Postfix and BitDefender for Milter

If you wish to use the BitDefender Security Milter integration with your Postfix server, then follow these steps (all commands should be executed from within the ~bitdefender/bin directory):

1) Check that you have the minimum required version (we recommend 2.4.x).

# postconf mail_version
mail_version = 2.4.5

Although the Postfix documentation states that version 2.3 or later is sufficient, our tests showed that the setup does not work with 2.3.x: the milter handshake fails and messages similar to the following appear in the Postfix log:

warning: milter unix:/var/spool/postfix/BitDefender/bdmilterd.sock: can't read SMFIC_OPTNEG reply packet header: Success
warning: milter unix:/var/spool/postfix/BitDefender/bdmilterd.sock: read error in initial handshake
NOQUEUE: milter-reject: CONNECT from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
NOQUEUE: milter-reject: MAIL from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP

See this page for more information on the differences between the 2.3 and 2.4 milter support; specifically, “body replacement is not available in Postfix 2.3”.

2) Add the Postfix user (the value of mail_owner) to BitDefender's LocalUsers list and to the bitdefender group:

# export POSTFIXUSER=`postconf -h mail_owner`
# ./bdsafe registry configure localusers add $POSTFIXUSER

2.a) Linux: add the Postfix user to the bitdefender group (usermod -G replaces the supplementary group list, so the current groups are captured first and bitdefender is appended):

# usermod -G $(groups $POSTFIXUSER |
sed -e 'y/ /,/' -e 's;^.*:,;;'),bitdefender $POSTFIXUSER

2.b) FreeBSD: add the Postfix user to the bitdefender group (pw usermod -G likewise replaces the group list, hence the same construction):

# pw usermod $POSTFIXUSER -G $(groups $POSTFIXUSER | \
sed -e 'y/ /,/' -e 's;^.*:,;;'),bitdefender

3) Fix the access rights on /var/run/BitDefender, since bdmilterd needs to write its PID file there when running as $POSTFIXUSER (note that mode 731 grants write and search access to every local user, not only to the bitdefender group):

# chmod 731 /var/run/BitDefender

4) bdmilterd needs to run as $POSTFIXUSER. This can be done in one of two ways:

a) making bdmilterd setuid and owned by $POSTFIXUSER, so that the bd script also controls the milter agent: easier, but possibly riskier, depending on your mail setup; or

b) starting bdmilterd as the Postfix user, manually or via a wrapper (in this case bdmilterd must also be stopped manually or via a wrapper before running “bd stop”).

4.a) use suid and enable the milter agent:

# chown $POSTFIXUSER bdmilterd
# chmod u+s bdmilterd
# ./bdsafe agent enable milter

4.b) Manually start/stop bdmilterd as $POSTFIXUSER after “bd start” and before “bd stop”. After bd start, run:

# ./bdsu $POSTFIXUSER ./bdmilterd -s

and, respectively, before bd stop:

# ./bdmilterd -k

5) Depending on your distribution, your Postfix MTA might start in a chroot. Debian and Debian-based distributions run smtpd in a chroot (/var/spool/postfix), while RedHat-based distributions don't. Because of this, we have to make sure the socket used for Postfix <-> bdmilterd communication is visible inside that chroot: when smtpd runs chrooted, Postfix interprets an absolute unix: socket path relative to the queue directory, so /var/spool/postfix/BitDefender/bdmilterd.sock is looked up as /var/spool/postfix/var/spool/postfix/BitDefender/bdmilterd.sock. We have seen that the chroot is usually placed in the queue_directory. The following commands make the socket reachable whether or not your setup uses a chroot when starting the MTA. Please adapt them to your needs.

5.1) find out the queue_directory and set things up for the socket

# export POSTFIXCHROOT=`postconf -h queue_directory`
# mkdir -p $POSTFIXCHROOT/BitDefender $POSTFIXCHROOT/$POSTFIXCHROOT
# chown bitdefender:bitdefender $POSTFIXCHROOT/BitDefender
# chmod 731 $POSTFIXCHROOT/BitDefender

5.2) create a relative symlink to the $POSTFIXCHROOT/BitDefender directory in the $POSTFIXCHROOT/$POSTFIXCHROOT directory.

# ln -s `echo $POSTFIXCHROOT | sed -e 's#[^/][^/]*#..#g' -e 's#^/##'`/BitDefender \
$POSTFIXCHROOT/$POSTFIXCHROOT

Example: for POSTFIXCHROOT=/var/spool/postfix, the command above creates the /var/spool/postfix/var/spool/postfix/BitDefender symlink pointing to ../../../BitDefender, i.e. to /var/spool/postfix/BitDefender. On systems that run the MTA in a chroot, verify with ls -l $POSTFIXCHROOT/$POSTFIXCHROOT that the link was created correctly and points at the right place.

6) Configure the location of the bdmilterd socket file:

# ./bdsafe agent configure milter sockpath "$POSTFIXCHROOT/BitDefender/"

7) Configure Postfix to know the location of the bdmilterd socket (usually $POSTFIXCHROOT is /var/spool/postfix; adapt to your case). Append these lines to main.cf:

smtpd_milters = unix:/var/spool/postfix/BitDefender/bdmilterd.sock
milter_protocol = 2
milter_default_action = tempfail
milter_connect_timeout = 30s
milter_command_timeout = 30s
milter_content_timeout = 30s

Note: all options other than smtpd_milters can be omitted entirely. If milter_protocol is present, it must be set to 2.

8) Restart Postfix or reload its configuration:

# postfix reload

9) Make sure BitDefender is (re)started.

10) If the setup works correctly, the Received: and X-BitDefender-Scanner: headers of a delivered mail should look similar to this:

[...]
Received: from foo.example.com (foo.example.com [1.2.3.4])
by myexampleserver.com (Postfix) with ESMTP id 123456789AB
[...]
X-BitDefender-Scanner: Clean, Agent: BitDefender Milter 3.0.2 on
myexampleserver, sigver: 7.15108
[...]
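The chroot handling in steps 5 to 7 is the part of this procedure that is easiest to get subtly wrong, so here is an added example script (not part of the BitDefender or Postfix documentation) that rebuilds the step-5 directory layout in a scratch directory and checks that the socket path from main.cf resolves to the same physical file both outside the chroot and from inside it, where Postfix interprets the absolute path relative to queue_directory. The function names (uplink_for, setup_layout, resolve_socket, check_socket_visibility) and the scratch root are this example's own; it needs no root privileges and does not touch a real Postfix installation.

```shell
#!/bin/sh
# Added example, not part of the BitDefender or Postfix documentation.
# Builds the step-5 layout below a scratch directory and verifies that the
# socket path from step 7 is reachable from inside the Postfix chroot.
# Function names and the scratch layout are assumptions of this example.

# Convert an absolute directory into the ../.. sequence that climbs back out
# of it, e.g. /var/spool/postfix -> ../../..  (the sed from step 5.2, as a
# function; a POSIX basic regular expression, so no '+' operator).
uplink_for() {
    printf '%s\n' "$1" | sed -e 's#[^/][^/]*#..#g' -e 's#^/##'
}

# Reproduce steps 5.1 and 5.2 below scratch root $1 for chroot directory $2:
# create <chroot>/BitDefender and <chroot><chroot>, then the relative symlink.
setup_layout() {
    root="$1"; chroot_dir="$2"
    mkdir -p "$root$chroot_dir/BitDefender" "$root$chroot_dir$chroot_dir"
    ln -s "$(uplink_for "$chroot_dir")/BitDefender" \
          "$root$chroot_dir$chroot_dir/BitDefender"
}

# Resolve socket path $3 the way Postfix would: below the scratch root when
# smtpd is not chrooted ($4 = no), below the chroot directory when it is
# ($4 = yes). Prints the physical directory (symlinks resolved) plus the
# socket file name, so the two views can be compared.
resolve_socket() {
    root="$1"; chroot_dir="$2"; sockpath="$3"; chrooted="$4"
    if [ "$chrooted" = yes ]; then
        base="$root$chroot_dir"
    else
        base="$root"
    fi
    ( cd -P "$base$(dirname "$sockpath")" 2>/dev/null &&
      printf '%s/%s\n' "$(pwd -P)" "$(basename "$sockpath")" )
}

# Succeeds only if both views of the socket path reach the same physical file.
check_socket_visibility() {
    root="$1"; chroot_dir="$2"; sockpath="$3"
    outside=$(resolve_socket "$root" "$chroot_dir" "$sockpath" no) || return 1
    inside=$(resolve_socket "$root" "$chroot_dir" "$sockpath" yes) || return 1
    [ "$outside" = "$inside" ]
}

# Stand-alone demonstration with the values used throughout this page.
demo() {
    scratch=$(mktemp -d) || return 1
    setup_layout "$scratch" /var/spool/postfix
    if check_socket_visibility "$scratch" /var/spool/postfix \
            /var/spool/postfix/BitDefender/bdmilterd.sock; then
        echo "socket path is visible inside and outside the chroot"
    else
        echo "socket path does NOT resolve inside the chroot; check the symlink" >&2
    fi
    rm -rf "$scratch"
}

demo
```

To check a real installation rather than the scratch layout, call check_socket_visibility with an empty scratch root, the value of postconf -h queue_directory, and the path from smtpd_milters; a failure means the $POSTFIXCHROOT/$POSTFIXCHROOT symlink from step 5.2 is missing or points at the wrong place.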
