Secure Spam/Virus filtering system with Debian and MailScanner

Posted by ugob on Wed 29 Jun 2005 at 20:46

Despite the fact that I have more experience with RedHat, I configured a Spam/Virus filtering system on Debian recently and I thought I should share some knowledge with the community.

My package of choice is MailScanner (and its friends) and I thought I could offer some guidance to people who whish to configure a similar system. MailScanner is a very powerful, scalable and robust, open-source e-mail security package. It processes more than 500 million e-mail messages every day, and is used in more than 20,000 sites around the world.

MailScanner scans all e-mail for viruses, spam and attacks against security vulnerabilities. It is not tied to any particular virus scanner, but can be used with any combination of 14 different virus scanners, allowing sites to choose the "best of breed" virus scanner. (http://www.mailscanner.info)

I'll base this article on Sarge, as it was just released and include a rather recent version of the tools we need. The server was running Postfix, so this is the MTA I'll use here as well.

The first thing to do is to make sure your system is up to date, using apt or aptitude. Then, the fun begins:

• Make sure your MTA (postfix) is configured properly for your needs
• Stop the MTA (/etc/init.d/postfix stop)
• Install the packages:
  • aptitude install mailscanner clamav dcc-client pyzor razor spamassassin
• Answer the questions the best you can. It shouldn't be too hard and you can always re-configure those settings later if needed
• Install bitdefender (free)
  • wget ftp://ftp.bitdefender.com/pub/linux/free/bitdefender-console/en/BitDefender-Console-Antivirus-7.0.1-3.linux-gcc3x.i586.deb
  • dpkg -i BitDefender-Console-Antivirus-7.0.1-3.linux-gcc3x.i586.deb
• Run 'freshclam' to update the virus definition for clamav.
• Run 'bdc --update' to update the virus definitions for bitdefender
• Run 'pyzor discover' and 'razor-client discover' to update pyzor's and razor's servers list
• A few tricks are needed since we're using postfix as MTA:
  • mkdir /var/spool/MailScanner/spamassassin
  • chown postfix:postfix /var/spool/MailScanner/spamassassin
  • chown postfix:postfix /var/spool/MailScanner/spamassassin
• Make a copy of your MailScanner.conf file
  • cd /etc/MailScanner
  • cp MailScanner.conf MailScanner.conf.dist
• Edit your MailScanner.conf file to make sure you set those parameters:
  • Run As User = postfix
  • Run As Group = postfix
  • Incoming Queue Dir = /var/spool/postfix/hold
  • Outgoing Queue Dir = /var/spool/postfix/incoming
  • MTA = postfix
  • Virus Scanners = clamav bitdefender
• Make a copy of your main.cf file
  • cd /etc/postfix/
  • cp main.cf main.cf.dist
• Edit your main.cf to add this line
  • header_checks = regexp:/etc/postfix/header_checks
• Create a file /etc/postfix/header_checks with only this in it:
  • /^Received:/ HOLD

For the curious, this tells postfix to accept incoming mail and put it in the hold queue. Then, MailScanner takes the messages there, process them, and then put it back into the incoming queue, so that postfix can deliver them to the recipients .

• In the file /etc/default/mailscanner, make sure this parameter is at 1:
  • run_mailscanner=1
• You can now start the system
  • /etc/init.d/mailscanner start
  • /etc/init.d/postfix start
• Check your logs for errors 'tail -f /var/log/mail.log'
• You can now configure MailScanner by editing /etc/MailScanner/MailScanner.conf
• Want stats? The simplest reporting packages to install on Sarge is Vispan - http://www.while.homeunix.net/

There, you now have a mail filtering system. Every e-mail is scanned by 2 virus engines, by MailScanner for HTML and other vulnerabilities, and by SpamAssassin to filter out spam.

Is it finished yet?

Not really. MailScanner is very powerfull and complex, so you have to learn about what you can do with it and how. The first step is to read MailScanner.conf and do some tests. Also, e-mail security is an ever-evolving topic so you must update your system often, and try to find the more recent version of software. Debian Volatile can help with that, or sometimes you may be better compiling from source.

Then, there is a wiki where you can get a lot of information. I suggest you start by reading the MAQ page (which I inciendally created and maintain), and then go in the documentation section for more in-depth tricks.

BTW, MailScanner can work with Exim, Sendmail, Qmail and Zmailer as well.

If you have any questions, you'll find that the MailScanner mailing list is very helpfull.

Finally, please let me know if you find an error in this procedure and I'd appreciate to have any feedback on this article.

Ugo

This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):

• http://www.debian-administration.org/article/Secure_Spam/Virus_filtering_system_with_Debian_and_MailScanner

This article is copyright 2005 ugob - please ask for permission to republish or translate.