Postfix disable Amavis

Recently I needed to turn off Amavis / Spamassassin on a server...

The server was running Postfix with DBMail and some custom extensions. Due to a botched FreeBSD PKG update, Spamassassin and Amavis were no longer installed or installable. So I really needed to turn them off as a first step of restoring mail functionality.

 

There's a nice howto about disabling / bypassing Amavis at this URL: http://www200.pair.com/mecham/spam/bypassing.html

The problem is that it explains 12 cases of how to turn it off for specific situations. There's not a single word about how to just NOT USE IT NOW RIGHT AWAY. For all non-emergency cases, go with the howto; it's the very best I could find.

 

Should you be here for this more urgent case though, just read on.

 

Steps to simply disable it:

  1. Identify Amavis connection errors in the _right_ logfile (I didn't the day before because it was a jailed system)
  2. Notify the customer to alert users of an increased chance of receiving spam / viruses
  3. Stop the leftovers of the broken Amavis setup
  4. In master.cf, disable the call to Amavisd. More trivial setups just have 2 lines in main.cf!
  5. Check using postconf -n that there's no remaining amavisd config
  6. Reload/restart Postfix (i.e. service postfix reload)
  7. Run postsuper -r ALL to requeue all queued messages
  8. Watch the log for the Amavis errors
  9. Since they still occurred, search some more and find the dbmail SQL hook script referenced in main.cf
  10. Disable that, repeat steps 6, 7, 8
  11. Start dealing with the actual problem of broken software

What I disabled

 

master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
submission inet n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
[...]
# 
# amavisd-new content filter
# 
# I had to comment all of the following lines!!!
smtp-amavis unix -      -       n       -       -       lmtp
    -o lmtp_data_done_timeout=400
    -o lmtp_send_xforward_command=yes
    -o lmtp_line_length_limit=0
    -o disable_dns_lookups=yes
    -o max_use=20
lo.cal.ip.addr:10025 inet n  -       n     -      -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=lo.cal.ip.addr
    -o mynetworks_style=host
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

 

Notice I did NOT need to change anything in the smtp / lmtp line at the start of master.cf!

 

 

If it's configured directly from main.cf, you'll need to disable the following line:

content_filter=smtp-amavis:[127.0.0.1]:10024

 

If it's a more complex multi-tenant setup, you might need to remove the line calling the SQL function that returns the right spamfilter instance.

main.cf
smtpd_recipient_restrictions =  reject_non_fqdn_recipient,
                                reject_unknown_recipient_domain,
                                permit_mynetworks,
                                permit_inet_interfaces,
                                permit_sasl_authenticated,
                                reject_unauth_destination,
                                reject_unlisted_recipient,
                                check_recipient_access mysql:/usr/local/etc/postfix/sql-access-filter.cf, # <- removed this line
                                permit_auth_destination,
                                reject
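The check from step 5 only covers main.cf (postconf -n does not read master.cf), so here is an added example, not part of the original post, that scans both files for anything still pointing at the filter and for "-o" lines left active under a commented-out service header. The function names, the script name and the match patterns are assumptions based on the listings above.

```shell
#!/bin/sh
# Added example, not from the original post. Postfix ignores blank lines and
# lines whose first non-blank character is "#"; a line starting with
# whitespace continues the previous logical line.

# Print each active logical line of a main.cf / master.cf file on one line.
logical_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        /^[ \t]/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }  # continuation
        { if (buf != "") print buf; buf = $0 }  # a new logical line starts
        END { if (buf != "") print buf }
    ' "$1"
}

# Print active logical lines that can still reach the filter; exit status 0
# means references remain. The patterns are assumptions based on the listings
# above: the name "amavis", ports 10024/10025, and check_*_access lookup
# tables, which can pick a filter per recipient (the SQL hook from step 9).
filter_refs() {
    logical_lines "$1" | grep -E 'amavis|:1002[45]|check_[a-z_]+_access'
}

# Print "lineno: text" for continuation lines that directly follow a comment.
# This is the signature of a block whose first line was commented out while
# its "-o" lines were not: they now extend the preceding active entry.
orphaned_options() {
    awk '
        /^[ \t]*$/ { next }
        /^[ \t]*#/ { after_comment = 1; next }
        /^[ \t]/   { if (after_comment) print FNR ": " $0; next }
        { after_comment = 0 }
    ' "$1"
}

# Usage: sh check_filter.sh path/to/main.cf path/to/master.cf
for f in "$@"; do
    echo "== $f"
    filter_refs "$f"
    orphaned_options "$f"
done
```

A check_*_access hit is only a pointer: the table it names (here the SQL map) has to be inspected by hand to see whether it returns a filter. An option line that legitimately follows a comment inside an active entry is also reported by orphaned_options, so read its output before changing anything.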

 

 

 

I hope this will help you get your services back online!

 

As for the actual Amavis fix, I updated my ports tree and manually built all the missing packages so PKG would not shred any further through this (not arguing this) horribly dated server. I just think it's not really helpful to have a package manager that destroys the whole box when you're trying to carefully update it :)

 

 

Once you have re-enabled it, also check out the dcc-servers project, which is doing a distributed spam hunt!