Installing a mailserver on Debian 8/9 – Part 7: Antivirus: clamav

Tech

How to install a complete mailserver on Debian 8/9, featuring Postfix, Dovecot, MySQL, Spamassassin, ClamAV, Roundcube and Fail2ban.

~ the howto that actually works ~

Part 1: Introduction
Part 2: Preparations: Apache, Let’s Encrypt, MySQL and phpMyAdmin
Part 3: MTA: Postfix
Part 4: IMAP server: Dovecot
Part 5: Web interface: Roundcube
Part 6: Spam filtering: SpamAsasssin
Part 7: Antivirus: ClamAV and ClamSMTP
Part 8: Quota and other Roundcube settings
Part 9: Using mail with a remote IMAP client (i.e. Thunderbird)
Part 10: Counter brute-force attacks with Fail2ban
Part 11: Sources, config files, colouring and comments

On this page

Installing
Automatically updating ClamAV
Testing the virus filter

Comments are on the last page.

On this page
On this page

Installing

ClamAV is a open source antivirus tool. It comes with Freshclam, which handles definition updates. Clamsmtp is the part that allows Clam to scan smtp traffic.

Installation:

# aptitude install clamav-daemon clamav clamsmtp

The clamsmtp manfile suggests the following. Change the clamsmtp folders ownership to clamav:

# chown -R clamav:clamav /var/spool/clamsmtp/
# chown -R clamav:clamav /var/run/clamsmtp/

in /etc/clamsmtpd.conf:

User: clamav

Restart the service:

# service clamsmtp restart

In /etc/postfix/main.cf we need to tell Postfix about the virus scanner. Add these lines:

# Virusscanner
content_filter = scan:127.0.0.1:10026
receive_override_options = no_address_mappings

in /etc/postfix/master.cf add:

# Antivirus
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes

# For injecting mail back into postfix from the filter
127.0.0.1:10025 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

More info: http://thewalter.net/stef/software/clamsmtp/postfix.html

As always make sure that the lines starting with -o begin with one or more whitespaces.

# postfix reload

Start ClamAV:

# service clamav-daemon start

Automatically updating ClamAV

ClamAV will update automatically. Initially you should keep an eye on /var/log/clamav/freshclam.log for errors.

In /etc/clamav/freshclam.conf change

DatabaseMirror db.local.clamav.net

to

DatabaseMirror db.XX.clamav.net

Restart ClamAV:

# service clamav-daemon start

Change XX to your country code (NL for The Netherlands, BE for Belgium, and so on). I vaguely remember that if you get this value right you are allowed to poll for updates every 15 minutes instead of 60 but I’m not sure ClamAV still do that.

Testing the virus filter

Testing antivirus is not easy. It is, in a sense, because you can just send the EICAR test virus to your server, only you can’t because no mailserver will allow you to send it. Even if you found one you can’t save the EICAR file locally because your local antivirus will delete the file. There are webservices that send EICAR files to your address but most are obsolete.

We’ll send an EICAR test virus from within our server using Mutt. Mutt is a versatile but lightweight e-mail client installed by default on Debian 8.

Do

# tail -f /var/log/mail.log | grep -i clam

and

# tail -f /var/log/clamav/clamav.log

to keep an eye on Clam’s activities, especially regarding the EICAR test file.

Fire up a new SSH session into your server and this time don’t su to root.
Download the EICAR test file:

$ wget http://www.eicar.org/download/eicar.com

Start Mutt:

$ mutt

Mutt will ask you if you want to create a spool file. That’s ok. In Mutt press m to start a new mail.
To: tinus@example.com
Subject: 01 – test
Now the Nano text editor is started. Type something in the body of the mail; it doesn’t matter what. Press Ctrl + X to stop editing.
Press Y to save the mail
Press Enter to confirm the filename.
Press y to send the mail. Mutt should now say the mail was sent.

/var/log/clamav/clamav.log should show no new entries and /var/log/mail.log | grep -i clam should show “from=vorkbaard@example.com, to=tinus@example.com, status=CLEAN”

Verify you have received the mail in Roundcube. Then start over: in Mutt, press m to start a new mail.
To: tinus@example.com
Subject: 02 – test
Type something in the body.
Ctrl + X to stop editing
Y to save
Enter to confirm the filename
Press a to add an attachment
type: eicar.com and press Enter (if the file wasn’t found use an absolute path).
eicar.com is now added as attachment
Press y to send the mail. Mutt should confirm the mail was sent.

EICAR is noted in the log files.
EICAR is noted in the log files.

/var/log/clamav/clamav.log should log something like

Tue Mar 22 15:27:47 2016 -> /var/spool/clamsmtp/clamsmtpd.N3lkUG: Eicar-Test-Signature(c88982d8fd9fe8013389c4f801a237b6:851) FOUND

and /var/log/mail.log | grep -i clam should show:

from=vorkbaard@example.com, to=tinus@example.com, status=VIRUS:Eicar-Test-Signature