Tags: postfix amavis-new spamassassin clamav spam filtering virus scanning
1. Test the amavisd port, 10024
Postfix hands every message to the content filter, amavisd, on port 10024. Connect to it by hand and check that it is amavisd that answers:
[root@mail ~]# telnet localhost 10024
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 [::1] ESMTP amavisd-new service ready
ehlo localhost
250-[::1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE
quit
221 2.0.0 [::1] amavisd-new closing transmission channel
Connection closed by foreign host.
Success: the banner identifies amavisd-new, and the EHLO reply advertises XFORWARD, which is what lets Postfix pass the original client's name, address and HELO through to amavisd (the smtp-amavis transport needs smtp_send_xforward_command=yes for that).
2. Test the Postfix reinjection port, 10025
Once amavisd has had SpamAssassin and clamd scan a message, it hands it back to Postfix on port 10025. Check that listener as well:
[root@mail ~]# telnet localhost 10025
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.yourmail.com ESMTP Postfix - by yourmail.com
ehlo localhost
250-mail.yourmail.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
Success. The refused IPv6 attempt is expected: the 10025 listener in master.cf is bound to 127.0.0.1 only, and amavisd forwards to smtp:[127.0.0.1]:10025 (the later log line "from MTA(smtp:[127.0.0.1]:10025)" confirms this). Keep it that way: the reinjection listener bypasses the port-25 restrictions, so it must never be reachable from anything but loopback. Note also that this listener still advertises AUTH; the reinjection path does not need SASL, and the FILTER_README example disables it on 10025 with -o smtpd_sasl_auth_enable=no.
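The two manual probes above can be turned into a check. The following Python is an added example, not code from the original post or from the Postfix/amavisd projects: it parses EHLO replies (the two embedded here are constructed from the telnet sessions above) and reports what a practitioner should verify at this point: that amavisd's 10024 listener advertises XFORWARD with ADDR, and that the 10025 reinjection listener neither offers AUTH nor lacks XFORWARD (Postfix only advertises XFORWARD to clients listed in smtpd_authorized_xforward_hosts, so a missing XFORWARD on 10025 means the original client information is lost on reinjection). probe() runs the same checks against a live server; the host names and ports are the ones used on this page.

```python
"""Check the amavisd <-> Postfix hand-off ports from their EHLO replies."""
import smtplib

# Constructed from the two telnet sessions above (not captured live by this script).
EHLO_10024 = """250-[::1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE"""

EHLO_10025 = """250-mail.yourmail.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply):
    """Parse a raw multi-line EHLO reply into {'server': name, 'features': {keyword: params}}.

    Keywords are lower-cased, the same shape smtplib.SMTP.esmtp_features uses,
    so probe() below and this function can feed the same checks."""
    lines = [line.rstrip("\r") for line in reply.strip().splitlines()]
    if not lines or not all(line[:4] in ("250-", "250 ") for line in lines):
        raise ValueError("not a 250 EHLO reply")
    features = {}
    for line in lines[1:]:
        body = line[4:].strip().replace("AUTH=", "AUTH ", 1)  # legacy "AUTH=LOGIN PLAIN" spelling
        keyword, _, params = body.partition(" ")
        features[keyword.lower()] = params.strip()
    return {"server": lines[0][4:].strip(), "features": features}


def check_filter_ports(amavis, reinject):
    """Compare the two parsed replies with what a content-filter hand-off should look like.

    Returns a list of findings; an empty list means the wiring matches."""
    findings = []
    xforward = amavis["features"].get("xforward")
    if xforward is None:
        findings.append("10024: no XFORWARD; amavisd would see 127.0.0.1 as every client")
    elif "ADDR" not in xforward.split():
        findings.append("10024: XFORWARD without ADDR; the original client IP is not passed on")
    if "auth" in reinject["features"]:
        findings.append("10025: AUTH advertised; set -o smtpd_sasl_auth_enable=no on the reinjection listener")
    if "xforward" not in reinject["features"]:
        findings.append("10025: no XFORWARD; set -o smtpd_authorized_xforward_hosts=127.0.0.0/8 "
                        "so the original client is restored on reinjection")
    return findings


def probe(host, port, timeout=5.0):
    """Live version: EHLO a running server and return it in the shape parse_ehlo() produces."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, msg = s.ehlo("localhost")
        if code != 250:
            raise RuntimeError("EHLO on %s:%d returned %d %r" % (host, port, code, msg))
        return {"server": msg.split(b"\n", 1)[0].decode("ascii", "replace"),
                "features": dict(s.esmtp_features)}


if __name__ == "__main__":
    # Offline run over the constructed replies; on the mail host use
    # check_filter_ports(probe("localhost", 10024), probe("localhost", 10025)) instead.
    for finding in check_filter_ports(parse_ehlo(EHLO_10024), parse_ehlo(EHLO_10025)):
        print(finding)
```

Run on the replies captured on this page it reports two findings for 10025 (AUTH advertised, XFORWARD missing); an empty list is the target state. The check cannot tell whether 10025 is bound to loopback only; confirm that separately with the master.cf entry or ss -ltn.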
3. Test with a virus mail
(1) Send the virus mail. The body is the EICAR test string, which every scanner recognises as a test signature; it is harmless:
[root@mail ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.yourmail.com ESMTP Postfix - by yourmail.com
ehlo localhost                                   # EHLO
250-mail.yourmail.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login                                       # start SASL LOGIN authentication
334 VXNlcm5hbWU6
cG9zdG1hc3RlckB5b3VybWFpbC5jb20=                 # the postmaster account name, base64-encoded
334 UGFzc3dvcmQ6
ZXh0bWFpbA==                                     # its password, base64-encoded
235 2.7.0 Authentication successful
mail from:<postmaster@yourmail.com>              # envelope sender
250 2.1.0 Ok
rcpt to:<test@yourmail.com>                      # envelope recipient
250 2.1.5 Ok
data                                             # start the message content
354 End data with <CR><LF>.<CR><LF>
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*   # the EICAR test string
.                                                # a line with only "." ends DATA
250 2.0.0 Ok: queued as 039B41A2129              # 039B41A2129 is this message's queue ID
quit
221 2.0.0 Bye
Connection closed by foreign host.
Note that AUTH LOGIN only base64-encodes the credentials; base64 is an encoding, not encryption, and echo ZXh0bWFpbA== | base64 -d recovers the password. That is acceptable on the loopback interface during a test, but this listener allows AUTH before STARTTLS, so anyone authenticating from the network would send the password in the clear. For production set smtpd_tls_auth_only = yes so Postfix only offers AUTH inside TLS.
(2) Check the log:
[root@mail ~]# tailf /var/log/maillog
Dec 5 13:59:06 mail postfix/smtpd[33105]: 039B41A2129: client=localhost[::1], sasl_method=login, sasl_username=postmaster@yourmail.com
Dec 5 13:59:16 mail postfix/cleanup[33115]: 039B41A2129: message-id=<20141205055906.039B41A2129@mail.yourmail.com>
Dec 5 13:59:16 mail postfix/qmgr[32477]: 039B41A2129: from=<postmaster@yourmail.com>, size=430, nrcpt=1 (queue active)
# 039B41A2129 is the queue ID of the message postmaster sent
Dec 5 13:59:16 mail postfix/smtpd[33119]: initializing the server-side TLS engine
Dec 5 13:59:16 mail postfix/smtpd[33119]: connect from localhost[127.0.0.1]
Dec 5 13:59:16 mail postfix/smtpd[33119]: B00BE1A2131: client=localhost[127.0.0.1]
Dec 5 13:59:16 mail postfix/cleanup[33115]: B00BE1A2131: message-id=<VA6t1HGplBpVw3@mail.yourmail.com>
Dec 5 13:59:16 mail postfix/qmgr[32477]: B00BE1A2131: from=<virusalert@yourmail.com>, size=2212, nrcpt=1 (queue active)
Dec 5 13:59:16 mail amavis[33064]: (33064-01) Blocked INFECTED (Eicar-Test-Signature) {NoBounceInbound,Quarantined}, [::1]:42295 [::1] <postmaster@yourmail.com> -> <test@yourmail.com>, quarantine: virus-6t1HGplBpVw3, Message-ID: <20141205055906.039B41A2129@mail.yourmail.com>, mail_id: 6t1HGplBpVw3, Hits: -, size: 430, 374 ms
# B00BE1A2131 is the virus notification amavisd generated and injected through 127.0.0.1:10025, addressed to the $virus_admin address virusalert@yourmail.com. The infected message itself is kept in quarantine as /var/virusmails/virus-6t1HGplBpVw3
# "Blocked INFECTED (Eicar-Test-Signature)" means amavisd called ClamAV and ClamAV recognised the signature, so the Postfix + amavisd + ClamAV chain works. "Hits: -" shows SpamAssassin was not run on this message: the virus check comes first and stops processing
Dec 5 13:59:16 mail postfix/smtp[33116]: 039B41A2129: to=<test@yourmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=16/0.09/0.02/0.36, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=33064-01, DISCARD(bounce.suppressed))
Dec 5 13:59:16 mail postfix/qmgr[32477]: 039B41A2129: removed
# From Postfix's side 039B41A2129 is "sent": amavisd answered 250 on port 10024 and took responsibility for it. But the reply says DISCARD, so amavisd dropped the message instead of reinjecting it on 10025, and "bounce.suppressed" ({NoBounceInbound}) means no non-delivery notice went to the sender either. test never receives the message and nobody is told; only the quarantine copy and the admin notification remain
Dec 5 13:59:16 mail postfix/pipe[33120]: B00BE1A2131: to=<virusalert@yourmail.com>, relay=maildrop, delay=0.19, delays=0.04/0.03/0/0.13, dsn=5.1.1, status=bounced (user unknown. Command output: Invalid user specified. )
Dec 5 13:59:16 mail postfix/cleanup[33115]: DFFA91A2130: message-id=<20141205055916.DFFA91A2130@mail.yourmail.com>
Dec 5 13:59:16 mail postfix/qmgr[32477]: DFFA91A2130: from=<>, size=4184, nrcpt=1 (queue active)
Dec 5 13:59:16 mail postfix/bounce[33122]: B00BE1A2131: sender non-delivery notification: DFFA91A2130
# The notification to virusalert could not be delivered: maildrop has no such user (dsn=5.1.1), so Postfix generated a non-delivery notification, DFFA91A2130, addressed to the notification's sender, which is also virusalert@yourmail.com
Dec 5 13:59:16 mail postfix/qmgr[32477]: B00BE1A2131: removed
Dec 5 13:59:17 mail postfix/pipe[33120]: DFFA91A2130: to=<postmaster@yourmail.com>, orig_to=<virusalert@yourmail.com>, relay=maildrop, delay=0.1, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered via maildrop service)
Dec 5 13:59:17 mail postfix/qmgr[32477]: DFFA91A2130: removed
Dec 5 13:59:17 mail postfix/smtpd[33105]: disconnect from localhost[::1]
# The virusalert -> postmaster alias was applied to the bounce (orig_to=<virusalert@yourmail.com>) but not to B00BE1A2131, which arrived through the 10025 listener. So what lands in postmaster's mailbox as DFFA91A2130 is a non-delivery notification wrapping the virus report, not the report itself. If the 10025 listener runs with receive_override_options=no_address_mappings that explains the difference; either way the clean fix is to point $virus_admin in amavisd.conf at a mailbox that actually exists, or to make virusalert deliverable on the 10025 path, and then re-run this test until B00BE1A2131's counterpart shows status=sent
(3) Open postmaster's mailbox and look at the virus notification:
(4) View its headers; the queue ID is indeed DFFA91A2130:
(5) List the quarantine directory:
[root@mail ~]# ll /var/virusmails/
total 4
-rw-r-----. 1 amavis amavis 1027 Dec  5 13:59 virus-6t1HGplBpVw3
(6) View the quarantined virus message. This is the complete original message with amavisd's headers prepended, not a report; the EICAR string is still in the body, which is why the file is owned by amavis with mode 640:
[root@mail ~]# cat /var/virusmails/virus-6t1HGplBpVw3
Return-Path: <>
Delivered-To: virus-quarantine
X-Envelope-From: <postmaster@yourmail.com>
X-Envelope-To: <test@yourmail.com>
X-Envelope-To-Blocked: <test@yourmail.com>
X-Quarantine-ID: <6t1HGplBpVw3>
X-Amavis-Alert: INFECTED, message contains virus: Eicar-Test-Signature
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x tag=x tag2=x kill=x tests=[] autolearn=unavailable
Received: from mail.yourmail.com ([127.0.0.1])
	by localhost (mail.yourmail.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 6t1HGplBpVw3 for <test@yourmail.com>;
	Fri, 5 Dec 2014 13:59:16 +0800 (CST)
Received: from localhost (localhost [IPv6:::1])
	by mail.yourmail.com (Postfix - by yourmail.com) with ESMTPA id 039B41A2129
	for <test@yourmail.com>; Fri, 5 Dec 2014 13:58:59 +0800 (CST)
Message-Id: <20141205055906.039B41A2129@mail.yourmail.com>
Date: Fri, 5 Dec 2014 13:58:59 +0800 (CST)
From: postmaster@yourmail.com
To: undisclosed-recipients:;

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
X-Envelope-To-Blocked lists the recipient the message was withheld from, and the "score=x" values in X-Spam-Status confirm that SpamAssassin never ran on it.
4. Test with a spam mail
(1) Send the spam mail. The body is the GTUBE test string, which SpamAssassin scores at 1000 points by rule, so it trips every threshold regardless of the rest of the configuration:
[root@mail ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.yourmail.com ESMTP Postfix - by yourmail.com
ehlo localhost                                   # EHLO
250-mail.yourmail.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login                                       # start SASL LOGIN authentication
334 VXNlcm5hbWU6
cG9zdG1hc3RlckB5b3VybWFpbC5jb20=                 # the postmaster account name, base64-encoded
334 UGFzc3dvcmQ6
ZXh0bWFpbA==                                     # its password, base64-encoded
235 2.7.0 Authentication successful
mail from:<postmaster@yourmail.com>              # envelope sender
250 2.1.0 Ok
rcpt to:<test@yourmail.com>                      # envelope recipient
250 2.1.5 Ok
data                                             # start the message content
354 End data with <CR><LF>.<CR><LF>
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X   # the GTUBE test string
.                                                # a line with only "." ends DATA
250 2.0.0 Ok: queued as 336741A2129              # 336741A2129 is this message's queue ID
quit
221 2.0.0 Bye
Connection closed by foreign host.
(2) Check the log:
[root@mail ~]# tailf /var/log/maillog
Dec 5 14:26:11 mail postfix/smtpd[33239]: 336741A2129: client=localhost[::1], sasl_method=login, sasl_username=postmaster@yourmail.com
Dec 5 14:26:46 mail postfix/cleanup[33248]: 336741A2129: message-id=<20141205062611.336741A2129@mail.yourmail.com>
Dec 5 14:26:46 mail postfix/qmgr[32477]: 336741A2129: from=<postmaster@yourmail.com>, size=430, nrcpt=1 (queue active)
Dec 5 14:26:49 mail postfix/smtpd[33239]: disconnect from localhost[::1]
# 336741A2129 is the queue ID of the message postmaster sent
Dec 5 14:26:49 mail amavis[33065]: (33065-01) INFO: no existing header field 'Subject', inserting it
# The message has been handed to amavisd for scanning. It has no Subject header, so amavisd inserts one; because the score exceeds the tag2 level, amavisd then prepends the string from $sa_spam_subject_tag in amavisd.conf (something like "***Spam***") to it
Dec 5 14:26:49 mail postfix/smtpd[33254]: initializing the server-side TLS engine
Dec 5 14:26:49 mail postfix/smtpd[33254]: connect from localhost[127.0.0.1]
Dec 5 14:26:49 mail postfix/smtpd[33254]: 5B38D1A2136: client=localhost[127.0.0.1]
Dec 5 14:26:49 mail postfix/cleanup[33248]: 5B38D1A2136: message-id=<20141205062611.336741A2129@mail.yourmail.com>
Dec 5 14:26:49 mail postfix/qmgr[32477]: 5B38D1A2136: from=<postmaster@yourmail.com>, size=1240, nrcpt=1 (queue active)
# 5B38D1A2136 is the same message after amavisd added the Subject and the X-Spam-* headers and reinjected it on 127.0.0.1:10025: the Message-ID is unchanged, the size grew from 430 to 1240 bytes
Dec 5 14:26:49 mail amavis[33065]: (33065-01) Passed SPAM {RelayedTaggedInbound,Quarantined}, [::1]:42299 [::1] <postmaster@yourmail.com> -> <test@yourmail.com>, quarantine: spam-Z230tCIzZbzS.gz, Message-ID: <20141205062611.336741A2129@mail.yourmail.com>, mail_id: Z230tCIzZbzS, Hits: 1000.768, size: 430, queued_as: 5B38D1A2136, 2860 ms
# amavisd is configured to pass spam ($final_spam_destiny = D_PASS), so the verdict reads "Passed SPAM" and nothing is intercepted. With a blocking destiny it would read "Blocked SPAM" and a report would go to the spam admin address (spam.police <postmaster@yourmail.com> in this setup)
# "SPAM" rather than "SPAMMY" tells you the score passed the kill level as well as tag2; only the D_PASS destiny keeps the message flowing. A compressed copy is quarantined as /var/virusmails/spam-Z230tCIzZbzS.gz
Dec 5 14:26:49 mail postfix/smtp[33251]: 336741A2129: to=<test@yourmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=43, delays=40/0.04/0.01/2.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5B38D1A2136)
Dec 5 14:26:49 mail postfix/qmgr[32477]: 336741A2129: removed
# Postfix delivered 336741A2129 to amavisd on port 10024; amavisd handed it back to Postfix on port 10025, where it was queued as 5B38D1A2136 (the nested "250 ... queued as" is the 10025 listener's reply relayed through amavisd)
Dec 5 14:26:49 mail postfix/pipe[33255]: 5B38D1A2136: to=<test@yourmail.com>, relay=maildrop, delay=0.11, delays=0.02/0.04/0/0.05, dsn=2.0.0, status=sent (delivered via maildrop service)
Dec 5 14:26:49 mail postfix/qmgr[32477]: 5B38D1A2136: removed
# Postfix delivers the message to test; this time it goes through, with the spam tag added to the Subject
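Reading the two log excerpts above by hand means chasing queue IDs across three daemons. The following Python is an added example (not from the original post, and not Postfix or amavisd code) that does the chase for both the virus and the spam case: it joins Postfix's smtp line for the 10024 hop to the amavisd verdict (by amavisd task id when the message was discarded, since Postfix logs "id=<task>", and by the "queued as" id when it was reinjected), then to the final delivery of the reinjected copy, and separately lists deliveries that bounced, which is how the undeliverable virusalert notification surfaces. MAILLOG is constructed from the lines shown in sections 3 and 4; the regular expressions follow the log formats visible there.

```python
"""Follow messages through Postfix -> amavisd (10024) -> Postfix (10025) using maillog."""
import re

# Constructed sample: the relevant lines from the two maillog excerpts in sections 3 and 4.
MAILLOG = """\
Dec 5 13:59:16 mail amavis[33064]: (33064-01) Blocked INFECTED (Eicar-Test-Signature) {NoBounceInbound,Quarantined}, [::1]:42295 [::1] <postmaster@yourmail.com> -> <test@yourmail.com>, quarantine: virus-6t1HGplBpVw3, Message-ID: <20141205055906.039B41A2129@mail.yourmail.com>, mail_id: 6t1HGplBpVw3, Hits: -, size: 430, 374 ms
Dec 5 13:59:16 mail postfix/smtp[33116]: 039B41A2129: to=<test@yourmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=16/0.09/0.02/0.36, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=33064-01, DISCARD(bounce.suppressed))
Dec 5 13:59:16 mail postfix/pipe[33120]: B00BE1A2131: to=<virusalert@yourmail.com>, relay=maildrop, delay=0.19, delays=0.04/0.03/0/0.13, dsn=5.1.1, status=bounced (user unknown. Command output: Invalid user specified. )
Dec 5 13:59:17 mail postfix/pipe[33120]: DFFA91A2130: to=<postmaster@yourmail.com>, orig_to=<virusalert@yourmail.com>, relay=maildrop, delay=0.1, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered via maildrop service)
Dec 5 14:26:49 mail amavis[33065]: (33065-01) Passed SPAM {RelayedTaggedInbound,Quarantined}, [::1]:42299 [::1] <postmaster@yourmail.com> -> <test@yourmail.com>, quarantine: spam-Z230tCIzZbzS.gz, Message-ID: <20141205062611.336741A2129@mail.yourmail.com>, mail_id: Z230tCIzZbzS, Hits: 1000.768, size: 430, queued_as: 5B38D1A2136, 2860 ms
Dec 5 14:26:49 mail postfix/smtp[33251]: 336741A2129: to=<test@yourmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=43, delays=40/0.04/0.01/2.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5B38D1A2136)
Dec 5 14:26:49 mail postfix/pipe[33255]: 5B38D1A2136: to=<test@yourmail.com>, relay=maildrop, delay=0.11, delays=0.02/0.04/0/0.05, dsn=2.0.0, status=sent (delivered via maildrop service)
"""

# amavisd's one-line verdict: action, content category, optional virus name, flags, quarantine, ids
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<verdict>(?:Passed|Blocked) [A-Z-]+)"
    r"(?: \((?P<detail>[^)]*)\))? \{(?P<flags>[^}]*)\}.*? <(?P<from>[^>]*)> -> <(?P<to>[^>]*)>,"
    r"(?: quarantine: (?P<quarantine>[^,]+),)? Message-ID: <(?P<msgid>[^>]*)>, mail_id: (?P<mail_id>[^,]+),"
    r" Hits: (?P<hits>[^,]+), size: (?P<size>\d+)(?:, queued_as: (?P<queued_as>[^,]+))?")
# Postfix's smtp client reporting a hop (into the content filter, or to any other relay)
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), "
    r".*?dsn=(?P<dsn>[^,]+), status=(?P<status>\w+) \((?P<reply>.*)\)$")
# Final delivery (pipe/maildrop here; local, virtual and lmtp log the same fields)
DELIVERY_RE = re.compile(
    r"postfix/(?:pipe|local|virtual|lmtp)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>,"
    r"(?: orig_to=<(?P<orig_to>[^>]*)>,)? relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[^,]+), status=(?P<status>\w+)")


def trace_content_filter(log_text):
    """Return {original queue id: record} for every message Postfix handed to port 10024."""
    by_task, by_queued, smtp, deliveries = {}, {}, {}, {}
    for line in log_text.splitlines():
        m = AMAVIS_RE.search(line)
        if m:
            by_task[m.group("task")] = m.groupdict()
            if m.group("queued_as"):
                by_queued[m.group("queued_as")] = m.groupdict()
            continue
        m = SMTP_RE.search(line)
        if m:
            smtp[m.group("qid")] = m.groupdict()
            continue
        m = DELIVERY_RE.search(line)
        if m:
            deliveries[m.group("qid")] = m.groupdict()

    records = {}
    for qid, hop in smtp.items():
        if not hop["relay"].endswith(":10024"):
            continue  # not the hop into amavisd
        task = re.search(r"\bid=([\d-]+)", hop["reply"])          # present when amavisd discarded
        queued = re.search(r"queued as ([0-9A-F]+)", hop["reply"])  # present when it reinjected
        verdict = None
        if task:
            verdict = by_task.get(task.group(1))
        elif queued:
            verdict = by_queued.get(queued.group(1))
        rec = {"to": hop["to"], "verdict": None, "detail": None, "hits": None, "quarantine": None,
               "outcome": None, "bounce_suppressed": None, "reinjected_as": None, "final_status": None}
        if verdict:
            rec.update(verdict=verdict["verdict"], detail=verdict["detail"],
                       hits=verdict["hits"], quarantine=verdict["quarantine"])
        if "DISCARD" in hop["reply"]:
            # amavisd answered 250 but dropped the message: nothing reached 10025
            rec["outcome"] = "discarded"
            rec["bounce_suppressed"] = "bounce.suppressed" in hop["reply"]
        elif queued:
            rec["outcome"] = "reinjected"
            rec["reinjected_as"] = queued.group(1)
            final = deliveries.get(queued.group(1))
            rec["final_status"] = final["status"] if final else None
        records[qid] = rec
    return records


def bounced_deliveries(log_text):
    """(queue id, recipient, dsn) for every final delivery that bounced, e.g. an amavisd
    notification sent to a $virus_admin address that does not exist."""
    out = []
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m and m.group("status") == "bounced":
            out.append((m.group("qid"), m.group("to"), m.group("dsn")))
    return out


if __name__ == "__main__":
    for qid, rec in trace_content_filter(MAILLOG).items():
        print(qid, rec["verdict"], rec["detail"] or "", rec["outcome"], rec["reinjected_as"] or "",
              rec["final_status"] or "")
    print("bounced:", bounced_deliveries(MAILLOG))
```

For a live system replace MAILLOG with the contents of /var/log/maillog. A record with outcome "discarded" and no reinjected_as is the virus case; "reinjected" with final_status "sent" is the tagged spam case; anything in bounced_deliveries() addressed to the notification recipients is a configuration problem to fix before relying on the alerts.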
(3) Open test's mailbox and look at the spam mail that arrived.
The spam marker has been inserted into the Subject.
(4) View the headers.
The queue ID is indeed 5B38D1A2136, and the X-Spam-Score of 1000.768 is far above the tag2 level of 6.2 and the kill level of 6.9 shown in X-Spam-Status.
(5) List the quarantine directory:
[root@mail ~]# ll /var/virusmails/
total 8
-rw-r-----. 1 amavis amavis  588 Dec  5 14:26 spam-Z230tCIzZbzS.gz
-rw-r-----. 1 amavis amavis 1027 Dec  5 13:59 virus-6t1HGplBpVw3
(6) View the quarantined spam message. Spam quarantine files are gzip-compressed (the default $spam_quarantine_method = 'local:spam-%b-%i-%n.gz' style), so unpack first:
[root@mail ~]# gunzip /var/virusmails/spam-Z230tCIzZbzS.gz
[root@mail ~]# cat /var/virusmails/spam-Z230tCIzZbzS
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <postmaster@yourmail.com>
X-Envelope-To: <test@yourmail.com>
X-Envelope-To-Blocked:
X-Quarantine-ID: <Z230tCIzZbzS>
X-Spam-Flag: YES
X-Spam-Score: 1000.768
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=1000.768 tag=2 tag2=6.2 kill=6.9 tests=[ALL_TRUSTED=-1, GTUBE=1000, MISSING_SUBJECT=1.767, TVD_SPACE_RATIO=0.001] autolearn=no autolearn_force=no
Received: from mail.yourmail.com ([127.0.0.1])
	by localhost (mail.yourmail.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Z230tCIzZbzS for <test@yourmail.com>;
	Fri, 5 Dec 2014 14:26:46 +0800 (CST)
Received: from localhost (localhost [IPv6:::1])
	by mail.yourmail.com (Postfix - by yourmail.com) with ESMTPA id 336741A2129
	for <test@yourmail.com>; Fri, 5 Dec 2014 14:26:06 +0800 (CST)
Message-Id: <20141205062611.336741A2129@mail.yourmail.com>
Date: Fri, 5 Dec 2014 14:26:06 +0800 (CST)
From: postmaster@yourmail.com
To: undisclosed-recipients:;

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
Compared with the virus quarantine, X-Envelope-To-Blocked is empty: nobody was withheld from, because the message was passed. The tests list shows where the score comes from: GTUBE alone is 1000, ALL_TRUSTED subtracts 1 because the message came from a trusted (local) host, MISSING_SUBJECT adds 1.767.
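X-Spam-Status carries everything amavisd used for its decision, and the same header explains both quarantine files on this page (the "score=x" virus one and the "score=1000.768" spam one). The following Python is an added example, not from the original post and not amavisd's own Perl logic; it parses that header from header blocks constructed from the two files above and restates amavisd's decision rule: below tag2 the message is CLEAN, from tag2 up to the kill level it is SPAMMY and is always delivered with the subject tag, at or above the kill level it is SPAM and $final_spam_destiny decides. The $sa_dsn_cutoff_level default of 10 used in the D_BOUNCE branch is amavisd's documented default; the thresholds themselves come from the header.

```python
"""Restate amavisd's spam decision from the X-Spam-Status header it writes."""
import re

# Constructed from the two quarantine files above (headers only, the spam one folded as amavisd does).
VIRUS_HEADERS = """\
X-Envelope-To-Blocked: <test@yourmail.com>
X-Quarantine-ID: <6t1HGplBpVw3>
X-Amavis-Alert: INFECTED, message contains virus: Eicar-Test-Signature
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Status: No, score=x tag=x tag2=x kill=x tests=[] autolearn=unavailable
"""
SPAM_HEADERS = """\
X-Envelope-To-Blocked:
X-Quarantine-ID: <Z230tCIzZbzS>
X-Spam-Flag: YES
X-Spam-Score: 1000.768
X-Spam-Status: Yes, score=1000.768 tag=2 tag2=6.2 kill=6.9 tests=[ALL_TRUSTED=-1, GTUBE=1000,
	MISSING_SUBJECT=1.767, TVD_SPACE_RATIO=0.001] autolearn=no autolearn_force=no
"""

STATUS_RE = re.compile(
    r"(?P<flag>Yes|No), score=(?P<score>\S+) tag=(?P<tag>\S+) tag2=(?P<tag2>\S+) kill=(?P<kill>\S+)"
    r" tests=\[(?P<tests>[^\]]*)\]")


def header_value(headers, name):
    """Return the unfolded value of the first header called `name`, or None."""
    lines = headers.splitlines()
    for i, line in enumerate(lines):
        if line.lower().startswith(name.lower() + ":"):
            value = line.split(":", 1)[1].strip()
            for cont in lines[i + 1:]:  # RFC 5322 folding: continuation lines start with whitespace
                if cont[:1] not in (" ", "\t"):
                    break
                value += " " + cont.strip()
            return value
    return None


def parse_spam_status(value):
    """Parse an amavisd X-Spam-Status value into numbers.

    tag/tag2/kill are $sa_tag_level_deflt / $sa_tag2_level_deflt / $sa_kill_level_deflt;
    'x' means SpamAssassin never ran, which is what the virus quarantine shows."""
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)

    def num(text):
        return None if text == "x" else float(text)

    tests = {}
    for item in m.group("tests").split(","):
        name, _, score = item.strip().partition("=")
        if name:
            tests[name] = float(score)
    return {"flagged": m.group("flag") == "Yes", "score": num(m.group("score")),
            "tag": num(m.group("tag")), "tag2": num(m.group("tag2")), "kill": num(m.group("kill")),
            "tests": tests}


def classify(status, final_spam_destiny="D_PASS", sa_dsn_cutoff_level=10.0):
    """What amavisd does with a message, from its parsed X-Spam-Status and $final_spam_destiny.

    Returns {"category", "action", "delivered", "dsn_sent"}; dsn_sent is amavisd's own DSN."""
    score = status["score"]
    if score is None:
        return {"category": "NOT_SCANNED", "action": None, "delivered": None, "dsn_sent": False}
    if score < status["tag2"]:
        return {"category": "CLEAN", "action": "Passed", "delivered": True, "dsn_sent": False}
    if score < status["kill"]:
        # tagged (X-Spam-Flag: YES, subject tag) but below the kill level: always delivered
        return {"category": "SPAMMY", "action": "Passed", "delivered": True, "dsn_sent": False}
    # at or above the kill level: $final_spam_destiny decides
    if final_spam_destiny == "D_PASS":
        return {"category": "SPAM", "action": "Passed", "delivered": True, "dsn_sent": False}
    # D_BOUNCE sends a DSN to the (usually forged) sender unless the score reached
    # $sa_dsn_cutoff_level, in which case the log shows bounce.suppressed. D_DISCARD sends
    # nothing; D_REJECT sends nothing from amavisd, but in an after-queue setup like this one
    # the 5xx makes Postfix's smtp client generate the bounce instead.
    dsn = final_spam_destiny == "D_BOUNCE" and score < sa_dsn_cutoff_level
    return {"category": "SPAM", "action": "Blocked", "delivered": False, "dsn_sent": dsn}


if __name__ == "__main__":
    spam = parse_spam_status(header_value(SPAM_HEADERS, "X-Spam-Status"))
    for destiny in ("D_PASS", "D_BOUNCE", "D_DISCARD"):
        print(destiny, classify(spam, destiny))
```

The same function answers the homework below before you run it: with the GTUBE score of 1000.768, D_BOUNCE yields "Blocked SPAM" with dsn_sent False, because the score is above $sa_dsn_cutoff_level; only a message scoring between the kill level and 10 would produce a bounce.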
Tip: if you configure amavisd to block spam and set the kill level ($sa_kill_level_deflt) too low, a lot of legitimate mail will never reach its recipients. The tag level ($sa_tag_level_deflt) only adds X-Spam-* headers and tag2 ($sa_tag2_level_deflt) only marks the Subject; it is the kill level that triggers $final_spam_destiny. Blocked spam reports can be read in the postmaster mailbox.
5. Homework
Change the spam handling in amavisd.conf to
$final_spam_destiny = D_BOUNCE;
then repeat the spam test and compare the log with the one above. Two things to watch for: GTUBE scores well above $sa_dsn_cutoff_level (default 10), so amavisd suppresses the DSN and the log will show "Blocked SPAM" with DISCARD(bounce.suppressed) rather than a bounce; and for real spam D_BOUNCE sends non-delivery notices to sender addresses that are almost always forged (backscatter), which is why D_DISCARD is the usual choice on a production server.
This article is from the "月晴星飞" blog; please keep this attribution: http://ywzhou.blog.51cto.com/2785388/1591330
Postfix mail server (7): Testing Amavisd-new + SpamAssassin + ClamAV