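## --------------------------------------------------- ##
## --- Install AMaViS with ClamAV and Spamassassin --- ##
## --------------------------------------------------- ##

## - Host specific settings
## -
## - NOTE(review): the original listed one stanza per host (mx.warenform.de,
## - a.mx.oopen.de, b.mx.oopen.de, listserver.so36.net, d.mx.oopen.de,
## - mail.interventionistische-linke.org, mx03.so36.net) and ALL of them were
## - executed one after the other, so the last assignment of every variable
## - won: the database settings came from mail.interventionistische-linke.org
## - while _ipv4_address came from mx03.so36.net.  The values below are that
## - effective result; keep ONE active stanza per host.
## -
## - The database passwords were hard-coded in the stanzas.  They are now read
## - from the environment so this file can be shared and versioned without
## - leaking credentials, and so "set -x" output or the shell history does not
## - show them.  AMAVIS_DB_PASS is a name chosen here (not one the surrounding
## - tooling defines) - export it before running these notes:
## -
## -   export AMAVIS_DB_PASS='<password from the host's secret store>'
## -

## - Known hosts and their IPv4 addresses (reference only; the active value
## - is assigned below):
## -   a.mx.oopen.de                         83.223.86.91
## -   b.mx.oopen.de                         83.223.86.162
## -   listserver.so36.net                   83.223.73.213
## -   d.mx.oopen.de                         83.223.86.92
## -   mail.interventionistische-linke.org   83.223.85.214
## -   mx03.so36.net                         83.223.73.205
## -
_ipv4_address=83.223.73.205

## - Database backend for the amavis lookups.  "pgsql" is normalised to the
## - DBD driver name "Pg" further down in the notes.
_db_type=pgsql
#_db_type=mysql
_db_name='postfix'
_db_user='postfix'

## - Empty means "not set"; say so once, so that a later heredoc does not
## - silently write an empty password into the amavis configuration.
_db_pass=${AMAVIS_DB_PASS-}
if [ -z "$_db_pass" ]; then
  printf '%s\n' "WARNING: AMAVIS_DB_PASS is not set - _db_pass is empty" >&2
fi

## - The original assigned the unix socket '/var/run/postgresql' first and
## - then overwrote it with 'localhost'; only the TCP value is kept.
#_db_host='/var/run/postgresql'
_db_host='localhost'

_quarantine_dir=/var/QUARANTINE

## - !! Don't use double quotes (") here !!  The value is interpolated into a
## - Perl heredoc later on, where "\@" has to survive and "$mydomain" is a
## - Perl variable, not a shell one.
_quarantine_admin='postmaster\@$mydomain'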
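## - !! Don't use double quotes (") here !!  (tail of the mx03.so36.net stanza)
_quarantine_admin='postmaster\@$mydomain'
## -
## - END: mx03.so36.net

## - Normalise the database type to the DBD driver name used below.  Every
## - spelling that means PostgreSQL collapses to "Pg"; anything else is left
## - untouched (the mysql branches compare against the raw value).
case "$_db_type" in
  postgres|postgresql|pgsql|psql)
    _db_type=Pg
    ;;
esac

## - Detect the Debian release so that the release specific package lists
## - below are not both executed (the original ran the wheezy AND the jessie
## - apt-get lines one after the other).  VERSION_ID in /etc/os-release is
## - "7" for wheezy and "8" for jessie; without the file the jessie lists
## - are used.
_debian_version=""
if [ -r /etc/os-release ]; then
  _debian_version=$(. /etc/os-release && printf '%s' "${VERSION_ID-}")
fi

## -- wheezy / jessie
## - Package "dspam" is not yet supported by debian jessie
## -
if [ "$_debian_version" = "7" ]; then
  apt-get install apt-listchanges libnet-ldap-perl libauthen-sasl-perl dspam libsnmp-perl
else
  apt-get install apt-listchanges libnet-ldap-perl libauthen-sasl-perl libsnmp-perl
fi

## - prerequisites: AMaViS with Spamassassin and ClamAV
## -
## - amavis
## -
apt-get install amavisd-new

## - Recommended: apt-get install cabextract clamav clamav-daemon lhasa libzeromq-perl lzop nomarch p7zip rpm spamassassin unrar
## - (clamav, spamassassin and the decoders are installed step by step below)

## - spamassassin
## -
if [ "$_debian_version" = "7" ]; then
  ## - debian wheezy
  apt-get install -t wheezy-backports spamassassin razor pyzor libio-socket-ssl-perl \
    libdbi-perl libmail-dkim-perl libmail-spf-perl \
    libgeo-ipfree-perl libnet-ident-perl \
    libio-zlib-perl libio-string-perl \
    ftp ncftp less
else
  ## - debian jessie
  apt-get install spamassassin razor pyzor libio-socket-ssl-perl \
    libdbi-perl libmail-dkim-perl libmail-spf-perl \
    libgeo-ipfree-perl libnet-ident-perl \
    libio-zlib-perl libio-string-perl \
    ftp ncftp less
fi

## - If MySQL/PostgreSQL was installed from the debian package system, also
## - install the perl modules "DBI" and DBD::mysql/DBD::Pg as packages.
## -
if [ "$_db_type" = "Pg" ] || [ "$_db_type" = "postgres" ]; then
  apt-get install libdbd-pgsql libdbd-pg-perl libdbi-perl libdbi-dev
else
  apt-get install libdbd-mysql libdbd-mysql-perl libdbi-perl libdbi-dev
fi

## - If MySQL/PostgreSQL was installed from source, install the perl modules
## - "DBI" and "DBD::mysql" (or "DBD::Pg") via cpan.
## -
## - NOTE(review): cpan fetches and builds code from the network without the
## - distribution's package signatures.  The original ran "cpan -i DBD::mysql"
## - and "cpan -i DBD::Pg" unconditionally; the driver is now chosen exactly
## - like in the apt-get step above.
cpan -i DBI
if [ "$_db_type" = "Pg" ] || [ "$_db_type" = "postgres" ]; then
  cpan -i DBD::Pg
else
  cpan -i DBD::mysql
fi

## - Clamav
## -
if [ "$_debian_version" = "7" ]; then
  ## - wheezy
  apt-get install -t stable-updates clamav clamav-base clamav-daemon clamav-docs \
    clamav-freshclam libclamunrar6
fi
## - Jessie (the package list continues on the next line of the notes)
## -
apt-get install clamav clamav-base clamav-daemon clamav-docs \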
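clamav-freshclam libclamunrar7
#apt-get install clamav clamav-base clamav-daemon clamav-docs \
#  clamav-freshclam libclamunrar6

## - It's very important to install the GMP package because it allows
## - freshclam (a ClamAV component) to verify the digital signatures of
## - the virus databases.
## -
#apt-get install libgmp3c2 libgmp3-dev
apt-get install libgmp-dev libgmp10

## - Fetch the initial signature database with both daemons stopped, then
## - start them again.
/etc/init.d/clamav-daemon stop
/etc/init.d/clamav-freshclam stop
freshclam
/etc/init.d/clamav-daemon start
/etc/init.d/clamav-freshclam start

## - User/Group Permissions
## -
#usermod -a -G debian-spamd amavis
#usermod -a -G amavis debian-spamd

## - add user clamav to group amavis in order to give clamav the needed
## - rights to the e-mails
## -
## - Notice !!
## - UP TO debian wheezy also take care that option "AllowSupplementaryGroups true"
## - is set (/etc/clamav/clamd.conf)
## -
## - Do NOT set this option on debian jessie or later
## -
## - NOTE(review): the original carried a broken fragment
## - "f [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi" BEFORE the usermod
## - call (typo for "if", and it tested the status of a comment line).  The
## - status check now wraps the usermod itself.  echo_ok/echo_failed are not
## - defined in this file - presumably a sourced helper library; they are only
## - called when present, so the notes do not stop with "command not found".
if usermod -a -G amavis clamav; then
  command -v echo_ok >/dev/null 2>&1 && echo_ok
else
  command -v echo_failed >/dev/null 2>&1 && echo_failed
  printf '%s\n' "usermod -a -G amavis clamav failed" >&2
fi
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

## --------------- ##
## --- AMaViS --- ##
## --------------- ##

## - load some decoders
##
apt-get install tnef zoo cabextract freeze lzop rpm alien \
  tar pax rar unrar p7zip-full zip unzip ripole arj cpio arc \
  bzip2 binutils nomarch p7zip-rar p7zip unrar-free lhasa \
  libzeromq-perl

## - Release specific extras.  The original ran the wheezy AND the jessie line
## - unconditionally; VERSION_ID in /etc/os-release is "7" for wheezy and "8"
## - for jessie, without the file the jessie line is used.
_debian_version=""
if [ -r /etc/os-release ]; then
  _debian_version=$(. /etc/os-release && printf '%s' "${VERSION_ID-}")
fi
if [ "$_debian_version" = "7" ]; then
  ## - Debian wheezy - lha is not available on debian wheezy
  apt-get install apt-listchanges libnet-ldap-perl \
    libauthen-sasl-perl dspam libsnmp-perl
else
  ## - Debian jessie - dspam is no longer supported
  apt-get install apt-listchanges libnet-ldap-perl \
    libauthen-sasl-perl libsnmp-perl lhasa libdigest-sha-perl
fi

## - Install via cpan (cpan checks no distribution signatures; the modules
## - are built from whatever the mirror serves):
## -
## - Digest::SHA1
## - Encode::Detect
## - Net::Patricia
apt-get install g++
cpan -i CPAN
cpan -i Digest::SHA1
cpan -i Digest::SHA2
cpan -i Digest::SHA256
cpan -i Encode::Detect
cpan -i Net::Patricia

## - Quarantine Directories (the directory list continues on the next line
## - of the notes)
## -
mkdir -p \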
${_quarantine_dir}/{spam,virus,banned,bad-headers,spammy} chown -R amavis:amavis $_quarantine_dir chmod 750 $_quarantine_dir chmod 750 ${_quarantine_dir}/{spam,virus,banned,bad-headers,spammy} ## - configure amavis in /etc/amavis/conf.d ## - ## - write all changes and customization to a seperate ## - file named "50-user", which will load at end of ## - configuration and overwrites the (debian)-default values ## - cp /etc/amavis/conf.d/50-user ~/etc_amavis_conf.d_50-user.ORIG ## - write file /etc/amavis/conf.d/50-user ## - cat > /etc/amavis/conf.d/50-user < [1], # bypass_header_checks_maps => [1], # final_spam_destiny => D_PASS, # $final_bad_header_destiny = D_PASS, #}; ## - 7 instances seems to be a good value. ## - \$max_servers = 7; ## - overrides settings in 01-debian ## - \$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat']; #disabled (non-free, no security support) \$unrar = ['rar', 'unrar']; #disabled (non-free, no security support) \$lha = 'lha'; #disabled (non-free, no security support) \$tnef = 'tnef'; ## - overrides settings in 15-content_filter_mode ## - ## - Default antivirus checking mode ## - @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); ## - Default SPAM checking mode ## - @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); ## - overrides settings in 20-debian_defaults ## - \$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine) \$final_banned_destiny = D_DISCARD; # D_REJECT when front-end MTA #\$final_spam_destiny = D_DISCARD; \$final_spam_destiny = D_BOUNCE; #\$final_bad_header_destiny = D_PASS; # False-positive prone (for spam) \$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level \$sa_tag2_level_deflt = 5.1; # add 'spam detected' headers at that level ## - user / domain specific settings ## - example for \$sa_tag2_level_deflt: ## - #\$sa_tag2_level_deflt = { # # oopen.de # 'oopen.de'=>'2.1', 
# 'ckubu@oopen.de'=>'2.2', # 'argus@oopen.de'=>'2.3', # # k8h.de # 'k8h.de'=>'6.5', # # default # '.'=>'5.1' #}; \$sa_kill_level_deflt = 10.31; # reject/bounce/discard/pass #\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent ## - We will inform the sender about bouncing his mail with a DSN (Delivery ## - StatusNotification). That DSN message will no be send, if the spamvalue ## - exceeds the value of sa_dsn_cutoff_level ## - \$sa_dsn_cutoff_level = 20; ## - change the default server response if mail was blocked ## - because of spam. ## - ## - results in (is an example): ## - : host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, Mailserver ## - at a.mx.oopen.de: identified as SPAM - (in reply to end of DATA command) ## - %smtp_reason_by_ccat = ( CC_SPAM, "Mailserver at \$myhostname: identified as SPAM - %x" ); \$sa_spam_subject_tag = undef; #\$sa_spam_subject_tag = '***SPAM*** '; ## - QUARANTINE ## - \$QUARANTINEDIR = "$_quarantine_dir"; \$quarantine_subdir_levels = 0; ## - don't store mails in quarantine directory ## - #\$virus_quarantine_method = undef; #\$spam_quarantine_method = undef; #\$banned_files_quarantine_method = undef; #\$bad_header_quarantine_method = undef; ## - store mails in quarantine directory ## - \$virus_quarantine_method = 'local:virus/virus-%m'; \$spam_quarantine_method = 'local:spam/spam-%m.gz'; \$banned_files_quarantine_method = 'local:banned/banned-%m'; \$bad_header_quarantine_method = 'local:bad-headers/badh-%m'; \$clean_quarantine_method = undef; \$archive_quarantine_method = undef; #\$virus_admin ="$_quarantine_admin"; #\$spam_admin = "$_quarantine_admin"; #\$banned_admin = "$_quarantine_admin"; #\$bad_header_admin = "$_quarantine_admin"; \$virus_admin = undef; \$spam_admin = undef; \$banned_admin = undef; \$bad_header_admin = undef; # Pass SPAMMY but quarantine and inform admin # \$quarantine_to_maps_by_ccat{+CC_SPAMMY} = \\@spam_quarantine_to_maps ; \$quarantine_method_by_ccat{+CC_SPAMMY} = 
'local:spammy/spammy-%m.gz' ; \$final_destiny_by_ccat{+CC_SPAMMY} = D_PASS ; \$admin_maps_by_ccat{+CC_SPAMMY} = sub { ca('spam_admin_maps') }; # Bypass spam checking fro trusted networks using mynetworks # # list of trusted IPs: # # - b.mx.oopen.de (83.223.86.162 [2a01:30:1fff:a::162]) # #\@mynetworks = qw( 127.0.0.0/8 [::1] 83.223.86.162 [2a01:30:1fff:a::162] ); # #\$policy_bank{'MYNETS'} = { # clients in @mynetworks # bypass_spam_checks_maps => [1], # don't spam-check internal mail # bypass_header_checks_maps => [1], # don't header-check internal mail # final_spam_destiny => D_PASS, # final_bad_header_destiny => D_PASS, # #remove_existing_x_scanned_headers => undef, # #remove_existing_spam_headers => undef, #}; #\$remove_existing_x_scanned_headers = 0; #\$remove_existing_spam_headers = 0; # allow all mail from local IPs: #\$policy_bank{'MYNETS'} = { # clients in @mynetworks # bypass_spam_checks_maps => [1], # don't spam-check internal mail # bypass_header_checks_maps => [1], # don't header-check internal mail # final_spam_destiny => D_PASS, # final_bad_header_destiny => D_PASS, #}; ## - Amavisd-New scans all mail passing through it for viruses, but will ## - only hand mail for local delivery off to SA for checking - you tell ## - it which domains are local using the @local_domains_maps variable, ## - which by default is set to the value of $mydomain & its subdomains: ## - #@local_domains_maps = ( [".$mydomain"] ); ## - get rid of "Open Relay" warnings in amavis logfile. 
## - \$interface_policy{'10024'} = 'ORIGINATING'; \$policy_bank{'ORIGINATING'} = { originating => 1, # declare that mail was submitted by our smtp client }; ## - If you get am error like: ## - ## - amavis[9766]: () (!)DENIED ACCESS from IP $_ipv4_address, policy bank 'ORIGINATING' ## - ## - you must add your ip address to @inet_acl ## - #@inet_acl = qw( 127.0.0.1 [::1] $_ipv4_address ); #\$inet_socket_bind = undef; EOF if [ "$_db_type" = "Pg" ]; then cat >> /etc/amavis/conf.d/50-user <> /etc/amavis/conf.d/50-user <> /etc/amavis/conf.d/50-user < syslog; false (e.g. 0) => logging to file \$DO_SYSLOG = 1; # (defaults to 0) \$syslog_ident = 'amavis'; # Syslog ident string (defaults to 'amavis') #\$syslog_facility = 'mail'; # Syslog facility as a string \$syslog_facility = 'local0'; # Syslog facility as a string # e.g.: mail, daemon, user, local0, ... local7, ... \$syslog_priority = 'debug'; # Syslog base (minimal) priority as a string, # choose from: emerg, alert, crit, err, warning, notice, info, # debug # Log file (if not using syslog) #\$LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log) #NOTE: levels are not strictly observed and are somewhat arbitrary # 0: startup/exit/failure messages, viruses detected # 1: args passed from client, some more interesting messages # 2: virus scanner output, timing # 3: server, client # 4: decompose parts # 5: more debug details \$log_level = 1; # (defaults to 0), -d ## - amavis add a tag "***UNCHECKED***" if mail was not ## - checked. to get rid of that tag add: ## - \$undecipherable_subject_tag = undef; ## - get rid of warning messages to postmaster if content is unchecked (that occurs ## - i.e. 
if mail is encrypted ## - delete \$admin_maps_by_ccat{&CC_UNCHECKED}; ## - Replace "localhost" in the mailheader ## - \$localhost_name = "amavis.`hostname -f`"; ## - DKIM ## - #\$enable_dkim_verification = 1; # enable DKIM signatures verification #\$enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key #dkim_key('oopen.de', 'main', '/etc/amavis/dkim/dkim-key.pem'); #dkim_key('mbr-berlin.de', 'main', '/etc/amavis/dkim/dkim-key.pem'); #dkim_key ... #\@dkim_signature_options_bysender_maps = ( # { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } ); #------------ Do not modify anything below this line ------------- 1; # ensure a defined return EOF chmod 644 /etc/amavis/conf.d/50-user ## - Notice: ## - you can realise domain or email-address specific spam levels. to do so ## - change at /etc/amavis/conf.d/50-user the directive "$sa_tag2_level_deflt" ## - ## - for example set: ## - ## - $sa_tag2_level_deflt = { ## - # warenform.com ## - 'warenform.com'=>'2.1', ## - 'chris@warenform.com'=>'2.2', ## - 'christian@warenform.com'=>'2.3', ## - # asap-log.com ## - 'asap-log.com'=>'6.5', ## - # jongleur-till.de ## - 'jongleur-till.de'=>'6.5', ## - # default ## - '.'=>'5.31' ## - }; ## - Configure syslogd matching the configuration od amavisd ## - cat << EOF > /etc/rsyslog.d/amavis.conf ## - amavis ## - local0.* -/var/log/amavis.log & ~ EOF /etc/init.d/rsyslog restart ## - forward emails to amavis using "Pre-Queue" Option smtpd_proxy_filter ## - ## - edit /etc/postfix/master.cf and add flags for "smtpd_proxy_filter" (to ## - forward to amavis service on localhost port 10024) and for "content_filter" ## - (to avoid rechecking by "Post-Queue" content_filter) to smtp service ## - ## - smtp inet n - - - - smtpd ## - -o smtpd_proxy_filter=127.0.0.1:10024 ## - -o content_filter= ## - ## - take care, that, in case NOT to reject, amavis fowards the mail to the ## - MTA (Postfix) for delivering. 
To avoid loops in checking, install a ## - (Postfix) smtpd service on a local Port (10025) without checking anymore ## - ## - to do this edit /etc/postfix/master.cf and add service: ## - ## - localhost:10025 inet n - - - - smtpd ## - -o content_filter= ## - -o smtpd_proxy_filter= ## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8 ## - -o smtpd_client_restrictions= ## - -o smtpd_helo_restrictions= ## - -o smtpd_sender_restrictions= ## - -o smtpd_recipient_restrictions=permit_mynetworks,reject ## - -o smtpd_data_restrictions= ## - -o mynetworks=127.0.0.0/8,<$_ipv4_address/32> ## - -o receive_override_options=no_unknown_recipient_checks ## - vim /etc/postfix/master.cf ## - install logrotate-script for amavis ## - cat < /etc/logrotate.d/amavis /var/log/amavis.log { daily start 0 rotate 7 missingok compress delaycompress notifempty create 644 amavis amavis copytruncate } EOF touch /var/log/amavis.log chmod 644 /var/log/amavis.log chown amavis:amavis /var/log/amavis.log /etc/init.d/amavis restart /etc/init.d/postfix stop /etc/init.d/postfix start ## - Add a crontab to cleanup the quarantine folder ## - crontab -l > /tmp/tmp_crontab cat << EOF >> /tmp/tmp_crontab # - Remove old quarantined messages (>30 days). 
# - # - Spam 0 3 * * * find ${_quarantine_dir}/spam -type f -name "spam-*" -mtime +30 -exec rm {} \; # - Spammy 0 3 * * * find /var/QUARANTINE/spammy -type f -name "spammy-*" -mtime +30 -exec rm {} \; # - Virus 0 3 * * * find ${_quarantine_dir}/virus -type f -name "virus-*" -mtime +30 -exec rm {} \; # - Banned files 0 3 * * * find ${_quarantine_dir}/banned -type f -name "banned-*" -mtime +30 -exec rm {} \; # - Bad headers 0 3 * * * find ${_quarantine_dir}/bad-headers -type f -name "badh-*" -mtime +30 -exec rm {} \; EOF crontab /tmp/tmp_crontab rm /tmp/tmp_crontab ## -------------- ## ## --- ClamAV --- ## ## -------------- ## ## - i prefer to install clamav ( and the update daemon freshclam from ## - debian packages, because of better possibilities to update the programm ## - application. this is useful only if these packages are actual. so i ## - add the following entry to file /etc/apt/sources.list: ## - ## ClamAV ## - http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free ## ## - Add cronjob for updating clamav packages ## - ## - 03 0 * * * /usr/bin/apt-get update > /dev/null ; PATH=/bin:/sbin:/usr/bin:/usr/sbin /usr/bin/apt-get -y install clamav clamav-base clamav-docs clamav-daemon clamav-freshclam > /dev/null ## - crontab -l > /tmp/tmp_crontab echo "" >> /tmp/tmp_crontab echo "# - update virus database and software ( clamav)" >> /tmp/tmp_crontab echo "# -" >> /tmp/tmp_crontab echo "03 0 * * * /usr/bin/apt-get update > /dev/null ; PATH=/bin:/sbin:/usr/bin:/usr/sbin /usr/bin/apt-get -y install -t stable-updates clamav clamav-base clamav-docs clamav-daemon clamav-freshclam > /dev/null" >> /tmp/tmp_crontab crontab /tmp/tmp_crontab rm /tmp/tmp_crontab ## - ClamAV Unofficial Signatures ## - ## - Use ClamAV Unofficial Signatures Updater: ## - https://github.com/extremeshok/clamav-unofficial-sigs/releases ## - ## - See readme file: ## - https://github.com/extremeshok/clamav-unofficial-sigs ## - apt-get install socat cpan -i IO::Socket::UNIX cd 
/tmp git clone https://github.com/extremeshok/clamav-unofficial-sigs.git cd clamav-unofficial-sigs cp clamav-unofficial-sigs.sh /usr/local/sbin/ chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh mkdir /var/log/clamav-unofficial-sigs mkdir /etc/clamav-unofficial-sigs cp config/* /etc/clamav-unofficial-sigs/ cd /etc/clamav-unofficial-sigs/ ## - For Debian Wheezy (Debian 7) ## - cp /etc/clamav-unofficial-sigs/os.debian7.conf /etc/clamav-unofficial-sigs/os.conf ## - Edit /etc/clamav-unofficial-sigs/os.conf and make changes if needed ## - ## - Maybe the following changes are needed: ## - clam_user="clamav" ## - clam_group="clamav" ## - ## - clamd_pid="/var/run/clamav/clamd.pid" ## - ## - clamd_socket="/var/run/clamav/clamd.ctl" ## - perl -i -n -p -e "s#^([ ]*\ *)(clam_user=.*)#\#\#\1\2\nclam_user=\"clamav\"#" /etc/clamav-unofficial-sigs/os.conf perl -i -n -p -e "s#^([ ]*\ *)(clam_group=.*)#\#\#\1\2\nclam_group=\"clamav\"#" /etc/clamav-unofficial-sigs/os.conf perl -i -n -p -e "s#^([ ]*\ *)(clamd_pid=.*)#\#\#\1\2\nclamd_pid=\"/var/run/clamav/clamd.pid\"#" \ /etc/clamav-unofficial-sigs/os.conf perl -i -n -p -e "s#^([ ]*\#?\ *)(clamd_socket=.*)#\#\#\1\2\nclamd_socket=\"/var/run/clamav/clamd.ctl\"#" \ /etc/clamav-unofficial-sigs/os.conf ## - For Debian Jessie (Debian 8) ## - cp /etc/clamav-unofficial-sigs/os.debian8.conf /etc/clamav-unofficial-sigs/os.conf ## - Edit /etc/clamav-unofficial-sigs/os.conf and make changes if needed ## - ## - Maybe the following changes are needed: ## - clamd_pid="/var/run/clamav/clamd.pid" ## - ## - clamd_restart_opt="systemctl restart clamav-daemon" ## - clamd_reload_opt="systemctl reload clamav-daemon ## - ## - clamd_socket="/var/run/clamav/clamd.ctl" ## - perl -i -n -p -e "s#^([ ]*\ *)(clamd_pid=.*)#\#\#\1\2\nclamd_pid=\"/var/run/clamav/clamd.pid\"#" \ /etc/clamav-unofficial-sigs/os.conf perl -i -n -p -e "s#^([ ]*\#?\ *)(clamd_restart_opt=.*)#\#\#\1\2\nclamd_restart_opt=\"systemctl restart clamav-daemon\"\nclamd_reload_opt=\"systemctl 
reload clamav-daemon\"#" \ /etc/clamav-unofficial-sigs/os.conf perl -i -n -p -e "s#^([ ]*\#?\ *)(clamd_socket=.*)#\#\#\1\2\nclamd_socket=\"/var/run/clamav/clamd.ctl\"#" \ /etc/clamav-unofficial-sigs/os.conf ## - Edit /etc/clamav-unofficial-sigs/user.conf ## - ## - Disable Yara-Rule Project because of a lot of "false positive" matches, ## - for example some pgp/gpg mails matches the Rules: ## - ## - Javascript_exploi~d_obfuscation.yar: possible_includes_base64_packed_functions ## - ## - The following change is required: ## - user_configuration_complete="yes" ## - perl -i -n -p -e "s#^([ ]*\#\#*\ *)(user_configuration_complete=.*)#\#\# - Disable Yara-Rule set, because (some?) pgp mails where blocked.\n\#\# -\nyararulesproject_enabled=\"no\"\n\n\n\1\2#" \ /etc/clamav-unofficial-sigs/user.conf perl -i -n -p -e "s#^([ ]*\#\#*\ *)(user_configuration_complete=.*)#\#\#\1\2\nuser_configuration_complete=\"yes\"#" \ /etc/clamav-unofficial-sigs/user.conf ## - Maybe you want include "MalwarePatrol Free/Delayed" or ## - "SecuriteInfo Free/Delayed" list support. Both are not enabled by default, ## - and for both you have to sign up for an account. Free accounts are ## - available. ## - ## - See Readme.md file for further instructions. ## - ## - Only if Systemd is used (as in debian 8) ## - cp /tmp/clamav-unofficial-sigs/systemd/* /etc/systemd/ /usr/local/sbin/clamav-unofficial-sigs.sh --install-cron /usr/local/sbin/clamav-unofficial-sigs.sh --install-logrotate /usr/local/sbin/clamav-unofficial-sigs.sh --install-man ## - First Usage ## - ## - Run the script once as your superuser to set all the permissions and create the relevant directories ## - ## - Notice! 
## - Don't forget to oopen TCP Port 873 and TCP Port 443 ## - /usr/local/sbin/clamav-unofficial-sigs.sh cd rm -rf /tmp/clamav-unofficial-sigs ## -------------------- ## ## --- Spamassassin --- ## ## -------------------- ## apt-get install libimage-info-perl libnet-cidr-lite-perl \ libdbd-pgsql libgeo-ip-perl geoip-bin libgeoip-dev geoip-database apt-get install re2c ## - Pyzor configuration ## - ## - Here we supply the hostname of the Pyzor server to Pyzor (for both the ## - 'root' and 'amavis' users). This will create a .pyzor directory in both ## - user's home directories, and place the server's hostname in a 'servers' file ## - therein: pyzor discover su amavis -c 'pyzor discover' ## -Test the pyzor server for a response: pyzor ping su amavis -c 'pyzor ping' ## - Pyzor Ping should show 'OK'. If not, then it's possible your firewall is ## - blocking udp replies from 82.94.255.100 or 188.40.77.236 (public.pyzor.org ## - port 24441), or the server may simply be slow to respond (often the case). ## - I suggest you subscribe to ## - http://lists.sourceforge.net/lists/listinfo/pyzor-announce. ## - Download a sample spam file. For testing purpose you can feed it to spamassassin: ## - ## - # cp /root/sample-spam.txt /tmp ## - # cd /tmp ## - # su amavis -c 'spamassassin -D /tmp/tmp_crontab echo "" >> /tmp/tmp_crontab echo "# - update razor2" >> /tmp/tmp_crontab echo "# -" >> /tmp/tmp_crontab echo "33 0 * * * su amavis -lc '/usr/bin/razor-admin -discover'" >> /tmp/tmp_crontab crontab /tmp/tmp_crontab rm /tmp/tmp_crontab ## - SpamAssassin's main configuration file: ## - vim /etc/spamassassin/local.cf ## - insert/replace the lines ## - ## - # let the body of mails untouched.. ## - # ## - report_safe 0 ## - ## - ## - ## - Possibly optional, possibly not: ## - ## - Depending on your setup, it might be necessary to explicitly set internal_networks ## - ## - and trusted_networks. The trust path tells spamassassin which clients are not trusted. 
## - ## - If you are using SpamAssassin version 3.2 or newer, do not include the 127/8 ## - ## - networks shown below. They are automatically included. ## - ## - See http://wiki.apache.org/spamassassin/TrustPath and this thread: ## - ## - ## - # explicitly set our internal_networks (might be the same or similar to mynetworks) ## - clear_internal_networks ## - #internal_networks 178.63.63.151/32 ## - #internal_networks 2a01:4f8:121:c5::2/128 ## - # don't add internal_networks to trusted_networks, but possibly other computers/networks whose mail we trust ## - clear_trusted_networks ## - #- add mx03.so36.net to our trusted networks. ## - trusted_networks 83.223.73.205 ## - trusted_networks 2a01:30:1fff:fd00::205 ## - #- add b.mx.oopen.de to our trusted networks. ## - trusted_networks 83.223.86.162 ## - trusted_networks 2a01:30:1fff:a::162 ## - ## - lock_method flock ## - ## - required_score 5.1 ## - ## - ## - use_bayes 1 ## - bayes_path /var/lib/amavis/.spamassassin/bayes ## - ## - whitelist_from admin@oopen.de ## - ## - bayes_auto_learn 1 ## - bayes_auto_learn_threshold_spam 15.0 ## - #bayes_auto_learn_threshold_spam 10.0 ## - bayes_auto_learn_threshold_nonspam -0.5 ## - ## - ## - NOTE: Since there is a script that runs each day to --force-expire old ## - ## - Bayes tokens "/etc/cron.daily/amavisd-new" (make sure there is if ## - ## - you use this setting!), we can set: ## - ## - ## - bayes_auto_expire 0 ## - ## - ## - Optional: ## - ## - Some people believe auto-whitelist is more of a liability than an asset: ## - use_auto_whitelist 1 ## - auto_whitelist_path /var/lib/amavis/.spamassassin/auto-whitelist ## - ## - ## - Optional: ## - ## - We will normally have DNS available: ## - dns_available yes ## - ## - ## - # Enable or disable network checks ## - skip_rbl_checks 1 ## - use_razor2 1 ## - razor_timeout 8 ## - ## - ##use_dcc 1 ## - ##dcc_home /var/dcc ## - ## - use_pyzor 1 ## - #pyzor_timeout 8 ## - ## - # Mail using locales used in these country codes will not be 
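## - marked
## - # as being possibly spam in a foreign language.
## - ok_locales all
## -
## - add_header spam Flag _YESNOCAPS_
## -
## - edit /etc/spamassassin/v310.pre
## -
## - enable auto-whitelist checks
## - loadplugin Mail::SpamAssassin::Plugin::AWL
## -
## - enable language guesser
## - loadplugin Mail::SpamAssassin::Plugin::TextCat
## -
vim /etc/spamassassin/v310.pre

## - enable nightly cronjob for spamassassin
## -
## - edit /etc/default/spamassassin and set:
## - CRON=1
## -
## - The existing (possibly commented) CRON= line is kept as a "##" comment
## - and CRON=1 is written directly below it.
perl -i -n -p -e "s#^([ ]*\#?\ *)(CRON\ *=.*)#\#\#\1\2\nCRON=1#" \
  /etc/default/spamassassin

## - add a cronjob for cleaning up bayes
## -
## - The crontab is edited through a private temp file (mktemp) instead of
## - the fixed, predictable /tmp/tmp_crontab, and the entry is only appended
## - when it is not already present, so re-running the notes does not
## - duplicate it.  "crontab -l" exits non-zero when root has no crontab yet;
## - that is fine, the file is then simply empty.
_tmp_crontab=$(mktemp) || { printf '%s\n' "mktemp failed" >&2; exit 1; }
crontab -l > "$_tmp_crontab" 2>/dev/null
if ! grep -qF '/usr/bin/sa-learn --sync --force-expire' "$_tmp_crontab"; then
  printf '%s\n' "" >> "$_tmp_crontab"
  printf '%s\n' "# - cleanup sa bayes for espired entries" >> "$_tmp_crontab"
  printf '%s\n' "# -" >> "$_tmp_crontab"
  printf '%s\n' '33 3 * * * su amavis -lc "/usr/bin/sa-learn --sync >/dev/null" ; su amavis -lc "/usr/bin/sa-learn --sync --force-expire >/dev/null"' >> "$_tmp_crontab"
  crontab "$_tmp_crontab"
fi
rm -f -- "$_tmp_crontab"

sa-update

## - !! Notice !!
## - if su clamav -c 'spamassassin --lint' failed ( with warn
## - message "warn: Use of uninitialized value $type in numeric..")
## - reading "/etc/spamassassin/local.cf": razor_timeout 8, have a look
## - at SpamAssassin/Plugin/Razor2.pm line 118:
## -
## - type => $Mail::SpamAssassin::Conf::CONF_TYPE_DURATIION,
## -
## - Should be:
## -
## - type => $Mail::SpamAssassin::Conf::CONF_TYPE_DURATION,
## -
## - see also: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7018
## -
## - Only patch the packaged module when the typo is actually present, so a
## - correct file is not rewritten on every run.  dpkg will report the file
## - as modified afterwards.
_razor2_pm=/usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm
if grep -q 'CONF_TYPE_DURATIION' "$_razor2_pm" 2>/dev/null; then
  perl -i -n -p -e "s/CONF_TYPE_DURATIION/CONF_TYPE_DURATION/" "$_razor2_pm"
fi

sa-compile

## - lint as the amavis user; the cd presumably exists because that user
## - cannot read root's working directory - confirm on the host
cd /tmp
su amavis -c 'spamassassin --lint'

## - it's important, that all completes without error
## -
/etc/init.d/amavis restart

## - SpamAssassin Rules
## -
## - updates.spamassassin.org is used automatically
## - and you have to do nothing, because "sa-update"
## - has done the update from updates.spamassassin.org. install
## - a cronjob for doing this periodically.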
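## - for better understanding,
## - do this
## -
## - first get a gpgkey from updates.spamassassin.org, in order only
## - getting signed update rules
## -
## - The key is fetched over https (the original used plain http): it is the
## - trust anchor for every later rule update, so it must not be replaceable
## - by an on-path party.  The import is skipped when the download failed, so
## - an empty or partial file is never imported.
cd /etc/spamassassin || exit 1
if wget https://spamassassin.apache.org/updates/GPG.KEY; then
  sa-update --import GPG.KEY
fi
rm -f GPG.KEY

## - create keyfile and add a line for the key-id
## -
## - you can also get the key-id by typing
## - gpg --home /etc/spamassassin/sa-update-keys -kv
## -
## - NOTE(review): 5244EC45 is a short (32-bit) key id, which is collision
## - prone; compare the full fingerprint shown by gpg with the one published
## - by the SpamAssassin project before relying on it.
echo "5244EC45" > /etc/spamassassin/sa_keys

## - create a channel file and add a line with the url
## -
echo "updates.spamassassin.org" > /etc/spamassassin/sa_channel

## - now you can update:
## -
sa-update --channelfile /etc/spamassassin/sa_channel --gpgkeyfile /etc/spamassassin/sa_keys

## - Spamassassin Rules from Heinlein Support
## -
## - NOTE(review): --nogpg disables signature verification, so these rules are
## - trusted purely on the download transport; keep that in mind when
## - reviewing what ends up in /var/lib/spamassassin.
sa-update --nogpg --channel spamassassin.heinlein-support.de

## - There are hundreds of SpamAssassin rules that help decide what is spam
## - and what is not. Additional rules are available from 3rd parties. I add
## - the safest set of rules from http://www.rulesemporium.com/ which I
## - obtain from another source at http://saupdates.openprotect.com/:
## -
## - !! OUTDATED !!
#cd /etc/spamassassin
#wget http://saupdates.openprotect.com/pub.gpg
#sa-update --import pub.gpg
#rm pub.gpg
#echo "BDE9DC10" >> /etc/spamassassin/sa_keys
#echo "saupdates.openprotect.com" >> /etc/spamassassin/sa_channel

## - Spamassassin Rule from eXtreme SHOCK
## -
## - Maintained and provided by https://eXtremeSHOK.com
## -
## - The repository is cloned into a private temporary directory (mktemp -d)
## - instead of the fixed path /tmp/spamassassin-extremeshok_fromreplyto, and
## - the copy step is skipped when the clone failed.
_sa_tmp=$(mktemp -d) || exit 1
if git clone https://github.com/extremeshok/spamassassin-extremeshok_fromreplyto "$_sa_tmp/spamassassin-extremeshok_fromreplyto"; then
  cd "$_sa_tmp/spamassassin-extremeshok_fromreplyto" || exit 1
  mkdir -p /etc/mail/spamassassin/plugins/
  cp plugins/* /etc/mail/spamassassin/plugins/
  cp 01_extremeshok_fromreplyto.cf /etc/mail/spamassassin/01_extremeshok_fromreplyto.cf
fi
cd
rm -rf -- "${_sa_tmp:?}"

## - check the rule.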
## - if all is fine there is no output
## -
spamassassin --lint
## - or check with debug mode
## -
spamassassin -D --lint
## - create a update-script using sa.update
## -
mkdir -p /root/bin
## - NOTE(review): the next line is damaged in this copy: the here-document
## - header after "sa-update.sh", the first sa-update call whose status is
## - stored in code1, and the start of the "if [[ \$code1 ..." test are
## - missing (only "1 ]]; then" survived). Restore them before using the
## - generated script; the "EOF" terminator further down is still present.
cat > /root/bin/sa-update.sh < 1 ]]; then
echo "problem with sa-update"
fi
# NOTE(review): inside [[ ]] the ">" operator compares strings, not numbers;
# the exit-status checks in this script rely on single-digit codes, -gt is
# the numeric form.
# NOTE(review): --allowplugins lets rules from this channel load plugin code
# into SpamAssassin, so the key in /etc/spamassassin/sa_keys is the only
# trust anchor for that code; keep it scoped to this channel file.
sa-update --allowplugins --channelfile /etc/spamassassin/sa_channel --gpgkeyfile /etc/spamassassin/sa_keys
code2=\$?
if [[ \$code2 > 1 ]]; then
echo "problem with sa-update using channelfile.."
fi
## - Get rules from heinlein-support.de
## -
## - see:
## - https://www.heinlein-support.de/blog/news/aktuelle-spamassassin-regeln-von-heinlein-support/
## -
# NOTE(review): --nogpg skips signature verification, so these rules are
# accepted from whatever answers for the channel name. If the channel
# publishes a signing key, import it and drop --nogpg -- confirm.
sa-update --nogpg --channel spamassassin.heinlein-support.de
code3=\$?
if [[ \$code3 > 1 ]]; then
echo "problem with sa-update using channel spamassassin.heinlein-support.de.."
fi
# NOTE(review): the sum test below does not guarantee that no channel
# failed: e.g. code1=2 with the others 0 gives 2 < 4, so the lint and the
# amavis restart still run after an update error. Testing each code
# individually (as the messages above already do) would be stricter.
# The backtick/expr form could be written as \$(( code1 + code2 + code3 )).
if [[ \`expr \$code1 + \$code2 + \$code3\` < 4 ]]; then
spamassassin --lint
code4=\$?
if [[ \$code4 = 0 ]]; then
#svc -h /service/spamd
#/etc/init.d/spamassassin restart > /dev/null
/etc/init.d/amavis restart >/dev/null
else
echo "spamassassin failed to lint"
fi
fi
# Fixup perms -- group and other should be able to read and execute,
# but never write. Works around sa-compile's failure to obey umask.
if [ -d /var/lib/spamassassin ]; then
chown -R debian-spamd:debian-spamd /var/lib/spamassassin
chmod -R go-w,go+rX /var/lib/spamassassin
chmod 700 /var/lib/spamassassin/sa-update-keys
chmod 600 /var/lib/spamassassin/sa-update-keys/*
fi
if [ -d /var/lib/amavis ]; then
chown -R amavis:amavis /var/lib/amavis
fi
EOF
chmod 755 /root/bin/sa-update.sh
## - add a cronjob for spamassassin updates
## -
## - NOTE(review): /tmp/tmp_crontab is a fixed, predictable name in a
## - world-writable directory (mktemp avoids that), and the entry is appended
## - unconditionally, so every re-run of this step duplicates it. The same
## - applies to the sa-compile cronjob step further down.
crontab -l > /tmp/tmp_crontab
echo "" >> /tmp/tmp_crontab
echo "# - update spamassassin rules" >> /tmp/tmp_crontab
echo "# -" >> /tmp/tmp_crontab
echo "33 1 * * * /root/bin/sa-update.sh" >> /tmp/tmp_crontab
crontab /tmp/tmp_crontab
rm /tmp/tmp_crontab
## - Since we have the Mail::DKIM Perl module installed, we can optionally
## - enable the SpamAssassin DKIM plugin:
## -
## - uncomment the plugin:
## - loadplugin Mail::SpamAssassin::Plugin::DKIM
vim /etc/spamassassin/v312.pre
## - Save and exit the file, then run --lint:
su amavis -c 'spamassassin --lint'
## - With SpamAssassin version 3.2 or newer, we can optionally compile
## - some body rules so they execute faster. Start by running sa-compile
## - for the first time and check for errors:
## -
sa-compile
## - If it looks like it didn't crash, enable plugin
## - Mail::SpamAssassin::Plugin::Rule2XSBody
## -
vim /etc/spamassassin/v320.pre
## - uncomment the line:
## - # loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
## -
## - Save and exit the file, then run --lint:
su amavis -c 'spamassassin --lint'
## - create a update-script that will run sa-compile
## -
mkdir -p /root/bin/
## - NOTE(review): damaged line: the here-document header after
## - "sa-compile.sh" and the conditional that actually runs sa-compile are
## - missing; only its tail ("> /dev/null 2>&1", "fi") and the "code1=\$?"
## - capture survived. Restore them before using the generated script.
cat > /root/bin/sa-compile.sh < /dev/null 2>&1
fi
code1=\$?
# On failure the Rule2XSBody plugin is commented out in v320.pre; on success
# a previously commented line ("#" followed by any number of spaces) is
# re-enabled. Either way amavis is restarted so it picks up the change.
# NOTE(review): "test -x ... || exit 0" leaves the script before the
# permission fixup at the bottom when amavisd-new is not installed.
if [[ \$code1 > 0 ]]; then
echo "problem with sa-compile, turning off Rule2XSBody plugin"
sed -i 's/loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody/#loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody/' /etc/spamassassin/v320.pre
test -x /usr/sbin/amavisd-new || exit 0
/etc/init.d/amavis restart >/dev/null
else
sed -i 's/#\ *loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody/loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody/' /etc/spamassassin/v320.pre
test -x /usr/sbin/amavisd-new || exit 0
/etc/init.d/amavis restart >/dev/null
fi
# Fixup perms -- group and other should be able to read and execute,
# but never write. Works around sa-compile's failure to obey umask.
if [ -d /var/lib/spamassassin ]; then
chown -R debian-spamd:debian-spamd /var/lib/spamassassin
chmod -R go-w,go+rX /var/lib/spamassassin
chmod 700 /var/lib/spamassassin/sa-update-keys
chmod 600 /var/lib/spamassassin/sa-update-keys/*
fi
if [ -d /var/lib/amavis ]; then
chown -R amavis:amavis /var/lib/amavis
fi
EOF
chmod 755 /root/bin/sa-compile.sh
## - add a cronjob for compiling rules
## -
## - NOTE(review): this runs at 00:53, i.e. before sa-update.sh at 01:33, so
## - rules fetched during the night are only compiled on the following
## - night -- presumably acceptable, confirm.
crontab -l > /tmp/tmp_crontab
echo "" >> /tmp/tmp_crontab
echo "# - compiling rules (SpamAssassin)" >> /tmp/tmp_crontab
echo "# -" >> /tmp/tmp_crontab
echo "53 0 * * * /root/bin/sa-compile.sh" >> /tmp/tmp_crontab
crontab /tmp/tmp_crontab
rm /tmp/tmp_crontab
## - Install DCC
## -
## - DCC is available from the Debian archives, but we will get it from the
## - author and compile it from the source code. Installing it from source
## - is a good exercise and we have better control over how it installs.
## - Installing from source allows us to customize the installation for use
## - with amavisd-new. Note that as of version 1.3.0 of DCC
## - http://www.commtouch.com/ has exclusive marketing rights for DCC. If you
## - resell anti-spam solutions that use DCC and you do not provide your DCC
## - data to the public, you will need to pay for DCC. Please read the license.
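## -
## - Build and install DCC (dccproc) from the upstream source archive.
## - NOTE(review): the archive is fetched over plain HTTP and neither a
## - checksum nor a signature is verified before it is compiled and installed
## - as root; check the download against a value published by the project
## - before running the configure/make step.
cd /usr/local/src || exit 1
mkdir -p dcc
cd dcc || exit 1
wget http://www.dcc-servers.net/dcc/source/dcc-dccproc.tar.Z
tar xzvf dcc-dccproc.tar.Z
## - Change to the unpacked, versioned source directory. The glob replaces
## - the interactive "[tab]" completion so the step also works when pasted;
## - it fails if the directory is missing or ambiguous instead of running
## - configure in the wrong place.
cd dcc-dccproc-*/ || exit 1
## - configure and install
## -
./configure --with-uid=amavis && make && make install
## - Update file ownership:
chown -R amavis:amavis /var/dcc
## - Test our installation with:
cdcc info
## - We should get 'requests ok' from the servers (but 'not answering'
## - from 127.0.0.1 is expected).
## - The instructions say to run cron-dccd each day to clean things up, so we will do that.
## -
## - add a cronjob for cleaning up dcc
## -
## - The working copy of the crontab goes to a mktemp-created file instead of
## - a fixed name in /tmp, and the entry is only appended when it is not
## - already present, so re-running this step does not duplicate it.
_tmp_crontab=$(mktemp) || exit 1
crontab -l > "$_tmp_crontab"
if ! grep -qF -- '/var/dcc/libexec/cron-dccd' "$_tmp_crontab"; then
  echo "" >> "$_tmp_crontab"
  echo "# - cleaning up dcc (Distributed Checksum Clearinghouses)" >> "$_tmp_crontab"
  echo "# -" >> "$_tmp_crontab"
  echo "13 1 * * * /var/dcc/libexec/cron-dccd" >> "$_tmp_crontab"
  crontab "$_tmp_crontab"
fi
rm -f -- "$_tmp_crontab"
## - enable dccifd:
## -
## - edit /etc/spamassassin/v310.pre
## - uncomment the plugin:
## - loadplugin Mail::SpamAssassin::Plugin::DCC
vim /etc/spamassassin/v310.pre
## - edit /etc/spamassassin/local.cf
## -
## - add/uncomment:
## - use_dcc 1
## - dcc_home /var/dcc
## -
vim /etc/spamassassin/local.cf
## - edit /var/dcc/dcc_conf
## -
vim /var/dcc/dcc_conf
## - and change
## - DCCIFD_ENABLE=off
## - to:
## - DCCIFD_ENABLE=on
## -
## - Then change:
## - DBCLEAN_LOGDAYS=14
## - to:
## - DBCLEAN_LOGDAYS=1
## -
## - save and exit.
## -
## - ## - If you choose to allow logging, cron-dccd should delete old log files
## - ## - when it runs. Keep your eye on the files that accumulate in the
## - ## - /var/dcc/log directory.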
## - It's your choice, but I personally don't want to
## - ## - monitor the DCC logs, so I turn off logging altogether by deleting the
## - ## - log directory and commenting out the logdir entry in dcc_conf:
## - ## -
## -
rm -r /var/dcc/log
## -
vim /var/dcc/dcc_conf
## - and comment out:
## - DCCIFD_LOGDIR="$DCCM_LOGDIR"
## - We will use a supplied script (rcDCC) to automatically
## - start dccifd when we boot up:
## -
## - NOTE(review): rcDCC is installed as a SysV init script under the name
## - "adcc"; "systemctl enable adcc" then depends on systemd generating a
## - unit from /etc/init.d -- confirm on the target release.
cp /var/dcc/libexec/rcDCC /etc/init.d/adcc
# update-rc.d adcc defaults
# or within systemd
systemctl enable adcc
/etc/init.d/adcc start
## - Now test it with SpamAssassin:
## - NOTE(review): where /tmp/sample-spam.txt comes from is not shown in this
## - section; it is removed again at the end.
su amavis -c 'spamassassin -D < /tmp/sample-spam.txt'
## - Now test that SpamAssassin finds dccifd:
## -
## - NOTE(review): the next line is damaged in this copy: the redirections
## - between "dcc" and "&1" are missing and the single quote is left
## - unbalanced, which would swallow the rest of the file. Rebuild it from
## - the test command above before running it.
su amavis -c 'spamassassin -D dcc &1 | grep dccifd
## - You should see: dbg: dcc: dccifd got response:
## - [15744] dbg: dcc: dccifd default local socket chosen: /var/dcc/dccifd
## - [15744] dbg: dcc: connecting to a local socket /var/dcc/dccifd
## - [15744] dbg: dcc: dccifd got response: X-DCC-EATSERVER-Metrics: vserver08 1166; Body=many Fuz1=many Fuz2=many
rm /tmp/sample-spam.txt