How to Use Sagator, an Antivirus/Antispam Gateway, to Protect Your Mail Server

We read of virus infections (new ones come out all the time) and are somehow affected by spam mail on a daily basis. While there are plenty of free and commercial solutions (available as client applications) for both nuisances, system administrators need to have a strategy for dealing with these threats well before they reach the users’ mailboxes.

SAGATOR - An Antiviriurs/Antispam Protection for Mail Server
SAGATOR – An Antiviriurs/Antispam Protection for Mail Server

One of such strategies is as setting up an antivirus / antispam gateway. You can think of this tool as an intermediate layer (or filter) between the outside world and your inside network as far as email content is concerned.

In addition, if you think of it, it is much easier to install and maintain a single piece of software in a single machine (the mail server) than it is to do the same on several machines individually.

In this article we will introduce you to Sagator, an antivirus/anti-spam gateway for Linux mail servers written in Python. Among other things, Sagator provides database logging, use statistics, and daily reports for users. That said, let’s get started.

Installing Sagator and Postfix Mail Server

To install Sagator in CentOS/RHEL 7, download and install the following RPM packages. The latest beta release (7) includes support and fixes for systemd – that is why we prefer to install it using this method instead of downloading the package from the repositories.

# rpm -Uvh https://www.salstar.sk/pub/sagator/epel/testing/7/i386/sagator-core-1.3.2-0.beta7.el7.noarch.rpm
# rpm -Uvh https://www.salstar.sk/pub/sagator/epel/testing/7/i386/sagator-1.3.2-0.beta7.el7.noarch.rpm

If you are performing this installation on a fresh server, please note that several other packages need to be installed as dependencies, among which we can mention Postfix, ClamAV, and SpamAssassin.

Additionally, you may want to also install Rrdtool, an utility to create and display day / week / month / year graphics of total / clean / virus / spam number of emails.

These graphics will be available in /var/www/html/sagator once the service and its dependencies are fully functional.

# yum install epel-release
# yum install postfix spamassassin clamav clamav-scanner clamav-scanner-systemd clamav-data clamav-update rrdtool

This is not a surprise as we will need a mail server, and antivirus / antispam software Sagator can hook up to. In addition, we may need to install the mailx package, which provides MUA (Mail User Agent, also known as Email Agent) functionalities.

In Debian and Ubuntu, you will need to install Sagator from a precompiled .deb package, which you can download from here and install as follows:

Debian Jessie:

# wget https://www.salstar.sk/pub/sagator/debian/pool/jessie/testing/sagator-base_1.3.2-0.beta7_all.deb 
# wget https://www.salstar.sk/pub/sagator/debian/pool/jessie/testing/sagator_1.3.2-0.beta7_all.deb 
# dpkg -i sagator-base_1.3.2-0.beta7_all.deb
# dpkg -i sagator_1.3.2-0.beta7_all.deb 

Ubuntu Trusty:

# wget https://www.salstar.sk/pub/sagator/ubuntu/pool/trusty/testing/sagator-base_1.3.2-0.beta7_all.deb 
# wget https://www.salstar.sk/pub/sagator/ubuntu/pool/trusty/testing/sagator_1.3.2-0.beta7_all.deb 
# sudo dpkg -i sagator-base_1.3.2-0.beta7_all.deb
# sudo dpkg -i sagator_1.3.2-0.beta7_all.deb

As it was the case with CentOS, you will need to install and configure the mail server, SpamAssassin, and ClamAV packages:

# aptitude install postfix spamassassin clamav clamav-daemon -y

Don’t forget to use sudo in Ubuntu.

Next, regardless of the distribution, you will need to update the virus definition before starting ClamAV. Before doing it, edit /etc/clamd.d/scan.conf and /etc/freshclam.conf and delete the following line:

Example

Also, in /etc/clamd.d/scan.conf, make sure the following line is uncommented:

LocalSocket /var/run/clamd.scan/clamd.sock

Finally, do

# freshclam

And start / enable ClamAV, SpamAssassin, and Sagator:

# systemctl start clamd@scan
# systemctl start spamassassin
# systemctl start sagator
# systemctl enable clamd@scan
# systemctl enable spamassassin
# systemctl enable sagator

You may want to check the Sagator log to make sure the service started correctly:

# systemctl status -l sagator

or for more details,

# tail -f /var/spool/vscan/var/log/sagator/sagator.log

The above commands are illustrated in the following image:

Check Sagator Status and Logs
Check Sagator Status and Logs

Configuring Sagator in Linux

The main configuration file is located at /etc/sagator.conf. Let’s have a look at the minimum set of directives we need to set in order for Sagator to operate properly:

Step 1 – We will be using Sagator inside a chroot, so make sure the following line is uncommented:

CHROOT = '/var/spool/vscan'

Step 2 – Make sure the LOGFILE directive matches the following value:

LOGFILE = CHROOT + '/var/log/sagator/sagator.log'

Step 3 – Choose an antivirus that will be integrated with Sagator. To do so, make sure the lines highlighted in the image below are uncommented:

Configure Sagator
Configure Sagator

While you are free to choose from a wide variety of antivirus solutions, ClamAV provides higher performance and stability. Although we will use ClamAV in this guide, please keep in mind that the configuration file includes the instructions to hook Sagator to other antivirus / antispam solutions.

