Email Security – Qmail with Spamassassin, Clamav, Qmail-scanner

Posted on November 25, 2010

0



0. Specification of the test enviroment

0.1 Softwares

Tested Operating Systems 1. OpenSUSE 11.0
2. Fedora 9
Kernel versions Linux linux-jnwt 2.6.25.20-0.1-pae #1 SMP 2008-12-12 20:30:38 +0100 i686 i686 i386 GNU/Linux
Mail server netqmail-1.06.tar.gz
ucspi-tcp-0.88.tar.gz
daemontools-0.76.tar.gz
AntiVirus clamav-0.94.2.tar.gz
Spamfilter Mail-SpamAssassin-3.2.5.tar.gz
Mail scanner qmail-scanner-2.05.tgz
maildrop-2.0.4.tar.bz2
DNS djbdns-1.05.tar.gz

In my test the folder for all downloaded files was /usr/local/src/. Exception the daemontools that is in /package.
This is not a detailed documentation, that means you should read install guides as well.
Generally all package has a file called INSTALL or README. That makes your life and people you would ask easier.
I used wget to download all the packages, but I was behind a proxy (that required no AUTH)
As the first step I had to setup wget to use proxy.

Wget setup:

http_proxy = http://x.y.v.z:3128/
ftp_proxy = http:// x.y.v.z:3128/
use_proxy = on

0.2 Setup access to the Mail Gateway

IP Address: <IP> <Mask>
DF GW: <IP>
Username:  …
Password: …

Change the ssh port to something different, I always use port 66623 for all my servers, hosts.
(Don’t believe it and choose what you want over 1024)

linux-jnwt:/ # vi /etc/ssh/sshd_config
Port 66623

1. Qmail Installation with Maildir

RTFM I used can be found here: http://www.lifewithqmail.org/lwq.html
If you want to say goodbye for qmail here is a quick howto DELETE QMAIL: http://whatislinux.net/how-do-i-compleetly-remove-qmail

1.1 Requirements

You should read them carefully:

http://www.lifewithqmail.org/lwq.html#preparation
http://www.lifewithqmail.org/lwq.html#system-requirements

1.2 Download sourcecode for qmail and stuff

linux@linux-jnwt:~> su
linux-jnwt:/home/linux # umask 022
linux-jnwt:/home/linux # mkdir -p /usr/local/src
linux-jnwt:/home/linux # cd /usr/local/src
linux-jnwt:/usr/local/src # wget http://www.qmail.org/netqmail-1.06.tar.gz
linux-jnwt:/usr/local/src # wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
linux-jnwt:/usr/local/src # mkdir -p /package
linux-jnwt:/usr/local/src # cd /package
linux-jnwt:/package # wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
linux-jnwt:/package # chmod 1755 /package

1.3 Extract sourcecodes

linux-jnwt:/package # cd /usr/local/src
linux-jnwt:/usr/local/src # gunzip netqmail-1.06.tar.gz
linux-jnwt:/usr/local/src # tar xpf netqmail-1.06.tar
linux-jnwt:/usr/local/src # gunzip ucspi-tcp-0.88.tar.gz
linux-jnwt:/usr/local/src # tar xpf ucspi-tcp-0.88.tar
linux-jnwt:/usr/local/src # cd /package
linux-jnwt:/package # gunzip daemontools-0.76.tar.gz
linux-jnwt:/package # tar xpf daemontools-0.76.tar

1.4 Create folder for qmail

linux-jnwt:/package # mkdir /var/qmail

1.5 Create required users and groups

For these users should we allow the following shells, as they will never login and so on…

/false – http://www.manpagez.com/man/1/false/
/nologin – http://www.manpagez.com/man/8/nologin/
/true – http://www.manpagez.com/man/1/true/

With Opensuse I used /sbin/nologin.

linux-jnwt:/usr/local/src/netqmail-1.06 # export PATH=$PATH:/usr/sbin:/sbin
linux-jnwt:/package # cd /usr/local/src/netqmail-1.06
linux-jnwt:/usr/local/src/netqmail-1.06 # cp INSTALL.ids IDS
linux-jnwt:/usr/local/src/netqmail-1.06 # vi IDS
groupadd nofiles
useradd -g nofiles -d /var/qmail/alias alias -s /sbin/nologin
useradd -g nofiles -d /var/qmail qmaild -s /sbin/nologin
useradd -g nofiles -d /var/qmail qmaill -s /sbin/nologin
useradd -g nofiles -d /var/qmail qmailp -s /sbin/nologin
groupadd qmail
useradd -g qmail -d /var/qmail qmailq -s /sbin/nologin
useradd -g qmail -d /var/qmail qmailr -s /sbin/nologin
useradd -g qmail -d /var/qmail qmails -s /sbin/nologin
linux-jnwt:/usr/local/src/netqmail-1.06 # chmod 700 IDS
linux-jnwt:/usr/local/src/netqmail-1.06 # ./IDS

1.6 Download and add patches and compile Netqmail

Qmail Patches I used:

  1. Validrcptto: http://qmail.jms1.net/patches/validrcptto.cdb.shtml
  2. Djbdns: http://cr.yp.to/djbdns.html

Have you read the links?

There is a lot of patches available apart from those 2 I choosed:
http://qmail.internet-trendsetting.de/top.html#addons

1.6.1 Djbdns install

linux-jnwt:/ # cd /usr/local/src/
linux-jnwt:/usr/local/src # wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
linux-jnwt:/usr/local/src # gunzip djbdns-1.05.tar
linux-jnwt:/usr/local/src # tar -xf djbdns-1.05.tar
linux-jnwt:/usr/local/src # cd djbdns-1.05
linux-jnwt:/usr/local/src/djbdns-1.05 # echo gcc -O2 -include /usr/include/errno.h > conf-cc
linux-jnwt:/usr/local/src/djbdns-1.05 # make
linux-jnwt:/usr/local/src/djbdns-1.05 # make setup check —> install the djbdns programs under /usr/local
linux-jnwt:/usr/local/src/djbdns-1.05 # cd..

1.6.2 Validrcptto install

As you have red the links I mentioned this validrcptto allows mails only if the recipient is known. All recipient can be held in a database locally, saving time to ask every time the User Directory. There is a lot of possibilities to collect mail recipients. We can download it from LDAP server or from local system or from a text file and so on… Here I use a local user collection and text file method.

Requirements:
– Query, download and build perl modules from CPAN sites:
perl-CPAN.i386
– GNU tool which simplifies the build process for users:
make.i386 : A GNU tool which simplifies the build process for users [My version 3.81-12.fc9]
– GNU Compiler Collection:
gcc.i386 : Various compilers (C, C++, Objective-C, Java, …) [My version 4.3.0-8]

linux-jnwt:/usr/local/src # wget http://qmail.jms1.net/patches/netqmail-1.05-validrcptto.cdb.patch
linux-jnwt:/usr/local/src # cp netqmail-1.05-validrcptto.cdb.patch /usr/local/src/netqmail-1.06
linux-jnwt:/usr/local/src # cd /usr/local/src/netqmail-1.06
linux-jnwt:/usr/local/src/netqmail-1.06 # patch < ../netqmail-1.05-validrcptto.cdb.patch
patching file Makefile
patching file qmail-smtpd.c
linux-jnwt:/home/linux # cd /usr/local/src
linux-jnwt:/usr/local/src # wget http://cr.yp.to/cdb/cdb-0.75.tar.gz
linux-jnwt:/usr/local/src # tar xvzf cdb-0.75.tar.gz
linux-jnwt:/usr/local/src # cd cdb-0.75/
linux-jnwt:/usr/local/src/cdb-0.75 # make
./compile cdb.c

When we got a problem:
linux-jnwt:/usr/local/src/cdb-0.75 # vi error.h
Before:
extern int errno;
After:
/* extern int errno; */
#include <errno.h>
linux-jnwt:/usr/local/src/cdb-0.75 # make
./compile cdb.c

linux-jnwt:/usr/local/src/cdb-0.75 # make setup check
./install
./instcheck
linux-jnwt:/usr/local/src/cdb-0.75 # perl -MCPAN -e shell
cpan[1]> install CDB_File
cpan[2]> exit

Create validrcptto.cdb DataBase from local users (on this Linux System):

