Install ClamAV on FreeBSD 14.2 and link it with Amavis against Postfix.
ClamAV is anti-virus software.
We will proceed on the assumption that you have already implemented Postfix.
Before proceeding, update the Ports Collection.
1. ClamAV
1.1 Install
|
1 |
# pkg install -y clamav |
clamav version check
|
1 2 |
# pkg version -v | grep clamav clamav-1.4.1_2,1 < needs updating (index has 1.4.1_4,1) |
1.2 Configuration File Editing
①Edit clamd.conf
Run ClamAV as root user
|
1 2 3 4 5 6 7 8 9 10 11 |
# chmod 640 /usr/local/etc/clamd.conf # vi /usr/local/etc/clamd.conf Line 35 : Uncomment #LogTime yes LogTime yes Line 233 : Comment out User clamav #User clamav |
➁Edit freshclam.conf
Settings about virus pattern files
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# chmod 640 /usr/local/etc/freshclam.conf # vi /usr/local/etc/freshclam.conf Line 62 : change DatabaseOwner clamav ↓ DatabaseOwner root Line 78 : Mirror site change #DatabaseMirror database.clamav.net DatabaseMirror db.jp.clamav.net Line 121 : Uncomment #Checks 24 Checks 24 |
1.3 Virus database update
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# freshclam ClamAV update process started at Sun Dec 8 10:08:08 2024 daily database available for download (remote version: 27480) Time: 2.2s, ETA: 0.0s [========================>] 61.35MiB/61.35MiB Testing database: '/var/db/clamav/tmp.acb7c3ec44/clamav-cba48d88597028bc3e26efa593949abb.tmp-daily.cvd' ... Database test passed. daily.cvd updated (version: 27480, sigs: 2069181, f-level: 90, builder: raynman) main database available for download (remote version: 62) Time: 5.2s, ETA: 0.0s [========================>] 162.58MiB/162.58MiB Testing database: '/var/db/clamav/tmp.acb7c3ec44/clamav-0edf9c47f9d307811cc45c932716367a.tmp-main.cvd' ... Database test passed. main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr) bytecode database available for download (remote version: 335) Time: 0.1s, ETA: 0.0s [========================>] 282.94KiB/282.94KiB Testing database: '/var/db/clamav/tmp.acb7c3ec44/clamav-9fc754056c77ee85bf61e795c03316c3.tmp-bytecode.cvd' ... Database test passed. bytecode.cvd updated (version: 335, sigs: 86, f-level: 90, builder: raynman) WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock: No such file or directory |
1.4 ClamAV start
ClamAV auto-start configuration
|
1 2 3 4 |
# vi /etc/rc.conf Add the following clamav_clamd_enable="YES" clamav_freshclam_enable="YES" |
start
|
1 2 3 4 5 |
# /usr/local/etc/rc.d/clamav_clamd start Starting clamav_clamd. # /usr/local/etc/rc.d/clamav_freshclam start Starting clamav_freshclam. |
1.5 manual virus check
To manually check for viruses, do the following(Scanning range is /home/)
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# clamscan --infected --remove --recursive -r /home ----------- SCAN SUMMARY ----------- Known viruses: 8700973 Engine version: 1.4.1 Scanned directories: 15 Scanned files: 19 Infected files: 0 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 31.778 sec (0 m 31 s) Start Date: 2024:12:08 10:28:58 End Date: 2024:12:08 10:29:29 |
1.6 automatic virus scanning
• Scanning range is /home/.
