
Anti-Spam HOWTO

This is intended as a step-by-step guide to setting up an anti-spam e-mail gateway utilizing some of the most effective tools available.  While these instructions may be adapted to other configurations, they are written for a Debian Linux installation.  We use pre-compiled distribution packages where possible - so we can't offer help with compilation for those programs.

We have made every effort to ensure the accuracy and completeness of these instructions.  If you have any difficulty or confusion, please contact us with questions or recommendations.  Likewise, if you found this page helpful - please let us know!

Prerequisites - proper DNS configuration for both your internal network and your published external domain.  Without this, nothing works.  You must have valid A, PTR, and MX records for your internal e-mail server and your new gateway.

The packages referenced below are from the Debian "unstable" repository.  Debian is known for several features - cutting edge updates are NOT part of Debian's reputation.  Debian concentrates on stability - one of the things that makes it excellent as a server platform.  Packages in the "unstable" area are not a comment on the code quality or reliability - only that they have not gone through the extensive testing and installation cycles that the Debian "stable" releases go through.  A program that is considered "stable" by its authors may be in Debian's "unstable" area for over a year!  Therefore, to install the programs listed below and utilize as many as possible of their current features, you will need to select the "unstable" versions from Debian.

Comments below are enclosed in {} - the braces and comments should NOT be entered into configuration files!

Step 1 - Postfix Installation.  Install the latest versions of the postfix and postfix-pcre packages.

Step 2 - Postfix Base Configuration.  Important settings in /etc/postfix/main.cf (and leave the rest alone!):

  • myhostname = {external Internet name of gateway}
  • myorigin = /etc/mailname {and /etc/mailname should contain your external domain name}
  • mydestination = {comma separated list of domains this gateway accepts mail for and delivers locally.  This should include the localhost names, your external hostname, external domainname, and internal hostname, but NOT the internal domainname (that belongs on your internal e-mail server, not the gateway).  Caveat: a domain in mydestination is delivered on the gateway itself unless a transport_maps entry sends it elsewhere, and Postfix warns if the same domain appears in both mydestination and relay_domains; if the gateway's only job for your external domain is to forward it to the internal server, list that domain in relay_domains with a transport_maps entry instead.}
  • mynetworks = {space separated list of subnets that are permitted to connect to this gateway and bypass the postfix filters.  Normally includes the local subnet and your internal subnet.}
  • relay_domains = {comma separated list of external and internal domainnames that this host will forward mail for.  Normally includes your external Internet domain and your internal domain}

Example main.cf settings:
    myhostname = mail.amfes.com
    myorigin = /etc/mailname  {/etc/mailname contains amfes.com}
    mydestination = mail.amfes.com, amfes.com, gateway.amfes.local, localhost.amfes.local, localhost
    mynetworks = 127.0.0.0/8 192.168.0.0/24
    relay_domains = amfes.com, amfes.local

Now we need to add some restrictions.  We'll get fancier later; for now we start with the basics.  Add the following lines to /etc/postfix/main.cf - and make sure you end up with only one instance of each parameter.  Postfix uses the last definition it finds, so a stray duplicate further down the file silently undoes what you set here.

strict_rfc821_envelopes = yes
smtpd_helo_required = yes
smtpd_client_restrictions = permit_mynetworks, reject_unauth_pipelining
smtpd_helo_restrictions = permit_mynetworks, permit
smtpd_sender_restrictions = permit_mynetworks, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining

These checks enforce a bare minimum.  The most important entry is reject_unauth_destination in smtpd_recipient_restrictions.  Postfix evaluates a restriction list left to right and the first entry that decides wins: a client inside mynetworks is permitted outright, and everyone else is rejected the moment they name a recipient in a domain this gateway is not responsible for (a domain that is in neither mydestination nor relay_domains - note that relay_domains lists domains, not clients).  Without this entry you have an "open relay" - which WILL result in spammers happily using your server to send their junk and WILL result in you being listed in various blacklists.  So make sure this entry is present, and that no catch-all permit comes before it.
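As an added check (this is example code, not part of the original HOWTO), the following script applies the two rules stated above - one instance of each parameter, and reject_unauth_destination ahead of any catch-all permit - to main.cf text.  The sample file contents, function names and findings wording are the editor's own; the hostnames are borrowed from the example configuration above.

```python
# Added example (not from the original HOWTO): a small linter for the two
# rules this page insists on, run against constructed main.cf text.
import re

# Constructed sample with both mistakes: a parameter set twice, and a
# catch-all "permit" ahead of reject_unauth_destination.
BAD_MAINCF = """\
# anti-spam gateway - base configuration
myhostname = mail.amfes.com
mydestination = mail.amfes.com, amfes.com,
    gateway.amfes.local, localhost.amfes.local, localhost
smtpd_recipient_restrictions = permit_mynetworks, permit,
    reject_unauth_destination
myhostname = gateway.amfes.local
"""

# Constructed sample that follows the rules (the page's own restriction line).
GOOD_MAINCF = """\
myhostname = mail.amfes.com
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit
"""


def parse_maincf(text):
    """Parse main.cf text into (params, duplicates).

    Follows Postfix's reading rules: a line starting with whitespace
    continues the previous logical line, '#' lines are comments, and a
    parameter set twice takes its LAST value (which is exactly why the
    HOWTO says to keep one instance of each)."""
    params, duplicates, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":            # continuation of the previous value
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue                   # not "name = value"; ignore
        name, value = m.group(1), m.group(2).strip()
        if name in params:
            duplicates.append(name)
        params[name] = value
        current = name
    return params, duplicates


def split_restrictions(value):
    """Restriction lists may be separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def audit_relay_protection(params):
    """Return findings about the anti-relay rule (empty list = OK).

    reject_unauth_destination must be present, and no bare "permit" may
    come before it: restrictions are evaluated left to right and the
    first one that decides wins.  Postfix 2.10 and later may carry the
    rule in smtpd_relay_restrictions instead, so that list is accepted too."""
    findings = []
    for param in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        terms = split_restrictions(params.get(param, ""))
        if "reject_unauth_destination" not in terms:
            continue
        before = terms[: terms.index("reject_unauth_destination")]
        if "permit" in before:
            findings.append(f"{param}: catch-all 'permit' precedes "
                            "reject_unauth_destination (OPEN RELAY)")
        return findings            # rule found; the ordering verdict is final
    findings.append("no reject_unauth_destination in smtpd_recipient_restrictions "
                    "or smtpd_relay_restrictions (OPEN RELAY)")
    return findings


def audit(text):
    """All findings for one main.cf: duplicates first, then the relay check."""
    params, dups = parse_maincf(text)
    findings = [f"parameter '{d}' set more than once; Postfix uses the last "
                f"value ({params[d]!r})" for d in dups]
    return findings + audit_relay_protection(params)


if __name__ == "__main__":
    for label, text in (("bad", BAD_MAINCF), ("good", GOOD_MAINCF)):
        print(label, audit(text) or ["OK"])
```

To run it against the real file, read /etc/postfix/main.cf into a string and pass it to audit(); an empty list means both rules hold.  This checks the text you wrote, not what Postfix actually loaded, so `postconf -n` remains the authority on effective values.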

Now start Postfix and check your logs - postfix should startup without errors - otherwise there is a problem that needs fixing.  Do not proceed until Postfix operates properly at this level.

If the logs are clear and a process check shows postfix is running then try sending a message from inside your network to an Internet address.
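That test only shows that mail from inside gets out.  The check a practitioner also wants is from the other direction: connect from a host outside mynetworks and ask the gateway to accept a recipient in a domain it does not serve.  Below is an added example probe (not from the original page) that does this with Python's smtplib.  The hostnames and addresses are placeholders, and FakeSMTP is a constructed stand-in so the script runs offline.  Because the probe stops after RCPT TO, nothing is ever delivered.

```python
# Added example (not from the original HOWTO): an open-relay probe meant to
# be run from a host OUTSIDE mynetworks.  Hostnames/addresses are
# placeholders; FakeSMTP is a constructed stand-in so this file runs offline.
import smtplib


def classify_rcpt(code):
    """Map the RCPT TO reply code to a verdict."""
    if 200 <= code < 300:
        return "OPEN_RELAY"        # gateway accepted a domain it does not serve
    if 400 <= code < 500:
        return "tempfail"          # defer_unauth_destination or greylisting
    if 500 <= code < 600:
        return "relay_denied"      # e.g. "554 5.7.1 ... Relay access denied"
    return "unexpected"


def probe_relay(conn, helo_name, mail_from, rcpt_to):
    """Send one envelope through an open SMTP connection and classify it.

    `conn` is an smtplib.SMTP instance or anything with the same
    ehlo/mail/rcpt/quit methods.  Returns (verdict, code, reply).  The
    DATA stage is never reached, so no message is actually sent."""
    try:
        code, reply = conn.ehlo(helo_name)
        if code != 250:
            return ("helo_rejected", code, reply)
        code, reply = conn.mail(mail_from)
        if code != 250:
            return ("sender_rejected", code, reply)
        code, reply = conn.rcpt(rcpt_to)
        return (classify_rcpt(code), code, reply)
    finally:
        try:
            conn.quit()
        except (smtplib.SMTPException, OSError):
            pass


def probe_host(host, port=25, helo_name="probe.example.org",
               mail_from="probe@example.org", rcpt_to="nobody@example.com"):
    """Connect to a real gateway.  rcpt_to must be in a domain the gateway
    is NOT responsible for (in neither mydestination nor relay_domains)."""
    return probe_relay(smtplib.SMTP(host, port, timeout=20),
                       helo_name, mail_from, rcpt_to)


class FakeSMTP:
    """Constructed stand-in that replies the way a Postfix gateway would."""
    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.closed = False

    def ehlo(self, name=""):
        return (250, b"mail.amfes.com")

    def mail(self, sender, options=()):
        return (250, b"2.1.0 Ok")

    def rcpt(self, recip, options=()):
        return self.rcpt_reply

    def quit(self):
        self.closed = True
        return (221, b"2.0.0 Bye")


# Constructed replies: what reject_unauth_destination answers, and what an
# open relay answers.
DENIED = (554, b"5.7.1 <nobody@example.com>: Relay access denied")
ACCEPTED = (250, b"2.1.5 Ok")

if __name__ == "__main__":
    for reply in (DENIED, ACCEPTED):
        print(probe_relay(FakeSMTP(reply), "probe.example.org",
                          "probe@example.org", "nobody@example.com"))
```

From a machine outside your subnets, call probe_host('mail.amfes.com'); relay_denied is the answer you want, and tempfail usually means greylisting or defer_unauth_destination rather than a problem.  From inside mynetworks the answer is always OPEN_RELAY because permit_mynetworks fires first - that is by design, which is also why the probe must be run from outside.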

Now we'll add another layer - anti-virus protection using Amavisd-new and ClamAV.  Amavisd-new is a multi-function program - it performs some basic anti-spam and anti-virus work internally, and it provides a link to other programs that do not have an SMTP interface.

Installing these is a snap on Debian.

To install Amavisd-new, oddly enough, install the Amavisd-new package.  If you look, you will see a number of additional amavis* packages.  One or two of these have some useful support tools, like amavis-stats - but most of them are older versions - don't install these.  Unless you know what you're doing - accept the defaults and recommendations of the installer.  Now it's time to make some changes to the configuration file - /etc/amavis/amavisd.conf:

  • $mydomain = {internal domainname};
  • $forward_method = 'smtp:127.0.0.1:10025';
  • $notify_method = $forward_method;

That's it for the amavis side.  $mydomain should be obvious - $forward_method and $notify_method tell amavis where to hand back the mail it has accepted and where to submit its notifications.  Note that the 127.0.0.1:10025 address in $forward_method is a Postfix listener you must provide: Postfix has to be told to pass incoming mail to amavis (the content_filter parameter in main.cf, pointing at the port amavis listens on - 10024 by default) and to run a second smtpd on 127.0.0.1:10025 in master.cf, with content_filter= cleared on that instance, to receive the scanned mail back.  Without both halves, mail either bypasses the scanner or loops back into it.

Now we have a functioning e-mail gateway with anti-virus protection.  Time to start blocking spam.  You can actually eliminate a substantial amount of junk mail by using some of Postfix's built-in filters - but some of these can cause "good" mail to be blocked as well.  This is due to the unfortunate tendency of Internet mail servers to be misconfigured.  The original "golden rule" of the Internet was, "be conservative in what you send, liberal in what you accept" (not meant to be a political commentary).  The problem is that spammers have taken advantage of this open policy to facilitate their business.  At this time, the vast majority of junk mail comes from misconfigured servers.  Setting your e-mail gateway to accept mail only from properly configured remote servers and clients can eliminate a HUGE amount of junk - with the side-effect of showing you which of your desired e-mail sources are also misconfigured.  If you want to implement some of these policies, you need to be prepared for an investment of time - and some complaints.

The other way of reducing spam is by content-filters.  While there are quite a few alternatives available - one has stood apart recently for its performance.  Introducing . . . dspam.

Dspam is a command-line utility - it accepts a mail message as a parameter, processes it, and then sends it using the local server's mail submission command.  On a Postfix server, this means the sendmail compatibility command.  Amavisd-new currently does not have an interface


Please see the contact page if you have questions or comments about this web site.
Copyright © 2003 AM Fire & Electronic Services, Inc.
Last modified: 06/29/06