Source Link:
http://qmail.jms1.net/scripts/mkvalidrcptto.shtml

linux-jnwt:/usr/local/src # cd /usr/local/bin
linux-jnwt:/usr/local/bin # wget http://qmail.jms1.net/scripts/mkvalidrcptto
linux-jnwt:/usr/local/bin # chmod 755 mkvalidrcptto
linux-jnwt:/usr/local/bin # perl -c /usr/local/bin/mkvalidrcptto
/usr/local/bin/mkvalidrcptto syntax OK
linux-jnwt:/usr/local/bin # less /usr/local/bin/mkvalidrcptto à That should you read not just run…
linux-jnwt:/usr/local/bin # mkvalidrcptto -c validrcptto.cdb
linux-jnwt:/usr/local/bin # mv validrcptto.cdb /var/qmail/control/

Create validrcptto.cdb DataBase from txt file:

linux-jnwt:/usr/local/bin # cd /var/qmail/control
linux-jnwt:/usr/local/bin # wget http://qmail.jms1.net/scripts/adexport-go
linux-jnwt:/usr/local/bin # wget http://qmail.jms1.net/scripts/adexport.txt
linux-jnwt:/usr/local/bin # mv adexport-go adexport-go.sh
linux-jnwt:/usr/local/bin # mv adexport.txt adexport.pl
linux-jnwt:/usr/local/bin # chmod 755 adexport*
linux-jnwt:/usr/local/bin # vi adexport-go.sh
2 changes I have used:
1.
#./adexport.pl | grep -v ‘^systemmailbox{‘ | sort > validrcptto.new
2.
#mv validrcptto.new validrcptto.txt
cp validrcptto.new validrcptto.txt
linux-jnwt:/usr/local/bin # vi validrcptto.new
…Here I have adde users / recipients/.
linux-jnwt:/usr/local/bin # sh adexport-go.sh

1.6.3 Compile Netqmail

linux-jnwt:/home/linux # cd /usr/local/src/netqmail-1.06/
linux-jnwt:/usr/local/src/netqmail-1.06 # make setup check
linux-jnwt:/usr/local/src/netqmail-1.06 # ./config-fast linux-jnwt.testmailsrv.de

1.7 Patch and compile ucspi-tcp

linux-jnwt:/ # cd /usr/local/src/ucspi-tcp-0.88
linux-jnwt:/usr/local/src/ucspi-tcp-0.88 # patch < /usr/local/src/netqmail-1.06/other-patches/ucspi-tcp-0.88.errno.patch
linux-jnwt:/usr/local/src/ucspi-tcp-0.88 # make
linux-jnwt:/usr/local/src/ucspi-tcp-0.88 # make setup check

1.8 Patch and compile daemontools

linux-jnwt:/ # cd /package/admin/daemontools-0.76
linux-jnwt:/package/admin/daemontools-0.76 # cd src
linux-jnwt:/package/admin/daemontools-0.76 # patch < /usr/local/src/netqmail-1.06/other-patches/daemontools-0.76.errno.patch
linux-jnwt:/package/admin/daemontools-0.76 # cd ..
linux-jnwt:/package/admin/ # package/install

Here should we use “ps -ef | grep svscan” or “ps waux | grep svscan” to check if svscan runs.

With Fedora it is not so easy:

linux-jnwt:/usr/local/src/netqmail-1.06 # less /etc/inittab
SV:123456:respawn:/command/svscanboot
Fedora does not use currently inittab. That should be placed in event.d folder:
# vi /etc/event.d/daemontools
# daemontools
start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5
stop on shutdown
respawn
exec /command/svscanboot
# initctl start daemontools
For me that was strange, because clamd was always duplicated. I do not use it now and need to troubleshoot…

1.9 Start your Qmail

1.9.1 The Boot-Scripts

Qmail-Boot-Script:

linux-jnwt:/ # vi /var/qmail/rc
#!/bin/sh
# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default
exec env – PATH=”/var/qmail/bin:$PATH” \
qmail-start “`cat /var/qmail/control/defaultdelivery`”
linux-jnwt:/ # chmod 755 /var/qmail/rc
linux-jnwt:/ # mkdir /var/log/qmail
linux-jnwt:/ # echo ./Maildir/ >/var/qmail/control/defaultdelivery

1.9.2 Systemstart files

1.9.2.1 The qmailctl-Script

linux-jnwt:/ # vi /var/qmail/bin/qmailctl
#!/bin/sh
#
# For Red Hat chkconfig
# chkconfig: – 80 30
# description: the qmail MTA
#
PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
export PATH
#
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
#
case “$1” in
start)
echo “Starting qmail”
if svok /service/qmail-send ; then
svc -u /service/qmail-send /service/qmail-send/log
else
echo “qmail-send supervise not running”
fi
if svok /service/qmail-smtpd ; then
svc -u /service/qmail-smtpd /service/qmail-smtpd/log
else
echo “qmail-smtpd supervise not running”
fi
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/qmail
fi
;;
stop)
echo “Stopping qmail…”
echo ”  qmail-smtpd”
svc -d /service/qmail-smtpd /service/qmail-smtpd/log
echo ”  qmail-send”
svc -d /service/qmail-send /service/qmail-send/log
if [ -f /var/lock/subsys/qmail ]; then
rm /var/lock/subsys/qmail
fi
;;
stat)
svstat /service/qmail-send
svstat /service/qmail-send/log
svstat /service/qmail-smtpd
svstat /service/qmail-smtpd/log
qmail-qstat
;;
doqueue|alrm|flush)
echo “Flushing timeout table and sending ALRM signal to qmail-send.”
/var/qmail/bin/qmail-tcpok
svc -a /service/qmail-send
;;
queue)
qmail-qstat
qmail-qread
;;
reload|hup)
echo “Sending HUP signal to qmail-send.”
svc -h /service/qmail-send
;;
pause)
echo “Pausing qmail-send”
svc -p /service/qmail-send
echo “Pausing qmail-smtpd”
svc -p /service/qmail-smtpd
;;
cont)
echo “Continuing qmail-send”
svc -c /service/qmail-send
echo “Continuing qmail-smtpd”
svc -c /service/qmail-smtpd
;;
restart)
echo “Restarting qmail:”
echo “* Stopping qmail-smtpd.”
svc -d /service/qmail-smtpd /service/qmail-smtpd/log
echo “* Sending qmail-send SIGTERM and restarting.”
svc -t /service/qmail-send /service/qmail-send/log
echo “* Restarting qmail-smtpd.”
svc -u /service/qmail-smtpd /service/qmail-smtpd/log
;;
cdb)
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
chmod 644 /etc/tcp.smtp.cdb
echo “Reloaded /etc/tcp.smtp.”
;;
help)
cat <<HELP
stop — stops mail service (smtp connections refused, nothing goes out)
start — starts mail service (smtp connection accepted, mail can go out)
pause — temporarily stops mail service (connections accepted, nothing leaves)
cont — continues paused mail service
stat — displays status of mail service
cdb — rebuild the tcpserver cdb file for smtp
restart — stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue — schedules queued messages for immediate delivery
reload — sends qmail-send HUP, rereading locals and virtualdomains
queue — shows status of queue
alrm — same as doqueue
flush — same as doqueue
hup — same as reload
HELP
;;
*)
echo “Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}”
exit 1
;;
esacexit 0 

linux-jnwt:/ # chmod 755 /var/qmail/bin/qmailctl
linux-jnwt:/ # ln -s /var/qmail/bin/qmailctl /usr/bin

1.9.2.2 The supervise-Scripts

linux-jnwt:/ # mkdir -p /var/qmail/supervise/qmail-send/log
linux-jnwt:/ # mkdir -p /var/qmail/supervise/qmail-smtpd/log
linux-jnwt:/ # vi /var/qmail/supervise/qmail-send/run
#!/bin/sh
exec /var/qmail/rc
linux-jnwt:/ # vi /var/qmail/supervise/qmail-send/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail
linux-jnwt:/ # vi /var/qmail/supervise/qmail-smtpd/run
#!/bin/shQMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me` 

if [ -z “$QMAILDUID” -o -z “$NOFILESGID” -o -z “$MAXSMTPD” -o -z “$LOCAL” ];
then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ];
then
echo “No /var/qmail/control/rcpthosts!”
echo “Refusing to start SMTP listener because it’ll create an open relay”
exit 1
fi

exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -R -l “$LOCAL” -x /etc/tcp.smtp.cdb -c “$MAXSMTPD” \
-u “$QMAILDUID” -g “$NOFILESGID” 0 smtp /var/qmail/bin/qmail-smtpd 2>&1

linux-jnwt:/ # echo 20 > /var/qmail/control/concurrencyincoming
linux-jnwt:/ # chmod 644 /var/qmail/control/concurrencyincoming
linux-jnwt:/ # vi /var/qmail/supervise/qmail-smtpd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpd
linux-jnwt:/ # chmod 755 /var/qmail/supervise/qmail-send/run
linux-jnwt:/ # chmod 755 /var/qmail/supervise/qmail-send/log/run
linux-jnwt:/ # chmod 755 /var/qmail/supervise/qmail-smtpd/run
linux-jnwt:/ # chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
linux-jnwt:/ # mkdir -p /var/log/qmail/smtpd
linux-jnwt:/ # chown qmaill /var/log/qmail /var/log/qmail/smtpd
linux-jnwt:/ # ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service

The /service folder will be created when daemontools is installed.

