Part 15 - qmail-scanner w/qms-analog
If you will recall, when we compiled qmail earlier in this installation, we applied a patch to qmail called "qmailqueue.patch". This patch allows qmail to be configured to run with a substitute queuing mechanism. That's exactly what we're about to do here. We're going to tell qmail to use Qmail-Scanner as the queuing mechanism. Qmail-Scanner is going to allow us to integrate Clam Antivirus and SpamAssassin into our qmail server's mail queue. Once qmail-scanner is installed, there will be a master script filled with configuration options that help you tailor the functionality of Clam Antivirus and SpamAssassin to your needs. To expand the number of configuration options, we are also going to apply a patch to qmail-scanner. For this patch, we will be using Mark Teel's qms-analog patch. Qms-analog incorporates the widely used qmail-scanner-st patch and also adds some cool reporting functionality, which we will utilize later in this installation guide. So let's get on it!

cd /downloads/qmailrocks

Unpack qmail-scanner...

tar zxvf qmail-scanner-1.25.tgz

Now unpack qms-analog...

tar zxvf qms-analog-0.4.4.tar.gz

Install qms-analog itself. This will come in handy in the next step when we install Qmailanalog.

cd qms-analog-0.4.4

make all

Next, we copy needed qms-analog files to the qmail-scanner source directory...

cp qmail-scanner-1.25-st-qms-20050618.patch /downloads/qmailrocks/qmail-scanner-1.25/

cp /downloads/qmailrocks/scripts/qms-config-script-cwrapper /downloads/qmailrocks/qmail-scanner-1.25/

Now, let's apply the qms-analog patch...

cd /downloads/qmailrocks/qmail-scanner-1.25

chmod 755 qms-config-script-cwrapper

patch -p1 < qmail-scanner-1.25-st-qms-20050618.patch

Now continue with the qmail-scanner installation...

groupadd qscand

useradd -g qscand -c "Qmail-Scanner Account" -s /bin/false qscand

Now we will configure qmail-scanner and install it. Ordinarily, you would run the ./configure script to configure and install qmail-scanner. However, Mark Teel has donated a handy little config script that does most of the work for you. This script is called "qms-config-script" and, if you look above, you should have already copied this config script into the qmail-scanner source directory.

By default, Slackware is set up to NOT allow setuid. Therefore, we'll start off with instructions based on a server that does not allow setuid. However, if you know for a fact that your server has been set up for setuid functionality, the Red Hat installation instructions for qmail-scanner should suffice.

So let's do it...

cd /downloads/qmailrocks/qmail-scanner-1.25/contrib

make install

Now we will customize the qmail-scanner configuration script...

cd /downloads/qmailrocks/qmail-scanner-1.25

vi qms-config-script-cwrapper

You will notice several fields that need to be customized to fit your needs. Let's have a look. I've highlighted the fields you should customize in RED

#!/bin/sh

if [ "$1" != "install" ]; then
INSTALL=
else
INSTALL="--install"
fi

./configure --domain yourdomain.com \
--admin postmaster \
--local-domains "yourdomain.com,yourotherdomain.com" \
--add-dscr-hdrs yes \
--dscr-hdrs-text "X-Antivirus-MYDOMAIN" \
--ignore-eol-check yes \
--sa-quarantine 0 \
--sa-delete 0 \
--sa-reject no \
--sa-delta 0 \
--sa-alt yes \
--sa-debug yes \
--sa-report yes \
--notify admin \
--skip-setuid-test \
"$INSTALL"


Now save and exit out of the config file. That was easy, wasn't it?

And now we will run a test config for qmail-scanner...

./qms-config-script-cwrapper

Answer YES to all questions. If you get no errors, you can then run the script in "install" mode and this will install qmail-scanner on your server. If you do get errors, check out these troubleshooting tips.

./qms-config-script-cwrapper install

Again, answer YES to all questions. If you do get errors, check out these troubleshooting tips. Once the install completes without errors, open the installed script:

vi /var/qmail/bin/qmail-scanner-queue.pl

Then change the first line of /var/qmail/bin/qmail-scanner-queue.pl to "#!/usr/bin/perl" (in other words, remove the "-T" from the perl call; "-T" is the switch that turns on Perl's taint checking).

chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl

And now all that's left for qmail-scanner is to initialize the version file and the perlscanner database...

First, we'll initialize the version file. This command also helps to keep your server's /var/spool/qmailscan folder clear of rogue files that can develop when SMTP sessions are dropped. You may want to stick this command into your server's crontab and run it once a day. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's run it...

setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z

And now we will generate a new perlscanner database for qmail-scanner. For future reference, it's a good idea to run this next command whenever you upgrade qmail-scanner. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's do it...

setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g

A successful database build should produce the following output:

perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt
perlscanner: total of 9 entries.

And now one final ownership check...

chown -R qscand:qscand /var/spool/qmailscan

Woohoo, qmail-scanner is installed! Now it's time to tie qmail-scanner into qmail itself.

vi /var/qmail/supervise/qmail-smtpd/run

To instruct Qmail to use Qmail-Scanner as the alternative queuing mechanism, we add the following line to the SMTP "run" script right under the first line (#!/bin/sh):

QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" ; export QMAILQUEUE

..and we change the "softlimit" in that same script...

change softlimit to 40000000

Note: It is absolutely vital that you change the "Softlimit" setting in this script. If you don't, qmail may fail to deliver mail!!!

So now the qmail-smtpd/run file should look like this:

#!/bin/sh
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" ; export QMAILQUEUE
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
exec /usr/local/bin/softlimit -m 40000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/var/qmail/bin/qmail-smtpd your_domain.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1


Once you've got the qmail-smtpd file modified, save the changes and exit from the file. Now we will finalize the qmail-scanner installation by going over some post-install configuration options. After that, we'll fire everything up and take qmail-scanner for a test drive!
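A quick check of the edited run script before restarting qmail, added here as an example (it is not part of the original guide or of qmail-scanner). The function names and the sample file are constructed for illustration; the 40000000 minimum is the softlimit value given above.

```shell
#!/bin/sh
# Added example: verify that a qmail-smtpd run script sets and exports
# QMAILQUEUE and raises "softlimit -m" to at least the value from this guide.

get_qmailqueue() {
    # Print the value assigned to QMAILQUEUE (quotes stripped), first match only.
    sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}QMAILQUEUE="\{0,1\}\([^";[:space:]]*\)"\{0,1\}.*/\2/p' "$1" | head -n 1
}

get_softlimit() {
    # Print the numeric argument passed to "softlimit -m".
    sed -n 's/.*softlimit[[:space:]]\{1,\}-m[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1
}

check_run_script() {
    # check_run_script FILE [MIN_BYTES]; returns 0 only if every check passes.
    file=$1 min=${2:-40000000} rc=0
    q=$(get_qmailqueue "$file")
    m=$(get_softlimit "$file")
    if [ -z "$q" ]; then
        echo "FAIL: QMAILQUEUE is not set"; rc=1
    elif ! grep -Eq '(^|[;[:space:]])export[[:space:]]+QMAILQUEUE' "$file"; then
        echo "FAIL: QMAILQUEUE is set but never exported"; rc=1
    else
        echo "ok: QMAILQUEUE=$q"
    fi
    if [ -z "$m" ]; then
        echo "FAIL: no 'softlimit -m' found"; rc=1
    elif [ "$m" -lt "$min" ]; then
        echo "FAIL: softlimit -m $m is below $min"; rc=1
    else
        echo "ok: softlimit -m $m"
    fi
    return $rc
}

# Constructed sample input (not taken from a real server): the key lines
# of the run script as edited in this step.
sample=$(mktemp)
printf '%s\n' '#!/bin/sh' \
    'QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" ; export QMAILQUEUE' \
    'exec /usr/local/bin/softlimit -m 40000000 \' \
    '/usr/local/bin/tcpserver -v -R 0 smtp /var/qmail/bin/qmail-smtpd' > "$sample"
check_run_script "$sample"
```

On a live server, point it at the real file instead of the sample: check_run_script /var/qmail/supervise/qmail-smtpd/run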

To activate all the changes we just made, we're going to have to completely stop and restart qmail...

Stop it...

qmailctl stop

and start it...

qmailctl start

And a quick check of the qmail processes, just to be safe...

qmailctl stat

Now it's time to test the whole damn thing to see if Qmail-Scanner, Spamassassin and Clam AV are all working correctly. Fortunately, Qmail-Scanner comes with its own testing script that does a fantastic job. So let's test it!

cd /downloads/qmailrocks/qmail-scanner-1.25/contrib

chmod 755 test_installation.sh

setuidgid qscand ./test_installation.sh -doit

A successful test should produce the following output. 2 messages should be quarantined by Clam Antivirus in /var/spool/quarantine/new and 2 messages should be sent to whatever mailbox you specified in the Qmail-scanner configuration script. Don't worry if you don't get virus notification emails. The normal notification emails that get sent out upon virus detection usually don't work during the test.

setting QMAILQUEUE to /var/qmail/bin/qmail-scanner-queue.pl for this test...

Sending standard test message - no viruses...
done!

Sending eicar test virus - should be caught by perlscanner module...
done!

Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)...

Sending bad spam message for anti-spam testing - In case you are using SpamAssassin...
Done!

Finished test. Now go and check Email for postmaster@mydomain.com


If you get 2 messages in your inbox and you see 2 messages in the quarantine folder, it's time to crack open a cold one! You've successfully installed all 3 packages! Woohoo!

- Helpful Hints -

Post Install configuration tips for Qmail-Scanner
Although Qmail-Scanner should work pretty much "out of the box" so to speak, you can make some customizations to its configuration by editing the qmail-scanner-queue.pl script located at /var/qmail/bin/qmail-scanner-queue.pl. The qmail-scanner-queue.pl script controls a lot of the functionality of both Clam AV and Spamassassin. Check it out for yourself and you will see that there are quite a few items you have control over. I wouldn't recommend touching most of them. In fact, the only setting that I changed in mine is in the Spamassassin section:

Can I have Spamassassin tag suspected spam with a custom subject line?

Yes. Edit the /var/qmail/bin/qmail-scanner-queue.pl file and find the following line:

my $spamc_subject='';

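Now type a custom spam subject between the quotes. This subject line will be added to any mails that Spamassassin tags as suspected spam. Here's an example (double quotes are used because the text contains an apostrophe; do not use backticks, which make Perl run the text as a shell command):

my $spamc_subject="Hi, I'm Spam";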

The "spamc_subject" setting determines what message Spamassassin will append to the "subject" of e-mails which it deems as SPAM.

Can I delete e-mails that Spamassassin labels as spam?

Yes. Edit the /var/qmail/bin/qmail-scanner-queue.pl file and find the following line:

my $sa_delete='0';

Now replace the '0' with a number that represents how far above your SpamAssassin "required_hits" variable Qmail-scanner should start deleting messages. For example, if your SpamAssassin required_hits variable is set to "5" and you set the "sa_delete" variable to "1.0", then any message that has a spam score of 1.0 over the "5" mark would be deleted. In other words, any mail with a score of 6 or more would be trashed automatically. So for this example, you would change the "sa_delete" variable as follows:

my $sa_delete='1.0';

Is it safe to tell qmail-scanner to delete e-mails that SpamAssassin marks as spam?

Spamassassin has been tested to have up to a 99% accuracy rating in terms of detecting real spam and leaving legitimate e-mail alone. I've been using it for over a year now and have never gotten a false positive. Therefore, I feel safe in telling it to just delete the stuff.

There are a host of other Spam and Virus handling directives that can be customized with the qmail-scanner.pl file. You can check out the qmail-scanner patch website at http://xoomer.virgilio.it/j.toribio/qmail-scanner/ for all the details.

Other than that, I left my qmail-scanner-queue.pl script as is.

Summary of functionality:

If you've gotten to this point, you should have Clam Anti-Virus, Spamassassin and Qmail-Scanner all working together. When a message comes into the server, Qmail-Scanner takes the message and pipes it out to both Clam Anti-Virus and Spamassassin. If the message contains a virus, Clam AV quarantines it in /var/spool/qmailscan/quarantine and then sends a notification e-mail to whoever you specified in the Qmail-Scanner installation. If the message does not contain a virus, it is then scanned by Spamassassin. Depending on the score that Spamassassin assigns to the message and whether or not that score breaks the SPAM threshold set by you in the /var/qmail/.spamassassin/user_prefs file, Spamassassin will either let the message go unaltered to its destination or it will tag the message as SPAM. If the message is tagged as SPAM, it will still arrive at its destination, but with an altered "subject" that will signal to the recipient that this was tagged as SPAM. The text that gets appended to the "subject" of the e-mail is set in the /var/qmail/bin/qmail-scanner-queue.pl file. (For example: If you set qmail-scanner-queue.pl to tag all SPAM with "HI, I'M SPAM!", mail tagged as such will be delivered to the recipient with "HI, I'M SPAM" added to the subject.) Once the message is tagged, the recipient can then configure his/her mail client to deal with those tagged messages in whatever manner he/she sees fit. Alternatively, you can tell Spamassassin to delete all suspected spam messages (like I do). You can find directions for this in the "Hints" box above.