
    ESVA customization


    ESVA is a pre-built, easily configured email-scanning virtual appliance that runs on VMware ESX Server: http://www.global-domination.org/ESVA.php

    The central components are ClamAV and SpamAssassin.

    After the basic setup you might want to customize some things that cannot be changed in the wizard or the GUI.

    Change how many days of quarantined mail are kept (set all three to the same value):

    – $days_to_keep = 180; in /etc/cron.daily/clean.quarantine

    – define(QUARANTINE_DAYS_TO_KEEP, 180); in /var/www/html/conf.php

    – INTERVAL 180 DAY in /usr/local/bin/mailwatch/tools/db_clean.php

    The defaults in /etc/cron.daily/clean.quarantine are:

    $disabled = 0;
    $days_to_keep   = 14;

    The default signature is defined in /etc/MailScanner/rules:

    – sig.html.rules

    – sig.text.rules

    Blocked file types:

    /etc/MailScanner/filename.rules.conf

    Change the max message size:

    In Webmin – Postfix – "General resource control". An example is to add a zero to the defaults:

    Max size of a message: 102400000

    Max size of a mailbox: 512000000

    Or in /etc/postfix/main.cf: message_size_limit = 102400000

    That is roughly 100 MB.

    Remove the "notify" for spam:

    In the file /etc/MailScanner/MailScanner.conf, remove notify from the line:  Spam Actions = store notify

    Disable greylisting for some IPs or hosts:
    Add host names to /etc/sqlgrey/clients_fqdn_whitelist.local and IP addresses to /etc/sqlgrey/clients_ip_whitelist.local, then:
    /etc/init.d/sqlgrey restart

    Remove the "MailScanner has detected a possible fraud attempt from…" warning, in MailScanner.conf:

    Highlight Phishing Fraud = no

    Remove the ability to read the emails in the web interface:

    Edit /var/www/html/detail.php, go to the end and comment out the "view email" link so the cell is left empty:

    // echo "  <TD><A HREF=\"viewmail.php……………..\"</A></TD>\n";

    echo " <TD>…</TD>\n";

    Default SPAM score:

    /etc/MailScanner/MailScanner.conf

    Required SpamAssassin Score = 5

    Remove the inline HTML signature

    In the file /etc/MailScanner/MailScanner.conf:

    # Add the "Inline HTML Signature" or "Inline Text Signature" to the end
    # of uninfected messages?
    # This can also be the filename of a ruleset.
    Sign Clean Messages = no

    Auto reply – Out of office

    Out-of-office auto-replies arrive with an empty sender and carry no valid watermark. Instead of treating them as spam outright, add a score of 2 in MailScanner.conf:

    Treat Invalid Watermarks With No Sender as Spam = 2

    Script tags in the email

    Allow Script Tags = disarm

    Or yes/no

    Office 2007/2010 file formats:

    Microsoft Office 2007/2010 documents (.docx, .xlsx etc.) are ZIP archives of XML files, and by default MailScanner's filename rules reject some of the files inside them.

    The solution is to put these lines in /etc/MailScanner/filename.rules.conf:

    allow   \.xml\.rel$             -       -
    allow   \.rel$                  -       -
    allow   \.docx$                 -       -
    allow   \.xlsx$                 -       -
    allow   \.xml\d*\.rel$          -       -
    allow   \.x\d+\.rel$            -       -
    allow   \.bin$                  -       -
    allow   \.wmf$                  -       -
    allow   \.dat$                  -       -

    Rules are checked in order and the first match wins, so put these two just above the "# Deny all other double file extensions.." line (the dot must be escaped, otherwise the pattern matches any character before doc/xls):

    allow   \.doc$                  -       -
    allow   \.xls$                  -       -

    And in MailScanner.conf change Maximum Archive Depth to 3:

    Maximum Archive Depth = 3

    This makes MailScanner accept Office 2007/2010 documents. Note that the allow lines are not limited to Office archives: any attachment named .bin, .wmf or .dat now passes the filename check, so only the virus scanner stands between it and the recipient.
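As an added example (not MailScanner's code, and not part of the original page), the following Python dry-run evaluates a filename.rules.conf excerpt against a few constructed attachment names, so the ordering point above can be checked before a restart. It assumes tab-separated fields, top-to-bottom evaluation with the first match winning, case-insensitive matching, and that an attachment matched by no rule is allowed; the double-extension deny line is a constructed approximation of the default one.

```python
import re

# Added example, not MailScanner's code: a dry run of filename.rules.conf so the
# Office allow lines can be checked before restarting MailScanner. Assumptions:
# tab-separated fields, rules tried top to bottom with the first match winning,
# case-insensitive matching, and an attachment no rule matches is allowed.

# Constructed rule file in the page's layout: the Office allow lines, a
# double-extension deny modelled on the default file, then a catch-all allow.
RULES_WITH_ALLOWS = """\
allow\t\\.xml\\.rel$\t-\t-
allow\t\\.docx$\t-\t-
allow\t\\.xlsx$\t-\t-
allow\t\\.doc$\t-\t-
allow\t\\.xls$\t-\t-
deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding\tDouble file extension
allow\t.*\t-\t-
"""

# Constructed attachment names: three Office files and one double extension.
SAMPLE_NAMES = ["report.docx", "document.xml.rel", "budget.xls", "invoice.pdf.exe"]

def parse_rules(text):
    """Turn the rule file into (action, compiled regex, log text), skipping comments."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, pattern, log_text, _user_text = line.split("\t", 3)
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text))
    return rules

def check_filename(rules, name):
    """Return (action, log text) of the first rule whose regex matches the name."""
    for action, regex, log_text in rules:
        if regex.search(name):
            return action, log_text
    return "allow", "no rule matched"

def dry_run(text, names=SAMPLE_NAMES):
    """Map each attachment name to the verdict the rule file would give it."""
    rules = parse_rules(text)
    return {name: check_filename(rules, name)[0] for name in names}

def allows_below_deny(text):
    """The same rules mis-ordered: the Office allows pasted below the deny line."""
    def rank(line):
        return 0 if line.startswith("deny") else 2 if line.startswith("allow\t.*") else 1
    return "\n".join(sorted(text.splitlines(), key=rank)) + "\n"
```

With the allows in the right place every Office name passes and invoice.pdf.exe is denied; with them pasted below the deny line, document.xml.rel is rejected as a double extension.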

    Disable FuzzyOcr:

    Rename /etc/mail/spamassassin/FuzzyOcr.cf to something else.

    Restart MailScanner

    Disable spam and/or AV scanning

    /etc/MailScanner/MailScanner.conf

    Spam Checks = no
    Use SpamAssassin = no
    Virus Scanning = no

    To skip spam checks for one domain only, point Spam Checks at a ruleset in MailScanner.conf:
    Spam Checks = /etc/MailScanner/rules/spam.check.rules

    In spam.check.rules:
    FromOrTo:     domain.com      no
    FromOrTo:       default   yes

    Enable remote SSH login as root

    /etc/ssh/sshd_config

    PermitRootLogin yes

    Restart sshd. A safer alternative is PermitRootLogin without-password, which accepts key-based root logins only.

    If running virtual, ESVA might lose time.

    Make a file ntp.cron in /etc/cron.daily:

    #!/bin/sh
    #
    /usr/sbin/ntpdate 195.184.96.2
    date +"%D %r Cron completed" >> /var/log/cron_job.log

    chmod +x /etc/cron.daily/ntp.cron

    Remember RAM!

    Do you see this error in the maillog?

    "too big for available disk space in /var/spool/MailScanner/incoming, skipping it"

    MailScanner uses this directory temporarily to unpack files before scanning.

    By default ESVA has 1024 MB of RAM, and half of that is used for the RAM-based filesystem. 512 MB for unpacking may be too small.

    Change the size in /etc/fstab:

    tmpfs /dev/shm tmpfs defaults,size=1024m 0 0

    The easy way (if you have enough RAM) is to just give ESVA more RAM.

    Allow EXE in zipped attachments

    /etc/MailScanner/archives.filename.rules.conf

    allow \.exe$ Windows/DOS Executable

    /etc/MailScanner/archives.filetype.rules.conf

    #deny executable No executables

    Remember to update resolv.conf

    If this file does not contain the IP of a valid DNS server, you might get this error in the log: "Recipient address rejected: Domain not found"

    This is an example with OpenDNS:

    /etc/resolv.conf

    search localdom.local
    nameserver 208.67.222.222

    Block destination email addresses
    /etc/postfix/recipient_access, example:
    refund_of_tax@testdom.com REJECT
    skatdk@testdom.com REJECT

    postmap /etc/postfix/recipient_access

    Remember to add the lookup table to Postfix's main.cf, example:
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:2501, check_recipient_access hash:/etc/postfix/recipient_access

    Show ClamAV version
    /usr/sbin/clamd -V

    Remove mail from the Postfix queue
    List the queue: mailq
    Remove a specific email by queue ID: postsuper -d 3EFE828621

    Exchange – Duplicate delivery
    If you release a message that has already been delivered, it will not end up in the mailbox a second time.
    You can see which emails have hit this rule in EMC –> email tracking, or with PowerShell:
    Get-MessageTrackingLog -EventId DUPLICATEDELIVER

    Block email based on subject – Postfix
    main.cf:
    header_checks = regexp:/etc/postfix/header_checks

    /etc/postfix/header_checks:
    /^Subject: Spam subject/ DISCARD

    Restart Postfix

    Block email based on subject – MailScanner (MCP)
    /etc/MailScanner/mcp
    Example:
    header P2 Subject =~ /new Message/i
    describe P2 Banned Subject
    score P2 10

    header P3 Subject =~ /new2 for you/i
    describe P3 Banned Subject
    score P3 10

    Disable ahbl.org
    Comment out the rule in /var/lib/spamassassin/3.004000/updates_spamassassin_org/20_dnsbl_tests.cf:
    # another domain-based blacklist
    #header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
    #describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
    #tflags DNS_FROM_AHBL_RHSBL net
    #reuse DNS_FROM_AHBL_RHSBL
    Note that sa-update overwrites this directory; a line score DNS_FROM_AHBL_RHSBL 0 in /etc/mail/spamassassin/local.cf disables the rule and survives updates.

    Throttling too many connections from a new source
    Edit /etc/sqlgrey/sqlgrey.conf:
    connect_src_throttle = 5
    (0 = disable)

    /etc/init.d/sqlgrey restart

    Allow password-protected ZIP files from one or more addresses/domains
    In MailScanner.conf change
    Allow Password-Protected Archives = no
    to:
    Allow Password-Protected Archives = %rules-dir%/pp.archives.rules
    pp.archives.rules:
    FromOrTo: test@mydomain.com yes
    FromOrTo: mydomain2.com yes
    FromOrTo: default no

    FromOrTo matches the address in either direction, so this also lets password-protected archives from any sender through to mydomain2.com; use From: if only mail from that domain is meant.

    Restart MailScanner
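As an added example (not MailScanner's code, and not part of the original page), this Python evaluator walks a MailScanner ruleset such as the pp.archives.rules above or the spam.check.rules earlier on the page for one sender/recipient pair, which shows what FromOrTo lets through compared with From. It assumes one recipient per message, that a pattern is either a full address or a bare domain, case-insensitive comparison, top-to-bottom evaluation with the first match winning, and "default" as the fallback line.

```python
# Added example, not MailScanner's code: evaluate a MailScanner ruleset such as
# the page's pp.archives.rules or spam.check.rules for one sender/recipient pair.
# Assumptions: one recipient per message, a pattern is either a full address or a
# bare domain, comparison is case-insensitive, rules are tried top to bottom with
# the first match winning, and "default" is the fallback line.

# The page's two rulesets, reproduced here as constructed test input.
PP_ARCHIVES_RULES = """\
FromOrTo: test@mydomain.com yes
FromOrTo: mydomain2.com yes
FromOrTo: default no
"""
SPAM_CHECK_RULES = """\
FromOrTo: domain.com no
FromOrTo: default yes
"""
# Tightened variant: only mail *from* mydomain2.com may carry password-protected archives.
FROM_ONLY_RULES = PP_ARCHIVES_RULES.replace("FromOrTo: mydomain2.com", "From: mydomain2.com")

def parse_ruleset(text):
    """Return (direction, pattern, value) triples; direction is From, To, FromOrTo or FromAndTo."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split()
        rules.append((direction.rstrip(":"), pattern.lower(), value))
    return rules

def address_matches(pattern, address):
    """A bare domain matches any address at that domain; a full address must match exactly."""
    address = address.lower()
    return address == pattern if "@" in pattern else address.endswith("@" + pattern)

def evaluate(rules, sender, recipient):
    """Walk the ruleset and return the value of the first line that applies."""
    for direction, pattern, value in rules:
        if pattern == "default":
            return value
        from_hit = address_matches(pattern, sender)
        to_hit = address_matches(pattern, recipient)
        if ((direction == "From" and from_hit) or (direction == "To" and to_hit)
                or (direction == "FromOrTo" and (from_hit or to_hit))
                or (direction == "FromAndTo" and from_hit and to_hit)):
            return value
    return None   # no line matched and there was no default
```

With the page's ruleset, mail from stranger@example.org to bob@mydomain2.com evaluates to yes; with the From: variant it evaluates to no.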