Qmail-Scanner and ClamAV HowTo
How To ClamAV
What is ClamAV?
From the ClamAV website:
"Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. Most importantly, the virus database is kept up to date."
Installing ClamAV
Download the ClamAV source at http://www.clamav.net. As of the writing of this HOWTO, the latest version is 0.65.
#tar -xvzf clamav-0.65.tar.gz
Testing
Once ./configure, make and make install have completed without errors, you are ready to test your installation. (If you did experience errors, review the ClamAV documentation included in the tar ball; the ClamAV website also has helpful tips.) To test your installation type:
#clamscan -r -l scan.txt clamav-0.65
Clamscan should find the test signature (NOT a real virus) in the clamav-0.65/test directory and log it to the scan.txt log file.
Now configure the ClamAV daemon, clamd, for testing.
#vi /usr/local/etc/clamav.conf
Comment out the "Example" line in clamav.conf and save; clamd refuses to start while that line is active. Start clamd, then run the daemon client against the same directory:
#clamdscan -l scan.txt clamav-0.65
This should produce output similar to the clamscan command you entered above.
Updating Defs
Now we need to update our virus definitions. ClamAV includes a utility, freshclam, to take care of this. Freshclam automatically drops from root to the clamav user that you created during the installation. First, create a log file that freshclam can write to, and give the clamav user ownership of it, since freshclam writes to it after dropping privileges.
#touch /var/log/clam-update.log
Now start freshclam:
#freshclam -d -c 6 -l /var/log/clam-update.log
This runs freshclam as a daemon that checks for a new virus definition database six (6) times a day. Check /var/log/clam-update.log; it should record each check and any database that was downloaded.
Now add freshclam -d -c 6 -l /var/log/clam-update.log to your startup scripts.
Alternatively, instead of running the daemon, you can set up a cron job that runs freshclam every 6 hours:
#vi /etc/crontab
0 */6 * * * root /usr/local/bin/freshclam -l /var/log/clam-update.log
(The cron entry must call freshclam, not clamscan, and without -d, otherwise every run would try to start another daemon.)
Setting up Clamd and Using With Daemontools
Edit the clamd configuration file (/usr/local/etc/clamav.conf for ClamAV 0.65; later releases renamed it clamd.conf) and make the following changes.
#vi /usr/local/etc/clamav.conf
Uncomment "LogSyslog"
Uncomment "StreamSaveToDisk"
Uncomment "MaxThreads" and change the value to "30"
Uncomment "User" and change the value to "qscand" (this must match the user Qmail-Scanner runs as, created below; clamd drops to it after starting)
Uncomment "Foreground" (required so that clamd stays attached to supervise instead of daemonizing)
Uncomment "ScanMail"
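The six edits above, applied as one idempotent script. This is an added example for this HOWTO, not the ClamAV project's tooling: it rewrites a clamd config file in place and the check function verifies the result, so you can re-run it after an upgrade replaces the file. The path /usr/local/etc/clamav.conf is where a ClamAV 0.65 source build puts the file and is an assumption; pass another file as the first argument.

```sh
#!/bin/sh
# Added example (not from the HOWTO or ClamAV): apply the clamd settings
# listed above to a config file, idempotently, and verify them.
# Assumption: /usr/local/etc/clamav.conf is where a 0.65 source build put it.

# set_opt FILE KEY [VALUE]: activate "KEY VALUE", replacing a commented-out
# or already-active line for KEY, or appending if KEY is absent.
set_opt() {
    file=$1; key=$2; value=$3
    line="$key${value:+ $value}"
    tmp="$file.tmp.$$"
    # KEY followed by end of line or whitespace, optionally behind '#'
    pat="^#*[[:space:]]*$key\([[:space:]].*\)\{0,1\}\$"
    if grep -q "$pat" "$file"; then
        sed "s|$pat|$line|" "$file" > "$tmp"
    else
        { cat "$file"; echo "$line"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# comment_opt FILE KEY: disable KEY by prefixing its line with '#'.
comment_opt() {
    file=$1; key=$2; tmp="$file.tmp.$$"
    sed "s|^[[:space:]]*$key\([[:space:]].*\)\{0,1\}\$|#&|" "$file" > "$tmp" && mv "$tmp" "$file"
}

# configure_clamd FILE: the changes the HOWTO asks for.
configure_clamd() {
    conf=$1
    comment_opt "$conf" Example          # clamd refuses to start while Example is active
    set_opt "$conf" LogSyslog
    set_opt "$conf" StreamSaveToDisk
    set_opt "$conf" MaxThreads 30
    set_opt "$conf" User qscand          # must match the Qmail-Scanner user
    set_opt "$conf" Foreground           # needed under supervise; clamd must not daemonize
    set_opt "$conf" ScanMail
}

# check_clamd_conf FILE: 0 if every directive is active with the expected
# value and Example is gone; otherwise lists what is wrong on stderr.
check_clamd_conf() {
    conf=$1; rc=0
    for want in LogSyslog StreamSaveToDisk "MaxThreads 30" "User qscand" Foreground ScanMail; do
        grep -q "^$want\$" "$conf" || { echo "$conf: missing '$want'" >&2; rc=1; }
    done
    if grep -q "^Example" "$conf"; then
        echo "$conf: the Example line is still active" >&2; rc=1
    fi
    return $rc
}

# Usage: clamd-conf.sh FILE   (e.g. /usr/local/etc/clamav.conf on 0.65)
if [ $# -gt 0 ]; then
    configure_clamd "$1" && check_clamd_conf "$1"
fi
```

Run it as root against the real file, then start clamd and confirm with clamdscan as in the Testing section; the check function is also a useful pre-flight before restarting the daemon after any later hand edit.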
Create the clamav directory.
#mkdir -p /usr/local/clamav/bin
Now create a startup/shutdown script for clamd, clamdctl, in /usr/local/clamav/bin. The original HOWTO used a script written by Jesse D. Guardiani (not reproduced here).
Make clamdctl executable and link it into the path:
#chmod 755 /usr/local/clamav/bin/clamdctl
#chown clamav /usr/local/clamav/bin/clamdctl
#ln -s /usr/local/clamav/bin/clamdctl /usr/local/bin
To start clamd back up, run:
#clamdctl start
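Since the clamdctl script itself is not on this page, here is an added example of the daemontools arrangement such a script drives: a run script for clamd under /usr/local/clamav/supervise (the directory the Ownership section later refers to) and a minimal control wrapper around svc(8). This is my own example, not Jesse D. Guardiani's script and not ClamAV code; /usr/local/sbin/clamd is where a default source build installs the daemon and is an assumption. It relies on the Foreground and User settings made above.

```sh
#!/bin/sh
# Added example: daemontools supervision for clamd plus a clamdctl-style
# wrapper. Not the HOWTO's clamdctl; paths are assumptions (see lead-in).
SUPERVISE_DIR="${SUPERVISE_DIR:-/usr/local/clamav/supervise/clamd}"
CLAMD_BIN="${CLAMD_BIN:-/usr/local/sbin/clamd}"

# run_script: emit the daemontools run file. clamd must have Foreground set
# so it stays attached to supervise; it drops to User qscand by itself, so
# no setuidgid is needed (and it must start as root to be able to do that).
run_script() {
    printf '#!/bin/sh\n# clamd run script (added example)\nexec %s 2>&1\n' "$CLAMD_BIN"
}

# install_supervise DIR: write DIR/run, executable and root-owned.
# supervise executes this file as root, so it must never be writable by
# qscand, even if the rest of the supervise tree is handed to that user.
install_supervise() {
    dir=$1
    mkdir -p "$dir"
    run_script > "$dir/run"
    chmod 755 "$dir/run"
    if [ "$(id -u)" -eq 0 ]; then chown root "$dir/run"; fi
    [ -x "$dir/run" ]
}

# clamdctl start|stop|restart|status: drive the service through svc(8)/svstat(8).
clamdctl() {
    case $1 in
        start)   svc -u "$SUPERVISE_DIR" ;;
        stop)    svc -d "$SUPERVISE_DIR" ;;
        restart) svc -t "$SUPERVISE_DIR" ;;   # TERM; supervise restarts clamd
        status)  svstat "$SUPERVISE_DIR" ;;
        *)       echo "usage: clamdctl {start|stop|restart|status}" >&2; return 2 ;;
    esac
}

# Command-line use: "clamdctl.sh install" writes the run script; any other
# argument is passed to clamdctl. With no argument nothing happens.
if [ "$1" = install ]; then
    install_supervise "$SUPERVISE_DIR"
elif [ $# -gt 0 ]; then
    clamdctl "$@"
fi
```

After "install", symlink the supervise directory into the directory svscan watches (/service in a Life with qmail setup) and supervise will start clamd within a few seconds; from then on "clamdctl stop" and "clamdctl start" are just svc -d and svc -u.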
How To Qmail-Scanner
What Is Qmail-Scanner?
From the Qmail-Scanner website: "Qmail-Scanner is an addon that enables a qmail email server to scan all gateway-ed email for certain characteristics (i.e. a content scanner). It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial virus scanners, but also enables a site (at a server/site level) to react to email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments). It also can be used as an archiving tool for auditing or backup purposes. Qmail-Scanner is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in better performance. It is capable of scanning not only locally sent/received email, but also email that crosses the server in a relay capacity."
Installing Qmail-Scanner Prerequisites
Maildrop
What is Maildrop?
From the maildrop web site:
"maildrop is the mail filter/mail delivery agent that's used by the Courier Mail Server."
You will not be using Maildrop or the Courier Mail Server for this installation. However, Qmail-Scanner requires reformime, which is included in Maildrop, to take MIME messages apart. This is the only reason Maildrop is mentioned in this HOWTO.
Download and unpack the latest version of Maildrop. Please read the INSTALL file included in the tar ball.
#./configure
#make
#make install-strip
#make install-man
Perl Modules
Time::HiRes Perl module:
From the README file in the tar ball:
Time::HiRes module: High resolution time, sleep, and alarm. "Implement usleep, ualarm, and gettimeofday for Perl, as well as wrappers to implement time, sleep, and alarm that know about non-integral seconds."
DB_File Perl module:
From the README file in the tar ball:
"DB_File is a module which allows Perl programs to make use of the facilities provided by Berkeley DB version 1. (DB_File can be built with version 2, 3 or 4 of Berkeley DB, but it will only support the 1.x features)."
Download Time::HiRes and DB_File Perl Modules. The modules can be obtained at www.cpan.org (See Appendix C). There is a HOWTO there as well that will explain the installation procedure of Perl modules. Once again, please read the instructions included in the tar balls and review the README information before installing.
Mark Simpson's TNEF Unpacker
What is TNEF Unpacker?
This utility unpacks application/ms-tnef MIME attachments (the "winmail.dat" format produced by Microsoft mail clients), so that Qmail-Scanner can examine the files inside them. For a description of MIME attachments, see http://www.ietf.org/rfc/rfc1521.txt?number=1521 .
Download the package and uncompress the tar ball. As with the Maildrop install, read the INSTALL file included in the tar ball.
#./configure
#make check
#make install
Patching qmail
If you have not already done so, install Bruce Guenter's QMAILQUEUE patch. It makes qmail-smtpd (and the other qmail front ends) honour the QMAILQUEUE environment variable, which is how Qmail-Scanner is inserted into the delivery path.
To patch qmail, download the patch (qmailqueue-patch) into your qmail source directory, apply it and rebuild:
#patch -p1 < qmailqueue-patch
#make setup check
Installing Qmail-Scanner
We are now ready to install Qmail-Scanner. Download the latest source of Qmail-Scanner. As of the writing of this HOWTO, it is 1.20.
Create a user for Qmail-Scanner to run as.
#groupadd qscand
#useradd -g qscand -c "qmail scanner" -s /nonexistent qscand
Unpack the tar ball and change to the Qmail-Scanner directory.
#tar -zxvf qmail-scanner-1.20.tar.gz
#cd qmail-scanner-1.20
Run configure to autodetect what software is installed on your system, and review the output to make sure it found the qscand user, reformime, the TNEF unpacker and the ClamAV scanner:
#./configure
Now type:
#./configure --install
This installs qmail-scanner-queue.pl and creates the necessary directory structures. You should see similar messages as before. Once again, read the output of the script to make sure everything is correct. If it is, press ENTER to install Qmail-Scanner.
If the install succeeded, qmail-scanner-queue.pl should now be in /var/qmail/bin:
#ls /var/qmail/bin/qmail-scanner-queue.pl
/var/qmail/bin/qmail-scanner-queue.pl
Ownership
In order for Qmail-Scanner to be able to use ClamAV, some of the ClamAV ownerships must be changed. If you recall, we made a clamav user to run ClamAV and restricted its files to that user. Now the qscand user, which both qmail-scanner-queue.pl and (via the User setting) clamd run as, needs access to them. First, change the ownership of the clamd supervise directories:
#chown -R qscand /usr/local/clamav/supervise
Be aware that supervise executes the run script in that directory as root, so whatever else you hand to qscand, keep the run script itself root-owned and not writable by qscand; otherwise a compromise of the scanner account becomes root. Now change the ownership of the ClamAV log directory:
#chown -R qscand /var/log/clamd
The virus database directory that freshclam writes as the clamav user must also remain readable by qscand, or clamd will fail to load its signatures.
Testing
Now test Qmail-Scanner:
#./contrib/test_installation.sh -doit
Sending standard test message - no viruses...done!
Sending eicar test virus - should be caught by perlscanner module...
Sending eicar test virus with altered filename - should only be caught
Now check the e-mail for your postmaster alias account.
You should now have 4 e-mail messages in your postmaster's mailbox.
If you do not have the 4 messages in the postmaster's mailbox, then: verify that you are checking the proper mailbox.
Re-run the configure script for qmail-scanner-queue.pl and verify that the 'virus-admin' shown in its output is the same as your qmail postmaster alias.
Check the qmail queue (qmailctl queue) to see if the messages are still waiting. If they are, try a 'qmailctl flush' to force delivery.
Configuring qmail to Use qmail-scanner-queue.pl
Changing Your Tcp Rules
Once everything is installed, configured, and successfully tested, configure qmail to use Qmail-Scanner and ClamAV. If you have followed the instructions in Dave Sill's Life with qmail (see Appendix A: Reading Resources), you have a tcp.smtp file in your /etc directory. Edit tcp.smtp so that each rule sets the QMAILQUEUE variable.
IMPORTANT: many sites show
:allow.QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
which is wrong. The action and the environment variables in a tcprules line are separated by commas, so the correct form is
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
With a "." the line is not parsed as an allow rule plus a QMAILQUEUE assignment, and the scanner is never invoked.
The layout is: for local (localhost) deliveries, set QMAILQUEUE to the original /var/qmail/bin/qmail-queue, so that locally injected mail is not scanned; for the local subnet, set QMAILQUEUE to /var/qmail/bin/qmail-scanner-queue.pl, so that all SMTP traffic from the subnet is scanned by Qmail-Scanner and ClamAV; and make the last, catch-all line (":allow,QMAILQUEUE=...") scan all inbound mail.
After adding the QMAILQUEUE variables, you must rebuild the cdb file for qmail (qmailctl cdb in a Life with qmail installation) before the change takes effect.
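An added example (mine, not from the HOWTO or the Qmail-Scanner project): a tcp.smtp that follows the layout described above, a checker that catches the allow.QMAILQUEUE typo and any allow rule that sets no QMAILQUEUE at all, and the cdb rebuild that qmailctl cdb performs. The 192.168.1. subnet is a placeholder for your own network; the qmail paths are qmail's defaults.

```sh
#!/bin/sh
# Added example (not from the HOWTO): generate, check and compile tcp.smtp.
# 192.168.1. is an assumed local subnet; the qmail paths are qmail's defaults.
QQ_PLAIN=/var/qmail/bin/qmail-queue
QQ_SCANNER=/var/qmail/bin/qmail-scanner-queue.pl

# example_tcp_smtp: the three-rule layout described above. Note that the
# 127. rule deliberately bypasses the scanner for locally injected mail.
example_tcp_smtp() {
    cat <<EOF
127.:allow,RELAYCLIENT="",QMAILQUEUE="$QQ_PLAIN"
192.168.1.:allow,RELAYCLIENT="",QMAILQUEUE="$QQ_SCANNER"
:allow,QMAILQUEUE="$QQ_SCANNER"
EOF
}

# check_tcp_smtp FILE: 0 if every allow rule sets QMAILQUEUE with the
# correct ',' separator; otherwise report each bad line and return 1.
# A rule without QMAILQUEUE makes the patched qmail-smtpd fall back to
# plain qmail-queue, i.e. mail matching it is never scanned.
check_tcp_smtp() {
    file=$1; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                       # blank or comment
            *:allow.*|*:deny.*)
                echo "$file:$n: '.' after the action; tcprules needs ',' before QMAILQUEUE" >&2
                rc=1 ;;
        esac
        case $line in
            *:allow*QMAILQUEUE=*) ;;                   # scanner (or explicit queue) set
            *:allow*)
                echo "$file:$n: allow rule without QMAILQUEUE, mail on it is unscanned" >&2
                rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# rebuild_cdb FILE: compile FILE into FILE.cdb the way qmailctl cdb does.
rebuild_cdb() {
    file=$1
    tcprules "$file.cdb" "$file.tmp" < "$file" && chmod 644 "$file.cdb"
}

# Usage: tcpsmtp-check.sh /etc/tcp.smtp   (checks, then rebuilds the cdb)
if [ $# -gt 0 ]; then
    check_tcp_smtp "$1" && rebuild_cdb "$1"
fi
```

tcpserver reads the compiled .cdb on every new connection, so no restart is needed after the rebuild; the checker refuses to compile a file that would leave a rule unscanned.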
Increasing Your Softlimit
If you try to send an e-mail message now, you will most likely receive an error from your client containing:
451 qq temporary problem (#4.3.0)
This is qmail-smtpd reporting that qmail-scanner-queue.pl (a perl script, which needs far more memory than the C qmail-queue binary) was killed by the memory limit. If you followed Life with qmail, that limit is set in /var/qmail/supervise/qmail-smtpd/run. Look for the line that contains softlimit. It should look similar to this:
exec /usr/local/bin/softlimit -m 2000000 \
Raise the value after -m so that perl and the Qmail-Scanner modules fit (check Qmail-Scanner's README for the value it recommends for your version), then restart qmail-smtpd (qmailctl restart) and send the test message again.
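An added example (mine, not the HOWTO's): a script that reads the current softlimit -m value out of a qmail-smtpd run file and raises it only if it is below a floor, leaving an already-sufficient file untouched. The HOWTO gives no figure; the default floor of 40000000 bytes is an assumption and should be replaced with whatever Qmail-Scanner's README recommends for your version.

```sh
#!/bin/sh
# Added example (not from the HOWTO): raise softlimit -m in a daemontools
# run file such as /var/qmail/supervise/qmail-smtpd/run.
# The 40000000-byte floor is an assumption, not a documented value.
MIN_BYTES="${MIN_BYTES:-40000000}"

# softlimit_bytes FILE: print the current -m argument of the softlimit line
# (first match only), or nothing if there is no such line.
softlimit_bytes() {
    sed -n 's/.*softlimit.*-m[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# raise_softlimit FILE BYTES: rewrite -m in place only if it is below BYTES.
# Returns 0 when FILE ends up at or above BYTES, 1 if no softlimit line exists.
# The new limit only applies after qmail-smtpd is restarted (qmailctl restart).
raise_softlimit() {
    file=$1; want=$2
    cur=$(softlimit_bytes "$file")
    if [ -z "$cur" ]; then
        echo "$file: no 'softlimit ... -m N' line found" >&2
        return 1
    fi
    if [ "$cur" -lt "$want" ]; then
        tmp="$file.tmp.$$"
        sed "s/\(softlimit.*-m[[:space:]]*\)$cur/\1$want/" "$file" > "$tmp" && mv "$tmp" "$file"
        echo "$file: softlimit -m raised from $cur to $want; restart qmail-smtpd" >&2
    fi
    [ "$(softlimit_bytes "$file")" -ge "$want" ]
}

# Usage: raise-softlimit.sh RUN_FILE [BYTES]
if [ $# -gt 0 ]; then
    raise_softlimit "$1" "${2:-$MIN_BYTES}"
fi
```

Keep the limit in place rather than removing softlimit altogether: it is what stops a malformed message from driving the scanner's memory use through the roof and taking the SMTP service down with it.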
That completes the installation. Qmail-Scanner and ClamAV should now scan every message that passes through qmail-smtpd.