From 72eb14dcfb163b8a462cde12aefb7e6a4c0d5a85 Mon Sep 17 00:00:00 2001 From: John Peacock Date: Fri, 25 Feb 2005 03:06:22 +0000 Subject: [PATCH] * plugins/virus/clamav Reword the POD to explain exactly how to chmod the directories to get clamdscan to work within the spool directory (Thanks to Robin Bowes) git-svn-id: https://svn.perl.org/qpsmtpd/trunk@373 958fd67b-6ff1-0310-b445-bb7760255be9 --- plugins/virus/clamav | 57 ++++++++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 21 deletions(-) diff --git a/plugins/virus/clamav b/plugins/virus/clamav index bd5cbaf..0507ef8 100644 --- a/plugins/virus/clamav +++ b/plugins/virus/clamav @@ -23,27 +23,9 @@ new installations should use the name=value form as follows: =item clamscan_path=I (e.g. I) -Path to the clamav commandline scanner. Using clamdscan is recommended -for sake of performance. However, in this case, the user executing clamd -requires access to the qpsmtpd spool directory, which usually means either -running clamd as the same user as qpsmtpd does (by far the easiest method) -or by doing the following: - -=over 2 - -=item * Change the group ownership of the spool directory to be a group -of which clamav is a member or add clamav to the same group as the qpsmtpd -user; - -=item * Enable the "AllowSupplementaryGroups" option in clamd.conf; - -=item * Change the permissions of the qpsmtpd spool directory to 0770 (this -will emit warning when the qpsmtpd service starts up). - -=back - -Mail will be passed to the clamav scanner in Berkeley mbox format (that is, -with a "From " line). +Path to the clamav commandline scanner. Mail will be passed to the clamav +scanner in Berkeley mbox format (that is, with a "From " line). See the +discussion below on which commandline scanner to use. =item action=EI | IE (e.g. I) 
@@ -73,6 +55,39 @@ variable to include a couple of now deprecated options. =back +=head2 CLAMAV COMMAND LINE SCANNER + +You can use either clamscan or clamdscan, but the latter is recommended for +sake of performance. However, in this case, the user executing clamd +requires access to the qpsmtpd spool directory, which usually means either +running clamd as the same user as qpsmtpd does (by far the easiest method) +or by doing the following: + +=over 4 + +=item * Change the group ownership of the spool directory to be a group +of which clamav is a member or add clamav to the same group as the qpsmtpd +user. + +=item * Enable the "AllowSupplementaryGroups" option in clamd.conf. + +=item * Change the permissions of the qpsmtpd spool directory to 0750 (this +will emit a warning when the qpsmtpd service starts up, but can be safely +ignored). + +=item * Make sure that all directories above the spool directory (to the +root) are g+x so that the group has directory traversal rights; it is not +necessary for the group to have any read rights except to the spool +directory itself. + +=back + +It may be helpful to temporary grant the clamav user a shell and test to +make sure you can cd into the spool directory and read files located there. +Remember to remove the shell from the clamav user when you are done +testing. + + =head2 CLAMAV CONFIGURATION At the least, you should have 'ScanMail' supplied in your clamav.conf file.
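Review bot: in the first hunk, "See the discussion below on which commandline scanner to use" is plain text in POD; a cross-reference such as `L</CLAMAV COMMAND LINE SCANNER>` to the section this patch adds renders as a link in perldoc and stays correct if the sections are later reordered or the heading is renamed.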
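Review bot: the list under =head2 CLAMAV COMMAND LINE SCANNER covers ownership and mode of the directories but not the mode of the spooled message files themselves; with the spool directory at 0750 the clamav group can list and traverse it, yet clamdscan still needs read permission on each spool file, which depends on the umask qpsmtpd runs under. Add an item saying the spool files must be group-readable (for example a umask of 027), otherwise the "read files located there" test in the last paragraph fails even with the directories set up exactly as described. Two smaller points in the same hunk: the fourth item asks for g+x on every directory up to the root, but that only helps if each of those directories is group-owned by a group clamav belongs to, which is rarely true for /var or /; "traversable (x) by the clamav user", in practice o+x, states the real requirement. And "temporary grant the clamav user a shell" should read "temporarily grant".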