<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML lang="en">
<HEAD>
<TITLE>Enhancing E-Mail Security With Procmail - Obtaining and installing</TITLE>
<meta http-equiv="description" content="A mail filter to prevent email-based security attacks.">
<meta http-equiv="Keywords" content="procmail, sendmail, mail, email, filter, buffer overflow, security, MIME, Netscape, Outlook, Outlook Express, Eudora, worm, virus, header, attachment, macro, vbs, iloveyou, melissa, kak, hybris">
</HEAD>
<BODY>
<H1 ALIGN=center>Enhancing E-Mail Security With Procmail</H1>
<H2 ALIGN=center>Obtaining and installing the sanitizer</H2>
<A HREF="procmail-security.html">Back to the home page</A>
<HR>
<H2 ALIGN=center>The current version of the sanitizer is:<B>
1.127
</B></H2>
<P>
It is recommended you update your copy if your version is older, as
bugfixes and filtering for newer exploits will have been added. See
<A HREF="sanitizer-changelog.html">the history of changes</A> for details.
<P>
The Email Sanitizer procmail ruleset is available at:
<BR>
[
<A HREF="ftp://ftp.rubyriver.com/pub/jhardin/antispam/html-trap.procmail.gz">FTP Mirror 1 (USA: UT)</A>
|
<A HREF="ftp://kanon.net/pub/jhardin/antispam/html-trap.procmail.gz">FTP Mirror 2 (Europe: NL)</A>
|
<A HREF="http://www.impsec.org/email-tools/html-trap.procmail.gz">HTTP Mirror 1 (USA: WA)</A>
|
<A HREF="http://www.wolfenet.com/~jhardin/html-trap.procmail.gz">HTTP Mirror 2 (USA: WA)</A>
|
<A HREF="http://www.megaloman.sk/~hany/RPM/procmail-security.html">RPM HTTP Mirror 1 (EU: SK)</A>
]
<P>
<A HREF="http://www.impsec.org/email-tools/html-trap.procmail.md5">The MD5
checksum of the current sanitizer</A> is available for verifying your download.
Check it after decompressing.
<P>
If you are downloading this on a Windows system for use on a Unix or Linux
system, <I>make sure</I> that you take care of text-file conversion - the
script will not run properly with DOS end-of-line characters in it. One way
to do this is to open the sanitizer script in <TT>vi</TT> and type:
<BLOCKQUOTE><TT>
:textmode on<BR>
:textmode off<BR>
:wq<BR>
</TT></BLOCKQUOTE>
Also, if you edit the sanitizer in an editor that breaks long lines (for
example, pico) the sanitizer will be corrupted.
<P>
A tarball of the ruleset and other useful files is available at:
<BR>
[
<A HREF="ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-sanitizer.tar.gz">FTP Mirror 1 (USA: UT)</A>
|
<A HREF="ftp://kanon.net/pub/jhardin/antispam/procmail-sanitizer.tar.gz">FTP Mirror 2 (Europe: NL)</A>
|
<A HREF="http://www.impsec.org/email-tools/procmail-sanitizer.tar.gz">HTTP Mirror 1 (USA: WA)</A>
|
<A HREF="http://www.wolfenet.com/~jhardin/procmail-sanitizer.tar.gz">HTTP Mirror 2 (USA: WA)</A>
]
<P>
<HR>
<H3>Site Safety</H3>
If you're an administrator and you wish to sanitize all of your users'
email automatically, here's how to do it:
<H4>Requirements</H4>
<UL>
<LI>
Your email must be received by a system that runs or can run procmail. See
the procmail link above for information about obtaining and installing
procmail for your platform. Ensure procmail is working properly before
installing the sanitizer.
<BR><BR>
</LI>
<LI>
If you are running <A HREF="http://www.sendmail.org">sendmail</A> then it
must be set up to use procmail as the local delivery agent. Look for the
following line in your <TT>/etc/sendmail.cf</TT> file:
<BLOCKQUOTE><PRE>
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
A=procmail -Y -a $h -d $u
</PRE></BLOCKQUOTE>
</LI>
<LI>
You must have <A HREF="http://www.perl.org">perl</A> installed.
