* plugins/virus/clamav

Reword the POD to explain exactly how to chmod the directories to get
    clamdscan to work within the spool directory (Thanks to Robin Bowes)


git-svn-id: https://svn.perl.org/qpsmtpd/trunk@373 958fd67b-6ff1-0310-b445-bb7760255be9
John Peacock 2005-02-25 03:06:22 +00:00
parent f95c2f8826
commit 72eb14dcfb


@ -23,27 +23,9 @@ new installations should use the name=value form as follows:
=item clamscan_path=I<path> (e.g. I<clamscan_path=/usr/bin/clamdscan>)
Path to the clamav commandline scanner. Using clamdscan is recommended
for sake of performance. However, in this case, the user executing clamd
requires access to the qpsmtpd spool directory, which usually means either
running clamd as the same user as qpsmtpd does (by far the easiest method)
or by doing the following:
=over 2
=item * Change the group ownership of the spool directory to be a group
of which clamav is a member or add clamav to the same group as the qpsmtpd
user;
=item * Enable the "AllowSupplementaryGroups" option in clamd.conf;
=item * Change the permissions of the qpsmtpd spool directory to 0770 (this
will emit warning when the qpsmtpd service starts up).
=back
Mail will be passed to the clamav scanner in Berkeley mbox format (that is,
with a "From " line).
Path to the clamav commandline scanner. Mail will be passed to the clamav
scanner in Berkeley mbox format (that is, with a "From " line). See the
discussion below on which commandline scanner to use.
=item action=E<lt>I<add-header> | I<reject>E<gt> (e.g. I<action=reject>)
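Review bot: The replacement pointer "See the discussion below on which commandline scanner to use" in the clamscan_path item does not say which section it means, and the item's own example still shows I<clamscan_path=/usr/bin/clamdscan>. A reader who copies that example and stops here never sees that clamd needs access to the spool directory. Suggest naming the target section explicitly, for instance with a POD link to "CLAMAV COMMAND LINE SCANNER", and keeping one short sentence here saying that clamdscan needs extra permissions on the spool directory.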
@ -73,6 +55,39 @@ variable to include a couple of now deprecated options.
=back
=head2 CLAMAV COMMAND LINE SCANNER
You can use either clamscan or clamdscan, but the latter is recommended for
sake of performance. However, in this case, the user executing clamd
requires access to the qpsmtpd spool directory, which usually means either
running clamd as the same user as qpsmtpd does (by far the easiest method)
or by doing the following:
=over 4
=item * Change the group ownership of the spool directory to be a group
of which clamav is a member or add clamav to the same group as the qpsmtpd
user.
=item * Enable the "AllowSupplementaryGroups" option in clamd.conf.
=item * Change the permissions of the qpsmtpd spool directory to 0750 (this
will emit a warning when the qpsmtpd service starts up, but can be safely
ignored).
=item * Make sure that all directories above the spool directory (to the
root) are g+x so that the group has directory traversal rights; it is not
necessary for the group to have any read rights except to the spool
directory itself.
=back
It may be helpful to temporary grant the clamav user a shell and test to
make sure you can cd into the spool directory and read files located there.
Remember to remove the shell from the clamav user when you are done
testing.
=head2 CLAMAV CONFIGURATION
At the least, you should have 'ScanMail' supplied in your clamav.conf file.
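Review bot: The testing paragraph at the end of the new CLAMAV COMMAND LINE SCANNER section asks the admin to give the clamav account a login shell and then remember to remove it, which leaves a service account with a shell if the cleanup step is missed. Suggest recommending a one-off invocation that does not modify the account, such as "su -s /bin/sh clamav" or "sudo -u clamav", to check that the user can cd into the spool directory and read a file there. Two smaller points in the same hunk: "temporary grant" should read "temporarily grant", and the list covers only directory modes (0750 on the spool, g+x on the parents), so it would help to state whether the spooled message files themselves are created group-readable, since clamd has to read them. Separately, the new text refers to clamd.conf while the CLAMAV CONFIGURATION paragraph below says clamav.conf; it would be worth confirming that the two names are intended.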