Linux E-Mail Antivirus: ClamAV + Sendmail
The Linux e-mail antivirus setup described in this article consists of two packages: clamav and clamav-milter.
clamav is the antivirus engine; clamav-milter is the mail filter (milter) that lets sendmail hand every message to ClamAV for scanning before it is accepted.
Installing the ClamAV packages
yum install clamav clamav-milter
Installation adds a system user named clamav, under which the ClamAV daemons run. Do not delete it just because it looks unfamiliar.
Enable and start the services:
chkconfig clamd on
chkconfig clamav-milter on
service clamd start
service clamav-milter start
The first time clamd starts, an error message like the following is nothing to worry about:
service clamd start
Starting Clam AntiVirus Daemon: LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
It means the virus database is out of date; run the following command to update it:
freshclam
The database is also updated automatically every day; the update command lives in /etc/cron.daily/freshclam.
Integrating with sendmail
Edit /etc/mail/sendmail.mc and append at the end:
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/clamav/clmilter.socket, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')
Note that F= is left empty here: if clamav-milter is not reachable, sendmail then carries on and delivers the message unscanned. If you want scanning to fail closed, use F=T (temporary failure while the milter is down) or F=R (reject) instead.
Next, regenerate sendmail.cf (this needs the m4 macro files from the sendmail-cf package; keep a backup of the old sendmail.cf):
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Restart sendmail:
service sendmail restart
If none of the steps above produced an error, mail scanning is in place.
Troubleshooting
If restarting sendmail prints an error like this:
WARNING: Xclmilter: local socket name /var/clamav/clmilter.socket missing
it means sendmail could not find the ClamAV milter socket at the path given in sendmail.mc. The fix is simple: open /etc/clamav-milter.conf and find the MilterSocket unix: parameter; what follows it is the real socket path (for example: MilterSocket unix:/var/clamav/clmilter.socket). Put that path after S=local: in the line you added to sendmail.mc. Also check that clamav-milter is actually running, because the socket only exists while it does. Then rebuild sendmail.cf as before:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Restart sendmail:
service sendmail restart
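The socket-path mismatch above is easy to get wrong by hand. As an added example (not code from the original post, nor from the ClamAV or sendmail projects), the POSIX shell script below reads MilterSocket from clamav-milter.conf, writes the matching INPUT_MAIL_FILTER definition into sendmail.mc, and refuses to go further while the socket file is absent. It assumes the file locations used on the page; the function names are this example's own, and it uses F=T rather than the page's empty F= so that a stopped milter cannot let mail through unscanned.

```shell
#!/bin/sh
# Added example, not code from the original post: keep the S=local: path in
# sendmail.mc in sync with the MilterSocket that clamav-milter actually creates,
# which is the root cause of the "local socket name ... missing" warning.
# File locations are the ones used on the page (/etc/clamav-milter.conf,
# /etc/mail/sendmail.mc); the function names are this example's own.

# Print the socket path from a clamav-milter.conf, e.g.
#   MilterSocket unix:/var/clamav/clmilter.socket  ->  /var/clamav/clmilter.socket
# Returns 1 if no MilterSocket line exists, 2 if it is an inet: socket
# (those need S=inet:port@host in sendmail.mc, not S=local:).
milter_socket_path() {
    value=$(sed -n 's/^[[:space:]]*MilterSocket[[:space:]]\{1,\}//p' "$1" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
    case "$value" in
        unix:*)  printf '%s\n' "${value#unix:}" ;;
        local:*) printf '%s\n' "${value#local:}" ;;
        '')      return 1 ;;
        *)       return 2 ;;
    esac
}

# Emit the sendmail.mc lines for that socket.  The page uses F= (empty): if
# clamav-milter is down, sendmail then delivers mail unscanned.  F=T makes
# sendmail return a temporary failure instead, so nothing bypasses the scanner.
milter_mc_lines() {
    printf "INPUT_MAIL_FILTER(\`clmilter', \`S=local:%s, F=T, T=S:4m;R:4m')dnl\n" "$1"
    printf "define(\`confINPUT_MAIL_FILTERS', \`clmilter')dnl\n"
}

# Append the milter definition to a sendmail.mc unless one is already there,
# and report whether the socket file exists (sendmail checks for it on restart).
# Usage: apply_clamav_milter /etc/clamav-milter.conf /etc/mail/sendmail.mc
apply_clamav_milter() {
    conf="$1"; mc="$2"
    sock=$(milter_socket_path "$conf") || {
        echo "no usable unix MilterSocket in $conf" >&2; return 1; }
    if grep -q 'INPUT_MAIL_FILTER(`clmilter' "$mc" 2>/dev/null; then
        echo "clmilter already defined in $mc, not touching it" >&2
    else
        milter_mc_lines "$sock" >> "$mc"
    fi
    if [ -S "$sock" ]; then
        echo "socket $sock present; rebuild sendmail.cf with: m4 $mc > /etc/mail/sendmail.cf"
    else
        echo "socket $sock missing: start clamav-milter before restarting sendmail" >&2
        return 2
    fi
}
```

Run it once after clamav-milter is up; a non-zero exit means either the conf has no unix socket configured or the milter has not created it yet, and in both cases restarting sendmail now would only reproduce the warning.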
What happens when a virus is found
By default clamav-milter puts infected messages in quarantine. To change that, edit /etc/clamav-milter.conf, find the OnInfected parameter, and set it to one of these five values:
- Accept -> let the message through as if nothing happened (not recommended)
- Reject -> bounce it back to the sender
- Defer -> Return a temporary failure message (4xx) to the peer (I don't understand what effect this setting has)
- Blackhole -> silently delete the message with no response at all
- Quarantine -> put the message in quarantine (default)
After changing it, clamav-milter must be restarted:
service clamav-milter restart
How to test with a virus e-mail
How do you check that the mail antivirus actually works? Send a message to a recipient on the server and put this line in the message body, on a line of its own and exactly as shown (a mail client that wraps or re-encodes it breaks the signature):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Then look at the server log /var/log/maillog; depending on the OnInfected setting you will see records like these.
When OnInfected is set to "Reject":
Nov 12 18:34:46 mail sendmail[20581]: tACAYk0L020581: from=<[email protected]>, size=436, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[127.0.0.1]
Nov 12 18:34:46 mail sendmail[20581]: tACAYk0L020581: Milter: data, reject=554 5.7.1 Command rejected
Nov 12 18:34:46 mail sendmail[20581]: tACAYk0L020581: to=<[email protected]>, delay=00:00:00, pri=30436, stat=Command rejected
When OnInfected is set to "Blackhole":
Nov 12 18:43:05 mail sendmail[21387]: tACAh53o021387: from=<[email protected]>, size=437, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[127.0.0.1]
Nov 12 18:43:05 mail sendmail[21387]: tACAh53o021387: Milter: data, discard
Nov 12 18:43:05 mail sendmail[21387]: tACAh53o021387: discarded
When OnInfected is set to "Defer":
Nov 12 19:24:53 mail sendmail[32350]: tACDOr8O032350: from=<[email protected]>, size=400, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[127.0.0.1]
Nov 12 19:24:53 mail sendmail[32350]: tACDOr8O032350: Milter: data, reject=451 4.3.2 Please try again later
Nov 12 19:24:53 mail sendmail[32350]: tACDOr8O032350: to=<[email protected]>, delay=00:00:00, pri=30400, stat=Please try again later
When OnInfected is left at the default "Quarantine":
Nov 12 18:20:47 mail sendmail[20871]: tACAblgl020871: from=<[email protected]>, size=436, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[127.0.0.1]
Nov 12 18:20:47 mail sendmail[20871]: tACAblgl020871: milter=clmilter, quarantine=quarantined by clamav-milter
With OnInfected set to "Quarantine", infected messages are held back, but the "quarantine area" is simply the mail queue /var/spool/mqueue: a quarantined item is an ordinary queue entry whose control file is named hf<ID> instead of qf<ID>, and it is never delivered. Run mailq -qQ to see how many items are quarantined:
mailq -qQ
/var/spool/mqueue (3 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
tAC9hg4M015066       69 Thu Nov 12 17:43 <[email protected]>
      QUARANTINE: quarantined by clamav-milter
                                         <[email protected]>
tACAblgl020871       69 Thu Nov 12 18:20 <[email protected]>
      QUARANTINE: quarantined by clamav-milter
                                         <[email protected]>
tACAr3aP022084       70 Thu Nov 12 18:53 <[email protected]>
      QUARANTINE: quarantined by clamav-milter
                                         <[email protected]>
        Total requests: 3
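As an added example (not code from the original post), the POSIX shell script below ties the test procedure together: it builds the EICAR test message for local injection with sendmail -t, classifies what clamav-milter did with a given queue ID from maillog lines in the formats shown above, and lists the quarantined queue IDs from mailq -qQ output. The sample log embedded in it is constructed from the page's own excerpts (shortened); the recipient address and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: exercise the EICAR test the
# page describes and read the result back from sendmail's logs.  The recipient
# address and the function names are this example's own; the log formats are
# the ones shown on the page plus sendmail's normal "stat=Sent" delivery record.

EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Print a complete test message.  Inject it locally with
#   eicar_message user@example.com | sendmail -t
# so no mail client gets a chance to wrap or re-encode the line: 7bit keeps
# the body byte-for-byte, and a line of its own is what the signature expects.
eicar_message() {
    printf 'From: clamav-test@localhost\nTo: %s\nSubject: EICAR test\n' "$1"
    printf 'Content-Type: text/plain; charset=us-ascii\n'
    printf 'Content-Transfer-Encoding: 7bit\n\n'
    printf '%s\n' "$EICAR"
}

# Read maillog text on stdin and print the action clamav-milter took on the
# given queue ID: reject, defer, blackhole, quarantine, or delivered (the
# message went out unflagged).  Prints "unknown" and returns 1 otherwise.
milter_outcome() {
    qid="$1"
    lines=$(grep "sendmail\[[0-9]*\]: $qid: " || true)
    case "$lines" in
        *'Milter: data, reject=554'*)  echo reject ;;
        *'Milter: data, reject=451'*)  echo defer ;;
        *'Milter: data, discard'*)     echo blackhole ;;
        *'quarantine=quarantined by clamav-milter'*) echo quarantine ;;
        *'stat=Sent'*)                 echo delivered ;;
        *)                             echo unknown; return 1 ;;
    esac
}

# Read `mailq -qQ` output on stdin and print the quarantined queue IDs, one per
# line (a sendmail queue ID is 14 alphanumerics).  Each one is an hf<ID> file in
# /var/spool/mqueue; it can be released with  sendmail -qQ -qI<ID> -Q  (-Q with
# no reason lifts the quarantine) or removed by deleting hf<ID> and df<ID>.
quarantined_ids() {
    awk 'length($1) == 14 && $1 ~ /^[A-Za-z0-9]+$/ { print $1 }'
}

# Summarise every queue ID found in a log read on stdin: "<ID> <outcome>".
# On a real server:  milter_summary < /var/log/maillog
milter_summary() {
    log=$(cat)
    printf '%s\n' "$log" | sed -n 's/.*sendmail\[[0-9]*\]: \([A-Za-z0-9]*\): .*/\1/p' | sort -u |
    while read -r id; do
        printf '%s %s\n' "$id" "$(printf '%s\n' "$log" | milter_outcome "$id")"
    done
}

# Constructed sample, abbreviated from the page's own maillog excerpts.
SAMPLE_MAILLOG='Nov 12 18:34:46 mail sendmail[20581]: tACAYk0L020581: Milter: data, reject=554 5.7.1 Command rejected
Nov 12 18:43:05 mail sendmail[21387]: tACAh53o021387: Milter: data, discard
Nov 12 19:24:53 mail sendmail[32350]: tACDOr8O032350: Milter: data, reject=451 4.3.2 Please try again later
Nov 12 18:20:47 mail sendmail[20871]: tACAblgl020871: milter=clmilter, quarantine=quarantined by clamav-milter'
```

An outcome of "delivered" for the EICAR message is the case worth alarming on: it means the milter either was not consulted (socket path wrong, milter stopped with F= empty) or the test body was altered in transit.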
A final word
Why add this final section at all?
Because although ClamAV is very easy to install, after using it for a while you may find that ClamAV seems... basically... hardly... catches any viruses at all!!
As far as I know, ClamAV catches only about 50% of viruses, and possibly even fewer!!
So if you have ever been infected and know how nasty malware can be, don't be stubborn: install another antivirus product on the computer as well!!