Setting up a mailserver, continued

By | December 15, 2008

In my last article I described how to set up a basic mail server on Debian using Postfix and Dovecot; I am now continuing with how to set up some basic spam filters. The reason for splitting this up: I was stupid and assumed I wouldn’t need a spam filter yet. But I forgot that I had also moved one domain to my new mail server that got 200 spam messages a day.

So now, to repair my mistake, I am adding the following features to my existing mail server. To find out how to set up the mail server itself, read my earlier article.

  • Use spamassassin to mark spam in the header
  • Change the mail delivery to dovecot LDA, this is needed for step 3
  • Automatically move marked e-mails to the spam folder of the user

Sounds easy, right? Well, it should be ;-).

Install spamassassin and set it up in postfix

The first step is installing and setting up SpamAssassin. First let’s install it with the default options from Debian and create the user it will run as:

apt-get install spamassassin
# useradd -g needs the group to exist already
groupadd spamd
useradd -g spamd -s /bin/false -m -d /home/spamassassin spamd

Next we set up the basics of the SpamAssassin configuration, in the file called /etc/spamassassin/

report_safe        0
required_score     2.0

use_bayes          1
bayes_auto_learn   1
use_bayes_rules    1

# Some basic configuration
score DCC_CHECK 4.000
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
score RAZOR2_CHECK 2.500
score BAYES_99 4.300
score BAYES_95 3.500
score BAYES_80 3.000

# Headers to be added for all scanned messages
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

So what we’ve done so far is set spamassassin up to automatically learn from mail it receives and to mark anything with a bayes score over 2 as spam. But we still need to integrate it into postfix to get it to work. Add the following to the postfix configuration (/etc/postfix/

spamassassin unix -     n       n       -       -       pipe
 user=spamd argv=/usr/bin/spamc -f -e
 /usr/sbin/sendmail -oi -f ${sender} ${recipient}

You will also need to change the smtp line in the same file to the following; this sets up SpamAssassin as a pre-delivery filter:

smtp      inet  n     -     -     -     -     smtpd -o content_filter=spamassassin

This adds the spamassassin service as a unix service through a pipe connection. It sounds complicated but it’s really easy: it basically uses a binary file to communicate between Postfix and SpamAssassin. Make sure the user spamd exists and create the folder /usr/bin/spamc with full access to the spamd user. Also edit the file spamassassin to the following:

# /etc/default/spamassassin
# Change to one to enable spamd
ENABLED=1

# Home directory used in OPTIONS below (assumed here to be the
# /var/lib/spamassassin directory created in the next step)
SAHOME="/var/lib/spamassassin/"

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir ${SAHOME} -s ${SAHOME}spamd.log"

Make sure to create the directory /var/lib/spamassassin and give spamd full access rights to it, otherwise the service might not run properly. SpamAssassin is now set up and will start scanning your e-mail. So if all you are interested in is the header being changed to indicate whether a message is spam, then you are done. If you also wish to move it to a different folder, then continue reading.

Set up Dovecot as LDA (Local Delivery Agent)

The next step is setting up Dovecot as the default LDA for Postfix. This is needed to let Dovecot filter messages into the proper locations. First set up the connection between Postfix and Dovecot by adding the following to the /etc/postfix/

dovecot   unix  -       n       n       -       -       pipe
 flags=DRhu user=dovecot:dovecot
 argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

Please note that we now need to keep track of the fact that dovecot will be the user running this part of the mail server. So every file needed, whether log, configuration or mailbox related, needs to be owned by dovecot:dovecot. I have had issues with files having the wrong owner, so it is important! Before activating the Postfix connection let’s configure Dovecot for LDA by editing the /etc/dovecot/dovecot.conf file. Add the following piece of code in the group auth default >> socket listen:

        master {
          path = /var/run/dovecot/auth-master
          user = dovecot
          group = ssl-cert
          mode = 0600
        }

This will setup the authentication service that dovecot will use for delivering the e-mail to the correct user and authenticating users. Also add the following at the bottom of the file to configure the LDA of dovecot:

protocol lda {
  mail_plugins = cmusieve
  sieve_global_path = /etc/dovecot/globalsieverc/global.sieve
  log_path = /var/log/dovecot-delivery_log
  postmaster_address =
}

plugin {
  sieve = /etc/dovecot/globalsieverc/global.sieve
}

Again make sure that the user dovecot has full access to both the logfile and the global sieve directory (which you will need to make) :-). The plugin group is just for safety. I don’t know if it is needed but it doesn’t break anything. Also check the dovecot-mysql.conf that you made earlier to make sure that the uid and gid are those of the dovecot user. You can find this out by running:

:> id dovecot
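
A check for the ownership requirement described above, as an added example that is not part of the original article: it verifies that the delivery log, the sieve directory and the auth-master socket belong to the dovecot user and flags anything world-writable. The paths, the ssl-cert socket group and mode 0600 are read off the configuration shown above; run it as root.

```python
import grp
import os
import pwd
import stat

# (path, expected group, exact mode or None): names taken from this article's config.
CHECKS = [
    ("/var/log/dovecot-delivery_log", "dovecot", None),
    ("/etc/dovecot/globalsieverc", "dovecot", None),
    ("/var/run/dovecot/auth-master", "ssl-cert", 0o600),
]

def audit(checks, user="dovecot"):
    """Return a list of problems; an empty list means every check passed."""
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        return [f"user {user!r} does not exist"]
    problems = []
    for path, group, mode in checks:
        try:
            st = os.stat(path)
            gid = grp.getgrnam(group).gr_gid
        except OSError as exc:          # missing path, unreadable parent, ...
            problems.append(f"{path}: {exc.strerror}")
            continue
        except KeyError:
            problems.append(f"{path}: group {group!r} does not exist")
            continue
        perms = stat.S_IMODE(st.st_mode)
        if st.st_uid != uid:
            problems.append(f"{path}: owner uid {st.st_uid}, expected {user}")
        if st.st_gid != gid:
            problems.append(f"{path}: gid {st.st_gid}, expected {group}")
        if mode is not None and perms != mode:
            problems.append(f"{path}: mode {perms:o}, expected {mode:o}")
        if perms & stat.S_IWOTH:        # any local user could edit the global sieve or log
            problems.append(f"{path}: world-writable")
    return problems

if __name__ == "__main__":
    for line in audit(CHECKS) or ["all ownership checks passed"]:
        print(line)
```
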

If this is all set up in Dovecot, restart it by running:

:>/etc/init.d/dovecot force-reload

Now it is time to wrap things up and activate Dovecot as the LDA for Postfix: edit the file /etc/postfix/ and change the virtual_transport from virtual to dovecot. Last but not least is creating the global.sieve file.

:> vi /etc/dovecot/globalsieverc/global.sieve

require ["fileinto"];
if anyof (
    header :contains ["X-Spam-Flag"] "Yes"
) {
    fileinto "Spam"; stop;
}

Now restart Postfix and send yourself a test mail. If everything is set up correctly it should be delivered to your mailbox. If not, then first check ‘/var/log/’ to gather some information as to what is going on. If this indicates a delivery was attempted but failed, then check ‘/var/log/dovecot-delivery_log’ to find out more.
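
To read a delivered test mail, the following added example (not part of the original article) parses the X-Spam-Status header produced by the add_header template above and mirrors the global.sieve rule to show which folder the message would land in. The three sample messages are constructed; a message without any X-Spam-Status header means the content filter never saw it.

```python
import email
import re

# Constructed samples: headers as the add_header templates above would render them.
TAGGED_SPAM = (
    "X-Spam-Flag: YES\n"
    "X-Spam-Level: **************\n"
    "X-Spam-Status: Yes, score=14.3 required=2.0 tests=BAYES_99,\n"
    "\tSPF_FAIL autolearn=no version=3.2.5\n"
    "Subject: constructed spam sample\n\nbody\n"
)
TAGGED_HAM = (
    "X-Spam-Status: No, score=-1.2 required=2.0 tests=BAYES_00 autolearn=ham version=3.2.5\n"
    "Subject: constructed ham sample\n\nbody\n"
)
UNSCANNED = "Subject: constructed sample that bypassed the filter\n\nbody\n"

STATUS_RE = re.compile(
    r"(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)"
    r"\s+tests=(.*?)(?:\s+autolearn=|$)"
)

def parse_status(msg):
    """Return the parsed X-Spam-Status header, or None if absent or malformed."""
    raw = msg.get("X-Spam-Status")
    if raw is None:
        return None
    unfolded = re.sub(r"\s+", " ", raw).strip()  # undo header folding
    m = STATUS_RE.match(unfolded)
    if not m:
        return None
    tests = [t.strip() for t in m.group(4).split(",") if t.strip()]
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}

def sieve_folder(msg):
    """Mirror global.sieve: header :contains "X-Spam-Flag" "Yes" (case-insensitive)."""
    flags = msg.get_all("X-Spam-Flag", [])
    return "Spam" if any("yes" in f.lower() for f in flags) else "INBOX"

def triage(raw_message):
    """Summarise where a message would be filed and whether it was scanned at all."""
    msg = email.message_from_string(raw_message)
    status = parse_status(msg)
    return {"folder": sieve_folder(msg), "scanned": status is not None, "status": status}

if __name__ == "__main__":
    for name, raw in [("spam", TAGGED_SPAM), ("ham", TAGGED_HAM), ("unscanned", UNSCANNED)]:
        print(name, triage(raw))
```
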

I hope you have fun using your spam free mail server. If you have any issues let me know, but please include snippets from the log as this will help me help you 😉
