
Recipe 21.8. Setting Up Clam Anti-Virus on a Postfix Server

21.8.1 Problem

You want a good anti-virus scanner on your Postfix mail server, to automatically scan all incoming mail and to reject infected mail.

21.8.2 Solution

Use Clam Anti-Virus and Amavisd-new on your Postfix server. Amavisd-new is a Perl wrapper that acts as an SMTP proxy, to manage the message flow between Clam AV and Postfix. Clam AV cannot directly scan incoming emails by itself.

Note that this is a radical departure from the previous recipes, which describe how to set up UBE controls and whitelists in Postfix. All of that will now be handled by Amavisd-new, not Postfix.

RPM users need clamav and amavisd-new. Debian users need amavisd-new, clamav, clamav-base, clamav-daemon, and clamav-freshclam.

Back up your configuration files before making any changes. Then set up Amavisd-new. Create /var/log/amavis.log, and assign ownership to the "amavis" user and group, which should have been created by the package manager.

Next, edit /etc/amavis/amavisd.conf. In Section 1, set $mydomain and $myhostname to your own values, and uncomment the following lines:

$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications

Disable virus quarantines in Section IV, because virus-infested messages will be rejected at the SMTP level. There's no point in saving them, as the vast majority are autogenerated with forged return addresses:

$QUARANTINEDIR = undef;
$virus_quarantine_to = undef;

Also in Section IV, disable all auto-notifications to senders. Most return addresses are forged; it's pointless to send out "Hey, you sent me a virus!" notices. This rejects virus-infested messages without notification of any kind:

$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)

Next, find Section VII and uncomment the Clam AV section. Comment out all virus scanners you are not using:

### http://www.clamav.net/
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {  }\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Now make sure Amavisd-new is stopped, and check the configuration with the built-in debugger:

# /etc/init.d/amavis stop
# amavis debug

This spits out a configuration summary; all you need to worry about are error messages. Next, start it back up and connect with telnet to confirm that Amavisd-new is running:

# /etc/init.d/amavis start
$ telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready

Amavisd-new is running, so quit telnet:

^]
telnet> quit
Connection closed.

Next, configure Postfix to use Amavisd-new, which will now function as an SMTP proxy server. Add this to the end of /etc/postfix/master.cf:

smtp-amavis unix -   -     n   -    2  smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes

127.0.0.1:10025 inet n - n - - smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
   -o strict_rfc821_envelopes=yes

Then add this line to /etc/postfix/main.cf:

content_filter = smtp-amavis:[127.0.0.1]:10024

And do a complete stop/start cycle for Postfix:

# /etc/init.d/postfix stop
# /etc/init.d/postfix start

The final step is to make the "amavis" user the owner of Clam AV's files and directories; Amavisd-new cannot hand messages to the scanner otherwise. First, open /etc/clamav/clamav.conf and /etc/amavis/amavisd.conf, and make sure that amavisd.conf references the same socket file that clamav.conf sets with "LocalSocket":

## /etc/clamav/clamav.conf
LocalSocket /var/run/clamav/clamd.ctl

## /etc/amavis/amavisd.conf
### http://www.clamav.net/
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {  }\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Now you must make the "amavis" user the owner of all directories that Clam AV uses. In this example, that is:

  • LogFile /var/log/clamav/clamav.log

  • PidFile /var/run/clamav/clamd.pid

  • DatabaseDirectory /var/lib/clamav/

For example:

# chown -R amavis:amavis /var/log/clamav/

Be careful! Only change ownership of directories that belong exclusively to Clam AV; any Clam AV files that live in shared directories must be changed individually. Now open /etc/clamav/freshclam.conf, and do the same with any directories listed there. Finally, hunt down any files belonging to Clam AV in /etc/logrotate.d/. For example:

  • /etc/logrotate.d/clamav-daemon

  • /etc/logrotate.d/clamav-freshclam

The filenames may vary. Inside each file, find this line:

create 640 clamav adm

Change it to:

create 640 clamav amavis

Save your changes, and restart both clamd and freshclam. On Debian, use:

# /etc/init.d/clamav-daemon reload
# /etc/init.d/clamav-freshclam reload

On Red Hat and Fedora, use:

# /etc/init.d/clamd reload
# /etc/init.d/freshclam reload

And you're done. Now you can start sending test messages and watching your logs.
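The CONTSCAN exchange and the three patterns uncommented above are what decide whether a message is clean, infected, or unscannable. This added example (not part of the recipe or of Amavisd-new) speaks the same request to clamd's LocalSocket and applies the same three regular expressions in Python; the sample replies are constructed, and the precedence (a FOUND line beats any OK line) is this example's choice.

```python
import re
import socket

# The three patterns the recipe uncomments for 'Clam Antivirus-clamd': clean, infected, name.
RE_CLEAN = re.compile(r"\bOK$", re.MULTILINE)
RE_INFECTED = re.compile(r"\bFOUND$", re.MULTILINE)
RE_NAME = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.MULTILINE)

# Constructed CONTSCAN replies (one line per scanned file); not captured from a real clamd.
SAMPLE_CLEAN = "/var/lib/amavis/tmp/amavis-x/parts/p001: OK\n"
SAMPLE_FOUND = "/var/lib/amavis/tmp/amavis-x/parts/p001: Eicar-Test-Signature FOUND\n"
SAMPLE_ARCHIVE = ("/var/lib/amavis/tmp/amavis-x/parts/p002: Infected Archive FOUND\n"
                  "/var/lib/amavis/tmp/amavis-x/parts/p002: Eicar-Test-Signature FOUND\n")
SAMPLE_ERROR = "/var/lib/amavis/tmp/amavis-x/parts/p003: lstat() failed. ERROR\n"


def classify(reply):
    """Turn a CONTSCAN reply into (verdict, [signature names]).

    A multi-file reply may contain both OK and FOUND lines, so one FOUND wins
    (this example's precedence); a reply matching neither pattern is an error,
    which is what you see when clamd cannot read the files amavis hands it.
    The negative lookahead in RE_NAME skips a line whose name is only
    'Infected Archive', so the real signature name is what gets reported.
    """
    if RE_INFECTED.search(reply):
        return "infected", RE_NAME.findall(reply)
    if RE_CLEAN.search(reply):
        return "clean", []
    return "error", []


def ask_clamd(path_to_scan, socket_path="/var/run/clamav/clamd.ctl"):
    """Send the 'CONTSCAN <path>' request that ask_daemon sends, over the socket
    named by LocalSocket in clamav.conf, and classify clamd's reply.
    Needs a running clamd; the caller must be allowed to open the socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(("CONTSCAN %s\n" % path_to_scan).encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks).decode(errors="replace"))


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_FOUND, SAMPLE_ARCHIVE, SAMPLE_ERROR):
        print(classify(sample))
```

Running `ask_clamd("/var/lib/amavis/tmp")` as the "amavis" user is a quick way to confirm that the socket path and the ownership changes above are right before sending test mail.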

21.8.3 Discussion

You'll save yourself a lot of work if you install from packages, rather than sources. If you must install from sources, read all the documentation. You'll have to manually create all kinds of users, directories, and init scripts.

The -o content_filter= and -o smtpd_xxx_restrictions= directives in master.cf override the directives in /etc/postfix/main.cf. You do not want duplications, because they will either waste system resources or create loops—and Clam AV, together with SpamAssassin, will do a better, less error-prone job of filtering mail than the Postfix UBE checks described in the previous recipes.
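A mistake in the re-injection listener, most often a missing empty content_filter= override, sends scanned mail straight back to Amavisd-new in a loop. This added example (not from the recipe or from Postfix) parses a master.cf fragment modelled on the one above (constructed, not a real file) and reports the overrides that the 127.0.0.1:10025 service must carry.

```python
import re

# Constructed master.cf fragment mirroring the recipe's two added services (not a real file).
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtp-amavis unix -   -     n   -    2  smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
"""


def parse_master_cf(text):
    """Return {service: {"type": ..., "command": ..., "options": {key: value}}}.
    A service line has eight fields; indented '-o key=value' lines belong to it."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([^=]+)=(.*)$", line)
            if m and current is not None:
                services[current]["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed entry; real postfix would reject it
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7], "options": {}}
    return services


def reinjection_problems(services, reinject="127.0.0.1:10025", filter_svc="smtp-amavis"):
    """List the overrides missing from the re-injection listener that the recipe relies on."""
    svc = services.get(reinject)
    if svc is None:
        return ["re-injection listener %s is missing" % reinject]
    opts, problems = svc["options"], []
    if opts.get("content_filter") != "":
        problems.append("%s needs an empty content_filter= or mail loops back to amavisd" % reinject)
    if "no_header_body_checks" not in opts.get("receive_override_options", ""):
        problems.append("%s should skip header/body checks already done by amavisd" % reinject)
    if opts.get("mynetworks") != "127.0.0.0/8":
        problems.append("%s should accept re-injected mail from localhost only" % reinject)
    if services.get(filter_svc, {}).get("command") != "smtp":
        problems.append("%s smtp client service is missing" % filter_svc)
    return problems
```

Point `parse_master_cf` at the contents of your own /etc/postfix/master.cf to run the same checks against the live configuration.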

The two Clam AV components of greatest interest are clamd, the scanning daemon, and freshclam, which automatically fetches virus definition updates. These are configured in /etc/clamav/clamav.conf and /etc/clamav/freshclam.conf, respectively. The defaults should be fine; there really isn't much to tweak, except that you should pick a different update mirror for freshclam.conf from the list at http://www.clamav.net/mirrors.html. Be kind—don't use the default mirror.

21.8.4 See Also

  • The Postfix FILTER_README, which describes how mail is moved between Postfix and Amavisd-new in detail

  • Local Amavisd-new documentation (/usr/share/doc/amavisd-new, amavisd-new(8), and /usr/share/doc/amavisd-new/README.postfix)

  • Local Clam AV documentation (/usr/share/doc/clamav)

  • Clam Anti-Virus (http://www.clamav.net)

  • Amavisd-new (http://www.ijs.si/software/amavisd)
