"Fossies" - the Fresh Open Source Software Archive

Member "amavisd-new-2.11.1/README_FILES/README.sendmail" (24 Apr 2005, 12224 Bytes) of package /linux/misc/amavisd-new-2.11.1.tar.bz2:


    1 ===============================================================================
    2 NOTE:
    3   this file is rather old and not well maintained.
    4 
    5   A recommended sendmail setup is described in file README.sendmail-dual,
    6   which describes a dual-MTA setup. The sendmail milter setup as described
    7   in README.milter works as well, but with some functionality limitations.
    8 ===============================================================================
    9 
   10 
   11 AMaViS & sendmail
   12 *****************
   13 
   14 Scanning only incoming mail
   15 ---------------------------
   16 
   17 The amavis script is designed to be used in the sendmail.cf configuration
   18 file in a similar way to how tcpd is used in /etc/inetd.conf.
   19 
   20 The amavis helper program receives the sender ($f) and recipients ($u) on the
   21 command line; the arguments after '--' should be the original
   22 local delivery agent with its original arguments.  Amavis runs the original
   23 command after scanning for viruses, if the mail is clean.
   24 
   25 As most people generate sendmail.cf from a m4 file (we assume sendmail.mc),
   26 you should add the following just before the MAILER definitions:
   27 
   28 MODIFY_MAILER_FLAGS(`LOCAL',`-r')dnl
   29 define(`LOCAL_MAILER_ARGS',`amavis $f $u --' LOCAL_MAILER_PATH `-d $u')dnl
   30 define(`LOCAL_MAILER_PATH',`/usr/local/sbin/amavis')dnl
   31 
   32 The resulting Mlocal mailer entry could look like:
   33 
   34 Mlocal,	P=/usr/local/sbin/amavis, F=lsDFMAw5:/|@qPmn9S,
   35 	S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
   36 	T=DNS/RFC822/X-Unix, U=root:amavis,
   37 	A=amavis $f $u -- /usr/libexec/mail.local -d $u
   38 
   39 The user and group may be specified with the U option to the mailer.
   40 The group name in 'U=root:amavis' should match the chosen group name
   41 of the daemon amavisd(-new).
   42 
   43 This setup is probably the trickiest of them all to get right
   44 because of the conflicting daemon UID and file permission requirements
   45 of the different components in play. The amavisd daemon should not be
   46 running as root for security reasons, whereas the mail.local LDA needs
   47 privileges to access user mailboxes. Running the amavis helper program
   48 as root:amavis retains root privileges for the helper program, while
   49 still allowing the amavisd daemon process to access the temporary directory
   50 in the same group, even if not running as root.
   51 
   52 
   53 Scanning incoming/outgoing and relayed mail
   54 -------------------------------------------
   55 
   56   The concept for scanning incoming/outgoing and relayed mail is
   57 different from the concept described in the AMaViS documentation.
   58 If you are running a newer version of sendmail (8.10.0 or better),
   59 we recommend using the milter API. See README.milter for details.
   60 
   61   We use two different setups (.cf files) for sendmail, one is the original
   62 configuration, the second has a different Queue-Directory, another status
   63 file and most important a changed Rule Set 0 and the Mailer Definition AMaViS,
   64 so that AMaViS is always called first. If no virus is detected, we pass
   65 the mail to sendmail again, but advise it to use the original configuration.
   66 
   67   Note: I assume that sendmail.cf is in /etc - on your system it may be
   68 in /etc/mail
   69 
   70   Setting it up in 5 easy steps (without the m4 way)
   71 (please *read* the example configuration section below, too!):
   72 
   73 Step 1: Copy your /etc/sendmail.cf file to /etc/sendmail.orig.cf
   74 Step 2: Change sendmail.cf manually
   75 
   76 a) open /etc/sendmail.cf in your favorite editor
   77 
   78 b) change the queue directory, e.g. to
   79 O QueueDirectory=/var/spool/mqamavis
   80 
   81 c) change the status file, e.g. to
   82 O StatusFile=/var/log/amavis.st
   83 
   84 d) change rule set 0 to
   85 R$*		$: $>Parse0 $1		initial parsing
   86 R<@>		$#local $: <@>		special case error msgs
   87 R$*		$: $>98 $1		handle local hacks
   88 R$*		$#amavis $:$1
   89 #R$*		$: $>Parse1 $1		final parsing
   90 
   91 Be careful of tabs, so here's the code again, instead of [tab] press
   92 the tab key :-)
   93 
   94 R$*[tab][tab]$: $>Parse0 $1[tab][tab]initial parsing
   95 R<@>[tab][tab]$#local $: <@>[tab][tab]special case error msgs
   96 R$*[tab][tab]$: $>98 $1[tab][tab]handle local hacks
   97 R$*[tab][tab]$#amavis $:$1
   98 #R$*[tab][tab]$: $>Parse1 $1[tab][tab]final parsing
   99 
  100 Add the new mailer definition:
  101 Mamavis,	P=/usr/sbin/amavis, F=nmlsACDFMS5:/|@qhP, S=0, R=0,
  102 		T=DNS/RFC822/X-Unix, U=amavis:amavis,
  103 		A=amavis $f $u
  104 
  105 [Step 3, with older amavis: do a ./configure --enable-relay --enable-sendmail,
  106  make and make install (you may add some more flags to configure)]
  107 
  108 Step 3, with amavisd-new: change the settings of $forward_method and
  109 $notify_method in /etc/amavisd.conf:
  110   $forward_method= 'pipe:flags=q argv=/usr/sbin/sendmail -i -f ${sender} -- ${recipient}';
  111   $notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -i -f ${sender} -- ${recipient}';
  112 
  113 Step 4: Create /var/spool/mqamavis with the same permissions as
  114 /var/spool/mqueue but owner and group should be amavis
  115 
  116 Step 5: Restart sendmail, e.g. killall -HUP sendmail or with SuSE Linux
  117 rcsendmail restart
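
A check for the manual edit of Step 2, as an added example that is not part of the original README: it compares the edited sendmail.cf with the saved original and flags rules whose tabs were lost. The names lint_cf and options and the sample texts are constructed for this illustration.

```python
import re

OPTION_RE = re.compile(r"^O\s+(\w+)\s*=\s*(\S+)")

# Constructed samples: ORIGINAL_CF stands in for /etc/sendmail.orig.cf (its
# StatusFile path is an assumption), GOOD_CF for the edited /etc/sendmail.cf.
ORIGINAL_CF = "O QueueDirectory=/var/spool/mqueue\nO StatusFile=/etc/sendmail.st\n"
GOOD_CF = (
    "O QueueDirectory=/var/spool/mqamavis\n"
    "O StatusFile=/var/log/amavis.st\n"
    "R$*\t\t$: $>Parse0 $1\t\tinitial parsing\n"
    "R<@>\t\t$#local $: <@>\t\tspecial case error msgs\n"
    "R$*\t\t$: $>98 $1\t\thandle local hacks\n"
    "R$*\t\t$#amavis $:$1\n"
    "Mamavis,\tP=/usr/sbin/amavis, F=nmlsACDFMS5:/|@qhP, S=0, R=0,\n"
    "\t\tT=DNS/RFC822/X-Unix, U=amavis:amavis,\n"
    "\t\tA=amavis $f $u\n"
)
PASTED_CF = GOOD_CF.replace("\t", "    ")  # tabs lost in copy and paste

def options(cf_text):
    """Map long option names (O Name=value lines) to their values."""
    return {m.group(1): m.group(2)
            for m in map(OPTION_RE.match, cf_text.splitlines()) if m}

def lint_cf(edited, original):
    """Return findings for an edited sendmail.cf compared with the original."""
    findings = []
    new, old = options(edited), options(original)
    for name in ("QueueDirectory", "StatusFile"):
        if name not in new or new[name] == old.get(name):
            findings.append(f"{name} is missing or still the original value")
    calls_amavis = False
    for num, line in enumerate(edited.splitlines(), start=1):
        if not line.startswith("R"):
            continue  # commented-out rules (#R...) and other lines are skipped
        # sendmail separates LHS, RHS and comment with tabs, never spaces.
        fields = [f for f in line[1:].split("\t") if f]
        if len(fields) < 2:
            findings.append(f"line {num}: rule has no tab between LHS and RHS")
        elif fields[1].startswith("$#amavis"):
            calls_amavis = True
    if not calls_amavis:
        findings.append("no rule resolves to the amavis mailer ($#amavis)")
    if not re.search(r"^Mamavis,", edited, re.MULTILINE):
        findings.append("mailer definition Mamavis is missing")
    return findings

print("\n".join(lint_cf(PASTED_CF, ORIGINAL_CF)))
```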
  118 
  119 
  120 
  121   Setting it up in 7 easy steps - doing it the m4 way
  122   (please *read* the example configuration section below, too!)
  123 
  124 Step 1: Copy your /etc/sendmail.cf file to /etc/sendmail.orig.cf
  125 Step 2: Copy the provided doc/amavis.m4 file to /usr/share/sendmail/mailer
  126         (this is the location for a SuSE Linux system ... please have a
  127          look at your .mc file for the "include" macro. It tells you
  128          in which path your sendmail m4 stuff is located. Don't forget
  129          to put amavis.m4 into the mailer/ directory and not the m4/ dir)
  130 Step 3: Copy your .mc file, used for generating sendmail.cf, to amavis.mc
  131 Step 4: Change amavis.mc
  132 
  133 a) in front of the OSTYPE definition, add
  134 define(`QUEUE_DIR',`/var/spool/mqamavis')dnl
  135 define(`STATUS_FILE',`/var/log/amavis.st')dnl
  136 
  137 b) add the amavis mailer to the MAILER definitions
  138 MAILER(`amavis')dnl
  139 
  140 [Step 5, with older amavis: do a ./configure --enable-relay --enable-sendmail,
  141  make and make install (you may add some more flags to configure) ]
  142 
  143 Step 5, with amavisd-new: change the settings of $forward_method and
  144 $notify_method in /etc/amavisd.conf:
  145   $forward_method= 'pipe:flags=q argv=/usr/sbin/sendmail -i -f ${sender} -- ${recipient}';
  146   $notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -i -f ${sender} -- ${recipient}';
  147 
  148 Step 6: Create /var/spool/mqamavis with the same permissions as
  149 /var/spool/mqueue but owner and group should be amavis
  150 
  151 Step 7: Restart sendmail, e.g. killall -HUP sendmail or with SuSE Linux
  152 rcsendmail restart
  153 
  154 
  155 
  156 Additional information (please read!)
  157 *************************************
  158 
  159 NOTE: If you decided to copy your original sendmail.cf to a filename
  160 other than sendmail.orig.cf, you have to specify the filename
  161 with --with-orig-conf=<filename>
  162 
  163 NOTE: This configuration could be made simpler if /etc/sendmail.cf remained
  164 untouched, and sendmail could be started simply with
  165 sendmail -bd -C/etc/amavis.cf.  But for security reasons, sendmail refuses
  166 the -C flag if started as root. Therefore, we have to patch sendmail.cf
  167 and rename the original file.
  168 
  169 IMPORTANT NOTE: please have a closer look at the mailer definition, especially
  170 the F equate (the mailer flags). You may copy the F= stuff out from your
  171 original sendmail.cf file, but be careful! You must not use the f flag.
  172 You may also add the A flag, otherwise "newaliases" will yell "cannot alias
  173 non-local names".
  174 
  175 NOTE: This concept should be considered *experimental*.
  176 
  177 NOTE: If mail is deferred, it may get stuck in the queue (this may happen
  178 if a delivery attempt fails). Calling
  179 /usr/sbin/sendmail -C /etc/sendmail.orig.cf -q via cron is a good idea.
  180 Another solution is to call
  181 /usr/sbin/sendmail -q5m -C /etc/mail/sendmail.orig.cf
  182 In this example, the mail queue is flushed every 5 minutes.
  183 
  184 
  185 EXAMPLE CONFIGURATION (sendmail 8.9.3)
  186 --------------------------------------
  187 
  188 Here's the configuration I use on my SuSE Linux system with sendmail 8.9.3
  189 (for sendmail 8.11 see below).
  190 AMaViS is run as user amavis, group amavis and therefore /var/spool/mqamavis
  191 is owned by amavis:amavis
  192 
  193 /etc/sendmail.cf:
  194 
  195 
  196 * I use the following mailer definition
  197 Mamavis,        P=/usr/sbin/amavis, F=nmlsACDFMS5:/|@qhP, S=0, R=0,
  198                 T=DNS/RFC822/X-Unix, U=amavis:amavis,
  199                 A=amavis $f $u
  200 
  201 
  202 /etc/sendmail.orig.cf:
  203 * to get rid of the X-Authentication-Warning "Processed by amavis
  204 with -C /etc/sendmail.orig" and "Processed from queue /var/spool/mqueue"
  205 I removed authwarnings from PrivacyOptions, so
  206 O PrivacyOptions=novrfy,noexpn
  207 
  208 NOTE: The "goaway" option is another PrivacyOption. The "goaway" option
  209 implies the "authwarnings" option, so with "goaway" you'll get the
  210 X-Authentication-Warning.
  211 
  212 
  213 /var/spool/mqueue and /var/spool/mqamavis are owned by amavis.
  214 
  215 NOTE: as amavis is run as user amavis, /var/virusmails must be owned
  216 by amavis and you have to specify a location for the AMaViS logfile
  217 that is writable by user amavis, if writing to a log file directly
  218 (not via syslog).
  219 
  220 NOTE: As sendmail will perform most tasks as user amavis now, it may
  221 not be able to read the users' .forward files anymore! You may consider
  222 changing the permissions for the home directories, i.e. access rights
  223 for others.
  224 
  225 
  226 EXAMPLE CONFIGURATION (sendmail 8.11)
  227 --------------------------------------
  228 
  229 Here's the configuration I use on my SuSE Linux system with sendmail 8.11.
  230 AMaViS is run as user amavis, group amavis.
  231 
  232 /etc/mail/sendmail.cf:
  233 
  234 
  235 * I use the following mailer definition
  236 Mamavis,        P=/usr/sbin/amavis, F=nmlsACDFMS5:/|@qhP, S=0, R=0,
  237                 T=DNS/RFC822/X-Unix, U=amavis:amavis,
  238                 A=amavis $f $u
  239 
  240 
  241 Note: The following entry does *NOT* work
  242 Mamavis,        P=/usr/sbin/amavis, F=sDFMAw5:/|@qPfhn9, S=0, R=0,
  243                 T=DNS/RFC822/X-Unix,
  244                 A=amavis $f $u
  245 
  246 Hint: F=C (specifies that @domain has to be added to recipient) is needed
  247 otherwise you'll get a "user unknown" error.
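
The flag rules from the IMPORTANT NOTE and from the hint above (no f flag, C needed, A advisable) can be checked against a mailer definition, as in this added example that is not part of the original README. The function names parse_mailers and check_amavis_flags are made up for this illustration; the two sample entries are the ones shown above.

```python
# Both entries are copied from the sendmail 8.11 example above.
WORKING = (
    "Mamavis,        P=/usr/sbin/amavis, F=nmlsACDFMS5:/|@qhP, S=0, R=0,\n"
    "                T=DNS/RFC822/X-Unix, U=amavis:amavis,\n"
    "                A=amavis $f $u\n"
)
BROKEN = (
    "Mamavis,        P=/usr/sbin/amavis, F=sDFMAw5:/|@qPfhn9, S=0, R=0,\n"
    "                T=DNS/RFC822/X-Unix,\n"
    "                A=amavis $f $u\n"
)

def parse_mailers(cf_text):
    """Return {mailer_name: {equate_letter: value}} from sendmail.cf text."""
    mailers, current = {}, None
    for line in cf_text.splitlines():
        if line.startswith("M"):
            name, _, rest = line[1:].partition(",")
            current = mailers.setdefault(name.strip(), {})
        elif current is not None and line[:1] in (" ", "\t"):
            rest = line  # continuation of the previous M line
        else:
            current = None  # any other line ends the mailer definition
            continue
        # Simple split: assumes no commas inside values, as in the entries above.
        for field in rest.split(","):
            key, sep, value = field.strip().partition("=")
            if sep:
                current[key] = value.strip()
    return mailers

def check_amavis_flags(cf_text, name="amavis"):
    """Findings for the F= equate of the named mailer, per the notes above."""
    mailer = parse_mailers(cf_text).get(name)
    if mailer is None:
        return [f"mailer {name} is not defined"]
    flags = mailer.get("F", "")
    findings = []
    if "f" in flags:
        findings.append("F= contains 'f', which must not be used here")
    if "C" not in flags:
        findings.append("F= lacks 'C': expect 'user unknown' errors")
    if "A" not in flags:
        findings.append("F= lacks 'A': newaliases will complain")
    return findings
```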
  248 
  249 
  250 /etc/sendmail.orig.cf:
  251 * to get rid of the X-Authentication-Warning "Processed by amavis
  252 with -C /etc/sendmail.orig" and "Processed from queue /var/spool/mqueue"
  253 I removed authwarnings from PrivacyOptions, so
  254 O PrivacyOptions=novrfy,noexpn
  255 
  256 NOTE: The "goaway" option is another PrivacyOption. The "goaway" option
  257 implies the "authwarnings" option, so with "goaway" you'll get the
  258 X-Authentication-Warning.
  259 
  260 
  261 
  262 The Mlocal entry looks like this
  263 Mlocal,    P=/usr/bin/procmail, F=lsDFMAw5:/|@qPfhn9,
  264            S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
  265            T=DNS/RFC822/X-Unix,
  266            A=procmail -Y -a $h -d $u
  267 
  268 (it seems that in the F= flags neither the "o" nor "S"
  269 must be set ...)
  270 
  271 The permissions of /var/spool/mqueue and /var/spool/mqamavis are
  272 the following:
  273 
  274 drwxrwxr-x   2 amavis   root	     1024 Sep  2 16:41 mqamavis
  275 drwxrwxr-x   2 amavis   root         1024 Sep  2 16:41 mqueue
  276 
  277 
  278 As I use procmail as the Local Delivery Agent, the setuid-bit
  279 for procmail has to be set! (d'oh ...)
  280 
  281 Note: For some reason I'm not aware of, the notification messages generated
  282 by amavis are not sent immediately. Two solutions do exist for that
  283 (the latter one is the one I would recommend)
  284 
  285 * calling sendmail -C /etc/mail/sendmail.orig.cf -q via a cron job
  286 
  287 * or (preferred)
  288 change the delivery mode in /etc/mail/sendmail.orig.cf to
  289 # default delivery mode
  290 O DeliveryMode=i
  291 # i       Deliver interactively (synchronously)
  292 
  293 
  294 NOTE: as amavis is run as amavis, /var/virusmails must be owned
  295 by amavis and you have to specify another location for the AMaViS
  296 logfile (normally /var/amavis/amavis.log) to which amavis has
  297 write access.
  298 
  299 NOTE: As sendmail will perform most tasks as user amavis now, it may
  300 not be able to read the users' .forward files anymore! You may consider
  301 changing the permissions for the home directories, i.e. access rights
  302 for others.
  303 
  304 
  305 TODO/BUGS
  306 ---------
  307 * huh? nothing?! that's unbelievable :-)
  308 
  309 
  310 The author
  311 ----------
  312 This stuff was written and tested by Rainer Link
  313 Rainer Link <link@suse.de>, http://rainer.w3.to/
  314 
  315 
  316 Credits
  317 -------
  318 This stuff is based on a patch from gody@master.slon.net and is itself
  319 based on the concept from Inflex. Thanks to Paul L. Daniels and
  320 (indirectly) to Steve Kehelet via the P.L.Daniels's Inflex scanner.
  321 Thanks to Yan Seiner for the m4 stuff, which our amavis.m4 is based upon.
  322 Section 'Scanning only incoming mail' updated by Mark Martinec.
  323 
  324 
  325 Thanks
  326 ------
  327 Thanks to everyone who reported bugs or problems directly
  328 to me or the AMaViS user mailing list, and provided us/me
  329 with patches or additional information.