A bad side effect of email has been the rapid spread of viruses and spam, both of which are illegal in one form or another these days. However, this doesn't stop virus writers or spam moguls from doing what they do. This means that it's up to our mail server to protect our users from such things.
Luckily, great applications can help us in our fight against spam and viruses. For spam protection we will, of course, be using SpamAssassin. For virus protection, we will be using Qmail-Scanner and ClamAV.
SpamAssassin is a lifesaver in my daily life. Every day, it catches about 48 messages before they hit my inbox. Because I don't send a message to the recipients, I'm not sure how many viruses are stopped by Qmail-Scanner, but I'm sure more than a few have been rejected.
SpamAssassin is available for most Linux distributions. If you can't find a
package for your distribution, you must install from the source. You can find
more information in SpamAssassin's
INSTALL file. You will most likely also want to install Razor, which SpamAssassin can also
use. Debian users can
apt-get the package
After you have SpamAssassin up and running, you need to create some
rules and edit your domain's .qmail files. First, let's create a
procmail file with our spam recipes. Please remember that any recipes in this
file are global for the entire virtual domain. Also, I use a program called safecat to properly place messages into my Maildir folders.
# The user's home directory VHOME=`/var/lib/vpopmail/bin/vuserinfo -d $EXT@$HOST` # Path to the safecat utility SAFECAT=/usr/bin/safecat # What folder you want spam to go to SPAMHOME=$VHOME/Maildir/.Spam # Create spam folders SPAM_CREATE=`/var/lib/vpopmail/bin/spam.sh $VHOME` # Run SpamAssassin :0fw | spamassassin # Move spam to where it belongs :0w * ^X-Spam-Status: Yes | $SAFECAT $SPAMHOME/tmp $SPAMHOME/new # Deliver good mail :0w | /var/lib/vpopmail/bin/vdelivermail '' bounce-no-mailbox
procmail wizard, but this file works for me without any major
problems. I use the call to
spam.sh to check and see if the spam
directory exists. If it doesn't, I create it. I've reproduced the script
#!/bin/sh if [ ! -d $1/Maildir/.Spam ] then /usr/bin/maildirmake $1/Maildir/.Spam chown -R vpopmail.vchkpw $1/Maildir/.Spam fi
Now that your
procmailrc is all set up and working, you can
enable it in your .qmail files. To do this, you need to go to your
virtual domain directory and change a line in the .qmail-default
bash$ cd /var/lib/vpopmail/domains/example1.com
Open .qmail-default in your favorite editor and delete the only
line in there. Replace it with
| preline procmail -p -m ./procmailrc. Once that is done, send yourself a test email. View all headers in your favorite MUA and you should see something like
X-Spam-Status: No, hits=-2.8 required=5.0 tests=BAYES_10,FROM_EGROUPS,GROUPS_YAHOO_1,HTML_20_30,TONER version=2.55 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.55 (126.96.36.199-2003-05-19-exp)
You will notice that my spam level is set to 5.0. If you are running an ISP
or have a lot of users who get business-type email, you may wish to raise this.
The magic number appears to be somewhere between 7 and 8.5. To change your
settings, open up /var/lib/vpopmail/.spamassassin/user_prefs and
required_hits variable appropriately. You can also
change the individual scores for each test SpamAssassin checks. First, look
over the list of tests
and then simply add the alternate scores to
Before you attempt to install Qmail-Scanner, you must have compiled your Qmail with Bruce Guenter's QMAILQUEUE patch. If you don't have this installed, then you won't be able to run Qmail-Scanner, which means that you can't use ClamAV.
Before you install Qmail-Scanner, you need to install ClamAV. However, it should be noted that Qmail-Scanner supports a wide range of antivirus software and that you do not need to use ClamAV. It seems that, at the time of this writing, the ClamAV site is down; however, I was able to find Debian packages without any problems. A quick search on Google turned up RPM packages as well.
After you have verified that everything is ready to go, download and
bash$ ./configure \ --bindir=/usr/sbin --notify="sender,recips" bash$ ./configure \ --bindir=/usr/sbin --notify="sender,recips" --install
./configure is to verify that Qmail-Scanner finds your antivirus
software, while the second one actually installs the software. Once you have
the software installed, you need to tell Qmail to use it. This requires editing
your TCP server rules. On Debian, this file is /etc/tcp.smtp, but
it may be /etc/tcpserver/smtp.rules on other systems. It should look
something like the following:
After you have edited the file you will need to rebuild your SMTP access database with the following command:
bash$ tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp bash$ chmod 644 /etc/tcp.smtp*
For more information on relaying, you will definitely want to check out Life with Qmail's relaying section. If you compiled Qmail with the SMTP-AUTH patch, then you will not have to worry about this, because each time a user sends an email his MUA will send authentication as well.
You will need to restart Qmail now. After you have restarted Qmail, send yourself a test message. You should see the following in your headers:
X-Qmail-Scanner-Mail-From: email@example.com via bubba X-Qmail-Scanner: 1.16 (Clear:. Processed in 0.873544 secs)
That's it! Now all incoming and outgoing mail will be scanned for viruses. You may optionally choose to have Qmail-Scanner invoke SpamAssassin as well. I didn't do this because I wanted control over what happened to the spam after it was detected.
If you've followed this entire series, you should have a mail server that
supports IMAP and POP3, as well as a web front end. Not only that, but you have
virtual domains and a web interface to manage users (if you installed
qmailadmin). To make things better, all incoming email is scanned for spam and
Sometimes it's not easy to integrate open source solutions into a large system that addresses all of your needs, but I think the mail server outlined in these articles covers just about everything.
Joe Stump is the Lead Architect for Digg where he spends his time partitioning data, creating internal services, and ensuring the code frameworks are in working order.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.