Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have recently installed amavisd-new on an email server (Debian / Postfix) and now I am to the point of installing and configuring the av filter which I selected clamav. I installed this on my machine and read the documentation however I don't see how I am to have amavisd-new and clamav holding hands. I have to uid/gid for both applications:
Code:
email:/# id amavis
uid=103(amavis) gid=107(amavis) groups=107(amavis)
email:/# id clamav
uid=104(clamav) gid=108(clamav) groups=108(clamav)
Both daemons are running however I don't know how to integrate the newly installed Clamav scanner with Postfix / Amavisd-new.
I tried the clamav mailing list & had not had any luck as of yet. Posting here because I always get great help here!
Mr. C, again you come to my rescue! Thanks for that link. It was easy to follow however the first step is not matching up.
Quote:
One requirement for a successful installation is 'AllowSupplementaryGroups yes' must be included in clamd.conf.
In my systems clamd.conf, I have what looks to be similar but has "true" and the end and is not commented out. Does this mean I am good?
Code:
AllowSupplementaryGroups true
Quote:
Another requirement is the value after CONTSCAN in amavisd.conf must match the LocalSocket parameter in clamd.conf (change amavisd.conf if it does not)
Since I am using Debian and their version of amavisd-new is split into many files. I checked /etc/amavis/conf.d/50-user and I have nothing in my config which specifies "CONTSCAN" in either Clam or Amavis so I don't know what is required here.
This is the configuration that specifies how to call clamd. The value in bold should match your clamd.conf socket setting. Check all the debian files. In the default amavisd.conf file, there are numerous entries for various scanners.
# Initialize supplementary group access (clamd must be started by root).
# Default: disabled
AllowSupplementaryGroups True
clamd.conf
Quote:
# Path to a local socket file the daemon will listen on.
# Default: disabled
#LocalSocket /tmp/clamd
LocalSocket /var/run/clamav/clamd.socket
amavisd.conf (mine's in 1 bit)
Quote:
# ### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.socket"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# # uid such as clamav, add user clamav to the amavis group, and then add
# # AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
The group that your amavisd-new user belongs to must also have write privileges to the amavisd-new user's home directory and subdirectories. This step should have been done during the installation of amavisd-new, and would consist of doing something similar to chmod -R 750 /var/amavis or chmod -R 750 /var/lib/amavis (adjust path as needed)
Now with a fresh amavis installation on my Debian system the permissions are as follows:
Code:
email:/var/lib# ls -l
total 64
drwxr-xr-x 6 amavis amavis 4096 2008-08-04 18:18 amavis
I don't understand why they use "chmod -R 750" to the amavis directory if the group amavis needs to be able to write to /var/lib/amavis/. 750 gives group R+X only, no?
As it stands now, I have the following config files for Clamav and Amavisd-New.
amavis config.
Code:
$sa_tag_level_deflt = -5; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 10000; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$forward_method = 'smtp:[127.0.0.1]:10025';
$notify_method = $forward_method;
$virus_admin = 'formorer@formorer.de'; # due to D_DISCARD default
#inform recipients about a blocked mail
$warnbannedrecip = 1;
$warnvirusrecip = 1;
$final_banned_destiny = D_PASS;
$log_level = 2; # (defaults to 0), -d
$DO_SYSLOG = 1; # log via syslogd (preferred)
# ### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# # uid such as clamav, add user clamav to the amavis group, and then add
# # AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
