February 26, 2019 Roberto Puzzanghera32 comments
Simscan is a simple program that enables the qmail smtpd service to reject viruses, spam, and block attachments during the SMTP conversation so the processing load on the email system is kept to a minimum.
ripMIME's primary purpose is to extract attachments out of a MIME encoded email packages. It is used by
simscan. It is a recommended package.
cd /usr/local/src wget https://pldaniels.com/ripmime/ripmime-18.104.22.168.tar.gz tar xzf ripmime-22.214.171.124.tar.gz cd ripmime-126.96.36.199 chown -R root.root . make make install
For more informations about the patch applied, see the J.Simpson site linked above. The applied patch includes a bug fix by Bob Greco (more info here).
cd /usr/local/src wget https://notes.sagredo.eu/files/qmail/tar/simscan-1.4.0_cleaned.tar.gz wget https://notes.sagredo.eu/files/qmail/patches/simscan/simscan-1.4.0-20190226.patch tar xzf simscan-1.4.0.tar.gz cd simscan-1.4.0 chown -R root.root . patch < ../simscan-1.4.0-20190226.patch ./configure \ --enable-user=clamav \ --enable-clamav=y \ --enable-spam=y \ --enable-spam-passthru=y \ --enable-spam-hits=9.5 \ --enable-per-domain=y \ --enable-ripmime \ --enable-attach=y \ --enable-custom-smtp-reject=y \ --enable-spamc-user=y \ --enable-received=y make make install-strip
Take a look to the README file for an explanation of all the configuration options. Concerning spam, I want to reject via smtp the spam with a score greater than 9.5 and pass to the user the spam below this score.
--enable-per-domain=y|n Turn on per domain based checking.
--enable-spam=y|n Turn on spam scanning. default no.
--enable-spam-passthru=y|n Pass spam email thru or reject. Default: disable (reject)
--enable-spam-hits=number Reject spam above this hit level. Default 10.0
--enable-custom-smtp-reject=y Turns custom smtp reject messages on and off. When enabled simscan will place the virus name in the reject message if a virus is detected. Requires the qmail-queue-custom-error.patch. Enabling dropmsg disables this option (more info here http://www.qmailwiki.org/index.php/Simscan/README#How_SMTP_rejection_works).
--enable-spamc-user=y Mandatory option if you want to allow the spamassassin user preferences via SQL.
--enable-received=y Add a Received: line to the message, showing the runned scanners and some stats (you have to patch simscan)
Please refer to this page (http://www.qmailwiki.org/index.php/Simscan/README#How_SMTP_rejection_works) to understand how the smtp rejection works with simscan. This guide shortly remainds that:
For virus rejection, the message contains the name of the virus such as :
Your email was rejected because it contains the Worm.Bagle.AU virus
For spam rejection, the message is more generic, merely stating that the message was rejected because it was considered spam :
Your email is considered spam (53.5 spam-hits)
For attachment rejection, the message contains the name of the attachment :
Your email was rejected because it contains a bad attachment: trojan.exe
Let's assume that spamassassin is configured with a spam level of 5.0, so that hits above this score are labeled as spam.
Of course, soon or later, spamassassin will label as junk an important email for a customer of yours, and we will never want to reject such a message. On the other hand there will be a score level, say 9.5, above which we can absolutely trust in spamassassin response and let simscan reject those emails without storing them in the user's mailbox.
Therefore we will configure simscan/spamassassin in order to:
To accomplish this create a simcontrol like the following:
cat > /var/qmail/control/simcontrol << __EOF__ :clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif __EOF__
Remember to update simcontrol.cdb every time you modify simcontrol
# update simcontrol.cdb /var/qmail/bin/simscanmk
echo ':allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/simscan"' >> ~vpopmail/etc/tcp.smtp qmailctl cdb
Now simscan/chkuser will close the smtp communication after 3 wrong recipient. You may want to add an instruction like CHKUSER_RCPTLIMIT="50" to limit to the number of recipient per SMTP connection. To be honest, these are settings chkuser (not simscan).
You can setup rules for a specific user, a specific domain and a default rule as follows:
cat > /var/qmail/control/simcontrol << __EOF__ email@example.com:clam=yes,spam=no,attach=.txt:.com example.com:clam=no,spam=yes,attach=.mp3 :clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif __EOF__
If you want to enable DKIM you have to modify the simscan configuration accordingly as explained in the DKIM page.
The patch applayed will add a line like this to the header:
Received: by simscan 1.4.0 ppid: 5613, pid: 5684, t: 0.7355s scanners: attach: 1.4.0 clamav: 0.98.4/m:55/d:19599 spam: 3.4.0
You have to update the
simscan's database if you want to get the current versions of
# /var/qmail/bin/simscanmk -g simscan versions cdb file built. /var/qmail/control/simversions.cdb
Since the update has to be done each time you refresh the virus database, you have to adjust you
freshclam configutation as follows.
First of all let's download and install the program that will do the update:
wget --no-check-certificate https://qmail.jms1.net/simscan/update-simscan.c gcc -s -o /usr/local/sbin/update-simscan update-simscan.c chown root:clamav /usr/local/sbin/update-simscan chmod 4110 /usr/local/sbin/update-simscan
Now modify the
freshclam configuration file in order to run the
update-simscan executable each time the database is changed. You have to edit the file /usr/local/etc/freshclam.conf and modify it in this way:
/var/qmail/simscanon a ramdisk
simscan's information page, John Simpson suggests to mount the work directory of simscan on a ramdisk, in order to speed up the process of file load from the disk.
It is sufficient to mount that directory in this way in your
none on /var/qmail/simscan type tmpfs (nodev,noexec,noatime,uid=1010,gid=1004,mode=2750)
Be aware that you have to adjust the
gid to the actual
clamav user and group numbers respectively.
apache clamav dkim dovecot ezmlm fail2ban hacks lamp letsencrypt linux linux-vserver mariadb mediawiki mozilla mysql owncloud patches php proftpd qmail qmailadmin rbl roundcube rsync sieve simscan slackware spamassassin ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin