3
A makefile was supplied with this which should have built the program. If it
4
fails please let us know, and here are some hints for building on different
5
platforms. You will need to set --enable-milter when running configure for
6
the automatic build to work.
8
Tested OK on Linux/x86 with gcc3.2.
9
cc -O3 -pedantic -Wuninitialized -Wall -pipe -mcpu=pentium -march=pentium -fomit-frame-pointer -ffast-math -finline-functions -funroll-loops clamav-milter.c -pthread -lmilter ../libclamav/.libs/libclamav.a ../clamd/cfgfile.o ../clamd/others.o
11
Compiles OK on Linux/x86 with tcc 0.9.16, but fails to link errors with 'atexit'
12
tcc -g -b -lmilter -lpthread clamav-milter.c...
14
Fails to compile on Linux/x86 with icc6.0 (complains about stdio.h...)
15
icc -O3 -tpp7 -xiMKW -ipo -parallel -i_dynamic -w2 clamav-milter.c...
16
Fails to build on Linux/x86 with icc7.1 with -ipo (fails on libclamav.a - keeps saying run ranlib). Otherwise it builds and runs OK.
17
icc -O2 -tpp7 -xiMKW -parallel -i_dynamic -w2 -march=pentium4 -mcpu=pentium4 clamav-milter.c...
19
Tested with Electric Fence 2.2.2, and the bounds checking C compiler from
20
http://sourceforge.net/projects/boundschecking/
22
Compiles OK on Linux/ppc (YDL2.3) with gcc2.95.4. Needs -lsmutil to link.
23
cc -O3 -pedantic -Wuninitialized -Wall -pipe -fomit-frame-pointer -ffast-math -finline-functions -funroll-loop -pthread -lmilter ../libclamav/.libs/libclamav.a ../clamd/cfgfile.o ../clamd/others.o -lsmutil
24
I haven't tested it further on this platform yet.
25
YDL3.0 should compile out of the box
27
Linux/sparc (Gentoo 2004.2) comes with a sendmail that doesn't support MILTER,
28
so *before* running "configure --enable-milter", download from
29
http://www.sendmail.org/ftp, then:
30
cd .../sendmail-source-directory
36
Sendmail on MacOS/X (10.1) is provided without a development package so this
37
can't be run "out of the box"
39
Solaris 8 doesn't have milter support so clamav-milter won't work unless you
40
rebuild sendmail from source.
42
FreeBSD4.7 use /usr/local/bin/gcc30. GCC3.0 is an optional extra on
43
FreeBSD. It comes with getopt.h which is handy. To link you need
45
gcc30 -O3 -DCONFDIR=\"/usr/local/etc\" -I. -I.. -I../clamd -I../libclamav -pedantic -Wuninitialized -Wall -pipe -mcpu=pentium -march=pentium -fomit-frame-pointer -ffast-math -finline-functions -funroll-loops clamav-milter.c -pthread -lmilter ../libclamav/.libs/libclamav.a ../clamd/cfgfile.o ../clamd/others.o -lgnugetopt
47
FreeBSD4.8: compiles out of the box with either gcc2.95 or gcc3
49
NetBSD2.0: compiles out of the box
51
OpenBSD3.4: the supplied sendmail does not come with Milter support.
52
Do this *before* running configure (thanks for Per-Olov Sjƶhol
53
<peo_s@incedo.org> for these instructions).
55
echo WANT_LIBMILTER=1 > /etc/mk.conf
56
cd /usr/src/gnu/usr.sbin/sendmail
60
kill -HUP `sed q /var/run/sendmail.pid`
62
Then do this to make the milter headers available to clamav...
63
(the libmilter.a file is already in the right place after the sendmail
67
ln -s ../src/gnu/usr.sbin/sendmail/include/libmilter libmilter
69
Solaris 9 and FreeBSD5 have milter support in the supplied sendmail, but
70
doesn't include libmilter so you can't develop milter applications on it.
