Difference between revisions of "HowTos/Amavisd"

From Scalix Wiki
Revision as of 12:06, 18 May 2006

Introduction

This HOWTO details a setup that uses amavisd-new to do both spam & virus scanning.


It should be followed in place of both the clamd integration steps in the admin guide & the Spamassassin Tech Note.


I decided to use amavisd-new with Scalix partly because I already had a fair bit of experience using it, but also because I like the way it keeps configuration for both virus & spam filtering largely under one roof & away from Scalix. It also, in my opinion, gives more-readily comprehensible control of spam/virus actions (reject, quarantine, etc).


Whilst this isn't an 'officially supported' configuration, it is almost identical to the Scalix/Spamass-milter setup (as detailed in the Tech Note) in the way it interfaces with Scalix/Sendmail & so should be reasonably 'supportable'.


Scalix version tested: CE

Test platforms: FC-4, CentOS 4.

Prerequisites

You'll obviously need the amavisd-new package, plus spamassassin & clamd to do the spam/virus detection if you haven't already got them.

The gcc & sendmail-devel packages are required to compile amavisd-milter.


NB: Once amavisd-new & clamd are installed check that the clamav user has been made a member of the amavis group (it needn't be its primary group):


groups clamav


And if not add it with something like:


sudo gpasswd -a clamav amavis

Installing amavisd-milter

Firstly, DO NOT install the amavisd-new-milter binary package - despite the 'new' tag this is a different, older version that lacks the ability to add anything other than a hard-coded 'virus scanned by amavisd-new-milter' to the message headers. As a consequence of this it's pretty useless if you want to sort messages into Spam folders downstream.


As far as I'm aware there's no binary package available for amavisd-milter but it's a quick & easy compile, just grab the source from http://sourceforge.net/project/showfiles.php?group_id=138169 and do the usual:


cd /usr/local/src && tar xvzf /path/to/amavisd-milter-1.x.x.tar.gz

cd amavisd-milter-1.x.x

./configure && make && sudo make install


Assuming you compiled in /usr/local/src and ran the commands above, the binary will be installed in /usr/local/sbin

Configuring amavisd-new

The config file for amavisd-new is fairly huge, but don't be put off as most of the values can safely stay at the defaults. The critical ones to add/edit/uncomment/comment are:


$protocol = "AM.PDP"; # Use AM.PDP protocol.

$unix_socketname = "$MYHOME/amavisd.sock"; # uncomment when using sendmail milter.

#$inet_socket_port = 10024; #comment out with milter.

$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';

$forward_method = undef; #must be set like this with sendmail milter.

$mydomain = 'example.com'; # Your domain e.g. example.com

$myhostname = 'cosmo.example.com'; # The FQDN of the Scalix host

$virus_admin = "virusalert\@$mydomain"; # The person who should receive the NDR if virus found

$mailfrom_notify_admin = "virusalert\@$mydomain"; # The sender address for the mails above


The lines below control how amavisd-new will respond to the spam scores from SA. I set the first to undef so that the info headers are always added even if the message is deemed 'ham' (if your box is heavily-loaded you'll probably want to change this after debugging). The second sets the 'is spam' score, above which SA will add the 'X-Spam-Status: Yes' header & (optionally) rewrite the subject line, prepending whatever you define with $sa_spam_subject_tag. You'll probably want to leave the next three commented to prevent amavisd-new doing anything extreme with mail until you're comfortable with the setup. Set the last to undef if you want to leave subject lines alone for spam mail.


$sa_tag_level_deflt = undef; # add spam info headers if at, or above that level

$sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level

#$sa_kill_level_deflt = 6.31; # triggers spam evasive actions

#$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent

#$sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off

$sa_spam_subject_tag = '[SPAM] '; # Prepended to the subject line if defined.


The following line is analogous to /etc/mail/local-host-names in that it determines which messages amavisd-new will hand off to spamassassin for checking (all mail is virus scanned). By default it will be set to the value of '$mydomain':


@local_domains_maps = ( [".$mydomain"] );


But you can add additional domains in a variety of ways, eg:


@local_domains_maps = ( [".$mydomain", ".foo.com"] );


See the documentation for more details.


Finally, uncomment the code near the bottom that tells amavis to use the clamd daemon and edit the value /var/run/clamav/clamd to read /var/run/clamav/clamd.sock (matching the value in /etc/clamav.conf)


### http://www.clamav.net/

['ClamAV-clamd',

\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],

qr/\bOK$/, qr/\bFOUND$/,

qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Initscripts/Sysconfig files for amavisd & amavisd-milter

Since originally posting the combined amavisd/milter script/config I've observed that yum has a tendency to stomp on any customised init. scripts when upgrading, so I've separated the milter stuff off into a separate script/config.


NB: Before using the scripts below, check that the amavisd scripts installed by your package manager don't already contain the code necessary to start the milter:


http://www.redcircleit.com/public/scripts/amavisd-milter-init.txt

http://www.redcircleit.com/public/scripts/amavisd-milter-sysconfig.txt


Copy these to /etc/init.d/amavisd-milter & /etc/sysconfig/amavisd-milter respectively & do:


sudo chkconfig --add amavisd-milter


The standalone amavisd script/config (with the milter stuff removed) is here for completeness but I recommend sticking with the ones installed by your package manager.


http://www.redcircleit.com/public/scripts/amavisd-init.txt

http://www.redcircleit.com/public/scripts/amavisd-sysconfig.txt


If you need them, copy to /etc/init.d/amavisd & /etc/sysconfig/amavisd respectively & do:


sudo chkconfig --add amavisd

Configuring sendmail

Backup sendmail.cf & sendmail.mc & then edit sendmail.mc, adding the following two lines at the end of the file:


define(`MILTER', 1)dnl

INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl


NB: The suggested lines in the amavisd-milter manpage seem a bit broken!


Rebuild sendmail.cf and run omsendin to reinsert the Scalix mods:


sudo sh -c "m4 sendmail.mc > sendmail.cf"

sudo omsendin


NB: Virus notification mails are deferred to avoid the milter being called twice. This means that if amavisd catches an infected mail the '$virus_admin' user won't be sent the notification until the queue is next run, which by default is every hour. Therefore, edit /etc/sysconfig/sendmail & set the queue runner to a reasonably low value at least for debugging, e.g.


QUEUE=1m

Configuring clamd

NB: Did you ensure that the clamav user is a member of the amavis group?


Firstly, edit /etc/clamav.conf, [un]commenting or changing:


LocalSocket /var/run/clamav/clamd.sock #Must match value in /etc/amavisd.conf

#TCPSocket 3310 #Only use one connection method or clamd won't start.

AllowSupplementaryGroups #Avoids a raft of permission issues!

FixStaleSocket


Then edit /etc/freshclam.conf


UpdateLogFile /var/log/clamav/freshclam.log

PidFile /var/clamav/freshclam.pid

NotifyClamd

Configuring Scalix

Backup /var/opt/sys/smtpd.cfg and add the following line to the end:


SMTPFILTER=TRUE

Starting it all up

Start spamassassin: sudo service spamassassin start

Start clamd: sudo service clamd start

Start amavisd-milter: sudo service amavisd-milter start

Start amavisd: sudo service amavisd start

Restart sendmail: sudo service sendmail restart

Restart the Scalix SMTP Relay: sudo omoff -d0 smtpd && sudo omon smtpd

Debugging

Tail /var/log/maillog and try sending clean, virus and spam mails e.g.


mail -s test me@example.com < clean.txt

mail -s test me@example.com < eicar.sig

mail -s test me@example.com < gtube.txt


Check the headers of your received mails & the mailbox your virus notifications go to & debug.
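
The header check can be scripted. The following is an added example, not part of the original HOWTO or of amavisd-new: it reads only the header block of a saved message, unfolds continuation lines, and reports spam, ham or unscanned from X-Spam-Status. With $sa_tag_level_deflt set to undef as above, 'unscanned' suggests the message never reached SpamAssassin. The function names and the script name check_headers.sh are made up for this example.

```shell
#!/bin/sh
# Added example (not from the HOWTO or amavisd-new); function names are made up.
# Usage: sh check_headers.sh saved-message.eml

# Print the unfolded value of the first NAME header in FILE. Only the header
# block (everything before the first blank line) is read, never the body.
header_value() {
    awk -v name="$1" '
        /^$/     { exit }
        /^[ \t]/ { if (hit) val = val " " $0; next }
                 { hit = 0 }
        !seen && tolower(substr($0, 1, length(name) + 1)) == tolower(name ":") {
            seen = 1; hit = 1; val = substr($0, length(name) + 2)
        }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); print val }
    ' "$2"
}

# Print spam, ham or unscanned for FILE, based on X-Spam-Status alone.
spam_verdict() {
    case "$(header_value X-Spam-Status "$1")" in
        [Yy]es*) echo spam ;;
        [Nn]o*)  echo ham ;;
        *)       echo unscanned ;;
    esac
}

# Succeeds if the Subject tag agrees with the verdict: tagged when spam,
# untagged otherwise. TAG defaults to the HOWTO's '[SPAM]' prefix.
subject_tag_consistent() {
    stc_tag=${2:-[SPAM]}
    case "$(header_value Subject "$1")" in
        "$stc_tag"*) stc_tagged=yes ;;
        *)           stc_tagged=no ;;
    esac
    if [ "$(spam_verdict "$1")" = spam ]; then
        [ "$stc_tagged" = yes ]
    else
        [ "$stc_tagged" = no ]
    fi
}

if [ "$#" -eq 1 ]; then echo "$1: $(spam_verdict "$1")"; fi
```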


There's lots of useful information here, particularly concerning SA integration:


http://www.ijs.si/software/amavisd/


NB: If you encounter any permission errors when debugging, DO NOT attempt to solve them by changing the permissions on /var/amavis away from 0750 - for security reasons milters insist that the work directory is not world-readable or group-writable.
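
Two of the requirements above are easy to get wrong and can be checked before starting the daemons: the work directory must be neither group-writable nor world-readable, and the clamd socket path must be the same in amavisd.conf and clamav.conf. The script below is an added example, not part of the original HOWTO or of amavisd-new; the function names and the script name preflight.sh are made up, and it assumes the CONTSCAN entry is written on one line as shown in this HOWTO.

```shell
#!/bin/sh
# Added example (not from the HOWTO or amavisd-new); function names are made up.
# Usage: sh preflight.sh /var/amavis /etc/amavisd.conf /etc/clamav.conf

# Succeeds only if DIR is a directory that is neither group-writable nor
# world-readable (0750 and 0700 pass; 0755 and 0770 fail).
workdir_mode_ok() {
    wd_perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$wd_perms" in
        d????w????) return 1 ;;   # group-writable
        d??????r??) return 1 ;;   # world-readable
        d?????????) return 0 ;;
        *)          return 2 ;;   # missing or not a directory
    esac
}

# Print the active (uncommented) LocalSocket path from a clamd config file.
clamd_conf_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Print the socket path of the first uncommented CONTSCAN entry in amavisd.conf.
amavisd_conf_socket() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*CONTSCAN[^,]*,[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeeds only if both files name the same, non-empty socket path.
sockets_match() {
    sm_a=$(amavisd_conf_socket "$1")
    sm_c=$(clamd_conf_socket "$2")
    [ -n "$sm_a" ] && [ "$sm_a" = "$sm_c" ]
}

# Run both checks and report; the return value is the number of failed checks.
preflight() {
    pf_fail=0
    workdir_mode_ok "$1" || { echo "FAIL: $1 is missing, group-writable or world-readable"; pf_fail=$((pf_fail + 1)); }
    sockets_match "$2" "$3" || { echo "FAIL: clamd socket differs between $2 and $3"; pf_fail=$((pf_fail + 1)); }
    [ "$pf_fail" -eq 0 ] && echo "OK: work directory mode and clamd socket path are consistent"
    return "$pf_fail"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```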


Credits

One final note: big thanks to STrRedWolf for the Scalix/Amavisd-New (using Postfix) HOWTO which enabled me to get a working mailscanning setup up & running in the first place! Whilst the postfix setup still has some advantages (easy integration with Mailguard for one) I hope that this HOWTO will give most users the goodness of amavisd without having to use an additional MTA.