[AMaViSd-new + Clam Anti Virus for Postfix 2.x]

Here I set up an anti-virus scanner with a free license.
After weighing the options I settled on the combination of AMaViSd-new and Clam Anti Virus.
The reason is that, compared to AMaViS-perl, AMaViSd-new supports Postfix directly, and its configuration is easier to follow, I suppose.
(I also considered AMaViSd-ng, but there was the matter of how it fits together with spamassassin.)

Preceding setup: Postfix + pop before smtp


=== Install Clam Anti Virus ===

cd /usr/ports/security/clamav
make clean
make
make install
make clean

cd /usr/local/etc

ee clamav.conf

-----------------------------------
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 2M
LogTime
LogSyslog
LogVerbose
PidFile /var/run/clamav/clamd.pid
LocalSocket /var/run/clamav/clamd
StreamSaveToDisk
MaxDirectoryRecursion 15
User clamav
AllowSupplementaryGroups
ScanMail
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoIncludePath /home
ClamukoMaxFileSize 1M
ClamukoScanArchive
-----------------------------------

=== Install AMaViSd-new ===

cd /usr/ports/security/amavisd-new/
make clean
make
make install
make clean

cd /usr/local/etc
cp amavisd.conf-dist amavisd.conf

ee amavisd.conf

-------------------------------------------
use strict;

# Section I - Essential daemon and MTA settings

$MYHOME = '/var/amavis'; # (default is '/var/amavis')
$mydomain = 'hogehoge.tld'; # (no useful default)
$daemon_user = 'vscan'; # (no default; customary: vscan or amavis)
$daemon_group = 'vscan'; # (no default; customary: vscan or amavis)
$TEMPBASE = $MYHOME; # (must be set if other config vars use it)
#$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?
$ENV{TMPDIR} = $TEMPBASE; # wise, but usually not necessary
$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications
$max_servers = 2; # number of pre-forked children (default 2)
$max_requests = 10; # retire a child after that many accepts (default 10)
$child_timeout=5*60; # abort child if it does not complete each task in n sec
@local_domains_acl = ( ".$mydomain" ); # $mydomain and its subdomains

# Section II - MTA specific (defaults should be ok)

$insert_received_line = 0; # behave like MTA: insert 'Received:' header
$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
$inet_socket_port = 10024; # accept SMTP on this local TCP port
@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP

# Section III - Logging

$DO_SYSLOG = 0; # (defaults to false)
$LOGFILE = "/var/log/amavis/amavis.log"; # (defaults to empty, no log)
$log_level = 0; # (defaults to 0)
$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
<%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';

# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine

$final_virus_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_PASS; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
$viruses_that_fake_sender_re = new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse'i,
[qr'^(EICAR\.COM|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
# [qr/.*/ => 1], # true by default?
);
$mailfrom_notify_admin = "virusalert\@$mydomain";
$mailfrom_notify_recip = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
$mailfrom_to_quarantine = undef; # original sender if undef, or set explicitly
$QUARANTINEDIR = '/var/virusmails';
$spam_quarantine_to = 'spam-quarantine';
$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
$X_HEADER_LINE = "by amavisd-new + Clam-Anti-Virus at who.$mydomain";
$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
$remove_existing_spam_headers = 1; # remove existing spam headers if spam scanning is enabled (default)
$keep_decoded_original_re = new_RE(
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
);
$banned_filename_re = new_RE(
qr'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com|exe|dll)$'i, # double extension
# qr'.\.(exe|vbs|pif|scr|bat|com)$'i, # banned extension - basic
# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
# vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
# qr'^\.(exe|zip|lha|tnef)$'i, # banned file(1) types
# qr'^application/x-msdownload$'i, # banned MIME types
# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046
);

# Section V - Per-recipient and per-sender handling, whitelisting, etc.

$virus_lovers{lc("postmaster\@$mydomain")} = 1;
$spam_lovers{lc("postmaster\@$mydomain")} = 1;
$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
$recipient_delimiter = '+'; # (default is '+')
$localpart_is_case_sensitive = 0; # (default is false)
$blacklist_sender_re = new_RE(
qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
qr'^(investments|lose_weight_today|market.alert|money2you|MyGreenCard)@'i,
qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);

# Whitelist: list the mail addresses that are allowed straight through.
# Note: '#' inside qw() is not a comment; Perl would turn the words of a
# comment placed there into whitelist entries, so keep comments outside.
map { $whitelist_sender{lc($_)}=1 } (qw(
ushi@buta.jp
tanuki@kitsune.biz
));

# Section VI - Resource limits

$MAXLEVELS = 14; # (default is undef, no limit)
$MAXFILES = 1500; # (default is undef, no limit)
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)

# Section VII - External programs, virus scanners

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj']; # both can extract, same options
$unrar = ['rar', 'unrar']; # both can extract, same options
$zoo = 'zoo';
$lha = 'lha';
$cpio = 'cpio'; # comment out if cpio does not support GNU options
$sa_local_tests_only = 1; # (default: false)
$sa_mail_body_size_limit = 150*1024; # don't waste time on SA if mail is larger
$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.3; # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions

@av_scanners = (
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", '/var/run/clamav/clamd'],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

@av_scanners_backup = (
);

# Section VIII - Debugging

1; # ensure a defined return
-------------------------------------------
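To show what the @av_scanners entry above does, here is an added Python example (my code, not part of this page or of amavisd) that sends the same CONTSCAN request to the clamd LocalSocket from clamav.conf and classifies the reply with the entry's three patterns; the sample reply is constructed, and applying the patterns line by line is my choice, equivalent to Perl's /m modifier.

```python
import re
import socket

# The three patterns from the @av_scanners entry, written as Python regexes.
CLEAN_RE = re.compile(r"\bOK$")
FOUND_RE = re.compile(r"\bFOUND$")
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")

def classify(reply):
    """Apply the patterns to a CONTSCAN reply, one line at a time.

    Returns (verdict, names). Any line ending in FOUND gives 'infected', with
    the names taken by the third pattern, whose negative lookahead skips a
    bare 'Infected Archive' line so the real name from the member file is
    reported; all lines ending in OK give 'clean'; anything else (empty reply,
    clamd error text) is 'error', which amavisd treats as a failed scanner
    and, with every primary scanner failed, hands to @av_scanners_backup.
    """
    lines = [l for l in reply.splitlines() if l.strip()]
    if any(FOUND_RE.search(l) for l in lines):
        names = [m.group(1) for m in map(NAME_RE.match, lines) if m]
        return "infected", sorted(set(names))
    if lines and all(CLEAN_RE.search(l) for l in lines):
        return "clean", []
    return "error", []

def contscan(path, sock="/var/run/clamav/clamd"):
    """Send the request amavisd sends ("CONTSCAN {}\\n") and return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock)
        s.sendall(f"CONTSCAN {path}\n".encode())
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

# Constructed sample reply, built to exercise the 'Infected Archive' lookahead:
# a clean part, an archive container line, and the archive member that hit.
SAMPLE_REPLY = (
    "/var/amavis/tmp/part-1: OK\n"
    "/var/amavis/tmp/part-2.zip: Infected Archive FOUND\n"
    "/var/amavis/tmp/part-2.zip/eicar.com: Eicar-Test-Signature FOUND\n"
)
```

In Perl without /m, `$` anchors only at the end of the whole reply, so with the patterns exactly as listed the verdict would depend on which line clamd prints last; later amavisd-new releases ship these three patterns with the /m modifier.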

cd /var/log
mkdir amavis
chown vscan:vscan amavis
cd amavis
touch amavis.log
chown vscan amavis.log
cd /var
chown -R vscan:clamav amavis


=== change Postfix's config files ===

For this, read README.postfix (it comes with the source).

cd /usr/local/etc/postfix

ee master.cf
----------------------------------------
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
-----------------------------------------

ee main.cf
-----------------------------------------
content_filter = smtp-amavis:[127.0.0.1]:10024
-----------------------------------------

ee /etc/rc.conf
-----------------------------------------
#clam AV + AMaVIS
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
amavisd_enable="YES"
-----------------------------------------
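The four files edited above have to agree on the clamd socket, the amavisd listening port, the re-injection listener and the process counts, and a mismatch is the usual reason this chain defers or loops mail. The following is an added Python checker of my own (not from the page or any of these projects) that runs over constructed excerpts of those files; the regexes assume the single-line assignment style used in the listings.

```python
import re

# Constructed excerpts of the files set up above; on a real host read
# /usr/local/etc/{clamav.conf,amavisd.conf} and /usr/local/etc/postfix/{main,master}.cf.
CLAMAV_CONF = "LogSyslog\nLocalSocket /var/run/clamav/clamd\nUser clamav\n"
AMAVISD_CONF = r"""$forward_method = 'smtp:127.0.0.1:10025';
$max_servers = 2;
$inet_socket_port = 10024;
@av_scanners = (
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", '/var/run/clamav/clamd'], qr/\bOK$/, qr/\bFOUND$/ ],
);
"""
MAIN_CF = "content_filter = smtp-amavis:[127.0.0.1]:10024\n"
MASTER_CF = """smtp-amavis unix - - n - 2 smtp
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

def master_services(text):
    """Parse master.cf into {name: (fields, [options])}; indented '-o' lines continue the entry above."""
    services, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and current and "-o" in line:
            services[current][1].append(line.split("-o", 1)[1].strip())
        elif line.strip() and not line.startswith("#"):
            current = line.split()[0]
            services[current] = (line.split(), [])
    return services

def check_chain(clamav, amavisd, main_cf, master_cf):
    """Return the mismatches between the four files (empty list = consistent)."""
    problems = []
    sock = re.search(r"^LocalSocket\s+(\S+)", clamav, re.M).group(1)
    if re.search(r"ask_daemon.*?'([^']+)'", amavisd, re.S).group(1) != sock:
        problems.append(f"amavisd av_scanners does not use clamd socket {sock}")
    port = re.search(r"\$inet_socket_port\s*=\s*(\d+)", amavisd).group(1)
    cf = re.search(r"^content_filter\s*=\s*([^:\s]+):\[?([\d.]+)\]?:(\d+)", main_cf, re.M)
    if not cf or cf.group(3) != port:
        problems.append(f"main.cf content_filter does not point at amavisd port {port}")
    svcs = master_services(master_cf)
    fwd = re.search(r"\$forward_method\s*=\s*'smtp:([\d.]+):(\d+)'", amavisd)
    if "content_filter=" not in svcs.get(f"{fwd.group(1)}:{fwd.group(2)}", ([], []))[1]:
        problems.append("re-injection smtpd missing or lacks '-o content_filter=' (mail loop)")
    servers = int(re.search(r"\$max_servers\s*=\s*(\d+)", amavisd).group(1))
    client = svcs.get(cf.group(1)) if cf else None   # fields[6] of master.cf is maxproc
    if client is None or int(client[0][6]) > servers:
        problems.append(f"smtp client maxproc must not exceed $max_servers={servers}")
    return problems
```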


And that's it for now.
Reboot with shutdown -r now.



JUNK:
The amavis-perl + clamAV case (unverified)

AMaViS-perl has many dependencies, so
in /usr/ports/security/amavis-perl run
make patch
cd work/amavis-perl-11

Fetch the old release clamav-0.53.tar.gz and extract it.
(The current release no longer ships this.)
Copy clamav-0.53/support/amavis/clamavis.patch into ./, then

patch -p1 < clamavis.patch
find . -exec touch 01010000 {} \;

./configure --with-virusdir=/var/spool/quarantine \
  --with-runtime-dir=/var/log/amavis \
  --with-logdir=/var/log/amavis \
  --enable-smtp \
  --prefix=/usr/local \
  --enable-postfix \
  --with-amavisuser=vscan \
  --disable-x-header \
  --with-warnsender=no

make
make check
make install

cd /var
chown -R vscan.vscan amavis virusmails
chmod 700 amavis virusmails
chown vscan /var/log/amavis

--
To configure postfix, you have to do later:

* add

content_filter = vscan:

to /usr/local/etc/postfix/main.cf

* add

vscan unix - n n - 10 pipe user=vscan
    argv=/usr/local/sbin/amavis ${sender} ${recipient}
localhost:10025 inet n - n - - smtpd
    -o content_filter=

to /etc/postfix/master.cf.
--

postfix stop
postfix start