• Output scan results to /var/log/clamav.log
• Automatic deletion of detected viruses
• Executed daily
Create an execution script with the above conditions
①Creation of virus storage directory
|
1 |
# mkdir -p /var/lib/clamav/virus |
➁Shell Script Creation
|
1 2 3 4 5 6 7 8 |
# vi /etc/clamscan.sh Describe the following information #!/bin/sh # clamscan script CLAMSCAN='/usr/local/bin/clamscan' echo "clamscan start "`date '+%Y%m%d'` $CLAMSCAN --log=/var/log/clamav/clamav.log -i --move=/var/lib/clamav/virus/ -r /home |
Grant execution permissions to scripts
|
1 |
# chmod 755 /etc/clamscan.sh |
Register in cron to be executed at 0:00 AM
|
1 2 3 |
# crontab -e Description of the following contents 0 0 * * * /etc/clamscan.sh > /dev/null 2>&1 |
Run the following as a test
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# /etc/clamscan.sh clamscan start 20241208 ----------- SCAN SUMMARY ----------- Known viruses: 8700973 Engine version: 1.4.1 Scanned directories: 15 Scanned files: 19 Infected files: 0 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 28.636 sec (0 m 28 s) Start Date: 2024:12:08 10:30:42 End Date: 2024:12:08 10:31:11 |
If you look at /var/log/clamav/clamav.log, you will see the same log as above
|
1 |
# cat /var/log/clamav/clamav.log |
2. Amavis
Install Amavis, which links ClamAV and Postfix
2.1 Install
|
1 2 |
# cd /usr/ports/security/amavisd-new # make config |
The option settings are as follows
SPAMASSASIN should be included.
|
1 |
# make install clean |
IPv6 is not required, so remove the item.
Otherwise, proceed with defaults.
2.2 Configuration File Editing
Edit amavisd.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# vi /usr/local/etc/amavisd.conf Line 13 : Uncomment # @bypass_spam_checks_maps = (1); @bypass_spam_checks_maps = (1); Line 23: Change to your own domain name $mydomain = '<domain name>'; Line 156 : Change to own host name # $myhostname = 'host.example.com'; $myhostname = 'mail.<domain name>'; #自ホスト名に変更 Line 158-159 : Uncomment # $notify_method = 'smtp:[127.0.0.1]:10025'; # $forward_method = 'smtp:[127.0.0.1]:10025'; ↓ $notify_method = 'smtp:[127.0.0.1]:10025'; $forward_method = 'smtp:[127.0.0.1]:10025'; Line 387-390 : Uncomment # ### http://www.clamav.net/ # ['ClamAV-clamd', # \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], # qr/\bOK$/m, qr/\bFOUND$/m, # qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], ↓ ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], qr/\bOK$/m, qr/\bFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], |
2.3 Amavis Auto-Startup Configuration
|
1 2 3 |
# vi /etc/rc.conf Add the following description amavisd_enable="YES" |
Amavis start
|
1 |
# /usr/local/etc/rc.d/amavisd start |
2.4 Postfix Configuration
①Edit main.cf
|
1 2 3 4 |
# vi /usr/local/etc/postfix/main.cf #Add to the last line # Filter configuration content_filter = smtp-amavis:[127.0.0.1]:10024 |
➁Edit master.cf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
# vi /usr/local/etc/postfix/master.cf #Add to the last line # Amavis configuration smtp-amavis unix - - n - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks |
3. Anti-Spam with SpamAssassin
3.1 SpamAssassin Install
If you did not select spamassassin as an option when you installed Amavis, install it as follows
|
1 2 |
# cd /usr/ports/mail/spamassassin # make install clean |
|
1 |
