Integrating a virus scanner into a mail server
|
ClamAV
All major Linux distributions have either ClamAV/AMaViS installation packages or at least allow adding repositories from which to extract these packages. In Ubuntu, you can simply use
$ sudo apt-get install clamav
Steer clear of installing from the source code. Distributions often use specifically patched kernels and libraries that don't necessarily get along with non-native versions of software. On Debian and its derivates (e.g., Ubuntu, Knoppix, Raspian, and others) you should install, apart from ClamAV, the ClamAV daemon and freshclam. You must first update the signatures through freshclam after installation. It's recommended to run the program regularly with a cron job (Listing 1).
Listing 1
Refreshing Virus List
$ echo "0 4 * * * /usr/bin/freshclam" > cron.txt $ sudo crontab -u root cron.txt
Next, test the virus scanner. Download the harmless EICAR virus signature file (eicar.com.txt ) [4] and test it by entering clamscan eicar.com.txt . If you get the message eicar.com.txt: Eicar-Test-Signature FOUND , the scanner is working correctly. Remember to delete the signature file, or you'll get recurring alarms along the way. ClamTk [5] provides a graphical interface for ClamAV, which can make settings and scan requests a bit easier (Figure 1).
AMaViS
A file- or directory-oriented virus scanner like ClamAV is particularly useful for scanning incoming emails for viruses. AMaViS is specialized for this and works just as easily as other installed virus scanners. AMaViS works over an SMTP port interface compatible with Sendmail, Postfix, Exim, and numerous other SMTP mail transfer agents (MTAs).
In the following section, I'll describe an AMaViS configuration with a Postfix MTA. The snippet of a mail header in Listing 2 shows quite clearly how the scan works. The email first arrives at the mail server, which stores an MX record for the author's mail domain. The server then gets the message using a fetchmail daemon through POP3 from the author's server and passes it on to port 25 (SMTP) to the local Postfix SMTP server. The Postfix daemon forwards all messages arriving on port 25 and port 587 (MSA) to AMaViS over port 10024. MSA (mail submission agent) is a variant of SMTP that uses mandatory authentication, with clear differentiation between local and remote users designed to prevent configuration problems and spam.
Listing 2
Email Header Showing Scan Information
Delivered-To: fritz@fhotz.local Received: from localhost (localhost [127.0.0.1]) by fhserver.fhotz.local (Postfix) with ESMTP id 5BC84420565 for <fritz@fhotz.local>; Tue, 14 Oct 2014 21:36:22 +0200 (CEST) X-Virus-Scanned: amavisd-new at fhotz.local Received: from smtp.efhotz.de ([127.0.0.1]) by localhost (fhserver.fhotz.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Igt25lhcMl0o for <fritz@fhotz.local>; Tue, 14 Oct 2014 21:36:20 +0200 (CEST) Received: from fhserver.fhotz.local (localhost [IPv6:::1]) by fhserver.fhotz.local (Postfix) with ESMTP id 1B71842001B for <fritz@fhotz.local>; Tue, 14 Oct 2014 21:36:20 +0200 (CEST) Received: from pop.1und1.de [212.227.15.178] by fhserver.fhotz.local with POP3 (fetchmail-6.3.26) for <fritz@fhotz.local> (single-drop); Tue, 14 Oct 2014 21:36:20 +0200 (CEST) Received: from mail.linux-new-media.de ([62.245.157.204]) by mx.emig.kundenserver.de (mxeue101) with ESMTP (Nemesis) id 0MarX8-1Xtzkv4C0w-00KN0M for <Friedrich.Hotz@ef-hotz.de>; Tue, 14 Oct 2014 21:34:28 +0200 Received: from localhost (mail.linux-new-media.de [62.245.157.204]) by mail.linux-new-media.de (Postfix) with ESMTP id B432E169D for <Friedrich.Hotz@ef-hotz.de>; Tue, 14 Oct 2014 21:34:27 +0200 (CEST)
After the AMaViS virus scan, the email is further directed to Postfix, this time over port 10025, so that the mail doesn't loop endlessly between Postfix and AMaViS. Finally, the email arrives at the recipient's mailbox.
« Previous 1 2 3 Next »
Buy this article as PDF
Pages: 4
(incl. VAT)