On Thu, 26 Feb 2004, Michael St. Laurent wrote:
> That's interesting. Would you be willing to share more details of your
> setup and how it all works? Is this MailScanner you're talking about?
>
Sure. Here are the main parts of my setup :
First my script to restart clamd from cron if it should die (pretty
primitive, yes, but it does the job). I run this from cron every 5 min.
It depends on clamd running as user "amavis" (the second grep).
#!/bin/sh
CLAMDRUNNING=`ps aux | grep clamd | grep amavis | wc | awk {'print $1'}`
if [ ${CLAMDRUNNING} -ge 1 ]; then
  /usr/bin/date >> /var/log/clamd-test.log
  echo "clamd is running" >> /var/log/clamd-test.log
  echo >> /var/log/clamd-test.log
else
  killall -q clamd           # just in case I made a mistake
  rm -f /var/amavis/clamd    # remove the stale socket, just in case clamd can't do it itself
  rm -f /var/run/clamd.pid   # same with the .pid file
  /usr/local/sbin/clamd      # start clamd up again
  /usr/bin/date >> /var/log/clamd-test.log
  echo "clamd was dead and had to be restarted" >> /var/log/clamd-test.log
  echo >> /var/log/clamd-test.log
fi
Here's my /etc/clamav.conf file :
### clamav.conf start
PidFile /var/run/clamd.pid
LocalSocket /var/amavis/clamd
FixStaleSocket
MaxThreads 25
ThreadTimeout 600
MaxDirectoryRecursion 20
FollowDirectorySymlinks
FollowFileSymlinks
SelfCheck 1200
User amavis
ScanMail
ScanArchive
ScanRAR
ArchiveMaxFileSize 50M
ArchiveMaxRecursion 6
ArchiveMaxFiles 1600
### clamav.conf end
And the interesting bits of my /etc/amavisd.conf :
$daemon_user = 'amavis';
$daemon_group = 'amavis';
$max_servers = 25;
$max_requests = 100;
$child_timeout=8*60;
@av_scanners = (
  ['Clam Antivirus-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", '/var/amavis/clamd'],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
@av_scanners_backup = (
  ['Clam Antivirus - clamscan', 'clamscan',
    '--stdout --disable-summary -r {}', [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
Of course I have a lot more settings in there as well. I run several other
scanners other than clam (although clam is the main one), and I also run
spamassassin via amavisd-new and then there's all the policy settings such
as whether to send mail to spam and virus senders etc.. but all that is
purely a matter of policy.
My postfix setup looks like this (a few bits have been stripped out with
<cut> since they are site specific).
My /etc/postfix/master.cf looks like this :
smtp            inet  n       -       y       -       -       smtpd
pickup          fifo  n       -       y       60      1       pickup
cleanup         unix  n       -       y       -       0       cleanup
qmgr            fifo  n       -       y       300     1       qmgr
rewrite         unix  -       -       y       -       -       trivial-rewrite
bounce          unix  -       -       y       -       0       bounce
defer           unix  -       -       y       -       0       bounce
flush           unix  n       -       y       1000?   0       flush
proxymap        unix  -       -       n       -       -       proxymap
smtp            unix  -       -       y       -       -       smtp
relay           unix  -       -       y       -       -       smtp
showq           unix  n       -       y       -       -       showq
error           unix  -       -       y       -       -       error
local           unix  -       n       n       -       -       local
virtual         unix  -       n       n       -       -       virtual
lmtp            unix  -       -       y       -       -       lmtp
smtp-amavis     unix  -       -       y       -       25      smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet  n       -       y       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelope=yes
maildrop        unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus       unix  -       n       n       -       -       pipe
    flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus           unix  -       n       n       -       -       pipe
    user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp            unix  -       n       n       -       -       pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail          unix  -       n       n       -       -       pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp           unix  -       n       n       -       -       pipe
    flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
And here is my /etc/postfix/main.cf :
alias_database = hash:/etc/postfix/aliases
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[localhost]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 4
default_destination_recipient_limit = 55
default_process_limit = 300
deliver_lock_attempts = 66
fork_attempts = 9
hash_queue_depth = 3
header_checks = regexp:/etc/postfix/header_checks
header_size_limit = 204800
hopcount_limit = 55
in_flow_delay = 2s
initial_destination_concurrency = 2
line_length_limit = 4096
local_recipient_maps =
local_transport = no local mail delivery
mailbox_transport = smtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
max_use = 110
maximal_backoff_time = 3600s
maximal_queue_lifetime = 7d
message_size_limit = 50000000
minimal_backoff_time = 300s
mydestination = <cut>
myhostname = <cut>
mynetworks = <cut>
myorigin = <cut>
newaliases_path = /usr/bin/newaliases
qmgr_message_active_limit = 25000
qmgr_message_recipient_limit = 25000
queue_minfree = 10000
queue_run_delay = 300s
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_connect_timeout = 66s
smtp_data_done_timeout = 666s
smtp_data_init_timeout = 222s
smtp_data_xfer_timeout = 222s
smtp_helo_timeout = 333s
smtp_mail_timeout = 333s
smtp_quit_timeout = 303s
smtp_rcpt_timeout = 333s
smtp_skip_4xx_greeting = no
smtp_skip_quit_response = no
smtpd_banner = <cut>
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unauth_pipelining, reject_invalid_hostname,
    permit_mynetworks
smtpd_recipient_restrictions = reject_unauth_destination, reject_non_fqdn_recipient,
    permit_mynetworks
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_invalid_hostname,
    reject_unknown_sender_domain
smtpd_soft_error_limit = 6
smtpd_timeout = 333s
soft_bounce = no
transport_maps = hash:/etc/postfix/transport
transport_retry_time = 66s
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
This is a gateway machine. It sits at the edge of the network and receives
mail for a lot of different domains that then has to go mainly to one
internal server where the users' mailboxes are, but a few domains have to
go to other servers. I use the /etc/postfix/transport file for this where
I have a line like this for each domain :
somedomain.example smtp:[internal-mail-server.mylocaldomain.local]
someotherdomain.example smtp:[other-internal-smtp.server.domain.local]
etc...
I list all the internal domains in "mydestination" which lets postfix
reject any mail for domains, that I don't host, right at the front door.
The restrictions I have set up in "smtpd_helo_restrictions",
"smtpd_recipient_restrictions" & "smtpd_sender_restrictions" could be
stricter, but they do a good job of rejecting a lot of junk from obvious
bogus senders etc, and they are not so strict as to reject too much mail
from servers that are legit but just slightly misconfigured. You may want
to use other options, but I've found the above to be a reasonable
compromise between rejecting bad stuff/incorrectly configured servers and
actually letting my users get most of their mail.
I have a few additional restrictions set up in /etc/postfix/header_checks
that look like this :
/^Received: .*\.test .*$/ REJECT RFC2606 domains are not allowed
/^Received: .*\.example .*$/ REJECT RFC2606 domains are not allowed
/^Received: .*\.invalid .*$/ REJECT RFC2606 domains are not allowed
/^Received: .*\.localhost .*$/ REJECT RFC2606 domains are not allowed
/^X-Originating-IP:..[a-z].*$/ REJECT Rejected, server seems to send false X-Originating-IP header
/^X-Originating-IP:.*IP.*$/ REJECT Rejected, server seems to send false X-Originating-IP header
/^Postmaster@/ OK
Again, that could be a *lot* more strict, but it rejects obvious bogus
stuff while not rejecting any valid mail. clam and spamassassin take care
of rejecting the bad stuff that gets past this.
Hope that helps you. Feel free to ask if anything is unclear :)
/Jesper Juhl
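
The clamd exchange that the @av_scanners entry above configures, as an added example that is not part of the original post or of amavisd-new: a "CONTSCAN <path>" line goes to the socket and the reply is classified with the same three patterns, and a reply that matches none of them (or an empty one from a dead daemon) is reported as a scan error, never as clean. The stand-in clamd, the path /var/amavis/tmp/msg-1 and the reply lines are constructed for the example.

```python
import re
import socket
import threading

# The three patterns from the @av_scanners entry, carried over to Python.
CLEAN = re.compile(r"\bOK$")
INFECTED = re.compile(r"\bFOUND$")
VIRUS_NAME = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")

def classify(reply):
    """Map clamd's reply text to (verdict, virus_names)."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    names = []
    for ln in lines:
        if INFECTED.search(ln):
            m = VIRUS_NAME.match(ln)
            names.append(m.group(1) if m else "unknown")
    if names:
        return "infected", names
    if lines and all(CLEAN.search(ln) for ln in lines):
        return "clean", []
    # Empty reply, ERROR line, anything unrecognised: never report it as clean.
    return "error", []

def ask_clamd(sock, path):
    """Send CONTSCAN on a connected stream socket, read until the peer closes."""
    sock.sendall(("CONTSCAN %s\n" % path).encode())
    reply = sock.makefile("rb").read()
    return classify(reply.decode(errors="replace"))

def demo(canned_reply, path="/var/amavis/tmp/msg-1"):
    """Run the exchange against a constructed stand-in for clamd."""
    # AF_UNIX stream pair, the same socket type as clamd's LocalSocket.
    client, server = socket.socketpair()
    def fake_clamd():
        server.recv(4096)                      # the CONTSCAN request line
        server.sendall(canned_reply.encode())  # constructed reply
        server.close()                         # closing marks end of reply
    worker = threading.Thread(target=fake_clamd)
    worker.start()
    try:
        return ask_clamd(client, path)
    finally:
        worker.join()
        client.close()
```

Against a real daemon, ask_clamd() takes a socket.socket(socket.AF_UNIX) connected to the LocalSocket path from clamav.conf.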
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
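
A small harness for trying the header_checks rules from the post against sample headers before loading them, added here as an example and not part of the original post. It assumes the Postfix regexp-table behaviour of case-insensitive matching with the first matching rule winning; the sample headers are constructed.

```python
import re

# The rules from the post's /etc/postfix/header_checks, wrapped lines rejoined.
TABLE = r"""
/^Received: .*\.test .*$/ REJECT RFC2606 domains are not allowed
/^Received: .*\.example .*$/ REJECT RFC2606 domains are not allowed
/^Received: .*\.invalid .*$/ REJECT RFC2606 domains are not allowed
/^Received: .*\.localhost .*$/ REJECT RFC2606 domains are not allowed
/^X-Originating-IP:..[a-z].*$/ REJECT Rejected, server seems to send false X-Originating-IP header
/^X-Originating-IP:.*IP.*$/ REJECT Rejected, server seems to send false X-Originating-IP header
/^Postmaster@/ OK
"""
RULE = re.compile(r"^/(.*)/\s+(\S+)\s*(.*)$")

def load(table):
    """Parse '/pattern/ ACTION text' lines into (regex, action, text) rules."""
    rules = []
    for line in table.strip().splitlines():
        pattern, action, text = RULE.match(line).groups()
        # Assumption stated above: matching is case-insensitive by default.
        rules.append((re.compile(pattern, re.IGNORECASE), action, text))
    return rules

def check(rules, header):
    """Return (action, text) of the first matching rule, or None."""
    for rx, action, text in rules:
        if rx.search(header):
            return action, text
    return None

# Constructed sample headers (not taken from real mail).
SAMPLES = [
    "Received: from mail.example (unknown [192.0.2.10]) by gw.mylocaldomain.local",
    "Received: from mail.example.org (mail.example.org [192.0.2.11]) by gw.mylocaldomain.local",
    "X-Originating-IP: [unknown]",
    "X-Originating-IP: [192.0.2.12]",
    # Header lines begin with a field name, so the ^-anchored rule does not fire.
    "From: Postmaster@somedomain.example",
]

def run():
    """Evaluate every sample header against the table, in order."""
    rules = load(TABLE)
    return [check(rules, h) for h in SAMPLES]
```

On the gateway itself, postmap -q "<header line>" regexp:/etc/postfix/header_checks performs the same lookup with Postfix's own regular expression engine.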