postfix mail filtering with amavisd-milter - works!

Simon Hobson linux at
Thu Jan 31 11:24:06 CET 2013

Jo Rhett wrote:
>First, I found that all of the published recipes for spam containment with postfix are bogus.
> They either create back-scatter, or they drop messages which hit the filter instead of rejecting them
> in the SMTP session like they are supposed to. So if something is a false positive, the far side will never
> know it happened.

Yep, nearly all the howtos etc use after-queue scanning.

>So I've done some testing and work, and I currently have postfix using amavisd-milter as a before-queue
> spam test, which properly rejects spam during the SMTP session. This solves both of the previous
> problems and brings postfix users closer to being a proper mail gateway. I believe very strongly that this
> recipe should replace the existing documentation, to avoid sending new users out to become backscatters.

Yes, it works very nicely. I've been running this setup for a couple of years now. It was made a lot easier when the amavisd-milter package appeared in Debian. I agree the setup could do with being made more prominent.
The main downside, as the various docs that discuss it mention, is that you can end up needing significant processing capability to deal with peak influx of email.

I've also added Policyd (aka Cluebringer), which rather nicely handles per-SASL-login quotas/throttling of outbound traffic (we provide the servers for customers to use as a relay as well). Just last week we shoved a customer on that sends bulk mails out to several thousand people at a time, and several times a week - it was nice to see Policyd just throttling them down to a sane message rate rather than swamping the system as happened on the older box I run.

>I'm still working out a few details: namely, how to get the permissions right on the amavisd-milter socket. As soon as that is sorted I'll provide documentation. 
>Hint: there's no mystery here. I installed amavisd-milter as documented and pointed postfix at it :-)

I can't remember now if I had to modify anything, but in the init script in Debian I see it has :
 if [ "$MILTERSOCKETTYPE" = "pipe" ]; then
  if [ "$MILTERSOCKETOWNER" ]; then
  if [ "$MILTERSOCKETMODE" ]; then

And in /etc/default/amavisd-milter it has :
# Set these two options if you want the socket to have
# special permissions (usefull mainly for postfix).

I set this up initially under Debian Squeeze, it's now running Wheezy.
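
Added example, not part of the original message or the Debian package: a small POSIX shell audit for the socket-permission question discussed above. It checks that the milter socket exists, is a socket, and carries the owner and mode you configured through MILTERSOCKETOWNER and MILTERSOCKETMODE. The function names, the placeholder path and the postfix:postfix / 0660 values in the usage comment are assumptions, and it relies on GNU stat as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit owner and mode of the amavisd-milter socket.
# Assumes GNU stat (stat -c). Expected owner/mode are whatever you set
# in MILTERSOCKETOWNER / MILTERSOCKETMODE.

# socket_verdict OWNER MODE WANT_OWNER WANT_MODE
# Pure comparison; prints exactly one verdict word.
socket_verdict() {
    sv_owner=$1; sv_mode=$2; sv_want_owner=$3; sv_want_mode=$4
    # Any "other" permission bit is more access than the MTA needs on
    # the filter socket, so flag it before the owner and mode checks.
    if [ $(( 0$sv_mode & 07 )) -ne 0 ]; then
        echo "world-accessible"
    elif [ "$sv_owner" != "$sv_want_owner" ]; then
        echo "owner-mismatch"
    elif [ $(( 0$sv_mode )) -ne $(( 0$sv_want_mode )) ]; then
        echo "mode-mismatch"
    else
        echo "ok"
    fi
}

# audit_socket PATH WANT_OWNER WANT_MODE
# Prints "PATH: verdict"; returns 0 only when the verdict is "ok".
audit_socket() {
    as_sock=$1
    if [ ! -e "$as_sock" ]; then
        as_verdict="missing"
    elif [ ! -S "$as_sock" ]; then
        as_verdict="not-a-socket"
    else
        as_verdict=$(socket_verdict "$(stat -c '%U:%G' "$as_sock")" \
            "$(stat -c '%a' "$as_sock")" "$2" "$3")
    fi
    echo "$as_sock: $as_verdict"
    [ "$as_verdict" = "ok" ]
}

# Usage (placeholder path and assumed values; substitute your own):
#   audit_socket /path/to/amavisd-milter.sock postfix:postfix 0660
```

Postfix also needs search permission on every directory leading to the socket, so a correct owner and mode on the socket itself is necessary but not sufficient.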
