| View previous topic :: View next topic |
| Author |
Message |
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
 Posted: Fri Sep 12, 2003 11:51 pm Post subject: How To setup exim + exiscan-acl + SpamAssassin + clamav +... |
 |
|
How To setup exim + exiscan-acl + SpamAssassin + clamav + courier-imapd
This HowTo describes how to setup exim 4.22 with the exiscan-acl patch, SpamAssassin and clamav for content-scanning and courier-imapd for reading mail with an imap-ready mailclient. The whole set of programs is intended for being used as a mailserver on a routerbox, but configs can easily be modified to work in any other environment you need.
Let's start by editing /etc/make.conf to add/update some USE-Flags:
- If you have "mbox" in your USE, remove it!
- Add "exiscan-acl" and "maildir" to USE
- You may want to add "ldap", "berkdb", "mysql", "pam" and "nls" for support of there features in courier-imapd
- You may want to add "tcpd", "ssl", "mysql", "ldap", "pam", "lmtp" and "ipv6" for support of these features in exim
- Replace "mysql" with "postgres", or just add it, if you need postgres-support
I, personaly, have all of the USE-Flags shown above, except "postgres", in my USE 
Now emerge all the needed programs:
# emerge exim
# emerge clamav
# emerge Mail-SpamAssassin
# emerge courier-imap
This might trigger a long list of packages to emerge, depending on your current system-config. Note that you have to re-emerge exim if you added or removed any USE-flag! If emerge complains about another MTA blocking exim, you have to unmerge it (using emerge --unmerge <mta>) before emerging exim.
Don't start anything yet, these is much to configure beforce doing so.
Let's go on to the configuration
EXIM:
"/etc/exim/exim.conf":
| Code: | ######################################################################
# Runtime configuration file for Exim #
######################################################################
# This is a default configuration file which will operate correctly in
# uncomplicated installations. Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file. There are many more than are mentioned here. The
# manual is in the file doc/spec.txt in the Exim distribution as a plain
# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available
# from the Exim ftp sites. The manual is also online at the Exim web sites.
# This file is divided into several parts, all but the first of which are
# headed by a line starting with the word "begin". Only those parts that
# are required need to be present. Blank lines, and lines starting with #
# are ignored.
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
# #
# Whenever you change Exim's configuration file, you *must* remember to #
# HUP the Exim daemon, because it will not pick up the new configuration #
# until you do. However, any other Exim processes that are started, for #
# example, a process started by an MUA in order to send a message, will #
# see the new configuration as soon as it is in place. #
# #
# You do not need to HUP the daemon for changes in auxiliary files that #
# are referenced from this file. They are read every time they are used. #
# #
# It is usually a good idea to test a new configuration for syntactic #
# correctness before installing it (for example, by running the command #
# "exim -C /config/file.new -bV"). #
# #
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name. In many cases this does
# the right thing and you need not set anything explicitly.
# primary_hostname =
# The next three settings create two lists of domains and one list of hosts.
# These lists are referred to later in this configuration using the syntax
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:
# YOU HAVE TO EDIT THIS BLOCK TO SUIT YOUR NEED!!
domainlist local_domains = @ : firestarter.shnet.org : finalfrontier.d2g.com : final-frontier.ath.cx : final-frontier.homelinux.net : final-frontier.homelinux.com : final-frontier.homelinux.org : final-frontier.homeunix.org : localhost
