1clamav-milter.conf(5) Clam AntiVirus clamav-milter.conf(5)
2
6 clamav-milter.conf - Configuration file for clamav-milter
7
9 clamav-milter.conf contains the configuration options for clamav-mil‐
10 ter(8).
11
13 The file consists of comments and options with arguments. Each line
14 which starts with a hash (#) symbol is ignored by the parser. Options
15 and arguments are case sensitive and of the form Option Argument. The
16 arguments are of the following types:
17 BOOL Boolean value (yes/no or true/false or 1/0).
19 STRING String without blank characters.
21 SIZE Size in bytes. You can use 'M' or 'm' modifiers for megabytes
23 and 'K' or 'k' for kilobytes.
24 NUMBER Unsigned integer.
26
28 Example
29 If this option is set clamav-milter will not run.
30 MilterSocket STRING
32 Define the interface through which we communicate with sendmail.
33 This option is mandatory!
34 Possible formats are:
35 [[unix|local]:]/path/to/file - to specify a unix domain socket
36 inet:port@[hostname|ip-address] - to specify an ipv4 socket
37 inet6:port@[hostname|ip-address] - to specify an ipv6 socket
38 Default: unset
39 MilterSocketGroup STRING
41 Define the group ownership for the (unix) milter socket.
42 Default: disabled (the primary group of the user running clamd)
43 MilterSocketMode STRING
45 Sets the permissions on the (unix) milter socket to the speci‐
46 fied mode.
47 Default: disabled (obey umask)
48 FixStaleSocket BOOL
50 Remove stale socket after unclean shutdown.
51 Default: yes
52 User STRING
54 Run as another user (clamav-milter must be started by root for
55 this option to work)
56 Default: unset (don´t drop privileges)
57 AllowSupplementaryGroups BOOL
59 Initialize supplementary group access (clamav-milter must be
60 started by root).
61 Default: no
62 ReadTimeout NUMBER
64 Waiting for data from clamd will timeout after this time (sec‐
65 onds).
66 Default: 120
67 Foreground BOOL
69 Don´t fork into background.
70 Default: no
71 Chroot STRING
73 Chroot to the specified directory. Chrooting is performed just
74 after reading the config file and before dropping privileges.
75 Default: unset (don´t chroot)
76 PidFile STRING
78 Save the process identifier of a clamav-milter (main thread) to
79 a specified file.
80 Default: disabled
81 TemporaryDirectory STRING
83 Optional path to the global temporary directory.
84 Default: system specific (usually /tmp or /var/tmp).
85
87 ClamdSocket STRING
88 Define the clamd socket to connect to for scanning. This option
89 is mandatory! Syntax:
90 ClamdSocket unix:path
91 ClamdSocket tcp:host:port
92 The first syntax specifies a local unix socket (needs an abso‐
93 lute path) e.g.:
94 ClamdSocket unix:/var/run/clamd/clamd.socket
95 The second syntax specifies a tcp local or remote tcp socket:
96 the host can be a hostname or an ip address; the ":port" field
97 is only required for IPv6 addresses, otherwise it defaults to
98 3310 e.g.:
99 ClamdSocket tcp:192.168.0.1
100 This option can be repeated several times with different sockets
101 or even with the same socket: clamd servers will be selected in
102 a round-robin fashion.
103 Default: no default
104
106 LocalNet STRING
107 Messages originating from these hosts/networks will not be
108 scanned. This option takes a host(name)/mask pair in CIRD nota‐
109 tion and can be repeated several times. If "/mask" is omitted, a
110 host is assumed. To specify a locally orignated, non-smtp, email
111 use the keyword "local"
112 Default: unset (scan everything regardless of the origin)
113 Whitelist STRING
115 This option specifies a file which contains a list of basic
116 POSIX regular expressions. Addresses (sent to or from - see
117 below) matching these regexes will not be scanned. Optionally
118 each line can start with the string "From:" or "To:" (note: no
119 whitespace after the colon) indicating if it is, respectively,
120 the sender or recipient that is to be whitelisted. If the field
121 is missing, "To:" is assumed. Lines starting with #, : or ! are
122 ignored.
123 Default: unset (no exclusion applied)
124 SkipAuthenticated STRING
126 Messages from authenticated SMTP users matching this extended
127 POSIX regular expression (egrep-like) will not be scanned. As
128 an alternative, a file containing a plain (not regex) list of
129 names (one per line) can be specified using the prefix "file:".
