Subject:
RE: qmail-scanner and ClamAV
From:
"Steve Peace" ####@####.####
Date:
2 Feb 2004 19:21:46 -0000
Message-Id: <004501c3e9c1$bbabe330$d319020a@HSSNB21>
Unfortunately I do not have a web server available to post it to. I am
currently working on setting one up at home, but it is still busted. I
have attached a copy of the draft to this message in plain text. Let me
know what you think.
Thanks,
Steve Peace
-----Original Message-----
From: Emma Jane Hogbin ####@####.####
Sent: Monday, February 02, 2004 1:46 PM
To: ####@####.####
Subject: Re: qmail-scanner and ClamAV
On Mon, Feb 02, 2004 at 01:36:13PM -0500, Steve Peace wrote:
> Where should I submit the draft?
Do you have a web server where you can upload it? Or try attaching a
.TXT
attachment and send it to this list. It should work...
emma
--
Emma Jane Hogbin
[[ 416 417 2868 ][ www.xtrinsic.com ]]
______________________
http://lists.tldp.org/
Qmail-Scanner & ClamAV HowTo
1.) Introduction:
* 1.1 What this document is
* 1.2 What this document is not
* 1.3 Acknowledgments
* 1.4 Copyright
2.) Prerequisites
3.) ClamAV
* 3.1 Installing ClamAV
* 3.2 Testing ClamAV
* 3.3 Updating Defs
* 3.4 Setting up Clamd and Using With Daemontools
4.) qmail-scanner
* 4.1 Installing qmail-scanner
* 4.2 Ownerships
* 4.3 Testing qmail-scanner
5.) Configuring Qmail to use qmail-scanner-queue.pl
* 5.1 changing your tcp rules
* 5.2 increasing your softlimit
6.) Conclusion
7.) Appendix A: Recommended Reading and Other Resources
8.) Appendix B: Scripts
9.) Appendix C: Software
10.) Appendix D: GNU Free Documentation License
1.
Introduction
1.1 What this document is:
This document started out as a way for me to document the procedure and required readings for re-creating the deployment of qmail-scanner and ClamAV for my employers email system. I am not a writer, or a programmer. I am a lowly little systems administrator that got frustrated looking online for all of the information to make qmail-scanner work with ClamAV. This HOWTO will document the steps that I took to get qmail-scanner and ClamAV to work together. Is this the right way to do it? Who knows, it worked for me. There are plenty of snippets of information that I �liberated� from many sources. Please see the Acknowledgments.
1.2 What this document is not:
This document is not a comprehensive source of information for ClamAV, qmail-scanner, qmail, daemontools, Linux, Un*x, FreeBSD, etc. I do not pretend to know everything about everything. Like I said before, this worked for me it may not work for you. If you don�t know how to use a particular OS, tool, or piece of software, THIS HOWTO WILL NOT HELP YOU! I am a firm believer in RTFM. So please make sure that you check out Appendix A before you follow this HOWTO.
1.3 Acknowledgments:
I would like to acknowledge the following people and groups:
* Jason Haar (for qmail-scanner)
* Jesse D. Guardiani (original clamd+daemontools HOWTO)
* The entire ClamAV group (for ClamAV)
* Dan Bernstein (for qmail and daemontools)
* Dave Sill (for lfwq)
* Bruce Guenter (qmailqueue patch)
* Mark Simpson (TNEF unpacker)
1.4 Copyright:
Copyright (c) 2004 Steven R. Peace.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled "GNU
Free Documentation License".
This HOWTO is free documentation; you can redistribute it and/or modify it under the terms of the GNU Free Documentation License. This document is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.
