Preventing SSH Dictionary Attacks With DenyHosts

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited: 02/07/2006

In this HowTo I will show how to install and configure DenyHosts. DenyHosts is a tool that observes login attempts to SSH, and if it finds failed login attempts again and again from the same IP address, DenyHosts blocks further login attempts from that IP address by putting it into /etc/hosts.deny. DenyHosts can be run by cron or as a daemon. In this tutorial I will run DenyHosts as a daemon.

From the DenyHosts web site:

“DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attacks.

If you’ve ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc…) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn’t it be better to automatically prevent that attacker from continuing to gain entry into your system?

DenyHosts attempts to address the above… ”

This tutorial is based on a Debian Sarge system, however, it should apply to other distributions with almost no modifications.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Installation

DenyHosts is written in Python, therefore we must install Python and also the Python development files first:

apt-get install python python2.3-dev python2.3

Then we download and install DenyHosts like this:

cd /tmp
wget http://mesh.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.0.tar.gz
tar xvfz DenyHosts-2.0.tar.gz
cd DenyHosts-2.0
python setup.py install

This installs DenyHosts to /usr/share/denyhosts.

2 Configuration

Now we have to create the DenyHosts configuration file /usr/share/denyhosts/denyhosts.cfg. We can use the sample configuration file /usr/share/denyhosts/denyhosts.cfg-dist for this:

cd /usr/share/denyhosts
cp denyhosts.cfg-dist denyhosts.cfg

Then we must edit denyhosts.cfg with our favourite editor such as vi, for example. Mine looks like this:

 ############ THESE SETTINGS ARE REQUIRED ############

########################################################################## SECURE_LOG: the log file that contains sshd logging info# if you are not sure, grep "sshd:" /var/log/*## The file to process can be overridden with the --file command line# argument## Redhat or Fedora Core:#SECURE_LOG = /var/log/secure## Mandrake, FreeBSD or OpenBSD:SECURE_LOG = /var/log/auth.log## SuSE:#SECURE_LOG = /var/log/messages#########################################################################

######################################################################### HOSTS_DENY: the file which contains restricted host access information## Most operating systems:HOSTS_DENY = /etc/hosts.deny## Some BSD (FreeBSD) Unixes:#HOSTS_DENY = /etc/hosts.allow## Another possibility (also see the next option):#HOSTS_DENY = /etc/hosts.evil#######################################################################

######################################################################### PURGE_DENY: removed HOSTS_DENY entries that are older than this time# when DenyHosts is invoked with the --purge flag##format is: i[dhwmy]#Where 'i' is an integer (eg. 7)#'m' = minutes#'h' = hours#'d' = days#'w' = weeks#'y' = years## never purge:PURGE_DENY =## purge entries older than 1 week#PURGE_DENY = 1w## purge entries older than 5 days#PURGE_DENY = 5d#######################################################################

######################################################################## BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY## man 5 hosts_access for details## eg. sshd: 127.0.0.1# will block sshd logins from 127.0.0.1## To block all services for the offending host:#BLOCK_SERVICE = ALL# To block only sshd:BLOCK_SERVICE= sshd# To only record the offending host and nothing else (if using# an auxilary file to list the hosts).Refer to:# http://denyhosts.sourceforge.net/faq.html#aux#BLOCK_SERVICE =########################################################################

######################################################################### DENY_THRESHOLD_INVALID: block each host after the number of failed login# attempts has exceeded this value.This value applies to invalid# user login attempts (eg. non-existent user accounts)#DENY_THRESHOLD_INVALID = 5########################################################################

######################################################################### DENY_THRESHOLD_VALID: block each host after the number of failed# login attempts has exceeded this value.This value applies to valid# user login attempts (eg. user accounts that exist in /etc/passwd) except# for the "root" user#DENY_THRESHOLD_VALID = 10########################################################################

######################################################################### DENY_THRESHOLD_ROOT: block each host after the number of failed# login attempts has exceeded this value.This value applies to# "root" user login attempts only.#DENY_THRESHOLD_ROOT = 5########################################################################

######################################################################### WORK_DIR: the path that DenyHosts will use for writing data to# (it will be created if it does not already exist).## Note: it is recommended that you use an absolute pathname# for this value (eg. /home/foo/denyhosts/data)#WORK_DIR = /usr/share/denyhosts/data########################################################################

######################################################################### SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS## SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO# If set to YES, if a suspicious login attempt results from an allowed-host# then it is considered suspicious.If this is NO, then suspicious logins# from allowed-hosts will not be reported.All suspicious logins from# ip addresses that are not in allowed-hosts will always be reported.#SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES######################################################################

######################################################################## HOSTNAME_LOOKUP## HOSTNAME_LOOKUP=YES|NO# If set to YES, for each IP address that is reported by Denyhosts,# the corresponding hostname will be looked up and reported as well# (if available).#HOSTNAME_LOOKUP=YES#######################################################################

######################################################################## LOCK_FILE## LOCK_FILE=/path/denyhosts# If this file exists when DenyHosts is run, then DenyHosts will exit# immediately.Otherwise, this file will be created upon invocation# and deleted upon exit.This ensures that only one instance is# running at a time.## Redhat/Fedora:#LOCK_FILE = /var/lock/subsys/denyhosts## DebianLOCK_FILE = /var/run/denyhosts.pid## Misc#LOCK_FILE = /tmp/denyhosts.lock#######################################################################

 ############ THESE SETTINGS ARE OPTIONAL ############

######################################################################### ADMIN_EMAIL: if you would like to receive emails regarding newly# restricted hosts and suspicious logins, set this address to# match your email address.If you do not want to receive these reports# leave this field blank (or run with the --noemail option)#ADMIN_EMAIL =########################################################################

########################################################################SMTP_HOST = localhostSMTP_PORT = 25SMTP_FROM = DenyHosts <nobody@localhost>SMTP_SUBJECT = DenyHosts Report#SMTP_USERNAME=foo#SMTP_PASSWORD=bar########################################################################

######################################################################## ALLOWED_HOSTS_HOSTNAME_LOOKUP## ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,# the hostname will be looked up.If your versions of tcp_wrappers# and sshd sometimes log hostnames in addition to ip addresses# then you may wish to specify this option.##ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO#######################################################################

######################################################################## AGE_RESET_VALID: Specifies the period of time between failed login# attempts that, when exceeded will result in the failed count for# this host to be reset to 0.This value applies to login attempts# to all valid users (those within /etc/passwd) with the# exception of root.If not defined, this count will never# be reset.## See the comments in the PURGE_DENY section (above)# for details on specifying this value or for complete details# refer to:http://denyhosts.sourceforge.net/faq.html#timespec#AGE_RESET_VALID=5d#######################################################################

######################################################################## AGE_RESET_ROOT: Specifies the period of time between failed login# attempts that, when exceeded will result in the failed count for# this host to be reset to 0.This value applies to all login# attempts to the "root" user account.If not defined,# this count will never be reset.## See the comments in the PURGE_DENY section (above)# for details on specifying this value or for complete details# refer to:http://denyhosts.sourceforge.net/faq.html#timespec#AGE_RESET_ROOT=25d#######################################################################

######################################################################## AGE_RESET_INVALID: Specifies the period of time between failed login# attempts that, when exceeded will result in the failed count for# this host to be reset to 0.This value applies to login attempts# made to any invalid username (those that do not appear# in /etc/passwd).If not defined, count will never be reset.## See the comments in the PURGE_DENY section (above)# for details on specifying this value or for complete details# refer to:http://denyhosts.sourceforge.net/faq.html#timespec#AGE_RESET_INVALID=10d#######################################################################

######################################################################## PLUGIN_DENY: If set, this value should point to an executable# program that will be invoked when a host is added to the# HOSTS_DENY file.This executable will be passed the host# that will be added as it's only argument.##PLUGIN_DENY=/usr/bin/true#######################################################################

######################################################################## PLUGIN_PURGE: If set, this value should point to an executable# program that will be invoked when a host is removed from the# HOSTS_DENY file.This executable will be passed the host# that is to be purged as it's only argument.##PLUGIN_PURGE=/usr/bin/true#######################################################################

######################################################################## USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain# a regular expression that can be used to identify additional# hackers for your particular ssh configuration.This functionality# extends the built-in regular expressions that DenyHosts uses.# This parameter can be specified multiple times.# See this faq entry for more details:#http://denyhosts.sf.net/faq.html#userdef_regex##USERDEF_FAILED_ENTRY_REGEX=########################################################################

 ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE##########

######################################################################### DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)# this is the logfile that DenyHosts uses to report it's status.# To disable logging, leave blank.(default is: /var/log/denyhosts)#DAEMON_LOG = /var/log/denyhosts## disable logging:#DAEMON_LOG =#######################################################################

######################################################################### DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode# (--daemon flag) this specifies the timestamp format of# the DAEMON_LOG messages (default is the ISO8061 format:# ie. 2005-07-22 10:38:01,745)## for possible values for this parameter refer to: man strftime## Jan 1 13:05:59#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S## Jan 1 01:05:59#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S#######################################################################

######################################################################### DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode# (--daemon flag) this specifies the message format of each logged# entry.By default the following format is used:## %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s## Where the "%(asctime)s" portion is expanded to the format# defined by DAEMON_LOG_TIME_FORMAT## This string is passed to python's logging.Formatter contstuctor.# For details on the possible format types please refer to:# http://docs.python.org/lib/node357.html## This is the default:#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s########################################################################

######################################################################### DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)# this is the amount of time DenyHosts will sleep between polling# the SECURE_LOG.See the comments in the PURGE_DENY section (above)# for details on specifying this value or for complete details# refer to:http://denyhosts.sourceforge.net/faq.html#timespec##DAEMON_SLEEP = 30s########################################################################

######################################################################### DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,# run the purge mechanism to expire old entries in HOSTS_DENY# This has no effect if PURGE_DENY is blank.#DAEMON_PURGE = 1h########################################################################

 ######### THESE SETTINGS ARE SPECIFIC TO ########## ######### DAEMON SYNCHRONIZATION ##########

######################################################################### Synchronization mode allows the DenyHosts daemon the ability# to periodically send and receive denied host data such that# DenyHosts daemons worldwide can automatically inform one# another regarding banned hosts. This mode is disabled by# default, you must uncomment SYNC_SERVER to enable this mode.## for more information, please refer to:#http:/denyhosts.sourceforge.net/faq.html#sync########################################################################

######################################################################### SYNC_SERVER: The central server that communicates with DenyHost# daemons.Currently, denyhosts.net is the only available server# however, in the future, it may be possible for organizations to# install their own server for internal network synchronization## To disable synchronization (the default), do nothing.## To enable synchronization, you must uncomment the following line:#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911########################################################################

