$geturl = $_SERVER['SERVER_NAME'] ?>
15 - qmail-scanner w/qms-analog
If you will recall, when we compiled qmail earlier in this installation, we applied a patch to qmail called "qmailqueue.patch". This patch allows qmail to be configured to run with a substitute queuing mechanism. That's exactly what were about to do here. We're going to tell qmail to use Qmail-Scanner as the queuing mechanism. Qmail-scanner is going to allow us to integrate Clam Antivirus and SpamAssassin into our qmail server's mail queue. Once qmail-scanner is installed, there will be a master script that is filled with configuration options that help you to tailor the functionality of Clam Antivirus and SpamAssassin to your needs. To expand the number of configuration options, we are also going to apply a patch to qmail-scanner. For this patch, we will be using Mark Teel's qms-analog patch. Qms-analog incorporated the widely used qmail-scanner-st patch but it also adds some cool reporting functionality as well which we will utilize later in this installation guide. So let's get on it!
tar zxvf qmail-scanner-1.25.tgz
Now unpack qms-analog...
tar zxvf qms-analog-0.4.2.tar.gz
Install qms-analog itself. This will come in handy in the next step when we install Qmailanalog.
Next, we copy needed qms-analog files to the qmail-scanner source directory...
cp qmail-scanner-1.25-st-qms-YYYYMMDD.patch /downloads/qmailrocks/qmail-scanner-1.25/
Now, let's apply the qms-analog patch...
patch -p1 < qmail-scanner-1.25-st-qms-YYYYMMDD.patch
Now we will configure qmail-scanner and install it. Ordinarily, you would run the ./configure script to configure and install qmail-scanner. However, Mark Teel has donated a handy little config script that does most of the work for you.This script is called "qms-config-script" and, if you look above, you should have already copied this config script into the qmail-scanner source directory.
How you go about configuring and installing qmail-scanner from this point on depends on how you server's installation of Perl is configured. For the purposes of this installation, there are 2 Perl setups.
1. Perl is configured to allow for setuid functions.
2. Perl is not configured for setuid functionality and, in fact, does not permit it.
We'll start off with the configuration step for a server that allows setuid. However, if you run into setuid errors, you can jump to a set of instructions for servers that do not allow setuid functionality.
So let's do it...
First, you need to configure the script for your needs...
You will notice several fields that need to be customized to fit your needs. Let's have a look. I've highlighted the fields you should customize in RED
if [ "$1" != "install" ]; then
./configure --domain yourdomain.com \
Now save and exit out of the config file. That was easy, wasn't it.
And now we will run a test config for qmail-scanner...
chmod 755 qms-config
Answer YES to all questions. If you get no errors, you can then run the script in "install" mode and this will install qmail-scanner on your server.
If you didn't get any errors on the test run above, then you should be ok to run the "real" installation script below. So let's do it...
Again, answer YES to all questions. If you get no errors, you can then run the script in "install" mode and this will install qmail-scanner on your server. If you do get errors, check out these troubleshooting tips.
And now all that's left for qmail-scanner is to initiate the version file and the perlscanner database...
First, we'll initialize the version file. This command also helps to keep your server's /var/spool/qmailscan folder clear of rogue files that can develop when SMTP sessions are dropped. You may want to stick this command into your server's crontab and run it once a day. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial.. So let's run it...
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
And now we will generate a new perlscanner database for qmailp-scanner. For future reference, it's a good idea to run this next command whenever you upgrade qmail-scanner. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's do i t...
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g
A successful database build should produce the following output:
generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt
And now one final ownership check...
chown -R qscand:qscand /var/spool/qmailscan
Woohoo, qmail-scanner is installed! Now it's time to tie qmail-scanner into qmail itself.
To instruct Qmail to use Qmail-Scanner as the alternative queuing mechanism, we add the following line to the SMTP "run" script right under the first line (#!/bin/sh):
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" ; export QMAILQUEUE
..and we change the "softlimit" in that same script...
change softlimit to 40000000
Note: It is absolutely vital that you change the "Softlimit" setting in this script. If you don't, qmail may fail to deliver mail!!!
So now the qmail-smtp/run file should look like this:
Once you've got the qmail-smtpd file modified, save the changes and exit from the file. Now we will finalize the qmail-scanner installation by going over some post-install configuration options. After that, we'll fire everything up and take qmail-scanner for a test drive!
and start it...
And a quick check of the qmail processes, just to be safe..
Now it's time to test the whole damn thing to see if Qmail-Scanner, Spamassassin and Clam AV are all working correctly. Fortunately, Qmail-Scanner comes with it's own testing script that does a fantastic job. So let's test it!
chmod 755 test_installation.sh
A successful test should produce the following output. 2 messages should be quarantined by Clam Antivirus in /var/spool/quarantine/new and 2 messages should be set to whatever mailbox you specified in the Qmail-scanner configuration script. Don't worry if you don't get virus notification emails. The normal notification emails that get sent out upon virus detection usually don't work during the test.
setting QMAILQUEUE to /var/qmail/bin/qmail-scanner-queue.pl for this test...
standard test message - no viruses...
eicar test virus - should be caught by perlscanner module...
Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)...
bad spam message for anti-spam testing - In case you are using SpamAssassin...
Finished test. Now go and check Email for email@example.com
If you get 2 messages in your inbox and you see 2 messages in the quarantine folder, it's time to crack open a cold one! You've successfully installed all 3 packages! Woohoo!
Summary of functionality:
If you've gotten to this point, you should have Clam Anti-Virus, Spamassassin and Qmail-Scanner all working together. When a messages comes into the server, Qmail-Scanner takes the message and pipes it out to both Clam Anti-Virus and Spamassassin. If the message contains a virus, Clam AV quarantines it a /var/spool/qmailscan/quarantine and then send a notification e-mail to whoever you specified in the Qmail-Scanner installation. If the message does not contain a virus, it is then scanned by Spamassassin. Depending on the score that Spamassassin assigns to the message and whether or not that score breaks the SPAM threshold set by you in the /var/qmail/.spamassassin/user_prefs file, Spamassassin will either let the message go unaltered to its destination or it will tag the message as SPAM. If the message is tagged as SPAM, it will still arrive at its destination, but with an altered "subject" that will signal to the recipient that this was tagged as SPAM. The text that gets appended to the "subject" of the e-mail is set in the /var/qmail/bin/qmail-scanner-queue.pl file. (For example: If you set qmail-scanner-queue.pl to tag all SPAM with "HI, I'M SPAM!", mail tagged as such will be delivered to the recipient with "HI, I'M SPAM" added to the subject. Once the message is tagged, the recipient can then configure his/her mail client to deal with those tagged message in whatever manner he/she sees fit. Alternatively, you can tell Spamassassin to delete all suspected spam messages (like I do). You can find directions for this in the "Hints" box above.