clamav
clamav is a plugin for spmfilter that lets spmfilter check mail for viruses with the Clam AntiVirus open source toolkit. The main goal of this plugin is to provide an easy way to virus-scan emails. If ClamAV detects malicious software such as a virus, the plugin discards the affected email. Optionally, notifications can be enabled to inform the recipients and sender (configurable) about the discarded message. The module is activated by adding clamav to the modules variable in the [global] section of spmfilter.conf, as follows:
[global]
...
modules = clamav
...
Please note that ClamAV needs to listen on a TCP/IP socket instead of a local socket to interact with the spmfilter clamav plugin. To do this, replace the option "LocalSocket" with "TCPSocket" and "TCPAddr" in clamd.conf, as follows:
TCPSocket 3310
TCPAddr 127.0.0.1
Configuration of the spmfilter clamav plugin is done by adding a new section for clamav to spmfilter.conf:
[clamav]
host = 127.0.0.1
port = 3310
max_scan_size = 2097152
notification = 0
notification_template = /path/to/clamav-template.txt
notification_sender = postmaster@example.com
notification_subject = Virus detected
add_header = true
header_name = X-Spmfilter-Virus-Scanned
scan_direction = 0
To tell your users which malicious software ClamAV found, use the '%virus%' expansion in your templates; it is replaced by the full name of the detected virus. There is also a '%sender%' expansion, which you can use in your templates to inform the recipient about the original sender. If you enable notifications, you must define 'notification_template' and 'notification_sender'; otherwise the plugin stops processing with an appropriate error warning.
Configuration parameter overview:
| option | description | scope |
| --- | --- | --- |
| host | IP-address of the ClamAV-daemon | mandatory |
| port | Port on which the ClamAV-daemon listens | optional, default: 3310 |
| max_scan_size | Files larger than this limit won’t be scanned, defined in bytes | optional, default: 5MB |
| notification | Enables or disables notification of the recipient if a virus is detected. Possible values: 0 (notification disabled), 1 (notify recipient), 2 (notify sender and recipient). If the smtp-engine of spmfilter is used, envelope addresses are used for notification. Otherwise, if the message was delivered to spmfilter by the pipe-engine, all addresses are extracted from the header | optional, default: 0 (notification disabled) |
| notification_template | Absolute path to the notification template | mandatory if notification != 0 |
| notification_sender | Sender address for notifications | mandatory if notification != 0 |
| notification_subject | Subject String for notification messages | optional, default: Virus notification |
| add_header | Add header for scanned message. Possible values: true (add header), false (don't add header) | optional, default: false |
| header_name | Define X-Header for scanned messages | optional, default: X-Spmfilter-Virus-Scanned |
| scan_direction | Define direction to scan. Possible values: 0 (scan incoming and outgoing mail), 1 (scan incoming mails only -> sender is external), 2 (scan outgoing mails only, sender is local). Lookup-backend required for option 1 or 2 | optional, default: 0 |
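A pre-deployment check of the rules in the table above, as an added example (not part of spmfilter or its documentation). The function name, the sample input and the separators accepted in `modules` are assumptions; the loopback finding reflects that clamd's TCP socket has no authentication.

```python
import configparser
import ipaddress

# Constructed sample with deliberate mistakes; not from a real deployment.
SAMPLE = """\
[global]
modules = clamav

[clamav]
host = 192.0.2.10
notification = 2
notification_sender = postmaster@example.com
add_header = yes
scan_direction = 3
"""

def check_clamav(text):
    """Return a list of findings for the [clamav] section of spmfilter.conf."""
    # interpolation=None so a literal '%' in a value is not treated as a reference.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    out = []
    # Assumption: entries in 'modules' are separated by ';', ',' or whitespace.
    mods = cfg.get("global", "modules", fallback="")
    if "clamav" not in mods.replace(";", " ").replace(",", " ").split():
        out.append("clamav is not listed in [global] modules")
    if not cfg.has_section("clamav"):
        return out + ["[clamav] section is missing"]
    sec = cfg["clamav"]
    try:
        if not ipaddress.ip_address(sec["host"]).is_loopback:
            out.append("host is not loopback; clamd's TCP socket is unauthenticated")
    except KeyError:
        out.append("host is mandatory")
    except ValueError:
        out.append("host is not an IP address")
    port = sec.get("port", "3310")
    if not (port.isdecimal() and 0 < int(port) < 65536):
        out.append("port must be 1-65535")
    for key in ("notification", "scan_direction"):
        if sec.get(key, "0") not in ("0", "1", "2"):
            out.append(f"{key} must be 0, 1 or 2")
    if sec.get("add_header", "false") not in ("true", "false"):
        out.append("add_header must be true or false")
    if sec.get("notification", "0") in ("1", "2"):
        for key in ("notification_template", "notification_sender"):
            if not sec.get(key):
                out.append(f"{key} is mandatory when notification != 0")
    return out
```

An empty list means the section satisfies every rule checked here; it does not verify that the template file exists or that a lookup backend is configured for scan_direction 1 or 2.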
Important notes
If you run spmfilter with the clamav plugin enabled as a pre-queue filter, be aware that the plugin currently does not reject the message within the SMTP conversation when malicious software such as a virus is detected. Instead, the message is accepted and then discarded by the clamav plugin.