Clam AV and MailScanner mini HOWTO for Solaris and Linux
by Steve Ochani http://www.steveo.us
v 1.2 Updated July 13th, 2004
This document is intended for people looking to set up a free, open-source virus and spam protection solution on e-mail servers running Sendmail.
Prerequisites
Knowledge of how to build and install programs on Solaris or Linux. You will need a system with gcc (I used version 3.1) and Perl on which you can build Clam AV, MailScanner and the Perl modules listed later. You will also need GMP.
1. The first thing to do on Solaris 8 is install (or build and install yourself) a Perl built with gcc. I downloaded perl_s-5.8.3-sol8-sparc-local.gz from www.sunfreeware.com. Before installing it I renamed the Perl that ships with Solaris to perl.sun. A gcc-built Perl is needed because the Perl modules you build later must be compiled with the same compiler Perl itself was built with; the Perl that comes with Sun Solaris is built with Sun's compiler, which most people don't have.
2. Download, build and install GMP (the GNU MP library). I used version 4.1.2. On Solaris 8 with a 64-bit processor I set the environment variable ABI to 32 before running configure; that's "export ABI=32" if you're using bash.
4. Download, build and install the following Perl modules, all available from http://www.cpan.org. These are the versions I used.
HTML-Tagset-3.03
HTML-Parser-3.35
IO-stringy-2.109
MailTools-1.60
MIME-tools-5.411
Net-CIDR-0.09
Convert-TNEF-0.17
Compress-Zlib-1.33
Archive-Zip-1.09
5. Download Clam AV (I used version 0.68-1). Before building, add a group called clamav and a user clamav with a non-login shell; configure expects this account to exist, and the ClamAV daemons drop root privileges to it. On Solaris 8 this can be done as follows:
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
Gunzip and untar clamav, then run configure as follows:
./configure --sysconfdir=/etc
Then run "make" and "make install".
After a successful build and install, run "freshclam" to download the current virus definitions, then run a test scan on the test subdirectory. You should get output like this:
[root@newton clamav-0.68-1]# clamscan test
test/test1: ClamAV-Test-Signature FOUND
test/README: OK
test/rarfail.rar: RAR module failure.
test/rarfail.rar: OK
test/debugm.c: OK
test/test1.bz2: ClamAV-Test-Signature FOUND
test/test2.zip: ClamAV-Test-Signature FOUND
test/test3.rar: ClamAV-Test-Signature FOUND
test/test2.badext: ClamAV-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 20514
Scanned directories: 1
Scanned files: 8
Infected files: 5
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 3.000 sec (0 m 3 s)
Note: the "RAR module failure" on rarfail.rar is expected; that file is part of the test set.
6. Now to set up MailScanner (I'm currently using version 4.28.6-1). Download it, gunzip it and untar it into /opt, then make a symbolic link called MailScanner pointing at the unpacked directory, for example:
cd /opt
ln -s MailScanner-4.28.6/ MailScanner
Now create the directories MailScanner will need:
cd /var/spool/
mkdir mqueue.in
chown root:bin mqueue.in/
chmod o-r,o-x mqueue.in/
mkdir /var/spool/MailScanner
mkdir /var/spool/MailScanner/incoming
mkdir /var/spool/MailScanner/quarantine
Now edit /opt/MailScanner/etc/MailScanner.conf. I set or changed the following (these are all my personal preferences):
set %org-name%
Incoming Work Group = clamav
Incoming Work Permissions = 0640 # so clamscan, running as the clamav user, can read the unpacked attachments
File Command = /usr/bin/file # removed the # in front of /usr/bin/file
Virus Scanners = clamav # changed from none
Silent Viruses = HTML-IFrame # removed All-Viruses from the default
Allow Password-Protected Archives = yes # from no
Notify Senders Of Viruses = yes # from no
Virus Subject Text = {Virus} # took out the ?
Filename Subject Text = {Filename} # took out the ?
Notices Include Full Headers = yes # from no
Two of these trade safety for convenience. Allowing password-protected archives means ClamAV cannot look inside them, so anything they carry passes through unscanned; keep the default "no" unless your users really need them. Notifying senders of viruses mails a notice to whatever address the message claims to be from, and most mass-mailing worms forge that address, so you end up sending warnings to innocent third parties; the default of listing All-Viruses in Silent Viruses avoids that.
In the file /opt/MailScanner/etc/filename.rules.conf I allowed exe files, and in /opt/MailScanner/etc/filetype.rules.conf I allowed all file types. Note: allowing, for example, exe files in filename.rules.conf does not mean MailScanner will let virus-infected exe files through; it still runs the virus scanners on the files you allow in filename.rules.conf.
7. Now set up sendmail. The first thing I did on Solaris 8 was delete /etc/rc2.d/S88sendmail, because it was not a symlink to /etc/init.d/sendmail, and recreate it as one:
cd /etc/rc2.d
rm S88sendmail
ln -s ../init.d/sendmail S88sendmail
Then edit /etc/init.d/sendmail. I commented out the line
/usr/lib/sendmail $MODE -q$QUEUEINTERVAL $OPTIONS &
and put in the following (the first command is a single line; it is wrapped here with a backslash continuation):
/usr/lib/sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly \
    -OQueueDirectory=/var/spool/mqueue.in
/usr/lib/sendmail -q15m &
/opt/MailScanner/bin/check_mailscanner
This runs two copies of sendmail. The first accepts SMTP connections but, because of DeliveryMode=queueonly and the separate queue directory, only writes incoming mail into /var/spool/mqueue.in and never delivers it; noetrn stops a remote client from using ETRN to make that daemon flush the unscanned queue itself. MailScanner, started by check_mailscanner, scans mqueue.in and moves clean messages into /var/spool/mqueue, which the second sendmail (-q15m) delivers every 15 minutes.
Now stop and restart sendmail, which will also start MailScanner.
To test the setup with a harmless "virus", send yourself the EICAR test file from http://www.eicar.org/anti_virus_test_file.htm
Note: I did not enable SpamAssassin because I found that the default setting of checking mail against spam blacklist servers catches 99% of the spam going through my servers.
Note for Solaris users: installing any sendmail patch will overwrite your sendmail config file and your /etc/init.d/sendmail, so it's a good idea to back those files up!
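The following script is an added example for this HOWTO, not part of the original page and not ClamAV's or MailScanner's own tooling. It ties together the queue-directory step, the clamscan check and the EICAR mail test above: it confirms that /var/spool/mqueue.in is not readable by "other", writes the EICAR file, checks that clamscan detects it, and mails it as an attachment through the local sendmail so that the message goes through mqueue.in and MailScanner. It assumes clamscan and sendmail are on $PATH and that the recipient you pass on the command line is a mailbox on this server; the function names and the /tmp/eicar.$$ scratch directory are my own choices.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): end-to-end check of the
# ClamAV + MailScanner + sendmail setup. Assumed: clamscan and sendmail are
# on $PATH, and the recipient given as $1 is a local mailbox.

# The 68-byte EICAR test string. Single quotes keep the $ and \ literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# write_eicar DIR: writes DIR/eicar.com and prints its path. Fails unless
# the file is exactly 68 bytes; a trailing newline or a shell that expanded
# part of the string gives a file that scanners will not recognise.
write_eicar() {
    f="$1/eicar.com"
    printf '%s' "$EICAR" > "$f" || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 68 ] || return 1
    printf '%s\n' "$f"
}

# queue_dir_private DIR: succeeds only when "other" has neither read nor
# execute permission on DIR, which is what "chmod o-r,o-x mqueue.in" in
# the HOWTO produces. ls -ld is used because stat differs between Solaris
# and GNU userland.
queue_dir_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d??????-?-) return 0 ;;
        *)          return 1 ;;
    esac
}

# eicar_message RCPT FILE: prints a MIME message with FILE attached. The
# EICAR string is printable 7-bit ASCII, so a 7bit transfer encoding works
# and no base64 tool is needed (Solaris 8 does not ship one).
eicar_message() {
    b="eicar-boundary-$$"
    printf 'To: %s\n' "$1"
    printf 'Subject: EICAR test message\n'
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$b"
    printf '%s\n' "--$b"
    printf 'Content-Type: text/plain\n\n'
    printf 'EICAR test; MailScanner should tag the subject with {Virus}.\n\n'
    printf '%s\n' "--$b"
    printf 'Content-Type: application/octet-stream; name="eicar.com"\n'
    printf 'Content-Disposition: attachment; filename="eicar.com"\n'
    printf 'Content-Transfer-Encoding: 7bit\n\n'
    cat "$2"
    printf '\n%s\n' "--$b--"
}

main() {
    rcpt="$1"
    dir="/tmp/eicar.$$"
    mkdir -m 700 "$dir" || exit 1
    eicar=$(write_eicar "$dir") || { echo "could not write EICAR file" >&2; exit 1; }

    if queue_dir_private /var/spool/mqueue.in; then
        echo "/var/spool/mqueue.in: not readable by others, ok"
    else
        echo "/var/spool/mqueue.in: WARNING, unscanned mail is readable by others" >&2
    fi

    # clamscan exits 1 when it finds something, 0 when clean, 2 on error.
    clamscan "$eicar" > /dev/null
    [ $? -eq 1 ] || { echo "clamscan did not detect EICAR, check freshclam" >&2; exit 1; }

    eicar_message "$rcpt" "$eicar" | sendmail -t
    rm -rf "$dir"
    echo "sent to $rcpt; MailScanner should deliver it with the attachment replaced and a {Virus} subject tag"
}

# Run the check only when a recipient is given, so the functions can also
# be sourced from another script.
if [ $# -eq 1 ]; then
    main "$1"
fi
```

Run it as root on the mail server with a local address, e.g. "sh eicar-check.sh you@localhost", after freshclam has run at least once; a clamscan that does not flag the file usually means the definitions were never downloaded, and a warning about mqueue.in means the chmod step was skipped and any local user can read mail that has not been scanned yet.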
Reference sites