Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

ClamAV not scanning incoming mails

15 views
Skip to first unread message

Seventh Prince

unread,
Sep 18, 2008, 12:27:09 AM9/18/08
to
Hi Everyone,

I am running a Debian based Email server with Exim4 MTA, Courier IMAP,
Squirrelmail, CLamAV & Spamassassin. I could not get the Clamav to
scan any of my incoming mails. advice, pls, thks.

I could do manual scanning with clamdscan though.

My configurations are:
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs/

# Just for reference and scripts.
# On Debian systems, the main binary is installed as exim4 to avoid
# conflicts with the exim 3 packages.
exim_path = /usr/sbin/exim4

# Macro defining the main configuration directory.
# We do not use absolute paths.
.ifndef CONFDIR
CONFDIR = /etc/exim4
.endif

# debconf-driven macro definitions get inserted after this line
UPEX4CmacrosUPEX4C = 1

# Create domain and host lists for relay control
# '@' refers to 'the name of the local host'

# List of domains considered local for exim. Domains not listed here
# need to be deliverable remotely.
domainlist local_domains = MAIN_LOCAL_DOMAINS

# List of recipient domains to relay _to_. Use this list if you're -
# for example - fallback MX or mail gateway for domains.
domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS

# List of sender networks (IP addresses) to _unconditionally_ relay
# _for_. If you intend to be SMTP AUTH server, you do not need to
enter
# anything here.
hostlist relay_from_hosts = MAIN_RELAY_NETS


# Decide which domain to use to add to all unqualified addresses.
# If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary
# hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value
# of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined,
# the first line of /etc/mailname is used.
.ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN
.ifndef MAIN_QUALIFY_DOMAIN
qualify_domain = ETC_MAILNAME
.else
qualify_domain = MAIN_QUALIFY_DOMAIN
.endif
.endif

# listen on all all interfaces?
.ifdef MAIN_LOCAL_INTERFACES
local_interfaces = MAIN_LOCAL_INTERFACES
.endif

.ifndef LOCAL_DELIVERY
# The default transport, set in /etc/exim4/update-exim4.conf.conf,
# defaulting to mail_spool. See CONFDIR/conf.d/transport/ for
possibilities
LOCAL_DELIVERY=mail_spool
.endif

# The gecos field in /etc/passwd holds not only the name. see
passwd(5).
gecos_pattern = ^([^,:]*)
gecos_name = $1

# define macros to be used in acl/30_exim4-config_check_rcpt to check
# recipient local parts for strange characters.

# This macro definition really should be in
# acl/30_exim4-config_check_rcpt but cannot be there due to
# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.

# These macros are documented in acl/30_exim4-config_check_rcpt,
# can be changed here or overridden by a locally added configuration
# file as described in README.Debian chapter 2.1.2

.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
.endif

.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
.endif

# always log tls_peerdn as we use TLS for outgoing connects by default
.ifndef MAIN_LOG_SELECTOR
MAIN_LOG_SELECTOR = +tls_peerdn
.endif

# This tells what virus scanner to use
#av_scanner = clamd:/var/run/clamav/clamd.ctl
av_scanner = clamd:/usr/sbin/clamdscan


/etc/exim4/conf.d/main/02_exim4-
config_options

# Defines the access control list that is run when an
# SMTP MAIL command is received.
#
.ifndef MAIN_ACL_CHECK_MAIL
MAIN_ACL_CHECK_MAIL = acl_check_mail
.endif
acl_smtp_mail = MAIN_ACL_CHECK_MAIL


# Defines the access control list that is run when an
# SMTP RCPT command is received.
#
.ifndef MAIN_ACL_CHECK_RCPT
MAIN_ACL_CHECK_RCPT = acl_check_rcpt
.endif
acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT


# Defines the access control list that is run when an
# SMTP DATA command is received.
#
.ifndef MAIN_ACL_CHECK_DATA
MAIN_ACL_CHECK_DATA = acl_check_data
.endif
acl_smtp_data = MAIN_ACL_CHECK_DATA


# Message size limit. The default (used when MESSAGE_SIZE_LIMIT
# is unset) is 50 MB
.ifdef MESSAGE_SIZE_LIMIT
message_size_limit = MESSAGE_SIZE_LIMIT
.endif


# If you are running exim4-daemon-heavy or a custom version of Exim
that
# was compiled with the content-scanning extension, you can cause
incoming
# messages to be automatically scanned for viruses. You have to modify
the
# configuration in two places to set this up. The first of them is
here,
# where you define the interface to your scanner. This example is
typical
# for ClamAV; see the manual for details of what to set for other
virus
# scanners. The second modification is in the acl_check_data access
# control list.

