3
A makefile was supplied with this which should have built the program. If it
4
fails please let us know, and here are some hints for building on different
5
platforms. You will need to set --enable-milter when running configure for
6
the automatic build to work.
8
Tested OK on Linux/x86 with gcc3.2.
9
cc -O3 -pedantic -Wuninitialized -Wall -pipe -mcpu=pentium -march=pentium -fomit-frame-pointer -ffast-math -finline-functions -funroll-loops clamav-milter.c -pthread -lmilter ../libclamav/.libs/libclamav.a ../clamd/cfgfile.o ../clamd/others.o
11
Compiles OK on Linux/x86 with tcc 0.9.16, but fails to link errors with 'atexit'
12
tcc -g -b -lmilter -lpthread clamav-milter.c...
14
Fails to compile on Linux/x86 with icc6.0 (complains about stdio.h...)
15
icc -O3 -tpp7 -xiMKW -ipo -parallel -i_dynamic -w2 clamav-milter.c...
16
Fails to build on Linux/x86 with icc7.1 with -ipo (fails on libclamav.a - keeps saying run ranlib). Otherwise it builds and runs OK.
17
icc -O2 -tpp7 -xiMKW -parallel -i_dynamic -w2 -march=pentium4 -mcpu=pentium4 clamav-milter.c...
19
Tested with Electric Fence 2.2.2, and the bounds checking C compiler from
20
http://sourceforge.net/projects/boundschecking/
22
Compiles OK on Linux/ppc (YDL2.3) with gcc2.95.4. Needs -lsmutil to link.
23
cc -O3 -pedantic -Wuninitialized -Wall -pipe -fomit-frame-pointer -ffast-math -finline-functions -funroll-loop -pthread -lmilter ../libclamav/.libs/libclamav.a ../clamd/cfgfile.o ../clamd/others.o -lsmutil
24
I haven't tested it further on this platform yet.
25
YDL3.0 should compile out of the box
27
Linux/sparc (Gentoo 2004.2) comes with a sendmail that doesn't support MILTER,
28
so *before* running "configure --enable-milter", download from
29
http://www.sendmail.org/ftp, then:
30
cd .../sendmail-source-directory
36
Sendmail on MacOS/X (10.1) is provided without a development package so this
37
can't be run "out of the box"
39
Solaris 8 doesn't have milter support so clamav-milter won't work unless you
40
rebuild sendmail from source.
42
FreeBSD4.7 use /usr/local/bin/gcc30. GCC3.0 is an optional extra on
43
FreeBSD. It comes with getopt.h which is handy. To link you need
45
gcc30 -O3 -DCONFDIR=\"/usr/local/etc\" -I. -I.. -I../clamd -I../libclamav -pedantic -Wuninitialized -Wall -pipe -mcpu=pentium -march=pentium -fomit-frame-pointer -ffast-math -finline-functions -funroll-loops clamav-milter.c -pthread -lmilter ../libclamav/.libs/libclamav.a ../clamd/cfgfile.o ../clamd/others.o -lgnugetopt
47
FreeBSD4.8: compiles out of the box with either gcc2.95 or gcc3
49
NetBSD2.0: compiles out of the box
51
OpenBSD3.4: the supplied sendmail does not come with Milter support.
52
Do this *before* running configure (thanks for Per-Olov Sjöhol
53
<peo_s@incedo.org> for these instructions).
55
echo WANT_LIBMILTER=1 > /etc/mk.conf
56
cd /usr/src/gnu/usr.sbin/sendmail
60
kill -HUP `sed q /var/run/sendmail.pid`
62
Then do this to make the milter headers available to clamav...
63
(the libmilter.a file is already in the right place after the sendmail
67
ln -s ../src/gnu/usr.sbin/sendmail/include/libmilter libmilter
69
Solaris 9 and FreeBSD5 have milter support in the supplied sendmail, but
70
doesn't include libmilter so you can't develop milter applications on it.
71
Go to sendmail.org, download the latest sendmail, cd to libmilter and
74
Needs -lresolv on Solaris, for res_close().
76
If, when building clamav-milter, you see the error
77
"undefined reference to smfi_opensocket",
78
it means that your sendmail installation is broken. More specifically it means
79
that your installed version of libmilter does not agree with your installed
80
version of Sendmail. Naturally they must be the same. Check to see if you have
81
more than one mfapi.h on your system; if you installed sendmail from source,
82
did you remember to install libmilter at the same time? You can ensure that
83
your Sendmail is correctly installed if you follow these instructions:
84
cd .../sendmail-source-directory
92
Install into /usr/local/sbin/clamav-milter.
