------

Use Sagator, an Antivirus/Antispam Gateway, to Protect Your Mail Server

We read of virus infections (new ones come out all the time) and are somehow affected by spam mail on a daily basis. While there are plenty of free and commercial solutions (available as client applications) for both nuisances, system administrators need to have a strategy for dealing with these threats well before they reach the users’ mailboxes.

SAGATOR – An Antiviriurs/Antispam Protection for Mail Server

One of such strategies is as setting up an antivirus / antispam gateway. You can think of this tool as an intermediate layer (or filter) between the outside world and your inside network as far as email content is concerned.

In addition, if you think of it, it is much easier to install and maintain a single piece of software in a single machine (the mail server) than it is to do the same on several machines individually.

In this article we will introduce you to Sagator, an antivirus/anti-spam gateway for Linux mail servers written in Python. Among other things, Sagator provides database logging, use statistics, and daily reports for users. That said, let’s get started.

Installing Sagator and Postfix Mail Server

To install Sagator in CentOS/RHEL 7, download and install the following RPM packages. The latest beta release (7) includes support and fixes for systemd – that is why we prefer to install it using this method instead of downloading the package from the repositories.

# rpm -Uvh https://www.salstar.sk/pub/sagator/epel/testing/7/i386/sagator-core-1.3.2-0.beta7.el7.noarch.rpm # rpm -Uvh https://www.salstar.sk/pub/sagator/epel/testing/7/i386/sagator-1.3.2-0.beta7.el7.noarch.rpm

If you are performing this installation on a fresh server, please note that several other packages need to be installed as dependencies, among which we can mention Postfix, ClamAV, and SpamAssassin.

Additionally, you may want to also install Rrdtool, an utility to create and display day / week / month / year graphics of total / clean / virus / spam number of emails.

These graphics will be available in /var/www/html/sagator once the service and its dependencies are fully functional.

# yum install epel-release # yum install postfix spamassassin clamav clamav-scanner clamav-scanner-systemd clamav-data clamav-update rrdtool

This is not a surprise as we will need a mail server, and antivirus / antispam software Sagator can hook up to. In addition, we may need to install the mailx package, which provides MUA (Mail User Agent, also known as Email Agent) functionalities.

In Debian and Ubuntu, you will need to install Sagator from a precompiled .deb package, which you can download from here and install as follows:

Debian Jessie:

# wget https://www.salstar.sk/pub/sagator/debian/pool/jessie/testing/sagator-base_1.3.2-0.beta7_all.deb  # wget https://www.salstar.sk/pub/sagator/debian/pool/jessie/testing/sagator_1.3.2-0.beta7_all.deb  # dpkg -i sagator-base_1.3.2-0.beta7_all.deb # dpkg -i sagator_1.3.2-0.beta7_all.deb 

Ubuntu Trusty:

# wget https://www.salstar.sk/pub/sagator/ubuntu/pool/trusty/testing/sagator-base_1.3.2-0.beta7_all.deb  # wget https://www.salstar.sk/pub/sagator/ubuntu/pool/trusty/testing/sagator_1.3.2-0.beta7_all.deb  # sudo dpkg -i sagator-base_1.3.2-0.beta7_all.deb # sudo dpkg -i sagator_1.3.2-0.beta7_all.deb

As it was the case with CentOS, you will need to install and configure the mail server, SpamAssassin, and ClamAV packages:

# aptitude install postfix spamassassin clamav clamav-daemon -y

Don’t forget to use sudo in Ubuntu.

Next, regardless of the distribution, you will need to update the virus definition before starting ClamAV. Before doing it, edit /etc/clamd.d/scan.conf and /etc/freshclam.conf and delete the following line:

Example

Also, in /etc/clamd.d/scan.conf, make sure the following line is uncommented:

LocalSocket /var/run/clamd.scan/clamd.sock

Finally, do

# freshclam

And start / enable ClamAV, SpamAssassin, and Sagator:

# systemctl start clamd@scan # systemctl start spamassassin # systemctl start sagator # systemctl enable clamd@scan # systemctl enable spamassassin # systemctl enable sagator

You may want to check the Sagator log to make sure the service started correctly:

# systemctl status -l sagator

or for more details,

# tail -f /var/spool/vscan/var/log/sagator/sagator.log

The above commands are illustrated in the following image:

Configuring Sagator in Linux

The main configuration file is located at /etc/sagator.conf. Let’s have a look at the minimum set of directives we need to set in order for Sagator to operate properly:

Step 1 – We will be using Sagator inside a chroot, so make sure the following line is uncommented:

CHROOT = '/var/spool/vscan'

Step 2 – Make sure the LOGFILE directive matches the following value:

LOGFILE = CHROOT + '/var/log/sagator/sagator.log'

Step 3 – Choose an antivirus that will be integrated with Sagator. To do so, make sure the lines highlighted in the image below are uncommented:

While you are free to choose from a wide variety of antivirus solutions, ClamAV provides higher performance and stability. Although we will use ClamAV in this guide, please keep in mind that the configuration file includes the instructions to hook Sagator to other antivirus / antispam solutions.

When you’re done, run

# sagator --test

To check the configuration file. No output is a good thing! Otherwise, address whatever errors are found before proceeding.

Integrating Sagator with Postfix

In order to integrate Sagator with Postfix, make sure the following lines are present in /etc/postfix/main.cf and /etc/postfix/master.cf:

main.cf

mynetworks = 127.0.0.0/8 content_filter = smtp:[127.0.0.1]:27

master.cf

#smtp inet n - n -- smtpd 127.0.0.1:26 inet n - n - 30 smtpd -o content_filter= -o myhostname=localhost -o local_recipient_maps=  -o relay_recipient_maps= -o mynetworks=127.0.0.0/8  -o mynetworks_style=host -o smtpd_restriction_classes=  -o smtpd_client_restrictions= -o smtpd_helo_restrictions=  -o smtpd_sender_restrictions= -o smtpd_data_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_use_tls=no

Then restart postfix and make sure it’s enabled to start automatically on boot:

# systemctl restart postfix # systemctl enable postfix

We can now proceed with testing.

Testing Sagator

To test Sagator, send an email from user root to user gacanepa with the following body. This is nothing more and nothing less than the standard GTUBE (Generic Test for Unsolicited Bulk Email) provided by SpamAssassin, as shown in the image below:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Testing Sagator

Now let’s see what happens when a virus is sent as an attachment. In the following example we will use the EICAR test (refer to this Wikipedia entry for more details):

# wget http://www.eicar.org/download/eicar.com # mail -a eicar.com gacanepa

Then check the log:

# tail -f /var/spool/vscan/var/log/sagator/sagator.log

Rejected emails are then delivered back to the sender with the corresponding notice:

Rejected Mail Returned to Sender

What’s so good about this? As you can see, spam and viruses never actually make it to the destination mail server and the users’ mailboxes, but they are dropped or rejected at the gateway level.

As we mentioned before, the graphs are available at http://<server ip or hostname>/sagator:

Sagator Mail Statistics

Summary

In this article we have explained how to install and configure Sagator, an antivirus / antispam gateway which integrates seamlessly with and protects your mail server.

For more information and further functionality (there is much more to this incredible software than we can adequately cover in a single article!), you may want to refer to the project’s website at http://www.salstar.sk/sagator.

------