# av_scanner = clamd:/tmp/clamd
#av_scanner = clamd:/var/run/clamav/clamd.ctl
av_scanner = clamd:/usr/sbin/clamdscan

# For spam scanning, there is a similar option that defines the
interface to
# SpamAssassin. You do not need to set this if you are using the
default, which
# is shown in this commented example. As for virus scanning, you must
also
# modify the acl_check_data access control list to enable spam
scanning.

spamd_address = 127.0.0.1 783

# Domain used to qualify unqualified recipient addresses
# If this option is not set, the qualify_domain value is used.
# qualify_recipient = <value of qualify_domain>


# Allow Exim to recognize addresses of the form "user@[10.11.12.13]",
# where the domain part is a "domain literal" (an IP address) instead
# of a named domain. The RFCs require this facility, but it is
disabled
# in the default config since it is seldomly used and frequently
abused.
# Domain literal support also needs a special router, which is
automatically
# enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS.
# Additionally, you might want to make your local IP addresses (or
@[])
# local domains.
.ifdef MAIN_ALLOW_DOMAIN_LITERALS
allow_domain_literals
.endif


# Do a reverse DNS lookup on all incoming IP calls, in order to get
the
# true host name. If you feel this is too expensive, the networks for
# which a lookup is done can be listed here.
.ifndef DC_minimaldns
.ifndef MAIN_HOST_LOOKUP
MAIN_HOST_LOOKUP = *
.endif
host_lookup = MAIN_HOST_LOOKUP
.endif


# In a minimaldns setup, update-exim4.conf guesses the hostname and
# dumps it here to avoid DNS lookups being done at Exim run time.
.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME
primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME
.endif

# The settings below, which are actually the same as the defaults in
the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming
SMTP
# calls. You can limit the hosts to which these calls are made, and/or
change
# the timeout that is used. If you set the timeout to zero, all RFC
1413 calls
# are disabled. RFC 1413 calls are cheap and can provide useful
information
# for tracing problem messages, but some hosts and firewalls are
# misconfigured to drop the requests instead of either answering or
# rejecting them. This can result in a timeout instead of an immediate
refused
# connection, leading to delays on starting up SMTP sessions. (The
default was
# reduced from 30s to 5s for release 4.61.)
# rfc1413_hosts = *
# rfc1413_query_timeout = 5s

# When using an external relay tester (such as rt.njabl.org and/or the
# currently defunct relay-test.mail-abuse.org, the test may be aborted
# since exim complains about "too many nonmail commands". If you want
# the test to complete, add the host from where "your" relay tester
# connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro.
# Please note that a non-empty setting may cause extra DNS lookups to
# happen, which is the reason why this option is commented out in the
# default settings.
# MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org
.ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
.endif

# By default, exim forces a Sender: header containing the local
# account name at the local host name in all locally submitted
messages
# that don't have the local account name at the local host name in the
# From: header, deletes any Sender: header present in the submitted
# message and forces the envelope sender of all locally submitted
# messages to the local account name at the local host name.
# The following settings allow local users to specify their own
envelope sender
# in a locally submitted message. Sender: headers existing in a
locally
# submitted message are not removed, and no automatic Sender: headers
# are added. These settings are fine for most hosts.
# If you run exim on a classical multi-user systems where all users
# have local mailboxes that can be reached via SMTP from the Internet
# with the local FQDN as the domain part of the address, you might
want
# to disable the following three lines for traceability reasons.
.ifndef MAIN_FORCE_SENDER
local_from_check = false
local_sender_retain = true
untrusted_set_sender = *
.endif


# By default, Exim expects all envelope addresses to be fully
qualified, that
# is, they must contain both a local part and a domain. Configure exim
# to accept unqualified addresses from certain hosts. When this is
done,
# unqualified addresses are qualified using the settings of
qualify_domain
# and/or qualify_recipient (see above).
# sender_unqualified_hosts = <unset>
# recipient_unqualified_hosts = <unset>


# Configure Exim to support the "percent hack" for certain domains.
# The "percent hack" is the feature by which mail addressed to x%y@z
# (where z is one of the domains listed) is locally rerouted to x@y
# and sent on. If z is not one of the "percent hack" domains, x%y is
# treated as an ordinary local part. The percent hack is rarely needed
# nowadays but frequently abused. You should not enable it unless you
# are sure that you really need it.
# percent_hack_domains = <unset>


# Bounce handling
.ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER
MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d
.endif
ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER

.ifndef MAIN_TIMEOUT_FROZEN_AFTER
MAIN_TIMEOUT_FROZEN_AFTER = 7d
.endif
timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER

.ifndef MAIN_FREEZE_TELL
MAIN_FREEZE_TELL = postmaster
.endif
freeze_tell = MAIN_FREEZE_TELL


# Define spool directory
.ifndef SPOOLDIR
SPOOLDIR = /var/spool/exim4
.endif
spool_directory = SPOOLDIR


# trusted users can set envelope-from to arbitrary values
.ifndef MAIN_TRUSTED_USERS
MAIN_TRUSTED_USERS = uucp
.endif
trusted_users = MAIN_TRUSTED_USERS
.ifdef MAIN_TRUSTED_GROUPS
trusted_groups = MAIN_TRUSTED_GROUPS
.endif


