|
 |
76a1c6b |
Please note since el7 and Fedora 15 or 19 we use only systemd.
|
|
|
76a1c6b |
upstart and sysv was dropped, this document may still applies to el6.
|
|
|
76a1c6b |
|
|
 |
c382d9b |
A clamav-milter setup consists of the following three components:
|
|
|
93ac5ce |
|
|
|
c382d9b |
* the clamav-milter itself
|
|
|
93ac5ce |
|
|
|
c382d9b |
--> this is provided by the 'clamav-milter' package plus (alternatively)
|
|
|
c382d9b |
'clamav-milter-upstart' or 'clamav-milter-sysvinit'
|
|
|
c382d9b |
|
|
|
c382d9b |
The main configuration is in /etc/mail/clamav-milter.conf and MUST
|
|
|
c382d9b |
be changed before first use.
|
|
|
c382d9b |
|
|
|
c382d9b |
The -sysvinit package is managed by the traditional tools, but
|
|
|
c382d9b |
-upstart requires modification of /etc/event.d/clamav-milter to
|
|
|
c382d9b |
enable automatic startup. See comments there for more details.
|
|
|
c382d9b |
|
|
|
c382d9b |
* a clamav scanner daemon
|
|
|
c382d9b |
|
|
|
c382d9b |
--> this package is called 'clamav-scanner' plus (alternatively)
|
|
|
c382d9b |
'clamav-scanner-upstart' or 'clamav-scanner-sysvinit'
|
|
|
c382d9b |
|
|
|
c382d9b |
The daemon is configured by /etc/clamd.d/scan.conf (which MUST be
|
|
|
c382d9b |
edited before first use).
|
|
|
c382d9b |
|
|
|
c382d9b |
The -sysvinit package is managed by the traditional tools, but
|
|
|
c382d9b |
-upstart requires modification of /etc/event.d/clamd.scan to enable
|
|
|
c382d9b |
automatic startup. See comments there for more details.
|
|
|
c382d9b |
|
|
|
31617f2 |
* the MTA (sendmail/postfix)
|
|
|
c382d9b |
|
|
|
c382d9b |
--> you should know how to install this...
|
|
|
c382d9b |
|
|
|
c382d9b |
When communicating across unix sockets with the clamav-milter, it is
|
|
|
14a7b57 |
suggested to use the /var/run/clamav-milter/clamav-milter.socket
|
|
|
14a7b57 |
path. You have to add something like
|
|
|
c382d9b |
|
|
|
14a7b57 |
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter/clamav-milter.socket, F=, T=S:4m;R:4m')dnl
|
|
|
c382d9b |
|
|
|
c382d9b |
to your sendmail.mc.
|
|
|
c382d9b |
|
|
|
c382d9b |
|
|
|
c382d9b |
|
|
|
c382d9b |
It is suggested that components communicate through TCP sockets as
|
|
|
c382d9b |
this eases setup. Please add corresponding packet filter rules!
|
|
|
14a7b57 |
|
|
|
14a7b57 |
|
|
|
14a7b57 |
EXAMPLE
|
|
|
14a7b57 |
=======
|
|
|
14a7b57 |
|
|
|
14a7b57 |
For clamav-milter, a possible setup might be created by
|
|
|
14a7b57 |
|
|
|
14a7b57 |
A) On the MTA (assumed hostname 'host-mta')
|
|
|
14a7b57 |
|
|
|
14a7b57 |
1. Add to sendmail.mc
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| INPUT_MAIL_FILTER(`clamav', `S=inet:6666@host-milter, F=, T=S:4m;R:4m')dnl
|
|
|
14a7b57 |
|
|
|
14a7b57 |
2. Rebuild sendmail.cf
|
|
|
14a7b57 |
|
|
|
14a7b57 |
|
|
|
14a7b57 |
B) On the clamav-milter host (assumed hostname 'host-milter')
|
|
|
14a7b57 |
|
|
|
14a7b57 |
1. Install clamav-milter + clamav-milter-upstart packages
|
|
|
14a7b57 |
|
|
|
14a7b57 |
2. Set in /etc/mail/clamav-milter.conf
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| MilterSocket inet:6666
|
|
|
14a7b57 |
| ClamdSocket tcp:host-scanner:6665
|
|
|
14a7b57 |
|
|
|
14a7b57 |
and all the other options which are required on your system
|
|
|
14a7b57 |
|
|
|
5fe351d |
3. Edit /etc/event.d/clamav-milter and uncomment the
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| start on starting local
|
|
|
14a7b57 |
|
|
|
5fe351d |
line. Restart your system or execute
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| initctl emit starting local
|
|
|
14a7b57 |
|
|
|
14a7b57 |
4. Add something like
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| iptables -N IN-cmilt
|
|
|
14a7b57 |
| iptables -A IN-cmilt -s host-mta -j ACCEPT
|
|
|
14a7b57 |
| iptables -A IN-cmilt -j DROP
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| iptables -A INPUT -p tcp --dport 6666 -j IN-cmilt
|
|
|
14a7b57 |
|
|
|
14a7b57 |
to your firewall setup
|
|
|
14a7b57 |
|
|
|
14a7b57 |
C) On the clamav-scanner host (assumed hostname 'host-scanner')
|
|
|
14a7b57 |
|
|
|
14a7b57 |
1. Install clamav-scanner + clamav-scanner-upstart packages
|
|
|
14a7b57 |
|
|
|
14a7b57 |
2. Add to /etc/clamd.d/scan.conf
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| TCPSocket 6665
|
|
|
14a7b57 |
| TCPAddr host-scanner
|
|
|
14a7b57 |
|
|
|
14a7b57 |
comment out possible 'LocalSocket' lines and set all the other
|
|
|
14a7b57 |
options which are required on your system
|
|
|
14a7b57 |
|
|
|
5fe351d |
3. Edit /etc/event.d/clamav-scanner and uncomment the
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| start on starting local
|
|
|
14a7b57 |
|
|
|
5fe351d |
line. Restart your system or execute
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| initctl emit starting local
|
|
|
14a7b57 |
|
|
|
14a7b57 |
4. Add something like
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| iptables -N IN-cscan
|
|
|
14a7b57 |
| iptables -A IN-cscan -s host-milter -j ACCEPT
|
|
|
14a7b57 |
| iptables -A IN-cscan -j DROP
|
|
|
14a7b57 |
|
|
|
14a7b57 |
| iptables -A INPUT -p tcp --dport 6665 -j IN-csan
|
|
|
14a7b57 |
|
|
|
14a7b57 |
to your firewall setup
|