
Technical document: Virus detection with Clam Antivirus
Chapter 2 - Setting up ClamSMTP

Introduction

ClamSMTP is an anti-virus filter for SMTP relays which uses Clam AntiVirus for virus identification. It can be used with any mail relay, although it was written with reference to postfix in particular. It requires the clamd daemon to be running, and also needs to be configured with a few clamd particulars, but otherwise runs independently of the clamd install.

Downloading, compiling and installing clamSMTP

As always, check for the latest releases. As root:

> cd
> wget http://memberwebs.com/stef/software/clamsmtp/clamsmtp-1.10.tar.gz
> tar -xvf clamsmtp-1.10.tar.gz
> cd clamsmtp-1.10
> ./configure
> make
> make check
> make install

Configuring Postfix

We are going to configure postfix to pipe all mails for relaying and delivery through the clamsmtp daemon. In the postfix configuration file main.cf, add the following line:

content_filter = scan:[127.0.0.1]:10025

which tells postfix to pipe all mail to a localhost service on port 10025. Next add the following to the postfix configuration file master.cf:


# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

The first stanza sets up the scan service: an smtp client that hands every message to the filter on port 10025. The second stanza defines the listener on port 10026 through which scanned mail comes back into postfix. Its options restrict who may use it (only hosts in mynetworks, which is limited to the local host) and, above all, clear content_filter for mail arriving on that port, so that scanned mail is not sent through the filter again in an endless loop. Don't forget, after changing main.cf or master.cf, to always reload postfix:

> postfix reload
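The wiring above is easy to get subtly wrong (a missing "-o content_filter=" on the 10026 listener is the classic mistake, and it loops every message back into the scanner). The following script is an added example, not part of this document or of the clamsmtp project: it parses main.cf and master.cf text and reports settings that would bypass the scanner or create a filter loop. The embedded MAIN_CF and MASTER_CF strings are the configuration from this chapter; passing two file paths on the command line checks a real installation instead.

```python
"""Check that a Postfix content_filter loop for clamsmtpd is wired sanely.

Added example (not from the document or the clamsmtp project). Pure text
parsing: it does not need Postfix to be installed.
"""
import re
import shlex
import sys

# Constructed samples: the main.cf line and master.cf stanzas from this chapter.
MAIN_CF = "content_filter = scan:[127.0.0.1]:10025\n"
MASTER_CF = """\
# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
"""


def parse_main_cf(text):
    """Return main.cf as {parameter: value}; indented continuation lines are joined."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """Return {(name, type): {"fields": [8 columns], "options": {key: value}}}.

    A service line has 8 whitespace-separated columns; the indented
    '-o key=value' lines that follow belong to that service.
    """
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                      # option line for current service
            tokens = shlex.split(line)
            for i, tok in enumerate(tokens):
                if tok == "-o" and i + 1 < len(tokens) and current is not None:
                    key, _, value = tokens[i + 1].partition("=")
                    services[current]["options"][key] = value   # 'key=' -> ''
            continue
        fields = line.split()
        if len(fields) == 8:
            current = (fields[0], fields[1])
            services[current] = {"fields": fields, "options": {}}
    return services


def check_filter_loop(main_text, master_text):
    """Return a list of problems; an empty list means the filter wiring looks sane."""
    problems = []
    main, services = parse_main_cf(main_text), parse_master_cf(master_text)
    m = re.fullmatch(r"(\w+):\[?([\d.]+)\]?:(\d+)", main.get("content_filter", ""))
    if not m:
        return ["main.cf: content_filter is unset or not of the form scan:[host]:port"]
    transport, port = m.group(1), m.group(3)
    scan = services.get((transport, "unix"))
    if scan is None:
        problems.append(f"master.cf: no unix service '{transport}' for content_filter")
    elif scan["fields"][7] != "smtp":
        problems.append(f"master.cf: service '{transport}' must run the smtp client")
    # find the loopback smtpd that accepts scanned mail back from clamsmtpd
    reinject = [(n, s) for (n, k), s in services.items()
                if k == "inet" and s["fields"][7] == "smtpd" and n.startswith("127.0.0.1:")]
    if not reinject:
        return problems + ["master.cf: no 127.0.0.1:<port> inet smtpd service for re-injection"]
    name, svc = reinject[-1]
    opts = svc["options"]
    if name.split(":")[1] == port:
        problems.append(f"master.cf: re-injection port {port} is the filter port itself")
    if "content_filter" not in opts:
        problems.append(f"master.cf: {name} lacks '-o content_filter=' (scanned mail loops back into the filter)")
    elif opts["content_filter"]:
        problems.append(f"master.cf: {name} sets content_filter={opts['content_filter']}, re-entering the filter")
    if "reject" not in opts.get("smtpd_recipient_restrictions", "").split(","):
        problems.append(f"master.cf: {name} should end smtpd_recipient_restrictions with reject")
    if opts.get("mynetworks_style") != "host":
        problems.append(f"master.cf: {name} should set mynetworks_style=host (localhost only)")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: check.py /etc/postfix/main.cf /etc/postfix/master.cf
        main_text, master_text = (open(p).read() for p in sys.argv[1:3])
    else:
        main_text, master_text = MAIN_CF, MASTER_CF
    for line in check_filter_loop(main_text, master_text) or ["OK: filter wiring looks sane"]:
        print(line)
```

Run it without arguments to see the chapter's own configuration pass; delete the "-o content_filter=" line from the MASTER_CF sample and it reports the loop.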

Configuring ClamSMTP

The configuration file for clamsmtpd is clamsmtpd.conf. If it is not copied to a system location during install, it is likely to be found somewhere like:

/root/clamsmtp-1.10/doc/clamsmtpd.conf

You'll need to copy it to /usr/local/etc. As root:

> cp /root/clamsmtp-1.10/doc/clamsmtpd.conf /usr/local/etc/

Uncomment and set the various config options as appropriate. The important ones to note here should be defined as follows:

# The address to send scanned mail to.
OutAddress: 127.0.0.1:10026

# Address to listen on
Listen: 0.0.0.0:10025

# The address clamd is listening on
ClamAddress: /tmp/clamd.socket

# What to do when we see a virus (use 'bounce' or 'pass' or 'drop')
Action: drop

# User to switch to
User: clamav

So, in the set-up described here, postfix passes mail to the service listening on port 10025 (clamsmtpd). clamsmtpd then passes the mail to the Clam AntiVirus daemon clamd, which is listening on the socket /tmp/clamd.socket. Mail which is reported to contain a virus is dropped. Mail which is reported clean is returned by clamsmtpd to postfix listening on port 10026. This mail is then relayed or delivered as normal. The last configuration option tells clamsmtpd to run as user clamav.
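What happens between clamsmtpd and clamd on that socket is clamd's INSTREAM command: a null-terminated "zINSTREAM" request, the message body in length-prefixed chunks, a zero-length chunk to end the stream, and a one-line verdict ("stream: OK" or "stream: <signature> FOUND") in reply. The script below is an added example, not code from this document or from the clamsmtp/ClamAV projects. The framing and reply-parsing functions are pure and need nothing installed; scan_bytes() and ping() actually connect to the socket path from clamsmtpd.conf (/tmp/clamd.socket) and so require a running clamd. The sample message and the signature name in the comments are constructed.

```python
"""Exchange with clamd as clamsmtpd performs it: INSTREAM over the unix socket.

Added example, not part of the document or of clamsmtp/ClamAV.
"""
import socket
import struct

CLAMD_SOCKET = "/tmp/clamd.socket"     # ClamAddress from clamsmtpd.conf above

# Constructed sample message (plain text, nothing to detect).
SAMPLE_MESSAGE = (b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
                  b"Subject: test\r\n\r\nhello\r\n")


def instream_request(data, chunk_size=2048):
    """Frame *data* as one complete INSTREAM request, exactly as sent to clamd."""
    out = bytearray(b"zINSTREAM\0")                # z-prefix: null-terminated protocol
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out += struct.pack("!I", len(piece)) + piece   # 4-byte big-endian length + bytes
    out += struct.pack("!I", 0)                         # zero-length chunk ends the stream
    return bytes(out)


def parse_reply(reply):
    """Map a clamd verdict line to (status, detail).

    b'stream: OK\\0'                     -> ('OK', None)
    b'stream: Some.Signature FOUND\\0'   -> ('FOUND', 'Some.Signature')
    anything else (e.g. '... ERROR')     -> ('ERROR', text)
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])
    return ("ERROR", verdict)


def _recv_reply(sock):
    """Read until the null terminator clamd appends to z-protocol replies."""
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return reply


def ping(sock_path=CLAMD_SOCKET, timeout=5):
    """Return True if clamd answers PING with PONG on *sock_path* (needs a live clamd)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(b"zPING\0")
        return _recv_reply(s).rstrip(b"\0") == b"PONG"


def scan_bytes(data, sock_path=CLAMD_SOCKET, timeout=30):
    """Stream *data* to clamd and return parse_reply() of its verdict (needs a live clamd)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(instream_request(data))
        return parse_reply(_recv_reply(s))


if __name__ == "__main__":
    # Pre-flight check before testing through Postfix: is clamd reachable, and does
    # a clean message come back OK? Run as the clamav user so the socket is readable.
    print("clamd reachable:", ping())
    print("verdict for sample message:", scan_bytes(SAMPLE_MESSAGE))
```

The verdict is what clamsmtpd acts on with its Action setting: OK is handed to port 10026, FOUND is dropped under the configuration above. Running this as the clamav user is also a quick way to confirm that the socket permissions are right before involving Postfix.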

Running ClamSMTP

clamsmtpd can be started as follows:

> clamsmtpd

clamsmtpd can also be run in an interactive debug mode, with all STDOUT and STDERR being printed to the terminal:

> clamsmtpd -d 4

where "4" refers to the debug level. Although clamsmtpd can be started as described above, note that clamsmtpd and clamd should be run as the same user as each other (or they will have problems accessing each other's temporary files). Also, they should not be run as root. In the previous chapter we set up the user clamav with which to run clamd. There is a startup and shutdown script for clamsmtpd which enables a runtime user to be specified here. Save a copy of this script in /usr/local/sbin/ (or wherever your clamsmtpd executable is), and call it clamsmtpd.sh. Make sure you set the execute permission:

> chmod u+x clamsmtpd.sh

Check you can start and stop clamsmtpd using this script. You may then like to configure clamsmtpd to start at system boot time. The simplest way of doing this is to add the following line to rc.local or the equivalent on your system:

/usr/local/sbin/clamsmtpd.sh start

With any luck, that should be it! Check mails are being sent and received correctly. Also send a few test viruses to make sure they are being identified and dropped. Example viruses are included with the clamav package.
Previous: Chapter 1 - Setting up Clam Antivirus. Next: Appendix A - Clam Antivirus startup and shutdown script.