######################################################################### SYNC_INTERVAL: the interval of time to perform synchronizations if# SYNC_SERVER has been uncommented.The default is 1 hour.##SYNC_INTERVAL = 1h########################################################################

######################################################################### SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have# been denied?This option only applies if SYNC_SERVER has# been uncommented.##SYNC_UPLOAD = no## the default:#SYNC_UPLOAD = yes########################################################################

######################################################################### SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have# been denied by others?This option only applies if SYNC_SERVER has# been uncommented.##SYNC_DOWNLOAD = no## the default:#SYNC_DOWNLOAD = yes########################################################################

######################################################################### SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this paramter# filters the returned hosts to those that have been blocked this many# times by others.That is, if set to 1, then if a single DenyHosts# server has denied an ip address then you will receive the denied host.##SYNC_DOWNLOAD_THRESHOLD = 10## the default:#SYNC_DOWNLOAD_THRESHOLD = 3########################################################################

Make sure you set SECURE_LOG and LOCK_FILE to the correct values for your distribution! For Debian, these are:

SECURE_LOG = /var/log/auth.log
LOCK_FILE = /var/run/denyhosts.pid

As we want to run DenyHosts as a daemon, we need the daemon control script /usr/share/denyhosts/daemon-control. Again, we can use the sample script /usr/share/denyhosts/daemon-control-dist to create the needed file:

cp daemon-control-dist daemon-control

Edit /usr/share/denyhosts/daemon-control and make sure you set the correct values for DENYHOSTS_BIN, DENYHOSTS_LOCK, and DENYHOSTS_CFG. For Debian, these are:

DENYHOSTS_BIN = “/usr/bin/denyhosts.py”
DENYHOSTS_LOCK = “/var/run/denyhosts.pid”
DENYHOSTS_CFG = “/usr/share/denyhosts/denyhosts.cfg”

So my /usr/share/denyhosts/daemon-control file looks like this:

#!/usr/bin/env python# denyhosts Bring up/down the DenyHosts daemon## chkconfig: 2345 98 02# description: Activates/Deactivates the#DenyHosts daemon to block ssh attempts################################################

################################################### Edit these to suit your configuration ###################################################

DENYHOSTS_BIN = "/usr/bin/denyhosts.py"DENYHOSTS_LOCK= "/var/run/denyhosts.pid"DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"

################################################### Do not edit below ###################################################

import os, sys, signal, time

STATE_NOT_RUNNING = -1STATE_LOCK_EXISTS = -2

def usage():print "Usage: %s {start [args...] | stop | restart [args...] | status | debug | condrestart [args...] }" % sys.argv[0]printprint "For a list of valid 'args' refer to:"print "$ denyhosts.py --help"printsys.exit(0)

def getpid():try:fp = open(DENYHOSTS_LOCK, "r")pid = int(fp.readline().rstrip())fp.close()except Exception, e:return STATE_NOT_RUNNING

if os.access(os.path.join("/proc", str(pid)), os.F_OK):return pidelse:return STATE_LOCK_EXISTS

def start(*args):cmd = "%s --daemon " % DENYHOSTS_BINif args: cmd += ' '.join(args)

print "starting DenyHosts: ", cmd

os.system(cmd)

def stop():pid = getpid()if pid >= 0:os.kill(pid, signal.SIGTERM)print "sent DenyHosts SIGTERM"else:print "DenyHosts is not running"

def debug():pid = getpid()if pid >= 0:os.kill(pid, signal.SIGUSR1)print "sent DenyHosts SIGUSR1"else:print "DenyHosts is not running"

def status():pid = getpid()if pid == STATE_LOCK_EXISTS:print "%s exists but DenyHosts is not running" % DENYHOSTS_LOCKelif pid == STATE_NOT_RUNNING:print "Denyhosts is not running"else:print "DenyHosts is running with pid = %d" % pid

def condrestart(*args):pid = getpid()if pid >= 0:restart(*args)

def restart(*args):stop()time.sleep(1)start(*args)

if __name__ == '__main__':cases = {'start': start, 'stop':stop, 'debug': debug, 'status':status, 'condrestart': condrestart, 'restart': restart}

try:args = sys.argv[2:]except:args = []

try:option = sys.argv[1]

if option in ('start', 'restart', 'condrestart'):if '--config' not in args and '-c' not in args:args.append("--config=%s" % DENYHOSTS_CFG)

cmd = cases[option]apply(cmd, args)except:usage()

Next we have to make that file executable:

chown root daemon-control
chmod 700 daemon-control

Afterwards, we create the system bootup links for DenyHosts do that it is started automatically when the system is booted:

cd /etc/init.d
ln -s /usr/share/denyhosts/daemon-control denyhosts
update-rc.d denyhosts defaults

Finally, we start DenyHosts:

/etc/init.d/denyhosts start

DenyHosts logs to /var/log/denyhosts, if you are interested in the logs. The SSH daemon logs to /var/log/auth.log on Debian. You can watch both logs and try to log in with an invalid user or with a valid user and incorrect password, etc. via SSH and see what happens. After you have crossed the threshold of incorrect login attempts, the IP address from which you tried to connect should get listed in /etc/hosts.deny, like this:

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.#See the manual pages hosts_access(5), hosts_options(5)#and /usr/doc/netbase/portmapper.txt.gz## Example:ALL: some.host.name, .some.domain# ALL EXCEPT in.fingerd: other.host.name, .other.domain## If you're going to protect the portmapper use the name "portmap" for the# daemon name. Remember that you can only use the keyword "ALL" and IP# addresses (NOT host or domain names) for the portmapper. See portmap(8)# and /usr/doc/portmap/portmapper.txt.gz for further information.## The PARANOID wildcard matches any host whose name does not match its# address.

# You may wish to enable this to ensure any programs that don't# validate looked up hostnames still leave understandable logs. In past# versions of Debian this has been the default.# ALL: PARANOIDsshd: 192.168.0.203

This means that the system with the IP address 192.168.0.203 cannot connect anymore using SSH.

You can specify if/when IP addresses are removed again from /etc/hosts.deny – have a look at the PURGE_DENY variable in /usr/share/denyhosts/denyhosts.cfg.You must start DenyHosts with the –purge option to make the PURGE_DENY variable effective, like this:

/etc/init.d/denyhosts start –purge

However, you can also remove IP addresses manually from there, and as soon as they have got removed, these IP addresses can try to log in again via SSH.

Links

• DenyHosts: http://denyhosts.sourceforge.net

3.3Apache Tomcat 5.5

I have not tried the bundled Apache Tomcat in the CentOS 5 Repository, I went ahead and downloaded it anyway from the tomcat.apache.org site:

cd /opt

wget http://apache.cyberuse.com/tomcat/tomcat-5/v5.5.27/bin/apache-tomcat-5.5.27.tar.gz

tar xzf apache-tomcat-5.5.27.tar.gz

mv apache-tomcat-5.5.27 tomcat

Start the Tomcat Daemon and send it to the background:

/opt/tomcat/bin/startup.sh &

Append it to the rc.local file to start at boot time:

echo “/opt/tomcat/bin/startup.sh &” >> /etc/rc.local

 

3.4Apache Ant 1.7

I have gone ahead and downloaded the source for apache ant too as I want to keep everything consistent and so it doesn`t break the CentOS installation.With this technique however, you can easily remove all the exported directories and delete the applications directory and install the stock rpmsupplied with CentOS later if you like.

cd /opt

wget http://apache.promopeddler.com/ant/binaries/apache-ant-1.7.1-bin.tar.gz

tar xzf apache-ant-1.7.1-bin.tar.gz

mv apache-ant-1.7.1 ant

echo “export ANT_HOME=/opt/ant” >> /etc/rc.local

export ANT_HOME=/opt/ant

 

4. Downloading and Installing OpenBravo 2.4

I am using OpenBravo 2.4 because this Howto was tested and declared working. However, there is a new release 2.5 which I have not tested and so you can try atyour won RISK.

cd /tmp

Download the installation binary from SourceForge:

wget http://surfnet.dl.sourceforge.net/sourceforge/openbravo/OpenbravoERP_2.40-linux-installer.bin

Make it executable:

chmod +x OpenbravoERP_2.40-linux-installer.bin

Run the installer:

./OpenbravoERP_2.40-linux-installer.bin

A text based installer will guide you through the installation. First press a few times ENTER to read the single parts of the license agreement. Type in yes at the end if you agree with it:

Do you accept this license? [y/n]: <– y

Before the installation begins you’ll be asked a few questions – answer them as follows:

Please specify the directory where Openbravo ERP will be installed

[/opt/OpenbravoERP]: <– ENTER

Please specify a directory for the Openbravo ERP attachments

[/opt/OpenbravoERP/AppsOpenbravo/attachments]: <– ENTER

Installation mode

Please select the installation mode you wish to perform

[1] Complete

The database and the application server in the same computer

[2] Distributed

The database and the application server in different computers

Please choose an option [1] : <– ENTER

Please select the installation type you wish to perform

[1] Standard

Installs the database and sets up the application server.

Recommended.

[2] Development

Installs the database and and sets up the application server

through a compilation process.

Recommended for developers.

Please choose an option [1] : <– ENTER

Please specify the directory where the JDK is located

[/opt/java]: <– ENTER

Please specify the location where the Ant executable is located

[/opt/ant/bin/ant]: <– ENTER

Please specify the directory where Tomcat is located.

In case of having Tomcat split into 2 directories, select the one containing the webapps directory

[/opt/tomcat]: <– ENTER

Please select a database

[1] PostgreSQL

[2] Oracle

Please choose an option [1] : <– ENTER

Please specify the directory where the binaries of the PostgreSQL installation are located (psql, pg_restore, vacuumdb)

[/usr/bin]: <– ENTER

Please enter the IP address of the PostgreSQL database

Database host [localhost]: <– ENTER

Please enter the port of the PostgreSQL database

Database port [5432]: <– ENTER

Enter the password for your “postgres” administrator user

Password : <– testpassword

Retype password : <– testpassword

Please enter the name of the PostgreSQL database

Database name [openbravo]: <– ENTER

Please enter a username for the Openbravo ERP PostgreSQL database

Username [tad]: <– admin

Please enter a password for the new database user

Password : <– adminpassword (a password of your choice)

Retype password : <– adminpassword

Enter a context name.

This is used in the URL to access Openbravo ERP:

http://<ip_address>:<port>/context_name

Context name [openbravo]: <– openbravoerp

Please select the preferred date and time formats

Date format

Date format

[1] DD MM YYYY

[2] MM DD YYYY

[3] YYYY MM DD

Please choose an option [1] : <– ENTER

Date separator

[1] -

[2] /

[3] .

