From: Michael Orlitzky <michael@orlitzky.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] clamav and spamassassin
Date: Sat, 03 Dec 2011 20:35:50 -0500
Message-ID: <4EDACE76.9060400@orlitzky.com>
In-Reply-To: <CAN0CFw2AbWTfBk+FUY25NK05DqHevtQSDBzuGAK7V-OYkZxwpg@mail.gmail.com>

On 12/03/2011 07:59 PM, Grant wrote:
>>> I haven't set up any antivirus measures on my Gentoo systems so I
>>> think I should.  Is clamav run as a scheduled filesystem scanner on
>>> each system and as an email scanner on the mail server all that's
>>> necessary?
>>
>>
>> Nobody (as far as I know?) scans linux filesystems unless there's a legal
>> requirement or the files might wind up on a Windows box.
>
> Very cool.  I found out clamscan and avgfree scan the filesystem so I
> thought I should set it up, but if it's not necessary I won't bother.
> All of my mail users are on Gentoo so do I need to bother having
> clamav scan my incoming mail?

Well, they aren't going to get infected with anything, but ClamAV could 
still keep the virus message (which is obviously unwanted) out of their 
inbox. There are also some third-party signatures[1] for ClamAV that 
catch scam/phishing mail.


>>> I'm currently greylisting email to prevent spam from getting through.
>>> It catches a lot, but more and more gets through.  I'm not using any
>>> mailfilters now and if I set up a clamav mailfilter I think I may as
>>> well set up a spamassassin mailfilter to take the place of
>>> greylisting.  Is this the best guide for clamav and spamassassin:
>>
>>
>> SpamAssassin shouldn't take the place of greylisting; they reject different
>> stuff. Keep the greylisting unless the delays bother you, but use postscreen
>> to do it (see below).
>
> I just did some reading on postscreen but it doesn't sound like a
> greylister.  Should I use postscreen in addition to postgrey, or are
> they substitutes for each other?
>

Postscreen isn't a greylist daemon per se, but it has the same effect if 
you enable the "deep protocol" tests. Once it gets past the initial 
greeting (into the "deep" stages), postscreen can no longer hand off the 
session to a real smtpd. So, even if the client passes all of the tests, 
postscreen will send it a "4xx try again." That's essentially greylisting.

Postscreen, like Postgrey, keeps a database of good clients, so you 
shouldn't lose any functionality there. This is what makes the 
aforementioned 4xx strategy work: when the client reconnects, it 
bypasses postscreen entirely and goes to a real smtpd.

I would make the switch when you have some free time. Postscreen is part 
of postfix, so it removes one dependency from your mail system. It also 
adds a couple of nice anti-spam features for free. And, if you ever 
decide to implement Amavis, postscreen makes the before-queue setup viable.


>>> http://www.gentoo.org/doc/en/mailfilter-guide.xml
>>>
>>> Could I run into any problems with clamav or spamassassin that might
>>> make me wish I hadn't implemented them?
>>
>>
>> Yeah. The first is false positives. The second, related problem is that
>> you'll have to manage a quarantine unless you stick amavisd-new in front of
>> the postfix queue.
>
> Now that sounds like a hassle.  Greylisting leaves me with about 50/50
> spam/legit mail and maybe incorporating postscreen I'll do even
> better.  Deleting spam in my inbox might be easier than dealing with
> false positives and managing a quarantine.

You should be able to do a lot better than that with just postscreen and 
postfix. If you try to implement postscreen, post your main.cf over on 
postfix-users for review. The built-in restrictions combined with a few 
RBLs should get you well below 50/50.

Plus, if you still get too much spam, you'll already have postscreen in 
place and that will make adding amavisd-new that much easier.


[1] http://www.sanesecurity.com/
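As an added illustration (not part of Michael's message, the Gentoo mailfilter guide, or any Postfix documentation), the fragments below show what the postscreen setup described above looks like in Postfix configuration: the pre-greeting and DNSBL tests that reject outright, the "deep protocol" tests whose pass result is a 4xx plus a cache entry (the greylisting effect), the cache that lets a returning client bypass postscreen, and the ordinary smtpd restrictions with an RBL lookup. All parameter names are real Postfix (2.8 and later) parameters; the particular DNSBL choices, score weights, and the access-list file path are illustrative assumptions, not recommendations from the thread.

```ini
# ---- main.cf (added example, not the author's configuration) ----

# Cache of clients that have passed all tests. A client found here skips
# postscreen on its next connection and is handed straight to a real smtpd.
postscreen_cache_map = btree:$data_directory/postscreen_cache

# Clients that never go through postscreen at all (your own networks, plus an
# optional CIDR table; the file path is an assumed placeholder).
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr

# Pre-greeting tests. A client that talks before the banner, or whose DNSBL
# score reaches the threshold, is rejected without ever reaching smtpd.
# (DNSBL list and weights are illustrative choices.)
postscreen_greet_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3, bl.spamcop.net*1
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce

# "Deep protocol" tests. Once these run, postscreen can no longer pass the
# session to smtpd, so a client that passes them gets a 4xx and a cache
# entry; when it reconnects it is admitted directly. This is the
# greylisting-like behaviour discussed in the thread.
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

# Normal smtpd restrictions still apply to sessions that get through,
# including an RBL check on the connecting client.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org

# ---- master.cf (added example) ----
# postscreen takes over port 25; smtpd becomes a "pass" service that only
# receives connections postscreen has accepted. dnsblog and tlsproxy are the
# helper services postscreen uses for DNSBL lookups and STARTTLS.
#
# service   type  private unpriv  chroot  wakeup  maxproc command
# smtp      inet  n       -       n       -       1       postscreen
# smtpd     pass  -       -       n       -       -       smtpd
# dnsblog   unix  -       -       n       -       0       dnsblog
# tlsproxy  unix  -       -       n       -       0       tlsproxy
```

The master.cf lines are shown as comments only so the whole block reads as one file; they go into master.cf uncommented, replacing the existing `smtp inet ... smtpd` entry. After a reload, postscreen logs `PASS NEW` for a client taking the 4xx-then-cache path and `PASS OLD` for one admitted from the cache, which is the quickest way to confirm the greylisting effect is working as described.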