2. Prerequisites
You should already have a working qmail server with deamontools installed. Your server will also need:
ClamAV Prerequisites:
* Zlib and zlib-devel packages
* Gcc compiler (2.9x or 3.x)
* Bzip2 library (recommended)
Qmail-scanner Prerequisites:
* Qmail 1.03
* Reformmime from Maildrop 1.3.8+
* Perl 5.005_03+
* Perl module Time::HiRes
* Perl module DB_File
* Perl module Sys::Syslog
* Mark Simpson�s TNEF Unpacker
* Bruce Guenter�s QMAILQUEUE patch
3. ClamAV
3.1 Installing ClanAV
Download the ClamAV source at http://www.clamav.net. As of the writing of this HOWTO, the latest version is 0.65.
tar -xvzf clamav-0.65.tar.gz
cd clamav-0.65
groupadd clamav
useradd clamav -g clamav -c "Clam AntiVirus" -s /nonexistent
./configure
make
make install
cd ..
3.2 Testing
As long as make and make install has finished without errors, you are now ready to test your installation. To test your installation type:
$clamscan �r �l scan.txt clamav-0.65
clamscan should find a test virus (Don�t worry it�s not real ) in the clamav-0.65/test directory and log it to the scan.txt log file.
Now you need to configure the ClamAV daemon, clamd, for testing.
vi /usr/local/etc/clamav.conf
Comment out "Example" line in clamav.conf and save.
$clamdscan �l scan.txt clamav-0.65
This should provide output that is similar to the clamscan command you entered above.
3.3 Updating Defs
Now we need to update our virus definitions. Clamscan includes a utility, freshclam , to take care of this. Freshclam will automatically change from root to the clamav user that you created during the installation. First we need to create a log file that freshclam can log to.
#touch /var/log/clam-update.log
#chmod 600 /var/log/clamupdate.log
#chown clamav /var/log/clamupdate.log
Now start freshclam:
#freshclam �d �c 6 �l /var/log/clam-update.log
This will check for a new virus definition database 6 times a day. Check the /var/log/clam-update.log file. It should look something like this:
-----------------------------------------------------------------------------------------------------
ClamAV update process started at Wed Jan 28 17:49:48 2004
main.cvd is up to date (version: 19, sigs: 19987, f-level: 1, builder: ddm)
daily.cvd updated (version: 111, sigs: 597, f-level: 1, builder: tomek)
Database updated (20584 signatures) from database.clamav.net (81.4.91.185).
-----------------------------------------------------------------------------------------------------
Now just add the freshclam �d �c 6 �l /var/log/clam-update.log to your startup scripts.
If you want, you can also setup a cronjob to update the Defs every 6 hours.
Vi /etc/crontab
0 6 * * * root /usr/local/bin/clamscan
3.4 Setting up Clamd and Using With Daemontools
Edit /etc/clamd.conf
#vi /etc/clamd.conf
Uncomment "LogSyslog"
Uncomment "StreamSaveToDisk"
Uncomment "MaxThreads" and change value to "30"
Uncomment "User" and change value to "qscand"
Uncomment "Foreground"
Uncomment "ScanMail"
Create the clamav directory
#mkdir -p /usr/local/clamav/bin
Now create a startup/shutdown script for clamd. You can copy and paste this script that was written by Jesse D. Guardiani.
vi /usr/local/clamav/bin/clamdctl
#!/bin/sh
# For Red Hat chkconfig
# chkconfig: - 80 30
# description: the ClamAV clamd daemon
PATH=/usr/local/clamav/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
case "$1" in
start)
echo "Starting clamd"
if svok /service/clamd ; then
svc -u /service/clamd
else
echo clamd supervise not running
fi
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/clamd
fi
;;
stop)
echo "Stopping clamd..."
echo " clamd"
svc -d /service/clamd
if [ -f /var/lock/subsys/clamd ]; then
rm /var/lock/subsys/clamd
fi
;;
stat)
svstat /service/clamd
svstat /service/clamd/log
;;
restart)
echo "Restarting clamd:"
echo "* Stopping clamd."
svc -d /service/clamd
echo "* Sending clamd SIGTERM and restarting."
svc -t /service/clamd
echo "* Restarting clamd."
svc -u /service/clamd
;;
hup)
echo "Sending HUP signal to clamd."