[4] :

Please choose an option [2] : <– ENTER

Time format

[1] 12h

[2] 24h

Please choose an option [2] : <– ENTER

Time separator

[1] :

[2] .

Please choose an option [1] : <– ENTER

Should the installer populate the database with demo data?

[Y/n]: Y <– ENTER

Setup is now ready to begin installing Openbravo ERP on your computer.

Do you want to continue? [Y/n]: Y <– ENTER

The installation will take a few minutes, so please be patient:

Please wait while Setup installs Openbravo ERP on your computer.

Installing

0% ______________ 50% ______________ 100%

#########################################

—————————————————————————-

Setup has finished installing Openbravo ERP on your computer.

 

5. Testing the Waters

If everything up to this point is successful, then you have won!  You can access Openbravo at http://www.example.com:8080/openbravoerp or http://192.168.1.1:8080/openbravoerp. 

Log in with the username Openbravo and the password openbravo.

Note: I have decided not to post any screen shot of this as this has been tested and declared working. If you need more information, you can use the links provided below as reference.

 

6. Links

Openbravo: http://www.openbravo.com/

Centos: http://www.centos.org

 PostgreSQL 8.3: http://yum.pgsqlrpms.org

How To Install Openbravo ERP On CentOS 5.2

This howto describes how to set up Openbravo ERP (enterprise management system) on CentOS 5.2 using PostgreSQL 8.3. Openbravo is an open source ERP solution designed specifically for the SME (small to midsize firm). Developed in a web based environment, it includes many robust functionalities which are considered part of the extended ERP: procurement and warehouse management, project and service management, production management, and financial management.

This is a follow up of Falko`s Wonderful “How To Install Openbravo ERP On Ubuntu 8.10″.

I do not issue any guarantee that this will work for you!

 

 1. Preliminary Note

 This howto assumes you have freshly installed CentOS system along with the following.

 a) Hostname:- server1.example.com

 b) Server IP:- 192.168.1.1

 You must have root privileges to run most of the actions described in this Howto.

 

2. Setup DNS

yum install bind bind-utils

#nano /etc/named.conf

options
{ directory	"/var/named"; dump-file	"data/cache_dump.db"; statistics-file"data/named_stats.txt"; memstatistics-file"data/named_mem_stats.txt"; forwarders {ISP_DNS_IP;};
};
zone "example.com" IN {type master;file "forward.zone";
};

#nano /var/named/forward.zone

$TTL 3h
@	IN	SOA	server1	muffycompoqm.gmail.com. (	1	; Serial Number	15m	; Refresh Rate	30m	; Retry Interval	1h	; Expire Delay	2h )	; Negative Cache TTL
@	IN	NS	server1
@	IN	A	192.168.1.1
server1	IN	A	192.168.1.1
www	IN	CNAME	server1.example.com.
ftp	IN	CNAME server1.example.com.

#nano /etc/resolv.conf

search example.com
nameserver 127.0.0.1

#chkconfig –levels 35 named on

#service named start

 

3. Installing Openbravo Dependencies

3.1Postgresql 8.3

Exclude Postgresql from the CentOS base repository as OpenBravo uses Postgresql 8.3 which is not included in the base repository.

#nano /etc/yum.repos.d/CentOS-Base.repo

Add to the bottom of the file:

exclude=postgresql*

Download and install the RPMs from http://yum.pgsqlrpms.org:

wget http://yum.pgsqlrpms.org/reporpms/8.3/pgdg-centos-8.3-6.noarch.rpm

rpm -ivh pgdg-centos-8.3-6.noarch.rpm

yum install postgresql postgresql-server

Afterwards we have to set the PostgreSQL admin password:

sed -i ‘s/ident sameuser$/trust/’ /etc/postgresql/8.3/main/pg_hba.conf

service postgresql start

chkconfig –levels 35 postgresql on

Open a PostgreSQL shell and alter the postgres user role:

psql -U postgres

alter role postgres with password ‘testpassword’;\q

sed -i ‘s/trust$/md5/’ /etc/postgresql/8.3/main/pg_hba.conf

service postgresql reload

service postgresql restart

 

3.2 Sun Java JDK 1.6

You will have to download Java 1.6 JDK from http://java.sun.com/javase/downloads/index.jsp.

cp jdk-6u13-linux-i586.bin.bin /opt

cd /opt

sh jdk-6u13-linux-i586.bin.bin –unpack

mv jdk1-* java

echo “export JAVA_HOME=/opt/java” >> /etc/rc.local

export JAVA_HOME=/opt/java

Specify a name for the new virtual machine (e.g. Windows XP Desktop) and select the location where the virtual machine will be created. You can select a local folder, but VMware Converter will display a warning if the destination folder is on the system that is going to be converted. A better idea is to select a network folder, for example the Virtual Machines folder on the system where VMware Server is installed (e.g. your new Linux desktop). This also has the benefit that you don’t have to copy the virtual machine to another folder/system after the conversion since the virtual machine is already in place.

Select Workstation 5.x, VMware Server, VMware Player for Type of virtual machine to create and click on Next:

If the destination folder is password-protected, you have to specify a username and password:

Next you can make some choices regarding the Disk Space Allocation. Usually Allow virtual disk files to grow is a good choice:

VMware Converter checks some settings:

Next specify some network settings for the virtual machine. Usually Bridge is the best choice:

Afterwards you can do some customizations, but it’s not necessary. Then click on Next:

Check all settings again, and if they are ok, click on Finish:

The conversion begins. This can take some minutes, so please be patient. If you check the destination folder at the same time (for example the Virtual Machines folder on our VMware Server system), you will notice that a new directory with the name of the virtual machine (e.g. Windows XP Desktop) has been created, and in it the virtual machine is being created:

This is how it looks after the completed conversion:

To check the details of the conversion, you can click on the Task Progress tab:

 

4 Start Your Virtual Machine

Now go to the system where VMware Server is installed, e.g. your Linux desktop or some other Windows desktop. (You can find guides for installing VMware Server on Debian Sarge and Ubuntu Dapper Drake here:

• Debian Sarge: http://www.tusforyou.com/debian_sarge_vmware_server_howto
• Ubuntu Dapper Drake: http://www.tusforyou.com/ubuntu_vmware_server

.)

Then import the Windows XP Desktop virtual machine into your VMware Server as described here: http://www.tusforyou.com/import_vmware_images

Afterwards start it. If all goes well, your old Windows desktop should come up in VMware Server:

 

5 Links

• VMware: http://www.vmware.com
• VMware Converter: http://www.vmware.com/products/converter
• VMware Server: http://www.vmware.com/products/server
• VMware Player: http://www.vmware.com/products/player

3 Convert Your Windows Desktop Into A Virtual Machine

Now start VMware Converter (it will start automatically if you have chosen Run VMware Converter now. at the end of the VMware Converter installlation).

We don’t need to add licenses as VMware Converter’s Starter Mode offers all we need (and in Starter Mode VMware Converter is free). Therefore we click on Continue in Starter Mode:

The VMware Converter interface opens. Please click on Import Machine:

The VMware Converter wizard starts. Click on Next:

Click on Next again:

Choose Physical computer as the source:

We want to convert the local machine, therefore we select This local machine and click on Next:

Select the volumes that you want to convert. Normally the default values are ok:

Click on Next:

I want to run the virtual machine in VMware Server, therefore I select VMware standalone virtual machine (Workstation or VMware Server):

Convert Physical Windows Systems Into Virtual Machines To Be Run On A Linux Desktop

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 02/13/2007

This article shows how you can convert a physical Windows system (XP, 2003, 2000, NT4 SP4+) into a VMware virtual machine with the free VMware Converter Starter. The resulting virtual machine can be run in the free VMware Player and VMware Server, and also in VMware Workstation and other VMware products. Vmware Converter comes in handy if you want to switch to a Linux desktop, but feel the need to run your old Windows desktop from time to time. By converting your Windows desktop into a virtual machine, you can run it under VMware Server/Player, etc. on your Linux desktop.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

In this article I will convert a Windows XP desktop into a virtual machine. Afterwards I will start the virtual machine in VMware Server.

(You can find guides for installing VMware Server on Debian Sarge and Ubuntu Dapper Drake here:

• Debian Sarge: http://www.tusforyou.com/debian_sarge_vmware_server_howto
• Ubuntu Dapper Drake: http://www.tusforyou.com/ubuntu_vmware_server

.)

 

2 Install VMware Converter

First download VMware Converter from http://www.vmware.com/products/converter to your Windows system (the one that you want to convert into a virtual machine) and start the installation by double-clicking on the downloaded file.

Accept the license agreement and click on Next:

Select a destination folder for the installation (normally you can accept the default value):

Choose Typical when asked for the setup type:

Click on Install to begin the installation:

VMware Converter is being installed:

After the installation, click Finish. If you like to start VMware Converter now, please check Run VMware Converter now.:

You should now find a VMware Converter icon on your desktop:

18 Installing SquirrelMail

SquirrelMail is a webmail interface that will let your users send and receive emails in a browser. This chapter shows how to install it and adjust it to our setup so that users can even change their email account password from the SquirrelMail interface.

To install SquirrelMail, we run:

yum install squirrelmail php-pear-DB

Afterwards we restart Apache:

/etc/init.d/httpd restart

SquirrelMail comes with some pre-installed plugins, unfortunately none of them is capable of letting us change our email password in our MySQL database. But there’s the Change SQL Password plugin which we can install manually:

cd /usr/share/squirrelmail/plugins
wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fchange_sqlpass-3.3-1.2.tar.gz
tar xvfz change_sqlpass-3.3-1.2.tar.gz
cd change_sqlpass
cp config.php.sample config.php

Now we must edit config.php and adjust it to our setup. Please adjust the $csp_dsn, $lookup_password_query, $password_update_queries, $password_encryption, $csp_salt_static, and $csp_delimiter variables as follows and comment out $csp_salt_query:

vi config.php

[...]
$csp_dsn = 'mysql://mail_admin:mail_admin_password@localhost/mail';
[...]
$lookup_password_query = 'SELECT count(*) FROM users WHERE email = "%1" AND password = %4';
[...]
$password_update_queries = array('UPDATE users SET password = %4 WHERE email = "%1"');
[...]
$password_encryption = 'MYSQLENCRYPT';
[...]
$csp_salt_static = 'LEFT(password, 2)';
[...]
//$csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';
[...]
$csp_delimiter = '@';
[...]