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 192.168.25.0/24
# Most straightforward access control requirements can be obtained by
# appropriate settings of the above options. In more complicated situations, you
# may need to modify the Access Control List (ACL) which appears later in this
# file.
# The first setting specifies your local domains, for example:
#
# domainlist local_domains = my.first.domain : my.second.domain
#
# You can use "@" to mean "the name of the local host", as in the default
# setting above. This is the name that is specified by primary_hostname,
# as specified above (or defaulted). If you do not want to do any local
# deliveries, remove the "@" from the setting above. If you want to accept mail
# addressed to your host's literal IP address, for example, mail addressed to
# "user@[192.168.23.44]", you can add "@[]" as an item in the local domains
# list. You also need to uncomment "allow_domain_literals" below. This is not
# recommended for today's Internet.
# The second setting specifies domains for which your host is an incoming relay.
# If you are not doing any relaying, you should leave the list empty. However,
# if your host is an MX backup or gateway of some kind for some domains, you
# must set relay_to_domains to match those domains. For example:
#
# domainlist relay_to_domains = *.myco.com : my.friend.org
#
# This will allow any host to relay through your host to those domains.
# See the section of the manual entitled "Control of relaying" for more
# information.
# The third setting specifies hosts that can use your host as an outgoing relay
# to any other host on the Internet. Such a setting commonly refers to a
# complete local network as well as the localhost. For example:
#
# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
#
# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you
# have to include 127.0.0.1 if you want to allow processes on your host to send
# SMTP mail by using the loopback address. A number of MUAs use this method of
# sending mail.
# All three of these lists may contain many different kinds of item, including
# wildcarded names, regular expressions, and file lookups. See the reference
# manual for details. The lists above are used in the access control list for
# incoming messages. The name of this ACL is defined here:
acl_smtp_rcpt = acl_check_rcpt
# You should not change that setting until you understand how ACLs work.
# The following ACL entry is used if you want to do content scanning with the
# exiscan-acl patch. When you uncomment this line, you must also review the
# acl_check_content entry in the ACL section further below.
acl_smtp_data = acl_check_content
# This configuration variable defines the virus scanner that is used with
# the 'malware' ACL condition of the exiscan acl-patch. If you do not use
# virus scanning, leave it commented. Please read doc/exiscan-acl-readme.txt
# for a list of supported scanners.
# av_scanner = sophie:/var/run/sophie
# av_scanner = cmdline:/usr/bin/antivir -v -z -allfiles -noboot -s -tmp %s:ALERT:\[(.+)\]
av_scanner = clamd:/tmp/clamd
# The following setting is only needed if you use the 'spam' ACL condition
# of the exiscan-acl patch. It specifies on which host and port the SpamAssassin
# "spamd" daemon is listening. If you do not use this condition, or you use
# the default of "127.0.0.1 783", you can omit this option.
spamd_address = 127.0.0.1 783
# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@rome.example" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local callers by
# default. See the recipient_unqualified_hosts option if you want to permit
# unqualified addresses from remote sources. If this option is not set, the
# primary_hostname value is used for qualification.
# qualify_domain =
# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.
# qualify_recipient =
# The following line must be uncommented if you want Exim to recognize
# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal"
# (an IP address) instead of a named domain. The RFCs still require this form,
# but it makes little sense to permit mail to be sent to specific hosts by
# their IP address in the modern Internet. This ancient format has been used
# by those seeking to abuse hosts by using them for unwanted relaying. If you
# really do want to support domain literals, uncomment the following line, and
# see also the "domain_literal" router below.
# allow_domain_literals
# No deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so causes a panic error to be logged, and
# the delivery to be deferred. This is a paranoic safety catch. Note that the
# default setting means you cannot deliver mail addressed to root as if it
# were a normal user. This isn't usually a problem, as most sites have an alias
# for root that redirects such mail to a human administrator.
never_users = root
# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.
host_lookup = *
# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# calls. You can limit the hosts to which these calls are made, and/or change
# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
# are disabled. RFC 1413 calls are cheap and can provide useful information
# for tracing problem messages, but some hosts and firewalls have problems
# with them. This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up an SMTP session.
rfc1413_hosts = *
rfc1413_query_timeout = 30s
# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. If you want to accept
# unqualified addresses (just a local part) from certain hosts, you can specify
# these hosts by setting one or both of
#
# sender_unqualified_hosts =
# recipient_unqualified_hosts =
#
# to control sender and recipient addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).
# If you want Exim to support the "percent hack" for certain domains,
# uncomment the following line and provide a list of domains. The "percent
# hack" is the feature by which mail addressed to x%y@z (where z is one of
# the domains listed) is locally rerouted to x@y and sent on. If z is not one
# of the "percent hack" domains, x%y is treated as an ordinary local part. This
# hack is rarely needed nowadays; you should not enable it unless you are sure
# that you really need it.
#
# percent_hack_domains =
#
# As well as setting this option you will also need to remove the test
# for local parts containing % in the ACL definition below.
# When Exim can neither deliver a message nor return it to sender, it "freezes"
# the delivery error message (aka "bounce message"). There are also other
# circumstances in which messages get frozen. They will stay on the queue for
# ever unless one of the following options is set.
# This option unfreezes frozen bounce messages after two days, tries
# once more to deliver them, and ignores any delivery failures.
ignore_bounce_errors_after = 2d
# This option cancels (removes) frozen messages that are older than a week.
timeout_frozen_after = 7d
smtp_accept_queue_per_connection = 1000
smtp_accept_max_per_connection = 10000
extract_addresses_remove_arguments = false
tls_certificate = /etc/exim/rsa.cert
tls_privatekey = /etc/exim/rsa.key
tls_dhparam = /etc/exim/dh.key
tls_advertise_hosts=*
# Add verbose received-header:
received_header_text = Received: \
${if def:sender_fullhost {from ${sender_fullhost}\
${if def:sender_ident {(${sender_ident})}}}\
{${if def:sender_ident {from ${sender_ident} }}}}\
by ${primary_hostname}\
${if def:received_protocol {with ${received_protocol}}}\
${if def:tls_cipher {(tls_cipher ${tls_cipher})}}\
${if def:tls_peerdn {(tls_peerdn ${tls_peerdn})}}\
(Exim ${version_number} #${compile_number} (Gentoo Linux 1.4))\
id ${message_id}
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :
# Deny if the local part contains @ or % or / or | or !. These are rarely
# found in genuine local parts, but are often tried by people looking to
# circumvent relaying restrictions.
# Also deny if the local part starts with a dot. Empty components aren't
# strictly legal in RFC 2822, but Exim allows them because this is common.
# However, actually starting with a dot may cause trouble if the local part
# is used as a file name (e.g. for a mailing list).
deny local_parts = ^.*[@%!/|] : ^\\.