71
Go to sendmail.org, download the latest sendmail, cd to libmilter and
74
Needs -lresolv on Solaris
76
If, when building clamav-milter, you see the error
77
"undefined reference to smfi_opensocket",
78
it means that your sendmail installation is broken. More specifically it means
79
that your installed version of libmilter does not agree with your installed
80
version of Sendmail. Naturally they must be the same. Check to see if you have
81
more than one mfapi.h on your system; if you installed sendmail from source,
82
did you remember to install libmilter at the same time? You can ensure that
83
your Sendmail is correctly installed if you follow these instructions:
84
cd .../sendmail-source-directory
92
Install into /usr/local/sbin/clamav-milter.
94
Ensure that your sendmail supports milters by running
95
/usr/lib/sendmail -d0 < /dev/null | fgrep MILTER
97
/usr/sbin/sendmail -d0 < /dev/null | fgrep MILTER
99
You should see something like:
100
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
101
It doesn't matter exactly what you see, as long as the word MILTER is printed.
103
If you see no output you MUST upgrade your sendmail.
105
See http://www.nmt.edu/~wcolburn/sendmail-8.12.5/libmilter/docs/sample.html
107
2.1 LINUX (RedHat, Fedora, YellowDog etc)
109
Installations for RedHat Linux and it's derivatives such as YellowDog:
110
Ensure that you have the sendmail-devel RPM installed
111
Add to /etc/mail/sendmail.mc before the MAILER statement:
112
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m;C:30s;E:10m')dnl
113
define(`confINPUT_MAIL_FILTERS', `clamav')
115
Note that the INPUT_MAIL_FILTER line must come before the
116
confINPUT_MAIL_FILTERS line.
118
Don't worry that the file /var/run/clamav/clmilter.sock doesn't exist,
119
clamav-milter will create it for you. However you will need
120
to create the directory /var/run/clamav (usually owned
121
by user clamav, mode 700).
123
Check entry in /usr/local/etc/clamd.conf of the form:
124
LocalSocket /var/run/clamav/clamd.sock
126
If you already have a filter (such as spamassassin-milter from
127
http://savannah.nongnu.org/projects/spamass-milt) add it thus:
128
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
129
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
130
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl
132
mkdir /var/run/clamav
133
chown clamav /var/run/clamav (if you use User clamav in clamd.conf)
134
chmod 700 /var/run/clamav
136
Where /var/run/spamass.sock is the location of the spamass-milt
137
socket file (on some systems it is in /var/run/sendmail/spamass.sock).
141
Installations for Debian Linux:
142
As above for RedHat, except that you need the libmilter-dev package:
143
apt-get install libmilter-dev
144
To use TCPwrappers you need to:
145
apt-get install libwrap0-dev
149
Installations for FreeBSD5 (may be true for other BSDs)
150
Add to /etc/mail/freebsd.mc:
151
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
152
define(`confINPUT_MAIL_FILTERS', `clamav')
154
Check entry in /usr/local/etc/clamd.conf of the form:
155
LocalSocket /var/run/clamav/clamd.sock
157
If you already have a filter (such as spamassassin-milter from
158
http://savannah.nongnu.org/projects/spamass-milt) add it thus:
159
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
160
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
161
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl
163
mkdir /var/run/clamav
164
chown clamav /var/run/clamav (if you use User clamav in clamd.conf)
165
chmod 700 /var/run/clamav
167
Where /var/run/spamass.sock is the location of the spamass-milt
168
socket file (on some systems it is in /var/run/sendmail/spamass.sock).
170
FreeBSD5.3 sendmail comes without libmilter support. You can upgrade by
171
cd /usr/ports/mail/sendmail
174
This may overwrite your existing sendmail configuration, so ensure
175
that you back up first.
