[CentOS-docs] Amavisd Howto

Tue Aug 26 05:07:46 UTC 2008
Will F. <will at digitaldev.com>

Hello CentOS Docs People!

I recently used the Amavisd howto to set up a couple of mailservers, which saved me from hours of searching online and reading novels of documentation. Since Ned is taking a little break from the Amavisd page, I would like to help contribute. There were a few things I'd like to add, like GTUBE/EICAR testing and SELinux config lines.

My wiki username is WilliamFong. I'm frequently on Freenode IRC as either "seekwill" or "will".

Please let me know how I may contribute.

Thanks,
-will



----- Original Message -----
From: "Ned Slider" <ned at unixmail.co.uk>
To: "Will F." <will at digitaldev.com>
Cc: ralph at centos.org
Sent: Monday, August 25, 2008 4:24:03 AM GMT -08:00 US/Canada Pacific
Subject: Re: CentOS Wiki

Will F. wrote:
> Hello! 
> 
> 
> Brilliant job on the Amavisd Howto on CentOS Wiki. I was wondering if you would like some help with that page. Specifically, I think adding a little part about SELinux blocking when starting clamav and adding some spam/virus test patterns to make sure everything is running as planned. 
> 
> 
> I'm building up a server now, and would like to contribute things I find along the way, if you don't mind. 
> 
> 
> Thanks! 
> -will 
> 

Hi Will,

Thanks for the offer :)

To be able to contribute to the Wiki you'll need to create an account of 
the form FirstnameLastname and then send a message to the centos-docs 
mailing list explaining that you'd like to contribute and what your Wiki 
username is. Ralph will then give you edit permissions for that page. 
I've copied Ralph in on this email for his info (Ralph also helped in 
putting together the amavisd guide). If you're happy with that, then it 
would also be useful to CC this mail and your reply to the centos-docs 
mailing list for reference.

To be honest, I'm no longer running that amavisd setup on my server, so 
yes, some help checking, adding to and maintaining that page would be 
great. I found that the postfix restrictions and DNSBLs I run are so 
effective that post-filtering is completely unnecessary for my setup so 
I disabled it.

I had planned on adding a section on testing with the amavisd test 
samples at the end but never got around to it.

Regarding SELinux, I've recently finished a guide that can be referenced:

http://wiki.centos.org/HowTos/SELinux

Also, SELinux with respect to the amavisd guide was recently discussed 
on the mailing list here:

http://lists.centos.org/pipermail/centos/2008-August/062296.html

Quoting from that post:

module local 1.0;

require {
          type traceroute_port_t;
          type amavis_t;
          type postfix_spool_t;
          type clamd_t;
          type amavis_var_lib_t;
          type sysctl_kernel_t;
          type var_t;
          type postfix_smtpd_t;
          type initrc_t;
          type proc_t;
          class unix_stream_socket connectto;
          class file { read getattr };
          class sock_file write;
          class lnk_file { read create unlink getattr };
          class udp_socket name_bind;
          class dir { read search };
}

#============= amavis_t ==============
allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr };
allow amavis_t traceroute_port_t:udp_socket name_bind;

#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_t:dir read;
allow clamd_t var_t:file { read getattr };

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;


which also includes rules for postgrey that from my own setup I found to be:

module postgrey 1.0;

require {
         type postfix_smtpd_t;
         type postfix_spool_t;
         type initrc_t;
         class sock_file write;
         class unix_stream_socket connectto;
}

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;


So my best guess when removing the rules for postgrey above, is that the 
following are specific to amavisd/clam and can be used as a starting 
point to check your findings:


module local 1.0;

require {
          type traceroute_port_t;
          type amavis_t;
          type clamd_t;
          type amavis_var_lib_t;
          type sysctl_kernel_t;
          type var_t;
          type proc_t;
          class file { read getattr };
          class lnk_file { read create unlink getattr };
          class udp_socket name_bind;
          class dir { read search };
}

#============= amavis_t ==============
allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr };
allow amavis_t traceroute_port_t:udp_socket name_bind;

#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_t:dir read;
allow clamd_t var_t:file { read getattr };


Regards,

Ned
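
The trimming step described in the message above (taking the combined module and removing the postgrey rules) can be done mechanically. The following Python sketch is an added example, not part of the original message: it parses the allow rules of the combined module, drops the permissions the postgrey module grants, and rebuilds the require block from what is left. The function names are hypothetical, and only allow rules of the simple form quoted in the thread are handled.

```python
import re
from collections import defaultdict

# Allow rules copied from the two modules quoted in the message above.
COMBINED = """
allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr };
allow amavis_t traceroute_port_t:udp_socket name_bind;
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_t:dir read;
allow clamd_t var_t:file { read getattr };
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
"""
POSTGREY = """
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
"""
ALLOW = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)

def parse_allows(text):
    """Map (source, target, class) -> set of permissions for each allow rule."""
    rules = defaultdict(set)
    for src, tgt, cls, braced, single in ALLOW.findall(text):
        rules[(src, tgt, cls)] |= set((braced or single).split())
    return dict(rules)

def subtract(base, remove):
    """Keep only the permissions in base that remove does not also grant."""
    kept = {k: p - remove.get(k, set()) for k, p in base.items()}
    return {k: p for k, p in kept.items() if p}

def required(rules):
    """Types and class permissions the require block must declare."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types |= {src, tgt}
        classes[cls] |= perms
    return types, dict(classes)

def render(name, rules):
    """Emit a .te module whose require block covers exactly the given rules."""
    fmt = lambda p: "{ " + " ".join(sorted(p)) + " }" if len(p) > 1 else next(iter(p))
    types, classes = required(rules)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render("local", subtract(parse_allows(COMBINED), parse_allows(POSTGREY))))
```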