How To Combat Viruses Using Your Postfix Configuration

Submitted by todgerme on Thu, 2006-09-07 23:43. :: Postfix

In this guide you will learn how to tweak the setup from the HowtoForge mail guide for Postfix (+Auth SMTP + Quota), http://www.howtoforge.com/virtual_postfix_mysql_quota_courier, to give better virus protection. Sadly this always comes at a price, as you will see later on.

Falko's HowtoForge guide is a great starter for a default Postfix installation, but if you want business-grade antivirus protection we need to do a few small things so that there is less chance of the latest script-kiddie invention getting through.

In the Postfix guide, Amavis and ClamAV are installed from Debian stable, and the packages in Debian Sarge are just far too old. Having played with the new amavisd-new 2.4.2, I found the Debian package has changed significantly: /etc/amavis/amavisd.conf has been completely replaced. So we are going to leave amavisd-new alone at the Debian Sarge stable version. ClamAV, however, is a little outdated, so we are going to take a fresh copy from testing.

Edit /etc/apt/sources.list and point your Debian sources at testing:

vi /etc/apt/sources.list

deb ftp://ftp.uk.debian.org/debian/ testing main

apt-get update

apt-get install clamav clamav-daemon

Don't forget to take your Debian sources back to stable afterwards:

Edit /etc/apt/sources.list:

vi /etc/apt/sources.list

deb ftp://ftp.uk.debian.org/debian/ stable main

apt-get update

This updates the ClamAV engine to 0.88 and should offer better virus detection. It is possible to take ClamAV to the latest release using Debian's volatile branch, but I've had a few bad experiences, so it's better to err on the side of caution.

Next we want to increase the number of virus scanners that Amavis calls after Postfix hands the mail to it. This guide will look at configuring two more.

F-Prot is free for private use and comes with a handy Debian installer.

cd /usr/src

wget http://http.us.debian.org/debian/pool/contrib/f/f-prot-installer/f-prot-installer_0.5.22_i386.deb

apt-get install libwww-perl liburi-perl libhtml-parser-perl libhtml-tree-perl libhtml-tagset-perl

dpkg -i f-prot-installer_0.5.22_i386.deb

Follow the on-screen installer, which goes off and downloads the latest F-Prot distribution while you wait.

Unlike ClamAV, which uses freshclam, F-Prot doesn't use a daemonised program to keep itself up to date; instead we need to enable the updater program via the Debian cron jobs.

Edit /etc/cron.d/f-prot-installer and uncomment the two cron job lines for the virus definition and program updates:

vi /etc/cron.d/f-prot-installer

27 4,16 * * * root if [ -x /usr/lib/f-prot/tools/check-updates ]; then /usr/lib/f-prot/tools/check-updates -cron; fi
#
# Uncomment to check for new version of program once a week
# 
00 12 * * 1 root if [ -x /usr/sbin/update-f-prot ]; then /usr/sbin/update-f-prot -i; fi

Next we want to enable F-Prot in our Amavis configuration, so edit /etc/amavis/amavisd.conf and search for @av_scanners. We want to add a new scanner to this array, so after the edit it should look something like the following:

vi /etc/amavis/amavisd.conf

@av_scanners = (

### http://www.clamav.net/
['Clam Antivirus-clamd',
 \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
 qr/\bOK$/, qr/\bFOUND$/,
 qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: run clamd under the same user as amavisd; match the socket
# name (LocalSocket) in clamav.conf to the socket name in this entry
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],


### F-Prot http://www.f-prot.com
['FRISK F-Prot Antivirus', ['f-prot','/usr/lib/f-prot/f-prot.sh'],
   '-dumb -archive -packed {}', [0,8], [3,6],
   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
   
);


Finally restart Amavis for the changes to take effect:

/etc/init.d/amavis restart

Moving swiftly on, we are now going to enable McAfee UVScan. Sadly this isn't free for general use: you must purchase a license to use it beyond the evaluation period.

cd /usr/src

wget http://download.nai.com/products/evaluation/virusscan/english/cmdline/linux/v5.10/vlp4510e.tar.Z

tar zxvf vlp4510e.tar.Z

./install-uvscan

Accept all the defaults, but skip the lengthy full filesystem scan at the end of the installation procedure. At this point, if you have a license, you can drop it into the program directory, normally installed under /usr/local/uvscan.

Next we grab the NAI updater from http://www.brijn.nu/Programming/ (it seems McAfee can't be bothered to distribute one):

cd /usr/src

wget http://www.brijn.nu/Programming/nai/naiupdt-0.5.tar.gz

tar zxvf naiupdt-0.5.tar.gz

cd naiupdt-0.5

./naiupdt.pl

Next, place the updater in the system crontab so that it runs at least once per day. Edit /etc/crontab and add:

vi /etc/crontab

15 8,15 * * *  root /usr/src/naiupdt-0.5/naiupdt.pl >> /dev/null

Next we need to add UVScan to the Amavis configuration, so edit /etc/amavis/amavisd.conf, find @av_scanners once again and change the array so that it looks something like this with all three AV scanners:

@av_scanners = (

### http://www.clamav.net/
['Clam Antivirus-clamd',
 \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
 qr/\bOK$/, qr/\bFOUND$/,
 qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: run clamd under the same user as amavisd; match the socket
# name (LocalSocket) in clamav.conf to the socket name in this entry
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

### http://www.nai.com/
['NAI McAfee AntiVirus (uvscan)', '/usr/local/uvscan/uvscan',
   '--secure -rv --mime --summary --noboot - {}', [0], [13],
   qr/(?x) Found (?:
     \ the\ (.+)\ (?:virus|trojan)  |
     \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
     :\ (.+)\ NOT\ a\ virus)/,
],

### F-Prot http://www.f-prot.com
['FRISK F-Prot Antivirus', ['f-prot','/usr/lib/f-prot/f-prot.sh'],
   '-dumb -archive -packed {}', [0,8], [3,6],
   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
   
);
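To make the meaning of the @av_scanners fields concrete (the command, its arguments with {} as the file placeholder, the exit codes or output regex that mean "clean", the ones that mean "infected", and the regex that extracts the virus name), here is an added Python example. It is not code from this article or from amavisd-new; it models how amavisd-new applies those fields to a scanner's result for the three entries above, and serves both this array and the two-scanner array earlier in the guide. The regexes are translated from the Perl qr// patterns in the entries; the scanner output strings and the temporary part path are constructed samples, not captured output; and the ordering assumption (an "infected" match wins over a "clean" match, while a result matching neither is a scanner error that makes amavisd-new fall through to the next scanner) is my reading of amavisd-new's behaviour.

```python
import re
from typing import List, Sequence, Tuple, Union

# Added example (not from the article or amavisd-new): a Python model of how an
# @av_scanners entry's 4th, 5th and 6th fields are applied to a scanner result.
# A field is either a list of exit codes or a regex tested against the output.
Spec = Union[Sequence[int], re.Pattern]

# ClamAV via clamd (\&ask_daemon): both conditions are output regexes, because a
# daemon reply has no exit status. Translated from the Perl qr// patterns above.
CLAMD_CLEAN = re.compile(r"\bOK$", re.M)
CLAMD_INFECTED = re.compile(r"\bFOUND$", re.M)
CLAMD_NAME = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)

# McAfee uvscan: exit 0 = clean, 13 = infected (the [0], [13] fields above).
UVSCAN_CLEAN, UVSCAN_INFECTED = [0], [13]
UVSCAN_NAME = re.compile(r"""(?x) Found (?:
     \ the\ (.+)\ (?:virus|trojan)  |
     \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
     :\ (.+)\ NOT\ a\ virus)""")

# F-Prot: exit 0 or 8 = clean, 3 or 6 = infected (the [0,8], [3,6] fields above).
FPROT_CLEAN, FPROT_INFECTED = [0, 8], [3, 6]
FPROT_NAME = re.compile(r"Infection: (.+)|\s+contains\s+(.+)$", re.M)


def _matches(spec: Spec, exit_code: int, output: str) -> bool:
    """A regex spec is searched in the output; a list spec is matched on exit code."""
    if isinstance(spec, re.Pattern):
        return spec.search(output) is not None
    return exit_code in spec


def classify(clean: Spec, infected: Spec, name_re: re.Pattern,
             exit_code: int, output: str) -> Tuple[str, List[str]]:
    """Return ("infected", names), ("clean", []) or ("error", []).

    Assumption: an infected match takes precedence over a clean match, and a
    result matching neither is a scanner failure, which amavisd-new handles by
    moving on to the next scanner in @av_scanners rather than passing the mail.
    """
    if _matches(infected, exit_code, output):
        # Every capture group of the name regex that matched becomes a name.
        names = [g for m in name_re.finditer(output) for g in m.groups() if g]
        return ("infected", names or ["UNKNOWN"])
    if _matches(clean, exit_code, output):
        return ("clean", [])
    return ("error", [])


def demo() -> dict:
    """Run the three entries over constructed scanner outputs (not real captures)."""
    part = "/var/lib/amavis/tmp/amavis-20060907T232957-11023/parts/p001"  # constructed
    return {
        "clamd_ok": classify(CLAMD_CLEAN, CLAMD_INFECTED, CLAMD_NAME, 0, f"{part}: OK"),
        "clamd_found": classify(CLAMD_CLEAN, CLAMD_INFECTED, CLAMD_NAME, 0,
                                f"{part}: Eicar-Test-Signature FOUND"),
        "uvscan_found": classify(UVSCAN_CLEAN, UVSCAN_INFECTED, UVSCAN_NAME, 13,
                                 "Found the EICAR test file virus !!!"),
        "fprot_found": classify(FPROT_CLEAN, FPROT_INFECTED, FPROT_NAME, 3,
                                "Infection: EICAR_Test_File"),
        "fprot_clean": classify(FPROT_CLEAN, FPROT_INFECTED, FPROT_NAME, 8,
                                "No infections found, but 1 file could not be scanned"),
        # exit 2 is in neither list: amavisd-new would try the next scanner
        "fprot_error": classify(FPROT_CLEAN, FPROT_INFECTED, FPROT_NAME, 2, ""),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13} -> {verdict}")
```

The practical point of the model is the "error" branch: a scanner whose exit status is in neither list (for example, a broken F-Prot update or an expired uvscan evaluation) does not make amavisd-new pass the message as clean; it moves on to the next entry, which is why keeping more than one working scanner in the array matters.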

Restart Amavis for the changes to take effect:

/etc/init.d/amavis restart

Finally, send some mail through your system to check that it's all working, and look at the Amavis log (be sure to enable logging in the Amavis configuration if you haven't already done so). You should see something like this:

Sep  7 23:29:57 domain.net amavisd-new[11023]: (11023-08) TIMING [total 617 ms] - SMTP EHLO: 1 (0%), SMTP pre-MAIL: 0 (0%), SMTP pre-DATA-flush: 1 (0%), SMTP DATA: 39 (6%), body hash: 0 (0%), lookup_sql: 1 (0%), mime_decode: 8 (1%), get-file-type: 8 (1%), get-file-type: 7 (1%), decompose_part: 1 (0%), decompose_part: 0 (0%), parts: 0 (0%), AV-scan-1: 4 (1%), AV-scan-2: 323 (52%), AV-scan-3: 171 (28%), fwd-connect: 4 (1%), fwd-mail-from: 0 (0%), fwd-rcpt-to: 2 (0%), write-header: 2 (0%), fwd-data: 0 (0%), fwd-data-end: 41 (7%), fwd-rundown: 1 (0%), unlink-2-files: 2 (0%), rundown: 0 (0%)

You will notice that there are three AV scans taking place, and the log gives the approximate percentage of the total time each step took. In my tests Clam (AV-scan-1) is by far the fastest, followed by F-Prot (AV-scan-3), with UVScan (AV-scan-2) trailing behind in third place. Obviously, if you find your mail setup getting hit hard by having so many scanners installed, all you need to do is disable them in the Amavis configuration file.
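As an added example (not from the article), the following Python script parses a TIMING line of this form and maps the AV-scan-N steps back to the @av_scanners entries, so you can see which scanner is eating the time before deciding which one to disable. It uses the log line above, re-joined where the page wrapped it; the mapping of AV-scan-N to the Nth entry in @av_scanners is an assumption that matches the article's ordering (Clam = 1, UVScan = 2, F-Prot = 3), and the 50% "slow" threshold is an arbitrary value chosen for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not from the article): parse an amavisd-new TIMING line and
# attribute the AV-scan-N steps to the scanners configured in @av_scanners.
TIMING_RE = re.compile(
    r"\((?P<task>\d+-\d+)\) TIMING \[total (?P<total>\d+) ms\] - (?P<steps>.*)$")
STEP_RE = re.compile(r"([^,]+?): (\d+) \((\d+)%\)")

# Scanner names in @av_scanners order. Assumption: AV-scan-N is the Nth entry,
# which agrees with the article's Clam=1, UVScan=2, F-Prot=3 observation.
SCANNERS = ["Clam Antivirus-clamd", "NAI McAfee AntiVirus (uvscan)",
            "FRISK F-Prot Antivirus"]

# The article's own log line, re-joined where the page wrapped it mid-word.
SAMPLE_LINE = (
    "Sep  7 23:29:57 domain.net amavisd-new[11023]: (11023-08) TIMING [total 617 ms] - "
    "SMTP EHLO: 1 (0%), SMTP pre-MAIL: 0 (0%), SMTP pre-DATA-flush: 1 (0%), SMTP DATA: 39 (6%), "
    "body hash: 0 (0%), lookup_sql: 1 (0%), mime_decode: 8 (1%), get-file-type: 8 (1%), "
    "get-file-type: 7 (1%), decompose_part: 1 (0%), decompose_part: 0 (0%), parts: 0 (0%), "
    "AV-scan-1: 4 (1%), AV-scan-2: 323 (52%), AV-scan-3: 171 (28%), fwd-connect: 4 (1%), "
    "fwd-mail-from: 0 (0%), fwd-rcpt-to: 2 (0%), write-header: 2 (0%), fwd-data: 0 (0%), "
    "fwd-data-end: 41 (7%), fwd-rundown: 1 (0%), unlink-2-files: 2 (0%), rundown: 0 (0%)"
)


def parse_timing(line: str) -> Optional[Dict]:
    """Return {"task", "total_ms", "steps": [(name, ms, percent), ...]} or None."""
    m = TIMING_RE.search(line)
    if m is None:
        return None  # not a TIMING line (e.g. a "Passed CLEAN" line)
    steps = [(name.strip(), int(ms), int(pct))
             for name, ms, pct in STEP_RE.findall(m.group("steps"))]
    return {"task": m.group("task"), "total_ms": int(m.group("total")), "steps": steps}


def av_scan_report(parsed: Dict, scanners: List[str] = SCANNERS,
                   slow_pct: int = 50) -> List[Tuple[str, int, int, bool]]:
    """One (scanner, ms, percent, too_slow) row per AV-scan-N step, slowest first."""
    rows = []
    for name, ms, pct in parsed["steps"]:
        if name.startswith("AV-scan-"):
            idx = int(name.rsplit("-", 1)[1]) - 1
            label = scanners[idx] if idx < len(scanners) else name
            rows.append((label, ms, pct, pct >= slow_pct))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def av_share(parsed: Dict) -> float:
    """Fraction of the whole message's processing time spent inside AV scanners."""
    av_ms = sum(ms for name, ms, _ in parsed["steps"] if name.startswith("AV-scan-"))
    return av_ms / parsed["total_ms"]


if __name__ == "__main__":
    p = parse_timing(SAMPLE_LINE)
    for label, ms, pct, slow in av_scan_report(p):
        print(f"{label:32} {ms:5d} ms {pct:3d}%{'  <-- slow' if slow else ''}")
    print(f"AV scanning: {av_share(p):.0%} of {p['total_ms']} ms")
```

Run over a day's mail.log (one call to parse_timing per line, skipping the None results) this gives a per-scanner picture of where the 617 ms goes; on the sample line the three scanners account for roughly 80% of the total, with UVScan alone over half.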
