Clam AV and MailScanner mini HOWTO for Solaris and Linux

by Steve Ochani http://www.steveo.us

v 1.2 Updated July 13th, 2004

 

This document is intended for people looking to set up a free, open-source virus and spam protection solution on e-mail servers running Sendmail.

Prerequisites

Knowledge of how to build and install programs on Solaris or Linux. You will need a system that can build and install programs with gcc (I used version 3.1) and Perl, plus GMP, Clam AV, MailScanner and a number of Perl modules, which are listed later.

1. The first thing you have to do on Solaris 8 is install (or build yourself and install) a Perl built with gcc. I downloaded perl_s-5.8.3-sol8-sparc-local.gz from www.sunfreeware.com. Before installing it I renamed the Perl that comes with Solaris to perl.sun. The reason for installing a gcc-built Perl is that later on you will need to build and install some Perl modules, and XS modules must be built with the same compiler Perl itself was built with. The Perl that comes with Sun Solaris is built with Sun's compiler, which most people do not have.

2. Download, build and install GMP (the GNU MP library). I used version 4.1.2. On Solaris 8 with a 64-bit processor I set the environment variable ABI to 32 before running configure. That's "export ABI=32" if you're using bash (the variable name is upper-case; GMP's configure ignores a lower-case "abi").

4. Download, build and install the following Perl modules. They can all be found at http://www.cpan.org. These are the versions I used.

HTML-Tagset-3.03
HTML-Parser-3.35
IO-stringy-2.109
MailTools-1.60
MIME-tools-5.411
Net-CIDR-0.09
Convert-TNEF-0.17
Compress-Zlib-1.33
Archive-Zip-1.09

5. Download Clam AV (I used version 0.68-1). Before building, add a group called clamav and a user clamav with /bin/false as its shell so it cannot log in. On Solaris 8 this can be done as

groupadd clamav

useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

Gunzip and untar clamav, then run configure as follows:

./configure --sysconfdir=/etc

Then "make" and "make install"

After a successful build and install, run "freshclam" to update the virus definitions. Then run a test scan on the test subdirectory of the source tree. You should get output such as this:

[root@newton clamav-0.68-1]# clamscan test
test/test1: ClamAV-Test-Signature FOUND
test/README: OK
test/rarfail.rar: RAR module failure.
test/rarfail.rar: OK
test/debugm.c: OK
test/test1.bz2: ClamAV-Test-Signature FOUND
test/test2.zip: ClamAV-Test-Signature FOUND
test/test3.rar: ClamAV-Test-Signature FOUND
test/test2.badext: ClamAV-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 20514
Scanned directories: 1
Scanned files: 8
Infected files: 5
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 3.000 sec (0 m 3 s)

Note: You SHOULD get the failure notice on rarfail.rar. It is a deliberately broken archive shipped with the sources to exercise the RAR module's error handling, so "RAR module failure" followed by "OK" is the expected result, not a sign of a bad build.

6. Now to set up MailScanner (currently I'm using version 4.28.6-1). Download it, gunzip it, then untar it into /opt. Then make a symbolic link called MailScanner pointing at the versioned directory, so that upgrades only need the link changed. For example:

cd /opt

ln -s MailScanner-4.28.6/ MailScanner

Now set up the directories MailScanner will need. mqueue.in is the queue where sendmail places mail that has not yet been scanned, so it must not be readable by other users on the machine:

cd /var/spool/
mkdir mqueue.in
chown root:bin mqueue.in/
chmod o-r,o-x mqueue.in/
mkdir /var/spool/MailScanner
mkdir /var/spool/MailScanner/incoming
mkdir /var/spool/MailScanner/quarantine

Now edit /opt/MailScanner/etc/MailScanner.conf. I set or changed the following (these are all my personal preferences):

%org-name% = yourorg # set to a short name for your site; MailScanner uses it in the headers it adds
Incoming Work Group = clamav
Incoming Work Permissions = 0640
File Command = /usr/bin/file (took out the # in front of /usr/bin/file)

Virus Scanners = clamav # changed from none
Silent Viruses = HTML-IFrame # default was "HTML-IFrame All-Viruses"; removing All-Viruses means senders are notified about every virus, not just silently dropped
Allow Password-Protected Archives = yes # from no. Be aware that a password-protected archive cannot be scanned, so this lets unscanned content through; leave it at no if you would rather block such attachments.
Notify Senders Of Viruses = yes # from no. Most mail worms forge the sender address, so many of these notices will go to people who never sent anything (backscatter); consider leaving this at no on a busy server.
Virus Subject Text = {Virus} # took out the ?
Filename Subject Text = {Filename} # took out the ?
Notices Include Full Headers = yes # from no
 

In the file /opt/MailScanner/etc/filename.rules.conf I allowed exe files, and in the file /opt/MailScanner/etc/filetype.rules.conf I allowed all file types. Note: Just because you allow, for example, exe files in filename.rules.conf doesn't mean that MailScanner will let virus-infected exe files through. It still runs the virus scanner on every file that passes the filename and filetype rules; those rules only decide which attachments are blocked outright by name or type.
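The spool directory layout from step 6, as an added example that is not part of the original HOWTO: it creates the three directories, removes all "other" permissions (slightly stricter than the chmod o-r,o-x above, which would leave a stray write bit in place), and then verifies the result by parsing ls -ld so the same check works on Solaris and Linux. SPOOL_ROOT and QUEUE_GROUP are variables introduced here so the script can be exercised under a scratch directory; the HOWTO uses /var/spool and root:bin directly. Only a real run as root will perform the chown.

```sh
#!/bin/sh
# Added example (not from the HOWTO). Creates and verifies the MailScanner
# spool layout. SPOOL_ROOT defaults to the HOWTO's /var/spool; override it
# to try the script somewhere harmless first.
SPOOL_ROOT="${SPOOL_ROOT:-/var/spool}"
# Group that owns the incoming queue; root:bin is what the HOWTO uses.
QUEUE_GROUP="${QUEUE_GROUP:-bin}"

# Create the queue, work and quarantine directories under $1 and strip all
# permissions from "other": each of them holds mail that has not been
# scanned yet, or mail that was found to be infected.
setup_spool_dirs() {
    root="$1"
    mkdir -p "$root/mqueue.in" \
             "$root/MailScanner/incoming" \
             "$root/MailScanner/quarantine" || return 1
    chmod o-rwx "$root/mqueue.in" \
                "$root/MailScanner/incoming" \
                "$root/MailScanner/quarantine" || return 1
    # Ownership only matters (and only works) when run as root.
    if [ "$(id -u 2>/dev/null)" = 0 ]; then
        chown "root:$QUEUE_GROUP" "$root/mqueue.in" || return 1
    fi
    return 0
}

# Return 0 when "other" has no permission bits on the directory. The mode
# string from ls -ld is used instead of stat(1), whose options differ
# between Solaris and GNU coreutils.
dir_is_private() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Verify every directory exists and is private; print the first problem
# found on stderr and return 1.
check_spool_dirs() {
    root="$1"
    for d in mqueue.in MailScanner/incoming MailScanner/quarantine; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d" >&2
            return 1
        fi
        if ! dir_is_private "$root/$d"; then
            echo "world-accessible: $root/$d" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sh spool-setup.sh setup   (as root)   or   sh spool-setup.sh check
case "${1:-}" in
    setup) setup_spool_dirs "$SPOOL_ROOT" && check_spool_dirs "$SPOOL_ROOT" ;;
    check) check_spool_dirs "$SPOOL_ROOT" ;;
esac
```

Run it with "check" after any sendmail or MailScanner upgrade as well: package post-install scripts have been known to recreate spool directories with looser modes.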

7. Now set up sendmail. The first thing I did on Solaris 8 was delete /etc/rc2.d/S88sendmail, because it was a copy rather than a symlink to /etc/init.d/sendmail. After deleting it I recreated it as a symlink, so for example:

cd /etc/rc2.d
rm S88sendmail
ln -s ../init.d/sendmail S88sendmail

Then edit /etc/init.d/sendmail

I commented out the line

/usr/lib/sendmail $MODE -q$QUEUEINTERVAL $OPTIONS &

and put in the following. The first sendmail only accepts mail and writes it into /var/spool/mqueue.in without delivering anything (queueonly); MailScanner scans that queue and moves clean mail into the normal /var/spool/mqueue, and the second sendmail delivers from there every 15 minutes:

/usr/lib/sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
/usr/lib/sendmail -q15m &
/opt/MailScanner/bin/check_mailscanner

Now you can stop and restart sendmail, which will also start MailScanner. Check with ps that both sendmail processes and the MailScanner processes are running before putting the server back into service.

If you want to test your setup, send yourself a message with the EICAR test file attached. It is a harmless 68-byte text file that every scanner, ClamAV included, reports as a virus; get it from http://www.eicar.org/anti_virus_test_file.htm
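The end-to-end test described above, as an added example that is not part of the original HOWTO: it builds the EICAR string (split in two inside the script so the script file itself is not flagged), checks that the result is exactly 68 bytes, wraps it as a plain 7-bit attachment in a MIME message, and hands the message to sendmail with -t so that it goes through mqueue.in and MailScanner like any other mail. The sender and recipient addresses are assumptions for this example; change EICAR_TO to a mailbox you can read.

```sh
#!/bin/sh
# Added example (not from the HOWTO). Generates the EICAR test message for
# checking that sendmail -> MailScanner -> ClamAV works end to end.
# Addresses are placeholders; set EICAR_TO to a mailbox you can read.
EICAR_TO="${EICAR_TO:-postmaster@localhost}"
EICAR_FROM="${EICAR_FROM:-root@localhost}"

# The EICAR string, split in two so this script does not itself contain the
# signature. Single quotes keep the backslash and dollar signs literal, and
# printf '%s%s' prints the arguments without interpreting them.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' \
                  'ANTIVIRUS-TEST-FILE!$H+H*'
}

# Byte length of the generated string. Scanners only recognise the exact
# 68-byte sequence; a stray newline or shell expansion would make the test
# pass "clean" and prove nothing.
eicar_length() {
    eicar_string | wc -c | tr -d ' '
}

# Write the bare test file (eicar.com) to the path given in $1.
write_eicar_file() {
    eicar_string > "$1"
}

# Emit a complete MIME message with eicar.com attached. The string is pure
# printable ASCII, so it is sent 7-bit and no base64 tool is needed, which
# keeps this portable to Solaris 8. The attachment body ends exactly where
# the closing boundary's preceding newline starts, so the decoded file is
# the 68 bytes and nothing more.
eicar_message() {
    boundary="mailscanner-eicar-test"
    printf 'From: %s\n' "$EICAR_FROM"
    printf 'To: %s\n' "$EICAR_TO"
    printf 'Subject: MailScanner EICAR test\n'
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    printf '%s\n' "--$boundary"
    printf 'Content-Type: text/plain\n\n'
    printf 'EICAR test attachment follows; it should be tagged or quarantined.\n\n'
    printf '%s\n' "--$boundary"
    printf 'Content-Type: application/octet-stream; name="eicar.com"\n'
    printf 'Content-Transfer-Encoding: 7bit\n'
    printf 'Content-Disposition: attachment; filename="eicar.com"\n\n'
    eicar_string
    printf '\n%s\n' "--$boundary--"
}

# Inject the message via the local sendmail; -t reads the recipients from
# the headers. Only this function touches the mail system.
send_test_message() {
    [ "$(eicar_length)" = 68 ] || { echo "bad EICAR length" >&2; return 1; }
    eicar_message | /usr/lib/sendmail -t
}

# Usage: sh eicar-test.sh send
case "${1:-}" in
    send) send_test_message ;;
esac
```

What to look for afterwards: the message should arrive with the "{Virus}" subject tag set in MailScanner.conf (or not arrive at all, if the configured action quarantines it), a copy should appear under /var/spool/MailScanner/quarantine, and the MailScanner log should name ClamAV and the EICAR signature. If the message arrives untouched, check that sendmail is really queueing into mqueue.in and that "Virus Scanners = clamav" took effect.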

Note: I did not enable SpamAssassin, because I found MailScanner's default checking of senders against DNS blacklist (RBL) servers caught 99% of the spam going through my servers.

Note for Solaris users: Installing a sendmail patch will overwrite your sendmail configuration file and your /etc/init.d/sendmail file, so back both of them up before patching and compare them afterwards.

Reference sites

http://www.clamav.net

http://www.mailscanner.info

http://www.cpan.org

http://www.swox.com/gmp

http://www.sunfreeware.com