

November 11, 2003

Clam


Here’s another benefit of the 24 hours spent trying to get sendmail working again after upgrading to Panther.

One of my desperate measures was to download and compile the latest Sendmail 8.13.PreAlpha4. Among the new features of 8.13 is that it comes with Milter support enabled by default.

In the past, I’ve been annoyed by the blizzards of Windoze email viruses collecting in my in-box. This weekend saw a flurry of what looked like a new one.

Seizing the opportunity, I downloaded and installed ClamAV, the open-source virus scanner. It comes with clamav-milter, so that Sendmail can use it to scan incoming email for viruses. What a great package! The virus database is actively maintained, receiving 4 or 5 updates a week, and you can update your local copy daily by executing freshclam as a cron job.

After poking around the mailing list, I decided to go with the latest development version, rather than the rather old “stable” version, ClamAV-0.60. The response to the sundry complaints about the latter was always “that’s fixed in the development version.”

To compile properly, it required a small patch, and linking to the GMP libraries from fink. My script for building the distribution is

#!/bin/sh
autoreconf
CFLAGS="-I/sw/include" LDFLAGS="-L/sw/lib" ./configure --enable-milter
patch -p0 < clamav.patch
make
sudo make install

There was one wee glitch: Sendmail complains if the Unix socket used by the milter is in a group-writable directory. Rather than trying to find another home for it, I decided that it was more secure to patch /etc/rc.cleanup to make /var/run (which gets recreated every time you reboot) mode 755 instead of 775. That’s probably the “right” set of permissions anyway.

Adding

/usr/local/sbin/clamd
/usr/local/sbin/clamav-milter -blo /var/run/clmilter.sock

to the startup sequence in /Library/StartupItems/Sendmail/Sendmail means that virus-laden emails are automatically rejected, leaving only a telltale rejection notice

Nov 10 06:51:00 golem clamav-milter[9356]: clamfi_connect: connection from rs25s8.datacenter.cha.cantv.net [200.44.33.9]
Nov 10 06:51:02 golem sm-mta[28469]: hAACp0Ic028469: from=<anliz6@hotmail.com>, size=66483, class=0, nrcpts=1, msgid=<200311101249.hAACnabM006232@rs25s8.datacenter.cha.cantv.net>, proto=ESMTP, daemon=MTA, relay=rs25s8.datacenter.cha.cantv.net [200.44.33.9]
Nov 10 06:51:02 golem clamav-milter[9356]: stream: Worm.Galil.C FOUND
Nov 10 06:51:02 golem clamav-milter[9356]: Intercepted virus from <anliz6@hotmail.com> to <distler@golem.ph.utexas.edu> 
Nov 10 06:51:02 golem sm-mta[28469]: hAACp0Ic028469: Milter: data, reject=550 5.7.1 Virus detected by ClamAV - http://clamav.elektrapro.com
Nov 10 06:51:02 golem sm-mta[28469]: hAACp0Ic028469: to=<distler@golem.ph.utexas.edu>, delay=00:00:01, pri=96483, stat=Virus detected by ClamAV - http://clamav.elektrapro.com

in my mail logs. Works so well, I’ve asked Terry to install ClamAV on our Linux cluster.

I’m as happy as a …

Update (11/15/2003): No sooner did I write this, than a serious security flaw was announced in clamav-milter. Fortunately, upgrading to ClamAV-0.65 fixes the problem.

Update (11/30/2003): The development version (11/22/2003 or later) of clamav-milter finally drops privileges correctly. Neither clamd nor clamav-milter needs to run as root. If configured to do so, they’ll now both run as an unprivileged user:

  1. Create a new user (as root):
    echo "clamav:*:77:77::0:0:Clamd User:/dev/null:/dev/null" | niload -m passwd .
    echo "clamav:*:77:clamav" | niload -m group .
  2. Edit your clamav.conf file so that clamd and clamav-milter run as the user “clamav” and put all their files in a directory owned by that user:
    PidFile /var/run/clamav/clamd.pid
    LocalSocket /var/run/clamav/clamd.sock
    User clamav
  3. The startup code in /Library/StartupItems/Sendmail/Sendmail gets a bit more complicated; add the following right before you start up sendmail:
    if [ ! -d /var/run/clamav ] ; then
        mkdir /var/run/clamav
    fi
    chown clamav /var/run/clamav
    /usr/local/sbin/clamd
    /usr/local/sbin/clamav-milter -blo /var/run/clamav/clmilter.sock

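As an added example (not part of the original post or of ClamAV), here is a small sh function that checks the directory holding the milter socket for the glitch described earlier and for the /var/run/clamav directory created in step 3: it refuses any directory that is group-writable, which is what Sendmail complained about. Flagging world-writable directories and walking up the parents to an optional top directory are my own extension, and the function name milter_socket_dir_ok is made up.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that the directory that
# will hold clamav-milter's Unix socket is safe in the sense sendmail requires.
# The post only mentions group-writable directories; also rejecting
# world-writable ones and every parent up to TOP is my own extension.
#
# usage: milter_socket_dir_ok DIR [TOP]
# Returns 0 when DIR and every parent up to TOP (default /) are safe, 1
# otherwise, naming the first offending directory on stderr.
milter_socket_dir_ok() {
    dir=$1
    top=${2:-/}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # pwd -P resolves symlinks, so on Mac OS X /var/run is checked as
    # /private/var/run, where the permission bits actually live
    dir=$(cd "$dir" && pwd -P) || return 1
    top=$(cd "$top" && pwd -P) || return 1
    while :; do
        # The first ten characters of ls -ld are the type and mode string,
        # e.g. drwxrwxr-x: column 6 is group-write, column 9 is other-write.
        perm=$(ls -ld "$dir" | cut -c1-10)
        case "$perm" in
            ?????w*)    echo "$dir: group-writable ($perm)" >&2; return 1 ;;
            ????????w?) echo "$dir: world-writable ($perm)" >&2; return 1 ;;
        esac
        # stop once TOP has been checked (or at / if TOP is not an ancestor)
        [ "$dir" = "$top" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Run directly as: sh this_script.sh /var/run/clamav
if [ $# -gt 0 ]; then
    milter_socket_dir_ok "$@" && echo "$1: safe for a milter socket"
fi
```

Run it from the startup item after the mkdir/chown lines of step 3 and before clamav-milter is launched, so a wrongly created /var/run shows up as a clear message rather than as a Sendmail complaint.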
Posted by distler at November 11, 2003 12:17 AM
