Postfix-jp - AMaViS + Sophos Anti-Virus Install Record
Modified: 19 May, 2002




This is a translation of my document in Japanese.


Introduction

This is my record of setting up Postfix with a virus scanner, prompted by a discussion in the Postfix-jp ML archive.

I used Sophos Anti-Virus (SAV) for UNIX as the virus scanning software. The software comes with a 30-day trial period.

Virus scanning software that only searches data in the file system can't detect viruses in MIME-encoded or uuencoded mail. Therefore an interface is required that decodes the attached files and hands them to the scanner.

For this purpose I used AMaViS, which works well with Postfix, as the interface between Postfix and SAV. It is distributed under the terms of the GNU GPL.


Before Installation

This procedure assumes that Postfix Release-20010228 PL04 is installed on FreeBSD 4.3. For other environments, read through the steps and change file names etc. according to your environment.

Downloaded archives are in /tmp/src.

To extract the archives, install unzip or an equivalent before starting the installation.

A # at the start of a command line denotes a super-user command, and % a regular user's command. Some commands (such as setenv) are csh built-ins, so Bourne shell users will need to replace them with suitable equivalents.


Installation of Sophos Anti-Virus for UNIX

Download of the archive

From the download page, get Sophos Anti-Virus for your platform (I got "Sophos Anti-Virus for FreeBSD (ELF format)", freebsd.elf.tar.Z) and the latest virus identity (IDE) files (the latest file was 348_ides.zip on 28/8/2001).

Compiling and installing Sophos Anti-Virus

Extract files from the archive and compile them.

% setenv SRCDIR /tmp/src
% cd ${SRCDIR}
% tar xvzf freebsd.elf.tar.Z
% cd sav-install
% su
# vi /etc/group   # Create a group, sweep, by adding the following line:
  sweep:*:12346:
# vipw            # Create a user, sweep, by adding the following line:
  sweep:*:12346:12346::0:0:virus checker:/nonexistent:/sbin/nologin
# rm -f /usr/local/lib/libsavi.*    # When updating, remove the old libraries first.
# ./install.sh
# less /etc/sav.conf     # Check the contents of sav.conf.
# cd ${SRCDIR}
# mkdir ides
# cd ides
# unzip ../348_ides.zip
# cp *.ide /usr/local/sav

(Only for FreeBSD 4 or later)
# /stand/sysinstall
  Select [Configure] - [Distributions] - [compat3x] and install it.

The sweep -v command shows information such as the recognized IDE files.


Installation of AMaViS

There are two methods of using AMaViS with Postfix: as the local mail delivery agent (via mailbox_command), which scans only mail that is received, or as a content filter (via content_filter), which scans both incoming and outgoing mail.

Although the former is easy to set up, it has some problems. Because AMaViS is used as the local mail delivery agent, no virus scan is performed when mail is forwarded to another account or to a third-party program such as procmail via .forward; the temporary file for scanning is placed in a world-writable directory (with the sticky bit set); home_mailbox = Maildir/ can't be used; and so on.

With the latter method, the Postfix queue daemon sends mail to AMaViS via SMTP, and the Postfix smtpd receives the scanned mail back from AMaViS, so it has none of these problems, but the configuration is a little more complicated.

Here is the setup common to both methods.

To use AMaViS-perl, the following software is required.

And the following Perl modules are required.

If you install the Perl modules manually and set up scanning of both incoming and outgoing mail (in other words, if you give the `--enable-smtp' option to the AMaViS configure command), you will also be required to install

In the automatic procedure below, the libnet module is installed as part of the Bundle::libnet module installation.

You can install these modules automatically using CPAN shell. Execute

# perl -MCPAN -e shell

and type the following at the prompt:

  install Unix::Syslog
  install Convert::UUlib
  install Convert::TNEF
  install Compress::Zlib
  install Archive::Tar
  install Archive::Zip
  install G/GB/GBARR/MailTools-1.15.tar.gz
  install MIME::Tools
  install Bundle::libnet

which will install all required modules. If you don't use the CPAN shell, extract the files from each archive and execute the following commands for each module.

# cd module-dir
# perl Makefile.PL
# make
# make test
# make install

Because of dependencies, some modules (MIME-Base64, IO-stringy, libnet) may need to be installed first.

The aliases file should have an entry for a user, virusalert, who receives mail when a virus is detected.

# vi /etc/aliases   (add a following line)
    virusalert: root

Installation of AMaViS - Scanning received mail only

Building AMaViS

If you use AMaViS as a filter for the MDA (Mail Delivery Agent), you don't need to change the default settings of AMaViS.

Download the source code of AMaViS-Perl from the AMaViS download page (the latest version on 2001.8.28 was amavis-perl-11.tar.gz).

% setenv SRCDIR /tmp/src
% cd ${SRCDIR}
% tar xvzf amavis-perl-11.tar.gz
% cd amavis-perl-11
% ./configure
% make
% make check
% su
# make install

When using AMaViS this way, you need to make the directories for the virus scan's temporary files world-writable.

# chmod 1777 /var/amavis /var/virusmails

Postfix Configuration

On the Postfix side, configure Postfix to use AMaViS as the mailbox_command.

# vi /etc/postfix/main.cf   (add the following line)
  mailbox_command = /usr/sbin/amavis "$SENDER" "$RECIPIENT"
# postfix reload

That's all for Postfix configuration.

When a mail that is not virus-infected is delivered, the following log lines are recorded in /var/log/maillog:

Aug 28 17:23:07 localhost amavis[55685]: starting.  amavis perl-11 Sat Aug 25 23:40:10 JST 2001
Aug 28 17:23:08 localhost amavis[55685]: do_exit:400 - ending execution with 0
Aug 28 17:23:08 localhost postfix/local[55683]: BCE053F49: to=<ike@localhost.localdomain>, relay=local, delay=3, status=sent ("|/usr/sbin/amavis "$SENDER" "$RECIPIENT"")

When the scanner finds a virus-infected mail, the log lines recorded in /var/log/maillog look like this:

Aug 28 14:15:43 localhost amavis[55025]: starting.  amavis perl-11 Sat Aug 25 23:40:10 JST 2001
Aug 28 14:15:44 localhost amavis[55025]: Virus found - quarantined as virus-20010828-141544-55025

And the system sends an alert mail to the original sender like this:

    From: postmaster@localhost.localdomain
    To: ike@localhost.localdomain
    Subject: VIRUS IN YOUR MAIL
    Date: Tue, 28 Aug 2001 20:37:21 JST

                            V I R U S  A L E R T

    Our viruschecker found the

            'W32/Sircam-A'

    virus(es) in your email to the following recipient(s):

    -> ike@localhost.localdomain

    Please check your system for viruses, or ask your system administrator
    to do so.

    For your reference, here are the headers from your email:

    ------------------------- BEGIN HEADERS -----------------------------
    (snip)

and to virusalert like this:

    From: postmaster@localhost.localdomain
    To: virusalert@localhost.localdomain
    Subject: FOUND VIRUS IN MAIL from ike@localhost.localdomain
    Date: Tue, 28 Aug 2001 20:37:21 JST

    A virus was found in an email from:

    ike@localhost.localdomain

    The message was addressed to: 

    -> ike@localhost.localdomain

    The message has been quarantined as:

    /var/virusmails/virus-20010828-203721-56119

    Here is the output of the scanner:

    >>> Virus 'W32/Sircam-A' found in file /var/amavis/amavis-02133168/parts/msg-56119-1.com


    Here are the headers:

    ------------------------- BEGIN HEADERS -----------------------------
    (snip)

By default, the system sends no mail to the original recipient. If you need it to, add the --with-warnrecip=yes option to the ./configure command.
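Here is an added shell example (not from the original page or from AMaViS) that pulls the quarantine names out of maillog lines in the format shown above and reports any detection whose quarantine file is no longer present; the log lines are constructed from this page's samples, and the quarantine directory is passed as a parameter rather than assumed to be /var/virusmails.

```shell
#!/bin/sh
# Added example, not part of the original page: summarise AMaViS detections
# from /var/log/maillog lines in the format shown on this page.

# Constructed sample lines modelled on the maillog excerpts above.
SAMPLE_LOG='Aug 28 14:15:43 localhost amavis[55025]: starting.  amavis perl-11 Sat Aug 25 23:40:10 JST 2001
Aug 28 14:15:44 localhost amavis[55025]: Virus found - quarantined as virus-20010828-141544-55025
Aug 28 17:23:07 localhost amavis[55685]: starting.  amavis perl-11 Sat Aug 25 23:40:10 JST 2001
Aug 28 17:23:08 localhost amavis[55685]: do_exit:400 - ending execution with 0
Aug 28 20:37:21 localhost amavis[56119]: Virus found - quarantined as virus-20010828-203721-56119'

# Count "Virus found" events in the log text read from stdin.
count_virus_found() {
    grep -c 'amavis\[[0-9]*\]: Virus found - quarantined as ' || true
}

# Print the quarantine file name of every detection, one per line.
quarantined_names() {
    sed -n 's/^.* amavis\[[0-9]*\]: Virus found - quarantined as \(virus-[0-9]*-[0-9]*-[0-9]*\)$/\1/p'
}

# Print each logged quarantine name whose file is absent from the quarantine
# directory given as $1 (the sample was removed, or the log is stale).
missing_quarantine_files() {
    dir=$1
    quarantined_names | while read -r name; do
        [ -f "$dir/$name" ] || echo "$name"
    done
}

# Stand-alone run against the constructed sample and the page's default directory.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_virus_found
    printf '%s\n' "$SAMPLE_LOG" | missing_quarantine_files /var/virusmails
fi
```

To run the same checks on a real log, replace the sample with `cat /var/log/maillog | count_virus_found` and so on.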


Installation of AMaViS - Scanning incoming and outgoing mail

The README.postfix file in the AMaViS archive describes two methods of scanning both incoming and outgoing mail.

The former has some problems: two different Postfix instances with different configurations are required, the scanner can't scan locally posted mail that doesn't arrive via SMTP (port 25), and mail log analyzers may be confused by logs from two Postfix systems.

Although the latter has no such problems, if someone connects directly to port 10025 (the default) and speaks SMTP, the scanner can be bypassed. Therefore, you need to block access to port 10025 from other hosts.

I'll introduce the second method, which uses content_filter. If you are interested in the former, see "using amavis with postfix" (by Sato-san, in Japanese) or the README.postfix file in the AMaViS archive.

Building AMaViS

In this method, you need to give some options to the ./configure command. If you change the default AMaViS user (vscan) or the default SMTP port to which scanned mail is sent (10025), the --with-amavis-user=USER or --with-smtp-port=PORT option for ./configure is required in addition to the options in the following example:

% setenv SRCDIR /tmp/src
% cd ${SRCDIR}
% tar xvzf amavis-perl-11.tar.gz
% cd amavis-perl-11
% ./configure --enable-smtp --enable-postfix

At this point, check the configuration summary, which starts with:

** Configuration summary for amavis perl-11 2001-04-07

If it contains the line:

Enable SMTP: no

the libnet module (not Bundle::libnet) may not have been installed. If so, install the module as described in the module installation section above and run configure again.

% make
% make check
% su
# vipw      # Add user vscan.
  vscan:*:12347:65534::0:0:virus checker:/nonexistent:/sbin/nologin
# make install

Don't make the /var/amavis and /var/virusmails directories world-writable in this setup.

% ls -ld /var/amavis /var/virusmails
drwx------  2 vscan  wheel  512   8/28 21:23 /var/amavis/
drwx------  2 vscan  wheel  512   8/28 21:23 /var/virusmails/

Postfix Configuration

On the Postfix side, the configuration for using content_filter is required. See the FILTER_README file in the Postfix archive for details.

# vi /etc/postfix/main.cf   (Add a following line)
    content_filter = vscan:
# vi /etc/postfix/master.cf   (Add the following lines.  Don't remove the leading spaces on the continuation lines.)
    vscan    unix  -   n   n   -   10  pipe user=vscan
       argv=/usr/sbin/amavis ${sender} ${recipient}
    localhost:10025        inet    n   -   n   -   -   smtpd
       -o content_filter=
# postfix reload

When a mail is found to be infected by a virus, the same logs as in the receive-only setup are recorded in /var/log/maillog, and alert mails are sent to the mail sender and the server administrator (virusalert).
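The following shell checks are an added example (not from the page, Postfix or AMaViS) that verifies the properties this setup relies on: the re-injection smtpd on port 10025 is bound to localhost, so the bypass described earlier is not reachable from other hosts, it clears content_filter so scanned mail does not loop back into the scanner, and the AMaViS directories are not world-writable. The master.cf fragment is constructed from the lines above; the directory to inspect is a parameter.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity checks for the
# content_filter setup described above.

# Constructed master.cf fragment modelled on the lines added above.
MASTER_CF='smtp      inet  n       -       n       -       -       smtpd
vscan    unix  -   n   n   -   10  pipe user=vscan
   argv=/usr/sbin/amavis ${sender} ${recipient}
localhost:10025        inet    n   -   n   -   -   smtpd
   -o content_filter='

# Print the bind address of the inet service on port $1, read from a
# master.cf on stdin. "*" means every interface, i.e. reachable from other
# hosts, which is exactly what the bypass risk above warns about.
filter_listener_address() {
    awk -v port="$1" '
        /^[[:space:]]/ || /^#/ || NF < 2 { next }
        $2 == "inet" {
            p = $1; sub(/^.*:/, "", p)
            if (p != port) next
            addr = $1
            if (index(addr, ":") > 0) sub(/:[^:]*$/, "", addr); else addr = "*"
            print addr
        }'
}

# Print "yes" if the inet service on port $1 carries an empty
# "-o content_filter=" override on one of its continuation lines, "no"
# otherwise. Without it, re-injected mail would be filtered again forever.
reinjection_filter_cleared() {
    awk -v port="$1" '
        /^[[:space:]]/ { if (in_svc && $1 == "-o" && $2 == "content_filter=") found = 1; next }
        /^#/ || NF < 2 { next }
        { p = $1; sub(/^.*:/, "", p); in_svc = (p == port && $2 == "inet") }
        END { print (found ? "yes" : "no") }'
}

# Print "yes" if directory $1 is writable by others (e.g. mode 1777), "no"
# otherwise. In the content_filter setup /var/amavis and /var/virusmails
# must stay private to vscan, so the expected answer is "no".
dir_world_writable() {
    # the ninth character of the ls mode string is the others-write bit
    case "$(ls -ld "$1" | cut -c9)" in
        w) echo yes ;;
        *) echo no ;;
    esac
}
```

Against the live system, feed the real file with `filter_listener_address 10025 < /etc/postfix/master.cf` and run `dir_world_writable /var/amavis`.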


Related Links



ike@kobitosan.net