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept local_parts = postmaster
domains = +local_domains
# Deny unless the sender address can be verified.
require verify = sender
#############################################################################
# There are no checks on DNS "black" lists because the domains that contain
# these lists are changing all the time. However, here are two examples of
# how you could get Exim to perform a DNS black list lookup at this point.
# The first one denies, while the second just warns.
#
# deny message = rejected because $sender_host_address is in a black list at
$dnslist_domain\n$dnslist_text
# dnslists = black.list.example
#
# warn message = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
# dnslists = black.list.example
#############################################################################
# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.
accept domains = +relay_to_domains
endpass
message = unrouteable address
verify = recipient
# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should probably
# add recipient verification here.
accept hosts = +relay_from_hosts
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.
accept authenticated = *
# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.
deny message = relay not permitted
# This access control list is used for content scanning with the exiscan-acl
# patch. You must also uncomment the entry for acl_smtp_data (scroll up),
# otherwise the ACL will not be used. IMPORTANT: the default entries here
# should be treated as EXAMPLES. You MUST read the file doc/exiscan-acl-spec.txt
# to fully understand what you are doing ...
acl_check_content:
# First unpack MIME containers and reject serious errors.
deny message = This message contains a MIME error ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
# Reject typically wormish file extensions. There is almost no
# sense in sending such files by email.
deny message = This message contains an unwanted file extension ($found_extension)
demime = scr:vbs:bat:lnk:pif
# Reject virus infested messages.
deny message = This message contains malware ($malware_name)
demime = *
malware = *
# Add X-Scanned Header
warn message = X-Antivirus-Scanned: Clean
# Reject messages containing "viagra" in all kinds of whitespace/case combinations
# WARNING: this is an example !
deny message = This message matches a blacklisted regular expression ($regex_match_string)
regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa]
# Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
# (user "nobody"), no matter if over threshold or not.
warn message = X-Spam-Score: $spam_score ($spam_bar)
spam = nobody:true
warn message = X-Spam-Report: $spam_report
spam = nobody:true
# Add X-Spam-Flag if spam is over system-wide threshold
warn message = X-Spam-Flag: YES
spam = nobody
# Reject spam messages with score over 10, using an extra condition.
deny message = This message scored $spam_score points. Congratulations!
spam = nobody:true
condition = ${if >{$spam_score_int}{100}{1}{0}}
# finally accept all the rest
accept
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
# This router routes to remote hosts over SMTP by explicit IP address,
# when an email address is given in "domain literal" form, for example,
# <user@[192.168.35.64]>. The RFCs require this facility. However, it is
# little-known these days, and has been exploited by evil people seeking
# to abuse SMTP relays. Consequently it is commented out in the default
# configuration. If you uncomment this router, you also need to uncomment
# allow_domain_literals above, so that Exim can recognize the syntax of
# domain literal addresses.
# domain_literal:
# driver = ipliteral
# domains = ! +local_domains
# transport = remote_smtp
# This router routes addresses that are not in local domains by doing a DNS
# lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a
# loopback interface address (127.0.0.0/8) is treated as if it had no DNS
# entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated
# as the local host inside the network stack. It is not 0.0.0.0/0, the default
# route. If the DNS lookup fails, no further routers are tried because of
# the no_more setting, and consequently the address is unrouteable.
#dnslookup:
# driver = dnslookup
# domains = ! +local_domains
# transport = remote_smtp
# ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# no_more
# Router to send all outgoing mail to a smart-host using smtp-auth
send_to_relay:
