Question for Chirpy - Mailscanner/Clamav

knipper

Hey Jonathan, (read so many of your posts it seems like I know ya!)

About a month ago I installed mailscanner/clamAV from a forum found elsewhere and never got it to work correctly. I then used the Layer1 install and then I had used your update for mailscanner found here and it worked great.

Well, due to too many undocumented changes from me (That's what I get for working late at night :) ) and then going from a stable to a current build I broke a bunch of stuff.

SOOoooooo Basically I had to format the disk and start from scratch. (This is not yet a production server!)

Now my question for you... there are so many threads about mailscanner/clamAV I'm no longer sure what to follow.

I'd like to make sure I get the most up-to-date mailscanner, ClamAV, etc. and make sure everything is correct (such as using Clammodule instead of AV.)

I was going to start by installing the layer1 version again, do your upgrade again.... but here's where I get lost....

I want to upgrade to the newest ClamAV, (or clammodule??) and am unsure how to upgrade this.

And... if there are any extra changes needed because of the newer exim fix. (which is why I went to current and broke my setup previously)

I don't need a detailed how-to.... if you could just point me to the correct threads/posts on how to do these things, or post a short list here that would be great.

I'm sure several people would be glad to have a new updated all in one spot resource! :D

Thanks in advance!
 

chirpy

Hi,

No problem :)

Here's what I do on new servers:

1. Install layer1 mailscanner

2. Upgrade clamav to the latest version simply by:

wget http://heanet.dl.sourceforge.net/sourceforge/clamav/clamav-0.71.tar.gz
tar -xzf clamav-0.71.tar.gz
cd clamav-0.71
./configure
make
make install

3. Upgrade mailscanner using my HOWTO thread (I keep it up to date)

4. To overcome the problem you probably had before: WHM > Exim Configuration Editor > Switch to Advanced Mode > put the following line in the first textarea:

queue_only_override = false

Then scroll to the bottom and hit Save.

5. For Mail::ClamAV

/scripts/perlinstaller Mail::ClamAV

You might get some errors stating that other required perl modules are missing. Just install those too using:

/scripts/perlinstaller <module>

One example will probably be Inline::C, so just do

/scripts/perlinstaller Inline::C

Keep going until Mail::ClamAV will install

Then modify /usr/mailscanner/etc/MailScanner.conf and change the directive:

Virus Scanners = clamav

to:

Virus Scanners = clamavmodule

Then stop and start MailScanner:
killall MailScanner
(check that all the MailScanner processes have died):
/usr/mailscanner/bin/check_mailscanner

tail -f /var/log/maillog to make sure MailScanner comes up OK.

Finally, send yourself the EICAR test virus http://www.eicar.org/anti_virus_test_file.htm and make sure it is detected.

Any problems, click on the link in my signature for a package where we can do all this for you ;)
 

knipper

PERFECT!

That's exactly what I needed. I'll do this later tonight or in the AM.

I'll post and let you (and others) know how it goes.

Thanks again! :D :cool:
 

knipper

Worked great!

Thanks for the updated items. Everything went in with no problems at all.

I was able to install layer1 mailscanner,
Follow your upgrade...
Upgrade ClamAV, etc. You were correct... the only missing perl module was the Inline::C

and I got everything tested with no problems delivering mail, and no viruses coming through.

One question though...

What does this step do exactly?

4. To overcome the problem you probably had before: WHM > Exim Configuration Editor > Switch to Advanced Mode > put the following line in the first textarea:

queue_only_override = false

Then scroll to the bottom and hit Save.
Thanks again. :cool:
 

chirpy

That option prevents users who have privilege, like the root account, from overriding the option queue_only when sending emails locally. This is because MailScanner splits the exim functionality in two (one for delivery and one for sending). Mail from CRON jobs, for example, can end up being lost if that option is not in place.

Glad it all went OK :D
 

chirpy

Hi,

Well it should be scanning for viruses and removing the actual infected files as the cPanel distribution comes with ClamAV. However you do need to do two things:

1. You need to upgrade MailScanner to the latest version and there is a HOWTO here:
http://forums.cpanel.net/showthread.php?s=&threadid=21290

2. You need to upgrade to the latest ClamAV and make the changes according to my first post in this thread (note: there's a newer version of ClamAV now - 0.72)
 

Cash

Greeting:

Hi. ^_^

After I installed MailScanner, I receive a lot of "Warning: E-mail viruses detected" emails...

Is it just a reminder, and the virus has been cleaned?

Regarding MailScanner.conf,
if I change "Deliver Cleaned Messages = No",
does it mean the virus mails will not be delivered to the user?
After I change it, do I need to restart MailScanner?

Thank you. :)
 

arhs

When I run the ./configure

I get this error at end:


ERROR: User "clamav" (and/or group "clamav") doesn't exist. Please create it. You can omit this check with the --disable-clamav option.
 

arhs

chirpy said:
Do this first:

useradd clamav

Thanks :) I just installed ClamAV. I haven't installed any of the perl modules, do I need to install them?
 

chirpy

You will need to install the perl modules if you want to use the much quicker and more efficient clamavmodule. You can do so using the following two lines:

/scripts/perlinstaller Net::CIDR Archive::Zip Compress::Zlib Convert::BinHex Inline::C
/scripts/perlinstaller Mail::ClamAV


You can then modify your MailScanner.conf to use clamavmodule as explained in the previous post.
 

ShAwNz

Hi

Thanks for the information, did it and changed the Virus Scanners in MailScanner.conf to clamavmodule. Then I noticed that /usr/mailscanner/etc/virus.scanners.conf has this:

clamavmodule /bin/false /tmp


May I know if I'm doing it correctly?
 

chirpy

That's fine. Clamavmodule uses a perl module (clearly) so doesn't need the information of other scanners in that file.

A word of caution. There is a bug in Mail::ClamAV v0.12 working with ClamAV 0.80 which the author is working on (i.e. it doesn't work!). I would recommend switching back to just clamav in the meantime. It looks like ClamAV 0.80 is much quicker and resource efficient anyway, so not using the perl module isn't such a hit now.
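
The settings discussed in this thread can be checked with a short script. This is an added example, not part of any post above: the function names and the constructed sample files are assumptions, and treating the last occurrence of a repeated directive as the effective one is an assumption of the example.

```shell
#!/bin/sh
# conf_value FILE KEY: print the value of a "key = value" line, skipping
# comment lines; the key match ignores case. If the key is repeated, the
# last value is printed (an assumption of this example).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { eq = index($0, "="); if (!eq) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (tolower(k) == tolower(key)) val = v }
        END { print val }' "$1"
}

# check_mail_stack MAILSCANNER_CONF SCANNERS_CONF EXIM_CONF
# Prints one OK/FAIL line per check; the return code is the number of failures.
check_mail_stack() {
    fails=0
    scanner=$(conf_value "$1" "Virus Scanners")
    case "$scanner" in
        clamav|clamavmodule) echo "OK   Virus Scanners = $scanner" ;;
        *) echo "FAIL Virus Scanners = '$scanner'"; fails=$((fails + 1)) ;;
    esac
    # The selected scanner must have a line in virus.scanners.conf.
    if awk -v s="$scanner" 's != "" && $1 == s { found = 1 }
                            END { exit !found }' "$2"; then
        echo "OK   $scanner listed in virus.scanners.conf"
    else
        echo "FAIL '$scanner' not listed in virus.scanners.conf"; fails=$((fails + 1))
    fi
    qoo=$(conf_value "$3" "queue_only_override")
    if [ "$qoo" = "false" ]; then
        echo "OK   queue_only_override = false"
    else
        echo "FAIL queue_only_override = '${qoo:-unset}'"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample files that mirror the lines quoted in the thread.
make_samples() {
    mkdir -p "$1"
    printf '# sample\nVirus Scanners = clamav\nVirus Scanners = clamavmodule\n' \
        > "$1/MailScanner.conf"
    printf 'clamavmodule /bin/false /tmp\n' > "$1/virus.scanners.conf"
    printf 'queue_only_override = false\n' > "$1/exim.conf"
}
```

On a server, pass /usr/mailscanner/etc/MailScanner.conf, /usr/mailscanner/etc/virus.scanners.conf and the server's exim configuration file (its path is not given in the thread) to check_mail_stack.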
 

damainman

offtopic:

Chirpy,

Considering that Cpanel stated using mailscanner might break cpanel, do you still advise using this? I was running mailscanner for a while, about when you first posted your howto. However, after many posts it seems cpanel will never support mailscanner, and they even stated it might break cpanel.

For that reason I tried using the exiscan package, but started receiving the unix stale errors that a lot of people have been getting lately. So I decided to use clamavconnector since it was created by cpanel, but started receiving smtp timeout errors.

Mailscanner has really been the only product that effectively worked with no errors, and does exactly what it's supposed to do. So right now I've got no system in place, because the only one that actually works is not supported by cpanel.

But back to my question, do you still suggest using mailscanner even after what cpanel stated? I'm looking into the long term, and wouldn't want to work to maintain mailscanner and one day have my email in cpanel break and reconfigure the servers to use clamavconnector or something. I don't feel comfortable switching back and forth between products.
 

chirpy

Well, it certainly doesn't break cPanel. I'm using it on all my other servers and am regularly installing MailScanner using my script on other people's servers for them. I would definitely recommend its continued use. I agree that the solutions cPanel themselves provide fall way short of the mark, and the age-old cry that MailScanner uses too many server resources just is not the case anymore. I can configure it for someone's server with as little as 256mb of RAM without problems (you just limit the number of child processes and tune the configuration file properly - which I do with my script).

ClamAV is also much quicker and less memory hungry now since 0.80 was released. I intend to continue to support it in the cPanel environment until such time as cPanel decide to implement a proper and effective spam blocking and virus scanning solution.

I am annoyed when cPanel has put in the work to include MailScanner recognition in their script and continue to do so, but then bring in cPanel Pro which now intentionally breaks it[*]. But that's simple to work around by running a /scripts/postupcp script that runs /scripts/mailscanner and restarts exim.


[*]Intentional, because I've asked them to make the same change to that as they have for exim4 script, but have so far declined to add the one line necessary to the cPanel Pro script.
 

cPanelBilly

Guest
chirpy said:
Well, it certainly doesn't break cPanel. I'm using it on all my other servers and am regularly installing MailScanner using my script on other people's servers for them. I would definitely recommend its continued use. I agree that the solutions cPanel themselves provide fall way short of the mark, and the age-old cry that MailScanner uses too many server resources just is not the case anymore. I can configure it for someone's server with as little as 256mb of RAM without problems (you just limit the number of child processes and tune the configuration file properly - which I do with my script).

ClamAV is also much quicker and less memory hungry now since 0.80 was released. I intend to continue to support it in the cPanel environment until such time as cPanel decide to implement a proper and effective spam blocking and virus scanning solution.

I am annoyed when cPanel has put in the work to include MailScanner recognition in their script and continue to do so, but then bring in cPanel Pro which now intentionally breaks it[*]. But that's simple to work around by running a /scripts/postupcp script that runs /scripts/mailscanner and restarts exim.


[*]Intentional, because I've asked them to make the same change to that as they have for exim4 script, but have so far declined to add the one line necessary to the cPanel Pro script.
Do you have a ticket # or bug ID for this request?