Guide - Spamassassin F-Prot Mailscanner Installation

I am going to install in the following order: the F-Prot antivirus, then MailScanner, then SpamAssassin.

Antivirus. Installing the 'f-prot AV' software for Linux

You may want to check for the latest version of the software (replace the .tar.gz file below if it changes!!)
Latest Version: http://www.f-prot.com/download/getfplinfree.html

cd /usr/local
wget ftp://ftp.f-prot.com/pub/linux/fp-linux-ws-4.3.1.tar.gz
tar zxvf fp-linux-ws-4.3.1.tar.gz
ln -s /usr/local/f-prot/f-prot.sh /usr/local/bin/f-prot
ln -s /usr/local/f-prot/man_pages/f-prot.1 /usr/man/man1/
ln -s /usr/local/f-prot/man_pages/check-updates.pl.8 /usr/man/man8
chmod +x /usr/local/f-prot/f-prot*
chmod +x /usr/local/f-prot/check*
cd /usr/local/f-prot/

MailScanner

Create a working directory for storing stuff

cd /home
mkdir mailscanner
cd mailscanner

You now need the MailScanner file. The one you want is the version for RedHat Linux, currently Version 4.25-11 for RedHat Linux (and other RPM-based Linux distributions)

To get the MailScanner file on the RaQ use wget

wget www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.25-11.rpm.tar.gz

This gets the MailScanner file. If you want to check it's there, use

ls -la

You will get a list of the files in the current directory. You should get something like this

[root mailscanner]# ls -la
total 1319
drwxr-xr-x 2 root root 1024 Feb 22 12:13 .
drwxr-xr-x 8 root root 1024 Feb 22 11:50 ..
-rw-r--r-- 1 root root 1341440 Feb 1 16:08 MailScanner-4.25-11.rpm.tar.gz
[root mailscanner]#

This distribution is provided as a tar file. You need to unpack the tar file using a command line

tar zxvf MailScanner-4.25-11.rpm.tar.gz

This will create a new directory, called something like MailScanner-4.25-11. Have a look using "ls -la". Move into the new directory using the "cd" command. If you do an "ls -la" at this point, you will see a file called "install.sh", which you need to run with the command ./install.sh

ls -la
cd MailScanner-4.25-11
./install.sh

This will produce a very large amount of output, as it tries to build and install all the packages that MailScanner uses. Don't worry too much about what it prints out.

If it tells you your copy of the Perl module ExtUtils::MakeMaker is out of date, run this command.

./Update-MakeMaker.sh

If you are having trouble making it install, first check that you only have 1 version of Perl installed. The one that came supplied is in /usr/bin/perl, but you may also have /usr/local/bin/perl. If you have both, you are advised to get rid of any traces of perl under /usr/local.

rm /usr/local/bin/*perl*
rm /usr/local/bin/pod*
rm -r /usr/local/lib/perl5
rm /usr/local/man/man1/perl*

If you get errors about "TokeParser" or the installation of the perl module HTML::Parser fails, then you will need to create 4 dummy files to keep Perl happy. You should do this:

cd /usr/lib/perl5/5.00503/i386-linux/CORE
touch opnames.h
touch perlapi.h
touch utf8.h
touch warnings.h

Then run the install.sh script again and HTML-Parser should install properly.

If you get this

Can't locate object method "rel2abs" via package "File::Spec" at Makefile.PL
line 55.
BEGIN failed--compilation aborted at Makefile.PL line 57.
make: *** No targets specified and no makefile found.  Stop.
make: *** No rule to make target `install'.  Stop.

Then do this

wget http://search.cpan.org/CPAN/authors/id/R/RB/RBS/File-Spec-0.82.tar.gz
tar zxvf File-Spec-0.82.tar.gz
cd File-Spec-0.82
perl Makefile.PL
make
make test
make install
cd ..

Now we run ./Update-MakeMaker.sh again and then ./install.sh

./Update-MakeMaker.sh
./install.sh

As I said above, this will produce a very large amount of output, as it tries to build and install all the packages that MailScanner uses. Don't worry too much about what it prints out. The last thing it will do is install the tnef package, followed by MailScanner itself. It will then print a few instructions for you showing the commands needed to start MailScanner running.

Ignore these instructions totally and follow on below!

We have to change a couple of things first

pico -w /etc/mail/sendmail.cf

Search for "QueueDirectory" and change the line to
O QueueDirectory=/var/spool/mqueue

Move any remaining queue files into the updated queue directory

cd /var/spool
mv /var/spool/mqueue/q*/* /var/spool/mqueue
mv /var/spool/mqueue.in/ /home/spool/
ln -s ../../home/spool/mqueue.in /var/spool/mqueue.in

Delete the old queue subdirectories

rmdir /var/spool/mqueue/q*

Now we want to edit the MailScanner configuration file. Also have a look at "Configuration file options".

pico /etc/MailScanner/MailScanner.conf

Search through for these and replace (some of these may have been changed already!!)

Virus Scanners      = none
to
Virus Scanners      = f-prot

Search for "Outgoing Queue Dir" and change the line to

Outgoing Queue Dir = /var/spool/mqueue

OK, nearly there. Now we want to stop sendmail and start MailScanner and make sure it stays that way in the event of a reboot.

/etc/rc.d/init.d/MailScanner stop

I usually have to give that command about 3 times to make sure it has properly stopped. To check that it has stopped, use

ps auxw | grep -i mail

It should give an output like

root     23633  0.0  0.3  1360  496 pts/1    S    00:13   0:00 grep -i mail

You may even have to give that command twice. Once you are sure it has stopped, issue the following commands

chkconfig sendmail off
chkconfig --level 2345 MailScanner on

Let's start it all up

/etc/rc.d/init.d/MailScanner start

To check that it's OK, use the same command as above that you used to check it had stopped

ps auxw | grep -i mail

It should produce an output like this:

root     23790  0.0  0.9  2492 1176 ?        S    00:16   0:00 sendmail: accepting connections
root     23793  0.0  0.9  2492 1180 ?        S    00:16   0:00 /usr/sbin/sendmail -q15m
root     23802  0.0  6.4  9472 8236 ?        S    00:16   0:00 perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/Ma
root     23803  0.2  6.9 10120 8876 ?        S    00:16   0:00 perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/Ma
root     23809  0.2  6.9 10120 8876 ?        S    00:16   0:00 perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/Ma
root     23833  0.2  6.9 10120 8876 ?        S    00:17   0:00 perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/Ma
root     23843  0.2  6.9 10120 8876 ?        S    00:17   0:00 perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/Ma
root     23848  0.3  6.9 10120 8876 ?        S    00:17   0:00 perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/Ma
root     23933  0.0  0.4  1364  512 pts/1    S    00:19   0:00 grep -i mail

Please note that you might not have as many MailScanner processes as shown in the sample output, as it may still be forking off its child processes at that point (there's a 10 second delay between starting each one).

If you want, you can look at the maillog to see it actually running

tail -f -n100 /var/log/maillog

You should see output similar to this. It also shows that the f-prot autoupdate script, which runs every hour, is working.

Feb 23 00:01:00 raq4i3 update.virus.scanners: Found f-prot installed
Feb 23 00:01:00 raq4i3 update.virus.scanners: Updating f-prot
Feb 23 00:01:01 raq4i3 F-Prot autoupdate[23036]: F-Prot successfully updated.
Feb 23 00:13:12 raq4i3 MailScanner[21677]: MailScanner child caught a SIGHUP
Feb 23 00:13:12 raq4i3 MailScanner[21713]: MailScanner child caught a SIGHUP
Feb 23 00:13:12 raq4i3 MailScanner[21684]: MailScanner child caught a SIGHUP
Feb 23 00:13:12 raq4i3 MailScanner[21718]: MailScanner child caught a SIGHUP
Feb 23 00:13:12 raq4i3 MailScanner[21689]: MailScanner child caught a SIGHUP
Feb 23 00:16:38 raq4i3 sendmail[23786]: alias database /etc/mail/aliases rebuilt by admin
Feb 23 00:16:38 raq4i3 sendmail[23786]: /etc/mail/aliases: 17 aliases, longest 10 bytes, 189 bytes total
Feb 23 00:16:38 raq4i3 sendmail[23786]: alias database /etc/mail/aliases.majordomo rebuilt by admin
Feb 23 00:16:38 raq4i3 sendmail[23786]: /etc/mail/aliases.majordomo: 12 aliases, longest 69 bytes, 519 bytes total
Feb 23 00:16:38 raq4i3 sendmail[23790]: starting daemon (8.10.2): SMTP
Feb 23 00:16:38 raq4i3 sendmail[23793]: starting daemon (8.10.2): queueing@00:15:00
Feb 23 00:16:41 raq4i3 MailScanner[23803]: MailScanner
Feb 23 00:16:41 raq4i3 MailScanner[23803]: MailScanner E-Mail Virus Scanner version 4.25-11 starting...
Feb 23 00:16:41 raq4i3 MailScanner[23803]: Using locktype = flock
Feb 23 00:16:51 raq4i3 MailScanner[23809]: MailScanner
Feb 23 00:16:51 raq4i3 MailScanner[23809]: MailScanner E-Mail Virus Scanner version 4.25-11 starting...
Feb 23 00:16:51 raq4i3 MailScanner[23809]: Using locktype = flock
Feb 23 00:17:01 raq4i3 MailScanner[23833]: MailScanner
Feb 23 00:17:01 raq4i3 MailScanner[23833]: MailScanner E-Mail Virus Scanner version 4.25-11 starting...
Feb 23 00:17:01 raq4i3 MailScanner[23833]: Using locktype = flock
Feb 23 00:17:11 raq4i3 MailScanner[23843]: MailScanner
Feb 23 00:17:11 raq4i3 MailScanner[23843]: MailScanner E-Mail Virus Scanner version 4.25-11 starting...
Feb 23 00:17:11 raq4i3 MailScanner[23843]: Using locktype = flock
Feb 23 00:17:21 raq4i3 MailScanner[23848]: MailScanner
Feb 23 00:17:21 raq4i3 MailScanner[23848]: MailScanner E-Mail Virus Scanner version 4.25-11 starting...
Feb 23 00:17:21 raq4i3 MailScanner[23848]: Using locktype = flock
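The checks you would otherwise make by eye in that output can be scripted. This is an added example, not part of the original guide: it counts successful F-Prot updates and MailScanner children from a maillog, matching only the message formats shown in the excerpt above. The function names are made up for the example.

```shell
# Added example (not from the guide): summarise F-Prot and MailScanner
# activity in a maillog, using the message formats shown above.

# maillog_summary [FILE...]: reads the named files, or stdin if none given.
# Exit status is 0 only if an F-Prot update and a MailScanner start were seen.
maillog_summary() {
    awk '
        /F-Prot autoupdate\[[0-9]+\]: F-Prot successfully updated/ {
            ok++; last = $1 " " $2 " " $3            # syslog timestamp
        }
        /MailScanner\[[0-9]+\]: MailScanner E-Mail Virus Scanner version .* starting/ {
            for (i = 1; i < NF; i++) if ($i == "version") v = $(i + 1)
            if (!(v in seen)) { seen[v] = 1; versions = versions (versions ? "," : "") v }
            pid = $5; sub(/^.*\[/, "", pid); sub(/\].*$/, "", pid)
            if (!(pid in pids)) { pids[pid] = 1; children++ }   # one per child PID
        }
        END {
            printf "fprot_ok=%d children=%d versions=%s last_update=%s\n",
                   ok, children, (versions ? versions : "none"), (last ? last : "none")
            exit ((ok > 0 && children > 0) ? 0 : 1)
        }
    ' "$@"
}

# Constructed sample: five lines copied from the excerpt above.
sample_maillog() {
    cat <<'EOF'
Feb 23 00:01:00 raq4i3 update.virus.scanners: Updating f-prot
Feb 23 00:01:01 raq4i3 F-Prot autoupdate[23036]: F-Prot successfully updated.
Feb 23 00:16:41 raq4i3 MailScanner[23803]: MailScanner E-Mail Virus Scanner version 4.25-11 starting...
Feb 23 00:16:41 raq4i3 MailScanner[23803]: Using locktype = flock
Feb 23 00:16:51 raq4i3 MailScanner[23809]: MailScanner E-Mail Virus Scanner version 4.25-11 starting...
EOF
}

sample_maillog | maillog_summary
```

On the live box you would run it as maillog_summary /var/log/maillog and compare last_update with the current time, since the update job is meant to run hourly.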

There's a "clean.quarantine" script included as a daily cron job. It is disabled by default. Edit it to see how to enable it. If you edit it, it will not be over-written by later upgrades to MailScanner.

pico -w /etc/cron.daily/clean.quarantine

MailScanner Summary

To find out if your mails are being checked

Each email that is checked will have one of the following inserted into the email header (assuming you do not disable this feature):

   X-MailScanner: Found to be clean
or
   X-MailScanner: Found to be infected
or
   X-MailScanner: Disinfected
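To check a saved message from the command line, read the X-MailScanner header from the header block only, so that the same text appearing in the message body is not mistaken for a scan result. This is an added example, not part of the original guide; the function name is made up, and it assumes the header is named exactly X-MailScanner as shown above.

```shell
# Added example (not from the guide): report the X-MailScanner result of a
# message read from stdin. Assumes the header name shown above.

# Prints clean, infected, disinfected, unknown, conflict or unscanned.
mailscanner_verdict() {
    awk '
        function finish_header() {
            if (!inhdr) return
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            n++
            if      (val == "Found to be clean")    v = "clean"
            else if (val == "Found to be infected") v = "infected"
            else if (val == "Disinfected")          v = "disinfected"
            else                                    v = "unknown"
            if (n > 1 && v != verdict) verdict = "conflict"; else verdict = v
            inhdr = 0
        }
        { sub(/\r$/, "") }                           # tolerate CRLF line ends
        /^$/ { exit }                                # blank line: headers are over
        /^[ \t]/ { if (inhdr) val = val " " $0; next }   # folded continuation line
        { finish_header() }
        tolower($0) ~ /^x-mailscanner:/ { inhdr = 1; val = substr($0, index($0, ":") + 1) }
        END { finish_header(); print (n ? verdict : "unscanned") }
    '
}

# Constructed sample: the body repeats the header text and must be ignored.
sample_message() {
    cat <<'EOF'
Received: from mx.example.test by raq.example.test
X-MailScanner: Found to be clean
Subject: test

X-MailScanner: Found to be infected
EOF
}

sample_message | mailscanner_verdict
```

Two X-MailScanner headers with different values are reported as conflict, because a header can also be supplied by the sending side.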

To stop/start MailScanner using the command line

/etc/rc.d/init.d/MailScanner stop

This should work reliably now, but will take a few seconds to return. You should then find there are no MailScanner processes running.

ps auxw | grep -i mail

Once you're happy it has stopped, just restart it with

/etc/rc.d/init.d/MailScanner start

To stop/start MailScanner using the RaQ Control Panel

First we need to make a little change so that when you tick the check box for Email Server in the control panel it's the MailScanner that starts and not the sendmail script.

cd /etc/rc.d/init.d
mv sendmail sendmail.old
chmod a-x sendmail.old
ln -s MailScanner sendmail

Now you can turn the MailScanner on and off using the RaQ control panel. This also fixes the problem caused when a new user or site is added to the RaQ.

SpamAssassin

Many thanks to Julian Field, the author of MailScanner, for this bit; he sent me his notes when he installed this on one of my other RaQs.

Download Mail-SpamAssassin-2.60.tar.gz from www.spamassassin.org into somewhere sensible such as /root or /tmp. I put it in the mailscanner directory I created earlier under /home

If the site is down, search Google for the file and you'll find a copy.

cd /home/mailscanner
wget www.spamassassin.org/released/Mail-SpamAssassin-2.60.tar.gz
perl -MCPAN -e shell

Whenever it asks about manual configuration, say no

cpan> o conf prerequisites_policy ask
cpan> install Time::HiRes
cpan> quit
tar xzf Mail-SpamAssassin-2.60.tar.gz
cd Mail-SpamAssassin-2.60
perl Makefile.PL
make

You may now get some errors about pod2text. If you do, then do this command

ln -s /usr/bin/pod2man /usr/bin/pod2text
make
make test

This will fail horribly due to lack of Pod/Usage.pm, so now do this (remember whenever it asks about manual configuration, say no)

perl -MCPAN -e shell
cpan> o conf prerequisites_policy ask
cpan> install Pod::Usage
cpan> quit

Now to try the tests again

make test
make install

You now have installed SpamAssassin. The next step is to configure it and MailScanner.

pico -w /etc/MailScanner/MailScanner.conf

Change the setting for "Required SpamAssassin Score" to more than 5, as a threshold of 5 generates quite a few false alarms. Julian's recommended value is 9.
I personally recommend 5 :-)
It's advised to set "Log Spam = yes" to start with.
You will of course need "Use SpamAssassin = yes".
If you don't have a very fast link, increase "SpamAssassin Timeout" to nearer 20.

Then just stop and start MailScanner using the commands above, under "To stop/start MailScanner using the command line".
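Before restarting, it is worth confirming that every MailScanner.conf change from this guide actually took effect. This is an added example, not part of the original guide or of MailScanner: it checks the settings edited above (virus scanner, outgoing queue, SpamAssassin options). The function names are made up, and it assumes one "Key = value" setting per line with "#" comment lines.

```shell
# Added example (not from the guide): audit MailScanner.conf against the values
# this guide sets. Assumes one "Key = value" per line and "#" comment lines.

# conf_get FILE KEY: print the value of the last uncommented KEY line
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_conf FILE: report each setting; exit status = settings needing review
audit_conf() {
    f=$1; bad=0
    while IFS='|' read -r key want; do      # NUM = any number is accepted
        got=$(conf_get "$f" "$key")
        case $want:$got in
            NUM:|NUM:*[!0-9.]*) echo "CHECK $key = ${got:-<unset>} (want a number)"; bad=$((bad + 1)) ;;
            NUM:*)         echo "INFO  $key = $got" ;;
            "$want:$want") echo "OK    $key = $got" ;;
            *)             echo "CHECK $key = ${got:-<unset>} (guide: $want)"; bad=$((bad + 1)) ;;
        esac
    done <<'EOF'
Virus Scanners|f-prot
Outgoing Queue Dir|/var/spool/mqueue
Use SpamAssassin|yes
Log Spam|yes
Required SpamAssassin Score|NUM
SpamAssassin Timeout|NUM
EOF
    return "$bad"
}

sample_conf() {   # constructed fragment, not a full MailScanner.conf
    cat <<'EOF'
# Virus Scanners = f-prot
Virus Scanners      = none
Outgoing Queue Dir = /var/spool/mqueue
Use SpamAssassin = yes
Required SpamAssassin Score = 9
EOF
}
tmp=$(mktemp); sample_conf > "$tmp"
audit_conf "$tmp" || echo "$? setting(s) to review"; rm -f "$tmp"
```

On the server, run audit_conf /etc/MailScanner/MailScanner.conf; the score and timeout are only reported, since the right values depend on your mail and your link.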



