We read of virus infections (new ones come out all the time) and are somehow affected by spam mail on a daily basis. While there are plenty of free and commercial solutions (available as client applications) for both nuisances, system administrators need to have a strategy for dealing with these threats well before they reach the users’ mailboxes.
One such strategy is setting up an antivirus / antispam gateway. You can think of this tool as an intermediate layer (or filter) between the outside world and your internal network as far as email content is concerned.
In addition, if you think about it, it is much easier to install and maintain a single piece of software on a single machine (the mail server) than it is to do the same on several machines individually.
In this article we will introduce you to Sagator, an antivirus / antispam gateway for Linux mail servers written in Python. Among other things, Sagator provides database logging, usage statistics, and daily reports for users. That said, let’s get started.
Installing Sagator and Postfix Mail Server
To install Sagator in CentOS/RHEL 7, download and install the following RPM packages. The latest beta release (7) includes support and fixes for systemd – that is why we prefer to install it using this method instead of downloading the package from the repositories.
# rpm -Uvh https://www.salstar.sk/pub/sagator/epel/testing/7/i386/sagator-core-1.3.2-0.beta7.el7.noarch.rpm
# rpm -Uvh https://www.salstar.sk/pub/sagator/epel/testing/7/i386/sagator-1.3.2-0.beta7.el7.noarch.rpm
Additionally, you may want to install rrdtool, a utility used to create and display day / week / month / year graphs of the total / clean / virus / spam email counts.
These graphics will be available in /var/www/html/sagator once the service and its dependencies are fully functional.
# yum install epel-release
# yum install postfix spamassassin clamav clamav-scanner clamav-scanner-systemd clamav-data clamav-update rrdtool
This should come as no surprise: Sagator needs a mail server and antivirus / antispam software to hook into. In addition, you may need to install the mailx package, which provides MUA (Mail User Agent, also known as email client) functionality.
In Debian and Ubuntu, you will need to install Sagator from a precompiled .deb package, which you can download from here and install as follows:
# wget https://www.salstar.sk/pub/sagator/debian/pool/jessie/testing/sagator-base_1.3.2-0.beta7_all.deb
# wget https://www.salstar.sk/pub/sagator/debian/pool/jessie/testing/sagator_1.3.2-0.beta7_all.deb
# dpkg -i sagator-base_1.3.2-0.beta7_all.deb
# dpkg -i sagator_1.3.2-0.beta7_all.deb
# wget https://www.salstar.sk/pub/sagator/ubuntu/pool/trusty/testing/sagator-base_1.3.2-0.beta7_all.deb
# wget https://www.salstar.sk/pub/sagator/ubuntu/pool/trusty/testing/sagator_1.3.2-0.beta7_all.deb
# sudo dpkg -i sagator-base_1.3.2-0.beta7_all.deb
# sudo dpkg -i sagator_1.3.2-0.beta7_all.deb
As was the case with CentOS, you will need to install and configure the mail server, SpamAssassin, and ClamAV packages:
# aptitude install postfix spamassassin clamav clamav-daemon -y
Don’t forget to use sudo in Ubuntu.
Next, regardless of the distribution, you will need to update the virus definitions before starting ClamAV. Before doing so, edit /etc/clamd.d/scan.conf and /etc/freshclam.conf and delete the following line:
Also, in /etc/clamd.d/scan.conf, make sure the following line is uncommented:
And start / enable ClamAV, SpamAssassin, and Sagator:
# systemctl start clamd@scan
# systemctl start spamassassin
# systemctl start sagator
# systemctl enable clamd@scan
# systemctl enable spamassassin
# systemctl enable sagator
You may want to check the Sagator log to make sure the service started correctly:
# systemctl status -l sagator
or for more details,
# tail -f /var/spool/vscan/var/log/sagator/sagator.log
The above commands are illustrated in the following image:
Configuring Sagator in Linux
The main configuration file is located at /etc/sagator.conf. Let’s have a look at the minimum set of directives we need to set in order for Sagator to operate properly:
Step 1 – We will be using Sagator inside a chroot, so make sure the following line is uncommented:
CHROOT = '/var/spool/vscan'
Step 2 – Make sure the LOGFILE directive matches the following value:
LOGFILE = CHROOT + '/var/log/sagator/sagator.log'
Step 3 – Choose an antivirus that will be integrated with Sagator. To do so, make sure the lines highlighted in the image below are uncommented:
While you are free to choose from a wide variety of antivirus solutions, ClamAV provides good performance and stability. Although we will use ClamAV in this guide, keep in mind that the configuration file includes instructions for hooking Sagator up to other antivirus / antispam solutions.
When you’re done, run
# sagator --test
to check the configuration file. No output is a good thing! Otherwise, address whatever errors are reported before proceeding.
Integrating Sagator with Postfix
In order to integrate Sagator with Postfix, make sure the following lines are present in /etc/postfix/main.cf (Postfix hands every message to Sagator on port 27 and Sagator reinjects the clean ones on port 26):
mynetworks = 127.0.0.0/8
content_filter = smtp:[127.0.0.1]:27
and that the following service definition is present in /etc/postfix/master.cf:
#smtp      inet  n       -       n       -       -       smtpd
127.0.0.1:26 inet n - n - 30 smtpd
  -o content_filter=
  -o myhostname=localhost
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o mynetworks=127.0.0.0/8
  -o mynetworks_style=host
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_use_tls=no
Then restart Postfix and make sure it is enabled to start automatically on boot:
# systemctl restart postfix
# systemctl enable postfix
We can now proceed with testing.
To test Sagator, send an email from user root to user gacanepa with the following body. This is nothing more and nothing less than the standard GTUBE (Generic Test for Unsolicited Bulk Email) string provided by SpamAssassin, as shown in the image below:
Now let’s see what happens when a virus is sent as an attachment. In the following example we will use the EICAR test (refer to this Wikipedia entry for more details):
# wget http://www.eicar.org/download/eicar.com
# mail -a eicar.com gacanepa
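To see what the gateway is actually looking for in the two test messages above, here is an added Python example (not Sagator's code and not part of the original article) that builds the same two messages, GTUBE in the body and the EICAR file as an attachment, and walks every MIME part the way a content filter does. The sender, recipient and the simple string-matching verdict are assumptions for illustration; a real gateway hands the parts to ClamAV and SpamAssassin instead.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Published test strings, constructed inline so nothing has to be downloaded.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_message(body, attachment=None):
    """Build an RFC 5322 message like 'mail -a eicar.com gacanepa' would (addresses assumed)."""
    msg = EmailMessage()
    msg["From"] = "root@localhost"
    msg["To"] = "gacanepa@localhost"
    msg["Subject"] = "gateway test"
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        # Binary attachments are base64-encoded on the wire, so a filter must decode them.
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def classify(raw):
    """Return 'virus', 'spam' or 'clean' for a raw message, inspecting every MIME part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdict = "clean"
    for part in msg.walk():
        if part.is_multipart():
            continue                                  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""  # transfer-encoding removed
        if EICAR.encode() in payload:
            return "virus"                            # a virus verdict outranks spam
        if GTUBE.encode() in payload:
            verdict = "spam"                          # keep scanning: a later part may be a virus
    return verdict


if __name__ == "__main__":
    print("clean body      ->", classify(build_message("hello")))
    print("GTUBE body      ->", classify(build_message(GTUBE)))
    print("EICAR attachment->", classify(build_message("see attachment", ("eicar.com", EICAR.encode()))))
```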
Then check the log:
# tail -f /var/spool/vscan/var/log/sagator/sagator.log
Rejected emails are then delivered back to the sender with the corresponding notice:
What’s so good about this? As you can see, spam and viruses never actually reach the destination mail server or the users’ mailboxes; they are dropped or rejected at the gateway.
As we mentioned before, the graphs are available at http://<server ip or hostname>/sagator:
In this article we have explained how to install and configure Sagator, an antivirus / antispam gateway that integrates seamlessly with your mail server and protects it.
For more information and further functionality (there is much more to this incredible software than we can adequately cover in a single article!), you may want to refer to the project’s website at http://www.salstar.sk/sagator.
As always, don’t hesitate to drop us a line using the comment form below if you have any questions or comments.
Special thanks to Jan ONDREJ (SAL), the developer of Sagator, for his outstanding support while I was writing this article.