Virus detector for the mail server

Ray Ballisti, last update: 25th August2003

In short: amavisd-new is an interface between message transfer agent (MTA) and one or more content checkers: virus scanners, and/or SpamAssasin ( http://www.spamassassin.org/ ).

Short overview

Content:

AMAVIS and related packages
Interaction with the postfix mailer system
Some remarks

1- AMAVIS and related packages

The new version of the AMAVIS package can be found on URL:

http://www.ijs.si/software/amavisd

The suffix 'si' means Slovenia.
amavisd-new is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssasin. It is written in Perl for maintainability, without paying a significant price for speed. It talks to MTA via (E)SMTP or LMTP, or by using helper programs. Best with Postfix, fine with dual-sendmail setup and Exim v4, works with sendmail/milter, or with any MTA as a SMTP relay. 'Howto' for qmail available as well.

Documentation can be found in: /usr/pack/amavisd-20030616p4-ds/docs

On our site the infected messages are kept in /var/spool/amavis
Snapshot: 25.08.2003, 15:00:

A new TAG has been created in the template_tree:

for bigbang (server): amavis, postfix20 (new version for the server)
for clients: postfix1999 (old version currently used by the clients)

Remember that /usr/lib/sendmail is a link to /etc/postfix/sendmail which is also a link to /usr/pack/postfix-'version'/bin/sendmail

2- Interaction with the postfix mailer system

Of all the options specified in the Postfix master.cf the one that is essential is the '-o content_filter=' .
Tell Postfix to start forwarding all mail it receives to amavisd-new for content inspection.
To the Postfix main.cf file add a line:
content_filter = smtp-amavis:[127.0.0.1]:10024

The following sketch depict the interaction between postfix and amavis:


      .......................................
      :                Postfix              :
   ----->smtpd \                            :
      :         -pre-cleanup-\       /local---->
   ---->pickup /              -queue-       :
      :             -cleanup-/   |   \smtp----->
      :     bounces/    ^        v          :
      : and locally     |        v          :
      :   forwarded   smtpd  smtp-amavis    :
      :    messages   10025      |          :
      ...........................|...........
                        ^        |
                        |        v
            ............|..............................
            :           |   $inet_socket_port=10024   :
            :           |                             :
            : $forward_method='smtp:127.0.0.1:10025'  :
            : $notify_method ='smtp:127.0.0.1:10025'  :
            :                                         :
            :    amavisd-new                          :
            ...........................................

See the configuration file /etc/postfix/master.cf for more info.

Also /etc/postfix/main.cf:

# virus checker
content_filter = smtp-amavis:[127.0.0.1]:10024

We also use a product from http://www.sophos.com/
In directory /usr/sepp/var/sophos-3.71-wu/ there are files with virus definitions. in a database ( *.vdb files) and updates in *.ide files. This databases are updates each day with a crontab job:

# update sophos virus database
45 6 * * * /usr/pack/sophos-3.71-wu/sophos_update
# restart sophie to load virus database
0  7 * * * /etc/init.d/sophie restart >/dev/null 2>&1

See procedure sophos_update in /usr/pack/sophos-3.71-wu.

Attention:
SOPHOS must be upgraded not later then 3 months after the last one!
Next is pending for October 2003.

The following links have to be updated after the new package has been loaded:

/etc/sav.conf -> /usr/pack/sophos-3.71-wu/sun4u-sun-solaris2.8/etc/sav.conf
/usr/pack/sophie-3.02-ds/sophos -> /usr/pack/sophos-3.71-wu/

3- Some remarks

Check from time to time:

Check that the amavis daemon is listening at port 10024:

-->  $ telnet 127.0.0.1 10024
     Trying 127.0.0.1...
     Connected to 127.0.0.1.
     Escape character is '^]'.

     220 [127.0.0.1] ESMTP amavisd-new service ready

-->  quit

     221 Bye
     Connection closed by foreign host.

Infdected files are written to /var/spool/amavis/virusmails
Temporary directories are created to unpack and check mail:
```
         find $TEMPBASE -type d -name 'amavis-20??????T*' \
         -prune -mtime +1 -exec rm -rf {} \;
```
To be sure that no active one is being deleted, do the check above before the daemon is started.
In our server it is $TEMPBASE=/var/spool/amavis