##
## Example config file for clamav-milter
##

# Comment or remove the line below.
#Example


##
## Main options
##

# Define the interface through which we communicate with sendmail
# This option is mandatory! Possible formats are:
# [[unix|local]:]/path/to/file - to specify a unix domain socket
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
#
# Default: no default
MilterSocket /var/run/clamav/clmilter.sock
#MilterSocket inet:7357

# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup

# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
#MilterSocketMode 660

# Remove stale socket after unclean shutdown.
#
# Default: yes
FixStaleSocket yes

# Run as another user (clamav-milter must be started by root for this option
# to work)
#
# Default: unset (don't drop privileges)
User clamav

# Waiting for data from clamd will timeout after this time (seconds).
# Value of 0 disables the timeout.
#
# Default: 120
#ReadTimeout 300

# Don't fork into background.
#
# Default: no
#Foreground yes

# Chroot to the specified directory.
# Chrooting is performed just after reading the config file and before
# dropping privileges.
#
# Default: unset (don't chroot)
#Chroot /newroot

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# This file will be owned by root, as long as clamav-milter was started by
# root. It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
#
# Default: disabled
PidFile /var/run/clamav/clamav-milter.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#
#TemporaryDirectory /var/tmp

##
## Clamd options
##

# Define the clamd socket to connect to for scanning.
# This option is mandatory! Syntax:
#     ClamdSocket unix:path
#     ClamdSocket tcp:host:port
# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
#     ClamdSocket unix:/var/run/clamd/clamd.socket
# The second syntax specifies a local or remote tcp socket: the
# host can be a hostname or an ip address; the ":port" field is only required
# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
#     ClamdSocket tcp:192.168.0.1
#
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin
# fashion.
#
# Default: no default
ClamdSocket unix:/var/run/clamav/clamd.sock


##
## Exclusions
##

# Messages originating from these hosts/networks will not be scanned
# This option takes a host(name)/mask pair in CIDR notation and can be
# repeated several times. If "/mask" is omitted, a host is assumed.
# To specify a locally originated, non-smtp, email use the keyword "local"
#
# Default: unset (scan everything regardless of the origin)
#LocalNet local
#LocalNet 192.168.0.0/24
#LocalNet 1111:2222:3333::/48

# This option specifies a file which contains a list of basic POSIX regular
# expressions. Addresses (sent to or from - see below) matching these regexes
# will not be scanned. Optionally each line can start with the string "From:"
# or "To:" (note: no whitespace after the colon) indicating if it is,
# respectively, the sender or recipient that is to be allowed.
# If the field is missing, "To:" is assumed.
# Lines starting with #, : or ! are ignored.
#
# Default: unset (no exclusion applied)
#AllowList /etc/allowed_addresses

# Messages from authenticated SMTP users matching this extended POSIX
# regular expression (egrep-like) will not be scanned.
# As an alternative, a file containing a plain (not regex) list of names (one
# per line) can be specified using the prefix "file:".
# e.g. SkipAuthenticated file:/etc/good_guys
#
# Note: this is the AUTH login name!
#
# Default: unset (no allowing based on SMTP auth)
#SkipAuthenticated ^(tom|dick|henry)$

# Messages larger than this value won't be scanned.
# Make sure this value is lower than or equal to StreamMaxLength in clamd.conf
#
# Default: 25M
#MaxFileSize 10M


##
## Actions
##

# The following group of options controls the delivery process under
# different circumstances.
# The following actions are available:
# - Accept
#   The message is accepted for delivery
# - Reject
#   Immediately refuse delivery (a 5xx error is returned to the peer)
# - Defer
#   Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
#   Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
#   Like Accept but message is quarantined instead of being delivered
#
# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold
#
# Action to be performed on clean messages (mostly useful for testing)
# Default: Accept
#OnClean Accept

# Action to be performed on infected messages
# Default: Quarantine
#OnInfected Quarantine

# Action to be performed on error conditions (this includes failure to
# allocate data structures, no scanners available, network timeouts,
# unknown scanner replies and the like)
# Default: Defer
#OnFail Defer

# This option allows you to set a specific rejection reason for infected
# messages and it's therefore only useful together with "OnInfected Reject"
# The string "%v", if present, will be replaced with the virus name.
# Default: MTA specific
#RejectMsg

# If this option is set to "Replace" (or "Yes"), "X-Virus-Scanned" and
# "X-Virus-Status" headers will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to Add, the X-Virus headers are added possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
#AddHeader Replace

# When AddHeader is in use, this option allows you to arbitrarily set the
# reported hostname. This may be desirable in order to avoid leaking internal
# names. If unset the real machine name is used.
# Default: disabled
#ReportHostname my.mail.server.name

# Execute a command (possibly searching PATH) when an infected message is
# found.
# The following parameters are passed to the invoked program in this order:
# virus name, queue id, sender, destination, subject, message id, message date.
# Note #1: this requires MTA macros to be available (see LogInfected below)
# Note #2: the process is invoked in the context of clamav-milter
# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
# avoid unnecessary delays in email delivery
# Default: disabled
#VirusAction /usr/local/bin/my_infected_message_handler

##
## Logging options
##

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
#
# Default: disabled
#LogFile /tmp/clamav-milter.log

# By default the log file is locked for writing - the lock protects against
# running clamav-milter multiple times.
# This option disables log file locking.
#
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
#
# Default: 1M
#LogFileMaxSize 2M

# Log time with each message.
#
# Default: no
#LogTime yes

# Use system logger (can work together with LogFile).
#
# Default: no
#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
#
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
#
# Default: no
#LogVerbose yes

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes

# This option allows you to tune what is logged when a message is infected.
# Possible values are Off (the default - nothing is logged),
# Basic (minimal info logged), Full (verbose info logged)
# Note:
# For this to work properly in sendmail, make sure the msg_id, mail_addr,
# rcpt_addr and i macros are available in eom. In other words add a line like:
#     Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
# to your .cf file. Alternatively use the macro:
#     define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
# Postfix should be working fine with the default settings.
#
# Default: disabled
#LogInfected Basic

# This option allows you to tune what is logged when no threat is found in
# a scanned message.
# See LogInfected for possible values and caveats.
# Useful in debugging but drastically increases the log size.
# Default: disabled
#LogClean Basic

# This option affects the behaviour of LogInfected, LogClean and VirusAction
# when a message with multiple recipients is scanned:
# If SupportMultipleRecipients is off (the default)
# then one single log entry is generated for the message and, in case the
# message is determined to be malicious, the command indicated by VirusAction
# is executed just once. In both cases only the last recipient is reported.
# If SupportMultipleRecipients is on:
# then one line is logged for each recipient and the command indicated
# by VirusAction is also executed once for each recipient.
#
# Note: although it's probably a good idea to enable this option, the default
# value is currently set to off for legacy reasons.
# Default: no
#SupportMultipleRecipients yes
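
# Added example, not part of the ClamAV sample config: a small Python linter that checks a
# clamav-milter.conf against the constraints stated in the comments above (mandatory options,
# privilege drop, actions unavailable for OnFail, RejectMsg, LogFile path, MaxFileSize).
# The function names, the case-insensitive matching of action names and the caller-supplied
# StreamMaxLength value are assumptions of this example.

```python
import posixpath

def parse_milter_conf(text):
    """Return {option: [values, ...]} for every active (uncommented) line."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts

def to_bytes(size):
    """'10M' -> 10485760, '512K' -> 524288, '2048' -> 2048."""
    mult = {"k": 1024, "m": 1024 * 1024}.get(size[-1].lower())
    return int(size[:-1]) * mult if mult else int(size)

def lint(text, stream_max_length):
    """Return findings; stream_max_length is StreamMaxLength from clamd.conf."""
    o = parse_milter_conf(text)
    last = lambda key, default: o.get(key, [default])[-1]
    checks = [
        ("Example" in o, "Example line must be commented out or removed"),
        ("MilterSocket" not in o, "MilterSocket is mandatory (no default)"),
        ("ClamdSocket" not in o, "ClamdSocket is mandatory (no default)"),
        ("User" not in o, "User unset: privileges are not dropped"),
        (last("OnFail", "Defer").lower() in ("blackhole", "quarantine"),
         "OnFail cannot be Blackhole or Quarantine"),
        ("RejectMsg" in o and last("OnInfected", "Quarantine").lower() != "reject",
         "RejectMsg only takes effect with OnInfected Reject"),
        ("LogFile" in o and not posixpath.isabs(last("LogFile", "")),
         "LogFile requires a full path"),
        (to_bytes(last("MaxFileSize", "25M")) > to_bytes(stream_max_length),
         "MaxFileSize is larger than clamd's StreamMaxLength"),
    ]
    return [message for failed, message in checks if failed]

# Constructed sample for illustration, not a real deployment.
SAMPLE = """\
Example
MilterSocket /var/run/clamav/clmilter.sock
OnFail Quarantine
RejectMsg Blocked: %v
LogFile clamav-milter.log
MaxFileSize 50M
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, stream_max_length="25M")))
```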