E-mail server Spam and AntiVirus
From OptionC
Introduction
This is a brief add-on to the page on creating an e-mail server under Debian. It documents how virus-checking and spam-filtering can be added to your e-mail server using AMaViSd, ClamAV and SpamAssassin. Here's how we did it.
Installation
Because ClamAV is being developed far faster than the standard Debian packages would like, we used the volatile repository. Add the following line to your /etc/apt/sources.list:
deb ftp://ftp.uk.debian.org/debian-volatile/ stable/volatile main
The version (as of time of writing) of ClamAV in the regular repositories is 0.84; the version in volatile is 0.87. FreshClam still objects saying that ClamAV is outdated, suggesting that version 0.88 is much better -- probably true, but recompiling the package is outside the scope of this document.
Next perform an update:
# apt-get update
We grabbed the following packages:
# apt-get install amavisd-new clamav clamav-daemon spamassassin
This installs all sorts of other stuff, too.
With the packages installed, on to the configuration.
ClamAV
We'll start with ClamAV's configuration because it's quite simple. The problem we face is that Postfix under Debian runs in a chroot jail, so the default location of the clamd socket lies outside the jail and cannot be reached by Postfix or any process it runs.
We solve this by making a change to the configuration file, /etc/clamav/clamd.conf. Replace the LocalSocket line with one that reads:
LocalSocket /var/spool/postfix/var/run/clamav/clamd.ctl
Next, copy the /var/run/clamav directory to /var/spool/postfix/var/run:
# cp -dpR /var/run/clamav /var/spool/postfix/var/run
Finally, restart ClamAV:
# /etc/init.d/clamav-daemon restart
Since the changes made only moved the socket, the log messages should continue in /var/log/clamav/clamav.log as usual. Everything else should work fine.
SpamAssassin
The configuration for SpamAssassin is even easier; we didn't do anything.
The only thing that SpamAssassin needs (from a configuration point of view) is training. However, training SpamAssassin is outside the scope of this document.
May we recommend: http://wiki.apache.org/spamassassin/BayesInSpamAssassin
AMaViSd
To configure AMaViSd we made several changes to /etc/amavisd/amavisd.conf:
$mydomain = 'domain.name'; # This is the "master" domain; handle with care
# Next line, replace db.domain.com, dbuser and dbpasswd with appropriate values
@lookup_sql_dsn =
( ['DBI:mysql:database=maildb;host=db.domain.com;port=3306', 'dbuser', 'dbpasswd'] );
$final_virus_destiny = D_BOUNCE;
$final_banned_destiny = D_REJECT;
$final_spam_destiny = D_PASS;
Make sure the following lines are commented out:
@bypass_virus_checks_acl = qw( . );
@bypass_spam_checks_acl = qw( . );
There's one further change that needs to be made, to the @av_scanners variable. Several scanners are predefined in the file, and ClamAV is the one that isn't commented out. However, because of the chroot jail, its socket path has to change. Find the lines that look like the following:
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
You need to change the /var/run/clamav/clamd.ctl to /var/spool/postfix/var/run/clamav/clamd.ctl to match the change in clamd.conf.
Finally, reload the configuration files:
# /etc/init.d/amavis restart
You should be ready to go.
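The two socket-path edits above (the LocalSocket line in clamd.conf and the ask_daemon path in @av_scanners) have to agree, and nothing on the system checks that for you; a mismatch only shows up later as amavisd failing to reach clamd. The script below is an added example, not code from this page or from any of the projects: it applies both edits and the cp -dpR mirror step to a constructed sandbox copy of the files (so it runs without root and without touching /etc), then confirms that both daemons name the same socket. The function names (patch_clamd_socket, socket_paths_agree and the rest) are this example's own; the paths are the ones from the page, and sed, awk and cp -d are used as on GNU/Linux.

```shell
#!/bin/sh
# Added example, not from the original page. Applies the two socket-path edits
# from the ClamAV and AMaViSd sections to a constructed sandbox copy of the
# config files, mirrors the socket directory into the Postfix chroot the way
# the page does, and checks that clamd and amavisd agree on the socket path.
# All function names are this example's own; the paths are the page's.
set -eu

OLD_SOCKET=/var/run/clamav/clamd.ctl                       # Debian default
CHROOT_SOCKET=/var/spool/postfix/var/run/clamav/clamd.ctl  # inside the jail

# Apply a sed expression to a file in place (portable stand-in for sed -i).
rewrite() {                 # $1 = file, $2 = sed expression
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Replace the LocalSocket directive in clamd.conf; other lines are untouched.
patch_clamd_socket() {      # $1 = clamd.conf, $2 = new socket path
    rewrite "$1" "s|^LocalSocket .*|LocalSocket $2|"
}

# Point the 'Clam Antivirus-clamd' entry of @av_scanners at the new socket.
patch_amavis_scanner() {    # $1 = amavisd.conf, $2 = old path, $3 = new path
    rewrite "$1" "/CONTSCAN/s|\"$2\"|\"$3\"|"
}

# Print the socket path clamd will create.
clamd_socket_path() {       # $1 = clamd.conf
    awk '$1 == "LocalSocket" { print $2 }' "$1"
}

# Print the socket path amavisd will connect to (second ask_daemon argument).
amavis_socket_path() {      # $1 = amavisd.conf
    sed -n '/CONTSCAN/s|.*"\([^"]*clamd[^"]*\)".*|\1|p' "$1"
}

# Succeed only when both daemons name the same socket.
socket_paths_agree() {      # $1 = clamd.conf, $2 = amavisd.conf
    [ "$(clamd_socket_path "$1")" = "$(amavis_socket_path "$2")" ]
}

# Copy var/run/clamav into the chroot with ownership and permissions kept,
# as the page's cp -dpR does, so clamd can create the socket there.
mirror_socket_dir() {       # $1 = filesystem root (the sandbox here, / in real use)
    mkdir -p "$1/var/spool/postfix/var/run"
    cp -dpR "$1/var/run/clamav" "$1/var/spool/postfix/var/run"
}

# ---- demo against a constructed sandbox; no root needed ----
DEMO=$(mktemp -d)
CLAMD_CONF=$DEMO/etc/clamav/clamd.conf
AMAVIS_CONF=$DEMO/etc/amavisd/amavisd.conf
mkdir -p "$DEMO/etc/clamav" "$DEMO/etc/amavisd" "$DEMO/var/run/clamav"
: > "$DEMO/var/run/clamav/clamd.ctl"       # placeholder for the real socket
cat > "$CLAMD_CONF" <<'EOF'
# constructed fragment of a Debian clamd.conf
LocalSocket /var/run/clamav/clamd.ctl
LogFile /var/log/clamav/clamav.log
EOF
cat > "$AMAVIS_CONF" <<'EOF'
# constructed fragment of amavisd.conf, scanner entry as quoted on the page
@av_scanners = (
  ['Clam Antivirus-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
EOF

socket_paths_agree "$CLAMD_CONF" "$AMAVIS_CONF" && echo "before: both use $OLD_SOCKET"
patch_clamd_socket "$CLAMD_CONF" "$CHROOT_SOCKET"
# Editing only clamd.conf leaves amavisd pointing at a socket that no longer exists.
socket_paths_agree "$CLAMD_CONF" "$AMAVIS_CONF" || echo "mismatch: amavisd still uses $(amavis_socket_path "$AMAVIS_CONF")"
patch_amavis_scanner "$AMAVIS_CONF" "$OLD_SOCKET" "$CHROOT_SOCKET"
mirror_socket_dir "$DEMO"
socket_paths_agree "$CLAMD_CONF" "$AMAVIS_CONF" && echo "after: both use $CHROOT_SOCKET"
[ -e "$DEMO/var/spool/postfix/var/run/clamav/clamd.ctl" ] && echo "socket directory present inside the chroot"
```

Run as is to see the before/after check. To use the functions on a real system you would pass /etc/clamav/clamd.conf, the amavisd.conf path given above and / as the root, then restart both daemons as described.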
Testing
In order to test your AntiVirus scanning, there are two approaches: the bad one and the good one.
The bad one is to send yourself a virus. If you're careful and make no mistakes, then you'll be fine.
The good approach is to use one of the Anti-Virus test files from Eicar.org (http://eicar.org/anti_virus_test_file.htm).
Simply send an e-mail with one of the files either attached (in the case of the zip files) or directly in the e-mail (in the case of the text versions). Your mail.log file should show something like:
Jan 1 00:17:34 mail amavis[12226]: (12226-02) INFECTED (Eicar-Test-Signature),
<blah@src.domain.com> -> <blah@dest.domain.com>, quarantine virus-20060101-001733-12226-02,
Message-ID: <20060208235343.AF1761C0A8@mail.dest.domain.com>, Hits: -
Jan 1 00:17:34 mail postfix/qmgr[12206]: C44AF1C0AB: from=<>, size=2098, nrcpt=1 (queue active)
Jan 1 00:17:34 mail postfix/smtp[12278]: AF1761C0A8: to=<blah@dest.domain.com>,
relay=127.0.0.1[127.0.0.1], delay=1431, status=sent (250 2.7.1 Ok, discarded,
id=12226-02 - VIRUS: Eicar-Test-Signature)
Jan 1 00:17:35 mail postfix/cleanup[12288]: ADF801C0AC: message-id=
<20060208235615.9A3171C0AA@mail.dest.domain.com>
Jan 1 00:17:35 mail postfix/qmgr[12206]: AF1761C0A8: removed
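Reading the log by eye works for one test message; the following is an added example (not from the page) of checking the same evidence with a script, so the test can be repeated after every configuration change. It runs over constructed mail.log lines in the format shown above (one INFECTED verdict for the EICAR message and one clean message for contrast) and confirms three things: amavisd logged an INFECTED verdict for the Message-ID, recorded a quarantine file for it, and Postfix's delivery line for that amavis task id carries the "discarded" status. The function names and the sample lines are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: confirm from mail.log that a test
# message was caught, using constructed log lines in the format shown on the page.
set -eu

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 1 00:17:34 mail amavis[12226]: (12226-02) INFECTED (Eicar-Test-Signature), <blah@src.domain.com> -> <blah@dest.domain.com>, quarantine virus-20060101-001733-12226-02, Message-ID: <20060208235343.AF1761C0A8@mail.dest.domain.com>, Hits: -
Jan 1 00:17:34 mail postfix/smtp[12278]: AF1761C0A8: to=<blah@dest.domain.com>, relay=127.0.0.1[127.0.0.1], delay=1431, status=sent (250 2.7.1 Ok, discarded, id=12226-02 - VIRUS: Eicar-Test-Signature)
Jan 1 00:17:35 mail postfix/qmgr[12206]: AF1761C0A8: removed
Jan 1 00:20:01 mail amavis[12226]: (12226-03) Passed CLEAN, <alice@src.domain.com> -> <bob@dest.domain.com>, Message-ID: <20060208235900.B11111C0B0@mail.dest.domain.com>, Hits: 0.3
Jan 1 00:20:01 mail postfix/smtp[12278]: B11111C0B0: to=<bob@dest.domain.com>, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.6.0 Ok, id=12226-03, from MTA: 250 Ok: queued as 9A3171C0AA)
EOF

# Number of amavis INFECTED verdicts in the log (awk so an empty result is 0, not an error).
infected_count() {          # $1 = log file
    awk '/amavis\[[0-9]+\]: \([0-9-]+\) INFECTED/ { n++ } END { print n + 0 }' "$1"
}

# The amavis task id, e.g. 12226-02, that handled a given Message-ID.
amavis_task_id() {          # $1 = log file, $2 = Message-ID with angle brackets
    awk -v mid="$2" 'index($0, "Message-ID: " mid) { id = $6; gsub(/[()]/, "", id); print id }' "$1"
}

# The quarantine file name recorded on the INFECTED line for a Message-ID.
quarantine_for() {          # $1 = log file, $2 = Message-ID with angle brackets
    awk -v mid="$2" 'index($0, "Message-ID: " mid) && /INFECTED/ {
        for (i = 1; i <= NF; i++) if ($i == "quarantine") { sub(/,$/, "", $(i + 1)); print $(i + 1) }
    }' "$1"
}

# Succeed when Postfix logged the amavisd "discarded" response for that task id,
# i.e. the message went through the content filter and was dropped, not delivered.
postfix_discarded() {       # $1 = log file, $2 = amavis task id
    grep -q "postfix/smtp\[[0-9]*\]: [0-9A-F]*: .*status=sent (250 2.7.1 Ok, discarded, id=$2 " "$1"
}

# ---- demo ----
MID='<20060208235343.AF1761C0A8@mail.dest.domain.com>'
echo "INFECTED verdicts in log: $(infected_count "$LOG")"
TASK=$(amavis_task_id "$LOG" "$MID")
echo "amavis task $TASK quarantined the message as $(quarantine_for "$LOG" "$MID")"
if postfix_discarded "$LOG" "$TASK"; then
    echo "Postfix recorded the discard for task $TASK: the scanner is working"
else
    echo "no discard record for task $TASK: check the clamd socket path and restart amavisd"
fi
```

On a real server, replace the heredoc with the path to /var/log/mail.log and the Message-ID of the message you sent; a missing "discarded" line for a message that amavisd marked INFECTED is the symptom to look for when the socket paths in the two config files disagree.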
Recommended Reading
- Training SpamAssassin (http://wiki.apache.org/spamassassin/BayesInSpamAssassin)
- Tutorial: ISP-style Email Service with Debian-Sarge and Postfix 2.1 (http://workaround.org/articles/ispmail-sarge/)