MailScanner install instructions for quicksilver:
-------------------------------------------------

Background info:  quicksilver is one of two identically specced MXs at 
UKC running Exim v3.22 on Solaris 8 on a Sun Ultra5.  This machine 
indvidually ships approx 30,000 mails a day with load of around .1 .

Exim is installed under /usr/lib/exim  with a symlink for the exim
binary back to /usr/lib/sendmail for anything that wants sendmail (!).

The exim mail queues are located in /var/spool/exim/input   but this
directory is symblinked to /u1/mailspool.  This is to keep the mailspools
on a separate disk and to ensure that a mail explosion wont take out the
entire machine...  Also the 4.5gb disk should be enough to spool mail
for four days minimum (ie long weekend) should the central mail stores
be unavailable. 

=====================================================================
STAGE 1:  Install prerequisite binaries, perl modules,  mailsanner, sophos

The machine is still running as an MX at this point with normal mail
actions taking place.
=====================================================================

0.  Install lynx as the MailScanner autoupdate script uses this
    to pull the virus definitions from www.sohos.com  and you want
    to install this now as it will save you from swearing later (as
    I did).

Anyway lynx is a dog to compile on Solaris so I ripped all the files from
another host:

# rcp -p /usr/local/bin/lynx quicksilver:/usr/local/bin/lynx
# rcp -p /usr/local/lib/lynx.cfg quicksilver:/usr/local/lib/lynx.cfg
# rcp -pr /usr/local/lib/lynx_doc/ quicksilver:/usr/local/lib/lynx_doc/
# rcp -pr /usr/local/lib/lynx_help/ quicksilver:/usr/local/lib/lynx_help/
# rcp -p /usr/local/man/cat1/lynx.1 quicksilver:/usr/local/man/cat1/lynx.1
# rcp -p /usr/local/man/man1/lynx.1 quicksilver:/usr/local/man/man1/lynx.1

1.  Install the following perl modules (in this order):-

IO-stringy 

% cd IO-stringy-2.108 
% perl Makefile.PL
% make
% make test
# make install

MIME-Base64 

% cd ../MIME-Base64-2.12
% perl Makefile.PL

Then edit the Makefile so that:
Change the definition of CC to be gcc instead of cc 
Change the definition of LD to be gcc instead of cc 
Change the definition of CCCDLFLAGS to be -fPIC instead of -KPIC 
Change the definition of OPTIMIZE to be -O2 instead of -xO3 -xdepend 

% make
% make test     (unicode test is skipped - dont worry)
# make install

LibNet  (you need this as Solaris8  Perl version is old....) 

% cd ../libnet-1.09 
% perl Makefile.PL
        (we only need the DNS stuff as MailTools.pm  needs the DNS stuff
        and will winge if its not installed,  so let it do DNS lookups
        and hit return for everything else)
% make
% make test
        (this will fail parts of it ((see note above)),  however the bit we
        need is:  t/hostname..........ok )
# make install

MailTools

% cd ../MailTools-1.13
% perl Makefile.PL
% make
% make test
# make install

File-Spec (I used version 0.82) 

% cd ../File-Spec-0.82 
% perl Makefile.PL
% make
% make test
# make install

MIME-tools 

% cd ../MIME-tools-BETA-5.503    (its the only version I could find on CPAN)
% perl Makefile.PL
% make
% make test
# make install

2.  Need to update perl/gcc slightly as Solaris has not got the perl 
    headers to the C include functions...(which is thougtfull of SMI :-)

# cd /usr/include
# /usr/perl5/bin/h2ph -r -l .

Then edit the file /usr/perl5/site_perl/5.005/sun4-solaris/_h2ph_pre.ph 
and comment out line 2, which is the first line in the file starting with 
the word unless. 

#unless (defined &) { sub () { "" } }

3.  Install MailScanner

Ideally this must be installed into the same file system as the mail queues....

So in ~pao/src:
# tar xvf MailScanner-3.03-1.tar

then we need to move the binaries etc round...

# cp -pr mailscanner /u1/mailscanner
# cp -pr sophos /u1/sophos

NOTE:  the sophos directory does NOT include Sophos,  merely the wrapper
scripts that MailScanner uses to update the real sophos virus definitions. 

First though MailScanner doesn't come with an install script as such
so we fix the permissions:

# cd /u1
# chown -hR root:other mailscanner sophos   

(dont forget the -h as the R tells chown to go recursive and it follows 
symlinks by default which is potentialy quite embarassing but does give 
you a good oppurtunity to improve your shell scripting skills... :-)

By default mailscanner thinks its directories are in /opt/mailscanner
so for neatness we symlink the stuff back to /opt:

# ln -s /u1/mailscanner /opt/mailscanner
# ln -s /u1/sophos /opt/sophos

4. Install Sophos

Bizarrely Mailscanner comes with a script to install sophos but not itself...

However ensure that you have the latest version of the sophos distribution,
as of Jan 2002 the vdl file and the sophos binaries are at version 3.53,  
and there will only be downloads of vdls for this sophos version for three 
months - at which point the autoupdate script will probably break.....  
So you do this entire stage every three months (I think).

