Debian + exim4 + spamassassin + f-prot HOWTO
--------------------------------------------

//////////////////////////////////////////////////////////////////////////////
// If the information in this HOWTO is misleading, inaccurate, unclear
// or just plain wrong, please tell me about it!
//////////////////////////////////////////////////////////////////////////////

The latest version of this HOWTO can be found at:

  http://www.clues.ltd.uk/howto/debian-sa-fprot-HOWTO.txt

This howto assumes:

- You are running Debian and are on the "unstable" branch.
- You have installed exim4 and set it up for your needs.
- You have a suitable licence for F-Prot.

Where lines of text have been wrapped for clarity, I've used the usual '\'
indicator.


Spamassassin
------------

You can set up spamassassin with exim4 so that it either tags spam as it
passes through the mail server, or rejects mail that it considers to be
spam. This howto assumes the latter, though the method of installation is
identical in both cases.

You will need to install the following packages:

  spamassassin
  spamc
  exim4-daemon-heavy

The latter should cleanly install over any other exim4 setup.

You also need to install Marc Merlin's sa-exim package, available here:

  http://marc.merlins.org/linux/exim/files/debian/sa-exim_3.1-2_i386.deb

Once installed, you need to configure your system to start spamd on boot.
There are lots of ways of doing this; I did so by hooking it into the network
startup scripts. In your 'up' script for whichever interface the mail server
is listening on, simply add the line '/usr/sbin/spamd -d'. This works for me
because I only have one network card in this particular box. Adding it to
your init.d may be a better option.

Next you will need to tailor /etc/exim4/sa-exim.conf to your needs. Key
variables to be aware of are:

  SAEximDebug  - You most likely want this set to '1' until things are
                 working.
  SAteergrube  - You probably don't want this set. If you don't know what
                 teergrubing is then you _definitely_ don't want this set.
  SApermreject - This is the threshold value at which spam will be rejected.

By default, exim4 will now be running as the user 'Debian-exim'. If you want
sa-exim to archive copies of any mail rejected then you will need to create,
and set the right ownership and permissions for, the various directories
mentioned in sa-exim.conf.

Restart exim and check the logs; you should start seeing entries like this as
mail comes in:

2004-01-18 07:15:35 1Ai79e-0000Dq-8i F=uzwltcmwto24@melissacam.biz \
  H=lsanca1-ar3-4-47-028-040.lsanca1.elnk.dsl.genuity.net [4.47.28.40] \
  P=smtp rejected by local_scan(): Rejected: hits=7.5 required=5.0 trigger=5.0

2004-01-18 10:46:29 1AiARo-00015M-IM SA: Action: scanned but message isn't spam: \
  hits=0.0 required=5.0 (scanned in 1/1 secs | \
  Message-Id: 20040118104629.02DECDC230@postel.clues.ltd.uk). From \
  (host=postel.clues.ltd.uk [217.158.168.148]) for martin@hinterlands.org

Other than the permissions problem mentioned above, this worked "out of the
box" for me. The only exception was a log entry where the "1/1 secs" figure
was replaced with "3/3 secs". If you see this then spamd is most likely not
running.


F-Prot
------

You can plug pretty much any anti-virus package into exim4 via amavis. I've
chosen F-Prot because it's a superb piece of software, it works on most
platforms and it's very well priced. In some circumstances I understand it's
free to use; please be sure you have the right licence for your use.

If you have any previous installations of f-prot, amavis, amavis-ng or
amavisd-new then purge them and be sure all the config files (/etc/amavis)
are deleted. My first attempt to get this working failed due to a dangling
symlink and some outdated config files.

I am using the non-daemonised version of F-Prot. Amavis has support for both.
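Two checks for the steps above, as an added example that is not part of the original HOWTO: a summary of the sa-exim entries in exim's mainlog (rejections, clean scans, and any clean scan whose time is not the normal "1/1 secs", the symptom the Spamassassin section ties to spamd not running), and a search for dangling symlinks in a leftover /etc/amavis tree. The log lines in the script are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. Post-install checks for the
# sa-exim and amavis setup described in the text. Function names are my own.

# Constructed sample of exim mainlog entries in the sa-exim format quoted in
# the HOWTO (not real traffic). The real file is /var/log/exim4/mainlog.
sample_log() {
  cat <<'EOF'
2004-01-18 07:15:35 1Ai79e-0000Dq-8i F=<sender@example.net> H=mx.example.net [192.0.2.10] P=smtp rejected by local_scan(): Rejected: hits=7.5 required=5.0 trigger=5.0
2004-01-18 10:46:29 1AiARo-00015M-IM SA: Action: scanned but message isn't spam: hits=0.0 required=5.0 (scanned in 1/1 secs | Message-Id: 1@example.org). From (host=relay.example.org [192.0.2.20]) for user@example.org
2004-01-18 11:02:11 1AiAhR-00017Z-Pq SA: Action: scanned but message isn't spam: hits=2.1 required=5.0 (scanned in 3/3 secs | Message-Id: 2@example.org). From (host=relay.example.org [192.0.2.20]) for user@example.org
EOF
}

# Print "<rejected> <clean> <odd-timing>" for a mainlog given as a file or on
# stdin. "odd-timing" counts clean scans whose time is not "1/1 secs"; the
# HOWTO says "3/3 secs" there means spamd is probably not running.
sa_summary() {
  awk '
    /rejected by local_scan\(\): Rejected:/ { rejected++ }
    /SA: Action: scanned but message isn.t spam/ {
      clean++
      # pull the "N/N" out of "scanned in N/N secs"
      if (match($0, /scanned in [0-9]+\/[0-9]+ secs/) &&
          substr($0, RSTART + 11, RLENGTH - 16) != "1/1") odd++
    }
    END { printf "%d %d %d\n", rejected + 0, clean + 0, odd + 0 }
  ' "$@"
}

# List the spam scores of messages sa-exim rejected, one per line.
rejected_hits() {
  sed -n 's/.*Rejected: hits=\([0-9.]*\) .*/\1/p' "$@"
}

# List dangling symlinks under a directory, e.g. a leftover /etc/amavis.
dangling_links() {
  find "$1" -type l ! -exec test -e {} \; -print
}

# Demo on the constructed log (expect: 1 2 1)
sample_log | sa_summary
```

On a live box run `sa_summary /var/log/exim4/mainlog` after restarting exim, and `dangling_links /etc/amavis` before reinstalling amavis.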
Debian/unstable has a neat installer for F-Prot, so you need to install these
packages:

  f-prot-installer
  amavisd-new
  arj
  lha
  zoo
  unzip
  lzop
  unrar
  cpio
  bzip2

Once installed, you should update the virus signature files. It's a good idea
to have this run out of cron once a day:

  /usr/lib/f-prot/tools/check-updates

Next you'll need to hook F-Prot into exim4. You do this by creating two files:

  /etc/exim4/conf.d/router/01_exim4-config_amavis
  /etc/exim4/conf.d/transport/01_exim4-config_amavis

boole:/etc/exim4/conf.d# cat router/01_exim4-config_amavis
amavis:
  driver = manualroute
  condition = "${if eq {$interface_port}{10025} {0}{1}}"
  # if scanning incoming mails, uncomment the following line and
  # change local_domains accordingly
  domains = +local_domains
  transport = amavis
  route_list = "* localhost byname"
  self = send

boole:/etc/exim4/conf.d# cat transport/01_exim4-config_amavis
amavis:
  driver = smtp
  port = 10024
  allow_localhost

Next you'll need to tweak /etc/amavis/amavisd.conf. Key variables to look out
for are:

  $mydomain = "example.com";
  $forward_method = 'smtp:127.0.0.1:10025';
  $notify_method = $forward_method;

You'll find the last two in the 'EXIM V4' section; they default to the right
values anyway. There are also a few informational lines you may wish to
change; these will become obvious from the messages amavis generates as it
runs. You may also wish to move F-Prot from the "secondary" list of AV options
to the primary. It'll still work even if you don't, but you'll get an
additional complaint from amavis.

Start amavis (/etc/init.d/amavis start) and take a look at /var/log/syslog.
If things are working normally, you'll see a long message like this:

Jan 17 19:24:51 boole amavis[31461]: starting.  amavisd-new at \
  boole.clues.ltd.uk amavisd-new-20030616-p5, Unicode aware, LANG=C
Jan 17 19:24:51 boole amavis[31461]: Perl version 5.008002
Jan 17 19:24:51 boole amavis[31461]: Module Amavis::Conf 1.15
Jan 17 19:24:51 boole amavis[31461]: Module Archive::Tar 1.03
Jan 17 19:24:51 boole amavis[31461]: Module Archive::Zip 1.05
Jan 17 19:24:51 boole amavis[31461]: Module Compress::Zlib 1.16
Jan 17 19:24:51 boole amavis[31461]: Module Convert::TNEF 0.17
Jan 17 19:24:51 boole amavis[31461]: Module Convert::UUlib 1.0
Jan 17 19:24:51 boole amavis[31461]: Module MIME::Entity 5.404
Jan 17 19:24:51 boole amavis[31461]: Module MIME::Parser 5.406
Jan 17 19:24:51 boole amavis[31461]: Module MIME::Tools 5.411
Jan 17 19:24:51 boole amavis[31461]: Module Mail::Header 1.59
Jan 17 19:24:51 boole amavis[31461]: Module Mail::Internet 1.59
Jan 17 19:24:51 boole amavis[31461]: Module Net::Cmd 2.24
Jan 17 19:24:51 boole amavis[31461]: Module Net::SMTP 2.26
Jan 17 19:24:51 boole amavis[31461]: Module Net::Server 0.85
Jan 17 19:24:51 boole amavis[31461]: Module Time::HiRes 1.52
Jan 17 19:24:51 boole amavis[31461]: Module Unix::Syslog 0.100
Jan 17 19:24:51 boole amavis[31462]: Found $file at /usr/bin/file
Jan 17 19:24:51 boole amavis[31462]: Found $arc at /usr/bin/nomarch
Jan 17 19:24:51 boole amavis[31462]: Found $gzip at /bin/gzip
Jan 17 19:24:51 boole amavis[31462]: Found $bzip2 at /usr/bin/bzip2
Jan 17 19:24:51 boole amavis[31462]: Found $lzop at /bin/lzop
Jan 17 19:24:51 boole amavis[31462]: Found $lha at /usr/bin/lha
Jan 17 19:24:51 boole amavis[31462]: Found $unarj at /usr/bin/arj
Jan 17 19:24:51 boole amavis[31462]: Found $uncompress at /bin/uncompress
Jan 17 19:24:51 boole amavis[31462]: No $unfreeze, not using it
Jan 17 19:24:51 boole amavis[31462]: Found $unrar at /usr/bin/unrar
Jan 17 19:24:51 boole amavis[31462]: Found $zoo at /usr/bin/zoo
Jan 17 19:24:51 boole amavis[31462]: Found $cpio at /bin/cpio
Jan 17 19:24:51 boole amavis[31462]: Found primary av scanner \
  FRISK F-Prot Antivirus at /usr/bin/f-prot

Test that amavis is accepting connections on the local port:

boole:~# telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready

Lastly, edit /etc/exim4/update-exim4.conf.conf and change the
dc_local_interfaces line to be:

  dc_local_interfaces='0.0.0.0.25 : 127.0.0.1.10025'

Reconfigure exim by running 'dpkg-reconfigure exim4-config' and you should now
be ready to run. Restart exim and check that there were no complaints in the
log files. If there are none, you can now test that the anti-virus hook is
working.

Create an EICAR test file, instructions here:

  http://www.eicar.org/anti_virus_test_file.htm

Mail it to yourself, preferably from an external account. If all is well, you
should see a log entry like this:

Jan 17 18:47:02 boole amavis[31338]: (31338-01) INFECTED (EICAR_Test_File), \
  -> , \
  quarantine virus-20040117-184700-31338-01, \
  Message-ID: <20040117184700.270B8DC230@postel.clues.ltd.uk>, Hits: -

------------------------
Copyright (c) 2004, Martin A. Brooks, Clues Ltd.

Permission is granted to copy, distribute and/or modify this document under
the terms of the GNU Free Documentation License, Version 1.1 or any later
version published by the Free Software Foundation.