ESET Mail Security

russianmiserable, Security

13 Jun 2012

757 views

ESET
MAIL SECURITY
Installation Manual and User Guide
(intended for product version 4.0 and higher)
Linux, BSD and Solaris
Copyright ©2012 by ESET, spol. s r. o.
ESET Mail Security was developed by ESET, spol. s r. o.
For more information visit www.eset.com.
All rights reserved. No part of this documentation may be reproduced,
stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning, or
otherwise without permission in writing from the author.
ESET, spol. s r. o. reserves the right to change any of the described
application software without prior notice.
Worldwide Customer Support: www.eset.com/support
REV. 5/14/2012
Contents
1. Introduction
1.1 Main functionality
1.2 Key features of the system
2. Terminology and abbreviations
3. System requirements
4. Installation
5. Architecture Overview
6. Integration with Email Messaging System
6.1 Bi-directional email message scanning in MTA
6.2 Scanning of inbound email messages
6.3 Scanning of outbound email messages
6.4 Scanning of email messages downloaded from POP3/IMAP server
6.5 Alternative methods of content filtering
6.5.1 Scanning email messages in CommuniGate Pro using esets_cgp
6.5.2 Scanning email messages using AMaViS
6.5.3 Scanning email messages using Novell GroupWise
7. Important ESET Mail Security mechanisms
7.1 Handle Object Policy
7.2 User Specific Configuration
7.3 Blacklist and Whitelist
7.4 Anti-Spam control
7.4.1 SpamCatcher settings
7.5 Samples Submission System
7.6 Scheduler
7.7 Web Interface
7.7.1 License management
7.7.2 SMTP+Postfix configuration example
7.7.3 Scheduler
7.7.4 Statistics
7.8 Remote Administration
7.8.1 Remote Administration usage example
7.9 Logging
8. ESET Security system update
8.1 ESETS update utility
8.2 ESETS update process description
8.3 ESETS mirror http daemon
9. Let us know
10. Appendix A. ESETS setup and configuration
10.1 Setting ESETS for MTA Postfix
10.2 Setting ESETS for MTA Sendmail
10.3 Setting ESETS for MTA Qmail
10.4 Setting ESETS for MTA Exim version 3
10.5 Setting ESETS for MTA Exim version 4
10.6 Setting ESETS for MTA ZMailer
10.7 Setting ESETS for MTA Novell GroupWise
10.8 Setting ESETS for outbound email message scanning
10.9 Setting ESETS for scanning of POP3 communication
10.10 Setting ESETS for scanning of IMAP communication
11. Appendix B. PHP License
1. Introduction
Thank you for using ESET Mail Security - the premier security system for the Linux, BSD and Solaris OS. ESET's state-of-the-art scanning engine has unsurpassed scanning speed and detection rates combined with a very small footprint that makes it the ideal choice for any Linux, BSD and Solaris OS server.
1.1 Main functionality
Post Office Protocol filter (POP3)
The POP3 filter scans communication between POP3 clients and servers for viruses.
Simple Mail Transfer Protocol filter (SMTP)
The SMTP filter scans communication between SMTP clients and servers for viruses. Additionally, it can also serve as a content filter for the Postfix MTA.
Internet Message Access Protocol filter (IMAP)
The IMAP filter scans communication between IMAP clients and servers for viruses.
Sendmail content filter
The Sendmail content filter accesses mail messages processed by MTA Sendmail and scans them for viruses. It examines and modifies content and meta-information of messages. If an infection cannot be removed from an email message, the message will be rejected.
External filter plugin for CommuniGate Pro
The CGP module is an external filter plugin for CommuniGate Pro. It reads email filenames from stdin, then requests a scan by the ESETS daemon and finally returns a status. It examines (but does not modify) email content and blocks messages with infiltrations in the email body.
PIPE module
The PIPE is a simple email scanner that reads email from standard input (stdin), then requests an ESETS daemon scan. If the content is accepted, it is submitted to standard output (stdout).
1.2 Key features of the system
Advanced engine algorithms
The ESET antivirus scanning engine algorithms provide the highest detection rate and the fastest scanning times.
Multi-processing
ESET Mail Security is developed to run on single- as well as multi-processor units.
Advanced Heuristics
ESET Mail Security includes unique advanced heuristics for Win32 worms, backdoor infections and other forms of malware.
Built-In features
Built-in archivers unpack archived objects without requiring any external programs.
Speed and efficiency
To increase the speed and efficiency of the system, ESET Mail Security's architecture is based on the running daemon (resident program) to which all scanning requests are sent.
Enhanced security
All executive daemons (except esets_dac) run under a non-privileged user account to enhance security.
Selective configuration
The system supports selective configuration based on the user or client/server.
Multiple logging levels
Multiple logging levels can be configured to get information about system activity and infiltrations.
Web interface
Configuration, administration and license management are offered through an intuitive and user-friendly web interface.
Remote administration
The system supports ESET Remote Administrator for management in large computer networks.
No external libraries
The ESET Mail Security installation does not require external libraries or programs except for LIBC.
User-specified notification
The system can be configured to notify specific users in the event of a detected infiltration or other important events.
Low system requirements
To run efficiently, ESET Mail Security requires just 250MB of hard-disk space and 256MB of RAM. It runs smoothly under the 2.6.x Linux OS kernel versions as well as under 5.x, 6.x FreeBSD OS kernel versions.
Performance and scalability
From lower-powered, small office servers to enterprise-class ISP servers with thousands of users, ESET Mail Security delivers the performance and scalability you expect from a UNIX based solution, in addition to the unequaled security of ESET security products.
2. Terminology and abbreviations
In this section, we will review the terms and abbreviations used in this document. Note that a boldface font is reserved for product component names and also for newly defined terms and abbreviations. Terms and abbreviations defined in this chapter are expanded upon later in this document.
ESETS
ESET Security is a standard acronym for all security products developed by ESET, spol. s r. o. for Linux, BSD and Solaris operating systems. It is also the name of the software package containing the products.
ESETS daemon
The main ESETS system control and scanning daemon: esets_daemon.
ESETS base directory
The directory where ESETS loadable modules containing the virus signature database are stored. The abbreviation @BASEDIR@ will be used for future references to this directory. The @BASEDIR@ value (depending on the operating system) is listed below:
Linux: /var/opt/eset/esets/lib
FreeBSD: /var/lib/esets
NetBSD: /var/lib/esets
Solaris: /var/opt/esets/lib
ESETS configuration directory
The directory where all files related to the ESET Mail Security configuration are stored. The abbreviation @ETCDIR@ will be used for future references to this directory. The @ETCDIR@ value (depending on the operating system) is listed below:
Linux: /etc/opt/eset/esets
FreeBSD: /usr/local/etc/esets
NetBSD: /usr/pkg/etc/esets
Solaris: /etc/opt/esets
ESETS configuration file
Main ESET Mail Security configuration file. The absolute path of the file is as follows:
@ETCDIR@/esets.cfg
ESETS binary files directory
The directory where the relevant ESET Mail Security binary files are stored. The abbreviation @BINDIR@ will be used for future references to this directory. The @BINDIR@ value (depending on the operating system) is listed below:
Linux: /opt/eset/esets/bin
FreeBSD: /usr/local/bin
NetBSD: /usr/pkg/bin
Solaris: /opt/esets/bin
ESETS system binary files directory
The directory where the relevant ESET Mail Security system binary files are stored. The abbreviation @SBINDIR@ will be used for future references to this directory. The @SBINDIR@ value (depending on the operating system) is listed below:
Linux: /opt/eset/esets/sbin
FreeBSD: /usr/local/sbin
NetBSD: /usr/pkg/sbin
Solaris: /opt/esets/sbin
ESETS object files directory
The directory where the relevant ESET Mail Security object files and libraries are stored. The abbreviation @LIBDIR@ will be used for future references to this directory. The @LIBDIR@ value (depending on the operating system) is listed below:
Linux: /opt/eset/esets/lib
FreeBSD: /usr/local/lib/esets
NetBSD: /usr/pkg/lib/esets
Solaris: /opt/esets/lib
3. System requirements
The following hardware requirements must be met before the installation process in order to run ESET Mail Security properly:
250MB of hard-disk space
256MB of RAM
glibc 2.3.6 or higher
2.6.x Linux OS kernel versions
ESET Mail Security should work on most recent and frequently used open-source Linux distributions if the above criteria are met. The following Linux distributions (x86/x64) are officially supported:
Red Hat Enterprise Linux
SUSE Linux Enterprise
ESET Mail Security will also run on the following operating systems (but only x86, 32-bit):
NetBSD 4
FreeBSD 6, 7 and 8
SUN Solaris 10
4. Installation
After purchasing ESET Mail Security, you will receive your authorization data (username, password and license key). This data is necessary for both identifying you as our customer and allowing you to download updates for ESET Mail Security. The username/password data is also required for downloading the initial installation package from our web site. ESET Mail Security is distributed as a binary file:
esets.i386.ext.bin
In the binary file shown above, ‘ext’ is a Linux, BSD and Solaris OS distribution dependent suffix, i.e., ‘deb’ for Debian, ‘rpm’ for RedHat and SuSE, ‘tgz’ for other Linux OS distributions, ‘fbs7.tgz’ for FreeBSD 7.x, ‘fbs8.tgz’ for FreeBSD 8.x, ‘nbs4.tgz’ for NetBSD 4.xx and ‘sol10.pkg.gz’ for Solaris 10.
To install or upgrade the product, use the following command:
sh ./esets.i386.ext.bin
to display the product’s User License Acceptance Agreement. Once you have confirmed the Acceptance Agreement, the installation package is placed into the current working directory and relevant information regarding the package’s installation, uninstallation or upgrade is displayed onscreen.
Once the package is installed, you can verify that the main ESETS service is running by using the following command:
Linux OS:
ps -C esets_daemon
BSD OS:
ps -ax | grep esets_daemon
Solaris:
ps -A | grep esets_daemon
After pressing ENTER, you should see the following (or similar) message:
PID TTY TIME CMD
2226 ? 00:00:00 esets_daemon
2229 ? 00:00:00 esets_daemon
At least two ESETS daemon processes are running in the background. The first PID represents the process and threads manager of the system. The other represents the ESETS scanning process.
5. Architecture Overview
Once ESET Mail Security is successfully installed, you should become familiar with its architecture.
Figure 4-1. Structure of ESET Mail Security.
The structure of ESET Mail Security is shown in Figure 4-1. The system is comprised of the following parts:
CORE
The core of ESET Mail Security is the ESETS daemon (esets_daemon). The daemon uses the ESETS API library libesets.so and ESETS loading modules em00X_xx.dat to provide base system tasks such as scanning, maintenance of the agent daemon processes, maintenance of the samples submission system, logging, notification, etc. Please refer to the esets_daemon(8) man page for details.
AGENTS
The purpose of ESETS agent modules is to integrate ESETS with the Linux, BSD and Solaris server environment.
UTILITIES
The utility modules provide simple and effective system management. They are responsible for system tasks such as license management, quarantine management, system setup and update.
CONFIGURATION
Proper configuration is the most important aspect of your security system; the remainder of this chapter is dedicated to explaining all related components. A thorough understanding of the esets.cfg file is also highly recommended, as this file contains information essential to the configuration of ESET Mail Security.
After the product is successfully installed, all its configuration components are stored in the ESETS configuration directory. The directory consists of the following files:
@ETCDIR@/esets.cfg
This is the most important configuration file, as it controls all major aspects of the product’s functionality. The esets.cfg file is made up of several sections, each of which contains various parameters. The file contains one global and several “agent“ sections, with all section names enclosed in square brackets. Parameters in the global section are used to define configuration options for the ESETS daemon as well as default values for the ESETS scanning engine configuration. Parameters in agent sections are used to define configuration options of modules used to intercept various data flow types in the computer and/or its neighborhood, and prepare it for scanning. Note that in addition to the various parameters used for system configuration, there are also rules governing the organization of the file. For detailed information on the most effective way to organize this file, please refer to the esets.cfg(5) and esets_daemon(8) man pages, as well as the relevant agents' man pages.
@ETCDIR@/certs
This directory is used to store the certificates used by the ESETS web interface for authentication. Please see the esets_wwwi(8) man page for details.
@ETCDIR@/license
This directory is used to store the product(s) license key(s) you have acquired from your vendor. Note that the ESETS daemon will check only this directory for a valid license key, unless the ‘license_dir’ parameter in the ESETS configuration file is redefined.
@ETCDIR@/scripts/license_warning_script
If enabled by the ESETS configuration file parameter ‘license_warn_enabled’, this script will be executed 30 days (once per day) before product license expiration, sending an email notification about the expiration status to the system administrator.
@ETCDIR@/scripts/daemon_notification_script
If enabled by the ESETS configuration file parameter ‘exec_script’, this script is executed in the event of a detected infiltration by the antivirus system. It is used to send email notification about the event to the system administrator.
6. Integration with Email Messaging System
This chapter describes the integration of ESET Mail Security with a variety of known email messaging systems. It is extremely important to understand the basic principles of an email messaging system (see figure 5-1) and how ESET Mail Security integrates with it.
Figure 5-1. Scheme of UNIX OS email messaging system.
MTA - Mail Transport Agent
A program (e.g., sendmail, postfix, qmail, exim, etc.) that enables the transfer of email messages between local and remote domains.
MDA - Mail Delivery Agent
A program (e.g., maildrop, procmail, deliver, local.mail, etc.) that enables the delivery of locally addressed email messages into particular mailboxes.
MUA - Mail User Agent
A program (e.g., Microsoft Outlook, Mozilla Thunderbird, Eudora, etc.) that provides access to and management of email messages, such as reading, composing, printing, etc.
MAILBOX
A file or file structure on a disk serving as the storage space for email messages.
The email server receives data communication using SMTP (Simple Mail Transfer Protocol) communication. The received message is transferred by the MTA either to another remote email messaging system or is delivered using the local MDA into a particular MAILBOX. In most cases, each local network user owns a MAILBOX located on the server. Note that it is the responsibility of the user’s local MUA to provide the function of downloading and correctly interpreting the message at the user’s computer. When retrieving data from the MAILBOX, the MUA typically uses POP3 (Post Office Protocol) or IMAP (Internet Message Access Protocol) to communicate with the MTA. The SMTP protocol is used to send data to the Internet.
The ESETS operating principle is based on data communication interception and scanning at the various phases of its transfer. The interception locations are marked in figure 5-1 by symbols S1, S2, S3 and S4.
S1 - Bi-directional email message scanning, i.e. content filtering in the MTA.
S2 - Scanning of inbound email messages, i.e. messages with a target address which is located inside the local domain.
S3 - Scanning of outbound email messages, i.e. messages bound to a remote Internet domain.
S4 - Scanning of email messages being downloaded from a POP3/IMAP server.
The remainder of this chapter reviews methods for integrating ESETS with a variety of supported messaging systems.
6.1 Bi-directional email message scanning in MTA
Bi-directional email message scanning mode allows the user to scan inbound and outbound email messages with the same implementation algorithm. The bi-directional content filter method is MTA dependent. ESET Mail Security comes with five content filters that are built for the most common MTA programs, such as MTA Sendmail, Postfix, Exim, QMail and ZMailer and GroupWise Internet Agent (GWIA).
Check that your MTA is properly configured and running. Then, configure ESET Mail Security for bi-directional email message scanning by running the following script:
@SBINDIR@/esets_setup
Select the MTA and content filter install options. The ESETS module being used is also displayed.
Note that the installer backs up all modified configuration files and can display every command that it will execute after your approval. The backup configuration files should be reimplemented after uninstalling. Detailed steps for all possible scenarios are described in appendix A of this documentation.
6.2 Scanning of inbound email messages
Inbound email message scanning is performed during message transfer between the MTA and MDA. Incoming emails are intercepted by the esets_mda module, scanned by the ESETS daemon and delivered to the MAILBOX using the original MDA. As shown in figure 5-1, virus scanning can be enabled by setting the proper configuration of the MTA and the esets_mda module. ESET Mail Security supports most common MTA programs, such as MTA Sendmail, Postfix, Exim, QMail and ZMailer. ESETS supports any MDA. In particular, the following MDAs were tested: procmail, maildrop, deliver and local.mail.
Check that your MTA is properly configured using the original MDA and that the MTA is running. Then configure ESET Mail Security for inbound email message scanning by running the following script:
@SBINDIR@/esets_setup
Select the MDA and inbound install options. The ESETS module used is also displayed.
Note that the installer backs up all modified configuration files and can display every command that it will execute after your approval. The backup configuration files should be reimplemented after uninstalling. Detailed steps for all possible scenarios are described in appendix A of this documentation.
6.3 Scanning of outbound email messages
Outbound email message scanning is performed during the transfer of email messages between the local MUA and the MTA.
Configure ESET Mail Security for outbound email message scanning by running the following script:
@SBINDIR@/esets_setup
Select the SMTP install option. This will set the esets_smtp module to listen on a predefined port and redirect applicable IP packets. Check the newly added firewall rule to see if any changes are necessary.
Note that the installer backs up all modified configuration files and can display every command that it will execute after your approval. The backup configuration files should be reimplemented after uninstalling. Detailed steps for all possible scenarios are described in appendix A of this documentation.
6.4 Scanning of email messages downloaded from POP3/IMAP server
POP3/IMAP message scanning is performed during message transfer between the MAILBOX and MUA. All emails requested by POP3/IMAP clients are intercepted by the esets_pop3 (or esets_imap) agent module and scanned by the ESETS daemon for infiltrations. ESET Mail Security supports most common MUA programs, such as Microsoft Outlook, Evolution, Mozilla Thunderbird and others. Note that there is a restriction in ESET Mail Security functionality when emails are downloaded by Mozilla Thunderbird using the IMAP communication protocol. An email in this case is requested and downloaded part by part and built directly by Mozilla Thunderbird. For this reason it is not possible to write proper information about the infiltrations found into the header and body of the email, and thus the functionality is deactivated for this MUA.
To configure ESET Mail Security to scan email messages downloaded from a POP3 or IMAP server, run the following script:
@SBINDIR@/esets_setup
Select the POP3 or IMAP install option. This will set the given ESETS module to listen on a predefined port and redirect applicable IP packets. Check the newly added firewall rule to see if any changes are necessary.
Note that the installer backs up all modified configuration files and can display every command that it will execute after your approval. The backup configuration files should be reimplemented after uninstalling. Detailed steps for all possible scenarios are described in appendix A of this documentation.
6.5 Alternative methods of content filtering
6.5.1 Scanning email messages in CommuniGate Pro using esets_cgp
CommuniGate Pro is a powerful and reliable Unified Communications server, and esets_cgp is used for content filtering (antivirus and antispam filtering).
Esets_cgp only allows incoming email message scanning. Esets_cgp does not allow scanned email message modification and denies ESETS access to clean or delete infected email attachments. As a result, the ESETS footnote with log and status dependent header fields will not be written into the email message. Also, esets_cgp does not provide mail sender/recipient information. Due to this, user specific configurations are unavailable and advanced mail handling features (accept, defer, discard, reject) are limited.
Integrating the antivirus Plugin with CommuniGate Pro
Please see the VirusScan section of the CommuniGate Pro manual.
Open the General page in the Settings section of the WebAdmin Interface and click the Helpers link. In the Content Filtering panel, create a new filter with the following values:
Figure 5-2. Setting of Content Filtering.
Next, open the Mail page in the Settings section of the WebAdmin Interface, click the Rules link and add a new rule as follows:
Figure 5-3. Rule Settings.
6.5.2 Scanning email messages using AMaViS
AMaViS (A Mail Virus Scanner) is a tool that interfaces your MTA with several antivirus scanners. It supports various MTAs and comes in three branches: amavis, amavisd and amavisd-new. Only the amavisd-new branch is supported. AMaViS cooperates with ESET Mail Security by using esets_cli. Before explaining the AMaViS configurations, the impact of the ESET Mail Security functionality method is described. AMaViS does not allow scanned email message modification and denies ESETS access to clean or delete infected email attachments. As a result, the ESETS footnote with log and status dependent header fields will not be written into the email message. Also, AMaViS does not provide mail sender/recipient information. Due to this, user specific configurations are unavailable and advanced mail handling features (accept, defer, discard, reject) are limited for esets_cli. Lastly, AMaViS only scans files; it cannot use the ESETS antispam engine.
Taking into account these drawbacks, content filtering using AMaViS is recommended only if the system administrator does not require the features discussed above.
amavisd-new configuration
To install the product with amavisd-new, unpack and install the source amavisd-new-2.x.y.tgz in your installation directory. Next, configure the product with the newly installed amavisd-new. To do this, delete the clause for ‘ESET Software ESETS’ and then replace the clause for ‘ESET Software ESETS - Client/Server Version’ in the file ‘amavisd.conf’ with the following one:
### http://www.eset.com/
['ESET Software ESETS Command Line Interface',
'@BINDIR@/esets_cli', '{}',
[0], [1, 2, 3], qr/virus="([^"]+)"/ ],
You may need to install the additional Perl modules Archive-Tar, Archive-Zip, BerkeleyDB, Compress-Zlib, Convert-TNEF, Convert-UUlib, IO-stringy, MailTools, MIME-Base64, MIME-tools, Net-Server and Unix-Syslog from:
www.cpan.org/modules
The procedure to install is as follows:
perl Makefile.PL; make; make install
After configuration, please follow the recommendations for configuring amavisd-new in the README.mta located in the amavisd-new directory according to your mail server.
14
6.5.3 Scanning email messages using Novell GroupWise
Novel l GroupWi se i s a messagi ng and col l aborati ve software pl atform that al so supports emai l management. The pl atform
consi sts of the cl i ent and server software, avai l abl e for vari ous pl atforms (i.e. Li nux).
The modul e esets_gwia onl y al l ows the scanni ng of i ncomi ng emai l messages. For del i veri ng emai l messages to cl i ents
i mmedi atel y, the fol l owi ng GroupWi se agent di rectori es must have set the same paths:
Conversi on Di rectory
SMTP Queues Di rectory
SMTP Servi ce Queues Di rectory
To perform thi s, open the Novell ConsoleOne, navi gate to NDS > ESET-NDSTREE > eset > domain > GWIA > Propertiers > Server
Directories Settings and set the parti cul ar parameters. There i s an exampl e domai n cal l ed eset featured i n our case. Then restart
the GroupWi se agent:
/etc/init.d/grpwise restart
Figure 5-4. Novell ConcoleOne module settings.
To confi gure ESET Mai l Securi ty to scan emai l messages downl oaded from Novel l GroupWi se server, run the fol l owi ng scri pt:
@SBINDIR@/esets_setup
Select the MTA install option. This will configure the GWIA (Novell GroupWise Internet Agent) and the esets_gwia module parameters and directories, where email queues (files) are being scanned and watched.
Note that the installer performs a backup of all modified configuration files and can display every command that it will execute after your approval. The backup configuration files should be restored after uninstalling. Detailed configuration is described in appendix A of this documentation.
7. Important ESET Mail Security mechanisms
7.1 Handle Object Policy
The Handle Object Policy (see figure 6-1) mechanism provides filtering for scanned objects based on their status. This functionality is based on the following configuration options:
action_av
action_av_infected
action_av_notscanned
action_av_deleted
For detailed information on these options, please refer to the esets.cfg(5) man page.
Figure 6-1. Scheme of Handle Object Policy mechanism.
Every processed object is first handled according to the configuration of the ‘action_av’ option. If this option is set to ‘accept’ (or ‘defer’, ‘discard’, ‘reject’) the object is accepted (or deferred, discarded, rejected). If the option is set to ‘scan’ the object is scanned for virus infiltrations, and if the ‘av_clean_mode’ option is set to ‘yes’, the object is also cleaned. In addition, the configuration options ‘action_av_infected’, ‘action_av_notscanned’ and ‘action_av_deleted’ are taken into account to further evaluate object handling. If an ‘accept’ action has been taken as a result of these three action options, the object is accepted. Otherwise, the object is blocked.
7.2 User Specific Configuration
The purpose of the User Specific Configuration mechanism is to provide a higher degree of customization and functionality. It allows the system administrator to define ESETS antivirus scanner parameters based on the user who is accessing file system objects.
A detailed description of this functionality can be found in the esets.cfg(5) man page. In this section we will provide only a short example of a user-specific configuration.
Here, the esets_smtp module is used as a content filter for MTA Postfix. The functionality of this module is based on the [smtp] section in the ESETS configuration file (esets.cfg). See below:
[smtp]
agent_enabled = yes
listen_addr = "localhost"
listen_port = 2526
server_addr = "localhost"
server_port = 2525
action_av = "scan"
To provide individual parameter settings, define a ‘user_config’ parameter with the path to the special configuration file where the individual settings will be stored. In the example below, we create a reference to the special configuration file ‘esets_smtp_spec.cfg’, which is located in the ESETS configuration directory. See below:
[smtp]
agent_enabled = yes
listen_addr = "localhost"
listen_port = 2526
server_addr = "localhost"
server_port = 2525
action_av = "scan"
user_config = "esets_smtp_spec.cfg"
Once the special configuration file is referenced from within the [smtp] section, create the ‘esets_smtp_spec.cfg’ file in the ESETS configuration directory and add the appropriate individual settings. The ‘esets_smtp_spec.cfg’ file should look like this:
[rcptuser@rcptdomain.com]
action_av = "reject"
Note that the section header identifies the recipient for which the individual settings have been created, and the section body contains individual parameters for this recipient. This configuration will allow all other users attempting to access the file system to be processed normally. All file system objects accessed by other users will be scanned for infiltrations, except for the user rcptuser@rcptdomain.com, whose access will be rejected (blocked).
7.3 Blacklist and Whitelist
In the following example we demonstrate blacklist and whitelist creation for the esets_smtp content filter for MTA Postfix configuration. Note that the configuration described in the previous section is used for this purpose.
To create a blacklist used by esets_smtp, create the following group section within the special configuration file ‘esets_smtp_spec.cfg’, introduced in the previous section. See below:
[black-list]
action_av = "reject"
Next, add the sender to the ‘black-list’ group. To do this, the following special section must be created:
[|sndrname1@sndrdomain1.com]
parent_id = "black-list"
In the example above, ‘sndrname1@sndrdomain1.com’ is the email address of the sender added to the ‘black-list’. All email messages sent from this address will now be rejected. When creating the ‘white-list’ used by esets_smtp, it is necessary to create the following group section in the special configuration file ‘esets_smtp_spec.cfg’. See below:
[white-list]
action_av = "accept"
action_as = "accept"
Adding the sender's email address to the list is self-explanatory.
The ‘|’ character is placed in front of the header name of the special section for the sender address and is not placed there for the recipient address. For information regarding the special header name syntax, refer to the man page of the appropriate ESETS agent module. For esets_smtp, refer to the esets_smtp(1) man page.
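As an added example (not ESET's code), the following Python models how the special configuration file from sections 7.2 and 7.3 selects an ‘action_av’ value for a message, and how the Handle Object Policy from section 7.1 then turns that value plus the scan verdict into accept or block. The precedence between recipient and sender sections, the parent_id inheritance order, the three follow-up action defaults and the sample file contents are assumptions of this model, not documented ESETS behaviour.

```python
import re

# Constructed sample of esets_smtp_spec.cfg, combining the recipient section
# from 7.2 with the black-list/white-list groups from 7.3.
SPEC_CFG = """
[black-list]
action_av = "reject"

[white-list]
action_av = "accept"
action_as = "accept"

[rcptuser@rcptdomain.com]
action_av = "reject"

[|sndrname1@sndrdomain1.com]
parent_id = "black-list"

[|trusted@partner.example]
parent_id = "white-list"
"""

# Defaults for a message when no special section matches. action_av comes
# from the [smtp] section in the manual; the other three values are assumed.
SMTP_DEFAULTS = {
    "action_av": "scan",
    "action_av_infected": "reject",
    "action_av_notscanned": "defer",
    "action_av_deleted": "accept",
}


def parse_cfg(text):
    """Parse [section] headers and key = "value" lines into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_options(spec, sender, recipient, defaults=SMTP_DEFAULTS):
    """Return the options that apply to one message.

    Lookup order (assumption): the recipient section is applied first, then
    the '|sender' section, so a sender entry overrides a recipient entry.
    A section that names a parent_id inherits that group's values, with
    its own keys winning over the parent's.
    """
    options = dict(defaults)
    for name in (recipient, "|" + sender):
        section = spec.get(name)
        chain = []
        while section is not None:          # walk up parent_id links
            chain.append(section)
            section = spec.get(section.get("parent_id"))
        for entry in reversed(chain):       # parent first, child overrides
            options.update({k: v for k, v in entry.items() if k != "parent_id"})
    return options


def handle_object(options, verdict):
    """Handle Object Policy (section 7.1).

    verdict is the scanner's status for the object once scanning (and
    cleaning, when av_clean_mode is yes) has finished: 'clean',
    'infected', 'notscanned' or 'deleted'. Returns 'accept' or 'block'.
    """
    action = options["action_av"]
    if action != "scan":
        # accept is the only non-scan action that lets the object through;
        # defer, discard and reject all block it.
        return "accept" if action == "accept" else "block"
    if verdict == "clean":
        return "accept"
    follow_up = options["action_av_" + verdict]
    return "accept" if follow_up == "accept" else "block"


def decide(spec_text, sender, recipient, verdict):
    """Convenience wrapper: parse, resolve options, apply the policy."""
    options = effective_options(parse_cfg(spec_text), sender, recipient)
    return options["action_av"], handle_object(options, verdict)


if __name__ == "__main__":
    for args in (("sndrname1@sndrdomain1.com", "alice@rcptdomain.com", "clean"),
                 ("bob@example.net", "rcptuser@rcptdomain.com", "clean"),
                 ("trusted@partner.example", "alice@rcptdomain.com", "infected"),
                 ("bob@example.net", "alice@rcptdomain.com", "notscanned")):
        print(args, "->", decide(SPEC_CFG, *args))
```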
7.4 Anti-Spam control
The anti-spam system filters spam messages, using dynamic evaluation of the data flow of the email delivery process.
To eliminate spam, ESET Mail Security uses the anti-spam control mechanism. This mechanism can be enabled using the ‘action_as’ parameter. For a full description of the parameter refer to the esets.cfg(5) man page. Note that anti-spam scanning can only be used for email objects. Due to this, this functionality is relevant only for the following modules: esets_imap, esets_mda, esets_pipe, esets_pop3, esets_smtp, esets_smfi and esets_cgp.
Once anti-spam is enabled in any of the configuration sections, the anti-spam scanning engine initializes during the main scanning daemon start-up. During this process, appropriate anti-spam support modules are loaded from the anti-spam cache directory.
Regular updates of the anti-spam database can be administered using tasks in Scheduler. Anti-spam functionality can also be configured using the following configuration file:
@ETCDIR@/anti-spam/spamcatcher.conf
Note: SpamCatcher is a tool for spam detection. It tracks all email communication on its own server and monitors messages rejected by users. It evaluates this and various other data to determine which email is likely to contain spam and sends users a probability score for every message they receive. It allows you to create your own rules for identifying and blacklisting spam. Hundreds of rules can be used to evaluate spam score and block the incoming spam.
The @ETCDIR@/anti-spam/ directory contains a number of different configurations stored in files that can be used to customize the anti-spam engine. If you wish to start using a particular configuration, replace the default anti-spam configuration stored in ‘spamcatcher.conf’ with any of the available configuration files and then reload the ESETS daemon.
spamcatcher.conf
Is the default configuration file, containing the optimal configuration recommended for a typical server environment.
To display differences between any of the files in the anti-spam directory, use the diff command. For example, if you wish to compare the spamcatcher.conf and the spamcatcher.conf.accurate files use the following command:
diff spamcatcher.conf spamcatcher.conf.accurate
spamcatcher.conf.accurate
Bayesian Word Token analysis (i.e. spam filtering using Bayesian Analysis) is enabled. It improves accuracy, but uses more memory and can therefore take slightly more time to finish than other methods.
The limit of the number of domains queried against the DNS Block List server (DNSBL) is increased (the ‘dnsbl_max_domains’ option). DNSBLs are most often used to publish addresses of computers or networks linked to spamming.
Sender Policy Framework (SPF) validation with live DNS queries will be performed.
The value of the ‘spam_threshold’ parameter is increased. Messages with spam scores equal to or higher than this value will be rejected.
The SpamCompiler version 4 is enabled.
spamcatcher.conf.fast
The number of domains queried against the DNS Block List server is reduced.
The option ‘target_throughput’, allowing you to specify throughput in messages per second, is enabled.
CPU usage during rule file updates is reduced by increasing the size of on-disk cache files.
TTLs (Time to Live) for internal DNS and LiveFeed caches are enabled.
spamcatcher.conf.no_livefeed
The ‘livefeed’ option specifies which server is queried for LiveFeed requests. This option is disabled in this configuration file.
The internal cache for DNS requests is disabled.
7.4.1 SpamCatcher settings
The spamcatcher.conf configuration file allows you to modify several additional settings that are not available in the ESETS configuration file. The settings in spamcatcher.conf are transparently structured and described:
Name – parameter name
Arguments – values the parameter can be assigned and their syntax
Default – default parameter value
Description – detailed parameter description
Blank lines and lines beginning with # are omitted.
A list of the most important settings in spamcatcher.conf
Parameter name
Details
approved_ip_list
List of approved IP addresses. You can specify IPs that should be approved, i.e., if the first non-ignored IP in Received headers matches any address in this list, the message scores 0 and no other checks are made.
blocked_ip_list
List of blocked IP addresses. You can specify IPs that should be blocked, i.e., if any non-ignored IP in Received headers matches an address in this list, the message scores 100 and no other checks are made.
ignored_ip_list
List of ignored IP addresses. You can specify IPs that should be ignored during Real-time Blackhole List (RBL) checks. You should include all internal IP addresses within the firewall not directly accessible from the Internet. Doing so prevents unnecessary checks and helps identify actual connecting IP addresses. Internal IP addresses are already skipped by the engine (192.168.x.y and 10.x).
rbl_list
List of Realtime Blackhole servers to be used when evaluating messages. The RBL request checks for presence of a specific IP address on a given RBL server. Subject to these checks are IP addresses in the Received: sections in the mail header.
The entry format is as follows:
rbl_list=server:response:offset,server2:response2:offset2,...
The meaning of the parameters is explained below:
server
RBL server name
response
RBL server response if the IP address was found (standard responses are 127.0.0.2, 127.0.0.3, 127.0.0.4, etc.). This parameter is optional, and if not set, all answers will be considered.
offset
Value from 0 to 100. Influences overall spam score. Standard value is 100, i.e. in case of a positive check the message is assigned the spam score of 100 and is evaluated as spam. Negative values lower the overall spam score of a message.
Example 1:
rbl_list=ent.adbl.org
RBL check is performed using the ent.adbl.org server. If the check is positive, the message will be assigned a standard offset of 100 and marked as spam.
Example 2:
rbl_list=ent.adbl.org::60
RBL check is performed using the ent.adbl.org server. If the check is positive, the message will be assigned an offset of 60 which increases its overall spam score.
Example 3:
rbl_list=bx9.dbl.com::85, list.dnb.org:127.0.0.4:35, req.gsender.org::-75
RBL check is performed using the defined servers (from left to right). In case of a positive check on bx9.dbl.com the offset of 85 will be added. If the check on list.dnb.org is positive, giving a response of 127.0.0.4, an offset of 35 will be used. The offset will not be applied in cases of answers other than 127.0.0.4. If a check is positive on req.gsender.org the spam score will be decreased by 75 points (negative value).
rbl_max_ips
Maximum number of IP addresses that can be sent to the RBL server check. The total number of RBL requests is the total amount of IP addresses in the Received: sections in the email header (up to the limit set in ‘rbl_maxcheck_ips’) multiplied by the number of RBL servers set in the ‘rbl_list’. The value of 0 means there is no limit to the maximum number of IP addresses that can be checked.
This parameter is applied only if the ‘rbl_list’ option is enabled (i.e. contains a minimum of 1 server).
approved_domain_list
A list of domains and IP addresses in the email body that are to be considered as allowed. Do not use to whitelist emails by sender's domain!
blocked_domain_list
A list of domains and IP addresses in the email body that are to be considered as permanently blocked. This is not a blacklist of sender's addresses!
ignored_domain_list
List of domains in the email body that are to be permanently excluded from DNSBL checks and ignored.
dnsbl_list
List of DNSBL (DNS-based Blackhole List) servers to be used in checks of domains and IP addresses in the email body.
Format of entry is as follows:
dnsbl_list=server:response:offset,server2:response2:offset2,...
Meaning of the parameters used:
server
DNSBL server name
response
DNSBL server response if IP address/domain was found (standard responses are 127.0.0.2, 127.0.0.3, 127.0.0.4, etc.). This parameter is optional, and if not set, all answers will be considered.
offset
Value from 0 to 100. Influences overall spam score. Standard value is 100, i.e. in case of a positive check the message is assigned the spam score of 100 and is evaluated as spam. Negative values lower the overall spam score of a message.
DNSBL checks can have a negative influence on server performance due to the fact that every domain/IP address from the message body is checked against all defined DNSBL servers and every single check requires processing a DNS server request. You can reduce the impact on system resources by deploying a DNS cache server for this purpose. For the same reason the non-routable IP addresses (10.x.x.x, 127.x.x.x, 192.168.x.x) are also omitted from DNSBL checks.
Example 1:
dnsbl_list=ent.adbl.org
DNSBL check is performed against the ent.adbl.org server. If there is a positive, the message will be assigned the default offset 100 (it will be marked as spam).
Example 2:
dnsbl_list=ent.adbl.org::60
DNSBL check is performed using the ent.adbl.org server. If the check is positive, the message will be assigned an offset of 60 which increases its overall spam score.
Example 3:
dnsbl_list=bx9.dbl.com::85, list.dnb.org:127.0.0.4:35, req.gsender.org::-75
DNSBL check is performed using the defined servers (from left to right). If there is a positive check on bx9.dbl.com, the offset of 85 will be added. If the check on list.dnb.org is positive, giving a response of 127.0.0.4, an offset of 35 will be used. No offset will be applied in cases of answers other than 127.0.0.4. If a check is positive on req.gsender.org the spam score will be decreased by 75 points (negative value).
home_country_list
List of countries that will be considered "home". Messages routed through a country not on this list will be evaluated using more strict rules (higher spam score will be applied). Entry format for countries is their two character code in compliance with ISO 3166.
home_language_list
List of preferred languages – i.e. languages that are the most used in your email messages. Such messages will be evaluated using less strict rules (lower spam score). Entry format for languages is their two character code in compliance with ISO 639.
custom_rules_list
Allows you to define custom lists of rules and store each list in an individual file. Each rule is stored on a separate line in the file in the following format:
Phrase, Type, Confidence, CaseSensitivity
Phrase – Any text, must not contain commas (,).
Type – Can have the following values: SPAM, PHISH, BOUNCE, ADULT, FRAUD. If you enter a value other than those listed above, the SPAM value will be used automatically. SPAM defines phrases that occur in classical spam messages (offers of goods and services). PHISH are phrases occurring in fraudulent messages (phishing) that are aimed at extraction of confidential data (names, passwords, credit card numbers, etc.) from users. BOUNCE are phrases used in automatic server responses - Non-Delivery Notification (used when spoofing sender's address). ADULT represents phrases typical for messages offering pornographic content. FRAUD stands for phrases used in fraudulent emails (scam) offering suspicious banking operations (money transfers via your account etc.). A typical example of this spam type is the so-called Nigerian spam.
Confidence – Value from 0 to 100. Defines the probability of the phrase being a member of a specific spam category (listed above). If the Type PHISH has the Confidence 90, there is a very high probability of the phrase being used in phishing messages. The higher the Confidence score, the bigger impact it exerts on the overall spam score of the message. The Confidence value of 100 presents a special case, where the message spam score will also be 100, i.e. the message will be marked as 100% spam. Analogously, if the value is 0, the message will be marked as not-spam.
CaseSensitivity – values 0 or 1. 0 meaning the phrase is case insensitive. 1 meaning the phrase is case sensitive.
Examples:
replica, SPAM, 100, 0
Dear eBay member, PHISH, 90, 1
return to sender, BOUNCE, 80, 0
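As an added example (not ESET's or SpamCatcher's code), the Python below parses the rbl_list/dnsbl_list entry format and the custom_rules_list rule format described above and applies the score arithmetic the text gives for them. The DNS answers are a constructed lookup table; the clamping of summed offsets to 0..100 and the way several matching rules are combined are assumptions of this model, and the sample rules are the three example lines shown above.

```python
RULE_TYPES = {"SPAM", "PHISH", "BOUNCE", "ADULT", "FRAUD"}


def parse_rbl_list(value):
    """Parse 'server:response:offset,server2:response2:offset2,...'.

    Works for rbl_list and dnsbl_list alike. An empty response means any
    answer counts as positive; a missing offset defaults to 100.
    """
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split(":")
        server = parts[0]
        response = parts[1] if len(parts) > 1 and parts[1] else None
        offset = int(parts[2]) if len(parts) > 2 and parts[2] else 100
        entries.append((server, response, offset))
    return entries


def rbl_score(entries, answers):
    """Add the offset of every positive check, clamped to 0..100 (assumed).

    answers maps server name -> DNS answer for the queried IP; a server that
    did not list the IP is simply absent (a constructed stand-in for the
    real DNS lookup).
    """
    score = 0
    for server, response, offset in entries:
        answer = answers.get(server)
        if answer is None:
            continue                        # not listed: no contribution
        if response is not None and answer != response:
            continue                        # listed, but with another answer
        score += offset
    return max(0, min(100, score))


# The manual's three example rules in 'Phrase, Type, Confidence, CaseSensitivity' form.
SAMPLE_RULES = """
replica, SPAM, 100, 0
Dear eBay member, PHISH, 90, 1
return to sender, BOUNCE, 80, 0
"""


def parse_custom_rules(text):
    """Parse one rule per line; unknown types fall back to SPAM as the text says."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.rsplit(",", 3)]
        if len(parts) != 4:
            raise ValueError("malformed rule: " + line)
        phrase, rule_type, confidence, case_flag = parts
        if rule_type not in RULE_TYPES:
            rule_type = "SPAM"
        rules.append((phrase, rule_type, int(confidence), case_flag == "1"))
    return rules


def rule_score(rules, body):
    """Return (score, matched types) for a message body.

    Confidence 100 forces a score of 100 and 0 forces not-spam, as stated
    above; among other matches the highest confidence is used (assumption).
    """
    matches = []
    for phrase, rule_type, confidence, case_sensitive in rules:
        haystack, needle = (body, phrase) if case_sensitive else (body.lower(), phrase.lower())
        if needle in haystack:
            matches.append((confidence, rule_type))
    if not matches:
        return 0, []
    confidences = [c for c, _ in matches]
    types = [t for _, t in matches]
    if 100 in confidences:
        return 100, types
    if 0 in confidences:
        return 0, types
    return max(confidences), types


if __name__ == "__main__":
    entries = parse_rbl_list("bx9.dbl.com::85, list.dnb.org:127.0.0.4:35, req.gsender.org::-75")
    print(rbl_score(entries, {"bx9.dbl.com": "127.0.0.2", "list.dnb.org": "127.0.0.3"}))
    rules = parse_custom_rules(SAMPLE_RULES)
    print(rule_score(rules, "Dear eBay member, your account needs attention"))
```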
Other settings
enable_spf
This option enables/disables validation by SPF (Sender Policy Framework). This validation method checks the public rules of a domain - domain policy to determine whether a sender is authorized to send messages from that domain.
enable_all_spf
This option determines whether domains not on the ‘spf_list’ or Mailshell file can bypass the SPF validation. For this option to work correctly, the ‘enable_realtime_spf’ parameter must be set to yes.
enable_realtime_spf
If this option is enabled, DNS requests will be sent in real-time during SPF validation. This can negatively influence the performance (delays during message evaluation).
spf_list
This option allows you to assign importance to a specific SPF entry, thus influencing the overall spam score of a message.
spf_*_weight
The asterisk represents 14 possible SPF validation results (see spamcatcher.conf for more details). The value entered for this parameter is an offset that is then applied to the spam score according to individual result types. If the SPF validation result is "fail" the offset from the ‘spf_fail_weight’ parameter will be applied. Depending on the offset value the resulting spam score is then increased/decreased.
spf_recursion_depth
Maximum nesting depth (using the "include" mechanism). The RFC 4408 norm specifies this limit to 10 (to prevent Denial-of-Service), however, some SPF records nowadays do not respect this limit, as more nesting levels need to be applied to fully satisfy the SPF request.
enable_livefeed_sender_repute
If this option is disabled, the SPF information from LiveFeed will be ignored.
7.5 Samples Submission System
The Samples submission system is an intelligent ThreatSense.Net technology that collects infected objects which have been detected by advanced heuristics and delivers them to the samples submission system server. All virus samples collected by the sample submission system will be processed by the ESET virus laboratory and if necessary, added to the ESET virus signature database.
Note: According to our license agreement, by enabling the sample submission system you are agreeing to allow the computer and/or platform on which the esets_daemon is installed to collect data (which may include personal information about you and/or the user of the computer) and samples of newly detected viruses or other threats and send them to our virus lab. This feature is turned off by default. All information collected will be used only to analyze new threats and will not be used for any other purpose.
In order to activate the Samples Submission System, the samples submission system cache must be initialized. This can be achieved by enabling the ‘samples_enabled’ option in the [global] section of the ESETS configuration file. To allow the actual delivery of samples to the ESET virus laboratory servers, the parameter ‘samples_send_period’ must also be specified in the same section.
In addition, users can choose to provide the ESET virus laboratory team with supplementary information using the ‘samples_provider_mail’ configuration option. The information collected using this option will assist in providing the ESET team with an overview about a given infiltration which may be spreading over the Internet.
For more information on the Samples Submission System, refer to the esets_daemon(8) man page.
7.6 Scheduler
The Scheduler's functionality includes running scheduled tasks at a specified time or on a specific event, managing and launching tasks with predefined configuration and properties and more. Task configuration and properties can be used to influence launch dates and times, but also to expand the application of tasks by introducing the use of custom profiles during task execution.
The ‘scheduler_tasks’ option is commented out by default, causing the default scheduler configuration to be applied. In the ESETS configuration file all parameters and tasks are semicolon-separated. Any other semicolons (and backslashes) must be backslash escaped. Each task has 6 parameters and the syntax is as follows:
id – Unique number.
name – Task description.
flags – Special flags to disable the specified scheduler task can be set here.
failstart – Instructs what to do if the task could not be run on the scheduled date.
datespec – A regular date specification with 6 (crontab-like year-extended) fields, recurrent date or an event name option.
command – Can be an absolute path to a command followed by its arguments or a special command name with the ‘@’ prefix (e.g. anti-virus update: @update).
#scheduler_tasks = "id;name;flags;failstart;datespec;command;id2;name2;...";
The following event names can be used in place of the datespec option:
start – Daemon startup.
startonce – Daemon startup but at most once a day.
engine – Successful engine update.
login – Web interface logon startup.
threat – Threat detected.
notscanned – Not scanned email or file.
licexp – 30 days before license expiration.
To display the current scheduler configuration, use the Web interface or run the following command:
cat @ETCDIR@/esets.cfg | grep scheduler_tasks
For a full description of Scheduler and its parameters refer to the Scheduler section of the esets_daemon(8) man page.
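As an added example (not ESET's code), the following Python parses a ‘scheduler_tasks’ value in the format shown above, honouring the backslash escaping of semicolons and backslashes, and classifies each datespec as an event name or a six-field date specification. The sample value, its empty flags/failstart fields and the cron-like field layout are constructed for illustration and are not taken from a real esets.cfg.

```python
from dataclasses import dataclass

# Event names that may replace the datespec field (from the list above).
EVENT_NAMES = {"start", "startonce", "engine", "login",
               "threat", "notscanned", "licexp"}


@dataclass
class Task:
    id: int
    name: str
    flags: str
    failstart: str
    datespec: str
    command: str


def split_escaped(value, sep=";"):
    """Split value on unescaped separators.

    A backslash escapes the following character, so '\\;' yields a literal
    semicolon inside a field and '\\\\' a literal backslash.
    """
    fields, buf, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            buf.append(value[i + 1])        # keep the escaped character
            i += 2
            continue
        if ch == sep:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_scheduler_tasks(value):
    """Turn 'id;name;flags;failstart;datespec;command;id2;...' into Tasks."""
    fields = split_escaped(value)
    if fields and fields[-1] == "":
        fields.pop()                        # tolerate a trailing separator
    if len(fields) % 6:
        raise ValueError(f"expected groups of 6 fields, got {len(fields)}")
    tasks = []
    for start in range(0, len(fields), 6):
        task_id, name, flags, failstart, datespec, command = fields[start:start + 6]
        tasks.append(Task(int(task_id), name, flags, failstart, datespec, command))
    return tasks


def datespec_kind(datespec):
    """'event' for a known event name, 'cron' for six whitespace-separated
    fields, otherwise 'unknown'."""
    if datespec in EVENT_NAMES:
        return "event"
    if len(datespec.split()) == 6:
        return "cron"
    return "unknown"


# Constructed sample value: two tasks, the second with an escaped semicolon
# inside its command and the 'threat' event in place of a datespec.
SAMPLE_TASKS = (
    "1;Regular automatic update;;;0 */2 * * * *;@update;"
    "2;Threat notification;;;threat;/usr/local/bin/notify --tag=threat\\;detected"
)


if __name__ == "__main__":
    for task in parse_scheduler_tasks(SAMPLE_TASKS):
        print(task.id, task.name, datespec_kind(task.datespec), repr(task.command))
```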
7.7 Web Interface
The web interface allows user-friendly configuration, administration and license management of ESET Security systems. This module is a separate agent and must be explicitly enabled. To quickly configure the Web Interface, set the following options in the ESETS configuration file and restart the ESETS daemon:
[wwwi]
agent_enabled = yes
listen_addr = address
listen_port = port
username = name
password = pass
Replace the text in italics with your own values and direct your browser to ‘https://address:port’ (note the https). Login with ‘username/password’. Basic usage instructions can be found on the help page and technical details about esets_wwwi can be found on the esets_wwwi(1) man page.
The web interface allows you to remotely access the ESETS daemon and deploy it easily. This powerful utility makes it easy to read and write configuration values.
Figure 6-1. ESET Security for Linux - Home screen.
The web interface window of ESET Mail Security is divided into two main sections: the primary window, which serves to display the contents of the selected menu option, and the main menu. This horizontal bar on the top lets you navigate between the following main options:
Home – provides basic system and ESET product information
Licenses – is a license management utility, see the following chapter for more details
Configuration – you can change the ESET Mail Security system configuration here
Control – allows you to run simple tasks and view global statistics about objects processed by esets_daemon
Help – provides detailed usage instructions for the ESET Mail Security web interface
Logout – use to end your current session
Important: Make sure you click the Save changes button after making any changes in the Configuration section of the web interface to save your new settings. To apply your settings you will need to restart the ESETS daemon by clicking Apply changes on the left pane.
7.7.1 License management
You can upload a new license using the web interface, as shown in Figure 6-2.
If you want to display licenses in the console, use the following command:
@SBINDIR@/esets_lic --list
If you want to import new license files, use the following command:
@SBINDIR@/esets_lic --import *.lic
Figure 6-2. ESET Licenses.
You can enable the license notification option in the Scheduler section options. If enabled, this functionality will notify you 30 days prior to your license expiration.
Note: If you have a fully functional ESET File/Gateway Security for Linux, BSD and Solaris installation and you wish to expand it by adding ESET Mail Security, you will need to set your new username and password for ESET Mail Security either in the ESETS configuration file, or in the web interface. This will prevent possible issues with updates in ESETS.
7.7.2 SMTP+Postfix configuration example
ESETS can be configured in two ways. In this example, we will demonstrate how to use both when configuring the SMTP module, leaving you the choice of your preferred configuration method:
Using the ESETS configuration file:
[smtp]
agent_enabled = yes
listen_addr = "localhost"
listen_port = 2526
server_addr = "localhost"
server_port = 2525
Using the web interface:
Figure 6-3. ESETS - Configuration > SMTP Agent.
Always remember to save your new configuration by clicking Save changes. To apply your new changes, click the Apply changes button in the Configuration sections panel.
There are various scanner options you can use to customize the scanning environment: actions, limits, modification masks, targets. Here is an example of a two-way filter based on a spam subject prefix:
[smtp]
action_as = "defer"
as_eml_subject_prefix = "[SPAM]"
Figure 6-4. SMTP Scanner options.
7.7.3 Scheduler
You can manage the scheduler tasks either via the ESET configuration file (see chapter Scheduler) or using the web interface.
Figure 6-5. ESETS - Global > Scheduler.
Click the checkbox to enable/disable a scheduled task. By default, the following scheduled tasks are displayed:
Log maintenance – The program automatically deletes older logs in order to save hard disk space. The Scheduler will start defragmenting logs. All empty log entries will be removed during this process. This will improve the speed when working with logs. The improvement will be more noticeable if the logs contain a large number of entries.
Automatic startup file check – Scans memory and running services after a successful update of the virus signature database.
Regular automatic update – Regularly updating ESET Mail Security is the best method of keeping the maximum level of security on your computer. See ESETS update utility for more information.
Regular update of AntiSpam modules – The period after which ESETS will check for available antispam module updates. If you do not set this scheduled task, ESETS will not regularly update its antispam database.
Threat notification – By default, each threat will be logged into syslog. In addition, ESETS can be configured to run an external (notification) script to notify a system administrator via email about threat detection.
License expiration – If enabled, this functionality will notify you 30 days prior to your license expiration. This task will run the @ETCDIR@/scripts/license_warning_script shell script, which sends an email to the email address of the root user account. The script can be customized to reflect specific server needs.
7.7.4 Statistics
You can view statistics for all active ESETS agents here. The Statistics summary refreshes every 10 seconds.
Figure 6-6. ESETS - Control > Statistics.
7.8 Remote Administration
ESETS supports ESET Remote Administration for mail security management in large computer networks. The ESETS Remote Administration Client is part of the main ESETS daemon and performs the following functions:
Communicates with ERA Server and provides you with system information, configuration, protection statuses and several other features
Allows client configurations to be viewed/modified using the ESET Configuration Editor and implemented with the help of configuration tasks
Can perform Update Now tasks
Performs On-demand scans as requested, and submits the results back to ERA Server Scan Log
Note: For this option to be available you must have a valid license for ESET File Security.
Adds logs of notable scans performed by the ESETS daemon to Threat Log
Sends all non-debug messages to Event Log
These functionalities are not supported:
Firewall Log
Remote Install
Figure 6-7. ERA Console tabs.
For more information, please read the ESET Remote Administrator manual. This manual is located on our web site at the following link:
http://www.eset.com/documentation
7.8.1 Remote Administration usage example
Before commencing any remote administration process, ensure your system fulfills the three following prerequisites:
Running ERA Server
Running ERA Console
Enable RA Client in the ESETS daemon. Ensure that firewall settings do not block traffic to ERA Server or vice versa.
To set up the basics, specify the address of your ERA Server in the ‘racl_server_addr’ parameter first. If you are using a password to access the ERA Console, you must edit the value of the ‘racl_password’ parameter accordingly. Change the value of the ‘racl_interval’ parameter to adjust the frequency of connections to ERA Server (in minutes).
You can either use the web interface (see also previous chapter) to apply the new configuration, or you can adjust these parameters in the [global] section of the ESETS configuration file as follows:
racl_server_addr = "yourServerAddress"
racl_server_port = 2222
racl_password = "yourPassword"
racl_interval = 1
Note: Al l appl i cabl e ESET Remote Admi ni strati on Cl i ent vari abl es are l i sted on the esets_daemon(8) man page.
The ESETS daemon confi gurati on wi l l be rel oaded and RACL wi l l connect to ERA Server. You wi l l be abl e to see a newl y connected
cl i ent i n your ERA Consol e. Press the F5 button (or Menu > View > Refresh) to manual l y refresh the l i st of connected cl i ents.
Figure 6-8. ERA Console.
By usi ng ERA Consol e you can create a confi gurati on task to ESETS daemon from ERA Consol e:
Ri ght-cl i ck the connected Client Name
Navi gate to New Task > Configuration Task > Create...
Expand the Uni x ESET Securi ty tree
For an exampl e of a confi gurati on task by the DAC agent, see bel ow:
Figure 6-8. ERA Configuration Editor.
The New Task context menu contains On-demand scanning options (enabled/disabled cleaning).
You can select the product you wish to set the task for in the On-Demand Scan pop-up window, in the Configuration Section drop-down menu. Make sure that you select the On-demand Scan task for Unix ESET Security Product option (i.e. the product that is installed on your target workstation).
Figure 6-9. ERA On-demand scan.
7.9 Logging
ESETS provides system daemon logging via syslog. Syslog is a standard for logging program messages and can be used to log system events such as network and security events.
Messages refer to a facility:
auth, authpriv, daemon, cron, ftp, lpr, kern, mail, ..., local0, ..., local7
Messages are assigned a priority/level by the sender of the message:
Error, Warning, Summall, Summ, Partall, Part, Info, Debug
This section describes how to configure and read the logging output of syslog. The ‘syslog_facility’ option (default value ‘daemon’) defines the syslog facility used for logging. To modify syslog settings, edit the ESETS configuration file or use the Web interface.
Modify the value of the ‘syslog_class’ parameter to change the logging class. We recommend that you modify these settings only if you are familiar with syslog. For an example syslog configuration, see below:
syslog_facility = "daemon"
syslog_class = "error:warning:summall"
The name and location of the log file depend on your syslog installation and configuration (e.g. rsyslog, syslog-ng, etc.). Standard filenames for syslog output files are, for example, ‘syslog’, 'daemon.log', etc. To follow syslog activity, run one of the following commands from the console:
tail -f /var/log/syslog
tail -100 /var/log/syslog | less
grep esets /var/log/syslog | less
If you enable ESET Remote Administration, ERA log entries older than the number of days given by the ‘racl_logs_lifetime’ option will be automatically deleted.
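As an added example (not part of the original manual and not ESETS code), the following POSIX shell functions pick ESETS entries out of syslog text the way the grep command above does, and additionally rank them by the priority list given in this section (Error above Warning above Summall, and so on), so a reviewer can ask for "everything at warning or worse" instead of grepping for each level. The sample lines are constructed; the "prog[pid]: level[pid]: text" layout they use is an assumption, not the verbatim ESETS log format, so adjust the field numbers in the awk scripts if your syslog output differs.

```shell
#!/bin/sh
# Added example: select ESETS entries from syslog text and rank them by the
# ESETS priority list (error > warning > summall > summ > partall > part > info > debug).
# Not part of ESETS. The "prog[pid]: level[pid]: text" layout of the sample is an
# assumption; adjust the field numbers ($5, $6) if your syslog writes something else.

# Constructed sample lines (not real ESETS output).
SAMPLE_SYSLOG='Jun 13 10:00:01 mailhost esets_daemon[2410]: summall[2410]: mail scanned, user=alice, status=clean
Jun 13 10:00:02 mailhost esets_daemon[2410]: warning[2410]: archive nesting limit reached
Jun 13 10:00:03 mailhost esets_daemon[2410]: error[2410]: cannot connect to update server
Jun 13 10:00:04 mailhost cron[1122]: (root) CMD (run-parts /etc/cron.hourly)
Jun 13 10:00:05 mailhost esets_smtp[2412]: summall[2412]: mail scanned, sender=<bob@example.org>, status=infected, virus=Eicar test file
Jun 13 10:00:06 mailhost esets_daemon[2410]: error[2410]: license has expired'

# esets_level_count LEVEL   (syslog text on stdin; prints the number of ESETS lines at LEVEL)
# Field 5 must be an ESETS process tag such as "esets_daemon[2410]:", field 6 the level tag.
esets_level_count() {
    awk -v lvl="$1" '
    $5 ~ /^esets_[a-z0-9]+\[[0-9]+\]:$/ && $6 ~ ("^" lvl "(\\[|:)") { n++ }
    END { print n + 0 }'
}

# esets_at_least LEVEL   (syslog text on stdin; prints ESETS lines at LEVEL or more severe)
esets_at_least() {
    awk -v min="$1" '
    BEGIN {
        split("error warning summall summ partall part info debug", order, " ")
        for (i = 1; i <= 8; i++) rank[order[i]] = i        # 1 = most severe
        if (!(min in rank)) { print "unknown level: " min > "/dev/stderr"; exit 2 }
    }
    $5 ~ /^esets_[a-z0-9]+\[[0-9]+\]:$/ {
        lvl = $6; sub(/\[.*$/, "", lvl); sub(/:.*$/, "", lvl)   # "error[2410]:" -> "error"
        if ((lvl in rank) && rank[lvl] <= rank[min]) print
    }'
}

# Demo on the constructed sample: everything at warning or worse, then the error count.
printf '%s\n' "$SAMPLE_SYSLOG" | esets_at_least warning
printf 'errors: %s\n' "$(printf '%s\n' "$SAMPLE_SYSLOG" | esets_level_count error)"
```

To run it against a live log, replace the sample with `esets_at_least warning < /var/log/syslog`; the level names are the lower-case forms of the list above, the same spelling that ‘syslog_class’ uses.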
8. ESET Security system update
8.1 ESETS update utility
To maintain the effectiveness of ESET Mail Security, the virus signature database must be kept up to date. The esets_update utility has been developed specifically for this purpose. See the esets_update(8) man page for details. To launch an update, the configuration options ‘av_update_username’ and ‘av_update_password’ must be defined in the [global] section of the ESETS configuration file. In the event that your server accesses the Internet via an HTTP proxy, the additional configuration options ‘proxy_addr’ and ‘proxy_port’ must be defined. If access to the HTTP proxy requires a username and password, the ‘proxy_username’ and ‘proxy_password’ options must also be defined in this section. To initiate an update, enter the following command:
@SBINDIR@/esets_update
Note: If you have a fully functional ESET File/Gateway Security for Linux, BSD and Solaris installation and you wish to expand it by adding ESET Mail Security, you will need to set your new username and password for ESET Mail Security either in the ESETS configuration file or in the web interface. This will prevent possible issues with updates in ESETS.
To provide the highest possible security for the end user, the ESET team continuously collects virus definitions from all over the world; new patterns are added to the virus signature database at very short intervals. For this reason, we recommend that updates be initiated on a regular basis. To specify the frequency of updates, you need to configure the ‘@update’ task in the ‘scheduler_tasks’ option in the [global] section of the ESETS configuration file. You can also use the Scheduler to set the update frequency. The ESETS daemon must be up and running in order to successfully update the virus signature database.
8.2 ESETS update process description
The update process consists of two stages. First, the precompiled update modules are downloaded from the ESET server. If the ‘av_mirror_enabled’ option is set to ‘yes’ in the [global] section of the ESETS configuration file, copies (a mirror) of these update modules are created in the following directory:
@BASEDIR@/mirror
The ‘av_mirror_pcu’ option allows you to download Program Component Update (PCU) modules for Windows-based ESET security products. These modules can be mirrored from the ESET server.
Note: Once you have set your username, password and license for ESET Mail Security, please contact our Technical Support and request a change that will enable your ESET Mail Security to download PCUs for ESET NOD32 Antivirus / ESET Smart Security, our Windows-based products.
The second stage of the update process is the compilation of modules loadable by the ESET Mail Security scanner from those stored in the local mirror. Typically, the following ESETS loading modules are created: loader module (em000.dat), scanner module (em001.dat), virus signature database module (em002.dat), archive support module (em003.dat), advanced heuristics module (em004.dat), etc. The modules are created in the following directory:
@BASEDIR@
This is the directory from which the ESETS daemon loads modules; it can be redefined using the ‘base_dir’ option in the [global] section of the ESETS configuration file.
8.3 ESETS mirror http daemon
The ESETS mirror http daemon is installed automatically with ESET Mail Security. The http mirror daemon needs to be properly configured to start and enable the mirror.
In the example below, esets_mird is configured to listen on port 2221 of a computer with the local network IP address 192.168.1.10. The following parameters in the [mird] section of the ESETS configuration file need to be specified:
agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 2221
Options ‘listen_port’ and ‘listen_addr’ define the port (default 2221) and address (default: all local TCP addresses) on which the http server listens. If you set the value of the ‘auth_mode’ switch from 'none' to 'basic', the mirror will require authentication. The options ‘username’ and ‘password’ allow the administrator to define the login and password required to access the mirror.
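Every configuration step in this chapter (the ‘racl_*’ options in 7.8.1, the ‘av_update_*’ and proxy options in 8.1, the [mird] parameters above) amounts to setting one key in one section of the ESETS configuration file, and the same holds for the [mda], [smtp], [pop3] and [imap] settings in Appendix A. As an added example, not part of the manual or of the ESETS tools, here is a small POSIX shell helper that does this idempotently: it replaces the key if the section already has it, inserts it under the section's last option if the section exists without it, and appends a new section otherwise. The file contents in the demo are constructed, and the "key = value" layout is assumed from the examples in this manual.

```shell
#!/bin/sh
# Added example: idempotent "key = value" setter for one [section] of an
# ESETS-style configuration file. Not part of ESETS; the file layout is
# assumed from the examples in this manual.

# esets_set_option SECTION KEY VALUE FILE
#   - replaces KEY if SECTION already defines it (extra copies are dropped)
#   - inserts KEY at the end of SECTION if SECTION exists without it
#   - appends a new SECTION holding KEY otherwise
# VALUE is written verbatim, so quote it as the file expects (e.g. '"10.0.0.5"').
# Note: awk -v expands backslash escapes in VALUE.
esets_set_option() {
    sec="$1"; key="$2"; val="$3"; file="$4"
    awk -v sec="$sec" -v key="$key" -v val="$val" '
    BEGIN { insec = 0; found = 0; done = 0; held = "" }
    # section header: close the wanted section (insert the key if still missing)
    /^[[:space:]]*\[/ {
        if (insec && !done) { print key " = " val; done = 1 }
        printf "%s", held; held = ""
        insec = ($0 ~ ("^[[:space:]]*\\[" sec "\\][[:space:]]*$"))
        if (insec) found = 1
        print; next
    }
    # blank lines inside the wanted section are held back so an inserted key
    # lands directly under the last real option, before the blank lines
    insec && /^[[:space:]]*$/ { held = held $0 "\n"; next }
    # the key inside the wanted section: replace it
    insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
        printf "%s", held; held = ""
        if (!done) { print key " = " val; done = 1 }
        next
    }
    { printf "%s", held; held = ""; print }
    END {
        if (!done) {
            if (!found) { print ""; print "[" sec "]" }
            print key " = " val
        }
        printf "%s", held
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# esets_get_option SECTION KEY FILE  -> prints the value as written, or nothing
esets_get_option() {
    awk -v sec="$1" -v key="$2" '
    /^[[:space:]]*\[/ { insec = ($0 ~ ("^[[:space:]]*\\[" sec "\\][[:space:]]*$")); next }
    insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
        sub(/^[^=]*=[[:space:]]*/, ""); print; exit
    }' "$3"
}

# Demo on a constructed configuration file (the username is a placeholder).
demo_cfg=$(mktemp)
printf '[global]\nav_update_username = "EAV-00000000"\n\n[mird]\nagent_enabled = no\n' > "$demo_cfg"
esets_set_option global racl_server_addr '"10.0.0.5"' "$demo_cfg"   # new key in an existing section
esets_set_option mird agent_enabled yes "$demo_cfg"                   # replace an existing key
esets_set_option smtp listen_port 2526 "$demo_cfg"                    # section did not exist yet
cat "$demo_cfg"
rm -f "$demo_cfg"
```

The helper only edits the file; as the manual says for each option, the ESETS daemon must still be restarted (or the configuration reloaded through the web interface) before a changed value takes effect.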
9. Let us know
We hope this guide has provided you with a thorough understanding of the requirements for ESET Mail Security installation, configuration and maintenance. However, our goal is to continually improve the quality and effectiveness of our documentation. If you feel that any sections in this Guide are unclear or incomplete, please let us know by contacting Customer Care:
http://www.eset.com/support
Or use the support form directly:
http://www.eset.eu/support/form
We are dedicated to providing the highest level of support and look forward to helping you should you experience any problems concerning this product.
10. Appendix A. ESETS setup and configuration
10.1 Setting ESETS for MTA Postfix
Inbound email message scanning
Warning: This installation is not compatible with SELinux. Either disable SELinux or proceed to the next section.
The objective of this installation is to insert esets_mda before the original Postfix MDA. The MDA to be used (with arguments) is set in the Postfix parameter ‘mailbox_command’.
Note: If the ‘mailbox_command’ value is empty, Postfix alone is delivering mail. You must install and configure a real MDA (e.g. procmail) and use that first for the ‘mailbox_command’ and arguments (e.g. /usr/bin/procmail -d "$USER"). Reload Postfix and make sure it is delivering mail according to your needs. You may then continue with the ESETS installation.
Take the full path to the current Postfix MDA and set the parameter ‘mda_path’ in the [mda] section of the ESETS configuration file to:
mda_path = "/usr/bin/procmail"
Restart the ESETS daemon. Then, replace the path to the current Postfix MDA with the esets_mda path and add -- --recipient="$RECIPIENT" --sender="$SENDER" to the arguments, as in the following example:
mailbox_command = @BINDIR@/esets_mda -d "$USER" -- --recipient="$RECIPIENT" --sender="$SENDER"
To re-read the newly created configuration, reload Postfix.
Bi-directional email message scanning
The objective of this installation is to divert all mail from Postfix to esets_smtp and get it back to Postfix. In the [smtp] section of the ESETS configuration file, set the following parameters:
agent_enabled = yes
listen_addr = "localhost"
listen_port = 2526
server_addr = "localhost"
server_port = 2525
Restart the ESETS daemon; esets_smtp will be started and will scan all SMTP communication accepted on ‘listen_addr:listen_port’ and forward it to ‘server_addr:server_port’. To divert all mail to esets_smtp, set the following in Postfix:
content_filter = smtp:[127.0.0.1]:2526
Note: If the ‘content_filter’ parameter already has a value, do not follow these instructions. Instead, you must insert esets_smtp (or another ESETS mail scanning module) before or after your current ‘content_filter’.
Lastly, set Postfix to accept mail on port 2525 and continue processing it. To do this, add the following entry to the Postfix master.cf file:
localhost:2525 inet n - n - - smtpd
  -o content_filter=
  -o myhostname=esets.yourdomain.com
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
Replace yourdomain.com with your hostname. Make sure that all lines but the first are indented. To re-read the newly created configuration, reload Postfix.
Note: If you have SELinux enabled, it will prevent Postfix from listening on port 2525 (e.g. Fedora Core >= 5). In this case, run the following command:
semanage port -a -t smtp_port_t -p tcp 2525
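The master.cf entry above is safe only because it is bound to localhost and relays solely for 127.0.0.0/8; anything looser turns the re-injection port into the open relay that the warning in section 10.8 describes. As an added example, not part of the manual or of Postfix, the following POSIX shell function reads master.cf text on standard input, joins each service entry with its indented ‘-o’ lines, and reports whether the listener on a given port keeps the four properties that matter here: a loopback bind address, an empty content_filter (so scanned mail is not sent back into esets_smtp), ‘permit_mynetworks,reject’ as the recipient restriction, and ‘mynetworks=127.0.0.0/8’. Both sample configurations are constructed.

```shell
#!/bin/sh
# Added example: sanity check for the Postfix re-injection listener used with
# esets_smtp. Not part of the manual or of Postfix. Samples are constructed.

# Constructed master.cf fragment following the entry shown in this section.
SAFE_MASTER_CF='smtp      inet  n       -       n       -       -       smtpd
localhost:2525 inet n - n - - smtpd
  -o content_filter=
  -o myhostname=esets.example.com
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8'

# Constructed misconfiguration: bound to every interface and trusting every network.
UNSAFE_MASTER_CF='0.0.0.0:2525 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=0.0.0.0/0'

# check_reinject_listener PORT   (master.cf text on stdin)
# exit 0: the listener on PORT is loopback-only and relays only for 127.0.0.0/8
# exit 1: the listener exists but at least one of the four properties is missing
# exit 2: no listener on PORT
check_reinject_listener() {
    awk -v port="$1" '
    # one entry = service line plus its indented -o lines; a trailing space
    # lets every "option=value" be matched as "value followed by whitespace"
    function flush() { if (entry != "") entries[n++] = entry " "; entry = "" }
    /^[[:space:]]*#/   { next }                          # comment
    /^[[:space:]]*$/   { next }                          # blank line
    /^[^[:space:]]/    { flush(); entry = $0; next }     # start of a service entry
    { entry = entry " " $0 }                             # indented continuation line
    END {
        flush()
        for (i = 0; i < n; i++) {
            split(entries[i], f, /[[:space:]]+/)
            if (f[1] !~ (":" port "$")) continue         # not the listener we want
            bind = f[1]; sub(":" port "$", "", bind)
            ok = 1
            if (bind != "localhost" && bind != "127.0.0.1") ok = 0
            if (entries[i] !~ /-o[[:space:]]+content_filter=[[:space:]]/) ok = 0
            if (entries[i] !~ /-o[[:space:]]+smtpd_recipient_restrictions=permit_mynetworks,reject[[:space:]]/) ok = 0
            if (entries[i] !~ /-o[[:space:]]+mynetworks=127\.0\.0\.0\/8[[:space:]]/) ok = 0
            exit (ok ? 0 : 1)
        }
        exit 2
    }'
}

# Demo on the constructed samples.
for name in SAFE_MASTER_CF UNSAFE_MASTER_CF; do
    eval "cfg=\$$name"
    rc=0
    printf '%s\n' "$cfg" | check_reinject_listener 2525 || rc=$?
    case $rc in
        0) echo "$name: listener on 2525 is loopback-only" ;;
        1) echo "$name: listener on 2525 is NOT confined to loopback" ;;
        *) echo "$name: no listener on 2525" ;;
    esac
done
```

On a live system run `check_reinject_listener 2525 < /etc/postfix/master.cf`; a non-zero status is worth checking before the content_filter line is enabled, because mail is looped through the listener only after that point.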
10.2 Setting ESETS for MTA Sendmail
Inbound email message scanning
Warning: This installation is not compatible with SELinux. Either disable SELinux or proceed to the next section.
The objective of this installation is to insert esets_mda before Sendmail’s original MDA.
Note: On FreeBSD, Sendmail may be communicating with the MDA using LMTP. However, esets_mda does not understand LMTP. If you have FEATURE(local_lmtp) in ‘hostname’.mc, comment it out now and recreate sendmail.cf.
The currently used MDA can be found in the file sendmail.cf in the Mlocal section: parameters ‘P’ (executable) and ‘A’ (its name and arguments).
First, set ‘mda_path’ in the [mda] section of the ESETS configuration file to the currently used MDA executable (Sendmail’s ‘P’ parameter). Then restart the ESETS daemon.
Next, add the lines below to the sendmail.mc file (or ‘hostname’.mc on FreeBSD and Solaris) before all MAILER definitions:
define(`LOCAL_MAILER_PATH', `@BINDIR@/esets_mda')dnl
define(`LOCAL_MAILER_ARGS', `esets_mda original_arguments -- --sender $f --recipient $u@$j')dnl
In the example above, original_arguments is Sendmail’s ‘A’ parameter without the name (first word).
Lastly, recreate sendmail.cf and restart Sendmail.
Bi-directional email message scanning
The objective of this installation is to scan all mail in Sendmail using the esets_smfi filter. In the [smfi] section of the ESETS configuration file, set the following parameters:
agent_enabled = yes
smfi_sock_path = "/var/run/esets_smfi.sock"
Restart the ESETS daemon. Then, add the line below to the sendmail.mc file (or ‘hostname’.mc on FreeBSD) before all MAILER definitions:
INPUT_MAIL_FILTER(`esets_smfi', `S=local:/var/run/esets_smfi.sock, F=T, T=S:2m;R:2m;E:5m')dnl
With these settings, Sendmail will communicate with esets_smfi via the unix socket ‘/var/run/esets_smfi.sock’. Flag ‘F=T’ will result in a temporary failed connection if the filter is unavailable. ‘S:2m’ defines a 2 minute timeout for sending information from the MTA to the filter, ‘R:2m’ defines a 2 minute timeout for reading replies from the filter and ‘E:5m’ sets an overall 5 minute timeout between sending end-of-message to the filter and waiting for the final acknowledgment.
If the timeouts for the esets_smfi filter are too short, Sendmail can temporarily defer the message to the queue and attempt to pass it through later. However, this may lead to continuous deferral of the same messages. To avoid this problem, the timeouts should be set properly. You can experiment with Sendmail’s ‘confMAX_MESSAGE_SIZE’ parameter, which is the maximum accepted message size in bytes. Taking into account this value and the approximate maximum time for the MTA to process a message of that size (this can be measured), you can determine the most effective timeout settings for the esets_smfi filter.
Lastly, recreate sendmail.cf and restart Sendmail.
10.3 Setting ESETS for MTA Qmail
Inbound email message scanning
The objective of this installation is to insert esets_mda before Qmail’s local delivery agent. Assuming Qmail is installed in the /var/qmail directory, in the [mda] section of the ESETS configuration file, set the following parameter:
mda_path = "/var/qmail/bin/qmail-esets_mda"
Restart the ESETS daemon. Create the file /var/qmail/bin/qmail-esets_mda with the following content and run ‘chmod a+x’ on it:
#!/bin/sh
exec qmail-local -- "$USER" "$HOME" "$LOCAL" "" "$EXT" "$HOST" "$SENDER" "$1"
This will cause esets_mda to call Qmail’s local delivery agent. Next, create the file /var/qmail/bin/qmail-start.esets with the following content and also run 'chmod a+x' on it:
#!/bin/sh
A="$1"; shift
exec qmail-start.orig "|@BINDIR@/esets_mda '$A'"' -- --sender="$SENDER" --recipient="$RECIPIENT"' "$@"
This will start Qmail using esets_mda for local deliveries. However, the original delivery specification is passed to qmail-local through esets_mda. Note that in this configuration esets_mda will use Qmail’s recognized exit codes (see the qmail-command(8) man page). Lastly, replace qmail-start using these commands:
mv /var/qmail/bin/qmail-start /var/qmail/bin/qmail-start.orig
ln -s qmail-start.esets /var/qmail/bin/qmail-start
Restart Qmail.
Bi-directional email message scanning
The objective of this installation is to insert esets_mda before qmail-queue, which queues all mail before delivery. Assuming Qmail is installed in the /var/qmail directory, in the [mda] section of the ESETS configuration file, set the following parameter:
mda_path = "/var/qmail/bin/qmail-queue.esets"
Restart the ESETS daemon. Lastly, replace qmail-queue using these commands:
mv /var/qmail/bin/qmail-queue /var/qmail/bin/qmail-queue.esets
ln -s @BINDIR@/esets_mda /var/qmail/bin/qmail-queue
Restarting Qmail is unnecessary. All messages enqueued from now on will be scanned by ESETS. Note that in this configuration esets_mda will use qmail-queue’s exit codes (see the qmail-queue(8) man page).
10.4 Setting ESETS for MTA Exim version 3
Inbound email message scanning
The objective of this installation is to create an Exim transport from esets_mda for local users. In the [mda] section of the ESETS configuration file, set the following parameter:
mda_path = "/usr/sbin/exim"
In the above, /usr/sbin/exim is the full path to the Exim binary. Restart the ESETS daemon. Next, add the following transport (on any line) to the list of Exim transports:
esets_transport:
  driver = pipe
  command = @BINDIR@/esets_mda -oi -oMr esets-scanned $local_part@$domain \
    -- --sender=$sender_address --recipient=$local_part@$domain
  user = mail
In the above example, ‘mail’ is one of Exim’s ‘trusted_users’. Now add the following director to the top of the list of Exim directors:
esets_director:
  driver = smartuser
  condition = "${if eq {$received_protocol}{esets-scanned} {0}{1}}"
  transport = esets_transport
  verify = false
This will send all unscanned mail for local users to esets_mda; esets_mda will then send it back to Exim for further processing. To re-read the newly created configuration, restart Exim.
Bi-directional email message scanning
The goal of this installation is to create an Exim transport from esets_mda for all mail. Perform all steps from the previous section, but also add this router to the top of the Exim router list:
esets_router:
  driver = domainlist
  route_list = "* localhost byname"
  condition = "${if eq {$received_protocol}{esets-scanned} {0}{1}}"
  transport = esets_transport
  verify = false
10.5 Setting ESETS for MTA Exim version 4
Inbound email message scanning
The goal of this installation is to create an Exim transport from esets_mda for local users. In the [mda] section of the ESETS configuration file, set this parameter:
mda_path = "/usr/sbin/exim"
or, if you are using FreeBSD, this parameter:
mda_path = "/usr/local/sbin/exim"
where /usr/sbin/exim (or /usr/local/sbin/exim) is the full path to the Exim binary. Then restart the ESETS daemon. Add this router to the top of the Exim router list:
esets_router:
  driver = accept
  domains = +local_domains
  condition = "${if eq {$received_protocol}{esets-scanned} {0}{1}}"
  transport = esets_transport
  verify = false
and this transport (at whatever location) to the list of Exim transports:
esets_transport:
  driver = pipe
  command = @BINDIR@/esets_mda -oi -oMr esets-scanned $local_part@$domain \
    -- --sender=$sender_address --recipient=$local_part@$domain
This will send all unscanned mail for local users to esets_mda; esets_mda will then send it back to Exim for further processing. To re-read the newly created configuration, restart Exim.
Bi-directional email message scanning
The goal of this installation is to create an Exim transport from esets_mda for all mail. Perform all steps from the previous section, but omit this line in esets_router:
domains = +local_domains
10.6 Setting ESETS for MTA ZMailer
Inbound email message scanning
The goal of this installation is to use esets_mda as ZMailer’s local delivery agent. However, you must have a real MDA installed, such as procmail. In the [mda] section of the ESETS configuration file, set this parameter:
mda_path = "/path/to/procmail"
and restart the ESETS daemon. Procmail doesn't support the full email address as a recipient, so comment out this line in ZMailer's router.cf by prepending a ‘#’:
localdoesdomain=1
Next, in the ‘local/*’ clause of scheduler.conf, replace your current delivery command with:
command="sm -c $channel esets"
and append this line to sm.conf (replace your.hostname.com with your FQDN):
esets sSPfn @BINDIR@/esets_mda esets_mda -a $h -d $u -- --sender $g --recipient $u@your.hostname.com
Finally, restart ZMailer.
Bi-directional email message scanning
The goal of this installation is to use esets_zmfi as ZMailer's SMTP contentfilter. First start the ESETS daemon. Then add this line to smtpserver.conf:
PARAM contentfilter @BINDIR@/esets_zmfi
and restart ZMailer.
Please note that this will scan only the email messages coming through the smtpserver. Also, make sure that your smtp-policy is filtering all email according to your needs.
10.7 Setting ESETS for MTA Novell GroupWise
ESETS GroupWise Internet Agent contentfilter module scanning is performed using the esets_gwia daemon. The [gwia] section of the ESETS configuration file should look like this:
agent_enabled = yes
gwia_smtphome = "/var/spool/gwia/esets"
gwia_dhome = "/var/spool/gwia/queues"
Note: According to the Handle Object Policy, configuration options in the [gwia] section such as ‘action_av’, ‘action_av_infected’ and ‘action_as’ with the actions ‘defer’ and ‘reject’ will be changed to ‘discard’. These events will be logged to syslog.
Ensure that these parameters were set by the esets_setup installer in the gwia.cfg configuration file (located in /opt/novell/groupwise/agents/share/):
--home /opt/novell/groupwise/wpgate/gwia
--dhome /var/spool/gwia/queues
--smtphome /var/spool/gwia/esets
10.8 Setting ESETS for outbound email message scanning
Outbound email message scanning is performed using the esets_smtp daemon. In the [smtp] section of the ESETS configuration file, set these parameters:
agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 2525
‘listen_addr’ is the address of the local network interface named if0. Then, restart the ESETS daemon. The next step is to redirect all SMTP requests to esets_smtp. If IP filtering is being performed by the ipchains administration tool, an appropriate rule would be:
ipchains -A INPUT -p tcp -i if0 --dport 25 -j REDIRECT 2525
If IP filtering is being performed by the iptables administration tool, the rule is:
iptables -t nat -A PREROUTING -p tcp -i if0 --dport 25 -j REDIRECT --to-ports 2525
On FreeBSD, the rule is as follows:
ipfw add fwd 192.168.1.10,2525 tcp from any to any 25 via if0 in
On NetBSD and Solaris:
echo 'rdr if0 0.0.0.0/0 port 25 -> 192.168.1.10 port 2525 tcp' | ipnat -f -
Warning: Your MTA may accept all connections from esets_smtp without extensive checking because those connections are local. Using your own firewall rules, make sure you do not create an open relay, i.e., allow someone from the outside to connect to esets_smtp and use it as a relay SMTP server.
10.9 Setting ESETS for scanning of POP3 communication
POP3 communication scanning is performed using the esets_pop3 daemon. In the [pop3] section of the ESETS configuration file, set these parameters:
agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 8110
where ‘listen_addr’ is the address of the local network interface named if0. Then restart the ESETS daemon. The next step is to redirect all POP3 requests to esets_pop3. If IP filtering is being performed by the ipchains administration tool, an appropriate rule is:
ipchains -A INPUT -p tcp -i if0 --dport 110 -j REDIRECT 8110
If IP filtering is being performed by the iptables administration tool, the rule would be:
iptables -t nat -A PREROUTING -p tcp -i if0 --dport 110 -j REDIRECT --to-ports 8110
On FreeBSD, the rule is as follows:
ipfw add fwd 192.168.1.10,8110 tcp from any to any 110 via if0 in
On NetBSD and Solaris:
echo 'rdr if0 0.0.0.0/0 port 110 -> 192.168.1.10 port 8110 tcp' | ipnat -f -
10.10 Setting ESETS for scanning of IMAP communication
IMAP communication scanning is performed using the esets_imap daemon. In the [imap] section of the ESETS configuration file, set these parameters:
agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 8143
where ‘listen_addr’ is the address of the local network interface named if0. Then restart the ESETS daemon. The next step is to redirect all IMAP requests to esets_imap. If IP filtering is being performed by the ipchains administration tool, an appropriate rule would be:
ipchains -A INPUT -p tcp -i if0 --dport 143 -j REDIRECT 8143
If IP filtering is being performed by the iptables administration tool, the rule is:
iptables -t nat -A PREROUTING -p tcp -i if0 --dport 143 -j REDIRECT --to-ports 8143
On FreeBSD, the rule is as follows:
ipfw add fwd 192.168.1.10,8143 tcp from any to any 143 via if0 in
On NetBSD and Solaris:
echo 'rdr if0 0.0.0.0/0 port 143 -> 192.168.1.10 port 8143 tcp' | ipnat -f -
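Sections 10.8 to 10.10 all rely on a NAT redirect that is tied to the inbound interface if0, and the warning in 10.8 is the reason: a redirect that matches every interface, or a missing one, changes which clients reach the ESETS proxies. As an added example, not part of the manual or of iptables, the following POSIX shell functions parse iptables-save style text (a constructed sample is embedded) and report, for each of the three original-port/ESETS-port pairs, whether the PREROUTING REDIRECT rule is present and carries an ‘-i’ interface match. The interface name if0 and the port numbers follow the manual; the rule layout is what iptables-save prints for the iptables commands above.

```shell
#!/bin/sh
# Added example: check that the NAT redirects from sections 10.8 to 10.10 exist
# and are bound to an interface. Not part of the manual or of iptables.
# Reads iptables-save style text; the sample below is constructed.

SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i if0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 2525
-A PREROUTING -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
COMMIT'

# redirect_status DPORT TOPORT   (iptables-save output on stdin)
# prints  ok       a PREROUTING REDIRECT DPORT->TOPORT exists and carries -i <iface>
#         unbound  the rule exists but matches traffic arriving on every interface
#         missing  no such rule
redirect_status() {
    awk -v dport="$1" -v toport="$2" '
    $1 == "-A" && $2 == "PREROUTING" && /-j REDIRECT/ {
        dp = ""; tp = ""; iface = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport")    dp = $(i + 1)
            if ($i == "--to-ports") tp = $(i + 1)
            if ($i == "-i")         iface = $(i + 1)
        }
        if (dp == dport && tp == toport) {
            status = (iface != "") ? "ok" : "unbound"
            exit                                 # the first matching rule decides
        }
    }
    END { r = (status == "") ? "missing" : status; print r }'
}

# esets_redirect_report   (iptables-save output on stdin): one line per ESETS proxy
esets_redirect_report() {
    saved=$(cat)
    for pair in "smtp 25 2525" "pop3 110 8110" "imap 143 8143"; do
        set -- $pair
        printf '%s %s->%s %s\n' "$1" "$2" "$3" \
            "$(printf '%s\n' "$saved" | redirect_status "$2" "$3")"
    done
}

# Demo on the constructed table: smtp ok, pop3 unbound, imap missing.
printf '%s\n' "$SAMPLE_NAT" | esets_redirect_report
```

On a Linux host the report is produced with `iptables-save -t nat | esets_redirect_report`; the ipchains, ipfw and ipnat variants print their rules in a different layout and are not covered by this parser.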
11. Appendix B. PHP License
The PHP License, version 3.01 Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name “PHP” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net.
4. Products derived from this software may not be called “PHP”, nor may “PHP” appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying “Foo for PHP” instead of calling it “PHP Foo” or “phpfoo”
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes PHP software, freely available from <http://www.php.net/software/>”.
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.