This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

CONTOS 7 - MailScanner - Postfix - Clam Antivirus
#1
CONTOS 7 - MailScanner - Postfix - Clam Antivirus
Install MailScanner:


Quote:wget https://s3.amazonaws.com/msv5/release/Ma...hel.tar.gz
tar zxvf MailScanner-5.0.3-7.rhel.tar.gz
cd MailScanner-5.0.3-7/ 
sh install.sh


In the Postfix configuration file /etc/postfix/main.cf add this line at the end of file

Quote:header_checks = regexp:/etc/postfix/header_checks


In the file /etc/postfix/header_checks add this line



Quote:/^Received:/ HOLD

This will tell Postfix to move all messages to the HOLD queue



Configure MailScanner and Postfix
Edit /etc/MailScanner/MailScanner.conf and make the following adjustments


Quote:Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Make sure user postfix has write permissions to MailScanner folder

Quote:cd /var/spool
chown -R postfix.postfix MailScanner
Start MailScanner


Quote:/etc/init.d/MailScanner restart

Note:

In some cases you need to do the following to get mailscanner to work

Quote:mkdir /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/spamassassin

We should now have working MailScanner gateway

P.S. if you already have installed SpamAssassin ,DISABLE SpamAssassin

ClamAV

To get ClamAV on CentOS installed, we have to use the EPEL repository (Extra Packages for Enterprise Linux). Fortunately, the Fedora project provides this with an easy installation. Unfortunately the default configuration is not properly working. In this post we collect some of the issues and required changes.

Let’s start with installing the EPEL support.

Quote:yum install epel-release

Next step is installing all ClamAV components.

Quote:yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Configure SELinux for ClamAV

If you are using ClamAV on CentOS, together with SELinux, we should configure it a little bit. This way ClamAV can access all files on disk, and update its data definition files.

Enable antivirus_can_scan_system:

Quote:setsebool -P antivirus_can_scan_system 1

If you don’t perform this step, Freshclam will log something like:

During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied

Configuration of Clam daemon

Copy a the clamd.conf template, in case you don’t have a configuration file yet.

Quote:cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf
sed -i "/^Example/d" /etc/clamd.d/clamd.conf

Change /etc/clamd.d/clamd.conf file and define if you want to run the scanner as root, or a specific user. Check your /etc/passwd file for the related Clam user.

Change the following two options:

Quote:User clamscan
LocalSocket /var/run/clamd.<SERVICE>/clamd.sock

Enable Freshclam

Freshclam helps with keeping the database of ClamAV up-to-date. First delete the related “Example” line from /etc/freshclam.conf.

Quote:cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i "/^Example/d" /etc/freshclam.conf

Check the other options in the file, and change it to your preferred settings.

Missing systemd service file

We didn’t get a systemd service file, so creating a quick file here. The process should be forking itself and start freshclam in daemon mode. In this case we configure it to check 4 times a day for new files.

Create a new file /usr/lib/systemd/system/clam-freshclam.service

Quote:# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

Now enable and start the service.

Quote:systemctl enable clam-freshclam.service
 
systemctl start clam-freshclam.service

Check the status.

[root@centos7 system]# systemctl status clam-freshclam.service
clam-freshclam.service - freshclam scanner
Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; enabled)
Active: active (running) since Thu 2015-06-11 11:09:24 CEST; 1s ago
Process: 3158 ExecStart=/usr/bin/freshclam -d -c 4 (code=exited, status=0/SUCCESS)
Main PID: 3159 (freshclam)
CGroup: /system.slice/clam-freshclam.service
└─3159 /usr/bin/freshclam -d -c 4


Change service files

By default, the service files seem to be messy and not working.

These are the files bundled:

[root@centos7 system]# ls -l /usr/lib/systemd/system/clam*
-rw-r--r--. 1 root root 136 Apr 29 20:38 /usr/lib/systemd/system/clamd@scan.service
-rw-r--r--. 1 root root 231 Apr 29 20:38 /usr/lib/systemd/system/clamd@.service


When enabling the clamd service, we would see something like this:

[root@centos7 system]# systemctl enable /usr/lib/systemd/system/clamd@.service
Failed to issue method call: Unit /usr/lib/systemd/system/clamd@.service does not exist.


So let’s fix it. First rename the /usr/lib/systemd/system/clamd@.service file.

Rename the clamd@ file.

Quote:mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service

Now we have to change the clamd@scan service as well, as it refers to a non-existing file now. Change this line in /usr/lib/systemd/system/clamd@scan.service and remove the @ sign.

Quote:.include /lib/systemd/system/clamd@.service

Next step is changing the clamd service file /usr/lib/systemd/system/clamd.service

Quote:[Unit]
Description = clamd scanner daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/clamd.conf
Restart = on-failure
PrivateTmp = true


[Install]
WantedBy=multi-user.target

Move into the directory.

Quote:cd /usr/lib/systemd/system

Start all services.

Quote:[root@centos7 system]# systemctl enable clamd.service
[root@centos7 system]# systemctl enable clamd@scan.service
[root@centos7 system]# systemctl start clamd.service
[root@centos7 system]# systemctl start clamd@scan.service

Checking the status
With all these changes, ClamAV on CentOS 7 should be running now. The easiest way to check, is using the ps command and see if freshclam and clamd are running.

FOR Email Security Check USE http://www.emailsecuritycheck.net/

NOW YOU HAVE A ANTIVIRUS THAT WILL VERIFY ALL EMAILS SEND OR RECIVED.
Reply
Thanks given by:


Messages In This Thread
CONTOS 7 - MailScanner - Postfix - Clam Antivirus - by ecomeda - 01-08-2017, 10:30 PM

Possibly Related Threads…
Thread Author Replies Views Last Post
Ubuntu: How to setup TLS on postfix and dovecot Diablo925 28 116 ,288 02-15-2018, 08:46 PM
Last Post: duane
Centos 7 | Postfix + Postgrey and other SPAM evasive actions paknet 4 25 ,614 10-11-2017, 09:45 AM
Last Post: wormsunited
Postfix + Dovecot + sieve (vacation) not working for email aliases - FIX paknet 0 8 ,094 08-17-2016, 08:07 PM
Last Post: paknet

Forum Jump:


Users browsing this thread: 1 Guest(s)