Distroname and release: Debian Squeeze

Postfix with Antivirus filter using ClamAV

Actually, viruses were not a big problem for me (since my clients are *nix based) ;), but they could be for some.
Also I wanted to make sure that I do not spread viruses to other computers, for example during backups or similar! So I decided to configure an antivirus scanner on my Postfix installation. This works for both incoming and outgoing mail. The original post and author can be found here:
http://memberwebs.com/stef/software/clamsmtp/postfix.html

This is just my own writeup/rewriteup for getting this to work.

Configuring the source list

Since Debian Squeeze 6.0, volatile has been replaced with squeeze-updates.
You can read more about it here: http://lists.debian.org/debian-volatile-announce/2011/msg00000.html

For Debian Lenny, it is an absolute must to have volatile in your sources.list, and for Debian Squeeze squeeze-updates, since antivirus definitions and revision updates to the application are released very often.
By adding volatile or squeeze-updates to the sources list, we make sure that we get these updates as soon as they are released. Of course, we will still need to update the system manually!

If you want to know more about volatile, please follow this link: The Debian Volatile Project
Again, note that volatile has been replaced with squeeze-updates: http://lists.debian.org/debian-volatile-announce/2011/msg00000.html

For Debian Lenny Only
In the example below, the volatile source is the last line, and the only one we have added here. The rest of the source lines were already there.
/etc/apt/sources.list
deb http://debian.uni-c.dk/debian/ stable main contrib non-free
deb-src http://debian.uni-c.dk/debian/ stable main contrib non-free
deb http://security.debian.org/debian-security stable/updates main
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
For Debian Squeeze Only
Again, the last two lines are the ones we want for keeping ClamAV up to date.
/etc/apt/sources.list
deb http://ftp.dk.debian.org/debian/ squeeze main
deb-src http://ftp.dk.debian.org/debian/ squeeze main

#normal security updates
deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main

#rolling non-security updates 
deb http://ftp.dk.debian.org/debian/ squeeze-updates main
deb-src http://ftp.dk.debian.org/debian/ squeeze-updates main

After adding the volatile or squeeze-updates source, update the package lists.
# aptitude update

Install the clamsmtp package.

This will install the clamav daemon and freshclam as well, which we will need!
# aptitude install clamsmtp
Just after the installation you will be presented with options on how you wish to update the antivirus definitions.

Configure ClamAV

I have configured it as follows.
1) I select daemon here since the server is always connected to the internet.
2) Choose the mirror closest to you (in my example, this is Denmark).
3) Proxy information for accessing the internet. None, in my case.
4) Select yes to update the databases on each update.
5) Select yes to remove quarantined packages when removing packages with the --purge option.
Now you should see ClamAV updating the antivirus definitions.
Let it run; it could take some time.

Next, configure the clamsmtpd conf file. Listen is the port on which clamsmtpd receives mail from Postfix for scanning, and OutAddress is the port on which it hands scanned mail back to Postfix.
Actually this is not needed, since these should be the default values, but check anyway!
/etc/clamsmtpd.conf
OutAddress: 10026
Listen: 127.0.0.1:10025

Configure Postfix

Time to configure Postfix. We need to edit master.cf and main.cf.

Insert the following lines into main.cf. Note the parameter name carefully: Postfix silently ignores a misspelled parameter, and without receive_override_options=no_address_mappings the address rewriting would run twice, before and after the scan.
/etc/postfix/main.cf
content_filter                  = scan:127.0.0.1:10025
receive_override_options        = no_address_mappings
Afterwards, edit master.cf. This one is a little trickier.
Also make sure that there is no whitespace around the '=' signs in the -o options!
/etc/postfix/master.cf
scan      unix  -       -       n       -       16      smtp
         -o smtp_send_xforward_command=yes
         -o smtp_enforce_tls=no

#Inject mail into postfix from the content filter
127.0.0.1:10026 inet    n       -       n       -       16      smtpd
         -o content_filter=
         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
         -o smtpd_helo_restrictions=
         -o smtpd_client_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o mynetworks_style=host
         -o smtpd_authorized_xforward_hosts=127.0.0.0/8
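Because Postfix ignores a misspelled main.cf parameter and a stray space around '=' in a master.cf -o option, a quick check before restarting is worth having. The following is an added example, not code from the original post or from the clamsmtp project: it parses constructed main.cf/master.cf fragments modelled on the ones above (with a misspelled parameter and a spaced '=' planted on purpose) and reports anything that would break the content filter wiring: unknown main.cf parameters, a missing receive_override_options, a content_filter transport with no master.cf service, a missing 10026 re-injection listener, a re-injection listener whose content_filter is not empty (which would loop mail back through the scanner), and whitespace around '='. The parameter set and the port number are assumptions taken from this how-to.

```python
import re

# Constructed fragments modelled on the page's main.cf/master.cf, with two
# mistakes planted deliberately: a misspelled parameter name in main.cf and
# whitespace around '=' in a master.cf -o option.
BROKEN_MAIN_CF = """\
content_filter                  = scan:127.0.0.1:10025
recieve_override_options        = no_address_mappings
"""

BROKEN_MASTER_CF = """\
scan      unix  -       -       n       -       16      smtp
         -o smtp_send_xforward_command=yes
         -o smtp_enforce_tls = no

# Inject mail into postfix from the content filter
127.0.0.1:10026 inet    n       -       n       -       16      smtpd
         -o content_filter=
         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

# Only the main.cf parameters this how-to adds (an assumption for the check);
# any other name is reported so a typo that Postfix would ignore cannot slip through.
EXPECTED_MAIN_PARAMS = {"content_filter", "receive_override_options"}


def parse_main_cf(text):
    """Return {parameter: value} for 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"command": ..., "options": [(name, value, raw)]}}.

    A service line has eight whitespace-separated columns; indented lines that
    follow it carry '-o name=value' overrides for that service.
    """
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+(.*)$", line)
            if m and current is not None:
                raw = m.group(1).rstrip()
                name, _, value = raw.partition("=")
                services[current]["options"].append((name, value, raw))
            continue
        fields = line.split()
        if len(fields) >= 8:
            current = fields[0]
            services[current] = {"command": fields[7], "options": []}
    return services


def check_filter_config(main_cf, master_cf):
    """Return a list of findings; an empty list means the wiring looks right."""
    findings = []
    params = parse_main_cf(main_cf)
    services = parse_master_cf(master_cf)

    for key in params:
        if key not in EXPECTED_MAIN_PARAMS:
            findings.append(f"main.cf: unknown parameter '{key}' (misspelling? Postfix ignores it)")
    if "receive_override_options" not in params:
        findings.append("main.cf: receive_override_options=no_address_mappings missing; "
                        "address rewriting would run twice, before and after the scan")

    # The transport named in content_filter (here 'scan') must be a master.cf service.
    transport = params.get("content_filter", "").partition(":")[0]
    if transport not in services:
        findings.append(f"master.cf: content_filter transport '{transport}' has no service entry")

    # clamsmtpd hands mail back on 10026; that listener must not filter again.
    reinject = [s for s, v in services.items()
                if s.endswith(":10026") and v["command"] == "smtpd"]
    if not reinject:
        findings.append("master.cf: no smtpd listener on port 10026 for clamsmtpd to hand mail back to")
    else:
        opts = {n.strip(): v.strip() for n, v, _ in services[reinject[0]]["options"]}
        if opts.get("content_filter", "unset") != "":
            findings.append("master.cf: re-injection listener must set an empty content_filter= "
                            "or every message is scanned again in a loop")

    for svc, v in services.items():
        for _, _, raw in v["options"]:
            if re.search(r"\s=|=\s", raw):
                findings.append(f"master.cf: service '{svc}': whitespace around '=' in '-o {raw}'")
    return findings


# The same fragments with both planted mistakes corrected.
FIXED_MAIN_CF = BROKEN_MAIN_CF.replace("recieve_override_options", "receive_override_options")
FIXED_MASTER_CF = BROKEN_MASTER_CF.replace("smtp_enforce_tls = no", "smtp_enforce_tls=no")

if __name__ == "__main__":
    for label, m, s in (("broken", BROKEN_MAIN_CF, BROKEN_MASTER_CF),
                        ("fixed", FIXED_MAIN_CF, FIXED_MASTER_CF)):
        print(label, check_filter_config(m, s) or ["OK"])
```

On a real box, read the two files with open() instead of the embedded strings; the broken pair yields three findings and the fixed pair none.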

Startup the services

OK, now everything is configured and should be working!
Just make sure that postfix, clamsmtpd and clamav-daemon are running!
If either clamav-daemon or clamsmtpd is not running, you will get failures in the log.

So we just restart all of them, to be sure that all changes are applied.
# /etc/init.d/clamav-daemon restart
# /etc/init.d/clamsmtp restart
# /etc/init.d/postfix restart
Hopefully everything should now be running.
# ps aux |grep clam
clamav   17940  0.0 17.7 104752 86064 ?        Ss   18:55   0:00 /usr/sbin/clamd
clamsmtp 18347  0.0  0.1   1884   736 ?        Ss   19:36   0:00 /usr/sbin/clamsmtpd

Now test using the EICAR test file.

This is not a virus, but a harmless file that antivirus scanners are designed to detect as one. It is used to test antivirus installations and setups, so it does NO harm at all!
http://www.eicar.org/anti_virus_test_file.htm

Test, and WATCH THE LOGS: /var/log/mail.log !!!

A working output, where the EICAR test file is caught and the e-mail is deleted!
Mar 15 19:04:43 loke clamsmtpd: 100007: accepted connection from: 127.0.0.1
Mar 15 19:04:43 loke postfix/smtpd[18034]: connect from localhost[127.0.0.1]
Mar 15 19:04:43 loke postfix/smtpd[18016]: disconnect from mailhost.example2.com[xxx.xxx.xxx.xxx]
Mar 15 19:04:43 loke postfix/smtpd[18034]: D486212224: client=localhost[127.0.0.1]
Mar 15 19:04:43 loke postfix/smtp[18031]: B91134E16: to=<mail@example.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.19, delays=0.07/0/0.05/0.07, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
Mar 15 19:04:43 loke postfix/qmgr[17679]: B91134E16: removed
Mar 15 19:04:43 loke clamsmtpd: 100007: from=mail@example2.com, to=mail@example.com, status=VIRUS:Eicar-Test-Signature
Mar 15 19:04:43 loke postfix/smtpd[18034]: disconnect from localhost[127.0.0.1]
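Note what the excerpt shows: Postfix records the discarded message as status=sent with dsn=2.0.0, so from the Postfix side (and the sending server's side) the delivery looks successful; the only record of the detection is the clamsmtpd line with status=VIRUS:... and the "Virus Detected; Discarded Email" text in the SMTP reply. Anything that watches this setup therefore has to read the clamsmtpd lines. The following is an added example, not code from the original post or from clamsmtp: it parses constructed mail.log lines modelled on the excerpt above (the CLEAN and ERROR lines and their addresses are made up for the sample), extracts one record per clamsmtpd verdict, pulls out the queue ids Postfix reported as discarded, and lists the entries a defender would want to act on: detections and scan errors, the latter because an ERROR verdict means clamd gave no answer and the scanner itself needs attention.

```python
import re
from collections import Counter

# Constructed sample of /var/log/mail.log, modelled on the excerpt above.
# Hostnames, addresses and queue ids are placeholders; the CLEAN and ERROR
# lines were added to show the other two outcomes clamsmtpd can log.
MAIL_LOG = """\
Mar 15 19:04:43 loke clamsmtpd: 100007: accepted connection from: 127.0.0.1
Mar 15 19:04:43 loke postfix/smtp[18031]: B91134E16: to=<mail@example.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.19, delays=0.07/0/0.05/0.07, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
Mar 15 19:04:43 loke postfix/qmgr[17679]: B91134E16: removed
Mar 15 19:04:43 loke clamsmtpd: 100007: from=mail@example2.com, to=mail@example.com, status=VIRUS:Eicar-Test-Signature
Mar 15 19:05:10 loke clamsmtpd: 100008: from=alice@example2.com, to=bob@example.com, status=CLEAN
Mar 15 19:05:31 loke clamsmtpd: 100009: from=carol@example2.com, to=bob@example.com, status=ERROR
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# clamsmtpd verdict line: "<id>: from=..., to=..., status=VIRUS:<sig>|CLEAN|ERROR"
CLAMSMTP_RE = re.compile(
    SYSLOG_PREFIX + r"clamsmtpd: (?P<id>\d+): "
    r"from=(?P<sender>[^,]+), to=(?P<rcpt>[^,]+), status=(?P<status>\S+)$")

# Postfix side of a discard: the filter answered 250 and the queue entry is "sent".
DISCARD_RE = re.compile(
    SYSLOG_PREFIX + r"postfix/smtp\[\d+\]: (?P<queue>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=127\.0\.0\.1\[127\.0\.0\.1\]:10025.*status=sent \(250 Virus Detected; Discarded Email\)$")


def parse_scan_results(text):
    """One record per clamsmtpd verdict line; signature is None unless status is VIRUS."""
    results = []
    for line in text.splitlines():
        m = CLAMSMTP_RE.match(line)
        if not m:
            continue
        status, _, signature = m.group("status").partition(":")
        results.append({"ts": m.group("ts"), "id": m.group("id"),
                        "sender": m.group("sender"), "rcpt": m.group("rcpt"),
                        "status": status, "signature": signature or None})
    return results


def discarded_queue_ids(text):
    """Queue ids that Postfix logged as 'sent' although the filter discarded them."""
    return [m.group("queue") for m in map(DISCARD_RE.match, text.splitlines()) if m]


def summarize(results):
    """Count verdicts by outcome (VIRUS / CLEAN / ERROR)."""
    return Counter(r["status"] for r in results)


def alerts(results):
    """Entries worth acting on: detections, and ERROR verdicts (clamd gave no answer)."""
    out = []
    for r in results:
        if r["status"] == "VIRUS":
            out.append(f"{r['ts']} {r['id']}: VIRUS {r['signature']} "
                       f"from {r['sender']} to {r['rcpt']} (discarded)")
        elif r["status"] == "ERROR":
            out.append(f"{r['ts']} {r['id']}: scan ERROR for {r['sender']} -> {r['rcpt']}; "
                       "check that clamav-daemon and clamsmtpd are running")
    return out


if __name__ == "__main__":
    results = parse_scan_results(MAIL_LOG)
    print(dict(summarize(results)))
    print("postfix discards:", discarded_queue_ids(MAIL_LOG))
    for a in alerts(results):
        print(a)
```

Feed it the real file with open("/var/log/mail.log").read(); the summary counts give a cheap sanity check that the scanner actually sees traffic (a day with zero clamsmtpd verdicts while Postfix is busy means mail is bypassing the filter).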
Done, you should now be one step closer to being virus-free!
Do not trust the author's words! PoC, tests and experience are key.

Copyright LinuxLasse.net 2009 - 2024 All Rights Reserved.
