Mail Server Filtering
by Michael W. Lucas, 04/01/2004
Most of what arrives at my mail servers is unwanted: viruses, spam, and executable garbage. Even if you're running something other than Windows on the desktop, the sudden appearance of a new virus can overwhelm your inbox. If you're an administrator, your users likely aren't as reliable about not clicking on attachments as we'd all like. Combined with the flood of spam and random garbage, putting a mail server on the Internet without filtering is like covering yourself with barbecue sauce and breaking into the Charity Home for Badgers with Rabies. Decent spam and virus protection measures can save you a lot of time and effort.
While the systems I use for this article are FreeBSD, the tools and techniques will work on any UNIX-like operating system running modern Sendmail.
Many commercial vendors provide garbage mail protection for Sendmail, but if I go around buying software then I'm never going to be able to afford that 17" laptop. Instead, I use MIMEDefang for generic content handling, SpamAssassin to identify unwanted bulk mail, and ClamAV to reject viruses. This combination eliminates almost all unwanted mail, while letting the good stuff through.
Sendmail(8) provides a milter (or mail filter) API for
third-party programs. This means that it's fairly straightforward to add
functionality to Sendmail with very little overhead. We can attach MIMEDefang
to Sendmail via milter. MIMEDefang can call both SpamAssassin and ClamAV. To
make this work, however, you must install and configure the various programs in
the correct order.
Install the ClamAV Antivirus Scanner
Install ClamAV from /usr/ports/security/clamav by running make install. Do not run make clean yet! The work subdirectory contains some sample viruses that we'll use to confirm that the program works correctly. The port will install the main virus scanner,
clamd(8), a command-line console clamscan(1), a
preliminary virus signature database, and an assortment of documentation and
ancillary programs. Under normal operation, the clamd(8) virus
scanner should be running at all times. Other programs can send files to
clamd(8) to learn if they are infected.
Start clamd from the command line. Though clamd requires
configuration before it is useful, the console scanner clamscan(1) reads the
signature database directly and does not depend on clamd, so we can test the
scanner before doing our custom setup. While you're still in the port
directory, use the console command to scan the work subdirectory for viruses.
# clamscan -r -l testoutput.txt
The -r recursively scans the current directory and the
-l tells clamscan to log the output to the text file
testoutput.txt. When you run this command, clamscan
will check every file under the current directory for viruses and print out its
status. A condensed version of the results, containing only the path to the
infected files and a list of statistics, will appear in the logfile. For
ClamAV 0.65, this test should discover five infected files.
Now, let's configure ClamAV to cooperate with MIMEDefang. The main
configuration file is /usr/local/etc/clamav.conf. Many of the
settings are tweakable as you desire. See the clamav.conf(5) man
page for all of the options. The most important change is that you should set
the user to mailnull, the same user that Sendmail and MIMEDefang
run as.
#User clamav
User mailnull
Because of this change, you also need to change the ownership of the directories ClamAV writes to, so that the mailnull user can create its socket, PID file, and logs.
# chown -R mailnull:mailnull /var/run/clamav/
# chown -R mailnull:mailnull /var/log/clamav/
Now that you have a basic virus scanner, you can update your virus
definitions. Virus definitions are maintained by volunteers from around the
world. When a major new virus hits, you can expect to see a definition
available within hours. As I write this, the ClamAV database has signatures
for 10,131 popular viruses. First, run freshclam as
root to confirm that your software can successfully contact one of
the virus signature mirrors and download the latest definitions. You should
see the program check the freshness of main.cvd and
daily.cvd before returning to the command line.
Once you know the update process works, enable the freshclam
daemon to check for updates. There is one minor complication, however;
freshclam runs as clamav and clamd runs
as mailnull, so by default you won't be able to write
freshclam reports in the clamav log directory. While
you can muck around with file and directory ownership or change the user that
freshclam runs as, the simplest thing to do is put your
freshclam log elsewhere. When you're done, your
/etc/rc.conf should have the following new lines:
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
clamav_freshclam_flags="--checks=1 --datadir=/usr/local/share/clamav \
--daemon-notify=/usr/local/etc/clamav.conf --log=/var/log/freshclam.log"
The next time you reboot, the system will start the ClamAV virus scanner and
updater. You might need to touch /var/log/freshclam.log and
chown clamav:clamav /var/log/freshclam.log if
freshclam(8) has trouble starting.
Integrating ClamAV with MIMEDefang
By default, ClamAV puts its UNIX socket in
/var/run/clamav/clamd. MIMEDefang expects to find it in
/var/spool/MIMEDefang/clamd.sock. One or the other must change.
If you do not change the socket, you will see errors in the mail log where
MIMEDefang cannot communicate with the virus scanner. I consistently change
ClamAV to use the MIMEDefang location, simply because it doesn't make any
difference to the programs, but it's easier for me to remember. Change this in
the clamav.conf file under the LocalSocket
setting.
Once you change this in the configuration, however, ClamAV will not run until you've installed MIMEDefang. Despite advances in computing technology, placing sockets in nonexistent directories still presents difficulties.
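Before starting clamd(8), it is worth confirming that clamav.conf actually says what the two preceding steps require: the User setting from the "Install the ClamAV Antivirus Scanner" section and the LocalSocket setting from this one. The script below is an added example, not code from the article or from the ClamAV or MIMEDefang projects. It parses a clamav.conf (ignoring commented-out lines such as "#User clamav"), checks that User and LocalSocket match what MIMEDefang expects, and checks that the socket's directory exists and belongs to that user. The expected values (mailnull, /var/spool/MIMEDefang/clamd.sock) are the article's; the function names are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check clamav.conf before starting clamd.
# Not from the original article; the expected values are the ones the
# article uses (User mailnull, LocalSocket /var/spool/MIMEDefang/clamd.sock).

# Print the effective value of KEY in CONF.  clamav.conf lines are
# "Key value"; a line starting with '#' is a comment, so "#User clamav"
# does not match and only an uncommented "User mailnull" counts.  If a
# key appears more than once, the last occurrence wins, as in clamd.
clamav_conf_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Verify that CONF sets User to WANT_USER and LocalSocket to WANT_SOCK.
# Reports every mismatch on stdout; returns 0 only if both are right.
check_clamav_conf() {
    conf=$1
    want_user=$2
    want_sock=$3
    rc=0
    user=$(clamav_conf_value "$conf" User)
    sock=$(clamav_conf_value "$conf" LocalSocket)
    if [ "$user" != "$want_user" ]; then
        echo "User is '${user:-unset}', expected '$want_user' (clamd must run as the Sendmail/MIMEDefang user)"
        rc=1
    fi
    if [ "$sock" != "$want_sock" ]; then
        echo "LocalSocket is '${sock:-unset}', expected '$want_sock' (MIMEDefang looks for the socket there)"
        rc=1
    fi
    return $rc
}

# Verify that the directory holding SOCK exists and is owned by WANT_USER.
# This catches both the "socket in a nonexistent directory" problem
# (MIMEDefang not installed yet) and a forgotten chown.
check_socket_dir() {
    sock=$1
    want_user=$2
    dir=$(dirname "$sock")
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist; install MIMEDefang (or create it) before starting clamd"
        return 1
    fi
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    if [ "$owner" != "$want_user" ]; then
        echo "$dir is owned by $owner, not $want_user; run: chown -R $want_user:$want_user $dir"
        return 1
    fi
    return 0
}

# Usage on a real system (assumed paths from the article):
#   check_clamav_conf /usr/local/etc/clamav.conf mailnull /var/spool/MIMEDefang/clamd.sock \
#   && check_socket_dir /var/spool/MIMEDefang/clamd.sock mailnull
```

Run the two checks after editing clamav.conf and again after installing MIMEDefang; a non-zero exit from either means clamd will either start as the wrong user or fail to create its socket, which is exactly what shows up later as "cannot communicate with the virus scanner" errors in the mail log.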
Install SpamAssassin
SpamAssassin is perhaps the most celebrated piece of anti-spam software. It's a Perl package that uses pattern-matching to assign each piece of email a score. Key phrases, such as "Make money fast" and "Work from home," will increase the mail's score, as will bogus headers and an origination IP of a known spam source. You can set your mail client to delete or filter mail that has a score above your preferred limit.
Install SpamAssassin from /usr/ports/mail/p5-Mail-SpamAssassin.
As SpamAssassin is managed as part of MIMEDefang, we don't need to configure SpamAssassin itself; its configuration has been assimilated into MIMEDefang. Proceed directly to installing MIMEDefang.