[personal profile] yesthattom
This morning I was getting hundreds of copies of the latest email virus. So I decided to install a server-based virus scanner on whatexit.org.

Rather than do extensive research, I installed what we use at work: postfix + Amavis-new + NAI's McAfee "command-line virus scanner for Solaris". I already use postfix, so how difficult could it be?

I was surprised how easy it was, even on Solaris. (The most difficult part, Amavis-new, installs on FreeBSD by doing "cd /usr/ports/security/amavisd-new && make install", which pulls in all the Perl CPAN modules for you. Since there is no equivalent on Solaris, I was nervous. It turned out not to be so bad.)


What does each of these pieces do?

Postfix (http://www.postfix.org) is a replacement for Sendmail that, as most of you know, I'm quite in love with. I was a beta tester when it was still an unnamed project. It's now grown quite the following. The 2.x releases have added content filtering. You can configure it and say, "Hey, for every message that comes through the system, run this program on it. Watch the program to see if it tells you to REJECT, HOLD, or PASS the message." Since they've added this feature, adding spam filters and virus checkers has gotten much easier.

Amavis-new is, well, the second generation of amavis. (I hope the next release isn't called "amavis-new-new". Why are people in the open source community so afraid to call things 2.0 when forking a tree from the original author? Anyway...) Amavis-new takes a mail message and splits it out into its individual attachments. If any of the attachments are ZIPs, tars, etc., the archive is unpacked into its component pieces. It then runs external spam checkers, virus checkers, and (potentially) other programs on each piece. If any of them flag the message as spam or virus-infected, Amavis-new takes action. It can insert headers to indicate the results (so your users can use mail filters to decide what to do), it can put the message in a quarantine area, it can send a notification back to the sender (this is NOT recommended: the sender address on virus mail is almost always forged, so you would only be bombarding an innocent third party), or it can silently delete the message. You can set up different policies for spam vs. viruses (in fact, you have to). Amavis-new is written in Perl and runs as a daemon, so you only pay the startup penalty once.

NAI's McAfee "command-line virus scanner for Solaris" is a real product. As part of the pro-Microsoft conspiracy they don't admit it unless you know exactly what to ask for. Luckily, I found it by going to http://www.nai.com then "Try Products" then scrolling down to "McAfee VirusScan Command Line Scanner for Solaris". Ok, that wasn't too difficult. The install script is very well-written. In fact, if you install it somewhere besides the default, it offers to make symlinks so that it appears in the default location just in case. Very nice. Oh, and I have a script that updates the virus dictionary (.dat file) that it uses. It downloads the README.txt, parses it to find out the current DAT-xxxx.zip filename, and gets that file. If the file is newer than the current one, it installs it. Pretty cool. I have a free 30-day licence, which doesn't seem to be enforced in software. In a month I'll see how much money I have and purchase a licence.
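The update script itself isn't in the post. What follows is an added example of the same logic (not the post's own update_dat script): pull the current DAT-xxxx.zip name out of README.txt, compare it with what is installed, and fetch and install only when it is newer. DAT_DIR, DAT_URL_BASE, the DAT-VERSION marker file, the use of wget and unzip, and the README layout are all assumptions made for this example; the README excerpt written by sample_readme is constructed, not NAI's.

```shell
#!/bin/sh
# Added example, not the post's own update_dat script. Assumptions: DAT_DIR holds
# the scanner's .dat files, DAT_URL_BASE is the directory the DAT zips live in,
# DAT_DIR/DAT-VERSION records the last version we installed, and wget/unzip exist.
DAT_DIR="${DAT_DIR:-/usr/local/uvscan}"

# Highest DAT number mentioned anywhere in the README at $1 (empty if none).
# Taking the maximum rather than the first match avoids assuming the README's layout.
latest_dat_version() {
    sed -n 's/.*DAT-\([0-9][0-9]*\)\.zip.*/\1/p' "$1" | sort -n | tail -n 1
}

# Version recorded by the last successful install; 0 when nothing is recorded yet.
installed_dat_version() {
    if [ -f "$DAT_DIR/DAT-VERSION" ]; then cat "$DAT_DIR/DAT-VERSION"; else echo 0; fi
}

# Print the version to install, or nothing when we are already current.
# Returns 2 when the README names no DAT at all: that is "do nothing", not "up to date".
check_dat_update() {
    new=$(latest_dat_version "$1")
    [ -n "$new" ] || return 2
    cur=$(installed_dat_version)
    if [ "$new" -gt "$cur" ]; then echo "$new"; fi
}

# Fetch DAT-<ver>.zip, refuse a truncated or corrupt archive, install, and only
# then record the version so a failed install is retried next run.
install_dat() {
    ver="$1"; file="DAT-$ver.zip"
    base="${DAT_URL_BASE:?set to the directory that holds the DAT zips}"
    stage=$(mktemp -d) || return 1
    wget -q -O "$stage/$file" "$base/$file" || return 1
    unzip -tq "$stage/$file" >/dev/null || return 1       # integrity test of the archive
    mkdir "$stage/new" && unzip -oq "$stage/$file" -d "$stage/new" || return 1
    cp "$stage"/new/* "$DAT_DIR/" || return 1
    echo "$ver" > "$DAT_DIR/DAT-VERSION"
    rm -rf "$stage"
}

# Constructed README (not NAI's file) in the shape this script expects; written to $1.
sample_readme() {
    cat > "$1" <<'EOF'
McAfee VirusScan DAT files (constructed sample for this example, not NAI's README)
Current package : DAT-4293.zip   (released 2003-09-17)
Previous package: DAT-4292.zip
EOF
}

# Usage from cron, once a day:  DAT_URL_BASE=... sh update_dat.sh run
if [ "${1:-}" = run ]; then
    readme=$(mktemp) || exit 1
    wget -q -O "$readme" "${DAT_URL_BASE:?}/README.txt" || exit 1
    if ver=$(check_dat_update "$readme"); then
        [ -n "$ver" ] && install_dat "$ver"
    else
        echo "no DAT package named in README.txt" >&2
    fi
    rm -f "$readme"
fi
```

The DAT-VERSION marker is the script's own bookkeeping, written only after a successful unpack, so an interrupted run is simply retried the next day rather than leaving the scanner on old signatures while the script believes it is current. Note that the download itself is unauthenticated (plain HTTP or FTP, as NAI served it then); the unzip -t check catches a broken transfer, not a tampered one.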


How do the pieces fit together?

Amavis is a daemon that listens on port 10024 of 127.0.0.1. It receives email via SMTP or LMTP and queues it. It then processes the message and sends the (possibly modified) message back out, via SMTP, to whatever is listening on port 10025.

Postfix is configured to hand every message to port 10024, and to listen on port 10025 for the scanned message coming back. Pretty cool, huh?

The change to Postfix is two service entries added to /etc/postfix/master.cf (the smtp-amavis client that feeds port 10024, and an smtpd listening on 127.0.0.1:10025 that takes the mail back) and the addition of "content_filter = smtp-amavis:[127.0.0.1]:10024" to /etc/postfix/main.cf, followed by a "postfix reload". If something goes wrong you can remove that one line in main.cf (and reload again) to let email through untouched.

I added a cron job to run my update_dat script every day, and I created an /etc/rc3.d/S99amavisd script to start the daemon.
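The Postfix side of the hookup described above, written out as an added example (not the post's own master.cf/main.cf, which are not shown). POSTFIX_DIR is an assumption so the script can be tried against a scratch copy first; the master.cf entries follow the amavisd-new README's Postfix recipe. The one thing to get right is the empty "-o content_filter=" override on the 10025 listener: without it the re-injected message inherits main.cf's content_filter and goes back to amavisd forever.

```shell
#!/bin/sh
# Added example, not the post's own configuration. POSTFIX_DIR is assumed so the
# functions can be exercised on a temporary copy before touching /etc/postfix.
POSTFIX_DIR="${POSTFIX_DIR:-/etc/postfix}"

# Two master.cf services: the smtp client that hands mail to amavisd on 10024,
# and the smtpd on 10025 that receives the scanned copy. The empty content_filter
# override on the listener is what prevents a filter loop. Continuation lines
# must be indented, as in any master.cf entry.
AMAVIS_MASTER_CF='# amavisd-new hookup
smtp-amavis unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n    -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
'

# Set content_filter in main.cf, replacing any earlier setting (safe to re-run).
enable_filter() {
    f="$POSTFIX_DIR/main.cf"
    { grep -v '^content_filter' "$f" || :; } > "$f.tmp"
    echo 'content_filter = smtp-amavis:[127.0.0.1]:10024' >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# The one-line rollback the post mentions: drop content_filter so mail flows untouched.
disable_filter() {
    f="$POSTFIX_DIR/main.cf"
    { grep -v '^content_filter' "$f" || :; } > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Append the two services once; a second run is a no-op.
add_amavis_services() {
    f="$POSTFIX_DIR/master.cf"
    if ! grep -q '^smtp-amavis' "$f"; then
        printf '%s' "$AMAVIS_MASTER_CF" >> "$f"
    fi
}

# Sanity check before reloading: the 10025 listener must carry an empty
# content_filter override, otherwise every scanned message loops back to amavisd.
check_no_filter_loop() {
    awk '
        /^127\.0\.0\.1:10025[[:space:]]/ { in_block = 1; next }
        /^[^[:space:]#]/                 { in_block = 0 }
        in_block && /^[[:space:]]+-o[[:space:]]+content_filter=[[:space:]]*$/ { found = 1 }
        END { exit !found }
    ' "$POSTFIX_DIR/master.cf"
}

# Usage: POSTFIX_DIR=/tmp/pf sh amavis-hookup.sh install   (then diff against /etc/postfix)
if [ "${1:-}" = install ]; then
    add_amavis_services && enable_filter && check_no_filter_loop \
        && echo "done; now run: postfix reload" \
        || { echo "configuration check failed" >&2; exit 1; }
fi
```

On the amavisd-new side the matching knobs in amavisd.conf are $inet_socket_port = 10024; and $forward_method = 'smtp:[127.0.0.1]:10025';. Both ends bind to 127.0.0.1 only, so nothing outside the box can inject mail into the post-scan path; keep it that way, since the 10025 listener deliberately has its restrictions cleared.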

In the first 5 minutes of using this new system it trapped 10 (TEN!!) virus-infected emails. TEN!!


I'm sorry I delayed this long in setting all this up. It runs really well, doesn't slow things down too much, and is very effective. Every UNIX mail server should be running this stuff.

I'll check it out...

Date: 2003-09-20 03:44 pm (UTC)
From: [identity profile] happypete.livejournal.com
Right now I'm running sendmail + mimedefang (which uses SpamAssassin and a virus scanner, if available, out of the box).

It works reasonably well, except that lately more spams are getting through the filter... one thing I haven't found is a way to use the Bayesian filtering with false-positive and false-negative training stimulus from another box (for reasons too arcane to go into, our home e-mail lands on an MS Exchange Server where our actual inboxes are).

Bayesian filtering is the way to go for actual content filtering (as opposed to true signature-matched virus scanning).

Date: 2003-09-20 05:59 pm (UTC)
From: [identity profile] qwrrty.livejournal.com
The 2.x releases have added content filtering.

O frabjous day! This is exactly what I wanted to hear!

Date: 2003-09-23 07:48 am (UTC)
From: [personal profile] beowabbit
I poked around (a bit casually, I admit) at www.nai.com, and didn't see pricing for the "command-line virus scanner for Solaris", or a link to buy it (although I did see the link to download it). Do you have a link handy?
