clamav-milter.conf(5) Clam AntiVirus clamav-milter.conf(5)

clamav-milter.conf - Configuration file for clamav-milter

clamav-milter.conf contains the configuration options for
clamav-milter(8).

The file consists of comments and options with arguments. Each line
which starts with a hash (#) symbol is ignored by the parser. Options
and arguments are case sensitive and of the form Option Argument. The
arguments are of the following types:

BOOL Boolean value (yes/no or true/false or 1/0).

STRING String without blank characters.

SIZE Size in bytes. You can use 'M' or 'm' modifiers for megabytes
and 'K' or 'k' for kilobytes.

NUMBER Unsigned integer.

Example
If this option is set clamav-milter will not run.

MilterSocket STRING
Define the interface through which we communicate with sendmail.
This option is mandatory!
Possible formats are:
[[unix|local]:]/path/to/file - to specify a unix domain socket
inet:port@[hostname|ip-address] - to specify an ipv4 socket
inet6:port@[hostname|ip-address] - to specify an ipv6 socket
Default: unset

MilterSocketGroup STRING
Define the group ownership for the (unix) milter socket.
Default: disabled (the primary group of the user running clamd)

MilterSocketMode STRING
Sets the permissions on the (unix) milter socket to the specified
mode.
Default: disabled (obey umask)

FixStaleSocket BOOL
Remove stale socket after unclean shutdown.
Default: yes

User STRING
Run as another user (clamav-milter must be started by root for
this option to work)
Default: unset (don't drop privileges)

ReadTimeout NUMBER
Waiting for data from clamd will timeout after this time (seconds).
Default: 120

Foreground BOOL
Don't fork into background.
Default: no

Chroot STRING
Chroot to the specified directory. Chrooting is performed just
after reading the config file and before dropping privileges.
Default: unset (don't chroot)

PidFile STRING
Save the process identifier of a clamav-milter (main thread) to
a specified file.
Default: disabled

TemporaryDirectory STRING
Optional path to the global temporary directory.
Default: system specific (usually /tmp or /var/tmp).

ClamdSocket STRING
Define the clamd socket to connect to for scanning. This option
is mandatory! Syntax:
ClamdSocket unix:path
ClamdSocket tcp:host:port
The first syntax specifies a local unix socket (needs an absolute
path) e.g.:
ClamdSocket unix:/var/run/clamd/clamd.socket
The second syntax specifies a local or remote tcp socket:
the host can be a hostname or an ip address; the ":port" field
is only required for IPv6 addresses, otherwise it defaults to
3310 e.g.:
ClamdSocket tcp:192.168.0.1
This option can be repeated several times with different sockets
or even with the same socket: clamd servers will be selected in
a round-robin fashion.
Default: no default

LocalNet STRING
Messages originating from these hosts/networks will not be
scanned. This option takes a host(name)/mask pair in CIDR notation
and can be repeated several times. If "/mask" is omitted, a
host is assumed. To specify a locally originated, non-smtp,
email use the keyword "local".
Default: unset (scan everything regardless of the origin)

AllowList STRING
This option specifies a file which contains a list of basic
POSIX regular expressions. Addresses (sent to or from - see below)
matching these regexes will not be scanned. Optionally
each line can start with the string "From:" or "To:" (note: no
whitespace after the colon) indicating if it is, respectively,
the sender or recipient that is to be allowed. If the field is
missing, "To:" is assumed. Lines starting with #, : or ! are
ignored.
Default: unset (no exclusion applied)

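An AllowList entry exempts mail from scanning, so the file deserves review before deployment. The following is an added example, not part of the original manual or of ClamAV's code: it applies the line rules described above and flags entries that exempt more than intended. It assumes standard POSIX regex search semantics (an unanchored pattern matches anywhere in the address); the function names and the sample file are constructed for illustration.

```python
def parse_allowlist(text):
    """Return (direction, pattern) for each line the manual says is not ignored."""
    entries = []
    for line in text.splitlines():
        if not line or line[0] in "#:!":
            continue  # lines starting with #, : or ! are ignored
        if line.startswith("From:"):
            entries.append(("From", line[len("From:"):]))
        elif line.startswith("To:"):
            entries.append(("To", line[len("To:"):]))
        else:
            entries.append(("To", line))  # missing field: "To:" is assumed
    return entries

def review(entries):
    """Flag entries that may exempt more mail from scanning than intended."""
    findings = []
    for direction, pattern in entries:
        if pattern[:1].isspace():
            findings.append((pattern, "whitespace after the colon, which the manual rules out"))
        core = pattern.strip()
        if not (core.startswith("^") and core.endswith("$")):
            findings.append((pattern, "unanchored: matches any address containing it"))
        if direction == "From":
            findings.append((pattern, "sender address is chosen by the sending peer"))
    return findings

# Constructed sample allow list (not from the manual).
ALLOWLIST_SAMPLE = """# constructed sample
From:^ceo@example\\.test$
partner.example
To: ^abuse@example\\.test$
!^old@example\\.test$
"""

if __name__ == "__main__":
    for pattern, reason in review(parse_allowlist(ALLOWLIST_SAMPLE)):
        print(f"{pattern!r}: {reason}")
```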
SkipAuthenticated STRING
Messages from authenticated SMTP users matching this extended
POSIX regular expression (egrep-like) will not be scanned. As
an alternative, a file containing a plain (not regex) list of
names (one per line) can be specified using the prefix "file:".
e.g. SkipAuthenticated file:/etc/good_guys. Note: this is the
AUTH login name!
Default: unset (no allowing based on SMTP auth)

MaxFileSize SIZE
Messages larger than this value won't be scanned. Make sure this
value is lower than or equal to StreamMaxLength in clamd.conf
Default: 25M

The following group of options controls the delivery process under
different circumstances. The following actions are available:
- Accept: The message is accepted for delivery
- Reject: Immediately refuse delivery (a 5xx error is returned to the
peer)
- Defer: Return a temporary failure message (4xx) to the peer
- Blackhole (not available for OnFail): Like Accept but the message is
sent to oblivion
- Quarantine (not available for OnFail): Like Accept but message is
quarantined instead of being delivered. NOTE: In Sendmail the
quarantine queue can be examined via mailq -qQ. For Postfix this
causes the message to be placed on hold.

OnClean STRING
Action to be performed on clean messages (mostly useful for
testing)
Default: Accept

OnInfected STRING
Action to be performed on infected messages
Default: Quarantine

OnFail STRING
Action to be performed on error conditions (this includes failure
to allocate data structures, no scanners available, network
timeouts, unknown scanner replies and the like)
Default: Defer

RejectMsg STRING
This option allows you to set a specific rejection reason for
infected messages and it's therefore only useful together with
"OnInfected Reject". The string "%v", if present, will be
replaced with the virus name.
Default: MTA specific

AddHeader STRING
If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned"
and an "X-Virus-Status" header will be attached to
each processed message, possibly replacing existing headers. If
it is set to Add, the X-Virus headers are added possibly on top
of the existing ones. Note that while "Replace" can potentially
break DKIM signatures, "Add" may confuse procmail and similar
filters.
Default: no

ReportHostname STRING
When AddHeader is in use, this option allows you to set the
reported hostname. This may be desirable in order to avoid leaking
internal names. If unset the real machine name is used.
Default: disabled

VirusAction STRING
Execute a command (possibly searching PATH) when an infected
message is found. The following parameters are passed to the
invoked program in this order: virus name, queue id, sender,
destination, subject, message id, message date. Note #1: this
requires MTA macros to be available (see LogInfected below). Note
#2: the process is invoked in the context of clamav-milter. Note
#3: clamav-milter will wait for the process to exit. Be quick or
fork to avoid unnecessary delays in email delivery.
Default: disabled

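A VirusAction program receives values taken from the infected message (sender, subject, message id), so it should treat them as untrusted and return quickly. The following is an added example, not part of the original manual or of ClamAV's code: a handler that maps the seven arguments, in the order listed above, to named fields and appends one JSON line. The field names, length cap, log path and the assumption that exactly seven arguments arrive are hypothetical.

```python
import json
import sys
import time

# Argument order as listed in the manual for the VirusAction program.
FIELDS = ("virus", "queue_id", "sender", "destination",
          "subject", "message_id", "message_date")
MAX_LEN = 256  # hypothetical cap so a hostile Subject cannot bloat the log

def clean(value):
    """Drop control characters (CR/LF included) and cap the length."""
    printable = "".join(ch for ch in value if ch.isprintable())
    return printable[:MAX_LEN]

def build_record(argv):
    """Map the seven positional arguments to named, sanitised fields."""
    if len(argv) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} arguments, got {len(argv)}")
    record = {name: clean(arg) for name, arg in zip(FIELDS, argv)}
    record["logged_at"] = int(time.time())
    return record

def main(argv, log_path="/var/log/clamav/virus-action.jsonl"):  # hypothetical path
    # One short append keeps the milter waiting as briefly as possible.
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(build_record(argv)) + "\n")

if __name__ == "__main__":
    main(sys.argv[1:])
```

Because the process runs in the context of clamav-milter, the log path must be writable by the account named in User (and reachable inside Chroot, if set).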
LogFile STRING
Enable logging to selected file.
Default: no

LogFileUnlock BOOL
Disable a system lock that protects against running clamd with
the same configuration file multiple times.
Default: no

LogFileMaxSize SIZE
Limit the size of the log file. The logger will be automatically
disabled if the file is greater than SIZE. Value of 0 disables
the limit.
Default: 1M

LogTime BOOL
Log time for each message.
Default: no

LogSyslog BOOL
Use system logger (can work together with LogFile).
Default: no

LogFacility STRING
Specify the type of syslog messages - please refer to 'man syslog'
for facility names.
Default: LOG_LOCAL6

LogVerbose BOOL
Enable verbose logging.
Default: no

LogInfected STRING
This option allows you to tune what is logged when a message is
infected. Possible values are Off (the default - nothing is
logged), Basic (minimal info logged), Full (verbose info logged).
Note: For this to work properly in sendmail, make sure the
msg_id, mail_addr, rcpt_addr and i macros are available in eom.
In other words add a line like: Milter.macros.eom={msg_id},
{mail_addr}, {rcpt_addr}, i to your .cf file. Alternatively use
the macro: define(`confMILTER_MACROS_EOM', `{msg_id},
{mail_addr}, {rcpt_addr}, i')
Postfix should be working fine with the default settings.
Default: disabled

LogClean STRING
This option allows you to tune what is logged when no threat is
found in a scanned message.
See LogInfected for possible values and caveats.
Useful in debugging but drastically increases the log size.
Default: disabled

SupportMultipleRecipients BOOL
This option affects the behaviour of LogInfected, LogClean and
VirusAction when a message with multiple recipients is scanned:
If SupportMultipleRecipients is off (the default) then one single
log entry is generated for the message and, in case the message
is determined to be malicious, the command indicated by
VirusAction is executed just once. In both cases only the last
recipient is reported.
If SupportMultipleRecipients is on then one line is logged for
each recipient and the command indicated by VirusAction is also
executed once for each recipient.
Note: although it's probably a good idea to enable this option,
the default value is currently set to off for legacy reasons.
Default: no

All options expressing a size are limited to max 4GB. Values in excess
will be reset to the maximum.

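The file format and option rules above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original manual or of ClamAV's code: it parses the Option Argument format, applies the SIZE modifiers and 4GB clamp, and reports settings that stop the milter from running or weaken scanning. The function names, the finding texts, the reading of 4GB as 4 GiB and the sample file are assumptions; stream_max_length is a hypothetical parameter carrying clamd.conf's StreamMaxLength in the same SIZE syntax.

```python
import re

MAX_SIZE = 4 * 1024**3  # assumption: the manual's "4GB" read as 4 GiB
FAIL_ACTIONS = {"Accept", "Reject", "Defer"}  # Blackhole/Quarantine excluded

def parse_size(arg):
    """SIZE: bytes with an optional K/k or M/m modifier, clamped to the maximum."""
    m = re.fullmatch(r"(\d+)([KkMm]?)", arg)
    if not m:
        raise ValueError(f"bad SIZE: {arg!r}")
    mult = {"": 1, "k": 1024, "m": 1024**2}[m.group(2).lower()]
    return min(int(m.group(1)) * mult, MAX_SIZE)

def parse_conf(text):
    """Return {option: [arguments]}; repeated options keep every value."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit(text, stream_max_length=None):
    """List findings; stream_max_length is clamd.conf's StreamMaxLength, if known."""
    opts, findings = parse_conf(text), []
    if "Example" in opts:
        findings.append("Example is set: clamav-milter will not run")
    for required in ("MilterSocket", "ClamdSocket"):
        if required not in opts:
            findings.append(f"{required} is mandatory but missing")
    if "User" not in opts:
        findings.append("User unset: privileges are not dropped")
    for action in opts.get("OnFail", ["Defer"]):
        if action not in FAIL_ACTIONS:
            findings.append(f"OnFail {action}: not available for OnFail")
        elif action == "Accept":
            findings.append("OnFail Accept: mail is delivered when scanning fails")
    for size in opts.get("MaxFileSize", ["25M"]):
        if stream_max_length and parse_size(size) > parse_size(stream_max_length):
            findings.append("MaxFileSize exceeds StreamMaxLength")
    return findings

SAMPLE = """# constructed sample, not a shipped default
Example
MilterSocket inet:7357@127.0.0.1
OnFail Accept
MaxFileSize 50M
"""
```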
/etc/mail/clamav-milter.conf

aCaB <acab@clamav.net>

clamav-milter(8), clamd(8), clamd.conf(5)

ClamAV 1.0.4 Feb 25, 2009 clamav-milter.conf(5)