
Reduce SPAM and improve security – Amavis + SpamAssassin + ClamAV + Procmail + PostScreen

>90% of mail traffic is actually SPAM, and you will quickly need to implement spam protection, whether from a global blacklist, a learning algorithm, or even checks of SMTP protocol compliance.

The most popular way to block SPAM on your mail server is probably SpamAssassin. It’s a free and Open Source spam filter written in Perl. It performs a wide range of tests on headers and body text to determine how likely a mail is to be spam. You can afterwards make SpamAssassin learn from its mistakes (Ham) or endorse its correct decisions (SPAM). It’s a powerful tool and very flexible. The downside is its resource footprint, as it will scan all our mail to assign a score to each one, and basically >90% of them will be SPAM.

Other solutions exist that are more resource-efficient, but they have other downsides. This is the case with RBLs (Real-time Blackhole Lists). An RBL is a database of known spammy IPs, from Spamhaus for example. You can select which spammy IP list to block (some are larger than others). However, the downside is that you might block legitimate IPs, as only 1 domain might actually spam while all the rest on the same IP could be legitimate. Or worse, in some cases, Spamhaus and co have blocked a full range of IPs…

But there are also other ways to do it, like Postscreen. As most spam is sent by zombie computers that have only a very limited amount of time to deliver their spammy mails before being blacklisted, they tend to make compromises in their SMTP protocol implementation. For example, they may speak before their turn, or they may ignore responses from SMTP servers and continue sending mail even when the server tells them not to do so, etc. Postscreen checks whether clients respect the SMTP protocol and, if they do, allows the mail to be delivered.

I think this process is quite efficient and could save a lot of resources, as SpamAssassin will not have to scan all the mails, but only the ones that have passed the first tests from Postscreen. However, if rejected, the client will need to resend the mail (usually spammers don’t) and in this case you can have a long grace period (several minutes to several hours depending on the client…). For this reason I do not use it, but if you are having a heavy load due to spam and SpamAssassin doesn’t work well enough or uses all your resources, it’s a good workaround.

Another aspect to cover is having an antivirus. For Linux, you will say? Well, first of all, Linux is not perfect (although it manages authorization and system access much better than Windows) and you could suffer from some viruses. But most importantly, you may not be the only user who will read mails coming from your server. You could offer access to family, friends, … or read your mails on different systems including Windows, or simply forward a mail to other people. That’s why I think having a proper antivirus for your mails is important.

But here again, having an antivirus that scans all your mails for viruses will use a significant amount of resources (30-50 MB of RAM, probably?), and here again Postscreen could help, by avoiding scanning spam mails too.

Actually, to make this configuration work, you will also need an additional package, Amavis, to close the loop:

Postscreen will remove a significant part of the spam at the earliest stage (the part not respecting the SMTP protocol) and let the rest go to Postfix. Amavis will then act as the bridge between Postfix and SpamAssassin + ClamAV to check for spam and viruses, and finally Procmail will dispatch everything into the local mailbox. (Note that Sieve in Dovecot could do it too.)

So let’s see how to install and configure all this.

PS: I don’t use Postscreen, and if you want no delays in your mail, you shouldn’t use it either.


and we will also add some compression tools to be able to scan the archives for viruses too.
Postscreen is part of Postfix and does not require an additional package.


  • ClamAV:

By default, ClamAV will automatically update its database every hour. If you want to update it now, you can run:

Then, to avoid ownership issues during scans by ClamAV and Amavis, we need to add the ClamAV and Amavis users to each other’s groups:

  • Amavis:

You will need to make Amavis and Postfix communicate.

In /etc/postfix/, below the line:


to look like this:

And at the end of the file add:

then in /etc/postfix/, add:

Now you need to configure Amavis directly. In /etc/amavis/conf.d/15-content_filter_mode, make sure the 2 variables

are uncommented. You’re now ready to move on to SpamAssassin.

  • SpamAssassin:

I suggest creating a dedicated user to run SpamAssassin, to better control the process and have dedicated logs.

As root (su), type:

Its configuration file is located in /etc/default/spamassassin. You will need to modify a few things to enable SpamAssassin:

and change the following to 1

You will also need to modify the OPTION line to become:

and add a new line with:

Now you need to configure Postfix to use SpamAssassin.

At the line:

add below (new line):

then at the end of the file, add:

Finally, restart all the services you have touched.

If any issue happens during the restart, it should tell you what to do. If there is no issue, you should now be protected from spam and viruses.

You can test whether it works by sending a fake spam to your mailbox. Simply send yourself an email with the content:

or try with an inoffensive virus from The European Expert Group For IT-Security.

  • Procmail:

You may want to make sure spam mails are stored in your Junk box to separate them from your regular inbox. This is where Procmail comes in. (Although Sieve in Dovecot could do the same.)

First, you will need to tell Postfix to use Procmail.

add the following line:

then, we need to configure the rules.

The Dovecot wiki states that Procmail seems to have some intermittent delivery problems if you use the system-wide configuration (/etc/procmailrc) with Maildir-style mailboxes, and that you should thus use $HOME/.procmailrc instead.

Hence, to avoid having to configure that for every new email/user, we will use the skel system to ensure our .procmailrc is copied to every new user.

As root, create the /etc/skel/.procmailrc file

and copy this simple configuration:

This will route the SPAM in the .Junk folder. (You should be able to subscribe to this folder using your favourite email client like Thunderbird,…)

When you create a new user, the user will have this .procmailrc in their home directory and should have email working directly.

As explained in the first part of this tutorial, to create a new user: (In root)

A long tutorial but you should now have access to a secure mail system.

If you want to use Postscreen to have an additional layer of spam protection, you can follow the tutorial below:

  • Postscreen:

In your /etc/postfix/, add a section for Postscreen as follows:

A few explanations:


When a client connects to Postscreen, Postscreen starts the conversation by sending a first banner, “Please wait to be seated”, and, 6 seconds later, the remaining information on the SMTP identity. According to the SMTP protocol, the client needs to wait until it has received the entire banner. Spam bots will probably not wait (as they are configured to send as many mails as possible), and Postscreen will then not accept their mail.


Initially, before ESMTP (Extended SMTP), the protocol was half-duplex, meaning the server and client needed to send 1 command at a time and wait for the answer of the other. Enabling this option will indicate to the client that it needs to send 1 command at a time, as Postscreen “does not” support ESMTP. Here again, spam bots will most probably not respect that and will send the entire set of commands directly.


This test is a simple filter that blocks the commands CONNECT, GET and POST, used by spam bots when they use proxies. This filter is actually already implemented in Postfix (since version 2.2), but having it upstream should help reduce the load on the smtp daemon.


This test is still very simple, but a lot of spam bots don’t respect it. In the SMTP protocol, each line should end with <CR><LF>, for “Carriage Return & Line Feed”. But a lot of zombies only use <LF> at the end of their lines.
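The four checks described above, modelled as an added example (it is not Postscreen's code and not part of the original tutorial): a simplified command-phase classifier run over constructed client sessions. The event format, function names and test labels are assumptions made for illustration.

```python
import re

GREET_WAIT = 6.0  # seconds between teaser banner and full banner, as in the text
NON_SMTP_VERBS = {b"CONNECT", b"GET", b"POST"}

def lines_of(chunk):
    """Split one client write after every LF, keeping the line terminator."""
    return re.findall(rb"[^\n]*\n|[^\n]+\Z", chunk)

def check_session(events):
    """events: list of (seconds_since_connect, bytes_written_by_client).

    Covers the command phase only; message content after DATA legitimately
    arrives as many lines per write and is out of scope here.
    """
    failed = set()
    for t, chunk in events:
        if t < GREET_WAIT:
            failed.add("pregreet")          # spoke before the full banner
        lines = lines_of(chunk)
        if len(lines) > 1:
            failed.add("pipelining")        # several commands in one write
        for line in lines:
            if line.endswith(b"\n") and not line.endswith(b"\r\n"):
                failed.add("bare_newline")  # <LF> without <CR>
            words = line.split(None, 1)
            if words and words[0].upper() in NON_SMTP_VERBS:
                failed.add("non_smtp_command")
    return sorted(failed)

# Constructed sessions (not captured traffic).
WELL_BEHAVED = [
    (6.2, b"EHLO mail.example.org\r\n"),
    (6.5, b"MAIL FROM:<alice@example.org>\r\n"),
    (6.8, b"RCPT TO:<bob@example.net>\r\n"),
]
IMPATIENT_BOT = [
    (0.3, b"HELO x\nMAIL FROM:<s@example.com>\nRCPT TO:<bob@example.net>\n"),
]
PROXY_RELAY = [(7.0, b"CONNECT mx.example.net:25 HTTP/1.0\r\n")]

if __name__ == "__main__":
    for name, session in [("well-behaved", WELL_BEHAVED),
                          ("impatient bot", IMPATIENT_BOT),
                          ("proxy relay", PROXY_RELAY)]:
        print(f"{name}: {check_session(session) or 'passes all four tests'}")
```

A legitimate client that waits for the banner and sends one CRLF-terminated command per write passes all four checks, which is why these tests cost real mail servers nothing beyond the greeting delay.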

Obviously many more options exist, and you should read the official documentation to learn more.

Then you need to modify the /etc/postfix/ to enable Postscreen and allow it to route the validated mails to smtpd. (As root)

and replace the line


and then restart Postfix.

However, you will receive mails with a delay of a few minutes (5 min from Hotmail and 20 min from Gmail, based on my previous test) to a few hours depending on the client side. That’s why I don’t use Postscreen, in fact.

Mail Server – Postfix + Dovecot with TLS/SSL

awaited howto, Postfix is probably the most popular mail server and is usually coupled with Dovecot or Courier and, in some cases, with anti-spam and antivirus. (We will see that in another article.)

My previous tutorial on how to set up a mail server was based on Courier-imap, but as Dovecot became more and more popular, I had to give it a try!

Both mail systems are good, but they have their own pluses and minuses from my experience and reading:

Courier:
  + Extremely reliable
  + Trashmail box automatically expunged
  + Powerful maildrop
  – Larger memory footprint

Dovecot:
  + Low memory footprint
  + Good IMAP performance through indexing
  + Highly configurable
  – Trashmail box not automatically expunged

These are obviously only my observations, and I know they have actually found some workarounds for their minuses.

As I’m a big IMAP user and usually never delete my mail, indexing is a big plus for me and I wanted to give it a shot; this is why I’ve migrated to Dovecot.

The tutorial below covers Postfix + Dovecot for IMAP with SSL security. User management will be based on users created on the system. (No SQL database or text file, as it will be for a few users only.)


Debian comes with the default MTA (Mail Transfer Agent) called Exim which will not be useful anymore as we will replace it with Postfix.

then you will need to select a type of configuration; just choose “Internet Site”


and you will need to type your system mail name. I suggest you create a dedicated subdomain and use it here; in my case it will be

Doing so leaves you ready to add mail servers or change them more easily.


We will assume you want to create an email account for your regular Debian or Ubuntu user. We will see later in this guide how to create new users.


You can generate your own self-signed certificate by running the following command:

(As root)

This will create a key and certificate pair based on 2048-bit RSA encryption.

You will need to enter some info such as:

You will use these 2 files in the Postfix and Dovecot configuration.


The main configuration file of Postfix is located at /etc/postfix/. I suggest you remove all its content and replace it with this one:

Obviously, replace the domain name with your own, and do the same for the TLS certificate and key you have just created.

Then, you need to modify the master file to bridge with Dovecot and allow sending mails.

and replace the #submission part by this one:


You may want to set some aliases so that mails sent to root@yourdomain or webmaster@yourdomain drop into your account. If you want to make some changes, you can modify the file /etc/aliases.

Basically it says mailer-daemon will be redirected to the postmaster user (you may not have a real user called postmaster, never mind); it also says postmaster will be redirected to root, and root to “MYSUER!!”. Just make sure this user suits your needs.

As it suits my needs, I didn’t change anything there. But if you make any changes, don’t forget to update the configuration with the command:


Now you need to configure Dovecot through the file /etc/dovecot/dovecot.conf. Here again I suggest you remove everything and use mine. (The original file contains a lot of links to sub-configuration files located in /etc/dovecot/conf.d.)

and replace with:

You will need to change the SSL certificate location. (Last part of the file.)

And finally, restart Postfix and Dovecot to apply all your changes.

Users Management:

In case you want to create a new mailbox for a dedicated user, you can simply create a new user on your system and mail will work immediately.

As root, type:

The /sbin/nologin option will prevent the user from logging in to your server via ssh.

And that’s all at this stage.

You should now have a working email setting that you could try with Thunderbird for example. Thunderbird should recognize the server setting and you will be using STARTTLS for both IMAP and SMTP.

The next tutorial will cover how to add SPAM protection and Virus Scanning (Although Linux is well protected against viruses, you may still want to add an antivirus scan for your Windows users or when you will be accessing your mails from a Windows system.)

EDIT: The next tutorial is ready:

Reduce SPAM and improve security – Amavis + SpamAssassin + ClamAV + Procmail + PostScreen