Protect Linux mail servers with Vexira Antivirus

Use this tutorial to set up Vexira Antivirus for Mail Servers as an SMTP virus scanner on Linux.

Vexira Antivirus for Mail Servers is an SMTP scanner that checks inbound and outbound messages on Linux/UNIX mail servers. Unlike its command line scanner counterpart, the mail antivirus software processes messages in real time, as they pass through the mail system. Given how many viruses spread through e-mail, the need for such software has become paramount. Recent viruses have shut down mail services for companies of all sizes and affected networks worldwide. Filtering this contaminated mail, which is often destined for non-Linux client operating systems, helps keep services up and minimize downtime. Here's a closer look at how the Vexira solution for Linux/UNIX mail servers can be used to address the problem.

Installing and configuring Vexira
Unlike many Linux software packages, Vexira Antivirus for Mail Servers is not free software. Licenses start at under $200, and a demo of the software is available for a 30-day trial.

Vexira supports a number of MTA (Mail Transport Agent) configurations, including Sendmail, Sendmail+milter, Qmail, Postfix, and Exim. By default Vexira will receive mail, scan it for viruses, and then either block the message or forward it to the local MTA. Logging is performed and a message is sent to the postmaster account. Additional messages can also be sent to the sender and intended recipient of the infected mail.

I recommend that you start the evaluation process by downloading the demo. At this point, you will need to decide between two options: MailArmor (for systems with glibc or libc5) or the Vexira Milter package (for use with Sendmail versions 8.10 and above). The Vexira Milter installation is a little different from the MailArmor products, so we'll go over both.

MailArmor install
For MailArmor, extract the package, change into the directory it creates, and run the install script it contains:
tar xpfz vamailarmorLinux-glibc.tgz
cd vexira-mailarmor-

The script will prompt for configuration settings such as the destination for Vexira files and executables. It will also ask for the hosts and networks allowed to relay mail. Since your MTA should already be configured at this point, these should mirror its relaying settings; keep the list as narrow as the MTA's own, because a scanner that accepts mail from anywhere and hands it to the MTA for delivery becomes an open relay in front of it. If there are any problems later, you may want to verify that your /etc/vamailarmor.acl file is up to date. The script also creates all the files and directories necessary for Vexira to run.

You will also be prompted to configure the Vexira automatic updater. With this feature the Vexira software updates itself, including new virus definitions, as often as you configure it to run. That largely lets you install it and forget about it, though you should still confirm periodically that updates are actually arriving, since a scanner with stale signatures fails silently.

You will still need to configure MailArmor to interoperate with your current MTA and test to make sure that it is working correctly.

There are installation help files for Sendmail, Sendmail+milter, Qmail, Postfix, and Exim that list the necessary modifications for each type of installation.

Vexira Milter install
Milter (mail filter) is an API first introduced in Sendmail 8.10. It allows third-party programs to inspect messages and tell Sendmail whether or not to accept them. Support for Milter must be compiled into the version of Sendmail you are running in order to use the Vexira Milter module; running sendmail -d0.1 -bv root lists the compiled-in options, and MILTER should be among them. You can recompile Sendmail with the -DMILTER flag if it isn't.

Unlike MailArmor, there is no install script that comes with the Vexira Milter package. You will need to create the files and directories manually (unless they already exist from a previous Vexira installation). After unpacking the distribution files, cd into the newly created directory:
tar xpfz vamilterLinux-glibc.tgz
cd vexira-milter-1.0.1

From here you will be able to continue the installation. Read the INSTALL file included with Vexira Milter as it contains specifics on needed directories, files, and permissions. 

To configure Sendmail, add the following two lines to your Sendmail configuration file:
Xvamilter, S=inet:3333@localhost, F=R, T=S:10m;R:10m;E:10m
O InputMailFilters=vamilter

These settings can also be generated with this entry:

The S= field tells Sendmail to reach the filter over a TCP (inet) socket on the local host, port 3333. The F=R option tells Sendmail to reject connections if the filter is unavailable; F=T would instead return a temporary failure so that sending servers retry later. Either way this creates a hard dependency on Vexira, which should be kept in mind when troubleshooting future mail issues (and without any F= flag, mail would pass through unscanned while the filter is down). The T= field sets the timeouts for talking to the Vexira Antivirus filter: S:10m sets the timeout for sending data from the MTA to the filter to 10 minutes, R:10m sets the timeout for a reply from the filter to 10 minutes, and E:10m allows 10 minutes between sending the end-of-message to Vexira and receiving the final acknowledgement. These can be set lower or higher depending on your needs.

To finish, start Vexira Milter and then restart Sendmail:
/usr/sbin/vamilter -p inet:3333@localhost
killall -HUP sendmail [or /etc/init.d/sendmail restart]

The Sendmail+milter configuration works well because Sendmail still handles the incoming and outgoing queues. With the other configurations, Vexira itself controls the SMTP port and either hands the accepted message to Sendmail (or another MTA) listening on another port or pipes it through with the command: sendmail -oem -oi.
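Because F=R turns a stopped filter into rejected mail, it is worth checking the filter socket before you HUP Sendmail. The following is an added example in standard-library Python, not code from Vexira or the Sendmail project: it parses the two configuration lines above (embedded as a constructed fragment), works out what Sendmail would do with mail if the filter were unreachable, and probes the filter's TCP port. Treating a bare timeout number as seconds is an assumption of this example.

```python
"""Check a Sendmail milter definition before restarting Sendmail.

Added example (stdlib Python), not code from Vexira or the Sendmail project.
It parses the X line and InputMailFilters option from the tutorial and, because
F=R makes Sendmail reject connections when the filter is down, probes the
filter socket before you HUP Sendmail.
"""
import re
import socket

# Constructed sendmail.cf fragment: the two lines the tutorial adds.
SENDMAIL_CF = """\
Xvamilter, S=inet:3333@localhost, F=R, T=S:10m;R:10m;E:10m
O InputMailFilters=vamilter
"""

X_LINE = re.compile(r"^X(?P<name>[^,\s]+),\s*(?P<rest>.*)$")
UNITS = {"s": 1, "m": 60, "h": 3600}


def parse_timeout(value):
    """'10m' -> 600.  A bare number is taken as seconds (assumed default)."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.strip())
    if not m:
        raise ValueError("bad timeout %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_milter(cf_text):
    """Return the X-line fields plus whether InputMailFilters enables them."""
    spec = {"name": None, "socket": None, "flags": "", "timeouts": {}}
    enabled = []
    for line in cf_text.splitlines():
        m = X_LINE.match(line)
        if m:
            spec["name"] = m.group("name")
            for field in m.group("rest").split(","):
                key, _, val = field.strip().partition("=")
                if key == "S":
                    spec["socket"] = val
                elif key == "F":
                    spec["flags"] = val
                elif key == "T":
                    # T=S:10m;R:10m;E:10m -> {'S': 600, 'R': 600, 'E': 600}
                    pairs = (t.split(":", 1) for t in val.split(";"))
                    spec["timeouts"] = {k: parse_timeout(v) for k, v in pairs}
        elif line.startswith("O InputMailFilters="):
            enabled = [n.strip() for n in line.split("=", 1)[1].split(",")]
    spec["enabled"] = spec["name"] in enabled
    return spec


def inet_endpoint(spec):
    """'inet:3333@localhost' -> ('localhost', 3333)."""
    proto, _, addr = spec["socket"].partition(":")
    if proto not in ("inet", "inet6"):
        raise ValueError("only inet sockets handled here: " + spec["socket"])
    port, sep, host = addr.partition("@")
    if not sep:
        raise ValueError("expected port@host in " + spec["socket"])
    return host, int(port)


def filter_down_effect(flags):
    """Sendmail's behaviour when the milter is unreachable, per the F= flag."""
    if "R" in flags:
        return "reject"     # F=R: SMTP connections are refused
    if "T" in flags:
        return "tempfail"   # F=T: 4xx, the sending MTA retries later
    return "accept"         # no flag: mail is delivered unscanned


def tcp_listening(host, port, timeout=2.0):
    """True if something accepts TCP connections at host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def safe_to_restart(spec, probe=tcp_listening):
    """(ok, reason): is it safe to HUP Sendmail right now?

    A down filter is never 'ok' here: with F=R mail is rejected, with F=T it
    is deferred, and with no flag it is delivered without being scanned.
    """
    if not spec["enabled"]:
        return True, "filter is not listed in InputMailFilters"
    host, port = inet_endpoint(spec)
    if probe(host, port):
        return True, "%s is listening on %s:%d" % (spec["name"], host, port)
    return False, "filter down: Sendmail would %s mail" % filter_down_effect(spec["flags"])


if __name__ == "__main__":
    milter = parse_milter(SENDMAIL_CF)
    print(milter)
    print(safe_to_restart(milter))
```

Run it on the real host just before the restart step; if it reports the filter down, start vamilter first (or expect every connection to be rejected until you do).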

More configuration options
Additional configuration for Vexira can be done through /etc/vamailarmor.conf or /etc/vamilter.conf. Here you can set options like MaxIncomingConnections, MaxRecipientsPerMessage, and MaxMessageSize. You can also configure notifications here. For both the recipient and sender of a message, Vexira can withhold notification, send notification, or send notification only if the address is local. The postmaster (mail administrator) can also be configured to receive virus alerts. The flags for the above notifications look like this.

In /etc/vamilter.conf these are handled more simply with VirusAlertToRcpt, VirusAlertToSender, and VirusAlertToPostmaster, each set to either YES or NO. Think twice before setting VirusAlertToSender to YES: mass-mailing viruses forge the sender address, so those alerts mostly land on uninvolved third parties and become a nuisance of their own.

Vexira Mail creates directories under /var/spool/vamailarmor or /var/spool/vamilter for incoming, outgoing, and rejected e-mail. A program called vaq resides in /script under your installation directory and can be used to check these message queues. You can run the script or inspect the directories manually if there are problems with mail. Your mail logs (for example, /var/log/mail.log) will also have additional information.

Archives can be set to be scanned with the flag ScanInArchive. Additional options are MaxFilesizeInArchive and MaxRecursionDepthInArchive. These let you specify not only whether archives included in messages are unpacked for scanning, but also whether a maximum file size should be enforced and how many levels of nesting will be followed. The limits matter: an archive nested many levels deep, or one that inflates to far more than its declared size, can otherwise tie up the scanner or exhaust its memory. BlockSuspiciousArchive can be used to block messages that exceed the recursion sanity check.
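To make the recursion and size limits concrete, here is an added example in standard-library Python of the kind of sanity check those options describe. It is not Vexira code: the limit values are assumed policy numbers rather than Vexira defaults, the nested zips it checks are constructed in memory, and the mail_action function models the BlockSuspiciousArchive switch as the text describes it (off: the archive is simply not unpacked further and the message goes on; on: it is blocked).

```python
"""Nested-archive sanity check of the kind the ScanInArchive,
MaxFilesizeInArchive, MaxRecursionDepthInArchive and BlockSuspiciousArchive
options describe.  Added example using only the Python standard library; it is
not Vexira code, and the limits below are assumed policy values, not Vexira
defaults.  Inputs are constructed in memory so it runs offline.
"""
import io
import zipfile

MAX_RECURSION_DEPTH = 3          # assumed MaxRecursionDepthInArchive
MAX_FILE_SIZE = 1 << 20          # assumed MaxFilesizeInArchive: 1 MiB


def build_nested_zip(levels, payload=b"test payload\n"):
    """Constructed test input: a zip inside a zip ... `levels` deep."""
    data, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "level%d.zip" % i
    return data


def scan_archive(data, max_depth=MAX_RECURSION_DEPTH,
                 max_size=MAX_FILE_SIZE, depth=1):
    """Unpack nested zips, returning ('ok', [member names]) or
    ('suspicious', reason) when a sanity limit is hit.

    Nesting is detected by content, not by a .zip extension, because a
    renamed archive is the obvious evasion.
    """
    if depth > max_depth:
        return "suspicious", "nesting depth %d exceeds %d" % (depth, max_depth)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "suspicious", "archive cannot be parsed"
    members = []
    with zf:
        for info in zf.infolist():
            # The central directory's declared size is only a hint: read at
            # most max_size + 1 bytes so a lying header cannot make us inflate
            # more than the policy allows.
            if info.file_size > max_size:
                return "suspicious", "%s declares %d bytes" % (info.filename, info.file_size)
            with zf.open(info) as fh:
                blob = fh.read(max_size + 1)
            if len(blob) > max_size:
                return "suspicious", "%s inflates past %d bytes" % (info.filename, max_size)
            if zipfile.is_zipfile(io.BytesIO(blob)):
                verdict, detail = scan_archive(blob, max_depth, max_size, depth + 1)
                if verdict != "ok":
                    return verdict, detail
                members.extend(detail)
            else:
                members.append(info.filename)
    return "ok", members


def mail_action(verdict, block_suspicious=True):
    """Delivery decision.  With block_suspicious off (the weak setting), an
    archive that trips a limit is simply not unpacked further and the message
    goes on without being fully scanned; on, it is blocked like an infected one."""
    if verdict == "suspicious" and block_suspicious:
        return "block"
    return "deliver"


if __name__ == "__main__":
    for levels in (1, 3, 4):
        verdict, detail = scan_archive(build_nested_zip(levels))
        print(levels, verdict, detail, "->", mail_action(verdict))
```

With the assumed limits, three levels of nesting pass and a fourth trips the depth check; a member that declares (or actually inflates to) more than 1 MiB trips the size check before the scanner has decompressed it in full.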

There are plenty of other options that let you tune how e-mail is handled. Check the configuration files and be sure to read the included documents and man pages. Something like Vexira can be a tremendous help, but as with any new software, it should be well tested in your environment and thoroughly documented if and when you deploy it.

Prevention is the key
E-mail is still the transport mechanism of choice for viruses and worms in today's computing environment. Vexira Antivirus for Mail Servers works to keep infected e-mail from being delivered and offers a level of proactive protection that complements the necessary desktop and server scanners. In cooperation with the local MTA, messages are scanned and either blocked or delivered. While patches and local antivirus software can fix or even stop a local infection, the best bet is always prevention. For those with Linux/UNIX mail servers, Vexira is an excellent option, especially if you're running Milter on Sendmail 8.10 or above.