What is SPF, ClamAV, Amavisd-new and Spamassassin?

The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, the current version of SPF — called SPFv1 or SPF Classic — protects the envelope sender address, which is used for the delivery of messages.

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.

Amavisd-new is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin. It is written in Perl for maintainability, without paying a significant price for speed. It talks to MTA via (E)SMTP or LMTP, or by using helper programs. Best with Postfix, fine with dual-sendmail setup and Exim v4, works with sendmail/milter, or with any MTA as a SMTP relay. For Courier and qmail MTA integration there is a patch in the distributed package.

SpamAssassin is a computer program released under the Apache License 2.0 used for e-mail spam filtering based on content-matching rules. SpamAssassin uses a variety of spam-detection techniques, including DNS-based and checksum-based spam detection, Bayesian filtering, external programs, blacklists and online databases.

I assume you already have postfix, postfixadmin, courier-authlib, courier-imap, squirellmail up and running in your server. If you still don't have postfix up and running, you can install it from this URL http://forum.wowtutorial.org/index.php?showtopic=401

We will using Freebsd 7 Port to install all packages.
First, we need to login into the server and su with root password.

Install Amavisd-new

#cd /usr/ports/security/amavisd-new
#make config
#make install clean

This will automatically install all dependency such as : MYSQL,SASL,RAR,SPAMASSASSIN,PERL MODULE ... etc..

Install Clam AV

As Root user

#cd /usr/ports/security/clamav
#make config
#make install clean

Make config clam av will automatically install any dependency such as
ARC, ARJ, LHA, UNZOO and UNRAR..

Configure Clamd.conf

#cd /usr/local/etc/
#pico clamd.conf

## uncomment or modify these line below :
LogSyslog yes
LogFacility LOG_MAIL
LogVerbose yes
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
StreamMaxLength 20M
User vscan 
AllowSupplementaryGroups yes
ScanELF yes
ScanPDF yes
ScanMail yes
PhishingSignatures yes

Configure Freshclam.conf

#cd /usr/local/etc/
#pico freshclam.conf

## add or modify these few line below :
DatabaseDirectory /var/db/clamav
DatabaseOwner vscan
AllowSupplementaryGroups yes
DatabaseMirror database.clamav.net
DatabaseMirror db.CN.clamav.net
NotifyClamd /usr/local/etc/clamd.conf

Change Directory permission to vscan

#cd /var/db
#chown -R vscan:vscan clamav

#cd /var/run
#chown -R vscan:vscan clamav

#cd /var/log
#chown -R vscan:vscan clamav

1.4 Setting a crontab for Freshclam

#crontab -e
37 * * * * /usr/local/bin/freshclam

Configure amavisd.conf

#cd /usr/local/etc
#cp amavisd.conf-default amavisd.conf
#pico amavisd.conf

## edit or uncomment these line below :
$max_servers = 2;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = 'vscan';     # (no default;  customary: vscan or amavis), -u
$daemon_group = 'vscan';     # (no default;  customary: vscan or amavis), -g

$mydomain = 'server.wowtutorial.org';   # a convenient default for other settings

#@local_domains_maps = ( [".$mydomain"] );  # list of all local domains
@local_domains_maps = ( ".$mydomain" );
@local_domains_acl = ( ".$mydomain" );

@av_scanners = (

## uncomment these line below :
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

## leave all default config untouch.

Debug amavisd

#/usr/local/sbin/amavisd debug
.....
## you need to make sure 3 module loaded ##
/usr/local/sbin/amavisd[17650]: ANTI-VIRUS code      loaded
/usr/local/sbin/amavisd[17650]: ANTI-SPAM code       loaded
/usr/local/sbin/amavisd[17650]: ANTI-SPAM-SA code    loaded
.....

If everything goes well we can start amavisd without debug option.

Configure Spamassassin

We don't need to install spamassassin again because when we install amavisd-new it's automatically install spamassassin as amavisd dependency. so we just need to configure it.

#cd /usr/local/etc/mail/spamassassin/
#pico local.cf
required_hits 10.0
report_safe 1
rewrite_header Subject [SPAM]
required_hits 10.0
rewrite_subject 1
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 1
use_razor2 0
use_pyzor 0
ok_locales all

Install SPF Policy

#cd /usr/ports/mail/postfix-policyd-spf
#make install clean

Modify postfix main.cf and master.cf to support amavisd-new

#cd /usr/local/etc/postfix
#pico main.cf
....
....

## add these line below in the end of the config :
## these will added RBL/SBL, SPF and Security access

# Security Options
disable_vrfy_command = yes
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
spf_explanation = "%{h} [%{i}] is not allowed to send mail for %{s}"

#====================SASL========================
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_unknown_sender_domain,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unauth_pipelining,
   reject_unauth_destination,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   reject_rbl_client rbl.brasilrbl.com.br,
   reject_rhsbl_client rhsbl.brasilrbl.com.br,
   check_policy_service unix:private/policy,
   permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
smtpd_banner=$myhostname ESMTP "server.wowtutorial.org"

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

## this line below is for communicate with amavisd-new port
content_filter = smtp-amavis:[127.0.0.1]:10024

Configure master.cf

#cd /usr/local/etc/postfix
#pico master.cf

smtp-amavis unix -      -       n     -       2  smtp
   -o smtp_data_done_timeout=1200
   -o disable_dns_lookups=yes

127.0.0.1:10025 inet n  -       n     -       -  smtpd
   -o content_filter=
   -o local_recipient_maps=  
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o strict_rfc821_envelopes=yes
#
smtp      inet  n       -       n       -       -       smtpd
## this line below is for SPF
policy  unix  -       n       n       -       -       spawn
user=nobody argv=/usr/local/sbin/postfix-policyd-spf[/code]

Setting all services and daemon in rc.local

#pico /etc/rc.local

## add few lines below into rc.local
/usr/local/sbin/amavisd
/usr/local/sbin/clamd
/usr/local/bin/spamd -d

Starting up all services

#/usr/local/sbin/postfix restart
#/usr/local/sbin/amavisd
#/usr/local/sbin/clamd
#/usr/local/bin/spamd -d

View Maillog

#tail -f /var/log/maillog or tail -f /var/log/debug.log

This is very usefull to help you troubleshoot if your mail is not working.