ClamAV is a cross-platform antivirus. While it is generic and can scan files in many situations, in this guide we will only configure it to scan emails. Using an antivirus on a mail server serves two goals:
- You would not want yourself or someone else to get a virus that transited through your mail server.
- The vast majority of emails containing viruses are actually spam, which makes ClamAV a great complement to SpamAssassin.
$ sudo apt install clamav clamdscan clamav-daemon
The default signatures of ClamAV are quite useless against the rapidly changing zip attachments you find in spam.
Fortunately, Sanesecurity provides free, hourly updated databases that detect them. Getting them on your system is as simple as
$ sudo apt install clamav-unofficial-sigs
In the clamav-unofficial-sigs configuration, disable the two database sets affected by the Debian bugs referenced in the comments:
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228
si_dbs=""
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831607
mbl_dbs=""
Integrate with Exim
The ClamAV daemon runs as the user clamav. This user needs access to the mail spool for the scan to be possible.
$ sudo usermod -a -G Debian-exim clamav
$ sudo systemctl restart clamav-daemon.service
Create /etc/exim4/local-acl with the following content
deny malware = *
     message = This message was detected as possible malware ($malware_name).
and append the following lines to the Exim configuration
CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/local-acl
av_scanner = clamd:/var/run/clamav/clamd.ctl
Finally restart Exim
$ sudo systemctl restart exim4.service
Testing anti-virus software is commonly done using the EICAR anti-malware test file. Although this file is not a virus, it is recognised by all major anti-virus programs. This allows you to test them without risking infecting yourself.
To get the file, simply create a file with the following content
You can then email this file to yourself. It should be rejected by Exim.
Check the content of /var/log/exim4/paniclog for any issue.
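If the test message is not rejected, the following script, an added example that is not part of the original guide, checks the clamd side on its own: it streams the public EICAR test string to the socket named in av_scanner above (assumed to be the path on your system) using clamd's INSTREAM command, so you can tell a scanner problem from an Exim ACL problem.

```python
import socket
import struct

# Socket path from the av_scanner setting above (assumed to match your install).
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

# The public EICAR test string (eicar.org): harmless, but detected by every major scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_instream_request(data: bytes, chunk_size: int = 4096) -> bytes:
    """Frame data for clamd's INSTREAM command: the null-terminated command, then
    length-prefixed (network-order uint32) chunks, ended by a zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)


def parse_clamd_reply(reply: bytes):
    """Turn 'stream: OK' or 'stream: <signature> FOUND' into (verdict, signature)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[: -len(" FOUND")]
    return "ERROR", verdict


def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET):
    """Scan data through the clamd socket Exim uses; raises OSError if clamd is down."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(30)
        sock.connect(socket_path)
        sock.sendall(build_instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


if __name__ == "__main__":
    verdict, signature = scan_bytes(EICAR)
    print(verdict, signature or "")
```

A FOUND verdict here but an undetected test email points at the Exim side (the ACL file or the macros), while an OSError means Exim cannot reach clamd either.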