Fedora Linux Support Community & Resources Center

  #1  
Old 20th November 2004, 05:19 PM
be1993 Offline
Registered User
 
Join Date: Nov 2004
Location: Athens, Greece
Posts: 6
Clamav Amavis how to fedora core 3

Since I had many problems to create this, I would like to share my 6 hours of agony-ecstasy in order to make amavis use clamd as antivirus.

Assuming you have installed clamd and amavis:
Open /etc/clamd.conf

Comment out the lines
Code:
#TCPAddr 127.0.0.1
#TCPSocket 3310

Enable LocalSocket /var/run/clamav/clamd.sock

My configuration is
Code:
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket
MaxConnectionQueueLength 30
ReadTimeout 180
SelfCheck 3600
User amavis
AllowSupplementaryGroups
ScanPE
DetectBrokenExecutables
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxCompressionRatio 300
ArchiveBlockEncrypted
ArchiveBlockMax

Note: you have to change anyway the User from clamav to amavis

Open /etc/freshclam.conf

My configuration is
Code:
UpdateLogFile /var/log/clamav/freshclam.log
DatabaseDirectory /var/clamav
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner amavis
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.gr.clamav.net
MaxAttempts 5
NotifyClamd
DatabaseMirror db.local.clamav.net

Note: you have to change anyway the DatabaseOwner from clamav to amavis

Go to Users and Groups

Find Clamav user and add him to amavis Group. amavis should be the primary group for clamav.
You can do that with command line as well

Open /etc/amavis.conf

Go to the ClamAV section
replace /var/run/clamav/clamd with /var/run/clamav/clamd.sock
OR whatever value is on LocalSocket in clamd.conf

Now pay attention to this:
In our case we have 2 directories used for clamav one is
/var/clamav for the database and /var/log/clamav for logs
then you must do a
chown -R amavis:amavis /var/clamav
chown -R amavis:amavis /var/log/clamav
Amavis needs to be the owner in order to work properly

And the last thing
Open /etc/logrotate.d/clamav
you see something like

Code:
/var/log/clamav/clamav.log {
create 644 clamav clamav
}

change the first clamav to amavis

Open /etc/logrotate.d/freshclam.log
you see something like
Code:
/var/log/clamav/freshclam.log {
        create 644 clamav clamav
}

change the first clamav to amavis

Now do a
/sbin/service clamd restart
/sbin/service amavisd restart

Test the setup
My Mail Server is postfix
Everything should be working

The only thing I am not sure of is whether clamd does antivirus update or not
because freshclam can't write to log file because of the permissions.

Any input is very welcomed!


Cheers
  #2  
Old 29th January 2005, 01:48 AM
jult Offline
Registered User
 
Join Date: Mar 2004
Location: Amsterdam, The Netherlands
Age: 47
Posts: 58
Post

Thanks for that. Some additions/corrections:

> Assuming you have installed clamd and amavis:

That is to say:

# yum install amavisd-new
# yum install clamd
# yum install clamav

(add the DAG repository, otherwise it won't work ;-)

Here's my /etc/clamd.conf (for about 18 users with a mail-account here)

Some differences, mainly based on earlier clamav experiences;
Code:
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 1M
LogTime
LogClean
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket
TCPAddr 192.168.1.77
MaxConnectionQueueLength 30
ReadTimeout 200
IdleTimeout 20
SelfCheck 6400
User amavis
AllowSupplementaryGroups
ScanPE
#DetectBrokenExecutables
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 6
ArchiveMaxFiles 800
ArchiveMaxCompressionRatio 300
ArchiveLimitMemoryUsage
ArchiveBlockEncrypted
ArchiveBlockMax
StreamMaxLength 60M
# Use system logger (can work together with LogFile).
# Default: disabled
LogSyslog
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

MaxThreads 12

and this is my /etc/freshclam.conf
Code:
DatabaseDirectory /var/clamav
PidFile /var/run/clamav/freshclam.pid
#DatabaseOwner clamav
DatabaseOwner amavis
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.nl.clamav.net
DatabaseMirror db.local.clamav.net
DatabaseMirror db.gr.clamav.net
Checks 6
MaxAttempts 5
NotifyClamd
NotifyClamd /etc/clamd.conf

You need to
chown -R amavis:clamav /var/run/clamav
as well.

I'm also using postfix as MTA.

There's a good clamav FAQ/wiki here:
http://wiki.clamav.net/index.php/Fre...AskedQuestions

Last edited by jult; 28th October 2006 at 12:46 PM. Reason: Updated conf files a little (okt 2006)
  #3  
Old 28th February 2005, 02:10 PM
fabio@conecta.i Offline
Registered User
 
Join Date: Feb 2005
Posts: 1
I hope it could be helpful for somebody.
I insert info to explain how to add the DAG repository on yum:



First
open /etc/yum.conf

# joe open /etc/yum.conf

insert these rows

[dag]
name=Dag RPM Repository for Fedora Core
baseurl=http://apt.sw.be/fedora/$releasever/en/$basearch/dag

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag

[dag]
name=Dag RPM Repository for older Red Hat Linux
baseurl=http://apt.sw.be/redhat/$releasever/en/$basearch/dag

then



> Assuming you have installed clamd and amavis:

That is to say:

# yum install amavisd-new
# yum install clamd
# yum install clamav

Here's my /etc/clamd.conf (for about 12 users with a mail-account here)

Some differences, mainly based on earlier clamav experiences;
Code:
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 4M
LogTime
LogClean
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket
MaxConnectionQueueLength 40
ReadTimeout 200
IdleTimeout 20
SelfCheck 6400
User amavis
AllowSupplementaryGroups
StreamMaxLength 80M
ScanPE
DetectBrokenExecutables
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxFileSize 12M
ArchiveMaxRecursion 6
ArchiveMaxFiles 800
ArchiveMaxCompressionRatio 300
ArchiveLimitMemoryUsage
ArchiveBlockEncrypted
ArchiveBlockMax

# TCP port address.
# Default: disabled
# TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: disabled
# TCPAddr 127.0.0.1

and this is my /etc/freshclam.conf
Code:
# UpdateLogFile /var/log/clamav/freshclam.log
# LogSyslog
DatabaseDirectory /var/clamav
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner amavis
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.nl.clamav.net
DatabaseMirror db.local.clamav.net
DatabaseMirror db.gr.clamav.net
NotifyClamd
Checks 6

as you can see I just disabled logging of updates entirely,
and checks are a little less paranoid.

You need to
chown -R amavis:clamav /var/run/clamav
as well.

I'm also using postfix as MTA.

There's a good clamav FAQ/wiki here:
http://wiki.clamav.net/index.php/Fre...AskedQuestions
  #4  
Old 3rd March 2005, 10:35 AM
dmode Offline
Registered User
 
Join Date: Jan 2005
Location: vega
Posts: 145
How can we introduce spamassassin to all this?
  #5  
Old 4th March 2005, 10:30 AM
be1993 Offline
Registered User
 
Join Date: Nov 2004
Location: Athens, Greece
Posts: 6
Good question, dmode.
As far as I know Amavis takes care of this.
I used to have the spamassassin daemon running but no more.
Amavis writes the hits anyway, plus I have some anti-UCE controls for postfix.
But to be honest I never really understood how amavis works with spamassassin.
  #6  
Old 4th March 2005, 06:09 PM
DoorGunner Offline
Registered User
 
Join Date: Jan 2005
Age: 51
Posts: 91
Hi

I cannot get past this section: Open /etc/amavis.conf

There is no open command... and when I try gedit it opens as a blank page.

I did a search and the only amavis.config file I have is located at /etc/log.d/conf/services and it doesn't have anything remotely like what you have.

What is happening?
  #7  
Old 9th March 2005, 08:20 AM
be1993 Offline
Registered User
 
Join Date: Nov 2004
Location: Athens, Greece
Posts: 6
amavis.conf is located at /etc.
If you don't have it maybe you have to reinstall.
Be sure to open the file as root, since the /etc directory can be written only by root.
I use vi to edit files.
Something like vi /etc/amavis.conf
  #8  
Old 14th March 2005, 02:35 AM
jult Offline
Registered User
 
Join Date: Mar 2004
Location: Amsterdam, The Netherlands
Age: 47
Posts: 58
Lightbulb Mc

Quote:
Originally Posted by DoorGunner
I cannot get past this section: Open /etc/amavis.conf

There is no open command ....and when i try gedit it opens as a blank page

For linux-beginners I can recommend Midnight Commander's internal editor, i.e. mc:

# yum install mc
(?) it is included with fedora, and I think it installs with default install of FC3.

After installing, just type
mc

Then search for the file you want to edit/change and
simply press the F4 key when you're on it.

The internal editor of mc has a nice menu on F9, you'll like it.
F2 stores the changes.
  #9  
Old 14th March 2005, 02:46 AM
jult Offline
Registered User
 
Join Date: Mar 2004
Location: Amsterdam, The Netherlands
Age: 47
Posts: 58
Post Postfix without Spamassassin

Quote:
Originally Posted by dmode
How can we introduce spamassassin to all this?

When you use Postfix as your MTA (recommended over the use of sendmail)
you might want to consider doing a simple thing such as this:

from the bottom of my /etc/postfix/main.cf :
Code:
# smtp_skip_4xx_greeting = yes
smtp_destination_recipient_limit = 27
smtp_connect_timeout = 45s
smtp_destination_concurrency_limit = 8
smtpd_recipient_limit = 100
empty_address_recipient = admin
maximal_backoff_time= 2000s
body_checks_size_limit = 102400
header_size_limit = 102400
mailbox_size_limit = 351200000
message_size_limit = 80240000

strict_rfc821_envelopes = yes
content_filter = smtp-amavis:[localhost]:10024

smtpd_recipient_restrictions = permit_mynetworks,
   reject_invalid_hostname,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   reject_unauth_pipelining,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   reject_rhsbl_client blackhole.securitysage.com,
   reject_rhsbl_sender blackhole.securitysage.com,
   reject_rbl_client hosts.rbl.zonnet.net,
   reject_rbl_client dul.dnsbl.sorbs.net,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   permit

# permit_sasl_authenticated,
# reject_rbl_client pl.countries.nerd.dk,

smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining, permit
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, permit

# smtpd_sasl_auth_enable = yes
# smtpd_sasl_local_domain = $myhostname
# smtpd_sasl_security_options = noanonymous

You can add/change block-lists to that reject_rbl_client list. In many cases this makes the use of spamassassin close to overkill. Especially considering the effort and time you'll have to put into using and maintaining the cpu-monster that is spamassassin.

If you use postfix like this, make sure your dns-resolver is a really fast one, preferably some ISP's DNS, and your firewall (if you use one) is not set too trigger-happy for DoS-attacks, 'cause it could consider this type of DNS traffic unusual when you receive a lot of mail ;-)

Last edited by jult; 28th October 2006 at 01:46 PM. Reason: Updated conf files a little (okt 2006)
  #10  
Old 22nd March 2005, 11:10 PM
DoorGunner Offline
Registered User
 
Join Date: Jan 2005
Age: 51
Posts: 91
Hello again

sorry i had to give up puttering with this for a bit.....

I found out why I couldn't find /etc/amavis.conf. It was actually /etc/amavisd.conf, amavis with a "d".

so i made my way down to the restart portion and got this result

[john@localhost ~]$ su
Password:
[root@localhost john]# /sbin/service clamd restart
Stopping Clam AntiVirus Daemon: [FAILED]
Starting Clam AntiVirus Daemon: [ OK ]
[root@localhost john]# /sbin/service amavisd restart
Shutting down Mail Virus Scanner (amavisd): [ OK ]
Starting Mail Virus Scanner (amavisd): [ OK ]
[root@localhost john]#

I also get an argument on start up as well ....it states the following:
Clamav Milter Daemon: clamav-milter: socket-addr (local: /var/clamav/clmilter.socket) does not agree with sendmail.cf

I am going to assume for now that I didn't need clam-milter (it wasn't listed in the above requirements). I assume amavis is handling this send check unless anyone thinks this is a false assumption.

The next question is: how do I know if I got everything installed correctly? I see no indication of an icon or interface of any sort. Does this clam and amavis just work silently in the background?

Last edited by DoorGunner; 23rd March 2005 at 04:25 AM.
  #11  
Old 23rd March 2005, 10:01 AM
jult Offline
Registered User
 
Join Date: Mar 2004
Location: Amsterdam, The Netherlands
Age: 47
Posts: 58
Lightbulb

Quote:
Originally Posted by DoorGunner
The next question is: how do I know if I got everything installed correctly? I see no indication of an icon or interface of any sort. Does this clam and amavis just work silently in the background?

Just check out all the log-files under /var/log
They are a world of information. ;-)
  #12  
Old 23rd March 2005, 06:43 PM
DoorGunner Offline
Registered User
 
Join Date: Jan 2005
Age: 51
Posts: 91
I think i may have misunderstood how to " Enable LocalSocket /var/run/clamav/clamd.sock "

I am getting an error in my clamav and fresh clam log that states
ERROR: Socket file /var/run/clamav/clamd.sock could not be bound: Permission Denied

When i am going to /var/run/clamav i do not see a clamd.sock file ....as a matter of fact the folder is empty.

Did i miss something? What do i need to do to fix this?

Last edited by DoorGunner; 24th March 2005 at 01:35 AM.
  #13  
Old 24th March 2005, 06:44 AM
DoorGunner Offline
Registered User
 
Join Date: Jan 2005
Age: 51
Posts: 91
Talking

I figured it out... after a bit of careful reading I spotted this in one of your previous posts, jult:

chown -R amavis:clamav /var/run/clamav

All the checks on the eicar site work fine and freshclam works as well as the logs etc.

In addition to your instructions I added /var/log/clamav/freshclam.log and /var/log/clamav/clamd.log to the Applications > System Tools > System Log program for easy access.

THANKS jult and be 1993 For all your help and a great set of instructions
Reply With Quote
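
The mismatches worked through in posts #1, #2 and #12-#13 (amavisd pointing at the wrong socket path, and directories not owned by the account named in `User`) can be checked in one pass. The script below is an added example, not code from any poster; `audit_clamd`, `make_sample` and the `ROOT` prefix argument are hypothetical names, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files are constructed.

# conf_value FILE KEY: value of the first uncommented "KEY value" directive.
conf_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# owner_of PATH: owning user as shown by ls; empty if PATH does not exist.
owner_of() { ls -ld "$1" 2>/dev/null | awk '{ print $3 }'; }

# audit_clamd ROOT: ROOT is a filesystem prefix ("" on a live host).
# Prints one line per finding and returns the number of findings.
audit_clamd() {
    root=$1; conf=$root/etc/clamd.conf; n=0
    user=$(conf_value "$conf" User)
    sock=$(conf_value "$conf" LocalSocket)
    dbowner=$(conf_value "$root/etc/freshclam.conf" DatabaseOwner)
    # freshclam must write the database as the account clamd runs as.
    [ "$dbowner" = "$user" ] ||
        { echo "DatabaseOwner '$dbowner' differs from User '$user'"; n=$((n + 1)); }
    # amavisd must name the exact socket path; the closing quote stops
    # "/var/run/clamav/clamd" from matching "/var/run/clamav/clamd.sock".
    awk -v s="\"$sock\"" '!/^[ \t]*#/ && index($0, s) { f = 1 } END { exit !f }' \
        "$root/etc/amavisd.conf" ||
        { echo "amavisd.conf does not reference LocalSocket $sock"; n=$((n + 1)); }
    # clamd creates its socket, database and log files as $user.
    for d in "$(dirname "$sock")" "$(conf_value "$conf" DatabaseDirectory)" \
             "$(dirname "$(conf_value "$conf" LogFile)")"; do
        o=$(owner_of "$root$d")
        [ "$o" = "$user" ] ||
            { echo "$d is owned by '${o:-missing}', clamd runs as '$user'"; n=$((n + 1)); }
    done
    return "$n"
}

# make_sample ROOT USER AMAVIS_SOCKET: write a constructed config tree.
make_sample() {
    mkdir -p "$1/etc" "$1/var/run/clamav" "$1/var/clamav" "$1/var/log/clamav"
    printf '%s\n' '#TCPSocket 3310' "User $2" 'LogFile /var/log/clamav/clamd.log' \
        'DatabaseDirectory /var/clamav' 'LocalSocket /var/run/clamav/clamd.sock' \
        > "$1/etc/clamd.conf"
    printf '%s\n' 'DatabaseDirectory /var/clamav' "DatabaseOwner $2" \
        > "$1/etc/freshclam.conf"
    printf '%s\n' "['ClamAV-clamd', \\&ask_daemon, [\"CONTSCAN {}\\n\", \"$3\"]," \
        > "$1/etc/amavisd.conf"
}

demo=$(mktemp -d)
make_sample "$demo" amavis /var/run/clamav/clamd   # amavisd still on the old path
audit_clamd "$demo" || echo "findings: $?"
rm -rf "$demo"
```

On a live host, run `audit_clamd ""` as root so the real /etc and /var paths are read.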
  #14  
Old 24th March 2005, 06:21 PM
DoorGunner Offline
Registered User
 
Join Date: Jan 2005
Age: 51
Posts: 91
Have any of you tried to use AVSCAN? This is a gui from wolfpack.

Clamav can only do one file scan at a time. AVScan allows you to program several different ones in succession. I thought it might be interesting to try. However, doing the make it couldn't find the clamd config etc (long list). I am wondering if I have to move the file somewhere like urs. My experience with programs is somewhat limited and there are no real instructions with the avscan.
  #15  
Old 14th April 2005, 11:27 AM
cpt_nemo Offline
Registered User
 
Join Date: Apr 2005
Posts: 1
Question

Question:

I have Postfix and Spamassassin already working.

Now I want to add ClamAV and Amavis.

What I'm missing in the instructions above (Thank you very much for it anyway!) is how it connects to Postfix.

My current entry in master.cf for Spamassassin:

Code:
smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin

[...]

spamassassin unix -     n       n       -       -       pipe
  user=spam argv=/usr/bin/spamc -x -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

I read a little bit through the manuals and I think now I have to do the following - add this to the end of /etc/postfix/master.cf:

Code:
smtp-amavis unix -   -     n   -    2  smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
   -o strict_rfc821_envelopes=yes

Then add this line to /etc/postfix/main.cf:

Code:
content_filter = smtp-amavis:[127.0.0.1]:10024

I'm a little bit confused because you don't mention these steps.

And does this affect the work of SpamAssassin in any way or is it better to connect SpamAssassin with Amavis and not with Postfix - I'm really confused

Can someone explain this to me?
Reply With Quote
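
A consistency check for the content-filter wiring shown in posts #9 and #15, as an added example that is not part of any post: it confirms that the transport named in `content_filter` exists in master.cf, and that the reinjection listener is bound to loopback and clears `content_filter`. The function names `check_filter_wiring` and `write_sample` are hypothetical, the reinjection port 10025 is taken from the master.cf entry quoted in post #15, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files are constructed.

# check_filter_wiring MAIN_CF MASTER_CF REINJECT_PORT
# Prints one line per finding and returns the number of findings.
check_filter_wiring() {
    filter=$(awk -F'[ \t]*=[ \t]*' '$1 == "content_filter" { print $2; exit }' "$1")
    [ -n "$filter" ] || { echo "content_filter is not set in $1"; return 1; }
    awk -v t="${filter%%:*}" -v port="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank
        /^[ \t]/ { body[i] = body[i] " " $0; next }       # continuation line
        { i++; name[i] = $1; type[i] = $2; body[i] = $0 } # new service entry
        END {
            for (j = 1; j <= i; j++) {
                if (name[j] == t && type[j] == "unix") transport = 1
                if (type[j] != "inet") continue
                if (name[j] != port && name[j] !~ (":" port "$")) continue
                listener = 1
                # This listener clears the usual smtpd restrictions, so it
                # should only be reachable from the local host.
                if (name[j] !~ /^(127\.0\.0\.1|localhost):/) {
                    print name[j] " is not bound to loopback"; n++ }
                # Without an empty override, filtered mail re-enters the filter.
                if ((body[j] " ") !~ /-o[ \t]+content_filter=[ \t]/) {
                    print name[j] " does not clear content_filter"; n++ }
            }
            if (!transport) { print "no unix service named " t; n++ }
            if (!listener)  { print "no inet listener on port " port; n++ }
            exit n + 0
        }' "$2"
}

# write_sample DIR: constructed files modelled on the entries quoted above.
write_sample() {
    echo 'content_filter = smtp-amavis:[127.0.0.1]:10024' > "$1/main.cf"
    cat > "$1/master.cf" <<'EOF'
smtp-amavis unix -   -     n   -    2  smtp
    -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n - n - - smtpd
   -o content_filter=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
EOF
    # Broken variant: listener on every interface, filter not cleared.
    printf '%s\n' 'smtp-amavis unix - - n - 2 smtp' '10025 inet n - n - - smtpd' \
        '   -o mynetworks=127.0.0.0/8' > "$1/master-bad.cf"
}

demo=$(mktemp -d); write_sample "$demo"
check_filter_wiring "$demo/main.cf" "$demo/master.cf" 10025 && echo "wiring ok"
check_filter_wiring "$demo/main.cf" "$demo/master-bad.cf" 10025 || echo "findings: $?"
rm -rf "$demo"
```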