OpenProtect: I've installed OpenProtect - what now?
"Fools rush in where Angels fear to tread"

Chronicles of a fool being educated

As of 10 February 2004 I installed OpenProtect on my Linux Internet server. Once done, the questions started. These chronicles are in the order I asked the questions or got the answers. It doesn't matter in exactly which order, but it would be more or less the order in which a fool who rushed in would ask them. These Q&As are without guarantee of any kind. If you use them and they cause trouble, remember that you followed the advice of a self-admitted fool.

Q1: Is OpenProtect safe?
A1: Do a search at Google (or any other search engine) for "openprotect" and see for yourself. It is widely listed on numerous Linux (and open source) sites. I could not find any mention of security hassles.

Q2: How does it actually work?
A2: The developers at OpenProtect wrote some software that automates the installation of a few other open source packages. This makes it easier for the average person to add more security features to his e-mail server. An MTA (mail transfer agent: Sendmail, Exim or similar) does two tasks at its core: it receives mail, and it delivers it. When adding protection, one lets the MTA deliver the mail first to the protection system, which does its scanning and then hands the appropriate mail back to the MTA for delivery to the intended mailbox. OpenProtect installed MailScanner on your server and made the required changes to your MTA so that the system works. More details at http://www.mailscanner.info. See http://www.fsl.com/MS-process.htm for a graphic description. MailScanner takes the mail, does some tests itself, passes it on to ClamAV and then to SpamAssassin to do their jobs. The result is passed to the MTA for final delivery.

Q3: How is this all configured?
A3: When running the OpenProtect installation script, you answered a number of questions. From these the MailScanner configuration file was compiled, which you can find at /etc/MailScanner/MailScanner.conf. You can read it with the Linux command "less /etc/MailScanner/MailScanner.conf". You'll learn a lot just by reading it.

Q4: I want to change something in the MailScanner configuration file - may I?
A4: Of course you may; it is your server. But take care to keep a backup copy of the original in case something goes wrong.

Q5: I've changed the /etc/MailScanner/MailScanner.conf file, but the changes don't seem to take effect. Must I restart something?
A5: Type "openprotect restart" to restart the MTA and the MailScanner filters so that your changes take effect.

Q6: I stopped my MTA and started it again. Now the mail doesn't get scanned. What is wrong? (This might be SuSE and Exim specific.)
A6: OpenProtect has its own startup script that should be used. Look in /etc/init.d; you will see the script for openprotect. So stop your MTA using the old script, and start everything with "openprotect start". Remember to update your rc3/rc5 startup directories as well. (Apparently this is due to a problem of OpenProtect not handling the SuSE setup correctly. It will most probably be fixed in the next release.)

Q7: I'm using Exim4 as MTA. Why do I now have two configuration files?
A7: Do a "ps ax" and you will notice you are actually running two instances of Exim. The first instance (".../exim/configure.in -bd") receives the e-mail from outside and delivers it to MailScanner. The second instance (".../exim/configure -q5m") receives the mail from MailScanner and delivers it to its final destination. If you make any changes to the configuration file, remember to change both.

Q8: A message that should not have been quarantined was. How do I recover the attachments and deliver them to the intended recipient?
A8: Be sure it was indeed a false positive, and be sure the recipient understands the risks. The attachments are stored in the directory indicated in the notice sent to the recipient. They are already decoded from Base-64 (or whatever other encoding was used). Open a mail client that can send attachments, and send them to the intended recipient.

Q9: My hard drive is filling up fast. Why?
A9: Possibly because of the potentially harmful attachments that are being quarantined. It is important to formulate a policy for how long quarantined attachments will be stored before they are deleted, and to communicate it to all users. Delete outdated quarantined files regularly.

Q10: ClamAV seems to do a great job of stopping viruses. Could I drop my vigilance on the workstations under my control?
A10: You could, but it would be very risky. Viruses and worms tend to spread primarily by e-mail at present, but they can be spread in many other ways as well. Drop your vigilance, and you might just be sorry!

Q11: I've not used OpenProtect long enough to have another question to ask.
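A small health check for the two-instance Exim setup described in Q7, written as an added example (it is not part of the original page nor of OpenProtect). If the queue-runner instance dies, mail still arrives and gets scanned but never leaves MailScanner, so it is worth checking that both processes are present. The function reads "ps ax" output from stdin, and the command-line shapes it looks for (".../exim/configure.in -bd" for the listener, ".../exim/configure -q<interval>" for the queue runner) are assumed from the description in A7.

```shell
#!/bin/sh
# Added example (not from the page or from OpenProtect): verify that both Exim
# instances from Q7 are running. Reads "ps ax" output on stdin so the logic can
# be exercised on captured output as well as on a live system.
# Assumed command lines (from A7): listener ".../exim/configure.in -bd",
# queue runner ".../exim/configure -q<interval>".
check_exim_instances() {
    listener=0
    runner=0
    while IFS= read -r line; do
        case "$line" in
            *exim*configure.in*-bd*) listener=1 ;;  # accepts mail from outside
            *exim*configure\ *-q*)   runner=1 ;;    # delivers what MailScanner releases
        esac
    done
    if [ "$listener" -eq 1 ] && [ "$runner" -eq 1 ]; then
        echo ok
        return 0
    elif [ "$listener" -eq 0 ] && [ "$runner" -eq 0 ]; then
        echo missing-both
        return 1
    elif [ "$listener" -eq 0 ]; then
        echo missing-listener
        return 1
    else
        echo missing-queue-runner
        return 1
    fi
}

# Live use: sh check_exim.sh --check   (equivalent to: ps ax | check_exim_instances)
if [ "${1:-}" = "--check" ]; then
    ps ax | check_exim_instances
fi
```

The non-zero return code on any missing instance makes it easy to drive from cron or a monitoring agent; the printed word tells you which half of the pipeline to restart with the openprotect script.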
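A9 asks you to set a retention period for quarantined files and delete outdated ones regularly. The script below is an added example of doing that from a daily cron job; it is not from the page or from MailScanner. The quarantine directory is passed in as a parameter because its location is an assumption here (check the quarantine directory setting in your MailScanner.conf), and the retention period is driven by file modification time rather than by the name of MailScanner's per-day subdirectories.

```shell
#!/bin/sh
# Added example (not from the page or from OpenProtect/MailScanner): enforce a
# quarantine retention policy as suggested in A9.
# Assumption: quarantined items live under the directory passed as DIR
# (often /var/spool/MailScanner/quarantine, but verify in MailScanner.conf).

# prune_quarantine DIR DAYS [dry]
#   Removes regular files under DIR last modified more than DAYS days ago,
#   then removes any per-day subdirectories left empty. With "dry" as the
#   third argument nothing is deleted; candidates are listed on stderr.
#   Prints the number of candidate files on stdout; returns 1 on bad input.
prune_quarantine() {
    dir=$1
    days=$2
    mode=${3:-delete}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    case "$days" in
        ''|*[!0-9]*) echo "DAYS must be a whole number, got: $days" >&2; return 1 ;;
    esac
    # -mtime +N selects files modified more than N*24 hours ago
    count=$(find "$dir" -type f -mtime +"$days" | wc -l | tr -d ' ')
    if [ "$mode" = dry ]; then
        find "$dir" -type f -mtime +"$days" -print >&2
    else
        find "$dir" -type f -mtime +"$days" -exec rm -f -- {} +
        # drop day directories that are now empty, never the top-level one
        find "$dir" -mindepth 1 -type d -empty -delete
    fi
    echo "$count"
}

# Direct use, e.g. from cron once a day (path is an assumption, see above):
#   sh prune_quarantine.sh /var/spool/MailScanner/quarantine 14
# Run with "dry" first to see what a given retention period would remove.
if [ $# -ge 2 ]; then
    prune_quarantine "$@"
fi
```

Run it in dry mode once with your intended retention period before scheduling it, and put the same number of days in the policy you communicate to users, since after that point a false positive can no longer be recovered as described in A8.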
