An alternative to DrWeb?

[albans]

DrWeb made several problems on my server with Plesk8. So, I was thinking of an alternative to it (and something cheaper).

What do you think of:
- clamAV
- 4PSA Clean server
in plesk8 environment?

__________________
Internet Services - Plesk Hosting
Plesk Administration: Guides (fr)

 

[atomicturtle]

Im pretty impressed with clamav, the frequently get A/V sigs out the door before the commercial vendors these days.

 

[albans]

I noticed that clamAV is in your rpms for 7.5.4.
Do you have any experience with it in Plesk8 (FC2)?

 

[atomicturtle]

Not personally, however I have had a few testers tell me it works the same on 8.0

 

[poke]

I will of course, add in 4PSA Clean Server for psa..

http://www.jbwebhosting.com/4psa.html

 

[albans]

I tried to install ClamAV via your repository (atomic!) for PSA-8...

I did it as follow:
yum install clamav
yum install clamd
yum install qmail-scanner

Then I got an error message:
----------------------------------------
install: cannot stat `qmail-scanner-queue.pl': No such file or directory
setuidgid: fatal: unable to run /var/qmail/bin/qmail-scanner-queue.pl: file does not exist
setuidgid: fatal: unable to run /var/qmail/bin/qmail-scanner-queue.pl: file does not exist
chmod: cannot access `/var/qmail/bin/qmail-scanner-queue.pl': No such file or directory
Installed: qmail-scanner 1:1.25-9.rhfc2.art.noarch
Dep Installed: tnef 1.2.1-1.rhfc2.art.i386 maildrop 1.8.1-2.rhfc2.art.i386 perl-suidperl 3:5.8.3-18.1.i386 daemontools 0.76-1.rhfc2.art.i386
----------------------------------------

I was then unable to send/receive mail. So I removed qmail-scanner via YUM and it worked again.

But how can I make qmail-scanner work?

 

[albans]

Forget about my problems, I could install everything following those commands:

-----------------------------------------------------
yum remove psa-spamassassin
yum install qmail-scanner
yum install clamd
yum install spamassassin
/usr/bin/qmail-scanner-reconfigure
-----------------------------------------------------

And everything's fine when looking at the headers...

I just have one dream now: is it possible to still have PSA spamassassin and ClamAV? As I really liked to manage PSA spamassin via the plesk interface...

Thanks.

 

[atomicturtle]

yes you can have both, installing qmail-scanner doesnt disable it, it just adds another layer to the system. So worst case, you're scanning spam twice (once in the queue via q-s, and once in the users mailbox, with psa-SA). On the plus side one advantage that q-s gives you is it also scans outbound messages, a nice saftey net if someone starts spamming through your box.

 

[albans]

Okay, thanks, I could simply do it like that:
-----------------------------------------------------
Before installing qmail-scanner:
-----------------------------------------------------
1. remove dr web:
# rpm -e drweb drweb-qmail
2. remove psa spamassassin
[Note: not necessary but this solved the first error I had]
# yum remove psa-spamassassin
-----------------------------------------------------
Install qmail-scanner/clamav/spamassassin
-----------------------------------------------------
# yum install qmail-scanner
# yum install clamd
# yum install spamassassin
# yum install psa-spamassassin
# /usr/bin/qmail-scanner-reconfigure
-----------------------------------------------------

Then everything's working (clamAV reject mails with viruses and x-spam entry shows up spamassassin in the mail's header) and the Plesk admin works to administrate PSA Spamassassin.

So, Scott, thanks a lot for your rpms!

But just one question: do I really need to remove psa-spamassassin before installing qmail-scanner? I would like to keep the bayesian lists and all the defined settings on another server...

 

[atomicturtle]

You dont have to remove psa-spamassassin, no. Its OK to run both, the only disadvantage is that you'll be scanning messages twice.

 

[albans]

