How to ClamAV Postfix Integration on CentOS

ClamAV is an open source (GPL) anti-virus toolkit for UNIX/Linux

Especially for e-mail scanning on mail gateways. It offers a number of utilities, including a flexible and scalable multi-threaded daemon, as well as a command line scanner as an advanced tool for automatic database updates. The core of the package provides an anti-virus engine in the form of a shared library.

This article describes the integration of ClamAV on a CentOS 6 Mail Gateway (MTA) with Postfix.

First, the ClamAV daemon from the EPL repo is installed on the MTA.

$ yum --enablerepo=epel -y install clamd clamsmtp

After installation, the ClamAV-SMTP daemon is configured to remove the comment character (uncomment) from the listed lines.

vi /etc/clamsmtpd.conf

Lists: 0.0.0.0:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop

Now the services can be started.

$ service clamsmtpd start

Download the antivirus DB with freshclam.

$ freshclam

Start the ClamAV Daemon

$ service clamsmtp-clamd start

Enable automatic system startup.

$ chkconfig clamsmtpd on
$ chkconfig clamsmtp-clamd on

Postfix content-filter integration takes place in main.cf, via port 10025 to ClamAV, from master.cf via port 10026 the return transport to Postfix.

vi /etc/postfix/main.cf

content_filter = scan:127.0.0.1:10025

vi /etc/postfix/master.ch

scan unix - - n - 16 smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
127.0.0.1:10026 inet n - n - 16 smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks_style=host
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Postfix must now be restarted.

$ service postfix restart

With netstat, the daemon readiness can be checked.

[root@mail ~]netstat -talpn | grep clam
tcp 0 0 0.0.0.0:10025 0.0.0.0:* LISTEN 21645/clamsmtpd

ClamAV can be checked with telnet, if everything works should the following result be output.

[root@mail ~]telnet localhost 10025
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is 'A]'.
220 smtp.passthru
ehlo localhost
250-smtp.passthru
250-SIZE 22000000
250-VRFY
250-ETRN
250-XFORWARDING NAME ADDR PROTO HELO SOURCE PORT
250-ENHANCED STATUS CODES
250-8BITMIME
250 DSN
Quit
221 2.0.0 Bye
Connection closed by foreign host.

[root@mail ~]telnet localhost 10026
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is 'A]'.
220 mail.odyssee.net ESMTP Postfix
ehlo localhost
250-mail.odyssee.net
250-PIPELINING
250-SIZE 22000000
250-VRFY
250-ETRN
250-XFORWARDING NAME ADDR PROTO HELO SOURCE PORT
250-ENHANCED STATUS CODES
250-8BITMIME
250 DSN
Quit
221 2.0.0 Bye
Connection closed by foreign host.

The mail protocol should also be consulted.

$ tail -f /var/log/maillog

The Internet Envelope appears in the E-mail Internet Headers (SMTP Envelope).

SMTP Internet Headers

Troubleshooting

If mail is no longer received, the following error is likely to be found in maillog:

clamsmtpd: 100006: CLAMAV: couldn’t connect to: /var/run/clamd.clamsmtp/clamd.sock: No such file or directory
clamsmtpd: 100004: SERVER: couldn’t connect to: 127.0.0.1:10026: Transport endpoint is not connected

The clamd deamon is no longer active. To restart the clamav services, they can be stopped in the console and restarted in the loop:

$ service clamd stop
$ service clamsmtp-clamd stop
$ service clamsmtpd stop
$ service clamd start
$ service clamsmtp-clamd start
$ service clamsmtpd start

After clamd and clamsmtpd is started, the active ports can be checked as follows:

$ ls -al /var/run/clamd.clamsmtp/clamd.pid
-rw-rw-r-- 1 clamsmtp mail 6 Oct 28 16:24 /var/run/clamd.clamsmtp/clamd.pid

$ netstat -tulpn
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 21134/clamsmtpd
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 21272/master

Furthermore, mails could still be in the queue, these could be removed with the command mailq and postqueue processed.

$ mailq
$ postqueue -f

Source: https://www.clamav.net/

FortiGate subnet overlapping remapping

FortiGate in a site-to-site VPN configuration, the private IPv4 Subnet addresses at each scheduled end can often be the same. The problem can be solved by remapping the private IPv4 addresses using virtual IP addresses (VIP).

VIPs allow computers in its overlapping private subnets to be assigned a different range of IP addresses, and the subnets can be used transparently. The FortiGate appliance converts the VIP addresses to the original addresses. This means that if PC1 starts a session with PC2 at 10.31.101.10, FortiGate_2 the session to PC2, which actually has the IP address 10.11.101.10.

Figure shows – Finance Network VIP is 10.21.101.0/24 and the HR network has 10.31.101.0/24.

Overlapping subnets Example

Configuration of a route-based VPN solution:

Create an IPsec Phase 1 and Phase 2, as you would normally do for a route-based VPN. This example refers to the resulting IPsec interface as IPsec_FGT1_2_FGT2.

Configuring Virtual IP (VIP) Mapping, under Policy & Objects > Virtual IPs > Create New

New Virtual IP

Create IP Pool for Subnet Remmaping under Objects – IP Pools.

New IP Pool

Configure an outbound policy on both FortiGate, under Policy & Objects > IPv4 Policy > Create New, Leave the Policy Type on Firewall and the Policy Subtype as the address:

Policy outbound

To configure the inbound policy:

Policy inbound

To configure the Static Route:

Static Route

Repeat this process on both FortiGate, FGT1 and FGT2, taking into account the corresponding subnets, 10.21.101.0/24 and 10.31.101.0/24.

Exit mobile version