System-wide virus and spam scanning on Debian GNU/Linux.

Install at least these packages:

  • clamav
  • clamav-base
  • clamav-daemon
  • clamav-docs
  • clamav-freshclam
  • libclamav1
  • procmail
  • razor
  • spamassassin
  • spamc

First set up the spamd daemon process to run automatically. Edit the /etc/default/spamassassin file and change the ENABLED variable to 1. Also if you’re running SpamAssassin 3.x, add the “--round-robin” parameter to the OPTIONS variable to fix the broken preforking. Edit the system-wide SpamAssassin configuration (/etc/spamassassin/local.cf) and make whatever changes you want. Personally I’ve disabled the Bayes and Auto-whitelist systems for now but your mileage will vary. Now do a “/etc/init.d/spamassassin restart” to get it started.

ClamAV’s daemon should automatically be up and running if you used the right package, and the freshclam addon will keep the virus definitions up to date.

Make sure that procmail will execute for every user. By default Exim 3 will only run procmail if the user has a “.procmailrc” file in their home directory. Disable this test by commenting out the following line in the exim.conf file:


require_files = ${local_part}:+${home}:+${home}/.procmailrc:+/usr/bin/procmail

If you’re less lazy you can just comment out the procmailrc component. Now edit /etc/procmailrc and make it look like this:

# Drop privileges
DROPPRIVS=yes
MAILDIR=${HOME}

# Scan using the ClamAV daemon. If a virus is found append a special header.
:0
{
        CS_OUT=`clamdscan --mbox --no-summary --stdout -`
        CS_EXIT = $?

        :0 D
        * CS_OUT ?? : \/.* FOUND$
        * MATCH  ?? ^^\/.* ()
        * MATCH  ?? ^^\/.*[^ ]
        {
                :0 fw h
                | formail -I "X-Clamscan: Infected with $MATCH"
        }
}

# This shoves all virus infected e-mails to a shared file.  Make this file
# writeable by the mail users and readable only by root (just a precaution)
# will check if this file is above 0 (and if so e-mail root)
:0:
* ^X-Clamscan: Infected with.*
/var/spool/av/Infected

:0fw: spamassassin.lock
* < 2560000
| spamc

:0:
* ^X-Spam-Level: \*\*\*\*\*
${MAILDIR}/Junk

That file should be fairly straight-forward. In the last rule you can change the threshold for SpamAssassin’s score. I’ve never had a false positive yet with 5 (but again, that’s my experience). Now finally restart exim with a “/etc/init.d/exim restart” and you should be good to go. One thing I recommend is adding a LOGFILE option to the procmailrc file - the only caveat being that the file will have to be writeable by all of your mail users. You can log to the file by putting “LOGFILE=/tmp/procmail.log” as the first line of the file.
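
The virus recipe above only reacts to a " FOUND" line in the scanner output, so a message is delivered untagged when clamdscan fails (for example because clamd is not running). The following is an added example, not part of the original post: the same classification written as a shell filter that also tags scanner errors and discards any X-Clamscan header supplied by the sender. SCAN_CMD and the "Clean" and "Scan-Error" header values are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). SCAN_CMD is a hypothetical
# override so the logic can be exercised without a running clamd.
SCAN_CMD=${SCAN_CMD:-"clamdscan --no-summary --stdout -"}

# Scan the message on stdin and print the header line to add.
# clamdscan exit codes: 0 = clean, 1 = virus found, 2 = error.
scan_header() {
    rc=0
    out=$($SCAN_CMD 2>&1) || rc=$?
    case $rc in
        0)  echo "X-Clamscan: Clean" ;;                  # assumed wording
        1)  # "stream: <signature> FOUND" -> keep only the signature name
            sig=$(printf '%s\n' "$out" | sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1)
            # Allow-list characters so scanner output cannot inject header lines
            sig=$(printf '%s' "$sig" | tr -cd 'A-Za-z0-9._-')
            echo "X-Clamscan: Infected with ${sig:-unknown}" ;;
        *)  echo "X-Clamscan: Scan-Error (exit $rc)" ;;  # assumed wording
    esac
}

# Filter: message in on stdin, tagged message out on stdout.
tag_message() {
    msg=$(mktemp) || return 1
    cat > "$msg"
    hdr=$(scan_header < "$msg")
    # Drop any X-Clamscan header the sender supplied (and its continuation
    # lines), then append ours to the header block, as "formail -I" does
    # in the recipe.
    awk -v h="$hdr" '
        !body && /^$/                         { print h; body = 1 }
        !body && tolower($0) ~ /^x-clamscan:/ { skip = 1; next }
        !body && skip && /^[ \t]/             { next }
                                              { skip = 0; print }
        END                                   { if (!body) print h }
    ' "$msg"
    rm -f "$msg"
}
```

With a filter like this, a procmail rule can match "^X-Clamscan: Scan-Error" and hold those messages instead of delivering them unscanned.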

Also if your users use IMAP to check their mail, make sure to add the Junk folder to their “.mailboxlist” file (assuming that you’re using uw-imap).

P.S.: Exim 3 is old and dead, I know, and I’ll eventually upgrade to 4 and add any notes here.

1 Comment »

  1. David said,

    January 20, 2006 @ 10:10 pm

    Thanks. This page helped me a lot. I’m now using:

    # Scan using the ClamAV daemon. If a virus is found append a special header.
    # Run on all messages that are multipart
    :0
    * multipart
    {
    CS_OUT=`/usr/bin/clamscan --no-summary --stdout -`
    CS_EXIT = $?

    :0 D
    * CS_OUT ?? : \/.* FOUND$
    * MATCH ?? ^^\/.* ()
    * MATCH ?? ^^\/.*[^ ]
    {
    :0 fwh
    | formail -I "X-Virus-Status: Infected with $MATCH."
    }

    :0 E
    {
    :0 fwh
    | formail -I "X-Virus-Status: no virus detected."
    }
    }

    based on your web page. Do you want to send this stuff on to procmail and/or clamav? If not I’ll do it in a few weeks.