svc -h /service/clamd
;;
help)
cat <<HELP
stop -- stops clamd service (smtp connections refused, nothing goes out)
start -- starts clamd service (smtp connection accepted, mail can go out)
stat -- displays status of clamd service
restart -- stops and restarts the clamd service
hup -- same as reload
HELP
;;
*)
echo "Usage: $0 {start|stop|stat|restart|hup|help}"
exit 1
;;
esac
exit 0
Make clamdctl an executable and link to path:
chmod 755 /usr/local/clamav/bin/clamdctl
chown clamav /usr/local/clamav/bin/clamdctl
ln -s /usr/local/clamav/bin/clamdctl /usr/local/bin
Create the supervise directories for the clamd service:
mkdir -p /usr/local/clamav/supervise/clamd/log
Now you must create the /usr/local/clamav/supervise/clamd/run file, or just copy this one that was created by Jesse D. Guardiani:
vi /usr/local/clamav/supervise/clamd/run
#!/bin/sh
#
# --------------------------------------------------
# run
#
# Purpose - Start the clamd daemon/service.
#
# Author - Jesse D. Guardiani
# Created - 09/10/03
# Modified - 09/25/03
# --------------------------------------------------
# This script is designed to be run under DJB's
# daemontools package.
#
# ChangeLog
# ---------
#
# 09/25/03 - JDG
# --------------
# - Changed clamd user to qscand in compliance with
# the change to qmail-scanner-1.20rc3
#
# 09/10/03 - JDG
# --------------
# - Created
# --------------------------------------------------
# Copyright (C) 2003 WingNET Internet Services
# Contact: Jesse D. Guardiani (jesse at wingnet dot net)
# --------------------------------------------------
lockfile="/tmp/clamd" # Location of clamd lock file
path_to_clamd="/usr/local/sbin/clamd"
# Location of the clamd binary
BAD_EXIT_CODE=1 # The exit code we use to announce that something bad has happened
# The following pipeline is designed to return the pid of each
# clamd process currently running.
get_clam_pids_pipeline=`ps -ax | grep -E "${path_to_clamd}\$" | grep -v grep | awk '{print $1}'`
# --------------------------------------------------
# Generic helper functions
# --------------------------------------------------
# Basic return code error message function
die_rcode() {
EXIT_CODE=$1
ERROR_MSG=$2
if [ $EXIT_CODE -ne '0' ]; then
echo "$ERROR_MSG" 1>&2
echo "Exiting!" 1>&2
exit "$BAD_EXIT_CODE"
fi
}
# --------------------------------------------------
# Main
# --------------------------------------------------
ps_clamd=""
ps_clamd="$get_clam_pids_pipeline"
if [ -n "$ps_clamd" ]; then
pid_count="0"
for pid in $ps_clamd
do
pid_count=`expr $pid_count + 1`
done
die_rcode $BAD_EXIT_CODE "Error: $pid_count clamd process(es) already running!"
fi
if [ -e "$lockfile" ]; then
rm "$lockfile"
exit_code="$?"
die_rcode $exit_code "Error: 'rm $lockfile' call failed."
fi
exec /usr/local/bin/setuidgid qscand $path_to_clamd
# --
# END /usr/local/clamav/supervise/clamd/run file.
# --
Create the /usr/local/clamav/supervise/calmd/log/run file:
#vi /usr/local/clamav/supervise/calmd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qscand /usr/local/bin/multilog t /var/log/clamd
Make the run files executable:
chmod 755 /usr/local/clamav/supervise/clamd/run
chmod 755 /usr/local/clamav/supervise/clamd/log/run
Then set up the log directories:
mkdir -p /var/log/clamd
chown qscand /var/log/clamd
Finally, link the supervise directory into /service:
ln -s /usr/local/clamav/supervise/clamd /service
* Note: The clamd script will start automatically shortly
after these links are created. If you don't want it running
yet, do the following:
#clamdctl stop
To start clamd backup, do the following
#clamdctl start
4. Qmail-Scanner
4.1 Installing Qmail-Scanner
Download and unpack the latest version of Maildrop. Do not worry you will not be using Maildrop. You only need reformmime, which is included in Maildrop. Please read the instructions included in the tar ball on how to install it.