1.9.2.3 SMTP access-control

linux-jnwt:/ # echo ‘127.:allow,RELAYCLIENT=””‘ >>/etc/tcp.smtp
linux-jnwt:/ # qmailctl cdb

1.9.3 Stop and delete installed MTA

Here has to be tested that we do not have any app listening on tcp port 25. If so find it and kill it. If not so step forward.

linux-jnwt:/ # netstat -a | grep smtp
linux-jnwt:/ # mv /usr/lib/sendmail /usr/lib/sendmail.old
# Error messages can be ignored
linux-jnwt:/ # mv /usr/sbin/sendmail /usr/sbin/sendmail.old
# Error messages can be ignored
linux-jnwt:/ # chmod 0 /usr/lib/sendmail.old /usr/sbin/sendmail.old
# Error messages can be ignored
linux-jnwt:/ # ln -s /var/qmail/bin/sendmail /usr/lib
linux-jnwt:/ # ln -s /var/qmail/bin/sendmail /usr/sbin

1.9.4 Create Systemaliases

linux-jnwt:/ # echo example@example.com > /var/qmail/alias/.qmail-root
linux-jnwt:/ # echo example@example.com > /var/qmail/alias/.qmail-postmaster
linux-jnwt:/ # ln -s .qmail-postmaster /var/qmail/alias/.qmail-mailer-daemon
linux-jnwt:/ # chmod 644 /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-postmaster

If you need more info about aliases see INSTALL.alias.

1.9.5 Start Qmail

linux-jnwt:/ # qmailctl start

1.10 Test the Installation

linux-jnwt:/ # qmailctl stat
linux-jnwt:/ # cd /usr/local/src
linux-jnwt:/usr/local/src # wget http://lifewithqmail.org/inst_check
linux-jnwt:/usr/local/src # sh inst_check
linux-jnwt:/usr/local/src # ps -efl | grep “service errors” | grep -v grep

2. Use Mutt with “/Maildir”

(Mutt user manual: http://www.mutt.org/doc/manual/manual-2.html)

Information for Maildir folder creation:
qmail-local can deliver mail to maildir mailboxes, but it can’t create them.
Maildir mailboxes should be created with the maildirmake program that comes with qmail. E.g., “maildirmake ~/Maildir”. Be sure to run maildirmake as the owner of the maildir, not as root. Your useradd or adduser command might support a “skeleton” directory, e.g. /etc/skel, where you can create a maildir that will be copied for all new users.

3 Qmail-scanner mit Spamassassin und Clamav

3.1 Clamav

Requirements:

Link I used :

http://www.clamav.net/doc/latest/html/node10.html

–          GNU tool which simplifies the build process for users:

make.i386 : A GNU tool which simplifies the build process for users [My version 3.81-12.fc9]

–          GNU Compiler Collection:

gcc.i386 : Various compilers (C, C++, Objective-C, Java, …) [My version 4.3.0-8]

–          The zlib compression and decompression library:

zlib.i386 : The zlib compression and decompression library [My version 1.2.3-18.fc9]
zlib-devel.i386 : Header files and libraries for Zlib development [My version 1.2.3-18.fc9]

–          GNU Multiple Precision Arithmetic Library:

gmp.i386 : A GNU arbitrary precision library [My version 4.2.2-7.fc9]

–          A unit test framework for C:

check.i386 : A unit test framework for C [My version 0.9.6-1.fc9]

–          The clamav user and group (actually we will use qscand, avoid this if you can.):

[root@myweb-lp clamav-0.94.2]# /usr/sbin/groupadd clamav
[root@myweb-lp clamav-0.94.2]# /usr/sbin/useradd -g clamav -s /bin/false -c “Clam AntiVirus” clamav

I found a document on clamav and qmail-scanner that is hmmm, helped me a bit, but lead me sometimes in wrong directions (maybe my fault):
http://tldp.org/HOWTO/Qmail-ClamAV-HOWTO/x120.html

3.1.1 Clamav installation

linux-jnwt:/usr/local/src # groupadd clamav
linux-jnwt:/usr/local/src # useradd clamav -g clamav -c “Clam Antivirus” -s /bin/false
linux-jnwt:/usr/local/src # tar -xvzf clamav-0.94.2.tar.gz
linux-jnwt:/usr/local/src # cd clamav-0.94.2
linux-jnwt:/usr/local/src/clamav-0.94.2 # ./configure
linux-jnwt:/usr/local/src/clamav-0.94.2 # make
linux-jnwt:/usr/local/src/clamav-0.94.2 # make install
linux-jnwt:/usr/local/src/clamav-0.94.2 # cd ..

3.1.2 Clamav configuration

In clamav config file use whatever you want. I will use whatever I want.

linux-jnwt:/usr/local/src # cp /usr/local/etc/clamd.conf /usr/local/etc/clamd.conf_orig
linux-jnwt:/usr/local/src # vi /usr/local/etc/clamd.conf
Example –> DELETE!
LogFileUnlock yes
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav -> Default Virus DB dir: /usr/local/share/clamav/ 

LocalSocket /tmp/clamd.socket
User qscand
ScanOLE2 yes
ScanPDF yes
ScanMail yes
PhishingSignatures yes
PhishingScanURLs yes
ScanHTML yes
ScanArchive yes

Add qscand user and group:

linux-jnwt:/usr/local/src/ # groupadd qscand
linux-jnwt:/usr/local/src/ # useradd -g qscand -c “Qmail Scanner” -s /bin/false qscand
-> Create folder for Database:
linux-jnwt:/usr/local/src # mkdir –p /var/lib/clamav
linux-jnwt:/usr/local/src # chown qscand:qscand /var/lib/clamav
-> ClamAV folder for PID file (pid file will be created by ClamAV daemon):
linux-jnwt:/usr/local/src # mkdir /var/run/clamav
linux-jnwt:/usr/local/src # chown qscand:qscand /var/run/clamav

3.1.3 Clam test

Clamav Test:

linux-jnwt:/usr/local/src # clamscan -r -l scan.txt clamav-0.94.2
clamscan: error while loading shared libraries: libclamav.so.5: cannot open shared object file: No such file or directory
# In this case run an ldconfig
linux-jnwt:/usr/local/src # ldconfig

ClamavD Test:

linux-jnwt:/usr/local/src # clamd
linux-jnwt:/usr/local/src # clamdscan -l scan3.txt clamav-0.94.2

3.1.4 Clamav with Daemontools

Link I used :
http://qmail.jms1.net/clamav/daemontools.shtml

The clamdctl Script:
Link I used:
http ://tldp.org/HOWTO/Qmail-ClamAV-HOWTO/x142.html

linux-jnwt:/ # vi /usr/local/bin/clamdctl
#!/bin/sh 

PATH=/usr/local/clamav/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
case “$1” in
start)
echo “Starting clamd and log”
if svok /service/clamd ; then
svc -u /service/clamd /service/clamd/log
else
echo clamd supervise not running
fi
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/clamd
fi
;;
stop)
echo “Stopping clamd and log…”
echo ”  clamd”
svc -d /service/clamd
svc -d /service/clamd/log
if [ -f /var/lock/subsys/clamd ]; then
rm /var/lock/subsys/clamd
fi
;;
stat)
svstat /service/clamd
svstat /service/clamd/log
;;
restart)
echo “Restarting clamd:”
echo “* Stopping clamd.”
svc -d /service/clamd
svc -d /service/clamd/log
echo “* Sending clamd SIGTERM and restarting.”
svc -t /service/clamd
svc -t /service/clamd/log
echo “* Restarting clamd.”
svc -u /service/clamd
svc -u /service/clamd/log
;;
hup)
echo “Sending HUP signal to clamd.”
svc -h /service/clamd
svc -h /service/clamd/log
;;
help)
cat <<HELP
stop — stops clamd service (smtp connections refused, nothing goes out)
start — starts clamd service (smtp connection accepted, mail can go out)
stat — displays status of clamd service
restart — stops and restarts the clamd service
hup — same as reload
HELP
;;
*)
echo “Usage: $0 {start|stop|stat|restart|hup|help}”
exit 1
;;
esac

exit 0
linux-jnwt:/home/linux # chmod 755 /usr/local/bin/clamdctl

Die Supervise-Skripts für Clamav:

