Updated Spam/Virus controls for OS X Server
These instructions have been successfully followed and tested on the following OSXS Versions10.2.6, 10.2.8, 10.3.0, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.4-DEV
With so many Articles out there, it's hard to find one that contains all of the instructions required to do an install without problems so I have put this together in the hopes that it makes the installation as easy and painless as possible.
This is an updated version of Joel's Article and was used as the starting point for what I hope includes all of the required installation instructions and related information.
Updated 12/20/2004
The use of fink to install modules and libraries has not been considered due the non-canonical locations that software is stored.
These instructions work if they are followed as described, the author warrants no merchantability or fitness for a particular purpose and is not meant to be educational material for those who do not understand the instructions as they are provided.
- - Introduction and Prerequisites
- - Getting the archives
- - Unpacking the archives
- - Building BerkeleyDB
- - Building gmp
- - Building ClamAV
- - Installing amavisd-new with SpamAssassin
- - Installing the Startup Item
- - (Optional) Installing the Log Roll Item
- - Introduction and Prerequisites
- - Getting the archives
- - Unpacking the archives
- - Building BerkeleyDB
- - Building gmp
- - Building ClamAV
- - Installing amavisd-new with SpamAssassin
- - Installing the Startup Item
- - (Optional) Installing the Log Roll Item
This article covers using amavisd to provide spam and virus controls to Postfix. This method will provide server-wide spam and virus filters for all incoming and outgoing mail. It's a very robust system and can be easily configured to provide a number of different site-specific options for your users. However, combating unwanted e-mail is an ongoing war and not just a single engagement. This article will describe a good beginning to a full-featured mail system, but you should not stop here.
This process works as a content filter for postfix. This means that Postfix will receive the e-mail and then pass it off, using an SMTP connection to port 10024 on the local machine, to amavisd before doing any actual processing of it. Amavisd will then run the mail through ClamAV, for virus detection, and then SpamAssassin, for spam detection. If the e-mail passes both sets of tests amavisd will then return the e-mail to Postfix by using an SMTP connection to port 10025 on the local machine. At this point Postfix will then deliver the mail to the POP/IMAP server that you are using.
If you are using OS X 10.2 you'll need to first upgrade your installation of Perl to 5.8 or higher.
I opted to build Perl from source just to see what was involved and it's a fairly complex install so I wont be going into details on it's install process.
If you don't want to build Perl from source, you can grab an installer from Aron Faby's site at
http://www.serverlogistics.com/downloads-jag.php#perl.Also note that if you have Perl support enabled in Apache under Mac OS X Server 10.2.x, you must disable it, as Faby’s Perl 5.8 is not compatible with Apple’s supplied Perl modules.
Download the Perl updater and double-click to install.
Examine the Macintosh.tar.gz tarball included with amavisd-new and ClamAV for updated files and installation instruction, these files will be updated to correspond with it's released version as required.
The files included in the Macintosh tarball provide a way to start the service without logging in as well as a way to manually start, stop and reload the service and include a 'log-rolling' option that is easy to implement.
Setting up the user/group. (10.3.x can use method a or b)
a).
% sudo dscl localhost -create /NetInfo/root/Groups/mailtransport
% sudo dscl localhost -create /NetInfo/root/Groups/mailtransport gid 30
% sudo dscl localhost -create /NetInfo/root/Users/mailtransport
% sudo dscl localhost -create /NetInfo/root/Users/mailtransport uid 30
% sudo dscl localhost -create /NetInfo/root/Users/mailtransport gid 30
% sudo dscl localhost -create /NetInfo/root/Users/mailtransport shell /bin/tcsh
% sudo dscl localhost -create /NetInfo/root/Users/mailtransport home /tmp
% sudo dscl localhost -create /NetInfo/root/Users/mailtransport passwd "*"b). (10.2.x only)
% sudo niutil -create . /groups/mailtransport
% sudo niutil -createprop . /groups/mailtransport gid 30
% sudo niutil -create . /users/mailtransport
% sudo niutil -createprop . /users/mailtransport uid 30
% sudo niutil -createprop . /users/mailtransport gid 30
% sudo niutil -createprop . /users/mailtransport shell /bin/tcsh
% sudo niutil -createprop . /users/mailtransport home /tmp
% sudo niutil -createprop . /users/mailtransport passwd "*"Setting up the folders.
% sudo mkdir /var/amavis
% sudo mkdir /var/amavis/tmp
% sudo mkdir /var/amavis/db
% sudo chown -R mailtransport:mailtransport /var/amavis
% sudo chmod -R 750 /var/amavis
% sudo mkdir /var/virusmails
% sudo chown mailtransport:mailtransport /var/virusmails
% sudo chmod 750 /var/virusmails
% sudo touch /var/amavis/whitelist_sender
% sudo mkdir /var/clamav
% sudo chown mailtransport:mailtransport /var/clamav
% sudo chmod 0750 /var/clamav
% sudo mkdir /var/log/mailtransport
% sudo touch /var/log/mailtransport/clamd.log
% sudo touch /var/log/mailtransport/freshclam.log
% sudo chmod 0644 /var/log/mailtransport/clamd.log
% sudo chmod 0644 /var/log/mailtransport/freshclam.log
% sudo chown mailtransport /var/log/mailtransport/clamd.log
% sudo chown mailtransport /var/log/mailtransport/freshclam.logDownload amavisd-new, ClamAV, db (BerkeleyDB), gmp.
