25 Jul 2005
Mailgraph on antivirus / antispam mail relay
The last couple of days I have tinkered with a new antivirus / antispam server at work. Its foundation is a Debian Sarge running Postfix, Spamassassin, ClamAV through Amavis-ng (Amavis is installed from current unstable) and of top if it all mailgraph.
All packages was taken from the stable Debian release – Sarge, except of amavis-ng which does not exist in Sarge. This package was instead downloaded from unstable… fortunately it had no dependencies from unstable what so ever.
The documentation on the Spamassassin homepage is great which is just the opposite for amavis-ng which seems non-exsisting. The configuration file shipped with Debian makes up for the lack of documentation. It seems that amavis-ng should be a (more modular) reimplementation of amavisd-new. Even though people on the mailinglists recommend amavisd-new 
I have a serious problem keeping my hands off the bleeding edge stuff so I couldn’t resist installing amavis-ng. I have tried using it before, but at that time I couldn’t make it fork (it became a serious bottleneck). I’m not saying that it didn’t work, it might as well hav been me. Though I cannot seem to find the difference from my previous installation and my new one. Anyway it seems to fork correctly in this new installation and to test the virus filter I recommend this web site
The reason why I write this entry is because I made some changes to mailgrap to make it work the way I wanted. Read on to see what (small) changes I made.
* First I changed the startup script to be able to use 2 log files (one for emails and one for virus).
Code for /etc/init.d/mailgraph:
#!/bin/sh
MAILGRAPH_CONFIG="/etc/default/mailgraph"
NAME="mailgraph"
DAEMON="/usr/sbin/mailgraph.pl"
PID_FILE="/var/run/mailgraph.pid"
PID_VIRUS_FILE="/var/run/mailgraph_virus.pid"
RRD_DIR="/var/lib/mailgraph"
IGNORE_OPTION=""
if [ -f $MAILGRAPH_CONFIG ]; then
. $MAILGRAPH_CONFIG
else
exit 0
fi
test -x /usr/sbin/mailgraph.pl || exit 0
if [ "$IGNORE_LOCALHOST" = "true" ]; then
IGNORE_OPTION="--ignore-localhost"
fi
case "$1" in
start)
echo -n "Starting Postfix Mail Statistics: $NAME"
if [ -f $VIRUS_LOG ]; then
start-stop-daemon -S -q -b -p $PID_FILE -x $DAEMON -- --only-mail-rrd -l $MAIL_LOG -d --daemon_rrd=$RRD_DIR $IGNORE_OPTION
start-stop-daemon -S -q -b -p $PID_VIRUS_FILE -x $DAEMON -- --daemon-pid=$PID_VIRUS_FILE --only-virus-rrd -l $VIRUS_LOG -d --daemon_rrd=$RRD_DIR $IGNORE_OPTION
else
start-stop-daemon -S -q -b -p $PID_FILE -x $DAEMON -- -l $MAIL_LOG -d --daemon_rrd=$RRD_DIR $IGNORE_OPTION
fi
echo "."
;;
stop)
echo -n "Stopping Postfix Mail Statistics: $NAME"
if [ -f $PID_FILE ]; then
kill `cat $PID_FILE`
rm $PID_FILE
fi
if [ -f $PID_VIRUS_FILE ]; then
kill `cat $PID_VIRUS_FILE`
rm $PID_VIRUS_FILE
fi
echo "."
;;
restart)
$0 stop
$0 start
;;
force-reload)
$0 restart
;;
*)
echo "Usage: $0 start|stop|restart|force-reload"
exit 1
;;
esac
Remember to define the virus log file in `/etc/default/mailgraph` 
Second I modified the
mailgraph.plcode because I didn’t recognize the output from Amavis (ClamAV):> Jul 25 20:04:59 gargoyle amavis[18319]: CLAMD found: > Jul 25 20:04:59 gargoyle amavis[18319]: Eicar-Test-Signature > Jul 25 20:04:59 gargoyle amavis[18319]: AMAVIS::MTA::SMTP: Dropping message (Message-ID: )
It might be because I use amavis-ng, I dunno. But I found a line to put into
/usr/sbin/mailgraph.pl. Around line 596 within the amavis case put this:... elsif($tqext =~ /^\CLAMD found\b/) { event($time, 'virus'); } ...
December 22, 2006