blob: ed0d519ffb9bddd109a2b61e2847607da64ea094 [file] [log] [blame]
Richard Marian Thomaiyar14fddef2018-07-13 23:55:56 +05301##
2## Example config file for clamav-milter
3##
4
5# Comment or remove the line below.
6Example
7
8
9##
10## Main options
11##
12
13# Define the interface through which we communicate with sendmail
14# This option is mandatory! Possible formats are:
15# [[unix|local]:]/path/to/file - to specify a unix domain socket
16# inet:port@[hostname|ip-address] - to specify an ipv4 socket
17# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
18#
19# Default: no default
20#MilterSocket /tmp/clamav-milter.socket
21#MilterSocket inet:7357
22
23# Define the group ownership for the (unix) milter socket.
24# Default: disabled (the primary group of the user running clamd)
25#MilterSocketGroup virusgroup
26
27# Sets the permissions on the (unix) milter socket to the specified mode.
28# Default: disabled (obey umask)
29#MilterSocketMode 660
30
31# Remove stale socket after unclean shutdown.
32#
33# Default: yes
34#FixStaleSocket yes
35
36# Run as another user (clamav-milter must be started by root for this option to work)
37#
38# Default: unset (don't drop privileges)
39#User clamav
40
41# Initialize supplementary group access (clamav-milter must be started by root).
42#
43# Default: no
44#AllowSupplementaryGroups no
45
46# Waiting for data from clamd will timeout after this time (seconds).
47# Value of 0 disables the timeout.
48#
49# Default: 120
50#ReadTimeout 300
51
52# Don't fork into background.
53#
54# Default: no
55#Foreground yes
56
57# Chroot to the specified directory.
58# Chrooting is performed just after reading the config file and before dropping privileges.
59#
60# Default: unset (don't chroot)
61#Chroot /newroot
62
63# This option allows you to save a process identifier of the listening
64# daemon (main thread).
65#
66# Default: disabled
67#PidFile /var/run/clamav/clamav-milter.pid
68
69# Optional path to the global temporary directory.
70# Default: system specific (usually /tmp or /var/tmp).
71#
72#TemporaryDirectory /var/tmp
73
74##
75## Clamd options
76##
77
78# Define the clamd socket to connect to for scanning.
79# This option is mandatory! Syntax:
80# ClamdSocket unix:path
81# ClamdSocket tcp:host:port
82# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
83# ClamdSocket unix:/var/run/clamd/clamd.socket
84# The second syntax specifies a tcp local or remote tcp socket: the
85# host can be a hostname or an ip address; the ":port" field is only required
86# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
87# ClamdSocket tcp:192.168.0.1
88#
89# This option can be repeated several times with different sockets or even
90# with the same socket: clamd servers will be selected in a round-robin fashion.
91#
92# Default: no default
93ClamdSocket /var/run/clamav/clamd
94
95
96##
97## Exclusions
98##
99
100# Messages originating from these hosts/networks will not be scanned
101# This option takes a host(name)/mask pair in CIRD notation and can be
102# repeated several times. If "/mask" is omitted, a host is assumed.
103# To specify a locally orignated, non-smtp, email use the keyword "local"
104#
105# Default: unset (scan everything regardless of the origin)
106#LocalNet local
107#LocalNet 192.168.0.0/24
108#LocalNet 1111:2222:3333::/48
109
110# This option specifies a file which contains a list of basic POSIX regular
111# expressions. Addresses (sent to or from - see below) matching these regexes
112# will not be scanned. Optionally each line can start with the string "From:"
113# or "To:" (note: no whitespace after the colon) indicating if it is,
114# respectively, the sender or recipient that is to be whitelisted.
115# If the field is missing, "To:" is assumed.
116# Lines starting with #, : or ! are ignored.
117#
118# Default unset (no exclusion applied)
119#Whitelist /etc/whitelisted_addresses
120
121# Messages from authenticated SMTP users matching this extended POSIX
122# regular expression (egrep-like) will not be scanned.
123# As an alternative, a file containing a plain (not regex) list of names (one
124# per line) can be specified using the prefix "file:".
125# e.g. SkipAuthenticated file:/etc/good_guys
126#
127# Note: this is the AUTH login name!
128#
129# Default: unset (no whitelisting based on SMTP auth)
130#SkipAuthenticated ^(tom|dick|henry)$
131
132# Messages larger than this value won't be scanned.
133# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
134#
135# Default: 25M
136#MaxFileSize 10M
137
138
139##
140## Actions
141##
142
143# The following group of options controls the delievery process under
144# different circumstances.