130 e.g. SkipAuthenticated file:/etc/good_guys. Note: this is the
131 AUTH login name!
132 Default: unset (no whitelisting based on SMTP auth)
133 MaxFileSize SIZE
135 Messages larger than this value won´t be scanned. Make sure this
136 value is lower or equal than StreamMaxLength in clamd.conf
137 Default: 25M
138
140 The following group of options controls the delievery process under
141 different circumstances. The following actions are available:
142 - Accept: The message is accepted for delievery
143 - Reject: Immediately refuse delievery (a 5xx error is returned to the
144 peer)
145 - Defer: Return a temporary failure message (4xx) to the peer
146 - Blackhole (not available for OnFail): Like Accept but the message is
147 sent to oblivion
148 - Quarantine (not available for OnFail): Like Accept but message is
149 quarantined instead of being delivered. NOTE: In Sendmail the quaran‐
150 tine queue can be examined via mailq -qQ. For Postfix this causes the
151 message to be placed on hold.
152 OnClean STRING
154 Action to be performed on clean messages (mostly useful for
155 testing)
156 Default: Accept
157 OnInfected STRING
159 Action to be performed on infected messages
160 Default: Quarantine
161 OnFail STRING
163 Action to be performed on error conditions (this includes fail‐
164 ure to allocate data structures, no scanners available, network
165 timeouts, unknown scanner replies and the like)
166 Default: Defer
167 RejectMsg STRING
169 This option allows to set a specific rejection reason for
170 infected messages and it´s therefore only useful together with
171 "OnInfected Reject". The string "%v", if present, will be
172 replaced with the virus name.
173 Default: MTA specific
174 AddHeader STRING
176 If this option is set to "Replace" (or "Yes"), an "X-Virus-
177 Scanned" and an "X-Virus-Status" headers will be attached to
178 each processed message, possibly replacing existing headers. If
179 it is set to Add, the X-Virus headers are added possibly on top
180 of the existing ones. Note that while "Replace" can potentially
181 break DKIM signatures, "Add" may confuse procmail and similar
182 filters.
183 Default: no
184 ReportHostname STRING
186 When AddHeader is in use, this option allows to arbitrary set
187 the reported hostname. This may be desirable in order to avoid
188 leaking internal names. If unset the real machine name is used.
189 Default: disabled
190 VirusAction STRING
192 Execute a command (possibly searching PATH) when an infected
193 message is found. The following parameters are passed to the
194 invoked program in this order: virus name, queue id, sender,
195 destination, subject, message id, message date. Note #1: this
196 requires MTA macroes to be available (see LogInfected below).
197 Note #2: the process is invoked in the context of clamav-milter.
198 Note #3: clamav-milter will wait for the process to exit. Be
199 quick or fork to avoid unnecessary delays in email delievery.
200 Default: disabled
201
203 LogFile STRING
204 Enable logging to selected file.
205 Default: no
206 LogFileUnlock BOOL
208 Disable a system lock that protects against running clamd with
209 the same configuration file multiple times.
210 Default: no
211 LogFileMaxSize SIZE
213 Limit the size of the log file. The logger will be automatically
214 disabled if the file is greater than SIZE. Value of 0 disables
215 the limit.
216 Default: 1M
217 LogTime BOOL
219 Log time for each message.
220 Default: no
221 LogSyslog BOOL
223 Use system logger (can work together with LogFile).
224 Default: no
225 LogFacility STRING
227 Specify the type of syslog messages - please refer to 'man sys‐
228 log' for facility names.
229 Default: LOG_LOCAL6
230 LogVerbose BOOL
232 Enable verbose logging.
233 Default: no
234 LogInfected STRING
236 This option allows to tune what is logged when a message is
237 infected. Possible values are Off (the default - nothing is
238 logged), Basic (minimal info logged), Full (verbose info logged)
239 Note: For this to work properly in sendmail, make sure the
240 msg_id, mail_addr, rcpt_addr and i macroes are available in eom.
241 In other words add a line like: Milter.macros.eom={msg_id},
242 {mail_addr}, {rcpt_addr}, i to your .cf file. Alternatively use
243 the macro: define(`confMILTER_MACROS_EOM', `{msg_id},
244 {mail_addr}, {rcpt_addr}, i')
245 Postfix should be working fine with the default settings.
246 Default: disabled
247 LogClean STRING
249 This option allows to tune what is logged when no threat is
250 found in a scanned message.
251 See LogInfected for possible values and caveats.
252 Useful in debugging but drastically increases the log size.
253 Default: disabled
254
256 All options expressing a size are limited to max 4GB. Values in excess
257 will be resetted to the maximum.
258
260 /etc/clamav-milter.conf
261
263 aCaB <acab@clamav.net>
264
266 clamav-milter(8), clamd(8), clamd.conf(5)
267ClamAV 0.97.3 February 12, 2007 clamav-milter.conf(5)