driver = manualroute
domains = ! +local_domains
transport = remote_smtp
route_list = * your.smart.host.some.where
# The remaining routers handle addresses in the local domain(s).
# This router handles aliasing using a linearly searched alias file with the
# name /etc/mail/aliases. When this configuration is installed automatically,
# the name gets inserted into this file from whatever is set in Exim's
# build-time configuration. The default path is the traditional /etc/aliases.
# If you install this configuration by hand, you need to specify the correct
# path in the "data" setting below.
#
##### NB You must ensure that the alias file exists. It used to be the case
##### NB that every Unix had that file, because it was the Sendmail default.
##### NB These days, there are systems that don't have it. Your aliases
##### NB file should at least contain an alias for "postmaster".
#
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary. Alternatively, you
# can specify "user" on the transports that are used. Note that the transports
# listed below are the same as are used for .forward files; you might want
# to set up different ones for pipe and file deliveries from aliases.
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/mail/aliases}}
# user = exim
file_transport = address_file
pipe_transport = address_pipe
# This router handles forwarding using traditional .forward files in users'
# home directories. If you want it also to allow mail filtering when a forward
# file starts with the string "# Exim filter", uncomment the "allow_filter"
# option.
# The no_verify setting means that this router is skipped when Exim is
# verifying addresses. Similarly, no_expn means that this router is skipped if
# Exim is processing an EXPN command.
# The check_ancestor option means that if the forward file generates an
# address that is an ancestor of the current one, the current one gets
# passed on instead. This covers the case where A is aliased to B and B
# has a .forward file pointing to A.
# The three transports specified at the end are those that are used when
# forwarding generates a direct delivery to a file, or to a pipe, or sets
# up an auto-reply, respectively.
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
allow_filter
directory_transport = address_directory
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
# A transport is used only when referenced from a router that successfully
# handles an address.
begin transports
# This transport is used for delivering messages over SMTP connections.
remote_smtp:
driver = smtp
hosts_require_auth=*
# Transport for outgoing smtp-auth
remote_tlssmtp:
driver = smtp
hosts_require_tls=*
hosts_require_auth=*
# auth_over_tls_hosts = *
# Modified standard local_delivery, now using maildir instead of mailbox format.
local_delivery:
driver = appendfile
# file = /var/mail/$local_part
directory = /home/$local_part/.maildir
maildir_format
delivery_date_add
envelope_to_add
return_path_add
# group = mail
# mode = 0660
# This transport is used for handling pipe deliveries generated by alias or
# .forward files. If the pipe generates any standard output, it is returned
# to the sender of the message as a delivery error. Set return_fail_output
# instead of return_output if you want this to happen only when the pipe fails
# to complete normally. You can set different transports for aliases and
# forwards if you want to - see the references to address_pipe in the routers
# section above.
address_pipe:
driver = pipe
return_output
# This transport is used for handling deliveries directly to files that are
# generated by aliasing or forwarding.
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
# This transport is user for handling deliveries directly to directories that are
# generated by aliasing or forwarding.
address_directory:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
maildir_format
# This transport is used for handling autoreplies generated by the filtering
# option of the userforward router.
address_reply:
driver = autoreply
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.
# Domain Error Retries
# ------ ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# There are no rewriting specifications in this default configuration file.
begin rewrite
# Rewrite outgoing email to Cataclysm@final-frontier.org
cat@*firestarter.shnet.org somebody@foo-bar.org Fq
# Comment: changed the above line so that nobody will use my email-address by accident :)
# Rewrite all incoming mails on all domains to one single user: cat
*@final-frontier.org cat TQ
*@final-frontier.ath.cx cat TQ
*@final-frontier.homelinux.net cat TQ
*@final-frontier.homelinux.org cat TQ
*@final-frontier.homelinux.com cat TQ
*@final-frontier.homeunix.org cat TQ
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
# There are no authenticator specifications in this default configuration file.
begin authenticators
# Plaintext-authenticator for basic relay security
# Replace myuser with your username on your smart-host, and mypassword with your password.
fixed_plain:
driver = plaintext
public_name = PLAIN
client_send = ^myuser^mypassword
######################################################################
# CONFIGURATION FOR local_scan() #
######################################################################
# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.
# begin local_scan
# End of Exim configuration file |
I think the config file is fairly well commented. Now you have to generate a hostkey to use tls with exim.
# cd /etc/exim/
# openssl req -new -x509 -days 365 -nodes -out rsa.cert -keyout rsa.key
# openssl dhparam -out dh.key 1024
These filenames are already configured in the above exim.conf .
CLAMAV:
"/etc/clamav.conf":
| Code: | ##
## Example config file for the Clam AV daemon
## Please read the clamav.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running the daemon.
# Full path is required.
LogFile /var/log/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option). That's why you shouldn't uncomment
