Based on a Debian 11 "Bullseye" environment.

ClamAV

ClamAV is anti-virus software. Set up clamav-milter so that every mail passing through Postfix is scanned for viruses.

Install

# apt install clamav-milter
  • Installing clamav-milter pulls in the rest of the ClamAV suite as dependencies (e.g. clamav-base, clamav-daemon).

After installation, systemd tries to start clamav-daemon, but the unit's start condition is not met yet, so it stays inactive:

# systemctl status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/clamav-daemon.service.d
             └─extend.conf
     Active: inactive (dead)
  Condition: start condition failed at Thu 2021-09-19 16:11:15 JST; 1min 27s ago

ClamAV needs the virus signature database, and it does not exist until clamav-freshclam finishes its initial download.
Use the time while clamav-freshclam is downloading the latest database to adjust the clamav-daemon and clamav-milter configuration.

Configuration

clamav-milter

The clamav-milter socket has to be moved from its default location into the Postfix chroot (/var/spool/postfix), because the chrooted smtpd process cannot reach a socket outside it. Change MilterSocket in /etc/clamav/clamav-milter.conf:

MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl
  • For further tweaks (socket ownership and mode, what to do with infected mail, logging), run "# dpkg-reconfigure clamav-milter" and read the explanation of each option.

clamav-daemon

ClamAV's heuristic phishing URL check sometimes produces false positives. In my case, some legitimate emails from Amex and Hilton were caught by this filter.
To turn the URL heuristic off while keeping signature-based phishing detection, change PhishingScanURLs from true to false in /etc/clamav/clamd.conf:

PhishingSignatures true
PhishingScanURLs false
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
  • PhishingScanURLs is true by default. Setting it to false disables the heuristic that flags links whose visible text does not match their real target, so decide whether the false positives outweigh that protection for your users. PhishingSignatures stays on, so signature-based phishing detection still works.

Once the database is in place and the config files are updated, start clamav-daemon and then restart clamav-milter so that it reconnects to the daemon.
(Watch /var/log/clamav/freshclam.log to see when the database download has finished.)

# systemctl start clamav-daemon
---(Wait until clamav-daemon is fully up; it only accepts scan requests once the signature database has been loaded)---
# systemctl restart clamav-milter
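The same three steps as a script, added here as an example and not part of the original page. Instead of waiting a fixed time it probes clamd with clamdscan (which only succeeds once clamd has loaded its database), restarts the milter once clamd answers, and derives the chroot-relative path that main.cf needs from the absolute MilterSocket value. The CHROOT and MILTER_SOCKET variables are assumptions matching the Debian default chroot and the MilterSocket set above; adjust them if your paths differ.

```shell
#!/bin/sh
# Added example (not from the original page): bring up clamd and clamav-milter in the
# right order and print the chroot-relative milter path for /etc/postfix/main.cf.
# Assumed values: Postfix chroot /var/spool/postfix (Debian default) and the
# MilterSocket path configured in clamav-milter.conf above.
set -eu

CHROOT=/var/spool/postfix
MILTER_SOCKET=/var/spool/postfix/clamav/clamav-milter.ctl

# Print the smtpd_milters entry for an absolute MilterSocket path.
# Postfix smtpd runs chrooted, so main.cf wants the path relative to $CHROOT.
# Prints nothing and returns 1 when the socket is not inside the chroot at all.
chroot_relative() {
    abs="$1"
    case "$abs" in
        "$CHROOT"/*) printf 'unix:%s\n' "${abs#"$CHROOT"}" ;;
        *) return 1 ;;
    esac
}

# Poll until a unix socket exists at $1, giving up after $2 seconds.
wait_for_socket() {
    path="$1"; limit="$2"; waited=0
    while [ ! -S "$path" ]; do
        if [ "$waited" -ge "$limit" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Probe clamd by scanning a small temporary file over its socket. --stream sends the
# bytes, so clamd needs no read access to the file. clamdscan only succeeds once clamd
# has loaded its signature database, which is the "fully up" state we wait for.
clamd_ready() {
    limit="$1"; waited=0
    probe="$(mktemp)"
    printf 'clamd readiness probe\n' > "$probe"
    until clamdscan --no-summary --stream "$probe" >/dev/null 2>&1; do
        if [ "$waited" -ge "$limit" ]; then
            rm -f "$probe"
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    rm -f "$probe"
    return 0
}

# Start clamd, wait until it answers, then restart the milter so it reconnects.
bring_up_scanner() {
    systemctl start clamav-daemon
    clamd_ready 300 || { echo "clamd did not become ready" >&2; return 1; }
    systemctl restart clamav-milter
    wait_for_socket "$MILTER_SOCKET" 30 || { echo "milter socket missing: $MILTER_SOCKET" >&2; return 1; }
    ls -l "$MILTER_SOCKET"
    echo "smtpd_milters entry for this socket: $(chroot_relative "$MILTER_SOCKET")"
}

# Only touch the system when explicitly asked; running without arguments just
# defines the functions so they can be sourced or tested.
if [ "${1:-}" = "run" ]; then
    bring_up_scanner
fi
```

Run it as root with the argument run. The ls at the end shows the socket's owner and mode, which is what to check when Postfix later logs that it cannot connect to the milter.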

Postfix Configuration

Add the clamav-milter socket to the smtpd_milters setting in /etc/postfix/main.cf. The paths are relative to the Postfix chroot, /var/spool/postfix:

smtpd_milters =
 unix:/milter-greylist/milter-greylist.sock
 unix:/clamav/clamav-milter.ctl
  • The order here is the order in which the milters run. Greylisting should come first so that most spam is rejected before any message content is scanned.
  • If clamav-milter is unreachable, Postfix falls back to milter_default_action, which defaults to tempfail (the mail is deferred, not delivered unscanned). Leave that default unless you deliberately prefer availability over scanning.

Reload Postfix to apply the new milter.

# systemctl reload postfix

Test

Send a clean mail to an account on this server and look for the headers that clamav-milter adds to the delivered message:

X-Virus-Scanned: clamav-milter 0.103.3 at host
X-Virus-Status: Clean

To test the infected-mail path, send a message carrying the EICAR test file, a harmless standard string that every scanner detects. What happens to it is governed by OnInfected in /etc/clamav/clamav-milter.conf: with Quarantine the message lands in Postfix's hold queue (visible with mailq), with Reject it is refused at SMTP time.
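A script that builds and submits such a message, added here as an example and not from the original page. It assembles the EICAR string, wraps it in a MIME message with the test file as a base64 attachment, and hands it to Postfix through /usr/sbin/sendmail. It assumes /usr/sbin/sendmail is Postfix's sendmail wrapper on this host; the recipient and sender are whatever you pass on the command line, and the addresses mentioned in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): build a mail with the EICAR test file
# attached and submit it to the local Postfix. Usage: ./eicar-mail.sh send <to> <from>
# e.g. ./eicar-mail.sh send postmaster@mail.example.test tester@mail.example.test
# (constructed addresses).
set -eu

BOUNDARY=eicar-test-boundary

# The 68-byte EICAR test string, assembled from two halves so that this script is not
# itself quarantined by an on-access scanner while it is edited or copied around.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STAND' 'ARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Print a complete message with the test file as a base64 attachment.
# $1 = recipient, $2 = sender.
build_eicar_mail() {
    to="$1"; from="$2"
    printf 'From: %s\nTo: %s\nSubject: EICAR test attachment\nMIME-Version: 1.0\n' "$from" "$to"
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$BOUNDARY"
    printf '%s\n' "--$BOUNDARY"
    printf 'Content-Type: text/plain; charset=us-ascii\n\n'
    printf 'This message carries the EICAR anti-virus test file as an attachment.\n\n'
    printf '%s\n' "--$BOUNDARY"
    printf 'Content-Type: application/octet-stream; name="eicar.com"\n'
    printf 'Content-Transfer-Encoding: base64\n'
    printf 'Content-Disposition: attachment; filename="eicar.com"\n\n'
    eicar_string | base64        # 68 bytes -> 92 base64 characters, line-wrapped by base64
    printf '%s\n' "--$BOUNDARY--"
}

# Recover and decode the attachment from a message on stdin (used to verify the builder).
extract_attachment() {
    sed -n '/^Content-Transfer-Encoding: base64$/,/^--'"$BOUNDARY"'--$/p' \
        | grep -v -e '^Content-' -e '^--' -e '^$' \
        | base64 -d
}

# Hand the message to Postfix. -t takes the recipient from the To: header,
# -i keeps a bare "." line in the body from terminating the input.
send_eicar_mail() {
    build_eicar_mail "$1" "$2" | /usr/sbin/sendmail -t -i
}

# Only send when explicitly asked; otherwise the file just defines the functions.
if [ "${1:-}" = "send" ] && [ "$#" -eq 3 ]; then
    send_eicar_mail "$2" "$3"
fi
```

After sending, check the clamav-milter log (syslog on Debian) for the detection and mailq for a held message; the clean-mail headers above will not appear because the milter acts on the message instead of delivering it.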


Update History

2021-09-11

  • Update to Bullseye version

2021-09-19

  • Rewrote the configuration and the restart order of clamav-milter and clamav-daemon.