# adding clamav to sendmail/spamassassin setup SOLVED

## Moriah

I am running a mail server using sendmail and filtering spam with spamassassin.  I need to add virus filtering with clamav.  I have emerged clamav, but I can't figure out how to configure it so that it works.  I have sendmail, spamassassin, and clamav all running, and I have tried to configure my sendmail.mc to use a milter for clamav, and clamav is configured with verbose messages and debug and log clean messages, but I see no entries in either /var/log/messages or /var/log/clamav/clamd.log that would make me believe that clamav is even getting invoked by sendmail.

Here is my /etc/mail/sendmail.mc file:

```
divert(-1)

divert(0)dnl

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl

VERSIONID(`$Id: sendmail-procmail.mc,v 1.2 2004/12/07 01:59:31 g2boojum Exp $')dnl

OSTYPE(linux)dnl

DOMAIN(generic)dnl

FEATURE(`smrsh',`/usr/sbin/smrsh')dnl

FEATURE(`local_lmtp',`/usr/sbin/mail.local')dnl

FEATURE(`local_procmail')dnl

MAILER(local)dnl

MAILER(smtp)dnl

MAILER(procmail)dnl

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter.sock, F=T, T=S:4m;R:4m')
```

And here is my /etc/clamd.conf file:

```
##

## Example config file for the Clam AV daemon

## Please read the clamd.conf(5) manual before editing this file.

##

# Comment or remove the line below.

# Example

# Uncomment this option to enable logging.

# LogFile must be writable for the user running daemon.

# A full path is required.

# Default: disabled

LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against

# running clamd multiple times (if want to run another clamd, please

# copy the configuration file, change the LogFile variable, and run

# the daemon with --config-file option).

# This option disables log file locking.

# Default: disabled

#LogFileUnlock

# Maximal size of the log file.

# Value of 0 disables the limit.

# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

# in bytes just don't use modifiers.

# Default: 1M

#LogFileMaxSize 2M

# Log time with each message.

# Default: disabled

LogTime

# Also log clean files. Useful in debugging but drastically increases the

# log size.

# Default: disabled

LogClean

# Use system logger (can work together with LogFile).

# Default: disabled

LogSyslog

# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL

# Enable verbose logging.

# Default: disabled

LogVerbose

# This option allows you to save a process identifier of the listening

# daemon (main thread).

# Default: disabled

PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.

# Default: system specific (usually /tmp or /var/tmp).

#TemporaryDirectory /var/tmp

# Path to the database directory.

# Default: hardcoded (depends on installation options)

#DatabaseDirectory /var/lib/clamav

# The daemon works in a local OR a network mode. Due to security reasons we

# recommend the local mode.

# Path to a local socket file the daemon will listen on.

# Default: disabled

LocalSocket /var/run/clamav/clamd.sock

# Remove stale socket after unclean shutdown.

# Default: disabled

FixStaleSocket

# TCP port address.

# Default: disabled

#TCPSocket 3310

# TCP address.

# By default we bind to INADDR_ANY, probably not wise.

# Enable the following to provide some degree of protection

# from the outside world.

# Default: disabled

#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.

# Default: 15

#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.

# If you are using clamav-milter to balance load between remote clamd daemons

# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.

# The value should match your MTA's limit for a maximal attachment size.

# Default: 10M

#StreamMaxLength 20M

# Limit port range.

# Default: 1024

#StreamMinPort 30000

# Default: 2048

#StreamMaxPort 32000

# Maximal number of threads running at the same time.

# Default: 10

#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).

# Value of 0 disables the timeout.

# Default: 120

#ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).

# Default: 30

#IdleTimeout 60

# Maximal depth directories are scanned at.

# Default: 15

#MaxDirectoryRecursion 20

# Follow directory symlinks.

# Default: disabled

#FollowDirectorySymlinks

# Follow regular file symlinks.

# Default: disabled

#FollowFileSymlinks

# Perform internal sanity check (database integrity and freshness).

# Default: 1800 (30 min)

#SelfCheck 600

# Execute a command when virus is found. In the command string %v will

# be replaced by a virus name.

# Default: disabled

#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as a selected user (clamd must be started by root).

# Default: disabled

User clamav

# Initialize supplementary group access (clamd must be started by root).

# Default: disabled

#AllowSupplementaryGroups

# Stop daemon when libclamav reports out of memory condition.

#ExitOnOOM

# Don't fork into background.

# Default: disabled

#Foreground

# Enable debug messages in libclamav.

# Default: disabled

Debug

# Do not remove temporary files (for debug purposes).

# Default: disabled

#LeaveTemporaryFiles

# By default clamd uses scan options recommended by libclamav. This option

# disables recommended options and allows you to enable selected ones below.

# DO NOT TOUCH IT unless you know what you are doing.

# Default: disabled

#DisableDefaultScanOptions

##

## Executable files

##

# PE stands for Portable Executable - it's an executable file format used

# in all 32-bit versions of Windows operating systems. This option allows

# ClamAV to perform a deeper analysis of executable files and it's also

# required for decompression of popular executable packers such as UPX, FSG,

# and Petite.

# Default: enabled

#ScanPE

# With this option clamav will try to detect broken executables and mark

# them as Broken.Executable

# Default: disabled

#DetectBrokenExecutables

##

## Documents

##

# This option enables scanning of Microsoft Office document macros.

# Default: enabled

#ScanOLE2

##

## Mail files

##

# Enable internal e-mail scanner.

# Default: enabled

#ScanMail

# If an email contains URLs ClamAV can download and scan them.

# WARNING: This option may open your system to a DoS attack.

#      Never use it on loaded servers.

# Default: disabled

#MailFollowURLs

##

## HTML

##

# Perform HTML normalisation and decryption of MS Script Encoder code.

# Default: enabled

#ScanHTML

##

## Archives

##

# ClamAV can scan within archives and compressed files.

# Default: enabled

#ScanArchive

# Due to license issues libclamav does not support RAR 3.0 archives (only the

# old 2.0 format is supported). Because some users report stability problems

# with unrarlib it's disabled by default and you must uncomment the directive

# below to enable RAR 2.0 support.

# Default: disabled

#ScanRAR

# The options below protect your system against Denial of Service attacks

# using archive bombs.

# Files in archives larger than this limit won't be scanned.

# Value of 0 disables the limit.

# Default: 10M

#ArchiveMaxFileSize 15M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR

# file, all files within it will also be scanned. This options specifies how

# deep the process should be continued.

# Value of 0 disables the limit.

# Default: 8

#ArchiveMaxRecursion 9

# Number of files to be scanned within an archive.

# Value of 0 disables the limit.

# Default: 1000

#ArchiveMaxFiles 1500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio

# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)

# Value of 0 disables the limit.

# Default: 250

#ArchiveMaxCompressionRatio 300

# Use slower but memory efficient decompression algorithm.

# only affects the bzip2 decompressor.

# Default: disabled

#ArchiveLimitMemoryUsage

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

# Default: disabled

#ArchiveBlockEncrypted

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)

# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is

# reached.

# Default: disabled

#ArchiveBlockMax

##

## Clamuko settings

## WARNING: This is experimental software. It is very likely it will hang

##       up your system!!!

##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.

# Default: disabled

#ClamukoScanOnAccess

# Set access mask for Clamuko.

# Default: disabled

#ClamukoScanOnOpen

#ClamukoScanOnClose

#ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can have

# multiple ClamukoIncludePath directives but each directory must be added

# in a seperate line.

# Default: disabled

#ClamukoIncludePath /home

#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.

# Default: disabled

#ClamukoExcludePath /home/guru

# Don't scan files larger than ClamukoMaxFileSize

# Value of 0 disables the limit.

# Default: 5M

#ClamukoMaxFileSize 10M
```

Any ideas what I am doing wrong?

I do not seem to even have the clamav milter task either running, or even installed anywhere, and I can't find it with emerge -s, so I am rather lost...

PS The logs do indicate that clamav is getting started, but this milter thing has me totally befuddled.  What is a milter anyway, some kind of multiple-filter or something?

Last edited by Moriah on Fri Dec 16, 2005 1:25 pm; edited 1 time in total

----------

## magic919

I guess milter is just a contraction of mail and filter.

The idea is that Sendmail or some other MTA pokes the message through to the filter before delivery to the mailbox.  This can happen via a TCP port (more common when on separate machines) or on a unix socket.  Your design seems to be attempting the socket method.  And there's a problem from what I can see.  The sockets don't match.

LocalSocket /var/run/clamav/clamd.sock

is the one clamav is listening on.  The Sendmail config is not quite the same.  So they can't talk to each other.

----------

## magic919

Did you look at the clamsmtp in Portage?

----------

## Pete M

Moriah

Here's a little How-To I wrote

https://forums.gentoo.org/viewtopic-t-357913-highlight-.html

About halfway down the page

Hope it helps

Pete

----------

## Moriah

I did a lot of googling before I posted that help request, and a howto I found talked about starting the milter like you start sendmail or spamd or clamd, so I thought it was a separate task or something.

----------

## Pete M

From my How-To

Edit /etc/conf.d/clamd to enable milter, should look like 

```
START_CLAMD=yes

START_FRESHCLAM=yes

START_MILTER=yes

MILTER_SOCKET="/var/run/clamav/clmilter.sock"

MILTER_OPTS="-m 10"
```

So yes you do have to start milter

Then start clamd

```
rc-update add clamd default
```

```
rc default
```

Pete

----------

## Moriah

Everything is as you said, as far as I can tell, but I get:

```

eli bocarjb # rc-update show | grep clam

               clamd |      default                  

eli bocarjb # rc default

 * Starting clamd ...

 * Failed to start clamd                                                  [ !! ]

 * Starting freshclam ...                                                 [ ok ]

 * Virus databases are already up to date.

 * Starting clamav-milter ...

/usr/sbin/clamav-milter: socket-addr (/var/run/clamav/clmilter.sock) doesn't agree with sendmail.cf

 * Failed to start clamav-milter                                          [ !! ]

eli bocarjb # 

```

What log or config files do you need to see?

Here is /etc/mail/sendmail.mc

```

divert(-1)

divert(0)dnl

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl

VERSIONID(`$Id: sendmail-procmail.mc,v 1.2 2004/12/07 01:59:31 g2boojum Exp $')dnl

OSTYPE(linux)dnl

DOMAIN(generic)dnl

FEATURE(`smrsh',`/usr/sbin/smrsh')dnl

FEATURE(`local_lmtp',`/usr/sbin/mail.local')dnl

FEATURE(`local_procmail')dnl

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter.sock, F=T, T=S:4m;R:4m')

define(`confINPUT_MAIL_FILTERS', `clmilter')dnl

MAILER(local)dnl

MAILER(smtp)dnl

MAILER(procmail)dnl

```

----------

## Pete M

Clamd log should be as set in /etc/clamd.conf

 *Quote:*   

> LogFile /var/log/clamav/clamd.log

 

You should also have /var/log/freshclam.log

 *Quote:*   

> /usr/sbin/clamav-milter: socket-addr (/var/run/clamav/clmilter.sock) doesn't agree with sendmail.cf
> 
>  * Failed to start clamav-milter 

 

Your sendmail.mc states /var/run/clamav-milter.sock ?

Pete

----------

## Moriah

 *Quote:*   

> Your sendmail.mc states /var/run/clamav-milter.sock ? 

 

Yes, and so does /etc/conf.d/clamd:

```

# Config file for /etc/init.d/clamd

# NOTICE: Since clamav-0.85-r1, only START_CLAMD and START_FRESHCLAM settings

#     are used, other are silently ignored

START_CLAMD=yes

START_FRESHCLAM=yes

START_MILTER=yes

MILTER_SOCKET="/var/run/clamav/clmilter.sock"

#MILTER_OPTS="-m 10 --timeout=0"

MILTER_OPTS="-m 10"

```

It also says it doesn't even look at that, so where else could it be set differently?  Is there a clamav-milter.conf somewhere?

Here is /etc/mail/sendmail.mc:

```

divert(-1)

divert(0)dnl

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl

VERSIONID(`$Id: sendmail-procmail.mc,v 1.2 2004/12/07 01:59:31 g2boojum Exp $')dnl

OSTYPE(linux)dnl

DOMAIN(generic)dnl

FEATURE(`smrsh',`/usr/sbin/smrsh')dnl

FEATURE(`local_lmtp',`/usr/sbin/mail.local')dnl

FEATURE(`local_procmail')dnl

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter.sock, F=T, T=S:4m;R:4m')

define(`confINPUT_MAIL_FILTERS', `clmilter')dnl

MAILER(local)dnl

MAILER(smtp)dnl

MAILER(procmail)dnl

```

----------

## magic919

Use ls and a bit of poking and find the correct name and location of the clamav socket.  You'll need to make sure the Sendmail config points to the right socket.

----------

## Moriah

Well, it's gone from bad to worse.  Now I've broken the ability to receive email from outside at all.

I noticed a slight discrepancy: one of the config files had a - where another had a slash, so I fixed that, and that's when email stopped flowing in at all.  I think I fixed the socket problem with that last edit, and there is still something else wrong, so the mail is not getting through because it is being stopped by clamd, but that is just a guess.

I restored the old sendmail.cf and reran the m4 command to make sendmail.mc, and now my email works again, but not clamav.  clamav is still trying to start, and still complaining about the socket inconsistency, but at least the mail is coming thru again.

Here is the sendmail.mc that lets the mail get thru:

```

divert(-1)

divert(0)dnl

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl

VERSIONID(`$Id: sendmail-procmail.mc,v 1.2 2004/12/07 01:59:31 g2boojum Exp $')dnl

OSTYPE(linux)dnl

DOMAIN(generic)dnl

FEATURE(`smrsh',`/usr/sbin/smrsh')dnl

FEATURE(`local_lmtp',`/usr/sbin/mail.local')dnl

FEATURE(`local_procmail')dnl

MAILER(local)dnl

MAILER(smtp)dnl

MAILER(procmail)dnl

```

And here is the sendmail.mc that stops it from getting thru:

```

divert(-1)

divert(0)dnl

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl

VERSIONID(`$Id: sendmail-procmail.mc,v 1.2 2004/12/07 01:59:31 g2boojum Exp $')dnl

OSTYPE(linux)dnl

DOMAIN(generic)dnl

FEATURE(`smrsh',`/usr/sbin/smrsh')dnl

FEATURE(`local_lmtp',`/usr/sbin/mail.local')dnl

FEATURE(`local_procmail')dnl

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=T, T=S:4m;R:4m')

define(`confINPUT_MAIL_FILTERS', `clmilter')dnl

MAILER(local)dnl

MAILER(smtp)dnl

MAILER(procmail)dnl

```

The only difference is the one that stops email has the following inserted into it:

```

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=T, T=S:4m;R:4m')

define(`confINPUT_MAIL_FILTERS', `clmilter')dnl

```

So I really think I've made progress by stopping email from getting thru, as I think it is being stopped by clamd, which would not get any traffic at all before because of the socket naming problem.

What's next?

----------

## Moriah

I notice you are in the UK, so it must be getting close to bedtime there.  What time (GMT-0) do you expect to get back online tomorrow morning?  I am working at home, so my schedule is pretty flexible, and I don't want to keep you up too late.  I can get back online whenever it suits you best.  I REALLY appreciate this help!

----------

## Pete M

/var/run/clamav/clmilter.sock is here in /etc/conf.d/clamd

 *Quote:*   

> # Config file for /etc/init.d/clamd
> 
> # NOTICE: Since clamav-0.85-r1, only START_CLAMD and START_FRESHCLAM settings
> 
> #	  are used, other are silently ignored
> ...

 

Pete

----------

## Moriah

If you look back at my post of Thu Dec 15, 2005 6:48 pm you will see where I formerly had a dash instead of a slash between the clamav/clmilter so it was formerly clamav-clmilter, which was where the mismatch came in.

Like I said, I think I fixed the socket naming problem, which allowed me to see that clamd and clamav-milter together are capable of totally blocking all of my inbound email.  

So now I need to troubleshoot the reason why everything is getting blocked.  I suspect that clamav-milter is getting the traffic, but either not passing it on to clamd, or clamd is not passing the filtered result back to clamav-milter, or that clamav-milter is not passing it back to sendmail.  How do I determine where the flow is being blocked?

----------

## Pete M

Moriah

Time here is now 01:07 am won't be online again till 05:30 pm UK time, have to work

Anyway just in case it helps here are my configuration files

1 sendmail.mc (short version)

```
dnl MASQUERADE_DOMAIN(localhost)dnl

dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl

dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl

dnl MASQUERADE_DOMAIN(mydomain.lan)dnl

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl

define(`confINPUT_MAIL_FILTERS', `clmilter')dnl

MAILER(local)dnl

MAILER(smtp)dnl

MAILER(procmail)dnl

```

2 /etc/conf.d/clamd

```
# Config file for /etc/init.d/clamd

# NOTICE: Since clamav-0.85-r1, only START_CLAMD and START_FRESHCLAM settings

#         are used, other are silently ignored

START_CLAMD=yes

START_FRESHCLAM=yes

START_MILTER=yes

MILTER_SOCKET="/var/run/clamav/clmilter.sock"

MILTER_OPTS="-m 10 -T 0 --force-scan --signature-file=/home/peter/.clam"

```

MILTER_OPTS has a few extra options to scan all mail plus add signature

3 /etc/clamd.conf

```
##

## Example config file for the Clam AV daemon

## Please read the clamd.conf(5) manual before editing this file.

##

# Comment or remove the line below.

# Example

# Uncomment this option to enable logging.

# LogFile must be writable for the user running daemon.

# A full path is required.

# Default: disabled

LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against

# running clamd multiple times (if want to run another clamd, please

# copy the configuration file, change the LogFile variable, and run

# the daemon with --config-file option).

# This option disables log file locking.

# Default: disabled

#LogFileUnlock

# Maximal size of the log file.

# Value of 0 disables the limit.

# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

# in bytes just don't use modifiers.

# Default: 1M

#LogFileMaxSize 2M

# Log time with each message.

# Default: disabled

LogTime

# Also log clean files. Useful in debugging but drastically increases the

# log size.

# Default: disabled

#LogClean

# Use system logger (can work together with LogFile).

# Default: disabled

#LogSyslog

# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL

# Enable verbose logging.

# Default: disabled

#LogVerbose

# This option allows you to save a process identifier of the listening

# daemon (main thread).

# Default: disabled

PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.

# Default: system specific (usually /tmp or /var/tmp).

#TemporaryDirectory /var/tmp

# Path to the database directory.

# Default: hardcoded (depends on installation options)

#DatabaseDirectory /var/lib/clamav

# The daemon works in a local OR a network mode. Due to security reasons we

# recommend the local mode.

# Path to a local socket file the daemon will listen on.

# Default: disabled

LocalSocket /var/run/clamav/clamd.sock

# Remove stale socket after unclean shutdown.

# Default: disabled

FixStaleSocket

# TCP port address.

# Default: disabled

#TCPSocket 3310

# TCP address.

# By default we bind to INADDR_ANY, probably not wise.

# Enable the following to provide some degree of protection

# from the outside world.

# Default: disabled

#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.

# Default: 15

#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.

# If you are using clamav-milter to balance load between remote clamd daemons

# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.

# The value should match your MTA's limit for a maximal attachment size.

# Default: 10M

#StreamMaxLength 20M

# Limit port range.

# Default: 1024

#StreamMinPort 30000

# Default: 2048

#StreamMaxPort 32000

# Maximal number of threads running at the same time.

# Default: 10

#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).

# Value of 0 disables the timeout.

# Default: 120

#ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).

# Default: 30

#IdleTimeout 60

# Maximal depth directories are scanned at.

# Default: 15

#MaxDirectoryRecursion 20

# Follow directory symlinks.

# Default: disabled

#FollowDirectorySymlinks

# Follow regular file symlinks.

# Default: disabled

#FollowFileSymlinks

# Perform internal sanity check (database integrity and freshness).

# Default: 1800 (30 min)

#SelfCheck 600

# Execute a command when virus is found. In the command string %v will

# be replaced by a virus name.

# Default: disabled

#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as a selected user (clamd must be started by root).

# Default: disabled

User clamav

# Initialize supplementary group access (clamd must be started by root).

# Default: disabled

#AllowSupplementaryGroups

# Stop daemon when libclamav reports out of memory condition.

#ExitOnOOM

# Don't fork into background.

# Default: disabled

#Foreground

# Enable debug messages in libclamav.

# Default: disabled

#Debug

# Do not remove temporary files (for debug purposes).

# Default: disabled

#LeaveTemporaryFiles

# By default clamd uses scan options recommended by libclamav. This option

# disables recommended options and allows you to enable selected ones below.

# DO NOT TOUCH IT unless you know what you are doing.

# Default: disabled

#DisableDefaultScanOptions

##

## Executable files

##

# PE stands for Portable Executable - it's an executable file format used

# in all 32-bit versions of Windows operating systems. This option allows

# ClamAV to perform a deeper analysis of executable files and it's also

# required for decompression of popular executable packers such as UPX, FSG,

# and Petite.

# Default: enabled

#ScanPE

# With this option clamav will try to detect broken executables and mark

# them as Broken.Executable

# Default: disabled

#DetectBrokenExecutables

##

## Documents

##

# This option enables scanning of Microsoft Office document macros.

# Default: enabled

#ScanOLE2

##

## Mail files

##

# Enable internal e-mail scanner.

# Default: enabled

#ScanMail

# If an email contains URLs ClamAV can download and scan them.

# WARNING: This option may open your system to a DoS attack.

#          Never use it on loaded servers.

# Default: disabled

#MailFollowURLs

##

## HTML

##

# Perform HTML normalisation and decryption of MS Script Encoder code.

# Default: enabled

#ScanHTML

##

## Archives

##

# ClamAV can scan within archives and compressed files.

# Default: enabled

#ScanArchive

# Due to license issues libclamav does not support RAR 3.0 archives (only the

# old 2.0 format is supported). Because some users report stability problems

# with unrarlib it's disabled by default and you must uncomment the directive

# below to enable RAR 2.0 support.

# Default: disabled

#ScanRAR

# The options below protect your system against Denial of Service attacks

# using archive bombs.

# Files in archives larger than this limit won't be scanned.

# Value of 0 disables the limit.

# Default: 10M

#ArchiveMaxFileSize 15M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR

# file, all files within it will also be scanned. This options specifies how

# deep the process should be continued.

# Value of 0 disables the limit.

# Default: 8

#ArchiveMaxRecursion 9

# Number of files to be scanned within an archive.

# Value of 0 disables the limit.

# Default: 1000

#ArchiveMaxFiles 1500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio

# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)

# Value of 0 disables the limit.

# Default: 250

#ArchiveMaxCompressionRatio 300

# Use slower but memory efficient decompression algorithm.

# only affects the bzip2 decompressor.

# Default: disabled

#ArchiveLimitMemoryUsage

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

# Default: disabled

#ArchiveBlockEncrypted

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)

# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is

# reached.

# Default: disabled

#ArchiveBlockMax

##

## Clamuko settings

## WARNING: This is experimental software. It is very likely it will hang

##          up your system!!!

##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.

# Default: disabled

#ClamukoScanOnAccess

# Set access mask for Clamuko.

# Default: disabled

#ClamukoScanOnOpen

#ClamukoScanOnClose

#ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can have

# multiple ClamukoIncludePath directives but each directory must be added

# in a seperate line.

# Default: disabled

#ClamukoIncludePath /home

#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.

# Default: disabled

#ClamukoExcludePath /home/guru

# Don't scan files larger than ClamukoMaxFileSize

# Value of 0 disables the limit.

# Default: 5M

#ClamukoMaxFileSize 10M
```

4 /etc/freshclam.conf

```
#

## Example config file for freshclam

## Please read the freshclam.conf(5) manual before editing this file.

## This file may be optionally merged with clamd.conf.

##

# Comment or remove the line below.

# Example

# Path to the database directory.

# WARNING: It must match clamd.conf's directive!

# Default: hardcoded (depends on installation options)

#DatabaseDirectory /var/lib/clamav

# Path to the log file (make sure it has proper permissions)

# Default: disabled

UpdateLogFile /var/log/freshclam.log

# Enable verbose logging.

# Default: disabled

# LogVerbose

# Use system logger (can work together with UpdateLogFile).

# Default: disabled

#LogSyslog

# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL

# This option allows you to save the process identifier of the daemon

# Default: disabled

PidFile /var/run/clamav/freshclam.pid

# By default when started freshclam drops privileges and switches to the

# "clamav" user. This directive allows you to change the database owner.

# Default: clamav (may depend on installation options)

DatabaseOwner clamav

# Initialize supplementary group access (freshclam must be started by root).

# Default: disabled

#AllowSupplementaryGroups

# Use DNS to verify virus database version. Freshclam uses DNS TXT records

# to verify database and software versions. With this directive you can change

# the database verification domain.

# Default: enabled, pointing to current.cvd.clamav.net

#DNSDatabaseInfo current.cvd.clamav.net

# Uncomment the following line and replace XY with your country

# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.

# Default: There is no default, which results in an error when running freshclam

DatabaseMirror db.GB.clamav.net

# database.clamav.net is a round-robin record which points to our most

# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is

# not working. DO NOT TOUCH the following line unless you know what you

# are doing.

DatabaseMirror database.clamav.net

# How many attempts to make before giving up.

# Default: 3 (per mirror)

#MaxAttempts 5

# Number of database checks per day.

# Default: 12 (every two hours)

#Checks 24

# Proxy settings

# Default: disabled

#HTTPProxyServer myproxy.com

#HTTPProxyPort 1234

#HTTPProxyUsername myusername

#HTTPProxyPassword mypass

# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for

# multi-homed systems.

# Default: Use OS'es default outgoing IP address.

#LocalIPAddress aaa.bbb.ccc.ddd

# Send the RELOAD command to clamd.

# Default: disabled

#NotifyClamd

# By default it uses the hardcoded configuration file but you can force an

# another one.

#NotifyClamd /config/file/path

# Run command after successful database update.

# Default: disabled

#OnUpdateExecute command

# Run command when database update process fails.

# Default: disabled

#OnErrorExecute command

# Don't fork into background.

# Default: disabled

#Foreground

# Enable debug messages in libclamav.

# Default: disabled

#Debug

```

Hope some of this helps

Pete
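
The socket and filter-name agreement discussed in the posts above, as an added example (not written by any poster in the thread): a shell checker run over constructed excerpts of the sendmail.mc and /etc/conf.d/clamd files quoted here. The function names and the temporary sample files are assumptions made for illustration; the meanings of the `F=` flag are the ones documented in sendmail's cf/README.

```sh
#!/bin/sh
# Added example: cross-check the milter definition in sendmail.mc against the
# socket clamav-milter listens on. Sample files below are constructed from the
# excerpts posted in this thread.

# Print "name|socket|flags" for every INPUT_MAIL_FILTER line in a .mc file.
mc_filters() {
    sed -n "s/^INPUT_MAIL_FILTER(\`\([^']*\)', *\`S=\([^,']*\), *F=\([^,']*\),.*/\1|\2|\3/p" "$1"
}

# Print the filter list set by confINPUT_MAIL_FILTERS (empty if not set).
mc_enabled() {
    sed -n "s/^define(\`confINPUT_MAIL_FILTERS', *\`\([^']*\)').*/\1/p" "$1" | tr -d ' '
}

# Print MILTER_SOCKET from a Gentoo-style /etc/conf.d/clamd file.
confd_socket() {
    sed -n 's/^MILTER_SOCKET=//p' "$1" | tr -d '"'
}

# check_milter <sendmail.mc> <socket path the milter listens on>
# Returns 0 when socket path and filter name agree, 1 otherwise.
check_milter() {
    mc=$1; want=$2; rc=0
    enabled=$(mc_enabled "$mc")
    filters=$(mc_filters "$mc")
    if [ -z "$filters" ]; then
        echo "FAIL none: no INPUT_MAIL_FILTER line in $mc"
        return 1
    fi
    while IFS='|' read -r name sock flags; do
        sock=${sock#local:}; sock=${sock#unix:}
        if [ "$sock" = "$want" ]; then
            echo "OK   socket: $name -> $sock"
        else
            echo "FAIL socket: $name -> $sock, milter listens on $want"; rc=1
        fi
        # The name in confINPUT_MAIL_FILTERS must be a filter that is defined.
        if [ -n "$enabled" ]; then
            case ",$enabled," in
                *",$name,"*) echo "OK   list: $name is in confINPUT_MAIL_FILTERS" ;;
                *) echo "FAIL list: confINPUT_MAIL_FILTERS=$enabled does not name $name"; rc=1 ;;
            esac
        fi
        # F= decides what sendmail does when it cannot reach the milter.
        case $flags in
            *T*) echo "NOTE flags: F=T temp-fails mail while the milter is unreachable" ;;
            *R*) echo "NOTE flags: F=R rejects mail while the milter is unreachable" ;;
            *)   echo "NOTE flags: F= empty, mail is accepted unscanned while the milter is unreachable" ;;
        esac
    done <<EOF
$filters
EOF
    return $rc
}

# --- constructed sample files (excerpts of the configs quoted in the thread) ---
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat >"$SAMPLES/clamd.confd" <<'EOF'
START_MILTER=yes
MILTER_SOCKET="/var/run/clamav/clmilter.sock"
EOF
cat >"$SAMPLES/first.mc" <<'EOF'
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter.sock, F=T, T=S:4m;R:4m')
define(`confINPUT_MAIL_FILTERS', `clmilter')dnl
EOF
cat >"$SAMPLES/second.mc" <<'EOF'
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=T, T=S:4m;R:4m')
define(`confINPUT_MAIL_FILTERS', `clmilter')dnl
EOF
cat >"$SAMPLES/pete.mc" <<'EOF'
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')dnl
EOF

WANT=$(confd_socket "$SAMPLES/clamd.confd")
for f in first second pete; do
    echo "== $f.mc"
    check_milter "$SAMPLES/$f.mc" "$WANT" || echo "   -> inconsistent"
done
```

On a live host, pass the real /etc/mail/sendmail.mc and the socket path that clamav-milter reports opening in syslog, then confirm with `ls -l` that the path is a socket sendmail can reach.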

----------

## magic919

I'd be looking to make sure the milter socket is actually there.  You can see it with ls just like any file.

Also check the /var/log/clamav/ directory and see what the logs say.  Check general syslog too.

----------

## Pete M

One more thing before I go to bed, turn up the log level in sendmail.mc

Here

```
dnl # Rudimentary information on creating certificates for sendmail TLS:

dnl #     make -C /usr/share/ssl/certs usage

dnl #

define(`CERT_DIR', `/etc/mail/certs')dnl

define(`confCACERT_PATH', `CERT_DIR')dnl

define(`confCACERT', `CERT_DIR/cacert.pem')dnl

define(`confSERVER_CERT', `CERT_DIR/server-cert.pem')dnl

define(`confSERVER_KEY', `CERT_DIR/server-key.pem')dnl

define(`confCLIENT_CERT', `CERT_DIR/server-cert.pem')dnl

define(`confCLIENT_KEY', `CERT_DIR/server-key.pem')dnl

dnl #

dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')

dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')

dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')

dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')

define(`confLOG_LEVEL', `15')dnl

```

define(`confLOG_LEVEL', `15')dnl

You may have permission problems, mail.log will show this

Goodnight

Pete

----------

## Moriah

OK, did it.  When I /etc/init.d/sendmail start, I get in /var/log/messages:

```
Dec 15 20:50:01 eli cron[12921]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Dec 15 20:50:02 eli clamd[13026]: Daemon started.
Dec 15 20:50:02 eli clamd[13026]: clamd daemon 0.87.1 (OS: linux-gnu, ARCH: i386, CPU: i686)
Dec 15 20:50:02 eli clamd[13026]: Log file size limited to 1048576 bytes.
Dec 15 20:50:02 eli clamd[13026]: Verbose logging activated.
Dec 15 20:50:02 eli clamd[13026]: Running as user clamav (UID 101, GID 407)
Dec 15 20:50:02 eli clamd[13026]: Reading databases from /var/lib/clamav
Dec 15 20:50:04 eli clamd[13026]: Protecting against 41445 viruses.
Dec 15 20:50:04 eli clamd[13036]: Unix socket file /var/run/clamav/clamd.sock
Dec 15 20:50:04 eli clamd[13036]: Setting connection queue length to 15
Dec 15 20:50:04 eli clamd[13036]: Listening daemon: PID: 13036
Dec 15 20:50:04 eli clamd[13036]: Archive: Archived file size limit set to 10485760 bytes.
Dec 15 20:50:04 eli clamd[13036]: Archive: Recursion level limit set to 8.
Dec 15 20:50:04 eli clamd[13036]: Archive: Files limit set to 1000.
Dec 15 20:50:04 eli clamd[13036]: Archive: Compression ratio limit set to 250.
Dec 15 20:50:04 eli clamd[13036]: Archive support enabled.
Dec 15 20:50:04 eli clamd[13036]: Archive: RAR support disabled.
Dec 15 20:50:04 eli clamd[13036]: Portable Executable support enabled.
Dec 15 20:50:04 eli clamd[13036]: Mail files support enabled.
Dec 15 20:50:04 eli clamd[13036]: OLE2 support enabled.
Dec 15 20:50:04 eli clamd[13036]: HTML support enabled.
Dec 15 20:50:04 eli clamd[13036]: Self checking every 1800 seconds.
Dec 15 20:50:05 eli clamav-milter[13055]: Loaded ClamAV 0.87.1/1210/Thu Dec 15 10:23:22 2005
Dec 15 20:50:05 eli clamav-milter[13055]: ClamAV: Protecting against 41445 viruses
Dec 15 20:50:05 eli clamav-milter[13060]: ClamAv: Opening listen socket on conn /var/run/clamav/clmilter.sock
Dec 15 20:50:05 eli clamav-milter[13060]: Starting ClamAV version 0.87.1, clamav-milter version 0.87
Dec 15 20:50:05 eli sendmail[13072]: alias database /etc/mail/aliases rebuilt by root
Dec 15 20:50:05 eli sendmail[13072]: /etc/mail/aliases: 21 aliases, longest 10 bytes, 221 bytes total
Dec 15 20:50:05 eli sm-mta[13078]: NOQUEUE: --- 451 4.0.0 InputFilter clmilter not defined: No such file or directory
Dec 15 20:50:05 eli sm-mta[13078]: NOQUEUE: SYSERR(root): InputFilter clmilter not defined: No such file or directory
Dec 15 20:50:05 eli sm-cm[13086]: starting daemon (8.13.4): queueing@00:30:00
```

I am suspicious of the lines:

```
Dec 15 20:50:05 eli sm-mta[13078]: NOQUEUE: --- 451 4.0.0 InputFilter clmilter not defined: No such file or directory
Dec 15 20:50:05 eli sm-mta[13078]: NOQUEUE: SYSERR(root): InputFilter clmilter not defined: No such file or directory
```

This looks like yet another piece needs to be reconfigured or re-emerged...

At any rate, have a good night.  I will check in tomorrow morning when I get up.  I am in US eastern time zone, GMT-5, so I should check in about noon your time.

Thanks again!

----------

## magic919

Quote:

> define(`confINPUT_MAIL_FILTERS', `clmilter')dnl

Get rid of the S on the end of FILTER to match the line above it in the conf and you're done.
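As an added example (not part of the thread, and not code from sendmail or ClamAV): a small check for the two things the replies tell the poster to look at, a name in `confINPUT_MAIL_FILTERS` that no filter line defines, and a socket path in sendmail.mc that differs from the one clamav-milter logs. The sample input is constructed from lines quoted on this page, and the names `parse_mc` and `audit` are hypothetical.

```python
import re

# Constructed sample: two sendmail.mc lines and one syslog line quoted in this
# thread, combined to illustrate the check. Not the poster's actual file.
SAMPLE_MC = """\
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter.sock, F=T, T=S:4m;R:4m')
define(`confINPUT_MAIL_FILTERS', `clmilter')dnl
"""
SAMPLE_LOG = """\
Dec 15 20:50:05 eli clamav-milter[13060]: ClamAv: Opening listen socket on conn /var/run/clamav/clmilter.sock
"""

# INPUT_MAIL_FILTER and MAIL_FILTER both define a filter: name, then equates.
FILTER_RE = re.compile(r"^(?:INPUT_)?MAIL_FILTER\(`([^']+)',\s*`([^']*)'\)", re.M)
LIST_RE = re.compile(r"^define\(`confINPUT_MAIL_FILTERS',\s*`([^']*)'\)", re.M)
SOCKET_RE = re.compile(r"\bS=(?:local|unix):([^,\s']+)")
LISTEN_RE = re.compile(r"clamav-milter\[\d+\]: .*listen socket on conn (\S+)", re.I)


def parse_mc(mc_text):
    """Return ({filter name: socket path or None}, [names in the filter list])."""
    defined = {}
    for name, equates in FILTER_RE.findall(mc_text):
        sock = SOCKET_RE.search(equates)
        defined[name] = sock.group(1) if sock else None
    listed = []
    for names in LIST_RE.findall(mc_text):
        listed = [n.strip() for n in names.split(",") if n.strip()]
    return defined, listed


def audit(mc_text, log_text):
    """List mismatches that keep sendmail from ever reaching the milter."""
    defined, listed = parse_mc(mc_text)
    listening = set(LISTEN_RE.findall(log_text))
    findings = []
    for name in listed:
        if name not in defined:
            findings.append(f"filter list names '{name}' but no filter defines it")
    for name, sock in defined.items():
        if sock and listening and sock not in listening:
            findings.append(f"'{name}' points at {sock}, milter listens on "
                            f"{', '.join(sorted(listening))}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MC, SAMPLE_LOG):
        print("MISMATCH:", finding)
```

Lines commented out with a leading `dnl` are ignored, and filters that use an `inet:` socket are skipped by the socket comparison.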

----------

## Moriah

Great, it works!

Now to just tone down the loglevel a bit...

Thanks a million!!!

----------

## Moriah

As I said, it works great, and is intercepting viri etc. and sending email notices that it did so to the recipients, but it is not scanning internal email -- sent from one account to another on the same domain -- nor is it scanning outbound email to make sure my network is not a source of contagion.  

How can I fix this?

All the email in my domain goes thru the one central server where clamav is running.

----------

## Pete M

/etc/conf.d/clamd

```
# Config file for /etc/init.d/clamd
# NOTICE: Since clamav-0.85-r1, only START_CLAMD and START_FRESHCLAM settings
#         are used, other are silently ignored
START_CLAMD=yes
START_FRESHCLAM=yes
START_MILTER=yes
MILTER_SOCKET="/var/run/clamav/clmilter.sock"
MILTER_OPTS="-m 10 -T 0 --force-scan --signature-file=/home/peter/.clam"
```

Add milter opts like this. signature-file is simply a text file, in my case containing:

X-Virus-Scanned: ClamAV version 0.87, clamav-milter version 0.87

--force-scan scans all mail, incoming, outgoing, internal

--signature-file adds a signature to all mail, only works for plain text emails

Pete

----------

## Moriah

Thanks!  Changes made.

----------

