Virtualmin Pro allows you to enable spam and virus scanning on a per-virtual-server basis, and to configure what happens to email classifies as spam or virus-laden. Under the hood, it uses the popular SpamAssassin http://spamassassin.apache.org/ package for spam detection, and ClamAV http://www.clamav.net/ for viruses.

SpamAssassin assigns each message it scans a score indicating how spammy it is, based on the content and servers it was sent from. Typically, anything with a score above 5 is regarded as most likely spam. ClamAV however just compares the message contents with a database of know virus signatures, and reports if any were found or not.

In a typical Virtualmin Pro install, you can enable filtering for a new or existing virtual server by just selecting the Spam filtering enabled? and Virus filtering enabled? checkboxes in the features section of the Create or Edit Virtual Server page.

If they do not appear, make sure that these features are enabled globally on your system. This can be done as follows :

1. Login as root, open the System Settings category on the left menu, and click on Features and Plugins.
2. Check the boxes next to Spam filtering and Virus filtering.
3. Click Save. If you see any error messages about SpamAssassin or ClamAV not being installed, you'll need to install their packages on your system first.

Internally, Virtualmin creates an /etc/procmailrc file that in turn runs a Procmail include file under /etc/webmin/virtual-server/procmail, depending on the domain to which each email received is sent. This then invokes the spamassassin and clamscan commands, then uses their output to decide if email should be delivered to a special folder or deleted.

SpamAsssassin is run with command-line parameters that tell it to use configuration files under /etc/webmin/virtual-server/spam, which can be different for each domain. This way, domain owners can customize their own SpamAssassin rules, spam levels and message modification settings.

By default, email classified as spam as delivered to the ~/Maildir/.spam file under each user's home directory. This shows up as a folder named spam in users' mail clients, and in Usermin. Email that is detected as containing viruses is deleted by default, as virus detection is almost 100% accurate.

However, you can change these destinations on a per-domain basis using Virtualmin. Some users may prefer that spam be deleted outright, or delivered normally so that it can be filtered by their mail clients. To change the delivery rules, the steps to follow are :

1. Login to Virtualmin as root or as the domain owner.
2. Select the domain from the left menu.
3. Open the Server Configuration category, and click on Spam and Virus Delivery.
4. Change the Destination for spam emails and for virus emails to whatever you want.
5. Click Save. The changes will take effect for email delivered from now on.

In Virtualmin versions 3.54 and above, you can select to have email whose virus score is above some threshold deleted instead of being delivered to a spam folder. This can be used to stop the delivery of messages that are obviously spam, saving on disk spam and the bandwidth used to download them.

To delete high-scoring spam, just follow the steps above and set the Delete spam if score is above field to some number like 10.

If you have spam and virus delivery destinations that you want used for all new domains, you can set them as follows :

1. Login to Virtualmin as root.
2. Open the System Settings category on the left menu, and click on Module Config.
3. Select the Spam filtering options section.
4. Change the Default delivery for spam and for viruses to whatever you want.
5. Click Save.

To make changes for all existing domains, use the modify-spam.pl command-line API script.

If Virtualmin is configured to deliver spam to a separate folder for each user, this can end up consuming a lot of disk space and disk quotas. To keep usage down, it is possible have Virtualmin automatically delete users' spam that is more than a certain number of days old, or is taking up more than some amount of disk space.

To set this up for a single domain, the steps to follow are :

1. Select the domain from Virtualmin's left menu.
2. Open the Server Configuration category, and click on Spam and Virus Delivery.
3. In the Automatically delete spam? field, select Yes, if older than and enter a number of days into the adjacent text box. I suggest 5 days, which is more than enough time for users to periodically check their spam folders for false positives.
4. Click Save.

If you prefer to delete based on disk usage, select Yes, when mailbox exceeds instead and enter a maximum size for the spam folder. When this is exceeded, messages will be deleted oldest first until it is smaller than the specified size.

The default setting for new virtual servers can be set on the Module Config page in the Spam filtering options section. To make changes for all existing domains, use the modify-spam.pl command-line API script.

By default, Debian 4.0 (Etch) comes with ClamAV packages that are out of date and buggy. The most common symptom of this is very slow virus scanning, and high CPU load from clamscan or clamd. However, there is a fix - you can update to a newer ClamAV version from the Debian volatile repository, at http://www.debian.org/volatile/

To use the volatile repository, SSH into your system as root and edit /etc/apt/sources.list. At the bottom, add the line :

deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free

Then update ClamAV packages with the commands :

apt-get update
apt-get install clamav clamav-base clamav-daemon clamav-freshclam

In the default Virtualmin configuration, each email received is processed with the clamscan command to check if it contains viruses. Unfortunately, this can take anywhere from seconds to minutes to run, particularly on VPS systems that have limited IO bandwidth or CPU resources. Most of this time is spent loading the virus database, which is continually growing as new viruses are found by the ClamAV authors.