The complete file looks as follows:

<?php/** * SquirrelMail Change SQL Password Plugin * Copyright (C) 2001-2002 Tyler Akins * 2002 Thijs Kinkhorst <kink@users.sourceforge.net> * 2002-2005 Paul Lesneiwski <paul@openguild.net> * This program is licensed under GPL. See COPYING for details * * @package plugins * @subpackage Change SQL Password * */// Global Variables, don't touch these unless you want to break the plugin//global $csp_dsn, $password_update_queries, $lookup_password_query, $force_change_password_check_query, $password_encryption, $csp_salt_query, $csp_salt_static, $csp_secure_port, $csp_non_standard_http_port, $csp_delimiter, $csp_debug, $min_password_length, $max_password_length, $include_digit_in_password, $include_uppercase_letter_in_password, $include_lowercase_letter_in_password, $include_nonalphanumeric_in_password; // csp_dsn//// Theoretically, any SQL database supported by Pear should be supported// here.The DSN (data source name) must contain the information needed// to connect to your database backend. A MySQL example is included below.// For more details about DSN syntax and list of supported database types,// please see:// http://pear.php.net/manual/en/package.database.db.intro-dsn.php////$csp_dsn = 'mysql://user:password@localhost/email_users';$csp_dsn = 'mysql://mail_admin:mail_admin_password@localhost/mail';// lookup_password_query//// This plugin will always verify the user's old password// against their login password, but an extra check can also// be done against the database for more security if you// desire.If you do not need the extra password check,// make sure this setting is empty.//// This is a query that returns a positive value if a user// and password pair are found in the database.//// This query should return one value (one row, one column), the// value being ideally a one or a zero, simply indicating that// the user/password pair does in fact exist in the database.//// %1 in this query will be replaced with the full username//(including domain), such as "jose@example.com"// %2 in this query will be replaced with the username (without//any domain portion), such as "jose"// %3 in this query will be replaced with the domain name,//such as "example.com"// %4 in this query will be replaced with the current (old)//password in whatever encryption format is needed per other//plugin configuration settings (Note that the syntax of//the password will be provided depending on your encryption//choices, so you NEVER need to provide quotes around this//value in the query here.)// %5 in this query will be replaced with the current (old)//password in unencrypted plain text.If you do not use any//password encryption, %4 and %5 will be the same values,//except %4 will have double quotes around it and %5 will not.////$lookup_password_query = '';// TERRIBLE SECURITY: $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND plain_password = "%5"';//$lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND crypt_password = %4';$lookup_password_query = 'SELECT count(*) FROM users WHERE email = "%1" AND password = %4';// password_update_queries//// An array of SQL queries that will all be executed// whenever a password change attempt is made.//// Any number of queries may be included here.// The queries will be executed in the order given here.//// %1 in all queries will be replaced with the full username//(including domain), such as "jose@example.com"// %2 in all queries will be replaced with the username (without//any domain portion), such as "jose"// %3 in all queries will be replaced with the domain name,//such as "example.com"// %4 in all queries will be replaced with the new password//in whatever encryption format is needed per other//plugin configuration settings (Note that the syntax of//the password will be provided depending on your//encryption choices, so you NEVER need to provide quotes//around this value in the queries here.)// %5 in all queries will be replaced with the new password//in unencrypted plain text - BEWARE!If you do not use//any password encryption, %4 and %5 will be the same//values, except %4 will have double quotes around it//and %5 will not.//
// $password_update_queries = array(
//'UPDATE users SET crypt_password = %4 WHERE username = "%1"',
//'UPDATE user_flags SET force_change_pwd = 0 WHERE username = "%1"',
//'UPDATE users SET crypt_password = %4, force_change_pwd = 0 WHERE username = "%1"',
// );$password_update_queries = array('UPDATE users SET password = %4 WHERE email = "%1"');// force_change_password_check_query//// A query that checks for a flag that indicates if a user// should be forced to change their password.This query// should return one value (one row, one column) which is// zero if the user does NOT need to change their password,// or one if the user should be forced to change it now.//// This setting should be an empty string if you do not wish// to enable this functionality.//// %1 in this query will be replaced with the full username//(including domain), such as "jose@example.com"// %2 in this query will be replaced with the username (without//any domain portion), such as "jose"// %3 in this query will be replaced with the domain name,//such as "example.com"////$force_change_password_check_query = 'SELECT IF(force_change_pwd = "yes", 1, 0) FROM users WHERE username = "%1"';//$force_change_password_check_query = 'SELECT force_change_pwd FROM users WHERE username = "%1"';$force_change_password_check_query = ''; // password_encryption//// What encryption method do you use to store passwords// in your database?Please use one of the following,// exactly as you see it://// NONEPasswords are stored as plain text only// MYSQLPWDPasswords are stored using the MySQL password() function// MYSQLENCRYPTPasswords are stored using the MySQL encrypt() function// PHPCRYPTPasswords are stored using the PHP crypt() function// MD5CRYPTPasswords are stored using encrypted MD5 algorithm// MD5 Passwords are stored as MD5 hash////$password_encryption = 'MYSQLPWD';$password_encryption = 'MYSQLENCRYPT';// csp_salt_query// csp_salt_static//// Encryption types that need a salt need to know where to get// that salt.If you have a constant, known salt value, you// should define it in $csp_salt_static.Otherwise, leave that// value empty and define a value for the $csp_salt_query.//// Leave both values empty if you do not need (or use) salts// to encrypt your passwords.//// The query should return one value (one row, one column) which// is the salt value for the current user's password.This// query is ignored if $csp_salt_static is anything but empty.//// %1 in this query will be replaced with the full username//(including domain), such as "jose@example.com"// %2 in this query will be replaced with the username (without//any domain portion), such as "jose"// %3 in this query will be replaced with the domain name,//such as "example.com"////$csp_salt_static = 'LEFT(crypt_password, 2)';//$csp_salt_static = '"a4"';// use this format with MYSQLENCRYPT//$csp_salt_static = '$2$blowsomefish$';// use this format with PHPCRYPT//$csp_salt_static = '';$csp_salt_static = 'LEFT(password, 2)'; //$csp_salt_query = 'SELECT SUBSTRING_INDEX(crypt_password, '$', 1) FROM users WHERE username = "%1"';//$csp_salt_query = 'SELECT SUBSTRING(crypt_password, (LENGTH(SUBSTRING_INDEX(crypt_password, '$', 2)) + 2)) FROM users WHERE username = "%1"';//$csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';//$csp_salt_query = ''; // csp_secure_port//// You may ensure that SSL encryption is used during password// change by setting this to the port that your HTTPS is served// on (443 is typical).Set to zero if you do not wish to force// an HTTPS connection when users are changing their passwords.//// You may override this value for certain domains, users, or// service levels through the Virtual Host Login (vlogin) plugin// by setting a value(s) for $vlogin_csp_secure_port in the vlogin// configuration.//$csp_secure_port = 0;//$csp_secure_port = 443; // csp_non_standard_http_port//// If you serve standard HTTP web requests on a non-standard// port (anything other than port 80), you should specify that// port number here.Set to zero otherwise.//// You may override this value for certain domains, users, or// service levels through the Virtual Host Login (vlogin) plugin// by setting a value(s) for $vlogin_csp_non_standard_http_port// in the vlogin configuration.////$csp_non_standard_http_port = 8080;$csp_non_standard_http_port = 0; // min_password_length// max_password_length// include_digit_in_password// include_uppercase_letter_in_password// include_lowercase_letter_in_password// include_nonalphanumeric_in_password//// You can set the minimum and maximum password lengths that// you accept or leave those settings as zero to indicate that// no limit should be applied.//// Turn on any of the other settings here to check that the// new password contains at least one digit, upper case letter,// lower case letter and/or one non-alphanumeric character.//$min_password_length = 6;$max_password_length = 0;$include_digit_in_password = 0;$include_uppercase_letter_in_password = 0;$include_lowercase_letter_in_password = 0;$include_nonalphanumeric_in_password = 0; // csp_delimiter//// if your system has usernames with something other than// an "@" sign separating the user and domain portion,// specify that character here////$csp_delimiter = '|';$csp_delimiter = '@'; // debug mode//$csp_debug = 0;?>

The Change SQL Password plugin also depends on the Compatibility plugin which we install as follows:

cd /usr/share/squirrelmail/plugins
wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fcompatibility-2.0.15-1.0.tar.gz
tar xvfz compatibility-2.0.15-1.0.tar.gz

Now we must go into the SquirrelMail configuration and tell SquirrelMail that we use Courier as our POP3 and IMAP server and enable the Change SQL Password and the Compatibility plugins:

/usr/share/squirrelmail/config/conf.pl

You’ll see the following menu. Navigate through it as indicated:

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Main Menu –
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color off
S   Save data
Q   Quit

Command >> <– D

SquirrelMail Configuration : Read: config.php
———————————————————
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don’t work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington’s IMAP server

    quit        = Do not change anything
Command >> <– courier

              imap_server_type = courier
         default_folder_prefix = INBOX.
                  trash_folder = Trash
                   sent_folder = Sent
                  draft_folder = Drafts
            show_prefix_option = false
          default_sub_of_inbox = false
show_contain_subfolders_option = false
            optional_delimiter = .
                 delete_folder = true

Press any key to continue… <– press some key

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Main Menu –
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color off
S   Save data
Q   Quit

Command >> <– 8

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail

  Available Plugins:
    4. administrator
    5. bug_report
    6. calendar
    7. change_sqlpass
    8. compatibility
    9. demo
    10. filters
    11. fortune
    12. info
    13. listcommands
    14. mail_fetch
    15. message_details
    16. sent_subfolders
    17. spamcop
    18. test
    19. translate

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

Command >> <– 8 (or whatever number the compatibility plugin has – it’s needed by the change_sqlpass plugin)

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. compatibility

  Available Plugins:
    5. administrator
    6. bug_report
    7. calendar
    8. change_sqlpass
    9. demo
    10. filters
    11. fortune
    12. info
    13. listcommands
    14. mail_fetch
    15. message_details
    16. sent_subfolders
    17. spamcop
    18. test
    19. translate

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

Command >> <– 8 (the number of the change_sqlpass plugin)

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. compatibility
    5. change_sqlpass

  Available Plugins:
    6. administrator
    7. bug_report
    8. calendar
    9. demo
    10. filters
    11. fortune
    12. info
    13. listcommands
    14. mail_fetch
    15. message_details
    16. sent_subfolders
    17. spamcop
    18. test
    19. translate

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

Command >> <– S

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. compatibility
    5. change_sqlpass

  Available Plugins:
    6. administrator
    7. bug_report
    8. calendar
    9. demo
    10. filters
    11. fortune
    12. info
    13. listcommands
    14. mail_fetch
    15. message_details
    16. sent_subfolders
    17. spamcop
    18. test
    19. translate

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

Command >> S

Data saved in config.php
Press enter to continue… <– ENTER

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. compatibility
    5. change_sqlpass

  Available Plugins:
    6. administrator
    7. bug_report
    8. calendar
    9. demo
    10. filters
    11. fortune
    12. info
    13. listcommands
    14. mail_fetch
    15. message_details
    16. sent_subfolders
    17. spamcop
    18. test
    19. translate

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

Command >> <– Q

One last thing we need to do is modify the file /etc/squirrelmail/config_local.php and comment out the $default_folder_prefix variable – if you don’t do this, you will see the following error message in SquirrelMail after you’ve logged in: Query: CREATE “Sent” Reason Given: Invalid mailbox name.

vi /etc/squirrelmail/config_local.php

<?php/*** Local config overrides.** You can override the config.php settings here.* Don't do it unless you know what you're doing.* Use standard PHP syntax, see config.php for examples.** @copyright &copy; 2002-2006 The SquirrelMail Project Team* @license http://opensource.org/licenses/gpl-license.php GNU Public License* @version $Id: config_local.php,v 1.2 2006/07/11 03:33:47 wtogami Exp $* @package squirrelmail* @subpackage config*///$default_folder_prefix= '';
?>

Now you can type in http://server1.example.com/webmail or http://192.168.0.100/webmail in your browser to access SquirrelMail.

