| clamsmtpd(8) | System Manager's Manual | clamsmtpd(8) |
clamsmtpd — an
SMTP server for scanning viruses via clamd
clamsmtpd |
[-d level]
[-f configfile]
[-p pidfile] |
clamsmtpd |
-v |
clamsmtpd is an SMTP filter that allows
you to check for viruses using the ClamAV anti-virus software. It accepts
SMTP connections and forwards the SMTP commands and responses to another
SMTP server.
The DATA email body is intercepted and scanned before forwarding. By default email with viruses are dropped silently and logged without any additional action taken.
clamsmtpd aims to be lightweight and
simple rather than have a myriad of options. The options it does have are
configured by editing the clamsmtpd.conf(5) file. See the
man page for clamsmtpd.conf(5) for more info on the
default location of the configuration file.
Previous versions had more options. These still work for now but have equivalents in clamsmtpd.conf(5) and are not documented here. The options are as follows.
-d-fclamsmtpd configuration file. See
clamsmtpd.conf(5) for more details on where the
configuration file is located by default.-pclamsmtpd and can be used to stop the daemon.-vclamsmtpd logs to
syslogd by default under the 'mail' facility. You can also
output logs to the console using the -d option.
In some cases it's advantageous to consolidate the virus scanning
and filtering for several mail servers on one machine.
clamsmtpd allows this by providing a loopback
feature to connect back to the IP that an SMTP connection comes in from.
To use this feature specify only a port number (no IP address) for
the OutAddress setting in the configuration file. This
will cause clamsmtpd to pass the email back to the
said port on the incoming IP address.
Make sure the MaxConnections setting is set high enough to handle the mail from all the servers without refusing connections.
A transparent proxy is a configuration on a gateway that routes
certain types of traffic through a proxy server without any changes on the
client computers. clamsmtpd has support for
transparent proxying of SMTP traffic by enabling the
TransparentProxy setting. This type of setup usually
involves firewall rules which redirect traffic to
clamsmtpd and the setup varies from OS to OS. The
SMTP traffic will be forwarded to it's original destination after being
scanned.
When doing transparent proxying for outgoing email it's probably a good idea to turn on bounce notifications using the Action: bounce setting. Also note that some features (such as SSL/TLS) will not be available when going through the transparent proxy.
Make sure that the MaxConnections setting is
set high enough for your transparent proxying. Because
clamsmtpd is not being used as a filter inside a
queue, which usually throttles the amount of email going through, this
setting may need to be higher than usual.
Using the VirusAction option you can run a script or program whenever a virus is found. This may be handy in certain circumstances but it has several drawbacks. For one, the performance of the virus filtering will take a hit, perhaps DOS'ing your machine under heavy load. Secondly as with running any program there are security implications to be considered.
Please consider the above carefully before implementing a virus action.
The script is run without its output being logged, or return value being checked. Because of this you should test it thoroughly. Make sure it runs without problems under the user that clamsmtpd(8) is being run as.
Various environment variables will be present when your script is run. You may need to escape them properly before use in your favorite scripting language. Failure to do this could lead to a REMOTE COMPROMISE of your machine.
clamsmtpd is being used to filter email between
SMTP servers, then this is the IP address of the original client. In order
for this information to be present (a) the SMTP client (sending server)
must an send an XFORWARD command and (b) the SMTP server (receiving
server) must accept that XFORWARD command without error.clamsmtpd is being used to filter email between
SMTP servers, then this is the HELO/EHLO banner of the original client. In
order for this information to be present (a) the SMTP client (sending
server) must an send an XFORWARD command and (b) the SMTP server
(receiving server) must accept that XFORWARD command without error.There's no reason to run this daemon as root. It is meant as a filter and should listen on a high TCP port. It's probably a good idea to run it using the same user as the clamd(8) daemon. This way the temporary files it writes are accessible to clamd(8)
Care should be taken with the directory that
clamsmtpd writes its temporary files to. In order to
be secure, it should not be a world writeable location. Specify the
directory using the TempDirectory setting.
When using the VirusAction option make sure you understand the security issues involved. Unescaped environment variables can lead to execution of arbitrary shell commands on your machine.
If running clamsmtpd on a publicly
accessible IP address or without a firewall please be sure to understand all
the possible security issues. This is especially true if the loopback
feature is used (see above).
Stef Walter ⟨stef@memberwebs.com⟩
| September, 2004 | clamsmtp |