ClamAV is the de facto open source virus scanner for linux. Amavis can be linked to many different free and commercial virus scanners, but here clamav will be used. ClamAV is specifically designed for scanning e-mail. It consists of two parts, clamav itself, and freshclam, the clamav updating service. By default it updates every two hours, which should be enough for anyone.
Installing anti-virus protection:
# dnf install clamav clamd clamav-freshclam # clamscan --version // Shows version and date virus database # freshclam // Update virus database
To begin, we will need to edit /etc/clamd.d/scan.conf. Change the following lines in:
# vi /etc/clamd.d/scan.conf #Example LocalSocket /run/clamd.scan/clamd.sock
Then enable and start the clamav scanner daemon:
# setsebool -P antivirus_can_scan_system 1 # systemctl start clamd@scan clamav-freshclam # systemctl enable clamd@scan clamav-freshclam
At this point it is worth and well to check on the service's status:
# systemctl status clamd@scan ..... # systemctl status clamav-freshclam .....
To perform a scan with ClamAV, you can use the following command:
# clamscan -r --bell -i /home/
This command recursively scans all files, only outputs infected files, and rings a bell when found. Be aware that scanning the entire filesystem can take a considerable amount of time.
This can take some time.
Regular scans are essential for maintaining system integrity. You can automate the scanning process by creating a cron job. For instance, to schedule a weekly system scan, you could edit the crontab with:
# crontab -u root -e 30 4 * * 0 /usr/bin/clamscan -r -i /home/ >> /var/log/clamav/scan.log
For notification of scan results, you can use a script to monitor the log file and send alerts if infections are found.
Amavis is an open-source content filter for electronic mail, implementing mail message transfer, decoding, some processing and checking, and interfacing with external content filters to provide protection against spam and viruses and other malware. It can be considered an interface between a mailer (MTA, Mail Transfer Agent) and one or more content filters.
Amavis will actually behave as a mail server in itself, accept mail, filter it, and send it onwards again. For this to work, postfix will need to actually listen for mail twice. The default port 25 is where mail initially is received on. From there on it is sent to amavis, which will be listening on port 10024. When amavis is done with the message, it will be sent to postfix on a different port, 10025. The reason for this should be obvious. If mail would be offered again on port 25, it would be passed to amavis again and thus in an endless loop. Obviously, postfix on port 10025 would only be listening to known hosts, like localhost and not check for spam anymore.
Before installing amavis be sure the mailsystems work without any problems in real world use.
# dnf install amavisd-new unrar
Amavisd offers an enormous amount of options and going over all them will take some time. The configuration file /etc/amavisd.conf however is well documented and divided into clear sections. Each section will be examined as needed. Only options that will be changed will be mentioned to cut down the text for readability.
Note: The configuration file is actually perl code and proper precautions should be taken when editing this file.
For this example amavisd will be running on host foo but this could be any other host as well, amavisd does not require to run on the same host as postfix. Also the domain used is only used to identify the server itself with, not the domains amavisd will be scanning.
Note: With amavis being quite complex, troubleshooting can be difficult enough as it is.
The first step, is to disable all actual checks and to enable logging. Also some default values should be setup:
# cd /etc/amavisd # vi amavisd.conf @bypass_virus_checks_maps = (1); # controls running of anti-virus code @bypass_spam_checks_maps = (1); # controls running of anti-spam code # $bypass_decode_parts = 1; # controls running of decoders&dearchivers $mydomain = 'example.com'; $myhostname = 'foo.example.com'; $log_level = 5; # verbosity 0..5, -d
# systemctl start amavisd # systemctl enable amavisd
# telnet localhost 10024 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. 220 [127.0.0.1] ESMTP amavis service ready ehlo localhost 250-[127.0.0.1] 250-VRFY 250-PIPELINING 250-SIZE 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-SMTPUTF8 250-DSN 250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE ..... quit 221 2.0.0 [127.0.0.1] amavis closing transmission channel Connection closed by foreign host. #
With amavisd working in bare skeletal mode, it should theoretically just pass mail through. Perfect for testing the postfix -> amavisd -> postfix binding.
First, a second postfix transport, where amavis will inject its mail, is added. A lot of options are defaulted to empty, since either they have been checked already, or interfere otherwise:
# cd /etc/postfix/ # vi masster.cf # # anti spam & anti virus section # amavisfeed unix - - n - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - y - - smtpd -o content_filter= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o smtpd_restriction_classes= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters -o local_header_rewrite_clients=
Postfix will listen to port 10025 so that Amavis can send back checked emails to that port.
Also add to smtp, submission and smtps: -o content_filter=amavisfeed:[127.0.0.1]:10024.
# postfix check # systemctl restart postfix
We only have to check the second postfix server.
# telnet localhost 10025 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 server5.robkalmeijer.nl ESMTP Postfix (3.5.9) ehlo localhost 250-server5.robkalmeijer.nl 250-PIPELINING 250-SIZE 4194304 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250-SMTPUTF8 250 CHUNKING quit 221 2.0.0 Bye Connection closed by foreign host.
You can send an email for testing.
If you look in the maillog you will find amavis[xxxxx].
When this works you can activate the virusscanner.
# cd /etc/amavisd # vi amavisd.conf #@bypass_virus_checks_maps = (1); # controls running of anti-virus code @bypass_spam_checks_maps = (1); # controls running of anti-spam code #$bypass_decode_parts = 1; # controls running of decoders&dearchivers
Test if mail is received and send between test email address and the mailserver.