94
Ensure that your sendmail supports milters by running
95
/usr/lib/sendmail -d0 < /dev/null | fgrep MILTER
97
/usr/sbin/sendmail -d0 < /dev/null | fgrep MILTER
99
You should see something like:
100
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
101
It doesn't matter exactly what you see, as long as the word MILTER is printed.
103
If you see no output you MUST upgrade your sendmail.
105
See http://www.nmt.edu/~wcolburn/sendmail-8.12.5/libmilter/docs/sample.html
107
2.1 LINUX (RedHat, Fedora, YellowDog etc)
109
Installations for RedHat Linux and it's derivatives such as YellowDog:
110
Ensure that you have the sendmail-devel RPM installed
111
Add to /etc/mail/sendmail.mc before the MAILER statement:
112
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m;C:30s;E:10m')dnl
113
define(`confINPUT_MAIL_FILTERS', `clamav')
115
Note that the INPUT_MAIL_FILTER line must come before the
116
confINPUT_MAIL_FILTERS line.
118
Don't worry that the file /var/run/clamav/clmilter.sock doesn't exist,
119
clamav-milter will create it for you. However you will need
120
to create the directory /var/run/clamav (usually owned
121
by user clamav, mode 700).
123
Check entry in /usr/local/etc/clamd.conf of the form:
124
LocalSocket /var/run/clamav/clamd.sock
126
If you already have a filter (such as spamassassin-milter from
127
http://savannah.nongnu.org/projects/spamass-milt) add it thus:
128
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
129
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
130
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl
132
mkdir /var/run/clamav
133
chown clamav /var/run/clamav (if you use User clamav in clamd.conf)
134
chmod 700 /var/run/clamav
136
Where /var/run/spamass.sock is the location of the spamass-milt
137
socket file (on some systems it is in /var/run/sendmail/spamass.sock).
141
Installations for Debian Linux:
142
As above for RedHat, except that you need the libmilter-dev package:
143
apt-get install libmilter-dev
144
To use TCPwrappers you need to:
145
apt-get install libwrap0-dev
149
Installations for FreeBSD5 (may be true for other BSDs)
150
Add to /etc/mail/freebsd.mc:
151
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
152
define(`confINPUT_MAIL_FILTERS', `clamav')
154
Check entry in /usr/local/etc/clamd.conf of the form:
155
LocalSocket /var/run/clamav/clamd.sock
157
If you already have a filter (such as spamassassin-milter from
158
http://savannah.nongnu.org/projects/spamass-milt) add it thus:
159
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
160
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
161
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl
163
mkdir /var/run/clamav
164
chown clamav /var/run/clamav (if you use User clamav in clamd.conf)
165
chmod 700 /var/run/clamav
167
Where /var/run/spamass.sock is the location of the spamass-milt
168
socket file (on some systems it is in /var/run/sendmail/spamass.sock).
170
FreeBSD5.3 sendmail comes without libmilter support. You can upgrade by
171
cd /usr/ports/mail/sendmail
174
This may overwrite your existing sendmail configuration, so ensure
175
that you back up first.
177
You should have received a script to install into /etc/rc.d as /etc/rc.d/clamav
178
with this software. Add to /etc/rc.conf:
180
clamav_milter_enable="YES"
181
clamav_milter_flags="--max-children=2 --dont-wait --timeout=0 -P local:/var/run/clamav/clmilter.sock --pidfile=/var/run/clamav/clamav-milter.pid --quarantine-dir=/var/run/clamav/quarantine"
185
Solaris 10 should install out of the box. Edit /etc/mail/cf/cf/main.mc adding
187
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter, F=, T=S:4m;R:4m')dnl
189
cp /etc/mail/cf/cf/main.cf /etc/mail/main.cf
190
/usr/local/sbin/clamav-milter local:/var/run/clamav/clamav-milter
191
mkdir /var/run/clamav
192
chown clamav /var/run/clamav (if you use User clamav in clamd.conf)
193
chmod 700 /var/run/clamav
195
You should have received a script to install into /etc/init.d as
196
/etc/init.d/clamav-milter. Then:
198
chmod 755 /etc/init.d/clamav-milter
200
ln init.d/clamav-milter rc2.d/S90clamav-milter
201
ln init.d/clamav-milter rc0.d/K90clamav-milter
202
/etc/init.d/clamav-milter start
203
/etc/init.d/sendmail restart
207
OpenBSD4.1 should install out of the box.