177
You should have received a script to install into /etc/rc.d as /etc/rc.d/clamav
178
with this software. Add to /etc/rc.conf:
180
clamav_milter_enable="YES"
181
clamav_milter_flags="--max-children=2 --dont-wait --timeout=0 -P local:/var/run/clamav/clamav.sock --pidfile=/var/run/clamav/clamav-milter.pid --quarantine-dir=/var/run/clamav/quarantine"
185
Solaris 10 should install out of the box. Edit /etc/mail/cf/cf/main.mc adding
187
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter, F=, T=S:4m;R:4m')dnl
189
cp /etc/mail/cf/cf/main.cf /etc/mail/main.cf
190
/usr/local/sbin/clamav-milter local:/var/run/clamav/clamav-milter
191
mkdir /var/run/clamav
192
chown clamav /var/run/clamav (if you use User clamav in clamd.conf)
193
chmod 700 /var/run/clamav
195
You should have received a script to install into /etc/init.d as
196
/etc/init.d/clamav-milter. Then:
198
chmod 755 /etc/init.d/clamav-milter
200
ln init.d/clamav-milter rc2.d/S90clamav-milter
201
ln init.d/clamav-milter rc0.d/K90clamav-milter
202
/etc/init.d/clamav-milter start
203
/etc/init.d/sendmail restart
205
2.6 General Installation Issues
207
You may find INPUT_MAIL_FILTERS is not needed on your machine, however it
208
is recommended by the Sendmail documentation and I recommend going along
211
If you see an unsafe socket error from sendmail, it means that the permissions
212
of the /var/run/clamav directory are too open. Check you have correctly run
213
chown and chmod, it may also mean that clamav-milter hasn't started, run
214
ps and check your logs.
216
The above example shows clamav-milter, clamd and sendmail all on the
217
same machine, however using TCP they may reside on different machines,
218
indeed clamav-milter is capable of talking to multiple clamds for redundancy
221
I suggest putting SpamAssassin first since you're more likely to get spam
222
than a virus/worm sent to you.
224
Add to /etc/sysconfig/clamav-milter
225
CLAMAV_FLAGS="local:/var/run/clamav/clmilter.sock"
226
or if clamd is on a different machine
227
CLAMAV_FLAGS="--server=192.168.1.9 local:/var/run/clamav/clmilter.sock"
229
If you want clamav-milter to listen on TCP for communication with sendmail,
230
for example if they are on different machines use inet:<port>.
231
On machine A (running sendmail) you would have in sendmail.mc:
232
INPUT_MAIL_FILTER(`clamav', `S=inet:3311@machineb, F=T, T=S:4m;R:4m')dnl
233
On machine B (running clamav-milter) you would start up clamav-milter thus:
234
clamav-milter inet:3311
236
You should have received a script to put into /etc/init.d with this software.
238
You should always start clamd before clamav-milter.
240
You may also think about the F= entry in sendmail.mc, since it tells sendmail
241
what to do with emails if clamav-milter is not running. Setting F=T will tell
242
the remote end to resend later (temporary failure), setting F=R will reject
243
the email (permanent failure) and setting F= will pass the email through as
244
though clamav-milter were not installed, in this case you should warn your
245
users that emails are not being scanned. We recommend setting F=T.
247
You may wish to experiment with the T= entry which governs timeout options. You
248
MUST set some type of timeout or a malicious client could cause a Denial of
249
Service attack by keeping your clamav-milter threads alive. The types of
250
timeout are C (time for clamav-milter to acknowledge to sendmail that it
251
has accepted a new connection), S (timeout for sending information from sendmail
252
to clamav-milter), R (timeout for sendmail reading a reply from clamav-milter
253
when it has been sent some information) and E (timeout for clamav-milter to
254
handle the end-of-message request, this needs to be high enough to scan the
255
largest file that you will receive since it is at this stage that the file is
256
scanned, but short enough to ensure that a DoS can't occur when lots of scans
257
are requested). The important entries for clamav-milter are C and E (both
258
default to 5 minutes).
260
WARNING: When running on internal mode (--external is NOT used), clamav-milter
261
will need to wait for all connections to stop before it can reload the database
262
after running freshclam. It is therefore important that NO timeouts in
263
sendmail.cf are set too high or worse still turned off, otherwise clamav-milter
264
can wait a long time, perhaps indefinately, while waiting for the system to
265
quieten down. The same goes for disabling StreamMaxLength, since receiving a
266
very large email to be scanned may take a long time. We advise setting
267
StreamMaxLength to 1M.
