ClamMail

ClamMail is a small POP3 proxy with an integrated ClamAV engine (libclamav)
for Windows, which filters incoming emails and deletes all unwanted
malware (viruses, trojans, phishing and more).

ClamMail, a native port of Clam AntiVirus for Microsoft Windows, has been
developed by Boguslaw Brandys and is licensed under the GNU General
Public License.

Thanks to its internal architecture, it can work with any mail client
(Outlook, Thunderbird, Eudora, Pegasus and anything that supports
the POP3 protocol).

1. Install SpamPal
2. Configure SpamPal
3. Configure your Mercury Server
3.1 Change your POP3 settings
3.2 Create Filter/Message rules
4. Email Virus Scanners and Firewalls
5. Whitelist friends and contacts

Start installation by double-clicking on the SpamPal
Setup program (spampal.exe) and follow
the on-screen instructions. Upon completion, SpamPal will run, showing
its pink umbrella icon in your system tray.

If this installation is an upgrade of SpamPal
then the existing configuration of ClamMail is retained and the
process is now complete. If not, i.e. this is a new installation of SpamPal,
proceed with the steps below.

To set up SpamPal, go to Options and then look at the Connections
pane (see screen below).
Now select the POP3 (any servername) option and click Properties.

Now change the Local Port Number to port 1101 (see screen below).

All you need to know about extra configuration can be found here

Now that you have set up SpamPal, you need to tell your Mercury server
to fetch your mail through the SpamPal proxy rather than directly from
your ISP. You need to know how you collect mail from your ISP; for
example, if you use POP3 to collect your mail then you only need to
change your POP3 settings.

A system running Windows 98/Me or Windows NT/2000/XP is required. On
Windows 2000/XP ClamMail is installed as an auto-started service running
in the LocalSystem account context. During installation the service is
started if supported by the OS, and the default configuration is probably
functional. However, changing the configuration (especially the mirrors
for signature updates) is required.

Under Windows 98/Me ClamMail runs as a hidden process (hidden here means
that ClamMail has no visible window).

This program could also work with Windows 95; however, Winsock 2 and
iphlpapi.dll are required and are missing there.

There may be some problems on Windows NT 4.0 or earlier. (I don't even
know if it works with such old versions; the latest service packs and
Internet Explorer 5.5+ may be required.) The current installer should
not be limited by the NT version. If it works for you, please send me a
note so it can be included in the FAQ.

Because ClamMail uses Synapse, there are some limitations on the
accounts under which this program can run.

From the Synapse readme:

On WinNT standardly RAW sockets work if program is running under user
with administrators privileges. To use RAW sockets under other users,
you must create the following registry variable and set its value to
DWORD 1:

HKLM\System\CurrentControlSet\Services\Afd\Parameters\DisableRawSecurity

After you change the registry, you need to restart your computer!

Go to Mercury and from the Configuration
menu select Mercury POP3 Client.
Highlight the POP3 connection you wish to use with SpamPal and click
the Change button.

1. Set the user name in your email client application
settings to also contain the destination POP3 server, like this:
user\POP3_server[:port]
The port is optional and defaults to 110.
It is required only if the destination POP3 server is using a non-standard
port.
2. Set the POP3 server in your email client to 127.0.0.1
(or the host name in your local network where ClamMail is installed).
3. Set the authentication method to simple (ClamMail
uses other methods such as APOP transparently).

Important:
You must set a proper DNS server and set the mirrors
for updating the ClamAV database to those nearest to your location.
Please check the ClamMail applet in the Control Panel.
If the destination server is using SSL (port
995), you should download or compile the OpenSSL DLL files,
put them into the program directory and restart the ClamMail service
using the Control Panel applet.

Rather than modifying the existing POP3 setup, create a new one. Each
POP3 account has a checkbox for enable/disable.

Now, make a note of the name of your POP3 Server shown in the POP3 Host
box (e.g. pop3.yourisp.com) and then replace it with 127.0.0.1

Now add a % symbol and the POP3 Server that you wrote
down earlier to the Username
box (e.g. my_login_name%pop3.yourisp.com).

(The setup should look like the screen below)

| Username: fred.bloggs | Username: fred.bloggs@mail.btopenworld.com |
| Incoming Mail (POP3) Server: | Incoming Mail (POP3) Server: localhost |
| Username: johnsmith | Username: johnsmith@pop3.west.cox.net |
| Incoming Mail (POP3) Server: pop3.west.cox.net | Incoming Mail (POP3) Server: localhost |
| Username: fax07734 | Username: fax07734@pop.telus.net |
| Incoming Mail (POP3) Server: pop.telus.net | Incoming Mail (POP3) Server: localhost |
| Username: mary_jones | Username: mary_jones@192.168.1.1 |
| Incoming Mail (POP3) Server: 192.168.1.1 | Incoming Mail (POP3) Server: 127.0.0.1 |
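
How a proxy can recover the real account and the destination server from the combined logins described above (user\POP3_server[:port] for ClamMail, user%server and user@server in the SpamPal settings), as an added Python example that is not code from ClamMail or SpamPal. The function name split_proxy_login, the validation rules and the acceptance of a :port suffix on the % and @ forms are assumptions made for the example.

```python
DEFAULT_POP3_PORT = 110  # the page states that the port defaults to 110

def split_proxy_login(login):
    """Split a combined login into (user, host, port); hypothetical helper.

    Handles user\\host[:port] (ClamMail form) and user%host / user@host
    (the SpamPal forms shown on this page). Raises ValueError if malformed.
    """
    if "\\" in login:
        user, _, target = login.partition("\\")
    else:
        # Cut at the last % or @ so a mailbox name that itself contains
        # '@' (user@domain@server) keeps its own domain part.
        cut = max(login.rfind("%"), login.rfind("@"))
        if cut < 0:
            raise ValueError("login names no destination server")
        user, target = login[:cut], login[cut + 1:]
    # Assumption: the optional :port suffix is accepted on every form.
    host, has_port, port_text = target.partition(":")
    port = DEFAULT_POP3_PORT
    if has_port:
        if not (port_text.isascii() and port_text.isdigit()):
            raise ValueError("port is not a number")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
    # Reject empty parts and whitespace/control characters, so a crafted
    # login cannot smuggle CR/LF into what is sent to the upstream server.
    if not user or not host:
        raise ValueError("empty user or host")
    if any(ch.isspace() or ord(ch) < 32 for ch in user + host):
        raise ValueError("illegal character in login")
    return user, host, port

if __name__ == "__main__":
    # Constructed sample logins in the forms shown above.
    for sample in ("fred.bloggs@mail.btopenworld.com",
                   "my_login_name%pop3.yourisp.com",
                   "user\\pop3.example.test:995"):
        print(sample, "->", split_proxy_login(sample))
```

Because the destination host comes from the client-supplied login, whoever can reach the proxy port decides where it connects, which is why the listening address is best kept on 127.0.0.1 or behind a firewall.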

Coming soon...

Specific instructions for using a variety of email
virus scanners with SpamPal can be found on the main
installation page.

Some email virus filters want to sit between your
mail program and your mail server in just the way that SpamPal does.
There's actually no reason why they can't; you just set them up
in series so that your virus filter fetches its mail through SpamPal
rather than directly from your mail server, and then your email program
fetches the mail through the virus filter.

ClamMail's main configuration is carried out by accessing the Control
Panel and selecting the ClamMail icon. See the screenshots below on how
this is carried out:

Use ClamAV scan engine; If not checked, ClamMail works as a simple POP3
proxy only, without filtering any emails.

Limit archives scan; Max files in single archive; Archives with more
than this number of files will not be scanned.

Limit archives scan; Max recursion level; If an archive contains another
archive which contains another archive, and so on, and such recursion is
deeper than the given limit, this archive won't be scanned.

Limit archives scan; Max compression level; Archives which contain some
files with a compression ratio bigger than this limit will not be scanned
(this prevents some obscure DoS attack when a small archive contains
really big empty files). Notice: some files are compressible beyond this
limit.

Report broken executable; Treat broken executables (for example a broken
EXE file) like malware and report such files as Broken.Executable
malware. Use with caution.

Debug level; None; Only important information, warnings and errors are
logged to the event log.

Debug level; Mail debug; All commands sent by the email client, the
ClamMail proxy and the destination POP3 server are logged if dbgview or
any other special program is running.

Debug level; Mail + Clam debug; The same as above, plus all debug
information from the libclamav.dll engine is logged.

Debug level; Mail + Clam + Update debug; The same as above, plus the
update process and DNS resolution are stored in the update.log file.

Debug level; Mail + Clam + Update + Email; Full debug. Also, all email
data is logged if dbgview is used. Very slow.
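
The three "Limit archives scan" settings above, applied to ZIP files with Python's zipfile module as an added illustration; this is not ClamMail or libclamav code, and the limit values, function names and sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Constructed limits standing in for the three "Limit archives scan" fields;
# these numbers are assumptions for the example, not ClamMail defaults.
MAX_FILES = 500
MAX_RECURSION = 5
MAX_RATIO = 250

def check_archive(data, depth=1):
    """Return None if the ZIP is within all limits, else why it is skipped."""
    if depth > MAX_RECURSION:
        return "max recursion level exceeded"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "unreadable archive"
    with zf:
        members = zf.infolist()
        if len(members) > MAX_FILES:
            return "max files exceeded"
        # Sizes come from the archive directory, so nothing is inflated here.
        for m in members:
            if m.compress_size and m.file_size / m.compress_size > MAX_RATIO:
                return "max compression ratio exceeded"
        # Only members that passed the ratio check are unpacked and descended into.
        for m in members:
            if m.filename.lower().endswith(".zip"):
                reason = check_archive(zf.read(m), depth + 1)
                if reason:
                    return reason
    return None

def make_zip(files, method=zipfile.ZIP_DEFLATED):
    """Build a ZIP in memory from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def nested_zip(levels):
    """A ZIP wrapped inside `levels - 1` further ZIPs (constructed sample)."""
    data = make_zip({"note.txt": b"hello"})
    for _ in range(levels - 1):
        data = make_zip({"inner.zip": data}, zipfile.ZIP_STORED)
    return data

if __name__ == "__main__":
    print(check_archive(make_zip({"zeros.bin": bytes(1 << 20)})))
    print(check_archive(nested_zip(6)))
```

The 1 MiB file of zero bytes is the "small archive with a really big empty file" case: it deflates to roughly a kilobyte, so the ratio check rejects it before any data is unpacked.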

Proxy server IP; IP address to which the server should bind on start.
ClamMail uses this IP. In case of 0.0.0.0 all available interfaces
are used. Using localhost (127.0.0.1), ClamMail will accept only local
connections. Notice: do not open ports on globally available IP interfaces
without a correctly configured firewall.

Proxy server port; ClamMail will listen on this port.

Max data length; Maximum size in bytes of the incoming data stream from
the POP3 server in a single response to a request (either a reply or an
email data stream). Used to avoid memory overflow.
Use 0 (zero) to disable this limitation.

Connection timeout; After this timeout a connection to the
destination POP3 server is closed. Connections to the ClamMail POP3
proxy server from any email client are also limited by this timeout.
Default is 20 seconds (should be sufficient). This is the timeout between
TCP/IP packets.

Clean email, report virus by modification of email body; The infected
email will be cleaned (all attachments and the email body are deleted)
and the email body is replaced by a special notification text. Email
headers remain unchanged.

Clean email, report as error; The infected email will be cleaned (all
attachments and the email body are deleted) and an error will be reported
to the user (and the connection will be dropped). The infected email is
deleted from the destination POP3 server. Users will retrieve other
emails after connecting once again. This option is not recommended.

Do not clean email, only modify email header; Instead of cleaning the
email, only some special email headers are added:
X-Virus-Scanner with the ClamMail signature and versions, and X-Virus
with the name of the malware found.

Cleaned email message; Text of the special email notification in simple
HTML. The email body is replaced by this message if the first user
action above is used.
Notice: %s will be replaced by the actual malware name. Only one
such item must be used in this text.

Charset encoding; Used to properly display a localized version of the
notification text (see above).

Important:
The first thing ClamMail does on start is to update the ClamAV
antivirus databases (main.cvd and daily.cvd), as it is distributed
without those files. This could take some time depending on your
internet connection and the chosen ClamAV database mirror (the main.cvd
size is about 1.5 MB). However, daily.cvd (daily updates) is rather
small and subsequent updates are rather quick, even if the ClamMail
main proxy is suspended during the update process. Clients cannot
connect to the proxy while an update is in progress. Yes, this is a
known design flaw and should be changed, but not in the version 1.0
release :-)

If the first update fails, the second and subsequent ones are started
at intervals of about 2 minutes. After the first successful update (which
means that the databases are updated or recognized as fresh) this period
is extended to the value set in the Control Panel applet.
This is implemented in this way to allow a quick update for ADSL internet
connections, which could be in a "not established" state when the
ClamMail service is started on system boot.

DNS info server; This is the DNS record (type TXT) published by
the ClamAV team. By querying this record, ClamMail learns what the
latest virus database is and eventually downloads the newly released
database. Notice: do not clear this field unless you really know
what you are doing!

Database mirrors; The ClamAV antivirus signature database is mirrored
all over the world. Please configure ClamMail to download the database
from the mirror closest to you. Add something like db.XY.clamav.net,
where XY represents your country code. Check
http://www.iana.org/cctld/cctld-whois.htm for the complete
list of country codes. You must keep database.clamav.net at the bottom
of the list. Remove it only if you really know what you are doing.

Check every; ClamMail checks for a database update once as soon as it
starts and then periodically, at the interval defined here. Checking too
often is just a waste of resources, so you are not allowed to set
this value below 15.

If malware is found, ClamMail can also report this fact by sending a
notification email to someone else (e.g. a sysadmin). Set the e-mail
notification parameters here.

On this page, the status of the ClamMail service can be checked and
changed (only on Windows NT/XP/2000).

This completes the installation and setup.