Links I used:
http://tldp.org/HOWTO/Qmail-ClamAV-HOWTO/x142.html
http://qmail.jms1.net/clamav/daemontools.shtml

linux-jnwt:/home/linux # mkdir -p /var/clamav/supervise/clamd/log
linux-jnwt:/home/linux # cd /var/clamav/supervise/clamd/
linux-jnwt:/var/clamav/supervise/clamd # vi /var/clamav/supervise/clamd/run
#!/bin/sh
exec /usr/local/bin/setuidgid qscand /usr/local/sbin/clamd 2>&1
linux-jnwt:/var/clamav/supervise/clamd # chmod 755 /var/clamav/supervise/clamd/run
linux-jnwt:/var/clamav/supervise/clamd # cd log
linux-jnwt:/var/clamav/supervise/clamd/log # vi /var/clamav/supervise/clamd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qscand /usr/local/bin/multilog  t /var/log/clamd
linux-jnwt:/var/clamav/supervise/clamd/log # chmod 755 /var/clamav/supervise/clamd/log/run
linux-jnwt:/var/clamav/supervise/clamd # mkdir /var/log/clamd
linux-jnwt:/var/clamav/supervise/clamd # chown qscand:qscand /var/log/clamd
linux-jnwt:/usr/local/src # ln -s /var/clamav/supervise/clamd /service

Start Clamav manually:

linux-jnwt:/home/linux # svc -u /service/clamd
or use
linux-jnwt:/home/linux # clamdctl start

3.2 Freshclam

3.2.1 Freshclam configuration

Feel the freedom here as well. What I used is only a few things.

linux-jnwt:/usr/local/src # cd /usr/local/etc/
linux-jnwt:/usr/local/src # cp freshclam.conf freshclam.conf_orig
linux-jnwt:/usr/local/src # vi /usr/local/etc/freshclam.conf
#Example
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/freshclam.log
LogFileMaxSize 10M
LogTime yes
LogVerbose yes
DatabaseOwner qscand
DatabaseMirror db.de.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 3
Checks 12
NotifyClamd /usr/local/etc/clamd.conf
PidFile /var/run/freshclam/freshclam.pid
AllowSupplementaryGroups yes
DNSDatabaseInfo current.cvd.clamav.net
OnUpdateExecute /usr/local/sbin/freshclam-good
OnErrorExecute /usr/local/sbin/freshclam-bad- create Freshclam log file: 

linux-jnwt:/usr/local/src # touch /var/log/freshclam.log
linux-jnwt:/usr/local/src # chmod 600 /var/log/freshclam.log
linux-jnwt:/usr/local/src # chown qscand:qscand /var/log/freshclam.log

create folder for Freshclam PID file (pid will be created by Freshclam):

linux-jnwt:/usr/local/src # mkdir /var/run/freshclam
linux-jnwt:/usr/local/src # chown qscand:qscand /var/run/freshclam

– create a script for Clamav version update for Qmail-scanner

linux-jnwt:/home/linux # vi /usr/local/sbin/freshclam-good

#!/bin/sh
#
# freshclam-good
#
# if you want to be notified whenever the virus
# definitions are updated, add some code here to
# send yourself an email or whatever.
# update qmail-scanner and simscan version files.

if [ -e /var/qmail/bin/qmail-scanner-queue.pl ]
then
/var/qmail/bin/qmail-scanner-queue.pl -z
fi

exit 0

linux-jnwt:/home/linux # chmod 755 /usr/local/sbin/freshclam-good
Create script for Clamav failed update for Qmail-scanner
linux-jnwt:/usr/local/bin # vi /usr/local/sbin/freshclam-bad
#!/bin/sh
#
# freshclam-bad
#
# if you want to be notified whenever there is a
# problem updating the virus definitions, add some
# code here to send yourself an email or whatever.
#
# email notification to mail or phone
PATH=”/usr/bin:/bin:/var/qmail/bin”

cat <<EOF | qmail-inject
From: linux1@linux-jnwt.testqmail.de
#To: Phone <1234567890@cell.carrier.xyz>
To: linux@linux-jnwt.testqmail.de
Subject: freshclam error
The freshclam program has encountered an error.
EOF

exit 0

linux-jnwt:/usr/local/bin # chmod 755 /usr/local/sbin/freshclam-bad

3.2.2 Freshclam test

linux-jnwt:/usr/local/src # freshclam –u qscand
linux-jnwt:/usr/local/src # less /var/log/ freshclam.log

Freshclam configuration in crontab:

Add a cron job with the following command. In the following example what times wil the freshclam will be used?
If you do not know:

http://en.wikipedia.org/wiki/Cron#Fields

linux-jnwt:/usr/local/src # vi /etc/crontab
0 * * * * /usr/local/bin/freshclam -u qscand –quiet

Info:
-u USER          run as USER
–quiet             only output error messages

3.3 Spamassassin

(http://wiki.apache.org/spamassassin/IntegratedInQmailWithQmailScanner)

If you already installed spamassasin, check this:

linux-jnwt:/home/linux # perldoc Mail::SpamAssassin::Conf

Folder for *.cf Datei (the rules):

The following folders holds the rules of spamassassin

/usr/share/spamassassin/
/usr/local/share/spamassassin/

Examples.:
10_default_prefs.cf
20_advance_fee.cf
20_body_tests.cf
20_compensate.cf
20_dnsbl_tests.cf
20_drugs.cf
20_dynrdns.cf

You will check them as soon as you got an operating mail gateway and you check your spam log files. There sou will see a value for all mail. Definetly you then want to know what values are used if special rules are matched.

Here is the configuration files for Spamassassin:

/etc/mail/spamassassin/
z.B.:

init.pre – Here used the ‘rewrite_header’ and ‘ifplugin’ with ‘uridnsbl_skip_domain’ for Opensuse und novell domainnames.

linux-jnwt:/ # more /etc/mail/spamassassin/init.pre |grep -v “^$\|^#”

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Hashcash
loadplugin Mail::SpamAssassin::Plugin::SPF

local.cf – other commands for local.cf can be found here: „perldoc Mail::SpamAssassin::Conf“
v310.pre – Here will be loaded other plugins like dkim…
v312.pre – Here will be loaded other plugins AFAIK
v320.pre – Here will be loaded other plugins AFAIK

From those three directories, SpamAssassin will first read files ending in “.pre” in lexical order and then it will read files ending in “.cf” in lexical order (most files begin with two numbers to make the sorting order obvious).