Download Time::HiRes and DB_File Perl Modules. The modules can be obtained at www.cpan.org. There is a HOWTO there as well that will explain the installation procedure of Perl modules. Once again, please read the instructions included in the tar ball before installing.
Download and install Mark Simpson�s TNEF unpacker. Just like before, read the instructions included in the tarball.
If you have not already done so, please install Bruce Guenter�s QMAILQUEUE patch.
Create a user for qmail-scanner to run as.
#groupadd clamav
#useradd clamav -g clamav -c "Clam AntiVirus" -s /nonexistent
Phew, that�s a lot of stuff to do. Now after all of that, we are ready to install qmail-scanner. Download the latest source of qmail-scanner. As of the writing of this howto, it is 1.20.
Unpack the tar ball and change to the qmail-scanner directory.
#tar �zxvf qmail-scanner-1.20.tar.gz
#cd qmail-scanner-1.20
Run Configure to autodetect what software is installed on your system. Review the output to make sure it is correct. It should look similar to this:
#./configure
This script will search your system for the virus scanners it knows
about, and will ensure that all external programs
qmail-scanner-queue.pl uses are explicitly pathed for performance
reasons.
It will then generate qmail-scanner-queue.pl - it is up to you to install it
correctly.
Continue? ([Y]/N) <PRESS ENTER>
Found tnef on your system! That means we'll be able to decode stupid
M$ attachments :-)
The following binaries and scanners were found on your system:
mimeunpacker=/usr/local/bin/reformime
unzip=/usr/bin/unzip
tnef=/usr/local/bin/tnef
Content/Virus Scanners installed on your System
clamuko=/usr/local/bin/clamdscan (which means clamscan won't be used as clamdscan is better)
Qmail-Scanner details.
log-details=0
fix-mime=1
debug=1
notify=sender,admin
redundant-scanning=no
virus-admin=root@mail --substitute you domain here
local-domains='mail' �substitue your domain here
silent-viruses='klez','bugbear','hybris','yaha','braid','nimda','tanatos','sobig','winevar','palyh','fizzer','gibe','
cailont','lovelorn','swen','dumaru','sober','hawaii','holar-i'
scanners="clamuko_scanner"
If that looks correct, I will now generate qmail-scanner-queue.pl
for your system...
Continue? ([Y]/N)<PRESS ENTER>
Now type:
# ./configure �install
This will actually install qmail-scanner-queue.pl and create the necessary directory structures. You should see similar messages as before. Once again, read the output of the script to make sure everything is correct. If it is <PRESS ENTER> to install qmail-scanner.
If everything went according to plan, qmail-scanner-queue.pl should now be installed. You should see qmail-scanner-queue.pl in /var/qmail/bin.
#ls /var/qmail/bin
/var/qmail/bin/qmail-scanner-queue.pl
4.2 Ownership
In order for qmail-scan to be able to use ClamAV, some of the ClamAV ownerships must be changed. If you remember, we made a clamav user to run ClamAV, and then changed the permissions so that only that user can run it. Now we need to setup the qscand user rights to use it.
First you need to change the ownership of the clamd supervise directories.
#chown -R qscand /usr/local/clamav/supervise
Now change the ownership of the ClamAV log file:
#chown �R qscand /var/log/clamd
4.3 Testing
Now to test qmail-scanner.
#./contrib./test_instaltion.sh �doit
Sending standard test message - no viruses...
done!
Sending eicar test virus - should be caught by perlscanner module...
done!
Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)...
Sending bad spam message for anti-spam testing - In case you are using SpamAssassin...
Done!
Now go and check Email for postmaster@mail.
You should now have 4 email messages in your postmater�s mailbox.
5. Configuring Qmail to use qmail-scanner-queue.pl
5.1 Changing your tcp rules
Now that everything is installed, configured, and successfully tested, it is now time to configure qmail to utilize qmail-scanner and ClamAV. If you have followed Dave Sills Life With Qmail, you should have a tcp.smtp file in your /etc directory. You must edit tcp.smtp file to include the QMAILQUEUE variable.
