Linux Archive > Gentoo > Gentoo User
12-03-2011, 06:52 PM
Grant

clamav and spamassassin

I haven't set up any antivirus measures on my Gentoo systems so I
think I should. Is clamav run as a scheduled filesystem scanner on
each system and as an email scanner on the mail server all that's
necessary?

I'm currently greylisting email to prevent spam from getting through.
It catches a lot, but more and more gets through. I'm not using any
mailfilters now and if I set up a clamav mailfilter I think I may as
well set up a spamassassin mailfilter to take the place of
greylisting. Is this the best guide for clamav and spamassassin:

http://www.gentoo.org/doc/en/mailfilter-guide.xml

Could I run into any problems with clamav or spamassassin that might
make me wish I hadn't implemented them?

- Grant
 
12-03-2011, 09:54 PM
Michael Orlitzky

clamav and spamassassin

On 12/03/2011 02:52 PM, Grant wrote:

> I haven't set up any antivirus measures on my Gentoo systems so I
> think I should. Is clamav run as a scheduled filesystem scanner on
> each system and as an email scanner on the mail server all that's
> necessary?


Nobody (as far as I know?) scans linux filesystems unless there's a
legal requirement or the files might wind up on a Windows box.




> I'm currently greylisting email to prevent spam from getting through.
> It catches a lot, but more and more gets through. I'm not using any
> mailfilters now and if I set up a clamav mailfilter I think I may as
> well set up a spamassassin mailfilter to take the place of
> greylisting. Is this the best guide for clamav and spamassassin:


SpamAssassin shouldn't take the place of greylisting; they reject
different stuff. Keep the greylisting unless the delays bother you, but
use postscreen to do it (see below).




> http://www.gentoo.org/doc/en/mailfilter-guide.xml
>
> Could I run into any problems with clamav or spamassassin that might
> make me wish I hadn't implemented them?


Yeah. The first is false positives. The second, related problem is that
you'll have to manage a quarantine unless you stick amavisd-new in front
of the postfix queue.


It's in that respect that the tutorial is outdated; otherwise, it looks
good (I just skimmed it).


There is great benefit to the before-queue setup: mail will never
disappear. Senders either get a rejection, or the mail is delivered.
With the after-queue setup, you can no longer reject or else you'll be
backscattering. So, you either deliver the spam, or you quarantine it
(very bad if it's a false positive).


The downside is that you use more resources: one amavisd-new per
connection. However, the addition of postscreen to postfix has largely
ameliorated this. Since postscreen rejects most of the junk, amavis only
gets started for smtpd sessions that are likely to succeed.


The easiest way to migrate is through incremental improvement. We used
to use a system like the one in that guide. I enabled postscreen over
the course of a week, and retired postgrey, which we had been using for
greylisting. Once that was working properly, I simply dropped the
content_filter in favor of smtpd_proxy_filter to move amavis in front of
the queue.
 
12-03-2011, 11:59 PM
Grant

clamav and spamassassin

>> I haven't set up any antivirus measures on my Gentoo systems so I
>> think I should. Is clamav run as a scheduled filesystem scanner on
>> each system and as an email scanner on the mail server all that's
>> necessary?
>
>
> Nobody (as far as I know?) scans linux filesystems unless there's a legal
> requirement or the files might wind up on a Windows box.

Very cool. I found out clamscan and avgfree scan the filesystem so I
thought I should set it up, but if it's not necessary I won't bother.
All of my mail users are on Gentoo so do I need to bother having
clamav scan my incoming mail?

>> I'm currently greylisting email to prevent spam from getting through.
>> It catches a lot, but more and more gets through. I'm not using any
>> mailfilters now and if I set up a clamav mailfilter I think I may as
>> well set up a spamassassin mailfilter to take the place of
>> greylisting. Is this the best guide for clamav and spamassassin:
>
>
> SpamAssassin shouldn't take the place of greylisting; they reject different
> stuff. Keep the greylisting unless the delays bother you, but use postscreen
> to do it (see below).

I just did some reading on postscreen but it doesn't sound like a
greylister. Should I use postscreen in addition to postgrey, or are
they substitutes for each other?

>> http://www.gentoo.org/doc/en/mailfilter-guide.xml
>>
>> Could I run into any problems with clamav or spamassassin that might
>> make me wish I hadn't implemented them?
>
>
> Yeah. The first is false positives. The second, related problem is that
> you'll have to manage a quarantine unless you stick amavisd-new in front of
> the postfix queue.

Now that sounds like a hassle. Greylisting leaves me with about 50/50
spam/legit mail and maybe incorporating postscreen I'll do even
better. Deleting spam in my inbox might be easier than dealing with
false positives and managing a quarantine.

- Grant


> It's in that respect that the tutorial is outdated; otherwise, it looks good
> (I just skimmed it).
>
> There is great benefit to the before-queue setup: mail will never disappear.
> Senders either get a rejection, or the mail is delivered. With the
> after-queue setup, you can no longer reject or else you'll be
> backscattering. So, you either deliver the spam, or you quarantine it (very
> bad if it's a false positive).
>
> The downside is that you use more resources: one amavisd-new per connection.
> However, the addition of postscreen to postfix has largely ameliorated this.
> Since postscreen rejects most of the junk, amavis only gets started for
> smtpd sessions that are likely to succeed.
>
> The easiest way to migrate is through incremental improvement. We used to
> use a system like the one in that guide. I enabled postscreen over the
> course of a week, and retired postgrey, which we had been using for
> greylisting. Once that was working properly, I simply dropped the
> content_filter in favor of smtpd_proxy_filter to move amavis in front of the
> queue.
 
12-04-2011, 12:35 AM
Michael Orlitzky

clamav and spamassassin

On 12/03/2011 07:59 PM, Grant wrote:

>>> I haven't set up any antivirus measures on my Gentoo systems so I
>>> think I should. Is clamav run as a scheduled filesystem scanner on
>>> each system and as an email scanner on the mail server all that's
>>> necessary?
>>
>> Nobody (as far as I know?) scans linux filesystems unless there's a legal
>> requirement or the files might wind up on a Windows box.
>
> Very cool. I found out clamscan and avgfree scan the filesystem so I
> thought I should set it up, but if it's not necessary I won't bother.
> All of my mail users are on Gentoo so do I need to bother having
> clamav scan my incoming mail?


Well, they aren't going to get infected with anything, but ClamAV could
still keep the virus message (which is obviously unwanted) out of their
inbox. There are also some third-party signatures[1] for ClamAV that
catch scam/phishing mail.




>>> I'm currently greylisting email to prevent spam from getting through.
>>> It catches a lot, but more and more gets through. I'm not using any
>>> mailfilters now and if I set up a clamav mailfilter I think I may as
>>> well set up a spamassassin mailfilter to take the place of
>>> greylisting. Is this the best guide for clamav and spamassassin:
>>
>> SpamAssassin shouldn't take the place of greylisting; they reject different
>> stuff. Keep the greylisting unless the delays bother you, but use postscreen
>> to do it (see below).
>
> I just did some reading on postscreen but it doesn't sound like a
> greylister. Should I use postscreen in addition to postgrey, or are
> they substitutes for each other?



Postscreen isn't a greylist daemon per se, but it has the same effect if
you enable the "deep protocol" tests. Once it gets past the initial
greeting (into the "deep" stages), postscreen can no longer hand off the
session to a real smtpd. So, even if the client passes all of the tests,
postscreen will send it a "4xx try again." That's essentially greylisting.


Postscreen, like Postgrey, keeps a database of good clients, so you
shouldn't lose any functionality there. This is what makes the
aforementioned 4xx strategy work: when the client reconnects, it
bypasses postscreen entirely and goes to a real smtpd.


I would make the switch when you have some free time. Postscreen is part
of postfix, so it removes one dependency from your mail system. It also
adds a couple of nice anti-spam features for free. And, if you ever
decide to implement Amavis, postscreen makes the before-queue setup viable.




>>> http://www.gentoo.org/doc/en/mailfilter-guide.xml
>>>
>>> Could I run into any problems with clamav or spamassassin that might
>>> make me wish I hadn't implemented them?
>>
>> Yeah. The first is false positives. The second, related problem is that
>> you'll have to manage a quarantine unless you stick amavisd-new in front of
>> the postfix queue.
>
> Now that sounds like a hassle. Greylisting leaves me with about 50/50
> spam/legit mail and maybe incorporating postscreen I'll do even
> better. Deleting spam in my inbox might be easier than dealing with
> false positives and managing a quarantine.


You should be able to do a lot better than that with just postscreen and
postfix. If you try to implement postscreen, post your main.cf over on
postfix-users for review. The built-in restrictions combined with a few
RBLs should get you well below 50/50.


Plus, if you still get too much spam, you'll already have postscreen in
place and that will make adding amavisd-new that much easier.



[1] http://www.sanesecurity.com/
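The part of this switch that the thread does not show is the master.cf side: postscreen has to take over the public SMTP port, and the pass-cache and TTL parameters are what turn its "450 try again later" into something that behaves like postgrey without punishing a client twice. The fragment below is an added example, not Michael's or the Gentoo guide's configuration. The parameter names and service types are Postfix's own (POSTSCREEN_README and postconf(5)); the TTL values, the "n" chroot column and the placement of the cache file are my choices, so check them against "postconf -d" for your version.

```conf
# /etc/postfix/master.cf  (added example; chroot column "n" is an assumption)
# postscreen answers the public port as a single process. The real smtpd
# becomes a "pass" service that postscreen hands surviving connections to.
# dnsblog does the parallel DNSBL lookups; tlsproxy is only used when a
# client starts TLS while it is still inside the deep protocol tests.
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

# /etc/postfix/main.cf  (added example)
# Clients in $mynetworks never see postscreen at all.
postscreen_access_list = permit_mynetworks

# The pass cache. A client found here skips postscreen and is connected
# straight to smtpd; that is what makes the 4xx below harmless for a
# legitimate sender that retries.
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d

# How long a pass result is remembered. Pre-greeting results are cheap to
# re-check, so they expire faster than deep-test results.
postscreen_greet_ttl = 1d
postscreen_pipelining_ttl = 30d
postscreen_non_smtp_command_ttl = 30d
postscreen_bare_newline_ttl = 30d

# Enabling any deep protocol test means postscreen keeps the session past
# the banner and can no longer hand the socket to smtpd. A new client that
# passes is therefore told to come back later (a 450 temporary failure)
# and is added to the cache; its next connection goes to smtpd directly.
# Botnet senders that never retry are dropped at this point. This is the
# greylisting effect Michael describes.
postscreen_pipelining_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_bare_newline_enable = yes
```

After "postfix reload", watch the mail log for "PASS NEW" (first contact, client just told to retry), "PASS OLD" (cache hit, handed to smtpd) and "NOQUEUE: reject" lines from postscreen; a steady stream of PASS OLD for your regular correspondents is the sign that the cache is doing its job and the delays are a one-time cost per sending host.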
 
12-04-2011, 12:57 AM
Grant

clamav and spamassassin

>> Very cool. I found out clamscan and avgfree scan the filesystem so I
>> thought I should set it up, but if it's not necessary I won't bother.
>> All of my mail users are on Gentoo so do I need to bother having
>> clamav scan my incoming mail?
>
>
> Well, they aren't going to get infected with anything, but ClamAV could
> still keep the virus message (which is obviously unwanted) out of their
> inbox. There are also some third-party signatures[1] for ClamAV that catch
> scam/phishing mail.

There is info on Linux viruses here:

http://en.wikipedia.org/wiki/Linux_malware

I shouldn't be concerned about that?

>> I just did some reading on postscreen but it doesn't sound like a
>> greylister. Should I use postscreen in addition to postgrey, or are
>> they substitutes for each other?
>>
>
> Postscreen isn't a greylist daemon per se, but it has the same effect if you
> enable the "deep protocol" tests. Once it gets past the initial greeting
> (into the "deep" stages), postscreen can no longer hand off the session to a
> real smtpd. So, even if the client passes all of the tests, postscreen will
> send it a "4xx try again." That's essentially greylisting.

Got it. Sounds like postscreen is the successor to postgrey. I will
set that up ASAP.

Thanks,
Grant
 
12-04-2011, 12:59 AM
Pandu Poluan

clamav and spamassassin

On Dec 4, 2011 5:58 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 12/03/2011 02:52 PM, Grant wrote:
>>
>> I haven't set up any antivirus measures on my Gentoo systems so I
>> think I should. Is clamav run as a scheduled filesystem scanner on
>> each system and as an email scanner on the mail server all that's
>> necessary?
>
> Nobody (as far as I know?) scans linux filesystems unless there's a legal requirement or the files might wind up on a Windows box.
>
>> I'm currently greylisting email to prevent spam from getting through.
>> It catches a lot, but more and more gets through. I'm not using any
>> mailfilters now and if I set up a clamav mailfilter I think I may as
>> well set up a spamassassin mailfilter to take the place of
>> greylisting. Is this the best guide for clamav and spamassassin:
>
> SpamAssassin shouldn't take the place of greylisting; they reject different stuff. Keep the greylisting unless the delays bother you, but use postscreen to do it (see below).
>
>> http://www.gentoo.org/doc/en/mailfilter-guide.xml
>>
>> Could I run into any problems with clamav or spamassassin that might
>> make me wish I hadn't implemented them?
>
> Yeah. The first is false positives. The second, related problem is that you'll have to manage a quarantine unless you stick amavisd-new in front of the postfix queue.
>
> It's in that respect that the tutorial is outdated; otherwise, it looks good (I just skimmed it).
>
> There is great benefit to the before-queue setup: mail will never disappear. Senders either get a rejection, or the mail is delivered. With the after-queue setup, you can no longer reject or else you'll be backscattering. So, you either deliver the spam, or you quarantine it (very bad if it's a false positive).
>
> The downside is that you use more resources: one amavisd-new per connection. However, the addition of postscreen to postfix has largely ameliorated this. Since postscreen rejects most of the junk, amavis only gets started for smtpd sessions that are likely to succeed.
>
> The easiest way to migrate is through incremental improvement. We used to use a system like the one in that guide. I enabled postscreen over the course of a week, and retired postgrey, which we had been using for greylisting. Once that was working properly, I simply dropped the content_filter in favor of smtpd_proxy_filter to move amavis in front of the queue.
>

This is new information to me. If you're subscribed to Gentoo-server, you'll know that I am in the process of setting up a mailfiltering gateway for my company.


Any resources on this "postscreen" facility? Sounds like a very nice thing to implement.


Rgds,
 
12-04-2011, 01:10 AM
Michael Orlitzky

clamav and spamassassin

On 12/03/2011 08:57 PM, Grant wrote:

>>> Very cool. I found out clamscan and avgfree scan the filesystem so I
>>> thought I should set it up, but if it's not necessary I won't bother.
>>> All of my mail users are on Gentoo so do I need to bother having
>>> clamav scan my incoming mail?
>>
>> Well, they aren't going to get infected with anything, but ClamAV could
>> still keep the virus message (which is obviously unwanted) out of their
>> inbox. There are also some third-party signatures[1] for ClamAV that catch
>> scam/phishing mail.
>
> There is info on Linux viruses here:
>
> http://en.wikipedia.org/wiki/Linux_malware
>
> I shouldn't be concerned about that?



The "big" risk (although still negligible) is that someone will mail
your users an executable that does something bad. But, you would have to
save it under /home, chmod +x it, and then run it manually for it to be
dangerous.


If you use portage to install packages, you should not ever need to
chmod +x anything. It's a big red flag and normal users don't even need
to know how to do it.


Mount /home noexec for extra safety.

Note that antivirus wouldn't help anyway if your users are going to do
whatever the email says without question =)
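The noexec mount as an fstab entry, added here as an example rather than something from the thread; the device, filesystem type and pass number are assumptions for a typical Gentoo install. nosuid and nodev are added because they cost nothing on a home directory and close two more doors than noexec alone.

```conf
# /etc/fstab  (added example; device and filesystem are assumptions)
# <fs>        <mountpoint>  <type>  <opts>                           <dump> <pass>
/dev/sda3     /home         ext4    defaults,nosuid,nodev,noexec     0      2
```

Apply it without a reboot with "mount -o remount /home" and confirm with "findmnt -no OPTIONS /home". One caveat to keep in mind when deciding how much this buys you: noexec stops the kernel from executing a file directly (the chmod +x, ./file case Michael describes), but it does not stop "sh file" or "python file", because the interpreter only reads the file. It is a speed bump for the careless click, not a sandbox, and /tmp and /var/tmp deserve the same treatment.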
 
12-04-2011, 01:17 AM
Michael Orlitzky

clamav and spamassassin

On 12/03/2011 08:59 PM, Pandu Poluan wrote:

> This is new information to me. If you're subscribed to Gentoo-server,
> you'll know that I am in the process of setting up a mailfiltering
> gateway for my company.
>
> Any resources on this "postscreen" facility? Sounds like a very nice
> thing to implement.
>
> Rgds,



Postscreen is just part of Postfix; it's a separate daemon added in the
latest version.


This is the official README:

http://www.postfix.org/POSTSCREEN_README.html

and the configuration parameters are documented in the usual place:

http://www.postfix.org/postconf.5.html


Here's the entirety of my main.cf postscreen section for reference. I've
deemed these safe, but you shouldn't enable them without reading what
they do!



#
# Postscreen settings
#

# Reject (after logging) clients that start talking before the 220 banner.
postscreen_greet_action = enforce

# Continuation lines of a multi-line value must start with whitespace,
# otherwise postfix reads each list as a separate, unknown parameter.
postscreen_dnsbl_sites =
    psbl.surriel.com,
    bl.spamcop.net,
    zen.spamhaus.org,
    b.barracudacentral.org

# No weights are given, so each list counts 1: a listing on any single
# DNSBL above reaches the threshold.
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_action = enforce


##
## Deep protocol tests
##
# With any of these enabled, a client not yet in the postscreen cache gets
# a 4xx after the tests and is only handed to smtpd when it comes back.

postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce

postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce

postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
 
12-04-2011, 01:48 AM
Pandu Poluan

clamav and spamassassin

On Dec 4, 2011 9:21 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 12/03/2011 08:59 PM, Pandu Poluan wrote:
>>
>> This is new information to me. If you're subscribed to Gentoo-server,
>> you'll know that I am in the process of setting up a mailfiltering
>> gateway for my company.
>>
>> Any resources on this "postscreen" facility? Sounds like a very nice
>> thing to implement.
>>
>> Rgds,
>
> Postscreen is just part of Postfix; it's a separate daemon added in the latest version.
>
> This is the official README:
>
> http://www.postfix.org/POSTSCREEN_README.html
>
> and the configuration parameters are documented in the usual place:
>
> http://www.postfix.org/postconf.5.html
>
> Here's the entirety of my main.cf postscreen section for reference. I've deemed these safe, but you shouldn't enable them without reading what they do!
>
> #
> # Postscreen settings
> #
>
> postscreen_greet_action = enforce
>
> postscreen_dnsbl_sites =
>         psbl.surriel.com,
>         bl.spamcop.net,
>         zen.spamhaus.org,
>         b.barracudacentral.org
>
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_action = enforce
>
> ##
> ## Deep protocol tests
> ##
>
> postscreen_pipelining_enable = yes
> postscreen_pipelining_action = enforce
>
> postscreen_non_smtp_command_enable = yes
> postscreen_non_smtp_command_action = enforce
>
> postscreen_bare_newline_enable = yes
> postscreen_bare_newline_action = enforce
>

Thanks! Very helpful resources.


You mentioned amavisd-new. What's their relationship? I mean, if I deploy postscreen, how will it affect amavisd-new?


TIA


Rgds,
 
12-04-2011, 02:06 AM
Michael Orlitzky

clamav and spamassassin

On 12/03/2011 09:48 PM, Pandu Poluan wrote:

> Thanks! Very helpful resources.
>
> You mentioned amavisd-new. What's their relationship? I mean, if I
> deploy postscreen, how will it affect amavisd-new?



Postscreen sits in front of smtpd, and handles all incoming connections.
It hands the "good" connections off to the real smtpd daemon.
Amavisd-new (in both before/after-queue configurations) interacts with
the real smtpd, so postscreen doesn't directly affect it at all.


What was I talking about?

With amavisd-new, a before-queue filter is generally nicer, because you
can reject spam, notifying the sender, rather than discarding it or
backscattering. But, amavisd-new is a hog, and with a before-queue
filter, an amavis process gets used every time ANY connection is made.
Since 95% of your connections will be crap (that is a technical term),
you waste tons of resources creating/killing amavisd-new processes for
botnets and other scum that will be rejected quickly.


On a busy server, it will kill you.

Postscreen only passes the "good" connections to a real smtpd, so with
postscreen running, new amavis processes only get used for those good
connections. If postscreen can reject 90% of the incoming
connections, you'll use an order of magnitude less resources doing
before-queue filtering than you would without postscreen.


So, in essence, postscreen is what allows you to run the before-queue
filter with comparable resources to the after-queue filter.
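The two layouts Michael contrasts, written out side by side: the after-queue content_filter arrangement from the Gentoo mailfilter guide, and the before-queue smtpd_proxy_filter arrangement he migrated to with postscreen in front (the "dropped the content_filter in favor of smtpd_proxy_filter" step from his first reply). This is an added example, not configuration from the thread, the Gentoo guide or the amavisd-new project. Port numbers, maxproc values, the "n" chroot column and the amavisd.conf settings are assumptions based on the usual amavisd-new/Postfix pairing; the Postfix parameter names come from FILTER_README and SMTPD_PROXY_README.

```conf
# ======== AFTER-QUEUE (the guide's layout)  -- added example ========
# /etc/postfix/main.cf
# smtpd accepts the message, it is queued, and only then is it sent to
# amavisd. The sender already has a 250, so the filter cannot reject:
# D_REJECT/D_BOUNCE in amavisd.conf turns into a bounce (backscatter).
content_filter = smtp-amavis:[127.0.0.1]:10024

# /etc/postfix/master.cf
# Client that feeds queued mail to amavisd on 10024.
smtp-amavis unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
# Listener that takes the filtered mail back from amavisd. The filter
# hooks are cleared here so nothing loops back through amavisd.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters

# /etc/amavisd.conf (after-queue)  -- values are assumptions
$final_virus_destiny = D_DISCARD;   # quarantine; the only non-backscatter choice
$final_spam_destiny  = D_PASS;      # deliver tagged, or D_DISCARD and manage a quarantine

# ======== BEFORE-QUEUE (postscreen + smtpd_proxy_filter)  -- added example ========
# /etc/postfix/main.cf
# The after-queue hook goes away; filtering now happens inside the
# SMTP session, before the 250 is ever sent.
content_filter =

# /etc/postfix/master.cf
# postscreen answers the public port and hands only surviving sessions to
# smtpd. Each such session holds one amavisd child for its whole duration,
# which is why postscreen's rejections are what make this affordable.
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       10      smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust
dnsblog   unix  -       -       n       -       0       dnsblog
# amavisd still hands accepted mail back on 127.0.0.1:10025, using the same
# listener definition as in the after-queue layout above (its cleared
# smtpd_proxy_filter= is what stops a second pass through the filter).

# /etc/amavisd.conf (before-queue)  -- values are assumptions
$max_servers    = 10;               # keep equal to the smtpd maxproc above
$forward_method = 'smtp:[127.0.0.1]:10025';
$notify_method  = $forward_method;
$final_virus_destiny = D_REJECT;    # now safe: the 5xx goes to the sending MTA
$final_spam_destiny  = D_REJECT;    # no quarantine to babysit, no silent loss
```

Two things to check after switching: the smtpd maxproc and amavisd's $max_servers must match, because a session that cannot get an amavisd child is deferred with a 4xx rather than queued; and speed_adjust (Postfix 2.7 and later) delays connecting to amavisd until the whole message has been received, so an amavisd child is not tied up while a slow client dribbles in the DATA.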
 
