iTools - A Beginners guide - Spam & Virus Scanning

by Terry Allen

A lot has been said & many have tried to prevent junk email, (or 'spam' as it's become known), from being dropped into your email inbox, but at this point, we're unfortunately no closer to slowing the spread of spam & the growing number of email-borne viruses which are now inflicting themselves upon hapless users. While by & large, the viruses don't cause any grief to Macintosh users, they still have nuisance value owing to the fact that you've most likely downloaded them from time to time with the rest of your email.

Fortunately, as server administrators (which you almost certainly are if you're reading this), you can add some snazzy bits & pieces to your iTools setup, plus edit the odd config file to enable you to firstly ward off spam to a certain extent, as well as scan & block virus ridden email from reaching your users. Users of Tenon's Post.Office package are already covered with one of the packages we're going to add, Spam Assassin, a brilliant & very effective tool for spam removal.

First off, we're looking here at a system which is running Mac OSX 10.3.x 'client' edition, with iTools & the inbuilt Postfix mail server which iTools helps you configure. There are minor differences with Mac OSX Server that you may need to take into account, but most of this should work under an OSX server environment as well - there's a link to an OSX Server specific tutorial at the end. The steps described here outline creating a site-wide filtering system. Personally, I just reject all spam & virus email on my systems, but you may have other ideas that you want to do once you have this running.

Now, I'm making an assumption here that you already have a working iTools server & that you've already configured Postfix with your various users to be a working mail server. If you haven't already gotten that far, then you're wasting your time & you need to head back to the iTools manual & get it up & happy before continuing on.

If you haven't already got RBL blocking working on your server, take a look at another guide I wrote on adding RBL blocking to your iTools system - it's a great line of defense, but it's certainly not as heavy-duty or encompassing as the setup we're going to add into the pipeline here.

There are 3 packages we need to add in to get our content filtering & scanning working:

Amavis-New, Spam Assassin & ClamAV, all open source, very effective & well supported. You can already guess from its name that Spam Assassin is the anti-spam component & that ClamAV is the anti-virus scanner, but to tie the pair into our incoming mail chain, we need Amavis-New. It's a sort of 'conduit': Postfix hands incoming email to Amavis-New, which in turn passes it temporarily to both ClamAV & Spam Assassin; once they hand it back, Amavis-New decides the fate of the email (deliver it back to Postfix for final processing, reject it or whatever you want, depending on how you have your system set up).

The first step in our chain is to get Postfix to listen on an additional port - this new port will only be for local communication between Amavis-New & Postfix, so you'll want to choose a port that's firstly, not in use & secondly, not reachable from outside. The default suggested is 10025, so we'll stick with that for this guide's purposes - now make sure your firewall doesn't allow any inbound network traffic for that port. By the way, all the commands here have been run as the root user, so if you don't have the root account enabled, you'll need to add sudo in front of any commands.

As with RBL blocking, it's a relatively easy task - go into the terminal & navigate here:

# cd /etc/postfix

Then, the file we need to edit is called master.cf (please make a backup first, so that if something goes wrong you can simply put the original file back - cp master.cf master.cf.backup at your command line will do it), so load it up with your text editor (I like Pico)

# pico master.cf

Now, add these lines to your master.cf file, at the end (cut & paste them if you like). Note that each -o line must begin with whitespace: Postfix treats an indented line as a continuation of the service entry above it, & a -o line starting in the first column will break the file.

smtp-amavis unix - - y - 2 smtp
  -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n - y - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000

Do a Control-X to exit pico & save the file - then head into iTools & restart your mail server, or just enter postfix reload at the command line. Something you need to do before going any further here is to make sure you can contact your mail server on its new port by entering this on the command line:

# telnet 127.0.0.1 10025

Your server should respond with something like this:

# telnet 127.0.0.1 10025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.yourdomain.com ESMTP Postfix

Before heading on, if you don't get a connection when you attempt to perform that telnet command, don't go any further until you have the problem sorted out, or it's tears before bedtime later on. The most likely cause is that there's a typo or an extra space somewhere, but if you download the Amavis-New package, there's a pretty good ReadMe file on Postfix setup, so check that out when you download it.

You're most likely wondering why we use the 127.0.0.1 loopback address rather than the server's public IP address. The reason is that it's an added security precaution: no other machine should have access to this port, & the way to ensure that is to bind it only to the local address, which is very hard to fake indeed. It's through this new port that Amavis-New will hand scanned & filtered email back to Postfix.

From here, we also need to have Apple's developer tools installed, so if you don't (always a good idea anyway for your server needs), head off & find, then install the developer tools from the CD which came with Mac OSX 10.3.x. You'll be needing these in our next step, as you need to actually build some things from scratch.

We're now heading into setting up ClamAV, so we firstly need to head off to the ClamAV website to download the latest version. I always try to grab the source tarball (usually identified by a .tar.gz suffix) - drop it into an appropriate directory for latest reference & expand it using something like this:

# tar zxvf clamav-0.65.tar.gz

Once it's been expanded, navigate into the directory:

# cd clamav-0.65

Just before we build ClamAV, we need to create a user for it, under which it will run. Nobody will be able to log into the system as this user, which is just an added security precaution. It's not particularly complicated, so follow these steps:

# niutil -create . /users/clamav
# niutil -createprop . /users/clamav uid 26
# niutil -createprop . /users/clamav gid 26
# niutil -createprop . /users/clamav shell /bin/tcsh
# niutil -createprop . /users/clamav home /tmp
# niutil -createprop . /users/clamav passwd "*"
# niutil -create . /groups/clamav
# niutil -createprop . /groups/clamav gid 26

Those last 2 steps have created a group which is also called clamav, & as you've most likely already guessed, ClamAV will run under this user & group. Now back to actually making ClamAV from the source code:

# ./configure
# make
# make install

Now some people have come across problems during this step, usually on older Mac OSX versions, but certainly with the latest 10.3.x developer tools, I didn't have any issues there.

There's still something left to do though for ClamAV to do its job properly. Because of the way the default installation works, the path isn't correct, so do these couple of commands in the terminal:

# ln /usr/local/bin/clamscan /usr/bin/
# ln /usr/local/bin/freshclam /usr/bin/

Then for the last one, we need to tell your shell about the new command so you can simply type clamscan for things to work properly - it's already on your system, but the shell needs to rescan its path (rehash is a tcsh built-in; in bash the equivalent is hash -r):

# rehash

Now your system will work properly. There are a couple of things we need to do though for your virus definitions to stay up to date. We need your system to download the latest virus definitions at least once a day, but for peace of mind, you want it more often than that, so these commands will do the trick for you:

# touch /var/log/clam-update.log
# chmod 644 /var/log/clam-update.log
# chown clamav /var/log/clam-update.log
# freshclam -d -c 2 -l /var/log/clam-update.log

That last line runs freshclam as a daemon that pulls down the latest virus database a couple of times a day & logs to the file we just created. My own system grabs these automatically, even after a system restart, but you'll most likely want to add a Startup item to your system so the freshclam daemon is started again on boot. I create my Startup items with Webmin remotely, but you can take a look at Apple's website for some hints on this.
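A freshclam daemon that dies quietly (or a Startup item that never fires after a reboot) leaves you scanning with old signatures without any obvious sign of it, so here's a small check you can hang off cron. This is an added example, not code from the article or from the ClamAV package: it assumes the signature files live in /usr/local/share/clamav (the usual spot for a source build - confirm it on your own box) & calls the definitions stale when no .cvd or .cld file there has been rewritten within the given number of days.

```shell
#!/bin/sh
# check_clamdb.sh - added example; not code from the article or from ClamAV.
# Exit status 1 means the signature database looks stale, so cron will mail you.
#
# Assumptions (adjust for your install):
#   - freshclam writes main.cvd/daily.cvd (or .cld) into CLAMDB_DIR
#   - the default directory below is the one a source build of ClamAV uses
CLAMDB_DIR="${CLAMDB_DIR:-/usr/local/share/clamav}"

# clamdb_stale DIR MAX_DAYS
#   Returns 0 (shell "true") when no signature file in DIR has been modified
#   within the last MAX_DAYS days, or when DIR holds no signature files at all.
#   Returns 1 when at least one signature file is fresh.
clamdb_stale() {
  dir="$1"
  max_days="$2"
  # find's -mtime -N selects files modified less than N*24 hours ago
  fresh=$(find "$dir" \( -name '*.cvd' -o -name '*.cld' \) -mtime "-$max_days" 2>/dev/null | wc -l)
  [ "$fresh" -eq 0 ]
}

# newest_sigfile DIR
#   Prints the most recently modified signature file in DIR, for the report line.
newest_sigfile() {
  ls -t "$1"/*.cvd "$1"/*.cld 2>/dev/null | head -n 1
}

# Constructed cron entry: check every hour, alert once nothing has updated for 2 days
#   0 * * * * /usr/local/sbin/check_clamdb.sh --cron
if [ "${1:-}" = "--cron" ]; then
  if clamdb_stale "$CLAMDB_DIR" 2; then
    echo "ClamAV signatures in $CLAMDB_DIR are stale (newest file: $(newest_sigfile "$CLAMDB_DIR"))"
    exit 1
  fi
fi
```

Two days is deliberately looser than the twice-daily schedule set with -c 2 above, so a single failed mirror fetch doesn't page you, while a daemon that has been dead since the last reboot does.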

Theoretically, your server should now be able to scan straight off - there is a new clamscan command, so if you want, you can scan your whole server for any stray viruses by just entering clamscan at the command line.

In any event, we're now going to go grab Amavis-New, so head off to the website & download the latest version. You can expand the tarball to a suitable location on your server with something like:

# tar zxvf amavisd-new-20030616-p7.tar.gz

After it's been expanded, navigate into the directory with:

# cd amavisd-new-20030616-p7

There's a bit of a minor problem with OSX & Amavis-New that has to be sorted before doing anything else. Into the terminal, you need to enter this command, which is a single command, all on the one line:

# sed 's/$file -b $filename/$file $filename \| sed -n "s\/\^\[[:alnum:]]\*:\/\/p" /' amavisd > amavisd.new

After that's been done, we need to replace the old file with the new one we've just created:

# mv amavisd.new amavisd

To get the new amavisd daemon into its appropriate location, you're going to want it running from a particular directory, so we need to copy it into a suitable place:

# cp amavisd /usr/bin/amavisd

You may have a different spot you wish to run it from, but you'll need to edit some stuff if you want that to happen. To enable amavisd to run, we need to navigate to the directory we just copied it to & edit the permissions & ownership:

# cd /usr/bin
# chown root /usr/bin/amavisd
# chmod 755 /usr/bin/amavisd

Now, you want to copy the appropriate .conf file to its correct location & of course, set its permissions, so navigate back to the tarball directory & enter:

# cp amavisd.conf /etc/
# chown root /etc/amavisd.conf
# chmod 644 /etc/amavisd.conf

There's also a few directories we need to add for the various parts of amavisd to put spam or viruses in should you so choose:

# mkdir /var/amavis
# chown clamav:clamav /var/amavis
# chmod 750 /var/amavis
# mkdir /var/virusmails
# chown clamav:clamav /var/virusmails
# chmod 750 /var/virusmails
# touch /var/amavis/whitelist_sender

The last thing we need to do for Amavis-New itself to get working is to edit the .conf file we copied across earlier on - you'll need to read the file carefully right through to ensure that you change the things properly, but a couple of important bits & pieces are the user & group, so:

# cd /etc
# pico amavisd.conf

You need to firstly look for the lines like this:

$mydomain = 'example.com'; # (no useful default)

$daemon_user = 'vscan'; # (no default; customary: vscan or amavis)
$daemon_group = 'sweep'; # (no default; customary: vscan or amavis)

Then, change firstly the domain line to your own domain & the user/group lines to the user that we added earlier:

$mydomain = 'yourdomain.com'; # (no useful default)

$daemon_user = 'clamav'; # (no default; customary: vscan or amavis)
$daemon_group = 'clamav'; # (no default; customary: vscan or amavis)

A little further down the file, you'll find a line like this one:

# $forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail

I'm not entirely sure if Amavis-New will work without editing this line, but on my system, it was necessary. Remove the hash mark so it looks like this one:

$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail

While the rest of the file is pretty much okay as a default setup, the final editing for this file is done in section IV, which starts off with Notifications - the particular lines to look at are:

$final_virus_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_REJECT; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested

These settings are well explained in the .conf file, so read up on them & decide which you'd like to have set on your system. Don't forget to save the file before you exit.

Last but not least for Amavis-New to work, we need to add some Perl modules to the system. There's a few here & these commands are all on one line as before:

# perl -MCPAN -e shell

install Archive::Tar Archive::Zip Compress::Zlib Convert::UUlib MIME::Base64 MIME::Parser Mail::Internet Net::Server Digest::MD5 IO::Stringy Time::HiRes Unix::Syslog Digest::SHA1 Mail::SpamAssassin

force install Convert::TNEF

force install Net::SMTP

quit

Those last couple that we had to force install have apparently given errors for some people - I struck no problems using this method, but your mileage may vary, as they say.
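Because a CPAN session can fail part-way through & still leave you at a prompt, it pays to confirm afterwards which of the modules listed above actually load, rather than waiting for amavisd to die at startup. Here's an added example (not from the article, nor from the amavisd-new or SpamAssassin projects) that probes each module with perl -M & prints only the ones that are missing; the module list is the one given above, & the interpreter name is a parameter so you can point it at a non-default perl.

```shell
#!/bin/sh
# missing_perl_modules.sh - added example; not code from the article or from
# amavisd-new. Reports which of the required Perl modules fail to load.

# The modules the article installs from the CPAN shell, including the two
# that needed a forced install.
AMAVIS_MODULES="Archive::Tar Archive::Zip Compress::Zlib Convert::UUlib MIME::Base64 \
MIME::Parser Mail::Internet Net::Server Digest::MD5 IO::Stringy Time::HiRes \
Unix::Syslog Digest::SHA1 Mail::SpamAssassin Convert::TNEF Net::SMTP"

# missing_perl_modules PERL MODULE...
#   PERL is the interpreter to probe (normally just "perl"). Prints each module
#   that cannot be loaded, one per line, and returns the count of missing ones,
#   so a zero exit status means everything amavisd needs is present.
missing_perl_modules() {
  perl_cmd="$1"
  shift
  missing=0
  for m in "$@"; do
    # "perl -MModule -e 1" exits non-zero when the module cannot be loaded
    if ! "$perl_cmd" -M"$m" -e 1 >/dev/null 2>&1; then
      echo "$m"
      missing=$((missing + 1))
    fi
  done
  return $missing
}

# Run with --report to check the system perl against the full list:
#   sh missing_perl_modules.sh --report
if [ "${1:-}" = "--report" ]; then
  if missing_perl_modules perl $AMAVIS_MODULES; then
    echo "all amavisd-new Perl modules load"
  fi
fi
```

Feed whatever it prints straight back into the CPAN shell's install command; if a module still refuses to load after a force install, amavisd's own startup errors will name it in the same Module::Name form.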

At last, we're ready to fire up amavisd & check that it's accepting a connection, so:

# su clamav
clamav%
amavisd
exit

After a second or so, the amavisd daemon should be ready to roll, so type:

# telnet 127.0.0.1 10024

You should see a couple of messages, letting you know that things are happy:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready

Simply type quit when you see that, because things are just about set & we're now really on the home stretch, with just one more thing to do to have our system running & that's edit our Postfix main.cf file to send inbound email off to amavisd to be scanned.

So, you need to navigate into the Postfix directory:

# cd /etc/postfix

Then, the final thing we need to do is issue this command:

# postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'

That will add the line to the main.cf file for you & you can issue this to have everything running (always assuming that you have a working Postfix mailserver on your system):

# postfix reload

Or alternatively, restart the mailserver from your iTools admin. That's pretty much it - take a look at your mail logs to see that things are indeed working as you'd like. If things aren't working & you want to temporarily disable Amavis-New, simply remove that last line we added to Postfix' main.cf file using a text editor & redo the postfix reload step - things will be back to normal on the mail server front.
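Since a typo in either file tends to show up only as mail silently queuing (or, worse, bouncing between Postfix & amavisd forever), here's an added check that reads main.cf & master.cf & confirms the wiring described in this guide. It is an example of mine for this page, not code from the article, Postfix or amavisd-new. It checks that content_filter in main.cf names the smtp-amavis transport on port 10024, that master.cf actually defines that transport, that the re-injection listener is bound to 127.0.0.1:10025 (a bare 10025 inet entry would listen on every interface, which is the whole point of the loopback discussion earlier), & that the listener clears content_filter= so scanned mail isn't handed to amavisd a second time. Paths default to /etc/postfix; the test uses constructed copies of the two files.

```shell
#!/bin/sh
# check_amavis_wiring.sh - added example; not code from the article, Postfix
# or amavisd-new. Verifies the Postfix side of the Amavis-New pipeline.
POSTFIX_DIR="${POSTFIX_DIR:-/etc/postfix}"

# cf_get FILE KEY
#   Prints the value of a "key = value" line in a Postfix main.cf-style file
#   (the last occurrence wins, as it does in Postfix itself).
cf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_wiring MASTER_CF MAIN_CF
#   Prints one line per problem found and returns the number of problems,
#   so a zero exit status means the files agree with the setup above.
check_wiring() {
  master="$1"
  main="$2"
  problems=0

  # 1. main.cf must hand inbound mail to the smtp-amavis transport on port 10024
  filter=$(cf_get "$main" content_filter)
  case "$filter" in
    smtp-amavis:*10024) ;;
    *) echo "main.cf: content_filter is '$filter', expected smtp-amavis:[127.0.0.1]:10024"
       problems=$((problems + 1)) ;;
  esac

  # 2. master.cf must define the transport that content_filter refers to
  grep -q '^smtp-amavis[[:space:]]' "$master" \
    || { echo "master.cf: no smtp-amavis service entry"; problems=$((problems + 1)); }

  # 3. the re-injection listener must be bound to the loopback address only
  if grep -q '^127\.0\.0\.1:10025[[:space:]]' "$master"; then
    # 4. ... and that listener must clear content_filter, otherwise mail that
    #    amavisd hands back is sent to amavisd again, looping forever.
    #    Indented lines belong to the service entry above them.
    awk '/^127\.0\.0\.1:10025[[:space:]]/ { inblk = 1; next }
         /^[^[:space:]#]/                 { inblk = 0 }
         inblk && /^[[:space:]]*-o[[:space:]]+content_filter=[[:space:]]*$/ { found = 1 }
         END { exit (found ? 0 : 1) }' "$master" \
      || { echo "master.cf: 127.0.0.1:10025 listener does not set content_filter= (mail loop risk)"
           problems=$((problems + 1)); }
  else
    echo "master.cf: no 127.0.0.1:10025 listener (a bare '10025 inet' entry would bind every interface)"
    problems=$((problems + 1))
  fi
  return $problems
}

# Run with --check against the live configuration:
#   sh check_amavis_wiring.sh --check && postfix reload
if [ "${1:-}" = "--check" ]; then
  if check_wiring "$POSTFIX_DIR/master.cf" "$POSTFIX_DIR/main.cf"; then
    echo "Postfix/amavisd wiring looks consistent"
  fi
fi
```

Run it before the postfix reload step; if it reports the loop problem, that's the -o content_filter= line under the 10025 listener in master.cf that has gone missing or lost its indentation.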

I hope this helps you reduce the amount of rubbish & viruses on your system. Through a great number of sites & mailing lists I visited, I was able to put all this together & get it working, plus reading the appropriate ReadMe files within the packages I downloaded. For a reference aimed at Mac OSX Server users, visit the article on Postfix at the AFP548 website.

Additionally, you can later set up Spam Assassin preferences for each user with Procmail, so whatever unwanted spam does get through can be filtered yet more aggressively for particular users. Good luck with your system.

------------------------------------

Terry Allen runs the current version of Tenon's iTools along with a variety of different software & scripts. He has been using Tenon's products since the days of Mac OS9 & WebTen. You can visit some of his sites at http://heard.com.au or http://itavservices.com



Copyright©2013 Tenon Intersystems, 232 Anacapa Street, Suite 2A, Santa Barbara, CA 93101. All rights reserved.