The official URLs for these libraries are:
amavisd-new
http://www.ijs.si/software/amavisd/
ClamAV
http://sourceforge.net/projects/clamav/
BerkeleyDB
http://www.sleepycat.com/download/db/
gmp
ftp://ftp.gnu.org/gnu/gmp/
You can choose to download either Gzipped (.gz or .tgz extensions) or Bzipped (.bz2 extension) archives, since the latter are smaller. In any case, I advise to locally compute and compare MD5 checksums, if the distribution home lists them. You do that by executing:
% md5 <filename>With all archives in the same directory, do:
% ls *.gz | xargs -n 1 tar zxvf(I know, xargs is evil). If you downloaded any Bzipped archives, do:
% ls *.bz2 | xargs -n 1 tar jxvf(when done it would be helpful to reduce the folder names without the version numbers)
ex.
% mv ./clamav-0.80 ./clamavNow for a little cleanup.
% sudo rm -r *.gzDon't install BerkeleyDB using an installer package, build it from source using the following instructions
% cd ../db/build_unix
% ../dist/configure --prefix=/usr --mandir=/usr/share/man --sysconfdir=/etc
% make; sudo make install
% cd ../% cd ../gmp
% ./configure --prefix=/usr --mandir=/usr/share/man --sysconfdir=/etc --enable-devel
% make; sudo make install% cd ../clamav
% ./configure --prefix=/usr --mandir=/usr/share/man --sysconfdir=/etc --enable-bigstack --with-user=mailtransport --with-group=mailtransport
% make; sudo make installOpen
/etc/freshclam.conf and make the following changes.("Example" is an actual line to be deleted or commented out)
# Example
UpdateLogFile /var/log/mailtransport/freshclam.log
LogVerbose
PidFile /var/clamav/freshclam.pid
DatabaseOwner mailtransport
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 5
Checks 24Open
/etc/clamd.conf and make the following changes.("Example" is an actual line to be deleted or commented out)
# Example
LogTime
LogFile /var/log/mailtransport/clamd.log
LogVerbose
PidFile /var/clamav/clamd.pid
LocalSocket /var/clamav/clamd.sock
MaxThreads 20
SelfCheck 1800
User mailtransport% cd ../amavisdNext we need to move the files to their working locations.
% sudo cp amavisd.conf-sample /etc/amavisd.conf/
% sudo chown root /etc/amavisd.conf
% sudo chmod 644 /etc/amavisd.conf
% sudo cp amavisd /usr/bin/
% sudo chown root /usr/bin/amavisd
% sudo chmod 755 /usr/bin/amavisdNow we need to get some perl modules installed. CPAN makes this easy, but we will have to force one or two of them to go. I haven't come across any problems with this in testing, but do keep an eye on things. Also, when you are installing these perl modules you may run across dependencies that you don't have installed yet. Please respond in the affirmative when it asks you if you want them installed too.
% sudo perl -MCPAN -e shellNow you are in the CPAN system. You will then type in the next four commands which will install the modules. Some of these modules may ask if you want to install the dependencies., say
"yes" to this.cpan> install Archive::Tar Archive::Zip BerkeleyDB Compress::Zlib Convert::UUlib Digest::MD5
cpan> install IO::Stringy Mail::ClamAV Mail::Internet Mail::SpamAssassin MIME::Base64 MIME::Parser
cpan> install Net::SMTP Net::Server Time::HiRes Unix::Syslog Digest::SHA1
cpan> force install Convert::TNEF Net::SMTPFinally exit out of CPAN.
cpan> quitIf you experience problems building any of the perl modules, you probably have CPAN configured to not follow dependancies and any module that requires another module to be installed will fail to install, reconfigure your perl to prompt for dependent modules rather than ignore them.
You now need to edit your amavisd config file. You can find it at
/etc/amavisd.conf. This file contains a huge number of options that will pretty much determine your spam and virus policies for your server. You should familiarize yourself with this file so that you get the desired results from this system. It's rather well commented so you shouldn't need to mess with it too much. Although there are a few directives that you will need to change before you are able to launch amavisd.In Section I you'll need to change
$MYHOME to "/var/amavis"$mydomain to your main e-mail domain.$myhostname to your FQDN.$daemon_user should be set to "mailtransport"$daemon_group should be set to "mailtransport"$pid_file to "$MYHOME/amavisd.pid"$lock_file to "$MYHOME/amavisd.lock"$unix_socketname to "$MYHOME/amavisd.sock"Section II and III you can leave alone.
Section IV will require you to make some decisions. This section determines what happens when an e-mail is determined to be a spam or virus e-mail. Here you can specify the notification templates for what your bounce messages say. More importantly you an determine what you'll do with spam and virus e-mails.