# this option.
#LogFileUnlock
# Maximal size of the log file. Default is 1 Mb.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
#LogFileMaxSize 2M
# Log time with an each message.
LogTime
# Use system logger (can work together with LogFile).
#LogSyslog
# Enable verbose logging.
LogVerbose
# This option allows you to save the process identifier of the listening
# daemon (main thread).
PidFile /var/run/clamd.pid
# Path to a directory containing .db files.
# Default is the hardcoded directory (mostly /usr/local/share/clamav,
# it depends on installation options).
#DataDirectory /var/lib/clamav
# The daemon works in local or network mode. Currently the local mode is
# recommended for security reasons.
# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a directory
# which is only accessible for a user running daemon.
LocalSocket /tmp/clamd
# TCP port address.
#TCPSocket 3310
#TCPSocket 784
# Maximum length the queue of pending connections may grow to.
# Default is 15.
#MaxConnectionQueueLength 30
# When activated, input stream (see STREAM command) will be saved to disk before
# scanning - this allows scanning within archives.
StreamSaveToDisk
# Close the connection if this limit is exceeded.
#StreamMaxLength 10M
# Maximal number of a threads running at the same time.
# Default is 5, and it should be sufficient for a typical workstation.
# You may need to increase threads number for a server machine.
#MaxThreads 10
# Thread (scanner - single task) will be stopped after this time (seconds).
# Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
# timeout instead of disabling it.
#ThreadTimeout 500
# Maximal depth the directories are scanned at.
MaxDirectoryRecursion 15
# Follow a directory symlinks.
# SECURITY HINT: You should have enabled directory recursion limit to
# avoid potential problems.
#FollowDirectorySymlinks
# Follow regular file symlinks.
#FollowFileSymlinks
# Do internal checks (eg. check the integrity of the database structures)
# By default clamd checks itself every 3600 seconds (1 hour).
#SelfCheck 600
# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
#User clamav
# Initialize the supplementary group access (for all groups in /etc/group
# user is added in. clamd must be started by root).
#AllowSupplementaryGroups
# Don't fork into background. Useful in debugging.
#Foreground
##
## Mail support
##
# Uncomment this option if you are planning to scan mail files.
ScanMail
##
## Archive support
##
# Comment this line to disable scanning of the archives.
ScanArchive
# Options below protect your system against Denial of Service attacks
# with archive bombs.
# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# WARNING: Due to the unrarlib implementation, whole files (one by one) in RAR
# archives are decompressed to the memory. That's why never disable
# this limit (but you may increase it of course!)
ArchiveMaxFileSize 10M
# Archives are scanned recursively - e.g. if Zip archive contains RAR file,
# the RAR file will be decompressed, too (but only if recursion limit is set
# at least to 1). With this option you may set the recursion level.
# Value of 0 disables the limit.
ArchiveMaxRecursion 5
# Number of files to be scanned within archive.
# Value of 0 disables the limit.
ArchiveMaxFiles 1000
# Use slower decompression algorithm which uses less memory. This option
# affects bzip2 decompressor only.
#ArchiveLimitMemoryUsage
##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
## up your system !!!
##
# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
#ClamukoScanOnLine
# Set access mask for Clamuko.
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
# Set the include paths (all files in them will be scanned). You can have
# multiple ClamukoIncludePath options, but each directory must be added
# in a seperate option. All subdirectories are scanned, too.
ClamukoIncludePath /home
#ClamukoIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
#ClamukoExcludePath /home/guru
# Limit the file size to be scanned (probably you don't want to scan your movie
# files ;))
# Value of 0 disables the limit. 1 Mb should be fine.
ClamukoMaxFileSize 1M
# Enable archive support. It uses the limits from clamd section.
# (This option doesn't depend on ScanArchive, you can have archive support
# in clamd disabled).
ClamukoScanArchive |
I don't think that you have to modify this file. Just replace your default-config with it.
SPAMASSASSIN:
"/etc/mail/spamassassin/local.cf":
| Code: | # This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_subject 0
# report_safe 1
# trusted_networks 212.17.35.
# SpamAssassin config file for version 2.5x
# generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)
# How many hits before a message is considered spam.
required_hits 5.0
# Whether to change the subject of suspected spam
rewrite_subject 0
# Text to prepend to subject if rewrite_subject is used
subject_tag *****SPAM*****
# Encapsulate spam in an attachment
report_safe 1
# Use terse version of the spam report
use_terse_report 0
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_languages all
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales all |
This file was generated by the config-tool at http://www.yrex.com/spam/spamconfig.php
COURIER-IMAP:
I did not change ANY configuration for courier-imapd - I just fired it up and it was working
Note that there is some problem with current portage, blocking courier-imapd from being successfully emerged. I had to do it manualy with "ebuild /usr/portage/net-mail/courier-imap/courier-imap-2.1.1.ebuild merge", because just emerging it stopped for me with a sandbox access violation (Bug #28532). Maybe this is fixed in portage the time you read this
Starting all programs:
Execute these commands in the following order:
# /etc/init.d/clamd start
# /etc/init.d/spamd start
# /etc/init.d/exim start
# /etc/init.d/courier-imapd start
Look out for any errors that might appear. If no errors show up, you're done! Congratulations. Test your installation by sending yourself a mail. Look at the headers of the received mail if there is a spam-report, and if it looks reasonable.
Now you can add all services to the default runlevel:
# rc-update add clamd default
# rc-update add spamd default
# rc-update add exim default
# rc-update add courier-imapd default
That's it!
Setting up .forward to filter incoming email:
Edit the file called ".forward" in your user's homedir. Here is my .forward as an example:
"/home/cat/.forward":
| Code: | # Exim filter
if $header_from: matches MailingList@exhedra.com or
$sender_address matches MailingList@planet-source-code.com
then
save .maildir/.Newsletter.PlanetSourceCode/
endif
if $header_to: contains "linux-kernel@vger.kernel.org" or
$header_cc: contains "linux-kernel@vger.kernel.org" or
$header_to: contains "linux-kernel@vger.redhat.com" or
$header_cc: contains "linux-kernel@vger.redhat.com"
then
save .maildir/.MailingLists.Linux-Kernel/
endif
if $header_to: contains "bugtraq@securityfocus.com" or
$header_cc: contains "bugtraq@securityfocus.com"
then
save .maildir/.MailingLists.Bugtraq/
endif
if $header_to: matches members@gmx.net or
$header_from: matches delphiforums@email-publisher.com or
$header_from: matches webmaster@surf4euros.info or
$header_from: matches webmaster@surf4ads.com or
$header_from: matches nl1@adrom.net or
$header_from: matches gratis2000@netnewsabo.de or
$header_from: matches 4riyveuxou@aol.com or
$header_from: matches jocelynespinoza_ha@online.nsk.su or
$header_from: matches jxxwr85u@yahoo.com or
$header_from: matches 02dkbgx64@yahoo.com or
$header_from: matches w53gwkst@excite.com or
$header_from: matches office@all-for-free.com
then
seen finish
endif |
You see, many mails are "save"d elsewhere than the normal inbox. In Courier's IMAP hierarchy, directories beneath the root are dot directories. In addition, all subdirectories are denoted by periods, not additional forward slashes. So, lists/Debian/User/ is actually .Lists.Debian.User/ on disk and should be referred to in Exim filters as "save .maildir/.Lists.Debian.User/" for things to be saved the way you expect. The trailing forward slash is IMPORTANT for maildir to work! The last block with "seen finish" simply sends the mail to /dev/null
Please refer to the exim_filter docs for more detailed information about .forward filtering.
