postfix logo Postfix-jp
- Postfix - AMaViS - Sweep HOWTO
Modified: 25 Oct., 2002 [Japanese Page]


Home > Postfix - AMaViS - Sweep HOWTO


This HOWTO was contributed by Shannon Lekas (Shannon.lekas-at-flyingmug.com).


This document is fairly rough...and done post install... hopefully I didn't miss anything. The system is RedHat 7.3 with up2date run consistently (including kernel updates). I am running Sophos sweep as a virus scanner but the amavis package listed below supports about 11 different scanners. This document assumes you already have postfix running and you already have sophos installed. I would suggest using a wget command in a script that runs from cron to get the new sophos IDE files once a week or more. These are the packages I needed to do the Install. I do not want to host these rpm's but I have them on a cd and if someone wants to host it I will ftp/email them to you. Alternately you can just search for the exact name below in www.google.com and you will find most of them on rpmfind.net and some others on random sites.

amavisd-postfix-20010714-3rm.i386.rpm  
perl-Convert-UUlib-0.212-1.noarch.rpm
arc-5.21e-4.i386.rpm                   
perl-IO-stringy-2.108-1.i386.rpm
perl-MailTools-1.50-1.noarch.rpm
db3x-3.2.9-4.i386.rpm                  
perl-MIME-tools-5.411-2.noarch.rpm
lha-1.14i-4.2rm.i386.rpm               
perl-TimeDate-1.10-14.i386.rpm
ncompress-4.2.4-1cl.i386.rpm           
perl-Unix-Syslog-0.98-1.noarch.rpm
perl-Archive-Tar-0.22-10.i386.rpm      
unarj-2.43-10.i386.rpm
perl-Archive-Zip-1.00-1.i386.rpm       
unrar-2.71-1.1rm.i386.rpm
perl-Compress-Zlib-1.16-1.i386.rpm    
xbin-2.3-4.i386.rpm
perl-Convert-TNEF-0.17-1.noarch.rpm    
zoo-2.10-7.i386.rpm

Once you have downloaded all the packages begin to install them installing the amavis rpm last (if you don't you will get dependency errors).

$rpm -Uvh packagename.rpm

Note there are other packages needed, but these were all I was lacking. If you have trouble contact me and I will send you an rpm -qa extract to compare against my system (Shannon.lekas-at-flyingmug.com). Be sure to run up2date after you are done installing and some of the Redhat built rpms will be updated. Finally install the Amavis rpm.

$rpm -Uvh amavisd-postfix-20010714-3rm.i386.rpm

You should have no errors at this point. Note if you get a %pre-scriplet error% there is an easy solution... that took FOREVER TO FIGURE OUT!!! Open linuxconfig and change the UID of whatever users has UID of 77. The amavis rpm creates a user called vscan and if UID 77 is already utilized the rpm will fail. After you change the UID the RPM will install without issue. Now execute this command.

$Service amavisd start

This will start the daemonized version of amavis that the rpm installed. Note that this rpm package already installed the vscan user with a default shell of failed. This will prevent anyone from logging into a telnet session or console with this ID.

Next modify amavisd.conf file.

$vi /etc/amavisd.conf

You will notice that the config files says

# amavisd (snapshot-20010714) was configured for use with:
# ALL

This means that you will not have to recompile amavis to work with the various antivirus scanners. Like I mentioned before I use sweep. So I removed the entry in the HBEV path "/usr/bin/antivirus" and changed it to ""

# H+BEDV AntiVir
$antivir = "";

Next I inserted the path to my sophos antivirus binary.

# Sophos Anti Virus (sweep)
$sophos = "/usr/local/bin/sweep";
$sophos_ide = "/usr/local/sav";

If you have installed sophos in a different directory or the IDE files in a different directory make the appropriate change. The key here is to make sure that all antivirus scanners have a "" in the path except the scanner you want to use.

Now I would suggest changing the logging so you know whats happening.

$DO_SYSLOG = "yes";

# Directory to put log entries (if not using syslog)
$LOGDIR = "/var/spool/vscan/amavis";
$LOGFILE = "amavis.log";

# 0: default - startup/exit/failure messages
# 1: args passed from client
# 2: virus scanner output
# 3: server client
# 4: decompose parts
$log_level = 4;

Setting syslog = yes means the amavis log entries will be in /var/log/messages. You can open a second ssh session to the box and execute the command to watch what happens.

$tail -f /var/log/messages

Setting the log_level = 4 means you will get very detailed log messages.

Once you have made these changes execute the following

$service amavisd restart

you will see the new logging take effect in the /var/log/messages file as your tailing it.

Now on to postfix.....

We have to get the mail from postfix to amavis and sweep. This took some time for me to figure out...and this may not be perfect but it works....if someone has a better suggestion for this please send and email to me.

$vi /etc/postfix/main.cf

Add the following lines to the bottom of the file.

content_filter = vscan:[127.0.0.1]:10025

This will tell postfix to do a content filter using the user vscan on the localhost port 10025.

Save and Exit.

Now edit the Master.cf file

$vi /etc/postfix/master.cf

Add the following two lines at the bottom of the file.

vscan            unix  -  n  n  -  10  pipe user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}

localhost:10025  inet  n  -  n  -  -   smtpd -o content_filter=

Save and Exit.

Execute the command

$postfix reload

postfix will refresh its settings and you will be ready to go at this point. If you are tailing the maillog file you will see the refresh.

$tail -f /var/log/maillog

You can now send an email to yourself and you will see an entry in the maillog file where the mail was received. Then you will see and entry where the mail is relayed to the amavis transport. At this point you will see and entry in the /var/log/messages file that says sweep is scanning and then pass the file back to postfix for delivery.

If you go to www.eicar.com and download the test virus and email it to yourself you will see the /var/log/messages file output a line that says virus found. At that point a warning email will be generated.

Things to note. I run a comprehensive body checks on my server as well. I do this to prevent unnecessary processing by the virus scanner. For example. I do not allow raw executables to be mailed on my server. Ie, .exe, .com, .vbs etc. Body checks happens before inbound or outbound mail is virus scanned. So if a virus does come through and it's a simple executable body checks will kick it back saying this attachment type is not allowed on the server. Contact me if you want a copy of my body_checks file. Ie. The file never has to make it to the virus scanner and waste processing cycles.

Hope this helps.

Shannon