qmail + spamassassin + clamav quick reference

Last modified January 16, 2008 8:44:28 AM EST. 16831. Questions, comments? Email mark at rauros. Like this guide? Link to it!

Author: Mark (mark at rauros dot net)
Special Thanks: Carlos (rockwithme.org)
Special Thanks: Mike (atomos13.com)

This document is meant to help people get qmail up and running with spamassassin set to tag messages and clam antivirus to kill viruses. Hopefully, it will address the little quirks of setup that occur but are for some reason left out of guides.

• Install qmail: Life with qmail has great instructions.
  
  
• Install Perl: This usually comes preinstalled with a distribution of Linux.
  
  
• Install SpamAssassin
  
  1. Either use CPAN:
     • perl -MCPAN -e shell

     • o conf prerequisites_policy ask
     • install Mail::SpamAssassin
     • quit
  2. Or, install from source. Just download the latest tar file, extract it, change to the new directory, and then:
     • perl Makefile.PL
     • make

     • make install
  Now, use your favorite text editor to configure the spam daemon. Edit /etc/mail/spamassassin/local.cf. If you're not sure of what options you need (or what the options are), feel free to skip making changes to the config file. Just use the defaults. Otherwise, use the following:
  
  • perldoc Mail::SpamAssassin::Conf
  Put the following line in your init (i.e. bootup) script:
  /usr/bin/spamd -d
  On my system, I typically put it in /etc/rc.d/rc.local. If you're not going to be restarting any time soon, execute it manually as root. You may also be interested in my simple script for controlling spamd. It's a hacked-up, simplified version of qmailctl.
  
  
• Installing ClamAV
  
  • Be sure to make the user and group clamav will execute as before you ./configure ClamAV:
    • groupadd clamav
    • useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
    
    
  • Get ClamAV from SourceForge. Their homepage is clamav.net. Uncompress it and install it; it's your standard ./configure && make && make install.
    
    
  • Now you have to set up ClamAV. You'll need to set up both clamd, the ClamAV daemon (/usr/local/etc/clamd.conf) and freshclam, the daemon which updates ClamAV's definitions (/usr/local/etc/freshclam.conf). All you really have to do is comment out the "Example" line in each conf file, but I would read through the entire conf. There are lots of options for ClamAV that will probably be a big help. If you don't comment out the "Example" line, both clamd and freshclam will squawk and not start.
    
    
  • Now let's set up the ClamAV virus definition auto-updater, freshclam:
    • touch /var/log/clam-update.log
    • chmod 600 /var/log/clam-update.log
    • chown clamav:clamav /var/log/clam-update.log
    Now add the following to your init script:
    /usr/local/bin/freshclam -d -c 2 -l /var/log/clam-update.log
    The last line executes freshclam as a daemon and tells it to update the ClamAV virus definitions twice daily. If you don't plan on rebooting anytime soon, execute this line manually now as root, as well.
    
    
  • Put the following entry into your init script:
    /usr/local/sbin/clamd
    If you don't plan on restarting anytime soon, execute it manually as root, as well.
    
    
• Install qmail-scanner (st patch)
  
  This is a patched version of the original qmail-scanner that allows for quarantining and deleting/rejecting spam. You can go with the standard qmail-scanner if you don't require those options, but understand that from this point forward, this guide will assume you're using qmail-scanner (st patch). If you don't use qmail-scanner (st patch), remove the options --sa-quarantine, --sa-delete, and --sa-reject from the configuration line ahead, otherwise your configuration will fail.
  
  First, create the user and group qmail-scanner will run as:
  • groupadd qscand
  • useradd -g qscand -s /bin/false -c "Qmail-Scanner Account" qscand
  Now use the following configuration options:
  • ./configure --admin postmaster --domain yourdomain.com --notify psender,admin --local-domains yourdomain.com --silent-viruses auto --unzip 1 --add-dscr-hdrs 1 --archive 0 --redundant no --log-details yes --log-crypto 0 --fix-mime 1 --sa-quarantine 0.1 --sa-delete 5.0 --sa-reject 0 --sa-subject "SPAM:: " --scanners "fast_spamassassin,clamdscan" --skip-setuid-test --install 1
  Note: You have to change yourdomain.com to your domain name, though over time I've found that you don't really need to add multiple domains if you host lots of them on your server. This version of qmail-scanner also quarantines spam as well as viruses - you should check the qmail-scanner (st patch) configure options page for details on how it all works.
  
