I use MailScanner to scan email for viruses, spam, phishing, malware and other attacks against security vulnerabilities. Under the hood, MailScanner uses ClamAV (clamd) for virus scanning and SpamAssassin for spam scanning.
MailWatch is the web UI front end for managing MailScanner. With it I can manage the quarantine and generate reports right in the web browser.
ClamAV
ClamAV can be loaded in three different modes. Here is the explanation:
clamscan: most expensive CPU-wise, but involves no extra setup. This just executes the clamscan command-line tool. This causes the signature database to be re-read for each object scanned and can be pretty CPU intensive compared to the others.
clamav module: less expensive than clamscan CPU-wise, but needs the Mail::ClamAV Perl module. This method loads a copy of the libclamav scanner library into MailScanner and keeps it resident, using it to perform scans without needing to re-read the signature libraries, etc. It can be somewhat touchy about which versions of Mail::ClamAV work with various versions of clamav.
clamd: less expensive than clamscan CPU-wise, but needs clamd running and is relatively new code. This causes MailScanner to connect to clamd’s socket and use that for scanning. Since clamd is already resident, there’s no need to re-read signatures. Since it’s using clamd, which comes with clamav, there are no real version-compatibility problems like with the module, at least in theory.
So I decided to run ClamAV as a daemon (clamd) for better performance.
ClamAV Installation
Install ClamAV:
yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
ClamAV needs unrar, which can be installed from the rpmforge repository:
cd /usr/local/src/
After installing unrar, I disabled the rpmforge repo:
sed -i 's/enabled = 1/enabled = 0/g' /etc/yum.repos.d/rpmforge.repo
freshclam
freshclam will update the virus signature database. To enable it and update:
sed -i -e 's/^Example/#Example/' /etc/freshclam.conf
Also edit /etc/sysconfig/freshclam and comment out this line:
#FRESHCLAM_DELAY=disabled-warn # REMOVE ME
MailScanner will call /usr/local/bin/freshclam to update the database, so make the proper link:
ln -s /usr/bin/freshclam /usr/local/bin/freshclam
clamd daemon
Enable clamd by editing /etc/clamd.d/scan.conf like this:
# Example
Create the log file:
touch /var/log/clamd.scan
Now enable and start the service:
systemctl enable clamd@scan
Test clamd service
I download the EICAR test file and send it to ClamAV:
# cd /tmp
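As an added example (not the post's own commands), the script below builds the EICAR test string locally instead of downloading it, hands the file to clamd through clamdscan --fdpass, and maps the exit status to a verdict. It assumes clamd@scan is running and the clamdscan client is on the PATH; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the clamd socket with
# the EICAR test file and interpret clamdscan's exit status.
# Assumptions: clamd@scan is running and the clamdscan client is installed.

# The EICAR string is assembled from two halves at run time (so this script
# is not itself a byte-for-byte copy of the test signature); joined, it is
# exactly 68 bytes and is detected by every ClamAV signature set.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Write the test file into a fresh private temp directory and print its path.
write_eicar_file() {
    dir=$(mktemp -d) || return 1
    eicar_string > "$dir/eicar.com"
    printf '%s\n' "$dir/eicar.com"
}

# clamdscan exit status: 0 = clean, 1 = virus found, anything else = scanner
# error (socket unreachable, permission denied, missing database, ...).
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one file through the running clamd. --fdpass passes an open file
# descriptor over the socket, so the clamscan user needs no read permission
# on the file itself (the same reason the post wraps clamdscan later on).
scan_with_clamd() {
    rc=0
    clamdscan --fdpass --no-summary "$1" >/dev/null 2>&1 || rc=$?
    scan_verdict "$rc"
}

# Stand-alone run: a healthy clamd with current signatures reports "infected".
if command -v clamdscan >/dev/null 2>&1; then
    f=$(write_eicar_file)
    printf 'clamd verdict for %s: %s\n' "$f" "$(scan_with_clamd "$f")"
    rm -rf "$(dirname "$f")"
fi
```

A verdict of error rather than infected usually means clamdscan and clamd disagree on the socket path, or clamd could not open the file; sort that out before pointing MailScanner at the daemon, because MailScanner treats a scanner error very differently from a detection.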
Spamassassin
Install SpamAssassin:
yum install spamassassin
Update the rule database:
sa-update
Enable and start SpamAssassin:
systemctl enable spamassassin
MailScanner
MailScanner works like this:
- As instructed, Postfix holds the mail upon receipt.
- MailScanner swoops in and scans the email in the hold queue.
- MailScanner re-queues the email and hands it back to Postfix.
- Postfix processes the email as necessary and delivers it to the recipient.
Install MailScanner
First stop and disable Postfix; from now on the MailScanner service will manage it.
systemctl stop postfix
Download MailScanner and install it:
cd /usr/local/src/
Start the installation. Answer Y to all questions except these three (they were taken care of in the previous steps):
Do you want to install a Mail Transfer Agent (MTA)?
Do you want to install or update Spamassassin?
Do you want to install or update Clam AV during this installation process?
MailScanner Configuration
Edit /etc/MailScanner/MailScanner.conf:
%org-name% = mydomain
Fix the permissions so that the clamscan group can write to the incoming directory:
chmod -R 770 /var/spool/MailScanner/incoming/
Edit /etc/MailScanner/spam.assassin.prefs.conf:
envelope_sender_header X-mydomain-MailScanner-From
Edit /etc/MailScanner/virus.scanners.conf:
clamd /bin/false /usr
clamd permission
When clamd scans emails, I want to pass --fdpass to it so it won’t have permission issues:
mv /usr/bin/clamdscan /usr/bin/clamdscan-cmd
Now create a new file /usr/bin/clamdscan:
#!/bin/bash
Make it executable:
chmod +x /usr/bin/clamdscan
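Here is an added example, not the post's script, of what such a wrapper can look like and how to confirm it behaves: the wrapper execs the renamed client (/usr/bin/clamdscan-cmd from the step above) with --fdpass prepended, and because it uses exec, MailScanner still receives the real client's output and exit status. The function parameters and the stub client used for the self-check are my own.

```shell
#!/bin/sh
# Added example (not the post's own /usr/bin/clamdscan): generate a wrapper
# that prepends --fdpass and execs the real clamdscan client. Paths are
# parameters so the function can be exercised safely in a temp directory.

write_fdpass_wrapper() {
    dest=$1   # wrapper location, e.g. /usr/bin/clamdscan
    real=$2   # the renamed real client, e.g. /usr/bin/clamdscan-cmd
    cat > "$dest" <<EOF
#!/bin/sh
# Pass an open file descriptor to clamd instead of a path, so the clamscan
# user does not need read access to the MailScanner incoming spool.
# exec keeps the real client's stdout and exit status for MailScanner.
exec "$real" --fdpass "\$@"
EOF
    chmod 0755 "$dest"
}

# Self-check: install the wrapper in a temp dir pointing at a stub "client"
# that just echoes its arguments, then call it the way MailScanner would.
# Prints the argument list the real client would have received, one per line.
wrapper_passes_args() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\nprintf "%%s\\n" "$@"\n' > "$tmp/clamdscan-cmd"
    chmod 0755 "$tmp/clamdscan-cmd"
    write_fdpass_wrapper "$tmp/clamdscan" "$tmp/clamdscan-cmd"
    "$tmp/clamdscan" --no-summary "/var/spool/MailScanner/incoming/12345/some file"
    rm -rf "$tmp"
}
```

The quoting matters: "$@" keeps a spool path containing spaces as a single argument, and exec (rather than calling the client and then exiting) means the exit code MailScanner parses is the scanner's own, not the wrapper's.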
Postfix hold queue
To let Postfix hold all mail for scanning, add this line at the bottom of /etc/postfix/header_checks:
/^Received:/ HOLD
Enable the header check in Postfix: edit /etc/postfix/main.cf and uncomment this line (line 548):
header_checks = regexp:/etc/postfix/header_checks
Check the MailScanner configuration for errors:
MailScanner --lint
Spamassassin Plugins
With plugins, SpamAssassin can detect spam and bulk email better using online resources.
First, I need to open some ports on iptables needed by DCC, Pyzor and Razor. Add these rules to /etc/sysconfig/iptables in the INPUT chain and reload iptables:
### razor DCC pyzor ###
Edit /etc/mail/spamassassin/mailscanner.cf:
# paths to utilities
Enable these plugins in SpamAssassin. Edit /etc/mail/spamassassin/v310.pre:
loadplugin Mail::SpamAssassin::Plugin::DCC
DCC
Install DCC:
yum install sendmail-milter
Test:
cdcc info
Pyzor
Add a line to /etc/mail/spamassassin/local.cf:
pyzor_options --homedir /etc/mail/spamassassin/.pyzor
Install Pyzor:
rpm -Uvh ftp://mirror.switch.ch/pool/4/mirror/fedora/linux/releases/22/Everything/x86_64/os/Packages/p/pyzor-0.5.0-10.fc21.noarch.rpm
Test:
spamassassin -t -D pyzor < /usr/share/doc/spamassassin-3.4.0/sample-spam.txt
Razor
mkdir /etc/mail/spamassassin/razor
Edit /etc/mail/spamassassin/razor/razor-agent.conf:
razorhome = /etc/mail/spamassassin/razor
Test Razor2:
spamassassin -t -D razor2 < /usr/share/doc/spamassassin-3.4.0/sample-spam.txt
Test
Check the MailScanner configuration again:
MailScanner --lint
Also check SpamAssassin:
spamassassin -D --lint
Now restart the services and check the maillog for errors:
systemctl restart clamd@scan
Now I can send some test spam emails and check the maillog to see whether they were caught. Here are some test sites:
http://www.emailsecuritycheck.net/
https://www.mail-tester.com/
MailWatch
Download the code:
cd /usr/local/src
MariaDB database
Create the database from the downloaded SQL file:
cd /usr/local/src/1.2.0
Create a DB user:
# mysql -uroot -p
Admin user
Create an admin user gao:
# mysql mailscanner -umailwatch -pMWpassword
Configure MailWatch
Move the mailscanner directory to the web server’s root:
cp -r /usr/local/src/1.2.0/mailscanner /var/www/html/.
Copy /var/www/html/mailscanner/conf.php.example to conf.php, then edit the database settings:
define('DB_TYPE', 'mysql');
Now stop MailScanner:
systemctl stop MailScanner
Edit /etc/MailScanner/MailScanner.conf:
Always Looked Up Last = &MailWatchLogging
Copy the Perl module to CustomFunctions:
cp /usr/local/src/1.2.0/MailScanner_perl_scripts/SQLBlackWhiteList.pm /usr/share/MailScanner/MailScanner/CustomFunctions/
Edit /usr/share/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm:
sub CreateList {
Edit /usr/share/MailScanner/MailScanner/CustomFunctions/MailWatch.pm:
# Modify this as necessary for your configuration
I also installed the Perl module Encoding::FixLatin from CPAN:
# cpan
Start MailScanner again and check /var/log/maillog for errors.
Nginx configuration
Create a new nginx virtual host configuration file /etc/nginx/conf.d/mailwatch.conf:
server {
Mail queue
Configure the mail queue directory:
chown -R postfix:nginx /var/spool/postfix/hold
Test
Restart Nginx:
systemctl restart nginx
Now it’s time to go to https://mailwatch.mydomain.com/
Log in as the admin user “gao” with password “mwpassword”.
Go to http://www.emailsecuritycheck.net/, send myself some spam and viruses, and check MailWatch to see the result.
SpamAssassin Bayes
SpamAssassin Bayes can try to identify spam (or ham) by learning tokens. Here I configure it with MailWatch installed.
Edit /etc/MailScanner/spam.assassin.prefs.conf:
bayes_path /etc/MailScanner/bayes/bayes
Create the ‘new’ bayes directory, make it owned by the same group as the web server user, and make the directory setgid:
mkdir /etc/MailScanner/bayes
Since I already have some spam in quarantine, I force an sa-learn run:
sa-learn --spam /var/spool/MailScanner/quarantine/20160420
After this I see a few files have been generated in the bayes home directory:
# ll /etc/MailScanner/bayes/
Test that Bayes works:
spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
You should see these lines:
Mar 11 21:20:27.020 [6494] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks
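The directory permissions are the part of this that most often goes wrong, so here is an added example (not from the post) that creates the shared Bayes directory with the setgid bit, reports its mode, and wraps the sa-learn calls with an explicit --dbpath. The group name and paths are parameters; nginx is assumed to be the web server group, as in the mail queue step above, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: set up the shared Bayes
# directory and train/inspect it with sa-learn. Paths and group are
# parameters; the web server group is assumed to be nginx as in the post.

# Create DIR owned by GROUP, group-writable and setgid (mode 2770), so files
# that MailScanner, sa-learn or the MailWatch web user create there inherit
# the group instead of becoming unreadable to the others.
setup_bayes_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
}

# Print the symbolic mode of DIR as ls shows it; "drwxrws---" is the goal
# (the "s" in the group triplet is the setgid bit).
bayes_dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Train from a quarantine directory. --dbpath names the database explicitly
# so the result does not depend on which prefs file sa-learn reads.
learn_spam_from() {
    sa-learn --dbpath "$1" --spam "$2"
}

# Dump the nspam/nham/ntoken counters so you can see the learning landed.
bayes_stats() {
    sa-learn --dbpath "$1" --dump magic
}

# Stand-alone run with the post's paths: only as root, with SpamAssassin
# installed and the quarantine directory from the post present.
if [ "$(id -u)" -eq 0 ] && command -v sa-learn >/dev/null 2>&1 \
   && [ -d /var/spool/MailScanner/quarantine/20160420 ]; then
    setup_bayes_dir /etc/MailScanner/bayes nginx
    bayes_dir_mode /etc/MailScanner/bayes
    learn_spam_from /etc/MailScanner/bayes/bayes /var/spool/MailScanner/quarantine/20160420
    bayes_stats /etc/MailScanner/bayes/bayes
fi
```

If bayes_dir_mode ever shows the setgid bit missing after a package update or a stray chmod, the symptom is the one the post's --lint output guards against: one of the two users can no longer open bayes_toks read/write and Bayes silently stops learning.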
It can also be verified in MailWatch under “Tools/Link” -> “Spamassassin Bayes Database Info”.
Now restart SpamAssassin and MailScanner and check the maillog.
Quick links:
- Part 1: LEMP
- Part 2: Postfix and Dovecot
- Part 3: MailScanner and MailWatch
- Part 4: SPF, DKIM and DMARC
- Part 5: Roundcube Webmail
- Part 6: Afterthoughts