
Saturday, July 30, 2016

A brief walkthrough of fuglu, a mail scanner daemon

This is long overdue: I promised a good, dear friend that I would write a blog post about his Python mail scanner daemon, and today I finally found the spare time to review Fuglu. First, what is Fuglu?

Fuglu is a mail scanner daemon written in Python. Installed as a postfix before-queue or after-queue filter, fuglu can be used to filter spam, viruses, unwanted attachments, etc.

As I'm not a mail admin, this article will skip some mail-related features. Let's install fuglu by cloning it from the GitHub repository.

 $ git clone https://github.com/gryphius/fuglu.git  
 $ cd fuglu/fuglu  
 $ sudo python setup.py install  

If the installation is successful, we move on to the basic configuration by running fuglu --lint.

 root@localhost:/etc/fuglu# fuglu --lint  
 Could not drop privileges to nobody/nobody : Can not drop privileges, user nobody or group nobody does not exist  
 Fuglu 0.6.6-2-ge18e56b  
 ---------- LINT MODE ----------  
 Checking dependencies...  
 sqlalchemy: not installed Optional dependency, required if you want to enable any database lookups  
 BeautifulSoup: V4 installed  
 magic: not installed Optional dependency, without python-file or python-magic the attachment plugin's automatic file type detection will easily be fooled  
 Loading extensions...  
 fuglu.extensions.sql: disabled (sqlalchemy not installed)  
 Loading plugins...  
 Plugin loading complete  
 Linting main configuration  
 OK  
   
 Linting Plugin Archive Config section: ArchivePlugin  
 SuspectFilter file not found: /etc/fuglu/archive.regex  
 ERROR  
   
 Linting Plugin Attachment Blocker Config section: FiletypePlugin  
 python libmagic bindings (python-file or python-magic) not available. Will only do content-type checks, no real file analysis  
 ERROR  
   
 Linting Plugin Debugger Config section: debug  
 OK  
   
 Linting Plugin Plugin Skipper Config section: PluginSkipper  
 SuspectFilter file not found: /etc/fuglu/skipplugins.regex  
 ERROR  
 3 plugins reported errors.  
   
 WARNING:  
 Skipping logging configuration check because I could not switch to user 'nobody' earlier.  
 please re-run fuglu --lint as privileged user  
 (problems in the logging configuration could prevent the fuglu daemon from starting up)  
 root@localhost:/etc/fuglu#  

You should really fix the lint errors above before continuing, so that you have a good setup for the features that follow. The solution is different for each lint error, but in my case I did the following.

 root@localhost:/etc/fuglu# cp archive.regex.dist archive.regex  
 root@localhost:/etc/fuglu# cp fuglu_mrtg.cfg.dist fuglu_mrtg.cfg  
 root@localhost:/etc/fuglu# cp logging.conf.dist logging.conf  
 root@localhost:/etc/fuglu# cp skipplugins.regex.dist skipplugins.regex  
 root@localhost:/etc/fuglu# apt-get install python-sqlalchemy python-magic   
 root@localhost:/etc/fuglu# groupadd nobody  
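The lint output has a regular shape (a "Linting ..." header, optional messages, then OK or ERROR), so a deployment check can refuse to start the daemon while any section fails or the privilege drop did not happen. The following is an added example, not code from the original post or from the fuglu project; `parse_lint`, `lint_is_clean` and `SAMPLE_LINT` are hypothetical names, and the sample is abridged from the first lint run shown above.

```python
import re

# Constructed sample: abridged from the first `fuglu --lint` run on this page.
SAMPLE_LINT = """\
Could not drop privileges to nobody/nobody : Can not drop privileges, user nobody or group nobody does not exist
Fuglu 0.6.6-2-ge18e56b
Linting main configuration
OK
Linting Plugin Archive Config section: ArchivePlugin
SuspectFilter file not found: /etc/fuglu/archive.regex
ERROR
Linting Plugin Attachment Blocker Config section: FiletypePlugin
python libmagic bindings (python-file or python-magic) not available. Will only do content-type checks, no real file analysis
ERROR
Linting Plugin Debugger Config section: debug
OK
WARNING:
Skipping logging configuration check because I could not switch to user 'nobody' earlier.
"""

SECTION = re.compile(r"^Linting (?:main configuration|Plugin .+ Config section: (\S+))$")

def parse_lint(text):
    """Return (failed, findings): failed maps config section -> its messages,
    findings lists run-wide problems (privilege drop, skipped logging check)."""
    failed, findings = {}, []
    current, messages = None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            # A new section starts; the main configuration has no section name.
            current, messages = header.group(1) or "main", []
        elif current and line in ("OK", "ERROR"):
            if line == "ERROR":
                failed[current] = messages
            current = None
        elif current and line:
            messages.append(line)
        elif line.startswith("Could not drop privileges"):
            findings.append("privilege drop failed")
        elif line.startswith("Skipping logging configuration check"):
            findings.append("logging configuration not checked")
    return failed, findings

def lint_is_clean(text):
    failed, findings = parse_lint(text)
    return not failed and not findings
```

Feed it the captured output of `fuglu --lint` and treat a False result from `lint_is_clean` as a reason not to start the daemon.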

Run the fuglu lint command again.

 root@localhost:/etc/fuglu# fuglu --lint  
 Fuglu 0.6.6-2-ge18e56b  
 ---------- LINT MODE ----------  
 Checking dependencies...  
 sqlalchemy: installed  
 BeautifulSoup: V4 installed  
 magic: found python-file/libmagic bindings (http://www.darwinsys.com/file/)  
 Loading extensions...  
 fuglu.extensions.sql: enabled (available)  
 Loading plugins...  
 Plugin loading complete  
 Linting main configuration  
 OK  
   
 Linting Plugin Archive Config section: ArchivePlugin  
 OK  
   
 Linting Plugin Attachment Blocker Config section: FiletypePlugin  
 Found python-file/libmagic bindings (http://www.darwinsys.com/file/)  
 No database configured. Using per user/domain file configuration from /etc/fuglu/rules  
 rarfile library not found, RAR support disabled  
 Archive scan, available file extensions: ['z', 'zip']  
 OK  
   
 Linting Plugin Debugger Config section: debug  
 OK  
   
 Linting Plugin Plugin Skipper Config section: PluginSkipper  
 OK  
 0 plugins reported errors.  
   
 Checking logging configuration....  
 OK  

Perfect! Everything is OK. We are ready to move on. As for the fuglu postfix configuration, you can refer here. I will skip this for the aforementioned reason. To start fuglu, just run the command fuglu and it will run in the background. Pass -f if you want to quickly test it.

 root@localhost:~# fuglu  
 root@localhost:~#   
 root@localhost:~# tail -F /var/log/fuglu/fuglu.log  
 2016-06-23 20:44:15,178 root    : INFO FuGLU Version 0.6.6-2-ge18e56b starting up  
 2016-06-23 20:44:15,289 fuglu.MainController: INFO Init Stat Engine  
 2016-06-23 20:44:15,290 fuglu.MainController: INFO Init Threadpool  
 2016-06-23 20:44:15,290 fuglu.MainController: INFO Starting interface sockets...  
 2016-06-23 20:44:15,291 fuglu.MainController: INFO starting connector smtp/10025  
 2016-06-23 20:44:15,291 fuglu.incoming.10025: INFO SMTP (After Queue) Server running on port 10025  
 2016-06-23 20:44:15,291 fuglu.MainController: INFO starting connector smtp/10099  
 2016-06-23 20:44:15,292 fuglu.incoming.10099: INFO SMTP (After Queue) Server running on port 10099  
 2016-06-23 20:44:15,292 fuglu.MainController: INFO starting connector smtp/10888  
 2016-06-23 20:44:15,292 fuglu.incoming.10888: INFO SMTP (After Queue) Server running on port 10888  
 2016-06-23 20:44:15,293 fuglu.control.fuglu_control.sock: INFO Control/Info Server running on port /tmp/fuglu_control.sock  
 2016-06-23 20:44:15,293 fuglu.MainController: INFO Startup complete  

Started okay. Now let us print out some fuglu status.

 $ sudo fuglu_control stats  
 Fuglu statistics  
 ---------------  
 Uptime:          0:00:20.218391  
 Avg scan time:     0  
 Total msgs:     0  
 Ham:          0  
 Spam:          0  
 Virus:          0  
   
   
 $ sudo fuglu_control workerlist  
 Total 2 Threads  
   
 [1]: waiting for task  
 *******  
 [2]: waiting for task  

The response is fast, and the statistics are simple to understand. If you are a mail admin, I suggest you also set up fuglu so that the statistics can be plotted in mrtg. Fuglu supports mrtg natively; you can find out how here.

To take it a step further, a mail admin should really read the plugin page. It contains all the various goodies you will require, and if you want more, you can write your own plugin and integrate it into fuglu. You can read here for an example of how to write a plugin.

Last but not least, if you have questions, you can reach the author through many different channels. You can find them here.

If you are a mail admin, consider fuglu as your mail scanner daemon!