SMTP server for scanning viruses via clamd
is an SMTP filter that allows you to
check for viruses using the ClamAV anti-virus software. It accepts SMTP
connections and forwards the SMTP commands and responses to another SMTP
The DATA email body is intercepted and scanned before forwarding. By default
email with viruses are dropped silently and logged without any additional
aims to be lightweight and simple rather
than have a myriad of options. The options it does have are configured by
editing the clamsmtpd.conf(5)
file. See the man
page for clamsmtpd.conf(5)
for more info on the
default location of the configuration file.
Previous versions had more options. These still work for now but have
equivalents in clamsmtpd.conf(5)
and are not
documented here. The options are as follows.
- Don't detach from the console and run as a daemon. In
addition the level argument specifies
what level of error messages to display. 0 being the least, 4 the
- configfile specifies an
alternate location for the clamsmtpd
configuration file. See clamsmtpd.conf(5) for
more details on where the configuration file is located by default.
- pidfile specifies a
location for the a process id file to be written to. This file contains
the process id of clamsmtpd and can be used
to stop the daemon.
- Prints the clamsmtp version number and exits.
by default under the 'mail' facility. You
can also output logs to the console using the -d
In some cases it's advantageous to consolidate the virus scanning and filtering
for several mail servers on one machine.
allows this by providing a loopback
feature to connect back to the IP that an SMTP connection comes in from.
To use this feature specify only a port number (no IP address) for the
setting in the configuration file.
This will cause clamsmtpd
to pass the email back
to the said port on the incoming IP address.
Make sure the MaxConnections
setting is set
high enough to handle the mail from all the servers without refusing
A transparent proxy is a configuration on a gateway that routes certain types of
traffic through a proxy server without any changes on the client computers.
has support for transparent proxying of
SMTP traffic by enabling the TransparentProxy
setting. This type of setup usually involves firewall rules which redirect
traffic to clamsmtpd
and the setup varies from OS
to OS. The SMTP traffic will be forwarded to it's original destination after
When doing transparent proxying for outgoing email it's probably a good idea to
turn on bounce notifications using the Action:
setting. Also note that some features (such as SSL/TLS) will not
be available when going through the transparent proxy.
Make sure that the MaxConnections
set high enough for your transparent proxying. Because
is not being used as a filter inside a
queue, which usually throttles the amount of email going through, this setting
may need to be higher than usual.
Using the VirusAction
option you can run a
script or program whenever a virus is found. This may be handy in certain
circumstances but it has several drawbacks. For one, the performance of the
virus filtering will take a hit, perhaps DOS'ing your machine under heavy
load. Secondly as with running any program there are security implications to
Please consider the above carefully before implementing a virus action.
The script is run without its output being logged, or return value being
checked. Because of this you should test it thoroughly. Make sure it runs
without problems under the user that clamsmtpd(8)
is being run as.
Various environment variables will be present when your script is run. You may
need to escape them properly before use in your favorite scripting language.
Failure to do this could lead to a REMOTE COMPROMISE of your machine.
- The network address of the SMTP client connected.
- When the Quarantine option
is enabled, this specifies the file that the virus was saved to.
- The email addresses of the email recipients. These are
specified one per line, in standard address format.
- If clamsmtpd is being used to
filter email between SMTP servers, then this is the IP address of the
original client. In order for this information to be present (a) the SMTP
client (sending server) must an send an XFORWARD command and (b) the SMTP
server (receiving server) must accept that XFORWARD command without
- If clamsmtpd is being used to
filter email between SMTP servers, then this is the HELO/EHLO banner of
the original client. In order for this information to be present (a) the
SMTP client (sending server) must an send an XFORWARD command and (b) the
SMTP server (receiving server) must accept that XFORWARD command without
- The email address for the sender of the email.
- The network address of the SMTP server we're connected
- The path to the temp directory in use. This is the same as
the TempDirectory option.
- The name of the virus found.
There's no reason to run this daemon as root. It is meant as a filter and should
listen on a high TCP port. It's probably a good idea to run it using the same
user as the clamd(8)
daemon. This way the
temporary files it writes are accessible to
Care should be taken with the directory that
writes its temporary files to. In order
to be secure, it should not be a world writeable location. Specify the
directory using the TempDirectory
When using the VirusAction
option make sure you
understand the security issues involved. Unescaped environment variables can
lead to execution of arbitrary shell commands on your machine.
If running clamsmtpd
on a publicly accessible IP
address or without a firewall please be sure to understand all the possible
security issues. This is especially true if the loopback feature is used (see