Feed Your Virus Worries to a Clam

By Carla Schroder | Sep 1, 2004
http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_3402591_2/Feed-Your-Virus-Worries-to-a-Clam.htm

Last week, we looked at how to set up SpamAssassin with Postfix, as part of a lean, mean, spam-killing gateway machine. This week we'll add an anti-virus scanner to our bubbling brew.

Prerequisites: a nice Postfix server already running and working smoothly. Then add Amavisd-new and ClamAV, and you're in business.

You need Amavisd-new because Postfix does not directly support anti-virus scanners. Amavisd-new acts as an SMTP proxy: Postfix hands incoming mail to Amavisd-new, Amavisd-new runs it through ClamAV, and whatever survives is handed back to Postfix for final delivery. Amavisd-new supports several AV scanners; you don't have to use ClamAV. I just like the name. Plus it's GPL, and it works very well.

Configuring Postfix To Use Amavisd-new

Set up Postfix and Amavisd-new by following the directions in last week's article under Configuring Postfix To Use Amavisd-new.

Installing ClamAV

No big deal here: get sources or binary packages from Clam AntiVirus, or grab packages from wherever you usually get packages for your Linux distribution.

Configure Amavisd-new

Edit /etc/amavis/amavisd.conf. In Section 1, set $mydomain and $myhostname to your own values. Then, uncomment:

$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications

That tells Amavisd-new to pass on any messages that survive virus-scanning to Postfix for final delivery.

Next, we're going to disable virus quarantines, and reject virus-infested messages without notification. There is absolutely no point in sending auto-replies to senders of infected messages, because -- are you listening? Do I have your full attention? The return addresses are forged. Don't send replies to forged addresses. All bounced virus notifications do is clog the Internet with useless traffic. Geeks who receive your bounce messages will be annoyed and know you are lame. Regular folks will be puzzled or alarmed, and may pester you for help. Lose-lose-lose all the way.

To configure this, move down to Section IV. Here we shall disable quarantining virus-infested messages:

$QUARANTINEDIR = undef;
$virus_quarantine_to = undef;
$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)

D_DISCARD drops the sucker cold, with no notification to the sender of any kind. Boom, dead.

Find Section VII and uncomment the Clam AV section, and comment out all the virus scanners you are not using. Make sure all ClamAV lines are uncommented:

### http://www.clamav.net/
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
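As an added illustration (not from the article or the amavisd-new project), the following Python translates the three patterns in that ClamAV entry and applies them to clamd's reply lines the way amavisd's ask_daemon does. The reply lines are constructed samples; contscan() assumes a live clamd listening on the socket path shown in the entry above.

```python
import re
import socket

# The three patterns from the amavisd.conf ClamAV entry, translated to Python.
OK_RE = re.compile(r"\bOK$")
FOUND_RE = re.compile(r"\bFOUND$")
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")

# Constructed sample replies in clamd's "path: result" format (not captured output).
SAMPLE_REPLIES = [
    "/var/tmp/clean.txt: OK",
    "/var/tmp/eicar.com: Eicar-Test-Signature FOUND",
    "/var/tmp/nested.zip: Infected Archive FOUND",
    "/var/tmp/missing.doc: lstat() failed: No such file or directory. ERROR",
]

def classify(reply_line):
    """Map one clamd reply line to (verdict, name) as the amavisd entry does:
    OK -> clean; FOUND -> infected, with the name taken from the third regex
    (None when the 'Infected Archive' lookahead excludes it); anything else -> error."""
    line = reply_line.rstrip("\n")
    if OK_RE.search(line):
        return ("clean", None)
    if FOUND_RE.search(line):
        m = NAME_RE.match(line)
        return ("infected", m.group(1) if m else None)
    return ("error", None)

def contscan(path, sock_path="/var/run/clamav/clamd.ctl"):
    """Ask a running clamd to scan `path` over its Unix socket, mirroring the
    CONTSCAN exchange amavisd uses. Returns one (verdict, name) per reply line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(("CONTSCAN %s\n" % path).encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    text = b"".join(chunks).decode(errors="replace")
    return [classify(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print("%-70s -> %s" % (line, classify(line)))
```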

Now make sure Amavisd-new is stopped, and check the configuration with the built-in debugger:

# /etc/init.d/amavis stop
# amavis debug

This spits out a configuration summary and checks syntax. If there are any error messages, correct the errors before proceeding.

Next, start it back up and connect with telnet to confirm that Amavisd-new is running:

# /etc/init.d/amavis start
$ telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready

Amavisd-new is running, so quit telnet:

^]
telnet> quit
Connection closed.

Configuring ClamAV

Now open /etc/clamav/clamav.conf and /etc/amavis/amavisd.conf, and make sure that amavisd.conf references the "Local Socket" file named in clamav.conf:

## /etc/clamav/clamav.conf 
LocalSocket /var/run/clamav/clamd.ctl

##/etc/amavis/amavisd.conf
### http://www.clamav.net/
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
....

Now you must change the ownership of all directories that ClamAV uses to the "amavis" user. It won't work otherwise. If an amavis user and group were not created by the installer, create them now. In most installations, ClamAV creates these directories:

LogFile /var/log/clamav/clamav.log
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav/

Change ownership like this:

# chown -R amavis:amavis /var/log/clamav/

Be careful! Only change directories that belong exclusively to ClamAV; don't do this with any shared directories. Now open /etc/clamav/freshclam.conf and do the same with any other directories you find listed there.

Next, locate any files belonging to ClamAV in /etc/logrotate.d/:

/etc/logrotate.d/clamav-daemon
/etc/logrotate.d/clamav-freshclam

The filenames may vary a bit, depending on your Linux distribution. Inside the files, find this line:

create 640 clamav adm

and change it to:

create 640 clamav amavis

Save your changes, and restart both clamd and freshclam. On Debian:

# /etc/init.d/clamav-daemon reload
# /etc/init.d/clamav-freshclam reload

On Red Hat/Fedora:

# /etc/init.d/clamd reload
# /etc/init.d/freshclam reload
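As an added check (not part of the article), this Python script verifies the two things the steps above depend on: that the ask_daemon socket path in amavisd.conf matches LocalSocket in clamav.conf, and that the directories derived from LogFile, PidFile and DatabaseDirectory are owned by the amavis user. The embedded configs are constructed samples; read the real files into the same functions to check a live host.

```python
import os
import pwd
import re

# Constructed sample configs mirroring the article (not copied from a real host).
CLAMAV_CONF = """\
LocalSocket /var/run/clamav/clamd.ctl
LogFile /var/log/clamav/clamav.log
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav/
"""
AMAVISD_CONF = """\
['Clam Antivirus-clamd',
  \\&ask_daemon, ["CONTSCAN {}\\n", "/var/run/clamav/clamd.ctl"],
"""

def clamav_directives(text):
    """Return {directive: value} for the clamav.conf lines the article cares about."""
    wanted = {"LocalSocket", "LogFile", "PidFile", "DatabaseDirectory"}
    out = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key in wanted:
            out[key] = value.strip()
    return out

def amavis_clamd_socket(text):
    """Socket path from the ask_daemon entry in amavisd.conf, or None if absent."""
    m = re.search(r'ask_daemon,\s*\["CONTSCAN \{\}\\n",\s*"([^"]+)"\]', text)
    return m.group(1) if m else None

def socket_paths_match(clamav_text, amavis_text):
    return clamav_directives(clamav_text).get("LocalSocket") == amavis_clamd_socket(amavis_text)

def dirs_to_own(clamav_text):
    """Directories that must belong to amavis: parents of LogFile/PidFile plus DatabaseDirectory."""
    d = clamav_directives(clamav_text)
    dirs = {os.path.dirname(d[k]) for k in ("LogFile", "PidFile") if k in d}
    if "DatabaseDirectory" in d:
        dirs.add(d["DatabaseDirectory"].rstrip("/"))
    return sorted(dirs)

def owner_mismatches(dirs, user="amavis"):
    """Existing directories not owned by `user` (all of them if the user is missing)."""
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        return list(dirs)
    return [p for p in dirs if os.path.isdir(p) and os.stat(p).st_uid != uid]
```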

And you're done. Now you can start sending test messages and watching your logs.

You'll save yourself a lot of work if you install from packages, rather than sources. If you must install from sources, read all the documentation. You'll have to manually create all kinds of users and directories and init scripts.

The two ClamAV components of greatest interest are clamd, the scanning daemon, and freshclam, which automatically fetches virus definition updates. These are configured in /etc/clamav/clamav.conf and /etc/clamav/freshclam.conf. The defaults should be fine; there really isn't much to tweak. The exception is the update mirror: pick a different one for freshclam.conf from http://www.clamav.net/mirrors.html. Be kind -- don't use the default mirror.

Next Week

Next week, in Part 3, we'll go more in-depth into the role Postfix plays in all this, and look at how to test and monitor your nice new anti-spam, anti-virus gateway for effectiveness.