<P>
</LI>
<LI>
If you want to install the sanitizer on a sendmail relay (for example,
to protect a Microsoft Exchange system that is not directly
connected to the Internet), follow these directions:
<BR>
[
<A
HREF="ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-on-gateway.txt">FTP Mirror 1 (USA: UT)</A>
|
<A HREF="ftp://kanon.net/pub/jhardin/antispam/procmail-on-gateway.txt">FTP Mirror 2 (Europe: NL)</A>
|
<A HREF="http://www.impsec.org/email-tools/procmail-on-gateway.txt">HTTP Mirror 1 (USA: WA)</A>
|
<A HREF="http://www.wolfenet.com/~jhardin/procmail-on-gateway.txt.gz">HTTP Mirror 2 (USA: WA)</A>
]
<P>
</LI>
<LI>
If you wish to scan attachments, you <I>must</I> have <TT>mimencode</TT>
(which is a part of
<A HREF="http://www.impsec.org/email-tools/metamail-2.7-RH.tar.gz">the metamail
package</A>) and <TT>mktemp</TT> (from
<A HREF="ftp://ftp.openbsd.org/pub/OpenBSD/src/usr.bin/mktemp">OpenBSD</A>) installed.
<P>
</LI>
</UL>
<P>
<H4>Installation under *nix and workalikes (Linux, *BSD, etc.)</H4>
<OL>
<LI>
Create a directory <TT>/etc/procmail</TT>
owner and group <TT>root</TT>, permissions <TT>rwxr-xr-x</TT>.
<BR><BR>
</LI>
<LI>
Download the sanitizing ruleset and save it in that directory,
owner and group <TT>root</TT>, permissions <TT>rw-r--r--</TT>.
If you are using Lynx, highlight the link and press "D" to
download the file - don't view it and save it, it'll be corrupted.
<BR><BR>
</LI>
<LI>
Read the <A HREF="sanitizer-configuration.html">configuration instructions</A>.
</LI>
</OL>
<P>
It is important to note the obvious: the sanitizer will only protect you
against attacks in email messages that go through the mail gateway it's
installed on. If your users are able to access external POP servers or
web-based email systems, they may still receive and become victims of email
worms and viruses.
<P>
Access to external POP servers can be blocked by your firewall, but the
only way to defend against attacks via web email services is <I>user
education</I>. Make your users aware that they may destroy a lot of
valuable work and lose a lot of valuable time if they retrieve attachments
from web email gateways. Suggest that they forward such messages to their
work email address so that they get sanitized.
<P>
<HR>
<H4>Troubleshooting</H4>
<P>
If you get <TT>Program failure (141) of "perl -p -e '</TT>...
whenever the sanitizer tries to scan a document for macros, you need to
make sure that mktemp and mimencode are properly installed. Add this to
your /etc/procmailrc file for debugging:
<BLOCKQUOTE><TT>
LOG=`type mktemp`<BR>
LOG=`type mimencode`
</TT></BLOCKQUOTE>
If either program cannot be found, macro scanning will fail and crash the
sanitizer.
<P>
If you get "<TT>Word too long</TT>" errors, try adding
"<TT>SHELL=/bin/sh</TT>" or "<TT>SHELL=/bin/ksh</TT>"
to <TT>/etc/procmailrc</TT> before the call to <TT>html-trap.procmail</TT>
- <A HREF="http://www.gregor.com/dgregor/csh_whynot.html">csh can't
handle a command-line argument the size of the Perl script that's in the
filter</A>.
<P>
Do <EM>not</EM> put <TT>html-trap.procmail</TT> into
<TT>/etc/procmailrc<B><U>s</U></B>/</TT> as implied by the procmail man page.
You'll get security errors from Perl about -e and setuid scripts if you do
this. You may also have problems with filtering mail sent to root for this
reason.
<P>
It looks like this perl script can be a bit of a memory hog on some
systems. If you start getting "Out of memory" errors in your
procmail log file, try adding
<BLOCKQUOTE><TT>ulimit -d 15000;</TT></BLOCKQUOTE>
just before the <TT>perl -p -e</TT> in the MIME-sanitizing rule:
<BLOCKQUOTE><TT>:0 fw<BR>| ulimit -d 15000; perl -p -e ' #\</TT></BLOCKQUOTE>
You might also have to increase the hard memory limit originally set for
sendmail. Don't add this unless you get "Out of memory" errors.
<P>
<HR>
<IMG SRC="vi.fischer.handcrafted_using_vi.png" ALT="Created with vi" ALIGN=middle>
<A HREF="http://www.cast.org/bobby">
<IMG SRC="http://www.cast.org/bobby/images/approved.gif" ALT="Bobby approved"
ALIGN=middle WIDTH="131" HEIGHT="40"></A>
<A HREF="http://www.anybrowser.org/campaign/">Best viewed with
<EM>Any</EM> Browser</a>
<P>
<H6>$Id: sanitizer-download.html,v 1.9 2001-02-25 14:43:19-08 jhardin Exp jhardin $
<BR>
Contents Copyright (C) 2001 by John D. Hardin - All Rights Reserved.
</H6>
</BODY>
</HTML>