In other words, it will read init.pre first, then 10_default_prefs.cf before 50_scores.cf and 20_body_tests.cf before 20_head_tests.cf. Options in later files will override earlier files.
3.3.1 Spamassassin installation

linux-jnwt:/usr/local/src # tar -xvzf Mail-SpamAssassin-3.2.5.tar.gz

linux-jnwt:/usr/local/src # cd Mail-SpamAssassin-3.2.5

…RTFM?

linux-jnwt:/usr/local/src/Mail-SpamAssassin-3.2.5 # less INSTALL

We need to check Requirement for Perl Modules:

linux-jnwt:/usr/local/src/Mail-SpamAssassin-3.2.5 # perl build/check_dependencies

This is a list of my missing Requirements:
optional module missing: Mail::SPF
optional module missing: Mail::SPF::Query
optional module missing: IP::Country
optional module missing: Razor2
optional module missing: Net::Ident
optional module missing: IO::Socket::INET6
optional module missing: Mail::DomainKeys
optional module missing: Mail::DKIM
optional module missing: Encode::Detect
Informations about all modules can be found here: http://search.cpan.org/
We can install those modules with perl interactive Shell.
Installing Spamassassin and its requirements:

linux-jnwt:/home/linux # perl -MCPAN -e shell

…default values at first usage…

cpan[18]> o conf prerequisites_policy ask
cpan[1]> install Mail::SPF
…YAML missing…
cpan[2]> install YAML
cpan[3]> notest install Mail::SPF::Query —> install with notest if you do not have smtp internat access.
cpan[4]> install IP::Country
cpan[5]> Mail::SpamAssassin::Plugin::Razor2 —> The Installation of Razor2 started Spamassassin Installation, Quit…
cpan[6]> Net::Ident
cpan[7]> IO::Socket::INET6
cpan[8]> Mail::DomainKeys —> Error message:
„ IROBERTS/Crypt-OpenSSL-Random-0.04.tar.gz : make NO“
—> libopenssl-devel-0.9.8g-47.2.i586 Installation required
cpan[9]> exit
linux-jnwt:/usr/local/src/Mail-SpamAssassin-3.2.5 # zypper install libopenssl-devel
linux-jnwt:/usr/local/src/Mail-SpamAssassin-3.2.5 # perl -MCPAN -e shell
cpan[10]> fforce install Crypt::OpenSSL::Random —> Error message:
„ IROBERTS/Crypt-OpenSSL-RSA-0.25.tar.gz : make NO“
—> if Crypt-OpenSSL-Random is ready, then we can install this.
cpan[11]> fforce install Crypt::OpenSSL::RSA
cpan[12]> fforce install Crypt::OpenSSL::Random
cpan[13]> install Mail::DKIM —> Error message:
„t/policy…………………ok 1/12DNS query timeout for _domainkey.messiah.edu“
cpan[14]> fforce notest install Mail::DKIM
cpan[15]> install Encode::Detect
cpan[16]> install Mail::DKIM
cpan[17]> install Mail::SpamAssassin
cpan[18]> quit
linux-jnwt:/usr/local/src/Mail-SpamAssassin-3.2.5 # perl build/check_dependencies
—> Is the clear now or still something missing? J

When I installed spamassassin for Fedora, I just installed it from repo. It is faster, but this way you will not get info about modules, I guess J.

For Fedora:

# yum install spamassasin

3.3.2 Spamassassin configuration

Here you can create your own konf file with your own rules etc.
There is a manual for it at this link:
http://wiki.apache.org/spamassassin/WritingRules

linux-jnwt:/ # vi /etc/mail/spamassassin/local.cf
report_contact example@example
required_hits 5.0
rewrite_header Subject ***Warning! That can be a spam!***
lock_method flock
report_safe 0
use_bayes 1
bayes_auto_learn 1
bayes_learn_to_journal 1
trusted_networks <your networks>
whitelist_from whatavaryouwnat@toavoidspamchecking
blacklist_from whatavaryouwnat@toavoidforwarding
skip_rbl_checks 0
ok_languages en <your language>
ok_locales en <your language>

3.3.3 Spamassassin with Daemontools

The spamdctl script:

linux-jnwt:/ # vi /usr/bin/spamdctl
#!/bin/sh
PATH=/usr/local/clamav/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
case “$1” in
start)
echo “Starting spamd and log”
if svok /service/spamd ; then
svc -u /service/spamd /service/spamd/log
else
echo spamd supervise not running
fi
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/spamd
fi
;;
stop)
echo “Stopping spamd and log…”
echo ” spamd”
svc -d /service/spamd
svc -d /service/spamd/log
if [ -f /var/lock/subsys/spamd ]; then
rm /var/lock/subsys/spamd
fi
;;
stat)
svstat /service/spamd
svstat /service/spamd/log
;;
restart)
echo “Restarting spamd:”
echo “* Stopping spamd.”
svc -d /service/spamd
svc -d /service/spamd/log
echo “* Sending spamd SIGTERM and restarting.”
svc -t /service/spamd
svc -t /service/spamd/log
echo “* Restarting spamd.”
svc -u /service/spamd
svc -u /service/spamd/log
;;
hup)
echo “Sending HUP signal to spamd.”
svc -h /service/spamd
svc -h /service/spamd/log
;;
help)
cat <<HELP
stop — stops spamd service (smtp connections refused, nothing goes out)
start — starts spamd service (smtp connection accepted, mail can go out)
stat — displays status of spamd service
restart — stops and restarts the spamd service
hup — same as reload
HELP
;;
*)
echo “Usage: $0 {start|stop|stat|restart|hup|help}”
exit 1
;;
esac
exit 0
linux-jnwt:/ # chmod 755 /usr/bin/spamdctl

The Supervise-Scripts for Spamassassin:

linux-jnwt:/ # mkdir -p /var/spamd/supervise/spamd/log
linux-jnwt:/ # vi /var/spamd/supervise/spamd/run
#!/bin/bash
export LANG=de
exec /usr/local/bin/softlimit -m 60000000 /usr/bin/spamd -x -u qscand 2>&1
linux-jnwt:/ # vi /var/spamd/supervise/spamd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qscand /usr/local/bin/multilog t n20 s16000000 /var/log/spamd
linux-jnwt:/ # chmod 755 /var/spamd/supervise/spamd/log/run
linux-jnwt:/ # chmod 755 /var/spamd/supervise/spamd/run
linux-jnwt:/ # mkdir /var/log/spamd/
linux-jnwt:/ # chown qscand:qscand /var/log/spamd/
linux-jnwt:/ # ln -s /var/spamd/supervise/spamd /service

Start spamassassin manually:

linux-jnwt:/ # svc -u /service/spamd
or
linux-jnwt:/ # spamdctl start

Info for softlimit:
-m membytes
Info for spamd:
-x, –nouser-config Disable user config files
-u username, –username=username Run as username

Check Spamassassin processes:

linux-jnwt:/usr/local/src/qmail_test/qmail-scanner-2.05 # ps axfu | grep spam

3.4 Qmail-Scanner

The official site:
http://qmail-scanner.sourceforge.net/

3.4.1 Requirements for Qmail-scanner

1. Netqmail 1.05 (or qmail-1.03 with Patches)
2. User (and group) used to run Qmail-Scanner: qscand
3. reformime from Maildrop 1.3.8+
4. Perl 5.005_03+
5. Perl modul Time::HiRes
6. Perl modul DB_File
7. Perl modul Sys::Syslog
8. Perl modul MIME::Base64
9. Optional: Mark Simpson’s TNEF unpacker
10. Optional: uudecode
11. Optional: unzip
12. qmail patch: QMAILQUEUE
13. setuid bit von Perl

  1. qmail

This is already ready (Version netqmail-1.06)

  1. User (If you do not have it!)
linux-jnwt:/usr/local/src/ # groupadd qscand
linux-jnwt:/usr/local/src/ # useradd -g qscand -c “Qmail Scanner” -s /bin/false qscand
  1. Reformime from Maildrop 1.3.8+

For Fedora 9 there was a package for Maildrop from repository. For Opensuse there was nothing, I had to use source code.

Requirements for Maildrop:

  • # C++ compiler – A C++ compiler is required.
  • # make – The GNU make is recommended. Solaris’s make is to be avoided. xBSD already has a gmake port, install it and use it (use gmake everywhere this document refers to make).
  • # GDBM/DB – optional.
  • # The PCRE library (http:/www.pcre.org) is required.
linux-jnwt:/home/linux # zipper install gcc-c++
—> I did not have c++ installed, get it now.
linux-jnwt:/home/linux # cd /usr/local/src
linux-jnwt:/usr/local/src # wget http://prdownloads.sourceforge.net/courier/maildrop-2.0.4.tar.bz2
linux-jnwt:/usr/local/src/maildrop-2.0.4 # tar jxvf maildrop-2.0.4.tar.bz2
linux-jnwt:/usr/local/src/maildrop-2.0.4 # cd maildrop-2.0.4/
linux-jnwt:/usr/local/src/maildrop-2.0.4 # less INSTALL
linux-jnwt:/usr/local/src/maildrop-2.0.4 # ./configure
linux-jnwt:/usr/local/src/maildrop-2.0.4 # make
linux-jnwt:/usr/local/src/maildrop-2.0.4 # make install-strip
linux-jnwt:/usr/local/src/maildrop-2.0.4 # make install-man

I run into an error with Maildrop:

linux-jnwt:/usr/local/src/maildrop-2.0.4 # ./configure

checking pcre.h usability… no
checking pcre.h presence… no
checking for pcre.h… no
checking pcre/pcre.h usability… no
checking pcre/pcre.h presence… no
checking for pcre/pcre.h… no
configure: error: pcre.h not found – install PCRE from http://www.pcre.org
—> In this case:
linux-jnwt:/usr/local/src/maildrop-2.0.4 # zypper info pcre-devel

For Fedora:

[root@mylaptop /]# yum search pcre-devel
  1. Perl 5.005_03+

In Suse 11.0 ist es bereits installiert (Version: 5.10.0-37.6)

  1. Time::HiRes Perl Modul:

There is a perl modul checking method that can we use any time.

linux-jnwt:/usr/local/src # perl -M<Module-name here> -e l

linux-jnwt:/usr/local/src # perl -MTime::HiRes -e l

—> If we get an error message, than it is not installed.

