SquidGuard is a URL redirector used to use blacklists with the proxysoftware Squid. There are two big advantages to squidguard: it is fast and it is free.
Simscan
Primary tabs
Revised to use a fork of Simscan, as Inter7 hasn't updated Simscan since 2007. The fork has a variety of fixes for DSPAM.
RipMIME
In order to scan attachments, SimScan requires RipMIME to be installed:
cd /extra/src
wget http://www.pldaniels.com/ripmime/ripmime-1.4.0.10.tar.gz
tar zxf ripmime-1.4.0.10.tar.gz
cd ripmime-1.4.0.10
There's a permissions issue with 1.4.0.9 than can be solved with a patch:
wget http://www.tjc.fi/dist/ripmime-1.4.0.9-permissions.patch
patch < ripmime-1.4.0.9-permissions.patch
Then build and install ripMIME
make
make install
SimScan installation
At the time of writing, the current version of SimScan was 1.4. Download and unpack the source code. This is a fork of the original Simcan 1.4.0 with bugfixes and changes to DSPAM support.
cd /extra/src
wget -O simscan-master.zip https://github.com/ManChicken1911/simscan/archive/master.zip
unzip simscan-master.zip
cd simscan-master
There's a couple patches by John Simpson to fix a few issues with SimScan. Download and apply them:
## Combined patch does not apply to this forked simscan
## Fails on the ClamAV patch
#wget http://qmail.jms1.net/simscan/simscan-1.4.0-combined.3.patch
#patch < simscan-1.4.0-combined.3.patch
Downloaded the separate patches:
wget https://qmail.jms1.net/simscan/simscan-1.4.0-clamav.3.patch
Bug is this patch - doesn't find daily.cvd in configure file - patch looking for daily.cvd
and main.cvd
in simscanmk.c
:
patch < simscan-1.4.0-clamav.3.patch
wget https://qmail.jms1.net/simscan/simscan-1.4.0-umask.patch
patch < simscan-1.4.0-umask.patch
wget https://qmail.jms1.net/simscan/simscan-1.4.0-debug.patch
patch < simscan-1.4.0-debug.patch
simscan.c
in the fork had a line removed from the dspam args that prevented it from being called correctly. Modify it by line 1151 to add the dspamc argument:
dspam_args[i++] = "dspamc";
dspam_args[i++] = "--stdout";
dspam_args[i++] = "--client";
dspam_args[i++] = "--feature=noise";
dspam_args[i++] = "--deliver=innocent";
Create a user and group for SimScan to run as:
groupadd simscan
useradd -g simscan -s /bin/false -c "SimScan Content Filter" simscan
Create a "go" file to hold the configuration options (in case we need to recall them later). Then, put the following into that file:
- Spamassassin
#!/bin/sh
./configure \
--enable-user=simscan \
--enable-clamav=y \
--enable-clamdscan=/usr/local/bin/clamdscan \
--enable-custom-smtp-reject=y \
--enable-attach=y \
--enable-received=y \
--enable-per-domain=y \
--enable-ripmime=/usr/local/bin/ripmime \
--enable-spam=y \
--enable-spamc=/usr/bin/spamc \
--enable-spam-hits=10 \
--enable-spam-passthru - dspam
#!/bin/sh
./configure \
--enable-user=simscan \
--enable-clamav=y \
--enable-clamdscan=/usr/local/bin/clamdscan \
--enable-custom-smtp-reject=y \
--enable-attach=y \
--enable-received=y \
--enable-per-domain=y \
--enable-ripmime=/usr/local/bin/ripmime \
--enable-dspam=y \
--enable-dspam-user=y \
--enable-dspam-args="--deliver=innocent --debug"
Make "go" executable and then run it to configure SimScan:
chmod ugo+x go
./go
If it compiles ok, make and install the programs:
make
make install-strip
In order for ClamAV to be able to work with the temp files in /var/qmail/simscan
, we need to make some permission changes and add clamav to the simscan group:
chgrp simscan /var/qmail/simscan
chmod g+s /var/qmail/simscan
usermod -a -G simscan clamav
The AllowSupplementaryGroups
option in /usr/local/etc/clamd.conf
must also be set and ClamAV restarted:
AllowSupplementaryGroups yes
svc -t /service/clamav
Attachment Blocking
ssattach
is ignored when Simscan is compiled with --enable-per-domain
. Create a text file, /var/qmail/control/ssattach
, that contains a list of the attachment types that you want to block. The following list is a good start but might need to be modified to suit your particular needs:
.ade
.adp
.bas
.bat
.chm
.cmd
.com
.cpl
.crt
.exe
.hlp
.hta
.inf
.ins
.isp
.js
.jse
.lnk
.mdb
.mde
.msc
.msi
.msp
.mst
.pcd
.pif
.reg
.scr
.sct
.shb
.shs
.url
.vb
.vbe
.vbs
.wsc
.wsf
.wsh
/var/qmail/control/simcontrol
By compiling with --enable-per-domain=y
, we can fine-tune scanning on a domain or email address basis. Create the control file /var/qmail/control/simcontrol
and put in it a default entry:
:clam=yes,spam=yes,spam_hits=10
A couple other examples for a domain or an email address would look like:
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
Once you've created the file, create the necessary CDB file:
/var/qmail/bin/simscanmk
SMTP run script
Edit your SMTP service's run script (eg. /service/smtp-external/run
) to enable Simscan by uncommenting the relevant lines:
QMAILQUEUE="$VQ/bin/simscan"
update-simscan
still need to update this for John Simpson's clamav patch...
In order to have the message headers indicate the correct version of ClamAVs database, simscan's version database needs to be updated when Freshclam updates the definitions. John Simpson has provide a nice program that does that.
cd /extra/src
wget http://qmail.jms1.net/simscan/update-simscan.c
gcc -s -o /usr/local/sbin/update-simscan update-simscan.c
chown root:simscan /usr/local/sbin/update-simscan
chmod 4110 /usr/local/sbin/update-simscan
Adjust /usr/local/etc/freshclam.conf
to run update-simscan when it updates the definitions and allow supplementary group access:
OnUpdateExecute /usr/local/sbin/update-simscan
AllowSupplementaryGroups yes
Then restart FreshClam to load the change:
svc -t /service/freshclam
Other Patches
http://article.gmane.org/gmane.mail.qmail.simscan/3585
http://comments.gmane.org/gmane.mail.qmail.simscan/3896
- Log in to post comments
Credits
Various bits of code, scripts, and procedures were put together with information from John Simpson's qmail.jms1.net website. It's an excellent resource on managing and setting up a Qmail server.