File written by Aric Pedersen. aric1@hotmail.com

Revised 11/8/04: Initial Release
Revised 11/11/04: Added likely locations for older MailScanner and ClamAV files for removal. Use at your own risk. Also added some pre-install cleanup in case you already downloaded an older copy of the Webumake script. Also added a note about what to do if the Mail::ClamAV install fails in cpan.

Installing MailScanner and ClamAV on a CPANEL server with Exim 4.43 or later and the free installer from Webumake.com

Before we begin, if you use this method and like it, please consider donating to Webumake.com: http://www.webumake.com/free/mailscanner.htm (Scroll to the bottom of the page and click the Paypal Donate logo.) Please note that I am in no way connected to the author of the Webumake.com automated installer. If you have problems with that script, please contact Webumake.

If you've installed MailScanner using my original directions (or the Redhat RPM installed version) and you want to use webumake's automated installer, you should completely uninstall MailScanner first. To do that, log into your server as root and:

service MailScanner stop
updatedb
locate mailscanner

(updatedb may take quite a while depending on your server; there is no output from this command.) Any mailscanner files listed by the locate command should be removed.

MailScanner is not compatible with CPANEL's ClamAV module, so if that module is installed you need to uninstall it before you begin. To do that, go into WHM as root, remove the ClamAV module and make sure the box is unchecked. Sadly, this usually doesn't remove most of what gets installed, so you may have to do so manually. The process is similar to the above:

updatedb
locate clam

Remove any files with clamav, freshclam or libclam in the name.

If you've used the Redhat rpm MailScanner install prior to this and installed ClamAV prior to this, here is a list of locations you will likely need to remove files from. This may or may not get everything on your server.
service MailScanner stop
cd /usr/share/man/man5/
rm -Rf *MailScanner*
cd /usr/share/doc/
rm -Rf *MailScanner*
rm -Rf *mailscanner*
cd /usr/sbin/
rm -Rf *MailScanner*
cd /usr/lib/
rm -Rf *MailScanner*
cd /etc
rm -Rf *MailScanner*
cd /etc/cron.hourly/
rm -Rf *MailScanner*
cd /etc/rc.d/rc6.d/
rm -Rf *MailScanner*
cd /etc/rc.d/rc5.d/
rm -Rf *MailScanner*
cd /etc/rc.d/rc4.d/
rm -Rf *MailScanner*
cd /etc/rc.d/rc3.d/
rm -Rf *MailScanner*
cd /etc/rc.d/rc2.d/
rm -Rf *MailScanner*
cd /etc/rc.d/rc1.d/
rm -Rf *MailScanner*
cd /etc/rc.d/rc0.d/
rm -Rf *MailScanner*
cd /etc/sysconfig/
rm -Rf *MailScanner*
cd /var/spool/
rm -Rf *MailScanner*
cd /var/run/
rm -Rf *MailScanner*
cd /var/lock/
rm -Rf *MailScanner*
cd /usr/sbin/
rm -Rf *mailscanner*
cd /etc/log.d/conf/services/
rm -Rf *mailscanner*

ClamAV -- Leave anything in /home and /scripts and in any directory with /cpanel/ in the path, like /usr/local/cpanel/whostmgr/addonsfeatures/ etc.

cd /home/.cpan/build/
rm -Rf *clam*
cd /usr/man/man8/
rm -Rf *clam*
cd /usr/man/man5/
rm -Rf *clam*
cd /usr/man/man1/
rm -Rf *clam*
cd /usr/src/
rm -Rf *clam*
cd /usr/local/share/
rm -Rf *clam*
cd /usr/local/man/man1/
rm -Rf *clam*
cd /usr/local/man/man5/
rm -Rf *clam*
cd /usr/local/man/man8/
rm -Rf *clam*
cd /usr/local/lib/pkgconfig/
rm -Rf *clam*
cd /usr/local/sbin/
rm -Rf *clam*
cd /usr/local/lib/
rm -Rf *clam*
cd /usr/local/include/
rm -Rf *clam*
cd /usr/local/etc/
rm -Rf *clam*
cd /usr/local/bin/
rm -Rf *clam*
cd /usr/include/
rm -Rf *clam*
cd /usr/share/
rm -Rf *clam*
cd /usr/sbin/
rm -Rf *clam*
cd /usr/lib/pkgconfig/
rm -Rf *clam*
cd /usr/bin/
rm -Rf *clam*
cd /etc/
rm -Rf *clam*
cd /etc/log.d/scripts/services/
rm -Rf *clam*
cd /etc/log.d/conf/services/
rm -Rf *clam*
cd /var/
rm -Rf *clam*
cd /var/spool/mail/
rm -Rf *clam*
cd /var/run/chkservd/
rm -Rf *clam*
cd /var/log/
rm -Rf *clam*
cd /etc/log.d/conf/logfiles/
rm -Rf *clam*

Now you can begin the install of ClamAV itself and then MailScanner.
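Before running a long list of rm -Rf commands like the one above, it helps to see exactly what would go. The script below is an added example and not part of this guide: it takes the output of the locate commands, applies the guide's own rules (leave /home, /scripts and anything with /cpanel/ in the path, except the /home/.cpan/build cleanup the guide does explicitly; match the *MailScanner* and *clam* globs), and prints the rm commands for review without running them. The sample locate output is constructed.

```python
"""Dry-run triage of `locate` output before removing an old MailScanner/ClamAV install.

Added example, not part of the guide. It encodes the guide's own rules:
leave anything under /home or /scripts and any path containing /cpanel/
(except /home/.cpan/build/, which the guide cleans explicitly), and only
propose entries whose name contains mailscanner or clam, matching the
*MailScanner* / *clam* globs used above. Nothing is deleted; it prints the
rm commands for review.
"""
import re
import shlex
from typing import Iterable, List

# Name fragments the guide's rm -Rf globs target (case-insensitive).
REMOVE_PATTERN = re.compile(r"mailscanner|clam", re.IGNORECASE)

# Locations the guide says to leave alone, and the one /home path it does clean.
PROTECTED_PREFIXES = ("/home/", "/scripts/")
PROTECTED_FRAGMENT = "/cpanel/"
ALLOWED_EXCEPTIONS = ("/home/.cpan/build/",)


def is_protected(path: str) -> bool:
    """True if the guide says this path must not be touched."""
    if path.startswith(ALLOWED_EXCEPTIONS):
        return False
    return path.startswith(PROTECTED_PREFIXES) or PROTECTED_FRAGMENT in path


def plan_removals(locate_lines: Iterable[str]) -> List[str]:
    """Return the `locate` results the guide's rules would remove.

    Only the last path component is matched, so a file that merely lives
    under an unrelated directory is not selected. Entries nested under
    another selected entry are dropped, since rm -Rf on the parent
    already covers them.
    """
    candidates = set()
    for raw in locate_lines:
        path = raw.strip().rstrip("/")
        if not path or is_protected(path):
            continue
        if REMOVE_PATTERN.search(path.rsplit("/", 1)[-1]):
            candidates.add(path)
    planned: List[str] = []
    for path in sorted(candidates):  # parents sort before their children
        if not any(path.startswith(parent + "/") for parent in planned):
            planned.append(path)
    return planned


def rm_commands(paths: Iterable[str]) -> List[str]:
    """Shell-quoted rm commands, one per planned path."""
    return ["rm -Rf " + shlex.quote(p) for p in paths]


# Constructed sample of `locate` output; not taken from a real server.
SAMPLE_LOCATE = """\
/etc/MailScanner
/etc/MailScanner/MailScanner.conf
/etc/cron.hourly/MailScanner
/home/.cpan/build/Mail-ClamAV-0.13
/home/user1/mail/clamav-notes.txt
/scripts/clamav_updater
/usr/local/cpanel/whostmgr/addonsfeatures/clamavconnector
/usr/local/bin/clamscan
/usr/local/bin/freshclam
/usr/local/lib/libclamav.so.1
/usr/src/clamav-0.80
/usr/src/clamav-0.80/clamd/clamd.c
/var/log/clam-update.log
"""

if __name__ == "__main__":
    # Review this list, then paste only the commands you agree with.
    for cmd in rm_commands(plan_removals(SAMPLE_LOCATE.splitlines())):
        print(cmd)
```

On a real server, feed it `locate mailscanner; locate clam` output instead of the constructed sample.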
Make sure you are actually logged into your server via SSH as root. DO NOT attempt the install by su'ing to root (as there may be restrictions that will interfere with the install).

cd ~
rm -Rf gmp*
wget ftp://ftp.gnu.org/gnu/gmp/gmp-4.1.4.tar.gz
tar xfz gmp-4.1.4.tar.gz
cd gmp*
./configure
make
make install
make clean
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
passwd -l clamav
cd /usr/src
rm -Rf clamav*
wget http://voxel.dl.sourceforge.net/sourceforge/clamav/clamav-0.80.tar.gz
tar -xvzf clamav-0.80.tar.gz
cd clamav-0.80
./configure --prefix=/usr/local
make
make install
make clean
touch /var/log/clam-update.log
chmod 0600 /var/log/clam-update.log
chown clamav /var/log/clam-update.log
cd ..
rm -Rf clamav-0.80.tar.gz

Now we begin the MailScanner install process:

cd ~
rm -Rf msinstall
rm -f restartMS.sh
rm -Rf gmp*
service exim stop
/scripts/updatenow
/scripts/exim4
cd ~
mkdir msinstall
cd msinstall
wget http://www.webumake.com/free/msinstall.txt
mv msinstall.txt msinstall.pl
chmod 0700 msinstall.pl
./msinstall.pl

Select #1 (new install).

Webumake.com suggests answering YES to both of the following questions. I personally recommend at the moment that you say NO to "Use SpamAssassin and per domain configuration rules" (unless you don't want to use SpamAssassin via CPANEL right now). Webumake.com is working on a CPANEL front-end for MailScanner and SpamAssassin that will allow the user to control their per-domain settings, but it is not quite ready yet.

Use Bayesian filtering? Yes if you want to catch more spam, no if your server is regularly overloaded.

The installation will begin. When finished, continue...
wget http://www.webumake.com/free/mscheck.txt
mv mscheck.txt mscheck.pl
chmod 700 mscheck.pl
pico /scripts/postupcp

ADD:

#!/bin/sh
perl /root/msinstall/mscheck.pl

chmod 0700 /scripts/postupcp
/scripts/postupcp
/usr/mailscanner/bin/MailScanner -v

You need to install any Perl modules listed by the last command as missing, EXCEPT SAVI, now:

cpan
install Inline::C
install Mail::SPF::Query
install Mail::ClamAV
exit

Note: If you have problems installing Mail::ClamAV via cpan, exit cpan and try the following (only if the cpan install failed):

cd ~/.cpan/build/Mail-ClamAV-0.13
chmod 0755 Makefile.PL
perl Makefile.PL
make
make test
make install
make clean

Now clean up the GMP files we installed earlier:

cd ~
rm -Rf gmp*

We also need to make a change to freshclam:

pico /usr/local/etc/freshclam.conf

ADD (at the end of the file):

DNSDatabaseInfo current.cvd.clamav.net

SAVE CHANGES. (Adding the line above speeds up freshclam updates and reduces traffic looking for updates.)

Check settings:

pico /usr/mailscanner/etc/MailScanner.conf

Line 56: %org-name% = cPanel
You should change "cPanel" to the name of your server, site or company. Ideally, this should be unique so you can tell what server it came from, but it doesn't have to be. This DOES need to be set to SOMETHING.

Line 73: Max Children = 3
This setting tells MailScanner to run this many concurrent processes. For many servers, this setting is probably OK as-is. Each child process takes up 20 MB of RAM while it is running, so if you have a Celeron with 512 MB of RAM and you are concerned about your server possibly getting overloaded, you may want to reduce this to 2 if you have load issues. If you reduce this number, it will take your mail server LONGER to process incoming and outgoing mail. If you increase this number, it will take the mail server less time to process mail, BUT you should make sure you have enough RAM and spare processing power.
The recommended average is 5 child processes per CPU, but that assumes the server is ONLY processing mail. Unless you get a LOT of mail and have a really fast dual processor server with at least 2 GB of RAM, I wouldn't bother increasing this value. When in doubt, leave this set to 3. If you notice problems later, you can adjust this value and restart MailScanner.

Line 93: Queue Scan Interval = 5
This is the time in seconds between MailScanner checks for new incoming or outgoing mail. A lower value will improve mail processing time slightly at the expense of server load. If you don't generally get tons of mail or you have a slower server, you might try increasing this value some to reduce the load on your server.

Line 229: Max Normal Queue Size = 800
This value is usually fine as-is, but if you get A LOT of mail or you notice that MailScanner isn't able to keep up with new mail and you can't or don't want to change any of the above settings, try lowering this value. If MailScanner notices this many new incoming and/or outgoing messages (total) or more, it will switch to an accelerated scanning mode that takes mail in the order found in the queue rather than first-in, first-out like normal. This will enable MailScanner to process more mail more quickly. Once the total queue drops below this value, MailScanner will automatically go back to the slower first-in, first-out method of processing mail.

Line 244: Expand TNEF = yes
TNEF is a Microsoft proprietary method of storing "rich text" in an e-mail message. Outlook and Outlook Express use this format to send rich text (non-HTML) messages. ClamAV and MailScanner can handle this special format without any problems. It is best to leave this set to YES unless you don't want ANY TNEF encoded messages or attachments scanned. This isn't a good idea since many viruses and even spam use TNEF.
If you set this to NO then any TNEF encoded messages or attachments will be completely IGNORED by MailScanner and delivered to the user immediately (BAD IDEA!).

Line 252: Deliver Unparsable TNEF = yes
If you leave this set to YES, then if MailScanner or ClamAV can't decode the TNEF encoded message or attachment, it will be immediately sent or delivered UNSCANNED to the user. This means there is a risk of a virus or other malware getting through MailScanner's net, but if you set this to NO then you risk upsetting Outlook (Express) users, because their mail will not be sent/delivered. It is probably best to leave this set to YES.

Line 266: TNEF Expander = internal
You should probably leave this set as-is, but if you have another binary (or a perl module) that you feel will do a better job than MailScanner's own TNEF parser, put the path to that module or binary here. Another acceptable setting example for most servers:

TNEF Expander = /usr/bin/tnef --maxsize=100000000

This value uses a different tnef decoder that is also typically installed with MailScanner. The maxsize option will help stop denial of service attacks where a really large TNEF encoded message is sent.

Line 270: TNEF Timeout = 120
This is the time, in seconds, that any one message will be scanned by the TNEF parser before MailScanner gives up. What happens when MailScanner gives up scanning a TNEF encoded message or attachment is controlled by the setting on line 252.

Line 288: Maximum Message Size = 0
It is probably best to leave this as-is. When this value is zero (0) then no size checking is done and MailScanner will NOT reject a message itself due to the message size. It may still be rejected by Exim or the remote mail server if the user's mailbox can't accommodate a message of that size.
Setting this to a value tells MailScanner to automatically DENY any message (including headers) over that size (total) in bytes, even if the user's mailbox or the mail server itself would normally accept a message that size. 1024 bytes = 1 KB, 1,048,576 bytes = 1 MB, etc. Don't set this too low if you are going to set it to anything other than zero.

Line 296: Maximum Attachment Size = -1
Again, it is probably best to leave this as-is. Setting this to -1 will disable MailScanner's own attachment size checking. Setting this to any other value will cause MailScanner itself to DENY any message with an attachment larger than this value in bytes. Setting this to zero (0) will deny any message with an attachment, regardless of size, even if the mail server itself would normally accept it.

Line 304: Maximum Archive Depth = 2
I would change this to zero (0), but you can do what you want. This setting tells MailScanner to look "x" layers deep into compressed attachments (.zip files, etc.) for banned/dangerous content. If you have MailScanner set to scan for viruses then ALL ARCHIVES WILL BE SCANNED FOR VIRUSES REGARDLESS OF THIS SETTING. This setting only controls scanning for illegal/banned content (see more on this later). Setting this to zero allows users to send content that might otherwise be denied by MailScanner based on the filetype or extension of the file, by compressing the file(s) into an archive and sending them that way. If you set this to zero, you might also want to deny password protected archives to make sure no malware slips through the net.

Line 306: Find Archives By Content = yes
Leaving this set to YES will tell MailScanner to actually look at the content of attachments to figure out if they are archives or not. Setting this to NO will rely on the file extension to identify an archive. For example, archive.zip will be seen as an archive, but archive_zip won't be. If you don't want archives scanned, it is better to set Maximum Archive Depth to 0.
Setting this to NO could possibly let a virus slip through the net.

Line 309: Virus Scanning = yes
Set this to NO only if you want MailScanner to act only as a spam and/or dangerous content scanner and not scan for viruses at all.

Line 379: Virus Scanners = none
You will need to change this if you leave Virus Scanning set to YES. If you followed my directions earlier, you actually have 2 different (related) methods of scanning for viruses, both using the ClamAV engine. Set this to "clamav" if you want to use the standard ClamAV installation. If the Mail::ClamAV version 0.13 or later perl module (which requires Inline::C to be installed first) was successfully installed via CPAN earlier, then you should set this line to "clamavmodule" (no quotes). The Perl module is a bit faster at scanning and tends to use slightly less server resources than the standard clamav scanning method. Both are equally effective at finding and killing viruses.

Line 383: Virus Scanner Timeout = 300
Typically you shouldn't change this. This is the amount of time in seconds the virus scanner chosen above is allowed to scan a batch of messages before being forced to give up. Increasing this time may increase the likelihood that viruses are detected (especially with large messages) but it will slow down mail delivery.

Line 395: Deliver Disinfected Files = no
You shouldn't change this. Less than 1% of viruses can be disinfected. If a virus is found as an attachment, the attachment will be deleted and the message delivered with a note about the infected attachment.

Line 429: Silent Viruses = HTML-IFrame All-Viruses
Leave this line as-is. This controls whether the sender of a virus gets notified. Since most viruses are sent with spoofed headers, there isn't any point in trying to inform the sender.

Line 443: Still Deliver Silent Viruses = no
Don't change this. This would really only be useful to test the virus scanning ability in a non-production environment.
Setting this to yes will typically only upset your users.

Line 466: Block Encrypted Messages = no
If a message is encrypted in some way (like a PGP-encrypted message, for example), setting this to YES will block such messages. MailScanner can't decrypt or scan encrypted messages, so allowing encrypted messages COULD allow viruses or other banned content to get in/out. Generally it is a good idea to leave this set to NO so you don't upset your users.

Line 472: Block Unencrypted Messages = no
Setting this to YES will block unencrypted messages. Setting this line and the above line to YES will block all mail, so either both should be no (preferred) or one OR the other should be yes. This setting might be handy if you want to force ALL users to use PGP or other encryption to send/receive messages, but you'd limit the mail that could get through.

Line 478: Allow Password-Protected Archives = yes
These days, a lot of viruses are sent this way, so you might want to set this to NO to be sure viruses don't get to or from your users. MailScanner cannot scan password protected archives.

Line 532: Dangerous Content Scanning = yes
Set this to NO if you only want to use MailScanner to scan for viruses and nothing else. Setting this to NO will stop all content/file type checks.

Line 541: Allow Partial Messages = no
Don't change this. Setting this to yes could allow viruses and other banned content to reach their destination without being scanned.

Line 554: Allow External Message Bodies = no
Don't change this either. Setting this to YES would allow the content of a message to be fetched entirely from a remote location, which is a bad idea. MailScanner cannot scan remote content.

Line 569: Find Phishing Fraud = no
Set this to yes and you can cut down on phishing attacks. A phishing attack (in case you've been hiding under a rock for the last year or so) is an e-mail that appears to be from a legit location like Paypal.com, Citibank.com, etc., but the user is told that they need to confirm some personal information due to a problem with their account. When the user clicks on the link in the message, they are taken to a page that looks exactly like the real location. They are then required to enter personal account info to "fix" their account. The phishers then take this info and use it for personal gain. MailScanner is able to detect these because the actual link in the message does not match what the text says the link is linking to. This will increase server load, however, so you may want to leave it off if you notice load issues.

Line 599: Allow Form Tags = yes
I would change this to DISARM. Form tags can be used to gather private information about the e-mail recipient (like phishing scams). Disarming form tags will stop them from working, but will still deliver those messages. Disarming form tags works in most cases, but it could be defeated, allowing the tags through, so it may not be 100% safe. Setting this to NO will cause MailScanner to deny any messages with form tags in them. Leaving this set to YES allows messages with form tags to be delivered, intact and working.

Line 609: Allow Script Tags = disarm
It is a good idea to leave this set to DISARM (or to set it to NO if you prefer). Script tags in e-mail can allow a javascript or other script to be executed as soon as the user looks at or opens the message. This is a REALLY BAD idea no matter how you slice it. Disarming the tags will allow the message to be delivered, but will stop the script from working. Again, disarming isn't 100% foolproof, so it is possible that a script could sneak by the disarming process. Setting this to NO will cause MailScanner to deny any message with script tags. Setting this to yes will allow e-mail with script tags through without any changes or warnings.

Line 621: Allow WebBugs = disarm
Leave this as-is.
Web bugs are small 1-2 pixel graphic files inserted into an e-mail message so that when the message is opened, the spammer knows that the e-mail address the message was sent to is VALID, and thus can send you more spam. This line can only be set to YES (let web bugs through unchanged) or DISARM (remove the web bug but deliver the message), because right now the web bug scanning process can cause false positive hits.

Line 633: Allow Object Codebase Tags = no
I would set this to DISARM. Setting this to YES will allow a common Microsoft product security problem to get through to the end user. Setting this to DISARM will deliver the message without the object codebase tag(s). Leaving this set to NO will cause MailScanner to deny mail that contains object codebase tags.

Line 654: Convert Dangerous HTML To Text = no
Note the table above this line that explains what happens when you set various settings. If you set this to YES, any message that has dangerous HTML content, like object codebase tags or web bugs, will be converted to plain text rather than being delivered as HTML. Delivering HTML as text will destroy the look of the message, but is safe since the HTML code won't be executed by the recipient.

Line 661: Convert HTML To Text = no
Leave this set to NO unless you want to upset your users. Set this to YES and ALL incoming or outgoing messages in HTML format will be converted to plain text before being delivered.

Line 698: Quarantine Infections = yes
Unless you enjoy filling up your server with useless and potentially dangerous content, I personally recommend that you DO NOT leave this set to YES. Leaving this set to YES will store the quarantined viruses on your server for a time. The quarantine area is:

/var/spool/MailScanner/quarantine

I would also answer NO for ALL the quarantine options in this area.
However, if you do want to quarantine viruses, the webumake.com installer does create a cronjob that periodically cleans out the quarantine area so the quarantine doesn't get too large.

Line 779: Include Scanner Name In Reports = yes
If for some reason you don't want users to know what virus scanner you use, set this to NO.

Line 950: Notify Senders = yes
I've skipped a lot of lines. The lines I skipped don't really need to be changed unless you really want to fine-tune what MailScanner does to e-mail messages. All lines are commented, so you should be able to figure it out on your own. As for this line, leaving this set to YES is probably a good idea. It will cause MailScanner to send a message to anyone who sends blocked content explaining why the message was blocked (so the user knows and can take steps or send the message without the blocked content). This is modified by the lines below...

Line 957: Notify Senders Of Viruses = no
Leave this as-is. Viruses usually spoof the sender these days, so informing the sender usually only annoys someone who is innocent.

Line 963: Notify Senders Of Blocked Filenames Or Filetypes = yes
Leaving this set to YES will have MailScanner send a form letter back to the sender of a message that MailScanner has blocked because it contains forbidden filenames or filetypes. It is probably a good idea to leave this set to yes, although this can sometimes cause a mail to be sent to a virus's spoofed sender address.

Line 969: Notify Senders Of Other Blocked Content = yes
This will send a form letter back to anyone who has mail blocked by MailScanner due to other reasons (like partial messages or external message bodies, etc.). It's probably a good idea to leave this set to YES.

Line 990: Scanned Modify Subject = no # end
The possible values for this line are NO, START or END. (The "# end" in this line is a comment and can be deleted or left as-is; it does not affect anything.)
Setting this to START will place the text in the line below at the beginning of every subject line in every message that MailScanner has scanned. END will do the same, but place the text at the end of the subject. NO will not modify the subject any more than the other rules modify it (like spam checking, virus checking, etc.). Handy to check and make sure MailScanner is working, but potentially annoying once you're sure everything is working.

Line 995: Scanned Subject Text = {Scanned}
The text after the = is what will be added to all messages if you have the line above set to START or END.

Line 1000: Virus Modify Subject = yes
If you have set MailScanner to deliver viruses, cleaned or otherwise, you can have the subject line modified. This can be set to YES or NO. It is probably a good idea, if you have MailScanner set to deliver virus-infected messages, to set this to YES. Obviously if you don't have MailScanner set to deliver cleaned messages, this setting won't do anything either way.

Line 1005: Virus Subject Text = {Virus?}
The text after the = is exactly what will be added to the beginning of the message if you have it set to do so in the line above this. The rest of the lines in this section follow the same pattern as above and are fully commented, so you shouldn't have a problem deciding what you want MailScanner to do.

Line 1067: Warning Is Attachment = yes
If MailScanner finds some content that it blocks, but it still delivers the message (for example, a virus or other blocked content), this setting tells MailScanner either to attach the warning message as a separate text attachment OR to add the warning to the message body. If this is set to YES, the warning will be sent as an attachment. If it is set to NO, then the warning will be added to the body of the message.

Line 1073: Attachment Warning Filename = %org-name%-Attachment-Warning.txt
This will control the filename of the attachment if the line above is set to YES. "%org-name%" will be replaced with the value you set for your organization name near the top of this file (set to "cpanel" by default unless you changed it). DO NOT put any spaces or other non-alphanumeric characters in the filename. Also make sure you don't give the file an extension type that is normally blocked by MailScanner.

Line 1080: Attachment Encoding Charset = ISO-8859-1
You shouldn't change this unless you know you need to. This is the character set encoding used for the attachment mentioned above. This encoding should cover a wide variety of languages, but you could change this to any encoding type if you want attachments in a different language like Chinese or Arabic, etc.

Line 1098: Archive Mail =
This is very powerful, but also potentially illegal depending on the laws where you live. You can set this to an e-mail address or a space separated set of e-mail addresses and all mail scanned by MailScanner will go to that address. You can also set up a ruleset and have e-mail selectively archived. Typically you should leave this line set to nothing, as it is.

Line 1108: Send Notices = no
This section is handy if you want to be very sure MailScanner is working. Setting this to YES will have MailScanner send the administrator (the account you set later) a notice every time blocked content or viruses are found.

Line 1114: Notices Include Full Headers = yes
If you set the line above to YES, then this line will make sure that the full headers of each blocked message are sent to you with the report so you can see them. This is a good idea.

Line 1119: Hide Incoming Work Dir in Notices = no
This refers to the Administrative notices. It's a good idea not to hide them from yourself so you can make sure things are going to/coming from the correct locations.

Line 1123: Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info
This is the signature line at the end of the admin notice e-mail. \n is a line break.
The entire sig must be placed on a single line as you see it above. This can be whatever you want, though.

Line 1128: Notices From = MailScanner
This is the name that will appear in the From: line in the admin notice e-mail. It is a very good idea, especially if you have more than one server, to modify this line so it is unique for each server. Let's say you had 3 servers, alpha, beta, and gamma; then you might change this line to read "Alpha MailScanner" on the alpha server, etc.

Line 1132: Notices To = postmaster
If you leave this as-is, the mail will be sent to wherever you have root mail set to go to. You can change this to any e-mail address you like or even a path to a ruleset so it goes to several locations.

Line 1137: Local Postmaster = postmaster
This is the e-mail address that will appear in the FROM: line of these notices. It can be whatever you want.

Line 1163: Spam Checks = no
Leaving this set to NO will stop MailScanner from doing ANY spam checking at all. Setting this to YES will allow MailScanner to run spam checks (what checks it does are configured later). MailScanner itself can do basic spam checking without using SpamAssassin or other spam lists. Setting this to YES will cause MailScanner to do spam checking regardless of (and in addition to) any SpamAssassin settings the user may have set in their CPANEL.

Line 1169: Spam List = SBL+XBL spamcop.net
This is a space separated list of the lists you want to use. These have to match an entry in /usr/mailscanner/etc/spam.lists.conf. Note that this affects the spam checking that MailScanner itself does; it does not affect SpamAssassin checks. I prefer the standard MailScanner default of ORDB-RBL and SBL+XBL. While the default setting does not catch all spam, I've never seen the setting generate a false positive, meaning you can rest easy that you're not dumping non-spam if you filter out the spam MailScanner catches using this setting.
Spamcop.net will occasionally mark non-spam as spam.

Line 1175: Spam Domain List =
If you want, you can have MailScanner check for messages sent from open relays or messages sent from servers known to host spammers, etc. Again this has to be a list defined in the appropriate section of /usr/mailscanner/etc/spam.lists.conf.

Line 1183: Spam Lists To Reach High Score = 1
Change this number to 2 if you feel messages are being marked as definitely being spam that aren't spam. If you use spamcop.net in the spam list value above, you should definitely change this to 2 if you are going to have MailScanner delete high-scoring spam.

Line 1187: Spam List Timeout = 10
This is the time in seconds that MailScanner will wait for a spam list defined above to respond before giving up and moving on.

Line 1194: Max Spam List Timeouts = 7
After this many timeouts in the history of "n" attempts (see below), the list will be marked as unavailable until the next time MailScanner is automatically restarted (set to 1 day (14400 minutes) by default).

Line 1202: Spam List Timeouts History = 10
If a list has "n" timeouts (see the line above) in this many attempts, it will be marked as unavailable until the next time MailScanner is automatically restarted (1 day by default).

Line 1209: Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
This is the path to MailScanner's own spam whitelist. For the automated install method we did above, this path is:

/usr/mailscanner/etc/rules/spam.whitelist.rules

Anything listed in that file is automatically considered to be not spam, even if MailScanner found a match in the spam lists above.

Line 1215: Is Definitely Spam = no
If you regularly get spam from the same locations or addresses and you want to blacklist them (separately from SpamAssassin's settings), then create a file with the addresses or domains and place the word "yes" after the entries. Paste the full path into this line and MailScanner will use it as an automatic blacklist.
Leave this set to NO if you don't want MailScanner itself to blacklist anything.

Line 1221: Definite Spam Is High Scoring = yes
Anything in the blacklist above is marked as high scoring spam if this is set to YES. If you set this to NO then the spam won't be marked as high scoring spam by default. You shouldn't change this.

Line 1228: Ignore Spam Whitelist If Recipients Exceed = 20
This works around a method spammers use to take advantage of overly generous whitelists. If there are more than this number of recipients listed in the message, the MailScanner whitelist is ignored and the message will be marked (or not marked) as spam as normal.

Line 1237: Use SpamAssassin = no
This should be set to NO unless you chose to use SpamAssassin when you installed MailScanner (using the installer script). If you used the installer script originally and change your mind about using SpamAssassin on ALL mail, you should reinstall, selecting to use SpamAssassin, and then go into WHM and completely remove SpamAssassin from your users' accounts using the Feature list, service manager, etc. If you leave SpamAssassin as an option in CPANEL, your users will be confused when they discover their SpamAssassin settings are being ignored (because MailScanner is using a totally different set of rules that you specify here).

Please note that this entire section can be skipped if you aren't using SpamAssassin as part of MailScanner. I'm going to skip that section since most will probably NOT want to have MailScanner work directly with SpamAssassin at this point (allowing your customers to use their own SpamAssassin settings in CPANEL instead). This section is well commented if you choose to use it.

Line 1341: Spam Actions = deliver
This can be a space-separated list of actions or even a path to a ruleset. When you are comfortable that MailScanner isn't marking messages as spam when it shouldn't, you might want to change this to DELETE.
See the comments above this line in the config file to see what else you can set it to. Line 1364: High Scoring Spam Actions = deliver Same as the above line except it covers what happens to high scoring spam (which are less likely to be false positives). Line 1375: Non Spam Actions = deliver This is what you want MailScanner to do with mail that is NOT marked as spam. Line 1418: Bounce Spam As Attachment = no Leave this set to NO. Line 1430: Syslog Facility = mail Don't change this. Line 1435: Log Speed = no If you think MailScanner is taking too long to process messages, setting this to YES will cause MailScanner to write the speed of the various scans it does to each batch of messages to the mail log so you can diagnose slowdowns. Normally, you should leave this set to NO. Line 1440: Log Spam = no If you want MailScanner to log spam it receives in detail, set this to YES, but doing so can really increase server load, especially if you get a lot of spam. Keep in mind that if your logwatch scanner is up-to-date, you will get a report each day of MailScanner activity that looks something like this WITHOUT logging viruses and spam: --------------------- MailScanner Begin ------------------------ MailScanner Status: 98 messages Scanned by MailScanner 2.9 Total MB 16 Spam messages detected by MailScanner 2 Viruses found by MailScanner 96 Messages delivered by MailScanner ClamAV Virus Report: (Total Seen = 2) Eicar-Test-Signature: 2 Times(s) Virus Sender Report: (Total Seen = 2) 111.111.111.111 : 2 Times(s) So you don't really need to log virus activity unless you need to diagnose a serious problem. Line 1445: Log Non Spam = no Write non-spam e-mail to the mail log. No point in doing this unless you are trying to track down problems. Your log files could get really large, too. Line 1450: Log Permitted Filenames = no Setting this to YES will log filenames of attachments that MailScanner DID NOT deny. Again, not recommended unless you are having problems. 
Line 1455: Log Permitted Filetypes = no Same as above but logs filetypes rather than filenames that MailScanner did not deny. Line 1459: Log Silent Viruses = no Log viruses that spoof the mail headers so they appear to be from someone else. The next section doesn't contain anything that you will need to change, so I am skipping it. Line 1527: MCP Checks = no Message Content Protection uses a second copy of SpamAssassin (there must be two installed copies). If you enable this feature and configure it properly, it can actually scan the content of HTML messages and attachments like Microsoft Office documents looking for banned content or words that would signify spam. This adds quite a bit to the memory usage, server load and processing time for all messages. It is recommended that you leave this OFF. The rest of this section deals with MCP settings and some other settings that you should not change, there is only one line of interest in the rest of the file: Line 1660: Split Exim Spool = yes CPANEL now sets Exim by default to use split spools for messages. This improves Exim's message processing time. Leave this on if you have Exim 4.43R1 or later installed. If you've turned off split spools in the exim.conf file, then set this to NO. There are two other files you should edit and then you will be done: pico /usr/mailscanner/etc/filetype.rules.conf This file contains file types that should be allowed explicitly and denied by MailScanner. The file type is determined by MailScanner by looking inside to file and any meta data it contains. In my opinion there are several file types that are restricted that really shouldn't be, but use your own judgement. I usually comment out (by placing a "#" at the beginning of the line) the video file and self extracting file restrictions. 
For example, I change: deny QuickTime No QuickTime movies No QuickTime movies allowed to this: #deny QuickTime No QuickTime movies No QuickTime movies allowed Do that to every deny line that you don't want to deny. You could also completely delete the line, but if you ever change your mind, removing a comment (#) is a lot easier than recreating the line. There is one more file to edit: pico /usr/mailscanner/etc/filename.rules.conf This file contains a list of any explicitly permitted or banned filenames and file extensions. Edit as you see fit, but I usually comment out one line so users are less inconvenienced. I change: deny \.exe$ Windows/DOS Executable to: #deny \.exe$ Windows/DOS Executable Save all changes you make and then you should restart MailScanner. /root/restartMS.sh will restart MailScanner for you. Now send some mail to and from your server to make sure that MailScanner is working. If it is working, MailScanner should add at 2-3 lines to the headers of every message: X-orgname-MailScanner: Found to be clean, Found to be clean X-orgname-MailScanner-Information: Please contact the ISP for more information X-MailScanner-From: user@domain.com "orgname" will be whatever you set it to in your MailScanner.conf file. If you want to test ClamAV, then go to: http://eicar.com/anti_virus_test_file.htm and download one of the test virus files. Keep in mind that the Eicar test virus isn't really a virus, it is just a file that all virus scanners have agreed to detect as a virus for testing purposes. The Eicar test "virus" will not harm your computer in any way, even if ClamAV isn't scanning messages. Send the virus to yourself. Wait 10 minutes to be sure. If nothing shows up (or, depending on your settings, if you get a warning) then you know ClamAV and MailScanner are working properly together.
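The rules-file edits and the header check described above, as an added shell example that is not from this guide or from MailScanner: it comments out chosen deny lines (keeping them for easy restore) and tests a message for the headers MailScanner is expected to add. The rule lines, the "example" orgname and the message files are constructed copies so it runs offline; the real paths under /usr/mailscanner/etc/ appear only in the comments.

```shell
#!/bin/sh
# Added example, not part of the original guide or of MailScanner. Works on
# constructed copies of the files; on the server the real files are
# /usr/mailscanner/etc/filetype.rules.conf and filename.rules.conf.

# Prefix every "deny" line whose text contains $2 with "#" in rules file $1.
# $2 is matched literally, so '\.exe$' matches the filename rule as written.
disable_deny_rule() {
    rules="$1"; key="$2"; tmp="$rules.tmp"
    while IFS= read -r line; do
        case "$line" in
            deny*"$key"*) printf '#%s\n' "$line" ;;
            *)            printf '%s\n' "$line" ;;
        esac
    done < "$rules" > "$tmp" && mv "$tmp" "$rules"
}

# Exit 0 when the header block of message file $1 carries both the scan
# result line (X-<orgname>-MailScanner:) and the X-MailScanner-From: line.
has_mailscanner_headers() {
    hdr=$(sed '/^$/q' "$1")            # headers end at the first blank line
    printf '%s\n' "$hdr" | grep -q -E '^X-[^:]+-MailScanner: ' &&
        printf '%s\n' "$hdr" | grep -q -E '^X-MailScanner-From: '
}

# Create constructed sample files in a temporary directory; print its path.
make_samples() {
    d=$(mktemp -d)
    printf 'deny\tQuickTime\tNo QuickTime movies\tNo QuickTime movies allowed\n' > "$d/filetype.rules.conf"
    printf 'allow\t.*\t-\t-\n' >> "$d/filetype.rules.conf"
    printf 'deny\t\\.exe$\tWindows/DOS Executable\n' > "$d/filename.rules.conf"
    printf 'allow\t.*\t-\t-\n' >> "$d/filename.rules.conf"
    # headers in the form the guide shows, with a constructed orgname "example"
    printf 'X-example-MailScanner: Found to be clean, Found to be clean\n' > "$d/scanned.eml"
    printf 'X-example-MailScanner-Information: Please contact the ISP for more information\n' >> "$d/scanned.eml"
    printf 'X-MailScanner-From: user@example.com\nSubject: test\n\nbody\n' >> "$d/scanned.eml"
    printf 'Subject: test\n\nbody\n' > "$d/unscanned.eml"   # never passed through MailScanner
    printf '%s\n' "$d"
}

# Demo run on the constructed copies.
d=$(make_samples)
disable_deny_rule "$d/filetype.rules.conf" QuickTime
disable_deny_rule "$d/filename.rules.conf" '\.exe$'
grep -c '^#deny' "$d"/*.rules.conf                  # one commented rule in each file
has_mailscanner_headers "$d/scanned.eml" && echo "MailScanner headers present"
```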