This HOWTO was contributed by Shannon Lekas (Shannon.lekas@flyingmug.com).
This document is fairly rough, and was written after the install, so hopefully I didn't miss anything. The system is RedHat 7.3 with up2date run consistently (including kernel updates). I am running Sophos sweep as a virus scanner, but the amavis package listed below supports about 11 different scanners. This document assumes you already have postfix running and you already have sophos installed. I would suggest using a wget command in a script that runs from cron to get the new sophos IDE files once a week or more. These are the packages I needed to do the install. I do not want to host these rpms, but I have them on a CD and if someone wants to host them I will ftp/email them to you. Alternately you can just search for the exact name below in http://www.google.com/ and you will find most of them on rpmfind.net and some others on random sites.
amavisd-postfix-20010714-3rm.i386.rpm
perl-Convert-UUlib-0.212-1.noarch.rpm
arc-5.21e-4.i386.rpm
perl-IO-stringy-2.108-1.i386.rpm
perl-MailTools-1.50-1.noarch.rpm
db3x-3.2.9-4.i386.rpm
perl-MIME-tools-5.411-2.noarch.rpm
lha-1.14i-4.2rm.i386.rpm
perl-TimeDate-1.10-14.i386.rpm
ncompress-4.2.4-1cl.i386.rpm
perl-Unix-Syslog-0.98-1.noarch.rpm
perl-Archive-Tar-0.22-10.i386.rpm
unarj-2.43-10.i386.rpm
perl-Archive-Zip-1.00-1.i386.rpm
unrar-2.71-1.1rm.i386.rpm
perl-Compress-Zlib-1.16-1.i386.rpm
xbin-2.3-4.i386.rpm
perl-Convert-TNEF-0.17-1.noarch.rpm
zoo-2.10-7.i386.rpm
Once you have downloaded all the packages, begin installing them, installing the amavis rpm last (if you don't you will get dependency errors).
$rpm -Uvh packagename.rpm
Note there are other packages needed, but these were all I was lacking. If you have trouble, contact me and I will send you an rpm -qa extract to compare against my system (Shannon.lekas@flyingmug.com). Be sure to run up2date after you are done installing, and some of the Redhat-built rpms will be updated. Finally, install the Amavis rpm.
$rpm -Uvh amavisd-postfix-20010714-3rm.i386.rpm
You should have no errors at this point. Note that if you get a "%pre scriptlet" error there is an easy solution... that took FOREVER TO FIGURE OUT!!! Open linuxconf and change the UID of whichever user has UID 77. The amavis rpm creates a user called vscan, and if UID 77 is already in use the rpm will fail. After you change the UID the rpm will install without issue. Now execute this command.
$service amavisd start
This will start the daemonized version of amavis that the rpm installed. Note that this rpm package already created the vscan user with a default shell that fails (a non-login shell). This will prevent anyone from logging into a telnet session or console with this ID.
Next modify amavisd.conf file.
$vi /etc/amavisd.conf
You will notice that the config file says
# amavisd (snapshot-20010714) was configured for use with:
# ALL
This means that you will not have to recompile amavis to work with the various antivirus scanners. As I mentioned before, I use sweep, so I removed the "/usr/bin/antivirus" entry in the H+BEDV path and changed it to "":
# H+BEDV AntiVir
$antivir = "";
Next I inserted the path to my sophos antivirus binary:
# Sophos Anti Virus (sweep)
$sophos = "/usr/local/bin/sweep";
$sophos_ide = "/usr/local/sav";
If you have installed sophos in a different directory, or the IDE files in a different directory, make the appropriate change. The key here is to make sure that all antivirus scanners have "" as their path except the scanner you want to use.
Now I would suggest changing the logging so you know what's happening.
$DO_SYSLOG = "yes";
# Directory to put log entries (if not using syslog)
$LOGDIR = "/var/spool/vscan/amavis";
$LOGFILE = "amavis.log";
# 0: default - startup/exit/failure messages
# 1: args passed from client
# 2: virus scanner output
# 3: server client
# 4: decompose parts
$log_level = 4;
Setting $DO_SYSLOG = "yes" means the amavis log entries will be in /var/log/messages. You can open a second ssh session to the box and execute the following command to watch what happens.
$tail -f /var/log/messages
Setting $log_level = 4 means you will get very detailed log messages.
Once you have made these changes, execute the following:
$service amavisd restart
You will see the new logging take effect in the /var/log/messages file as you're tailing it.
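The rule above (every scanner path set to "" except the one you use, and that scanner's binary present) is easy to get wrong when editing a long amavisd.conf. This added shell example, not part of the original HOWTO, checks it against constructed stand-ins for /etc/amavisd.conf; it assumes scanner settings have the one-line form $name = "path"; shown above, and it points $sophos at /bin/sh in the sample purely so the executable check can pass anywhere.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): verify that exactly one
# scanner is enabled in an amavisd.conf-style file and that its binary
# is executable. Assumes one-line settings of the form $name = "path";

# Scanner variables to inspect; the HOWTO names these two, extend the list
# with the other scanner variables present in your amavisd.conf.
SCANNER_VARS="antivir sophos"

# Print the quoted value of $<name> = "..."; from config file $2 (empty if "")
conf_value() {
    sed -n "s/^[[:space:]]*\\\$$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$2" | head -n 1
}

# Print name=path for each scanner whose path is non-empty
enabled_scanners() {
    for v in $SCANNER_VARS; do
        p=$(conf_value "$v" "$1")
        if [ -n "$p" ]; then echo "$v=$p"; fi
    done
}

# 0 if exactly one scanner is enabled and its binary is executable;
# 1 if zero or several are enabled, 2 if the binary is missing
check_scanner_config() {
    n=$(enabled_scanners "$1" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then echo "$1: expected one enabled scanner, found $n" >&2; return 1; fi
    bin=$(enabled_scanners "$1" | cut -d= -f2-)
    if [ ! -x "$bin" ]; then echo "$1: scanner binary '$bin' is not executable" >&2; return 2; fi
    return 0
}

# Constructed stand-ins for /etc/amavisd.conf ($sophos points at /bin/sh
# only so the executable check can pass on any machine)
conf_ok=$(mktemp); conf_two=$(mktemp); conf_nobin=$(mktemp)
cat > "$conf_ok" <<'EOF'
$DO_SYSLOG = "yes";
# H+BEDV AntiVir
$antivir = "";
# Sophos Anti Virus (sweep)
$sophos = "/bin/sh";
$sophos_ide = "/usr/local/sav";
EOF
sed 's#^\$antivir = ""#$antivir = "/usr/bin/antivirus"#' "$conf_ok" > "$conf_two"
sed 's#^\$sophos = "/bin/sh"#$sophos = "/nonexistent/sweep"#' "$conf_ok" > "$conf_nobin"
```

Run it as `check_scanner_config /etc/amavisd.conf` after adding your scanner variables to SCANNER_VARS; a non-zero exit and the message on stderr tell you which rule was broken.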
Now on to postfix.....
We have to get the mail from postfix to amavis and sweep. This took some time for me to figure out, and this may not be perfect, but it works. If someone has a better suggestion for this please send an email to me.
$vi /etc/postfix/main.cf
Add the following lines to the bottom of the file.
content_filter = vscan:[127.0.0.1]:10025
This tells postfix to pass mail through the content filter named vscan on localhost port 10025; the vscan transport itself is defined in master.cf in the next step.
Save and Exit.
Now edit the master.cf file
$vi /etc/postfix/master.cf
Add the following two lines at the bottom of the file.
vscan unix - n n - 10 pipe user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
localhost:10025 inet n - n - - smtpd -o content_filter=
Save and Exit.
Execute the command
$postfix reload
Postfix will refresh its settings and you will be ready to go at this point. If you are tailing the maillog file you will see the refresh.
$tail -f /var/log/maillog
You can now send an email to yourself and you will see an entry in the maillog file where the mail was received. Then you will see an entry where the mail is relayed to the amavis transport. At this point you will see an entry in the /var/log/messages file that says sweep is scanning, and then the mail is passed back to postfix for delivery.
If you go to http://www.eicar.com/ and download the test virus and email it to yourself, you will see the /var/log/messages file output a line that says a virus was found. At that point a warning email will be generated.
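The two postfix edits above have to agree with each other: the transport name in main.cf's content_filter must be a pipe service in master.cf, and the smtpd listening on port 10025 must carry "-o content_filter=" so that mail amavis hands back is not sent through the filter a second time (a mail loop). This added shell example, not part of the original HOWTO, checks that wiring on constructed copies of main.cf and master.cf; it assumes the scanner runs as user vscan as in the master.cf line above.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): check that main.cf and
# master.cf are wired as the steps above describe, on constructed copies.

# Join master.cf continuation lines (a line that starts with whitespace
# continues the previous entry) so each service is one line.
master_entries() {
    awk '/^[[:space:]]/ { e = e " " $0; next }
         { if (e != "") print e; e = $0 }
         END { if (e != "") print e }' "$1"
}

# Transport name and port from main.cf: content_filter = name:[host]:port
filter_transport() { sed -n 's/^content_filter *= *\([^:]*\):.*/\1/p' "$1" | tail -n 1; }
filter_port()      { sed -n 's/^content_filter *=.*:\([0-9]*\) *$/\1/p' "$1" | tail -n 1; }

# 0 when the filter transport is a pipe service running as vscan and the
# re-injection smtpd on the filter port clears content_filter. Without that
# override, mail handed back on port 10025 would go to amavis again (a mail
# loop); that is what "-o content_filter=" in the HOWTO's master.cf line does.
check_filter_wiring() {
    t=$(filter_transport "$1"); port=$(filter_port "$1")
    if [ -z "$t" ] || [ -z "$port" ]; then echo "no content_filter in $1" >&2; return 1; fi
    master_entries "$2" | grep -Eq "^$t[[:space:]]+unix[[:space:]].*[[:space:]]pipe[[:space:]].*user=vscan" \
        || { echo "$2: no pipe service '$t' running as vscan" >&2; return 2; }
    master_entries "$2" | grep -Eq "^(localhost|127\.0\.0\.1):$port[[:space:]]+inet[[:space:]].*smtpd.*-o[[:space:]]+content_filter=([[:space:]]|$)" \
        || { echo "$2: smtpd on port $port lacks '-o content_filter=' (loop guard)" >&2; return 3; }
    return 0
}

# Constructed sample files standing in for /etc/postfix/main.cf and master.cf
main_cf=$(mktemp); master_ok=$(mktemp); master_loop=$(mktemp)
echo 'content_filter = vscan:[127.0.0.1]:10025' > "$main_cf"
cat > "$master_ok" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
vscan     unix  -       n       n       -       10      pipe
    user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
localhost:10025 inet n - n - - smtpd -o content_filter=
EOF
# Same file, but the re-injection listener forgot to clear content_filter
sed 's/ -o content_filter=$//' "$master_ok" > "$master_loop"
```

On a real box run `check_filter_wiring /etc/postfix/main.cf /etc/postfix/master.cf` before `postfix reload`; exit code 3 is the loop case worth catching first.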
Things to note. I run comprehensive body_checks on my server as well. I do this to prevent unnecessary processing by the virus scanner. For example, I do not allow raw executables (.exe, .com, .vbs, etc.) to be mailed on my server. Body checks happen before inbound or outbound mail is virus scanned, so if a virus does come through as a simple executable, body_checks will kick it back saying this attachment type is not allowed on the server; the file never has to make it to the virus scanner and waste processing cycles. Contact me if you want a copy of my body_checks file.
Hope this helps.
Shannon