Log in with your email address (e.g. sales@example.com) and your password:

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

You should find the welcome email in your inbox:

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

To change your password, go to Options and then select Change Password:

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Type in your current password and then your new password twice:

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

After you’ve changed the password, you will have to immediately log in again with the new password:

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

 

19 References

Tutorial: ISP-style Email Service with Debian-Sarge and Postfix 2.1: http://workaround.org/articles/ispmail-sarge/

Postfix + Quota: http://vhcs.net/new/modules/newbb/viewtopic.php?topic_id=3496&forum=17

Mail Passwords Encrypted using saslauthd: http://www.syscp.de/docs/public/contrib/cryptedmailpws

 

20 Links

• Postfix MTA: http://www.postfix.org/
• Postfix Quota Patch: http://web.onda.com.br/nadal/
• phpMyAdmin: http://www.phpmyadmin.net/
• SquirrelMail: http://www.squirrelmail.org/
• Fedora: http://fedoraproject.org/

13 Install Razor, Pyzor And DCC And Configure SpamAssassin

Razor, Pyzor and DCC are spamfilters that use a collaborative filtering network. To install Razor and Pyzor, run

yum install perl-Razor-Agent pyzor

Then initialize both services:

chmod -R a+rX /usr/share/doc/pyzor-0.5.0 /usr/bin/pyzor /usr/bin/pyzord
chmod -R a+rX /usr/lib/python2.6/site-packages/pyzor
su -m amavis -c ‘pyzor –homedir /var/spool/amavisd discover’
su -m amavis -c ‘razor-admin -home=/var/spool/amavisd -create’
su -m amavis -c ‘razor-admin -home=/var/spool/amavisd -register’

Then we install DCC as follows:

cd /tmp
wget http://www.dcc-servers.net/dcc/source/dcc-dccproc.tar.Z
tar xzvf dcc-dccproc.tar.Z
cd dcc-dccproc-1.3.116
./configure –with-uid=amavis
make
make install
chown -R amavis:amavis /var/dcc
ln -s /var/dcc/libexec/dccifd /usr/local/bin/dccifd

Now we have to tell SpamAssassin to use these three programs. Edit/etc/mail/spamassassin/local.cf so that it looks like this:

vi /etc/mail/spamassassin/local.cf

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.#required_hits 5
#report_safe 0
#rewrite_header Subject [SPAM]# dcc
use_dcc 1
dcc_path /usr/local/bin/dccproc#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor#razor
use_razor2 1
razor_config /var/spool/amavisd/razor-agent.conf#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

Then we must enable the DCC plugin in SpamAssassin. Open /etc/mail/spamassassin/v310.pre and uncomment the loadplugin Mail::SpamAssassin::Plugin::DCC line:

vi /etc/mail/spamassassin/v310.pre

[...]
# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source.See the DCC
# license for more details.
#
loadplugin Mail::SpamAssassin::Plugin::DCC
[...]

You can check your SpamAssassin configuration by executing:

spamassassin –lint

It shouldn’t show any errors.

Run

/etc/init.d/amavisd restart

afterwards.

Now we update our SpamAssassin rulesets as follows:

sa-update –no-gpg

We create a cron job so that the rulesets will be updated regularly. Run

crontab -e

to open the cron job editor. Create the following cron job:

23 4 */2 * * /usr/bin/sa-update --no-gpg &> /dev/null

This will update the rulesets every second day at 4.23h.

 

14 Quota Exceedance Notifications

If you want to get notifications about all the email accounts that are over quota, then create the file /usr/local/sbin/quota_notify:

cd /usr/local/sbin/
vi quota_notify

#!/usr/bin/perl -w# Author <jps@tntmax.com>
#
# This script assumes that virtual_mailbox_base in defined
# in postfix's main.cf file. This directory is assumed to contain
# directories which themselves contain your virtual user's maildirs.
# For example:
#
# -----------/
#|
#|
#home/vmail/domains/
#||
#||
#example.com/foo.com/
# |
# |
# -----------------
# | | |
# | | |
# user1/ user2/user3/
# |
# |
#maildirsize
#use strict;my $POSTFIX_CF = "/etc/postfix/main.cf";
my $MAILPROG = "/usr/sbin/sendmail -t";
my $WARNPERCENT = 80;
my @POSTMASTERS = ('postmaster@domain.tld');
my $CONAME = 'My Company';
my $COADDR = 'postmaster@domain.tld';
my $SUADDR = 'postmaster@domain.tld';
my $MAIL_REPORT = 1;
my $MAIL_WARNING = 1;#get virtual mailbox base from postfix config
open(PCF, "< $POSTFIX_CF") or die $!;
my $mboxBase;
while (<PCF>) {next unless /virtual_mailbox_base\s*=\s*(.*)\s*/;$mboxBase = $1;
}
close(PCF);#assume one level of subdirectories for domain names
my @domains;
opendir(DIR, $mboxBase) or die $!;
while (defined(my $name = readdir(DIR))) {next if $name =~ /^\.\.?$/;#skip '.' and '..'next unless (-d "$mboxBase/$name");push(@domains, $name);
}
closedir(DIR);
#iterate through domains for username/maildirsize files
my @users;
chdir($mboxBase);
foreach my $domain (@domains) { opendir(DIR, $domain) or die $!; while (defined(my $name = readdir(DIR))) {next if $name =~ /^\.\.?$/;#skip '.' and '..'next unless (-d "$domain/$name"); push(@users, {"$name\@$domain" => "$mboxBase/$domain/$name"}); }
}
closedir(DIR);#get user quotas and percent used
my (%lusers, $report);
foreach my $href (@users) {foreach my $user (keys %$href) { my $quotafile = "$href->{$user}/maildirsize"; next unless (-f $quotafile); open(QF, "< $quotafile") or die $!; my ($firstln, $quota, $used); while (<QF>) {my $line = $_; if (! $firstln) {$firstln = 1;die "Error: corrupt quotafile $quotafile" unless ($line =~ /^(\d+)S/);$quota = $1; last if (! $quota); next;}die "Error: corrupt quotafile $quotafile" unless ($line =~ /\s*(-?\d+)/);$used += $1; } close(QF); next if (! $used); my $percent = int($used / $quota * 100); $lusers{$user} = $percent unless not $percent;}
}#send a report to the postmasters
if ($MAIL_REPORT) {open(MAIL, "| $MAILPROG");select(MAIL);map {print "To: $_\n"} @POSTMASTERS;print "From: $COADDR\n";print "Subject: Daily Quota Report.\n";print "DAILY QUOTA REPORT:\n\n";print "----------------------------------------------\n";print "| % USAGE |ACCOUNT NAME|\n";print "----------------------------------------------\n";foreach my $luser ( sort { $lusers{$b} <=> $lusers{$a} } keys %lusers ) { printf("| %3d | %32s |\n", $lusers{$luser}, $luser); print "---------------------------------------------\n";} print "\n--\n"; print "$CONAME\n"; close(MAIL);
}#email a warning to people over quota
if ($MAIL_WARNING) { foreach my $luser (keys (%lusers)) {next unless $lusers{$luser} >= $WARNPERCENT; # skip those under quotaopen(MAIL, "| $MAILPROG");select(MAIL);print "To: $luser\n"; map {print "BCC: $_\n"} @POSTMASTERS;print "From: $SUADDR\n";print "Subject: WARNING: Your mailbox is $lusers{$luser}% full.\n";print "Reply-to: $SUADDR\n";print "Your mailbox: $luser is $lusers{$luser}% full.\n\n";print "Once your e-mail box has exceeded your monthly storage quota\n"; print "your monthly billing will be automatically adjusted.\n"; print "Please consider deleting e-mail and emptying your trash folder to clear some space.\n\n";print "Contact <$SUADDR> for further assistance.\n\n";print "Thank You.\n\n";print "--\n";print "$CONAME\n";close(MAIL); }
}

Make sure that you adjust the variables at the top (especially the postmaster@domain.tld email address).

We must make the file executable:

chmod 755 quota_notify

Run

crontab -e

to create a cron job for that script:

0 0 * * * /usr/local/sbin/quota_notify &> /dev/null

 

15 Test Postfix

To see if Postfix is ready for SMTP-AUTH and TLS, run

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine.

[root@server1 sbin]# telnet localhost 25
Trying ::1…
Connected to localhost.
Escape character is ‘^]’.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 sbin]#

Type

quit

to return to the system’s shell.

 

16 Populate The Database And Test

To populate the database you can use the MySQL shell:

mysql -u root -p

USE mail;

At least you have to create entries in the tables domains and users:

INSERT INTO `domains` (`domain`) VALUES (‘example.com’);
INSERT INTO `users` (`email`, `password`, `quota`) VALUES (‘sales@example.com’, ENCRYPT(‘secret’), 10485760);

(Please take care you use the ENCRYPT syntax in the second INSERT statement in order to encrypt the password!)

