In general, a user should follow the README and INSTALL files provided by the simscan tarball. The information on the Qmail Wiki is also very helpful. Below are issues of which the user should be aware.
With the move to 0.9, ClamAV moved away from its traditional ClamAV virus definition (CVD) file format. This causes a problem if the "--enable-received" option is enabled. The default configure script looks for the file daily.cvd, which does not exist in the .9x series. To get around this problem, make the following change to the configure script.
Find this line...
if test -f "$f/daily.cvd"
Change it to...
if test -d "$f/daily.inc" || test -f "$f/daily.cvd"
This change allows simscan to use "--enable-received" with all versions of ClamAV.
John Simpson released a patch which solves the configure script issue. It also fixes simscanmk -g so that it can pull the main and daily version numbers for the enable-received headers.
ClamAV needs to be able to operate on the files simscan creates inside /var/qmail/simscan. Unfortunately, the default configuration for /var/qmail/simscan sets the ownership to simscan.root. To give clamav the appropriate access, three things need to happen.
The following commands will make the changes.
# chgrp simscan /var/qmail/simscan
# chmod g+s /var/qmail/simscan
# usermod -a -G simscan clamav
Lastly, the AllowSupplementaryGroups directive must be set to "Yes" in clamd.conf.
If you recompile and reinstall simscan, you need to rerun the second command. This is because the Makefile sets the permissions of /var/qmail/simscan to 0750.
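The setup described above can be checked after each install or reinstall with a short script. This is an added example, not part of simscan or of the original page; the function names, the default clamd.conf path and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from simscan): audit the work directory setup.
# Assumes GNU stat; the default clamd.conf path below is an assumption.

# Directory must be group-owned by $2, setgid, and closed to "other".
check_workdir() {
    dir=$1; want=$2
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    grp=$(stat -c %G "$dir"); mode=$(stat -c %a "$dir")
    [ "$grp" = "$want" ] ||
        { echo "FAIL: $dir group is $grp, want $want"; return 1; }
    [ -g "$dir" ] ||
        { echo "FAIL: $dir (mode $mode) lacks setgid; rerun chmod g+s"; return 1; }
    case $mode in
        *0) ;;
        *) echo "FAIL: $dir mode $mode grants access to other"; return 1 ;;
    esac
    echo "OK: $dir mode=$mode group=$grp"
}

# User $1 must have $2 among its groups (supplementary or primary).
check_member() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2" ||
        { echo "FAIL: user $1 is not in group $2"; return 1; }
    echo "OK: user $1 is in group $2"
}

# clamd.conf must contain an uncommented "AllowSupplementaryGroups Yes".
check_clamd_conf() {
    grep -Eiq '^[[:space:]]*AllowSupplementaryGroups[[:space:]]+yes[[:space:]]*$' "$1" ||
        { echo "FAIL: AllowSupplementaryGroups is not Yes in $1"; return 1; }
    echo "OK: AllowSupplementaryGroups Yes in $1"
}

# audit [dir] [group] [user] [clamd.conf]; runs every check, returns 1 on any failure.
audit() {
    rc=0
    check_workdir "${1:-/var/qmail/simscan}" "${2:-simscan}" || rc=1
    check_member "${3:-clamav}" "${2:-simscan}" || rc=1
    check_clamd_conf "${4:-/etc/clamd.conf}" || rc=1
    return $rc
}

# Run only when asked, e.g.: sh audit-simscan.sh --run
if [ "${1:-}" = "--run" ]; then shift; audit "$@"; fi
```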
The latest development releases of simscan include support for p0f. P0f is a passive operating system (OS) fingerprinting tool. It allows you to determine the OS of the connecting machine from the differences in how operating systems implement networking protocols. Simscan uses this to block a random 85% of the SMTP connections from Windows machines. No other check is performed: if p0f reports a server as running Windows, the machine has an 85% chance of simscan blocking the connection with a permanent (5xx) error. The reasoning behind this is that hacked Windows machines account for a large portion of the machines sending spam.
If you do not want this functionality, you need to pass the environment variable "NOP0FCHECK=1" either through your qmail-smtpd run script or through smtp.cdb. If you see the error message "simscan: connect error 2", simscan attempted to contact p0f and could not. Setting the above environment variable resolves this error.
Before you add simscan to your qmail-smtpd run script and/or smtp.cdb file, you might want to test it first. To test simscan, create a file similar to the one below called "mail.txt". Be sure to substitute appropriate email addresses.
From: sender@domain.xyz
To: recipient@domain.xyz
Subject: Testing Simscan

Testing simscan
Next send the message using qmail-inject with the following command.
# QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=2 NOP0FCHECK=1 /var/qmail/bin/qmail-inject < mail.txt
This command sends the message to qmail with the appropriate environment variables set. The debug output will notify you of any errors.
The simversions.cdb file contains the version numbers of all the scanners used by simscan. This includes spamassassin, clamav and the clamav database. When manually updating a package (e.g. spamassassin), simversions.cdb can be updated with the following command.
# /var/qmail/bin/simscanmk -g
However, for regular, automated updates this presents a problem. Updates may occur too often for a user to update simversions.cdb manually. The qmail wiki recommends running an hourly cron job. This has the problem of the version being out of date, if only for an hour. A better solution is to create an entry in /etc/sudoers allowing the clamav user to run the following command.
# sudo /var/qmail/bin/simscanmk -g
Then set the OnUpdate directive in freshclam.conf to call the above command. This approach may be modified to call a named service similar to qmail-updater, or to use a setuid wrapper for a script calling the above command. John Simpson provides a wrapper, update-simscan, which does just this.
2007-09-03 Clarified the setting of the AllowSupplementaryGroups directive in clamd.conf. Thanks to Bill Olson.
2007-07-31 Added links to John Simpson's simscan patch and update-simscan.
2007-07-31 Added section about testing simscan from the command line.
2007-07-31 Added portion about reinstalling simscan. The setGID bit needs to be reset on the /var/qmail/simscan directory.