clamav e-mail Linux procmail virus

Even Linux needs to scan for Windows Viruses

What, you say? Why would Linux need to scan for Windows viruses; surely they don't affect Linux. Well, it is true that a standard Linux O/S setup cannot be infected by Windows viruses, which cannot execute natively on it. However, almost every Linux setup I read about involves either acting as a file or mail server for Windows machines, or acting as a dual-boot/Wine host.

In these cases it is essential to run an antivirus tool to prevent your Windows machines from being infected by files sitting on a Samba share, a shared e-mail server or under Wine. In my case, my office server stores Windows documents on Samba shares and serves e-mail via the Dovecot IMAP server. The e-mails are fetched from various sources using fetchmail and passed through procmail for delivery to the correct mail folder.

The most common antivirus package on Linux is ClamAV; there are others available as well.

I will be speaking about my setup with ClamAV. It is the antivirus you will most often find on a Linux system because it is completely open source and free, and it is packaged by the major Linux distributions. I use Ubuntu throughout my business and ClamAV is included in the main repositories.

To get started, the simplest thing to do is install the packages:

sudo apt-get install clamav clamav-base clamav-freshclam clamav-daemon clamassassin

Let's go through this. We install the command-line scanner (clamav, which provides clamscan) and its base files (clamav-base), a daemon that keeps the virus and malware signatures up to date (clamav-freshclam), the ClamAV daemon itself (clamav-daemon, which provides clamd and clamdscan) which is very useful for scanning e-mail, and a script that runs an e-mail through ClamAV and records the result in mail headers (clamassassin).

There are two ways to scan your files: with clamscan, or with clamdscan, which hands the job to the daemon. clamscan loads the whole signature database every time it starts, so clamdscan is usually much faster because the daemon keeps the definitions loaded in memory. However, the daemon runs under its own user (clamav), so either add that user to whatever groups can read the files you want scanned, or run clamdscan with --fdpass, which passes open file descriptors to the daemon so it can read files the clamav user itself cannot.

I use clamscan within a script invoked from cron to provide a nightly scan with an e-mail summary.
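As an added example of that kind of nightly job (this is not the script from the post), here is a small cron script that runs clamscan over the shares, interprets clamscan's exit status, and mails a summary to root. The share paths, log file, recipient and the mail(1) command are assumptions; the log lines used to check the parsing are constructed, not real scan output.

```shell
#!/bin/sh
# Nightly ClamAV scan of the Samba shares with a summary e-mailed to root.
# Added example, not the original post's script. SCAN_DIRS, LOG and MAILTO
# are assumptions; adjust them to the shares you actually export.

SCAN_DIRS="/srv/samba /home"            # word-split on purpose: several dirs
LOG="/var/log/clamav/nightly.log"
MAILTO="root"

# clamscan exit status: 0 = nothing found, 1 = virus(es) found, 2 = error
scan_status() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "INFECTED" ;;
    *) echo "ERROR" ;;
  esac
}

# Pull the infected paths out of a clamscan log. Hits are reported as
# "<path>: <signature> FOUND"; everything else (OK lines, summary) is dropped.
infected_files() {
  grep ' FOUND$' "$1" | sed 's/: [^:]*FOUND$//'
}

# The summary block clamscan appends at the end of its report.
scan_summary() {
  sed -n '/SCAN SUMMARY/,$p' "$1"
}

run_scan() {
  : > "$LOG"
  # -r recurse, --infected report only hits; nice keeps it off the users' backs
  nice -n 19 clamscan -r --infected --log="$LOG" $SCAN_DIRS >/dev/null 2>&1
  rc=$?
  status=$(scan_status "$rc")
  {
    echo "ClamAV nightly scan finished: $status (exit status $rc)"
    echo
    echo "Infected files:"
    infected_files "$LOG"
    echo
    scan_summary "$LOG"
  } | mail -s "[clamav] nightly scan: $status" "$MAILTO"
  return "$rc"
}

# Cron entry (assumed path): 0 2 * * * root /usr/local/sbin/nightly-clamscan.sh run
if [ "${1:-}" = run ]; then
  run_scan
fi
```

Because an infected find gives exit status 1 rather than 0, anything that wraps this script (cron's own mail, a monitoring check) sees the difference between "clean", "something found" and "the scan itself broke" without parsing the log.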

To scan e-mail I needed to add a procmail recipe. Procmail is a wonderful piece of software which could use a better web page. It delivers mail based on a set of rules/patterns (recipes) set in a global file (/etc/procmailrc) and in each user's own ~/.procmailrc.

In my current setup I have fetchmail bringing down e-mail from my ISP and various other sources, procmail dropping the e-mails into the correct folders, and Exim, which currently acts only as a local and forwarding mail server. There is a way to tie ClamAV into Exim (its content-scanning ACLs), but Exim only sees mail that passes through it, and here that is only locally submitted and outgoing e-mail: the mail fetchmail pulls down is handed straight to procmail by the mda option and never touches Exim. So it would only catch outgoing e-mail, which I'm not worried about. The only appropriate place was procmail.

After some looking around I came up with this procmail recipe:

SUBJ_=`formail -xSubject: | expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`

# check if there is a virus and indicate in subject, don't actually delete it!
:0 fw
| /usr/bin/clamassassin

# clamassassin adds an X-Virus-Status: Yes/No header; on a hit, tag the
# subject and file the message in the virus folder (folder name assumed,
# the trailing slash delivers to a Maildir folder)
:0
* ^X-Virus-Status: Yes
{
  :0 fhw
  | formail -I"Subject: [**VIRUS**] ${SUBJ_}"

  :0
  virus/
}

To test it, use the EICAR test file rather than a real virus: it is a harmless 68-byte text string that every scanner, ClamAV included, reports as infected. Mail it to yourself as an attachment; the e-mail should be trapped and dropped into your virus folder with the subject altered.
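An added example (not from the post) of a test harness for the recipe: it assembles an EICAR test message in memory and pushes it through a copy of the recipe into a throwaway Maildir with procmail -m, so the virus branch can be checked without touching real mailboxes. It assumes procmail, formail and clamassassin (with clamd running) are installed and that the recipe above has been saved to a separate rc file whose path is passed as the argument; the addresses and message body are constructed.

```shell
#!/bin/sh
# Exercise the procmail virus recipe offline with the EICAR test file.
# Added example; assumes procmail, formail and clamassassin are installed
# and that the recipe is saved in its own rc file for testing.

# The EICAR string is assembled from two halves at runtime so that this
# script is not itself flagged when it is saved to disk.
eicar_string() {
  printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIR' 'US-TEST-FILE!$H+H*'
}

# Constructed test message: a short text part plus eicar.com as a base64
# attachment. The addresses are placeholders.
test_message() {
  b="eicar-test-boundary"
  printf 'From: sender@example.com\n'
  printf 'To: salik@example.com\n'
  printf 'Subject: quarterly figures\n'
  printf 'MIME-Version: 1.0\n'
  printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$b"
  printf '%s\nContent-Type: text/plain\n\nSee attached.\n\n' "--$b"
  printf '%s\nContent-Type: application/octet-stream; name="eicar.com"\n' "--$b"
  printf 'Content-Transfer-Encoding: base64\n\n'
  eicar_string | base64
  printf '\n%s\n' "--$b--"
}

# Decode the attachment back out of the message on stdin, to confirm the
# message is well formed before it goes anywhere near a mail server.
attachment_bytes() {
  awk '/^Content-Transfer-Encoding: base64$/ {f=1; next}
       f && /^--/ {exit}
       f && NF {print}' | base64 -d
}

# Deliver the test message through rc file $1 into a temporary MAILDIR and
# print how many messages landed in virus/new: 1 when clamd is running and
# the recipe works, 0 otherwise.
run_recipe() {
  rc="$1"
  dir=$(mktemp -d)
  test_message | procmail -m MAILDIR="$dir" DEFAULT="$dir/inbox/" "$rc"
  find "$dir/virus/new" -type f 2>/dev/null | grep -c .
  rm -rf "$dir"
}
```

To send the same message through the real chain instead, pipe test_message into sendmail -t; the Subject should arrive rewritten with the [**VIRUS**] tag and the message should be in the virus folder, not the inbox.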

My colleagues appreciate no longer having to worry about e-mails with suspect viruses coming through the e-mail system. I have also made some adjustments to our Windows e-mail clients for any remote accounts accessed directly by IMAP (like info and enquiries): some e-mail clients like to cache the e-mails and attachments from these accounts, and mail fetched that way bypasses our e-mail scanner. I have turned off that caching because, as you can imagine, these accounts get a lot of spam and malicious attachments.

We here at chameeya now feel much more secure. We are even improving in other areas by removing local admin rights for many users and ensuring everyone is logging in with domain accounts.

Now to see if I can get a proxy server to keep out all the porn!

dovecot e-mail fetchmail IMAP procmail

Fido, Fetch my mail, pleeease

In this post I shall cover the intricacies of setting up a mail-fetching server and the Dovecot IMAP server.

First, let me tell you about the reasoning behind this. I have a small ISP hosting account. Due to the times and my inability to find work, I can't afford any more. This account has a miserly 125MB of total storage. This was fine when it was just me and my e-mails were quite small; I could use it as an IMAP server and keep all my mail online.

About three months ago I decided to host my wife's website as part of mine. This worked brilliantly. I also set up my wife's employees with IMAP e-mail accounts. I thought that their e-mail would be quite small. How wrong I was: she deals with loads of scanned documents, and many e-mails were 30MB in size. This quickly filled up my storage.

So I pondered what to do. Should I change users over to POP, or get more storage? Then I happened upon an article in an old Linux Magazine where the author sets up a local IMAP server fed by mail-fetching software. The software (fetchmail) downloads the e-mail to a local folder and an IMAP server (Dovecot) provides IMAP service to the users. That looked like a good solution to me: much simpler than setting up a Postfix server and altering MX records, all of which would require a static IP and changes to my router.

I followed the steps in the article, but I immediately ran into problems. The main problem was in fetchmail: everything that got downloaded ended up being dumped into the postmaster account. I had my /etc/fetchmailrc as (server name, remote user and password replaced by placeholders):

poll <mailserver> with proto POP3
    user '<remote-user>' with password '<password>' is 'salik' here
    mda '/usr/bin/procmail -d %T'

I became quite frustrated at this and spent the best part of a day trying to resolve it. As always, Linux documentation isn't the best. I did eventually find the solution: I had to change my fetchmailrc to this:

poll <mailserver> with proto POP3 user '<remote-user>' with password '<password>' to 'salik' here mda '/usr/bin/procmail -d %T'

Whichever form you use, /etc/fetchmailrc holds a plaintext password, so keep it owned by the user fetchmail runs as and mode 0600; fetchmail refuses to start if the file is readable by other users. The %T in the mda string expands to the local recipient, which is what procmail -d needs to deliver into the right user's mailbox.

The documentation on fetchmail doesn't seem to indicate any difference, but there does appear to be one.

Once that was sorted out I could move on to procmail. It was important to store the items in Maildir format, which means that each individual e-mail is stored in its own file. To do this one merely has to ensure that all folder references end with '/'. I also left out any SpamAssassin processing: I performed a test, and on the rather slow server running all this each e-mail appeared to take several seconds to process. This was too slow for my liking, so I just rely on my ISP's (and online account's) determination of spam.

Then the bit I got confused with. Each user may have their own preferences for sorting mail. This can, of course, be done two ways: the server can do it, or the e-mail client can do it, and I can see a need for a mix. Where I got confused was that each user has their own ~/.procmailrc, which is run after the main /etc/procmailrc, so I would not need to put user-specific filters in /etc/procmailrc but in each user's ~/.procmailrc.

Then, how would I ensure that all e-mail marked as spam went to each user's spam folder? Would I have to go into each user's file and add the appropriate filter? Luckily procmail has a solution to this: /etc/procmailrc runs for every user before their own ~/.procmailrc, so a recipe there applies to everyone. This assumes MAILDIR and DEFAULT are set at the top of /etc/procmailrc to each user's Maildir (with the trailing slash), so that relative folder names resolve per user. Add this at the bottom of /etc/procmailrc:

# Anything the ISP's scanner has already flagged goes to the spam folder.
# Folder name assumed (the post only says "spam folder"); the leading dot
# follows Dovecot's Maildir++ naming and the trailing slash tells procmail
# to deliver into a Maildir rather than an mbox file.
:0
* ^X-Spam-Status: Yes
.Spam/

# Any e-mail from Yahoo with this header will drop into the spam folder
:0
* ^X-YahooFilteredBulk:.*
.Spam/

Once that was complete and I could see e-mail being downloaded into the proper folders, it was on to Dovecot. There is really not much to say here: Dovecot is super simple to set up and the config file is very easy to follow. One thing I would say is that with Dovecot's default Maildir++ layout, subfolders created from an e-mail client are stored on disk as .folder.subfolder.subsubfolder directly under the Maildir, not as nested folder/subfolder/subsubfolder directories (the nested form is what the :LAYOUT=fs option in mail_location gives you), so there is no point in turning on the :LAYOUT=fs flag. This has an effect on how you filter e-mail, because procmail recipes must use the dotted on-disk names, so keep that in mind.

Once I had everything going it worked a charm. As always the problems seemed to revolve around documentation. This is definitely something the open-source camp needs to work on.

I did have to add an entry in logrotate for the procmail logs, as the Ubuntu install did not seem to set one up by default.

My user’s now have limitless e-mail storage. And I have reduced the network traffic over the DSL connection. Now I just need to find a way to get Dovecot to expire SPAM after a few weeks and possibly setup a squirrel webmail setup so employees can access from the web.

Next time, Plone as the ease of setting up a Plone CMS development environment.