If you want to make entries in the other two tables, that would look like this:

INSERT INTO `forwardings` (`source`, `destination`) VALUES (‘info@example.com’, ‘sales@example.com’);
INSERT INTO `transport` (`domain`, `transport`) VALUES (‘example.com’, ‘smtp:mail.example.com’);

To leave the MySQL shell, type

quit;

For most people it is easier if they have a graphical front-end to MySQL; therefore you can also use phpMyAdmin (in this example under http://192.168.0.100/phpMyAdmin/ or http://server1.example.com/phpMyAdmin/) to administrate the mail database. Again, when you create a user, go sure that you use the ENCRYPT function to encrypt the password:

I do not think I have to explain the domains and users table further.

The forwardings table can have entries like the following:

source destination   info@example.com sales@example.com Redirects emails for info@example.com to sales@example.com @example.com thomas@example.com Creates a Catch-All account for thomas@example.com. All emails to example.com will arrive at thomas@example.com, except those that exist in the users table (i.e., if sales@example.com exists in the users table, mails to sales@example.com will still arrive at sales@example.com). @example.com @anotherdomain.tld This redirects all emails to example.com to the same user at anotherdomain.tld. E.g., emails to thomas@example.com will be forwarded to thomas@anotherdomain.tld. info@example.com sales@example.com, billing@anotherdomain.tld Forward emails for info@example.com to two or more email addresses. All listed email addresses under destination receive a copy of the email.

The transport table can have entries like these:

domain transport   example.com : Delivers emails for example.com locally. This is as if this record would not exist in this table at all. example.com smtp:mail.anotherdomain.tld Delivers all emails for example.com via smtp to the server mail.anotherdomain.com. example.com smtp:mail.anotherdomain.tld:2025 Delivers all emails for example.com via smtp to the server mail.anotherdomain.com, but on port 2025, not 25 which is the default port for smtp. example.com

smtp:[1.2.3.4]
smtp:[1.2.3.4]:2025
smtp:[mail.anotherdomain.tld]

The square brackets prevent Postfix from doing lookups of the MX DNS record for the address in square brackets. Makes sense for IP addresses. .example.com smtp:mail.anotherdomain.tld Mail for any subdomain of example.com is delivered to mail.anotherdomain.tld. * smtp:mail.anotherdomain.tld All emails are delivered to mail.anotherdomain.tld. joe@example.com smtp:mail.anotherdomain.tld Emails for joe@example.com are delivered to mail.anotherdomain.tld.

See

man transport

for more details.

Please keep in mind that the order of entries in the transport table is important! The entries will be followed from the top to the bottom.

Important: Postfix uses a caching mechanism for the transports, therefore it might take a while until you changes in the transport table take effect. If you want them to take effect immediately, run

postfix reload

after you have made your changes in the transport table.

 

17 Send A Welcome Email For Creating Maildir

When you create a new email account and try to fetch emails from it (with POP3/IMAP) you will probably get error messages saying that the Maildir doesn’t exist. The Maildir is created automatically when the first email arrives for the new account. Therefore it’s a good idea to send a welcome email to a new account.

First, we install the mailx package:

yum install mailx

To send a welcome email to sales@example.com, we do this:

mailx sales@example.com

You will be prompted for the subject. Type in the subject (e.g. Welcome), then press ENTER, and in the next line type your message. When the message is finished, press ENTER again so that you are in a new line, then press CTRL+D:

[root@server1 ~]# mailx sales@example.com
Subject: Welcome <– ENTER
Welcome! Have fun with your new mail account. <– ENTER
<– CTRL+D
EOT
[root@server1 ~]#

12 Install Amavisd-new, SpamAssassin And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

yum install amavisd-new spamassassin clamav clamav-data clamav-server clamav-update unzip bzip2

Now we must edit /etc/amavisd/amavisd.conf.

vi /etc/amavisd/amavisd.conf

In this file we change five places:

1) Change

$mydomain = 'example.com'; # a convenient default for other settings

to

$mydomain = 'localhost';
#$mydomain = 'example.com'; # a convenient default for other settings

2) Change

$sa_tag_level_deflt= 2.0;# add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2;# add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;# triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent

to

$sa_tag_level_deflt= 2.0;# add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0;# add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt;# triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent#$sa_tag_level_deflt= 2.0;# add spam info headers if at, or above that level
#$sa_tag2_level_deflt = 6.2;# add 'spam detected' headers at that level
#$sa_kill_level_deflt = 6.9;# triggers spam evasive actions (e.g. blocks mail)
#$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent

(Of course, you can adjust the spam scores to your liking.)

3) Change

# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;# none, same, or separate database

to

# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;# none, same, or separate database@lookup_sql_dsn =( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'mail_admin', 'mail_admin_password'] );$sql_select_policy = 'SELECT "Y" as local FROM domains WHERE CONCAT("@",domain) IN (%k)';$sql_select_white_black_list = undef;# undef disables SQL white/blacklisting$recipient_delimiter = '+';# (default is '+')$replace_existing_extension = 1;# (default is false)$localpart_is_case_sensitive = 0;# (default is false)

(Make sure you fill in the correct database details!)

4) Change

# $recipient_delimiter = '+';# undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+

to

$recipient_delimiter = undef;# undef disables address extensions altogether
# $recipient_delimiter = '+';# undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+

5) Change

$final_virus_destiny= D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_BOUNCE;

to

$final_virus_destiny= D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;#$final_virus_destiny= D_DISCARD;
#$final_banned_destiny = D_BOUNCE;
#$final_spam_destiny = D_DISCARD;
#$final_bad_header_destiny = D_BOUNCE;

(Of course, it’s up to you to decide what should happen with spam and viruses. I decide to accept spam (D_PASS) so that Spam can be filtered in my email client with a simple filter rule (based on the subject that gets rewritten by amavisd-new if it thinks a mail is spam). The allowed actions (D_PASS, D_DISCARD, D_BOUNCE, and D_REJECT) are explained here: http://www.ijs.si/software/amavisd/amavisd-new-docs.html#actions)

After my changes, /etc/amavisd/amavisd.conf looks like this:

