
とた日記 (Tota Diary)


2006-04-03 (Mon), sunny, resting heart rate 63

MTA setup: the failure edition

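My environment changed recently and I can now administer the MTA myself. On top of that, bsfilter processing is heavy, so I wanted to deal with the problem upstream on the MTA side and tried a few things. I try not to use Windows much, so anti-spam matters more to me than anti-virus, but it turns out that the amavisd-new port pulls in p5-Mail-SpamAssassin as a dependency, which kills two birds with one stone.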

# portinstall security/amavisd-new

With this command the MILTER "sendmail milter support" option is enabled by default, but I use Postfix, so I turned it off. As the dependency builds proceed, p5-Mail-SpamAssassin also presents OPTIONS; I left those at their defaults. After a while the installation finishes.

*******************************************************************
 To use amavisd-new, you need to install at least one virus scanner.
 The following virus scanners are available in the FreeBSD ports
 collection:
  
 /usr/ports/security/vscan      McAfee VirusScan
 /usr/ports/security/clamav     Clam Antivirus
 /usr/ports/security/f-prot     F-Prot Antivirus
 /usr/ports/security/drweb      DrWeb antivirus suite
  
 Enable amavisd-new in /etc/rc.conf with the following line:
  
    amavisd_enable="YES"
  
 If you want to use the amavis sendmail milter interface,
 you need the following additional line in /etc/rc.conf
  
    amavis_milter_enable="YES"
  
 Configuration templates are available in /usr/local/etc
 as amavisd.conf-dist, amavisd.conf-sample and amavisd.conf-default.
 Documentation is available in /usr/local/share/doc/amavisd-new.
*******************************************************************

Given that message, I decided to install security/clamav, and added the following line to /etc/rc.conf:

amavisd_enable="YES"

The configuration file:

# diff -u /usr/local/etc/amavisd.conf{-dist,}
--- /usr/local/etc/amavisd.conf-dist    Mon Apr  3 22:23:07 2006
+++ /usr/local/etc/amavisd.conf Mon Apr  3 22:29:26 2006
@@ -17,7 +17,7 @@
 $daemon_user  = 'vscan';     # (no default;  customary: vscan or amavis)
 $daemon_group = 'vscan';     # (no default;  customary: vscan or amavis)
 
-$mydomain = 'example.com';   # a convenient default for other settings
+$mydomain = 'rtfm.jp';   # a convenient default for other settings
 
 $MYHOME   = '/var/amavis';   # a convenient default for other settings
 $TEMPBASE = "$MYHOME/tmp";   # working directory, needs to be created manually
@@ -96,8 +96,8 @@
 
 # $myhostname = 'host.example.com';  # must be a fully-qualified domain name!
 
-# $notify_method  = 'smtp:[127.0.0.1]:10025';
-# $forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!
+$notify_method  = 'smtp:[xxx.yyy.zzz.www]:10025';
+$forward_method = 'smtp:[xxx.yyy.zzz.www]:10025';  # set to undef with milter!
 
 # $final_virus_destiny      = D_DISCARD;
 # $final_banned_destiny     = D_BOUNCE;
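
Review bot: $notify_method and $forward_method now point at [xxx.yyy.zzz.www]:10025 instead of the commented default [127.0.0.1]:10025, while the master.cf change on this page declares the re-injection listener as localhost:10025, which binds to loopback only. If xxx.yyy.zzz.www is not a loopback address, amavisd will connect to an address and port with no listener behind it. Either keep 127.0.0.1 here or bind the smtpd service to the same address.
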
@@ -285,14 +285,14 @@
 # ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
 # ['Sophos SAVI', \&sophos_savi ],
 
-# ### http://www.clamav.net/
-# ['ClamAV-clamd',
-#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
-#   qr/\bOK$/, qr/\bFOUND$/,
-#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
-# # NOTE: the easiest is to run clamd under the same user as amavisd; match the
-# # socket name (LocalSocket) in clamav.conf to the socket name in this entry
-# # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
+### http://www.clamav.net/
+['ClamAV-clamd',
+  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
+  qr/\bOK$/, qr/\bFOUND$/,
+  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+# NOTE: the easiest is to run clamd under the same user as amavisd; match the
+# socket name (LocalSocket) in clamav.conf to the socket name in this entry
+# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
 
 # ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
 # ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/],
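
Review bot: The uncommented ClamAV-clamd entry talks to the socket /var/run/clamav/clamd, and the NOTE kept right below it says the socket name must match LocalSocket and that clamd is easiest run under the same user as amavisd. $daemon_user is 'vscan' in this file and clamd.conf is left untouched on this page, so confirm that the vscan user can open that socket and that clamd can read the files amavisd unpacks under $TEMPBASE. If either fails, every CONTSCAN request returns an error instead of OK or FOUND.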

That is how I set it up for now.

$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
 
$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender

Because the file contains the settings above, I added matching aliases:

# diff -u /etc/mail/aliases{.orig,}
--- /etc/mail/aliases.orig      Wed Mar  1 08:47:42 2006
+++ /etc/mail/aliases   Tue Apr  4 00:36:11 2006
(snip)
@@ -43,6 +45,8 @@
 tty:   root
 usenet: news
 uucp:  root
+virusalert:    root
+spam.police:   root
  
 # Well-known aliases -- these should be filled in!
 # manager:
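
Review bot: Both new aliases, virusalert and spam.police, deliver to root, and the context line below still shows the well-known aliases as unfilled templates, so nothing visible here forwards root to a mailbox someone reads. Point root (or these two aliases directly) at a monitored address so that virus and spam notifications are actually seen.
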
(snip)
# newaliases

That is the change I made. Next comes the clamav installation.

# portinstall security/clamav

There are options, but I installed with the defaults. I added the following to /etc/rc.conf:

clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"

After adding those lines, I edit the configuration files. That said, /usr/local/etc/clamd.conf looks fine without any changes.

# diff -u /usr/local/etc/freshclam.conf{.default,}
--- /usr/local/etc/freshclam.conf.default       Mon Apr  3 22:58:07 2006
+++ /usr/local/etc/freshclam.conf       Mon Apr  3 23:11:43 2006
@@ -52,7 +52,7 @@
 # Uncomment the following line and replace XY with your country
 # code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
 # Default: There is no default, which results in an error when running freshclam
-#DatabaseMirror db.XY.clamav.net
+DatabaseMirror db.jp.clamav.net
  
 # database.clamav.net is a round-robin record which points to our most
 # reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
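
Review bot: db.jp.clamav.net is the only DatabaseMirror visibly set, and the context comment right below it describes database.clamav.net as the fallback for when the country mirror is unavailable. Check that a second DatabaseMirror line for database.clamav.net is active further down the file, so that signature updates continue when the country mirror is down.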

That is the change I made. After that, following README.postfix:

# diff -u master.cf{.orig,}
--- master.cf.orig      Mon Mar 27 22:45:14 2006
+++ master.cf   Tue Apr  4 00:56:39 2006
@@ -77,3 +77,17 @@
   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
 bsmtp     unix  -       n       n       -       -       pipe
   flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+smtp-amavis     unix    -       -       n       -       2       smtp
+        -o smtp_data_done_timeout=1200
+        -o disable_dns_lookups=yes
+localhost:10025 inet    n       -       n       -       -       smtpd
+        -o content_filter=
+        -o local_recipient_maps=
+        -o relay_recipient_maps=
+        -o smtpd_restriction_classes=
+        -o smtpd_client_restrictions=
+        -o smtpd_helo_restrictions=
+        -o smtpd_sender_restrictions=
+        -o smtpd_recipient_restrictions=permit_mynetworks,reject
+        -o mynetworks=xxx.yyy.zzz.www/32
+        -o strict_rfc821_envelopes=yes
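
Review bot: The re-injection listener is bound to localhost:10025, but mynetworks is xxx.yyy.zzz.www/32 and smtpd_recipient_restrictions is permit_mynetworks,reject. A client that connects over loopback arrives from 127.0.0.1, which that mynetworks value does not cover, so filtered mail coming back from amavisd would be rejected. The bind address, the mynetworks value and amavisd's $forward_method need to name the same address, and since this listener has content_filter and all other restrictions emptied, that address should stay on loopback unless the filter really runs on another host.
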
# diff -u main.cf{.orig,}
--- main.cf.orig        Mon Mar 27 22:45:20 2006
+++ main.cf     Tue Apr  4 01:00:14 2006
@@ -642,3 +652,6 @@
 # readme_directory: The location of the Postfix README files.
 #
 readme_directory = no
+#
+#
+content_filter=smtp-amavis:[xxx.yyy.zzz.www]:10024
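
Review bot: content_filter sends mail to [xxx.yyy.zzz.www]:10024, but the amavisd.conf diff on this page changes nothing about where amavisd listens or which clients it accepts. amavisd-new by default listens on 127.0.0.1:10024 and accepts loopback clients only, so unless those settings were changed elsewhere, use [127.0.0.1]:10024 here. That also keeps the filter port off the external interface.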

That completes the configuration. All that is left is to start everything:

# /etc/rc.d/amavisd start
Starting amavisd.
# /usr/local/etc/rc.d/clamav-clamd.sh start
Starting clamav_clamd.
# /usr/local/etc/rc.d/clamav-freshclam.sh start
Starting clamav_freshclam.
# postfix reload
postfix/postfix-script: refreshing the Postfix mail system

That starts everything. Huh? Something does not seem to be working... To be continued next time.

References:

  • http://d.hatena.ne.jp/stealthinu/20060110/p2
  • http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix
  • http://www.voyager.gr.jp/~sampei/freebsd/amavis.html
  • http://www.kobitosan.net/postfix/origdocs/install-sav.html
  • http://www.kncn.net/blog/item/502
  • http://www.aconus.com/~oyaji/suse9.3/amavisd-new_antivir_suse9.3.htm
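
The entry ends with the setup not working and no diagnosis. The script below is an added example, not part of the original entry: it cross-checks the addresses in main.cf, master.cf and amavisd.conf that Postfix and amavisd-new use to hand mail to each other. The sample files are constructed to mirror the diffs above, with 192.0.2.10 standing in for the masked xxx.yyy.zzz.www, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original entry): cross-check the addresses that
# Postfix and amavisd-new use to pass mail back and forth.

# Host:port that amavisd re-injects filtered mail to ($forward_method).
forward_target() {
    awk -F"'" '/^\$forward_method/ { v = $2 }
        END { sub(/^smtp:/, "", v); gsub(/\[|\]/, "", v); print v }' "$1"
}

# Host:port of the re-injection listener in master.cf (an inet smtpd service
# declared as host:port), with "localhost" normalised to 127.0.0.1.
reinject_listener() {
    awk '$2 == "inet" && $8 == "smtpd" && $1 ~ /:/ { print $1 }' "$1" |
        sed 's/^localhost:/127.0.0.1:/'
}

# Host:port that Postfix sends unfiltered mail to (content_filter in main.cf).
filter_target() {
    awk -F= '/^content_filter/ { v = $2 }
        END { sub(/^[^:]*:/, "", v); gsub(/\[|\]| /, "", v); print v }' "$1"
}

# Succeeds only when amavisd forwards to the address the listener is bound to.
check_reinjection() {
    [ "$(reinject_listener "$1")" = "$(forward_target "$2")" ]
}

# Constructed sample files; 192.0.2.10 stands in for the masked address.
d=$(mktemp -d)
printf '%s\n' 'content_filter=smtp-amavis:[192.0.2.10]:10024' > "$d/main.cf"
printf '%s\n' 'localhost:10025 inet    n       -       n       -       -       smtpd' \
    '        -o mynetworks=192.0.2.10/32' > "$d/master.cf"
printf '%s\n' "\$forward_method = 'smtp:[192.0.2.10]:10025';" > "$d/amavisd.conf"
printf '%s\n' "\$forward_method = 'smtp:[127.0.0.1]:10025';" > "$d/amavisd.ok"

echo "content_filter -> $(filter_target "$d/main.cf")"
echo "listener       =  $(reinject_listener "$d/master.cf")"
echo "forward_method -> $(forward_target "$d/amavisd.conf")"
check_reinjection "$d/master.cf" "$d/amavisd.conf" ||
    echo "MISMATCH: re-injection target has no listener"
```

On a live host, compare the reported addresses with what is actually listening (for example with sockstat on FreeBSD) before changing either side.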