269
Don't forget to rebuild sendmail.cf after modifying sendmail.mc. You will
270
need to restart sendmail after rebuilding sendmail.cf and starting clamd and
273
As with all software it is wise to ensure that clamav-milter has the least
274
privileges it needs to run. So don't run it as root and don't store the sockets
275
in a directory that can be written by everyone. For example ensure that /var/run
276
is owned and writeable only by root and add entries for 'User' and
277
'FixStaleSocket' in clamd.conf.
279
When using UNIX domain sockets via the LocalSocket option of clamd.conf,
280
we recommend that you use the --quarantine-dir option since that may improve
283
If you wish to send a warning when a message is blocked, clamav-milter MUST be
284
able to call sendmail, for example on a Fedora Linux system:
286
# ls -lL /usr/lib/sendmail
287
-rwxr-sr-x 1 root smmsp 732356 Sep 1 11:16 /usr/lib/sendmail
289
To test that your clamAV system is now intercepting viruses, visit
290
http://www.testvirus.org
292
If, under heavy strain on Linux, you see the message
293
thread_create() failed: 12, abort
294
appearing in a log file, you will need to increase the number of threads on
295
your system (/proc/sys/kernel/threads-max), or decrease the value of
300
Clamav-milter has only been designed to work with Sendmail. I understand that
301
modern versions of Postfix have milter support, and I've heard that
302
Clamav-milter runs with these versions of Postfix, however it is not supported
303
with that software and I do not know how much functionality works.
305
To start clamav-milter:
307
# clamav-milter --sendmail-cf= --max-children=2 \
308
--timeout=0 --pidfile=/var/run/clamav/clamav-milter \
309
local:/var/spool/postfix/clamav/clamav-milter
310
# chown clamav:postfix /var/spool/postfix/clamav/clamav-milter
311
# chmod g+w /var/spool/postfix/clamav/clmilter
313
In /etc/postfix/main.cf set:
314
smtpd_milters = unix:clamav/clamav-milter
315
non_smtpd_milters = unix:clamav/clamav-milter
321
4. INTERNATIONALISATION
323
The .po file was created with the command
324
xgettext --msgid-bugs-address=bugs@clamav.net --copyright-holder=njh@bandsman.co.uk -L c -d clamav-milter -k_ clamav-milter.c
326
If you're interested in helping to translate this program please drop the
331
Please send bug reports and/or comments to Nigel Horne <njh@clamav.net> or
334
Various tips will go here, for example
335
define(`confMILTER_LOG_LEVEL',`22')
336
Running in the foreground, valgrind, LogSyslog, LogVerbose, LogFile etc.
340
Patches are welcome, but they must be against the latest CVS version and adhere
341
to the coding style of clamav-milter. Coding style is religious, everyone
342
believes theirs is great and all others are rubbish.
344
This is my coding style, live with it. You don't want me in a bad mood because
345
I can't read your code when I'm deciding if your code should be incorporated.
347
Most of this style is based on K&R.
349
Use the tab key, not space key, to indent.
351
Except for functions, braces always go on the same line as the condition.
353
Don't leave to chance, or your knowledge of precedence, use brackets to
354
highten the readability.
356
Choose variable names sensibly, don't use Hungarian style.
358
The code is ANSI C, not C++, remember that when thinking of comment formats,
359
location of declarations, etc.
361
Patches which use 'goto' will never, ever, be accepted.
363
Use the design of your code as comments.
365
Test your patches and document the tests when submitting, e.g. different
366
hardware, operating systems, test tools such as valgrind, compilers (gcc, icc,
369
Function names appear at the start of lines (I use ctags).
371
Document your changes. If you add, remove, or change functionality you will
372
need to update the manual page and possibly the usage message as well.
376
There are several ideas marked as TODO in the source code. If anyone has
377
any other suggestions please feel free to contact me.
added
removed
clamav-milter/INSTALL
