Postfix gateway + Spamassassin + Amavis-new + H+BEDV

Post by coper » Wed Jun 30, 2004 12:26 am

Background: our school uses the mail2000 campus free-license software. Its web interface is quite user-friendly and its speed and performance are good, but blocking spam and scanning mail for viruses are a real headache. There are two ways to solve this:
1. Disable mail2000 entirely and switch to postfix, Sendmail or another MTA; but the thought of recreating all the accounts is a headache. Colleagues would also have to export the mail in the old system, and we would have to teach them how; and the address books exported from mail2000 don't seem to be compatible with the address books of other web interfaces. So this was dropped.
2. Set up a mail gateway that receives all mail addressed to our domain, applies the spam and antivirus handling, and, if nothing is wrong, forwards it to the terminal MTA inside the domain, i.e. the mail2000 mail server.
Below is material I found on the net, tidied up and installed on RedHat 9, where it works normally; I offer my experience for everyone's reference.
amavisd-new is a new amavis Perl module with high performance, mail content checking (SpamAssassin) and virus scanners (it can integrate as many as 28 virus scanning programs). It is written in Perl, so performance has grown greatly. It can talk to the MTA using the SMTP and LMTP protocols.

Next I'll explain the flow of postfix + amavisd-new, shown in the figure below.

[Figure: postfix + amavisd-new message flow]
(1) Mail to be delivered is received from the Internet (smtpd) or locally (pickup)
(2) The mail is passed to cleanup
(3) The mail is passed to qmgr
(4) Because of the content_filter setting, the mail is handed to smtp-amavis
(5) amavisd-new performs the content filter and virus scan
(6) amavisd-new hands the mail back to smtpd on port 10025 (127.0.0.1:10025)
(7) The mail is passed to cleanup
(8) The mail is passed to qmgr
(9) The mail is delivered to the Internet (smtp) or locally (local)
(Since my setup is a gateway, mail is sent out via smtp.)

Installation environment

RedHat 9.0(2.4.20)
postfix-1.1.11-11
amavisd-new-20030616-p9_rh9_2
H+BEDV
perl-5.8.0-88

Installing H+BEDV
1. Download the antivirus software from http://www.antivir.de/dateien/antivir/r ... vlxwks.tgz. Basically any antivirus software for Linux will do, because amavis does not scan for viruses itself; as mail passes through the filter it calls the antivirus program to scan it.
Note: when downloading from the URL above, non-commercial use gets a two-month license (virus signature updates can be scheduled at any time); when it expires you can register again on their website (again good for two months).
2. # tar zxvf avlxwks.tgz
3. # cd antivir-workstation-2.1.1
4. # ./install
5. By default it installs the software in /usr/lib/AntiVir (command line)

Installing and configuring amavisd-new
1. Because amavisd-new uses many Perl packages, the other packages need to be installed first.
The following packages must be installed.
First of all Perl must be installed; it is on the RedHat installation CD, so go ahead and install it!! Perl 5.005 or later is required. Then install the other packages through perl -MCPAN.
Use the following steps:
[root@xxx root]# perl -MCPAN -e shell
To install MIME::Words, for example, type install MIME::Words at the prompt, as shown below.
cpan> install MIME::Words
The following Perl packages are required:
1. MD5
2. LWP
3. Mail::Internet
4. Archive::Tar
5. Archive::Zip
6. IO::Wrap
7. IO::Stringy
8. Unix::Syslog
9. MIME::Words
10. MIME::Head
11. MIME::Body
12. MIME::Entity
13. MIME::Parser
14. Net::SMTP
15. Net::DNS (when prompted to enable tests, choose no)
16. Net::Ping
17. Net::Server
18. Net::Server::PreForkSimple
19. Convert::TNEF
20. Convert::UUlib
21. MIME::Decoder::Base64
22. MIME::Decoder::Binary
23. MIME::Decoder::Gzip64
24. MIME::Decoder::NBit
25. MIME::Decoder::QuotedPrint
26. MIME::Decoder::UU
27. Time::HiRes
28. Digest::SHA1
29. Digest::Nilsimsa
30. Getopt::Long
31. File::Copy
32. Bit::Vector
33. Date::Calc
Note: if installing them one by one is too much trouble, you can install them all at once:
install MD5 LWP Mail::Internet Archive::Tar Archive::Zip IO::Wrap IO::Stringy Unix::Syslog MIME::Words MIME::Head MIME::Body MIME::Entity MIME::Parser Net::SMTP Net::DNS Net::Ping Net::Server Net::Server::PreForkSimple Convert::TNEF Convert::UUlib MIME::Decoder::Base64 MIME::Decoder::Binary MIME::Decoder::Gzip64 MIME::Decoder::NBit MIME::Decoder::QuotedPrint MIME::Decoder::UU Time::HiRes Digest::SHA1 Digest::Nilsimsa Getopt::Long File::Copy Bit::Vector Date::Calc
If any package dependency problems come up, please install those packages too.
Then install spamassassin as well:
install Mail::SpamAssassin
Installation takes a while; please be patient.
You can also install some packages so that compressed archives attached to mail can be checked:
gzip: included in Red Hat 9
bzip2: included in Red Hat 9
nomarch: http://rus.members.beeb.net/nomarch.html
arc: http://teacher.ylps.tp.edu.tw/~coper/am ... 2.i386.rpm
lha: http://www2m.biglobe.ne.jp/~dolphin/lha/prog/
unarj: http://teacher.ylps.tp.edu.tw/~coper/am ... 2.i386.rpm
rar, unrar: http://teacher.ylps.tp.edu.tw/~coper/am ... 5.i386.rpm
zoo: http://teacher.ylps.tp.edu.tw/~coper/am ... 8.i386.rpm
cpio: ftp://ftp.gnu.org/pub/gnu/cpio
lzop: http://www.lzop.org/download/
freeze: ftp://ftp.warwick.ac.uk/pub/compression/

1. Install amavisd-new
(1) Download the amavisd-new package ( http://www.ijs.si/software/amavisd/ )
(2) Extract the package
1. cp amavisd-new-20030314-p1.tar.gz /tmp
2. cd /tmp
3. tar zxvf amavisd-new-20030314-p1.tar.gz
4. cd amavisd-new-20030314
(3) Copy the executable and configuration file to the appropriate locations
1. cp amavisd /usr/local/sbin/
2. chown root /usr/local/sbin/amavisd
3. chmod 755 /usr/local/sbin/amavisd
4. cp amavisd.conf /etc/
5. chown root /etc/amavisd.conf
6. chmod 644 /etc/amavisd.conf
7. cp amavisd_init.sh /etc/rc.d/init.d/amavisd
8. chkconfig --levels 2345 amavisd on (start amavisd in runlevels 2, 3, 4 and 5)
(4) Create the amavisd user and group
useradd -d /dev/null -s /sbin/nologin amavis

(5) Create amavisd's working directory and virus quarantine directory
mkdir /var/amavis
chown amavis.amavis /var/amavis
chmod 750 /var/amavis

mkdir /var/virusmails
chown amavis.amavis /var/virusmails
chmod 750 /var/virusmails
(6) Set $TEMPBASE to the working directory just created, as follows
$TEMPBASE = "/var/amavis";
(7) Set $QUARANTINEDIR to the quarantine directory just created
$QUARANTINEDIR = '/var/virusmails';
(8) Set the destination to which checked mail is forwarded, and set the notification method to $forward_method
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;
Set the IP and port amavisd-new listens on, and the host IPs allowed to relay through it
$inet_socket_bind = '127.0.0.1';
$inet_socket_port = 10024;
@inet_acl = qw( 127.0.0.1 );
(9) Set how virus, banned and spam mail is handled
D_PASS: no action; the mail is delivered straight to the recipient.
D_DISCARD: the mail is delivered to neither the sender nor the recipient.
D_BOUNCE: not delivered to the recipient; except for mail carrying a virus whose name matches $viruses_that_fake_sender_re, amavisd-new sends a DSN message to the sender.
D_REJECT: not delivered to the recipient; the sender receives a delivery-refused message.
$final_virus_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_REJECT; # (defaults to D_REJECT)
(10) In addition, the following values can be raised or lowered according to the machine's capacity
$max_servers = 20;
$max_requests = 100;
$child_timeout=5*60;
$virus_admin = "administrator\@$mydomain";
(When running as a mail gateway, change this variable to your terminal mail server, e.g. $virus_admin = "coper\@ylps.tp.edu.tw")
$spam_admin = "administrator\@$mydomain";
$mailfrom_notify_admin = "administrator\@$mydomain";
$mailfrom_notify_recip = "administrator\@$mydomain";
$mailfrom_notify_spamadmin = "administrator\@$mydomain";
Note: remember to include the escape character \ .
I won't describe installing Postfix here.
(1) First modify /etc/postfix/master.cf and add the following entries
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
localhost:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o mynetworks=127.0.0.0/8
    -o relay_recipient_maps=
(2) Configure /etc/postfix/main.cf
Add or modify the following line:
content_filter = smtp-amavis:[127.0.0.1]:10024

Next comes the mail forwarding setup. There are two parts to handle:
1. DNS: point the MX record for mail addressed to the domain at the mail gateway host; if other mail host names are also used as destinations, add MX records pointing them at the mail gateway host as well, so that all mail goes to the mail gateway first and is forwarded from there. As for mail sent from inside to the outside, I have not set it up to go through the mail gateway; that part still needs more reading.
2. Postfix settings:
1. Modify the settings in /etc/postfix/main.cf (the following two items must be set for forwarding to work; for the rest refer to other documentation, which I won't repeat here)
relay_domains = mymail.ylps.tp.edu.tw mail.ylps.tp.edu.tw ylps.tp.edu.tw
Add the following line
transport_maps = hash:/etc/postfix/transport
2. Edit transport
# vi /etc/postfix/transport
Add the following lines at the end
mymail.ylps.tp.edu.tw smtp:[mymail.ylps.tp.edu.tw]
ylps.tp.edu.tw smtp:[mymail.ylps.tp.edu.tw]

This tells postfix that when it receives external mail addressed to username@mymail.ylps.tp.edu.tw it should forward it over smtp to mymail.ylps.tp.edu.tw (your terminal mail server).
If there are other terminal mail servers, configure them the same way.
The second line is configured by domain.
Save the file when done.
3. Run postmap /etc/postfix/transport; this creates the transport.db file.

4. Restart postfix
# service postfix restart OR
# /etc/rc.d/init.d/postfix restart
Start amavisd
# service amavisd start OR
# /etc/rc.d/init.d/amavisd start

Testing
# cd /tmp/amavisdxxxxxx/testmessages
# sendmail -i your-address@example.com < sample-virus-simple.txt

Now check /var/log/maillog; the messages should look like this:
Jun 30 00:04:53 firewall 6月 30 00:04:52 amavis[10853]: Found primary av scanner H+BEDV AntiVir or CentralCommand Vexira Antivirus at /usr/sbin/antivir
Jun 30 00:04:53 firewall 6月 30 00:04:52 amavis[10853]: Found secondary av scanner Trend Micro FileScanner at /etc/iscan/vscan
Jun 30 00:04:53 firewall 6月 30 00:04:52 amavis[10853]: SpamControl: initializing Mail::SpamAssassin
Jun 30 00:04:57 firewall 6月 30 00:04:57 amavis[10853]: SpamControl: done
This shows that both spam and virus scanning are up. Now use the city network to send a message to a school mailbox and check; if the message arrives, it should have worked.


References: zoob (vincent@myunix.adsldns.org)
Postfix: The Definitive Guide
Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC by Scott Vintinner
A few notes for everyone's reference; if you have questions, you're welcome to study and discuss them together.
coper@mymail.ylps.tp.edu.tw

Detailed PDF:
http://teacher.ylps.tp.edu.tw/~coper/amavisd/postfix.pdf
coper
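The master.cf re-injection listener on port 10025 and the amavisd.conf @inet_acl in the post above are the two places where a typo turns the gateway into a mail loop or a port where unscanned mail can be injected. The checker below is an added example, not code from the post or from Postfix/amavisd-new; it parses constructed copies of those settings and reports the dangerous deviations.

```python
import re

# Constructed sample of the thread's 10025 re-injection entry; '-o' overrides are indented
MASTER_CF = """\
localhost:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o mynetworks=127.0.0.0/8
    -o relay_recipient_maps=
"""
# Constructed sample of the amavisd.conf relay ACL from the thread
AMAVISD_CONF = "@inet_acl = qw( 127.0.0.1 );\n"

def parse_master_cf(text):
    """Map each service name to its dict of '-o key=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # indented line continues the current service
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
            if m and current:
                services[current][m.group(1)] = m.group(2).strip()
            continue
        current = line.split()[0]
        services[current] = {}
    return services

def lint_gateway(master_cf, amavisd_conf):
    """Return findings; an empty list means the settings match the safe pattern."""
    findings, services = [], parse_master_cf(master_cf)
    name = next((n for n in services if n.endswith(":10025")), None)
    if name is None:
        return ["no re-injection listener on port 10025"]
    if name.split(":")[0] not in ("localhost", "127.0.0.1"):
        findings.append("%s is reachable beyond loopback: unscanned mail can be injected" % name)
    opts = services[name]
    if opts.get("content_filter") != "":  # must be present and empty
        findings.append("content_filter not cleared on 10025: mail loops back into amavisd")
    if opts.get("mynetworks") != "127.0.0.0/8":  # a misspelled -o name never takes effect
        findings.append("mynetworks override on 10025 missing or wider than loopback")
    acl = re.search(r"@inet_acl\s*=\s*qw\(([^)]*)\)", amavisd_conf)
    if not acl or acl.group(1).split() != ["127.0.0.1"]:
        findings.append("@inet_acl admits hosts other than 127.0.0.1")
    return findings
```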
 

Supplement: blocking spam with postfix

Post by coper » Wed Jun 30, 2004 12:38 am

You can also add the following lines to main.cf to block spam mail
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_invalid_hostname
    reject_unknown_sender_domain
    reject_unknown_hostname
    reject_unknown_client
coper
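In the list above the order matters: a permit rule placed before reject_unauth_destination relays for everyone it matches, and the two reject_unknown_* rules also refuse legitimate senders with incomplete DNS. This checker is an added example, not code from the post or from Postfix; it parses a constructed copy of the main.cf fragment and reports both conditions.

```python
# Constructed main.cf fragment mirroring the post; continuation lines are indented
MAIN_CF = """\
relay_domains = mymail.ylps.tp.edu.tw mail.ylps.tp.edu.tw ylps.tp.edu.tw
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_invalid_hostname
    reject_unknown_sender_domain
    reject_unknown_hostname
    reject_unknown_client
"""

def parse_main_cf(text):
    """Map parameter -> value, joining indented continuation lines with spaces."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        key, _, value = line.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

# Permits that may safely precede reject_unauth_destination on a gateway
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
# Restrictions that also refuse legitimate senders whose DNS is incomplete
STRICT_DNS_RULES = {"reject_unknown_client", "reject_unknown_hostname"}

def check_recipient_restrictions(text):
    """Return findings on relay safety; an empty list means nothing to report."""
    rules = parse_main_cf(text).get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    if "reject_unauth_destination" not in rules:
        return ["reject_unauth_destination missing: the gateway is an open relay"]
    findings = []
    for rule in rules[: rules.index("reject_unauth_destination")]:
        if rule.startswith("permit") and rule not in SAFE_PERMITS:
            findings.append("%s precedes reject_unauth_destination: relays for whatever it matches" % rule)
    for rule in rules:
        if rule in STRICT_DNS_RULES:
            findings.append("%s may reject legitimate mail from hosts with incomplete DNS" % rule)
    return findings
```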
 

Post by guest » Wed Jun 30, 2004 1:32 am

A question:
Since amavis is not on the local machine, if mail is sent outside the normal channel, that is, without first querying the DNS MX record and going to the front-end mail exchanger before reaching the real mail server, doesn't it skip the scan altogether?
A lot of virus-sent mail doesn't follow the normal rules!
This is the same as using the scanning service provided by the city network: some will slip through.
The other problem is the one you already raised: how to scan mail sent from inside the school.
With your current approach, the effect is really about the same as using the city network's scanning service directly.
guest
 

An article I saw on the net, for your reference; I haven't had time to translate it.

Post by guest » Wed Jun 30, 2004 7:15 am

At the end of 2001, a rapidly increasing number of email worms were using malformed emails to spread. Popular mail clients, such as Outlook and Outlook Express, are perfectly able to decode damaged or invalid messages containing attachments. However, we realised that a lot of content security programs, such as email virus scanners, were not scanning such attachments at all - because they were not RFC-compliant.


RFC stands for 'Request for Comments' - a set of technical and organizational notes about the Internet which cover many aspects of computer networking, and many of which represent Internet standards, either by practical use or by agreement. For example, they explain how SMTP (Simple Mail Transfer Protocol) or MIME (Multipurpose Internet Mail Extensions) must be implemented and how they work, so that software based on these standards is interoperable. The RFCs can be found at http://www.ietf.org/rfc.html.


Early in 2002 email security problems attracted the interest of the security community. Many methods by which a content scanner can be bypassed were published, yet still many security programs were unable to find attachments in messages whose formatting was a little out of the ordinary.


As partial fixes, anti-virus companies added detection for known viruses using this method as they were transferred as EML files (in RFC 822 format). However, without analysing the problem properly and trying to fix it in their SMTP/MIME parser, any subsequent viruses using the same vulnerabilities to hide themselves would not be detected.


It was reasonable to think that there may be more problems which were as yet undiscovered. A little investigation and experimenting showed that there were indeed several more ways in which a virus could get past email scanners.


During February and March 2002 we (Andreas Marx and Mark Ackermans) discussed possible ways in which these known and a lot of unknown email scanner vulnerabilities could be solved in mail content security software within an acceptable length of time. It was from these discussions that the idea of the malformed email project came about. We enlisted the support of Virus Bulletin and embarked on the project.
guest
 

Setting up a firewall on the terminal mail server

Post by coper » Wed Jun 30, 2004 8:24 am

If a firewall is set up on the terminal mail server that only allows connections (port 25) from the mail gateway host, I think that should block mail that skips the MX record!!
coper
 

Solved the two earlier problems with iptables.

Post by coper » Mon Dec 20, 2004 12:40 am

1. Virus scanning of outgoing mail?
After a message is sent, iptables redirects the packets to the mail gateway, which then sends the message out.
The command is as follows:
iptables -t nat -A PREROUTING -i eth0 -s 192.82.1.6 -p tcp --dport 25 -j DNAT --to 192.82.1.254:25
(192.82.1.6 is your mail2000 host; 192.82.1.254 is the mail gateway)
Note: I put the mail gateway and iptables on the same host; if they are on different hosts, and in a DMZ, the settings may differ because packet MASQUERADE has to be taken into account.
2. Mail that skips the DNS MX record and is sent straight to the (terminal) mail host: a firewall can be set up on the (terminal) mail host to block mail not coming from the mail gateway:
iptables -A INPUT -s ! 192.82.1.254 -p tcp --dport 25 -j DENY
(192.82.1.254 is the mail gateway)
I think this should solve the earlier problems.
coper
 

Correction

Post by coper » Mon Dec 20, 2004 12:47 am

iptables -A INPUT -s ! 192.82.1.254 -p tcp --dport 25 -j DROP
(192.82.1.254 is the mail gateway)
coper
 

