Virus filtering with Postfix and ClamAV in 4 steps :)

Posted by joeblack on Thu 29 Sep 2005 at 11:29

If you're using the Postfix mail server you can reject mails with viral content at SMTP time, meaning they are never delivered and you don't have to worry about sending bounce messages to the often-faked "From" address. Below are quick steps for setting up clamsmtp with Postfix. We also install an up-to-date version of ClamAV from the new volatile repository.

Before you begin, please note that I am writing this expecting that you already have a working Postfix server; if not, get it working correctly first and then follow on.

1. Get the correct clam installed

The default clam packages are not up to date. Add the following line to your /etc/apt/sources.list:

deb http://ftp2.de.debian.org/debian-volatile sarge/volatile main

Now update:

apt-get update

Now install :)

apt-get install clamsmtp clamav-freshclam
2. Edit the clamsmtp file

Edit the /etc/clamsmtpd.conf file and change OutAddress: 10025 to OutAddress: 10026; also change Listen: 127.0.0.1:10026 to Listen: 127.0.0.1:10025. After this, clamsmtpd accepts mail from Postfix on port 10025 and hands scanned mail back to Postfix on port 10026, which matches the master.cf entries in the next step.

3. Edit the postfix files

Add the following to /etc/postfix/main.cf

content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings

Add the following to /etc/postfix/master.cf

# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
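Because the whole setup hinges on the two port numbers in step 2 lining up with the two entries above, here is a small checker I added (it is not part of the article, of clamsmtp or of Postfix). It parses clamsmtpd.conf, main.cf and master.cf and confirms that content_filter points at clamsmtpd's Listen address, that OutAddress points at the re-injection listener in master.cf and that this listener has content_filter cleared, and it flags an OutAddress that names only a port. The sample configurations embedded at the bottom are constructed from the fragments above plus the stock package values quoted in step 2; the bracketed [127.0.0.1] form of content_filter is accepted as well.

```python
"""Consistency check for the clamsmtp <-> Postfix port chain from steps 2 and 3.
Added example, not from the article, clamsmtp or Postfix.  It verifies that
content_filter points at clamsmtpd's Listen address, that OutAddress points at
a master.cf inet smtpd listener with content_filter cleared (else re-injected
mail is scanned again, forever), and that OutAddress names an explicit host."""
import re

def _kv_lines(text, sep):
    """Parse 'key<sep>value' lines (comments stripped) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if sep in line:
            key, _, val = line.partition(sep)
            conf[key.strip()] = val.strip()
    return conf

def parse_clamsmtpd(text):  # clamsmtpd.conf lines look like "Listen: 127.0.0.1:10025"
    return _kv_lines(text, ':')

def parse_main_cf(text):  # main.cf lines look like "content_filter = scan:127.0.0.1:10025"
    return _kv_lines(text, '=')

def parse_master_cf(text):
    """master.cf: 8-column service lines; indented '-o name=value' lines belong to the service above."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':
            m = re.match(r'\s*-o\s+([^=\s]+)=(.*)', raw)
            if m and current is not None:
                services[current]['options'][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) >= 8:
            current = fields[0]
            services[current] = {'type': fields[1], 'command': fields[7], 'options': {}}
    return services

def split_addr(addr):
    """'host:port' or '[host]:port' -> (host, port); bare 'port' -> (None, port)."""
    m = re.match(r'^\[?([^\]:]+)\]?:(\d+)$', addr.strip())
    if m:
        return m.group(1), int(m.group(2))
    return (None, int(addr)) if addr.strip().isdigit() else (None, None)

def check_chain(clamsmtpd_text, main_cf_text, master_cf_text):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems = []
    clam = parse_clamsmtpd(clamsmtpd_text)
    master = parse_master_cf(master_cf_text)
    # Hop 1: Postfix 'scan' transport -> clamsmtpd Listen
    transport, _, dest = parse_main_cf(main_cf_text).get('content_filter', '').partition(':')
    cf_host, cf_port = split_addr(dest)
    if not transport or cf_port is None:
        return ['main.cf: content_filter must look like transport:host:port']
    svc = master.get(transport)
    if svc is None or svc['command'] != 'smtp':
        problems.append(f'master.cf: no smtp transport named {transport!r} for content_filter')
    listen_host, listen_port = split_addr(clam.get('Listen', ''))
    if cf_port != listen_port or (listen_host is not None and cf_host != listen_host):
        problems.append(f'content_filter sends to {cf_host}:{cf_port} but clamsmtpd '
                        f'listens on {listen_host}:{listen_port}')
    # Hop 2: clamsmtpd OutAddress -> Postfix re-injection listener
    out_host, out_port = split_addr(clam.get('OutAddress', ''))
    if out_port is None:
        return problems + ['clamsmtpd.conf: OutAddress is missing or unparseable']
    if out_host is None:
        problems.append(f'clamsmtpd.conf: OutAddress {out_port} names no host; use '
                        f'127.0.0.1:{out_port} so re-injection never leaves loopback')
        out_host = '127.0.0.1'
    if out_port == listen_port:
        problems.append('Listen and OutAddress share a port: clamsmtpd would hand mail to itself')
    listener = master.get(f'{out_host}:{out_port}')
    if listener is None or listener['type'] != 'inet' or listener['command'] != 'smtpd':
        problems.append(f'master.cf: no inet smtpd listener on {out_host}:{out_port} for re-injection')
    elif listener['options'].get('content_filter') != '':
        problems.append(f'master.cf: listener {out_host}:{out_port} needs "-o content_filter=" '
                        f'(empty) or mail loops back into the scanner')
    return problems

# Constructed samples: the article's Postfix fragments and three clamsmtpd.conf variants.
MAIN_CF = "content_filter = scan:127.0.0.1:10025\nreceive_override_options = no_address_mappings\n"
MASTER_CF = """\
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
127.0.0.1:10026 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
"""
DEBIAN_DEFAULT = "Listen: 127.0.0.1:10026\nOutAddress: 10025\n"          # stock package values
ARTICLE_STEP_2 = "Listen: 127.0.0.1:10025\nOutAddress: 10026\n"          # after step 2 above
EXPLICIT_HOST = "Listen: 127.0.0.1:10025\nOutAddress: 127.0.0.1:10026\n"  # with an explicit host

if __name__ == '__main__':
    for name, text in (('debian default', DEBIAN_DEFAULT), ('step 2', ARTICLE_STEP_2), ('explicit host', EXPLICIT_HOST)):
        print(name + ':', '; '.join(check_chain(text, MAIN_CF, MASTER_CF)) or 'OK')
```

Run it as-is to see the stock package values fail both hops, the step 2 values pass with one note about the bare port, and the explicit-host variant come back clean; point the three parse functions at your real files to check a live setup.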

4. Conclusion

Restart Postfix and clamsmtp, then follow mail.log and check for errors.

Send yourself a virus and see if clam will catch it.
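As an added example that is not part of the article, the following script triages mail.log lines for this setup. It recognises the three failure shapes that readers report in the comments below (a clamsmtpd "clamav error", a scan-transport delivery to 127.0.0.1 deferred at end of DATA, and "too many errors after XFORWARD") and maps each to the hop of the chain it belongs to. The sample log lines are constructed to match those shapes with hostnames and addresses changed, and the hint texts are my own guidance rather than anything Postfix or clamsmtp prints.

```python
"""Triage mail.log lines from the clamsmtp + Postfix chain.
Added example, not from the article.  Sample lines are constructed."""
import re
from collections import Counter

# Standard syslog prefix: "Mon dd hh:mm:ss host prog[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[\s:]+)(?:\[\d+\])?: (?P<msg>.*)$')

# Category -> which hop is broken and where to look next (my own guidance).
HINTS = {
    'scanner-error': 'hop 1 (clamsmtpd -> clamd): clamd could not read the file clamsmtpd '
                     'spooled; check that clamd can access /var/spool/clamsmtp',
    'filter-hop-deferred': 'hop 1 (Postfix scan transport -> 127.0.0.1): the scanner or the '
                           're-injection listener behind it failed at end of DATA; Postfix will '
                           'retry, so look for clamsmtpd lines with the same timestamp',
    'xforward-rejected': 'hop 2 (clamsmtpd -> re-injection smtpd): the listener refused XFORWARD; '
                         'make sure OutAddress points at the master.cf entry that carries '
                         'smtpd_authorized_xforward_hosts=127.0.0.0/8',
}

def classify(line):
    """Return (category, queue_id) for one syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return 'unparsed', None
    prog, msg = m.group('prog'), m.group('msg')
    qid_m = re.match(r'^([0-9A-Za-z]+): ', msg)   # Postfix queue id or clamsmtpd connection id
    qid = qid_m.group(1) if qid_m else None
    if prog == 'clamsmtpd' and 'clamav error' in msg:
        return 'scanner-error', qid
    if prog == 'postfix/smtpd' and 'too many errors after XFORWARD' in msg:
        return 'xforward-rejected', qid
    status = re.search(r'status=(\w+)', msg)
    if prog == 'postfix/smtp' and status and 'relay=127.0.0.1' in msg:
        # Delivery by the 'scan' transport to the local filter: sent, deferred or bounced.
        return 'filter-hop-' + status.group(1), qid
    return 'other', qid

def triage(lines):
    """Count categories and collect (category, queue_id, hint) for lines needing attention."""
    counts, attention = Counter(), []
    for line in lines:
        if not line.strip():
            continue
        cat, qid = classify(line)
        counts[cat] += 1
        if cat in HINTS:
            attention.append((cat, qid, HINTS[cat]))
    return counts, attention

# Constructed sample log, shaped like the lines quoted in the comments (names changed).
SAMPLE_LOG = """\
Feb  1 11:21:41 mx1 clamsmtpd: 100001: clamav error: /var/spool/clamsmtp/clamsmtpd.e2ceOK: Access denied. ERROR
Feb 16 08:03:55 mx1 postfix/smtp[15876]: B87ADA45CF3: to=<box@example.org>, relay=127.0.0.1[127.0.0.1], delay=41, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 Local Error (in reply to end of DATA command))
May 31 09:36:02 mx1 postfix/smtpd[13619]: too many errors after XFORWARD from localhost[127.0.0.1]
May 31 09:40:10 mx1 postfix/smtp[13650]: 1A2B3C4D5E: to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.3, status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B)
"""

if __name__ == '__main__':
    counts, attention = triage(SAMPLE_LOG.splitlines())
    print(dict(counts))
    for cat, qid, hint in attention:
        print(f'{cat} [{qid}]: {hint}')
```

On a real box, feed it the output of tail -f /var/log/mail.log instead of SAMPLE_LOG; the counters tell you whether mail is actually passing through the filter hop (filter-hop-sent) or piling up as deferred.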

Hope this will help somebody, drop me a line if it did. joeblack at pixelporn dot co dot za.

Posted by Anonymous (160.45.xx.xx) on Thu 29 Sep 2005 at 13:16
1) The changes to the /etc/clamsmtpd.conf are not needed; instead it's better to configure Postfix correctly (since we have to touch its config anyway!)

2) content_filter = scan:[127.0.0.1]:10025
is better

3) The whole thing is more suitable for a smtpd_proxy_filter...

Posted by chewie (134.84.xx.xx) on Mon 9 Jan 2006 at 21:32
As the packager of clamsmtp, I explained my decision to diverge from clamsmtp's default settings in README.Debian:

"This package departs from the default clamsmtpd configuration in the ports it
listens to and forward messages to. The reason for this is partially
historical and partially a compatibility issue. At the time that postfix was
first introducing its filtering capabilities, it quoted the use of Amavisd and
Amavisd-new as possible filtering proxies. In those examples, it showed
postfix using port 10025 as the unfiltered port for returning email from the
proxy. Amavisd-new installs listening to port 10024. Rather than forcing the
Debian systems administrator from having to customize /etc/postfix/master.cf
yet again, I choose to flip clamsmtpd's settings."

As the author of this post has indicated, it's relatively simple to customize clamsmtp+postfix to your environment.

Posted by Anonymous (82.119.xx.xx) on Sat 1 Oct 2005 at 01:34
Better than sending a virus is sending the EICAR test signature, which is just a non-viral virus signature for testing antivirus software.

apt-get install clamav-testfiles

Posted by Anonymous (212.202.xx.xx) on Tue 11 Oct 2005 at 21:18
I prefer to let the clamsmtp listen on a xxx25 port instead of a port number which does not contain a 25.

In step 2 I changed the clamsmtp OutAddress to the full local address:
OutAddress: 127.0.0.1:10026
If you don't do that, it will connect to postfix from the default network interface. In my setup even that is not a local network to postfix ;)

Posted by Anonymous (82.67.xx.xx) on Tue 3 Jul 2007 at 09:49
so you insist on having a 25 in the port, but you still use 10026... if you really want 25, then you can use 10125 instead of 10026. but this has no importance, really.

Posted by bellerofont (212.76.xx.xx) on Wed 19 Oct 2005 at 21:06
Is this solution faster than ClamAV and Amavis? I think it should be...

Posted by Anonymous (85.224.xx.xx) on Wed 19 Oct 2005 at 22:33
Try Mailscanner both Antispams and Antiviruses

Joakim Nordberg

Posted by Anonymous (88.113.xx.xx) on Tue 24 Apr 2012 at 08:19
Mailscanner is not compatible with postfix; there is a warning that it may cause lost emails.

Posted by hackeron (212.36.xx.xx) on Tue 25 Oct 2005 at 15:32
After you've done this, visit http://www.webmail.us/testvirus and let them spam you with viruses :)

Posted by Anonymous (85.212.xx.xx) on Fri 4 Nov 2005 at 13:59
Looks like the original doc from the author of clamsmtp:
http://memberwebs.com/nielsen/software/clamsmtp/postfix.html

For further information go to: http://memberwebs.com/nielsen/software/clamsmtp/

Posted by Anonymous (217.8.xx.xx) on Wed 1 Feb 2006 at 10:22
It does not work for me. I have a problem with clamsmtpd. The mail log says

Feb 1 11:21:41 localhost clamsmtpd: 100001: clamav error: /var/spool/clamsmtp/clamsmtpd.e2ceOK: Access denied. ERROR

So I changed the permission to 777 just for testing. But that doesn't help really much. Has anybody an idea?

Posted by Anonymous (222.124.xx.xx) on Thu 16 Feb 2006 at 01:12
I got this message:

Feb 16 08:03:55 kampes postfix/smtp[15876]: B87ADA45CF3: to=<box@semusim.info>, relay=127.0.0.1[127.0.0.1], delay=41, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 Local Error (in reply to end of DATA command))

How can I solve that?

Posted by Anonymous (222.124.xx.xx) on Thu 16 Feb 2006 at 01:22

Posted by fher98 (200.30.xx.xx) on Thu 7 Dec 2006 at 17:29
Great job dude!!! Works like a charm and I don't need to configure amavis-new with those new multiple config files on etch!!!

thanks man

Posted by Anonymous (195.87.xx.xx) on Thu 14 Dec 2006 at 09:35
I've an error with installation. Does this mean the clamsmtp version doesn't fit my system?


Building Dependency Tree... Done
Package clamsmtp is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package clamsmtp has no installation

Posted by joeblack (198.54.xx.xx) on Thu 14 Dec 2006 at 10:12
Hi

Copy and paste your contents of /etc/apt/sources.list

joe

Posted by Anonymous (81.231.xx.xx) on Mon 22 Jan 2007 at 13:53
Just wondering, but does anyone have any suggestions on how to get mailgraph working properly with the above-mentioned config?

Posted by Anonymous (89.97.xx.xx) on Tue 18 Dec 2007 at 16:07
It does not work for me.

It doesn't work.

Posted by joeblack (196.2.xx.xx) on Tue 18 Dec 2007 at 18:46
What is not working?

What do your logs say?

joeblack

Posted by Anonymous (62.233.xx.xx) on Fri 19 Jun 2009 at 09:24
Great. Spent an age setting up our mail server *not* to use apparmor and this borks everything by setting it back up again. What a sack of crap!

Posted by Anonymous (41.164.xx.xx) on Sun 3 Apr 2011 at 13:22
Does anyone know if this procedure will work with Plesk 9.5.4 and Ubuntu 8.04 64-bit LTS?

Posted by Anonymous (88.113.xx.xx) on Tue 24 Apr 2012 at 17:11
Sure, it drops mails with viruses, but it does not reject. Clamsmtpd does not have support for giving a reject to postfix.

Posted by Anonymous (122.166.xx.xx) on Fri 31 May 2013 at 09:36
postfix/smtpd[13619]: too many errors after XFORWARD from localhost[127.0.0.1]

This error shows up after installing clamav. I followed the same steps you gave above.