# chmod 644 /usr/local/etc/mail/spamassassin/v310.pre |
3.2 Configuration File Editing
|
1 2 3 4 |
# vi /usr/local/etc/mail/spamassassin/v310.pre Line 24 : Uncomment (enable TextCat) loadplugin Mail::SpamAssassin::Plugin::DCC |
3.3 Spamassassin start
|
1 2 3 4 |
# vi /etc/rc.conf Additional description below spamd_enable="YES" |
|
1 2 3 |
# sa-update # /usr/local/etc/rc.d/sa-spamd start Starting spamd. |
3.4 SpamassAssin Update
Create an update script
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# vi /etc/periodic/daily/620.spamassassin Fill in the following information #!/bin/sh PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin cd /usr/local/etc/mail/spamassassin wget -q https://github.com/kittyfreak/spamassassin_user_prefs/archive/refs/heads/main.zip [ $? -ne 0 ] && exit unzip main.zip >/dev/null 2>&1 [ $? -ne 0 ] && exit rm -f main.zip mv spamassassin_user_prefs-main/user_prefs . rm -rf spamassassin_user_prefs-main cp user_prefs local.cf cat << EOF >> local.cf report_safe 0 rewrite_header Subject ***SPAM*** EOF /usr/local/etc/rc.d/sa-spamd restart > /dev/null |
Grant execution rights to scripts
|
1 |
# chmod 755 /etc/periodic/daily/620.spamassassin |
When the script is executed, a local.cff is created for the date and time of execution
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
# pkg install wget # /etc/periodic/daily/620.spamassassin # ls -l /usr/local/etc/mail/spamassassin total 529 -rw-r--r-- 1 root wheel 1649 Dec 8 10:59 init.pre -rw-r--r-- 1 root wheel 1649 Dec 8 10:59 init.pre.sample -rw-r--r-- 1 root wheel 500636 Dec 8 11:03 local.cf -rw-r--r-- 1 root wheel 3218 Dec 8 10:59 local.cf.sample drwx------ 2 root wheel 6 Dec 8 11:02 sa-update-keys -rw-r--r-- 1 root wheel 500588 Apr 30 2023 user_prefs -rw-r--r-- 1 root wheel 2266 Dec 8 11:01 v310.pre -rw-r--r-- 1 root wheel 2267 Dec 8 10:59 v310.pre.sample -rw-r--r-- 1 root wheel 1168 Dec 8 10:59 v312.pre -rw-r--r-- 1 root wheel 1168 Dec 8 10:59 v312.pre.sample -rw-r--r-- 1 root wheel 2416 Dec 8 10:59 v320.pre -rw-r--r-- 1 root wheel 2416 Dec 8 10:59 v320.pre.sample -rw-r--r-- 1 root wheel 1237 Dec 8 10:59 v330.pre -rw-r--r-- 1 root wheel 1237 Dec 8 10:59 v330.pre.sample -rw-r--r-- 1 root wheel 1020 Dec 8 10:59 v340.pre -rw-r--r-- 1 root wheel 1020 Dec 8 10:59 v340.pre.sample -rw-r--r-- 1 root wheel 1315 Dec 8 10:59 v341.pre -rw-r--r-- 1 root wheel 1315 Dec 8 10:59 v341.pre.sample -rw-r--r-- 1 root wheel 1519 Dec 8 10:59 v342.pre -rw-r--r-- 1 root wheel 1519 Dec 8 10:59 v342.pre.sample -rw-r--r-- 1 root wheel 1266 Dec 8 10:59 v343.pre -rw-r--r-- 1 root wheel 1266 Dec 8 10:59 v343.pre.sample -rw-r--r-- 1 root wheel 1484 Dec 8 10:59 v400.pre -rw-r--r-- 1 root wheel 1484 Dec 8 10:59 v400.pre.sample -rw-r--r-- 1 root wheel 1118 Dec 8 10:59 v401.pre -rw-r--r-- 1 root wheel 1118 Dec 8 10:59 v401.pre.sample |
3.5 postfix restart
|
1 2 3 |
# /usr/local/etc/rc.d/postfix restart postfix/postfix-script: stopping the Postfix mail system postfix/postfix-script: starting the Postfix mail system |
3.6 Spam mailbox creation
When using IMAP in this case
①Create spam mailboxes for existing users
Let's assume the existing user is huong
|
1 2 3 4 5 |
# bash # mkdir -p /home/huong/Maildir/.spam/{cur,new,tmp} # chmod -R 700 /home/huong/Maildir/.spam # chown -R huong:huong /home/huong/Maildir/.spam # sh |
➁Create spam mailboxes for additional users
|
1 2 3 4 |
