This HowTo assumes that you have Plesk and Qmail already installed, configured and working.
Mission
We want to modify a standard Plesk installation to protect some users/some domains (possibly all of them) with an anti-virus. Additionally we want to add greylisting for some (possibly all) domains.
To meet these goals we are going to install two new programs on the system, along with the libraries they require:
- Spamdyke: http://www.spamdyke.org (for greylisting)
- Simscan: http://www.inter7.com/?page=simscan (for scanning e-mail attachments)
WARNING: Spamdyke does NOT support POP-before-SMTP and its author has no intention of implementing it at the moment, so if you follow this HowTo you will lose POP-before-SMTP relaying; clients that relied on it must authenticate with SMTP AUTH instead.
Although this HowTo only explains how to use ClamAV, it is easy to adapt these instructions to any anti-virus supported by simscan (e.g. Trophie).
Although this HowTo only describes how to enable greylisting with Spamdyke, Spamdyke offers many other effective anti-spam filters; refer to the official Spamdyke documentation to learn about them.
Preparing Simscan
Simscan is a simple program by Inter7 that lets the qmail smtpd service reject viruses and spam and block attachments during the SMTP conversation. It requires the pcre library, which is usually available as a package for your distribution. Here is how to install the pcre library and its header files on:
Debian:
```
apt-get install libpcre3 libpcre3-dev
```
and RedHat/CentOS:
```
yum install pcre pcre-devel
```
In order to block attachments, Simscan also requires ripMIME, a MIME decoding library by PLDaniels Software (http://www.pldaniels.com/ripmime/). Download and unpack the tarball, then build and install it:
```
# cd ripmime-4.0.7/
# make
# make install
```
Preparing ClamAV
Find clamd.conf, open it and change “User clamav” to “User simscan”, then restart clamd. simscan hands each message to clamd through clamdscan, so the daemon must run as a user that can read simscan’s work directory (/var/qmail/simscan).
Determine the path to sigtool and clamdscan, by running:
```
$ whereis clamdscan
$ whereis sigtool
```
Installing simscan
```
# groupadd -g 88 simscan
# useradd -u 88 -g simscan -s /sbin/nologin -d /var/qmail/simscan -M simscan
```
Download simscan source from http://www.inter7.com/?page=simscan, extract the archive and compile it with the following commands:
```
# tar xvzf simscan-1.4.0.tar.gz
# cd simscan-1.4.0
# ./configure --enable-user=simscan --enable-clamav \
    --enable-clamdscan=CLAMPATH/clamdscan --enable-sigtool=CLAMPATH/sigtool \
    --enable-custom-smtp-reject=y --enable-per-domain=y --enable-attach \
    --enable-quarantinedir=/var/qmail/quarantine --enable-qmaildir=/var/qmail \
    --enable-workdir=/var/qmail/simscan --enable-received=y \
    --enable-controldir=/var/qmail/control --enable-dropmsg=n --enable-regex=y
```
Replace CLAMPATH with the path to sigtool and clamdscan. If you installed ClamAV from sources and you chose the default PREFIX location, this would be /usr/local/bin/clamdscan and /usr/local/bin/sigtool.
```
# make
# make install-strip
```
Create the directory /var/qmail/quarantine and make it writable by simscan:
```
# mkdir /var/qmail/quarantine
# chown simscan:simscan /var/qmail/quarantine
```
Create the file /var/qmail/control/simcontrol with the following line:
```
:clam=yes
```
If you want to block attachments based on extension (e.g. .com, .bat, .exe) you can modify the line above like this:
```
:clam=yes,attach=.com:.bat:.exe
```
If you want to virus scan only e-mail traffic of certain domains or accounts, you can put the following inside /var/qmail/control/simcontrol:
```
safedomain.com:clam=yes
safeaccount@unsafedomain.com:clam=yes
:clam=no
```
Or if you want to scan all e-mail traffic except the one for a certain domain or account, you can use:
```
unsafedomain.com:clam=no
unsafeaccount@safedomain.com:clam=no
:clam=yes
```
After creating /var/qmail/control/simcontrol, remember to run:
```
# /var/qmail/bin/simscanmk -g
# /var/qmail/bin/simscanmk
```
You should run simscanmk -g regularly (for example from cron, after each freshclam update), because it records the ClamAV version and signature database version that simscan writes into the Received header; simscanmk without -g must be re-run whenever you change simcontrol.
Installing Spamdyke
Download the latest tarball from http://www.spamdyke.org/download.html and extract the sources:
```
# tar xvzf spamdyke-4.0.4.tar.gz
# cd spamdyke-4.0.4/spamdyke
# ./configure
# make
# cp spamdyke /usr/local/bin/
```
Create the configuration file /etc/spamdyke.conf with the following content. Note that smtp-auth-level=observe leaves authentication to qmail-smtpd (the SMTPAUTH=1 setup Plesk already uses) and only watches for a successful AUTH, after which spamdyke stops filtering that connection; the smtp-auth-command lines are only consulted at the ondemand and always levels, but are harmless to keep.
```
log-level=info
local-domains-file=/var/qmail/control/rcpthosts
max-recipients=20
idle-timeout-secs=60
greeting-delay-secs=2
graylist-level=always
graylist-dir=/var/qmail/spamdyke/greylist
graylist-min-secs=300
graylist-max-secs=1814400
graylist-exception-ip-file=/var/qmail/spamdyke/never_greylist
sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
sender-whitelist-file=/var/qmail/spamdyke/whitelist_senders
recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
smtp-auth-level=observe
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command=/var/qmail/bin/cmd5checkpw /bin/true
tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp
```
If you want to use spamdyke also on smtps (SMTP over SSL), create the configuration file /etc/spamdyke-smtps.conf with the following content:
```
log-level=info
local-domains-file=/var/qmail/control/rcpthosts
max-recipients=20
idle-timeout-secs=60
greeting-delay-secs=2
graylist-level=always
graylist-dir=/var/qmail/spamdyke/greylist
graylist-min-secs=300
graylist-max-secs=1814400
graylist-exception-ip-file=/var/qmail/spamdyke/never_greylist
sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
sender-whitelist-file=/var/qmail/spamdyke/whitelist_senders
recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
smtp-auth-level=observe
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command=/var/qmail/bin/cmd5checkpw /bin/true
tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtps
```
Create the directories and configuration files required by spamdyke with the correct permissions, like this:
```
# mkdir -p /var/qmail/spamdyke/greylist
# touch /var/qmail/spamdyke/blacklist_ip /var/qmail/spamdyke/blacklist_recipients /var/qmail/spamdyke/whitelist_ip /var/qmail/spamdyke/blacklist_keywords /var/qmail/spamdyke/blacklist_senders /var/qmail/spamdyke/whitelist_senders /var/qmail/spamdyke/whitelist_rdns /var/qmail/spamdyke/never_greylist
# cd /var/qmail/spamdyke/greylist/
# for i in /var/qmail/mailnames/*; do mkdir "$(basename "$i")"; done
# chown -R qmaild:nofiles /var/qmail/spamdyke
```
Whenever a new domain is added to Plesk, we must create a new directory for the domain in /var/qmail/spamdyke/greylist/ . Until such a directory is created, greylisting will be disabled for that domain.
We can tell Plesk to create this directory for us for every new domain by creating the file /usr/local/psa/bin/create_greylist_folder.sh with the following content:
```
#!/bin/bash
# Called by the Plesk "Domain Created" event handler with the new domain name as $1.
[ -n "$1" ] || { echo "usage: $0 <domain>" >&2; exit 1; }
mkdir -p "/var/qmail/spamdyke/greylist/$1"
chown qmaild:nofiles "/var/qmail/spamdyke/greylist/$1"
exit
```
Then log in to Plesk as admin and go to Server –> Event Manager –> Add New Event Handler, choose the event “Domain Created”, select priority “Normal (50)”, select the “root” user and write the following in the “Command” textarea:
```
/usr/local/psa/bin/create_greylist_folder.sh <new_domain_name>
```
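The event handler only covers domains created from now on. As an added example (not part of the HowTo, Plesk or spamdyke), the following script brings the greylist tree back in sync for every existing mail domain, for instance from cron or after the handler was missing for a while, and lists directories left behind by domains that were deleted in Plesk. It assumes the same layout as above (one directory per mail domain under /var/qmail/mailnames, greylist state under /var/qmail/spamdyke/greylist owned by qmaild:nofiles); the script name, function names and argument order are this example's own choices.

```shell
#!/bin/sh
# sync_greylist_dirs.sh (added example): create the spamdyke graylist directory
# for every mail domain Plesk knows about and report leftovers for domains that
# no longer exist. Layout assumed: one subdirectory per mail domain under the
# mailnames directory, as in the HowTo's own loop.

# Args: mailnames dir, graylist dir, owner as user:group ("" skips chown).
# Prints one line per directory created; returns 2 if mailnames is missing.
sync_greylist_dirs() {
    local mailnames="$1" graylist="$2" owner="$3" d name
    [ -d "$mailnames" ] || { echo "no such directory: $mailnames" >&2; return 2; }
    mkdir -p "$graylist"
    for d in "$mailnames"/*/; do
        [ -d "$d" ] || continue            # unmatched glob on an empty tree
        name=$(basename "$d")
        if [ ! -d "$graylist/$name" ]; then
            mkdir "$graylist/$name"
            if [ -n "$owner" ]; then chown "$owner" "$graylist/$name"; fi
            echo "$graylist/$name"
        fi
    done
    return 0
}

# Print graylist directories whose domain is gone from mailnames (removed in
# Plesk). Nothing is deleted here: review the list and remove them by hand.
stale_greylist_dirs() {
    local mailnames="$1" graylist="$2" d name
    for d in "$graylist"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        [ -d "$mailnames/$name" ] || echo "$name"
    done
    return 0
}

# Usage: sync_greylist_dirs.sh /var/qmail/mailnames /var/qmail/spamdyke/greylist [owner]
if [ "$#" -ge 2 ]; then
    sync_greylist_dirs "$1" "$2" "${3:-qmaild:nofiles}"
    echo "stale (domain no longer in Plesk):"
    stale_greylist_dirs "$1" "$2"
fi
```

Run it as root so the chown succeeds; a second run creates nothing and is safe to repeat from cron.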
Patching and compiling qmail
The qmail version shipped by Plesk (package: psa-qmail) is heavily patched and modified. If you try to install your own version of qmail, most likely you’ll break Plesk. Fortunately Parallels (the company behind the development of Plesk) makes available for download the whole set of patches from their Knowledge Base: http://kb.parallels.com/article_22_1161_en.html
In order to compile it, you’ll need to install the domainkeys package, available from http://domainkeys.sourceforge.net
Unfortunately simply applying these patches and trying to compile qmail doesn’t work. You’ll get lot of errors. Instructions on how to circumvent these problems are available at http://www.ridwan.net/plesk8.1+simscan.html#qmail or you can keep on reading if you want an easier solution.
simscan sits between qmail-smtpd and qmail-queue (through the QMAILQUEUE variable), scans each message and rejects it during the SMTP session if it is infected. By default the rejection message is generic and identical for all malware. If you want the malware name in the rejection message, you additionally have to patch qmail with qmail-queue-custom-error.patch from the contrib/ directory of the simscan sources.
To make the process easier I’ve put together a big patch (more than 13k lines! ouch!) against qmail-1.03 that includes the patches for Plesk 8.6 and the custom error patch for simscan plus all the fixes to avoid compilation problems: qmail-1.03-with-plesk-8.6.diff
Refer to the Plesk KB and the simscan package for the copyright of the code contained in this patch.
Here are the installation instructions:
First install domainkeys:
```
# tar xvzf libdomainkeys-0.69.tar.gz
# cd libdomainkeys-0.69
# echo "-lresolv" > dns.lib
# make
# cp libdomainkeys.a /usr/local/lib/
# cp domainkeys.h /usr/local/include/
```
Then download, patch, and install qmail:
```
# wget http://www.qmail.org/qmail-1.03.tar.gz
# tar xvzf qmail-1.03.tar.gz
# cd qmail-1.03
# patch -p1 < qmail-1.03-with-plesk-8.6.diff
# make WITH_QMAILQUEUE_PATCH=yes
# cp /var/qmail/bin/qmail-smtpd /var/qmail/bin/qmail-smtpd.orig
# cp -f qmail-smtpd /var/qmail/bin/qmail-smtpd
```
Finally configure xinetd to run spamdyke in front of qmail-smtpd and to point QMAILQUEUE at simscan, so that qmail-smtpd hands every message to simscan instead of qmail-queue. Modify the file /etc/xinetd.d/smtp_psa to look like this:
```
service smtp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    disable     = no
    user        = root
    instances   = 50
    env         = SMTPAUTH=1 QMAILQUEUE=/var/qmail/bin/simscan
    server      = /var/qmail/bin/tcp-env
    server_args = -Rt0 /var/qmail/bin/relaylock /usr/local/bin/spamdyke -f /etc/spamdyke.conf /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
```
Also modify /etc/xinetd.d/smtps_psa to look like this:
```
service smtps
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    disable     = no
    user        = root
    instances   = 50
    env         = SMTPAUTH=1 QMAILQUEUE=/var/qmail/bin/simscan
    server      = /var/qmail/bin/tcp-env
    server_args = -Rt0 /var/qmail/bin/relaylock /usr/local/bin/spamdyke -f /etc/spamdyke-smtps.conf /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
```
Restart xinetd and you are done:
```
/etc/init.d/xinetd restart
```
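Before trusting the setup, check the whole chain end to end with the EICAR test file. The script below is an added example, not part of the original HowTo nor of simscan or spamdyke: it talks SMTP to the server, waits for the banner before sending anything (otherwise greeting-delay-secs would reject it as an early talker), delivers a message with EICAR attached and reports how the server answered after the final dot. It assumes bash (for /dev/tcp), coreutils base64, a recipient in a domain listed in rcpthosts whose simcontrol entry has clam=yes, and a client IP listed in never_greylist or whitelist_ip; if the IP is not, spamdyke answers 451 at RCPT and the script reports greylisting instead of a scan result. Script and function names are this example's own.

```shell
#!/bin/bash
# smtp_eicar_check.sh (added example): send the EICAR test file through
# spamdyke -> qmail-smtpd -> simscan and report the reply at end of DATA.
# Usage: smtp_eicar_check.sh HOST PORT SENDER RECIPIENT

# Industry-standard harmless anti-virus test pattern (Eicar-Test-Signature).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# EICAR as one base64 line for the MIME body.
eicar_b64() {
    printf '%s' "$EICAR" | base64 | tr -d '\n'
}

# Two-part MIME message with EICAR attached as eicar.com (LF line ends).
build_eicar_message() {
    local from="$1" to="$2" boundary="eicar-check-$$"
    printf 'From: %s\nTo: %s\nSubject: simscan EICAR check\nMIME-Version: 1.0\n' "$from" "$to"
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    printf -- '--%s\nContent-Type: text/plain\n\nEICAR test attachment follows.\n\n' "$boundary"
    printf -- '--%s\nContent-Type: application/octet-stream; name="eicar.com"\n' "$boundary"
    printf 'Content-Transfer-Encoding: base64\nContent-Disposition: attachment; filename="eicar.com"\n\n'
    printf '%s\n' "$(eicar_b64)"
    printf -- '--%s--\n' "$boundary"
}

# True when a line ends an SMTP reply ("250 ok"), false for "250-..." continuation.
smtp_final_line() {
    case "$1" in
        [0-9][0-9][0-9]" "*|[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Three-digit status code of a reply line.
smtp_reply_code() {
    printf '%.3s' "$1"
}

# Read one complete (possibly multi-line) reply from fd 3 into REPLY_CODE/REPLY_TEXT.
smtp_read_reply() {
    local line
    REPLY_TEXT='' REPLY_CODE='000'
    while IFS= read -r -t 60 line <&3; do
        line=${line%$'\r'}
        REPLY_TEXT+="$line"$'\n'
        if smtp_final_line "$line"; then
            REPLY_CODE=$(smtp_reply_code "$line")
            return 0
        fi
    done
    return 1    # timeout or connection closed by the server
}

smtp_send() {
    printf '%s\r\n' "$1" >&3
}

# Returns 0 when the message is refused at end of DATA (scanning works),
# 1 when it is accepted (NOT scanned), 3 when spamdyke greylists us, 2 otherwise.
run_eicar_check() {
    local host="$1" port="$2" from="$3" to="$4" final_code final_text
    exec 3<>"/dev/tcp/$host/$port" || return 2
    smtp_read_reply && [ "$REPLY_CODE" = 220 ] || { echo "no banner: $REPLY_TEXT"; exec 3>&-; return 2; }
    smtp_send "EHLO $(hostname)"; smtp_read_reply
    smtp_send "MAIL FROM:<$from>"; smtp_read_reply
    smtp_send "RCPT TO:<$to>"; smtp_read_reply
    if [ "$REPLY_CODE" = 451 ]; then
        echo "greylisted by spamdyke, retry after graylist-min-secs: $REPLY_TEXT"
        smtp_send QUIT; exec 3>&-; return 3
    fi
    [ "$REPLY_CODE" = 250 ] || { echo "RCPT refused: $REPLY_TEXT"; smtp_send QUIT; exec 3>&-; return 2; }
    smtp_send DATA; smtp_read_reply
    # Dot-stuff lines and use CRLF on the wire, then terminate with a lone dot.
    build_eicar_message "$from" "$to" | awk '{ sub(/^\./, ".."); printf "%s\r\n", $0 }' >&3
    smtp_send "."
    smtp_read_reply
    final_code="$REPLY_CODE" final_text="$REPLY_TEXT"
    smtp_send QUIT; smtp_read_reply
    exec 3>&-
    echo "reply after DATA: $final_text"
    case "$final_code" in
        5*) echo "OK: message refused, simscan and ClamAV are active"; return 0 ;;
        2*) echo "PROBLEM: EICAR accepted, check QMAILQUEUE in xinetd and simcontrol"; return 1 ;;
        *)  return 2 ;;
    esac
}

if [ "$#" -eq 4 ]; then
    run_eicar_check "$@"
fi
```

Run it as ./smtp_eicar_check.sh mail.example.com 25 sender@example.com user@safedomain.com from a host that is allowed to skip greylisting. A 554 reply after the final dot (naming Eicar-Test-Signature if the custom error patch is in place) means the whole chain works; a 250 means the message was queued unscanned, so check the QMAILQUEUE setting in /etc/xinetd.d/smtp_psa and the domain's simcontrol entry, and consult simscan's README for its SIMSCAN_DEBUG variable to have it log each step.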
Feel free to contact me if any of the links in this document don’t work, or the patches don’t apply cleanly.
Thanks to:
- http://www.ridwan.net/plesk8.1+simscan.html
- Other people from the Plesk forum