The final destiny variables are what you are interested in here. By default amavisd will bounce all spam back to the sender. You may find that this clogs up your mail system attempting to be nice to spammers. If that's the case you can set this to
D_DISCARD which will effectively delete the mail in question.You will also want to set your
$virus_admin and $spam_admin settings where the respective notifications will be sent.The quarantine settings allow you to specify where the spam and virus e-mails will be stored. If you are interested in keeping the e-mails you can direct them to an e-mail address or folder, otherwise you can set these to "
undef" which will delete the mails. If you do keep them, make sure you clean the folder out on a regular basis or else you'll fill your drive up.Section V sets up white and black lists for amavis. Use these to add in any domains that you know are good or bad.
Section VI you can leave alone.
Section VII is where you specify when e-mail is tagged as spam. The sa_tag levels determine when to quarantine spam mails and when to kill them. Also in this section you'll want to uncomment and ammend the clamd section to look something like this when done:
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}n", "/var/clamav/clamd.sock"],
qr/bOK$/, qr/bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],Section VIII and IX you can leave alone.
Now we can edit the Postfix files, first you need to add the following lines to /etc/postfix/main.cf it will tell Postfix to run amavisd as a content filter before delivery.
Once these changes have been made you can save and close this file. Now add the following to /etc/postfix/master.cf:# ===================================================== # amavis-new/ClamAV # ===================================================== # content_filter=smtp-mailtransport:[127.0.0.1]:10024
# # ===================================================== # amavis-new/ClamAV # ===================================================== # smtp-mailtransport unix - - y - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes 127.0.0.1:10025 inet n - y - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o receive_override_options=no_header_body_checks
Once these changes have been made you can save and close this file.
Move the
"MAILTRANSPORT" folder to "/System/Library/StartupItems/".% sudo mv MAILTRANSPORT /System/Library/StartupItems/
% sudo chown root:admin /System/Library/StartupItems/MAILTRANSPORT/*
% sudo chmod 0755 /System/Library/StartupItems/MAILTRANSPORT/MAILTRANSPORTNote: You can also place the folder in
/Library/StartupItems/Open
/etc/hostconfig with an editor and insert the following line:"MAILTRANSPORT=-YES-"With the flag set to
"-YES-", the service will be enabled at startup.If you wish to disable auto startup at any time, set
"MAILTRANSPORT=-NO-" in /private/etc/hostconfig and it will disable this service and prevent manually starting it.With the service enabled, you can start, stop and reload the service manually at any time from terminal with one of the following commands:
% sudo SystemStarter start "MAILTRANSPORT"
% sudo SystemStarter stop "MAILTRANSPORT"
% sudo SystemStarter restart "MAILTRANSPORT"A safety has been built in preventing you from starting the service if you have disabled it in the
/private/etc/hostconfig file.First we move the mailtransport folder to the periodic folder and create some files.
% cd logroll
% sudo touch /var/log/mailtransport/amavis.log
% sudo chmod 0644 /var/log/mailtransport/amavis.log
% sudo chown mailtransport /var/log/mailtransport/amavis.log
% sudo mv ./mailtransport /etc/periodic/
% chmod 0755 /etc/periodic/mailtransport
% chmod 0755 /etc/periodic/mailtransport/*
% chown root:wheel /etc/periodic/mailtransport
% chown root:wheel /etc/periodic/mailtransport/*Using your favorite editor, edit /etc/crontab and add the following entry:
30 4 * * 0 root periodic mailtransportNext, we need to create a link to this file for periodic to access it with.
% cd /etc
% sudo ln -s periodic/mailtransport/500.mailtransport mailtransport
% sudo touch /var/log/mailtransport/amavis.logMake the following changes to amavisd.conf:
$LOGFILE to "/var/log/mailtransport/amavis.log"$DO_SYSLOG to 0Finally, we need to add our entry into the periodic config file located
at /etc/default/periodic.conf using your favorite editor.
# mailtransport options
# These options are used by periodic(8) itself to determine what to do
# with the output of the sub-programs that are run, and where to send
# that output.
#
mailtransport_output="/var/log/mailtransport.out" # user or /file
mailtransport_show_success="YES" # scripts returning 0
mailtransport_show_info="YES" # scripts returning 1
mailtransport_show_badconfig="NO" # scripts returning 2This step is not required but I like to be able to see my available options so I have also edited
/usr/share/man/man8/periodic.8 and /usr/share/man/cat8/periodic.8.gz to include my added routines.To edit the periodic.8.gz you must first unpack it, I recommend you use BBEdit to edit the file since it has an option to show invisible characters and this file is riddled with them.
After you have made your additions to this file, repack it (gz) and place it back in the
/usr/share/man/cat8 folder and your done.(It will roll the logs once a week and retain the 8 previous weeks of the logs.)
The grand finally is to start the service and restart postfix.
% sudo SystemStarter start "MAILTRANSPORT"
% sudo postfix reloadNOTE:
Additional patch files may be included in the Macintosh archive 'Macintosh.tar.gz' for advanced/modified features, please see included 'README' for related information.