Introduction
In this article, you will learn how to configure ClamAV (anti-virus) to scan incoming mail for viruses in Plesk on CentOS 7. This standard setup will help you to protect your emails against spam and viruses.
Prerequisites
- A VPS, Budget Dedicated Server or Dedicated Server running Plesk Obsidian control panel on CentOS 7.
- SSH root access to the server
Step 1: Log in with SSH
Before you start, you need to be logged in via SSH as root or as a user with sudo rights. If you do not know how to connect with SSH, then you can read this article.
Step 2: Install EPEL repo
ClamAV is installed from the EPEL repo, so enable it first:
yum -y install epel-release
Step 3: Install ClamAV and utilities
yum -y install clamav clamd clamav-milter
Step 4: Enable freshclam to update virus definitions automatically
systemctl enable clamav-freshclam
systemctl start clamav-freshclam
Step 5: Configure clamd
Clamd is the daemon that actually scans for viruses. In our example clamd is called by clamav-milter over a local Unix socket, so we enable that socket, log to the mail facility, and turn on archive scanning and the alerts for encrypted or broken content:
sed -i "s|^#LogFacility LOG_MAIL|LogFacility LOG_MAIL|g" /etc/clamd.d/scan.conf
sed -i "s|^#LocalSocket\s.*|LocalSocket /run/clamd.scan/clamd.sock|g" /etc/clamd.d/scan.conf
sed -i "s|^#ScanArchive yes|ScanArchive yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertEncrypted yes|AlertEncrypted yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertEncryptedArchive yes|AlertEncryptedArchive yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertEncryptedDoc yes|AlertEncryptedDoc yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertBrokenExecutables yes|AlertBrokenExecutables yes|g" /etc/clamd.d/scan.conf
Step 6: Enable clamd
systemctl enable clamd@scan
systemctl start clamd@scan
Step 7: Configure clamav-milter
We now change the clamav-milter configuration: disable the Example line, tell clamav-milter how to connect to clamd (the Unix socket from Step 5), let it listen on port 3381 on localhost for Postfix, and make it reject infected messages instead of quarantining them.
sed -i "s|^Example|#Example|g" /etc/mail/clamav-milter.conf
sed -i "s|^#ClamdSocket tcp:scanner.mydomain:7357|ClamdSocket unix:/run/clamd.scan/clamd.sock|g" /etc/mail/clamav-milter.conf
sed -i "s|^#AddHeader Replace|AddHeader Replace|g" /etc/mail/clamav-milter.conf
sed -i "s|^#LogFacility LOG_MAIL|LogFacility LOG_MAIL|g" /etc/mail/clamav-milter.conf
sed -i "s|^#MilterSocket inet:7357|MilterSocket inet:3381@localhost|g" /etc/mail/clamav-milter.conf
sed -i "s|^#OnInfected Quarantine|OnInfected Reject|g" /etc/mail/clamav-milter.conf
Step 8: Enable clamav-milter
systemctl enable clamav-milter
systemctl start clamav-milter
Step 9: Verify that clamav-milter is running.
grep clamav-milter /var/log/maillog
Output should be something like:
Aug 28 14:41:41 s1.localhost clamav-milter[124614]: +++ Started at Fri Jun 19 16:43:51 2020
Step 10: Update Postfix main configuration
This is the step where we instruct Postfix to use the clamav-milter on 127.0.0.1:3381, alongside the Plesk milter on port 12768, for mail received via SMTP and for mail submitted locally (non_smtpd_milters). With milter_default_action=accept, mail is still accepted if the milter is unreachable.
postconf -e milter_default_action=accept
postconf -e milter_protocol=6
postconf -e smtpd_milters="inet:127.0.0.1:12768, inet:127.0.0.1:3381"
postconf -e non_smtpd_milters=inet:127.0.0.1:3381
Step 11: Reload postfix
postfix reload
Step 12: Test ClamAV (local)
In this step we test whether messages containing a virus are rejected.
We start by downloading the EICAR test file. This is a harmless file (not an actual virus) that any anti-virus solution should detect as a virus.
cd /tmp
wget https://secure.eicar.org/eicar.com.txt
Next we install mutt for sending a test mail with an attachment:
yum -y install mutt
Next we configure mutt to send from a proper From address, which will also receive the bounce. Don't forget to change the sender address (sender@example.com is a placeholder)!
echo -e 'set from="sender@example.com"' > /root/.muttrc
echo -e 'set use_from=yes' >> /root/.muttrc
echo -e 'set use_envelope_from=yes' >> /root/.muttrc
Next we send an e-mail; make sure you replace the recipient address (recipient@example.com is a placeholder).
echo "This message contains a virus" | mutt -a eicar.com.txt -s "This is a virus" -- recipient@example.com
You should be able to see the bounce in the mail log (replace the sender address with the one you set in .muttrc):
grep "sender@example.com" /var/log/maillog
Output should be something like:
Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: to=<[email protected]>, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
If you want to see the whole transaction, grep on the Postfix queue ID (replace the ID with the one from your log):
grep 2305E300A6E /var/log/maillog
Output should be something like:
Aug 28 14:55:41 s1.localhost postfix/pickup[22190]: 2305E300A6E: uid=0 from=<root>
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: message-id=<[email protected]>
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: to=<[email protected]>, relay=none, delay=0.17, delays=0.17/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: to=<[email protected]>, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Aug 28 14:55:41 s1.localhost postfix/bounce[27499]: 2305E300A6E: sender non-delivery notification: 4D46F300A91
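The checks from Steps 9 to 12 can be scripted so that you verify the whole chain (Postfix milter setting, clamd socket, clamav-milter listener, and actual milter rejections in the maillog) instead of eyeballing it. The script below is an added example and is not part of the original article, ClamAV or Plesk. It assumes the socket path and the 127.0.0.1:3381 endpoint configured above; the maillog lines and the smtpd_milters value it parses by default are constructed samples modelled on the output shown in Step 12, so it runs anywhere, and it only touches the real server when CLAMAV_LIVE_CHECK=1 is set.

```shell
#!/bin/sh
# Added example (not from the original article, ClamAV or Plesk).
# Offline: parses constructed sample data. Live (CLAMAV_LIVE_CHECK=1):
# runs postconf, ss and reads /var/log/maillog on the server.
# Socket path and milter endpoint are assumed to match the article's setup.

CLAMD_SOCKET="/run/clamd.scan/clamd.sock"
MILTER_ENDPOINT="inet:127.0.0.1:3381"

# Return 0 when a comma-separated smtpd_milters value lists the endpoint.
milters_include() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx "$2"
}

# Read maillog text on stdin; print "QUEUEID sender recipient" for every
# message the milter rejected (the "milter-reject" line logged by cleanup).
milter_rejects() {
    sed -n 's/.*postfix\/cleanup\[[0-9]*]: \([0-9A-F]*\): milter-reject: .*from=<\([^>]*\)> to=<\([^>]*\)>.*/\1 \2 \3/p'
}

# Number of distinct messages rejected by the milter in the maillog on stdin.
count_milter_rejects() {
    milter_rejects | sort -u | wc -l | tr -d ' '
}

# Constructed sample: one EICAR message rejected at END-OF-MESSAGE (as in
# Step 12) followed by one clean message that was delivered normally.
SAMPLE_MAILLOG='Aug 28 14:55:41 s1 postfix/pickup[22190]: 2305E300A6E: uid=0 from=<root>
Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<sender@example.com> to=<recipient@example.com>
Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: to=<recipient@example.com>, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Aug 28 14:56:02 s1 postfix/cleanup[27493]: 7A1B2300B12: message-id=<clean@example.com>
Aug 28 14:56:02 s1 postfix/smtp[27510]: 7A1B2300B12: to=<recipient@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.3, status=sent (250 OK)'
# Constructed sample of the value set in Step 10.
SAMPLE_MILTERS="inet:127.0.0.1:12768, inet:127.0.0.1:3381"

# Live checks against the server itself (real commands, only run on request).
live_check() {
    if milters_include "$(postconf -h smtpd_milters)" "$MILTER_ENDPOINT"; then
        echo "postfix: smtpd_milters includes $MILTER_ENDPOINT"
    else
        echo "postfix: $MILTER_ENDPOINT is missing from smtpd_milters"
    fi
    if [ -S "$CLAMD_SOCKET" ]; then echo "clamd: socket $CLAMD_SOCKET present"
    else echo "clamd: socket $CLAMD_SOCKET missing (is clamd@scan running?)"; fi
    if ss -ltn | grep -q ':3381 '; then echo "clamav-milter: listening on 3381"
    else echo "clamav-milter: nothing listening on 3381"; fi
    echo "milter rejections in maillog: $(count_milter_rejects < /var/log/maillog)"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_MAILLOG" | milter_rejects
echo "rejected messages in sample: $(printf '%s\n' "$SAMPLE_MAILLOG" | count_milter_rejects)"
if milters_include "$SAMPLE_MILTERS" "$MILTER_ENDPOINT"; then
    echo "sample smtpd_milters includes $MILTER_ENDPOINT"
fi
if [ "${CLAMAV_LIVE_CHECK:-0}" = "1" ]; then live_check; fi
```

On the server, run it as CLAMAV_LIVE_CHECK=1 sh check-milter.sh after Step 12: a rejection count of zero after sending the EICAR mail, or a missing socket or listener, points at the same problem discussed in the comments below, where the service shows as running but is not actually filtering mail.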
Cleanup:
rm -f /tmp/eicar.com.txt /root/.muttrc
Conclusion
Congratulations, you have now configured ClamAV to scan incoming mail for viruses.
Deputy Dawg says
yum -y install clamav clamd clamav-milter
should be
yum -y install clamav clamd clamav-milter clamav-update
apart from that omission – very helpful, thanks! 🙂
but…. if you are using art repo… then disable that first!
Ahmet Bas says
On CentOS 8 it was needed to install clamav-update but on CentOS 7 it was not required. Was it needed in your situation?
>but…. if you are using art repo… then disable that first!
What do you mean with this?
hazmir says
can't get milter to start in maillog. But on status of service it shows that service is started.
Ahmet Bas says
You have to see this in the maillog, otherwise, it will most probably not work. That the service is running does not mean that it's filtering your emails. Did you configure the milter as described?