use strict;# a minimalistic configuration file for amavisd-new with all necessary settings
#
# see amavisd.conf-default for a list of all variables with their defaults;
# see amavisd.conf-sample for a traditional-style commented file;
# for more details see documentation in INSTALL, README_FILES/*
# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
# COMMONLY ADJUSTED SETTINGS:# @bypass_virus_checks_maps = (1);# controls running of anti-virus code
# @bypass_spam_checks_maps= (1);# controls running of anti-spam code
# $bypass_decode_parts = 1; # controls running of decoders&dearchivers$max_servers = 2;# num of pre-forked children (2..30 is common), -m
$daemon_user= 'amavis'; # (no default;customary: vscan or amavis), -u
$daemon_group = 'amavis'; # (no default;customary: vscan or amavis), -g$mydomain = 'localhost';
#$mydomain = 'example.com'; # a convenient default for other settings$MYHOME = '/var/spool/amavisd'; # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;# environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = undef;# -Q
# $quarantine_subdir_levels = 1;# add level of subdirs to disperse quarantine
# $release_format = 'resend'; # 'attach', 'plain', 'resend'
# $report_format= 'arf';# 'attach', 'plain', 'resend', 'arf'# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R$db_home = "$MYHOME/db";# dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var";# working directory for SpamAssassin, -S
$lock_file = "/var/run/amavisd/amavisd.lock";# -L
$pid_file= "/var/run/amavisd/amavisd.pid"; # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually$log_level = 0;# verbosity 0..5, -d
$log_recip_templ = undef;# disable by-recipient level-0 log entries
$DO_SYSLOG = 1;# log via syslogd (preferred)
$syslog_facility = 'mail'; # Syslog facility as a string# e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';# Syslog base (minimal) priority as a string,# choose from: emerg, alert, crit, err, warning, notice, info, debug$enable_db = 1;# enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;# enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2;# nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;# enable DKIM signatures verification
$enable_dkim_signing = 1;# load DKIM signing code, keys defined by dkim_key@local_domains_maps = ( [".$mydomain"] );# list of all local domains@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );$unix_socketname = "$MYHOME/amavisd.sock";# amavisd-release or amavis-milter# option(s) -p overrides $inet_socket_port and $unix_socketname$inet_socket_port = 10024; # listen on this local TCP port(s)
# $inet_socket_port = [10024,10026];# listen on multiple TCP ports$policy_bank{'MYNETS'} = { # mail originating from @mynetworks originating => 1,# is true in MYNETS by default, but let's make it explicit os_fingerprint_method => undef,# don't query p0f for internal clients
};# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';$policy_bank{'ORIGINATING'} = {# mail supposedly originating from our users originating => 1,# declare that mail was submitted by our smtp client allow_disclaimers => 1,# enables disclaimer insertion if available # notify administrator of locally originating malware virus_admin_maps => ["virusalert\@$mydomain"], spam_admin_maps=> ["virusalert\@$mydomain"], warnbadhsender => 1, # forward to a smtpd service providing DKIM signing service forward_method => 'smtp:[127.0.0.1]:10027', # force MTA conversion to 7-bit (e.g. before DKIM signing) smtpd_discard_ehlo_keywords => ['8BITMIME'], bypass_banned_checks_maps => [1],# allow sending any file names and types terminate_dsn_on_notify_success => 0,# don't remove NOTIFY=SUCCESS option
};$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = { protocol => 'AM.PDP', auth_required_release => 0,# do not require secret_id for amavisd-release
};$sa_tag_level_deflt= 2.0;# add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0;# add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt;# triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent#$sa_tag_level_deflt= 2.0;# add spam info headers if at, or above that level
#$sa_tag2_level_deflt = 6.2;# add 'spam detected' headers at that level
#$sa_kill_level_deflt = 6.9;# triggers spam evasive actions (e.g. blocks mail)
#$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8;# (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;# don't waste time on hi spam
$bounce_killer_score = 100;# spam score points to add for joe-jobbed bounces$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;# only tests which do not require internet access?# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;# none, same, or separate database@lookup_sql_dsn =( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'mail_admin', 'mail_admin_password'] );$sql_select_policy = 'SELECT "Y" as local FROM domains WHERE CONCAT("@",domain) IN (%k)';$sql_select_white_black_list = undef;# undef disables SQL white/blacklisting$recipient_delimiter = '+';# (default is '+')$replace_existing_extension = 1;# (default is false)$localpart_is_case_sensitive = 0;# (default is false)# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)$virus_admin = undef;# notifications recip.$mailfrom_notify_admin = undef;# notifications sender
$mailfrom_notify_recip = undef;# notifications sender
$mailfrom_notify_spamadmin = undef;# notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef@addr_extension_virus_maps= ('virus');
@addr_extension_banned_maps = ('banned');
@addr_extension_spam_maps = ('spam');
@addr_extension_bad_header_maps = ('badh');
$recipient_delimiter = undef;# undef disables address extensions altogether
# $recipient_delimiter = '+';# undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =100*1024;# bytes(default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;# bytes(default undef, not enforced)$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus= 1;# MIME-wrap passed infected mail
$defang_banned = 1;# MIME-wrap passed mail containing banned name
# for defanging bad headers only turn on certain minor contents categories:
$defang_by_ccat{+CC_BADH.",3"} = 1;# NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1;# header line longer than 998 characters
$defang_by_ccat{+CC_BADH.",6"} = 1;# header field syntax error
# OTHER MORE COMMON SETTINGS (defaults may suffice):# $myhostname = 'host.example.com';# must be a fully-qualified domain name!# $notify_method= 'smtp:[127.0.0.1]:10025';
# $forward_method = 'smtp:[127.0.0.1]:10025';# set to undef with milter!$final_virus_destiny= D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;#$final_virus_destiny= D_DISCARD;
#$final_banned_destiny = D_BOUNCE;
#$final_spam_destiny = D_DISCARD;
#$final_bad_header_destiny = D_BOUNCE;
# $bad_header_quarantine_method = undef;# $os_fingerprint_method = 'p0f:*:2345';# to query p0f-analyzer.pl## hierarchy by which a final setting is chosen:
## policy bank (based on port or IP address) -> *_by_ccat
## *_by_ccat (based on mail contents) -> *_maps
## *_maps (based on recipient address) -> final configuration value
# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
#
# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
# @bypass_banned_checks_maps, @bypass_header_checks_maps,
#
# @virus_lovers_maps, @spam_lovers_maps,
# @banned_files_lovers_maps, @bad_header_lovers_maps,
#
# @blacklist_sender_maps, @score_sender_maps,
#
# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
#
# $defang_bad_header, $defang_undecipherable, $defang_spam
# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS@keep_decoded_original_maps = (new_RE( qr'^MAIL$', # retain full original message for virus checking qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));
# for $banned_namepath_re (a new-style of banned table) see amavisd.conf-sample$banned_filename_re = new_RE(### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',# is or contains any undecipherable components qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$' => 0 ],# allow any in gzip or bzip2 [ qr'^\.(rpm|cpio|tar)$' => 0 ],# allow any in Unix-type archivesqr'.\.(pif|scr)$'i, # banned extensions - rudimentary
# qr'^\.zip$',# block zip type### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],# allow any within these archivesqr'^application/x-msdownload$'i,# block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i,# qr'^message/partial$'i, # rfc2046 MIME type
# qr'^message/external-body$'i, # rfc2046 MIME type# qr'^(application/x-msmetafile|image/x-wmf)$'i,# Windows Metafile MIME type
# qr'^\.wmf$',# Windows Metafile file(1) type# block certain double extensions in filenames qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, looseqr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#wmf|wsc|wsf|wsh)$'ix,# banned ext - long
# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename
# qr'^\.ani$',# banned animated cursor file(1) type# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,# banned extension - WinZip vulnerab.
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING@score_sender_maps = ({ # a by-recipient hash lookup table, # results from all matching recipient tables are summed# ## per-recipient personal tables(NOTE: positive: black, negative: white)
# 'user1@example.com'=> [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com'=> [{'.ebay.com' => -3.0}],
# 'user4@example.com'=> [{'cleargreen@cleargreen.com' => -7.0,
# '.cleargreen.com' => -5.0}],## site-wide opinions about senders (the '.' matches any recipient) '.' => [# the _first_ matching sender determines the score boost new_RE(# regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i=> 5.0], [qr'^(your_friend|greatoffers)@'i=> 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i=> 5.0],),#read_hash("/var/amavis/sender_scores_sitewide"), { # a hash-type lookup table (associative array)'nobody@cert.org'=> -3.0,'cert-advisory@us-cert.gov'=> -3.0,'owner-alert@iss.net'=> -3.0,'slashdot@slashdot.org'=> -3.0,'securityfocus.com'=> -3.0,'ntbugtraq@listserv.ntbugtraq.com' => -3.0,'security-alerts@linuxsecurity.com'=> -3.0,'mailman-announce-admin@python.org'=> -3.0,'amavis-user-admin@lists.sourceforge.net'=> -3.0,'amavis-user-bounces@lists.sourceforge.net' => -3.0,'spamassassin.apache.org'=> -3.0,'notification-return@lists.sophos.com' => -3.0,'owner-postfix-users@postfix.org'=> -3.0,'owner-postfix-announce@postfix.org' => -3.0,'owner-sendmail-announce@lists.sendmail.org' => -3.0,'sendmail-announce-request@lists.sendmail.org' => -3.0,'donotreply@sendmail.org'=> -3.0,'ca+envelope@sendmail.org' => -3.0,'noreply@freshmeat.net'=> -3.0,'owner-technews@postel.acm.org'=> -3.0,'ietf-123-owner@loki.ietf.org' => -3.0,'cvs-commits-list-admin@gnome.org' => -3.0,'rt-users-admin@lists.fsck.com'=> -3.0,'clp-request@comp.nus.edu.sg'=> -3.0,'surveys-errors@lists.nua.ie'=> -3.0,'emailnews@genomeweb.com'=> -5.0,'yahoo-dev-null@yahoo-inc.com' => -3.0,'returns.groups.yahoo.com' => -3.0,'clusternews@linuxnetworx.com' => -3.0,lc('lvs-users-admin@LinuxVirtualServer.org')=> -3.0,lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score)'sender@example.net' =>3.0,'.example.net' =>1.0, }, ],# end of site-wide tables
});
@decoders = ( ['mail', \&do_mime_decode], ['asc',\&do_ascii], ['uue',\&do_ascii], ['hqx',\&do_ascii], ['ync',\&do_ascii], ['F',\&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], ['Z',\&do_uncompress, ['uncompress','gzip -d','zcat'] ], ['gz', \&do_uncompress,'gzip -d'], ['gz', \&do_gunzip], ['bz2',\&do_uncompress,'bzip2 -d'], ['lzo',\&do_uncompress,'lzop -d'], ['rpm',\&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar',\&do_pax_cpio, ['pax','gcpio','cpio'] ], ['deb',\&do_ar,'ar'],
# ['a',\&do_ar,'ar'],# unpacking .a seems an overkill ['zip',\&do_unzip], ['7z', \&do_7zip, ['7zr','7za','7z'] ], ['rar',\&do_unrar,['rar','unrar'] ], ['arj',\&do_unarj,['arj','unarj'] ], ['arc',\&do_arc,['nomarch','arc'] ], ['zoo',\&do_zoo,['zoo','unzoo'] ], ['lha',\&do_lha, 'lha'],
# ['doc',\&do_ole, 'ripole'], ['cab',\&do_cabextract,'cabextract'], ['tnef', \&do_tnef_ext,'tnef'], ['tnef', \&do_tnef],
# ['sit',\&do_unstuff, 'unstuff'],# broken/unsafe decoder ['exe',\&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
@av_scanners = (# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
# ['Sophie',
# \&ask_daemon, ["{}/\n", '/var/run/sophie'],
# qr/(?x)^ 0+ ( : | [00\r\n]* $)/m,qr/(?x)^ 1 ( : | [00\r\n]* $)/m,
# qr/(?x)^ [-+]? \d+ : (.*?) [00\r\n]* $/m ],# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],# ### http://www.clamav.net/
['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/spool/amavisd/clamd.sock"], qr/\bOK$/m, qr/\bFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# # uid such as clamav, add user clamav to the amavis group, and then add
# # AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".# ### http://www.clamav.net/ and CPAN(memory-hungry! clamd is preferred)
# # note that Mail::ClamAV requires perl to be build with threading!
# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/m ],# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ],# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
# \&ask_daemon, ["{}/\n", '/var/run/trophie'],
# qr/(?x)^ 0+ ( : | [00\r\n]* $)/m,qr/(?x)^ 1 ( : | [00\r\n]* $)/m,
# qr/(?x)^ [-+]? \d+ : (.*?) [00\r\n]* $/m ],# ### http://www.grisoft.com/
# ['AVG Anti-Virus',
# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
# qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ],# ### http://www.f-prot.com/
# ['F-Prot fpscand',# F-PROT Antivirus for BSD/Linux/Solaris, version 6
# \&ask_daemon,
# ["SCAN FILE {}/*\n", '127.0.0.1:10200'],
# qr/^(0|8|64) /m,
# qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,
# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ],# ### http://www.f-prot.com/
# ['F-Prot f-protd',# old version
# \&ask_daemon,
# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',
#'127.0.0.1:10203', '127.0.0.1:10204'] ],
# qr/(?i)<summary[^>]*>clean<\/summary>/m,
# qr/(?i)<summary[^>]*>infected<\/summary>/m,
# qr/(?i)<name>(.+)<\/name>/m ],# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
# [pack('N',1).# DRWEBD_SCAN_CMD
#pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
#pack('N', # path length
#length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
#'{}/*'. # path
#pack('N',0).# content size
#pack('N',0),
#'/var/drweb/run/drwebd.sock',
## '/var/amavis/var/run/drwebd.sock', # suitable for chroot
## '/usr/local/drweb/run/drwebd.sock',# FreeBSD drweb ports default
## '127.0.0.1:3000',# or over an inet socket
# ],
# qr/\A\x00[\x10\x11][\x00\x10]\x00/sm,# IS_CLEAN,EVAL_KEY; SKIPPED
# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF
# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm,
# ],
# # NOTE: If using amavis-milter, change length to:
# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").### http://www.kaspersky.com/(kav4mailservers) ['KasperskyLab AVP - aveclient', ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient','/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, ], # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, # currupted or protected archives are to be handled### http://www.kaspersky.com/ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],# any use for -A -K ? qr/infected: (.+)/m, sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ],### The kavdaemon and AVPDaemonClient have been removed from Kasperky ### products and replaced by aveserver and aveclient ['KasperskyLab AVPDaemonClient', [ '/opt/AVP/kavdaemon', 'kavdaemon', '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', '/opt/AVP/AvpTeamDream','AvpTeamDream', '/opt/AVP/avpdc', 'avpdc' ], "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ], # change the startup-script in /etc/init.d/kavd to: # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) # adjusting /var/amavis above to match your $TEMPBASE. # The '-f=/var/amavis' is needed if not running it as root, so it # can find, read, and write its pid file, etc., see 'man kavdaemon'. # defUnix.prf: there must be an entry "*/var/amavis" (or whatever # directory $TEMPBASE specifies) in the 'Names=' section. # cd /opt/AVP/DaemonClients; configure; cd Sample; make # cp AvpDaemonClient /opt/AVP/ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"### http://www.centralcommand.com/ ['CentralCommand Vexira (new) vascan', ['vascan','/usr/lib/Vexira/vascan'], "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". "--log=/var/log/vascan.log {}", [0,3], [1,2,5], qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ], # Adjust the path of the binary and the virus database as needed. # 'vascan' does not allow to have the temp directory to be the same as # the quarantine directory, and the quarantine option can not be disabled. # If $QUARANTINEDIR is not used, then another directory must be specified # to appease 'vascan'. Move status 3 to the second list if password # protected files are to be considered infected.### http://www.avira.com/ ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus ['Avira AntiVir', ['antivir','vexira'], '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m, qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ], # NOTE: if you only have a demo version, remove -z and add 214, as in: #'--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,### http://www.commandsoftware.com/ ['Command AntiVirus for Linux', 'csav', '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/m ],### http://www.symantec.com/ ['Symantec CarrierScan via Symantec CommandLineScanner', 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', qr/^Files Infected:\s+0$/m, qr/^Infected\b/m, qr/^(?:Info|Virus Name):\s+(.+)/m ],### http://www.symantec.com/ ['Symantec AntiVirus Scan Engine', 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', [0], qr/^Infected\b/m, qr/^(?:Info|Virus Name):\s+(.+)/m ], # NOTE: check options and patterns to see which entry better applies# ### http://www.f-secure.com/products/anti-virus/version 4.65
#['F-Secure Antivirus for Linux servers',
# ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
# '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
# '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
# qr/(?:infection|Infected|Suspected): (.+)/m ],### http://www.f-secure.com/products/anti-virus/version 5.52['F-Secure Antivirus for Linux servers', ['/opt/f-secure/fsav/bin/fsav', 'fsav'], '--virus-action1=report --archive=yes --auto=yes '. '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], # NOTE: internal archive handling may be switched off by '--archive=no' # to prevent fsav from exiting with status 9 on broken archives# ### http://www.avast.com/
# ['avast! Antivirus daemon',
# \&ask_daemon,# greets with 220, terminate with QUIT
# ["SCAN {}1512QUIT1512", '/var/run/avast4/mailscanner.sock'],
# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t1512]+)/m ],# ### http://www.avast.com/
# ['avast! Antivirus - Client/Server Version', 'avastlite',
# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
# qr/\t\[L\]\t([^[ \t1512]+)/m ],['CAI InoculateIT', 'inocucmd',# retired product '-sec -nex {}', [0], [100], qr/was infected by virus (.+)/m ], # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html### http://www3.ca.com/Solutions/Product.asp?ID=156(ex InoculateIT) ['CAI eTrust Antivirus', 'etrust-wrapper', '-arc -nex -spm h {}', [0], [101], qr/is infected by virus: (.+)/m ], # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783### http://mks.com.pl/english.html ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2], qr/--[ \t]*(.+)/m ],### http://mks.com.pl/english.html ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7], qr/^... (\S+)/m ],# ### http://www.nod32.com/,version v2.52 (old)
# ['ESET NOD32 for Linux Mail servers',
# ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
#'--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
#'-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
#'--action-on-notscanned=accept {}',
# [0,3], [1,2], qr/virus="([^"]+)"/m ],# ### http://www.eset.com/, version v2.7 (old)
# ['ESET NOD32 Linux Mail Server - command line interface',
# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ],# ### http://www.eset.com/, version 2.71.12
# ['ESET Software ESETS Command Line Interface',
# ['/usr/bin/esets_cli', 'esets_cli'],
# '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],### http://www.eset.com/, version 3.0 ['ESET Software ESETS Command Line Interface', ['/usr/bin/esets_cli', 'esets_cli'], '--subdir {}', [0], [1,2,3], qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],## http://www.nod32.com/,NOD32LFS version 2.5 and above ['ESET NOD32 for Linux File servers', ['/opt/eset/nod32/sbin/nod32','nod32'], '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. '-w -a --action=1 -b {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
# ['ESET Software NOD32 Client/Server (NOD32SS)',
# \&ask_daemon2,# greets with 200, persistent, terminate with QUIT
# ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
# qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],### http://www.norman.com/products_nvc.shtml ['Norman Virus Control v5 / Linux', 'nvcc', '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], qr/(?i).* virus in .* -> \'(.+)\'/m ],### http://www.pandasoftware.com/ ['Panda CommandLineSecure 9 for Linux', ['/opt/pavcl/usr/bin/pavcl','pavcl'], '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', qr/Number of files infected[ .]*: 0+(?!\d)/m, qr/Number of files infected[ .]*: 0*[1-9]/m, qr/Found virus :\s*(\S+)/m ], # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' # before starting amavisd - the bases are then loaded only once at startup. # To reload bases in a signature update script: # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr # Please review other options of pavcl, for example: #-nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies# ### http://www.pandasoftware.com/
# ['Panda Antivirus for Linux', ['pavcl'],
# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
# qr/Found virus :\s*(\S+)/m ],# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
# Check your RAV license terms before fiddling with the following two lines!
# ['GeCAD RAV AntiVirus 8', 'ravav',
# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
# # NOTE: the command line switches changed with scan engine 8.5 !
# # (btw, assigning stdin to /dev/null causes RAV to fail)### http://www.nai.com/ ['NAI McAfee AntiVirus (uvscan)', 'uvscan', '--secure -rv --mime --summary --noboot - {}', [0], [13], qr/(?x) Found (?: \ the\ (.+)\ (?:virus|trojan)| \ (?:virus|trojan)\ or\ variant\ ([^ ]+)| :\ (.+)\ NOT\ a\ virus)/m, # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, # sub {delete $ENV{LD_PRELOAD}}, ], # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 # and then clear it when finished to avoid confusing anything else. # NOTE2: to treat encrypted files as viruses replace the [13] with: #qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/### http://www.virusbuster.hu/en/ ['VirusBuster', ['vbuster', 'vbengcl'], "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], qr/: '(.*)' - Virus/m ], # VirusBuster Ltd. does not support the daemon version for the workstation # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of # binaries, some parameters AND return codes have changed (from 3 to 1). # See also the new Vexira entry 'vascan' which is possibly related.# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
# '-f -log scandir {}', [0], [3],
# qr/Virus found = (.*);/m ],
# # HINT: for an infected file it always returns 3,
# # although the man-page tells a different story### http://www.cyber.com/ ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m, # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, ],### http://www.avast.com/ ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],### http://www.ikarus-software.com/ ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40], qr/Signature (.+) found/m ],### http://www.bitdefender.com/ ['BitDefender', 'bdscan',# new version '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m, qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m, qr/(?:suspected|infected)\s*:\s*(.*)(?:33|$)/m ],### http://www.bitdefender.com/ ['BitDefender', 'bdc',# old version '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m, qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, qr/(?:suspected|infected): (.*)(?:33|$)/m ], # consider also: --all --nowarn --alev=15 --flev=15.The --all argument may # not apply to your version of bdc, check documentation and see 'bdc --help'### ArcaVir for Linux and Unix http://www.arcabit.pl/ ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], '-v 1 -summary 0 -s {}', [0], [1,2], qr/(?:VIR|WIR):[ \t]*(.+)/m ],# ### a generic SMTP-client interface to a SMTP-based virus scanner
# ['av_smtp', \&ask_av_smtp,
# ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'],
# qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ],# ['File::Scan', sub {Amavis::AV::ask_av(sub{
# use File::Scan; my($fn)=@_;
# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
# my($vname) = $f->scan($fn);
# $f->error ? (2,"Error: ".$f->error)
# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ],# ### fully-fledged checker for JPEG marker segments of invalid length
# ['check-jpeg',
# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
# # for example in /usr/local/lib/perl5/site_perl);
@av_scanners_backup = (### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 ['F-PROT Antivirus for UNIX', ['fpscan'], '--report --mount --adware {}',# consider: --applications -s 4 -u 3 -z 10 [0,8,64],[1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],### http://www.f-prot.com/ - backs up F-Prot Daemon (old) ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus',# security LHA hole in Dr.Web 4.33 and earlier ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ], ### http://www.kaspersky.com/['Kaspersky Antivirus v5.5',['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', '/opt/kav/5.5/kav4unix/bin/kavscanner', '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],'-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
#sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
#sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},],# Commented out because the name 'sweep' clashes with Debian and FreeBSD
# package/port of an audio editor. Make sure the correct 'sweep' is found
# in the path when enabling.
#
# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl
# ['Sophos Anti Virus (sweep)', 'sweep',
# '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
# '--no-reset-atime {}',
# [0,2], qr/Virus .*? found/m,
# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
# ],
# # other options to consider: -idedir=/usr/local/sav# Always succeeds and considers mail clean.
# Potentially useful when all other scanners fail and it is desirable
# to let mail continue to flow with no virus checking (when uncommented).
# ['always-clean', sub {0}],);
1;# insure a defined return value

