Mail gateway server with amavis on CentOS 8

Thu Dec 17 11:31:20 CET 2020

Hello,

I have been using a mail gateway with postfix/amavis/clamav/spamassassin 
for many years on CentOS 6.

I am now struggling to build a new system on CentOS 8 with the same 
components (and the same configuration) to replace the original one, but 
it is quite different from the original, so I will appreciate your guidance.

(Packages were installed from EPEL.)

I am trying to follow online tutorials, which are different between them 
and differ from my original setup as well, so I am confused.

Some important questions:

1. Originally, I have used amavis as the interface to spamassassin. 
However, current tutorials seem to suggest a direct call of spamassassin 
by postfix using spamass-milter.

Here is an example of such a tutorial:

    https://www.linuxbabe.com/mail-server/amavis-clamav-centos-8-rhel-8

    https://www.linuxbabe.com/redhat/spamassassin-centos-rhel-block-email-spam

So, what is the suggested practice? In my original amavisd.conf (which I 
am now migrating), I had:

    $sa_tag_level_deflt  = -999;
    $sa_tag2_level_deflt = 3.4;
    $sa_kill_level_deflt = 5.2;
    $sa_dsn_cutoff_level = 9;
    $sa_crediblefrom_dsn_cutoff_level = 10;
    $sa_mail_body_size_limit = 400*1024;
    $sa_spam_subject_tag = '* Spam ? * ';

It seems to me architecturally better to use spamassassin from within 
amavis (because amavis remains the main/central control point).

Does this incur a penalty in SA functionality, effectiveness or performance?

2. If I use spamassassin through amavis, how do I enable bayes filtering?

Since $MYHOME = '/var/spool/amavisd', would it be enough to create 
therein a .spamassassin directory (with amavis:amavis owner) and train 
filter?

In my original (CentOS 6) system, I would do:

# su amavis
sh-4.1$
sh-4.1$ sa-learn --dbpath '/var/amavis/var/.spamassassin' --spam 
/var/amavis/reported-spam

In CentOS 8 I would attempt the same (with adjusted paths) but I cannot 
even change user (which is required, since operations and db should be 
owned by amavis:

    # su amavis
    This account is currently not available.

How should I proceed?

Please advise.

3. I think I should enable sa-update. Shouldn't I?

    If the answer is yes, then would it be enough to set:

        SAUPDATE=yes

    in /etc/sysconfig/sa-update

    ...?

How does this work? I don't see any cron job nor any active sa-update 
service. There exists an sa-update service and I can start it:

    systemctl start sa-update

but it cannot get enabled (for auto start with OS); If we try to enable, 
a message states: "The unit files have no installation config" etc..

Yet, in /etc/sysconfig/sa-update, we read about the SAUPDATE=yes 
setting: "Run sa-update even if no daemon is detected".

Does this daemon refer to sa-update (which means that we don't have to 
run it)?

Please help me with the above!

Thanks in advance,
Nick