Mailgraph on antivirus / antispam mail relay
The last couple of days I have tinkered with a new antivirus / antispam server at work. Its foundation is Debian Sarge running Postfix, SpamAssassin and ClamAV through amavis-ng (amavis-ng is installed from current unstable), and on top of it all mailgraph.
All packages were taken from the stable Debian release (Sarge), except for amavis-ng, which does not exist in Sarge. This package was instead downloaded from unstable… fortunately it had no dependencies on unstable whatsoever.
The documentation on the SpamAssassin homepage is great, which is just the opposite of amavis-ng's, which seems non-existent. The configuration file shipped with Debian makes up for the lack of documentation. It seems that amavis-ng is meant to be a (more modular) reimplementation of amavisd-new, even though people on the mailing lists recommend amavisd-new :-D
I have a serious problem keeping my hands off the bleeding edge stuff, so I couldn't resist installing amavis-ng. I have tried using it before, but at that time I couldn't make it fork (it became a serious bottleneck). I'm not saying that it didn't work, it might as well have been me, though I cannot seem to find the difference between my previous installation and my new one. Anyway, it seems to fork correctly in this new installation, and to test the virus filter I recommend this web site
The reason I write this entry is that I made some changes to mailgraph to make it work the way I wanted. Read on to see what (small) changes I made.
First I changed the startup script to be able to use two log files (one for mail and one for viruses). Code for /etc/init.d/mailgraph:

#!/bin/sh
# Runs one mailgraph.pl daemon for the Postfix mail log and, if a virus
# log is configured, a second one for the Amavis/ClamAV log.
MAILGRAPH_CONFIG="/etc/default/mailgraph"
NAME="mailgraph"
DAEMON="/usr/sbin/mailgraph.pl"
PID_FILE="/var/run/mailgraph.pid"
PID_VIRUS_FILE="/var/run/mailgraph_virus.pid"
RRD_DIR="/var/lib/mailgraph"
IGNORE_OPTION=""

# MAIL_LOG, VIRUS_LOG and IGNORE_LOCALHOST are set in /etc/default/mailgraph
if [ -f "$MAILGRAPH_CONFIG" ]; then
    . "$MAILGRAPH_CONFIG"
else
    exit 0
fi

test -x /usr/sbin/mailgraph.pl || exit 0

if [ "$IGNORE_LOCALHOST" = "true" ]; then
    IGNORE_OPTION="--ignore-localhost"
fi

case "$1" in
  start)
    echo -n "Starting Postfix Mail Statistics: $NAME"
    # Quoted: an unset VIRUS_LOG must not make the test succeed
    if [ -f "$VIRUS_LOG" ]; then
        # mail daemon: only the mail RRD, fed from the Postfix log
        start-stop-daemon -S -q -b -p $PID_FILE -x $DAEMON -- --only-mail-rrd -l $MAIL_LOG -d --daemon_rrd=$RRD_DIR $IGNORE_OPTION
        # virus daemon: only the virus RRD, fed from the Amavis log, with its own pid file
        start-stop-daemon -S -q -b -p $PID_VIRUS_FILE -x $DAEMON -- --daemon-pid=$PID_VIRUS_FILE --only-virus-rrd -l $VIRUS_LOG -d --daemon_rrd=$RRD_DIR $IGNORE_OPTION
    else
        # single daemon updating both RRDs from one log (the original behaviour)
        start-stop-daemon -S -q -b -p $PID_FILE -x $DAEMON -- -l $MAIL_LOG -d --daemon_rrd=$RRD_DIR $IGNORE_OPTION
    fi
    echo "."
    ;;
  stop)
    echo -n "Stopping Postfix Mail Statistics: $NAME"
    if [ -f $PID_FILE ]; then
        kill `cat $PID_FILE`
        rm $PID_FILE
    fi
    if [ -f $PID_VIRUS_FILE ]; then
        kill `cat $PID_VIRUS_FILE`
        rm $PID_VIRUS_FILE
    fi
    echo "."
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  force-reload)
    $0 restart
    ;;
  *)
    echo "Usage: $0 start|stop|restart|force-reload"
    exit 1
    ;;
esac
Remember to define the virus log file in /etc/default/mailgraph ;-)
Second I modified the mailgraph.pl code because it didn't recognize the output from Amavis (ClamAV):

Jul 25 20:04:59 gargoyle amavis[18319]: CLAMD found:
Jul 25 20:04:59 gargoyle amavis[18319]: Eicar-Test-Signature
Jul 25 20:04:59 gargoyle amavis[18319]: AMAVIS::MTA::SMTP: Dropping message (Message-ID: )
It might be because I use amavis-ng, I dunno. But I found a line to put into /usr/sbin/mailgraph.pl. Around line 596, within the amavis case, put this:

...
# amavis-ng logs the ClamAV hit as "CLAMD found:" on its own line; count it as a virus event
elsif($text =~ /^CLAMD found\b/) {
    event($time, 'virus');
}
...
© 2005 by Jacob Emcken is licensed under CC BY-SA 4.0