Mail Service - antivirus and antispam checks

(in a Debian GNU/Linux environment)


A matter of “image” and of “practice” (services that can be offered).


A “private” network whose users take advantage of the capabilities of an “internal” mail server and of their own “domain”.

Operating system of the “server” machine: Debian GNU Linux (“http://www.debian.org”)

Mail server program: Exim3 or Postfix (“http://www.exim.org” and “http://www.postfix.org”)

Antivirus program: Clamav (“http://www.clamav.net”)

Antispam program: Spamassassin (“http://spamassassin.apache.org”)

Antispam program: Razor (“http://razor.sourceforge.net”)

Glue program between the components: Amavis (“http://www.ijs.si/software/amavisd”)

Various programs for handling archives: UnZip, arc, bzip2, Unarj, Lha, ...


All the programs are installed in their Debian GNU Linux packaged versions (currently the “Sarge” release), and the instructions that follow refer to that installation method.


apt-get install postfix


sender -> server -> recipient


sender -> server -> checks (viruses and spam) -> recipient (if the checks pass)


apt-get install clamav

Accept the default options (in “/etc/clamav/clamd.conf”), except:

[...]

# Talk over a TCP port (faster)

TCPSocket 3310

# If run as “root” it can also scan the user's files

User root

[...]


apt-get install spamassassin

Check, in “/etc/default/spamassassin”:

[...]

ENABLED=1

[...]


apt-get install razor


apt-get install amavisd-new

Main options (in “/etc/amavis/amavisd.conf”):

use strict;

$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis')

$mydomain = 'casa.mia'; # (no useful default)

$daemon_user = 'amavis'; # (no default (undef))
$daemon_group = 'amavis'; # (no default (undef))

$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?

$pid_file = "/var/run/amavis/amavisd.pid"; # (default: "$MYHOME/amavisd.pid")
$lock_file = "/var/run/amavis/amavisd.lock"; # (default: "$MYHOME/amavisd.lock")

# set environment variables if you want (no defaults):
$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory


### Options for the dialogue with the mail server

# EXIM v3 
$forward_method = 'smtp:127.0.0.1:25';
$notify_method = $forward_method;

### System resources requested

$max_servers  =  2;   # number of pre-forked children          (default 2)
$max_requests = 10; # retire a child after that many accepts (default 10)

$child_timeout=5*60; # abort child if it does not complete each task in n sec
# (default: 8*60 seconds)

### “Disable the disabling” of the antispam checks

##@bypass_spam_checks_acl  = qw( . );    # No default dependency on spamassassin


$relayhost_is_client = 0; # (defaults to false)

$insert_received_line = 1; # behave like MTA: insert 'Received:' header
# (does not apply to sendmail/milter)
# (default is true (1) )

$localhost_name = "amavis";

$unix_socketname = undef; # disable listening on a unix socket

### Listen on port 10024 for the mail to be checked

$inet_socket_port = 10024;        # accept SMTP on this local TCP port

# when MTA is at the same host, use the following (one or the other or both):
$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
# (default is '127.0.0.1')
@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
# (default is qw( 127.0.0.1 ) )


$DO_SYSLOG = 0; # (defaults to false)
$LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log)
$log_level = 2; # (defaults to 0)


$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
[?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';

### Use the messages in Italian

read_l10n_templates('it_IT', '/etc/amavis');

### Destination of the “offending” messages

### (the “D_BOUNCE” options avoid the so-called “collateral SPAM”)

$final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested


$viruses_that_fake_sender_re = new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
[qr'^(EICAR|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
[qr/.*/ => 1], # true by default (remove or comment-out if undesired)
);

## Recipient of the notices (administrator)

$virus_admin = "virusalert\@$mydomain";		# due to D_DISCARD default
$spam_admin = "spamalert\@$mydomain";


$mailfrom_notify_admin = "virusalert\@$mydomain";
$mailfrom_notify_recip = "virusalert\@$mydomain";
$mailfrom_to_quarantine = ''; # override sender address with null return path

$QUARANTINEDIR = '/var/lib/amavis/virusmails';

$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
$spam_quarantine_to = 'spam-quarantine';


$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
$X_HEADER_LINE = "by $myversion (Debian) on BruttaBestia at $mydomain";

$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it

$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone

$keep_decoded_original_re = new_RE(
qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
);


$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID)
qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
# vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
# qr'^\.(zip|lha|tnef|cab)$'i, # banned file(1) types
# qr'^\.exe$'i, # banned file(1) types
# qr'^application/x-msdownload$'i, # banned MIME types
# qr'^application/x-msdos-program$'i,
qr'^message/partial$'i, qr'^message/external-body$'i, # block rfc2046
);


$virus_lovers{lc("postmaster\@$mydomain")} = 1;
$spam_lovers{lc("postmaster\@$mydomain")} = 1;

$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting

$recipient_delimiter = '+'; # (default is '+')

$replace_existing_extension = 1; # (default is false)

$localpart_is_case_sensitive = 0; # (default is false)

map { $whitelist_sender{lc($_)}=1 } (qw(
nobody@cert.org
owner-alert@iss.net
slashdot@slashdot.org
bugtraq@securityfocus.com
NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
security-alerts@linuxsecurity.com
amavis-user-admin@lists.sourceforge.net
razor-users-admin@lists.sourceforge.net
notification-return@lists.sophos.com
mailman-announce-admin@python.org
zope-announce-admin@zope.org
owner-postfix-users@postfix.org
owner-postfix-announce@postfix.org
owner-sendmail-announce@lists.sendmail.org
sendmail-announce-request@lists.sendmail.org
ca+envelope@sendmail.org
owner-technews@postel.ACM.ORG
lvs-users-admin@LinuxVirtualServer.org
ietf-123-owner@loki.ietf.org
cvs-commits-list-admin@gnome.org
rt-users-admin@lists.fsck.com
owner-announce@mnogosearch.org
owner-hackers@ntp.org
owner-bugs@ntp.org
clp-request@comp.nus.edu.sg
surveys-errors@lists.nua.ie
emailNews@genomeweb.com
owner-textbreakingnews@CNNIMAIL12.CNN.COM
yahoo-dev-null@yahoo-inc.com
));


$MAXLEVELS = 14; # (default is undef, no limit)
$MAXFILES = 1500; # (default is undef, no limit)
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)

## Definition of the programs for handling archives

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability

$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
$unrar = ['rar', 'unrar']; # both can extract, same options
$zoo = 'zoo';
$lha = 'lha';
$cpio = 'cpio'; # comment out if cpio does not support GNU options

### Disable the restriction to local-only antispam tests

##$sa_local_tests_only = 1;   # (default: false)

$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin

$sa_mail_body_size_limit = 150*1024; # don't waste time on SA if mail is larger
# (less than 1% of spam is > 64k)

$sa_tag_level_deflt = 4.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.3; # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
# at or above that level: bounce/reject/drop,
# quarantine, and adding mail address extension

$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
# effectively turning D_BOUNCE into D_DISCARD;
# undef disables this feature and is a default;


$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
# (only seen when spam is not to be rejected
# and recipient is in local_domains*)

$first_infected_stops_scan = 1; # default is false, all scanners are called

### Check the parameters for the antivirus programs in use

@av_scanners = (

### http://www.clamav.net/
['Clam Antivirus-clamd',
## \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
## qr/\bOK$/, qr/\bFOUND$/,
## qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
\&ask_daemon, ["CONTSCAN {}\n", '127.0.0.1:3310'],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: run clamd under the same user as amavisd; match the socket
# name (LocalSocket) in clamav.conf to the socket name in this entry
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

);

### [...]

@av_scanners_backup = (

### http://www.clamav.net/
['Clam Antivirus - clamscan', 'clamscan',
"--stdout --no-summary -r --tempdir=$TEMPBASE --mbox {}", [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

### http://www.f-prot.com/
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
'-dumb -archive -packed {}', [0,8], [3,6],
qr/Infection: (.+)/ ],

);

[...]
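As an added example (not code from the page or from the amavisd-new project), the $banned_filename_re rules from the configuration above are re-expressed in Python and run against constructed attachment names and MIME types; the rule labels, the banned_reason/classify_parts helpers and the sample file names are assumptions of this example. amavisd matches one list against the file name, the declared MIME type and the file(1)-detected type; this simplified version checks only the first two.

```python
import re

# Added example, not the page's own code: the $banned_filename_re rules from
# the amavisd.conf excerpt above, rebuilt as Python regexes so they can be
# tried offline against constructed attachment names and MIME types.
# amavisd matches one list against the file name, the declared MIME type and
# the file(1)-detected type; this re-implementation checks the first two.
BANNED_NAME_RULES = [
    (re.compile(r'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$', re.I), 'double extension'),
    (re.compile(r'[{}]'), 'CLSID braces in name'),
    (re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com)$', re.I), 'banned extension'),
]
BANNED_MIME_RULES = [
    (re.compile(r'^message/partial$', re.I), 'RFC 2046 message/partial'),
    (re.compile(r'^message/external-body$', re.I), 'RFC 2046 message/external-body'),
]


def banned_reason(filename, mime_type=''):
    """Return the first matching ban reason, or None if the part is allowed.

    Rules run in the same order as in amavisd.conf, so report.doc.exe is
    reported as a double extension rather than as a plain banned extension.
    """
    for pattern, reason in BANNED_NAME_RULES:
        if pattern.search(filename):
            return reason
    for pattern, reason in BANNED_MIME_RULES:
        if pattern.search(mime_type):
            return reason
    return None


def classify_parts(parts):
    """Map each (filename, mime_type) pair to its ban reason or None."""
    return {name: banned_reason(name, mime) for name, mime in parts}


# Constructed sample attachments (not taken from the page).
SAMPLE_PARTS = [
    ('report.doc.exe', 'application/octet-stream'),
    ('setup.ScR', 'application/octet-stream'),
    ('photo.jpg', 'image/jpeg'),
    ('invoice.txt{645FF040-5081-101B-9F08-00AA002F954E}', 'text/plain'),
    ('part1.msg', 'message/partial'),
    ('archive.zip', 'application/zip'),
]

if __name__ == '__main__':
    for name, reason in classify_parts(SAMPLE_PARTS).items():
        print(f'{name}: {reason or "allowed"}')
```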


Once Amavis is installed and configured, you can follow the detailed instructions that walk you step by step through completing the “dialogue” between the various pieces of the system:

An example from “/usr/share/doc/amavisd-new/README.postfix.gz”

[...]

For the first time it is best to start it interactively and keep it attached to the terminal:

$ /usr/local/sbin/amavisd debug

From another window check that it is listening on a local SMTP port 10024 (default):

--> $ telnet 127.0.0.1 10024

Trying 127.0.0.1...

Connected to 127.0.0.1.

Escape character is '^]'.

220 [127.0.0.1] ESMTP amavisd-new service ready

--> quit

221 Bye

Connection closed by foreign host.

[...]

2. With a text editor add to the Postfix master.cf file the following two entries, e.g. near the end of the file:

smtp-amavis unix - - y/n - 2 smtp

-o smtp_data_done_timeout=1200

-o smtp_send_xforward_command=yes

-o disable_dns_lookups=yes

[...]

3. Do a 'postfix reload', check its log file for any complaints, and test if it is listening on port 10025:

--> $ telnet 127.0.0.1 10025

Trying 127.0.0.1...

Connected to 127.0.0.1.

[...]

By simply following these instructions, you are led “by the hand” to the completion of the installation!

And this even if you do not know the subject inside out.


[...]

virusalert: postmaster

spamalert: postmaster

amavis: postmaster

[...]


The program can be “trained” to recognise new kinds of SPAM by feeding them to it through the “SA-LEARN” utility:

/usr/bin/sa-learn --showdots --spam --mbox /tmp/Allena_SpamAssassin



The system is “a living thing”: you have to check that everything works and watch for any “warning lights”, much as with a car.


A check with “mailq” shows whether there is mail waiting to be sent (and for how long). From the logs you can decide what to do with it: “FLUSH” (force delivery) or “PURGE” (delete messages that the destination servers reject because they contain errors).


From ragno@scuole.bo.it Mon May 16 15:15:57 2005
Received: from amavis by mandrake.isicm.bo.it with scanned-ok (Exim 3.36 #1 (Debian))
    id 1DXfRt-0007OW-00; Mon, 16 May 2005 15:15:57 +0200
Received: from mandrake.isicm.bo.it ([127.0.0.1])
    by localhost (mandrake [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 27645-06; Mon, 16 May 2005 15:15:50 +0200 (CEST)
Received: from lothar.isicm.bo.it [192.168.8.1]
    by mandrake.isicm.bo.it with esmtp (Exim 3.36 #1 (Debian))
    id 1DXfRm-0007OQ-00; Mon, 16 May 2005 15:15:50 +0200
Received: from host70-250.pool80180.interbusiness.it (stpcqgfvq.it) [80.180.250.70]
    by lothar.isicm.bo.it with smtp (Exim 3.36 #1 (Debian))
    id 1DXfRi-0002EU-00; Mon, 16 May 2005 15:15:46 +0200
From: ragno@scuole.bo.it
To: vitto@keynes.scuole.bo.it
Date: Mon, 16 May 2005 13:11:08 GMT
Subject: Dresden Bombing Is To Be Regretted Enormously


Return-Path: <scuole.pr@csa.scuole.bo.it>
Received: from lothar.isicm.bo.it [192.168.8.1]
    by mandrake.isicm.bo.it with esmtp (Exim 3.36 #1 (Debian))
    id 1DYiTe-0002w3-00; Thu, 19 May 2005 12:42:06 +0200
Received: from host230-231.pool8533.interbusiness.it (keynes.scuole.bo.it) [85.33.231.230]
    by lothar.isicm.bo.it with esmtp (Exim 3.36 #1 (Debian))
    id 1DYiTb-00080x-00; Thu, 19 May 2005 12:42:03 +0200
From: scuole.pr@csa.scuole.bo.it
To: ceve@keynes.scuole.bo.it
Subject: Hi
Date: Thu, 19 May 2005 12:42:02 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0004_00005C2A.00007CEC"
X-Priority: 1
X-MSMail-Priority: High
Message-Id: <E1DYiTb-00080x-00@lothar.isicm.bo.it>


Return-Path: <gianca@keynes.scuole.bo.it>
Received: from lothar.isicm.bo.it [192.168.8.1] (mail)
    by mandrake.isicm.bo.it with esmtp (Exim 3.36 #1 (Debian))
    id 1D21v9-0007ZZ-00; Fri, 18 Feb 2005 07:47:23 +0100
Received: from a-pg7-3.tin.it (LIBERATO.com) [212.216.252.2]
    by lothar.isicm.bo.it with smtp (Exim 3.36 #1 (Debian))
    id 1D21uf-0005Tj-00; Fri, 18 Feb 2005 07:46:54 +0100
Date: Fri, 18 Feb 2005 07:52:22 +0100
To: "Stagni" <stagni@keynes.scuole.bo.it>
From: "Gianca" <gianca@keynes.scuole.bo.it>
Subject: You are made active
Message-ID: <trlcsmhqhsricugbtyp@keynes.scuole.bo.it>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="--------yufzbcuofugrktnbqrvo"


VIRUS ALERT

Il sistema di scansione ha rilevato un problema
in una email presumibilmente inviate da Lei
-> (<scuole.bo@csa.scuole.bo.it>),
per il seguente destinatario:
-> boic839001@istruzione.it

La consegna del messaggio non e' potuta avvenire

Di seguito i riferimenti della e-Mail inviata:

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <scuole.bo@csa.scuole.bo.it>
Received: from sala?insegnanti.org (host230-231.pool8533.interbusiness.it [85.33.231.230])
    by bolino.trampi.mpi.it (Mail Service) with SMTP id B883048295E
    for <boic839001@istruzione.it>; Thu, 12 May 2005 12:07:37 -0400 (EDT)
Date: Thu, 12 May 2005 12:07:29 +0100
To: "Boic" <boic839001@istruzione.it>
From: "Scuole.bo" <scuole.bo@csa.scuole.bo.it>
Subject: Re:
Message-ID: <rjjxkchqclpekzqrdvy@istruzione.it>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="--------slvigwnqjbrrukanoslp"
-------------------------- END HEADERS ------------------------------



[...]

% Information related to '85.33.231.224 - 85.33.231.231'

inetnum:        85.33.231.224 - 85.33.231.231
netname:        COMUNEDIMONGHIDORO
descr:          COMUNEDIMONGHIDORO
country:        IT
admin-c:        CS2943-RIPE
tech-c:         CS2944-RIPE
status:         ASSIGNED PA
mnt-by:         INTERB-MNT
source:         RIPE # Filtered

[...]

With this information, the SPAM or VIRUS activity can be reported to the provider that manages the “offending” IP address, which is able to trace it back to the actual user.
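As an added example, not taken from the page, the Received-header walk described above done in Python on constructed headers: it starts from the hop recorded by our own relays and returns the first outside address, which is the one to look up in whois. The host names, the 203.0.113.7 and 198.51.100.9 addresses, and the own_networks default are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string

# Added example, not code from the page: walk a message's Received: chain
# from the most recent hop (top) downward, as the page does by hand, and
# return the first address that is not one of our own relays. That is the
# address to look up in whois; every Received: line below it was written by
# the sender and cannot be trusted. Names and addresses are constructed.

IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')

SAMPLE_HEADERS = """\
Received: from mail.example.org ([127.0.0.1])
    by localhost (mail [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 27645-06; Thu, 19 May 2005 12:42:05 +0200 (CEST)
Received: from relay.example.org [192.168.8.1]
    by mail.example.org with esmtp (Exim 3.36 #1 (Debian))
    id 1AAAAA-000002-00; Thu, 19 May 2005 12:42:04 +0200
Received: from host7.pool.example.net (mail.example.org) [203.0.113.7]
    by relay.example.org with smtp (Exim 3.36 #1 (Debian))
    id 1AAAAA-000003-00; Thu, 19 May 2005 12:42:03 +0200
Received: from innocent.example.com [198.51.100.9]
    by host7.pool.example.net with smtp; Thu, 19 May 2005 12:41:00 +0200
From: someone@example.org
To: victim@example.org
Subject: Hi
"""


def received_ips(raw_headers):
    """Bracketed IPs from the Received: headers, most recent hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all('Received', []):
        found = IP_RE.findall(value)
        if found:
            hops.append(found[0])
    return hops


def originating_ip(raw_headers, own_networks=('127.0.0.0/8', '192.168.8.0/24')):
    """First hop outside our own relays, or None if every hop is internal.

    The HELO name in parentheses is chosen by the sender and is ignored;
    only the bracketed address recorded by our relay is used.
    """
    trusted = [ipaddress.ip_network(n) for n in own_networks]
    for ip in received_ips(raw_headers):
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip  # '203.0.113.7' here, not the forged 198.51.100.9 below it
    return None
```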


Heartfelt thanks to the “guys” of Debian GNU Linux (“http://www.debian.org”) who, with their unseen volunteer work, keep this wonderful “anomalous” project alive. Visit the website to discover its thousand branches in the “educational”, “social” and (why not?) “business” fields.