Slowness running clamscan can cause email delivery to be delayed by several minutes, during which messages stay in the Postfix mail queue. It can also lead to high CPU load on the system, which then slows down other services like Apache or MySQL.

Fortunately, there is a fix - the clamd server process, which loads the virus database just once and then stays running. When email arrives, the clamdscan command connects to it, passes over the message to be scanned, then reads back the results. This typically only takes a seconds, even on a system with limited resources.

If your system is receiving a large amount of email, I recommend the use of clamd. It probably isn't worth running on a system used primarily as a web server though, as it consumes about 64M of RAM at all times.

To enable the use of the ClamAV server process, follow these steps :

1. Login to Virtualmin as root.
2. Open the Email Messages category on the left menu, and click on Spam and Virus Scanning.
3. At the bottom of the page you should see a button labelled Enable ClamAV Server - click it. If the button isn't visible, this means that Virtualmin doesn't know how to configure clamd on your operating system, and you will need to do it manually.
4. After clicking, check the messages that appear to make sure that no errors were reported. If all went well, return to the Spam and Virus Scanning page.
5. Change the Virus scanning program to Server scanner (clamdscan) , and click Save.

Virtualmin will check if clamd and clamdscan are working properly, and if so configure all virtual servers to use it for virus classification from now on.

If Virtualmin reports that the clamscan command is not working on your system, here are some things to try :

• Run freshclam to download the virus database. On some systems, the standard ClamAV packages do not include any virus data files, so clamscan cannot run.
• Remove the Example line from /etc/freshclam.conf. On some systems this line exists by default, to intentionally prevent freshclam from running!
• Make sure that the virus database path in /etc/clamd.conf matches the directory updated by freshclam. If not, clamd will not start due to the lack of data files.

SpamAssassin and ClamAV can use up a lot of CPU time, which on a system that receives a lot of email can significantly slow down email processing. However, it is possible to move some of this load to a separate system, by making use of spamd and clamd, the SpamAssassin and ClamAV server processes.

These can be run on one or two other systems on your network, and Virtualmin on the master system that actually receives email configured to offload scanning to them.

In the instructions below, serverip is the IP address of the system that will be running spamd, and virtualminip is the IP of the Virtualmin machine.

1. Login to the system you want to run spamd on as root
2. Install SpamAssassin with :

   yum install spamassassin

3. Edit the file /etc/sysconfig/spamassassin and add the following to the SPAMDOPTIONS line :

   -i serverip -A virtualmin-ip

   An example file would look like :

   # Options to spamd
   SPAMDOPTIONS="-d -c -m5 -H -i 193.9.101.242 -A 193.9.101.104"

4. Run the following commands to start spamd :

   /etc/init.d/spamassassin restart
   chkconfig spamassassin on

1. Login to the system you want to run spamd on as root
2. Install SpamAssassin with :

   apt-get install spamassassin

3. Edit the file /etc/default/spamassassin , and change the line ENABLED=0 to ENABLED=1.
4. In the same file, add the following to the OPTIONS line :

   -i serverip -A virtualmin-ip

   An example completed line would look like :

   OPTIONS="--create-prefs --max-children 5 --helper-home-dir -i 193.9.101.120 -A 193.9.101.104"

5. Run the following commands to start spamd :

   /etc/init.d/spamassassin restart
   update-rc.d -f spamassassin defaults

Once spamd is running on the remote system, you can configure Virtualmin to use it as follows. Note that this will prevent domains and mailboxes from having their own SpamAssassin rules, unless you setup spam to fetch them from a MySQL or LDAP database .

1. Login to Virtualmin as root, and go to Email Messages → Spam and Virus Scanning.
2. Change the SpamAssassin client program menu to spamc.
3. Set the Server host for spamc to the IP address of the remote server you setup above.
4. Click Save.

Now try sending email to a mailbox in one of the domains with spam filtering enabled on your Virtualmin server, and check if SpamAssassin X-Spam headers are added. If not, check /var/log/mail* on both the Virtualmin and spam scanning systems for error messages, and /var/log/procmail.log.

