Copyright © 2003-4 Opencomputing Team
This document is licensed under a Creative Commons license.
You are free to copy, distribute, display, perform the work and also make derivative works under the following conditions:
Attribution: You must give the original author credit.
Noncommercial: You may not use this work for commercial purposes.
Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.
For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the copyright holder.
The OpenProtect Handbook version 1.0 is the official guide to installing and configuring OpenProtect, a complete server-side email protection solution. It includes this introduction, the prerequisites for installing OpenProtect, where and how to download OpenProtect, how to install OpenProtect, how to verify that it works with a test virus/spam mail, configuring the virus/spam settings, configuring advanced virus/spam settings such as per-domain and per-user settings, how to uninstall or disable OpenProtect, how to troubleshoot/report any problems, and a set of Frequently Asked Questions.
This OpenProtect Handbook version 1.0 was built on 10 September 2004.
OpenProtect is a complete server side email protection solution.
OpenProtect integrates the following features:
OpenProtect integrates both Kaspersky AV and ClamAV providing double protection from viruses and malware that spread through emails. Take a look at the virusconf section for virus/malware related settings.
Any or all of the sender(s), recipient(s) or administrator(s) can be alerted when a spam/virus mail is found.
If one of the several attachments in a mail is infected, the other uninfected attachments will be delivered. Only the infected one will be quarantined and a warning attachment/mail will instead be sent. The warning mails can also be customized.
Antivirus signatures of Kaspersky and ClamAV are updated every hour and, if a proxy is used, it is also configured appropriately during the install. If the hourly signature update for either Kaspersky or ClamAV fails, an alert mail is sent to the administrator email address.
SpamAssassin rulesets are updated daily using Rules Du Jour, and the status of the update (failure/success and, on success, which rulesets have changed) is mailed to the administrator email address. If a proxy is used, it is also configured during the install.
OpenProtect provides spam protection by using SpamAssassin, RBL (Realtime Blackhole List) checks inside SpamAssassin, as well as doing RBL checks directly. The statistical filtering component of SpamAssassin, sa-learn, can also be used to train on false positives and false negatives.
OpenProtect supports whitelisting email addresses, so mails from these addresses will not be scanned during spam checks. Similarly, blacklisting email addresses is also supported. This helps in reducing the time taken to check even legitimate mails (aka "ham" mails) and also the load on the mail server.
OpenProtect does file name and file type checks on the email attachments using MailScanner. This way, potentially harmful attachment types like scr, pif, msi are blocked. Even if an exe file is renamed to txt and sent, it will be reported as an exe and will be blocked. The filename/filetype checks provide another layer of protection from malware/viruses making it hard for viruses to fool the user into launching harmful programs.
OpenProtect does all the scanning using multiple threads. It makes use of dual/quad processors and features like HyperThreading for faster scanning. When you get more mails, you just increase the number of threads and get faster scanning times, provided you have enough processing power. For more information on the scanning speeds on the various platforms, take a look at the performance page. Also watch out for the performance tips given under each of the configuration chapters.
HTML mails can be stripped to text mails, preventing children from being offended by nasties such as pornographic spam. Other scripts found in HTML mails like IFrame, Codebase, Script, Form tags etc. can also be stripped from the mail. Take a look at the HTML Tags section of the handbook for changing these settings from the defaults.
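The tag stripping described above, as an added example that is not OpenProtect or MailScanner code: a small HTMLParser subclass that either rebuilds the HTML without script, iframe, object (the carrier of the codebase attribute) and form tags, or flattens the whole mail to text. Which tags are dropped with their contents, which are dropped but keep their text, and the removal of on* event-handler attributes are assumptions made for this example; the sample HTML is constructed.

```python
import html
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed tag policy (assumption): these tags vanish together with everything inside them.
DROP_WITH_CONTENT = {"script", "iframe", "style", "object", "embed", "applet"}
# These tags are removed but any text inside them is kept.
DROP_TAG_ONLY = {"form", "input", "button", "select", "textarea"}
# Tags that emit a line break when the mail is flattened to text.
BLOCK_TAGS = {"p", "div", "br", "tr", "li", "h1", "h2", "h3"}


class TagStripper(HTMLParser):
    """Rebuilds the HTML without the dangerous tags, or flattens it to plain text."""

    def __init__(self, text_only: bool = False):
        super().__init__()          # convert_charrefs=True: handle_data receives decoded text
        self.text_only = text_only
        self.out: List[str] = []
        self.skip_depth = 0         # > 0 while inside a tag whose content is discarded
        self.removed: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.removed.append(tag)
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        if tag in DROP_TAG_ONLY:
            self.removed.append(tag)
            return
        if self.text_only:
            if tag in BLOCK_TAGS:
                self.out.append("\n")
            return
        # Keep the tag; on* attributes are treated like script and dropped (assumption).
        kept = "".join(f' {k}="{html.escape(v, quote=True)}"'
                       for k, v in attrs if v is not None and not k.lower().startswith("on"))
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags follow the start-tag policy but never open a skipped region.
        if tag in DROP_WITH_CONTENT or tag in DROP_TAG_ONLY:
            self.removed.append(tag)
        elif not self.skip_depth:
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag in DROP_TAG_ONLY or self.text_only:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth:
            return
        self.out.append(data if self.text_only else html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped in both modes


def strip_html(body: str, text_only: bool = False) -> Tuple[str, List[str]]:
    """Return (cleaned output, list of tag names that were removed)."""
    parser = TagStripper(text_only)
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample mail body exercising each tag class.
SAMPLE_HTML = (
    '<html><body><p>Hello <b>there</b></p>'
    '<script>alert(1)</script>'
    '<iframe src="http://example.test/frame"></iframe>'
    '<form action="http://example.test/post"><input name="q"></form>'
    '<a href="http://example.test/" onclick="alert(2)">link</a>'
    '<object codebase="http://example.test/c.cab"></object>'
    '<p>Bye</p></body></html>'
)

if __name__ == "__main__":
    print(strip_html(SAMPLE_HTML))
    print(strip_html(SAMPLE_HTML, text_only=True))
```

Rebuilding the document from the parser's events, rather than deleting tags with regular expressions, is what makes the filter robust against oddly cased or malformed tags: the parser normalises them before the policy is applied.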
OpenProtect supports saving the entire mail queue file to the quarantine instead of just the harmful attachment. This way, if a mail is badly needed, even though it has a virus, the administrator can release the mail from the quarantined queue to that particular user.
OpenProtect provides per domain or per user settings for the various configuration options using MailScanner rulesets. For example, virus scanning can only be done on mails originating from one particular user or domain, while mails originating from other user/domains need not be scanned for viruses. For other options and how to write rule sets, take a look at the rulesets and the configuration sections of this handbook.
OpenProtect filters all known Outlook, Outlook Express, Internet Explorer and Eudora security vulnerabilities spread through emails.
OpenProtect also filters other malformed attachments like zip-of-death, a small zip file of around 42 bytes that, when unzipped, can expand infinitely. If this file is scanned by a virus scanner, the scanner will try to unzip the file until the system runs out of memory or the scanner process is killed.
OpenProtect also filters messages whose body is stored somewhere else on the internet and only a link to it is present in the email, with the remaining part downloaded separately by the user's email client like Outlook, Outlook Express, Mozilla, Opera, Eudora, Sylpheed, etc.
OpenProtect works with sendmail, postfix, exim and qmail. It integrates with the above MTAs at the queue level, thereby changing only the minimum settings of the MTA and incurring the least overhead in scanning the mails. For example, another antivirus/antispam solution, say X, may require your MTA to listen on port 26; the incoming mails on port 25 are received by product X, which then delivers the cleaned mail to your MTA on port 26. Until the entire mail is scanned and delivered to the MTA on port 26, solution X will not reply affirmatively to the sender that the mail has been successfully queued, as solution X does not have queue management, unlike your MTA, say sendmail. This also has the disadvantage that you may not be able to do MTA-level RBL checks and reverse lookups before accepting the mail, two settings that can reduce spam drastically.
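The defence against the zip-of-death attachment described above is to judge an archive from its central directory before inflating anything, and to cap the byte count while inflating in case the directory lied. The following is an added example written for this page, not OpenProtect or MailScanner code. It builds three constructed archives in memory (a benign report, a highly compressible "bomb" of zeros, and a zip nested inside a zip), rejects by declared size, compression ratio and nesting, and shows a chunked read that aborts at a byte limit. The limit values are assumptions.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Constructed policy limits (assumptions, not OpenProtect settings).
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # bytes an archive may declare in total
MAX_RATIO = 100.0                           # declared uncompressed / compressed
ALLOW_NESTED_ARCHIVES = False               # a zip inside a zip is refused outright


def inspect_zip(data: bytes) -> Optional[str]:
    """Judge an archive from its central directory alone; nothing is inflated here.
    Returns a rejection reason, or None when the archive looks sane."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return f"not a readable zip: {exc}"
    infos = zf.infolist()
    total_unc = sum(i.file_size for i in infos)
    total_comp = sum(i.compress_size for i in infos)
    nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    if total_unc > MAX_TOTAL_UNCOMPRESSED:
        return f"declares {total_unc} uncompressed bytes, limit is {MAX_TOTAL_UNCOMPRESSED}"
    ratio = total_unc / max(total_comp, 1)
    if ratio > MAX_RATIO:
        return f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1"
    if nested and not ALLOW_NESTED_ARCHIVES:
        return f"contains nested archive(s): {', '.join(nested)}"
    return None


def read_member_limited(data: bytes, name: str, limit: int) -> bytes:
    """Inflate one member in chunks and stop the moment the byte count passes `limit`,
    so a header that under-reports file_size cannot slip past inspect_zip() and then
    exhaust memory here."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            if out.tell() + len(chunk) > limit:
                raise ValueError(f"{name} exceeds {limit} bytes while inflating")
            out.write(chunk)
    return out.getvalue()


def inflates_past(data: bytes, name: str, limit: int) -> bool:
    """True if the member would have grown beyond `limit` during inflation."""
    try:
        read_member_limited(data, name, limit)
    except ValueError:
        return True
    return False


def make_zip(entries: List[Tuple[str, bytes]]) -> bytes:
    """Build a deflated zip in memory (used only to construct the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a benign report, 4 MiB of zeros that deflate to a few KiB,
# and a zip that carries another zip inside it.
BENIGN = make_zip([("report.txt", "\n".join(f"line {i}: value {i * i}" for i in range(200)).encode())])
BOMB = make_zip([("zeros.bin", b"\0" * (4 * 1024 * 1024))])
NESTED = make_zip([("inner.zip", BENIGN)])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("bomb", BOMB), ("nested", NESTED)):
        print(label, "->", inspect_zip(sample) or "accepted")
```

The ratio test catches the classic bomb, the nesting test catches the layered variant, and the streaming limit is what protects the scanner when the central directory itself has been forged; none of the three is sufficient alone.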
This feature is useful for ISP servers hosting many "virtual" servers each having its own mail queues, so that each "virtual" server is given its specific priority depending upon its target network speed or if you are a paid hosting service provider, different queues for different pay slabs.
The following are the prerequisites to install OpenProtect:
P III 600 MHZ or better for both virus and spam checks for a mail server handling around 1000 mails per day.
64 MB of RAM for running a single thread of OpenProtect, if you do not have any other memory-hungry services running on your server. Each additional thread takes around 30-40 MB of memory. If you choose to use the SpamAssassin rulesets, they will take another 25-35 MB of RAM for each thread. So, a minimum of 256 MB of system RAM will be needed for a mail server with POP3/IMAP/webmail etc. to handle a single thread of OpenProtect without any slowdown in performance.
20 MB of hard disk space to install the package. For the quarantine you need some more space, depending on the number of virus/spam mails you receive daily. Faster SCSI disks are recommended at least for the mail queue directory, as the majority of the processing time is spent in reading the mail from the disk and then writing the scanned mail back to the disk. SATA or PATA drives with big 8 MB caches also provide good enough performance, if your hardware does not support SCSI.
Linux Kernel 2.2 or Better. Run uname -r to find the current kernel version. The output should look like:
2.6.7-gentoo-r11
Glibc 2.1 or Better. Run /lib/libc.so.6 to find the version installed. The output should look like:
GNU C Library stable release version 2.3.3, by Roland McGrath et al.
Copyright (C) 2004 Free Software Foundation, Inc.
Perl 5.005_3 or Better. Run perl -v to find the version installed. The output should look like:
This is perl, v5.8.4 built for i686-linux Copyright 1987-2004, Larry Wall
GCC 2.95 or Better. Run gcc -v to find the current gcc version. The output should look like:
Thread model: posix
gcc version 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r4, propolice)
Sendmail 8.11+/Postfix 1.11+/Exim 3.x+/Qmail 1.03.
Please make sure that your MTA is correctly installed and configured by sending a test mail from your server to an external address and sending a test mail from an external address to your server. After making sure that these mails are received properly, proceed with this guide to install OpenProtect. Too many times, it is the MTA misconfiguration that causes most of the trouble. So, save yourself some precious moments by following the above step.
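The four version checks in the prerequisites list (kernel, glibc, perl, gcc) can be run as one preflight script. The following is an added example for this page, not OpenProtect's own installer logic. It runs the same commands the list gives, picks the output line that carries the version (matching the sample output shown above), and compares against the minimums; a canned-output runner built from those sample lines lets the parser be exercised without touching the host. The command list and marker strings are the page's; the comparison rule (zero-padded component-wise) is an assumption.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Probes taken from the prerequisites list: tool name, command, minimum version.
PROBES: List[Tuple[str, List[str], str]] = [
    ("kernel", ["uname", "-r"], "2.2"),
    ("glibc", ["/lib/libc.so.6"], "2.1"),
    ("perl", ["perl", "-v"], "5.005_3"),
    ("gcc", ["gcc", "-v"], "2.95"),
]

# Which output line carries the version, based on the sample output shown in the list.
LINE_MARKER = {"kernel": "", "glibc": "release version", "perl": "This is perl", "gcc": "gcc version"}


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted version from a line. Old perl style '5.005_3' reads as (5, 5, 3)."""
    m = re.search(r"\d+(?:[._]\d+)+", text)
    if not m:
        return None
    return tuple(int(p) for p in re.split(r"[._]", m.group(0)))


def meets_minimum(found: Version, minimum: Version) -> bool:
    """Compare component-wise, padding the shorter tuple with zeros so (2, 2) == (2, 2, 0)."""
    width = max(len(found), len(minimum))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(found) >= pad(minimum)


def extract_version(tool: str, output: str) -> Optional[Version]:
    """Find the marked line in the tool's output and parse the version from it."""
    for line in output.splitlines():
        if LINE_MARKER[tool] in line:
            v = parse_version(line)
            if v:
                return v
    return None


def run_command(cmd: List[str]) -> str:
    """Run a probe; gcc -v prints on stderr, so both streams are returned together."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except (FileNotFoundError, PermissionError):
        return ""
    return p.stdout + p.stderr


def run_checks(runner: Callable[[List[str]], str] = run_command) -> Dict[str, Tuple[Optional[Version], bool]]:
    """Map each tool to (version found or None, whether it meets the minimum)."""
    results = {}
    for tool, cmd, minimum in PROBES:
        found = extract_version(tool, runner(cmd))
        ok = found is not None and meets_minimum(found, parse_version(minimum))
        results[tool] = (found, ok)
    return results


# Constructed canned output, copied from the sample lines in the prerequisites list.
SAMPLE_OUTPUT = {
    "uname": "2.6.7-gentoo-r11\n",
    "/lib/libc.so.6": "GNU C Library stable release version 2.3.3, by Roland McGrath et al.\n"
                      "Copyright (C) 2004 Free Software Foundation, Inc.\n",
    "perl": "This is perl, v5.8.4 built for i686-linux Copyright 1987-2004, Larry Wall\n",
    "gcc": "Thread model: posix\ngcc version 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r4, propolice)\n",
}


def sample_runner(cmd: List[str]) -> str:
    """Stand-in for run_command that returns the canned sample output."""
    return SAMPLE_OUTPUT[cmd[0]]


if __name__ == "__main__":
    for tool, (found, ok) in run_checks().items():
        shown = ".".join(map(str, found)) if found else "not found"
        print(f"{tool:7s} {shown:12s} {'ok' if ok else 'BELOW MINIMUM'}")
```

A missing tool (command not found) is reported as "not found" and fails the check rather than raising, which is the behaviour you want from a preflight run on a freshly installed server.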
Download the latest OpenProtect package. You can find the current stable version on the OpenProtect demo page. For example, at the time of writing this document, the current stable version is 5.0.1.7. Change to the /tmp directory and download the package using wget.
cd /tmp
wget http://www.openprotect.com/openprotect-5.0.1.8.tar.gz
You can also use any other directory to download the packages; just substitute /tmp with your own. If you wish to use Kaspersky AV along with OpenProtect, download the package for Kaspersky AV.
wget http://www.openprotect.com/kav.tar.gz
Note that, if you want to demo OpenProtect with Kaspersky AV, you have to get a trial key from us.
Please download the file http://openprotect.com/rfp.txt and send it to email@openprotect.com with your mail server configuration filled into rfp.txt.
We will mail a trial key to you. Save the key file to your mail server, preferably in the same directory where you downloaded openprotect.tar.gz and kav.tar.gz, say /tmp/. If you have already purchased a full license of Kaspersky AV from us, you should have received a .key file from us. Copy this file to your mail server, preferably to the same directory (/tmp here) where OpenProtect was downloaded.
Untar the openprotect-5.0.1.7.tar.gz.
tar zxvf openprotect-5.0.1.8.tar.gz
The above command will untar OpenProtect into the openprotect directory.
If you have downloaded Kaspersky AV(KAV), untar the KAV package too.
tar zxvf kav.tar.gz
The above command will untar KAV into the openprotect directory.
If you have an existing installation of OpenProtect, uninstall it by following the uninstall section of this handbook. Continue with the instructions below, if this is a fresh install or you have uninstalled the previous installation of OpenProtect.
Change to the openprotect directory.
cd openprotect
Run the "openprotect-install" script in that directory and answer the questions the installer asks.
./openprotect-install
Is your machine architecture based on i386 like 386,486,Pentium, P II, P III, P IV, Xeon, K6-2/3, K7(Athlon/Duron), K8(Opteron/Athlon FX/Athlon 64)? [Y/n] :
Press Y or y or <Enter>, if your architecture is included in the list to continue with the installation. If not, press "N" or "n" to exit the installation.
If your GCC, glibc, perl, and kernel versions are above the minimum supported versions, the installer will continue to the installation of ClamAV.
If zlib is already installed and the installed zlib is older than the one shipped with the openprotect version you have downloaded, the installer will update the zlib library. If the zlib library is not already installed, the zlib library shipped with OpenProtect will be installed. zlib is a library needed by ClamAV for scanning zip, gzip and other compressed files.
Shall I install ClamAV-0.75.1. If you have already installed ClamAV, and want to use that version, press N or n. If ClamAV is not already installed and you don't want to use ClamAV as one of the virus scanners, press N or n. Pressing Y or y or <Enter> will install ClamAV-0.75.1 (Yes/no):
Pressing N or n will use the already installed ClamAV, if there is one, else ClamAV will not be used as a virus scanner. Pressing Y or y or <Enter> will install the ClamAV that is shipped with OpenProtect. If the ClamAV installation fails and an older version is installed already, it will be used. Else, ClamAV will not be used as a virus scanner.
After the ClamAV installation, the installer will then proceed to install all the perl modules necessary for MailScanner, the glue code that integrates your MTA say sendmail with Kaspersky, ClamAV and SpamAssassin.
If you have perl 5.8 or above, you will be asked during the installation of HTML-Parser, whether to compile and install HTML-Parser with support for UNICODE. Press <Enter> for the following question.
Do you want decoding on unicode entities? [no]
Installer then proceeds to install SpamAssassin.
Do you want to install SpamAssassin-2.64(Y/n):
Press Y or y or <Enter> to install SpamAssassin and its associated perl modules and use it. Pressing any other key skips the installation of SpamAssassin and its associated perl modules.
During the installation of Net-DNS, a requisite module for SpamAssassin, you will be asked whether to enable DNS tests using live internet servers. This question will not be asked, if perl detects that you are not directly connected to the internet.
You appear to be directly connected to the Internet. I have some tests
that try to query live nameservers.
Do you want to enable these tests? [y]
Press N or n here, as testing of perl modules is disabled during the install.
During the install of SpamAssassin, you will be asked for the email address that appears in the user report. This email address is not used in OpenProtect.
What email address or URL should be used in the suspected-spam report
text for users who want more information on your filter installation?
(In particular, ISPs should change this to a local Postmaster contact)
default text: [the administrator of that system]
Press <Enter> here, as OpenProtect uses SpamAssassin internally and does not use this email address to send the warning reports. The next question that is asked during SpamAssassin installation is:
Run Razor v2 tests (these may fail due to network problems)? (y/n) [n]
Press N or n or <Enter> here, as testing of perl modules is disabled during the install.
If you have previously installed and uninstalled OpenProtect, you can copy the configuration files from the previous installation, before continuing with the installation.
Backup of a previous installation found at /var/openprotect-backup. Can the configuration files under /var/openprotect-backup/etc/MailScanner be copied to /etc/MailScanner(Y/n):
If you have previously installed OpenProtect and uninstalled it, then you can restore all the configuration files to /etc/MailScanner from the backed up /var/openprotect-backup/ directory. If this is a fresh installation, this question will not be asked. The only file not restored is /etc/MailScanner/MailScanner.conf, which may contain different configuration options between two versions of MailScanner.
Press Y or y or <Enter> to restore the rulesets. Now, you should manually set the options for rulesets, whitelists, blacklists etc inside /etc/MailScanner/MailScanner.conf. If you press any other key, then the configuration files will not be restored.
If you chose to install SpamAssassin, you will be asked whether to schedule daily updates of SpamAssassin rulesets, which help in catching newer types of spam.
Do you want to periodically update the SpamAssassin rulesets including Backhair, Antidrug, Bigevil, Chickenpox, SA-blacklist, TripWire and Sare . These rulesets may sometimes label some legitimate mails as spam. Updating them daily takes around 3 MB of download and slows down Spam checking to some 10-15%. If you're running a high volume mail server with already high load average without using SpamAssassin rulesets, you should answer NO here, else press Y or ENTER. Do you want to use these rulesets:(Y/n):
Please note that these rulesets reduce the spam checking speed by some 10-15%. Also, they increase the memory used by each MailScanner thread by around 15-30 MB. And, there is the network usage of 3-4 MB downloaded daily. If these requirements are within your limits and you need better accuracy with SpamAssassin, then these rulesets are for you. If you need the fastest spam checking possible, answer N or n here. Else, press Y or y or <Enter>.
The installer then asks the MTA you use.
Enter the MTA you use[sendmail/postfix/exim/qmail]:
Enter the appropriate MTA name you use. If your MTA is not one among the above, enter other to stop the installation.
Continue with the section below for your MTA to complete the MTA specific settings:
Enter sendmail, if you use sendmail as your MTA. Now, the installer will ask you questions specific to your sendmail configuration.
Next, you will be asked the sendmail queue directory.
Enter the queue directory for sendmail[/var/spool/mqueue]:
Enter the full path to the sendmail queue directory. Usually, this is /var/spool/mqueue. Press <Enter> if the queue directory is the default /var/spool/mqueue, or enter the absolute full path to the sendmail queue directory. Please note that the path should be absolute and should not be a symbolic link to the real queue directory.
You will be asked the user under which sendmail runs.
Enter the user under which sendmail runs[root]:
Enter the user under which the sendmail MTA runs. This is usually the user root.
The installer then proceeds to install Kaspersky AV under the sendmail user.
Installing Kaspersky AV under user root...
Creating the directories and copying the necessary files...
If you have just downloaded an evaluation version, please request a trial key file from email@openprotect.com.
If you have bought an original version, you should have a key file with the extension .key. Please enter the path to the key file:
Enter the absolute full path to the key file. If you have not copied the key file to the mail server already, please do so now. You can also enter the absolute full path to the directory inside which the key file resides.
If a key file is found in that directory, you will see output similar to the one below:
Key Files Found are:
/tmp/00078FFD.key
If no key file is found in that directory, you will be asked again to enter the correct directory or file name.
No key files were found in the directory.
Please enter the path to the key file:
If you enter a wrong file, say /bin/bash, as the file name of the key, you will get an error again as shown below:
Not a valid key file.Should be in the form *.key
Please enter the path to the key file:
You will next be asked the group under which sendmail runs.
Enter the group under which sendmail runs[root]:
Enter the group under which the sendmail MTA runs. This is usually the group root.
Next, you will be asked your organization name.
What is your organization name(Note that this name should be a single word of alpha-numeric characters without any white spaces, periods(.) )[myorg]:
Enter your organization name here. This is used to add a header like X-myorg-MailScanner-OpenProtect-Information:, which can be used to track whether a mail has been through your mail server and has been scanned by OpenProtect.
Next, you will be asked the email address of the administrator.
What is the admin's email-id to which the warnings and alerts have to be sent?[admin]:
Enter the email-id to which administrator warnings are sent. This is the email address, to which warnings are sent when a virus or a spam has been found in an email.
Next, you will be asked the email address, from which all virus/spam alerts are sent.
What is the email-id which will be in the from address of all email alerts and warnings?[postmaster]:
Enter the email address which will be in the From: field of the warnings sent to the senders/recipients of viruses/spam/blocked content. To put it in other words, this is the address from which the alert mails regarding a virus/spam/blocked content are sent to the administrator as well as the senders/recipients of such mails.
The installer then asks for the init file for sendmail.
Enter the full pathname of the sendmail init file(eg. '/etc/init.d/sendmail')[/etc/init.d/sendmail]:
If your Linux distribution is based on sysv style init, that is, has its init startup files under /etc/init.d and runlevels under /etc/rc.d/rc[0-6].d (eg RedHat including Fedora, SUSE including SUSE-OpenExchange, Mandrake, Debian), the installer will stop sendmail and start OpenProtect and continue with configuring Antivirus signature updates and SpamAssassin ruleset updates. It will also disable sendmail from the system startup and add OpenProtect to the init runlevels 2-5.
If your Linux distribution is Slackware or Gentoo, then the installer will print the following:
PLEASE STOP SENDMAIL AND START THE OPENPROTECT SERVICE BY RUNNING /etc/init.d/openprotect start DON'T FORGET TO DISABLE SENDMAIL FROM THE STARTUP, AS OPENPROTECT WILL MANAGE SENDMAIL'S INIT STARTUP AND STOP COMMANDS. PRESS <ENTER> TO CONTINUE...
For non-sysv based Linux distributions like Slackware and Gentoo, you should manually stop sendmail and start OpenProtect. Also, you need to disable sendmail and add OpenProtect to the system startup. Sendmail related settings are now complete. Continue with the MTA independent section of the handbook.
Enter postfix, if you use postfix as your MTA. Now, the installer will ask you questions specific to your postfix configuration.
Next, you will be asked the version of postfix MTA you are using.
Enter the postfix version you use[press 1 for 1.x/2 for 2.x, default=1]:
If you use postfix version greater than or equal to 1.11 and less than 2.0, then enter 1 to continue with the installation. If you use postfix version greater than or equal to 2.0, enter 2 to continue with the installation.
You will then be asked the queue directory for postfix.
Enter the queue directory for postfix[/var/spool/postfix]:
Enter the full path to the postfix queue directory. Usually, this is /var/spool/postfix. Press <Enter>, if the spool directory is the default /var/spool/postfix. Please note that the path should be the full absolute path and should not be a symbolic link to the real spool directory.
You will be asked the configuration directory for postfix.
Enter the queue directory for postfix[/var/spool/postfix]:
This is the directory, where the configuration files main.cf and master.cf are located. You can also find out the configuration directory by running postconf | grep config_directory as the root user. The output will look like:
gogo root # postconf | grep config_directory
config_directory = /etc/postfix
Enter the full absolute path to the postfix configuration directory, /etc/postfix in the example above, or press <Enter> to accept the default offered by the installer. As with the queue directory, the path should be absolute and should not be a symbolic link to the real configuration directory.
Next, the user under which postfix is run will be asked.
Enter the user under which postfix runs[postfix]:
Enter the user under which the postfix MTA runs. This is usually the user postfix.
The installer then proceeds to install Kaspersky AV under the postfix user.
Installing Kaspersky AV under user postfix...
Creating the directories and copying the necessary files...
If you have just downloaded an evaluation version, please request a trial key file from email@openprotect.com.
If you have bought an original version, you should have a key file with the extension .key. Please enter the path to the key file:
Enter the absolute full path to the key file. If you have not copied the key file to the mail server already, please do so now. You can also enter the absolute full path to the directory inside which the key file resides.
If a key file is found in that directory, you will see output similar to the one below:
Key Files Found are:
/tmp/00078FFD.key
If no key file is found in that directory, you will be asked again to enter the correct directory or file name.
No key files were found in the directory.
Please enter the path to the key file:
If you enter a wrong file, say /bin/bash, as the file name of the key, you will get an error again as shown below:
Not a valid key file.Should be in the form *.key
Please enter the path to the key file:
Next, the group under which postfix is run will be asked.
Enter the group under which postfix runs[postfix]:
Enter the group under which the postfix MTA runs. This is usually the group postfix.
The installer then asks for the init file for postfix.
Enter the full pathname of the postfix init file (eg. '/etc/init.d/postfix')[/etc/init.d/postfix]:
Enter the absolute full path to the postfix init startup script. It is usually located at /etc/init.d/postfix(for RedHat,Gentoo,Mandrake, Debian, SUSE), or /etc/init.d/rc.postfix(for Slackware).
Next, you will be asked your organization name.
What is your organization name(Note that this name should be a single word of alpha-numeric characters without any white spaces, periods(.) )[myorg]:
Enter your organization name here. This is used to add a header like X-myorg-MailScanner-OpenProtect-Information:, which can be used to track whether a mail has been through your mail server and has been scanned by OpenProtect.
Next, you will be asked the email address of the administrator.
What is the admin's email-id to which the warnings and alerts have to be sent?[admin]:
Enter the email-id to which administrator warnings are sent. This is the email address, to which warnings are sent when a virus or a spam has been found in an email.
Next, you will be asked the email address, from which all virus/spam alerts are sent.
What is the email-id which will be in the from address of all email alerts and warnings?[postmaster]:
Enter the email address which will be in the From: field of the warnings sent to the senders/recipients of viruses/spam/blocked content. To put it in other words, this is the address from which the alert mails regarding a virus/spam/blocked content are sent to the administrator as well as the senders/recipients of such mails.
With the above questions, Postfix related settings are now complete. Continue with the MTA independent section of the handbook.
Enter exim, if you use exim as your MTA. Now, the installer will ask you questions specific to your exim configuration.
Next, you will be asked the path to the exim configuration file.
Enter the path to exim conf file[/usr/exim/configure]:
Enter the path to the exim configuration file. This is usually /usr/exim/configure if you have installed exim from source, and /etc/exim/exim.conf if you have installed exim from your distribution-supplied package, i.e. from rpm (on RedHat, Mandrake, SUSE), deb (on Debian), tgz (on Slackware), ebuild (on Gentoo) etc.
You will next be asked the path to the exim binary.
Enter the path to exim binary[/usr/exim/bin/exim]:
Enter the path to the exim binary. Note that this should be the full absolute path to the exim program not a relative path or a symbolic link.
You will then be asked the queue directory for exim.
Enter the queue directory for exim[/var/spool/exim]:
Enter the full, absolute path to the exim queue directory. Note that this should be the full absolute path to the queue directory, not a relative path or a symbolic link.
Next, you will be asked the version of exim MTA you are using.
Enter the major version number of exim you have
[3 (if you have 3.x) or 4 (if you have 4.x)]:
Enter the major version of exim you use. Press 4 for all versions from 4.0 upwards. Press 3 for 3.x versions.
Next, the user under which exim is run will be asked.
Enter the user under which exim runs[exim]:
Enter the user under which exim runs. This is usually exim.
The installer then proceeds to install Kaspersky AV under the exim user.
Installing Kaspersky AV under user exim...
Creating the directories and copying the necessary files...
If you have just downloaded an evaluation version, please request a trial key file from email@openprotect.com
If you have bought an original version, you should have a key file with the extension .key
Please enter the path to the key file:
Enter the absolute full path to the key file. If you have not copied the key file to the mail server already, please do so now. You can also enter the absolute full path to the directory inside which the key file resides.
If a key file is found in that directory, you will see output similar to the one below:
Key Files Found are:
/tmp/00078FFD.key
If no key file is found in that directory, you will be asked again to enter the correct directory or file name.
No key files were found in the directory.
Please enter the path to the key file:
If you enter a wrong file, say /bin/bash, as the file name of the key, you will get an error again as shown below:
Not a valid key file.Should be in the form *.key
Please enter the path to the key file:
Next, the group under which exim is run will be asked.
Enter the group under which exim runs[exim]:
Enter the group under which exim runs. This is also usually exim.
Next, you will be asked your organization name.
What is your organization name(Note that this name should be a single word of alpha-numeric characters without any white spaces, periods(.) )[myorg]:
Enter your organization name here. This is used to add a header like X-myorg-MailScanner-OpenProtect-Information:, which can be used to track whether a mail has been through your mail server and has been scanned by OpenProtect.
Next, you will be asked the email address of the administrator.
What is the admin's email-id to which the warnings and alerts have to be sent?[admin]:
Enter the email-id to which administrator warnings are sent. This is the email address, to which warnings are sent when a virus or a spam has been found in an email.
Next, you will be asked the email address, from which all virus/spam alerts are sent.
What is the email-id which will be in the from address of all email alerts and warnings?[postmaster]:
Enter the email address which will be in the From: field of the warnings sent to the senders/recipients of viruses/spam/blocked content. To put it in other words, this is the address from which the alert mails regarding a virus/spam/blocked content are sent to the administrator as well as the senders/recipients of such mails.
The installer then asks for the init file for exim.
Enter the full pathname of the exim init file (eg. '/etc/init.d/exim')[/etc/init.d/exim]:
If your Linux distribution is based on sysv style init, that is, has its init startup files under /etc/init.d and runlevels under /etc/rc.d/rc[0-6].d (eg RedHat including Fedora, SUSE including SUSE-OpenExchange, Mandrake, Debian), the installer will stop exim and start OpenProtect and continue with configuring Antivirus signature updates and SpamAssassin ruleset updates. It will also disable exim from the system startup and add OpenProtect to the init runlevels 2-5.
If your Linux distribution is Slackware or Gentoo, then the installer will print the following:
PLEASE STOP EXIM AND START THE OPENPROTECT SERVICE BY RUNNING /etc/init.d/openprotect start DON'T FORGET TO DISABLE EXIM FROM THE STARTUP, AS OPENPROTECT WILL MANAGE EXIM'S INIT STARTUP AND STOP COMMANDS. PRESS <ENTER> TO CONTINUE...
For non-sysv based Linux distributions like Slackware and Gentoo, you should manually stop exim and start OpenProtect. Also, you need to disable exim and add OpenProtect to the system startup. Exim related settings are now complete. Continue with the MTA independent section of the handbook.
Enter qmail, if you use qmail as your MTA. Now, the installer will ask you questions specific to your qmail configuration.
You will be asked the user under which qmail runs.
Enter the user under which qmail runs[qmailq]:
Enter the user under which the qmail MTA runs. This is usually the user qmailq.
Each qmail process usually runs as a different user, for example qmail-send as qmails, qmail-clean as qmailq, qmail-rspawn as qmailr. So, you can find out the exact user to give here by running the command ls -ld /var/qmail/queue/:
drwxr-x--- 11 qmailq qmail 264 Sep 2 22:35 /var/qmail/queue/
So, the owner (the third column in the above output) of /var/qmail/queue is qmailq. Replace /var/qmail/queue with your own queue directory and get the corresponding user name. Enter that user name to the above question.
The installer then proceeds to install Kaspersky AV under the qmail user.
Installing Kaspersky AV under user qmailq...
Creating the directories and copying the necessary files...
If you have just downloaded an evaluation version, please request a trial key file from email@openprotect.com
If you have bought an original version, you should have a key file with the extension .key
Please enter the path to the key file:
Enter the absolute full path to the key file. If you have not copied the key file to the mail server already, please do so now. You can also enter the absolute full path to the directory inside which the key file resides.
If a key file is found in that directory, you will see output similar to the following:
Key Files Found are:
/tmp/00078FFD.key
If no key file is found in that directory, you will be asked again to enter the correct directory or file name:
No key files were found in the directory.
Please enter the path to the key file:
If you enter a file that is not a key file, say /bin/bash, you will again get an error, as shown below:
Not a valid key file.Should be in the form *.key
Please enter the path to the key file:
You will next be asked the group under which qmail runs.
Enter the group under which qmail runs[qmail]:
Enter the group under which the qmail MTA runs. This is usually the group qmail.
You can find out the exact group to give here by running the command ls -ld /var/qmail/queue/:
drwxr-x--- 11 qmailq qmail 264 Sep 2 22:35 /var/qmail/queue/
So, the group (the fourth column in the above output) of /var/qmail/queue is qmail. Replace /var/qmail/queue with your own queue directory and get the corresponding group name. Enter that group name to the above question.
Next, you will be asked the qmail binary directory, where the qmail-queue binary is located.
Enter the bin directory for qmail [/var/qmail/bin]:
Enter the bin directory for qmail. This is usually /var/qmail/bin.
Now, a new qmail-queue binary will be compiled and installed within the /var/qmail/bin directory and the original will be backed up as /var/qmail/bin/qmail-queue.original.
Backing up the original qmail-queue file...
Next, the number of directories (conf-split) in the mess directory will be asked.
Enter the no.of directories(conf-split) in the mess directory for qmail[23]:
You can find out the number of directories under the mess directory of your queue by running the command ls -ld /var/qmail/queue/mess/* | wc -l, for which the output will look like:
gogo / # ls -ld /var/qmail/queue/mess/* | wc -l
23
This is usually 23. In this case, you should enter 23 or whatever prime number you see in this output.
Next, the number of directories (conf-split) in the todo directory will be asked.
Enter the no.of directories in the todo/intd directory for qmail(if only you have applied the big todo patch, otherwise it is 1 for default)[1]:
You can find out the number of directories under the todo directory of your queue by running ls -ld /var/qmail/queue/todo/* | wc -l, for which the output looks like:
gogo qinstall-bash-0.5 # ls -ld /var/qmail/queue/todo/* | wc -l
ls: /var/qmail/queue/todo/*: No such file or directory
If you have not applied the bigtodo patch, you will get the above response. In this case, enter 1 as the number of directories in the todo/intd directory. If you have applied the bigtodo patch, you will get the following response:
gogo qinstall-bash-0.5 # ls -ld /var/qmail/queue/todo/* | wc -l
23
In this case, you should enter 23 or whatever prime number you see in this output.
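The four qmail answers above (queue owner, queue group, mess conf-split, todo conf-split) can all be read off the queue directory layout. The following helper is an added example and is not part of the handbook or of the OpenProtect installer; it takes the queue directory as a parameter (/var/qmail/queue on a default qmail) and builds a constructed, throw-away sample queue so it runs without qmail installed.

```shell
# Added example, not part of the OpenProtect handbook or installer: gather the
# answers the qmail section of the installer asks for (queue owner, queue group,
# mess conf-split, todo conf-split) from the layout of a queue directory.
# The queue path is a parameter; /var/qmail/queue is the usual value.

# Owner and group of the queue directory, read from the same `ls -ld` columns
# the handbook points at (column 3 = user, column 4 = group).
qmail_queue_owner() { ls -ld "$1" | awk '{print $3}'; }
qmail_queue_group() { ls -ld "$1" | awk '{print $4}'; }

# conf-split of a queue subdirectory ("mess", "todo", "intd"): the number of
# numbered directories inside it. A todo/ directory that is missing or has no
# numbered children (qmail without the bigtodo patch) reports 1, which is the
# value the installer expects in that case.
qmail_conf_split() {
    n=$(ls -d "$1"/[0-9]* 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then n=1; fi
    echo "$n"
}

# Prints one line of the form: user=... group=... mess-split=... todo-split=...
qmail_queue_report() {
    q=$1
    printf 'user=%s group=%s mess-split=%s todo-split=%s\n' \
        "$(qmail_queue_owner "$q")" "$(qmail_queue_group "$q")" \
        "$(qmail_conf_split "$q/mess")" "$(qmail_conf_split "$q/todo")"
}

# Constructed sample: a throw-away directory with the layout of a default
# qmail queue (23 mess split directories, unpatched todo/), owned by the
# current user. Prints the path so the caller can remove it afterwards.
qmail_sample_queue() {
    d=$(mktemp -d)
    mkdir -p "$d/mess" "$d/todo"
    i=0
    while [ "$i" -lt 23 ]; do mkdir "$d/mess/$i"; i=$((i + 1)); done
    echo "$d"
}

# Stand-alone run against the constructed sample (no real qmail needed).
sample=$(qmail_sample_queue)
qmail_queue_report "$sample"
rm -rf "$sample"
```

On a real server, run `qmail_queue_report /var/qmail/queue` as root and copy the four values into the installer prompts; the owner and group come from the directory itself, so a non-default qmail user is picked up correctly.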
Next, you will be asked your organization name.
What is your organization name(Note that this name should be a single word of alpha-numeric characters without any white spaces, periods(.) )[myorg]:
Enter your organization name here. It is used to build a header like X-myorg-MailScanner-OpenProtect-Information:, which can be used to track whether a mail has passed through your mail server and has been scanned by OpenProtect.
Next, you will be asked the email address of the administrator.
What is the admin's email-id to which the warnings and alerts have to be sent?[admin]:
Enter the email-id to which administrator warnings are sent. This is the email address, to which warnings are sent when a virus or a spam has been found in an email.
Next, you will be asked the email address, from which all virus/spam alerts are sent.
What is the email-id which will be in the from address of all email alerts and warnings?[postmaster]:
Enter the email address which will be in the From: field of the warnings sent to the senders/recipients of viruses/spam/blocked content. To put it in other words, this is the address from which the alert mails regarding a virus/spam/blocked content are sent to the administrator as well as the senders/recipients of such mails.
Qmail related settings are now complete. The installer will now start OpenProtect and continue with the configuration of MTA independent settings like antivirus/antispam signature updates.
Do not forget to add OpenProtect to the system startup. However, unlike other MTAs, OpenProtect does not manage the qmail startup/shutdown. For information about the rest of the installation, continue with the MTA independent section of the handbook.
Next, the installer proceeds to install nail, a mail client which can send mails directly to an SMTP server. An alert mail is sent using nail if an hourly update of Kaspersky AV or ClamAV fails. Alert mails are also sent daily with the status of the SpamAssassin ruleset update: whether the update succeeded and, if so, which rulesets were updated, which were unchanged, and so on.
Alert mails are sent to the administrator email address given above. After installing nail, the installer proceeds to configure the SMTP server through which the alert mails to the administrator are sent.
Enter the IP address of your smtp server, to which the update failures should be mailed(localhost):
Enter the name of the SMTP server (eg mail.example.com) or its IP address (eg 127.0.0.1). This is usually localhost or 127.0.0.1, which is the same server on which OpenProtect is installed.
The installer then proceeds to configure the proxy settings, if you use a http_proxy to reach the internet.
Do you use a proxy server to reach the internet?(y/N):
Press <Enter> or n or N to skip using a proxy server. If you use a proxy server to reach the internet, press Y or y. The proxy information will be used to update the Antivirus signatures and SpamAssassin rulesets.
The installer then proceeds to configure the username to be used with the proxy. You will not be asked the username, if you answered N to the above question.
Enter the username to be used with the proxy(press <Enter> if no username is required):
Enter the username to be used with your proxy server. Press <Enter>, if no username/password pair is needed to be given to the proxy server.
The installer then proceeds to configure the password to be used with the proxy. You will not be asked the password, if you gave an empty username to the above question.
Enter the password to be used with the proxy(press <Enter> if no password is required):
Enter the password for the username given above. If you gave an empty username to the above question, no password will be asked.
The installer then proceeds to configure the IP address of the proxy server.
Enter the server name(eg proxy.example.com) or IP address(eg 192.168.0.1) of the proxy:
Enter the name of the proxy (eg proxy.example.com) or its IP address (eg 192.168.0.1).
The installer then proceeds to configure the port of the proxy server.
Enter the port number of the proxy(3128):
Enter the port number of the proxy (eg 3128). The default is 3128.
The installation is complete now. Antivirus signatures for Kaspersky AV and ClamAV will be updated now, followed by SpamAssassin rulesets. Antivirus updates are scheduled every 1 hour, while SpamAssassin rulesets are updated every 1 day. If an AV update fails, a warning mail is sent using nail to the administrator email address through the smtp server set above. Report of the changes in the SpamAssassin rulesets is also mailed to the administrator email address after the daily update is complete.
You can do the following tests to make sure that openprotect is working correctly:
Send a test mail from your linux server to your email address, say admin using the mail program.
gogo / # mail admin
Subject: test mail plain
test mail plain
.
Cc:
gogo / #
After scanning, the mail received looks like this:
From root@gogo.opencompt.com Sat Aug 28 19:40:03 2004
Return-Path: <root@gogo.opencompt.com>
Delivered-To: admin@gogo.opencompt.com
Received: from gogo (unknown [127.0.0.1])
by gogo (Postfix) with ESMTP id EC9F5B612
for <admin@gogo>; Sat, 28 Aug 2004 19:39:53 +0530 (IST)
Received: (from root@localhost)
by gogo (8.12.8/8.12.8/Submit) id i7SE9rfa006296
for admin; Sat, 28 Aug 2004 19:39:53 +0530
Date: Sat, 28 Aug 2004 19:39:53 +0530
From: root <root@gogo.opencompt.com>
Message-Id: <200408281409.i7SE9rfa006296@gogo>
To: admin@gogo.opencompt.com
Subject: test mail plain
MIME-Version: 1.0
X-myorg-MailScanner-OpenProtect-Information: Please contact the ISP for more information
X-myorg-MailScanner-OpenProtect: Found to be clean
X-MailScanner-OpenProtect-MCPCheck:
X-myorg-MailScanner-OpenProtect-SpamScore: s
X-MailScanner-OpenProtect-From: root@gogo.opencompt.com
test mail plain
--
This message has been scanned for viruses and
dangerous content by OpenProtect(http://www.openprotect.com), and is
believed to be clean.
You will see that the test mail has been scanned successfully and delivered, and that a signature stating "This message has been scanned for viruses and dangerous content by OpenProtect(http://www.openprotect.com), and is believed to be clean" is appended to the plain mail. The maillog (usually /var/log/maillog or /var/log/mail.log) would show:
Aug 28 19:39:53 gogo postfix/smtpd[6300]: connect from unknown[127.0.0.1]
Aug 28 19:39:53 gogo postfix/smtpd[6300]: EC9F5B612: client=unknown[127.0.0.1]
Aug 28 19:39:54 gogo postfix/cleanup[6301]: EC9F5B612: message-id=<200408281409.i7SE9rfa006296@gogo>
Aug 28 19:39:54 gogo sendmail[6296]: i7SE9rfa006296: to=admin, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30036, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as EC9F5B612)
Aug 28 19:39:54 gogo postfix/nqmgr[6168]: EC9F5B612: from=<root@gogo.opencompt.com>, size=474, nrcpt=1 (queue active)
Aug 28 19:39:54 gogo postfix/smtpd[6300]: disconnect from unknown[127.0.0.1]
Aug 28 19:39:54 gogo postfix/nqmgr[6168]: EC9F5B612: to=<admin@gogo.opencompt.com>, relay=none, delay=1, status=deferred (deferred transport)
Aug 28 19:39:55 gogo MailScanner[6266]: New Batch: Scanning 1 messages, 634 bytes
Aug 28 19:39:55 gogo MailScanner[6266]: MCP Checks: Starting
Aug 28 19:40:01 gogo MailScanner[6266]: Virus and Content Scanning: Starting
Aug 28 19:40:03 gogo MailScanner[6266]: Requeue: EC9F5B612 to 68568B617
Aug 28 19:40:03 gogo MailScanner[6266]: Uninfected: Delivered 1 messages
Aug 28 19:40:03 gogo postfix/nqmgr[6243]: 68568B617: from=<root@gogo.opencompt.com>, size=925, nrcpt=1 (queue active)
Aug 28 19:40:03 gogo postfix/local[6324]: 68568B617: to=<admin@gogo.opencompt.com>, relay=local, delay=10, status=sent (mailbox)
You will see in the above log that the message is first deferred by Postfix (status=deferred (deferred transport)) and then, once MailScanner has scanned it, reported as uninfected and delivered.
Send a test eicar virus from your linux server to your email address, say user1 by running mail user1 < /etc/MailScanner/testmessages/sample-virus-simple.txt. Replace user1 with your own valid username. And the received mail to user1 looks like:
From root@gogo.opencompt.com Sat Aug 28 19:48:16 2004
Return-Path: <root@gogo.opencompt.com>
Delivered-To: user1@gogo.opencompt.com
Received: from gogo (unknown [127.0.0.1])
by gogo (Postfix) with ESMTP id 91A8BB617
for <user1@gogo>; Sat, 28 Aug 2004 19:48:05 +0530 (IST)
Received: (from root@localhost)
by gogo (8.12.8/8.12.8/Submit) id i7SEI5ox006337
for user1; Sat, 28 Aug 2004 19:48:05 +0530
Date: Sat, 28 Aug 2004 19:48:05 +0530
From: root <root@gogo.opencompt.com>
Message-Id: <200408281418.i7SEI5ox006337@gogo>
To: user1@gogo.opencompt.com
X-myorg-MailScanner-OpenProtect-Information: Please contact the ISP for more information
X-myorg-MailScanner-OpenProtect: Found to be infected
X-MailScanner-OpenProtect-MCPCheck:
X-myorg-MailScanner-OpenProtect-SpamScore: s
X-MailScanner-OpenProtect-From: root@gogo.opencompt.com
Subject: {Virus?}
Warning: This message has had one or more attachments removed
Warning: (the entire message, msg-6268-2.txt).
Warning: Please read the "myorg-Attachment-Warning.txt" attachment(s) for more information.
This is a message from the OpenProtect E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "the entire message"
was believed to be infected by a virus and has been replaced by this warning
message.
If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.
At Sat Aug 28 19:48:15 2004 the virus scanner said:
msg-6268-2.txt contains Eicar-Test-Signature
msg-6268-2.txt INFECTED EICAR-Test-File
Note to Help Desk: Look on OpenProtect at myorg in /var/spool/MailScanner/quarantine/20040828 (message 91A8BB617).
--
Postmaster
OpenProtect
Email Virus Scanner
www.openprotect.com
The received mail has an attachment warning replacing the original virus attached to it. An alert mail is also sent to the administrator email address that looks like this:
From admin@gogo.opencompt.com Sat Aug 28 19:48:24 2004
Return-Path: <admin@gogo.opencompt.com>
Delivered-To: user1@gogo.opencompt.com
Received: from gogo (unknown [127.0.0.1])
by gogo (Postfix) with ESMTP id C6D20B625
for <admin@gogo>; Sat, 28 Aug 2004 19:48:16 +0530 (IST)
Received: (from postfix@localhost)
by gogo (8.12.8/8.12.8/Submit) id i7SEIGdd006364;
Sat, 28 Aug 2004 19:48:16 +0530
Date: Sat, 28 Aug 2004 19:48:16 +0530
Message-Id: <200408281418.i7SEIGdd006364@gogo>
X-Authentication-Warning: gogo: postfix set sender to admin using -f
From: "OpenProtect" <postmaster@gogo.opencompt.com>
To: admin@gogo.opencompt.com
Subject: Virus Detected
MIME-Version: 1.0
X-myorg-MailScanner-OpenProtect-Information: Please contact the ISP for more information
X-myorg-MailScanner-OpenProtect: Found to be clean
X-MailScanner-OpenProtect-MCPCheck:
X-myorg-MailScanner-OpenProtect-SpamScore: s
X-MailScanner-OpenProtect-From: admin@gogo.opencompt.com
The following e-mails were found to have:Virus Detected
Sender: root@gogo.opencompt.com
IP Address: 127.0.0.1
Recipient: user1@gogo.opencompt.com
Subject:
MessageID: 91A8BB617
Report: msg-6268-2.txt contains Eicar-Test-Signature
/var/spool/MailScanner/incoming/6268/91A8BB617/msg-6268-2.txt INFECTED EICAR-Test-File
Report: msg-6268-1.txt contains Eicar-Test-Signature
--
OpenProtect
Server Side E-Mail Protection
www.opencompt.com
--
This message has been scanned for viruses and
dangerous content by OpenProtect(http://www.openprotect.com), and is
believed to be clean.
The maillog looks like this:
Aug 28 19:48:05 gogo postfix/smtpd[6341]: connect from unknown[127.0.0.1]
Aug 28 19:48:05 gogo postfix/smtpd[6341]: 91A8BB617: client=unknown[127.0.0.1]
Aug 28 19:48:05 gogo postfix/cleanup[6342]: 91A8BB617: message-id=<200408281418.i7SEI5ox006337@gogo>
Aug 28 19:48:05 gogo sendmail[6337]: i7SEI5ox006337: to=user1, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30008, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 91A8BB617)
Aug 28 19:48:05 gogo postfix/nqmgr[6168]: 91A8BB617: from=<root@gogo.opencompt.com>, size=609, nrcpt=1 (queue active)
Aug 28 19:48:05 gogo postfix/smtpd[6341]: disconnect from unknown[127.0.0.1]
Aug 28 19:48:05 gogo postfix/nqmgr[6168]: 91A8BB617: to=<user1@gogo.opencompt.com>, relay=none, delay=0, status=deferred (deferred transport)
Aug 28 19:48:07 gogo MailScanner[6268]: New Batch: Scanning 1 messages, 766 bytes
Aug 28 19:48:07 gogo MailScanner[6268]: MCP Checks: Starting
Aug 28 19:48:14 gogo MailScanner[6268]: Virus and Content Scanning: Starting
Aug 28 19:48:15 gogo MailScanner[6268]: /var/spool/MailScanner/incoming/6268/./91A8BB617/msg-6268-1.txt: Eicar-Test-Signature FOUND
Aug 28 19:48:15 gogo MailScanner[6268]: /var/spool/MailScanner/incoming/6268/./91A8BB617/msg-6268-2.txt: Eicar-Test-Signature FOUND
Aug 28 19:48:15 gogo MailScanner[6268]: Virus Scanning: ClamAV found 2 infections
Aug 28 19:48:15 gogo MailScanner[6268]: /var/spool/MailScanner/incoming/6268/91A8BB617/msg-6268-2.txt INFECTED EICAR-Test-File
Aug 28 19:48:15 gogo MailScanner[6268]: Virus Scanning: Kaspersky found 1 infections
Aug 28 19:48:15 gogo MailScanner[6268]: Infected message 91A8BB617 came from 127.0.0.1
Aug 28 19:48:15 gogo MailScanner[6268]: Virus Scanning: Found 1 viruses
Aug 28 19:48:15 gogo MailScanner[6268]: Saved infected "msg-6268-2.txt" to /var/spool/MailScanner/quarantine/20040828/91A8BB617
Aug 28 19:48:15 gogo MailScanner[6268]: Saved infected "msg-6268-1.txt" to /var/spool/MailScanner/quarantine/20040828/91A8BB617
Aug 28 19:48:16 gogo MailScanner[6268]: Requeue: 91A8BB617 to 244C4B623
Aug 28 19:48:16 gogo postfix/nqmgr[6243]: 244C4B623: from=<root@gogo.opencompt.com>, size=1794, nrcpt=1 (queue active)
Aug 28 19:48:16 gogo MailScanner[6268]: Silent: Delivered 1 messages containing silent viruses
Aug 28 19:48:16 gogo postfix/local[6368]: 244C4B623: to=<user1@gogo.opencompt.com>, relay=local, delay=11, status=sent (mailbox)
Aug 28 19:48:16 gogo sendmail[6364]: i7SEIGdd006364: Authentication-Warning: gogo: postfix set sender to admin using -f
Aug 28 19:48:16 gogo sendmail[6364]: i7SEIGdd006364: from=admin, size=533, class=0, nrcpts=1, msgid=<200408281418.i7SEIGdd006364@gogo>, relay=user1@localhost
Aug 28 19:48:16 gogo postfix/smtpd[6341]: warning: 127.0.0.1: hostname localhost verification failed: Host not found, try again
Aug 28 19:48:16 gogo postfix/smtpd[6341]: connect from unknown[127.0.0.1]
Aug 28 19:48:16 gogo postfix/smtpd[6341]: C6D20B625: client=unknown[127.0.0.1]
Aug 28 19:48:16 gogo postfix/cleanup[6342]: C6D20B625: message-id=<200408281418.i7SEIGdd006364@gogo>
Aug 28 19:48:16 gogo sendmail[6364]: i7SEIGdd006364: to=admin, ctladdr=admin (501/501), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as C6D20B625)
Aug 28 19:48:16 gogo postfix/nqmgr[6168]: C6D20B625: from=<admin@gogo.opencompt.com>, size=1015, nrcpt=1 (queue active)
Aug 28 19:48:16 gogo postfix/nqmgr[6168]: C6D20B625: to=<admin@gogo.opencompt.com>, relay=none, delay=0, status=deferred (deferred transport)
Aug 28 19:48:16 gogo postfix/smtpd[6341]: disconnect from unknown[127.0.0.1]
Aug 28 19:48:16 gogo MailScanner[6268]: Notices: Warned about 1 messages
Aug 28 19:48:16 gogo MailScanner[6268]: New Batch: Scanning 1 messages, 1177 bytes
Aug 28 19:48:16 gogo MailScanner[6268]: MCP Checks: Starting
Aug 28 19:48:23 gogo MailScanner[6268]: Virus and Content Scanning: Starting
Aug 28 19:48:24 gogo MailScanner[6268]: Requeue: C6D20B625 to 4BD43B61C
Aug 28 19:48:24 gogo MailScanner[6268]: Uninfected: Delivered 1 messages
Aug 28 19:48:24 gogo postfix/nqmgr[6243]: 4BD43B61C: from=<admin@gogo.opencompt.com>, size=1467, nrcpt=1 (queue active)
Aug 28 19:48:24 gogo postfix/local[6368]: 4BD43B61C: to=<admin@gogo.opencompt.com>, relay=local, delay=8, status=sent (mailbox)
You can see from the logs that the virus has been caught by both ClamAV and Kaspersky, that a warning mail has been sent to the administrator email address (admin@gogo.opencompt.com here), and that the user receives a cleaned email which warns that an attachment containing a virus was found and has been removed.
Send a test spam mail from your linux server to your email address, say admin by running mail admin < /etc/MailScanner/testmessages/sample-spam-GTUBE-junk.txt. Replace admin with your own valid username. And the received mail to admin looks like:
From root@gogo.opencompt.com Sat Aug 28 20:11:18 2004
Return-Path: <root@gogo.opencompt.com>
Delivered-To: admin@gogo.opencompt.com
Received: from gogo (unknown [127.0.0.1])
by gogo (Postfix) with ESMTP id 2B9E3B623
for <admin@gogo>; Sat, 28 Aug 2004 20:11:09 +0530 (IST)
Received: (from root@localhost)
by gogo (8.12.8/8.12.8/Submit) id i7SEf805006396
for admin; Sat, 28 Aug 2004 20:11:08 +0530
Date: Sat, 28 Aug 2004 20:11:08 +0530
From: root <root@gogo.opencompt.com>
Message-Id: <200408281441.i7SEf805006396@gogo>
To: admin@gogo.opencompt.com
MIME-Version: 1.0
X-myorg-MailScanner-OpenProtect-Information: Please contact the ISP for more information
X-myorg-MailScanner-OpenProtect: Found to be clean
X-MailScanner-OpenProtect-MCPCheck:
X-myorg-MailScanner-OpenProtect-SpamCheck: spam,
SpamAssassin (score=1001.105, required 3, GTUBE 1000.00,
NO_DNS_FOR_FROM 1.10)
X-myorg-MailScanner-OpenProtect-SpamScore: ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
X-MailScanner-OpenProtect-From: root@gogo.opencompt.com
Subject: {Spam?}
Subject: Test spam mail (GTUBE)
Message-ID: <GTUBE1.1010101@example.net>
Date: Wed, 23 Jul 2003 23:30:00 +0200
From: Sender <sender@example.net>
To: Recipient <recipient@example.net>
Precedence: junk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
This is the GTUBE, the
Generic
Test for
Unsolicited
Bulk
Email
If your spam filter supports it, the GTUBE provides a test by which you
can verify that the filter is installed correctly and is detecting incoming
spam. You can send yourself a test mail containing the following string of
characters (in upper case and with no white spaces and line breaks):
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
You should send this test mail from an account outside of your network.
--
This message has been scanned for viruses and
dangerous content by OpenProtect(http://www.openprotect.com), and is
believed to be clean.
You can see that the received mail has the subject {Spam?}. You can use this as a filter in your mail client (Mozilla/Outlook/Opera/Eudora/Outlook Express/Evolution/Sylpheed) to move mails with this subject to a spam folder in your POP3 or IMAP account. Also, in the maillog, you will see:
Aug 28 20:11:09 gogo postfix/smtpd[6400]: connect from unknown[127.0.0.1]
Aug 28 20:11:09 gogo postfix/smtpd[6400]: 2B9E3B623: client=unknown[127.0.0.1]
Aug 28 20:11:09 gogo postfix/cleanup[6401]: 2B9E3B623: message-id=<200408281441.i7SEf805006396@gogo>
Aug 28 20:11:09 gogo sendmail[6396]: i7SEf805006396: to=admin, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30008, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 2B9E3B623)
Aug 28 20:11:09 gogo postfix/nqmgr[6168]: 2B9E3B623: from=<root@gogo.opencompt.com>, size=1247, nrcpt=1 (queue active)
Aug 28 20:11:09 gogo postfix/smtpd[6400]: disconnect from unknown[127.0.0.1]
Aug 28 20:11:09 gogo postfix/nqmgr[6168]: 2B9E3B623: to=<admin@gogo.opencompt.com>, relay=none, delay=0, status=deferred (deferred transport)
Aug 28 20:11:10 gogo MailScanner[6253]: New Batch: Scanning 1 messages, 1404 bytes
Aug 28 20:11:10 gogo MailScanner[6253]: MCP Checks: Starting
Aug 28 20:11:16 gogo MailScanner[6253]: Spam Checks: Found 1 spam messages
Aug 28 20:11:16 gogo MailScanner[6253]: Virus and Content Scanning: Starting
Aug 28 20:11:18 gogo MailScanner[6253]: Requeue: 2B9E3B623 to DB2B0B61E
Aug 28 20:11:18 gogo MailScanner[6253]: Uninfected: Delivered 1 messages
Aug 28 20:11:18 gogo postfix/nqmgr[6243]: DB2B0B61E: from=<root@gogo.opencompt.com>, size=1908, nrcpt=1 (queue active)
Aug 28 20:11:18 gogo postfix/local[6424]: DB2B0B61E: to=<admin@gogo.opencompt.com>, relay=local, delay=9, status=sent (mailbox)
You can see from the logs that MailScanner reports "Spam Checks: Found 1 spam messages" and that the uninfected mail has been delivered.
With the above 3 tests, the verification of the setup is complete. If you do not get similar output from the above 3 tests (plain, virus, spam), look for any warning or error messages in the maillog.
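When the three tests are repeated on a busy server the relevant MailScanner lines are buried among Postfix and sendmail entries. The helper below is an added example, not part of the handbook: it counts what MailScanner reported (spam found, viruses found, clean deliveries) and lists the quarantine directories and source IPs of infected messages, so a run can be checked without reading the whole log. The log path is a parameter (usually /var/log/maillog or /var/log/mail.log); the sample log it builds is constructed from the lines shown above for the plain, virus and spam tests.

```shell
# Added example, not part of the handbook: maillog triage for the three
# verification tests. Works on the MailScanner lines shown in this section;
# everything else in the log is ignored.

# Sum of N over "Spam Checks: Found N spam messages" lines.
maillog_spam_found() {   # maillog_spam_found LOGFILE
    awk '/MailScanner\[[0-9]+\]: Spam Checks: Found [0-9]+ spam/ { n += $(NF-2) }
         END { print n+0 }' "$1"
}

# Sum of N over "Virus Scanning: Found N viruses" lines. This is the final
# verdict after all scanners ran; the per-scanner "ClamAV found 2 infections"
# lines count signatures, not messages, and are deliberately not used.
maillog_viruses_found() {
    awk '/MailScanner\[[0-9]+\]: Virus Scanning: Found [0-9]+ virus/ { n += $(NF-1) }
         END { print n+0 }' "$1"
}

# Sum of N over "Uninfected: Delivered N messages" lines (clean deliveries;
# cleaned virus mails are logged as "Silent: Delivered" and not counted here).
maillog_clean_delivered() {
    awk '/MailScanner\[[0-9]+\]: Uninfected: Delivered [0-9]+ message/ { n += $(NF-1) }
         END { print n+0 }' "$1"
}

# Unique quarantine directories from 'Saved infected "..." to <dir>' lines.
maillog_quarantine_dirs() {
    awk '/MailScanner\[[0-9]+\]: Saved infected / { print $NF }' "$1" | sort -u
}

# Unique source IPs from "Infected message <id> came from <ip>" lines.
maillog_infected_sources() {
    awk '/MailScanner\[[0-9]+\]: Infected message .* came from / { print $NF }' "$1" | sort -u
}

# One-line summary of a log file.
maillog_summary() {
    printf 'spam=%s viruses=%s clean_delivered=%s quarantine_dirs=%s\n' \
        "$(maillog_spam_found "$1")" "$(maillog_viruses_found "$1")" \
        "$(maillog_clean_delivered "$1")" \
        "$(maillog_quarantine_dirs "$1" | wc -l | tr -d ' ')"
}

# Constructed sample log: a subset of the lines the handbook shows for the
# plain, virus and spam tests. Prints the temporary file's path.
maillog_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Aug 28 19:39:55 gogo MailScanner[6266]: New Batch: Scanning 1 messages, 634 bytes
Aug 28 19:40:03 gogo MailScanner[6266]: Uninfected: Delivered 1 messages
Aug 28 19:48:15 gogo MailScanner[6268]: Virus Scanning: ClamAV found 2 infections
Aug 28 19:48:15 gogo MailScanner[6268]: Virus Scanning: Kaspersky found 1 infections
Aug 28 19:48:15 gogo MailScanner[6268]: Infected message 91A8BB617 came from 127.0.0.1
Aug 28 19:48:15 gogo MailScanner[6268]: Virus Scanning: Found 1 viruses
Aug 28 19:48:15 gogo MailScanner[6268]: Saved infected "msg-6268-2.txt" to /var/spool/MailScanner/quarantine/20040828/91A8BB617
Aug 28 19:48:15 gogo MailScanner[6268]: Saved infected "msg-6268-1.txt" to /var/spool/MailScanner/quarantine/20040828/91A8BB617
Aug 28 19:48:16 gogo MailScanner[6268]: Silent: Delivered 1 messages containing silent viruses
Aug 28 19:48:24 gogo MailScanner[6268]: Uninfected: Delivered 1 messages
Aug 28 20:11:16 gogo MailScanner[6253]: Spam Checks: Found 1 spam messages
Aug 28 20:11:18 gogo MailScanner[6253]: Uninfected: Delivered 1 messages
EOF
    echo "$f"
}

# Stand-alone run on the constructed sample.
log=$(maillog_sample)
maillog_summary "$log"
maillog_infected_sources "$log"
rm -f "$log"
```

After the three tests you expect exactly one spam, one virus and three clean deliveries (the plain mail, the administrator alert and the spam mail); a quarantine directory named after the day and the Postfix queue id should appear for the virus test only.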
You can learn how to configure the basic virus, spam and other related settings here. All the default settings can be found in /etc/MailScanner/MailScanner.conf and can be changed to a valid value as explained below for each of the settings. After changing any of the settings, you should activate the setting by running openprotect restart.
You can configure the maximum number of threads (or children) by changing the default setting listed above in /etc/MailScanner/MailScanner.conf.
If you are running on a server with more than 1 CPU, or you have a high mail load (and/or slow DNS lookups), then you should see better performance if you increase this figure. If you are running on a small system with limited RAM, note that each child takes around 50-75 MB of RAM. Also see Max Unscanned Bytes Per Scan for increasing scanning speed without increasing the number of children.
You can configure how often (in seconds) each child checks the incoming mail queue for new messages by changing the Queue Scan Interval in /etc/MailScanner/MailScanner.conf. Change the default:
If you have a quiet mail server, you might want to increase this value so it causes less load on your server, at the cost of slightly increasing the time taken for an average message to be processed. But if you have a very busy server, you can set this to a low value. The default value of "5" seconds is quite enough for small to moderate load systems. If you want a more aggressive setting, you can set it to "1" second.
MailScanner handles messages in batches for efficiency. Messages are added to a batch (in strict date order) from the incoming queue directory, one at a time, until one of Max Unscanned Bytes Per Scan, Max Unsafe Bytes Per Scan, Max Unscanned Messages Per Scan or Max Unsafe Messages Per Scan is reached or the queue is empty. Then this batch is scanned as a whole, so that I/O-bound processing is done as fast as possible. Scanning a batch of messages this way is faster than scanning each message individually, where I/O reads and writes are random, which increases latency and decreases throughput.
This setting limits the total size of messages per batch for which no virus scanning is done (i.e. Virus Scanning = no), but Spam checks are still done for these messages. The above default of "100000000" limits each child (or thread) to scanning a maximum of "100000000" bytes, or approximately 100 MB of messages, per pass of the incoming mail queue.
This setting limits the total size of messages per batch for which both virus scanning (i.e. Virus Scanning = yes) and Spam checks are done. The above default of "50000000" limits each child (or thread) to scanning a maximum of "50000000" bytes, or approximately 50 MB of messages, per pass of the incoming mail queue.
This setting limits the total number of messages per batch for which no virus scanning (i.e. Virus Scanning = no) is done, but only Spam checks. The above default of "30" limits each child (or thread) to scanning a maximum of 30 messages per pass of the incoming mail queue.
This setting limits the total number of messages per batch for which both virus scanning (i.e. Virus Scanning = yes) and Spam checks are done. The above default of "30" limits each child (or thread) to scanning a maximum of 30 messages per pass of the incoming mail queue.
If more messages are found in the queue than this, then switch to an "accelerated" mode of processing messages. This will cause it to stop scanning messages in strict date order, but in the order it finds them in the queue. If your queue is bigger than this size a lot of the time, then some messages could be greatly delayed. So treat this option as "in emergency only".
The maximum number of attachments allowed in a message before it is considered to be an error, the message is quarantined/deleted and an alert mail is sent to the administrator/recipient/sender. Note that some email systems, when bouncing a message between 2 addresses repeatedly, add information about each bounce as an attachment, creating a message with thousands of attachments in just a few minutes. This can slow down or even stop MailScanner as it uses all available memory to unpack these thousands of attachments.
TNEF is primarily used by Microsoft programs such as Outlook and Outlook Express when mails are formatted/sent in RTF (Rich Text Format). Attachments are all put together in one WINMAIL.DAT file. Set this to "yes" if you want to do filename or filetype checks. If you set this to "no", then the filenames within the TNEF attachment will not be checked against the filename rules.
Rich Text Format(RTF) attachments produced by some versions of Microsoft Outlook cannot be completely decoded at present. Setting this option to yes allows compatibility with the behavior of earlier versions where these attachments were still delivered. This would introduce the slight chance of a virus getting through in the segment of the attachment that could not be decoded, but the setting may be necessary if you have a large number of Microsoft Outlook users who are troubled by the new behaviour.
If you intend to use the external "tnef" program, set the "TNEF Expander" option to "/path/to/tnef --maxsize=N", where N is the maximum size of a TNEF attachment, above which "tnef" program does not open the attachment. It helps protect against Denial Of Service attacks in TNEF files. You can also use the Perl Convert::TNEF module for this purpose by setting "TNEF Expander = internal". Note that OpenProtect installs a copy of the external TNEF program at /usr/bin/tnef, so using default values is sufficient in most cases. If you face any problems in scanning TNEF attachments, you can use the "internal" option, but make sure you have installed the Perl Convert::TNEF module.
The maximum length of time (in seconds) the TNEF Expander is allowed to run for disassembling one attachment. If disassembling a TNEF attachment takes more time than this, the attachment filename/filetype checks are not done. Note this does not affect filename/filetype checks of MIME/Uuencode/Base64/Quoted-Printable/Binhex/yEnc and other attachment formats.
The absolute path where the file command is installed. This is used for checking the content type of files, regardless of their filename. To disable Filetype checking, set this value to blank "" .
The maximum length of time the file command is allowed to run for one batch of messages (in seconds).
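The settings above (Queue Scan Interval, the four batch limits, Virus Scanning, TNEF Expander and the rest) are all plain "Key = value" lines in /etc/MailScanner/MailScanner.conf. The helper below is an added example, not part of the handbook or of OpenProtect: it reads and changes one such key from a script, ignores commented-out lines, refuses non-numeric values for the numeric settings, and rewrites the file through a temporary copy so a failure cannot leave a half-written configuration. The file path is a parameter; it builds a constructed sample in the same format (the --maxsize value given to the TNEF Expander there is an assumed example value).

```shell
# Added example, not part of the handbook or of OpenProtect: read and change a
# "Key = value" setting in a MailScanner.conf-style file from a script, so
# tuning changes can be applied exactly and reviewed before `openprotect restart`.
# The file path is a parameter; /etc/MailScanner/MailScanner.conf is the real one.

# Print the value of KEY (e.g. "Queue Scan Interval"); comment lines are skipped
# and surrounding whitespace is trimmed. Prints nothing if the key is absent.
msconf_get() {   # msconf_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { p = index($0, "="); if (p == 0) next
          k = substr($0, 1, p - 1); v = substr($0, p + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) { print v; exit } }
    ' "$1"
}

# Replace the value of KEY in place, or append it if absent. The file is
# rewritten through a temporary copy so a failure leaves the original intact.
# (awk -v interprets backslash escapes in VALUE; keep values free of them.)
msconf_set() {   # msconf_set FILE KEY VALUE
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v val="$3" '
        BEGIN { done = 0 }
        !/^[ \t]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { print key " = " val; done = 1; next }
        }
        { print }
        END { if (!done) print key " = " val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Numeric settings (seconds, bytes, message counts) only accept a non-negative
# integer; anything else is rejected before the file is touched.
msconf_set_int() {   # msconf_set_int FILE KEY VALUE
    case "$3" in
        ''|*[!0-9]*) echo "msconf_set_int: '$3' is not an integer" >&2; return 1 ;;
    esac
    msconf_set "$1" "$2" "$3"
}

# Constructed sample in MailScanner.conf format with the defaults quoted in
# this section; the --maxsize value is an assumed example. Prints its path.
msconf_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt, not a real MailScanner.conf
Queue Scan Interval = 5
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 30
# Max Unsafe Messages Per Scan = 999   (commented out: must be ignored)
Max Unsafe Messages Per Scan = 30
Virus Scanning = yes
TNEF Expander = /usr/bin/tnef --maxsize=100000000
EOF
    echo "$f"
}

# Stand-alone run: lower the queue scan interval on the sample and show it.
conf=$(msconf_sample)
msconf_set_int "$conf" "Queue Scan Interval" 1
msconf_get "$conf" "Queue Scan Interval"
rm -f "$conf"
```

On a real server, edit a copy first, diff it against the installed file, then move it into place and run `openprotect restart`, since the handbook notes that changed settings only take effect after a restart.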