Several content-filtering daemons that call SpamAssassin are available for qmail. This section provides a complete sample installation of qmail-scanner, a particularly flexible filter that supports both spam-checking and virus-checking. qmail-scanner is written in Perl and available at http://qmail-scanner.sourceforge.net/. The version used in this section's example is 1.21. Some of qmail-scanner's features include:
The rest of this chapter details the installation, configuration, and operation of qmail-scanner as an example of a full-scale approach to using SpamAssassin with qmail. qmail-scanner's other functions, such as virus-checking, are mentioned but not covered in detail; read the documentation to learn more about these features.
qmail-scanner is written in Perl and invokes SpamAssassin by running spamc, so you must run spamd to use qmail-scanner. You should set up spamd before you install qmail-scanner. Install SpamAssassin (and your antivirus software) first, then install qmail-scanner. qmail-scanner also requires some other Perl modules, including Time::HiRes, DB_File, and Sys::Syslog. You can install these Perl modules using CPAN as described in Chapter 2. You must also install the Maildrop software package (http://www.courier-mta.org/download.php), and if you plan to perform virus-checking, TNEF (http://sourceforge.net/projects/tnef/).
Begin the install process by creating a new user account and group for running qmail-scanner; the usual name for both the user and group is qscand. The new user will own qmail-scanner's files, and the user (or group) must have access to SpamAssassin's configuration and database files as well. The user's home directory is traditionally /home/qscand, but you can create it anywhere that fits your system's needs.
qmail-scanner uses several important directories and files in /var/spool/qmailscan. For example, quarantined messages are stored in /var/spool/qmailscan/quarantine, and qmail-scanner logs its operations in /var/spool/qmailscan/qmail-queue.log. The directories /var/spool/qmailscan/tmp and /var/spool/qmailscan/working are temporary directories used for unpacking and processing messages. For optimal performance, these directories should be on a fast disk, even a RAM disk if your operating system supports it and you have enough memory to spare. In contrast, the quarantine directory should never be located on a RAM disk because you will often want to be sure that you can access quarantined files.
Next, download the qmail-scanner source code, unpack it, and build it. You must be root to configure and build qmail-scanner. The qmail-scanner build process uses the familiar configure command to configure and build qmail-scanner's components, which you then install.
To configure qmail-scanner, use the commands shown in Example 7-1. The example also reproduces the output you should expect.
Example 7-1. Building qmail-scanner
    $ tar xfz qmail-scanner-1.21.tar.gz
    $ cd qmail-scanner-1.21
    $ su
    Password: XXXXXXXX
    # ./configure --install
    Building Qmail-Scanner 1.21...
    This script will search your system for the virus scanners it knows about, and will ensure that all external programs qmail-scanner-queue.pl uses are explicitly pathed for performance reasons.
    It will then generate qmail-scanner-queue.pl - it is up to you to install it correctly.
    Continue? ([Y]/N) Y
    /usr/bin/uudecode works as expected on system...
    The following binaries and scanners were found on your system:
    mimeunpacker=/usr/local/bin/reformime
    uudecode=/usr/bin/uudecode
    unzip=/usr/bin/unzip
    Content/Virus Scanners installed on your System
    fprot=/usr/local/bin/f-prot
    fast_spamassassin=/usr/local/bin/spamc
    Qmail-Scanner details.
    log-details=0
    fix-mime=2
    ignore-eol-check=0
    debug=1
    notify=psender,nmlvadm
    redundant-scanning=no
    email@example.com
    local-domains='example.com'
    silent-viruses='klez','bugbear','hybris','yaha','braid','nimda','tanatos','sobig','winevar','palyh','fizzer','gibe','cailont','lovelorn','swen','dumaru','sober','hawawi','holar-i','mimail','poffer','bagle','worm.galil','mydoom','worm.sco','tanx','novarg','@mm'
    scanners="fprot_scanner","fast_spamassassin"
    If that looks correct, I will now generate qmail-scanner-queue.pl for your system...
    Continue? ([Y]/N) Y
    Finished. Please read README(.html) and then go over the script to check paths/etc, and then install as you see fit.
    Remember to copy quarantine-attachments.txt to /var/spool/qmailscan and then run "qmail-scanner-queue.pl -g" to generate DB version.
    ****** FINAL TEST ******
    Please log into an unpriviledged account and run /var/qmail/bin/qmail-scanner-queue.pl -g
    If you see the error "Can't do setuid", or "Permission denied", then refer to the FAQ.
    (e.g. "setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g")
    That's it! To report success:
    % (echo 'First M. Last'; cat SYSDEF)|mail firstname.lastname@example.org
    Replace First M. Last with your name.
As with qmail-spamc, ensure that qmail-smtpd has enough memory available to allow it to run qmail-scanner-queue.pl, any virus checkers you have configured, and spamc. Edit /var/qmail/supervise/qmail-smtpd/run and modify the -m and/or -a arguments of softlimit to increase the number of bytes available to qmail-smtpd and its child processes to an amount sufficient to allow all of the processes to execute completely on a large message.
To enable qmail-scanner, edit /etc/tcp.smtp. Add or modify lines such as those shown in bold:
    127.:allow,RELAYCLIENT=""
    192.168.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
    10.:allow,RELAYCLIENT="",QS_SPAMASSASSIN="on",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
    :allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
When you invoke qmail-scanner with qmail's RELAYCLIENT variable set, as in the line for connections from the 192.168/16 network, only virus-checking is performed, unless you also include QS_SPAMASSASSIN="on", as in the line for connections from the 10/8 network. When you invoke it without setting RELAYCLIENT, as in the line for default connections, both virus-checking and spam-checking are performed.
Be sure to run /var/qmail/bin/qmailctl cdb after updating /etc/tcp.smtp.
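The rule semantics described above can be checked mechanically before the file goes live. The following shell functions are an added example, not part of qmail-scanner or the original text; they read tcp.smtp rules and report which checks each source network receives. The function names and the labels they print are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which qmail-scanner checks each tcp.smtp rule triggers.
# Assumes IPv4-style rules, so the first ":" ends the address part.

# Constructed sample input: the four rules shown in this section.
sample_tcp_smtp() {
    cat <<'EOF'
127.:allow,RELAYCLIENT=""
192.168.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
10.:allow,RELAYCLIENT="",QS_SPAMASSASSIN="on",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
EOF
}

# Reads tcp.smtp rules on stdin; prints "<address-prefix> <checks>" per rule.
audit_tcp_smtp() {
    awk '
    /^#/ || /^[ ]*$/ { next }            # skip comments and blank lines
    {
        i = index($0, ":")
        if (i == 0) next
        addr = substr($0, 1, i - 1)
        rest = substr($0, i + 1)
        if (addr == "") addr = "default"
        if (rest ~ /^deny/)
            checks = "deny"
        else if (rest !~ /QMAILQUEUE="[^"]*qmail-scanner-queue\.pl"/)
            checks = "unscanned"         # mail bypasses qmail-scanner entirely
        else if (rest ~ /RELAYCLIENT=/ && rest !~ /QS_SPAMASSASSIN="on"/)
            checks = "virus-only"
        else
            checks = "virus+spam"
        print addr, checks
    }'
}

# Exit status 0 only if the catch-all rule gets both checks.
default_rule_fully_scanned() {
    audit_tcp_smtp | grep -qx 'default virus+spam'
}

sample_tcp_smtp | audit_tcp_smtp
```

With the rules from this section, the 127. rule is reported as unscanned because it sets no QMAILQUEUE at all.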
The first time you install qmail-scanner, you must direct it to initialize its databases. As the qscand user, run these commands:
    $ /var/qmail/bin/qmail-scanner-queue.pl -z
    $ /var/qmail/bin/qmail-scanner-queue.pl -g
    perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt
    perlscanner: total of 9 entries.
7.4.3 Basic Operations
qmail-scanner comes with a shell script called test_installation.sh that can be used to exercise an installation. Example 7-2 shows how to run the script, along with its output.
Example 7-2. Testing qmail-scanner
    # cd contrib
    # QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" ./test_installation.sh -doit
    Sending standard test message - no viruses... done!
    Sending eicar test virus - should be caught by perlscanner module... done!
    Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)...
    Sending bad spam message for anti-spam testing - In case you are using SpamAssassin...
    Done!
    Finished test. Now go and check Email for root
If qmail-scanner's spam-checking is operating properly, root (or the user that receives root's email) should receive a non-spam message like this:
    From MAILER-DAEMON Tue Mar 23 05:03:28 2004
    From: Qmail-Scanner Test <email@example.com>
    Received: from by example.com by uid 0 with qmail-scanner-1.21
     (f-prot: 3.11/. spamassassin: 2.63. Clear:RC:1(127.0.0.1):SA:0(0.0/5.0): .
     Processed in 5.577981 secs); 23 Mar 2004 05:03:28 -0000
    To: Root Account <firstname.lastname@example.org>
    Subject: Qmail-Scanner test (1/4): inoffensive message
    Date: 23 Mar 2004 05:03:22 -0000
    Delivered-To: email@example.com
    X-Spam-Status: No, hits=0.0 required=5.0

    Message 1/4

    This is a test message. It should arrive unaffected.
The same user should also receive a spam message like this:
    From MAILER-DAEMON Tue Mar 23 05:03:41 2004
    Received: from by example.com by uid 0 with qmail-scanner-1.21
     (f-prot: 3.11/. spamassassin: 2.63. Clear:RC:1(127.0.0.1):SA:1(16.7/5.0): .
     Processed in 5.129358 secs); 23 Mar 2004 05:03:40 -0000
    X-Spam-Status: Yes, hits=16.7 required=5.0
    X-Spam-Level: ++++++++++++++++
    Delivery-Date: Mon, 19 Feb 2001 13:57:29 +0000
    Delivered-To: firstname.lastname@example.org
    Received: from webnote.net (mail.webnote.net [18.104.22.168])
     by mail.netnoteinc.com (Postfix) with ESMTP id 09C18114095
     for <email@example.com>; Mon, 19 Feb 2001 13:57:29 +0000 (GMT)
    Received: from netsvr.Internet (USR-157-050.dr.cgocable.ca [22.214.171.124] (may
    +be forged)) by webnote.net (8.9.3/8.9.3) with ESMTP id IAA29903
     for <firstname.lastname@example.org>; Sun, 18 Feb 2001 08:28:16 GMT
    From: email@example.com
    Received: from R00UqS18S (max1-45.losangeles.corecomm.net [126.96.36.199]) by
    +netsvr.Internet with SMTP (Microsoft Exchange Internet Mail Service Version
    +5.5.2653.13) id 1429NTL5; Sun, 18 Feb 2001 03:26:12 -0500
    DATE: 18 Feb 01 12:29:13 AM
    Message-ID: <9PS291LhupY>
    Subject: Qmail-Scanner anti-spam test (4/4): checking SpamAssassin [if present]
    +(There yours for FREE!)
    To: undisclosed-recipients: ;

    Congratulations! You have been selected to receive 2 FREE 2 Day VIP Passes to Universal Studios!
    Click here http://188.8.131.52
    As an added bonus you will also be registered to receive vacations discounted 25%- 75%!
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    This mailing is done by an independent marketing co. We apologize if this message has reached you in error.
    Save the Planet, Save the Trees! Advertise via E mail. No wasted paper! Delete with one simple keystroke! Less refuse in our Dumps! This is the new way of the new millennium
    To be removed please reply back with the word "remove" in the subject line.
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Note the bold lines in the messages. These are headers demonstrating that the messages were processed by qmail-scanner, and in the case of the spam message, that qmail-scanner can recognize spam.
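One way to check those headers on delivered mail, as an added example that is not part of qmail-scanner or the original text: the function below reads a message and summarises the first qmail-scanner stamp in its headers. The function names and the reading of the SA:<flag>(<score>/<threshold>) field are assumptions inferred from the two sample messages above.

```shell
#!/bin/sh
# Added example: summarise the qmail-scanner stamp in a delivered message.
# The SA:<flag>(<score>/<threshold>) reading is inferred from the two sample
# messages in this section, not taken from the qmail-scanner documentation.

# Constructed sample: headers abridged from the spam test message above.
sample_spam_msg() {
    cat <<'EOF'
Received: from by example.com by uid 0 with qmail-scanner-1.21
 (f-prot: 3.11/. spamassassin: 2.63. Clear:RC:1(127.0.0.1):SA:1(16.7/5.0): .
 Processed in 5.129358 secs); 23 Mar 2004 05:03:40 -0000
X-Spam-Status: Yes, hits=16.7 required=5.0
Subject: Qmail-Scanner anti-spam test (4/4)

Congratulations!
EOF
}

# Reads one message on stdin; prints "<version> <spam|clean> <score> <threshold>",
# "<version> no-spam-check", or "unscanned".
qs_verdict() {
    awk '
    /^$/ { exit }                        # headers end at the first blank line
    { hdr = hdr " " $0 }                 # join folded header lines
    END {
        # Take the first stamp only: Received lines further down arrived
        # with the message and were not written by this gateway.
        if (!match(hdr, /with qmail-scanner-[0-9][0-9.]*/)) {
            print "unscanned"; exit
        }
        ver  = substr(hdr, RSTART + 19, RLENGTH - 19)
        rest = substr(hdr, RSTART)
        semi = index(rest, ";")          # the stamp ends before the date
        if (semi) rest = substr(rest, 1, semi - 1)
        if (!match(rest, /SA:[01]\([0-9.]+\/[0-9.]+\)/)) {
            print ver, "no-spam-check"; exit
        }
        sa = substr(rest, RSTART + 3, RLENGTH - 3)     # e.g. 1(16.7/5.0)
        split(substr(sa, 3, length(sa) - 3), n, "/")
        print ver, (substr(sa, 1, 1) == "1" ? "spam" : "clean"), n[1], n[2]
    }'
}

sample_spam_msg | qs_verdict
```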
qmail-scanner uses /var/spool/qmailscan as a working directory and quarantine area for viruses. By default, qmail-scanner's operations are logged to the /var/spool/qmailscan/qmail-queue.log file, which should be added to your log rotation schedule. Errors are also reported to qmail's log files.
When an SMTP session is dropped partway, temporary files may remain in /var/spool/qmailscan. These messages can be cleared out by running /var/qmail/bin/qmail-scanner-queue.pl -z. Set up a cron job to execute this command once a day to delete older files in this directory.
7.4.4 Per-User Spam Preferences
qmail-scanner invokes spamc with the -u recipient argument when a message has a single recipient. Accordingly, in this case, per-user spam-checking preferences (either from users' .spamassassin/user_prefs files or from an SQL or LDAP database if spamd is so configured) will be applied when qmail-scanner checks messages. When a message has multiple recipients, qmail-scanner uses the default preferences.
Although there is no way to configure qmail to force senders to send messages with one recipient at a time, qmail itself always breaks up a multirecipient message when it is sending and sends copies of the message to single recipients. Ron Culler pointed out in a December 2003 message to the qmail-scanner-general mailing list that one way to ensure that every message has only a single recipient is to run a pair of qmail gateways. The first gateway receives messages from the Internet and can perform some general scanning (e.g., refusing viruses) before forwarding messages on to the second gateway for spam-checking. Because the first qmail server will always split up multirecipient messages before sending them, the second qmail server will always receive messages with a single recipient and can apply per-user spam preferences.
7.4.5 Sitewide Bayesian Filtering
You can easily add sitewide Bayesian filtering to qmail-scanner. Use the usual SpamAssassin use_bayes and bayes_path directives in local.cf, and ensure that the spamd user has permission to create the databases in the directory named in bayes_path.
7.4.6 Sitewide Autowhitelisting
Adding autowhitelisting is just as easy. Add the usual SpamAssassin auto_whitelist_path directive to local.cf, and if you're using SpamAssassin 2.63, invoke spamd with the --auto-whitelist option (which is unnecessary in SpamAssassin 3.0). As with the Bayesian databases, the spamd user must have permission to create the autowhitelist database and read and write to it.
7.4.7 Routing Email Through the Gateway
Once you have qmail and qmail-scanner receiving messages for the local host and performing SpamAssassin checks on them, you can start accepting email for your domain and routing it to an internal mail server after spam-checking. Figure 7-3 illustrates this topology.
Figure 7-3. Spam-checking gateway topology
The following sections describe the changes you need to make to implement the topology shown in Figure 7-3.
7.4.7.1 qmail changes
To configure qmail to relay incoming mail for example.com to internal.example.com, add the following line to /var/qmail/control/rcpthosts:
Then, create the /var/qmail/control/smtproutes file, and add either:
or, if mail.example.com can look up an (internal) MX record for example.com that points to internal.example.com (and possibly other internal mail servers), you could use
7.4.7.2 Routing changes
Mail from the Internet for example.com should be sent to the spam-checking gateway mail.example.com. Add a DNS MX record for the example.com domain that points to mail.example.com.
Once received by mail.example.com, messages will be spam-checked and should then be relayed to internal.example.com by qmail. No DNS records for internal.example.com need be published to the Internet, but it's necessary that mail.example.com can resolve internal.example.com.
7.4.7.3 Internal server configuration
Once the external mail gateway is in place, you can configure the internal mail server to accept SMTP connections only from the gateway (for incoming Internet mail). If you don't have a separate server for outgoing mail, the internal mail server should also accept SMTP connections from hosts on the internal network. These restrictions are usually enforced by limiting access to TCP port 25 using a host-based firewall or a packet-filtering router.