Okay, I think that's all. Hope that this is of some help for anybody
Feel free to email me at cat@final-frontier.ath.cx if you have any questions about this HowTo.
Greets, Dennis.
P.S.: Excuse me for my bad english, I'm from germany - but I tried my best  |
|
| Back to top |
|
 |
Lovechild
Advocate
Joined: 17 May 2002
Posts: 2858
Location: Århus, Denmark
|
| Posted: Sat Sep 13, 2003 8:38 am Post subject: |
|
|
The subject title is a bit confusing - why do I need this ?
Content filtering email proxy as a user, or is this meant for industry deployment - I'm not quite sure. |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Sat Sep 13, 2003 12:13 pm Post subject: |
|
|
My examples are from a small mailserver for private use, but you can modify it for use on bigger mailservers easily.
It's just a way to show how this bunch of programs CAN be setup, because it's not that easy if you have to do it from scratch. |
|
| Back to top |
|
|
smouge
n00b
Joined: 22 Jan 2003
Posts: 66
Location: Oosterhout, the Netherlands
|
| Posted: Mon Sep 15, 2003 1:30 pm Post subject: |
|
|
Thanks for your post.
I'm considering switching from qmail to exim, I think your info will help me.
_________________
Can't think about anything funny to place here |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Mon Sep 15, 2003 5:51 pm Post subject: |
|
|
| Please let me know, if there are any errors in the guide, or any improvement you may find |
|
| Back to top |
|
|
Giorgio
Tux's lil' helper
Joined: 18 Jan 2003
Posts: 77
Location: Milano, Italy
|
| Posted: Mon Sep 15, 2003 8:36 pm Post subject: |
|
|
I don't know what I did wrong.. but using imap all goes well, if I use imapd-ssl (port 993) login is alway failed. 
ps. good tutorial anyway 
_________________
app-portage/genlop
A nice emerge.log parser |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Mon Sep 15, 2003 10:03 pm Post subject: |
|
|
You need to generate an imap-ssl-hostkey and then you have to fire up the courier-imapd-ssl.
# nano /etc/courier-imap/imapd.cnf
Change settings according to your system.
# mkimapdcert
Makes the required hostkeys.
# /etc/init.d/courier-imapd-ssl
Fires up the server. Now try if it works, if yes:
# rc-update add courier-imapd-ssl default
That's it! Have fun.
After that you will have to import your selft-generated ssl-certificate into windows (if you use windows-clients), to let them not complain about your unknown key, but that's another chapter |
|
| Back to top |
|
|
Giorgio
Tux's lil' helper
Joined: 18 Jan 2003
Posts: 77
Location: Milano, Italy
|
| Posted: Tue Sep 16, 2003 11:17 am Post subject: |
|
|
Now it works. 
Thanks again.
_________________
app-portage/genlop
A nice emerge.log parser |
|
| Back to top |
|
|
timmy
n00b
Joined: 24 May 2002
Posts: 56
Location: Bath, UK
|
| Posted: Thu Sep 18, 2003 12:43 pm Post subject: |
|
|
I have almost the same setup, the only difference being that I'm using f-prot rather than clamav.
How do you go about updating the virus definition files in clamav? f-prot comes with an update script you can put in your crontab. I'm not sure how effective f-prot is, as I've not received a virus since I've been using it.
I'm also considering changing my imap server; I can't seem to get it to accept STARTTLS on port 143 (993 works fine), and my P800 smartphone needs the STARTTLS thing.
I'm very happy with exim, exiscan-acl and spamassassin
Tim |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Thu Sep 18, 2003 1:19 pm Post subject: |
|
|
| timmy wrote: | | How do you go about updating the virus definition files in clamav? |
clamav comes with an auto-updater, running in the background, checking each 12 hours for new patterns I'm quite happy with clamav. |
|
| Back to top |
|
|
timmy
n00b
Joined: 24 May 2002
Posts: 56
Location: Bath, UK
|
| Posted: Fri Sep 19, 2003 5:21 pm Post subject: |
|
|
I'm happy to report that f-prot picked up and blocked all the copies of W32/Swen.A@mm sent to me today, so I guess I'll be sticking with it...