#vi /etc/tcp.smtp
127.:allow,RELAYCLIENT=��,QMAILQUEUE=�/var/qmail/bin/qmail-queue�
10.:allow,RELAYCLIENT=��,QMAILQUEUE=�/var/qmail/bin/qmail-scanner-queue.pl�
:allow.QMAILQUEUE=�/var/qmail/bin/qmail-scanner-queue.pl�
As you can see, we use qmail-queue for all local deliveries by setting the QMAILQUEUE variable to be the original qmail-queue. We then changed all of the local subnet mail deliveries to use qmail-scanner-queue.pl. This will cause all local subnet SMTP traffic to be scanned by qmail-scanner and ClamAV. The last line will scan all inbound emails.
After adding the QMAILQUEUE variables, you must rebuild the cdb file for qmail.
#qmailctl cdb
5.2 increasing your softlimit
Now comes the tricky part. If you try to send an email message, you will most likely receive an error from your client. The error will say something that includes this:
451 qq temporary problem (#4.3.0)
If you followed Life with qmail, you then have a memory limit set in the /var/qmail/supervise/qmail-smtpd/run file. Look for the line that contains softlimit. It should look similar to this:
exec /usr/local/bvin/softlimit �m 2000000 \
This example sets the memory limit for qmail-smtpd to 2M. After all of your changes qmail-smtpd is now running the entire Perl interpreter, and ClamAV. 2M will never be enough.
Each system is different, and has different requirements. It will take some experimenting on your part to find the correct value for the softlimit of your system. Do not just set softlimit to some high value! That is a big no-no, and you will be asking for trouble if you do. YOU HAVE BEEN WARNED!! To find the minimal value for your system, I recommend the following steps:
* Increase softlimit by 1M
* #qmailctl restart
* Send a message
* Repeat until you can successfully send an email.
Once you have found the minimum, I would recommend increasing that by 1.5M, just to be safe for those days that your email server has a heavy load.
After that just create a daily cronjob that runs /var/qmail/bin/qmail-scan-queue.pl �z to cleanup any dropped SMTP sessions that may be lying around in /var/spool/qmailscan.
Appendix A:
Recommended Reading and Other Resources
Life with qmail written by Dave Sills http://www.lifewithqmail.org
Qmail FAQ Written by D.J. Bernstein http://cr.yp.to/qmail/faq
SMTP: Simple Mail Transfer Protocol written by Dan Bernsteien http://cr.yp.to/smtp.html
Daemontools FAQ written by D.J. Bernstein http://cr.yp.to/daemontools/faq
ClamAV FAQ http://www.clamav.net/faq.html#pagestart
ClamAV User Manual Written by Thomasz Kojm http://www.clamav.net/doc
Qmail-Scanner: Content Scanner for Qmail written by Jason Haar http://qmail-scanner.sourceforge.net
Qmail-Scanner FAQ http://qmail-scanner.sourceforge.net/FAQ.php
Clamd+daemontools howto written by Jesse D. Guardiani http://clamav.elektrapro.com/doc/clamd_supervised/clamd-daemontools-guide.txt
Qmail mailing list archive http:// http://www-archive.ornl.gov:8000/
Qmail-scanner list archive http://sourceforge.net/mailarchive/forum.php?forum=qmail-scanner-general
ClamAV users list archive http://news.gmane.org/gmane.comp.security.virus.clamav.user
ClamAV Virus DB list archive http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb
Appendix B:
Scripts
These are the scripts contained in this how to. I did not write them. They were created by Jesse D. Guardiani, and can be found in his clamd+daemontools HOWTO.
Clamdctl
#!/bin/sh
# For Red Hat chkconfig
# chkconfig: - 80 30
# description: the ClamAV clamd daemon
PATH=/usr/local/clamav/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
case "$1" in
start)
echo "Starting clamd"
if svok /service/clamd ; then
svc -u /service/clamd
else
echo clamd supervise not running
fi
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/clamd
fi
;;
stop)
echo "Stopping clamd..."
echo " clamd"
svc -d /service/clamd
if [ -f /var/lock/subsys/clamd ]; then
rm /var/lock/subsys/clamd
fi
;;
stat)
svstat /service/clamd
svstat /service/clamd/log
;;
restart)
echo "Restarting clamd:"
echo "* Stopping clamd."