# chsh -s /bin/bash # mkdir -p /usr/share/skel/Maildir/.spam/{cur,new,tmp} # chmod -R 700 /usr/share/skel/Maildir/.spam # chsh -s /bin/sh |
3.7 Edit procmailrc (for IMAP)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
# vi /usr/local/etc/procmailrc Fill in the following SHELL=/bin/sh PATH=/bin:/usr/bin:/usr/local/bin DROPPRIVS=yes MAILDIR=$HOME/Maildir DEFAULT=$MAILDIR/ SPAM=$MAILDIR/.spam/ #LOGFILE=$MAILDIR/procmail.log :0 * ^Subject:.*=\?[Ii][Ss][Oo]-2022-[Jj][Pp]\?[Bb]\?GyRCTCQ\+NUJ6OS05cCIo /dev/null # Start spamassassin if "X-Spam-***" is not in the header :0fw *!^X-Spam.* |spamassassin # If the header has "X-Spam-Status: Yes", it is stored in the ".spam" directory. :0 *^X-Spam-Status: Yes $SPAM |
3.8 Spam Mail Learning
Create spam email learning scripts
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# vi /etc/periodic/daily/620.sa-learn Fill in the following #!/bin/sh # Learning spam folder as spam /usr/local/bin/sa-learn --spam /home/*/Maildir/.spam/cur # Maildir folder learned as normal mail /usr/local/bin/sa-learn --ham /home/*/Maildir/cur # Uncomment the following to delete the spam folder #/bin/rm -f /home/*/Maildir/.spam/cur/* |
3.9 Spam Mail Sending Test
When I send a blank email to myself in Thunderbird, the following message appears in the header of the received email
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: xxxxx@korodes.com
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on Lepard
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=13.0 tests=ALL_TRUSTED,
CONTENT_TYPE_PRESENT,EMPTY_MESSAGE autolearn=no autolearn_force=no
version=4.0.1
X-Original-To: xxxxx@korodes.com
Delivered-To: xxxxx@korodes.com
Received: from lepard (localhost [127.0.0.1])
by mail.korodes.com (Postfix) with ESMTP id 6DC012925C
for xxxxx@korodes.com; Sun, 08 Dec 2024 11:12:47 +0900 (JST)
X-Virus-Scanned: amavisd-new at korodes.com
Received: from mail.korodes.com ([127.0.0.1])
by lepard (mail.korodes.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 1bDaORJjFXRY for huong@korodes.com;
Sun, 8 Dec 2024 11:12:47 +0900 (JST)
Received: from [192.168.11.45] (buffalo.setup [192.168.11.1])
by mail.korodes.com (Postfix) with ESMTPSA id 513342928D
for xxxxx@korodes.com; Sun, 08 Dec 2024 11:12:47 +0900 (JST)
Message-ID: fc19537b-dd11-427c-b2a4-4f58035fb755@korodes.com
Date: Sun, 8 Dec 2024 11:12:46 +0900
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: huong xxxxx@korodes.com
Content-Language: en-US
To: xxxxx@korodes.com
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject:
Fill in the following in the body of the message in Thunderbird and send it to yourself.
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
The following message appears in the header of an incoming e-mail
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on Lepard
X-Spam-Flag: YES
X-Spam-Level: ********************************************************************************
X-Spam-Status: Yes, score=1001.8 required=13.0 tests=ALL_TRUSTED,
CONTENT_TYPE_PRESENT,GTUBE,HTML_MESSAGE,MPART_ALT_DIFF,
MULTIPART_ALTERNATIVE autolearn=no autolearn_force=no version=4.0.1
X-Spam-Report:
* 0.1 ALL_TRUSTED Passed through trusted hosts only via SMTP
* -0.1 CONTENT_TYPE_PRESENT exists:Content-Type
* 0.1 MULTIPART_ALTERNATIVE Multipart/alternative
* 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
* 0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
* 1.0 HTML_MESSAGE BODY: HTML included in message