ClamAV is an open source (GPL) anti-virus toolkit for UNIX/Linux, designed especially for e-mail scanning on mail gateways. It offers a number of utilities, including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. The core of the package provides an anti-virus engine in the form of a shared library.
This article describes the integration of ClamAV on a CentOS 6 Mail Gateway (MTA) with Postfix.
First, the ClamAV daemon from the EPEL repository is installed on the MTA.
yum --enablerepo=epel -y install clamd clamsmtp
After installation, the ClamAV-SMTP daemon is configured by removing the comment character (uncommenting) from the lines listed below.
vi /etc/clamsmtpd.conf
Listen: 0.0.0.0:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
Now the services can be started.
service clamsmtpd start
Download the antivirus DB with freshclam.
freshclam
Start the ClamAV daemon.
service clamsmtp-clamd start
Enable automatic system startup.
chkconfig clamsmtpd on
chkconfig clamsmtp-clamd on
The Postfix content-filter integration is configured in main.cf, which hands mail to ClamAV via port 10025. The return transport to Postfix via port 10026 is defined in master.cf.
vi /etc/postfix/main.cf
content_filter = scan:127.0.0.1:10025
vi /etc/postfix/master.cf
scan unix - - n - 16 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
Postfix must now be restarted.
service postfix restart
With netstat, you can check that the daemon is listening.
[root@mail ~]# netstat -talpn | grep clam
tcp 0 0 0.0.0.0:10025 0.0.0.0:* LISTEN 21645/clamsmtpd
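The netstat output shows the scanner port bound to 0.0.0.0, so it is reachable on every interface although only the local Postfix needs it. The shell function below is an added example, not part of the original article: it lints the three edited files for that binding, for a content_filter port that does not match Listen, and for a re-injection listener that fails to reset content_filter. The names check_filter_chain and demo and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_filter_chain CLAMSMTPD_CONF MAIN_CF MASTER_CF
# Prints one finding per line; returns 1 if there is any finding, else 0.
check_filter_chain() {
    _rc=0
    # Read the active (uncommented) settings; take the last if repeated.
    listen=$(sed -n 's/^Listen:[[:space:]]*//p' "$1" | tail -n 1)
    filter=$(sed -n 's/^content_filter[[:space:]]*=[[:space:]]*//p' "$2" | tail -n 1)

    # 1. Only the local Postfix needs to reach the scanner port.
    case $listen in
        127.0.0.1:*|localhost:*) ;;
        *) echo "WARN: Listen '$listen' is not loopback-only"; _rc=1 ;;
    esac

    # 2. Postfix must hand mail to the port clamsmtpd listens on.
    if [ "${filter##*:}" != "${listen##*:}" ]; then
        echo "FAIL: content_filter '$filter' does not match Listen '$listen'"
        _rc=1
    fi

    # 3. The re-injection smtpd must reset content_filter, otherwise
    #    scanned mail is handed back to the scanner in a loop.
    awk '/^[^ \t#]/ { svc = ($1 == "127.0.0.1:10026") }
         svc && /-o[ \t]+content_filter=([ \t]|$)/ { ok = 1 }
         END { exit !ok }' "$3" ||
        { echo "FAIL: 127.0.0.1:10026 lacks '-o content_filter='"; _rc=1; }
    return "$_rc"
}

# Constructed sample input mirroring the settings shown in the article.
demo() {
    d=$(mktemp -d)
    printf 'Listen: 0.0.0.0:10025\nAction: drop\n' > "$d/clamsmtpd.conf"
    printf 'content_filter = scan:127.0.0.1:10025\n' > "$d/main.cf"
    printf '127.0.0.1:10026 inet n - n - 16 smtpd\n  -o content_filter=\n' \
        > "$d/master.cf"
    demo_rc=0
    check_filter_chain "$d/clamsmtpd.conf" "$d/main.cf" "$d/master.cf" || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

demo || echo "findings reported above"
```

On the mail gateway itself the function would be called with /etc/clamsmtpd.conf, /etc/postfix/main.cf and /etc/postfix/master.cf.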
ClamAV can be checked with telnet; if everything works, the following output should appear.
[root@mail ~]# telnet localhost 10025
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp.passthru
ehlo localhost
250-smtp.passthru
250-SIZE 22000000
250-VRFY
250-ETRN
250-XFORWARDING NAME ADDR PROTO HELO SOURCE PORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

[root@mail ~]# telnet localhost 10026
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.odyssee.net ESMTP Postfix
ehlo localhost
250-mail.odyssee.net
250-PIPELINING
250-SIZE 22000000
250-VRFY
250-ETRN
250-XFORWARDING NAME ADDR PROTO HELO SOURCE PORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
The mail log should also be checked.
tail -f /var/log/maillog
The Internet Envelope appears in the E-mail Internet Headers (SMTP Envelope).

Troubleshooting
If mail is no longer received, the following error is likely to be found in maillog:
clamsmtpd: 100006: CLAMAV: couldn’t connect to: /var/run/clamd.clamsmtp/clamd.sock: No such file or directory
clamsmtpd: 100004: SERVER: couldn’t connect to: 127.0.0.1:10026: Transport endpoint is not connected
The clamd daemon is no longer active. To restart the ClamAV services, stop them in the console and then start them again one after another:
service clamd stop
service clamsmtp-clamd stop
service clamsmtpd stop

service clamd start
service clamsmtp-clamd start
service clamsmtpd start
After clamd and clamsmtpd are started, the active ports can be checked as follows:
ls -al /var/run/clamd.clamsmtp/clamd.pid
-rw-rw-r-- 1 clamsmtp mail 6 Oct 28 16:24 /var/run/clamd.clamsmtp/clamd.pid

netstat -tulpn
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 21134/clamsmtpd
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 21272/master
Furthermore, mails could still be in the queue; these can be displayed with mailq and processed with postqueue.
mailq
postqueue -f
Source: https://www.clamav.net/