Blogging Knowledge Base

Install and Configure Email Filter Appliance (E.F.A): 2026

16/12/2025
by About the Editorial Staff
10 min read

Email is still the backbone of everyday business communication, but it’s also one of the easiest doors for spam, phishing, malware, and data leaks to slip through. If you’ve ever dealt with an inbox flooded with junk emails, fake login alerts, or suspicious attachments, you already know how costly and distracting unfiltered email traffic can be. That’s exactly where an Email Filter Appliance (E.F.A) steps in, not as a “nice-to-have” tool, but as a critical security layer for modern email systems.

An Email Filter Appliance works quietly in the background, inspecting every incoming and outgoing message before it ever reaches your mail server or users. From blocking spam and phishing attempts to scanning attachments for malware and enforcing email policies, an E.F.A helps organizations maintain clean, secure, and reliable email communication. However, installing and configuring one correctly is where many administrators struggle. A small misconfiguration can lead to blocked legitimate emails or worse, security gaps that attackers can exploit.

This step-by-step guide is written for system administrators, IT professionals, and even beginners who want a clear, practical understanding of how to install and configure an Email Filter Appliance in 2026. Instead of overwhelming you with theory, this guide focuses on real-world steps, best practices, and common mistakes to avoid.

So you can confidently deploy an E.F.A that actually works the way it should. Whether you’re setting it up for the first time or refining an existing email security setup, this guide will walk you through the process in a simple, human, and hands-on way.

What Is E.F.A and Why Use It as Your Email Gateway?

Email Filter Appliance (E.F.A) is an open-source email security gateway that sits in front of your mail server (on-premises or cloud) to block spam, phishing, and malware.

Under the hood it typically uses Postfix (MTA), Amavis, SpamAssassin, ClamAV, policy/greylisting, DKIM/DMARC, and a quarantine portal to reduce junk mail and protect users.

Install and Configure Email Filter Appliance

Deployed correctly, E.F.A improves delivery, filters malicious content, enforces TLS, and provides visibility over inbound/outbound flows. It’s a cost-effective anti-spam appliance alternative that you manage and customize to your risk profile.

Planning and Prerequisites (2026 Best Practices)

Before you install and configure Email Filter Appliance (E.F.A), align network, DNS, and server requirements. This prevents mail loops and delivery failures.

Core Requirements

  • Server/VM: 2–4 vCPU, 8–16 GB RAM, 80–200 GB SSD. More for high volume.
  • OS: RHEL-compatible (e.g., AlmaLinux/Rocky) if you’re building from packages; otherwise use the official E.F.A image/installer.
  • Network: Static public IP and resolvable FQDN (e.g., efa.yourdomain.com) with reverse DNS.
  • DNS: MX record to E.F.A, SPF include/allow for your outbound path, DKIM and DMARC for your domain.
  • Firewall: Allow TCP 25 (SMTP), 443 (admin/portal), 80 (HTTP/ACME), 587/Submission if required.
  • NTP/Time: Accurate time sync (NTP/chrony) to avoid TLS/DKIM failures.

Topology Choices

  • Inbound only: Internet → E.F.A → Your mail platform (Microsoft 365, Google Workspace, or on‑prem Exchange).
  • Full gateway: Internet ⇆ E.F.A ⇆ Your mail platform (scan inbound and relay outbound).
  • Redundancy: Two E.F.A nodes behind anycast or with MX priority.

Step-by-Step: Install E.F.A (Two Proven Paths)

Option A – Install from the Official E.F.A Image

  • Download the latest E.F.A ISO/OVA from the official project.
  • Create a new VM with recommended resources and attach the image.
  • Boot the installer, accept license, choose disk, set root password, and assign network with a static IP.
  • Reboot and note the web UI URL (HTTPS on your FQDN or IP).

This path gives you a curated, integrated stack with the E.F.A management UI, quarantine portal, and sensible defaults out of the box.

Option B – Build on a RHEL-Compatible Minimal Server

If you prefer a manual build for tighter control, install a minimal OS, then add the core components. This mirrors how E.F.A assembles Postfix, Amavis, SpamAssassin, ClamAV, OpenDKIM, and policy services. Example bootstrap:

# 1) Base OS prep (AlmaLinux/Rocky minimal)
sudo dnf -y update
sudo dnf -y install epel-release
sudo dnf -y install vim git curl wget unzip chrony policycoreutils-python-utils firewalld

# 2) Hostname and time
sudo hostnamectl set-hostname efa.yourdomain.com
sudo systemctl enable --now chronyd

# 3) SMTP stack
sudo dnf -y install postfix amavisd-new spamassassin clamav clamav-update opendkim opendkim-tools

# 4) Enable services
sudo systemctl enable --now postfix amavisd opendkim
sudo systemctl enable --now clamd@scan || true
sudo freshclam || true

# 5) Firewall
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-service=smtp
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload

Then wire Postfix to Amavis/SpamAssassin/ClamAV and OpenDKIM. E.F.A’s official build handles this for you, but manual admins may prefer explicit configs (examples below).

