4.clamav のインストール
#-- Install ClamAV: the clamd daemon, the clamav tools and the freshclam updater
# dnf install -y clamd clamav clamav-update
#-- Update the virus database
# freshclam
#-- Create the log directory, owned by the clamscan user that clamd runs as
#-- NOTE(review): 775 leaves the directory group-writable and world-readable;
#-- confirm which group "chown clamscan." assigns and whether 750 is enough here.
# mkdir /var/log/clamd
# chown clamscan. /var/log/clamd
# chmod 775 /var/log/clamd
#-- Create the clamd configuration file (the packaged file is kept as scan.conf.org)
#-- The here-document replaces scan.conf entirely, so only the directives below are set.
#-- clamd is given a local UNIX socket only (no TCP listener is configured) and runs as clamscan.
#-- LogFileMaxSize 0 removes the log size limit: rotate /var/log/clamd/clamd.log externally.
#-- StreamMaxLength 128M bounds how much data clamd accepts on a stream; MaxScanSize and
#-- MaxFileSize are not set here, so clamd's built-in limits still decide how much is scanned.
#-- NOTE(review): ArchiveBlockEncrypted was superseded by AlertEncrypted in later ClamAV
#-- releases; check clamd.conf(5) for the installed version.
# cp -p /etc/clamd.d/scan.conf{,.org}
# cat <<_EOL_>/etc/clamd.d/scan.conf
LogFile /var/log/clamd/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamd.scan/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd.scan/clamd.sock
FixStaleSocket yes
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamscan
ScanPE yes
ScanELF yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted yes
StreamMaxLength 128M
_EOL_
#-- Enable clamd (instance "scan") and the freshclam updater at boot, then start clamd
#-- Only clamd@scan is started here; clamav-freshclam is enabled but not started by these
#-- commands, so signature updates begin with the next boot unless it is started by hand.
# systemctl enable clamd@scan clamav-freshclam
# systemctl start clamd@scan
5. rspamd のインストール
#-- Mail domain used by the DKIM/ARC configuration and the DNS step below
# DOMAIN=sacloud.ma3ki.net
#-- Add the rspamd repository, then install rspamd and redis
#-- NOTE(review): the repo file is downloaded straight into /etc/yum.repos.d; read it and
#-- confirm it enables package signature checking (gpgcheck) before running dnf install.
# curl -L -o /etc/yum.repos.d/rspamd.repo https://rspamd.com/rpm-stable/centos-8/rspamd.repo
# dnf install -y rspamd redis
#-- rspamd configuration
#-- keys/ will hold the DKIM/ARC private key created in the DKIM step
# mkdir /etc/rspamd/local.d/keys
#-- Global options: filter list and maximum message size
#-- max_message (128Mb) matches StreamMaxLength (128M) in the clamd configuration
# cat <<'_EOL_'> /etc/rspamd/local.d/options.inc
filters = "chartable,dkim,spf,surbl,regexp,fuzzy_check";
check_all_filters = true;
max_message = 128Mb
_EOL_
#-- milter_headers: add only the Authentication-Results header
#-- (the longer header list is left commented out inside the file)
#-- NOTE(review): authenticated_headers presumably keeps this header for authenticated
#-- senders as well; confirm against the milter_headers module documentation.
# cat <<'_EOL_'> /etc/rspamd/local.d/milter_headers.conf
#use = ["x-spamd-result","x-rspamd-server","x-rspamd-queue-id","authentication-results","x-spam-level","x-virus"];
use = ["authentication-results"];
authenticated_headers = ["authentication-results"];
_EOL_
#-- Redis backend for rspamd: the local instance on 127.0.0.1 (no password is configured)
# cat <<_EOL_> /etc/rspamd/local.d/redis.conf
servers = "127.0.0.1";
_EOL_
#-- Actions: the reject and greylist thresholds are disabled (null); a message scoring
#-- 6 or more only gets a spam header. With this file the spam score alone never rejects
#-- mail; rejection comes only from modules that set it themselves (see antivirus.conf).
# cat <<'_EOL_'> /etc/rspamd/local.d/actions.conf
reject = null;
add_header = 6 ;
greylist = null;
_EOL_
#-- Turn the greylisting module off as well
# cat <<'_EOL_'> /etc/rspamd/local.d/greylist.conf
enabled = false
_EOL_
#-- Phishing module: enable the OpenPhish and PhishTank feeds
#-- NOTE(review): presumably rspamd downloads these feeds itself, so the host needs
#-- outbound access to the feed servers; confirm in the phishing module documentation.
# cat <<'_EOL_'> /etc/rspamd/local.d/phishing.conf
openphish_enabled = true;
phishtank_enabled = true;
_EOL_
#-- Antivirus module: scan through clamd's UNIX socket and reject messages it flags
#-- (symbol CLAM_VIRUS). The patterns block gives the EICAR test signature its own
#-- symbol, JUST_EICAR, which is handy for checking the whole chain with a test file.
# cat <<_EOL_> /etc/rspamd/local.d/antivirus.conf
clamav {
action = "reject";
type = "clamav";
servers = "/var/run/clamd.scan/clamd.sock";
symbol = "CLAM_VIRUS";
patterns {
#symbol_name = "pattern";
JUST_EICAR = "^Eicar-Test-Signature$";
}
}
_EOL_
#-- Add the rspamd service user to the clamscan and virusgroup groups
#-- NOTE(review): presumably this is what lets rspamd open /var/run/clamd.scan/clamd.sock;
#-- group membership is picked up when the rspamd service is (re)started.
# usermod -aG clamscan _rspamd
# usermod -aG virusgroup _rspamd
#-- URL reputation module: enabled, with the settings written out at the values the
#-- in-file comments describe as defaults. Reputation data is keyed in Redis under "Ur.".
# cat <<'_EOL_'> /etc/rspamd/local.d/url_reputation.conf
enabled = true;
# Key prefix for redis - default "Ur."
key_prefix = "Ur.";
# Symbols to insert - defaults as shown
symbols {
white = "URL_REPUTATION_WHITE";
black = "URL_REPUTATION_BLACK";
grey = "URL_REPUTATION_GREY";
neutral = "URL_REPUTATION_NEUTRAL";
}
# DKIM/DMARC/SPF allow symbols - defaults as shown
foreign_symbols {
dmarc = "DMARC_POLICY_ALLOW";
dkim = "R_DKIM_ALLOW";
spf = "R_SPF_ALLOW";
}
# SURBL metatags to ignore - default as shown
ignore_surbl = ["URIBL_BLOCKED", "DBL_PROHIBIT", "SURBL_BLOCKED"];
# Amount of samples required for scoring - default 5
threshold = 5;
#Maximum number of TLDs to update reputation on (default 1)
update_limit = 1;
# Maximum number of TLDs to query reputation on (default 100)
query_limit = 100;
# If true, try to find most 'relevant' URL (default true)
relevance = true;
_EOL_
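#-- DKIM setup
#-- rspamadm prints the private key followed by the DNS TXT record. The copy in /tmp is
#-- read again in the DNS step, so the path is kept, but both files are now created under
#-- umask 077 so the private key is never readable by other local users. umask does not
#-- tighten a file that already exists: make sure /tmp/${DOMAIN}.keys is absent first.
#-- NOTE(review): -b 1024 is a 1024-bit RSA key; RFC 8301 recommends at least 2048 bits.
#-- A longer key changes the PEM line count, so "head -16" and the sed extraction in the
#-- DNS step have to be adjusted together with it.
# ( umask 077; rspamadm dkim_keygen -d ${DOMAIN} -s default -b 1024 > /tmp/${DOMAIN}.keys )
# ( umask 077; head -16 /tmp/${DOMAIN}.keys > /etc/rspamd/local.d/keys/default.${DOMAIN}.key )
# chmod 600 /etc/rspamd/local.d/keys/default.${DOMAIN}.key
# chown _rspamd. /etc/rspamd/local.d/keys/default.${DOMAIN}.key
#-- Signing configuration. The delimiter is unquoted, so the shell expands ${DOMAIN};
#-- \$selector and \$domain are escaped to reach the file as literal rspamd variables.
#-- NOTE(review): allow_hdrfrom_mismatch = true appears to let mail be signed even when
#-- the header From domain differs from the envelope/authenticated domain; confirm this
#-- is wanted, since it widens what the server will sign.
# cat <<_EOL_> /etc/rspamd/local.d/dkim_signing.conf
allow_hdrfrom_mismatch = true;
sign_local = true;
use_esld = false;
try_fallback = true;
domain {
${DOMAIN} {
path = "/etc/rspamd/local.d/keys/\$selector.\$domain.key";
selector = "default";
}
}
sign_headers = '(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:(o)in-reply-to:(o)references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post';
_EOL_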
#-- ARCの設定
# cat <<_EOL_> /etc/rspamd/local.d/arc.conf
allow_hdrfrom_mismatch = true;
sign_local = true;
use_domain = "envelope";
use_esld = false;
try_fallback = true;
cat <<-_EOL_>> /etc/rspamd/local.d/arc.conf
domain {
${DOMAIN} {
path = "/etc/rspamd/local.d/keys/\$selector.\$domain.key";
selector = "default";
}
}
sign_headers = "(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:(o)in-reply-to:(o)references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature";
_EOL_
#-- Scan history stored in the local Redis under the key prefix "rs_history"
#-- subject_privacy = false keeps message subjects in the history as they are, so anyone
#-- who can log in to the web interface or read Redis can see them.
#-- NOTE(review): nrows presumably caps the number of history rows kept; confirm.
# cat <<_EOL_> /etc/rspamd/local.d/history_redis.conf
servers = 127.0.0.1:6379;
key_prefix = "rs_history";
nrows = 10000;
compress = true;
subject_privacy = false;
_EOL_
#-- MIME type checks: three tables keyed by file extension - risky attachment extensions,
#-- extensions considered risky inside archives, and extensions treated as archives.
#-- NOTE(review): the numbers look like per-extension scores (higher = more suspicious);
#-- confirm against the rspamd mime_types documentation before tuning them.
# cat <<_EOL_> /etc/rspamd/local.d/mime_types.conf
bad_extensions = {
ace = 4,
arj = 4,
bat = 2,
cab = 3,
com = 2,
exe = 1,
jar = 2,
lnk = 4,
scr = 4,
};
bad_archive_extensions = {
pptx = 0.1,
docx = 0.1,
xlsx = 0.1,
pdf = 0.1,
jar = 3,
js = 0.5,
vbs = 4,
};
archive_extensions = {
zip = 1,
arj = 1,
rar = 1,
ace = 1,
7z = 1,
cab = 1,
};
_EOL_
#-- Set the login password for the web interface
#-- HogeHoge is a placeholder: choose a strong, unique password before running this.
#-- Passing the password with -p puts it on the command line (process list, shell
#-- history); "rspamadm pw" without -p prompts for it instead.
#-- Only the hash printed by "rspamadm pw" is written to the file. The same hash is used
#-- for password (read access) and enable_password (privileged commands), so one
#-- credential grants full control of the controller.
#-- NOTE(review): the file is created with the default umask; consider restricting it so
#-- only root and the rspamd service user can read the hash.
# ROOT_PASSWORD=HogeHoge
# web_passwd=$(rspamadm pw -p ${ROOT_PASSWORD})
# cat <<_EOL_> /etc/rspamd/local.d/worker-controller.inc
password = "${web_passwd}";
enable_password = "${web_passwd}";
_EOL_
#-- Enable redis and rspamd at boot, then start both
# systemctl enable redis rspamd
# systemctl start redis rspamd
#-- Add the rspamd web interface to nginx
#-- Requests under /rspamd/ are proxied to the rspamd controller on 127.0.0.1:11334.
#-- nginx itself connects from 127.0.0.1, so the X-Forwarded-For header set below is what
#-- tells rspamd the real client address.
#-- NOTE(review): the rspamd controller can skip the password for addresses listed in
#-- secure_ip; check that trusting 127.0.0.1 does not open the UI to everyone who comes
#-- through this proxy, and keep the X-Forwarded-For line in place.
#-- NOTE(review): the https.d directory name suggests this file is included from the TLS
#-- server block only; confirm, since the login password travels over this path.
# mkdir -p /etc/nginx/conf.d/https.d
# cat <<'_EOL_' > /etc/nginx/conf.d/https.d/rspamd.conf
location ^~ /rspamd {
location /rspamd/ {
proxy_pass http://127.0.0.1:11334/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
_EOL_
6.DNSレコードの設定(2)
#-- Register the DKIM public key as a DNS TXT record (default._domainkey)
#-- The tr/sed pipeline joins the keygen output into one line and cuts out the TXT value
#-- between '( "' and '" )', merging the quoted part that starts with p=.
#-- NOTE(review): the second sed expression appears to assume the p= value sits in a
#-- single quoted string, as with the 1024-bit key generated above; re-check the result
#-- if the key size is changed.
#-- /tmp/${DOMAIN}.keys also contains the DKIM private key: delete it once the record
#-- has been registered.
# RECODE=$(cat /tmp/${DOMAIN}.keys | tr '\n' ' ' | sed -e 's/.*( "//' -e 's/".*"p=/p=/' -e 's/" ).*//')
# usacloud dns record-add -y --name default._domainkey --type TXT --value "${RECODE}" ${DOMAIN}
次の投稿ではLDAPサーバの 389 Directory Server をセットアップします。