spamd/clamd on remote server with encryption?

Hey all,

I have a server that is getting very low on memory, and I would like to use one of my other throwaway servers to process spam and virus filtering, to ease the load on the first server.

I can’t seem to find any comprehensive tutorials on this, other than the virtualmin docs which are a bit vague, so I’ll ask here:

  • What ports do I need to open on my firewall so my remote servers can receive requests to process spam/virus from my first server?

  • How can I be sure these processes are using encryption?

  • Is there a way (other than firewall rules) to tell spamd/clamd to only accept requests from specific other server names/ips/credentials?

Thank you!

Howdy,

Just to make sure you’re looking at the right docs, the current Virtualmin documentation on setting up remote spam and virus processing is here, in the section “Moving Spam and Virus Scanning to Another System”:

https://www.virtualmin.com/documentation/email/spam-av

I’ve updated it to include the ports you would need to open in the firewall, which are ports 3310 for ClamAV and 783 for SpamAssassin.

Those services don’t support encrypted connections, though you could always setup some sort of SSH tunneling to accomplish that.

SpamAssassin has a -A parameter (described in the above docs) that can be used to specify what IP’s may connect to it, though there isn’t any sort of authentication.

To my knowledge ClamAV doesn’t support anything similar – you would need to use firewall rules to restrict connections to your ClamAV service.

-Eric

Hey man thanks for the reply and the updated docs! I was about to ask for more information on SSH tunneling (as I’ve only ever used it for secure browsing, not as a way to connect two machines from port-to-port as you’re suggesting here) … but I may have found an easier solution!

Something called “OpenVPN” released under GNU, which would in theory allow two servers to connect to each other securely, then you’d be able to access any service as a matter of private IPs. I haven’t looked into it yet or determined it will do auto-reconnects or anything, but here’s the link in case anyone comes here for the same question: http://unix.stackexchange.com/questions/71082/connecting-from-openvpn-server-to-mysql-server

I’ll come back when I succeed or fail, or not come back if I end up playing book of heroes

I believe I’ve gotten it working. I found that program “autossh” to keep a persistent tunnel going between servers, as well as a very useful service script that allows for easy autossh config files here: http://surniaulula.com/2012/12/10/autossh-startup-script-for-multiple-tunnels/

Now I am persistently forwarding 127.0.0.1:3310 to the remote server’s 127.0.0.1:3310 for ClamAV, as well as port 783, and it appears this will be very easy to maintain.

Another question - how can I verify that ClamAV/SpamAssassin are now indeed doing the job on behalf of my main server? Is there a log on either server that I can check to see if this is working? … or should I just attempt to send myself a virus and see how it goes lol

Here is how to test a virus scanner:
http://en.wikipedia.org/wiki/EICAR_test_file

Spam scanner:
http://spamassassin.apache.org/gtube/

Thanks man! I totally used the EICAR test to prove I got the virus scanner working. Spam assassin was slightly easier since all I had to do was note when the X-Spam-Something headers disappeared and reappeared as I turned on and off the services.

One last issue. It seems virtualmin wants to stop me from choosing to use clamc because it sees that clamd is not running locally and refuses to allow me to save changes. In order to work around this, I had to enable clamd, then set clamc to look locally, then go back and disable clamd locally.

Also just this second I just did a full configuration check with virtualmin, and it’s failing with the following message:

"You have selected to use clamdscan for virus scanning, but the clamd server it talks to is not running

… your system is not ready for use by Virtualmin."

So I think it would be great if there were an option in the spam/virus config, where I could select to say that clam/spam should look locally, but I have an SSH tunnel running that makes my machine think its local.

OR to make things more automatic, instead of simply checking for a running service, virtualmin might want to actually connect to localhost and see if it can send/recv a quick test/dummy session with those services to see if they work. That way, the system would see the services are up and running, regardless of whether they’re local, or remote but mapped over SSH.