On a different note, I wonder whether you shoud add the following to your /etc/mail/spamassassin/local.cf file?:
| Code: | score RCVD_IN_OSIRUSOFT_COM 0
score X_OSIRU_DUL 0
score X_OSIRU_DUL_FH 0
score X_OSIRU_OPEN_RELAY 0
score X_OSIRU_SPAMWARE_SITE 0
score X_OSIRU_SPAM_SRC 0 |
I'm not sure what the current situation with osirusoft is... |
|
| Back to top |
|
|
Ladius
n00b
Joined: 23 Jan 2003
Posts: 39
Location: California, USA
|
| Posted: Sun Sep 21, 2003 5:38 am Post subject: Update for this |
|
|
Just a pointing out the obvious update for the clamd section.
Might want to put in a note to edit the /etc/conf.d/clamd file:
| Code: |
# Config file for /etc/init.d/clamd
START_CLAMD=no
CLAMD_OPTS=""
CLAMD_LOG=""
START_FRESHCLAM=yes
FRESHCLAM_OPTS="-d -c 2"
FRESHCLAM_LOG="/var/log/clam-update.log"
|
should be changed to
| Code: |
# Config file for /etc/init.d/clamd
START_CLAMD=yes
CLAMD_OPTS=""
CLAMD_LOG=""
START_FRESHCLAM=yes
FRESHCLAM_OPTS="-d -c 2"
FRESHCLAM_LOG="/var/log/clam-update.log"
|
Without the changing "START_CLAMD=" from "no" to "yes" clamd won't start and any attempts to receive mail on the system will be given a temporary errror of 451 (which most good mail servers understand to be try me later joe maybe the admin has fixed me). |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Sun Sep 21, 2003 10:26 am Post subject: |
|
|
| Thank you, Ladius, I must have missed that out. |
|
| Back to top |
|
|
d33d0
n00b
Joined: 22 Apr 2003
Posts: 24
Location: Hamburg / Germany
|
| Posted: Sat Oct 18, 2003 12:03 pm Post subject: exim usefull as proxy? |
|
|
Hi,
I would like to setup a mail proxy, to filter spam and protect the "real" mailserver against the "bad internet".. The server should take new mails, filter for spam and forward all mails to a backend mailserver.
Is exim + spammassassin the first choice? |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Sat Oct 18, 2003 5:18 pm Post subject: |
|
|
d33d0, I don't know if exim is the first choice - but I know, that it is possible.
Some scratch ideas on that:
In /etc/exim/exim.conf:
| Code: | | domainlist relay_to_domains = your.domain |
This ensures that mail to your inner MTA are allowed from everywhere.
Make sure that the proxy-MTA does NOT have your mail-domain in local_domains! Put the following in the routers-config of exim BEFORE dnslookup or your mail-relay:
| Code: | send_to_my_real_mailserver:
driver = manualroute
domains = +relay_to_domains
transport = remote_smtp
route_list = * your.inner.mail.server |
Hope that helps a bit... |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Sat Oct 18, 2003 5:30 pm Post subject: SMTP-Auth for inbound connections |
|
|
Thanks and regards for the following go to Vinay Malkani, he send it to me by email.
| Quote: | Smtp-auth (based on actual user logins) for inbound connections was extremely simple. I thought you might want to add it to your guide.
First create /etc/pam.d/exim (probably created for you when you emerged exim)
This file should read as follows:
--------BEGIN CODE-----------
# You may need to remove the "md5"
auth required pam_unix.so shadow md5
account required pam_unix.so
-------END CODE-------------
Next add to to your exim.conf file the following items
1.
---------BEGIN CODE--------
exim_user = root // add this to the top of the file
---------END CODE-------------
2. in the authenticators section add:
----------BEGIN CODE--------
plain:
driver = plaintext
public_name = PLAIN
server_condition = "${if pam{$2:$3}{1}{0}}"
server_set_id = $2
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if pam{$1:$2}{1}{0}}"
server_set_id = $1
--------END CODE-----------------
and thats it
|
|
|
| Back to top |
|
|
kannX
Tux's lil' helper
Joined: 21 Jul 2002
Posts: 76
|
| Posted: Sun Oct 19, 2003 5:01 pm Post subject: |
|
|
Thanks for that great HowTo
if you use fetchmail to grab mails from external pop/imap accounts don't forget to start fetchmail with the option or you'll get a mail bounce that will blow your machine up |
|
| Back to top |
|
|
paul_zm
n00b
Joined: 01 Jan 2004
Posts: 13
Location: Woudenberg
|
| Posted: Thu Jan 01, 2004 1:14 pm Post subject: |
|
|
Thanx for the great howto. It helped me a lot.
The only thing I don't get to work is the subject rewriting.
First I tried to change the local.cf from spamassassin but that didn't show any results. (Probably exim won't look at it.)
