ClamAV Anti Virus with procmail

This is the second part of the HowTo on running ClamAV Anti Virus on a low-memory system, for readers who chose the procmail-based setup. Please make sure that you have understood and accepted the problems and limitations of this approach before starting.

After installing ClamAV we'll continue to...

Configure Postfix

We need to tell Postfix to use procmail as the local delivery agent. Optionally (and highly recommended), run only one delivery at a time to save resources. To do this, set the following in /etc/postfix/main.cf:
	mailbox_command = procmail -a "$EXTENSION"
	local_destination_concurrency_limit=1

Configure .procmailrc

We'll use a simple .procmailrc recipe. Please adapt it to your needs and copy it to each user's home directory, and also to /etc/skel/.procmailrc:
	# .procmailrc

	#----------------------------------------------------
	## Silently drop all Asian-language mail
	## No one can read it here anyway.
	
	UNREADABLE='[^?"]*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987'
	OR="9876543210^0"
	
	:0:
	*$ $OR ^Subject:.*=\?($UNREADABLE)
	*$ $OR ^Content-Type:.*charset="?($UNREADABLE)
	/dev/null
	
	:0:
	* ^Content-Type:.*multipart
	* B ?? $ ^Content-Type:.*^?.*charset="?($UNREADABLE)
	/dev/null
	
	
		
	#----------------------------------------------------
	## AntiVirus:
	##      1.) CarbonCopy through ClamScan and dump the copy,
	##	    we're only interested in the exit code anyway.
	##      2.) forward infected mail to virusalert@*DOMAIN*
	
	:0ci: /tmp/clamscan.lock
	| /usr/bin/clamscan --stdout --quiet --no-summary \
		--tempdir=/tmp --recursive --max-files=500 \
		--max-space=500M \
		--unzip=/usr/bin/unzip --jar=/usr/bin/unzip \
		--tar=/bin/tar --tgz=/bin/tar \
		-
	/dev/null
	
	:0e
	! virusalert@**MYDOMAIN***
	

Another option, if you don't allow individual .procmailrc files: create a central /etc/procmailrc file and create links to it in /etc/skel and the individual user directories, but leave out the virusalert account to prevent loops!

Advanced scanning

Somewhere between the simple solution above and TrashScan is this option: replace the direct call of clamscan in the .procmailrc example above with
	# .procmailrc
	#----------------------------------------------------
	## AntiVirus:
	
	:0ci: /tmp/clamscan.lock
	| /usr/local/bin/clamscanwrapper
	/dev/null
	
	:0e
	! virusalert@**MYDOMAIN***
	

after you have created /usr/local/bin/clamscanwrapper like below:

	#! /bin/sh
	# Save the message from stdin and create a scratch directory for clamscan
	cat - > /tmp/clamscan.msg
	mkdir /tmp/clamscan.dir
	chmod go+r /tmp/clamscan.*	# not nice but necessary

	# Scan the saved message; the report goes to /tmp/clamscan.log
	/usr/bin/clamscan --mbox \
		--tempdir=/tmp/clamscan.dir \
		--recursive --max-files=500 --max-space=500M \
		--unzip=/usr/bin/unzip --jar=/usr/bin/unzip \
		--tar=/bin/tar --tgz=/bin/tar \
		--log=/tmp/clamscan.log \
		/tmp/clamscan.msg
	RESULT=$?	# 0 = clean, non-zero = virus found or scan error

	# Append the report and the exit code to the permanent log
	cat /tmp/clamscan.log >> /var/log/clamav/clamscan_full.log
	echo "Return-Code: $RESULT" >> /var/log/clamav/clamscan_full.log

	if [ "$RESULT" -gt 0 ]; then
	    # Second field of the "FOUND" line is the virus name
	    VIRUS=$(fgrep FOUND /tmp/clamscan.log | cut -d " " -f 2)
	    echo "Virus $VIRUS found" >> /var/log/clamav/clamscan_full.log
	    # Build the alert mail: intro line plus the indented headers
	    echo "A Virus was found in following mail: " > /tmp/clamscan.mai
	    echo " " >> /tmp/clamscan.mai
	    printf "        " >> /tmp/clamscan.mai
	    grep -e "^From:" /tmp/clamscan.msg >> /tmp/clamscan.mai
	    printf "        " >> /tmp/clamscan.mai
	    grep -e "^To:" /tmp/clamscan.msg >> /tmp/clamscan.mai
	    printf "        " >> /tmp/clamscan.mai
	    grep -e "^Subject:" /tmp/clamscan.msg >> /tmp/clamscan.mai
	    printf "        " >> /tmp/clamscan.mai
	    grep -e "^Date:" /tmp/clamscan.msg >> /tmp/clamscan.mai
	    mail -s "Virus $VIRUS found" virusalert@***MYDOMAIN*** < /tmp/clamscan.mai
	    # Record the virus name in the short log
	    echo "$VIRUS" >> /var/log/clamav/clamscan.log
	fi

	# Clean up and hand the scan result back to procmail
	rm -rf /tmp/clamscan.*
	exit "$RESULT"
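
The wrapper above keeps the message under fixed, world-readable names in /tmp, so every local user can read the mail being scanned and the paths are predictable. A hardened variant, as an added example that is not part of the original HowTo: it works in a private `mktemp -d` directory and takes the alert headers from the header block only. `CLAMSCAN`, `SCAN_LOG` and `ALERT_RCPT` are assumed setting names, the address is a placeholder, the archive-helper options are left out, and clamscan is assumed to run as the same user as the wrapper.

```shell
#!/bin/sh
# Added example: hardened variant of the clamscanwrapper above.
# CLAMSCAN, SCAN_LOG and ALERT_RCPT are assumed (hypothetical) settings.
CLAMSCAN=${CLAMSCAN:-/usr/bin/clamscan}
SCAN_LOG=${SCAN_LOG:-/var/log/clamav/clamscan_full.log}
ALERT_RCPT=${ALERT_RCPT:-virusalert@example.invalid}   # placeholder address

# Print the first "$1:" header of message file $2, reading the header block
# only (stop at the first blank line) so body text cannot pose as a header.
header() {
    sed -n -e '/^$/q' -e "/^$1:/{p;q;}" "$2"
}

# Scan the message on stdin. Returns clamscan's exit code
# (0 = clean, 1 = virus found, 2 = error) for procmail's "e" recipe.
scan_message() {
    umask 077                       # scratch files readable by this user only
    work=$(mktemp -d "${TMPDIR:-/tmp}/clamscan.XXXXXX") || return 2
    cat > "$work/msg"
    "$CLAMSCAN" --no-summary --tempdir="$work" --log="$work/log" \
        "$work/msg" >/dev/null 2>&1
    result=$?
    {
        [ -f "$work/log" ] && cat "$work/log"
        echo "Return-Code: $result"
    } >> "$SCAN_LOG"
    if [ "$result" -eq 1 ]; then
        # Report line looks like "<file>: <name> FOUND"; keep only <name>
        virus=$(grep 'FOUND$' "$work/log" | sed -e 's/^.*: //' -e 's/ FOUND$//' | head -n 1)
        {
            echo "A virus was found in the following mail:"
            echo
            for h in From To Subject Date; do
                printf '        %s\n' "$(header "$h" "$work/msg")"
            done
        } | mail -s "Virus $virus found" "$ALERT_RCPT"
    fi
    rm -rf "$work"                  # remove only the directory we created
    return "$result"
}

# Run only when installed under the wrapper's name, so the file can be sourced.
case ${0##*/} in
    clamscanwrapper) scan_message; exit $? ;;
esac
```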

Enjoy!
Corrections and suggestions are heartily welcome!