145# The following actions are available:
146# - Accept
147# The message is accepted for delievery
148# - Reject
149# Immediately refuse delievery (a 5xx error is returned to the peer)
150# - Defer
151# Return a temporary failure message (4xx) to the peer
152# - Blackhole (not available for OnFail)
153# Like Accept but the message is sent to oblivion
154# - Quarantine (not available for OnFail)
155# Like Accept but message is quarantined instead of being delivered
156#
157# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
158# For Postfix this causes the message to be placed on hold
159#
160# Action to be performed on clean messages (mostly useful for testing)
161# Default: Accept
162#OnClean Accept
163
164# Action to be performed on infected messages
165# Default: Quarantine
166#OnInfected Quarantine
167
168# Action to be performed on error conditions (this includes failure to
169# allocate data structures, no scanners available, network timeouts,
170# unknown scanner replies and the like)
171# Default: Defer
172#OnFail Defer
173
174# This option allows to set a specific rejection reason for infected messages
175# and it's therefore only useful together with "OnInfected Reject"
176# The string "%v", if present, will be replaced with the virus name.
177# Default: MTA specific
178#RejectMsg
179
180# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
181# "X-Virus-Status" headers will be attached to each processed message, possibly
182# replacing existing headers.
183# If it is set to Add, the X-Virus headers are added possibly on top of the
184# existing ones.
185# Note that while "Replace" can potentially break DKIM signatures, "Add" may
186# confuse procmail and similar filters.
187# Default: no
188#AddHeader Replace
189
190# When AddHeader is in use, this option allows to arbitrary set the reported
191# hostname. This may be desirable in order to avoid leaking internal names.
192# If unset the real machine name is used.
193# Default: disabled
194#ReportHostname my.mail.server.name
195
196# Execute a command (possibly searching PATH) when an infected message is found.
197# The following parameters are passed to the invoked program in this order:
198# virus name, queue id, sender, destination, subject, message id, message date.
199# Note #1: this requires MTA macroes to be available (see LogInfected below)
200# Note #2: the process is invoked in the context of clamav-milter
201# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
202# avoid unnecessary delays in email delievery
203# Default: disabled
204#VirusAction /usr/local/bin/my_infected_message_handler
205
206##
207## Logging options
208##
209
210# Uncomment this option to enable logging.
211# LogFile must be writable for the user running daemon.
212# A full path is required.
213#
214# Default: disabled
215#LogFile /var/log/clamav/clamav-milter.log
216
217# By default the log file is locked for writing - the lock protects against
218# running clamav-milter multiple times.
219# This option disables log file locking.
220#
221# Default: no
222#LogFileUnlock yes
223
224# Maximum size of the log file.
225# Value of 0 disables the limit.
226# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
227# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
228# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
229# rotation (the LogRotate option) will always be enabled.
230#
231# Default: 1M
232#LogFileMaxSize 2M
233
234# Log time with each message.
235#
236# Default: no
237#LogTime yes
238
239# Use system logger (can work together with LogFile).
240#
241# Default: no
242#LogSyslog yes
243
244# Specify the type of syslog messages - please refer to 'man syslog'
245# for facility names.
246#
247# Default: LOG_LOCAL6
248#LogFacility LOG_MAIL
249
250# Enable verbose logging.
251#
252# Default: no
253#LogVerbose yes
254
255# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
256# Default: no
257#LogRotate yes
258
259# This option allows to tune what is logged when a message is infected.
260# Possible values are Off (the default - nothing is logged),
261# Basic (minimal info logged), Full (verbose info logged)
262# Note:
263# For this to work properly in sendmail, make sure the msg_id, mail_addr,
264# rcpt_addr and i macroes are available in eom. In other words add a line like:
265# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
266# to your .cf file. Alternatively use the macro:
267# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
268# Postfix should be working fine with the default settings.
269#
270# Default: disabled
271#LogInfected Basic
272
273# This option allows to tune what is logged when no threat is found in a scanned message.
274# See LogInfected for possible values and caveats.
275# Useful in debugging but drastically increases the log size.
276# Default: disabled
277#LogClean Basic
278
279# This option affects the behaviour of LogInfected, LogClean and VirusAction
280# when a message with multiple recipients is scanned:
281# If SupportMultipleRecipients is off (the default)
282# then one single log entry is generated for the message and, in case the
283# message is determined to be malicious, the command indicated by VirusAction
284# is executed just once. In both cases only the last recipient is reported.
285# If SupportMultipleRecipients is on:
286# then one line is logged for each recipient and the command indicated
287# by VirusAction is also executed once for each recipient.
288#
289# Note: although it's probably a good idea to enable this option, the default value
290# is currently set to off for legacy reasons.
291# Default: no
292#SupportMultipleRecipients yes
293