When you’re done, run

# sagator --test

To check the configuration file. No output is a good thing! Otherwise, address whatever errors are found before proceeding.

Integrating Sagator with Postfix

In order to integrate Sagator with Postfix, make sure the following lines are present in /etc/postfix/main.cf and /etc/postfix/master.cf:

main.cf
mynetworks = 127.0.0.0/8
content_filter = smtp:[127.0.0.1]:27
master.cf
#smtp inet n - n -- smtpd
127.0.0.1:26 inet n - n - 30 smtpd
-o content_filter=
-o myhostname=localhost
-o local_recipient_maps=  -o relay_recipient_maps=
-o mynetworks=127.0.0.0/8  -o mynetworks_style=host
-o smtpd_restriction_classes=  -o smtpd_client_restrictions=
-o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=
-o smtpd_data_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_use_tls=no

Then restart postfix and make sure it’s enabled to start automatically on boot:

# systemctl restart postfix
# systemctl enable postfix

We can now proceed with testing.

Testing Sagator

To test Sagator, send an email from user root to user gacanepa with the following body. This is nothing more and nothing less than the standard GTUBE (Generic Test for Unsolicited Bulk Email) provided by SpamAssassin, as shown in the image below:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
Testing Sagator
Testing Sagator

Now let’s see what happens when a virus is sent as an attachment. In the following example we will use the EICAR test (refer to this Wikipedia entry for more details):

# wget http://www.eicar.org/download/eicar.com
# mail -a eicar.com gacanepa

Then check the log:

# tail -f /var/spool/vscan/var/log/sagator/sagator.log
Check Mail Logs for Virus
Check Mail Logs for Virus

Rejected emails are then delivered back to the sender with the corresponding notice:

Rejected Mail Returned to Sender
Rejected Mail Returned to Sender

What’s so good about this? As you can see, spam and viruses never actually make it to the destination mail server and the users’ mailboxes, but they are dropped or rejected at the gateway level.

As we mentioned before, the graphs are available at http://<server ip or hostname>/sagator:

Sagator Mail Statistics
Sagator Mail Statistics

Summary

In this article we have explained how to install and configure Sagator, an antivirus / antispam gateway which integrates seamlessly with and protects your mail server.

For more information and further functionality (there is much more to this incredible software than we can adequately cover in a single article!), you may want to refer to the project’s website at http://www.salstar.sk/sagator.

As always, don’t hesitate to drop us a line using the comment form below if you have any questions or comments.

Special thanks to Jan ONDREJ (SAL), the developer of Sagator, for his outstanding support while I was writing this article.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Gabriel Cánepa
Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

12 Comments

Leave a Reply
  1. What is the point of installing Sagator when you can simply use Spamassassing (and also ClamAV) by themselves?

    What’s the advantage of adding yet another component into the mix?

    Thanks!

    Reply
  2. My end solution was to use ScrolloutF1. It’s a Debian flavor and has a downloadable iso that you load as a second machine, either vm or physical. My incoming mail goes through Scrollout then to my mail server. I didn’t feel the need to use it for out going. It seems to be working very well.

    You can run outgoing mail through it also but at this point I didn’t feel the need to.

    Just an alternative solution I thought I would share.

    Reply
  3. I tried it in a production server running Slackware. Recompiled from source. Under SCANNERS = [ ….. ] array, it looks that alternatives() is called on with its input parameters, but it is commented out.

    It throws me error when I started sagator. So what I did, I comment out #alternatives( and its matching ), below. In your screenshot, you only show ‘buffer2mbox(CLAMAV)’ commented out.

    Reply
  4. In the master.cf you commented out:

    # smtp inet n - n -- smtpd
    

    This will stop postfix from listening on port 25. Resulting in the machine no longer accepting email coming in on the standard email port and it will no longer receive email from external.
    The master.cf should look more like this:

    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    127.0.0.1:26    inet n - n - 30 smtpd
      -o content_filter=
      -o myhostname=sagator.timmonsclan.ca
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o mynetworks=127.0.0.0/8
      -o mynetworks_style=host
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_data_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o smtpd_use_tls=no
    smtp      inet  n       -       n       -       -       smtpd 
    ....
    
    Reply
  5. When I make the changes to the main.cf it shuts email down. As soon as I undo those changes, email works perfectly.

    It seems there is something needed or missing from the config. This is a “real world” email server and I can’t have it down.

    I need some direction to get sagator integrated with postfix and the email flowing properly.

    Any suggestions would be greatly appreciated.

    Reply
  6. This may be a dumb question nut here goes; Should I be able to use Sagator and spamassasin together or chose on or the other?

    I have spamassasin working, but when I try to config Sagator, it stops everything.
    Just need some clarification.
    Thanks.

    Reply
  7. Hello,
    Sorry to my english, i’m french.
    Sagator can not send me the emails received. No error message, it is as if I did not receive it when I send it. Gmail / Live tells me this error message: The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720 [mail.domain.eu. XXX.XXX.XX.XXX: generic :: failed_precondition: connect error (0): error]
    An idea ? If I remove the changes in postfix, all messages reach me.

    Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.