r--r-- 1 root root 20791 Feb 23  2023 15-av_scanners
-rw-r--r-- 1 root root   713 Jan 17 15:13 15-content_filter_mode
-rw-r--r-- 1 root root  9542 Jan 18 15:11 20-debian_defaults
-rw-r--r-- 1 root root   573 Feb 23  2023 25-amavis_helpers
-rw-r--r-- 1 root root  2130 Feb 23  2023 30-template_localization
-rw-r--r-- 1 root root  1076 Jan 18 15:07 50-user

Note: If you’re not familiar with Vim, use your favorite editor, such as Nano.

Set headers X-Spam-Flag X-Spam-Status

$sa_tag_level_deflt is the level at which Amavisd-new will write spam info headers such as X-Spam-Flag, X-Spam-Score and X-Spam-Status. If you would always like header info to be written to all messages, set this value to -999.

$ vi /etc/amavis/conf.d/50-user

$sa_tag_level_deflt  = -999;

Place your configuration directives in this file. It is worth knowing them, as this is the most convenient place to tweak spam thresholds. The Amavis settings must be reloaded after each adjustment.

$ amavisd reload

How do Amavis and Postfix work?

Let’s check whether the Amavis and Postfix services are up and running.

$ systemctl status clamav-daemon spamd amavis postfix

Amavisd listens on localhost port 10024, Postfix (master) listens on port 10025, and spamd (perl) listens on port 783.

$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8899          0.0.0.0:*               LISTEN      2895/opendkim
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      6227/perl
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4208/master
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      7250/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      4208/master
tcp6       0      0 ::1:783                 :::*                    LISTEN      6227/perl
tcp6       0      0 ::1:10024               :::*                    LISTEN      7250/amavisd (maste
udp        0      0 0.0.0.0:49041           0.0.0.0:*                           7268/amavisd (ch1-a
udp        0      0 0.0.0.0:34142           0.0.0.0:*                           7269/amavisd (ch1-a
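
An added example, not part of the original tutorial: the 10025 re-injection listener configured above clears content_filter and the smtpd restrictions, so it, amavisd on 10024 and spamd on 783 should only ever be bound to loopback. The function and sample names are chosen for this example, and the sample netstat lines are constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Flags Amavis/Postfix filter ports (10024, 10025, 783, as used on this page)
# that listen on anything other than a loopback address.

# Reads `netstat -tln`-style lines on stdin; prints "EXPOSED <addr:port>" for
# each offending listener and returns 1 if at least one was found.
check_filter_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            laddr = $4
            port = laddr; sub(/.*:/, "", port)          # text after last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (port !~ /^(10024|10025|783)$/) next     # not a filter port
            if (addr ~ /^127\./ || addr == "::1") next  # loopback is fine
            print "EXPOSED " laddr
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the loopback-only layout shown in the tutorial output.
sample_ok() {
cat <<'EOF'
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      6227/perl
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4208/master
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      7250/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      4208/master
tcp6       0      0 ::1:10024               :::*                    LISTEN      7250/amavisd (maste
EOF
}

# Constructed sample: master.cf entry written as "10025 inet ..." without the
# 127.0.0.1: prefix, so the re-injection smtpd binds to every interface.
sample_exposed() {
cat <<'EOF'
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4208/master
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      7250/amavisd (maste
tcp        0      0 0.0.0.0:10025           0.0.0.0:*               LISTEN      4208/master
EOF
}

sample_ok | check_filter_listeners && echo "ok: filter ports are loopback-only"
sample_exposed | check_filter_listeners || echo "fix the bind address in master.cf"
```

On a live host, pipe the real listing into the function: netstat -tln | check_filter_listeners.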

Now test that the amavisd service is listening on localhost:10024 using telnet.

$ telnet localhost 10024
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 [::1] ESMTP amavis service ready
ehlo localhost
250-[::1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250-DSN
250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE
quit
221 2.0.0 [::1] amavis closing transmission channel
Connection closed by foreign host.

If everything is working then you should see a successful connection similar to above.

Next, test that the Postfix smtpd is listening on 127.0.0.1:10025.

$ telnet 127.0.0.1 10025
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.example.tld ESMTP Postfix (Debian/GNU)
ehlo localhost
250-mail.example.tld
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
quit
221 2.0.0 Bye
Connection closed by foreign host.

Again we should see a successful connection as shown above.

Now it’s time to send an email, preferably to yourself.

$ echo "Subject: hello" | sendmail myself@example.tld

This action can be tracked in mail.log, where you should see Passed CLEAN.

2024-01-17T16:00:57.552234+01:00 mail amavis[7269]: (07269-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] <root@mail.example.tld> -> <myself@example.tld>, Message-ID: <20240117150056.7C599807BB@mail.example.tld>, mail_id: auFXC0ferXjU, Hits: 2.106, size: 674, queued_as: 7493F807B5, dkim_sd=example.tld:example.tld, 943 ms

Now we can test that everything is working by sending special test strings through the scanners. To do this, download the test messages and run the following command to extract the sample messages.

$ perl -pe 's/./chr(ord($&)^255)/sge' <sample.tar.gz.compl | zcat | tar xvf -

Use these two commands to send a sample spam and virus message.

$ sendmail -i myself@example.tld < sample-spam-GTUBE-junk.txt
$ sendmail -i myself@example.tld < sample-virus-simple.txt

Please replace “myself@example.tld” with your actual address. Check your /var/log/mail.log for the scan result from amavis and you should see something like “Passed SPAMMY” or “Blocked INFECTED (Eicar-Test-Signature)”. You can now verify your settings match your delivery expectations.
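
An added example, not part of the original tutorial: instead of reading mail.log by eye, the following extracts each amavis verdict and confirms that both the spam and the virus scanner fired after the test messages were sent. The function names are chosen for this example, and the log lines are constructed in the shape of the entry shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# amavis_verdicts: reads mail.log lines on stdin and prints one
# "action verdict malware hits" record per amavis result line.
amavis_verdicts() {
    awk '
        / amavis\[[0-9]+\]: .*(Passed|Blocked) [A-Z]/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Passed" || $i == "Blocked") break
            name = "-"; hits = "-"
            if ($(i+2) ~ /^\(.*\)$/) {            # e.g. (Eicar-Test-Signature)
                name = $(i+2); gsub(/[()]/, "", name)
            }
            for (j = i; j < NF; j++)
                if ($j == "Hits:") { hits = $(j+1); sub(/,$/, "", hits) }
            print $i, $(i+1), name, hits
        }
    '
}

# scan_tests_ok: succeeds only if the log shows both scanners firing:
# a spam verdict (SPAM or SPAMMY) and a Blocked INFECTED record.
scan_tests_ok() {
    amavis_verdicts | awk '
        $2 ~ /^SPAM/                        { spam = 1 }
        $1 == "Blocked" && $2 == "INFECTED" { virus = 1 }
        END { exit !(spam && virus) }
    '
}

# Constructed sample lines, modelled on the mail.log entry shown above.
sample_log() {
cat <<'EOF'
2024-01-17T16:00:57+01:00 mail amavis[7269]: (07269-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] <root@mail.example.tld> -> <myself@example.tld>, Hits: 2.106, size: 674, 943 ms
2024-01-17T16:05:12+01:00 mail amavis[7269]: (07269-02) Passed SPAMMY {RelayedTaggedInbound}, [127.0.0.1] <root@mail.example.tld> -> <myself@example.tld>, Hits: 7.2, size: 899, 1210 ms
2024-01-17T16:06:40+01:00 mail amavis[7268]: (07268-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [127.0.0.1] <root@mail.example.tld> -> <myself@example.tld>, Hits: -, size: 1002, 310 ms
2024-01-17T16:06:41+01:00 mail postfix/qmgr[4210]: 7493F807B5: removed
EOF
}

sample_log | amavis_verdicts
sample_log | scan_tests_ok && echo "virus and spam scanning both fired"
```

Against a real server, feed the log itself: scan_tests_ok < /var/log/mail.log.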

Task of AMaViS-New

AMaViS is not a virus scanner in the true sense, but rather software that was developed to integrate virus scanners into mail servers. It provides a standard interface between the Mail Transfer Agents (MTA) and the content filters so that manufacturers of mail servers and antivirus programs do not have to constantly develop new interfaces. For example, it is compatible with Postfix, sendmail or Exim. Antivirus programs that work with Amavis include AntiVir Unix, ClamAV and many more. The newer amavisd-new also offers the option of integrating SpamAssassin and other filter programs.

Convert Text to Base64 and back in PowerShell

Base64 converts binary data to text and text back to binary data; this tutorial shows how to do both in PowerShell. Base64 encoding is the process of converting binary data into an ASCII string format.

The Base64 format converts data (mainly images) into characters, originally from a set of 64 characters (hence the name), which can be found in any ISO 8859-1 (also known as Latin-1) character set and can therefore be displayed anywhere. To put it another way: an image becomes HTML code, because Base64 has become a standard way to embed objects in HTML and is therefore used for Internet objects, especially inline graphics.

Furthermore, Base64 encoding is commonly used across mail systems to send email attachments, as SMTP in its original form was only designed to transport 7-bit ASCII characters. Encoding an attachment as Base64 before sending and then decoding it upon receipt ensures that older SMTP servers do not interfere with the attachment.

Convert Text to Base64 in PowerShell

The following function Set-Base64 converts text to Base64 in PowerShell. The Get-Base64 function converts it back to human-readable text.

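# Encode a text string as Base64
Function Set-Base64
{
	param (
	[String]$arg
	)
	# Convert the text to its UTF-8 bytes, then encode the bytes as Base64
	$textout = [System.Text.Encoding]::UTF8.GetBytes($arg)
	[Convert]::ToBase64String($textout)
}

# Decode a Base64 string back to text
Function Get-Base64
{
	param (
	[String]$arg
	)
	# Decode the Base64 string to bytes, then interpret the bytes as UTF-8 text
	$textout = [Convert]::FromBase64String($arg)
	[System.Text.Encoding]::UTF8.GetString($textout)
}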

Note: If you add these functions to the file Microsoft.PowerShell_profile.ps1 under your %userprofile%\Documents\WindowsPowerShell path, the two commands will be available in every PowerShell session.

Convert Base64 Code to Text

In PowerShell, Set-Base64 converts text to Base64 encoding, and Get-Base64 decodes it back to human-readable text.

PS C:\> Set-Base64 "this is a text converted to base64 encoding"
dGhpcyBpcyBhIHRleHQgY29udmVydGVkIHRvIGJhc2U2NCBlbmNvZGluZw==

PS C:\> Get-Base64 dGhpcyBpcyBhIHRleHQgY29udmVydGVkIHRvIGJhc2U2NCBlbmNvZGluZw==
this is a text converted to base64 encoding


Convert binary file to Base64 in PowerShell

Files and images can be converted to Base64 text using the PowerShell cmdlet Get-Content with the -Encoding Byte and -Raw parameters.

[convert]::ToBase64String((get-content -Path C:\temp\image.png -encoding byte -Raw))

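The -Raw parameter ensures that the file is read in its entirety and not line by line. -Encoding Byte tells PowerShell that it is a binary file. This parameter value exists in Windows PowerShell 5.1; PowerShell 6 and later replace it with -AsByteStream.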


Image conversion to Base64 Text locally

To convert image.png to Base64, use the PowerShell convert command with the parameters below; the Base64-encoded text is written to the image.txt file.

[convert]::ToBase64String((get-content -Path C:\temp\image.png -encoding byte -Raw)) > C:\temp\image.txt

How do you know what Base64 encoding is doing?

Let’s take another example with the image file bluebox.png, which you can download to your computer. Convert the small 10×10 pixel graphic to Base64 encoding using this command line in PowerShell.

[convert]::ToBase64String((get-content -Path C:\temp\bluebox.png -encoding byte -Raw)) > C:\temp\img.txt

Next, create an HTML file with the content shown below:

<div>
  <p>A blue box</p>
  <img src="data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAIAAAACUFjqAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAYSURBVChTY2RQ+8+AGzBBaRxgZEozMAAAbOYBOV4WE6YAAAAASUVORK5CYII=" alt="Blue box" />
</div>

Insert the content of the file C:\temp\img.txt as the Base64 data in the src attribute, after "data:image/png;base64," in the <img> tag.

Double-click the HTML file you just created. If you’ve done everything right, a small blue box will be shown in your browser.

Addendum

Base64 is not an encryption method. It is simply an encoding method used to convert binary data into a human-readable form. It does not provide security or privacy of data.

Base64 encodes binary data by converting it into a string of ASCII characters. This is useful when transferring binary data to environments that only support text data, such as email systems.