208
Edit <your .mc file>, or if you have none: cd into /usr/share/sendmail/cf,
209
copy openbsd-proto.mc custom.mc, edit custom.mc adding:
210
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter, F=, T=S:4m;R:4m')dnl
212
m4 ../m4/cf.m4 custom.mc >/etc/mail/localhost.cf
213
and finally restart sendmail by sending it a SIGHUP
215
2.6 General Installation Issues
217
You may find INPUT_MAIL_FILTERS is not needed on your machine, however it
218
is recommended by the Sendmail documentation and I recommend going along
221
If you see an unsafe socket error from sendmail, it means that the permissions
222
of the /var/run/clamav directory are too open; check you have correctly run
223
chown and chmod. It may also mean that clamav-milter hasn't started, run
224
ps and check your logs.
226
The above example shows clamav-milter, clamd and sendmail all on the
227
same machine, however using TCP they may reside on different machines,
228
indeed clamav-milter is capable of talking to multiple clamds for redundancy
229
and load balancing. An alternative load balancer is PEN (http://siag.nu/pen/).
231
I suggest putting SpamAssassin first since you're more likely to get spam
232
than a virus/worm sent to you.
234
Add to /etc/sysconfig/clamav-milter
235
CLAMAV_FLAGS="local:/var/run/clamav/clmilter.sock"
236
or if clamd is on a different machine
237
CLAMAV_FLAGS="--server=192.168.1.9 local:/var/run/clamav/clmilter.sock"
239
If you want clamav-milter to listen on TCP for communication with sendmail,
240
for example if they are on different machines use inet:<port>.
241
On machine A (running sendmail) you would have in sendmail.mc:
242
INPUT_MAIL_FILTER(`clamav', `S=inet:3311@machineb, F=T, T=S:4m;R:4m')dnl
243
On machine B (running clamav-milter) you would start up clamav-milter thus:
244
clamav-milter inet:3311
246
You should have received a script to put into /etc/init.d with this software.
248
You should always start clamd before clamav-milter.
250
You may also think about the F= entry in sendmail.mc, since it tells sendmail
251
what to do with emails if clamav-milter is not running. Setting F=T will tell
252
the remote end to resend later (temporary failure), setting F=R will reject
253
the email (permanent failure) and setting F= will pass the email through as
254
though clamav-milter were not installed, in this case you should warn your
255
users that emails are not being scanned. We recommend setting F=T.
257
You may wish to experiment with the T= entry which governs timeout options. You
258
MUST set some type of timeout or a malicious client could cause a Denial of
259
Service attack by keeping your clamav-milter threads alive. The types of
260
timeout are C (time for clamav-milter to acknowledge to sendmail that it
261
has accepted a new connection), S (timeout for sending information from sendmail
262
to clamav-milter), R (timeout for sendmail reading a reply from clamav-milter
263
when it has been sent some information) and E (timeout for clamav-milter to
264
handle the end-of-message request, this needs to be high enough to scan the
265
largest file that you will receive since it is at this stage that the file is
266
scanned, but short enough to ensure that a DoS can't occur when lots of scans
267
are requested). The important entries for clamav-milter are C and E (both
268
default to 5 minutes).
270
WARNING: When running on internal mode (--external is NOT used), clamav-milter
271
will need to wait for all connections to stop before it can reload the database
272
after running freshclam. It is therefore important that NO timeouts in
273
sendmail.cf are set too high or worse still turned off, otherwise clamav-milter
274
can wait a long time, perhaps indefinately, while waiting for the system to
275
quieten down. The same goes for disabling StreamMaxLength, since receiving a
276
very large email to be scanned may take a long time. We advise setting
277
StreamMaxLength to 1M.
279
Don't forget to rebuild sendmail.cf after modifying sendmail.mc. You will
280
need to restart sendmail after rebuilding sendmail.cf and starting clamd and
283
As with all software it is wise to ensure that clamav-milter has the least
284
privileges it needs to run. So don't run it as root and don't store the sockets in a directory that can be written by everyone. For example ensure that /var/run
285
is owned and writeable only by root and add entries for 'User' and
286
'FixStaleSocket' in clamd.conf.
