Difference between revisions of "HowTos/Amavisd"
m (→Queue settings) |
PatSuwalski (Talk | contribs) m (SPAM Removal) |
||
(84 intermediate revisions by 16 users not shown) | |||
Line 1: | Line 1: | ||
− | + | [[Scalix Wiki]] -> [[How-Tos]] -> '''Amavisd''' | |
− | + | == It's easier than it looks! == | |
+ | |||
+ | Through efforts to make this HOWTO both comprehensive & well-structured it has grown to be outwardly rather large. | ||
+ | |||
+ | Don't be deceived - the actual amount of work involved following the instructions is actually rather small & even Linux beginners should be able to have a working setup within an hour. | ||
+ | |||
+ | == Why Amavisd-New? == | ||
+ | |||
+ | *Large user community | ||
+ | *Centralised configuration | ||
+ | *Ability to apply site-wide rules | ||
+ | *Works with all major UNIX/Linux MTAs | ||
+ | |||
+ | == About this HOWTO == | ||
This HOWTO details a setup that uses amavisd-new to do both '''spam & virus scanning''' & should be followed '''in place''' of the following procedures: | This HOWTO details a setup that uses amavisd-new to do both '''spam & virus scanning''' & should be followed '''in place''' of the following procedures: | ||
Line 13: | Line 26: | ||
== Test platforms == | == Test platforms == | ||
− | * Fedora Core 4 | + | * <s>Fedora Core 4</s> <!-- Fedora Core 4 is no longer supported --> |
* CentOS 4 | * CentOS 4 | ||
* SuSE OSS 10.0 | * SuSE OSS 10.0 | ||
+ | |||
+ | * CentOS 5 | ||
== Before you start == | == Before you start == | ||
Line 23: | Line 38: | ||
'''DO NOT install the amavisd-new-milter RPM''' - see [[#Installing amavisd-milter|'''Installing amavisd-milter''']]. | '''DO NOT install the amavisd-new-milter RPM''' - see [[#Installing amavisd-milter|'''Installing amavisd-milter''']]. | ||
− | == | + | == Prerequisites == |
− | Please note that in both cases the packages below have various dependencies which your package manager should take care of | + | Please note that in both cases the packages below have various dependencies which your package manager should take care of. You may need to add/enable extra repositories to obtain some of the packages. |
+ | |||
+ | Just to make it clear for those, like me, that for some odd reason completely missed the point of this section. The following packages must be installed correctly before you continue. | ||
=== Redhat/CentOS/Fedora RPMs === | === Redhat/CentOS/Fedora RPMs === | ||
− | *amavisd-new | + | *amavisd-new (not the same as amavisd-new-milter) |
*spamassassin | *spamassassin | ||
Line 40: | Line 57: | ||
*gcc | *gcc | ||
+ | |||
+ | One good place to find Fredora/RedHat RPMs: http://apt.sw.be/ | ||
+ | |||
+ | ==== CentOS 5 Example ==== | ||
+ | |||
+ | Install prerequisites: | ||
+ | yum install amavisd-new spamassassin clamd sendmail-cf sendmail-devel gcc | ||
+ | |||
+ | CentOS does not have amavisd-new and clamd. To fix this, install RPMforge Repository: | ||
+ | rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm | ||
+ | |||
+ | Install amavisd-new and clamd: | ||
+ | yum install amavisd-new clamd | ||
+ | |||
+ | Note: RPMforge also has an update for the spamassassin package. | ||
=== SuSE RPMs === | === SuSE RPMs === | ||
Line 65: | Line 97: | ||
./configure && make && sudo make install | ./configure && make && sudo make install | ||
− | Assuming you | + | Assuming you ran the commands above, the binary will be installed in /usr/local/sbin |
'''''NB:''' Startup scripts must be installed separately'' - see [[#Initscripts/Sysconfig files for amavisd-milter|'''Initscripts/Sysconfig files for amavisd-milter''']]. | '''''NB:''' Startup scripts must be installed separately'' - see [[#Initscripts/Sysconfig files for amavisd-milter|'''Initscripts/Sysconfig files for amavisd-milter''']]. | ||
+ | |||
+ | If you getting this error: "error:required milter library and header not found" It is because you did not install sendmail-devel and probably also glazed over the prereq section. Install all the prereqs and then continue. | ||
+ | |||
+ | ====CentOS 5 Example==== | ||
+ | Install [http://sourceforge.net/project/showfiles.php?group_id=138169 amavisd-milter] | ||
+ | # run the following not as root | ||
+ | wget http://voxel.dl.sourceforge.net/sourceforge/amavisd-milter/amavisd-milter-1.3.1.tar.gz | ||
+ | sudo yum install sendmail-devl # installed with prerequisites | ||
+ | tar -zvxf amavisd-milter-1.3.1.tar.gz ; cd amavisd-milter-1.3.1 | ||
+ | ./configure && make && sudo make install | ||
+ | |||
+ | Install amavisd-milter sysconfig script: | ||
+ | wget http://users.on.net/~hilton/amavisd-milter-sysconfig.txt | ||
+ | mv amavisd-milter-sysconfig.txt /etc/sysconfig/amavisd-milter | ||
+ | |||
+ | Install amavisd-milter init.d script: | ||
+ | wget http://users.on.net/~hilton/amavisd-milter-init.d.txt | ||
+ | mv amavisd-milter-init.d.txt /etc/init.d/amavisd-milter | ||
+ | chmod u+x /etc/init.d/amavisd-milter | ||
+ | chkconfig --add amavisd-milter | ||
== Configuring amavisd-new == | == Configuring amavisd-new == | ||
− | The config file for amavisd-new is fairly huge, but don't be put off as most of the values can safely stay at the defaults. The critical ones to add/edit/uncomment/comment are: | + | The config file for amavisd-new (/etc/amavisd.conf) is fairly huge, but don't be put off as most of the values can safely stay at the defaults. The critical ones to add/edit/uncomment/comment are: |
$protocol = "AM.PDP"; # Use AM.PDP protocol. | $protocol = "AM.PDP"; # Use AM.PDP protocol. | ||
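Review bot: the added CentOS 5 example misspells the package in `sudo yum install sendmail-devl`; the prerequisites list and the error paragraph added in this same hunk both name sendmail-devel, so the line fails as written. The sysconfig and init.d scripts are also fetched with wget over plain HTTP and moved straight into /etc/sysconfig and /etc/init.d, where the init script runs as root at boot; suggest adding a step to read both files before `chkconfig --add amavisd-milter`, and prefixing the `mv`, `chmod` and `chkconfig` lines with sudo, since the block opens with "run the following not as root".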
Line 83: | Line 135: | ||
$forward_method = undef; #must be set like this with sendmail milter. | $forward_method = undef; #must be set like this with sendmail milter. | ||
− | $mydomain= | + | $mydomain = "example.com" #Your domain |
− | $myhostname= | + | $myhostname = "cosmo.example.com"; #The FQDN of the Scalix host |
− | $ | + | $virus_admin = "root\@$mydomain"; #NDR recipient if virus found |
− | $ | + | $mailfrom_notify_admin = "virusalert\@$mydomain"; #NDR --> admin sender |
− | + | ||
− | This lines below control how amavisd-new will respond to the spam scores from SA. I set the first to | + | This lines below control how amavisd-new will respond to the spam scores from SA. I set the first to '-9999' so that effectively, the info headers are always added even if the message is deemed 'ham' (if your box is heavily-loaded you'll probably want to change this after debugging). The second sets the 'is spam' score, above which SA will add the 'X-Spam-Status: Yes' header & (optionally) rewrite the subject line, prepending whatever you define with $sa_spam_subject_tag. You'll probably want to leave the next three commented to prevent amavisd-new doing anything extreme with mail until you're comfortable with the setup. Set the last to undef if you want to leave subject lines alone for spam mail. |
− | $sa_tag_level_deflt = | + | $sa_tag_level_deflt = -9999; # add spam info headers if at, or above that level |
$sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level | $sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level | ||
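Review bot: the new `$mydomain = "example.com" #Your domain` line has no terminating semicolon, so a reader who pastes it into /etc/amavisd.conf ends up with a file that does not parse as Perl; add the `;` before the comment, as on the `$myhostname` line below it. In the rewritten paragraph, "This lines below" should read "The lines below".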
Line 115: | Line 167: | ||
In a nutshell, you probably want whatever you have in /etc/mail/local-host-names to be included in @local_domains_maps. | In a nutshell, you probably want whatever you have in /etc/mail/local-host-names to be included in @local_domains_maps. | ||
− | Finally, uncomment the code near the bottom that tells amavis to use the clamd daemon and edit the value '''/var/run/clamav/clamd''' to read '''/var/run/clamav/clamd.sock''' (matching the value in /etc/ | + | Finally, uncomment the code near the bottom that tells amavis to use the clamd daemon and edit the value '''/var/run/clamav/clamd''' to read '''/var/run/clamav/clamd.sock''' (matching the value in /etc/clamd.conf) |
### http://www.clamav.net/ | ### http://www.clamav.net/ | ||
Line 126: | Line 178: | ||
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | ||
+ | |||
+ | |||
+ | ===CentOS 5 Example=== | ||
+ | Install amavisd-new spamassassin: | ||
+ | yum install amavisd-new # installed with prerequisites | ||
+ | |||
+ | Configure amavis-new (/etc/amavisd.conf). | ||
+ | cp /etc/amavisd.conf /etc/amavisd.conf.orig | ||
+ | vi /etc/amavisd.conf | ||
+ | |||
+ | Summary of changes placed at top of amavisd.conf: | ||
+ | <pre> | ||
+ | ############################## | ||
+ | |||
+ | # ADDED: (new line added here) | ||
+ | $protocol = "AM.PDP"; # Use AM.PDP protocol. | ||
+ | $notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}'; | ||
+ | $forward_method = undef; #must be set like this with sendmail milter. | ||
+ | $myhostname = "mail.example.com"; #The FQDN of the Scalix host | ||
+ | $sa_spam_subject_tag = '***SPAM*** '; # Prepended to the subject line if defined. | ||
+ | |||
+ | # CHANGED: (line commented out below and changed here) | ||
+ | $mydomain = 'example.com'; # a convenient default for other settings | ||
+ | $sa_tag_level_deflt = -9999; # add spam info headers if at, or above that level | ||
+ | $sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level | ||
+ | $virus_admin = "root\@$mydomain"; # notifications recip. | ||
+ | # uncommented "['ClamAV-clamd'," + 3 lines (see below) | ||
+ | |||
+ | # DELETED: (line commented out below) | ||
+ | #$inet_socket_port = 10024; # listen on this local TCP port(s) | ||
+ | |||
+ | ############################## | ||
+ | </pre> | ||
== Initscripts/Sysconfig files for amavisd == | == Initscripts/Sysconfig files for amavisd == | ||
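Review bot: the "Summary of changes" block leaves out `$unix_socketname` and `$mailfrom_notify_admin`, both of which the main list in this section marks as settings to add or uncomment ("uncomment when using milter"); either add them to the summary or state that the stock CentOS 5 amavisd.conf already sets them. The lead-in "Install amavisd-new spamassassin:" also does not match its command, which installs only amavisd-new.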
Line 135: | Line 220: | ||
== Initscripts/Sysconfig files for amavisd-milter == | == Initscripts/Sysconfig files for amavisd-milter == | ||
− | === Sysconfig Script ( | + | === Sysconfig Script (required for all platforms) === |
− | [http://www.redcircleit.com/public/scripts/amavisd-milter-sysconfig.txt '''Download here'''] & copy to: '''/etc/sysconfig/amavisd-milter'''. | + | [http://www.redcircleit.com/public/scripts/amavisd-milter-sysconfig.txt '''Download here'''] or from this new location [http://users.on.net/~hilton/amavisd-milter-sysconfig.txt '''here'''] & copy to: '''/etc/sysconfig/amavisd-milter'''. |
Be sure to read this file & edit if necessary (the comments in the file provide all the required information). | Be sure to read this file & edit if necessary (the comments in the file provide all the required information). | ||
Line 143: | Line 228: | ||
=== Init Script (Redhat/CentOS/Fedora) === | === Init Script (Redhat/CentOS/Fedora) === | ||
− | [http://www.redcircleit.com/public/scripts/amavisd-milter-init-rh.txt '''Download here'''], copy to: '''/etc/init.d/amavisd-milter''' & do: | + | [http://www.redcircleit.com/public/scripts/amavisd-milter-init-rh.txt '''Download here'''] or this new location [http://users.on.net/~hilton/amavisd-milter-init.d.txt '''here'''], copy to: '''/etc/init.d/amavisd-milter''', make executable & do: |
sudo chkconfig --add amavisd-milter | sudo chkconfig --add amavisd-milter | ||
Line 149: | Line 234: | ||
=== Init Script (SuSE) === | === Init Script (SuSE) === | ||
− | [http://www.redcircleit.com/public/scripts/amavisd-milter-init-suse.txt '''Download here'''], copy to: '''/etc/init.d/amavisd-milter''' & do: | + | [http://www.redcircleit.com/public/scripts/amavisd-milter-init-suse.txt '''Download here'''], copy to: '''/etc/init.d/amavisd-milter''', make executable & do: |
sudo chkconfig --add amavisd-milter | sudo chkconfig --add amavisd-milter | ||
+ | |||
+ | This script needs the following to be added to the info section: ### END INIT INFO. Otherwise, the chkconfig won't work and fail with this error: insserv: script amavisd-milter is broken: missing end of LSB comment. (opensuse 10.2) | ||
== Configuring sendmail == | == Configuring sendmail == | ||
− | |||
− | |||
=== Redhat/CentOS/Fedora === | === Redhat/CentOS/Fedora === | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
==== Milter settings ==== | ==== Milter settings ==== | ||
− | + | Add the following two lines at the end of /etc/mail/sendmail.mc: (backup sendmail.cf & sendmail.mc first) | |
− | + | ||
define(`MILTER', 1)dnl | define(`MILTER', 1)dnl | ||
− | |||
INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl | INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl | ||
Line 185: | Line 260: | ||
sudo omsendin | sudo omsendin | ||
− | === | + | ==== Other settings ==== |
− | + | Virus notification mails are deferred to avoid the the milter being called twice. This means that if amavisd catches an infected mail the '$virusadmin' user won't be sent the notification until the queue is next run, which by default is every 1h. Therefore, edit '''/etc/sysconfig/sendmail''' & set the queue runner to a suitably low value for debugging, e.g. | |
− | + | QUEUE=1m | |
− | + | ||
− | + | ||
Note that common values for QUEUE are between 15-60m & RFC 1123 section 5.3.1.1 recommends that it be at least 30 minutes. | Note that common values for QUEUE are between 15-60m & RFC 1123 section 5.3.1.1 recommends that it be at least 30 minutes. | ||
+ | |||
+ | For the purposes of sending notification mails Amavisd-new sets its sender address to the value set in the config file, e.g. '''virusalert@example.com'''. To avoid an authentication warning from sendmail each time a notification is sent, the amavis user must be made a member of sendmail's trusted-users, by adding '''amavis''' to '''/etc/mail/trusted-users'''. | ||
+ | |||
+ | === SuSE === | ||
==== Milter settings ==== | ==== Milter settings ==== | ||
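Review bot: the added paragraph refers to the '$virusadmin' user, but the setting introduced in the amavisd-new section is `$virus_admin`; use the same spelling so readers can search the config for it. "the the milter" is a doubled word, and since `QUEUE=1m` is offered only for debugging while the next sentence cites the RFC 1123 minimum of 30 minutes, add a line telling readers to restore the interval once testing is finished.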
Line 202: | Line 279: | ||
# On the other hand if you've already customised sendmail using YaST then you might be better off editing sendmail.cf directly - the edits are very similar to those detailed in the SA integration TechNote [STN 126747]. | # On the other hand if you've already customised sendmail using YaST then you might be better off editing sendmail.cf directly - the edits are very similar to those detailed in the SA integration TechNote [STN 126747]. | ||
− | ==== Option 1 - using /etc/mail/linux.mc ==== | + | ===== Option 1 - using /etc/mail/linux.mc ===== |
Firstly, in /etc/sysconfig/mail set: | Firstly, in /etc/sysconfig/mail set: | ||
Line 208: | Line 285: | ||
MAIL_CREATE_CONFIG="no" | MAIL_CREATE_CONFIG="no" | ||
− | Backup /etc/sendmail.cf & /etc/mail/linux.mc & edit /etc/linux.mc, adding the following two lines at the end of the file: | + | Backup /etc/sendmail.cf & /etc/mail/linux.mc & edit /etc/mail/linux.mc, adding the following two lines at the end of the file: |
define(`MILTER', 1)dnl | define(`MILTER', 1)dnl | ||
Line 224: | Line 301: | ||
sudo omsendin | sudo omsendin | ||
− | ==== Option 2 - editing /etc/sendmail. | + | ===== Option 2 - editing /etc/sendmail.cf directly ===== |
Backup your sendmail.cf and make the following changes: | Backup your sendmail.cf and make the following changes: | ||
Line 236: | Line 313: | ||
O InputMailFilters=milter-amavis | O InputMailFilters=milter-amavis | ||
− | Underneath | + | Underneath this insert: |
+ | # Milter options | ||
+ | #O Milter.LogLevel | ||
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr} | O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr} | ||
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer} | O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer} | ||
Line 249: | Line 328: | ||
There's no need to run omsendin after editing sendmail.cf directly. | There's no need to run omsendin after editing sendmail.cf directly. | ||
+ | |||
+ | ==== Other settings ==== | ||
+ | |||
+ | Virus notification mails are deferred to avoid the the milter being called twice. This means that if amavisd catches an infected mail the '$virusadmin' user won't be sent the notification until the queue is next run, which by default is every 30m. Therefore, edit '''/etc/sysconfig/sendmail''' & set the queue runner to a suitably low value for debugging, so you end up with something like: | ||
+ | |||
+ | SENDMAIL_ARGS="-L sendmail -Am -bd -q1m -om" | ||
+ | |||
+ | Note that common values for QUEUE are between 15-60m & RFC 1123 section 5.3.1.1 recommends that it be at least 30 minutes. | ||
+ | |||
+ | For the purposes of sending notification mails Amavisd-new sets its sender address to the value set in the config file, e.g. '''virusalert@example.com'''. To avoid an authentication warning from sendmail each time a notification is sent, the '''vscan''' user should belong to sendmail's trusted-users. Check that YaST hasn't already done this for you by doing: | ||
+ | |||
+ | grep vscan /etc/sendmail.cf | ||
+ | |||
+ | Which should produce a line like: | ||
+ | |||
+ | Tmdom vscan wwwrun root uucp daemon mail | ||
+ | |||
+ | Otherwise add '''vscan''' to '''/etc/mail/trusted-users'''. | ||
+ | |||
+ | |||
+ | END SUSE SECTION | ||
== Configuring clamd == | == Configuring clamd == | ||
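Review bot: the SuSE copy of "Other settings" says the queue runs by default every 30m while the Redhat copy says 1h, and its note about "common values for QUEUE" refers to a variable the SuSE example never sets (the interval there is the `-q1m` inside SENDMAIL_ARGS); confirm both defaults are intended and reword the note for SuSE. The "END SUSE SECTION" line reads as a leftover editing marker and should be removed or turned into a heading.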
Line 264: | Line 364: | ||
sudo usermod -A vscan clamav | sudo usermod -A vscan clamav | ||
− | Then, edit /etc/ | + | Then, edit /etc/clamd.conf, [un]commenting or changing: |
LocalSocket /var/run/clamav/clamd.sock #Must match value in /etc/amavisd.conf | LocalSocket /var/run/clamav/clamd.sock #Must match value in /etc/amavisd.conf | ||
Line 284: | Line 384: | ||
== Configuring Scalix == | == Configuring Scalix == | ||
− | Backup /var/opt/scalix/sys/smtpd.cfg and add the following line to the end: | + | Backup /var/opt/scalix/??/s/sys/smtpd.cfg and add the following line to the end of the first section (before [SUBMIT]): |
SMTPFILTER=TRUE | SMTPFILTER=TRUE | ||
+ | |||
+ | NOTE: Do not confuse this line with SMTPMILTER | ||
== Starting it all up == | == Starting it all up == | ||
Line 309: | Line 411: | ||
Tail /var/log/maillog and try sending clean, virus and spam mails e.g. | Tail /var/log/maillog and try sending clean, virus and spam mails e.g. | ||
+ | |||
+ | clean.txt: | ||
+ | Hello World! | ||
+ | |||
+ | eicar.sig: | ||
+ | X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* | ||
+ | |||
+ | gtube.txt: | ||
+ | XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X | ||
mail -s test me@example.com < clean.txt | mail -s test me@example.com < clean.txt | ||
Line 326: | Line 437: | ||
== Support == | == Support == | ||
− | + | While this isn't an 'officially supported' configuration, it is almost identical to the Scalix/Spamass-milter setup (as detailed in the Tech Note) in the way it interfaces with Scalix/Sendmail & so should be reasonably 'supportable'. I'm pretty active on the community form, at least for the moment, so will do what I can to keep this document updated & help with issues. | |
== Pimping Spamassassin == | == Pimping Spamassassin == | ||
Line 332: | Line 443: | ||
I would say that adding dcc, pyzor & razor are essential to good detection rates. Packages are available for most distros & there's plenty of info out there on setting them up. | I would say that adding dcc, pyzor & razor are essential to good detection rates. Packages are available for most distros & there's plenty of info out there on setting them up. | ||
− | I also recommend looking at 'Rules du Jour' from the Spamassassin Rules Emporium - a collection of nifty extra rules that will further boost your detection rate & | + | I also recommend looking at 'Rules du Jour' from the Spamassassin Rules Emporium - a collection of nifty extra rules that will further boost your detection rate & come with an update script that can be run as a cronjob. |
http://www.exit0.us/index.php?pagename=RulesDuJour | http://www.exit0.us/index.php?pagename=RulesDuJour | ||
http://www.rulesemporium.com/index.html | http://www.rulesemporium.com/index.html | ||
+ | |||
+ | == Changing communication to use SMTPMILTER == | ||
+ | |||
+ | ''This is a first draft of the MILTER changes needed - once someone's tested it and [http://www.scalix.com/forums/viewtopic.php?f=2&t=15916&p=65536' reported back] we can deal with making a proper "from-scratch" howto'' | ||
+ | |||
+ | The SMTPFILTER mechanism for intercepting mail and passing it to amavisd-new has been deprecated, and will at some point lose support. | ||
+ | |||
+ | For this reason, you need to change over to using the new and improved SMTPMILTER interface which communicated via a local unix socket. | ||
+ | |||
+ | Luckily, its a simple change, as long as you have a currently working amavisd-new setup per the instructions above. | ||
+ | |||
+ | Before you enable themilter however, have a read of this section of the [[TB/TB-2008-04-CTASAV#Supported_MILTER_features|Scalix AntiSpam and Scalix ZeroHour AntiVirus Technical Bulletin]] to understand what the parameters are in the config change below. | ||
+ | |||
+ | Then, its a simple matter of changing your smtpd.conf file as follows - note this is an excerpt showing the changed/added lines, not the whole file! | ||
+ | |||
+ | <code>'''/var/opt/scalix/ml/s/sys/smtpd.conf'''</code> | ||
+ | |||
+ | <pre> | ||
+ | #SMTPFILTER=TRUE | ||
+ | |||
+ | # master switch to enable milter support (default off) | ||
+ | SMTPMILTER=TRUE | ||
+ | |||
+ | # list of milters to call sequentially (default none) | ||
+ | #INPUT_MAIL_FILTER=('CTmilter', 'S=local:~/temp/CTmilter_socket, F=T, T=C:300s;S:10s;R:10s;E:300s') | ||
+ | |||
+ | INPUT_MAIL_FILTER=('amavisd-milter', 'S=local:/var/amavis/amavisd-milter.sock, F=T, T=C:300s;S:20s;R:20s;E:300s') | ||
+ | </pre> | ||
+ | |||
+ | This presumes that /var/amavis/amavisd-milter.sock exists - you need to check your systems configuration of amavisd and amavisd-milter as above in this howto to verify that. My system is running on Centos5 so may be different from yours. | ||
+ | |||
+ | Next you need to change the sendmail configuration to not use the input filter: | ||
+ | |||
+ | <code>'''/etc/mail/sendmail.mc'''</code> | ||
+ | |||
+ | You need to remove the FILTER config from the bottom of sendmail.mc, as its no longer needed. With the milter, Scalix will route mail to the milter as part of the input path. The lines you need to '''remove''' from sendmail.mc are: | ||
+ | |||
+ | <pre> | ||
+ | define(`MILTER', 1)dnl | ||
+ | INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl | ||
+ | </pre> | ||
+ | |||
+ | The only line scalix needs in the bottom of sendmail.mc is: | ||
+ | |||
+ | <pre> | ||
+ | MAILER(scalix)dnl | ||
+ | </pre> | ||
+ | |||
+ | To make it work, you need to recompile sendmail.cf using: | ||
+ | |||
+ | <code>m4 sendmail.mc > sendmail.cf</code> | ||
+ | |||
+ | And voila - now sendmail just passes incoming mail to scalix, and scalix calls the amavisd-milter socket. At that point, all handling of spamassassin and clamd is down to your amavisd configuration. So, its time to restart the various services and feed in some test messages to watch headers and make sure its all working. | ||
+ | |||
== Credits == | == Credits == | ||
Big thanks to '''STrRedWolf''' for the Scalix/Amavisd-New (using Postfix) HOWTO which enabled me to get a working mailscanning setup up & running in the first place! Whilst the postfix setup still has some advantages (easy integration with Mailguard for one) I hope that this HOWTO will give most users the goodness of amavisd without having to use an additional MTA. | Big thanks to '''STrRedWolf''' for the Scalix/Amavisd-New (using Postfix) HOWTO which enabled me to get a working mailscanning setup up & running in the first place! Whilst the postfix setup still has some advantages (easy integration with Mailguard for one) I hope that this HOWTO will give most users the goodness of amavisd without having to use an additional MTA. |
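Review bot: the new SMTPMILTER section edits /var/opt/scalix/ml/s/sys/smtpd.conf, but "Configuring Scalix" earlier on the page adds SMTPFILTER=TRUE to smtpd.cfg; one of the two file names is wrong, and it should be corrected so that `#SMTPFILTER=TRUE` is commented out in the same file it was added to. The rebuild step `m4 sendmail.mc > sendmail.cf` also omits the `sudo omsendin` run that the sendmail section performs after rebuilding to reinsert the Scalix mods; say whether it is still required here.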
Latest revision as of 15:36, 20 March 2012
Contents
- 1 It's easier than it looks!
- 2 Why Amavisd-New?
- 3 About this HOWTO
- 4 Test platforms
- 5 Before you start
- 6 Prerequisites
- 7 Installing amavisd-milter
- 8 Configuring amavisd-new
- 9 Initscripts/Sysconfig files for amavisd
- 10 Initscripts/Sysconfig files for amavisd-milter
- 11 Configuring sendmail
- 12 Configuring clamd
- 13 Configuring Scalix
- 14 Starting it all up
- 15 Debugging
- 16 Support
- 17 Pimping Spamassassin
- 18 Changing communication to use SMTPMILTER
- 19 Credits
It's easier than it looks!
Through efforts to make this HOWTO both comprehensive & well-structured it has grown to be outwardly rather large.
Don't be deceived - the amount of work involved in following the instructions is actually rather small & even Linux beginners should be able to have a working setup within an hour.
Why Amavisd-New?
- Large user community
- Centralised configuration
- Ability to apply site-wide rules
- Works with all major UNIX/Linux MTAs
About this HOWTO
This HOWTO details a setup that uses amavisd-new to do both spam & virus scanning & should be followed in place of the following procedures:
- Scalix Knowledgebase: ScalixReady - SpamAssassin in a Scalix Environment (126747) [RH/FC]
- Scalix Knowledgebase: Configuring SpamAssassin on SuSE Systems (165119) [SuSE]
- Scalix Administration Guide Chapter 18: Virus & Spam Protection (Configuring Scalix Virus Protection)
Test platforms
- Fedora Core 4 (no longer supported)
- CentOS 4
- SuSE OSS 10.0
- CentOS 5
Before you start
DO NOT install the amavisd-new-milter RPM - see Installing amavisd-milter.
Prerequisites
Please note that in both cases the packages below have various dependencies which your package manager should take care of. You may need to add/enable extra repositories to obtain some of the packages.
Just to make it clear for those who, like me, for some odd reason completely missed the point of this section: the following packages must be installed correctly before you continue.
Redhat/CentOS/Fedora RPMs
- amavisd-new (not the same as amavisd-new-milter)
- spamassassin
- clamd
- sendmail-cf
- sendmail-devel
- gcc
One good place to find Fedora/RedHat RPMs: http://apt.sw.be/
CentOS 5 Example
Install prerequisites:
yum install amavisd-new spamassassin clamd sendmail-cf sendmail-devel gcc
CentOS does not have amavisd-new and clamd. To fix this, install RPMforge Repository:
rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
Install amavisd-new and clamd:
yum install amavisd-new clamd
Note: RPMforge also has an update for the spamassassin package.
SuSE RPMs
- amavisd-new
- spamassassin
- clamav
- sendmail-devel
- gcc
Installing amavisd-milter
Firstly, DO NOT install the amavisd-new-milter RPM - despite the 'new' tag this is a different, older version that lacks the ability to add anything other than a hard-coded 'virus scanned by amavisd-new-milter' to the message headers. As a consequence of this it's pretty useless if you want to sort messages into Spam folders downstream.
As far as I'm aware there's no binary package available for amavisd-milter but it's a quick & easy compile; just grab the source and do:
cd /usr/local/src && tar xvzf /path/to/amavisd-milter-1.x.x.tar.gz
cd amavisd-milter-1.x.x
./configure && make && sudo make install
Assuming you ran the commands above, the binary will be installed in /usr/local/sbin.
NB: Startup scripts must be installed separately - see Initscripts/Sysconfig files for amavisd-milter.
If you are getting the error "error:required milter library and header not found", it is because you did not install sendmail-devel and probably also glazed over the prereq section. Install all the prereqs and then continue.
CentOS 5 Example
Install amavisd-milter
# run the following not as root
wget http://voxel.dl.sourceforge.net/sourceforge/amavisd-milter/amavisd-milter-1.3.1.tar.gz
sudo yum install sendmail-devel # installed with prerequisites
tar -zvxf amavisd-milter-1.3.1.tar.gz && cd amavisd-milter-1.3.1
./configure && make && sudo make install
Install amavisd-milter sysconfig script:
wget http://users.on.net/~hilton/amavisd-milter-sysconfig.txt
sudo mv amavisd-milter-sysconfig.txt /etc/sysconfig/amavisd-milter
Install amavisd-milter init.d script:
wget http://users.on.net/~hilton/amavisd-milter-init.d.txt
sudo mv amavisd-milter-init.d.txt /etc/init.d/amavisd-milter
sudo chmod u+x /etc/init.d/amavisd-milter
sudo chkconfig --add amavisd-milter
Configuring amavisd-new
The config file for amavisd-new (/etc/amavisd.conf) is fairly huge, but don't be put off as most of the values can safely stay at the defaults. The critical ones to add/edit/uncomment/comment are:
$protocol = "AM.PDP"; # Use AM.PDP protocol.
$unix_socketname = "$MYHOME/amavisd.sock"; # uncomment when using milter.
#$inet_socket_port = 10024; #comment out with milter.
$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
$forward_method = undef; #must be set like this with sendmail milter.
$mydomain = "example.com"; #Your domain
$myhostname = "cosmo.example.com"; #The FQDN of the Scalix host
$virus_admin = "root\@$mydomain"; #NDR recipient if virus found
$mailfrom_notify_admin = "virusalert\@$mydomain"; #NDR --> admin sender
The lines below control how amavisd-new will respond to the spam scores from SA. I set the first to '-9999' so that, effectively, the info headers are always added even if the message is deemed 'ham' (if your box is heavily-loaded you'll probably want to change this after debugging). The second sets the 'is spam' score, above which SA will add the 'X-Spam-Status: Yes' header & (optionally) rewrite the subject line, prepending whatever you define with $sa_spam_subject_tag. You'll probably want to leave the next three commented to prevent amavisd-new doing anything extreme with mail until you're comfortable with the setup. Set the last to undef if you want to leave subject lines alone for spam mail.
$sa_tag_level_deflt = -9999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level
#$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
#$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent
#$sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off
$sa_spam_subject_tag = '[SPAM] '; # Prepended to the subject line if defined.
Amavisd-New scans all mail passing through it for viruses, but will only hand mail for local delivery off to SA for checking - you tell it which domains are local using the @local_domains_maps variable, which by default is set to the value of $mydomain & its subdomains:
@local_domains_maps = ( [".$mydomain"] );
You can add additional domains in a variety of ways (see the docs), eg:
@local_domains_maps = ( [".$mydomain", ".foo.com"] );
In a nutshell, you probably want whatever you have in /etc/mail/local-host-names to be included in @local_domains_maps.
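The coverage check suggested above can be automated; the following is an added example, not part of the original HOWTO or of amavisd-new. It assumes the literal list form of @local_domains_maps shown on this page and that an entry with a leading dot covers the domain and its subdomains while an entry without one matches only that exact name; the function names and sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs, using the HOWTO's placeholder domains.
SAMPLE_AMAVISD_CONF = r'''
$mydomain = 'example.com';   # a convenient default for other settings
#@local_domains_maps = ( [".$mydomain"] );
@local_domains_maps = ( [".$mydomain", ".foo.com"] );
'''

SAMPLE_LOCAL_HOST_NAMES = """\
# local-host-names - include all aliases for your machine here.
example.com
mail.example.com
foo.com
example.org
"""


def parse_local_domains(amavisd_conf):
    """Return the entries of an active, literal @local_domains_maps list."""
    m = re.search(r'^\s*\$mydomain\s*=\s*["\']([^"\']+)["\']\s*;',
                  amavisd_conf, re.M)
    mydomain = m.group(1) if m else ""
    m = re.search(r'^\s*@local_domains_maps\s*=\s*\(\s*\[(.*?)\]\s*\)\s*;',
                  amavisd_conf, re.M | re.S)
    if not m:
        return []
    entries = []
    for quote, body in re.findall(r'''(["'])(.*?)\1''', m.group(1)):
        if quote == '"':  # Perl interpolates only inside double quotes
            body = body.replace("$mydomain", mydomain)
        entries.append(body.lower())
    return entries


def is_local(domain, entries):
    """True if amavisd-new would treat mail for this domain as local."""
    domain = domain.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            # ".example.com" covers example.com and every subdomain of it
            if domain == entry[1:] or domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False


def uncovered_hosts(amavisd_conf, local_host_names):
    """Hosts sendmail accepts mail for that amavisd-new will not spam-check."""
    entries = parse_local_domains(amavisd_conf)
    hosts = [ln.split("#", 1)[0].strip() for ln in local_host_names.splitlines()]
    return [h for h in hosts if h and not is_local(h, entries)]


if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_AMAVISD_CONF, SAMPLE_LOCAL_HOST_NAMES):
        print("not in @local_domains_maps, mail is virus-scanned only:", host)
```

On a real host, pass the contents of /etc/amavisd.conf and /etc/mail/local-host-names instead of the constructed samples.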
Finally, uncomment the code near the bottom that tells amavis to use the clamd daemon and edit the value /var/run/clamav/clamd to read /var/run/clamav/clamd.sock (matching the value in /etc/clamd.conf)
### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
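A quick way to confirm the two things this step depends on, that the ClamAV-clamd entry is really uncommented and that its socket path equals LocalSocket in clamd.conf, is sketched below as an added example (not from the HOWTO or from either project). The function names and both sample configs are constructed; the "stock" sample mirrors the commented entry with the /var/run/clamav/clamd path described above.

```python
import re

# Socket path inside the ask_daemon argument list of the ClamAV-clamd entry.
SOCKET_RE = re.compile(r'"CONTSCAN \{\}\\n",\s*"([^"]+)"')

# Constructed samples: the entry as shipped (commented, old path) and as edited.
STOCK_AMAVISD_CONF = r"""
# ### http://www.clamav.net/
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/, qr/\bFOUND$/,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
"""

FIXED_AMAVISD_CONF = r"""
# uncommented "['ClamAV-clamd'," + 3 lines (see below)
### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
"""

SAMPLE_CLAMD_CONF = """\
#LocalSocket /tmp/clamd
LocalSocket /var/run/clamav/clamd.sock #Must match value in /etc/amavisd.conf
"""


def amavis_clamd_socket(amavisd_conf):
    """Return (socket_path, active) for the ClamAV-clamd scanner entry."""
    lines = amavisd_conf.splitlines()
    found = (None, False)
    for i, line in enumerate(lines):
        # Only the entry itself counts, not a comment that merely mentions it.
        if not line.lstrip("# \t").startswith("['ClamAV-clamd'"):
            continue
        active = not line.lstrip().startswith("#")
        match = SOCKET_RE.search("\n".join(lines[i:i + 4]))
        found = (match.group(1) if match else None, active)
        if active:
            break
    return found


def clamd_local_socket(clamd_conf):
    """Return the active LocalSocket path from clamd.conf, or None."""
    for line in clamd_conf.splitlines():
        match = re.match(r"\s*LocalSocket\s+(\S+)", line)
        if match:
            return match.group(1)
    return None


def check_clamd_wiring(amavisd_conf, clamd_conf):
    """List the reasons amavisd-new would fail to reach clamd."""
    problems = []
    path, active = amavis_clamd_socket(amavisd_conf)
    sock = clamd_local_socket(clamd_conf)
    if path is None:
        problems.append("no ClamAV-clamd entry with a socket path in amavisd.conf")
    elif not active:
        problems.append("ClamAV-clamd entry is still commented out")
    if sock is None:
        problems.append("clamd.conf has no active LocalSocket line")
    if path and sock and path != sock:
        problems.append(f"socket mismatch: amavisd uses {path}, clamd listens on {sock}")
    return problems


if __name__ == "__main__":
    for name, conf in (("stock", STOCK_AMAVISD_CONF), ("fixed", FIXED_AMAVISD_CONF)):
        print(name, check_clamd_wiring(conf, SAMPLE_CLAMD_CONF) or "OK")
```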
CentOS 5 Example
Install amavisd-new spamassassin:
yum install amavisd-new # installed with prerequisites
Configure amavisd-new (/etc/amavisd.conf):
cp /etc/amavisd.conf /etc/amavisd.conf.orig
vi /etc/amavisd.conf
Summary of changes placed at top of amavisd.conf:
##############################

# ADDED: (new line added here)
$protocol = "AM.PDP"; # Use AM.PDP protocol.
$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
$forward_method = undef; #must be set like this with sendmail milter.
$myhostname = "mail.example.com"; #The FQDN of the Scalix host
$sa_spam_subject_tag = '***SPAM*** '; # Prepended to the subject line if defined.

# CHANGED: (line commented out below and changed here)
$mydomain = 'example.com'; # a convenient default for other settings
$sa_tag_level_deflt = -9999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level
$virus_admin = "root\@$mydomain"; # notifications recip.
# uncommented "['ClamAV-clamd'," + 3 lines (see below)

# DELETED: (line commented out below)
#$inet_socket_port = 10024; # listen on this local TCP port(s)

##############################
Initscripts/Sysconfig files for amavisd
Amavisd-new will come with its own init/sysconfig scripts, which may possibly include code to start the old milter (amavisd-new-milter). Make sure this is disabled to avoid any confusion, for example on SuSE ensure that in /etc/sysconfig/amavis AMAVIS_SENDMAIL_MILTER is set to no, ie:
AMAVIS_SENDMAIL_MILTER="no"
Initscripts/Sysconfig files for amavisd-milter
Sysconfig Script (required for all platforms)
Download here or from this new location here & copy to: /etc/sysconfig/amavisd-milter.
Be sure to read this file & edit if necessary (the comments in the file provide all the required information).
Init Script (Redhat/CentOS/Fedora)
Download here or this new location here, copy to: /etc/init.d/amavisd-milter, make executable & do:
sudo chkconfig --add amavisd-milter
Init Script (SuSE)
Download here, copy to: /etc/init.d/amavisd-milter, make executable & do:
sudo chkconfig --add amavisd-milter
This script needs the following line added to close the info section: ### END INIT INFO. Otherwise chkconfig fails with this error: insserv: script amavisd-milter is broken: missing end of LSB comment. (openSUSE 10.2)
Configuring sendmail
Redhat/CentOS/Fedora
Milter settings
Add the following two lines at the end of /etc/mail/sendmail.mc: (backup sendmail.cf & sendmail.mc first)
define(`MILTER', 1)dnl
INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl
NB: The suggested lines in the amavisd-milter manpage seem a bit broken!
Rebuild sendmail.cf:
sudo sh -c "m4 sendmail.mc > sendmail.cf"
Run omsendin to reinsert the Scalix mods:
sudo omsendin
Other settings
Virus notification mails are deferred to avoid the milter being called twice. This means that if amavisd catches an infected mail the '$virus_admin' user won't be sent the notification until the queue is next run, which by default is every 1h. Therefore, edit /etc/sysconfig/sendmail & set the queue runner to a suitably low value for debugging, e.g.
QUEUE=1m
Note that common values for QUEUE are between 15-60m & RFC 1123 section 5.3.1.1 recommends that it be at least 30 minutes.
For the purposes of sending notification mails Amavisd-new sets its sender address to the value set in the config file, e.g. virusalert@example.com. To avoid an authentication warning from sendmail each time a notification is sent, the amavis user must be made a member of sendmail's trusted-users, by adding amavis to /etc/mail/trusted-users.
SuSE
Milter settings
With SuSE you have two options:
- For a new installation IMO it would be best to disable YaST configuration of sendmail & use an *mc file instead - you'll avoid editing sendmail.cf directly & use techniques that are applicable to all modern *nixes.
- On the other hand if you've already customised sendmail using YaST then you might be better off editing sendmail.cf directly - the edits are very similar to those detailed in the SA integration TechNote [STN 126747].
Option 1 - using /etc/mail/linux.mc
Firstly, in /etc/sysconfig/mail set:
MAIL_CREATE_CONFIG="no"
Backup /etc/sendmail.cf & /etc/mail/linux.mc & edit /etc/mail/linux.mc, adding the following two lines at the end of the file:
define(`MILTER', 1)dnl
INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl
NB: The suggested lines in the amavisd-milter manpage seem a bit broken!
Rebuild sendmail.cf:
sudo sh -c "m4 /etc/mail/linux.mc > /etc/sendmail.cf"
Run omsendin to reinsert the Scalix mods:
sudo omsendin
Option 2 - editing /etc/sendmail.cf directly
Backup your sendmail.cf and make the following changes:
Find the line:
#O InputMailFilters
Change to:
O InputMailFilters=milter-amavis
Underneath this insert:
# Milter options
#O Milter.LogLevel
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
O Milter.macros.eom={msg_id}
Under MAIL FILTER DEFINITIONS insert:
Xmilter-amavis, S=local:/var/spool/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m
There's no need to run omsendin after editing sendmail.cf directly.
Other settings
Virus notification mails are deferred to avoid the milter being called twice. This means that if amavisd catches an infected mail the '$virus_admin' user won't be sent the notification until the queue is next run, which by default is every 30m. Therefore, edit /etc/sysconfig/sendmail & set the queue runner to a suitably low value for debugging, so you end up with something like:
SENDMAIL_ARGS="-L sendmail -Am -bd -q1m -om"
Note that common values for QUEUE are between 15-60m & RFC 1123 section 5.3.1.1 recommends that it be at least 30 minutes.
For the purposes of sending notification mails Amavisd-new sets its sender address to the value set in the config file, e.g. virusalert@example.com. To avoid an authentication warning from sendmail each time a notification is sent, the vscan user should belong to sendmail's trusted-users. Check that YaST hasn't already done this for you by doing:
grep vscan /etc/sendmail.cf
Which should produce a line like:
Tmdom vscan wwwrun root uucp daemon mail
Otherwise add vscan to /etc/mail/trusted-users.
END SUSE SECTION
Configuring clamd
Firstly, check that during the installation of clamd the clamav user was made a member of the amavis (Redhat/CentOS/Fedora) or vscan (SuSE) group:
groups clamav
And if not add it with something like (Redhat/CentOS/Fedora):
sudo usermod -a -G amavis clamav
or (SuSE):
sudo usermod -A vscan clamav
Then, edit /etc/clamd.conf, [un]commenting or changing:
LocalSocket /var/run/clamav/clamd.sock #Must match value in /etc/amavisd.conf
#TCPSocket 3310 #Only use one connection method or clamd won't start.
AllowSupplementaryGroups #Avoids a raft of permission issues!
FixStaleSocket
Then edit /etc/freshclam.conf
UpdateLogFile /var/log/clamav/freshclam.log
PidFile /var/clamav/freshclam.pid
NotifyClamd
Configuring Scalix
Backup /var/opt/scalix/??/s/sys/smtpd.cfg and add the following line to the end of the first section (before [SUBMIT]):
SMTPFILTER=TRUE
NOTE: Do not confuse this line with SMTPMILTER
Starting it all up
sudo service spamassassin start
sudo service clamd start
sudo service amavisd-milter start
sudo service amavisd start
Restart sendmail:
sudo service sendmail restart
Restart the Scalix SMTP Relay:
sudo omoff -d0 smtpd && sudo omon smtpd
Debugging
Tail /var/log/maillog and try sending clean, virus and spam mails e.g.
clean.txt:
Hello World!
eicar.sig:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
gtube.txt:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
mail -s test me@example.com < clean.txt
mail -s test me@example.com < eicar.sig
mail -s test me@example.com < gtube.txt
Check the headers of your received mails & your virusadmin mailbox, debug.
There's lots of useful information here, particularly concerning SA integration:
http://www.ijs.si/software/amavisd/
NB: If you encounter any permission errors when debugging, DO NOT attempt to solve them by changing the permissions on /var/amavis away from 0750 - for security reasons milters insist that the work directory is not world-readable or group-writable.
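Before sending test mails it helps to confirm that the values this HOWTO says must agree really do. The script below is an added example, not part of the original HOWTO: it compares the clamd socket in clamd.conf with the one in amavisd.conf and checks the mode of the directory holding the milter socket. All function names are hypothetical, and it assumes the milter socket lives in the amavisd work directory as configured above.

```shell
#!/bin/sh
# Added example, not part of the HOWTO; function names are hypothetical.

# LocalSocket path from the first uncommented LocalSocket line in clamd.conf.
clamd_conf_socket() {
    sed -n 's/^[[:space:]]*LocalSocket[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Socket amavisd hands to clamd: second item of the uncommented
# ["CONTSCAN {}\n", "<socket>"] pair in amavisd.conf.
amavisd_conf_clamd_socket() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*"CONTSCAN {}\\n",[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# S=local:<path> from the active INPUT_MAIL_FILTER line (skips # and dnl lines).
milter_socket() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*dnl' "$1" |
        sed -n 's/.*INPUT_MAIL_FILTER.*S=local:\([^,]*\),.*/\1/p' | head -n 1
}

# True if DIR has no group-write bit and no access for others (0750 passes).
workdir_mode_ok() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" in
        d????-?---) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight CLAMD_CONF AMAVISD_CONF SENDMAIL_MC
# Prints one line per problem and returns the number of problems found.
preflight() {
    problems=0
    clamd_sock=$(clamd_conf_socket "$1")
    amavis_sock=$(amavisd_conf_clamd_socket "$2")
    if [ -z "$clamd_sock" ] || [ "$clamd_sock" != "$amavis_sock" ]; then
        echo "clamd socket mismatch: clamd.conf='$clamd_sock' amavisd.conf='$amavis_sock'"
        problems=$((problems + 1))
    fi
    milter_sock=$(milter_socket "$3")
    if [ -z "$milter_sock" ]; then
        echo "no active INPUT_MAIL_FILTER with S=local: in $3"
        problems=$((problems + 1))
    elif ! workdir_mode_ok "$(dirname "$milter_sock")"; then
        echo "$(dirname "$milter_sock") must not be group-writable or open to others"
        problems=$((problems + 1))
    fi
    return "$problems"
}
# Runs against real files when given three paths, e.g. the ones edited above.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

milter_socket also reads the INPUT_MAIL_FILTER=(...) form used in the Scalix SMTP relay configuration, so the same check can be pointed at that file.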
Support
While this isn't an 'officially supported' configuration, it is almost identical to the Scalix/Spamass-milter setup (as detailed in the Tech Note) in the way it interfaces with Scalix/Sendmail & so should be reasonably 'supportable'. I'm pretty active on the community forum, at least for the moment, so will do what I can to keep this document updated & help with issues.
Pimping Spamassassin
I would say that adding dcc, pyzor & razor are essential to good detection rates. Packages are available for most distros & there's plenty of info out there on setting them up.
I also recommend looking at 'Rules du Jour' from the Spamassassin Rules Emporium - a collection of nifty extra rules that will further boost your detection rate & come with an update script that can be run as a cronjob.
http://www.exit0.us/index.php?pagename=RulesDuJour
http://www.rulesemporium.com/index.html
Changing communication to use SMTPMILTER
This is a first draft of the MILTER changes needed - once someone's tested it and reported back we can deal with making a proper "from-scratch" howto
The SMTPFILTER mechanism for intercepting mail and passing it to amavisd-new has been deprecated, and will at some point lose support.
For this reason, you need to change over to using the new and improved SMTPMILTER interface, which communicates via a local unix socket.
Luckily, it's a simple change, as long as you have a currently working amavisd-new setup per the instructions above.
Before you enable the milter, however, have a read of this section of the Scalix AntiSpam and Scalix ZeroHour AntiVirus Technical Bulletin to understand what the parameters are in the config change below.
Then, it's a simple matter of changing your smtpd.conf file as follows - note this is an excerpt showing the changed/added lines, not the whole file!
/var/opt/scalix/ml/s/sys/smtpd.conf
#SMTPFILTER=TRUE
# master switch to enable milter support (default off)
SMTPMILTER=TRUE
# list of milters to call sequentially (default none)
#INPUT_MAIL_FILTER=('CTmilter', 'S=local:~/temp/CTmilter_socket, F=T, T=C:300s;S:10s;R:10s;E:300s')
INPUT_MAIL_FILTER=('amavisd-milter', 'S=local:/var/amavis/amavisd-milter.sock, F=T, T=C:300s;S:20s;R:20s;E:300s')
This presumes that /var/amavis/amavisd-milter.sock exists - you need to check your system's configuration of amavisd and amavisd-milter as above in this howto to verify that. My system is running on CentOS 5 so may be different from yours.
Next you need to change the sendmail configuration to not use the input filter:
/etc/mail/sendmail.mc
You need to remove the FILTER config from the bottom of sendmail.mc, as it's no longer needed. With the milter, Scalix will route mail to the milter as part of the input path. The lines you need to remove from sendmail.mc are:
define(`MILTER', 1)dnl
INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl
The only line Scalix needs in the bottom of sendmail.mc is:
MAILER(scalix)dnl
To make it work, you need to recompile sendmail.cf using:
m4 sendmail.mc > sendmail.cf
And voila - now sendmail just passes incoming mail to Scalix, and Scalix calls the amavisd-milter socket. At that point, all handling of spamassassin and clamd is down to your amavisd configuration. So, it's time to restart the various services and feed in some test messages to watch headers and make sure it's all working.
Credits
Big thanks to STrRedWolf for the Scalix/Amavisd-New (using Postfix) HOWTO which enabled me to get a working mailscanning setup up & running in the first place! Whilst the postfix setup still has some advantages (easy integration with Mailguard for one) I hope that this HOWTO will give most users the goodness of amavisd without having to use an additional MTA.