Using ClamAV to Kill Viruses on Postfix

6264

 

Our Postfix mail server series comes to a close this week with the addition of antivirus. I think it’s fitting to close with this article because, to many people, the idea of having to add antivirus on a Linux machine is antithetical to what Linux is. When applied to a mail server, that is quit untrue.

I am an advocate of “better safe than sorry,” and in the case of a Linux mail server, that statement could never be truer. Why is that? To answer that question you simply have to ask yourself what a Linux mail server does: it serves up mail to clients. Will all of those clients be using a Linux operating system? Most likely not. Because of this, the email your server sends out has to be free from viruses or else those Windows clients will become crippled. That is the last thing you want for your mail server.

So, what do you do? You install an antivirus for your mail server. And on the Linux platform, one of the easiest to integrate into Postfix is ClamAV. ClamAV is an antivirus tool designed especially for Linux mail servers. It runs in the background, as a daemon, and has plenty of features, including:

  • Command line scanner.

  • Advanced database updater.

  • On-access scanning.

  • Virus database update multiple times daily.

  • Built in support for nearly all mail formats.

  • Support for many archive formats.

  • Support for ELF and Portable executables.

  • Support for most common document formats.

ClamAV is a must have for your Postfix mail server and in this article I am going to show you how to install and integrate this outstanding antivirus scanner. The installation of ClamAV will follow the rest of our Postfix series and will happen on an Ubuntu machine. But fear not, ClamAV will work on Windows, BSD, and nearly all of the Linux variants. You might have to modify your installation somewhat to get it to run on a different flavor, but the installation will be nearly as easy as it is on Ubuntu.

With that said, let’s begin the installation.

Installation

The installation of ClamAV couldn’t be any easier. All you need to do is follow these steps:

  1. Open up a terminal window (or log into your mail server if you are using a GUI-less Ubuntu installation).

  2. Issue the command sudo apt-get install clamav clamav-freshclam clamsmtp

  3. Type your sudo password and hit Enter.

  4. Okay any dependencies (if necessary) and hit Enter.

  5. Watch the installation fly by.

That’s it! ClamAV is now installed. You don’t even need to start the ClamAV daemon, as the installation will take care of that for you. Upon completion of the configuration you will have to manually restart the daemon (as well as the Postfix daemon). When that time comes, the command to restart ClamAV is:

sudo /etc/init.d/clamsmtpd restart

Just in case you have forgotten, the command to restart the Postfix daemon is:

sudo /etc/init.d/postfix restart

Now, let’s begin the configuration.

Configuration

There are three files that will need to be configured:

  • /etc/clamsmtpd.conf
  • /etc/postfix/main.cf
  • /etc/postfix/master.cf

Only the first file is a ClamAV file, so let’s start with that configuration first. Open up the /etc/clamsmtpd.conf file in your favorite editor and look for the lines:

OutAddress: 10025

127.0.0.1:10026

These two lines need to be changed to:

OutAddress: 10026

127.0.0.1:10025

This will change the ports according to the needs of Postfix. That is all you need to do with the ClamAV configuration file. Save and close that file and we will now move on to configure Postfix.

Open up the file /etc/postfix/main.cf. Scroll to the bottom of this file and add the following two lines:

content_filter = scan:127.0.0.1:10025

receive_override_options = no_address_mappings

Save and close that file.

Now, open up the /etc/postfix/master.cf file. Scroll down to the bottom of this file and add the following lines (you might just want to copy/paste this section because it is rather long).

# AV scan filter (used by content_filter)
scan unix – – n – 16 smtp
-o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n – n – 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

Make sure the above section is exact. Save and close that file. Now it’s time to restart both daemons with the commands I showed you above. Restart both daemons and Postfix will now begin filtering your email with the help of ClamAV.

Updating the Definitions

Your antivirus will eventually become worthless if you do not update your definitions. Fortunately, ClamAV has a built in tool just for that purpose. The tool in question is (aptly named) freshclam. To update your signatures you would issue the command:

sudo freshclam

I would highly recommend adding freshclam to the root users crontab following these steps.

  1. Open up a terminal window.
  2. Issue the command sudo crontab -e
  3. Add the following line 00 1 * * * /usr/bin/freshclam –quiet for the definitions to be updated at 1am every day.
  4. Save and close the file.

Now your virus definitions will be updated daily. You can modify that cron entry to better suit your needs.

Final Thoughts

You now have a Postfix mail server that serves up mail and that has been checked for both SPAM (with the help of Spamassassin) and viruses (with the help of ClamAV). Although no system is 100 percent secure, you have now taken steps to ensure email going out of your sever is as safe as possible.

Is it possible for either Spamassassin or ClamAV to miss now and then? Of course. We all know how wily both SPAM and viruses can be. If a system had been created that was 100 percent on both accounts, everyone would be using it. But you have opted to go the open source route and, as for mail servers, the Postfix/Spamassassin/ClamAV route is one of the best combinations for reliability and safety.