Clam AntiVirus Milter Setup and Debugging

Setup | Debugging

Rough notes on how to setup clamav-milter with Sendmail for malware scanning with Clam AntiVirus (clamav). Malware is a general term encompassing viruses, trojan horses, worms: software that may damage or render insecure computers and networks.

These notes reference clamav 0.65 (with references to configuration filename changes introduced in 0.80) and Sendmail 8.12.10 compiled from source. Only general setup notes are provided, as I currently run clamav from MIMEDefang.

The following image shows an overview of the three daemons involved (sendmail, clamav-milter, and clamd), the connecting socket files /var/run/clamav-milter.sock and /var/run/clamav.sock between the daemons, along the configuration files for the daemons and log paths to syslogd. The clamd daemon should be started before clamav-milter, and finally sendmail, as clamd and clamav-milter create the socket files used for communication.

Setup

  1. Sendmail requires MILTER support.
  2. To see whether sendmail supports MILTER, run the following command. If MILTER is listed in the output, skip to the next step. Sendmail 8.13 enables MILTER by default. Some vendors provide ports or packages of Sendmail: consult these before compiling from scratch. On RedHat linux, install the sendmail and sendmail-devel packages.

    $ sendmail -d0 < /dev/null | grep MILTER
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7

    Adding MILTER support to Sendmail 8.12 usually involves adding the following entries to a site.config.m4 used to build Sendmail from source then rebuilding Sendmail. The second entry is disabled with dnl for debugging, though can be enabled if clamav-milter is not running as the root user.

    APPENDDEF(`confENVDEF', `-DMILTER')
    dnl APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE')

    To rebuild sendmail from a site.config.m4, use the Build script with the -f option.

    $ sh Build -c -f /etc/mail/site.config.m4

  3. libmilter* library must be installed.
  4. In addition to sendmail, the libmilter* library must be installed. The install location of the library and supporting header files will vary by system.

    $ locate libmilter | grep /usr/local
    /usr/local/include/sendmail/libmilter
    /usr/local/include/sendmail/libmilter/mfapi.h
    /usr/local/include/sendmail/libmilter/mfdef.h
    /usr/local/include/sendmail/libmilter/milter.h
    /usr/local/lib/libmilter.a

    If the library is not installed, go to the Sendmail source directory, change into the libmilter subdirectory and run the install script.

    $ cd libmilter
    $ sh Build install

    Some operating systems provide MILTER support via a port or package. Check with your vendor before compiling from scratch.

  5. clamav must be configured with --enable-milter.
  6. $ ./configure --enable-milter ?

    This must be done on a system where the libmilter library and header files have also been installed to a location that clamav can find.

  7. Configure clamd.conf.
  8. Important configuration options for clamd are as follows. Also be sure to set the LocalSocket option to be a secure file location only readable by the clamav user.

    LocalSocket /var/run/clamav.sock
    LogSyslog
    FixStaleSocket
    StreamSaveToDisk

    # set this below confMAX_MESSAGE_SIZE for Sendmail
    StreamMaxLength 10M

    User clamav

    ScanMail
    ScanArchive
    ArchiveMaxFileSize 10M

    Verbose logging or debugging mode may be required when first learning how to run clamav.

  9. Launch clamd.
  10. The clamd daemon will need to be listening to the file given by the LocalSocket option before clamav-milter is started.

    $ sudo /usr/local/sbin/clamd

  11. Launch clamav-milter with appropriate command line arguments.
  12. Review the --help options to clamav-milter for the various options supported, and experiment with test messages once sendmail is configured and running before putting clamav-milter onto a production system.

    $ sudo /usr/local/sbin/clamav-milter --max-children=2 -olb \
    local:/var/run/clamav-milter.sock

    The --max-children=2 limit is only for testing, and will need to be increased on a production mail server.

  13. Configure Sendmail to use the clamav-milter socket.
  14. Set the following in the proper *.mc configuration file for sendmail, and rebuild sendmail.cf from that. Consult my Sendmail Configurations for more information about sendmail.mc and configuring Sendmail.

    INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter.sock, F=T, T=S:4m;R:4m')

    The F=T causes messages to be bounced with a Simple Mail Transport Protocol (SMTP) temporary failure if clamd-milter has problems running properly. You may want to remove this statement if you prefer e-mail getting through over being tempfailed. Consult the ?X ? Mail Filter (Milter) Definitions? section of doc/op/op.ps under the Sendmail source for more information on mail filters, notably the flags (F) and timeout (T) options. Note that different vendors will hide the socket file in different locations; solving this problem is a simple matter of ensuring any parent directory files of the socket exist and have the correct permission, and that the Sendmail and clamav-milter processes use the same location.

    Once sendmail.cf is rebuilt, restart Sendmail.

Debugging