# A Guide Or A How-To

## eltech

Is there a guide or a how to on getting the following to work on a GENTOO system

-qmail

-vpopmail

-qmail-pop3d

-qmail-scanner

-AN ANTIVIRUS HERE?   :Laughing: 

i have installed clamd, and it seems to do nothing.. am not sure i have the concept of how linux antivirus scanners work ..

i need it simply because i myself got hit with a wakup(virus) while at home reading mail on my kid's machine (windows)

i also have some clients whom i allow relay access and they use outlook as well

thanks ..

----------

## OdinsDream

 *eltech wrote:*   

> Is there a guide or a how to on getting the following to work on a GENTOO system
> 
> -qmail
> 
> -vpopmail
> ...

 

eltech, I installed the qmail stuff you mention by simply emerging qmail-pop3d. I had to have "ssl" in my USE variable, but other than that, the items installed wonderfully.

Have you run into complications?

As far as viruses go, can you post a link to a virus that might harm your gentoo system? Or do you mean a passthrough scanner to operate at the mail-server level for your clients?

----------

## eltech

Ok ..

i was home.. downloading mail .. using imap cause i cant use pop3 cause i have vpopmail and i dont know how to access pop3 mail, but anyway ..

i downloaded an email and it contained the WORM_KLEZ virus ..

it did not infect my Gentoo box, but the comp at home got caught while using outlook .. it was in a *.jpg file ..

so what i am thinking is that qmail-scanner will scan attachments for viruses using an antivirus application (clamd)?

i am not sure how it all works, but i cant have a client get a virus because i have no security set up ..

hope you understand now  :Smile: 

PS: I also hear that a qmail-queue patch is needed .. i did not see anything in the ebuild(not like am an expert). ???

----------

## Jimbow

The qmail install was a breeze for me too.   I do remember though that there were some instructions printed to the screen at the end of the emerge.   If you missed these you can probably find them in the ebuild file.

An emerge -S virus gives the following: 

```
 # emerge -S virus

[ Results for search key : virus ]

[ Applications found : 6 ]

*  net-mail/vlnx

      Latest version available: 416e

      Latest version installed: [ Not Installed ]

      Size of downloaded files: 8,101 kB

      Homepage:    http://www.mcafeeb2b.com/

      Description: McAfee VirusScanner for Unix/Linux(Shareware)

*  net-mail/pop3vscan

      Latest version available: 0.4

      Latest version installed: [ Not Installed ]

      Size of downloaded files: 131 kB

      Homepage:    http://pop3vscan.sf.net/

      Description: A transparent POP3-Proxy with virus-scanning capabilities.

*  net-mail/f-prot

      Latest version available: 3.12c

      Latest version installed: [ Not Installed ]

      Size of downloaded files: 1,848 kB

      Homepage:    http://www.f-prot.com/

      Description: Frisk Software's f-prot virus scanner

*  net-mail/amavis

      Latest version available: 0.3.12

      Latest version installed: [ Not Installed ]

      Size of downloaded files: 311 kB

      Homepage:    http://www.amavis.org

      Description: A perl module which integrates virus scanning software with your MTA

*  net-mail/clamav

      Latest version available: 0.60

      Latest version installed: [ Not Installed ]

      Size of downloaded files: 994 kB

      Homepage:    http://clamav.elektrapro.com

      Description: Clam Anti-Virus Scanner

*  net-mail/qmail-scanner

      Latest version available: 1.16-r1

      Latest version installed: [ Not Installed ]

      Size of downloaded files: 114 kB

      Homepage:    http://qmail-scanner.sourceforge.net/

      Description: E-Mail virus scanner for qmail.
```

----------

## eltech

ok .. so Gentoo has AV in the portage tree and when trying to emerge 'qmail-scanner'

```
emerge -p qmail-scanner

These are the packages that I would merge, in order:

Calculating dependencies ...done!

[ebuild  N   ] net-mail/clamav-0.60  

[ebuild  N   ] app-arch/unzip-5.50-r2  

[ebuild  N   ] net-mail/tnef-1.2.1  

[ebuild  N   ] dev-perl/Time-HiRes-1.47  

[ebuild  N   ] dev-perl/DB_File-1.803-r2  

[ebuild  N   ] net-mail/maildrop-1.5.3  

[ebuild  N   ] net-mail/qmail-scanner-1.16-r1  

```

so now the next question is how hard is clamav to configure? perl?

----------

## Jimbow

I would just do the emerge, follow the instructions and then ask questions if that doesn't work.

----------

## eltech

I did emerge it ..

i performed this

```
* 

 * NOTICE:

 * Set QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl

 * in your /etc/tcp.smtp file to activate qmail-scanner.

 * 
```

looks like this..

doesnt seem that qmail-scanner is running ..

there a way to start it?

```
:allow,QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl  
```

correct?

----------

## eltech

it is working .. sorry bout that

'/var/spool/qmailscann/'

i just tail'd the log and its working.. now the file to edit is quarantine-attachments.txt correct?

----------

## whizr

Well I am trying to setup an email server using qmail, vpopmail, courier-smtp w/ssl, qmail-scanner, spamassassin, clamav, and squirrelmail.

now... I have everything working except clam... /var/spool/qmailscan/quarantine.log says it scanned the email and found eicar, but won't remove the email. or send any notice. I am sure this is something I have overlooked but I can't seem to find the solution, please help.

here is the log output:

```
Wed, 13 Jul 2005 18:49:41 PDT           root@xxx    Qmail-Scanner viral test (3/4): checking non-perlscanner AV...  Eicar-Test-Signature clamdscan: 0.86.1/977. spamassassin: 3.0.4. perlscan: 1.25st.
```

/var/spool/qmailscan/qmail-queue.log:

```
...
Wed, 13 Jul 2005 18:49:40 PDT:6347: unsetting QMAILQUEUE env var
Wed, 13 Jul 2005 18:49:40 PDT:6347: g_e_h: return-path is "", recips is "root@xxx"
Wed, 13 Jul 2005 18:49:40 PDT:6347: from=Qmail-Scanner Test <xxx@xxx>,subj=Qmail-Scanner viral test (3/4): checking non-perlscanner AV..., x-qmail-scanner-message-id=<20050714014940.6346.qmail@xxx> via local process 6347
Wed, 13 Jul 2005 18:49:40 PDT:6347: ini_sc: start scanning
Wed, 13 Jul 2005 18:49:40 PDT:6347: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/BRAIN11213057807186347/
Wed, 13 Jul 2005 18:49:40 PDT:6347: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/BRAIN11213057807186347"...
Wed, 13 Jul 2005 18:49:40 PDT:6347: scanloop: scanner=clamdscan_scanner,plain_text_msg=0
Wed, 13 Jul 2005 18:49:40 PDT:6347: clamdscan: starting scan of directory "/var/spool/qmailscan/tmp/BRAIN11213057807186347"...
Wed, 13 Jul 2005 18:49:40 PDT:6347: run /usr/bin/clamdscan --no-summary  /var/spool/qmailscan/tmp/BRAIN11213057807186347 2>&1
Wed, 13 Jul 2005 18:49:41 PDT:6347: --output of clamdscan was:
/var/spool/qmailscan/tmp/BRAIN11213057807186347/textfile0: Empty file
/var/spool/qmailscan/tmp/BRAIN11213057807186347/textfile1: OK
/var/spool/qmailscan/tmp/BRAIN11213057807186347/sneaky.txt: Eicar-Test-Signature FOUND
--
Wed, 13 Jul 2005 18:49:41 PDT:6347: There be a virus! (Eicar-Test-Signature)
Wed, 13 Jul 2005 18:49:41 PDT:6347: clamdscan: finished scan of dir "/var/spool/qmailscan/tmp/BRAIN11213057807186347" in 0.702992 secs
Wed, 13 Jul 2005 18:49:41 PDT:6347: scanloop: finished scan of "/var/spool/qmailscan/tmp/BRAIN11213057807186347"...
Wed, 13 Jul 2005 18:49:41 PDT:6347: ini_sc: scanning message took 0.703648 seconds
Wed, 13 Jul 2005 18:49:41 PDT:6347: unsetting TCPREMOTEIP env var
Wed, 13 Jul 2005 18:49:41 PDT:6347: e_v_r: quarantine  msg to /var/spool/qmailscan/quarantine/new/BRAIN11213057807186347
Wed, 13 Jul 2005 18:49:41 PDT:6347: w_v_r: writing quarantine log report of: Wed, 13 Jul 2005 18:49:41 PDT              root@xxx    Qmail-Scanner viral test (3/4): checking non-perlscanner AV...     Eicar-Test-Signature    clamdscan: 0.86.1/977. spamassassin: 3.0.4. perlscan: 1.25st.
Wed, 13 Jul 2005 18:49:41 PDT:6347: e_v_r: email_quarantine_report took 0.001129 seconds to execute
Wed, 13 Jul 2005 18:49:41 PDT:6347: qmail-scanner: CLAMDSCAN:Eicar-Test-Signature:RC:1(127.0.0.1):      0.716457        1253    <>      root@cc-wireless.net       Qmail-Scanner viral test (3/4): checking non-perlscanner AV...  <20050714014940.6346.qmail@xxx>       BRAIN11213057807186347-unpacked:1253
Wed, 13 Jul 2005 18:49:41 PDT:6347: cleanup: /bin/rm -rf /var/spool/qmailscan/tmp/BRAIN11213057807186347/ /var/spool/qmailscan/working/new/BRAIN11213057807186347
Wed, 13 Jul 2005 18:49:41 PDT:6347: --- all finished. Total of 0.719837 secs
```

----------
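An added example (not part of the thread and not qmail-scanner's own code) for reading a `qmail-queue.log` like the one posted above: it lists every scanner process that logged "There be a virus!" together with the signature and the quarantine path, and flags detections with no quarantine line. The sample log lines are constructed, modelled on the format in the post; the function names `qs_verdicts` and `qs_sample` are hypothetical.

```shell
#!/bin/sh
# Summarise qmail-scanner debug log verdicts, one line per scanner PID:
#   <pid> TAB <signature> TAB <quarantine path | NOT-QUARANTINED>

qs_verdicts() {
    awk '
    # Timestamped lines look like: "Wed, 13 Jul 2005 18:49:41 PDT:6347: message"
    match($0, / [A-Z]+:[0-9]+: /) {
        pid = substr($0, RSTART + 1, RLENGTH - 3)     # e.g. "PDT:6347"
        sub(/^[A-Z]+:/, "", pid)                      # keep only the PID
        msg = substr($0, RSTART + RLENGTH)
        if (msg ~ /^There be a virus! \(/) {
            sig = msg
            sub(/^There be a virus! \(/, "", sig)
            sub(/\).*$/, "", sig)
            virus[pid] = sig
            if (!(pid in seen)) { order[++n] = pid; seen[pid] = 1 }
        } else if (msg ~ /^e_v_r: quarantine +msg to /) {
            path = msg
            sub(/^e_v_r: quarantine +msg to /, "", path)
            quar[pid] = path
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "%s\t%s\t%s\n", p, virus[p], (p in quar) ? quar[p] : "NOT-QUARANTINED"
        }
    }'
}

# Constructed sample input (not real log data): one quarantined detection,
# one detection without a quarantine line, and one clean message.
qs_sample() {
    cat <<'EOF'
Wed, 13 Jul 2005 18:49:40 PDT:6347: ini_sc: start scanning
/var/spool/qmailscan/tmp/HOST0001/sneaky.txt: Eicar-Test-Signature FOUND
Wed, 13 Jul 2005 18:49:41 PDT:6347: There be a virus! (Eicar-Test-Signature)
Wed, 13 Jul 2005 18:49:41 PDT:6347: e_v_r: quarantine  msg to /var/spool/qmailscan/quarantine/new/HOST0001
Wed, 13 Jul 2005 18:50:03 PDT:6401: There be a virus! (Eicar-Test-Signature)
Wed, 13 Jul 2005 18:50:03 PDT:6401: --- all finished. Total of 0.5 secs
Wed, 13 Jul 2005 18:50:10 PDT:6420: ini_sc: start scanning
Wed, 13 Jul 2005 18:50:10 PDT:6420: --- all finished. Total of 0.2 secs
EOF
}

qs_sample | qs_verdicts
```

On a live system the same function can be fed the real file, for example `qs_verdicts < /var/spool/qmailscan/qmail-queue.log`.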

## Headrush

http://www.gentoo.org/doc/en/qmail-howto.xml

----------

## whizr

 *Headrush wrote:*   

> http://www.gentoo.org/doc/en/qmail-howto.xml

 

thats where i started...

thanks though.

----------

## magic919

Did it not add a header?  Something like X-Virus-Status: Yes, perhaps?  I've seen ClamAV do that via SA.

----------

## whizr

 *magic919 wrote:*   

> Did it not add a header?  Something like X-Virus-Status: Yes, perhaps?  I've seen ClamAV do that via SA.

 

the header gets stamped just fine... but it still won't remove the mail. spamassassin does just fine (after a little tweaking: my $sa_delete_site='2' :Wink: . would the problem be in the qmail-scanner-queue.pl? or in a clam?.conf? 

email test header:

```
Received: (qmail 7928 invoked by uid 0); 14 Jul 2005 09:49:05 -0700
Received: from 127.0.0.1 by BRAIN (envelope-from <>, uid 0) with qmail-scanner-1.25st
     (clamdscan: 0.86.1/977. spamassassin: 3.0.4. perlscan: 1.25st.
     Clear:RC:1(127.0.0.1):SA:0(-1.8/6.0):.
     Processed in 0.825997 secs); 14 Jul 2005 16:49:05 -0000
X-Spam-Status: No, hits=-1.8 required=6.0
Date: 14 Jul 2005 09:49:04 -0700
```

hope im on the right track

----------

## magic919

 *Quote:*   

> hope im on the right track

 

I think you are.  My understanding is that ClamAV likes to identify files rather than remove.  I'd run a Procmail recipe and divert the messages to a 'virus' folder.  Then you can run a cron job to nuke them.  Or just send them straight to /dev/null with Procmail.  (Change permissions on /dev/null for this to work)

----------

## whizr

 *magic919 wrote:*   

>  *Quote:*   hope im on the right track 
> 
> I think you are.  My understanding is that ClamAV likes to identify files rather than remove.  I'd run a Procmail recipe and divert the messages to a 'virus' folder.  Then you can run a cron job to nuke them.  Or just send them straight to /dev/null with Procmail.  (Change permissions on /dev/null for this to work)

 

im using qmail right now... would the clam setting likely be in the qmail-scanner-queue.pl? i did find a setting for cmdline options... ill try that (didn't work), but im still not getting any notification of virus activity

----------

