
Install and Configure Email Filter Appliance (E.F.A) in 2026

To install and configure Email Filter Appliance (E.F.A), deploy the E.F.A image/ISO on a Linux compatible VM, assign a static public IP and rDNS, run the setup wizard, add your accepted domains, set your internal mail server as the relay/destination, update policies (SpamAssassin/ClamAV), and publish correct DNS (MX, SPF, DKIM, DMARC) for production mail flow.

This step by step guide shows how to install and configure Email Filter Appliance (E.F.A) in 2026, from planning and deployment to DNS, routing, security, and policy tuning. Whether you’re replacing an aging gateway or hardening a new mail stack, this tutorial takes E.F.A, a proven open source spam and virus filter, to a production ready state.


What is E.F.A and How it Works?

Email Filter Appliance (E.F.A) is an open source email security gateway built around Postfix (MTA) with filtering engines such as MailScanner, SpamAssassin, and ClamAV, plus a web UI (MailWatch) for quarantine and reports.


It sits between the internet and your mail server (Microsoft Exchange, M365 hybrid, Zimbra, Postfix/Dovecot), scanning inbound and outbound messages for spam, phishing, and malware.

  • Inbound: Internet → E.F.A (filter) → Your mail server
  • Outbound: Your mail server → E.F.A (policy) → Internet/Smart host
  • Key features: RBLs/URIBLs, SPF/DKIM/DMARC checks, antivirus, quarantine, greylisting, rate limiting

Prerequisites and Planning (2026 Ready)

Before you deploy E.F.A, plan for network, DNS, OS lifecycle, and mail routing. This avoids loops, deliverability issues, and weak security posture.

Hardware/VM Requirements

  • 2–4 vCPU, 4–8 GB RAM for 500–2,000 users (scale up with load)
  • 60–120 GB SSD storage (log retention/quarantine volume dependent)
  • 1x NIC, static IPv4; IPv6 if your mail environment supports it

Network & DNS

  • Static public IP with reverse DNS (PTR) mapping to a valid hostname (e.g., mailgw.example.com)
  • Firewall: allow TCP 25 (SMTP), 465/587 (if providing secured submission), 80/443 (ACME/Let’s Encrypt and UI)
  • Time sync (NTP) and accurate time zone for DKIM/DMARC validity

Operating System & Image

Download the latest stable E.F.A build/ISO from the official project site or mirror. Verify checksums and read the current release notes. If the build targets an older Enterprise Linux base, place the VM behind a firewall, apply all security updates, and plan for future migration when the project releases a newer base.

Mail Flow Design

  • Inbound: Internet → E.F.A → Internal mail server(s)
  • Outbound: Internal mail server(s) → E.F.A → Internet or ISP smart host
  • Recipient validation: LDAP/AD or local list to reject unknown users at SMTP time

Step-by-Step Installation

1) Prepare the VM

  • Create a new VM on Proxmox, VMware, Hyper-V, or KVM
  • Attach the E.F.A ISO/OVA and a 60–120 GB virtual disk
  • Assign static IP, gateway, DNS resolvers; reserve the IP in your router/DHCP

2) Install the OS/E.F.A Base

Boot from the ISO and follow the installer prompts. Use a strong root/admin password, set the proper timezone, and configure disk partitioning with room for logs and quarantine. After installation, reboot and log in via console or SSH.

# Set a fully qualified hostname
hostnamectl set-hostname mailgw.example.com

# Configure static IP (example; adapt to your distro tooling)
nmcli con mod eth0 ipv4.addresses 203.0.113.25/29
nmcli con mod eth0 ipv4.gateway 203.0.113.29
nmcli con mod eth0 ipv4.dns "1.1.1.1 9.9.9.9"
nmcli con mod eth0 ipv4.method manual
nmcli con up eth0

# Update packages
yum update -y || dnf upgrade -y

3) Run the E.F.A Bootstrap/Wizard

  • Accept the license and initialize required components (Postfix, MailScanner, SpamAssassin, ClamAV, MailWatch)
  • Set admin credentials for the web UI
  • Enter system hostname and primary domain
  • Enable automatic updates and signatures for antivirus/antispam

4) Verify Services

systemctl status postfix
systemctl status mailscanner
systemctl status clamd
systemctl status httpd  # or nginx, depending on build
spamassassin -V         # confirm SA version

Initial Web UI Configuration

Access https://mailgw.example.com/ (or the IP) and log in with the admin account created earlier. Navigate the dashboard to finish baseline policies.

  • Add accepted/local domains (example.com, example.org)
  • Set destination mail server(s) for inbound routing (e.g., exchange.internal:25)
  • Enable quarantine and notifications; configure digest schedules
  • Choose and enable DNSBLs/URIBLs carefully (avoid over aggressive lists)
  • Set maximum message size and attachment policies

Publish DNS: MX, SPF, DKIM, DMARC, and rDNS

Correct DNS is non negotiable for deliverability. Point MX to E.F.A, validate sending identity with SPF/DKIM, and enforce DMARC policy.

1) MX Record

; In your public DNS zone
@     3600  IN  MX   10 mailgw.example.com.
mailgw 3600  IN  A    203.0.113.25

2) SPF Record

; Authorize E.F.A's IP and any other legitimate senders
@ 3600 IN TXT "v=spf1 ip4:203.0.113.25 include:_spf.your-saas-mailer.com -all"

3) DKIM Key and DNS

Generate a DKIM keypair on E.F.A or your downstream mail server (keep private key on the signer). Publish the public key in DNS:

; Example selector "m365" or "efa"
m365._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...IDAQAB"

4) DMARC Policy

_dmarc 3600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-aggregate@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=s; aspf=s; pct=100"

5) Reverse DNS (PTR)

Ask your ISP/cloud provider to set the PTR of 203.0.113.25 to mailgw.example.com. HELO/EHLO must match a forward confirmed reverse DNS for best reputation.
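An offline lint for the SPF and DMARC values published in steps 2 and 4, added here as an example and not part of E.F.A or the original guide. The function names `lint_spf` and `lint_dmarc` are hypothetical; the checks cover the terminal `all` qualifier, the SPF limit of 10 DNS-lookup terms, and the DMARC `p`, `pct` and `rua` tags.

```shell
#!/bin/sh
# Added example: offline lint for SPF and DMARC TXT values (not E.F.A code).
# Live use: lint_spf "$(dig +short TXT example.com | tr -d '"' | grep '^v=spf1')"
note() { echo "$1"; n=$((n + 1)); }        # print a finding and count it

lint_spf() (
  set -f; rec=$1 n=0 lookups=0 last=""     # set -f: no globbing on "?all"
  case $rec in "v=spf1"|"v=spf1 "*) ;; *) note "does not start with v=spf1" ;; esac
  for term in $rec; do
    case ${term#[-+?~]} in                 # strip the qualifier before matching
      include:*|a|a[:/]*|mx|mx[:/]*|ptr|ptr:*|exists:*|redirect=*)
        lookups=$((lookups + 1)) ;;        # terms that cost a DNS lookup
    esac
    last=$term
  done
  # RFC 7208 caps lookup terms at 10; nested includes also count (not visible here)
  [ "$lookups" -le 10 ] || note "$lookups lookup terms: over the limit of 10"
  case $last in
    -all|redirect=*) ;;
    "~all") note "ends in ~all (softfail), not -all" ;;
    "?all"|+all|all) note "final '$last' does not reject any host" ;;
    *) note "no terminal all mechanism" ;;
  esac
  [ "$n" -eq 0 ] && echo ok; return 0
)

lint_dmarc() (
  set -f; rec=$1 n=0 p=""
  case $rec in "v=DMARC1"|"v=DMARC1;"*) ;; *) note "does not start with v=DMARC1" ;; esac
  IFS=';'
  for tag in $rec; do
    tag=$(printf '%s' "$tag" | tr -d ' ')
    case $tag in
      p=*) p=${tag#p=} ;;
      pct=*) [ "${tag#pct=}" = 100 ] || note "pct below 100: only a sample is enforced" ;;
    esac
  done
  case $p in
    quarantine|reject) ;;
    none) note "p=none: monitoring only, nothing is enforced" ;;
    *) note "missing or invalid p= tag" ;;
  esac
  case $rec in *rua=*) ;; *) note "no rua= address for aggregate reports" ;; esac
  [ "$n" -eq 0 ] && echo ok; return 0
)

# The records published in this guide
lint_spf 'v=spf1 ip4:203.0.113.25 include:_spf.your-saas-mailer.com -all'
lint_dmarc 'v=DMARC1; p=quarantine; rua=mailto:dmarc-aggregate@example.com; pct=100'
```

Each function prints `ok` or one finding per line, so the output can be diffed between DNS changes.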


Configure Inbound and Outbound Routing

Inbound (Internet → E.F.A → Mail Server)

  • Set your internal mail server as the destination/relay in E.F.A (host:port)
  • Enable recipient verification (VRFY/RCPT) via LDAP/AD to reject invalid users at SMTP time
  • Test by sending a message from an external mailbox and verify logs/quarantine

Outbound (Mail Server → E.F.A → Internet)

  • Point your internal mail server’s smart host to E.F.A (mailgw.example.com:25 or 587)
  • In E.F.A, set permitted sender IPs or SMTP AUTH for outbound
  • If your ISP requires a relay, configure E.F.A to route outbound via that smart host with credentials

# Example Postfix outbound on your internal mail server
relayhost = [mailgw.example.com]:25
smtp_tls_security_level = may

Enable Directory/LDAP Recipient Validation

Validating recipients against AD/LDAP blocks invalid addresses early, cutting spam and saving CPU.

  • Configure LDAP server (ldaps://dc1.example.com:636)
  • Bind DN: CN=ldap-reader,OU=Service,DC=example,DC=com
  • Base DN: DC=example,DC=com
  • Filter: search for proxyAddresses/mail attributes

(|(mail=%s)(proxyAddresses=smtp:%s)(proxyAddresses=SMTP:%s))

Tune Spam and Virus Policies

  • Enable ClamAV with frequent signature updates
  • Turn on sane RBLs/URIBLs: Spamhaus (Data Query Service), Abuse.ch, etc.
  • Greylisting: useful for small orgs; evaluate impact for high volume mail
  • Quarantine thresholds: set low false positive rate; notify users with daily digests
  • Use custom rules for brand impersonation, executable attachments, and language based patterns

# /etc/mail/spamassassin/local.cf (example)
required_score 5.0
rewrite_header Subject ***** SPAM *****
report_contact security@example.com
use_bayes 1
bayes_auto_learn 1

# Raise score for executable attachments.
# mimeheader (MIMEHeader plugin) matches the headers of each MIME part; a plain
# "header" rule only sees the top-level Content-Type (e.g. multipart/mixed).
mimeheader EXE_ATTACH Content-Type =~ /application\/(x-msdownload|x-exe|x-dosexec)/i
score      EXE_ATTACH 3.5
describe   EXE_ATTACH Executable attachment type detected

TLS, Certificates, and Secure SMTP

Use valid certificates for SMTP and the admin UI to prevent downgrade and MITM risks. Automate renewal with Let’s Encrypt if possible.

# Install certbot (example; adjust for your distro)
yum install -y certbot || dnf install -y certbot
# --standalone binds TCP 80 itself; it fails if the web server is already listening on that port
certbot certonly --standalone -d mailgw.example.com --agree-tos -m admin@example.com --non-interactive

# Postfix TLS settings
postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/live/mailgw.example.com/fullchain.pem"
postconf -e "smtpd_tls_key_file=/etc/letsencrypt/live/mailgw.example.com/privkey.pem"
# "may" is opportunistic TLS: delivery falls back to cleartext when STARTTLS is not offered
postconf -e "smtpd_tls_security_level=may"
postconf -e "smtp_tls_security_level=may"
systemctl reload postfix

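Optionally publish MTA-STS and TLS-RPT to enforce modern SMTP security and get reports. The record below enables TLS-RPT only; MTA-STS additionally needs a `_mta-sts` TXT record and a policy file served over HTTPS.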

_smtp._tls 3600 IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"

High Availability, Backup, and Updates

  • HA: Deploy two E.F.A nodes behind a TCP load balancer or DNS based load with equal MX priorities; share policy via config management
  • Avoid a secondary MX with weaker filtering; it invites spam bypass
  • Back up: MailWatch DB, Postfix/MailScanner/SpamAssassin configs, DKIM keys, and custom rules
  • Patch cadence: OS updates weekly; signature/rules daily; E.F.A releases per project guidance

Monitoring and Logs

  • MailWatch dashboard: top senders, rejected counts, quarantine trends
  • System logs: /var/log/maillog, /var/log/maillog.1, web server logs
  • Alerting: integrate with Syslog/SIEM and email alerts for service failures
  • Rate limits: watch for compromised accounts blasting outbound spam

tail -f /var/log/maillog | grep -Ei "reject|blocked|error|clam|spam"
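To act on the rate-limit point above, the following added example (not from the original guide or the E.F.A project) totals recipients per local sender per hour from Postfix `qmgr` lines and prints senders over a limit. The function names, the threshold and the log lines are constructed for illustration; it assumes traditional syslog timestamps.

```shell
#!/bin/sh
# Added example: flag local senders whose recipient count per hour exceeds a limit.
# Assumes traditional syslog timestamps ("Jan 12 09:00:01 host ...").

# burst_senders LOG DOMAIN MAX  -> lines of "<hour> <sender> <recipients>"
burst_senders() {
  awk -v dom="$2" -v max="$3" '
    /postfix\/qmgr\[/ && /from=</ && /nrcpt=/ {
      # Deferred retries re-log the same queue ID; count each ID once.
      # Short queue IDs can repeat over long periods, so run this per daily log.
      if (seen[$6]++) next
      match($0, /from=<[^>]*>/)
      sender = tolower(substr($0, RSTART + 6, RLENGTH - 7))
      suffix = "@" tolower(dom)
      if (substr(sender, length(sender) - length(suffix) + 1) != suffix) next
      match($0, /nrcpt=[0-9]+/)
      rcpts = substr($0, RSTART + 6, RLENGTH - 6) + 0
      total[$1 " " $2 " " substr($3, 1, 2) SUBSEP sender] += rcpts
    }
    END {
      for (k in total) if (total[k] > max) {
        split(k, part, SUBSEP)
        printf "%s:00 %s %d\n", part[1], part[2], total[k]
      }
    }' "$1" | sort
}

# Constructed log lines, not real traffic. The 09:20 line is a retry of 5B2C3D4E5F.
sample_log() {
  cat <<'EOF'
Jan 12 09:00:01 mailgw postfix/qmgr[2101]: 4A1B2C3D4E: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jan 12 09:05:10 mailgw postfix/qmgr[2101]: 5B2C3D4E5F: from=<bob@example.com>, size=4096, nrcpt=60 (queue active)
Jan 12 09:05:40 mailgw postfix/qmgr[2101]: 6C3D4E5F60: from=<bob@example.com>, size=4096, nrcpt=60 (queue active)
Jan 12 09:06:00 mailgw postfix/qmgr[2101]: 7D4E5F6071: from=<news@partner.test>, size=9000, nrcpt=500 (queue active)
Jan 12 09:20:00 mailgw postfix/qmgr[2101]: 5B2C3D4E5F: from=<bob@example.com>, size=4096, nrcpt=60 (queue active)
Jan 12 10:01:00 mailgw postfix/qmgr[2101]: 8E5F607182: from=<bob@example.com>, size=1024, nrcpt=5 (queue active)
EOF
}

sample_log | burst_senders - example.com 100
```

Against a real log, pass the file path instead of `-`, for example `burst_senders /var/log/maillog example.com 100`.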

Troubleshooting Common Issues

  • Mail loop: MX points to E.F.A but E.F.A relays back to itself. Fix destination host to your internal mail server IP/hostname.
  • Cannot send outbound: Blocked on port 25 by ISP/cloud. Use 587 to an authenticated smart host or request port 25 unblocking.
  • DKIM fails: Wrong selector or stale key. Regenerate and republish DNS; verify alignment with From domain.
  • High false positives: Lower SpamAssassin scores, whitelist trusted senders, tune RBLs, leverage per user training.
  • Greylisting delays: Disable for VIP domains or enable auto whitelist for reputable senders.

Security Hardening Checklist

  • Restrict SSH to management IPs; key based auth only
  • Fail2ban or equivalent on SMTP and web UI
  • Disable unused services and default accounts
  • Set HELO/EHLO to FCrDNS matching hostname
  • Block known bad countries/networks if appropriate
  • Enable DMARC enforcement (p=quarantine or p=reject) after monitoring

Run E.F.A on YouStable (Optional)

If you need clean IP reputation, rDNS setup, and guaranteed ports, deploy E.F.A on a YouStable VPS or Dedicated Server. Our managed firewall, 24×7 monitoring, and SLA backed networking help you keep mail deliverability high while you focus on policy, not plumbing.

End to End Validation Checklist

  • Inbound: External test email arrives; spam is tagged or quarantined
  • Outbound: Test message passes SPF, DKIM, and DMARC alignment
  • DNS: MX/SPF/DKIM/DMARC/PTR verified via MXToolbox or open source tools
  • TLS: STARTTLS offered; modern ciphers; TLS-RPT delivered
  • Recipient validation: Nonexistent user rejected at RCPT TO
  • Reports: Daily quarantine digests and dashboard statistics visible

FAQs

Is E.F.A still a good choice in 2026?

Yes, E.F.A remains a practical, open source email security gateway when properly maintained. Ensure you run the latest community supported build, apply OS and signature updates, and harden the VM. If you need commercial support or clustering, compare with alternatives like Proxmox Mail Gateway or cloud email security services.

What ports must be open for E.F.A?

Open TCP 25 for SMTP, 80/443 for ACME and the web UI, and optionally 465/587 if you provide secure submission. Restrict SSH (22) to management IPs only. Outbound 25/80/443 are required for sending mail and fetching updates.

Do I point MX to E.F.A or my mail server?

Point MX to E.F.A. E.F.A then relays clean mail to your internal server. This ensures all inbound mail is scanned before delivery, improving security and reducing load on your mailbox servers.

How do I prevent false positives?

Start with conservative SpamAssassin scores (e.g., 5.0), enable per user whitelists, and fine tune RBL usage. Monitor quarantines, release and train ham/spam, and adjust custom rules. Review language and attachment filters to avoid blocking legitimate workflows.

Should I run a secondary MX?

Avoid a weaker secondary MX; spammers often target it. If you need redundancy, deploy two E.F.A nodes behind a load balancer or use equal priority MX records with identical filtering and policies to prevent bypass.

With the steps above, you can install and configure Email Filter Appliance (E.F.A) confidently in 2026. Build on this baseline with continuous monitoring, rule tuning, and secure operations to maintain top tier deliverability and protection against evolving email threats.

Sanjeet Chauhan

Sanjeet Chauhan is a blogger & SEO expert, dedicated to helping websites grow organically. He shares practical strategies, actionable tips, and insights to boost traffic, improve rankings, & maximize online presence.
