##
## Example config file for clamav-milter
##

# Comment or remove the line below.
Example

##
## Main options
##

# Define the interface through which we communicate with sendmail
# This option is mandatory! Possible formats are:
# [[unix|local]:]/path/to/file - to specify a unix domain socket
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
#
# Default: no default
#MilterSocket /tmp/clamav-milter.socket
#MilterSocket inet:7357

# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup

# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
#MilterSocketMode 660

# Remove stale socket after unclean shutdown.
#
# Default: yes
#FixStaleSocket yes

# Run as another user (clamav-milter must be started by root for this option to work)
#
# Default: unset (don't drop privileges)
#User clamav

# Initialize supplementary group access (clamav-milter must be started by root).
#
# Default: no
#AllowSupplementaryGroups no

# Waiting for data from clamd will timeout after this time (seconds).
# Value of 0 disables the timeout.
#
# Default: 120
#ReadTimeout 300

# Don't fork into background.
#
# Default: no
#Foreground yes

# Chroot to the specified directory.
# Chrooting is performed just after reading the config file and before dropping privileges.
#
# Default: unset (don't chroot)
#Chroot /newroot

# This option allows you to save a process identifier of the listening
# daemon (main thread).
#
# Default: disabled
#PidFile /var/run/clamav-milter.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#
#TemporaryDirectory /var/tmp

##
## Clamd options
##

# Define the clamd socket to connect to for scanning.
# This option is mandatory! Syntax:
# ClamdSocket unix:path
# ClamdSocket tcp:host:port
# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
# ClamdSocket unix:/var/run/clamd/clamd.socket
# The second syntax specifies a local or remote tcp socket: the
# host can be a hostname or an ip address; the ":port" field is only required
# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
# ClamdSocket tcp:192.168.0.1
#
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin fashion.
#
# Default: no default
#ClamdSocket tcp:scanner.mydomain:7357

##
## Exclusions
##

# Messages originating from these hosts/networks will not be scanned.
# This option takes a host(name)/mask pair in CIDR notation and can be
# repeated several times. If "/mask" is omitted, a host is assumed.
# To specify a locally originated, non-smtp, email use the keyword "local".
#
# Default: unset (scan everything regardless of the origin)
#LocalNet local
#LocalNet 192.168.0.0/24
#LocalNet 1111:2222:3333::/48

# This option specifies a file which contains a list of basic POSIX regular
# expressions. Addresses (sent to or from - see below) matching these regexes
# will not be scanned. Optionally each line can start with the string "From:"
# or "To:" (note: no whitespace after the colon) indicating if it is,
# respectively, the sender or recipient that is to be whitelisted.
# If the field is missing, "To:" is assumed.
# Lines starting with #, : or ! are ignored.
#
# Default: unset (no exclusion applied)
#Whitelist /etc/whitelisted_addresses

# Messages from authenticated SMTP users matching this extended POSIX
# regular expression (egrep-like) will not be scanned.
# As an alternative, a file containing a plain (not regex) list of names (one
# per line) can be specified using the prefix "file:".
# e.g. SkipAuthenticated file:/etc/good_guys
#
# Note: this is the AUTH login name!
#
# Default: unset (no whitelisting based on SMTP auth)
#SkipAuthenticated ^(tom|dick|henry)$

# Messages larger than this value won't be scanned.
# Make sure this value is lower than or equal to StreamMaxLength in clamd.conf
#
# Default: 25M
#MaxFileSize 10M

##
## Actions
##

# The following group of options controls the delivery process under
# different circumstances.
# The following actions are available:
# - Accept
#   The message is accepted for delivery
# - Reject
#   Immediately refuse delivery (a 5xx error is returned to the peer)
# - Defer
#   Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
#   Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
#   Like Accept but the message is quarantined instead of being delivered
#
# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold
#
# Action to be performed on clean messages (mostly useful for testing)
# Default: Accept
#OnClean Accept

# Action to be performed on infected messages
# Default: Quarantine
#OnInfected Quarantine

# Action to be performed on error conditions (this includes failure to
# allocate data structures, no scanners available, network timeouts,
# unknown scanner replies and the like)
# Default: Defer
#OnFail Defer

# This option allows you to set a specific rejection reason for infected messages
# and is therefore only useful together with "OnInfected Reject".
# The string "%v", if present, will be replaced with the virus name.
# Default: MTA specific
#RejectMsg

# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
# "X-Virus-Status" header will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to "Add", the X-Virus headers are added, possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
#AddHeader Replace

# When AddHeader is in use, this option allows you to set an arbitrary reported
# hostname. This may be desirable in order to avoid leaking internal names.
# If unset the real machine name is used.
# Default: disabled
#ReportHostname my.mail.server.name

# Execute a command (possibly searching PATH) when an infected message is found.
# The following parameters are passed to the invoked program in this order:
# virus name, queue id, sender, destination, subject, message id, message date.
# Note #1: this requires MTA macros to be available (see LogInfected below)
# Note #2: the process is invoked in the context of clamav-milter
# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
# avoid unnecessary delays in email delivery
# Default: disabled
#VirusAction /usr/local/bin/my_infected_message_handler

##
## Logging options
##

# Uncomment this option to enable logging.
# LogFile must be writable for the user running the daemon.
# A full path is required.
#
# Default: disabled
#LogFile /tmp/clamav-milter.log

# By default the log file is locked for writing - the lock protects against
# running clamav-milter multiple times.
# This option disables log file locking.
#
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
#
# Default: 1M
#LogFileMaxSize 2M

# Log time with each message.
#
# Default: no
#LogTime yes

# Use system logger (can work together with LogFile).
#
# Default: no
#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
#
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
#
# Default: no
#LogVerbose yes

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes

# This option allows you to tune what is logged when a message is infected.
# Possible values are Off (the default - nothing is logged),
# Basic (minimal info logged), Full (verbose info logged)
# Note:
# For this to work properly in sendmail, make sure the msg_id, mail_addr,
# rcpt_addr and i macros are available in eom. In other words add a line like:
# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
# to your .cf file. Alternatively use the macro:
# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
# Postfix should be working fine with the default settings.
#
# Default: disabled
#LogInfected Basic

# This option allows you to tune what is logged when no threat is found in a scanned message.
# See LogInfected for possible values and caveats.
# Useful in debugging but drastically increases the log size.
# Default: disabled
#LogClean Basic

# This option affects the behaviour of LogInfected, LogClean and VirusAction
# when a message with multiple recipients is scanned:
# If SupportMultipleRecipients is off (the default)
# then one single log entry is generated for the message and, in case the
# message is determined to be malicious, the command indicated by VirusAction
# is executed just once. In both cases only the last recipient is reported.
# If SupportMultipleRecipients is on:
# then one line is logged for each recipient and the command indicated
# by VirusAction is also executed once for each recipient.
#
# Note: although it's probably a good idea to enable this option, the default value
# is currently set to off for legacy reasons.
# Default: no
#SupportMultipleRecipients yes
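The Exclusions section above describes three ways a message can bypass scanning (LocalNet, Whitelist, SkipAuthenticated), and the exact rules are easy to get wrong when auditing a deployment: "local" is a keyword rather than an address, a bare address means a single host, Whitelist lines default to "To:", lines beginning with #, : or ! are ignored, and the Whitelist uses POSIX basic regexes where ( ) | + ? are literal unless escaped. The following Python is an added example written for this page, not clamav-milter's own code: it models those rules so an operator can check which messages a given set of exclusions would leave unscanned. The whitelist body, the good_guys list, the message dictionaries, the hostname-free handling of LocalNet (only IP literals are resolved) and the policy that any single matching recipient excludes the message are all constructed assumptions of the example.

```python
import ipaddress
import re

# Constructed sample Whitelist file body (not from the page). Follows the format
# described above: optional "From:"/"To:" prefix, basic POSIX regex, and lines
# starting with '#', ':' or '!' ignored. A missing prefix means "To:".
SAMPLE_WHITELIST = """\
# a comment: ignored
:ignored too
!and this one
From:^noreply@example\\.org$
To:^postmaster@
abuse+\\(tickets\\)@example\\.org
"""

# Constructed stand-in for /etc/good_guys: a plain (not regex) list, one AUTH name per line.
SAMPLE_GOOD_GUYS = "alice\nbob\n"


def bre_to_python(pattern):
    """Approximate a POSIX *basic* regex as a Python regex.

    In a BRE the characters ( ) { } | + ? are literal unless backslash-escaped;
    Python's re has the opposite convention, so the escaping is flipped here.
    Assumption for this example: other BRE extensions (e.g. \\< \\>) are not handled.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(nxt if nxt in "(){}|+?" else c + nxt)
            i += 2
            continue
        out.append("\\" + c if c in "(){}|+?" else c)
        i += 1
    return "".join(out)


def parse_whitelist(text):
    """Parse a Whitelist file body into (field, compiled regex) pairs."""
    rules = []
    for line in text.splitlines():
        if not line or line[0] in "#:!":        # lines starting with #, : or ! are ignored
            continue
        field = "To"                            # missing field means "To:"
        if line.startswith("From:"):
            field, line = "From", line[len("From:"):]
        elif line.startswith("To:"):
            line = line[len("To:"):]
        rules.append((field, re.compile(bre_to_python(line))))
    return rules


def parse_localnet(values):
    """LocalNet values: the keyword "local", or an IP with an optional /mask."""
    local, nets = False, []
    for v in values:
        if v == "local":
            local = True
        else:
            # a bare address (no "/mask") becomes a single-host network
            nets.append(ipaddress.ip_network(v, strict=False))
    return local, nets


def parse_skip_authenticated(value, read_file):
    """Return a predicate over the SMTP AUTH login name (regex or file: list)."""
    if value.startswith("file:"):
        names = {n for n in read_file(value[len("file:"):]).splitlines() if n}
        return lambda login: login in names
    rx = re.compile(value)                      # extended (egrep-like) regex
    return lambda login: rx.search(login) is not None


def should_scan(msg, local_ok, nets, whitelist, skip_auth):
    """Decide whether a message is scanned; returns (scan?, reason)."""
    if msg.get("local") and local_ok:
        return False, "LocalNet local"
    ip = msg.get("client_ip")
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                return False, "LocalNet %s" % net
    for field, rx in whitelist:
        # assumption for this example: one matching recipient excludes the whole message
        candidates = [msg["from"]] if field == "From" else msg["to"]
        if any(rx.search(a) for a in candidates):
            return False, "Whitelist %s:%s" % (field, rx.pattern)
    login = msg.get("auth_login")
    if login and skip_auth(login):
        return False, "SkipAuthenticated"
    return True, "no exclusion matched"


# Wire the constructed sample configuration together (values mirror the page's examples).
LOCAL_OK, NETS = parse_localnet(["local", "192.168.0.0/24", "1111:2222:3333::/48"])
WHITELIST = parse_whitelist(SAMPLE_WHITELIST)
SKIP_AUTH = parse_skip_authenticated("file:/etc/good_guys", lambda path: SAMPLE_GOOD_GUYS)


def decide(msg):
    return should_scan(msg, LOCAL_OK, NETS, WHITELIST, SKIP_AUTH)
```

Running decide() over a handful of synthetic messages shows how broad the combined exclusions are; in particular, a SkipAuthenticated match keys only on the AUTH login name, so a compromised submission account is excluded from scanning entirely, which is worth weighing before enabling it.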
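Several constraints in this file are stated in comments but not enforced by the format itself: the "Example" line must be commented out or removed, MilterSocket and ClamdSocket are mandatory, a unix: ClamdSocket needs an absolute path, Blackhole and Quarantine are not available for OnFail, RejectMsg only matters with "OnInfected Reject", MaxFileSize must not exceed StreamMaxLength in clamd.conf, sizes take K/k/M/m modifiers, and a missing User means privileges are not dropped. The Python below is an added example for this page, not part of ClamAV, that parses a clamav-milter.conf and reports those problems. The sample config and the StreamMaxLength value passed in by the caller are constructed assumptions; the option-name/value line format and the checks themselves come from the comments above.

```python
import re

# Constructed sample clamav-milter.conf (not from the page); it deliberately
# keeps the "Example" line and sets a few values the comments above warn against.
SAMPLE_CONF = """\
Example
MilterSocket inet:7357
ClamdSocket tcp:scanner.mydomain:7357
ClamdSocket unix:/var/run/clamd/clamd.socket
OnInfected Reject
OnFail Quarantine
RejectMsg Message refused: %v
MaxFileSize 30M
LogFileMaxSize 2M
"""

ACTIONS = {"Accept", "Reject", "Defer", "Blackhole", "Quarantine"}

# [[unix|local]:]/path  |  inet:port@host  |  inet6:port@host   (host part optional)
MILTER_SOCKET = re.compile(r"^(?:(?:unix|local):)?/.+$|^inet6?:\d+(?:@\S+)?$")


def parse_conf(text):
    """Return (options, flags). Repeated options keep every value, in order;
    a line with no value (such as "Example") is recorded as a flag."""
    opts, flags = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        if not value.strip():
            flags.add(name)
        else:
            opts.setdefault(name, []).append(value.strip())
    return opts, flags


def parse_size(text):
    """'10M' -> bytes. 'K'/'k' = 1024, 'M'/'m' = 1048576, no modifier = bytes."""
    m = re.fullmatch(r"(\d+)([KkMm]?)", text)
    if not m:
        raise ValueError("bad size: %r" % text)
    n, unit = int(m.group(1)), m.group(2).lower()
    return n * {"": 1, "k": 1024, "m": 1048576}[unit]


def check_clamd_socket(value):
    """unix:<absolute path> or tcp:<host>[:port]; returns None or an error string."""
    if value.startswith("unix:"):
        return None if value[5:].startswith("/") else "unix socket path must be absolute"
    if value.startswith("tcp:"):
        return None if value[4:] else "tcp: needs a host"
    return "must start with unix: or tcp:"


def lint(text, stream_max_length="25M"):
    """Return 'ERROR'/'WARN'/'INFO' findings. stream_max_length is the
    StreamMaxLength from clamd.conf, supplied by the caller (assumed here)."""
    opts, flags = parse_conf(text)
    out = []
    if "Example" in flags:
        out.append("ERROR: the 'Example' line must be commented out or removed")
    if "MilterSocket" not in opts:
        out.append("ERROR: MilterSocket is mandatory")
    else:
        for v in opts["MilterSocket"]:
            if not MILTER_SOCKET.match(v):
                out.append("ERROR: MilterSocket %r is not a unix path, inet:port@host or inet6:port@host" % v)
    if "ClamdSocket" not in opts:
        out.append("ERROR: ClamdSocket is mandatory")
    else:
        for v in opts["ClamdSocket"]:
            err = check_clamd_socket(v)
            if err:
                out.append("ERROR: ClamdSocket %s: %s" % (v, err))
    for opt in ("OnClean", "OnInfected", "OnFail"):
        for v in opts.get(opt, []):
            if v not in ACTIONS:
                out.append("ERROR: %s %s is not a known action" % (opt, v))
            elif opt == "OnFail" and v in ("Blackhole", "Quarantine"):
                out.append("ERROR: %s is not available for OnFail" % v)
    if "RejectMsg" in opts and opts.get("OnInfected", ["Quarantine"])[-1] != "Reject":
        out.append("WARN: RejectMsg only takes effect together with 'OnInfected Reject'")
    if parse_size(opts.get("MaxFileSize", ["25M"])[-1]) > parse_size(stream_max_length):
        out.append("WARN: MaxFileSize exceeds StreamMaxLength in clamd.conf")
    if "User" not in opts:
        out.append("WARN: User is unset, so clamav-milter will not drop privileges")
    if "LogFileMaxSize" in opts and parse_size(opts["LogFileMaxSize"][-1]) > 0:
        out.append("INFO: LogFileMaxSize is set, so LogRotate is always enabled")
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

The linter treats the last occurrence of a single-valued option as the effective one and keeps every ClamdSocket, since that option is the one the file says may be repeated for round-robin selection. Pass the real StreamMaxLength from clamd.conf to lint() so the MaxFileSize comparison reflects the scanner the milter actually talks to.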