ESVA customization
June 9th, 2009
ESVA is a pre-built and easily configured email scanning Virtual Appliance (ESVA) that runs on VMware ESX Server. http://www.global-domination.org/ESVA.php
The central components are ClamAV and SpamAssassin.
After the basic setup you might want to customize some things that cannot be changed in the wizard or GUI.
Change the amount of cached (quarantined) mail kept:
– $days_to_keep = 180; in /etc/cron.daily/clean.quarantine
– define(QUARANTINE_DAYS_TO_KEEP, 180); in /var/www/html/conf.php
– INTERVAL 180 DAY in /usr/local/bin/mailwatch/tools/db_clean.php
The relevant lines in /etc/cron.daily/clean.quarantine:
$disabled = 0;
$days_to_keep  = 14;
The default signature:
/etc/MailScanner/rules
– sig.html.rules
– sig.text.rules
Blocked filetypes:
/etc/MailScanner/filename.rules.conf
Change the max message size:
In Webmin: Postfix, "General resource control".
An example is to add a zero.
Max size of a message: 102400000
Max size of a mailbox: 512000000
Or in /etc/postfix/main.cf: message_size_limit = 102400000
That gives a limit of 100 MB.
Remove the “notify for SPAM”.
In the file: /etc/MailScanner/MailScanner.conf
Remove notify in the line: Spam Actions = store notify
Disable greylisting for some IPs
/etc/sqlgrey/clients_fqdn_whitelist.local
/etc/sqlgrey/clients_ip_whitelist.local
/etc/init.d/sqlgrey restart
Remove the “MailScanner has detected a possible fraud attempt from…”:
Highlight Phishing Fraud = no
Remove the option to read emails in the web interface:
Edit /var/www/html/detail.php
Go to the end and change the "view email" link:
// echo " <TD><A HREF=\"viewmail.php……………..\"</A></TD>\n";
echo " <TD>…</TD>\n";
Default SPAM score:
/etc/MailScanner/MailScanner.conf
Required SpamAssassin Score = 5
Remove Inline HTML Signature
In the file: /etc/MailScanner/MailScanner.conf
# Add the "Inline HTML Signature" or "Inline Text Signature" to the end
# of uninfected messages?
# This can also be the filename of a ruleset.
Sign Clean Messages = no
Auto Reply – Out of office
Treat Invalid Watermarks With No Sender as Spam = 2
Script in the email
Allow Script Tags = disarm
Or yes/no
Office 2010 Fileformats:
Microsoft Office 2007/2010 documents (.docx, .xlsx etc.) are in fact ZIP archives of XML documents, and MailScanner does not like that by default.
The solution is to put this in filename.rules.conf:
allow  \.xml\.rel$            -      -
allow  \.rel$                 -      -
allow  \.docx$                -      -
allow  \.xlsx$                -      -
allow  \.xml\d*\.rel$         -      -
allow  \.x\d+\.rel$           -      -
allow  \.bin$                 -      -
allow  \.wmf$                 -      -
allow  \.dat$                 -      -
Put this just above the "# Deny all other double file extensions.." line:
allow  \.doc$                 -      -
allow  \.xls$                 -      -
And in MailScanner.conf change Maximum Archive Depth to 3
Maximum Archive Depth = 3
This makes MailScanner recognize the Office 2007/2010 formats.
Disable FuzzyOcr:
Rename /etc/mail/spamassassin/FuzzyOcr.cf to something else.
Restart MailScanner
Disable spam and/or AV scanning
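The following is an added Python example (not ESVA's or MailScanner's own code) that applies a filename.rules.conf excerpt in file order to sample attachment names, showing why the Office allow lines must sit above the double-extension deny; the deny regex used for that line and case-insensitive matching are assumptions.

```python
import re

# Constructed excerpt of a MailScanner filename.rules.conf in the order this
# page recommends: the Office allow lines sit ABOVE the double-extension deny.
# Line format: allow|deny  <regex>  <log text>  <user report>, "-" meaning none.
# The double-extension deny regex below is an approximation, not MailScanner's.
RULES_TEXT = r"""
allow  \.xml\.rel$    -  -
allow  \.rel$         -  -
allow  \.docx$        -  -
allow  \.xlsx$        -  -
allow  \.xml\d*\.rel$ -  -
allow  \.x\d+\.rel$   -  -
allow  \.bin$         -  -
allow  \.doc$         -  -
allow  \.xls$         -  -
deny   \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$  Found possible filename hiding  Attempt to hide real filename extension
deny   \.exe$         Windows/DOS Executable  No programs allowed
allow  .*             -  -
"""


def parse_rules(text):
    """Return [(action, compiled regex)] in file order; the first match wins."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on whitespace, so the regex field must not contain a literal space.
        action, regex = line.split(None, 2)[:2]
        # Assumed, as in MailScanner: filename regexes match case-insensitively.
        rules.append((action.lower(), re.compile(regex, re.IGNORECASE)))
    return rules


def check_filename(name, rules):
    """Return 'allow' or 'deny' for an attachment name under the given rules."""
    for action, rx in rules:
        if rx.search(name):
            return "deny" if action.startswith("deny") else "allow"
    return "allow"  # nothing matched; the catch-all above normally prevents this


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name in ["report.docx", "sheet1.xml.rel", "Q1.XLSX", "invoice.exe", "readme.txt.exe"]:
        print(f"{name:16} -> {check_filename(name, rules)}")
```

Moving the deny line above the Office rules makes sheet1.xml.rel (a double extension) get denied, which is the breakage the ordering advice avoids.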
/etc/MailScanner/MailScanner.conf
Spam Checks = no
Use SpamAssassin = no
Virus Scanning = no
—
Or per domain, in MailScanner.conf:
Spam Checks = /etc/MailScanner/rules/spam.check.rules
In spam.check.rules:
FromOrTo:    domain.com     no
FromOrTo:      default  yes
Enable remote SSH login (as root)
/etc/ssh/sshd_config
PermitRootLogin yes
Restart sshd
If running virtually, ESVA might lose time.
Make a file (e.g. ntp.cron) in /etc/cron.daily:
—
#!/bin/sh
#
/usr/sbin/ntpdate 195.184.96.2
date +"%D %r `echo Cron completed`" >> /var/log/cron_job.log
—
chmod +x ntp.cron
Remember RAM!
Do you see this error in the maillog?
"too big for available disk space in /var/spool/MailScanner/incoming, skipping it"
MailScanner uses this directory temporarily to unpack files before scanning.
By default ESVA has 1024 MB of RAM, and half of that is used for the RAM-based filesystem.
Maybe 512 MB for unpacking is too small.
See /etc/fstab and change the size here:
tmpfs /dev/shm tmpfs defaults,size=1024m
The easy way (if you have enough RAM) is to just give ESVA more RAM.
Allow EXE in zipped attachments
/etc/MailScanner/archives.filename.rules.conf
allow \.exe$ Windows/DOS Executable
/etc/MailScanner/archives.filetype.rules.conf
#deny executable No executables
Remember to update resolv.conf
If this file does not contain the IP of a valid DNS server, you might get this error in the log: "Recipient address rejected: Domain not found"
This is an example with OpenDNS:
/etc/resolv.conf
search localdom.local
nameserver 208.67.222.222
Block destination email address
/etc/postfix/recipient_access
Example:
refund_of_tax@testdom.com REJECT
skatdk@testdom.com REJECT
postmap /etc/postfix/recipient_access
Remember to add the file to Postfix's main.cf:
Example:
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:2501, check_recipient_access hash:/etc/postfix/recipient_access
Show ClamAV version
/usr/sbin/clamd -V
Remove mails from queue
List queue: mailq
Remove a specific email: postsuper -d 3EFE828621
Exchange – duplicate delivery
If you release a message that has already been delivered, it will not end up in the mailbox.
You can see which emails have "hit" this rule/functionality in the EMC (email tracking) or with PowerShell:
Get-MessageTrackingLog -EventId DUPLICATEDELIVER
Block email based on subject – Postfix
main.cf
header_checks = regexp:/etc/postfix/header_checks
header_checks
/^Subject: Spam subject/ DISCARD
Restart postfix
Block email based on subject – MailScanner
/etc/MailScanner/mcp
Example:
header P2 Subject =~ /new Message/i
describe P2 Banned Subject
score P2 10
header P3 Subject =~ /new2 for you/i
describe P3 Banned Subject
score P3 10
Disable ahbl.org
/var/lib/spamassassin/3.004000/updates_spamassassin_org/20_dnsbl_tests.cf
# another domain-based blacklist
#header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
#describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
#tflags DNS_FROM_AHBL_RHSBL net
#reuse DNS_FROM_AHBL_RHSBL
Throttling too many connections from a new source
edit:
/etc/sqlgrey/sqlgrey.conf
connect_src_throttle = 5
0 = disabled
/etc/init.d/sqlgrey restart
Allow password protected ZIP from one or more email/domains
Allow Password-Protected Archives = no
to:
Allow Password-Protected Archives = %rules-dir%/pp.archives.rules
pp.archives.rules:
FromOrTo: test@mydomain.com yes
FromOrTo: mydomain2.com yes
FromOrTo: default no
Restart MailScanner
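Both rulesets on this page (spam.check.rules above and pp.archives.rules here) use MailScanner's ruleset syntax. The following is an added Python example, not part of ESVA or MailScanner, that evaluates such a ruleset against a sender and recipient list so the rule order and the "default" catch-all can be checked before restarting; treating a bare domain as *@domain and FromAndTo as sender-and-all-recipients are assumptions.

```python
import re

# Constructed copies of the two rulesets on this page.
SPAM_CHECK_RULES = """
FromOrTo:    domain.com     no
FromOrTo:    default        yes
"""
PP_ARCHIVES_RULES = """
FromOrTo: test@mydomain.com yes
FromOrTo: mydomain2.com     yes
FromOrTo: default           no
"""

def _pattern_to_regex(pattern):
    """Assumed semantics: 'default' matches anything, a bare domain means
    *@domain, '*' is a wildcard and everything else is a literal address."""
    if pattern == "default":
        return re.compile(".*")
    if "@" not in pattern:
        pattern = "*@" + pattern
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)

def parse_ruleset(text):
    """Return [(direction, regex, value)] in file order; the first match wins."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), _pattern_to_regex(pattern), value))
    return rules

def evaluate(rules, sender, recipients):
    """Value of the first matching rule, or None if nothing (not even default) matches."""
    for direction, rx, value in rules:
        from_hit = bool(rx.search(sender))
        to_hits = [bool(rx.search(r)) for r in recipients]
        if direction == "from" and from_hit:
            return value
        if direction == "to" and any(to_hits):
            return value
        if direction == "fromorto" and (from_hit or any(to_hits)):
            return value
        # FromAndTo: the sender and every recipient must match (assumed).
        if direction == "fromandto" and from_hit and all(to_hits):
            return value
    return None
```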