Our company's mail server, which I built with sendmail + procmail + spamassassin, suddenly crashed recently.
In the end I traced it to too many messages arriving at the same time: perl ended up running 300-odd processes, memory was exhausted and the machine went down.
It looks like spamassassin is too heavy for the host, so I went online looking for a simpler way to filter spam.
Enhancing E-Mail Security With Procmail : the E-mail Sanitizer
=> A free server-side mail virus scanner: Sanitizer
Installation steps for Sendmail + Procmail + Sanitizer
1) Note: all of the steps below were tested on FreeBSD. If your platform is Linux, watch for differences in the filesystem layout (paths).
2) If anything below is wrong, corrections are welcome. ^_^
Step 1. Download the files: sendmail.8.12.6.tar.gz, procmail-3.22.tar.gz, procmail-sanitizer.tar.gz
(check the official site of each of the three for a newer version before downloading)
Step 2. Official sites:
1) sendmail: http://www.sen....org (latest at the time of writing: 8.12.6)
Note: to install 8.12 or later you must first create the smmsp and mailnull accounts. If your FreeBSD is 4.6 or later you are in luck: the bundled sendmail is already 8.12.3 and both accounts already exist:
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
2) procmail: http://www.pro....org (latest: 3.22)
3) sanitizer: http://www.impsec.org/email-to...security.html (latest: 1.136; procmail-sanitizer.tar.gz and html-trap.procmail.nomacroscan.gz)
Step 3. Put the three source tarballs under /tmp (or any other directory you consider more suitable).
Step 4. Install procmail
cd /tmp
tar zxvf procmail-3.22.tar.gz
cd procmail-3.22/
vi src/authenticate.c
Find the line #define MAILSPOOLDIR "/var/spool/mail/"
and change it to #define MAILSPOOLDIR "/var/mail/" (this is FreeBSD-specific; on Linux leave it alone)
Save authenticate.c, then:
make install
Step 5. Install sendmail
cd /tmp
tar zxvf sendmail.8.12.6.tar.gz
cd sendmail-8.12.6/
./Build
make install
# If you do not want to upgrade sendmail you can skip the steps above, but you still have to fetch and unpack the sendmail source matching the version already on the system, because the cf files are built from it.
Build the sendmail.cf configuration file
cd /tmp/sendmail-8.12.6/cf/cf/
cp generic-bsd4.4.mc MYCF.mc
# (on Linux use generic-linux.mc instead)
cd ../feature
cat local_procmail.m4 >> ../cf/MYCF.mc
cat access_db.m4 >> ../cf/MYCF.mc
cat delay_checks.m4 >> ../cf/MYCF.mc
cat virtusertable.m4 >> ../cf/MYCF.mc
cat blacklist_recipients.m4 >> ../cf/MYCF.mc
cd ../cf
# Before running the next command, edit MYCF.mc (not the .cf, which Build generates) and move the MAILER(local)dnl line below the block of features you just appended. The cf README requires every FEATURE() to be processed before any MAILER(): local_procmail sets the local mailer's parameters, and if MAILER(local) is expanded first the build of MYCF.cf fails.
sh Build MYCF.cf
cp MYCF.cf /etc/mail/sendmail.cf
cd /etc/mail
vi sendmail.cf
Find the line Mlocal, P=/usr/local/bin/procmail,
and change it to Mlocal, P=/usr/bin/procmail,
(use whichever path procmail was actually installed to: the source build above defaults to the /usr prefix, while the FreeBSD port installs under /usr/local)
Since the 8.10 series sendmail keeps all of its configuration files under /etc/mail,
so if you still have access and aliases files from 8.9.x in /etc, copy them to /etc/mail.
Then cd /etc/mail
makemap hash access.db < access
makemap hash virtusertable.db < virtusertable
newaliases
touch local-host-names
vi local-host-names
add every nickname (alias hostname) of the mail server;
if the host has only a single domain name this file can be left empty.
Format:
xxxx.tc.edu.tw (xxxx is your school's domain name)
mail.xxxx.tc.edu.tw
Restart sendmail
ps aux|grep sendmail   (to find its PID)
kill -HUP PID
If the restart above does not work properly, kill -9 that PID and start it again with
/usr/sbin/sendmail -bd -q30m
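Added example (not part of the reposted tutorial): a POSIX shell script that builds MYCF.mc the way cf/README describes, with FEATURE(`...') lines inserted before the template's MAILER(...) lines instead of appending the raw feature files with cat, and then checks that ordering before you run sh Build MYCF.cf. It also emits a define of PROCMAIL_MAILER_PATH (the cf macro the local_procmail feature honours) so the Mlocal path lands in the generated .cf instead of being hand-edited into /etc/mail/sendmail.cf afterwards. The feature list is the tutorial's; the template, output file and procmail path are arguments, and the template used in its test is a constructed stand-in for generic-bsd4.4.mc.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build MYCF.mc with the
# FEATURE() lines placed BEFORE MAILER(local) and verify that ordering
# before running "sh Build MYCF.cf".
# Assumptions: the template (e.g. cf/cf/generic-bsd4.4.mc), the output
# file and the procmail path are passed as arguments; nothing is hard-wired.

# Features the tutorial enables. cf/README requires every FEATURE() to
# appear before any MAILER(); appending whole feature files after the
# template's MAILER lines is what forced the hand reordering in the tutorial.
FEATURES="local_procmail access_db delay_checks virtusertable blacklist_recipients"

# make_mc TEMPLATE PROCMAIL_PATH: print the template with a
# define(PROCMAIL_MAILER_PATH) and the FEATURE lines inserted just before
# the first MAILER() line, so "Mlocal, P=..." in the .cf is right from the
# start. Exits 2 if the template has no MAILER() line at all.
make_mc() {
    awk -v features="$FEATURES" -v procmail="$2" '
        BEGIN { n = split(features, f, " "); q = sprintf("%c", 39) }  # q = single quote
        /^MAILER\(/ && !done {
            printf "define(`PROCMAIL_MAILER_PATH%s, `%s%s)dnl\n", q, procmail, q
            for (i = 1; i <= n; i++) printf "FEATURE(`%s%s)dnl\n", f[i], q
            done = 1
        }
        { print }
        END { if (!done) exit 2 }
    ' "$1"
}

# check_mc_order FILE: succeed only if no FEATURE() line follows a MAILER()
# line; otherwise list the offenders, which is what "sh Build" would choke on.
check_mc_order() {
    awk '
        /^MAILER\(/ { seen_mailer = 1 }
        /^FEATURE\(/ && seen_mailer {
            printf "line %d: %s appears after a MAILER() line\n", NR, $0; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Usage: sh mkcf.sh cf/cf/generic-bsd4.4.mc cf/cf/MYCF.mc /usr/bin/procmail
if [ $# -ge 2 ]; then
    make_mc "$1" "${3:-/usr/bin/procmail}" > "$2" || echo "no MAILER() line in $1" >&2
    check_mc_order "$2" && echo "ok: cd $(dirname "$2") && sh Build $(basename "$2" .mc).cf"
fi
```

Run it from the unpacked sendmail tree; if check_mc_order prints anything, fix the .mc before building, because m4 will not tell you as clearly.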
Step 6. Install sanitizer
mkdir /etc/procmail;chown root.wheel /etc/procmail;chmod 755 /etc/procmail
cp /tmp/procmail-sanitizer.tar.gz /etc/procmail/
cd /etc/procmail
tar zxvf procmail-sanitizer.tar.gz
chown root.wheel ./*;chmod 644 ./*
cd /etc
touch procmailrc   (this is procmail's system-wide rc file)
vi procmailrc
(Our school's procmailrc is shown below. For more settings, or to study the environment variables, see
http://www.impsec.org/email-tools...iguration.html
or subscribe to the mailing list at http://www.spconnect.com/m...info/esa-l to consult mail admins around the world,
exchange experiences and see how others handle mail security.)
################################
MAILDIR=/var/mail
MANGLE_EXTENSIONS='vbs|exe'
# MANGLE_EXTENSIONS: the myth of killing viruses by mangling extensions; with the default list test.pot came out as test.60276DEFANGED-pot!!!
VERBOSE=off
PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/ucb:/etc:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin/
SHELL=/bin/sh
PMDIR=$HOME/.procmail
POISONED_EXECUTABLES=/etc/procmail/poisoned-files
SECURITY_NOTIFY="postmaster, security-dude"
SECURITY_NOTIFY_VERBOSE="virus-checker"
SECURITY_NOTIFY_SENDER=/etc/procmail/sanitizer-security-policy.txt
SECRET="CHANGE THIS"
POISONED_SCORE=25
SCORE_HISTORY=/var/log/macro-scanner-scores
DROPPRIVS=YES
LOGFILE=/var/log/procmail.log
NL=""
LOGABSTRACT=no
SECURITY_QUARANTINE=/var/log/sanitizer.log
INCLUDERC=/etc/procmail/html-trap.procmail
#INCLUDERC=/etc/procmail/html-trap.procmail.nomacroscan
POISONED_EXECUTABLES=
SECURITY_NOTIFY=
SECURITY_NOTIFY_VERBOSE=
SECURITY_NOTIFY_SENDER=
SECURITY_QUARANTINE=
SECRET=
##################################################
Next, create the log files (if your site's mail volume is large, the first two grow very quickly;
you can set up /etc/newsyslog.conf to compress, archive and delete them on a schedule).
Mode 622 is needed because DROPPRIVS=YES makes procmail drop root and run as each recipient, so every local user must be able to append to these files; the price is that any local user can also write to (but not read) them, so do not treat them as tamper-proof audit logs. Also change SECRET from the placeholder "CHANGE THIS" to a private random string before going live; procmail reads /etc/procmailrc with root privileges before dropping them, so the file can be mode 600, and the rc clears SECRET= after the INCLUDERC so the value does not leak into per-user processing.
touch /var/log/sanitizer.log;chmod 622 /var/log/sanitizer.log
touch /var/log/procmail.log;chmod 622 /var/log/procmail.log
touch /var/log/macro-scanner-scores;chmod 622 /var/log/macro-scanner-scores
touch /etc/procmail/sanitizer-security-policy.txt
When procmail+sanitizer filters a problematic message (usually one carrying a virus), it mails a notice to the three accounts
postmaster, security-dude and virus-checker (these were just specified in /etc/procmailrc; if the names are hard to remember, change them to whatever you like).
postmaster is already a default alias in /etc/mail/aliases; the other two have to be added to /etc/mail/aliases by hand.
At our school I added to aliases:
postmaster:mis (the system default for this line is postmaster: root)
virus-checker:mis
security-dude:mis
After editing, remember to run newaliases in /etc/mail to rebuild aliases.db.
That way we only need to read mis's mail. (You can of course point them at any other valid account at your site.)
Finally, restart sendmail once more and you are done. (procmail itself re-reads /etc/procmailrc on every delivery, so the restart only matters for the sendmail.cf changes made above.)
#### Poisoned Files list (the contents of /etc/procmail/poisoned-files, the file named by POISONED_EXECUTABLES above): with the list set like this, what attachments do you think can still get through?
*.asd
*.bat
*.chm
*.cil
*.cmd
*.com
*.dll
*.exe
*.hlp
*.hta
*.js
*.lnk
*.nws
*.ocx
*.pif
*.reg
*.scr
*.sh[bs]
*.vb
*.vb[se]
*.ws[cfh]
*.[a-z][a-z][a-z0-9].exe
*.[a-z][a-z][a-z0-9]\s+.exe
*.[a-z][a-z].(?=[a-z0-9]+$)(?!(doc$|rtf$|xls$))
*.[a-z][a-z]\s+.(?=[a-z0-9]+$)(?!(doc$|rtf$|xls$))
*.[a-z][a-z][a-z0-9].(?=[a-z0-9]+$)(?!(doc$|rtf$|xls$))
*.[a-z][a-z][a-z0-9]\s+.(?=[a-z0-9]+$)(?!(doc$|rtf$|xls$))
*\s+.exe
[0-9]+-i386-update.exe
.*romeo.exe
alyssa?s?here?.exe
amateurs.exe
anal.exe
anna.exe
anniv.doc
anti_cih.exe
anti_terrorism.exe
antivirus.exe
ants[0-9]+set.exe
aol4free.com
asian.exe
atchim.exe
avp[0-9].[0-9].exe
avp_updates.exe
babylonia.exe
badass.exe
bar.exe
binladen_bra[sz]il.exe
black.exe
blancheneige.exe
blonde.exe
boys.exe
buhh.exe
celebrity?rape.exe
cheerleader.exe
chocolate.exe
christmas.exe
comical_story.doc
common.exe
compu_ma.exe
creative.exe
cum.exe
cumshot.exe
*demo*.exe
disk.exe
doctor.exe
doggy.exe
dwarf4you.exe
emanuel.exe
enanito?fisgon.exe
enano.exe
enano?porno.exe
euro.exe
famous.exe
files.exe
fist-f?cking.exe
gay.exe
girls.exe
happy[0-9]+.exe
hardcore.exe
honey.exe
horny.exe
hot.exe
hottest.exe
i-watch-u.exe
ibmls.exe
ie[0-9]+.exe
images_zipped.exe
*install*.exe
invoice.exe
javascript.exe
jesus.exe
joke.exe
kinky.exe
leather.exe
led.exe
lesbians.exe
list.doc
lovers.exe
luckey.exe
masyanya.exe
matcher.exe
messy.exe
missworld.exe
misworld.exe
mkcompat.exe
mmsn_offline.htm
ms[0-9-]+.exe
mwld.exe
mwrld.exe
nakedwife.exe
navidad.exe
ntkrnl.exe
oains.exe
oral.exe
orgy.exe
*password.exe
*patch*.exe
path.xls
photos17.exe
picture.exe
pippo.exe
pleasure.exe
porkis.exe
pretty?park.exe
prettypark.exe
q[0-9][0-9][0-9]+.exe
qi_test.exe
quake4demo.exe
raquel?darian.exe
readme.exe
rede.exe
romeo.exe
sado.exe
sample.exe
seicho_no_ie.exe
serialz.hlp
*setup*.exe
sex.exe
sexy.exe
shake.exe
si.exe
slut.exe
sm.exe
sodomized.exe
softwarekey.exe
sslpatch.exe
story.doc
suck.exe
sulfnbk.exe
suppl.doc
surprise!.exe
suzete.exe
tattoo.exe
teens.exe
tettona.exe
teuro.exe
*update*.exe
*upgrade*.exe
userconf.exe
virgins.exe
whatever.exe
wtc.exe
x-mas.exe
xena.exe
xuxa.exe
xxxpic*.exe
y2kcount.exe
yahoo.exe
yawsetup.exe
zacker.exe
zipped_files.exe
?.exe
Reposted from
http://w3.tceb.edu.tw/study/networ...tizerSetup.txt. However, because it automatically unpacks zip and rar archives to check for virus file extensions, which also eats a lot of host resources, and since every PC has antivirus software these days anyway, I turned that feature off. I also don't need to filter Office viruses, so I switched to html-trap.procmail.nomacroscan.
I went through the official documentation at
http://www.impsec.org/email-tools...iguration.html and below is my configuration; I hope those who are interested can look into it together.
################################
MAILDIR=/var/mail
MANGLE_EXTENSIONS='vbs|exe'
# MANGLE_EXTENSIONS: the myth of killing viruses by mangling extensions; with the default list test.pot came out as test.60276DEFANGED-pot!!!
VERBOSE=off
PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/ucb:/etc:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin/
SHELL=/bin/sh
PMDIR=$HOME/.procmail
POISONED_EXECUTABLES=/etc/procmail/poisoned-files
SECURITY_NOTIFY="postmaster, security-dude"
SECURITY_NOTIFY_VERBOSE="virus-checker"
SECURITY_NOTIFY_SENDER=/etc/procmail/sanitizer-security-policy.txt
SECRET="CHANGE THIS"
POISONED_SCORE=25
SCORE_HISTORY=/var/log/macro-scanner-scores
DROPPRIVS=YES
LOGFILE=/var/log/procmail.log
NL=""
LOGABSTRACT=no
SECURITY_QUARANTINE=/var/log/sanitizer.log
DISABLE_RAR_SCAN=YES
DISABLE_ZIP_SCAN=YES
DISABLE_JPEG_SCAN=YES
#INCLUDERC=/etc/procmail/html-trap.procmail
INCLUDERC=/etc/procmail/html-trap.procmail.nomacroscan
POISONED_EXECUTABLES=
SECURITY_NOTIFY=
SECURITY_NOTIFY_VERBOSE=
SECURITY_NOTIFY_SENDER=
SECURITY_QUARANTINE=
SECRET=
##################################################
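Added example (not part of the original post or of the Sanitizer distribution): a POSIX shell checker for an /etc/procmailrc like the two shown above (the reposted school config and the poster's own), meant to run before the final sendmail restart. It reads the first non-empty assignment of each variable (both rcs deliberately clear them again after INCLUDERC), and flags a SECRET left at the placeholder, DISABLE_*_SCAN values other than the documented YES (a typo such as YE would otherwise go unnoticed), missing INCLUDERC / poisoned-file / policy files, log and quarantine files that dropped-privilege delivery cannot write or that other users can read, and notification names with no entry in /etc/mail/aliases. Every path and name comes from the rc and aliases files passed in; the rc and aliases in its test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an
# /etc/procmailrc written for the E-mail Sanitizer before restarting
# sendmail. Variable names are the Sanitizer's own; all paths come from
# the rc itself. Usage:
#   sh check-rc.sh --check /etc/procmailrc /etc/mail/aliases

# rc_value RC VAR: first non-empty assignment of VAR in RC, quotes stripped.
# The rcs above clear SECRET etc. again after INCLUDERC on purpose, so the
# first assignment is the one the sanitizer actually saw. A commented-out
# "#INCLUDERC=" line does not start with the name and is skipped.
rc_value() {
    awk -v var="$2" -v sq="'" '
        index($0, var "=") == 1 {
            v = substr($0, length(var) + 2)
            qs = "[\"" sq "]"
            gsub("^" qs, "", v); gsub(qs "$", "", v)
            if (v != "") { print v; exit }
        }' "$1"
}

fail() { echo "FAIL: $*"; rc=1; }

# check_sanitizer_rc RC ALIASES: print every problem found, return 1 if any.
check_sanitizer_rc() {
    rcfile=$1 aliases=$2 rc=0

    # The shipped placeholder (or an empty value) is a secret anyone knows.
    case $(rc_value "$rcfile" SECRET) in
        ""|"CHANGE THIS") fail "SECRET is unset or still the placeholder" ;;
    esac

    # The configuration page documents DISABLE_*_SCAN=YES. Anything else
    # (e.g. the typo YE) is flagged so you never assume a scan is off.
    bad=$(awk -F= '/^DISABLE_[A-Z]*_SCAN=/ && $2 != "YES" { printf "%s ", $0 }' "$rcfile")
    [ -z "$bad" ] || fail "not exactly YES: $bad"

    # Files the sanitizer reads must exist; a wrong INCLUDERC path means
    # every message is delivered unsanitized without any error you would see.
    for var in INCLUDERC POISONED_EXECUTABLES SECURITY_NOTIFY_SENDER; do
        f=$(rc_value "$rcfile" "$var")
        [ -n "$f" ] && [ -r "$f" ] || fail "$var=$f is not a readable file"
    done

    # With DROPPRIVS=YES delivery runs as each recipient, so the log,
    # quarantine and score files must be writable by other users (the
    # tutorial's chmod 622). The quarantine holds captured malware and
    # copies of other people's mail, so it must not be readable by them.
    for var in LOGFILE SECURITY_QUARANTINE SCORE_HISTORY; do
        f=$(rc_value "$rcfile" "$var")
        [ -f "$f" ] || { fail "$var=$f does not exist; touch it first"; continue; }
        perms=$(ls -ld "$f")                       # e.g. -rw--w--w- ...
        case $perms in ????????w*) ;; *) fail "$var=$f not writable by other users" ;; esac
        if [ "$var" = SECURITY_QUARANTINE ]; then
            case $perms in ???????r*) fail "$var=$f is readable by other users" ;; esac
        fi
    done

    # Notification targets without an @ must resolve locally; the tutorial
    # uses aliases (security-dude, virus-checker -> mis). A missing entry
    # means the virus notices bounce and nobody sees them.
    for who in $(rc_value "$rcfile" SECURITY_NOTIFY | tr ',' ' ') \
               $(rc_value "$rcfile" SECURITY_NOTIFY_VERBOSE | tr ',' ' '); do
        case $who in *@*) continue ;; esac
        grep -q "^$who[[:space:]]*:" "$aliases" || fail "$who has no entry in $aliases"
    done
    return $rc
}

case ${1:-} in --check) check_sanitizer_rc "$2" "${3:-/etc/mail/aliases}" ;; esac
```

Run it as root after editing the rc and before the restart; an exit status of 0 with no output means all five checks passed. It does not parse the sanitizer's own rules, so it cannot prove the filter works, only that the rc points at real files with sane values.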