View Full Version : Exiscan + ClamAV
This is a very basic how-to on adding support for ClamAV to your DirectAdmin server. It simply rejects all messages containing viruses. Please do not try this on a production box unless you are sure you know what you are doing, and do it at your own risk. Your DirectAdmin box must be running the Exiscan patch. I am running on Fedora 2, so if you are not, it could go differently.
This is based on info from here:
http://www.timj.co.uk/linux/exim.php
First install or make sure you have Exiscan installed. See below.
http://www.directadmin.com/forum/showthread.php?s=&threadid=2990&highlight=exiscan
SSH into your box as root.
cd /var/tmp
It is very handy to have Pico so if you don't have it and want it:
www.rpmfind.net or:
wget ftp://194.199.20.114/linux/SuSE-Linux/i386/9.0/suse/i586/pico-4.58-24.i586.rpm
rpm -Uvh pico-4.58-24.i586.rpm
Now we must download and install ClamAV.
www.clamav.net or:
wget http://crash.fce.vutbr.cz/crash-hat/2/clamav/clamav-0.74-1.i386.rpm
rpm -Uvh clamav-0.74-1.i386.rpm
Now add a cronjob to keep ClamAV up to date.
export EDITOR=pico
crontab -e
Add an entry to your crontab as follows:
53 * * * * /usr/bin/freshclam --quiet
Change 53 to a random number between 1-60 to be considerate to server load.
Alt-X to save and exit.
Next type:
clamd start
chkconfig clamd on
freshclam
This should start clamd and bring your virus signatures up to date.
Now we need to edit exim.conf. The -w turns off wordwrap in pico.
pico -w /etc/exim.conf
At the end of comments section add this:
av_scanner = clamd:127.0.0.1 3310
Type in Ctrl-W and search for the second instance of check_message
Change:
# ACL that is used after the DATA command
check_message:
accept
To this:
# ACL that is used after the DATA command
check_message:
# Virus Check
deny message = This message contains a virus or other malware ($malware_name)
demime = *
malware = *
accept
Do a Ctrl-X and save.
We now need to make it so clamav has access to mail files so type:
pico /etc/group
Change:
mail:x:12:mail
to:
mail:x:12:mail,clamav
Ctrl-X and save.
Now restart Exim
/etc/init.d/exim restart
Does it work? It should refuse all virus-infected messages. Test it extensively before trusting it. Also, occasionally the ClamAV software may need to be updated, so log in and do a freshclam once in a while to see that all is OK. Unlike MailScanner, this rejects infected messages before accepting them. Could result in some weird issues. If you cannot get this to work, please post here so someone may help you. Perhaps DirectAdmin could add support for ClamAV right out of the box in the future.
Matthew
interfasys
07-08-2004, 02:21 PM
Worked for me. From my log :
"rejected after DATA: This message contains a virus or other malware (ClamAV-Test-Signature)"
I got the following dependency problem when attempting to install the RPM (clamav):
warning: clamav-0.74-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
error: Failed dependencies:
libc.so.6(GLIBC_2.3.4) is needed by clamav-0.74-1
How do I get this? Anything I'm doing wrong?
I also tried to install the GNU MP 3 to verify signatures, but got the following error:
checking for suitable m4... configure: error: No usable m4 in $PATH or /usr/5bin
Running RH9
Any help/suggestions appreciated!
error: Failed dependencies:
libc.so.6(GLIBC_2.3.4) is needed by clamav-0.74-1
Go to rpmfind.net and do a search for "GLIBC" and try installing the version for Redhat 9.
ftp://194.199.20.114/linux/redhat/updates/9/en/os/i386/glibc-2.3.2-27.9.7.i386.rpm
If that doesn't work, try installing ClamAV from source maybe. I would not worry about the signatures thing, but that's just me.
Matthew
I managed to install ClamAV from source.
However, when I type chkconfig clamd on, I get the following error:
error reading information on service clamd: No such file or directory
I continue with the setup and edit clamav.conf to enable the following:
Uncomment "LogSyslog"
Uncomment "StreamSaveToDisk"
Uncomment "MaxThreads" and change value to "30"
Uncomment "User" and change value to "clamav"
Uncomment "Foreground"
Uncomment "ScanMail"
I then change all the values in exim.conf. I'm using jlsman's spamblocked exim.conf file.
When restarting exim I get the following error:
Exim configuration error in line 203:
main option "av_scanner" unknown
Anyone know what this could be?
magaf
07-21-2004, 04:32 AM
[root@host root]# /etc/init.d/exim restart
Shutting down exim: /etc/init.d/exim: line 37: kill: (11573) - No such process
Starting exim: 2004-07-21 19:29:15 Exim configuration error in line 679 of /etc/exim.conf:
unknown retry error name "="
[FAILED]
There is something wrong with this line at the end of /etc/exim.conf
av_scanner = clamd:127.0.0.1 3310
any clues ?
skruf
07-21-2004, 02:52 PM
Hey,
Perhaps something got munged when you edited the exim.conf file...
Starting exim: 2004-07-21 19:29:15 Exim configuration error in line 679 of /etc/exim.conf:
unknown retry error name "="
[FAILED]
Take a look at line 679 and see what it says.
My guess is that the line you added is at the bottom of the exim.conf in the Retry Configuration and that is what's causing problems.
av_scanner = clamd:127.0.0.1 3310
David
Anyone know how I can get service clamd to be recognised on the server?
Right now neither chkconfig or exim.conf are able to load clamd, and I haven't been able to sort out the problem.
Thanks!
magaf
07-22-2004, 02:01 AM
I have moved this line up in the config and got:
Starting exim: 2004-07-22 10:55:16 Exim configuration error in line 658 of /etc/exim.conf:
option "av_scanner" unknown
it seems like option av_scanner is not recognizable in my exim
i dunno why.
installed packages :
da_exim-4.32-1 , clamav-0.72-1
magaf
07-22-2004, 03:07 AM
ok solved.my mistake. this line was put in wrong section of exim.conf
thx!
Which section did you put it in?
I have it at the very top, and it's not working.
hkimac
07-27-2004, 08:22 PM
Me too, I left it at the end of comment bit, it gave me error of "main option av_scanner unknown"
Thanks.
skruf
07-28-2004, 07:25 AM
Hey,
Appears that in the latest DA Exim config file this part was missing/left out:
##################################################
# MAIN CONFIGURATION SETTINGS #
##################################################
Which is normally above this part:
# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name.
Right in that area is where you should be able to add the av_scanner line.
David
mo.mentum
09-16-2004, 03:08 PM
So... does this setup work on top of SpamAssassin/spamd?
I have it running with exim 4.24, I believe
I am using Spamassassin with this on my box. Spamassassin was in use before I added the anti-virus actually.
http://www.directadmin.com/forum/showthread.php?s=&threadid=544&highlight=spamassassin
Matthew
Muzza
10-11-2004, 09:11 PM
I'm having similar issues with adding the line
av_scanner = clamd:127.0.0.1 3310
to the exim.conf
comes back with
option "av_scanner" unknown at the line where av-scanner is in the .conf file.
I have tried putting it in several places, including the area suggested by skruf.
installed packages :
da_exim-4.32-1 , clamav-0.72-1
thanks in advance,
Sounds like you have just Exim installed and not Exiscan.
http://www.directadmin.com/forum/showthread.php?s=&threadid=2990&highlight=exiscan
Check that you have Exiscan installed.
Matthew
sander815
10-12-2004, 12:10 AM
can someone translate this to redhat servers?
fusionictnl
10-12-2004, 12:40 AM
It's pretty much the same. Except that /etc/init.d in redhat is something /etc/rc.d/init.d
;)
sander815
10-12-2004, 03:23 AM
I need it enabled on a production machine, so I don't want to guess ;)
fusionictnl
10-12-2004, 03:33 AM
Who said I guessed ?
Don't ask things if you didn't check them out.
The full steps in this thread are perfectly well explained for REDHAT.
the only difference I can find is that PICO maybe isn't installed standardly. but everyone with a little bit of knowledge could find out they should edit the file (example vi).
sander815
10-12-2004, 04:32 AM
it might seem logical to you, but not to me, i ain't no linux expert. I didn't say you guessed
anyway, the install of exiscan, does that replace exim with exiscan, or does exiscan run besides exim?
i am using spamblocked exim.conf, where exactly does that clamd info go?
# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name. In many cases this does
# the right thing and you need not set anything explicitly.
<<<-HERE??
# primary_hostname =
fusionictnl
10-12-2004, 05:02 AM
Exiscan is Exim Scanner. It is built into Exim.
In your exim.conf you will find something like:
# ACL that is used after the DATA command
check_message:
......
You just change it as pointed to in this thread.
sander815
10-12-2004, 05:14 AM
ok, but does exiscan replace exim then?
or does it patch exim?
about exim.conf: i mean this line:
av_scanner = clamd:127.0.0.1 3310
fusionictnl
10-12-2004, 05:21 AM
Exiscan is PATCHED into exim already a few versions back ago by Exim itself.
Exiscan is just a directive in the configuration file.
Just put that line on the first line of the file. or where you say :
<<<-HERE??
sander815
10-12-2004, 05:53 AM
i am still running 4.24, is that 1 already patched?
fusionictnl
10-12-2004, 07:08 AM
No. Update to the latest:
http://www.directadmin.com/forum/showthread.php?s=&threadid=5129
sander815
10-13-2004, 01:06 AM
i assume http://crash.fce.vutbr.cz/crash-hat/2/clamav/clamav-0.80rc4-1.i386.rpm is the new link to clamav?
hostpc.com
10-15-2004, 08:12 AM
Can anyone comment on the server load that this imposes on the servers in a production environment? I'm interested in the number of domains running on the server, and load values PRIOR to installation and POST installation.
Thanks
Joe
albatroz
10-15-2004, 11:14 AM
Is it possible to make it behave like mailscanner?
I mean receive the file, remove the virus and deliver the message?
BTW I tried to install clamav .80rc4
however it asked me for an updated version of glibc (2.34) which I don't have access to. Therefore I had to install clamav version 0.75 from
ftp://ftp.pbone.net/mirror/ftp.falsehope.net/pub/clamav/clamav-0.75.1-1rh73.i386.rpm
Originally posted by interfasys
Worked for me. From my log :
"rejected after DATA: This message contains a virus or other malware (ClamAV-Test-Signature)"
UltimeWWW
10-15-2004, 12:14 PM
Originally posted by hostpc.com
Can anyone comment on the server load that this imposes on the servers in a production environment? I'm interested in the number of domains running on the server, and load values PRIOR to installation and POST installation.
Thanks
Joe
Didn't notice a huge load...working very good.
albatroz
10-15-2004, 01:42 PM
It seems that I got clamd running (finally installed it from the tar-gz), however exim is bouncing every email I receive ...
Here is a tail for /exim/maillog
2004-10-15 16:40:02 1CIYrq-00008p-Kc H=octopus.dnsvelocity.com [64.21.80.9] F=<alengua@virtualorbis.com> temporarily rejected after DATA
ale2004-10-15 16:43:02 1CIYuk-0004Fj-5u malware acl condition: clamd: ClamAV returned /var/spool/exim/scan/1CIYuk-0004Fj-5u: Access denied. ERROR
2004-10-15 16:43:02 1CIYuk-0004Fj-5u H=web13906.mail.yahoo.com [216.136.175.69] F=<alengua@rocketmail.com> temporarily rejected after DATA
albatroz
10-15-2004, 02:43 PM
Guess what?
I rebooted the server and started all the services again, and it is working now :)
It seems that my windows admin skills also work with Linux ;)
A final note on this, I have noticed no traces of spam assassin in the incoming email headers, why?
gaurav
10-16-2004, 01:22 AM
I was getting the error
option "av_scanner" unknown at the line where av-scanner is in the .conf file
then I installed exiscan for redhat 9.0 and after that when I tried to restart exim, I get the following error
Starting exim: 2004-10-16 01:22:55 Exim configuration error in line 283 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "($malware_name)"
[FAILED]
Does anybody know how can I fix this?
thanks
Edit: Never mind, fixed it; there was an extra carriage return
albatroz
10-16-2004, 08:18 AM
Hi!
I was forwarding my emails from server account that also has spam assassin, it is an ehem cpanel server :)
It seems that DA's SpamAssassin was not
scanning emails that has been previously scanned.
Originally posted by albatroz
Guess what?
I rebooted the server and started all the services again, and it is working now :)
It seems that my windows admin skills also work with Linux ;)
A final note on this, I have noticed no traces of spam assassin in the incoming email headers, why?
albatroz
10-17-2004, 07:59 AM
Actually, I would use VI instead of PICO, as in some cases PICO breaks lines that are too long.. generating errors
Originally posted by fusionictnl
Who said I guessed ?
Don't ask things if you didn't check them out.
The full steps in this thread are perfectly well explained for REDHAT.
the only difference I can find is that PICO maybe isn't installed standardly. but everyone with a little bit of knowledge could find out they should edit the file (example vi).
albatroz
10-17-2004, 08:01 AM
Anybody tried successfully Exiscan with ClamAV 0.80rc4?
albatroz
10-18-2004, 12:49 PM
How can I tell if my Exim has been patched with Exiscan?
whenever I try to install da_exim-4.32-1-exiscan.i386.rpm
I get these messages
[root@alfa instaladores]# rpm -ivh da_exim-4.32-1-exiscan.i386.rpm
Preparing... ########################################### [100%]
package da_exim-4.42-1 (which is newer than da_exim-4.32-1) is already installed
file /etc/exim.cert from install of da_exim-4.32-1 conflicts with file from package da_exim-4.42-1
Muzza
10-19-2004, 12:42 AM
I'm getting a similar error message
# rpm -Uvh da_exim-4.32-1-exiscan.i386.rpm
Preparing... ########################################### [100%]
package da_exim-4.32-1 is already installed
file /etc/exim.cert from install of da_exim-4.32-1 conflicts with file from package da_exim-4.32-1
file /etc/exim.key from install of da_exim-4.32-1 conflicts with file from package da_exim-4.32-1
file /usr/sbin/exim from install of da_exim-4.32-1 conflicts with file from package da_exim-4.32-1
Am I supposed to uninstall exim or is there something i'm not doing.
sander815
10-19-2004, 01:45 AM
did you try these:
http://files.directadmin.com/services/7.2/da_exim-4.43-1.i386.rpm
http://files.directadmin.com/services/7.3/da_exim-4.43-1.i386.rpm
http://files.directadmin.com/services/8.0/da_exim-4.43-1.i386.rpm
http://files.directadmin.com/services/9.0/da_exim-4.43-1.i386.rpm
http://files.directadmin.com/services/es_3.0/da_exim-4.43-1.i386.rpm
http://files.directadmin.com/services/fedora_1/da_exim-4.43-1.i386.rpm
http://files.directadmin.com/services/fedora_2/da_exim-4.43-1.i386.rpm
http://files.directadmin.com/services/freebsd4.8/da_exim-4.43-1.tgz
http://files.directadmin.com/services/freebsd5.1/da_exim-4.43-1.tgz
newer exims already have the exiscanpatch
albatroz
10-19-2004, 05:47 PM
Yes, they worked for me, although it took me some time to figure out that DA's exim rpms already come with exiscan...
Muzza
10-19-2004, 06:58 PM
Okay I've downloaded the new version of exim, but how do i go about installing it over the old version.
Do i just run
# rpm -Uvh <rpm>
or something like
# update
albatroz
10-19-2004, 07:37 PM
The rpms posted by DA are rpms with source, so the installation process is a bit different....
wget http://files.directadmin.com/services/da_exim-4.43-1.src.rpm
rpm -ivh da_exim-4.43-1.src.rpm
rpmbuild -bb /usr/src/redhat/SPECS/exim.spec
rpm -Uvh /usr/src/redhat/RPMS/i386/da_exim-4.43-1.i386.rpm
Muzza
10-19-2004, 08:32 PM
I got a copy of the one listed by sander815.
sander815
10-19-2004, 11:39 PM
fo me it was just rpm -Uvh
tribal-dolphin
11-04-2004, 01:40 PM
Is it possible to add in the subject line a texte like **Virus** ?
dannygoh
12-09-2004, 12:05 AM
How do I drop all the messages that contain viruses? I do not want to notify sender or recipient.
dragon2611
12-11-2004, 03:24 PM
Exim restarted OK, but now when I try to send an email I get a message in Thunderbird from the SMTP server saying temporary local problem please check the message and try sending again. :confused:
edit nvm rebooting server seems to have solved that :cool:
nobaloney
12-12-2004, 09:42 AM
Originally posted by dannygoh
How do I drop all the messages that contain viruses? I do not want to notify sender or recipient.
VirusBlocker, now in completion stage, will do that.
Jeff
dragon2611
12-12-2004, 09:56 AM
as clam av is free anyway i think this should be standard with directadmin
I don't think my SpamAssassin is working; not sure if setting this up caused that or whether or not it was working in the first place :confused:
nobaloney
12-12-2004, 10:12 AM
Originally posted by dragon2611
as clam av is free anyway i think this should be standard with directadmin
Once VirusBlocker is completed I will offer it to DA at no cost, as I did SpamBlocker. Should they implement it, as they did SpamBlocker, then ClamAV will be free for anyone who wants to use it.
Jeff
Curtis
12-13-2004, 02:34 PM
Hello,
I just upgraded exim to 4.43 and am ready to install exiscan & clamav. When I want to patch exim, I get a problem.
Enter the exim source directory, and apply the
patch file like this:
patch -p1 < /path/to/exiscan-acl-4.14-02.patch
Where is the "source directory"? Thanks.
:D
Curtis
12-13-2004, 03:28 PM
Hello
I just set up ClamAV and it seems to work fine. But is it possible to keep the email sent to the recipient with a label? ClamAV seems to remove the infected email exactly.
dragon2611
12-17-2004, 10:45 AM
Originally posted by Curtis
Hello
I just set up ClamAV and it seems to work fine. But is it possible to keep the email sent to the recipient with a label? ClamAV seems to remove the infected email exactly.
If you mean remove the virus and then send the email with a note appended that the virus was removed i would like to know how to do this also.
RoRoo
12-21-2004, 01:48 AM
Hi,
When I try to install http://crash.fce.vutbr.cz/crash-hat/2/clamav/clamav-0.80-2.i386.rpm
I get the error:
error: Failed dependencies:
libc.so.6(GLIBC_2.3.4) is needed by clamav-0.80-2
But the latest version of GLIBC I've found is 2.3.2
Is this a bug? ne1 seen this before?
I'm a bit lost here ;)
RH 9
tribal-dolphin
12-21-2004, 07:46 AM
You can find RPM for RH9 on this page : http://dag.wieers.com/packages/clamav/
just download the right version.
RoRoo
12-23-2004, 08:58 AM
Originally posted by dragon2611
If you mean remove the virus and then send the email with a note appended that the virus was removed i would like to know how to do this also.
Same here :)
Haven't found it in the config files.
Also,
Is it true that e-mails take about 5 minutes from the scanner to traverse into the mailboxes? Or am I being paranoid....
TIA
RoRoo
If you mean remove the virus and then send the email with a note appended that the virus was removed i would like to know how to do this also.
Same here
That's strange. That's exactly the thing I wanted to get away from. Users actually complained to us about all the email virus warnings they receive. They would rather not get any. If you want to see that it's working, you can look at the log files and/or have MRTG graph its performance. If you are concerned about blocking a legitimate email, in that rare case the sending MTA 'should' alert the sender of the reject. Test this yourself to be sure. Usually the sending MTA is a virus and will just go on to the next victim, though.
Is it true that e-mails take about 5 minutes from the scanner to traverse into the mailboxes? Or am I being paranoid....
That's not true at all. Messages seem to go through almost instantly for me. There are other settings in Exim that can affect delivery time that are not related to virus scanning. Look through your Exim config file.
Matthew
RoRoo
12-24-2004, 06:46 AM
Originally posted by hci
That's strange. That's exactly the thing I wanted to get away from. Users actually complained to us about all the email virus warnings they receive. They would rather not get any. If you want to see that it's working, you can look at the log files and/or have MRTG graph its performance. If you are concerned about blocking a legitimate email, in that rare case the sending MTA 'should' alert the sender of the reject. Test this yourself to be sure. Usually the sending MTA is a virus and will just go on to the next victim, though.
That's not true at all. Messages seem to go through almost instantly for me. There are other settings in Exim that can affect delivery time that are not related to virus scanning. Look through your Exim config file.
Matthew
i'll monitor the performance for a few days..
thanks
dannygoh
12-24-2004, 09:15 AM
Originally posted by jlasman
Once VirusBlocker is completed I will offer it to DA at no cost, as I did SpamBlocker. Should they implement it, as they did SpamBlocker, then ClamAV will be free for anyone who wants to use it.
Jeff
THANKS JEFF.
So how is this working for everyone? Its working super on our server.
I also added this to the exim.conf ACLs to block SPAM.
deny dnslists = relays.ordb.org : sbl-xbl.spamhaus.org : dnsbl.sorbs.net
message = SPAM: rejected because $sender_host_address is in the blacklist at $dnslist_domain\n\ ($dnslist_text)
These lists are all rather conservative and rarely ever false and still block a lot of crud. I have SpamAssassin running to tag SPAM more aggressively so end users can choose to filter further at their own risk.
I am also working on making some scripts for Rrdtool that will graph the whole works. Spare time projects are slow coming though.
Matthew
interfasys
01-07-2005, 12:15 PM
I wouldn't use sorbs. They ask you $50 to remove an IP. They're extortionists.
I wouldn't use sorbs. They ask you $50 to remove an IP. They're extortionists.
I did not realize that. Will remove them. I only added them for their dialup pools. Know of a good blacklist for dialup pools?
Matthew
Dennis
01-10-2005, 10:31 PM
I also added this to the exim.conf ACLs to block SPAM.
quote:
--------------------------------------------------------------------------------
deny dnslists = relays.ordb.org : sbl-xbl.spamhaus.org : dnsbl.sorbs.net
message = SPAM: rejected because $sender_host_address is in the blacklist at $dnslist_domain\n\ ($dnslist_text)
--------------------------------------------------------------------------------
These lists are all rather conservative and rarely ever false and still block a lot of crud. I have SpamAssassin running to tag SPAM more aggressively so end users can choose to filter further at their own risk.
Hi all,
Is this ok to use?? And (important) is it free? ;)
tnks!
Dennis
nobaloney
01-11-2005, 12:17 AM
All DirectAdmin installs during at least the last year, and all up to date DA installs as well, include the SpamBlocker version of exim.conf.
That standard exim.conf file includes the following blocklists by default:
bl.spamcop.net
cbl.abuseat.org
dnsbl.njabl.org
sbl-xbl.spamhaus.org
relays.ordb.org
rhsbl.sorbs.net
and all of the dnsbl.sorbs.net blocklists except for:
spam.dnsbl.sorbs.net
which is defined thusly on the Sorbs website (http://www.dnsbl.au.sorbs.net/using.shtml):
List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS. This zone also contains netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list.
SpamCop website (http://www.spamcop.net/)
CBL Website (http://cbl.abuseat.org/)
NJABL website (http://dnsbl.njabl.org/)
sbl-xbl.spamhaus website (http://www.spamhaus.org/sbl/howtouse.html)
ORDB website (http://ordb.org/)
Sorbs website (http://www.dnsbl.au.sorbs.net/using.shtml)
All you have to do to use these blocklists (all are available at no charge) is copy (not cut and copy) the domain names that you want to use the blocklists for, when receiving their email, from /etc/virtual/domains to /etc/virtual/use_rbl_domains.
Jeff
Dennis
01-11-2005, 01:24 AM
Tnx Jeff, and also for all the other posts! Really helps! :)
I just got one thing:
I've installed Exim and the ClamAV as said in this post.....but all normal email is now: "temporarily rejected after DATA". I think this has something to do with the scanning?
I can also see he is scanning "/var/spool/exim/scan/1CoILG-0006hO-7O: Access denied. ERROR" This is in the paniclog of Exim.
What can be the error? Not enough rights?
Tnx again!
Dennis
Edit: Sorry.....looked closer in this forum and found this post:
http://www.directadmin.com/forum/showthread.php?s=&threadid=5444
I am going to check if there is a reboot or just restart clamd.....I'll edit this post again.
Edit2: Yep, you also have to restart clamd as well as Exim......The mainlog tells me: "2005-01-11 11:12:56 1CoJ1E-0002Kq-9I Completed" Which is the same filename as when it went wrong.
rldev
01-20-2005, 05:44 PM
Well I believe I have clam working. Other then not receiving test viri email, where can I check in the logs and what should I be looking for in the logs to verify it's operation?
Thanks.
Goto the Directadmin log viewer and look at Exim reject log. Look for MALWARE entries. Directadmin's log viewer rocks.
Here is a test virus.
http://www.aleph-tec.com/eicar/index.php
Matthew
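The log lines quoted in this thread fall into two groups that are easy to confuse: rejections for a named signature, and deferrals caused by clamd failing to read the spool file. The following triage is an added example, not code from any poster; the function names are hypothetical, the sample log is constructed from the line formats posted above (with example.org addresses), and the reject text assumes the message = wording from the first post's ACL.

```sh
#!/bin/sh
# Added example: triage an Exim log for virus rejects versus scanner failures.

# Summarise a log file. First output line carries the counters, followed by
# one "signature NAME: COUNT" line per malware name seen.
triage_log() {
    awk '
        # Permanent reject produced by the "deny ... malware = *" ACL entry.
        /rejected after DATA: This message contains a virus/ {
            name = $0
            sub(/^.*\(/, "", name)      # keep what follows the last "("
            sub(/\).*$/, "", name)      # drop the closing ")" and the rest
            hits[name]++; infected++
            next
        }
        # clamd could not scan the message; $3 is the Exim message id.
        /malware acl condition:/ { failures++; ids[$3] = 1; next }
        # Deferral; count separately those that follow a scanner failure.
        /temporarily rejected after DATA/ {
            deferred++
            if ($3 in ids) caused++
        }
        END {
            printf "infected=%d scanner_errors=%d deferred=%d deferred_by_scanner=%d\n",
                   infected, failures, deferred, caused
            for (n in hits) printf "signature %s: %d\n", n, hits[n]
        }
    ' "$1"
}

# Exit 0 when the log shows clamd itself failing, i.e. mail is being deferred
# because it could not be scanned, not because it is infected.
scanner_failing() {
    grep -q 'malware acl condition:' "$1"
}

# Constructed sample log (line formats taken from the posts in this thread).
make_sample_log() {
    cat > "$1" <<'EOF'
2005-01-11 10:58:01 1CoILG-0006hO-7O malware acl condition: clamd: ClamAV returned /var/spool/exim/scan/1CoILG-0006hO-7O: Access denied. ERROR
2005-01-11 10:58:01 1CoILG-0006hO-7O H=mail.example.org [192.0.2.10] F=<alice@example.org> temporarily rejected after DATA
2005-01-11 11:12:56 1CoJ1E-0002Kq-9I H=mail.example.org [192.0.2.10] F=<alice@example.org> rejected after DATA: This message contains a virus or other malware (ClamAV-Test-Signature)
2005-01-11 11:20:03 1CoJ8A-0003Ab-2X H=relay.example.net [198.51.100.7] F=<bob@example.net> rejected after DATA: This message contains a virus or other malware (ClamAV-Test-Signature)
2005-01-11 11:25:40 1CoJDc-0003Zz-Qe H=relay.example.net [198.51.100.7] F=<bob@example.net> temporarily rejected after DATA
EOF
}

log=$(mktemp)
make_sample_log "$log"
triage_log "$log"
if scanner_failing "$log"; then
    echo "clamd errors present: check group membership and restart clamd as well as Exim"
fi
rm -f "$log"
```

A non-zero scanner_errors count means legitimate mail is being deferred unscanned, which is the condition several posters resolved by restarting clamd after the /etc/group change.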
rldev
01-21-2005, 06:32 AM
It's working like a charm :)
interfasys
01-21-2005, 09:58 PM
http://www.webmail.us/testvirus/
rldev
02-04-2005, 11:13 AM
Actually, I'm not sure what happened over the last few days but clam has given me some problems. I have clam updated to .81. Clam started blocking all emails on the server. My admin changed the exim.conf to
#av_scanner = clamd:127.0.0.1 3310
av_scanner = clamd:/var/run/clamav/clamd
Now why would the bottom line work and not the one above?
albatroz
02-04-2005, 11:37 AM
Check out how is the clamd daemon configured in your server...
Look for the clamd.conf file at /etc/
and see if it matches with what exim is looking for.
rldev
02-04-2005, 11:47 AM
It looks like it matches up, but what is the significance of the tcp port address for clam?
TCP port address.
# Default: disabled
#TCPSocket 3310
albatroz
02-04-2005, 12:49 PM
In your clamd.conf file should be an
uncommented line like this
LocalSocket /var/run/clamav/clamd
Why?
Clamd has 2 modes of operation.
1st as a daemon linked to a tcp port, just like telnet. In these cases the TCP port 3310
is used, and EXIM uses that TCP port to interface with the antivirus.
2nd with a local socket, what is supposed to be most secure method. It seems that your admin tried to configure everything in that way, but something seems to be wrong.
Just make sure that paths are correct
rldev
02-04-2005, 01:06 PM
LocalSocket /var/run/clamav/clamd
is there and all is running,
Is it better to run it one way or another?
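Two failures recur in this thread: av_scanner pasted below a begin line (the "unknown retry error name" report) and exim.conf pointing at TCP port 3310 while clamd.conf enables only LocalSocket. The following preflight check is an added example, not code from any poster or from DirectAdmin; its function names are hypothetical and the sample files it writes to a temporary directory are constructed. It checks placement and pairing only, not whether the Exim binary was built with Exiscan.

```sh
#!/bin/sh
# Added example: check that exim.conf's av_scanner line is in the main
# section and names the same listener that clamd.conf enables.

# Print the section holding av_scanner: "main", or the name after "begin".
av_scanner_section() {
    awk '
        /^[ \t]*begin[ \t]/ { section = $2 }
        /^[ \t]*av_scanner[ \t]*=/ {
            print (section == "" ? "main" : section); found = 1; exit
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print the av_scanner value with surrounding blanks removed.
av_scanner_value() {
    awk '
        /^[ \t]*av_scanner[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Print the argument of an uncommented clamd.conf directive, e.g. TCPSocket.
clamd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Exit codes: 0 ok, 2 not set, 3 wrong section, 4 not clamd, 5 mismatch.
check_pairing() {
    exim_conf=$1 clamd_conf=$2
    section=$(av_scanner_section "$exim_conf") || {
        echo "av_scanner is not set in $exim_conf"; return 2; }
    if [ "$section" != main ]; then
        echo "av_scanner sits in the '$section' section; move it above the first 'begin' line"
        return 3
    fi
    value=$(av_scanner_value "$exim_conf")
    case $value in
        clamd:/*)   # local socket form, e.g. clamd:/var/run/clamav/clamd
            want=${value#clamd:}
            have=$(clamd_directive "$clamd_conf" LocalSocket)
            kind=LocalSocket ;;
        clamd:*)    # TCP form, e.g. clamd:127.0.0.1 3310 (compare the port)
            want=${value##* }
            have=$(clamd_directive "$clamd_conf" TCPSocket)
            kind=TCPSocket ;;
        *)
            echo "av_scanner '$value' is not a clamd scanner"; return 4 ;;
    esac
    if [ "$want" = "$have" ]; then
        echo "OK: Exim and clamd agree on $kind $want"; return 0
    fi
    echo "MISMATCH: Exim expects $kind $want, clamd.conf has ${have:-no active $kind line}"
    return 5
}

# Constructed sample files modelled on the situations reported in the thread.
make_samples() {
    cat > "$1/exim_ok.conf" <<'EOF'
# MAIN CONFIGURATION SETTINGS
av_scanner = clamd:127.0.0.1 3310
begin acl
check_message:
  deny message = This message contains a virus or other malware ($malware_name)
       malware = *
  accept
begin retry
*  *  F,2h,15m
EOF
    cat > "$1/exim_tail.conf" <<'EOF'
# MAIN CONFIGURATION SETTINGS
begin acl
check_message:
  accept
begin retry
*  *  F,2h,15m
av_scanner = clamd:127.0.0.1 3310
EOF
    cat > "$1/clamd_local.conf" <<'EOF'
LocalSocket /var/run/clamav/clamd
#TCPSocket 3310
EOF
    cat > "$1/clamd_tcp.conf" <<'EOF'
TCPSocket 3310
EOF
}

samples=$(mktemp -d)
make_samples "$samples"
check_pairing "$samples/exim_ok.conf"   "$samples/clamd_tcp.conf"   || true
check_pairing "$samples/exim_ok.conf"   "$samples/clamd_local.conf" || true
check_pairing "$samples/exim_tail.conf" "$samples/clamd_tcp.conf"   || true
rm -rf "$samples"
```

On a real server the two arguments would be /etc/exim.conf and the clamd.conf that the running clamd actually reads.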
Muzza
02-16-2005, 04:18 PM
I'm trying to install the latest version of ClamAV, but I got some failed dependencies:
libc.so.6(GLIBC_2.3.4) is needed by clamav-0.83-1
libcurl.so.3 is needed by clamav-0.83-1
libidn is needed by clamav-0.83-1
libidn.so.11 is needed by clamav-0.83-1
zlib >= 1.2.1.2 is needed by clamav-0.83-1
so i got zlib.1.2.1.2
but when i tried to update the zlib i got the following error
zlib = 1.1.4 is needed by (installed) zlib-devel-1.1.4-8
When i try to update zlib-devel-1.2.1.2 i get the following error
zlib = 1.2.1.2 is needed by zlib-devel-1.2.1.2-1
Any help would be appreciated as it seems i can't update one without the other being updated already. Kind of catch 22.
Sorry I kind of still fair new to all this.
Edit: I found out what i needed to do. Didn't realise you could have more than one rpm installing at a time.
Used: rpm -Uvh zlib-1.2.1.2-1.i386.rpm zlib-devel-1.2.1.2-1.i386.rpm
That worked fine.
Muzza
02-16-2005, 07:27 PM
I am running redhat 9 (which i think is the same as Fedora 3)
i've d/l the following
glibc-2.3.4-2.fc3.i386.rpm
glibc-common-2.3.4-2.fc3.i386.rpm
glibc-devel-2.3.4-2.fc3.i386.rpm
glibc-headers-2.3.4-2.fc3.i386.rpm
glibc-profile-2.3.4-2.fc3.i386.rpm
glibc-utils-2.3.4-2.fc3.i386.rpm
but when i try and do a
# rpm -Uvh glibc*.i386.rpm
i get the follow error
error: Failed dependencies:
shadow-utils < 2:4.0.3-20 conflicts with glibc-2.3.4-2.fc3
nscd < 2.3.3-52 conflicts with glibc-2.3.4-2.fc3
tzdata >= 2003a is needed by glibc-common-2.3.4-2.fc3
libgd.so.2 is needed by glibc-utils-2.3.4-2.fc3
Have i d/l the correct .rpm's or not. I tried d/l the source for clamAV, but got some different failed dependencies.
dragon2611
02-16-2005, 11:09 PM
i cheated...
I'm using centos and I get my clam av from the dag redhat enterprise repository which I added to yum, doesn't seem to cause any problems :)
not sure if there is a DAG repository for redhat9 but if there is grab yum or apt-get for rh and then add it ;) (http://freshrpms.net for yum/apt)
then a simple 'yum update' will update your clam-av and anything else that needs updated
(apt-get update then apt-get upgrade if you grab apt instead)
emkubed
02-17-2005, 10:59 AM
I am having similar issues as Muzza. We just got a new webserver running RedHat 9. Apt-get is "working" as in I grabbed it via wget, installed it, and can run -update and -upgrade. I added:
### Dag Apt Repository for Red Hat 9
rpm http://apt.sw.be redhat/9/en/i386 dag
...to my sources.list file.
It does list a few things to be upgraded:
The following packages will be upgraded
apt lftp libxml2 libxml2-devel logwatch mtools mtr pine proftpd rsync splint syslinux wireless-tools
I suppose I expected apt-get to find GLIBC and zlib updates, since Clam is looking for newer versions of those.
What I'm finding is Clam needs a newer glibc, and glibc needs a newer shadow-utils, nscd, etc.
I tried to grab Yum, and it wants a newer libxml2, and so forth.
I'm curious, if I grab an older version of Clam (.7x or something) to get around the dependencies, I'm obviously missing out on a newer scan engine and newer features. I'd like to be able to run a tool that updates all of my dependencies. Am I running into issues because its RedHat 9.0, and latest and greatest are all FC3 or Redhat Enterprise? If I'm stuck with RH9, am I stuck with old Clam?
Thanks for your time.
dragon2611
02-17-2005, 11:05 AM
try grabing yum from http://ftp.freshrpms.net/pub/freshrpms/redhat/9/yum/
if you dont have clam installed try yum install clamav or apt-get install clamav
hopefully it would sort the dependencies itself
emkubed
02-17-2005, 11:45 AM
Originally posted by dragon2611
try grabing yum from http://ftp.freshrpms.net/pub/freshrpms/redhat/9/yum/
if you dont have clam installed try yum install clamav or apt-get install clamav
hopefully it would sort the dependencies itself
From my earlier post
I tried to grab Yum, and it wants a newer libxml2, and so forth
Yum also has dependencies I cannot resolve (I grabbed libxml2-2.6.9-0.99_10.rh9.at.src.rpm, try to install it, tells me "libxml2-2.6.9-0.99_10.rh9.at.src.rpm: not an rpm package (or package manifest):
")
I'd love to use yum, if I can get through that dependencies. I'm sure it's simple, and if I would be better served by asking about Yum in another forum, feel free to berate me.
dragon2611
02-17-2005, 01:52 PM
try the non source rpm
http://download.atrpms.net/production/packages/redhat-9-i386/atrpms/libxml2-2.6.9-0.99_10.rh9.at.i386.rpm
emkubed
02-17-2005, 02:42 PM
Originally posted by dragon2611
try the non source rpm
http://download.atrpms.net/production/packages/redhat-9-i386/atrpms/libxml2-2.6.9-0.99_10.rh9.at.i386.rpm
Trying that (rpm -Uhv [filename]), I get this:
error: Failed dependencies:
libxml2 = 2.5.4 is needed by (installed) libxml2-devel-2.5.4-3.rh9
Is this common on a fresh install of 9? Since it's been out a while, is everything just way out of date?
dragon2611
02-17-2005, 02:53 PM
http://download.atrpms.net/production/packages/redhat-9-i386/atrpms/libxml2-2.6.9-0.99_10.rh9.at.i386.rpm
http://download.atrpms.net/production/packages/redhat-9-i386/atrpms/libxml2-devel-2.6.9-0.99_10.rh9.at.i386.rpm
make sure you have them both in the same directory ideally with nothing else
then try
rpm -Uhv *.rpm
that might do it but I'm not sure.
Edit: yes, it's common with rh9, which is why I now use centos; it seems to be easier to get updated packages for
emkubed
02-17-2005, 03:11 PM
Originally posted by dragon2611
http://download.atrpms.net/production/packages/redhat-9-i386/atrpms/libxml2-2.6.9-0.99_10.rh9.at.i386.rpm
http://download.atrpms.net/production/packages/redhat-9-i386/atrpms/libxml2-devel-2.6.9-0.99_10.rh9.at.i386.rpm
make sure you have them both in the same directory ideally with nothing else
then try
rpm -Uhv *.rpm
that might do it but I'm not sure.
Edit: yes, it's common with rh9, which is why I now use centos; it seems to be easier to get updated packages for
Unfortunately that didn't work, I got another failed dependency:
error: Failed dependencies:
libxml2 = 2.6.9 is needed by libxml2-devel-2.6.9-0.99_10.rh9.at
This lack of being able to find current rpms for all these dependencies is telling me RH9 + latest ClamAV is a no-go.
That's not going to be fun. This is a rental server; Redhat 9 is our only option on this box. Clam looked like the popular choice. Do we have any other options?
Muzza
02-17-2005, 03:35 PM
Looks like I'll have to wait till a solution is found too, emkubed.
dragon2611
02-17-2005, 03:58 PM
maybe try googling/searching for some more rh9 repositories, then maybe one of them will allow apt to update everything for you; only thing I can really think of at the mo
emkubed
02-21-2005, 02:08 PM
I actually found
clamav-0.83-1.0.rh9.rf.i386.rpm
that I did a rpm -Uvh on, and it did something w/o questions or prompts. I can run clamscan or freshclam from anywhere, and they run, but it didn't load clamd, which I obviously want. It didn't load the clamd.conf file anywhere, so I'm at an impasse until I can stumble across how to add clamd by itself.
I got yum working also, but after it spends like 3 minutes pulling down loads of stuff, it says there is nothing to update. Not a single thing. Why would that be?
Originally posted by dragon2611
I cheated...
I'm using centos and I get my clam av from the dag redhat enterprise repository which I added to yum, doesn't seem to cause any problems :)
not sure if there is a DAG repository for redhat9 but if there is, grab yum or apt-get for rh and then add it ;) (http://freshrpms.net for yum/apt)
then a simple 'yum update' will update your clam-av and anything else that needs updating
(apt-get update then apt-get upgrade if you grab apt instead)
Can you write the line that you added to Yum to use the dag repository? Thanks.
Jon
dragon2611
02-23-2005, 11:50 AM
added this to /etc/yum.conf
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el3/en/$basearch/dag
emkubed
03-24-2005, 08:25 PM
OK, I'm having a bit of an issue.
I'm running Redhat 9, Exim and the 0.83 clamav.
After making the appropriate changes to my exim.conf, when any mail is sent, my exim mainlog shows this:
2005-03-25 12:05:45 1DEsFl-00040S-FU malware acl condition: clamd: connection to 127.0.0.1, port 3310 failed (Bad file descriptor)
2005-03-25 12:05:45 1DEsFl-00040S-FU H=bay103-dav11.bay103.hotmail.com (hotmail.com) [65.54.174.83] F=<emkubed@hotmail.com> temporarily rejected after DATA
I'm sure this is something simple, but I've tried to follow the instructions in the clamdoc.pdf and from this helpful thread:
http://www.directadmin.com/forum/showthread.php?threadid=3860
I'm thinking my issue is something I've missed in setting up clam. It installed fine from RPMs, clamd runs, freshclam runs, etc.
What does this give you?
/etc/init.d/clamd status
Have you tried clamscan somefile?
Have you restarted Exim? Have you rebooted since adding all this?
Matthew
emkubed
03-25-2005, 06:57 AM
Originally posted by hci
What does this give you?
/etc/init.d/clamd status
Have you tried clamscan somefile?
Have you restarted Exim? Have you rebooted since adding all this?
Matthew
clamd (pid 3370) is running...
and I've restarted both exim and the server, yes. I can comment out the clam stuff I've added to exim.conf and email goes through OK.
Do you have iptables or some other firewall running? If so stop firewall and see what happens.
Matthew
emkubed
03-25-2005, 07:23 AM
Originally posted by hci
Do you have iptables or some other firewall running? If so stop firewall and see what happens.
Matthew
This is on our colo'd webserver, I'm sure the host has a router/firewall or three. AFAIK there is no firewall running on the box itself. I can reprint our pid list if needed.
Is there a command I can do on the box to see if I can get out via port 3310?
Here is someone who had same problem.
http://www.mail-archive.com/clamav-users@lists.sourceforge.net/msg02221.html
Not that it does any good since no one really helped him.
Look in your /etc/clamd.conf
Make sure TCP port is right and see if anything else sticks out. Seems that either clamd is not properly running on port 3310 or you have a firewall on your box blocking it.
Maybe someone else will jump in here with an idea?
Matthew
rldev
03-25-2005, 08:04 AM
firewall is possible. I had a similar problem due to apf settings.
emkubed
03-25-2005, 08:08 AM
Originally posted by hci
Here is someone who had same problem.
http://www.mail-archive.com/clamav-users@lists.sourceforge.net/msg02221.html
Not that it does any good since no one really helped him.
Look in your /etc/clamd.conf
Make sure TCP port is right and see if anything else sticks out. Seems that either clamd is not properly running on port 3310 or you have a firewall on your box blocking it.
Maybe someone else will jump in here with an idea?
Matthew
Well heck maybe it's this. This is from my clamd.conf:
# Path to a local socket file the daemon will listen on.
# Default: disabled
LocalSocket /var/run/clamav/clamd.sock
# Remove stale socket after unclean shutdown.
# Default: disabled
FixStaleSocket
# TCP port address.
# Default: disabled
# TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: disabled
TCPAddr 127.0.0.1
My 3310 is commented out, as I was following suggestions from here: http://www200.pair.com/mecham/spam/clamav-redhat-amavis.html
but it occurred to me, these are instructions with amavisd-new, not exim.
Maybe that's all I need to switch around, comment out the TCPAddr 127.0.0.1 and uncomment the # TCPSocket 3310...
Here is mine if it will help any.
http://www.fileholder.net/files/clamd.conf
Let us know what you find.
Matthew
emkubed
03-25-2005, 08:07 PM
Well crap, now when I try to send, I have to go to the exim paniclog and see this:
2005-03-25 23:06:48 Exim configuration error in line 558 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "($malware_name)"
repeated several times.
Edit: Ah, my mistake. Your sample conf helped. I had local socket commented out, but both 127.0.0.1 and 3310 were uncommented. Easy enough.
Email works now. Thanks for your help.
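The mismatch resolved in the posts above (Exim's av_scanner pointing at TCP 127.0.0.1:3310 while clamd.conf only enabled LocalSocket) can be checked mechanically. The following is an added example, not code from any poster in this thread: the function names are hypothetical, CLAMD_CONF_TCP is a constructed variant, and ping() relies on clamd answering its PING command with PONG.

```python
import re
import socket

# The av_scanner line from the how-to at the top of this thread.
EXIM_CONF = "av_scanner = clamd:127.0.0.1 3310\n"
# Active directives of the clamd.conf posted above (TCPSocket commented out).
CLAMD_CONF_POSTED = """\
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket
# TCPSocket 3310
TCPAddr 127.0.0.1
"""
# Constructed variant: Unix socket disabled, TCP listener enabled.
CLAMD_CONF_TCP = """\
# LocalSocket /var/run/clamav/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1
"""

def exim_scanner(exim_conf):
    """Return ('unix', path) or ('tcp', host, port) from av_scanner, else None."""
    m = re.search(r"^\s*av_scanner\s*=\s*clamd:(\S+)(?:[ \t]+(\d+))?[ \t]*$", exim_conf, re.M)
    if not m:
        return None
    target, port = m.groups()
    if target.startswith("/"):
        return ("unix", target)
    return ("tcp", target, int(port)) if port else None

def clamd_listeners(clamd_conf):
    """List the sockets clamd is configured to open; no TCPAddr means INADDR_ANY."""
    opts = {}
    for line in clamd_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    found = []
    if "LocalSocket" in opts:
        found.append(("unix", opts["LocalSocket"]))
    if "TCPSocket" in opts:
        found.append(("tcp", opts.get("TCPAddr", "0.0.0.0"), int(opts["TCPSocket"])))
    return found

def configs_agree(scanner, listeners):
    """True if Exim's scanner address is one clamd is configured to listen on."""
    for lst in listeners:
        if scanner[0] == "unix" and lst == scanner:
            return True
        if scanner[0] == lst[0] == "tcp" and scanner[2] == lst[2] and lst[1] in ("0.0.0.0", scanner[1]):
            return True
    return False

def ping(scanner, timeout=3.0):
    """Send clamd's PING command to the scanner address; True on a PONG reply."""
    unix = scanner[0] == "unix"
    try:
        with socket.socket(socket.AF_UNIX if unix else socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(scanner[1] if unix else (scanner[1], scanner[2]))
            s.sendall(b"PING\n")
            return s.recv(16).strip() == b"PONG"
    except OSError:
        return False

if __name__ == "__main__":
    sc = exim_scanner(EXIM_CONF)
    print("posted:", configs_agree(sc, clamd_listeners(CLAMD_CONF_POSTED)),
          "tcp:", configs_agree(sc, clamd_listeners(CLAMD_CONF_TCP)), "ping:", ping(sc))
```

On a real box, read /etc/exim.conf and /etc/clamd.conf into the two parser functions instead of the embedded samples; a False from ping() with agreeing configs points at the daemon or a local firewall rather than the configuration.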
Muzza
05-08-2005, 05:59 PM
I used the yum program, and it updated the server, except that I still have the same Failed dependencies issue as before I ran yum. So it looks like yum updated the couple of rpms on my system that were old, except for the ones I really needed it to update.
warning: glibc-2.3.5-0.fc3.1.i386.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2
error: Failed dependencies:
shadow-utils < 2:4.0.3-20 conflicts with glibc-2.3.5-0.fc3.1
nscd < 2.3.3-52 conflicts with glibc-2.3.5-0.fc3.1
tzdata >= 2003a is needed by glibc-common-2.3.5-0.fc3.1
libgd.so.2 is needed by glibc-utils-2.3.5-0.fc3.1
libc.so.6(GLIBC_PRIVATE) is needed by (installed) nscd-2.3.2-27.9.7
Any thoughts?
Muzza
05-08-2005, 08:42 PM
I have actually downloaded a different version of the ClamAV rpms and it installed okay.
Just now I get the following error message when I do
# clamd start
LibClamAV Warning: ****************************************************
LibClamAV Warning: *** This version of ClamAV engine is outdated. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: ****************************************************
LibClamAV Error: cli_hex2si(): Malformed hexstring: 49662042203d2033205468656e205365742043203d204e6f726d616c54656d706c617465*42203c3e2031205468656e20442e41646466726f6d737472696e672045 (length: 131)
LibClamAV Error: cli_parse_add(): Problem adding signature.
LibClamAV Error: Problem parsing signature at line 26895
LibClamAV Error: Problem parsing database at line 26895
LibClamAV Error: Malformed database file /tmp/clamav-1cfd79e0498fd0e3/main.db
LibClamAV Warning: ****************************************************
LibClamAV Warning: *** This version of ClamAV engine is outdated. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: ****************************************************
Segmentation fault
but it's the latest version of ClamAV, so I'm not sure what to do now.
Muzza
05-09-2005, 05:18 PM
I think it was due to a previous version of ClamAV installed on my server and the copy of the new ClamAv not installing properly.
I downloaded a copy of the source from
http://easynews.dl.sourceforge.net/sourceforge/clamav/
and also zlib from
http://www.zlib.net/
I created and installed them both without any real issues. A couple of conf issues, but that was to be expected.
tdldp
05-20-2005, 07:00 AM
I've followed all steps as indicated, with latest versions.
I've got:
Fedora Core 3 - Directadmin 1.24.1
- Exim 4.50 da installed (so normally no need of exiscan as integrated in package)
- pico 4.61 installed
- I got clamAV 0.85-1 downloaded.
When I rpm -Uvh clamav-0.85.1-1.i386.rpm I get the following error:
[mymachine tmp]# rpm -Uvh clamav-0.85.1-1.i386.rpm
attention: clamav-0.85.1-1.i386.rpm: signature V3 DSA: NOKEY, key ID 6cdf2cc1
erreur: D
curl est n
libcurl.so.2 est n
Can anyone help me with this problem? I'm a Linux newbie who is willing to learn, but sometimes needs a how-to to understand...
Thanks
Tdldp
Edited: After reading a bit I've found an error. I'd downloaded the Fedora 2 rpm, so I restarted, downloading the Fed 3 rpm and installing.
I then get this message (worse ;) )
[mymachine tmp]# rpm -Uvh clamav-0.85.1-1.i386.rpm
attention: clamav-0.85.1-1.i386.rpm: signature V3 DSA: NOKEY, key ID 6cdf2cc1
erreur: D
curl est n
libcurl.so.3 est n
libidn est n
libidn.so.11 est n
Does anyone have a clue?
Edited: In fact, using bitvise tunnelier there are some error output troubles, so for other newbies like me, prefer using putty, or when error messages are incomplete as above, double check with putty.
Edited: Thanks very much to titam, who helped me a lot with getting ClamAV cleanly installed...
Though I do not pretend to be an expert in how-tos, here is one that worked for my box: FC 3 / Da 1.241
//** are comments : are line feeds
1. //** ssh to box as root.
2. : cd /var/tmp
// put up to date exim to 4.51
3. : yum install db4-devel (if not installed it will skip)
4. : yum install rpm-build (if not installed it will skip)
5. //** install exim 4.51
: wget http://files.directadmin.com/services/da_exim-4.51-1.src.rpm
: rpm -ivh da_exim-4.51-1.src.rpm
: cd /usr/src/redhat/SPECS
: rpmbuild -bb exim.spec
: cd /usr/src/redhat/RPMS/i386
: rpm -Uvh --force da_exim-4.51-1.i386.rpm
6. //** install clamAV 0.85
: wget http://crash.fce.vutbr.cz/crash-hat/3/clamav/clamav-0.85.1-1.i386.rpm
: yum install clamav-0.85.1-1.i386.rpm //** (yes I know this isn't the normal way, but rpm -iv or -Uvh --force never worked on my box)
Answer yes to all questions and ClamAv should be installed, and so with latest exim version..
Hope this helps out as it could have helped me ...
Tdldp
deltaned
07-01-2005, 10:42 AM
I get at:
clamd start
[root@srv2 admin]# clamav start
bash: clamav: command not found
Fedora core 2, Exim 4.50 clean box installed
ClamAV downloaded from: http://crash.fce.vutbr.cz/crash-hat/2/clamav/clamav-0.86.1-1.i386.rpm
Any tips?
interfasys
07-05-2005, 03:43 AM
Are you sure that 1 and 2 were not blocked? 3 is a spam and should just say so. 4-7 should be blocked, but for this to happen, someone needs to write a better mime acl rule.
joelhaasnoot
07-19-2005, 01:49 PM
I found instructions on how to integrate ClamAV into Exim and make it scan on this forum. Those instructions are here:
http://www.directadmin.com/forum/showthread.php?postid=31701#post31701
I succeed, but when I get to the part to modify the exim.conf file, I get the following error when restarting:
Shutting down exim:
Starting exim: 2005-07-19 22:34:37 Exim configuration error in line 563 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
Any ideas?
splitech
07-29-2005, 10:53 PM
[root@savvis clamav-0.86.2]# service exim restart
Shutting down exim: /etc/init.d/exim: line 41: kill: (9486) - No such process
Starting exim: 2005-07-30 01:00:34 Exim configuration error in line 593 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
[root@savvis clamav-0.86.2]#
what could be the problem
albatroz
07-30-2005, 05:06 AM
Open your exim.conf file (at /etc/exim.conf)
with a text editor and look for that line,
the one that contains the "demime" ACL
and comment that line.
Then restart exim...
splitech
07-30-2005, 07:04 PM
When I do that, and remove the demime = *, now I get
[root@savvis etc]# service exim restart
Shutting down exim: /etc/init.d/exim: line 41: kill: (7953) - No such process
Starting exim: 2005-07-30 21:10:47 Exim configuration error in line 591 of /etc/exim.conf:
error in ACL: unknown ACL verb in "malware = *"
for malware = *
and if I remove that,
then all emails with an attachment are scanned and said to be a virus.
There's gotta be a bug someplace.
Icheb
07-31-2005, 04:51 AM
Originally posted by splitech
When I do that, and remove the demime = *, now I get
...
Starting exim: 2005-07-30 21:10:47 Exim configuration error in line 591 of /etc/exim.conf:
error in ACL: unknown ACL verb in "malware = *"
...
for malware = *
...
Sounds like you don't have an exiscan patch or something...
demime is normal, malware shouldn't happen...
splitech
07-31-2005, 08:48 PM
How can I tell if I have exiscan installed??
I just installed da_exim-4.52-1
Icheb
08-01-2005, 02:27 AM
Should be enough...
Anyone else have the same problem ?
I'm still at a bit older version with my servers... Not going to upgrade until I find it to be safe ;)...
rmday
08-05-2005, 11:33 PM
I get this :
Starting exim: 2005-08-06 02:15:55 Exim configuration error in line 565 of /etc/exim.conf: error in ACL: unknown ACL condition/modifier in "demime = *"
Then I commented out
# demime = *
And it is working; exim restarted fine.
What does demime = * do?? Is it needed and will everything work without it??
Redhat 9
exim 4.52
clamav 0.86.2
nobaloney
08-06-2005, 03:51 PM
From a Waikato Linux Users Group Wiki (http://www.wlug.org.nz/EximMailFilter):
Recent exiscans (including the one included with Exim 4.50) have deprecated demime, instead adding an acl_smtp_mime ACL. This is more powerful than the previous demime, but as always, is more complex to get the above features.
While there's a complete workaround listed, I'm not sure this is something we should implement individually.
I've asked John to look at this thread and my post, and give us the benefit of his knowledge. :)
Jeff
rmday
08-06-2005, 04:24 PM
Should I be OK with demime commented out?
Will it not cause users to lose mail or anything weird, and will it still block viruses??
Thanks
Rmday
nobaloney
08-06-2005, 05:17 PM
The only effect I know of from commenting out the line would be that mime attachments may not get scanned.
However I'm not positive.
Jeff
DirectAdmin Support
08-06-2005, 10:13 PM
Hi Guys,
I've honestly never looked at it in any detail, so I won't be of much use.
If it will make your lives easier, I can easily add the demime option to the exim compiles, not a big deal for me. The only issue you may encounter is the day that demime *is* in fact fully deprecated (removed from exim) on a future release. So it's basically now or later.
I've got no problems changing the compiles, so if you'd like it, let me know. If there is a new tool that is replacing demime (I'm guessing acl_smtp_mime), then I think it may be smarter to implement the scanning with the new tool instead, so that you won't need to worry about it becoming deprecated down the line.
This looks like it would be the guide on how to replace demime with what you want:
http://www.exim.org/exim-html-4.50/doc/html/spec_40.html#CHAP40
John
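The "unknown ACL condition/modifier" and "unknown ACL verb" errors reported above come down to whether the installed Exim binary was built with the feature a condition needs. The following is an added example, not code from this thread or from DirectAdmin: it assumes an Exim 4.50 or later binary with integrated content scanning, whose `exim -bV` output carries a "Support for:" line naming Content_Scanning and Old_Demime (the latter enabled by WITH_OLD_DEMIME=yes); the sample -bV text is constructed and the function names are hypothetical.

```python
import re

# ACL conditions and the build feature each one needs, as named on the
# "Support for:" line of `exim -bV` (assumption: Exim 4.50 or later).
NEEDS = {
    "malware": "Content_Scanning",
    "spam": "Content_Scanning",
    "regex": "Content_Scanning",
    "mime_regex": "Content_Scanning",
    "demime": "Old_Demime",
}

# Constructed sample of `exim -bV` output for a build without Old_Demime.
EXIM_BV_SAMPLE = """\
Exim version 4.52 #1 built 01-Aug-2005 00:00:00
Support for: iconv() Perl OpenSSL Content_Scanning
Lookups: lsearch wildlsearch dbm
"""

# The ACL from the how-to at the top of this thread.
ACL_FROM_THREAD = """\
check_message:
  # Virus Check
  deny message = This message contains a virus or other malware ($malware_name)
  demime = *
  malware = *
  accept
"""

ACL_LINE = re.compile(
    r"\s*(?:(?:accept|deny|defer|drop|discard|require|warn)\s+)?!?\s*(\w+)\s*="
)

def build_features(bv_output):
    """Return the set of feature names on the 'Support for:' line."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    return set(m.group(1).split()) if m else set()

def unsupported_conditions(exim_conf, features):
    """Return (line number, condition, missing feature) for each ACL condition
    in exim_conf that the binary was not built to understand."""
    problems = []
    for lineno, line in enumerate(exim_conf.splitlines(), 1):
        m = ACL_LINE.match(line)
        if m and m.group(1) in NEEDS and NEEDS[m.group(1)] not in features:
            problems.append((lineno, m.group(1), NEEDS[m.group(1)]))
    return problems

if __name__ == "__main__":
    feats = build_features(EXIM_BV_SAMPLE)
    for lineno, cond, feature in unsupported_conditions(ACL_FROM_THREAD, feats):
        print(f"line {lineno}: '{cond}' needs {feature}, which this build lacks")
```

Feed it the real output of `exim -bV` and the contents of /etc/exim.conf before restarting Exim, so a missing feature is caught before the daemon refuses to start and mail stops flowing.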
nobaloney
08-07-2005, 05:24 PM
John, I agree with you fully (your last paragraph) and I'm sorry I asked you to get involved, since it's really not required for a basic DA install.
It's going to be my problem for VirusBlocker, and I'm going to follow the instructions in your link.
Jeff
panamaspace
08-07-2005, 05:50 PM
I personally would like the option. Add my vote.
Or a quick how-to would be appreciated, I can rebuild my exim.
I have noticed half the virus test emails I am sending myself get rejected, but the other half come through, I am guessing it has something to do with this.
Thanks!
DirectAdmin Support
08-07-2005, 05:55 PM
http://www.directadmin.com/forum/showthread.php?s=&postid=50202#post50202
John
panamaspace
08-07-2005, 07:15 PM
Excellent, just what I needed.
Thanks!
gejopaul
01-18-2006, 09:18 PM
Starting exim: 2006-01-19 05:10:37 Exim configuration error in line 556 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
my exim version is da_exim-4.50-2
changes made in the server
[root@copy2 root]# diff /etc/group group
12c12
< mail:x:12:mail,clamav
---
> mail:x:12:mail
changes made in exim.conf file
[root@copy2 root]# diff /etc/exim.conf exim.conf_backup
208c208
< av_scanner = clamd:/var/run/clamav/clamd.sock
---
>
554,557d553
< # Virus Check
< deny message = This message contains a virus or other malware ($malware_name)
< demime = *
< malware = *
[root@copy2 root]# /etc/init.d/exim stop
Shutting down exim:
[root@copy2 root]# /etc/init.d/exim start
Starting exim: 2006-01-19 05:10:37 Exim configuration error in line 556 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
cat /var/log/exim/paniclog
2006-01-19 05:10:37 Exim configuration error in line 556 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
2006-01-19 05:11:00 Exim configuration error in line 556 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
2006-01-19 05:11:14 Exim configuration error in line 556 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
2006-01-19 05:11:25 Exim configuration error in line 556 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
2006-01-19 05:12:01 Exim configuration error in line 556 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"
If I upgrade my exim like this, will this problem be solved?
procedure for upgrade exim4 and integrate with ClamAv http://files.directadmin.com/servic...-4.60-1.src.rpm
rpm -ivh da_exim-4.60-1.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bb exim.spec
cd /usr/src/redhat/RPMS/i386
rpm -Uvh --force --nodeps da_exim-4.60-1.i386.rpm
or can I add
WITH_OLD_DEMIME=yes
in Makefile.pl to work it
Posted an update to this thread with revisions for a fresh DA install on CentOS 4.2 here.
http://www.directadmin.com/forum/showthread.php?s=&threadid=12071
Matthew
rldev
03-23-2006, 08:42 AM
How to whitelist a user who does not want virus scanning?
albatroz
04-26-2006, 05:56 AM
I couldn't install with RPMs (due to dependencies) so I decided to download sources and compile.
After the compilation I followed the same steps mentioned above.
It compiled fine and after some reboots,
and editing of config files it is working fine.
I am using CentOS 4
albatroz
04-26-2006, 06:03 AM
btw I have noticed that the previous version of this "how to" had also these instructions.
Why are they no longer required?
We now need to make it so clamav has access to mail files so type:
pico /etc/group
Change:
mail:x:12:mail
to:
mail:x:12:mail,clamav
Ctrl-X and save.