A quick how-to on installing Amavis, ClamAV and SpamAssassin on CentOS 4.2 with Postfix
- On my box, I have a running Postfix mail server, secured so that it is not an open relay
- I am running CentOS 4.2
- Adding the DAG repo
Create the file /etc/yum.repos.d/dag.repo and have it contain the following lines:
[dag]
name=Dag-RHEL-Yum
baseurl=http://dag.linux.iastate.edu/dag/redhat/el$releasever/en/$basearch/dag
        http://www.mirrorservice.org/sites/apt.sw.be/redhat/el$releasever/en/$basearch/dag
        http://mirrors.ircam.fr/pub/dag/redhat/el$releasever/en/$basearch/dag
        http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
enabled=1
gpgcheck=1
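OK, after doing that, we need to import the DAG RPM GPG key with the command below. The key is fetched over plain HTTP, so check its fingerprint against a copy obtained another way before relying on gpgcheck.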
rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
- Now we are ready to install.
yum install amavisd-new clamav clamd
and also
yum install perl-Archive-Tar.noarch
I dunno, but it is supposed to be considered a dependency during install, since if it's not installed you will encounter problems when running "amavis debug".
- After the installation:
Create /var/log/amavis.log, owned by the amavis user and group, with the command below.
touch /var/log/amavis.log && chown amavis.amavis /var/log/amavis.log
Next, we have to edit the file /etc/amavis.conf, then set $domain and $hostname to our own values and uncomment the following:
$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications
Disable virus quarantines by changing the value of $QUARANTINEDIR in its line to:
$QUARANTINEDIR = undef;
If we don't want our system to notify senders that we did not accept their email attachment, or that we found a virus in their email, uncomment the following lines. Note that only D_DISCARD drops a message silently; D_BOUNCE sends a non-delivery notification back to the sender address.
# $final_virus_destiny = D_DISCARD;
# $final_banned_destiny = D_BOUNCE;
# $final_spam_destiny = D_BOUNCE;
# $final_bad_header_destiny = D_PASS;
Next, find and uncomment the Clam AV section. Comment out all virus scanners you are not using:
### http://www.clamav.net/
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
Make sure amavis is not currently running; run the command:
/etc/init.d/amavis stop
then run the command
amavis debug
(if you find errors, troubleshoot them before continuing)
Start amavis now:
/etc/init.d/amavis start
Try
telnet 127.0.0.1 10024
and you should get the response below, showing that amavis is running.
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
Next, configure Postfix to use Amavisd-new, which will now function as an SMTP proxy server. Add this to the end of /etc/postfix/master.cf (the -o lines must start with whitespace so that Postfix reads them as continuations of the service line above them):
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
Then add this line to /etc/postfix/main.cf:
content_filter = smtp-amavis:[127.0.0.1]:10024
then restart postfix by the command below:
/etc/init.d/postfix restart
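A quick check of the wiring described above, added here as an example and not part of the original post: it confirms that the re-injection listener is bound to 127.0.0.1 only, has an empty content_filter (so scanned mail cannot loop back into amavisd) and only accepts mail from this host, and that main.cf hands mail to smtp-amavis. The function names and the shortened sample files are constructed for the illustration.

```shell
#!/bin/sh
# Added example: check the Postfix <-> amavisd-new wiring from this how-to.

# Print one master.cf service entry ($2 = first field) with its indented
# continuation lines joined onto a single line.
master_entry() {    # $1 = master.cf, $2 = service
    awk -v svc="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ { hit = ($1 == svc); if (hit) printf "%s", $0; next }
        hit       { sub(/^[ \t]+/, " "); printf "%s", $0 }
        END       { print "" }' "$1"
}

check_reinjection() {    # $1 = master.cf, $2 = main.cf
    rc=0
    entry="$(master_entry "$1" 127.0.0.1:10025) "
    # An empty content_filter stops scanned mail looping back into amavisd; the
    # other two options keep the unfiltered port usable from this host only.
    for opt in content_filter= mynetworks=127.0.0.0/8 \
               smtpd_recipient_restrictions=permit_mynetworks,reject; do
        case "$entry" in
            *" -o $opt "*) ;;
            *) echo "FAIL: 127.0.0.1:10025 listener lacks '-o $opt'"; rc=1 ;;
        esac
    done
    [ -n "$(master_entry "$1" smtp-amavis)" ] ||
        { echo "FAIL: no smtp-amavis transport in $1"; rc=1; }
    sed 's/[[:space:]]//g' "$2" | grep -Fxq 'content_filter=smtp-amavis:[127.0.0.1]:10024' ||
        { echo "FAIL: $2 does not send mail to smtp-amavis:[127.0.0.1]:10024"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: filter path is loopback-only and cannot loop"
    return "$rc"
}

# Constructed sample files: a shortened copy of the entries shown above.
wiring_dir=$(mktemp -d)
cat > "$wiring_dir/master.cf" <<'EOF'
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
EOF
echo 'content_filter = smtp-amavis:[127.0.0.1]:10024' > "$wiring_dir/main.cf"
check_reinjection "$wiring_dir/master.cf" "$wiring_dir/main.cf" || true
```

Run against a master.cf whose -o lines have lost their leading whitespace, the same check fails, because each -o line is then read as a separate entry.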
Now open /etc/clamav.conf and /etc/amavisd.conf, and make sure that amavisd.conf references the LocalSocket file:
## /etc/clamav/clamav.conf
LocalSocket /var/run/clamav/clamd.ctl
----------------------------------------
## /etc/amavis/amavisd.conf
### http://www.clamav.net/
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
Note:
It might happen that /var/run/clamav/clamd.ctl does not exist, and when you try to start clamd it won't start, since it didn't find that file or does not have the right to create or use it. In that case we can run the command:
touch /var/run/clamav/clamd.ctl
and then
chown amavis.amavis /var/run/clamav/clamd.ctl
Now we need to change some lines in clamd.conf and freshclam.conf, see below:
#/etc/clamd.conf
User amavis #orig user is clamav
Also change some default settings below
# Path to a local socket file the daemon will listen on.
# Default: disabled
LocalSocket /var/run/clamav/clamd.sock
#Note: by default LocalSocket is commented out, so you have to uncomment it.
#This path must be the same socket path that amavisd.conf passes to ask_daemon.
#By default TCPSocket (below) is not commented out, so you have to comment it out;
#if you forget, restarting ClamAV fails with the error:
#Starting Clam AntiVirus Daemon: ERROR: You can select one mode only (local/TCP).
# TCP port address.
# Default: disabled
#TCPSocket 3310
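The two requirements above (only one of LocalSocket/TCPSocket active, and amavisd.conf pointing at the socket clamd really listens on) can be checked mechanically. This is an added example, not part of the original post; the function names are made up, and the constructed sample reuses the two paths printed on this page (clamd.sock in clamd.conf, clamd.ctl in amavisd.conf), which the check reports as a mismatch.

```shell
#!/bin/sh
# Added example: cross-check clamd.conf against the clamd entry in amavisd.conf.

# Value of an active (uncommented) directive in a clamd.conf-style file.
clamd_directive() {    # $1 = file, $2 = directive name
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Socket path that the uncommented CONTSCAN entry hands to ask_daemon.
amavis_clamd_socket() {    # $1 = amavisd.conf
    sed -n 's/^[^#]*"CONTSCAN[^"]*", *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Returns 0 when clamd and amavisd agree, 1 otherwise.
check_clamd_amavis() {    # $1 = clamd.conf, $2 = amavisd.conf
    rc=0
    sock=$(clamd_directive "$1" LocalSocket)
    tcp=$(clamd_directive "$1" TCPSocket)
    user=$(clamd_directive "$1" User)
    want=$(amavis_clamd_socket "$2")
    if [ -n "$sock" ] && [ -n "$tcp" ]; then
        echo "FAIL: LocalSocket and TCPSocket are both active, clamd will not start"; rc=1
    fi
    if [ -z "$sock" ]; then
        echo "FAIL: no active LocalSocket in $1"; rc=1
    elif [ "$sock" != "$want" ]; then
        echo "FAIL: clamd listens on $sock, amavisd connects to ${want:-nothing}"; rc=1
    fi
    [ "$user" = "amavis" ] || echo "WARN: clamd User is '${user:-unset}', not amavis"
    [ "$rc" -eq 0 ] && echo "OK: both sides use $sock"
    return "$rc"
}

# Constructed sample files that mirror the snippets in this how-to.
demo_dir=$(mktemp -d)
printf '%s\n' 'User amavis' 'LocalSocket /var/run/clamav/clamd.sock' '#TCPSocket 3310' \
    > "$demo_dir/clamd.conf"
printf '%s\n' "['Clam Antivirus-clamd'," \
    ' \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],' \
    > "$demo_dir/amavisd.conf"
check_clamd_amavis "$demo_dir/clamd.conf" "$demo_dir/amavisd.conf" || true
```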
#/etc/freshclam.conf
DatabaseOwner amavis #orig is clamav
Now chown the ClamAV files and folders named by the settings below to amavis.amavis:
LogFile /var/log/clamav/clamav.log
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/clamav/
Finally, hunt down any files belonging to Clam AV in /etc/logrotate.d/. For example:
/etc/logrotate.d/clamav
/etc/logrotate.d/freshclam
The filenames may vary. Inside each file, find this line:
create 640 clamav adm
Change it to:
create 640 clamav amavis
Save the changes and reload ClamAV, and that's it! You can now check the maillog with the command:
tail -f /var/log/maillog
You can also check whether the ClamAV anti-virus is really functioning. Create a file named test.com (do this on your Linux box) and paste in the line of characters below, without the quotes.
"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* "
This is the EICAR anti-virus test file. Email this file as an attachment to a user on that box, or from that box to the outside, and you will see messages like the ones below, showing that it detected this file as infected.
log file below:
Feb 20 10:24:22 pacland amavis[3786]: (03786-06) Blocked INFECTED (Eicar-Test-Signature), <> -> , Message-ID: <20060220022421.ga25880@test.net>, mail_id: qvSy9GYSCarX, Hits: -, 614 ms
Feb 20 10:24:22 pacland postfix/smtp[25890]: C564C4A665: to=, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.7.1 Ok, discarded, id=03786-06 - VIRUS: Eicar-Test-Signature)
If you find this in your log files, it means that the installation is basically functioning.
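Instead of reading the maillog by eye, the two lines can be paired on the amavis id they share (03786-06 above). The script below is an added example, not part of the original post: it lists every INFECTED verdict together with what Postfix did with that message, so an infected mail that was re-queued for delivery stands out. The sample log is constructed (addresses and the second message are made up), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pair each amavis INFECTED verdict with what Postfix did next.

# Constructed sample modelled on the excerpt above; the addresses and the
# second message are made up for the illustration.
sample_maillog() {
cat <<'EOF'
Feb 20 10:24:22 pacland amavis[3786]: (03786-06) Blocked INFECTED (Eicar-Test-Signature), <a@example.net> -> <b@example.org>, mail_id: qvSy9GYSCarX, Hits: -, 614 ms
Feb 20 10:24:22 pacland postfix/smtp[25890]: C564C4A665: to=<b@example.org>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.7.1 Ok, discarded, id=03786-06 - VIRUS: Eicar-Test-Signature)
Feb 20 10:31:05 pacland amavis[3786]: (03786-07) Passed INFECTED (Eicar-Test-Signature), <a@example.net> -> <b@example.org>, mail_id: AbCdEfGhIjKl, Hits: -, 590 ms
Feb 20 10:31:05 pacland postfix/smtp[25902]: D775B4A670: to=<b@example.org>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.6.0 Ok, id=03786-07, from MTA: 250 Ok: queued as E1F3A4A671)
EOF
}

# One line per infected message: amavis id, signature, Postfix queue id, outcome.
infected_report() {    # $1 = maillog
    awk '
    $5 ~ /^amavis\[/ && match($0, /INFECTED \([^)]*\)/) {
        id = $6; gsub(/[()]/, "", id)
        sig = substr($0, RSTART + 10, RLENGTH - 11); gsub(/, */, ",", sig)
        sigs[id] = sig; order[++n] = id
    }
    $5 ~ /^postfix\/smtp\[/ && match($0, /id=[0-9]+-[0-9]+/) {
        id = substr($0, RSTART + 3, RLENGTH - 3)
        queue[id] = $6; sub(/:$/, "", queue[id])
        if ($0 ~ /discarded/)      fate[id] = "discarded"
        else if ($0 ~ /queued as/) fate[id] = "DELIVERED"
        else                       fate[id] = "other"
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            print id, sigs[id], ((id in queue) ? queue[id] : "-"), ((id in fate) ? fate[id] : "unconfirmed")
        }
    }' "$1"
}

log=$(mktemp)
sample_maillog > "$log"
infected_report "$log"
```

On a real system, pass /var/log/maillog as the argument; a DELIVERED line means the virus destiny setting let an infected message through.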
- Installing and configuring SpamAssassin
In /etc/amavis.conf, uncomment and set
$final_spam_destiny = D_PASS; # (defaults to D_REJECT)
D_PASS allows the message to be delivered to the recipient and lets the recipient decide what to do.
D_DISCARD will drop the message at the SMTP level, avoiding extra bandwidth usage. Set the following:
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = -999; # triggers spam evasive actions
# string to prepend to Subject header field when message exceeds tag2 level
$sa_spam_subject_tag = '***SPAM*** ';
Then chown the SpamAssassin folders and files. As root, run the command:
chown -R amavis:amavis /usr/share/spamassassin
Now, to test whether your system really filters spam, at least basically, try to email an account on the host where SpamAssassin has been installed with a message that contains "penis enlargement, viagra" and I'm sure it will be blocked as spam.
Then restart amavis-new
/etc/init.d/amavisd restart
check this out -/spamassassin autoconfigurator/-
---/CHEERS!/---
5 Comments:
Thanks, a really great walkthrough.
By Anonymous, at 3:48 PM
While giving this command
rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
I am getting this error:
error: http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt: import read failed(-1).
warning: u 0x87ec650 ctrl 0x87ed470 nrefs != 0 (dag.wieers.com http)
By Anonymous, at 3:02 PM
It's outdated now; you can just install rpmforge from Dag's website to make it easy.
By aioshin, at 10:14 PM
Great work! Thanks.
Please, I need your help regarding /etc/clamav.conf and its LocalSocket file.
The steps:
------Next, configure Postfix to use Amavisd-new, which will now function as an SMTP proxy server. Add this to the end of /etc/postfix/master.cf ---------
------/etc/init.d/postfix restart
Up to here, all things go well.
From next steps:
Now open /etc/clamav.conf and /etc/amavisd.conf, and make sure that amavisd.conf references the LocalSocket file:
I am getting a problem. I am not able to find the /etc/clamav.conf file, or did you mean to say /etc/clamd.conf?
Thanks.
By Sunil, at 2:00 PM