How to install a complete mailserver on Debian 8/9, featuring Postfix, Dovecot, MySQL, Spamassassin, ClamAV, Roundcube and Fail2ban.
~ the howto that actually works ~

Installing
ClamAV is an open source antivirus tool. It comes with Freshclam, which handles definition updates. Clamsmtp is the part that allows ClamAV to scan SMTP traffic.
Installation:
[code]
# aptitude install clamav-daemon clamav clamsmtp
[/code]
The clamsmtp man page suggests the following: change the ownership of the clamsmtp folders to clamav:
[code]
# chown -R clamav:clamav /var/spool/clamsmtp/
# chown -R clamav:clamav /var/run/clamsmtp/
[/code]
In /etc/clamsmtpd.conf, set:
[code]
User: clamav
[/code]
Restart the service:
[code]
# service clamsmtp restart
[/code]
In /etc/postfix/main.cf we need to tell Postfix about the virus scanner. Add these lines:
[code]
# Virusscanner
content_filter = scan:127.0.0.1:10026
receive_override_options = no_address_mappings
[/code]
In /etc/postfix/master.cf add:
[code]
# Antivirus
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10025 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
[/code]
More info: http://thewalter.net/stef/software/clamsmtp/postfix.html
As always, make sure that the lines starting with -o begin with one or more whitespace characters. Then reload Postfix:
[code]
# postfix reload
[/code]
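The re-injection listener on port 10025 accepts mail with the content filter switched off, so it has to stay bound to 127.0.0.1, and a stanza pasted from a web page easily picks up typographic dashes or loses the indentation of its -o lines. The lint below checks for those mistakes before a reload; it is an added example, not part of the original howto, and the function names and the sample input are constructed.

```sh
#!/bin/sh
# Lint master.cf text (stdin or file arguments) for the clamsmtp stanza.
# Prints one finding per line and returns non-zero if there are any.
lint_master_cf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    index($0, "–") || index($0, "—") {         # dashes mangled by a web page
        printf "line %d: typographic dash, use ASCII -\n", NR; bad = 1
    }
    /^-o/ {                                    # would be read as a new service
        printf "line %d: -o must be indented\n", NR; bad = 1; next
    }
    /^[^ \t]/ {                                # start of a service entry
        reinject = ($1 ~ /(^|:)10025$/ && $2 == "inet")
        if (reinject) {
            seen = 1
            # The page binds the listener to 127.0.0.1; anything else is flagged.
            if ($1 !~ /^127\.0\.0\.1:/) {
                printf "line %d: %s is not loopback-only\n", NR, $1; bad = 1
            }
        }
        next
    }
    reinject && $1 == "-o" && $2 == "content_filter=" { unfiltered = 1 }
    END {
        if (!seen) { print "no inet listener on port 10025"; bad = 1 }
        if (seen && !unfiltered) {
            print "port 10025 lacks -o content_filter= (mail would loop)"; bad = 1
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample: the stanza as a careless paste would leave it.
sample_bad() {
    printf '%s\n' \
        '# Antivirus' \
        'scan unix – – n – 16 smtp' \
        '-o smtp_send_xforward_command=yes' \
        '0.0.0.0:10025 inet n - n - 16 smtpd' \
        '  -o smtpd_recipient_restrictions=permit_mynetworks,reject'
}

sample_bad | lint_master_cf || true
```

On the server, run it as `lint_master_cf /etc/postfix/master.cf`; no output and exit status 0 means the stanza passed these checks.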
Start ClamAV:
[code]
# service clamav-daemon start
[/code]
Automatically updating ClamAV
ClamAV will update automatically. Initially you should keep an eye on /var/log/clamav/freshclam.log for errors.
In /etc/clamav/freshclam.conf change
[code]
DatabaseMirror db.local.clamav.net
[/code]
to
[code]
DatabaseMirror db.XX.clamav.net
[/code]
Restart ClamAV:
[code]
# service clamav-daemon restart
[/code]
Change XX to your country code (NL for The Netherlands, BE for Belgium, and so on). I vaguely remember that if you get this value right you are allowed to poll for updates every 15 minutes instead of 60 but I’m not sure ClamAV still do that.
Testing the virus filter
Testing antivirus is not easy. In principle you can just send the EICAR test virus to your server, but in practice no mailserver will allow you to send it. Even if you found one, you can’t save the EICAR file locally because your local antivirus will delete the file. There are webservices that send EICAR files to your address, but most are obsolete.
We’ll send an EICAR test virus from within our server using Mutt. Mutt is a versatile but lightweight e-mail client installed by default on Debian 8.
Run
[code]
# tail -f /var/log/mail.log | grep -i clam
[/code]
and
[code]
# tail -f /var/log/clamav/clamav.log
[/code]
to keep an eye on Clam’s activities, especially regarding the EICAR test file.
Fire up a new SSH session into your server and this time don’t su to root.
Download the EICAR test file:
[code]
$ wget http://www.eicar.org/download/eicar.com
[/code]
Start Mutt:
[code]
$ mutt
[/code]
Mutt will ask you if you want to create a spool file. That’s ok. In Mutt press m to start a new mail.
To: tinus@example.com
Subject: 01 – test
Now the Nano text editor is started. Type something in the body of the mail; it doesn’t matter what. Press Ctrl + X to stop editing.
Press Y to save the mail
Press Enter to confirm the filename.
Press y to send the mail. Mutt should now say the mail was sent.
/var/log/clamav/clamav.log should show no new entries, and the tail of /var/log/mail.log filtered through grep -i clam should show “from=vorkbaard@example.com, to=tinus@example.com, status=CLEAN”.
Verify you have received the mail in Roundcube. Then start over: in Mutt, press m to start a new mail.
To: tinus@example.com
Subject: 02 – test
Type something in the body.
Ctrl + X to stop editing
Y to save
Enter to confirm the filename
Press a to add an attachment
Type eicar.com and press Enter (if the file wasn’t found, use an absolute path).
eicar.com is now added as attachment
Press y to send the mail. Mutt should confirm the mail was sent.

/var/log/clamav/clamav.log should log something like
[code]
Tue Mar 22 15:27:47 2016 -> /var/spool/clamsmtp/clamsmtpd.N3lkUG: Eicar-Test-Signature(c88982d8fd9fe8013389c4f801a237b6:851) FOUND
[/code]
and the tail of /var/log/mail.log filtered through grep -i clam should show:
[code]
from=vorkbaard@example.com, to=tinus@example.com, status=VIRUS:Eicar-Test-Signature
[/code]
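The two expected mail.log results above can also be checked by script instead of by eye. This is an added example, not part of the original howto: the function names and the syslog prefix in the sample lines are assumptions, and only the from=/to=/status= fields follow the lines shown on this page.

```sh
#!/bin/sh
# Extract clamsmtp verdicts from mail.log lines (stdin or file arguments).
# Output: status<TAB>sender<TAB>recipient, one line per scanned message.
clamsmtp_verdicts() {
    awk '
    tolower($0) ~ /clam/ && /from=/ && /status=/ {   # same filter as grep -i clam
        from = to = status = ""
        n = split($0, kv, /, */)
        for (i = 1; i <= n; i++) {
            if (match(kv[i], /from=/))    from   = substr(kv[i], RSTART + 5)
            if (match(kv[i], /^to=/))     to     = substr(kv[i], 4)
            if (match(kv[i], /^status=/)) status = substr(kv[i], 8)
        }
        print status "\t" from "\t" to
    }' "$@"
}

# Succeeds only if RCPT received one CLEAN and one EICAR verdict,
# i.e. both test mails (01 and 02) were scanned with the expected result.
eicar_test_passed() {   # usage: eicar_test_passed RCPT < mail.log
    clamsmtp_verdicts | awk -F '\t' -v rcpt="$1" '
        $3 == rcpt && $1 == "CLEAN"                      { clean = 1 }
        $3 == rcpt && $1 == "VIRUS:Eicar-Test-Signature" { hit = 1 }
        END { exit !(clean && hit) }'
}

# Constructed sample lines; the timestamps, host name and ids are made up.
sample_log() {
    cat <<'EOF'
Mar 22 15:26:10 mail clamsmtpd: 100001: from=vorkbaard@example.com, to=tinus@example.com, status=CLEAN
Mar 22 15:27:47 mail clamsmtpd: 100002: from=vorkbaard@example.com, to=tinus@example.com, status=VIRUS:Eicar-Test-Signature
Mar 22 15:27:48 mail postfix/smtp[2101]: 4F1A2: to=<tinus@example.com>, relay=127.0.0.1[127.0.0.1]:10026, status=sent
EOF
}

sample_log | clamsmtp_verdicts
```

On the server, `eicar_test_passed tinus@example.com < /var/log/mail.log` returns 0 once both test mails have been processed.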