Postfix and Clam AV

It's been a while since we've posted something, and a lot of stuff has piled up. In this day and age of MS Exchange and cloud hosting, there are still instances when you'd like to run your own email server. Postfix being the popular choice, we present here simple steps to enable ClamAV to scan your incoming emails (Ubuntu is used as the example in this case).

First, a short description of the steps that the mail will take:

Incoming mail → 25:postfix → 10026:clamav → 10025:postfix → Delivery to user

Installation steps are as follows:

1) Download and install ClamAV

apt-get install clamsmtp clamav-freshclam

2) Next, edit the /etc/clamsmtpd.conf file and make the following changes:

OutAddress: 10026
Listen: 0.0.0.0:10025

Make sure you change the ports above, because originally they are flipped. If you don't, you'll get the following error:

postfix/master[13836]: fatal: bind 127.0.0.1 port 10026: Address already in use

3) Edit /etc/postfix/main.cf to add the following:

content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings

4) Edit /etc/postfix/master.cf and add the following:

# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

5) Restart postfix, clamav-daemon and clamsmtp
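
As an added example (not part of the original tutorial), this Python script checks that the ports from steps 2 to 4 line up: the content_filter target must match the clamsmtpd Listen port, and OutAddress must match the Postfix re-injection listener in master.cf. The function names and the embedded sample configuration are constructed for illustration; the script also flags a Listen address that is not loopback-only, since 0.0.0.0 accepts connections on every interface.

```python
import re

# Constructed sample inputs that mirror steps 2-4 of the tutorial.
CLAMSMTPD_CONF = "OutAddress: 10026\nListen: 0.0.0.0:10025\n"
MAIN_CF = "content_filter = scan:127.0.0.1:10025\n"
MASTER_CF = (
    "scan      unix  -       -       n       -       16      smtp\n"
    "        -o smtp_send_xforward_command=yes\n"
    "127.0.0.1:10026 inet  n -       n       -       16      smtpd\n"
    "        -o content_filter=\n"
)

def split_endpoint(value):
    """Split 'port', 'host:port' or 'transport:host:port' into (host, port)."""
    parts = value.strip().split(":")
    host = parts[-2] if len(parts) > 1 else ""
    return host, int(parts[-1])

def check_wiring(clamsmtpd_conf, main_cf, master_cf):
    """Return a list of findings; empty means the filter loop is consistent."""
    clam = dict(re.findall(r"^(\w+):[ \t]*(\S+)", clamsmtpd_conf, re.M))
    main = dict(re.findall(r"^(\w+)[ \t]*=[ \t]*(\S+)", main_cf, re.M))
    # Numeric inet listeners in master.cf (service lines start in column 0).
    postfix_ports = {int(p) for p in
                     re.findall(r"^(?:\S+:)?(\d+)[ \t]+inet[ \t]", master_cf, re.M)}
    findings = []
    for key, conf in (("Listen", clam), ("OutAddress", clam), ("content_filter", main)):
        if key not in conf:
            findings.append(f"{key} is not set")
    if findings:
        return findings
    listen_host, listen_port = split_endpoint(clam["Listen"])
    _, out_port = split_endpoint(clam["OutAddress"])
    _, filter_port = split_endpoint(main["content_filter"])
    if filter_port != listen_port:
        findings.append(f"content_filter targets {filter_port}, clamsmtpd listens on {listen_port}")
    if out_port not in postfix_ports:
        findings.append(f"no master.cf inet listener on OutAddress port {out_port}")
    if listen_port in postfix_ports:
        # This is the collision behind the 'Address already in use' error.
        findings.append(f"port {listen_port} is claimed by both clamsmtpd and Postfix")
    if listen_host not in ("127.0.0.1", "localhost"):
        findings.append(f"clamsmtpd Listen host {listen_host or '*'} is not loopback-only")
    return findings

if __name__ == "__main__":
    for finding in check_wiring(CLAMSMTPD_CONF, MAIN_CF, MASTER_CF):
        print("WARN:", finding)
```
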

 

Comments (6)
Postfix Clamsmtp smtp_bind_address
6 Thursday, 21 September 2017 19:44
Kim Keown
Apologies for the many posts, I am sincerely trying to share settings that worked for me and may help others.

Looking through another installation, it seems the clam /var/run directories are not symlinks to /run and I must have previously updated my configuration to use /run/ directories. As long as the paths match accordingly with correct ownership and permissions, they will work. However, I have updated the comment below to use only the default settings. Moderators, kindly remove the previous Postfix Clamsmtp smtp_bind_address posts and use the comment below, again I apologize.

In order to send emails through Postfix outside of localhost, my configuration required setting the Postfix smtp_bind_address to the server's private IP. The setting was required for both Ubuntu 17.04 and CentOS 7 servers.

Clamsmtp Postfix settings likewise had to be set to the smtp_bind_address, as 127.0.0.1 created 'transport unavailable' errors.

The comments by Jeff Roberson were applicable as well.
Ubuntu settings as follows:

clamsmtp.conf was set with clamav as the user; and owner permissions were changed from clamsmtp to clamav for the following directories/files:
ClamAddress: /var/run/clamav/clamd.ctl
TempDirectory: /var/spool/clamsmtp
PidFile: /var/run/clamsmtp/clamsmtpd.pid
(I read elsewhere that ownership permissions could also be resolved by adding user clamsmtp to the clamav group.)

Local Socket files had to match:
clamsmtp.conf - ClamAddress: /var/run/clamav/clamd.ctl
clamd.conf - LocalSocket /var/run/clamav/clamd.ctl

/etc/clamsmtp.conf
OutAddress: 10026
Listen: 0.0.0.0:10025
ClamAddress: /var/run/clamav/clamd.ctl
TempDirectory: /var/spool/clamsmtp
PidFile: /var/run/clamsmtp/clamsmtpd.pid
User: clamav

/etc/clamav/clamd.conf:
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
User clamav

Postfix
main.cf:
(Network Setting with server's private IP)
smtp_bind_address=xxx.xxx.x.xx

(clamsmtp Settings with server's private IP)
content_filter = scan:xxx.xxx.x.xx:10025
receive_override_options = no_address_mappings

master.cf:
(clamsmtp Settings with server's private IP)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
xxx.xxx.x.xx:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Start or Restart postfix, clamav-daemon (clamd), clamsmtp as root:
systemctl restart postfix clamav-daemon clamsmtp

Check status, all should be Active:
systemctl status postfix clamav-daemon clamsmtp
Postfix Clamsmtp smtp_bind_address
5 Thursday, 21 September 2017 19:03
Kim Keown
I should have included my full name in the original comment(s). Moderators kindly update...
FYI, the comment preview does not appear to work.
Thank you for the helpful tutorial!
Kim Keown
Postfix Clamsmtp smtp_bind_address - Correction
4 Thursday, 21 September 2017 18:54
Kim
Typo, moderators kindly update the original comment:

Local Socket files had to match:
clamsmtp.conf - ClamAddress: /var/run/clamav/clamd.ctl
clamd.conf - LocalSocket /run/clamav/clamd.ctl

/var/run/clamav/clamd.ctl is a symlink;
can omit symlink and chmod ownership to clamav:
clamsmtp.conf - ClamAddress: /run/clamav/clamd.ctl
clamd.conf - LocalSocket /run/clamav/clamd.ctl

or use the default symlinks:
clamsmtp.conf - ClamAddress: /var/run/clamav/clamd.ctl
clamd.conf - LocalSocket /var/run/clamav/clamd.ctl

clamsmtp.conf
ClamAddress: /var/run/clamav/clamd.ctl
Is a symlink. Can use the default or /run/clamav/clamd.ctl
Postfix and clamsmtp smtp_bind_address
3 Thursday, 21 September 2017 18:46
Kim
In order to send emails through Postfix outside of localhost, I had to set the Postfix smtp_bind_address to the server's private IP. The setting was required for both an Ubuntu 17.04 and CentOS 7 server.

Clamsmtp Postfix settings likewise had to be set to the smtp_bind_address, as 127.0.0.1 created 'transport unavailable' errors.

The comments by Jeff Roberson were applicable as well.
Ubuntu settings as follows:

clamsmtp.conf was set with clamav as the user; and owner permissions were changed from clamsmtp to clamav for the following directories/files:
ClamAddress: /var/run/clamav/clamd.ctl
TempDirectory: /var/spool/clamsmtp
PidFile: /var/run/clamsmtp/clamsmtpd.pid
(I read elsewhere that ownership permissions could also be resolved by adding user clamsmtp to the clamav group.)

Local Socket files had to match:
clamsmtp.conf - ClamAddress: /var/run/clamav/clamd.ctl
clamd.conf - LocalSocket /run/clamav/clamd.ctl

/etc/clamsmtp.conf
OutAddress: 10026
Listen: 0.0.0.0:10025
ClamAddress: /var/run/clamav/clamd.ctl
TempDirectory: /var/spool/clamsmtp
PidFile: /var/run/clamsmtp/clamsmtpd.pid
(symlink in Ubuntu, PidFile could be changed to /run/clamsmtp/clamsmtpd.pid)
User: clamav

/etc/clamav/clamd.conf:
LocalSocket /var/run/clamav/clamd.ctl
(symlink in Ubuntu, LocalSocket could be changed to /run/clamsmtp/clamsmtpd.pid)
FixStaleSocket true
LocalSocketGroup clamav
User clamav

Postfix
main.cf:
(Network Setting with server's private IP)
smtp_bind_address=xxx.xxx.x.xx

(clamsmtp Settings with server's private IP)
content_filter = scan:xxx.xxx.x.xx:10025
receive_override_options = no_address_mappings

master.cf:
(clamsmtp Settings with server's private IP)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
xxx.xxx.x.xx:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Start or Restart postfix, clamav-daemon (clamd), clamsmtp as root:
systemctl restart postfix clamav-daemon clamsmtp

Check status, all should be Active:
systemctl status postfix clamav-daemon clamsmtp
It's scanning incoming and outgoing??
2 Thursday, 29 June 2017 00:02
Mike Edwards
This is working great for me, but it is scanning both incoming and outgoing. If a customer with a huge mailing list sends out a few thousand messages, it really slows down the queue scanning all those thousands of messages.

Is there a way to make it NOT scan outbound?
Segfaults in Clamsmtpd
1 Tuesday, 24 February 2015 17:20
Jeff Roberson
I was having trouble with segfaults in clamsmtpd. What I discovered is that clamd was running under clamav and clamsmtpd was running under a different user. Make sure that they are both running under the same account. In addition, the ctl file is critical, make sure that it matches in both clamd and clamsmtp's configuration.