Avira AntiVir MailGate / Avira MailGate Suite User Manual
1 About this manual
1.1 Introduction
1.2 Structure of the manual
1.3 Characters and symbols

8 Service
8.1 FAQs
8.2 Support
8.3 Contact
1 About this manual

This chapter contains an overview of the structure and content of this manual. A brief introduction provides information on the following subjects:

• Structure of the manual
• Characters and symbols
• Abbreviations

1.1 Introduction

In this manual, we have compiled all of the information you need on Avira AntiVir MailGate and lead you step-by-step through the installation, configuration and use of the software.
1.3 Characters and symbols

The following characters and symbols are used in this manual:

Symbol  Meaning
        placed before a condition which must be fulfilled prior to performing an action.
        placed before a step which has to be completed.
        placed before an event resulting directly from the previous action.
        placed before an alert warning of critical data loss or hardware damage.
2 Product information

File transfer by email has become such a fixture of modern communications that it’s difficult to imagine life without it. However, emails often also transfer viruses and unwanted programs. Many of these viruses and programs are specially developed to attack Windows operating systems. UNIX systems are, however, exposed to the same danger, as malware is also transmitted by UNIX mail servers. Cyber attacks exploit this fact mercilessly to invade third-party networks.
A virus protection program can only provide reliable and effective protection if it is up-to-date. Use automatic updates to ensure that your Avira AntiVir MailGate is always up-to-date. This manual will explain how to proceed.

2.1 Features

Avira AntiVir MailGate supports a wide range of configuration settings which allow you to constantly monitor email traffic on your system.
2.2 Modules and functionality of Avira AntiVir MailGate

Avira AntiVir MailGate is an SMTP scanner which scans all incoming and outgoing emails (including attachments) on your UNIX mail server. The scan is performed extremely quickly and is easy to configure. As well as SMTP, Avira AntiVir MailGate also supports the Sendmail milter interface.
suspicious emails in the same directory, e.g. password-protected archives and fragmented emails. The rules for the spam filter are also defined in the same configuration file. Where necessary, the queue can be scanned with the queue manager avq. To find out how to scan the spool directory, go to Queue manager avq – Page 96.

Alerts: If viruses, unwanted programs or suspicious files are detected, the postmaster receives an email detailing the alerts.
After installation of an Avira AntiVir MailGate product, you can use the following command to display information on the current license:

    /usr/lib/AntiVir/mailgate/avlinfo

Change to the /usr/lib/AntiVir/mailgate directory and run:

    ./avlinfo

You can obtain further information by using the following command:

    avlinfo -h

2.
3 Milter mode

3.1 Overview

To start Avira AntiVir MailGate in milter mode, the following syntax is required (after installation of MailGate) for the ListenAddress option in avmailgate.conf:

    inet:port@{hostname|ip-address}

Example:

    inet:3333@localhost

- or -

    {unix|local}:/path/to/file

Example:

    unix:/path/to/file
    local:/path/to/file

3.2 Functions of Avira AntiVir MailGate (Milter mode)

Avira AntiVir MailGate (Milter mode) is a plug-in for Sendmail available from Version 8.
3.3.1 Requirements

Sendmail Version 8.11 or later with libmilter interface.

Otherwise:

Read the README file in the libmilter directory of the Sendmail kit (http://www.sendmail.org).
Compile the new version of Sendmail with the libmilter interface.

To check whether Sendmail has been compiled with the libmilter interface:

    sendmail -d0.10 < /dev/null | grep MILTER

3.3.
Add the relevant lines to the sendmail.mc file (commands beginning with INPUT must be on one line):

For Sendmail 8.11.x:

    define(`_FFR_MILTER', `true')
    INPUT_MAIL_FILTER(`avmilter',`S=inet:3333@localhost, F=R, T=S:2m;R:2m;E:10m')

For Sendmail 8.12.x:

    INPUT_MAIL_FILTER(`avmilter',`S=inet:3333@localhost, F=R, T=S:2m;R:2m;E:10m')

Generate the file sendmail.cf. Example:

    m4 sendmail.mc > /etc/mail/sendmail.
4 Installation

You can find the current version of Avira AntiVir MailGate on the Avira website. Avira AntiVir MailGate is available as a compressed archive. You can install the program on your system with the install script.

Requirements

To be able to install Avira AntiVir MailGate you must be logged on as root. An MTA (Sendmail, Postfix, Exim, Qmail etc.) must also be available on your system. Our support service, however, only deals with problems directly linked to Avira AntiVir MailGate.
4.1 Preparing installation files

Downloading program files from the Internet

Download the current files to your local computer from our website http://www.avira.com. The file name is antivir-mailgate-prof.tgz.

Copy the file into a directory of your choice (e.g. /tmp) on the computer on which Avira AntiVir MailGate is to be installed.
4.3 Installation with the “install” installation script

You can install Avira AntiVir MailGate automatically using the install script. To do this, the install script will complete the following steps:

• Check the integrity of the installation files.
• Check authorizations required for installation.
• Search for previously installed versions of Avira AntiVir MailGate on the computer.
• Copy the program file (and overwrite existing files that are no longer needed).
requests the license file path:

    copying install_list_mailgate to /usr/lib/AntiVir/mailgate ... done
    copying LICENSE to /usr/lib/AntiVir/mailgate/LICENSE-mailgate ... done
    1) installing AntiVir Core Components (Engine, Savapi and Avupdate)
    copying ...
    Enter the path to your key file []

Enter the license file path and press Enter.

    copying license key to /usr/lib/AntiVir/mailgate/license-mailgate.key...
The next queries relate to hosts handled as local, and those hosts which are allowed to relay emails via Avira AntiVir MailGate:

    Enter the hosts and/or domains that are local []:

When appropriate, change the host names and press Enter. The next query is displayed:

    Please enter the hosts and networks that are allowed to relay. When running MailGate in content filter mode (SMTP), the address suggested below will be sufficient.
Depending on your MTA, continue the installation as described in Other installation steps depending on the MTA – Page 19.

Avira AntiVir MailGate is installed under /usr/lib/AntiVir/mailgate. You can now start Avira AntiVir MailGate:

    /usr/lib/AntiVir/mailgate/avmailgate start

Warning: Modified binary files cannot start. For example, with prelink: either deactivate prelink, or enter /usr/lib/AntiVir/mailgate as an exception in the configuration file /etc/prelink.conf.
Reinstalling Avira AntiVir MailGate

The procedure is the same in all cases:

Change to the temporary directory in which you extracted Avira AntiVir MailGate, for example:

    cd /tmp/antivir-mailgate-prof-/

Enter:

    ./install

The installation script starts as described for the initial installation (Installing Avira AntiVir MailGate – Page 15).

Change the relevant settings during installation. Avira AntiVir MailGate is installed with the new settings.
Configuring Exim

Avira AntiVir MailGate runs with Exim Version 3.0 or higher. The following command enables you to find out which Exim version you are using:

    exim -bV

There are two options for integrating Avira AntiVir MailGate into Exim:

• Integration of Avira AntiVir MailGate as a content filter in Exim (recommended)
• Proxy mode

Content filter

Configuration of Avira AntiVir MailGate: Change (or add) the following entries in avmailgate.conf:

    ListenAddress 127.0.0.
Proxy mode

Configuration of Avira AntiVir MailGate: Change (or add) the following entries in avmailgate.conf:

    ListenAddress 0.0.0.0 port 25
    ForwardTo SMTP: 127.0.0.1 port 825

Restart Avira AntiVir MailGate.

Configuration of Exim: Change (or add) the following entries in exim.conf:

    daemon_smtp_port = 825

Restart Exim.

Configuring Qmail

A plugin is available in Qmail to enhance the integration of Avira AntiVir MailGate. Details are available from support@avira.com.
The second option involves setting up email delivery via port 825 on which Qmail should be enabled. This is achieved, e.g., with the aid of the file inetd.conf (see Qmail installation package).

Set up the email relay mode. In /etc/avira/avmailgate.conf, search for the following line:

    # Select how mail should be forwarded.
If you are using SuSE Mail Server II: Replace the entry

    #AllowSourceRouting NO

with the following:

    AllowSourceRouting YES

Close Avira AntiVir MailGate and then restart it:

    /etc/init.d/avmailgate restart

Add the following entry to /etc/postfix/master.cf:

    # For AntiVir maildaemon
    localhost:10025 inet n - n - - smtpd -o content_filter=

Ensure that the first symbol in the table is not a space or tab character.
    /etc/init.d/postfix reload

4.6 Testing Avira AntiVir MailGate after installation

After you have installed Avira AntiVir MailGate you should check it is functioning correctly. For this purpose you can use the Eicar test virus, which is detected by all virus scanners. The virus does not cause any damage, but triggers a program reaction when scanning the email if everything has been installed and configured correctly.
5 Configuration

You can adapt Avira AntiVir MailGate to ensure optimal performance on your system. Some settings are recommended during installation with the install script. You can change these settings at any time. This section takes you step-by-step through the configuration process. The following subject areas are covered:

• Avira AntiVir MailGate-Spool directories
• Avira AntiVir MailGate configuration in avmailgate.
configuration in avmailgate.conf – Page 26).

Spool directories

Spool files

The spool directory (default: /var/spool/avmailgate/) contains three sub-directories:

incoming: incoming emails which must be scanned.
outgoing: scanned emails which can be forwarded.
rejected: emails containing a virus or unwanted program or which have been classified as problematic (for example due to a MIME error).
5.2 Avira AntiVir MailGate configuration in avmailgate.conf

The configuration file avmailgate.conf contains numerous parameters for working with Avira AntiVir MailGate. If a parameter is not specified, the default value is used. Please note that not all parameters have a default value. Each option is a keyword, followed by whitespace and a value. The keywords are not case sensitive.

Value types

- Characters: a sequence of one or more characters.
You can use the following command

    ./avmailgate.bin --dump-config

to display the currently valid configuration values, excluding all existing comments in the configuration file and disabled configuration settings.

User, Group: User/Group

The user and group for Avira AntiVir MailGate processes (should not be root). If you change this parameter, you also have to change the value for User and Group in /etc/avira/avmailgate-scanner.conf (see Scanner configuration in avmailgate-scanner.
SpoolDir: Spool directory

During processing, emails are placed in the sub-directories incoming, rejected and outgoing. The default directory is created by the install script. If you change the option SpoolDir, you have to create the sub-directories incoming, outgoing and rejected yourself. The spool directory and the sub-directories incoming, outgoing and rejected must belong to the user and group specified in User, Group. Access must be restricted to this user (mode=700).
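The ownership and mode requirement for SpoolDir can be checked after a manual change of the option. The following is an added example, not part of the original manual or of Avira's tooling; the function names and the demo tree are constructed for illustration.

```python
import grp
import os
import pwd
import stat
import sys
import tempfile

SUBDIRS = ("incoming", "outgoing", "rejected")  # sub-directories the manual names


def check_spool(spool_dir, uid, gid):
    """Return (path, problem) tuples for SpoolDir and its three sub-directories."""
    findings = []
    for path in [spool_dir] + [os.path.join(spool_dir, d) for d in SUBDIRS]:
        try:
            st = os.lstat(path)  # lstat: a symlink must not pass as a directory
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((path, "not a directory"))
            continue
        if (st.st_uid, st.st_gid) != (uid, gid):
            findings.append((path, "owner %d:%d, expected %d:%d"
                             % (st.st_uid, st.st_gid, uid, gid)))
        mode = stat.S_IMODE(st.st_mode)
        if mode != 0o700:
            findings.append((path, "mode %04o, expected 0700" % mode))
    return findings


def build_demo_tree():
    """Constructed sample: 'outgoing' is world-readable, 'rejected' is absent."""
    root = tempfile.mkdtemp(prefix="avmailgate-spool-demo-")
    os.chmod(root, 0o700)
    for name, mode in (("incoming", 0o700), ("outgoing", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod explicitly so the umask cannot change the demo
    return root


if __name__ == "__main__":
    if len(sys.argv) == 4:  # arguments: SPOOLDIR USER GROUP (values from avmailgate.conf)
        target = sys.argv[1]
        uid = pwd.getpwnam(sys.argv[2]).pw_uid
        gid = grp.getgrnam(sys.argv[3]).gr_gid
    else:  # no arguments: run against the constructed demo tree
        target = build_demo_tree()
        demo_stat = os.lstat(target)
        uid, gid = demo_stat.st_uid, demo_stat.st_gid
    problems = check_spool(target, uid, gid)
    for path, problem in problems:
        print("%s: %s" % (path, problem))
    sys.exit(1 if problems else 0)
```

Run it with the SpoolDir path and the User and Group values from avmailgate.conf as arguments; a non-zero exit status means at least one directory deviates.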
MatchMailAddressForLocal: Check domain names

This option determines whether the domain names of RECIPIENT-, SENDER- or BOTH-addresses should be compared with the entries in the local: section of the file avmailgate.acl, before an email is accepted.

Syntax: MatchMailAddressForLocal "option"
        MatchMailAddressForLocal RECIPIENT | SENDER | BOTH
Example: MatchMailAddressForLocal RECIPIENT

For further information, refer to Host configuration in avmailgate.acl – Page 87.
Example: SyslogFacility local0
Default: SyslogFacility mail

LogFile: Log file

This option must contain the full path of the log file. Entries in the log file are also sent to syslog. If LogFile is set to NO (default setting), no log file is used. Entries are however still sent to syslog.

Syntax: LogFile "path"
Example: LogFile /var/log/avmailgate.
25), it can be configured with a particular network interface address.

Syntax for SMTP mode: ListenAddress "characters" port "number"
Syntax for milter mode: ListenAddress "characters":"number"@"characters"

The default value will only be accepted if IPv4 support is enabled. If you disable IPv4 support, you have to specify a valid IPv6 address here (see configuration option InetProtocols – Page 54).

Default: ListenAddress 0.0.0.0 port 25

Examples for SMTP mode:

    ListenAddress 192.168.5.
Syntax: SMTPTimeout "non-negative number"
Example: SMTPTimeout 60
Default: SMTPTimeout 300

EnableLegacyQuarantine

You can use this option to select which Quarantine Manager you want to use. Quarantine Manager Classic is the default:

    EnableLegacyQuarantine Yes

If you want to change to the new feature Quarantine Manager Advanced, change this parameter to:

    EnableLegacyQuarantine No

Further details on the Quarantine Manager can be found in Chapter 6.
The setting 0 disables this option, resulting in an unlimited number of recipients for an email.

Syntax: MaxRecipientsPerMessage "non-negative number"
Example: MaxRecipientsPerMessage 50
Default: MaxRecipientsPerMessage 100

RefuseEmptyMailFrom: Refuse emails without sender names (not in milter mode)

Some emails do not contain sender names. With the default setting NO the SMTP server accepts all incoming emails. This setting should not be changed.
If source routing is enabled, the email is sent to hostA, otherwise it is sent to hostC.

Syntax: InEnvelopeAddressesBangIs "option"
Example: InEnvelopeAddressesBangIs IGNORED | REFUSED | INTERPRETED
Default: InEnvelopeAddressesBangIs REFUSED

InEnvelopeAddressesPercentIs: Percentage signs in envelope addresses (not in milter mode)

If the parameter is set to REFUSED and the recipient address contains a percentage sign, the message is refused.
AcceptLooseDomainName NO

AddressFilter: Filter email addresses

This option enables or disables the address filter. If the setting is NO (default setting) the default installation does not use an address filter.

Syntax: AddressFilter "YES | NO"
Default: AddressFilter NO

You need the following files to use the address filter: /etc/avira/avmailgate.ignore and /etc/avira/avmailgate.scan

These files contain lines with email addresses and optionally the flags S/s (sender) and/or R/r (recipient).
/^virus@firm/ R is equivalent to /^virus@firm/.

When Avira AntiVir MailGate is started, log entries will be made which indicate whether the address filter is active or inactive:

    addressfilter is active table order is: ignore,scan

or

    addressfilter is not active

Assign recipient addresses to groups

To draw up detailed statistics on email traffic, it is useful to assign recipients to groups. This can be done either with the aid of an ActiveDirectory server or a simple text file.
The following description applies to the use of an ActiveDirectory server. If you have entered a text file in ActiveDirectoryServerURI, the following does not apply.

The list is ordered as follows:

• The list starts with the organizational units listed in the memberOf attribute of the ActiveDirectory record associated with the user. They are sorted alphabetically.
Default: ActiveDirectoryServerURI ldap://my.ad-server.com:389

A valid LDAP-URI for an ActiveDirectory server is established as follows:

Example: ActiveDirectoryServerURI /path/to/file

If you specify an absolute filename such as:

    ActiveDirectoryServerURI /etc/avira/avmailgate.groups

in this config option, no ActiveDirectory server is needed. A list of mappings from email addresses to group names is read from the given file instead. Multiple LDAP-URIs can also be specified.
If no ActiveDirectoryLogin is specified, Avira AntiVir MailGate will issue anonymous queries. If your ActiveDirectory server does not allow anonymous queries, however, the queries will fail.

ActiveDirectoryPassword

This option specifies the password for the ActiveDirectoryLogin.
ActiveDirectorySASLAuthMechanism

This option defines the authentication procedure for the ActiveDirectory server. Options are PLAIN and DIGEST-MD5.

Syntax: ActiveDirectorySASLAuthMechanism "option"
Default: ActiveDirectorySASLAuthMechanism PLAIN

The default setting PLAIN may constitute a security risk, because the authentication is then sent to the server as plaintext.
stored in the cache. In this way future queries can be processed faster.

Syntax: ActiveDirectoryCacheSize "non-negative number"
Example: ActiveDirectoryCacheSize 812
Default: ActiveDirectoryCacheSize 1024

There is a limit to the number of entries that can be stored. The cache capacity depends on the size of the RAM and the length of the search results.

ActiveDirectoryCacheTTL

This option establishes how long the LDAP queries should be stored in the cache.
Default: ActiveDirectoryGroupBlackList

The names of the organizational units are entered in a list in the form of Distinguished Names and separated by semi-colons.

Example: ActiveDirectoryGroupBlackList FirstDN; SecondDN

The listed organizational units are ignored by the recipient search. This makes it possible to exclude specific organizational units from database statistics. The ActiveDirectoryGroupBlackList settings are overridden by the ActiveDirectoryGroupWhiteList settings.
Default: RejectUnknownRecipients NO

The setting has no effect if ActiveDirectorySupport is disabled.

FilterTableOrder: Filter table scan sequence

This option can only be used when AddressFilter is enabled (AddressFilter YES).
SMTPMailFromTimeout "non-negative number"
Example: SMTPMailFromTimeout 100
Default: SMTPMailFromTimeout 300

SMTPRcptTimeout (not in milter mode)

This option defines the maximum timeout (in seconds) for a response to the command RCPT TO.
Syntax: SMTPDataPeriodTimeout "non-negative number"
Example: SMTPDataPeriodTimeout 100
Default: SMTPDataPeriodTimeout 600

MaxForwarders: Maximum number of forwarding processes (not in milter mode)

This option defines the maximum number of simultaneous forwarding processes. The optimal value depends on the efficiency of your email system and the quality of the email connection.
ForwardTo2

This option can be used to set up an alternate SMTP forwarding server which can be used if the primary forwarding server, defined by ForwardTo, fails.

Syntax: ForwardTo2 "characters"
Example: ForwardTo2 SMTP: smtp.example.com port 25

Avira AntiVir MailGate uses this setting when no connection to the primary forwarding server can be established, the status code 421 is received in response to an SMTP command or if no response is received within the specified time (Timeout).
MaxAttachments "non-negative number"
Example: MaxAttachments 50
Default: MaxAttachments 100

BlockSuspiciousMime: Block suspicious emails (MIME)

This option lets you block suspicious MIME emails. An email is classed as suspicious based on the MaxAttachments setting. (Default setting: NO).

Syntax: BlockSuspiciousMime "YES | NO"
Default: BlockSuspiciousMime NO

BlockFragmentedMessage: Block fragmented emails

This parameter is used to block fragmented emails.
Example: BlockExtensions exe;scr;pif

Each individual file extension should not exceed 120 characters.

ExposeRecipientAlerts: Send alerts to recipients of suspicious emails

You can send alerts relating to viruses and unwanted programs to the recipient. Possible values:

• NO: the recipient receives no virus alert.
• LOCAL: Alarm messages are only sent when the recipient is a local user in your domain. Set the option in avmailgate.acl to local. Note that local has no effect in milter mode.
AlertsUser: Alert recipients

Specifies the sender address of notification emails, if unwanted programs or viruses are detected.

Syntax: AlertsUser "characters"
Default: AlertsUser AvMailGate

Warning: If, during configuration of the InetProtocols you turn off IPv4 support, both ActiveDirectory and SNMP support are automatically disabled, as they are based on IPv4.
The setting SNMPSender is only active if SNMP notifications are enabled in Notification Mechanisms.

SNMPCommunity: SNMP Community

Applications that support SNMP can be grouped on the basis of community membership. Information on community membership is restricted to 255 characters.

Syntax: SNMPCommunity "characters"
Default: SNMPCommunity Avira

The setting SNMPCommunity is only active if SNMP notifications are enabled in Notification Mechanisms.
Please use the Postmaster configuration option to specify whom notifications should be sent to.

AddStatusInBody: Status information in the text of the email

You may insert additional information in the body of emails.

Syntax: AddStatusInBody "YES | NO"
        AddStatusInBody /path/to/file
Default: AddStatusInBody NO

If the setting is NO, no status information is inserted in the body of the emails.
Syntax: ForwardAllEmailAsMIME "YES | NO"
Default: ForwardAllEmailAsMIME NO

ScanInArchive: Scan archives

If the setting is NO, archives are not scanned for viruses and unwanted programs. If the setting is YES, all archived files are extracted and scanned. For this the settings in ArchiveMaxSize, ArchiveMaxRecursion and ArchiveMaxRatio apply.
rate. You can specify the maximum difference between the compressed and uncompressed file size. The setting 0 disables the option (not recommended). The default setting is 150.

Syntax: ArchiveMaxRatio "non-negative number"
Example: ArchiveMaxRatio 100
Default: ArchiveMaxRatio 150

ArchiveMaxRecursion: Maximum recursion depth in archives

If the setting is 0, recursive (nested) archives are extracted irrespective of their recursion depth.
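Several settings described so far carry a caution in the manual itself: User should not be root, ActiveDirectorySASLAuthMechanism PLAIN sends the authentication as plaintext, and ArchiveMaxRatio 0 is not recommended. The following added example, which is not part of the original manual or of Avira's tooling, parses an avmailgate.conf in the keyword/value format described in section 5.2 and reports those settings. The sample configuration is constructed; YES/NO values for ActiveDirectorySupport and last-occurrence-wins for repeated keywords are assumptions.

```python
import sys

# Defaults the manual states for the options audited below.
DEFAULTS = {
    "activedirectorysaslauthmechanism": "PLAIN",
    "archivemaxratio": "150",
}

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONF = """\
# constructed avmailgate.conf fragment
User root
activedirectorysupport YES
ActiveDirectoryServerURI ldap://ad.example.test:389
ScanInArchive YES
ArchiveMaxRatio 0
ArchiveMaxRecursion 20
"""


def parse_config(text):
    """Parse 'Keyword value' lines. Keywords are case-insensitive; lines starting
    with '#' are comments. Assumption: a repeated keyword overrides the earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(settings):
    """Return (option, finding) tuples for settings the manual itself cautions about."""
    def get(key):
        return settings.get(key, DEFAULTS.get(key, ""))

    findings = []
    if get("user").lower() == "root":
        findings.append(("User", "processes run as root; the manual says not to"))

    # PLAIN only matters when a real LDAP server is queried: an absolute file
    # path in ActiveDirectoryServerURI replaces the server with a text file.
    # Assumption: ActiveDirectorySupport takes YES/NO like the other switches.
    uses_server = (get("activedirectorysupport").upper() == "YES"
                   and not get("activedirectoryserveruri").startswith("/"))
    if uses_server and get("activedirectorysaslauthmechanism").upper() == "PLAIN":
        findings.append(("ActiveDirectorySASLAuthMechanism",
                         "PLAIN sends the authentication as plaintext"))

    if get("scaninarchive").upper() == "NO":
        findings.append(("ScanInArchive", "archives are not scanned"))
    for key, name, meaning in (
        ("archivemaxratio", "ArchiveMaxRatio", "ratio check disabled (not recommended)"),
        ("archivemaxrecursion", "ArchiveMaxRecursion", "unlimited recursion depth"),
    ):
        value = get(key)
        if value == "":
            continue  # option absent and no default taken from the manual
        if not value.isdigit():
            findings.append((name, "not a non-negative number: %r" % value))
        elif int(value) == 0:
            findings.append((name, meaning))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_CONF
    for option, finding in audit(parse_config(text)):
        print("%s: %s" % (option, finding))
```

Pass the path to avmailgate.conf as the only argument; without an argument the constructed sample is audited.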
Default: BlockEncryptedArchive NO

EncryptedEmailAction: Handling encrypted emails

Avira AntiVir MailGate can deal with encrypted emails in three different ways.

Syntax: EncryptedEmailAction "option"
Default: EncryptedEmailAction IGNORE

1. The email is delivered/forwarded without a log entry or notification (default).

    EncryptedEmailAction IGNORE

2. The email is delivered/forwarded and the postmaster is notified.

    EncryptedEmailAction NOTIFY_POSTMASTER

3. The email is classified as suspicious.
Warning: If you turn off IPv4 support, both ActiveDirectory support and SNMP support are automatically disabled, as these are based on IPv4. The following features of Avira AntiVir MailGate require IPv4: Milter mode, ActiveDirectory support and SNMP support.

Detecting other unwanted programs

As well as viruses, other harmful or unwanted software is described in avmailgate.conf.
HeuristicsMacro YES

HeuristicsLevel: Win32 heuristics

This option defines the detection level of Win32 heuristics. Permitted values are 0 (Off), 1 (Low), 2 (Medium) and 3 (High).

Syntax: HeuristicsLevel "non-negative number"
Example: HeuristicsLevel 1
Default: HeuristicsLevel 3

BlockOnError: Block emails in the case of scan errors

If the setting is YES, emails are blocked if an error occurs when scanning archives in the attachment or if the scan process is terminated by a timeout.
files manually from this directory. To remove all rejected emails you can use the following option (6.4 Quarantine management and the option AlertAction below):

    avmailgate.bin --avq --remove=all

QuarantineAlert: Place alert emails in quarantine (only in milter mode)

If both QuarantineAlert and RejectAlertMail are set to YES, emails containing an alert are rejected and placed in quarantine.
Default for all parameters is: 0

A maximum (HighFillLevel) and minimum (LowFillLevel) threshold value are defined for this purpose. As soon as the maximum value is reached, any other emails are rejected with a temporary error message (SMTP Code 452: insufficient system storage). Depending on the performance and load of the system, the number of emails might slightly exceed the given threshold.
PollPeriod 60

QueueLifetime: Storage time for emails in the queue (not in milter mode)

The maximum time an email spends in the queue before it is rejected. The value can be specified in seconds, minutes, hours or days. Examples: 10s, 10m, 10h, 10d.

Syntax: QueueLifetime "timespan"
Example: QueueLifetime 1h

The setting 0 disables this option.
ThrottleDelay (see the following example). It is important that no other emails are accepted while this option is enabled. These emails would not be processed immediately. This option should only be used on a temporary basis. The ThrottleDelay option must also be defined.
BounceMessageSizeBody 0

BounceMessageSizeHeader: Length of the bounce-email header (not in milter mode)

Defines the extent to which the original email header is reproduced by the bounce email (in bytes). The value 0 means there is no upper limit.
ScanTimeout: Maximum time for email scan

This option defines the maximum time for the email scan (in seconds).

Syntax: ScanTimeout "non-negative number"
Example: ScanTimeout 100
Default: ScanTimeout 300

ExternalProgram: Execute an external program or script if a virus/unwanted program is discovered

Accesses an external program or script if a virus/unwanted program is detected. The parameter is the ID of the rejected email (see Avira AntiVir MailGate-Spool directories – Page 24).
AddPrecedenceHeader "YES | NO | custom text"
Default: AddPrecedenceHeader NO

AddHeaderToNotice: Add email header for postmaster

You can include the header of a rejected email in the alert message sent to the postmaster. Possible values are YES and NO.

Syntax: AddHeaderToNotice "YES | NO"
Default: AddHeaderToNotice YES

GUISupport: Enabling GUI support

This option must be enabled to ensure Avira AntiVir MailGate can communicate with the SMC-GUI.
Syntax: OpenMax "non-negative number"
Example: OpenMax 1
Default: OpenMax 0

5.2.1 Database support

Since version 3.1.0, Avira AntiVir MailGate supports the logging of statistics to a database. For details on how to set up the database and other requirements, see Setup below.

The database consists of two tables, called alerts and counter. The alerts table contains information about each blocked alert. This means that each alert is logged even if it occurred in the same mail.
For 64-bit machines you should make sure that the ODBC connector is a 32-bit shared object. For details about how to set up database support in Avira AntiVir MailGate on a 64-bit machine, see the file README.db-support-SLES10-SP2-64bit. This file contains an example setup for ODBC on SuSE Linux Enterprise 10 SP2.

1. Set up the database

If you haven't already set up a user with access rights to the database, you should set one up now.
If you want to configure the odbc.ini path from the Avira Security Manager Center (SMC), please note that it is not possible to define the file via the SMC GUI. You may copy the path manually to the client, for example with the help of SCP or WinSCP, or you may use the file copy function of the SMC. Please make sure that the file has the appropriate write permission.
If successful, the tool will print the following:

    $ /usr/lib/AntiVir/mailgate/gui/bin/avmg_stats -S
    Using these settings:
    ODBC ini:
    ODBC library: libodbc.so.1
    ODBC source: MailGate
    Preparing connection ... => OK
    Connecting ... => OK
    Disconnecting ... => OK
    Successfully verified database connectivity!
    ...
The first line of the resulting list contains the column names. All other lines are the table's rows. The results are not sorted.

Example:

Print the "alerts" table:

    # /usr/lib/AntiVir/mailgate/gui/bin/avmg_stats -o csv

Print the "counter" table:

    # /usr/lib/AntiVir/mailgate/gui/bin/avmg_stats -o csv -t counter

CSV separator: Specify a field separator using one character:

    -o csv:s

You must quote the separator for it to be interpreted by the shell.
the database.

Column  Description
id      This column has no special meaning. It's just an auto-incremented number.
        The reason why the mail was blocked.
Column    Description
filename  The name of the file in which the alert was found. Depends on reason:
          Alert - file name of the file which caused the alert
          All other reasons - column contains ""
          Note: The file name is limited to 100 characters. If truncated, the file name gets " ..." appended.
action    Contains only quarantined at the moment.
source    The sender's mail address (limited to 40 characters).

Further columns: alerturl, missed, product, rcpt, vdf, engine, hostname
Column  Description
ou      If ActiveDirectorySupport is activated and a group look-up has been processed, the found value will be added to this column.
date    The date and time the statistics daemon received the alert information. Date and time are the values received from localtime_r(). The format is YYYY-MM-DD HH:MM:SS. See "Date notes" for details on storing the date.

Counter table description

The rows in the counter table are written periodically. The default setting is every completed hour.
Column       Description
unsupported  Count of mails which contained an unsupported compression method
             Count of mails with encrypted attachments
             Count of mails with a file attached whose file name contains a forbidden extension
             Count of mails which reached an archive limit while processing
             Unused (0)
             The product's name "MailGate"
             If ActiveDirectorySupport is activated and a group look-up has been processed, the found organizational units with their counts of processed emails are listed here
             The v
and "Alerttype+Counter.ods" in the "doc" directory. These files can be used to add a database to OpenOffice and to receive information currently stored in the database.

MailGate.odb contains database information:

• An ODBC data source is used (called "MailGate")
• The username and password is "mailgate"

Additionally the file contains a macro which automatically registers the database in OpenOffice. See Macro for details. (This works only for OpenOffice 3.1 or later).

Alerttype+Counter.
***** BASIC *****
' The purpose of this macro is to register a database if it isn't already registered.
' The macro is linked to the "Open Document" event.
' This means it is always executed when opening the document.
Sub Main
    Dim DatabaseName as String
    Dim DatabaseCtx as Object
    DatabaseName = "MailGate"
    ' Get context to access datasource
    DatabaseCtx = CreateUnoService("com.sun.star.sdb.DatabaseContext")
    ' Check if database is already registered
    If not DatabaseCtx.
2. Start OpenOffice
3. Ignore the warning about macro security
4. Add the database manually:
   Tools -> Options
   OpenOffice.org Base -> Databases
   New
   Browse for "MailGate.odb"
   OK
   OK
5. Continue with "6." in the section below

OpenOffice 3.1
This section describes how to use the OpenOffice files with OpenOffice 3.1.
1. Copy "MailGate.odb" from the package to your hard disk (the file must exist if you want to use "Alerttype+Counter.ods" in the future).
2.
Configuration Right-click into the data you'd like to refresh (one of the cells: A3,D3,G3) (Enter username and password for the database if asked) Choose "Refresh" If there's data available in the database, you should see some counters or even alert types in "alerttype" if a mail was quarantined since Avira AntiVir MailGate with database support was started. The counter charts are updated automatically if any of the counters change.
Configuration If you are using DBSupport together with exceptions for the SpamFilter ( SpamFilterExceptions) it could happen that the entries in the database look inconsistent. If a single email has different sender or recipient addresses or its sender/recipient is not available in SpamFilterExceptions, the email will be multiplied.
Syntax: DBUpdateDelay "timespan"
Default: DBUpdateDelay 1h

DBStoreAlertsForEachRecipient
If this option is enabled, there will be one row in the alerts table for each recipient of an email. If it is disabled, there will be only one row per email which will mention the first recipient.
Default: only write one row per email to the alerts table.
Syntax: EnableSpamCheck "YES | NO"
Default: EnableSpamCheck NO

SpamAction
Defines an action for spam emails: BLOCK, TAG, NONE.
Syntax: SpamAction "option"
• TAG adds a header line to the email. Example:
  X-AntiVirus-Spam-Check: clean (checked by Avira MailGate: version: 3.2.1.16; spam filter version: 3.2.0/2.3; host: host.your.site)
• BLOCK moves the email to the rejected directory.
• NONE disables all actions for spam emails.
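A downstream filter that acts on the TAG header has to parse the format shown above and decide which header instance it accepts. The following is an added example, not code from Avira: the function names, the constructed sample messages and the policy of accepting exactly one tag whose host field names your own gateway are assumptions. The header name is a parameter because it can be changed with SpamHeaderName.

```python
import re
from email import message_from_string

DEFAULT_HEADER = "X-AntiVirus-Spam-Check"  # default SpamHeaderName

# Constructed sample messages. The tag text follows the format shown in the
# manual; the second header in DOUBLE is a sender-supplied copy added here.
TAG = ("X-AntiVirus-Spam-Check: spam (checked by Avira MailGate: version: 3.2.1.16;\n"
       " spam filter version: 3.2.0/2.3; host: host.your.site)\n")
BODY = "From: a@example.org\nSubject: test\n\nhello\n"
TAGGED = TAG + BODY
DOUBLE = TAG + "X-AntiVirus-Spam-Check: clean (checked by Avira MailGate: host: x)\n" + BODY

_TAG_RE = re.compile(
    r"(?P<verdict>\S+) \(checked by (?P<product>[^:]+): (?P<fields>.*)\)")


def parse_tag(value):
    """Split one header value into verdict, product and 'key: value' fields."""
    value = " ".join(value.split())          # undo header folding
    match = _TAG_RE.fullmatch(value)
    if match is None:
        return None
    tag = {"verdict": match.group("verdict").lower(),
           "product": match.group("product").strip()}
    for part in match.group("fields").split(";"):
        key, sep, val = part.partition(":")
        if sep:
            tag[key.strip()] = val.strip()
    return tag


def spam_verdict(raw_message, gateway_host, header=DEFAULT_HEADER):
    """Return the verdict, 'untagged', or 'review' when the tag is not usable.

    Assumed policy: accept only a single, parseable tag whose host field
    equals gateway_host; anything else goes to manual review.
    """
    values = message_from_string(raw_message).get_all(header, [])
    if not values:
        return "untagged"
    tags = [parse_tag(v) for v in values]
    if len(tags) != 1 or tags[0] is None or tags[0].get("host") != gateway_host:
        return "review"
    return tags[0]["verdict"]


if __name__ == "__main__":
    print(spam_verdict(TAGGED, "host.your.site"))   # single tag from our host
    print(spam_verdict(DOUBLE, "host.your.site"))   # two tags present
```
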
• NONE disables all actions for dangerous attachments.
Default: DangerousAttachmentAction TAG

DangerousIFrameAction
Performs the specified action if a dangerous IFRAME is discovered. Valid options are TAG, BLOCK and NONE.
Syntax: DangerousIFrameAction "option"
• TAG adds a header line to the email. Example:
  X-AntiVirus-Spam-Check: clean (checked by Avira MailGate: version: 3.2.1.16; spam filter version: 3.2.0/2.3; host: host.your.
LibAsmailgate
Specifies the path to the spam filter library.
Syntax: LibAsmailgate "path"
Default: LibAsmailgate /usr/lib/AntiVir/mailgate/libasmailgate.so

SpamHeaderName
Specifies the spam header to be added to the email header. Only the beginning of the text can be changed (X-AntiVirus-Spam-Check).
Syntax: SpamHeaderName "characters"
Default: SpamHeaderName X-AntiVirus-Spam-Check
Result: X-AntiVirus-Spam-Check: spam (checked by Avira MailGate: version: 3.2.
Configuration Actions have priority over spam filter settings in avmailgate.conf (with the exception of blacklists/whitelists).
Configuration SpamFilter DetectGTUBE SpamFilterDetectGTUBE The GTUBE test string can be used to test the integrated spam filter. You can find this string and a complete RFC-822 email at: http://spamassassin.apache.org/gtube/ An email containing this string should be classified as spam by spam filters. Simply copy the string into the text of the message and send it via Avira AntiVir MailGate. The spam filter is working correctly if you receive the following message: ...
SpamFilterServiceMaxSessions 50

SpamFilterHandleBulkADVLikeSpam
You can use this option to classify junk mail as spam.
Syntax: SpamFilterHandleBulkADVLikeSpam "YES | NO"
Default: SpamFilterHandleBulkADVLikeSpam NO

SpamFilterHandleBulkPornLikeSpam
You can use this option to classify emails with pornographic content as spam.
Configuration introduced: avmailgate-scanner.conf. This file contains special configuration options for the new Scanner backend. The options in this file need to be changed only in a few exceptional cases. User Group User, Group If you change one of these options, you must ensure that the files avmailgatescanner.conf and avmailgate.conf contain identical values for these options. You must also adapt avmailgate-scanner.conf if you have updated from an earlier MailGate version (< 3.0.
ListenAddress unix:/var/run/avmailgate/scanner
ScannerListenAddress /var/run/avmailgate/scanner

PoolScanners
A pool of scanners is used to ensure scans are performed more efficiently. The PoolScanners option defines the size of this pool. Please note, however, that too many scanners may overload the computer, whilst too few cause longer waiting times for the applications.
Configuration The directory in which the scanner places temporary files, e.g. extracted archives or blocked files. The Scanner backend does not recognize the environment variable “TMPDIR”. If all Avira AntiVir MailGate components are using a common temporary directory, change the options TemporaryDir in /etc/avira/avmailgate.conf and ScanTemp in avmailgate-scanner.conf. Default: ScanTemp /var/tmp LogFileName LogFileName The path of the Scanner log file. LogFileName /path/to/logfile 5.
Example for /etc/avira/avmailgate.acl:

# Access lists for AVIRA MailGate
# These hosts and/or domains are local.
local: localhost 127.0.0.1
local: avira.com
# These hosts and networks are allowed to relay.
relay: 127.0.0.1/8 192.168.0.0/16

If you enable only IPv6 support using the option InetProtocols, you have to specify IPv6 addresses for the ListenAddress and ForwardTo options, as well as in the avmailgate.acl file.

5.6 Configuration of warnings in avmailgate.
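The relay list in avmailgate.acl decides which hosts may relay through the gateway, so it is worth checking mechanically after every edit. The following is an added example, not part of the Avira package: it parses the "keyword: entry entry" layout shown in the avmailgate.acl example above and reports relay entries that match every address, fall outside internal ranges, or carry host bits (as 127.0.0.1/8 does). The function names, the list of internal ranges and the extra over-broad sample line are assumptions.

```python
import ipaddress

# Constructed sample: the manual's avmailgate.acl example plus one
# deliberately over-broad relay line added for this illustration.
SAMPLE_ACL = """\
# Access lists for AVIRA MailGate
# These hosts and/or domains are local.
local: localhost 127.0.0.1
local: avira.com
# These hosts and networks are allowed to relay.
relay: 127.0.0.1/8 192.168.0.0/16
relay: 0.0.0.0/0 mail.example.net
"""

# Ranges this audit treats as internal (an assumption; adjust to your site).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]


def parse_acl(text):
    """Return {keyword: [entries]} for 'keyword: entry entry ...' lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: missing 'keyword:' prefix")
        entries.setdefault(key.strip().lower(), []).extend(rest.split())
    return entries


def is_internal(net):
    """True if net lies completely inside one of the INTERNAL ranges."""
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)


def audit_relay(entries):
    """Return (entry, level, message) findings for the relay list."""
    findings = []
    for token in entries.get("relay", []):
        try:
            iface = ipaddress.ip_interface(token)
        except ValueError:
            findings.append((token, "info", "host or domain name, review by hand"))
            continue
        net = iface.network
        if net.prefixlen == 0:
            findings.append((token, "high", "matches every address"))
        elif not is_internal(net):
            findings.append((token, "warn", f"{net} is outside the internal ranges"))
        elif iface.ip != net.network_address:
            findings.append((token, "info", f"host bits set, effective network {net}"))
    return findings


if __name__ == "__main__":
    for entry, level, message in audit_relay(parse_acl(SAMPLE_ACL)):
        print(f"{level:5} {entry}: {message}")
```
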
Configuration Keywords Change the directory in /usr/lib/AntiVir/mailgate/templates. This directory contains the following files: patho-administrator patho-recipient patho-sender alert-administrator alert-recipient alert-sender Type the required texts into the abovementioned files. Retain the structure of the file: - The first line is the subject of the email. - This is followed by an empty line (new line). - The conclusion forms the text of the email.
Configuration SUBJECT: AntiVir ALERT [Your email: “SUBJECT”] **********************AntiVir ALERT******************* AntiVir has discovered the following viruses/unwanted programs in an email with your sender address:: ALERTS The email has not been sent and has been isolated on your server. Check your system immediately for a possible virus infection. Clean your system before you send any more email messages. 5.8 Updater configuration in avupdate-mailgate.
Configuration Creating email update reports All reports on Avira AntiVir MailGate updates are sent to the email addresses specified in avupdate-mailgate.conf: mailer The reports can be sent via smtp or via sendmail: Default: mailer=smtp smtp... notify-when Authentication of the smtp connection. Enable the auth-method option and specify the smtp server, the port, the user and the password.
Configuration have to provide them in the command line: intranet-srvs Specifies a comma separated list of Avira IUM servers. product-root Specifies the root of the update on the IUM server (set to /update). intranet Specifies that the update will be made from the intranet rather than from the Internet.
Operation 6 Operation After completing installation and configuration and after starting Avira AntiVir MailGate, the program ensures that your system is constantly monitored. In the course of the usage process, occasional changes to the configuration may be required. The Chapter Configuration – Page 24 contains explanations relating to this. In some cases, it is necessary to operate Avira AntiVir MailGate manually or to manually process the files filtered by Avira AntiVir MailGate.
Starting Avira AntiVir MailGate
Enter the following:
/usr/lib/AntiVir/mailgate/avmailgate start
The program is started with the following message:
Starting AVIRA AntiVir MailGate...
Starting savapi

Stopping Avira AntiVir MailGate
Enter the following:
/usr/lib/AntiVir/mailgate/avmailgate stop
The program is stopped with the following message:
Stopping AVIRA AntiVir MailGate...
Stopping: avmailgate.bin
Shutting down Avira MailGate...
6.2 Parameters for the SMTP and Scanner daemon
The following tables describe the possible command line parameters which override the settings in avmailgate.conf.
Syntax:
avmailgate.bin [ -V | --version ] [ -C config file ] [ -A ACL file ] [ -p milter listen address ] [ --start ] [ --stop ] [ --status ] [ --avq ] [ --dump-config ] [ --test-activedirectory ] [ --runtime-versions ] [ --rebuild-quarantine-db ] [ -D debug level ]
Parameters for avmailgate.
Operation Parameter Description --test-activedirectory Verifies the configuration settings that are related to the ActiveDirectorySupport. This option tests the ActiveDirectory server connection, runs a query for a given email address and prints a list of the related organizational units. Errors will be reported on stdout and to the log files. Use this command to troubleshoot Avira AntiVir MailGate’s ActiveDirectorySupport.
Operation The list can be controlled with the aid of the following parameters for --avq (further parameters can be found in the Help, which you can access with --avq --help). If no command is given, the content of the "rejected" queue will be listed. The following parameters control the list: Parameter Description --queue=incoming The emails in the “incoming” queue are listed. --queue=outgoing The emails in the “outgoing” queue are listed.
Operation 6.4 Quarantine management Avira AntiVir MailGate provides two different quarantine managers: the original Quarantine Manager Classic and the more recent Quarantine Manager Advanced. Only one of these managers can be used at a time, enabling one disables the other. Warning: The two quarantine managers are not compatible. In consequence, emails sent to quarantine by one quarantine manager cannot be converted to the format of the other quarantine manager. 6.4.
Operation The list can be controlled with the aid of the following parameters for --avq (further parameters can be found in the Help, which you can access with --avq --help). The following parameters control the list: Parameter Description --list=all All queues are listed. --nosort Disables the sorting. The emails in the queue are by default sorted according to date (according to the timestamp of the waiting file): the most recent email takes the last position.
Operation You can control the delete process using the following parameters: Parameter Description --remove= Deletes the email with the specified ID. --remove=all Deletes all emails. The user is prompted to confirm the action: # ./avmailgate.bin --avq --remove=all All mails in the directory “/var/spool/ avmailgate/rejected/” will be deleted.
Operation The Quarantine Manager Advanced is not available in milter mode. The syntax for calling the Quarantine Management Tool is as follows: # avqmc-mgt [ARGUMENTS] [COMMANDS] [COMMANDS ARGUMENTS] 6.4.3 Functions of the quarantine tool avqmc-mgt The following arguments are available: avqmc-mgt[ -f ] [ -m ] [ -h, --help ] [--print-alert-types] [-u ] [ --version ] [ --force-root ] Argument Description -f Will execute a command, e.g. deliver, immediately.
Operation Command/argument Description list Displays a list of quarantined emails. view Displays the email with the specified ID. count Displays the number of quarantined emails. delete all Deletes all emails from quarantine. delete Deletes the email with the specified ID. delete Deletes emails quarantined at a certain date and time or during a specified period. reprocess Sends an email to be reprocessed with Avira AntiVir MailGate.
Operation to the time log of the email in quarantine. The queue ID is static and linked to a specific email. ID: 62 Queue ID: 16113-Gw2lMB In addition, the date and time at which an email was moved to quarantine is displayed, as well as the basic data of the email (sender, recipient, subject, send date and message ID) and the scan result. The reason why the email was placed in quarantine is specified (Alert).
Operation to display the number of emails placed in quarantine. Deleting emails placed in quarantine There are various options for deleting emails placed in quarantine. To delete all emails from quarantine, use the command avqmc-mgt delete all If you want to delete a specific email, you can enter the following command: avqmc-mgt delete Use the appropriate database or queue ID. You can also delete an email based on the quarantine date.
Operation In this way, all emails placed in quarantine between 21.10.2010 at 08:30 hrs and 24.10.2010 at 22:30 hrs are deleted. If there are no problems executing the command, you will receive a confirmation to that effect in the command line. Rescanning emails placed in quarantine The command avqmc-mgt reprocess e.g. avqmc-mgt reprocess 62 or reprocess 16113-Gw2lMB sends an email to be reprocessed with Avira AntiVir MailGate.
Operation Example for a search based on a specific alert type: avqmc-mgt search alert-type=virus Example for a search based on a specific alert name: avqmc-mgt search alert-name=Eicar In addition ? can be used as a wildcard for a symbol, e.g.
Operation 6.5 Procedures for identifying viruses or unwanted programs If you have configured Avira AntiVir MailGate correctly, all important anti-virus tasks are performed automatically in your system: Infected emails are not forwarded. Infected emails are moved to /var/spool/avmailgate/rejected (or to another directory specified in avmailgate.conf), which contains the data file (df-) and the control file (vf- or mf-).
Updates 7 Updates The Avira Updater lets you update the Avira software on your computer using Avira update servers. The program can be configured either by editing the configuration file (see 5.8 Updater configuration in avupdate-mailgate.conf) or via parameters in the command line. We recommend that you execute the Updater as root.
UNIX documentation.
To manually define or change the settings for automatic updates in the cron configuration:
Add the required entry to the file /etc/cron.d/avira_updater or edit it (see the following example).
Example: To perform the update hourly (always at *:23), enter the following command:
23 * * * * root /usr/lib/AntiVir/mailgate/avupdate-mailgate --product=[Product]
You can enter the following as the [Product]:
• Scanner - (recommended) the Scanner is updated.
8 Service
8.1 FAQs
8.1.1 How to watch for SNMP traps on Debian 5
1.) Install the snmpd package:
$ apt-get install snmpd
2.) Copy the MIB files from the Avira AntiVir MailGate package to /usr/share/snmp/mibs:
$ cp antivir-mailgate-prof-/etc/AVIRA-*-MIB.txt /usr/share/snmp/mibs
3.) Configure snmpd in such a way that the Avira AntiVir MailGate MIB files are read:
$ echo "+mibs AVIRA-MIB" >> /etc/snmp/snmp.conf
$ echo "+mibs AVIRA-MAILGATE-V0-MIB" >> /etc/snmp/snmp.conf
4.
#!/bin/bash
# Trap handler for snmptrapd: the first two input lines are the sending
# host name and its address, followed by one "OID value" pair per line.
read -r host
read -r ip
vars=
name=
klass=
qid=
# Pick the malware name, its class and the queue item ID out of the varbinds.
while read -r oid val
do
    if [ "$oid" = "AVIRA-MAILGATE-V0-MIB::mgtMalwareName.0" ]
    then
        name=$val
    fi
    if [ "$oid" = "AVIRA-MAILGATE-V0-MIB::mgtMalwareClass.0" ]
    then
        klass=$val
    fi
    if [ "$oid" = "AVIRA-MAILGATE-V0-MIB::mgtQueueItemID.0" ]
    then
        qid=$val
    fi
done
echo "MailGate found $name (classification: $klass) in $qid"

5.) Run snmptrapd -f and wait for Avira AntiVir MailGate to send the mgtAlert trap.
Service at http://forum.avira.com/. Please also read the FAQs section on our website. Your question may already have been asked and answered by other users in this section. Email support Email support You can obtain support by email from support@avira.
Service 8.3 Contact Address Avira GmbH Kaplaneiweg 1 D-88069 Tettnang Germany Internet You can find further information about us and our products at http://www.avira.com.
9 Appendix
9.1 Sent SNMP traps
mgtUp: Avira AntiVir MailGate has been started.
mgtDown: Avira AntiVir MailGate has been stopped.
mgtSmtpServerDown: The SMTP server (avgated) has unexpectedly closed, i.e. it has been shut down by a signal or closed with an exit code other than 0.
mgtSmtpSessionDown: An SMTP session has unexpectedly closed, i.e. it has been shut down by a signal or closed with an exit code other than 0. Transmitted parameters: The exit code and the received signal.
mgtQuarantineDaemonDown: The Quarantine Daemon has unexpectedly closed, i.e. it has been shut down by a signal or closed with an exit code other than 0.
mgtScannerSpamCheckerUnreach: No connection to the spam filter (e.g. Expurgate) could be established.
mgtLicenseWillExpireSoon: The license expires in less than N days (the number N is defined with the NotifyEndOfLicense – Page 62 option). Transmitted parameters: Number of days the license is still valid for.
Appendix The incoming or outgoing queue reaches its low fill level (only sent if the feature QueueFillLevel is enabled). An encrypted email has been found (only sent if the configuration option EncryptedEmailOption is set to NOTIFY_POSTMASTER.) 9.3 Glossary Term Meaning AVE (Anti Virus Engine) AVE refers to the engine the virus scanner uses to scan the emails for potentially dangerous programs. cron (daemon) A daemon which starts other programs at a specified time.
Appendix SMC Avira Security Management Center. SMTP Simple Mail Transfer Protocol: A protocol for email communications on the Internet. syslog daemon A daemon which is used by programs to log different information. The reports are written in different log files. Unwanted programs An umbrella term for programs which are installed without the agreement of the user or administrator and are therefore unwanted, although they do not cause any direct damage to the computer.
Appendix Appoint a Data Protection Officer who is responsible for handling virus infections, and set out the steps to be taken to remove a virus. Draw up an emergency plan. Such a plan can help prevent damage due to willful destruction, theft, outages or losses/changes due to incompatibilities. Programs and memory devices can be replaced, but data that a company relies on for its economic survival cannot. Draw up a protection and recovery plan for your data.
This manual was created with great care. However, errors in design and contents cannot be excluded. The reproduction of this publication or parts thereof in any form is prohibited without previous written consent from Avira GmbH. Errors and technical subject to change. Issued Q2-2011 AntiVir® is a registered trademark of the Avira GmbH. All other brand and product names are trademarks or registered trademarks of their respective owners. Protected trademarks are not marked as such in this manual.