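Installing Postfix + AntiVir + Amavisd-new on Red Hat Linux 9
Source: www.thismail.org  Author: 易人居士  Date: 2006-10-25 17:29:00
Amavisd-new is an intermediary program between the mail transfer agent (MTA) and anti-virus software. Combined with a virus scanner such as Clam Antivirus or AntiVir, it lets the mail server filter out messages that contain viruses.
Installing it is fairly involved: to scan for viruses it relies on many other modules, such as Rar and Zip, and these must be installed before Amavisd-new.
They are listed below.
1. External programs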
arc-5.21e-6.i386.rpm
arj-3.10-0.1.i386.rpm
freeze-2.5.0-7.i386.rpm
nomarch-1.3-1mdk.i586.rpm
unarj-2.65-3.9.i386.rpm
unrar-3.2.3-2.9.i386.rpm
unzoo-4.4-2.i386.rpm
zoo-2.10-11.9.i386.rpm
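Before installing these packages, you can use rpm -q to check whether your Linux system already ships them. If it does, so much the better: skip them and go on to the following packages.
If not, you can download the rpm packages from http://dag.wieers.com/packages/ and install them directly. You can also download them from each project's own official website.
compress has no rpm package, only a tarball, so it is installed differently from the other packages. The steps are: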
# wget ftp://ftp.warwick.ac.uk/pub/compression/compress-4.0.1.tar.gz
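Extract it into /usr/local/src/compress (you can extract it to any directory you like, including your home directory; /usr/local/src/compress is used here only as an example and is purely a matter of personal preference).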
# mkdir /usr/local/src/compress
# tar -zxvf compress-4.0.1.tar.gz -C /usr/local/src/compress
# cd /usr/local/src/compress
# make
# make install
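OK, the installation is complete.
Assuming all the packages above are now installed, we continue with the installation of the Clamav-related packages.
2. Installing AntiVir
Install antivir-workstation-pers.tar.gz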
# wget http://free-av.com/personal/en/unix/antivir-workstation-pers.tar.gz
# tar -zxvf antivir-workstation-pers.tar.gz
# cd antivir-workstation-pers-2.1.4-20
# ./install
=======================================================
Starting AntiVir MailGate 2.0.3-25 installation...
Before installing this software, you must agree to the terms
of the license. Press to view the license.
The copyright to this software is owned by
H+BEDV Datentechnik GmbH
Tjark Auerbach; Managing Director
Press the space bar a few times to page through the license (omitted here)
Do you agree to the license terms? [n] y (type y and press Enter)
creating /usr/lib/AntiVir ... done
1) installing AntiVir Engine
checking for existing /etc/antivir.conf ... not found
copying bin/antivir to /usr/lib/AntiVir/ ... done
NOTICE: This system has a prelinker. Prelinking the
antivir binary will not work correctly. Either
disable prelinking or add /usr/lib/AntiVir as an
excluded prelink path.
For example, add '-b /usr/lib/AntiVir'
to /etc/prelink.conf
copying vdf/antivir.vdf to /usr/lib/AntiVir/ ... done
copying etc/antivir.conf to /etc/ ... done
Enter the path to your key file: [HBEDV.KEY] (default key file; press Enter)
copying HBEDV.KEY to /usr/lib/AntiVir/hbedv.key ... done
copying script/configantivir to /usr/lib/AntiVir/ ... done
linking /usr/bin/antivir to /usr/lib/AntiVir/antivir ... done
installation of AntiVir Engine complete
2) installing automatic internet updater
An automatic internet updater is available with version 2.0.3-25 of
AntiVir MailGate. This is a daemon that will run in the background
and automatically check for updates (internet access is required).
You may also manually check for updates using:
antivir --update
You do not need to install the automatic internet updater in order
to manually check for updates. Please read the README file for more
information on updates and how they can best suit you.
Would you like to install the automatic internet updater? [n] (press Enter)
automatic internet updater will NOT be installed
3) installing main program
copying doc/avmailgate_de.pdf to /usr/lib/AntiVir/ ... done
copying bin/avgated to /usr/lib/AntiVir/ ... done
copying bin/avgatefwd to /usr/lib/AntiVir/ ... done
copying script/avq to /usr/lib/AntiVir/ ... done
copying script/rc.avgate.redhat to /usr/lib/AntiVir/avmailgate ... done
creating /usr/lib/AntiVir/templates ... done
copying doc/MANUAL to /usr/lib/AntiVir/MANUAL.avmailgate ... done
copying etc/avmailgate.ignore to /etc/ ... done
copying etc/avmailgate.scan to /etc/ ... done
copying etc/avmailgate.warn to /etc/ ... done
creating /var/spool/avmailgate ... done
creating /var/spool/avmailgate/incoming ... done
creating /var/spool/avmailgate/outgoing ... done
creating /var/spool/avmailgate/rejected ... done
Enter the path where the manual pages will be located:
[/usr/share/man]: (accept the default path; press Enter)
copying doc/man/avmailgate.conf.5 to /usr/share/man/man5/ ... done
copying doc/man/avmailgate.8 to /usr/share/man/man8/ ... done
Would you like AvMailGate to start automatically? [y] (press Enter)
setting up startup script ... done
installation of main program complete
4) installing GUI (+ SMC support)
Note: The AntiVir Security Management Center (SMC) requires this
feature, even if you do not intend to use the GUI.
This product comes with a GUI that allows you to monitor realtime
activity, view logs, and configure the product. This tool is optional
(not required) for the product to run.
The GUI requires Java 1.4.0 or higher.
Would you like to install the GUI (+ SMC support)? [n] (press Enter)
checking for existing /etc/avmailgate.conf ... not found
copying etc/avmailgate.conf to /etc/ ... done
GUI will NOT be installed
Note: It is highly recommended that you perform an update now to
ensure up-to-date protection. This can be done by running:
antivir --update
Be sure to read the README file for additional information.
Thank you for your interest in AntiVir MailGate.
=======================================================
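Create the amavis user and the amavis group
# /usr/sbin/adduser -s /bin/false -c "Amavis User" -d /var/amavis amavis
# chown -R amavis:amavis /usr/lib/AntiVir
3. Installing the Perl modules
Amavisd-new depends heavily on Perl: most of it, including its executable, is written in Perl, as the list of Perl modules it requires makes clear.
The official website lists the Perl modules it requires: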
Archive::Tar (Archive-Tar-x.xx)
Archive::Zip (Archive-Zip-x.xx) (1.14 or later should be used!)
Compress::Zlib (Compress-Zlib-x.xx)
Convert::TNEF (Convert-TNEF-x.xx)
Convert::UUlib (Convert-UUlib-x.xxx) (stick to the new versions!)
MIME::Base64 (MIME-Base64-x.xx)
MIME::Parser (MIME-Tools-x.xxxx) (latest version from CPAN - currently 5.415)
Mail::Internet (MailTools-1.58 or later have workarounds for Perl 5.8.0 bugs)
Net::Server (Net-Server-x.xx)
Net::SMTP (libnet-x.xx) (use libnet-1.16 or later for performance)
Digest::MD5 (Digest-MD5-x.xx)
IO::Stringy (IO-stringy-x.xxx)
Time::HiRes (Time-HiRes-x.xx) (use 1.49 or later, some older cause problems)
Unix::Syslog (Unix-Syslog-x.xxx)
BerkeleyDB with bdb library 3.2 or later (4.2 or later preferred)
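These are the basic modules: every one of the Perl modules listed here must be installed before Amavisd-new, without exception.
We can install them through Perl's CPAN. First run the following commands in a terminal window.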
# wget http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/Digest-1.13.tar.gz
# tar zxvf Digest-1.13.tar.gz
# cd Digest-1.13
# perl Makefile.PL
# make
# make install
# wget http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/Digest-MD5-2.33.tar.gz
# tar zxvf Digest-MD5-2.33.tar.gz
# cd Digest-MD5-2.33
# export LC_ALL=C
# echo ${LC_ALL}
C
# perl Makefile.PL
# make
# make install
# wget http://search.cpan.org/CPAN/authors/id/J/JH/JHI/Time-HiRes-1.82.tar.gz
# tar zxvf Time-HiRes-1.82.tar.gz
# cd Time-HiRes-1.82
# perl Makefile.PL
# make
# make install
# /usr/bin/perl -MCPAN -e shell ## before installing, make sure your system locale is not UTF-8
Warning [/etc/inputrc line 11]:
Invalid variable `mark-symlinked-directories'
cpan shell -- CPAN exploration and modules installation (v1.7601)
ReadLine support enabled
cpan>
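Then install the modules listed above:
cpan> install Archive::Tar
cpan> install Archive::Zip
cpan> install Compress::Zlib ( already installed on the system; can be skipped )
cpan> install Convert::TNEF
cpan> install Convert::UUlib
cpan> install MIME::Base64 ( already installed on the system; can be skipped )
cpan> install MIME::Parser ( already installed on the system; can be skipped )
cpan> install Mail::Internet ( already installed on the system; can be skipped )
cpan> install Net::Server
cpan> install Net::SMTP
cpan> install Digest::MD5 ( already installed on the system; can be skipped )
cpan> install IO::Stringy ( already installed on the system; can be skipped )
cpan> install Time::HiRes ( already installed on the system; can be skipped )
cpan> install Unix::Syslog
cpan> install BerkeleyDB
cpan> install Digest::SHA1
============ Optional modules ======================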
cpan> install DB_File
cpan> install Net::DNS
cpan> install Mail::SPF::Query
cpan> install IP::Country
cpan> install Razor2
cpan> install Net::Ident
cpan> install IO::Socket::INET6
cpan> install IO::Socket::SSL
cpan> install DBI
============ Optional modules ======================
cpan> install Mail::SpamAssassin
cpan> exit
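4. Installing and configuring Amavisd-new
With the required packages installed, we can now install Amavisd-new.
First download the latest version of Amavisd-new from http://www.ijs.si/software/amavisd/#download. The version I use here is 2.3.3,
so the file I downloaded is amavisd-new-2.3.3.tar.gz.
I extracted it into /usr/local/src/; extraction automatically creates a directory named amavisd-new-2.3.3 under /usr/local/src,
and all the extracted files are placed in it.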
# tar xzvf amavisd-new-2.3.3.tar.gz
Next, create four subdirectories in its home directory; they are needed when configuring Amavisd-new:
# mkdir /var/amavis/tmp /var/amavis/var /var/amavis/db /var/amavis/home
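For the security of the system and the package, ordinary users must not be able to read or write /var/amavis. Give read and write access on /var/amavis to amavis only,
which just means making amavis the owner of /var/amavis. Run the following commands: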
# chown -R amavis:amavis /var/amavis
# chmod -R 750 /var/amavis
If you are not currently in /usr/local/src/amavisd-new-2.3.3, change into it with the following command:
# cd /usr/local/src/amavisd-new-2.3.3
Copy the amavisd file from there to /usr/local/sbin
# cp amavisd /usr/local/sbin/
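To improve security, make root the owner of the file so that only the superuser can modify it; the file is written in Perl, so it can be viewed with any ordinary text editor.
# chown root /usr/local/sbin/amavisd
Make it executable
# chmod 755 /usr/local/sbin/amavisd
Copy the Amavisd-new configuration file amavisd.conf to /etc so the package can load it at run time.
# cp amavisd.conf /etc/
Make root the owner of /etc/amavisd.conf
# chown root /etc/amavisd.conf
Change its file mode
# chmod 644 /etc/amavisd.conf
Create a directory where amavisd places infected messages for quarantine when it detects a virus; it can also be used to store spam.
# mkdir /var/virusmails
Change the owner of /var/virusmails
# chown amavis:amavis /var/virusmails
Change the mode of /var/virusmails
# chmod 750 /var/virusmails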
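A way to confirm that the ownership and modes set in this section are actually in place, and that nothing inside the quarantine or the amavis home is accessible to other users. This is an added example, not part of the original article; the function names expected_table and audit_perms are made up for it, GNU stat and find are assumed, and the demo tree at the end is constructed in a temporary directory.

```sh
# Added example, not from the original article. GNU stat/find assumed (Linux).
# expected_table prints "path owner mode" for the paths this section sets up.
# $1 = root prefix (empty on a real host), $2 = daemon user, $3 = admin user.
expected_table() {
    cat <<EOF
$1/var/amavis ${2:-amavis} 750
$1/var/virusmails ${2:-amavis} 750
$1/usr/local/sbin/amavisd ${3:-root} 755
$1/etc/amavisd.conf ${3:-root} 644
EOF
}

# audit_perms reads that table on stdin, prints every deviation, returns 1 on any.
audit_perms() {
    rc=0
    while read -r path owner mode; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then echo "MISSING $path"; rc=1; continue; fi
        actual=$(stat -c '%U %a' "$path")
        [ "$actual" = "$owner $mode" ] ||
            { echo "MISMATCH $path: have $actual, want $owner $mode"; rc=1; }
        case $mode in
        *0) # "other" has no access here, so nothing beneath may grant it either
            leaks=$(find "$path" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \))
            [ -z "$leaks" ] || { echo "OTHER-ACCESS under $path: $leaks"; rc=1; } ;;
        esac
    done
    return $rc
}

# Constructed demo tree (not a real host): one quarantined file is world-readable.
demo=$(mktemp -d); me=$(stat -c %U "$demo")
mkdir -p "$demo/var/amavis" "$demo/var/virusmails" "$demo/usr/local/sbin" "$demo/etc"
: > "$demo/usr/local/sbin/amavisd"; : > "$demo/etc/amavisd.conf"
: > "$demo/var/virusmails/virus-sample"
chmod 750 "$demo/var/amavis" "$demo/var/virusmails"
chmod 755 "$demo/usr/local/sbin/amavisd"
chmod 644 "$demo/etc/amavisd.conf" "$demo/var/virusmails/virus-sample"
expected_table "$demo" "$me" "$me" | audit_perms || echo "audit failed (expected for this demo)"
rm -rf "$demo"
```

On the mail server itself, run it as root with no arguments to the table: expected_table | audit_perms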
Now edit the amavisd-new configuration file. Open it with the text editor you prefer:
# vi /etc/amavisd.conf
======================================================
$max_servers = 8;
$daemon_user = 'amavis';
$daemon_group = 'amavis';
$mydomain = 'test.com';  # set your domain name
$MYHOME = '/var/amavis';
$TEMPBASE = "$MYHOME/tmp";
$QUARANTINEDIR = '/var/virusmails';
$db_home = "$MYHOME/db";
$helpers_home = "$MYHOME/var";
$pid_file = "$MYHOME/var/amavisd.pid";
$lock_file = "$MYHOME/var/amavisd.lock";
$inet_socket_port = 10024;
$sa_spam_subject_tag = '***SPAM*** ';
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;  # assigned after $forward_method so it takes that value
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
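( D_DISCARD means discard, D_BOUNCE means a bounce message is sent back, D_REJECT means reject, D_PASS means let through )
At this point the installation is nearly done. You can now run the program and look at its debug output.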
# /usr/local/sbin/amavisd debug
You can also run the program as a specific user, as in the following command:
# /usr/local/sbin/amavisd -u amavis debug
Apr 12 20:20:12 mail.js.act-cn.com /usr/sbin/amavisd[3911]: starting. /usr/sbin/amavisd at mail.js.act-cn.com amavisd-new-2.2.1 (20041222), Unicode aware, LANG=zh_TW.UTF-8
Apr 12 20:20:12 mail.js.act-cn.com /usr/sbin/amavisd[3911]: user=, EUID: 0 (0); group=, EGID: 0 10 6 4 3 2 1 0 (0 10 6 4 3 2 1 0)
Apr 12 20:20:12 mail.js.act-cn.com /usr/sbin/amavisd[3911]: Perl version 5.008005
Apr 12 20:20:12 mail.js.act-cn.com /usr/sbin/amavisd[3911]: INFO: no optional modules: Razor2::Client
Apr 12 20:20:12 mail.js.act-cn.com /usr/sbin/amavisd[3911]: Net::Server: 2005/04/12-20:20:12 Amavis (type Net::Server::PreForkSimple) starting! pid(3911)
Apr 12 20:20:12 mail.js.act-cn.com /usr/sbin/amavisd[3911]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Apr 12 20:20:12 mail.js.act-cn.com /usr/sbin/amavisd[3911]: Net::Server: Setting gid to "507 507"
Apr 12 20:20:12 mail.js.act-cn.com /usr/sbin/amavisd[3911]: Net::Server: Setting uid to "507"
Apr 12 20:20:12 mail.js.act-cn.com /usr/sbin/amavisd[3911]: Net::Server: Setting up serialization via flock
..............
..............
..............
Apr 12 20:20:17 mail.js.act-cn.com /usr/sbin/amavisd[3912]: Net::Server: Child Preforked (3912)
Apr 12 20:20:17 mail.js.act-cn.com /usr/sbin/amavisd[3913]: Net::Server: Child Preforked (3913)
Apr 12 20:20:17 mail.js.act-cn.com /usr/sbin/amavisd[3911]: Net::Server: Parent ready for children.
Apr 12 20:20:17 mail.js.act-cn.com /usr/sbin/amavisd[3912]: TIMING [total 113 ms] - bdb-open: 113 (100%), rundown: 0 (0%)
Apr 12 20:20:17 mail.js.act-cn.com /usr/sbin/amavisd[3913]: TIMING [total 96 ms] - bdb-open: 96 (100%), rundown: 0 (0%)
When the last two lines above appear, the package has generally been installed successfully.
=============== Patching amavis =============================
# cd /usr/local/src/amavisd-new-2.3.3
# patch -p0 < amavisd-new-courier.patch
patching file amavisd
patching file amavisd.conf-sample
The amavisd-new-courier.patch patch shuts down uvsan when amavis is stopped. Without the patch, port 10024 is not released after amavis stops, and starting amavis again reports that another program is using port 10024.
========================================================
Start amavis
# /usr/local/sbin/amavisd -u amavis start
Test with the following command:
# telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
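If this output appears in your terminal, the package is installed successfully.
5. Configuring Postfix with Amavisd-new to filter virus-infected mail
Open Postfix's master.cf in an editor and append the following lines at the end. It is best to copy and paste them into master.cf to reduce the errors that come with typing them by hand. The -o lines must begin with whitespace so that Postfix reads them as continuations of the service line above them.
The lines are: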
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=40
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Save the file and exit the editor, then edit Postfix's other configuration file, main.cf, and add the following line:
content_filter=smtp-amavis:[127.0.0.1]:10024
Reload the Postfix configuration
# /etc/init.d/postfix reload
Run the following test command
# telnet 127.0.0.1 10025
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 yourhost.example.com ESMTP Postfix
--> quit
221 Bye
Connection closed by foreign host.
If the output above appears, the configuration succeeded and the setup is ready to use.
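The 10025 listener accepts mail without running the content filter again, so its settings decide whether unscanned mail can reach it. The following check of a master.cf is an added example, not part of the original article: the function name audit_reinject and the sample file are constructed here, and the checks cover only the bind address and the three -o overrides named in the messages.

```sh
# Added example, not from the original article: audit the re-injection listener
# in a Postfix master.cf. $1 = path to the file; returns 1 if any check fails.
audit_reinject() {
    awk '
    function bad(msg) { print "FAIL: " msg; rc = 1 }
    function flush(   f) {            # examine one complete logical entry
        if (entry == "") return
        split(entry, f)
        if ((f[1] == "10025" || f[1] ~ /:10025$/) && f[2] == "inet") {
            found = 1
            if (f[1] !~ /^(127\.0\.0\.1|localhost|\[::1\]):/)
                bad("listener " f[1] " is not bound to loopback")
            if (entry !~ /-o content_filter=( |$)/)
                bad("content_filter is not cleared, filtered mail would loop")
            if (entry !~ /-o mynetworks=127\.0\.0\.0\/8( |$)/)
                bad("mynetworks is not limited to 127.0.0.0/8")
            if (entry !~ /-o smtpd_recipient_restrictions=permit_mynetworks,reject( |$)/)
                bad("recipient restrictions are not permit_mynetworks,reject")
        }
        entry = ""
    }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    /^-o/     { bad("line " NR ": -o at column 0 starts a new entry, indent it"); next }
    /^[ \t]/  { sub(/^[ \t]+/, ""); entry = entry " " $0; next }   # continuation
              { flush(); entry = $0 }             # a new service line
    END       { flush(); if (!found) bad("no inet listener on port 10025"); exit rc + 0 }
    ' "$1"
}

# Constructed sample: the listener has lost its 127.0.0.1 bind address.
sample=$(mktemp)
cat > "$sample" <<'EOF'
10025 inet n - n - - smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
EOF
audit_reinject "$sample" || echo "audit failed (expected for this sample)"
rm -f "$sample"
```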
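If you want to go further and check that your mail server really scans for viruses through amavisd-new, run the following test.
Testing virus scanning
From a user on another mail system, send a message to a user on this system containing the following: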
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
If that user receives a message with a virus warning, virus filtering is working!