Spam & Virus filtering in a FreeBSD jail
Ruben de Groot, 11-6-2004
This howto describes how to set up basic Spam and Virus filtering in a
FreeBSD jail using Sendmail, Spamassassin and Clamav. The main concerns
here are performance and maintainability. This document does not cover
the making of a jail. That's well covered in the jail(8) manpage.
Basic tools
Starting with a virgin jail we install the two basic tools needed to
administer a FreeBSD installation.
# pkg_add -r cvsup-without-gui
# pkg_add -r portinstall
Now edit the file /usr/share/examples/cvsup/ports-supfile, look for the
line:
*default host=CHANGE_THIS.FreeBSD.org
Change the hostname to that of a mirror close to you. In the
Netherlands, for example, you would use something like
cvsup.nl.freebsd.org. Now you can install the latest version of the
ports tree, simply by issuing the command:
# cvsup /usr/share/examples/cvsup/ports-supfile
Installing the filters
After the above steps, installing the spam- and virusfilters is very
straightforward:
# portinstall mail/spamass-milter
# portinstall -M WITH_MILTER=yes security/clamav
When all goes well, 5 new startup scripts will have been dropped into
the /usr/local/etc/rc.d directory:
clamav-clamd.sh
clamav-freshclam.sh
clamav-milter.sh
spamass-milter.sh
spamd.sh
These scripts depend on certain variables, read from /etc/rc.conf. Add
these variables to this file, substituting www.xxx.yyy.zzz with the IP
address of your jail (this is necessary because spamd normally only
trusts connections from 127.0.0.1):
spamd_enable="YES"
spamd_flags="-a -c -d -A www.xxx.yyy.zzz -r /var/run/spamd.pid"
spamass_milter_enable="YES"
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
clamav_milter_enable="YES"
clamav_milter_flags="-C -N -q"
Configuration of Spamassassin
By default, Spamassassin uses only one configuration file, located at
/usr/local/etc/mail/spamassassin/local.cf. Copying the local.cf.sample
file that came with the installation will get you a default
configuration. Read the file for the various tweaks and knobs you might
want to use, or read the excellent documentation provided by the command:
# perldoc Mail::SpamAssassin::Conf
Spamassassin can be easily extended with custom rulesets:
just dropping *.cf files in the above-mentioned directory will
provide extra functionality. A good starting place for finding custom
rulesets is this
website.
Configuration of Clamav
There's not a whole lot to configure for clamav. Most tweakable knobs are
in the /usr/local/etc/clamav.conf configuration file. And there's a
manpage clamav.conf(5) explaining them in detail.
Some options you might want to look at and change from their default
settings are "LogSyslog" and "LogFacility LOG_MAIL" (enable those two!),
"StreamSaveToDisk" (ditto) and the "Clamuko*" options (disable these; this
is highly experimental and only works on Linux anyway).
Configuration of Sendmail
Now all you have to do is make sendmail aware of the two "milters" it
has to run its mail through. To do this, first go to the /etc/mail
directory. Copy the freebsd.mc file to <your-host-name>.mc and edit the
latter file. After the last FEATURE line, but before the MAILER lines,
insert the following:
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, T=C:15m;S:4m;R:4m;E:10m')
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, T=S:4m;R:4m')
Type make && make install && make restart to let sendmail
pick up these configuration changes.
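
The following sh functions are an added example, not part of the original howto. They check the two edits described above: that the five *_enable variables are set in rc.conf, and that both INPUT_MAIL_FILTER lines sit after the last FEATURE line and before the first MAILER line. The function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the howto): sanity checks for the edits above.
# Usage: check_rc_conf /etc/rc.conf && check_mc_order /etc/mail/<your-host-name>.mc

# check_rc_conf FILE: succeed only if all five services are enabled.
check_rc_conf() {
    rc=0
    for svc in spamd spamass_milter clamav_clamd clamav_freshclam clamav_milter; do
        if ! grep -Eiq "^${svc}_enable=\"?yes\"?" "$1"; then
            echo "missing or disabled: ${svc}_enable" >&2
            rc=1
        fi
    done
    return $rc
}

# check_mc_order FILE: succeed only if both milters are declared after the
# last FEATURE line and before the first MAILER line of the .mc file.
check_mc_order() {
    awk -v q="'" '
        /^dnl/ || /^#/ { next }                       # skip comments
        /^FEATURE\(/   { last_feature = NR }
        /^MAILER\(/    { if (!first_mailer) first_mailer = NR }
        /^INPUT_MAIL_FILTER\(/ {
            name = $0
            sub(/^INPUT_MAIL_FILTER\(`/, "", name)    # drop macro and m4 open quote
            sub(q ".*", "", name)                     # drop from m4 close quote on
            seen[name] = NR
        }
        END {
            bad = 0
            n = split("spamassassin clamav", want, " ")
            for (i = 1; i <= n; i++) {
                f = want[i]
                if (!(f in seen)) {
                    print "missing filter: " f; bad = 1
                } else if (seen[f] < last_feature) {
                    print f ": declared before a FEATURE line"; bad = 1
                } else if (first_mailer && seen[f] > first_mailer) {
                    print f ": declared after a MAILER line"; bad = 1
                }
            }
            exit bad
        }' "$1" >&2
}
```

Neither INPUT_MAIL_FILTER line above sets an F= flag, so when a milter socket is unavailable sendmail handles the message as though that filter were not configured. Adding F=T (temporary failure) or F=R (reject) to a filter's definition changes that behaviour.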