Mail Service - antivirus and antispam checks
A matter of “image” and of “practice” (services that can be offered).
A “private” network whose users take advantage of an “internal” mail server and their own “domain”.
Operating system of the “server” machine: Debian GNU Linux (“http://www.debian.org”)
Mail server program: Exim3 or Postfix (“http://www.exim.org” and “http://www.postfix.org”)
Antivirus program: Clamav (“http://www.clamav.net”)
Antispam program: Spamassassin (“http://spamassassin.apache.org”)
Antispam program: Razor (“http://razor.sourceforge.net”)
Glue program connecting the components: Amavis (“http://www.ijs.si/software/amavisd”)
Various programs for handling archives: UnZip, arc, bzip2, Unarj, Lha, ...
All programs are installed in their Debian GNU Linux packaged versions (currently the “Sarge” release) and the instructions that follow refer to that installation method.
apt-get install postfix
sender -> server -> recipient
sender -> server -> checks (virus and spam) -> recipient (if the checks pass)
apt-get install clamav
Accept the default options (in “/etc/clamav/clamd.conf”), except:
[...]
# Talk over a TCP port (faster)
TCPSocket 3310
# When run as “root” it can also scan the users' files
User root
[...]
apt-get install spamassassin
Check that “/etc/default/spamassassin” contains:
[...]
ENABLED=1
[...]
apt-get install razor
apt-get install amavisd-new
Main options (in “/etc/amavis/amavisd.conf”):
use strict;
$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis')
$mydomain = 'casa.mia'; # (no useful default)
$daemon_user = 'amavis'; # (no default (undef))
$daemon_group = 'amavis'; # (no default (undef))
$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?
$pid_file = "/var/run/amavis/amavisd.pid"; # (default: "$MYHOME/amavisd.pid")
$lock_file = "/var/run/amavis/amavisd.lock"; # (default: "$MYHOME/amavisd.lock")
# set environment variables if you want (no defaults):
$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory
### Options for talking to the mail server
# EXIM v3
$forward_method = 'smtp:127.0.0.1:25';
$notify_method = $forward_method;
### System resource requirements
$max_servers = 2; # number of pre-forked children (default 2)
$max_requests = 10; # retire a child after that many accepts (default 10)
$child_timeout=5*60; # abort child if it does not complete each task in n sec
# (default: 8*60 seconds)
### “Disable the disabling” of the antispam checks
##@bypass_spam_checks_acl = qw( . ); # No default dependency on spamassassin
$relayhost_is_client = 0; # (defaults to false)
$insert_received_line = 1; # behave like MTA: insert 'Received:' header
# (does not apply to sendmail/milter)
# (default is true (1) )
$localhost_name = "amavis";
$unix_socketname = undef; # disable listening on a unix socket
### Listen on port 10024 for the mail to be checked
$inet_socket_port = 10024; # accept SMTP on this local TCP port
# when MTA is at the same host, use the following (one or the other or both):
$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
# (default is '127.0.0.1')
@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
# (default is qw( 127.0.0.1 ) )
$DO_SYSLOG = 0; # (defaults to false)
$LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log)
$log_level = 2; # (defaults to 0)
$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
[?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
### Use the Italian message templates
read_l10n_templates('it_IT', '/etc/amavis');
### Destination of the “offending” messages
### (D_DISCARD instead of “D_BOUNCE” avoids the so-called “collateral SPAM”, i.e. backscatter)
$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
$viruses_that_fake_sender_re = new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
[qr'^(EICAR|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
[qr/.*/ => 1], # true by default (remove or comment-out if undesired)
);
## Recipient of the alerts (administrator)
$virus_admin = "virusalert\@$mydomain"; # due to D_DISCARD default
$spam_admin = "spamalert\@$mydomain";
$mailfrom_notify_admin = "virusalert\@$mydomain";
$mailfrom_notify_recip = "virusalert\@$mydomain";
$mailfrom_to_quarantine = ''; # override sender address with null return path
$QUARANTINEDIR = '/var/lib/amavis/virusmails';
$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
$spam_quarantine_to = 'spam-quarantine';
$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
$X_HEADER_LINE = "by $myversion (Debian) on BruttaBestia at $mydomain";
$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
$keep_decoded_original_re = new_RE(
qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
);
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID)
qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
# vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
# qr'^\.(zip|lha|tnef|cab)$'i, # banned file(1) types
# qr'^\.exe$'i, # banned file(1) types
# qr'^application/x-msdownload$'i, # banned MIME types
# qr'^application/x-msdos-program$'i,
qr'^message/partial$'i, qr'^message/external-body$'i, # block rfc2046
);
$virus_lovers{lc("postmaster\@$mydomain")} = 1;
$spam_lovers{lc("postmaster\@$mydomain")} = 1;
$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
$recipient_delimiter = '+'; # (default is '+')
$replace_existing_extension = 1; # (default is false)
$localpart_is_case_sensitive = 0; # (default is false)
map { $whitelist_sender{lc($_)}=1 } (qw(
nobody@cert.org
owner-alert@iss.net
slashdot@slashdot.org
bugtraq@securityfocus.com
NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
security-alerts@linuxsecurity.com
amavis-user-admin@lists.sourceforge.net
razor-users-admin@lists.sourceforge.net
notification-return@lists.sophos.com
mailman-announce-admin@python.org
zope-announce-admin@zope.org
owner-postfix-users@postfix.org
owner-postfix-announce@postfix.org
owner-sendmail-announce@lists.sendmail.org
sendmail-announce-request@lists.sendmail.org
ca+envelope@sendmail.org
owner-technews@postel.ACM.ORG
lvs-users-admin@LinuxVirtualServer.org
ietf-123-owner@loki.ietf.org
cvs-commits-list-admin@gnome.org
rt-users-admin@lists.fsck.com
owner-announce@mnogosearch.org
owner-hackers@ntp.org
owner-bugs@ntp.org
clp-request@comp.nus.edu.sg
surveys-errors@lists.nua.ie
emailNews@genomeweb.com
owner-textbreakingnews@CNNIMAIL12.CNN.COM
yahoo-dev-null@yahoo-inc.com
));
$MAXLEVELS = 14; # (default is undef, no limit)
$MAXFILES = 1500; # (default is undef, no limit)
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
## Definition of the programs used to handle archives
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
$unrar = ['rar', 'unrar']; # both can extract, same options
$zoo = 'zoo';
$lha = 'lha';
$cpio = 'cpio'; # comment out if cpio does not support GNU options
### Do not restrict SpamAssassin to local tests only
##$sa_local_tests_only = 1; # (default: false)
$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin
$sa_mail_body_size_limit = 150*1024; # don't waste time on SA if mail is larger
# (less than 1% of spam is > 64k)
$sa_tag_level_deflt = 4.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.3; # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
# at or above that level: bounce/reject/drop,
# quarantine, and adding mail address extension
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
# effectively turning D_BOUNCE into D_DISCARD;
# undef disables this feature and is a default;
$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
# (only seen when spam is not to be rejected
# and recipient is in local_domains*)
$first_infected_stops_scan = 1; # default is false, all scanners are called
### Check the parameters of the antivirus programs in use
@av_scanners = (
### http://www.clamav.net/
['Clam Antivirus-clamd',
## \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
## qr/\bOK$/, qr/\bFOUND$/,
## qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
\&ask_daemon, ["CONTSCAN {}\n", '127.0.0.1:3310'],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: run clamd under the same user as amavisd; match the socket
# name (LocalSocket) in clamav.conf to the socket name in this entry
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
);
### [...]
@av_scanners_backup = (
### http://www.clamav.net/
['Clam Antivirus - clamscan', 'clamscan',
"--stdout --no-summary -r --tempdir=$TEMPBASE --mbox {}", [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
### http://www.f-prot.com/
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
'-dumb -archive -packed {}', [0,8], [3,6],
qr/Infection: (.+)/ ],
);
[...]
After installing and configuring Amavis, you can follow the detailed instructions that guide you step by step through completing the “dialogue” between the various pieces of the system:
An example from “/usr/share/doc/amavisd-new/README.postfix.gz”
[...]
For the first time it is best to start it interactively and keep it attached to the terminal:
$ /usr/local/sbin/amavisd debug
From another window check that it is listening on a local SMTP port 10024 (default):
--> $ telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
--> quit
221 Bye
Connection closed by foreign host.
[...]
2. With a text editor add to the Postfix master.cf file the following two entries, e.g. near the end of the file:
smtp-amavis unix - - y/n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
[...]
3. Do a 'postfix reload', check its log file for any complaints, and test if it is listening on port 10025:
--> $ telnet 127.0.0.1 10025
Trying 127.0.0.1...
Connected to 127.0.0.1.
[...]
Simply following these instructions, you are led “by the hand” to the completion of the installation!
And this even without having a thorough command of the subject.
[...]
virusalert: postmaster
spamalert: postmaster
amavis: postmaster
[...]
The program can be “trained” to recognise new kinds of SPAM by feeding them to it through the “SA-LEARN” utility:
“/usr/bin/sa-learn --showdots --spam --mbox /tmp/Allena_SpamAssassin”
The system is “a living thing”: you have to check that everything works and keep an eye on any “warning lights”, much as with a car.
A check with “mailq” shows whether there is mail waiting to be sent (and for how long). Reading the logs, you can decide what to do with it: “FLUSH” (force delivery) or “PURGE” (delete the messages that the destination servers reject because they contain errors).
From ragno@scuole.bo.it Mon May 16 15:15:57 2005
Received: from amavis by mandrake.isicm.bo.it with scanned-ok (Exim 3.36 #1 (Debian))
id 1DXfRt-0007OW-00; Mon, 16 May 2005 15:15:57 +0200
Received: from mandrake.isicm.bo.it ([127.0.0.1])
by localhost (mandrake [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 27645-06; Mon, 16 May 2005 15:15:50 +0200 (CEST)
Received: from lothar.isicm.bo.it [192.168.8.1]
by mandrake.isicm.bo.it with esmtp (Exim 3.36 #1 (Debian))
id 1DXfRm-0007OQ-00; Mon, 16 May 2005 15:15:50 +0200
Received: from host70-250.pool80180.interbusiness.it (stpcqgfvq.it) [80.180.250.70]
by lothar.isicm.bo.it with smtp (Exim 3.36 #1 (Debian))
id 1DXfRi-0002EU-00; Mon, 16 May 2005 15:15:46 +0200
From: ragno@scuole.bo.it
To: vitto@keynes.scuole.bo.it
Date: Mon, 16 May 2005 13:11:08 GMT
Subject: Dresden Bombing Is To Be Regretted Enormously
Return-Path: <scuole.pr@csa.scuole.bo.it>
Received: from lothar.isicm.bo.it [192.168.8.1]
by mandrake.isicm.bo.it with esmtp (Exim 3.36 #1 (Debian))
id 1DYiTe-0002w3-00; Thu, 19 May 2005 12:42:06 +0200
Received: from host230-231.pool8533.interbusiness.it (keynes.scuole.bo.it) [85.33.231.230]
by lothar.isicm.bo.it with esmtp (Exim 3.36 #1 (Debian))
id 1DYiTb-00080x-00; Thu, 19 May 2005 12:42:03 +0200
From: scuole.pr@csa.scuole.bo.it
To: ceve@keynes.scuole.bo.it
Subject: Hi
Date: Thu, 19 May 2005 12:42:02 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0004_00005C2A.00007CEC"
X-Priority: 1
X-MSMail-Priority: High
Message-Id: <E1DYiTb-00080x-00@lothar.isicm.bo.it>
Return-Path: <gianca@keynes.scuole.bo.it>
Received: from lothar.isicm.bo.it [192.168.8.1] (mail)
by mandrake.isicm.bo.it with esmtp (Exim 3.36 #1 (Debian))
id 1D21v9-0007ZZ-00; Fri, 18 Feb 2005 07:47:23 +0100
Received: from a-pg7-3.tin.it (LIBERATO.com) [212.216.252.2]
by lothar.isicm.bo.it with smtp (Exim 3.36 #1 (Debian))
id 1D21uf-0005Tj-00; Fri, 18 Feb 2005 07:46:54 +0100
Date: Fri, 18 Feb 2005 07:52:22 +0100
To: "Stagni" <stagni@keynes.scuole.bo.it>
From: "Gianca" <gianca@keynes.scuole.bo.it>
Subject: You are made active
Message-ID: <trlcsmhqhsricugbtyp@keynes.scuole.bo.it>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------yufzbcuofugrktnbqrvo"
VIRUS ALERT
Il sistema di scansione ha rilevato un problema
in una email presumibilmente inviate da Lei
-> (<scuole.bo@csa.scuole.bo.it>),
per il seguente destinatario:
-> boic839001@istruzione.it
La consegna del messaggio non e' potuta avvenire
Di seguito i riferimenti della e-Mail inviata:
------------------------- BEGIN HEADERS -----------------------------
Return-Path: <scuole.bo@csa.scuole.bo.it>
Received: from sala?insegnanti.org (host230-231.pool8533.interbusiness.it [85.33.231.230])
by bolino.trampi.mpi.it (Mail Service) with SMTP id B883048295E
for <boic839001@istruzione.it>; Thu, 12 May 2005 12:07:37 -0400 (EDT)
Date: Thu, 12 May 2005 12:07:29 +0100
To: "Boic" <boic839001@istruzione.it>
From: "Scuole.bo" <scuole.bo@csa.scuole.bo.it>
Subject: Re:
Message-ID: <rjjxkchqclpekzqrdvy@istruzione.it>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------slvigwnqjbrrukanoslp"
-------------------------- END HEADERS ------------------------------
[...]
% Information related to '85.33.231.224 - 85.33.231.231'
inetnum: 85.33.231.224 - 85.33.231.231
netname: COMUNEDIMONGHIDORO
descr: COMUNEDIMONGHIDORO
country: IT
admin-c: CS2943-RIPE
tech-c: CS2944-RIPE
status: ASSIGNED PA
mnt-by: INTERB-MNT
source: RIPE # Filtered
[...]
With this information, the SPAM or VIRUS activity can be reported to the provider that manages the “offending” IP address, which is able to trace it back to the actual user.
Heartfelt thanks to the Debian GNU Linux “guys” (“http://www.debian.org”) whose unseen volunteer work keeps this wonderful “anomalous” project alive. Visit the website to discover its countless branches in the “educational”, “social” and (why not?) “business” fields.
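As an added example (not code from the original page), the following Python script automates the reading of the “Received:” chain shown above: it walks the headers bottom-up, skips the hops added by our own relays, and returns the first external address, which is the one to look up in whois and report to the provider. The sample headers, host names and the LAN ranges it treats as internal are constructed assumptions.

```python
import email
import ipaddress
import re

# Constructed sample headers (not from the original page), modelled on the
# Exim/amavisd-new "Received:" chain shown above. Each relay prepends its own
# line, so the originating host is found by walking the chain bottom-up.
SAMPLE_HEADERS = """\
Received: from amavis by mail.example.net with scanned-ok (Exim 3.36 #1 (Debian))
    id 1AAAAA-000001-00; Thu, 19 May 2005 12:42:10 +0200
Received: from mail.example.net ([127.0.0.1])
    by localhost (mail [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 27645-06; Thu, 19 May 2005 12:42:06 +0200 (CEST)
Received: from gw.example.net [192.168.8.1]
    by mail.example.net with esmtp (Exim 3.36 #1 (Debian))
    id 1AAAAA-000002-00; Thu, 19 May 2005 12:42:06 +0200
Received: from host-77.isp.example (desktop.example.net) [203.0.113.77]
    by gw.example.net with smtp (Exim 3.36 #1 (Debian))
    id 1AAAAA-000003-00; Thu, 19 May 2005 12:42:03 +0200
Subject: Hi

"""
# Our own relays: loopback plus RFC 1918 (assumed; adjust to the local LAN).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # "[a.b.c.d]" as Exim writes it
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)  # reverse-DNS name of the peer

def is_internal(ip):
    """True for loopback and LAN addresses, i.e. hops added by our own relays."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def received_hops(raw_headers):
    """Return (peer_name, peer_ip) per Received: header, earliest hop first."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold the continuation lines
        name, ip = FROM_RE.match(text), IP_RE.search(text)
        hops.append((name.group(1) if name else None, ip.group(1) if ip else None))
    return hops

def originating_ip(raw_headers):
    """First hop outside our networks: the address to look up in whois and report."""
    for name, ip in received_hops(raw_headers):
        if ip is not None and not is_internal(ip):
            return name, ip
    return None
```

Remember that the name in parentheses is what the peer claimed in HELO and can be forged freely, as the samples above show; only the bracketed address recorded by your own relay is trustworthy.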