ClamAV on CentOS 7 (with amavisd)

There are a lot of guides out there to getting CentOS 7 working well with ClamAV / Amavisd-new, but I didn’t find a single one of them that quite hit the spot completely. I already had a working postfix / amavisd server, so this is working on an assumption of that. I don’t address configuration of those services here, other than amavisd to talk to ClamAV.

Installing ClamAV

I used the guides here: https://www.server-world.info/en/note?os=CentOS_7&p=clamav and https://www.server-world.info/en/note?os=CentOS_7&p=mail&f=6 as a rough guide, but it did not result in a working install. In summary, install clamav (as listed in the guide) and its dependencies (from the EPEL repository), and run through the configuration as advised above. I already had amavisd installed and working with postfix, so didn’t need to install or configure that – but I did follow the steps above on configuration to make sure I was following it correctly.

All of the right software was installed, but I could not get ClamAV and Amavisd talking over local socket… an issue that Google tells me is apparently pretty common! Also the amavisd service was generating errors about not being able to start a non-existent service; while appearing harmless, these errors annoyed me. So, a couple of things needed tweaking.

TCP socket for ClamAV and Amavisd communication

Along with a few other people online I had problems with using the local socket for communication between Amavisd and ClamAV (both running on the same server). The configuration suggested in the guide above was enabling both local socket and TCP socket – something that at least one guide says won’t work (e.g. http://verchick.com/mecham/public_html/spam/clamav-amavisd-new.html). I disabled the local socket and set communication to be using TCP socket, restricted to access from localhost only (as noted above, both services are on the same host). It may well work with both if you get the local socket right – but for me I got it working very rapidly with a minimum of fuss using TCP only, so I stopped there.

ClamAV configuration

For ClamAV that was accomplished by setting the following options in /etc/clamd.d/scan.conf (note the # in front of the LocalSocket option). The three options are not next to each other in the file; I’ve just put them together here for clarity. You’ll need to find each of them:

#LocalSocket /var/run/clamd.scan/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1

Restart the clamd@scan service, and if it’s right, you should see a line in your clamd log (if you’ve followed the guide, it will be at /var/log/clamd.scan):

TCP: Bound to [127.0.0.1]:3310
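
An added check (not from the original post or the ClamAV project) that audits a clamd config file for the socket settings above. clamd's TCP protocol has no authentication, and a TCPSocket with no TCPAddr listens on every interface, so the loopback restriction is the part worth verifying. The function name audit_clamd_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# audit_clamd_conf FILE
# Returns 0 only when clamd has a TCP port and every TCPAddr is loopback.
# An active LocalSocket is reported as a warning (the post disables it).
audit_clamd_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    awk '
        /^[ \t]*(#|$)/      { next }          # skip comments and blank lines
        $1 == "TCPSocket"   { port = $2 }
        $1 == "LocalSocket" { sock = $2 }
        $1 == "TCPAddr"     { naddr++
                              if ($2 != "127.0.0.1" && $2 != "::1" && $2 != "localhost")
                                  bad = bad " " $2 }
        END {
            rc = 0
            if (port == "") {
                print "FAIL: TCPSocket is not set"; rc = 1
            } else if (naddr == 0) {
                print "FAIL: TCPSocket " port " has no TCPAddr, clamd listens on every interface"; rc = 1
            }
            if (bad != "")  { print "FAIL: non-loopback TCPAddr:" bad; rc = 1 }
            if (sock != "") { print "WARN: LocalSocket " sock " is also enabled" }
            if (rc == 0)    { print "OK: clamd TCP port " port " is bound to loopback only" }
            exit rc
        }' "$conf"
}

# Constructed sample mirroring the three settings above (not a full scan.conf).
sample=$(mktemp)
printf '%s\n' '#LocalSocket /var/run/clamd.scan/clamd.sock' \
    'TCPSocket 3310' 'TCPAddr 127.0.0.1' > "$sample"
audit_clamd_conf "$sample"
rm -f "$sample"
```

On the real host, point the function at /etc/clamd.d/scan.conf after editing it and before restarting clamd@scan.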

Amavisd configuration

Next, configure amavisd to use that TCP socket. Find the ClamAV section in your amavisd configuration file, usually on CentOS 7 at /etc/amavisd/amavisd.conf, make sure the local socket line (the one referring to clamd.sock) is commented out, and add the line that configures it to use the ClamAV TCP port 3310 you set up previously:

### http://www.clamav.net/
['ClamAV-clamd',
# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.scan/clamd.sock"],
\&ask_daemon, ["CONTSCAN {}\n", '127.0.0.1:3310'],

Amavisd config is a whole other subject, and not one I’m touching on here – that is just the line that you need for amavisd to talk to ClamAV on the same server using a TCP socket, if ClamAV is set up as above. At the very least though, make sure that

# @bypass_virus_checks_maps = (1); # controls running of anti-virus code 

is commented out so that virus_checks are NOT bypassed. 

Amavis service ‘wants’

Finally… when I restarted amavisd I noticed a lot of errors in logs:

systemd: clamd@amavisd.service: main process exited, code=exited, status=1/FAILURE
systemd: Unit clamd@amavisd.service entered failed state.
clamd: ERROR: Can't open/parse the config file /etc/clamd.d/amavisd.conf
systemd: clamd@amavisd.service failed.
systemd: clamd@amavisd.service holdoff time over, scheduling restart.

It turns out that when amavisd-new is installed it sets itself up looking for the clamd@amavisd service, not the clamd@scan service which ClamAV is set up with by default. The amavisd systemd file, located at /etc/systemd/system/multi-user.target.wants/amavisd.service, read (in part):

[Unit]
Description=Amavisd-new is an interface between MTA and content checkers.
Documentation=http://www.ijs.si/software/amavisd/#doc
After=network.target
Wants=clamd@amavisd.service
Wants=postfix.service

Fix that to be:

Wants=clamd@scan.service

…and it should start without errors.

Once that is done, my amavisd works correctly with clamd – no errors on startup, and it communicates over the TCP socket fine. YMMV – but hopefully this helps.

4 Comments

  1. Thank you so much, Simon!
    This issue was also driving me nuts, but I didn’t catch the discrepancy in that amavis service file and, like you, was rather disillusioned that none of the massive number of online resources I uncovered included any mention of this ‘bug’. Makes me wonder what percentage of completed email servers around the world are still malfunctioning this way, and how many chose to abandon amavis as a result.

  2. ioan

    The guide from https://www.server-world.info works fine with Centos minimal install. When I used the Vultr or Digitalocean Centos 7 standard images, clamd@amavisd didn’t start.

    Vultr has the option of custom ISO, and from there I could select Centos minimal.

    It seems non-minimal ISOs start some services/sockets that would conflict with clamd@amavisd.

  3. jazz

    The issue with the socket appears to be that it must be set to clam:amavis with
    permissions set to 664
    You must also have clamd.log set to 644 or clamd can choke.
    Set your config file for clamd to set 664 this will take care of the stale socket
    issue which will now work fine as clamd will always reset the socket correctly

    A problem then occurs (possibly at cron time) whereby amavis when restarted (such as cron time ) may set the socket to 750 and taking sole control killing amavisd-new dead apparently at random.

    Ideally amavis needs to be changed somehow to stop that happening but I have yet to spot
    the correct location so in the cron.daily folder put a file starting with Z or something to make it run last – to either restart clamd or chmod /var/spool/amavisd/clamd.sock to 664 again.
    You could also chown clam:amavis at the same time if that is an issue

    This works fine for me and leaves the system in a recognisable state when bug hunting.

    PS to repeat clamd’s log must be right.
    If you get that right the rest of the standard config should work.

    I hope that helps.

    You may have to restart amavisd then clamd after changing things to get it all synced right.

    jazz
