SAVASM - SpamAssassin Virtual Appliance [v 0.1.8]
Last post 01-06-2009 12:03 PM by GrZeCh. 297 replies.
02-01-2007 7:16 AM
someone_else


- Joined on 04-27-2006
- 404
- Posts 509
SAVASM - SpamAssassin Virtual Appliance for SmarterMail

A virtual machine image with a trimmed down Linux and SpamAssassin with ClamAV, Razor, DCC and other plugins. Installed, configured, and ready to use. Easy administration using a web interface. No Linux knowledge needed. Really turnkey.

includes:
- CentOS 4.6 (Linux kernel 2.6.9-67.0.1.EL)
- Webmin 1.390
- SpamAssassin 3.2.4
- ClamAV 0.92
- Razor 2.84
- DCC 1.3.80

requires:
- VMWare Server or Player
- a minimum of 2.5 GB of free disk space
- 256 MB RAM free (can be changed using the VMWare Server Console)

download:
SAVASM VMW version 0.1.8 (released 2008/01/08) .zip archive (1.08 GB) [ mirror 1 :: mirror 2 ]

installation instructions:
- extract the contents of the 'SAVASM.zip' (or .7z) archive to your 'Virtual Machines' folder
- read the included 'readme.txt' file for further instructions

notes:
Basically, all you need to do to get SAVASM up and running is:
- extract the archive
- import the virtual machine image into VMWare Server
- set the SAVASM network settings (to assign a static IP)
- that's it
Administration can be done via a web interface, by connecting to https://savasmIP:10000
___________________
related topics and posts:
- old thread about SAVASM
SmarterMail extensions: DKeyEvent SM - DomainKeys/DKIM SAVASM - SpamAssassin Virtual Appliance
jcosta


- Joined on 02-14-2005
- Posts 29
|
Re: SAVASM - SpamAssassin Virtual Appliance [v 0.1.2]
someone,
This really is awesome work and I am sure it is appreciated by a lot of people. I am installing VMWare, SAVASM and a single domain copy of SM4 on a test box to get a feel for it before putting it on my development box. I am a complete newb when it comes to Linux. I have been using Windows server my entire life. My mail server is only a 1.7 with 1 GIG of ram but my SQL Server is a 3.4 with 4 GIGs of ram so I was going to install SAVASM on my sql box. My only question is how is the security of the SAVASM install if I give it a public IP? I know windows security inside and out but will I have any holes by installing this on my SQL Server box? Since my experience on Linux is limited I am going to take a leap and rely on the feedback from you and all the others who have implemented this solution.
Thanks again!
someone_else


- Joined on 04-27-2006
- 404
- Posts 509
|
Any increase in the surface of attack will inevitably mean an increase in security risks; this is the main reason why I generally recommend that a dedicated server like SAVASM be kept on a private network instead of an exposed IP. Now general considerations aside, I think SAVASM is by default quite secure. It is running a solid Linux kernel with auto-updating enabled, and I have taken several steps to ensure that its attack surface is minimized, and that it is as locked down as a generic turnkey solution will allow. This does not mean, however, that it cannot be locked down even further; it can, and if you have the knowledge to do it, I recommend you do. A server can never be too secure.
Should you be worried about putting a default SAVASM on a private network? No. Should you be worried about putting a default SAVASM on the internet? A bit, yes. But you can fix that. The main issue with exposing SAVASM on the internet is its main attack surface: SSH and Webmin. These can obviously be targeted by dictionary attacks and other brute force tactics. The solution to this is simple enough: restrict allowed access to SSH and Webmin, or put them on non standard ports. Or both. I never run those two on their default ports, and strongly recommend that others follow this advice: use ports that only you know. This significantly reduces the attack surface of SAVASM, and consequently gives you more peace of mind. Remember that SAVASM has a built-in firewall, so a SAVASM with non-standard (SSH and Webmin) ports is roughly as safe as one kept on a private network.
WebPlus


- Joined on 03-07-2006
- Brazil
- Posts 133
|
I need to run SAVASM on the internet because I have 2 other servers that scan their messages on SAVASM, so these servers need to access SAVASM on a public IP address.
But I have a Cisco Firewall connected to it, and I've allowed only my company IP Address to access Webmin and other services, and only my 3 mail servers can access the Spamassassin port. This way, I believe I'm protected.
jcosta


- Joined on 02-14-2005
- Posts 29
|
If I use the SM 4 interface to configure my VMWare server and don't use SMSpamC will it check mail that is forwarded from an alias or a user?
Got SAVASM up and running after I figured out I had to enable SA in the spam checks section - DUH!
Is DCC enabled on SAVASM by default?
Also when I try to use Clamd on SAVASM I get this error. Any idea? Should I just use the one built into SM 4?
18:22:06 [07001] Unable to run Clam virus checks: System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) at System.Net.Sockets.Socket.Connect(EndPoint remoteEP) at SmarterTools.SmarterMail.MailStore.Spam1.ClamDClient.Check()
I also have one final question. How are the weights determined by the default installation SA on SAVASM?
Thanks!
someone_else


- Joined on 04-27-2006
- 404
- Posts 509
|
jcosta: If I use the SM 4 interface to configure my VMWare server and don't use SMSpamC will it check mail that is forwarded from an alias or a user?
No idea. You'd have to ask SmarterTools people.
jcosta: Is DCC enabled on SAVASM by default?
Yes.
jcosta: Also when I try to use Clamd on SAVASM I get this error. ... Should I just use the one built into SM 4?
The built-in Clam 'client' in SmarterMail 4 is not a ClamD client; it only works with local ClamAV installations. Remember, though, that ClamAV is also enabled in SAVASM, so if you use the one in SmarterMail, you'll be basically scanning mail twice. You should then disable one of them.
jcosta: I also have one final question. How are the weights determined by the default installation SA on SAVASM?
The SpamAssassin rules in a default SAVASM installation will use default scores.
eclipsewebs


- Joined on 03-26-2006
- Greenville, SC
- Posts 4
|
jcosta:
Also when I try to use Clamd on SAVASM I get this error. Any idea? Should I just use the one built into SM 4?
18:22:06 [07001] Unable to run Clam virus checks: System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) at System.Net.Sockets.Socket.Connect(EndPoint remoteEP) at SmarterTools.SmarterMail.MailStore.Spam1.ClamDClient.Check()
I was also getting this issue. It turns out that the 0.1.2 release of SAVASM has the wrong port enabled on the firewall for ClamAV. It has 3301 setup not 3310 (or maybe the other way around, can't remember off the top of my head). You just need to log into webmin and go to the firewall page and change it to match the right port. Maybe someone_else can get this fixed, if not it is that simple to change.
I will say that I have tested this and will be implementing it on 2 servers and have been happy with it.
jcosta


- Joined on 02-14-2005
- Posts 29
|
eclipsewebs thanks for the response. I saw the port was different from the default but I just assumed everyone had changed it and knowing SILZTCH / NADA about Linux I didn't know how to check it.
When you enable it through smartermail to use SAVASM did you just disable the ClamAV and SpamAssassin services on the mail server or did you uninstall them? When I installed smartermail it just asked if I wanted to use those services and not really if I wanted to install them. It seems it installs them even if you choose not to use them.
Last questions for today :)! When you use the ClamAV on SAVASM does it send the entire email and attachment to the SAVASM server, scan it for viruses, strip out the attachment and then return the email to smartermail? Sorry for the dumb questions but until I get a better understanding of Linux I just have no clue where to look for the configuration files of some of these services. I am using ClamD on SM3 right now as a service and I know where all the settings for that are since I set it up and know windows!
Is there an advantage to using the ClamAV service on SAVASM instead of the one built into SM4?
Thanks again!
ST-JLance


- Joined on 05-24-2005
- Phoenix, AZ
- Posts 4,279
|
As of right now, using the ClamAV integration in SmarterMail does not support remote scanning of files. SmarterMail just connects to Clam and says "SCAN xxx" where xxx is a filename. Since that filename doesn't exist on the remote server it doesn't work. We have just added an option to use the "STREAM" command in Clam where SmarterMail will actually send the entire file to the remote server, which will then scan it. Additionally, that option will prevent clamd.exe from running locally, as well. However, the STREAM command makes Clam open up a random port from 1024+, so it may cause problems with firewalls.
That will be in the next minor release, which will most likely occur early next week. As for any advantages either way, it depends. Clam is pretty fast and doesn't use much CPU, so it's generally fine to run it locally. However, if you are hurting for cpu/ram, running it remote would free a bit up.
James Lance SmarterTools
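The two-connection STREAM exchange described in the post above, modelled over loopback as an added example (not SmarterMail or ClamAV code). The server is a constructed mock, MARKER is a made-up pattern, and the `PORT <n>` and `stream: ...` lines follow clamd's legacy STREAM command.

```python
import socket
import threading

MARKER = b"CONSTRUCTED-TEST-PATTERN"   # stand-in for a signature match

def mock_clamd(ctrl_listener):
    """Toy clamd: serves one legacy STREAM session, then returns."""
    ctrl, _ = ctrl_listener.accept()
    with ctrl:
        if ctrl.recv(64).strip() != b"STREAM":
            ctrl.sendall(b"UNKNOWN COMMAND\n")
            return
        # The data channel is a second listener on an OS-chosen port.
        with socket.create_server(("127.0.0.1", 0)) as data_listener:
            ctrl.sendall(b"PORT %d\n" % data_listener.getsockname()[1])
            data, _ = data_listener.accept()
            with data:
                body = b""
                while chunk := data.recv(4096):
                    body += chunk
        verdict = b"Constructed.Test FOUND" if MARKER in body else b"OK"
        ctrl.sendall(b"stream: " + verdict + b"\n")

def stream_scan(host, ctrl_port, payload):
    """Client side: send the bytes themselves instead of a file name."""
    with socket.create_connection((host, ctrl_port), timeout=5) as ctrl:
        ctrl.sendall(b"STREAM\n")
        reply = ctrl.recv(64).split()
        if len(reply) != 2 or reply[0] != b"PORT":
            raise RuntimeError("unexpected reply: %r" % reply)
        data_port = int(reply[1])
        # A firewall that only admits the control port drops this connect.
        with socket.create_connection((host, data_port), timeout=5) as data:
            data.sendall(payload)
        return data_port, ctrl.recv(256).decode().strip()

def demo(payload):
    """Run one scan against the mock over loopback."""
    with socket.create_server(("127.0.0.1", 0)) as listener:  # real clamd: 3310
        server = threading.Thread(target=mock_clamd, args=(listener,))
        server.start()
        ctrl_port = listener.getsockname()[1]
        result = stream_scan("127.0.0.1", ctrl_port, payload)
        server.join()
    return ctrl_port, result

if __name__ == "__main__":
    print(demo(b"ordinary attachment bytes"))
```

The data port differs on every run, which is why a rule that opens only the clamd port is not enough for STREAM.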
someone_else


- Joined on 04-27-2006
- 404
- Posts 509
|
Eclipse is right about the ClamAV port issue in SAVASM; it was an error on my part which went unnoticed since the ClamAV functionality in SAVASM does not really require its port to be open to outside connections. In SAVASM, ClamAV is integrated as a SpamAssassin plugin, so when the SpamAssassin daemon receives a message, it will also pass it to clamd for inspection; if Clam finds a virus, a score of 10 (by default) is added to the SpamAssassin score. Of course, when using ClamAV this way, a virus is still passed on in the message, and it is up to the client side to eventually delete it (based on the 'X-Spam-Virus' header, which, unfortunately, the built-in SA client in SM4 does not retain). If you want to use an external ClamD client, I recommend you disable the ClamAV SpamAssassin plugin in SAVASM by simply deleting (or moving) the 'clamav.cf' and 'clamav.pm' files from /etc/mail/spamassassin/ (and then restarting spamd).
An updated version of SAVASM which fixes the ClamAV port/firewall issue will be made available in the next couple of days, but until then, you can fix this yourselves, as Eclipse indicated, by using the 'Networking' -> 'Linux Firewall' menu in Webmin, and editing the rule about port 3301 to port 3310.
answerman


- Joined on 12-12-2006
- Posts 117
|
I seem to have run into a wall in my setup, and I am not sure where the problem is. I installed VMware server, and then SAVASM per the readme. I can't seem to get to the config via browser, however... and I am unclear as to how to configure the network settings. When I do "ifconfig" eth0 appears to be located at 192.168.2.1 (which is the IP I *think* I assigned in the network setup) but browsing via port 10000 gets me a "timed out" message in Firefox. Obviously I am missing something easy, but I am stuck. Not a Linux guy at all. Any ideas? Plus, as long as I am asking, what do I enter for an IP in SmarterMail once I do have this configured? Is it the internal IP 192.168.2.1 (assuming that is the correct address once I get this network stuff straightened out)? I am sure I will have more questions.... bear with me, I am a quick learner. My MCSE cert doesn't seem to be doing me much good in the virtual Linux world... 
someone_else


- Joined on 04-27-2006
- 404
- Posts 509
|
answerman: I seem to have run into a wall in my setup, and I am not sure where the problem is.
You'll need to make sure that your SAVASM network configuration is correct, and that it conforms to the way in which its virtual network adapter is mapped in VMWare. The VMWare Server documentation is not all that great when it comes to explaining network mapping, but you can find more information on their forums and on the internet. Basically, the first checkpoint in configuring your network is to make sure that you can ping the SAVASM IP from your SmarterMail server; if you can do that, then you can probably connect to the Webmin control panel* as well. Of course, once you can connect to Webmin, the final step is to make sure that SAVASM can connect to the internet (this is not mandatory, mind you, but it is recommended); you can check this by using commands like 'ping' or 'traceroute' on the SAVASM end.
* Remember to always use HTTPS when accessing the SAVASM Webmin URL.
answerman: what do I enter for an IP in SmarterMail once I do have this configured? Is it the internal IP 192.168.2.1 (assuming that is the correct address once I get this network stuff straightened out)?
Yes.
someone_else


- Joined on 04-27-2006
- 404
- Posts 509
|
SAVASM 0.1.3

changes in this version:
- added Webmin module to configure spamd startup parameters
- fixed ClamAV port not being open in firewall
- added denyhosts for SSH
- kernel 2.6.9-42.0.8.EL
- Webmin 1.320
- DCC 1.3.48

notes:
- The most notable change in this version is the inclusion of DenyHosts. This is a daemon that monitors SSH connection attempts, and automatically blocks access to a host after a specified number of failed logins (by default, the number is 5 for the root user). The purpose of this is obviously to reduce the risk of dictionary or brute force attacks on SSH, and for this, as of SAVASM 0.1.3, denyhosts is enabled by default. Now, if in your setup SSH is not exposed to the internet, or if you simply feel that you do not need the protection that denyhosts provides, you can disable it and save about 10 MB of memory. To do this, simply log in to Webmin, go to 'System', 'Bootup and Shutdown', and then click on the 'denyhosts' action to modify its startup behavior. Note that the main configuration file for denyhosts is /etc/denyhosts.conf so if you want to tweak its settings (perhaps to whitelist certain IPs) this is the file you want to edit. And remember to restart denyhosts (from the aforementioned Webmin menu) after any changes to its configuration file.
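A simplified model of the failed-login counting described in the post above, as an added example that is neither from the original post nor DenyHosts' own code. The log lines are constructed, the root threshold of 5 is the default quoted above, and the second threshold, the allow list handling and all function names are assumptions.

```python
import re
from collections import Counter

# The user name is chosen by the client, so anchor on the end of the line and
# let the greedy group absorb any "from ..." text embedded in the name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(.+) from (\S+) port \d+ ssh2$")

def hosts_to_block(lines, root_threshold=5, other_threshold=10, allow=()):
    """Return hosts in the order they cross a threshold.

    root_threshold=5 is the default the post quotes; other_threshold and the
    'block once the count reaches the limit' rule are assumptions.
    """
    counts, blocked = Counter(), []
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue                      # accepted logins, other daemons
        invalid, user, host = m.groups()
        if host in allow or host in blocked:
            continue
        kind = "root" if user == "root" and not invalid else "other"
        counts[host, kind] += 1
        limit = root_threshold if kind == "root" else other_threshold
        if counts[host, kind] >= limit:
            blocked.append(host)
    return blocked

def constructed_log():
    """Constructed sshd lines using documentation address ranges."""
    fmt = "Feb 13 10:%02d:00 savasm sshd[2101]: %s for %s from %s port 40001 ssh2"
    events = ([("Failed password", "root", "203.0.113.5")] * 5
              + [("Failed password", "root", "198.51.100.7")] * 4
              + [("Failed password", "root", "192.0.2.10")] * 6
              + [("Accepted password", "root", "192.0.2.10")]
              + [("Failed password", "invalid user admin", "203.0.113.9")] * 10)
    return [fmt % ((i,) + e) for i, e in enumerate(events)]

def hosts_deny_entries(lines, allow=("192.0.2.10",)):
    """Format the result the way a hosts.deny block for sshd is written."""
    return ["sshd: %s" % h for h in hosts_to_block(lines, allow=allow)]

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(constructed_log())))
```

Without the allow list, the administrator's own address (192.0.2.10 in the constructed log) is blocked after five mistyped root passwords, which is the case the whitelist setting exists for.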
SnOOp-DiZZLe


- Joined on 02-13-2007
- Posts 5
|
Just a feature request.... Is it possible to include Message Sniffer in your next release?
This is appliance, thanks for all your hard work.