Clam
Here’s another benefit of the 24 hours spent trying to get sendmail working again after upgrading to Panther.
One of my desperate measures was to download and compile the latest Sendmail 8.13.PreAlpha4. Among the new features of 8.13 is that it comes with Milter support enabled by default.
In the past, I’ve been annoyed by the blizzards of Windoze email viruses collecting in my in-box. This weekend saw a flurry of what looked like a new one.
Seizing the opportunity, I downloaded and installed ClamAV, the open-source virus scanner. It comes with clamav-milter, so that Sendmail can use it to scan incoming email for viruses. What a great package! The virus database is actively maintained, receiving 4 or 5 updates a week, and you can update your local copy daily by executing freshclam as a cron job.
After poking around the mailing list, I decided to go with the latest development version, rather than the rather old “stable” version, ClamAV-0.60. The response to the sundry complaints about the latter was always “that’s fixed in the development version.”
To compile properly, it required a small patch, and linking to the GMP libraries from fink. My script for building the distribution is
    #!/bin/sh
    # regenerate configure and the Makefiles from the development tree
    autoreconf
    # headers and libraries (GMP) from fink live under /sw
    CFLAGS="-I/sw/include" LDFLAGS="-L/sw/lib" ./configure --enable-milter
    # the small fix needed to get the build through
    patch -p0 < clamav.patch
    make
    sudo make install
There was one wee glitch: Sendmail complains if the Unix socket used by the milter is in a group-writable directory. Rather than trying to find another home for it, I decided that it was more secure to patch /etc/rc.cleanup to make /var/run (which gets recreated every time you reboot) mode 755 instead of 775. That’s probably the “right” set of permissions anyway.
With

    /usr/local/sbin/clamd
    /usr/local/sbin/clamav-milter -blo /var/run/clmilter.sock

added to the startup sequence in /Library/StartupItems/Sendmail/Sendmail, virus-laden emails are automatically rejected, leaving only a telltale rejection notice

    Nov 10 06:51:00 golem clamav-milter[9356]: clamfi_connect: connection from rs25s8.datacenter.cha.cantv.net [200.44.33.9]
    Nov 10 06:51:02 golem sm-mta[28469]: hAACp0Ic028469: from=<anliz6@hotmail.com>, size=66483, class=0, nrcpts=1, msgid=<200311101249.hAACnabM006232@rs25s8.datacenter.cha.cantv.net>, proto=ESMTP, daemon=MTA, relay=rs25s8.datacenter.cha.cantv.net [200.44.33.9]
    Nov 10 06:51:02 golem clamav-milter[9356]: stream: Worm.Galil.C FOUND
    Nov 10 06:51:02 golem clamav-milter[9356]: Intercepted virus from <anliz6@hotmail.com> to <distler@golem.ph.utexas.edu>
    Nov 10 06:51:02 golem sm-mta[28469]: hAACp0Ic028469: Milter: data, reject=550 5.7.1 Virus detected by ClamAV - http://clamav.elektrapro.com
    Nov 10 06:51:02 golem sm-mta[28469]: hAACp0Ic028469: to=<distler@golem.ph.utexas.edu>, delay=00:00:01, pri=96483, stat=Virus detected by ClamAV - http://clamav.elektrapro.com

in my mail logs. Works so well, I’ve asked Terry to install ClamAV on our Linux cluster.
I’m as happy as a …
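As an added example (not part of the original post), here is a small Python parser for clamav-milter and sm-mta log lines in the format quoted above, run over a constructed sample log. It pairs each "FOUND" line with the following "Intercepted virus" line from the same milter process, reads the final stat= of every sendmail queue id, and reports any detection that has no matching "Virus detected by ClamAV" rejection, which is the check to run if you suspect the milter is only logging and not actually rejecting. Hostnames, addresses and queue ids in the sample are made up.

```python
import re
from collections import Counter
# Constructed sample in the clamav-milter / sm-mta format quoted above (not real traffic):
# one message stopped by the milter, one clean message delivered normally.
SAMPLE_LOG = """\
Nov 10 06:51:00 golem clamav-milter[9356]: clamfi_connect: connection from mx.example.net [192.0.2.10]
Nov 10 06:51:02 golem sm-mta[28469]: hAACp0Ic028469: from=<sender@example.com>, size=66483, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.10]
Nov 10 06:51:02 golem clamav-milter[9356]: stream: Worm.Galil.C FOUND
Nov 10 06:51:02 golem clamav-milter[9356]: Intercepted virus from <sender@example.com> to <user@example.org>
Nov 10 06:51:02 golem sm-mta[28469]: hAACp0Ic028469: Milter: data, reject=550 5.7.1 Virus detected by ClamAV - http://clamav.elektrapro.com
Nov 10 06:51:02 golem sm-mta[28469]: hAACp0Ic028469: to=<user@example.org>, delay=00:00:01, pri=96483, stat=Virus detected by ClamAV - http://clamav.elektrapro.com
Nov 10 07:02:11 golem sm-mta[28501]: hAAD2BXj028501: from=<friend@example.com>, size=1201, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.20]
Nov 10 07:02:11 golem sm-mta[28501]: hAAD2BXj028501: to=<user@example.org>, delay=00:00:00, pri=31201, stat=Sent
"""
# syslog prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(r'^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
FOUND_RE = re.compile(r'^stream: (?P<sig>\S+) FOUND$')
INTERCEPT_RE = re.compile(r'^Intercepted virus from <(?P<from>[^>]*)> to <(?P<to>[^>]*)>$')
STAT_RE = re.compile(r'^(?P<qid>\w+): to=.*\bstat=(?P<stat>.*)$')

def parse_log(text):
    """Return (detections, queue): milter detections, and queue id -> final stat= of the delivery line."""
    detections, last_sig, queue = [], {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m.group('prog', 'pid', 'msg')
        if prog == 'clamav-milter':
            f = FOUND_RE.match(msg)
            if f:                      # remember the signature this milter process just matched
                last_sig[pid] = f.group('sig')
            i = INTERCEPT_RE.match(msg)
            if i:                      # the next intercept line from the same pid names the parties
                detections.append({'signature': last_sig.pop(pid, 'unknown'),
                                   'sender': i.group('from'), 'recipient': i.group('to')})
        elif prog == 'sm-mta':
            s = STAT_RE.match(msg)
            if s:
                queue[s.group('qid')] = s.group('stat')
    return detections, queue

def summarize(text):
    """Counts per signature, how many queue entries sendmail rejected as viruses, how many it
    delivered, and whether any milter detection lacks a matching rejection (milter only logging)."""
    detections, queue = parse_log(text)
    rejected = sum(1 for st in queue.values() if st.startswith('Virus detected by ClamAV'))
    delivered = sum(1 for st in queue.values() if st.startswith('Sent'))
    return {'by_signature': Counter(d['signature'] for d in detections), 'rejected': rejected,
            'delivered': delivered, 'unrejected_detections': max(0, len(detections) - rejected)}
```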
Update (11/15/2003): No sooner did I write this, than a serious security flaw was announced in clamav-milter. Fortunately, upgrading to ClamAV-0.65 fixes the problem.
Update (11/30/2003): The development version (11/22/2003 or later) of clamav-milter finally drops privileges correctly. Neither clamd nor clamav-milter need to run as root. If configured to do so, now they’ll both run as an unprivileged user:

- Create a new user (as root)

    echo "clamav:*:77:77::0:0:Clamd User:/dev/null:/dev/null" | niload -m passwd .
    echo "clamav:*:77:clamav" | niload -m group .

- Edit your clamav.conf file so that clamd and clamav-milter run as the user “clamav” and put all their files in a directory owned by that user

    PidFile /var/run/clamav/clamd.pid
    LocalSocket /var/run/clamav/clamd.sock
    User clamav

- The startup code in /Library/StartupItems/Sendmail/Sendmail gets a bit more complicated; right before you start up sendmail

    # socket directory owned by the unprivileged user; it must not be
    # group-writable, or sendmail will refuse to use the milter socket
    if [ ! -d /var/run/clamav ] ; then
        mkdir /var/run/clamav
    fi
    chown clamav /var/run/clamav
    /usr/local/sbin/clamd
    /usr/local/sbin/clamav-milter -blo /var/run/clamav/clmilter.sock