ESET North America NOD32 User Manual

NOD32 for Linux Mail Servers
Installation Manual
and
Users’ Documentation
Copyright 2005, Eset, s.r.o.
NOD32 for Linux Mail Servers, First Edition. Published on 11th March 2005. Copyright © 2005 Eset s.r.o.
All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without a permission in writing from the author.
Eset s.r.o. reserves the right to change any of the described application software without prior notice.
Revision History
Revision 2.14-1 (11/03/2005): Chapter with alternative methods using the NOD32 Command Line Interface (nod32cli) added.
Revision 2.13-2 (10/02/2005): Chapter with tips and tricks for NOD32LMS configuration added.
Revision 2.13-1 (01/01/2005): Authorized transcription of the NOD32 for Linux Mail Servers (version 2.13-1) user's guide.

Table of Contents

1. Introduction (page 1)
2. How to navigate through this guide (page 3)
3. Mail server in UNIX OS environment (page 5)
4. NOD32LMS package installation (page 9)
5. NOD32LMS basic configuration (page 13)
5.1. NOD32LMS - own configuration (page 13)
5.2. Scanning of the inbound e-mail messages (page 15)
5.2.1. Renaming the original MDA and its replacement by NOD32MDA (page 16)
5.2.2. Setting of NOD32MDA (in MTA) as MDA (page 18)
5.2.2.1. Setting Sendmail MTA (page 18)
5.2.2.2. Setting Postfix MTA (page 19)
5.2.2.3. Setting Qmail MTA (page 20)
5.2.2.4. Setting MTA Exim version 3 (page 22)
5.2.2.5. Setting MTA Exim version 4 (page 23)
5.3. Scanning the outbound e-mail messages (page 25)
5.4. Content filtering in MTA (page 28)
5.4.1. Content filtering in MTA Postfix (page 28)
5.4.2. Content filtering in MTA Sendmail (page 29)
5.5. Alternative methods of scanning e-mails (page 30)
5.5.1. Scanning e-mail messages using AMaViS (page 30)
5.5.1.1. amavis (page 31)
5.5.1.2. amavisd (page 32)
5.5.1.3. amavisd-new (page 32)
6. NOD32 system update and maintenance (page 33)
6.1. Basic concept of NOD32 system update (page 33)
6.1.1. NOD32 modules organization (page 33)
6.1.2. NOD32 mirror creation (page 34)
6.1.3. Generation of NOD32 scanner loading modules (page 34)
6.2. Subordinate mirrors creation (page 35)
6.3. Automatic update of the virus definitions database (page 36)
6.3.1. Structure and use of automatic update script (page 36)
6.3.2. Periodic update of the virus definitions database (page 37)
7. Tips and tricks (page 39)
7.1. Dropping messages marked by NOD32 as deleted in MTA Postfix (page 39)
7.2. NOD32LMS and TLS support in MTA (page 39)
8. Let us know (page 43)
A. Installed content of NOD32LMS package (page 45)

Chapter 1. Introduction

Dear user, you have acquired NOD32 for Linux Mail Servers - NOD32LMS - probably the best antivirus system for e-mail servers running under the Linux operating system. As you will soon realize, the system has unsurpassed scanning speed and detection rate, combined with a very small footprint that makes NOD32 the ideal choice for any Linux mail server.
The following is a short summary of its key features.
- The NOD32 scanning engine algorithms provide both the highest detection rate and the fastest scanning times.
- It includes unique advanced heuristics for Win32 worms and backdoors.
- The solution is MTA-independent (mail server independent).
- Inbuilt NOD32 archivers unpack archived e-mail attachments without the need for any external programs.
- To increase speed and efficiency, the architecture is based on a running daemon (resident program) to which all scanning requests are sent.
- Six levels of logging can be configured to get information about system activity and infiltrations.
- The installation requires no external libraries or programs except for libc.
- The system can be configured to notify any person in case of a detected infiltration.
- Information about an infiltration can be written into the e-mail header, footer and subject.
To run efficiently, the NOD32LMS requires just 5MB of hard-disk space and 8MB of RAM. The system runs smoothly under the 2.2.x, 2.4.x and 2.6.x Linux OS kernel versions. It supports most popular mail server software including Sendmail, Postfix, Qmail, Exim, etc. and runs under all of the common Linux distributions:
Fedora Core 1 and higher,
Red Hat version 5.x and higher,
Mandrake version 5.x and higher,
SuSE version 6.x and higher,
Debian version 2.x and higher.
From lower-powered, small office mail servers to enterprise-class ISP mail servers with thousands of users, NOD32LMS delivers the performance and scalability you expect from a UNIX based solution and the unequalled security of NOD32.

Chapter 2. How to navigate through this guide

This guide is intended as the complete user's guide to the NOD32LMS system. It covers configuration and maintenance of the system so that it runs efficiently on the various supported Linux OS distributions and e-mail server systems.
Assuming you are a typical system administrator, too busy to read all of these pages, here are some hints on how to move through this guide and pick up just the information necessary to set up and run the system.
First, look at the common messaging system scheme (next chapter) to see what NOD32LMS can do for you. Identify the way NOD32LMS should be integrated into your system and skip directly to the section that discusses that scenario.
Second, identify the e-mail server system running on your Linux OS and read only the sections of this guide that apply to it. Whenever a section is specific to one e-mail server system, the name of that system appears in the section title.
Third, read the foreword to each chapter to learn how relevant the chapter is to you. Often it points you directly to the section that contains just the step-by-step instructions you need.
Fourth, besides the information in this guide, there are manual pages for the individual components of the NOD32LMS package. They are always a useful reference for the exact component options, not all of which are mentioned here.
Lastly, note that the guide is divided in a following manner:
Chapter 1
Introduction.
Chapter 2
This text, that you have almost finished reading.
Chapter 3
Common scheme of the UNIX OS messaging system. Gives you an overview on what NOD32LMS can do for you.
Chapter 4
Leads you step by step to install the system.
Chapter 5
Lists e-mail server specific configurations.
Chapter 6
Will help you keep your system up to date.
Chapter 7
Contains tips and tricks on configuration of NOD32LMS.
Chapter 8
Contains information on where to send your questions or remarks.

Chapter 3. Mail server in UNIX OS environment

[Figure 3-1 diagram: on the e-mail server, the MTA receives mail from the Internet on TCP port 25 (SMTP) and passes it through a pipe to the MDA, which writes it into the MAILBOX file; on the client computer, the MUA fetches mail over TCP port 110 (POP3) or 143 (IMAP) and submits outbound mail to the MTA on TCP port 25 (SMTP). The scan points S1, S2 and S3 are marked on these paths.]
This chapter covers the basics of the e-mail messaging system, commonly also called the e-mail server system, although the e-mail server is only one part of the more complex messaging system. For a good understanding of how NOD32LMS operates, knowledge of the basic principles of the messaging system is of paramount importance, so we do not recommend skipping this section unless you already have that knowledge.
The following diagram is a rough scheme of the UNIX OS e-mail messaging system.
Figure 3-1. Scheme of UNIX OS e-mail messaging system.
The meaning of abbreviations used in the scheme of figure 3-1 is as follows.
MTA (Mail Transport Agent)
A program (for instance sendmail, postfix, qmail, exim, etc.) that receives e-mail messages from local and/or remote domains and forwards them for further delivery. Generally speaking, the MTA is the agent that transfers mail between the MTAs of other e-mail servers and/or MUAs (see below).
MDA (Mail Delivery Agent)
A program (maildrop, procmail, deliver, local.mail, etc.) providing delivery of an e-mail into a particular mailbox.
MUA (Mail User Agent)
An e-mail processing program (MS Outlook, Mozilla Mail, Eudora, etc.) that allows user to access and manage e-mail messages (i.e. read, compose, print them etc.).
MAILBOX
A file or a file structure on disk serving as the storage space for e-mails. Note: there are several mailbox formats in Linux OS, e.g. the old-fashioned format where the e-mails of each user are stored sequentially in one per-user file located in the directory /var/spool/mail; MBOX (a bit newer, but still an old format) with e-mails stored sequentially in one file located within the user's home directory; and MAILDIR with each e-mail stored in a separate file within a hierarchical directory structure.
The scheme in figure 3-1 represents a typical e-mail gateway placed at the entrance to a local network. The e-mail server receives incoming data typically via TCP port 25 (SMTP, the Simple Mail Transfer Protocol, is used in this process). A received message is either transferred by the local MTA to another, remote e-mail server system, or delivered by the local MDA into the appropriate MAILBOX (we assume that each user belonging to the local network has a corresponding MAILBOX located at the server). It is then the responsibility of the client's local MUA to download and/or correctly interpret the message at the client's computer. To get the data from the e-mail server system the MUA typically uses TCP port 110 (POP3, Post Office Protocol) or TCP port 143 (IMAP, Internet Message Access Protocol). Conversely, if a user at the client's computer wants to send an e-mail message to the Internet, it is again the responsibility of the local MUA to deliver the message via TCP port 25 (SMTP) to the local MTA (located at the entrance to the local network), which takes care of further delivery.
The operating principle of the NOD32LMS system is to intercept the data at various phases of its transfer and to scan it with the NOD32 scanning engine. These locations are marked in figure 3-1 by the symbols S1, S2 and S3. In the following text we distinguish three scenarios of e-mail message scanning, which correspond to these marks:
Scanning of inbound e-mail messages, marked in the figure by the symbol S1, is used to protect e-mail messages delivered from the outside Internet to the local MAILBOX-es belonging to local users. (We define the term "inbound message" as an e-mail message whose target address corresponds to a destination in the local domain. Similarly, an "outbound message" is a message bound, by its target address, to some remote domain.)
Scanning of outbound messages, marked in the figure by the symbol S2, is used to protect the e-mail messages sent by local users' MUAs to the outside Internet.
Bi-directional scanning (usually also known as content filtering in the MTA), marked by the symbol S3, checks both directions (or even all directions) of the e-mail message flow.
Note: The bi-directional scanning scenario is more complex than the two methods discussed above. It checks not only the message flow from the Internet to the local network and vice versa, but also messages that arrive at the gateway server and are further routed to other remote domains. In the general case this kind of scanning can therefore serve as a checkpoint between two different networks. From the point of view of our local e-mail gateway this kind of scanning is not necessarily required, and it creates a much higher load on the server than the previously discussed scenarios.

Chapter 4. NOD32LMS package installation

Before further explanations concerned with NOD32LMS, let’s first install the whole thing. In order to do so, one has to download the appropriate packages from the NOD32 server. Use your favorite web browser to navigate to the NOD32 download page
http://www.nod32.com/download/download.htm
At this page you can see a set of NOD32LMS packages listed for various UNIX OS distributions. Identify the appropriate distribution of the actual OS installed on your computer and download the appropriate package.
Note: For the download process to succeed, the username and password for authentication against the NOD32 server is required. You will receive both from your vendor.
After a successful download, the whole installation relies on one command typed in the directory into which the package was downloaded. If the OS distribution installed on your computer is Fedora, Red Hat, SuSE, Mandrake, or another Linux OS using the Red Hat package manager, type
rpm -i nod32lms-x.xx-x.i386.rpm
If NOD32LMS is already installed on your computer you will receive the following or a similar message in return:
package nod32lms-x.xx-x.i386.rpm is already installed
In this case use the upgrade switch -U (upper case; rpm has no lower-case -u switch) so that the installed package is replaced by the new one:
rpm -U nod32lms-x.xx-x.i386.rpm
Debian Linux uses its own package manager, dpkg (Debian packager), and its package files are of a different format (suffix deb). The statement for installing or upgrading the package is in this case
dpkg -i nod32lms-x.xx-x.i386.deb
Once the NOD32LMS package is installed, the main NOD32LMS scanning daemon nod32d is running in the background: the installation scripts start the daemon automatically, and from now on nod32d will also start at every boot of the computer. To be absolutely certain, check that the daemon is running by typing the command
ps -C nod32d
that should return the following or a similar message
  PID TTY          TIME CMD
 2226 ?        00:00:00 nod32d
If this is not the case, then something is wrong and you should report this as a bug to the NOD32 support service.
As you will soon realize, there are also other daemons within the NOD32LMS package that are required to run in some system configurations, for instance the daemons nod32smtp and nod32smfi. Since these daemons are not required in all cases, the installation script does not arrange for their automatic start at system boot; if necessary you have to do it by hand. Here is how.
In order to start, for instance, nod32smtp daemon under Red Hat or Mandrake, one has to write the following command
/sbin/service nod32smtp start
Under SuSE the appropriate command would be
/sbin/startproc /usr/bin/nod32smtp
Finally, for the Debian the equivalent command is
/sbin/start-stop-daemon --start --exec /usr/sbin/nod32smtp
Similarly, for stopping the appropriate service, one would write under RedHat or Mandrake the following command
/sbin/service nod32smtp stop
Under SuSE the appropriate command would be
/sbin/killproc /usr/bin/nod32smtp
and for Debian the equivalent command is
/sbin/start-stop-daemon --stop --name nod32smtp
The commands above are the ones you will always use when reconfiguring the system, since after every configuration change the NOD32LMS daemons have to be restarted.
Now we will describe how to provide the automatic start of the daemon at system boot. In order to do so, one has to write under Red Hat or Mandrake system the following commands
/sbin/chkconfig --add nod32smtp
Under SuSE Linux the following command will be valid
/sbin/insserv /etc/init.d/nod32smtp
and finally for the Debian the statement
/usr/sbin/update-rc.d nod32smtp defaults
can be used. After using these commands, the system will create all the necessary settings for the automatic start of the nod32smtp daemon at system boot.
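As an added example (not part of the NOD32LMS package or of this manual), the following POSIX shell script wraps the distribution-specific start, stop and enable commands above into one helper and adds the check a practitioner wants after every reconfiguration: stop, start, then confirm with ps -C that the daemon is actually up, which is the "something is wrong" case the manual says to report. Detecting the distribution through /etc/redhat-release, /etc/mandrake-release, /etc/SuSE-release and /etc/debian_version is this script's own assumption; the daemon paths are the ones quoted in the manual.

```shell
#!/bin/sh
# Added example: unified control of a NOD32LMS daemon across the distributions
# covered by the manual. Not part of the NOD32LMS package.

# detect_distro: print redhat | suse | debian | unknown.
# The release-file names used here are an assumption of this script.
detect_distro() {
    if [ -f /etc/redhat-release ] || [ -f /etc/mandrake-release ]; then
        echo redhat
    elif [ -f /etc/SuSE-release ]; then
        echo suse
    elif [ -f /etc/debian_version ]; then
        echo debian
    else
        echo unknown
    fi
}

# nod32_cmd DISTRO ACTION DAEMON: print the manual's command line for
# ACTION in start, stop or enable; return 1 for an unsupported combination.
nod32_cmd() {
    distro=$1 action=$2 daemon=$3
    case "$distro:$action" in
        redhat:start)  echo "/sbin/service $daemon start" ;;
        redhat:stop)   echo "/sbin/service $daemon stop" ;;
        redhat:enable) echo "/sbin/chkconfig --add $daemon" ;;
        suse:start)    echo "/sbin/startproc /usr/bin/$daemon" ;;
        suse:stop)     echo "/sbin/killproc /usr/bin/$daemon" ;;
        suse:enable)   echo "/sbin/insserv /etc/init.d/$daemon" ;;
        debian:start)  echo "/sbin/start-stop-daemon --start --exec /usr/sbin/$daemon" ;;
        debian:stop)   echo "/sbin/start-stop-daemon --stop --name $daemon" ;;
        debian:enable) echo "/usr/sbin/update-rc.d $daemon defaults" ;;
        *) return 1 ;;
    esac
}

# daemon_running NAME: 0 if "ps -C NAME" lists at least one process.
daemon_running() {
    ps -C "$1" -o pid= 2>/dev/null | grep -q '[0-9]'
}

# nod32_restart DAEMON [DISTRO]: stop, start, then poll ps -C for up to
# 5 seconds. Returns 1 if the daemon is not running afterwards.
nod32_restart() {
    daemon=$1
    distro=${2:-$(detect_distro)}
    stop=$(nod32_cmd "$distro" stop "$daemon") || { echo "unsupported distribution: $distro" >&2; return 1; }
    start=$(nod32_cmd "$distro" start "$daemon") || return 1
    $stop
    $start
    i=0
    while [ "$i" -lt 5 ]; do
        daemon_running "$daemon" && return 0
        sleep 1
        i=$((i + 1))
    done
    echo "$daemon is not running after restart" >&2
    return 1
}

# Typical use after editing the NOD32LMS configuration:
#   nod32_restart nod32d
#   nod32_restart nod32smtp
```

The enable command is deliberately kept separate from the restart sequence: enabling a daemon at boot is a one-time decision, while stop/start/verify is what every configuration change needs.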
However, we still have to discuss one circumstance about the NOD32LMS package installation. In case none of the above OS distributions correspond to your actual operating system, you can try to install NOD32LMS from the tgz (tarred and gzipped) format. The rest of this chapter is a step by step guide to do so, therefore if this is not relevant to you, skip directly to the next section.
In order to install NOD32LMS from a generic tgz file, copy the file nod32lms-x.xx-x.i386.lnx.tgz, for instance, into the directory /usr/local/src. Unpack the file
tar -xvzf nod32lms-x.xx-x.i386.lnx.tgz
and copy the individual components of the package into the corresponding subdirectories of the root directory, i.e. change current working directory to the unpacked package directory
cd /usr/local/src/nod32lms-x.xx
and write the following statement
cp -r * /
The switch -r provides recursive copying of all package components to their proper place under the root directory. If your implementation of cp does not provide this functionality, copy the individual components one by one; appendix A lists the complete content of the NOD32LMS package together with the location where each file is installed.
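Copying a whole tree over / silently replaces any file that already exists at the same path, for instance an init script you have already edited. As an added example (not part of the NOD32LMS package or of this manual), the following POSIX shell script lists the files that the copy would overwrite and refuses to proceed unless explicitly told to. The package directory and the target root are passed as arguments, so the procedure can be rehearsed against a scratch directory before it is run against /.

```shell
#!/bin/sh
# Added example: preview and guard the "cp -r * /" step of the generic tgz
# installation. Not part of the NOD32LMS package.

# overwrites SRC DEST: print, one per line, the relative paths of regular
# files under SRC that already exist under DEST. Always exits 0.
overwrites() {
    src=$1 dest=$2
    ( cd "$src" && find . -type f ) | sed 's|^\./||' | while IFS= read -r rel; do
        if [ -e "$dest/$rel" ]; then
            printf '%s\n' "$rel"
        fi
    done
    return 0
}

# count_overwrites SRC DEST: number of files the copy would replace.
count_overwrites() {
    overwrites "$1" "$2" | wc -l | tr -d ' '
}

# install_tree SRC DEST [force]: copy the package tree into DEST, keeping the
# relative layout (the manual's "cp -r * /" with DEST=/). Refuses with status 2
# if anything would be overwritten, unless the third argument is "force".
install_tree() {
    src=$1 dest=$2 force=${3:-no}
    n=$(count_overwrites "$src" "$dest")
    if [ "$n" -ne 0 ] && [ "$force" != force ]; then
        echo "refusing: $n existing file(s) under $dest would be overwritten:" >&2
        overwrites "$src" "$dest" >&2
        return 2
    fi
    # "$src/." also picks up dot-files, which a bare "*" would skip.
    cp -r "$src/." "$dest/"
}

# Rehearsal against the unpacked package and the real root:
#   cd /usr/local/src/nod32lms-x.xx
#   install_tree . /          # lists conflicts and stops if there are any
#   install_tree . / force    # proceeds after you have reviewed the list
```

Run the refusing form first and keep its output: the listed paths are exactly the files whose local modifications you need to re-apply, or back up, before forcing the copy.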
Note: After copying the NOD32LMS components you have to adjust the initialization scripts for the NOD32LMS daemon programs. In the /etc/init.d directory you should see short scripts whose names correspond to the individual NOD32LMS components and OS distributions. For instance
/etc/init.d/nod32d.deb