Initial Web Setup and Hardening

  • Access https://efa.yourdomain.com and change default admin credentials immediately.
  • Set system timezone, NTP, and alert email.
  • Add your relay domains (the domains E.F.A will accept) and internal mail servers (hosts E.F.A will forward mail to).
  • Configure outbound smarthost (if you relay outbound mail via M365/GWS/ISP).
  • Switch on quarantine digest (daily/weekly) for users to release/whitelist safely.

DNS: MX, SPF, DKIM, and DMARC

Correct DNS determines delivery success and authentication alignment. Follow this order: MX → SPF → DKIM → DMARC.

MX Record

yourdomain.com.    3600    IN    MX    10 efa.yourdomain.com.
efa.yourdomain.com. 3600   IN    A     203.0.113.10

SPF Record

Include E.F.A (if it sends) and your provider (e.g., M365/GWS). Keep SPF under 10 DNS lookups.

yourdomain.com. 3600 IN TXT "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com ~all"

DKIM Keys and DNS

Generate a DKIM key on E.F.A and publish the DNS TXT record. Typical commands (adjust paths for your build):

# Generate 2048-bit DKIM key for selector "mail2026" and domain yourdomain.com
sudo mkdir -p /etc/opendkim/keys/yourdomain.com
cd /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -b 2048 -s mail2026 -d yourdomain.com
sudo chown opendkim:opendkim mail2026.private
# Show DNS TXT content
cat mail2026.txt

Publish the TXT under mail2026._domainkey.yourdomain.com, then add mapping:

# /etc/opendkim/KeyTable
mail2026._domainkey.yourdomain.com yourdomain.com:mail2026:/etc/opendkim/keys/yourdomain.com/mail2026.private

# /etc/opendkim/SigningTable
*@yourdomain.com mail2026._domainkey.yourdomain.com

# /etc/opendkim/TrustedHosts
127.0.0.1
localhost
203.0.113.10

Restart OpenDKIM and Postfix:

sudo systemctl restart opendkim postfix

DMARC Policy

Start relaxed (p=none) while monitoring, then enforce (quarantine/reject) as alignment stabilizes.

_dmarc.yourdomain.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1; sp=none; aspf=r; adkim=r"

Postfix Integration (Inbound and Outbound)

Core Postfix-to-Amavis Wiring

# /etc/postfix/main.cf (key excerpts)
myhostname = efa.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
mydestination = localhost
relay_domains = yourdomain.com
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_banner = $myhostname ESMTP
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/ssl/certs/efa.crt
smtpd_tls_key_file  = /etc/ssl/private/efa.key
content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

# RBLs (use responsibly)
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit
# /etc/postfix/master.cf (amavis pipes)
smtp-amavis unix -  -  -  -  2  smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet n  -  n  -  -  smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes

Reload Postfix after changes:

sudo postfix check && sudo systemctl reload postfix

Outbound Smarthost (Optional)

# /etc/postfix/main.cf
relayhost = [smtp.office365.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1

# /etc/postfix/sasl_passwd
[smtp.office365.com]:587 user@yourdomain.com:app_password_or_secret

sudo postmap /etc/postfix/sasl_passwd
sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo systemctl reload postfix

Security and Policy Tuning

TLS Certificates with Let’s Encrypt

sudo dnf -y install certbot
sudo certbot certonly --standalone -d efa.yourdomain.com --agree-tos -m admin@yourdomain.com --non-interactive
# Point Postfix to fullchain/key and reload after renew
sudo crontab -e
# Add:
# 0 3 * * * certbot renew --quiet && systemctl reload postfix

SpamAssassin, ClamAV, and Greylisting

  • Spam thresholds: Lower required_score for stricter spam detection; whitelist/blacklist trusted senders.
  • Updates: Enable sa-update and freshclam via cron for rules and signature freshness.
  • Greylisting: Effective against bot spam; exclude large providers to reduce delays.
# Example SpamAssassin local config: /etc/mail/spamassassin/local.cf
required_score 4.0
rewrite_header Subject *****SPAM*****
report_safe 0
bayes_auto_learn 1

Firewall, SELinux, and SSH Hardening

  • Firewalld: Only expose 25/80/443 (and 587 if needed).
  • SELinux: Keep enforcing; add proper contexts for certificates/keys.
  • SSH: Disable password auth; use keys and fail2ban to rate-limit brute-force.
# Fail2ban quick start
sudo dnf -y install fail2ban
sudo systemctl enable --now fail2ban
sudo bash -c 'cat >/etc/fail2ban/jail.d/sshd.local <<EOF
[sshd]
enabled = true
bantime = 3600
findtime = 600
maxretry = 5
EOF'
sudo systemctl restart fail2ban