The easiest way to setup clamd is to use Virtualmin's built-in support for configuring it. The steps to do this are :

1. Install Virtualmin GPL or Pro on the system to be used for running clamd. You don't need to create any domains, or run any other servers like MySQL or Postfix.
2. Login to the new Virtualmin, and go to Email Messages → Spam and Virus Scanning.
3. Click the Enable ClamAV Server button.
4. SSH into the system as root, and edit the file /etc/clamd.conf and make sure the line TCPSocket 3310 exists and is not commented out.
5. Also make sure the line TCPAddr 127.0.0.1 does not exist or is commented out.
6. Run the command /etc/init.d/clamd-virtualmin restart or /etc/init.d/clamd restart to apply the configuration changes.

Unfortunately, the executables provided as part of the ClamAV package do not seem to support connecting to a remote server. However, the clamd-stream-client program can do this, and can be used by Virtualmin versions 3.63 and later. You can download it from : https://sourceforge.net/projects/clamd-stream-cl/

Once you have the clamd-stream-client-1.3.tar.gz file on your Virtualmin system, it can be compiled and installed with the commands :

tar xvzf clamd-stream-client-1.3.tar.gz
cd clamd-stream-client-1.3
./configure
make
make install

You can now configure Virtualmin 3.63 or later to use it as follows :

1. Login to Virtualmin as root, and go to Email Messages → Spam and Virus Scanning.
2. Change the Virus scanning program to Remote server scanner
3. In the Server host for clamd-stream-client field, enter the hostname of the system running Clamd that you setup in the previous section.
4. Click Save.

Assuming that clamd-stream-client works and can contact the remote system, it will be enabled and used for virus scanning for all domains.

Sometimes email to users that really should be considered spam is missed by SpamAssassin, and other times valid email is mis-classifies as spam. To correct this, SpamAssassin can be trained by submitting to it messages that really should be considered spam or non-spam.

For mailbox users who read email via Usermin, this is easy - there are buttons for submitting one or many emails to SpamAssassin for learning. However, this is not available for users who download and read email via a separate client like Outlook or Thunderbird.

Fortunately, Virtualmin 3.64 introduced a solution - email addresses in each domain like spamtrap@example.com and hamtrap@example.com, to which spam and non-spam email can be forwarded. Messages to this addresses will be processed hourly by Virtualmin and added to the SpamAsssassin learning databases for their senders.

For an existing virtual server, these special addresses can be enabled as follows :

1. Select the domain from the left menu, open the Server Configuration category and click on Spam and Virus Delivery.
2. Change the Create spamtrap and hamtrap email aliases? option to Yes, and click Save.

Alternately, you can enable these addresses for all existing virtual servers by SSHing into the system as root and running the command :

  virtualmin modify-spam --all-domains --spamtrap

If you want the spamtrap and hamtrap addresses created for all new virtual servers, do the following :

1. Login to Virtualmin as root, open the System Settings menu and click on Server Templates.
2. Click on the Default Settings template, then select Spam filtering from the menu.
3. Change the Create spamtrap and hamtrap aliases? option to Yes, then click Save.

Virtualmin is best able to pass email to SpamAssassin for learning if it is sent to the spamtrap address as an attachment, rather than just by forwarding a quoted message. In most mail clients, this is done by selecting one or more emails from the mail list and then forwarding them all at once. This way the entire contents of the spam is preserved.

Virtualmin can be configured to add the From: addresses from spam submitted to it to the domain's SpamAssassin blacklist. Similarly, it can add the addresses of senders whose email is being incorrectly classified as spam to the domain's whitelist.

To enable these features, do the following :

1. Login to Virtualmin as root', open the System Settings menu and click on Module Config.
2. Select the Spam filtering options category, and change one or both of the Add senders of spam sent to spamtrap to blacklist? or Add senders of non-spam sent to hamtrap to whitelist? to Domain level.
3. Click Save. Spam and Ham submitted from now on will update the blacklists and/or whitelists.

Automatic additional to the blacklist is a risky feature to enable though, as forged email from attackers who are not users of your domains can be sent to the spamtrap address and thus add potentially valid addresses to the blacklist.

Greylisting is a method for reducing spam by temporarily rejecting email from a remote mail server the first time it attempts to connect. Real mail servers will queue the message and re-try it a few minutes later, at which time your mail server will accept the message. However, spammers don't generally run real mailservers or re-try, so their messages will never be delivered.

Greylisting can be enabled in Virtualmin as follows :

• Install Postgrey by SSHing into your system as root and running the commands :

  yum install postgrey || apt-get install postgrey
  /etc/init.d/postgrey start

• Login as root , open the Email Messages category and click on Email Greylisting.
• Click on Enable Greylisting to activate it.

Once enabled, you can use the Email Greylisting page to view and edit remote mail servers and local recipients who are excluded from greylisting and always get their mail delivered immediately.

You can turn off greylisting at any time by clicking the Disable Greylisting button on the same page.