Enable ClamAV for Postfix on Plesk Obsidian on CentOS 8

Estimated reading time: 2 min

Introduction

In this article, we will describe how you can configure ClamAV to scan incoming and outgoing mail for viruses in Plesk on CentOS 8. ClamAV is an open-source anti-virus used in situations like email scanning, web scanning, and endpoint security. These articles will help you with installing and configuring ClamAV on your servers.

Prerequisites

Step 1: Log in using SSH

You must be logged in via SSH as sudo or root user. Please read this article for instructions if you don’t know how to connect.

Step 2: Install EPEL repo

ClamAV is installed from EPEL repo.

dnf --enablerepo=extras install epel-release

Step 3: Install ClamAV and utilities

yum -y install clamav clamd clamav-update clamav-milter

Step 4: Adjust SELinux

setsebool -P antivirus_can_scan_system 1

Step 5: Get the antivirus signatures

freshclam

Step 6: Enable freshclam to update virus definitions automatically

systemctl enable clamav-freshclam
systemctl start clamav-freshclam

Step 7: Configure clamd

Clamd is used to actually scan for viruses. In our example, clamd is called by ClamAV-milter.

sed -i "s|^#LogFacility LOG_MAIL|LogFacility LOG_MAIL|g" /etc/clamd.d/scan.conf
sed -i "s|^#LocalSocket\s.*|LocalSocket /run/clamd.scan/clamd.sock |g" /etc/clamd.d/scan.conf
sed -i "s|^#ScanArchive yes|ScanArchive yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertEncrypted yes|AlertEncrypted yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertEncryptedArchive yes|AlertEncryptedArchive yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertEncryptedDoc yes|AlertEncryptedDoc yes|g" /etc/clamd.d/scan.conf
sed -i "s|^#AlertBrokenExecutables yes|AlertBrokenExecutables yes|g" /etc/clamd.d/scan.conf

Step 8: Enable clamd

systemctl enable [email protected]
systemctl start [email protected]

Step 9: Configure ClamAV-milter

We make changes to ClamAV-milter and instruct ClamAV-milter how to connect to clamd. We also configure that viruses should be rejected.

sed -i "s|^Example|#Example|g" /etc/mail/clamav-milter.conf
sed -i "s|^#ClamdSocket tcp:scanner.mydomain:7357|ClamdSocket unix:/run/clamd.scan/clamd.sock|g" /etc/mail/clamav-milter.conf
sed -i "s|^#AddHeader Replace|AddHeader Replace|g" /etc/mail/clamav-milter.conf
sed -i "s|^#LogFacility LOG_MAIL|LogFacility LOG_MAIL|g" /etc/mail/clamav-milter.conf
sed -i "s|^#MilterSocket inet:7357|MilterSocket inet:[email protected]|g" /etc/mail/clamav-milter.conf
sed -i "s|^#OnInfected Quarantine|OnInfected Reject|g" /etc/mail/clamav-milter.conf

Step 10: Enable ClamAV-milter

systemctl enable clamav-milter 
systemctl start clamav-milter

Step 11: Verify that ClamAV-milter is running.

grep clamav-milter /var/log/maillog

The output should be something like:

Aug 28 14:41:41 s1.localhost clamav-milter[124614]: +++ Started at Fri Jun 19 16:43:51 2020

Step 12: Update Postfix main configuration

This is the step where we instruct Postfix to make use of the ClamAV-milter.

postconf -e milter_default_action=accept
postconf -e milter_protocol=6
postconf -e smtpd_milters="inet:127.0.0.1:12768, inet:127.0.0.1:3381"
postconf -e non_smtpd_milters=inet:127.0.0.1:3381

Step 13: Reload postfix

postfix reload

Step 14: Test ClamAV (local)

At this step, we will test whether the delivery of viruses is rejected.

We start by downloading the eicar test file. This is a harmless file (not an actual virus) which should be detected as a virus by any anti-virus solution.

cd /tmp
wget https://secure.eicar.org/eicar.com.txt

Next, we install mutt for sending a test mail with an attachment:

yum -y install mutt

Next, we need to configure mutt to send a proper from the address which will also receive the bounce. Don’t forget to change the sender’s address!

echo -e 'set from="[email protected]"' > /root/.muttrc
echo -e 'set use_from=yes' >> /root/.muttrc
echo -e 'set use_envelope_from=yes' >> /root/.muttrc

Next, we send an e-mail, make sure you replace the recipient address.

echo "This message contains a virus" | mutt -a eicar.com.txt -s "This is a virus" -- [email protected]

You should be able to see the bounce email in the mail log (replace sender address):

grep "[email protected]" /var/log/maillog

The output should be something like:

Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Aug 28 14:55:41 s1 postfix/cleanup[27493]: 2305E300A6E: to=<[email protected]>, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.7.1, status=bounced (Command rejected)

If you want to see the whole transaction grep on the ID (replace ID):

grep 2305E300A6E /var/log/maillog

The output should be something like:

Aug 28 14:55:41 s1.localhost postfix/pickup[22190]: 2305E300A6E: uid=0 from=<root>
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: message-id=<[email protected]>
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: to=<[email protected]>, relay=none, delay=0.17, delays=0.17/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Aug 28 14:55:41 s1.localhost postfix/cleanup[27493]: 2305E300A6E: to=<[email protected]>, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Aug 28 14:55:41 s1.localhost postfix/bounce[27499]: 2305E300A6E: sender non-delivery notification: 4D46F300A91

Cleanup:

rm -f /tmp/eicar.com.txt /root/.muttrc
yum remove mutt

Conclusion

Congratulations, you have now configured ClamAV to scan incoming and outgoing mail for viruses.

Was this article helpful?
Dislike 0
Views: 58

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

snel-knowledgebase