Thursday, March 29, 2007

HowTo Qmail-Scanner and ClamAV




How To ClamAV


What is ClamAV?

From the ClamAV website:

"Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. Most importantly, the virus database is kept up to date."



Installing ClamAV

Download the ClamAV source at http://www.clamav.net. As of the writing of this HOWTO, the latest version is 0.65.

#tar -xvzf clamav-0.65.tar.gz
#cd clamav-0.65
#groupadd clamav
#useradd clamav -g clamav -c "Clam AntiVirus" -s /nonexistent
#./configure
#make
#make install
#cd ..

Testing

As long as make and make install finished without errors, you are now ready to test your installation. (If you did see errors, review the ClamAV documentation included in the tar ball; the ClamAV website also has some helpful tips.) To test your installation, type:

#clamscan -r -l scan.txt clamav-0.65

Clamscan should find a test virus (this is NOT a real virus) in the clamav-0.65/test directory and log it to the scan.txt log file.

Now you need to configure the ClamAV daemon, clamd, for testing.

#vi /usr/local/etc/clamav.conf

Comment out "Example" line in clamav.conf and save.

#clamdscan -l scan.txt clamav-0.65

This should provide output that is similar to the clamscan command you entered above.


Updating Defs

Now we need to update our virus definitions. ClamAV includes a utility, freshclam, to take care of this. Freshclam automatically drops from root to the clamav user that you created during the installation. First, create a log file that freshclam can write to.

#touch /var/log/clam-update.log
#chmod 600 /var/log/clam-update.log
#chown clamav /var/log/clam-update.log

Now start freshclam:

#freshclam -d -c 6 -l /var/log/clam-update.log

This checks for a new virus definition database six (6) times a day. Check the /var/log/clam-update.log file. It should look something like this:

-----------------------------------------------------------------------------------------------------
ClamAV update process started at Wed Jan 28 17:49:48 2004
main.cvd is up to date (version: 19, sigs: 19987, f-level: 1, builder: ddm)
daily.cvd updated (version: 111, sigs: 597, f-level: 1, builder: tomek)
Database updated (20584 signatures) from database.clamav.net (81.4.91.185).
-----------------------------------------------------------------------------------------------------

Now add the command freshclam -d -c 6 -l /var/log/clam-update.log to your startup scripts so it is started at boot.
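Two checks on that log, as an added example that is not part of the original HOWTO: the first reads only the most recent update attempt and reports whether it fetched a new database, found everything current, or failed; the second flags a log file that has not been written to for longer than the update interval, because a scanner running on stale signatures is a detection gap nobody notices until a sample slips through. The sample log is constructed to mirror the entry shown above; the assumption that freshclam reports failures with lines starting with "ERROR", and the use of find -mmin, are mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: two checks for the
# freshclam log. Assumption (not on the page): freshclam reports failures
# as lines beginning with "ERROR".

FRESHCLAM_LOG=/var/log/clam-update.log   # the log file created above

# freshclam_last_run LOG
# Looks only at the most recent attempt (everything after the last
# "ClamAV update process started at" line) and prints one of:
#   updated <total-signatures>   a new database was fetched
#   current                      every .cvd was already up to date
#   error                        the run logged an ERROR line
#   unknown                      nothing recognisable after the marker
freshclam_last_run() {
    awk '
        /^ClamAV update process started at/ { status = "unknown"; sigs = ""; next }
        /^ERROR/                            { status = "error"; next }
        status == "error"                   { next }
        /^Database updated \([0-9]+ signatures\)/ {
            sigs = $3; sub(/\(/, "", sigs); status = "updated"; next
        }
        /^[a-z]+\.cvd is up to date/        { if (status == "unknown") status = "current"; next }
        END {
            if (status == "") status = "unknown"
            print (sigs == "" ? status : status " " sigs)
        }
    ' "$1"
}

# freshclam_log_stale LOG HOURS
# Returns 0 (true) when LOG was last written more than HOURS hours ago.
# With "freshclam -c 6" a run happens every four hours, so a log untouched
# for six hours means the daemon has died or cannot reach the mirror.
freshclam_log_stale() {
    [ -n "$(find "$1" -mmin "+$(( $2 * 60 ))" 2>/dev/null)" ]
}

# Constructed sample log (mirrors the entry shown above; not real data).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
ClamAV update process started at Wed Jan 28 17:49:48 2004
main.cvd is up to date (version: 19, sigs: 19987, f-level: 1, builder: ddm)
daily.cvd updated (version: 111, sigs: 597, f-level: 1, builder: tomek)
Database updated (20584 signatures) from database.clamav.net (81.4.91.185).
EOF
echo "last run: $(freshclam_last_run "$SAMPLE_LOG")"   # prints: last run: updated 20584
if freshclam_log_stale "$FRESHCLAM_LOG" 6; then echo "WARNING: $FRESHCLAM_LOG is stale"; fi
```

Run both from the same cron that drives freshclam, a few minutes after the update slot, and alert on anything other than "updated" or "current".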

You can also set up a cron job to update the defs every 6 hours, if you like:

#vi /etc/crontab
0 */6 * * * root /usr/local/bin/freshclam


Setting up Clamd and Using With Daemontools

Edit /etc/clamd.conf and make the following changes.

#vi /etc/clamd.conf
Uncomment "LogSyslog"
Uncomment "StreamSaveToDisk"
Uncomment "MaxThreads" and change value to "30"
Uncomment "User" and change value to "qscand"
Uncomment "Foreground"
Uncomment "ScanMail"

Create the clamav directory.

#mkdir -p /usr/local/clamav/bin

Now create a startup/shutdown script for clamd. Copy and paste the script shown below. This script was written by Jesse D. Guardiani.

#vi /usr/local/clamav/bin/clamdctl

#!/bin/sh

# For Red Hat chkconfig
# chkconfig: - 80 30
# description: the ClamAV clamd daemon

PATH=/usr/local/clamav/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH

case "$1" in
  start)
    echo "Starting clamd"
    if svok /service/clamd ; then
      svc -u /service/clamd
    else
      echo clamd supervise not running
    fi
    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/clamd
    fi
    ;;
  stop)
    echo "Stopping clamd..."
    echo " clamd"
    svc -d /service/clamd
    if [ -f /var/lock/subsys/clamd ]; then
      rm /var/lock/subsys/clamd
    fi
    ;;
  stat)
    svstat /service/clamd
    svstat /service/clamd/log
    ;;
  restart)
    echo "Restarting clamd:"
    echo "* Stopping clamd."
    svc -d /service/clamd
    echo "* Sending clamd SIGTERM and restarting."
    svc -t /service/clamd
    echo "* Restarting clamd."
    svc -u /service/clamd
    ;;
  hup)
    echo "Sending HUP signal to clamd."
    svc -h /service/clamd
    ;;
  help)
    # The help text was cut off in the original post; this usage message
    # lists the commands the script actually handles.
    cat <<EOF
Usage: $0 {start|stop|stat|restart|hup|help}
EOF
    ;;
  *)
    echo "Unknown command: $1 (try: $0 help)" >&2
    exit 1
    ;;
esac
exit 0

Make clamdctl an executable and link to path:

#chmod 755 /usr/local/clamav/bin/clamdctl
#chown clamav /usr/local/clamav/bin/clamdctl
#ln -s /usr/local/clamav/bin/clamdctl /usr/local/bin

To start clamd back up, do the following:

#clamdctl start
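The clamdctl script drives a daemontools service at /service/clamd, but the HOWTO never shows that service directory. The following added example (mine, not Jesse D. Guardiani's script or the ClamAV project's) writes the run and log/run files for it. It assumes clamd is installed as /usr/local/sbin/clamd and reads the /etc/clamd.conf edited above, and that daemontools' setuidgid and multilog live in /usr/local/bin; the log directory /var/log/clamd is the one this HOWTO later chowns to qscand.

```shell
#!/bin/sh
# Added example, not from the HOWTO: build the daemontools supervise
# directory that clamdctl controls through /service/clamd.
# Assumptions (not on the page): clamd binary path, setuidgid/multilog path.
CLAMD_BIN=/usr/local/sbin/clamd
CLAMD_CONF=/etc/clamd.conf        # the file edited in "Setting up Clamd"
CLAMD_LOGDIR=/var/log/clamd       # chowned to qscand later in the HOWTO

# make_clamd_supervise DIR
# Writes DIR/run and DIR/log/run, marks them executable and returns 0.
# clamd is started as root so that the User directive in clamd.conf can
# drop it to qscand; "Foreground" must be enabled so supervise can track it.
make_clamd_supervise() {
    dir=$1
    mkdir -p "$dir/log" || return 1
    cat > "$dir/run" <<EOF
#!/bin/sh
# Started by supervise; clamd.conf has Foreground on and User qscand.
exec 2>&1
exec $CLAMD_BIN -c $CLAMD_CONF
EOF
    cat > "$dir/log/run" <<EOF
#!/bin/sh
# multilog runs as qscand so the log directory can stay owned by that user.
exec /usr/local/bin/setuidgid qscand /usr/local/bin/multilog t $CLAMD_LOGDIR
EOF
    chmod 755 "$dir/run" "$dir/log/run"
}

# Stand-alone demo: build the tree in a scratch directory and list it.
DEMO_DIR=$(mktemp -d)
make_clamd_supervise "$DEMO_DIR" && find "$DEMO_DIR" -type f
# On the real box (as root):
#   make_clamd_supervise /usr/local/clamav/supervise/clamd
#   ln -s /usr/local/clamav/supervise/clamd /service/clamd
```

Once the symlink under /service exists, svscan picks the service up within seconds and clamdctl stat should show both clamd and its logger running.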

How To Qmail-Scanner


What Is Qmail-Scanner?

From the Qmail-Scanner website: "Qmail-Scanner is an addon that enables a qmail email server to scan all gateway-ed email for certain characteristics (i.e. a content scanner). It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial virus scanners, but also enables a site (at a server/site level) to react to email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments). It also can be used as an archiving tool for auditing or backup purposes. Qmail-Scanner is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in better performance. It is capable of scanning not only locally sent/received email, but also email that crosses the server in a relay capacity."


Installing Qmail-Scanner Prerequisites

Maildrop

What is Maildrop:

From the maildrop web site:

"maildrop is the mail filter/mail delivery agent that's used by the Courier Mail Server."

You will not be using Maildrop or the Courier Mail Server for this installation. However, Qmail-Scanner requires reformime, which is included in Maildrop. This is the only reason Maildrop is mentioned in this HOWTO.

Download and unpack the latest version of Maildrop. Please read the INSTALL file included in the tar ball.

#./configure
#make
#make install-strip
#make install-man

Perl Modules

Time::HiRes Perl module:

From the README file in the tar ball:

Time::HiRes module: High resolution time, sleep, and alarm. "Implement usleep, ualarm, and gettimeofday for Perl, as well as wrappers to implement time, sleep, and alarm that know about non-integral seconds."

DB_File Perl module:

From the README file in the tar ball:

"DB_File is a module which allows Perl programs to make use of the facilities provided by Berkeley DB version 1. (DB_File can be built with version 2, 3 or 4 of Berkeley DB, but it will only support the 1.x features.)"

Download Time::HiRes and DB_File Perl Modules. The modules can be obtained at www.cpan.org (See Appendix C). There is a HOWTO there as well that will explain the installation procedure of Perl modules. Once again, please read the instructions included in the tar balls and review the README information before installing.

Mark Simpson's TNEF Unpacker

What is TNEF Unpacker:

This utility unpacks ms-tnef type MIME attachments. For a better explanation of MIME type attachments, please review http://www.ietf.org/rfc/rfc1521.txt?number=1521 .

Download the package, and uncompress the tar ball. As with the Maildrop install, you should read the INSTALL file included in the tar ball.

#./configure
#make check
#make install

Patching qmail

If you have not already done so, please install Bruce Guenter's QMAILQUEUE patch.

To patch qmail, download the patch to your qmail source directory.

#patch -p1 < PATCHFILE
#make setup check

Replace PATCHFILE with the name of the patch file you downloaded.

Installing Qmail-Scanner

We are now ready to install Qmail-Scanner. Download the latest source of Qmail-Scanner. As of the writing of this HOWTO, it is 1.20.

Create a user for Qmail-Scanner to run as.

#groupadd qscand
#useradd qscand -g qscand -c "qmail scanner" -s /nonexistent

Unpack the tar ball and change to the Qmail-Scanner directory.

#tar -zxvf qmail-scanner-1.20.tar.gz
#cd qmail-scanner-1.20

Run Configure to autodetect what software is installed on your system. Review the output to make sure it is correct. It should look similar to this:

#./configure

This script will search your system for the virus scanners it knows
about, and will ensure that all external programs
qmail-scanner-queue.pl uses are explicitly pathed for performance
reasons.

It will then generate qmail-scanner-queue.pl - it is up to you to install it
correctly.

Continue? ([Y]/N)

Found tnef on your system! That means we'll be able to decode stupid
M$ attachments :-)


The following binaries and scanners were found on your system:

mimeunpacker=/usr/local/bin/reformime
unzip=/usr/bin/unzip
tnef=/usr/local/bin/tnef

Content/Virus Scanners installed on your System

clamuko=/usr/local/bin/clamdscan (which means clamscan won't be used as clamdscan is better)

Qmail-Scanner details.

log-details=0
fix-mime=1
debug=1
notify=sender,admin
redundant-scanning=no
virus-admin=root@mail  (substitute your domain here)
local-domains='mail'  (substitute your domain here)
silent-viruses='klez','bugbear','hybris','yaha','braid','nimda','tanatos','sobig','winevar','palyh','fizzer','gibe','cailont','lovelorn','swen','dumaru','sober','hawaii','holar-i'
scanners="clamuko_scanner"

If that looks correct, I will now generate qmail-scanner-queue.pl
for your system...
Continue? ([Y]/N)

Now type:

#./configure --install

This installs qmail-scanner-queue.pl and creates the necessary directory structure. You should see messages similar to the ones before. Once again, read the output of the script to make sure everything is correct. If it is, press ENTER to install Qmail-Scanner.

If Qmail-Scanner has been installed successfully, you should now see qmail-scanner-queue.pl in /var/qmail/bin.

#ls /var/qmail/bin
/var/qmail/bin/qmail-scanner-queue.pl



Ownership

In order for Qmail-Scanner to be able to use ClamAV, some of the ClamAV ownerships must be changed. Recall that we made a clamav user to run ClamAV and then changed the permissions so only the clamav user could run it. Now we need to give the qscand user the privileges to use ClamAV. First, change the ownership of the clamd supervise directories.

#chown -R qscand /usr/local/clamav/supervise

Now change the ownership of the ClamAV log file:

#chown -R qscand /var/log/clamd


Testing

Now test Qmail-Scanner:

#./contrib/test_installation.sh -doit
Sending standard test message - no viruses...done!
Sending eicar test virus - should be caught by perlscanner module...
done!
Sending eicar test virus with altered filename - should only be caught
by commercial anti-virus modules (if you have any)...

Now check the e-mail for your postmaster alias account.

You should now have 4 email messages in your postmaster's mailbox.

If you do not have the 4 messages in the postmaster's mailbox:

Verify that you are checking the proper mailbox.

Re-execute the configure script for qmail-scanner-queue.pl. Verify that the 'virus-admin' from the script output is the same as your qmail postmaster alias.

Check qmail to see if the messages are in the queue. If they are try issuing a 'qmailctl' flush command to force delivery.


Configuring qmail to Use qmail-scanner-queue.pl


Changing Your Tcp Rules

Once everything is installed, configured, and successfully tested, configure qmail to use Qmail-Scanner and ClamAV. If you have followed the instructions in Dave Sill's Life with qmail (see Appendix A: Reading Resources), you should have a tcp.smtp file in your /etc directory. Edit the tcp.smtp file to include the QMAILQUEUE variable.

#vi /etc/tcp.smtp

127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
10.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"


IMP NOTE: many sites show

:allow.QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"

which is wrong (a dot instead of the comma that separates the allow instruction from the variable). The correct line is

:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"

As you can see, we use qmail-queue for all local deliveries by setting the QMAILQUEUE variable to the original qmail-queue. We then set the local subnet deliveries to use qmail-scanner-queue.pl, so all local subnet SMTP traffic is scanned by Qmail-Scanner and ClamAV. The last line of this file scans all inbound email.

After adding the QMAILQUEUE variables, you must rebuild the cdb file for Qmail.
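A rule that never sets QMAILQUEUE leaves qmail-smtpd calling the stock qmail-queue, so a slip like the dot in ":allow.QMAILQUEUE" quietly delivers mail unscanned. The following added example (not from the HOWTO, qmail or ucspi-tcp) checks every rule in tcp.smtp before the cdb is rebuilt: the instruction must be exactly allow or deny, each following field must be a NAME="value" assignment, and QMAILQUEUE may only point at qmail-queue or qmail-scanner-queue.pl. The rebuild step assumes tcprules is in /usr/local/bin and the cdb is /etc/tcp.smtp.cdb, as in Life with qmail; the sample rule files are constructed.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: lint /etc/tcp.smtp before
# rebuilding the cdb so a malformed QMAILQUEUE assignment cannot silently
# bypass Qmail-Scanner. Assumptions (not on the page): tcprules path and
# cdb path as used in Life with qmail.

# check_tcp_smtp FILE
# Prints one diagnostic per bad rule; returns 0 if every rule is well
# formed, 1 otherwise. A rule is "addr:allow" or "addr:deny", optionally
# followed by ,NAME="value" pairs (values containing commas are not handled).
check_tcp_smtp() {
    awk '
        BEGIN { rc = 0 }
        function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; rc = 1 }
        /^[ \t]*#/ { next }                     # comment
        /^[ \t]*$/ { next }                     # blank line
        {
            if (index($0, ":") == 0) { bad("missing address:instruction separator"); next }
            rest = substr($0, index($0, ":") + 1)
            n = split(rest, f, ",")
            if (f[1] != "allow" && f[1] != "deny") {
                bad("instruction must be allow or deny, got \"" f[1] "\""); next
            }
            for (i = 2; i <= n; i++) {
                if (f[i] !~ /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"$/) {
                    bad("not a NAME=\"value\" assignment: " f[i]); next
                }
                if (f[i] ~ /^QMAILQUEUE=/) {
                    path = substr(f[i], 12); gsub(/"/, "", path)
                    if (path !~ /^\/var\/qmail\/bin\/qmail-(queue|scanner-queue\.pl)$/)
                        bad("unexpected QMAILQUEUE target " path)
                }
            }
        }
        END { exit rc }
    ' "$1"
}

# rebuild_tcp_smtp_cdb FILE CDB
# Rebuilds CDB from FILE only after the check passes. tcprules writes the
# temporary file and renames it, so qmail-smtpd never reads a half-written cdb.
rebuild_tcp_smtp_cdb() {
    check_tcp_smtp "$1" || { echo "refusing to rebuild $2: fix $1 first" >&2; return 1; }
    /usr/local/bin/tcprules "$2" "$2.tmp" < "$1"
}

# Constructed sample rule files (not real configuration).
SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp)
printf '%s\n' \
  '127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue"' \
  '10.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"' \
  ':allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"' > "$SAMPLE_GOOD"
printf '%s\n' ':allow.QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"' > "$SAMPLE_BAD"
check_tcp_smtp "$SAMPLE_GOOD" && echo "sample good file: ok"
check_tcp_smtp "$SAMPLE_BAD" || echo "sample bad file: rejected"
# On the real box: rebuild_tcp_smtp_cdb /etc/tcp.smtp /etc/tcp.smtp.cdb
```

The target check is deliberately a whitelist of the two queue programs this HOWTO uses; if you later add another QMAILQUEUE front end, extend the pattern rather than loosening it.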


Increasing Your Softlimit

If you try to send an email message, you will most likely receive an error from your client. The error message will say something that includes this:

451 qq temporary problem (#4.3.0)

If you followed Life with qmail, then you have a memory limit set in the /var/qmail/supervise/qmail-smtpd/run file. Look for the line that contains softlimit. It should look similar to this:

exec /usr/local/bin/softlimit -m 2000000 \



That's it, you are done with the installation!

Qmail-Scanner and ClamAV will now run successfully!
