Linux.com


Using ClamAV to Kill Viruses on Postfix


Our Postfix mail server series comes to a close this week with the addition of antivirus. I think it's fitting to close with this article because, to many people, the idea of having to add antivirus to a Linux machine is antithetical to what Linux is. When applied to a mail server, that is quite untrue.

I am an advocate of "better safe than sorry," and in the case of a Linux mail server, that statement could never be truer. Why is that? To answer that question you simply have to ask yourself what a Linux mail server does: it serves up mail to clients. Will all of those clients be using a Linux operating system? Most likely not. Because of this, the email your server sends out has to be free from viruses or else those Windows clients will become crippled. That is the last thing you want for your mail server.

So, what do you do? You install an antivirus for your mail server. And on the Linux platform, one of the easiest to integrate into Postfix is ClamAV. ClamAV is an antivirus tool designed especially for Linux mail servers. It runs in the background, as a daemon, and has plenty of features, including:

  • Command line scanner.
  • Advanced database updater.
  • On-access scanning.
  • Virus database updated multiple times daily.
  • Built-in support for nearly all mail formats.
  • Support for many archive formats.
  • Support for ELF and Portable Executable (PE) binaries.
  • Support for most common document formats.

ClamAV is a must have for your Postfix mail server and in this article I am going to show you how to install and integrate this outstanding antivirus scanner. The installation of ClamAV will follow the rest of our Postfix series and will happen on an Ubuntu machine. But fear not, ClamAV will work on Windows, BSD, and nearly all of the Linux variants. You might have to modify your installation somewhat to get it to run on a different flavor, but the installation will be nearly as easy as it is on Ubuntu.

With that said, let's begin the installation.

Installation

The installation of ClamAV couldn't be any easier. All you need to do is follow these steps:

  1. Open up a terminal window (or log into your mail server if you are using a GUI-less Ubuntu installation).

  2. Issue the command sudo apt-get install clamav clamav-freshclam clamsmtp

  3. Type your sudo password and hit Enter.

  4. Accept any dependencies (if necessary) and hit Enter.

  5. Watch the installation fly by.

That's it! ClamAV is now installed. You don't even need to start the daemons, as the installation takes care of that for you. Once the configuration below is complete you will have to restart clamsmtpd (the SMTP filter that hands mail to ClamAV) as well as the Postfix daemon. When that time comes, the command to restart clamsmtpd is:

sudo /etc/init.d/clamsmtpd restart

Just in case you have forgotten, the command to restart the Postfix daemon is:

sudo /etc/init.d/postfix restart

Now, let's begin the configuration.

Configuration

There are three files that will need to be configured:

  • /etc/clamsmtpd.conf
  • /etc/postfix/main.cf
  • /etc/postfix/master.cf

Only the first file belongs to the ClamAV side (it configures clamsmtpd, the SMTP filter that passes mail to ClamAV), so let's start with that configuration. Open up the /etc/clamsmtpd.conf file in your favorite editor and look for the OutAddress and Listen lines:

OutAddress: 10025

Listen: 127.0.0.1:10026

These two lines need to be changed to:

OutAddress: 10026

Listen: 127.0.0.1:10025

This makes clamsmtpd listen on port 10025, where Postfix will hand it mail, and send scanned mail back to port 10026, where Postfix will accept it again. That is all you need to do with the ClamAV configuration file. Save and close that file and we will now move on to configure Postfix.

Open up the file /etc/postfix/main.cf. Scroll to the bottom of this file and add the following two lines:

content_filter = scan:127.0.0.1:10025

receive_override_options = no_address_mappings

Save and close that file.

Now, open up the /etc/postfix/master.cf file. Scroll down to the bottom of this file and add the following lines (you might just want to copy/paste this section because it is rather long). Note that every -o line must begin with whitespace: Postfix treats an indented line as a continuation of the service entry above it, and an unindented -o line is a syntax error.

# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Make sure the above section is exact, including the leading spaces on the -o lines. The empty content_filter= on the 10026 listener is what stops scanned mail from being sent back through the filter in a loop. Save and close that file. Now it's time to restart both daemons with the commands I showed you above. Restart both daemons and Postfix will now begin filtering your email with the help of ClamAV.
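The three files above have to agree with each other: the port in main.cf's content_filter must be the one clamsmtpd listens on, and clamsmtpd's OutAddress must be a listener defined in master.cf. As an added sanity check (written for this article, not code from the clamsmtp project or Postfix), the following script parses constructed copies of the three fragments and reports mismatched ports, a missing reinjection listener, and -o lines that lack the leading whitespace Postfix requires. It assumes clamsmtpd.conf names its listening address with the Listen key.

```python
# Constructed fragments mirroring the article's three files (not the real files).
CLAMSMTPD_CONF = "OutAddress: 10026\nListen: 127.0.0.1:10025\n"
MAIN_CF = "content_filter = scan:127.0.0.1:10025\nreceive_override_options = no_address_mappings\n"
MASTER_CF = """\
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
"""

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines (clamsmtpd.conf uses ':', main.cf uses '=')."""
    pairs = (l.strip().partition(sep) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_master(text):
    """Map each master.cf service to its '-o' lines; flag unindented '-o' lines."""
    services, bad, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            services[current].append(line.strip())   # continuation of the service above
        elif line.startswith("-o"):
            bad.append(line)                         # Postfix would reject this line
        else:
            current = line.split()[0]                # new service entry, e.g. "scan"
            services[current] = []
    return services, bad

def check_wiring(clamsmtpd, main_cf, master_cf):
    """Return a list of problems; an empty list means the three files agree."""
    conf, main = parse_kv(clamsmtpd, ":"), parse_kv(main_cf, "=")
    services, bad = parse_master(master_cf)
    problems = [f"master.cf: option line needs leading whitespace: {l!r}" for l in bad]
    # Postfix hands mail to clamsmtpd via content_filter = scan:host:port ...
    transport, _, addr = main.get("content_filter", "").partition(":")
    if transport != "scan" or "scan" not in services:
        problems.append("main.cf content_filter must use the 'scan' transport from master.cf")
    elif addr != conf.get("Listen"):
        problems.append(f"content_filter {addr} does not match clamsmtpd Listen {conf.get('Listen')}")
    # ... and clamsmtpd returns it to the master.cf listener named by OutAddress.
    reinject = f"127.0.0.1:{conf.get('OutAddress')}"
    if reinject not in services:
        problems.append(f"no master.cf listener on {reinject} for OutAddress")
    elif "-o content_filter=" not in services[reinject]:
        problems.append("reinjection listener must set '-o content_filter=' or mail loops")
    return problems
```

Running check_wiring on the real files (read with open()) before restarting the daemons catches the swapped-port and unindented -o mistakes that otherwise only show up in the mail log.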

Updating the Definitions

Your antivirus will eventually become worthless if you do not update your definitions. Fortunately, ClamAV has a built-in tool just for that purpose. The tool in question is (aptly named) freshclam. To update your signatures you would issue the command:

sudo freshclam

I would highly recommend adding freshclam to the root user's crontab by following these steps.

  1. Open up a terminal window.
  2. Issue the command sudo crontab -e
  3. Add the following line 00 1 * * * /usr/bin/freshclam --quiet for the definitions to be updated at 1am every day.
  4. Save and close the file.

Now your virus definitions will be updated daily. You can modify that cron entry to better suit your needs. If the clamav-freshclam package installed above is already running freshclam as a background daemon (its default on Ubuntu), it handles the updates on its own and a manual or cron run will report that another freshclam is running; in that case you can leave the cron entry out.

Final Thoughts

You now have a Postfix mail server that serves up mail and that has been checked for both spam (with the help of SpamAssassin) and viruses (with the help of ClamAV). Although no system is 100 percent secure, you have now taken steps to ensure email going out of your server is as safe as possible.

Is it possible for either SpamAssassin or ClamAV to miss now and then? Of course. We all know how wily both spam and viruses can be. If a system had been created that was 100 percent on both accounts, everyone would be using it. But you have opted to go the open source route and, as for mail servers, the Postfix/SpamAssassin/ClamAV route is one of the best combinations for reliability and safety.


Comments

  • anon Said:

    Perhaps note that the '-o' lines need spaces before them

  • Alex Said:

    There are a few minor mistakes here, like anon noted. The biggest issue I can't get around is that email marked as spam doesn't get scanned by ClamAV. An email with a virus gets flagged, but an email marked as spam gets passed back to Postfix without ClamAV looking at it. Do you have a solution for this? Thanks for a great guide to get started on this with!

  • Alex Said:

    I actually just solved this. Don't define a content filter in main, don't define a content filter on the main smtp line, add a content filter to the listener that clamAV sends to, that points at spamassassin. Then.... ?? Then PROFIT!

  • Fred Said:

    Nice and easy, had just one hiccup when installing on Ubuntu 12.04 that may aid others - clamAV was already installed and running as user "clamav". If you're in the same situation and following this guide, remember to also change the User setting in clamsmtpd.conf to the same user as clamAV so they can access each other's temp files. You may also have to chown -R /var/run/clamsmtp/ and /var/spool/clamsmtp/ to the clamAV user.
