Virus scanning with Qmail

Concerned about spreading e-mail viruses with Linux? Scare up a scanning agent. Vincent Danen shows you how to install AMaViS under Qmail in this Daily Drill Down.

There’s no quicker way to ruin your day than to let your e-mail server propagate viruses. Fortunately, there are several tools available to help ensure your Linux servers refrain from doing just that.

In previous Daily Drill Downs, I described the Qmail e-mail server ("An overview of Qmail, part 1: Installing Qmail" and "An overview of Qmail, part 2: Configuring Qmail") as an alternative to the postfix and sendmail mail servers. Qmail is a high-capacity, scalable mail solution that runs under Linux and other UNIX variants. It can be used as a single-user MTA solution or as a full-blown enterprise mail system.

With the proliferation of e-mail viruses, many ISP and company-run mail server administrators are reviewing the attachment-filtering and scanning options that exist at the mail-server level. While Linux virus scanners are not as numerous as those for Windows, there are commercial virus-scanning solutions available. Integrating the virus scanner into Qmail at the queuing level can be a challenge, but the end result is a server that scans for viruses on every incoming and outgoing message.

In this Daily Drill Down, I will show you how to install the AMaViS wrapper program based on the usage of the Sophos Anti-Virus solution, but you may choose to use a different virus scanner. I’ll also discuss other Linux virus-scanning options.

Choosing a virus scanner
Removing viruses before the offending message is even delivered to a client system minimizes the risk that it will be spread. So even if Outlook users tend to open and run every virus that hits their system, by including a wrapper program with an antivirus solution in Qmail, you can reduce infections in your enterprise. If every mail server on the Internet scanned for viruses at a server level, the spread of such viruses would greatly decrease.

Configuring the wrapper script to run the antivirus program on Qmail is the easy part. The more challenging activity is finding an appropriate antivirus solution. With the selection of scanners varying significantly in price, it is probably best to research and sample as many of them as you can before settling on a solution. The most expensive may not necessarily be the best for your needs, and the cheapest may actually work better. Another important factor to keep in mind is the speed of the scanning. If the scanner takes two seconds to scan an e-mail and your site has high traffic, you may encounter a significant slowdown in your e-mail processing time. This is another reason you will want to experiment with the different scanners before making the final decision.

Author's note
You may also want to invest in additional system horsepower. Qmail itself doesn’t require anything fancy, but scanning each message that enters and exits a system can have a big impact on performance.

Sophos, the virus scanner I will use in this example, has probably the best customer technical support system out of any of the vendors, and the cost involved is more for the support than for anything else. However, it’s also perhaps the most expensive virus-scanning solution available. When inquiring about Sophos, I was quoted a price for a single server license of almost $1,500 for a one-year license. You can download Sophos Anti-Virus from its Web site for evaluation purposes. The file you will need is linux.intel.libc6.tar.Z, which is for Linux Intel systems running glibc2.1 or higher.

There are other solutions, though. Computer Associates has its own virus scanner called InoculateIT that works for many operating systems, including Linux. You can grab the file, inoctar.LINUX.Z, from this site. For more information on InoculateIT, visit the Computer Associates site. InoculateIT for Linux and UNIX is freely available, and you can use it without cost. You will need to agree to the displayed license the first time you run the program, so you will want to make sure you run it once before you implement it using AMaViS.

F-Secure Inc. also has a virus scanner called F-Secure AV, which can be used with AMaViS. To test this product, you need to contact F-Secure Inc. with a request for an evaluation copy, as no trial version is available. The latest version of F-Secure AV is 5.21 for Windows, but there is no 5.x version of F-Secure AV for Linux. You can order an evaluation CD for the Linux Workstation and Server Version 4.09, though. A single F-Secure AV license for Linux is $125, and you can purchase workstation licenses for five, 10, 25, or more workstations. You can get more information on F-Secure from its site.

The VFind Security ToolKit from CyberSoft is also available for Linux systems. It prices out at $695 with a maintenance fee of $139/year for updates over the Internet. There is no evaluation version, but it sounds promising. CyberSoft supports the widest range of UNIX systems of any vendor.

Another antivirus option is the Kaspersky Labs Anti-Virus (AVP) package. It works as both a scanner that you can plug into AMaViS and a daemon that monitors your system for viruses in real-time mode. It is available for $560, which includes a one-year license for a single server.

Yet another option is H+BEDV AntiVir/X. This scanner can be used for free in a noncommercial environment. To obtain your free license, send an e-mail with your name and address and mention that you want to use AntiVir/X exclusively on your personal system. You will then receive a license via e-mail. There is a version for Linux servers and another for e-mail servers. Either version will work with AMaViS.

You can also use VirusScan from Network Associates, formerly McAfee. The trial version can be used freely for 30 days, but then it must be registered. You will need to fill out some personal information before downloading the evaluation version.

Author's note
To integrate the virus scanner at the mail level, you will need a wrapper program to do the actual work. One that I’ve found to work amazingly well is AMaViS. There are others, such as Qmail-scanner, but AMaViS is the easiest to set up and works well without requiring you to patch Qmail. AMaViS also works with other popular mail server packages such as sendmail, postfix, and exim. I used AMaViS in my example of how to install and use a wrapper program.

Installing AMaViS
Before proceeding with the wrapper program installation, you should first install a virus scanner. I will explain how to install the AMaViS wrapper program based on the assumption that you are using Sophos Anti-Virus and have already installed it into the /usr/local directory tree, which is the default install location for Sophos Sweep.

When installing AMaViS, you can either install the older AMaViS 0.2.1 or go with the newer AMaViS-Perl program. AMaViS-Perl is simply a rewrite of AMaViS in Perl, which includes some new features and performance improvements. To begin, decide which version you are going to use and download the appropriate file: amavis-0.2.1.tar.gz for the older AMaViS or amavis-perl-11.tar.gz for the new AMaViS-Perl. Either option works well.

The configure options for AMaViS and AMaViS-Perl differ, so we will take a look at AMaViS first. Prior to installing AMaViS, you must first install the tnef program. Once that is installed, you can use this to unpack and configure AMaViS for Qmail.

This tells AMaViS that you want to enable Qmail support and disable syslog logging, which is the default when you select the Qmail MTA. You also want to use /var/amavis/virusmail as the directory in which to quarantine viruses and install man pages in /usr/man so they are globally accessible. You also want to install AMaViS in the /usr/local directory tree to match your virus scanner installation location. You are also telling AMaViS that the Sophos IDE files are stored in /usr/local/lib, which is the default location for Sophos Sweep to install its identity files.

If you want to use AMaViS-Perl, the instructions are slightly different, requiring a few additional programs and Perl modules. You will need to install the ARC archiver package and the zoo archiver. You will also need the LHa archiver. You will need to install the unrar program, which unpacks RAR archives. (Remember that these programs are not necessary if you use the older AMaViS program.)

You must also make sure you have the correct Perl modules available on the system. You will need the following Perl modules: IO::Stringy, Syslog, MailTools, MIME::Base64, MIME::tools, Convert::UUlib, Convert::TNEF, Compress::Zlib, Archive::Tar, Archive::Zip, and libnet. All of these modules can be found on CPAN. If you have the CPAN module installed, you can install the modules using the CPAN shell by launching:
perl -MCPAN -e shell

Then you can tell it to install any missing modules by using:
install Unix::Syslog
install Convert::UUlib
install Convert::TNEF
install Compress::Zlib
install Archive::Tar
install Archive::Zip
install G/GB/GBARR/MailTools-1.15.tar.gz
install MIME::Tools
install Bundle::libnet
exit


This will compile and install the required Perl modules on your system. Some vendors ship many of these modules as RPM packages, but if this is not the case, you will have to download and manually install them or use the CPAN shell to do so. On the Linux-Mandrake 8.0 system on which I am installing this, I only had to install Unix::Syslog, Convert::UUlib, Compress::Zlib, Convert::TNEF, Archive::Tar, and Archive::Zip; the other modules were already installed.
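Before launching the CPAN shell it is worth knowing which of the modules above are actually absent, so that only those get fetched and compiled. The following script is an added example, not code from the article or from the AMaViS project. The article names some entries by CPAN distribution (MailTools, MIME-tools, libnet, IO::Stringy); the list below probes each distribution through one module it installs (Mail::Internet, MIME::Tools, Net::SMTP, IO::Stringy), which is an assumption about what AMaViS-Perl loads rather than a list taken from it.

```shell
#!/bin/sh
# Pre-flight check for the Perl modules AMaViS-Perl needs (added example).
# Distribution names from the article are mapped to one representative
# module each; that mapping is an assumption, not AMaViS-Perl's own list.
AMAVIS_PERL_MODULES="Unix::Syslog Convert::UUlib Convert::TNEF Compress::Zlib \
Archive::Tar Archive::Zip Mail::Internet MIME::Tools MIME::Base64 IO::Stringy Net::SMTP"

# missing_perl_modules MODULE...
# Tries to load each module with the system perl; prints the names that
# fail to load, one per line. Returns 1 if any were missing, 0 otherwise.
missing_perl_modules() {
    rc=0
    for mod in "$@"; do
        if ! perl -M"$mod" -e 1 >/dev/null 2>&1; then
            echo "$mod"
            rc=1
        fi
    done
    return $rc
}

# cpan_install_lines MODULE...
# Turns the missing modules into "install Foo::Bar" lines that can be
# pasted into (or piped to) the CPAN shell, so nothing already present
# is rebuilt.
cpan_install_lines() {
    missing_perl_modules "$@" | while read -r mod; do
        echo "install $mod"
    done
}

# Typical use on the mail server (the variable is deliberately unquoted so
# the shell splits it into one argument per module):
#   missing_perl_modules $AMAVIS_PERL_MODULES
#   cpan_install_lines $AMAVIS_PERL_MODULES | perl -MCPAN -e shell
```

Running the second usage line hands the generated install commands straight to the CPAN shell; run the first one on its own first if you prefer to see what would be built.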

Once you have installed the archivers and Perl modules, you will be able to configure AMaViS-Perl by using this code.

The configure program in AMaViS-Perl has a few more intelligent defaults. For instance, you do not need to specify the Sophos Sweep IDE directory, as it will find it on its own. The only difference here is pointing to the Perl binary file with the "--with-perl" option.

Regardless of which version of AMaViS you are installing, you should then be able to execute:
make
make install


AMaViS and AMaViS-Perl install slightly differently. Let's take a look at AMaViS-Perl first. It creates the chosen directories for you and gives them the proper permissions. All you need to do now is integrate the sole file created by the install, /usr/local/sbin/amavis, into your Qmail system. The AMaViS program replaces the /var/qmail/bin/qmail-queue program, so execute these commands as root:
cd /var/qmail/bin
mv qmail-queue qmail-queue-real          # keep the real queue program under a new name
cp /usr/local/sbin/amavis qmail-queue    # the AMaViS-Perl script installed above takes its place
chown qmailq:qmail qmail-queue           # same owner and group as the original qmail-queue
chmod 4711 qmail-queue                   # setuid qmailq, as the original was


If you are going to use the AMaViS 0.2.1 program, however, you will need to do a couple of different things. Instead of generating a /usr/local/sbin/amavis program, a /usr/local/sbin/scanmails program will be installed. This must be integrated into Qmail to replace qmail-local and qmail-remote. As root, execute the following commands:
cd /var/qmail/bin
mv qmail-local qmail-local-real      # preserve the real local delivery program
mv qmail-remote qmail-remote-real    # and the real remote delivery program
ln -s /usr/local/sbin/scanmails qmail-local     # scanmails stands in for both
ln -s /usr/local/sbin/scanmails qmail-remote    # delivery programs


After this is done, you must restart Qmail, regardless of whether you use AMaViS or AMaViS-Perl. Try sending a message to yourself, just to make sure that Qmail is delivering and receiving mails properly.
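Because a wrong mode or owner on qmail-queue, or a symlink pointing at the wrong place, will silently stall or break delivery, it helps to check the file layout before restarting Qmail. The script below is an added example, not code from the article or from AMaViS. It assumes exactly the layout described above: for AMaViS-Perl, qmail-queue-real next to a setuid (mode 4711) qmail-queue owned by qmailq; for AMaViS 0.2.1, qmail-local and qmail-remote as symlinks to scanmails with the originals renamed to *-real. The directory, expected owner and scanmails path are parameters so the checks can also be exercised against a scratch directory.

```shell
#!/bin/sh
# Post-install sanity check for the two Qmail integrations described above
# (added example, not part of the article or of AMaViS).

# check_qmail_queue_wrapper BINDIR OWNER
# Verifies the AMaViS-Perl layout. Returns 0 if sound; otherwise prints one
# line per problem on stderr and returns 1.
check_qmail_queue_wrapper() {
    bindir=$1
    owner=$2
    rc=0
    if [ ! -x "$bindir/qmail-queue-real" ]; then
        echo "missing or non-executable $bindir/qmail-queue-real" >&2
        rc=1
    fi
    if [ ! -f "$bindir/qmail-queue" ]; then
        echo "missing $bindir/qmail-queue" >&2
        return 1
    fi
    # ls -ld prints the mode string first and the owner third. Mode 4711
    # (setuid, owner rwx, others x) renders as -rws--x--x, possibly with a
    # trailing . or + when ACLs or security labels are present.
    set -- $(ls -ld "$bindir/qmail-queue")
    case $1 in
        -rws--x--x*) ;;
        *) echo "qmail-queue has mode $1, expected 4711 (-rws--x--x)" >&2; rc=1 ;;
    esac
    if [ "$3" != "$owner" ]; then
        echo "qmail-queue is owned by $3, expected $owner" >&2
        rc=1
    fi
    return $rc
}

# check_scanmails_links BINDIR SCANMAILS
# Verifies the AMaViS 0.2.1 layout: both delivery programs renamed to *-real
# and replaced by symlinks to the scanmails wrapper.
check_scanmails_links() {
    bindir=$1
    scanmails=$2
    rc=0
    for prog in qmail-local qmail-remote; do
        if [ ! -x "$bindir/$prog-real" ]; then
            echo "missing or non-executable $bindir/$prog-real" >&2
            rc=1
        fi
        if [ ! -L "$bindir/$prog" ]; then
            echo "$bindir/$prog is not a symlink" >&2
            rc=1
            continue
        fi
        target=$(readlink "$bindir/$prog")
        if [ "$target" != "$scanmails" ]; then
            echo "$bindir/$prog points at $target, expected $scanmails" >&2
            rc=1
        fi
    done
    return $rc
}

# On a live system, run as root after the swap and before restarting Qmail;
# the exit status says whether the layout matches:
#   check_qmail_queue_wrapper /var/qmail/bin qmailq
#   check_scanmails_links /var/qmail/bin /usr/local/sbin/scanmails
```

Only one of the two checks applies to a given server, depending on which AMaViS version you installed; the other will report missing files, which is expected.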

Both AMaViS and AMaViS-Perl should work fine after installation. I have found that AMaViS is faster than AMaViS-Perl and perhaps a little more reliable. On a glibc 2.2 system, there were problems with Perl being unable to allocate enough memory, and thus incoming messages were deferred, while outgoing messages were properly processed. I have no idea why this happened, considering the test machine had 512 MB of physical RAM. Using AMaViS 0.2.1, I did not encounter this problem. The other advantage of using AMaViS over AMaViS-Perl is you don’t need to install a lot of additional software that may prove ridiculous. I mean, really, how many people use ARC or LHa archives these days? If you've never heard of them before today, my point is proven. They are old and ancient archivers, predecessors of archivers like PKZIP and ARJ.

Conclusion
Although few viruses target Linux specifically, including a virus scanner at the mail-server level is a good idea. It protects your mail server, and it protects your clients. If you use Linux for your own workstation or desktop, you probably don't need to worry about Linux viruses, as they are few and far between. There are more Trojans and rootkits for Linux than viruses. However, as Linux enjoys an increase in popularity, there is a distinct possibility that more Linux viruses will crop up in the future. Thus, finding a good antivirus solution for your workstation may become a necessity.

For those who want to protect their own home LAN from viruses, using Qmail with a cheap or free virus scanner like VirusScan or AntiVir/X might be appropriate, as they are good scanners at a lower cost. For the more expensive packages, you tend to pay more for the support and updates provided, but the high cost is probably more than any home user would want to bear for an antiviral solution.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.