Using MailScanner with Qmail

(How to configure MailScanner to work with Qmail)


Version

Number

date

author

comments

0.1

15/03/04

Vicente Jimenez Aguilar

Quick, quick! I wanna be the first!

0.2

15/03/04

Vicente Jimenez Aguilar

Minor corrections.

0.3

16/03/04

Tim McQuaid

English corrections.

0.4

05/04/04

Tim McQuaid / Vicente

More english corrections (what a bad english!).



You can always find the lastest version of this document at:

http://www.v1ce.net/maildocs/MailScanner-Qmail.html (HTML version)

http://www.v1ce.net/maildocs/MailScanner-Qmail.pdf (PDF version)

Introduction

After the last spread of worms viruses on the internet that use the SMTP protocol directly, those which fake sender and those which generate destination randomly (or both), my Qmail mail server gives a rate of a thousand infected mails per day without counting the "bounce bounced" error messages that Qmail reports.

So I need an antivirus for my mail server in order not to answer faked sources and for my users and I to avoid receive a lot of infected mails. Looking around the internet, I spotted an interesting open source and free antivirus ClamAV (http://www.clamav.net/) and I installed it on my system. The problem is that any antivirus that we can use, needs an interface program to work with our mail server. I first tried AMaViS (http://www.AMaViS.org/), specifically AMaViS-ng. After compiling a wrapper for the SUID problem with Perl scripts, fixing the memory requirement in the startup scripts and installing some missing perl modules, I ended up with a library problem that I have no idea how to solve. So I looked back on the Internet for other options.

Specifically for Qmail there is Qmail-Scanner (http://qmail-scanner.sourceforge.net/), with more functionality than AMaViS but I also found MailScanner (http://www.mailscanner.info), and I fell in love. I didn't even try to install Qmail-Scanner. I wanted MailScanner to be in my system. But, after reading the list of supported MTA, horror of horrors! Sendmail, Postfix, Exim, ZMailer, but no mention of Qmail! Luckily there's some mention of a preliminary Qmail support in the changelog file, but there's no information at all on how to get it to work. For that reason, I could only follow the code (thanks it's being open source) and try to figure out the correct configuration.

Start

First, you need to have a working mail transfer agent (MTA). In this HowTo, we'll asume that you have a working Qmail. If you need more information about Qmail visit the original site http://cr.yp.to/qmail.html and the extensive http://www.qmail.org/. For a good start and installation guide visit http://www.lifewithqmail.org/ .

This document supposes that your Qmail instalation directory is /var/qmail/ and that you have at last one working antivirus also (ClamAV for my system).

Download MailScanner

Download the latest version of MailScanner. Support for Qmail start with version 4.27.7 if you have an older version, you don't have the MailScanner::Qmail.pm and MailScanner::QMDiskStore Perl modules needed to work correctly with Qmail. Actually, there's only a beta support for the Qmail MTA.

Install MailScanner

Install as documented (http://www.sng.ecs.soton.ac.uk/mailscanner/install/) on /opt/MailScanner/

Install special qmail-queue

In the docs/qmail subdirectory of the distribution you can find a zip file named qmail-queue.zip. Unzip it and you have the adapted qmail-queue and it's source code. I copied the executable to /var/qmail/bin with the name qmail-queue.in (because it puts mail in a directory named queue.in), rename the original qmail-queue as qmail-queue.orig and made qmail-queue a symbolic link just to permit a quick switch between both versions until I have MailScanner completly working. Pay special atention to copy the permisions from the original qmail-queue program.

chown qmailq.qmail qmail-queue.in && chmod 4711 qmail-queue.in

Create needed directories

create /var/qmail/queue.in directory with intd, mess, pid, and todo subdirectories (I don't know if it can work with less). I also create another level of hash subdirectory (like in the original mess directory) because I don't know if qmail-queue can create them. Change ownership to qmailq user and qmail group:

chown -r qmailq.qmail /var/ qmail/queue.in

Thise are the directories that the special version of qmail-queue use.

create /var/spool/MailScanner/incoming and /var/spool/MailScanner/quarantine directories and change ownership to qmailq user and qmail group.

Edit ConfigDefs.pl

Edit /opt/MailScanner/lib/MailScanner/ConfigDefs.pl

under [Simple,Number]

add a line:

qmailhashdirectorynumber 23 # The outgoing Queue Directory Hash Number

with the correct number of hash subdirectories that your Qmail queue uses.

Edit MailScanner.conf

Edit the /opt/MailScanner/etc/MailScanner.conf:

Don't forget to change the %org-name% parameter!



Run As User = qmailq

Run As Group = qmail

# Those privileges are needed to mess with the queue of the Qmail MTA.



Incoming Queue Dir = /var/qmail/queue.in/mess

# This is where the special version of qmail-queue included with MailScanner

# put the incoming mails.



Outgoing Queue Dir = /var/qmail/queue/mess

# This is the usual path to store mail for qmail-send process delivery.



# Set Hash Directories value (conf-split) for Qmail

Qmail Hash Directory Number = 23

# This number must be equal to the number of subdirectories that you find in /var/qmail/queue/mess.



MTA = qmail

# very important! Needed to require the correct Qmail Perl modules:

# MailScanner::Qmail.pm and MailScanner::QMDiskStore.



Running

Execute MailScanner after checking the configuration and that's all!

I hope this document helps you.

Problems

Thanks to

Julian Field for creating the great mail scanner MailScanner (http://www.mailscanner.info).

opencomputing (http://www.opencompt.com/) for creating Openprotect (http://opencomputing.sourceforge.net/) and for their adaptation of MailScanner to Qmail. Patching qmail-queue and writing of MailScanner::Qmail.pm and MailScanner::QMDiskStore Perl modules.

Tim McQuaid for trying to teach me some english ;)


No illegal software were used to write this document. Made with OpenOffice 1.1 (http://www.openoffice.org)