FreeBSD – Postfix: ClamSMTP, Clamav, Spamassassin

I'm starting a short series of notes about postfix. Why postfix: I spent a long time choosing an MTA for the needs of a company (not a provider), and settled on postfix for its convenience, flexibility and reliability.
So, the first article: protecting postfix from spam and viruses.

To begin with, we assume postfix is already installed and working.
Install and configure Clamav (don't forget to update the ports tree).

# cd /usr/ports/security/clamav
# make install clean

Next, configure Clamav in /usr/local/etc/clamd.conf:

##
## config file for the Clam AV daemon
##

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
User clamav
AllowSupplementaryGroups yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
ScanPDF yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
#ArchiveMaxFileSize 5M

Enable it at boot and start it:

# echo 'clamav_clamd_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/clamav-clamd start

Next the databases need to be updated; for that, configure /usr/local/etc/freshclam.conf

##
## config file for freshclam
##
DatabaseDirectory /var/db/clamav
UpdateLogFile /var/log/clamav/freshclam.log
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner clamav
AllowSupplementaryGroups yes
DatabaseMirror db.ru.clamav.net
Checks 24
NotifyClamd /usr/local/etc/clamd.conf

Run it and add it to cron so the update runs daily at 23:45:

# /usr/local/bin/freshclam
# crontab -e
45 23 * * * /usr/local/bin/freshclam

That's it, Clamav is configured and running. Now install and configure Spamassassin.
Install it from ports:

# cd /usr/ports/mail/p5-Mail-SpamAssassin
# make install clean

Enable it at boot

# echo 'spamd_enable="YES"' >> /etc/rc.conf

and configure /usr/local/etc/mail/spamassassin/local.cf

rewrite_header Subject *****SPAM*****
report_safe 1
required_score 7.0
use_bayes 1
bayes_auto_learn 1
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

and start it

# /usr/local/etc/rc.d/sa-spamd start

What remains is to configure ClamSMTP. Install it from ports:

# cd /usr/ports/security/clamsmtp
# make install clean

Next, configure /usr/local/etc/clamsmtpd.conf:

#
# config file for clamsmtpd
#

# The address to send scanned mail to.
# This option is required unless TransparentProxy is enabled
OutAddress: 10026

# The maximum number of connection allowed at once.
# Be sure that clamd can also handle this many connections
#MaxConnections: 64

# Amount of time (in seconds) to wait on network IO
#TimeOut: 180

# Keep Alives (ie: NOOP's to server)
#KeepAlives: 0

# Send XCLIENT commands to receiving server
#XClient: off

# Address to listen on (defaults to all local addresses on port 10025)
#Listen: 0.0.0.0:10025
Listen: 127.0.0.1:10025

# The address clamd is listening on
#ClamAddress: /var/run/clamav/clamd
ClamAddress: /var/run/clamav/clamd.sock

# A header to add to all scanned email
Header: X-Virus-Scanned: ClamAV Scanned

# Directory for temporary files
TempDirectory: /tmp

# What to do when we see a virus (use 'bounce' or 'pass' or 'drop')
Action: drop

# Whether or not to keep virus files
Quarantine: on

# Enable transparent proxy support
#TransparentProxy: off

# User to switch to
User: clamav

# Virus actions: There's an option to run a script every time a virus is found.
# !IMPORTANT! This can open a hole in your server's security big enough to drive
# farm vehicles through. Be sure you know what you're doing. !IMPORTANT!
#VirusAction: /path/to/some/script.sh

Add it to rc.conf and start it

# echo 'clamsmtpd_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/clamsmtpd start

Now change the postfix settings; by default they are in /usr/local/etc/postfix

main.cf:
content_filter = scan:[127.0.0.1]:10025
receive_override_options = no_address_mappings

master.cf:
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_enforce_tls=no

# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

# Check spam
smtp inet n - n - - smtpd
  -o content_filter=spam:dummy

# -i: a line containing only "." must not end the message handed to sendmail
spam unix - n n - - pipe
  flags=R user=virtual argv=/usr/local/bin/spamc -u virtual -e /usr/sbin/sendmail -i -f $sender $recipient
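
In master.cf a line that starts with whitespace continues the previous entry, so an `-o` option that loses its indentation is no longer applied to the service above it. The following added example (not part of the original article) audits master.cf text for that, and for the two properties the re-injection listener on port 10026 depends on: it is bound to loopback only and it clears content_filter. The function names and the sample text are assumptions made for the illustration.

```python
# Added example: audit of master.cf text for the filter re-injection listener.
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")
TYPES = ("inet", "unix", "unix-dgram", "fifo", "pass")

# Constructed sample: the re-injection entry with its options correctly indented.
SAMPLE = """\
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the entry they extend."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def overrides(fields):
    """Collect '-o name=value' pairs from one entry's command arguments."""
    args = fields[8:]
    return dict(a.split("=", 1) for p, a in zip(args, args[1:])
                if p == "-o" and "=" in a)

def audit(text, reinject_port="10026"):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8 or fields[1] not in TYPES:
            findings.append("not a service entry (lost indentation?): " + entry)
            continue
        host, _, port = fields[0].rpartition(":")
        if fields[1] != "inet" or port != reinject_port:
            continue
        if host not in LOOPBACK:
            findings.append("re-injection listener not bound to loopback: " + fields[0])
        if overrides(fields).get("content_filter") != "":
            findings.append("re-injection listener keeps content_filter (mail loop)")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "ok")
```

To check a live system, pass the contents of /usr/local/etc/postfix/master.cf to `audit()`.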

All that's left is to test. Insert the test signatures into the body of a message.

To trigger virus detection:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To trigger spam detection:
Subject: Relax, be happy
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

That's all, everything works.
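
An added example (not from the original article) that automates the test described above: it builds a clean, an EICAR and a GTUBE probe, and checks what reaches the mailbox against the settings shown earlier (Action: drop, the X-Virus-Scanned header, rewrite_header). The function names, the probe subjects, submission to 127.0.0.1:25 and reading the delivered message back as raw text are assumptions.

```python
import smtplib
from email import message_from_string
from email.message import EmailMessage

# Harmless standard test strings, as quoted in the article.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
BODIES = {"clean": "plain test message", "virus": EICAR, "spam": GTUBE}

def build_probe(kind, sender, rcpt):
    """Build one probe; the subject names the probe so it is easy to find later."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = "filter-probe " + kind
    msg.set_content(BODIES[kind])
    return msg

def send_probes(sender, rcpt, host="127.0.0.1", port=25):
    """Submit all three probes over SMTP (needs the running postfix)."""
    with smtplib.SMTP(host, port) as smtp:
        for kind in BODIES:
            smtp.send_message(build_probe(kind, sender, rcpt))

def verdict(kind, delivered):
    """delivered: raw text of the probe as found in the mailbox, or None."""
    if kind == "virus":
        return delivered is None          # clamsmtpd 'Action: drop'
    if delivered is None:
        return False                      # clean and spam probes must arrive
    msg = message_from_string(delivered)
    scanned = msg.get("X-Virus-Scanned", "") == "ClamAV Scanned"
    tagged = msg.get("Subject", "").startswith("*****SPAM*****")
    return scanned and (tagged if kind == "spam" else not tagged)

if __name__ == "__main__":
    # Placeholder addresses; replace with a local test mailbox.
    send_probes("probe@example.com", "postmaster@example.com")
```

A clean probe that arrives without the X-Virus-Scanned header means the message did not pass through clamsmtpd, even if the EICAR probe happened to be blocked somewhere else.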