If a module is not isntalled see the link:

http://www.cpan.org/modules/INSTALL.html

linux-jnwt:/home/linux # perl -MCPAN -e shell
…default values at first usage…
cpan[18]> o conf prerequisites_policy ask
cpan[1]> install Time::HiRes
  1. Perl module DB_File —>In my OpenSUSE 11.0 this was installed by default
  2. Perl module Sys::Syslog —>In my OpenSUSE 11.0 this was installed by default.
  3. Perl module MIME::Base64 —>In my OpenSUSE 11.0 this was installed by default.
  4. Optional: Mark Simpson’s TNEF unpacker.
linux-jnwt:/home/linux # zypper install tnef

For Fedora:

[root@mylaptop /]# yum install perl-Convert-TNEF

Installed:
perl-Convert-TNEF.noarch 0:0.17-8.fc9 

Dependencies installed:
perl-Convert-BinHex.noarch 0:1.119-8.fc9 perl-IO-stringy.noarch 0:2.110-8.fc9 perl-MIME-tools.noarch 0:5.426-1.fc9 perl-MailTools.noarch 0:2.03-1.fc9
perl-TimeDate.noarch 1:1.16-8.fc9

– That was great, but we need other than this perl script:
– Official source: http://sourceforge.net/projects/tnef/

[root@mylaptop src]# wget http://downloads.sourceforge.net/tnef/tnef-1.4.5.tar.gz?use_mirror=heanet&filesize=3935273
[root@mylaptop src]# tar -xzvf tnef-1.4.5.tar.gz
[root@mylaptop src]# ./configure
[root@mylaptop src]# make
[root@mylaptop src]# make install

  1. Optional: uudecode —> In my OpenSUSE 11.0 this was installed by default.

Für Fedora:

[root@mylaptop /]# yum search sharutils
  1. Optional: unzip —> In my OpenSUSE 11.0 this was installed by default.
  2. qmail patch: QMAILQUEUE —>This is installed in netqmail 1-06.
  3. Allow setuid for perl (In Opensuse)
linux-jnwt:/usr/local/src/qmail-scanner-2.05 # vi /etc/permissions.local

/usr/bin/sperl5.10.0 root.root 4711

download setuid module for Fedora:

[root@mylaptop /]# yum install perl-suidperl

3.4.2 Qmail-scanner installation

linux-jnwt:/usr/local/src # wget http://prdownloads.sourceforge.net/qmail-scanner/qmail-scanner-2.05.tgz?download
linux-jnwt:/usr/local/src # tar -xvzf qmail-scanner-2.05.tgz
linux-jnwt:/usr/local/src # cd qmail-scanner-2.05/
linux-jnwt:/usr/local/src/qmail-scanner-2.05 #./configure –help
—> Optionen sollte man zuerst nachschauen.
linux-jnwt:/usr/local/src/qmail-scanner-2.05 # ./configure
Building Qmail-Scanner 2.05… 

***** NOTE ******

Qmail-Scanner doesn’t have language translations for de_DE.UTF-8,
– so defaulting to english…
[Hit <RETURN> to continue]
This script will search your system for the virus scanners it knows about, and will ensure that all external programs qmail-scanner-queue.pl uses are explicitly pathed for performancereasons.
Continue? ([Y]/N)

/usr/bin/uudecode works as expected on system…
Found tnef on your system! That means we’ll be able to decode stupid
M$ attachments :-)

The following binaries and scanners were found on your system:
mimeunpacker=/usr/local/bin/reformime
uudecode=/usr/bin/uudecode
tnef=/usr/bin/tnef
Content/Virus Scanners installed on your System
max-scan-size=100000000
clamdscan=/usr/local/bin/clamdscan (which means clamscan won’t be used as clamdscan is better)
fast_spamassassin=/usr/bin/spamc
Qmail-Scanner details.

log-details=syslog
log-crypto=0
fix-mime=2
ignore-eol-check=0
debug=1
notify=psender,nmlvadm
redundant-scanning=yes
sa-maxsize=256000
virus-admin=System Anti-Virus Administrator <linux@linux-jnwt>
local-domains=’linux-jnwt’

silent-viruses=’klez’,’bugbear’,’hybris’,’yaha’,’braid’,’nimda’,’tanatos’,’sobig’,’winevar’,’palyh’,’fizzer’,’gibe’,’cailont’,’lovelorn’,’swen’,’dumaru’,’sober’,’hawawi’,’holar-i’,’mimail’,’poffer’,’bagle’,’worm.galil’,’mydoom’,’worm.sco’,’tanx’,’novarg’,’\@mm’

scanners=”clamdscan”,”fast_spamassassin”

If that looks correct, I will now generate qmail-scanner-queue.pl for your system…
Continue? ([Y]/N)

Testing suid nature of /usr/bin/perl…
Looks OK…
Hit RETURN to create initial directory structure under /var/spool/qscan,
and install qmail-scanner-queue.pl under /var/qmail/bin:
perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 12 entries.

Finished installation of initial directory structure for Qmail-Scanner under /var/spool/qscan and qmail-scanner-queue.pl under /var/qmail/bin.
Finished. Please read README(.html) and then go over the script

(/var/qmail/bin/qmail-scanner-queue.pl) to check paths/etc.
“/var/qmail/bin/qmail-scanner-queue.pl -r” should return some well-known virus
definitions to show that the internal perlscanner component is working.

That’s it!

****** FINAL TEST ******

Please log into an unpriviledged account and run
/var/qmail/bin/qmail-scanner-queue.pl -g

If you see the error “Can’t do setuid”, or “Permission denied”, then refer to the FAQ.

(e.g. “setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g”)

That’s it! To report success:
% (echo ‘First M. Last’; cat SYSDEF)|mail jhaar-s4vstats@crom.trimble.co.nz
Replace First M. Last with your name.

linux-jnwt:/usr/local/src/qmail-scanner-2.05 # ./configure –install
Specify qmail bin folder
… if we have the qmail-scanner-queue.pl already, then a backup will be created:
-rwsr-sr-x 1 qscand qscand 111842 23. Mär 14:03 qmail-scanner-queue.pl
-rwsr-sr-x 1 qscand qscand 111822 23. Mär 13:35 qmail-scanner-queue.pl.old
linux-jnwt:/usr/local/src/qmail_test/qmail-scanner-2.05 #

If qmail-scanner got an error during installation:

http://qmail-scanner.sourceforge.net/FAQ.php
3.4.3 Qmail-scanner test

linux-jnwt:/usr/local/src/qmail_test/qmail-scanner-2.05 # ./contrib/test_installation.sh
linux-jnwt:/usr/local/src/qmail_test/qmail-scanner-2.05 # ./contrib/test_installation.sh -doit

In this test Spamassassin will not scan mails, because test-emails come from local users.

