Postfix and Clam AV
It's been a while since we've posted something, and a lot of stuff has piled up. In this day and age of MS Exchange and cloud hosting, there are still instances when you'd like to run your own email server. Postfix being the popular choice, we present here simple steps to enable ClamAV to scan your incoming emails (Ubuntu is used as the example in this case).
First, a short description of the steps that the mail will take:
Incoming mail → 25:postfix → 10026:clamav → 10025:postfix → Delivery to user
Installation steps are as follows:
1) Download and install ClamAV:
apt-get install clamsmtp clamav-freshclam
2) Next edit the /etc/clamsmtpd.conf file to make some changes:
OutAddress: 10026
Listen: 0.0.0.0:10025
Make sure you change the ports above, because originally they are flipped. If you don't, you'll get the following error:
postfix/master[13836]: fatal: bind 127.0.0.1 port 10026: Address already in use
3) Edit /etc/postfix/main.cf to add the following:
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings
4) Edit /etc/postfix/master.cf and add the following:
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
5) Restart postfix, clamav-daemon and clamsmtp
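The port wiring from steps 2 to 4 can be checked before restarting. The script below is an added example, not part of the original post: it confirms that content_filter points at clamsmtpd's Listen port and that OutAddress has a matching smtpd listener in master.cf, and warns when Listen is not bound to loopback. Function names are hypothetical, and the demo input is constructed.

```shell
# Added example, not from the original post. Function names are hypothetical.
# One part of a clamsmtpd.conf address: $1 = file, $2 = Listen|OutAddress, $3 = port|host
clamsmtp_addr() {
    awk -v k="$2:" -v want="$3" '
        $1 == k { n = split($2, a, ":"); port = a[n]
                  host = (n > 1) ? substr($2, 1, length($2) - length(port) - 1) : "" }
        END { print ((want == "port") ? port : host) }' "$1"
}

# Port of "content_filter = transport:host:port": $1 = main.cf
postfix_filter_port() {
    sed -n 's/^content_filter[[:space:]]*=.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Succeeds if master.cf ($1) has an inet smtpd listener on port $2
postfix_has_reinject() {
    awk -v p="$2" '
        $1 !~ /^#/ && $2 == "inet" && $NF == "smtpd" {
            n = split($1, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }' "$1"
}

# $1 = clamsmtpd.conf, $2 = main.cf, $3 = master.cf; returns 1 on a port mismatch
check_filter_wiring() {
    rc=0
    listen=$(clamsmtp_addr "$1" Listen port); out=$(clamsmtp_addr "$1" OutAddress port)
    host=$(clamsmtp_addr "$1" Listen host); filter=$(postfix_filter_port "$2")
    if [ -z "$filter" ] || [ "$filter" != "$listen" ]; then
        echo "MISMATCH: content_filter port '$filter', clamsmtpd Listen port '$listen'"; rc=1
    fi
    if [ -z "$out" ] || ! postfix_has_reinject "$3" "$out"; then
        echo "MISMATCH: no smtpd listener in master.cf on OutAddress port '$out'"; rc=1
    fi
    case "$host" in
        127.*|localhost) ;;
        *) echo "WARN: clamsmtpd Listen host '$host' is not a loopback address" ;;
    esac
    return $rc
}

# Constructed input: step 2's ports swapped back, against the Postfix lines from steps 3 and 4
demo() {
    d=$(mktemp -d)
    printf 'OutAddress: 10025\nListen: 127.0.0.1:10026\n' > "$d/clamsmtpd.conf"
    printf 'content_filter = scan:127.0.0.1:10025\n' > "$d/main.cf"
    printf '127.0.0.1:10026 inet n - n - 16 smtpd\n' > "$d/master.cf"
    check_filter_wiring "$d/clamsmtpd.conf" "$d/main.cf" "$d/master.cf" && s=0 || s=1
    rm -rf "$d"; return $s
}
demo || echo "demo: mismatch reported, as expected for the constructed input"
```

On a real host, call check_filter_wiring /etc/clamsmtpd.conf /etc/postfix/main.cf /etc/postfix/master.cf. With the settings from step 2 the ports match, and the Listen: 0.0.0.0:10025 line triggers the loopback warning.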
Looking through another installation, it seems the clam /var/run directories are not symlinks to /run and I must have previously updated my configuration to use /run/ directories. As long as the paths match accordingly with correct ownership and permissions, they will work. However, I have updated the comment below to use only the default settings. Moderators, kindly remove the previous Postfix Clamsmtp smtp_bind_address posts and use the comment below, again I apologize.
In order to send emails through Postfix outside of localhost, my configuration required setting the Postfix smtp_bind_address to the server's private IP. The setting was required for both Ubuntu 17.04 and CentOS 7 servers.
Clamsmtp Postfix settings likewise had to be set to the smtp_bind_address, as 127.0.0.1 created 'transport unavailable' errors.
The comments by Jeff Roberson were applicable as well.
Ubuntu settings as follows:
clamsmtp.conf was set with clamav as the user; and owner permissions were changed from clamsmtp to clamav for the following directories/files:
ClamAddress: /var/run/clamav/clamd.ctl
TempDirectory: /var/spool/clamsmtp
PidFile: /var/run/clamsmtp/clamsmtpd.pid
(I read elsewhere that ownership permissions could also be resolved by adding user clamsmtp to the clamav group.)
Local Socket files had to match:
clamsmtp.conf - ClamAddress: /var/run/clamav/clamd.ctl
clamd.conf - LocalSocket /var/run/clamav/clamd.ctl
/etc/clamsmtp.conf
OutAddress: 10026
Listen: 0.0.0.0:10025
ClamAddress: /var/run/clamav/clamd.ctl
TempDirectory: /var/spool/clamsmtp
PidFile: /var/run/clamsmtp/clamsmtpd.pid
User: clamav
/etc/clamav/clamd.conf:
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
User clamav
Postfix
main.cf:
(Network Setting with server's private IP)
smtp_bind_address=xxx.xxx.x.xx
(clamsmtp Settings with server's private IP)
content_filter = scan:xxx.xxx.x.xx:10025
receive_override_options = no_address_mappings
master.cf:
(clamsmtp Settings with server's private IP)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
xxx.xxx.x.xx:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
Start or Restart postfix, clamav-daemon (clamd), clamsmtp as root:
systemctl restart postfix clamav-daemon clamsmtp
Check status, all should be Active:
systemctl status postfix clamav-daemon clamsmtp
FYI, the comment preview does not appear to work.
Thank you for the helpful tutorial!
Kim Keown
Local Socket files had to match:
clamsmtp.conf - ClamAddress: /var/run/clamav/clamd.ctl
clamd.conf - LocalSocket /run/clamav/clamd.ctl
/var/run/clamav/clamd.ctl is a symlink;
can omit symlink and chmod ownership to clamav:
clamsmtp.conf - ClamAddress: /run/clamav/clamd.ctl
clamd.conf - LocalSocket /run/clamav/clamd.ctl
or use the default symlinks:
clamsmtp.conf - ClamAddress: /var/run/clamav/clamd.ctl
clamd.conf - LocalSocket /var/run/clamav/clamd.ctl
clamsmtp.conf
ClamAddress: /var/run/clamav/clamd.ctl
Is a symlink. Can use the default or /run/clamav/clamd.ctl
Clamsmtp Postfix settings likewise had to be set to the smtp_bind_address, as 127.0.0.1 created 'transport unavailable' errors.
The comments by Jeff Roberson were applicable as well.
Ubuntu settings as follows:
clamsmtp.conf was set with clamav as the user; and owner permissions were changed from clamsmtp to clamav for the following directories/files:
ClamAddress: /var/run/clamav/clamd.ctl
TempDirectory: /var/spool/clamsmtp
PidFile: /var/run/clamsmtp/clamsmtpd.pid
(I read elsewhere that ownership permissions could also be resolved by adding user clamsmtp to the clamav group.)
Local Socket files had to match:
clamsmtp.conf - ClamAddress: /var/run/clamav/clamd.ctl
clamd.conf - LocalSocket /run/clamav/clamd.ctl
/etc/clamsmtp.conf
OutAddress: 10026
Listen: 0.0.0.0:10025
ClamAddress: /var/run/clamav/clamd.ctl
TempDirectory: /var/spool/clamsmtp
PidFile: /var/run/clamsmtp/clamsmtpd.pid
(symlink in Ubuntu, PidFile could be changed to /run/clamsmtp/clamsmtpd.pid)
User: clamav
/etc/clamav/clamd.conf:
LocalSocket /var/run/clamav/clamd.ctl
(symlink in Ubuntu, LocalSocket could be changed to /run/clamsmtp/clamsmtpd.pid)
FixStaleSocket true
LocalSocketGroup clamav
User clamav
Postfix
main.cf:
(Network Setting with server's private IP)
smtp_bind_address=xxx.xxx.x.xx
(clamsmtp Settings with server's private IP)
content_filter = scan:xxx.xxx.x.xx:10025
receive_override_options = no_address_mappings
master.cf:
(clamsmtp Settings with server's private IP)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
xxx.xxx.x.xx:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
Start or Restart postfix, clamav-daemon (clamd), clamsmtp as root:
systemctl restart postfix clamav-daemon clamsmtp
Check status, all should be Active:
systemctl status postfix clamav-daemon clamsmtp
Is there a way to make it NOT scan outbound?