LinuxSir.cn, the Linuxsir that travels through time!

Anti-Virus with Sendmail

Posted on 2004-4-13 11:02:39
Reposted from: http://www2.defcon1.org/html/Sof ... tware_articles.html

Anti-Virus with Sendmail and FBSD
       
       

  This is a very nice add-on for ISPs, or for anyone who wants to safeguard their system against viruses in incoming email.  The following article walks you through installing and setting up the several programs needed to get this done.
       
       

  The files you are going to need are those for AMaViS (A Mail Virus Scanner) and UVScan, the actual anti-virus program.  AMaViS acts as the integration layer between sendmail and the anti-virus program; the two work together to perform the virus check.  I will include the files that I used in this article for download, but please note that you might want to go to the web sites and see whether these files have been updated, and download the newest versions for improvements, bug fixes, etc.

  www.amavis.org    and   www.nai.com/asp_set/buy_try/try/products_evals.asp

NOTE:
  Also, please use this program at your own risk: running it WILL increase the processor load on the machine, as it has to scan each and every mail packet coming into your machine.  On a very large and busy mail server it will elevate the load quite a bit, so consider this your pre-warning.
       
       

amavis-0.2.1.tar
vbsd412e.tar.Z
       
       

As a first step, I would recommend that you install the following ports from /usr/ports/archivers:
   arc
   lha
   rar
   pkzip
   unzip
   unarj
   unrar
   zip
   zoo

The reason for this is that if an email carries compressed files, your machine needs to be able to open them in order to virus check all attachments. Without these archivers, it cannot unpack the files to check them.

  Installing UVScan :
            gunzip vbsd412e.tar.Z
            tar -xvf vbsd412e.tar

  Then to do the installation of the software do the following :
            ./install-uvscan

  It will ask you a series of questions about where to install the software, etc., on your machine. Once that is done, it will want to virus check your machine.  When this completes, the program is installed, and you are ready to go to the next step of installing your virus checker.


Installing Amavis
  Before we continue, let's make a copy of our sendmail.cf file, so that in case we do anything stupid we can copy the old sendmail.cf back and get sendmail working again.
cd /etc
cp sendmail.cf sendmail.cf.old

Next Step:
Copy amavis-0.2.1.tar to /usr/local and unpack it, then configure, build and install the program:
cp amavis-0.2.1.tar /usr/local
cd /usr/local
tar -xvf amavis-0.2.1.tar
cd amavis-0.2.1
./configure
make
make install


Installing MetaMail :
  You now need to compile the metamail port in the following directory:
        /usr/ports/mail/metamail
            make all install clean

Installing ProcMail :
  You now need to compile the procmail port in the following directory:
        /usr/ports/mail/procmail
            make all install clean


Modifying /etc/sendmail.cf manually

In your sendmail configuration file (usually /etc/sendmail.cf) the local mail delivery agent needs to be changed (typically this is one of procmail, deliver or mail).
Find the line that begins with Mlocal and change the program that is called after the "P=" directive. The same change also has to be made after the "A=" directive.
For example:

      Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
      T=DNS/RFC822/X-Unix,
      A=procmail -Y -a $h -d $u

changes to:

      #Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
      # T=DNS/RFC822/X-Unix,
      # A=procmail -Y -a $h -d $u

      Mlocal, P=/usr/sbin/scanmails, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
      T=DNS/RFC822/X-Unix,
      A=scanmails -Y -a $h -d $u

Please have a look at the FAQ or BUGS if this leads to a malfunction.

Note: If you prefer the m4 technique to configure sendmail, please read below.

Test Installation

So, how do you test if your installation has been successful? Don't ask me to send a wild virus ;-). Instead, create a file called eicar.com with the following contents:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

(The file should end up being 69 bytes long). As an alternative, feel free to download the file at: http://www.eicar.org/download/eicar.com
This should be recognized as a test pattern. It is NOT a virus, just a test pattern that triggers the alert. Use this file in your mail. Try sending it as binhex, tar'ed, gzip'ed, uuencoded, etc.
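
As an added example (not part of the original article or the AMaViS distribution), the following shell check covers the manual Mlocal edit described under "Modifying /etc/sendmail.cf manually": it confirms that the active definition names the same program in P= and A=, and that the program is the scanmails wrapper. The function names and the sample fragments are constructed for illustration, and continuation lines are assumed to be indented.

```shell
#!/bin/sh
# Added example (not from the article): verify that the active Mlocal mailer
# in a sendmail.cf names the same program in P= and A=, and that it is the
# expected wrapper.
# Usage: check_mlocal FILE [EXPECTED]   exit 0 = ok, 1 = mismatch, 2 = no Mlocal
check_mlocal() {
    awk -v want="${2:-scanmails}" '
        /^Mlocal,/        { inblk = 1; def = $0; next }   # active definition
        inblk && /^[ \t]/ { def = def " " $0; next }      # indented continuation
                          { inblk = 0 }                   # comments, other lines
        END {
            if (def == "") { print "no active Mlocal definition"; exit 2 }
            n = split(def, f, ",[ \t]*")
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^P=/) p = substr(f[i], 3)
                if (f[i] ~ /^A=/) { split(substr(f[i], 3), a, " "); a0 = a[1] }
            }
            m = split(p, pp, "/"); pbase = pp[m]          # basename of P=
            print "P=" p " A=" a0
            if (pbase != a0)   { print "MISMATCH: P= and A= name different programs"; exit 1 }
            if (pbase != want) { print "NOT WRAPPED: expected " want; exit 1 }
            print "OK"
        }' "$1"
}

# Constructed sample fragments modelled on the article's before/after lines.
make_samples() {
    cat > "$1/good.cf" <<'EOF'
#Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
# T=DNS/RFC822/X-Unix,
# A=procmail -Y -a $h -d $u
Mlocal, P=/usr/sbin/scanmails, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
      T=DNS/RFC822/X-Unix,
      A=scanmails -Y -a $h -d $u
EOF
    # Half-finished edit: P= was changed, A= still calls procmail.
    sed 's/A=scanmails/A=procmail/' "$1/good.cf" > "$1/half.cf"
}

tmp=$(mktemp -d) && make_samples "$tmp"
check_mlocal "$tmp/good.cf" || echo "exit=$?"
check_mlocal "$tmp/half.cf" || echo "exit=$?"
rm -rf "$tmp"
```

Run against the real file as `check_mlocal /etc/sendmail.cf` after editing and before restarting sendmail.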