4. Sanesecurity Signatures

Requirements:

  1. Curl or Wget {curl >= 7.19.4 recommended} {wget >= 1.11.4 recommended}

a. http://curl.haxx.se/

b. http://www.gnu.org/software/wget/

  1. rsync {Version >= 3.0.5 recommended}

a. http://samba.anu.edu.au/rsync/

  1. gnupg {Version >= 2.0.11 recommended}

a. http://lists.gnupg.org/pipermail/gnupg-announce/2009q1/000287.html

b. http://www.gnupg.org/

  1. clamav {Version >= 0.95 recommended}

a. http://www.clamav.net/

Source:

/usr/local/src/scamp-5.0.5b/README

/usr/local/share/clamav/tmp/sane/readme.txt

http://www.sanesecurity.com

4.1 Sansecurity installation

– Generate gpg keys for actual user:
linux-jnwt: # gpg
gpg: directory `/root/.gnupg’ created
gpg: new configuration file `/root/.gnupg/gpg.conf’ created
gpg: WARNING: options in `/root/.gnupg/gpg.conf’ are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg’ created
gpg: keyring `/root/.gnupg/pubring.gpg’ created
linux-jnwt: # cd /usr/local/src/
linux-jnwt:/usr/local/src # wget http://ftp.seibercom.net/pub/scamp.tar.gz
linux-jnwt:/usr/local/src/scamp # tar -xvzf scamp.tar.gz
linux-jnwt:/usr/local/src # cd scamp-5.*
linux-jnwt:/usr/local/src # less README

Stop Clamav and delete(backup) database:

Stop ClamAV and Spamd and Qmail
linux-jnwt:/usr/local/src # qmailctl stop && svc -d /service/clamd && svc -d /service/spamd
Backup ClamAV Database
linux-jnwt:/usr/local/src # mkdir /var/lib/clamavdbbak
linux-jnwt:/usr/local/src # cd /var/lib/clamav
linux-jnwt:/var/lib/clamav # cp –r * /var/lib/clamavdbbak
linux-jnwt:/var/lib/clamav # rm –r *
linux-jnwt:/var/lib/clamav # cd /usr/local/src/scamp-5*
linux-jnwt:/usr/local/src # scamp.sh
Enter the location of the Clamav Database. It must be a Fully Qualified Path:
/var/lib/clamav
Clamav PID file location:
/var/run/clamav/clamd.pid
Do you want to turn on the random download timer?
It only works when run via CRON. 1=on & 0=off
1
Enter: GROUP ownership of files:
qscand
Enter: USER ownership of files:
qscand
Install the Sanesecurity files: 1=yes & 0=no
1
<Aktualizierung mit rsync durch Zielport 873!>
Install the MSRBL files: 1=yes & 0=no
1
<Aktualizierung mit rsync durch Zielport 873!>
Install the Malware files: 1=yes & 0=no
1
Install the Securiteinfo files: 1=yes & 0=no
1
Reload clamd after update: 1=yes & 0=no

Install the *.ldb files: 1=yes & 0=no
1

Do you want a summary screen printed out when finished?
Enter 1 to display the screen or 0 to skip it.
1

Do you want to create a log file?
Default Location: /var/log/scamp.log
Enter 1 for yes & 0 for no.
1
linux-jnwt:/usr/local/src # scamp.sh
linux-jnwt:/var/lib/clamav/scamp # ls –lat /var/lib/clamav/
linux-jnwt:/var/lib/clamav/scamp # cat /var/log/scamp.log
linux-jnwt:/var/lib/clamav/scamp # less /var/lib/clamav/tmp/sane/readme.txt
linux-jnwt:/var/lib/clamav/scamp # crontab -e
0 4 * * * /usr/local/src/scamp-5.1/scamp.sh 1>/var/lib/clamav/updatesane.log 2>&1

Download with Freshclam the Clamav Database:

linux-jnwt:/var/lib/clamav/scamp # /usr/local/bin/freshclam -u qscand
linux-jnwt:/var/lib/clamav/scamp # cat /var/log/freshclam.log
linux-jnwt:/usr/local/src/clamav-0.94.2 # svc -u /service/spamd && svc -u /service/clamd && qmailctl start
linux-jnwt:/usr/local/src/clamav-0.94.2 # ps axfu | grep spam
linux-jnwt:/usr/local/src/clamav-0.94.2 # ps axfu | grep qmail
linux-jnwt:/usr/local/src/clamav-0.94.2 # ps axfu | grep clam
linux-jnwt:/usr/local/src/clamav-0.94.2 #qlog
linux-jnwt:/usr/local/src/clamav-0.94.2 #spamlog

4.2 Sanesecurity test
We will send 3 e-mails with the following contents to test the new signatures. On official website can be found maybe new test messages.

TEST 1 — Html.Sanesecurity.TestSig_Type3_Bdy
Send a HTML formatted email to yourself with
this text in the BODYof the email:
body_rrg63uhj2ucyeccrux7d83a4qd5ua5vnlgwjp6b6fmpzpobzjabftehuhraxfbyzzzzz
TEST 2 –Email.Sanesecurity.TestSig_Type4_Hdr
Send an email to yourself with this text in the SUBJECT of the email:
rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby
TEST 3 — Email.Sanesecurity.TestSig_Type4_Bdy
Send an email to yourself with this text in the BODY of the email:
body_rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZ0ajdjkwjnSSDfsdfsdfnwerd

5. Backup and Restore

The first thing that should be saved is all the configuration files used ba all of our applications.
Qmail:
I followed this link partly:

http://qmail.jms1.net/backup.shtml
All Supervise Scripts:
/var/qmail/supervise/qmail-send/log/run
/var/qmail/supervise/qmail-send/run
/var/qmail/supervise/qmail-smtpd/log/run
/var/qmail/supervise/qmail-smtpd/run
Full /var/qmail/alias/ folder:
/var/qmail/alias/.qmail-abuse -> .qmail-postmaster
/var/qmail/alias/.qmail-mailer-daemon -> .qmail-postmaster
/var/qmail/alias/.qmail-postmaster
/var/qmail/alias/.qmail-root

The SMTP-access control (for tcpserver):

/etc/tcp.smtp
/etc/tcp.smtp.cdb ?Should I ?

Full /var/qmail/control/ folder:

/var/qmail/control/defaultdomain
/var/qmail/control/defaultdelivery
/var/qmail/control/me
/var/qmail/control/locals
/var/qmail/control/plusdomain
/var/qmail/control/concurrencyincoming
/var/qmail/control/rcpthosts
/var/qmail/control/validrcptto.cdb

Clamav and Spamassassin:
– clamd.conf
– freshclam.conf
– Virusdatabase
Spamassassin:

– init.pre
– local.cf

– learnt spams: http://blogama.org/node/12
Daemontools:
– run files
– <xyz>ctl files

6. Administration Guide
6.1 Jobcontrol for repeatedly tasks
The cronjobs can be found in /var/spool/cron/crontabs/root or /var/spool/cron/tabs/root

The crontab commands:

linux-jnwt:/ # crontab –lshows actual cron-table of user.
linux-jnwt:/ # crontab –e – With the $EDITOR variable defined Editor will be the /var/cron/tabs/root-file opened.
linux-jnwt:/ # crontab –rRemove cron-table of user.

6.1.1 Qmail

PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin:/usr/local/bin

<That should be finished sooner or later>

6.1.2 Validrcptto

<That should be finished sooner or later>

6.1.3 Qmail-scanner

PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin:/usr/local/bin

<That should be finished sooner or later>

6.1.4 Clamav

PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin:/usr/local/bin

0 * * * * /usr/local/bin/freshclam 1>/dev/null 2>&1

6.1.5 Sanesecurity

0 4 * * * /var/lib/clamav/scamp/scamp.sh 1> /var/log/clamd/updatesane.log 2>&1

6.1.6 Spamassassin

<That should be finished sooner or later>

6.2 Mailing-lists

If you want to get informations on used applications, then sign in for the following lists.

