Home Server ClamAV Milter

Index.

03-Jul-2011: initial release.
25-Nov-2012: adjusted for Slackware.


Introduction.

To scan mail for viruses and other malware, I use the ClamAV scanner. I wrote a Slackbuild that compiles ClamAV together with its milter daemon. This milter daemon is needed by the postfix mail server, which will be described in its own article. The ClamAV milter daemon is statically linked against Sendmail's libmilter.


Installation.

Build and install clamav-milter. There are three configuration files in /etc/clamav that you need to edit; here I show the diffs of my files against the originals. First, /etc/clamav/clamav-milter.conf:

--- clamav-milter.conf.orig     2011-06-22 14:50:35.000000000 +0200
+++ clamav-milter.conf  2011-06-22 14:54:16.000000000 +0200
@@ -1,12 +1,4 @@
 ##
-## Example config file for clamav-milter
-##
-
-# Comment or remove the line below.
-Example
-
-
-##
 ## Main options
 ##

@@ -26,7 +18,7 @@

 # Sets the permissions on the (unix) milter socket to the specified mode.
 # Default: disabled (obey umask)
-#MilterSocketMode 660
+MilterSocketMode 666

 # Remove stale socket after unclean shutdown.
 #
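Review bot: MilterSocketMode 666 makes the milter socket world-writable, so any local account on the box, not only the postfix daemon, can connect to it and feed it messages. The safer setting is the 660 that the example line suggests (`MilterSocketMode 660`) with the socket's group set to one that postfix belongs to; if 666 is kept as a workaround for a group mismatch, the article should say so.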
@@ -185,13 +177,13 @@
 # Note that while "Replace" can potentially break DKIM signatures, "Add" may
 # confuse procmail and similar filters.
 # Default: no
-#AddHeader Replace
+AddHeader Replace

 # When AddHeader is in use, this option allows to arbitrary set the reported
 # hostname. This may be desirable in order to avoid leaking internal names.
 # If unset the real machine name is used.
 # Default: disabled
-#ReportHostname my.mail.server.name
+ReportHostname mail.wpl.uk

 # Execute a command (possibly searching PATH) when an infected message is found.
 # The following parameters are passed to the invoked program in this order:
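Review bot: `AddHeader Replace` is the variant that the comment in this hunk warns can break DKIM signatures, so if this server signs outbound mail, the signing milter has to run after clamav-milter in postfix's milter order; that ordering belongs in the postfix article. `ReportHostname mail.wpl.uk` is the right thing to do here, since it keeps the real machine name (homsrv) out of the header that is added to every scanned message.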
@@ -212,7 +204,7 @@
 # A full path is required.
 #
 # Default: disabled
-LogFile /var/log/clamav/clamav-milter.log
+#LogFile /var/log/clamav/clamav-milter.log

 # By default the log file is locked for writing - the lock protects against
 # running clamav-milter multiple times.
@@ -233,23 +225,23 @@
 # Log time with each message.
 #
 # Default: no
-LogTime yes
+#LogTime yes

 # Use system logger (can work together with LogFile).
 #
 # Default: no
-#LogSyslog yes
+LogSyslog yes

 # Specify the type of syslog messages - please refer to 'man syslog'
 # for facility names.
 #
 # Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
+LogFacility LOG_MAIL

 # Enable verbose logging.
 #
 # Default: no
-#LogVerbose yes
+LogVerbose yes

 # This option allows to tune what is logged when a message is infected.
 # Possible values are Off (the default - nothing is logged),
@@ -269,5 +261,5 @@
 # See LogInfected for possible values and caveats.
 # Useful in debugging but drastically increases the log size.
 # Default: disabled
-#LogClean Basic
+LogClean Basic

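Review bot: `LogClean Basic`, together with `LogVerbose yes` from the previous hunk, writes one syslog entry per clean message; the comment in this hunk itself says this drastically increases the log size. That is fine while bringing the milter up, but the article should note that both should go back to their defaults once the setup is verified, otherwise the mail log is dominated by clean-message entries.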

Next, /etc/clamav/clamd.conf:

--- clamd.conf.orig     2011-06-22 14:50:44.000000000 +0200
+++ clamd.conf  2011-06-22 15:00:23.000000000 +0200
@@ -1,17 +1,10 @@
-##
-## Example config file for the Clam AV daemon
-## Please read the clamd.conf(5) manual before editing this file.
-##
-
-
-# Comment or remove the line below.
-Example
+## /etc/clamav/clamd.conf

 # Uncomment this option to enable logging.
 # LogFile must be writable for the user running daemon.
 # A full path is required.
 # Default: disabled
-LogFile /var/log/clamav/clamd.log
+#LogFile /var/log/clamav/clamd.log

 # By default the log file is locked for writing - the lock protects against
 # running clamd multiple times (if want to run another clamd, please
@@ -31,7 +24,7 @@

 # Log time with each message.
 # Default: no
-LogTime yes
+#LogTime yes

 # Also log clean files. Useful in debugging but drastically increases the
 # log size.
@@ -40,16 +33,16 @@

 # Use system logger (can work together with LogFile).
 # Default: no
-#LogSyslog yes
+LogSyslog yes

 # Specify the type of syslog messages - please refer to 'man syslog'
 # for facility names.
 # Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
+LogFacility LOG_MAIL

 # Enable verbose logging.
 # Default: no
-#LogVerbose yes
+LogVerbose yes

 # Log additional information about the infected file, such as its
 # size and hash, together with the virus name.
@@ -209,7 +202,7 @@

 # Detect Possibly Unwanted Applications.
 # Default: no
-#DetectPUA yes
+DetectPUA yes

 # Exclude a specific PUA category. This directive can be used multiple times.
 # See http://www.clamav.net/support/pua for the complete list of PUA
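Review bot: `DetectPUA yes` also flags possibly unwanted applications (remote-administration tools, packed binaries and similar categories), not only malware, so expect occasional hits on legitimate attachments. The `ExcludePUA` directive that this hunk's comment introduces is where troublesome categories can be dropped; the article should also state how a PUA hit is handled, since clamav-milter treats it like any other detection.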
@@ -403,6 +396,7 @@
 # to the system.
 # Default: 25M
 #MaxFileSize 30M
+MaxFileSize 100M

 # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
 # file, all files within it will also be scanned. This options specifies how
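Review bot: `MaxFileSize 100M` is only half of the change: clamd also has `MaxScanSize` (default 100M), which caps the amount of data scanned per file, and clamav-milter.conf has its own `MaxFileSize` (default 25M) above which a message is not handed to clamd at all. Raising only clamd's limit leaves messages between 25M and 100M unscanned by the milter; raise the milter's limit to match, and keep both in line with postfix's message_size_limit.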


And finally /etc/clamav/freshclam.conf:

--- freshclam.conf.orig 2011-06-22 14:50:54.000000000 +0200
+++ freshclam.conf      2011-06-22 15:01:44.000000000 +0200
@@ -1,11 +1,4 @@
-##
-## Example config file for freshclam
-## Please read the freshclam.conf(5) manual before editing this file.
-##
-
-
-# Comment or remove the line below.
-Example
+## /etc/clamav/freshclam.conf

 # Path to the database directory.
 # WARNING: It must match clamd.conf's directive!
@@ -14,7 +7,7 @@

 # Path to the log file (make sure it has proper permissions)
 # Default: disabled
-UpdateLogFile /var/log/clamav/freshclam.log
+#UpdateLogFile /var/log/clamav/freshclam.log

 # Maximum size of the log file.
 # Value of 0 disables the limit.
@@ -34,12 +27,12 @@

 # Use system logger (can work together with UpdateLogFile).
 # Default: no
-#LogSyslog yes
+LogSyslog yes

 # Specify the type of syslog messages - please refer to 'man syslog'
 # for facility names.
 # Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
+LogFacility LOG_MAIL

 # This option allows you to save the process identifier of the daemon
 # Default: disabled
@@ -118,7 +111,7 @@

 # Send the RELOAD command to clamd.
 # Default: no
-NotifyClamd /etc/clamav/clamd.conf
+#NotifyClamd /etc/clamav/clamd.conf

 # Run command after successful database update.
 # Default: disabled
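Review bot: with `NotifyClamd` commented out, freshclam no longer tells clamd that new signatures arrived; clamd only notices them when its periodic `SelfCheck` (clamd.conf, default 600 seconds) sees that the database changed, so every hourly update is followed by up to ten minutes of scanning with the old set. If the line was disabled because /etc/clamav/clamd.conf is not readable by the user running freshclam, fixing that permission and keeping `NotifyClamd /etc/clamav/clamd.conf` is the better change.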


Put the following script in /etc/cron.hourly as freshclam and make it executable (chmod 755), so that the virus definitions are checked for updates every hour:

#!/bin/sh
/usr/bin/freshclam --quiet


When the package is freshly installed there is no virus signature database present, so we need to download one before the ClamAV daemons can be started. After the download we can start them:

root@homsrv:~# freshclam
ClamAV update process started at Wed Jun 22 15:06:04 2011
Downloading main.cvd [100%]
main.cvd updated (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily.cvd [100%]
daily.cvd updated (version: 13227, sigs: 129691, f-level: 60, builder: guitar)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 143, sigs: 40, f-level: 60, builder: edwin)
Database updated (975945 signatures) from database.clamav.net (IP: 81.26.223.45)
root@homsrv:~# /etc/rc.d/init.d/clamd start
Starting ClamAV: /usr/sbin/clamd /usr/sbin/clamav-milter 
root@homsrv:~#


As root, run pkgtool and, under Setup, select clamd so that it is started at boot.


Download.

See the download page for the script and configuration files.