Antivirus and Antispam setup with Exim4
Posted by anurag on Wed 21 Mar 2007 at 12:04
Last week, due to disk failure, we had to reinstall a server. This old workhorse has been serving numerous domains for the past 4 years and needed urgent maintenance. I made sure that I noted all the steps involved in implementing an Antispam & Antivirus filtering capable mail server when setting it up from scratch, and this article is the result.
Install Debian 'Sarge'
1. Get Debian GNU/Linux 3.1 'Sarge'
Of course, first of all get Debian 'Sarge' running on the server. Everything detailed here also works with 'Woody', but 'Sarge' is recommended, and Etch will soon replace it.
Additional Packages
2. Install the following packages from the Debian repositories via apt-get:
# apt-get install exim4-daemon-heavy
# apt-get install clamav-daemon
# apt-get install sa-exim
# apt-get install spamassassin spamc
After the packages have been installed, we need to make changes to the configuration files.
Spamassassin Configuration
3. /etc/default/spamassassin: change the ENABLED parameter to:
ENABLED=1
Exim's group configuration
4. /etc/group: add the clamav user to the Debian-exim group. This allows clamav-daemon to read and write the directories owned by Exim4: Exim4 demimes the attachments, stores them in a temporary directory and asks clamav-daemon to scan them.
Debian-exim:x:102:clamav
SA-Exim configuration
5. /etc/exim4/sa-exim.conf Locate these lines:
###
SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}
#Remove or comment out the following line to enable sa-exim
SAEximRunCond: 0
###
Then change SAEximRunCond to:
SAEximRunCond: 1
Exim4 Configuration files
6. Configuring Exim4's configuration files.
Make sure that Exim4 is using "split" configuration files (i.e. multiple files inside /etc/exim4/conf.d/*; that is dc_use_split_config='true' in /etc/exim4/update-exim4.conf.conf). Now locate the following configuration files and make the changes described below.
Customising reject messages in Exim4
7. /etc/exim4/conf.d/acl/40_exim4-config_check_data
At the end of the file, just before the final "accept" statement, add the following lines:
# Deny viruses.
deny
  message = Message contains malware or a virus ($malware_name).
  log_message = $sender_host_address tried sending $malware_name
  demime = *
  malware = *
Clamav configuration for Exim4
8. /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
Near the start of the file, add this line:
av_scanner = clamd:/var/run/clamav/clamd.ctl
Restart Exim4
9. Restart the Exim4 daemon
# /etc/init.d/exim4 restart
Keep a watch on Exim4's log files, especially "paniclog", as it processes mail. The error messages are pretty much self-explanatory and you should be able to fix them.
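The following script is an added example and not part of the original article: it applies steps 3 to 8 to configuration files passed in as arguments and verifies each edit, so the changes can be rehearsed on copies of the files before the real ones under /etc are touched. The function names and the "apply" mode are this example's own; the paths and settings are the ones the article gives.

```sh
#!/bin/sh
# Added example, not part of the original article: apply steps 3 to 8 to
# configuration files given as arguments and verify each change. Function
# and variable names are this example's own.
set -eu

# Step 3: /etc/default/spamassassin, ENABLED=0 -> ENABLED=1
enable_spamassassin() {
    f=$1
    sed 's/^ENABLED=.*/ENABLED=1/' "$f" > "$f.new" && mv "$f.new" "$f"
    grep -qx 'ENABLED=1' "$f"
}

# Step 4: /etc/group must list clamav as a member of Debian-exim
check_group() {
    grep -E '^Debian-exim:[^:]*:[0-9]+:([^,]+,)*clamav(,|$)' "$1" > /dev/null
}

# Step 5: /etc/exim4/sa-exim.conf, the trailing "SAEximRunCond: 0" override
# disables sa-exim; flip only that line and leave the conditional above it.
enable_sa_exim() {
    f=$1
    sed 's/^SAEximRunCond: 0$/SAEximRunCond: 1/' "$f" > "$f.new" && mv "$f.new" "$f"
    ! grep -qx 'SAEximRunCond: 0' "$f"
}

# Step 8: main/01_exim4-config_listmacrosdefs, prepend av_scanner once
set_av_scanner() {
    f=$1; sock=${2:-/var/run/clamav/clamd.ctl}
    if ! grep -q '^av_scanner' "$f"; then
        { printf 'av_scanner = clamd:%s\n' "$sock"; cat "$f"; } > "$f.new" && mv "$f.new" "$f"
    fi
    grep -qx "av_scanner = clamd:$sock" "$f"
}

# Step 7: acl/40_exim4-config_check_data, insert the deny block before the
# final "accept" (which must stay last). Running it again is a no-op.
add_malware_acl() {
    f=$1
    grep -q 'malware = \*' "$f" && return 0
    awk '
        { line[NR] = $0 }
        END {
            last = 0
            for (i = 1; i <= NR; i++) if (line[i] ~ /^[ \t]*accept/) last = i
            for (i = 1; i <= NR; i++) {
                if (i == last) {
                    print "  # Deny viruses."
                    print "  deny"
                    print "    message = Message contains malware or a virus ($malware_name)."
                    print "    log_message = $sender_host_address tried sending $malware_name"
                    print "    demime = *"
                    print "    malware = *"
                    print ""
                }
                print line[i]
            }
        }' "$f" > "$f.new" && mv "$f.new" "$f"
    grep -q '^    malware = \*' "$f"
}

# With "apply" as the only argument, edit the real Debian paths (as root,
# after installing the packages from step 2), then rebuild and syntax-check
# the Exim configuration before restarting the daemon (step 9).
if [ "${1:-}" = apply ]; then
    enable_spamassassin /etc/default/spamassassin
    check_group /etc/group || { echo 'clamav is not in group Debian-exim' >&2; exit 1; }
    enable_sa_exim /etc/exim4/sa-exim.conf
    add_malware_acl /etc/exim4/conf.d/acl/40_exim4-config_check_data
    set_av_scanner /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
    update-exim4.conf && exim4 -bV && /etc/init.d/exim4 restart
fi
```

Each function checks its own result, so a file that does not look like the Debian default (for instance a check_data ACL without a final accept) makes the script stop instead of leaving a half-edited configuration; exim4 -bV then catches syntax errors before the restart.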
best luck, Anurag
What does sa-exim do that a "spam =" ACL doesn't?
While I am no expert in writing Exim ACLs, sa-exim sure is very useful if you want to analyse mails for spam and reject them at SMTP time, teergrubing and adaptive greylisting. Of course, here I haven't made any changes to the default sa-exim configuration.
--
Anurag
About the group configuration, you of course may add the user to the group by:
root# adduser clamav Debian-exim
Bye,
Luke
It's in sarge too now!
Nicolas BOUTHORS
http://www.nbi.fr/
Ideally I'd like to have all mail and user information stored in a Postgresql database, together with preferences regarding spam and virus checking.
I started reading the exim documentation, which btw is very well written, but there is just so much of it that I always give up after reading a couple of pages. Also I have found no HowTo anywhere that covers the exact setup I'm after. Maybe someone can point me in the right direction?
In my attempt to set up a spam-filtering virtual mail hosting setup, I did some fiddling around with Postfix (in which setting up virtual domains is a breeze!) and MySQL. I'm waiting to do another virtual hosting mail server installation somewhere, and document the exact procedures involved in it.
--
Anurag
> database, together with preferences regarding spam and virus checking.
Do you mean storing the emails themselves in a database, or just storing the "mail information"? I do both. To store the emails the best known application is dbmail; if you're very brave you could try my own effort, Decimail.
It is possible to run arbitrary PostgreSQL queries from exim. For example, I have a PostgreSQL table that lists local addresses that should be discarded (e.g. throw away addresses that I have used once and will now receive only spam) and others that should be heavily filtered. You could probably do something similar to set per-local-user filtering options. In my exim configuration file I access these tables like so:
pgsql_servers = localhost::6789/nameofdatabase/nameofdbuser/

addresslist filter_recipients = pgsql;select email from filter_recipients where \
                                email='${quote_pgsql:${local_part}@${domain}}'
addresslist spam_recipients = pgsql;select email from spam_recipients where \
                              email='${quote_pgsql:${local_part}@${domain}}'

acl_check_rcpt:
  ...
  deny ... recipients = +spam_recipients
  warn .... recipients = +filter_recipients
       set acl_m0 = 1

acl_check_data:
  ....
  accept condition = ${if def:acl_m0 {0}{1}}
  drop message = Rejected by SpamAssassin (score=$spam_score)
       spam = nobody:true
       condition = ${if >{$spam_score_int}{60}{1}{0}}
> I started reading the exim documentation, which btw is very well written, but
> there is just so much of it that I always give up after reading a couple of
> pages.
Yes, I know the feeling. The reference is very comprehensive, but it could do with some more tutorial or quick-start stuff, with links into the reference manual for further information. There is an Exim O'Reilly book; maybe that would be a good start? Otherwise, try the mailing list; they have been friendly on the couple of occasions that I have asked questions.
Phil.
I've had a look at both Decimail and dbmail, and in the end decided to go for dbmail, because I felt not that brave after all.
I just ended up reading the most important sections of the exim documentation and followed bits and bobs from the dbmail site and now have a working configuration, which uses exim (SSL for smtp) + dbmail + postgresql + stunnel (secure POP3) + clamav + spamassassin.
There are definitely ways to improve my spamassassin configuration within exim, and I'm sure the exim configuration can be further tweaked too, but I'll leave it to rest for now.
Hopefully I'll find some time to put all my notes together to help other people with similar demands, but it will be a rather lengthy howto.
Thanks for pointing me in the right direction, and sorry for the late reply!
Ference
/etc/exim4/conf.d/acl/40_exim4-config_check_data. You should try to use the hooks provided.
# This hook allows you to hook in your own ACLs without having to
# modify this file. If you do it like we suggest, you'll end up with
# a small performance penalty since there is an additional file being
# accessed. This doesn't happen if you leave the macro unset.
.ifdef CHECK_DATA_LOCAL_ACL_FILE
.include CHECK_DATA_LOCAL_ACL_FILE
.endif
I have /etc/exim4/conf.d/main/00_my_custom_macros (which is a symbolic link to a file located outside of /etc/exim4/conf.d). I did this because upgrading exim4 can be a real pain in the ass. If you modify the true exim4 configs you will be prompted at each upgrade what to do. This has caused me major headaches in the past.
The way I get around this is by putting all my custom changes for exim4 into /etc/exim4/custom-cfg. In that directory I recreate the structure of /etc/exim4/conf.d.
mkdir /etc/exim4/custom-cfg
cd /etc/exim4/custom-cfg
mkdir acl auth main router transport
Now I can do all my own stuff without touching the files under /etc/exim4/conf.d. I just create symbolic links back to the right places. The numbering of the files is used when update-exim4.conf --keepcomments is run (I like seeing the comments since it helps debug things). The generated config is located at /var/lib/exim4/config.autogenerated, by the way.
So back to my example of how I would have done things using a /etc/exim4/conf.d/main/00_my_custom_macros file.
ln -s /etc/exim4/custom-cfg/main/my_custom_macros\
/etc/exim4/conf.d/main/00_my_custom_macros
Inside the /etc/exim4/custom-cfg/my_custom_macros file for example I have the hook I want to modify/add.
CHECK_DATA_LOCAL_ACL_FILE = CONFDIR/custom-cfg/acl/check_data_local
My personal /etc/exim4/custom-cfg/acl/check_data_local file is full of crap that I didn't want to keep repairing each time I did an apt-get upgrade. For that matter I have multiple files that I created symbolic links to.
You can do this for a lot of items that you are constantly fixing after an upgrade. Take for example /etc/exim4/conf.d/auth/30_exim4-config_examples: to enable SSL support you will have to modify it, or trust your old config when it's time to apt-get upgrade. Instead, create another file with a higher number and it will be added to the config in the right place.
/etc/exim4/conf.d/auth/40_my_ssl_auth_config.
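The following script is an added example and not the commenter's own code: it builds the custom-cfg layout described in the comment above (the directory tree mirroring conf.d, the macro file defining CHECK_DATA_LOCAL_ACL_FILE, the local DATA ACL it points at, and the 00_ symlink into conf.d) under a root directory given as its first argument, so the layout can be tried in a scratch directory before it is created under /etc/exim4. The file names come from the comment; the contents of the local ACL file and the function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not the commenter's script: create the custom-cfg layout
# under "$1" (use / for the real system). Names other than those in the
# comment are this example's own.
set -eu

make_custom_layout() {
    root=${1%/}
    etc="$root/etc/exim4"
    custom="$etc/custom-cfg"
    for d in acl auth main router transport; do
        mkdir -p "$custom/$d" "$etc/conf.d/$d"
    done

    # Macro file, linked in as 00_ so CHECK_DATA_LOCAL_ACL_FILE is defined
    # before acl/40_exim4-config_check_data tries to include it.
    cat > "$custom/main/my_custom_macros" <<'EOF'
# Local macros; the packaged files under conf.d stay untouched.
CHECK_DATA_LOCAL_ACL_FILE = CONFDIR/custom-cfg/acl/check_data_local
EOF

    # Local DATA ACL pulled in by the hook (placeholder content, assumed here;
    # site-specific rules such as the malware deny would go in this file).
    cat > "$custom/acl/check_data_local" <<'EOF'
# Included through the CHECK_DATA_LOCAL_ACL_FILE hook.
warn
  add_header = X-Local-ACL: check_data_local
EOF

    # Symlink into conf.d; -f makes the call safe to repeat after an upgrade.
    ln -sf "$custom/main/my_custom_macros" "$etc/conf.d/main/00_my_custom_macros"
}

# Confirm the link resolves and the macro points at an existing ACL file.
verify_custom_layout() {
    etc="${1%/}/etc/exim4"
    link="$etc/conf.d/main/00_my_custom_macros"
    [ -L "$link" ] && [ -f "$link" ] &&
    grep -q '^CHECK_DATA_LOCAL_ACL_FILE = CONFDIR/custom-cfg/acl/check_data_local$' "$link" &&
    [ -f "$etc/custom-cfg/acl/check_data_local" ]
}

if [ -n "${1:-}" ]; then
    make_custom_layout "$1"
    verify_custom_layout "$1"
    # On the real system, regenerate and syntax-check the configuration:
    #   update-exim4.conf --keepcomments && exim4 -bV
fi
```

Because the linked file lives outside conf.d, dpkg never sees a modified conffile, so an apt-get upgrade of exim4-config no longer prompts about it; the hook itself is only evaluated when the macro is defined, which is why the 00_ ordering matters.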