svc -d /service/clamd
echo "* Sending clamd SIGTERM and restarting."
svc -t /service/clamd
echo "* Restarting clamd."
svc -u /service/clamd
;;
hup)
echo "Sending HUP signal to clamd."
svc -h /service/clamd
;;
help)
cat <<HELP
stop -- stops clamd service (smtp connections refused, nothing goes out)
start -- starts clamd service (smtp connection accepted, mail can go out)
stat -- displays status of clamd service
restart -- stops and restarts the clamd service
hup -- same as reload
HELP
;;
*)
echo "Usage: $0 {start|stop|stat|restart|hup|help}"
exit 1
;;
esac
exit 0
/usr/local/clamav/supervise/clamd/run
#!/bin/sh
#
# --------------------------------------------------
# run
#
# Purpose - Start the clamd daemon/service.
#
# Author - Jesse D. Guardiani
# Created - 09/10/03
# Modified - 09/25/03
# --------------------------------------------------
# This script is designed to be run under DJB's
# daemontools package.
#
# ChangeLog
# ---------
#
# 09/25/03 - JDG
# --------------
# - Changed clamd user to qscand in compliance with
# the change to qmail-scanner-1.20rc3
#
# 09/10/03 - JDG
# --------------
# - Created
# --------------------------------------------------
# Copyright (C) 2003 WingNET Internet Services
# Contact: Jesse D. Guardiani (jesse at wingnet dot net)
# --------------------------------------------------
lockfile="/tmp/clamd" # Location of clamd lock file
path_to_clamd="/usr/local/sbin/clamd"
# Location of the clamd binary
BAD_EXIT_CODE=1 # The exit code we use to announce that something bad has happened
# The following pipeline is designed to return the pid of each
# clamd process currently running.
get_clam_pids_pipeline=`ps -ax | grep -E "${path_to_clamd}\$" | grep -v grep | awk '{print $1}'`
# --------------------------------------------------
# Generic helper functions
# --------------------------------------------------
# Basic return code error message function
die_rcode() {
EXIT_CODE=$1
ERROR_MSG=$2
if [ $EXIT_CODE -ne '0' ]; then
echo "$ERROR_MSG" 1>&2
echo "Exiting!" 1>&2
exit "$BAD_EXIT_CODE"
fi
}
# --------------------------------------------------
# Main
# --------------------------------------------------
ps_clamd=""
ps_clamd="$get_clam_pids_pipeline"
if [ -n "$ps_clamd" ]; then
pid_count="0"
for pid in $ps_clamd
do
pid_count=`expr $pid_count + 1`
done
die_rcode $BAD_EXIT_CODE "Error: $pid_count clamd process(es) already running!"
fi
if [ -e "$lockfile" ]; then
rm "$lockfile"
exit_code="$?"
die_rcode $exit_code "Error: 'rm $lockfile' call failed."
fi
exec /usr/local/bin/setuidgid qscand $path_to_clamd
# --
# END /usr/local/clamav/supervise/clamd/run file.
# --
/usr/local/clamav/supervise/clamd/run
#!/bin/sh
exec /usr/local/bin/setuidgid qscand /usr/local/bin/multilog t /var/log/clamd
Appendix C:
Software
Qmail � http://www.qmail.org/netqmail-1.05.tar.gz
Daemontools � ftp://cr.yp.to/daemontools/daemontools-0.76.tar.gz
ClamAV � http://prodownloads.sourceforge.net/clamav/clamav-0.65.tar.gz
QMAILQUEUE patch � http://www.qmail.org/top.html#qmailqueue
MailDrop � http://download.sourceforge.net/courier
Time::HiRes � http://search.cpan.org/search?module=Time::HiRes
DB_File � http://search.cpan.org/search?module=DB_File
TNEF unpacker � http://sourcforge.net/projects/tnef
Qmail-scanner � http://prodownloads.sourceforge.net/qmail-scanner/qmail-scanner-1.20.tgz?download
Appendix D: GNU Free Documentation License
