Author Topic: Spam / Virus Filtering  (Read 11680 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Spam / Virus Filtering
« on: August 18, 2015, 03:30:33 AM »
Out-of-the-box, there are a few issues with Amavisd and Clamav default setup.

Amavisd is not adding X-SPAM headers to any domains other than default:

@local_domains_maps = ( [".$mydomain"] );

Suggest to add the following to /etc/amavisd.conf during "Postfix Configuration Rebuild" when AntiVirus/AntiSpam is enabled so all mail domains have X-spam headers added:

@lookup_sql_dsn = (
    ['DBI:mysql:database=postfix;host=127.0.0.1;port=3306', 'postfix', 'postfix_password']
);

$sql_select_policy =  'SELECT "Y" AS local FROM domain WHERE CONCAT("@", domain) IN (%k)';

and install required modules:

yum -y install perl-DBI perl-DBD-MySQL

Clamd is running as the wrong user ('clam') and cannot access /var/amavis/tmp/, so Amavis falls back to backup scanner (clamscan):

Aug 17 14:04:39 a amavis[19181]: (19181-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/amavis/tmp/amavis-20150817T140439-19181-kCt7U2oy/parts: lstat() failed: Permission denied. ERROR\n"
Aug 17 14:04:39 a amavis[19181]: (19181-01) (!)ClamAV-clamd av-scanner FAILED: CODE(0x2706420) unexpected , output="/var/amavis/tmp/amavis-20150817T140439-19181-kCt7U2oy/parts: lstat() failed: Permission denied. ERROR\n" at (eval 115) line 897.
Aug 17 14:04:39 a amavis[19181]: (19181-01) (!)WARN: all primary virus scanners failed, considering backups

so 'clamscan' still satisfies virus scanning, but then why run Clamd?  First, need to change 'User' mapping in /etc/clamd.conf:

User clamav

and directory permissions:

chown clamav:clamav -R /var/run/clamav/
chown clamav:clamav -R /var/lib/clamav/
chown clamav:clamav -R /var/log/clamav/

set clamav user's home directory (default /var/clamav):

usermod -d /var/lib/clamav -m clamav

and update /etc/freshclam.conf:

DatabaseDirectory /var/lib/clamav

Now freshclam can update correct database files and Clamd works correctly with Amavis.  Recommend developers add the above to "Postfix Configuration Rebuild" process.

Finally, there is no need to run Spamd for Amavis and waste resources.  Amavis loads SpamAssassin perl module and works fine w/o Spamd running.

« Last Edit: August 19, 2015, 02:29:31 AM by emtty »

Offline
*
Re: Spam / Virus Filtering
« Reply #1 on: August 18, 2015, 05:20:35 AM »
Also, feeding spam/ham via sa-learn really improves SA accuracy... below is a shell script that could be activated via a cron job (or on-demand from CWP admin panel) when AntiVirus/AntiSpam is enabled and an additional AutoLearn Spam/Ham option is enabled.  Directories /var/tmp/sa-learn/spam and /var/tmp/sa-learn/ham (or whatever suits CWP hierarchy) need to be created to temporarily store spam/ham Emails.  Comments inline:

Code: [Select]
#!/bin/bash

# exec from cron daily

# mkdir -p /var/tmp/sa-learn/spam
# mkdir -p /var/tmp/sa-learn/ham

# move junk older than 7 days
find /var/vmail/*/*/.{Spam,spam,Junk,junk}/{cur,new} -type f -mtime +7 -exec mv {} /var/tmp/sa-learn/spam/ \; > /dev/null 2>&1

# copy ham 14 days old from cur INBOX folder                               
find /var/vmail/*/*/cur -type f -mtime 14 -exec cp {} /var/tmp/sa-learn/ham/ \; > /dev/null 2>&1

### Spamassassin Bayes Learning
### if run as root, set dbpath
/usr/bin/sa-learn --dbpath /var/amavis/.spamassassin/ --no-sync --spam /var/tmp/sa-learn/spam/ > /dev/null 2>&1
/usr/bin/sa-learn --dbpath /var/amavis/.spamassassin/ --no-sync --ham /var/tmp/sa-learn/ham/ > /dev/null 2>&1

# sync
/usr/bin/sa-learn --dbpath /var/amavis/.spamassassin/ --sync > /dev/null 2>&1

# make sure permissions are sane
chown -R amavis:amavis /var/amavis/.spamassassin/ > /dev/null 2>&1

rm -f /var/tmp/sa-learn/{spam,ham}/* > /dev/null 2>&1

Offline
*
Re: Spam / Virus Filtering
« Reply #2 on: September 07, 2015, 12:48:32 PM »
thx emtty, for that. I plane to swithc to CentOS Webpanel and try to read a lot and learn about structure and how problems will solved how fast for thes good open source app.

So - What do the developer say about that? Is it a bug and will fixed in version xy??, or should anyone fix it self? I think wrong configuration and permissions are big problems and should solve by an upgrade.