Try AntibodyMX antispam antivirus mail filtering for free!
Debian + exim4 + spamassassin + f-prot HOWTO
--------------------------------------------

//////////////////////////////////////////////////////////////////////////////
//
//   If the information in this HOWTO is misleading, inaccurate, unclear
//   or just plain wrong, please tell me about it!
//
//   If you're struggling to set up your own anti-spam and anti-virus
//   mail server then perhaps you'd like to try our new service?
//   See http://www.antibodymx.net/ for details.
//
//////////////////////////////////////////////////////////////////////////////

The latest version of this HOWTO can be found at:
http://www.clues.ltd.uk/howto/debian-sa-fprot-HOWTO.html


This howto assumes:

	- You are running Debian and are on the "unstable" branch.
	- You have installed exim4 and set it up for your needs.
	- You have a suitable licence for F-Prot.

Where lines of text have been wrapped for clarity, I've used the usual '\'
indicator.


Spamassassin
------------

You can set up spamassassin with exim4 so that it either tags spam as it passes
through the mail server or rejects mail that is considered to be spam.  This
howto assumes the latter, though the method of installation is identical in
both cases.

You will need to install the following packages:

	spamassassin
	spamc
	exim4-daemon-heavy

The latter should cleanly install over any other exim4 setup.  You also need to
install Marc Merlin's sa-exim package available here:

	http://marc.merlins.org/linux/exim/files/debian/sa-exim_3.1-2_i386.deb

Once installed, you need to configure your system to start spamd on boot.
There are lots of ways of doing this; I did so by hooking it into the network
startup scripts.  In your 'up' script for whichever interface the mail server
is listening on, simply add the line '/usr/sbin/spamd -d'.  This works for me
because I only have one network card in this particular box.  Adding it to
your init.d may be a better option.

Next you will need to tailor /etc/exim4/sa-exim.conf to your needs.  Key
variables to be aware of are:

SAEximDebug - You most likely want this set to '1' until things are working.

SAteergrube - You probably don't want this set. If you don't know what
teergrubing is then you _definitely_ don't want this set.

SApermreject - This is the threshold value at which spam will be rejected.


By default, exim4 will now be running as the user 'Debian-exim'.  If you want
sa-exim to archive copies of any mail it rejects then you will need to create
the various directories mentioned in sa-exim.conf and give them the right
ownership and permissions for that user.

Restart exim and check the logs; you should start seeing entries like this as
mail comes in:

2004-01-18 07:15:35 1Ai79e-0000Dq-8i F=uzwltcmwto24@melissacam.biz \
H=lsanca1-ar3-4-47-028-040.lsanca1.elnk.dsl.genuity.net [4.47.28.40] \
P=smtp rejected by local_scan(): Rejected: hits=7.5 required=5.0 trigger=5.0

2004-01-18 10:46:29 1AiARo-00015M-IM SA: Action: scanned but message isn't spam: \
hits=0.0 required=5.0 (scanned in 1/1 secs | \
Message-Id: 20040118104629.02DECDC230@postel.clues.ltd.uk). From <root@clues.ltd.uk> \
(host=postel.clues.ltd.uk [217.158.168.148]) for martin@hinterlands.org

Other than the permissions problem mentioned above, this worked "out of the
box" for me.  The only exception was an error message in which the "1/1 secs"
part was replaced with "3/3 secs".  If you get this then spamd is most likely
not running.
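As an added example (not part of the original HOWTO), here is a small Python parser for the two kinds of sa-exim log entry shown above; it also flags scans that took as long as the "3/3 secs" case the author describes as a sign that spamd isn't running. The two-second threshold and the third sample line are assumptions of the example, not values from the page.

```python
import re

# Patterns for the two sa-exim mainlog entries shown above (rejection, clean scan).
REJECT_RE = re.compile(
    r"rejected by local_scan\(\): Rejected: hits=(?P<hits>[\d.]+) "
    r"required=(?P<required>[\d.]+)")
SCANNED_RE = re.compile(
    r"SA: Action: (?P<action>.*?): hits=(?P<hits>[\d.]+) "
    r"required=(?P<required>[\d.]+) \(scanned in (?P<secs>\d+)/\d+ secs")
# Assumed threshold: "1/1 secs" was healthy, "3/3 secs" meant spamd was down.
SLOW_SCAN_SECS = 2

def parse_sa_line(line):
    """Describe one sa-exim log line as a dict, or return None for other lines."""
    m = REJECT_RE.search(line)
    if m:
        return {"action": "rejected", "hits": float(m["hits"]),
                "required": float(m["required"]), "secs": None,
                "spamd_suspect": False}
    m = SCANNED_RE.search(line)
    if m:
        secs = int(m["secs"])
        return {"action": m["action"], "hits": float(m["hits"]),
                "required": float(m["required"]), "secs": secs,
                "spamd_suspect": secs >= SLOW_SCAN_SECS}
    return None

def summarise(lines):
    """Count rejected, clean-scanned and suspiciously slow scans in a log excerpt."""
    counts = {"rejected": 0, "scanned": 0, "spamd_suspect": 0}
    for line in lines:
        rec = parse_sa_line(line)
        if rec is None:
            continue
        counts["rejected" if rec["action"] == "rejected" else "scanned"] += 1
        if rec["spamd_suspect"]:
            counts["spamd_suspect"] += 1
    return counts

# Constructed sample: the two entries above with their wrapped lines joined,
# plus a made-up third entry showing the "3/3 secs" symptom.
SAMPLE_LOG = [
    "2004-01-18 07:15:35 1Ai79e-0000Dq-8i F=uzwltcmwto24@melissacam.biz "
    "H=lsanca1-ar3-4-47-028-040.lsanca1.elnk.dsl.genuity.net [4.47.28.40] "
    "P=smtp rejected by local_scan(): Rejected: hits=7.5 required=5.0 trigger=5.0",
    "2004-01-18 10:46:29 1AiARo-00015M-IM SA: Action: scanned but message isn't spam: "
    "hits=0.0 required=5.0 (scanned in 1/1 secs | Message-Id: a@postel.clues.ltd.uk).",
    "2004-01-18 11:02:10 1AiAhG-00017Z-Qb SA: Action: scanned but message isn't spam: "
    "hits=0.0 required=5.0 (scanned in 3/3 secs | Message-Id: b@postel.clues.ltd.uk).",
]
```

Feed the lines of /var/log/exim4/mainlog to summarise() and a non-zero spamd_suspect count is your cue to check that spamd is actually up.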


F-Prot
------

You can plug pretty much any anti-virus package into exim4 via amavis.  I've
chosen F-Prot because it's a superb piece of software, it works on most
platforms and it's very well priced.  In some circumstances I understand it's
free to use; please be sure you have the right licence for your use.

If you have any previous installations of f-prot, amavis, amavis-ng or
amavisd-new then purge them and be sure all the config files (/etc/amavis) are
deleted. My first attempt to get this working failed due to a dangling symlink
and some outdated config files.

I am using the non-daemonised version of F-Prot. Amavis has support for both.

Debian/unstable has a neat installer for F-Prot, so you need to install these
packages:

	f-prot-installer
	amavisd-new
	arj
	lha
	zoo
	unzip
	lzop
	unrar
	cpio
	bzip2

Once installed, you should update the virus signature files.  It's a good idea
to have this run out of cron once a day.

	/usr/lib/f-prot/tools/check-updates

Next you'll need to hook F-Prot into exim4. You do this by creating two files:

/etc/exim4/conf.d/router/01_exim4-config_amavis
/etc/exim4/conf.d/transport/01_exim4-config_amavis

boole:/etc/exim4/conf.d# cat router/01_exim4-config_amavis
amavis:
	driver = manualroute
	condition = "${if eq {$interface_port}{10025} {0}{1}}"
	# if scanning incoming mails, uncomment the following line and
	# change local_domains accordingly
	domains = +local_domains
	transport = amavis
	route_list = "* localhost byname"
	self = send
	
boole:/etc/exim4/conf.d# cat transport/01_exim4-config_amavis
amavis:
	driver = smtp
	port = 10024
	allow_localhost

Next you'll need to tweak /etc/amavis/amavisd.conf.  Key variables to look out
for are:

$mydomain = "example.com";
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;

You'll find these last two in the 'EXIM V4' section; they default to the right
values anyway.  There are also a few informational lines you may wish to
change; these will become obvious from the messages amavis generates as it
runs.

You may also wish to move F-Prot from the "secondary" list of AV options to the
primary.  It'll still work even if you don't, but you'll get an additional
complaint from amavis.

Start amavis (/etc/init.d/amavis start) and take a look at /var/log/syslog.
If things are working normally, you'll see a long message like this:


Jan 17 19:24:51 boole amavis[31461]: starting.  amavisd-new at \
boole.clues.ltd.uk amavisd-new-20030616-p5, Unicode aware, LANG=C
Jan 17 19:24:51 boole amavis[31461]: Perl version               5.008002
Jan 17 19:24:51 boole amavis[31461]: Module Amavis::Conf        1.15
Jan 17 19:24:51 boole amavis[31461]: Module Archive::Tar        1.03
Jan 17 19:24:51 boole amavis[31461]: Module Archive::Zip        1.05
Jan 17 19:24:51 boole amavis[31461]: Module Compress::Zlib      1.16
Jan 17 19:24:51 boole amavis[31461]: Module Convert::TNEF       0.17
Jan 17 19:24:51 boole amavis[31461]: Module Convert::UUlib      1.0
Jan 17 19:24:51 boole amavis[31461]: Module MIME::Entity        5.404
Jan 17 19:24:51 boole amavis[31461]: Module MIME::Parser        5.406
Jan 17 19:24:51 boole amavis[31461]: Module MIME::Tools         5.411
Jan 17 19:24:51 boole amavis[31461]: Module Mail::Header        1.59
Jan 17 19:24:51 boole amavis[31461]: Module Mail::Internet      1.59
Jan 17 19:24:51 boole amavis[31461]: Module Net::Cmd            2.24
Jan 17 19:24:51 boole amavis[31461]: Module Net::SMTP           2.26
Jan 17 19:24:51 boole amavis[31461]: Module Net::Server         0.85
Jan 17 19:24:51 boole amavis[31461]: Module Time::HiRes         1.52
Jan 17 19:24:51 boole amavis[31461]: Module Unix::Syslog        0.100
Jan 17 19:24:51 boole amavis[31462]: Found $file       at /usr/bin/file
Jan 17 19:24:51 boole amavis[31462]: Found $arc        at /usr/bin/nomarch
Jan 17 19:24:51 boole amavis[31462]: Found $gzip       at /bin/gzip
Jan 17 19:24:51 boole amavis[31462]: Found $bzip2      at /usr/bin/bzip2
Jan 17 19:24:51 boole amavis[31462]: Found $lzop       at /bin/lzop
Jan 17 19:24:51 boole amavis[31462]: Found $lha        at /usr/bin/lha
Jan 17 19:24:51 boole amavis[31462]: Found $unarj      at /usr/bin/arj
Jan 17 19:24:51 boole amavis[31462]: Found $uncompress at /bin/uncompress
Jan 17 19:24:51 boole amavis[31462]: No $unfreeze,     not using it
Jan 17 19:24:51 boole amavis[31462]: Found $unrar      at /usr/bin/unrar
Jan 17 19:24:51 boole amavis[31462]: Found $zoo        at /usr/bin/zoo
Jan 17 19:24:51 boole amavis[31462]: Found $cpio       at /bin/cpio
Jan 17 19:24:51 boole amavis[31462]: Found primary av scanner \
FRISK F-Prot Antivirus at /usr/bin/f-prot

Test that amavis is accepting connections on the local port.

boole:~# telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready

Lastly, edit /etc/exim4/update-exim4.conf.conf and change the
dc_local_interfaces line to be:

dc_local_interfaces='0.0.0.0.25 : 127.0.0.1.10025'

Reconfigure exim by running 'dpkg-reconfigure exim4-config' and you should now
be ready to run.  Restart exim and check that there were no complaints in the
log files.  If there are none, you can now test that the anti-virus hook is
working.

Create an EICAR test file, instructions here:

http://www.eicar.org/anti_virus_test_file.htm

Mail it to yourself, preferably from an external account.  If all is well, you
should see a log entry like this:

Jan 17 18:47:02 boole amavis[31338]: (31338-01) INFECTED (EICAR_Test_File), \
<root@clues.ltd.uk> -> <martin@hinterlands.org>, \
quarantine virus-20040117-184700-31338-01, \
Message-ID: <20040117184700.270B8DC230@postel.clues.ltd.uk>, Hits: -
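As an added example (not from the original HOWTO), this Python script builds the EICAR test mail, hands it to the local exim on port 25 (the author prefers sending from an external account, which exercises the same amavis path), and checks syslog lines for the INFECTED entry shown above. The addresses are hypothetical placeholders.

```python
import re
import smtplib
from email.message import EmailMessage

# The standard 68-byte EICAR test string: inert, and recognised by scanners
# as a test signature rather than as real malicious code.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Matches the amavis syslog entry shown above for a caught message.
INFECTED_RE = re.compile(r"INFECTED \((?P<name>[^)]+)\).*?quarantine (?P<qid>\S+),")

def build_eicar_message(sender, recipient):
    """Build a mail with the EICAR file attached as eicar.com."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "EICAR anti-virus hook test"
    msg.set_content("If the amavis/F-Prot hook works, this will never be delivered.")
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                       filename="eicar.com")
    return msg

def attached_eicar(msg):
    """Decode the first attachment so the test file can be verified before sending."""
    for part in msg.iter_attachments():
        return part.get_payload(decode=True)
    return None

def send_via_local_exim(msg, host="localhost", port=25):
    """Hand the message to exim on port 25; it should then pass through amavis on 10024."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)

def infected_in_log(lines, name="EICAR_Test_File"):
    """Return the quarantine id if amavis logged the named detection, else None."""
    for line in lines:
        m = INFECTED_RE.search(line)
        if m and m["name"] == name:
            return m["qid"]
    return None

if __name__ == "__main__":
    # Hypothetical addresses; replace with your own before running.
    send_via_local_exim(build_eicar_message("postmaster@example.com", "you@example.com"))
```

After sending, run infected_in_log() over the lines of /var/log/syslog: a returned quarantine id confirms the hook caught the test file.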


------------------------
Copyright (c) 2004, Martin A. Brooks martin@clues.ltd.uk, Clues Ltd.

Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.1 or any later version
published by the Free Software Foundation.