# users in admin group can do many other things
# admin_groups = <unset>


# SMTP Banner. The example includes the Debian version in the SMTP
dialog
# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number}
(Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number
$tod_fu


acl/40_exim4-config_check_data


# This ACL is used after the contents of a message have been received.
This
# is the ACL in which you can test a message's headers or body, and in
# particular, this is where you can invoke external virus or spam
scanners.

acl_check_data:

# Deny unless the address list headers are syntactically correct.
#
# If you enable this, you might reject legitimate mail.
# .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
# deny
# message = Message headers fail syntax check
# !acl = acl_local_deny_exceptions
# !verify = header_syntax
# .endif


# require that there is a verifiable sender address in at least
# one of the "Sender:", "Reply-To:", or "From:" header lines.
.ifdef CHECK_DATA_VERIFY_HEADER_SENDER
deny
message = No verifiable sender address in message headers
!acl = acl_local_deny_exceptions
!verify = header_sender
.endif


# Deny if the message contains malware. Before enabling this check,
you
# must install a virus scanner and set the av_scanner option in the
# main configuration.
#
# exim4-daemon-heavy must be used for this section to work.
#
# deny
# malware = *
# message = This message was detected as possible malware
($malware_name).


# Add headers to a message if it is judged to be spam. Before
enabling this,
# you must install SpamAssassin. You also need to set the
spamd_address
# option in the main configuration.
#
# exim4-daemon-heavy must be used for this section to work.
#
# Please note that this is only suiteable as an example. There are
# multiple issues with this configuration method. For example, if
you go
# this way, you'll give your spamassassin daemon write access to the
# entire exim spool which might be a security issue in case of a
# spamassassin exploit.
#
# See the exim docs and the exim wiki for more suitable examples.
#
# warn
# spam = Debian-exim:true
# message = X-Spam_score: $spam_score\n\
# X-Spam_score_int: $spam_score_int\n\
# X-Spam_bar: $spam_bar\n\
# X-Spam_report: $spam_report


# This hook allows you to hook in your own ACLs without having to
# modify this file. If you do it like we suggest, you'll end up with
# a small performance penalty since there is an additional file
being
# accessed. This doesn't happen if you leave the macro unset.
.ifdef CHECK_DATA_LOCAL_ACL_FILE
.include CHECK_DATA_LOCAL_ACL_FILE
.endif

#Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.
#deny message = Serious MIME defect detected ($demime_reason)
#demime = *
#condition = ${if >{$demime_errorlevel}{2}{1}{0}}

# Reject file extensions used by worms.
# Note that the extension list may be incomplete.
# deny message = This domain has a policy of not accepting certain
types of attachments \
in mail as they may contain a virus. This mail has a
file with a .$found_extension \
attachment and is not accepted. If you have a
legitimate need to send \
this particular attachment, send it in a compressed
archive, and it will \
then be forwarded to the recipient.
# demime = exe:com:vbs:bat:pif:scr
# .ifdef TEERGRUBE
# delay = TEERGRUBE
# .endif

# Reject messages containing malware.
# deny message = This message contains a virus ($malware_name) and
has been rejected
# malware = *

deny message = Message contains malware or a virus ($malware_name).
log_message = $sender_host_address tried sending $malware_name
demime =
malware =

# accept otherwise
accept

Robert Harris

unread,
Sep 18, 2008, 9:28:05 AM9/18/08
to
Seventh Prince wrote:
> Hi Everyone,
>
> I am running a Debian based Email server with Exim4 MTA, Courier IMAP,
> Squirrelmail, CLamAV & Spamassassin. I could not get the Clamav to
> scan any of my incoming mails. advice, pls, thks.
>
> I could do manual scanning with clamdscan though.
>
> My configurations are:
> /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs/
>
>
>
>
> [snip]

>
> # This tells what virus scanner to use
> #av_scanner = clamd:/var/run/clamav/clamd.ctl
> av_scanner = clamd:/usr/sbin/clamdscan

This should be:

av_scanner = clamd:/var/run/clamav/clamd.ctl

(this is the socket with which exim communicates with clamd)

> conf

> # av_scanner = clamd:/tmp/clamd
> #av_scanner = clamd:/var/run/clamav/clamd.ctl

Again, use clamd:/var/run/clamav/clamd.ctl

This file should generate the one you quoted above!

> av_scanner = clamd:/usr/sbin/clamdscan
>


The other thing you have to do is make sure that clamd uses the same
socket. That is defined by LocalSocket in /etc/clamav/clamd.conf but you
generally generate it through debconf by running:

dpkg-reconfigure clamav-base

Also, make sure that user Debian-exim is in group clamav

I hope that helps.

Robert

0 new messages