
Free antivirus scanning using clamav+exim (amongst other fancy things & instructions)

Discussion in 'Plesk for Linux - 8.x and Older' started by yurtesen, Apr 21, 2006.

  1. yurtesen

    yurtesen Guest

    0
     
    NOTICE: Use this information on your own risk!

    Hello,

    One of my friends thought drweb is very expensive; he was using plesk and wanted to change to clamav. But we thought qmail-scanner is clumsy. So we decided to have an innovative solution :). I just thought this information can be helpful to all of you who use plesk, so here it is...

    The information applies to FreeBSD however with little change anybody can use it on Linux also.

    Also you must use your imagination a little bit :) I didn't have time to write all the details.

    How it works is:

    Exim receives the mail. Exim checks if the domain exists and the user exists before accepting e-mail. Then, after doing fancy mail scanning etc., it forwards to the qmail of plesk. It seems like the operation is done twice, but qmail uses almost no resources in any case.

    Also SMTP Auth etc. works fine with this configuration.

    Now, once exim is in place, you can do all kinds of fancy stuff like ratelimiting etc. use RBLs from there if you want.

    I also figured out that qmail wasn't checking whether the user existed before accepting mail. With my exim configuration, exim doesn't accept mail for users who don't exist, saving bandwidth and queue space.

    Thanks,
    Evren

    First go to /usr/ports/security/clamav and install it

    Then go to /usr/ports/mail/exim

    Use make install with the following options (unless you need something more)

    make install WITH_MYSQL=yes WITH_MYSQL_VER=41 WITHOUT_OLD_DEMIME=yes WITHOUT_IPV6=yes WITHOUT_PAM=yes WITHOUT_AUTH_CRAM_MD5=yes WITHOUT_AUTH_SPA=yes WITHOUT_MAILDIR=yes WITHOUT_MAILSTORE=yes WITHOUT_MBX=yes WITHOUT_CDB=yes WITHOUT_DNSDB=yes WITHOUT_DSEARCH=yes WITHOUT_LSEARCH=yes WITHOUT_NIS=yes WITHOUT_PASSWD=yes WITHOUT_LMTP=yes WITH_CONTENT_SCAN=yes

    Unfortunately we need the mysql client library from ports, since for some weird reason I couldn't compile it with the includes in the psa/mysql directory... Just let it install it, it won't harm a thing.

    Copy this to /usr/local/etc/exim and make necessary settings if you want TLS
    /usr/local/psa/qmail/control/servercert.pem

    Some configuration directives you might find very useful: You have to figure out yourself where to put these though :) I didn't want to put my whole conf file here since it has millions of other unrelated things too...


    # MySQL connection parameters
    hide mysql_servers = 127.0.0.1/psa/exim/mypassword



    #Clamd with socket
    av_scanner = clamd:/var/run/clamav/clamd



    # quote_mysql escapes the SMTP-supplied value before it is placed in the SQL string
    domainlist relay_to_domains = ${lookup mysql{SELECT A.name FROM `domains` A, `DomainServices` B \
    WHERE B.dom_id = A.id AND A.status = 0 AND B.type = 'mail' AND \
    B.status = 0 AND A.name = '${quote_mysql:$domain}'}}



    # Accept if the address is in a domain for which we are an incoming relay,
    # but again, only if the recipient can be verified.

    accept domains = +relay_to_domains
    endpass
    message = 511 sorry, no mailbox here by that name (#5.1.1)
    condition = ${if =={1}{${lookup mysql{SELECT count(A.id) FROM `accounts` A, mail B, domains C \
    WHERE B.account_id = A.id AND B.dom_id= C.id AND CONCAT(B.mail_name, '@', C.name) \
    = '${quote_mysql:$local_part@$domain}'}}} }





    qmail_manual_route:
    driver = manualroute
    domains = +relay_to_domains
    transport = qmail_smtp
    route_data = 127.0.0.1
    self = send






    # This transport delivers mails to qmail running at port 24

    qmail_smtp:
    driver = smtp
    port = 24




    # esmtpa authentication
    plain:
    driver = plaintext
    public_name = PLAIN
    server_prompts = :
    server_condition = "${if and { \
    {!eq{$2}{}} \
    {!eq{$3}{}} \
    {eq{$3}{${lookup mysql{SELECT A.password FROM `accounts` A, mail B, domains C \
    WHERE B.account_id = A.id AND B.mail_name='${quote_mysql:${local_part:$2}}' \
    AND B.dom_id= C.id AND C.name = '${quote_mysql:${domain:$2}}'}{$value}fail}}} \
    } {yes}{no}}"
    server_set_id = $2

    login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = Username:: : Password::
    server_condition = "${if and { \
    {!eq{$1}{}} \
    {!eq{$2}{}} \
    {eq{$2}{${lookup mysql{SELECT A.password FROM `accounts` A, mail B, domains C \
    WHERE B.account_id = A.id AND B.mail_name='${quote_mysql:${local_part:$1}}' \
    AND B.dom_id= C.id AND C.name = '${quote_mysql:${domain:$1}}'}{$value}fail}}} \
    } {yes}{no}}"
    server_set_id = $1




    Set the above stuff to exim configure file where needed :)


    Go to /etc/inetd.conf and disable smtp and smtps.
    Change smtp to qmail (for example).
    Go to /etc/services and find 24/tcp and change # to qmail (must be the same as in inetd.conf).
    Go to /etc/hosts.allow and insert these before allowing all:

    tcp-env : localhost 127.0.0.1 : allow
    tcp-env : ALL : deny


    SQL statements needed to create the exim client user:

    GRANT USAGE ON * . * TO 'exim'@'localhost' IDENTIFIED BY 'exim001' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 ;
    GRANT SELECT (`id` , `password` ) ON `psa`.`accounts` TO 'exim'@'localhost';
    GRANT SELECT (`mail_name` , `account_id` , `dom_id` ) ON `psa`.`mail` TO 'exim'@'localhost';
    GRANT SELECT (`id` , `name`, `status` ) ON `psa`.`domains` TO 'exim'@'localhost';


    If I am not forgetting anything, you should be ready to go :)

    Be careful if the lines are wrapped or something... it might not be a nice surprise. You can test exim locally without even running it before enabling. Check the exim documents for how to do this.

    Any comments are welcome :)

    Evren
     
  2. meminaydin

    meminaydin Guest

    0
     
    exim user's permissions

    GRANT USAGE ON * . * TO 'exim'@'localhost' IDENTIFIED BY 'exim001' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 ;
    GRANT SELECT (`id` , `password` ) ON `psa`.`accounts` TO 'exim'@'localhost';
    GRANT SELECT (`mail_name` , `account_id` , `dom_id` ) ON `psa`.`mail` TO 'exim'@'localhost';
    GRANT SELECT (`id` , `name`, `status` ) ON `psa`.`domains` TO 'exim'@'localhost';
    GRANT SELECT (`dom_id` , `status`, `type` ) ON `psa`.`DomainServices` TO 'exim'@'localhost';
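
Added example, not code from the thread: the two lookups in the first post (`relay_to_domains` and the RCPT `condition`) replayed with bound parameters against a constructed SQLite copy of the four `psa` tables the grants above cover, so the accept/reject cases can be checked before cutting over. SQLite standing in for MySQL, the sample rows, the function names and the reading that any non-zero `status` means inactive are assumptions.

```python
import sqlite3

# Constructed sample rows; table and column names follow the lookups in the post.
SCHEMA = """
CREATE TABLE domains (id INTEGER, name TEXT, status INTEGER);
CREATE TABLE DomainServices (dom_id INTEGER, type TEXT, status INTEGER);
CREATE TABLE accounts (id INTEGER, password TEXT);
CREATE TABLE mail (mail_name TEXT, account_id INTEGER, dom_id INTEGER);
INSERT INTO domains VALUES (1,'example.org',0),(2,'suspended.example',1),(3,'nomail.example',0);
INSERT INTO DomainServices VALUES (1,'mail',0),(2,'mail',0),(3,'mail',1),(3,'web',0);
INSERT INTO accounts VALUES (10,'constructed-placeholder');
INSERT INTO mail VALUES ('alice',10,1),('bob',10,2);
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def is_relay_domain(conn, domain):
    """Mirror of relay_to_domains: active domain with an active mail service."""
    row = conn.execute(
        "SELECT A.name FROM domains A, DomainServices B "
        "WHERE B.dom_id = A.id AND A.status = 0 AND B.type = 'mail' "
        "AND B.status = 0 AND A.name = ?", (domain,)).fetchone()
    return row is not None

def mailbox_count(conn, local_part, domain):
    """Mirror of the RCPT condition: mailboxes matching local_part@domain."""
    return conn.execute(
        "SELECT count(A.id) FROM accounts A, mail B, domains C "
        "WHERE B.account_id = A.id AND B.dom_id = C.id "
        "AND B.mail_name = ? AND C.name = ?", (local_part, domain)).fetchone()[0]

def rcpt_decision(conn, address):
    """'accept', 'reject' (the 511 reply) or 'not-ours' (statement is skipped)."""
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()  # Exim lowercases $domain before the lookup
    if not local_part or not is_relay_domain(conn, domain):
        return "not-ours"
    # After endpass, a failed condition denies instead of falling through.
    return "accept" if mailbox_count(conn, local_part, domain) == 1 else "reject"

if __name__ == "__main__":
    db = open_sample_db()
    for rcpt in ("alice@example.org", "nobody@example.org",
                 "bob@suspended.example", "alice@nomail.example"):
        print(rcpt, "->", rcpt_decision(db, rcpt))
```
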
     
  3. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Along these same lines, I made an Anti-Spam/Anti-virus toaster called "Project Gamera". Basically lets you set up a dedicated application layer firewall type box with "yum install project-gamera". Currently I've got packages for RH9, FC1/2/3/4, and CentOS/RHEL 3 and 4.
     
  4. yurtesen

    yurtesen Guest

    0
     
    I think the difference would be that you have to set the domains manually in rcpthosts per your documentation
    http://www.atomicrocketturtle.com/m...ns&file=index&req=viewarticle&artid=20&page=1
    mostly manual operation... not very usable for dynamically changing environments.

    This exim configuration dynamically adapts to the added/removed domains and adds the functionality that I won't receive e-mail for a user which doesn't exist. (exim also caches this information) I see spammers trying to send e-mails to nonexistent accounts all the time. If my server was to accept these, then it would create bounces etc. Also I can do clustering and even smtp auth from any server for example. Also this solution does not require a dedicated box. It can run along with plesk with almost no modifications.

    Evren
     
  5. atomicturtle

    atomicturtle Golden Pleskian

    Basically PG is a more high-performance implementation of what PSA does natively. The lighter weight version is to use qmail-scanner (yum install qmail-scanner) on a PSA server. I actually had put this together back in PSA 5.0 before Spamassassin and Anti-virus support were added in 7.0.

    It was sort of the natural evolution when you hit really high volume mail environments, and if you keep up with this Exim experiment I think you'll find a need to evolve in the same direction (please do, don't take my comments as negative, I love this kind of PSA tweaking). As a side note I'm running a pair of PG servers to process the mail for a 75,000 user US Government environment, and the boxes got hit by a DDoS attack. 2000 simultaneous connection attempts per second, and the boxes were able to handle the attack. I'm no qmail fanboy (PG will use postfix one day), but it has held up really well under a massive load.
     
  6. yurtesen

    yurtesen Guest

    0
     
    Still, the situation is different for a place where domain names are added and removed all the time.

    No doubt qmail is faster compared to exim, but it doesn't have any features at all. With qmail-scanner + clamav I don't think qmail can match exim + clamav.

    I have a box with 800+ domains and about 15000 users (total). The box is not only an smtp box. It also has webmail, pop3, imap, clamav, exim + qmail, mysql etc. Just a simple single processor box. It is an amd athlon64 3500 with 1gb ram and 7k RPM IDE disk.

    I don't receive 2000 connections per second but I had over 800 exim processes running simultaneously along with the other stuff without any performance problems at times. Now I don't think that with virus scanning with qmail-scanner the machine would work faster anyway if I didn't use exim.

    I don't disagree that your qmail setup is probably faster. But most people do not need an F1 car to drive in the city :p If efficiency was so important, people in USA wouldn't be driving any SUVs anyway :p

    Evren
     
  7. atomicturtle

    atomicturtle Golden Pleskian

    It depends on if you're using a dedicated AS/AV box, or just the add-on to PSA. In a PSA environment, qmail-scanner is in essence a second mail queue in front of the qmail-queue. So in that regard it's a zero-configuration type design, since it's just spliced into the same MTA PSA is using. The added bonus is it also scans outbound mail, which has been handy for catching outgoing spam sent from exploitable web apps.

    Back in PSA 5.0 there was no anti-spam system, so you more or less had to add it in to all the individual .qmail files. As you've rightly pointed out, manually having to add in configuration information for busy systems, or a non-technical audience, just isn't practical, so I had to find another way to do it (It helps that I'm terribly terribly lazy), hence the qmail-scanner design.

    Moving that up into dedicated App-firewall design, and this one might be useful for you in the future, some of the PG users modified another script I put together for doing automatic Secondary DNS server configuration. http://www.atomicrocketturtle.com/m...ns&file=index&req=viewarticle&artid=17&page=1

    The idea with that is whatever your master server(s) are, in this case a PSA box, would create the configuration files used by some other downstream box, and that gets transferred via a wget. Useful for a lot of applications, slave DNS servers, app-firewalls (web/mail), etc.
     
  8. yurtesen

    yurtesen Guest

    0
     
    update

    I just realized that with this configuration, plesk doesn't count the size information for sent mail amounts anymore.

    The fix is to comment out 1 line so the qmail_manual_route will look like this

    qmail_manual_route:
    driver = manualroute
    # domains = +relay_to_domains
    transport = qmail_smtp
    route_data = 127.0.0.1
    self = send


    Thanks,
    Evren
     
  9. yurtesen

    yurtesen Guest

    0
     
    Is there anybody using these modifications? or if there is an easier way to use antivirus without paying license fees, how do you do that?
     
  10. sosbilisim

    sosbilisim Basic Pleskian

    26
    23%
    Joined:
    May 25, 2007
    Messages:
    55
    Likes Received:
    0
    Hello

    Does anyone use this integration? I have a little problem

    Thank You
     