Simscan

Simscan is a simple program that enables the qmail smtpd service to reject viruses, spam, and block attachments during the SMTP conversation so the processing load on the email system is kept to a minimum.

Revised to use a fork of Simscan, as Inter7 hasn't updated Simscan since 2007. The fork has a variety of fixes for DSPAM.

RipMIME
In order to scan attachments, SimScan requires RipMIME to be installed:

cd /extra/src
wget http://www.pldaniels.com/ripmime/ripmime-1.4.0.10.tar.gz
tar zxf ripmime-1.4.0.10.tar.gz
cd ripmime-1.4.0.10

There's a permissions issue with 1.4.0.9 that can be solved with a patch:

wget http://www.tjc.fi/dist/ripmime-1.4.0.9-permissions.patch
patch < ripmime-1.4.0.9-permissions.patch

Then build and install ripMIME:

make
make install

SimScan installation
At the time of writing, the current version of SimScan was 1.4. Download and unpack the source code. This is a fork of the original SimScan 1.4.0 with bugfixes and changes to DSPAM support.

cd /extra/src
wget -O simscan-master.zip https://github.com/ManChicken1911/simscan/archive/master.zip 
unzip simscan-master.zip
cd simscan-master

There are a couple of patches by John Simpson that fix a few issues with SimScan. Download and apply them:

## Combined patch does not apply to this forked simscan
## Fails on the ClamAV patch
#wget http://qmail.jms1.net/simscan/simscan-1.4.0-combined.3.patch
#patch < simscan-1.4.0-combined.3.patch

Downloaded the separate patches:

wget https://qmail.jms1.net/simscan/simscan-1.4.0-clamav.3.patch

There is a bug in this patch: it doesn't find daily.cvd in the configure file. The patch looks for daily.cvd and main.cvd in simscanmk.c:

patch < simscan-1.4.0-clamav.3.patch

wget https://qmail.jms1.net/simscan/simscan-1.4.0-umask.patch
patch < simscan-1.4.0-umask.patch

wget https://qmail.jms1.net/simscan/simscan-1.4.0-debug.patch
patch < simscan-1.4.0-debug.patch

simscan.c in the fork had a line removed from the dspam args, which prevented dspam from being called correctly. Edit the file near line 1151 to add the dspamc argument:

  dspam_args[i++] = "dspamc";
  dspam_args[i++] = "--stdout";
  dspam_args[i++] = "--client";
  dspam_args[i++] = "--feature=noise";
  dspam_args[i++] = "--deliver=innocent";

Create a user and group for SimScan to run as:

groupadd simscan
useradd -g simscan -s /bin/false -c "SimScan Content Filter" simscan

Create a "go" file to hold the configuration options (in case we need to recall them later). Then, put the following into that file:

  • Spamassassin

    #!/bin/sh
    ./configure \
    --enable-user=simscan \
    --enable-clamav=y \
    --enable-clamdscan=/usr/local/bin/clamdscan \
    --enable-custom-smtp-reject=y \
    --enable-attach=y \
    --enable-received=y \
    --enable-per-domain=y \
    --enable-ripmime=/usr/local/bin/ripmime \
    --enable-spam=y \
    --enable-spamc=/usr/bin/spamc \
    --enable-spam-hits=10 \
    --enable-spam-passthru
  • dspam

    #!/bin/sh
    ./configure \
    --enable-user=simscan \
    --enable-clamav=y \
    --enable-clamdscan=/usr/local/bin/clamdscan \
    --enable-custom-smtp-reject=y \
    --enable-attach=y \
    --enable-received=y \
    --enable-per-domain=y \
    --enable-ripmime=/usr/local/bin/ripmime \
    --enable-dspam=y \
    --enable-dspam-user=y \
    --enable-dspam-args="--deliver=innocent --debug"

Make "go" executable and then run it to configure SimScan:

chmod ugo+x go
./go

If configure finishes without errors, make and install the programs:

make
make install-strip

In order for ClamAV to be able to work with the temp files in /var/qmail/simscan, we need to make some permission changes and add clamav to the simscan group:

chgrp simscan /var/qmail/simscan
chmod g+s /var/qmail/simscan
usermod -a -G simscan clamav

The AllowSupplementaryGroups option in /usr/local/etc/clamd.conf must also be set and ClamAV restarted:

AllowSupplementaryGroups yes
svc -t /service/clamav

Attachment Blocking
ssattach is ignored when Simscan is compiled with --enable-per-domain. Create a text file, /var/qmail/control/ssattach, that contains a list of the attachment types that you want to block. The following list is a good start but might need to be modified to suit your particular needs:

.ade
.adp
.bas
.bat
.chm
.cmd
.com
.cpl
.crt
.exe
.hlp
.hta
.inf
.ins
.isp
.js
.jse
.lnk
.mdb
.mde
.msc
.msi
.msp
.mst
.pcd
.pif
.reg
.scr
.sct
.shb
.shs
.url
.vb
.vbe
.vbs
.wsc
.wsf
.wsh

/var/qmail/control/simcontrol
By compiling with --enable-per-domain=y, we can fine-tune scanning on a domain or email address basis. Create the control file /var/qmail/control/simcontrol and put in it a default entry:

:clam=yes,spam=yes,spam_hits=10

A couple of other examples for a domain or an email address would look like:

postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3

Once you've created the file, create the necessary CDB file:

/var/qmail/bin/simscanmk
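
A pre-flight check for the control file, as an added example that is not part of the original page or of Simscan: it reads simcontrol on stdin and reports entries that switch clam or spam scanning off, entries with no attach= list (relevant because ssattach is ignored in per-domain builds), duplicate keys, and a missing default entry. The function names and the sample input are constructed for illustration; whether an entry without attach= inherits from the default entry is not stated here, so the script only reports it.

```shell
#!/bin/sh
# Added example (not from the original page): review a simcontrol file
# before compiling it with simscanmk. Reads the file on stdin.

audit_simcontrol() {
    awk '
    /^[ \t]*$/ { next }                      # skip blank lines
    {
        c = index($0, ":")
        if (c == 0) { printf "line %d: missing \":\" after key\n", NR; next }
        key  = substr($0, 1, c - 1)          # empty key = default entry
        opts = substr($0, c + 1)             # attach= values contain ":" too
        who  = (key == "") ? "default" : key
        if (key == "") has_default = 1
        if (key in seen) printf "line %d: duplicate entry for %s\n", NR, who
        seen[key] = 1
        has_attach = 0
        n = split(opts, kv, ",")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq == 0) { printf "line %d: option \"%s\" has no value\n", NR, kv[i]; continue }
            name = substr(kv[i], 1, eq - 1)
            val  = substr(kv[i], eq + 1)
            if (name == "attach") has_attach = 1
            if ((name == "clam" || name == "spam") && val == "no")
                printf "line %d: %s has %s scanning off\n", NR, who, name
        }
        if (!has_attach) printf "line %d: %s has no attach= list\n", NR, who
    }
    END { if (!has_default) print "no default (empty-key) entry" }
    '
}

# Constructed sample: the three entries shown above plus one duplicate.
sample_simcontrol() {
    cat <<'EOF'
:clam=yes,spam=yes,spam_hits=10
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
example.com:clam=yes,spam=yes
EOF
}

sample_simcontrol | audit_simcontrol
```

Run it as audit_simcontrol < /var/qmail/control/simcontrol before /var/qmail/bin/simscanmk.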

SMTP run script
Edit your SMTP service's run script (e.g. /service/smtp-external/run) to enable Simscan by uncommenting the relevant lines:

QMAILQUEUE="$VQ/bin/simscan"

update-simscan
still need to update this for John Simpson's clamav patch...
In order to have the message headers indicate the correct version of ClamAV's database, simscan's version database needs to be updated when Freshclam updates the definitions. John Simpson has provided a nice program that does that.

cd /extra/src
wget http://qmail.jms1.net/simscan/update-simscan.c
gcc -s -o /usr/local/sbin/update-simscan update-simscan.c
chown root:simscan /usr/local/sbin/update-simscan
chmod 4110 /usr/local/sbin/update-simscan

Adjust /usr/local/etc/freshclam.conf to run update-simscan when it updates the definitions and allow supplementary group access:

OnUpdateExecute /usr/local/sbin/update-simscan
AllowSupplementaryGroups yes

Then restart FreshClam to load the change:

svc -t /service/freshclam

Other Patches
http://article.gmane.org/gmane.mail.qmail.simscan/3585
http://comments.gmane.org/gmane.mail.qmail.simscan/3896

Credits

Various bits of code, scripts, and procedures were put together with information from John Simpson's qmail.jms1.net website. It's an excellent resource on managing and setting up a Qmail server.
