Install ClamAV for scanning your e-mails for viruses

From OpenFSG


This page describes step by step how to install http://www.clamav.org/ as virus scanner for your default Postfix installation on your FSG3. I have tested this configuration with the default firmware 3.1.29, but it should work with any version.

Setting up your FSG3

Preparation

  1. First make sure that you have installed ipkg according to the description on Use the Custom Ipkg Installer
  2. Be sure to have a backup of your inboxes
  3. Switch on syslogging in the administrative web console via Information->Logs->Start log file recording
  4. Log on to your FSG as user root (see Logging in as root)

During the installation incoming e-mails may get lost if you don't configure this well, so be sure to only do this at a quiet time when you don't rely on the mail traffic.

The installation

  • First install ClamAV
/ # ipkg install clamav

You will see that not only ClamAV is installed, but also a number of dependent packages.

  • Get the postfix integration script

You can either download the original script from http://www.unitednerds.org/projects/mail/clamav-filter.sh.en.gz or use the adaptation of that same script below, which has already been changed for use on the FSG (correct paths etc.); you only need to enter a real username instead of postmaster in the two places where it occurs in the script. The script needs to be put in the directory /usr/libexec/postfix with the name clamav-filter.sh.

#!/bin/sh
# ClamAV script; set the option ScanMail on clamav.conf
# by Deives Michellis "thefallen" - dmichellis@yahoo.com | thefallen@unitednerds.org
#
# Change master.cf and add those lines:
#clamav unix    -       n       n       -       -       pipe
#  flags=Rq user=clamav argv=/usr/libexec/postfix/clamav-filter.sh -f ${sender}  --  ${recipient}
#
# Also change the smtpd config on master.cf
# smtp  inet    n       -       n       -       -       smtpd
#       -o content_filter=clamav:clamav
#
#
export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games
#
# Config
#
# Create that dir with permission to the user clamav to have read/write permissions on it (as the script will run as clamav)
#
INSPECT_DIR=/opt/var/filter
SENDMAIL="/usr/sbin/sendmail -i "
MYHOSTNAME=`postconf -h myhostname`
REPORTHOST=`postconf -h myhostname`
#
# Exit codes <sysexits.h>
#
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
EX_DENIED=77
#
# Tempnames definitions
#
nome_arquivo=`date +%Y%m%d%H%M%S`
nome_arquivo=in.$$.$nome_arquivo
#
# the clamdscan command
#
AVCMD="/opt/bin/clamdscan   --disable-summary --stdout "
#
# Should people be notified that they are sending a virus?
#
NOTIFY_VIRUS=yes
#
# Do YOU want to know about viruses?
#
NOTIFY_POSTMASTER=yes

viruscan() {
  VIRUS=`$AVCMD  $nome_arquivo`
  SAIDA=$?
  VIRUS=`echo $VIRUS | cut -d" " -f2-`
  if [ $SAIDA -eq 1 ]; then
    #
    # Let's log to syslog
    #
    postlog -t postfix/virus-filter message-id=$msgid reject: VIRUS from=\<$from\> to=\<$rcpts\> 2>/dev/null
    if [ "$NOTIFY_VIRUS" = "yes" ]; then
      echo "From: Virus Scanner <mailer-daemon@$MYHOSTNAME>
Subject: WARNING: Email rejected: VIRUS Detected
To: $from

Your email to ($rcpts) with subject ($subj) was rejected because of a virus.

Virus found: $VIRUS

 " | $SENDMAIL -f MAILER-DAEMON -- $from
    fi

    if [ "$NOTIFY_POSTMASTER" = "yes" ]; then
      echo "From: Virus Scanner <mailer-daemon@$MYHOSTNAME>
Subject: Postmaster Copy: VIRUS Detected
To: postmaster@$MYHOSTNAME

Email from $from to ($rcpts) subject ($subj) infected by virus.

Virus found: $VIRUS

 " | $SENDMAIL -f MAILER-DAEMON -- postmaster@$MYHOSTNAME
   fi
   exit 0
  fi
}
#
# Clean up when done or when aborting.
#
trap "rm -rf $nome_arquivo*" 0 1 2 3 15
#
# Start processing.
#
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }

cat >$nome_arquivo || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

# Postfix calls this script as: -f ${sender} -- ${recipient}...
# so $2 is the sender, unless the sender is empty and "--" comes first.
from=$2
if [ "$from" != "--" ]; then
  shift
else
  from=""
fi

# drop "-f" and "--"; what remains are the recipients
shift ; shift

dominio=`echo $from | cut -d"@" -f2`
email=`echo $from | cut -d"@" -f1`
subj=`head -n 200 $nome_arquivo | grep -i "^Subject:" | cut -d":" -f2- | head -n 1`
msgid=`head -n 200 $nome_arquivo | grep -i "^message-id" | cut -d: -f 2- | sed 's/^ *//' | head -n 1`


saida="-f $from -- $@"
rcpts=$@

viruscan

$SENDMAIL $saida <$nome_arquivo

exit 0
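The script above only reacts to clamdscan exit status 1; when clamd is not running, clamdscan exits with status 2 and the mail is handed to sendmail unscanned. The following added example (helper functions written for this page, not part of the original filter script or of ClamAV) shows the decision logic a practitioner would want instead, together with the envelope-argument parsing that the master.cf entry implies; the clamdscan output line it parses is constructed.

```shell
#!/bin/sh
# Added example, not part of the original clamav-filter.sh: helper functions
# showing how a pipe(8) content filter should interpret clamdscan's result.
# clamdscan exit status: 0 = no virus, 1 = virus found, 2 = error (for
# example clamd is not running or the file is unreadable).  The script above
# only tests for status 1, so on status 2 the mail is handed to sendmail
# unscanned; scan_decision returns EX_TEMPFAIL (75, from <sysexits.h>) for
# that case, which makes Postfix keep the mail queued and retry later.

EX_OK=0
EX_TEMPFAIL=75

# virus_name LINE: extract the signature name from clamdscan --stdout output,
# e.g. "/opt/var/filter/in.123.20090203: Eicar-Test-Signature FOUND".
# Prints nothing for a clean file ("...: OK").
virus_name() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*: \(.*\) FOUND$/\1/p' | head -n 1
}

# scan_decision STATUS: print the action for a clamdscan exit status and
# return the code the filter should exit with.  A virus (status 1) is dropped
# and reported with exit 0, as the original script does, so Postfix does not
# bounce the message; any other non-zero status is a scanner error.
scan_decision() {
    case "$1" in
        0) echo deliver;  return $EX_OK ;;
        1) echo reject;   return $EX_OK ;;
        *) echo tempfail; return $EX_TEMPFAIL ;;
    esac
}

# parse_envelope -f SENDER -- RECIPIENT...: the argument layout of the
# master.cf entry above (argv=... -f ${sender} -- ${recipient}).  Sets FROM
# and RCPTS.  An empty envelope sender (a bounce) may arrive either as an
# empty argument or with "-f" directly followed by "--"; both give FROM="".
parse_envelope() {
    FROM=""
    [ "$1" = "-f" ] && shift
    if [ "$1" != "--" ]; then
        FROM=$1
        shift
    fi
    [ "$1" = "--" ] && shift
    RCPTS=$*
}
```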

The configuration

This section describes the changes to the different files that are needed to configure the ClamAV scanner and the Postfix integration.

  • /etc/postfix/master.cf
  1. Comment out the following line somewhere at the top of the file by putting a hash (#) in front of it.
#smtp      inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes

Underneath that same line, include the following replacement for this:

#SBE commented above line, and inserted the below one
smtp  inet    n       -       n       -       -       smtpd
     -o smtpd_sasl_auth_enable=yes  -o content_filter=clamav:clamav

On a new line (e.g. at the end of the file), add the following lines:

clamav unix    -       n       n       -       -       pipe
  flags=Rq user=clamav argv=/usr/libexec/postfix/clamav-filter.sh -f ${sender}  --  ${recipient}
  • /usr/libexec/postfix/clamav-filter.sh

I decided to create a special directory for unpacking and scanning the e-mails, so I did:

/ # mkdir /opt/var/filter
/ # chown clamav:clamav /opt/var/filter

Now in the clamav-filter.sh script I changed the lines:

# Config
#
# Create that dir with permission to the user clamav to have read/write permissions on it (as the script will run as clamav)
#
INSPECT_DIR=/opt/var/filter

#
# Should people be notified that they are sending a virus?
#
# SBE changed notify to no, to avoid sending warnings
NOTIFY_VIRUS=no

As you might have noticed, in the script listed above NOTIFY_VIRUS is set to yes again; I switched it back on for testing purposes.

  • /opt/etc/clamd.conf

In /opt/etc/clamd.conf I explicitly enabled some settings that are already enabled by default, just to make it clear that these settings are required.

# Enable internal e-mail scanner.
# Default: enabled
# SBE re-enabled
ScanMail

# ClamAV can scan within archives and compressed files.
# Default: enabled
#SBE re-enabled
ScanArchive
  • /opt/etc/init.d/S98clamav

In the default startup of the system, the init mechanism automatically searches for additional "/opt" packages, and therefore I used S98clamav to start the clamd daemon. I probably should have done it a little more elegantly and created a handler for start/stop etc. If you did this, please update the page with your script...

#!/bin/sh

addgroup clamav 2>/dev/null
adduser -s /dev/null -H -h /opt/share/clamav -D -G clamav clamav 2>/dev/null

/opt/sbin/clamd &

User rights

I had some issues with user rights, so I adapted a few security settings to overcome this. Below are the most important ones:

  • /etc/group (added user clamav to admin and maildrop group)
...
admin:x:105:clamav
maildrop:x:106:admin,clamav
...
  • /home/.postfix

I needed to open up some directories for clamav:

/ # cd /home/.postfix
/home/.postfix # chown -R admin:admin active/
/home/.postfix # chown -R admin:admin bounce/
/home/.postfix # chown -R admin:admin corrupt/
/home/.postfix # chown -R admin:admin defer/
/home/.postfix # chown -R admin:admin deferred/
/home/.postfix # chown -R admin:admin flush/
/home/.postfix # chown -R admin:admin hold/
/home/.postfix # chown -R admin:admin incoming/
/home/.postfix # chown -R admin:admin pid/
/home/.postfix # chown -R admin:admin private/
/home/.postfix # chown -R admin:admin saved/
/home/.postfix # chown -R admin:admin trace/
/home/.postfix # ls -ld .
drwxrwxr--   16 admin    admin         408 Jan 23 00:26 .
/home/.postfix # chmod +x .
/home/.postfix # ls -ld .
drwxrwxr-x   16 admin    admin         408 Jan 23 00:26 .
/home/.postfix # ls -ld maildrop/
drwx-wx---    2 admin    maildrop       48 Jan 28 16:24 maildrop/
/home/.postfix # chmod +rwx maildrop/

This (and maybe some changes I haven't logged --> oops) has given me the following view of the /home/.postfix directory:

/home/.postfix # ls -la
drwxrwxr-x   16 admin    admin         408 Jan 23 00:26 .
drwxr-xr-x   16 root     root          416 Feb  1 22:39 ..
drwx------    2 admin    admin          48 Feb  3 22:02 active
drwx------    2 admin    admin          48 Feb  3 10:44 bounce
drwx------    2 admin    admin          48 Jan 23 00:26 corrupt
drwx------    2 admin    admin          48 Jan 23 00:26 defer
drwx------    2 admin    admin          48 Jan 23 00:26 deferred
-rw-r--r--    1 root     root            0 Jan 23 00:26 dummy
drwx------    2 admin    admin          48 Jan 23 00:26 flush
drwx------    2 admin    admin          48 Jan 23 00:26 hold
drwx------    2 admin    admin          48 Feb  3 22:02 incoming
drwxrwxrwx    2 admin    maildrop       48 Feb  3 22:02 maildrop
drwxr-xr-x    2 admin    admin         272 Feb  1 18:13 pid
drwx------    2 admin    admin         608 Feb  1 22:36 private
drwxr-x---    2 admin    maildrop      168 Feb  1 22:36 public
drwx------    2 admin    admin          48 Jan 23 00:26 saved
drwx------    2 admin    admin          48 Jan 23 00:26 trace

Keeping clamav up to date

To keep clamav up to date, there is a special tool called freshclam. This tool should be run multiple times a day to pick up changes in the virus definitions, which made me decide to run it as a cron job. To add something to /etc/crontab without losing it at every reboot, you should put it in the following file (add it as the last line):

  • /etc/init.d/croninit
#SBE schedule ClamAV updates
echo "13 0,6,12,18 * * * clamav /opt/bin/freshclam">>/etc/crontab

This tells cron to start freshclam as user clamav at 00:13, 06:13, 12:13 and 18:13 hours (every day of the week). In the clamav documentation you will find that freshclam can also run with a --daemon-notify option, but this is not necessary, as clamd.conf still has SelfCheck enabled, which guarantees that clamd picks up the changes.

  • /opt/etc/clamd.conf (no change needed, added this snippet just for illustration of the above statement)
# Perform internal sanity check (database integrity and freshness).
# Default: 1800 (30 min)
#SelfCheck 600

Testing your new set-up

To test an anti-virus installation, you need a ....... virus. It is very easy to run into all kinds of viruses in the wild, but fortunately there are also controlled "viruses" for test purposes. Please follow the link http://www.eicar.org/anti_virus_test_file.htm ==> this link brings you to a download page, where you can download a test virus. Now try and find an unprotected computer (otherwise it will clean your virus even before you have sent it), and send an e-mail with this "virus" attached to an e-mail account that you are running on your FSG (e.g. via a fetchmail set-up like in my case). Once the mail is processed, check the inbox, which should contain a message from the anti-virus software telling you that the mail has been blocked. If this is not the case, check the e-mail logs on your administrative website; ten to one your problem is caused by some directory rights problem. I myself opened up all directories for which error messages were shown, using chmod +rwx.

For me, this did the trick!!
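Since directory rights are the usual cause of a failed test, here is an added preflight check (example code written for this page, not part of the original) that verifies the filter directory, the filter script and the master.cf entries described in the configuration and user rights sections, and lists the rejects the filter logged via postlog. The paths default to the ones used on this page; the master.cf and log lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: preflight checks for the
# pieces set up above (the filter directory and its owner, the filter script,
# the master.cf entries) plus a reader for the reject lines the filter writes
# with postlog.  Defaults are the paths used on this page; each function
# takes a path argument so it can be pointed elsewhere.

# check_filter_dir DIR OWNER: DIR must exist and belong to OWNER, the user
# the pipe transport runs as (user=clamav in master.cf).  Ownership is read
# from the third column of "ls -ld", which busybox ls prints as well.
check_filter_dir() {
    dir=${1:-/opt/var/filter}; owner=${2:-clamav}
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    actual=$(ls -ld "$dir" | awk '{print $3}')
    [ "$actual" = "$owner" ] || { echo "$dir is owned by $actual, not $owner"; return 1; }
    echo "ok: $dir owned by $owner"
}

# check_filter_script FILE: pipe(8) cannot run a script without the x bit.
check_filter_script() {
    f=${1:-/usr/libexec/postfix/clamav-filter.sh}
    [ -x "$f" ] || { echo "not executable: $f"; return 1; }
    echo "ok: $f is executable"
}

# check_master_cf FILE: both the content_filter option on the smtp service
# and the clamav pipe transport must be present and not commented out,
# otherwise mail is delivered without ever reaching the scanner.
check_master_cf() {
    f=${1:-/etc/postfix/master.cf}
    grep -q '^[^#].*content_filter=clamav:clamav' "$f" \
        || { echo "no content_filter=clamav:clamav in $f"; return 1; }
    grep -q '^clamav[[:space:]][[:space:]]*unix' "$f" \
        || { echo "no clamav transport in $f"; return 1; }
    echo "ok: $f routes mail through the clamav transport"
}

# virus_rejects LOGFILE: print "sender recipient" for every reject that
# clamav-filter.sh logged via postlog (tag postfix/virus-filter).
virus_rejects() {
    sed -n 's/.*postfix\/virus-filter.*reject: VIRUS from=<\([^>]*\)> to=<\([^>]*\)>.*/\1 \2/p' "$1"
}
```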

The finishing touch

Of course I wanted to see whether my clamd daemon was running, right from my FSG status page, so I adapted the file:

  • index.php

In this file I added one line (watch out for the right place of the commas etc.), which tells the status page to take the occurrences of the word clamd and put them under the heading ClamAV:

function RunningApps()
{
    global $RUNNING_APPS_COLUMNS;
    
    StartCapture();
    
    $appnames = array(
        "mysqld" => "MySQL",
        "httpd" => "Apache",
        "smbd" =>"Samba",
        "crond" => "Cron",
        "noflushd" => HD_SPINDOWN,
        "vsftpd" => FTP_SERV,
        "sshd" => SSH_SERV,
        "clamd" => "ClamAV");   // SBE added: list clamd processes under the heading ClamAV