I noticed a strange entry in the maillogs...
---------------------------------------------------
Apr 20 16:55:22 server spamd[3622]: spamd: got connection over /tmp/spamd_full.sock
Apr 20 16:55:22 server spamd[3622]: spamd: using default config for mail@server: /var/qmail/mailnames/domain/name/.spamassassin/user_prefs
Apr 20 16:55:22 server spamd[3622]: config: failed to parse line, skipping: rewrite_subject_1
Apr 20 16:55:22 server spamd[3622]: config: failed to parse line, skipping: subject_tag_*****SPAM*****
Apr 20 16:55:22 server spamd[3622]: spamd: processing message <000001c664b5$48ceac00$0100007f@localhost> for mail@server:110
Apr 20 16:55:22 server qmail-scanner[8182]: Clear:RC:0(219.154.32.138): 2.076821 9539 [email protected] mail@server What_IS_0EM_Software_And_Why_D0_You_Care? <000001c664b5$48ceac00$0100007f@localhost> 1145544921.8205-1.server.ch:7518 1145544921.8205-0.server.ch:797 orig-server.ch11455449207228182:9539
Apr 20 16:55:23 server spamd[3622]: Can't locate Mail/SPF/Query.pm in @INC (@INC contains: ../lib /mnt/dar/tmp/spamassassin-root//usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3 /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl) at /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Pl
Apr 20 16:55:25 server spamd[3622]: spamd: identified spam (19.9/7.0) for mail@server:110 in 2.5 seconds, 9846 bytes.
Apr 20 16:55:25 server spamd[3622]: spamd: result: Y 19 - HTML_MESSAGE,NO_DNS_FOR_FROM,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_WHOIS_INVALID,RCVD_IN_XBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=2.5,size=9846,user=mail@server,uid=110,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=/tmp/spamd_full.sock,mid=<000001c664b5$48ceac00$0100007f@localhost>,autolearn=spam
Apr 20 16:55:25 server spamd[20080]: prefork: child states: II
---------------------------------------------------

So, two things:
- Why is happening the error "failed to parse line" twice for "subject_tag_*****SPAM*****" and "rewrite_subject_1"?

- What is the "Can't locate Mail/SPF/Query.pm" message? What is it used for?
Found the answer:
http://www.akadia.com/services/spf.html


And finally, where can I configure which policy I want to use or not for qmail-queue => for example, the Win_Ext policy bloqued every file with two win32 extensions (like "something.doc.rtf")?
Found something interessant in this file:
/var/qmail/bin/qmail-scanner-queue.pl

And one more question:
Is it possible to install qmail-scanner and clamd without installing spamassassin? As there're some dependencies between spamassassin and qmail-scanner... Just in order to use only psa-spamassassin.

 

[atomicturtle]

qmail-scanner configs can be done from /var/qmail/bin/qmail-scanner-queue.pl
and /var/spool/qmailscan/

spamassassin - has SPF deps that break on some distros in my build environment. Its a harmless error, just means those checks arent working. Its on my bug list.

 

[albans]

I tried to modify the qmail-scanner-queue.pl but I'm not able to activate the notification to sender and admin.

Then I tried to modify the /usr/bin/qmail-scanner-reconfigure file, to add in the "configure" line a "--notify all" (and also --admin "support" --domain "mydomain.ch")... I then sent me an EICAR virus, and no notification, also tried with a doubled extension file (".doc.rtf")...
I can find both entry in the quarantine.log.

How to activate the notification?

 

[maurits]

qmail-scanner+clamav=great! But now Spamassassin

I found this thread looking for the cause of hundreds of error messages sent to me by DrWeb, and I was immediately convinced. I ditched DrWeb, installed qmail-scanner, clamav and SpamAssassin. The antivirus part works perfectly, the spam part does almost.

I have used SpamAssassin previously on other (non-Plesk) systems and know reasonably well how it works, but now I'm a bit baffled by the number of files with config options and the fact that some config files apparantly need to be parsed and then write out new config files, overwriting the changes I apparantly made in the wrong place. For example, after I already set up everything working properly, SpamAssassin suddenly disappeared out of my mail headers at some point and I found out that the spamc-definition in /etc/qmail-scanner.ini was empty, and I couldn't think why. Fortunately, after running all the configuration parsers, it returned there without me having added it manually, which is good or it'd probably disappear again.

Anyway, I'm hoping someone can help me with these specific questions, in a Plesk+Qmail-scanner+Clam+SA setup as above:

1. It looks like no network checks are enabled. SA enables them by default, so where are they disabled? (And where can I enable Bayes checks when the database is filled enough?)

2. I was checking whether Bayes had done enough learning, but when running sa-learn --dump it can't seem to find a database. It's looking in ~root/.spamassassin (a folder that actually exists but it empty). What user does spamc run as in this setup and where does it store this stuff? Can Bayes be used at all?

It would also help if someone could point me to clear documentation (or just explain) about which config file to edit and which config files are generated from what other files, and by what tool. I found out most of this by accident.

Oh, before I forget, I'm in Plesk 8.2 (I can see this thread is a bit old..)

Thanks

Maurits.

 

[maurits]

Ok I figured out some of this for myself.. the user directory is /var/spool/qscan, and indeed there is the bayes database.

Now for the network tests, judging from the logs these tests ARE carried out, but looking at how much spam gets through and how low the scores are (compared to an ancient spamassassin on an old server I'm still using), it would seem that those checks don't actually score any points. Indeed sa-learn says that the score set is 0 (meaning network checks are disabled). What do I need to change?

Maurits.