Integration Scenarios

Microsoft 365 (Exchange Online)

  • Inbound: Point MX to E.F.A → configure E.F.A to relay to your tenant’s inbound connector (yourdomain.mail.protection.outlook.com).
  • Outbound: Create a connector in M365 to accept mail from E.F.A’s public IP and relay to the Internet; set E.F.A relayhost to smtp.office365.com:587 with auth.
  • Authentication: Keep SPF including M365; DKIM signing can be done at E.F.A or M365, but avoid double signing.

Google Workspace

  • Inbound: MX → E.F.A → Google SMTP (aspmx.l.google.com and backups).
  • Outbound: Authorize E.F.A’s IP in Google admin for SMTP relay or use authenticated submission.
  • DKIM: Choose a single signing point to simplify DMARC alignment.

Monitoring, Backups, and Maintenance

  • Logs: /var/log/maillog, /var/log/maillog-*, journalctl -u postfix/amavisd/opendkim.
  • Metrics: Track queue size, rejection rates, spam hit ratio, and resource usage.
  • Backups: Capture Postfix configs, DKIM keys, SpamAssassin custom rules, and E.F.A database/quarantine as per your RPO/RTO.
  • Updates: Regular OS and package updates; test in staging if mission-critical.

Testing and Troubleshooting

  • Functional: Send a test from an external mailbox; verify headers (SPF, DKIM, DMARC) and spam score.
  • Malware/Spam: Use EICAR (malware test) and GTUBE string for SpamAssassin to confirm detections.
  • TLS: Check starttls readiness with modern TLS checks; confirm no weak ciphers are enabled.
# Quick diagnostics
postconf -n
postqueue -p
mailq
tail -f /var/log/maillog
journalctl -u postfix -u amavisd -u opendkim --no-pager

High Availability and Scalability

  • Active/Active: Deploy two E.F.A nodes; publish two MX records with equal priority or put them behind a TCP load balancer that supports SMTP.
  • Data consistency: Sync policies and DKIM keys via configuration management.
  • Scale-up: Increase cores/RAM, optimize SpamAssassin rules, and tune Postfix concurrency for large volumes.

Common Mistakes to Avoid

  • MX mispointing or missing reverse DNS causing delivery drops.
  • SPF too strict (or too many DNS lookups) resulting in softfails.
  • Double DKIM signing (E.F.A plus cloud platform) breaking DMARC alignment.
  • Open relay risk by misusing mynetworks/relay_domains.
  • Neglecting certificate renewal leading to TLS failures.

When to Choose Managed Help?

If you prefer a hands-off, hardened deployment, QloudHost can design, deploy, and manage your E.F.A gateway end to end, covering DNS, TLS, DKIM/DMARC, policies, monitoring, backups, and 24×7 incident response. This is ideal for regulated industries or teams without dedicated email security engineers.

FAQs

Is E.F.A compatible with Microsoft 365 and Google Workspace in 2026?

Yes. E.F.A works as an inbound gateway in front of M365/Google Workspace and can relay outbound mail through them. Configure connectors and SPF/DKIM/DMARC carefully, avoid double signing, and ensure your E.F.A IPs are authorized in the cloud platform.

What ports must be open for E.F.A?

Open TCP 25 inbound for SMTP, 80 for ACME/HTTP (optional), and 443 for the admin/quarantine portal. If using submission for outbound, open 587 outbound. Restrict SSH and other services to management networks only.

How do I reduce false positives without letting spam through?

Start with moderate SpamAssassin scores, enable bayesian auto-learn, add reputable DNSBLs, and use quarantine digests so users can release/whitelist. Review top senders flagged as spam and tune rules incrementally rather than making large threshold jumps.

Should DKIM be signed by E.F.A or by my cloud mail provider?

Pick one signer per domain to simplify DMARC alignment. If E.F.A relays outbound directly to the Internet, sign at E.F.A. If you always relay via M365/GWS, consider signing at the cloud provider and disable E.F.A signing for those domains.

How do I safely test malware and spam detection?

Use known-safe test signatures: EICAR for antivirus and GTUBE for SpamAssassin. Never use real malware. Send test emails from an external mailbox and verify E.F.A’s logs, quarantine behavior, and scores before going live.

Conclusion

With a solid plan, clean DNS, and careful policy tuning, you can install and configure Email Filter Appliance (E.F.A) to deliver enterprise-grade filtering in 2026.

Follow the steps above, validate with test messages, and iterate. If you want turnkey deployment and ongoing management, QloudHost is ready to help.

You may also like

Leave a Comment