Configuration of ClamAV on Fedora Core 21 with Postfix

Question

I was unable to find any help anywhere on installing Clamav on a modern Fedora system. All the advice out there is old and doesn't apply - so far as I found anyway.

And, it's not enough straight-forward that I know what to do! The most important missing link appears to be what I tell to Postfix on how to call ClamAV. However, it's also completely unclear where configuration options are to be defined.

I've installed these versions:

clamav-0.98.6-1.fc21.x86_64 
clamav-filesystem-0.98.6-1.fc21.noarch 
clamav-data-0.98.6-1.fc21.noarch 
clamav-lib-0.98.6-1.fc21.x86_64

And again, this is Fedora Core 21. The installed Postfix is:

postfix-2.11.3-1.fc21.x86_64

I can't seem to find a file called clamav-milter.conf, though there's a man page for it (try 'man clamav-milter.conf') Somewhere I found a reference that intimated that file belongs in /etc.

I imagine that there needs to be an entry made in Postfix's main.cf to create or add an entry called smtpd_milters to include whatever link is needed to tell Postfix how to call clamav. PRESENTLY I have an entry for openDKIM:

# This is for openDKIM - missing are clamav and spamassassin:
smtpd_milters = inet:localhost:8891

CLEARLY there should be installation directions somewhere, but NONE of what I've found pertains to these versions. Please either tell me how this should be done or point me to where I can find a competent write-up that DOES apply!

Answer 1

It turns out that there's a LOT to this.

First, someone NOT familiar with this exact problem pointed out that maybe I didn't have enough of the software installed. What I had installed is listed in the question above. However, I did a yum list clamav-* and found there were packages available I did not have installed, including a milter, among other things.

When I tried yum install clamav-* it FAILED, as follows:

# yum install clamav-*
Loaded plugins: langpacks
pgdg94                                                      | 3.6 kB  00:00
updates/21/x86_64/metalink                                  |  14 kB  00:00
pgdg94/21/x86_64/primary_db                                 |  91 kB  00:05
Package clamav-data-0.98.6-1.fc21.noarch already installed and latest version
Package clamav-0.98.6-1.fc21.x86_64 already installed and latest version
Package clamav-lib-0.98.6-1.fc21.x86_64 already installed and latest version
Package clamav-filesystem-0.98.6-1.fc21.noarch already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package clamav-data-empty.noarch 0:0.98.6-1.fc21 will be installed
---> Package clamav-devel.x86_64 0:0.98.6-1.fc21 will be installed
---> Package clamav-milter.x86_64 0:0.98.6-1.fc21 will be installed
---> Package clamav-milter-systemd.noarch 0:0.98.6-1.fc21 will be installed
---> Package clamav-scanner.noarch 0:0.98.6-1.fc21 will be installed
---> Package clamav-scanner-systemd.noarch 0:0.98.6-1.fc21 will be installed
---> Package clamav-server.x86_64 0:0.98.6-1.fc21 will be installed
---> Package clamav-server-systemd.noarch 0:0.98.6-1.fc21 will be installed
---> Package clamav-server-sysvinit.noarch 0:0.98.6-1.fc21 will be installed
---> Package clamav-unofficial-sigs.noarch 0:3.7.1-12.fc21 will be installed
---> Package clamav-update.x86_64 0:0.98.6-1.fc21 will be installed
--> Processing Conflict: clamav-data-0.98.6-1.fc21.noarch conflicts data(clamav) < full
--> Processing Conflict: clamav-data-empty-0.98.6-1.fc21.noarch conflicts data(clamav) > empty
--> Finished Dependency Resolution
Error: clamav-data-empty conflicts with clamav-data-0.98.6-1.fc21.noarch
Error: clamav-data conflicts with clamav-data-empty-0.98.6-1.fc21.noarch
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
#

So, instead of using --skip-broken, or the other option, I went with excluding the problematic package with yum install clamav-* -x clamav-data-empty - which worked just fine.

This gave me some of the files I knew were clearly missing, so I figured I was on my way. After stumbling a long a bit, I noticed the comment from serverfault's masegaloeh that pointed out this page: http://pantestmb.blogspot.com/2013/10/fedora-19-systemctl-sendmail-clamav.html

It was very helpful! Here, I won't repeat everything it says, but rather comment on highlights or low-lights.

There are a lot of moving parts here, more than I expected. For example, I wasn't getting clamav-milter to start at all, and it was only after I gave it an updated database AND a program running that keeps that database up to date when it was finally happy. This was done by running freshclam and then starting clamd@scan.service. (My guess is that the 'data empty' package somehow addresses this.)

I also had a lot of "fun" getting the milter and scan service talking, most of which was my fault; it's worth pointing out that the default values given in the two key setup files, /etc/clamd/scan.conf and /etc/mail/clamav-milter.conf DO NOT MATCH.

Another very odd problem I had that frustrated me to no end was that the milter simply refused to start even when EVERYTHING seemed fine, according to the directions. It was only when I SLOWED DOWN and gave a several second pause between # systemctl start clamd@scan.service and # systemctl start clamav-milter.service that the dang thing started to work! IMAGINE, just waiting a moment before starting the milter made ALL THE DIFFERENCE! That one quirk cost me perhaps two hours! I simply couldn't imagine that I could type faster than the system could keep up! So, of course, I kept changing things around thinking there was still something to fix...

And that's about the extent of the helpfulness of the web page I cited above.

This did NOT YET result in a working system for me, though, but at least ClamAV components were up and ready. The last remaining feature is the integration with Postfix.

As it was at this point, things were at least better than they were before; instead of there being NO socket, the privileges were apparently wrong. The error message is:

postfix/smtpd[31665]: warning: connect to Milter service unix:/var/run/clamav-milter/clamav-milter.socket: Permission denied

...I tried everything I could think of to get the socket working, but I finally gave up and just went for the port connection instead. To do that, I configured clamav-milter.conf to include:

# 7357 appears to be the standard port for this...
milterSocket inet:7357

And changed postfix's main.cf to this:

smtpd_milters = inet:localhost:7357

AND IT WORKED. I understand local sockets are faster so I'd like to get that working, but just having it up at all as a relief.