Bots and infected servers send many viruses via email. It is therefore important for the security of your mail server to use an antivirus scanner. In this tutorial, we show how to use ClamAV as a virus scanner for a mail server with Postfix and Dovecot.
- For the steps in this guide, you need a VPS with Ubuntu, Debian, CentOS Stream, AlmaLinux, or Rocky Linux with Postfix and Dovecot. In this guide, we explain how to install and configure Postfix and Dovecot. For this guide, we assume you have completed that guide.
- Install ClamAV beforehand (CentOS Stream, AlmaLinux, Rocky Linux, Ubuntu or Debian). Note that ClamAV is a RAM-intensive program and quickly uses almost 1GB.
- Execute the commands in this guide with sudo, or as the root user.
Step 1
Connect to your VPS via SSH or the VPS console in the TransIP control panel.
Step 2
To allow PostFix to use ClamAV, we use Amavisd. This is an interface between MTAs and content checkers such as ClamAV:
Ubuntu & Debian:
apt -y install amavisd-new
CentOS Stream, AlmaLinux & Rocky Linux:
dnf --enablerepo=PowerTools dnf -y install amavisd-new
Step 3
Open the Amavisd configuration:
Ubuntu & Debian:
nano /etc/amavis/conf.d/15-content_filter_mode
CentOS Stream, AlmaLinux & Rocky Linux:
nano /etc/amavisd/amavisd.conf
Step 4
Uncomment/adjust the lines below in the file.
Ubuntu & Debian:
@bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); @bypass_spam_checks_maps = ( \%bypass_spam_checks, @bypass_spam_checks_acl, $bypass_spam_checks_re);
CentOS Stream, AlmaLinux & Rocky Linux:
In the comments (starting with #), it is indicated on which line number you (at the time of writing) can find the option:
# line 23
$mydomain = 'example.com';
line 155
$myhostname = 'mail.example.com';
lines 157 & 158
$notify_method = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';
For $mydomain, replace the value example.com with the domain you use as the hostname, but without the prefix, and for $myhostname, replace the value with your hostname.
Save the changes and close the file (ctrl + x > y > enter).
Step 5
A new service for Amavisd is needed in the Postfix configuration. Open the Postfix configuration with:
nano /etc/postfix/master.cf
Step 6
Add the following code at the bottom of the file.
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
Then save the changes and close the file (ctrl + x > y > enter).
Step 7
To work with Amavisd, Dovecot needs a 'statistics' service and a dh-key. For this, open the Dovecot configuration:
nano /etc/dovecot/dovecot.conf
Step 8
Add the following code at the bottom of the file:
service stats {
unix_listener stats-reader {
user = vmail
group = vmail
mode = 0660
}
unix_listener stats-writer {
user = vmail
group = vmail
mode = 0660
}
}
ssl_dh = </etc/dovecot/dh.pem
Then save the changes and close the file (ctrl + x > y > enter).
Step 9
Generate the required dh.pem certificate (this takes a while):
openssl dhparam -out /etc/dovecot/dh.pem 4096
Step 10
Finally, restart the necessary services and enable Amavisd:
systemctl enable amavisd
systemctl restart amavisd
systemctl restart postfix
systemctl restart dovecot
This brings us to the end of this article. We recommend adding a spam scanner to your mail server in addition to an antivirus scanner. In this guide, we explain how to do this.
If you have any questions based on this tutorial, do not hesitate to contact our support department. You can reach them via the 'Contact us' button at the bottom of this page.