Then I tried to look for an exim rule to change the subject but I probably don't use the correct syntax. Does anyone have a rule or filter I can use for that ? |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Fri Jan 02, 2004 10:38 am Post subject: |
|
|
Yes I have.
You probably got something like this in your exim.conf:
| Code: | warn message = X-Spam-Score: $spam_score ($spam_bar)
spam = nobody:true
condition = ${if >{$spam_score_int}{50}{1}{0}}
warn message = X-Spam-Report: $spam_report
spam = nobody:true
condition = ${if >{$spam_score_int}{50}{1}{0}} |
Just add the following before "accept" and beneath that to exim.conf:
| Code: | warn message = Subject: *** SPAM *** $h_subject
spam = nobody
condition = ${if >{$spam_score_int}{100}{1}{0}} |
$h_subject gets replaced by the original subject. Please adjust the spam-score (100 - stands for 10.0 and above) to your needs. If you want to use the systemwide settings for that score just delete the condition-line.
Have fun! |
|
| Back to top |
|
|
paul_zm
n00b
Joined: 01 Jan 2004
Posts: 13
Location: Woudenberg
|
| Posted: Fri Jan 02, 2004 4:25 pm Post subject: |
|
|
I already tried that one but the "Subject"-rule has already been written when it arrives at the anti-spam section. The result is two subject rules where the first one has priority over the second one (where the second one is the rule with the word SPAM in it).
I think I need a filter of some sort to rewrite the subject rule. |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Sun Jan 04, 2004 2:03 am Post subject: |
|
|
After a long time of googl'ing I think I found a solution for you. The following comes from an archived message on the exim-users mailinglist:
| Quote: | For the subject tag, we prepare a new subject header in the
ACL, then swap it with the original Subject in the system
filter.
In the DATA ACL, put this:
/* -----------------
warn message = X-New-Subject: *SPAM* $h_subject:
spam = nobody
------------------ */
In the system filter, put this:
/* -----------------
if "${if def:header_X-New-Subject: {there}}" is there
then
headers remove subject
headers add "Subject: $h_X-New-Subject:"
headers remove X-New-Subject
endif
------------------ */ |
The system filter is located at /etc/exim/system_filter.exim. I hope that one works, maybe you could drop in a short report |
|
| Back to top |
|
|
paul_zm
n00b
Joined: 01 Jan 2004
Posts: 13
Location: Woudenberg
|
| Posted: Sun Jan 04, 2004 11:32 am Post subject: |
|
|
He Cataclysm, thank you very very much. It works perfect.
The only extra thing I had to do was adding the following line to the top in my exim.conf to activate the filter:
| Quote: | | system_filter = /etc/exim/system_filter.exim |
It must be possible to do something similar in a .forward file. But I don't use that. |
|
| Back to top |
|
|
matze81
n00b
Joined: 12 Jan 2004
Posts: 20
|
| Posted: Tue Jan 13, 2004 2:25 pm Post subject: |
|
|
Hi there,
i just followed the How-To but after doing all the stuff mentioned there i'm only able to send/receive emails to/from local users. It's also possible to receive emails from "world".
Now my Problem:
When try to send an email to a "world" address i find the following error in the exim_main log and the mail will not arrive:
| Code: |
... R=send_to_relay T=remote_smtp defer (-42): authentication required but server did not advertise AUTH support |
Did someone have a solution for this problem?
with regards
matze |
|
| Back to top |
|
|
Cataclysm
n00b
Joined: 11 Sep 2003
Posts: 31
|
| Posted: Tue Jan 13, 2004 3:17 pm Post subject: |
|
|
You tried to use SMTP-Auth were it is not supported. Configure your smarthost without it.
In /etc/exim/exim.conf:
Change
| Code: | remote_smtp:
driver = smtp
hosts_require_auth=* |
to:
| Code: | remote_smtp:
driver = smtp |
That's it. |
|
| Back to top |
|
|
matze81
n00b
Joined: 12 Jan 2004
Posts: 20
|
| Posted: Tue Jan 13, 2004 5:35 pm Post subject: |
|
|
Hi Cataclysm,
many thanks for your reply.
I tried your suggestions and it works, but only with these settings:
| Code: |
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
# Router to send all outgoing mail to a smart-host using smtp-auth
#send_to_relay:
# driver = manualroute
# domains = ! +local_domains
# transport = remote_smtp
# route_list = * my.dyndns.adress
|
and also not to all host, some reply the following:
| Code: | | SMTP error from remote mailer after end of data: host <hostname> [ip]: 550 rejected: cannot route to sender <matze@localhost> |
thats not the only problem, how you see the address is not rewritten, i don't realy know how to configure this. I think that's why some hosts reject me.
Could please give me some more hints and explain a little bit which these setting, shown above, mean. Perhaps i give you some extra information:
I want to send email from my server, so it should not be routed to another mailserver (sís this the so called smarthost?) which delivers it. i use a dyndns address for my server. The server is connected by a hardware router to the internet and i forwarded the smp, imap, pop and the dns port to the server. are there more ports which i should forward ?!
greetz
matze |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Documentation, Tips & Tricks
