README.Fedora.md for clamav-milter
Please note that for Fedora and EPEL 7+ we use only systemd.
A clamav-milter setup consists of the following three components:
- the clamav-milter itself
  The main configuration is in /etc/mail/clamav-milter.conf and MUST be changed before first use.
  This can be enabled with: 'systemctl enable clamav-milter.service'
- a clamav scanner daemon
  The daemon is configured by /etc/clamd.d/scan.conf (which MUST be edited before first use).
  This can be enabled with: 'systemctl enable clamd@scan.service'
- the MTA (sendmail/postfix)
  --> you should know how to install this...
When communicating across unix sockets with the clamav-milter, it is suggested to use the /run/clamav-milter/clamav-milter.socket path. You have to add something like
| INPUT_MAIL_FILTER(`clamav', `S=local:/run/clamav-milter/clamav-milter.socket, F=, T=S:4m;R:4m')dnl
to your sendmail.mc.
Changing permissions of directory /var/lib/clamav
Whenever ClamAV is upgraded by dnf, the permissions for the /var/lib/clamav directory change to user clamupdate. If for some reason you need DatabaseOwner to be another user, you may copy /usr/lib/systemd/system/clamav-freshclam.service to /etc/systemd/system/ and add
| ExecStartPre=+/usr/bin/chown youruser:yourgroup /var/lib/clamav
and updates won't break your configuration.
Please add comments to https://bugzilla.redhat.com/show_bug.cgi?id=2023371 if this does not work for you or if you have any suggestions.
Note on the "=+" in that line (man 5 systemd.service, "Special executable prefixes"): if the executable path is prefixed with "+" then the process is executed with full privileges.
EXAMPLE
For clamav-milter, a possible setup might be created by
A) On the MTA (assumed hostname 'host-mta')
- Add to sendmail.mc
| INPUT_MAIL_FILTER(`clamav', `S=inet:6666@host-milter, F=, T=S:4m;R:4m')dnl
- Rebuild sendmail.cf
B) On the clamav-milter host (assumed hostname 'host-milter')
- Install clamav-milter + clamav-milter-upstart packages
- Set in /etc/mail/clamav-milter.conf
| MilterSocket inet:6666
| ClamdSocket tcp:host-scanner:6665
and all the other options which are required on your system
- Enable clamav-milter.service:
| systemctl enable clamav-milter.service
Restart your system or execute
| systemctl start clamav-milter.service
- Add something like
| iptables -N IN-cmilt
| iptables -A IN-cmilt -s host-mta -j ACCEPT
| iptables -A IN-cmilt -j DROP
| iptables -A INPUT -p tcp --dport 6666 -j IN-cmilt
to your firewall setup
C) On the clamav-scanner host (assumed hostname 'host-scanner')
- Install clamd
- Add to /etc/clamd.d/scan.conf
| TCPSocket 6665
| TCPAddr host-scanner
comment out possible 'LocalSocket' lines and set all the other
options which are required on your system
- Enable clamd@scan.service:
| systemctl enable clamd@scan.service
Restart your system or execute
| systemctl start clamd@scan.service
- Add something like
| iptables -N IN-cscan
| iptables -A IN-cscan -s host-milter -j ACCEPT
| iptables -A IN-cscan -j DROP
| iptables -A INPUT -p tcp --dport 6665 -j IN-cscan
to your firewall setup
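A consistency check for the split setup above, as an added example that is not part of the original README or the Fedora package. It assumes both config files have been copied to one machine; the function names `conf_get` and `check_pair` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check clamav-milter.conf against scan.conf.

# conf_get FILE KEY: value of the last uncommented "KEY value" line, if any.
conf_get() {
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# check_pair MILTER_CONF SCAN_CONF: print findings; return 1 if there are any.
check_pair() {
    rc=0
    target=$(conf_get "$1" ClamdSocket)      # e.g. tcp:host-scanner:6665
    port=$(conf_get "$2" TCPSocket)
    addr=$(conf_get "$2" TCPAddr)
    case $target in
        tcp:*:*) want_port=${target##*:} ;;
        *) echo "milter: ClamdSocket is not tcp:host:port (${target:-unset})"; return 1 ;;
    esac
    if [ "$port" != "$want_port" ]; then
        echo "port mismatch: milter connects to $want_port, clamd TCPSocket is ${port:-unset}"
        rc=1
    fi
    # Without TCPAddr, clamd binds the TCP socket to every interface.
    if [ -n "$port" ] && [ -z "$addr" ]; then
        echo "scan.conf: TCPSocket without TCPAddr, clamd listens on every interface"
        rc=1
    fi
    if [ -n "$(conf_get "$2" LocalSocket)" ]; then
        echo "scan.conf: LocalSocket is still active; the setup above comments it out"
        rc=1
    fi
    return $rc
}

# Constructed sample files: good.conf follows the README, bad.conf has three mistakes.
tmp=$(mktemp -d)
printf 'MilterSocket inet:6666\nClamdSocket tcp:host-scanner:6665\n' > "$tmp/milter.conf"
printf '#LocalSocket /run/clamd.scan/clamd.sock\nTCPSocket 6665\nTCPAddr host-scanner\n' > "$tmp/good.conf"
printf 'LocalSocket /run/clamd.scan/clamd.sock\nTCPSocket 3310\n' > "$tmp/bad.conf"

check_pair "$tmp/milter.conf" "$tmp/good.conf" && echo "good.conf: consistent"
check_pair "$tmp/milter.conf" "$tmp/bad.conf" || echo "bad.conf: fix the findings above"
```

The check only reads the files; it does not verify that the iptables chains from steps B and C are loaded on the running hosts.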