288
When using UNIX domain sockets via the LocalSocket option of clamd.conf,
289
we recommend that you use the --quarantine-dir option since that may improve
292
If you wish to send a warning when a message is blocked, clamav-milter MUST be
293
able to call sendmail, for example on a Fedora Linux system:
295
# ls -lL /usr/lib/sendmail
296
-rwxr-sr-x 1 root smmsp 732356 Sep 1 11:16 /usr/lib/sendmail
298
To test that your clamAV system is now intercepting viruses, visit
299
http://www.testvirus.org
301
If, under heavy strain on Linux, you see the message
302
thread_create() failed: 12, abort
303
appearing in a log file, you will need to increase the number of threads on
304
your system (/proc/sys/kernel/threads-max), or decrease the value of
307
Clamav-milter performs DNS look ups, if you wish to tweak its timeouts
312
Clamav-milter has only been designed to work with Sendmail. I understand that
313
modern versions of Postfix have milter support, and I've heard that
314
Clamav-milter runs with these versions of Postfix, however it is not supported
315
with that software and I do not know how much functionality works.
317
To start clamav-milter:
319
# clamav-milter --sendmail-cf= --max-children=2 \
320
--timeout=0 --pidfile=/var/run/clamav/clamav-milter \
321
local:/var/spool/postfix/clamav/clamav-milter
322
# chown clamav:postfix /var/spool/postfix/clamav/clamav-milter
323
# chmod g+w /var/spool/postfix/clamav/clmilter
325
In /etc/postfix/main.cf set:
326
smtpd_milters = unix:clamav/clamav-milter
327
non_smtpd_milters = unix:clamav/clamav-milter
333
4. INTERNATIONALISATION
335
The .po file was created with the command
336
xgettext --msgid-bugs-address=bugs@clamav.net --copyright-holder=njh@bandsman.co.uk -L c -d clamav-milter -k_ clamav-milter.c
338
If you're interested in helping to translate this program please drop the
343
Please send bug reports and/or comments to Nigel Horne <njh@clamav.net> or
346
Various tips will go here, for example
347
define(`confMILTER_LOG_LEVEL',`22')
348
Running in the foreground, valgrind, LogSyslog, LogVerbose, LogFile etc.
352
Patches are welcome, but they must be against the latest CVS version and adhere
353
to the coding style of clamav-milter. Coding style is religious, everyone
354
believes theirs is great and all others are rubbish.
356
This is my coding style, live with it. You don't want me in a bad mood because
357
I can't read your code when I'm deciding if your code should be incorporated.
359
Most of this style is based on K&R.
361
Use the tab key, not space key, to indent.
363
Except for functions, braces always go on the same line as the condition.
365
Don't leave to chance, or your knowledge of precedence, use brackets to
366
highten the readability.
368
Choose variable names sensibly, don't use Hungarian style.
370
The code is ANSI C, not C++, remember that when thinking of comment formats,
371
location of declarations, etc.
373
Patches which use 'goto' will never, ever, be accepted.
375
Use the design of your code as comments.
377
Test your patches and document the tests when submitting, e.g. different
378
hardware, operating systems, test tools such as valgrind, compilers (gcc, icc,
381
Function names appear at the start of lines (I use ctags).
383
Document your changes. If you add, remove, or change functionality you will
384
need to update the manual page and possibly the usage message as well.
388
The instructions will differ for you, but these will give you an idea.
389
You will have to do a lot of fiddling if you want notifications to work,
390
since clamav-milter calls sendmail to handle the notifications and sendmail
391
will run of out the same jail. I've not disabled the notifications, but I
392
may in the future - for the moment handling notifications in the jail is an
393
excercise for the reader. I've put in a symbolic link to sendmail, but I
394
suspect it should be a real copy.
396
mkdir /var/run/clamav-root
397
chown clamav:clamav /var/run/clamav-root
398
chmod 750 /var/run/clamav-root
399
cd /var/run/clamav-root
405
ln -s ../../../../../var/log/clamav .
409
chown clamav:clamav run/clamav
413
mkdir usr/local/share
414
ln -s ../../../../../../usr/local/share/clamav .
417
ln -s ../../../../../usr/lib/sendmail .
422
chown clamav:clamav null
425
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-root/var/run/clamav/clmilter.sock, F=T, T=S:4m;R:4m;C:30s;E:10m')dnl
427
When starting clamav-milter use options such as (notice that the location
428
of clmilter.sock is different in sendmail.mc than the location clamav-milter
430
--chroot=/var/run/clamav-root --max-children=3 -P --pidfile=/var/run/clamav/clamav-milter.pid --blacklist=60 --black-hole-mode local:/var/run/clamav/clmilter.sock
432
You may need to modify your shutdown script to look for clamav-milter.pid
433
in /var/run/clamav-root/var/run/clamav/clamav-milter.pid
437
There are several ideas marked as TODO in the source code. If anyone has
438
any other suggestions please feel free to contact me. To avoid disappointment
439
always contact me before undertaking any work.