Spam and Virus Controls with Postfix
31 August 2003—Updated 17 October 2003
This is an adaptation of our article on getting spam and virus controls into Exim. The methodology is pretty much the same, with the obvious exception of configuring the MTA.
As with Exim, you will need to first upgrade your installation of Perl to 5.8. You can grab this from Aaron Faby’s site. Download the Perl updater and double-click to install. It’s important to note, since this is an article aimed at Mac OS X Server 10.3, that Perl 5.8 is already installed in 10.3—so you won’t need to do this step. Also note that if you have Perl support enabled in Apache under Mac OS X Server 10.2.x, you must disable it, as Faby’s Perl 5.8 is not compatible with Apple’s supplied Perl modules.
Now that you have Perl installed, we can concentrate on getting the anti-virus part up and running. We’re going to use ClamAV, a free virus scanner that runs well on Mac OS X. However, you are free to use one of a number of command line virus scanners that the Amavis system supports.
Before we can get into downloading and compiling ClamAV, we need to create a user for clamav, the AV scanner. We’ll do this from the command line using niutil. You are more than welcome to do this through Workgroup Manager, or even the Accounts pane in System Preferences; just remember to make the password “*” so that no one can log into the system as this user.
sudo niutil -create . /users/clamav
sudo niutil -createprop . /users/clamav uid 26
sudo niutil -createprop . /users/clamav gid 26
sudo niutil -createprop . /users/clamav shell /bin/tcsh
sudo niutil -createprop . /users/clamav home /tmp
sudo niutil -createprop . /users/clamav passwd "*"
Now to finish up and add the group into which we put the clamav user:
sudo niutil -create . /groups/clamav
sudo niutil -createprop . /groups/clamav gid 26
Now you can download ClamAV and compile it. Version .60 was the latest at the time this article was written, but please check the site to see if it has been updated recently.
curl -O http://clamav.elektrapro.com/stable/clamav-0.60.tar.gz
gnutar -xzvf clamav-0.60.tar.gz
cd clamav-0.60
./configure
make
sudo make install
cd ..
If, after the ./configure step, you run into errors, try this:
sudo ranlib /usr/lib/libbz2.a
and then redo the ./configure step.
Now we need to put the clamav binaries somewhere that we can get to them easily. By default they are installed in /usr/local/bin/, but that isn’t in our path. So we’ll symlink them to /usr/bin.
sudo ln -s /usr/local/bin/clamscan /usr/bin/
sudo ln -s /usr/local/bin/freshclam /usr/bin/
rehash
Now for the moment of truth. Run the clamscan command against the folder that contains the ClamAV source. There’s a virus or five in there and if you’ve done everything correctly you will see them come up in the scan.
clamscan -r -l scan.txt clamav-0.60
Finally we can set up the log files that clamav needs and start up freshclam, which will download the latest virus files from the developer’s site twice a day.
sudo touch /var/log/clam-update.log
sudo chmod 644 /var/log/clam-update.log
sudo chown clamav /var/log/clam-update.log
sudo freshclam -d -c 2 -l /var/log/clam-update.log
Now you are done with ClamAV, so we can move on to the glue that gets the virus and spam utilities to play well with Postfix. Again, we’ll grab the latest version as of the writing of this article. Amavis is set up to act as a mini-SMTP server. Postfix will deliver the e-mail to Amavis, which will do the appropriate scans on it. Then Amavis will send the e-mail back to Postfix, which will then finish the delivery to the local user.
curl -O http://www.ijs.si/software/amavisd/amavisd-new-20030616-p2.tar.gz
gnutar -xzvf amavisd-new-20030616-p2.tar.gz
cd amavisd-new-20030616
There’s a little bit of trickiness in which we then need to engage. The “file” command in Linux behaves a little differently than the one in Mac OS X. Since Amavis is entirely comprised of Perl code, we can do a little bit of editing to add a small sed routine that makes file in Mac OS X output the same info that the command does on other systems. Note that the next command is all on one line. It reads in the amavisd file, makes the one change, and outputs it to a new file called amavisd.new.
sed 's/$file -b $filename/$file $filename \| sed -n "s\/\^\[[:alnum:]]\*:\/\/p" /' amavisd > amavisd.new
Now to overwrite the old with the new.
mv amavisd.new amavisd
Amavisd needs its config file and binaries in the right places and some space to work on the e-mail. So, being the nice admins that we are, we’ll do this.
sudo cp amavisd.conf /etc/
sudo chown root /etc/amavisd.conf
sudo chmod 644 /etc/amavisd.conf
sudo cp amavisd /usr/bin/
sudo chown root /usr/bin/amavisd
sudo chmod 755 /usr/bin/amavisd
sudo mkdir /var/amavis
sudo chown clamav:clamav /var/amavis
sudo chmod 750 /var/amavis
sudo mkdir /var/virusmails
sudo chown clamav:clamav /var/virusmails
sudo chmod 750 /var/virusmails
sudo touch /var/amavis/whitelist_sender
Before we can get it up and running we need to edit the amavisd config file. You can do this with vi, emacs, pico, TextEdit, etc.; pretty much whatever you want to. The file is /etc/amavisd.conf and you need to change the user and group that amavis runs as to “clamav”. You’ll also want to take a look at where the spam and virus notifications go. This file defines the spam and virus policies on your mail server. Let me say that again to make sure you understand. This file determines all of your spam and virus policies. As such you really should spend some time looking it over so that you don’t embarrass yourself later.
Now we need to get some Perl modules installed. CPAN makes this easy, but we will have to force one or two of them to go. I haven’t come across any problems with this in testing, but do keep an eye on things. Also, when you are installing these Perl modules you may run across dependencies that you don’t have installed yet. Please respond in the affirmative when it asks you if you want them installed too.
sudo perl -MCPAN -e shell
Now you are in the CPAN system. You will then type in the next three commands, which will install the modules.
install Archive::Tar Archive::Zip Compress::Zlib Convert::UUlib MIME::Base64 \
MIME::Parser Mail::Internet Net::Server Digest::MD5 IO::Stringy Time::HiRes \
Unix::Syslog Digest::SHA1 Mail::SpamAssassin
force install Convert::TNEF
force install Net::SMTP
If at any time you get asked about not having the required dependent modules, you should allow perl to add them to the list of things to install. This just makes sure that your kit is all ok. Finally, exit out of CPAN.
quit
Now a quick test to see if this all works. We’re going to switch to the “clamav” user and then start up amavisd in debug mode.
sudo su clamav
amavisd debug
If all works well you’ll see a lot of log information finished up with “Parent ready for children.” That lets you know that you are good to go. Leave this window open with amavisd running so we can do some testing with it in a bit.
Almost done; we just need to edit the Postfix files. If you don’t have Postfix up and running already, stop what you are doing and read through our articles on doing that. Otherwise you can continue and make changes to the two Postfix config files.
First you need to add the following line to /etc/postfix/main.cf; it will tell Postfix to run amavisd as a content filter before delivery.
content_filter=smtp-amavis:[127.0.0.1]:10024
Now add the following to /etc/postfix/master.cf:
smtp-amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes

127.0.0.1:10025 inet n - y - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
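The re-injection listener on port 10025 has its client, HELO and sender restrictions cleared, so it must stay bound to 127.0.0.1, keep mynetworks at 127.0.0.0/8, and clear content_filter so scanned mail is not handed back to amavisd. The script below is an added example, not part of the original article, that checks a master.cf for those three properties; the function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the amavisd re-injection listener in a master.cf.

# Print each service entry on one line (continuation lines start with
# whitespace); comments and blank lines are dropped.
join_entries() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         /^[ \t]/ { sub(/^[ \t]+/, ""); e = e " " $0; next }
         { if (e != "") print e; e = $0 }
         END { if (e != "") print e }' "$1"
}

# require OPTION MESSAGE: the entry must carry "-o OPTION" exactly.
require() {
    case "$entry " in
        *" -o $1 "*) ;;
        *) echo "FAIL $2"; n=$((n + 1)) ;;
    esac
}

# audit_reinject FILE PORT: print findings; exit status = number of problems.
audit_reinject() {
    entry=$(join_entries "$1" | awk -v p="$2" \
        '$2 == "inet" { k = split($1, a, ":"); if (a[k] == p) { print; exit } }')
    [ -n "$entry" ] || { echo "FAIL no inet listener on port $2"; return 1; }
    n=0
    case $entry in
        127.0.0.1:*) ;;
        *) echo "FAIL listener is not bound to 127.0.0.1"; n=$((n + 1)) ;;
    esac
    require "content_filter=" "content_filter not cleared, scanned mail would loop"
    require "mynetworks=127.0.0.0/8" "mynetworks not limited to 127.0.0.0/8"
    [ "$n" -eq 0 ] && echo "OK $entry"
    return "$n"
}

# Constructed sample: a listener on every interface without the overrides.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed master.cf fragment
10025 inet n - y - - smtpd
    -o local_recipient_maps=
    -o mynetworks=127.0.0.0/8,192.168.0.0/16
EOF
audit_reinject "$sample" 10025 || echo "problems found: $?"
rm -f "$sample"
```

Run it against the real file with audit_reinject /etc/postfix/master.cf 10025 after editing.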
Whew, pretty much there. Now just to start everything up.
First fire off Postfix.
sudo postfix start
Then if you don’t still have the amavisd window up and running, you can run amavisd in the background:
su clamav -c amavisd
Now put some mail through Postfix. Perhaps some e-mails from support@microsoft.com that you may have received recently. Or maybe some offers from kind souls in Africa that found you through the Internet and think you can help them with their million dollar problems.
If you see the spam and viruses being stopped, things are going well. Take a look again at the amavisd config file and make sure the settings are what you want.
If you want all of this to get started at boot you’ll need to set a startup item for ClamAV and Amavis. You can either add these two commands to an existing startup item or roll your own.
su clamav -c amavisd
freshclam -d -c 2 -l /var/log/clam-update.log