Install qmail-scanner
qmail-scanner is an alternate queuing system for qmail.
Qmail-scanner is going to allow us to integrate Clam Antivirus and SpamAssassin into our qmail server's mail queue. Once qmail-scanner is installed, there will be a master script that is filled with configuration options that help you to tailor the functionality of Clam Antivirus and SpamAssassin to your needs.
We patched the qmail source to support it in step 2 and implemented it in step 10. It's now time to install it ;-)
More info about qmail-scanner can be found here and explanation about the used patched version here
All the configuration options can be found here
tar zxvf q-s-2.11st-20130319.tgz
cd /downloads/qmail-scanner-2.11st/contrib
cc -o qmail-scanner-queue qmail-scanner-queue.c
mv /downloads/qmail-scanner-2.11st/contrib/qmail-scanner-queue /var/qmail/bin/qmail-scanner-queue
chown qscand:qscand /var/qmail/bin/qmail-scanner-queue
chmod 6755 /var/qmail/bin/qmail-scanner-queue
cd /downloads/qmail-scanner-2.11st/
./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes --fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0
./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes --fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0 --install yes
ln -s /var/spool/qscan /var/log/qmail/qscan
Let's test it ... First switch to a non-privileged user account
/var/qmail/bin/qmail-scanner-queue.pl -g
You should have an answer like this:
perlscanner: total of 35 entries.
Switch back to root account:
Add it in the logrotation system
chmod 644 /etc/logrotate.d/qmail-scanner
Launch qmail
qmailctl stat
You should see something like this:
/service/qmail-send: up (pid 17762) 63 seconds
/service/qmail-send/log: up (pid 17763) 63 seconds
/service/qmail-smtpd: up (pid 18500) 63 seconds
/service/qmail-smtpd/log: up (pid 17767) 63 seconds
/service/qmail-smtpdssl: up (pid 18496) 63 seconds
/service/qmail-smtpdssl/log: up (pid 17773) 63 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0
If you notice that a service stays at 1 second, it is being restarted continuously; check the corresponding log to debug it
tail /var/log/qmail/qmail-smtpd/current
tail /var/log/qmail/qmail-smtpdssl/current
Test the combination of qmail-scanner, SpamAssassin and ClamAV
chmod 755 test_installation.sh
./test_installation.sh -doit
You should have an answer like this
done!
Sending eicar test virus - should be caught by perlscanner module... 2/4
done!
Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)... 3/4
done!
Sending bad spam message for anti-spam testing - In case you are using SpamAssassin... 4/4
If you have enabled $sa_quarantine, $sa_delete or $sa_reject the
spam-message wont't arrive to the recipients. But if you have enabled
(good idea!) 'minidebug' or 'debug' you should check
/var/spool/qscan/qmail-queue.log (or where ever you have the log).
Done!
Finished test. Now go and check Email sent to postmaster@domain.tld and/or the log..
Check the first statistics
You should have an answer like this
1 Virus Eicar-Test-Signature
1 Spam quarantined
1 Policy blocked
OPTIONAL : You can receive daily statistics
chmod 755 /etc/cron.daily/qmailscanner-report
Users comments
Fresh install of Debian 7.5 Wheezy
Lots of issues all due to the suidperl. How I got it to finally work here, I have NO clue, I've been at this for a number of hours.
Once I went to the ./configure line, I ended up having to create the following directory:
/var/spool/qscan
in order to copy the quarantine-events.txt file.
Hello,
I recently upgraded spamassassin to version 3.4.0
Having difficulty getting qmailscanner to recognize the upgrade.
I tried:
# sudo -u qscand /var/qmail/bin/qmail-scanner-queue.pl -z
(no errors)
then
# chown qscand:qscand /var/spool/qscan/qmail-scanner-queue-version.txt
(no errors)
qmailscanner reports the 3.2.4 version of spamassassin in the X-Qmail-Scanner-Diagnostics portion of the received email header.
Suggestions?
For all of those who applied the sudo fix by Antartica for Debian 7, there is a small but yet very important thing to do. You should add to the /etc/sudoers file the following line:
Defaults env_keep +="TCPREMOTEIP TCPREMOTEHOST TCPREMOTEINFO REMOTE_OS REMOTE_COUNTRY QS_SPAMASSASSIN SA_ONLYDELETE_HOST SA_WHITELIST"
The reason behind this is that by default sudo resets the environment variables when executing the command. Thus qmail-scanner cannot recognize the important info regarding the incoming mail and treats everything as coming from localhost, which leads to passing everything without scanning. The above line preserves the important ENV variables for qmail-scanner.
Hope this helps.
Greets,
bstd
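Added example, not part of the comment above or of qmail-scanner: a shell check that replays the global "Defaults env_keep" lines of a sudoers file and reports which of the variables listed above sudo would still strip. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Variables listed in the env_keep line above.
REQUIRED_VARS="TCPREMOTEIP TCPREMOTEHOST TCPREMOTEINFO REMOTE_OS REMOTE_COUNTRY QS_SPAMASSASSIN SA_ONLYDELETE_HOST SA_WHITELIST"

# kept_vars FILE: replay the global "Defaults env_keep" lines in order and
# print the resulting list ("=" replaces it, "+=" adds, "-=" removes).
# Handles the one-setting-per-line form; commented-out lines and scoped
# forms such as "Defaults:user" are ignored.
kept_vars() {
    awk '
        /^[ \t]*Defaults[ \t]+env_keep[ \t]*[-+]?=/ {
            line = $0
            op = "="
            if (line ~ /env_keep[ \t]*\+=/) op = "+="
            else if (line ~ /env_keep[ \t]*-=/) op = "-="
            sub(/^[^=]*=[ \t]*/, "", line)
            gsub(/"/, "", line)
            if (op == "=") for (k in kept) delete kept[k]
            n = split(line, names, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (names[i] == "") continue
                if (op == "-=") delete kept[names[i]]
                else kept[names[i]] = 1
            }
        }
        END { for (k in kept) print k }
    ' "$1"
}

# missing_vars FILE: print each required variable that sudo would still strip.
missing_vars() {
    kept=$(kept_vars "$1")
    for v in $REQUIRED_VARS; do
        printf '%s\n' "$kept" | grep -Fqx "$v" || printf '%s\n' "$v"
    done
}

# Constructed sample files: the sudoers rule from the fix, without and with env_keep.
demo_dir=$(mktemp -d)
printf '%s\n' 'ALL ALL=(qscand) NOPASSWD: /var/qmail/bin/qmail-scanner-queue.pl' > "$demo_dir/before"
{ cat "$demo_dir/before"; printf 'Defaults env_keep +="%s"\n' "$REQUIRED_VARS"; } > "$demo_dir/after"
for f in before after; do
    echo "$f: missing $(missing_vars "$demo_dir/$f" | tr '\n' ' ')"
done
rm -rf "$demo_dir"
```

An empty result from missing_vars means every listed variable survives the sudo re-exec; the check reads only the file it is given, not included sudoers fragments.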
Hi Nikolay,
The syslog fix works stopping the console messages. But it still places messages in /var/log/messages.
I've been using an older version which was logging to /var/log/maillog.
Is it possible to change this behaviour?
Thanks,
Richard
@Keven
open /etc/rsyslog.conf and find the line starting with
*.emerg
add ;user.none right after it:
*.emerg;user.none ......
and the messages will disappear. For some reason the wrapper does not use the proper syslog facility (eventually).
I have now installed Debian 7 with Perl 5.14.2
I tested everything with no effect
I wrote 2 lines in /var/qmail/bin/qmail-scanner-queue.pl
1: my $real_uid="qscand";
2: my $effective_uid="qscand";
Next I changed the permissions of the folders and files in /var/spool/qscand
Now everything works great with no problems
@Antartica, I followed your steps and everything is fine, but one thing is driving me crazy.
On the console/terminal, I always get a system message like this:
"Message from syslogd@host.domain.tld at Sep 25 6:50:28 ...
qmail-scanner-queue.pl: qmail-scanner[23636]: Clear:RC:1(127.0.0.1): ...."
I have no idea why this is happening.
If I comment out this line, "ALL ALL=(qscand) NOPASSWD: /var/qmail/bin/qmail-scanner-queue.pl", then there is no console message.
Does anyone have the same problem?
Typo in the quick fix, here is what I ran and it worked:
chown qscand:qscand /var/spool/qscan/*
Another tip: if you initialized qmail-scanner-queue.pl with suid and suid wasn't supported, the permissions of
/var/spool/qscand/qmail-scanner-queue-version.txt
could be wrongly generated. They should be qscand:qscand
Quick fix:
# chmod qscad:qscand /var/spool/qscand/*
Warning: malformed code in my previous post (somehow a < has been dropped; the getpwuid call is: getpwuid($<):
===CUT===
$ENV{'PATH'}='/bin:/usr/bin';
$whoami = getpwuid($<) || "unknown";
if($whoami ne "qscand") {
exec("/usr/bin/sudo -u qscand /var/qmail/bin/qmail-scanner-queue.pl") || die;
}
===CUT===
Sorry for the inconvenience.
In Wheezy (Debian 7), doing the "./test_installation.sh -doit" results in the error "qmail-inject: fatal: qq temporary problem (#4.3.0)" mentioned in other posts.
I've finally found a way to make it work.
The problem is that qmail-scanner-queue.pl is executing as "root" and clamav as qscand, so clamav can't chdir into the directory qmail-scanner-queue.pl creates to check viruses.
I tried to fix it using suid and the C wrapper but strangely the error persisted (although when calling the wrapper manually the suid was being honoured :-? ). I uninstalled the C wrapper.
My final solution (that works) is using sudo and modifying qmail-scanner-queue.pl so that it reloads with the correct user using sudo (to be clear: with this approach there is no need for the C wrapper)
So, steps to fix it:
1. Install sudo
# apt-get install sudo
2. Execute "visudo"
# visudo
3. Add the following line
ALL ALL=(qscand) NOPASSWD: /var/qmail/bin/qmail-scanner-queue.pl
4. Save and exit
5. Edit /var/qmail/bin/qmail-scanner-queue.pl
# vi /var/qmail/bin/qmail-scanner-queue.pl
6. Go to line 71
:71
7. Add the following lines
$ENV{'PATH'}='/bin:/usr/bin';
$whoami = getpwuid($<) || "unknown";
if($whoami ne "qscand") {
exec("/usr/bin/sudo -u qscand /var/qmail/bin/qmail-scanner-queue.pl") || die;
}
8. Save and exit (:wq)
Try again the
# cd /downloads/qmail-scanner-2.10st/contrib
# ./test_installation.sh -doit
...and this time it should work :)
NOTE: the step of:
/var/qmail/bin/qmail-scanner-queue.pl -g
has to be changed to
# sudo -u qscand /var/qmail/bin/qmail-scanner-queue.pl -g
as the "reexec" inside the modified qmail-scanner-queue.pl doesn't pass parameters.
Being stupid and having just completed a complete install on Squeeze, I thought it would be okay to start fresh with wheezy, NOT.
Got through almost everything until here, and I have no idea what you mean by using the C wrapper.
"For all the users with setuid issues: check that you use the C wrapper as QMAILQUEUE"
I looked around and could not find any instructions at all.
For all the users with setuid issues: check that you use the C wrapper as QMAILQUEUE and check the following URL:
https://www.tnpi.net/internet/mail/toaster/filtering/content/qmail-scanner.shtml (permissions on both qmail-scanner-queue.pl 0750 and qmail-scanner.queue 4755 should be set correctly; then the wrapper works perfectly on Ubuntu 12.04 and Debian wheezy!)
This could help you if you are facing strange non-delivered mail with attachment : http://blog.gmane.org/gmane.mail.qmail.scanner/month=20121101
@Tokie:
Same problem, solved like this:
export LANG=en_GB
export LC_ALL=en_GB
export LANGUAGE=en_GB
restart the shell and everything is OK :)
@Zhay
miss http://qmailrocks.thibs.com/qmail-ucspi.php
done with installing ucspi-ssl :D
rooo@xxx:~# qmailctl stat
/service/qmail-send: up (pid 2365) 397 seconds
/service/qmail-send/log: up (pid 2364) 397 seconds
/service/qmail-smtpd: up (pid 2358) 397 seconds
/service/qmail-smtpd/log: up (pid 2359) 397 seconds
/service/qmail-smtpdssl: up (pid 4740) 1 seconds
/service/qmail-smtpdssl/log: up (pid 2367) 397 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0
tail /var/log/qmail/qmail-smtpdssl/current
@400000004fb2645f3548a5dc ERROR: sslserver not found in PATH [/var/qmail/bin:/usr/local/bin:/usr/bin:/bin]
installing on lucid 10.04 ... :((
@Radiotrib: So far the only way I have found to get past the error mentioned by Goofy is to make the clamav daemon run as root. This is far from ideal and I am still searching for another solution. So far I have been looking for roughly 3 weeks and it is driving me mad. I have checked the qmail-scanner mailing list and found someone else with the same issue but there is no solution mentioned in the email thread.
http://www.mail-archive.com/qmail-scanner-general@lists.sourceforge.net/msg07486.html
Forget my last comment ... most of my issues were being caused by permissions problems after I reinstalled over a previous install. Almost all done now except for pyzor ... and another problem which I noted on the relevant page.
I get exactly the same symptoms as Goofy when I try to run the test, but his solution doesn't work at all for me. I'm running on Ubuntu 1.04, and the Perl doesn't support suid any more, so I have to use the C wrapper ...
I was always used to using softlimit, but that also seems to have evaporated from the qmail world since last time I installed it.
Any advice ?? anyone ??
@Tokie :
Try dpkg-reconfigure locales
Choose the locales you want to install. Choose at least it_IT ISO-8859-1
Then select it_IT ISO-8859-1 as default
Note that I'm not sure of this solution ... but as the author of the patch is Italian, I suppose he has an Italian translation ;-)
Hi to all,
I'm an Italian user and I had the following problem:
root@debian:/downloads/qmail-scanner-2.10st# ./configure --admin postmaster --domain wivagroup.com --local-domains "wivagroup.com" --sa-quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes --fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0
Building Qmail-Scanner 2.10st-20111118...
***** NOTE ******
Qmail-Scanner doesn't have language translations for it_IT.UTF-8
root@debian:/downloads/qmail-scanner-2.10st#
I haven't found a solution on the internet, so I modified the configure file, replacing en-GB with it_IT.
configure is too big to paste here; if anyone needs the files, contact me by email.
Bye
I've done this task in another way: I've cut off the patch bit with the antivirus and antispam part.
@Jevgenijus : If you want to avoid it, you just have to comment QMAILQUEUE variable in /etc/service/qmail-smtpd/run
As an option, it would be nice to have a choice to install without antivirus and antispam filtering, because there are systems that sit behind antispam/antivirus gateways, so there is nothing to check; all emails are already checked or tagged with some spam flags :)
@Dbrandib : Check page removemta.php for complete procedure on how to remove installed MTA
Solved!!! I had sendmail running on port 25. I did not remove it properly. After checking processes with netstat -anp |grep LIST I found that process running. I killed it, removed the package, restarted qmail and now everything is fine.
Regards
Dear all,
after following the whole guide I have an error on qmail-smtpd. The error is:
" tcpserver: fatal: unable to bind: address already used"
Any idea?
Regards
@lawrence : I'm currently testing simscan and I plan to make a page about it. My only fear is about the last release date (4 years ago).
I plan to describe dovecot too. As far as I know, the standard Debian package is compiled with the option "--without-vpopmail". I have to decide whether I'll describe how to recompile the package with vpopmail or whether I'll describe it with MySQL authentication
I would actually suggest dumping qmail-scanner, and using simscan.
It's a lot faster, and less resource heavy.
Also slots in quite nicely with qmailrocks/jms with minimal changes.
Similar for courier - I use dovecot - again, much easier to install, and use.
@Lawmanlkm
Those links should interest you:
https://www.antagonism.org/mail/tnefclean-maildrop.shtml
https://www.antagonism.org/mail/policy-qms.shtml
@Lawmanlkm
aptitude install tnef
How to integrate tnef decoder with qmail-scanner in order to prevent winmail.dat?
One step that is missing before testing with qmailscan is:
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart
If these two commands are missed:
root@debian:/downloads/qmail-scanner-2.08st/contrib# ./test_installation.sh -doit
Sending standard test message - no viruses... 1/4
qmail-inject: fatal: qq temporary problem (#4.3.0)
Bad error. qmail-inject died
It seems that I needed to restart the system after installing daemontools in order for svscan to be started. Alternatively svscan could be started manually.
This fixed it.
@KFCS It seems you've missed something at this step
On Lucid. When trying to start/stat qmail, I got:
root@kfcs:/downloads/qmail-scanner-2.08st# qmailctl start
Starting qmail
qmail-send supervise not running
qmail-smtpd supervise not running
qmail-smtpd supervise not running
root@kfcs:/downloads/qmail-scanner-2.08st# qmailctl stat
/service/qmail-send: unable to open supervise/ok: file does not exist
/service/qmail-send/log: unable to open supervise/ok: file does not exist
/service/qmail-smtpd: unable to open supervise/ok: file does not exist
/service/qmail-smtpd/log: unable to open supervise/ok: file does not exist
/service/qmail-smtpdssl: unable to open supervise/ok: file does not exist
/service/qmail-smtpdssl/log: unable to open supervise/ok: file does not exist
messages in queue: 0
messages in queue but not yet preprocessed: 0
root@kfcs:/downloads/qmail-scanner-2.08st#
Hmm, while doing this on LUCID got stuck here for a while...
Complaining when executing ./test_installation.sh -doit about:
qmail-inject: fatal: qq temporary problem (#4.3.0)
Bad error. qmail-inject died
Errors in /var/log/clamav/clamav.log ->
WARNING: lstat() failed on: /var/spool/qscan/tmp/mail<numbers>
Errors in /var/log/qmail/qscan/qmail-queue.log ->
subj='Qmail-Scanner test (1/4): inoffensive message', via local process <number> <data> error_condition: X-Qmail-Scanner-2.08st: clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2
Errors in /var/log/kern/log ->
type=1503 audit(<number>): operation="open" pid=<number> parent=1 profile="/usr/sbin/clamd" requested_mask="r::" denied_mask="r::" fsuid=168 ouid=168 name="/var/spool/qscan/tmp/mail<number>/"
It turns out that the APP-ARMOR profile for clamav is not correct....
By executing "aa-complain /usr/sbin/clamd" the profile is put in complain mode and the command "./test_installation.sh -doit" is doing its job :-)
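Added example, not part of the comment above or of any project's code: a shell function that reads audit records shaped like the kernel log line quoted in the comment and summarises, per directory, what a given AppArmor profile was refused, so the denial can be compared with the profile's rules. The sample records are constructed (timestamps, PIDs and message numbers are made up) and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample: records shaped like the audit line quoted above, with
# made-up timestamps, PIDs and message numbers, plus one unrelated profile.
sample_log() {
    cat <<'EOF'
type=1503 audit(1273500001.101:41): operation="open" pid=2101 parent=1 profile="/usr/sbin/clamd" requested_mask="r::" denied_mask="r::" fsuid=168 ouid=168 name="/var/spool/qscan/tmp/mail127350000110112345/"
type=1503 audit(1273500007.202:42): operation="open" pid=2101 parent=1 profile="/usr/sbin/clamd" requested_mask="r::" denied_mask="r::" fsuid=168 ouid=168 name="/var/spool/qscan/tmp/mail127350000720212399/"
type=1503 audit(1273500009.303:43): operation="open" pid=2200 parent=1 profile="/usr/sbin/ntpd" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/tmp/example"
EOF
}

# denied_dirs PROFILE: read audit records on stdin and print
# "COUNT MASK DIRECTORY" for each directory PROFILE was refused access under.
denied_dirs() {
    awk -v prof="$1" '
        # Value of key="value" in the current record, or "" if absent.
        function field(key,    m) {
            if (!match($0, "[ \t]" key "=\"[^\"]*\"")) return ""
            m = substr($0, RSTART + 1, RLENGTH - 1)
            return substr(m, length(key) + 3, length(m) - length(key) - 3)
        }
        field("profile") == prof {
            mask = field("denied_mask"); path = field("name")
            if (mask == "" || path == "") next
            sub(/\/+$/, "", path)          # drop trailing slash
            sub(/\/[^\/]*$/, "", path)     # per-message entry -> parent directory
            count[mask " " path]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

sample_log | denied_dirs /usr/sbin/clamd
```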
@Eric : Thanks for your help. I'm currently (and finally) working on an updated version and all your remarks were really useful