Hi,
I just love this little bubba server and have received a lot of good help from people and excito on this forum. Because of this I decided that I wanted to share some of my configs for setting up a mailserver with antivirus, smtp-auth and antispam on bubba. I have gathered different configs that I have found in many different howtos on the Internet.
First of all there are many ways of doing this, I have mine running fine but it might not work well for you and I will not take responsibility for any damage or loss of data this might cause you, be warned but enjoy.
First of all log in to your bubba via ssh, and unmark the following apt sources:
#nano /etc/apt/sources.list
deb http://ftp.se.debian.org/debian/ sarge main
deb http://security.debian.org/ sarge/updates main
deb http://ftp.se.debian.org/debian/ sarge non-free
Do an update:
#apt-get update
Then we install some needed packages:
#apt-get install bzip2 php4-dev postfix-tls libsasl2 libsasl2-modules sasl2-bin make g++ zlib1g-dev
The following will show you how to compile clam antivirus from source, so that you will get the latest version of the engine. There is of course an easier way by just doing apt-get install clamav. But these packages in apt get old quite quickly.
so
Install from apt:
apt-get install clamav
OR
Install from source:
#------------------------------------------
# Install CLAMAV
#------------------------------------------
#mkdir /tmp/clamav
#cd /tmp/clamav
#wget http://dfn.dl.sourceforge.net/sourcefor ... 0.2.tar.gz
#tar zxvf clamav-0.90.2.tar.gz
#cd clamav-0.90.2
Uninstall -If you installed old version from source
#make uninstall
Now for installing clamav
#groupadd clamav
#useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
#./configure --enable-experimental -sysconfdir=/etc/clamav
#make
#make install
Edit and remark Example to #Example.
#nano /etc/clamav/clamd.conf
#Example
Edit and remark Example to #Example.
#nano /etc/clamav/freshclam.conf
#Example
Now let's start things automagically.
#nano /etc/init.d/clamav
Add the following:
#!/bin/sh -e
# Start or stop clamav
#
PATH=/bin:/usr/bin:/sbin:/usr/sbin
case "$1" in
  start)
    echo -n "Starting Clamav"
    /usr/local/sbin/clamd -c /etc/clamav/clamd.conf
    ;;
  stop)
    echo -n "Stopping Clamav"
    kill -9 `ps ax | grep "/usr/local/sbin/clamd" | grep -v grep | awk '{ print $1 }'`
    ;;
  restart)
    $0 stop || true
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/clamav {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
Set the permissions.
#chmod 755 /etc/init.d/clamav
and add it to the default runlevel(run at startup).
#update-rc.d clamav defaults
See to it that the clamd.conf looks like this, to make it communicate with clamsmtp.
#nano /usr/local/etc/clamd.conf
# ------------------------------------------------------------------------------
# SAMPLE CLAMAV CONFIG FILE
# ------------------------------------------------------------------------------
#Example
LogFile /var/log/clamd
LocalSocket /var/run/clamav/clamd
FixStaleSocket yes
User clamav
ScanMail yes
#mkdir /var/run/clamav
#chown clamav:clamav /var/run/clamav
#touch /var/log/clamd
#chmod 666 /var/log/clamd
Next we will install clamsmtp. It is a really lightweight proxy for clamav; it is way faster than just using clamav directly with postfix.
Install clamsmtp from apt
apt-get install clamsmtpd
OR
Install clamsmtp from source
#------------------------------------------
# Install CLAMSMTP
#------------------------------------------
#mkdir /tmp/clamsmtp
#cd /tmp/clamsmtp
#wget http://memberwebs.com/nielsen/software/ ... 1.8.tar.gz
#tar zxvf clamsmtp-1.8.tar.gz
#cd clamsmtp-1.8
#./configure
#make
#make install
#cp doc/clamsmtpd.conf /etc/
/usr/local/sbin/clamsmtpd
#nano /etc/init.d/clamsmtp
#!/bin/sh -e
# Start or stop clamsmtp
#
PATH=/bin:/usr/bin:/sbin:/usr/sbin
case "$1" in
  start)
    echo -n "Starting Clamsmtp"
    /usr/local/sbin/clamsmtpd -f /etc/clamsmtpd.conf
    ;;
  stop)
    echo -n "Stopping Clamsmtp"
    kill -9 `ps ax | grep "/usr/local/sbin/clamsmtpd -f /etc/clamsmtpd.conf" | grep -v grep | awk '{ print $1 }'`
    ;;
  restart)
    $0 stop || true
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/clamsmtp {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
Set the permissions.
#chmod 755 /etc/init.d/clamsmtp
and add it to the default runlevel(run on boot).
#update-rc.d clamsmtp defaults
Create config file.
#nano /etc/clamsmtpd.conf
# ------------------------------------------------------------------------------
# SAMPLE CLAMSMTPD CONFIG FILE
# ------------------------------------------------------------------------------
OutAddress: 10026
Listen: 127.0.0.1:10025
ClamAddress: /var/run/clamav/clamd
Quarantine: on
User: clamav
VirusAction: /usr/local/sbin/virus_action.sh
#nano /usr/local/sbin/virus_action.sh
#!/usr/bin/perl
$FROM = 'ClamSMTP <clamsmtp@example.com>'; # sender of the alert
# RECIPIENTS lists one address per line; join them for the To: header
$TO = join(', ', split(/\n/, $ENV{RECIPIENTS}));
$MAILER = '/usr/sbin/sendmail -t';
# three-argument open: the path is only ever read, never taken as a mode or pipe
open(F, '<', $ENV{EMAIL}) or die "$ENV{EMAIL}: $!";
@mail = <F>;
close(F);
$msg = <<EOM;
From: $FROM
To: $TO
Subject: Virus ($ENV{VIRUS}) From <$ENV{SENDER}>

A virus ($ENV{VIRUS}) was found.
The email sender:
$ENV{SENDER}
The email recipients:
$ENV{RECIPIENTS}
The message has been quarantined as:
EOM
open(F, "|$MAILER") or die "$MAILER: $!";
print F $msg;
foreach (@mail) { print F " $_"; }
print F ".\n";
close(F);
unlink($ENV{EMAIL});
#chmod 755 /usr/local/sbin/virus_action.sh
#nano /etc/postfix/main.cf
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings
#nano /etc/postfix/master.cf
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
Install spamassassin from apt
apt-get install spamassassin
OR
Install spamassassin from source.
#------------------------------------------
# Install SPAMASSASSIN
#------------------------------------------
#cd /tmp
#wget http://ftp.solace.miun.se/pub/apache/sp ... 1.8.tar.gz
#tar zxvf Mail-SpamAssassin-3.1.8.tar.gz
#cd Mail-SpamAssassin-3.1.8
There are a couple of required modules for spamassassin, install those and if you feel that you need to add functionality to spamassassin just add respective modules.
#cpan install Digest::SHA1
REQUIRED module missing: Digest::SHA1
REQUIRED module missing: HTML::Parser
optional module missing: Net::DNS
optional module missing: Mail::SPF::Query
optional module missing: IP::Country
optional module missing: Razor2
optional module missing: Net::Ident
optional module missing: IO::Socket::INET6
optional module missing: IO::Socket::SSL
optional module missing: LWP::UserAgent
optional module missing: HTTP::Date
optional module missing: Archive::Tar
optional module missing: IO::Zlib
#perl ./Makefile.PL
#make
#make install
#nano /etc/init.d/spamassassin
#!/bin/sh -e
# Start or stop spamd
#
PATH=/bin:/usr/bin:/sbin:/usr/sbin
case "$1" in
  start)
    echo -n "Starting spamd"
    /usr/bin/spamd --create-prefs --max-children 5 --helper-home-dir -x --virtual-config-dir=/home/spamassassin &
    ;;
  stop)
    echo -n "Stopping spamd"
    kill -9 `ps ax | grep "/usr/bin/spamd" | grep -v grep | awk '{ print $1 }'`
    ;;
  restart)
    $0 stop || true
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/spamassassin {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
Set the permissions.
#chmod 755 /etc/init.d/spamassassin
and add it to the default runlevel.
#update-rc.d spamassassin defaults
Remove the remark on rewrite_header_subject.
#nano /etc/mail/spamassassin/local.cf
rewrite_header Subject *****SPAM*****
The following is for fixing error with auto learn, when spamc runs as user nobody with no home to store whitelists.
#mkdir /home/spamassassin
#chown nobody /home/spamassassin
modules for sa-update
#cpan install Net::DNS
#cpan install Archive::Tar
#apt-get install gnupg
Run and update spamassassin rule set.
#sa-update -D
#nano /etc/postfix/master.cf
smtp inet n - n - - smtpd
  -o content_filter=spamassassin
#Spamassassin
spamassassin unix - n n - - pipe
  user=nobody argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
The following install of eaccelerator is optional; this will give you some performance boost in php. Supposedly 10 times more, but I don't know, I haven't benchmarked.
#------------------------------------------
# Install eACCELERATOR
#------------------------------------------
Download eAccelerator source package to /root folder and extract it
#cd /tmp
#wget http://prdownloads.sourceforge.net/eacc ... 2?download
#tar jxvf eaccelerator-0.9.4.tar.bz2
#cd eaccelerator-0.9.4
Running phpize creates config file which is needed in make.
#/usr/bin/phpize
#./configure -with-eaccelerator-userid
#make
#make install
After this the installation is completed.
Edit file /etc/php4/apache2/php.ini and add following lines:
#nano /etc/php4/apache2/php.ini
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
Create temporary folder to eAccelerator
#mkdir /tmp/eaccelerator
#chmod 0777 /tmp/eaccelerator
Restart apache and you're finished with the eAccelerator configuration
#/etc/init.d/apache2 restart
Testing Your installation
Create test.php file with following lines on it:
<?php
eaccelerator();
?>
Testing php
Create phptest.php
<?php
phpinfo();
?>
If you have eAccelerator info shown on that page, accelerator is working
#------------------------------------------
# Install MIME_HEADER_CHECKS
#------------------------------------------
Rejecting unwanted files, viruses and worms, fast way
#nano /etc/postfix/main.cf
mime_header_checks = regexp:/etc/postfix/mime_header_checks
#nano /etc/postfix/mime_header_checks
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(exe|lnk|cpl|asd|hlp|ocx|reg|bat|c[ho]m|cmd|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|xl))"?\s*$/
  REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
#------------------------------------------
# Install SASLAUTH
#------------------------------------------
#nano /etc/default/saslauthd
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd"
#nano /etc/init.d/postfix
edit /etc/init.d/postfix on line 43 or so, add "etc/sasldb2"
FILES="etc/localtime etc/services etc/resolv.conf etc/hosts etc/sasldb2 \
This way, postfix will copy sasldb2 on startup to the chroot directory
#mkdir -p /var/spool/postfix/var/run/saslauthd
#chown -R root.sasl /var/spool/postfix/var/run/saslauthd
#mkdir /etc/postfix/sasl
#cd /etc/postfix/sasl
#nano smtpd.conf
pwcheck_method: saslauthd
#nano /etc/postfix/main.cf
mynetworks = 127.0.0.0/8
# If everything works, change to yes
smtpd_tls_auth_only = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
Add to current smtpd_recipient_restrictions
smtpd_recipient_restrictions =
  permit_sasl_authenticated
  permit_mynetworks
  reject_unauth_destination
  reject_unauth_pipelining
  reject_invalid_hostname
  reject_non_fqdn_sender
  reject_unknown_sender_domain
  reject_non_fqdn_recipient
  reject_unknown_recipient_domain
  reject_rbl_client list.dsbl.org
  reject_rbl_client relays.ordb.org
  reject_rbl_client dnsbl.njabl.org
  reject_rbl_client dnsbl.sorbs.net
  reject_rbl_client bl.spamcop.net
smtpd_reject_unlisted_sender = yes
Testing sasl functionality
#perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
e.g.
#perl -MMIME::Base64 -e 'print encode_base64("jimmy\0jimmy\0real-secret");'
#amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
jimmy@reptile:~$ telnet jimmy.test.com 25
Trying 1.2.3.4...
Connected to jimmy.test.com
Escape character is '^]'.
220 kitana.test.com at ESMTP Mailserver
ehlo reptile.test.com
250-kitana.jimmy.test.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH PLAIN amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
235 Authentication successful
Installing postgrey is optional. It will reduce spam dramatically but will eat ram and cpu.
#------------------------------------------
# Install POSTGREY
#------------------------------------------
##sudo apt-get install postgrey
##sudo nano /etc/postfix/main.cf
##smtpd_recipient_restrictions =
## permit_sasl_authenticated,
## permit_mynetworks,
## check_relay_domains,
## check_policy_service inet:127.0.0.1:60000
#------------------------------------------
# Install POSTFIX CA/CERTS
#------------------------------------------
##sudo nano /etc/postfix/main.cf
##smtpd_use_tls=yes
##smtpd_tls_auth_only=yes
##smtpd_tls_cert_file=/etc/postfix/cert/postfix.cert
##smtpd_tls_key_file=/etc/postfix/cert/postfix.key
##mkdir /etc/postfix/cert
##cd /etc/postfix/cert
##sudo openssl req -new -outform PEM -out postfix.cert -newkey rsa:2048 -nodes -keyout postfix.key -keyform PEM -days 3065 -x509
or
#mkdir /etc/postfix/cert
#cd /etc/postfix/cert
Create HOME-CA
#/usr/lib/ssl/misc/CA.pl -newca
Create an unpassworded private key for host bubba and create an unsigned public key certificate.
#openssl req -new -nodes -keyout bubba-key.pem -out bubba-req.pem -days 365
Sign the public key certificate for host bubba with the Certification Authority private key that we created a few steps ago.
#openssl ca -out bubba-cert.pem -infiles bubba-req.pem
#cp demoCA/cacert.pem bubba-key.pem bubba-cert.pem /etc/postfix/cert
#chmod 644 /etc/postfix/cert/bubba-cert.pem /etc/postfix/cert/cacert.pem
#chmod 400 /etc/postfix/cert/bubba-key.pem
#nano /etc/postfix/main.cf
smtp_tls_CAfile = /etc/postfix/cert/cacert.pem
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
smtpd_tls_cert_file = /etc/postfix/cert/bubba-cert.pem
smtpd_tls_key_file = /etc/postfix/cert/bubba-key.pem
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
smtpd_use_tls = yes
#------------------------------------------
# Install DOVECOT/CERT
#------------------------------------------
#cd /etc/dovecot
#nano dovecot.conf
protocols = imap imaps
ssl_cert_file = /etc/dovecot/imapcert.cert
ssl_key_file = /etc/dovecot/imapkey.key
#openssl req -new -outform PEM -out imapcert.cert -newkey rsa:2048 -nodes -keyout imapkey.key -keyform PEM -days 3065 -x509
#chmod 644 /etc/dovecot/imapcert.cert
#chmod 400 /etc/dovecot/imapkey.key
The following is a script for training the ham and spam rules of spamassassin. When you receive a ham or spam just mail it to spam@yourdomain or notspam@yourdomain.
#------------------------------------------
# Install SPAM/NOTSPAM USERS/SCRIPTS
#------------------------------------------
#adduser --disabled-login spam
#adduser --disabled-login notspam
#nano /bin/delnotspam:
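#!/bin/bash
# stop if the directory is missing, so rm never runs somewhere else
cd /home/notspam/Mail/new || exit 1
rm -f -- *
#nano /bin/delspam:
#!/bin/bash
# stop if the directory is missing, so rm never runs somewhere else
cd /home/spam/Mail/new || exit 1
rm -f -- *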
#chmod 755 /bin/delnotspam
#chmod 755 /bin/delspam
#------------------------------------------
# Install CRONTAB -E
#------------------------------------------
#crontab -e
10 12 * * * /usr/bin/sa-learn --ham /home/notspam/Mail/new >> /var/log/sa-train.log; echo "Ham done: $(date)" >> /var/log/sa-train.log
# assumed intent: empty the mailbox weekly, Sunday 00:00 (0 is not a valid month value)
0 0 * * 0 /bin/delnotspam
40 12 * * * /usr/bin/sa-learn --spam /home/spam/Mail/new >> /var/log/sa-train.log; echo "Spam done: $(date)" >> /var/log/sa-train.log
0 0 * * 0 /bin/delspam
#Update virusdatabase (once at 22:00; a * in the minute field would run it every minute of that hour)
0 22 * * * /usr/local/bin/freshclam
#run a virus check, is extremely slow.
0 23 * * * /usr/local/bin/clamscan / -r -i -l /var/log/clamscan.log
#update spamassassin rules
0 20 * * * /usr/bin/sa-update -D
Done!
test your system with:
Spam:
http://spamassassin.apache.org/gtube/
Virus:
http://www.eicar.org/anti_virus_test_file.htm
Openrelay:
http://www.abuse.net/relay.html
This should give you a working system, but I might have forgotten something.
This setup will force smtp auth when users send mail (relay) out publicly; unfortunately it will allow local users to still send mail internally without smtp auth, this could be used to send fake (forged) mails internally.
If you know how to fix this PLEASE leave suggestions.
One solution is to get iptables working and block all ports except 25, and use a webmail interface, then local forged mails should not work.
You will also get a virus and spamfiltering server.
/limpo
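Added example (not part of limpo's post): the telnet test above shows AUTH being offered on a plain-text session while smtpd_tls_auth_only is still no, so this Python code audits an EHLO reply for that condition and decodes an AUTH PLAIN token to show that base64 is all that separates the wire from the password. The function names and the hardened reply are constructed for illustration; the first reply and the token are the ones from the post.

```python
import base64

# EHLO reply copied from the telnet session in the post (plain TCP, port 25).
PAGE_EHLO = """250-kitana.jimmy.test.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME""".splitlines()

# Constructed sample: what the same server would announce before STARTTLS
# once smtpd_tls_auth_only = yes and TLS are both configured.
HARDENED_EHLO = """250-kitana.jimmy.test.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME""".splitlines()

# Mechanisms that put the password itself on the wire, only base64-encoded.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def decode_auth_plain(token):
    """Split an AUTH PLAIN token into (authzid, authcid, password), per RFC 4616."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


def parse_ehlo(lines):
    """Return {KEYWORD: set(args)}; the first 250 line is the server name, not a keyword."""
    caps = {}
    for line in lines[1:]:
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            continue
        # "AUTH=..." is the legacy spelling enabled by broken_sasl_auth_clients
        words = line[4:].replace("=", " ", 1).split()
        if words:
            caps.setdefault(words[0].upper(), set()).update(w.upper() for w in words[1:])
    return caps


def audit_ehlo(lines, tls_active=False):
    """List findings for one EHLO reply seen on a session with or without TLS."""
    caps = parse_ehlo(lines)
    findings = []
    if not tls_active:
        if "STARTTLS" not in caps:
            findings.append("STARTTLS not offered")
        if "AUTH" in caps:
            findings.append("AUTH offered before TLS")
            weak = sorted(caps["AUTH"] & CLEARTEXT_MECHS)
            if weak:
                findings.append("password-equivalent mechanisms in clear: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print(decode_auth_plain("amltbXkAamltbXkAcmVhbC1zZWNyZXQ="))
    for name, reply in (("as posted", PAGE_EHLO), ("hardened", HARDENED_EHLO)):
        print(name, audit_ehlo(reply) or "no findings")
```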
-Howto- Postfix sasl spamassassin clamav
Hi, Aitch
I have not done any extensive testing, but I feel that the performance is not bad even with spamassassin; of course I guess this depends on how many modules in spamassassin you have activated (advanced spam filtering techniques/pyzor/etc.).
What is hitting performance is if you are using clamav right on postfix or using a content scanner like mailscanner; this will take more than 1m for mail to pass all checks. But with clamsmtp, which uses fewer virus checks on mails, it will only take from 5-20 sec depending on the current workload on bubba.
You can performance test postfix with smtp-source/smtp-sink:
example:
smtp-source -c -l 50 -m 5 -f test@example.org -t aaa@bbb.org -S Test -M www.example.org mx.bbb.org
-c Display a running counter
-l length: Send length bytes as message payload.
-m message_count: Send the specified number of messages (default: 1).
-f from
-t to
-S subject
-M myhostname
I guess one could make a small benchmark test shell script with time and run smtp-source to see how long each delivered mail takes.
/limpo
Hi Aitch,
great set of instructions. I've installed the clamav and clamsmtp parts on my bubba server and all seems to be working great.
I couldn't get your virus_action.sh to work for me (although I didn't try too hard I must admit). I used one from the clamsmtp site instead - although it does require formail which can be found in the procmail package (http://memberwebs.com/nielsen/software/ ... p/scripts/)
I've reproduced it here in case anyone else wants to try an alternative (replace the MAILTO email address for the recipient of virus alerts):
DS
#!/bin/sh
#
# v0.3 (2005-01-13)
#
# Simple VirusAction script to get virus alerts via email from ClamSMTP.
# Depends on formail binary.
#
# Olivier Beyssac <ob@r14.freenix.org>
#
# Thanks to Colin McKinnon <colin@mms3.com> for the ``cat -v'' patch
#
# Email address to send alerts to
MAILTO=desired_username_to_field_mails@localhost
# formail should be in PATH
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
LINE="-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"
(echo "Virus name: $VIRUS"
 echo "Sender: $SENDER"
 echo "Recipient(s): $RECIPIENTS"
 echo "SMTP client: $CLIENT"
 echo "SMTP server: $SERVER"
 echo
 # quote $EMAIL so a path with spaces or glob characters stays one word
 if [ "x$EMAIL" != "x" ] && [ -f "$EMAIL" ]
 then
     echo "Quarantined to: $EMAIL"
     echo
     echo Headers follow:
     echo "$LINE"
     formail -X "" < "$EMAIL"
     echo "$LINE"
 fi
) | cat -v | mail -s "$VIRUS found on $SERVER" "$MAILTO"
Just like to notice that I've followed the instructions to install spamassassin on my Bubba. It worked with some (small) modifications, don't know if this is because I use etch or what (or maybe because I didn't download any source but just issued apt-get install spamassassin?). But anyway I thought it would be good for other to know.
Firstly I didn't have to create any /etc/init.d/spamassassin, it was already there (guess this is thanks to using the debian package).
Secondly I had to install some more packages, libexpat1-dev and spamc.
Well, that was about that. Thanks for a good guide!
Oh, another thing. I came to the conclusion that spamassassin wasn't of much use if I got the spam in my inbox anyway, so I've played around for a bit with sieve, filtering the spam into another box. Really nice! I think I'll write a new howto on that...
/Daniel