So untar sophos:

# cd ~pao/src
# tar xf solaris.sparc.tar

Which should decompress sophos into sav-install  under the current directory.

NOTE that version:  3.03-1  17th Jan  2002   the Sophos.install.solaris
script was the Linux version I dont think Julian did this on purpose,  but
if you are using that version of MailScanner  edit the file:
/opt/mailscanner/bin/Sophos.install.solaris as follows:

#SOPHOS=/usr/local/Sophos
#DISTRIB=linux.intel.libc6.tar.Z

SOPHOS=/opt/sophos
DISTRIB=solaris.sparc.tar.Z

Having fixed the file (assuming you needed to):

# cd ~pao/src/sav-install
# /opt/mailscanner/bin/Sophos.install.solaris

=========================================================
At this point all of the binaries should be installed.
=========================================================


=========================================================
STAGE2:  Configure mailscanner,  set paths etc etc 
         BUT DO NOT START mailscanner as the MX is still
         running and Exim itself needs a reconfigure.
=========================================================

At this point we edit:  /opt/mailscanner/etc/mailscanner.conf

I have just included the lines changed from the default:

Host name          = quicksilver.ukc.ac.uk

Clean Header       = No virus detected    
Infected Header    = Virus detected      
        (these were changed for politcal reasons :-)

Incoming Work Dir  = /opt/mailscanner/var/incoming
Quarantine Dir     = /opt/mailscanner/var/quarantine
        (These two are really linked back to /u1 where the mail spool is held)

Incoming Queue Dir = /var/spool/exim/incoming/input
Outgoing Queue Dir = /var/spool/exim/input
        (again the /var/spool/exim/incoming is linked bak to /u1)

MTA                = exim
Sendmail           = /usr/lib/exim/bin/exim

Sendmail2 = /usr/lib/exim/bin/exim -C /usr/lib/exim/configure.outgoing

Expand TNEF        = no    
        (this is handled by sophos automagically :-)

Deliver In Background = yes

The policy currently in place at UKC is as follows:

+ Reject specific file names - as in current Exim system filter:
        ie happy99.exe     *.pif.scr  etc etc
        but not *.exe :-(

+ virus check email as follows:
        - message to sender
        - deliver the clean bits to recipient
        - quarantine bad bits

Virus Scanning     = yes
Virus Scanner      = sophos
Sweep              = /opt/sophos/bin/sophoswrapper
Deliver To Recipients = yes
Notify Senders = yes

quicksilver# mkdir /u1/incoming
quicksilver# ln -s /u1/incoming /var/spool/exim/incoming

=====================================================================
STAGE 3:  Configure Exim
=====================================================================

First stop Exim running:

/etc/init.d/sendmail stop

Flush the mail queues,  delete frozen messages etc etc

Backup the configure file and copy it to two new ones for adjusting:

quicksilver# cp configure configure.pre-mailscanner
quicksilver# cp configure configure.incoming
quicksilver# cp configure configure.outgoing

We now edit the incoming configuration file so that it *only* queues
email and defers delivery.

The changes are:

# specify the spool directory for incoming mail...
spool_directory = /var/spool/exim/incoming

# force mail to queue - this can be bypassed so a router/driver pair 
# have also been added
queue_only = true 

# director to force queuing...
defer_director:
        driver = smartuser
        new_address= :defer: All deliveries are deferred

# router to deal with forced queuing director
defer_router:
        driver = domainlist
        self = defer
        route_list = "*         127.0.0.1       byname"

Next edit the outgoing configuration file,  so that it doesn't
place mail in a queue prior to processing - as MailScanner calls
it directly (I think).

#spool_directory = /var/spool/exim/outgoing

Now edit the startup script for exim:  /etc/rc2.d/S88sendmail so
it starts with:

/usr/lib/exim/bin/exim -C /usr/lib/exim/configure.incoming -bd
/usr/lib/exim/bin/exim -C /usr/lib/exim/configure.outgoing -q30m
/opt/mailscanner/bin/check_mailscanner  

That will then start both copies of exim with appropriate config files
as well as a copy of mailscanner

Next we edit roots crontab entries:

# mailscanner stop and restart
0,20,40 * * * * [ -x /opt/mailscanner/bin/check_mailscanner ] && /opt/mailscanner/bin/check_mailscanner >/dev/null 2>&1
# Automatically fetch updates to Sophos just after midnight
13 0 * * * [ -x /opt/sophos/bin/autoupdate ] && /opt/sophos/bin/autoupdate >/dev/null 2>&1

The first kicks mailscanner every 20 mins and is an anti embarrassment 
measure - just in case it does die - at which point mail gets queued
locally and nowt else happens.

The second update the virus definition files - which is generally a good idea...

Finally syslog needs configuring to log somewhere sane,
so adjusted /etc/syslog.conf to include:

mail.debug                      /opt/mailscanner/var/log

Don't forget to send syslogd a HUP:

# pkill -HUP syslogd

#########################################################
At this point everything should be in place.

So starting up the mail system out of the sendmail script
in /etc/rc2.d  should get things going.....
