
Postfix - Anti-Virus and Anti-SPAM with MailScanner, ClamAV and SpamAssassin

Introduction

According to 2004 statistics, more than 85% of the mail traffic on the Internet is advertising (spam) or virus mail. Setting up a mail server is simple, apart from making sure it cannot be abused as an open [Mail Relay]; blocking unsolicited advertising and virus mail, on the other hand, is hard and has become a headache for administrators in recent years. Many vendors have seized on this and sell appliances (boxes) for blocking spam and virus mail, but on [FreeBSD] with the related Open Source packages the same can be achieved easily and at no cost.

This walkthrough uses [MailScanner] as a mail gateway: the content of every message (including attachments) is analysed and scanned to decide whether it carries a known virus or is advertising mail, and the message is then handled according to that classification (tagging the subject line, or deleting it). The roles of the packages involved are described below:

Lab environment

Installation and configuration

ClamAV (mail anti-virus)

Step 1. Install the ClamAV package

Change to the Ports Tree directory and install the ClamAV package. In this walkthrough the MILTER option is ticked during installation (note that MailScanner invokes the scanner itself; the milter is not wired into Postfix anywhere in this setup).

 #cd /usr/ports/security/clamav                   //change to the port directory
 #make install clean                              //install the package and remove the files left over from the build

Tick the MILTER option

MailScanner

Step 1. Install the MailScanner package

Change to the Ports Tree directory and install the MailScanner package

 #cd /usr/ports/mail/mailscanner                  //change to the port directory
 #make install                                    //install the package
 #make initial-config                             //install (create) the configuration files (first installation only)

Step 2. Modify the Postfix configuration file (main.cf)

Modify the Postfix configuration file (main.cf). For Postfix installation and configuration in general, see the article on this site, Postfix - SMTP Auth with SASLv1.

 #vi /usr/local/etc/postfix/main.cf               //edit the Postfix configuration file
 #header_checks = regexp:/usr/local/etc/postfix/header_checks     //default value (commented out)
 header_checks = regexp:/usr/local/etc/postfix/header_checks      //after the change: comment marker removed

Edit header_checks as follows. The single rule parks every message that carries a Received: header (Postfix adds one to every message it accepts) in the hold queue, from which MailScanner picks it up; no message therefore reaches the incoming queue without having been scanned.

 #vi header_checks                                //edit this file as follows
 /^Received:/ HOLD                                //tells Postfix to move the message to the HOLD queue

Step 3. Modify the MailScanner configuration file (mailscanner.conf)

Modify the MailScanner configuration file mailscanner.conf as follows

 #vi /usr/local/etc/MailScanner/mailscanner.conf  //edit the configuration file as follows
 #Run As User =                                   //default value
 Run As User = postfix                            //after the change: uncommented and set to postfix
 #Run As Group =                                  //default value
 Run As Group = postfix                           //after the change: uncommented and set to postfix
 #Incoming Queue Dir = /var/spool/mqueue.in       //default value
 Incoming Queue Dir = /var/spool/postfix/hold     //after the change: the Postfix hold queue, where header_checks parks incoming mail
 #Outgoing Queue Dir = /var/spool/mqueue          //default value
 Outgoing Queue Dir = /var/spool/postfix/incoming //after the change: the Postfix incoming queue, into which scanned mail is re-injected
 #MTA = sendmail                                  //default value
 MTA = postfix                                    //after the change: uncommented and set to postfix
 #Virus Scanners = none                           //default value
 Virus Scanners = clamav                          //after the change: name of the virus scanner to use, clamav
 #Use SpamAssassin = no                           //default value
 Use SpamAssassin = yes                           //after the change: set to yes

Step 4. Create the MailScanner directories

Create the directories in which MailScanner will keep messages

 #mkdir /var/spool/MailScanner                    //MailScanner spool directory
 #mkdir /var/spool/MailScanner/incoming           //working directory for messages while they are being scanned
 #mkdir /var/spool/MailScanner/quarantine         //directory for quarantined virus mail (the quarantine)
 #touch /usr/local/etc/MailScanner/rules/bounce.rules      //create this empty file (otherwise an error appears later; see the FAQ)

After creating the directories, change their owner:group to postfix so that MailScanner, which runs as the postfix user configured above, can read and write them

 #chown -R postfix:postfix  /var/spool/MailScanner
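The hand-off configured in Steps 2 to 4 is easy to get subtly wrong, and the failure mode is silent: a header_checks line left commented out means nothing is held and every message bypasses the scanner, while a hold queue missing from hash_queue_names stops MailScanner outright (see the FAQ at the end). The script below is an added example written for this page, not code from the article or from the MailScanner project; it audits those settings and the ownership of the hold queue before MailScanner is started. The function names and the sample configuration files it builds in a temporary directory are assumptions made here so that it runs offline; on a live host point the functions at the real files (/usr/local/etc/postfix/main.cf, /usr/local/etc/postfix/header_checks and /usr/local/etc/MailScanner/mailscanner.conf).

```shell
#!/bin/sh
# Added example, not part of the original article: audit the Postfix <-> MailScanner
# hand-off before starting MailScanner. Helper names and the sample files built below
# are assumptions made so the script runs offline.

# Last active (not commented-out) value of "KEY = value" in a config file, trailing blanks removed.
cfg_value() {  # cfg_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# 0 when main.cf enables header_checks (a line starting with '#' does not count).
header_checks_enabled() { [ -n "$(cfg_value "$1" header_checks)" ]; }

# 0 when the header_checks table parks every message carrying a Received: header in the hold queue.
hold_rule_present() { grep -Eq '^/\^Received:/[[:space:]]+HOLD' "$1"; }

# 0 when hash_queue_names lists both hold and incoming: MailScanner only reads hashed queues.
hashed_queues_ok() {
    names=",$(cfg_value "$1" hash_queue_names),"
    case $names in *,hold,*) ;; *) return 1 ;; esac
    case $names in *,incoming,*) return 0 ;; *) return 1 ;; esac
}

# 0 when MailScanner is set to Postfix, reads the hold queue and writes the incoming queue under SPOOL.
mailscanner_queues_ok() {  # mailscanner_queues_ok MAILSCANNER_CONF [SPOOL]
    spool=${2:-/var/spool/postfix}
    [ "$(cfg_value "$1" MTA)" = postfix ] &&
    [ "$(cfg_value "$1" 'Incoming Queue Dir')" = "$spool/hold" ] &&
    [ "$(cfg_value "$1" 'Outgoing Queue Dir')" = "$spool/incoming" ]
}

# 0 when DIR exists and is owned by USER (third field of ls -ld on both FreeBSD and Linux).
dir_owned_by() { [ -d "$1" ] && [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]; }

# Run every check against CONFDIR (main.cf, header_checks, mailscanner.conf); print one line per
# check and return the number of failures, so a non-zero status means "do not start MailScanner".
audit() {  # audit CONFDIR SPOOL OWNER
    fails=0
    for check in "header_checks_enabled $1/main.cf" \
                 "hold_rule_present $1/header_checks" \
                 "hashed_queues_ok $1/main.cf" \
                 "mailscanner_queues_ok $1/mailscanner.conf $2" \
                 "dir_owned_by $2/hold $3"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fails=$((fails + 1)); fi
    done
    return $fails
}

# --- constructed sample data (an assumption for this example, not taken from a real host) ---
TMP=$(mktemp -d)
mkdir -p "$TMP/good" "$TMP/bad" "$TMP/spool/hold" "$TMP/spool/incoming"
cat > "$TMP/good/main.cf" <<'EOF'
header_checks = regexp:/usr/local/etc/postfix/header_checks
hash_queue_depth = 1
hash_queue_names = incoming,active,deferred,bounce,defer,flush,hold
EOF
printf '/^Received:/ HOLD\n' > "$TMP/good/header_checks"
cat > "$TMP/good/mailscanner.conf" <<EOF
Run As User = postfix
MTA = postfix
Incoming Queue Dir = $TMP/spool/hold
Outgoing Queue Dir = $TMP/spool/incoming
Virus Scanners = clamav
EOF
# "bad": header_checks still commented out, hold queue not hashed, MTA left at sendmail.
cat > "$TMP/bad/main.cf" <<'EOF'
#header_checks = regexp:/usr/local/etc/postfix/header_checks
hash_queue_names = incoming,active,deferred
EOF
printf '/^Received:/ HOLD\n' > "$TMP/bad/header_checks"
sed 's/^MTA = postfix/MTA = sendmail/' "$TMP/good/mailscanner.conf" > "$TMP/bad/mailscanner.conf"

ME=$(id -un)   # on the real system the expected owner is postfix
if audit "$TMP/good" "$TMP/spool" "$ME"; then echo "good config: all checks passed"; else echo "good config: $? check(s) failed"; fi
if audit "$TMP/bad" "$TMP/spool" "$ME"; then echo "bad config: all checks passed"; else echo "bad config: $? check(s) failed"; fi
```

The "good" set passes all five checks; the "bad" set fails three (header_checks disabled, hold queue not hashed, MTA still sendmail), which is exactly the combination that lets mail flow around the scanner without any error in the log.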

MailScanner-MRTG

Step 1. Install the MailScanner-MRTG package

Change to the Ports Tree directory and install the MailScanner-MRTG package

 #cd /usr/ports/mail/mailscanner-mrtg             //change to the port directory
 #make install clean                              //install the package and remove the files left over from the build

Step 2. Modify the MailScanner-MRTG configuration files

Before editing the MailScanner-MRTG configuration files mailscanner-mrtg.conf and mailscanner-mrtg.cfg, copy the sample files and edit the copies. The contents of mailscanner-mrtg.cfg are the same as those of an ordinary MRTG configuration file and are not covered again here; see the article on this site, MRTG - Host NIC Traffic Statistics.

 #cd /usr/local/etc/mailscanner-mrtg              //change to the mailscanner-mrtg configuration directory
 #cp mailscanner-mrtg.conf.sample mailscanner-mrtg.conf   //copy the sample file and edit the copy
 #cp mailscanner-mrtg.cfg.sample mailscanner-mrtg.cfg     //copy the sample file and edit the copy
 #chmod 644 mailscanner-mrtg.conf                 //make the copy writable by its owner
 #chmod 644 mailscanner-mrtg.cfg                  //make the copy writable by its owner
 #vi mailscanner-mrtg.conf                        //edit as follows
 #MTA = sendmail                                  //default value
 MTA = postfix                                    //after the change: the MTA is Postfix
 Incoming Queue Dir = /var/spool/mqueue.in        //default value (Sendmail)
 Incoming Queue Dir = /var/spool/postfix/hold     //after the change (Postfix), the same directory as in mailscanner.conf
 Outgoing Queue Dir = /var/spool/mqueue           //default value (Sendmail)
 Outgoing Queue Dir = /var/spool/postfix/incoming //after the change (Postfix), the same directory as in mailscanner.conf
 Interfaces to Monitor = fxp0                     //default value
 Interfaces to Monitor = em0                      //after the change: the name of this host's network interface
 #vi /usr/local/etc/apache/httpd.conf             //edit the Apache configuration file as follows
 #MailScanner Setting
 Alias /mailscanner-mrtg/ "/usr/local/www/mailscanner-mrtg/"   //publishes the graphs under /mailscanner-mrtg/; restrict access to this path if the web server is reachable from the Internet, since the graphs reveal the gateway's mail volume

SpamAssassin

Step 1. Install the SpamAssassin package

Change to the Ports Tree directory and install the SpamAssassin package

 #cd /usr/ports/mail/p5-Mail-SpamAssassin         //change to the port directory
 #make install clean                              //install the package and remove the files left over from the build

Modify /etc/rc.conf

Modify /etc/rc.conf so that the services are started again when the system reboots

 #vi /etc/rc.conf                                 //edit as follows
 sendmail_enable="NONE"                           //disable Sendmail entirely (daemon, submission and outbound queue runner)
 postfix_enable="YES"                             //start Postfix
 clamav_clamd_enable="YES"                        //start the ClamAV daemon
 clamav_freshclam_enable="YES"                    //start the ClamAV signature update service
 mailscanner_enable="YES"                         //start MailScanner

sendmail_enable="NONE" is the older spelling; on later FreeBSD releases the same effect is obtained with sendmail_enable="NO", sendmail_submit_enable="NO", sendmail_outbound_enable="NO" and sendmail_msp_queue_enable="NO". Whichever form is used, make sure no Sendmail listener remains on port 25 next to Postfix.

Start the services

Run the following commands to (re)start the services

 #/usr/local/etc/rc.d/apache.sh restart           //restart Apache
 #/usr/local/etc/rc.d/postfix.sh restart          //restart Postfix
 #/usr/local/etc/rc.d/mailscanner.sh start        //start MailScanner
 #/usr/local/etc/rc.d/clamav-freshclam.sh start   //start the freshclam signature update service

Generating the MailScanner-MRTG traffic graphs

Once the services are up and running, run the following command to generate the MailScanner-MRTG traffic graphs

 #/usr/local/bin/mrtg /usr/local/etc/mailscanner-mrtg/mailscanner-mrtg.cfg     //generate the graph images

Once the graphs are generated successfully, add a cron job to refresh them periodically (every 10 minutes in this walkthrough)

 #crontab -e                                      //edit the crontab (refresh every 10 minutes)
 */10 * * * * /usr/local/bin/mrtg /usr/local/etc/mailscanner-mrtg/mailscanner-mrtg.cfg

Updating the ClamAV virus signatures

You can update the ClamAV virus signatures with the following command or with clamav-freshclam.sh

 #/usr/local/bin/freshclam                        //update the virus signatures
 ClamAV update process started at Tue Jul 13 13:56:36 2004
 Reading CVD header (main.cvd): OK
 main.cvd is up to date (version: 24, sigs: 21793, f-level: 2, builder: tomek)
 Reading CVD header (daily.cvd): OK
 daily.cvd is up to date (version: 402, sigs: 845, f-level: 2, builder: trog)

The detailed ClamAV signature update log can be viewed with

 #less /var/log/clamav/freshclam.log              //view the ClamAV signature update messages

Testing the anti-virus mechanism (Anti-Virus)

Once ClamAV is loaded, test the virus detection by typing a sample virus mail in by hand. The body is the EICAR test string, a harmless file that every anti-virus scanner is expected to detect, so no real malware is needed for the test.

 #telnet localhost 25                             //connect to the SMTP service
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 dmz.weithenn.idv.tw ESMTP Postfix
 mail from:weithenn@weithenn.com                 //sender address (typed by hand)
 250 Ok
 rcpt to:weithenn@weithenn.org                   //recipient address (typed by hand)
 250 Ok
 data                                            //start of the message (typed by hand)
 354 End data with <CR><LF>.<CR><LF>
 Subject:Virus test                              //subject header (typed by hand)
 X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*         //message body: the EICAR test string (typed by hand)
 .
 250 Ok: queued as 3EAAE40B1                     //3EAAE40B1 is the Postfix queue ID; the virus report and the quarantine directory below refer to the message by this ID
 quit                                            //leave (typed by hand)
 221 Bye
 Connection closed by foreign host.

In Outlook Express the test message (subject Virus test) arrives as shown below

Virus mail test (report in English)

The body of the test message (subject Virus test) now contains the following notice, stating that ClamAV found the message to be infected and that MailScanner moved the infected part to the quarantine

 At Tue Jul 13 14:51:01 2004 the virus scanner said: ClamAV: msg-41609-17.txt contains Eicar-Test-Signature
 Note to Help Desk: Look on the yoursite MailScanner in  /var/spool/MailScanner/quarantine/20040713 (message 3EAAE40B1).

The corresponding maillog entries look like the following. This excerpt is from a different message, 311D74127, caught by MailScanner's HTML content checks rather than by ClamAV, but the pattern is the same: the offending content is saved to the quarantine and the cleaned message is requeued for delivery under a new queue ID

 #tail /var/log/maillog
 MailScanner[70576]: Content Checks: Detected HTML-specific exploits in 311D74127
 MailScanner[70576]: Content Checks: Found 1 problems
 MailScanner[70576]: Content Checks: Detected and will disarm HTML message in 311D74127
 MailScanner[70576]: Saved infected "msg-70576-15.html" to /var/spool/MailScanner/quarantine/20040714/311D74127
 MailScanner[70576]: Requeue: 311D74127 to 9F3A44201
 MailScanner[70576]: Silent: Delivered 1 messages containing silent viruses

The virus report messages default to English. To change them, put translated report files under /usr/local/share/MailScanner/reports/tw and update the MailScanner configuration file.

 #vi /usr/local/etc/MailScanner/MailScanner.conf          //edit as follows
 #%report-dir% = /usr/local/share/MailScanner/reports/en  //default value, English reports
 %report-dir% = /usr/local/share/MailScanner/reports/tw   //after the change: read the Chinese reports translated above

In Outlook Express the test message (subject Virus test) now shows your translated Chinese report, as shown below

Virus mail test (report in Chinese)

The body of the test message (subject Virus test) now reads as follows (rendered here in English; the real report is in Chinese), again stating that ClamAV found the message to be infected and that it was moved to the quarantine

 Thu Jul 15 11:56:19 2004 Virus detection report:   ClamAV: msg-96270-3.txt contains Eicar-Test-Signature
 Help desk note: check /var/spool/MailScanner/quarantine/20040715 on the MailScanner machine (message EA195422F).

Testing the anti-spam mechanism (Anti-SPAM)

Run the following command to send the sample spam message shipped with SpamAssassin (a message built to score as spam) to the user weithenn and check that the spam filter works

 #/usr/local/sbin/sendmail weithenn < /usr/local/share/doc/p5-Mail-SpamAssassin/sample-spam.txt 

After fetching mail in Outlook Express, the message MailScanner judged to be spam arrives with the {SPAM?} tag prepended to its subject, as shown below

Judged to be spam

The maillog shows the keyword that is logged when spam is detected

 #tail /var/log/maillog
 MailScanner[55602]: Spam Checks: Found 1 spam messages
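To reconstruct from the maillog alone what happened to a message (the virus excerpt earlier and the spam excerpt just above), the lines have to be correlated by queue ID: the "Saved infected" line gives the quarantine directory named in the help desk note, and the "Requeue" line gives the new queue ID under which Postfix delivers the cleaned message, which is the ID that appears in Postfix's own delivery log lines. The script below is an added example written for this page, not code from the article or the MailScanner project. The log lines it parses are constructed here, modelled on the excerpts in this article with a syslog prefix added, and the helper names are assumptions; on a live system pass /var/log/maillog instead.

```shell
#!/bin/sh
# Added example, not part of the original article: correlate MailScanner's maillog
# lines by queue ID. The log content below is constructed for this example.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jul 13 14:51:01 mail MailScanner[41609]: Saved infected "msg-41609-17.txt" to /var/spool/MailScanner/quarantine/20040713/3EAAE40B1
Jul 13 14:51:01 mail MailScanner[41609]: Requeue: 3EAAE40B1 to 7B21C40B9
Jul 14 09:12:44 mail MailScanner[70576]: Content Checks: Detected HTML-specific exploits in 311D74127
Jul 14 09:12:44 mail MailScanner[70576]: Content Checks: Found 1 problems
Jul 14 09:12:44 mail MailScanner[70576]: Content Checks: Detected and will disarm HTML message in 311D74127
Jul 14 09:12:44 mail MailScanner[70576]: Saved infected "msg-70576-15.html" to /var/spool/MailScanner/quarantine/20040714/311D74127
Jul 14 09:12:44 mail MailScanner[70576]: Requeue: 311D74127 to 9F3A44201
Jul 14 09:12:44 mail MailScanner[70576]: Silent: Delivered 1 messages containing silent viruses
Jul 15 10:30:02 mail MailScanner[55602]: Spam Checks: Found 1 spam messages
Jul 15 10:30:02 mail MailScanner[55602]: Requeue: C04D1413A to 1A9E5414B
EOF

# Original queue IDs of every message that had content saved to the quarantine, one per line.
quarantined_ids() {  # quarantined_ids LOG
    sed -n 's/.*Saved infected "[^"]*" to .*\/\([0-9A-F]*\)$/\1/p' "$1" | sort -u
}

# Quarantine directory for an original queue ID; empty when that ID was never quarantined.
quarantine_dir_for() {  # quarantine_dir_for LOG QID
    sed -n "s/.*Saved infected \"[^\"]*\" to \(.*\/$2\)\$/\1/p" "$1" | tail -n 1
}

# New queue ID a message was re-injected under after scanning; empty when not requeued.
requeued_as() {  # requeued_as LOG QID
    sed -n "s/.*Requeue: $2 to \([0-9A-F]*\).*/\1/p" "$1" | tail -n 1
}

# Total number of messages MailScanner counted as spam ("Found N spam messages").
spam_count() {  # spam_count LOG
    awk '/Spam Checks: Found [0-9]+ spam messages/ { n += $(NF-2) } END { print n + 0 }' "$1"
}

# Number of messages delivered after a "silent" virus was stripped ("Delivered N messages ...").
silent_deliveries() {  # silent_deliveries LOG
    awk '/Silent: Delivered [0-9]+ messages/ { n += $(NF-4) } END { print n + 0 }' "$1"
}

# Summary: one line per quarantined message, then the spam and silent-delivery totals.
report() {  # report LOG
    for id in $(quarantined_ids "$1"); do
        echo "$id: quarantined in $(quarantine_dir_for "$1" "$id"), requeued as $(requeued_as "$1" "$id")"
    done
    echo "spam messages tagged: $(spam_count "$1")"
    echo "messages delivered after silent-virus removal: $(silent_deliveries "$1")"
}

report "$LOG"
```

Run on the sample data, report lists 311D74127 and 3EAAE40B1 with their quarantine directories and new queue IDs, one tagged spam message, and one silent-virus delivery. When a user asks why a message arrived modified, look up the new ID from the Requeue line in Postfix's delivery lines and the original ID in the quarantine.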

Building a whitelist (White List):

When MailScanner misclassifies mail from a business partner, a friend, a newsletter and so on as spam, add the sender's mail address to the whitelist so that it does not happen again. Bear in mind that whitelist_from matches only the From: header, which any spammer can forge, so a whitelisted address becomes a free pass for every message claiming to come from it. Where the sender's relays are known, prefer whitelist_from_rcvd, which additionally requires the message to have been received from a host in the named domain (for example whitelist_from_rcvd weithenn@msn.com msn.com), and keep the whitelist short.

 #vi /usr/local/etc/MailScanner/spam.assassin.prefs.conf    //edit the configuration file as follows
 whitelist_from  weithenn@msn.com                           //whitelisted mail address

References

[Official Home Page for MailScanner - Anti-Virus and Anti-Spam Filter]

[mailscanner-mrtg - Extensive Monitoring for MailScanner]

[Postfix在中國 - howto-mailscanner]

[MailScanner]

[MailScanner Installation Guide - Postfix]

[OHaHa's study notes - MailScanner + ClamAV + Spamassassin - 1]

[OHaHa's study notes - MailScanner + ClamAV + Spamassassin - 2]

[SpamAssassin Configuration Generator]

FAQ

Q1.Error in configuration file line 115, directory /var/spool/MailScanner/incoming?

Error message:

After starting the MailScanner service, the maillog shows the following error

 #tail /var/log/maillog
 MailScanner[41160]: MailScanner E-Mail Virus Scanner version 4.31.6  starting...
 MailScanner[41160]: Could not read directory /var/spool/MailScanner/incoming
 MailScanner[41160]: Error in configuration file line 115, directory  /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)

Ans:

Cause: a typo in the incoming directory name when editing mailscanner.conf. The path in the error message is the one MailScanner read from the configuration file, so compare it with the directory created in Step 4, fix the spelling and restart MailScanner.

Q2.Error in configuration file line 119, directory /var/spool/MailScanner/quarantine?

Error message:

After starting the MailScanner service, the maillog shows the following error

 #tail /var/log/maillog
 MailScanner E-Mail Virus Scanner version 4.31.6 starting...
 MailScanner[41606]: Could not read directory /var/spool/MailScanner/quarantine
 MailScanner[41606]: Error in configuration file line 119, directory /var/spool/MailScanner/quarantine for quarantinedir does not exist (or is not readable)

Ans:

Cause: a typo in the quarantine directory name when editing mailscanner.conf. As in Q1, compare the path in the error message with the directory created in Step 4, fix the spelling and restart MailScanner.

Q3.You need to set the "SpamAssassin User State Dir"?

Error message:

After starting the MailScanner service, the maillog shows the following error

 #tail /var/log/maillog
 MailScanner[41609]: User's home directory /var/spool/postfix is not writable
 MailScanner[41609]: You need to set the "SpamAssassin User State Dir" to a  directory that the "Run As User" can write to

Ans:

The fix used here is to set the owner and group of /var/spool/postfix to postfix so that the service can write there. Beware, however, that a recursive chown of the whole Postfix spool also changes the ownership of Postfix's own queue and socket directories, some of which Postfix expects to belong to other users; run postfix check afterwards and fix anything it complains about. The safer fix is the one the error message itself suggests: set "SpamAssassin User State Dir" in mailscanner.conf to a directory that the Run As User can write to, for example a subdirectory of /var/spool/MailScanner owned by postfix, and leave the Postfix spool alone.

 #chown -R postfix:postfix  /var/spool/postfix

Q4.Messages found but no hashed queue directories.?

Error message:

The maillog shows the following error

 #tail /var/log/maillog
 Jul 13 15:54:13 mail MailScanner[43478]: Messages found but no hashed queue directories. Please enable hashed queues for incoming and deferred with a depth of 1 or 2. See the Postfix documentation for hash_queue_names and hash_queue_depth

Ans:

Add the following to the Postfix configuration file. MailScanner only works on hashed queue directories, so the hold queue it reads from and the incoming queue it writes to must both be listed in hash_queue_names, with a depth of 1 or 2; reload Postfix afterwards.

 #vi main.cf             //add the following
 #MailScanner
 hash_queue_depth = 1
 hash_queue_names = incoming,active,deferred,bounce,defer,flush,hold

Q5.Cannot open ruleset file?

Error message:

The maillog shows the following error

 #tail /var/log/maillog
 Jul 21 14:51:18 MailScanner[79941]: Cannot open ruleset file  /usr/local/etc/MailScanner/rules/bounce.rules, No such file or directory

Ans:

Create this empty file (without it MailScanner cannot accept mail)

 #touch /usr/local/etc/MailScanner/rules/bounce.rules