  1. Qmail

qmail-subscribe@list.cr.yp.to

Other mailinglists:

http://cr.yp.to/lists.html

  1. Clamav

Create account for Clamav Bugzilla Reports:
https://wwws.clamav.net/bugzilla/
Mail Preferences setup!
Create Account for Clamav Announces:
http://lists.clamav.net/mailman/listinfo/clamav-announce
Create Account for Clamav Users:
http://lists.clamav.net/mailman/listinfo/clamav-users
Other Mailinglists:
http://www.clamav.net/support/ml

  1. Sanesecurity

Mailinglist only for Sanesecurity. Signature Announce:

http://www.freelists.org/list/sanesecurity_announce

  1. Spamassassin

http://wiki.apache.org/spamassassin/MailingLists
For Subscription send mail to announce-subscribe@spamassassin.apache.org
For Subscription send mail to users-subscribe@spamassassin.apache.org

  1. Qmail-scanner

Qmail-scanner users:
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
Announce-only:
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-announce
IF any of the links mentioned here is not reachable the should you search (Google) for Mailing List Informations.
6.3 Clamav update

Update von 0.94 -> 0.94.2

Clamav 0.94-2 package download, extract and install:

linux-jnwt:/ # cd /usr/local/src

linux-jnwt:/usr/local/src # wget http://freshmeat.net/redir/clamav/29355/url_tgz/clamav-0.94.2.tar.gz
linux-jnwt:/usr/local/src # tar -xvzf clamav-0.94.2.tar.gz
linux-jnwt:/usr/local/src # cd clamav-0.94.2
linux-jnwt:/usr/local/src # cp /usr/local/etc/clamd.conf /usr/local/etc/clamd.conf.bak
linux-jnwt:/usr/local/src # cp /usr/local/etc/freshclam.conf /usr/local/etc/freshclam.conf.bak
linux-jnwt:/usr/local/src/clamav-0.94.2 # ./configure
linux-jnwt:/usr/local/src/clamav-0.94.2 # make
linux-jnwt:/usr/local/src/clamav-0.94.2 #cd /usr/local/src/clamav-0.94/
linux-jnwt:/usr/local/src/clamav-0.94.2 #qmailctl stop && svc -d /service/clamd && svc -d /service/spamd
linux-jnwt:/usr/local/src/clamav-0.94 # make uninstall
linux-jnwt:/usr/local/src/clamav-0.94.2 #cd /usr/local/src/clamav-0.94.2/
linux-jnwt:/usr/local/src/clamav-0.94.2 # make install

Download with Freshclam dthe new Clamav Database:

linux-jnwt:/var/lib/clamav/scamp # /usr/local/bin/freshclam -u qscand –quiet
linux-jnwt:/var/lib/clamav/scamp # cat /var/log/clam-update.log
linux-jnwt:/usr/local/src/clamav-0.94.2 # svc -u /service/spamd && svc -u /service/clamd && qmailctl start
linux-jnwt:/usr/local/src/clamav-0.94.2 # ps axfu | grep spam
linux-jnwt:/usr/local/src/clamav-0.94.2 # ps axfu | grep qmail
linux-jnwt:/usr/local/src/clamav-0.94.2 # ps axfu | grep clam
linux-jnwt:/usr/local/src/clamav-0.94.2 #qlog
linux-jnwt:/usr/local/src/clamav-0.94.2 #spamlog

6.4 Administration of Spamassassin
6.4.1 Whitelist entry in Spamassassin rule
If you need new domain in white_list:

linux-jnwt:/usr/local/src/clamav-0.94.2 # vi /etc/mail/spamassassin/local.cf

whitelist_from new@domain

linux-jnwt:/usr/local/src/clamav-0.94.2 # svc –d /service/spamd
linux-jnwt:/usr/local/src/clamav-0.94.2 # svc –u /service/spamd
linux-jnwt:/usr/local/src/clamav-0.94.2 # ps axfu | grep spam
linux-jnwt:/usr/local/src/clamav-0.94.2 # ps axfu | grep qmail
linux-jnwt:/usr/local/src/clamav-0.94.2 # ps axfu | grep clam
linux-jnwt:/usr/local/src/clamav-0.94.2 #qlog
linux-jnwt:/usr/local/src/clamav-0.94.2 #spamlog

6.4.2 Tuning Rulescores

Rules description:

http://wiki.apache.org/spamassassin/CategoryRule

Adjust Rulescore:
http://wiki.apache.org/spamassassin/AdjustRuleScore

Example:

2009-03-18 17:27:27.096178500 [2311] info: spamd: processing message (unknown) for xyz@yxzdomain:1002
2009-03-18 17:27:31.865761500 [2311] info: spamd: identified spam (6.7/5.0) for xyz@yxzdomain:1002 in 5.0 seconds, 8422 bytes.
2009-03-18 17:27:32.112578500 [2311] info: spamd: result: Y 6 – BAYES_99,FORGED_MUA_OUTLOOK,HTML_MESSAGE,MISSING_MID,RDNS_NONE scantime=5.0,size=8422,user= xyz@yxzdomain,uid=1002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=46423,mid=(unknown),bayes=1.000000,autolearn=no,shortcircuit=no

Scores for this example:

1. BAYES_99
1
2. FORGED_MUA_OUTLOOK
root@mx:/# grep FORGED_MUA_OUTLOOK /usr/local/share/spamassassin/50_scores.cf
score FORGED_MUA_OUTLOOK 4.199 4.199 2.963 3.116

3. HTML_MESSAGE
root@mx:/# grep HTML_MESSAGE /usr/local/share/spamassassin/50_scores.cf
score HTML_MESSAGE 0.001

4. MISSING_MID
root@mx:/# grep MISSING_MID /usr/local/share/spamassassin/50_scores.cf
score MISSING_MID 0.001 # n=1 n=2 n=3

5. RDNS_NONE
root@mx:/# grep RDNS_NONE /usr/local/share/spamassassin/50_scores.cf
score RDNS_NONE 0.1

6.5 Logging Administration

6.5.1 Actual logentries

Logfiles for qmail:

linux-jnwt:/ # tree -a /var/log/qmail/
/var/log/qmail/
|– current – qmail-send writes logs here.
|– lock
|– smtpd
| |– current — qmail-smtpd writes logs here.
| |– lock
| `– state
`– state

Logfiles for qmail-scanner:

linux-jnwt:/ # tree /var/spool/qscan/

/var/spool/qscan/

|– archives Here will be logs archived from „/var/spool/qscan/quarantine/spam/new/“
| |– cur and from „/var/spool/qscan/quarantine/viruses/new/“
| |– new
| `– tmp
|– qmail-queue.log – ???
|– qmail-scanner-queue-version.txt
|– quarantine
| |– policy
| | |– cur
| | |– new Here can we found all quarantined mails.
| | | |– linux-jnwt12355704095659658
| | | `– linux-jnwt12355713615659897
| | `– tmp
| |– spam
| | |– cur
| | |– new Here can we found all spams.
| | `– tmp
| `– viruses
| |– cur
| |– new Here can we found all virus-infected mails.
| | |– linux-jnwt12355704115659673
| | `– linux-jnwt12355713625659912
| `– tmp
|– quarantine-events.db
|– quarantine-events.txt
|– quarantine.log – Here is qscand logfile. All emails here mentioned are in
|– tmp /var/spool/qscand/quarantine/…folder.
`– working
|– cur
|– new
`– tmp

Logfiles for Spamassassin:

linux-jnwt:/ # more /var/log/spamd/current SA writes logentries here because of Spamd Supervise Script.
linux-jnwt:/ # more var/log/mail SA writes logs here as well.

Logfiles for Clamav:

linux-jnwt:/ # more /var/log/clamd/current Clamav SA writes here the logs because of Clamav Supervise Script.

Logfiles for DNSCache:

linux-jnwt:/ # more /var/log/dnscache/current

Logfiles for Freshclam:

linux-jnwt:/ # more /var/log/freshclam.log

Logfiles for Sanesecurity:

linux-jnwt:/ # more /var/lib/clamav/updatesane.log

6.5.2 Archiving of emails (quarantined only)

Spammails:

linux-jnwt:/ # vi /var/spool/qscan/zipspams.sh

find /var/spool/qscan/quarantine/spam/new/ > /var/spool/qscan/tmp/spamlist
tar czvf /var/spool/qscan/archives/`date +’%Y%m%d’`.spams.tar.gz –files-from /var/spool/qscan/tmp/spamlist
find /var/spool/qscan/quarantine/spam/new/ | xargs rm

Virusmails:

linux-jnwt:/ # vi /var/spool/qscan/zipviruses.sh

#!/bin/sh
#set -xv
find /var/spool/qscan/quarantine/viruses/new/ > /var/spool/qscan/tmp/viruslist
tar czvf /var/spool/qscan/archives/`date +’%Y%m%d’`.viruses.tar.gz –files-from /var/spool/qscan/tmp/viruslist
find /var/spool/qscan/quarantine/viruses/new/ | xargs rm

6.5.3 Archiving of logs
Logs should be saved from the following applications:

Qmail
Clamav
Freshclam
Qmail-scanner

Advertisements
Posted in: Linux, mail, Security