martin: doc/architecture server.sgml,1.6,1.7

cvs at intevation.de cvs at intevation.de
Thu Mar 18 18:18:08 CET 2004


Author: martin

Update of /kolabrepository/doc/architecture
In directory doto:/tmp/cvs-serv30680

Modified Files:
	server.sgml 
Log Message:
Martin K.: Added documentation about Virus and Spam Scanning


Index: server.sgml
===================================================================
RCS file: /kolabrepository/doc/architecture/server.sgml,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- server.sgml	17 Mar 2004 17:56:42 -0000	1.6
+++ server.sgml	18 Mar 2004 17:18:05 -0000	1.7
@@ -85,7 +85,8 @@
 	objectClass:
 	objectClass:
 	proftpd-ftp:
-</programlisting></para>
+</programlisting>
+</para>
 <para>Everything is build upon that base structute.
 In the furture there may be several domains be hosted on one LDAP server.
 With this concept, each domain would require such a base structur of its own.
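Review bot: the only change in this hunk is a line split, but the unchanged context right below it carries three typos ("Everything is build upon that base structute", "In the furture there may be several domains be hosted", "such a base structur of its own"); since the commit already touches this paragraph boundary, fix them here rather than leaving a whitespace-only hunk.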
@@ -158,64 +159,273 @@
 transport_maps			Static SMTP Routes
 virtual_maps			Virtual Address Mapping
 </programlisting></para>
-<para> We decided to not use postfix's LDAP features for the Kolab server in the first run. 
+<para>Kolab Version uses LDAP whenever possible. (This is a change from Kolab 1.0)
 </para>
 </sect2>
 
-<sect2><title>Cyrus Quota</title>
-<para>
-Quotas allow server administrators to limit resources used by hierarchies of mailboxes on the server. 
-</para>
-<para>
-The Cyrus IMAP server supports quotas on storage, which is defined as the number of bytes of the relevant RFC-822 messages, in kilobytes. Each copy of a message is counted independently, even when the server can conserve disk space use by making hard links to message files. The additional disk space overhead used by mailbox index and cache files is not charged against a quota. 
-</para>
-<para>
-Quotas are applied to quota roots, which can be at any level of the mailbox hierarchy. Quota roots need not also be mailboxes. 
-For the Kolab Server we limit ourself to top level quota roots. This means we only apply quotas to the complete mailbox of a user 
-(root of an individual account) and to the root of shared folder hierarchies.
-</para>
-<para>
-Quota roots are created automatically when they are mentioned in the setquota command. 
-Quota roots may not be deleted through the protocol. We automatically create the quota roots when applying the initial
-quota values to the quota roots.
-</para>
-<sect3><title>Hard Quota</title>
-<para>
-Normally, in order for a message to be inserted into a mailbox, the quota root for the mailbox must have enough unused storage so that inserting the message will not cause the block quota to go over the limit. 
-</para>
-<para>
-Mail delivery is a special case. In order for a message to be delivered to a mailbox, the quota root for the mailbox must not have usage that is over the limit. If the usage is not over the limit, then one message may be delivered regardless of its size. This puts the mailbox's usage over the quota, causing a user to be informed of the problem and permitting them to correct it. If delivery were not permitted in this case, the user would have no practical way of knowing that there was mail that could not be delivered. 
-</para>
-<para>
-If the usage is over the limit, then the mail delivery will fail with a temporary error. This will cause the delivery system to re-attempt delivery for a couple of days (permitting the user time to notice and correct the problem) and then return the mail to the sender. 
+<sect1><title>Antivirus and Antispam Daemon</title>
+
+<sect2><title>Antivirus - Amavis Daemon</title>
+<para>amavisd is a high-performance interface between mailer (Postfix) and content checkers: virus scanners (ClamAV) and 
+antispam scanners (SpamAssassin). It is written in Perl for maintainability, without paying a significant price for speed. 
+It talks to Postfix via ESMTP.
 </para>
 <para>
-The Kolab clients must bea able to handle the hard quota limit and provide a localized and meaningful error message. 
-The message which could not get synchronized must remain in the folder. User is ask to manually solve the problem e.g.
-deletion of messages.
+Recent versions of amavisd integrate spamassassin. So the setup of spamassasin is straight forward and we use the available
+OpenPKG package.
 </para>
 
+<programlisting>
+use strict;
+
+ $MYHOME = '@@@kolab_prefix@@@/var/amavisd';
+ $mydomain = '@@@postfix-mydomain@@@';
+ $daemon_user = 'amavisd';
+ $daemon_group = 'amavisd';
+ $daemon_chroot_dir = $MYHOME; 
+
+ $QUARANTINEDIR = "$MYHOME/quarantine";
+ $TEMPBASE = "$MYHOME/tmp";
+ $ENV{TMPDIR} = $TEMPBASE;
+ $helpers_home = $MYHOME;
+
+ $forward_method = 'smtp:127.0.0.1:10025'; 
+ $notify_method = $forward_method; 
+ $inet_socket_port = 10024;
+ $inet_socket_bind = '127.0.0.1';
+ @inet_acl = qw( 127.0.0.1 ); 
+
+ @bypass_virus_checks_acl = qw( . );
+ @local_domains_acl = ( ".$mydomain" );
+
+ $DO_SYSLOG = 1; # (1 = syslog, 0 = logfile)
+ $LOGFILE = "$MYHOME/amavis.log";
+ $log_level = 5; # (0-5)
+
+ $hdrfrom_notify_sender = 'SpamAssassin helpdesk at domain.com';
+ $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt");
+
+ $final_spam_destiny = D_PASS; # Set to D_BOUNCE to block/notify, D_PASS to pass through
+
+ read_hash(\%whitelist_sender, '@@@kolab_prefix@@@/var/amavisd/whitelist');
+ read_hash(\%blacklist_sender, '@@@kolab_prefix@@@/var/amavisd/blacklist');
+ read_hash(\%spam_lovers, '@@@kolab_prefix@@@/var/amavisd/spam_lovers');
+ 
+ #defending against mail bombs
+ $MAXLEVELS = 14; # Maximum recursion level for extraction/decoding
+ $MAXFILES = 1500; # Maximum number of extracted files
+ $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
+ $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
+ $MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
+ $MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
+
+ $path = '@@@kolab_prefix@@@/usr/sbin:@@@kolab_prefix@@@/usr/bin:@@@kolab_prefix@@@/bin';
+ 
+ #$banned_filename_re = new_RE();
+
+ $file = 'file';
+ $arc = ['nomarch', 'arc'];
+ $gzip = 'gzip';
+ $bzip2 = 'bzip2';
+ $uncompress = ['uncompress', 'gzip -d', 'zcat'];
+ $lha = 'lha';
+ $unarj = 'unarj';
+ $unrar = 'unrar';
+ $zoo = 'zoo';
+ 
+ # SpamAssassin settings
+ $sa_local_tests_only = 0; 
+ $sa_auto_whitelist = 1; # comment this line out to turn off auto whitelist
+ $sa_mail_body_size_limit = 64*1024; # 64KB
+
+ $sa_tag_level_deflt = 3.0; # controls adding the X-Spam-Status and X-Spam-Level headers,
+ $sa_tag2_level_deflt = 6.3; # controls adding 'X-Spam-Flag: YES', and editing Subject,
+ $sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions:
+
+ $sa_spam_subject_tag = '***SPAM*** ';
+ $sa_debug = 1; # comment this line out to turn off debugging
+
+1; # insure a defined return
+</programlisting>
+</sect2>
+
+<sect2><title>Antispam - Spamassassin</title>
 <para>
-Each maintainer of a domain gets a daily quota report via email. This report has different sections for hard quota, soft quota and filesystem usage for everyone else. The frequency or disabling of this feature is 
-configurable by an administrator. (No GUI currently)
+Recent versions of spamassassin are integrated into amavisd. 
 </para>
-<para>In order to be able to deal with quotas correctly the KDE client must first delete messages before trying to send new messages.
+
+<sect3><title>Spamassassin - User Interface</title>
+<para>In the future we intend to integrate possible the horde sam module for maintaining user specific white- and blacklists <filename>http://cvs.horde.org/cvs.php/sam/</filename>.
 </para>
 </sect3>
 
-<sect3><title>Soft Quota</title>
-<para>
-When a user selects a mailbox whose quota root has usage that is close to or over the limit and the user has 
-<filename>d</filename> rights on the mailbox, the server will issue an alert notifying the user that usage is close to or over the limit. The threshold of usage at which the server will issue quota warnings is set by the 
-<filename>quotawarn</filename> configuration option. 
+</sect2>
+
+<sect2><title>Open Source Antivirus Scan Engine ClamAV</title>
+<para>The costs of scanning for viruses and other malware skyrocks while the quality of many proprietary 
+virus scanner option declines. A special problem is here the need for the supplier of proprietary software for 
+diversivication. This leads to technically suboptimal solutions like large and unreliable 
+software for the plain download of pattern files. We therefore experience for example ever changing download URLS for 
+new patterns and the need to update many components of the solution regularily.
 </para>
-<para>
-The server only issues warnings when the user has <filename>d</filename> rights because only users with <filename>d</filename>
- rights are capable of correcting the problem. 
+<para> 
+Fortunately there have been recently very positiv reports (<filename>http://www.pcwelt.de/news/viren_bugs/37827/2.html</filename>) about the opensource <filename>ClamAV</filename> virus scanner.
+For Kolab we use the current ClamAV OpenPKG package. Of course it is easily possible to install a proprietary scanner either 
+to replace or supplement ClamAV.
 </para>
-</sect3>
+<para> 
+The Kolab ClamAV package is based on the OpenPKG package. The configuration of ClamAV <filename>clamav.conf</filename> is
+</para>
+<programlisting>
+##
+## config template file for the Clam AV daemon
+## Please read the clamav.conf(5) manual before editing this file.
+##
+
+LogFile @@@kolab_prefix@@@/tmp/clamd.log
+
+LogFileMaxSize 8M
+
+# Log time with an each message.
+LogTime
+
+# Enable verbose logging.
+#LogVerbose
+
+# This option allows you to save the process identifier of the listening
+# daemon (main thread).
+PidFile @@@kolab_prefix@@@/var/run/clamd.pid
+
+TemporaryDirectory @@@kolab_prefix@@@/var/tmp
+
+# Path to the database directory.
+# Default is the hardcoded directory (mostly /usr/local/share/clamav,
+# but it depends on installation options).
+DatabaseDirectory @@@kolab_prefix@@@/var/lib/clamav
+
+# The daemon works in local or network mode. Currently the local mode is
+# recommended for security reasons.
+
+# Path to the local socket. The daemon doesn't change the mode of the
+# created file (portability reasons). You may want to create it in a directory
+# which is only accessible for a user running daemon.
+LocalSocket @@@kolab_prefix@@@/tmp/clamd
+
+# Remove stale socket after unclean shutdown.
+FixStaleSocket
+
+# TCP port address.
+TCPSocket 3310
+
+# TCP address.
+# By default we bind to INADDR_ANY, probably not wise.
+# Enable the following to provide some degree of protection
+# from the outside world.
+TCPAddr 127.0.0.1
+
+# Maximum length the queue of pending connections may grow to.
+# Default is 15.
+MaxConnectionQueueLength 30
+
+# When activated, input stream (see STREAM command) will be saved to disk before
+# scanning - this allows scanning within archives.
+StreamSaveToDisk
+
+# Close the connection if this limit is exceeded.
+StreamMaxLength 30M
+
+# Maximal number of a threads running at the same time.
+# Default is 5, and it should be sufficient for a typical workstation.
+# You may need to increase threads number for a server machine.
+
+MaxThreads 10
+
+# Thread (scanner - single task) will be stopped after this time (seconds).
+# Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
+# timeout instead of disabling it.
+ThreadTimeout 500
+
+# Maximal depth the directories are scanned at.
+MaxDirectoryRecursion 45
+
+# Follow a directory symlinks.
+# SECURITY HINT: You should have enabled directory recursion limit to
+# avoid potential problems.
+FollowDirectorySymlinks
+
+# Follow regular file symlinks.
+FollowFileSymlinks
+
+# Do internal checks (eg. check the integrity of the database structures)
+# By default clamd checks itself every 3600 seconds (1 hour).
+SelfCheck 600
+
+# Execute a command when virus is found. In the command string %v and %f will
+# be replaced by the virus name and the infected file name respectively.
+#
+# SECURITY WARNING: Make sure the virus event command cannot be exploited,
+#                   eg. by using some special file name when %f is used.
+#                   Always use a full path to the command.
+#                   Never delete/move files with this directive !
+#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %f: %v"
+
+# This option enables scanning of Microsoft Office document macros.
+ScanOLE2
+
+##
+## Mail support
+##
+
+# Uncomment this option if you are planning to scan mail files.
+ScanMail
+
+##
+## Archive support
+##
+
+
+# Comment this line to disable scanning of the archives.
+ScanArchive
+
+
+# By default the built-in RAR unpacker is disabled by default because the code
+# terribly leaks, however it's probably a good idea to enable it.
+ScanRAR
+
+
+# Options below protect your system against Denial of Service attacks
+# with archive bombs.
+
+# Files in archives larger than this limit won't be scanned.
+# Value of 0 disables the limit.
+# WARNING: Due to the unrarlib implementation, whole files (one by one) in RAR
+#          archives are decompressed to the memory. That's why never disable
+#          this limit (but you may increase it of course!)
+ArchiveMaxFileSize 20M
+
+# Archives are scanned recursively - e.g. if Zip archive contains RAR file,
+# the RAR file will be decompressed, too (but only if recursion limit is set
+# at least to 1). With this option you may set the recursion level.
+# Value of 0 disables the limit.
+ArchiveMaxRecursion 5
+
+# Number of files to be scanned within archive.
+# Value of 0 disables the limit.
+ArchiveMaxFiles 1000
+
+# Mark potential archive bombs as viruses (0 disables the limit)
+ArchiveMaxCompressionRatio 200
+
+# Use slower decompression algorithm which uses less memory. This option
+# affects bzip2 decompressor only.
+#ArchiveLimitMemoryUsage
+
+# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
+ArchiveDetectEncrypted
+</programlisting>
 
 </sect2>
+
 </sect1>
 
 <sect1><title> Cyrus IMAP Daemon </title>
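Review bot: `@bypass_virus_checks_acl = qw( . );` in the new amavisd listing matches every recipient domain, so amavisd skips virus scanning entirely, and nothing in the listing (no scanner definition such as an `@av_scanners` entry) points amavisd at the clamd socket that the clamav.conf below creates (`LocalSocket @@@kolab_prefix@@@/tmp/clamd`); as shown, the "Antivirus" section documents a setup in which ClamAV is never invoked for mail. Either drop that line and add a clamd scanner entry, or say in the prose that virus checks are intentionally disabled. Structure: `+<sect1><title>Antivirus and Antispam Daemon</title>` adds a `<sect1>` without a matching `</sect1>`; the trailing context `</sect2>` / `</sect1>` that previously closed Cyrus Quota and the enclosing sect1 now close the ClamAV sect2 and the new Antivirus sect1, leaving the sect1 that contains the Postfix sect2 unclosed (DocBook does not allow sect1 inside sect1), so a `</sect1>` is needed before the new `<sect1>`. Smaller points: `+<para>Kolab Version uses LDAP whenever possible.` is missing the version number; `$log_level = 5;` and `$sa_debug = 1;` are debugging settings in what is presented as the shipped configuration; and `$hdrfrom_notify_sender` hardcodes `domain.com` where the rest of the file uses `$mydomain` / `@@@postfix-mydomain@@@`.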
@@ -239,6 +449,7 @@
 It therefor uses the Cyrus SASL 2 library with its saslauthd daemon.</para>
 </sect2>
 
+
 <sect2><title> Cyrus Sieve </title>
 <para>The historic Unix tool procmail can not be used to filter incoming email for Cyrus IMAP users.
 This is due to a special delivery procedure which must be followed to deliver mail to a local IMAP user.
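Review bot: this hunk only inserts a blank line; the unchanged context `It therefor uses the Cyrus SASL 2 library with its saslauthd daemon.` has a typo (therefore) that could be fixed in the same touch, otherwise the whitespace-only hunk is better dropped to keep the diff focused.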
@@ -507,7 +718,59 @@
 </para>
 
 </sect2>
+<sect2><title>Cyrus Quota</title>
+<para>
+Quotas allow server administrators to limit resources used by hierarchies of mailboxes on the server. 
+</para>
+<para>
+The Cyrus IMAP server supports quotas on storage, which is defined as the number of bytes of the relevant RFC-822 messages, in kilobytes. Each copy of a message is counted independently, even when the server can conserve disk space use by making hard links to message files. The additional disk space overhead used by mailbox index and cache files is not charged against a quota. 
+</para>
+<para>
+Quotas are applied to quota roots, which can be at any level of the mailbox hierarchy. Quota roots need not also be mailboxes. 
+For the Kolab Server we limit ourself to top level quota roots. This means we only apply quotas to the complete mailbox of a user 
+(root of an individual account) and to the root of shared folder hierarchies.
+</para>
+<para>
+Quota roots are created automatically when they are mentioned in the setquota command. 
+Quota roots may not be deleted through the protocol. We automatically create the quota roots when applying the initial
+quota values to the quota roots.
+</para>
+<sect3><title>Hard Quota</title>
+<para>
+Normally, in order for a message to be inserted into a mailbox, the quota root for the mailbox must have enough unused storage so that inserting the message will not cause the block quota to go over the limit. 
+</para>
+<para>
+Mail delivery is a special case. In order for a message to be delivered to a mailbox, the quota root for the mailbox must not have usage that is over the limit. If the usage is not over the limit, then one message may be delivered regardless of its size. This puts the mailbox's usage over the quota, causing a user to be informed of the problem and permitting them to correct it. If delivery were not permitted in this case, the user would have no practical way of knowing that there was mail that could not be delivered. 
+</para>
+<para>
+If the usage is over the limit, then the mail delivery will fail with a temporary error. This will cause the delivery system to re-attempt delivery for a couple of days (permitting the user time to notice and correct the problem) and then return the mail to the sender. 
+</para>
+<para>
+The Kolab clients must bea able to handle the hard quota limit and provide a localized and meaningful error message. 
+The message which could not get synchronized must remain in the folder. User is ask to manually solve the problem e.g.
+deletion of messages.
+</para>
 
+<para>
+Each maintainer of a domain gets a daily quota report via email. This report has different sections for hard quota, soft quota and filesystem usage for everyone else. The frequency or disabling of this feature is 
+configurable by an administrator. (No GUI currently)
+</para>
+<para>In order to be able to deal with quotas correctly the KDE client must first delete messages before trying to send new messages.
+</para>
+</sect3>
+
+<sect3><title>Soft Quota</title>
+<para>
+When a user selects a mailbox whose quota root has usage that is close to or over the limit and the user has 
+<filename>d</filename> rights on the mailbox, the server will issue an alert notifying the user that usage is close to or over the limit. The threshold of usage at which the server will issue quota warnings is set by the 
+<filename>quotawarn</filename> configuration option. 
+</para>
+<para>
+The server only issues warnings when the user has <filename>d</filename> rights because only users with <filename>d</filename>
+ rights are capable of correcting the problem. 
+</para>
+</sect3>
+</sect2>
 </sect1>
 
 <sect1><title> ProFTP Daemon </title>
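Review bot: the Cyrus Quota section moved here keeps its typos verbatim ("The Kolab clients must bea able to handle the hard quota limit", "User is ask to manually solve the problem", "we limit ourself to top level quota roots"); since the diff rewrites the whole block anyway, fix them in the move instead of carrying them to the new location. The paragraph "In order to be able to deal with quotas correctly the KDE client must first delete messages before trying to send new messages." is client guidance and would sit better beside the "Kolab clients must be able to handle the hard quota limit" paragraph than after the daily quota report paragraph.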




