labunix's blog

labunix's Lab Unix

Linking postfix, clamav and Spamassassin via amavis on debian stretch.

■Linking postfix, clamav and Spamassassin via amavis on debian stretch.

$ sudo apt-get install -y lsb-release
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 9.1 (stretch)
Release:	9.1
Codename:	stretch

■Basically, this sets up the same anti-virus and anti-spam measures as configured in the following posts and the pages they link to.

 Linking clamav and postfix on squeeze (amavis)
 http://d.hatena.ne.jp/labunix/20120430

 Adding an "X-Spam" header with spamassassin
 http://d.hatena.ne.jp/labunix/20120501

■Installing postfix

$ sudo apt-get install -y postfix
$ sudo dpkg-reconfigure postfix

■Verifying mail sending and receiving with the mail command

$ sudo apt-get install -y bsd-mailx 
$ echo "Test Mail" | mail -s "test" `whoami`@`hostname -f`

$ mail
Mail version 8.1.2 01/15/2001.  Type ? for help.
"/var/mail/labunix": 1 message 1 unread
>U  1 labunix@vm-stretc  Mon Aug  7 23:59   18/538   test
& 
Message 1:
From labunix@vm-stretch  Mon Aug  7 23:59:55 2017
X-Original-To: labunix@vm-stretch
To: labunix@vm-stretch
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Date: Mon,  7 Aug 2017 23:59:55 +0900 (JST)
From: labunix@vm-stretch (labunix)

Test Mail

& q
Saved 1 message in /home/labunix/mbox

■Installing clamav and updating the definition files through a proxy

$ sudo apt-get install -y clamav-daemon
$ sudo cut -c 29- /var/log/clamav/freshclam.log
--------------------------------------
freshclam daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Tue Aug  8 00:07:47 2017

$ echo 'HTTPProxyServer 172.31.31.60
HTTPProxyPort 8080' | sudo tee -a /etc/clamav/freshclam.conf 
HTTPProxyServer 172.31.31.60
HTTPProxyPort 8080

$ grep Mirror /etc/clamav/freshclam.conf 
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

$ awk '/Mirror/{print "host "$2}' /etc/clamav/freshclam.conf | sh
db.local.clamav.net is an alias for db.jp.clamav.net.
db.jp.clamav.net has address 219.94.128.99
db.jp.clamav.net has address 203.212.42.128
db.jp.clamav.net has address 218.44.253.75
db.jp.clamav.net has address 120.29.176.126
db.jp.clamav.net has address 27.96.54.66
db.jp.clamav.net has address 203.178.137.175
database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.jp.clamav.net.
db.jp.clamav.net has address 203.178.137.175
db.jp.clamav.net has address 218.44.253.75
db.jp.clamav.net has address 203.212.42.128
db.jp.clamav.net has address 219.94.128.99
db.jp.clamav.net has address 27.96.54.66
db.jp.clamav.net has address 120.29.176.126

$ sudo systemctl status clamav-freshclam.service; \
  sudo systemctl stop clamav-freshclam.service && \
  sudo freshclam && \
  sudo systemctl start clamav-freshclam.service && \
  sudo systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Tue 2017-08-08 00:13:10 JST; 6min ago
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           http://www.clamav.net/lang/en/doc/
  Process: 4583 ExecStart=/usr/bin/freshclam -d --foreground=true (code=exited, status=0/SUCCESS)
 Main PID: 4583 (code=exited, status=0/SUCCESS)

 8月 08 00:11:54 vm-stretch freshclam[4583]: Trying host db.local.clamav.net (203.212.42.128)...
 8月 08 00:12:24 vm-stretch freshclam[4583]: nonblock_connect: connect timing out (30 secs)
 8月 08 00:12:24 vm-stretch freshclam[4583]: Can't connect to port 80 of host db.local.clamav.net (IP: 203.212.42.128)
 8月 08 00:12:24 vm-stretch freshclam[4583]: Trying host db.local.clamav.net (218.44.253.75)...
 8月 08 00:12:55 vm-stretch freshclam[4583]: nonblock_connect: connect timing out (30 secs)
 8月 08 00:12:55 vm-stretch freshclam[4583]: Can't connect to port 80 of host db.local.clamav.net (IP: 218.44.253.75)
 8月 08 00:12:55 vm-stretch freshclam[4583]: Trying host db.local.clamav.net (27.96.54.66)...
 8月 08 00:13:10 vm-stretch systemd[1]: Stopping ClamAV virus database updater...
 8月 08 00:13:10 vm-stretch freshclam[4583]: Update process terminated
 8月 08 00:13:10 vm-stretch systemd[1]: Stopped ClamAV virus database updater.
Connecting via 172.31.31.60
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Connecting via 172.31.31.60
Downloading daily.cvd [100%]
daily.cvd updated (version: 23641, sigs: 1742169, f-level: 63, builder: neo)
Connecting via 172.31.31.60
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
Database updated (6308484 signatures) from db.local.clamav.net
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-08-08 00:34:41 JST; 36ms ago
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           http://www.clamav.net/lang/en/doc/
 Main PID: 4856 (freshclam)
    Tasks: 1 (limit: 19660)
   CGroup: /system.slice/clamav-freshclam.service
           └─4856 /usr/bin/freshclam -d --foreground=true

 8月 08 00:34:41 vm-stretch systemd[1]: Started ClamAV virus database updater.

■Checking the definition files (signatures)

$ ls -l /var/lib/clamav/*.cvd
-rw-r--r-- 1 clamav clamav    146868  8月  8 00:34 /var/lib/clamav/bytecode.cvd
-rw-r--r-- 1 clamav clamav  41902934  8月  8 00:34 /var/lib/clamav/daily.cvd
-rw-r--r-- 1 clamav clamav 117892267  8月  8 00:25 /var/lib/clamav/main.cvd

$ for list in /var/lib/clamav/*;do echo "$list";done | awk '{print "sigtool -i "$1}' | sh
File: /var/lib/clamav/bytecode.cvd
Build time: 31 Jul 2017 12:16 -0400
Version: 308
Signatures: 66
Functionality level: 63
Builder: anvilleg
MD5: 4fac76cc32cb55a4d431a442a01aaf48
Digital signature: u0sKczCnS/QDBqYroUIJ9hWAbATBu9dQUzJeorWvqug28CSdEFqOkUqNw0+0lRP9cw3gnTlG9v81L02OnJkYY0elH0P5QDjVkfb6koUql7LO/Os5UJs4bozohPB1AupJs9YlD6K373jVqWMIvuJf+JEe4+egGiQinLoNsNNaSkj
Verification OK.
File: /var/lib/clamav/daily.cvd
Build time: 06 Aug 2017 20:31 -0400
Version: 23641
Signatures: 1742169
Functionality level: 63
Builder: neo
MD5: a65d971bbcb9678445acee3fd71fdbb5
Digital signature: i2KtY3+m4Olr1LkzZX2EhvLT4vopMwL4VX6x0OHEJtSiDohcS5Ht1duuPwHl1KV3xXQ5ZIvp5/o4zLjs78d/UynQHI+pqIbefa18kDCXmNcaejBBkb7Uhmxu18hokP563fNZuA0BO6uTVzzTUlf3eaabSPUq+o4/2GYeQ1VGIBg
Verification OK.
File: /var/lib/clamav/main.cvd
Build time: 07 Jun 2017 17:38 -0400
Version: 58
Signatures: 4566249
Functionality level: 60
Builder: sigmgr
MD5: 57462fd73f1cfdb356b9dca66da2b732
Digital signature: KWRdhTG+Own6ohh0wn5+vqg1d8ULKCxxxQeKuSA155B3ijxBKgf+bV3IXPcmZrIBUDn1xi8FmyvB63UieykwN/Avq5mTjHIVO8zFnC7wVF7dhdcEYn9Nt+Pmk/HXXx0voylYkidvgZmrxI8jx4a/Re6n3hHQJoCZrkHM15GER8j
Verification OK.

$ sigtool -l | awk '/Eicar/{print}'
Eicar-Signature.{}
Win.Trojan.Eicar-1
Eicar-Test-Signature
Eicar-Test-Signature
Txt.Ransomware.Eicar-2
Win.Ransomware.Eicar-3
Eicar-Test-Signature
Eicar-Test-Signature
Eicar-Test-Signature
Eicar-Test-Signature
Eicar-Test-Signature
Win.Trojan.Eicartest-1
Eicar-Test-Signature
Eicar-Test-Signature
Eicar-Test-Signature
Eicar-Test-Signature
Eicar-Test-Signature

■Configure automatic updates every hour via cron; run the first update manually

$ echo "/var/log/clam-update.log" | awk '{print "sudo touch "$1;print "sudo chmod 644 "$1;print "sudo chown clamav "$1}' | sh
$ echo "sudo -u clamav $(whereis -b freshclam | awk '{print $NF}') --quiet -l /var/log/clam-update.log" | \
    sudo tee -a /etc/cron.hourly/freshclam; \
    sudo chmod +x /etc/cron.hourly/freshclam
sudo -u clamav /usr/bin/freshclam --quiet -l /var/log/clam-update.log

$ sudo /etc/cron.hourly/freshclam 
$ sudo tail -f /var/log/clam-update.log 
Tue Aug  8 00:49:07 2017 -> --------------------------------------
Tue Aug  8 00:49:07 2017 -> ClamAV update process started at Tue Aug  8 00:49:07 2017
Tue Aug  8 00:49:07 2017 -> Connecting via 172.31.31.60
Tue Aug  8 00:49:07 2017 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Tue Aug  8 00:49:07 2017 -> Connecting via 172.31.31.60
Tue Aug  8 00:49:07 2017 -> daily.cvd is up to date (version: 23641, sigs: 1742169, f-level: 63, builder: neo)
Tue Aug  8 00:49:07 2017 -> Connecting via 172.31.31.60
Tue Aug  8 00:49:07 2017 -> bytecode.cvd is up to date (version: 308, sigs: 66, f-level: 63, builder: anvilleg)

■Manually detecting and removing the EICAR test virus

$ cd /tmp;sudo wget http://www.eicar.org/download/eicar_com.zip
$ clamscan -r /tmp/
/tmp/eicar_com.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6302820
Engine version: 0.99.2
Scanned directories: 6
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.278 sec (0 m 14 s)

$ sudo clamscan -r --remove=yes /tmp/
/tmp/eicar_com.zip: Eicar-Test-Signature FOUND
/tmp/eicar_com.zip: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6302820
Engine version: 0.99.2
Scanned directories: 6
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.169 sec (0 m 14 s)

■Hourly virus check, and the first check

$ echo "/var/log/clamscan_summary.log $(whereis -b clamscan | awk '{print $NF}') /etc/cron.hourly/clamscancheck" | \
  awk '{print "sudo test -f "$1" || sudo touch "$1";"; \
        print "echo \""$2" --infected --remove --recursive /tmp -l "$1"\" | sudo tee "$3";"; \
        print "sudo chmod +x "$3}' | sh
/usr/bin/clamscan --infected --remove --recursive /tmp -l /var/log/clamscan_summary.log

$ sudo /etc/cron.hourly/clamscancheck 

----------- SCAN SUMMARY -----------
Known viruses: 6302820
Engine version: 0.99.2
Scanned directories: 6
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.314 sec (0 m 14 s)

$ sudo tail -f /var/log/clamscan_summary.log 

----------- SCAN SUMMARY -----------
Known viruses: 6302820
Engine version: 0.99.2
Scanned directories: 6
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.314 sec (0 m 14 s)

■Set the mail domain name.
 The amavisd-new installation fails unless the hostname is an FQDN.

$ sudo sysctl kernel.hostname
kernel.hostname = vm-stretch
$ sudo sysctl kernel.hostname=vm-stretch.localdomain
kernel.hostname = vm-stretch.localdomain
$ sudo sysctl kernel.hostname
kernel.hostname = vm-stretch.localdomain
$ sudo dpkg-reconfigure postfix

■Integrate with amavisd-new.

$ test -f /etc/mailname || echo "$(hostname -f)" | sudo tee /etc/mailname > /dev/null
$ sudo apt-get install -y amavisd-new
$ sudo adduser clamav amavis
$ sudo netstat -anpt | grep 10024
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      7049/amavisd-new (m 
tcp6       0      0 ::1:10024               :::*                    LISTEN      7049/amavisd-new (m 

$ sudo cp -pi /etc/postfix/main.cf /etc/postfix/main.cf.`date '+%Y%m%d'`

$ sudo postconf -e "soft_bounce = yes" 

$ tail -30 /etc/postfix/master.cf
amavisfeed unix    -       -       n        -      2     lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o lmtp_tls_note_starttls_offer=no
amavisfeed unix    -       -       n       -       2     smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o smtp_tls_note_starttls_offer=no
127.0.0.1:10025 inet n    -       n       -       -     smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
  -o smtpd_milters=
  -o local_recipient_maps=
  -o relay_recipient_maps=

$ sudo postconf -e "content_filter=amavisfeed:[127.0.0.1]:10024"
$ sudo postfix check && sudo systemctl reload postfix

■Sending an EICAR test mail with the mail command

$ sudo apt-get install -y sharutils

$ cd /tmp;sudo wget http://www.eicar.org/download/eicar_com.zip
$ uuencode eicar_com.zip "this is eicar virus.zip" | mail -s "eicar virus" `whoami`@`hostname -f`

$ grep -A 3 "BANNED CONTENTS ALERT" /var/spool/mail/labunix 
BANNED CONTENTS ALERT

Our content checker found
    banned name: .dat,eicar.com

$ mail
Mail version 8.1.2 01/15/2001.  Type ? for help.
"/var/mail/labunix": 1 message 1 new
>N  1 postmaster@vm-str  Tue Aug  8 01:32  115/4286  BANNED contents from you (.dat,eicar.com)


$ sudo awk '/eicar/' /var/log/mail.log | cut -c 28-
amavis[7060]: (07060-02) Blocked BANNED (.dat,eicar.com) {BouncedInbound,Quarantined}, [127.0.0.1] <labunix@vm-stretch.localdomain> -> <labunix@vm-stretch.localdomain>, quarantine: t/banned-thxqFRBWtyg2, Message-ID: <20170807163423.3D4ADA081F@vm-stretch>, mail_id: thxqFRBWtyg2, Hits: -, size: 714, 160 ms
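
The amavis log line above is the record a defender monitors after the filter is in place. As an added example, not part of the original post, the following POSIX shell functions summarise the Passed/Blocked verdicts in mail.log-style input and list the quarantine paths; the log lines embedded in the script are constructed samples in the same format, with placeholder ids.

```sh
#!/bin/sh
# Added example (not from the original post): summarise amavisd-new verdicts
# from /var/log/mail.log. Usage on the live system:
#   sudo awk '/amavis/' /var/log/mail.log | amavis_verdicts
# The sample lines below are constructed; their quarantine and message ids are placeholders.

# Count messages per "ACTION CATEGORY" (e.g. "Blocked BANNED"), reading log lines on stdin.
# amavis logs "(task-id) Passed|Blocked CATEGORY ..." right after the syslog tag.
amavis_verdicts() {
  awk '
    /amavis\[[0-9]+\]: \([0-9]+-[0-9]+\) (Passed|Blocked) / {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^\([0-9]+-[0-9]+\)$/) { n[$(i+1) " " $(i+2)]++; break }
    }
    END { for (k in n) print k, n[k] }
  ' | LC_ALL=C sort
}

# Print "CATEGORY quarantine-path" for every message amavis quarantined, in log order.
amavis_quarantined() {
  awk '
    /amavis\[[0-9]+\]:/ && match($0, /quarantine: [^,]+/) {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^\([0-9]+-[0-9]+\)$/) { cat = $(i+2); break }
      print cat, substr($0, RSTART + 12, RLENGTH - 12)   # 12 = length of "quarantine: "
    }
  '
}

# Constructed sample input in the format shown above (not real log data).
SAMPLE_LOG=$(cat <<'EOF'
Aug  8 01:34:23 vm-stretch amavis[7060]: (07060-02) Blocked BANNED (.dat,eicar.com) {BouncedInbound,Quarantined}, [127.0.0.1] <labunix@vm-stretch.localdomain> -> <labunix@vm-stretch.localdomain>, quarantine: t/banned-PLACEHOLDER1, Message-ID: <sample-1@vm-stretch>, mail_id: PLACEHOLDER1, Hits: -, size: 714, 160 ms
Aug  8 01:40:10 vm-stretch amavis[7060]: (07060-03) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [127.0.0.1] <labunix@vm-stretch.localdomain> -> <labunix@vm-stretch.localdomain>, quarantine: j/virus-PLACEHOLDER2, Message-ID: <sample-2@vm-stretch>, mail_id: PLACEHOLDER2, Hits: -, size: 714, 120 ms
Aug  8 01:45:02 vm-stretch amavis[7060]: (07060-04) Passed CLEAN {RelayedInbound}, [127.0.0.1] <labunix@vm-stretch.localdomain> -> <labunix@vm-stretch.localdomain>, Message-ID: <sample-3@vm-stretch>, mail_id: PLACEHOLDER3, Hits: 1.0, size: 2000, 900 ms
Aug  8 01:50:30 vm-stretch amavis[7060]: (07060-05) Passed SPAMMY {RelayedTaggedInbound,Quarantined}, [127.0.0.1] <labunix@vm-stretch.localdomain> -> <labunix@vm-stretch.localdomain>, quarantine: s/spam-PLACEHOLDER4, Message-ID: <sample-4@vm-stretch>, mail_id: PLACEHOLDER4, Hits: 12.3, size: 3000, 950 ms
Aug  8 01:51:00 vm-stretch postfix/smtpd[7100]: connect from localhost[127.0.0.1]
EOF
)

printf '%s\n' "$SAMPLE_LOG" | amavis_verdicts
printf '%s\n' "$SAMPLE_LOG" | amavis_quarantined
```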

■Since this environment cannot resolve MX or A records, add the following.

$ grep -B 1 disable /etc/postfix/master.cf
  -o lmtp_tls_note_starttls_offer=no
  -o disable_dns_lookups=yes
--
  -o smtp_tls_note_starttls_offer=no
  -o disable_dns_lookups=yes

$ sudo postfix check && sudo systemctl reload postfix

■Change the following so that the result becomes "Scanner detecting a virus".

$ echo "#before";grep -B 5 -A 1 "bypass_virus_checks_maps" /etc/amavis/conf.d/15-content_filter_mode | grep -v "^\$"
#before
# Please note, that anti-virus checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:
#@bypass_virus_checks_maps = (
#   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

$ echo "#after";grep -B 5 -A 1 "bypass_virus_checks_maps" /etc/amavis/conf.d/15-content_filter_mode | grep -v "^\$"
#after
# Please note, that anti-virus checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

$ sudo systemctl restart amavis
$ sudo postfix check && sudo systemctl reload postfix

$ uuencode eicar_com.zip "this is eicar virus.zip" | mail -s "eicar virus" `whoami`@`hostname -f`

$ sudo grep virus /var/spool/mail/*
/var/spool/mail/root:A virus was found: Eicar-Test-Signature
/var/spool/mail/root:Scanner detecting a virus: ClamAV-clamscan
/var/spool/mail/root:Subject: eicar virus
/var/spool/mail/root:The message has been quarantined as: j/virus-jLnMc5q6RKS1
/var/spool/mail/root:Subject: eicar virus

■Adding the spam check function

$ sudo apt-get install -y spamassassin
$ grep -B 1 ENABLED /etc/default/spamassassin

# If you're using systemd (default for jessie), the ENABLED setting is
--
# Change to "1" to enable spamd on systems using sysvinit:
ENABLED=0
$ sudo sed -i 's/ENABLED=0/ENABLED=1/' /etc/default/spamassassin

■Add the filtering conditions.

$ sudo cat /etc/procmailrc
LOGFILE=$HOME/procmail.log
LOCKFILE=$HOME/.lockfile
MAILDIR=$HOME/

#:0
#* ^Subject:.*iso-2022-jp
#* ^Subject:.*\/.*
#* ? echo "$MATCH" | nkf -me | egrep '未承諾広告'
#spam/.

# If there is no X-Spam header, pass the mail to spamassassin
:0fw
*!^X-Spam.*
|spamassassin

# If X-Spam-Status is Yes, move the mail to ~/spam/
:0
* ^X-Spam-Status: Yes
$MAILDIR/spam/

■Spam-protection integration with amavisd-new

$ echo "#before";grep -B 5 -A 1 "bypass_spam_checks_maps" /etc/amavis/conf.d/15-content_filter_mode | grep -v "^\$"
#before
# Please note, that anti-spam checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:
#@bypass_spam_checks_maps = (
#   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$ echo "#after";grep -B 5 -A 1 "bypass_spam_checks_maps" /etc/amavis/conf.d/15-content_filter_mode | grep -v "^\$"
#after
# Please note, that anti-spam checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$ sudo systemctl restart amavis
$ sudo postfix check && sudo systemctl reload postfix
$ sudo systemctl restart spamassassin.service 
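
Uncommenting the virus and spam bypass maps above, together with the content_filter and the 127.0.0.1:10025 listener configured earlier, is what makes mail actually get scanned: while the @bypass_*_checks_maps lines stay commented out, amavis passes mail through without calling ClamAV or SpamAssassin. The following POSIX shell audit of those three settings is an added example, not part of the original post; its functions take file paths, and the config files it builds are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original post): audit the settings this page edits, so that
# postfix really hands mail to amavis and amavis really runs the virus and spam checks.
# Each function takes a file path; on the live system pass /etc/postfix/main.cf,
# /etc/postfix/master.cf and /etc/amavis/conf.d/15-content_filter_mode. Samples below are constructed.

# amavis runs a check only when its @bypass_<kind>_checks_maps line is uncommented;
# prints e.g. "virus_checks=disabled spam_checks=enabled".
amavis_check_state() {
  out=""
  for kind in virus spam; do
    if grep -Eq "^[[:space:]]*@bypass_${kind}_checks_maps[[:space:]]*=" "$1"; then s=enabled; else s=disabled; fi
    out="$out${out:+ }${kind}_checks=$s"
  done
  echo "$out"
}

# main.cf must route every message through amavisfeed on port 10024.
postfix_filter_ok() {
  grep -Eq '^[[:space:]]*content_filter[[:space:]]*=[[:space:]]*amavisfeed:\[127\.0\.0\.1\]:10024' "$1"
}

# master.cf must define the 127.0.0.1:10025 re-injection listener with an empty
# content_filter, otherwise scanned mail would be fed to amavis again (a mail loop).
postfix_reinject_ok() {
  awk '
    /^127\.0\.0\.1:10025[ \t]+inet/ { seen = 1; next }
    seen && /^[ \t]+-o[ \t]+content_filter=[ \t]*$/ { ok = 1 }
    seen && /^[^ \t#]/ { seen = 0 }   # a new service entry ends the 10025 block
    END { exit(ok ? 0 : 1) }
  ' "$1"
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/15-content_filter_mode" <<'EOF'
#@bypass_virus_checks_maps = (
#   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
EOF
cat > "$SAMPLES/main.cf" <<'EOF'
soft_bounce = yes
content_filter = amavisfeed:[127.0.0.1]:10024
EOF
cat > "$SAMPLES/master.cf" <<'EOF'
amavisfeed unix    -       -       n       -       2     smtp
  -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n    -       n       -       -     smtpd
  -o content_filter=
EOF

amavis_check_state "$SAMPLES/15-content_filter_mode"
if postfix_filter_ok "$SAMPLES/main.cf"; then echo "content_filter: ok"; else echo "content_filter: MISSING"; fi
if postfix_reinject_ok "$SAMPLES/master.cf"; then echo "10025 listener: ok"; else echo "10025 listener: MISSING"; fi
```

Run against the live files after the restarts above; a "disabled" or "MISSING" result means the mail is not being filtered the way this page intends.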

■Checking the spam-judgment threshold and the configuration

$ sudo find /etc/spamassassin/ -type f -exec grep -i score {} \;
# required_score 5.0
score	 D_SENT_BY_DEBCONF	-5.0
score	 D_SENT_BY_AFBACKUP	-5.0
score	 D_SENT_BY_APTLC	-5.0
score	 D_SENT_BY_ANACRON	-5.0
score 	 D_SENT_BY_CRON		-5.0

$ test "`sudo spamassassin --lint 2>&1 | wc -l`" -eq "0" && echo "ok"
ok

■Updates
 Automatic updates run once a day.

$ sudo sa-update -D --updatedir /tmp/update && echo "ok"

$ grep sa-update /etc/cron*/*
/etc/cron.daily/spamassassin:test -x /usr/bin/sa-update || exit 0
/etc/cron.daily/spamassassin:    if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
/etc/cron.daily/spamassassin:        run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
/etc/cron.daily/spamassassin:    --exec /usr/bin/sa-update -- \
/etc/cron.daily/spamassassin:    --gpghomedir /var/lib/spamassassin/sa-update-keys 2>&1
/etc/cron.daily/spamassassin:        echo "sa-update failed for unknown reasons" 1>&2

■Testing with the sample file

$ sudo apt-get install -y procmail
$ sudo dpkg-reconfigure postfix
$ echo spam | awk '{print "test -d "$1"|| sudo mkdir "$1;print "sudo chown labunix:labunix "$1}' | sh

$ sudo systemctl restart amavis
$ sudo postfix check && sudo systemctl reload postfix
$ sudo systemctl restart spamassassin.service

$ uuencode /usr/share/doc/spamassassin/examples/sample-spam.txt "spam.txt" | \
  mail -s "spam" `whoami`@`hostname -f`

$ sudo grep ^X-[VS] /var/spool/mail/*
/var/spool/mail/labunix:X-Virus-Scanned: Debian amavisd-new at vm-stretch.localdomain
/var/spool/mail/labunix:X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
/var/spool/mail/labunix:X-Spam-Level: 
/var/spool/mail/labunix:X-Spam-Status: No, score=1.0 required=5.0 tests=ALL_TRUSTED,DKIM_ADSP_NXDOMAIN,
/var/spool/mail/labunix:X-Virus-Scanned: Debian amavisd-new at vm-stretch.localdomain

■Register the services.

$ sudo systemctl enable spamassassin.service
$ sudo systemctl enable amavis
$ sudo systemctl enable postfix
$ sudo systemctl enable clamav-freshclam.service