clamav-milter.conf(5)           Clam AntiVirus           clamav-milter.conf(5)

NAME

       clamav-milter.conf - Configuration file for clamav-milter

DESCRIPTION

       clamav-milter.conf contains the configuration options for
       clamav-milter(8).

FILE FORMAT

       The file consists of comments and options with arguments. Each line
       which starts with a hash (#) symbol is ignored by the parser. Options
       and arguments are case sensitive and of the form Option Argument. The
       arguments are of the following types:

       BOOL   Boolean value (yes/no or true/false or 1/0).

       STRING String without blank characters.

       SIZE   Size in bytes. You can use 'M' or 'm' modifiers for megabytes
              and 'K' or 'k' for kilobytes.

       NUMBER Unsigned integer.

MAIN OPTIONS

       Example
              If this option is set clamav-milter will not run.

       MilterSocket STRING
              Define the interface through which we communicate with sendmail.
              This option is mandatory!
              Possible formats are:
              [[unix|local]:]/path/to/file - to specify a unix domain socket
              inet:port@[hostname|ip-address] - to specify an ipv4 socket
              inet6:port@[hostname|ip-address] - to specify an ipv6 socket
              Default: unset

       MilterSocketGroup STRING
              Define the group ownership for the (unix) milter socket.
              Default: disabled (the primary group of the user running clamd)

       MilterSocketMode STRING
              Sets the permissions on the (unix) milter socket to the
              specified mode.
              Default: disabled (obey umask)

       FixStaleSocket BOOL
              Remove stale socket after unclean shutdown.
              Default: yes

       User STRING
              Run as another user (clamav-milter must be started by root for
              this option to work).
              Default: unset (don't drop privileges)

       ReadTimeout NUMBER
              Waiting for data from clamd will time out after this time
              (seconds).
              Default: 120

       Foreground BOOL
              Don't fork into background.
              Default: no

       Chroot STRING
              Chroot to the specified directory. Chrooting is performed just
              after reading the config file and before dropping privileges.
              Default: unset (don't chroot)

       PidFile STRING
              Save the process identifier of a clamav-milter (main thread) to
              a specified file.
              Default: disabled

       TemporaryDirectory STRING
              Optional path to the global temporary directory.
              Default: system specific (usually /tmp or /var/tmp).

CLAMD OPTIONS

       ClamdSocket STRING
              Define the clamd socket to connect to for scanning. This option
              is mandatory! Syntax:
              ClamdSocket unix:path
              ClamdSocket tcp:host:port
              The first syntax specifies a local unix socket (needs an
              absolute path) e.g.:
              ClamdSocket unix:/var/run/clamd/clamd.socket
              The second syntax specifies a local or remote tcp socket: the
              host can be a hostname or an ip address; the ":port" field is
              only required for IPv6 addresses, otherwise it defaults to
              3310 e.g.:
              ClamdSocket tcp:192.168.0.1
              This option can be repeated several times with different sockets
              or even with the same socket: clamd servers will be selected in
              a round-robin fashion.
              Default: no default

EXCLUSIONS

       LocalNet STRING
              Messages originating from these hosts/networks will not be
              scanned. This option takes a host(name)/mask pair in CIDR
              notation and can be repeated several times. If "/mask" is
              omitted, a host is assumed. To specify a locally originated,
              non-smtp, email use the keyword "local".
              Default: unset (scan everything regardless of the origin)

       Whitelist STRING
              This option specifies a file which contains a list of basic
              POSIX regular expressions. Addresses (sent to or from - see
              below) matching these regexes will not be scanned. Optionally
              each line can start with the string "From:" or "To:" (note: no
              whitespace after the colon) indicating if it is, respectively,
              the sender or recipient that is to be whitelisted. If the field
              is missing, "To:" is assumed. Lines starting with #, : or ! are
              ignored.
              Default: unset (no exclusion applied)

       SkipAuthenticated STRING
              Messages from authenticated SMTP users matching this extended
              POSIX regular expression (egrep-like) will not be scanned. As
              an alternative, a file containing a plain (not regex) list of
              names (one per line) can be specified using the prefix "file:",
              e.g. SkipAuthenticated file:/etc/good_guys. Note: this is the
              AUTH login name!
              Default: unset (no whitelisting based on SMTP auth)

       MaxFileSize SIZE
              Messages larger than this value won't be scanned. Make sure this
              value is lower than or equal to StreamMaxLength in clamd.conf.
              Default: 25M

ACTIONS

       The following group of options controls the delivery process under
       different circumstances. The following actions are available:
       - Accept: The message is accepted for delivery
       - Reject: Immediately refuse delivery (a 5xx error is returned to the
         peer)
       - Defer: Return a temporary failure message (4xx) to the peer
       - Blackhole (not available for OnFail): Like Accept but the message is
         sent to oblivion
       - Quarantine (not available for OnFail): Like Accept but message is
         quarantined instead of being delivered. NOTE: In Sendmail the
         quarantine queue can be examined via mailq -qQ. For Postfix this
         causes the message to be placed on hold.

       OnClean STRING
              Action to be performed on clean messages (mostly useful for
              testing)
              Default: Accept

       OnInfected STRING
              Action to be performed on infected messages
              Default: Quarantine

       OnFail STRING
              Action to be performed on error conditions (this includes
              failure to allocate data structures, no scanners available,
              network timeouts, unknown scanner replies and the like)
              Default: Defer

       RejectMsg STRING
              This option allows you to set a specific rejection reason for
              infected messages and it's therefore only useful together with
              "OnInfected Reject". The string "%v", if present, will be
              replaced with the virus name.
              Default: MTA specific

       AddHeader STRING
              If this option is set to "Replace" (or "Yes"), "X-Virus-Scanned"
              and "X-Virus-Status" headers will be attached to each processed
              message, possibly replacing existing headers. If it is set to
              "Add", the X-Virus headers are added possibly on top of the
              existing ones. Note that while "Replace" can potentially break
              DKIM signatures, "Add" may confuse procmail and similar
              filters.
              Default: no

       ReportHostname STRING
              When AddHeader is in use, this option allows you to set the
              reported hostname. This may be desirable in order to avoid
              leaking internal names. If unset the real machine name is used.
              Default: disabled

       VirusAction STRING
              Execute a command (possibly searching PATH) when an infected
              message is found. The following parameters are passed to the
              invoked program in this order: virus name, queue id, sender,
              destination, subject, message id, message date. Note #1: this
              requires MTA macros to be available (see LogInfected below).
              Note #2: the process is invoked in the context of clamav-milter.
              Note #3: clamav-milter will wait for the process to exit. Be
              quick or fork to avoid unnecessary delays in email delivery.
              Default: disabled
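
       A sketch of a VirusAction handler, added here as an example and not
       part of ClamAV: it maps the seven positional parameters listed above
       to named fields, treats sender and subject as untrusted message data,
       and returns after a single append. The field names and the log path
       are hypothetical.

```python
import json
import sys
import time

# Order documented for VirusAction; the key names are this example's own.
FIELDS = ("virus", "queue_id", "sender", "destination",
          "subject", "message_id", "message_date")

def clean(value, limit=256):
    """Replace non-printable characters and cap the length, so a crafted
    Subject or sender cannot inject newlines or flood the log."""
    return "".join(c if c.isprintable() else "?" for c in value)[:limit]

def build_record(argv):
    """Map positional parameters to named fields; missing ones become ''."""
    args = list(argv[:len(FIELDS)]) + [""] * (len(FIELDS) - len(argv))
    record = {name: clean(val) for name, val in zip(FIELDS, args)}
    record["logged_at"] = int(time.time())
    return record

def main(argv, log_path):
    # One short append and exit: clamav-milter waits for this process.
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(build_record(argv)) + "\n")
    return 0

if __name__ == "__main__":
    # Hypothetical log location; it must be writable by the milter's user.
    sys.exit(main(sys.argv[1:], "/var/log/clamav/virus-action.jsonl"))
```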

LOGGING OPTIONS

       LogFile STRING
              Enable logging to selected file.
              Default: no

       LogFileUnlock BOOL
              Disable a system lock that protects against running clamd with
              the same configuration file multiple times.
              Default: no

       LogFileMaxSize SIZE
              Limit the size of the log file. The logger will be automatically
              disabled if the file is greater than SIZE. Value of 0 disables
              the limit.
              Default: 1M

       LogTime BOOL
              Log time for each message.
              Default: no

       LogSyslog BOOL
              Use system logger (can work together with LogFile).
              Default: no

       LogFacility STRING
              Specify the type of syslog messages - please refer to 'man
              syslog' for facility names.
              Default: LOG_LOCAL6

       LogVerbose BOOL
              Enable verbose logging.
              Default: no

       LogInfected STRING
              This option allows you to tune what is logged when a message is
              infected. Possible values are Off (the default - nothing is
              logged), Basic (minimal info logged), Full (verbose info logged)
              Note: For this to work properly in sendmail, make sure the
              msg_id, mail_addr, rcpt_addr and i macros are available in eom.
              In other words add a line like:
              Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
              to your .cf file. Alternatively use the macro:
              define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
              Postfix should be working fine with the default settings.
              Default: disabled

       LogClean STRING
              This option allows you to tune what is logged when no threat is
              found in a scanned message.
              See LogInfected for possible values and caveats.
              Useful in debugging but drastically increases the log size.
              Default: disabled

       SupportMultipleRecipients BOOL
              This option affects the behaviour of LogInfected, LogClean and
              VirusAction when a message with multiple recipients is scanned:
              If SupportMultipleRecipients is off (the default) then one
              single log entry is generated for the message and, in case the
              message is determined to be malicious, the command indicated by
              VirusAction is executed just once. In both cases only the last
              recipient is reported.
              If SupportMultipleRecipients is on then one line is logged for
              each recipient and the command indicated by VirusAction is also
              executed once for each recipient.
              Note: although it's probably a good idea to enable this option,
              the default value is currently set to off for legacy reasons.
              Default: no

NOTES

       All options expressing a size are limited to max 4GB. Values in excess
       will be reset to the maximum.
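
       A pre-deployment check for the constraints this page states, added
       here as an example and not part of ClamAV: it parses the Option
       Argument format and flags a set Example line, missing mandatory
       sockets, an unset User, an OnFail action the page marks unavailable,
       and a MaxFileSize above clamd's StreamMaxLength. The function names,
       the sample files and the "clamav" account are assumptions; where an
       option is repeated, every occurrence is checked.

```python
import re

def parse_size(text):
    """SIZE argument: bytes, with an optional K/k or M/m modifier."""
    m = re.fullmatch(r"(\d+)([KkMm]?)", text)
    if not m:
        raise ValueError(f"bad SIZE argument: {text!r}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(2).lower()]

def parse_conf(text):
    """Return {option: [arguments]}; options such as ClamdSocket may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, *rest = line.split(None, 1)  # names are case sensitive
        opts.setdefault(name, []).append(rest[0].strip() if rest else "")
    return opts

def lint(milter_text, stream_max_length):
    """stream_max_length: the StreamMaxLength value read from clamd.conf."""
    opts, findings = parse_conf(milter_text), []
    if "Example" in opts:
        findings.append("Example is set: clamav-milter will not run")
    for required in ("MilterSocket", "ClamdSocket"):
        if required not in opts:
            findings.append(f"{required} is mandatory but missing")
    if "User" not in opts:
        findings.append("User is unset: privileges are not dropped")
    if any(a in ("Blackhole", "Quarantine") for a in opts.get("OnFail", [])):
        findings.append("OnFail does not support Blackhole or Quarantine")
    sizes = [parse_size(a) for a in opts.get("MaxFileSize", ["25M"])]
    if max(sizes) > parse_size(stream_max_length):
        findings.append("MaxFileSize is larger than clamd's StreamMaxLength")
    return findings

# Constructed sample configurations (not taken from a real host).
WEAK = """Example
ClamdSocket unix:/var/run/clamd/clamd.socket
OnFail Quarantine
MaxFileSize 50M
"""
FIXED = """MilterSocket unix:/var/run/clamav/milter.sock
ClamdSocket unix:/var/run/clamd/clamd.socket
User clamav
OnFail Defer
MaxFileSize 25M
"""
```

       Calling lint(WEAK, "25M") returns five findings and
       lint(FIXED, "25M") returns an empty list.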

FILES

       /etc/mail/clamav-milter.conf

AUTHOR

       aCaB <acab@clamav.net>

SEE ALSO

       clamav-milter(8), clamd(8), clamd.conf(5)

ClamAV 0.101.5                   Feb 25, 2009            clamav-milter.conf(5)