Feed Your Virus Worries to a Clam

Building an Anti-Virus/Anti-Spam Gateway (Part 2): With ClamAV, your Linux-based secure mail gateway can feed on viruses before they get to your users. Here's how to do it quickly and easily, and without looking like a bozo to the rest of the 'net.

By Carla Schroder

Last week, we looked at how to set up SpamAssassin with Postfix, as part of a lean, mean, spam-killing gateway machine. This week we'll add an anti-virus scanner to our bubbling brew.

Prerequisites: a nice Postfix server already running and working smoothly. Then add Amavisd-new and ClamAV, and you're in business.

You need Amavisd-new, because Postfix does not directly support anti-virus scanners. Amavisd-new acts as an SMTP proxy: Postfix hands incoming mail to Amavisd-new. Amavisd-new then stuffs it through ClamAV, then hands off whatever messages remain after processing to Postfix for final delivery. Amavisd-new supports several AV scanners, so you don't have to use ClamAV. I just like the name. Plus it's GPL, and it works very well.

Configuring Postfix To Use Amavisd-new

Set up Postfix and Amavisd-new by following the directions in last week's article under Configuring Postfix To Use Amavisd-new.

Installing ClamAV

No big deal here: get sources or binary packages from Clam AntiVirus, or grab packages from wherever you usually get packages for your Linux distribution.

Configure Amavisd-new

Edit /etc/amavis/amavisd.conf. In Section 1, set $mydomain and $myhostname to your own values. Then, uncomment:

$forward_method = 'smtp:'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications

That tells Amavisd-new to pass on any messages that survive virus-scanning to Postfix for final delivery.

Next, we're going to disable virus quarantines, and reject virus-infested messages without notification. There is absolutely no point in sending auto-replies to senders of infected messages, because -- are you listening? Do I have your full attention? The return addresses are forged. Don't send replies to forged addresses. All bounced virus notifications do is clog the Internet with useless traffic. Geeks who receive your bounce messages will be annoyed and know you are lame. Regular folks will be puzzled or alarmed, and may pester you for help. Lose-lose-lose all the way.

To configure this, move down to Section IV. Here we shall disable quarantining virus-infested messages:

$virus_quarantine_to = undef;
$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)

D_DISCARD drops the sucker cold, with no notification to the sender of any kind. Boom, dead.

Find Section VII and uncomment the Clam AV section, and comment out all the virus scanners you are not using. Make sure all ClamAV lines are uncommented:

### http://www.clamav.net/
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
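To show what that entry actually makes Amavisd-new do, here is an added example (not the article's or amavisd-new's own code): a small Python script that sends the same CONTSCAN command to clamd's Unix socket and classifies the reply with the same three patterns. The socket path and the patterns are copied from the entry above; the scanned path and the sample replies are constructed.

```python
import re
import socket

# Socket path and patterns copied from the 'Clam Antivirus-clamd' entry in amavisd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
CLEAN_RE = re.compile(r"\bOK$")
INFECTED_RE = re.compile(r"\bFOUND$")
VIRUS_NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")


def classify_reply(reply):
    """Apply the three amavisd.conf patterns to a clamd CONTSCAN reply.

    Returns (verdict, names). verdict is 'infected' if any line matched FOUND,
    'clean' if every line matched OK, and otherwise 'error' (clamd reported
    ERROR, or the reply was empty). names holds the signature names the third
    pattern extracted; an 'Infected Archive' line still counts as infected but
    yields no name, which is what the negative lookahead in the config is for.
    """
    lines = [ln.rstrip("\x00") for ln in reply.splitlines() if ln.strip()]
    if not lines:
        return "error", []
    verdict, names = "clean", []
    for line in lines:
        if INFECTED_RE.search(line):
            verdict = "infected"
            match = VIRUS_NAME_RE.match(line)
            if match:
                names.append(match.group(1))
        elif not CLEAN_RE.search(line) and verdict != "infected":
            verdict = "error"  # neither OK nor FOUND: scanner trouble, not a verdict
    return verdict, names


def scan_path(path, sock_path=CLAMD_SOCKET):
    """Do what ask_daemon does: send 'CONTSCAN <path>\\n', read until clamd closes."""
    # clamd opens the path itself, so the clamd user needs read access to it.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(30)
        sock.connect(sock_path)
        sock.sendall(("CONTSCAN %s\n" % path).encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_reply(b"".join(chunks).decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    # Constructed default: the directory amavisd unpacks messages into on many installs.
    print(scan_path(sys.argv[1] if len(sys.argv) > 1 else "/var/lib/amavis/tmp"))
```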

Now make sure Amavisd-new is stopped, and check the configuration with the built-in debugger:

# /etc/init.d/amavis stop
# amavis debug

This spits out a configuration summary and checks syntax. If there are any error messages, correct the errors before proceeding.

Next, start it back up and connect with telnet to confirm that Amavisd-new is running:

# /etc/init.d/amavis start
$ telnet 10024
Connected to
Escape character is '^]'.
220 [] ESMTP amavisd-new service ready

Amavisd-new is running, so quit telnet:

telnet> quit
Connection closed.


This article was originally published on Sep 1, 2004