spamassassin, clamav, exim4 configure thanks to: http://edin.no-ip.com/
Exim4 + ClamAV + SpamAssassin + Greylistd on Debian etch mini-HOWTO
Submitted by hswong3i on Thu, 2008-03-06 18:47
Install required packages
You may need something else, but I am not sure right now. Please correct me if a package is missing:

    apt-get update
    apt-get install exim4-daemon-heavy spamassassin clamav-daemon clamav-freshclam clamav-testfiles greylistd
Configure SpamAssassin
On Debian, SpamAssassin is disabled by default, so you need to activate it by editing /etc/default/spamassassin:

    # Change to one to enable spamd
    ENABLED=1
Configure Greylistd
This is very handy on Debian. Simply run the following command and it is done:

    greylistd-setup-exim4 add
Configure ClamAV
ClamAV is a bit more complicated. I suggest you have a look at /usr/share/doc/clamav/README.Debian.gz before you start. First of all, ClamAV is not able to scan the Exim4 mail spool because of the directory permissions:

    dc:~# ls -lad /var/spool/exim4/
    drwxr-x--- 5 Debian-exim Debian-exim 4096 2008-03-06 07:35 /var/spool/exim4/
So we add the user clamav to the group Debian-exim and change the directory permissions accordingly:

    adduser clamav Debian-exim
    chmod -Rf g+w /var/spool/exim4
    chmod -Rf g+s /var/spool/exim4
Next, check that /etc/clamav/clamd.conf contains the following line; if it does not, add and activate it:

    AllowSupplementaryGroups true
After restarting ClamAV, scanning should work:

    /etc/init.d/clamav-daemon restart
Configure Exim4
To activate ClamAV scanning in Exim4, you need to handle two parts. First, tell Exim4 where the ClamAV unix socket is. Edit /etc/exim4/exim4.conf.template, then search for and change the following line (edit /etc/exim4/conf.d/main/02_exim4-config_options if split config is being used):

    av_scanner = clamd:/var/run/clamav/clamd.ctl
Next, search for this section and change it as below (edit /etc/exim4/conf.d/acl/40_exim4-config_check_data if split config is being used):

    # Deny if the message contains malware. Before enabling this check, you
    # must install a virus scanner and set the av_scanner option in the
    # main configuration.
    #
    # exim4-daemon-heavy must be used for this section to work.
    #
    deny
      message = This message was detected as possible malware ($malware_name).
      demime = *
      malware = *
For SpamAssassin, search for the following line and uncomment it (edit /etc/exim4/conf.d/main/02_exim4-config_options if split config is being used):

    spamd_address = 127.0.0.1 783
Then search for the following section and uncomment it as below (edit /etc/exim4/conf.d/acl/40_exim4-config_check_data if split config is being used):

    # Add headers to a message if it is judged to be spam. Before enabling this,
    # you must install SpamAssassin. You also need to set the spamd_address
    # option in the main configuration.
    #
    # exim4-daemon-heavy must be used for this section to work.
    #
    # Please note that this is only suiteable as an example. There are
    # multiple issues with this configuration method. For example, if you go
    # this way, you'll give your spamassassin daemon write access to the
    # entire exim spool which might be a security issue in case of a
    # spamassassin exploit.
    #
    # See the exim docs and the exim wiki for more suitable examples.
    #
    warn
      spam = Debian-exim:true
      message = X-Spam-Flag: YES\n\
                X-Spam-Score: $spam_score\n\
                X-Spam-Level: $spam_bar\n\
                X-Spam-Report: $spam_report
Don't use Debian's default message: Thunderbird will not recognize it! Read Thunderbird:Help Documentation:Dealing with Junk E-mail for more information.

Save all changes, and reactivate the Exim4 setup:

    dpkg-reconfigure exim4-config
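The settings above have to agree with each other: av_scanner must name the socket clamd listens on, and spamd_address needs host and port as two separate words. The script below is an added example, not part of the original HOWTO, that cross-checks them; it assumes clamd's socket is set with the LocalSocket directive in clamd.conf, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check clamd.conf against the Exim4 settings from this HOWTO.

# Value of a "Key value" directive in clamd.conf (last occurrence wins).
clamd_directive() {   # $1 = clamd.conf, $2 = directive name
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Value of an uncommented "name = value" main option in the Exim4 config.
exim_option() {       # $1 = Exim4 config file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Prints one line per problem and returns the number of problems found.
check_scan_config() { # $1 = clamd.conf, $2 = Exim4 config file
    problems=0
    scanner=$(exim_option "$2" av_scanner)
    socket=$(clamd_directive "$1" LocalSocket)
    if [ -z "$socket" ] || [ "$scanner" != "clamd:$socket" ]; then
        echo "FAIL: av_scanner='$scanner' does not point at LocalSocket='$socket'"
        problems=$((problems + 1))
    fi
    # The HOWTO sets this directive to "true", so that is what is checked here.
    if [ "$(clamd_directive "$1" AllowSupplementaryGroups)" != "true" ]; then
        echo "FAIL: AllowSupplementaryGroups is not set to true"
        problems=$((problems + 1))
    fi
    case "$(exim_option "$2" spamd_address)" in
        /*|*" "*) ;;  # absolute socket path, or "host port"
        *) echo "FAIL: spamd_address must be 'host port', e.g. 127.0.0.1 783"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample files (not real system output); the Exim one has a bad spamd_address.
demo=$(mktemp -d)
printf 'LocalSocket /var/run/clamav/clamd.ctl\nAllowSupplementaryGroups true\n' > "$demo/clamd.conf"
printf '# av_scanner = clamd:/tmp/clamd\nav_scanner = clamd:/var/run/clamav/clamd.ctl\nspamd_address = 127.0.0.1783\n' > "$demo/exim.conf"
check_scan_config "$demo/clamd.conf" "$demo/exim.conf" || echo "problems found: $?"
```

On a real system, call check_scan_config with /etc/clamav/clamd.conf and the Exim4 file you edited (exim4.conf.template, or conf.d/main/02_exim4-config_options with split config).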
Some simple test
To test ClamAV, send yourself an email with ONLY the following line in the body:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Your email client should show you an error message and block delivery of the mail. To test SpamAssassin, send yourself an email with ONLY the following line in the body:

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
After mail delivery, when you check the source of the received email, you should see a similar message in the headers. If you are using Thunderbird and have enabled junk filtering in your mail account setup, this message will even be moved to the "Junk" folder directly:

    X-Spam-Flag: YES
    X-Spam-Score: 1000.0
    X-Spam-Level:+++++++++++++++++++++++++++++++++++++++++++++++++++
    X-Spam-Report: Spam detection software, running on the system "mail.example.com", has
      identified this incoming email as possible spam. The original message
      has been attached to this so you can view it (if it isn't spam) or label
      similar future email. If you have any questions, see
      the administrator of that system for details.

      Content preview: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X [...]

      Content analysis details: (1000.0 points, 5.0 required)

       pts rule name              description
      ---- ---------------------- --------------------------------------------------
      -1.4 ALL_TRUSTED            Passed through trusted hosts only via SMTP
      1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
       1.4 AWL                    AWL: From: address is in the auto white-list
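A repeatable version of the two tests, as an added example that is not part of the original HOWTO: it writes messages whose body is only the test line (single quotes keep the shell from expanding the $, \ and ! in the strings) and reads X-Spam-Flag and X-Spam-Score from the header block of a delivered copy. The function names, the address and the sample message are constructed.

```shell
#!/bin/sh
# Added example: build the two test mails and read the verdict from a delivered copy.

EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

# Write a minimal message whose body is ONLY the test line.
test_message() {      # $1 = eicar|gtube, $2 = recipient address
    case $1 in
        eicar) body=$EICAR ;;
        gtube) body=$GTUBE ;;
        *) echo "usage: test_message eicar|gtube rcpt" >&2; return 2 ;;
    esac
    printf 'To: %s\nSubject: %s scanner test\n\n%s\n' "$2" "$1" "$body"
}

# Print "<flag> <score>" taken from the header block only; body text is ignored.
spam_verdict() {      # $1 = file holding the delivered message source
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^$/ { exit }                      # headers end at the first blank line
        /^[ \t]/ { next }                  # skip folded continuation lines
        tolower($1) == "x-spam-flag:"  { flag = $2 }
        tolower($1) == "x-spam-score:" { score = $2 }
        END {
            if (flag == "") flag = "NONE"
            if (score == "") score = "-"
            print flag, score
        }
    ' "$1"
}

# Constructed delivered message: headers as in the HOWTO, plus a decoy line in the body.
sample=$(mktemp)
printf 'X-Spam-Flag: YES\nX-Spam-Score: 1000.0\nSubject: t\n\nX-Spam-Flag: NO\n' > "$sample"
spam_verdict "$sample"
```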