How to set up Clam Antivirus, SpamAssassin and MailScanner on Ubuntu mail server

I had originally written this tutorial for xmodulo.com.
Antivirus and anti-spam protection are among the most important security features for a mail server.
Unix/Linux based mail servers are typically invulnerable to malware and viruses, and there is a very slim chance that the server itself may get infected. On the other hand, the operating system of an end user device may not always be so secure. We certainly do not want our mail server to accept or distribute malware-embedded emails. So setting up antivirus software on a mail server is a must.
Anti-spam filters inspect every incoming and outgoing mail for patterns of spamming. For example, spam mails usually contain a large number of recipients. Also, a reverse DNS query for the domain in a spam mail does not always provide proper answers. If the spam filter software finds any mail that could be spam, it blocks the mail. This helps retain the reputation of the mail server, and prevents the IP address of the mail server from being blacklisted.
In this tutorial, we will be looking at how to secure our mail server on Ubuntu by setting up:
  • Clam Antivirus: open-source antivirus engine.
  • SpamAssassin: e-mail spam filtering engine.
  • MailScanner [version_4.74.16-1]: uses antivirus and anti-spam engines to scan inbound and outbound emails.
This tutorial is version specific. As of this writing, MailScanner is not available in the Ubuntu repository, so we will be using the MailScanner .deb package instead. Unfortunately, the dependency packages required for the latest version of MailScanner [4.79.11-2.2] are not available in the Ubuntu repository either. However, the dependency packages for version 4.74.16-1 are available. Thus, we will be using the MailScanner [4.74.16-1] .deb package in this tutorial. Ubuntu 12.04 is used for testing.
For those of you who are interested in setting it up on CentOS, refer to this tutorial instead.

Installing Dependencies on Ubuntu

Before doing anything else on Ubuntu, the first thing to do is to install all the necessary dependencies. The list of dependencies is long, but luckily it can be done using one command.
# apt-get install gcc g++ cpp zlib1g-dev libgmp3-dev perl bzip2 zip make patch automake libhtml-template-perl linux-headers-`uname -r` build-essential libnewt-dev libusb-dev libconvert-tnef-perl libdbd-sqlite3-perl libfilesys-df-perl libmailtools-perl libmime-tools-perl libmime-perl libnet-cidr-perl libsys-syslog-perl libio-stringy-perl libfile-temp-perl libole-storage-lite-perl libarchive-zip-perl libole-storage-lite-perl libdigest-sha-perl

Installing Clam Antivirus and SpamAssassin

Now that the dependencies are installed, Clam Antivirus and SpamAssassin can be installed using apt-get.
# apt-get install clamav clamav-daemon spamassassin
SpamAssassin has to be enabled, and then started:
# vim /etc/default/spamassassin
ENABLED=1
# service spamassassin restart
After the packages are installed, they can be updated using the following commands.
# freshclam ; sa-update

Installing MailScanner

After all the software that MailScanner depends on has been installed, we will download the .deb package for MailScanner version 4.74 and install it.
# wget http://mirrors.kernel.org/ubuntu/pool/universe/m/mailscanner/mailscanner_4.74.16-1_all.deb
# dpkg -i mailscanner_4.74.16-1_all.deb

Configuring MailScanner

Now it is time to adjust the parameters of MailScanner.
First of all, the directory for SpamAssassin is created and its ownership is given to the postfix user.
# mkdir /var/spool/MailScanner/spamassassin
# chown postfix /var/spool/MailScanner/spamassassin
The configuration file /etc/MailScanner/MailScanner.conf is backed up, and then modified as follows.
# vim /etc/MailScanner/MailScanner.conf
%org-name% = test Ubuntu mail server
%org-long-name% = Your Organization Name Here
%web-site% = www.your-organisation.com
 
Run As User = postfix
Run As Group = postfix
 
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
 
MTA = postfix
 
Virus Scanners = clamav
 
Spam List = SBL+XBL
## please check /etc/MailScanner/spam.lists.conf for more details ##
 
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
## the directory created earlier ##
More information about the configuration file parameters can be found in the official documentation.
The Postfix configuration is modified as well. We will configure Postfix to hold all mail. MailScanner will pick up the held emails and check them, and then the mails will be handed over to Postfix again for delivery. Here is how the configuration files are modified.
# vi /etc/postfix/header_checks
/^Received:/ HOLD
# vim /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
MailScanner is enabled by un-commenting the following line.
# vim /etc/default/mailscanner
run_mailscanner=1
Finally, Postfix and MailScanner services are started.
# service postfix restart
# service mailscanner restart
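If any one of these settings is missing, mail is either delivered without being scanned or sits in the hold queue indefinitely. The following check is an added example, not part of the original tutorial; the function names and the optional root-prefix argument are this example's own, and the expected values are the ones used in this section.

```sh
#!/bin/sh
# Added example: audit the Postfix -> MailScanner -> Postfix path from this section.
# Print the value of "key = value" in FILE, skipping commented-out lines.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1" 2>/dev/null
}

# expect_conf FILE KEY WANTED: compare one setting with the tutorial's value.
expect_conf() {
    got=$(conf_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "OK   $2 = $got"
    else
        echo "FAIL $2: found '$got', tutorial uses '$3'"
        audit_rc=1
    fi
}

# audit_scan_path [ROOT]: ROOT is an optional prefix (a copy of /etc for testing).
audit_scan_path() {
    root=${1:-}
    ms=$root/etc/MailScanner/MailScanner.conf
    audit_rc=0
    expect_conf "$ms" "Run As User" postfix
    expect_conf "$ms" "Run As Group" postfix
    expect_conf "$ms" "Incoming Queue Dir" /var/spool/postfix/hold
    expect_conf "$ms" "Outgoing Queue Dir" /var/spool/postfix/incoming
    expect_conf "$ms" "MTA" postfix
    expect_conf "$ms" "Virus Scanners" clamav
    expect_conf "$root/etc/postfix/main.cf" header_checks regexp:/etc/postfix/header_checks
    expect_conf "$root/etc/default/mailscanner" run_mailscanner 1
    # Without this rule nothing is held, so mail is delivered unscanned.
    if grep -Eq '^/\^Received:/[[:space:]]+HOLD' "$root/etc/postfix/header_checks" 2>/dev/null; then
        echo "OK   header_checks holds mail for MailScanner"
    else
        echo "FAIL no '/^Received:/ HOLD' rule in header_checks"
        audit_rc=1
    fi
    return "$audit_rc"
}
case "${1:-}" in --live) audit_scan_path ;; esac
```

Run the script with `--live` on the mail server to check the real files; a non-zero exit status means at least one setting differs from this tutorial.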

Testing MailScanner

Now that MailScanner has been deployed, we can test its functionality by monitoring the mail log. Let us send a test mail and see what happens.
# tail /var/log/mail.log
Mar  3 02:46:39 ubuntu postfix/smtpd[31616]: connect from localhost[127.0.0.1]
Mar  3 02:46:39 ubuntu postfix/smtpd[31616]: E5F3C44FB1: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=sarmed
Mar  3 02:46:39 ubuntu postfix/cleanup[31620]: E5F3C44FB1: hold: header Received: from [server_ip] (localhost [127.0.0.1])??by ubuntu.example.tst (Postfix) with ESMTPA id E5F3C44FB1??for ; Mon,  3 Mar 2014 02:46:39 +0600 (BDT) from localhost[127.0.0.1]; from= to= proto=ESMTP helo=<[server_ip]>
Mar  3 02:46:39 ubuntu postfix/cleanup[31620]: E5F3C44FB1: message-id=
Mar  3 02:46:40 ubuntu postfix/smtpd[31616]: disconnect from localhost[127.0.0.1]
Mar  3 02:46:40 ubuntu MailScanner[31695]: MailScanner E-Mail Virus Scanner version 4.74.16 starting...
Mar  3 02:46:40 ubuntu MailScanner[31695]: Read 848 hostnames from the phishing whitelist
Mar  3 02:46:40 ubuntu MailScanner[31570]: New Batch: Scanning 1 messages, 2572 bytes
Mar  3 02:46:40 ubuntu MailScanner[31695]: Read 4278 hostnames from the phishing blacklist
Mar  3 02:46:40 ubuntu MailScanner[31695]: Using SpamAssassin results cache
Mar  3 02:46:40 ubuntu MailScanner[31695]: Connected to SpamAssassin cache database
Mar  3 02:46:40 ubuntu MailScanner[31695]: Enabling SpamAssassin auto-whitelist functionality...
Mar  3 02:46:41 ubuntu MailScanner[31695]: Using locktype = flock
Mar  3 02:46:41 ubuntu MailScanner[31570]: Virus and Content Scanning: Starting
Mar  3 02:46:48 ubuntu MailScanner[31570]: Requeue: E5F3C44FB1.283A6 to 13B8344FB3
Mar  3 02:46:48 ubuntu MailScanner[31570]: Uninfected: Delivered 1 messages
Mar  3 02:46:48 ubuntu postfix/qmgr[31519]: 13B8344FB3: from=, size=1879, nrcpt=1 (queue active)
Mar  3 02:46:48 ubuntu postfix/local[31637]: 13B8344FB3: to=, relay=local, delay=8.6, delays=8.6/0/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  3 02:46:48 ubuntu postfix/qmgr[31519]: 13B8344FB3: removed
The summary of the log is provided below.
  • Postfix held the email after the SMTP connection. The email was placed in /var/spool/postfix/hold.
  • MailScanner scanned the email: (1) spam-check from blacklist, (2) spam-check from SpamAssassin online database, and (3) virus and content scanning.
  • MailScanner changed the queue ID for the email.
  • After the mail was found clean, it was handed back to Postfix with the new queue ID.
  • Postfix delivered the email to the destination account.
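Because the queue ID changes at the Requeue step, following one message by hand means searching the log twice. The script below is an added example, not part of the original tutorial: it matches only the hold, Requeue and status= lines shown in the log above, the function names are its own, and the second message in its sample log is constructed to show mail that was held but never picked up by MailScanner.

```sh
#!/bin/sh
# Added example: follow each held message through MailScanner to delivery.
# Output per held message: ORIGINAL_QID NEW_QID STATUS
trace_held_mail() {
    awk '
        # Postfix cleanup put the message on hold.
        $5 ~ /^postfix\/cleanup/ && $7 == "hold:" {
            q = $6; sub(/:$/, "", q)
            if (!(q in held)) { held[q] = 1; order[++n] = q }
        }
        # MailScanner released it to Postfix under a new queue ID.
        $5 ~ /^MailScanner/ && $6 == "Requeue:" {
            old = $7; sub(/\..*$/, "", old)
            newid[old] = $9
        }
        # Delivery status logged by Postfix for any queue ID.
        $5 ~ /^postfix\// && match($0, /status=[a-z]+/) {
            q = $6; sub(/:$/, "", q)
            status[q] = substr($0, RSTART + 7, RLENGTH - 7)
        }
        END {
            for (i = 1; i <= n; i++) {
                q = order[i]
                if (!(q in newid)) { print q, "-", "held-not-scanned"; continue }
                s = (newid[q] in status) ? status[newid[q]] : "no-delivery-record"
                print q, newid[q], s
            }
        }' "$@"
}

# Constructed sample: the first message mirrors the log above; the second
# (A1B2C3D4E5) is invented to show a message that stayed in the hold queue.
sample_log() {
    cat <<'EOF'
Mar  3 02:46:39 ubuntu postfix/cleanup[31620]: E5F3C44FB1: hold: header Received: from localhost
Mar  3 02:46:48 ubuntu MailScanner[31570]: Requeue: E5F3C44FB1.283A6 to 13B8344FB3
Mar  3 02:46:48 ubuntu postfix/local[31637]: 13B8344FB3: to=<user@example.tst>, relay=local, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  3 02:50:01 ubuntu postfix/cleanup[31620]: A1B2C3D4E5: hold: header Received: from localhost
EOF
}

sample_log | trace_held_mail
```

On a live server, call `trace_held_mail /var/log/mail.log` instead; a growing number of held-not-scanned entries means MailScanner is not processing the hold queue.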
To sum up, MailScanner integrated with Clam Antivirus and SpamAssassin is a very powerful tool, and is a must for production mail servers. It can fend off exploitation of most existing mail server vulnerabilities. This tutorial covers the minimum configuration for securing a mail server using MailScanner. The parameters of MailScanner, Clam Antivirus and SpamAssassin are highly customizable, and can be modified to meet different requirements.
Hope this helps.
