Spam & Virus filtering in a FreeBSD jail
Ruben de Groot, 11-6-2004

This howto describes how to set up basic spam and virus filtering in a FreeBSD jail using Sendmail, Spamassassin and Clamav. The main concerns here are performance and maintainability. This document does not cover creating the jail itself; that is well covered in the jail(8) manpage.

Basic tools
Starting with a virgin jail we install the two basic tools needed to administer a FreeBSD installation.
   # pkg_add -r cvsup-without-gui
   # pkg_add -r portinstall
Now edit the file /usr/share/examples/cvsup/ports-supfile and look for the line:
   *default host=CHANGE_THIS.FreeBSD.org
Change the hostname to that of a mirror close to you. In the Netherlands, for example, you would use something like cvsup.nl.freebsd.org. Now you can install the latest version of the ports tree, simply by issuing the command
   # cvsup /usr/share/examples/cvsup/ports-supfile
Installing the filters
After the above steps, installing the spam and virus filters is very straightforward:
   # portinstall mail/spamass-milter
   # portinstall -M WITH_MILTER=yes security/clamav
When all goes well, 5 new startup scripts will have been dropped into the /usr/local/etc/rc.d directory:
   clamav-clamd.sh
   clamav-freshclam.sh
   clamav-milter.sh
   spamass-milter.sh
   spamd.sh
These scripts depend on certain variables, read from /etc/rc.conf. Add these variables to this file, substituting www.xxx.yyy.zzz with the IP address of your jail (this is necessary because spamd normally only trusts connections from 127.0.0.1):
   spamd_enable="YES"
   spamd_flags="-a -c -d -A www.xxx.yyy.zzz -r /var/run/spamd.pid"
   spamass_milter_enable="YES"
   clamav_clamd_enable="YES"
   clamav_freshclam_enable="YES"
   clamav_milter_enable="YES"
   clamav_milter_flags="-C -N -q"
Configuration of Spamassassin
By default, Spamassassin uses only one configuration file, located at /usr/local/etc/mail/spamassassin/local.cf. Copying the local.cf.sample file that came with the installation will get you a default configuration. For the various tweaks and knobs you might want to use, read the file itself or the excellent documentation provided by the command
   # perldoc Mail::SpamAssassin::Conf
Spamassassin can be easily extended with custom rulesets; just dropping *.cf files in the above-mentioned directory will provide extra functionality. A good starting place for finding custom rulesets is this website.

Configuration of Clamav
There's not a whole lot to configure for clamav. Most tweakable knobs are in the /usr/local/etc/clamav.conf configuration file. And there's a manpage clamav.conf(5) explaining them in detail.
Some options you might want to look at and change from their default settings are "LogSyslog" and "LogFacility LOG_MAIL" (enable those two!), "StreamSaveToDisk" (ditto) and the "Clamuko*" options (disable these; this is highly experimental and only works on Linux anyway).

Configuration of Sendmail
Now all you have to do is make sendmail aware of the two "milters" it has to run its mail through. To do this, first go to the /etc/mail directory. Copy the freebsd.mc file to <your-host-name>.mc and edit the copy. After the last FEATURE line, but before the MAILER lines, insert the following:
   INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, T=C:15m;S:4m;R:4m;E:10m')
   INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, T=S:4m;R:4m')
Type make && make install && make restart to let sendmail pick up these configuration changes.
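
A pre-restart check for the configuration described above, as an added example that is not part of the original howto: check_mc verifies that both INPUT_MAIL_FILTER lines sit after the last FEATURE line and before the first MAILER line, and check_rc verifies the /etc/rc.conf variables. The function names, the minimal .mc sample and the temporary paths are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample values are constructed.
# check_mc FILE: both milters declared after the last FEATURE line and before the first MAILER line.
check_mc() {
    awk '
        /^[ \t]*dnl/              { next }            # skip m4 comments
        /^[ \t]*FEATURE\(/        { feature = NR }    # last FEATURE wins
        /^[ \t]*MAILER\(/         { if (!mailer) mailer = NR }
        /^[ \t]*INPUT_MAIL_FILTER\(/ {
            if (!first) first = NR
            last = NR
            if ($0 ~ /spamass-milter\.sock/) spam = 1
            if ($0 ~ /clmilter\.sock/)       clam = 1
        }
        END {
            if (!spam) { print "spamass-milter filter missing"; bad = 1 }
            if (!clam) { print "clamav-milter filter missing";  bad = 1 }
            if (first && first < feature) { print "filter before FEATURE, line " first; bad = 1 }
            if (mailer && last > mailer)  { print "filter after MAILER, line " last;   bad = 1 }
            exit bad + 0
        }' "$1"
}

# check_rc FILE: the five *_enable variables are YES and spamd_flags has -A.
check_rc() {
    rc=0
    for v in spamd spamass_milter clamav_clamd clamav_freshclam clamav_milter; do
        grep -q "^${v}_enable=\"YES\"" "$1" || { echo "${v}_enable not YES"; rc=1; }
    done
    grep -q '^spamd_flags=.* -A ' "$1" || { echo "spamd_flags lacks -A"; rc=1; }
    return "$rc"
}

# Constructed sample: the two filter lines from this howto in a minimal .mc.
make_samples() {
    cat > "$1/good.mc" <<'EOF'
FEATURE(local_lmtp)
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, T=C:15m;S:4m;R:4m;E:10m')
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, T=S:4m;R:4m')
MAILER(local)
EOF
    # Misplaced variant: the clamav filter line moved below the MAILER line.
    { sed '3d' "$1/good.mc"; sed -n '3p' "$1/good.mc"; } > "$1/bad.mc"
}

d=$(mktemp -d) && make_samples "$d"
check_mc "$d/good.mc" && echo "good.mc: ok"
check_mc "$d/bad.mc" || echo "bad.mc: rejected"
rm -rf "$d"
```

Run check_mc against <your-host-name>.mc and check_rc against /etc/rc.conf before the make restart step; both print one line per problem and return non-zero if anything is wrong.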