Linux.com

Feature: Security

Two open source email virus scanners for Linux

By Joseph Quigley on August 27, 2007 (9:00:00 PM)

If Linux is hardly affected by viruses, why do system administrators use anti-virus software on their Linux email servers? Because an anti-virus scanner on a mail server can serve as another level of defense for Microsoft Windows desktop users. Linux provides several server-based anti-virus applications, most of which can be configured to interact with a variety of messaging servers. Many use the actively developed ClamAV open source virus toolkit on the back end; others work with proprietary or commercial scanners. In this article we'll compare MailScanner and Anomy Sanitizer on a Sendmail messaging server.

Before you install a mail filter on your server, install ClamAV itself; from scratch it takes about 10 minutes. Most Linux distributions ship a clamd.conf that is already suitable for scanning mail, and run freshclam, ClamAV's signature updater, several times a day (as a daemon or from cron) so that the signature database stays current. ClamAV also ships clamav-milter, and several third-party SMTP integrations exist, for sysadmins who want to make sure their own users aren't sending anything infected.
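A quick check that the ClamAV you just installed is actually running and detecting, written as an added example for this article (it is not ClamAV's own tooling): it writes the standard EICAR test file, scans it with clamdscan, which hands the path to the running clamd, and reads the result. The path /tmp/eicar.com is an assumption.

```python
"""Verify a freshly installed clamd by scanning the EICAR test file.
Added example, not part of ClamAV or of the original article; the test
file path /tmp/eicar.com is an assumption."""
import os
import subprocess

# The EICAR test string: a harmless, standard file that every AV engine is
# expected to flag, so a detection here proves clamd is up and has signatures
# loaded without handling real malware.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def parse_clamdscan(output: str, returncode: int) -> dict:
    """Turn clamdscan's per-file lines into {path: status}.

    clamdscan prints one line per file, "PATH: SIGNATURE FOUND", "PATH: OK"
    or "PATH: <message> ERROR", and exits 0 (clean), 1 (something found)
    or 2 (an error, e.g. clamd is not running). Summary lines also contain
    ": " but match none of the three shapes and are skipped.
    """
    results = {}
    for line in output.splitlines():
        if ": " not in line:
            continue
        path, _, status = line.partition(": ")
        if status.endswith(" FOUND"):
            results[path] = "infected:" + status[: -len(" FOUND")]
        elif status == "OK":
            results[path] = "clean"
        elif status.endswith("ERROR"):
            results[path] = "error"
    if returncode == 2 and not results:
        # clamdscan could not even reach clamd
        results["<clamd>"] = "error"
    return results


def verify_clamd(path: str = "/tmp/eicar.com") -> str:
    """Write the test file, scan it, return 'infected:<sig>', 'clean' or 'error'."""
    with open(path, "wb") as fh:
        fh.write(EICAR)
    try:
        proc = subprocess.run(["clamdscan", "--no-summary", path],
                              capture_output=True, text=True)
    except FileNotFoundError:  # clamdscan not installed
        return "error"
    finally:
        os.unlink(path)
    return parse_clamdscan(proc.stdout, proc.returncode).get(path, "error")


if __name__ == "__main__":
    print(verify_clamd())
```

Anything other than an "infected:" result means the scanner is not ready: "clean" means the signatures are missing or stale, "error" usually means clamd is not running. Note that clamd, not the caller, opens the file, so it must be readable by the clamav user; the same permission question comes back as soon as a mail filter hands clamd the attachments it has unpacked.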

Once you have the anti-virus toolkit in place, you can configure your message filtering program. MailScanner is one of the most popular email filters. It protects users against both viruses and spam, but delegates the actual scanning to other programs: one or more virus scanners such as ClamAV, and SpamAssassin for spam. Recent versions also include anti-phishing measures to stop users from clicking on obfuscated URLs.

Installing MailScanner on most Linux systems is simple. Most Linux distros have it in their package repositories, and there are no special tricks required to get the Perl program to install from source.

After installing MailScanner, tailor it to your site by editing the verbose and well documented /etc/MailScanner/MailScanner.conf. Set %org-name% near the top of the file to a short name for your organisation; it is substituted into the Hostname setting, which is the name that appears in the notices users receive when a virus is found, so also make sure Hostname names the host the scanner runs on. Set "Incoming Work Group" to clamav and "Incoming Work Permissions" to 0640 so that clamd, which runs as the clamav user, can read the unpacked attachments in MailScanner's work directory without you having to loosen ClamAV's own permissions, and set "Virus Scanners" to the ClamAV entry (clamd, or clamav for the clamscan binary) so MailScanner actually calls it. Next, make sure that "File Command" points to /usr/bin/file and isn't commented out: MailScanner runs the file command on every attachment so that it can block or allow by what the content actually is rather than by the extension the sender chose, which is what lets you, for instance, block .exe files while allowing .dmg files. If you want to notify the sender that they have sent a virus, change "Notify Senders Of Viruses" from "no" to "yes." (I suggest you leave it at "no": the address in the sender field of a worm-sent message is almost always forged, so the notice would go to an innocent third party.) While you're at it, you can also change the notification message's subject.

MailScanner can allow or reject attachments by file type in /etc/MailScanner/filetype.rules.conf, matching against the output of the file command, and by name in /etc/MailScanner/filename.rules.conf (useful for blocking worms whose attachment always has the same name, and for catching tricks such as double extensions). Both files are strict about syntax: each rule is one line of tab-separated fields, allow or deny, a regular expression, and the text for the log and for the user's report, and the first rule whose regular expression matches decides, so order matters.
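A worked version of this first-match rule evaluation, as an added example that is not MailScanner's code. The four-field, tab-separated line layout follows the rule files; the specific rules, the sample attachments and the small magic-byte sniffer that stands in for /usr/bin/file are constructed for this example, so the verdicts illustrate the mechanism, not what a real install does with its shipped rules. The point it makes is the one behind the "File Command" setting: a filename rule catches invoice.pdf.exe, but only the content check catches the same binary renamed to readme.txt.

```python
"""Attachment screening in the style of MailScanner's filename.rules.conf and
filetype.rules.conf. Added example, not MailScanner's own code: the rule
lines, the sample attachments and the sniffer standing in for /usr/bin/file
are all constructed for this example."""
import re
from dataclasses import dataclass

# Rule files use four tab-separated fields per line:
#   action <TAB> regex <TAB> log text <TAB> text reported to the user
# Lines are tried top to bottom; the first regex that matches wins.
FILENAME_RULES = (
    "# action\tregex\tlog text\tuser report\n"
    "allow\t\\.tar\\.(gz|bz2|xz)$\t-\t-\n"
    "deny\t\\.(exe|com|pif|scr|bat|cmd|vbs|js)$\tExecutable attachment\tNo executable files allowed\n"
    "deny\t\\.[a-z0-9]{2,4}\\.[a-z0-9]{2,4}$\tDouble extension\tFilenames with two extensions are not allowed\n"
    "allow\t.*\t-\t-\n"
)
# Matched against the description file(1) gives for the attachment's content.
FILETYPE_RULES = (
    "# action\tregex\tlog text\tuser report\n"
    "deny\texecutable\tExecutable content\tNo programs allowed, whatever the file is called\n"
    "allow\t.*\t-\t-\n"
)


@dataclass
class Rule:
    action: str
    pattern: re.Pattern
    log_text: str
    user_text: str


def parse_rules(text: str) -> list:
    """Parse a rules file. Fields must be separated by tabs; a line that uses
    spaces instead is rejected rather than silently mis-parsed."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: need 4 tab-separated fields, got {len(fields)}")
        action, regex, log_text, user_text = fields[:4]
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        # case-insensitive here so that INVOICE.EXE is caught as well as invoice.exe
        rules.append(Rule(action, re.compile(regex, re.IGNORECASE), log_text, user_text))
    return rules


def rules_are_valid(text: str) -> bool:
    try:
        parse_rules(text)
        return True
    except ValueError:
        return False


def sniff_type(data: bytes) -> str:
    """Stand-in for /usr/bin/file, covering only the types this example needs
    and using file's vocabulary for them."""
    if data[:2] == b"MZ":
        return "PE32 executable (GUI) Intel 80386, for MS Windows"
    if data[:4] == b"\x7fELF":
        return "ELF 64-bit LSB executable, x86-64"
    if data[:4] == b"%PDF":
        return "PDF document"
    if data[:3] == b"\xff\xd8\xff":
        return "JPEG image data"
    try:
        data.decode("ascii")
        return "ASCII text"
    except UnicodeDecodeError:
        return "data"


def first_match(rules: list, subject: str):
    return next((r for r in rules if r.pattern.search(subject)), None)


def check_attachment(name: str, data: bytes, filename_rules: list, filetype_rules: list) -> tuple:
    """Return ('allow', '') or ('deny', reason). The name is checked first, then
    the content, so a renamed executable fails the second check even when the
    first passes. No matching rule means deny (fail closed)."""
    rule = first_match(filename_rules, name)
    if rule is None or rule.action == "deny":
        return ("deny", "filename: " + (rule.log_text if rule else "no rule matched"))
    rule = first_match(filetype_rules, sniff_type(data))
    if rule is None or rule.action == "deny":
        return ("deny", "filetype: " + (rule.log_text if rule else "no rule matched"))
    return ("allow", "")


# Constructed sample attachments: name -> first bytes of the content.
SAMPLE_ATTACHMENTS = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"Meeting moved to 10:00\n",
    "backup.tar.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 12,
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # classic double extension
    "readme.txt": b"MZ\x90\x00" + b"\x00" * 60,       # Windows binary renamed to .txt
}


def screen(attachments: dict, filename_rules: str = FILENAME_RULES,
           filetype_rules: str = FILETYPE_RULES) -> dict:
    fn_rules = parse_rules(filename_rules)
    ft_rules = parse_rules(filetype_rules)
    return {name: check_attachment(name, data, fn_rules, ft_rules)
            for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in screen(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5} {name:18} {reason}")
```

Two details carry over to the real rule files: the double-extension rule is deliberately placed after an explicit allow for .tar.gz and friends, because with first-match semantics the order is the only thing that keeps it from blocking every compressed tarball, and a rule line typed with spaces instead of tabs should fail loudly, since a silently mis-parsed deny rule is an allow.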

Although I was unable to find a graphical configuration tool, the well-documented config file and the documentation on MailScanner's Web site provide more than enough resources to tweak the scanner to your needs.

MailScanner's wiki reports that a 3GHz Dual Xeon server with 2GB of RAM can process up to 1.4 million messages per day -- plenty for most organizations. The wiki has many more examples of how the software performs, especially on slower hardware. Other than a GUI configuration tool, there is little that could be improved in MailScanner.

Anomy Sanitizer

Then there's Anomy Sanitizer, a small mail filter that is light on disk I/O because it processes each message as a stream, without touching the hard drive at all (if it's configured well). MailScanner also reads its input as a stream, but it spools each message through work directories on disk, so it needs a fast hard drive to perform well under a heavy load.

Anomy Sanitizer installs from source without trouble. Sanitizer on Ubuntu did not seem to come with an init script, and I could not find one for either Gentoo or openSUSE, so many sysadmins running those distros will need to create their own. The documentation on the Sanitizer Web site suggests using the procmail mail processing suite as an "intermediate layer between sendmail and the sanitizer." Once procmail is configured, using Sanitizer through it is far easier and safer than "hard-wiring" sendmail to call Sanitizer directly.

Finding documentation on Sanitizer's config file was not easy; I spent considerable time figuring out how to set up a useful filter with only a few examples.

The first step to getting Sanitizer to scan mail is to configure Sanitizer itself. A minimal configuration can be found on Sanitizer's Web site. After configuring Sanitizer, be sure to include the config file's path as a command-line argument when running it. I placed mine in /etc/sanitizer.conf and ran sanitizer /etc/sanitizer.conf.
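The procmail layer the Sanitizer documentation recommends, as an added example rather than a recipe taken from the Anomy site or from the original article. It assumes the binary is installed as /usr/local/bin/sanitizer, that the configuration lives at /etc/sanitizer.conf as above, that sendmail hands local delivery to procmail, and that the recipe goes in the system-wide /etc/procmailrc:

```procmail
# /etc/procmailrc  (assumed location; applies to every locally delivered message)
#
# Run each message through Anomy Sanitizer before any other recipe sees it.
#   f  treat the program as a filter: its output replaces the message text
#   w  wait for it and check the exit code; if sanitizer exits non-zero,
#      procmail keeps the original, unfiltered message instead of an empty
#      or truncated one, so a crash in the filter cannot lose mail
:0 fw
| /usr/local/bin/sanitizer /etc/sanitizer.conf
```

The w flag is the "safer" part: a hard-wired sendmail filter that dies mid-message can swallow it, whereas here a failed run falls back to the original. The trade-off is that the fallback message is delivered unsanitized, so set LOGFILE in the same procmailrc and watch it for filter failures rather than assuming every delivered message was scanned.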

Unlike MailScanner, which is partly bound by hard drive speed, Sanitizer is bound by CPU speed. There is one downside to the way Sanitizer works, though. Because procmail starts a fresh Perl interpreter for every message, and Sanitizer has to compile its parser each time, the fixed startup cost dominates for very small messages, around 2KB or less, and a flood of them will slow down the server. Large messages, on the other hand, consume a lot of memory while Sanitizer is working on them when it is invoked through procmail. Sanitizer's Web site implies that running Sanitizer as a daemon would avoid the Perl startup and compilation cost completely. At approximately 0.10 seconds per message, a 500MHz Pentium III server can process about 864,000 messages per day.

Conclusions

MailScanner is far easier to get running on a mail server than Sanitizer. Most of the configuration files are already preconfigured to work upon installation and they are well-documented either with man pages or by comments in the config files. On the other hand, Sanitizer is great for older and slower systems that lack fast hard drives.

There are numerous mail filters and scanners, such as Qmail-scanner and Inflex, but MailScanner is one of the simplest, and Sanitizer one of the smallest. By combining MailScanner and ClamAV on a fast modern server, a sysadmin can protect Windows users from viruses arriving by email.

Comments

Two open source email virus scanners for Linux

Posted by: Anonymous [ip: 66.122.165.195] on August 28, 2007 01:32 AM
sub-tablet PC..cell phone I've seen articles or ads of PCI cards that have embedded internet connectivity that use Linux. With the Linux and Java based cell phones and sub-tablet sized PCs I wonder.. a live CD or DVD or a for-pay and/or open source service connected to a PC via a separate line that at chosen intervals does security monitoring, automated or live, allowing enough aggregate use to apply professional security services like large host companies. The DVD would be an optimally designed stand-alone minimalist system making smaller, less expensive PCs into a firewall. There could be a connectivity feature that allowed professional security monitoring via a separate, perhaps more secure, land line. Something a small business might be interested in, not having to be as conversant in computers. Also many things in life are good or bad depending on who is using them and for what purpose. These smaller computing units might be valued as a splitter and/or universal connector providing modularity to more expensive systems that would as well concentrate on new connectivity rather than maintain legacy. By connecting everything to a splitter the system and its I/O could be objectified as an added level of system integrity. The connectors would be passive, undetectable, yet provide a store-and-forward capability for analysis to see if your system is responding properly. I read similar features are being considered as part of motherboards, yet anything that is a part of the system being potentially compromised might also become suspect. Also I would like to see the HyperTransport inter-board connectivity more generalized so a flexible jumper could interconnect any two HyperTransport sockets or PCI-E, allowing multiple motherboard stacking for cluster building despite the efficacy of the 1U multiprocessor systems, for high bandwidth board-to-board interconnectivity.

Two open source email virus scanners for Linux

Posted by: Anonymous [ip: 10.128.1.46] on August 28, 2007 05:54 AM

Just a tip:

MailScanner picks up files from an incoming area; copies them to a processing area; and upon accepting a message will place it in an outgoing area.
You can speed up MailScanner by using a RAM disk for the processing of data.

MailScanner is written in such a way that the Incoming file won't be removed until it has completely finished processing of it, so using a RAM disk is safe.

In my case on a Debian system I just needed to add the following to my /etc/fstab file:


<code>
tmpfs /var/spool/MailScanner/incoming tmpfs defaults,mode=750,uid=102,gid=102 0 0
</code>

Where uid/gid 102 is the user id/group id of the user that runs the SMTP server (exim in my case).

Two open source email virus scanners for Linux

Posted by: Anonymous [ip: 152.78.64.25] on August 28, 2007 11:21 AM
If you want a great GUI management system for MailScanner, look no further than MailWatch!

Two open source mail scanners for Linux

Posted by: Anonymous [ip: 121.73.29.18] on August 28, 2007 08:26 PM
Your title is not what your article is about ... you are writing about mail scanners and not virus scanners, you lost a lot of points for that. You should mention that besides virus scanning MailScanner can do spam filtering, blacklisting, filetype blocking, phishing blocking, etc. It's a comprehensive mail scanner; virus checking is only part of it. You should also have mentioned that it works with most MTAs including Exim and Postfix. A description of how you can plug in many different anti-virus engines to work with MailScanner, as well as other software like SpamAssassin, Vipul's Razor, DCC.

I give your essay on mailscanners a C
[Modified by: Anonymous on December 09, 2007 02:17 PM]

Re: Wrong Title

Posted by: Anonymous [ip: 69.19.14.27] on August 29, 2007 06:52 AM
Thanks for pointing that out. I had originally planned to write about virus scanners, but I found out that there weren't too many open source server-side ones. I changed the scope of the article but forgot to change the title.

Mailscanner is unsafe with postfix

Posted by: Anonymous [ip: 82.227.97.166] on August 29, 2007 10:41 AM
Mailscanner uses undocumented features of the mail server queue system (at least on Postfix). It's known to corrupt emails, especially on loaded servers. Some configurations can work out, but there's no guarantee and Postfix developers turn down any support request involving Mailscanner.
There are clean interfaces in most mail servers for email filters, Mailscanner chose to ignore them and its users can pay the price.

Re: Mailscanner is unsafe with postfix

Posted by: Anonymous [ip: 194.14.216.2] on August 29, 2007 04:08 PM
This is a myth with a grain of truth. MailScanner _used to be_ unsafe with Postfix, but is so no longer.
We could have a nice civil debate on this matter, but for that to happen... You'd have to start by orienting yourself on the current state of the Postfix/MailScanner integration.
I've successfully used the combination for several years, and since switching to the HOLD method have had no corruption... Since a few months back there is also working support for the outlandish (IMO) milter support of Postfix 2.3/2.4 ... without any risk of corruption.
The only truth in the myth is that the Postfix developer community will not handle problems occurring on a MailScanner/Postfix system. The MailScanner community will.

Re(1): Mailscanner is unsafe with postfix

Posted by: Anonymous [ip: 207.206.196.52] on September 13, 2007 01:05 AM
I couldn't have said it better myself! The days where this was a possibility with Postfix are long gone now. I use a MailScanner/Postfix configuration to filter mail for a hosted MS Exchange cluster that is loaded with many, many businesses' email. Not a single problem with delivery! It's rock solid.

Re(1): Mailscanner is unsafe with postfix

Posted by: Anonymous [ip: 121.120.104.100] on October 11, 2007 10:59 AM
We are using MailScanner with Postfix and we haven't hit any problem. The concept of using HOLD and queueing is very safe, and we love it because with any problem in MailScanner the email is still in the holding queue.

OSCC is pushing the installation of MailScanner, Postfix and other ready-made customizations to government agencies around Malaysia using RPM and YUM. The project and package is called MySpamGuard. Our pilot project with 20 agencies is a success and we will continue pushing to other agencies.

http://myspamguard.oscc.org.my/

MailScanner rocks

Posted by: Anonymous [ip: 202.135.248.10] on August 30, 2007 04:10 AM
I use mailscanner for several years now, and it rocks. Never had any problem, until a harddisk failure. ;P

Two open source email virus scanners for Linux

Posted by: sekar on August 30, 2007 08:20 AM
how to download this source rpm

Two open source email virus scanners for Linux

Posted by: Anonymous [ip: 70.79.6.149] on August 30, 2007 06:54 PM
Couldn't agree more... integrating ClamAV and MailScanner is an excellent way to eliminate viruses and spam before they reach your mail server. MailScanner's command line interface can be a little daunting, however its flexibility and reliability far outweigh the lack of GUI configuration. About a year ago we added multiple virus scanners to MailScanner. Ever since the modification we have had no viruses and very little spam. If you must have a GUI (sigh) there is a commercial product that integrates MailScanner and ClamAV called DefenderMX.

Two open source email virus scanners for Linux

Posted by: Anonymous [ip: 125.168.53.37] on September 05, 2007 06:14 AM
If you use Webmin then there is a module for MailScanner, a bit out of date though. I use MailWatch too, very useful.

BTW install of mailscanner is great just to watch in action, installs all the perl modules for you. Just one command, ./install.sh


Steve

Mailscanner + milter-sender + sendmail + postgresql + clamAV = nospam or viruses

Posted by: Anonymous [ip: 71.168.54.20] on November 10, 2007 04:54 PM
We've used the above combo for at least 4 years now. Milter-sender really helps to reduce the load on the system by implementing call backs and grey listing before the message is even queued to disk.

Two open source email virus scanners for Linux

Posted by: Anonymous [ip: 216.140.92.5] on November 16, 2007 10:45 AM
to check
