Postfix-jp - AMaViS + Sophos Anti-Virus Install Record
Modified: 19 May, 2002
This is a translation of my document in Japanese.
This is my record of setting up Postfix with a virus scanner, prompted by a thread in the Postfix-jp ML archive.
I used Sophos Anti-Virus (SAV) for UNIX as the virus scanning software. It comes with a 30-day trial period.
Virus scanning software that only searches data in the file system can't detect viruses in MIME-encoded or uuencoded mail. An interface is therefore needed to decode the attachments and hand them to the scanner.
For that purpose I used AMaViS, which works well with Postfix, as the interface between Postfix and SAV. It is distributed under the GNU GPL.
This procedure assumes Postfix Release-20010228 PL04 installed on FreeBSD 4.3. For other environments, read through and adjust file names etc. accordingly.
Downloaded archives are placed in /tmp/src.
To expand the archives, install unzip or an equivalent before starting.
A # at the start of a command line denotes a command run as the super-user, and % one run as an ordinary user. Some commands (setenv) are csh built-ins, so sh users will need to substitute the equivalent (export).
From the download page, get Sophos Anti-Virus for your platform (I got "Sophos Anti-Virus for FreeBSD (ELF format)", freebsd.elf.tar.Z) and the latest virus identity (IDE) files (the latest file was 348_ides.zip on 28/8/2001).
Extract the files from the archive and install them.
% setenv SRCDIR /tmp/src
% cd ${SRCDIR}
% tar xvzf freebsd.elf.tar.Z
% cd sav-install
% su
# vi /etc/group
(create a group, sweep, by adding the following line)
sweep:*:12346:
# vipw
(create a user, sweep, by adding the following line)
sweep:*:12346:12346::0:0:virus checker:/nonexistent:/sbin/nologin
# rm -f /usr/local/lib/libsavi.*
(when updating, remove the old libraries first)
# ./install.sh
# less /etc/sav.conf
(check the contents of sav.conf)
# cd ${SRCDIR}
# mkdir ides
# cd ides
# unzip ../348_ides.zip
# cp *.ide /usr/local/sav
(only for FreeBSD 4 or later)
# /stand/sysinstall
Select [Configure] - [Distributions] - [compat3x] and install it.
The sweep -v command prints information such as which IDE files are recognized.
There are two methods of using AMaViS with Postfix: as the local delivery agent (mailbox_command), or as a content filter that receives mail from Postfix and hands it back over SMTP.
Although the former is easy to set up, it has some problems. Because AMaViS is used as the local mail delivery agent, no virus scan is performed when mail is forwarded to another account or to a third-party program such as procmail via .forward; the temporary files for scanning are placed in a world-writable directory (the sticky bit only stops other users from removing or renaming them); home_mailbox = Maildir/ can't be used; and so on.
With the latter method, the Postfix queue manager hands mail to AMaViS and a Postfix smtpd receives the scanned mail back from AMaViS over SMTP, so it has none of these problems, but the configuration is a little more complicated.
Here is the setup common to both methods.
In order to use AMaViS-perl, the following software is required.
A number of Perl modules are also required (they are the ones installed in the CPAN session below).
If you install the Perl modules manually and set up scanning of both incoming and outgoing mail (that is, if you pass the --enable-smtp option to AMaViS's configure), you will also need to install
In the automatic procedure below, libnet is installed as part of Bundle::libnet.
You can install these modules automatically using CPAN shell. Execute
# perl -MCPAN -e shell
and type the following at the prompt:
install Unix::Syslog
install Convert::UUlib
install Convert::TNEF
install Compress::Zlib
install Archive::Tar
install Archive::Zip
install G/GB/GBARR/MailTools-1.15.tar.gz
install MIME::Tools
install Bundle::libnet
which will install all the required modules. If you don't use the CPAN shell, extract each module's archive and run the following commands in each module's directory:
# cd module-dir
# perl Makefile.PL
# make
# make test
# make install
Because of dependencies, some modules (MIME-Base64, IO-stringy, libnet) may need to be installed first.
The aliases file should have a user, virusalert, who receives mail when a virus is detected. Run newaliases after editing it so that Postfix picks up the change.
# vi /etc/aliases
(add the following line)
virusalert: root
If you use AMaViS as the local delivery agent (the first method), the default AMaViS settings need no change.
Download the source code of AMaViS-Perl from the AMaViS download page (the latest version on 2001.8.28 was amavis-perl-11.tar.gz).
% setenv SRCDIR /tmp/src
% cd ${SRCDIR}
% tar xvzf amavis-perl-11.tar.gz
% cd amavis-perl-11
% ./configure
% make
% make check
% su
# make install
Used this way, AMaViS is started by local(8) with the privileges of each recipient, so every recipient user must be able to create files in the scan directories, and they have to be world-writable. The sticky bit keeps users from removing or renaming each other's files, but any local user can still create files there.
# chmod 1777 /var/amavis /var/virusmails
On the Postfix side, configure AMaViS as the mailbox_command.
# vi /etc/postfix/main.cf
(add the following line)
mailbox_command = /usr/sbin/amavis "$SENDER" "$RECIPIENT"
# postfix reload
That's all for Postfix configuration.
When a mail that is not infected is delivered, the following is logged in /var/log/maillog:
Aug 28 17:23:07 localhost amavis[55685]: starting. amavis perl-11 Sat Aug 25 23:40:10 JST 2001
Aug 28 17:23:08 localhost amavis[55685]: do_exit:400 - ending execution with 0
Aug 28 17:23:08 localhost postfix/local[55683]: BCE053F49: to=<ike@localhost.localdomain>, relay=local, delay=3, status=sent ("|/usr/sbin/amavis "$SENDER" "$RECIPIENT"")
When the scanner finds an infected mail, /var/log/maillog shows:
Aug 28 14:15:43 localhost amavis[55025]: starting. amavis perl-11 Sat Aug 25 23:40:10 JST 2001
Aug 28 14:15:44 localhost amavis[55025]: Virus found - quarantined as virus-20010828-141544-55025
And the system sends an alert mail to the original sender like this:
From: postmaster@localhost.localdomain
To: ike@localhost.localdomain
Subject: VIRUS IN YOUR MAIL
Date: Tue, 28 Aug 2001 20:37:21 JST

                  V I R U S  A L E R T

Our viruschecker found the 'W32/Sircam-A' virus(es) in your email to the following recipient(s):
-> ike@localhost.localdomain

Please check your system for viruses, or ask your system administrator to do so.

For your reference, here are the headers from your email:
------------------------- BEGIN HEADERS -----------------------------
(snip)
and to virusalert like this:
From: postmaster@localhost.localdomain
To: virusalert@localhost.localdomain
Subject: FOUND VIRUS IN MAIL from ike@localhost.localdomain
Date: Tue, 28 Aug 2001 20:37:21 JST

A virus was found in an email from: ike@localhost.localdomain
The message was addressed to:
-> ike@localhost.localdomain

The message has been quarantined as:
/var/virusmails/virus-20010828-203721-56119

Here is the output of the scanner:
>>> Virus 'W32/Sircam-A' found in file /var/amavis/amavis-02133168/parts/msg-56119-1.com

Here are the headers:
------------------------- BEGIN HEADERS -----------------------------
(snip)
By default, the system sends no mail to the original recipient. If you need that, add the --with-warnrecip=yes option to the ./configure command. Note that many mass-mailing worms forge the sender address, so the alert to the "original sender" frequently reaches an uninvolved third party.
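As an added example (written for this page, not code from AMaViS or Postfix), here is a small POSIX shell/awk monitor that runs over maillog lines in the format shown above: it lists the quarantine IDs from "Virus found" lines, maps them to files under /var/virusmails, and flags amavis runs that logged "starting." but neither an exit nor a quarantine, which is how a scanner that was killed or hung would show up. The sample log is constructed from the lines above plus one invented incomplete run (pid 55700); the function names are this example's own.

```shell
#!/bin/sh
# Added example for this page (not from AMaViS): summarise amavis
# activity from /var/log/maillog lines.

# Constructed sample in the format the page shows; the last line is an
# invented run (pid 55700) that never finished.
SAMPLE_MAILLOG='Aug 28 17:23:07 localhost amavis[55685]: starting. amavis perl-11 Sat Aug 25 23:40:10 JST 2001
Aug 28 17:23:08 localhost amavis[55685]: do_exit:400 - ending execution with 0
Aug 28 17:23:08 localhost postfix/local[55683]: BCE053F49: to=<ike@localhost.localdomain>, relay=local, delay=3, status=sent ("|/usr/sbin/amavis "$SENDER" "$RECIPIENT"")
Aug 28 14:15:43 localhost amavis[55025]: starting. amavis perl-11 Sat Aug 25 23:40:10 JST 2001
Aug 28 14:15:44 localhost amavis[55025]: Virus found - quarantined as virus-20010828-141544-55025
Aug 28 18:02:11 localhost amavis[55700]: starting. amavis perl-11 Sat Aug 25 23:40:10 JST 2001'

# quarantined_ids LOG: one quarantine file name per detection.
quarantined_ids() {
    printf '%s\n' "$1" | sed -n 's/.*Virus found - quarantined as \([^ ]*\).*/\1/p'
}

# quarantine_paths LOG [DIR]: full paths of the quarantined messages.
# DIR defaults to /var/virusmails, the directory the page uses.
quarantine_paths() {
    dir="${2:-/var/virusmails}"
    quarantined_ids "$1" | sed "s|^|$dir/|"
}

# count_quarantined LOG: number of detections.
count_quarantined() {
    quarantined_ids "$1" | wc -l | tr -d ' '
}

# incomplete_runs LOG: pids of amavis runs that logged "starting." but
# neither "ending execution" nor "Virus found" (the page shows the virus
# case ending with the quarantine line). A run that dies without either
# means the message was neither delivered by amavis nor quarantined,
# so it deserves a look.
incomplete_runs() {
    printf '%s\n' "$1" | awk '
        match($0, /amavis\[[0-9]+\]/) {
            pid = substr($0, RSTART + 7, RLENGTH - 8)
            if ($0 ~ /\]: starting\./) started[pid] = 1
            if ($0 ~ /ending execution with/ || $0 ~ /Virus found/) finished[pid] = 1
        }
        END { for (p in started) if (!(p in finished)) print p }
    ' | sort
}

# Stand-alone demonstration on the constructed sample.
echo "detections: $(count_quarantined "$SAMPLE_MAILLOG")"
quarantine_paths "$SAMPLE_MAILLOG"
echo "incomplete runs: $(incomplete_runs "$SAMPLE_MAILLOG")"
```

Feed it the real log with `incomplete_runs "$(cat /var/log/maillog)"`; the quarantine path list is what you hand to an analyst, and a non-empty incomplete-run list is the condition worth alerting on.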
The README.postfix file in the AMaViS archive describes two methods of scanning both incoming and outgoing mail: running two separate Postfix instances, or using content_filter.
The former has some problems: two different Postfix installations with different configurations are required, locally submitted mail that doesn't pass through SMTP (port 25) is not scanned, and mail log analyzers may be confused by logs from two Postfix systems.
Although the latter has none of these problems, anyone who connects directly to port 10025 (the default) and talks SMTP bypasses the scanner. You therefore need to block access to port 10025 from other hosts (binding the listener to localhost, as in the master.cf below, keeps it off the network; local users on the same host can still reach it).
I'll describe the second method, using content_filter. If you are interested in the former, see "using amavis with postfix" (by Sato-san, in Japanese) or the README.postfix file in the AMaViS archive.
In this method, you need to pass some options to the ./configure command. If you change the default AMaViS user (vscan) or the default SMTP port to which scanned mail is sent back (10025), add --with-amavis-user=USER or --with-smtp-port=PORT to the options in the following example:
% setenv SRCDIR /tmp/src
% cd ${SRCDIR}
% tar xvzf amavis-perl-11.tar.gz
% cd amavis-perl-11
% ./configure --enable-smtp --enable-postfix
At this point, check the configuration result starting with:
** Configuration summary for amavis perl-11 2001-04-07
If it contains the line:
Enable SMTP: no
the libnet module (not Bundle::libnet) may not have been installed. If so, install it following the module installation description above and run configure again.
% make
% make check
% su
# vipw
(add the user vscan)
vscan:*:12347:65534::0:0:virus checker:/nonexistent:/sbin/nologin
# make install
Don't make the /var/amavis and /var/virusmails directories world-writable in this setup; they should be owned by vscan and accessible only to that user, as shown:
% ls -ld /var/amavis /var/virusmails
drwx------  2 vscan  wheel  512  8/28 21:23 /var/amavis/
drwx------  2 vscan  wheel  512  8/28 21:23 /var/virusmails/
On the Postfix side, the configuration for content_filter is required. See the FILTER_README file in the Postfix archive for details.
# vi /etc/postfix/main.cf
(add the following line)
content_filter = vscan:
# vi /etc/postfix/master.cf
(add the following lines; the leading whitespace on the continuation lines is significant, don't remove it)
vscan     unix  -       n       n       -       10      pipe
    user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
# postfix reload
The -o content_filter= override on the localhost:10025 listener clears the filter for mail coming back from AMaViS; without it, scanned mail would be handed to the scanner again in a loop.
When a mail is found to be infected, the same log entries as in the receive-only setup are written to /var/log/maillog, and alert mails are sent to the sender and the server administrator (virusalert).
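As an added check (example code written for this page, not part of AMaViS or Postfix), the following POSIX shell script audits a master.cf fragment for the points above: the smtpd that takes scanned mail back must listen on localhost only and must carry -o content_filter= (otherwise every scanned message is fed to the scanner again), and the pipe service must run as an unprivileged user. Both fragments are constructed; the function names and the awk field positions (the master.cf service columns) are this example's own.

```shell
#!/bin/sh
# Added example for this page (not from the AMaViS or Postfix projects):
# audit the content_filter services in a master.cf fragment.

# Fold master.cf continuation lines (lines beginning with whitespace)
# onto the preceding service line so that each service is one line.
join_master_cf() {
    awk '
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
        /^#/ || /^$/ { next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# check_reinjection CONFIG [PORT]
# Exit 0 only if the inet service on PORT (default 10025):
#   - binds to localhost / 127.0.0.1, so remote hosts cannot inject
#     unscanned mail straight into the post-filter smtpd, and
#   - carries "-o content_filter=", so scanned mail is not sent back
#     to the scanner in a loop.
check_reinjection() {
    printf '%s\n' "$1" | join_master_cf | awk -v port="${2:-10025}" '
        $2 == "inet" && $1 ~ ("(^|:)" port "$") {
            found = 1
            if ($1 !~ /^(localhost|127\.0\.0\.1):/) bad = 1
            if ($0 !~ /-o[ \t]+content_filter=([ \t]|$)/) bad = 1
        }
        END { exit ((found && !bad) ? 0 : 1) }
    '
}

# check_filter_user CONFIG
# Exit 0 only if every pipe(8) service sets user= to a non-root account,
# so the scanner unpacks untrusted attachments without privilege.
check_filter_user() {
    printf '%s\n' "$1" | join_master_cf | awk '
        $2 == "unix" && $8 == "pipe" {
            found = 1
            if ($0 !~ /[ \t]user=[^ \t]+/) bad = 1
            if ($0 ~ /[ \t]user=root([ \t]|$)/) bad = 1
        }
        END { exit ((found && !bad) ? 0 : 1) }
    '
}

# Constructed fragment matching the setup described on this page.
GOOD_MASTER_CF='vscan     unix  -       n       n       -       10      pipe
    user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter='

# Constructed weak fragment: listener on all interfaces, content_filter
# not cleared, and the scanner running as root.
BAD_MASTER_CF='vscan     unix  -       n       n       -       10      pipe
    user=root argv=/usr/sbin/amavis ${sender} ${recipient}
10025     inet  n       -       n       -       -       smtpd'

# audit NAME CONFIG: print a one-line verdict for a fragment.
audit() {
    if check_reinjection "$2" && check_filter_user "$2"; then
        echo "$1: ok"
    else
        echo "$1: UNSAFE"
    fi
}

audit good "$GOOD_MASTER_CF"
audit bad  "$BAD_MASTER_CF"
```

To run it against the live file, use `audit live "$(cat /etc/postfix/master.cf)"`; the localhost check only covers the bypass from other hosts, so a packet filter rule on port 10025 is still the right belt-and-braces measure.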