This site is now 100% read-only, and retired.

Antivirus and Antispam setup with Exim4

Posted by anurag on Wed 21 Mar 2007 at 12:04

Last week, due to a disk failure, we had to reinstall a server. This old workhorse has been serving numerous domains for the past four years and needed urgent maintenance. I made sure to note every step involved in setting up, from scratch, a mail server capable of antispam and antivirus filtering, and this article is the result.

Install Debian 'Sarge'


1. Get Debian GNU/Linux 3.1 'Sarge'

First of all, get Debian 'Sarge' running on the server. Although everything detailed here also works with 'Woody', 'Sarge' is recommended, and Etch will soon replace it.

Additional Packages

2. Install the following packages from the Debian repositories via apt-get:

# apt-get install exim4-daemon-heavy
# apt-get install clamav-daemon
# apt-get install sa-exim
# apt-get install spamassassin spamc

After the packages have been installed, we need to make changes to the configuration files. Note that it has to be exim4-daemon-heavy: that is the build compiled with content-scanning support, which provides the malware and spam ACL conditions used below; exim4-daemon-light does not have them.

Spamassasssin Configuration

3. /etc/default/spamassassin: change the ENABLED parameter to

ENABLED=1

so that spamd is started at boot; sa-exim hands every message to it through spamc, so start it now as well with its init script (/etc/init.d/spamassassin start).

Exim's group configuration

4. /etc/group: add the clamav user to the Debian-exim group. When a message is scanned, Exim writes it (or, with demime, the unpacked attachments) under its own spool directory and asks clamav-daemon to scan that file, so clamd, which runs as user clamav, must be able to read what Exim wrote. The resulting line looks like this (the numeric GID will differ on your system):

Debian-exim:x:102:clamav

Editing /etc/group by hand is only one way to do it; adduser clamav Debian-exim does the same thing. Either way, restart clamav-daemon afterwards: a running process only picks up new group membership when it starts.

SA-Exim configuration

5. /etc/exim4/sa-exim.conf: locate these lines:

###
SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}
#Remove or comment out the following line to enable sa-exim
SAEximRunCond: 0
###

Then change SAEximRunCond to:

SAEximRunCond: 1

This runs SpamAssassin on every message, including mail submitted from the machine itself. If you would rather skip connections from 127.0.0.1 and messages carrying an X-SA-Do-Not-Run: Yes header, which is what the conditional definition above does, comment out the SAEximRunCond: 0 line instead of replacing it.

Exim4 Configuration files

6. Configuring Exim4's configuration files.

Make sure that Exim4 is using "split" configuration files, i.e. multiple files inside /etc/exim4/conf.d/ rather than the single /etc/exim4/exim4.conf.template. On Debian this is the dc_use_split_config='true' setting in /etc/exim4/update-exim4.conf.conf, which dpkg-reconfigure exim4-config also asks about. Now locate the following configuration files and make these changes.

Customising reject messages in Exim4

7. /etc/exim4/conf.d/acl/40_exim4-config_check_data

At the end of the file, just before the final "accept" statement, add the following lines:

  # Deny viruses.
  deny message = Message contains malware or a virus ($malware_name).
       log_message = $sender_host_address tried sending $malware_name
       demime = *
       malware = *

Because this lives in the DATA ACL, an infected message is refused with a 550 while the sending MTA is still connected; Exim never accepts it, so no bounce is generated from our side. The demime condition unpacks MIME attachments before scanning and is a legacy feature that has since been removed from current Exim releases; malware = * on its own hands the whole message to the scanner and works without it.

Clamav configuration for Exim4

8. /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs

Near the top of the file add this line, which tells Exim which scanner the malware condition talks to:

av_scanner = clamd:/var/run/clamav/clamd.ctl

The path is the LocalSocket that Debian's clamav-daemon creates by default; check it against /etc/clamav/clamd.conf if scanning fails. Rather than editing a package-owned file, you can also put the line in a new file of your own in conf.d/main/ that sorts first, such as /etc/exim4/conf.d/main/000_localmacros; package upgrades then leave it alone.

Restart Exim4

9. Restart the Exim4 daemon

# /etc/init.d/exim4 restart

The init script runs update-exim4.conf, which assembles the files in conf.d into /var/lib/exim4/config.autogenerated; if it reports a syntax error, Exim will not start, so fix that first. Then keep a watch on Exim4's log files in /var/log/exim4, especially paniclog, as it processes mail. Error messages are pretty much self-explanatory and you should be able to fix them from there; rejections from the new ACL show up in mainlog and rejectlog.

best luck, Anurag
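To verify that the whole chain works once Exim is back up, the following script (an added example, not part of the original article) submits two standard test messages over SMTP and reports what the DATA ACL did with each: the EICAR test file, which clamd flags as malware, and SpamAssassin's GTUBE string, which scores far above any threshold. The host, port and the probe@example.com / postmaster@example.com addresses are placeholders; point the recipient at a domain the server accepts mail for. Because the probe connects to localhost, SpamAssassin only sees the GTUBE message if SAEximRunCond is 1 as in step 5; with the conditional default it skips 127.0.0.1. With sa-exim's stock thresholds a 1000-point message may be teergrubed rather than rejected outright, so give the GTUBE run time or expect a timeout.

```python
#!/usr/bin/env python3
"""Probe an Exim4 + clamav-daemon + sa-exim setup over SMTP.

Added example, not from the original article. Assumptions: Exim listens on
localhost:25, the malware ACL from step 7 is in place, and the addresses used
are placeholders for a domain this server accepts mail for.
"""
import grp
import os
import smtplib
import sys
from email.message import EmailMessage

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # the path given to av_scanner in step 8

# Both test strings are built from two halves so that this file itself does not
# trip an on-access scanner or a mail filter when it is copied around.

def eicar_test_string() -> str:
    """The 68-byte EICAR test file; every AV engine, clamd included, flags it."""
    return "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def gtube_test_string() -> str:
    """SpamAssassin's GTUBE; it scores 1000 points, so any threshold fires."""
    return "XJS*C4JDBQADN1.NSBN3*2IDNEN*" + "GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def build_test_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """A minimal RFC 5322 message whose body is the test string."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def check_local_prerequisites() -> list:
    """Problems with the clamd/Exim wiring from steps 4 and 8 (empty list = OK)."""
    problems = []
    try:
        members = grp.getgrnam("Debian-exim").gr_mem
    except KeyError:
        return ["group Debian-exim does not exist; is exim4 installed?"]
    if "clamav" not in members:
        problems.append("user clamav is not in group Debian-exim (step 4)")
    if not os.path.exists(CLAMD_SOCKET):
        problems.append(f"{CLAMD_SOCKET} is missing; is clamav-daemon running?")
    return problems


def classify(code: int) -> str:
    """What the check_data ACL did, judged by the reply to end-of-DATA."""
    if code == 250:
        return "accepted"
    if 500 <= code <= 599:
        return "rejected"   # deny/drop in the ACL, e.g. the malware rule
    if 400 <= code <= 499:
        return "deferred"   # e.g. malware = * could not reach clamd
    return "unexpected"


def data_verdict(host: str, port: int, msg: EmailMessage) -> tuple:
    """Deliver msg over SMTP and return (code, text) of the end-of-DATA reply.

    smtplib raises only if the DATA command itself is refused; the verdict on
    the message body comes back as a plain (code, text) pair.
    """
    with smtplib.SMTP(host, port, timeout=120) as smtp:
        smtp.ehlo("probe.example")
        smtp.mail(msg["From"])
        code, text = smtp.rcpt(msg["To"])
        if code != 250:  # relay refused: fix the recipient domain before judging the ACL
            raise RuntimeError(f"RCPT refused: {code} {text.decode(errors='replace')}")
        code, text = smtp.data(msg.as_bytes())
        return code, text.decode(errors="replace")


def run_probes(host: str = "localhost", port: int = 25,
               sender: str = "probe@example.com",
               recipient: str = "postmaster@example.com") -> dict:
    """Send both probes and return {name: (code, verdict, server text)}."""
    results = {}
    for name, body in (("EICAR", eicar_test_string()), ("GTUBE", gtube_test_string())):
        msg = build_test_message(sender, recipient, f"{name} probe", body)
        code, text = data_verdict(host, port, msg)
        results[name] = (code, classify(code), text)
    return results


if __name__ == "__main__":
    for problem in check_local_prerequisites():
        print("WARN:", problem)
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for name, (code, verdict, text) in run_probes(host=target).items():
        print(f"{name}: {code} {verdict} {text}")
```

A correct setup answers the EICAR probe with a 550 carrying the "Message contains malware" text from step 7; a 4xx means the malware condition could not reach clamd (check the socket path and the group change), and a 250 means the ACL is not in the generated config at all.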

 

 


Re: Antivirus and Antispam setup with Exim4
Posted by cortana (62.31.xx.xx) on Wed 21 Mar 2007 at 12:42
Is sa-exim really necessary? I have been using -daemon-heavy on sarge with clamd and spamd without it... I always thought it was a holdover from the days before content filtering ACLs were integrated into Exim itself.

[ Parent ]

Re: Antivirus and Antispam setup with Exim4
Posted by anurag (59.181.xx.xx) on Wed 21 Mar 2007 at 13:03
Yes, sa-exim is good to have and does the job very well. Please do install sa-exim, enable it and notice the difference yourself :)

--
Anurag

[ Parent ]

Re: Antivirus and Antispam setup with Exim4
Posted by Anonymous (82.152.xx.xx) on Wed 28 Mar 2007 at 00:03
You say, in response to being asked if sa-exim is necessary now that Spamassassin may be called from ACLs, "Yes, sa-exim is good to have and does the job very well. Please do install sa-exim, enable it and notice the difference yourself :)"

What does sa-exim do that a "spam =" ACL doesn't?

[ Parent ]

Re: Antivirus and Antispam setup with Exim4
Posted by anurag (59.181.xx.xx) on Wed 28 Mar 2007 at 07:31
hi!

While I am no expert in writing Exim ACLs, sa-exim sure is very useful if you want to analyse mails for spam and reject them at SMTP time, with teergrubing and adaptive greylisting. Of course, here I haven't made any changes to the default sa-exim configuration.

--
Anurag

[ Parent ]

Re: Antivirus and Antispam setup with Exim4
Posted by shufla (83.12.xx.xx) on Wed 21 Mar 2007 at 13:53

About the group configuration, you may of course add the user to the group with:
root# adduser clamav Debian-exim

Bye,
Luke

[ Parent ]

Re: Antivirus and Antispam setup with Exim4
Posted by Anonymous (62.23.xx.xx) on Thu 22 Mar 2007 at 12:28
If you are into spam protection you should really take a look at dspam. It's fabulously efficient (no false negatives/false positives for several months).

It's in sarge too now !

Nicolas BOUTHORS
http://www.nbi.fr/

[ Parent ]

More advanced setup?
Posted by superbrose (87.196.xx.xx) on Fri 23 Mar 2007 at 14:02
I like your little article, but one thing I've been meaning to figure out for a long time now is how to set up my mail server so that it supports only secure POP/SMTP access (SSL or similar) and multiple user mailboxes, even though there should be no corresponding system users.

Ideally I'd like to have all mail and user information stored in a Postgresql database, together with preferences regarding spam and virus checking.

I started reading the exim documentation, which btw is very well written, but there is just so much of it that I always give up after reading a couple of pages. Also I have found no HowTo anywhere that covers the exact setup I'm after. Maybe someone can point me in the right direction?

[ Parent ]

Re: More advanced setup?
Posted by anurag (219.64.xx.xx) on Fri 23 Mar 2007 at 17:52
I totally agree with you there. Exim4's documentation looks so detailed that I got lost reading it and could hardly understand it.

In my attempt to set up a spam-filtering virtual mail hosting setup, I did some fiddling around with Postfix (in which setting up virtual domains is a breeze!) and MySQL. I'm waiting to do another virtual hosting mail server installation somewhere, and document the exact procedures involved in it.

--
Anurag

[ Parent ]

Re: More advanced setup?
Posted by superbrose (87.196.xx.xx) on Fri 23 Mar 2007 at 18:33
Sounds good, please let me know once you have climbed that mountain!

[ Parent ]

Re: More advanced setup?
Posted by Anonymous (62.253.xx.xx) on Thu 29 Mar 2007 at 14:21
> Ideally I'd like to have all mail and user information stored in a Postgresql
> database, together with preferences regarding spam and virus checking.

Do you mean storing the emails themselves in a database, or just storing the "mail information"? I do both. To store the emails the best known application is dbmail; if you're very brave you could try my own effort, Decimail.

It is possible to run arbitrary PostgreSQL queries from exim. For example, I have a PostgreSQL table that lists local addresses that should be discarded (e.g. throw-away addresses that I have used once and will now receive only spam) and others that should be heavily filtered. You could probably do something similar to set per-local-user filtering options. In my exim configuration file I access these tables like so:

pgsql_servers = localhost::6789/nameofdatabase/nameofdbuser/
addresslist filter_recipients = pgsql;select email from filter_recipients where \
                                email='${quote_pgsql:${local_part}@${domain}}'
addresslist spam_recipients = pgsql;select email from spam_recipients where \
                              email='${quote_pgsql:${local_part}@${domain}}'

acl_check_rcpt:

  ...

  deny  ...
        recipients = +spam_recipients

  warn  ...
        recipients = +filter_recipients
        set acl_m0 = 1


acl_check_data:

  ....

  accept condition = ${if def:acl_m0 {0}{1}}

  drop  message = Rejected by SpamAssassin (score=$spam_score)
        spam = nobody:true
        condition = ${if >{$spam_score_int}{60}{1}{0}}


> I started reading the exim documentation, which btw is very well written, but
> there is just so much of it that I always give up after reading a couple of
> pages.

Yes, I know the feeling. The reference is very comprehensive, but it could do with some more tutorial or quick-start stuff, with links into the reference manual for further information. There is an Exim O'Reilly book; maybe that would be a good start? Otherwise, try the mailing list; they have been friendly on the couple of occasions that I have asked questions.


Phil.

[ Parent ]

Re: More advanced setup?
Posted by superbrose (87.196.xx.xx) on Wed 16 May 2007 at 18:06
Thanks a lot, Phil.

I've had a look at both Decimail and dbmail, and in the end decided to go for dbmail, because I felt not that brave after all.

I just ended up reading the most important sections of the exim documentation and followed bits and bobs from the dbmail site and now have a working configuration, which uses exim (SSL for smtp) + dbmail + postgresql + stunnel (secure POP3) + clamav + spamassassin.

There are definitely ways to improve my spamassassin configuration within exim, and I'm sure the exim configuration can be further tweaked too, but I'll leave it to rest for now.

Hopefully I'll find some time to put all my notes together to help other people with similar demands, but it will be a rather lengthy howto.

Thanks for pointing me in the right direction, and sorry for the late reply!

Ference

[ Parent ]

Re: Antivirus and Antispam setup with Exim4
Posted by Aaton (12.152.xx.xx) on Tue 17 Apr 2007 at 00:31
I see you're modifying /etc/exim4/conf.d/acl/40_exim4-config_check_data. You should try to use the hooks provided.


  # This hook allows you to hook in your own ACLs without having to
  # modify this file. If you do it like we suggest, you'll end up with
  # a small performance penalty since there is an additional file being
  # accessed. This doesn't happen if you leave the macro unset.
  .ifdef CHECK_DATA_LOCAL_ACL_FILE
  .include CHECK_DATA_LOCAL_ACL_FILE
  .endif

I have /etc/exim4/conf.d/main/00_my_custom_macros (which is a symbolic link to a file located outside of /etc/exim4/conf.d). I did this because upgrading exim4 can be a real pain in the ass. If you modify the true exim4 configs you will be prompted at each upgrade what to do. This has caused me major headaches in the past.

The way I get around this is by putting all my custom changes for exim4 into /etc/exim4/custom-cfg. In that directory I recreate the structure of /etc/exim4/conf.d.


mkdir /etc/exim4/conf.d
cd /etc/exim4/conf.d
mkdir acl auth main router transport

Now I can do all my own stuff without touching the files under /etc/exim4/conf.d. I just create symbolic links back to the right places. The numbering of the files is used when update-exim4.conf --keepcomments is run (I like seeing the comments since it helps debug things). The generated config is located /var/lib/exim4/config.autogenerated by the way.

So back to my example of how I would have done things using a /etc/exim4/conf.d/main/00_my_custom_macros file.


ln -s /etc/exim4/custom-cfg/main/my_custom_macros\
/etc/exim4/conf.d/main/00_my_custom_macros

Inside the /etc/exim4/custom-cfg/my_custom_macros file for example I have the hook I want to modify/add.


CHECK_DATA_LOCAL_ACL_FILE = CONFDIR/custom-cfg/acl/check_data_local

My personal /etc/exim4/custom-cfg/acl/check_data_local file is full of crap that I didn't want to keep repairing each time I did an apt-get upgrade. For that matter I have multiple files that I created symbolic links to.

You can do this for a lot of items that you are constantly fixing after an upgrade. Take for example /etc/exim4/conf.d/auth/30_exim4-config_examples: to enable SSL support you will have to modify it, or trust your old config when it's time to apt-get upgrade. Instead create another file with a higher number and it will be added to the config in the right place.

/etc/exim4/conf.d/auth/40_my_ssl_auth_config.

[ Parent ]