The clamav-miler is packaged by most distributions in their "clamav" package can be used in conjunction with
Postfix to protect your network from malware embedded in SMTP traffic. Integration of
CLAMAV and
Postfix involves four steps:
- Configuration and enabling of the clamd service.
- Updating the CLAMAV malware database and enabling the freshclam service
- Configuration and enabling of the clamav-milter service. Current versions of the clamav-milter require connectivity to the clamd daemon through either a local UNIX socker or a TCP/IP socket.
- Configuration of Postfix to utilize the available clamav-milter service.
Step#1 : Enabling the clamd service
LocalSocket /var/lib/clamav/clamd-socket
LogFacility LOG_MAIL
LogSyslog yes
PidFile /var/lib/clamav/clamd.pid
TCPAddr 127.0.0.1
TCPSocket 3310
User vscan
Text 1: Typical settings overridden from defaults in /etc/clamd.conf
The
clamd daemon typically reads its configuration from the
/etc/clamd.conf file. Most importantly this file specifies, via the
TCPSocket and
TCPAddr directives, on what IP port and address the service listens for connections. These directives should be set to values appropriate for the host and which will be reachable by the
clamav-milter. If the
clamav-milter and the
clamd daemon will be running on the same host the clamd service can be configured to listen to the localhost address [127.0.0.1] to avoid any potential network firewall and traffic filtering issues.
The
clamd.conf file also provides many other tunable values but almost all of these should be appropriate at the distributions defaults.
Once configured the
clamd service must be started and enabled for automatic start following the system's boot-up sequence; on RPM based systems this is typically achieved using the
service and
chkconfig commands.
Step #2 : Enabling the freshclam service
The
freshclam service is an instance of the
freshclam command line tool started with the “
-d” option which runs the command in daemon mode. Whether started from the command-line or running in daemon mode
freshclam will read its configuration from the
/etc/freshclam.conf file. When running the
freshclam daemon will periodically check the
CLAMAV project mirrors for new malware signatures and update the local database used by the
clamd scanning service. The
freshclam daemon should run as the same user context as the
clamd service; the typical way to ensure this is to synchronize the values of
DatabaseOwner in
/etc/freshclam.conf and
User in
/etc/clamd.conf. The frequency which
freshclam will check for new patterns is controlled by the
Checks directive – the default is 12 [times a day], this value should be sufficient in most cases. When database update succeeds the
freshclam service will notify the clamd service that newer patterns are now available [for this to work the
NotifyClamd directive must indicate the correct path to the current
clamd configuration file].
DatabaseMirror database.clamav.net
DatabaseOwner vscan
HTTPProxyPort 3128
HTTPProxyServer proxy.example.com
LogFacility LOG_MAIL
LogSyslog yes
NotifyClamd /etc/clamd.conf
OnErrorExecute /usr/local/bin/malware_update_fail.sh
OnUpdateExecute /usr/local/bin/malware_update_ok.sh
PidFile /var/lib/clamav/freshclam.pid
UpdateLogFile /var/log/freshclam.log
Text 2: Example /etc/freshclam.conf file (comments removed)
The most important considerations in configuration of
freshclam is if your network configuration requires use of an HTTP proxy server in order to access the CLAMAV mirrors for updates and if you need to configure some form of notification concerning success or failure of the pattern updates – a security focused service like a malware milter doesn't help anyone if it is silently failing in the background.
The
HTTPProxyPort and
HTTPProxyServer directives allow an HTTP proxy to be specified; freshclam will use this proxy for all mirror requests whether running as a command-line utility or in daemon mode. Should your proxy require a username/password for authentication these can be provided using the additional
HTTPProxyUsername and
HTTPProxyPassword directives. However it is simpler and more reliable to simply approve the “
database.clamav.net” domain and sub-domains on your HTTP proxy service; all mirror requests will be made to those domains.
For notification of successful or failed updates the
OnUpdateExecute and
OnErrorExecute directives are used respectively. Whatever command is specified here will execute in the security context of the
DatabaseOwner. A useful approach is to enable the log file via the
UpdateLogFile directive and have the tail-end of that file mailed to a responsible party such as a help-desk or system-administrator for periodic verification that the service is operational.
