Flexion.Org

Clam SMTP

1.   Introduction
1.1   Installing Clam AV and Clam SMTP
1.2   Configuring Clam SMTP and Postfix
1.3   Unofficial ClamAV Signatures

Introduction

I have decided to give Clam SMTP a try as I have found that my Postfix Anti-UCE measures combined with Postgrey have pretty much eliminated spam. So all I really need is anti-virus scanning to protect Windows users ;-)

Installing Clam AV and Clam SMTP

 apt-get install clamav clamav-freshclam clamav-testfiles clamsmtp

Configuring Clam SMTP and Postfix

First set up the Clam SMTP content filter.

 vi /etc/postfix/main.cf

 content_filter = scan:[127.0.0.1]:10026

The 'content_filter' tells Postfix to send all mail through the service called 'scan' on port 10026. We'll set up clamsmtpd to listen on this port later.

Next we add the following to the Postfix master.cf file:

 vi /etc/postfix/master.cf

Sample

 # ClamSMTP anti virus scan filter (used by content_filter)
 scan      unix  -       -       n       -       16      smtp
   -o smtp_send_xforward_command=yes
   -o smtp_enforce_tls=no
 # For injecting mail back into postfix from the filter
 127.0.0.1:10025 inet  n -       n       -       16      smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks_style=host
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
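
The re-injection listener on port 10025 accepts mail with the content filter and most smtpd restrictions switched off, so it is worth confirming that it is loopback-only and that `content_filter=` is cleared before reloading. The script below is an added example, not part of the original wiki page or of Postfix or ClamSMTP; the function name `check_reinject` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the re-injection listener in a Postfix master.cf.
# Usage: check_reinject FILE [PORT]   (PORT defaults to 10025, as on this page)
# Prints one FAIL line per problem; exit status 0 means none were found.
check_reinject() {
    awk -v port="${2:-10025}" '
    function fail(msg) { print "FAIL: " msg; return 1 }
    function options(first,   i, eq) {       # record every "-o name=value"
        for (i = first; i < NF; i++)
            if ($i == "-o" && (eq = index($(i + 1), "=")) > 0)
                opt[substr($(i + 1), 1, eq - 1)] = substr($(i + 1), eq + 1)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    /^[^ \t]/ {                              # column-1 text starts a new entry
        in_svc = ($2 == "inet" && $8 == "smtpd" && ($1 == port || $1 ~ (":" port "$")))
        if (in_svc) { found = 1; addr = $1; options(9) }
        next
    }
    in_svc { options(1) }                    # indented lines continue the entry
    END {
        if (!found) { print "FAIL: no smtpd listener on port " port; exit 1 }
        if (addr !~ /^127\.0\.0\.1:/ && index(addr, "[::1]:") != 1)
            bad += fail("listener " addr " is not bound to loopback")
        if (!("content_filter" in opt) || opt["content_filter"] != "")
            bad += fail("content_filter not cleared, filtered mail would loop")
        if (opt["smtpd_recipient_restrictions"] != "permit_mynetworks,reject")
            bad += fail("recipient restrictions are not permit_mynetworks,reject")
        if (opt["mynetworks_style"] != "host")
            bad += fail("mynetworks_style is not host")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the listener from this page, then the same listener
# exposed on all interfaces with the content_filter override dropped.
ok_cf=$(mktemp); bad_cf=$(mktemp)
cat > "$ok_cf" <<'EOF'
127.0.0.1:10025 inet  n -       n       -       16      smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
EOF
sed -e 's/^127\.0\.0\.1:10025/10025/' -e '/content_filter=/d' "$ok_cf" > "$bad_cf"
check_reinject "$ok_cf" && echo "page listener: OK"
check_reinject "$bad_cf" || echo "exposed listener: rejected"
rm -f "$ok_cf" "$bad_cf"
```

On a live system run `check_reinject /etc/postfix/master.cf`. Postfix ignores `mynetworks_style` when `mynetworks` is set explicitly in main.cf, so check that value as well.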

Now reload Postfix.

 /etc/init.d/postfix reload

You should do some testing here ;-)

Unofficial ClamAV Signatures

ClamAV's scanning engine is quite flexible and has also been used to scan for phishing signatures. The official phishing signatures in ClamAV are great, but a number of phishing attempts can get past the official ClamAV signatures. There are several unofficial ClamAV signature databases available which can detect lots more phishing attempts, image spams and scams.

First we need to download a script which can fetch all the extra signatures.

 wget http://www.sanesecurity.co.uk/clamav/scamp.txt -O /usr/local/bin/scamp.sh
 chmod 755 /usr/local/bin/scamp.sh

Now make sure we have all the file retrieval tools...

 apt-get install wget curl rsync gzip

Now modify the settings for 'scamp.sh'

 vi /usr/local/bin/scamp.sh

These are the settings I use...

 SIG_DB="/var/lib/clamav"

 ## ************************************************************************ ##
 # Uncomment this on to enable logging. It is off by default.
 
 LOG=1

 ## *************************************************************************##
 # Uncomment to install the optional MSRBL-SPAM-CR.ndb definition file.
 
 CR="yes"

Test the signature retrieval...

 /usr/local/bin/scamp.sh

...and you should see something like this.

 Logging is enabled
 Using Rsync to download the MSRBL files.
 Using curl to download Sanesecurity, Securiteinfo and Malware files
 
 Installed:    ........ MSRBL-SPAM-CR.ndb
 Installed:    ........ MSRBL-SPAM.ndb
 Installed:    ........ phish.ndb
 Installed:    ........ scam.ndb
 Installed:    ........ MSRBL-Images.hdb
 Installed:    ........ honeynet.hdb
 Installed:    ........ securiteinfo.hdb
 Installed:    ........ vx.hdb
 Installed:    ........ mbl.db
 
 Database Reloaded
 
 Files saved to: /var/lib/clamav
 
 Installed:   9
 Not Updated: 0
 Failed:      0

If everything worked, you can schedule a cron job...

 ln -s /usr/local/bin/scamp.sh /etc/cron.daily/scamp

$Id: AddingClamsmtpdToPostfix,v 1.11 2008/01/06 09:42:41 martin Exp $
