There are probably many blogs or posts online about how to use “unofficial clam AV signatures” with mail servers but this one is accurate. You don’t need super secret special github scripts someone maintains. No, you need a brain. I will admit that some things are harder than others, like…if you wanted to use LetsEncrypt SSL certs with multiple domains on Zimbra…well, that’s another post!
For unofficial clam AV signatures on Zimbra (or other mail servers) though LOOK NO FURTHER!
First, I always make a “temp directory” for my working scripts under /var/ftp. You can put it wherever you’d like, but I always use that, much like I use c:\temp on Windows 😉
Create it with mkdir so you end up with a directory at /var/ftp/sane.
Then open the script in nano: nano /var/ftp/sane/get.sh
This creates the “get.sh” file we’ll call from cron later.
Copy and paste this for starters (the shebang line, then a comment):
#!/bin/bash
# Additional securiteinfo.com ClamAV signatures
Now we need to fill in the blanks. We basically have a blank file with the shebang and a comment. securiteinfo.com is a website; go there and get a free account. The free basic account lets you download ClamAV signatures that aren’t in the standard databases, albeit at 300 kb/s, but who needs them at the speed of light anyway? They also (generously) allow you to download them 24 times per day; at 300 kb/s I don’t know why you would, and once per day is probably fine (adjust for yourself). These are extra signatures that ClamAV DOESN’T ship by default. What does that buy you? One more layer of coverage on top of the official databases. That’s one of the many cool things about free and open-source software: there are many projects out there you can leverage to further enhance what you’re doing!
There is also another site with signatures I like to use, sanesecurity.net, that you can add the same way. You can add any third-party database like this as long as it is in a format ClamAV loads (.hdb, .ndb, .ldb, .cvd, .cld and friends) 😉. There are a few out there and you can also create your own!
Back to our script right?
When you get your free account from securiteinfo.com you can go to the “setup” tab in your account and it will give you a URL for your database files.
It will look similar to the URL in the wget line further down: a long per-account path ending in securiteinfo.hdb.
Now, that “.hdb” file is a ClamAV hash database (each line is an MD5 hash, a file size and a malware name) that clamd loads alongside the official databases, and the http:// part is the URL where YOU download it. Don’t share it: that URL is tied to your account. When your mail server receives an attachment, clamd checks it (and anything it extracts from it) against every database in that directory; a match gets blocked, anything else is let through. One caveat: a plain http:// download gives you nothing that proves the file you got is the one the provider published, so it is worth checking that a fresh download actually loads as a database (clamscan accepts a single file with -d and errors out on a broken one) before you restart clamd on it.
You can use this not only with Zimbra but with ANY MTA (that’s Mail Transfer Agent) or mail filter that uses ClamAV as its anti-virus scanning engine. Nearly every open-source mail filter does, so this post might bring my web server down it’ll be so popular 😛 ClamAV is, hands down, the most widely used engine on back-end servers like spam filters, and I don’t know anyone who disputes that.
What we need to do then is incorporate our URL into a download mechanism so it lands in the directory where Zimbra stores the ClamAV db files, and then restart clamd! That’s the process! Signup + get URL + download + restart services!
My script looks like this then:
# Additional securiteinfo.com ClamAV signatures
wget -O /opt/zimbra/data/clamav/db/securiteinfo.hdb http://www.securiteinfo.com/get/signatures/bunch_of_numbers_here_its_wicked_long/securiteinfo.hdb
wget -O names the output file: you’re saying “write what you download to this path”. So that line downloads your “securiteinfo.hdb” into the /opt/zimbra/data/clamav/db/ folder, overwriting the previous copy.
Now…at the end of your script you need this line:
# Fix permissions
chown -R zimbra:zimbra /opt/zimbra/data/clamav/db/
This makes sure the directory where the ClamAV databases live, and everything in it, is owned by zimbra. That’s the default for this directory anyway, BUT if you ever run the download script by hand as root, wget writes the new files as root:root and the zimbra-owned clamd may then fail to read them on restart, so fair warning! When the script runs as zimbra (which is how the cron job below runs it), the files already belong to zimbra and the chown is a harmless no-op. You also need to set ownership and execute permission on the script itself in /var/ftp/sane, like this:
/var/ftp/sane# chown root:zimbra get.sh
/var/ftp/sane# chmod +x get.sh
This makes root the owner of get.sh and gives the zimbra group read and execute access (with the usual umask, +x turns 644 into 755). zimbra can run it but, because the file isn’t group-writable, can’t change what cron will execute. The “chmod +x” is what makes it executable so we can put it into a crontab and call it / run it!
At the very end of your script goes the Zimbra control command that restarts the antivirus service, so clamd picks up the new signatures.
That restarts clamd (and the other pieces of the Zimbra antivirus service) after we’ve downloaded our new signatures. Now, we’ll be running our script as the “zimbra” user: that’s the account that owns the daemons and can stop, start, restart and check the status of them. Root can’t: the zm*ctl tools live in /opt/zimbra/bin, which is only on the zimbra user’s PATH, so from a root shell you just get “command not found” (switch to zimbra with su - zimbra first if you need to run them by hand).
To add a cron job and run it at 5:15 am every morning you’d do this:
15 5 * * * zimbra /var/ftp/sane/get.sh > /dev/null
Notice the “zimbra” field: this six-field format with a user column belongs in /etc/crontab or a file under /etc/cron.d/ (a per-user crontab -e has no user column), and it runs get.sh AS THE ZIMBRA ACCOUNT. This is very important; only the zimbra account can control services on a Zimbra server, as I’ve mentioned. The > /dev/null only swallows normal output, so errors from wget or the restart still get mailed to root by cron, which is exactly what you want.
Whatever you had in your shell script (get.sh) then is what the zimbra account will run. It will download the databases + change permissions + restart the services.
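To tie the steps together, here is a hardened version of get.sh. This is an added example, not the script from this post: it downloads to a temp file inside the db directory, refuses to install anything that does not parse as an .hdb (or that clamscan cannot load, where clamscan is present), only swaps the file in when it actually changed, and only then restarts the antivirus service. The URL is a placeholder for your own securiteinfo.com link, the restart command zmantivirusctl restart is my assumption (the post does not name the one it uses), and the file-format check is mine; substitute whatever you put at the end of your own script.

```shell
#!/bin/sh
# Hardened get.sh (added example, not the post's own script).
# Download to a temp file in the db directory, sanity-check it, install it
# only if it changed, then ask Zimbra to reload the antivirus service.
# Assumptions: DB_URL is a placeholder for YOUR securiteinfo.com URL;
# `zmantivirusctl restart` is assumed to be the right reload command for
# your Zimbra release; the script runs as the zimbra user (see the cron line).

DB_DIR="${DB_DIR:-/opt/zimbra/data/clamav/db}"
DB_NAME="securiteinfo.hdb"
DB_URL="${DB_URL:-http://www.securiteinfo.com/get/signatures/YOUR_KEY_HERE/$DB_NAME}"  # placeholder

# Cheap format check: every non-comment, non-blank line of an .hdb must be
# MD5:Size:Name[:MinFL[:MaxFL]] (Size may be '*'). A web server's HTML error
# page saved by "wget -O" fails this check instead of being handed to clamd.
looks_like_hdb() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -v '^#' "$f" | grep -v '^[[:space:]]*$' \
       | grep -Evq '^[0-9A-Fa-f]{32}:([0-9]+|\*):[^:]+(:[0-9]+(:[0-9]+)?)?$'; then
        return 1        # at least one line is not a valid entry
    fi
    return 0
}

# Stronger check where the engine is installed: clamscan exit code 2 means it
# could not load the database. Skipped (returns 0) where clamscan is absent.
clamav_accepts() {
    command -v clamscan >/dev/null 2>&1 || return 0
    probe=$(mktemp) || return 1
    printf 'probe\n' > "$probe"
    clamscan --quiet -d "$1" "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    [ "$rc" -ne 2 ]
}

# install_db DIR NEWFILE NAME
# Returns 0 if NEWFILE was moved into place (caller should reload clamd),
# 2 if it is identical to the current copy (nothing to do), 1 if rejected.
install_db() {
    dir="$1"; new="$2"; name="$3"
    looks_like_hdb "$new" || return 1
    if [ -f "$dir/$name" ] && cmp -s "$new" "$dir/$name"; then
        rm -f "$new"
        return 2
    fi
    chmod 0644 "$new" || return 1
    mv -f "$new" "$dir/$name"   # same filesystem, so this rename is atomic
}

main() {
    # temp file lives in DB_DIR so the final mv is a rename, not a copy
    tmp=$(mktemp "$DB_DIR/.$DB_NAME.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT
    wget -q --tries=3 --timeout=60 -O "$tmp" "$DB_URL" || { echo "download failed" >&2; exit 1; }
    clamav_accepts "$tmp" || { echo "clamav cannot load $tmp" >&2; exit 1; }
    install_db "$DB_DIR" "$tmp" "$DB_NAME"
    case $? in
        0) echo "$DB_NAME updated, reloading antivirus"
           /opt/zimbra/bin/zmantivirusctl restart ;;   # ASSUMED Zimbra command
        2) echo "$DB_NAME unchanged, no reload" ;;
        *) echo "$DB_NAME rejected, keeping the old copy" >&2; exit 1 ;;
    esac
}

# Run the update only when called as "get.sh run" (what cron does); sourcing
# the file merely defines the functions above.
if [ "${1-}" = run ]; then main; fi
```

Call it as get.sh run from the cron line (15 5 * * * zimbra /var/ftp/sane/get.sh run), as the zimbra user, so the files it writes already belong to zimbra and no chown is needed. Because the temp file is created inside the db directory, the final mv is a rename on the same filesystem and clamd never sees a half-written database; a failed or throttled download leaves the old copy untouched instead of replacing it with an empty file or an error page.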
This worked for me and hopefully it will work for you. I’m running Zimbra 8.x + Ubuntu 16.04 LTS on a VM.