ClamAV on CentOS 7 (with amavisd)

There are a lot of guides out there to getting CentOS 7 working well with ClamAV / Amavisd-new, but I didn’t find out single one of them that quite hit the spot completely. I already had a working postfix / amavisd server, so this is working on an assumption of that. I don’t address configuration of those services here, other than amavisd to talk to ClamAV.

Installing ClamAV

I used the guides here: https://www.server-world.info/en/note?os=CentOS_7&p=clamav and https://www.server-world.info/en/note?os=CentOS_7&p=mail&f=6 as a rough guide, but it did not result in a working install. In summary, install clamav (as listed in the guide) and its dependencies (from the EPEL repository), and run through the configuration as advised above. I already had amavisd installed and working with postfix, so didn’t need to install or configure that – but I did follow the steps above on configuration to make sure I was following it correctly.

All of the right software was installed, but I could not get ClamAV and Amavisd talking over local socket… an issue that Google tells is apparently pretty common! Also the amavisd service was generating errors about not being able to start a non-existent service; while appearing harmless, these errors annoyed me. So, a couple of things needed tweaking. 

TCP socket for ClamAV and Amavisd communication

Along with a few other people online I had problems with using the local socket for communication between Amavisd and ClamAV (both running on the same server). The configuration suggested in the guide above was enabling both local socket and TCP socket – something that at least one guide says won’t work (e.g. http://verchick.com/mecham/public_html/spam/clamav-amavisd-new.html). I disabled the local socket and set communication to be using TCP socket, restricted to access from localhost only (as noted above, both services are on the same host). It may well work with both if you get the local socket right – but for me I got it working very rapidly with a minimum of fuss using TCP only, so I stopped there.

ClamAV configuration

For ClamAV that was accomplished by setting the following options in /etc/clam.d/scan.conf (note the # in front of LocalSocket option). Note the three options are not next to each other in the file, I’ve just put them here that way for clarity. You’ll need to find each of them:

#LocalSocket /var/run/clamd.scan/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1

Restart the clamd@scan service, and if it’s right, you should see a line in your clamd log (if you’ve followed the guide, it will be at /var/log/clamd.scan):

TCP: Bound to [127.0.0.1]:3310

Amavisd configuration

Next configure amavisd to use that TCP socket. Find the ClamAV section in your amavisd configuration file, usually on CentOS 7 at /etc/amavisd/amavisd.conf, make sure the local socket line is commented out (referring to clamd.sock) add the line to configure it to use the ClamAV TCP port 3310 that you configured previously:

### http://www.clamav.net/
['ClamAV-clamd',
# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.scan/clamd.sock"],
\&ask_daemon, ["CONTSCAN {}\n", '127.0.0.1:3310'],

Amavisd config is a whole other subject, and not one I’m touching on here – that is just the line that you need for amavisd to talk to ClamAV on the same server using a TCP socket, if ClamAV is set up as above. At the very least though, make sure that

# @bypass_virus_checks_maps = (1); # controls running of anti-virus code 

is commented out so that virus_checks are NOT bypassed. 

Amavis service ‘wants’

Finally… when I restarted amavisd I noticed a lot of errors in logs:

systemd: clamd@amavisd.service: main process exited, code=exited, status=1/FAILURE
systemd: Unit clamd@amavisd.service entered failed state.
clamd: ERROR: Can't open/parse the config file /etc/clamd.d/amavisd.conf
systemd: clamd@amavisd.service failed.
systemd: clamd@amavisd.service holdoff time over, scheduling restart.

It turns out that when amavisd-new is installed it sets itself up looking for clamd@amavis service, not clamd@scan service which ClamAV is setup with by default. The amavisd systemd file, located at /etc/systemd/system/multi-user.target.wants/amavisd.service, read (in part)

[Unit]
Description=Amavisd-new is an interface between MTA and content checkers.
Documentation=http://www.ijs.si/software/amavisd/#doc
After=network.target
Wants=clamd@amavis.service
Wants=postfix.service

Fix that to be:

Wants=clamd@scan.service

…and it should start without errors.

Once that is done, my amavisd works correctly with clamd – no errors on startup, and it communicates over the TCP socket fine. YMMV – but hopefully this helps.

One Comment

  1. Thank you so much, Simon!
    This issue was also driving me nuts, but I didn’t catch the discrepancy in that amavis service file and, like you, was rather disillusioned that none of the massive number of online resources I uncovered included any mention of this ‘bug’. Makes me wonder what percentage of completed email servers around the world are still malfunctioning this way, and how many chose to abandon amavis as a result.

Leave a Reply