Introduction
In this article, we describe how to configure ClamAV to scan incoming and outgoing mail for viruses in Plesk on CentOS 8. ClamAV is an open-source anti-virus engine used for email scanning, web scanning and endpoint security. The steps below cover installing ClamAV, hooking it into Postfix through clamav-milter and verifying that infected mail is rejected.
Prerequisites
- A VPS, Budget Dedicated Server or Dedicated Server running the Plesk Obsidian (tested on 18.0.30) control panel on CentOS 8.
- SSH root access to the server
Step 1: Log in using SSH
You must be logged in via SSH as a sudo or root user. Please read this article for instructions if you don't know how to connect.
Step 2: Install EPEL repo
ClamAV is installed from the EPEL repository.
dnf --enablerepo=extras install epel-release
Step 3: Install ClamAV and utilities
yum -y install clamav clamd clamav-update clamav-milter
Step 4: Adjust SELinux
setsebool -P antivirus_can_scan_system 1
Step 5: Get the antivirus signatures
freshclam
Step 6: Enable freshclam to update virus definitions automatically
systemctl enable clamav-freshclam
systemctl start clamav-freshclam
Step 7: Configure clamd
Clamd is the daemon that actually scans for viruses; in our example it is called by ClamAV-milter. The Alert* options below make clamd report encrypted archives and documents (which it cannot inspect) and broken executables as infected, so once OnInfected Reject is set in step 9, such messages are refused, including legitimate password-protected attachments.
sed -i "s|^#LogFacility LOG_MAIL|LogFacility LOG_MAIL|g" /etc/clamd.d/scan.conf
sed -i "s|^#LocalSocket\s.*|LocalSocket /run/clamd.scan/clamd.sock|g" /etc/clamd.d/scan.conf
sed -i "s|^#ScanArchive yes|ScanArchive yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertEncrypted yes|AlertEncrypted yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertEncryptedArchive yes|AlertEncryptedArchive yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertEncryptedDoc yes|AlertEncryptedDoc yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertBrokenExecutables yes|AlertBrokenExecutables yes|g" /etc/clamd.d/scan.conf
Step 8: Enable clamd
systemctl enable clamd@scan.service
systemctl start clamd@scan.service
Step 9: Configure ClamAV-milter
Here we tell ClamAV-milter how to reach clamd (over its Unix socket), where to listen for Postfix (TCP port 3381 on localhost) and to reject infected messages instead of quarantining them.
sed -i "s|^Example|#Example|g" /etc/mail/clamav-milter.conf
sed -i "s|^#ClamdSocket tcp:scanner.mydomain:7357|ClamdSocket unix:/run/clamd.scan/clamd.sock|g" /etc/mail/clamav-milter.conf
sed -i "s|^#AddHeader Replace|AddHeader Replace|g" /etc/mail/clamav-milter.conf
sed -i "s|^#LogFacility LOG_MAIL|LogFacility LOG_MAIL|g" /etc/mail/clamav-milter.conf
sed -i "s|^#MilterSocket inet:7357|MilterSocket inet:3381@localhost|g" /etc/mail/clamav-milter.conf
sed -i "s|^#OnInfected Quarantine|OnInfected Reject|g" /etc/mail/clamav-milter.conf
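The sed one-liners in steps 7 and 9 only take effect when the shipped default line matches their pattern exactly, and silently do nothing otherwise. As an added example that is not part of the original article, this Python helper applies the same settings idempotently: it replaces a commented-out or active line and appends the option when it is missing, so it can be re-run safely. The scan.conf excerpt and the function names are constructed for illustration.

```python
import re

# Settings the article applies in step 7 (clamd) and step 9 (clamav-milter).
CLAMD_SETTINGS = {
    "LogFacility": "LOG_MAIL", "LocalSocket": "/run/clamd.scan/clamd.sock",
    "ScanArchive": "yes", "AlertEncrypted": "yes", "AlertEncryptedArchive": "yes",
    "AlertEncryptedDoc": "yes", "AlertBrokenExecutables": "yes",
}
MILTER_SETTINGS = {
    "ClamdSocket": "unix:/run/clamd.scan/clamd.sock", "AddHeader": "Replace",
    "LogFacility": "LOG_MAIL", "MilterSocket": "inet:3381@localhost", "OnInfected": "Reject",
}

def _option_pattern(key: str) -> re.Pattern:
    # Match the option at line start, active or commented out, without catching
    # options that merely share a prefix (LocalSocket vs LocalSocketGroup).
    return re.compile(rf"^#?[ \t]*{re.escape(key)}(?=[ \t]|$)[^\n]*$", re.MULTILINE)

def set_option(text: str, key: str, value: str) -> str:
    """Set `key` to `value`: replace the first commented or active line, else append."""
    line = f"{key} {value}"
    new_text, count = _option_pattern(key).subn(lambda _m: line, text, count=1)
    if count == 0:
        new_text = text.rstrip("\n") + "\n" + line + "\n"
    return new_text

def comment_out(text: str, key: str) -> str:
    """Disable an active option (e.g. the milter's shipped 'Example' line) with a '#'."""
    pat = re.compile(rf"^{re.escape(key)}(?=[ \t]|$)[^\n]*$", re.MULTILINE)
    return pat.sub(lambda m: "#" + m.group(0), text)

def configure(text: str, settings: dict) -> str:
    """Apply all settings; running it a second time yields identical text."""
    for key, value in settings.items():
        text = set_option(text, key, value)
    return text

# Constructed excerpt standing in for a freshly installed scan.conf (not the real file).
SAMPLE_SCAN_CONF = """\
## Example config file for the Clam AV daemon (constructed excerpt)
#LogFacility LOG_LOCAL6
#LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
#ScanArchive yes
"""

if __name__ == "__main__":
    print(configure(SAMPLE_SCAN_CONF, CLAMD_SETTINGS))
```

To edit the real files, read /etc/clamd.d/scan.conf or /etc/mail/clamav-milter.conf, pass the text through configure (and comment_out for Example) and write the result back.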
Step 10: Enable ClamAV-milter
systemctl enable clamav-milter
systemctl start clamav-milter
Step 11: Verify that ClamAV-milter is running
grep clamav-milter /var/log/maillog
The output should be something like:
Aug 28 14:41:41 s1.localhost clamav-milter[124614]: +++ Started at Fri Jun 19 16:43:51 2020
Step 12: Update Postfix main configuration
This is the step where we instruct Postfix to use ClamAV-milter, both for SMTP sessions (smtpd_milters, alongside the existing milter on port 12768) and for locally submitted mail (non_smtpd_milters). Note that milter_default_action=accept makes Postfix accept mail unscanned when the milter is unreachable: this avoids losing mail while clamd is down, at the cost of failing open.
postconf -e milter_default_action=accept
postconf -e milter_protocol=6
postconf -e smtpd_milters="inet:127.0.0.1:12768, inet:127.0.0.1:3381"
postconf -e non_smtpd_milters=inet:127.0.0.1:3381
Step 13: Reload postfix
postfix reload
Step 14: Test ClamAV (local)
In this step, we test whether delivery of infected messages is rejected.
We start by downloading the EICAR test file. This is a harmless file (not an actual virus) that every anti-virus solution should detect as a virus.
cd /tmp
wget https://secure.eicar.org/eicar.com.txt
Next, we install mutt for sending a test mail with an attachment:
yum -y install mutt
Next, we configure mutt to send from a proper address, which will also receive the bounce. Don't forget to change the sender's address!
echo -e 'set from="[email protected]"' > /root/.muttrc
echo -e 'set use_from=yes' >> /root/.muttrc
echo -e 'set use_envelope_from=yes' >> /root/.muttrc
Next, we send an e-mail; make sure you replace the recipient address.
echo "This message contains a virus" | mutt -a eicar.com.txt -s "This is a virus" -- [email protected]
You should be able to see the bounce in the mail log (replace the sender address):
grep "[email protected]" /var/log/maillog
The output should be something like:
Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: to=<[email protected]>, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
If you want to see the whole transaction, grep on the queue ID (replace the ID):
grep 2305E300A6E /var/log/maillog
The output should be something like:
Aug 28 14:55:41 s1.localhost postfix/pickup[22190]: 2305E300A6E: uid=0 from=<root>
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: message-id=<[email protected]>
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: to=<[email protected]>, relay=none, delay=0.17, delays=0.17/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: to=<[email protected]>, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Aug 28 14:55:41 s1.localhost postfix/bounce[27499]: 2305E300A6E: sender non-delivery notification: 4D46F300A91
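Added example, not part of the original article: a small Python parser for the milter-reject lines shown above. It is useful after the test, or run periodically over /var/log/maillog, to see which messages clamav-milter caused Postfix to reject and whether they arrived over SMTP (smtpd_milters) or were submitted locally (non_smtpd_milters). The log sample is constructed from the article's output with placeholder addresses and a made-up second queue ID.

```python
import re
from collections import Counter

# Shape of the line Postfix logs when a milter (here clamav-milter) rejects a message.
MILTER_REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<proc>\w+)\[\d+\]: "
    r"(?P<qid>\w+): milter-reject: (?P<stage>[A-Z-]+) from (?P<client>\S+): "
    r"(?P<dsn>\d\.\d\.\d) (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_milter_rejects(log_text: str) -> list:
    """Return one dict per milter-reject line; all other maillog lines are ignored."""
    rejects = []
    for line in log_text.splitlines():
        m = MILTER_REJECT.match(line)
        if m:
            rejects.append(m.groupdict())
    return rejects

def summarize(rejects: list) -> dict:
    """Aggregate rejections by client, sender and submission path.
    proc 'cleanup' means locally submitted mail (non_smtpd_milters),
    'smtpd' an inbound SMTP session (smtpd_milters)."""
    return {
        "total": len(rejects),
        "by_client": Counter(r["client"] for r in rejects),
        "by_sender": Counter(r["sender"] for r in rejects),
        "by_path": Counter(r["proc"] for r in rejects),
    }

# Constructed sample modelled on the article's output; addresses and the second
# queue ID (7C0A1300B3F) are placeholders, 203.0.113.5 is a documentation address.
SAMPLE_MAILLOG = """\
Aug 28 14:55:41 s1 postfix/pickup[22190]: 2305E300A6E: uid=0 from=<root>
Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<sender@example.com> to=<recipient@example.com>
Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: to=<recipient@example.com>, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Aug 28 15:02:07 s1 postfix/smtpd[27610]: 7C0A1300B3F: milter-reject: END-OF-MESSAGE from mail.example.net[203.0.113.5]: 5.7.1 Command rejected; from=<news@example.net> to=<user@example.com> proto=ESMTP helo=<mail.example.net>
Aug 28 15:02:07 s1 postfix/smtpd[27610]: disconnect from mail.example.net[203.0.113.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

if __name__ == "__main__":
    for r in parse_milter_rejects(SAMPLE_MAILLOG):
        print(f"{r['ts']} {r['qid']} {r['proc']:7} {r['client']} {r['sender']} -> {r['rcpt']}")
    print(summarize(parse_milter_rejects(SAMPLE_MAILLOG)))
```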
Cleanup:
rm -f /tmp/eicar.com.txt /root/.muttrc
yum remove mutt
Conclusion
Congratulations, you have now configured ClamAV to scan incoming and outgoing mail for viruses.