  
• Making qmail-scanner-queue.pl work
  
  • Things get a little hairy making qmail-scanner work correctly. Due to setuid issues with Perl (on some distributions, notoriously Redhat), you need to use a C program to wrap qmail-scanner-queue.pl. This program is included with qmail-scanner - it's in the contrib directory of the unpacked source. Change the directory to the unpacked source and do:
    • cd contrib
    • make
    • cp qmail-scanner-queue /var/qmail/bin/
    
    
  • Now you'll have two new executables in /var/qmail/bin/ - qmail-scanner-queue.pl and qmail-scanner-queue. Execute the following commands**:
    • cd /var/qmail/bin
    • chmod 6755 qmail-scanner-queue
    • chmod 0755 qmail-scanner-queue.pl
    • chown qscand:qscand qmail-scanner-queue*
    
    
  • Test it by executing the command
    • ./qmail-scanner-queue -z
    • ./qmail-scanner-queue -v
    If this outputs version information for qmail-scanner, you know the wrapper is working (plus you can confirm qmail-scanner picked up all of the right scanners).
    
    
  • Provided the last step was successful, we have just a few more steps to take:
    • chown -R qscand:qscand /var/spool/qscan/
    Check in /var/spool/qscan/ and make sure all the files are owned by the user qscand and group qscand. If they aren't, ensure that they are. qmail-scanner will not work if any of the files it accesses are not owned by qscand, and all of your e-mail will remain in limbo.
    
    
  • Now you need to tell qmail to use the scanner to process incoming mail. There are many possibilities as to how you may configure your tcp rules file. The example here simply instructs qmail to process all mail, local and remote. Do this by editing your /etc/tcp.smtp file and change the file to read
    127.:allow,RELAYCLIENT=""
    :allow,QS_SPAMASSASSIN="yes",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
    This will scan all mail going through the server, with the exception of any mail directly originating from the local machine. You may have your own needs to meet in regards to qmail's setup - it's up to you. Explaining the syntax of the qmail's tcp rules file is well outside the scope of this document (read: I don't understand it either, plus I'm too lazy to figure it out), so if you're interested, it's up to you!
    
    
  • Reload the qmail rules file:
    • qmailctl cdb
    
    
• Restart qmail
  • qmailctl restart
  I found that I needed to crank up the softlimit in /var/qmail/supervise/qmail-smtpd/run to 30MB (30000000). You'll need to adjust yours to handle the extra memory requirements of ClamAV and SpamAssassin and then restart tcpserver:
  • killall tcpserver
  • tcpserver
  Cranking the softlimit too high will open you up to other vulnerabilities, however, so it's important to not just turn it up to the maximum system limit and just leave it there. I recently had several mail servers start to exhibit bizarre behaviors because updates coming down from freshclam made my previous softlimit, 15MB, too low. If the server starts acting up, the first thing I would check is whether or not it's has enough memory and then making sure everything has the right permissions.
  
  

---



• Extra qmail goodies:
  
  • Coming: A guide for setting up Courier-IMAP with simple user authentication!
  • qmail-autoresponder by Bruce Guenter: for vacation messages
  • qmHandle by Christopher Chan: a tool for managing your queue
  • Training your SpamAssassin bayesian filter with IMAP!
  • How to check the mail in your quarantine:
    This one is easy. You already have the user "qscand" since you needed it for qmail-scanner to work. Now, you're just going to make it easy to check the quarantine from any mail reader.
    • mkdir /home/qscand/
    • ln -s /var/spool/qscan/quarantine /home/qscand/Maildir
    • chown -R qscand:qscand /home/qscand
    • passwd qscand
    Now, you'll be able to log in with the username qscand and check the quarantined mails.
    
    
  • How to make qmail a virus and spam scrubbing SMTP-route for multiple domains!
  • Updating the qmail users/assign file easily - add the following to your /var/qmail/bin/qmailctl script:
      usr)
        /var/qmail/bin/qmail-pw2u < /etc/passwd > /var/qmail/users/assign
        echo "Getting user listing from /etc/passwd ..."
        /var/qmail/bin/qmail-newu
        echo "New user(s) added to qmail."
        ;;
    If you're feeling particularly fancy, go further down and add the update to the help output. (or, download my modified version)
  
  

** I got feedback that changing the mode to 6755 on qmail-scanner-queue does not successfully set the sticky bit on Cent OS (and possibly on other operating systems). Check to make sure that the permissions on the file are correct:

[/var/qmail/bin]$ ls -al qmail-scanner-queue
-rwsr-sr-x qscand qscand qmail-scanner-queue

Note the octal permissions highlighted above - yours should look the same. If changing the mode to 6755 did not work, the alternative is to instead use:

# chmod +s qmail-scanner-queue

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.