#!/bin/sh
tail -25 /var/log/freshclam.log \
| mail -s "[NOTICE] Malware Database Update Successful" \
-r milter@example.com helpdesk@example.com
Text 3: A simple example script that might be used for OnUpdateExecute
The proper operation of
freshclam can be tested by simply executing the
freshclam utility on the command-line; it should check the mirrors and download any new patterns without an error message. Once configured and tested the
freshclam service must be started and enabled for automatic start following the system's boot-up sequence.
Step #3 : Enabling the clamav-milter service
ClamdSocket tcp:127.0.0.1
LogFacility LOG_MAIL
LogSyslog yes
MilterSocket inet:32767@192.168.1.66
OnInfected Reject
PidFile /var/lib/clamav/clamav-milter.pid
ReportHostname mail.example.com
User vscan
VirusAction /usr/local/bin/virus_notify.sh
Text 4: Example clamav-milter.conf file (with comments removed)
Once the
clamd scanning service is running and the
freshclam service is maintaining the malware signatures the
clamav-milter must be configured and started in order to connect the scanning service into
Postfix's SMTP processing. The milter service is typically loads its configuration from the
/etc/clamav-milter.conf file.
The service must be informed via the
ClamdSocket directive where to find the
clamd scanning service and via
MilterSocket where to listen for connections from
Postfix. The
MitlerSocket directive is “
inet:port@ip-address”.
VirusAction and
OnInfected directives can be used to control the behavior of the service when malware is identified; an
OnInfected value of
Quarantine will cause Postfix to hold the infected message in it's hold queue while a value of
Reject will bounce the message with an SMTP error. Especially when used in
Reject mode defining an appropriate
VirusAction to notify the intended recipient of the message that a message has been discarded is important. The script named by
VirusAction is executed in the security context of the scanning service and is provided seven parameters:
- Virus name-space
- Message queue id
- The sender's e-mail addres
- The e-mail address of the intended recipient.
- The subject of the message-id
- The message's Message-ID
- The date of the message.
Once configured the
clamav-milter service must be started and set to automatically restart upon completion of system boot-up.
#!/bin/bash
# Parameters:
# virus name, queue id, sender, destination, subject, message id, message date
(
echo "";
echo " A message containing malware has been discarded.";
echo "";
echo " Malware: $1";
echo " Sender: $3";
echo " Destination: $4";
echo " Subject: $5";
echo " Message-ID: $6";
echo " Date: $7";
echo " Queue-ID: $2";
echo "";
) | \
mail -s '[ALERT] Infected Messages Discarded' \
-r milter@example.com -c helpdesk@example.com $4
Text 5: A sample script for use as the VirusAction. This script notifies the intended recipient and help-desk that a message was identified as malware and discarded.
Connecting the Postfix service to clamav-milter
In order to integrate the scanning into
Postfix the milter is configured in the
main.cf file as an
smtpd_milter. The default action of the milter should be set to “
accept” so if for any reason the milter is unresponsive messages will still be delivered. As when connecting the other components it is important to verify that the Postfix service can reach the specified service [traffic is permitted by firewall's etc...].
smtpd_milters = inet:milter.example.com:32767
milter_default_action = accept
Text 6: Configuration directives from Postfix's main.cf
Upon modification of the
main.cf file the Postfix service should be restarted.
Once configured the malware filtering service should be tested; this can be accomplished by acquiring a copy of the
EICAR diagnostic virus and verifying that messages with this content attached are rejected and that the end-user's are notified of the rejection [according the clamav-milter's defined
VirusAction].
clamd[11973]: instream(127.0.0.1@60469): Eicar-Test-Signature FOUND
Text 7: Example clamd log message for identified malware.
When malware is detected a message will be logged by
clamd via syslog regarding the event; this will typically be logged under the “
mail” service. Depending on the distribution messages logged as mail will be written to either
/var/log/mail or
/var/log/maillog [at least with the default syslog configuration].