User Manual Avira AntiVir MailGate | MailGate Suite www.avira.
Contents
1 About this Manual
1.1 Introduction
1.2 The Structure of the Manual
1.3 Signs and Symbols
1.
1 About this Manual

In this chapter you can find an overview of the structure and contents of this manual. After a short introduction, you can read information about the following issues:
• The Structure of the Manual – Page 4
• Signs and Symbols – Page 4
• Abbreviations – Page 5

1.1 Introduction

We have included in this manual all the information you need on Avira AntiVir MailGate and it will guide you step by step through installation, configuration and operation of the software.
1.2 The Structure of the Manual

The manual of your AntiVir software consists of a number of chapters, providing the following information:

Chapter: Contents
1 About this Manual: The structure of the manual, signs and symbols.
2 Product Information: General information on Avira AntiVir MailGate, its modules, features, system requirements and licensing.
3 Milter Mode: Presenting the Milter function mode in Avira AntiVir MailGate.
4 Installation: Instructions to install Avira AntiVir MailGate on your system.
For improved legibility and clear marking, the following types of emphasis are also used in the text:

Emphasis in text: Explanation
Ctrl+Alt: Key or key combination
/usr/lib/AntiVir/avmailgate: Path and file name
ls /usr/lib/AntiVir: User entries
Choose component, Select all: Elements of the software interface such as menu items, window titles and buttons in dialog windows
http://www.avira.com: URLs
Signs and Symbols – Page 4: Cross-reference within the document

1.
2 Product Information

Email file transfer is a natural part of modern communication and we can no longer imagine everyday life without it. However, emails frequently also transport viruses or unwanted programs. Many of these viruses/unwanted programs were conceived especially to attack Windows operating systems. But it must be considered that there is also a danger for Open Source systems, because UNIX mail servers also transport malware.
2.1 Features

Avira AntiVir MailGate supports a variety of configuration settings to ensure that you have control of the email traffic on your system.
2.2 Modules and Operating Mode of Avira AntiVir MailGate

Avira AntiVir MailGate is an SMTP scanner, which scans all incoming and outgoing emails, including attachments, on your UNIX mail server for viruses/unwanted programs (see figure below). The program has a high scanning speed and is easy to configure. Apart from SMTP, Avira AntiVir MailGate supports the Sendmail Milter interface.
Warnings: The postmaster receives an email containing detailed alerts when viruses, unwanted programs or suspicious files are detected. The alerts can also be sent to the sender and recipient of the email. The program contains alert templates that you can adjust and use.

Updater: Avira Updater downloads current updates from the AntiVir web servers and installs them at regular intervals, manually or automatically. It can also send update notifications by email.
The license file must have the suffix .key (case insensitive). The new scanner backend (savapi) does not display information about the license file when called with --version.

2.
3 Milter Mode

3.1 Overview

AntiVir Milter has been a stand-alone product up to now. The product has been available only for Sendmail, using the Sendmail Milter interface. Now, the Milter functionality is integrated in MailGate. In order to start MailGate in Milter mode, the option ListenAddress in avmailgate.
3.2 AntiVir MailGate (Milter Mode) Features

AntiVir MailGate (Milter mode) is a plug-in for Sendmail, starting with version 8.11, and communicates through Sendmail’s libmilter interface. It scans all incoming and outgoing emails. Infected emails are not forwarded. A status notification is shown in syslog. It can notify senders, recipients and administrators of infections.

Functions 3.3 Most of these features also apply to MailGate, even when it is not running in Milter mode.
Directly modify sendmail.cf
▶ Insert the following two lines in the configuration file sendmail.
4 Installation

You can find the current version of AntiVir MailGate on the Avira website. AntiVir is supplied as a packed archive. You can install the program on your system using the install script.

Requirements
You have to be logged in as root in order to install AntiVir MailGate. You also need an MTA (Sendmail, Postfix, Exim, Qmail etc.) available on your system. We cannot provide support for problems that do not directly concern AntiVir MailGate.
4.1 Preparing the Installation Files

Downloading program files from the Internet
▶ Download the current files from our website http://www.avira.com to your local computer. The file name is antivir-mailgate-prof-.tar.gz
▶ Copy the file to a directory of your choice on the computer on which you want to install AntiVir MailGate. For example, in /tmp.
4.3 Installation with the Installation Script "install"

The install script performs the installation of AntiVir MailGate automatically.
The AntiVir Engine is being installed. Then the script asks for the path to the license file:

    creating /usr/lib/AntiVir ... done
    1) installing AntiVir Core Components (Engine, Savapi and Avupdate)
    copying ...
    Enter the path to your key file []

▶ Type the path to the license file and press Enter
– OR –
If you want to copy the license file later, just press Enter.

The next step is installing the automatic Internet Updater.
▶ Confirm the default path with Enter or type another one.

The following questions regard the local and relayed hosts:

    Enter the hosts and/or domains that are local: []:

▶ Change the host name, if necessary, and press Enter.

The next question is:

    Enter the hosts and networks that are allowed to relay: [127.0.0.1/8 192.168.0.0/16]:

▶ Change the settings if necessary and press Enter.
▶ Finally, you can start AntiVir MailGate:

    /usr/lib/AntiVir/avmailgate start

Modified binaries will not run. For example, if binaries are prelinked: either disable prelinking or add /usr/lib/AntiVir as an excluded prelink path in /etc/prelink.conf.

Starting with version 3.0.0, a new scanner backend is used. Old scanner-specific configuration options that are not known to MailGate must be moved from /etc/avmailgate.conf to the scanner-specific configuration file /etc/avmailgate-scanner.
▶ Make the changes you need during installation procedure.

AntiVir MailGate is installed with the required settings.

Uninstalling AntiVir
You can use the uninstall script, located in the temporary AntiVir directory, to remove Avira AntiVir MailGate. The syntax is:

    uninstall [--product=productname] [--no-interactive] [--force] [--version] [--help]

where productname is Mailgate.

▶ Open the AntiVir directory:

    cd /usr/lib/AntiVir

▶ Type: .
• Content Filter Proxy mode

AntiVir MailGate configuration:
▶ Modify (or add) the following entries in avmailgate.conf:

    ListenAddress 127.0.0.1 port 10024
    ForwardTo SMTP: 127.0.0.1 port 10025

▶ Restart AntiVir MailGate.

Exim configuration:
▶ Modify (or add) the following entries in exim.conf:

    # Listen on all interfaces on port 25
    # and on 127.0.0.1 port 10025
    local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025

Add router entry:
▶ Search for the entry begin router in exim.
▶ Restart AntiVir MailGate.

Exim configuration:
▶ Modify (or add) the following entries in exim.conf:

    daemon_smtp_port = 825

▶ Restart Exim.

Configuring Qmail
A plugin for Qmail is available, for better integration of AntiVir MailGate into Qmail. Please contact support@avira.com for details.

There are two ways to integrate AntiVir MailGate with Qmail:
• Sendmail wrapper
• Backdoor mechanism

Replace SMTP with SMTP-Backdoor only in the run file.
▶ Change these entries as below:

    # ForwardTo /usr/sbin/sendmail -oem -oi
    # Or if you want the mail to be sent by SMTP
    ForwardTo SMTP: localhost port smtp-backdoor

If you use inetd with Qmail:
▶ Insert the following line in inetd.conf (one line!):

    smtp-backdoor stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/qmail-smtpd

If you use tcpwrapper with Qmail:
▶ Change the Qmail port in /var/qmail/supervise/qmail-smtpd/run.
▶ Change these entries as below:

    # Select how mail should be forwarded.
    # Send mail by piping it thru sendmail (this is the default)
    # ForwardTo /usr/sbin/sendmail -oem -oi
    # Or if you want the mail to be sent by SMTP
    ForwardTo SMTP: localhost port smtp-backdoor
    # The location of the scanner's socket.
    # MailGate connects to this socket to perform scan requests.
Listen on port 25
▶ Look in master.cf for:

    smtp inet n - n - - smtpd

▶ Comment it out:

    # smtp inet n - n - - smtpd

It prevents Postfix from listening on SMTP port. SMTP daemon can listen on this port. Emails forwarded by the SMTP daemon will be processed by the Sendmail wrapper /usr/lib/sendmail (delivered by Postfix).

▶ Restart Postfix:

    /etc/init.d/postfix restart

or

    /etc/init.d/postfix reload

4.
5 Configuration

You can adjust AntiVir MailGate for optimum performance on your system. During installation with the install script, some of the settings are suggested and you can make changes at any time. In this section, you will be guided step by step through the configuration process. It contains the following sections:
• MailGate Spool Directories – Page 27
• MailGate Configuration in avmailgate.
5.1 MailGate Spool Directories

AntiVir MailGate isolates infected emails in "quarantine". Depending on the configuration, a message about the detection of a virus/unwanted program is sent to postmaster and/or the sender and/or recipient of the email. These parameters can be set in the file avmailgate.conf (see MailGate Configuration in avmailgate.conf – Page 28).
Spool files processing
If there is a virus/unwanted program detection, the directory /var/spool/avmailgate/rejected/ contains:
• df-file
• vf-file or mf-file

These files can be processed by external programs or scripts, such as those set by the ExternalProgram parameter (see MailGate Configuration in avmailgate.conf – Page 28). If no virus/unwanted program is detected, data files and control files are deleted after scanning and sending the email.

5.
MyHostName
Host name: FQDN (Fully Qualified Domain Name) of the local host. If not set, the default setting is given by gethostname(2). Otherwise, the default is:

    MyHostName localhost

SpoolDir
Spool directory: Emails are kept in the sub-directories incoming, rejected and outgoing while being processed. The spool directory must belong to the user defined under User and the associated Group and must only be accessible to this user (mode=700).
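The ownership and mode requirement for SpoolDir can be checked with a short script. The following is an added example, not part of the original manual or of the product; the function names are hypothetical, and the user and group are passed in by the caller because their configured values are not shown here.

```python
import grp
import os
import pwd
import stat

# Sub-directories of the spool directory named in the manual.
SUBDIRS = ("incoming", "rejected", "outgoing")


def to_uid(user):
    """Accept a numeric uid or a user name."""
    return user if isinstance(user, int) else pwd.getpwnam(user).pw_uid


def to_gid(group):
    """Accept a numeric gid or a group name."""
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def audit_spool_dir(path, user, group):
    """Return a list of findings; an empty list means the directory complies.

    Checks what the manual requires of SpoolDir: owned by the configured
    User and Group, and mode 700. As an added check (assumption), existing
    sub-directories must be owned by the same user.
    """
    uid, gid = to_uid(user), to_gid(group)
    st = os.lstat(path)  # lstat, so a symlinked spool directory is reported
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a real directory" % path]

    findings = []
    if st.st_uid != uid:
        findings.append("%s owner uid is %d, expected %d"
                        % (path, st.st_uid, uid))
    if st.st_gid != gid:
        findings.append("%s group gid is %d, expected %d"
                        % (path, st.st_gid, gid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        findings.append("%s mode is %o, expected 700" % (path, mode))

    for name in SUBDIRS:
        sub = os.path.join(path, name)
        if os.path.lexists(sub) and os.lstat(sub).st_uid != uid:
            findings.append("%s is not owned by uid %d" % (sub, uid))
    return findings


if __name__ == "__main__":
    # Hypothetical invocation: path from the manual, user and group assumed.
    for finding in audit_spool_dir("/var/spool/avmailgate", "uucp", "antivir"):
        print(finding)
```
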
PidDir
PID directory: This directory saves the PID files for MailGate’s main processes. You must stop AntiVir MailGate before changing this parameter.

    PidDir /var/tmp

SyslogFacility
Syslog facility: It sets the log category that Syslog should apply for MailGate messages.

    SyslogFacility mail

LogFile
Logfile: It must contain the full path to the log file. Apart from the log file, entries will also be sent to syslog. If LogFile is set to NO (default), no log file is used.
MaxMessageSize
Maximum message size (not in milter mode): A value greater than 0 means that only emails up to the given size are scanned. Larger emails are rejected. If the value is 0, all messages of any size are scanned. e.g.: 4KB, 3MB, 2GB.

    MaxMessageSize 0

MinFree Blocks
Minimum free system space (not in milter mode): AntiVir MailGate refuses incoming connections if the free hard disk space is smaller than the given value.
hostA,@hostB:user@hostC
If source routing is allowed, the email is sent to hostA, otherwise to hostC.

    InEnvelopeAddressesBangIs REFUSED

InEnvelope Addresses PercentIs
Percent sign in envelope address (not in milter mode): If REFUSED is set and a '%' sign is in the recipient's address, the message is rejected. If IGNORED is set, '%' is treated as a normal sign in the address. If INTERPRETED is set, the recipient's address is transformed into RFC821 standard form.
According to the result, the procedures are:
• if there is no match in the first list, the next list is checked.
• if there is no match in the second list either, the email is scanned.
• if there is a match in the ignore list, the email is not scanned.
• if there is a match in the scan list, the email is scanned.

The email addresses must be given as Perl-compatible regular expressions, such as:

    /abc/
    /^abc/
    /xyz/i
    /^abc@def\.tld/

Example: /etc/avmailgate.
command (not in milter mode).

    SMTPHeloTimeout 300

SMTPMailFromTimeout
Defines the maximum timeout, in seconds, for receiving a reply to the MAIL FROM command (not in milter mode).

    SMTPMailFromTimeout 300

SMTPRcptTimeout
Defines the maximum timeout, in seconds, for receiving a reply to the RCPT TO command (not in milter mode).

    SMTPRcptTimeout 300

SMTP Data Timeout
Defines the maximum timeout, in seconds, for receiving a reply to the DATA command (not in milter mode).
requests.

    ScannerListenAddress /var/run/avmailgate/scanner

If you modify this parameter, you must also set the same value for ListenAddress in /etc/avmailgate-scanner.conf. See Scanner Configuration in avmailgate-scanner.conf – Page 46

Max Attachments
Maximum number of email attachments (MIME): Defines the maximum number of attachments for a single MIME email.

Block Suspicious Mime
Block Fragmented Message
BlockPartial Archive
Block Extensions
Expose SenderAlerts
Sending alerts to senders of the emails concerned: You can send alerts about viruses and unwanted programs to senders. The available values are:
• NO: the sender will receive no virus alert.
• LOCAL: alert messages are sent only if the sender is a local user in your domain. Set the option in avmailgate.acl to local (not in milter mode).
• YES: the sender always receives virus alerts for the emails concerned.
If the setting is YES, non-MIME emails are transformed into MIME emails.

    ForwardAllEmailAsMIME NO

ScanInArchive
Scan in archives: If the setting is NO, the archives are not scanned for viruses/unwanted programs. If the setting is YES, all files in archives are unpacked and scanned, depending on the settings for ArchiveMaxSize, ArchiveMaxRecursion and ArchiveMaxRatio.
BlockEncryptedArchive
Blocking emails with password-protected archives: If the setting is YES, emails containing password-protected files in archives are rejected. If NO is set, emails containing encrypted archives are also delivered.

    BlockEncryptedArchive NO

Detect...
Detection of other types of unwanted programs: Besides viruses, there are some other types of harmful or unwanted software, described in avmailgate.conf.
QuarantineAlert
Sending alert emails to quarantine (available only in Milter mode): If QuarantineAlert is YES and RejectAlertMail is YES, an email containing an alert will be rejected and the email will be quarantined. If QuarantineAlert is NO and RejectAlertMail is YES, the email will be rejected and not quarantined.

    QuarantineAlert YES

PollPeriod
Scanning queue: Sets the interval, in seconds, for the program to scan the email queue for viruses and malware.
BounceMessageUser
Recipient for email failure (not in milter mode): This is the user that receives email failure reports when an email cannot be sent by MTA.

    BounceMessageUser MAILER-DAEMON

Bounce Message SizeBody
Size of the email failure - mail body (not in milter mode): Sets the size in bytes from the original mail body, to be returned by bounce mail. The value 0 means no limit is set. e.g.: 4KB, 3MB, 2GB.
NotifyEndOfLicense
Information on license expiry date: Sends a message to postmaster, 30 days before license expiration date. The 0 value means no alert.

    NotifyEndOfLicense 30

Add Precedence Header
Adding precedence header: If the setting is YES, the following line is added in the headers: Precedence: junk. Programs that are set to respond automatically to incoming emails (e.g.: vacation) would not react to this report.

YES and NO entries can be replaced by specific text.
Options and parameters for spam filter

EnableSpamCheck
Activates/deactivates spam filter.

    EnableSpamCheck NO

SpamAction
Defines an action for spam mails: BLOCK, TAG, NONE.
• TAG inserts a header line into the email. For example:
  X-AntiVirus-Spam-Check: clean (checked by Avira MailGate: version: 2.1.3-0; spam filter version: 2.0.5/0.2; host: host.your.site)
• BLOCK puts the mail into the "rejected" directory.
• NONE disables any action for spam mail.
this file can be used as a black and white list for the spam filter. Each list consists of an address, given as regular expression. E.g.:

    /^someone@somewhere\.tld$/i blacklist

The above example treats emails from someone@somewhere.tld as spam, independently of the spam check result. "blacklist" is the action for the given address.

For Avira MailGate v 2.1.3, a match in this list concerns all recipients even if the mail was sent to recipients that are not listed. E. g. (in asmailgate.
Another example:
• in /etc/avmailgate.conf:

    DangerousAttachmentAction TAG
    DangerousIFrameAction TAG

• in /etc/asmailgate.except:

    /^me@here\.tld$/i r !tag_dangerous_attachment !tag_dangerous_iframe

Don't tag DangerousAttachment and DangerousIFrame mails.

A "DangerousOutbreak" has a higher priority than the black- and whitelisting. If a "DangerousOutbreak" was detected, no check for black- and whitelistings will be performed.
SpamFilter ModifySubject
Inserts the spam check result into the "Subject:" header line:

    Subject: [spamcheck: spam] this is the original subject text

This is the default message. It can be overridden using a template: "spamfiltersubjects". This template allows you to specify a string for each spam check result. The string for the corresponding spam check result will be used as a replacement for the "Subject:" header line. A sample template is installed to /usr/lib/AntiVir/templates/examples.
5.4 Scanner Configuration in avmailgate-scanner.conf

A new configuration file has been introduced, starting with MailGate v 3.0.0: avmailgate-scanner.conf. It contains configuration options specific to the new scanner backend. Usually, you don't have to change the options in this file, but there might be a few exceptions.

User, Group
If you change one of these options, you have to make sure that the files avmailgate-scanner.conf and avmailgate.conf contain the same values for these options.
    UseSavapiProxy 0

PoolScanners
The number of AntiVir scanners set in the pool. Default:

    PoolScanners 24

PoolConnections
The maximum number of simultaneous connections MailGate allows to the scanner pool. Default:

    PoolConnections 128

Syslog Facility
It sets the log category that Syslog should apply for Scanner messages.

ReportLevel
▶ Set which hosts and networks may send emails. For example:

    relay: 127.0.0.1/8 192.168.0.0/16

IP addresses
You can specify IP addresses in various ways:

    192.168.0.0/16
or
    192.168

Both have the same meaning. /16 means 16 bit and signifies the first two numbers of the IP address. Therefore, all IP addresses starting with 192.168 are allowed.

Example for /etc/avmailgate.acl:

    # Access lists for AVIRA MailGate
    # These hosts and/or domains are local.
    local: localhost 127.0.0.1
    local: avira.
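To review which clients a relay list actually admits, the entries can be expanded and tested offline. The following is an added example, not code from the manual or the product: the ACL text is a constructed sample, the function names are hypothetical, and it assumes that the short form generalises to 8 prefix bits per octet given (the manual only shows 192.168) and that `#` starts a comment.

```python
import ipaddress

# Constructed sample in the format of the manual's avmailgate.acl example.
SAMPLE_ACL = """\
# Access lists for AVIRA MailGate
local: localhost 127.0.0.1
relay: 127.0.0.1/8 192.168.0.0/16
relay: 10.1 mail.example.test
"""

# Loopback and RFC 1918 ranges: relay entries inside these are internal.
INTERNAL = [ipaddress.IPv4Network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_network(token):
    """Convert one ACL token to an IPv4 network.

    Handles CIDR notation (host bits are masked, so 127.0.0.1/8 becomes
    127.0.0.0/8) and the short form, where "192.168" means 192.168.0.0/16.
    Assumption: each octet given in the short form adds 8 prefix bits.
    """
    if "/" in token:
        return ipaddress.IPv4Network(token, strict=False)
    octets = token.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError("not an IPv4 address or prefix: %r" % token)
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(
        "%s/%d" % (".".join(padded), 8 * len(octets)), strict=False)


def relay_networks(acl_text):
    """Return (networks, other_tokens) collected from all 'relay:' lines."""
    networks, other = [], []
    for line in acl_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("relay:"):
            continue
        for token in line[len("relay:"):].split():
            try:
                networks.append(parse_network(token))
            except ValueError:
                other.append(token)  # host or domain name, not an IP range
    return networks, other


def may_relay(client_ip, networks):
    """True if client_ip falls inside any relay network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def external_relay_entries(networks):
    """Relay networks not contained in a loopback or private range.

    Added audit heuristic: such entries let hosts outside the internal
    address space relay and deserve a second look.
    """
    return [net for net in networks
            if not any(net.subnet_of(internal) for internal in INTERNAL)]


if __name__ == "__main__":
    nets, names = relay_networks(SAMPLE_ACL)
    print("relay networks:", [str(n) for n in nets])
    print("non-IP entries:", names)
    print("entries to review:", [str(n) for n in external_relay_entries(nets)])
```
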
Keywords Avira GmbH
▶ Copy the example templates in the required language from the templates directory /usr/lib/AntiVir/templates/examples// in the directory /usr/lib/AntiVir/templates.
▶ Change the directory to /usr/lib/AntiVir/templates. This directory contains the following files:

    patho-administrator
    patho-recipient
    patho-sender
    alert-administrator
    alert-recipient
    alert-sender

▶ Write the texts you need in the files listed above.
Configuration Example for alert-sender Avira GmbH SUBJECT: AntiVir ALARM [Your email: "SUBJECT"] **********************AntiVir ALARM******************* AntiVir has discovered the following in the email sent from your address: ALERTS This email has not been sent, but isolated on your server. Please scan your system immediately for possible virus infection. Clean your system before sending any more email messages.
5.8 Updater Configuration in avupdate.conf

Updates ensure that AntiVir MailGate components (MailGate, scanner, VDF and engine), which provide security against viruses or unwanted programs, are always kept up to date. With Avira Updater you can update Avira software on your computers, using Avira update servers. To configure the update process, use the options in /etc/avira/avupdate.conf described below. All parameters from avupdate.conf can be passed to the Updater via command line.
• 1 - email notifications are sent in case of "successful update", "unsuccessful update", or "up to date".
• 2 - email notification only in case of "unsuccessful update".
• 3 - email notification only in case of "successful update" (default).

    notify-when=

email-to
The recipient of notification emails.

    email-to=

Logfile settings

log
Specify a full path with a filename to which AntiVir Updater will write its log messages.

    log=/var/log/avupdate.
6 Operation

After concluding installation and configuration and when AntiVir MailGate is running, MailGate guarantees continuous monitoring of your system. During operation you might have to make occasional changes in settings, as described in Configuration – Page 26. In some cases, it may be necessary to operate AntiVir MailGate manually or to process the emails filtered by AntiVir MailGate manually.
Starting AntiVir MailGate
▶ Type:

    /usr/lib/AntiVir/avmailgate start

The program starts with the following message:

    Starting AVIRA AntiVir MailGate...
    Starting savapi

Stopping AntiVir MailGate
▶ Type:

    /usr/lib/AntiVir/avmailgate stop

The program stops with the following message:

    Stopping AVIRA AntiVir MailGate...
    Stopping: avmailgate.bin
    Shutting down Avira MailGate...
    Stopping: savapi

Restarting AntiVir MailGate
This is used, for example, after making changes in configuration scripts.
6.2 Parameters for SMTP and Scanner Daemon

The following tables describe the possible command line parameters that overrule avmailgate.conf settings.

Syntax:

    avmailgate.bin [-V|--version] [-i] [-C config-file] [-D debug-level] [--stop] [--status] [--avq]

Parameters for avmailgate.bin

Parameter: Description
-V or --version: Displays the version number
-C config-file: Defines an alternative configuration file instead of /etc/avmailgate.
6.3 Queue Manager avq

The Queue Manager avq is integrated in avmailgate.bin. The Queue Manager enables manipulation of the AntiVir MailGate spool directory /var/spool/avmailgate/ and its sub-directories. Here you can see and modify the status of the pending emails (see MailGate Spool Directories – Page 27).

Email status in queue
▶ Type:

    /usr/lib/AntiVir/avmailgate.bin --avq

The status for all emails in the queue is displayed. In the first row you will see the name of the displayed queue.
You can control the outcome with the following parameters after --avq (the Help provides more parameters, which you can call with --avq --help). You can apply the following parameters to the outcome:

Parameter: Description
--queue=incoming: Lists the emails in the incoming queue
--queue=outgoing: Lists the emails in the outgoing queue
--list=all: Lists all queues
--type=: Lists all rejected emails of the specific type.
▶ Type the command (where is the ID of the infected email):

    /usr/lib/AntiVir/avmailgate.bin --avq --remove=

The email is deleted from the queue. You can use the following parameters when deleting:

Parameter: Description
--remove=: Deletes the email with the given ID.
--remove=all: Deletes all emails. Before deleting, an alert appears to confirm the action.
--flush: Immediately empties the incoming and outgoing queue.
6.4 Procedures when Detecting Viruses/Unwanted Programs

If configured correctly, AntiVir MailGate has already automatically carried out all important antivirus tasks on your system:
• Infected emails are not forwarded.
• Infected emails are moved to /var/spool/avmailgate/rejected (or to another directory, specified in avmailgate.conf), where data file (df-) and control file (vf- or mf-) are located. For further information, see MailGate Spool Directories – Page 27.
7 Updates

With Avira Updater you can update Avira software on your computers, using Avira update servers. The program can be configured either by editing the configuration file (see 5.8 Updater Configuration in avupdate.conf), or by using parameters in the command line.

It is recommended to run the Updater as root. If the Updater does not run as root, it does not have the necessary rights to restart AntiVir daemons, so the restart has to be made manually, as root.
As [product], you can use:
• Scanner - (recommended) to update the scanner, engine and vdf files.
• MailGate - complete update (MailGate, scanner, engine and vdf files).

▶ Start the update process to test the settings:

    /usr/lib/AntiVir/avupdate --product=[product]

where [product] takes the same values as above.

If successful, a report will appear in the logfile /var/log/avupdate.
8 Service

8.1 Support

Support Service
Our website http://www.avira.com contains all the necessary information on our extensive support service. The expertise and experience of our developers is available to you. The experts from Avira answer your questions and help you with difficult technical problems. During the first 30 days after you have purchased a license, you can use our AntiVir Installation Support by phone, email or by online form.
8.3 Contact Address

Avira GmbH
Lindauer Strasse 21
D-88069 Tettnang
Germany

Internet
You can find further information on us and our products by visiting http://www.avira.com.
9 Appendix

9.1 Glossary

Term: Meaning
cron (daemon): A daemon which starts other programs at specified times.
Daemon: A background process for administration on UNIX systems. On average, there are about a dozen daemons running on a computer. These processes usually start up and shut down with the computer.
Demo version: Without a license file, Avira AntiVir MailGate runs as a demo version. An Avira banner is inserted in every email.
Term: Meaning
syslog daemon
Unwanted programs: The name for programs that do not directly harm the computer, but are not wanted by the user or administrator or have been installed without their consent. These can be backdoors (BDC), dialers, jokes and games.
VDF (Virus Definition File): A file with known signatures for viruses and unwanted programs. In many cases it is sufficient for an update to load the most recent version of this file.

9.
9.3 Golden Rules for Protection Against Viruses

▶ Always keep boot floppy disks for your network server and for your workstations.
▶ Always remove floppy disks from the drive after finishing work. Even if they have no executable programs, disks can contain program code in the boot sector and these can serve to carry boot sector viruses.
▶ Regularly back up your files.
▶ Limit program exchange: particularly with other networks, mailboxes, Internet and acquaintances.
Avira AntiVir MailGate | Avira AntiVir MailGate Suite Avira GmbH Lindauer Str. 21 88069 Tettnang Germany Telephone: +49 (0) 7542-500 0 Fax: +49 (0) 7542-525 10 Internet: http://www.avira.com © Avira GmbH. All rights reserved. This manual was created with great care. However, errors in design and contents cannot be excluded. The reproduction of this publication or parts thereof in any form is prohibited without previous written consent from Avira GmbH. Errors and technical subject to change.