amavisd-new is the program that glues together Postfix and SpamAssassin/ClamAV. Postfix passes the mails to amavisd-new which then invokes SpamAssassin and ClamAV to scan the emails. Please have a look at the Spamassassin and ClamAV settings in /etc/amavisd/amavisd.conf. Of course, you can customize that file a lot more. Feel free to do so, and have a look at the explanations in the original /etc/amavisd/amavisd.conf file!

When we installed ClamAV, a cron job got installed that tries to update the ClamAV virus database every three hours. But this works only if we enable it in /etc/sysconfig/freshclam and /etc/freshclam.conf:

vi /etc/sysconfig/freshclam

Comment out the FRESHCLAM_DELAY line at the end:

## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * *...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn'...disables the automatic freshclam update and
## gives out a warning
## 'disabled' ...disables the automatic freshclam silently
# FRESHCLAM_DELAY=
### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
#FRESHCLAM_DELAY=disabled-warn# REMOVE ME

vi /etc/freshclam.conf

Comment out the Example line:

[...]
# Comment or remove the line below.
#Example
[...]

Now let’s create the system startup links for ClamAV and amavisd-new, update ClamAV’s virus signature database, and start both services:

chkconfig –levels 235 amavisd on
chkconfig –levels 235 clamd.amavisd on
/usr/bin/freshclam
/etc/init.d/amavisd start
/etc/init.d/clamd.amavisd start

Now we have to configure Postfix to pipe incoming emails through amavisd-new:

postconf -e ‘content_filter = amavis:[127.0.0.1]:10024′
postconf -e ‘receive_override_options = no_address_mappings’

Afterwards append the following lines to /etc/postfix/master.cf:

vi /etc/postfix/master.cf

[...]
amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_bind_address=127.0.0.1

and restart Postfix:

/etc/init.d/postfix restart