Protecting a mail server from spam and viruses
Preparation
Comprehensive tools are available in ispmanager to protect mailboxes from spam and viruses. Install the required components via the mail server.
- Exim — mail server that processes and sends mail.
- Greylisting — spam filtering method that temporarily rejects emails from unknown senders.
- SpamAssassin — powerful spam filter that analyzes the contents of emails and assigns them a spam probability score based on various rules and characteristics.
- ClamAV — antivirus scanner that checks incoming emails for malware.
Greylisting
The mail server temporarily rejects an email and asks the sender to try again in a few minutes. Reliable servers try again, while spammers do not. In ispmanager, greylisting is implemented using postgrey.
A whitelist contains addresses and domains whose emails are accepted immediately, without the temporary rejection.
To create a new rule:
- Go to the Mail section → Spam protection.
- Navigate to Whitelist (Greylisting) → Create rule.
- In the Sender field, enter an IP address, email, or domain name. If you specify a domain name, there will be no Greylisting check for all mailboxes of that domain.
- Click Create.
The whitelist is stored: for Red Hat-like OSes in /etc/postfix/postgrey_whitelist_clients, for Debian-like OSes in /etc/postgrey/whitelist_clients.
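The retry behaviour described above, as an added example that is not postgrey's or ispmanager's own code. It is a simplified model: the 300-second delay stands in for "a few minutes", and the whitelist matches the sender's IP address, email, or domain exactly (both are assumptions).

```python
class Greylist:
    """Simplified greylisting model keyed on (client IP, sender, recipient)."""

    def __init__(self, delay=300, whitelist=()):
        self.delay = delay                      # assumed retry delay, seconds
        self.whitelist = {w.lower() for w in whitelist}
        self.first_seen = {}                    # triplet -> time of first attempt

    def _whitelisted(self, client_ip, sender):
        sender = sender.lower()
        domain = sender.rpartition("@")[2]
        return bool({client_ip, sender, domain} & self.whitelist)

    def check(self, client_ip, sender, recipient, now):
        """Return the verdict for one delivery attempt at time `now` (seconds)."""
        if self._whitelisted(client_ip, sender):
            return "accept (whitelisted)"       # no temporary rejection at all
        triplet = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            return "defer"                      # temporary rejection, retry later
        return "accept"                         # sender retried after the delay


def demo():
    """Constructed attempts using documentation IP ranges and example domains."""
    gl = Greylist(delay=300, whitelist={"partner.example", "192.0.2.25"})
    rcpt = "bob@example.com"
    return [
        gl.check("198.51.100.7", "alice@shop.example", rcpt, now=0),    # first try
        gl.check("198.51.100.7", "alice@shop.example", rcpt, now=60),   # too early
        gl.check("198.51.100.7", "alice@shop.example", rcpt, now=400),  # proper retry
        gl.check("203.0.113.9", "news@partner.example", rcpt, now=0),   # domain rule
        gl.check("192.0.2.25", "x@other.example", rcpt, now=0),         # IP rule
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```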
Whitelisting
The built-in Exim tools allow you to customize lists of allowed senders to secure and filter incoming mail.
The whitelist contains addresses and domains that are always allowed to send mail to your mail server. If a sender is on the list, their message will be accepted by the server without additional checks.
To create a new rule:
- Go to the Mail section → Spam protection.
- Navigate to Whitelist → Create rule.
- In the Sender field, enter an IP address, email, or domain name. If you specify a domain name, all emails from mailboxes of that domain will be accepted without additional checks.
- Click Create.
The whitelist is stored: for Red Hat-like OSes in /etc/exim/whitelist, for Debian-like OSes in /etc/exim4/whitelist.
Blacklisting
The built-in Exim tools allow you to configure banned sender lists to secure and filter incoming mail.
The blacklist contains addresses and domains that are automatically rejected. If a sender is on the list, their message will not be accepted by the server.
To create a new rule:
- Go to the Mail section → Spam protection.
- Navigate to Blacklist → Create rule.
- In the Sender field, enter an IP address, email, or domain name. If you specify a domain name, all emails from mailboxes of that domain will be rejected by the mail server.
- Click Create.
The blacklist is stored: for Red Hat-like OSes in /etc/exim/blacklist, for Debian-like OSes in /etc/exim4/blacklist.
DNSBL
DNSBL (DNS blacklist) — lists of domains and IP addresses that are used to fight spam. Exim checks whether the sender's mail domain is on the DNSBL lists. If the mail domain is present in the lists, the mail is rejected.
To create a new rule:
- Go to the Mail section → Spam protection.
- Navigate to DNSBL → Create domain.
- In the DNSBL domain field, specify the URL of the blacklist.
- Click Create.
The DNSBL list is stored: for Red Hat-like OSes in /etc/exim/dnsbllist, for Debian-like OSes in /etc/exim4/dnsbllist.
Message Limit
The built-in Exim tools allow you to set the maximum number of emails that can be sent from a mailbox per hour for each user. If the limit is exceeded, mail sending stops and an error message is displayed in the user's mail client.
If the mail client continues attempts to send emails after exceeding the limit, the blocking time increases. Resending will be possible after the sending speed falls below the limit. Details of the ratelimits mechanism are described in the official Exim documentation.
To create a limit:
- Go to the Mail section → Spam protection.
- Navigate to Mailbox limits.
- In the Mail limit field, specify the maximum number of messages per hour. If you specify the value 0 or 1, no emails will be sent.
- Click Create.
The message limit is stored: for Red Hat-like OSes in /etc/exim/ratelimits, for Debian-like OSes in /etc/exim4/ratelimits.
SpamAssassin
SpamAssassin analyzes the contents of all emails arriving at the mail server. After the analysis, emails are marked with spam danger level indicators.
You can configure filters in your mail client to take into account the results of SpamAssassin analysis.
The following is an example configuration for Mozilla Thunderbird:
- Go to Tools → Email filters.
- Select a mailbox in Filter for.
- Click on Add.
- Enter a Filter name.
- Set up the filter.
SpamAssassin settings are stored in /etc/mail/spamassassin/local.cf.
The main parameters:
- required_score — if this score is exceeded, SpamAssassin marks an email as spam. The minimum value is 0, the maximum value is 100. The default value is 5.
- rewrite_header — header that is added to the «Subject» field if an email is defined as spam.
- report_contact — contact email address. It is added to the spam report.
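What a mail-client filter can key on, as an added example that is not part of ispmanager or SpamAssassin: a parser for the X-Spam-Status header that SpamAssassin usually adds to scanned mail. The sample messages are constructed, and `client_threshold` is a hypothetical client-side policy that can be stricter than the server's required_score.

```python
import re
from email import message_from_string

# Constructed sample messages; header layout follows SpamAssassin's usual
# X-Spam-Status format, the addresses and scores are invented.
SPAM = ("From: promo@mail.example\nSubject: [SPAM] You won\n"
        "X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_99,\n"
        "\tHTML_MESSAGE,URIBL_BLOCKED autolearn=no version=3.4.6\n\nbody\n")
HAM = ("From: alice@shop.example\nSubject: Invoice\n"
       "X-Spam-Status: No, score=1.2 required=5.0 tests=HTML_MESSAGE\n"
       "\tautolearn=no version=3.4.6\n\nbody\n")
UNSCANNED = "From: carol@corp.example\nSubject: hi\n\nbody\n"

STATUS_RE = re.compile(
    r"(Yes|No),\s*score=(-?[\d.]+) required=(-?[\d.]+)(?: tests=(\S*))?")


def classify(raw, client_threshold=None):
    """Return the filter verdict plus the parsed score details for one message."""
    header = message_from_string(raw).get("X-Spam-Status")
    if header is None:
        # No header means the message was not scored; it is not proof of "clean".
        return {"verdict": "unscanned"}
    # Unfold the header and close the gaps folding leaves inside the tests list.
    flat = re.sub(r",\s+", ",", " ".join(header.split()))
    m = STATUS_RE.match(flat)
    if not m:
        return {"verdict": "unparsed"}
    score, required = float(m.group(2)), float(m.group(3))
    if client_threshold is None:
        junk = m.group(1) == "Yes"          # trust the server's own decision
    else:
        junk = score >= client_threshold    # apply the client's own threshold
    return {
        "verdict": "junk" if junk else "inbox",
        "score": score,
        "required": required,
        "tests": m.group(4).split(",") if m.group(4) else [],
    }


if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM), ("unscanned", UNSCANNED)):
        print(name, classify(raw))
```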
ClamAV
ClamAV is an antivirus that checks incoming email. Emails with infected files are rejected.
For mail
To enable the antivirus:
- Go to the Mail section →
Mail domains.
- Select the mail domain which you want to enable ClamAV scanning for and click
.
- Check the box for Enable virus scanning.
- Save the changes.
- Make sure that the ClamAV icon appears next to the email domain.
For sites
ClamAV can also be used as an antivirus for sites. Although this is possible, we do not recommend it.
To configure ClamAV as an antivirus:
- Go to the File manager section and check the boxes for the desired files and folders.
- In the drop-down menu, select Scan for viruses.
- Specify when the scan should be performed:
  - Now.
  - Check periodically — the Cron scheduler configuration window will be displayed. Specify a convenient time to start the scan.
- Save the changes.
Mail verification procedure
By default, the control panel performs the following operations:
- checks whether a sender address is on the ClamAV whitelist. At this stage, the email is not accepted or rejected based on the results of the check; the result will be used in the ClamAV and SpamAssassin checks.
- checks whether a sender address is on the Exim whitelist. If it is on the list, the email is accepted.
- checks whether a sender address is on the Exim blacklist. If it is on the list, the email is rejected.
- checks whether a sender address is on the DNSBL. If it is on the list, the email is rejected.
- checks run with the postgrey (Greylisting) utility. If the sender address is on the list (Greylisting), the email is not checked.
ClamAV and SpamAssassin:
- If the email is not in the ClamAV whitelist and is larger than 2 MB, then ClamAV virus scanning is performed.
- SpamAssassin verification. If the email size is larger than 10 Kb and the rating is low (depending on the settings), the message is rejected.
DKIM check.
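A consequence of the order above is that the Exim whitelist is consulted before the blacklist, so a blacklist rule covered by a whitelist rule never fires. The following added example (not ispmanager's own code) models only those two list checks and reports such shadowed rules; it assumes one entry per line with `#` comments and exact matching, which may differ from how the panel writes the files.

```python
# Constructed list contents; in practice these would be read from the
# whitelist and blacklist files named on this page.
WHITELIST_TEXT = "partner.example\n192.0.2.25\n"
BLACKLIST_TEXT = "# constructed sample\nspam.example\nbad@partner.example\n"


def parse_list(text):
    """Return the set of entries; assumes one entry per line, '#' comments."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def matches(entries, client_ip, sender):
    """True if the IP, the full address, or its domain is listed."""
    sender = sender.lower()
    return bool({client_ip, sender, sender.rpartition("@")[2]} & entries)


def verdict(whitelist, blacklist, client_ip, sender):
    """List checks in the order the page gives: whitelist, then blacklist."""
    if matches(whitelist, client_ip, sender):
        return "accept"
    if matches(blacklist, client_ip, sender):
        return "reject"
    return "continue"   # DNSBL, greylisting and content checks would follow


def shadowed(whitelist, blacklist):
    """Blacklist entries that can never reject because the whitelist wins."""
    out = set()
    for entry in blacklist:
        domain = entry.rpartition("@")[2]
        if entry in whitelist or ("@" in entry and domain in whitelist):
            out.add(entry)
    return sorted(out)


if __name__ == "__main__":
    wl, bl = parse_list(WHITELIST_TEXT), parse_list(BLACKLIST_TEXT)
    print(verdict(wl, bl, "198.51.100.7", "bad@partner.example"))
    print(shadowed(wl, bl))
```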