Qmail-Scanner is a very versatile tool for linux which allows you to scan any email that passes your system with various brands of virus scanners, including the open source ClamAV. Alongside the more thorough scan and possibility to audit content, I find the archiving feature very useful.
One particularly useful bit of qmail-scanner is that you don’t need to recompile qmail for patching, which can be a mamoth task on PLESK run systems (specifically VPSes in Virtuozzo)
For this installation, I am on a fresh install of CentOS 5.2 on a PLESK 8.6 VPS server, and assumes that qmail is installed and working properly.
I’d love to hear how compatable this How-To is. I tried doing this on a Fedora 7 PLESK 8.2 (and upgraded to 8.6) dedicated but it didn’t work out due to conflict between courier and maildrop during installation. I gave up as F7 isn’t even supported by Fedora, so if you still use it, think of an upgrade first … a good hosting provider should give you the option to upgrade.
Firstly we must install the atomic yum repository. Run this command :
wget -q -O – http://www.atomicorp.com/installers/atomic.sh | sh
And it should install it for you. All this does is creat yum .repo files in your /etc/yum.repos.d/ directory for atomic and plesk (gives you the option during install). For manual installation instructions please visit http://www.atomicrocketturtle.com .
Firstly, it’s probably a good idea to shut down your mail server for a bit. Do it using plesk via command interface like so
/usr/local/psa/bin/service ––stop smtp
/usr/local/psa/bin/service ––stop mail
/usr/local/psa/bin/service ––stop spamassassin
/usr/local/psa/bin/service ––stop drweb
Firstly we erase drweb antivirus and the psa-spamassassin from the system. These will be replaced by clamav and the normal spamassassin. Sadly this will mean losing some interactivity in PLESK (8.6 downwards, but probably in later versions too) as you can’t configure regular spamassassin via the web interface. Fortunately, once you get that working well it’s probably something best left alone anyway…
yum erase drweb-qmail psa-spamassassin
Now we install the various packages needed for qmail-scanner and to operate. Some of the following packages may already be on your system (perl libraries were on the test CentOS VPS I used)
yum install daemontools perl-Archive-Tar perl-HTML-Parser perl-IO-Socket-INET6 perl-IO-Socket-SSL perl-IO-Zlib perl-Socket6
Next we install the virus and spam protection
yum install clamd spamassassin razor-agents dcc pyzor tnef
Then we finish with an install of qmail-scanner
yum install qmail-scanner
This is where I ran into problems with Fedora 7. You may run into problems here where maildrop confilcts with courrier… I didn’t see the point trying to fix a problem which may be due to an old unsupported OS… if anyone does run into this problem I’d be interested to know.
That’s the installation out of the way, now let’s continue with configuration…
Starting with clamav, we need to set some permissions up first.
chown -R qscand:qscand /var/log/clamav /var/run/clamav /var/clamav
You need to edit the file /etc/freshclam.conf so that the line “DatabaseOwner clamav” becomes “DatabaseOwner qscand”. This can be done using vi, or I prefer using WinSCP for file editing via shell.
Create the log file for freshclam and assign it appropriate permissions:
chown qscand:qscand /var/log/clamav/freshclam.log
Hopefully it shouldn’t give any errors. It might give errors the first time, but try running it twice and the errors should go. You should see something like this:
ClamAV update process started at Fri Jan 16 20:22:47 2009
main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
daily.cvd is up to date (version: 8872, sigs: 51302, f-level: 38, builder: ccordes)
If it doesn’t, the errors are usually fairly intuitive.
Also, if you have logrotate installed on your system, you may want to check the settings of the clamav entry, since it may create new logs under owner clamav, which will then create permission problems for you. Go to /etc/logrotate.d and verify the files starting with clamav and freshclam and make sure there is a line that looks like this:
create 644 qscand qscand
It may be you’ll find an entry like that but with clamav instead of qscand. Make sure you edit these so it looks like the line above.
Now we add fresclam to the crontab so that you get regularly updated and protected against the latest viruses. You can do this on the PLESK scheduler, or run this:
Add the following to it:
25 1 * * * /usr/bin/freshclam –quiet -l /var/log/clamav/freshclam.log
Finally, start clamav, check that it runs, and set it so that it runs on system startup. I tell it to restart as some OSes may already have it on, but if it’s not don’t worry, stopping the service will fail but it will start up properly.
service clamd restart
service clamd status
chkconfig clamd on
Spamassassin is farily easy. Just restart it like with clamav and verify it’s running and will start on start up.
service spamassassin restart
service spamassassin status
chkconfig spamassassin on
Qmail-scanner will take care of itself, so just run the following two commands :
chmod u+s /var/qmail/bin/qmail-scanner-queue.pl
The second command gives permissions to a file which sometimes chucks a wobbly if not set.
This bit is purely optional. I do it for convenience, because it really annoys me having remember loads of folder locations for logs. All I do here is add some shortcuts to the /var/log folder, which just makes plain sense to keep logs there ( logs in a log folder… genius why didn’t anyone else think of that sooner!? )
ln -s /usr/local/psa/var/log/maillog /var/log/qmail
ln -s /var/spool/qscan/qmail-queue.log /var/log/qmail-scanner
All we need to do now is start qmail, courrier and we’re good to go!
/usr/local/psa/bin/service ––start smtp
/usr/local/psa/bin/service ––start mail
That’s it! Send yourself a test mail and see how it goes! More posts with tips on customising your new email server installation coming soon!
DISCLAIMER : Please note that this information comes with no guarantees, and it’s recommended you test your installations somewhere first, or at least back your data up if you’re feeling brave!