Here are the steps I took to get the ClamAV working on my Debian/testing
box for whatever it is worth to the user list.
Install the ClamAV stuff:
apt-get update
apt-get install clamav clamav-base clamav-daemon clamav-freshclam libclamav1
I am not using the split exim configuration file:
So I made a new file...
vi /etc/exim4/exim4.conf.localmacros
and add the following lines to it:
CHECK_DATA_LOCAL_ACL_FILE=/etc/exim4/acl_clamav.conf
local_scan_path=/usr/lib/exim4/local_scan/sa-exim.so
av_scanner = clamd:/var/run/clamav/clamd.ctl
Now the file line tells the system to include acl_clamav.conf
so you need to create it...
vi /etc/exim4/acl_clamav.conf
and add the following lines to it:
#Clam av hooks
deny message = This message contains a virus: ($malware_name) please scan your system.
     demime = *
     malware = *
Restart your exim4.
/etc/init.d/exim4 restart
Anytime you install something with Debian, you want to check out the
/usr/share/doc/<application_name>/README.Debian
So, for example with the ClamAV stuff you want to do this to see the
information included:
zless /usr/share/doc/clamav-freshclam/README.Debian.gz
Note: this assumes you have less installed. If not, you can get it with:
apt-get install less
Thanks.
--
respectfully, Joseph
--------------------

On Mon, Jan 02, 2006 at 02:33:19PM -0500, Joseph wrote:
> CHECK_DATA_LOCAL_ACL_FILE=/etc/exim4/acl_clamav.conf
> local_scan_path=/usr/lib/exim4/local_scan/sa-exim.so
> av_scanner = clamd:/var/run/clamav/clamd.ctl

the local_scan_path is a different thing. You are talking clamav here,
not spamassassin. And it is still unclear to me what sa-exim does
better than exim's built-in spam filter. Can you say why you decided
against using exim's built-in spamassassin interface in favor of
sa-exim, which is a third-party project?

Thanks for helping with the docs. In the future. Can you please
explain what your directions actually do? Giving a HOWTO without
telling the reader _what_ you are doing and _why_ will increase the
support burden when the system breaks.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

i'm a user of sa-exim also, and i adopted it at the time because it
provided a way to reject email at smtp time rather than rejecting it
once the server had already accepted the email from the sender.
by rejecting email at smtp time, the spam sender hopefully thinks the
address is no longer valid and will always be rejected. if they ever
edit their lists to remove dead addresses, then mine should eventually
fall off their lists.
at the time, i think that was the only way to do that (reject spam at
smtp time). does exim support that feature now? i for one wouldn't
mind removing an extra package if exim provides for this now.
-fred

Marc Haber wrote:
>On Mon, Jan 02, 2006 at 02:33:19PM -0500, Joseph wrote:
>
>>CHECK_DATA_LOCAL_ACL_FILE=/etc/exim4/acl_clamav.conf
>>local_scan_path=/usr/lib/exim4/local_scan/sa-exim.so
>>av_scanner = clamd:/var/run/clamav/clamd.ctl
>>
>
>the local_scan_path is a different thing. You are talking clamav here,
>not spamassassin. And it is still unclear to me what sa-exim does
>better than exim's built-in spam filter. Can you say why you decided
>against using exim's built-in spamassassin interface in favor of
>sa-exim, which is a third-party project?
>
>Thanks for helping with the docs. In the future. Can you please
>explain what your directions actually do? Giving a HOWTO without
>telling the reader _what_ you are doing and _why_ will increase the
>support burden when the system breaks.
>
>Greetings
>Marc
>
>--

_______ chosen by the Nechung Oracle Program [ http://gruntose.com/ ] _______
Love and scandal are the best sweeteners of tea.
  -- Henry Fielding
_____________ not necessarily my opinions, not necessarily not. _____________

On Mon, Jan 02, 2006 at 03:47:18PM -0500, Fred T. Hamster wrote:
> i'm a user of sa-exim also, and i adopted it at the time because it
> provided a way to reject email at smtp time rather than rejecting it
> once the server had already accepted the email from the sender.
> by rejecting email at smtp time, the spam sender hopefully thinks the
> address is no longer valid and will always be rejected. if they ever
> edit their lists to remove dead addresses, then mine should eventually
> fall off their lists.
> at the time, i think that was the only way to do that (reject spam at
> smtp time). does exim support that feature now? i for one wouldn't
> mind removing an extra package if exim provides for this now.
> -fred

exiscan has existed for quite a long time, and has been integrated
into exim proper with version 4.50. The Debian exim4 packages had
exiscan patched in since version 4.22-2 dated August 2003.

Greetings
Marc

Marc Haber wrote:
> On Mon, Jan 02, 2006 at 03:47:18PM -0500, Fred T. Hamster wrote:
>
>>i'm a user of sa-exim also, and i adopted it at the time because it
>>provided a way to reject email at smtp time rather than rejecting it
>>once the server had already accepted the email from the sender.
>>by rejecting email at smtp time, the spam sender hopefully thinks the
>>address is no longer valid and will always be rejected. if they ever
>>edit their lists to remove dead addresses, then mine should eventually
>>fall off their lists.
>>at the time, i think that was the only way to do that (reject spam at
>>smtp time). does exim support that feature now? i for one wouldn't
>>mind removing an extra package if exim provides for this now.
>>-fred
>
>
> exiscan has existed for quite a long time, and has been integrated
> into exim proper with version 4.50. The Debian exim4 packages had
> exiscan patched in since version 4.22-2 dated August 2003.

Does exiscan reject then at smtp time?
Would the only thing needed to activate it be adding a data acl like this?

# put headers in all messages (no matter if spam or not)
warn message = X-Spam-Score: $spam_score ($spam_bar)
     spam = nobody:true
warn message = X-Spam-Report: $spam_report
     spam = nobody:true

# add second subject line with *SPAM* marker when message
# is over threshold
warn message = Subject: *SPAM* $h_Subject:
     spam = nobody

# reject spam at high scores (> 12)
deny message = This message scored $spam_score spam points.
     spam = nobody:true
     condition = ${if >{$spam_score_int}{120}{1}{0}}

--
respectfully, Joseph
--------------------

On Mon, Jan 02, 2006 at 04:36:18PM -0500, Joseph wrote:
> Does exiscan reject then at smtp time?

It's an ACL extension, so you can even treat different messages
differently.

> Would the only thing needed to activate it be adding a data acl like this?
>
> # put headers in all messages (no matter if spam or not)
> warn message = X-Spam-Score: $spam_score ($spam_bar)
>      spam = nobody:true
> warn message = X-Spam-Report: $spam_report
>      spam = nobody:true
>
> # add second subject line with *SPAM* marker when message
> # is over threshold
> warn message = Subject: *SPAM* $h_Subject:
>      spam = nobody
>
> # reject spam at high scores (> 12)
> deny message = This message scored $spam_score spam points.
>      spam = nobody:true
>      condition = ${if >{$spam_score_int}{120}{1}{0}}

That doesn't look too wrong without inspecting your configuration in
detail.

Greetings
Marc

Marc Haber wrote:
> On Mon, Jan 02, 2006 at 04:36:18PM -0500, Joseph wrote:
>
>>Does exiscan reject then at smtp time?
>
>
> It's an ACL extension, so you can even treat different messages
> differently.
>

Does this mean that exim will drop the email before it is accepted if it
is spam?

>
>>Would the only thing needed to activate it be adding a data acl like this?
>>
>># put headers in all messages (no matter if spam or not)
>>warn message = X-Spam-Score: $spam_score ($spam_bar)
>>     spam = nobody:true
>>warn message = X-Spam-Report: $spam_report
>>     spam = nobody:true
>>
>># add second subject line with *SPAM* marker when message
>># is over threshold
>>warn message = Subject: *SPAM* $h_Subject:
>>     spam = nobody
>>
>># reject spam at high scores (> 12)
>>deny message = This message scored $spam_score spam points.
>>     spam = nobody:true
>>     condition = ${if >{$spam_score_int}{120}{1}{0}}
>
>
> That doesn't look too wrong without inspecting your configuration in
> detail.
>

Would the above entries be equal then to 4 acl entries?
Or do they work together?

--
respectfully, Joseph

On Tue, Jan 03, 2006 at 08:05:35AM -0500, Joseph wrote:
> Marc Haber wrote:
> > On Mon, Jan 02, 2006 at 04:36:18PM -0500, Joseph wrote:
> >
> >>Does exiscan reject then at smtp time?
> >
> > It's an ACL extension, so you can even treat different messages
> > differently.
>
> Does this mean that exim will drop the email before it is accepted if it
> is spam?

That means that you can do everything an ACL can do depending on the
spam scan result.

> >>Would the only thing needed to activate it be adding a data acl like this?
> >>
> >># put headers in all messages (no matter if spam or not)
> >>warn message = X-Spam-Score: $spam_score ($spam_bar)
> >>     spam = nobody:true
> >>warn message = X-Spam-Report: $spam_report
> >>     spam = nobody:true
> >>
> >># add second subject line with *SPAM* marker when message
> >># is over threshold
> >>warn message = Subject: *SPAM* $h_Subject:
> >>     spam = nobody
> >>
> >># reject spam at high scores (> 12)
> >>deny message = This message scored $spam_score spam points.
> >>     spam = nobody:true
> >>     condition = ${if >{$spam_score_int}{120}{1}{0}}
> >
> >
> > That doesn't look too wrong without inspecting your configuration in
> > detail.
>
> Would the above entries be equal then to 4 acl entries?
> Or do they work together?

The first entry puts headers in all messages.
The second entry puts the *SPAM* marker in the subject.
The third one rejects spam with a score > 12.

Did you read the comments? Do you know how exim ACLs work? Did you
read the manual?

Greetings
Marc
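
Added example, not part of the thread and not Exim's own code: a small Python model of how the warn and deny statements in the data ACL quoted above are walked in order, and why the deny refuses the message at SMTP time. The function names and the 5.0 SpamAssassin threshold are assumptions made for illustration.

```python
# Simplified model of how Exim walks the DATA-ACL statements quoted in this
# thread. Not Exim code: function names and the 5.0 threshold are assumptions.

SA_REQUIRED_SCORE = 5.0  # assumed SpamAssassin "spam" threshold
REJECT_SCORE_INT = 120   # from the thread: $spam_score_int > 120 (score > 12)


def spam_condition(score, always_true):
    """Model of 'spam = nobody' (always_true=False) and 'spam = nobody:true'.

    The scan runs either way and sets $spam_score. With ':true' the condition
    always succeeds; without it, only when the message is classed as spam.
    """
    return always_true or score >= SA_REQUIRED_SCORE


def run_data_acl(score, subject):
    """Evaluate the statements top to bottom; return (smtp_reply, headers)."""
    spam_score_int = int(round(score * 10))  # $spam_score_int is score * 10
    headers = []

    # warn: when every condition holds, add the header; then always move on
    # to the next statement. ($spam_bar and the report text are left out.)
    if spam_condition(score, always_true=True):
        headers.append(f"X-Spam-Score: {score:.1f}")
    if spam_condition(score, always_true=True):
        headers.append("X-Spam-Report: (report)")
    if spam_condition(score, always_true=False):
        headers.append(f"Subject: *SPAM* {subject}")

    # deny: when every condition holds, stop and refuse the message in reply
    # to DATA, so it is never accepted and the warn headers are moot.
    if spam_condition(score, always_true=True) and spam_score_int > REJECT_SCORE_INT:
        return (f"550 This message scored {score:.1f} spam points.", [])

    # No deny matched. Assumption: the enclosing ACL then ends in 'accept'.
    return ("250 OK", headers)


if __name__ == "__main__":
    for s in (2.0, 7.5, 12.0, 12.1):  # constructed sample scores
        print(s, run_data_acl(s, "hello"))
```

A score of exactly 12.0 is still accepted, because the condition tests for strictly greater than 120.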