DirectAdmin Forums

#1 | 07-07-2004, 08:20 AM | hci
Exiscan + ClamAV

This is a very basic how-to on adding support for ClamAV to your DirectAdmin server. It simply rejects all messages containing viruses. Please do not try this on a production box unless you are sure you know what you are doing, and do it at your own risk. Your DirectAdmin box must be running the Exiscan patch. I am running on Fedora 2, so if you are not it could go differently.

This is based on info from here:

http://www.timj.co.uk/linux/exim.php

First install or make sure you have Exiscan installed. See below.

http://www.directadmin.com/forum/sho...hlight=exiscan

SSH into your box as root.

cd /var/tmp

It is very handy to have Pico so if you don't have it and want it:

www.rpmfind.net or:
wget ftp://194.199.20.114/linux/SuSE-Linu...58-24.i586.rpm

rpm -Uvh pico-4.58-24.i586.rpm

Now we must download and install ClamAV.

www.clamav.net or:
wget http://crash.fce.vutbr.cz/crash-hat/....74-1.i386.rpm

rpm -Uvh clamav-0.74-1.i386.rpm

Now add a cronjob to keep ClamAV up to date.

export EDITOR=pico

crontab -e

Add an entry to your crontab as follows:

53 * * * * /usr/bin/freshclam --quiet

Change 53 to a random number between 1-60 to be considerate to server load.

Alt-X to save and exit.

Next type:

clamd start
chkconfig clamd on
freshclam

This should start clamd and bring your virus signatures up to date.

Now we need to edit exim.conf. The -w turns off wordwrap in pico.

pico -w /etc/exim.conf

At the end of comments section add this:

av_scanner = clamd:127.0.0.1 3310

Type in Ctrl-W and search for the second instance of check_message

Change:

# ACL that is used after the DATA command
check_message:
  accept

To this:

# ACL that is used after the DATA command
check_message:
  # Virus Check
  deny message = This message contains a virus or other malware ($malware_name)
       demime = *
       malware = *
  accept

Do a Ctrl-X and save.

We now need to make it so clamav has access to mail files so type:

pico /etc/group

Change:

mail:x:12:mail

to:

mail:x:12:mail,clamav

Ctrl-X and save.

Now restart Exim

/etc/init.d/exim restart

Does it work? It should refuse all virus-infected messages. Test it extensively before trusting it. Also, occasionally the ClamAV software may need to be updated, so log in and do a freshclam once in a while to see that all is OK. Unlike MailScanner, this rejects infected messages before accepting them. This could result in some weird issues. If you cannot get this to work, please post here so someone may help you. Perhaps DirectAdmin could add support for ClamAV right out of the box in the future.

Matthew

Last edited by hci; 01-20-2005 at 07:59 AM.

#2 | 07-08-2004, 02:21 PM | interfasys
Worked for me. From my log:
"rejected after DATA: This message contains a virus or other malware (ClamAV-Test-Signature)"

#3 | 07-14-2004, 07:25 AM | torp
I got the following dependency problem when attempting to install the RPM (clamav):

Quote:
warning: clamav-0.74-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
error: Failed dependencies:
libc.so.6(GLIBC_2.3.4) is needed by clamav-0.74-1
How do I get this? Anything I'm doing wrong?

I also tried to install the GNU MP 3 to verify signatures, but got the following error:

Quote:
checking for suitable m4... configure: error: No usable m4 in $PATH or /usr/5bin
Running RH9

Any help/suggestions appreciated!

#4 | 07-14-2004, 07:39 AM | hci
Quote:
error: Failed dependencies:
libc.so.6(GLIBC_2.3.4) is needed by clamav-0.74-1
Go to rpmfind.net and do a search for "GLIBC" and try installing the version for Redhat 9.

ftp://194.199.20.114/linux/redhat/up...7.9.7.i386.rpm

If that doesn't work, try installing ClamAV from source maybe. I would not worry about the signatures thing, but that's just me.

Matthew

#5 | 07-19-2004, 05:02 AM | torp
I managed to install ClamAV from source.

However, when I type chkconfig clamd on, I get the following error:

Quote:
error reading information on service clamd: No such file or directory
I continue with the setup and edit clamav.conf to enable the following:
Quote:
Uncomment "LogSyslog"
Uncomment "StreamSaveToDisk"
Uncomment "MaxThreads" and change value to "30"
Uncomment "User" and change value to "clamav"
Uncomment "Foreground"
Uncomment "ScanMail"
I then change all the values in exim.conf. I'm using jlsman's spamblocked exim.conf file.

When restarting exim I get the following error:
Quote:
Exim configuration error in line 203:
main option "av_scanner" unknown
Anyone know what this could be?

#6 | 07-21-2004, 04:32 AM | magaf
hm , problem

[root@host root]# /etc/init.d/exim restart
Shutting down exim: /etc/init.d/exim: line 37: kill: (11573) - No such process

Starting exim: 2004-07-21 19:29:15 Exim configuration error in line 679 of /etc/exim.conf:
unknown retry error name "="
[FAILED]
There is something wrong with this line at the end of /etc/exim.conf:
av_scanner = clamd:127.0.0.1 3310

Any clues?

#7 | 07-21-2004, 02:52 PM | skruf
Hey,

Perhaps something got munged when you edited the exim.conf file...

Quote:
Starting exim: 2004-07-21 19:29:15 Exim configuration error in line 679 of /etc/exim.conf:
unknown retry error name "="
[FAILED]
Take a look at line 679 and see what it says.

My guess is that the line you added is at the bottom of the exim.conf in the Retry Configuration and that is what's causing problems.

Quote:
av_scanner = clamd:127.0.0.1 3310
David

#8 | 07-22-2004, 01:29 AM | torp
Anyone know how I can get service clamd to be recognised on the server?

Right now neither chkconfig nor exim.conf is able to load clamd, and I haven't been able to sort out the problem.

Thanks!

#9 | 07-22-2004, 02:01 AM | magaf
re: hm, problem

I have moved this line up in the config and got:

Starting exim: 2004-07-22 10:55:16 Exim configuration error in line 658 of /etc/exim.conf:
option "av_scanner" unknown

It seems like option av_scanner is not recognizable in my exim.
I dunno why.
Installed packages:
da_exim-4.32-1, clamav-0.72-1

#10 | 07-22-2004, 03:07 AM | magaf
solved

OK, solved. My mistake. This line was put in the wrong section of exim.conf.

Thanks!

#11 | 07-27-2004, 01:02 AM | torp
Which section did you put it in?

I have it at the very top, and it's not working.

#12 | 07-27-2004, 08:22 PM | hkimac
Me too. I left it at the end of the comment bit, and it gave me the error "main option av_scanner unknown".

Thanks.

#13 | 07-28-2004, 07:25 AM | skruf
Hey,

Appears that in the latest DA Exim config file this part was missing/left out:

##################################################
# MAIN CONFIGURATION SETTINGS #
##################################################

Which is normally above this part:

# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name.


Right in that area is where you should be able to add the av_scanner line.

David
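
An added example, not part of any post in this thread and not DirectAdmin's own tooling: a pre-restart check for the two exim.conf edits from the how-to. It flags an av_scanner line that sits outside the main section (the "unknown retry error name" failure in post #6) and a check_message ACL without a malware condition. The function names are made up for illustration, and it assumes a single exim.conf with no .include files or backslash-continued lines; it cannot tell whether Exim was built with Exiscan.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not from the thread.
# Exim's main section is everything before the first "begin <name>" line.

# Print the section that holds each av_scanner line, e.g. "main" or "retry".
av_scanner_sections() {
    awk '
        BEGIN { section = "main" }
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*begin[ \t]+/ { section = $2; next }  # new section starts
        /^[ \t]*av_scanner[ \t]*=/ { print section }
    ' "$1"
}

# Succeed only if the check_message ACL itself has a "malware =" condition.
acl_scans_malware() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*begin[ \t]+/ { in_acl = ($2 == "acl"); in_label = 0; next }
        in_acl && /^[A-Za-z_][A-Za-z0-9_]*:[ \t]*$/ {  # an ACL label line
            in_label = ($0 ~ /^check_message:/); next
        }
        in_label && /(^|[ \t])malware[ \t]*=/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Combined verdict: prints "ok" or the reason the config will not scan mail.
check_exim_conf() {
    sections=$(av_scanner_sections "$1" | sort -u | xargs)
    case "$sections" in
        main) ;;
        "")   echo "av_scanner missing"; return 1 ;;
        *)    echo "av_scanner in wrong section: $sections"; return 1 ;;
    esac
    acl_scans_malware "$1" || {
        echo "check_message has no malware condition"; return 1
    }
    echo "ok"
}

# Run against a file when one is given: sh check.sh /etc/exim.conf
if [ "$#" -gt 0 ]; then check_exim_conf "$1"; fi
```
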

#14 | 09-16-2004, 03:08 PM | mo.mentum
So... does this setup work on top of SpamAssassin/spamd?

I have it running with exim 4.24 I believe

#15 | 09-16-2004, 03:36 PM | hci
I am using SpamAssassin with this on my box. SpamAssassin was in use before I added the anti-virus actually.

http://www.directadmin.com/forum/sho...t=spamassassin

Matthew

#16 | 10-11-2004, 09:11 PM | Muzza
I'm having similar issues with adding the line

av_scanner = clamd:127.0.0.1 3310

to the exim.conf

comes back with

option "av_scanner" unknown at the line where av-scanner is in the .conf file.

I have tried putting it in several places, including the area suggested by skruf.

installed packages :
da_exim-4.32-1 , clamav-0.72-1

thanks in advance,

#17 | 10-11-2004, 11:48 PM | hci
Sounds like you have just Exim installed and not Exiscan.

http://www.directadmin.com/forum/sho...hlight=exiscan

Check that you have Exiscan installed.

Matthew

#18 | 10-12-2004, 12:10 AM | sander815
Can someone translate this to Red Hat servers?

#19 | 10-12-2004, 12:40 AM | fusionictnl
It's pretty much the same. Except that /etc/init.d in redhat is something /etc/rc.d/init.d

#20 | 10-12-2004, 03:23 AM | sander815
I need it enabled on a production machine, so I don't want to guess.

All times are GMT -7.